Slashdot Mirror
Windows Vulnerabilities Revealed, Patched
Saint Aardvark writes "A big MS Windows remote vulnerability has just hit BugTraq. It concerns a buffer overflow in MS' DCOM, and affects Win2k through Server 2003; here's the security advisory from Microsoft. This is in addition to an earlier vulnerability concerning conversion from HTML to RTF - there's a separate security advisory from Microsoft for this one, and it affects Win98 and NT 4.0 through Server 2003. Patch early, patch often." There's also a CNET News story with a little more explanation on the newest vulnerability.
... discloded after they got the Homeland security account. >_
You know it makes sense, a little reminder from jointm1k.
But if you keep port 135 open on your DMZ boxes, you deserve to be hanged with a piece of CAT-5 cable.
They hid this one until they patched it, but in light of the previous post about the US government relying so much on MS software, it makes me uneasy. This exploit let the attacker take control of the PC. Not good if you're running the bad guy database.
So there aren't any critical flaws in the Mac OS? Linux?
A system is as secure as the patches applied to it.
so finally the first unpatchable bug for NT4 is here.
i know i'm not the only greyhat who smiled when they heard of the patching-stop for NT4
aaaah, the joys of an nonsupported, yet still heavily used platform
happy cracking y'all
why would anyone not block this port on their firewall? ive had it blocked for years. i think you can also find out peoples shares with this port but am not 100% sure.
blocking this port should be as common sense as password protecting shares.
Why does MS come out with patches so often?
Probably similar reasons as to why Linux-contributors release patches so often.
Because software has bugs. That's what software is for.
Dacels Jewelers can't be trusted.
It's somewhat funny though that in a closed-source system how people are still finding vulnerabilities. Can you imagine how many vulnerabilities would be found in the first day of Microsoft releasing their source code to the world? I think the number would be staggering.
"They'd be getting "better" if the vulnerabilities didn't exist in the first place! :P "
That's a paradox of almost Terminatoresque proportions!
"It's somewhat funny though that in a closed-source system how people are still finding vulnerabilities. Can you imagine how many vulnerabilities would be found in the first day of Microsoft releasing their source code to the world? I think the number would be staggering."
I would always expect there to be more bugs in closed source code, simply because only a limited number of people get to see it. You also have to take into account "wood from trees" syndrome. A lot of coders can work so close to a task that finding a bug or testing code adequately is usually best handled by someone else. I guess MS mainly do product testing, and I doubt a product tester could ever be technically competent enough to exploit a buffer overflow while testing Word 2006 or whatever...
MS needs to learn that bugs go way, way deeper than crashes.
Patches have been in the works for 6 months or more. There is a extremely serious DC bug that was not announced until SP4 that can kill(DOS) any DC internal to a network in minutes via BSOD. Kudo's to Microsoft for ignoring the author and leaving millions vulnerable.
Or could it be that the system is as secure as it was built to be from the ground up, rather than relying on patches to be secure? Or, to rephrase, isn't it better that the system is built for security to begin with? Didn't a Microsoft representative say that their products had never been created with security in mind, but "we'll make it better now, honest!"?
Clever signature text goes here.
Would you trust a company that obviously hides the truth about the very foundation of your computer software base?
Would you prefer that all of the vulnerabilities for any piece of software be made public before the company has a chance to fix it? Cisco, Oracle, Microsoft, Red Hat... Every programmer/software company likes to be notified of the vulnerability so it can be fixed prior to a patch being released.
You can never go home again... but I guess you can shop there.
https://rhn.redhat.com/errata/rh9-errata-security. html
l t. asp?url=/technet/security/current.asp
33 patches and counting since March 31.
http://www.microsoft.com/technet/treeview/defau
18 patches and counting since March 31.
Nobody's immune. Even the BSD distros send out the occasional notice.
You can never go home again... but I guess you can shop there.
This is opposite of what some closed source companies want to happen to them. They want to be the ONLY ones notified and then they will announce that it was fixed. Personally I think that they should be notified the same time that that the news media are notified so that people who are up on the security issues can protect themselves until a patch is made available. With this one it seems that people could have closed port 135 to avoid the vulnerability until MS fixed it. Now the question is, how many people for how many years have been victims of this exploit? Guess we will never know.
seSales, Point of Sale software for OS X.
You know, when Apple spots a vulnerability in OSX and updates fairly promptly (and this isn't exactly a rare occurance), they're commended on their quick turnaround time for a patch. When Microsoft does the same thing, they're demonized as fixing Yet Another Bug(tm). Is it really impossible to give them credit where credit's due?
-- the opinions stated above aren't those of my employer. in fact, they're probably not even my own. you know what, ju
Could not check the MS one but I am guessing more than 3 of them were OS level patches since there were three just today.
Every one has security vulnerabilities but lets compare apples to apples here.
seSales, Point of Sale software for OS X.
Lets see, this vulnerbility has been in Windows since NT was released, and it's now July 2003 and they are just getting around to patching it?
Oh, you mean the turnaround time until it is *discovered* and the patch.
I guess the point is, with open-source software such as Linux, the chance of big gaping security holes hanging around for years is much less. People look in the code and get them fixed up fairly quickly. This hole had been in Windows for years, and thus virtually every Windows server on the planet could be a victim. I doubt that could happen in Linux.
This is comparing Apples to Apples for the most part. Saying Apache doesn't count, but IIS does is not comparing correctly. One reason MS appears to have so many more bugs is that their OS includes a lot more components that are thought of as part of the OS. Whever there is a problem with anything that ships with Windows, it is considered a Windows bug by most people. Yet when there is a Linux bug, people tend to saying it's an X bug (be it Apache, or Sendmail, or FTP, etc).
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
Every programmer/software company likes to be notified of the vulnerability so it can be fixed prior to a patch being released.
Everyone but Microsoft anyway. They usually seem happy enough to release patches before they (correctly) fix the vulnerability.
Responsibility has nothing to do with the OS itself. Attention to detail is something born within you and will never improve based on your job function.
The problem is most Windows admins make less than half of a Unix admin. This is feeding from the bottom of the pool so no shit they aren't going to patch their systems. If you aren't getting paid they won't care. They get fired and you hire another worthless bum who just joined the IT industry because they heard it pays well! The problem isn't windows or redhat. It's the dedication to your job to do the right thing!
You mean like the remote Samba root exploit that was in the code for something like a decade?
Not a troll, just figure I'd point out that this cuts both ways.
Having said that, Linux beats Windows hands down in my books, for one big reason: I don't even know how to close port 135 on a Windows machine, without killing other services. AFAIK the RPC service is pretty much tied up together, and many applications won't work without it.
Stock Linux install leaves maybe 2 ports open.. oh wait, 0 if you let IPtables do its thing. In Windows, I'm still busy playing whack-a-mole trying to close the 15 or so ports XP insists on listening on.
Or maybe it's easy in Windows, and I've just given up learning how to lock a machine down with every release. Anyone ever figure out how to *permanently* close those idiotic admin shares?
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
Their patches come with SpyWare? Are you kidding me?
Are you sure these 'patches' you are applying weren't annoymously sent to you in an e-mail message? You know the mail message, where every sentance has a gramatical error in it ("I give you these patches in hopes that we protect your system together"), and the From line simply says "Microsoft Support People".
Then I could believe you got spyware from a patch. But otherwise, you're just full of FUD.
-Malakai
-Malakai
A Dragon Lives in my Garage
Like the BIND patch. Lest you forget there was, a year ago, that affected all versions. Somehow, despite the fact that it is open source, very old, very widely used and reviewed, a bug still managed to slip through.
When you must expose software to an infinently unknown amount of combinations (of OS, software, hardware but most important user input), you just cannot gaurentee that there will be no unexpected results. The biggest problem is the vairablity of user input. People will try and use things in unexpected, unapproved and malicious ways. Well, when this happens, it is possable an unforseen problem will crop up, despite your best efforts to prevent it.
What I find funny is how outraged people get about this in the computer world, when it is so prevliant elsewhere, with much higher stakes. For example: It is a known flaw with basically every consumer automibile that high speed impacts will result in sever injury or death of the operator. Now, this is an unintended method of operation, you are't SUPPOSED to slam into a brick wall doing 80, but it is a KNOWN problem, and remains un fixed. Further, they could fix, or at least improve, the problem in a large way. The first step would be to install an 8-point racing harness. Those little shoulder strap belts just don't cut it, you need to belt yourself in tighter and have more points of contact to dissapate the force over a larger area. Then there is the car itself. It needs a much better frame and much better break away points, as seen in race cars. Finally, there is other safety gear such as a helmet. Well, as race cars demonstrate, these do work. They make extremely high speed collisons, generally with only minor injuries to the driver.
So, why don't we have this? Two big reasons: Cost and inconvenience. Building a car to race car specs is EXPENSIVE, and not just because teh engine is high performance. That frame is NOT cheap. Then there are other safety measues that are a huge pain in the ass. An 8-point harness is an ordeal to get in and out of and noone want to wear a helmet inside a car. Thus, we consider it acceptable to allow the flaw to exist since it is one resultant of behavious that should not happen.
This is also akin to the computer siutation in that we could drasticly increase reliablity, but only by sacraficing cost and convienece. The cost would come form needing a verified design. Thing would move slowly because each part would need to eb extensively tested to insure there were no problems. This appiles to hardware and software. Kiss $1000 computer goodbye and figure on $10,000 or up. Then there is the inconvienence. They can't have you fiddling with this verified design, so you are going to be able to run only the apps tey ahve preapproved on the hardware they preapprove.
Unless you are willing to accept that (and people do make systems like that, contact IBM) then unforseen bugs and exploits WILL happen. And please don't act like it doesn't happen to OSS, go read SANS or Security Focus some time. There are more than plenty of exploits for both closed and open software.
Why does MS come out with patches so often?
Seriously, because:
1) University Grad students think that Microsoft security problems are good Thesis topics.
2) It is the most prevalent OS on desktop machines, so it gets more attention.
3) Unlike other software vendors, they actually fix issues and distribute the patches instead of forcing customers to sign a NDA to get the known flaw in their enterprise class machine fixed (SUN).
4) They create complex software to provide the user with a better experience, but complex software is hard to test.
1. A Linux distro comes with so much more than a windows install does (windows comes with IE, linux comes with mozilla, galeon, konqueror; linux comes with koffice, abiword, openoffice, windows doesn't; etc etc etc. There's a reason that debian is 8+ CDs and Windows is 1 CD).
You are correct, but when was the last time you heard someone refer to a Mozilla bug as a Linux bug? If there is a bug in IE, it is usually considered a windows bug (even ones where you must be actively running and surfing with IE). No one ever says "there is a bug in IE, but that shouldn't count against windows", whereas every Mozilla bug is counted as completely seperate from a Linux bug. A true comparison would be to take everything that comes with windows and compare it the most popular version of the same app that runs on Linux. That means Windows would include IIS, IE, mail, ftp, etc, but that Linux would also include Apache, Mozilla, Sendmail, ftp, etc. That would be a fair comparison. To compare every app that comes with Windows versus only the base Linux install isn;t a fair comparison at all.
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
If your car had a 30% chance of bursting into flames while you were driving it, would you rather know about it now or wait for the recall?
Knowing about a problem even if no solution exists allows you to take measures, like perhaps blocking outside access on certain ports for some time or filtering traffic in specific ways.
Information always beats no information when you are trying to keep something secure.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Yes, this is /.
Yes, hardly anyone here likes MS and people here love to bash MS whenever they can.
That's fine with me. But almost all software has bugs, and in particular bugs that could be exploited to breach the security of the program. Just because MS has a bug in the RPC code doesn't mean that no one should use their software, or in particular the federal gov't should not.
If this same criterion were required of any software the gov't bought, they would have NO software. Linux is not bug free. Software written for Linux is not bug free. The main difference is, Windows is a much bigger target of attack by every hacker and "security group" in the world because it is the most popular operating system in the world. How would any Linux distribution fare if it and its components were used as widely as Windows, and people spent hours every day _trying_ to pass garbage strings of data to all of its external functions in order to find a buffer overrun? I bet it wouldn't do so hot either, and even if it didn't, that doesn't mean that no one should by that Linux distribution, does it?
PROGRAMS HAVE BUGS. And the more complex the programs, the more they interact with other components, often in ways the original programmers never thought of _or intended_, the more likely bugs will be found. My opinion is, taking cheap shots at MS is easy, but writing good code yourself is hard. We're all human beings here, and the developers who work on Linux and open source programs are no smarter than most who work at MS. People make mistakes. Sometimes people don't think about every possible bogus string parameter someone could pass in just to screw up their program. Most of the time the bugs I find in my and other's code is from components trying to _correctly_ use our code!
Flamebait, troll, whatever. Just because you don't like MS for all the /. reasons doesn't justify what you say.
Peace,
Devin
If software were properly engineered, it would have far less 'bugs'. You don't see any other discipline like this. An engineer doesn't build a bridge/airplane/car/elevator/building any which way and then say "let's see how it works!" Oops, fell apart...repeat. No, they understand materials science, they do preliminary designs/tests/models, they analyze their design, they make sure their calculations are correct, and THEN they build. Computer programmers today do it as a totally backwards clusterfuck. It doesn't help that the tools they use are not properly engineered either (libraries, etc).
Windows is closed source. Linux/various Unix's are open source. Without looking at the code, ppl are forever finding security holes in Windows. Open source OS's are cleaned up pronto, because anyone can look at the source and fix it. Hard to exploit open source software when hundreds of pairs of eyes are racing to be the first to patch a problem.
"We will be updating our automated scanning tool to make sure this type of issue is detected in the future."
Number 3 of Deming's 14 Points for Quality: "Quality is built/designed, not tested into a product."
Were some MicroSoftians sleeping in class?
As I have nothing of *that* much importance on my box, I'll take the chance and NOT update. I've heard these update stories too many times before.
While I can sympathize with your situation of living in mortal fear of updating your software (such is life when using microsoft products), Please please please lock your machine up behind a firewall of some sort (software firewalls don't count.) While you've got nothing of importance on your machine, You have an IP address and the ability to send spam or other malicious traffic to the entire internet should your machine be broken into.
You are correct, but when was the last time you heard someone refer to a Mozilla bug as a Linux bug? If there is a bug in IE, it is usually considered a windows bug (even ones where you must be actively running and surfing with IE).
.haeger
Ok. As soon as You show me how to remove IE from Windows altogether as I can do with Mozilla on a Linux box I'll agree with You.
A bug in IE is a windows bug since there is no way to remove IE (I don't cound win98lite) while a bug in Mozilla is a bug in Mozilla.
Choices You know...
You are not entitled to your opinion. You are entitled to your informed opinion. -- Harlan Ellison
Back when our little organization had a Windows 2000 server (a couple years ago) I quickly realized that leaving the server unattended for a week was hazardous... some major exploit would undoubtedly be discovered.
:)
We replaced it and are quite happy now. We don't pay anything for our new OS, and I go away for months and nothing bad happens
There are more posts here than I can count (at +5, no less) ranting on about how since there have been bugs in open source software (including recent severe ones like BIND), Microsoft is no worse than the rest. Bullshit. The current vulerability is (stay with me, now) a remote root exploit in a component that can not be removed and thus is installed on every machine in the world that's running a vulnerable OS and that can't be disabled without rendering the machine worthless. When was the last time anybody but Microsoft had a bug that fit those three categories? Personally, I can't think of one. Does this mean open source software doesn't suck? Nope. Does it mean it doesn't have security problems? Nope. Does it mean Microsoft screwed the pooch? Yep.
There have been 0 linux security advisories in the last week. The advisories you mention are in software that can run under Linux. If you're going to count all software that runs under Linux as a Linux vulnerability, then by extension you have to include all software that runs under Windows as a Windows vulnerability.
The reason this is a big issue isn't because it's a whole in a Microsoft product, it's because it's a whole in the core operating system. Note that /. is also making a big deal of the IOS vulnerability (quite rightly). Stop screaming about bias and start looking at the facts.
Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
How many times does this have to happen before soemone at MS realizes that there is a serious deficiency in their designs?
A large number of the vulnerabilities in Windows has been due to "buffer overrun". Isn't it time to fix this? Yeah, it's just stupid programming, but it happens a lot! Isn't it time to fix the underlying design so that stupid programmers can NOT cause vulnerabilties?
Linux/Unix/BSD has also suffered from this: a large number of vulnerabilties has been due to buffer overruns, also. There are specific groups doing something about it (STFW yourself, I gotta get back to work).
The point is this: there are known solutions to this specific problem and MS, if truly serious about security, should have made this a non-issue in Win2003, XP, etc.
Now, this in no way fixes ALL of MS's problems. Many, many, mnay of them have to do with underlying design philosophies and implementation. There are many other things they will have to do to make Windows what I would consider secure, but this is the place to start!