Slashdot Mirror
Windows Vulnerabilities Revealed, Patched
Saint Aardvark writes "A big MS Windows remote vulnerability has just hit BugTraq. It concerns a buffer overflow in MS' DCOM, and affects Win2k through Server 2003; here's the security advisory from Microsoft. This is in addition to an earlier vulnerability concerning conversion from HTML to RTF - there's a separate security advisory from Microsoft for this one, and it affects Win98 and NT 4.0 through Server 2003. Patch early, patch often." There's also a CNET News story with a little more explanation on the newest vulnerability.
So much for homeland security ;)
... discloded after they got the Homeland security account. >_
You know it makes sense, a little reminder from jointm1k.
More info here, here and here. Here internetnews.com state that 3 vulnerabilities (not 2) where patched.
Here is the report from the people who found the vulnerabilities (or at least one of them) which includes a proof-of-concept paper and code.
Life isn't like a box of chocolates. It's more like a jar of jalapenos. What you do today, might burn your ass tomorrow.
Sounds like we'll haev winnuke2003 sometime soon.
<disclaimer>I know that winnuke uses OOB data vs this which does something on the application layer.
-
ping -f 255.255.255.255 # if only
im just downloading the patch before reading the slashdot story even. microsofts possibly getting better?
But if you keep port 135 open on your DMZ boxes, you deserve to be hanged with a piece of CAT-5 cable.
They hid this one until they patched it, but in light of the previous post about the US government relying so much on MS software, it makes me uneasy. This exploit let the attacker take control of the PC. Not good if you're running the bad guy database.
"A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
We just had a story about a security vulnerability in WIndows!
so finally the first unpatchable bug for NT4 is here.
i know i'm not the only greyhat who smiled when they heard of the patching-stop for NT4
aaaah, the joys of an nonsupported, yet still heavily used platform
happy cracking y'all
Sent: Tuesday, January 15, 2002 5:22 PM
To: Microsoft and Subsidiaries: All FTE
Subject: Trustworthy computing
They are right to attribute such great importance to trustworthy systems -- and I do believe they are trying -- but 30,000,000 lines of code necessarily lead to opaque semantics. Good luck, MS, I think this will be one of many such deficiencies in Server 2003. Repeated claims of security and "trustworthiness" from their higher-ups will place the company in a boy-who-cried-wolf marketing scenario; at that point they're up a creek.
Why does MS come out with patches so often?
Probably similar reasons as to why Linux-contributors release patches so often.
Because software has bugs. That's what software is for.
Dacels Jewelers can't be trusted.
The only thing that works correctly in Windows ME has finally been discovered.
*News Flash!! A new vulnerability through buffer overflow has been found on computers. The new vulnerability does not appear to affect Unix, Linux, BSD, or Mac users. This of course only leaves very few commercial operating systems left, but we will not tell you right out which OS that this buffer overflow directly relates to. Thank you and have a nice day.
Much as I hate to give MS any ground on security, it does seem their lag time between vulnerabilities and patches is getting shorter recently. Amazing what some fear of competition will do :-)
"allow an attacker to take control of computers running any version of Windows except for Windows ME."
all you people who said i was stupid for running windows me, look who's laughing now!
No Borg icon? No wise cracks? What gives?
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Because software has bugs. That's what software is for.
Hmm, and all this time I thought software was for doing work, silly me!
I stole this Sig
10) find big remote vulnerability in product
20) perfect the exploit
30) have fun with it for months
40) find another big hole in same product
50) perfect exploit for hole
60) alert vendor about original hole
70) have fun with new hole
80) goto 40
Jonathan Frakes explores the seedy world of Windows Vulneralbilities, on Windows Vulnerabilities Revealed, Patched!
Tonight on Fox!
Windows seems to have some security issues. Well, I'm sure that Microsoft fixed it.
You know, when Apple spots a vulnerability in OSX and updates fairly promptly (and this isn't exactly a rare occurance), they're commended on their quick turnaround time for a patch. When Microsoft does the same thing, they're demonized as fixing Yet Another Bug(tm). Is it really impossible to give them credit where credit's due?
-- the opinions stated above aren't those of my employer. in fact, they're probably not even my own. you know what, ju
Could not check the MS one but I am guessing more than 3 of them were OS level patches since there were three just today.
Every one has security vulnerabilities but lets compare apples to apples here.
seSales, Point of Sale software for OS X.
"The software giant issued a patch Wednesday morning to plug a critical security hole that could allow an attacker to take control of computers running any version of Windows except for Windows ME."
Hell, even legitimate users of Windows ME can't take control of their computers...
What was your IP again?
Buffer Overrun In RPC Interface Could Allow Code Execution
Security Update for Windows XP (823980)
Download size: 1.2 MB, ~ 1 minute
A security issue has been identified that could allow an attacker to remotely compromise a computer running Microsoft® Windows® and gain complete control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.
Unchecked Buffer in Windows Shell Could Enable System Compromise
821557: Security Update (Windows XP)
Download size: 5.1 MB, ~ 1 minute
An identified security issue in Microsoft Windows could allow an attacker to compromise a Microsoft Windows-based system and then take a variety of actions. For example, an attacker could execute code on the system. By installing this update, you can help protect your computer. After you install this item, you may have to restart your computer.
Could someone get them a copy of Secure Programming and highlight all of chapter 6 Avoid Buffer Overflow.
Whenever the offence inspires less horror than the punishment, the rigour of penal law is obliged to give way...
Saying Apache doesn't count, but IIS does is not comparing correctly. One reason MS appears to have so many more bugs is that their OS includes a lot more components that are thought of as part of the OS.
Actually it is comparing correctly because of the way the different systems are architected.
Apache is usually run in userland with limited privledges on a Unix machine while IIS.sys is a kernel mode device driver on a Windows machine. There result is a compromise in IIS presents a system wide security issue while a similar security issue in Apache only represents a user level security issue.
This sort of thing is very common in comparing Windows vs Unix/Linux security. The Windows code runs with admin level access or as part of the kernel, while the Linux application runs with much more restricted access.
I checked my incoming logs and am already seeing quite a few more tickles at port 135 than usual. Where from, you ask? Somewhere in china mostly.. ips in the range 218.15.192.xxx coming from somewhere beyond blahblah.gd.cn.net. Here's one of the ips (its a phony drug sales place) 218.15.192.84... nice little e-com site :)
Ugh, isn't the net fun?
StrategyTalk.com, PC Game Forums
The news.com article had one interesting quote that is different than the usual "time-to-patch-again" article, from Jeff Jones at MS:
"It was primarily a process issue," he said. "We will be updating our automated scanning tool to make sure this type of issue is detected in the future."
Last week, there were two patches released - both termed "buffer overruns". Nice semantics, because it's not made clear whether one could call this a buffer overflow, or an UNDERflow. It was just two weeks ago when the details about getting Linux to run on the XBox were released, and how the buffer underflow trick was used. Makes me wonder if MS took notice of that trick, and is now busy scanning the rest of their code looking for underflows, as opposed to the overflows they've already had their automated tools earmarking?
Like the BIND patch. Lest you forget there was, a year ago, that affected all versions. Somehow, despite the fact that it is open source, very old, very widely used and reviewed, a bug still managed to slip through.
When you must expose software to an infinently unknown amount of combinations (of OS, software, hardware but most important user input), you just cannot gaurentee that there will be no unexpected results. The biggest problem is the vairablity of user input. People will try and use things in unexpected, unapproved and malicious ways. Well, when this happens, it is possable an unforseen problem will crop up, despite your best efforts to prevent it.
What I find funny is how outraged people get about this in the computer world, when it is so prevliant elsewhere, with much higher stakes. For example: It is a known flaw with basically every consumer automibile that high speed impacts will result in sever injury or death of the operator. Now, this is an unintended method of operation, you are't SUPPOSED to slam into a brick wall doing 80, but it is a KNOWN problem, and remains un fixed. Further, they could fix, or at least improve, the problem in a large way. The first step would be to install an 8-point racing harness. Those little shoulder strap belts just don't cut it, you need to belt yourself in tighter and have more points of contact to dissapate the force over a larger area. Then there is the car itself. It needs a much better frame and much better break away points, as seen in race cars. Finally, there is other safety gear such as a helmet. Well, as race cars demonstrate, these do work. They make extremely high speed collisons, generally with only minor injuries to the driver.
So, why don't we have this? Two big reasons: Cost and inconvenience. Building a car to race car specs is EXPENSIVE, and not just because teh engine is high performance. That frame is NOT cheap. Then there are other safety measues that are a huge pain in the ass. An 8-point harness is an ordeal to get in and out of and noone want to wear a helmet inside a car. Thus, we consider it acceptable to allow the flaw to exist since it is one resultant of behavious that should not happen.
This is also akin to the computer siutation in that we could drasticly increase reliablity, but only by sacraficing cost and convienece. The cost would come form needing a verified design. Thing would move slowly because each part would need to eb extensively tested to insure there were no problems. This appiles to hardware and software. Kiss $1000 computer goodbye and figure on $10,000 or up. Then there is the inconvienence. They can't have you fiddling with this verified design, so you are going to be able to run only the apps tey ahve preapproved on the hardware they preapprove.
Unless you are willing to accept that (and people do make systems like that, contact IBM) then unforseen bugs and exploits WILL happen. And please don't act like it doesn't happen to OSS, go read SANS or Security Focus some time. There are more than plenty of exploits for both closed and open software.
"The announcement came one day after the Department of Homeland Security announced that it awarded a five-year, $90-million contract for Microsoft to supply all its most important desktop and server software for about 140,000 computers inside the new federal agency."
http://www.sfgate.com/cgi-bin/article.cgi?file=/ne ws/archive/2003/07/16/national1725EDT0732.DTL
that last quote is on the bottom..
Robert
If your car had a 30% chance of bursting into flames while you were driving it, would you rather know about it now or wait for the recall?
Knowing about a problem even if no solution exists allows you to take measures, like perhaps blocking outside access on certain ports for some time or filtering traffic in specific ways.
Information always beats no information when you are trying to keep something secure.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Oh wait! This week's security flaw arrived a day early.
I had my Outlook Calendar set to sync on the Windows patches, now tomorrow's schedule will be all messed up. I wonder if I can convince my boss that tomorrow is really Friday?
Yes, this is /.
Yes, hardly anyone here likes MS and people here love to bash MS whenever they can.
That's fine with me. But almost all software has bugs, and in particular bugs that could be exploited to breach the security of the program. Just because MS has a bug in the RPC code doesn't mean that no one should use their software, or in particular the federal gov't should not.
If this same criterion were required of any software the gov't bought, they would have NO software. Linux is not bug free. Software written for Linux is not bug free. The main difference is, Windows is a much bigger target of attack by every hacker and "security group" in the world because it is the most popular operating system in the world. How would any Linux distribution fare if it and its components were used as widely as Windows, and people spent hours every day _trying_ to pass garbage strings of data to all of its external functions in order to find a buffer overrun? I bet it wouldn't do so hot either, and even if it didn't, that doesn't mean that no one should by that Linux distribution, does it?
PROGRAMS HAVE BUGS. And the more complex the programs, the more they interact with other components, often in ways the original programmers never thought of _or intended_, the more likely bugs will be found. My opinion is, taking cheap shots at MS is easy, but writing good code yourself is hard. We're all human beings here, and the developers who work on Linux and open source programs are no smarter than most who work at MS. People make mistakes. Sometimes people don't think about every possible bogus string parameter someone could pass in just to screw up their program. Most of the time the bugs I find in my and other's code is from components trying to _correctly_ use our code!
Flamebait, troll, whatever. Just because you don't like MS for all the /. reasons doesn't justify what you say.
Peace,
Devin
If software were properly engineered, it would have far less 'bugs'. You don't see any other discipline like this. An engineer doesn't build a bridge/airplane/car/elevator/building any which way and then say "let's see how it works!" Oops, fell apart...repeat. No, they understand materials science, they do preliminary designs/tests/models, they analyze their design, they make sure their calculations are correct, and THEN they build. Computer programmers today do it as a totally backwards clusterfuck. It doesn't help that the tools they use are not properly engineered either (libraries, etc).
I've been seeing overflows run against port 135 on my home network for awhile now. Typically, these requests seem to come from Korea. Fortunately, my pc never had that port open anyway, and port 135 is Samba on my mac, but that is not effected by this exploit, though linux had a samba BO exploit a couple months back as I recall.
So, it may be very possible this sploit has been around for some time now.
Wonder how much coincedence there is in MS waiting to release this information til after they made their deal?
You are correct, but when was the last time you heard someone refer to a Mozilla bug as a Linux bug? If there is a bug in IE, it is usually considered a windows bug (even ones where you must be actively running and surfing with IE).
.haeger
Ok. As soon as You show me how to remove IE from Windows altogether as I can do with Mozilla on a Linux box I'll agree with You.
A bug in IE is a windows bug since there is no way to remove IE (I don't cound win98lite) while a bug in Mozilla is a bug in Mozilla.
Choices You know...
You are not entitled to your opinion. You are entitled to your informed opinion. -- Harlan Ellison
There are more posts here than I can count (at +5, no less) ranting on about how since there have been bugs in open source software (including recent severe ones like BIND), Microsoft is no worse than the rest. Bullshit. The current vulerability is (stay with me, now) a remote root exploit in a component that can not be removed and thus is installed on every machine in the world that's running a vulnerable OS and that can't be disabled without rendering the machine worthless. When was the last time anybody but Microsoft had a bug that fit those three categories? Personally, I can't think of one. Does this mean open source software doesn't suck? Nope. Does it mean it doesn't have security problems? Nope. Does it mean Microsoft screwed the pooch? Yep.