Slashdot Mirror


Windows Vulnerabilities Revealed, Patched

Saint Aardvark writes "A big MS Windows remote vulnerability has just hit BugTraq. It concerns a buffer overflow in MS' DCOM, and affects Win2k through Server 2003; here's the security advisory from Microsoft. This is in addition to an earlier vulnerability concerning conversion from HTML to RTF - there's a separate security advisory from Microsoft for this one, and it affects Win98 and NT 4.0 through Server 2003. Patch early, patch often." There's also a CNET News story with a little more explanation on the newest vulnerability.

17 of 445 comments

  1. *G* by rylin · · Score: 5, Funny

    So much for homeland security ;)

  2. heh by Anonymous Coward · · Score: 5, Funny
    Microsoft admits critical flaw in nearly all Windows software

    ...The announcement came one day after the Department of Homeland Security announced that it awarded a five-year, $90-million contract for Microsoft to supply all its most important desktop and server software for about 140,000 computers inside the new federal agency

    1. Re:heh by UnrefinedLayman · · Score: 5, Informative

      The point is this is a remotely exploitable system level hole.

      It's important to note that the system account is god in Windows -- even Administrator has less power than system.

  3. More info and POC ... by bigjocker · · Score: 5, Informative

    More info here, here and here. Here internetnews.com states that 3 vulnerabilities (not 2) were patched.

    Here is the report from the people who found the vulnerabilities (or at least one of them) which includes a proof-of-concept paper and code.

    --
    Life isn't like a box of chocolates. It's more like a jar of jalapenos. What you do today, might burn your ass tomorrow.
  4. winnuke all over again! by sporty · · Score: 5, Interesting
    The vulnerability results because the Windows RPC service does not properly check message inputs under certain circumstances. This particular failure affects an underlying Distributed Component Object Model (DCOM) interface, which listens on TCP/IP port 135.


    Sounds like we'll have winnuke2003 sometime soon. :)

    <disclaimer>I know that winnuke uses OOB data vs this which does something on the application layer. :P</disclaimer>
    --

    -
    ping -f 255.255.255.255 # if only

  5. Bad by The+Bungi · · Score: 5, Insightful

    But if you keep port 135 open on your DMZ boxes, you deserve to be hanged with a piece of CAT-5 cable.

    1. Re:Bad by EvilTwinSkippy · · Score: 5, Funny
      But if you keep port 135 open on your DMZ boxes, you deserve to be hanged with a piece of CAT-5 cable.

      Most network admins are too portly and would shear CAT-5 cable. Better to use Fiber-Optic cable. It has a higher tensile strength.

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
  6. Dupe by Anonymous Coward · · Score: 5, Funny

    We just had a story about a security vulnerability in Windows!

  7. Re:Poll: Tinfoil hat mode ON! by Xerithane · · Score: 5, Insightful

    Why does MS come out with patches so often?

    Probably similar reasons as to why Linux-contributors release patches so often.

    Because software has bugs. That's what software is for.

    --
    Dacels Jewelers can't be trusted.
  8. What do you know... by GMFTatsujin · · Score: 5, Funny

    The only thing that works correctly in Windows ME has finally been discovered.

  9. hah! by kritikal · · Score: 5, Funny

    "allow an attacker to take control of computers running any version of Windows except for Windows ME."

    all you people who said i was stupid for running windows me, look who's laughing now!

  10. one step ahead by fihzy · · Score: 5, Funny

    10) find big remote vulnerability in product
    20) perfect the exploit
    30) have fun with it for months
    40) find another big hole in same product
    50) perfect exploit for hole
    60) alert vendor about original hole
    70) have fun with new hole
    80) goto 40

  11. Re:Poll: Tinfoil hat mode ON! by Jord · · Score: 5, Insightful
    How many of those are OS level? At the redhat site I counted 3 at the OS level. The rest are for add ons like Apache, MySQL, etc.

    Could not check the MS one but I am guessing more than 3 of them were OS level patches since there were three just today.

    Everyone has security vulnerabilities, but let's compare apples to apples here.

  12. Re:Bad One? by FLoWCTRL · · Score: 5, Interesting

    Yes... and there are probably lots of exploits that never get published, just used. Now do you want your government relying on this software to store data such as the Total Information Awareness Program, for example? (Oh, I see they renamed it...)

    Would you want your business to rely on it? I find it utterly astounding that so many PHBs still think it's a good idea. A German bureaucrat who was pitching open source insightfully quipped, "'Security through obscurity' is the model of yesterday. The model of the future is 'Security through transparency'". That's a paraphrase, and I'm too lazy to look it up. Great point, though. Maybe this new vulnerability will lead to another "slammer" worm...

  13. Sure. by foobario · · Score: 5, Funny

    "The software giant issued a patch Wednesday morning to plug a critical security hole that could allow an attacker to take control of computers running any version of Windows except for Windows ME."

    Hell, even legitimate users of Windows ME can't take control of their computers...

  14. Bugs in software != Cruddy software by dsr9996 · · Score: 5, Insightful
    I've gotta call this post what it is: Unfair.

    Yes, this is /.
    Yes, hardly anyone here likes MS and people here love to bash MS whenever they can.
    That's fine with me. But almost all software has bugs, and in particular bugs that could be exploited to breach the security of the program. Just because MS has a bug in the RPC code doesn't mean that no one should use their software, or in particular the federal gov't should not.

    If this same criterion were required of any software the gov't bought, they would have NO software. Linux is not bug free. Software written for Linux is not bug free. The main difference is, Windows is a much bigger target of attack by every hacker and "security group" in the world because it is the most popular operating system in the world. How would any Linux distribution fare if it and its components were used as widely as Windows, and people spent hours every day _trying_ to pass garbage strings of data to all of its external functions in order to find a buffer overrun? I bet it wouldn't do so hot either, and even if it didn't, that doesn't mean that no one should buy that Linux distribution, does it?

    PROGRAMS HAVE BUGS. And the more complex the programs, the more they interact with other components, often in ways the original programmers never thought of _or intended_, the more likely bugs will be found. My opinion is, taking cheap shots at MS is easy, but writing good code yourself is hard. We're all human beings here, and the developers who work on Linux and open source programs are no smarter than most who work at MS. People make mistakes. Sometimes people don't think about every possible bogus string parameter someone could pass in just to screw up their program. Most of the time the bugs I find in my and others' code are from components trying to _correctly_ use our code!

    Flamebait, troll, whatever. Just because you don't like MS for all the /. reasons doesn't justify what you say.

    Peace,
    Devin

    1. Re:Bugs in software != Cruddy software by khuber · · Score: 5, Insightful
      But almost all software has bugs, and in particular bugs that could be exploited to breach the security of the program. Just because MS has a bug in the RPC code doesn't mean that no one should use their software, or in particular the federal gov't should not.

      You're missing the point.

      Microsoft has been bragging up their Trustworthy Computing [sic] and talking about how much better their efforts have been than open source projects. Meanwhile OpenBSD (for example) has had a much, much better security record.

      If you brag about your secure code, yet continue to have ridiculous security holes, the technical community should have every right to call you on your unjustified haughtiness! There still appear to be systemic problems with Windows that won't be fixed in a year or two no matter how arrogant Microsoft is.

      Where do you want to patch today?

      -Kevin