WindowsUpdate.com Secured, Permanently
Precisely nineteen months ago, Bill Gates sent out a memo to employees (and the press) announcing that security was Microsoft's number-one priority. Today, about a hundred readers have submitted the news that Microsoft.com went down last night. And now, the company has "extinguished" WindowsUpdate.com (future updates will come from a different domain). All this because of some Microsoft worm that triggers at midnight.

Related news: Windows Update says you're protected, but maybe you're not; WU.com briefly ran Linux, heh; worm variant with clever "anatomical term."
Take NetCraft stats with a Big Grain of Salt (big grains of salt, heh). If a site is "Akamized", as this one was, or is otherwise distributed, you'll see the OS of the front end, not what the site actually runs. You'll note that NetCraft lists "linux" for the Akamai site.
I like music
Went to check for updates today, just for the hell of it and the speed was a huge improvement over the old URL.
Where in any of those articles does it say that MS is taking down windowsupdate.com? It's always redirected me to windowsupdate.microsoft.com.
"...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
Did they point windowsupdate.com to 127.0.0.1 ? I hope not, there was a mail on FD explaining that such an action would cause it to DOS the local network.. Also, wtf is up with the site running lunix?
No, they took the A record out completely. It's not Akamai-ized. That's the Linux box you see.
Do not fold, spindle or mutilate.
OS: Linux
Server: Microsoft-IIS/6.0
Last changed: 15-Aug-2003
IP address: 213.161.82.33
Netblock Owner: Akamai
They did not switch their servers to Linux; they used Akamai's caching services to handle their massive bandwidth requirements. Notice the server is still IIS. This is an Akamai box (Linux) serving a cached copy of microsoft.com (Windows/IIS).
$ host www.microsoft.com
www.microsoft.com is an alias for www.microsoft.com.edgesuite.net.
www.microsoft.com.edgesuite.net is an alias for a562.cd.akamai.net.
a562.cd.akamai.net has address 63.236.1.163
a562.cd.akamai.net has address 63.236.1.160
a562.cd.akamai.net has address 63.236.1.153
a562.cd.akamai.net has address 63.236.1.139
a562.cd.akamai.net has address 63.236.1.168
a562.cd.akamai.net has address 63.236.1.147
a562.cd.akamai.net has address 63.236.1.138
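The point several posters make above (a Netcraft fingerprint of an Akamai-fronted site tells you about the cache, not the origin) is easy to check mechanically. The following is an added example, not code from the thread: it parses `host` output of the form pasted above, follows the CNAME chain, and reports whether the final name lives under a CDN domain. The sample text is constructed from the `host` output posted above, and the list of CDN suffixes is an assumption for illustration.

```python
# Added example: follow the CNAME chain in `host` output and flag CDN fronting.
# Sample input is constructed from the host output posted in the thread; the CDN
# suffix list is an assumption for illustration, not an authoritative registry.
import re

CDN_SUFFIXES = (".edgesuite.net", ".akamai.net")  # assumed CDN name suffixes

ALIAS_RE = re.compile(r"^(\S+) is an alias for (\S+)\.$")
ADDR_RE = re.compile(r"^(\S+) has address (\d+\.\d+\.\d+\.\d+)$")

SAMPLE_HOST_OUTPUT = """\
$ host www.microsoft.com
www.microsoft.com is an alias for www.microsoft.com.edgesuite.net.
www.microsoft.com.edgesuite.net is an alias for a562.cd.akamai.net.
a562.cd.akamai.net has address 63.236.1.163
a562.cd.akamai.net has address 63.236.1.160
a562.cd.akamai.net has address 63.236.1.153
a562.cd.akamai.net has address 63.236.1.139
a562.cd.akamai.net has address 63.236.1.168
a562.cd.akamai.net has address 63.236.1.147
a562.cd.akamai.net has address 63.236.1.138
"""


def parse_host_output(text):
    """Return (aliases, addresses): alias -> target name, name -> [IPv4 strings]."""
    aliases, addresses = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("$"):   # skip blank lines and the typed command
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = m.group(2)
            continue
        m = ADDR_RE.match(line)
        if m:
            addresses.setdefault(m.group(1), []).append(m.group(2))
    return aliases, addresses


def cname_chain(name, aliases):
    """Follow CNAMEs from name until a name with no alias; guard against loops."""
    chain, seen = [name], {name}
    while chain[-1] in aliases:
        nxt = aliases[chain[-1]]
        if nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def front_end_report(name, text):
    """Summarise what a banner/OS scan of `name` would actually be talking to."""
    aliases, addresses = parse_host_output(text)
    chain = cname_chain(name, aliases)
    final = chain[-1]
    return {
        "chain": chain,
        "addresses": addresses.get(final, []),
        # If the last hop is a CDN name, the OS/server seen by a scanner is the CDN edge.
        "fronted_by_cdn": any(final.endswith(s) for s in CDN_SUFFIXES),
    }


if __name__ == "__main__":
    report = front_end_report("www.microsoft.com", SAMPLE_HOST_OUTPUT)
    print(" -> ".join(report["chain"]))
    print("fronted by CDN:", report["fronted_by_cdn"], "| edge addresses:", len(report["addresses"]))
```

When `fronted_by_cdn` is true, the operating system a fingerprinting service reports belongs to the edge node at those addresses; the `Server:` header, by contrast, is passed through from the origin, which is exactly the "Linux / Microsoft-IIS/6.0" combination in the Netcraft record above.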
here it is:
/16
...
.. that should not be all that much of a problem.
Date: Fri, 15 Aug 2003 08:33:57 +0200
From: Carsten.Truckenbrodt@Bertelsmann.de
Subject: Re: [Full-Disclosure] MS should point windowsupdate.com to 127.0.0.1
To: full-disclosure@lists.netsys.com
Cc: security@microsoft.com
Hi,
This might be a bad idea. If you let windowsupdate.com resolve to 127.0.0.1
the following will happen: The worm uses spoofed IPs from the local
subnet as source address. Pointing all the syn packets to 127.0.0.1 will
generate a RST packet from the local host to the spoofed IPs and spread
traffic over the complete internal network.
Even blocking or routing the normally resolved IP to Null0 will be a lot of
work because this domain is load balanced through the world. That means you
get a different resolution depending on your ISP or place in the world.
If you manipulate your DNS, you should give no A-Record back to the worm.
With this the worm will not start attacking anything. So setting up a
nameserver zone with only a SOA record will do the job for Saturday 0:00.
Best Regards,
Carsten Truckenbrodt
Arvato systems Taco Network SnotIing Security
-----Original Message-----
From: Tobias Oetiker [mailto:oetiker@ee.ethz.ch]
Sent: Friday, 15 August 2003 00:15
To: full-disclosure@lists.netsys.com
Cc: security@microsoft.com
Subject: [Full-Disclosure] MS should point windowsupdate.com to 127.0.0.1
Folks,
How about MS standing up for the mess, and changing their own DNS to point
all requests for windowsupdate.com and whatnot to 127.0.0.1?
This will null the effect of the syn flood very effectively. Only proxies
will be affected.
As far as I see it, they will not be able to use these names productively
for the foreseeable future anyways
So they will have to issue an update for windows-updater through other
channels (like their homepage for example) to point it to a different
web-site
If MS does NOT make this change to their DNS, I can see many routers who are
trying to track connections toppling over in interesting ways.
Because the local techs have no clue, it will
take the affected companies ages to get back on the net.
tobi
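The two e-mails above disagree on what to hand the worm from DNS: an A record for 127.0.0.1, or no A record at all (a zone with only an SOA, so the lookup succeeds with an empty answer and the worm has nothing to flood). The following is an added example, not code from the thread or from either e-mail: it builds both answers in raw DNS wire format (RFC 1035, no compression, no network access) and shows what a gethostbyname()-style client extracts from each. The zone name `windowsupdate.com` is from the thread; the nameserver and contact names, serial and timers are assumptions for illustration.

```python
# Added example: the "A record for 127.0.0.1" answer versus the "SOA-only, no A record"
# answer, hand-built on the wire, and the client-side lookup result for each.
# ns1.example.net / hostmaster.example.net, the serial and the timers are assumed values.
import struct

A, SOA, IN = 1, 6, 1


def encode_name(name):
    """Uncompressed wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def build_query(qname, qid=0x1234):
    """Standard recursive-desired query for an A record."""
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", A, IN)


def _header(query, ancount, nscount):
    qid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", qid, 0x8400, 1, ancount, nscount, 0)   # QR=1, AA=1, RCODE=0


def _question(query):
    _, qend = decode_name(query, 12)
    return query[12:qend + 4]                          # name + qtype + qclass


def build_a_response(query, ip, ttl=3600):
    """What 'point it at 127.0.0.1' (or any address) looks like: one A record in the answer."""
    qname, _ = decode_name(query, 12)
    rdata = bytes(int(o) for o in ip.split("."))
    rr = encode_name(qname) + struct.pack("!HHIH", A, IN, ttl, 4) + rdata
    return _header(query, 1, 0) + _question(query) + rr


def build_nodata_response(query, zone, mname, rname, serial=2003081501, minimum=3600):
    """SOA-only zone: authoritative NOERROR, empty answer section, SOA in the authority section."""
    soa = encode_name(mname) + encode_name(rname) + struct.pack("!IIIII", serial, 3600, 900, 604800, minimum)
    rr = encode_name(zone) + struct.pack("!HHIH", SOA, IN, minimum, len(soa)) + soa
    return _header(query, 0, 1) + _question(query) + rr


def a_records(response):
    """Client side: the IPv4 addresses in the answer section (authority section is ignored)."""
    qdcount, ancount = struct.unpack("!HH", response[4:8])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(response, off)
        off += 4
    ips = []
    for _ in range(ancount):
        _, off = decode_name(response, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == A and rclass == IN and rdlen == 4:
            ips.append(".".join(str(b) for b in response[off:off + 4]))
        off += rdlen
    return ips


def worm_target(response):
    """The worm floods whatever the A lookup returns; with no A record it has no target."""
    ips = a_records(response)
    return ips[0] if ips else None


if __name__ == "__main__":
    q = build_query("windowsupdate.com")
    print("127.0.0.1 answer ->", worm_target(build_a_response(q, "127.0.0.1")))
    print("SOA-only answer  ->", worm_target(build_nodata_response(
        q, "windowsupdate.com", "ns1.example.net", "hostmaster.example.net")))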
I don't get it either. Slashdot says "future updates will come from a different domain" as if they always came from windowsupdate.com, which is completely false.
"Sufferin' succotash."
Unix is more secure for (at least) two reasons:
1. Users don't run Unix as root. Viruses have a very hard time attacking programs they have no write permissions on.
2. Unix has a much longer history than Windows NT+. It's had more time for the holes and buffer problems and other stuff to be fixed. Linux essentially "lengthens" its short history because it has so many eyes looking at it.
3. The killer Unix programs (Apache, SSH, PostgreSQL, etc.) don't run as root either. So even if they get exploited, worms can't do much with their rights anyway.
Unix is just built better. It has a longer history. I'll cede that perhaps with a larger user base (pretend Unix has 90% market share) it would be a bigger target, but it is *not* as susceptible as Windows is. Not by a large margin.
$ host www.microsoft.com
www.microsoft.com is an alias for www.microsoft.com.edgesuite.net.
www.microsoft.com.edgesuite.net is an alias for a562.cd.akamai.net.
a562.cd.akamai.net has address 206.112.112.69
a562.cd.akamai.net has address 206.112.112.71
a562.cd.akamai.net has address 206.112.112.63
a562.cd.akamai.net has address 206.112.112.64
I installed and ran the Microsoft BSA utility that scans your computer for updates (windowsupdate looks in registry only) per the link above. It found 4 problems that WindowsUpdate can't find, so I followed the links, to read about them.
Problem is, when you click on the link to DOWNLOAD the actual patch for XP, it just redirects you to www.microsoft.com, so even their security tool is useless if you can't get to the files to manually install them. Fucking ridiculous.
Tequila: It's not just for breakfast anymore!
I could be wrong, but I'm pretty sure that PostgreSQL complains very loudly when run as root, and instead prefers to be run in a separate account named "postgres". Likewise, my Apache was by default set to run in an account named "httpd". As for sshd, I dunno, you may well be right about that one.
This is on RH 7.1, so it may have changed.
Going to 'tools, windows update' in internet explorer takes you to a redir site on microsoft.com, which attempts to forward you to windowsupdate.com NOT windowsupdate.microsoft.com .. even still (~3PM EST). you'd think they'd at least fix that if they were fuckin with the dns..
You may not know this, but when you change an entry in DNS, it is not available to everyone for a while. This is due to caching (all ISP DNS servers are caching servers, of course). For instance, the AOL servers may have gotten the IP for the domain at 8am, and if it doesn't expire for 24 hours, their server will assume it is still at the same IP, so when an AOLer tries to go there (using AOL's DNS server) it will simply give that IP address, even though it has changed. It won't go back to the SOA and check the serial number of the DNS entry to see if it is still valid until after it expires and someone requests it. So, it depends on the expiry of the DNS record before the change. My experience is that it takes 1 to 2 days for all the changes to fully propagate, and sometimes longer on some DNS servers if they override expiry.
Tequila: It's not just for breakfast anymore!
The button on the taskbar is targeted to
%SystemRoot%\system32\wupdmgr.exe
which sends me to http://v4.windowsupdate.microsoft.com/en/default.
which appears to work just fine. Didn't try it from the IE tools menu, though.
There is much cruelty in the universe, John.
Yeah, we seem to have the tour map.
WindowsUpdate.com did not, I REPEAT: DID NOT EVER Run Linux. The scan from Netcraft only shows that during a particular scan the DNS resolved to Akamai's web caching servers. So Puh-LEASE don't try to start misinformed rumors.
OS: Linux, Server: AkamaiGHost, Last changed: 15-Aug-2003, IP address: 213.161.82.37, Netblock Owner: Akamai
Exactly! But what more can you do? I mean, if I get root access to a Red Hat box, I could corrupt the RPM database just as easily as a Windows virus could corrupt the registry. It's just a programmer's API, any way you look at it. If you have the intention and the permissions, you can screw up any OS.
The registry is protected with ACLs just as well as your average access-controlled filesystem (NTFS), so complaining about it being "easy to modify" is irrelevant. Files are easy to modify too, if you have the right permissions. But you EXPECT the permissions to block stupid programs from messing with your files.
Now I'm assuming someone is going to say, "But Windows users run as Administrator!" Well, if that's the case, then running a trojan horse or spyware app is their own damn fault. Running as Administrator all the time basically makes your NT system as secure as Windows 9x was.
Power grid in question is older that Microsoft is. I doubt it runs on Windows...
And, if you read further about how Netcraft actually works, you will notice that they state that firewalls and other sorts of software can make it appear that a server's software is actually running on an OS that it would otherwise be impossible to run on. This is why you will find IIS running on Solaris, FreeBSD and Linux. Read first.
www.sitetronics.com/wordpress
The SUS server is supposed to synchronize itself (manually or automatically) with Microsoft's servers to get the latest updates, and you get a chance to approve them for distribution to clients. Not a bad idea, and it seems to work OK.
However, the URL that's coded into SUS to synchronize with updates is -- wait for it -- a windowsupdate.com URL!
Error Message: "Failed to download from URL 'http://www.msus.windowsupdate.com/msus/v1/aucatalog1.cab'. (Error 0x80072EFD: Unable to connect to the server.)"
Anyone using SUS to update their client machines is now stuck with their current update set until Microsoft sets up a new site to sync with and documents how to change the URL that SUS uses to whatever one they come up with.
Lame.
Well they bought a Romanian AV company called RAV. They used to have anti virus products for Linux and FreeBSD (to scan for wind0ze viruses of course), but no more now.
I don't know why this became a big deal. Ok, I lied. It became a big deal because of users who did not patch their systems (for whatever reason). But it isn't like this patch is new. It was originally posted on July 16, 2003. They just revised the bulletin because of the outbreak.
From MS's site:
Why have you revised this bulletin?
Subsequent to the release of this bulletin Microsoft has been made aware that additional ports involving RPC can be used to exploit this vulnerability. Information regarding these additional ports has been added to the mitigating factors and the Workaround section of the bulletin.
If I have installed the patch provided with the original bulletin, am I still protected?
Yes. There has been no update to the patch itself, and the patch will still correct the vulnerability. This additional information is being provided to those customers who may require a temporary workaround until they can apply the patch.
I wish I could make my friends, family, people I know read these security reports on their own, but they never do.
-Valiss
That is a bad idea. Not only does it not account for polymorphism in the name, but is also not foolproof.
For instance, block an image name, then set your Internet Explorer home page to that image. Bam. It executes with no problems. As long as a trusted program executes it, Windows will not complain. The group policy only prevents the user from running it directly.
*everything* is Orwellian to cats.
"Presto, instant DOS against your own network. Fun for the whole family!"
Actually this is not what would happen if you use the loopback.
The host spoofs a source address and sends it to its own loopback. This part is not seen on the network with a sniffer (obviously). What is seen though is a RST sent to the spoofed source. There is a chance the spoofed source is a real host on your network, but receiving a RST for an unestablished connection periodically will not DoS it. The other thing to remember is the RST will have a source address of 127.x.x.x, which will be dropped by any router before it leaves your local segment.
Seeing a lot of RSTs on a segment is a lot less bad (harmless?) than directed SYNs. However the best solution is the null value for DNS queries. This keeps the SYN flood function in the worm from ever kicking off. Then download the M$ tool: KB823980Scan.exe and scan for unpatched machines. Then re-evaluate and redefine the duties of a sysadmin (i.e. patch management) as well as where you want to use M$ products.
Because the worm spoofs traffic from its local subnet to the windowsupdate address. What this means is that any infected machine would spoof traffic to itself from its local subnet, and then flood the local LAN with RSTs, presuming it wasn't actually running a webserver, in which case it would flood the local LAN with ACKs. Either way, bad.
The worm doesn't sanity check the DNS result, though, so if the name doesn't exist, gethostbyname() returns -1, which translates to an IP of 255.255.255.255. The reports I'm reading say that the windows stack won't allow you to send traffic to that IP, so the machine will just drop it. (that could be wrong, though. We'll find out soon.)
Software Update Services. It is Microsoft's free solution for managing the installation of critical updates across a network. As I understand it, you are basically running your own mini Windows Update service to which your clients subscribe. You can download updates on the server and roll them out if and when you want to. I think it has reasonably good scheduling features. All the Windows Update clients need to be updated to a new version, but I think this had already been sent out in older service packs.
Caveats:
Requires Windows 2000/2003 Server (for the server)
Only updates Windows 2000/XP/2003 (Professional or higher?)
Until recently (SUS sp1), you could not install the SUS server on a domain controller.
I think it only installs critical updates, not recommended updates, and not 3rd party software... so (tear, sniffle) no euro conversion tool.
Other than that, I don't know a lot about it either... but I did very recently start a job where I desperately need to deploy something like this. There's a lot of questions I have like how do you ensure the clients actually update? Is there any reporting? Are the updates pushed or pulled? Does anyone have any SUS stories good or bad?
More info
Server Download Page
Random dated article found on google.
http://www.matrikon.com/drivers/opc/whatisopc.asp
OLE for Process Control (OPC) is a new technology designed to bridge Windows based applications and process control hardware. It is an open standard that permits a consistent method of accessing field data from plant floor devices. This method remains the same regardless of the type and source of data. Therefore, end users are free to choose the software and hardware that meets their primary production needs, without having to consider the availability of proprietary drivers.
OPC components fit into two categories: OPC clients and OPC servers. A client is typically a data sink -- an application that uses data in some way, such as an MMI or SCADA package. A server is a data source -a device specific program that collects data from a field device, and then makes it available to an OPC client.
and DCOM definitely appears to be in the mix as well:
http://www.opcfoundation.org/Downloads/White%20Papers/OPC,%20DCOM%20and%20Security.pdf
Perhaps the lusers who are uneducatedly blaming the blaster virus aren't entirely wrong.
-1 Overrated for that on a +5 post
They already revoked access to WU for people who used pirated licence keys. As a result, there are plenty of XP installations which will never be patched. I believe this is reckless and self-defeating.
ASCII ribbon campaign for peace
And now, the company has "extinguished" WindowsUpdate.com (future updates will come from a different domain). All this because of some Microsoft worm that triggers at midnight.
If you're going to submit a biased article, at least get the facts straight. WindowsUpdate.com was never the primary WU domain, windowsupdate.microsoft.com was. They're just disabling the extra one that was never linked from the Windows OS.
Beware: In C++, your friends can see your privates!
:)
A few of the german microsoft sites used to run Linux. Oh, and their "Switch to Windows" campaign server used to run Linux as well until everyone started picking on them. You don't have to get all huffy because Microsoft had to rely on the awesome power of Linux to save their bacon. They went with Akamai to load balance a site, and Akamai uses industrial strength Linux. So yes, inadvertently WindowsUpdate.com IS running on Linux. The scan from Netcraft was correct. So Sorry. Thank You For Playing. No rumors here. It's the honest to God's truth.
For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
Most Windows users will know that something is wrong when "svchost" constantly crashes, prompting for a reboot. The hits on port 135 cause it to bork out. My mom, who is quite "computer illiterate", knew that something was wrong, and called me about it. We corrected the problem by upgrading her virus definitions (which were only a week out of date), and installed ZoneAlarm Free on her machine to stealth the ports from now on.
GRISoft's AVG Antivirus, and ZoneAlarm, are two great and free tools that can fix and prevent these things.
AVG Anti-Virus
Zone Alarm
A year or two ago, I wouldn't have thought that firewalls were so essential for dial-up users. Now, it's important for all users to have them, regardless of the OS.
Windows update is already massively load balanced across multiple server farms. They use both a DNS based load balancer (F5 3DNS) and local area load balancers (F5 BIGIP). The server farms are in a number of locations. Early, and not so early in the implementation of this, a number of people were concerned that Microsoft was attacking them because the 3-DNS's would create probes from each datacenter to the end-users system. I'm not sure if that is still being used. I have no knowledge of how they Akamized so quickly since I haven't been involved with this project in years. However, it should be pointed out that the BIG-IP's make Akamizing content a very simple matter. I'm not shilling for F5- I no longer own any of the stock, haven't been an employee for years, and I'm now just a reasonably-satisfied customer.
I'm not so sure. I have a dial-up and I got the worm IMMEDIATELY. It kept shutting down Windows to the point I couldn't even d/l the patch in time. I eventually found (through Symantec) where the worm was in the system and in the registry. Only then could I keep going long enough to install the patch and the anti-virus definition to fully remove it. It was really frustrating.
[SIG] Remember Mattel handheld games?
This is going to get blamed on "hackers". And we all know hackers hate God, hate America, root for Saddam, get pentagram tattoos on their foreheads....and use Linux.
Unfortunately, this is (in my experience over the last couple of days) correct.
Since the outbreak of Blaster, I've helped around 5 or 6 family members (you know the ones: "Um, you work with computers and mine's broken. What do I do?") patch their home systems and remove the worm.
"What was it?" they ask. "Well, it's this worm you see..." and before you can finish your sentence you get a barrage of "Why do these people do this??? Do they think it's fun???".
"Who, Microsoft?" I ask.
"NO! These bloody hackers!!! Where do they get off busting into my system. I wish they'd all get a life. Arseholes".
Sigh... There's really no point explaining that it's because of MS that they have these problems. They don't have an alternative as they see it. Computer = Windows.
TSJ