Slashdot Mirror


WindowsUpdate.com Secured, Permanently

Precisely nineteen months ago, Bill Gates sent out a memo to employees (and the press) announcing that security was Microsoft's number-one priority. Today, about a hundred readers have submitted the news that Microsoft.com went down last night. And now, the company has "extinguished" WindowsUpdate.com (future updates will come from a different domain). All this because of some Microsoft worm that triggers at midnight. Related news: Windows Update says you're protected, but maybe you're not; WU.com briefly ran Linux, heh; worm variant with clever "anatomical term."

13 of 766 comments

  1. NetCraft stats by xrayspx · · Score: 5, Informative

    Take NetCraft stats with a Big Grain of Salt (big grains of salt, heh). If a site is "Akamized", as this one was, or is otherwise distributed, you'll see the OS of the front end, not what the site actually runs. You'll note that NetCraft lists "linux" for the Akamai site.

  2. It sure is a hell of a lot faster by Hamster+Lover · · Score: 4, Informative

    Went to check for updates today, just for the hell of it and the speed was a huge improvement over the old URL.

  3. Re:What did they do? by lucifuge31337 · · Score: 4, Informative

    Did they point windowsupdate.com to 127.0.0.1 ? I hope not, there was a mail on FD explaining that such an action would cause it to DOS the local network.. Also, wtf is up with the site running lunix?

    No, they took the A record out completely. It's not Akamaized. That's the Linux box you see.

    --
    Do not fold, spindle or mutilate.
  4. not quite by joe_bruin · · Score: 5, Informative

    OS: Linux
    Server: Microsoft-IIS/6.0
    Last changed: 15-Aug-2003
    IP address: 213.161.82.33
    Netblock Owner: Akamai

    they did not switch their servers to linux, they used akamai's caching services to handle their massive bandwidth requirements. notice the server is still iis. this is an akamai box (linux) serving a cached copy of microsoft.com (windows/iis)

    $ host www.microsoft.com
    www.microsoft.com is an alias for www.microsoft.com.edgesuite.net.
    www.microsoft.com.edgesuite.net is an alias for a562.cd.akamai.net.
    a562.cd.akamai.net has address 63.236.1.163
    a562.cd.akamai.net has address 63.236.1.160
    a562.cd.akamai.net has address 63.236.1.153
    a562.cd.akamai.net has address 63.236.1.139
    a562.cd.akamai.net has address 63.236.1.168
    a562.cd.akamai.net has address 63.236.1.147
    a562.cd.akamai.net has address 63.236.1.138

  5. Re:What did they do? by Tirel · · Score: 5, Informative

    here it is:
    Date: Fri, 15 Aug 2003 08:33:57 +0200
    From: Carsten.Truckenbrodt@Bertelsmann.de
    Subject: AW: [Full-Disclosure] MS should point windowsupdate.com to 127.0.0.1
    To: full-disclosure@lists.netsys.com
    Cc: security@microsoft.com

    Hi,

    This might be a bad idea. If you let windowsupdate.com resolve to 127.0.0.1
    the following will happen: The worm uses spoofed IPs from the local /16
    subnet as source address. Pointing all the syn packets to 127.0.0.1 will
    generate a RST packet from the local host to the spoofed IPs and spread
    traffic over the complete internal network.
    Even blocking or routing the normally resolved IP to Null0 will be a lot
    work because this domain is loadbalanced through the world. That means you
    get a different resolution depending on your ISP or place in the world.

    If you manipulate your DNS, you should give no A-Record back to the worm.
    With this the worm will not start attacking anything. So setting up a
    nameserver zone with only a SOA record will do the job for Saturday 0:00.

    Best Regards,

    Carsten Truckenbrodt
    Arvato systems Taco Network SnotIing Security

    -----Original Message-----
    From: Tobias Oetiker [mailto:oetiker@ee.ethz.ch]
    Sent: Friday, 15 August 2003 00:15
    To: full-disclosure@lists.netsys.com
    Cc: security@microsoft.com
    Subject: [Full-Disclosure] MS should point windowsupdate.com to 127.0.0.1

    Folks,

    How about MS standing up for the mess, and changing their own DNS to point
    all requests for windowsupdate.com and whatnot to 127.0.0.1 ?

    This will null the effect of the syn flood very effectively. Only proxies
    will be affected.

    As far as I see it, they will not be able to use these names productively
    for the foreseeable future anyways ...

    So they will have to issue an update for windows-updater through other
    channels (like their homepage for example) to point it to a different
    web-site .. that should not be all that much of a problem.

    If MS does NOT make this change to their DNS, I can see many routers that are
    trying to track connections toppling over in interesting ways.

    Because the local techs have no clue, it will
    take the affected companies ages to get back on the net.

    tobi

  6. Re:really... by conan_albrecht · · Score: 4, Informative

    Unix is more secure for (at least) two reasons:

    1. Users don't run Unix as root. Viruses have a very hard time attacking programs they have no write permissions on.

    2. Unix has a much longer history than Windows NT+. It's had more time for the holes and buffer problems and other stuff to be fixed. Linux essentially "lengthens" its short history because it has so many eyes looking at it.

    3. The killer Unix programs (Apache, SSH, PostgreSQL, etc.) don't run as root either. So even if they get exploited, worms can't do much with their rights anyway.

    Unix is just built better. It has a longer history. I'll cede that perhaps with a larger user base (pretend Unix has 90% market share) it would be a bigger target, but it is *not* as susceptible as Windows is. Not by a large margin.

  7. Re:I think the windows update button on the taskba by Pharmboy · · Score: 5, Informative

    I installed and ran the Microsoft BSA utility that scans your computer for updates (windowsupdate looks in registry only) per the link above. It found 4 problems that WindowsUpdate can't find, so I followed the links, to read about them.

    Problem is, when you click on the link to DOWNLOAD the actual patch for XP, it just redirects you to www.microsoft.com, so even their security tool is useless if you can't get to the files to manually install them. Fucking ridiculous.

    --
    Tequila: It's not just for breakfast anymore!
  8. Holy Misinformation Batman! by kevlar · · Score: 4, Informative


    WindowsUpdate.com did not, I REPEAT: DID NOT EVER Run Linux. The scan from Netcraft only shows that during a particular scan the DNS resolved to Akamai's web caching servers. So Puh-LEASE don't try to start misinformed rumors.

    OS: Linux
    Server: AkamaiGHost
    Last changed: 15-Aug-2003
    IP address: 213.161.82.37
    Netblock Owner: Akamai

  9. Microsoft hosed their own update service! by KE1LR · · Score: 5, Informative
    Microsoft has a free tool called " SUS " which is a localized version of Windows Update - you run it on a W2K server in your enterprise and then redirect your clients to get their automagic updates from the local server instead of going to MS directly.

    The SUS server is supposed to synchronize itself (manually or automatically) with Microsoft's servers to get the latest updates, and you get a chance to approve them for distribution to clients. Not a bad idea, and it seems to work OK.

    However, the URL that's coded into SUS to synchronize with updates is -- wait for it -- a windowsupdate.com URL!

    Error Message:
    "Failed to download from URL 'http://www.msus.windowsupdate.com/msus/v1/aucatalog1.cab'. (Error 0x80072EFD: Unable to connect to the server.)"

    Anyone using SUS to update their client machines is now stuck with their current update set until Microsoft sets up a new site to sync with and documents how to change the URL that SUS uses to whatever one they come up with.

    Lame.

  10. Re:Next Week.. by gclef · · Score: 4, Informative

    Because the worm spoofs traffic from its local subnet to the windowsupdate address. What this means is that any infected machine would spoof traffic to itself from its local subnet, and then flood the local LAN with RSTs, presuming it wasn't actually running a webserver, in which case it would flood the local LAN with ACKs. Either way, bad.

    The worm doesn't sanity check the DNS result, though, so if the name doesn't exist, gethostbyname() returns -1, which translates to an IP of 255.255.255.255. The reports I'm reading say that the windows stack won't allow you to send traffic to that IP, so the machine will just drop it. (that could be wrong, though. We'll find out soon.)
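    The sinkhole Truckenbrodt recommends in comment 5 (hand the worm no A record at all: a zone holding only an SOA) and the resolution-failure case gclef describes directly above, worked through as an added example that is not part of the original thread or of any Microsoft or Akamai code. It is a small authoritative responder built on the standard library: queries for the sinkholed apex get NOERROR with an empty answer section (NODATA), queries for any name beneath it get NXDOMAIN, and both carry the SOA in the authority section so resolvers can negatively cache the result. Nothing ever resolves to 127.0.0.1 or to any other address, which is the whole point of the email. The zone list, the SOA MNAME/RNAME names, the serial and the listening port are assumptions chosen for the example.

```python
"""Minimal authoritative DNS sinkhole that returns no A record for a blocked zone.

Added example, not code from the thread. Names below are assumptions.
"""
import socketserver
import struct

SINKHOLED_ZONES = {"windowsupdate.com"}          # assumed: the only domain the thread names
SOA_MNAME = "ns1.sinkhole.example."              # assumed/hypothetical primary name server
SOA_RNAME = "hostmaster.sinkhole.example."       # assumed/hypothetical contact mailbox

QTYPE_A, QTYPE_SOA, CLASS_IN = 1, 6, 1
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Return (lowercased name, offset after the name); follows compression pointers."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                    # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower(), (end if jumped else off)


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Build the query a stub resolver (or the worm's gethostbyname) would send."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def zone_for(name: str):
    """Return the sinkholed zone that covers name, or None."""
    for zone in SINKHOLED_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def soa_rr(zone: str, ttl: int = 60) -> bytes:
    """SOA record for the authority section; the minimum field drives negative caching."""
    rdata = encode_name(SOA_MNAME) + encode_name(SOA_RNAME) + struct.pack(
        "!IIIII", 2003081501, 3600, 900, 604800, ttl)   # serial, refresh, retry, expire, minimum
    return encode_name(zone) + struct.pack("!HHIH", QTYPE_SOA, CLASS_IN, ttl, len(rdata)) + rdata


def build_sinkhole_response(query: bytes):
    """Answer with no A record for sinkholed names; return None for names we don't own."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    if qdcount != 1:
        return None
    qname, off = decode_name(query, 12)
    zone = zone_for(qname)
    if zone is None:
        return None
    # Apex: NOERROR with an empty answer (NODATA). Anything beneath it: NXDOMAIN.
    rcode = RCODE_NOERROR if qname == zone else RCODE_NXDOMAIN
    resp_flags = 0x8000 | 0x0400 | (flags & 0x0100) | rcode   # QR, AA, RD copied, RCODE
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 1, 0)  # 0 answers, 1 authority
    question = query[12:off + 4]                                 # echo name, type, class
    return header + question + soa_rr(zone)


def parse_response(resp: bytes) -> dict:
    """Pull out the fields a client would act on."""
    _, flags, _, an, ns, _ = struct.unpack("!HHHHHH", resp[:12])
    return {"rcode": flags & 0xF, "aa": bool(flags & 0x0400), "ancount": an, "nscount": ns}


class SinkholeHandler(socketserver.BaseRequestHandler):
    def handle(self):
        data, sock = self.request
        resp = build_sinkhole_response(data)
        if resp is not None:          # names outside the sinkholed zones are ignored here;
            sock.sendto(resp, self.client_address)   # a real resolver would forward them


def serve(host: str = "127.0.0.1", port: int = 5353):
    """Listen on an assumed unprivileged port; point a test resolver at it."""
    with socketserver.UDPServer((host, port), SinkholeHandler) as server:
        server.serve_forever()


if __name__ == "__main__":
    serve()
</test>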

  11. Re:I think the windows update botton on the taskba by subsolar2 · · Score: 4, Informative
    Going to 'tools, windows update' in internet explorer takes you to a redir site on microsoft.com, which attempts to forward you to windowsupdate.com NOT windowsupdate.microsoft.com .. even still (~3PM EST). you'd think they'd at least fix that if they were fuckin with the dns..
    You may not know this, but when you change an entry in DNS, it is not available to everyone for a while. This is due to caching (all ISP DNS servers are caching servers, of course). For instance, the AOL servers may have gotten the ip for the domain at 8am, and if it doesnt expire for
    You may not know this, but you are incorrect ... the redirection has nothing to do with DNS dns enteries propagating and everything to do with MS's web site/server. It's redirecting to the old URL and not the new one.

    -1 Overrated for that on a +5 post

  12. Re:Next Week.. by 13Echo · · Score: 4, Informative

    Most Windows users will know that something is wrong when "svchost" constantly crashes, prompting for a reboot. The hits on port 135 cause it to bork out. My mom, who is quite "computer illiterate", knew that something was wrong, and called me about it. We corrected the problem by upgrading her virus definitions (which were only a week out of date), and installed ZoneAlarm Free on her machine to stealth the ports from now on.

    GRISoft's AVG Antivirus, and ZoneAlarm, are two great and free tools that can fix and prevent these things.

    AVG Anti-Virus
    Zone Alarm

    A year or two ago, I wouldn't have thought that firewalls were so essential for dial-up users. Now, it's important for all users to have them, regardless of the OS.

  13. Re:Next Week.. by AngryRodent · · Score: 5, Informative

    Windows update is already massively load balanced across multiple server farms. They use both a DNS based load balancer (F5 3DNS) and local area load balancers (F5 BIGIP). The server farms are in a number of locations. Early, and not so early in the implementation of this, a number of people were concerned that Microsoft was attacking them because the 3-DNS's would create probes from each datacenter to the end-users system. I'm not sure if that is still being used. I have no knowledge of how they Akamized so quickly since I haven't been involved with this project in years. However, it should be pointed out that the BIG-IP's make Akamizing content a very simple matter. I'm not shilling for F5- I no longer own any of the stock, haven't been an employee for years, and I'm now just a reasonably-satisfied customer.