Slashdot Mirror


WindowsUpdate.com Secured, Permanently

Precisely nineteen months ago, Bill Gates sent out a memo to employees (and the press) announcing that security was Microsoft's number-one priority. Today, about a hundred readers have submitted the news that Microsoft.com went down last night. And now, the company has "extinguished" WindowsUpdate.com (future updates will come from a different domain). All this because of some Microsoft worm that triggers at midnight. Related news: Windows Update says you're protected, but maybe you're not; WU.com briefly ran Linux, heh; worm variant with clever "anatomical term."

54 of 766 comments

  1. I think the windows update button on the taskbar.. by Squeezer · · Score: 4, Insightful

    always took you to http://windowsupdate.microsoft.com, so what's the big deal about cancelling windowsupdate.com? Do you think anyone will notice, or care for that matter?

    --
    Does the name Pavlov ring a bell?
  2. A moving target is still a target by bigberk · · Score: 2, Insightful

    This is kind of interesting: Microsoft's insecure Windows platforms are the breeding ground of massively distributed worms, which are designed to attack Microsoft's own servers (karma?)

    While Microsoft thinks the "solution" is to move the target server, the real solution is to fix those gaping holes in their products.

    1. Re:A moving target is still a target by ebh · · Score: 5, Insightful
      Um, not to be a Microsoft apologist or anything, but at least in the case of MSBlast, they DID fix the problem.

      This is not like those stupid email trojans that are inexcusable because Microsoft intentionally opened the door (with scriptable email, etc.). This is a garden-variety buffer-overflow exploit of the sort that could just as easily still exist somewhere in Linux.

    2. Re:A moving target is still a target by Nothinman · · Score: 3, Insightful

      Too bad the target audience of this worm doesn't have an AD to help them.

    3. Re:A moving target is still a target by RoLi · · Score: 2, Insightful
      Um, not to be a Microsoft apologist or anything, but at least in the case of MSBlast, they DID fix the problem.

      I think the original poster meant fixing it before shipping it.

      But as long as nobody complains about the wasted time downloading and patching the systems weekly, I guess Microsoft is fully correct when they use their customers as paying beta-testers.

    4. Re:A moving target is still a target by imnoteddy · · Score: 2, Insightful
      There wasn't time to patch all of our servers during the outbreak, so one of the guys here implemented a group policy that prevents execution of msblast.exe and teekids.exe on any machine on our network.

      There was time to patch before the outbreak and there have been advisories for weeks that the worm was coming. This guy would have been smarter to apply the patches in the first place.

      --
      No electrons were harmed creating this post, though some may have been subjected to electrical and/or magnetic fields.
    5. Re:A moving target is still a target by Anonymous Coward · · Score: 1, Insightful
      one of the guys here implemented a group policy that prevents execution of msblast.exe and teekids.exe on any machine on our network.

      Note to self: If I ever decide to write a worm, code it to generate a random filename for each new infection.

  3. Security by obscurity. by grub · · Score: 3, Insightful


    Change the update machines, new names, etc etc. MS is resorting to smoke and mirror tricks. It will only fool the current worms, not future ones that will have the new machine names in them.

    --
    Trolling is a art,
  4. ran Linux? by Anonymous Coward · · Score: 2, Insightful

    Netcraft goes by IP, so if the MS servers went down and someone else running Linux got the IP, then it could show up on Netcraft. It's happened to me, where my DNS would point to some IP, but then I moved apartments, and my net was down for a week, and during that week Netcraft said that my system was running Win2K... but I haven't had Windows in my home at all for about a year.

    But with MS, they probably were running Linux, and their IPs likely don't change like that. But you never know.

  5. Re:I think the windows update button on the taskba by h0tblack · · Score: 4, Insightful

    They're obviously worried that something is in the wild that is hard-coded to attack WindowsUpdate.com, else there would be no point in abandoning that domain and moving to another.

  6. Permanently Secured == Permanently Offline? by Matrix272 · · Score: 5, Insightful

    So "Permanently Secured" now basically means "Permanently Offline"? Why didn't they just let the worm eat the domain? What's the difference, really? Whether they pull the plug, or the worm does it for them, it still means windowsupdate.com won't work...

    --
    "It's better to have a gun and not need it than need a gun and not have it." ~ Christian Slater, True Romance
  7. Re:I think the windows update button on the taskba by druske · · Score: 4, Insightful
    "...whats the big deal about cancelling windowsupdate.com? do you think anyone will notice, or care for that matter?"
    The virus writers will care. I'd be surprised if a version with a New Improved attack address hadn't already been launched, probably ignoring the semaphore which normally kept the worm from reinstalling itself on an infected machine. If this happens, Microsoft's initial countermeasure won't be worth much for long. Still, it was a necessary and sensible first step.
  8. A secured Windows is a dead window, eh? by Anonymous Coward · · Score: 1, Insightful

    And who says that BSODs are so bad?

  9. Re:really... by Eric+Ass+Raymond · · Score: 4, Insightful
    What makes you think that Linux is secure software? Or FreeBSD for that matter. I'd argue that OpenBSD is more secure, but so is Trusted Solaris. Given the same marketshare as Windows, Linux would be just as much targeted by the black hats and script kiddies alike as Windows is these days. This time you cannot even blame Microsoft for delaying the patch. It was all because of a fault in software, and if you argue that the open source alternatives are immune to remote holes, you're deluding yourself.

    governments of the world should heavily fine ms each time a serious bug is found and/or exploited. and people should examine, and demand, better alternatives

    Would you be prepared to submit the open source community to this same program? Every time a governmental Linux server is cracked, RedHat, SuSe or fundamentally the FSF will have to pay.

  10. Quote from one of the articles... by Anonymous Coward · · Score: 1, Insightful

    "We are preparing," said Stephen Toulouse, security program manager for Microsoft's security research center. "We are working diligently to make sure that our customers can get the patch."

    We are doing anything and everything EXCEPT making sure that these Windows problems do not find their way to the user in the first place. That would cost too much, slow down the new releases of Windows (hey, it takes us years for new releases that are nuthin' but eye-candy, you wouldn't want us to find bugs, too?), and generally just hurt our bottom line. Can't have that!

    Well, the bottom line should take a big boost now.

  11. About That Bill Gates Memo... by tds67 · · Score: 3, Insightful
    Quote the Gates:

    So now, when we face a choice between adding features and resolving security issues, we need to choose security.

    Apparently he changed his mind.

    Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve.

    After it's too late, that is.

    A good example of this is the changes we made in Outlook to avoid email borne viruses.

    I must've been absent when that came true.

    If we discover a risk that a feature could compromise someone's privacy, that problem gets solved first.

    Since when are bugs called "features"?

    If there is any way we can better protect important data and minimize downtime, we should focus on this.

    Lip + service = $$$

  12. Most Coveted Job Title Ever by seanmeister · · Score: 2, Insightful

    Marc Maiffret, chief hacking officer for security software maker eEye Digital Security, said the amount of data sent from each infected computer would be small....

    Man, how would you like to put THAT on your resume? :-)

  13. Sidechannel attacks by babbage · · Score: 5, Insightful
    Of course, this leaves them open to alternative attacks.

    For example, if someone hijacks or otherwise poisons some DNS servers, then all the traffic to windowsupdate.com will make it through to windowsupdate.microsoft.com anyway.

    Or, a future worm could be written to target & attack a variety of Microsoft servers.

    Or a future worm could be written in such a way that the target is not part of the worm's code, but rather can be directed remotely somehow. This way, even if Microsoft tries to switch addresses, the person[s] directing the attack can just change the target.

    The real solution isn't to keep trying to dodge the bullet.
    The solution is to become bulletproof.

    Even after all this time, Microsoft still doesn't seem to get that.

    Part of the reason Microsoft is such a prominent target is of course because it is so, well, prominent. Taking down (say) an FSF server doesn't raise nearly as many headlines (as this week's headlines will attest to). But I don't think that all of the problem here can be traced to how widespread Windows is -- while the Internet's clients are nearly all running Windows, a large fraction of the server architecture is running some Unix variant, and while there is of course some malware that targets *nix (Linux, Solaris, MacOSX, BSD, etc), the results never seem to be as catastrophic as the typical Windows outbreak.

    To rip off Bruce Schneier's analogy from his security article in Atlantic Monthly a year ago, it seems to me that what security mechanisms Windows has tend to be brittle, while those that the *nix etc world have tend to be pliable. That is to say, when a problem comes up with (say) Apache, the damage tends to be isolated. This is partly because each installation will be configured differently, with different features enabled or disabled, and partly because the server runs on a variety of systems, each of which may have different mechanisms for providing underlying security protections. On the other hand, IIS installations tend to be pretty homogeneous, and a flaw with one very well could be a flaw with all.

    That's not to say that IIS couldn't be just as secure as Apache, if not much more so. But part of Apache (etc)'s strength is its heterogeneous nature -- people are able to tinker, adapt, mix & match components to suit their needs, and in the process this will also tend to protect them from catastrophic failure. Microsoft has actively resisted this kind of diversity -- witness their howls about having to come up with "thousands of versions of Windows" if some of the firmer antitrust penalties were put into force. Those thousands of permutations are, arguably, exactly what is needed: this will give their users greater choice, and it will make emergencies like this more rare.

    I don't get why they're so opposed to the idea.

    Maybe they've got cleverer plans than anything I can think of. I certainly wouldn't claim to be any kind of security expert. But if the best they can come up with is a change of address card, I can't help but wonder if they're fumbling in the dark here...

    1. Re:Sidechannel attacks by babbage · · Score: 4, Insightful

      I actually don't want to get into whether or not having source code access improves security. A lot of people firmly believe that openness lends to security (and I happen to agree with them, in general), but some of the arguments against source availability are pretty persuasive too. Let's not get into that right now.

      You write...

      Apache (the core) isn't resistant to attack because it can be compiled and run just about anywhere. It's resistant because the developers assume that it *will* be attacked and they take that very seriously -- beyond adding features.

      Well put. After re-reading my post again, I think you've done a better job of putting your thumb on Schneier's argument about the pliability of systems that have well designed security. The point, which I guess I didn't really explain well enough, is that a well designed system sags instead of buckles; it softens instead of shatters. Apache tends to sag & soften; IIS tends to buckle & shatter.

      No system can ever be completely resistant to catastrophic failure. I think that Godel's incompleteness theorem and Turing's halting problem are, in a way, proofs of this assertion: no matter how well any system is designed, there are always cases that fall out of the design scope, and will cause Interesting Failures.

      This can be a depressing insight. You will never have a perfectly safe system. Ever.

      You can respond to that in a couple of ways. One is to say "fuck it, we can't win, so why try"? Another way is to say "we can't anticipate what will happen, but we can try to compartmentalize the damage from certain problem classes." You could say that Microsoft has been moving to the second point of view here, but it's taking them an agonizingly long time to get there, while Apache/Linux/etc have long been designed from this point of view.

      Interestingly, and to go back to Schneier's excellent article again, this sort of thinking also comes up in real world security considerations. Some of our systems are brittle (the airlines), and single failures can have catastrophic results. Other systems tend to be plastic (the power grid), and catastrophic failures are rare -- because single failures are common, expected, and planned for.

      This is why I find all the bleating on by the newscasters & politicians that "the power outage was not the result of terrorism." Well of course it wasn't, this isn't the sort of attack that a small malicious party can pull off. Power stations go out all the time, but normally nobody ever notices. Indeed, it is very, very hard to deliberately bring down a power system: NATO spent a month bombing the power grid & computer networks in Yugoslavia, but they never managed to do much more than bring a city like Belgrade down for a few hours before power was restored.

      If you want to bring down a whole grid, the best way to do it is by plain dumb luck (or an overwhelming lack of luck, depending on your point of view :-). It was a random fluke that caused yesterday's outage, just as it was random flukes that brought down the grid in the last two major outages, in 1977 & 1965. (On the bright side, that suggests that the mean time between power grid failures may be stretching out... :-). (Incidentally, the Presidential Report on the 1965 outage makes for fascinating -- and newly relevant -- reading material).

      (To get even further off track, this kind of thing is also why Bayesian spam filters are such a good idea: at the micro level, each filter tends to do a fairly good job of being able to classify each user's patterns. But at a macro level, everyone ends up with a unique profile, and spam crafted to circumvent one user's Bay

  14. domain sitting by zapp · · Score: 1, Insightful

    I can't wait for some asshole to try and reclaim the windowsupdate.com domain after it's been abandoned (if it is actually fully abandoned) and suddenly find his site being hammered on the first day.

    --
    no comment
  15. Scary Vulnerability by rgmoore · · Score: 5, Insightful

    This strikes me as being a really bad thing:

    Windows Update works by adding an entry into the system registry every time it installs a patch. When users log on to the update tool, it scans their registry and offers them a list of patches that have not yet been installed. Cooper said that this mechanism was found to be flawed.

    "We found that people had got the registry key for the patch, but not the file," he said, explaining that the error could be triggered by a number of reasons -- from an incomplete installation to a lack of system resources.

    They're missing a really big flaw, here, which is that this is horribly vulnerable to malicious behavior. There are already plenty of viruses and worms out there that make registry entries for one purpose or another. It seems to me that if you were exploiting a vulnerability for which a patch already existed it would be very easy to automatically modify the registry to make it appear that the patch had already been applied. This would make tracking which systems were vulnerable much, much more difficult. This would work particularly well if you were trying to make a stealth worm.

    --

    There's no point in questioning authority if you aren't going to listen to the answers.
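    The article quoted above describes a scanner that trusts a registry entry as proof that a patch is on the box, and the comment's point is that anything with registry access can write the same entry. The check below is an added example (not code from the thread, from the quoted article, or from Microsoft) of a defender's verification that refuses to take the registry's word alone: it reads the registry record and the version resource of the file the patch should have replaced, and only calls the system patched when both agree. The HotFix key location is assumed from how Windows 2000/XP recorded hotfixes; the KB id, file path and minimum version in the usage line are placeholders.

```powershell
# Added example, not code from the Slashdot thread, the quoted article, or Microsoft.
# Cross-checks a hotfix's registry record against the file the patch should have
# replaced, so a registry key on its own is not taken as proof of patching.
# Assumption: hotfixes are recorded under the HotFix key used by Windows 2000/XP.

function Test-HotfixReallyInstalled {
    param(
        [Parameter(Mandatory)] [string]  $KB,          # placeholder id such as 'KB000000'
        [Parameter(Mandatory)] [string]  $FilePath,    # file the patch is expected to update
        [Parameter(Mandatory)] [version] $MinVersion   # lowest file version that counts as patched
    )

    # 1. What the registry claims: this is all the scanner in the article looked at.
    $regPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\$KB"
    $registryClaimsInstalled = Test-Path -Path $regPath

    # 2. What is actually on disk: read the binary's own version resource.
    $fileVersion = $null
    if (Test-Path -Path $FilePath) {
        $vi = (Get-Item -Path $FilePath).VersionInfo
        $fileVersion = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    }
    $fileIsPatched = ($null -ne $fileVersion) -and ($fileVersion -ge $MinVersion)

    # 3. Only agreement between both sources is reported as "Patched".
    #    RegistryOnly is the case the article describes (and what a forged key looks like).
    $verdict = if ($registryClaimsInstalled -and $fileIsPatched) { 'Patched' }
               elseif ($registryClaimsInstalled)                 { 'RegistryOnly' }
               elseif ($fileIsPatched)                           { 'FileOnly' }
               else                                              { 'Unpatched' }

    [pscustomobject]@{
        KB             = $KB
        RegistryClaims = $registryClaimsInstalled
        FileVersion    = $fileVersion
        MinVersion     = $MinVersion
        Verdict        = $verdict
    }
}

# Usage: KB id and version are placeholders; rpcss.dll is a real system binary
# chosen only so the check has a version resource to read.
Test-HotfixReallyInstalled -KB 'KB000000' `
    -FilePath "$env:SystemRoot\System32\rpcss.dll" `
    -MinVersion '0.0.0.0' | Format-List
```

    A 'RegistryOnly' verdict is the interesting one for an administrator: it is what an incomplete installation leaves behind, and also what a system would look like if something had written the hotfix key without the patch ever being applied. Running the check against an inventory of file versions published with each bulletin, rather than against the registry list, is the point of the exercise.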

    1. Re:Scary Vulnerability by pavera · · Score: 2, Insightful

      Sure, running as admin makes the NT box as insecure as 9x, but that's the point: by default ALL USERS ADDED TO WINXP are admin, all of them, and how many grandmas are going to go in and change their account type? How many parents? How many teenagers?? Not many; the only ones who do are the ones who are gonna have the patches installed anyway. The permissions issue in Windows is MS's fault for having entirely too wide open defaults.

  16. Re:NetCraft stats by terrymr · · Score: 3, Insightful

    Yes, but isn't the point that Microsoft has chosen to protect its Windows server by putting it behind a load balancer running Linux?

  17. Re:really... by Nogami_Saeko · · Score: 2, Insightful

    The obvious thing you are missing at this point is that most people who have unix installed know what they're doing. Even with all its recent GUI advances, unix is still a pain to set up and configure.

    Disagree? Give a brand new machine to your parents, or grandparents and get them to install unix. See what happens, and if you have any hair left after walking them through.

    Now, granted, a good unix installation can be very secure indeed. So can a good windows installation. I know how to configure my webserver (running on apache under windows), and it's never been hacked, and never will. I keep on top of security issues, watch bugtraq, regularly check for updates and patches, etc.

    The problem is regular users - just wait until "joe average" who wants to surf the web, look at Pr0n, and read his email installs unix. Maybe he'll be running as root "because it's easier". I'm sure lots of security problems will spring up.

    At the moment, I'd argue Unix has the old "security through obscurity" to some extent. As soon as everyone has a Unix/Linux desktop, the exploits will come out in full-force.

    N.

    --
    "Nothing strengthens authority so much as silence." - Charles de Gaulle
  18. Re:I think the windows update button on the taskba by Pharmboy · · Score: 2, Insightful

    Adding more salt to the wound, I guess. I have also noticed that if their servers are not properly operating, they will say there are no updates available, even when there are. I have confirmed this twice when I KNEW there was an update that was not installed on the laptop (sometimes I go two weeks without using it).

    That is a pretty shitty way to handle a down server, by convincing your customers they are safe when they are not.

    --
    Tequila: It's not just for breakfast anymore!
  19. Re:Not really... by terrymr · · Score: 5, Insightful

    I think given Microsoft's position on Linux that they should / would have researched the market to see if the service could be provided by a Windows shop before signing a deal with Akamai. It looks bad ... almost like saying Windows isn't up to the task.

  20. Microsoft's "Security" Record sucks but... by Eric+Damron · · Score: 4, Insightful

    the Linux community needs to concentrate on not becoming the next big security joke. Okay, it's fun to laugh at Microsoft's pathetic record.... Just a second... Muhahahahahah. I feel better now. But as Linux becomes more and more popular blackhats will put more and more attention into breaking our OS.

    We all need to make good design and operational decisions. Bad decisions like the one made by Lindows to run as root by default can lead to Linux having as bad a reputation as Microsoft.

    The Linux community is positioned to demonstrate to the world that Linux, not Windows, should be used anywhere that security is an issue. Let's not blow it.

    --
    The race isn't always to the swift... but that's the way to bet!
    1. Re:Microsoft's "Security" Record sucks but... by MicroBerto · · Score: 4, Insightful
      Many people are probably thinking about the kernel, but those guys are doing a relatively good job.

      What we really can't overlook are the popular distributions. They can't be putting in ridiculous defaults at startup. They shouldn't use too much beta software that's going to be running a lot. They need to keep pushing updates, and make it easy. And for the most part, I think we're doing pretty good. Learn from Microsoft's mistakes while you laugh at them.

      --
      Berto
  21. Re:really... by pyros · · Score: 2, Insightful

    Saying that users don't run as administrator on Windows is a fallacy. At every office I've ever worked in, the first thing the IT department does when setting up a new user's machine is add them to the administrator group. On top of that, the services run as privileged users by default. It's possible to run Windows without admin rights, but it very rarely happens in practice. It's possible to run services as unprivileged users, but again it's rare in practice. You also don't need to be administrator to open privileged ports on Windows like you do on *nix. Unix and Linux have the advantage that users and services run unprivileged by default.

  22. Two thoughts by LittleGuy · · Score: 2, Insightful

    1) M$ (and the media) hyped this security patch to the hilt, IMHO, because WU was the target. Other worm exploits that have been cited in the news can be prevented by patches that came out a year or two ago. It would be nice to have the other 30 or so patches released this year equally hyped.

    2) Re: WU says you're patched but you're not... I'm sorry, but nothing impresses me more than Shavlik's HFNetChkLT for Win2K, NT, and XP. Scan with this and then download the patch from the M$ Security Bulletins through Technet and install manually.

    --
    Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
  23. It's still M$'s fault! by Thud457 · · Score: 3, Insightful
    "I don't like MS either, but this is blatantly unfair. MS did fix the gaping hole -- last month. The problem is that their customers didn't implement the fix, so they are taking reasonable precautions to avoid damage. Beat them up for the things for which they deserve, but not this."

    Because they've engendered a "computing" culture where users are either: 1) ignorant about the need for patching, or 2) have been burned by fucked up M$ patches in the past and hence don't keep up to date.

    "Fool me once, shame on you
    Fool me twice ...
    ...
    won't get fooled again
    "

    This country is overrun with idiots. I hope you reap the consequences of your actions. I spit on you all!

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  24. Re:I think the windows update button on the taskba by Pharmboy · · Score: 3, Insightful

    Microsoft is about to get into the AV business yet again. Keep in mind, MS does NOT consider those companies friends, rather they are competitors, so I can see MS letting them look bad with old links. That is not new for them.

    --
    Tequila: It's not just for breakfast anymore!
  25. Re:NetCraft stats by Compenguin · · Score: 2, Insightful

    but if linux couldn't be used for anything worthwhile, as they claim, why are they trusting their website to a serving system based off of it?

  26. Re:really... by pmz · · Score: 2, Insightful

    Unix is more secure for (at least) two reasons:

    I'd like to add:

    - UNIX is simple (yes, UNIX is simple).
    - UNIX is transparent (post-kernel bootstrapping is via shell scripts for god's sake--it don't get better than that).
    - UNIX is documented, bugs and all (thirty years of history plus POSIX ain't too shabby).
    - UNIX is modular (I can guarantee not everyone runs the same mail server, DNS server, or even window manager).
    - As a result, fixing UNIX is easy (all the system administrator has to do is admit "Oops, I was a real dumbass there" and either fix it or replace it (again, UNIX is modular, transparent, and documented)).

    A cracker could attack certain subsets of the UNIX realm, but diversity is on the side of the users, in this case. It isn't like 95% of UNIX users happened to leave RPC open to the Internet, or something like that.

  27. Re:really... by Some+Dumbass... · · Score: 2, Insightful

    Given the same marketshare as Windows, Linux would be just as much targeted by the black hats and script kiddies alike as Windows is these days.

    I'm getting sick of hearing this particular bit of FUD.

    First of all, when a vulnerability of this calibre is found in Linux or in common Linux utilities (e.g. the ssh vulnerability) it _does_ get attacked, despite Linux's smaller marketshare. RedHat lpd anyone?

    Second, didn't the last big Windows worm only affect people running MS SQL? What is that, 1% of all Windows installs? So despite the small number of computers which would be affected by this worm, it was still written. Note that it also did a fair amount of damage (took down some root nameservers, I think), which is exactly why worm writers are targeting systems with smaller marketshare -- because "smaller" still means something in the realm of a million or so computers, which is more than enough to do some serious damage!

    Thus the argument that Linux's marketshare is the reason why it doesn't get attacked does not make sense. Systems with limited marketshare (like Linux) _do_ get attacked by worms, presumably because they can still do lots of damage.

    So why so few Linux worms? I suspect the reason why there have been fewer Linux worms in the past few years is that there have been fewer vulnerabilities in Linux and common Linux utilities which were severe enough to allow a worm to spread. Linux has its share of security vulnerabilities, but there's a big difference between a bug which allows a user to, say, overwrite arbitrary files on a system, and one which allows them to execute code on the system without even logging in!

  28. Don't completely abandon WU.com by sahonen · · Score: 2, Insightful

    Put a locked-down box on windows-update.com that logs all the IP addresses it gets DOSed from, then trace them back to the actual users whose machines were compromised. Then revoke all of those users' XP licenses for being bloody stupid morons who don't know how to apply a patch.

    --
    Make me a friend and I'll mod you up
  29. What? That's supposed to be informative? by Kynde · · Score: 2, Insightful

    This is a garden-variety buffer-overflow exploit of the sort that could just as easily still exist somewhere in Linux.

    Active Directory also provides a way to block this type of worm that *ix doesn't. There wasn't time to patch all of our servers during the outbreak, so one of the guys here implemented a group policy that prevents execution of msblast.exe and teekids.exe on any machine on our network. Once they're all patched, the policy can be removed really easily.


    Is this guy for real?
    This kind of am-an-admin-expert-because-i-have-two-boxes-at-home kind of talk should be left at score 1 or so, where it belongs, regardless of whether it praises or bashes M$ or *nix.

    That kind of "block" should not be suggested to other clueless admins! This is exactly why the worm got the 2nd generation where the filename had changed.

    (I'm trying real hard not to mention also the fact that you shouldn't make false claims like that about *nix systems. You really think *nix systems, employed for thousands of users all over the world in thousands of universities, don't have elaborate user policies that can be administered swiftly and efficiently? Then again you're probably just flaming/trolling...)

    (and even you forgot the penis32.exe, which btw is indeed a genius naming stunt! I do loathe the black hats, but every now and then I can't help myself admiring the simplistic beauty in some of their tricks. Thinking how many warning mails that never reached their target because mail filters grabbed them...)

    --
    1 Earth is warming, 2 It's us, 3 it's royally bad, 4 we need to take action NOW
  30. Troll much? by stewby18 · · Score: 2, Insightful

    Because they've engendered a "computing" culture where users are ... ignorant about the need for patching

    Yeah, curse those bastards for making computers that are usable by people other than us techno-elite snobs.

    Many people simply have other things they care about more than patching their computer. If 95% of people used *NIX, would it have a reputation for being mostly secure? No, because people who don't care would still be the vast majority. Most people should know the importance of basic car maintenance: checking oil, tire pressure, anti-freeze, etc. Many, many people don't bother to do so. When they have problems, is it Ford's fault?

    1. Re:Troll much? by Prior+Restraint · · Score: 2, Insightful

      Most people should know the importance of basic car maintenance: checking oil, tire pressure, anti-freeze, etc. Many, many people don't bother to do so. When they have problems, is it Ford's fault?

      Your analogy is flawed. The product was defective when it left the manufacturer. The automotive analogy to a patch is a recall. The general public views recalls as an indication that Ford (or whoever) is at fault.

      Therefore, Microsoft is to blame.

    2. Re:Troll much? by RealAlaskan · · Score: 2, Insightful
      If 95% of people used *NIX, would it have a reputation for being mostly secure?

      Yes, because 95% of people can't administer a *nix box. They'd have to rely on pre-setup operating systems (just like they do now with Windows!). If those systems were Debian stable, they could be kept secure by a cron job (part of the default install, in this hypothetical situation) which looked like this:

      apt-get update && apt-get -y dist-upgrade   # -y: no interactive prompt, so it can run unattended from cron; && skips the upgrade if the update fails

      If 95% of people used Debian stable, they'd be happy, just like they are with Windows, because they'd be using the same software everyone else is using, and having the same problems as everyone else.

      They wouldn't be having problems with buggy old software on unsecured boxes, and they wouldn't be having the same sort of problems with viruses, either.

  31. Re:Power outage related to Microsoft by spectecjr · · Score: 4, Insightful

    If those rumors are true, then the worm didn't cause the power failures, it just disabled the systems that would have prevented them. That this happened at around the same time is just a coincidence, or maybe minor power failures happen frequently and were just prevented from spreading?

    Take it from someone whose soon-to-be-parents-in-law are up to their necks in the power + safety industry ... no, they don't run Windows.

    Control frontends and GUIs may run Windows. They may also run Java apps. The back-end is ALL Unix (and specifically NOT Linux), because there are very few OS vendors who will certify and indemnify the use of their OS in that kind of safety critical environment. Windows explicitly states that it's not for use in such an environment.

    Simon

    --
    Coming soon - pyrogyra
  32. Dear Jamie by Keith Russell · · Score: 2, Insightful

    Interesting article. But did you have to be such an asshole about it?

    Yours truly,
    Keith

    P.S.: If your power is still out tonight, I hope this burning karma lights your path.

    --
    This sig intentionally left blank.
  33. Re:Next Week.. by yomamasbooty · · Score: 3, Insightful
    Actually pointing the DNS to 127.x.x.x really doesn't do much. While it does point it back at itself, the SYN flood isn't strong enough to take itself out. With this worm you really need multiple hosts to DoS another.

    The best way to deal with the worm is to return a null value in DNS. This ensures the SYN flood never gets started.
  34. Re:really... by Kombat · · Score: 3, Insightful

    "[Unix] is *not* as susceptible as Windows is. Not by a large margin."

    Oh really? I'd just like to point out that while this bug is *attacking* one of MS's sites, it won't successfully *break in*. It was a mere 2 days ago that a hacker successfully broke into GNU.org and compromised the crown jewel of the Linux community.

    So who's more secure again? Don't be so quick to jump to Unix's defense. A lot more exploits are publicised for Linux than for Windows.

    --
    Like woodworking? Build your own picture frames.
  35. Re:Power outage related to Microsoft by Cyclometh · · Score: 5, Insightful

    No need- end our little war in Iraq and we'll free up the funds needed. I read yesterday that the cost of the war in and occupation of Iraq will cost over $600 billion dollars.

    Just close up the operation a little early and divert those funds.

    Nah, never happen. Preemptive wars and years-long occupations of nations that are of dubious (at best) threat to US interests are more important than making sure your lights stay on.

  36. Re:next work is going to use goofle by FedeTXF · · Score: 2, Insightful

    Google runs FreeBSD... Say no more. :-)

  37. Re:Next Week.. by gujo-odori · · Score: 4, Insightful

    Let us not say that.

    The MSBlast worm delivers about a 16 kbps stream, so whether the zombie is sitting on a 56k dial, a 256k upstream DSL or cable connection, or has a T-1 or larger uplink doesn't really matter. DDOS zombies don't usually consume all of the available bandwidth, since doing so would be rather counterproductive to the goal of making a DDOS attack.

    If an average user, being mostly computer-illiterate but knowing that a reboot fixes most Windows problems for a while, finds that his/her computer can't connect to the Internet (the symptom of having all of your upstream bandwidth utilized), the most likely response will be a reboot. This lowers the effectiveness of the DDOS attack compared to a large number of zombies making the attack without their owners' knowledge, which allows them to continue uninterrupted.

    Numbers of attackers are the key to a highly successful DDOS attack, not using up all the bandwidth at the zombie's disposal. MSBlast could take a lot more bandwidth and still be not noticed by broadband users, but the authors have clearly crafted it to work and not be noticed on machines with dial-up and other low-bandwidth connections (I saw a 32-workstation LAN in a third world country; there was a 64k uplink for the whole office; things like that aren't unusual in many parts of the world. The likelihood of those machines being up to date on patches is very low, which makes them a good target for MSBlaster.)

    My purpose for being there was to install a hardware firewall in front of their network, so they are far less likely to get infected, but there are many vulnerable machines like that out there with no protection. A good DDOS client can use them; one that consumes all available bandwidth can't.

  38. Uhhhh, No by DesScorp · · Score: 5, Insightful

    "why would i want to help alleviate the situation? hell, i get to have all my computers attack microsoft for free! and legally! wohoo! sick 'em!"

    I know (think) you're joking, but while we can moan all we want about how Microsoft should design software that's more secure, we can't do anything about existing systems. And windowsupdate was the fastest, easiest way for the non-tech public to protect and repair themselves. Those of you out there that view this impending attack and the shutting down of windowsupdate as a good thing are very shortsighted.

    Maybe you don't give a shit about all of those other users out there that use Windows. Maybe you're happy this is happening. Fine. But rest assured, it's not going to cause people to rebel against Microsoft, like many of you are hoping. There will be no enlightenment and mass exodus to Linux or BSD or OSX. This is going to get blamed on "hackers". And we all know hackers hate God, hate America, root for Saddam, get pentagram tattoos on their foreheads....and use Linux. Pretty soon it'll be "yeah, I saw those Linux guys bragging on slashdot.org that they took windowsupdate down!"

    IBM's reps will be going "yeah, thanks heaps for the positive image, slashdotters.........fuckers".

    Make fun of people that run Windows all you want, but don't assist in, or support the disabling of one of their few effective means of defense.

    --
    Life is hard, and the world is cruel
    1. Re:Uhhhh, No by k12linux · · Score: 2, Insightful
      it's not going to cause people to rebel against Microsoft, like many of you are hoping. ...This is going to get blamed on "hackers".

      You got it! Fairly recently I noticed that nearly 100% of the time MS spins Windows problems this way. It's especially true with Outlook. Based on the spin in their press releases and KB articles, all security problems are 100% the fault of those evil hackers. MS on the other hand really isn't responsible for security problems because if it weren't for hackers there would be none.

      That's kind of like being a company who builds bank vaults made of wood instead of metal. After all, it's not their fault if it gets broken into. It's those damn bank robbers.

      What other industry would people put up with that type of logic?

    2. Re:Uhhhh, No by sql*kitten · · Score: 2, Insightful

      There's really no point explaining that it's because of MS that they have these problems.

      Rubbish. I expect you blame Ford for the existence of car thieves? Damn Ford, they should have used brick-proof glass in the windows!

      And it's not as if Linux has never been r00ted via sendmail or BIND, is it? MS Blaster is the same, it just propagates over DCOM.

  39. Kinda like you should not have to keep your ... by Randy Rathbun · · Score: 2, Insightful

    car in roadworthy condition, huh?

    I mean, what business is it of anyone else's if your brakes are bad, you have bald tires, and huge chunks of the car falling off as you drive down the street.

  40. Re:Power outage related to Microsoft by Anonymous Coward · · Score: 1, Insightful
    The power grid protection system itself is what caused the black out. One substation sees it's getting a huge surge of excess power, can't handle it, and shuts down. This passes this huge surge to the next station, which also shuts itself down to protect itself. It's a huge chain reaction of power surge seen by a substation, substation shuts down to protect itself, surge passes on to next station, etc etc.

    I hope people realize that, since the power is indeed coming back on nearly everywhere, those systems did exactly what they were supposed to do: They protected transmission lines, generators, and switching stations from turning themselves into a flash of light, a puff of smoke, a big bang, and a small mountain of carbonized slag.

    The shutdown was a good thing, considering the alternative: Billions of dollars worth of damage to the power system.

    -- ac at home
    way too busy

  41. Everybody is missing the point by grozzie2 · · Score: 5, Insightful

    I think everybody is missing the point on this whole issue. Fact :- Blaster is a worm, whose payload was intended to dos windowsupdate.com, rendering it unavailable to the folks using it. Fact :- windowsupdate.com is 100% unavailable. Conclusion :- Blaster is the most successful virus/trojan to date. It didn't just cause a few hours of unavailability, it wiped the domain from existence. Not just any domain, but a prominent microsoft domain (high profile, big budget website) totally obliterated off the internet. Folks can say what they want, and argue about the politics of it all, bicker about who is responsible to update what, and whatever, but you cannot deny the facts. Blaster is head and shoulders above the crowd as a denial of service worm, the first to achieve a 100% success even prior to actually triggering. Say what you want folks, but this has got to go down in history as the most successful worm ever.

  42. Re:C2? by kjs3 · · Score: 2, Insightful
    i thought it was C4 clearance, and that took years to get.

    It's C2; there's no such thing as C4. C2 isn't terribly hard to get (lots of auditing and doco requirements). However, since C2 isn't a particularly interesting or useful security classification except for marketing (DAC systems are strictly for unclassified environments), most vendors don't bother with it until they start selling lots of stuff into the gov/mil/intel areas.

    B-level secure systems are another story entirely.