Slashdot Mirror


Yet Another Critical Windows Flaw

Dynamoo writes "Microsoft released yesterday a whole bunch of critical security updates. Out of these, MS03-043 is a flaw in the Windows Messenger Service (not MSN Messenger) with the possibility of a remote attacker gaining complete control of a Windows NT/2000/XP/2003 based PC remotely. If this sounds like another possible vector for a worm to spread, you'd probably be right. Microsoft's recommendation is to 'disable the Messenger Service immediately and evaluate their need to deploy the patch'. Of course a firewall will offer some protection but shouldn't be relied on. At least administrators can disable the Messenger Service remotely. Of course this is another headache for admins still patching for last month's RPC flaw."

511 comments

  1. Too bad it's such a pain in the ass... by JLSigman · · Score: 1

    ...to uninstall Windows Messaging for the average user. 9/10th of them just assume that it IS MSN Messenger and don't have to worry about it.

    --
    -jls
    Techno-pagan
    1. Re:Too bad it's such a pain in the ass... by Short+Circuit · · Score: 2, Interesting

      The average user thinks their computer runs "Microsoft."

      Take that from a guy in tech support.

    2. Re:Too bad it's such a pain in the ass... by Jesrad · · Score: 2, Insightful

      Wrong ! Every support tech will tell you users don't think. At all.

      --
      Maybe we deserve this world ?
    3. Re:Too bad it's such a pain in the ass... by general_re · · Score: 4, Informative
      It could probably be somewhat simpler to disable it, but it's not all that bad. What they could do better is making sure that people know the difference between the Messenger service and the MSN Messenger app, as you seem to suggest.

      Anyway, in case anyone's reading this and doesn't know how to disable Messenger, go to Start -> Settings -> Control Panel -> Administrative tools -> Services. Right-click on Messenger and pull up the properties sheet. On the "general" tab, select "disabled" for "Startup type". Then hit the "Stop" button right under that on the "general" tab to stop the service if it's currently running. That's for 2K - I assume XP is similar.

      --
      ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
    4. Re:Too bad it's such a pain in the ass... by Jugalator · · Score: 1

      What functionality do you lose when disabling the service? Is it one of those that never need to run, ever?

      I thought the service description wasn't very clear, at least not after being translated to Swedish. :-P

      --
      Beware: In C++, your friends can see your privates!
    5. Re:Too bad it's such a pain in the ass... by mst76 · · Score: 2, Funny
      What functionality do you lose when disabling the service? Is it one of those that never need to run, ever?
      You lose the ability to receive winpopup spam.
    6. Re:Too bad it's such a pain in the ass... by Mr+Guy · · Score: 1

      Near as I can tell, you lost those little bubbles that pop up off the service tray that say something like:

      Want to sign up for MSN? Huh? Huh? Do ya? Click here!

    7. Re:Too bad it's such a pain in the ass... by ThomK · · Score: 0

      ...to uninstall Windows Messaging for the average user.
      Do this:
      1. Find 'my computer'
      2. Right click on it, select manage.
      3. Expand 'services and applications' (Left side)
      4. Click on 'Services' (Left side)
      5. Double click 'Messenger' (Right side)
      6. Change 'startup type' to 'disable'
      7. Click stop
      8. okay yourself all the way out.
      9. Restart

      --

      TK

    8. Re:Too bad it's such a pain in the ass... by ceejayoz · · Score: 1

      It could probably be somewhat simpler to disable it, but it's not all that bad. What they could do better is making sure that people know the difference between the Messenger service and the MSN Messenger app, as you seem to suggest.

      It would appear you failed that particular test...

      Windows Messenger Service != MSN Messenger.

    9. Re:Too bad it's such a pain in the ass... by general_re · · Score: 1
      You don't lose much at all - the only dependency I know of is the Alerter service, which does administrative alerts locally and remotely. You won't be able to send those popup messages to remote users any more if they have Messenger disabled, which is fine by me, because they're annoying as all hell anyway - it has the lovely side-effect of preventing those stupid popup spam messages, as an earlier reply alluded to, even if you don't have a firewall blocking it. Which you really should have anyway ;)

      If you don't use that - and I don't, since it's not exactly hard to roll scripts that handle administrative alerts in other ways - you can probably pretty safely disable Messenger.

      --
      ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
    10. Re:Too bad it's such a pain in the ass... by Otto · · Score: 1

      What functionality do you lose when disabling the service? Is it one of those that never need to run, ever?

      I thought the service description wasn't very clear, at least not after being translated to Swedish. :-P


      Originally it was conceived to provide an easy way for programs to send out messages over networks to users and/or admins about conditions that they need to know about. It allows one to send a simple pop up dialog box to anyone on the local network. You can use the "net send" command on any NT/2000/XP box to send messages using it.

      As Windows got more into the internet, it got turned into a partially TCP/IP service sort of thing as well. This turned it, eventually, into another form of method used to send spam. Nowadays, that's really all it's used for mostly. Some network admins use it for its original purpose, but simply have those ports firewalled off from the real internet to prevent the spam characteristics.

      However, if you're not a network admin and don't use it for such, then there's really no reason it should be on. The fact that it's on by default is really the problem. It should be off by default, as should all network services, IMO. You turn on what you want, and the rest stays firmly closed.

      What do you lose? The ability to receive those pop up messages, which are mostly spam nowadays.

      --
      - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
    11. Re:Too bad it's such a pain in the ass... by general_re · · Score: 1
      9. Restart

      I know this is going to sound highly unusual for Windows, but you don't actually have to restart once you stop the service. Rebooting gets to be a bit reflexive after a while, but stopping and starting services is one of the few cases in a Microsoft OS where you don't have to feed the reboot monkey ;)

      --
      ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
    12. Re:Too bad it's such a pain in the ass... by michib01 · · Score: 1

      By disabling the messenger service, according to MSFT:

      Impact of Workaround: If the Messenger service is disabled, messages from the Alerter service (for example notifications from your backup software or Uninterruptible Power Supply) are not transmitted. If the Messenger service is disabled, any services that explicitly depend on the Messenger service do not start, and an error message is logged in the System event log.

      --
      - "Having a clean conscience is sign of bad memory"
    13. Re:Too bad it's such a pain in the ass... by eugene+ts+wong · · Score: 1
      The average user thinks their computer runs "Microsoft."
      Well, if I asked you what your IP is, then would you know what I'm asking for? How could that be, even though there is no 'a', 'd', 'r', 'e', or 's' in the acronym? Is it simply because you are taught that that is the meaning plus it just what you are used to? Well if you can do that, then they can say that their computers run Microsoft, just as some1 else can say that their computers run Red Hat, Suse, Gentoo, or Debian.

      Get over it, & fix it for them.
    14. Re:Too bad it's such a pain in the ass... by Anonymous Coward · · Score: 0

      I'd like to see someone give instructions to an average user on how to disable a service under Linux...

      1. Log in as root.
      2. Edit /etc/inetd.conf
      3. Find the line that says in.jk43jksdjvkfjpd
      4. Add a # to the start of the line
      5. Type "ps aux"
      6. Find the entry that says inetd
      7. Type "kill -1 "

      Which is easier, which makes more sense? The Windows way, or the Linux way? Which one do you think a user is more likely to find ON THEIR OWN, without some snotty Linux user insulting them and telling them it's obvious, when it is anything BUT obvious?

      As linux-security.com is fond of reporting, there are PLENTY of holes in Linux distributions.

    15. Re:Too bad it's such a pain in the ass... by ajensen · · Score: 1
      Wrong ! Every support tech will tell you users don't think. At all.

      I disagree. I've been a support technician and network administrator for about six years now and have spoken with thousands of people about various things. A good portion of the user base tries to think and figure things out, but many times the users are simply not educated well enough to see the greater whole of what's happening. There are, of course, those users who just don't get it -- I'll never argue against that point.

      We've been organizing community education classes for a long time to help solve the lack of computer education problem -- it helps the users to work successfully on their own, which in turn helps us by lightening our support workload.

      -a

    16. Re:Too bad it's such a pain in the ass... by ajensen · · Score: 1
      Well if you can do that, then they can say that their computers run Microsoft, just as some1 else can say that their computers run Red Hat, Suse, Gentoo, or Debian.

      The difference here is between education and ignorance. When two technicians speak to one another, they will often use the shorthand phrase "IP" instead of "IP address." When a user says "Microsoft," he or she may not know the difference between running Windows 98 and running Windows XP.

      I think that your parent post was referring to the fact that many users just aren't versed enough in computing to know that there are different Microsoft products, and consequently may not be able to tell the difference between the similar names "Windows Messaging" and "MSN Messenger."

      -a

    17. Re:Too bad it's such a pain in the ass... by Anonymous Coward · · Score: 0

      Although not obvious, you lose the ability to use nbtstat -a on the IP address to get local user name.

      This is handy when you have a large number of PC's and get a list of IPs that are causing a problem (cough cough, blaster, etc)

      nbtstat -a queries the box, and the Messenger service adds in two records, one for hostname and one for username. These are needed to be able to "net send" to host or user.

      When you disable the service, this mechanism for tying users to IPs is gone.

      You would be back to hopping on a group file share that you know they have mapped and tracing back the user thru open sessions.

    18. Re:Too bad it's such a pain in the ass... by eugene+ts+wong · · Score: 1
      The difference here is between education and ignorance.
      Hmm, okay. I'll grant you that, but I hope that there can be a certain level of tolerance for this kind of ignorance.

      Thanks for the clarification.
    19. Re:Too bad it's such a pain in the ass... by minus9 · · Score: 1

      For Redhat

      1. Log in as root
      2. Type ntsysv
      3. Deselect the service
      4. Type service nameofservice stop

      or if you're running GNOME

      System Settings->Server Settings->Services

    20. Re:Too bad it's such a pain in the ass... by Anonymous Coward · · Score: 0

      Nice try...
      The difference between linux and microsoft's philosophy is that unneeded/dangerous services aren't started by default on linux. Additionally, the fact that only root can administer a linux computer also increases security. If microsoft had even an ounce of the security consciousness found in OSS, users wouldn't have to put up with worms and bluescreens

    21. Re:Too bad it's such a pain in the ass... by dokebi · · Score: 1

      Are you telling me you're logged in as "Administrator" by default? Why do you need to run Word and Excel and IE as root? Well, there is Microsoft security for ya.

      --
      In Soviet Russia, articles before post read *you*!
    22. Re:Too bad it's such a pain in the ass... by pyros · · Score: 1

      check out chkconfig, way nicer than ntsysv. `chkconfig service off` disables the service for all runlevels specified in /etc/init.d/service.

    23. Re:Too bad it's such a pain in the ass... by SpaceLifeForm · · Score: 1
      You lose the ability to receive winpopup spam.

      The parent is already moderated 'Funny', but it also could be moderated 'Informative'.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    24. Re:Too bad it's such a pain in the ass... by orangesquid · · Score: 1

      Except that under unix/linux, you just need a script. Someone should write this into a very nice Bourne-compatible script and put it up on the web somewhere (or does such a thing already exist?)

      Enable/disable:
      0. AIX users... sorry.
      1. If chkconfig exists in $PATH, run chkconfig appropriately (IRIX)
      2. If /var/rc.config.d/$name exists, change contents (HPUX)
      3. If /etc/init.d/$name exists,
      link/unlink /etc/rc?.d/[SK][0-9][0-9]?([0-9])$name (SysV)
      4. If /etc/rc.d/rc.$name exists, chmod 700/600 (Slackware)
      5. If /etc/rc.d/rc.{?,inet?,local} exists, and grep $name succeeds, run a quick ed script to comment out lines, or, chmod a-x `which $name` (Slackware)
      6. If /etc/rc exists and we're on Ultrix, run an ed, awk, or perl script to comment out the [ -f `which $name` ] && ... lines.
      7. If /etc/rc.conf exists, grep/ed the appropriate line
      8. If inetd is running, grep /etc/inetd.conf and use ed script to comment/uncomment
      9. If xinetd is running, grep /etc/xinetd.conf and use awk or perl script to comment/uncomment appropriate block

      Stop for non-inetd:
      0. AIX users... again, sorry.
      1. If /sbin/init.d/$name exists, run /sbin/init.d/$name stop (HPUX)
      2. If /etc/init.d/$name exists, run /etc/init.d/$name stop (SysV)
      3. If /var/run/$name.pid exists, kill `cat /var/run/$name.pid`
      4. If pkill exists in $PATH, run pkill $name
      5. If pidof exists in $PATH:/usr/freeware:/opt/sfw:{/usr,/opt}/gnu, run kill `pidof $name`
      6. If killall exists in $PATH and we're on linux, run killall $name
      7. Else, do the old ps aux/-aux/-efl|grep "\\(^\\| \\)$name "|grep -v grep|cut ... trick to get the PID, and kill that PID

      For rehashing inetd.conf, do the same thing but with -HUP. For rehashing xinetd.conf, do the same thing but with -USR1.

      Erm, I know this doesn't cover many systems, but I only have about a dozen different flavors of Unix that I work with, so I can't do all of them, sorry.

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
    25. Re:Too bad it's such a pain in the ass... by orangesquid · · Score: 1

      Oh yah, I forgot, if this fails, repeat with/without prefixes of "in." and "rpc.", and suffix of "d".

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
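
Added example, not part of any post in this thread: a Bourne-compatible function for the inetd case described in the two comments above (step 8 of the enable/disable list, with the "in." / "rpc." / "d" name variants from the follow-up). The function names, the constructed sample file and the default pid file path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): comment out a service in an
# inetd.conf-format file, trying the name variants the posts suggest.

# disable_inetd_service NAME [CONF]
# Prints the number of entries commented out. Returns 0 if the file was
# changed, 1 if nothing was changed, 2 on bad input. Backup: CONF.bak.
disable_inetd_service() {
    name=$1
    conf=${2:-/etc/inetd.conf}
    case $name in
        ''|*[!A-Za-z0-9._-]*) echo "invalid service name" >&2; return 2 ;;
    esac
    [ -f "$conf" ] || { echo "$conf: not found" >&2; return 2; }

    tmp=$(mktemp "$conf.XXXXXX") || return 2
    count=$(awk -v n="$name" -v out="$tmp" '
        BEGIN {
            # NAME with and without the in./rpc. prefixes and the d suffix
            want[n] = 1;         want[n "d"] = 1
            want["in." n] = 1;   want["in." n "d"] = 1
            want["rpc." n] = 1;  want["rpc." n "d"] = 1
        }
        # Pass through comments and lines that are not full entries.
        /^[ \t]*#/ || NF < 6 { print > out; next }
        {
            # Field 1 is the service, field 6 the server path, field 7 the
            # daemon name (the real daemon when field 6 is a wrapper).
            prog = $6; sub(/.*\//, "", prog)
            if (($1 in want) || (prog in want) || ($7 in want)) {
                print "#" $0 > out; changed++
            } else print > out
        }
        END { print changed + 0 }
    ' "$conf")

    # Overwrite in place (cat, not mv) so owner and mode of CONF survive.
    if [ "${count:-0}" -gt 0 ] && cp -p "$conf" "$conf.bak" &&
       cat "$tmp" > "$conf"; then
        rm -f "$tmp"
        echo "$count"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# reload_inetd [PIDFILE]: make inetd re-read its config (the "kill -1" /
# -HUP step). The default pid file path is an assumption; not all systems
# write one.
reload_inetd() {
    pidfile=${1:-/var/run/inetd.pid}
    [ -r "$pidfile" ] && kill -HUP "$(cat "$pidfile")"
}

# Constructed sample input, written to the path given as $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd        in.ftpd -l
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
#finger stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
time    stream  tcp  nowait  root    internal
EOF
}

# Demo on a throwaway copy; nothing under /etc is touched.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/inetd.conf"
disable_inetd_service telnet "$demo_dir/inetd.conf"
grep -n 'telnet' "$demo_dir/inetd.conf"
rm -rf "$demo_dir"
```

On a real system the edit only takes effect after `reload_inetd` (or the equivalent signal) is run as root.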
    26. Re:Too bad it's such a pain in the ass... by general_re · · Score: 1
      Are you telling me you're logged in as "Administrator" by default?

      Gosh, I'm looking over my post, and I don't see where I said any such thing. Maybe you're thinking of someone else?

      Whatever. Here's a tip for ya:

      runas /user:localmachinename\administrator "mmc %SystemRoot%\system32\services.msc"

      --
      ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
    27. Re:Too bad it's such a pain in the ass... by Anonymous Coward · · Score: 0

      yea... M$ should not turn messenger service (not to be confused with MSN Messenger) by default. Most home users aren't typing "net send ..." at a command line. Since most home users will never use the messenger service, why is it enabled by default?

      Security 101:
      Intractable rules --
      1. Never run services that use a tcp-ip port/RPC, which you do not need.
      2.....
      [get a clue for the rest]

      In a nutshell, someone at M$ needs to go to security 101 and implement what they learn. Most users will never use 40% of the crap (UPnP device discovery, Terminal services, network registry? C'mon) running on a default install of windows, so it should not be enabled out of the box.

      MS,
      Security advice: Put in a wizard to turn on the stuff they might need, but keep it turned off by default.

      It is a lot easier to run help and a wizard, than it is to lose all of your files because the machine gets compromised and you need to reinstall the OS. All because UPnP was running and it got hacked over the internet.

      Nobody uses that stuff and the people that might, are savvy enough to run a wizard to turn it on.

      l8,
      AC

    28. Re:Too bad it's such a pain in the ass... by ajensen · · Score: 1
      I hope so, too. I think that tolerance of ignorance is a very important quality in a support technician, since that type of ignorance is something he/she will deal with quite frequently. Sadly, it's also very difficult to find technicians who are tolerant.

      Cheers,

      -a

    29. Re:Too bad it's such a pain in the ass... by general_re · · Score: 1
      Although not obvious, you lose the ability to use nbtstat -a on the IP address to get local user name.

      ...if you disable Messenger. Somebody needs to mod you up - I had quite forgotten about that, mostly since I never use it, but you're absolutely right. If you rely on this, you may not want to disable Messenger.

      --
      ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
    30. Re:Too bad it's such a pain in the ass... by Anonymous Coward · · Score: 0

      Hell anyone who spends any time on the net using XP already has it disabled.
      If not you're going to get more popups than Carter has little liver pills.
      Most of them advertise a program that will disable it, kinda like extortion.

    31. Re:Too bad it's such a pain in the ass... by Anonymous Coward · · Score: 0

      now that's a PITA :)
      but it's unix it's part of the deal

    32. Re:Too bad it's such a pain in the ass... by markhb · · Score: 1

      I'll bite... what's the issue with AIX? Can't you admin these things without going into smitty?

      --
      Save Maine's economy: write stuff down. All comments are exclusively my own, not my employer.
    33. Re:Too bad it's such a pain in the ass... by orangesquid · · Score: 1

      Yes, you can, actually. smitty is simply an interface to a whole bunch of commands which do all the "real work." smitty, in fact, keeps logs of everything it does, and it logs every command it runs. From the smitty logfiles, you can figure out what commands to run to do particular tasks.

      Unfortunately, my RS6k box has a dead power supply right now, so I can't pull up a list of any of the obscure commands needed to do any of these things.

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
    34. Re:Too bad it's such a pain in the ass... by aldousd666 · · Score: 1
      I'm tolerant to their faces and on the phone, but I'll be damned the day I can't blow off steam with my coworkers about silly user stuff. Maybe not so much damned as insane. It's a stressful job, and laughing at people who look at computers as magic boxes that 'are never willing to cooperate' (...Pc load letter?!?...) is how I keep my cool.

      One thing I'm particularly fond of is when I get users telling me that their friend, who 'knows all about computers and stuff' told them to do something that either violates a security policy we have, or is just completely retarded. I have a HUGE tolerance for ignorance, and I appreciate that it pays my bills.

      Some people just hate network guys because we control a large part of the way they do their job -- the computers.

      One final thought: After 8 years of tech support and lately security administration, I've definitely learned how to politely tell a user (or a manager who thinks his position in his own respective department somehow humbles me) to shove it up their ass.

      --
      Speak for yourself.
    35. Re:Too bad it's such a pain in the ass... by bev_tech_rob · · Score: 1

      If the machine is standalone, you lose nothing, except popup spam. But if your computer is on a corporate LAN and has software that depends on that service, then you might have problems. But hardly any software uses that service...

      --
      You're messin' with my Zen Thing, man.....
    36. Re:Too bad it's such a pain in the ass... by Anonymous Coward · · Score: 0

      The problem is that when some users try to get it they end up doing far more harm than good. Kind of like how doctors of old really tried to help people by putting leeches on them and telling them to eat ash to cure leprosy, etc. They had good intentions, they thought they got it but they probably did more harm than good.

    37. Re:Too bad it's such a pain in the ass... by Jugalator · · Score: 1

      Ooh, it's that service. OK, got it now. :-)

      We used it once to fool people into leaving a computer lab by sending it to some random computer with "Warning! Virus detected, please shut down your computer immediately". Ahh, the memories... ;-)

      But haven't used it since... We use it occasionally on our corporate LAN to send really important messages, like if we plan to bring down a server.

      --
      Beware: In C++, your friends can see your privates!
    38. Re:Too bad it's such a pain in the ass... by Ryosen · · Score: 1

      The Messenger Service allows one machine to send text messages to another, typically through the NET SEND command, although I think that it can be done through the Windows API as well. This is commonly used by Admins to notify users of important system events (e.g. server reboot). As a developer, I have used it to send messages to clueless users who clog up the printer queues with stalled print jobs that are hours old and long since forgotten.

      As a side note, I used the messenger service to write an Instant Messenger (IM) client that ran under NT 3.5 back in 1996.

      --

      Ryosen
      One man's "Troll, +1" is another man's "Insightful, +1".
  2. Already patched ........ by losttoy · · Score: 0

    But I pity the victims of a forthcoming worm

    1. Re:Already patched ........ by blibbleblobble · · Score: 1

      "Already patched... But I pity the victims of a forthcoming worm"

      Already patched... with Mandrake 9.1

    2. Re:Already patched ........ by Anonymous Coward · · Score: 0

      Talk about the cure being worse than the disease...

    3. Re:Already patched ........ by Anonymous Coward · · Score: 0

      i patched mine with JAMD Linux http://www.jamd-linux.com/

    4. Re:Already patched ........ by tomstdenis · · Score: 1

      Are you sure about that? From a 9.1 install you most likely have openssl updates to perform....

      oops.

      j0 zuckz

      --
      Someday, I'll have a real sig.
    5. Re:Already patched ........ by mr_z_beeblebrox · · Score: 1

      Already patched... with Mandrake 9.1

      No fair! I have auto update and that's not applied on my systems

    6. Re:Already patched ........ by TestBoy · · Score: 1

      I just patched with Redhat 9. I have a whole list of microsoft bugs I don't need to worry about.

    7. Re:Already patched ........ by blibbleblobble · · Score: 1

      "From a 9.1 install you most likely have openssl updates to perform....oops."

      Right. As opposed to a Windows install, where you have a few upgrades of your own to perform.

      The people running university computing labs have noticed that if you leave a default Windows2000 installation connected to the internet for long enough to download the upgrades, you're likely to have already been infected by one of several Win2K worms which can install without user interaction using the messenger service. Some people had so much trouble keeping new Windows PCs working for long enough to update (during the peak of these viruses) that they had to download the upgrades from other peoples' computers.

      (The people who knew how to switch Windows Messenger off and install the firewall or already had the update CDs, these people are probably administering other peoples' Windows computers, not using their own)

      In comparison, somebody using an old version of Mandrake could get a denial-of-service if they use SSL connections and the server they connect to specifically attacks them. So I can probably just about manage to upgrade the packages without having to worry about the system rebooting.

      Looks like OpenSSL upgrades it is then...

    8. Re:Already patched ........ by tomstdenis · · Score: 1

      I totally agree that in that respect windows is flawed. It should have come out of the box with its services disabled. But that isn't good marketing...

      That being said I've installed Windows a-many times and have yet to get infected with anything. Sole reason....firewall. I don't let every yahoo and nutjob from the web send my machine packets which means I'm fairly invulnerable to these lame attacks. I still patch my box but I don't worry about it as much.

      Tom

      --
      Someday, I'll have a real sig.
  3. Icons... by mgebbers · · Score: 0

    When looking at the slashdot icons lined up next to each other (ie borg, X, borg) Does any body else get the temptation to play tic-tac-toe using the icons?

  4. annoying first posts. by lanswitch · · Score: 0, Offtopic
    first posts should be

    -relevant. Keep to the subject, and don't make it a personal rant.
    -free of offending languages, you asshole!
    -free of annoying lists
    -written in plian enlish
    -without grammaticalar errors

    So check your FP!

  5. Looks like that commitment to security.... by micahmicahmicah · · Score: 1

    is going oh so well.

    Then again, considering the installed user base; I think they are doing ok. I know it's the cool thing to be anti-MS. But lets face it - sometimes:

    "war is peace"

  6. Call to worm developers!! by borgdows · · Score: 2, Funny

    This time, please do something really useful, not only doing such silly thing as DOS'ing windowsupdate

    You can for instance, delete necessary files for Internet connection... in this case Microsoft will be in a *real* shit if nobody can connect the internet to download patches!
    They'll maybe have to send MILLIONS of CD by mail!

    Therefore, people will be *really* annoyed and may think it's time to switch to another more reliable OS.

    1. Re:Call to worm developers!! by kyrre · · Score: 0

      And the worm will not spread of course. Back to the drawing board sir.

    2. Re:Call to worm developers!! by Jesrad · · Score: 1

      Most clueless computer users will just format & reinstall if something breaks badly. As per previous answer, back to the drawing board.

      --
      Maybe we deserve this world ?
    3. Re:Call to worm developers!! by Short+Circuit · · Score: 1

      You're nuts. And you're part of the reason magazines like Forbes are afraid of OSS and Linux.

    4. Re:Call to worm developers!! by Anonymous Coward · · Score: 0

      Thanks for advocating the financial loss of millions (perhaps billions) of dollars in lost productivity in the US and abroad. You, sir, should be considered for the next available Fed Governorship.

      Here's some advice for you:
      Find noose, insert neck, jump off chair, improve IQ-quotient of world gene pool.

    5. Re:Call to worm developers!! by borgdows · · Score: 1

      no!
      the worm may have a time limit as Blaster was set up to begin DOS'ing from a specified date.

      Here the worm business model :

      1) infect local computer by the Messenger flaw
      2) try to infect remote computers by the same flaw
      3) redo step 2 until a specified date
      4) disable internet connection (and suicide)
      5) ???
      6) PROFIT!!

    6. Re:Call to worm developers!! by Anonymous Coward · · Score: 0

      They fucking deserve it if they put their trust in Microsoft.

    7. Re:Call to worm developers!! by digitalunity · · Score: 1

      Ahem, this new messenger service seems like the perfect hole for a smart virus. Check out my smart virus post.

      --
      You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
    8. Re:Call to worm developers!! by tomstdenis · · Score: 1

      another reliable OS. Sounds nice. Which one is that? Would that be GNU/Linux with its daily new patches? Or MacOS with the pay-as-you-go updates?

      This leaves us...hmm... DOS

      --
      Someday, I'll have a real sig.
    9. Re:Call to worm developers!! by ocelotbob · · Score: 1

      Daily new patches? I'm sorry, but unless you're running every server program imaginable, you don't need to patch daily. Keeping a good, stable install, OTOH, with software like qmail, one can have a nice stable reliable OS that has great security. And aren't windows updates pay as you go as well, or is there some place I could have upgraded my copy of NT 4 to XP without paying a dime?

      --

      Marxism is the opiate of dumbasses

    10. Re:Call to worm developers!! by pebs · · Score: 1, Flamebait

      This time, please do something really useful, not only doing such silly thing as DOS'ing windowsupdate
      Therefore, people will be *really* annoyed and may think it's time to switch to another more reliable OS.


      You're the reason people think like this.

      You stupid prick, you think writing worms is a good way to get people to switch to a "more reliable OS"??!?? Do you realize how fucked up that is? Do you realize that it's people like you who are keeping people away from Linux?

      It's the stupid shits like you who are fucking up the open source community. Well guess what? We don't want your kind in our community. Get the fuck out. For all I care, you can go back to using Windows.

      Open source will succeed by producing quality software, and by forming a community that is out to help people. It will NOT succeed by sabotaging the competition. Dirty tactics like that are for the truly evil. You're worse than Microsoft if you are advocating the use of worms to convince people to switch.

      --
      #!/
    11. Re:Call to worm developers!! by Geek+of+Tech · · Score: 1
      > This time, please do something really useful, not only doing such silly thing as DOS'ing windowsupdate You can for instance, delete necessary files for Internet connection... in this case Microsoft will be in a *real* shit if nobody can connect the internet to download patches!

      As fun as this is, better things could be done.

      Modify the hosts file, so that whenever something requests microsoft.com or windowsupdate.com or windowsupdate.microsoft.com they get redirected to apple.com or maybe a fake windows site.

      Modify the registry values where Windows keeps its information about windows updates. Add all the keys, so that unless they rewrite their windowsupdate script, it would appear that all updates are already installed.

      Make it uninstall internet explorer.

      --
      Stop the Slashdot effect! Don't read the articles!
    12. Re:Call to worm developers!! by Anonymous Coward · · Score: 0

      This exposes the bitter envy and evil of many people in the Linux community.

      You WANT worm writers to attack people? What the hell is WRONG WITH YOU?

      Would you rather have people switch to Linux because it is GOOD, or because someone ATTACKED them?!

    13. Re:Call to worm developers!! by BurritoWarrior · · Score: 1

      People who use F*ck as every fourth word in their diatribe however, are quite welcome I take it?

      You can lead the way out the door.

    14. Re:Call to worm developers!! by cscx · · Score: 1

      Are you Icelandic or retarded?

    15. Re:Call to worm developers!! by pebs · · Score: 1

      People who use F*ck as every fourth word in their diatribe however, are quite welcome I take it?

      Is that all you have to criticize me on? My excessive use of profanities? That's about as effective as trying to fix my grammar/spelling. Try criticizing me on one of the points I made, not the language I used.

      In any case, a flame is not complete without a good amount of "fuck you, you fucking fuck." And I'm not such a pansy bitch that I have to replace the u with a *.

      --
      #!/
    16. Re:Call to worm developers!! by resignator · · Score: 1

      Maybe someone will slash your tires today as well cause they really don't like the brand of car you drive. Or maybe someone will stab you in the face today because they think the clothes you wear were made in a sweatshop. In other words fuck off jackass... just because someone's grandma is running Windows does not give anyone any right to fuck that machine up.

      --
      "At first, we thought it was just another snake cult."
    17. Re:Call to worm developers!! by Anonymous Coward · · Score: 0

      yeah, but the nice thing with a worm randomly infecting everyone and deleting important stuff to go online, the second the person gets back online, the person would have to do another reinstall..

    18. Re:Call to worm developers!! by rutledjw · · Score: 1
      I don't understand how a dumb idea posted on /. that said nothing about OSS / Linux has anything to do with Forbes writing an un-flattering article about it. His idea is bad, but is an appropriate example of the frustration felt not only by Windows users but also others who are affected by these holes.

      Blaster brought my corporate network to a STOP. My home DSL line was flooded with that crap, but did a little better. People I work with (developers, managers, VPs, etc) are stopped by this garbage while our network/desktop group tried to clean up the mess.

      Forbes is wary of OSS b/c it doesn't fit into the capitalistic model in a way they understand. Companies like Red Hat and now Oracle, IBM, and many others are proving that it DOES fit, however. Further, you have people like Stallman who don't help the situation. Forbes clearly doesn't see the moderate business-agnostic attitude of Linus, they see Stallman screaming and waving his flag.

      To be honest, if Stallman DID represent the majority of OSS, I wouldn't support OSS either...

      --

      Computer Science is Applied Philosophy
    19. Re:Call to worm developers!! by Anonymous Coward · · Score: 0

      I must have spent too much time in the military, because I didn't even fucking notice the damn profanity.

      The call for a destructive worm *is* a fucked up idea.

    20. Re:Call to worm developers!! by Anonymous Coward · · Score: 0

      Well said. That guy is definitely a pansy bitch.

    21. Re:Call to worm developers!! by Anonymous Coward · · Score: 0
      Modify the hosts file, so that whenever something requests microsoft.com or windowsupdate.com or windowsupdate.microsoft.com they get redirected to apple.com or maybe a fake windows site.

      No not the goatse man!

    22. Re:Call to worm developers!! by AstroDrabb · · Score: 1

      You have some logic problems. How does some bone head condoning a virus/worm writer, connect to Linux or OSS? All the viruses for MS Windows are written ON MS WINDOWS! All the people stealing music are MS Windows users. Those 4 or 5 million Kazaa users are MS Windows users! If you or Forbes should be anti-anything, it should be anti-MS users. Linux, *BSD and Mac users are busy writing software to SHARE with the world or busy rendering stuff on their Macs. It is the MS Windows users that are writing and spreading viruses/worms and stealing music.

      --
      If Tyranny and Oppression come to this land,
      it will be in the guise of fighting a foreign enemy. -James Madison
    23. Re:Call to worm developers!! by tomstdenis · · Score: 1

      NT4 and XP are different distros though. That's like telling RH to upgrade your RH6 servers to RH9 for free with support.

      As for daily updates go and try gentoo out. Though the updates aren't daily there is usually at least one or two things a week to rebuild on a decently complicated install [e.g. servers, kde, tetex, etc..]

      The point is OSS software gets updated/patched quite often too. So saying windows sucks because there are too many patches is kind of hypocritical.

      Tom

      --
      Someday, I'll have a real sig.
    24. Re:Call to worm developers!! by Short+Circuit · · Score: 1

      The comment was posted on Slashdot, which is normally associated with Linux and Open Source.

      (As if the word "hacker" didn't confuse people enough...)

    25. Re:Call to worm developers!! by nolife · · Score: 1

      And how does this worm spread after disabling network access? A better way would be to add the following to the hosts file:

      64.94.110.11 windowsupdate.microsoft.com

      add some more just to be sure:
      64.94.110.11 v4.windowsupdate.microsoft.com
      64.94.110.11 www.google.com
      64.94.110.11 www.microsoft.com

      Kill two birds with one stone!

      Throw some common antivirus vendors update sites in there and things could get real interesting.

      --
      Bad boys rape our young girls but Violet gives willingly.
    26. Re:Call to worm developers!! by SpaceLifeForm · · Score: 1

      No, most clueless Windows users these days don't even have the option to re-install. They bought a pre-loaded machine and did *not* receive all of the CDs needed to reload.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    27. Re:Call to worm developers!! by Anonymous Coward · · Score: 0

      Hmmmm... I didn't think it was possible, but it seems we've stumbled upon an even bigger idiot.

      Slashdot never disappoints...

    28. Re:Call to worm developers!! by frank_adrian314159 · · Score: 1

      Even better! Use this IP: 198.247.175.96!

      --
      That is all.
    29. Re:Call to worm developers!! by SpaceLifeForm · · Score: 1

      While I can sense the motive here, preventing the users from being able to clean up does not help. If someone were to write a worm that was informative but did *NO* damage, people might start getting the message about securing their machines. For example, a worm that periodically checks if the user has any security holes, and if so, pops up a window that says 'Your machine is still not secure!'. But when a worm causes damage, and lost time and money, the user's frustration typically keeps them from seeing the bigger picture, which is that their machine was not secure in the first place.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    30. Re:Call to worm developers!! by rutledjw · · Score: 1
      Fair enough. I just don't want to perpetuate the idea that what is posted on /. is automatically representative of OSS and Linux.

      For obvious reasons...

      --

      Computer Science is Applied Philosophy
    31. Re:Call to worm developers!! by op00to · · Score: 1

      What about that Gerhard Schroeder? Germany is known for harboring nazis at one point. Everything he says must be antisemitic! Nice logic, deek.

    32. Re:Call to worm developers!! by Anonymous Coward · · Score: 0

      Here's an idea. Have the worm propagate for a couple of days, then turn the volume up really loud on the sound card and play some middle-range tone (because really high and low tones are hard to locate). That way I can locate the machine and beat the crap out of the fucker who didn't patch like I told them to. I bet our employees would get better about patching after they've seen their two normally mild-mannered (one who's 6'2" 230lb weight lifter and the other is about 6'7" and about 210lbs) throw a serious beatdown to the first person whose PC started making a racket.

      Oh, I suppose the virus should beep that vestigial speaker in the case as well.

    33. Re:Call to worm developers!! by Slime-dogg · · Score: 1

      heh. All it would have to do is change one or two strings in the registry, such as changing the default path to Internet Explorer to "C:\pro\IE" instead of "C:\program files\I..." You wouldn't believe how many programs depend on that one key.

      Changing a key or two wouldn't necessitate a reinstall, but it would generate a whole lot of tech support phone calls.

      --
      You need to restart your computer. Hold down the Power button for several seconds or press the Restart button.
    34. Re:Call to worm developers!! by rifter · · Score: 1

      NT4 and XP are different distros though. That's like telling RH to upgrade your RH6 servers to RH9 for free with support.

      No it's not. Firstly, NT4 and XP are not different distros. If they were, it would be like upgrading RedHat to gentoo.

      That said, the poster didn't ask for support, the poster asked if you could upgrade for free. You could have in theory a RH6 box which you had upgraded all the way through to RH9. In fact, I think you can upgrade a RH6 box to RH9, but I haven't tried it, to be honest. Nevertheless, it is free.

      The difference between Linux and Windows here is that NT4 plus service packs and hotfixes is NT4 with service packs and hotfixes, whereas you could conceivably, by continuing to patch and upgrade the system, have a box which started in the NT4 days of Linux which is running the latest version today. It is not a new OS even though there have been considerable improvements, and you do not have to pay a premium to get there.

    35. Re:Call to worm developers!! by rifter · · Score: 1

      People who use F*ck as every fourth word in their diatribe however, are quite welcome I take it?

      You can lead the way out the door.

      You haven't read the fucking Linux source code have you? :)

    36. Re:Call to worm developers!! by zeugma-amp · · Score: 1

      I'm still amazed that the things you describe in your post haven't come to pass already. People just have no idea how vastly much more destructive the last few windows could have easily been.

      Essentially, all they did was propagate and maybe try a DOS on a MS website. That is nothing compared to what they could have done, like reformat drives, randomly corrupt system files, or insert random profanities into email and similar things.

      Eventually, someone is going to propagate something really nasty and destructive. I'll be laughing my ass off, because there have been plenty of warnings!

      --
      This is an ex-parrot!
    37. Re:Call to worm developers!! by Anonymous Coward · · Score: 0

      NT4 and XP are different distros though. That's like telling RH to upgrade your RH6 servers to RH9 for free with support.

      RH and RH are the same distro, which makes your comparison really stupid.

      Mod this troll down!

    38. Re:Call to worm developers!! by Cromac · · Score: 1
      Fair enough. I just don't want to perpetuate the idea that what is posted on /. is automatically representative of OSS and Linux.

      For obvious reasons

      Fair, but man do you have an uphill battle fighting that perception.

    39. Re:Call to worm developers!! by tomstdenis · · Score: 1

      If you actually look up the definition of Distribution from which Distro comes from it's quite conceivable to think that RH6 and RH9 are different collections of tools hence different distributions.

      Tom

      --
      Someday, I'll have a real sig.
    40. Re:Call to worm developers!! by Anonymous Coward · · Score: 0

      If you actually look up the definition of CANNING THE MANHAM from which Tom StDenis comes from, it's quite conceivable to think that he also BOTTLES THE MANGOO.

  7. Windows' structure by Rajesh+Gupta · · Score: 1

    Isn't the case for a complete rewriting of the fundamental components of Windows rested already? Microsoft even seems to be willing to use them for Longhorn in 2006! How many fatal flaws will it take until something is done about this? Talk about "trusted computing"...

    1. Re:Windows' structure by EddWo · · Score: 1

      There isn't much wrong with the fundamental components of Windows. NT underneath is pretty stable and secure.

      The out of the box configuration of Win32 API being deeply embedded and lots of interlinked network services running as localsystem by default is where the security issues come from.

      There needs to be a cleanup, remove the dependencies, move to a more secure API. Allow users to run without admin rights most of the time without breaking too many older apps etc. These areas are being worked on towards Longhorn, which is probably why it is so delayed.
      There is no need to fundamentally rewrite the system.

      --
      "Taligent is still pure vapor. Maybe they'll be the last who jumps up on Openstep... "
  8. yet another critical /. flaw by Anonymous Coward · · Score: 0

    va lairIE/robbIE's pateNTdead PostBlock devise is STILL not working.

    be LIEk won FraUD calling another won infactdead, when, in fact, they're both sucking off the same conduit (yOUR wallet).

    the lights are coming up now.

    lookout bullow.

    consult with/trust in yOUR creator... see you there.

  9. What ever... by Anonymous Coward · · Score: 0

    You all act as if there are no flaws in Linux, MacOS or BSD...

  10. You guys are getting slow! by goldspider · · Score: 1

    Posting a Microsoft vulnerability AFTER they have released a patch? Either this news is really old, or you people who say that Microsoft doesn't react quickly to vulnerabilities are full of shit.

    --
    "Ask not what your country can do for you." --John F. Kennedy
    1. Re:You guys are getting slow! by GigsVT · · Score: 1

      The timeline is more like this:

      Big corporate customer with security contract gets broken into in an unknown fashion.

      Security company finds messenger flaw, tells their other paying customers, and notifies microsoft.

      Microsoft sits on it a month or two at least, then finally comes out with a fix. Only then does the general public find out about the flaw.

      Do you feel safer knowing that there are security companies out there that don't support full disclosure? I sure don't.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    2. Re:You guys are getting slow! by Anonymous Coward · · Score: 0

      Of course that is nothing but evidence-free speculation.

    3. Re:You guys are getting slow! by GigsVT · · Score: 1

      You are correct, I'm not saying that I have any evidence that happened this particular time.

      It happens though, and it's not unlikely something similar happened this time.

      Security companies don't hide their preferential disclosure policies. Nearly all of them report vulns only to their clients and the vendor, and have vague language in their policies like "responsible disclosure" clauses that let them sit on the flaw until the vendor bothers to get around to fixing it.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    4. Re:You guys are getting slow! by Jugalator · · Score: 1

      I don't really care how they work as long as they fix it before the vulnerability is exploited by virus developers.

      --
      Beware: In C++, your friends can see your privates!
    5. Re:You guys are getting slow! by ceejayoz · · Score: 1

      Do you feel safer knowing that there are security companies out there that don't support full disclosure? I sure don't.

      I feel safer knowing that there are security companies out there that support delayed disclosure, yes.

      They're doing the public a service by allowing Microsoft to patch it before releasing the announcement to the virus writers. That's far more responsible than screwing everyone over for the sake of ideology.

  11. Windows SUS by GangstaLean · · Score: 4, Informative
    Admins on sites exceeding 10 or so workstations may want to look into Windows SUS. Software Update Services (SUS) gives the capability of integrated patch management and centralized patch distribution. This is sort of along the lines of RHN with a centralized console for distributing through a domain.


    It's useful.

    --
    -- Bird in the Bush: The Renewable Energy Blog http://www.birdinthebush.org
    1. Re:Windows SUS by Jellybob · · Score: 1

      I've looked into this, but it seems to require ridiculous specs for what it's doing.

      As a small to medium charity, we can't afford an individual machine just to push out patches to our workstations.

      For people in the same situation, done right, group policies can be very useful... I'm using them here to push out system patches to our machines.

    2. Re:Windows SUS by richy+freeway · · Score: 1

      Just tried deploying this myself. Got SUS running nicely, but every time I try to install the client software on the win2k/xp machines it tells me that "SUS Client needs Win2k of XP blah blah blah"

      Any ideas anyone?

    3. Re:Windows SUS by Anonymous Coward · · Score: 0

      no thanks.

      you CAN'T control what gets uploaded... it simply mirrors the windows update site.

      call me when I can fully control the damned thing. something that MS does NOT want to happen.

    4. Re:Windows SUS by Anonymous Coward · · Score: 0

      "For people in the same situation, done right, group policies can be very useful... I'm using them here to push out system patches to our machines"

      Can you share how you do it?

    5. Re:Windows SUS by neilb78 · · Score: 0

      We're using this with about 400 XP & 2000 machines. It works pretty good. You can deploy it via Group Policy so you don't have to touch every machine. Recently they added the ability to send out Service Packs!

      If you have a slow (mostly 32k frame), very distributed (140 sites), network like we do...it still works, but we can only approve a few updates per day or we'll hog all the bandwidth.

      It beats the fsck out of touching each PC --- give it a try. EASY EASY EASY to set up.

      --
      © 2004 The SCO Group, Inc. All Rights Reserved.
    6. Re:Windows SUS by wimbor · · Score: 1

      If I remember correctly you need Windows 2000 SP3 or Windows XP to get it to work. Works perfectly here for all clients with XP SP1 and 2000 SP4

    7. Re:Windows SUS by easyfrag · · Score: 1

      Windows 2000 Service Packs 3 & 4 as well as XP Service Pack 1 already have the client software installed, that's the error you will get when you try to reinstall it, not very clear I know.

      If your clients are 2K SP3/4 and XP SP1 all you need to do is configure them via policies to use your SUS server for updates. Or you can do it manually: in Win 2K it's in the Control Panel under "Automatic Updates", in XP right-click "My Computer" and choose the "Automatic Updates" tab.

    8. Re:Windows SUS by soundman32 · · Score: 1

      Which is a great help if you use Win98 because SUS only supports W2K or XP.

      We have about 15 workstations, 2 run XP.

      What do we do?

      Neil

      --
      No sharp objects, I'm a programmer!
    9. Re:Windows SUS by neilb78 · · Score: 0

      You don't need a dedicated machine for SUS. It will even run on a domain controller.

      --
      © 2004 The SCO Group, Inc. All Rights Reserved.
    10. Re:Windows SUS by Tassleman · · Score: 1

      ...But you CAN control which updates from Microsoft's site get Approved to be sent to clients. Any Critical Patch that goes to Windows Update gets sent to SUS Servers within a few days. From that point you can choose to approve the update, or opt to NOT distribute it. Once an update is approved clients will start downloading it within 17-22 hours, then installing at your pre-defined scheduled time, or when an Administrator logs on they can be prompted to Manually install the patches.

      If you're talking about uploading your own patches (or whatever) you need to use another system, probably SMS.

    11. Re:Windows SUS by archen · · Score: 1

      That depends upon the machine. I was reading through the specs and it was something like 256Mb of RAM and a pretty quick processor (recommended that the machine is dedicated). If your machine is already lacking horsepower then putting SUS on a machine as well is not a good idea. It also seems rather insane that you would risk your domain controller falling over to add an SUS server out of it.

    12. Re:Windows SUS by richy+freeway · · Score: 1

      Go go gadget MS error message! :)

      Cheers for that. I'll give it a whirl later!

    13. Re:Windows SUS by mr_z_beeblebrox · · Score: 2, Informative

      Any ideas anyone?

      Read this over and be sure that you understand what it does before you try it, better yet see if you can find it independently. Applying a registry patch from /. would be silly in the extreme. Here is the registry entry:

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
      "WUServer"="http://your.server.com"
      "WUStatusServer"="http://your.server.com"

      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
      "RescheduleWaitTime"=dword:00000005
      "NoAutoRebootWithLoggedOnUsers"=dword:00000001
      "NoAutoUpdate"=dword:00000000
      "AUOptions"=dword:00000004
      "ScheduledInstallDay"=dword:00000000
      "ScheduledInstallTime"=dword:00000003
      "UseWUServer"=dword:00000001

      Save that to a file called wu.reg or whatever.reg and then merge it with your registry.
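
One way to follow the advice in the comment above and understand a Windows Update policy .reg file before merging it, as an added Python example that is not part of the original post or of any Microsoft tool. The function names and severity labels are assumptions made here, the sample input is constructed from the values in the post, and the AUOptions and ScheduledInstallDay meanings are the standard Automatic Updates policy values.

```python
import re
from urllib.parse import urlparse

HEADER = "Windows Registry Editor Version 5.00"
WU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = WU_KEY + r"\AU"
AU_OPTIONS = {2: "notify before download", 3: "download automatically, notify before install",
              4: "download automatically, install on schedule", 5: "local administrator chooses"}
DAYS = ["every day", "Sunday", "Monday", "Tuesday", "Wednesday",
        "Thursday", "Friday", "Saturday"]
PLACEHOLDER_HOSTS = {"your.server.com"}  # placeholder host used in the post

# Constructed sample: the values from the post, placeholder server left in.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://your.server.com"
"WUStatusServer"="http://your.server.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"RescheduleWaitTime"=dword:00000005
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"UseWUServer"=dword:00000001
'''
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: str | int}}."""
    lines = [ln.strip() for ln in text.lstrip("\ufeff").splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(";")]
    if not lines or lines[0] != HEADER:
        raise ValueError(f"first line must be exactly {HEADER!r}")
    keys, current = {}, None
    for ln in lines[1:]:
        if ln.startswith("[") and ln.endswith("]"):
            current = keys.setdefault(ln[1:-1], {})
            continue
        m = VALUE_RE.match(ln)
        if m is None or current is None:
            raise ValueError(f"unparseable line: {ln!r}")
        name, raw = m.group(1).strip('"'), m.group(2)
        if raw.startswith("dword:"):
            current[name] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            current[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \"
        else:
            current[name] = raw  # other value types (hex:...) kept verbatim
    return keys

def load(text):
    """Return (key paths, WindowsUpdate values, AU values); paths match case-insensitively."""
    keys = parse_reg(text)
    lower = {path.lower(): values for path, values in keys.items()}
    return list(keys), lower.get(WU_KEY.lower(), {}), lower.get(AU_KEY.lower(), {})

def audit(text):
    """Return (severity, message) findings for a Windows Update policy .reg file."""
    paths, wu, au = load(text)
    allowed = (WU_KEY.lower(), AU_KEY.lower())
    findings = [("HIGH", f"touches a key outside the Windows Update policy: {p}")
                for p in paths if p.lower() not in allowed]
    if au.get("NoAutoUpdate") == 1:
        findings.append(("HIGH", "NoAutoUpdate=1 turns Automatic Updates off"))
    if au.get("UseWUServer") == 1:
        for name in ("WUServer", "WUStatusServer"):
            url = urlparse(str(wu.get(name, "")))
            if not url.hostname:
                findings.append(("HIGH", f"UseWUServer=1 but {name} is missing or not a URL"))
            elif url.hostname in PLACEHOLDER_HOSTS:
                findings.append(("HIGH", f"{name} still points at placeholder {url.hostname}"))
            if url.hostname and url.scheme != "https":
                findings.append(("WARN", f"{name} uses {url.scheme}: client cannot authenticate server"))
    opt, day, hour = (au.get(k) for k in ("AUOptions", "ScheduledInstallDay", "ScheduledInstallTime"))
    if opt not in AU_OPTIONS:
        findings.append(("WARN", f"AUOptions={opt!r} is not a value this script recognises"))
    elif opt == 4 and (day not in range(8) or hour not in range(24)):
        findings.append(("HIGH", f"bad install schedule: day={day!r} hour={hour!r}"))
    return findings

def describe(text):
    """Summarise the update behaviour the file configures."""
    _, _, au = load(text)
    opt, day, hour = (au.get(k) for k in ("AUOptions", "ScheduledInstallDay", "ScheduledInstallTime"))
    summary = AU_OPTIONS.get(opt, "unrecognised AUOptions")
    if opt == 4 and day in range(8) and hour in range(24):
        summary += f" ({DAYS[day]} at {hour:02d}:00)"
    if au.get("NoAutoRebootWithLoggedOnUsers") == 1:
        summary += ", no automatic reboot while a user is logged on"
    return summary

if __name__ == "__main__":
    print(describe(SAMPLE_REG))
    for severity, message in audit(SAMPLE_REG):
        print(severity, message)
```

A key path that a forum's line wrapping has broken with a stray space is reported as lying outside the policy key, and a header fused onto the first key line is rejected before anything else is read.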

    14. Re:Windows SUS by pbranes · · Score: 1
      As far as the specs go, I am using it on a dual p2-400 xeon with 512mb ram. This computer is a domain controller and a SUS server. I am having no trouble with it slowing down. I don't think this qualifies as a supercomputer. I am serving updates to about 400 computers and I never experience any slowdown on the server.

      I tried using group policies to push out patches, but it is such a pain to do and keep up with. I think that if you tried SUS on your domain controller, you would be happy with it.

      The one thing that I didn't like about SUS was the fact that by default, you have to send the administrator password over a cleartext web page to use it. So, I installed Certificate Service on the server, generated a certificate, and installed it on the web page. Now when I go to https://someserver/susadmin, I get an error that the certificate could not be validated. However, I choose to continue, and then I get to use the administrative page with 128 bit encryption! :-)

    15. Re:Windows SUS by TA+Ealing · · Score: 1

      Yep we run it on a server that has a load of other stuff running on it. Does not need a dedicated machine.

    16. Re:Windows SUS by hetairoi · · Score: 1

      You may want to look at MBSAFU. It's clunky, but it works. I was using it before I got SUS running. SUS is much slicker if you have the resource available, but mbsafu will get the job done.

      --
      you're all figments of my deranged imagination
    17. Re:Windows SUS by Jellybob · · Score: 1

      What sort of loads are you getting on the SUS server?

      We've got a single server here running 2000 SBS, which is the PDC, Exchange server, and file server for a few hundred users.

      Once I persuade management to get another server to take the load off the current one I'll definitely take a serious look at SUS though.

    18. Re:Windows SUS by iceT · · Score: 1

      So.. did you get PAID for that product endorsement? I mean... aside from the fact that this software removes a driver for MS to write good code (because of the TCO for the patch management), you would want to install this on a central server that would, of course, require a Windows 2k(2k3?) license.

      --
      -- You can't idiot-proof anything, because they're always coming out with better idiots.
    19. Re:Windows SUS by LurkerXXX · · Score: 1

      FUD! You have obviously never used it. The SUS server downloads all patches from MS servers. It then presents you with a nice list of them. You *MUST* check off a checkbox in order to approve each patch for distribution to your network. Leave it unchecked and it won't be installed on any of your machines. MS does give you control over what patches you want installed.

    20. Re:Windows SUS by Anonymous Coward · · Score: 0

      You don't have to worry, nobody writes programs to take advantage of exploits in 98 these days anyway. The last three "big" vulnerabilities have only affected the NT kernel windows, so users of 98 don't need to worry.

    21. Re:Windows SUS by boskone · · Score: 1

      I'm confused. How do you have a few hundred people using SBS when it will only accept 100 licenses? Not to question you on your own environment, but are you sure about that?

      Peace...

    22. Re:Windows SUS by ostiguy · · Score: 1


      The SUS specs are preposterous - they are for machines with thousands of clients. SUS is really just an IIS web site that serves up a couple megs at a time, so damn near anything ought to be able to do it. If you plan on deploying service packs through it, you might need more horsepower. I do SP's via group policy.

    23. Re:Windows SUS by Anonymous Coward · · Score: 0

      SUS sucks. I tried it a couple of weeks ago and from what I've seen it still depends on the user having to click through the patch installation. Users can't be trusted to do that. I don't know what kind of users you deal with, but the ones I work with will dump a 2 liter of soda into a $2500 laser printer and then call the helpdesk to complain that it's not working.

    24. Re:Windows SUS by Anonymous Coward · · Score: 0

      Hi,
      I have SUS running, it is good for the small patches, DO NOT ENABLE SP installs.
      Serious problems with it.
      What you need to do is follow the white paper on the MS site.
      Also for those who can't do SUS then get a tool called psexec and install your patches like that.
      Have to do it manually but it isn't so bad with smaller sites.

    25. Re:Windows SUS by Zeddicus_Z · · Score: 5, Insightful
      We use SUS at work to distribute patches to around 60 desktops. While it's certainly nice to not have to go desk-to-desk doing this manually, SUS has some major drawbacks.
      • Bad patch verification. Like WindowsUpdate, SUS relies on a registry entry to check successful installation of patches. As many admins have discovered over the past few months, this method of patch verification is highly flawed and results in many, many cases of false-negatives when searching for vulnerable workstations.
      • OS patches only. SUS does OS patches. Great. Now what about Office, which is also installed on every desktop in our company?
      • Patch reliability. Even if SUS was vastly improved, the sad fact of the matter is that MS patches are still capable of doing severe damage to the target system. It's not like there are no past examples of patches and/or service-packs f$*king up machines. Until the patching process becomes not only dead easy, but also bulletproof RELIABLE, servers (esp. critical infrastructure machines) will continue to need manual patching. Considering many larger companies can have hundreds of servers across the organisation, it becomes one hugeass timesink.
      • Other pitfalls. There are many, MANY other options missing that would make life for administrators much easier - such as forcing reboots for patched machines, the ability to stagger deployment using only one SUS server (by using, say, MAC addresses or NetBT/DNS hostnames), the ability to detect mobile users (via a configurable registry setting on the client end) and *force* them to patch immediately upon connecting to the LAN based upon past percentage hit-rate for successful patching (i.e. machine was turned on and connected to LAN) at the regular scheduled time
      SUS is nice to have, but it's certainly not set-and-forget as it SHOULD be - at least on the client end of things. There is a long way to go with SUS before it begins to approach something that makes a significant impact on the nightmare that is Microsoft patching. But of course the problem with hoping SUS gets better is that SMS and MOM exist... and unlike SUS, neither of those are free.
      --
      Janie took my gun...
    26. Re:Windows SUS by halr9000 · · Score: 1

      Problem is that you still have to touch, or at least remotely command every machine if you do not want the machines rebooted automatically. Not sure about you guys, but some of us have production servers that can't be rebooted on a schedule, every reboot must be planned in advance. So, if I use SUS (which we do), I have to set it to auto-download, but never install. Then login to box to manually install, then reboot. Which sucks ass.

      What I did for the RPC patch was run a script against my 90 boxes that installed the patch manually with the no reboot switch. Then once I get a reboot window, come back and do the reboot.

      SUS needs a feature to install but not reboot, then I can have every box set to auto-install and I keep my reboot process separate.

    27. Re:Windows SUS by Infernon · · Score: 1

      The specs for SUS are outrageous (it's why we haven't even thought about implementing it) and M$ recommends against running it on a server that has another function so I'm of the opinion that you're dead on, no charge for SUS, but you have to purchase another server license...

    28. Re:Windows SUS by Anonymous Coward · · Score: 0

      We have +1200 servers in our company, and we tried SUS for patch deployment, unfortunately it reboots some servers even if we state we don't want to reboot them after patching.

      Really unprofessional, you cannot rely on this piece of shit if you have to maintain a high availability environment.

    29. Re:Windows SUS by Jellybob · · Score: 1

      We've got a few hundred users in the AD, but never have more than about 30 actually logged in at any one time.

    30. Re:Windows SUS by neilb78 · · Score: 0

      Ok, so load Win2k on a desktop if your company can't afford another server. You don't need to backup the machine, or have RAID -- you could reload Win2k & SUS in an hour if the drive failed.

      --
      © 2004 The SCO Group, Inc. All Rights Reserved.
    31. Re:Windows SUS by pbranes · · Score: 1

      The IIS hits/sec are virtually nonexistent because the updates are only downloaded once a day. Even during the peak load, there is no noticeable slowdown. The CPU load is about 5% constant. The memory use is about 190MB out of 512MB.

    32. Re:Windows SUS by __aaklbk2114 · · Score: 1

      Thanks for the information.

      Here at the BSA, we know it can be hard to stay in compliance with software licensing issues.

      We'll be sending a special team (don't worry about keeping the door open, we'll let ourselves in) to help you determine your proper needs as you are obviously confused.

      Remember, proper software licensing helps combat terrorism!

      Sincerely,
      Business Software Alliance

    33. Re:Windows SUS by Anonymous Coward · · Score: 0

      SUS is cute but try to push a Service Pack with it. It can't. So these patches are great until you hit some legacy machines that need a SP before you can load the patch(s). Then Micro$oft's response is use SMS. Which is not simple and 'a quick fix.'
      Next, try to get some reports from it, or scan your network so it can tell you what is vulnerable.

      It's not hardware demanding but falls short for an 'update manager' tool. Any admin that can use scripts could blow this tool out of the water.

      One shameless recommendation is a product by Gravity Storm Software called Service Pack Manager 2000
      We use it to update thousands of PC's and servers then it auto exports the results in CSV which is dumped into a simple MySQL database so our managers can easily see the 'state of the systems' without having a clue how it all works.

    34. Re:Windows SUS by Anonymous Coward · · Score: 0

      SUS is quite limited in what hotfixes it will deal with. For example, SUS will not patch MSSQL or MSDE.

      A much more robust solution is something like PatchAdvisor. http://www.patchadvisor.com

    35. Re:Windows SUS by Eraser_ · · Score: 2, Interesting

      Don't forget the installer. We have a server here running IIS with some strange application inside of it (Riverdeep). I read through all the readme's for SUS, and it said "don't worry, we only create a new site called SUS blah blah blah", and it's recommended not required to install IIS Lockdown. You can get that here.

      Sounds cool to me, I run the installer, and it does as it's told, but then proceeds to IIS Lockdown my server, breaking the application that was running on it. Un-Installing IISLockdown and SUS does _not_ fix the problem. Thanks microsoft, when do we get chroot for windows. Oh, but it will still need to install 400megs of cruft into root-c:\winnt.

    36. Re:Windows SUS by Anonymous Coward · · Score: 0

      You're a poor admin if piddly shit like that holds you up. Anyone who knows more than a carrot can work around any windows update problems, likewise problems with SUS.

      Get a job flipping burgers skippy.

    37. Re:Windows SUS by Anonymous Coward · · Score: 0

      Uh, did you read the SUS manual? You can set a registry key to make it require confirmation to reboot, but still install automatically. In other words, RTFM.

    38. Re:Windows SUS by mr_z_beeblebrox · · Score: 1

      SUS is cute but try to push a Service Pack with it.

      It is cute and Service pack support was announced a few weeks back. I used it to push XP SP1 to 3 dozen new laptops without a hitch

    39. Re:Windows SUS by Anonymous Coward · · Score: 0


      It's funny, I never heard of this product before and it already has a "service pack" (a.k.a. cumulative patch)

      Cheers!!!

  12. Not a surprise by mgv · · Score: 1

    This is hardly news in a sense. It's not the first, last or only time that windows has a flaw. There are probably a thousand of these exploits hidden in the closed source.

    On top of that, there is the prevailing attitude at microsoft that a quick sale for ease of use is better than a later sale with security. Until now that approach has always left them in the money.

    I'm hoping that the level of attacks that we have seen in the last few months will finally produce the uprising against this "quick release" security through obscurity model that microsoft has done so well with.

    My 2c worth

    Michael

    --
    There is no cryptographic solution to the problem where the intended receiver and the attacker are the same entity.
    1. Re:Not a surprise by mgv · · Score: 0

      Ok, I'll bite on the troll.

      By your logic we should not use openssl, kde, etc, or the many many other OSS projects that are in the upgrade windmill.

      Are you seriously suggesting that openssl has a philosophy of putting code out as fast as possible in order to gain sales? There is no comparison between the quality of openssl and that of windows, and at best I would presume that you are trolling here.

      Your rhetoric is old and mine is new, haha! Go to back to your master and learn new tricks, haha! Stop posting crap on slashdot, haha!

      Yep, definitely trolling here

      Michael

      --
      There is no cryptographic solution to the problem where the intended receiver and the attacker are the same entity.
    2. Re:Not a surprise by Anonymous Coward · · Score: 0

      You know what, Tom, I never used to like your posts. I found them irritating, and your attitude arrogant and condescending. I was also very offended by your pro-Microsoft, anti-Linux attitude.

      But recently I'm beginning to realise that you've been right all along, and it was I with the bad attitude. I was so much into my Linux zealotry that it destroyed a reasonable perception of anything else.

      Thank you for your insightful and well-balanced comments.

    3. Re:Not a surprise by tomstdenis · · Score: 1

      Are you kidding? The whole OSS philosophy is wrapped around release early release often. Maybe openssl doesn't follow this [though it has had its share of bugs] many other things [kernel for instance] follow this model.

      This isn't "my wang is longer than your wang". The lesson is both streams have bugs and you have to patch both often to keep decently caught up.

      I mean I can go fetch a RH6 cd off the shelf, install it and get rooted. What do you say then of your beloved OSS?

      Tom

      --
      Someday, I'll have a real sig.
    4. Re:Not a surprise by mgv · · Score: 1

      Are you kidding? The whole OSS philosophy is wrapped around release early release often. Maybe openssl doesn't follow this [though it has had its share of bugs] many other things [kernel for instance] follow this model.

      It's the difference in approach that I see as the major point between microsoft and say openssl.

      Microsoft has spent years releasing fast and furiously with a big sales pitch on their products. Even stuff that they don't "sell" such as internet explorer has this release philosophy.

      Version numbers become sales pitches in their own right, and new features become the prime reason for release.

      Compare that with my favourite browser, Firebird. It's still on a 0.6.1 release, and it is more stable than IE. It feels as though it has more features than IE, but it actually has less - especially in terms of features that are exploitable such as scripting.

      This is because microsoft has had a "stuff on a new feature charge customers for it" mentality for as long as I can remember. It worked well for a while for them, but it's left them with fundamentally insecure code (such as the whole windows messenger service) and a fundamentally insecure approach to their system (such as default administrator logons with blank passwords in XP).

      I don't believe that it is fair to compare the underlying approach of windows to a lot of the open source code - as I said above and I still stand by it.

      Michael

      --
      There is no cryptographic solution to the problem where the intended receiver and the attacker are the same entity.
  13. Slashdot Moderation by sylvester · · Score: 2, Insightful


    Hey what's the deal with slashdot moderation? I used to read at +5 but now there're barely any comments there. I know this is offtopic, but did I miss a story about major changes or something?

    1. Re:Slashdot Moderation by Anonymous Coward · · Score: 0

      The problem is that slashdot is sometimes banning so many whole networks for bad postings that there are barely any people left to write comments.

    2. Re:Slashdot Moderation by Anonymous Coward · · Score: 0

      I find that in 'new news' you tend to be reading at 1/2 due to the lack of comments. Wait a few hours for the comment count to reach around 200 and the 4/5's will show up.

    3. Re:Slashdot Moderation by bots · · Score: 1

      That's right, when you enter a new thread, you get it all, it's called exploration and adventure. Why just recently I learned all about horses by boldly exploring a wild thread full of meandering comments.

    4. Re:Slashdot Moderation by Jellybob · · Score: 4, Informative

      They're having problems with some of their machines, including the one which distributes mod points, running slow.

      Which means that mod points aren't being given to as many people, which means there's less around to take things to +5.

      More details in Taco's Journal.

    5. Re:Slashdot Moderation by Overly+Critical+Guy · · Score: 0, Troll

      In other words, their Linux machines aren't up to the load?

      --
      "Sufferin' succotash."
    6. Re:Slashdot Moderation by Anonymous Coward · · Score: 0
      In other words, open source isn't the great cure-all that the editors and slashbots make it out to be.

      But don't think this little episode will change their minds that all Microsoft and proprietary software is bad, while all open-source software is good. Their pea brains can't comprehend that.

    7. Re:Slashdot Moderation by Eamon+C · · Score: 1

      Well, I'm glad they still found the time to post another story about a Microsoft security hole. What else should I expect from the page voted by Linux Journal readers as their "favorite Linux web site"?

    8. Re:Slashdot Moderation by Anonymous Coward · · Score: 0

      Ha ha, it's already down to -1. Looks like someone hit the nail on the head.

    9. Re:Slashdot Moderation by Anonymous Coward · · Score: 0

      Also, less points to take things down to -1. I've noticed a lot of stories with many comments that are all above my threshold.

    10. Re:Slashdot Moderation by donnz · · Score: 1

      Which is great. I am back to browsing at +4. Maybe /. to cut down on the number of moderation points they give out these days.

      --
      -- Free software on every PC on every desk
  14. And once again by mst76 · · Score: 1

    Win98 is not affected. Or is it just that they don't bother to check it anymore?

    1. Re:And once again by shawn99452 · · Score: 1

      They don't check anymore. But if they did, it still wouldn't be affected. Windows 9x doesn't have the Messenger service that the overflow is for. It's only in NT-based machines.

    2. Re:And once again by Anonymous Coward · · Score: 0

      They stopped Win98 support so they don't HAVE TO check it anymore. That's the reason for stopping support of something and therefore forcing people to upgrade.

  15. The real solution by Anonymous Coward · · Score: 0

    Anyone see a pattern here? I think the only way to keep your windows boxen safe is to unplug the network cable.

  16. Why is This Reported Now? by EvlG · · Score: 1

    I checked my Windows XP installation and it has had the patch applied since July 8, 2003. Why is this a news item just now?

  17. SUS to the rescue by MakoStorm · · Score: 0
    Well my former employer should be okay, the last thing I did before they laid me off (with no warning) was implement SUS server in time for the second RPC vulnerability

    I wish them all the best

    Cheers!

    Back to the job hunt

    -Mako

  18. Got all the buzz-phrases! YOU WIN!! by Anonymous Coward · · Score: 0
    "exploits hidden in the closed source"

    "security through obscurity"

    WE HAVE A WINNER! MOD PARENT UP!

  19. I love Win2K, but... by LaserBeams · · Score: 1

    ARRRGH, all these dang security updates, and patches, and holes, and everything... It's not fair. And Linux is no better, I'm stuck on 56K, so getting the thing in the first place is hard enough... not to mention isn't a fulltime job in itself.

    I think I'll just go back to Windows 3.1 on all my machines, that will solve all these problems I'm having with new operating systems.

    --
    Karma: \Kar"ma\, n. [Skr.] (Buddhism) One's acts considered as fixing one's lot in the future existence.
    1. Re:I love Win2K, but... by LaserBeams · · Score: 1

      Though... after reading that last article maybe I should just go buy a Mac.

      (and learn how to type... "not to mention it's a fulltime job in itself")

      --
      Karma: \Kar"ma\, n. [Skr.] (Buddhism) One's acts considered as fixing one's lot in the future existence.
    2. Re:I love Win2K, but... by LaserBeams · · Score: 1

      Oh goody. First of all, I have used Linux recently, and you seem to have missed the point, I was complaining about the downloads, not the OS itself. I simply cannot get broadband, it is not available here. Second, I don't lick anyone's ass. I bought, and use Win2K because in my extensive experience (that is, nearly every day since its release), I have found it to be an extremely reliable, as well as usable OS. Many apps I use are exclusive to Windows (and there are no comparable Linux alternatives) so running them on WinE would just be stupid and redundant. I admit I'm not the savviest user out there, but if I can keep a Win2K powered PII-366 laptop with only 128 MBs of RAM as my primary work / play / development / gateway / everything-else-but-new-games machine, up and running for nearly two months (only restarting for updates, and with lots of demand on the OS every day), then I say that's pretty darn good. Get off your high horse, and next time you want to insult someone because they're using something practical for how they work, uncheck that little box. Coward.

      --
      Karma: \Kar"ma\, n. [Skr.] (Buddhism) One's acts considered as fixing one's lot in the future existence.
    3. Re:I love Win2K, but... by Anonymous Coward · · Score: 0

      Dude. It was a joke. I don't care what you use, really.

  20. EULA by Anonymous Coward · · Score: 0

    I just love how you have to accept an EULA saying that you won't release any .NET benchmarks just to get these security fixes.

    Red Hat should add one of these clauses to stop Microsoft from paying for all of these "independent studies" concluding that Windows beats Red Hat.

  21. Well.... by TaranRampersad · · Score: 1

    At least they found them. I wonder if they are patching for the manner in which Valve's source code was pumped out?

    Maybe paranoid game developers will start writing games for GNU/Linux...

    1. Re:Well.... by Jugalator · · Score: 1

      Yes, if GNU/Linux becomes as common as Windows.

      --
      Beware: In C++, your friends can see your privates!
    2. Re:Well.... by TaranRampersad · · Score: 1

      Chicken and Egg.

    3. Re:Well.... by johnnyb · · Score: 1

      I know I do my development on Linux even if I'm developing for Windows. I use cross-platform tools so I can code on Linux. I believe the Quake guys do this, too which is why it's always supported on Linux. When I worked at Wolfram Research (i.e. Mathematica), even though NeXT was no longer a supported platform, about 1/3 of the developers used it as their primary platform.

  22. Stop blaming Microsoft! by Anonymous Coward · · Score: 0

    It's the fault of the C programming language, ya hear me? In what other commonly used languages do you get buffer overflows? It's C's fault! Blame C! Ask for patches for C! I'm surprised no one noticed this earlier.

  23. The problem with Microsoft software by Anonymous Coward · · Score: 0

    ...is that you can't uninstall it or install it separately from Windows itself. You're forced to experience the whole mess. Even those programs you'll never use.

    You can do that on other platforms. But then everyone says: "It's too complicated." Ahhhwww..

  24. New Popup Message by powerlord · · Score: 1

    joo R 0wn3d

    Makes me glad I have a firewall between me and the internet (even at home for my LAN). I didn't even know about all the Popup spam until an article came around talking about it. It just hadn't been an issue. Yes, it's better to be informed than clueless, but a decent firewall is still a help :)

    --
    This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
    1. Re:New Popup Message by snatcheroo · · Score: 1

      Firewalls are totally overrated, they're almost like a buzzword that won't die. They are just a deterrent and can be owned up faster than most people would expect.

    2. Re:New Popup Message by powerlord · · Score: 1

      Quite possibly/probably.

      Out of curiosity, are you referring to?
      "real firewalls" (ie. Cisco PIX, etc.), "appliance" type firewalls (linksys, etc.), machines running as a firewall (Linux or Windows machine running firewalling software), "local firewalls" (machine running a piece of software to firewall itself. ... marginally in the previous category but also includes things like ZoneAlarm or Symantec/McAfee Personal Firewall).

      I would imagine that each group has its own probability of being cracked "easily", with the chance of a box being cracked getting lower toward the front of the list (all assuming proper configuration). I would think that for the average tech-person, a Firewall appliance should be relatively secure (and securable).

      Please explain your position, I'm curious why you think they are just a deterrent?

      --
      This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
    3. Re:New Popup Message by SpaceLifeForm · · Score: 1
      A stand-alone firewall that has no services running and drops all garbage coming from the Internet will not get owned, and is quite secure.

      Software firewalls such as ZoneAlarm can't be totally secure because ultimately they can't control every packet coming into the machine.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
  25. Security update of the month? by Anonymous Coward · · Score: 0

    Did I miss the announcement? It seems that Microsoft has shifted to announcing groups of patches every month. Will the natural outgrowth be a subscription based security update patch each month?

    I can hear it now, "Yessir, we have 800 bugs identified in the new version, and if we announce patches for them at a 10 per month rate, it will increase our revenue stream threefold"

    Hey, it makes more sense than the keystone cops approach currently in use.

  26. Causes new problems? by lavaforge · · Score: 1

    I just installed the patch on my laptop and now it BSOD's immediately on boot. It's quick, but I caught something that looked like "basesrv." Quite the pain, really. Is anyone else having a similar problem, and if they are, how do you fix it?

    1. Re:Causes new problems? by KillerHamster · · Score: 1

      I got a BSOD on the first boot with Windows 2000 after installing the latest updates. I hit reset and it started up fine. I have no clue what caused it. The Event Manager says nothing helpful.

      This might seem weird, but from a couple years of experience with Win2k, when it BSOD's on bootup and I restart, for some reason it seems to help if I start wiggling the mouse as soon as the desktop appears and keep it up all the way through the login process until all the startup programs have loaded. Or maybe I'm just crazy.

      I love Linux - it makes so much more sense.

  27. Ahh... I'm On to Them by Greyfox · · Score: 1

    I've figured it out! My company sends around an update CD every time one of these flaws is announced. They're trying to drive us bankrupt through the cost of update CDs and lost productivity of every employee in the company having to spend half an hour to an hour applying them! I'm on to their evil plan now!

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:Ahh... I'm On to Them by NineNine · · Score: 1

      That theory isn't very good, especially considering any new flavor of Windows has automatic updating that requires *zero* intervention from the user.

    2. Re:Ahh... I'm On to Them by Greyfox · · Score: 1

      My company doesn't trust its employees to use automatic updating. And the automatic update still requires anywhere from 10 minutes to an hour of lost productivity depending on how big the patch is and if it requires a reboot. Since my company has deployed a bunch of VB crapplets I'm forced to reboot to Windows once a week to do my timesheet so I can't just nuke Windows off my hard drive completely, run Linux and ignore the Windows warnings ("apt-get update ; apt-get upgrade" doesn't require you to stop all your applications while it runs and it doesn't require a reboot.)

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    3. Re:Ahh... I'm On to Them by NineNine · · Score: 1

      You're missing the point. You don't do anything. That's why it's called automatic updating. Set it to happen at 2:00 AM every day. There's nothing to do. If a reboot is required, reboot when you're getting your coffee. It's not a big deal at all.

    4. Re:Ahh... I'm On to Them by $rtbl_this · · Score: 1

      That's a good solution for home or small office users, but it doesn't scale that well for larger sites. As soon as you have more than a few dozen workstations, having each one pull down the updates from the Internet causes an unacceptable amount of network traffic (maybe it's OK in the US where bandwidth is cheap, but here in Europe our Internet pipes tend to be a bit more frugal). Also, no sane person wants to use this solution for servers, where applying untested updates can have catastrophic consequences.

      The only manageable solution I've found is using software distribution apps or dedicated patch management tools like LANGuard. SUS is a stab in the right direction, but its lack of support for NT 4.0 makes it a non-option for most of the sites I look after.

      --
      "Are you being weird, or sarcastic?" said Emma. I said I didn't know because I get the two feelings mixed up.
    5. Re:Ahh... I'm On to Them by TheRealFixer · · Score: 1

      Until Microsoft puts out another hotfix that breaks something else, like your network connectivity, like the one they did with XP some months back. Most corporations prefer to test Microsoft patches first, before pushing them onto the whole user base.

    6. Re:Ahh... I'm On to Them by PyJockey · · Score: 1

      I wouldn't recommend automatic patching at this point. My coworker's NT4 PC was left without a keyboard after this latest round of patches. WinNT4 requires a CTL-ALT-DEL before you can access the shell. This is rather difficult without a keyboard. In the event that you couldn't use the recovery console on the Win2K+ CD, MS's solution (KB article 305462) was to install a parallel installation of NT4 and use it to access the NTFS partition of the main installation and rename a sys file. After ribbing him about his ancient OS, I found that my XP Pro workstation was left in a similar state after applying the patches. This is unacceptable. Automatic patching may be the answer sometime down the road, but it isn't there yet.

    7. Re:Ahh... I'm On to Them by RzUpAnmsCwrds · · Score: 1

      Microsoft Software Update Services is what you're looking for.

    8. Re:Ahh... I'm On to Them by $rtbl_this · · Score: 1

      Thanks, but that was the SUS I mentioned as being unsuitable. The lack of NT 4.0 support makes it a non-starter. I'm evaluating LANGuard right now and it seems like a better all-round solution.

      --
      "Are you being weird, or sarcastic?" said Emma. I said I didn't know because I get the two feelings mixed up.
  28. In a way, it is a good thing... by BottleCup · · Score: 1

    ... that someone took advantage of the previous RPC bugs on Windows. At least now Microsoft is taking this shit seriously enough to offer patches to other flaws. One wonders sometimes if those "flaws" were in fact flaws or just a backdoor implanted purposely for remotely controlling your desktop ;). Then again, do these patches really fix things or do they just change the nature of the backdoor so that only Microsoft knows how to use it?

    Or maybe I've just been watching too many Matrix movies.

    1. Re:In a way, it is a good thing... by quigonn · · Score: 4, Funny

      A friend of mine recently said: "the only way to get a security hole fixed in Microsoft software is to write a worm that exploits it".

      --
      A monkey is doing the real work for me.
    2. Re:In a way, it is a good thing... by Anonymous Coward · · Score: 0

      And the only way to get a security hole fixed in Linux is to write it yourself.

    3. Re:In a way, it is a good thing... by Anonymous Coward · · Score: 0

      And what a wonderful thing that is! Imagine... you can say, "screw the vendor... I'll fix it myself"! (or hire someone to fix it) Instead of waiting around until the VENDOR thinks it's important.

    4. Re:In a way, it is a good thing... by praxis · · Score: 1

      Well, I wouldn't say that's the only way. In fact many security holes are discovered, fixed, and a patch is released before the exploit hits. There has been evidence that some of the exploits have reverse engineered the patch to provide further information in developing the exploit. The crux of the problem is finding a way for users to patch their machines effectively. That's not an easy problem to solve, given corporate networks with hundreds of machines, server farms with mission critical applications, and even uneducated users.

  29. Re:Yet Another Critical Linux Flaw! by TaranRampersad · · Score: 1

    "Even OpenBSD has had 1 security hole in the default install, and thats ONE TOO MANY"

    Damn right. But with Debian and OpenBSD, irate consumers can fix the source code themselves if they choose. Ultimately, this *can* lead to better code, but the majority of computer users have problems installing patches and updates - so how can we expect them to actually do something positive about security?

    People who don't patch - please disconnect from the internet after reading this, and burn all phone cords and network cables between you and the internet.

  30. Really? by Anonymous Coward · · Score: 0

    I reinstalled Windows 2k 2 days ago, and downloaded all critical security patches. I go back today, and found there were 4 new ones.

  31. who needs this? by teemu.s · · Score: 1

    Who needs that service? O.k., it's useful to receive messages from olga from moscow providing you p0rn (if you're not firewalled) - but is there really anyone out there who takes advantage of this service? Hasn't it already been disabled? And if not - why didn't they do that?

    1. Re:who needs this? by shawn99452 · · Score: 1

      It's very useful on networks where the admin is too paranoid to allow normal messaging clients like MSN or AIM. Also, the messenger service allows you to do "NET SEND 192.168.0.255" and send a message to everybody on the network! Great fun.

    2. Re:who needs this? by fuzzix · · Score: 1

      C:\> copy con pacman.bat
      @echo off
      :start
      net send * I wanna play pacman!
      goto start
      ^Z

      Now, copy this file to a network share and wait. THAT'S fun...

  32. Writing a worm would probably be less successful by Talez · · Score: 1

    After all, how many people out there have turned on the default Windows XP firewall since Blaster?

    I know every machine I fixed during the blaster worm's reign had its default firewall turned on.

  33. Re:Yet Another Critical Linux Flaw! by dschl · · Score: 1

    Marbles - yeah, that sure sounds like a remote root exploit waiting to happen. And freesweep (curses-based minesweeper clone) - sounds like another dangerous vulnerability to the unpatched machine. kdebase is a local vulnerability, and as for ipmasq, webfs, openssl and tomcat - I don't recall these even being installed on a typical debian workstation, let alone being started up at boot time. The only vulnerabilities in your list that might matter are the ssh ones.

    --
    Slashdot - the place where you can look like a genius by restating the obvious
  34. RPC worm (welcha!) by tonywestonuk · · Score: 4, Interesting

    So I installed W2k for a friend a few days ago - Connected to the internet to get the RPC patch, and got infected with this worm in under a minute - Not even time to get the update!...

    Now, getting rid of the worm is annoying, but is easily done. Can you imagine however, the chaos if the author of the worm also put nasty bios flashing code into it... Millions of PCs would be heading for the dumpsta! Shops/businesses/transport/universities would all end up grinding to a halt, The economy would be up shit creek, and for a few weeks anyhow there would be a huge shortage of PCs through people panic buying new units - hardware prices would sore.... (good time to buy Dell stock maybe?)

    Tony.

    1. Re:RPC worm (welcha!) by thrill12 · · Score: 1

      Lucky enough my PC has a backup bios :=)

      --
      Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
    2. Re:RPC worm (welcha!) by Xouba · · Score: 1

      Hate to use the topic, but "Me too" :-) This happened to me yesterday, but with XP.

    3. Re:RPC worm (welcha!) by Q2Serpent · · Score: 1

      Should have enabled the built-in XP firewall before going online...

    4. Re:RPC worm (welcha!) by KFT · · Score: 1

      Erm, I'd rather think it would cost Dell money to explain to all their customers with warranty how to reset their BIOS. It's usually a simple jumper switch, or you can take the battery out for some minutes, but try to explain that to $average_user in an economically viable way... not a good reason to buy Dell stock IMHO.

      ) F T

    5. Re:RPC worm (welcha!) by Anonymous Coward · · Score: 0

      >hardware prices would sore

      I think you meant 'soar'.

    6. Re:RPC worm (welcha!) by trikberg · · Score: 2, Insightful

      So I installed W2k for a friend a few days ago - Connected to the internet to get the RPC patch, and got infected with this worm in under a minute - Not even time to get the update!...

      And that's why you should have installed a software firewall, such as ZoneAlarm, from CD before connecting to the internet

      While you're at it install a decent browser and e-mail client from the same CD before your friend has a chance to start using IE and Outlook (Express).

      --
      This post is free (as in cheese in a mousetrap).
    7. Re:RPC worm (welcha!) by muffen · · Score: 2, Insightful

      . Can you imagine however, the chaos if the author of the worm also put nasty bios flashing code into it... Millions of PC would be heading for the dumpsta!

      Virtually every BIOS has protection against this since the CIH days (doesn't mean people enable it, but it's there). Furthermore, instead of throwing away a PC with a flashed BIOS, you can give it to me. It won't cost me more than $5 to get it fixed!

      I agree that these flaws are bad, but no need to make it worse than it already is.

      So I installed W2k for a friend a few days ago - Connected to the internet to get the RPC patch, and got infected with this worm in under a minute - Not even time to get the update!...

      All you have to do is change one registry key (enableDCOM) from YES to NO. That way, you're "protected" without having the patch.

      My PC is running with just over 10 services enabled. After all these flaws, I realized it was safer to simply disable anything non-critical. I don't like Windows anyways, just have to use it for work :/

    8. Re:RPC worm (welcha!) by TheTomcat · · Score: 1

      Maybe I'm in the dark about this, but I understand that the jumper usually resets settings, and not the actual BIOS code. Is this correct?

      S

    9. Re:RPC worm (welcha!) by cybergrue · · Score: 1
      Ack. I had the same problem. I toasted Windows XP, and after I reinstalled, couldn't connect to the internet. I phoned my ISP's tech support, and after getting routed through the sales department (A friend that formally worked there said that management had decided that tech support should be a cost recovery unit!) told me to turn off the software firewall and try again. Of course it didn't work, so they told me to reinstall everything and hung up. I later sorted out the real problem (A driver issue) but forgot to turn on the firewall when I reconnected. Bang, in the first minute after I had logged on I had a Welchia pop-up (while I was downloading windows update no less).

      Now I have a hardware firewall as well as a better anti-virus scanner for windozs. And before you say it, I already had Linux on my other partition.

    10. Re:RPC worm (welcha!) by keith.bronstrup.com · · Score: 0

      if the author put some nasty BIOS flashing code in the worm, it would spread to maybe 6 PCs before all of them were useless and unable to spread it any more...

      Yeah, we'd really be up shit creek, man!

      --
      Error 666 - SCO source has been found in your Linux kernel. Please remove it.
      Formerly kdsolutions
    11. Re:RPC worm (welcha!) by aridhol · · Score: 1
      1. The BIOS doesn't need to be flashed immediately. The worm could spread for an hour, then flash. It'll still be able to cause significant damage.
      2. Does Windows even use the BIOS after it's booted? The worm could flash the BIOS, then continue to spread until reboot, at which point the machine will become useless. Even more damaging goodness.
      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
    12. Re:RPC worm (welcha!) by Anonymous Coward · · Score: 0

      > (A friend that formally worked there

      As opposed to those friends of yours that work there informally (without pay?)

      Or did you mean a former employee?

    13. Re:RPC worm (welcha!) by KFT · · Score: 1

      Just checked this, you're right, most BIOS's can't be restored with a jumper when mis-flashed. I guess I read that for an expensive mainboard and figured it was standard. Don't know about Dell but I guess this goes for them too. Shouldn't post if I don't know everything about the subject I guess.

    14. Re:RPC worm (welcha!) by keith.bronstrup.com · · Score: 0

      most interesting, except that, if you have ever seen a box with welchia connected to ANY network (internet or LAN) it usually will reboot within a minute or two. not much time to spread, there, buddy... although I think a minute or two would be record time for anyone likely to get one of these worms to have their computer booted without crashing anyway...

      POINT!

      --
      Error 666 - SCO source has been found in your Linux kernel. Please remove it.
      Formerly kdsolutions
    15. Re:RPC worm (welcha!) by aridhol · · Score: 1

      But the computer only reboots because Welchia tells it to (or so I assume). If Welchia told it to flash the BIOS instead of rebooting, or if it included a delay before instructing the computer to reboot, it would have all the time it wanted.

      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
    16. Re:RPC worm (welcha!) by rgmoore · · Score: 2, Insightful

      If the worm flashed the BIOS, wouldn't that tend to destroy its hosts and thus slow down the infection? This is one more place where knowing biology can be helpful in understanding computer diseases. Diseases that are promptly fatal tend to be self-limiting because they kill off their hosts before they have much time to spread. Most successful diseases are either not uniformly fatal or at least take long enough to kill that their host has plenty of time to infect others. This is why many types of malware with destructive payloads will have a built-in delay before blowing up; otherwise they'd kill themselves before managing to infect enough computers to cause real havoc.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.

    17. Re:RPC worm (welcha!) by juhaz · · Score: 1

      Well, the RPC service crashes as a result of a buffer underrun that allows the worm into the machine and windows notices that and reboots.

      So even if the worm doesn't tell windows to reboot, further infection attempts will cause a boot.

      It would work on worms using holes that don't cause crashes, though.

    18. Re:RPC worm (welcha!) by keith.bronstrup.com · · Score: 0

      Welchia, either because it is poorly coded or because it was intended to do so, overloads the RPC service until it crashes by inundating it with requests that are used to, among other things, send mass e-mails containing the worm. This may allow it to spread to a few machines on every occurrence, given a fast connection, but over dialup, you likely won't see it spreading much. If the BIOS were flashed before the crash/forced reboot (the system reboots 60 seconds after the RPC service crashes, giving warning that it is about to reboot -- during this 60 seconds, the virus is dead in its tracks -- it relies on RPC to do its thing and that is no longer running), systems using dial-up would rarely, if ever, be able to send a single message, let alone enough to cause the virus to spread quickly -- and even with the fastest broadband connection, you may see a system send out about 2 or 3 messages before the crash -- and remember, when they reboot, they won't actually boot at all... not a good way to spread, if you ask me.

      Next time, research what a particular virus does, how it does it, how its dependencies (in this case RPC) work, and how the rest of the system is affected by the loss of these dependencies -- and do this before someone has to school you on it.

      One of us is posting flamebait and just got flamed. I'll let the /. moderators decide who is who.

      --
      Error 666 - SCO source has been found in your Linux kernel. Please remove it.
      Formerly kdsolutions
    19. Re:RPC worm (welcha!) by Rinikusu · · Score: 1

      Dell stock? I dunno. They ship with Windows. And if consumers get "burned" with Windows as badly as having their BIOS flashed and their computers rendered unusable, I'd say Apple might look pretty damn tempting...

      --
      If you were me, you'd be good lookin'. - six string samurai
    20. Re:RPC worm (welcha!) by aridhol · · Score: 1
      I don't know the specifics of how this specific worm works. That's OK, because I'm not in a position where I need to know this, as I keep up to date on my patches, have a firewall, and have a limited Linux box (only two services available from outside on boot, others available only locally or by manual activation).

      But just because this worm crashes RPC, it does not mean that every worm must crash RPC. If a worm finds a different way in, or is able to get in through RPC without crashing, it will have complete control over the computer. This gives it time to do anything it wants.

      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
    21. Re:RPC worm (welcha!) by Matey-O · · Score: 1

      The nasty code to write zeros to a box's drive is about 12 lines of assembly. Why hasn't it been done yet?

      Because a DEAD box cannot be used to attack OTHER boxes.

      --
      "Draco dormiens nunquam titillandus."
    22. Re:RPC worm (welcha!) by keith.bronstrup.com · · Score: 0

      It appears that you are implying that I need to know how it works? Maybe because my system got infected? That is incorrect. I choose to know how it works in case a friend (or myself, yes, but that is unlikely) gets infected. This has worked to my advantage, as two of them did and I got a couple dinners out of removing it and, as one of them was my boss, a recommendation from him to the owner of the company, that at some point when a position opens up I be promoted into the IT department (because I was able to explain to him how it works, why it works, what it does, how he got it, and why he won't get it again because he is patched against it). I did all this without insulting anybody or making them feel stupid and they now both understand the importance of patching, as well as other security related items I discussed with them and have both demonstrated to me that they are now following good security practices.

      Not bad for a burger-flipper, eh?

      Out of gas, no more flames from me today. Sorry.

      --
      Error 666 - SCO source has been found in your Linux kernel. Please remove it.
      Formerly kdsolutions
    23. Re:RPC worm (welcha!) by A_Non_Moose · · Score: 1

      Can you imagine however, the chaos if the author of the worm also put nasty bios flashing code into it... Millions of PC would be heading for the dumpsta!

      I wonder if I was the only one who thought "Hey, Dibs on the RAM, Drives and VidCards"?

      Prolly not considering the present company.

      Back on topic:
      the Akamai servers are swamped: it took ~ 20 minutes to download about 8Meg (5 patches).

      Make matters worse, the *one* xp box I've got wouldn't update via the SUS server (nice lady with poor vision and the cleartype helps, so lay off).

      susserver.com has a nice, simple start-up guide and some forums that discuss common problems and work-arounds, like, for those of us without AD and new Samba 3.0 PDC's can push group policies (so I understand) instead of reg hacks.

      I've already warned my users who I know have 2k/xp at home...patch, and soon.

      --
      Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
    24. Re:RPC worm (welcha!) by kidlinux · · Score: 1

      It would be an absolutely sweet time to go dumpster diving! Think of all the perfectly fine hardware being tossed because of a corrupt bios! Retrieve all the hardware, order a bios for $10 (better yet a flasher and some blank chips if you get that much hardware) and sell everything on ebay and make a fortune. Or...

      setup a Beowulf cluster of your very own!!

      baha! A slashdotter's dream come true :P

      (Though I honestly can't imagine this happening since I hope no admin is so inept as to toss hardware just because of a corrupt bios.)

      --
      -kidlinux.
    25. Re:RPC worm (welcha!) by master_p · · Score: 1

      A really nasty Unix lover would do this just to punish Microsoft. Any takers ?

    26. Re:RPC worm (welcha!) by Anonymous Coward · · Score: 0

      >The economy would be up shit creak,

      And I think he meant "creek" here as well

    27. Re:RPC worm (welcha!) by aridhol · · Score: 1

      Neither I, nor anybody that I know, has been infected by Welchia. If this were to occur, I would look it up. I do not see the need to research how every virus/worm/trojan works, because that would take too much time away from doing anything useful (and I am aware of the irony of saying such a thing on /.).

      Just because it hit the nightly news does not mean I need to figure out how it works. In fact, in order to fix it I would need to know exactly nothing about how it works. Instead, I would just go to McAfee or Symantec or another antivirus corporation, and use their knowledge in order to fix it. Their job is knowing all about viruses. My job, as a programmer, is knowing about vulnerabilities in my code, and that of my team. That's quite enough for me.

      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
    28. Re:RPC worm (welcha!) by TheCoop1984 · · Score: 1

      Yes it can. Have the worm/virus spread (probably using outlook-mass-emailing thing), then it goes to sleep for say 10 mins, then have it write over the bios. The virus spreads but still overwrites the bios.

      --
      95% of all computer errors occur between chair and keyboard (TM)
    29. Re:RPC worm (welcha!) by Anonymous Coward · · Score: 0

      I think it's time people started to migrate off of WinBlows altogether. With this Xploit, there will be ever MORE spam, as spammers exploit this flaw to the hilt.

      A much larger percentage of spam is coming from hacked and exploited machines. M$'s "patch management" approach is just a bandaid at best.

      It's about time Gates and company start being a part of the solution instead of the problem.

      Any self respecting "slashdotter" would have migrated into Linux or Macs a long time ago, but I guess Mr Gates has a far stronger hold on these people than ever.

    30. Re:RPC worm (welcha!) by BrynM · · Score: 1
      If the worm flashed the BIOS
      I suddenly had a mental image of an invertebrate holding open a trenchcoat next to a motherboard... Need more coffee...
      --
      US Democracy:The best person for the job (among These pre-selected choices...)
    31. Re:RPC worm (welcha!) by dreamchaser · · Score: 1

      Shouldn't post if I don't know everything about the subject I guess.

      That's never stopped 99% of the posters here...

    32. Re:RPC worm (welcha!) by Inuchance · · Score: 1

      One way to get around this without any sort of hardware firewall is to create an IPsec policy that blocks UDP 135.

    33. Re:RPC worm (welcha!) by Anonymous Coward · · Score: 0

      That is only if it immediately kills the host. A Virus that has a 100% fatality, but kills after an extended amount of time of infection will not have this problem. Look at how AIDS spreads compared to Ebola for an example. They both have near 100% fatality (even though AIDS doesn't directly kill you), yet Ebola is so much quicker that it kills its host off before it can be transmitted.

      Thus, a worm that is written as a stealthy time-bomb will be extremely destructive. If I were the bug, I would make a few random copies of myself to prevent extermination (much like the problem T-Cells have with the AIDS virus). Only a checksum of every single file on the system could completely wipe me out. Once I do that, I would lay dormant for a period of time, using the client to transmit myself to other computers. After my period of dormancy, I would then do something like wipe out the networks, install a phony NIC device driver, try to flash the bios, whatever.

      That, my friend, would be one hell of a worm. I think it would also take too much patience to write. Most of the problem makers out there are the script kiddies that think mass infection is cool, but not intelligent infection.

      Don't think of me as pro-virus writing. I think the practice is despicable, but I do know how some of the really bad ones work in life, and if I were to write one, that's what I would want to mimic.

    34. Re:RPC worm (welcha!) by Anonymous Coward · · Score: 0

      Does Windows even use the BIOS after it's booted?

      Maybe, but the BIOS is cached anyway. Even if the chip is erased or removed, everything will work until a hard reset.

    35. Re:RPC worm (welcha!) by rgmoore · · Score: 1
      Thus, a worm that is written as a stealthy time-bomb will be extremely destructive. If I were the bug, I would make a few random copies of myself to prevent extermination (much like the problem T-Cells have with the AIDS virus).

      That's not exactly why the immune system has problems with AIDS. Part of it is that the virus actually invades the immune system itself, so the very part of you that's trying to protect you is itself prevented from working properly. ISTR that some viruses already try a similar approach by shutting down virus-check software.

      Only a checksum of every single file on the system could completely wipe me out. Once I do that, I would lay dormant for a period of time, using the client to transmit myself to other computers. After my period of dormancy, I would then do something like wipe out the networks, install a phony NIC device driver, try to flash the bios, whatever.

      The problem with this approach is that the worm would have to be completely stealthy in order to have maximum effect. If the virus-check companies figured out about it, they'd likely be able to decompile the thing and create a specialized countermeasure. This is one place where the analogy between biological and computer invaders breaks down. The natural immune system has a limited repertoire of possible responses and can only adapt to a novel threat on an evolutionary timescale, while our computers' "immune systems" can actually be intelligently designed to combat a specific threat.

      For maximum destructive effect, you'd probably be better off using something like a Warhol Worm- an invader that can spread to most available hosts in 15 minutes. That's enough faster than the possible response of anti-worm software makers that there wouldn't be a reasonable chance of creating a countermeasure in time. The SQL Slammer worm was the closest thing yet to a Warhol Worm, though its unique source of speed probably precludes a seriously damaging payload. Still, a worm that could spread worldwide in a few hours and then did as much as possible to damage its host could wreak some significant havoc without a reasonable chance of stopping it.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.

    36. Re:RPC worm (welcha!) by rock_climbing_guy · · Score: 1
      Say then, if there were to be a virus created that destroyed lots of people's BIOS. Can't that damage be repaired? I've heard that some machines allow you to "hot-swap" the BIOS or simply get another one from the manufacturer.

      Also, I once had a machine that got its BIOS toasted. I was able to fix it because the machine has some sort of "backup" that allows you to boot a simple DOS floppy and flash it again.

      --
      Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
    37. Re:RPC worm (welcha!) by f0rt0r · · Score: 1

      True. But the point you miss is whatever part of the OS is loaded into memory will still work even if the file it loaded from is gone. The virus could selectively erase files ( ok, this probably wouldn't be done in assembly ) that it knew would not disrupt system operation until the next reboot.

      Of course, it's not like script kiddies would take time to write a virus that was that good. :)

      --
      I can't afford a sig!
  35. And we wonder why our National Intelligence sucks. by Anonymous Coward · · Score: 0

    I wonder how many governments and hackers have known about the Messenger hole, and for how long.

    And we wonder why our National Intelligence sucks. It's probably because other governments log right into our FBI computers.

  36. Ummm.... No. by AriesGeek · · Score: 1

    Since when is "Messenger Service" at the core of Windows? Even the RPC services are not at the core of Windows. At least not anymore than sendmail or OpenSSH is to *nix. They're just services, or in the 'nix world, daemons.

    --
    Insert offensive troll-style sig here. Please mod or respond appropriately.
  37. Monthy Updates by eadz · · Score: 1

    To think that there are so many flaws in windows, and so many critical updates that they have to release them in batches because system admins are overworked constantly patching MS boxes..

    This cnet article makes entertaining reading

    Microsoft released its first monthly security update on Wednesday, following a new schedule that attempts to ease the load on overburdened system administrators.
    "All of the five critical (vulnerabilities) are, of course, critical, so that means they are wormable," said Jeff Jones, senior director of Microsoft's security business unit.

    1. Re:Monthy Updates by NineNine · · Score: 1

      Yeah, they wouldn't want to use Automatic Updating that comes with Windows. That would be too easy. Besides, patching machines provides the whiners with job security, right?

    2. Re:Monthy Updates by Dman33 · · Score: 1

      Welcome to slashdot, Troll. I will bite now...

      You obviously do not rely on Windows Update for a corporate network, do you?

      I have had at least two servers hosed (read: Re-install) due to auto update and have had several other servers and workstations cease performing properly. The reason is that MSFT patches are rarely tested well, so the way to patch is to patch after testing in your environment. Once you test and validate that the patch does not break anything, then you can deploy it. That takes time. Of course, if you stay on top of things and have a set procedure for testing patches, you can usually get the patches validated and deployed rather quickly but it is still a pain for many.

  38. Um, please no... by Joel+Carr · · Score: 1

    Why? Because I'll be one of the poor souls fixing the problem for friends. I already have a friend's computer to fix tomorrow, which has fallen victim to a virus attack, and despite the number of times I may tell him to keep his OS/Virus Scanner up-to-date, I know it's just a matter of time before I'm back there again...

    ---

    --
    Any man who can drive safely while kissing a pretty girl is simply not giving the kiss the attention it deserves. -- AE
    1. Re:Um, please no... by Anonymous Coward · · Score: 0

      don't do it. that is how you make money. if your friend is a roofer ask him to fix your roof for free. if he is a mechanic ask him to fix your brakes for free. watch how fast he comes up with an excuse or will give you a "reduced" rate but there still needs to be a transfer of money.

      then say the same things back to him. you are a professional. start acting like one.

  39. It only took two weeks by Anonymous Coward · · Score: 0

    since i transitioned from Win2K to RedHat 9.0 to see one of the major benefits. Following the recent rash of Windows exploits i decided i was getting sick of patching every box on my home LAN on a weekly basis. Not to say that Linux is bullet proof but as i sit at work writing this, i'm not as concerned as i have been reading every other Windows security post.

  40. But I Can't Disable Messenger Service! by Esion+Modnar · · Score: 1
    How else will I be able to get all the free advice about how I am broadcasting my IP address?

    Messenger is such a valuable service to me... how can I live without it?

    --

    They say the first thing to go is your penis. Well, it's either that or your brain. I forget which...
  41. Excuse me, Sir... by AriesGeek · · Score: 2, Funny
    I checked my Windows XP installation and it has had the patch applied since July 8, 2003

    Could I get your IP address please?

    --
    Insert offensive troll-style sig here. Please mod or respond appropriately.
  42. 403 by CaptainBaz · · Score: 1

    Unfortunately our sysadmin seems to have blocked microsoft.com (including Windows Update) at the proxy. I kid you not.

    Fortunately I'm in Development, not IT Support :-)

  43. News is even worse than reported. by FreeLinux · · Score: 1

    Of course this is another headache for admins still patching for last month's RPC flaw."

    That RPC flaw, patched twice so far, is actually still vulnerable. That's right the RPC service will require a third patch.

    Security experts have discovered that a vulnerability still exists in the Microsoft RPC service. Furthermore, an exploit has been developed as a proof of concept. The results have been reported to Microsoft but, as yet they have not responded publicly. So, be on the look out for yet another RPC security bulletin from Microsoft. Hopefully, coming soon.

    1. Re:News is even worse than reported. by Keeper · · Score: 1

      Lots of stuff flows through RPC. Calling it an RPC flaw isn't entirely accurate. The last flaw was related to DCOM. The flaw you are referring to is related to SMB authentication (windows file sharing).

  44. Guantanamo Bay awaits you!! by gd23ka · · Score: 1

    Guantanamo Bay awaits you... You've just encouraged someone to commit a terrorist act against the United States, and I'm not sure if that's not an act of terrorism all by itself. Yes... they might just come for YOU, dear borgdows (#599861) and throw the book at you. That's the same thing as publicly asking Osama Bin Laden to blow up the Statue of Liberty. The next number you will be known by, dear #599861 will not be your slashdot number.

    1. Re:Guantanamo Bay awaits you!! by grammaticaster · · Score: 0

      at least he'll have you for company when the statue of liberty blows up.

  45. In other news by zakezuke · · Score: 3, Funny

    Microsoft discovered a MAJOR flaw in their naming convention. It seems it's far too easy to confuse MSN Messenger with Windows Messenger due in part to the fact they are both called Messenger, also due to the fact that Windows Messenger isn't widely used, except by sys/net admins telling their users the system is going down.

    Getting users to actually perform updates when they don't have the ability to tell the difference between the different products has proven to be most troublesome to Microsoft.

    This flaw was noticed by technical support when users asked for assistance with "outlook" not knowing that "express" was a different product. Not to speak of the differences between Windows Explorer, Microsoft Explorer, and the new hardly ever works MSN explorer.

    "The idea that users know the difference between Windows, Microsoft, and MSN is ridiculous" --- typical power user.

    A new convention is required based on the following facts

    Windows - the operating system side of things
    Microsoft - the software side of things, stuff you actually use
    MSN - the ISP side of things, fluffy click shit that causes your computer to crash and burn.

    Renaming should be as follows

    Don't touch me crap - reserved for operating system level software
    Play with me crap - the software you typically get to do stuff
    Can't do crap - the stuff internet related that never works right

    Now saying that there are patches for the "don't touch me crap messenger" has some meaning to the average user, vs their "Can't do crap Messenger" product.

    This message was brought to you by Microsoft Crap, where did your document go today?

    --
    There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
    1. Re:In other news by vjmurphy · · Score: 1

      "It seems it's far too easy to confuse MSN Messenger with Windows Messenger due in part to the fact they are both called Messenger"

      I'm surprised they aren't called MSN Messenger Explorer and Windows Messenger Explorer.

      --
      Vincent J. Murphy
      Spandex Justice
    2. Re:In other news by Anonymous Coward · · Score: 0

      Or would that be

      Microsoft Windows Msn Messenger Explorer?

  46. Messenger by FrostedWheat · · Score: 1

    disable the Messenger Service immediately

    Good advice. This service has been abused for many years now by spammers, and now the possibility of a worm using it.

    I wonder who/where at Microsoft considered it a good idea to enable this service by default and to allow connections from everywhere. Has anyone out there actually used it?

    1. Re:Messenger by trikberg · · Score: 1

      I have, once. I used it to send a message to a friend on the campus network when the outside connection was down so that ICQ and mail were unavailable. The alternative would have been to use a few cents on a phone call or actually get up and walk *GASP* the 100 meters or so to talk to him face to face. :)

      --
      This post is free (as in cheese in a mousetrap).
    2. Re:Messenger by mborland · · Score: 1
      Has anyone out there actually used it?

      Yes, I know at least two companies that used it rather frequently. In both cases, they would use it for batch-completion notifications and things like that.

      That all said, I hate it and it seems like a prime candidate for abuse in various forms. Obviously.

  47. Don't tell me about TCO! by dannycim · · Score: 1

    In my previous job, there were 4 guys administrating over 1500 Unix Workstations and servers, and 150 techies taking care of 3000 Windows PC.

    Now I'm in a small University department, we're two over-worked techies with about 50/50 Linux/Windows machines and let me tell you, this Windows crap is taking up all of my effin' time.

    We're firewalled, we've got NAV Server and clients running on all workstations, and were almost up to date until some student brought in an infected notebook (I call 'em whores now) on the internal network.

    By the time arpwatch bleeped it was too late.

    Now you're telling me I've gotta go back to all those stupid workstations and patch each individually again?

    ARRRRGH!!!! I HATE WINDOWS!

    This is such a waste of my time, I could be coding instead.
    --
    Pfff.

    1. Re:Don't tell me about TCO! by NineNine · · Score: 1

      Now you're telling me I've gotta go back to all those stupid workstations and patch each individually again?


      Yes you do. You gotta because you're a fucking idiot. Anyone with half a brain would just turn on Automatic Updating for most of the machines. But then again, you are in academia, which isn't exactly known for producing the sharpest people...

    2. Re:Don't tell me about TCO! by dannycim · · Score: 1

      Yeah, and never know why, suddenly applications stop working.

      See this nice article by John C. Dvorak, biggest MS shill ever:

      http://www.pcmag.com/print_article/0,3048,a=108232,00.asp

      Nice mouth you've got on you, by the way. Your mom must be really proud.

    3. Re:Don't tell me about TCO! by jcupitt65 · · Score: 1

      A friend mailed me this earlier today, might help you:

      I've just applied the 5 windows patches released today to 160 boxes in under 2 hours. Takes a little bit of getting used to how it works but I highly recommend it. It does service packs now too.

      http://sourceforge.net/projects/mbsafu/

    4. Re:Don't tell me about TCO! by Malc · · Score: 1

      Learn to administer your Domain or Active Directory properly. There's absolutely no reason to be going to each and every machine. The patches can be pushed to every machine. In fact, by only allowing students access to the network by participating in the domain/AD, you can force them to remain up to date too. If they don't like it, then they don't connect. Their choice.

    5. Re:Don't tell me about TCO! by gregarican · · Score: 1
      True that. If I had a lot of workstations but still manually visited each one of them to install stuff I would be an idiot. Lemme see. The options:

      Microsoft SMS

      Microsoft SUS

      Microsoft Automatic Windows Update

      Simple logon scripts

      More sophisticated KixTart logon scripts

      If I was your boss or even a peon enduser and saw you manually hopping around from PC to PC I would grease up my boot and start warming up my knee!

    6. Re:Don't tell me about TCO! by Anonymous Coward · · Score: 0

      But then again, you are in academia, which isn't exactly known for producing the sharpest people...

      You mean like this:

      "It'd be nice if they were in a format that's actually usable. WTF is "gtar"??"

      Amazing that you couldn't figure that one out. Time to get that pesky degree, I think!

  48. funny disable MSN setrvice by linuxislandsucks · · Score: 1

    why not allow users to disable MSN completely with uninstall?

    oh that is right Bill Gates doesn't trust us lowly users..

    --
    Don't Tread on OpenSource
    1. Re:funny disable MSN setrvice by Jugalator · · Score: 1

      The exploit doesn't have anything to do with Microsoft's instant messaging client, so deleting MSN Messenger won't help.

      --
      Beware: In C++, your friends can see your privates!
  49. Exchange Admins by Obiwan+Kenobi · · Score: 1

    Just to let everyone know, this morning after late-night patching my company's Exchange 2003 box it isn't sending/receiving internet emails (*cue Exchange jokes...now*).

    I'm currently paying $250 so Microsoft can tell us if this is the correct behavior (oh, the humor), after asking them last night if all patches were approved for a Windows Server 2003/Exchange 2003 environment, and them telling me yes.

    I know I'm in the minority for not using sendmail, but I am of the opinion that these patches may damage your system. Admins beware.

    1. Re:Exchange Admins by 4of12 · · Score: 1

      not using sendmail

      sendmail has built up at least as much of a legend for insecurity as Exchange, probably also amplified by its wide deployment.

      Security in depth helps, though.

      Sendmail costs nothing but a little time to install, but adds another layer to your corporate email system, one which can be used to handily filter crap that is bad for Windows systems. MyCorp has used both Exchange and sendmail for years. Performance of sendmail on piece of crap hardware is impressive, especially compared with Exchange where we need bunches of servers. To be fair, the Exchange servers are doing a lot of db management of user mailboxes that sendmail, simple MTA, does not.

      Even better still, go for something like qmail or exim. Get greater security, great performance, and no mucking with sendmail.cf files.

      Nothing's invulnerable, and there's still a decision with two layered MTAs as to how to layer things properly.

      My own take is that the application/system/platform with the best security record and the one that is less common is the front you want to expose to the network at large. Expose the Exchange servers more to the inside users than to the outside world.

      --
      "Provided by the management for your protection."
  50. Average Joe is why this is really bad by HighOrbit · · Score: 4, Interesting

    A few months ago, my sister-in-law and her husband bought a new computer (loaded with XP as most are). They are average users: they browse the www, send email, write letters, and play games. They know how to use their box, but they don't know how to administer it. So everything that was shipped as default was still default -including the messenger service. They are on cable modem and were getting constant popups (and I mean constant, like one every 30 seconds) over the messenger service. Now multiply that by millions of people and you have millions of potential DDOS zombie machines, or spam spewers, or any other nasty (or illegal) thing you can imagine.

    It is time for MS to immediately change the default shipping configuration of XP to turn every service off by default because no desktop should be listening on any tcp by default. If that means they need to recall and replace all the master disks that they license to OEMs, then they need to do it. They need to have every major retail outlet yank all the shrink-wrap boxes and replace them with new ones with secure default configurations. MS is sitting on $46 million in cash, so they can easily afford this expense as chump change. It's just a question of whether they are willing to admit fault and buck up for failing their customers or if they are too greedy to spend some of their hoarded wealth.

    1. Re:Average Joe is why this is really bad by 1s44c · · Score: 2, Insightful

      MS is sitting on $46 million in cash

      It's true, but they really don't want to spend the monthly cola budget on silly things like security.

      Microsoft sell things by good marketing, not by having good products.

    2. Re:Average Joe is why this is really bad by boskone · · Score: 1

      MS has announced that they are shipping XP from now on with the firewall on by default which would solve most of these problems.

    3. Re:Average Joe is why this is really bad by Malc · · Score: 1

      Messenger service is disabled by default under Windows Server 2003. No idea whether they will do this in the next desktop release.

    4. Re:Average Joe is why this is really bad by jmcneill · · Score: 1

      It is time for MS to immediately change the default shipping configuration of XP to turn every service off by default because no desktop should be listening on any tcp by default.

      Not sure about Longhorn, but I know with Windows Server 2003, damn near _everything_ (including the sound service) is disabled by default. Hopefully they continue to follow the same trend with their consumer desktop releases.

    5. Re:Average Joe is why this is really bad by GSloop · · Score: 1

      Same song - different day.

      It's always - "The next version will be killer!"

      95, 98, 98SE, 2000, XP, Longhorn...

      DAMMIT, I want my current version fixed and for MS to foot the bill, Bill.

      Personally, I don't think MS intends to fix security problems. The massive security review they did a while back...they could have found 95%+ of all these buffer overflows, but they didn't. Why could that be? My conclusion, they simply don't give a rat's ass about security.

      Cheers,
      Greg

    6. Re:Average Joe is why this is really bad by Anonymous Coward · · Score: 0

      You, sir, are a complete idiot. If you think that you can change millions of lines of code overnight, or even over the year, while trying to maintain usability (ya, linux fuckwits don't know about that) and product compatibility (or that), then you're wrong. OS X kicks ass because it was mostly a rewrite of MAC OS. Microsoft has chosen to take a more difficult road to maintain compatibility. Even if Apple made the better choice, that doesn't mean that MS doesn't care about security... it just means that it'll take MS longer to fix many of the fundamental flaws in Windows.

    7. Re:Average Joe is why this is really bad by Keeper · · Score: 1

      Their monthly color budget is more along the lines of $700,000/month...($8M a year). :)

    8. Re:Average Joe is why this is really bad by Keeper · · Score: 1

      Err, typo ... "color budget" should be "cola budget"

    9. Re:Average Joe is why this is really bad by StarTux · · Score: 1

      Yes they could turn that off, but how would MS earn extra money through advertising via its affiliates?

    10. Re:Average Joe is why this is really bad by Sanga · · Score: 1

      Isn't it 46 Billion?

    11. Re:Average Joe is why this is really bad by mpe · · Score: 1

      A few months ago, my sister-in-law and her husband bought a new computer (loaded with XP as most are). They are average users: they browse the www, send email, write letters, and play games. They know how to use their box, but they don't know how to administer it.

      This is a big (if not the biggest) problem with Windows. The lack of proper separation between "user" and "admin" tasks.

  51. Why the surprise? by EvilNutSack · · Score: 1

    Updates are coming out at the regularity of snot from a sick kid's nose, yet people seem shocked when a new batch comes out. If you can't afford the specs to run SUS then why not just set automatic updates to install in the background on each machine?

    --
    --
  52. Correction... $46 Billion.. not $46 Million by HighOrbit · · Score: 1

    Sorry.. I think that should be $46 billion in the MS cashbox.

  53. Re:Ummm.... No. by Anonymous Coward · · Score: 0

    That would be when IE is in the core of Windows.
    Oh wait, it is, so sayeth MS

  54. This creates a *lot* of work by Zog+The+Undeniable · · Score: 1
    Imagine patching 20,000 desktops and 2,000 servers before someone writes an exploit - that's what a large corporation has to do now [1]. I'm amazed, in the litigious US, that no-one has tried to sue MS for the cost of doing this.

    [1] your corporate firewall should keep any exploiting worm out but there are still floppy drives, possible unauthorised modems and third party connections that *may* allow the thing in, so you'll have to patch to be on the safe side.

    --
    When I am king, you will be first against the wall.
    1. Re:This creates a *lot* of work by Q2Serpent · · Score: 1

      Or, worse yet, people who bring their laptops home (with no firewalls, since one isn't needed at work - corporate lan), get latest worm, and come in the next day only to infect every other machine (since no one has firewalls).

      The biggest threat around here is from the inside.

    2. Re:This creates a *lot* of work by 1s44c · · Score: 1

      Imagine patching 20,000 desktops and 2,000 servers

      # ssh -n keeps ssh from swallowing the rest of serverlist on stdin
      cat serverlist | while read -r x
      do
      scp patch "${x}:/tmp"
      ssh -n "$x" /tmp/patch
      done | tee log

      ...oh windoze you said, in that case you're screwed.

    3. Re:This creates a *lot* of work by DarkZero · · Score: 1

      I'm amazed, in the litigious US, that no-one has tried to sue MS for the cost of doing this.

      If the US government can't beat their lawyers, WTF are the rest of us supposed to do? Have a priest, a rabbi, and a shaman blessing our lawyer every few minutes until the case is over some time in the summer of 2051?

    4. Re:This creates a *lot* of work by caluml · · Score: 1

      for x in `cat serverlist`
      do
      scp patch ${x}:/tmp
      ssh $x /tmp/patch
      done
      ? :)

      As an aside, what's the difference between $x and ${x} ?

    5. Re:This creates a *lot* of work by 1s44c · · Score: 1


      You can only put so much on a command line.
      If you want to patch 22000 machines you are going to have a command line that is over 22000 words long. That's why I used cat file | while read x.

      The curly braces limit where the variable name ends. eg if x='cheese' $xy is an unset var but ${x}y is 'cheesey'. I normally use them more than I really have to out of habit.

    6. Re:This creates a *lot* of work by caluml · · Score: 1

      Aaah, thanks for the info. So would my script fail with a lot of machines then? And I'll remember the {} thing.

  55. My favorite part of the update procedure... by Surlyboi · · Score: 1

    "Welcome to the Win2k KB828035 Setup Wizard...

    Before you install this update, we reccomend that you:

    - Update your system repair disk

    - Back up your system

    - Close all open programs"

    Now, I can see closing all open programs, but backing up my system before installing an update? Microsoft, quality is job one.

    --
    Mod me down and I will become more powerful than you can possibly imagine...
    1. Re:My favorite part of the update procedure... by SuiteSisterMary · · Score: 1

      'Tis a sad day indeed, when people consider 'back up before altering vital components of your operating system' to be folly.

      'Tis a sadder day, of course, when the automatic response isn't 'no problem, my backups are up to date anyway.'

      --
      Vintage computer games and RPG books available. Email me if you're interested.
    2. Re:My favorite part of the update procedure... by Surlyboi · · Score: 1

      Good point, but in my defense, the only thing I use windows for is games and as the occasional compatibility testbed for pushing stuff I've done on the unwashed masses. I lose data there, no big. The macs are backed up all the time though.

      --
      Mod me down and I will become more powerful than you can possibly imagine...
    3. Re:My favorite part of the update procedure... by Anonymous Coward · · Score: 0

      Backup, what backup?

      These things never br*~~#$%[NO CARRIER]

  56. Too bad it breaks stuff. by bluGill · · Score: 1

    I haven't confirmed this on all my machines, but when I installed the updates on one yesterday (I always update one machine, and if nothing important breaks I do the other one) Synergy no longer starts automatically on boot, it works just fine starting when I log in. (I normally log into one computer, and then from there log into the other)

  57. Hey Troll.. get a clue by HighOrbit · · Score: 1

    Everything you listed are *application* flaws with the possible exception of ipmasq and even that is optional. Nothing you listed is a core OS flaw or a "default" configuration issue, unlike the many many problems with windows.

  58. Re:Yet Another Critical Linux Flaw! by ag3n7 · · Score: 1

    funny nothing you listed was a LINUX FLAW.

    please come back when one of the kernel services has a flaw..


    By this argument, none of these vulnerabilities should be held against Microsoft since none of them affect the Windows kernel (kernel32.dll).

    Please, at least apply the same criteria to both systems. Linux is just as worthless with just the kernel as Windows would be.

    Not to mention, I haven't seen Microsoft include a WEBSERVER in the kernel space yet.

  59. Ugh.. by Agent+R · · Score: 1

    Isn't this enough reason for people to migrate to Linux? (or a Mac at least?) I mean seriously.. their RAD (Rapid Applications Development) program is the cause of all this trouble. Putting out software that has more holes than swiss cheese really doesn't help the public.

    --
    !@#$% whole-grain cereal. When I want fiber, I eat some wicker furniture. - G. Carlin
  60. This is not an exploit! by winchester · · Score: 1

    It is an undocumented remote administration capability :)

  61. Call me crazy... by Cytlid · · Score: 1

    ... but doesn't *everyone* disable/uninstall messenger service? Even tho I'm a huge fan of Linux, it doesn't mean I don't know my way around windows. Whenever I setup a new XP machine (for anyone), or advise someone on setting up a new machine, I have 3 requirements: no spying(adaware, xp anti-spy), no viruses (virus software like avg, mcafee or norton), and a firewall (either hardware or software, like black ice, tiny personal firewall, which they used to give out ver 2 of for free.) I also don't trust the firewall that comes with XP, looks like a tiny stateful firewall, which doesn't block outbound connections, so someone with a virus can still spread it.

    I just went looking for XP Anti-Spy and the german site looks like it's down or changed, but this looks like it might be the newest version. These are all options which should be standard with Windows, or at least steer the customers in the right direction (using other companies' products, instead of something recommended/influenced by MS).

    Everyone knows there's a bit of hardening that needs to be done to Linux/Unix systems... what about hardening for Windows systems? Many folks will argue "it's not for normal joes" but I'm sure sooner or later it will become part of standard practice. Do you think seatbelts were a major concern with the first automobiles? How many people jump in their car now and fasten it without even thinking of it?

    --
    FLR
    1. Re:Call me crazy... by BlackHawk · · Score: 1
      ... but doesn't *everyone* disable/uninstall messenger service?

      You're crazy. You shouldn't be, but the fact is that a huge number of MS shops are run by undertrained sysadmins who, through very little fault of their own, remain unaware of these little issues. I'm a certified engineer (Novell) with a lot of experience with MS products, and I read constantly trying to stay ahead of the curve. My company refuses to part with the money to send me to some proper training, or hire a mentor for a short while. And without that cash, there's only so much I can do on my own. I'm one of those folks that doesn't learn as well from reading books as I do from having guided hands-on training. How much worse is it for the guy who, a few years ago, got told by his boss, "Hey. You've got a computer at home. You're going to be our sysadmin for this new Microsoft server we're putting in. Don't worry, the sales rep told me it's all point-and-click stuff anyway." And yes... that's a true story about a friend of mine for whom I act as unofficial tech support. A case of the mostly blind leading the blind.

      --

      Believe nothing, not even if I say it, if it violates your sense of reason -- Buddha

    2. Re:Call me crazy... by Bambi+Dee · · Score: 1
      ... but doesn't *everyone* disable/uninstall messenger service?

      (How do you uninstall it?) Actually, on the MS support newsgroups, at least one of the more vocal and experienced regulars keeps telling people who suggest newbies to do just that that that's bad and wannabe-hacker-like advice since the messenger service is used for important alerts to the admin or something or other (which never happened to me, but I'm not on a LAN and perhaps that's why.)

      ([...] tiny personal firewall, which they used to give out ver 2 of for free.)

      Kerio Personal Firewall is more or less the same product and it's free for home and personal use.

    3. Re:Call me crazy... by Cytlid · · Score: 1

      I'm sorry, I meant to imply that "xp anti-spy" allows you to both either/or disable/uninstall it.

      --
      FLR
    4. Re:Call me crazy... by Bambi+Dee · · Score: 1

      I believe Antispy allows you to remove the "Instant Messenger" Messenger, not the "Windows Service" (NET SEND) Messenger.

    5. Re:Call me crazy... by Anonymous Coward · · Score: 0
      Whenever I setup a new XP machine (for anyone), or advise someone on setting up a new machine, I have 3 requirements: no spying(adaware, xp anti-spy)

      From the link you provide, it looks like XP Anti-Spy disables Automatic Updates. Do you expect end-users to run Windows Update manually whenever they are notified of another critical update through the security mailing lists they all subscribe to?

  62. Questions that Microsoft's page does not answer by grungeman · · Score: 1

    1. Regarding MS03-041: I have a simple XP professional (32Bit) running on my computer. This OS is neither listed in "Affected Software" nor in "Non Affected Software". So is it semi affected or what? And where can I get the download?

    2. I am running a German version of XP, so all services have German names. What is the "Messaging Service" called in the German version? The closest I could find is "Nachrichtendienst".

    --

    Signature deleted by lameness filter.
  63. Windows has had more flaws by Anonymous Coward · · Score: 0

    Windows has had more flaws than anything I've ever seen in my life!... granted I'm still young :)

  64. Lucky me! by Anonymous Coward · · Score: 0

    The following items failed to install. To try installing them again, click Review and install updates, and then click Install Now again.
    Security Update for Microsoft Windows 2000 (KB828035) Security Update for Microsoft Windows (KB824141)
    These updates are successfully installed: Security Update for Microsoft Windows 2000 (KB825119) Security Update for Microsoft Windows 2000 (KB826232) Security Update for Microsoft Windows (KB823182)

  65. Could all of these recent holes be the reason by RCO · · Score: 1

    That I've not been able to get Windows Update to work for over a month. Has anyone else experienced this problem?

    --
    'And all the monkeys aren't in the zoo Every day you meet quite a few...'
    1. Re:Could all of these recent holes be the reason by wally440 · · Score: 1
      I think I was experiencing the same problem last month. From what I can tell it was caused by some corrupted system DLLs that the Windows Update process uses.

      If you go to their update site, then go to the troubleshooting section, you should be able to find your problem. However, none of the solutions they provided worked. Here's what I did:

      Go to a working windows machine and follow the "Manual installation instructions for Windows Update controls". It tells you to download and apply an iuctl.cab file. Once downloaded, move it to the machine in question and update per their instructions. That got me working. Attempting to do this on the "broken" machine always resulted in a corrupted iuctl.cab file, that's why I had to use another machine to get it.

      As for your question about this problem being related to recent security flaws, I don't really know. I tend to think this is an unrelated problem, but I wouldn't rule out any correlation. I run AVG and Kerio firewall on my machine as well as the admittedly basic firewall on my hub/router so I don't suspect an attack of any sort. Of course, there probably are some holes/vulnerabilities that I am unaware of or unprepared for. At any rate, after I did this there hasn't been any problem so I hope this helps.

    2. Re:Could all of these recent holes be the reason by RCO · · Score: 1

      Actually, my question is more along the lines of, maybe I can't get to windows update because it's being overrun by requests. This really wouldn't surprise me anyway.

      Concerning the idea of hitting it from a working system, I haven't found one of those 'round here, they're all running Windows ;-D.

      Seriously, we have about a thousand windows systems, and myself as well as the techs and the other programmers/admins have not found any system that will hit windows update, even when we open the firewall totally.

      --
      'And all the monkeys aren't in the zoo Every day you meet quite a few...'
  66. I haven't had this running for years by freeweed · · Score: 1

    And quite frankly, I'd be surprised if anyone really does anymore.

    Once spammers learned how easy it was to use the Messaging service to send almost anonymous spam a couple of years back, me and damn near anyone I know not behind a firewall turned it off.

    Or did spammers stop sending dozens of nice popups a day to random IP addresses sometime between now and then?

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  67. Look at it this way... by JanusFury · · Score: 1

    The flaws aren't good, but it's good that Microsoft found them. The pace of MS finding bugs seems to be picking up lately; maybe MS's trustworthy computing shtick is finally doing some good? Perhaps MS will finally get on the ball about security!

    --
    using namespace slashdot;
    troll::post();
    1. Re:Look at it this way... by johnnyb · · Score: 1

      Very True! Perhaps Longhorn will do for security what Win2K did for stability.

  68. Lessons Learned from RPC by 4of12 · · Score: 1

    Of course a firewall will offer some protection but shouldn't be relied on.

    Check.

    Unfinished poetry composition from RPC...

    "Laptops that touch the raw Internet shall never touch my internal LANlips, be it even through an erstwhile VPN."
    --
    "Provided by the management for your protection."
  69. Macro$haft recommends.... by Anonymous Coward · · Score: 0

    ....that all unpatched systems be permanently shut down to avoid worm propagation, and bad press, but also notes that a "powered off state" does not exempt the computer from licensing fees. When asked about the new Macro$haft security initiative, dubbed "Swiss Cheese", CEO Byll Gaytes is quoted as saying "We have hired the AAIR to detect users of unpatched Macro$haft systems, and sue the shit out of them. There are also plans to send special AAIR agents Dr. Dre, and Metallica out to steal lunch money from grade school students".

    Gaytes seemed openly annoyed at the suggestion that Macro$haft could possibly release source code for testing, and auditing purposes; "Macro$haft software is designed from the ground up by our team of highly trained marketing professionals. There is no need to ruin future marketing opportunities by releasing source code".

    The people, events, and security initiatives mentioned in this story are fictitious.

  70. Somewhat Related by MURD3R3R · · Score: 0

    I use linux on my home Desktop PC, but my work laptop is windows 2000 based. A friend of mine said, hey chat with me later, I will be on msn. But I was leery of installing msn. Yea I know it's free, but, is it full of holes? If I install it, will a hacker gain control of my laptop? Will Microsoft gain control of my laptop? Part of Microsoft's problem is they want control of your computer, and the same vehicle they use to gain control of your computer is used by hackers to do the same thing.

  71. How to disable by encebollado · · Score: 1

    This link tells how to disable the service on various Windows platforms.

    1. Re:How to disable by gassendi · · Score: 1

      Windows 98 & ME
      Windows Messenger Service cannot be disabled


      I assume installing a firewall and blocking UDP ports 135, 137 & 138 and TCP ports 135, 139 & 445 will have the desired effect, but does anyone know of an alternative?
  72. I love it when... by Anonymous Coward · · Score: 0

    ...I read an article about Windows security flaws on Slashdot and there's a Microsoft ad in the comments section!

  73. Relevance of Windows Messenging by UnknowingFool · · Score: 1

    Not being a Windows expert, what does Windows Messenger really do in a system? When you go to disable it, all Windows tells you is that you shouldn't because other services might depend on it. Other than that, there's very little information. Anybody know? Obviously if MS says to disable it until further notice, it can't be very important, but then again it might break something that they are not considering.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
    1. Re:Relevance of Windows Messenging by b1t+r0t · · Score: 1
      AFAIK it does two things: 1) it lets a printer tell you when your print job is finished, 2) it lets spammers annoy you.

      Disabling the Messenger service is on the standard list of things I do when installing W2K. (right after installing SP2 and the latest RPC patch)

      --

      --
      "Open source is good." - Steve Jobs
      "Open source is evil." - Microsoft
    2. Re:Relevance of Windows Messenging by Permission+Denied · · Score: 1
      Not being a Windows expert, what does Windows Messenger really do in a system?

      It does not do anything important. The messenger service accepts text messages over the network (from anywhere) and displays them in a message box. You can test this using "net send" from the command line. I believe messenger was meant as a replacement for "winpopup" from win9x.

      I've heard of three uses for this service:

      (1) some administrators apparently use this to send some notifications to their users about network outages or whatever. I have no sympathy for these administrators since it's absolutely trivial to write a replacement. Shouldn't be more than thirty lines of code for both client and server that use unadorned TCP and you can be damn sure that thirty lines of code you write won't contain an idiotic buffer overflow and you can also implement access controls to ensure your replacement won't be abused by other employees (whereas messenger accepts messages from anywhere and does not inform you of their origin).

      (2) I've heard that certain printers or printing systems use this to notify users of conditions like low toner. Again, I have no sympathy since this should be done with SNMP traps. With SNMP traps, you can re-route these messages or write some program to deal with them automatically (page your "paper/toner" guy when toner is low, or automatically file a paper request with the supplies people). You cannot do this with undocumented proprietary Microsoft protocols like messenger (although messenger is probably simple enough that you could easily reverse-engineer it (like the people in group (3) did), but there is no reverse engineering involved with standard protocols like SNMP).

      (3) Messenger is used by spammers to display spam on your desktop. Since it accepts messages from anywhere and does not log the originating IP of the messages, it's quite convenient for this purpose.

      It is completely safe and very recommended to disable messenger. It is enabled by default in all recent versions of Windows.

    3. Re:Relevance of Windows Messenging by Homology · · Score: 1
      (1) some administrators apparently use this to send some notifications to their users about network outages or whatever. I have no sympathy for these administrators since it's absolutely trivial to write a replacement. Shouldn't be more than thirty lines of code for both client and server that use unadorned TCP and you can be damn sure that thirty lines of code you write won't contain an idiotic buffer overflow and you can also implement access controls to ensure your replacement won't be abused by other employees (whereas messenger accepts messages from anywhere and does not inform you of their origin).

      I gather that you are not greatly experienced in programming and system administration?

    4. Re:Relevance of Windows Messenging by Permission+Denied · · Score: 1
      I gather that you are not greatly experienced in programming and system administration?

      Incorrect. If you wish, I'll write these programs (windows service, low LOC, no exploits, similar functionality) and post them to my journal, like I've posted before when challenged (lameness filter prevents posting code as comments). I find it difficult to believe that you doubt such a thing can be done trivially. Indeed the messenger service has such little functionality that it's embarrassing it could be exploited.
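
A notifier of the kind discussed in this sub-thread, as an added example that is not any commenter's code: it accepts one newline-terminated message per TCP connection, checks the sender against an allow list, caps the message length before anything is stored, and passes the origin address along with the text. The port, the allow-list addresses, the one-line protocol and all function names are assumptions made for the example.

```python
import ipaddress
import socketserver

MAX_MESSAGE_BYTES = 512  # payload cap, enforced before anything is stored or shown

# Constructed sample policy: only these admin hosts may send notices.
ALLOWED_SENDERS = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "192.0.2.10/32")]


def sender_allowed(peer_ip, allowed=ALLOWED_SENDERS):
    """True if the connecting address falls inside an allowed network."""
    try:
        ip = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(ip in net for net in allowed)


def read_message(rfile, limit=MAX_MESSAGE_BYTES):
    """Read one newline-terminated UTF-8 message; None if it breaks the rules."""
    raw = rfile.readline(limit + 1)  # never pulls in more than limit+1 bytes
    if not raw.endswith(b"\n"):
        return None  # over the cap, or the sender hung up mid-line
    try:
        text = raw[:-1].decode("utf-8").rstrip("\r")
    except UnicodeDecodeError:
        return None
    if not text:
        return None
    # Replace control characters so a message cannot forge log lines
    # or smuggle terminal escape sequences into the display.
    return "".join(c if c.isprintable() else "?" for c in text)


def handle_connection(peer_ip, rfile, wfile, deliver, allowed=ALLOWED_SENDERS):
    """Apply the policy to one connection. Returns 'DENY', 'BAD' or 'OK'."""
    if not sender_allowed(peer_ip, allowed):
        verdict = "DENY"  # nothing is read from a sender that is not allowed
    else:
        text = read_message(rfile)
        verdict = "BAD" if text is None else "OK"
        if text is not None:
            deliver(peer_ip, text)  # the origin always travels with the message
    wfile.write(verdict.encode() + b"\n")
    return verdict


class NotifyHandler(socketserver.StreamRequestHandler):
    timeout = 5  # seconds; a silent client cannot hold the connection open

    def handle(self):
        try:
            handle_connection(self.client_address[0], self.rfile, self.wfile,
                              self.server.deliver)
        except OSError:
            pass  # timeout or reset: drop the connection, deliver nothing


def show(peer_ip, text):
    """Stand-in for the pop-up: print the notice with its origin."""
    print(f"[notice from {peer_ip}] {text}")


if __name__ == "__main__":
    # Port 5140 is an arbitrary choice for this example.
    with socketserver.TCPServer(("127.0.0.1", 5140), NotifyHandler) as srv:
        srv.deliver = show
        srv.serve_forever()
```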

  74. No biased opinions here! by Anonymous Coward · · Score: 0

    http://www.securityfocus.com/bid

    How many times in that list of recent vulnerabilities do you see Microsoft?

    Not that I'm a Microsoft supporter in a major way, but still, what gives?

  75. Interesting but... by GearheadX · · Score: 1

    One of the first things I do when I install Windows on a computer in my office is disable Messenger outright. It's simply not worth the aggravation of dealing with it.

    Ever since spammers started using it a few years back, it just wasn't worth the nuisance of dealing with it.

  76. Re:Yet Another Critical Linux Flaw! by Anonymous Coward · · Score: 0
    ag3n7 (442539) wrote:
    I haven't seen Microsoft include a WEBSERVER in the kernel space yet
    You haven't seen Windows Server 2003 and Internet Information Services (IIS) 6.0.

    IIS 6.0 uses a new kernel-mode caching capability that generally enhances the Web server's performance. Its kernel-mode cache is designed to speed up static file performance significantly by bypassing the need to do a kernel-to-usermode transition to generate and serve the response.

    Even though IIS 6.0 runs in user mode, Windows Server 2003's HTTP stack is implemented as a kernel mode device driver called HTTP.sys. HTTP.sys is responsible for:

    Connection management--managing the database connections from the ASP.NET pages to databases
    Caching--reading from a static cache as opposed to recompiling the ASP.NET page
    Bandwidth throttling--limiting the size of the Web requests to a Web site
    Text based logging--writing IIS information into a text log file

    Now, whether or not this is good design is questionable. I surely would not recommend running your web server in your operating system's kernel space.

    Brian
    reflections of my imagination
  77. Don't forget the 2 Exchange Bulletins by 101010 · · Score: 1

    I also received a notice on Exchange server, MS03-046 and MS03-047.

  78. Re:Yet Another Critical Linux Flaw! by jweatherley · · Score: 2, Informative

    Kernel32.dll is not the Windows kernel - that would be ntoskrnl.exe. Kernel32.dll contains the Win32 functions.

    --

    --
    Reverse outsourcing: it's the future
  79. Will they patch my BIOS too? by cybrangl · · Score: 1

    Not that I am trying to jump on the MS-bashing bandwagon, but these vulnerabilities take on new light when you consider MS is trying to get into the BIOS level ( http://www.geek.com/news/geeknews/2003Oct/gee20031008022103.htm ) Soon we can expect even our hardware to be vulnerable. What gets me is the dismissive attitude MS takes when announcing these flaws. True, these are out "before any known attacks", but if you look at the nature of them, they should all have been patched years ago. This is not the first time these services have had such vulnerabilities. The problem is that MS patches the symptom, but doesn't address the nature of the vulnerability. Thus, every once in a while, someone figures out a way around the last patch and the cycle starts over. How long did the last RPC patch last? Security should be about reinforcing the OS, not placing a sheet of plywood over the offending hole and hoping that no one notices the one next to it.

  80. Another rabid submitter gets it wrong by Call+Me+Black+Cloud · · Score: 2, Informative

    Microsoft released yesterday a whole bunch of critical security updates.

    Their new policy is to release monthly updates unless an exploit already exists, in which case a patch is immediately released.

    Out of these, MS03-043 is a flaw in the Windows Messenger Service ... Of course a firewall will offer some protection but shouldn't be relied on

    You don't know what you're talking about, submitter Dynamoo. Please, tell us why one shouldn't rely on a firewall? If you read the technical documentation about the flaw you see "If users have blocked the NetBIOS ports (ports 137-139) - and UDP broadcast packets using a firewall, others will not be able to send messages to them on those ports." (under "Technical Descriptions"). I think I'll ignore your advice and keep a firewall in place, no matter what OS I'm using.

    1. Re:Another rabid submitter gets it wrong by Pvt_Waldo · · Score: 1

      The other bad line from the obviously biased submitter is...
      Of course this is another headache for admins still patching for last month's RPC flaw.

      If admins at some site STILL haven't patched yet, they are - uh - morons. It takes all of about 2 minutes to do it. OK, 3 if you gotta reboot.

    2. Re:Another rabid submitter gets it wrong by LogicX · · Score: 1

      .. Times 10,000 users and unique machine configurations... ... with new machines being shipped vulnerable, and coming on the network each day, or users reformatting...
      yes, we're still dealing with the initial RPC vulnerability at RIT -- we have hundreds of machines at any one time which are blocked on the lan for being vulnerable or infected.

      --
      May this post be indexed by spiders, and archived for all to see as my Internet epitaph.
    3. Re:Another rabid submitter gets it wrong by NickRuisi · · Score: 1

      You don't know what you're talking about, submitter Dynamoo. Please, tell us why one shouldn't rely on a firewall?
      Here's why: All it takes is 1 user running a non-firewalled connection dialing up on their private ISP account from their laptop while on the road. Said user becomes infected with blaster or another win32 worm, disconnects and merrily returns to the office the next day and plugs said laptop into the LAN. WHAMMO! You had better hope that the machines on your LAN are patched because said user has effectively bypassed the firewall for the worm.
      It happened to my network. I had just finished a new win2k install for an end user and before I could get it up to the current SP/Patch level, it got infected because I have a "road warrior" who likes to use AOL when she's on the road (even though I explicitly told her not to).

    4. Re:Another rabid submitter gets it wrong by Dynamoo · · Score: 1
      Wrong? Nope. There are two ways the potential worm can get through the firewall.

      Firstly, it can come through as a blended attack combining a traditional worm with a mass-emailing virus. Really it's just a question of putting together existing malware technologies.

      Secondly, all you need to really screw your network is for someone to use an unprotected laptop on their home ISP and then bring it into the office. The worm basically just walks past the firewall.

      This second one was a favorite infection vector for MSBlast and Nachi to get onto corporate networks. Large networks with many laptop users got hit repeatedly.

      --
      Never email donotemail@WeAreSpammers.com
    5. Re:Another rabid submitter gets it wrong by Call+Me+Black+Cloud · · Score: 1

      As I stated in another message in this thread, I should have quoted Microsoft's solution directly where they say to set the Windows' firewall to block the ports. I just stated "firewall" which was unclear.

    6. Re:Another rabid submitter gets it wrong by Call+Me+Black+Cloud · · Score: 1

      As I stated in another posting, I was unclear in my response. The technical document from MS states users should set the Windows built-in firewall to block the ports. That would prevent collateral damage from someone mailing in a virus or bringing one from home. Sorry for the confusion.

    7. Re:Another rabid submitter gets it wrong by Dynamoo · · Score: 1

      Definitely. In fact a curse on MS for making it so difficult for novice users to find.. every individual user should have a firewall before they go within 6 foot of an internet connection in my view ;)

      --
      Never email donotemail@WeAreSpammers.com
    8. Re:Another rabid submitter gets it wrong by Anonymous Coward · · Score: 0

      You don't know what you're talking about, submitter Dynamoo. Please, tell us why one shouldn't rely on a firewall?

      One should not rely on firewalls because:

      1. Multiple attack vector worms. (Nimda abused 4 problems including a very rare infected server (IIS) -> client (IE) trick using infected e-mail files that IE passed to Outlook no questions asked.) The only reason major later worms didn't do this is because they did just fine going for only one hole. What good does a firewall do if a machine infected by Outlook/IE is going for the RPC overflow on LAN machines?

      2. Firewalls are nothing more than the hundred year old packet filter idea, nothing in the past years has made them understand what they filter! So you punch a hole for your apache webserver and turn on the mod_proxy module and forget the proxy goes both ways.... allowing a nice tcp connection to say port 137 of some windows box. This is while you feel perfectly safe behind an expensive firewall. Iis while you are busy writing angry e-mails at the overworked admins of sites to which your l33t firewall dropped a tcp port 80 packet before even knowing for sure these weren't friendly typos

      To argue that a firewall fixes everything would be shortsighted, you didn't, you just went straight ahead and claimed someone suggesting looking beyond a firewall didn't know what he was talking about....

    9. Re:Another rabid submitter gets it wrong by Anonymous Coward · · Score: 0

      We're still dealing with this because the patch broke several internal applications.

  81. Nomenclature by mborland · · Score: 1
    I don't know if it's MS or the poster, but we should make sure to clean up the nomenclature for these various 'messenger' services. In XP, clicking on the service labeled 'Messenger' displays the help on the left which says: "...This service is not related to Windows Messenger." Although, the poster referred to this as the "Windows Messenger Service."

    I want to shoot the Messenger, but it's hard to tell which one!

    But not to worry, visiting the MS link in the post and following the directions cleared up the issue.

  82. MS flip-flops (again) by harley_frog · · Score: 2, Interesting
    Microsoft's recommendation is to 'disable the Messenger Service immediately and evaluate their need to deploy the patch'.

    For over a year now, Leo Laporte from TechTV's The Screensavers has been saying that Messenger Service is a security hole but Microsoft kept saying, "It's not a hole; it's a feature." Guess now Microsoft will turn off Messenger Service by default. Or, maybe not.

    --
    It's all fun and games until someone loses the key to the handcuffs.
    1. Re:MS flip-flops (again) by Anonymous Coward · · Score: 0

      Leo Laporte is my hero. god I love that show, but am I the only one that wants to punch that call-for-help guy in the face?

    2. Re:MS flip-flops (again) by gorfie · · Score: 2, Insightful

      Before we were told about the Messenger flaw, I don't think the Messenger service was considered a hole, I think it was the fact that spammers were able to send messages to computers remotely using the Messenger service that was INDICATIVE of a hole. Even if they disabled Messenger the problem still existed. It's NetBIOS that's the real problem. Of all the Windows worms that have come out in the past few years, all have relied on NetBIOS, IIS, or Outlook to propagate.

      Most of the people running IIS got a clue and patched (granted some didn't).

      Many running Outlook were aware that they could open viruses just by viewing message and many of them patched (granted some didn't).

      However everyone running Windows probably has NetBIOS running and all but the Systems Administrators and nerds don't realize that it has numerous holes and can be exploited.

    3. Re:MS flip-flops (again) by Anonymous Coward · · Score: 0

      I hate to say it but you are wrong. Disabling the Messenger service does indeed stop the spam messages and would also stop any attack through the service. You cannot hack through a service that is not running. This is the first time that MS has said that there is a security hole in this service. They have ALWAYS said that spammers using this door into systems was not a hole but a wonderful network service. Maybe Bill does need all those peter enlargements ads.

      It does amaze me how there are so many software fixes out there you must pay for when all you have to do is make a few clicks of the mouse and it all goes away for free.

      You can block the service at the router on a LAN and still have use of the messenger service on the LAN

    4. Re:MS flip-flops (again) by gorfie · · Score: 1

      Slight misunderstanding of what I said. Disabling the Messenger service does indeed prevent people from exploiting the hole *in the messenger service*. I don't doubt this.

      Microsoft bundled enormous functionality into a few ports, and they leave these ports open by default. If a user doesn't patch or use a firewall then they are obviously open to exploitation. This is what I consider a serious hole...

  83. BSOD - BSD; Is it evil? by Anonymous Coward · · Score: 0

    I installed an operating system that has something to do with devils (I'm not sure what, really), and now my computer BSD's immediately on boot.

  84. Re:RPC worm (Secure the perimeter) by ILikeRed · · Score: 1

    Your problem is that you did not follow Microsoft's best practices. If you had, you would have done as Ballmer has been preaching, and Secured the Perimeter! Which really is just PHB speak for never putting a windows box on the internet without a Linux firewall to protect it. Why do you think microsoft has started using Linux as a proxy service for their website???

    --
    I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams
  85. Re:Questions that I Microsoft's page does not answ by Bambi+Dee · · Score: 1

    ad 1 - XP Professional would be the XP "Gold" listed under "affected software". I haven't seen it called "Gold" before, but once you follow the link, their naming scheme reverts to the familiar "Home" and "Professional" editions.

    You can download it here:
    http://www.microsoft.com/downloads/details. aspx?di splaylang=de&FamilyID=F02DA309-4B0A-4438-A0B9-5B67 414C3833
    (mind the gap!)

    ad 2 - "Nachrichtendienst" is the one, yes.

  86. Re:Yet Another Critical Linux Flaw! by sqlrob · · Score: 1

    By this argument, none of these vulnerabilities should be held against Microsoft since none of them affect the Windows kernel (kernel32.dll).

    But those haven't been claimed IN A COURT OF LAW to be part of the OS. If there's a flaw in something MS claims is part of the OS, then, they take the bad with the good and get it docked against the OS.

    Not to mention, I haven't seen Microsoft include a WEBSERVER in the kernel space yet.

    And, yes, IIS runs partly in kernel with IIS 6.0 on Win 2003

  87. Thanks Tom! by Anonymous Coward · · Score: 0

    Thanks again Tom!

  88. Congratulations, Slashdot moderators. by mongbot · · Score: 1

    This comment stands at "+2 Insightful" (hah), with no negative moderation, thereby confirming this site's reputation as the online capital of anti-social, thoughtless free-software zealotry.

  89. YACWF!!! by Biff98 · · Score: 1

    As much as the Micros~1 community likes acronyms, throw that one on the fire. Hell I bet it becomes one of the most widely used acronyms around!

    Back to KDE(Desktop)/OpenOffice(Office Suite)/xmms(winamp)/Acrobat Reader(duh!)/NFS("File share")/Gimp(Photoshop).... Ahhh what a beautiful day. Isn't it?

    Glad I'm not a Windows Operator (no such thing as a Windows Sys Admin)...

  90. Not so fast... by X86Daddy · · Score: 4, Funny

    At least administrators can disable the Messenger Service remotely.

    If you haven't patched yet, I'm guessing anyone can disable your services remotely. :-)

    1. Re:Not so fast... by Anonymous Coward · · Score: 0

      Your search - Domino security flaw - did not match any documents.
      --Google News

      At some point in the near future, Google is going to return this archived Slashdot thread as a search result for the string "Domino security flaw".

    2. Re:Not so fast... by godzillion · · Score: 1

      This suggests a viral technique for applying security patches: Given a newly discovered vulnerability, create a worm which exploits that vulnerability, applies the patch on the infected machine (or disables the broken service), then attempts to infect other unpatched machines.

    3. Re:Not so fast... by r_j_prahad · · Score: 1

      Your search - Domino security flaw - did not match any documents.
      --Google News


      Your search - Domino Administrator wanted - did not find any openings.
      --Monster.com

    4. Re:Not so fast... by H0bb3z · · Score: 1

      Yep -- it's done through the RPC/DCOM services that M$ claims is a "secure communication transport" for Windows.

      Nice. And ironic.

      -----

      --
      "There *IS* no patch for stupidity" -www.sqlsecurity.com
    5. Re:Not so fast... by Chris+Mattern · · Score: 1

      He cheated. "Google News". This thread will not be showing up in Google News. Neither do any of the many other articles about Domino security flaws I found when I did a Google web search on those terms: "Results 1 - 10 of about 7,790. Search took 0.29 seconds."

      Chris Mattern

    6. Re:Not so fast... by JuggleGeek · · Score: 1
      Your sig says... Your search - Domino security flaw - did not match any documents.

      When I run that phrase through Google, I get...
      Results 1 - 10 of about 8,030. Search took 0.24 seconds. I don't know anything about Domino, but I know BS when I see it. The rest of your "message" looked every bit as honest.

  91. Re:Yet Another Critical Linux Flaw! by Theatetus · · Score: 1

    kernel32.dll is more like glibc than vmlinuz. The "dll" bit should have tipped you off.

    --
    All's true that is mistrusted
  92. If I had a dollar... by Craig3010 · · Score: 0, Troll

    ...for each and every Windows security flaw, I could make Bill Gates my bitch.

  93. M$ users suffer from "Stockholm Syndrome"? by Anonymous Coward · · Score: 0

    Gates is done, he's giving money away now.

    All these flaws, high prices, long wait for Longhorn, control freak tactics are for a purpose.

    To disgust you and wean you all off of Microsoft. To encourage healthy computer diversity.

    So get your Macs or Linux OS's and be done with it already.

    Or are you all suffering from "Stockholm Syndrome"?

    http://www.macdailynews.com/opinion_comments.php?id=P1943_0_2_0_C

    Only 35% are going to wait for Longhorn
    22% are going to switch to Macs
    37% are going to switch to Linux

    http://www.eweek.com/poll_archive/0,3044,p=1253,00.asp

  94. Re:EULA - did you spot this? by Anonymous Coward · · Score: 0

    Hey, it's a reference to the EULA you have to agree to when you download Win update - it's not offtopic..

  95. What? by abulafia · · Score: 2, Insightful
    You fail to back up your title.

    > Microsoft released yesterday a whole bunch of critical security updates.

    Their new policy is to release monthly updates unless an exploit already exists, in which case a patch is immediately released.

    How, exactly, are you contradicting the author?

    > Of course a firewall will offer some protection but shouldn't be relied on

    You don't know what you're talking about, submitter Dynamoo. Please, tell us why one shouldn't rely on a firewall? If you read the technical documentation about the flaw you see "If users have blocked the NetBIOS ports (ports 137-139) - and UDP broadcast packets using a firewall, others will not be able to send messages to them on those ports." (under "Technical Descriptions"). I think I'll ignore your advice and keep a firewall in place, no matter what OS I'm using.

    I don't believe the author is telling you to remove your firewall. The author is saying that it shouldn't be relied upon. There is a significant difference. Because some other machine behind the same firewall might become infected, a firewall is not a perfect measure for protecting against this attack. There's a well worn phrase for this problem - "crunchy on the outside, chewy on the inside."

    So, again, please explain how Another rabid submitter gets it wrong?

    --
    I forget what 8 was for.
    1. Re:What? by Call+Me+Black+Cloud · · Score: 2, Informative

      a firewall is not a perfect measure for protecting against this attack...Because some other machine behind the same firewall might become infected

      Good point - I was unclear. I should have quoted Microsoft's technical documentation. They specify configuring Windows' built-in firewall to block those ports. If the ports are blocked at each machine then an infected machine behind a hardware firewall will not infect other machines on the LAN.

    2. Re:What? by cornjones · · Score: 1

      I don't believe the author is telling you to remove your firewall. The author is saying that it shouldn't be relied upon. There is a significant difference.

      The idea here is defence in depth. This should be blocked at your border firewall/router. Each machine's personal firewall would block it and then you would patch the machine not to be vulnerable. Of course all unnecessary services would also be shut off.

      No matter how much I want to do that, I never seem to get around to locking everything down that much.

    3. Re:What? by don_carnage · · Score: 1

      They specify configuring Windows' built-in firewall to block those ports.

      Yeah...that works. Disable file sharing so now Mom can't send files to Sister's "folder". Ugh...I can hear the support calls now.

    4. Re:What? by Anonymous Coward · · Score: 0
      They specify configuring Windows' built-in firewall to block those ports.

      How about not opening the port in the first place?

      Open a port and install a firewall to block access to the port? It seems incredibly backwards to me.
    5. Re:What? by Anonymous Coward · · Score: 0

      Yeah...that works. Disable file sharing so now Mom can't send files to Sister's "folder".

      That's just sick.

  96. Firewall BAD! Patches GOOD! by n1k0 · · Score: 1, Insightful

    > Of course a firewall will offer some protection but shouldn't be relied on

    What kind of crack are you smoking, and where can I get some? A firewall will offer complete protection, and should be relied on to protect you from exactly this kind of situation (and more!). I'm sure your point is that using a firewall is no excuse to not apply security patches and while I agree, this anti-firewall propaganda has to stop! ;-)

    -Nick

    1. Re:Firewall BAD! Patches GOOD! by Biff98 · · Score: 1

      Well -- I think this guy MAY have a valid point after all. The term "Firewall" has been thrown around ENTIRELY too much.

      A SOFTWARE "Firewall" running on a Micros~1 box is NOT A FIREWALL. In fact if you trust that thing you should be locked away in private address space for the remainder of your WWW years...

      A SOFTWARE "Firewall" running on any *nix machine is probably ok.

      A HARDWARE "Firewall" running at the Layer 2 -> 4 is probably your best bet. There's an OS designed to handle packets and not to share time with other processes, its sole purpose is to block packets.

      The argument? Writing apps for Windows on its API does not inspire a whole lot of confidence in the effectiveness of what you're writing. I'd be willing to bet some money that before your "Zone Alarm" software or whatever gets that packet to look at that Micros~1 has done some pre-parsing and processing for backdoor type stuff. If you want to inspect OpenBSD's 'pf' program, look at the source and decide if you like it or not. And well, the hardware firewalls -- that's why these people are in business. They protect networks.

      (FINALLY) the MORAL of the story: Don't assign the term "Firewall" to something that DOES NOT DESERVE IT. It creates a FALSE sense of security.

      "Tell me I'm wrong"

  97. If Bill Gates had a nickel.... by Biff98 · · Score: 1

    http://ars.userfriendly.org/cartoons/?id=19990911 for every time Windows crashed...

    Check out this User Friendly strip...

  98. Releasing patches too frequently? by hetairoi · · Score: 3, Insightful

    I was just over at the beast reading about the new security bulletin service and came across this under the 'What customers tell us' section:

    Customers are concerned that Microsoft releases security patches too frequently

    Wha?!? So, customers are saying that even if some critical flaw is found, M$ should wait awhile before releasing it because Joe Admin is concerned there are too many patches??

    Come on, if they know something is broke I want a patch ASAP (after proper testing of course). I don't care if they release a patch an hour, if something is broke -- Fix it now, don't wait until next week because you've already released your quota of patches for this week. This sounds like BS to me, maybe M$ just stuck that in as an excuse to not release patches.

    Later they say an exception will be made if they determine the customers are at immediate risk. I'm glad they know my system so well, but really, please just release the patch now and I will decide if MY system is at immediate risk.

    --
    you're all figments of my deranged imagination
    1. Re:Releasing patches too frequently? by porkchop_d_clown · · Score: 1

      Frequent patching is cause for three concerns:

      1. The patches haven't had time to be adequately tested.

      2. A cascade of patches indicates serious underlying problems.

      3. A cascade of patches distracts the MS developers from what should be their primary job: making patches unnecessary in the first place.

    2. Re:Releasing patches too frequently? by Phishcast · · Score: 1

      I've heard folks from Microsoft say that there is an obvious correlation between the time they offer security patches and the appearance of public exploit code on the internet. Whether it's the patches being reverse engineered or whether black hats have a new place to focus their energies based on the security bulletin, it makes sense. Of course, this only applies to vulnerabilities found by Microsoft or by people that coordinate releases of vulnerabilities with Microsoft. In fact, they're moving to a monthly patch release schedule instead of a weekly schedule based on this (with exceptions allowed for new vulnerabilities being exploited in the interim). Hopefully it'll make the lives of Windows admins out there a little bit easier.

    3. Re:Releasing patches too frequently? by hetairoi · · Score: 1

      1. Yes, obviously the patches should be tested, I mention that in my post. My problem is delaying a patch because, well, we've already put out a set this week and so we're just gonna let this one sit awhile. Give it to me and I'll test it (which I do before it goes to a production machine).

      2. well, yeah, it does.

      3. see your point 2.

      --
      you're all figments of my deranged imagination
    4. Re:Releasing patches too frequently? by Ozymandias1350 · · Score: 1

      I think it's pretty obvious. People are complaining about the number of security patches that they have to download to keep their system secure, especially over dial-up Internet connections. I hear this from my clients all the time, in fact - their system is unpatched and insecure, they got the latest virus, whatever, because it takes too long to download the patches.

      They're not complaining that Microsoft is patching too frequently - they're complaining about the need for having so many patches. Even the clients that know next to nothing about their computers are saying this, and in just about that fashion, too. Many have gone so far as to complain about the quality of the software, directly. But you can't expect Microsoft to say that in their security bulletin, so instead they just say people are complaining about the patching frequency, which is technically true.

    5. Re:Releasing patches too frequently? by babyrat · · Score: 1

      I love the way that people can interpret things that others say.

      What a typical letter may read:

      Dear Microsoft,

      Your product is full of security holes. If it was coded properly from the get go, it would have fewer critical holes and you wouldn't have to release patches EVERY week. This patch process is a pain for administrators and users alike.

      Regards,

      Babyrat

      What Microsoft interprets it as:


      You release too many patches too quickly. We'd rather have the security holes rather than have to patch our systems every week.


      I wouldn't necessarily blame Joe Admin or Fred End-user for that comment from Microsoft.

    6. Re:Releasing patches too frequently? by owlstead · · Score: 1

      Moreover, if somebody would want to release a successful worm, he now would have the opportunity to synchronize with the Windows update service.

      Just wait until the monthly patch-thingy is issued and your worm has a whole month to have fun. Patches will be issued NEXT MONTH.

      Great idea MS, I wonder why nobody else does such a thing. Sheesh.

    7. Re:Releasing patches too frequently? by Kris_J · · Score: 1
      They're paraphrasing. Customers actually said "MS products are an insecure steaming pile", but they couldn't put that on their website.

      It's a pain in the arse I tell you. We're in the middle of orientation. 17 staff trying to enrol 220 new students and 1000 returning students. Patching desktops is the last thing anyone has time for.

  99. Was there a "Yet Another Ssh Flaw?" Does michael follow the link in my sig and post about all the flaws that come out monthly (compared to these new four)?

    Of course not. And you won't see it reported, either. Because Slashdot is biased against Microsoft and wants your page hits.

    I dare you to argue otherwise, because it's just too obvious.

    --
    "Sufferin' succotash."
    1. Re:Bias by Anonymous Coward · · Score: 0

      "Because Slashdot is biased against Microsoft"

      You sir are a fucking genius.

    2. Re:Bias by Anonymous Coward · · Score: 0

      Well thank you captain Obvious.
      Slashdot is biased against microsoft for two reasons:
      Most people reading slashdot are fairly computer-savvy, meaning they realize that microsoft products are more or less shit in a pretty box.
      Also, many slashdot readers work as admins or similar, which means they have to clean up the mess every time microsoft fucks up and a flaw is discovered

    3. Re:Bias by stor · · Score: 1

      It seems to me that whinging about /.'s anti-MS bias is all you ever do, OCG. Save your breath: we know.

      From what I see, you're just as obstinate as the most rabid anti-MS Zealot.

      Cheers
      Stor

      p.s. Why is that page called "Linux Security" when it contains security advisories for NetBSD, SCO Unix, FreeBSD, etc that are irrelevant to Linux?

      --
      "Yeah well there's a lot of stuff that should be, but isn't"
  100. I personally hope this person rots in hell... by El+Camino+SS · · Score: 0, Troll


    This time, please do something really useful, not only doing such silly thing as DOS'ing windowsupdate

    You can for instance, delete necessary files for Internet connection... in this case Microsoft will be in a *real* shit if nobody can connect the internet to download patches!
    They'll maybe have to send MILLIONS of CD by mail!

    Therefore, people will be *really* annoyed and may think it's time to switch to another more reliable OS.


    You know what? You're evil. You probably don't consider yourself evil, just like the people that support Al-Qaeda consider themselves evil, but let there be no doubt about it. You're evil. Most who are evil really couldn't ever consider their actions evil. You are advocating a concerted attack on others. You are supporting the destruction of others' property and disruption of their lives for your social agenda... for your personal opinion of how the world should be, without asking them what should be done. That is, by definition, selfish and evil.

    You are advocating force and disruption as change, and it isn't even a good change. Most common users CAN'T USE LINUX. They simply cannot handle it all yet, they don't have years of computer experience necessary to run it.
    Your analogies that destruction is a motive for positive social change are tantamount to putting a gun next to a person's head and telling them something like "How about my form of government? How about my style of computing?" That kind of FORCED activity is the kind of thing that China and other nations that squash people's human rights excel at. Cmon. Realize that you are advocating the destruction of property here on a global scale. The Chinese come into their homes disrupting their lives, dictating the terms of their behavior, and leashing their options. You're basically telling them what they need to do by hurting people. That makes you evil.

    You are saying that forcing people to lose their work and data is a good thing for them. You are saying that rendering their computers useless is a good thing for them. You personally like the idea that others will suffer for your personal agenda. Well, I don't.

    ANALOGY:
    This is like saying that you don't like the current way that stoplights are working, so you sabotage them nationwide. All the people that might die? SO WHAT, HUNH?

    You need serious help. Locking you up would be my opinion of "serious help." It's self-righteous a-holes like you that keep tearing down what we all need to build to be a civilization.

    Yeah, you want the computer revolution, but you want it your way, and advocate force to do it... ...don't count many of us in on that future.

  101. Taking bids on when worm comes... by MarvinMouse · · Score: 1

    The last worm, I was only 2 hours off of when I thought it would come.

    I am saying this worm will probably come early November around midnight EST. (Nov 13th)

    Official bid: Nov 13th 0000 hours.

    Any other bidders?

    --
    ~ kjrose
    1. Re:Taking bids on when worm comes... by Tony-A · · Score: 1

      Nov 13th 0230 EST.
      I'm an optimist.

    2. Re:Taking bids on when worm comes... by Anonymous Coward · · Score: 0

      We have just released the worm DEPAnt$er. Give me your money if I have not already stolen your credit card number.

    3. Re:Taking bids on when worm comes... by Anonymous Coward · · Score: 0

      I bet $1,000,000.00 that the worm will be released at 0:00 UTC October 17. (It'll probably take me a few minutes to work the kinks out.)

  102. Completely false by Overly+Critical+Guy · · Score: 0, Flamebait

    In fact, Bill Gates gave a recent talk in which he mentioned that the reason SP2 is taking so long is because they're backporting security features from Windows Longhorn into XP.

    This isn't really a big news item--except on Slashdot, of course. Meanwhile, Linux distros have 10-20 flaws a month, but everyone ignores that for "Yet Another Critical Windows Flaw."

    Next.

    --
    "Sufferin' succotash."
    1. Re:Completely false by Anonymous Coward · · Score: 0

      I'm with you 99%

    2. Re:Completely false by Anonymous Coward · · Score: 0

      But linux users:

      • are not running as root
      • don't install services they don't need
      • know how to apply patches
      • yes we know about lindows

      The security features they are backporting:

      • new firewall
      • auto update
      • digital restrictions management

      Good news for the computer illiterate and network admins alike.

  103. Wait a minute is this still news by mboom · · Score: 1

    Let's be perfectly honest. With all news, if a story becomes repetitive it is no longer news. I think the "Windows Bug" thing has slipped into this chasm. It's no longer "new" and no longer interesting. Use windows at your own risk.

  104. Nasty Supplemental EULA by gvc · · Score: 1

    I installed the patch on several machines yesterday. One of them demanded a supplemental EULA. I have not been able to reproduce it on the other machines, so I paraphrase from memory. It said, among other things:

    "I will not publish the results of .net benchmarks"

    I have never (intentionally) installed the update that installs the .net framework but judging from the EULA I wonder if that happened and that's why this EULA popped up.

    In any event, this clause casts a chill over me.

  105. Don't get cocky by slittle · · Score: 1
    Connected to the internet to get the RPC patch, and got infected with this work in under a minute
    Same thing happened to me with RedHat 5.x - hacked via BIND in under 30 minutes. Fortunately I almost always use Midnight Commander, and show all files (why the fuck is the default hiding things from me?!?) and spotted a dot-file under / (my systems never have files under / only directories). So I F3'ed it and surprise, there's the root password.

    After I busted the guy on IRC, he had the nerve to ask me for a shell account. Told him to fuck off, while I did a full reinstall from scratch. Even though he promised he only added an account for himself and didn't compromise any other binaries, it's not worth the risk (esp. since the install was less than an hour old).
    --
    Opportunity knocks. Karma hunts you down.
  106. MOD PARENT UP by Anonymous Coward · · Score: 0

    Well put. I wish I had mod points for you.

  107. How many more by Anonymous Coward · · Score: 0

    holes are in windows that we don't yet know about? I have remote systems that have all known M$ patches installed, have their virus defs up to date, yet I still get calls from the end user asking me about this "MIRC registration box". Yea I know put them behind a firewall, but that solution requires the end user to have some idea of what a firewall is.

  108. Do it for them by kendric · · Score: 1

    Every time I do tech work for my friends *sigh* I usually end up having to reinstall windows xp. God forbid they move to a different OS, but I digress... The first thing I do when the machine is on is turn off MS Messenger. I have met people that have no idea what it is and how to turn it off, including high level CS students here at university.

    This is how you turn off MS Messenger:
    - Go to your main directory
    - Then WinNT
    - system32
    - then find the file called services.msc
    - you will have a list, find messenger on it
    - disable it

    While there, take a close look at what else microsoft has running, and see if you need all of it - perhaps remote PC access?

    This is the first thing I do when turning on a computer for almost anyone running XP; there is never any need for it. I've done it for families with kids, and have had the parents genuinely thank me for getting rid of the lewd popups their children are bombarded with.

    1. Re:Do it for them by inburito · · Score: 1

      Or you could just right click on my computer and select manage and then services and then disable messenger from the same list.

    2. Re:Do it for them by ssstraub · · Score: 1

      Or you could just Window key + R -> services.msc, then disable messenger service.

  109. It's More Confusing Than You Think... by Wymanator · · Score: 1

    There are actually three similarly named components: Windows Messenger Service, Windows Messenger and MSN Messenger. I found this article via Google which does a pretty good job of explaining the difference.

  110. Turning it off by Griim · · Score: 1

    I actually turned this service off back when I first installed...what exactly is it good for? I see tons of "services" running, that I'm assuming don't necessarily need to be (though I've learned through trial-and-error that turning some off, breaks things).

  111. Slashdot by Anonymous Coward · · Score: 1, Informative

    As much as I like slashdot, as a critical thinker, I have to entirely disregard its claim to be "news" when it is so obviously biased. This is not news, this is propaganda, worse than FOX news at times. Showing MS as a Borg Gates is hardly objective, which ought to be the goal of any self respecting news organization. How about we change the Linux penguin to him molesting small animals or children? That would be just as ludicrous as this purported "news" about MS.
    Oh, BTW, I *do* use and run Linux (dyneBolic CD), so all you haters can shove it up you know where. One other thing -- I am a programmer, so I know what open source and that is all about, I like it, but I can see its flaws as well, unlike all you other zealots.
    I used to like this site more. Too bad its bias ruins its integrity in my eyes, just like FOX news "Fair and Balanced" BS.

    1. Re:Slashdot by boligmic · · Score: 0

      Fox news provides the most accurate news in the world today. Just because they don't worship at your tax the rich, America is evil altar, doesn't make them wrong. In fact, it makes the most unbiased and fair news source around. Sorry, but I would go to war and kill 1,000,000 non-Americans to save one American life. We are worth more than they are. Go USA! And why in the world didn't we blow up that Chinese rocket? They should have never been allowed to reach space.

    2. Re:Slashdot by Excen · · Score: 1

      How about we change the Linux penguin to him molesting small animals or children
      Fox news provides the most accurate news in the world today.


      Bill? Dubya? Is that you guys again?

      --
      "No beer until you finish your tequila!" -Leela's Dad
    3. Re:Slashdot by DarkZero · · Score: 1

      As much as I like slashdot, as a critical thinker, I have to entirely disregard its claim to be "news" when it is so obviously biased. This is not news, this is propaganda, worse than FOX news at times. Showing MS as a Borg Gates is hardly objective, which ought to be the goal of any self respecting news organization.

      Slashdot never claimed to offer balanced or objective coverage, nor to be your One True Source For News. Let's be honest, /. is a dinky little website run by geeks, and because of that it's allowed to make light-hearted jokes, like Borg Gates. It's part of its charm. If you find a site that openly editorializes and doesn't claim to be doing anything different offensive, then you're at the wrong site. And you need to lighten up.

    4. Re:Slashdot by Dhalka226 · · Score: 1

      If you don't like it, pack it up and move on. Bitching and moaning about a service others, myself included, find incredibly valuable does no good. Do you think the slashdot folks are running around to change all of their icons and edit all of their articles because you're displeased? Give me a break.

  112. That's hilarious by Rogerborg · · Score: 1

    I'd post more, but I have to save my bandwidth for downloading half a gig of patches for one of Win2K's lunix contemporaries.

    Is the cognitive dissonance kicking in yet? Are you feeling compelled to slap this as a troll, rather than actually looking into how many patches there are for lunix systems? Do we care about the lunixatics that got rooted by ssh or sendmail vulnerabilities down the years? Can we even acknowledge their existence? Do we remember the FSF's ftp server getting hax0red out from under them?

    Hello? Hello?

    --
    If you were blocking sigs, you wouldn't have to read this.
  113. Re:Slashdot spin by Anonymous Coward · · Score: 0

    so true...

  114. New MS initiative by Comatose51 · · Score: 1

    I guess MS coming out with patches is a good thing. Is this part of a new MS initiative to seriously make Windows secure?

    --
    EvilCON - Made Famous by /.
  115. It gets better by jhswope · · Score: 1

    I just installed the patches on the Trial version of Windows Server 2003 I have at work and it locked the machine "hard". Power cycle was the only remedy. And this is the OS they want me to replace my Linux servers with??? Long live OPEN SOURCE!!!!!!!!!!!!!!

  116. Disabling services by Anonymous Coward · · Score: 0

    Apropos of disabling Messenger: I've noticed that in some cases, if I disable enough services -- ones that don't appear to have any relevant dependency relationships -- Windows seems to "take offense" and reenable the services, sometimes going so far as to reenable *all* the services I've turned off.

    The only way I've found to work around this is to use a .reg import file and a batch file run at both shutdown and startup to make sure the services never start. Obviously, this is an ugly and inflexible hack.

    Has anyone discovered why this happens, and how to make it *not*? Many, many thanks in advance to anyone who can enlighten me.

  117. Another rabid poster gets it wrong by Anonymous Coward · · Score: 0

    You don't know what you're talking about, submitter Dynamoo.

    I think I'll ignore your advice and keep a firewall in place, no matter what OS I'm using.

    How about some reading comprehension skills? He didn't say anything even close to "don't use a firewall". Idiot.

  118. Re:Bin Laden by Anonymous Coward · · Score: 0

    Would this be the same Bush from the Bush family that were VERY friendly with the Bin Laden family all those years ago?

  119. Re:RPC worm (Secure the perimeter) by juhaz · · Score: 1

    Because they get that proxy service from another company and have no power over how it's implemented.

    It's not like they wouldn't use windows version if there was someone offering it (after all, even if it's worse or more expensive there's the PR win over FUD-spreaders like you).

  120. Never connect any Windows box to the Internet by Anonymous Coward · · Score: 0

    You should know better than to connect *any* Windows box directly to the Internet. That's like lighting up a cigarette at a petrol station. Always use at least a NAT router between a Windows box and the raw Internet, such that only outgoing connection requests can get relayed back or better yet, make the Windows box go through some sort of HTTP proxy server, like Squid, to access the web. Never allow a Windows box to directly answer incoming connection requests from the Internet or you get what you deserve for being such a fool.

  121. Yea well... by buddha42 · · Score: 1

    "Of course this is another headache for admins still patching for last month's RPC flaw." Kudos to admins still patching one month old holes.

  122. Can anyone assist? by acousticiris · · Score: 1

    I thought this might be relevant in that we're discussing patching related to this (giant gaping) hole. Has anyone figured out why this 043 patch modifies the Workstation DLL? I can understand its interaction with the messenger service DLL, but why Workstation?
    I wouldn't worry about rapidly patching a large number of workstations with just a modification of the Messenger service, but now that it's changing a major DLL--and knowing the reliability of some MS Patches--I'm concerned at this point. Also with changes like this, is it possible this hole is deeper than what was originally stated?

    --
    "God is dead!" - Nietzsche
    "Nietzsche is dead!" - God
  123. Slashdot Script by exp(pi*sqrt(163)) · · Score: 1

    $a = int(rand(5));
    if ($a==0) { print "Security flaw in Windows discovered!\n" }
    elsif ($a==1) { print "IBM invents new higher density storage.\n" }
    elsif ($a==2) { print "Intel announces faster CPU.\n" }
    elsif ($a==3) { print "G5 fastest CPU on desktop.\n" }
    elsif ($a==4) { print "G5 not fastest CPU on desktop.\n" }

    --
    Doesn't it make you feel good to know that our freedoms are protected by politicans, lawyers and journalists.
  124. Shoot The Messenger by Anonymous Coward · · Score: 0

    Is this a new exploit? I remember seeing this on grc.com. Seems like grc.com is not reachable but here is the google cache for it.

  125. Re:Slashdot Moderation (OT) by caseih · · Score: 1, Insightful
    They're having problems with some of their machines, including the one which distributes mod points, running slow.

    This begs the question, what would happen if several thousand users decided to "go on strike" as it were and simply withhold moderation points. Seems to me that if enough users did this, we would see a similar moderation point shortage.

    On the other hand we have nearly 800,000 slashdot accounts these days, and the possibility of any of them agreeing to anything to accomplish this would be about zero.
  126. Hey Worm Developers by supun · · Score: 1

    You want to be creative, be unique? Create a worm that patches people's systems with the latest patches!

    --
    :w!
    1. Re:Hey Worm Developers by cyt0plas · · Score: 1

      It's been done. It was actually _more_ aggressive, and caused more problems than the worm that it was trying to fix.

      --
      Contact Me (got tired of viruses emailing me).
  127. Re:Slashdot Moderation (OT) by Jellybob · · Score: 2, Insightful

    I guess we would do, but I doubt it would be a huge problem, since mod points expire anyway.

  128. My older running applications relies on 'net send' by Baikala · · Score: 1
    When I was working at my college's computer 'lab' there weren't enough computers to satisfy the demand at midterms and finals (I live in Mexico and 7 years ago only 2 or 3 students had laptops) so we had to limit the time to 1 1/2 or 2 hours per user per day on those seasons.

    A friend and I wrote an app to handle that, users have to take a 'free' machine from the screen in the counter or get into the virtual wait line if there was none. The app did a 'net send' to alert users when their time was up and there was another user waiting, we had to update the messaging services on the win95 machines so they were able to get along with the 'brand new' NT 4 machines.

    The application was enhanced later, by me and others, to handle statistics and other alerts like annoying library dues and 'not enough sheets in your credit for your print work'. It was still running (although very modified) last time I was there (spring). I think that 'net send' was a very helpful admin tool for windows networks. (I know unix has had it since the dawn of time)
    --
    16,777,216 comments ought to be enough for any forum!
  129. Re:RPC worm (Secure the perimeter) by Anonymous Coward · · Score: 0

    Some days it's just harder to eat your own dog food.

  130. Context by Short+Circuit · · Score: 2, Insightful

    Context and Guilt by Association. This is Slashdot. Slashdot is very much engrossed with Linux, the Linux community and Open Source.

    1. Re:Context by Anonymous Coward · · Score: 0

      Don't forget the goatse man, penis birds, and Natalie Portman with hot grits!

  131. "spin" -- WAS Re:Releasing patches too frequently? by Anonymous Coward · · Score: 0

    Customers are concerned that Microsoft releases security patches too frequently

    Wha?!? So, customers are saying that even if some critical flaw is found, M$ should wait awhile before releasing it because Joe Admin is concerned there are too many patches??

    You must learn to read "spin". :) What this probably actually means is that their customers are concerned over the fact THAT WINDOWS REQUIRES SO MANY PATCHES SO FREQUENTLY to remedy problems that shouldn't have happened in the first place. However, they spin the survey results so as to avoid acknowledging that their customers think their OS may be crap.

    Hope this helps.

  132. New Marketing Slogan by cindik · · Score: 3, Funny

    You'll never be locked out with Microsoft. We make windows that anyone can open from the outside.

    1. Re:New Marketing Slogan by Blackbrain · · Score: 1

      I thought the new slogan was:

      "Microsoft - The Network is the Password"

      --
      Where would we be if Wheel had hid her round rock in a cave instead of showing everyone how it rolls?
    2. Re:New Marketing Slogan by Mark_in_Brazil · · Score: 1

      "Whose computer do you want to invade today?"

      --Mark

      --
      "It is nice to know that the computer understands the problem. But I would like to understand it too." --Eugene Wigner
  133. Kill the Messenger by Tony-A · · Score: 1

    Not being a Windows expert either, but our standard setup has been to disable the messenger service to kill annoying messages from print servers that were so proud of actually printing a job that they just had to tell somebody (everybody?) about it. I think Windows Messenger and net send can be used to annoy people. If for some reason you depend on these annoyances, you probably need it.

  134. worm patcher by DayBoyUSA · · Score: 1

    What would happen if microsoft wrote its own worm to patch the holes that allowed the worm onto the computer in the first place?

    Then computers that are most susceptible to the security hole would be first to get the worm that patches the hole.

    I know this would never happen as this would leave microsoft liable for anything the patch might break.

  135. I *like* the new moderation! by Anonymous Coward · · Score: 0

    Ironically, this "problem" with too few moderation points being given out makes /. much more useful to me.

    If I want a brief overview, I can browse the 5-7 +5 comments.

    If I want a deeper look at what people are saying, I can look at 20-40 +3 comments.

    When there are 30-50 +5 comments, there's no way to browse and get a fast overview of opinions on the topic. More often than not, wading through 40 comments isn't worth the bother, and I'll just skip the article entirely. Or, often, just skip /. entirely. Less mod points is a good thing.

  136. I guess I should have opened those emails by LuxFX · · Score: 1

    You mean all those emails I get about there being a new Microsoft Critical Update weren't lying? I've just been deleting them....

    Seriously though, I wish Microsoft would put out as many patches as those stupid emails I get say. After a few months at that rate they might have a stable OS for a change.

    --
    Punctanym: alternate spelling of words using punctuation or numerals in place of some or all of its letters; see 'leet'
  137. What does that have to do with MS security? by Anonymous Coward · · Score: 0

    Nothing prevents even UNIX users from logging in as root and doing whatever they want and many do.

  138. It is a horrible pain in the ass by lowvato · · Score: 1

    I have been forced into the c# world and VS.Net. After applying their damned patches my development environment is all screwed up (links to web projects). I want to kill, see dead burnt bodies...kill.

  139. Domain-wide service management by YetAnotherDave · · Score: 1

    I haven't seen an easy way to disable a service for a few hundred/thousand systems at once, so I cobbled together a quick hack with psservice to turn them off while I looked, since my corporate network has a TON of boxes I don't control which will likely remain unpatched for ages...

    My hack follows, but if there's anyone here who knows the proper windows way to disable services on lotsa machines remotely (my hack just stops them) please respond...

    my hack - 3 steps:

    1) psservice find messenger > messengerActive.txt

    2) munge file so it's just a list of machine names - a programmable editor like gvim makes this trivial

    3) FOR /F "usebackq delims==" %i IN (`cat messengerActive.txt`) do psservice \\%i stop messenger

    http://www.sysinternals.com/ntw2k/freeware/psservice.shtml

    1. Re:Domain-wide service management by YetAnotherDave · · Score: 1

      yes, poor style - replying to my own post.

      the latest psservice can change the startup config.
      if step 3 above is changed to

      FOR /F "usebackq delims==" %i IN (`cat messengerActive.txt`) do psservice \\%i setconfig messenger disabled

      all is well and good :)

    2. Re:Domain-wide service management by skt · · Score: 1

      Yes, I like the ps utilities, glued together with perl, for quick-and-dirty software deployment and reporting also. The nice thing about the set is that it works with the native NT/2000/XP operating systems without the requirement of third-party software.. in a domain environment it inherits all security.

      I have used these for hardware reports, hotfix deployment, and desktop support (pslist/pskill/psinfo).. Lately I have been using Sysinternal's psutilities a LOT, it is definitely one of the best sets of CLI utilities I have seen for Windows.
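
The thread above asks how to disable, not just stop, the Messenger service across a list of machines. The batch file below is an added example, not code from any poster or from Sysinternals: it uses the built-in `sc.exe` to set the start type to disabled, stop the service, and then confirm the stored configuration per host. The log file name is made up here, and it assumes `messengerActive.txt` holds one machine name per line (no leading backslashes) and that the account running it has administrative rights on the targets.

```bat
@echo off
rem Added example: disable and stop the Messenger service on every host in a
rem list, then verify the stored start type instead of trusting exit codes.
rem Assumptions: messengerActive.txt has one machine name per line, sc.exe is
rem available on the admin workstation, and you are an administrator on each host.
setlocal enabledelayedexpansion

set "HOSTS=messengerActive.txt"
rem Hypothetical log file name chosen for this example.
set "LOG=messenger_disable.log"

if not exist "%HOSTS%" (
    echo Host list "%HOSTS%" not found.
    exit /b 1
)

set /a FAILED=0
> "%LOG%" echo Messenger hardening run %DATE% %TIME%

for /f "usebackq tokens=1" %%H in ("%HOSTS%") do (
    rem Change the start type first so the service stays off after a reboot.
    rem sc.exe requires the space after "start=".
    sc \\%%H config Messenger start= disabled >nul 2>&1

    rem Stop the running instance. An error is normal if it is already stopped.
    sc \\%%H stop Messenger >nul 2>&1

    rem Read the configuration back; only a START_TYPE line that says DISABLED
    rem counts as success. Unreachable hosts and access-denied fall through here.
    sc \\%%H qc Messenger 2>nul | findstr /c:"START_TYPE" | findstr /c:"DISABLED" >nul
    if errorlevel 1 (
        set /a FAILED+=1
        >> "%LOG%" echo %%H  NOT DISABLED
    ) else (
        >> "%LOG%" echo %%H  disabled
    )
)

echo Done. Hosts still needing attention: !FAILED! - see %LOG%
if !FAILED! gtr 0 exit /b 2
exit /b 0
```

Because it reads the start type back each time, the same file can be re-run later to spot machines where the service has been switched back on.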

  140. Good riddance to Messenger service! by rkodama · · Score: 1

    It won't stop me from patching, but the only "use" I've found for the Messenger service is for spammers to send me annoying popups. At least browser popups require some action on my part (viewing a web page), but these Messenger popups come out of nowhere. So I say disable Messenger and forget about it if you haven't already.

  141. Re:RPC worm (Secure the perimeter) by Minna+Kirai · · Score: 1

    have no power over how it's implemented.

    They have POWER. They have $40 billion dollars of liquid power.

    It's a free market. Microsoft(tm) should be able to either pay Akamai to use Windows(r) servers, or go to another company that does.

    And if there's no company that does, it tells us a salient fact about the suitability of Windows for critical, high-capacity servers.

  142. Duh! by Dman33 · · Score: 1

    Upgrade! Don't you love how you are forced to use the latest-and-greatest? 98 is retired, get XP or 2k

  143. Re:Homewrecker! by Anonymous Coward · · Score: 0
    Hey, this is a legitimate question. My home directory (which was specified by HOME or by HOMEDRIVE and HOMEPATH) was changed by the patches.

    My home was "c:\"

    After the patches, HOMEDRIVE and HOMEPATH point to "C:\Documents and Settings\myusername"

    This caused programs such as xemacs to fail because various files weren't in the (new) "~/".

    HOW IS THIS A TROLL??

  144. Re:That's hilarious (dolt) by phippy · · Score: 1

    Hello.

    Why do people find it necessary to make linux/windows comparisons every time there is a security issue out, instead of a more productive discussion about the vulnerability itself ?

    Do we remember or care about those incidents and vulnerabilities ? Of course. Does any serious admin recognize the security history of any OS that he runs ? Of course. I'm well aware of the amount of patches there are for the many OSs I run.

    Will there always be people on slashdot such as yourself posting irrelevant sidenotes designed to start an argument with an obviously biased audience ? Apparently, *you* are proof of that.

    Getting the slashdot crowd to argue with you about the security of Linux and Windows is about as challenging as guessing the color of the sky.

    You must feel so proud of yourself.
    Next time, try posting a comment that is productive.

    p.s. the number of posted patches for OSs means nothing when used in arguing the security of an OS, because the severity of each has implications depending on too many variables. (application, use, adoption, vendor, etc.)

  145. Re:Yet Another Critical Linux Flaw! by Anonymous Coward · · Score: 0

    Sure, like everyone is going to get out the source code, go through it to understand it and then code up the fix. Not !!

    Why wasn't the parent poster modded as informative ? He has facts for you ?

    What's the point of having these news articles warning about MS exploits ? And don't tell me that it's so you can protect your own systems. If you want people to protect the *nix systems then put those warnings up instead. In the previous two weekly CERT warnings there was something like nine Linux warnings and virtually no MS ones.

    You just get that warm feeling kidding yourself that Linux is better but you'd get that same feeling pissing your pants.

    You'd all be better off spending the time cross-training to Microsoft platforms for when people get wise to the Linux 'benefits' rather than repeating the same old crap about how bad MS code is.

  146. Yeah, if you're a lazy bastard - Help HERE by MukiMuki · · Score: 0

    How to kill this in five (seven?) easy steps :

    net stop messenger

    1. Copy those three words.
    2. Paste them into notepad.
    3. Save them as "stopper.bat"
    4. Drag that file into your Startup folder
    5. DONE.
    6. ????
    7. PROFIT!

  147. Similar.... by Dman33 · · Score: 1

    On Tuesday, I got two new servers in. Both came pre-loaded with Win2K3 Server. Naturally, I decided to update them before putting them in production... I hit MS Update, left all of the default Critical patches and let it install them. On bootup, BSOD; reboot, BSOD; reboot, BSOD etc etc....

    Had to re-install the damn thing...

  148. This is getting costly by nyc_paladin · · Score: 1

    I manage a small IT staff with limited resources and keeping up to date with all of these security fixes is getting costly. Instead of working on projects to improve my systems. I really have to switch over to linux.

    --
    All that is necessary for the triumph of evil is that good men do nothing. --Edmund Burke
  149. Re:Yet Another Critical Linux Flaw! by Anonymous Coward · · Score: 0

    BZZZT. Not for the content but the delivery. You haven't delivered the information with the proper slashdot tone! See here's what you should have said:

    -----

    You fucking moron. You don't know the fucking library (kernel32.dll) from the actual kernel (ntoskrnl.exe). Holy fuck what fucking hole did you climb out of and why the fuck don't you drag your sorry fucking ass back there. Fuck this mother fucker.

    ---

    See you too can learn slashdot etiquette

    Thanks,

    Mr. Manners

  150. DON'T TOUCH THEM by Gumpy · · Score: 1

    Well it looks like you're screwed if you do and screwed if you don't!

    Just applied them to one of our w2k DCs and it's FUBAR!

    gonna try and revert one at a time and see what went wrong... meanwhile I have too many lusers screaming...

  151. And I thought i was practicing safe computing by penguin_powr · · Score: 1

    Well, it makes sense, after getting all those pop up ads to visit porn sites through the messenger service, that it finally catches up with me and i get a virus.

  152. Re:Average Joe SOLUTION by Anonymous Coward · · Score: 0

    People who use computers like they use toasters and contribute through their ignorance to the viruses and trojans bouncing through their machines should be given READ ONLY operating systems on a LiveCD. If they don't like it tough. If they want to approach their computer like a toaster, give them something that works like a toaster.

    Ever since the dumb newbs who stay newbs have jumped into the online world it's gone from bad to worse. I'm tired of seeing their computers spam mine in my firewall logs because they don't want to learn how to even make a vague attempt at securing their system.

    Enough is enough.

  153. Thanks for reminding me... by Anonymous Coward · · Score: 0

    I didn't even realize it was Thursday until I saw that headline.

  154. If you don't like it don't read it! by Anonymous Coward · · Score: 0

    I don't watch Fox News because I feel they have a ridiculously right wing bias.

    If you feel that way about /. you are more than free to go elsewhere.

    Besides, there are far more comments on this site complaining about supposed pro-linux bias than there are pro-linux comments most of the time!

    Yes, a majority of ./ readers and editors are sympathetic towards open source.

    If that is repugnant to you, you have many other sites to choose from.

    The constant whining is getting really old and is distinctly unproductive.

  155. You miss point #3 completely. by porkchop_d_clown · · Score: 1

    If they're spending all their time patching, they don't have any time to fix the underlying problem.

  156. Any useful software firewalls for XP? by steveha · · Score: 1

    I have friends who run XP, and I want to help them secure their systems. I'd like to know what software firewalls people recommend for XP.

    Every time Zone Alarm gets mentioned, someone says "don't use that, it sucks." So I guess not Zone Alarm.

    How about the software firewall that is included with XP? Is that any good? (I hope so, because I don't want to make my friends spend money. Free-as-in-beer is a good thing.)

    How about Norton Internet Security? BlackIce Defender?

    steveha

    --
    lf(1): it's like ls(1) but sorts filenames by extension, tersely
    1. Re:Any useful software firewalls for XP? by Anonymous Coward · · Score: 0

      When the XP firewall is turned on, it passes all tests at grc.com

      It seems pretty good but I also have a hardware firewall/router and I turn off all un-needed services.

      I don't get why MS doesn't turn it on by default, or at least ask the user instead of requiring the user to find the option

    2. Re:Any useful software firewalls for XP? by SharpFang · · Score: 1

      What about setting up 486 or pentium with Linux or BSD as firewall? Cheap, effective, stable and doesn't create any CPU overhead in the windows machine :)

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  157. Re:Yet Another Critical Linux Flaw! by TaranRampersad · · Score: 1

    " Sure, like everyone is going to get out the source code, go through it to understand it and then code up the fix. Not !!"

    It's that sort of response that reflects the inherent cultural problem with regard to computer security. If you don't want to fix it when you can - well, shucks. Pay someone else to do it. Or sit around and wait for patches. Your choice.

    "What's the point of having these news articles warning about MS exploits ? And don't tell me that it's so you can protect your own systems. If you want people to protect the *nix systems then put those warnings up instead. In the previous two weekly CERT warnings there was something like nine Linux warnings and virtualy no MS ones"

    Good question. Ask CERT why they stopped bothering with Microsoft warnings.

    "You just get that warm feeling kidding yourself that Linux is better but you'd get that same feeling pissing your pants."

    Though I didn't say GNU/Linux was better, your retort shows a prejudice for anyone who speaks a similar opinion. Perhaps you're not reading very well. That may explain your potty humor as well.

    However, can you say that one company being responsible for patching the majority of software in the world is a good thing? Maybe YOU think so, but there are a lot of people that disagree. I just sounded off. You did too. I decided that your ideas, propped up with a urine fetish, were thoughtful reflections without substantial understanding.

    "You'd all be better off spending the time cross-training to Microsoft platforms for when people get wise to the Linux 'benefits' rather than repeating the same old crap about how bad MS code is."

    I write and edit articles related to IT certifications, and was heavily into Microsoft coding for about 12 years. Not VB either. Perhaps you're a disgruntled VB 6 developer who doesn't have a target for his angst because you still have candles lit at your altar of Gates?

    So I respond: Get to know GNU/Linux. Get to know BSD. Get to know who to call when you need things fixed.

    You come to Slashdot, which deals with thousands of trolls a day - and can handle such posts as your own with disdain. LAMP, kiddo. LAMP.

    Have a nice day. I'd advise taking a nap.

  158. And Now Microsoft Announces by Master+of+Transhuman · · Score: 1

    a NEW "security initiative"!

    It's deja vu time!

    It's January 2001!

    I'm so disoriented!

    Microsoft plans Windows overhaul to fight hackers

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  159. Nightmare Scenario by Maxwell'sSilverLART · · Score: 1

    Here's a thought for ya. Culled mostly from other posts here on Slashdot, with a little bit of glue code to really make it hurt.

    Take, say, Nachi. Exploits a remote roothole to infect without any interaction from the user. Now, write it so that it doesn't crash the system (which it doesn't; Nachi applies the patch to close the hole behind itself, then starts blast-casting itself). You now have a system that will run arbitrary code for an indefinite period of time. So far, nothing new. Here's the scary part:

    The arbitrary code wipes your drive. As pointed out in this post (I don't vouch for its veracity; I'm not a programmer, 'specially not in ASM), the code to wipe a drive is about 12 lines of ASM. You could also mess with the BIOS.

    Now, put that code on a delay of random(1-5) days from date of infection, so it doesn't get caught immediately. Also, add two or three days from the time of initial release to give it some spreading time before anything starts getting deleted. This way, it propagates thoroughly before people really know what's going on. All this time, it should be blast-casting itself to infect as many hosts as possible.

    Now, the really fun part: when it infects a host, it should open a port (possibly random) and run a daemon to listen for incoming connections. As the infected system broadcasts itself, it should modify the code with its own IP address. The new client will then call home, back to the machine that infected it, to check on its status. If the host is unreachable for, say, two hours, it should assume that its parent has been discovered, and that efforts are underway to clean it. (It should try to contact the server upon initial infection to ensure there's a path back, to prevent premature triggering as a result of NAT, firewalls, etc.) It should also look for attempts to find its directory, run virus scanners, patch the original hole, disconnect it from the network (have it ping its router or somesuch), etc. If it detects a threat to itself, it will run its payload immediately, destroying the data on the machine, preferably in a manner such that recovering the virus code will be impossible (to slow reverse-engineering); possibly combine with encrypted code and cryptographic wiping. You could also pass data to it through this connection, to change the code or give immediate execution instructions. This would have to be done carefully, lest a bad host or a dialup user trigger premature execution.

    For bonus points, have the virus silently make minor changes to files, instead of simply wiping the drive. Maybe some of those changes can make it to the backup snapshots before things are discovered. Depends on which is more damaging. Alternatively, write a client that will run for an hour, change a few files and infect the world, then securely delete itself (but leave the hole open), so that the damage, and even the infection, goes unnoticed.

    This is a hardcore malicious attack. So far, everything's been skript kiddiez, just playing around. Anybody who's going to write something like this is going for the jugular, so assume he'll do the same thing for the initial infection. Give him about three dozen people (hrm, where could we possibly find three dozen people who'd like to bring the USA to an economic standstill?) armed with laptops with ethernet and 802.11b connections. Send a half-dozen to Washington, DC; New York; Dallas; LA; and Seattle with a list of wireless hotspots (go through the airports: business travellers with laptops. Score!) and public access areas (libraries, universities (the student union and libraries are popular places to have open access), Starbucks, and cybercafes). Send the rest out roaming; universities are great (University of Oklahoma has publicly-available connections in the union, both wired and wireless). Have them all start operating at about the same time, and infecting every available host. Hitting laptops and suc

    --
    Moderate drunk! It's more fun that way!
    1. Re:Nightmare Scenario by SharpFang · · Score: 1

      the code to wipe a drive is about 12 lines of ASM

      But the operation takes quite a while. Enough to start suspecting something went "very wrong" and to disconnect the drive before all the data gets destroyed. But "random shooting" - erasing randomly picked sectors of the drive may pass unnoticed for quite a while, while most of sensitive data is damaged. Note for a program to stop working, a few bytes missing is just enough. For a compressed file, it's often "lethal" (bad CRC), for database entry - what worth is a database with corrupted data? The damage spreads way faster. It's not that "20% of the files is erased, the rest is untouched". It's "95% of the files is corrupted in various degree."

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  160. Re:Bin Laden by rifter · · Score: 1

    Would this be the same Bush from the Bush family that were VERY friendly with the Bin Laden family all those years ago?

    They still are. In fact Bush Sr. works as a consultant to the Bin Ladens. Bush Jr. has declared the Bin Laden family and their connections to the Bush family off limits to all investigation as well.

  161. Is this related... by LionMage · · Score: 1

    ...to the recent crap-flood of viral/Trojan e-mails bearing Microsoft's logo and purporting to be network security updates?

    I'm not suggesting that the e-mails are legitimate security updates (they're not), only that maybe this recent official security update is somehow a response to this latest rash of opportunistic virii/Trojans.

    The flood of bogus viral e-mail is bad enough, and thankfully my Mac is immune to Wintel viruses, but the sheer volume is affecting me by displacing legitimate e-mail in my inbox. It's put me over quota once already.

  162. overflow in help and support by windex82 · · Score: 1

    phew, took me a couple minutes to pick myself off the floor after that fit of laughter...

  163. Warning about this update by MrLint · · Score: 1

    This update has a serious problem. I had the *exact* same symptoms as this guy.. be warned!

  164. In other news... by GunFodder · · Score: 1

    In other news, the sun came up this morning. The sky is blue, and Microsoft bashers flocked to Slashdot all day.

    Microsoft releases security patches nearly every damn week. When are we going to stop reporting non-news from companies just because we like to bitch about them in public?

  165. Re:Questions that I Microsoft's page does not answ by RoundSparrow · · Score: 1


    "Gold" is an older industry term. It has been replaced with "RTM".

    "Final (after beta) retail release" is what it means.... in the context you describe, I would say they mean "prior to SP1"?

    Just speculation.

  166. Domino Administrator jobs by solprovider · · Score: 1

    Your search - Domino Administrator wanted - did not find any openings.
    --Monster.com


    Monster.com has 26 jobs listed.
    Dice.com has 20 jobs listed.
    JustNotesJobs.com has 16 jobs in the U.S.

    If you are going to troll, at least do it correctly.

    ---
    The problem with finding Domino Administrator jobs is:
    1. The people in those jobs are rather highly paid for a computer administration position. In 2000, Certified Lotus Professional System Administrators averaged $89,000.
    2. They do not need to worry about viruses beyond choosing and installing a mail filter/virus protection, since no viruses have hurt Lotus Notes yet. The virus protection checks those virus-prone Word files, and helps if users are using MSOutlook as the mail client.
    3. The number of administrators needed for a company running Notes and Domino is much less than the same company running Exchange. This is anecdotal from personal experience. I know a 500 person company that grew from one person doing Notes Admin work part-time in a computer department of 2 people to 2 full-time Exchange Admins with 10 people in the computer department, at a time when the company was shrinking. A 30,000+ employees company went from 10 Notes administrators maintaining their own servers to 60 Exchange administrators with the servers maintained by a different group. This is only the Administration side, application development costs skyrocketed while application rollouts almost disappeared after the switch.

    Domino Administrators are happy, and companies of any size do not need very many of them. There is little turnover, and so there are few jobs to be filled. (Besides, who is going to quit with today's job market?)

    ---
    To be on-topic, Lotus/IBM releases updates at least quarterly. The updates usually add functionality, and fix crashes due to very unique circumstances. I only remember 2 that were for security issues. One was only an issue if the option to use MSIE as the browser was selected. The other was only an issue if Notes Designer was run in a certain configuration without a firewall. None of the updates are "critical". I just upgraded one large company's server from Domino 5.0.2 because the hardware was being replaced.

    To be fair, while Domino is a platform, it is not an OS. It relies on Unix, Linux, or MSWindows for its file protection. If you are running MSWindows, you may need some of these patches. Then again, if Domino is only running mail, web applications, and Notes client applications, you can turn off most of the vulnerable MS services.

    --
    I spend my life entertaining my brain.
  167. Exchange server DOS by planckscale · · Score: 1
    After our Exchange server died today, I read of a CERT advisory of a possible SMTP denial of service attack. We downed the server and now we're looking at traffic at our router. Too early to say, but has anyone else been hit by DoS on their Exchange servers today?

    --
    Namaste
  168. Windows 2003 by Anonymous Coward · · Score: 0

    Windows 2003 series have NO Messenger Service for security reasons. Slashdot news posters should double check this stuff before they make such news go public.

    IceMan

  169. IT Pros complain about the frequency by kylef · · Score: 1

    Joe User doesn't complain about the frequency of patches. IT pros are the ones who bitch about the frequency of patches. In this case, Microsoft is absolutely responding to pressure from its large customers.

    When the CTO of a Fortune 50 company calls up Steve Ballmer and says, "How are you going to compensate us for all this time we're wasting deploying patches from you every other week?" you can bet that MS is going to come up with a way to ease that burden, or lose another customer to Linux.

    They're trying to ease the IT burden by aggregating the patches into monthly releases (whenever exploits aren't already present) so that Admins have adequate time in between releases for testing, deployment, and preparation for the next batch of updates. It's a queueing mechanism, essentially.

    1. Re:IT Pros complain about the frequency by Ozymandias1350 · · Score: 1
      Joe User doesn't complain about the frequency of patches.

      Uh, actually, Joe User does complain about patches. See that whole thing in my comment about "my clients", "dial-up connections", etc. What in that gave you the impression my clients were IT Pros? I specialize in working with small businesses, mostly non-technical small businesses at that. And they frequently complain about the number and the size of the patches from Microsoft.

    2. Re:IT Pros complain about the frequency by kylef · · Score: 1

      I completely disagree. Joe User does NOT complain about patches. Joe User doesn't even know that patches exist, and this is a demonstrable (if unfortunate) fact.

      You're vastly over-estimating the vast majority of computer users out there. Anyone earmarked for installation of patches on business machines has enough training to be considered an "IT Guy." Maybe not a Pro. But of course, anyone performing this operation on a number of machines is exactly the audience Microsoft is attempting to satisfy by rolling out patches on a monthly basis.

      Why on earth do you think they sat on 4 critical updates until the middle of the month, and then issued a press release simultaneously mentioning that they were switching to a monthly schedule? You think they're ignoring their primary business customers? Hardly.

      This is a classic case of being damned if they do, and damned if they don't. If they release patches as they come out, people say "Ooooh, oooh, my poor rollout schedule, I just got done deploying the last patch and here comes another just to spite me!" If they release patches monthly, people complain "Oooh, oooh Microsoft is withholding critical updates and making me insecure!" I'm tired of all this freaking complaining.

  170. Re:My older running applications relies on 'net se by Otto · · Score: 1

    My college computer labs had the same sort of thing hooked into the print spool. When you printed a document, it went into the spool. When it was finished printing, a "net send" type of message got sent to your workstation saying that your document was now in the printer tray.

    It has its uses, but it should never have been bound to the IP connection by default, without some kind of safeties.

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
  171. The new patching "experience" I don't want to have by AlanS2002 · · Score: 0
    --
    Not all conservatives are stupid,
    but it is true that most stupid people are conservative.
    - Hume
  172. don't worry..... by Anonymous Coward · · Score: 0

    .....according to Bill it should be fixed in 24 hours.

    http://www.theregister.co.uk/content/4/33397.html