Slashdot Mirror


Yet Another Critical Windows Flaw

Dynamoo writes "Microsoft released yesterday a whole bunch of critical security updates. Out of these, MS03-043 is a flaw in the Windows Messenger Service (not MSN Messenger) with the possibility of a remote attacker gaining complete control of a Windows NT/2000/XP/2003 based PC remotely. If this sounds like another possible vector for a worm to spread, you'd probably be right. Microsoft's recommendation is to 'disable the Messenger Service immediately and evaluate their need to deploy the patch'. Of course a firewall will offer some protection but shouldn't be relied on. At least administrators can disable the Messenger Service remotely. Of course this is another headache for admins still patching for last month's RPC flaw."
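As an added example (not from the story or from Microsoft's advisory), a Windows PowerShell function that audits the Messenger service on a list of hosts and, unless run with -WhatIf, stops and disables it; it assumes Windows PowerShell 5.1 (the -ComputerName parameters of Get-Service/Set-Service), administrative rights on the targets, and RPC reachability to them. The host names are constructed placeholders.

```powershell
# Added example: audit and disable the Windows Messenger service ("Messenger", not MSN
# Messenger) on remote hosts. Assumes Windows PowerShell 5.1, admin rights on the targets,
# and that RPC to the targets is reachable. Host names in the usage line are constructed.

function Disable-MessengerService {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [switch] $WhatIf   # report only; change nothing
    )
    foreach ($computer in $ComputerName) {
        try {
            $svc = Get-Service -ComputerName $computer -Name Messenger -ErrorAction Stop
        } catch {
            # Unreachable host, access denied, or no Messenger service installed
            [pscustomobject]@{ Computer = $computer; Status = 'n/a'; StartType = 'n/a'
                               Action = "skipped: $($_.Exception.Message)" }
            continue
        }
        $action = 'already stopped and disabled'
        if ($svc.StartType -ne 'Disabled' -or $svc.Status -ne 'Stopped') {
            if ($WhatIf) {
                $action = 'would stop and disable'
            } else {
                # Disable first so nothing restarts it, then stop the running instance
                Set-Service -ComputerName $computer -Name Messenger -StartupType Disabled
                if ($svc.Status -ne 'Stopped') {
                    $svc.Stop()
                    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
                }
                $action = 'stopped and disabled'
            }
        }
        [pscustomobject]@{ Computer = $computer; Status = $svc.Status
                           StartType = $svc.StartType; Action = $action }
    }
}

# Usage (constructed host names): dry run first, then apply.
Disable-MessengerService -ComputerName 'ws-01', 'ws-02' -WhatIf | Format-Table -AutoSize
```

The report lists each host's service state and what was (or would be) changed, which makes it easy to verify that the rollout reached every machine.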

5 of 511 comments

  1. Re:Too bad it's such a pain in the ass... by Short+Circuit · · Score: 2, Interesting

    The average user thinks their computer runs "Microsoft."

    Take that from a guy in tech support.

  2. RPC worm (welcha!) by tonywestonuk · · Score: 4, Interesting

    So I installed W2k for a friend a few days ago - connected to the internet to get the RPC patch, and got infected with this worm in under a minute - not even time to get the update!...

    Now, getting rid of the worm is annoying, but is easily done. Can you imagine however, the chaos if the author of the worm also put nasty BIOS flashing code into it... Millions of PCs would be heading for the dumpster! Shops/businesses/transport/universities would all end up grinding to a halt, the economy would be up shit creek, and for a few weeks anyhow there would be a huge shortage of PCs through people panic buying new units - hardware prices would soar.... (good time to buy Dell stock maybe?)

    Tony.

  3. Average Joe is why this is really bad by HighOrbit · · Score: 4, Interesting

    A few months ago, my sister-in-law and her husband bought a new computer (loaded with XP as most are). They are average users: they browse the www, send email, write letters, and play games. They know how to use their box, but they don't know how to administer it. So everything that was shipped as default was still default - including the Messenger service. They are on cable modem and were getting constant popups (and I mean constant, like one every 30 seconds) over the Messenger service. Now multiply that by millions of people and you have millions of potential DDoS zombie machines, or spam spewers, or any other nasty (or illegal) thing you can imagine.

    It is time for MS to immediately change the default shipping configuration of XP to turn every service off by default, because no desktop should be listening on any TCP port by default. If that means they need to recall and replace all the master disks that they license to OEMs, then they need to do it. They need to have every major retail outlet yank all the shrink-wrap boxes and replace them with new ones with secure default configurations. MS is sitting on $46 million in cash, so they can easily afford this expense as chump change. It's just a question of whether they are willing to admit fault and buck up for failing their customers or if they are too greedy to spend some of their hoarded wealth.

  4. MS flip-flops (again) by harley_frog · · Score: 2, Interesting

    Microsoft's recommendation is to 'disable the Messenger Service immediately and evaluate their need to deploy the patch'.

    For over a year now, Leo Laporte from TechTV's The Screensavers has been saying that Messenger Service is a security hole but Microsoft kept saying, "It's not a hole; it's a feature." Guess now Microsoft will turn off Messenger Service by default. Or, maybe not.

    --
    It's all fun and games until someone loses the key to the handcuffs.

  5. Re:Windows SUS by Eraser_ · · Score: 2, Interesting

    Don't forget the installer. We have a server here running IIS with some strange application inside of it (Riverdeep). I read through all the readmes for SUS, and it said "don't worry, we only create a new site called SUS blah blah blah", and it's recommended, not required, to install IIS Lockdown. You can get that here.

    Sounds cool to me, I run the installer, and it does as it's told, but then proceeds to IIS Lockdown my server, breaking the application that was running on it. Uninstalling IIS Lockdown and SUS does _not_ fix the problem. Thanks Microsoft, when do we get chroot for Windows? Oh, but it will still need to install 400 megs of cruft into root-c:\winnt.