Slashdot Mirror


Yet Another Critical Windows Flaw

Dynamoo writes "Microsoft released yesterday a whole bunch of critical security updates. Out of these, MS03-043 is a flaw in the Windows Messenger Service (not MSN Messenger) with the possibility of a remote attacker gaining complete control of a Windows NT/2000/XP/2003 based PC remotely. If this sounds like another possible vector for a worm to spread, you'd probably be right. Microsoft's recommendation is to 'disable the Messenger Service immediately and evaluate their need to deploy the patch'. Of course a firewall will offer some protection but shouldn't be relied on. At least administrators can disable the Messenger Service remotely. Of course this is another headache for admins still patching for last month's RPC flaw."


  1. Too bad it's such a pain in the ass... by JLSigman · · Score: 1

    ...to uninstall Windows Messaging for the average user. 9/10th of them just assume that it IS MSN Messenger and don't have to worry about it.

    --
    -jls
    Techno-pagan
    1. Re:Too bad it's such a pain in the ass... by Short Circuit · · Score: 2, Interesting

      The average user thinks their computer runs "Microsoft."

      Take that from a guy in tech support.

    2. Re:Too bad it's such a pain in the ass... by Jesrad · · Score: 2, Insightful

      Wrong ! Every support tech will tell you users don't think. At all.

      --
      Maybe we deserve this world ?
    3. Re:Too bad it's such a pain in the ass... by general_re · · Score: 4, Informative
      It could probably be somewhat simpler to disable it, but it's not all that bad. What they could do better is making sure that people know the difference between the Messenger service and the MSN Messenger app, as you seem to suggest.

      Anyway, in case anyone's reading this and doesn't know how to disable Messenger, go to Start -> Settings -> Control Panel -> Administrative tools -> Services. Right-click on Messenger and pull up the properties sheet. On the "general" tab, select "disabled" for "Startup type". Then hit the "Stop" button right under that on the "general" tab to stop the service if it's currently running. That's for 2K - I assume XP is similar.

      --
      ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
    4. Re:Too bad it's such a pain in the ass... by Jugalator · · Score: 1

      What functionality do you lose when disabling the service? Is it one of those that never need to run, ever?

      I thought the service description wasn't very clear, at least not after being translated to Swedish. :-P

      --
      Beware: In C++, your friends can see your privates!
    5. Re:Too bad it's such a pain in the ass... by mst76 · · Score: 2, Funny
      What functionality do you lose when disabling the service? Is it one of those that never need to run, ever?
      You lose the ability to receive winpopup spam.
    6. Re:Too bad it's such a pain in the ass... by Mr Guy · · Score: 1

      Near as I can tell, you lost those little bubbles that pop up off the service tray that say something like:

      Want to sign up for MSN? Huh? Huh? Do ya? Click here!

    7. Re:Too bad it's such a pain in the ass... by ceejayoz · · Score: 1

      It could probably be somewhat simpler to disable it, but it's not all that bad. What they could do better is making sure that people know the difference between the Messenger service and the MSN Messenger app, as you seem to suggest.

      It would appear you failed that particular test...

      Windows Messenger Service != MSN Messenger.

    8. Re:Too bad it's such a pain in the ass... by general_re · · Score: 1
      You don't lose much at all - the only dependency I know of is the Alerter service, which does administrative alerts locally and remotely. You won't be able to send those popup messages to remote users any more if they have Messenger disabled, which is fine by me, because they're annoying as all hell anyway - it has the lovely side-effect of preventing those stupid popup spam messages, as an earlier reply alluded to, even if you don't have a firewall blocking it. Which you really should have anyway ;)

      If you don't use that - and I don't, since it's not exactly hard to roll scripts that handle administrative alerts in other ways - you can probably pretty safely disable Messenger.

      --
      ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
    9. Re:Too bad it's such a pain in the ass... by Otto · · Score: 1

      What functionality do you lose when disabling the service? Is it one of those that never need to run, ever?

      I thought the service description wasn't very clear, at least not after being translated to Swedish. :-P


      Originally it was conceived to provide an easy way for programs to send out messages over networks to users and/or admins about conditions that they need to know about. It allows one to send a simple pop up dialog box to anyone on the local network. You can use the "net send" command on any NT/2000/XP box to send messages using it.

      As Windows got more into the internet, it got turned into a partially TCP/IP service sort of thing as well. This turned it, eventually, into another form of method used to send spam. Nowadays, that's really all it's used for mostly. Some network admins use it for its original purpose, but simply have those ports firewalled off from the real internet to prevent the spam characteristics.

      However, if you're not a network admin and don't use it for such, then there's really no reason it should be on. The fact that it's on by default is really the problem. It should be off by default, as should all network services, IMO. You turn on what you want, and the rest stays firmly closed.

      What do you lose? The ability to receive those pop up messages, which are mostly spam nowadays.

      --
      - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
    10. Re:Too bad it's such a pain in the ass... by general_re · · Score: 1
      9. Restart

      I know this is going to sound highly unusual for Windows, but you don't actually have to restart once you stop the service. Rebooting gets to be a bit reflexive after a while, but stopping and starting services is one of the few cases in a Microsoft OS where you don't have to feed the reboot monkey ;)

      --
      ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
    11. Re:Too bad it's such a pain in the ass... by michib01 · · Score: 1

      By disabling the messenger service, according to MSFT:

      Impact of Workaround: If the Messenger service is disabled, messages from the Alerter service (for example notifications from your backup software or Uninterruptible Power Supply) are not transmitted. If the Messenger service is disabled, any services that explicitly depend on the Messenger service do not start, and an error message is logged in the System event log.

      --
      - "Having a clean conscience is sign of bad memory"
    12. Re:Too bad it's such a pain in the ass... by eugene ts wong · · Score: 1
      The average user thinks their computer runs "Microsoft."
      Well, if I asked you what your IP is, then would you know what I'm asking for? How could that be, even though there is no 'a', 'd', 'r', 'e', or 's' in the acronym? Is it simply because you are taught that that is the meaning plus it's just what you are used to? Well if you can do that, then they can say that their computers run Microsoft, just as some1 else can say that their computers run Red Hat, Suse, Gentoo, or Debian.

      Get over it, & fix it for them.
    13. Re:Too bad it's such a pain in the ass... by ajensen · · Score: 1
      Wrong ! Every support tech will tell you users don't think. At all.

      I disagree. I've been a support technician and network administrator for about six years now and have spoken with thousands of people about various things. A good portion of the user base tries to think and figure things out, but many times the users are simply not educated well enough to see the greater whole of what's happening. There are, of course, those users who just don't get it -- I'll never argue against that point.

      We've been organizing community education classes for a long time to help solve the lack of computer education problem -- it helps the users to work successfully on their own, which in turn helps us by lightening our support workload.

      -a

    14. Re:Too bad it's such a pain in the ass... by ajensen · · Score: 1
      Well if you can do that, then they can say that their computers run Microsoft, just as some1 else can say that their computers run Red Hat, Suse, Gentoo, or Debian.

      The difference here is between education and ignorance. When two technicians speak to one another, they will often use the shorthand phrase "IP" instead of "IP address." When a user says "Microsoft," he or she may not know the difference between running Windows 98 and running Windows XP.

      I think that your parent post was referring to the fact that many users just aren't versed enough in computing to know that there are different Microsoft products, and consequently may not be able to tell the difference between the similar names "Windows Messaging" and "MSN Messenger."

      -a

    15. Re:Too bad it's such a pain in the ass... by eugene ts wong · · Score: 1
      The difference here is between education and ignorance.
      Hmm, okay. I'll grant you that, but I hope that there can be a certain level of tolerance for this kind of ignorance.

      Thanks for the clarification.
    16. Re:Too bad it's such a pain in the ass... by minus9 · · Score: 1

      For Redhat

      1. Log in as root
      2. Type ntsysv
      3. Deselect the service
      4. Type service nameofservice stop

      or if you're running GNOME

      System Settings->Server Settings->Services

    17. Re:Too bad it's such a pain in the ass... by dokebi · · Score: 1

      Are you telling me you're logged in as "Administrator" by default? Why do you need to run Word and Excel and IE as root? Well, there is Microsoft security for ya.

      --
      In Soviet Russia, articles before post read *you*!
    18. Re:Too bad it's such a pain in the ass... by pyros · · Score: 1

      check out chkconfig, way nicer than ntsysv. `chkconfig service off` disables the service for all runlevels specified in /etc/init.d/service.

    19. Re:Too bad it's such a pain in the ass... by SpaceLifeForm · · Score: 1
      You lose the ability to receive winpopup spam.

      The parent is already moderated 'Funny', but it also could be moderated 'Informative'.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    20. Re:Too bad it's such a pain in the ass... by orangesquid · · Score: 1

      Except that under unix/linux, you just need a script. Someone should write this into a very nice Bourne-compatible script and put it up on the web somewhere (or does such a thing already exist?)

      Enable/disable:
      0. AIX users... sorry.
      1. If chkconfig exists in $PATH, run chkconfig appropriately (IRIX)
      2. If /var/rc.config.d/$name exists, change contents (HPUX)
      3. If /etc/init.d/$name exists, link/unlink /etc/rc?.d/[SK][0-9][0-9]?([0-9])$name (SysV)
      4. If /etc/rc.d/rc.$name exists, chmod 700/600 (Slackware)
      5. If /etc/rc.d/rc.{?,inet?,local} exists, and grep $name succeeds, run a quick ed script to comment out lines, or, chmod a-x `which $name` (Slackware)
      6. If /etc/rc exists and we're on Ultrix, run an ed, awk, or perl script to comment out the [ -f `which $name` ] && ... lines.
      7. If /etc/rc.conf exists, grep/ed the appropriate line
      8. If inetd is running, grep /etc/inetd.conf and use ed script to comment/uncomment
      9. If xinetd is running, grep /etc/xinetd.conf and use awk or perl script to comment/uncomment appropriate block

      Stop for non-inetd:
      0. AIX users... again, sorry.
      1. If /sbin/init.d/$name exists, run /sbin/init.d/$name stop (HPUX)
      2. If /etc/init.d/$name exists, run /etc/init.d/$name stop (SysV)
      3. If /var/run/$name.pid exists, kill `cat /var/run/$name.pid`
      4. If pkill exists in $PATH, run pkill $name
      5. If pidof exists in $PATH:/usr/freeware:/opt/sfw:{/usr,/opt}/gnu, run kill `pidof $name`
      6. If killall exists in $PATH and we're on linux, run killall $name
      7. Else, do the old ps aux/-aux/-efl|grep "\\(^\\| \\)$name "|grep -v grep|cut ... trick to get the PID, and kill that PID

      For rehashing inetd.conf, do the same thing but with -HUP. For rehashing xinetd.conf, do the same thing but with -USR1.

      Erm, I know this doesn't cover many systems, but I only have about a dozen different flavors of Unix that I work with, so I can't do all of them, sorry.

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
    21. Re:Too bad it's such a pain in the ass... by orangesquid · · Score: 1

      Oh yah, I forgot, if this fails, repeat with/without prefixes of "in." and "rpc.", and suffix of "d".

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
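
The enable/disable and stop checklists in the two comments above, as an added dry-run sketch in POSIX sh; it is not code from the thread. It covers the file-based checks (HP-UX, SysV links, Slackware, inetd, xinetd) and the name variants from the follow-up, keeps the paths and signals the comment lists, and only prints the actions. The function names and the ROOT argument are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the thread. Dry run: prints actions, changes nothing.
# ROOT (an assumption of this example) is "" for the live system or the mount
# point of a disk image being audited.

# Accept only plain daemon names so nothing odd reaches a path or glob.
valid_name() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# NAME plus the "in."/"rpc." prefix and "d" suffix forms from the follow-up.
name_variants() {
    for base in "$1" "${1}d"; do
        printf '%s\n' "$base" "in.$base" "rpc.$base"
    done
}

# inetd_has FILE NAME: true if an active line names the service or runs that daemon.
inetd_has() {
    awk -v n="$2" '
        /^[ \t]*#/ { next }
        { if ($1 == n) found = 1
          for (i = 6; i <= NF; i++) { m = split($i, p, "/"); if (p[m] == n) found = 1 } }
        END { exit !found }' "$1"
}

# plan_disable ROOT NAME: one line per boot-time mechanism that starts NAME.
# Returns 1 if nothing references NAME, 2 if NAME is rejected.
plan_disable() {
    root=$1 name=$2 hits=0
    valid_name "$name" || { echo "invalid service name" >&2; return 2; }
    f="$root/var/rc.config.d/$name"                 # HP-UX, path as listed above
    if [ -f "$f" ]; then echo "edit $f"; hits=$((hits + 1)); fi
    if [ -f "$root/etc/init.d/$name" ]; then        # SysV: S links start the service
        for link in "$root"/etc/rc?.d/S[0-9][0-9]"$name" \
                    "$root"/etc/rc?.d/S[0-9][0-9][0-9]"$name"; do
            if [ -e "$link" ] || [ -L "$link" ]; then   # skip unmatched patterns
                echo "rm $link"; hits=$((hits + 1))
            fi
        done
    fi
    f="$root/etc/rc.d/rc.$name"                     # Slackware
    if [ -x "$f" ]; then echo "chmod 600 $f"; hits=$((hits + 1)); fi
    f="$root/etc/inetd.conf"
    if [ -f "$f" ] && inetd_has "$f" "$name"; then
        echo "comment out $name in $f, then kill -HUP inetd"; hits=$((hits + 1))
    fi
    f="$root/etc/xinetd.conf"
    if [ -f "$f" ] && awk -v n="$name" \
        '$1 == "service" && $2 == n { found = 1 } END { exit !found }' "$f"; then
        echo "comment out the $name block in $f, then kill -USR1 xinetd"
        hits=$((hits + 1))
    fi
    [ "$hits" -gt 0 ]
}

# plan_disable_any ROOT NAME: run plan_disable for every name variant.
# Returns 1 when no variant is referenced anywhere.
plan_disable_any() {
    any_root=$1 any_hit=1
    valid_name "$2" || return 2
    for v in $(name_variants "$2"); do
        if plan_disable "$any_root" "$v"; then any_hit=0; fi
    done
    return "$any_hit"
}

# plan_stop ROOT NAME: first applicable way to stop a running NAME.
plan_stop() {
    root=$1 name=$2
    valid_name "$name" || { echo "invalid service name" >&2; return 2; }
    for f in "$root/sbin/init.d/$name" "$root/etc/init.d/$name"; do
        if [ -x "$f" ]; then echo "$f stop"; return 0; fi
    done
    f="$root/var/run/$name.pid"
    if [ -f "$f" ]; then
        read -r pid < "$f" || true                  # tolerate a missing newline
        case "$pid" in
            ''|*[!0-9]*) echo "ignore $f: not a numeric PID" ;;
            *) echo "kill $pid"; return 0 ;;
        esac
    fi
    echo "pkill -x $name"                           # -x: exact process name only
}
```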
    22. Re:Too bad it's such a pain in the ass... by general_re · · Score: 1
      Are you telling me you're logged in as "Administrator" by default?

      Gosh, I'm looking over my post, and I don't see where I said any such thing. Maybe you're thinking of someone else?

      Whatever. Here's a tip for ya:

      runas /user:localmachinename\administrator "mmc %SystemRoot%\system32\services.msc"

      --
      ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
    23. Re:Too bad it's such a pain in the ass... by ajensen · · Score: 1
      I hope so, too. I think that tolerance of ignorance is a very important quality in a support technician, since that type of ignorance is something he/she will deal with quite frequently. Sadly, it's also very difficult to find technicians who are tolerant.

      Cheers,

      -a

    24. Re:Too bad it's such a pain in the ass... by general_re · · Score: 1
      Although not obvious, you lose the ability to use nbtstat -a on the IP address to get local user name.

      ...if you disable Messenger. Somebody needs to mod you up - I had quite forgotten about that, mostly since I never use it, but you're absolutely right. If you rely on this, you may not want to disable Messenger.

      --
      ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
    25. Re:Too bad it's such a pain in the ass... by markhb · · Score: 1

      I'll bite... what's the issue with AIX? Can't you admin these things without going into smitty?

      --
      Save Maine's economy: write stuff down. All comments are exclusively my own, not my employer.
    26. Re:Too bad it's such a pain in the ass... by orangesquid · · Score: 1

      Yes, you can, actually. smitty is simply an interface to a whole bunch of commands which do all the "real work." smitty, in fact, keeps logs of everything it does, and it logs every command it runs. From the smitty logfiles, you can figure out what commands to run to do particular tasks.

      Unfortunately, my RS6k box has a dead power supply right now, so I can't pull up a list of any of the obscure commands needed to do any of these things.

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
    27. Re:Too bad it's such a pain in the ass... by aldousd666 · · Score: 1
      I'm tolerant to their faces and on the phone, but I'll be damned the day I can't blow off steam with my coworkers about silly user stuff. Maybe not so much damned as insane. It's a stressful job, and laughing at people who look at computers as magic boxes that 'are never willing to cooperate' (...Pc load letter?!?...) is how I keep my cool.

      One thing I'm particularly fond of is when I get users telling me that their friend, who 'knows all about computers and stuff' told them to do something that either violates a security policy we have, or is just completely retarded. I have a HUGE tolerance for ignorance, and I appreciate that it pays my bills.

      Some people just hate network guys because we control a large part of the way they do their job -- the computers.

      One final thought: After 8 years of tech support and lately security administration, I've definitely learned how to politely tell a user (or a manager who thinks his position in his own respective department somehow humbles me) to shove it up their ass.

      --
      Speak for yourself.
    28. Re:Too bad it's such a pain in the ass... by bev_tech_rob · · Score: 1

      If the machine is standalone, you lose nothing, except popup spam. But if your computer is on a corporate LAN and has software that depends on that service, then you might have problems. But hardly any software uses that service...

      --
      You're messin' with my Zen Thing, man.....
    29. Re:Too bad it's such a pain in the ass... by Jugalator · · Score: 1

      Ooh, it's that service. OK, got it now. :-)

      We used it once to fool people into leaving a computer lab by sending it to some random computer with "Warning! Virus detected, please shut down your computer immediately". Ahh, the memories... ;-)

      But haven't used it since... We use it occasionally on our corporate LAN to send really important messages, like if we plan to bring down a server.

      --
      Beware: In C++, your friends can see your privates!
    30. Re:Too bad it's such a pain in the ass... by Ryosen · · Score: 1

      The Messenger Service allows one machine to send text messages to another, typically through the NET SEND command, although I think that it can be done through the Windows API as well. This is commonly used by Admins to notify users of important system events (e.g. server reboot). As a developer, I have used it to send messages to clueless users who clog up the printer queues with stalled print jobs that are hours old and long since forgotten.

      As a side note, I used the messenger service to write an Instant Messenger (IM) client that ran under NT 3.5 back in 1996.

      --

      Ryosen
      One man's "Troll, +1" is another man's "Insightful, +1".
  2. Looks like that commitment to security.... by micahmicahmicah · · Score: 1

    is going oh so well.

    Then again, considering the installed user base; I think they are doing ok. I know it's the cool thing to be anti-MS. But let's face it - sometimes:

    "war is peace"

  3. Call to worm developers!! by borgdows · · Score: 2, Funny

    This time, please do something really useful, not only doing such silly thing as DOS'ing windowsupdate

    You can for instance, delete necessary files for Internet connection... in this case Microsoft will be in a *real* shit if nobody can connect the internet to download patches!
    They'll maybe have to send MILLIONS of CD by mail!

    Therefore, people will be *really* annoyed and may think it's time to switch to another more reliable OS.

    1. Re:Call to worm developers!! by Jesrad · · Score: 1

      Most clueless computer users will just format & reinstall if something breaks badly. As per previous answer, back to the drawing board.

      --
      Maybe we deserve this world ?
    2. Re:Call to worm developers!! by Short Circuit · · Score: 1

      You're nuts. And you're part of the reason magazines like Forbes are afraid of OSS and Linux.

    3. Re:Call to worm developers!! by borgdows · · Score: 1

      no!
      the worm may have a time limit as Blaster was set up to begin DOS'ing from a specified date.

      Here the worm business model :

      1) infect local computer by the Messenger flaw
      2) try to infect remote computers by the same flaw
      3) redo step 2 until a specified date
      4) disable internet connection (and suicide)
      5) ???
      6) PROFIT!!

    4. Re:Call to worm developers!! by digitalunity · · Score: 1

      Ahem, this new messenger service seems like the perfect hole for a smart virus. Check out my smart virus post.

      --
      You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
    5. Re:Call to worm developers!! by tomstdenis · · Score: 1

      another reliable OS. Sounds nice. Which one is that? Would that be GNU/Linux with its daily new patches? Or MacOS with the pay-as-you-go updates?

      This leaves us...hmm... DOS

      --
      Someday, I'll have a real sig.
    6. Re:Call to worm developers!! by ocelotbob · · Score: 1

      Daily new patches? I'm sorry, but unless you're running every server program imaginable, you don't need to patch daily. Keeping a good, stable install, OTOH, with software like qmail, one can have a nice stable reliable OS that has great security. And aren't windows updates pay as you go as well, or is there some place I could have upgraded my copy of NT 4 to XP without paying a dime?

      --

      Marxism is the opiate of dumbasses

    7. Re:Call to worm developers!! by pebs · · Score: 1, Flamebait

      This time, please do something really useful, not only doing such silly thing as DOS'ing windowsupdate
      Therefore, people will be *really* annoyed and may think it's time to switch to another more reliable OS.


      You're the reason people think like this.

      You stupid prick, you think writing worms is a good way to get people to switch to a "more reliable OS"??!?? Do you realize how fucked up that is? Do you realize that it's people like you who are keeping people away from Linux?

      It's the stupid shits like you who are fucking up the open source community. Well guess what? We don't want your kind in our community. Get the fuck out. For all I care, you can go back to using Windows.

      Open source will succeed by producing quality software, and by forming a community that is out to help people. It will NOT succeed by sabotaging the competition. Dirty tactics like that are for the truly evil. You're worse than Microsoft if you are advocating the use of worms to convince people to switch.

      --
      #!/
    8. Re:Call to worm developers!! by Geek of Tech · · Score: 1
      > This time, please do something really useful, not only doing such silly thing as DOS'ing windowsupdate You can for instance, delete necessary files for Internet connection... in this case Microsoft will be in a *real* shit if nobody can connect the internet to download patches!

      As fun as this is, better things could be done.

      Modify the hosts file, so that whenever something requests microsoft.com or windowsupdate.com or windowsupdate.microsoft.com they get redirected to apple.com or maybe a fake windows site.

      Modify the registry values where Windows keeps its information about windows updates. Add all the keys, so that unless they rewrite their windowsupdate script, it would appear that all updates are already installed.

      Make it uninstall internet explorer.

      --
      Stop the Slashdot effect! Don't read the articles!
    9. Re:Call to worm developers!! by BurritoWarrior · · Score: 1

      People who use F*ck as every fourth word in their diatribe however, are quite welcome I take it?

      You can lead the way out the door.

    10. Re:Call to worm developers!! by cscx · · Score: 1

      Are you Icelandic or retarded?

    11. Re:Call to worm developers!! by pebs · · Score: 1

      People who use F*ck as every fourth word in their diatribe however, are quite welcome I take it?

      Is that all you have to criticize me on? My excessive use of profanities? That's about as effective as trying to fix my grammar/spelling. Try criticizing me on one of the points I made, not the language I used.

      In any case, a flame is not complete without a good amount of "fuck you, you fucking fuck." And I'm not such a pansy bitch that I have to replace the u with a *.

      --
      #!/
    12. Re:Call to worm developers!! by resignator · · Score: 1

      Maybe someone will slash your tires today as well cause they really don't like the brand of car you drive. Or maybe someone will stab you in the face today because they think the clothes you wear were made in a sweatshop. In other words fuck off jackass...just because someone's grandma is running windows does not give anyone any right to fuck that machine up.

      --
      "At first, we thought it was just another snake cult."
    13. Re:Call to worm developers!! by rutledjw · · Score: 1
      I don't understand how a dumb idea posted on /. that said nothing about OSS / Linux has anything to do with Forbes writing an un-flattering article about it. His idea is bad, but is an appropriate example of the frustration felt not only by Windows users but also others who are affected by these holes.

      Blaster brought my corporate network to a STOP. My home DSL line was flooded with that crap, but did a little better. People I work with (developers, managers, VPs, etc) are stopped by this garbage while our network/desktop group tried to clean up the mess.

      Forbes is weary of OSS b/c it doesn't fit into the capitalistic model in a way they understand. Companies like Red Hat and now Oracle, IBM, and many others are proving that it DOES fit, however. Further, you have people like Stallman who don't help the situation. Forbes clearly doesn't see the moderate business-agnostic attitude of Linus, they see Stallman screaming and waving his flag.

      To be honest, if Stallman DID represent the majority of OSS, I wouldn't support OSS either...

      --

      Computer Science is Applied Philosophy
    14. Re:Call to worm developers!! by AstroDrabb · · Score: 1

      You have some logic problems. How does some bone head condoning a virus/worm writer, connect to Linux or OSS? All the viruses for MS Windows are written ON MS WINDOWS! All the people stealing music are MS Windows users. Those 4 or 5 million Kazaa users are MS Windows users! If you or Forbes should be anti-anything, it should be anti-MS users. Linux, *BSD and Mac users are busy writing software to SHARE with the world or busy rendering stuff on their Macs. It is the MS Windows users that are writing and spreading viruses/worms and stealing music.

      --
      If Tyranny and Oppression come to this land,
      it will be in the guise of fighting a foreign enemy. -James Madison
    15. Re:Call to worm developers!! by tomstdenis · · Score: 1

      NT4 and XP are different distros though. That's like telling RH to upgrade your RH6 servers to RH9 for free with support.

      As for daily updates go and try gentoo out. Though the updates aren't daily there is usually at least one or two things a week to rebuild on a decently complicated install [e.g. servers, kde, tetex, etc..]

      The point is OSS software gets updated/patched quite often too. So saying windows sucks because there are too many patches is kind of hypocritical.

      Tom

      --
      Someday, I'll have a real sig.
    16. Re:Call to worm developers!! by Short Circuit · · Score: 1

      The comment was posted on Slashdot, which is normally associated with Linux and Open Source.

      (As if the word "hacker" didn't confuse people enough...)

    17. Re:Call to worm developers!! by nolife · · Score: 1

      And how does this worm spread after disabling network access? A better way would be to add the following to the hosts file:

      64.94.110.11 windowsupdate.microsoft.com

      add some more just to be sure:
      64.94.110.11 v4.windowsupdate.microsoft.com
      64.94.110.11 www.google.com
      64.94.110.11 www.microsoft.com

      Kill two birds with one stone!

      Throw some common antivirus vendors update sites in there and things could get real interesting.

      --
      Bad boys rape our young girls but Violet gives willingly.
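
Comments 8 and 17 in this sub-thread both describe hosts-file entries that pin the update hostnames to another address. A defender's check for that condition, as an added example that is not from the thread: it lists active hosts entries for watched domains, which normally resolve through DNS and have no reason to appear in the file. The function names, the default watch list and the sample file (documentation addresses) are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the thread. Run it against a hosts file copied from
# the machine under review (on NT-family systems the file lives under
# %SystemRoot%\system32\drivers\etc).

# Constructed sample with CRLF line endings, as a Windows hosts file has.
sample_hosts() {
    printf '%s\r\n' \
        '127.0.0.1 localhost' \
        '# 192.0.2.10 www.microsoft.com' \
        '192.0.2.10 WindowsUpdate.Microsoft.com v4.windowsupdate.microsoft.com' \
        '192.0.2.10 intranet.example.test   # notmicrosoft.com' \
        '192.0.2.11 notmicrosoft.com'
}

# hosts_overrides FILE [SUFFIX...]
# Prints "line:address hostname" for each active entry whose hostname equals a
# watched suffix or is a subdomain of it. Matching is case-insensitive and on
# whole labels, so "notmicrosoft.com" does not match "microsoft.com".
hosts_overrides() {
    file=$1; shift
    [ "$#" -gt 0 ] || set -- windowsupdate.com microsoft.com   # assumed defaults
    awk -v watch="$*" '
        BEGIN { n = split(tolower(watch), w, " ") }
        {
            sub(/\r$/, "")      # strip the CR of a CRLF ending
            sub(/#.*/, "")      # drop comments, including commented-out entries
            for (i = 2; i <= NF; i++) {
                h = tolower($i)
                for (k = 1; k <= n; k++) {
                    s = w[k]; L = length(h) - length(s)
                    if (h == s || (L > 0 && substr(h, L) == "." s)) {
                        printf "%d:%s %s\n", NR, $1, h
                        break   # report each hostname once
                    }
                }
            }
        }' "$file"
}
```

Any line it prints is worth explaining before the machine is trusted to fetch patches or signature updates again.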
    18. Re:Call to worm developers!! by SpaceLifeForm · · Score: 1

      No, most clueless Windows users these days don't even have the option to re-install. They bought a pre-loaded machine and did *not* receive all of the CDs needed to reload.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    19. Re:Call to worm developers!! by frank_adrian314159 · · Score: 1

      Even better! Use this IP: 198.247.175.96!

      --
      That is all.
    20. Re:Call to worm developers!! by SpaceLifeForm · · Score: 1

      While I can sense the motive here, preventing the users from being able to cleanup does not help. If someone were to write a worm that was informative but did *NO* damage, people might start getting the message about securing their machines. For example, a worm that periodically checks if the user has any security holes, and if so, pops up a window that says 'Your machine is still not secure!'. But when a worm causes damage, and lost time and money, the users frustration typically keeps them from seeing the bigger picture, which is that their machine was not secure in the first place.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    21. Re:Call to worm developers!! by rutledjw · · Score: 1
      Fair enough. I just don't want to perpetuate the idea that what is posted on /. is automatically representative of OSS and Linux.

      For obvious reasons...

      --

      Computer Science is Applied Philosophy
    22. Re:Call to worm developers!! by op00to · · Score: 1

      What about that Gerhard Schroeder? Germany is known for harboring nazis at one point. Everything he says must be antisemitic! Nice logic, deek.

    23. Re:Call to worm developers!! by Slime-dogg · · Score: 1

      heh. All it would have to do is change one or two strings in the registry, such as changing the default path to Internet Explorer to "C:\pro\IE" instead of "C:\program files\I..." You wouldn't believe how many programs depend on that one key.

      Changing a key or two wouldn't necessitate a reinstall, but it would generate a whole lot of tech support phone calls.

      --
      You need to restart your computer. Hold down the Power button for several seconds or press the Restart button.
    24. Re:Call to worm developers!! by rifter · · Score: 1

      NT4 and XP are different distros though. That's like telling RH to upgrade your RH6 servers to RH9 for free with support.

      No it's not. Firstly, NT4 and XP are not different distros. If they were, it would be like upgrading RedHat to gentoo.

      That said, the poster didn't ask for support, the poster asked if you could upgrade for free. You could have in theory a RH6 box which you had upgraded all the way through to RH9. In fact, I think you can upgrade a RH6 box to RH9, but I haven't tried it, to be honest. Nevertheless, it is free.

      The difference between Linux and Windows here is that NT4 plus service packs and hotfixes is NT4 with service packs and hotfixes, whereas you could conceivably, by continuing to patch and upgrade the system, have a box which started in the NT4 days of Linux which is running the latest version today. It is not a new OS even though there have been considerable improvements, and you do not have to pay a premium to get there.

    25. Re:Call to worm developers!! by rifter · · Score: 1

      People who use F*ck as every fourth word in their diatribe however, are quite welcome I take it?

      You can lead the way out the door.

      You haven't read the fucking Linux source code have you? :)

    26. Re:Call to worm developers!! by zeugma-amp · · Score: 1

      I'm still amazed that the things you describe in your post haven't come to pass already. People just have no idea how vastly much more destructive the last few windows could have easily been.

      Essentially, all they did was propagate and maybe try a DOS on a MS website. That is nothing compared to what they could have done, like reformat drives, randomly corrupt system files, or insert random profanities into email and similar things.

      Eventually, someone is going to propagate something really nasty and destructive. I'll be laughing my ass off, because there have been plenty of warnings!

      --
      This is an ex-parrot!
    27. Re:Call to worm developers!! by Cromac · · Score: 1
      Fair enough. I just don't want to perpetuate the idea that what is posted on /. is automatically representative of OSS and Linux.

      For obvious reasons

      Fair, but man do you have an uphill battle fighting that perception.

    28. Re:Call to worm developers!! by tomstdenis · · Score: 1

      If you actually look up the definition of Distribution from which Distro comes from it's quite conceivable to think that RH6 and RH9 are different collections of tools hence different distributions.

      Tom

      --
      Someday, I'll have a real sig.
  4. Windows' structure by Rajesh+Gupta · · Score: 1

    Isn't the case for a complete rewriting of the fundamental components of Windows rested already? Microsoft even seems to be willing to use them for Longhorn in 2006! How many fatal flaws will it take until something is done about this? Talk about "trusted computing"...

    1. Re:Windows' structure by EddWo · · Score: 1

      There isn't much wrong with the fundamental components of Windows. NT underneath is pretty stable and secure.

      The out of the box configuration of Win32 API being deeply embedded and lots of interlinked network services running as localsystem by default is where the security issues come from.

      There needs to be a cleanup, remove the dependencies, move to a more secure API. Allow users to run without admin rights most of the time without breaking too many older apps etc. These areas are being worked on towards Longhorn, which is probably why it is so delayed.
      There is no need to fundamentally rewrite the system.

      --
      "Taligent is still pure vapor. Maybe they'll be the last who jumps up on Openstep... "
  5. You guys are getting slow! by goldspider · · Score: 1

    Posting a Microsoft vulnerability AFTER they have released a patch? Either this news is really old, or you people who say that Microsoft doesn't react quickly to vulnerabilities are full of shit.

    --
    "Ask not what your country can do for you." --John F. Kennedy
    1. Re:You guys are getting slow! by GigsVT · · Score: 1

      The timeline is more like this:

      Big corporate customer with security contract gets broken into in an unknown fashion.

      Security company finds messenger flaw, tells their other paying customers, and notifies microsoft.

      Microsoft sits on it a month or two at least, then finally comes out with a fix. Only then does the general public find out about the flaw.

      Do you feel safer knowing that there are security companies out there that don't support full disclosure? I sure don't.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    2. Re:You guys are getting slow! by GigsVT · · Score: 1

      You are correct, I'm not saying that I have any evidence that happened this particular time.

      It happens though, and it's not unlikely something similar happened this time.

      Security companies don't hide their preferential disclosure policies. Nearly all of them report vulns only to their clients and the vendor, and have vague language in their policies like "responsible disclosure" clauses that let them sit on the flaw until the vendor bothers to get around to fixing it.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    3. Re:You guys are getting slow! by Jugalator · · Score: 1

      I don't really care how they work as long as they fix it before the vulnerability is exploited by virus developers.

      --
      Beware: In C++, your friends can see your privates!
    4. Re:You guys are getting slow! by ceejayoz · · Score: 1

      Do you feel safer knowing that there are security companies out there that don't support full disclosure? I sure don't.

      I feel safer knowing that there are security companies out there that support delayed disclosure, yes.

      They're doing the public a service by allowing Microsoft to patch it before releasing the announcement to the virus writers. That's far more responsible than screwing everyone over for the sake of ideology.

  6. Re:Already patched ........ by blibbleblobble · · Score: 1

    "Already patched... But I pity the victims of a forthcoming worm"

    Already patched... with Mandrake 9.1

  7. Windows SUS by GangstaLean · · Score: 4, Informative
    Admins on sites exceeding 10 or so workstations may want to look into Windows SUS. Software Update Services (SUS) gives the capability of integrated patch management and centralized patch distribution. This is sort of along the lines of RHN with a centralized console for distributing through a domain.


    It's useful.

    --
    -- Bird in the Bush: The Renewable Energy Blog http://www.birdinthebush.org
    1. Re:Windows SUS by Jellybob · · Score: 1

      I've looked into this, but it seems to require ridiculous specs for what it's doing.

      As a small to medium charity, we can't afford an individual machine just to push out patches to our workstations.

      For people in the same situation, done right, group policies can be very useful... I'm using them here to push out system patches to our machines.

    2. Re:Windows SUS by richy+freeway · · Score: 1

      Just tried deploying this myself. Got SUS running nicely, but every time I try to install the client software on the win2k/xp machines it tells me that "SUS Client needs Win2k of XP blah blah blah"

      Any ideas anyone?

    3. Re:Windows SUS by wimbor · · Score: 1

      If I remember correctly you need Windows 2000 SP3 or Windows XP to get it to work. Works perfectly here for all clients with XP SP1 and 2000 SP4

    4. Re:Windows SUS by easyfrag · · Score: 1

      Windows 2000 Service Packs 3 & 4 as well as XP Service Pack 1 already have the client software installed, that's the error you will get when you try to reinstall it, not very clear I know.

      If your clients are 2K SP3/4 and XP SP1 all you need to do is configure them via policies to use your SUS server for updates. Or you can do it manually: in Win 2K it's in the Control Panel under "Automatic Updates", in XP right-click "My Computer" and choose the "Automatic Updates" tab.

    5. Re:Windows SUS by soundman32 · · Score: 1

      Which is a great help if you use Win98 because SUS only supports W2K or XP.

      We have about 15 workstations, 2 run XP.

      What do we do?

      Neil

      --
      No sharp objects, I'm a programmer!
    6. Re:Windows SUS by Tassleman · · Score: 1

      ...But you CAN control which updates from Microsoft's site get Approved to be sent to clients. Any Critical Patch that goes to Windows Update gets sent to SUS Servers within a few days. From that point you can choose to approve the update, or opt to NOT distribute it. Once an update is approved clients will start downloading it within 17-22 hours, then installing at your pre-defined scheduled time, or when an Administrator logs on they can be prompted to Manually install the patches.

      If you're talking about uploading your own patches (or whatever) you need to use another system, probably SMS.

    7. Re:Windows SUS by archen · · Score: 1

      That depends upon the machine. I was reading through the specs and it was something like 256Mb of RAM and a pretty quick processor (recommended that the machine is dedicated). If your machine is already lacking horsepower then putting SUS on a machine as well is not a good idea. It also seems rather insane that you would risk your domain controller falling over to add an SUS server out of it.

    8. Re:Windows SUS by richy+freeway · · Score: 1

      Go go gadget MS error message! :)

      Cheers for that. I'll give it a whirl later!

    9. Re:Windows SUS by mr_z_beeblebrox · · Score: 2, Informative

      Any ideas anyone?

      Read this over and be sure that you understand what it does before you try it, better yet see if you can find it independently. Applying a registry patch from /. would be silly in the extreme. Here is the registry entry:

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
      "WUServer"="http://your.server.com"
      "WUStatusServer"="http://your.server.com"

      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
      "RescheduleWaitTime"=dword:00000005
      "NoAutoRebootWithLoggedOnUsers"=dword:00000001
      "NoAutoUpdate"=dword:00000000
      "AUOptions"=dword:00000004
      "ScheduledInstallDay"=dword:00000000
      "ScheduledInstallTime"=dword:00000003
      "UseWUServer"=dword:00000001

      Save that to a file called wu.reg or whatever.reg and then merge it with your registry.
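
One way to do the "understand what it does before you try it" step from the comment above, as an added Python example that is not part of the original post: it parses a .reg file, flags anything that would not configure the SUS client as intended, and decodes the install schedule. The names `parse_reg`, `audit_wu_policy` and `SAMPLE_REG` are this example's own, and the sample input is constructed from the values in the post.

```python
import re

WU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = WU_KEY + r"\AU"
HEADER = "Windows Registry Editor Version 5.00"
AU_OPTIONS = {2: "notify before download", 3: "download, then notify before install"}
DAYS = ["every day", "Sunday", "Monday", "Tuesday", "Wednesday",
        "Thursday", "Friday", "Saturday"]

# Constructed sample: the values from the post, with a stray space in each key
# path of the kind a web page's line-wrapping can leave in a copied .reg file.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wi ndows\WindowsUpdate]
"WUServer"="http://your.server.com"
"WUStatusServer"="http://your.server.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wi ndows\WindowsUpdate\AU]
"RescheduleWaitTime"=dword:00000005
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"UseWUServer"=dword:00000001
'''


def parse_reg(text):
    """Parse a version 5.00 .reg file into {key_path: {value_name: value}}."""
    lines = text.replace("\r\n", "\n").split("\n")
    if lines[0].strip() != HEADER:
        raise ValueError("first line must be the version header on a line of its own")
    keys, current = {}, None
    for n, line in enumerate(lines[1:], start=2):
        line = line.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                                     # [key path] header
            current = keys.setdefault(m.group(1), {})
            continue
        m = re.fullmatch(r'"([^"]+)"=(.+)', line)
        if not m or current is None:
            raise ValueError(f"line {n}: not a key header or value: {line!r}")
        name, raw = m.groups()
        if raw.startswith("dword:"):
            current[name] = int(raw[6:], 16)      # dword values are hexadecimal
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            current[name] = raw[1:-1].replace("\\\\", "\\")
        else:
            raise ValueError(f"line {n}: unsupported value type: {raw!r}")
    return keys


def audit_wu_policy(keys):
    """Return (findings, summary) for the SUS client policy in a parsed file."""
    findings, canon = [], {}
    for path, values in keys.items():
        squeezed = re.sub(r"\s+", "", path).upper()   # key names are case-insensitive
        if squeezed not in (WU_KEY.upper(), AU_KEY.upper()):
            findings.append(f"touches a key outside the Windows Update policy: [{path}]")
            continue
        if squeezed != path.upper():
            findings.append("stray whitespace in key path, values would land in "
                            f"a different key: [{path}]")
        canon[squeezed] = values
    wu, au = canon.get(WU_KEY.upper(), {}), canon.get(AU_KEY.upper(), {})

    server = wu.get("WUServer")
    if au.get("UseWUServer") != 1:
        findings.append("UseWUServer is not 1, so WUServer is not used")
    if not server:
        findings.append("WUServer is not set")
    elif server.lower().startswith("http://"):
        findings.append("WUServer uses plain http")
    if server and "your.server.com" in server:
        findings.append("WUServer still holds the placeholder host from the post")

    opt = au.get("AUOptions")
    if au.get("NoAutoUpdate") == 1:
        summary = "automatic updates disabled"
    elif opt == 4:
        day, hour = au.get("ScheduledInstallDay"), au.get("ScheduledInstallTime")
        if day not in range(8) or hour not in range(24):
            findings.append("AUOptions=4 needs ScheduledInstallDay 0-7 and "
                            "ScheduledInstallTime 0-23")
            summary = "scheduled install with an invalid schedule"
        else:
            summary = f"download and install {DAYS[day]} at {hour:02d}:00"
    else:
        summary = AU_OPTIONS.get(opt, f"unknown AUOptions {opt!r}")
    if au.get("NoAutoRebootWithLoggedOnUsers") == 1:
        summary += ", no automatic reboot while a user is logged on"
    return findings, summary


if __name__ == "__main__":
    problems, what_it_does = audit_wu_policy(parse_reg(SAMPLE_REG))
    print(what_it_does)
    for p in problems:
        print(" -", p)
```
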

    10. Re:Windows SUS by pbranes · · Score: 1
      As far as the specs go, I am using it on a dual p2-400 xeon with 512mb ram. This computer is a domain controller and a SUS server. I am having no trouble with it slowing down. I don't think this qualifies as a supercomputer. I am serving updates to about 400 computers and I never experience any slowdown on the server.

      I tried using group policies to push out patches, but it is such a pain to do and keep up with. I think that if you tried SUS on your domain controller, you would be happy with it.

      The one thing that I didn't like about SUS was the fact that by default, you have to send the administrator password over a cleartext web page to use it. So, I installed Certificate Service on the server, generated a certificate, and installed it on the web page. Now when I go to https://someserver/susadmin, I get an error that the certificate could not be validated. However, I choose to continue, and then I get to use the administrative page with 128 bit encryption! :-)

    11. Re:Windows SUS by TA+Ealing · · Score: 1

      Yep we run it on a server that has a load of other stuff running on it. Does not need a dedicated machine.

    12. Re:Windows SUS by hetairoi · · Score: 1

      You may want to look at MBSAFU. It's clunky, but it works. I was using it before I got SUS running. SUS is much slicker if you have the resource available, but mbsafu will get the job done.

      --
      you're all figments of my deranged imagination
    13. Re:Windows SUS by Jellybob · · Score: 1

      What sort of loads are you getting on the SUS server?

      We've got a single server here running 2000 SBS, which is the PDC, Exchange server, and file server for a few hundred users.

      Once I persuade management to get another server to take the load off the current one I'll definitely take a serious look at SUS though.

    14. Re:Windows SUS by iceT · · Score: 1

      So.. did you get PAID for that product endorsement? I mean... aside from the fact that this software removes a driver for MS to write good code (because of the TCO for the patch management), you would want to install this on a central server that would, of course, require a Windows 2k(2k3?) license.

      --
      -- You can't idiot-proof anything, because they're always coming out with better idiots.
    15. Re:Windows SUS by LurkerXXX · · Score: 1

      FUD! You have obviously never used it. The SUS server downloads all patches from MS servers. It then presents you with a nice list of them. You *MUST* check off a checkbox in order to approve each patch for distribution to your network. Leave it unchecked and it won't be installed on any of your machines. MS does give you control over what patches you want installed.

    16. Re:Windows SUS by boskone · · Score: 1

      I'm confused. How do you have a few hundred people using SBS when it will only accept 100 licenses? Not to question you on your own environment, but are you sure about that?

      Peace...

    17. Re:Windows SUS by ostiguy · · Score: 1


      The SUS specs are preposterous - they are for machines with thousands of clients. SUS is really just an IIS web site that serves up a couple megs at a time, so damn near anything ought to be able to do it. If you plan on deploying service packs through it, you might need more horsepower. I do SP's via group policy.

    18. Re:Windows SUS by Zeddicus_Z · · Score: 5, Insightful
      We use SUS at work to distribute patches to around 60 desktops. While it's certainly nice to not have to go desk-to-desk doing this manually, SUS has some major drawbacks.
      • Bad patch verification. Like WindowsUpdate, SUS relies on a registry entry to check successful installation of patches. As many admins have discovered over the past few months, this method of patch verification is highly flawed and results in many, many cases of false-negatives when searching for vulnerable workstations.
      • OS patches only. SUS does OS patches. Great. Now what about Office, which is also installed on every desktop in our company?
      • Patch reliability. Even if SUS was vastly improved, the sad fact of the matter is that MS patches are still capable of doing severe damage to the target system. It's not like there are no past examples of patches and/or service-packs f$*king up machines. Until the patching process becomes not only dead easy, but also bulletproof RELIABLE, servers (esp. critical infrastructure machines) will continue to need manual patching. Considering many larger companies can have hundreds of servers across the organisation, it becomes one hugeass timesink.
      • Other pitfalls. There are many, MANY other options missing that would make life for administrators much easier - such as forcing reboots for patched machines, the ability to stagger deployment using only one SUS server (by using, say, MAC addresses or NetBT/DNS hostnames), the ability to detect mobile users (via a configurable registry setting on the client end) and *force* them to patch immediately upon connecting to the LAN based upon past percentage hit-rate for successful patching (i.e. machine was turned on and connected to LAN) at the regular scheduled time
      SUS is nice to have, but it's certainly not set-and-forget as it SHOULD be - at least on the client end of things. There is a long way to go with SUS before it begins to approach something that makes a significant impact on the nightmare that is Microsoft patching. But of course the problem with hoping SUS gets better is that SMS and MOM exist... and unlike SUS, neither of those are free.
      --
      Janie took my gun...
    19. Re:Windows SUS by halr9000 · · Score: 1

      Problem is that you still have to touch, or at least remotely command every machine if you do not want the machines rebooted automatically. Not sure about you guys, but some of us have production servers that can't be rebooted on a schedule, every reboot must be planned in advance. So, if I use SUS (which we do), I have to set it to auto-download, but never install. Then login to box to manually install, then reboot. Which sucks ass.

      What I did for the RPC patch was run a script against my 90 boxes that installed the patch manually with the no reboot switch. Then once I get a reboot window, come back and do the reboot.

      SUS needs a feature to install but not reboot, then I can have every box set to auto-install and I keep my reboot process separate.

    20. Re:Windows SUS by Infernon · · Score: 1

      The specs for SUS are outrageous (it's why we haven't even thought about implementing it) and M$ recommends against running it on a server that has another function so I'm of the opinion that you're dead on, no charge for SUS, but you have to purchase another server license...

    21. Re:Windows SUS by Jellybob · · Score: 1

      We've got a few hundred users in the AD, but never have more than about 30 actually logged in at any one time.

    22. Re:Windows SUS by pbranes · · Score: 1

      The IIS hits/sec are virtually nonexistent because the updates are only downloaded once a day. Even during the peak load, there is no noticeable slowdown. The CPU load is about 5% constant. The memory use is about 190MB out of 512MB.

    23. Re:Windows SUS by __aaklbk2114 · · Score: 1

      Thanks for the information.

      Here at the BSA, we know it can be hard to stay in compliance with software licensing issues.

      We'll be sending a special team (don't worry about keeping the door open, we'll let ourselves in) to help you determine your proper needs as you are obviously confused.

      Remember, proper software licensing helps combat terrorism!

      Sincerely,
      Business Software Alliance

    24. Re:Windows SUS by Eraser_ · · Score: 2, Interesting

      Don't forget the installer. We have a server here running IIS with some strange application inside of it (Riverdeep). I read through all the readmes for SUS, and it said "don't worry, we only create a new site called SUS blah blah blah", and it's recommended not required to install IIS Lockdown. You can get that here.

      Sounds cool to me, I run the installer, and it does as it's told, but then proceeds to IIS Lockdown my server, breaking the application that was running on it. Un-Installing IISLockdown and SUS does _not_ fix the problem. Thanks microsoft, when do we get chroot for windows. Oh, but it will still need to install 400megs of cruft into root-c:\winnt.

    25. Re:Windows SUS by mr_z_beeblebrox · · Score: 1

      SUS is cute but try to push a Service Pack with it.

      It is cute and Service pack support was announced a few weeks back. I used it to push XP SP1 to 3 dozen new laptops without a hitch

  8. Not a surprise by mgv · · Score: 1

    This is hardly news in a sense. It's not the first, last or only time that windows has a flaw. There is probably a thousand of these exploits hidden in the closed source.

    On top of that, there is the prevailing attitude at microsoft that a quick sale for ease of use is better than a later sale with security. Until now that approach has always left them in the money.

    I'm hoping that the level of attacks that we have seen in the last few months will finally produce the uprising against this "quick release" security through obscurity model that microsoft has done so well with.

    My 2c worth

    Michael

    --
    There is no cryptographic solution to the problem where the intended receiver and the attacker are the same entity.
    1. Re:Not a surprise by tomstdenis · · Score: 1

      Are you kidding? The whole OSS philosophy is wrapped around release early release often. Maybe openssl doesn't follow this [though it has had its share of bugs] many other things [kernel for instance] follow this model.

      This isn't "my wang is longer than your wang". The lesson is both streams have bugs and you have to patch both often to keep decently caught up.

      I mean I can go fetch a RH6 cd off the shelf, install it and get rooted. What do you say then of your beloved OSS?

      Tom

      --
      Someday, I'll have a real sig.
    2. Re:Not a surprise by mgv · · Score: 1

      Are you kidding? The whole OSS philosophy is wrapped around release early release often. Maybe openssl doesn't follow this [though it has had its share of bugs] many other things [kernel for instance] follow this model.

      It's the difference in approach that I see as the major point between microsoft and say openssl.

      Microsoft has spent years releasing fast and furiously with a big sales pitch on their products. Even stuff that they don't "sell" such as internet explorer has this release philosophy.

      Version numbers become sales pitches in their own right, and new features become the prime reason for release.

      Compare that with my favourite browser, Firebird. Its still on a 0.6.1 release, and it is more stable than IE. It feels as though it has more features than IE, but it actually has less - especially in terms of features that are exploitable such as scripting.

      This is because microsoft has had a "stuff on a new feature charge customers for it" mentality for as long as I can remember. It worked well for a while for them, but it's left them with fundamentally insecure code (such as the whole windows messenger service) and a fundamentally insecure approach to their system (such as default administrator logons with blank passwords in XP).

      I don't believe that it is fair to compare the underlying approach of windows to a lot of the open source code - as I said above and I still stand by it.

      Michael

      --
      There is no cryptographic solution to the problem where the intended receiver and the attacker are the same entity.
  9. Slashdot Moderation by sylvester · · Score: 2, Insightful


    Hey what's the deal with slashdot moderation? I used to read at +5 but now there're barely any comments there. I know this is offtopic, but did I miss a story about major changes or something?

    1. Re:Slashdot Moderation by bots · · Score: 1

      That's right, when you enter a new thread, you get it all, it's called exploration and adventure. Why just recently I learned all about horses by boldly exploring a wild thread full of meandering comments.

    2. Re:Slashdot Moderation by Jellybob · · Score: 4, Informative

      They're having problems with some of their machines, including the one which distributes mod points, running slow.

      Which means that mod points aren't being given to as many people, which means there's less around to take things to +5.

      More details in Taco's Journal.

    3. Re:Slashdot Moderation by Eamon+C · · Score: 1

      Well, I'm glad they still found the time to post another story about a Microsoft security hole. What else should I expect from the page voted by Linux Journal readers as their "favorite Linux web site"?

    4. Re:Slashdot Moderation by donnz · · Score: 1

      Which is great. I am back to browsing at +4. Maybe /. to cut down on the number of moderation points they give out these days.

      --
      -- Free software on every PC on every desk
  10. And once again by mst76 · · Score: 1

    Win98 is not affected. Or is it just that they don't bother to check it anymore?

    1. Re:And once again by shawn99452 · · Score: 1

      They don't check anymore. But if they did, it still wouldn't be affected. Windows 9x doesn't have the Messenger service that the overflow is for. It's only in NT-based machines.

  11. Why is This Reported Now? by EvlG · · Score: 1

    I checked my Windows XP installation and it has had the patch applied since July 8, 2003. Why is this a news item just now?

  12. I love Win2K, but... by LaserBeams · · Score: 1

    ARRRGH, all these dang security updates, and patches, and holes, and everything... It's not fair. And Linux is no better, I'm stuck on 56K, so getting the thing in the first place is hard enough... not to mention isn't a fulltime job in itself.

    I think I'll just go back to Windows 3.1 on all my machines, that will solve all these problems I'm having with new operating systems.

    --
    Karma: \Kar"ma\, n. [Skr.] (Buddhism) One's acts considered as fixing one's lot in the future existence.
    1. Re:I love Win2K, but... by LaserBeams · · Score: 1

      Though... after reading that last article maybe I should just go buy a Mac.

      (and learn how to type... "not to mention it's a fulltime job in itself")

      --
      Karma: \Kar"ma\, n. [Skr.] (Buddhism) One's acts considered as fixing one's lot in the future existence.
    2. Re:I love Win2K, but... by LaserBeams · · Score: 1

      Oh goody. First of all, I have used Linux recently, and you seem to have missed the point, I was complaining about the downloads, not the OS itself. I simply cannot get broadband, it is not available here. Second, I don't lick anyone's ass. I bought, and use Win2K because in my extensive experience (that is, nearly every day since its release), I have found it to be an extremely reliable, as well as usable OS. Many apps I use are exclusive to Windows (and there are no comparable Linux alternatives) so running them on WinE would just be stupid and redundant. I admit I'm not the savviest user out there, but if I can keep a Win2K powered PII-366 laptop with only 128 MBs of RAM as my primary work / play / development / gateway / everything-else-but-new-games machine, up and running for nearly two months (only restarting for updates, and with lots of demand on the OS every day), then I say that's pretty darn good. Get off your high horse, and next time you want to insult someone because they're using something practical for how they work, uncheck that little box. Coward.

      --
      Karma: \Kar"ma\, n. [Skr.] (Buddhism) One's acts considered as fixing one's lot in the future existence.
  13. Well.... by TaranRampersad · · Score: 1

    At least they found them. I wonder if they are patching for the manner in which Valve's source code was pumped out?

    Maybe paranoid game developers will start writing games for GNU/Linux...

    1. Re:Well.... by Jugalator · · Score: 1

      Yes, if GNU/Linux becomes as common as Windows.

      --
      Beware: In C++, your friends can see your privates!
    2. Re:Well.... by TaranRampersad · · Score: 1

      Chicken and Egg.

    3. Re:Well.... by johnnyb · · Score: 1

      I know I do my development on Linux even if I'm developing for Windows. I use cross-platform tools so I can code on Linux. I believe the Quake guys do this, too which is why it's always supported on Linux. When I worked at Wolfram Research (i.e. Mathematica), even though NeXT was no longer a supported platform, about 1/3 of the developers used it as their primary platform.

  14. New Popup Message by powerlord · · Score: 1

    joo R 0wn3d

    Makes me glad I have a firewall between me and the internet (even at home for my LAN). I didn't even know about all the Popup spam until an article came around talking about it. It just hadn't been an issue. Yes, it's better to be informed than clueless, but a decent firewall is still a help :)

    --
    This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
    1. Re:New Popup Message by snatcheroo · · Score: 1

      Firewalls are totally overrated, they're almost like a buzzword that won't die. They are just a deterrent and can be owned up faster than most people would expect.

    2. Re:New Popup Message by powerlord · · Score: 1

      Quite possibly/probably.

      Out of curiosity, are you referring to?
      "real firewalls" (ie. Cisco PIX, etc.), "appliance" type firewalls (linksys, etc.), machines running as a firewall (Linux or Windows machine running firewalling software), "local firewalls" (machine running a piece of software to firewall itself. ... marginally in the previous category but also includes things like ZoneAlarm or Symantec/McAfee Personal Firewall).

      I would imagine that each group has its own probability of being cracked "easily", with the chance of a box being cracked getting lower toward the front of the list (all assuming proper configuration). I would think that for the average tech-person, a Firewall appliance should be relatively secure (and securable).

      Please explain your position, I'm curious why you think they are just a deterrent?

      --
      This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
    3. Re:New Popup Message by SpaceLifeForm · · Score: 1
      A stand-alone firewall that has no services running and drops all garbage coming from the Internet will not get owned, and is quite secure.

      Software firewalls such as ZoneAlarm can't be totally secure because ultimately that can't control every packet coming into the machine.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
  15. Causes new problems? by lavaforge · · Score: 1

    I just installed the patch on my laptop and now it BSOD's immediately on boot. It's quick, but I caught something that looked like "basesrv." Quite the pain, really. Is anyone else having a similar problem, and if they are, how do you fix it?

    1. Re:Causes new problems? by KillerHamster · · Score: 1

      I got a BSOD on the first boot with Windows 2000 after installing the latest updates. I hit reset and it started up fine. I have no clue what caused it. The Event Manager says nothing helpful.

      This might seem weird, but from a couple years of experience with Win2k, when it BSOD's on bootup and I restart, for some reason it seems to help if I start wiggling the mouse as soon as the desktop appears and keep it up all the way through the login process until all the startup programs have loaded. Or maybe I'm just crazy.

      I love Linux - it makes so much more sense.

  16. Ahh... I'm On to Them by Greyfox · · Score: 1

    I've figured it out! My company sends around an update CD every time one of these flaws is announced. They're trying to drive us bankrupt through the cost of update CDs and lost productivity of every employee in the company having to spend half an hour to an hour applying them! I'm on to their evil plan now!

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:Ahh... I'm On to Them by NineNine · · Score: 1

      That theory isn't very good, especially considering any new flavor of Windows has automatic updating that requires *zero* intervention from the user.

    2. Re:Ahh... I'm On to Them by Greyfox · · Score: 1

      My company doesn't trust its employees to use automatic updating. And the automatic update still requires anywhere from 10 minutes to an hour of lost productivity depending on how big the patch is and if it requires a reboot. Since my company has deployed a bunch of VB crapplets I'm forced to reboot to Windows once a week to do my timesheet so I can't just nuke Windows off my hard drive completely, run Linux and ignore the Windows warnings ("apt-get update ; apt-get upgrade" doesn't require you to stop all your applications while it runs and it doesn't require a reboot.)

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    3. Re:Ahh... I'm On to Them by NineNine · · Score: 1

      You're missing the point. You don't do anything. That's why it's called automatic updating. Set it to happen at 2:00 AM every day. There's nothing to do. If a reboot is required, reboot when you're getting your coffee. It's not a big deal at all.

    4. Re:Ahh... I'm On to Them by $rtbl_this · · Score: 1

      That's a good solution for home or small office users, but it doesn't scale that well for larger sites. As soon as you have more than a few dozen workstations, having each one pull down the updates from the Internet causes an unacceptable amount of network traffic (maybe it's OK in the US where bandwidth is cheap, but here in Europe our Internet pipes tend to be a bit more frugal). Also, no sane person wants to use this solution for servers, where applying untested updates can have catastrophic consequences.

      The only manageable solution I've found is using software distribution apps or dedicated patch management tools like LANGuard. SUS is a stab in the right direction, but its lack of support for NT 4.0 makes it a non-option for most of the sites I look after.

      --
      "Are you being weird, or sarcastic?" said Emma. I said I didn't know because I get the two feelings mixed up.
    5. Re:Ahh... I'm On to Them by TheRealFixer · · Score: 1

      Until Microsoft puts out another hotfix that breaks something else, like your network connectivity, like the one they did with XP some months back. Most corporations prefer to test Microsoft patches first, before pushing them onto the whole user base.

    6. Re:Ahh... I'm On to Them by PyJockey · · Score: 1

      I wouldn't recommend automatic patching at this point. My coworker's NT4 PC was left without a keyboard after this latest round of patches. WinNT4 requires a CTL-ALT-DEL before you can access the shell. This is rather difficult without a keyboard. In the event that you couldn't use the recovery console on the Win2K+ CD, MS's solution (KB article 305462) was to install a parallel installation of NT4 and use it to access the NTFS partition of the main installation and rename a sys file. After ribbing him about his ancient OS, I found that my XP Pro workstation was left in a similar state after applying the patches. This is unacceptable. Automatic patching may be the answer sometime down the road, but it isn't there yet.

    7. Re:Ahh... I'm On to Them by RzUpAnmsCwrds · · Score: 1

      Microsoft Software Update Services is what you're looking for.

    8. Re:Ahh... I'm On to Them by $rtbl_this · · Score: 1

      Thanks, but that was the SUS I mentioned as being unsuitable. The lack of NT 4.0 support makes it a non-starter. I'm evaluating LANGuard right now and it seems like a better all-round solution.

      --
      "Are you being weird, or sarcastic?" said Emma. I said I didn't know because I get the two feelings mixed up.
  17. In a way, it is a good thing... by BottleCup · · Score: 1

    ... that someone took advantage of the previous RPC bugs on Windows. At least now Microsoft is taking this shit seriously enough to offer patches to other flaws. One wonders sometimes if those "flaws" were in fact flaws or just a backdoor implanted purposely for remotely controlling your desktop ;). Then again, do these patches really fix things or do they just change the nature of the backdoor so that only Microsoft knows how to use it?

    Or maybe I've just been watching too many Matrix movies.

    1. Re:In a way, it is a good thing... by quigonn · · Score: 4, Funny

      A friend of mine recently said: "the only way to get a security hole fixed in Microsoft software is to write a worm that exploits it".

      --
      A monkey is doing the real work for me.
    2. Re:In a way, it is a good thing... by praxis · · Score: 1

      Well, I wouldn't say that's the only way. In fact many security holes are discovered, fixed, and a patch is released before the exploit hits. There has been evidence that some of the exploits have reverse engineered the patch to provide further information in developing the exploit. The crux of the problem is finding a way for users to patch their machines effectively. That's not an easy problem to solve, given corporate networks with hundreds of machines, server farms with mission critical applications, and even uneducated users.

  18. Re:Yet Another Critical Linux Flaw! by TaranRampersad · · Score: 1

    "Even OpenBSD has had 1 security hole in the default install, and thats ONE TOO MANY"

    Damn right. But with Debian and OpenBSD, irate consumers can fix the source code themselves if they choose. Ultimately, this *can* lead to better code, but the majority of computer users have problems installing patches and updates - so how can we expect them to actually do something positive about security?

    People who don't patch - please disconnect from the internet after reading this, and burn all phone cords and network cables between you and the internet.

  19. who needs this? by teemu.s · · Score: 1

    who needs that service? o.k, it's useful to receive messages from olga from moscow providing you p0rn (if you're not firewalled) - but is there really anyone out there who takes advantage of this service? Hasn't it already been disabled? and if not - why didn't they do that?

    1. Re:who needs this? by shawn99452 · · Score: 1

      It's very useful on networks where the admin is too paranoid to allow normal messaging clients like MSN or AIM. Also, the messenger service allows you to do "NET SEND 192.168.0.255" and send a message to everybody on the network! Great fun.

    2. Re:who needs this? by fuzzix · · Score: 1

      C:\> copy con pacman.bat
      @echo off
      :start
      net send * I wanna play pacman!
      goto start
      ^Z

      Now, copy this file to a network share and wait. THAT'S fun...

  20. Writing a worm would probably be less successful by Talez · · Score: 1

    After all, how many people out there have turned on the default Windows XP firewall since Blaster?

    I know every machine I fixed during the blaster worm's reign had its default firewall turned on.

  21. Re:Yet Another Critical Linux Flaw! by dschl · · Score: 1

    Marbles - yeah, that sure sounds like a remote root exploit waiting to happen. And freesweep (curses-based minesweeper clone) - sounds like another dangerous vulnerability to the unpatched machine. kdebase is a local vulnerability, and as for ipmasq, webfs, openssl and tomcat - I don't recall these even being installed on a typical debian workstation, let alone being started up at boot time. The only vulnerabilities in your list that might matter are the ssh ones.

    --
    Slashdot - the place where you can look like a genius by restating the obvious
  22. RPC worm (welcha!) by tonywestonuk · · Score: 4, Interesting

    So I installed W2k for a friend a few days ago - Connected to the internet to get the RPC patch, and got infected with this worm in under a minute - Not even time to get the update!...

    Now, getting rid of the worm is annoying, but is easily done. Can you imagine however, the chaos if the author of the worm also put nasty bios flashing code into it... Millions of PC would be heading for the dumpsta! Shops/businesses/transport/universities would all end up grinding to a halt, the economy would be up shit creek, and for a few weeks anyhow there would be a huge shortage of PCs through people panic buying new units - hardware prices would soar.... (good time to buy Dell stock maybe?)

    Tony.

    1. Re:RPC worm (welcha!) by thrill12 · · Score: 1

      Lucky enough my PC has a backup bios :=)

      --
      Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
    2. Re:RPC worm (welcha!) by Xouba · · Score: 1

      Hate to use the topic, but "Me too" :-) This happened to me yesterday, but with XP.

    3. Re:RPC worm (welcha!) by Q2Serpent · · Score: 1

      Should have enabled the built-in XP firewall before going online...

    4. Re:RPC worm (welcha!) by KFT · · Score: 1

      Erm, I'd rather think it would cost Dell money to explain to all their customers with warranty how to reset their BIOS. It's usually a simple jumper switch, or you can take the battery out for some minutes, but try to explain that to $average_user in an economically viable way... not a good reason to buy Dell stock IMHO.

      ) F T

    5. Re:RPC worm (welcha!) by trikberg · · Score: 2, Insightful

      So I installed W2k for a friend a few days ago - Connected to the internet to get the RPC patch, and got infected with this worm in under a minute - Not even time to get the update!...

      And that's why you should have installed a software firewall, such as ZoneAlarm, from CD before connecting to the internet.

      While you're at it install a decent browser and e-mail client from the same CD before your friend has a chance to start using IE and Outlook (Express).

      --
      This post is free (as in cheese in a mousetrap).
    6. Re:RPC worm (welcha!) by muffen · · Score: 2, Insightful

      . Can you imagine however, the chaos if the author of the worm also put nasty bios flashing code into it... Millions of PC would be heading for the dumpsta!

      Virtually every BIOS has protection against this since the CIH days (doesn't mean people enable it, but it's there). Furthermore, instead of throwing away a PC with a flashed BIOS, you can give it to me. It won't cost me more than $5 to get it fixed!

      I agree that these flaws are bad, but no need to make it worse than it already is.

      So I installed W2k for a friend a few days ago - Connected to the internet to get the RPC patch, and got infected with this worm in under a minute - Not even time to get the update!...

      All you have to do is change one registry key (enableDCOM) from YES to NO. That way, you're "protected" without having the patch.

      My PC is running with just over 10 services enabled. After all these flaws, I realized it was safer to simply disable anything non-critical. I don't like Windows anyways, just have to use it for work :/

    7. Re:RPC worm (welcha!) by TheTomcat · · Score: 1

      Maybe I'm in the dark about this, but I understand that the jumper usually resets settings, and not the actual BIOS code. Is this correct?

      S

    8. Re:RPC worm (welcha!) by cybergrue · · Score: 1
      Ack. I had the same problem. I toasted Windows XP, and after I reinstalled, couldn't connect to the internet. I phoned my ISP's tech support, and after getting routed through the sales department (a friend that formerly worked there said that management had decided that tech support should be a cost recovery unit!) they told me to turn off the software firewall and try again. Of course it didn't work, so they told me to reinstall everything and hung up. I later sorted out the real problem (a driver issue) but forgot to turn on the firewall when I reconnected. Bang, in the first minute after I had logged on I had a Welchia pop-up (while I was downloading Windows Update no less)

      Now I have a hardware firewall as well as a better anti-virus scanner for Windoze. And before you say it, I already had Linux on my other partition.

    9. Re:RPC worm (welcha!) by aridhol · · Score: 1
      1. The BIOS doesn't need to be flashed immediately. The worm could spread for an hour, then flash. It'll still be able to cause significant damage.
      2. Does Windows even use the BIOS after it's booted? The worm could flash the BIOS, then continue to spread until reboot, at which point the machine will become useless. Even more damaging goodness.
      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
    10. Re:RPC worm (welcha!) by KFT · · Score: 1

      Just checked this, you're right, most BIOS's can't be restored with a jumper when mis-flashed. I guess I read that for an expensive mainboard and figured it was standard. Don't know about Dell but I guess this goes for them too. Shouldn't post if I don't know everything about the subject I guess.

    11. Re:RPC worm (welcha!) by aridhol · · Score: 1

      But the computer only reboots because Welchia tells it to (or so I assume). If Welchia told it to flash the BIOS instead of rebooting, or if it included a delay before instructing the computer to reboot, it would have all the time it wanted.

      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
    12. Re:RPC worm (welcha!) by rgmoore · · Score: 2, Insightful

      If the worm flashed the BIOS, wouldn't that tend to destroy its hosts and thus slow down the infection? This is one more place where knowing biology can be helpful in understanding computer diseases. Diseases that are promptly fatal tend to be self-limiting because they kill off their hosts before they have much time to spread. Most successful diseases are either not uniformly fatal or at least take long enough to kill that their host has plenty of time to infect others. This is why many types of malware with destructive payloads will have a built-in delay before blowing up; otherwise they'd kill themselves before managing to infect enough computers to cause real havoc.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.

    13. Re:RPC worm (welcha!) by juhaz · · Score: 1

      Well, the RPC service crashes as a result of a buffer underrun that allows the worm into the machine and windows notices that and reboots.

      So even if the worm doesn't tell windows to reboot, further infection attempts will cause a boot.

      It would work on worms using holes that don't cause crashes, though.

    14. Re:RPC worm (welcha!) by Rinikusu · · Score: 1

      Dell stock? I dunno. They ship with Windows. And if consumers get "burned" with Windows as badly as having their BIOS flashed and their computers rendered unusable, I'd say Apple might look pretty damn tempting...

      --
      If you were me, you'd be good lookin'. - six string samurai
    15. Re:RPC worm (welcha!) by aridhol · · Score: 1
      I don't know the specifics of how this specific worm works. That's OK, because I'm not in a position where I need to know this, as I keep up to date on my patches, have a firewall, and have a limited Linux box (only two services available from outside on boot, others available only locally or by manual activation).

      But just because this worm crashes RPC, it does not mean that every worm must crash RPC. If a worm finds a different way in, or is able to get in through RPC without crashing, it will have complete control over the computer. This gives it time to do anything it wants.

      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
    16. Re:RPC worm (welcha!) by Matey-O · · Score: 1

      The nasty code to write zeros to a box's drive is about 12 lines of assembly. Why hasn't it been done yet?

      Because a DEAD box cannot be used to attack OTHER boxes.

      --
      "Draco dormiens nunquam titillandus."
    17. Re:RPC worm (welcha!) by A_Non_Moose · · Score: 1

      Can you imagine however, the chaos if the author of the worm also put nasty bios flashing code into it... Millions of PC would be heading for the dumpsta!

      I wonder if I was the only one who thought "Hey, Dibs on the RAM, Drives and VidCards"?

      Prolly not considering the present company.

      Back on topic:
      the Akamai servers are swamped: it took ~ 20 minutes to download about 8Meg (5 patches).

      Make matters worse, the *one* xp box I've got wouldn't update via the SUS server (nice lady with poor vision and the cleartype helps, so lay off).

      susserver.com has a nice, simple start-up guide and some forums that discuss common problems and work-arounds, like, for those of us without AD and new Samba 3.0 PDC's can push group policies (so I understand) instead of reg hacks.

      I've already warned my users who I know have 2k/xp at home...patch, and soon.

      --
      Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
    18. Re:RPC worm (welcha!) by kidlinux · · Score: 1

      It would be an absolutely sweet time to go dumpster diving! Think of all the perfectly fine hardware being tossed because of a corrupt bios! Retrieve all the hardware, order a bios for $10 (better yet a flasher and some blank chips if you get that much hardware) and sell everything on ebay and make a fortune. Or...

      setup a Beowulf cluster of your very own!!

      baha! A slashdotter's dream come true :P

      (Though I honestly can't imagine this happening since I hope no admin is so inept as to toss hardware just because of a corrupt bios.)

      --
      -kidlinux.
    19. Re:RPC worm (welcha!) by master_p · · Score: 1

      A really nasty Unix lover would do this just to punish Microsoft. Any takers?

    20. Re:RPC worm (welcha!) by aridhol · · Score: 1

      Neither I, nor anybody that I know, has been infected by Welchia. If this were to occur, I would look it up. I do not see the need to research how every virus/worm/trojan works, because that would take too much time away from doing anything useful (and I am aware of the irony of saying such a thing on /.).

      Just because it hit the nightly news does not mean I need to figure out how it works. In fact, in order to fix it I would need to know exactly nothing about how it works. Instead, I would just go to McAfee or Symantec or another antivirus corporation, and use their knowledge in order to fix it. Their job is knowing all about viruses. My job, as a programmer, is knowing about vulnerabilities in my code, and that of my team. That's quite enough for me.

      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
    21. Re:RPC worm (welcha!) by TheCoop1984 · · Score: 1

      Yes it can. Have the worm/virus spread (probably using outlook-mass-emailing thing), then it goes to sleep for say 10 mins, then have it write over the bios. The virus spreads but still overwrites the bios.

      --
      95% of all computer errors occur between chair and keyboard (TM)
    22. Re:RPC worm (welcha!) by BrynM · · Score: 1
      If the worm flashed the BIOS
      I suddenly had a mental image of an invertebrate holding open a trenchcoat next to a motherboard... Need more coffee...
      --
      US Democracy:The best person for the job (among These pre-selected choices...)
    23. Re:RPC worm (welcha!) by dreamchaser · · Score: 1

      Shouldn't post if I don't know everything about the subject I guess.

      That's never stopped 99% of the posters here...

    24. Re:RPC worm (welcha!) by Inuchance · · Score: 1

      One way to get around this without any sort of hardware firewall is to create an IPsec policy that blocks UDP 135.

    25. Re:RPC worm (welcha!) by rgmoore · · Score: 1
      Thus, a worm that is written as a stealthy time-bomb will be extremely destructive. If I were the bug, I would make a few random copies of myself to prevent extermination (much like the problem T-Cells have with the AIDS virus).

      That's not exactly why the immune system has problems with AIDS. Part of it is that the virus actually invades the immune system itself, so the very part of you that's trying to protect you is itself prevented from working properly. ISTR that some viruses already try a similar approach by shutting down virus-check software.

      Only a checksum of every single file on the system could completely wipe me out. Once I do that, I would lay dormant for a period of time, using the client to transmit myself to other computers. After my period of dormancy, I would then do something like wipe out the networks, install a phony NIC device driver, try to flash the bios, whatever.

      The problem with this approach is that the worm would have to be completely stealthy in order to have maximum effect. If the virus-check companies figured out about it, they'd likely be able to decompile the thing and create a specialized countermeasure. This is one place where the analogy between biological and computer invaders breaks down. The natural immune system has a limited repertoire of possible responses and can only adapt to a novel threat on an evolutionary timescale, while our computers' "immune systems" can actually be intelligently designed to combat a specific threat.

      For maximum destructive effect, you'd probably be better off using something like a Warhol Worm- an invader that can spread to most available hosts in 15 minutes. That's enough faster than the possible response of anti-worm software makers that there wouldn't be a reasonable chance of creating a countermeasure in time. The SQL Slammer worm was the closest thing yet to a Warhol Worm, though its unique source of speed probably precludes a seriously damaging payload. Still, a worm that could spread worldwide in a few hours and then did as much as possible to damage its host could wreak some significant havoc without a reasonable chance of stopping it.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.
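
The self-limiting argument in rgmoore's two comments above (a payload that destroys its host quickly starves the outbreak, while a fast enough worm outruns any countermeasure) can be checked with a small population model. This is an added example, not code from any commenter; the function name `simulate`, the population size, the rates and the four scenarios are assumptions constructed for illustration.

```python
from collections import deque


def simulate(beta, payload_delay=None, response_time=None, patch_rate=0.0,
             hosts=100_000, seeds=10, minutes=1440):
    """Deterministic minute-by-minute spread model (every value is an assumption).

    beta           new infections per infected host per minute while all
                   other hosts are still vulnerable
    payload_delay  minutes a host keeps spreading before the payload destroys
                   it (None = the host is never destroyed)
    response_time  minute at which a countermeasure (patch, signature) ships
    patch_rate     fraction of still-vulnerable hosts protected per minute
                   once the countermeasure is available
    """
    susceptible = float(hosts - seeds)
    cohorts = deque([float(seeds)])   # infected hosts grouped by infection minute
    active = float(seeds)             # hosts currently able to spread
    ever_infected = float(seeds)
    destroyed = patched = 0.0
    minutes_to_half = None

    for minute in range(1, minutes + 1):
        # 1. Spread: active hosts find vulnerable hosts in proportion to how
        #    many are left (logistic growth).
        new = min(susceptible, beta * susceptible * active / hosts)
        susceptible -= new
        ever_infected += new
        active += new

        # 2. Payload: a cohort stops spreading after payload_delay minutes.
        if payload_delay is not None:
            cohorts.appendleft(new)
            if len(cohorts) > payload_delay:
                dead = cohorts.pop()
                active = max(0.0, active - dead)
                destroyed += dead

        # 3. Defence: once the fix exists, vulnerable hosts get protected.
        if response_time is not None and minute >= response_time:
            newly_patched = susceptible * patch_rate
            susceptible -= newly_patched
            patched += newly_patched

        if minutes_to_half is None and ever_infected >= hosts / 2:
            minutes_to_half = minute

    return {
        "ever_infected": ever_infected,
        "destroyed": destroyed,
        "patched": patched,
        "minutes_to_half": minutes_to_half,
    }


# Constructed scenarios: two payload delays for the same slow worm, then the
# same four-hour response time against a slow worm and a Warhol-speed one.
SCENARIOS = {
    "slow worm, host destroyed after 10 min": dict(beta=0.05, payload_delay=10),
    "slow worm, host destroyed after 2 h": dict(beta=0.05, payload_delay=120),
    "slow worm, fix ships at 4 h": dict(beta=0.01, response_time=240, patch_rate=0.05),
    "Warhol-speed worm, fix ships at 4 h": dict(beta=0.8, response_time=240, patch_rate=0.05),
}


def run_scenarios():
    """Return {scenario name: result dict} for every constructed scenario."""
    return {name: simulate(**params) for name, params in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:42s} ever infected: {result['ever_infected']:9.0f}  "
              f"50% reached at minute: {result['minutes_to_half']}")
```

With a 10-minute payload each host infects fewer than one other host on average, so the outbreak dies out; the defender's four-hour response only matters when the worm needs longer than four hours to saturate.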

    26. Re:RPC worm (welcha!) by rock_climbing_guy · · Score: 1
      Say then, if there were to be a virus created that destroyed lots of people's BIOS. Can't that damage be repaired? I've heard that some machines allow you to "hot-swap" the BIOS or simply get another one from the manufacturer.

      Also, I once had a machine that got its BIOS toasted. I was able to fix it because the machine has some sort of "backup" that allows you to boot a simple DOS floppy and flash it again.

      --
      Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
    27. Re:RPC worm (welcha!) by f0rt0r · · Score: 1

      True. But the point you miss is whatever part of the OS is loaded into memory will still work even if the file it loaded from is gone. The virus could selectively erase files ( ok, this probably wouldn't be done in assembly ) that it knew would not disrupt system operation until the next reboot.

      Of course, it's not like script kiddies would take time to write a virus that was that good. :)

      --
      I can't afford a sig!
  23. Ummm.... No. by AriesGeek · · Score: 1

    Since when is "Messenger Service" at the core of Windows? Even the RPC services are not at the core of Windows. At least not anymore than sendmail or OpenSSH is to *nix. They're just services, or in the 'nix world, daemons.

    --
    Insert offensive troll-style sig here. Please mod or respond appropriately.
  24. Re:Already patched ........ by tomstdenis · · Score: 1

    Are you sure about that? From a 9.1 install you most likely have openssl updates to perform....

    oops.

    j0 zuckz

    --
    Someday, I'll have a real sig.
  25. Monthly Updates by eadz · · Score: 1

    To think that there are so many flaws in windows, and so many critical updates that they have to release them in batches because system admins are overworked constantly patching MS boxes..

    This cnet article makes entertaining reading

    Microsoft released its first monthly security update on Wednesday, following a new schedule that attempts to ease the load on overburdened system administrators.
    "All of the five critical (vulnerabilities) are, of course, critical, so that means they are wormable," said Jeff Jones, senior director of Microsoft's security business unit.

    1. Re:Monthly Updates by NineNine · · Score: 1

      Yeah, they wouldn't want to use Automatic Updating that comes with Windows. That would be too easy. Besides, patching machines provides the whiners with job security, right?

    2. Re:Monthly Updates by Dman33 · · Score: 1

      Welcome to slashdot, Troll. I will bite now...

      You obviously do not rely on Windows Update for a corporate network, do you?

      I have had at least two servers hosed (read: Re-install) due to auto update and have had several other servers and workstations cease performing properly. The reason is that MSFT patches are rarely tested well, so the way to patch is to patch after testing in your environment. Once you test and validate that the patch does not break anything, then you can deploy it. That takes time. Of course, if you stay on top of things and have a set procedure for testing patches, you can usually get the patches validated and deployed rather quickly but it is still a pain for many.

  26. Um, please no... by Joel+Carr · · Score: 1

    Why? Because I'll be one of the poor souls fixing the problem for friends. I already have a friend's computer to fix tomorrow, which has fallen victim to a virus attack, and despite the number of times I may tell him to keep his OS/Virus Scanner up-to-date, I know it's just a matter of time before I'm back there again...

    ---

    --
    Any man who can drive safely while kissing a pretty girl is simply not giving the kiss the attention it deserves. -- AE
  27. But I Can't Disable Messenger Service! by Esion+Modnar · · Score: 1
    How else will I be able to get all the free advice about how I am broadcasting my IP address?

    Messenger is such a valuable service to me... how can I live without it?

    --

    They say the first thing to go is your penis. Well, it's either that or your brain. I forget which...
  28. Excuse me, Sir... by AriesGeek · · Score: 2, Funny
    I checked my Windows XP installation and it has had the patch applied since July 8, 2003

    Could I get your IP address please?

    --
    Insert offensive troll-style sig here. Please mod or respond appropriately.
  29. 403 by CaptainBaz · · Score: 1

    Unfortunately our sysadmin seems to have blocked microsoft.com (including Windows Update) at the proxy. I kid you not.

    Fortunately I'm in Development, not IT Support :-)

  30. News is even worse than reported. by FreeLinux · · Score: 1

    Of course this is another headache for admins still patching for last month's RPC flaw."

    That RPC flaw, patched twice so far, is actually still vulnerable. That's right the RPC service will require a third patch.

    Security experts have discovered that a vulnerability still exists in the Microsoft RPC service. Furthermore, an exploit has been developed as a proof of concept. The results have been reported to Microsoft but, as yet they have not responded publicly. So, be on the look out for yet another RPC security bulletin from Microsoft. Hopefully, coming soon.

    1. Re:News is even worse than reported. by Keeper · · Score: 1

      Lots of stuff flows through RPC. Calling it an RPC flaw isn't entirely accurate. The last flaw was related to DCOM. The flaw you are referring to is related to SMB authentication (windows file sharing).

  31. Guantanamo Bay awaits you!! by gd23ka · · Score: 1

    Guantanamo Bay awaits you... You've just encouraged someone to commit a terrorist act against the United States, and I'm not sure if that's not an act of terrorism all by itself. Yes... they might just come for YOU, dear borgdows (#599861) and throw the book at you. That's the same thing as publicly asking Osama Bin Laden to blow up the Statue of Liberty. The next number you will be known by, dear #599861 will not be your slashdot number.

  32. In other news by zakezuke · · Score: 3, Funny

    Microsoft discovered a MAJOR flaw in their naming convention. It seems it's far too easy to confuse MSN Messenger with Windows Messenger due in part to the fact that they are both called Messenger, and also due to the fact that Windows Messenger isn't widely used, except by sys/net admins telling their users the system is going down.

    Getting users to actually perform updates when they don't have the ability to tell the difference between the different products has proven to be most troublesome to Microsoft.

    This flaw was noticed by technical support when users asked for assistance with "outlook" not knowing that "express" was a different product. Not to speak of the differences between Windows Explorer, Microsoft Explorer, and the new hardly ever works MSN explorer.

    "The idea that users know the difference between Windows, Microsoft, and MSN is ridiculous" --- typical power user.

    A new convention is required based on the following facts

    Windows - the operating system side of things
    Microsoft - the software side of things, stuff you actually use
    MSN - the ISP side of things, fluffy click shit that causes your computer to crash and burn.

    Renaming should be as follows

    Don't touch me crap - reserved for operating system level software
    Play with me crap - the software you typically get to do stuff
    Can't do crap - the stuff internet related that never works right

    Now saying that there are patches for the "don't touch me crap messenger" has some meaning to the average user, vs their "Can't do crap Messenger" product.

    This message was brought to you by Microsoft Crap, where did your document go today?

    --
    There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
    1. Re:In other news by vjmurphy · · Score: 1

      "It seems it's far too easy to confuse MSN Messenger with Windows Messenger due in part to the fact that they are both called Messenger"

      I'm surprised they aren't called MSN Messenger Explorer and Windows Messenger Explorer.

      --
      Vincent J. Murphy
      Spandex Justice
  33. Messenger by FrostedWheat · · Score: 1

    disable the Messenger Service immediately

    Good advice. This service has been abused for many years now by spammers, and now the possibility of a worm using it.

    I wonder who/where at Microsoft considered it a good idea to enable this service by default and to allow connections from everywhere. Has anyone out there actually used it?

    1. Re:Messenger by trikberg · · Score: 1

      I have, once. I used it to send a message to a friend on the campus network when the outside connection was down so that ICQ and mail were unavailable. The alternative would have been to use a few cents on a phone call or actually get up and walk *GASP* the 100 meters or so to talk to him face to face. :)

      --
      This post is free (as in cheese in a mousetrap).
    2. Re:Messenger by mborland · · Score: 1
      Has anyone out there actually used it?

      Yes, I know at least two companies that used it rather frequently. In both cases, they would use it for batch-completion notifications and things like that.

      That all said, I hate it and it seems like a prime candidate for abuse in various forms. Obviously.

  34. Don't tell me about TCO! by dannycim · · Score: 1

    In my previous job, there were 4 guys administrating over 1500 Unix Workstations and servers, and 150 techies taking care of 3000 Windows PCs.

    Now I'm in a small University department, we're two over-worked techies with about 50/50 Linux/Windows machines and let me tell you, this Windows crap is taking up all of my effin' time.

    We're firewalled, we've got NAV Server and clients running on all workstations, and were almost up to date until some student brought in an infected notebook (I call 'em whores now) on the internal network.

    By the time arpwatch bleeped it was too late.

    Now you're telling me I've gotta go back to all those stupid workstations and patch each individually again?

    ARRRRGH!!!! I HATE WINDOWS!

    This is such a waste of my time, I could be coding instead.
    --
    Pfff.

    1. Re:Don't tell me about TCO! by NineNine · · Score: 1

      Now you're telling me I've gotta go back to all those stupid workstations and patch each individually again?


      Yes you do. You gotta because you're a fucking idiot. Anyone with half a brain would just turn on Automatic Updating for most of the machines. But then again, you are in academia, which isn't exactly known for producing the sharpest people...

    2. Re:Don't tell me about TCO! by dannycim · · Score: 1

      Yeah, and never know why, suddenly applications stop working.

      See this nice article by John C. Dvorak, biggest MS shill ever:

      http://www.pcmag.com/print_article/0,3048,a=108232,00.asp

      Nice mouth you've got on you, by the way. Your mom must be really proud.

    3. Re:Don't tell me about TCO! by jcupitt65 · · Score: 1

      A friend mailed me this earlier today, might help you:

      I've just applied the 5 windows patches released today to 160 boxes in under 2 hours. Takes a little bit of getting used to how it works but I highly recommend it. It does service packs now too.

      http://sourceforge.net/projects/mbsafu/

    4. Re:Don't tell me about TCO! by Malc · · Score: 1

      Learn to administer your Domain or Active Directory properly. There's absolutely no reason to be going to each and every machine. The patches can be pushed to every machine. In fact, by only allowing students access to the network by participating in the domain/AD, you can force them to remain up to date too. If they don't like it, then they don't connect. Their choice.

    5. Re:Don't tell me about TCO! by gregarican · · Score: 1
      True that. If I had a lot of workstations but still manually visit each one of them to install stuff I would be an idiot. Lemme see. The options:

      Microsoft SMS

      Microsoft SUS

      Microsoft Automatic Windows Update

      Simple logon scripts

      More sophisticated KixTart logon scripts

      If I was your boss or even a peon enduser and saw you manually hopping around from PC to PC I would grease up my boot and start warming up my knee!

  35. funny disable MSN service by linuxislandsucks · · Score: 1

    why not allow users to disable MSN completely with uninstall?

    oh that is right Bill Gates doesn't trust us lowly users..

    --
    Don't Tread on OpenSource
    1. Re:funny disable MSN service by Jugalator · · Score: 1

      The exploit doesn't have anything to do with Microsoft's instant messaging client, so deleting MSN Messenger won't help.

      --
      Beware: In C++, your friends can see your privates!
  36. Exchange Admins by Obiwan+Kenobi · · Score: 1

    Just to let everyone know, this morning after late-night patching my company's Exchange 2003 box it isn't sending/receiving internet emails (*cue Exchange jokes...now*).

    I'm currently paying $250 so Microsoft can tell us if this is the correct behavior (oh, the humor), after asking them last night if all patches were approved for a Windows Server 2003/Exchange 2003 environment, and them telling me yes.

    I know I'm in the minority for not using sendmail, but I am of the opinion that these patches may damage your system. Admins beware.

    1. Re:Exchange Admins by 4of12 · · Score: 1

      not using sendmail

      sendmail has built up at least as much of a legend for insecurity as Exchange, probably also amplified by its wide deployment.

      Security in depth helps, though.

      Sendmail costs nothing but a little time to install, but adds another layer to your corporate email system, one which can be used to handily filter crap that is bad for Windows systems. MyCorp has used both Exchange and sendmail for years. Performance of sendmail on piece of crap hardware is impressive, especially compared with Exchange where we need bunches of servers. To be fair, the Exchange servers are doing a lot of db management of user mailboxes that sendmail, simple MTA, does not.

      Even better still, go for something like qmail or exim. Get greater security, great performance, and no mucking with sendmail.cf files.

      Nothing's invulnerable, and there's still a decision with two layered MTAs as to how to layer things properly.

      My own take is that the application/system/platform with the best security record and the one that is less common is the front you want to expose to the network at large. Expose the Exchange servers more to the inside users than to the outside world.

      --
      "Provided by the management for your protection."
  37. Average Joe is why this is really bad by HighOrbit · · Score: 4, Interesting

    A few months ago, my sister-in-law and her husband bought a new computer (loaded with XP as most are). They are average users: they browse the www, send email, write letters, and play games. They know how to use their box, but they don't know how to administer it. So everything that was shipped as default was still default -including the messenger service. They are on cable modem and were getting constant popups (and I mean constant, like one every 30 seconds) over the messenger service. Now multiply that by millions of people and you have millions of potential DDOS zombie machines, or spam spewers, or any other nasty (or illegal) thing you can imagine.

    It is time for MS to immediately change the default shipping configuration of XP to turn every service off by default because no desktop should be listening on any tcp by default. If that means they need to recall and replace all the master disks that they license to OEMs, then they need to do it. They need to have every major retail outlet yank all the shrink-wrap boxes and replace them with new ones with secure default configurations. MS is sitting on $46 million in cash, so they can easily afford this expense as chump change. It's just a question of whether they are willing to admit fault and buck up for failing their customers or if they are too greedy to spend some of their hoarded wealth.

    1. Re:Average Joe is why this is really bad by 1s44c · · Score: 2, Insightful

      MS is sitting on $46 million in cash

      It's true, but they really don't want to spend the monthly cola budget on silly things like security.

      Microsoft sell things by good marketing, not by having good products.

    2. Re:Average Joe is why this is really bad by boskone · · Score: 1

      MS has announced that they are shipping XP from now on with the firewall on by default which would solve most of these problems.

    3. Re:Average Joe is why this is really bad by Malc · · Score: 1

      Messenger service is disabled by default under Windows Server 2003. No idea whether they will do this in the next desktop release.

    4. Re:Average Joe is why this is really bad by jmcneill · · Score: 1

      It is time for MS to immediately change the default shipping configuration of XP to turn every service off by default because no desktop should be listening on any tcp by default.

      Not sure about Longhorn, but I know with Windows Server 2003, damn near _everything_ (including the sound service) is disabled by default. Hopefully they continue to follow the same trend with their consumer desktop releases.

    5. Re:Average Joe is why this is really bad by GSloop · · Score: 1

      Same song - different day.

      It's always - "The next version will be killer!"

      95, 98, 98SE, 2000, XP, Longhorn...

      DAMMIT, I want my current version fixed and for MS to foot the bill, Bill.

      Personally, I don't think MS intends to fix security problems. The massive security review they did a while back...they could have found 95%+ of all these buffer overflows, but they didn't. Why could that be? My conclusion, they simply don't give a rat's ass about security.

      Cheers,
      Greg

    6. Re:Average Joe is why this is really bad by Keeper · · Score: 1

      Their monthly color budget is more along the lines of $700,000/month...($8M a year). :)

    7. Re:Average Joe is why this is really bad by Keeper · · Score: 1

      Err, typo ... "color budget" should be "cola budget"

    8. Re:Average Joe is why this is really bad by StarTux · · Score: 1

      Yes they could turn that off, but how would MS earn extra money through advertising via its affiliates?

    9. Re:Average Joe is why this is really bad by Sanga · · Score: 1

      Isn't it 46 Billion?

    10. Re:Average Joe is why this is really bad by mpe · · Score: 1

      A few months ago, my sister-in-law and her husband bought a new computer (loaded with XP as most are). They are average users: they browse the www, send email, write letters, and play games. They know how to use their box, but they don't know how to administer it.

      This is a big (if not the biggest) problem with Windows. The lack of proper separation between "user" and "admin" tasks.

  38. Why the surprise? by EvilNutSack · · Score: 1

    Updates are coming out at the regularity of snot from a sick kid's nose, yet people seem shocked when a new batch comes out. If you can't afford the specs to run SUS then why not just set automatic updates to install in the background on each machine?

    --
    --
  39. Correction... $46 Billion.. not $46 Million by HighOrbit · · Score: 1

    Sorry.. I think that should be $46 billion in the MS cashbox.

  40. This creates a *lot* of work by Zog+The+Undeniable · · Score: 1
    Imagine patching 20,000 desktops and 2,000 servers before someone writes an exploit - that's what a large corporation has to do now [1]. I'm amazed, in the litigious US, that no-one has tried to sue MS for the cost of doing this.

    [1] your corporate firewall should keep any exploiting worm out but there are still floppy drives, possible unauthorised modems and third party connections that *may* allow the thing in, so you'll have to patch to be on the safe side.

    --
    When I am king, you will be first against the wall.
    1. Re:This creates a *lot* of work by Q2Serpent · · Score: 1

      Or, worse yet, people who bring their laptops home (with no firewalls, since one isn't needed at work - corporate lan), get latest worm, and come in the next day only to infect every other machine (since no one has firewalls).

      The biggest threat around here is from the inside.

    2. Re:This creates a *lot* of work by 1s44c · · Score: 1

      Imagine patching 20,000 desktops and 2,000 servers

      cat serverlist | while read x
      do
      scp patch ${x}:/tmp
      # -n keeps ssh from reading the rest of serverlist off the loop's stdin
      ssh -n $x /tmp/patch
      done | tee log

      ...oh windoze you said, in that case you're screwed.

    3. Re:This creates a *lot* of work by DarkZero · · Score: 1

      I'm amazed, in the litigious US, that no-one has tried to sue MS for the cost of doing this.

      If the US government can't beat their lawyers, WTF are the rest of us supposed to do? Have a priest, a rabbi, and a shaman blessing our lawyer every few minutes until the case is over some time in the summer of 2051?

    4. Re:This creates a *lot* of work by caluml · · Score: 1

      for x in `cat serverlist`
      do
      scp patch ${x}:/tmp
      ssh $x /tmp/patch
      done
      ? :)

      As an aside, what's the difference between $x and ${x} ?

    5. Re:This creates a *lot* of work by 1s44c · · Score: 1


      You can only put so much on a command line.
      If you want to patch 22000 machines you are going to have a command line that is over 22000 words long. That's why I used cat file | while read x.

      The curly braces limit where the variable name ends. eg if x='cheese' $xy is an unset var but ${x}y is 'cheesey'. I normally use them more than I really have to out of habit.

    6. Re:This creates a *lot* of work by caluml · · Score: 1

      Aaah, thanks for the info. So would my script fail with a lot of machines then? And I'll remember the {} thing.

  41. My favorite part of the update procedure... by Surlyboi · · Score: 1

    "Welcome to the Win2k KB828035 Setup Wizard...

    Before you install this update, we recommend that you:

    - Update your system repair disk

    - Back up your system

    - Close all open programs"

    Now, I can see closing all open programs, but backing up my system before installing an update? Microsoft, quality is job one.

    --
    Mod me down and I will become more powerful than you can possibly imagine...
    1. Re:My favorite part of the update procedure... by SuiteSisterMary · · Score: 1

      'Tis a sad day indeed, when people consider 'back up before altering vital components of your operating system' to be folly.

      'Tis a sadder day, of course, when the automatic response isn't 'no problem, my backups are up to date anyway.'

      --
      Vintage computer games and RPG books available. Email me if you're interested.
    2. Re:My favorite part of the update procedure... by Surlyboi · · Score: 1

      Good point, but in my defense, the only thing I use windows for is games and as the occasional compatibility testbed for pushing stuff I've done on the unwashed masses. I lose data there, no big. The macs are backed up all the time though.

      --
      Mod me down and I will become more powerful than you can possibly imagine...
  42. Too bad it breaks stuff. by bluGill · · Score: 1

    I haven't confirmed this on all my machines, but when I installed the updates on one yesterday (I always update one machine, and if nothing important breaks I do the other one) Synergy no longer starts automatically on boot, it works just fine starting when I log in. (I normally log into one computer, and then from there log into the other)

  43. Hey Troll.. get a clue by HighOrbit · · Score: 1

    Everything you listed are *application* flaws with the possible exception of ipmasq and even that is optional. Nothing you listed is a core OS flaw or a "default" configuration issue, unlike the many many problems with windows.

  44. Re:Yet Another Critical Linux Flaw! by ag3n7 · · Score: 1

    funny nothing you listed was a LINUX FLAW.

    please come back when one of the kernel services has a flaw..


    By this argument, none of these vulnerabilities should be held against Microsoft since none of them affect the Windows kernel (kernel32.dll).

    Please, at least apply the same criteria to both systems. Linux is just as worthless with just the kernel as Windows would be.

    Not to mention, I haven't seen Microsoft include a WEBSERVER in the kernel space yet.

  45. Ugh.. by Agent+R · · Score: 1

    Isn't this enough reason for people to migrate to Linux? (or a Mac at least?) I mean seriously.. their RAD (Rapid Applications Development) program is the cause of all this trouble. Putting out software that has more holes than Swiss cheese really doesn't help the public.

    --
    !@#$% whole-grain cereal. When I want fiber, I eat some wicker furniture. - G. Carlin
  46. This is not an exploit! by winchester · · Score: 1

    It is an undocumented remote administration capability :)

  47. Call me crazy... by Cytlid · · Score: 1

    ... but doesn't *everyone* disable/uninstall messenger service? Even tho I'm a huge fan of Linux, it doesn't mean I don't know my way around windows. Whenever I setup a new XP machine (for anyone), or advise someone on setting up a new machine, I have 3 requirements: no spying(adaware, xp anti-spy), no viruses (virus software like avg, mcafee or norton), and a firewall (either hardware or software, like black ice, tiny personal firewall, which they used to give out ver 2 of for free.) I also don't trust the firewall that comes with XP, looks like a tiny stateful firewall, which doesn't block outbound connections, so someone with a virus can still spread it.

    I just went looking for XP Anti-Spy and the german site looks like it's down or changed, but this looks like it might be the newest version. These are all options which should be standard with Windows, or at least steer the customers in the right direction (using other companies' products, instead of something recommended/influenced by MS).

    Everyone knows there's a bit of hardening that needs to be done to Linux/Unix systems... what about hardening for Windows systems? Many folks will argue "it's not for normal joes" but I'm sure sooner or later it will become part of standard practice. Do you think seatbelts were a major concern with the first automobiles? How many people jump in their car now and fasten it without even thinking of it?

    --
    FLR
    1. Re:Call me crazy... by BlackHawk · · Score: 1
      ... but doesn't *everyone* disable/uninstall messenger service?

      You're crazy. You shouldn't be, but the fact is that a huge number of MS shops are run by undertrained sysadmins who, through very little fault of their own, remain unaware of these little issues. I'm a certified engineer (Novell) with a lot of experience with MS products, and I read constantly trying to stay ahead of the curve. My company refuses to part with the money to send me to some proper training, or hire a mentor for a short while. And without that cash, there's only so much I can do on my own. I'm one of those folks that doesn't learn as well from reading books as I do from having guided hands-on training. How much worse is it for the guy who, a few years ago, got told by his boss, "Hey. You've got a computer at home. You're going to be our sysadmin for this new Microsoft server we're putting in. Don't worry, the sales rep told me it's all point-and-click stuff anyway." And yes... that's a true story about a friend of mine for whom I act as unofficial tech support. A case of the mostly blind leading the blind.

      --

      Believe nothing, not even if I say it, if it violates your sense of reason -- Buddha

    2. Re:Call me crazy... by Bambi+Dee · · Score: 1
      ... but doesn't *everyone* disable/uninstall messenger service?

      (How do you uninstall it?) Actually, on the MS support newsgroups, at least one of the more vocal and experienced regulars keeps telling people who suggest newbies to do just that that that's bad and wannabe-hacker-like advice since the messenger service is used for important alerts to the admin or something or other (which never happened to me, but I'm not on a LAN and perhaps that's why.)

      ([...] tiny personal firewall, which they used to give out ver 2 of for free.)

      Kerio Personal Firewall is more or less the same product and it's free for home and personal use.

    3. Re:Call me crazy... by Cytlid · · Score: 1

      I'm sorry, I meant to imply that "xp anti-spy" allows you to both either/or disable/uninstall it.

      --
      FLR
    4. Re:Call me crazy... by Bambi+Dee · · Score: 1

      I believe Antispy allows you to remove the "Instant Messenger" Messenger, not the "Windows Service" (NET SEND) Messenger.

  48. Questions that I Microsoft's page does not answer by grungeman · · Score: 1

    1. Regarding MS03-041: I have a simple XP professional (32Bit) running on my computer. This OS is neither listed in "Affected Software" nor in "Non Affected Software". So is it semi affected or what? And where can I get the download?

    2. I am running a German version of XP, so all services have German names. What is the "Messaging Service" called in the German version? The closest I could find is "Nachrichtendienst".

    --

    Signature deleted by lameness filter.
  49. Could all of these recent holes be the reason by RCO · · Score: 1

    That I've not been able to get Windows Update to work for over a month. Has anyone else experienced this problem?

    --
    'And all the monkeys aren't in the zoo Every day you meet quite a few...'
    1. Re:Could all of these recent holes be the reason by wally440 · · Score: 1
      I think I was experiencing the same problem last month. From what I can tell it was caused by some corrupted system DLLs that the Windows Update process uses.

      If you go to their update site, then go to the troubleshooting section, you should be able to find your problem. However, none of the solutions they provided worked. Here's what I did:

      Go to a working windows machine and follow the "Manual installation instructions for Windows Update controls". It tells you to download and apply an iuctl.cab file. Once downloaded, move it to the machine in question and update per their instructions. That got me working. Attempting to do this on the "broken" machine always resulted in a corrupted iuctl.cab file, that's why I had to use another machine to get it.

      As for your question about this problem being related to recent security flaws, I don't really know. I tend to think this is an unrelated problem, but I wouldn't rule out any correlation. I run AVG and Kerio firewall on my machine as well as the admittedly basic firewall on my hub/router so I don't suspect an attack of any sort. Of course, there probably are some holes/vulnerabilities that I am unaware of or unprepared for. At any rate, after I did this there hasn't been any problem so I hope this helps.

    2. Re:Could all of these recent holes be the reason by RCO · · Score: 1

      Actually, my question is more along the lines of, maybe I can't get to windows update because it's being overrun by requests. This really wouldn't surprise me anyway.

      Concerning, the idea of hitting it from a working system, I haven't found one of those 'round here, they're all running Windows ;-D.

      Seriously, we have about a thousand windows systems, and myself as well as the techs and the other programmers/admins have not found any system that will hit windows update, even when we open the firewall totally.

      --
      'And all the monkeys aren't in the zoo Every day you meet quite a few...'
  50. I haven't had this running for years by freeweed · · Score: 1

    And quite frankly, I'd be surprised if anyone really does anymore.

    Once spammers learned how easy it was to use the Messaging service to send almost anonymous spam a couple of years back, me and damn near anyone I know not behind a firewall turned it off.

    Or did spammers stop sending dozens of nice popups a day to random IP addresses sometime between now and then?

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  51. Re:Already patched ........ by mr_z_beeblebrox · · Score: 1

    Already patched... with Mandrake 9.1

    No fair! I have auto update and that's not applied on my systems

  52. Look at it this way... by JanusFury · · Score: 1

    The flaws aren't good, but it's good that Microsoft found them. The pace of MS finding bugs seems to be picking up lately; maybe MS's trustworthy computing shtick is finally doing some good? Perhaps MS will finally get on the ball about security!

    --
    using namespace slashdot;
    troll::post();
    1. Re:Look at it this way... by johnnyb · · Score: 1

      Very True! Perhaps Longhorn will do for security what Win2K did for stability.

  53. Lessons Learned from RPC by 4of12 · · Score: 1

    Of course a firewall will offer some protection but shouldn't be relied on.

    Check.

    Unfinished poetry composition from RPC...

    "Laptops that touch the raw Internet shall never touch my internal LANlips, be it even through an erstwhile VPN."
    --
    "Provided by the management for your protection."
  54. How to disable by encebollado · · Score: 1

    This link tells how to disable the service on various Windows platforms.

    1. Re:How to disable by gassendi · · Score: 1

      Windows 98 & ME
      Windows Messenger Service cannot be disabled


      I assume installing a firewall and blocking UDP ports 135, 137 & 138 and TCP ports 135, 139 & 445 will have the desired effect, but does anyone know of an alternative?
  55. Relevance of Windows Messenging by UnknowingFool · · Score: 1

    Not being a Windows expert, what does Windows Messenger really do in a system? When you go to disable it, all Windows tells you is that you shouldn't because other services might depend on it. Other than that, there's very little information. Anybody know? Obviously if MS says to disable it until further notice, it can't be very important, but then again it might break something that they are not considering.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
    1. Re:Relevance of Windows Messenging by b1t+r0t · · Score: 1
      AFAIK it does two things: 1) it lets a printer tell you when your print job is finished, 2) it lets spammers annoy you.

      Disabling the Messenger service is on the standard list of things I do when installing W2K. (right after installing SP2 and the latest RPC patch)

      --
      "Open source is good." - Steve Jobs
      "Open source is evil." - Microsoft
    2. Re:Relevance of Windows Messenging by Permission+Denied · · Score: 1
      Not being a Windows expert, what does Windows Messenger really do in a system?

      It does not do anything important. The messenger service accepts text messages over the network (from anywhere) and displays them in a message box. You can test this using "net send" from the command line. I believe messenger was meant as a replacement for "winpopup" from win9x.

      I've heard of three uses for this service:

      (1) some administrators apparently use this to send some notifications to their users about network outages or whatever. I have no sympathy for these administrators since it's absolutely trivial to write a replacement. Shouldn't be more than thirty lines of code for both client and server that use unadorned TCP and you can be damn sure that thirty lines of code you write won't contain an idiotic buffer overflow and you can also implement access controls to ensure your replacement won't be abused by other employees (whereas messenger accepts messages from anywhere and does not inform you of their origin).

      (2) I've heard that certain printers or printing systems use this to notify users of conditions like low toner. Again, I have no sympathy since this should be done with SNMP traps. With SNMP traps, you can re-route these messages or write some program to deal with them automatically (page your "paper/toner" guy when toner is low, or automatically file a paper request with the supplies people). You cannot do this with undocumented proprietary Microsoft protocols like messenger (although messenger is probably simple enough that you could easily reverse-engineer it (like the people in group (3) did), but there is no reverse engineering involved with standard protocols like SNMP).

      (3) Messenger is used by spammers to display spam on your desktop. Since it accepts messages from anywhere and does not log the originating IP of the messages, it's quite convenient for this purpose.

      It is completely safe and very recommended to disable messenger. It is enabled by default in all recent versions of Windows.

    3. Re:Relevance of Windows Messenging by Homology · · Score: 1
      (1) some administrators apparently use this to send some notifications to their users about network outages or whatever. I have no sympathy for these administrators since it's absolutely trivial to write a replacement. Shouldn't be more than thirty lines of code for both client and server that use unadorned TCP and you can be damn sure that thirty lines of code you write won't contain an idiotic buffer overflow and you can also implement access controls to ensure your replacement won't be abused by other employees (whereas messenger accepts messages from anywhere and does not inform you of their origin).

      I gather that you are not greatly experienced in programming and system administration?

    4. Re:Relevance of Windows Messenging by Permission+Denied · · Score: 1
      I gather that you are not greatly experienced in programming and system administration?

      Incorrect. If you wish, I'll write these programs (windows service, low LOC, no exploits, similar functionality) and post them to my journal, like I've posted before when challenged (lameness filter prevents posting code as comments). I find it difficult to believe that you doubt such a thing can be done trivially. Indeed the messenger service has such little functionality that it's embarrassing it could be exploited.
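
An added sketch of the kind of replacement discussed in this sub-thread (not code from any poster, not Microsoft's protocol, and not a Windows service): a plain-TCP notice receiver that accepts only allowlisted senders, caps message size, strips control characters, and shows the origin with every message. The port, the allowlist subnet and the 512-byte cap are assumptions chosen for illustration.

```python
import ipaddress
import socket

# Assumptions for this example: admin workstations live in this constructed
# subnet, notices are one UTF-8 line, and 512 bytes is plenty for a notice.
ALLOWED_SENDERS = [ipaddress.ip_network("10.0.5.0/28")]
MAX_MESSAGE_BYTES = 512
LISTEN_PORT = 5151


def sender_allowed(peer_ip, allowed=ALLOWED_SENDERS):
    """Access control: only hosts inside an allowlisted network may send."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in allowed)


def read_message(conn, limit=MAX_MESSAGE_BYTES, timeout=5.0):
    """Read one newline-terminated message without ever buffering more than
    limit + 1 bytes. Returns None if oversize, unterminated or too slow."""
    conn.settimeout(timeout)
    buf = bytearray()
    try:
        while len(buf) <= limit and b"\n" not in buf:
            chunk = conn.recv(limit + 1 - len(buf))
            if not chunk:          # peer closed the connection
                break
            buf += chunk
    except socket.timeout:
        return None
    line, newline, _ = bytes(buf).partition(b"\n")
    if not newline:
        return None
    text = line.decode("utf-8", errors="replace")
    # Drop control characters so a message cannot inject terminal escapes
    # or forge extra lines in whatever displays or logs it.
    return "".join(ch for ch in text if ch.isprintable())


def handle_connection(conn, peer_ip, allowed=ALLOWED_SENDERS):
    """Returns (status, display_text). The origin is always part of the text."""
    try:
        if not sender_allowed(peer_ip, allowed):
            return ("denied", None)
        text = read_message(conn)
        if text is None:
            return ("bad-message", None)
        return ("accepted", f"[from {peer_ip}] {text}")
    finally:
        conn.close()


def send_notice(host, text, port=LISTEN_PORT):
    """Client side: one connection, one line."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(text.encode("utf-8") + b"\n")


def serve(host="0.0.0.0", port=LISTEN_PORT):
    """Accept loop; every attempt is recorded with its source address."""
    with socket.create_server((host, port)) as srv:
        while True:
            conn, (peer_ip, _peer_port) = srv.accept()
            status, shown = handle_connection(conn, peer_ip)
            print(f"{peer_ip} {status}")   # audit trail of who tried to send
            if shown:
                print(shown)               # a real client would pop a dialog


if __name__ == "__main__":
    serve()
```

Source-address allowlisting only restricts which hosts can connect; it does not authenticate the sender, so the listening port should still be blocked at the network edge.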

  56. Interesting but... by GearheadX · · Score: 1

    One of the first things I do when I install Windows on a computer in my office is disable Messenger outright. It's simply not worth the aggravation of dealing with it.

    Ever since spammers started using it a few years back, it just wasn't worth the nuisance of dealing with it.

  57. Don't forget the 2 Exchange Bulletins by 101010 · · Score: 1

    I also received a notice on Exchange server, MS03-046 and MS03-047.

  58. Re:Yet Another Critical Linux Flaw! by jweatherley · · Score: 2, Informative

    Kernel32.dll is not the Windows kernel - that would be ntoskrnl.exe. Kernel32.dll contains the Win32 functions.

    --
    Reverse outsourcing: it's the future
  59. Will they patch my BIOS too? by cybrangl · · Score: 1

    Not that I am trying to jump on the MS-bashing bandwagon, but these vulnerabilities take on new light when you consider MS is trying to get into the BIOS level ( http://www.geek.com/news/geeknews/2003Oct/gee20031008022103.htm ) Soon we can expect even our hardware to be vulnerable. What gets me is the dismissive attitude MS takes when announcing these flaws. True, these are out "before any known attacks", but if you look at the nature of them, they should all have been patched years ago. This is not the first time these services have had such vulnerabilities. The problem is that MS patches the symptom, but doesn't address the nature of the vulnerability. Thus, every once in a while, someone figures out a way around the last patch and the cycle starts over. How long did the last RPC patch last? Security should be about reinforcing the OS, not placing a sheet of plywood over the offending hole and hoping that no one notices the one next to it.

  60. Another rabid submitter gets it wrong by Call+Me+Black+Cloud · · Score: 2, Informative

    Microsoft released yesterday a whole bunch of critical security updates.

    Their new policy is to release monthly updates unless an exploit already exists, in which case a patch is immediately released.

    Out of these, MS03-043 is a flaw in the Windows Messenger Service ... Of course a firewall will offer some protection but shouldn't be relied on

    You don't know what you're talking about, submitter Dynamoo. Please, tell us why one shouldn't rely on a firewall? If you read the technical documentation about the flaw you see "If users have blocked the NetBIOS ports (ports 137-139) - and UDP broadcast packets using a firewall, others will not be able to send messages to them on those ports." (under "Technical Descriptions"). I think I'll ignore your advice and keep a firewall in place, no matter what OS I'm using.

    1. Re:Another rabid submitter gets it wrong by Pvt_Waldo · · Score: 1

      The other bad line from the obviously biased submitter is...
      Of course this is another headache for admins still patching for last month's RPC flaw.

      If admins at some site STILL haven't patched yet, they are - uh - morons. It takes all of about 2 minutes to do it. OK, 3 if you gotta reboot.

    2. Re:Another rabid submitter gets it wrong by LogicX · · Score: 1

      .. Times 10,000 users and unique machine configurations... ... with new machines being shipped vulnerable, and coming on the network each day, or users reformatting...
      yes, we're still dealing with the initial RPC vulnerability at RIT -- we have hundreds of machines at any one time which are blocked on the lan for being vulnerable or infected.

      --
      May this post be indexed by spiders, and archived for all to see as my Internet epitaph.
    3. Re:Another rabid submitter gets it wrong by NickRuisi · · Score: 1

      You don't know what you're talking about, submitter Dynamoo. Please, tell us why one shouldn't rely on a firewall?
      Here's why: All it takes is 1 user running a non-firewalled connection dialing up on their private ISP account from their laptop while on the road. Said user becomes infected with blaster or another win32 worm, disconnects and merrily returns to the office the next day and plugs said laptop into the LAN. WHAMMO! You had better hope that the machines on your LAN are patched because said user has effectively bypassed the firewall for the worm.
      It happened to my network. I had just finished a new win2k install for an end user and before I could get it up to the current SP/Patch level, it got infected because I have a "road warrior" who likes to use AOL when she's on the road (even though I explicitly told her not to).

    4. Re:Another rabid submitter gets it wrong by Dynamoo · · Score: 1
      Wrong? Nope. There are two ways the potential worm can get through the firewall.

      Firstly, it can come through as a blended attack combining a traditional worm with a mass-emailing virus. Really it's just a question of putting together existing malware technologies.

      Secondly, all you need to really screw your network is for someone to use an unprotected laptop on their home ISP and then bring it into the office. The worm basically just walks past the firewall.

      This second one was a favorite infection vector for MSBlast and Nachi to get onto corporate networks. Large networks with many laptop users got hit repeatedly.

      --
      Never email donotemail@WeAreSpammers.com
    5. Re:Another rabid submitter gets it wrong by Call+Me+Black+Cloud · · Score: 1

      As I stated in another message in this thread, I should have quoted Microsoft's solution directly where they say to set the Windows' firewall to block the ports. I just stated "firewall" which was unclear.

    6. Re:Another rabid submitter gets it wrong by Call+Me+Black+Cloud · · Score: 1

      As I stated in another posting, I was unclear in my response. The technical document from MS states users should set the Windows built-in firewall to block the ports. That would prevent collateral damage from someone mailing in a virus or bringing one from home. Sorry for the confusion.

    7. Re:Another rabid submitter gets it wrong by Dynamoo · · Score: 1

      Definitely. In fact a curse on MS for making it so difficult for novice users to find.. every individual user should have a firewall before they go within 6 foot of an internet connection in my view ;)

      --
      Never email donotemail@WeAreSpammers.com
  61. Nomenclature by mborland · · Score: 1
    I don't know if it's MS or the poster, but we should make sure to clean up the nomenclature for these various 'messenger' services. In XP, clicking on the service labeled 'Messenger' displays the help on the left which says: "...This service is not related to Windows Messenger." Although, the poster referred to this as the "Windows Messenger Service."

    I want to shoot the Messenger, but it's hard to tell which one!

    But not to worry, visiting the MS link in the post and following the directions cleared up the issue.

  62. MS flip-flops (again) by harley_frog · · Score: 2, Interesting
    Microsoft's recommendation is to 'disable the Messenger Service immediately and evaluate their need to deploy the patch'.

    For over a year now, Leo Laporte from TechTV's The Screensavers has been saying that Messenger Service is a security hole but Microsoft kept saying, "It's not a hole; it's a feature." Guess now Microsoft will turn off Messenger Service by default. Or, maybe not.

    --
    It's all fun and games until someone loses the key to the handcuffs.
    1. Re:MS flip-flops (again) by gorfie · · Score: 2, Insightful

      Before we were told about the Messenger flaw, I don't think the Messenger service was considered a hole, I think it was the fact that spammers were able to send messages to computers remotely using the Messenger service that was INDICATIVE of a hole. Even if they disabled Messenger the problem still existed. It's NetBIOS that's the real problem. Of all the Windows worms that have come out in the past few years, all have relied on NetBIOS, IIS, or Outlook to propagate.

      Most of the people running IIS got a clue and patched (granted some didn't).

      Many running Outlook were aware that they could open viruses just by viewing a message and many of them patched (granted some didn't).

      However everyone running Windows probably has NetBIOS running and all but the Systems Administrators and nerds don't realize that it has numerous holes and can be exploited.

    2. Re:MS flip-flops (again) by gorfie · · Score: 1

      Slight misunderstanding of what I said. Disabling the Messenger service does indeed prevent people from exploiting the hole *in the messenger service*. I don't doubt this.

      Microsoft bundled enormous functionality into a few ports, and they leave these ports open by default. If a user doesn't patch or use a firewall then they are obviously open to exploitation. This is what I consider a serious hole...

  63. Re:RPC worm (Secure the perimeter) by ILikeRed · · Score: 1

    Your problem is that you did not follow Microsoft's best practices. If you had, you would have done as Ballmer has been preaching, and Secured the Perimeter! Which really is just PHB speak for never putting a windows box on the internet without a Linux firewall to protect it. Why do you think microsoft has started using Linux as a proxy service for their website???

    --
    I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams
  64. Re:Questions that I Microsoft's page does not answ by Bambi+Dee · · Score: 1

    ad 1 - XP Professional would be the XP "Gold" listed under "affected software". I haven't seen it called "Gold" before, but once you follow the link, their naming scheme reverts to the familiar "Home" and "Professional" editions.

    You can download it here:
    http://www.microsoft.com/downloads/details. aspx?di splaylang=de&FamilyID=F02DA309-4B0A-4438-A0B9-5B67 414C3833
    (mind the gap!)

    ad 2 - "Nachrichtendienst" is the one, yes.

  65. Re:Yet Another Critical Linux Flaw! by sqlrob · · Score: 1

    By this argument, none of these vulnerabilities should be held against Microsoft since none of them affect the Windows kernel (kernel32.dll).

    But those haven't been claimed IN A COURT OF LAW to be part of the OS. If there's a flaw in something MS claims is part of the OS, then, they take the bad with the good and get it docked against the OS.

    Not to mention, I haven't seen Microsoft include a WEBSERVER in the kernel space yet.

    And, yes, IIS runs partly in kernel with IIS 6.0 on Win 2003

  66. Congratulations, Slashdot moderators. by mongbot · · Score: 1

    This comment stands at "+2 Insightful" (hah), with no negative moderation, thereby confirming this site's reputation as the online capital of anti-social, thoughtless free-software zealotry.

  67. YACWF!!! by Biff98 · · Score: 1

    As much as the Micros~1 community likes acronyms, throw that one on the fire. Hell I bet it becomes one of the most widely used acronyms around!

    Back to KDE(Desktop)/OpenOffice(Office Suite)/xmms(winamp)/Acrobat Reader(duh!)/NFS("File share")/Gimp(Photoshop).... Ahhh what a beautiful day. Isn't it?

    Glad I'm not a Windows Operator (no such thing as a Windows Sys Admin)...

  68. Not so fast... by X86Daddy · · Score: 4, Funny

    At least administrators can disable the Messenger Service remotely.

    If you haven't patched yet, I'm guessing anyone can disable your services remotely. :-)

    1. Re:Not so fast... by godzillion · · Score: 1

      This suggests a viral technique for applying security patches: Given a newly discovered vulnerability, create a worm which exploits that vulnerability, applies the patch on the infected machine (or disables the broken service), then attempts to infect other unpatched machines.

    2. Re:Not so fast... by r_j_prahad · · Score: 1

      Your search - Domino security flaw - did not match any documents.
      --Google News


      Your search - Domino Administrator wanted - did not find any openings.
      --Monster.com

    3. Re:Not so fast... by H0bb3z · · Score: 1

      Yep -- it's done through the RPC/DCOM services that M$ claims is a "secure communication transport" for Windows.

      Nice. And ironic.

      -----

      --
      "There *IS* no patch for stupidity" -www.sqlsecurity.com
    4. Re:Not so fast... by Chris+Mattern · · Score: 1

      He cheated. "Google News". This thread will not be showing up in Google News. Neither do any of the many other articles about Domino security flaws I found when I did a Google web search on those terms: "Results 1 - 10 of about 7,790. Search took 0.29 seconds."

      Chris Mattern

    5. Re:Not so fast... by JuggleGeek · · Score: 1
      Your sig says... Your search - Domino security flaw - did not match any documents.

      When I run that phrase through Google, I get...
      Results 1 - 10 of about 8,030. Search took 0.24 seconds. I don't know anything about Domino, but I know BS when I see it. The rest of your "message" looked every bit as honest.

  69. Re:Yet Another Critical Linux Flaw! by Theatetus · · Score: 1

    kernel32.dll is more like glibc than vmlinuz. The "dll" bit should have tipped you off.

    --
    All's true that is mistrusted
  70. What? by abulafia · · Score: 2, Insightful
    You fail to back up your title.

    > Microsoft released yesterday a whole bunch of critical security updates.

    Their new policy is to release monthly updates unless an exploit already exists, in which case a patch is immediately released.

    How, exactly, are you contradicting the author?

    > Of course a firewall will offer some protection but shouldn't be relied on

    You don't know what you're talking about, submitter Dynamoo. Please, tell us why one shouldn't rely on a firewall? If you read the technical documentation about the flaw you see "If users have blocked the NetBIOS ports (ports 137-139) - and UDP broadcast packets using a firewall, others will not be able to send messages to them on those ports." (under "Technical Descriptions"). I think I'll ignore your advice and keep a firewall in place, no matter what OS I'm using.

    I don't believe the author is telling you to remove your firewall. The author is saying that it shouldn't be relied upon. There is a significant difference. Because some other machine behind the same firewall might become infected, a firewall is not a perfect measure for protecting against this attack. There's a well worn phrase for this problem - "crunchy on the outside, chewy on the inside."

    So, again, please explain how Another rabid submitter gets it wrong?

    --
    I forget what 8 was for.
    1. Re:What? by Call+Me+Black+Cloud · · Score: 2, Informative

      a firewall is not a perfect measure for protecting against this attack...Because some other machine behind the same firewall might become infected

      Good point - I was unclear. I should have quoted Microsoft's technical documentation. They specify configuring Windows' built-in firewall to block those ports. If the ports are blocked at each machine then an infected machine behind a hardware firewall will not infect other machines on the LAN.

    2. Re:What? by cornjones · · Score: 1

      I don't believe the author is telling you to remove your firewall. The author is saying that it shouldn't be relied upon. There is a significant difference.

      The idea here is defence in depth. This should be blocked at your border firewall/router. Each machine's personal firewall would block it and then you would patch the machine not to be vulnerable. Of course all unnecessary services would also be shut off.

      No matter how much I want to do that, I never seem to get around to locking everything down that much.

    3. Re:What? by don_carnage · · Score: 1

      They specify configuring Windows' built-in firewall to block those ports.

      Yeah...that works. Disable file sharing so now Mom can't send files to Sister's "folder". Ugh...I can hear the support calls now.

  71. Firewall BAD! Patches GOOD! by n1k0 · · Score: 1, Insightful

    > Of course a firewall will offer some protection but shouldn't be relied on

    What kind of crack are you smoking, and where can I get some? A firewall will offer complete protection, and should be relied on to protect you from exactly this kind of situation (and more!). I'm sure your point is that using a firewall is no excuse to not apply security patches and while I agree, this anti-firewall propaganda has to stop! ;-)

    -Nick

    1. Re:Firewall BAD! Patches GOOD! by Biff98 · · Score: 1

      Well -- I think this guy MAY have a valid point after all. The term "Firewall" has been thrown around ENTIRELY too much.

      A SOFTWARE "Firewall" running on a Micros~1 box is NOT A FIREWALL. In fact if you trust that thing you should be locked away in private address space for the remainder of your WWW years...

      A SOFTWARE "Firewall" running on any *nix machine is probably ok.

      A HARDWARE "Firewall" running at the Layer 2 -> 4 is probably your best bet. There's an OS designed to handle packets and not to share time with other processes, its sole purpose is to block packets.

      The argument? Writing apps for Windows on its API does not inspire a whole lot of confidence in the effectiveness of what you're writing. I'd be willing to bet some money that before your "Zone Alarm" software or whatever gets that packet to look at that Micros~1 has done some pre-parsing and processing for backdoor type stuff. If you want to inspect OpenBSD's 'pf' program, look at the source and decide if you like it or not. And well, the hardware firewalls -- that's why these people are in business. They protect networks.

      (FINALLY) the MORAL of the story: Don't assign the term "Firewall" to something that DOES NOT DESERVE IT. It creates a FALSE sense of security.

      "Tell me I'm wrong"

  72. If Bill Gates had a nickel.... by Biff98 · · Score: 1

    http://ars.userfriendly.org/cartoons/?id=19990911 for every time Windows crashed...

    Check out this User Friendly strip...

  73. Releasing patches too frequently? by hetairoi · · Score: 3, Insightful

    I was just over at the beast reading about the new security bulletin service and came across this under the 'What customers tell us' section:

    Customers are concerned that Microsoft releases security patches too frequently

    Wha?!? So, customers are saying that even if some critical flaw is found, M$ should wait awhile before releasing it because Joe Admin is concerned there are too many patches??

    Come on, if they know something is broke I want a patch ASAP (after proper testing of course). I don't care if they release a patch an hour, if something is broke -- Fix it now, don't wait until next week because you've already released your quota of patches for this week. This sounds like BS to me, maybe M$ just stuck that in as an excuse to not release patches.

    Later they say an exception will be made if they determine the customers are at immediate risk. I'm glad they know my system so well, but really, please just release the patch now and I will decide if MY system is at immediate risk.

    --
    you're all figments of my deranged imagination
    1. Re:Releasing patches too frequently? by porkchop_d_clown · · Score: 1

      Frequent patching is cause for three concerns:

      1. The patches haven't had time to be adequately tested.

      2. A cascade of patches indicates serious underlying problems.

      3. A cascade of patches distracts the MS developers from what should be their primary job: making patches unnecessary in the first place.

    2. Re:Releasing patches too frequently? by Phishcast · · Score: 1

      I've heard folks from Microsoft say that there is an obvious correlation between the time they offer security patches and the appearance of public exploit code on the internet. Whether it's the patches being reverse engineered or whether black hats have a new place to focus their energies based on the security bulletin, it makes sense. Of course, this only applies to vulnerabilities found by Microsoft or by people that coordinate releases of vulnerabilities with Microsoft. In fact, they're moving to a monthly patch release schedule instead of a weekly schedule based on this (with exceptions allowed for new vulnerabilities being exploited in the interim). Hopefully it'll make the lives of Windows admins out there a little bit easier.

    3. Re:Releasing patches too frequently? by hetairoi · · Score: 1

      1. Yes, obviously the patches should be tested, I mention that in my post. My problem is delaying a patch because, well, we've already put out a set this week and so we're just gonna let this one sit awhile. Give it to me and I'll test it (which I do before it goes to a production machine).

      2. well, yeah, it does.

      3. see your point 2.

      --
      you're all figments of my deranged imagination
    4. Re:Releasing patches too frequently? by Ozymandias1350 · · Score: 1

      I think it's pretty obvious. People are complaining about the number of security patches that they have to download to keep their system secure, especially over dial-up Internet connections. I hear this from my clients all the time, in fact - their system is unpatched and insecure, they got the latest virus, whatever, because it takes too long to download the patches.

      They're not complaining that Microsoft is patching too frequently - they're complaining about the need for having so many patches. Even the clients that know next to nothing about their computers are saying this, and in just about that fashion, too. Many have gone so far as to complain about the quality of the software, directly. But you can't expect Microsoft to say that in their security bulletin, so instead they just say people are complaining about the patching frequency, which is technically true.

    5. Re:Releasing patches too frequently? by babyrat · · Score: 1

      I love the way that people can interpret things that others say.

      What a typical letter may read:

      Dear Microsoft,

      Your product is full of security holes. If it was coded properly from the get go, it would have fewer critical holes and you wouldn't have to release patches EVERY week. This patch process is a pain for administrators and users alike.

      Regards,

      Babyrat

      What Microsoft interprets it as:


      You release too many patches too quickly. We'd rather have the security holes rather than have to patch our systems every week.


      I wouldn't necessarily blame Joe Admin or Fred End-user for that comment from Microsoft.

    6. Re:Releasing patches too frequently? by owlstead · · Score: 1

      Moreover, if somebody would want to release a successful worm, he now would have the opportunity to synchronize with the Windows update service.

      Just wait until the monthly patch-thingy is issued and your worm has a whole month to have fun. Patches will be issued NEXT MONTH.

      Great idea MS, I wonder why nobody else does such a thing. Sheesh.

    7. Re:Releasing patches too frequently? by Kris_J · · Score: 1
      They're paraphrasing. Customers actually said "MS products are an insecure steaming pile", but they couldn't put that on their website.

      It's a pain in the arse I tell you. We're in the middle of orientation. 17 staff trying to enrol 220 new students and 1000 returning students. Patching desktops is the last thing anyone has time for.

  74. Was there a "Yet Another Ssh Flaw?" Does michael follow the link in my sig and post about all the flaws that come out monthly (compared to these new four)?

    Of course not. And you won't see it reported, either. Because Slashdot is biased against Microsoft and wants your page hits.

    I dare you to argue otherwise, because it's just too obvious.

    --
    "Sufferin' succotash."
    1. Re:Bias by stor · · Score: 1

      It seems to me that whinging about /.'s anti-MS bias is all you ever do, OCG. Save your breath: we know.

      From what I see, you're just as obstinate as the most rabid anti-MS Zealot.

      Cheers
      Stor

      p.s. Why is that page called "Linux Security" when it contains security advisories for NetBSD, SCO Unix, FreeBSD, etc that are irrelevant to Linux?

      --
      "Yeah well there's a lot of stuff that should be, but isn't"
  75. Taking bids on when worm comes... by MarvinMouse · · Score: 1

    The last worm, I was only 2 hours off of when I thought it would come.

    I am saying this worm will probably come early November around midnight EST. (Nov 13th)

    Official bid: Nov 13th 0000 hours.

    Any other bidders?

    --
    ~ kjrose
    1. Re:Taking bids on when worm comes... by Tony-A · · Score: 1

      Nov 13th 0230 EST.
      I'm an optimist.

  76. Wait a minute is this still news by mboom · · Score: 1

    Let's be perfectly honest. With all news, if a story becomes repetitive it is no longer news. I think the "Windows Bug" thing has slipped into this chasm. It's no longer "new" and no longer interesting. Use windows at your own risk.

  77. Nasty Supplemental EULA by gvc · · Score: 1

    I installed the patch on several machines yesterday. One of them demanded a supplemental EULA. I have not been able to reproduce it on the other machines, so I paraphrase from memory. It said, among other things:

    "I will not publish the results of .net benchmarks"

    I have never (intentionally) installed the update that installs the .net framework but judging from the EULA I wonder if that happened and that's why this EULA popped up.

    In any event, this clause casts a chill over me.

  78. Don't get cocky by slittle · · Score: 1
    Connected to the internet to get the RPC patch, and got infected with this worm in under a minute
    Same thing happened to me with RedHat 5.x - hacked via BIND in under 30 minutes. Fortunately I almost always use Midnight Commander, and show all files (why the fuck is the default hiding things from me?!?) and spotted a dot-file under / (my systems never have files under / only directories). So I F3'ed it and surprise, there's the root password.

    After I busted the guy on IRC, he had the nerve to ask me for a shell account. Told him to fuck off, while I did a full reinstall from scratch. Even though he promised he only added an account for himself and didn't compromise any other binaries, it's not worth the risk (esp. since the install was less than an hour old).
    --
    Opportunity knocks. Karma hunts you down.
  79. Do it for them by kendric · · Score: 1

    Every time I do tech work for my friends *sigh* I usually end up having to reinstall windows xp. God forbid they move to a different OS, but I digress... The first thing I do when the machine is on is turn off MS Messenger. I have met people that have no idea what it is and how to turn it off, including high level CS students here at university.

    This is how you turn off MS Messenger:
    - Go to your main directory
    - Then WinNT
    - system32
    - then find the file called services.msc
    - you will have a list, find messenger on it
    - disable it

    While there, take a close look at what else microsoft has running, and see if you need all of it - perhaps remote PC access?

    This is the first thing I do when turning on a computer for almost anyone running XP; there is never any need for it. I've done it for families with kids, and have had the parents genuinely thank me for getting rid of the lewd popups their children are bombarded with.

    1. Re:Do it for them by inburito · · Score: 1

      Or you could just right click on my computer and select manage and then services and then disable messenger from the same list.

    2. Re:Do it for them by ssstraub · · Score: 1

      Or you could just Window key + R -> services.msc, then disable messenger service.

  80. It's More Confusing Than You Think... by Wymanator · · Score: 1

    There are actually three similarly named components: Windows Messenger Service, Windows Messenger and MSN Messenger. I found this article via Google which does a pretty good job of explaining the difference.

  81. Turning it off by Griim · · Score: 1

    I actually turned this service off back when I first installed...what exactly is it good for? I see tons of "services" running, that I'm assuming don't necessarily need to be (though I've learned through trial-and-error that turning some off, breaks things).

  82. Slashdot by Anonymous Coward · · Score: 1, Informative

    As much as I like slashdot, as a critical thinker, I have to entirely disregard its claim to be "news" when it is so obviously biased. This is not news, this is propaganda, worse than FOX news at times. Showing MS as a Borg Gates is hardly objective, which ought to be the goal of any self respecting news organization. How about we change the Linux penguin to him molesting small animals or children? That would be just as ludicrous as this purported "news" about MS.
    Oh, BTW, I *do* use and run Linux (dyneBolic CD), so all you haters can shove it up you know where. One other thing -- I am a programmer, so I know what open source and that is all about, I like it, but I can see its flaws as well, unlike all you other zealots.
    I used to like this site more. Too bad its bias ruins its integrity in my eyes, just like FOX news "Fair and Balanced" BS.

    1. Re:Slashdot by Excen · · Score: 1

      How about we change the Linux penguin to him molesting small animals or children
      Fox news provides the most accurate news in the world today.


      Bill? Dubya? Is that you guys again?

      --
      "No beer until you finish your tequila!" -Leela's Dad
    2. Re:Slashdot by DarkZero · · Score: 1

      As much as I like slashdot, as a critical thinker, I have to entirely disregard its claim to be "news" when it is so obviously biased. This is not news, this is propaganda, worse than FOX news at times. Showing MS as a Borg Gates is hardly objective, which ought to be the goal of any self respecting news organization.

      Slashdot never claimed to offer balanced or objective coverage, nor to be your One True Source For News. Let's be honest, /. is a dinky little website run by geeks, and because of that it's allowed to make light-hearted jokes, like Borg Gates. It's part of its charm. If you find a site that openly editorializes and doesn't claim to be doing anything different offensive, then you're at the wrong site. And you need to lighten up.

    3. Re:Slashdot by Dhalka226 · · Score: 1

      If you don't like it, pack it up and move on. Bitching and moaning about a service others, myself included, find incredibly valuable does no good. Do you think the slashdot folks are running around to change all of their icons and edit all of their articles because you're displeased? Give me a break.

  83. That's hilarious by Rogerborg · · Score: 1

    I'd post more, but I have to save my bandwidth for downloading half a gig of patches for one of Win2K's lunix contemporaries.

    Is the cognitive dissonance kicking in yet? Are you feeling compelled to slap this as a troll, rather than actually looking into how many patches there are for lunix systems? Do we care about the lunixatics that got rooted by ssh or sendmail vulnerabilities down the years? Can we even acknowledge their existence? Do we remember the FSF's ftp server getting hax0red out from under them?

    Hello? Hello?

    --
    If you were blocking sigs, you wouldn't have to read this.
  84. New MS initiative by Comatose51 · · Score: 1

    I guess MS coming out with patches is a good thing. Is this part of a new MS initative to seriously make Windows secure?

    --
    EvilCON - Made Famous by /.
  85. It gets better by jhswope · · Score: 1

    I just installed the patches on the Trial version of Windows Server 2003 I have at work and it locked the machine "hard". Power cycle was the only remedy. And this is the OS they want me to replace my Linux servers with??? Long live OPEN SOURCE!!!!!!!!!!!!!!

  86. Re:RPC worm (Secure the perimeter) by juhaz · · Score: 1

    Because they get that proxy service from another company and have no power over how it's implemented.

    It's not like they wouldn't use windows version if there was someone offering it (after all, even if it's worse or more expensive there's the PR win over FUD-spreaders like you).

  87. Yea well... by buddha42 · · Score: 1

    Of course this is another headache for admins still patching for last month's RPC flaw." Kudos to admins still patching one month old holes.

  88. Can anyone assist? by acousticiris · · Score: 1

    I thought this might be relevant in that we're discussing patching related to this (giant gaping) hole. Has anyone figured out why this 043 patch modifies the Workstation DLL? I can understand its interaction with the messenger service DLL, but why Workstation?
    I wouldn't worry about rapidly patching a large number of workstations with just a modification of the Messenger service, but now that it's changing a major DLL--and knowing the reliability of some MS Patches--I'm concerned at this point. Also with changes like this, Is it possible this hole is deeper than what was originally stated?

    --
    "God is dead!" - Nietzsche
    "Nietzsche is dead!" - God
  89. Slashdot Script by exp(pi*sqrt(163)) · · Score: 1

    $a = int(rand(5));
    if ($a==0) { print "Security flaw in Windows discovered!\n" }
    elsif ($a==1) { print "IBM invents new higher density storage.\n" }
    elsif ($a==2) { print "Intel announces faster CPU.\n" }
    elsif ($a==3) { print "G5 fastest CPU on desktop.\n" }
    elsif ($a==4) { print "G5 not fastest CPU on desktop.\n" }

    --
    Doesn't it make you feel good to know that our freedoms are protected by politicans, lawyers and journalists.
  90. Re:Slashdot Moderation (OT) by caseih · · Score: 1, Insightful
    They're having problems with some of their machines, including the one which distributes mod points, running slow.

    This begs the question, what would happen if several thousand users decided to "go on strike" as it were and simply withhold moderation points. Seems to me that if enough users did this, we would see a similar moderation point shortage.

    On the other hand we have nearly 800,000 slashdot accounts these days, and the possibility of any of them agreeing to anything to accomplish this would be about zero.
  91. Hey Worm Developers by supun · · Score: 1

    You want to be creative, be unique? Create a worm that patches people's systems with the latest patches!

    --
    :w!
    1. Re:Hey Worm Developers by cyt0plas · · Score: 1

      It's been done. It was actually _more_ aggressive, and caused more problems than the worm that it was trying to fix.

      --
      Contact Me (got tired of viruses emailing me).
  92. Re:Slashdot Moderation (OT) by Jellybob · · Score: 2, Insightful

    I guess we would do, but I doubt it would be a huge problem, since mod points expire anyway.

  93. My older running applications relies on 'net send' by Baikala · · Score: 1
    When I was working at my college's computer 'lab' there weren't enough computers to satisfy the demand at midterms and finals (I live in Mexico and 7 years ago only 2 or 3 students had laptops) so we have to limit the time to 1 1/2 or 2 hours per user per day on those seasons.

    A friend and I wrote an app to handle that, users have to take a 'free' machine from the screen in the counter or get into the virtual wait line if there was none. The app did a 'net send' to alert users when their time was up and there was another user waiting, we had to update the messaging services on the win95 machines so they were able to get along the 'brand new' NT 4 machines

    The application was enhanced later, by me and others, to handle statistics and other alerts like annoying library dues and 'not enough sheets in your credit for your print work'. It was still running (although very modified) last time I was there (spring). I think that 'net send' was a very helpful admin tool for windows networks. (I know unix has had it since the dawn of time)
    --
    16,777,216 comments ought to be enough for any forum!
  94. Context by Short+Circuit · · Score: 2, Insightful

    Context and Guilt by Association. This is Slashdot. Slashdot is very much engrossed with Linux, the Linux community and Open Source.

  95. Re:Already patched ........ by TestBoy · · Score: 1

    I just patched with Redhat 9. I have a whole list of microsoft bugs I don't need to worry about.

  96. New Marketing Slogan by cindik · · Score: 3, Funny

    You'll never be locked out with Microsoft. We make windows that anyone can open from the outside.

    1. Re:New Marketing Slogan by Blackbrain · · Score: 1

      I thought the new slogan was:

      "Microsoft - The Network is the Password"

      --
      Where would we be if Wheel had hid her round rock in a cave instead of showing everyone how it rolls?
    2. Re:New Marketing Slogan by Mark_in_Brazil · · Score: 1

      "Whose computer do you want to invade today?"

      --Mark

      --
      "It is nice to know that the computer understands the problem. But I would like to understand it too." --Eugene Wigner
  97. Kill the Messenger by Tony-A · · Score: 1

    Not being a Windows expert either, but our standard setup has been to disable the messenger service to kill annoying messages from print servers that were so proud of actually printing a job that they just had to tell somebody (everybody?) about it. I think Windows Messenger and net send can be used to annoy people. If for some reason you depend on these annoyances, you probably need it.

  98. worm patcher by DayBoyUSA · · Score: 1

    What would happen if microsoft wrote its own worm to patch the holes that allowed the worm onto the computer in the first place?

    Then computers that are most susceptible to the security hole would be first to get the worm that patches the hole.

    I know this would never happen as this would leave microsoft liable for anything the patch might break.

  99. I guess I should have opened those emails by LuxFX · · Score: 1

    You mean all those emails I get about there being a new Microsoft Critical Update weren't lying? I've just been deleting them....

    Seriously though, I wish Microsoft would put out as many patches as those stupid emails I get say. After a few months at that rate they might have a stable OS for a change.

    --
    Punctanym: alternate spelling of words using punctuation or numerals in place of some or all of its letters; see 'leet'
  100. It is a horrible pain in the ass by lowvato · · Score: 1

    I have been forced into the c# world and VS.Net. After applying their damned patches my development environment is all screwed up (links to web projects). I want to kill, see dead burnt bodies...kill.

  101. Domain-wide service management by YetAnotherDave · · Score: 1

    I haven't seen an easy way to disable a service for a few hundred/thousand systems at once, so I cobbled together a quick hack with psservice to turn them off while I looked, since my corporate network has a TON of boxes I don't control which will likely remain unpatched for ages...

    My hack follows, but if there's anyone here who knows the proper windows way to disable services on lotsa machines remotely (my hack just stops them) please respond...

    my hack - 3 steps:

    1) psservice find messenger > messengerActive.txt

    2) munge file so it's just a list of machine names - a programmable editor like gvim makes this trivial

    3) FOR /F "usebackq delims==" %i IN (`cat messengerActive.txt`) do psservice \\%i stop messenger

    http://www.sysinternals.com/ntw2k/freeware/psservice.shtml

    1. Re:Domain-wide service management by YetAnotherDave · · Score: 1

      yes, poor style - replying to my own post.

      the latest psservice can change the startup config.
      if step 3 above is changed to

      FOR /F "usebackq delims==" %i IN (`cat messengerActive.txt`) do psservice \\%i setconfig messenger disabled

      all is well and good :)
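
The stop-then-disable procedure from the post and follow-up above, as an added PowerShell example that is not part of the thread. It uses the built-in sc.exe instead of psservice and assumes messengerActive.txt already holds one machine name per line and that the caller has admin rights on the targets; the function name Disable-RemoteService is hypothetical.

```powershell
# Added example, not from the thread. Disables and stops a service on each
# listed host with sc.exe, then reads the settings back to confirm them.
# Assumptions: admin rights on the targets and hosts reachable over RPC.
function Disable-RemoteService {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [string] $ServiceName = 'Messenger'
    )

    foreach ($name in $ComputerName) {
        # Accept "HOST" or "\\HOST"; skip blank lines left over from editing.
        $target = $name.Trim().TrimStart('\')
        if (-not $target) { continue }
        $unc = "\\$target"

        # 1) Disable first so the service stays off after a reboot.
        #    sc.exe expects "start=" and its value as separate arguments.
        $null = & sc.exe $unc config $ServiceName start= disabled
        $configExit = $LASTEXITCODE

        $stopExit = $null; $startType = $null; $state = $null
        if ($configExit -eq 0) {
            # 2) Stop the running instance. A non-zero exit here is expected
            #    when the service was already stopped (Win32 error 1062).
            $null = & sc.exe $unc stop $ServiceName
            $stopExit = $LASTEXITCODE

            # 3) Read back the numeric codes, which do not depend on the
            #    display language: START_TYPE 4 = disabled,
            #    STATE 1 = stopped, STATE 3 = stop pending.
            $qc = (& sc.exe $unc qc $ServiceName) -join "`n"
            if ($qc -match 'START_TYPE\s*:\s*(\d+)') { $startType = [int]$Matches[1] }
            $q = (& sc.exe $unc query $ServiceName) -join "`n"
            if ($q -match 'STATE\s*:\s*(\d+)') { $state = [int]$Matches[1] }
        }

        # One record per host. A non-zero ConfigExit usually means the host
        # was unreachable, access was denied, or the service does not exist,
        # so those machines still need attention.
        [pscustomobject]@{
            Computer   = $target
            ConfigExit = $configExit
            StopExit   = $stopExit
            StartType  = $startType
            State      = $state
            Compliant  = ($startType -eq 4 -and $state -in 1, 3)
        }
    }
}

# Usage: feed it the machine list produced in steps 1 and 2 of the post.
if (Test-Path .\messengerActive.txt) {
    Disable-RemoteService -ComputerName (Get-Content .\messengerActive.txt) |
        Sort-Object Compliant, Computer |
        Format-Table -AutoSize
}
```

Hosts that come back with Compliant = False are the ones to chase by hand or re-run against once they are back on the network.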

    2. Re:Domain-wide service management by skt · · Score: 1

      Yes, I like the ps utilities, glued together with perl, for quick-and-dirty software deployment and reporting also. The nice thing about the set is that it works with the native NT/2000/XP operating systems without the requirement of third-party software.. in a domain environment it inherits all security.

      I have used these for hardware reports, hotfix deployment, and desktop support (pslist/pskill/psinfo).. Lately I have been using Sysinternal's psutilities a LOT, it is definitely one of the best sets of CLI utilities I have seen for Windows.

  102. Good riddance to Messenger service! by rkodama · · Score: 1

    It won't stop me from patching, but the only "use" I've found for the Messenger service is for spammers to send me annoying popups. At least browser popups require some action on my part (viewing a web page), but these Messenger popups come out of nowhere. So I say disable Messenger and forget about it if you haven't already.

  103. Re:RPC worm (Secure the perimeter) by Minna+Kirai · · Score: 1

    have no power over how it's implemented.

    They have POWER. They have $40 billion dollars of liquid power.

    It's a free market. Microsoft(tm) should be able to either pay Akamai to use Windows(r) servers, or go to another company that does.

    And if there's no company that does, it tells us a salient fact about the suitability of Windows for critical, high-capacity servers.

  104. Duh! by Dman33 · · Score: 1

    Upgrade! Don't you love how you are forced to use the latest-and-greatest? 98 is retired, get XP or 2k

  105. Re:That's hilarious (dolt) by phippy · · Score: 1

    Hello.

    Why do people find it necessary to make linux/windows comparisons every time there is a security issue out, instead of a more productive discussion about the vulnerability itself ?

    Do we remember or care about those incidents and vulnerabilities ? Of course. Does any serious admin recognize the security history of any OS that he runs ? Of course. I'm well aware of the amount of patches there are for the many OSs I run.

    Will there always be people on slashdot such as yourself posting irrelevant sidenotes designed to start an argument with an obviously biased audience ? Apparently, *you* are proof of that.

    Getting the slashdot crowd to argue with you about the security of Linux and Windows is about as challenging as guessing the color of the sky.

    You must feel so proud of yourself.
    Next time, try posting a comment that is productive.

    p.s. the number of posted patches for OSs means nothing when used in arguing the security of an OS, because the severity of each has implications depending on too many variables. (application, use, adoption, vendor, etc.)

  106. Similar.... by Dman33 · · Score: 1

    On Tuesday, I got two new servers in. Both came pre-loaded with Win2K3 Server. Naturally, I decided to update them before putting them in production... I hit MS Update, left all of the default Critical patches and let it install them. On bootup, BSOD; reboot, BSOD; reboot, BSOD etc etc....

    Had to re-install the damn thing...

  107. This is getting costly by nyc_paladin · · Score: 1

    I manage a small IT staff with limited resources and keeping up to date with all of these security fixes is getting costly. Instead of working on projects to improve my systems. I really have to switch over to linux.

    --
    All that is necessary for the triumph of evil is that good men do nothing. --Edmund Burke
  108. DON'T TOUCH THEM by Gumpy · · Score: 1

    Well it looks like you're screwed if you do and screwed if you don't!

    Just applied them to one of our w2k DCs and it's FUBAR!

    gonna try and revert one at a time and see what went wrong... meanwhile I have too many lusers screaming...

  109. And I thought i was practicing safe computing by penguin_powr · · Score: 1

    Well, it makes sense, after getting all those pop up ads to visit porn sites through the messenger service, that it finally catches up with me and i get a virus.

  110. You miss point #3 completely. by porkchop_d_clown · · Score: 1

    If they're spending all their time patching, they don't have any time to fix the underlying problem.

  111. Any useful software firewalls for XP? by steveha · · Score: 1

    I have friends who run XP, and I want to help them secure their systems. I'd like to know what software firewalls people recommend for XP.

    Every time Zone Alarm gets mentioned, someone says "don't use that, it sucks." So I guess not Zone Alarm.

    How about the software firewall that is included with XP? Is that any good? (I hope so, because I don't want to make my friends spend money. Free-as-in-beer is a good thing.)

    How about Norton Internet Security? BlackIce Defender?

    steveha

    --
    lf(1): it's like ls(1) but sorts filenames by extension, tersely
    1. Re:Any useful software firewalls for XP? by SharpFang · · Score: 1

      What about setting up 486 or pentium with Linux or BSD as firewall? Cheap, effective, stable and doesn't create any CPU overhead in the windows machine :)

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  112. Re:Yet Another Critical Linux Flaw! by TaranRampersad · · Score: 1

    " Sure, like everyone is going to get out the source code, go through it to understand it and then code up the fix. Not !!"

    It's that sort of response that reflects the inherent cultural problem with regard to computer security. If you don't want to fix it when you can - well, shucks. Pay someone else to do it. Or sit around and wait for patches. Your choice.

    "What's the point of having these news articles warning about MS exploits ? And don't tell me that it's so you can protect your own systems. If you want people to protect the *nix systems then put those warnings up instead. In the previous two weekly CERT warnings there was something like nine Linux warnings and virtualy no MS ones"

    Good question. Ask CERT why they stopped bothering with Microsoft warnings.

    "You just get that warm feeling kidding yourself that Linux is better but you'd get that same feeling pissing your pants."

    Though I didn't say GNU/Linux was better, your retort shows a prejudice for anyone who speaks a similar opinion. Perhaps you're not reading very well. That may explain your potty humor as well.

    However, can you say that one company being responsible for patching the majority of software in the world is a good thing? Maybe YOU think so, but there are a lot of people that disagree. I just sounded off. You did too. I decided that your ideas, propped up with a urine fetish, were thoughtful reflections without substantial understanding.

    "You'd all be better off spending the time cross-training to Microsoft platforms for when people get wise to the Linux 'benefits' rather than repeating the same old crap about how bad MS code is."

    I write and edit articles related to IT certifications, and was heavily into Microsoft coding for about 12 years. Not VB either. Perhaps you're a disgruntled VB 6 developer who doesn't have a target for his angst because you still have candles lit at your altar of Gates?

    So I respond: Get to know GNU/Linux. Get to know BSD. Get to know who to call when you need things fixed.

    You come to Slashdot, which deals with thousands of trolls a day - and can handle such posts as your own with disdain. LAMP, kiddo. LAMP.

    Have a nice day. I'd advise taking a nap.

  113. And Now Microsoft Announces by Master+of+Transhuman · · Score: 1

    a NEW "security initiative"!

    It's deja vu time!

    It's January 2001!

    I'm so disoriented!

    Microsoft plans Windows overhaul to fight hackers

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  114. Nightmare Scenario by Maxwell'sSilverLART · · Score: 1

    Here's a thought for ya. Culled mostly from other posts here on Slashdot, with a little bit of glue code to really make it hurt.

    Take, say, Nachi. Exploits a remote roothole to infect without any interaction from the user. Now, write it so that it doesn't crash the system (which it doesn't; Nachi applies the patch to close the hole behind itself, then starts blast-casting itself). You now have a system that will run arbitrary code for an indefinite period of time. So far, nothing new. Here's the scary part:

    The arbitrary code wipes your drive. As pointed out in this post (I don't vouch for its veracity; I'm not a programmer, 'specially not in ASM), the code to wipe a drive is about 12 lines of ASM. You could also mess with the BIOS.

    Now, put that code on a delay of random(1-5) days from date of infection, so it doesn't get caught immediately. Also, add a two or three days from the time of initial release to give it some spreading time before anything starts getting deleted. This way, it propagates thoroughly before people really know what's going on. All this time, it should be blast-casting itself to infect as many hosts as possible.

    Now, the really fun part: when it infects a host, it should open a port (possibly random) and run a daemon to listen for incoming connections. As the infected system broadcasts itself, it should modify the code with its own IP address. The new client will then call home, back to the machine that infected it, to check on its status. If the host is unreachable for, say, two hours, it should assume that its parent has been discovered, and that efforts are underway to clean it. (It should try to contact the server upon initial infection to ensure there's a path back, to prevent premature triggering as a result of NAT, firewalls, etc.) It should also look for attempts to find its directory, run virus scanners, patch the original hole, disconnect it from the network (have it ping its router or somesuch), etc. If it detects a threat to itself, it will run its payload immediately, destroying the data on the machine, preferably in a manner such that recovering the virus code will be impossible (to slow reverse-engineering); possibly combine with encrypted code and cryptographic wiping. You could also pass data to it through this connection, to change the code or give immediate execution instructions. This would have to be done carefully, lest a bad host or a dialup user trigger premature execution.

    For bonus points, have the virus silently make minor changes to files, instead of simply wiping the drive. Maybe some of those changes can make it to the backup snapshots before things are discovered. Depends on which is more damaging. Alternatively, write a client that will run for an hour, change a few files and infect the world, then securely delete itself (but leave the hole open), so that the damage, and even the infection, goes unnoticed.

    This is a hardcore malicious attack. So far, everything's been skript kiddiez, just playing around. Anybody who's going to write something like this is going for the jugular, so assume he'll do the same thing for the initial infection. Give him about three dozen people (hrm, where could we possibly find three dozen people who'd like to bring the USA to an economic standstill?) armed with laptops with ethernet and 802.11b connections. Send a half-dozen to Washington, DC; New York; Dallas; LA; and Seattle with a list of wireless hotspots (go through the airports: business travellers with laptops. Score!) and public access areas (libraries, universities (the student union and libraries are popular places to have open access), Starbucks, and cybercafes). Send the rest out roaming; universities are great (University of Oklahoma has publicly-avialable connections in the union, both wired and wireless). Have them all start operating at about the same time, and infecting every available host. Hitting laptops and suc

    --
    Moderate drunk! It's more fun that way!
    1. Re:Nightmare Scenario by SharpFang · · Score: 1

      the code to wipe a drive is about 12 lines of ASM

      But the operation takes quite a while. Enough to start suspecting something went "very wrong" and to disconnect the drive before all the data gets destroyed. But "random shooting" - erasing randomly picked sectors of the drive may pass unnoticed for quite a while, while most of sensitive data is damaged. Note for a program to stop working, a few bytes missing is just enough. For a compressed file, it's often "lethal" (bad CRC), for database entry - what worth is a database with corrupted data? The damage spreads way faster. It's not that "20% of the files is erased, the rest is untouched". It's "95% of the files is corrupted in various degree."

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  115. Re:Bin Laden by rifter · · Score: 1

    Would this be the same Bush from the Bush family that were VERY friendly with the Bin Laden family all those years ago?

    They still are. In fact Bush Sr. works as a consultant to the Bin Ladens. Bush Jr. has declared the Bin Laden family and their connections to the Bush family off limits to all investigation as well.

  116. Is this related... by LionMage · · Score: 1

    ...to the recent crap-flood of viral/Trojan e-mails bearing Microsoft's logo and purporting to be network security updates?

    I'm not suggesting that the e-mails are legitimate security updates (they're not), only that maybe this recent official security update is somehow a response to this latest rash of opportunistic virii/Trojans.

    The flood of bogus viral e-mail is bad enough, and thankfully my Mac is immune to Wintel viruses, but the sheer volume is affecting me by displacing legitimate e-mail in my inbox. It's put me over quota once already.

  117. Re:Already patched ........ by blibbleblobble · · Score: 1

    "From a 9.1 install you most likely have openssl updates to perform....oops."

    Right. As opposed to a Windows install, where you have a few upgrades of your own to perform.

    The people running university computing labs have noticed that if you leave a default Windows2000 installation connected to the internet for long enough to download the upgrades, you're likely to have already been infected by one of several Win2K worms which can install without user interaction using the messenger service. Some people had so much trouble keeping new Windows PCs working for long enough to update (during the peak of these viruses) that they had to download the upgrades from other people's computers.

    (The people who knew how to switch Windows Messenger off and install the firewall or already had the update CDs, these people are probably administering other people's Windows computers, not using their own)

    In comparison, somebody using an old version of Mandrake could get a denial-of-service if they use SSL connections and the server they connect to specifically attacks them. So I can probably just about manage to upgrade the packages without having to worry about the system rebooting.

    Looks like OpenSSL upgrades it is then...

  118. overflow in help and support by windex82 · · Score: 1

    phew, took me a couple minutes to pick my self off the floor after that fit of laughter...

  119. Warning about this update by MrLint · · Score: 1

    This update has a serious problem. I had the *exact* same symptoms as this guy.. be warned!

  120. In other news... by GunFodder · · Score: 1

    In other news, the sun came up this morning. The sky is blue, and Microsoft bashers flocked to Slashdot all day.

    Microsoft releases security patches nearly every damn week. When are we going to stop reporting non-news from companies just because we like to bitch about them in public?

  121. Re:Questions that I Microsoft's page does not answ by RoundSparrow · · Score: 1


    "Gold" is an older industry term. It has been replaced with "RTM".

    "Final (after beta) retail release" is what it means.... in the context you describe, I would say they mean "prior to SP1"?

    Just speculation.

  122. Domino Administrator jobs by solprovider · · Score: 1

    Your search - Domino Administrator wanted - did not find any openings.
    --Monster.com


    Monster.com has 26 jobs listed.
    Dice.com has 20 jobs listed.
    JustNotesJobs.com has 16 jobs in the U.S.

    If you are going to troll, at least do it correctly.

    ---
    The problem with finding Domino Administrator jobs is:
    1. The people in those jobs are rather highly paid for a computer administration position. In 2000, Certified Lotus Professional System Administrators averaged $89,000.
    2. They do not need to worry about viruses beyond choosing and installing a mail filter/virus protection, since no viruses have hurt Lotus Notes yet. The virus protection checks those virus-prone Word files, and helps if users are using MSOutlook as the mail client.
    3. The number of administrators needed for a company running Notes and Domino is much less than the same company running Exchange. This is anecdotal from personal experience. I know a 500 person company that grew from one person doing Notes Admin work part-time in a computer department of 2 people to 2 full-time Exchange Admins with 10 people in the computer department, at a time when the company was shrinking. A 30,000+ employees company went from 10 Notes administrators maintaining their own servers to 60 Exchange administrators with the servers maintained by a different group. This is only the Administration side, application development costs skyrocketed while application rollouts almost disappeared after the switch.

    Domino Administrators are happy, and companies of any size do not need very many of them. There is little turnover, and so there are few jobs to be filled. (Besides, who is going to quit with today's job market?)

    ---
    To be on-topic, Lotus/IBM releases updates at least quarterly. The updates usually add functionality, and fix crashes due to very unique circumstances. I only remember 2 that were for security issues. One was only an issue if the option to use MSIE as the browser was selected. The other was only an issue if Notes Designer was run in a certain configuration without a firewall. None of the updates are "critical". I just upgraded one large company's server from Domino 5.0.2 because the hardware was being replaced.

    To be fair, while Domino is a platform, it is not an OS. It relies on Unix, Linux, or MSWindows for its file protection. If you are running MSWindows, you may need some of these patches. Then again, if Domino is only running mail, web applications, and Notes client applications, you can turn off most of the vulnerable MS services.

    --
    I spend my life entertaining my brain.
  123. Exchange server DOS by planckscale · · Score: 1
    After our exchange server died today, I read of a Cert advisory of possible SMTP denial of service attack. We downed the server and now we're looking at traffic at our router. Too early to say, but has anyone else been hit by DOS on their exchange servers today?

    --
    Namaste
  124. IT Pros complain about the frequency by kylef · · Score: 1

    Joe User doesn't complain about the frequency of patches. IT pros are the ones who bitch about the frequency of patches. In this case, Microsoft is absolutely responding to pressure from its large customers.

    When the CTO of a Fortune 50 company calls up Steve Ballmer and says, "How are you going to compensate us for all this time we're wasting deploying patches from you every other week?" you can bet that MS is going to come up with a way to ease that burden, or lose another customer to Linux.

    They're trying to ease the IT burden by aggregating the patches into monthly releases (whenever exploits aren't already present) so that Admins have adequate time in between releases for testing, deployment, and preparation for the next batch of updates. It's a queueing mechanism, essentially.

    1. Re:IT Pros complain about the frequency by Ozymandias1350 · · Score: 1
      Joe User doesn't complain about the frequency of patches.

      Uh, actually, Joe User does complain about patches. See that whole thing in my comment about "my clients", "dial-up connections", etc. What in that gave you the impression my clients were IT Pros? I specialize in working with small businesses, mostly non-technical small businesses at that. And they frequently complain about the number and the size of the patches from Microsoft.

    2. Re:IT Pros complain about the frequency by kylef · · Score: 1

      I completely disagree. Joe User does NOT complain about patches. Joe User doesn't even know that patches exist, and this is a demonstrable (if unfortunate) fact.

      You're vastly over-estimating the vast majority of computer users out there. Anyone earmarked for installation of patches on business machines has enough training to be considered an "IT Guy." Maybe not a Pro. But of course, anyone performing this operation on a number of machines is exactly the audience Microsoft is attempting to satisfy by rolling out patches on a monthly basis.

      Why on earth do you think they sat on 4 critical updates until the middle of the month, and then issued a press release simultaneously mentioning that they were switching to a monthly schedule? You think they're ignoring their primary business customers? Hardly.

      This is a classic case of being damned if they do, and damned if they don't. If they release patches as they come out, people say "Ooooh, oooh, my poor rollout schedule, I just got done deploying the last patch and here comes another just to spite me!" If they release patches monthly, people complain "Oooh, oooh Microsoft is withholding critical updates and making me insecure!" I'm tired of all this freaking complaining.

  125. Re:My older running applications relies on 'net se by Otto · · Score: 1

    My college computer labs had the same sort of thing hooked into the print spool. When you printed a document, it went into the spool. When it was finished printing, a "net send" type of message got sent to your workstation saying that your document was now in the printer tray.

    It has its uses, but it should never have been bound to the IP connection by default, without some kind of safeties.

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
  126. Re:Already patched ........ by tomstdenis · · Score: 1

    I totally agree that in that respect windows is flawed. It should have come out of the box with its services disabled. But that isn't good marketing...

    That being said I've installed windows a-many times and have yet to get infected with anything. Sole reason....firewall. I don't let every yahoo and nutjob from the web send my machine packets which means I'm fairly invulnerable to these lame attacks. I still patch my box but I don't worry about it as much.

    Tom

    --
    Someday, I'll have a real sig.