Slashdot Mirror


Yet Another Critical Windows Flaw

Dynamoo writes "Microsoft released yesterday a whole bunch of critical security updates. Out of these, MS03-043 is a flaw in the Windows Messenger Service (not MSN Messenger) with the possibility of a remote attacker gaining complete control of a Windows NT/2000/XP/2003 based PC remotely. If this sounds like another possible vector for a worm to spread, you'd probably be right. Microsoft's recommendation is to 'disable the Messenger Service immediately and evaluate their need to deploy the patch'. Of course a firewall will offer some protection but shouldn't be relied on. At least administrators can disable the Messenger Service remotely. Of course this is another headache for admins still patching for last month's RPC flaw."

31 of 511 comments

  1. Re:Too bad it's such a pain in the ass... by Short+Circuit · · Score: 2, Interesting

    The average user thinks their computer runs "Microsoft."

    Take that from a guy in tech support.

  2. Call to worm developers!! by borgdows · · Score: 2, Funny

    This time, please do something really useful, not only doing such silly things as DoS'ing windowsupdate.

    You can, for instance, delete necessary files for the Internet connection... in this case Microsoft will be in *real* shit if nobody can connect to the internet to download patches!
    They'll maybe have to send MILLIONS of CDs by mail!

    Therefore, people will be *really* annoyed and may think it's time to switch to another more reliable OS.

  3. Windows SUS by GangstaLean · · Score: 4, Informative
    Admins on sites exceeding 10 or so workstations may want to look into Windows SUS. Software Update Services (SUS) gives the capability of integrated patch management and centralized patch distribution. This is sort of along the lines of RHN with a centralized console for distributing through a domain.


    It's useful.

    --
    -- Bird in the Bush: The Renewable Energy Blog http://www.birdinthebush.org
    1. Re:Windows SUS by mr_z_beeblebrox · · Score: 2, Informative

      Any ideas anyone?

      Read this over and be sure that you understand what it does before you try it, better yet see if you can find it independently. Applying a registry patch from /. would be silly in the extreme. Here is the registry entry:

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
      "WUServer"="http://your.server.com"
      "WUStatusServer"="http://your.server.com"

      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
      "RescheduleWaitTime"=dword:00000005
      "NoAutoRebootWithLoggedOnUsers"=dword:00000001
      "NoAutoUpdate"=dword:00000000
      "AUOptions"=dword:00000004
      "ScheduledInstallDay"=dword:00000000
      "ScheduledInstallTime"=dword:00000003
      "UseWUServer"=dword:00000001

      Save that to a file called wu.reg or whatever.reg and then merge it with your registry.
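      The same policy values, applied from PowerShell instead of merging a .reg file, as an added example that is not part of the original comment. It writes the keys the snippet above describes, then reads them back and fails loudly if the client is not actually pointed at the internal server. The server URL is a placeholder you replace with your own.

```powershell
# Added example, not from the original post: apply the SUS client policy from the
# .reg snippet above with PowerShell, then verify it. Run as an administrator.
# Assumption: http://sus.example.internal is a placeholder for your SUS server.
$SusServer = 'http://sus.example.internal'

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

# Create the policy keys if they do not exist yet; -Force makes this idempotent.
New-Item -Path $wuKey -Force | Out-Null
New-Item -Path $auKey -Force | Out-Null

# Point the client at the internal server for both downloads and status reports.
Set-ItemProperty -Path $wuKey -Name 'WUServer'       -Value $SusServer -Type String
Set-ItemProperty -Path $wuKey -Name 'WUStatusServer' -Value $SusServer -Type String

# Automatic Updates behaviour, same values as the .reg snippet:
#   AUOptions 4                     = download automatically, install on the schedule below
#   ScheduledInstallDay 0           = every day
#   ScheduledInstallTime 3          = 03:00 local time
#   NoAutoRebootWithLoggedOnUsers 1 = do not reboot while someone is logged on
#   UseWUServer 1                   = use WUServer instead of public Windows Update
$auValues = @{
    RescheduleWaitTime            = 5
    NoAutoRebootWithLoggedOnUsers = 1
    NoAutoUpdate                  = 0
    AUOptions                     = 4
    ScheduledInstallDay           = 0
    ScheduledInstallTime          = 3
    UseWUServer                   = 1
}
foreach ($name in $auValues.Keys) {
    Set-ItemProperty -Path $auKey -Name $name -Value $auValues[$name] -Type DWord
}

# Read back and verify. A typo in the URL or a missing UseWUServer=1 silently
# leaves the client fetching from Microsoft's public servers, which is exactly
# the case this policy is meant to prevent.
$wu = Get-ItemProperty -Path $wuKey
$au = Get-ItemProperty -Path $auKey
if ($au.UseWUServer -ne 1 -or $wu.WUServer -ne $SusServer) {
    throw "SUS client policy not applied as expected on $env:COMPUTERNAME"
}
'{0}: WUServer={1} AUOptions={2} install daily at {3:00}:00' -f `
    $env:COMPUTERNAME, $wu.WUServer, $au.AUOptions, $au.ScheduledInstallTime
```

      The verification step matters more than the write: the registry accepts any value without complaint, so a machine that still talks to the public Windows Update looks identical to a correctly configured one until you read the policy back.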

    2. Re:Windows SUS by Zeddicus_Z · · Score: 5, Insightful
      We use SUS at work to distribute patches to around 60 desktops. While it's certainly nice to not have to go desk-to-desk doing this manually, SUS has some major drawbacks.
      • Bad patch verification. Like WindowsUpdate, SUS relies on a registry entry to check successful installation of patches. As many admins have discovered over the past few months, this method of patch verification is highly flawed and results in many, many cases of false negatives when searching for vulnerable workstations.
      • OS patches only. SUS does OS patches. Great. Now what about Office, which is also installed on every desktop in our company?
      • Patch reliability. Even if SUS was vastly improved, the sad fact of the matter is that MS patches are still capable of doing severe damage to the target system. It's not like there are no past examples of patches and/or service-packs f$*king up machines. Until the patching process becomes not only dead easy, but also bulletproof RELIABLE, servers (esp. critical infrastructure machines) will continue to need manual patching. Considering many larger companies can have hundreds of servers across the organisation, it becomes one hugeass timesink.
      • Other pitfalls. There are many, MANY other options missing that would make life for administrators much easier - such as forcing reboots for patched machines, the ability to stagger deployment using only one SUS server (by using, say, MAC addresses or NetBT/DNS hostnames), the ability to detect mobile users (via a configurable registry setting on the client end) and *force* them to patch immediately upon connecting to the LAN based upon past percentage hit-rate for successful patching (i.e. machine was turned on and connected to LAN) at the regular scheduled time.
      SUS is nice to have, but it's certainly not set-and-forget as it SHOULD be - at least on the client end of things. There is a long way to go with SUS before it begins to approach something that makes a significant impact on the nightmare that is Microsoft patching. But of course the problem with hoping SUS gets better is that SMS and MOM exist... and unlike SUS, neither of those are free.
      --
      Janie took my gun...
    3. Re:Windows SUS by Eraser_ · · Score: 2, Interesting

      Don't forget the installer. We have a server here running IIS with some strange application inside of it (Riverdeep). I read through all the readmes for SUS, and it said "don't worry, we only create a new site called SUS blah blah blah", and it's recommended, not required, to install IIS Lockdown. You can get that here.

      Sounds cool to me, I run the installer, and it does as it's told, but then proceeds to IIS Lockdown my server, breaking the application that was running on it. Uninstalling IISLockdown and SUS does _not_ fix the problem. Thanks Microsoft, when do we get chroot for Windows. Oh, but it will still need to install 400 megs of cruft into root-c:\winnt.

  4. Slashdot Moderation by sylvester · · Score: 2, Insightful


    Hey what's the deal with slashdot moderation? I used to read at +5 but now there're barely any comments there. I know this is offtopic, but did I miss a story about major changes or something?

    1. Re:Slashdot Moderation by Jellybob · · Score: 4, Informative

      They're having problems with some of their machines, including the one which distributes mod points, running slow.

      Which means that mod points aren't being given to as many people, which means there's less around to take things to +5.

      More details in Taco's Journal.

  5. Re:Too bad it's such a pain in the ass... by Jesrad · · Score: 2, Insightful

    Wrong! Every support tech will tell you users don't think. At all.

    --
    Maybe we deserve this world?
  6. Re:Too bad it's such a pain in the ass... by general_re · · Score: 4, Informative
    It could probably be somewhat simpler to disable it, but it's not all that bad. What they could do better is make sure that people know the difference between the Messenger service and the MSN Messenger app, as you seem to suggest.

    Anyway, in case anyone's reading this and doesn't know how to disable Messenger, go to Start -> Settings -> Control Panel -> Administrative tools -> Services. Right-click on Messenger and pull up the properties sheet. On the "general" tab, select "disabled" for "Startup type". Then hit the "Stop" button right under that on the "general" tab to stop the service if it's currently running. That's for 2K - I assume XP is similar.

    --
    ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
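    The same procedure done from PowerShell, locally and on a list of remote machines, as an added example that is not from the original comment. It targets the Windows Messenger service (service name Messenger), not MSN Messenger, sets it to Disabled so it stays off after a reboot, stops the running instance, and reports anything that is still enabled or running. The computer names are placeholders; PowerShell Remoting is assumed to be enabled on the targets, and the StartType property needs Windows PowerShell 5 or later.

```powershell
# Added example, not from the original comment: disable and stop the Windows
# Messenger service (the NT/2000/XP/2003 net-send service, not MSN Messenger) on the
# local machine and on a list of remote machines, then report the result.
# Assumptions: $Targets holds placeholder names; PS Remoting is enabled on them.
$Targets = @('WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02')

$disableMessenger = {
    $svc = Get-Service -Name 'Messenger' -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Vista and later do not ship this service at all, so there is nothing to do.
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Present = $false; StartType = $null; Status = $null
        }
    }
    # "Disabled" survives reboots; Stop-Service ends the instance running right now.
    Set-Service -Name 'Messenger' -StartupType Disabled
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name 'Messenger' -Force }
    $svc.Refresh()
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Present   = $true
        StartType = $svc.StartType
        Status    = $svc.Status
    }
}

# Run locally first (enough for a single box), then fan out to the remote list.
$results = @(& $disableMessenger)
$results += Invoke-Command -ComputerName $Targets -ScriptBlock $disableMessenger `
    -ErrorAction Continue

$results | Format-Table Computer, Present, StartType, Status -AutoSize

# Anything still enabled or running needs a closer look: access denied, a policy
# re-enabling it, or a stop that timed out.
$results |
    Where-Object { $_.Present -and ($_.StartType -ne 'Disabled' -or $_.Status -ne 'Stopped') } |
    ForEach-Object { Write-Warning "Messenger still enabled or running on $($_.Computer)" }
```

    Stopping the service alone is not enough, which is why the script sets the startup type first: a service left on Automatic comes straight back at the next reboot.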
  7. Re:In a way, it is a good thing... by quigonn · · Score: 4, Funny

    A friend of mine recently said: "the only way to get a security hole fixed in Microsoft software is to write a worm that exploits it".

    --
    A monkey is doing the real work for me.
  8. RPC worm (welcha!) by tonywestonuk · · Score: 4, Interesting

    So I installed W2k for a friend a few days ago - connected to the internet to get the RPC patch, and got infected with this worm in under a minute - not even time to get the update!...

    Now, getting rid of the worm is annoying, but is easily done. Can you imagine, however, the chaos if the author of the worm also put nasty BIOS flashing code into it... Millions of PCs would be heading for the dumpsta! Shops/businesses/transport/universities would all end up grinding to a halt, the economy would be up shit creek, and for a few weeks anyhow there would be a huge shortage of PCs through people panic buying new units - hardware prices would soar.... (good time to buy Dell stock maybe?)

    Tony.

    1. Re:RPC worm (welcha!) by trikberg · · Score: 2, Insightful

      So I installed W2k for a friend a few days ago - connected to the internet to get the RPC patch, and got infected with this worm in under a minute - not even time to get the update!...

      And that's why you should have installed a software firewall, such as ZoneAlarm, from CD before connecting to the internet.

      While you're at it install a decent browser and e-mail client from the same CD before your friend has a chance to start using IE and Outlook (Express).

      --
      This post is free (as in cheese in a mousetrap).
    2. Re:RPC worm (welcha!) by muffen · · Score: 2, Insightful

      Can you imagine however, the chaos if the author of the worm also put nasty BIOS flashing code into it... Millions of PCs would be heading for the dumpsta!

      Virtually every BIOS has protection against this since the CIH days (doesn't mean people enable it, but it's there). Furthermore, instead of throwing away a PC with a flashed BIOS, you can give it to me. It won't cost me more than $5 to get it fixed!

      I agree that these flaws are bad, but no need to make it worse than it already is.

      So I installed W2k for a friend a few days ago - connected to the internet to get the RPC patch, and got infected with this worm in under a minute - not even time to get the update!...

      All you have to do is change one registry key (enableDCOM) from YES to NO. That way, you're "protected" without having the patch.

      My PC is running with just over 10 services enabled. After all these flaws, I realized it was safer to simply disable anything non-critical. I don't like Windows anyways, just have to use it for work :/

    3. Re:RPC worm (welcha!) by rgmoore · · Score: 2, Insightful

      If the worm flashed the BIOS, wouldn't that tend to destroy its hosts and thus slow down the infection? This is one more place where knowing biology can be helpful in understanding computer diseases. Diseases that are promptly fatal tend to be self-limiting because they kill off their hosts before they have much time to spread. Most successful diseases are either not uniformly fatal or at least take long enough to kill that their host has plenty of time to infect others. This is why many types of malware with destructive payloads will have a built-in delay before blowing up; otherwise they'd kill themselves before managing to infect enough computers to cause real havoc.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.

  9. Excuse me, Sir... by AriesGeek · · Score: 2, Funny
    I checked my Windows XP installation and it has had the patch applied since July 8, 2003.

    Could I get your IP address please?

    --
    Insert offensive troll-style sig here. Please mod or respond appropriately.
  10. Re:Too bad it's such a pain in the ass... by mst76 · · Score: 2, Funny
    What functionality do you lose when disabling the service? Is it one of those that never need to run, ever?
    You lose the ability to receive winpopup spam.
  11. In other news by zakezuke · · Score: 3, Funny

    Microsoft discovered a MAJOR flaw in their naming convention. It seems it's far too easy to confuse MSN Messenger with Windows Messenger, due in part to the fact that they are both called Messenger, and also due to the fact that Windows Messenger isn't widely used, except by sys/net admins telling their users the system is going down.

    Getting users to actually perform updates when they don't have the ability to tell the difference between the different products has proven to be most troublesome to Microsoft.

    This flaw was noticed by technical support when users asked for assistance with "outlook" not knowing that "express" was a different product. Not to speak of the differences between Windows Explorer, Microsoft Explorer, and the new hardly-ever-works MSN Explorer.

    "The idea that users know the difference between Windows, Microsoft, and MSN is ridiculous" --- typical power user.

    A new convention is required based on the following facts

    Windows - the operating system side of things
    Microsoft - the software side of things, stuff you actually use
    MSN - the ISP side of things, fluffy click shit that causes your computer to crash and burn.

    Renaming should be as follows

    Don't touch me crap - reserved for operating system level software
    Play with me crap - the software you typically get to do stuff
    Can't do crap - the stuff internet related that never works right

    Now saying that there are patches for the "don't touch me crap messenger" has some meaning to the average user, vs their "Can't do crap Messenger" product.

    This message was brought to you by Microsoft Crap, where did your document go today?

    --
    There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
  12. Average Joe is why this is really bad by HighOrbit · · Score: 4, Interesting

    A few months ago, my sister-in-law and her husband bought a new computer (loaded with XP as most are). They are average users: they browse the www, send email, write letters, and play games. They know how to use their box, but they don't know how to administer it. So everything that was shipped as default was still default - including the messenger service. They are on cable modem and were getting constant popups (and I mean constant, like one every 30 seconds) over the messenger service. Now multiply that by millions of people and you have millions of potential DDOS zombie machines, or spam spewers, or any other nasty (or illegal) thing you can imagine.

    It is time for MS to immediately change the default shipping configuration of XP to turn every service off by default, because no desktop should be listening on any tcp by default. If that means they need to recall and replace all the master disks that they license to OEMs, then they need to do it. They need to have every major retail outlet yank all the shrink-wrap boxes and replace them with new ones with secure default configurations. MS is sitting on $46 million in cash, so they can easily afford this expense as chump change. It's just a question of whether they are willing to admit fault and buck up for failing their customers or if they are too greedy to spend some of their hoarded wealth.

    1. Re:Average Joe is why this is really bad by 1s44c · · Score: 2, Insightful

      MS is sitting on $46 million in cash

      It's true, but they really don't want to spend the monthly cola budget on silly things like security.

      Microsoft sell things by good marketing, not by having good products.

  13. Re:Yet Another Critical Linux Flaw! by jweatherley · · Score: 2, Informative

    Kernel32.dll is not the Windows kernel - that would be ntoskrnl.exe. Kernel32.dll contains the Win32 functions.

    --
    Reverse outsourcing: it's the future
  14. Another rabid submitter gets it wrong by Call+Me+Black+Cloud · · Score: 2, Informative

    Microsoft released yesterday a whole bunch of critical security updates.

    Their new policy is to release monthly updates unless an exploit already exists, in which case a patch is immediately released.

    Out of these, MS03-043 is a flaw in the Windows Messenger Service ... Of course a firewall will offer some protection but shouldn't be relied on

    You don't know what you're talking about, submitter Dynamoo. Please, tell us why one shouldn't rely on a firewall? If you read the technical documentation about the flaw you see "If users have blocked the NetBIOS ports (ports 137-139) - and UDP broadcast packets using a firewall, others will not be able to send messages to them on those ports." (under "Technical Descriptions"). I think I'll ignore your advice and keep a firewall in place, no matter what OS I'm using.

  15. MS flip-flops (again) by harley_frog · · Score: 2, Interesting
    Microsoft's recommendation is to 'disable the Messenger Service immediately and evaluate their need to deploy the patch'.

    For over a year now, Leo Laporte from TechTV's The Screensavers has been saying that Messenger Service is a security hole but Microsoft kept saying, "It's not a hole; it's a feature." Guess now Microsoft will turn off Messenger Service by default. Or, maybe not.

    --
    It's all fun and games until someone loses the key to the handcuffs.
    1. Re:MS flip-flops (again) by gorfie · · Score: 2, Insightful

      Before we were told about the Messenger flaw, I don't think the Messenger service was considered a hole. I think it was the fact that spammers were able to send messages to computers remotely using the Messenger service that was INDICATIVE of a hole. Even if they disabled Messenger the problem still existed. It's NetBIOS that's the real problem. Of all the Windows worms that have come out in the past few years, all have relied on NetBIOS, IIS, or Outlook to propagate.

      Most of the people running IIS got a clue and patched (granted some didn't).

      Many running Outlook were aware that they could open viruses just by viewing a message and many of them patched (granted some didn't).

      However everyone running Windows probably has NetBIOS running and all but the Systems Administrators and nerds don't realize that it has numerous holes and can be exploited.

  16. Not so fast... by X86Daddy · · Score: 4, Funny

    At least administrators can disable the Messenger Service remotely.

    If you haven't patched yet, I'm guessing anyone can disable your services remotely. :-)

  17. What? by abulafia · · Score: 2, Insightful
    You fail to back up your title.

    > Microsoft released yesterday a whole bunch of critical security updates.

    Their new policy is to release monthly updates unless an exploit already exists, in which case a patch is immediately released.

    How, exactly, are you contradicting the author?

    > Of course a firewall will offer some protection but shouldn't be relied on

    You don't know what you're talking about, submitter Dynamoo. Please, tell us why one shouldn't rely on a firewall? If you read the technical documentation about the flaw you see "If users have blocked the NetBIOS ports (ports 137-139) - and UDP broadcast packets using a firewall, others will not be able to send messages to them on those ports." (under "Technical Descriptions"). I think I'll ignore your advice and keep a firewall in place, no matter what OS I'm using.

    I don't believe the author is telling you to remove your firewall. The author is saying that it shouldn't be relied upon. There is a significant difference. Because some other machine behind the same firewall might become infected, a firewall is not a perfect measure for protecting against this attack. There's a well-worn phrase for this problem - "crunchy on the outside, chewy on the inside."

    So, again, please explain how Another rabid submitter gets it wrong?

    --
    I forget what 8 was for.
    1. Re:What? by Call+Me+Black+Cloud · · Score: 2, Informative

      a firewall is not a perfect measure for protecting against this attack...Because some other machine behind the same firewall might become infected

      Good point - I was unclear. I should have quoted Microsoft's technical documentation. They specify configuring Windows' built-in firewall to block those ports. If the ports are blocked at each machine then an infected machine behind a hardware firewall will not infect other machines on the LAN.
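      Per-machine rules for the NetBIOS ports the bulletin names (137-139), as an added example that is not from the original comment or from Microsoft's documentation. Blocking these on every host is what turns the "chewy inside" problem around: a peer that gets infected behind the perimeter firewall still cannot reach the Messenger ports on its neighbours. Uses the Windows Firewall cmdlets available on Windows 8 / Server 2012 and later; the rule names are placeholders of my own.

```powershell
# Added example, not from the original comment: host-based inbound block rules for
# the NetBIOS ports (137-139) on each machine, so an infected machine on the same LAN
# cannot reach them even though the perimeter firewall already blocks them from outside.
# Assumption: rule display names below are placeholders; adjust to your naming scheme.
$rules = @(
    @{ Name = 'Block NetBIOS UDP 137-139 (inbound)'; Protocol = 'UDP' },
    @{ Name = 'Block NetBIOS TCP 137-139 (inbound)'; Protocol = 'TCP' }
)

foreach ($r in $rules) {
    # Create each rule only once; re-running the script must not pile up duplicates.
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol $r.Protocol `
            -LocalPort '137-139' -Action Block -Profile Any | Out-Null
    }
}

# Confirm the rules exist and are enabled. A rule that exists but is disabled
# blocks nothing, and that is the state a quick "does the rule exist" check misses.
$state = Get-NetFirewallRule -DisplayName 'Block NetBIOS*' |
    Select-Object DisplayName, Enabled, Direction, Action
$state | Format-Table -AutoSize

$broken = $state | Where-Object { $_.Enabled -ne 'True' -or $_.Action -ne 'Block' }
if ($broken) {
    throw "NetBIOS block rules present but not enforcing on $env:COMPUTERNAME"
}
```

      Note that this only blocks inbound traffic to the ports the bulletin lists; it is a containment measure for the LAN, not a replacement for disabling the service or applying the patch, which is the point the thread above is making.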

  18. Releasing patches too frequently? by hetairoi · · Score: 3, Insightful

    I was just over at the beast reading about the new security bulletin service and came across this under the 'What customers tell us' section:

    Customers are concerned that Microsoft releases security patches too frequently

    Wha?!? So, customers are saying that even if some critical flaw is found, M$ should wait awhile before releasing it because Joe Admin is concerned there are too many patches??

    Come on, if they know something is broke I want a patch ASAP (after proper testing of course). I don't care if they release a patch an hour, if something is broke -- Fix it now, don't wait until next week because you've already released your quota of patches for this week. This sounds like BS to me, maybe M$ just stuck that in as an excuse to not release patches.

    Later they say an exception will be made if they determine the customers are at immediate risk. I'm glad they know my system so well, but really, please just release the patch now and I will decide if MY system is at immediate risk.

    --
    you're all figments of my deranged imagination
  19. Re:Slashdot Moderation (OT) by Jellybob · · Score: 2, Insightful

    I guess we would do, but I doubt it would be a huge problem, since mod points expire anyway.

  20. Context by Short+Circuit · · Score: 2, Insightful

    Context and Guilt by Association. This is Slashdot. Slashdot is very much engrossed with Linux, the Linux community and Open Source.

  21. New Marketing Slogan by cindik · · Score: 3, Funny

    You'll never be locked out with Microsoft. We make windows that anyone can open from the outside.