Yet Another Critical Windows Flaw

Dynamoo writes "Microsoft released yesterday a whole bunch of critical security updates. Out of these, MS03-043 is a flaw in the Windows Messenger Service (not MSN Messenger) with the possibility of a remote attacker gaining complete control of a Windows NT/2000/XP/2003 based PC remotely. If this sounds like another possible vector for a worm to spread, you'd probably be right. Microsoft's recommendation is to 'disable the Messenger Service immediately and evaluate their need to deploy the patch'. Of course a firewall will offer some protection but shouldn't be relied on. At least administrators can disable the Messenger Service remotely. Of course this is another headache for admins still patching for last month's RPC flaw."

Windows SUS

[GangstaLean]

Admins on sites exceeding 10 or so workstations may want to look into Windows SUS, Software Update Services (SUS) gives the capability of integrated patch management and centralized patch distribution. This is sort of along the lines of RHN with a centralized console for distributing through a domain.

It's useful.

Re:Windows SUS

[Zeddicus_Z]

We use SUS at work to distribute patches to around 60 desktops. While it's certainly nice to not have to go desk-to-desk doing this manually, SUS has some major drawbacks.

• Bad patch verification. Like WindowsUpdate, SUS relies on a registry entry to check sucessful installation of patches. As many admins have discovered over the past few months, this method of patch verification is highly flawed and results in many, many cases of false-negatives when searching for vulnerable workstations.
• OS patches only. SUS does OS patches. Great. Now what about Office, which is also installed on every desktop in our company?
• Patch reliability. Even if SUS was vastly improved, the sad fact of the matter is that MS patches are still capable of doing severe damage to the target system. It's not like there are no past examples of patches and/or service-packs f$*king up machines. Until the patching process becomes not only dead easy, but also bulletproof RELIABLE, servers (esp. critical infrastructure machines) will continue to need manual patching. Considering many larger companies can have hundreds of servers across the organisation, it becomes one hugeass timesink.
• Other pitfalls. There are many, MANY other options missing that would make life for administrators much easier - such as forcing reboots for patched machines, the ability to stagger deployement using only one SUS server (by using, say, MAC addresses or NetBT/DNS hostnames), the ability to detect mobile users (via a configurable registry setting on the client end) and *force* them to patch immediately upon connecting to the LAN based upon past percentage hit-rate for sucessful patching (i.e. machine was turned on and conneted to LAN) at the regular scheduled time

SUS is nice to have, but it's certainly not set-and-forget as it SHOULD be - at least on the client end of things. There is a long way to go with SUS before it begins to approach something that makes a significant impact on the nightmare that is Microsoft patching. But of course the problem with hoping SUS gets better is that SMS and MOM exist... and unlike SUS, neither of those are free.

Re:Too bad it's such a pain in the ass...

[general_re]

It could probably be somewhat simpler to disable it, but it's not all that bad. What they could do better is making sure that people know the difference between the Messenger service and the MSN Messenger app, as you seem to suggest.

Anyway, in case anyone's reading this and doesn't know how to disable Messenger, go to Start -> Settings -> Control Panel -> Administrative tools -> Services. Right-click on Messenger and pull up the properties sheet. On the "general" tab, select "disabled" for "Startup type". Then hit the "Stop" button right under that on the "general" tab to stop the service if it's currently running. That's for 2K - I assume XP is similar.

Re:Slashdot Moderation

[Jellybob]

They're having problems with some of their machines, including the one which distributes mod points, running slow.

Which means that mod points aren't being given to as many people, which means there's less around to take things to +5.

More details in Taco's Journal.

Re:In a way, it is a good thing...

[quigonn]

A friend of mine recently said: "the only way to get a security hole fixed in Microsoft software is to write a worm that exploits it".

RPC worm (welcha!)

[tonywestonuk]

So I installed W2k for a friend a few days ago - Connected to the internet to get the RPC patch, and got infected with this work in under a minute - Not even time to get the update!...

Now, getting rid of the worm is annoying, but is easily done. Can you imagine however, the chaos if the author of the worm also put nasty bios flashing code into it... Millions of PC would be heading for the dumpsta! Shops/busnesses/transport/universitys would all end up grinding to a halt, The economy would be up shit creak, and for a few weeks anyhow there would be a huge shortage of PC's through people panic buying new units - hardware prices would sore.... (good time to buy Dell stock maybe?)

Tony.

In other news

[zakezuke]

Microsoft discovered a MAJOR flaw in their naming convention. It seems it's far too easy to confuse MSN Messenger with Windows Messenger do in part they are both called Messenger, also due to the fact that Windows Messenger isn't widly used, except by sys/net admins telling their users the system is going down.

Getting users to actually peform updates when they don't have the ability to tell the diffrence between the diffrent products has proven to be most troublesome to Microsoft.

This flaw was noticed by technical support when users asked for assistance with "outlook" not knowing that "express" was a diffrent product. Not to speak of the diffrences between Windows Explorer, Microsoft Explorer, and the new hardly ever works MSN explorer.

"The idea that users know the diffrence between Windows, Microsoft, and MSN is ridiculous" --- typical power user.

A new convention is required based on the following facts

Windows - the operating system side of things
Microsoft - the software side of things, stuff you actually use
MSN - the ISP side of things, fluffy click shit that causes your computer to crash and burn.

Renaming should be as follows

Dont touch me crap - reserved for operating system level software
Play with me crap - the software you typicaly get to do stuff
Can't do crap - the stuff internet related that never works right

Now saying that there are patches for the "don't touch me crap messenger" has some meaning to the average user, vs their "Can't do crap Messenger" product.

This message was brought to you by Microsoft Crap, where did your document go today?

Average Joe is why this is really bad

[HighOrbit]

A few months ago, my sister-in-law and her husband bought a new computer (loaded with XP as most are). They are average users: they browse the www, send email, write letters, and play games. The know how to use their box, but they don't know how to administer it. So everything that was shipped as default was still default -including the messanger service. They are on cable modem and were getting constant popups (and I mean constant, like one every 30 seconds) over the messanger service. Now multiply that by millions of people and you have millions of potential DDOS zombie machines, or spam spewers, or any other nasty (or illegal) thing you can imagine.

It is time for MS to immediately change the default shipping configuration of XP to turn every service off by default because no desktop should be listening on any tcp by default. If that means they need to recall and replace all the master disks that they license to OEMs, then they need to do it. They need to have every major retail outlet yank all the shrink-wrap boxes and replace them with new one with secure default configurations. MS is sitting on $46 million in cash, so they can easily afford this expense as chump change. It just a question of whether they are willing to admit fault and buck up for failing their customers or if they are too greedy to spend some of their hoarded wealth.

Not so fast...

[X86Daddy]

At least administrators can disable the Messenger Service remotely.

If you haven't patched yet, I'm guessing anyone can disable your services remotely. :-)

Releasing patches too frequently?

[hetairoi]

I was just over at the beast reading about the new security bulletin service and came across this under the 'What customers tell us' section:

Customers are concerned that Microsoft releases security patches too frequently

Wha?!? So, customers are saying that even if some critical flaw is found, M$ should wait awhile before releasing it because Joe Admin is concerned there are too many patches??

Come on, if they know something is broke I want a patch ASAP (after proper testing of course). I don't care if they release a patch an hour, if something is broke -- Fix it now, don't wait until next week because you've already released your quota of patches for this week. This sounds like BS to me, maybe M$ just stuck that in as an excuse to not release patches.

Later they say an exception will be made if they determine the customers are at immediate risk. I'm glad they know my system so well, but really, please just release the patch now and I will decide if MY system is at immediate risk.

New Marketing Slogan

[cindik]

You'll never be locked out with Microsoft. We make windows that anyone can open from the outside.