Looking Back At Windows Security In 2003
thebatlab writes "Help Net Security has an interesting look at security in Windows during 2003, with various blurbs from related parties at Microsoft as well as security 'bigwigs' such as Russ Cooper. It's interesting to read the comments from external parties, as they tend to be very reasoned comments and don't simply attack away over recent 'indiscretions' and 'security lapses' Microsoft has had over the year."
or lack thereof.
When anger rises, think of the consequences.
Confucius (551 BC - 479 BC)
Microsoft have had their share of vulnerabilities over the last year, but not significantly more than Linux has. This kind of article always appears on Slashdot poking fun at Windows security, but Linux is not much better. Apt-get is not that much better than Windowsupdate.microsoft.com.
I work for a fortune 500 company and we have been considering switching from Windows NT 4 to either Windows Server 2003 or Linux. After much testing we decided to stay on windows for virtually everything except the Primary Domain Controller which scaled much better under Debian.
For file servers we found that Samba caused some shares to disappear occasionally, and so we stuck with Windows. For email we needed Exchange, so we had no choice. For the firewall we kept Windows because the software we currently use performs much better on Windows than on Linux.
But as far as security goes, we could see no clear advantages of one platform over the other.
There is no god
There was some?
Huh. This should make for a tiny featurette.
...where to get a definitive list of security holes in Windows (not Office or other add-ons) for the month of December?
"What Slammer showed us more than anything was the need to embrace more basic controls, such as "Default Deny"."
Do you think that that giving your user name and password to strangers might be a bit suspect too?
Of course the same holds true for businesses, but there the problem was more of a problem with the "Default Installation". We have long known that default installations are inherently insecure.
Windows "out of the box" is as wide open as the goatse.cx guy.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
I'm sorry, but we've been told to disable the preview pane at work because yet another round of viruses struck that used our internal servers as spam relays.
For Outlook issues alone (forget about Slammer - though how could you!) Microsoft earns the big security raspberry of the year. PPHbth!!!
"There is more worth loving than we have strength to love." - Brian Jay Stanley
It's interesting to read the comments from external parties, as they tend to be very reasoned
-SNIP-
Yeah, and if I poke you in the eye with a sharp stick every morning, you'll get used to it. It might even appear "reasoned".
2004 will likely prove to be just as wormy as 2003.
I also predict that Linux will truly come into its own in 2004 as the first serious Linux worm/virus rocks the open source world.
There's a new worm out there that exploits a security hole still in Windows 2k/XP from when it was released.
It has the capability to shut down applications, goes right through anti-virus software (even the latest patches!!!), and gives total control of the victim computer to the creator of the worm.
An attempt by the powers that be to shut down its source of updates was thwarted by various government agencies and the worm itself.
Unfortunately there is no patch to get rid of the W32.MS.AutoUpdateRequired worm.
...does seem to leave you surprised when you see reasoned comments somewhere else.
Wait, looking back at Windows what?
Don't think of it as a flame---it's more like an argument that does 3d6 fire damage
It sucked!
<bows>
It is pitch black. You are likely to be eaten by a grue.
at Windows security, one thought comes to mind - eeeek.
"I object to doing things that computers can do." -- Olin Shivers, lispers.org
j00 w3r3 h4xx0r3d!!!!!!
I'm amazing. You aren't. SUCK IT
All systems are vulnerable to security issues; however it's important to note that Linux uses the same security model as the original UNIX implementations--a model that was not designed from the ground up to be secure.
Windows Security is an oxymoron. Just like the French fish who cleaned everything from Finding Nemo.
...they couldn't find ONE BAD THING to say about Windows 2003 (other than "too early to tell"). In the good old days Microsoft's OSes were quite fast in revealing their inadequacies.
Looks like it's been slashdotted...
Break out the asbestos suits boys:
Flame On!
A hole in Windows was announced today. That's great; as soon as Windows Update tells me there is a fix available, I'll click and reboot to apply it.
/me, goes to website, they list some long inexplicable explanation of the hole. Link to some .tar.zip.gz.bz2 file (this saves bandwidth). Just run it through tar -xvzjf and it will automagically extract. Run make clean; make superclean; make reallyfuckingsureyourclean; make install; (whoops, su; make install) and boom! its installed.
A hole in Linux was announced today. Developers released a patch in 34.36 minutes flat after hearing the news. Download and update today!
it says: The site www.net-security.org is running Apache/1.3.28 (Unix) PHP/4.3.3 on Linux.
if Windows really was as bad as you say it is, it wouldn't be on NINETY PERCENT of all desktops.
I dual-boot Linux with W98SE. Recently, after quite a while of using it and getting the W98 more and more "dirty" I decided to install the update. System got so unstable that I couldn't open Explorer without crashing. "Time for reinstall", I thought. Format, install, config, everything runs smoothly. Windows Update, system starts crashing really bad. Maybe I did something wrong? Format, reinstall, update. Crash. So now I run "vanilla" W98SE, without ANY updates, just pure CD install. The only protection is my firewall on a Linux box. Sucks, but what should I do? This way it can keep running for several hours, and with screensavers and power management disabled, for several days in a row. With patches, crashes notoriously. Keep it secure? How? By unplugging the net or the power supply??
It basically says it all when an exploit that had been patched for months succeeds in bringing the internet to a crawl.
An In-Depth Look Into Windows Security in 2003
by Mirko Zorz - Monday, 22 December 2003.
When it comes to security predictions for next year, basically everyone says it's going to be worse than this year, despite the increased spending on security and some progress made in security awareness. Let's take a look at some interesting happenings that made the news during 2003 when it comes to Microsoft security, and perhaps you'll be able to judge for yourself what 2004 will bring.
The experts that voice their opinion for this article are Russ Cooper (Surgeon General of TruSecure Corporation/NTBugtraq Editor), Ed Skoudis (a security geek who is focused on computer attacks and defenses, author of "Counter Hack" and "Malware: Fighting Malicious Code") and Arne Vidstrom (a security researcher and author of many security tools for Windows).
It's January and things don't look good
Just as we were getting used to writing 2003 instead of 2002 in our letters, here comes the Slammer worm and all hell brakes loose as thousands of computers are infected worldwide.
This, however, was not Microsoft's fault, since a patch had been available for several months before the worm was unleashed. This put the issue of irresponsible users into the spotlight, while others said the reason some servers weren't patched is that administrators are worried about the side effects that come with a patch.
Russ Cooper said: "Firstly, SQL patches have been notoriously difficult to install, so I would argue that despite the availability of a patch, its lack of installation was not entirely the user's fault. Further, MSDE (Microsoft SQL Desktop Engine) inclusion in 3rd party software had never been tracked by Microsoft. This resulted in many people being vulnerable to Slammer who never knew they needed a patch. The methods the SQL group has used to handle the SQL vs. MSDE issue have been very poor, with KB articles typically only being found by searching for SQL rather than MSDE. Finally the SQL Server Resolution Service, the service targeted by Slammer, isn't even mentioned in the SQL 7.0 documentation either as being present, installed, or enabled by default."
Lessons learned according to Cooper: "What Slammer showed us more than anything was the need to embrace more basic controls, such as "Default Deny". There's little reason to expose the SSRS to the Internet without any restrictions. Some hosting providers have argued that their customers required access to the service and, therefore, they exposed it directly to the Internet. While this might seem reasonable, the additional cost of locking down such connection points to, at least, an identifiable IP address range surely couldn't put them out of business compared to the risks they put the entire Internet at. Of course the same holds true for businesses, but there the problem was more of a problem with the "Default Installation". We have long known that default installations are inherently insecure. Knowing what you're installing, and installing only what you know, are crucial to achieving baseline security. The habit of simply accepting the defaults and no additional steps is yet another reason problems like this occur."
"Another aspect of "Default Deny" is the enforcement of *Outbound* rules as well as inbound. Habit says that inbound is what we fear, yet outbound is left entirely untouched. Slammer demonstrated just how harshly such a policy can affect the Internet. There was no reason for those systems to initiate connections outbound on UDP 1434, even if we accept there was a need to allow the inbound connections from other infected hosts. Ergo, had such rules been in place, machine
it was a big mess no doubt, until robbIE fired up his 'service'?
is it secure? well, @leased as much as the windose blight, no doubt?
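Picking up the article's "Default Deny" lesson from the Cooper quotes above: the point about inbound restriction to an identifiable range, and the point about outbound rules, are easy to state and easy to get wrong. The following is an added example, not code from the article, from TruSecure or from any firewall vendor. It is a toy first-match filter in Python; the SQL host, the customer range and the probe targets are constructed from RFC 5737 documentation addresses, each Flow is the first packet of a new connection attempt, and return traffic is assumed to be handled statefully and is not modelled.

```python
"""Toy default-deny filter for the SSRS (UDP 1434) case Cooper describes.

Added illustration, not from the article and not any vendor's firewall code.
Each Flow is the first packet of a new connection attempt; return traffic is
assumed to be handled statefully and is not modelled. All addresses are
constructed from RFC 5737 documentation ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

SSRS_PORT = 1434  # SQL Server Resolution Service, the service Slammer targeted


@dataclass(frozen=True)
class Flow:
    direction: str   # "in" = towards the protected host, "out" = initiated by it
    proto: str       # "udp" or "tcp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    src_net: str           # CIDR the source address must fall within
    dport: Optional[int]   # None matches any destination port
    action: str            # "accept" or "drop"

    def matches(self, flow: Flow) -> bool:
        return (flow.direction == self.direction
                and flow.proto == self.proto
                and ip_address(flow.src) in ip_network(self.src_net)
                and (self.dport is None or flow.dport == self.dport))


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First match wins; a flow that matches nothing hits the implicit deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "drop"


SQL_HOST = "192.0.2.10"            # constructed: the hosting provider's SQL box
CUSTOMER_NET = "198.51.100.0/24"   # constructed: the one customer that needs SSRS
INTERNET_HOST = "203.0.113.9"      # constructed: an infected host somewhere else

# "Exposed directly to the Internet": anyone can reach SSRS, and the host may
# start any outbound flow it likes.
PERMISSIVE_RULES = [
    Rule("in", "udp", "0.0.0.0/0", SSRS_PORT, "accept"),
    Rule("out", "udp", "0.0.0.0/0", None, "accept"),
    Rule("out", "tcp", "0.0.0.0/0", None, "accept"),
]

# Default deny in both directions: SSRS only from the identifiable customer
# range, and no outbound UDP 1434 at all, because a legitimate SSRS server
# only answers queries and never initiates them.
DEFAULT_DENY_RULES = [
    Rule("in", "udp", CUSTOMER_NET, SSRS_PORT, "accept"),
    Rule("out", "udp", SQL_HOST + "/32", 53, "accept"),    # DNS still works
    Rule("out", "tcp", SQL_HOST + "/32", 443, "accept"),   # e.g. fetching patches
]


def inbound_probe(rules: List[Rule], src: str) -> str:
    """Verdict for a Slammer-style UDP 1434 packet arriving from src."""
    return evaluate(rules, Flow("in", "udp", src, SQL_HOST, SSRS_PORT))


def worm_spread_attempts(rules: List[Rule], targets: List[str]) -> int:
    """If SQL_HOST were infected, how many of its outbound UDP 1434 probes get out?"""
    return sum(evaluate(rules, Flow("out", "udp", SQL_HOST, t, SSRS_PORT)) == "accept"
               for t in targets)


RANDOM_TARGETS = ["203.0.113.20", "198.51.100.77", "192.0.2.99"]  # constructed

if __name__ == "__main__":
    for name, rules in (("permissive", PERMISSIVE_RULES), ("default deny", DEFAULT_DENY_RULES)):
        print(name,
              "| inbound from customer:", inbound_probe(rules, "198.51.100.7"),
              "| inbound from internet:", inbound_probe(rules, INTERNET_HOST),
              "| outbound probes allowed:", worm_spread_attempts(rules, RANDOM_TARGETS))
```

Two things worth noticing when running it. Restricting inbound SSRS to the customer range does not protect the host from an infected machine inside that range, so the inbound rule alone only shrinks the exposure; it is the outbound rule that keeps this host from becoming a propagation source once infected, which is exactly the "*Outbound* rules as well as inbound" point Cooper makes. In a real deployment the same policy goes into iptables/nftables or the provider's edge firewall, with connection tracking for the replies this toy leaves out.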
Wow. You must be super elite! When I installed ISA, I couldn't even ping anything outside the firewall!
I would like to be added to your list so I might acquire super linux skillz and hacker cred. I hear that's as good as cigarettes in prison over in India, where I will apparently be moving.
Slashdot: The antidote to well reasoned comments.
Hello, new sig.
Windows Security. That's like... Military Intelligence? Jumbo Shrimp? Microsoft Works?
Free your economy and enact the FairTax
You are assuming that such a worm will be like the countless Outlook varieties. Obviously this will not be too effective against Linux. However, there are other means for worms to propagate, such as the Slammer worm. There are also numerous services that are fairly common across all Linux variants.
My guess is that if such a worm were to come about, it would likely spread through a hole in sendmail. Another, though less likely, possibility is Apache with special emphasis on PHP.
Apart from the existing sections, I wish I could filter 'Section of things Slashdot repeats ad nauseam.'
Could someone please begin implementation?
Who gives a fuck if someone's a karma whore? Those of you who are worried about them - they actually do add something to the discussion - have way too much time on your hands. Go outside or something, get a life.
AC just posted the article text to get modded up...lousy bastard.
he's funded.
...what...$40 billion in the bank...
well funded.
oh...i'd say...about
there's a nice diffusion of responsibility. Can you point to a name? It's like a swarm of small insects: when the blame starts flying and there are tolls to be collected, who gets hit? They just scatter. So with Linux there is an air of unavoidability, where a monolith like Microsoft just should have known better.
My Linux boxers have never been hacked!!!
Hey, Look'e at this http://www.petitiononline.com/Grammar/
billions of flies can't be wrong.
I mean, if you're going to post a message with a caption of "Slashdotted", at least have the decency to mirror the article in your comment...
great improvements to security on GNU/Linux-*BSD
There are already numerous security improvements made to those systems, like anti-buffer-overflow patches (propolice, patches to the kernel ...), better access control (acl, selinux extensions), integrated crypto tools (encrypted partitions, gpg+email made easier).
In my view, 2004 will be the year when we see those changes become mainstream and the free systems will be "marketingly" more secure too (OpenBSD already is, but it's not targeted at Joe User).
In areas like the construction industry, insurance companies take a very hard-nosed attitude towards various types of risky practices, and the differences in risk between those practices are reflected in insurance premiums. It would be straightforward to apply similar techniques to organizational security, but I suspect what we have here is a case of managerial resistance. The management types just don't want their practices closely scrutinized; they like things the way they are now. What I see is a lot of folks taking enormous risks with other people's money.
Is it true that they are planning a new security initiative for next year ... a tidal wave of security sort of?
aLL kARMA wHORES aRE wORTHLESS pATHETIC pIECES oF fAGGOT sHIT! yOUR mOUTH sMELLS oF tHE cUM oF tHE sLASHBOTS!
Planned obsolescence.
This user account is inactive account replaced by the PDA
Every time I read another story about security holes in M$ crap I feel really good about sticking with Apple during the dark days of the mid 90's. Now I have OS X, XTools, UNIX, awesome software like iTunes, and no worries whatsoever about virus or worm infections as I do not have any M$ bugware like IE or Office on my Powerbook. Of course I pay a little more for the Mac, but I consider it small change for the right to gloat. And no that is not gloats.ex! Flame away, my Mac can take the heat.
Why was this modded down? Looks like more anti-MS mods at it again, who can't accept the fact that Linux isn't the best for everything.
Really a sad state of affairs here when you see just what a shambles the moderation system is in.
Over the last week, I've had a cold, had to put up a new mailbox in the snow while fighting said cold, gone to work, dealt with management, spent a Saturday with an SO with PMS, been told that standing at a football game is a bad thing, and driven on Indiana's highways.
.
.
.
.
.
.
.
I REALLY needed a laugh.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
As I said, we got a message from corporate HQ telling us to turn off Preview and also not to click on stuff that does not come from people we know (more likely the outbreaks were from people clicking on things they should not). They had to get themselves off a few blacklists it seems as a result...
This is not a small company either, around 3000 people. Yes, we do have admins that know what the hell they are doing. Sometimes, stupid users click on links or bring in laptops and that is it.
The thing is, even if a UNIX admin is doing a poor job you aren't as likely to see a "wildfire" spread of infection, more like a slow burn.
I just hope that in the next few weeks we won't see a disaster like the Slammer worm.
That, in a nutshell, destroys the entire article. The end user shouldn't be forced to "hope" that bad things won't happen to their computers. Any vendor that instills so much lack of confidence in their products doesn't deserve the benefit of the doubt.
I'm pretty much a Linux zealot. I switched to Linux back in 97 when I was very angry about quality of MS products. Win98 was that too.
Windows XP is actually quite nice (got it with my laptop, "forced" install); so much has been improved since Windows 98 (which was the last Windows I'd touched).
Free vs. proprietary software is still fundamentally a personal problem for some users, but since I work as a software designer myself, I can give Microsoft a big plus for what they've done for Windows XP - the UI is very nice, and with a firewall it's decently safe if you use Firebird/Thunderbird instead of IE/Outlook...
Linux still has VERY strong points, but none in the _personal_ desktop area. With Windows you can walk into any store, buy any game/peripheral you want and it works - you can't do this with Linux. You also cannot do 32-CPU SPARC machines with Windows, on the other hand...
but that guy above you had me at "gnomes."
In Soviet Russia security goes through the Window(s)!
Of course, that has absolutely nothing to do with security.
Only those who dream can grasp reality.
I know me on the other hand, I set up a mirror to see what's behind me and I see my ass. Then I realize what they mean by looking back... When you look back you see your ass, and what does your ass produce? Shit... Simple Geek Zen ... Microsoft Security is shit... Get it now?
MoFscker
I do not see any security. As Gates/Ballmer have said, "it would be far too expensive to fix Windows." Besides, by fixing Windows, the forced $upgrade$ incentive would go away. The problem with the MS software model is that if you make it too good no one will upgrade. Like banks and OS/2: IBM focused on getting the security right, look what happened!
OH THE SHAME I fell off the wagon and use sigs again!
Microsoft puts itself in a catch-22 with this one.
Microsoft released a patch, yes. There are two people who wouldn't install it: those who don't have a clue about being a sysadmin (MCSE) and those who know MS's history of distributing broken patches.
The first group (mostly made up of MCSE-only admins) are either too ignorant to install patches in a timely manner or too stupid to know that your SQL server has no need to be internet-accessible. IIRC the only way to get Slammer was to have your unpatched SQL server live to the world, something that anyone even slightly security-conscious wouldn't have done. Unfortunately, MS markets themselves as easy deployment/any idiot can admin. So, they market themselves to idiots, then blame the idiots for not taking care of their servers. Umm... sure.
Second is the smart group who know better than to deploy ANY MS patch without testing it. Having a patch 2 months before the worm hits is fine and good, but oftentimes testing a patch takes that long. In the case of Slammer these are the guys who know to keep their SQL servers behind the firewall. Slammer was mostly due to group #1. In the case of IIS and other internet services, however, a patch may not be deployed in a timely manner.
Combine MS's past of releasing broken patches with their careful marketing to idiots and you see how easily this crap happens.
There is no reasonable defense against an idiot with an agenda
:wq
My Nick.
hey man, isn't December pretty much effectively over? You know, what with that little obscure Christmas/New Year thing going on?
Manipulate the moderator system! Mod someone as "overrated" today.
"here comes the Slammer worm and all hell brakes loose as thousands of computers are infected worldwide.."
.. or is it that my brakes are breaking? How can I seriously read this article if they can't even write properly?
Oh no, my breaks are braking
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
'nuf said
Format the hard drive and install linux
desktop on linux is cool and secure.
Number one default linux is low.
Try LIDS or other extra protection layers.
Most system administrators use auto update system to fix current bugs.
Most good system admins run rootkit-checking systems.
Now this is the end of the normal protection systems.
Hitting one of my systems, you will regret it. Cloud effect from one Linux box, making IP probing pointless because all IPs are in use, some just as honeypots; hit the honeypot and you have now set off a tracking system and an IP lockout, so all passwords and logins from your location will be treated as a threat.
LIDS is one of many other protective layers that makes it ten times harder to break a Linux. LIDS protects a system from a root attack cleaning out logs and other important files. Note it is a minor pain having to reboot the machine to delete logs, or having a closed network with access to partitions of the servers protected by LIDS, preventing everything bar the likes of the coda/nfs driver from accessing the network, allowing the machine to clean out the logs.
Now this enables lots of extra features. There is a major reason why LIDS is not loaded in most distros by default. Number one, LIDS will fight against its removal, so you need a kernel not containing LIDS to remove it the simple way. You might not like LIDS and want to use one of the other projects that provide extensions like LIDS. Note my system array is not only using LIDS; it is also using a few other layers to make the system a mixed target.
What do they mean "looking back" on 2003? The date is December 23, 2003. An accurate annual analysis would require waiting until at least January 1, 2004. Who's to say that there might not be another Windows security hole discovered between now and 2004?
Finding new vulnerabilities isn't hard. Remember ntcrash? Variations on that theme should discover new holes automatically over time.
FFS, if you are going to troll at least put some effort in.
I'm actually quite happy that all the software I use can get security updates and a single vulnerability list from one location. Unlike Windows Update, which barely covers the OS. (Not even Office is covered.)
Set up 3000 desktops with any ports open that could be used like slammer used Windows boxes?
With Windows you can't avoid it; with Linux (or OS X) you have a fighting chance of deploying a lot of systems that viruses won't spread through like a fire through a forest in July.
I buy a packaged consumer product and install it on my computer.
Why should I be expected to know there is such a thing as a firewall and that I should install it?
To put it simply, that's unrealistic. Sure, geeks should know better, but the general public shouldn't have to.
I buy a packaged consumer product and install it on my computer.
Whenever I try to do anything it spouts gibberish at me, like "access denied", "consult your system administrator", "you don't have permission to do that", "consider enabling UDP port 1234 outbound on interface zzzz", "you need to urgle the flombat", "system error 5".
Why should I be expected to understand all this gibberish? It's my computer, I bought it, I paid for it, it's mine, it has no business telling me I'm not allowed to do things. I want to install it and just have it work without my having to learn whether any of this technobabble actually means anything.
To put it simply, that's unrealistic. Sure, geeks can cope with all this stuff, but the general public shouldn't have to.
Everyone in the IT community already knows what a poor reputation that company has actively worked hard to earn. Articles like the above serve only to provide free marketing and distract from active development rather than pump-n-dump.
Rather than doing free security and sysadmin work for Chairman Bill this holiday season, and rather than providing free publicity for his portfolio, could we please give it a rest and have an MS-free week, weekend or at least just an MS-free Friday? i.e. no articles or press releases about the latest vaporware, thneed, FUD or spin, including news relays via MS-owned sources like Slate, MSN, MSNBC, msnpr, Newsweek, etc. It seems every day there is a shameless, unnecessary plug or two. Now that international investors have divested and even their own employees have offloaded, it is as irrelevant to the stock market as it is to the IT sector. The pyramid scheme has maxed out; if you weren't already bailing, then it's too late.
As far as security goes, businesses and home users alike are finding Gnome and KDE easy to use and the platforms (Darwin, OpenBSD, Linux, QNX, etc.) more secure, more stable, and easier to maintain. So looking back at MS-Windows' [lack of] security in 2003, we can say goodbye to the terminally insecure and hello to modern technology.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Or perhaps we should be "Looking Back at Litigation Ethics in 2003"
To understand recursion, you must first understand recursion.
Is Apple any better?
But MacOS X also doesn't have things like RPC and Windows Messenger Service enabled by default.
... we plugged one into our network to see what we could get it to do, and gave up after a couple of hours of failing to find out how to turn on the DHCP client. Not going to waste time on one of those ever again.
Macs also don't seem to have DHCP client enabled by default
One word: Blaster
There are detailed reports of people who installed the patch, Microsoft's patching mechanism screwed up and they weren't protected even tho' the update software said they were.
What's wrong with this design?
1. check for updates
2. determine update is required
3. edit the registry to show that update is installed
4. install update
Why, obviously, if the update fails to install, the registry is already edited to show that it is installed.
This is the kind of moronic coding that you want to trust to protect your system?
Windows Sys Admins are a big part of the problem. They fucked up. They trusted Microsoft!
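To make the ordering problem in that four-step list concrete, here is an added example in Python. It is not Microsoft's code and makes no claim about how Windows Update is actually implemented: a dict stands in for the registry record of applied updates, a file in a temporary directory stands in for the binary being replaced, and the hotfix name and byte strings are made up. It runs the order the post describes (record, then install) next to the order that records success only after verifying the bytes on disk.

```python
"""Why "record it as installed, then install" is the wrong order.

Added illustration of the failure mode described in the post above; not
Microsoft code and not the real Windows Update mechanism. A dict stands in
for the registry key that records applied updates, a file in a temporary
directory stands in for the binary the hotfix replaces. The hotfix name and
byte strings are constructed placeholders.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Callable, Dict, Tuple

HOTFIX_ID = "rpc-hotfix"                                    # placeholder, not a real KB number
VULNERABLE_BINARY = b"rpcss.dll build 5000 (vulnerable)"     # constructed stand-in
PATCHED_BINARY = b"rpcss.dll build 6421 (patched)"          # constructed stand-in
PATCHED_SHA256 = hashlib.sha256(PATCHED_BINARY).hexdigest()


class InstallFailed(Exception):
    """The replace step failed (file in use, disk full, ...)."""


def install_binary(target: Path, payload: bytes, fail: bool) -> None:
    """Replace target with payload; `fail` simulates the copy step failing."""
    if fail:
        raise InstallFailed("could not replace %s" % target.name)
    target.write_bytes(payload)


def file_is_patched(target: Path) -> bool:
    """The check an auditor should trust: hash the bytes on disk."""
    return hashlib.sha256(target.read_bytes()).hexdigest() == PATCHED_SHA256


def broken_apply(target: Path, state: Dict[str, str], fail: bool) -> None:
    """The order the post describes: step 3 (record) before step 4 (install)."""
    state[HOTFIX_ID] = "installed"
    try:
        install_binary(target, PATCHED_BINARY, fail)
    except InstallFailed:
        pass  # failure swallowed; the record already claims "installed"


def verified_apply(target: Path, state: Dict[str, str], fail: bool) -> bool:
    """Install, verify what is actually on disk, and only then record success."""
    try:
        install_binary(target, PATCHED_BINARY, fail)
    except InstallFailed:
        state[HOTFIX_ID] = "failed"
        return False
    if not file_is_patched(target):
        state[HOTFIX_ID] = "failed"
        return False
    state[HOTFIX_ID] = "installed"
    return True


Updater = Callable[[Path, Dict[str, str], bool], object]


def run_scenario(updater: Updater, fail: bool) -> Tuple[str, bool]:
    """Start from a vulnerable binary, run an updater, and report
    (what the record claims, whether the file is actually patched)."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "rpcss.dll"
        target.write_bytes(VULNERABLE_BINARY)
        state: Dict[str, str] = {}
        updater(target, state, fail)
        return state.get(HOTFIX_ID, "absent"), file_is_patched(target)


if __name__ == "__main__":
    for name, updater in (("broken", broken_apply), ("verified", verified_apply)):
        for fail in (False, True):
            claimed, really = run_scenario(updater, fail)
            print("%-8s install %s -> record says %-9s file patched: %s"
                  % (name, "fails" if fail else "ok", claimed, really))
```

The `file_is_patched` check is the practical takeaway: any scanner that asks the registry which updates are present inherits whatever the updater wrote, so an independent check of file versions or hashes, or a network-side probe of the vulnerable service, is the only result worth trusting when deciding whether a machine is actually protected.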
Except that Blaster was patched two months before the vulnerability hit, and the government warned you TWICE to patch. It takes you two months to plug a tiny little hole in RPC? Your fault, not Microsoft's. They had the problem solved.
If you want to talk about security in 2003, where are the mentions of the two breaches at GNU, and the breaches at GNOME, Debian, and Gentoo? Those are pretty embarrassing security lapses for the Linux community that--not surprisingly--are never brought up, as if they never happened.
"Sufferin' succotash."
If there are no ports open for an exploit?
Imagine a default desktop with no ports open. Spread a virus. How does that work? With Windows you are going to have a lot of ports open no matter what.
Now let's say you'd like to remotely administer a box. As just an example of some way this could be done, you do not have sshd running as root (so a buffer overflow gets you nothing) and keep what it can do to a minimum without further work on someone logging in. Now how are you going to spread an exploit?
There are a number of ways to approach setting up a linux or OS X desktop that can basically halt the spread of anything, even with the same configuration everywhere. By design the same is not true of Windows as you just don't have the options. Many governments and other entities are waking up to the fact that you seem blinded to.
You avoid it in Windows the same way you avoid it in Linux.
By praying that users never run anything, or that the next vulnerability that affects a port you can't close doesn't arise?
The whole point is that Windows is insecure by design, and basically impossible to secure to the level a Linux box can be. If the apple is rotten it doesn't matter how hard you work at baking the pie.
You are a MS astroturfer and an idiot.
That is all.
It's not diversity that makes Linux less vulnerable; that may be a reason, but I don't think it's the major one.
The major one is user behaviour: hardly anyone uses Linux as root, just using it when they need to make changes to the system.
But in Windows almost everyone uses it as admin (or some login that belongs to the admin group), so if you run a virus on Windows your whole system is compromised, while on Linux it's just your data and some binaries you may have.
Hey Sir Haxalot, why don't you shut the fuck up?
It won't run any of my old DOS games. :)