Latest SP2 News
Xformer writes "It seems that SP2 for Windows XP isn't as secure as Microsoft touts it to be. Heise Security has uncovered two flaws in SP2's bolstered security measures, both of which may be used to get around the new trusted/untrusted executable origin checks. Of course, who would be surprised by this?" Reader EtherNetFreak writes "Well it appears that at least one hotfix is already available to fix yet another bug in Windows XP, post SP2 application." Reader Finalnight writes "'Microsoft Corp. yesterday delayed yet again its oft-delayed Windows XP Service Pack 2, this time postponing the patch's distribution through the company's Automatic Update service.'"
These "flaws" are not really that big of a deal. The idea of warning is so that files are not run afterwards by mistake. They give an exploit in which someone opens cmd.exe, then drags the file into it. Well if the user will follow along and execute some command they suggest, then things are already out the window. In addition the other exploit talks about overwriting a current file and it not showing a warning, once again if they can get you to overwrite a file on your hard drive with their file then you are already gone.
I'm curious how long it takes them to release Service Patch 2 for SP2...
Great, someone used Sweeping Microsoft Generalisations #423 and #587, and gets modded up as Funny.
Come on, guys, if you're going to bash the Beast of Redmond, at least put some effort into it!
-MT.
SP2 isn't available through Windows Update, only through Automatic Update. There is a difference. Automatic Update runs in the background, checking your patch status against MS and downloading as required; it's set up from Control Panel > Automatic Updates. Windows Update is the on-demand website visit. SP2 won't be available through Windows Update until the 25th of August.
No.
The attack vectors described are:
and (in an email)
Neither seems likely to be able to self-replicate without user intervention. So no worm then.
My pics.
This makes me wonder how Microsoft, as well as many other large software corporations, manage security patches and quality assurance of their software. Is the problem with there being so many people working on different projects that they do not communicate and therefore things get overlooked, or is it due to the complexity of the software, or something else entirely? I couldn't imagine how someone could manage 'security' for Windows (or any similarly large project) and be 100% sure of what all the technical staff do. Does it come down to having more meticulous software engineers and rigorous testers? How would people recommend this be done? I'm sure the typical "make it open source!" answer will be given, but if that is not an option, how do companies who are more successful at this do it?
Until then you need to get it via automatic update or an external installer. However these external installers are somewhat harder to come by than previously, as Microsoft has shut many of them down - which is a shame since they were very fast torrents. Oh well.
Yes, those external installers are very hard to come by indeed! But hopefully downloading directly from Microsoft's gigabit backbone qualifies as being fast enough for ya.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
I think it's funny, because it happens very often...
... (Fill in some very good reason, like getting fired ;))
Developers vs Rest-of-company:
Pre-release-phase:
Rest-of-company : Come on, we _need_ SP2 now!
Developers : But it isn't finished yet...
Rest-of-company : If we don't get it NOW, we will
Developers : Okay, but there are too many problems with SP2...
Rest-of-company : We'll release some hotfixes, just give it to us _NOW_!
Developers : *shrugs* Oh well... Just don't forget we warned you guys...
Post-release-phase:
Rest-of-company : WHOA, There is a problem with xxx. How is that possible?
Developers : Well, SP2 just isn't quite finished yet...
Rest-of-company : Not finished? What the f**k?!
Developers : We told you so, before the release, but...
Rest-of-company : I don't want to hear that, just go and work on the hotfix...
Developers : *shrugs* Oh well...
Is it there or isn't it? What is it? It's the Heisenberg Patch!
And remember kids: Never trust a computer you can actually lift.
These 'flaws' are of the same type as posting a script in your .sig that executes "rm -rf /" on a *nix system.
The best security measure would be some device that read the mind of the user and warned if you were too stupid. Or maybe even easier:
if(spywareCount > 20) stupidUser = true;
Actually it's not available through Windows Update OR Automatic Update (yet). It's only available as a direct download from here
in SP2. They've gone through pretty much everything, re-hashed a lot of stuff, sometimes on a very deep level. Tons of bugs were fixed. There's not a software company in the world that could release something like this with zero bugs. Not even demi-god Linus Torvalds is capable of such a monumental technological feat as releasing code without bugs.
Having said that, it's all about risk management. If you're willing to postpone SP2 roll out in your org you've got to estimate the risks of not rolling it out, too. As I said it fixes a lot of issues, and if there's a bug or two the benefits still outweigh the risks by a wide margin.
How is sending a .gif and asking to run cmd on a Windows XP system any different from sending a .gif and asking to execute perl on Linux or BSD?
My other Beowulf cluster is... er...
Actually, to be honest XP is quite good. The masses really mainly seem to understand how to use it. My mum can write CDs, scan photos and so on :P ... which previously with Win98 was always a sure way for a phone call to me for support.
I really enjoy the fact hardware is finally really plug n play. No stuffing around finding the drivers. I slapped it on an old Pentium 500 recently and it detected everything, breathing new life into the box.
And yes, while I say this, I prefer (and am browsing on) Firefox, and we have a bunch of Linux servers. (It's a shame I have to justify any decision to use anything which ain't a "postgres server on some box where I have personally contributed to a branch of a kernel I compiled myself" when on Slashdot. Ah well.)
Ok, correct me if I'm wrong, but isn't a Service Pack supposed to add security fixes, and patches to operate more 'as expected'...
Yes, you can do something convoluted to get something to misbehave (save the file, open up a command prompt, run the file) etc, but seriously, if a normal user does this, then they are beyond help that we can expect an OS to provide.
Remember, you can get *ROOT* access to linux by rebooting and adding 'single' to the boot line. Does this mean that it should be fixed in the next kernel/distro?
You can only do so much to protect the user. If you go out of your way to bypass security measures, then the OS should not be expected to protect you.
Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
From my perspective based on the size of SP2 I'd say it's a new OS. Two patches/flaws in a MS OS is darn good. Kudos to Redmond.
I just got a new 4th gen iPOD, which I can write to on Linux, but can't get to work on my XP-SP2 Windows dual boot machine.
Guess what I'll be uninstalling next...
..........FULL STOP.
No wonder Windows '95 was so nice and stable, huh? Happened long before the bad new days of outsourcing ...
*Yet* another flaw in XP SP2 has been found:
Even with the service pack applied, Windows does nothing to guard against the user revealing their password to a complete stranger in a train station in exchange for some crappy pen.
MICROCRAP WINBLOWS!!!!!!!
In my humble opinion, this article is about as useful as a troll. Many /. readers have already pointed out that these aren't much in the way of flaws.
Microsoft is finally playing the right tunes, but someone on a vendetta can't accept this, so they nitpick after _anything_ to pin on SP2.
For Christ's sake, Sendmail. Sendmail had a brand new remote execution (that translates to your unpatched box being rooted) exploit posted a week or two ago, and not a word was said.
This isn't news. This is hypocrisy.
--
All rites reversed 2010
Sending an email and instructing a user to do something more than "click here"? What's next, "Hello. To see nude pictures of Natalie Portman, please: go to insecure.org and download nmap, go to arin.net and find IP ranges for several major cable internet providers, search for vulnerable Windows XP systems that you can use exploits on (use Google to find Windows-compiled versions of the exploiting tools), and use the exploits to inform the remote user of this method. If you infect 10 people and get them to pass it to 5 of their friends, Bill Gates will send you a check for $50 for every person that references you. It's true! I did it and you can too! K THX!"
DeMe
I mean, let's be serious. I'm not defending Microsoft because let's face it, they have allowed some pretty serious security flaws to get into Windows in the past. But the article does mention "social engineering" and I ask you, isn't this at the root of many, many security issues? I'm not saying Microsoft is never to blame - not at all. But what I wonder is how much damage has to be done before the typical user just sits down and LEARNS a little about security. I am honestly appalled at the number of computers I see that are on the internet without ANY form of anti-virus protection - much less a firewall. Computers are certainly much more complex to operate than say, a car - and we make people go through a whole course and take a test before they're even legally allowed to drive one. Why? Because they can end up killing someone, or themselves, if they don't do it right. With a computer, it's not that severe, but you can still do some major damage (or have it done to you).
Put it this way. If the average user took the time to learn just a little more about this device that is a BIG part of their lives, and how to keep it and their private information secure, would security really be as massive of an issue as it is today? I will say this, though - I'm glad Microsoft has turned the firewall on by default in SP2. I know it's going to cause a lot of headaches, but think about it - a lot of people are hearing about a firewall for the first time thanks to SP2. Hearing about it, and being FORCED to deal with it, is a big step for the average user towards learning more about security.
After installing SP2 I received an email from a person I don't really know, but he somehow had found a Word document with a lot of personal information about me online and was worried I might have misplaced it. He was so nice to send it to me, so I tried to open the document to see what was in it, but Word wouldn't start properly and nothing seemed to happen. So it seems SP2 breaks Word. And on top of that my computer is really slow lately and sometimes messages appear on my screen like, 1 0wn j00! WhaAHAHa 5uck3R!!
Kinda funny, but I don't remember installing that...
Seriously, if a user is dumb enough to follow instructions to do something he never asked for from somebody (he probably doesn't even know) he got an email from, you might just as well ask them to install backdoor.exe because it will make their computer faster.
That tag is starting to wear awful thin.
Why is it harmful to stoop to clutching at any desperate cheap swipe at MS ignoring any similar commentary on OSS software?.... because there's a large number of NERDS that miss a lot of useful "stuff that matters" on Slashdot because they're not prepared to deal with the rabid hypocrisy of articles like this one.
Secondly, it makes the OSS community look like a bunch of immature fanboys rather than the dedicated professionals most of the community is made up of... that directly impacts adoption of OSS by business.
If you've ever wondered why OSS struggles for credibility in many businesses, bullshit like this article and the culture it encourages are a significant factor.
Articles like this one hurt the OSS community way way more than they ever hurt MS and feed back into the fact that the OSS community itself is all the advertising MS needs.
"News for OSS Nerds. Any desperate shot at MS."
Grow the hell up.
Get back to news for ALL nerds, and stuff that genuinely does matter. Because **gasp** there are Nerds that also develop on the MS platform, and not surprisingly they're more likely to hear the OSS side of the argument if they're actually around rather than on the other side of the room rolling their eyes at you... and maybe... just maybe... you have as much to learn from them as they have to learn from you.
Yes, I couldn't suppress a first smirk upon seeing this article. But then again, there are two major reasons we shouldn't be laughing too much about this:
a) While uncertainty about Micro$oft brings some more people to Linux (which is touted to be more secure, but then again - it can just as well be penetrated by hackers), it also turns people away from using the Internet because they get too scared of what's going on there. The latter are mostly elderly people, but nevertheless - even they should be free to use the Internet, something which a number of them dread now because they feel their privacy (through spyware) and/or financial background (due to phish scams) may be at risk. And this is not a good thing.
b) Standing still, laughing about Micro$oft's misfortune here has two more immediate effects: (a) it will spur M$ developers even more to deliver better software - and (b) it has Linux people potentially stay back and enjoy M$'s misfortune (and hence gives M$ more time to catch up, security-wise, that is). Do you want to sit at the "other" end of the story in a year or two - once M$ has sorted out most of its security issues, while Linux might be more and more negligent of these issues (because everyone "knows" that it's Windows that's insecure)?
Personally, I've had some of my machines broken into about 2 years ago - and that was out of negligence (thinking Linux would be safe enough on its own). In the end, it probably was just a couple of script-kiddies breaking into the box to install - of all things - an IRC proxy/cache/logger on the machine. I don't know how they originally got into the machine, as I am not even quite sure WHEN it happened. But it went far enough that they even replaced the system's own ps/netstat/... to make sure those wouldn't display the "wrong" processes. I only noticed a problem when I inadvertently stumbled across it...
Since that time, I've done some more work trying to secure the box as far as (with MY knowledge) possible - but I'll no longer think my machines are inherently better than a M$ server might be. M$ *will* catch up - and they DO have the money they need to fix these kinds of problems.
The question is - do WE have the idealism to hunt down every single bug? (M$ people don't need the idealism for it - they get well PAID to do it).
What you do when you want a large system to be secure:
You implement a very small "core" or "security kernel" or "call it what you like". It is called a "reference monitor" in TCSEC. It is a piece of code that will be asked "can subject X do operation Y on object Z", whenever a user or program attempts any operation on any object (like a file or a network connection). This piece of code is so small and simple that you can inspect it and possibly even formally *prove* it to be correct.
The operating system kernel will then guarantee that the reference monitor is consulted on all such operations. This is, after all, what operating system kernels do, among other things.
Now; you can write a simple security policy for each subsystem in your operating system. One policy for your browser, one for your word processor, one for your regular secretaries, one for your accountants, etc. (a real OS with these features will of course have the majority of all policies set up and ready by default).
The system will now enforce the security policies on everything that goes on in the system. Because the OS is enforcing these policies, and because the subsystems cannot magically change the security policies set up for them, this is called "Mandatory Access Controls", or MAC for short.
MAC ensures that a bug in, say, your browser, cannot be exploited to, say, go through your documents and harvest e-mail addresses. Simply because the system policy does not allow a browser with internet access to access local documents. Just an example.
This is how secure systems are built. This is what SELinux is trying to do, and this is what Trusted Solaris has done for a while. This is what is required if you want a TCSEC certification in the B (or A) class, not the kindergarten-security of the C class.
Or, under the common criteria, this is what you need to get certification against the LSPP (as Trusted Solaris has), instead of the kindergarten-security CAPP (as Win2000 can have in certain restricted setups), or even the home-grown "security targets" (which SuSE got).
This is old and well known technology. Too bad big businesses and governments never put pressure on the vendors to actually have real security built in.
Good to see SELinux coming along nicely, and Sun moving Trusted Solaris features into Solaris 10.
All is not lost - but trust me, they will be selling snow-cones in hell before you see MAC in Windows.
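The reference-monitor idea described in the post above, as an added toy illustration (not code from SELinux, Trusted Solaris or any real kernel): one small default-deny function, check(), is the only place policy is consulted, every "system call" funnels through it, and the subjects never get a handle on the policy, which is what makes the control mandatory. Subject names, labels and paths are hypothetical.

```python
"""Toy reference monitor enforcing mandatory access control (MAC).

Added illustration only.  The policy below is made up: a browser may use
the network and its own cache/downloads, a word processor may touch
documents, and nothing else is permitted.
"""
from typing import List, Optional, Tuple

# Object labelling: each path or resource gets exactly one label.
# Hypothetical layout for the example.
LABEL_PREFIXES = [
    ("/home/alice/Documents/", "documents"),
    ("/home/alice/Downloads/", "downloads"),
    ("/var/cache/browser/", "web_cache"),
    ("/usr/share/templates/", "templates"),
]

# Per-subject policy: the set of (operation, object_label) pairs that are
# allowed.  Anything not listed is denied.  Subjects are never handed a
# reference to this table, so a compromised subject cannot widen its own
# rights; that is the "mandatory" part.
POLICY = {
    "browser": {
        ("connect", "internet"),
        ("read", "web_cache"), ("write", "web_cache"),
        ("write", "downloads"),          # may save a download...
    },                                   # ...but never read documents
    "wordproc": {
        ("read", "documents"), ("write", "documents"),
        ("read", "templates"),
        ("read", "downloads"),           # may open a downloaded file
    },
    "mail": {
        ("connect", "internet"),
        ("read", "downloads"), ("write", "downloads"),
    },
}

# Every decision is recorded: (subject, operation, object, verdict).
AUDIT_LOG: List[Tuple[str, str, str, str]] = []


def label_of(obj: str) -> Optional[str]:
    """Map an object (path or resource name) to its security label."""
    if obj == "internet":
        return "internet"
    for prefix, label in LABEL_PREFIXES:
        if obj.startswith(prefix):
            return label
    return None  # unlabelled objects match no rule, so they are denied


def check(subject: str, operation: str, obj: str) -> bool:
    """The reference monitor: "can subject X do Y on Z?".

    Small enough to inspect in full, default-deny, and the single place
    POLICY is consulted.
    """
    label = label_of(obj)
    allowed = (subject in POLICY
               and label is not None
               and (operation, label) in POLICY[subject])
    AUDIT_LOG.append((subject, operation, obj, "ALLOW" if allowed else "DENY"))
    return allowed


class AccessDenied(PermissionError):
    pass


# The "kernel" side: every call that touches an object goes through
# check() first.  A real kernel does this on the syscall path; these two
# functions stand in for open(2) and connect(2).
def open_file(subject: str, path: str, mode: str) -> str:
    op = "write" if mode in ("w", "a", "rw") else "read"
    if not check(subject, op, path):
        raise AccessDenied(f"{subject} may not {op} {path}")
    return f"{subject} opened {path} for {op}"


def connect(subject: str, host: str) -> str:
    if not check(subject, "connect", "internet"):
        raise AccessDenied(f"{subject} may not reach the network")
    return f"{subject} connected to {host}"


def harvest_attempt() -> List[Tuple[str, str, str, str]]:
    """Replay the scenario from the post: a compromised browser tries to
    read the user's documents and ship them out.  The network access is
    within its policy; the document read is not, so it is denied even
    though the browser process itself is fully under attacker control."""
    AUDIT_LOG.clear()
    connect("browser", "evil.example")                              # ALLOW
    try:
        open_file("browser", "/home/alice/Documents/contacts.doc", "r")
    except AccessDenied:
        pass                                                        # DENY
    open_file("wordproc", "/home/alice/Documents/contacts.doc", "r")  # ALLOW
    return list(AUDIT_LOG)


if __name__ == "__main__":
    for entry in harvest_attempt():
        print(*entry)
```

The point the example makes is structural rather than about the particular rules: the browser is denied not because anyone noticed a bug in it, but because no rule exists that would let any browser read "documents", and the browser cannot add one. Note the default-deny branch for unlabelled objects; a monitor that fails open for anything it does not recognise is not a monitor.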
XP SP2 was definitely made available on the 16th (Monday) for Software Update Services (SUS - soon to be called WUS), 'cause it shows up in my list of downloaded updates (and there was a big spike of incoming traffic in my MRTG logs on Monday morning) - not that I'll be approving it just yet ;) Whether they've pulled it from this distribution channel I'm not sure, but given that most SUS installs update daily it's probably too late to bother.
BTW, for any small NT network admins I'd highly recommend SUS. It's basically the same as Automatic Updates but centralized to one (or more) of your servers, saving you bandwidth and allowing control of which patches are approved for internal distribution (so you can hold back until you've done your testing), amongst other things. For more info see the link above; it's remarkably easy to set up and roll out.
My wife and I both own 3G iPods (connected via Firewire) and using the latest firmware.
No problems under Service Pack 2 whatsoever, though Windows Firewall did fuss about iTunes wanting to connect to the Internet.
From my experience, many of the times when an OS/feature breaks from a service pack installation, it's because the user's PC was already damaged by corrupt files, registry entries, or "tweaks". The Service Pack simply exposed them.
Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
Get rid of that "fuck Microsoft" attitude, start thinking for yourself, and actually take a look at it. It's a great addition to XP, and those who say it isn't have an ulterior motive.
Win95 - ground-breaking. Paved the way for the GUIs in use in every subsequent windows version, and lots of *nix guis
Win98 - great for games (still is), supports the latest DirectX (still), has a very small footprint, boots fast and offers great hardware support
WinME - disappointing for some, exceedingly usable for most others. Say what you will, lots of people loved it
Win2000 - fantastic. Offered stability, great driver support, great networking, easy installs, perfect for the corporate environment (hence most places still using it)
WinXP - incredible. We're talking excellent games/multimedia support, almost unlimited software catalogue, integrated auto-updating, visual themes, etc. etc. etc.
XPSP2 - a great step in the right direction, executed very well. If you can find fault in it, you can find fault in anything
2003 - One of the best server operating systems out there. Exceedingly fast, secure, stable, yet with great driver support, lots and lots of software, etc. Again, if you think it's bad there's something wrong.
At least get your arguments straight. Just because you label something as "disappointing" doesn't instantly wipe out the popular history that it was anything but. I know you have your head in the clouds, but even that shouldn't stop you from recognising truly important software.
Like most things with computers, it's a matter of user-education. (Including users of other OS's which bash it because they don't know how to properly run it)
I have respect for folks who can find buffer-overruns, heap-mangling attacks and so forth. These people are smart, hard-working and diligent. They give evil a good name.
:-/
I have nothing but contempt for someone with an axe to grind whose only response is the "exploit" in the linked article. It's pretty lame. Come back when you've written enough of your own code to present an attack surface.
Grow up. Sheesh.
Any sufficiently advanced technology is insufficiently documented.
It never ceases to amuse me to see the continual bashing of Microsoft on Slashdot. Yes, Microsoft has some major security issues to work out. However, they are making a fairly good faith effort to do this now. Service Pack 2 was a decent attempt. Yes, there were bugs introduced by Service Pack 2. But even Linux has bugs every once and a while after a new release.
If you really must discredit Microsoft, at least do it on fair ground and acknowledge that the operating system(s) you hold dear also have some bugs. And please, do not call them Micro$oft, M$ and other lame variants. It is Microsoft Windows, not Micro$haft Windblowz. If you can't even have the common decency to refer to something by the proper name, then nobody worth listening to is ever going to take you seriously.
If you want your community to be seen in a decent light, then you must behave decently.
Beware, Nugget is watching... See?