XP2 Spotted In The Wild
LostCluster writes "WinXP SP2 has just been released to the public via Automatic Update, but eWeek and PC Magazine are together reporting that Windows XP SP2's 'Windows Security Center' is just about as insecure as it could possibly be. According to them, any program (including ActiveX controls) can access and edit the Windows Management Instrumentation database, and therefore spoof the security status of an insecure box to report that it is properly secured."
any program can access and edit the Windows Management Instrumentation database
That MF'ing Clippy.exe in MS Word better stop accessing my Instrumentation database or I'll punch that SOB into the middle of next week. Really any program can access and edit the Windows Management Instrumentation database; I knew solitaire and tetris had an ulterior motive.
My box says it's insecure! So therefore, I can't possibly have some spoofing ActiveX control thingie, can I?
if every user were root.
I was told it was rolled out today (SP2), so can someone explain why my XP machines wanted to install the SP2 patch a few days ago?
...bring about the demise of the internet, according to Kaspersky or whatever that Russian company said? ...
Can you hear me now?
why does this surprise anybody - I am sure glad I don't do windows anymore - I can get on with a lot more important things and my computers just work - don't have to defrag, virus update, or worse yet os update from microsoft. now if my dsl provider can just get more reliable life would be great.
Fact: You cannot bolt on security to something after the fact-- it has to be designed in from the ground up, or it's worthless.
Exhibit A: Windows.
Bill can announce a new security initiative every day from now until Doomsday, and it won't mean a damn thing unless they scrap Windows completely and start over. Period.
another good reason to wait a few more weeks before applying sp2
To build in a security overview system and leave it wide open so that it's easy to fake the current status of things like your firewall and anti-virus.
So this is what the Internet Meltdown Predicted for Tomorrow article was referring to!
According to them, any program (including ActiveX controls) can access and edit the Windows Management Instrumentation database, and therefore spoof the security status of an insecure box to report that it is properly secured."
;)
That's ok. MS probably wants it to be easy to use so that everyone can use it.
Little Bricklets
If a boxen is 0wned then we can safely assume that the 0wner/w0rm has root access. And with root access it can do anything anyway.
This is like complaining that one can shut down your computer by removing the power plug.
Step 1: Go to http://www.mikx.de/scrollbar/
Step 2: Drag the scrollbar down a bit and let go
Step 3: Start -> Programs -> Startup
That's just spooky.
Karma: Segmentation fault (tried to dereference a null post)
I'm seeing reports all over the shop that it's easy to spoof the security centre into claiming that (for example) the firewall is turned on when it isn't.
What I've yet to see is any indication that it's possible to actually do the turning off of things, which would be rather more serious.
As it is, surely the only problem is if you forget that you turned something off? I've no big plans to make my box insecure now I've done configuring it on installation.
"I Know You Are But What Am I?"
"To spoof the Windows Security Center WMI would require system-level access to a PC. If the user downloads and runs an application that would allow for spoofing of Windows Security Center, they have already opened the door for the hacker to do what they want. In addition, if malware is already on the system, it does not need to monitor WSC to determine a vulnerable point of attack, it can simply shut down any firewall or AV service then attack - no WSC is necessary."
Sadly just about everyone runs shit as Administrator (it is the default mode for XP Home installs) to make life easier and as MSFT has noted they are opening themselves up to the attacks... For those that will mention that Linux is so much better remember that these are the same people that wouldn't like to have to change to root (sudo, su, login, whatever) to install anything and would be opening themselves up to the same vulnerability level as if they had been running Windows.
Basically the problem was in design... They should not have had an open API controlling the "WSC" and thus malware would not be able to detect the presence of the programs' status from a single location. The real problem is that MSFT isn't admitting that it is a serious problem and needs to be changed on a different level... Saying that malware writers are going to use the direct route and disable the firewall/AV outright, while true, doesn't get them off the hook for creating this hole that is more difficult even for a more advanced user to notice.
Is there a way to distinguish Windows XP with SP2 from older versions through the User Agent String?
"Spotted" is the code-name for SP2. MS Sales made the name change to piggyback, as usual, after Apple: OSX's "SP2" was called Jaguar.
No, it sounds more like a virus warning to me.
That after all the fuss about security, microsoft would get it right, especially in the face of obviously superior security in Linux.
I can't believe that they lack the expertise or resources, which only leaves the will to do it, which sounds like a bad conspiracy theory.
Does anyone know why they would persist with allowing XP to be insecure on purpose?
Seriously, this is just more scaremongering. The WMI system has to be accessed locally, and their examples of how this could be circumvented are pretty silly. ActiveX apps on a web page won't run unless you specifically tell them to. The only other ways are via a downloaded application. It boils down to "you have to do something on your computer that lets a malicious application run". How is that any different from any other operating system in the world? Even as a non-root linux user you can fuck up a system by running a malicious script... I don't get it.
Am I missing something?
Made it sound like a disease to me.
Thanks a lot, Bill. I couldn't have asked for a more appropriate birthday present from you.
Let's be honest. Did anyone really expect SP2 to not need a slew of new patches after release?
Personally, I'm just glad that it doesn't bomb randomly after install. Yet.
At least Microsoft makes an attempt to identify non-secure PCs, while Unix security goes no further than 'read-only' flags on files (and only files, directories are by default read/write, so anybody can delete your files.)
running windows as admin again. what do you expect?
love is just extroverted narcissism
Auto-update notified me of the patch yesterday on my workstation. I accepted it to check it out, but it never downloaded.
Today I got the notification on my notebook and decided to try the same thing on that one as well. Same thing--the update box goes away but nothing appears to download.
It's not that big of a deal, but I do want to get it installed on at least one of my machines to see if it would break anything.
No, most users don't need to be root most of the time. Yet:
While we are not aware of any malware exploiting this, we think it will only be a matter of time. The one mitigating factor that we found is that to change the WMI, and spoof the Security Center, the script has to be running in Administrator mode. If executed in Windows XP's Limited Mode, it will give an error, and not allow changes. Unfortunately, most home users who will be at risk, run in the default administrator mode.
How can we convince people not to run admin mode? It's easy at work, in UNIX land (most people don't get to know root pw.) But most Windows users I know don't even know the difference.
Every windows security problem I know of can be solved, or at least significantly mitigated, by users not running root.
everything in moderation
http://www.pcmag.com/article2/0,1759,1639277,00.asp
"There is nothing more frightful than ignorance in action." Johann Wolfgang von Goethe
Windows XP SP2's 'Windows Security Center' is just about as insecure as it could possibly be.
and you were expecting what???
Remember Windows Management Instrumentation requires administrator credentials. If you have admin privileges on any box, you can do much harm, regardless of the Operating System
Consensus is good, but informed dictatorship is better
Cue Marlin Perkins (of the old Mutual of Omaha Wild Kingdom shows):
MP: "Today, we are going to find and capture the elusive XP2 Leopard. My associate, Jim, is armed with a toe-nail clipper and a badminton racquet. Jim, why don't you start marching down that trail over there? I'll be back at the truck with the cameraman and a bottle of scotch."
Administrator is the default context for XP Pro, too, if you create users at install time. I run as administrator, but I use Firefox to browse everything but windows update, and I have Norton installed and auto-updating itself every day. Hence I am operating in an insecure fashion, but with little risk.
(Watch me get owned tomorrow or something, but nonetheless, I stand by my statements.)
On Linux I do typically do everything as me, and sudo when I can, but some programs don't work right when you sudo, they need a full root environment. On windows, using run as often doesn't work right because spawned programs revert to your user context (though not always? I'm not sure what's going on there), and many processes spawn new processes to do their dirty work. Even a lot of installs work this way, unfortunately.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I noticed it was up last night so I installed it.
It's 94.50 mb which takes a while to download. Upon installation and restart the new windows security center pops up and tries to get you to turn on your firewall, automatic updates and antivirus software. By default if any of these are off, there's an obnoxious red shield in the system tray. Turning off alerts for these makes it go away.
Otherwise there doesn't seem to be any major changes.
So far nothing's borked.
Maybe MS could get NASA to send a few rovers in there to see what they can find out.
There is one subtle difference between linux and window admins: There is a lot of window software that is written to be run as administrator. Finding all the files to give permissions to causes quite a headache.
Linux, I feel, has a better system at the moment. However, as this is the developers' fault, I see no reason why linux would be immune from this problem.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
They're claiming that it's much more secure than Unix/Linux with this service patch. In terms of being 0wned, it's hard to totally cover your tracks in a Unix box- you leave a trail of breadcrumbs somewhere that typically can be seen (most tools simply automate the process...). In the case of an SP2 XP box, it's apparently rather easy to cover one's tracks and you have to rely on signature scanning (i.e. Virus/Trojan scanning...) to hope you can find the intruder.
I don't consider that to be a non-problem, nor do I consider it to be more secure. It's definitely not secure enough to be allowed exposure to critical infrastructure of any kind.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
To make Windows secure, that is. I know lately that Microsoft-bashing has gone from being the in thing to being "trolling", but it's true. Just because it's become less fashionable to say so doesn't change the fact. I don't understand how Windows users can continue to use these machines. I live in a relatively remote area of Japan, and yet somehow within 4 minutes after hooking up my brand-spanking new machine to the Internet, I started getting Code Red connection attempts and repeated assaults on various four-digit ports. I guess they don't respect geographic boundaries either. By the way, this all happened while I was downloading XP2/SP2. It's not going to help when we don't even have time to install it before getting our machines "owned".
I've always criticised Linux users for being sloppy and the like, but the operating system itself is at least rock solid. It rarely crashes, it has a decent windowing system, and I don't see advisories for it on Bugtraq every 8 hours. Windows is easy to install, but it's all too easy for someone else to compromise. Ease of use is nice, but I think I'll take peace of mind with GNOME on Fedora Core.
According to them, any program (including ActiveX controls) can access and edit the Windows Management Instrumentation database, and therefore spoof the security status of an insecure box to report that it is properly secured.
A protection scheme that reports that it is secure while actually being totally insecure is worse than no protection at all. A lot of people will use ZoneAlarm or whatever and their own virus scanner, but if too many people believe their machines are secured, this SP may have the opposite of its intended effect: *more* unsecured PCs attached to the Net than before. MS should stick with their old policy of not introducing new features in service packs, just bundling bug fixes and security patches together.
On Linux I do typically do everything as me, and sudo when I can, but some programs don't work right when you sudo, they need a full root environment.
You have a clue about the importance of doing so. Windows users don't give a fuck about the importance of anything except ease of use. All they want to do is click, download, install, and run. They would prefer to skip all steps except run if they could...
If that means running everything as "super user" then that's what it needs to be. Remember these are the people that use the same passwords for their home, work, ATM, websites, email, and garage door codes.
# umask 077
or
# chmod 700 XXX
The next thing to be said is usually: "But most home users run as admins." (The article also mentions this.) Well, that's not a Windows problem; that's a user problem. Even if Windows forced users to run in "limited mode" (which would cause an outcry in itself - "eek, Microsoft is trying to take away control over our own computers from us"), it also doesn't help that most third-party software for Windows requires admin rights either to install or *gasp* to run. Of course, this is ancient news to everyone with a clue
Of course, even when running as admin, protecting yourself against malicious code is fairly trivial; simply use a firewall (SP2 incidentally includes one), don't run binaries from untrusted sources, surf the web and check your email using something other than IE/Outlook, use a virus scanner/shield, and keep your apps and OS updated. Again, no news to anyone with a clue.
Quality, performance, value; you get only two, and you don't always get to pick.
I did a refresh of a XP Home update, and SP2 was at the top of the list. Pretty interesting, the boot screen now says "Windows XP" with no reference to Home or Professional. The scrolling bar color also changed. Now it looks like I have XP Pro....wait that's still embarrassing....
Oh, wait...
Ever heard of google?
OH MY GOD.
that's so pathetic I think part of my brain just exploded.
I don't want to enable my firewall damnit.
I thought because it was spotty at best! ;)
"Tuez-les tous; Dieu reconnaitra les siens."
It's possible to write a virus exploiting an insecure machine...
Really now? How interesting *dripping sarcasm*.
This isn't news. In fact I'd say this whole article is a troll.
looks like you almost got it
http://www.freedesktoppc.com/default.aspx?referer=8353205
Great work Microsoft! After all the beta-testing, SP2 is still broken. Here's what I've found so far that's messed up badly:
What I find funny is that ZoneAlarm's AntiVirus monitor feature detects AVG and Norton properly.:P
My Systems
Breaking into computers is much like breaking into houses. There are different ways to do it, but the simplest way is to go through windows.
Oooo... Will you let me your tinfoil hat? Grow up.
I love my Linux box but I expend far more effort keeping it locked down with constant updates than I do my Windows boxes.
I'll say it again, OSS will never succeed with end users as long as so many in this community take an "Anything But Microsoft" stance.
In Slackware I trust- My only OS.
I will never go back to Windows. No crappy SPs for me, thank you very much.
You need to remember, too, that most applications will BITCH (and not install) if you try to install them with anything less than Admin privileges. For ~90% of Linux/Unix programs, you can install them as a user in your home directory, with no problem. This is not the case with the majority of programs for windows (even if it installs in a user directory, the installer still complains that you're not running with admin privileges and tells you to get admin privileges before installing said software).
Sadly just about everyone runs shit as Administrator (it is the default mode for XP Home installs) to make life easier and as MSFT has noted they are opening themselves up to the attacks
If you want to run a program on XP almost everything requires you to be administrator.
The McAfee firewall/virus engine won't run unless you're administrator. How's that for security?
Well, if you happen to track debian's sid or run something like gentoo's emerge world regularly, you'll easily update 400megs every month or less. The number of serious issues are minuscule; most are improvements.
Windows is having problems because of fundamental design flaws; not because it's updating lots of stuff.
UNIX was not originally designed with security in mind either. In fact, because Windows NT development is more recent, there was probably a larger focus on security in its initial stages than there was for UNIX when it was first designed. Are you arguing that UNIX can never be secure either? Or are you just attacking Microsoft and getting modded up to 5 for that?
For those that will mention that Linux is so much better remember that these are the same people that wouldn't like to have to change to root (sudo, su, login, whatever) to install anything and would be opening themselves up to the same vulnerability level as if they had been running Windows.
You've not used KDE for the past two years or so, have you? While I'm definitely not a KDE fan, they got one thing right: Stuff runs as user and if something (say, a system configuration change from the control center) requires root privs, it switches to them temporarily and asks for the root pw.
Assorted stuff I do sometimes: Lemuria.org
filling up the harddisk with bogus data (in /home/user or /tmp) could cause certain programs to fail
So it tells you the firewall is up when it 'may' be down. If you can't remember whether you put it up or not, PUT IT UP ANYWAYS DUMBASSES!! (Not that I'd trust a Windows Personal Firewall anyways - wasn't UPnP supposed to revolutionize something?)
This is a training issue. Just as anyone who hasn't used Linux before would need help setting it up, anyone using Windows will need to know how to not be a dumbass; 99% of all security issues I've come across could've been prevented with liberal application of common sense.
I have also installed it on a test machine here on my network.
If you use putty (an ssh client), be prepared to have problems right out of the box. If too much data is sent to the host at once, ie. backspacing a line out in vi, the session video buffer will lock up.
I have found that adding it to the firewall exceptions does help, but does not eliminate the problem completely. You also have to put in boinc and seti@home or they won't contact the distro server either.
Overall, I wouldn't install this on any of my mainstream XP machines.
I do, however, like the new NIC properties window, and the exact status of ip renewal.
Installing SP2 overwrites W32_Clippy_A with W32_Clippy_B.
Home, Pro, Corporate, Media Center Edition and Tablet PC Edition.
What is this Windows XP thing I keep hearing about?
"I used to have that really cool,funny sig
If anyone is interested (and doesn't feel like wasting all that bandwidth) Microsoft will gladly send you a free cd of Service Pack 2. Just go here and fill out the form.
People just conveniently forgot that running as a common user does NOT guarantee that a malicious app does not run as admin (or SYSTEM, more precisely). IIS, RPC, Messenger, lots of others run as a service with SYSTEM privileges. If you do attack it and find any vulnerability then you can run your malicious code as SYSTEM as well.
Sure, running as ADMIN is almost stupid and multiplies your chances of being 0wned by large. But it's not the only source of being 0wned as people said above. As long as I remember, IIS (along with Sendmail, Bind, IE and some others) were considered the worst software in terms of security in the SANS Institute list. Break-ins are common in these softwares and would grant you good privileges for doing some nasty things.
Just to be fair the same can happen in Linux/Unix but it's a bit less easy to do it. And you can always run a UserMode Linux, for example, and host the application inside it which would turn the host system almost invulnerable and this is quite difficult to do in Windows (I can only think of VMWARE). Normally people are a little better educated to not use root in daily use and every installation program of recent distros explicitly says it.
The only way to make joe user NOT want to use an Administrator account is to make it annoying to use. IE: -Display a NAG window every time the user launches an application. (Maybe only if the user spends more than 30 minutes in the account) Maybe even make it easy to do some admin tasks easily as a Limited user by prompting for the administrator pw when required like Linux distros do today.
Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
On windows, using run as often doesn't work right because spawned programs revert to your user context (though not always? I'm not sure what's going on there), and many processes spawn new processes to do their dirty work. Even a lot of installs work this way, unfortunately.
Not sure what you're experiencing. A process is launched in the security context of its parent (unless that parent specifically requests it be launched under a different context, and it has to specify the exact user, etc).
The only way I can think of for your programs to be doing this is if they're doing some kind of funky junk using the shell/desktop to get it to launch the programs for them. This is a rather convoluted procedure, even when you're using the shell script host - they'd have to actually go through a lot more trouble to get it to do that than to just launch a child process in their context.
On windows, there's only one program I've had any problems with running in a context different from the rest of the console. That's part of activesync, when you have the main part running as a user, and another part used to register an installed program that needs to talk with the first part. If they're running as different users, they can't communicate, but you can't launch a new "main part" since it checks to see if one is already running.
funny munging
redundant and overrated
I find it amazing and certainly think someone should alert the NIMH. Software and hardware are each capable of EMOTIONS! Not just that, but complex ones at that. Who knew my little hunk of plastic, silicon, and metal would be so insecure? Is it because of my incessant banging away on the keyboard? Am I touching the mouse inappropriately? How do you tell?
I'd bet it's when I'm tapping out the BPM for the music loaded on the drive. It has to be like the Chinese water torture. Poor little computer.
Please, let us make amends. I'm offering a sincere apology and promise to do what I can in the future to keep you from feeling battered and furthering your feelings of insecurity.
Good thing I've got all your patches up to date, or you might find strangers abusing you from far away locations. I'd never let you have such unsecured access. It would only lead to more insecurity.
Plant a tree in a developing country.
Hey Do you know any of these people? They sound like they have the same (or very similar) problem
One,
Two,
Three,
Four,
Five,
Six,
They bypass this obvious lack of security as a feature, and that the application is rather to serve as an extra barrier of obscurity to hackers, and not as a solution to the problem (which it will ultimately be marketed as.)
This unfortunately isn't an adequate mentality. Microsoft appear to make the mistake to think that hackers are as technically challenged as their regular home user base.
Yes! Certainly a home user wouldn't be able to craft some accidental software that rips a hole through the new security centre features. However, hackers which discover holes in Windows (without ever seeing the source code) have the competency to add the extra layers of dodging to their worms. This is at Microsoft's peril, as now worms can fool a system into reporting that everything is fine, in turn fooling the technically challenged home user into also thinking that their new DDoS server is also functioning without a hitch.
Microsoft needs to understand that hackers are significantly "gifted" in comparison to their regular user base (many of which who'd think Mac OS X is another version of Windows.) They must craft their security devices such that they can not be trivially undermined, and put an end to the assumption that more easily bypassed road blocks lead to greater security.
That sounds backwards...why would they release the patch for "Home" users, most of whom probably wouldn't notice anyway, instead of "Pro" users, who mostly probably consider themselves power users and would tend to be more concerned about the security of their machine, or at least features?
It's called Linspire or Lindows depends on when you got it.
I do not run as Admin or even Power User. McAfee 7.1 AV and 8.0 Firewall are running just fine.
Office and most new MS products will prompt for an admin level ID if you try to install them as a user.
I've come across a few apps like IZarc and anything from Palm, that don't work with Run As for the installation, and will require adding the current account to the local admin group for the install. A few other apps try to do things that are dumb, like putting data files in the Program Files folder, so you have to change the file locations or configure permissions. When I come across these issues, I email the company or developer responsible, and generally get a favourable reply along the lines of "Hey, I never thought of that!"
I would always use Linux for a few months, and go back to Windows XP because of ease of use, and there being less hassle. Then came in SP2. Not only did it break most of my drivers, but its "Wireless Wizard" won't work with my wireless router (D-Link). It worked better in SP1 (where at least it *worked*). So screw that. I formatted my three systems a few days ago, and installed Debian. None of my family can really tell the difference, and everything's working well. Windows XP is no longer an option. It seems that I either have to choose between Windows 2000, or Linux. Thanks for making the choice for me, Microsoft. ;-_-
I installed the official release of SP2 and installed it on my mom's laptop last night, only to be greeted with a nice informative blue screen upon reboot.
http://www.crn.com/sections/breakingnews/breakingnews.jhtml?articleId=23905071
I had to boot into recovery mode and run a batch script to uninstall SP2, just like the article outlines. Then I had to go into the registry and change some keys, then do an uninstall via the add/remove programs wizard. Man, thanks Microsoft for a full night.
I'm not sure if I'm going to try again, we'll see how I feel after stewing about it all day...
Basically, the only software I've found to work properly under a restricted user is Microsoft's own stuff. Anything third-party, especially things predating Win2K is a joke.
Sadly just about everyone runs shit as Administrator (it is the default mode for XP Home installs) to make life easier and as MSFT has noted they are opening themselves up to the attacks... For those that will mention that Linux is so much better remember that these are the same people that wouldn't like to have to change to root (sudo, su, login, whatever) to install anything
I've virtually no choice but to run my WinXP box with an administrator account. Almost all the software I use on a daily basis, from applications to the kids educational stuff, requires that it be run under an administrator account. If the software developers aren't going to deliver stuff that can run under a limited account then they're hardly helping solve the problems.
And some people don't even HAVE an administrator password on their computer - PERIOD. It wasn't set up in the first place. I'll admit, I run as administrator on Win2000 all the time, because it truly is a hassle to log out (especially with "saving user settings" all the time). What Windows needs is an option where you can log in as root from the guest account, do what you have to do and then when you close the window it automatically logs you out.
I fail to see what the fuss is about. That a program running with admin privileges on a compromised box can do whatever it wants to?
.m
Come on, this is just nonsense. XP SP2 has a slew of security enhancements to make it harder to compromise a box, but it doesn't change the fact that once a box is compromised it can never be trusted again. Game over, reinstall!
I think my install problem occurs when the 32 bit installer is launched from the 16 bit stub.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Argh... If it's really true, it's only if you run your user account as Administrator. The same is true if you run your linux desktop as root. Any program can overwrite your system settings.
I hate people blaming stupid user setup decisions on MS.
It should never have been added to the os. It should be removed from the OS just like any other exploit.
It does nothing that can't be done in other ways, and it is an inherent security risk. If they would just kill activeX, they would solve a metric crapton of problems in one shot.
Free Mac Mini Yeah, it's
Actually, under XP, many programs take advantage of NETWORK SERVICE and LOCAL SERVICE accounts, which are not quite the same as SYSTEM. I believe IIS is one of these programs.
MICROS~1 FUCKS UP. FILM AT 11.
(Lameness filter encountered. Post aborted!
Reason: Don't use so many caps. It's like YELLING.)
We're out 'ere lookin for signs of the elusive XP2 that's been said to be lurkin' in the wild...
Crikey, I've just spotted a wild paypah-clip in its natural 'abitat! Look at those big ole eyes an'.. oh!.. there he goes trying to ask me if he can 'elp me!! You see, this creature is what's known as a parasite, 'ee leeches off o' your Windows Management Instrumentation databases. It's 'ard to satisfy one o' these buggers, they'll never leave ya alone until they've done your work for ya.
</steve irwin>
They would invade a country run by a dictator, continue the dictator's tortures even in the same places, inflame the world and make the world an insanely dangerous place to live.
Oh, wait...
Victims of 9/11: <3000. Traffic in the US: >30,000/y
People, get a clue: a "malicious site" can't do anything to your computer, unless your box has already been compromised.
PC Mag, here's an idea: tell the users what the real problem is. You damn well know what it is. But you're afraid, because they spend a shitload of money on ads.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
He's got some serious points; think blaster.
The default behavior of XP Home, arguably the prime target for SP2, is that EVERYONE IS AN ADMINISTRATOR!
That WAS a decision made by MS.
Furthermore, if you try to run Windows with a non-admin-level account, there's quite a bit of stuff that will give you problems because many programs expect to be installed and run with administrator privileges.
So to avoid the headaches of constantly having to login/logout with differently-privileged accounts or do "Run As..." all the time, people just use an admin account. And then they wonder why they get fucked by every little bit of malware that comes gunning for XP.
Browse to C:\Program Files\Internet Explorer.
Hold down shift while right clicking on the IE Icon.
Select "Run AS" on the menu.
Enter the details of your Admin account.
You will now have an IE window running under the admin account. You can browse files, launch programs, install things and do whatever you need to do as admin.
When you are done, close the IE window and the admin privileges are gone. (Assuming that you were originally under a guest account)
Never confuse feeling with thinking.
Is it really a surprise that an application that is run by an administrator can modify software defined elements of the machine?
An administrator, or code running on their behalf, can do ANYTHING. Period.
This is EXACTLY THE SAME as EVERY OTHER OPERATING SYSTEM, including Linux.
The only exception to this is certain managed code environments such as .NET where the code that is run has its own permissions independent of the user running it.
Give me a break. These people are just looking for headlines. It makes me sick.
I was about to Ask Slashdot about whether it is relevant to upgrade XP to SP2 given the fact that:
Seeing all the potential problems XP SP2 can bring in, is it worth the update?
What do you guys think?
SP2 is just that -- a condom -- it affords a little more protection but unfortunately, has holes in it! And I totally agree with you ... they should focus on services packs providing fixes not providing updates. At least Sun does this with their patch distributions.
http://secunia.com/advisories/12321/
For more info...
Does anyone know what the difference between the SP2 service packs, the 280meg from early this month and the 100meg one that was released today, is?
--
Whatever happened the Antec Phantom Powersupply?
Despite what you say, they are trainable.
I got my sister (15, and understands precisely nothing technical about computers), after much yelling, screaming, and misunderstanding (this one mostly on my part), to use an unprivileged user for normal work and to make changes and install as Administrator.
That said, not only are default accounts admins, but you cannot only have unprivileged accounts; you must have a named admin in addition to Administrator. Very dumb.
Then disable both WMI and WSC Services and get yourself another personal firewall here or here.
MS opened the WMI to third-party sources and that is why we may mistakenly call it a hole, while in reality it's an option.
This leaps out at me. Do you mean that Windows now only considers itself secure if it can automatically install an update and reboot itself when it feels the need without asking me?
Not that I would leave it with that option, but any process that suddenly decides it is the one that gets to reboot my computer is just evil.
I'm glad more than ever that I have a hardware firewall between me and my cable modem on my network. So many of the things that end up happening to a windows box just seem like they can't be anticipated by the user, and should have been anticipated by Microsoft.
Meh
Lost at C:>. Found at C.
Manual su, sudo, or logging in isn't required. For any modern distribution you simply type in the root password when requested in a graphical question box. Even a stupid/simple root password will effectively prevent this type of cruft. People rarely notice the GUI popup requesting the root password after the first few shots...
Basically, people do whatever it is they're required to with a minimum of grumbling once they're used to it. It just comes down to the default behaviour of whatever software they're using being at fault.
And as to software installs needing root permissions.. I dunno. NWN seems to be running just fine.
You're reading Slashdot. Of course you like Linux and pc hardware
The main problem is that many applications written for Windows will only run if you are logged in as admin. Run As.... just doesn't work. I have a W2K machine that I only use for gaming. It only has an admin account because none of the games will run in a limited account using run as. For web browsing and email I use Linux on another machine. If the W2K box is compromised I'll just back up the game saves and reinstall but most users don't have that option.
I didn't expect SP2 to fortify my Windows from the demons of hell. Hell I think I downloaded it cuz I heard it makes some icons look cute. Anyway I'm working on something that will make my box more secure than all of ya'll. But with windows the best I can do is just unplug the damn ethernet cord.....
What do you mean *They*?
It's the same guy Anonymous Coward every time!
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
Huh? Nothing happens on my WinXP Home SP2 system. There's no scroll bar on the page (other than the regular window scroll bar, and moving that didn't do anything).
Every time I go into my Boss's office I see the lovely background I set up for him... bright red, with the words
And on top of it is Outlook Express.
Considering the knowledge level of most Win XP users, M$ didn't fix a single thing, security wise.
The cracks and new trojans will be out in a week. As usual.
Professional Politicians are not the solution, they ARE the problem.
right click on the program you need to run (not a shortcut). Select "Run As". Select "Administrator"
Maybe you've seen the old motto. MS: "The whole world is our beta test site."
Why is MS software so insecure, and just plain sloppy? Maybe their management model just does not allow a programmer to finish his work. Later some poor guy is assigned to fix a terrible bug that is getting publicity, but it is difficult, boring work trying to understand what someone else did, and he makes mistakes.
META REFRESH works just fine. It doesn't work if you launch IE from Frontpage to preview stuff in browser, but if it's on the actual website somewhere it works fine.
The small network "routers" are hardware firewalls, too, and modern ones are excellent firewalls.
Even if you could get a user to not run as admin all the time, it's not going to help. Why? Because users WANT to run the stupid shit that infects their computer. They go to install Kazaa, it says "I need root to install", you think they are NOT going to enter the root password? Of COURSE they will, they want Kazaa on their computer, they'll do whatever it asks them to do.
As a recent example, later variants of one of the recent worms was zipping itself and encrypting the zip to try and evade virus scanners (successfully, for a little while). That means you had to get the password from the e-mail, and use it to unzip the executable, then run it.
Guess what? People did. They went through all that trouble, because they believed the program to be something they wanted.
There is really no defense against stupid users, when they own the box. They can get admin, and will whenever they want it, even if it's not the default.
But if MS had required your average user to think about security they would have had as much desktop penetration as UNIX did. When all this began, security wasn't that big of a deal. And is MS alone in this issue? What about Apple, I don't remember dealing with users an Apple Mac.
Either that, or you are doing something wrong. Here at work we have, oh about 500 Windows machines and maybe 200 Solaris machines and some Linux machines too. Of the Windows machines, I'd say 200 or so are already on SP2. They don't crash on bootup and SMB traffic is ALWAYS flying over our building (it's a single large subnet too).
As for AVG, well, you screwed something up. It detects fine on every system I've put it on. As for Norton, it is a documented Norton problem, and they (Norton) are working on it.
As for security centre, yes, this is by design. They know users ignore the update installation requests, so they want it automatic. Just tell it to quit bothering you, and it will.
What I find really funny is that this user, who appears quite clueless, is modded informative when all the replies are not. Look folks, anti-MS != informative.
The only way to make joe user NOT want to use an Administrator account is to make it annoying to use. IE: -Display a NAG window every time the user launches an application.
I'm afraid they'll just close the window and think nothing more of it, like they've been trained to do with pop-ups/pop-unders and all the other malware crap.
Take OS crashes, for example - they've been considered part of normal operation for years now.
What would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
If you wanted real security, you should be running something geeky like Linux.
Free Software: Like love, it grows best when given away.
Note to Sun: The Java Runtime does this!!!! All icons go to the current user's profile. The automatic update screws up if it downloads while one person is logged in and another user tries to tell it to go ahead and install. I haven't even bothered to see if it can be installed by someone in the Power Users group.
-Lucas
The one windoze box I have popped up its little 'I want to download SP2' today. With all of the stuff I've kept hearing about how many apps were going to break, does anyone have any anecdotal experiences post-SP2-install they'd like to share? I really don't want to install this stupid thing because I need my machine to continue functioning, barely as it may be.
The fundamental question is, now that you've installed it, what did SP2 break?
There is very little future in being right when your boss is wrong.
Nice trollery! Or do you just honestly misunderstand the intricacies of unix security?
Mod parent DOWN!!
Idiot? Astroturfer? Who knows...
That's it! I'm going to come and take your parenthesis keys off your keyboard. If you use them more than once in a post, you've done it too much, much less if you've nested them! These are quick-read posts, not algebraic theses! :-)
You are either part of the solution or part of the precipitate!
Anyone else notice that if you go to windowsupdate to download SP2, and you're using a browser that works / doesn't have gaping security holes (read: FireFox) you get the following message:
You need to be running a version of Internet Explorer 5 or higher in order to use Windows Update.
As if downloading a file were something that only IE is capable of.
Check it out: http://v4.windowsupdate.microsoft.com/en/thanks.a
Search CVE for exploits involving WMI or WBEM. You will find 1 involving Sun. WMI has built in security features. Perhaps the only truth in this article is the fact that given time, someone can break any security.
Microsoft's reply, http://www.pcmag.com/article2/0,1759,1639277,00.a
I actually feel that article should be pulled from Slashdot. First off, the Eweek article is just pointing to the PC Magazine article, why list it twice, google hits? More importantly, this is an editorial posted as news, the author provides no evidence or research. There is no reason Slashdot should condone this type of bad journalism, or are we all that biased.
Of course if you'd like to add WBEM to Linux or another nix, http://openwbem.org/.
Intelligence is a matter of opinion.
I know nobody will read this far down, but I gotta say it. The fact that SP2 is just as insecure as pre-SP2 surprises nobody around where I am.
Why? Quite easy: We've been noticing for a while that all these so-called "patches" that MS has been releasing have never closed a hole. They might close the one it claims to close, but more often than not the vulnerability is really still available, and it's usually either the same one or it was simply moved so that a new one is still open in a similar fashion.
SP2 blocked normal access by simply turning on the MS firewall, leaving it our fault if we turn it off and get hacked through the holes MS left. There are some of us over here that are starting to wonder if ol' Bill has got his own uses for these holes and that's why MS never closes them....
No operating system is secure...
Given that, what is the deal with this SP2 bashing by the tech media?
I don't think anyone ever said this would fix every possible security problem and make Windows un-hackable, yet there appears to be a special glee associated with reporting a (shudder) security issue with anything MS. Jeezuz, give em some credit for trying...
W.E.P.
The quote from the article: Due to the nature of WMI, the WSC could potentially allow attackers to spoof the state of security on a user's system while accessing data, infecting the system, or turning the PC into a zombie for spam or other purposes.
This isn't an exploit...it could...potentially...be an exploit. In fact, the term "could potentially" shows up several times in one of the articles. Read it how you'd like ("could potentially" ranging from "if someone got around to doing it" to "well, it sure looks like it could be done if we knew enough to test it"), but Slashdot headlines have been teetering on the tabloid-edge by subtly twisting article content for the sake of sensationalism. Tsk tsk!
If the animated dog says my machine is secure who am I to argue with it...
All the torrents you could want.
What would happen if Microsoft limited the administrator account to 16 colors and maybe a low resolution. Would people learn quickly to use a user account to play games? Would administrators still be able to get their work done with said limitations?
This is just one of those off-the-top-of-the-head-and-not-thought-out type ideas, but I'm curious.
Why do I have this? I don't smoke.
MS has also uniformly limited Windows' responsibilities to just being an operating system; meaning if you get a trojan which disables a service, your security has been compromised. MS Windows is not created to be trojan-proof (nor is any operating system).
MS Windows is NOT a security product, virus scanner, etc. If you think those programs are necessary (and I hope you do), there are very good third-party products available.
Say for sake of argument I'm running something that is a long-running computation. Why I'd be doing this under XP is a mystery, but say I am.
Windows decides it's lonely and discovers yet another cumulative patch for IE (which I don't friggin' run in the first place) needs to be installed.
So now I come back to a machine that's rebooted itself, stopped my long-running calculation, and launched an IE anyway because clearly I meant it to be my default browser, and wouldn't I really rather go visit MSN?
Yes, you make a valid point. But I get to be the one to decide when a machine reboots, not some git who thinks that a friggin' "critical" patch to remove possibly offensive characters from a Windows character set will require a reboot(*).
(*) No, really. That was actually presented to me the other week from Windows Update. Apparently, being the owner of the OS, you get to declare as critical which doesn't affect my security or performance, but demonstrates their stupidity. Changing a font will never qualify as critical in any meaningful way.
So, no, I'm not willing to accept their judgement on this, and I'll rely on my real firewall to keep Windows from the worst sort of crap.
For Joe Sixpack, I think your pointing out why some people might use that policy is valid, and I hadn't thought of it that way. But in terms of giving a blanket permission to reboot whenever it wishes, I'm not going to turn that on.
Cheers
Lost at C:>. Found at C.
Stop modding him down, it's funny, and I'll keep modding him up!
> Windows XP SP2's 'Windows Security Center' is just about as insecure as it could possibly be. According to them, any program (including ActiveX controls) can access and edit the Windows Management Instrumentation database, and therefore spoof the security
Well, duh. We are, after all, talking about Microsoft. MS wouldn't know security if it bit them in the face.
"I knew solitrae and tetris and an altier motive."
I picture the poster slumping over their keyboard at this point, then sliding out of their chair into an unconscious heap on the floor. I've never read slurred speech before.
how can you NOT run as Administrator in XP though? The RunAs command doesn't work half the time, and when it does it installs the software in the wrong profile directory.
How many of us geeks actually manage to run XP as a Power User as we're "supposed" to and not as a member of the Admin group at the very least?
not to mention how some worms seem to be able to get past that stuff even if you are running as Power User, so now you have a worm ridden box, where the worm has more privileges than you!
IE is actually usable for the first time since, err, ever. The extra nag dialogs and the pop-up blocker go a long way towards keeping spyware off your machine. Let's face facts, most people will never stop using IE. They will go to their deathbeds using bundled software. They will never switch to Firefox or Opera. This is the service pack for them.
The nag "Where is your anti-virus" box is a reminder that windows needs an AV program to run properly. I can't stress how important a built-in firewall is, even if it is "weak" it's still going to introduce people to the concept of a firewall much more than the old version did. Personally, I don't think ports over 1025 should be blocked by default, but that's just me.
I've been running SP2 since MS released the final version and am pretty pleased with it. XP even feels snappier. It passes the "grandma" test fairly well and like you wrote is a good first step towards securing windows. If it only helps fight spyware installs it's worth its bytes in grams of gold. Especially for us techies who get called, bothered, etc for stuff that is completely preventable.
This is really the first step to securing windows for the everyman, if such a thing is truly possible. Soon enough current machines will be replaced with machines with processors which understand NX, thus making the feared buffer overflow much less fearsome.
Even though SP2 is going to cause all sorts of headaches with clients, friends, and family, I'm very optimistic about what it can do to help stop spyware and to a lesser extent worms and viruses. It's a real shame there isn't an equivalent SP for the HUGE win2k user base out there. Seems like the script kiddies will now be focusing on win2k machines from now on.
Stop by a Circuit City and they will gladly give you sp2 on CD with a nice propaganda ridden sleeve. Suitable for collectors.
I don't keep a lid on my coffee so when I walk around I look busy -me
http://www.internetweek.com/allStories/showArticle.jhtml?articleID=38100003
Quote:
----------------
"Criminal actions the attacker could pursue include many that are far more interesting than spoofing the Windows Security Center," Microsoft said.
This defense -- that the bigger security holes in Windows are the real honeypots for hackers, and thus smaller flaws can be safely ignored -- is a new one from Microsoft.
----------------
Heh, even the author of this article was bemused by this statement.
Assuming you need admin privileges to change security parameters, I would think it would be nice to script some things if you're working with a lot of machines. You shouldn't be doing anything except admin stuff in accounts with admin privileges, so you should be safe from trojans and viruses.
Add to this that Windows doesn't give the user a facility to promote (and demote!) themselves easily it's really hopeless. This problem has been around since NT 3.1 and has been compounded by the integration of IE into the kernel. And yes I know about "runas" but it doesn't work correctly for many apps (even ones provided by MS).
So Windows offers you as an IT manager two options:
- Remove admin rights from users but anytime an application requires a minor elevation in rights you will get pestered.
- Give everyone admin rights but watch installations like a hawk because they might accidentally misclick some link at some googled web site that wasn't what was said.
Either path is expensive. I curse MS every day for creating a flexible permission system, access control lists that are well integrated across the enterprise and then promptly not use them in any of the right places.
I'm stumped and have given up all hope of figuring out what to do beyond pray. As long as MS clings to this system this Windows will be an expensive PITA system to maintain on the enterprise.
I have this really big problem with SP 2 after I installed it. There is this crazy red X in my taskbar that won't go away! With no close button!. So I c-alt-del it and bam it is back! Gah make it go away! Oh, wait it is a feature. My bad.
If the world wasn't assimilated...I could sleep at night.
"How many of us geeks actually manage to run XP as a Power User as we're "supposed" to and not as a member of the Admin group at the very least?" I have run as a power user for quite a long time now on both my work and home XP boxes.
:)
"Run As" is my friend.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
You know, even if Microsoft ever does get their shit together, their credibility isn't going to be worth a share of SCO stock.
Join the Slashcott! Feb 10 thru Feb 17!
Even better, make all admin accounts monochrome.
I wouldn't lower the resolution too much though. Ever tried to use the Windowsupdate site in 640x480? NOT fun.
Some programs require administrator privileges to run. All of them (that I've seen) require admin privileges to install.
Microsoft needs to make a simple way for programs to request administrator privileges, a la OS X installers, for temporary, one-time settings. If a user could run an installer or updater and it would say 'you do not have permission to install this program, please enter the administrator password', then it would be convenient.
When I installed my laptop, I resolved to do the whole separation of accounts - an Administrator account and a User account. After about an hour, I got fed up with it being a pain in the ass to do anything, made myself an admin, and deleted the admin account. It's just not feasible.
Another good feature would be to provide deferred installation. A program could ask for a password to be allowed to install, and if the password wasn't supplied, then it would 'ghost' the installation, going through the motions, but quarantining the program first. The notification could be sent to another account with privs (e.g. mommy or daddy), it could show up on boot or reboot (single-user system), or it could be forwarded to IT personnel to be reviewed (in detail).
Installers that are not designed with this in mind could go forward as usual, but a system alert would pop up notifying them that the program would not be ready to use until someone has verified the installation is approved - input password now, or forward to whomever.
This would also have the benefit of alerting users whenever something installs something else in the background, or tries to modify an installation or settings it's not allowed to touch. It would also allow network administrators at large sites to see what kind of installations are being attempted (MSN? Gator? Cool cursor spyware?) and would allow them to clamp down on users for their part in it, as well as preventing them in the future (or firewalling certain websites at the proxy, etc).
Just a thought.
--Dan
In IIS6 no user code runs as System by default. ISAPI filters, ASP pages etc all run as Network Service.
RPC and RPC Locator services run as Network Service in SP2.
Messenger service is disabled by default in SP2.
Hell, my XP Home machine (well, multi-boot partition really...) got it from automatic update almost a week ago. The only thing that "broke" is I noticed it changed the Windows bootsplash from "Windows XP Home Edition" to just "Windows XP".
Firewall was already on, and it detected McAfee as the Anti-virus software in the new "security" console.
Apparently the hype surrounding the world ending was exactly that...
+++OK ATH
My brother set up a relatives office internet connection for a _security company_. He felt he had to leave Windows running as admin so they can dial up the adsl.
What can I say? My bro's lazy. Not only does he feel *nix can't work with the computer ignorant in the office (problem no.1), but he's also not even doing the windows solution properly.
Someone type a message here to sort him out!
(His responses to me have been:
- they won't understand linux (do they have to; they only need to read emails and visit web AFAIK - that's kiosk stuff)
- I can't get it to dial without admin)
A blog I run for the wealth
I'm not disputing that from their perspective, it was a critical update.
However, in terms of security, "it's critical Microsoft doesn't get sued anymore" just doesn't cut it. Critical means it's going to potentially allow someone to get into my machine and cause damage.
It erodes trust in their update system if I have to accept that they'll call an update a higher priority if it affects their PR.
If they had a patch that was defined as critical whose sole job was to delete, say, Open Office, calling it critical would be just as dishonest as a change to a frigging font.
Hell, I may never apply that patch now.
Lost at C:>. Found at C.
use Linux. Unfortunately, I admin about 1000 Windows boxen, about 200 are WinXP. At least I don't have to worry about it after 5 p.m. on Friday!!!
I had a terrible experience tonight. I downloaded (12 minutes) and installed the WIN XP SP2, and my computer stopped working. It would boot and offer to take my password, and then reboot as soon as I hit after putting in the password. I went through this drill about six times before I admitted to being stupid. The restore function worked perfectly after rebooting into "SAFE MODE." Fortunately, I had read an article in one of the many magazines I read which strongly suggested that under NO circumstances should one install the SP2 without creating a "Restore Point." ALWAYS READ THE INSTRUCTIONS BEFORE PLAYING WITH DYNAMITE! I believe I will stay with the SP1 WIN XP until a few magazine articles are written listing the necessary caveats for the installation. My wife suggested I might wait for SP2.01! Beaten but not bowed,
Goddamned kids! Get off my lawn!