File and Printer Sharing Insecure in XP SP2
ProKras writes "German magazine PC-Welt has discovered a major security flaw in Windows XP SP2 when installing over SP1. The article says that 'with a certain configuration, your file and printer sharing data are visible worldwide, despite an activated Firewall.' The magazine claims they were 'able to discover private documents on easily accessible computers on the Internet' and that the configuration is fairly common."
The Slashdot summary is a little mis-worded such that it'll cause some unneeded alarm.
If you configure File/Print sharing in the "wrong" way as the article talks about, it'll expose those services to the whole 'net even through the Windows Firewall. If there's firewall security installed anywhere else on the way to the Internet, such as at the edge router where firewalls really belong, Windows XP isn't so dumb as to pierce that level of security. Even a simple NAT is enough to be an effective blocker.
In other words... we're running into "That's not a bug, that's a feature!" territory. If you ask Windows to share your files and printers across an IP-based network, you should be sure that the network is separated by a real firewall from the rest of the Internet. Fail to do that, and you might as well expect this is going to happen.
I suppose there were a few people out there that were expecting it to be secure...what with MS spending over a year...(maybe longer?) in making SP2 while the world was screaming at it to fix its security holes.
And THIS is their response to that. This isn't funny, this isn't a "ha, told you so" kind of thing. This is something that pisses people off. People get fired for this kind of fuck up.
"Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
Oh, so you can see docs and printers of an XP box? What good news, Sherlock, that's really a feature, not a "security bug". And I still wonder how on earth that "insecurity" didn't happen in my box when I upgraded from SP1 to SP2.
Just like the "XP SP2 Can Slow Down Business Apps" (read http://it.slashdot.org/comments.pl?sid=122264&cid=10284438 or http://it.slashdot.org/comments.pl?sid=122264&cid=10283379) and dozens of other news by MrTaco, etc.
But since a well known and famous page like pcwelt.de (or something like that) says it, we must put it in Slashdot's front page without even checking if it's true!!
It doesn't seem to matter that all this can be pure FUD. It's Windows!!!!1
I can't tell slashdot editors what they have to put in their own page, but I'm not visiting slashdot anymore if this FUD continues. Sure windows sucks - what about putting news about how much it sucks instead of all this senseless FUD?
This service pack has been a complete failure. This is no longer about performance issues or installation issues.
This is a serious bug, and proof of what poor work Microsoft has done with the Service Pack.
I just remember how Microsoft executives stated (can't find the link, but read it here on slashdot) that a bug was never discovered that they didn't know about beforehand, and wanna laugh.
Let's hope this gets some media attention and people start migrating to other OS's. I'm sure the boys at Redmond would do a better job if they thought their product is under serious threat, because this so far is a joke.
With a certain configuration, ssh is accessible from outside, even with a firewall. If the configuration includes passwordless root, well then, a slashdot summary "ssh allows remote root access despite firewall" would be a tad overzealous, right? Unless the certain configuration is ever the default, this is just users not understanding what they are doing and mis-setting things. Not an MS problem, it's giving users a choice. It's just a very bad choice to make, but no different than, say, root telnet over wireless internet or something.
SAILING MISHAP
Most of these security issues are solved by simply having an inexpensive netgear or linksys router and up to date virus software. They are cheap and easy enough to use that they should be considered standard equipment on any home PC connecting to the internet.
"Nobody knows the age of the human race, but everybody agrees that it is old enough to know better." - Unknown
So a print magazine with 2 million readers is dubious ('cause it's over there?). The flaw is well explained but it is a little bit complicated. Maybe you should read again. This means everybody who has used file and printer sharing in SP1 and has updated to SP2 and uses the built-in Firewall instead of something else is affected. That is a very likely scenario, don't you think?
Slashdot might be eager to publish bad news related to SP2, but calling PC-Welt a dubious source sounds ridiculous to me (can you tell me about a US computer mag, which actually features news?).
I don't think you ever heard of PC-Welt prior to this thread. You could as well state that nothing happened in Beslan, because you saw it on BBC (aka foreign media).
I don't want to say that PC-Welt is a great mag - I bought my last issue about 5 years ago and I have no regrets not reading it anymore. But if
I don't read replies by ACs.
http://shit.slashdot.org/article.pl?sid=04/09/18/2143242&tid=128&tid=201&tid=1
occultae nullus est respectus musicae - originally a Greek proverb
Could we "accidentally" print out goatse on Bill's computer?
Would he fix it then?
liqbase
I, for one, welcome Slashdot's reporting of any security holes whether in Linux or MSWindows products. I can then research more and know what to be aware of before they get exploited.
Or are you some kind of h4x0r who wants people to remain ignorant of shared filesystems?
Hold on a minute.
This might be just the entry point virus writers have been looking for.
Having unrestricted access to that guy's C drive enables software to be deposited and potentially run.
This software can add itself to the list of approved applications for firewall access and carry on spamming anyway.
This is important.
liqbase
Maybe if you posted as a registered user and not a cowardly AC, you might get modded differently. Oh yeah, why don't you use your "secure" web browser to find out the worldwide dollar figure for all the Windows vulnerabilities. And here's one to add to your list:
Which operating system permitted a virus to destroy the data and BIOSes of over one million computers?
Pain is merely failure leaving the body
I spent an afternoon printing warnings on people's printers
As well intentioned as you were, you shouldn't do such things. It's likely against your ISP's usage policy, generally considered unethical, and potentially against the law depending on where you live.
While I can understand why such behavior might piss off an ISP, I don't see why it would generally be considered unethical. It's not like he was installing software remotely on someone's computer, which seems very different to me.
Would it be unethical if he knocked on their door and told them in person of their vulnerabilities? How about if he slipped a flyer under their door while they weren't home? That seems to me to be the ethical equivalence of using their computer to print a warning.
Download my free songs!
Because that would be real hacking not just running some scripts found on a website.
An Education is the Font of All Liberty
MS has been so busy smearing Linux they forgot item 2 of their Security Vision!
Or more probably they consciously decided that FUD was of utmost importance.
MS is just digging their own grave with their ulterior motives.
I do a fair share of programming so I can understand some glitches here and there but this one is an enormously major fuckup.
Don't they friggin' test their software? What the hell?
This could easily have been prevented if they had just 1 halfway knowledgeable employee trying to break their own security before release!
Now that every (only XP users) PC has a firewall (unless they turned it off), they won't have to spend so much time on making their apps secure!
It's just gonna get worse.
To make laws that man cannot, and will not obey, serves to bring all law into contempt. --E.C. Stanton
Does your printer have a global internet IP address as allocated to you by your ISP? Most network printers have IPs on those subnets reserved for internal usage, which aren't accessible from outside your LAN without special routing aids like NAT. Of course I guess maybe you do have several IP addresses at your disposal, although at least for private internet lines that is extremely rare. Or did I miss something here...
Switch back to Slashdot's D1 system.
That is only true if you have broadband. To get a dedicated (though still software) router that supports dialup is several hundred dollars, and those routers only support dialup as a fallback mode, which means using them in dialup mode for a long time will reduce their lifespan as the serial port hardware wasn't intended for constant use.
Being forced to take your computer to have all the spyware etc. removed costs a lot more.
Microsoft goes on a bit about how much better their commercial software is because they have commercial code reviewers to catch this kind of thing, i.e. people who have a job to do and are getting paid to do it must be doing a better job than the great unwashed masses.
Microsoft tells us they do these kinds of things better, but the reality of the situation is that fixing security issues require a group of people who know what they're doing, and honestly, I don't think Microsoft has a whole lot of those people.
--- It is not the things we do which we regret the most, but the things which we don't do.
When you stick a flier under someone's door, they have to throw it out, which also costs money. There's a certain threshold below which, if you care, you need to get a life. That said, it is still too legally risky to attempt.
So does bandwidth consumed by infected zombie computers relaying spam.
Except you forgot about the people who "delete" their administrator account.
They don't see it at login, it has no password, and other people (and viruses) can and do access your system (C$ anyone?) remotely.
On campus right now we have one worm which has infected about 10% of the resnet computers and spreads through open windows file shares.
Now go back in your box.
It may not be unethical, but it is a felony under US law.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
People really shouldn't rely on the built-in WinXP firewall for protection.
It might be alright for compartmentalization--keeping boxes on a LAN safe from each other. But I sure wouldn't want to put a machine on the internet with just the WinXP firewall between it and the Big Network.
Sygate is easy to use, informative, and more secure than the built-in firewall. Hardware firewalls/routers/NAT-gizmos are cheap and for the most part will keep Joe Sixpack safe* while letting him do what he wants to do with no fuss.
Ideally each machine on a lan has its own software firewall, and then the lan has its own gateway/firewall--either a NAT-in-a-box or a Linux machine. Even in that situation I wouldn't trust Microsoft for the software firewall, mainly because it'll probably get in the way and I can't fine-tune it.
But anyone who puts a WinXP machine on the net with nothing but the built-in firewall is asking for trouble.
*wlan security aside, but that's a whole separate issue--and another argument for software firewalls on every machine.
Funny thing about that administrator password. As I pointed out in my post later in the comments: I work for one of the BIG OEM companies and I can say with all certainty... we don't put Administrator passwords on the computers when they ship. Furthermore, we WILL NOT assist in adding/removing/modifying any settings of the sort for less than $2.95 per minute. It's not covered in our scope of support. I guess our bosses figure if you're going to use the technology you should at least know something about it. Oh, don't forget the fact that the suits that run the place don't even know how the stuff works. When our tech call center came down with blaster I was recruited to assist with the removal. With the current admin being clueless, guess who had to plan the whole thing out. The first thing I did was scan for systems that had the symptoms (this was before we knew what it was) and I was amused to find out just how insecure our network is. Do you know what kind of information we collect and warehouse every day? Scary. BTW, after helping disinfect about 500 systems and saving the company millions of bucks, they were nice enough to label me a security risk and put me on a watch list. Just goes to show, the companies that make the stuff don't know anything about it.
ThisIDalreadyInUse
These computing resources were being placed in the public domain.
So if I go out for the day and accidentally leave my front door open, have I placed all my possessions in the public domain?
I've said it before, and it looks like I'm going to have to keep on saying it - just because you *can* do something doesn't mean that you *should* or that you're *allowed* to.
It's official. Most of you are morons.
Simple answer:
if you print stuff on other people's computers, and I will assume these people are idiots with their broken/default configs, then those idiots may or may not understand the warning in the way you intended it.
Some people will say "Oh gee my computer is so smart! Yay Compaq!", others will say "Holy bletcherous fsck midgets! I've been HACKED! Call the COPS! Call the PRESIDENT! Call Billco to fix my stupid machine!" And after little old Billco listens to his relatives/non-friends shriek for several hours he will want to print his fist up your ass.
Make that 1000 copies.
So please stop thinking like the world is populated with only geeks.. we are a minority, fools run the world, remember ?
-Billco, Fnarg.com
What bugs me is that this is not on by default.
I mean, how hard can it be to set file and printer sharing by default to the local subnet only? Those parameters are already known, and in 90% of the cases this would suffice for normal usage.
The very fact that MS overlooks such simple security measures and pushes things like the new security control panel (forgot what it's called) as a 'solution' proves to me that MS is more concerned about the appearance of security than actual security itself.
Microsoft shows sloppy coding techniques and no understanding of security. Film at 11.
Mart"I know I will be modded down for this": where's the option '-1, Asking for it'?
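As a practical check for the "local subnet only" point made above, here is an added example; it is not from the PC-Welt article, from Microsoft, or from anyone in this thread. It audits the Windows Firewall scope of the File and Printer Sharing rules, flags the exposed case (a rule open to any remote address on a host that has a globally routable interface), and restricts the rules to the local subnet. The cmdlets are the NetSecurity module that ships with Windows 8 / Server 2012 and later; the trailing comment gives the XP SP2 `netsh firewall` equivalent, which is the release the thread is about. The function names (`Test-PrivateIPv4`, `Get-ExposedSharingScope`, `Limit-SharingToLocalSubnet`) are this example's own. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not code from the article or the thread. Audits and restricts the
# Windows Firewall scope of File and Printer Sharing (SMB/NetBIOS: TCP 139/445,
# UDP 137/138). Requires the NetSecurity module (Windows 8 / Server 2012 and later)
# and an elevated prompt. Helper names are this example's own.

function Test-PrivateIPv4 {
    # True for addresses that are not globally routable: RFC 1918, loopback,
    # link-local and 0.0.0.0/8. A share bound only to such addresses cannot be
    # reached from the Internet unless the router forwards ports to it.
    param([Parameter(Mandatory)][string]$Address)
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127) -or
           ($b[0] -eq 169 -and $b[1] -eq 254) -or
           ($b[0] -eq 0)
}

function Get-ExposedSharingScope {
    # One record per enabled inbound File and Printer Sharing rule, with its
    # remote-address scope. Exposed = the rule accepts connections from "Any",
    # which is the configuration the article describes.
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled True -Direction Inbound |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Name          = $_.DisplayName
                Profile       = $_.Profile
                Protocol      = $port.Protocol
                LocalPort     = ($port.LocalPort -join ',')
                RemoteAddress = ($addr.RemoteAddress -join ',')
                Exposed       = ($addr.RemoteAddress -contains 'Any')
            }
        }
}

function Limit-SharingToLocalSubnet {
    # The fix: sharing keeps working on the LAN and is refused from everywhere else.
    # Rules that apply to the Public profile are disabled outright; the rest are
    # scoped to LocalSubnet (the firewall's keyword for the directly attached subnets).
    $rules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound
    $rules | Where-Object { $_.Profile -match 'Public' } | Set-NetFirewallRule -Enabled False
    $rules | Set-NetFirewallRule -RemoteAddress LocalSubnet
}

# A globally routable address on an interface plus a rule scoped to "Any" is the
# worldwide-visible case; behind NAT only the LAN can reach the share regardless.
$publicIfs = Get-NetIPAddress -AddressFamily IPv4 |
             Where-Object { -not (Test-PrivateIPv4 $_.IPAddress) }
$exposed   = Get-ExposedSharingScope | Where-Object Exposed

if ($publicIfs -and $exposed) {
    Write-Warning ('Sharing is open to Any on a globally routable interface: ' +
                   ($publicIfs.IPAddress -join ', '))
    $exposed | Format-Table -AutoSize
    # Limit-SharingToLocalSubnet   # uncomment to apply the fix
} elseif ($exposed) {
    Write-Output 'Sharing rules are open to Any, but every interface is on a private range (NAT/LAN only).'
    $exposed | Format-Table -AutoSize
} else {
    Write-Output 'No File and Printer Sharing rule is open to Any.'
}

# XP SP2 equivalent (the release discussed in the thread), from an elevated cmd prompt:
#   netsh firewall show service
#   netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=ALL
```

The scope check is deliberately split from the address check: a rule open to "Any" is harmless behind NAT, and a public address is harmless if the rule is scoped to the subnet; the article's scenario needs both. Note that `Test-PrivateIPv4` treats only the classic private ranges as safe, so a carrier-grade NAT address (100.64.0.0/10) will be reported as public; that is the conservative direction for an audit.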
That may well be true, but two wrongs don't make a right, at least in the eyes of the law.
It's official. Most of you are morons.
Since Windows file sharing is meant to share files - allow access to them - I don't really see how any document in a world-readable directory could be likened to the stuff in your house. You made the directory world-readable. You placed the document there. How could anyone make any other conclusion than that you meant the document to be readable by anyone. Same for printers - if you don't want people to print random garbage with them, why did you make them world-printable ?
Now, it's possible that your computer is buggy and shared the directory by itself, or that you're an idiot who plays around with his computer's configuration without understanding what he's doing, but how is anyone else supposed to know that?
As for your example, if keeping your front door open is commonly considered an invitation to come inside and take whatever you want, then yes, leaving your front door open is going to mean exactly that.
That, however, doesn't change the fact that you can hardly be blamed for using resources someone else has made available. Open port is an invitation. If the inviter wanted to limit his invitation to a certain group of people, he should have used a password. Otherwise, people have no way of knowing that this invitation didn't include them.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
Imagine having the printer print out that it requires repairing and to ring a number which you have to pay $1 a second (or whatever).
but it is a felony under US law
Thank god I don't live in the land of the free, and home of the brave.
What hack job? This article was about a bug in Windows which might cause a directory or printer to be made shared with the whole world. How is connecting to an open share a "hack" in any meaning of the word?
No. It's the old "she uploaded naughty pictures of herself into a porn website and is now accusing me of looking at them ?!?" defense.
This isn't about a bug that allows anyone to break into anyone else's computer. This is about a bug that makes said computers make some resources available to anyone, using a standard resource-sharing protocol. To continue these analogies, it's like you accidentally spread your belongings on your front lawn, and posted a sign saying "take what you want". Sure, you didn't really mean it, but how is anyone else supposed to know that?
Yes, I think this would indeed be a solid defense in front of a judge.
BTW. It takes a pretty sick mind to liken getting your printer hijacked to being raped.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.