Slashdot Mirror
File and Printer Sharing Insecure in XP SP2
ProKras writes "German magazine PC-Welt has discovered a major security flaw in Windows XP SP2 when installing over SP1. The article says that 'with a certain configuration, your file and printer sharing data are visible worldwide, despite an activated Firewall.' The magazine claims they were 'able to discover private documents on easily accessible computers on the Internet' and that the configuration is fairly common."
The Slashdot summary is a little mis-worded such that it'll cause some unneeded alarm.
If you configure File/Print sharing in the "wrong" way as the article talks about, it'll expose those services to the whole 'net even through the Windows Firewall. If there's firewall security installed anywhere else on the way to the Internet, such as at the edge router where firewalls really belong, Windows XP isn't so dumb as to pierce that level of security. Even a simple NAT is enough to be an effective blocker.
In other words... we're running into "That's not a bug, that's a feature!" terroritory. If you ask Windows to share your files and printers accross an IP-based networks, you should be sure that the network is separated by a real firewall from the rest of the Internet. Fail to do that, and you might as well expect this is going to happen.
I suppose there were a few people out there that were expecting it to be secure...what with MS spending over a year...(maybe longer?) in making SP2 while the world was screaming at it to fix it's security holes.
And THIS is they're response to that. This isn't funny, this isn't a "ha, told you so" kind of thing. This is something that pisses people off. People get fired for this kind of fuck up.
"Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
Oh, so you can see docs and printers of a XP box? What good news sherlock, that's really a feature, not a "security bug". And I still wonder how on eart that "insecurity" didn't happened in my box when I upgraded from SP1 to SP2.
= 10284438 or http://it.slashdot.org/comments.pl?sid=122264&cid= 10283379) and docens of other news by MrTaco, etc.
But since a well know and famous page like pcwelt.de (or something like that) says it, we must put it in the slashdot's front page without even checking if it's true!!
Just like the "XP SP2 Can Slow Down Business Apps" (read http://it.slashdot.org/comments.pl?sid=122264&cid
It doesn't seems matter all this can be pure FUD It's Windows!!!!1
I can't tell slashdot editors what they have to put in their own page, but I'm not visiting slashdot anymore if this FUD continues. Sure windows sucks - what about putting news about how much it sucks instead of all this senseless FUD?
With a certain configuration, ssh is accessable from outside, even with a firewall. if the configuration includes passwordless root, well then, a slashdot summary "ssh allows remote root access despite firewall" would be a tad overzealous, right? Unless the certain configuration is ever the default, this is just users not understanding what they are doing and missetting things. Not a MS problem, it's giving users a choice. It's just a very bad choice to make, but no different than, say, root telnet over wireless internet or something.
SAILING MISHAP
Most of these security issues are solved by simply having an inexpensive netgear or linksys router and up to date virus software. They are cheap and easy enough to use that they should be considered standard equipment on any home PC connecting to the internet.
"Nobody knows the age of the human race, but everybody agrees that it is old enough to know better." - Unknown
Slashdot might be eager to publish bad news related to SP2, but calling PC-Welt a dubious source sounds ridiculous to me (can you tell me about a US computer mag, which actually features news?).
I don't think you ever heard of PC-Welt prior to this thread. You could as well state that nothing happened in Beslan, because you saw it on BBC (aka foreign media).
I don't want to say that PC-Welt is a great mag - I bought my last issue about 5 years ago and I no regrets not reading it anymore. But if
I don't read replies by ACs.
I, for one, welcome Slashdot's reporting of any security holes whether in Linux or MSWindows products. I can then research more and know what to be aware of before they get exploited.
Or are you some kind of h4x0r who wants people to remain ignorant of shared filesystems?
I spent an afternoon printing warnings on people's printers
As well intentioned as you were, you shouldn't do such things. It's likely against your ISP's usage policy, generally considered unethical, and potentially against the law depending on where you live.
I spent an afternoon printing warnings on people's printers
As well intentioned as you were, you shouldn't do such things. It's likely against your ISP's usage policy, generally considered unethical, and potentially against the law depending on where you live.
While I can understand why such behavior might piss off an ISP, I don't see why it would generally be considered unethical. It's not like he was installing software remotely on someone's computer, which seems very different to me.
Would it be unethical if he knocked on their door and told them in person of their vulnerabilities? How about if he slipped a flyer under their door while they weren't home? That seems to me to be the ethical equivilence of using their computer to print a warning.
Download my free songs!
Being forced to take your computer to have all the spyware etc. removed costs a lot more.
So does bandwidth consumed by infected zombie computers relaying spam.
It may not be unethical, but it is a felony under US law.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
These computing resources were being placed in the public domain.
So if I go out for the day and accidently leave my front door open, have I placed all my possessions in the public domain?
I've said it before, and it looks like I'm going to have to keep on saying it - just because you *can* do something doesn't mean that you *should* or that you're *allowed* to.
It's official. Most of you are morons.
Since Windows file sharing is meant to share files - allow access to them - I don't really see how any document in a world-readable directory could be likened to the stuff in your house. You made the directory world-readable. You placed the document there. How could anyone make any other conclusion than that you meant the document to be readable by anyone. Same for printers - if you don't want people to print random garbage with them, why did you make them world-printable ?
Now, it's possible that your computer is buggy and shared the directory by itself, or that you're an idiot who plays around with his computers configuration without understanding what's he doing, but how is anyone else supposed to know that ?
As for your example, if keeping your front door open is commonly considered an invitation to come inside and take whatever you want, then yes, leaving your front door open is going to mean exactly that.
That, however, doesn't change the fact that you can hardly be blamed for using resources someone else has made available. Open port is an invitation. If the inviter wanted to limit his invitation to a certain group of people, he should have used a password. Otherwise, people have no way of knowing that this invitation didn't include them.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.