Slashdot Mirror


Windows XP Firewall Bug Flies Under the Radar

echocharlie writes "Last Friday, the Computer World reported a quiet update to Windows XP that fixed a bug in the Windows Firewall included in SP2. Gary Schare, Director of Windows Product Management, said it was 'an unfortunate oversight.' The update wasn't mentioned in Microsoft's Security Bulletin even though it's listed as critical because it's a configuration change, not a software fix. The bug may cause shared files and printers to be accessible by others on the Internet. Unfortunate, indeed. Patch those boxes."

30 comments

  1. is that why by museumpeace · · Score: 1

    My XP box shut down in the middle of the night last weekend, tossing some unsaved Mozilla Composer pages away in the process....I HATE Microsoft's high handedness.

    --
    SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
    1. Re:is that why by WhatAmIDoingHere · · Score: 1

      ... Your "box" shutting down.. and you blame Microsoft before anything else? Do you have a UPS? Is your hardware stable? Stable drivers?

      Why didn't you save your work?

      Why would you even be using XPSP2?

      --
      Not a Twitter sockpuppet... but I wish I was.
    2. Re:is that why by museumpeace · · Score: 2, Funny

      I put off the SP2 upgrade for months because I heard of all the trouble that came with the fixes. I had my XP box set to tell me of patches but not install them. Then, in a fit of carelessness, I just clicked on the darned "Apply updates" dialog. I am used to being asked which of the patches I want but this time it just shot the whole wad into my poor machine. I got WMP10, I got DRMcrap.dll's up the wazoo, I got icons all over my desktop. Nero, which had been burning stuff for me flawlessly, stopped working with "no access permission for D: drive" or some such message. It took some fooling around to get Nero back and to keep WMP from running all my different media file types....arggghh!
      And to top it all off, thinking they couldn't screw it up any worse than it was, I let XP run auto-updatable. Well, now I know that I endured SP2 just to get a buggy firewall config and that I can expect unannounced patches to blow away my session whenever I turn my back.
      I swear I don't need this. I run Open Office and Cygwin on the damned machine anyway. If somebody could show me a URL and a few lines of commands to FTP down a decent BSD or Linux distro meant for the windows-competent but Linux-challenged, I'd flush the XP crap all the way back to Redmond.

      --
      SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
    3. Re:is that why by museumpeace · · Score: 1

      It's my best and most reliable system and it stays up for weeks on end. Heretofore, I only lost stuff if we lost power [right, no UPS]. If I know we are in for bad weather, I save. If I have been doing a lot of typing, I save. I lost more confidence than content this time around. As for why use XP/SP2... indeed! Why? See my reply to my own post [I cut the original short, seeing as it was a first post, and then continued it in the reply.]

      "tipping point" : e.g. the moment when the sheep notices that he is a ram and that outweighing the dog is more productive than outrunning it.

      --
      SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
    4. Re:is that why by EnronHaliburton2004 · · Score: 1

      I HATE Microsoft's high handedness.

      Please, quit it with the Microsoft bashing. If you don't like the default, then change it. It's a no brainer. Microsoft has made this as easy as possible.

      Go to Control Panel: Automatic Updates, and check "Download updates for me, but let me choose when to install them".

    5. Re:is that why by WhatAmIDoingHere · · Score: 2, Insightful

      So you can't keep an XP box running, good job.

      You want Linux? Try fedora.redhat.com

      Don't want Fedora, try googling for something.

      And about cutting it short to get first post.. WTF for?

      This isn't K5, grow up.

      --
      Not a Twitter sockpuppet... but I wish I was.
    6. Re:is that why by museumpeace · · Score: 1

      ...Microsoft has made this as easy as possible.
      Maybe even easier! I knew better than to take the SP2 in the first place but got annoyed at the constant nagging. I didn't used to take auto-updates by choice and by deliberately configuring the update service. But after the SP2 install, I either slept through the config dialog for update service or it defaulted to full-auto without asking my preference....all water over the dam now. I have since set config back to just warn me it has new stuff. I will stand by my complaint of high handedness though: I would rather make my own mistakes than have so many of them automated for me.
      Maybe I should run Linux for a while just for the sake of equal opportunity kvetching ;?)

      --
      SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
    7. Re:is that why by museumpeace · · Score: 1

      Probably could handle Fedora, thanks for the recommendation. What about Knoppix or, assuming I might want training wheels, Mepis?

      --
      SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
    8. Re:is that why by secret_squirrel_99 · · Score: 1

      My XP box shut down in the middle of the night last weekend, tossing some unsaved Mozilla Composer pages away in the process....I HATE Microsoft's high handedness

      Just shut off the automatic updates installations. Let it download and prompt for an install.

      --
      If privacy had a tombstone it would read "We did it for your own good" . -- John Twelve Hawks
    9. Re:is that why by Mortlath · · Score: 1
      I think one of the reasons that Microsoft turned auto-update to full-auto by default is that most Windows users are "newbies" and won't install the updates without the extra help.

      We can all hope that this will help patch a lot of Windows boxes and stop them from becoming zombies.

    10. Re:is that why by EnronHaliburton2004 · · Score: 1

      I either slept through the config dialog for update service or it defaulted to full-auto without asking my preference

      You have probably slept through the config. It does ask you this question.

    11. Re:is that why by IO+ERROR · · Score: 1

      If automatic updates is on, XP will reboot spontaneously once it's finished installing your updates. It does put a pop-up window on the screen with a countdown timer, and if you don't hit the button, blammo. The solution is to have it download, but not install, the updates. You can then install (and reboot) when it's convenient for you.

      --
      How am I supposed to fit a pithy, relevant quote into 120 characters?
    12. Re:is that why by dan_bethe · · Score: 1

      Hi. The Windows oriented ones are Xandros and Linspire. You can google for a free Linspire download coupon (web site will still say it costs money but I'm hearing that apparently it doesn't). You can also try the CD based Knoppix, downloadable from linuxiso.org. Knoppix can boot only from the CD so you can nondestructively test it and then install it later if you like it.

  2. Longer Boot Time by APE992 · · Score: 1

    I applied 3 updates maybe a week ago? Can't remember for sure. But now instead of the blue blocks cycling through 1/3rd of the box once, it cycles through 1.5 x. Nothing major, but angering that patches should make my boot time longer for no good reason.

  3. I didn't RTFA so... by squiggleslash · · Score: 1, Insightful
    The bug may cause shared files and printers to be accessible by others on the Internet.
    I'm kind of confused by this. Do they mean "The bug may cause files and printers that weren't shared to be shared, and thus accessible by others", "The bug may cause files and printers that were only accessible by network users with certain rights to actually be accessible by anyone", or do they mean "The bug may cause shared files and printers to be accessible by others on the Internet."?

    If it's merely the latter, then how is that a bug? I mean, that's like saying "The bug may allow computers with "on" buttons to be powered up."

    --
    You are not alone. This is not normal. None of this is normal.
    1. Re:I didn't RTFA so... by Return_of_the_Pyro · · Score: 1

      If it's merely the latter, then how is that a bug? I mean, that's like saying "The bug may allow computers with "on" buttons to be powered up."

      So you have no problem with me pressing print a million times with full page KKK propaganda, wasting your ink and paper, while you sleep?

    2. Re:I didn't RTFA so... by squiggleslash · · Score: 1
      That doesn't really answer my question, does it now.

      I don't particularly want my email box to be killed up with KKK propaganda too but I wouldn't class "receiving email" as a security flaw.

      Is it really the case that if I make my printer or some files shared, this patch undoes that configuration choice, or has the submitter left something out?

      --
      You are not alone. This is not normal. None of this is normal.
    3. Re:I didn't RTFA so... by milkman_matt · · Score: 1

      So you have no problem with me pressing print a million times with full page KKK propaganda, wasting your ink and paper, while you sleep?

      Absolutely, but I think what he's saying is that there's nothing wrong with your shared system showing up someplace to BE shared... After all, that's what sharing is for. People just need to make sure their stuff is secured first.

      On a sidenote though, it would make for a good possibility for Apr1 jokes. ;)

    4. Re:I didn't RTFA so... by DiscoOnTheSide · · Score: 1

      Let's say you're running a network in your home and you're using a Windows box as the firewall for a home network. (Not the best setup, I know, but hey, I know some people who do it. Home users where the "IT guy" is Dad with a Computers for Dummies book.) You're sharing a printer and files from this firewall box so that everyone in the house can get to them... NOW. Any firewall would keep such a service local, so that no one on the internet side of things can even SEE it, or ANYTHING for that matter... but people can just connect to these shared resources... this is where the MS firewall fails.

      --
      Viva La Revolucion! Buy a Mac!
    5. Re:I didn't RTFA so... by squiggleslash · · Score: 1
      Ah, ok, this starts to make a little more sense now. So this is the firewall failing when the user has said "I want these resources to be accessible, but not if someone's accessing my machine via my firewall".

      Ok. I'm fine with that.

      --
      You are not alone. This is not normal. None of this is normal.
    6. Re:I didn't RTFA so... by lachlan76 · · Score: 1

      Which in itself brings up another question:

      Why is file and printer sharing bound on that network adaptor?

    7. Re:I didn't RTFA so... by DiscoOnTheSide · · Score: 1

      I've found that Windows' file and print sharing can sometimes overstep its bounds as just being bound to an adaptor, mostly with XP Home. Pro doesn't seem to have this problem, nor does 2000 or 2003.

      --
      Viva La Revolucion! Buy a Mac!
  4. security through obscurity? by v1x · · Score: 1

    Assuming of course that not a whole lot of people knew about this vulnerability, this may have been one of those exceptions where security through obscurity may have actually worked out for the better.

  5. short summary by TheGratefulNet · · Score: 4, Insightful

    use an external firewall, one you can trust, one that ONLY does routing/firewalling.

    sp2's fw is nice to have. but not SUFFICIENT to have.

    that about sums it up.

    --
    "It is now safe to switch off your computer."
    1. Re:short summary by Anonymous Coward · · Score: 0

      I'm sorry. It flat out is useless for anyone except those on a dialup modem. It's a pile of doodoo taking up valuable processor and memory in the box. If you really want to cover your hind end, turn the thing off, and put on a decent after-market non-Microsoft firewall such as ZoneAlarm or Sygate (recommended). Been using Sygate for some time, and the thing is well covered.

      Also, Stop using Internet Exploder in the first place and reduce your chances of hacks by over 98%! :-)

  6. Most should disable M$ Firewall by JPyObjC+Dude · · Score: 1

    I had to disable my M$ firewall after installing XPsp2 because of daily crashes. Since disabling, I no longer get crashes.

    Use another professional FW product.

    JsD
    [dreaming of not working through windoze on my corporate heat generator]

    1. Re:Most should disable M$ Firewall by JohnGalt00 · · Score: 1

      Use another professional FW product.

      Should read: Use a professional FW product.

    2. Re:Most should disable M$ Firewall by TFGeditor · · Score: 1

      Who in their right Vulcan mind would trust a MS firewall anyway. I have to run XP for interoffice compatibility, but use ZoneAlarm Pro firewall with the MS waterfall disabled.

      --
      Ignorance is curable, stupid is forever.
    3. Re:Most should disable M$ Firewall by corsair2112 · · Score: 0

      Ya, everyone should disable the firewall because you had a problem. Great logic you fucking retard. OH NOES THE COMPUTAR BOX IS BROKEN GUYZ, BLAME IT ON M$--see what i did there! a dollar sign because microsoft is greedy HAHAHA LOLL!!LO!11!1

      OmGWtF
      [dreaming of not reading posts by down syndrome, autistic fucking slashdot nerds like JsD]

    4. Re:Most should disable M$ Firewall by JPyObjC+Dude · · Score: 1

      Dooooh!

      You are so right.

      I feel so ashamed .... :p