New Batch of XP SP2 Holes

terap writes "Microsoft has acknowledged that it is working on a patch for a potentially serious security hole in the 'Remote Desktop' feature. It affects fully patched versions of Windows XP Service Pack 2, even with the integration firewall turned on. There is a possibility this could lead to code execution attacks."

Hardware Firewall

[ForumTroll]

Seriously people they're cheap as hell and much superior to anything you're going to get from Microsoft on a software level. Just close all ports on the hardware firewall, except the few that you need, and try to keep your computer updated. It's really a very simple process and can save you tons of time in the end.

Re:Hardware Firewall

[macaulay805]

I have been battling with this exact problem for ages with one of my friends. Instead of reformatting/virus cleaning/spyware cleaning he'd rather just buy a whole new computer. He is currently on his 4th computer, but refuses to buy a $10 hardware firewall. These are not the cheap computers we buy and put together either, its the overpriced HP computers. The other reason why I do not want to touch his computer is this: One of my other friends brought over a NAV 9.0 CD and installed it, it detect a virus (unknown to me which one it is at this time), then this friend is no longer allowed at the house because it was the NAV 9.0 CD that was infected, not his unpatched (to this day) Windows XP (non SP anything) non firewalled porn cahce ridden spyware infested computer which contracted the disease before. Funny stuff. This guy, which basically BOUGHT an MCP, believes he is "THE SHIT" of computer techs can't even enable the damn Windows Firewall. Funny stuff, I come around every so often to hear the lunacy of his techness, the proably make a Bash quote or two out of 'em!

Re:Hardware Firewall

[Lennie]

There is no such thing, an affordable software firewall, there all software.

Just is they sometimes come in a box, any NAT firewall will help you a very great deal.

Get some NAT and 99% of the problem goes away and some new problems arise ofcourse (games, voip, whatever, some VPN's, all get more complicated). ;-)

Re:Hardware Firewall

[awkScooby]

A hardware firewall is good advice for a home user, but isn't as good a solution for a big company or university where Remote Desktop is used as a support tool. Sure, there will be corporate firewalls which protect desktops from the Internet, and maybe even from some other internal networks, but all it takes is one worm on someone's laptop to bypass the corporate firewall(s).

I'm curious as to whether 3rd party software firewalls for windows are impacted by this or not. If not, then this hole (and others which are likely to follow) would provide a good justification for purchasing and deploying a 3rd party solution.

Re:Hardware Firewall

[Lispy]

Nice friends you have. Sounds like a complete asshole to me.

Re:Hardware Firewall

[ForumTroll]

Yes, I meant for home users mostly. If a corporation is relying solely on a hardware firewall to provide security they have some serious issues that need to be addressed. With that being said remote desktop and most of these applications can still be used with a hardware firewall without many problems, it just needs the appropriate port forwarding and configuration.

Also, a hardware firewall is a very good "part of" the solution in a corporate environment. In a corporate situation there just needs to be more than a hardware firewall as having only one level of security can cause major problems for a large number of people. I can't remember the last time I walked into a large business that's security model didn't include a hardware firewall of some kind.

Re:Hardware Firewall

[HairyCanary]

It's worth remembering that just having a firewall does not protect you from everything. All it does is basic protection. If you allow RDP from any source through your firewall, then you are still vulnerable to any RDP exploit. The firewall is not protecting the traffic, only the TCP connection. If you really want to be protected, use a firewall for NAT only, and do not map any ports back to your inside box. Or unplug your box from the 'net altogether.

Re:Hardware Firewall

[nfsilkey]

Screenshot of the POC crashing a VMWare host.

I think the PuTTy window and the Windows desktop icons on the owner's screenshot are too funny. fux0r.phathookups.com? LOL. Hackerfucker? LOL! Tom 't0mmy' Ferris, youre my hero!

Re:Hardware Firewall

[DrSkwid]

Hey Lennie, tell Carl that "they are all" contracts to "they're all", not "there all"

Re:Hardware Firewall

[X0563511]

Sounds like you need to break in and teach his ass a lesson.

Start with changing his wallpaper to a large font message saying "YOUR A DUMBASS! YOU CALL THIS SECURITY? SCREW YOU !"

Leave it alone for a few weeks, see if he tries to change his ways. If not, keep the torment going. Hidden VNCs are nice.

Re:Hardware Firewall

[puppet10]

Sounds like a good supplier of cheap hardware if he just buys to cure a virus/spyware/trojan infestation - reformat hard drive and start over from scratch properly.

Re:Hardware Firewall

[isecore]

Yeah, but you forget that all the "cheap hardware firewalls" are nothing more than some NAT thrown in a cheap box. They have crap throughput and only the basic features. In most cases, they're not worth the plastic they're built with.

Admittedly they do help for the basic security for Joe Asshole, but they don't help if the user is a complete nitwit, and they also do introduce the analrape that NAT is for most users.

Sure, you can make little Timmys machine a bit more "secure", but also you have to teach him about portforwarding and all that crap as well, and explain to him why all of a sudden a lot of stuff (such as filetransfers over MSN/ICQ) don't work the way they should.

Most often than not the little "routers" are more pain than gain.

Re:Hardware Firewall

[ForumTroll]

"Most often than not the little "routers" are more pain than gain."

I completely disagree however I guess it's a matter of opinion. Nothing is going to offer complete security to a complete nitwit however simple measures like this can and are effective in most situations. You also seem to think that teaching someone about port forwarding and NAT is something that is hard to do. I have explained it to several people and set them up with hardware firewalls and they have all had no problems. Getting MSN/ICQ file transfers etc. to work is all very simple to do and most people just don't bother to take the 10 minutes it takes to learn. Afterwards they'll also be a little better off because they now understand a little bit more about security and how there information is being transmitted. Security will never be achieved with people that have no knowledge of what they're doing, on some level they need to understand the simple concepts.

I would also like to hear what you believe is easier to implement or more effective in this situation. In my opinion, this is currently the cheapest and most effective solution to current problems. Software such as OSs, web servers, IM clients etc. are always going to have exploits, it's best to block access to anything that you don't need.

Re:Hardware Firewall

[wowbagger]

Start with changing his wallpaper to a large font message saying "YOUR A DUMBASS! YOU CALL THIS SECURITY? SCREW YOU !"

And watch as the guy laughs his ass off because you don't even know the difference between "you're" (contraction: you are) and "your" (second person possessive).

Then watch, as the second time you do this, the feds sweep down upon you and "make an example" out of you as a "hacker".

Re:Hardware Firewall

[isecore]

You also seem to think that teaching someone about port forwarding and NAT is something that is hard to do.

I don't "think" it's hard to teach someone about NAT and portforwarding. I KNOW it's almost impossible with most people. I've spent countless hours trying to explain the basics of networking and how a NAT-box works to all walks of life (PH.D's as well as plumbers) and they all nod as if they understand it, and two days later calls me asking what the hell's going on "with that thingamajig".

So, these days I've given up. Instead I go there and fix the issue and send them a bill for my time. Borth parties are happy with that.

Re:Hardware Firewall

[TummyX]

And ofcourse, in this case, it would solve nothing since it's not the firewall that is the problem but a flaw in remote desktop.

The solution is for people to not open up these services to the internet and to use a VPN solution like OpenVPN which is *free* and *opensource*.

Re:Hardware Firewall

[Tim+C]

It's nothing to do with the firewall, the exploit is in rdesktop. The firewall allows incoming rdesktop connections by default (iirc), hence the "even with the firewall on" comment.

Re:Hardware Firewall

There is no such thing, an affordable software firewall, there all software.

Can you please rewrite that in proper English so it makes sense?

Re:Hardware Firewall

[Nik13]

I don't like forwarding/opening too many ports, it leads to too many potential vulnerabilities even if you're all patched up.

I only forward the required for public use (http/ftp), then everything else (lots of it) is only accessed over a VPN connection.

It's not as secure as being unplugged, but it's better than being wide open. It's a reasonably secure setup imho.

Re:Hardware Firewall

[Hurricane78]

I still recommend Gentoo stage 1 hardened with SELinux, PaX and GRSecurity. And it takes only 2 weeks of hard work and a psychologist (for you, in case "emerge system" broke for the 3rd time after 36 hours non-stop-compiling) to install it. ;) But the good thing: You can reuse you old computer for something useful instead of trashing the parts...

Re:Hardware Firewall

[freeweed]

Heh.

Back in the day, I was prone to scanning various cable ISP subnets looking for open Windows shares. The funniest thing I ever saw was this guy's wallpaper:

Imagine 2 stick figures engaged in doggy style, with one guy labelled "bad people" and the other "you". The caption was "You're fucked! You shouldn't be sharing your C drive with the whole world. Get a clue."

I never kept the bmp, but I still have a printout taped up on my wall as a reminder.

Re:Hardware Firewall

[Senzei]

but all it takes is one worm on someone's laptop to bypass the corporate firewall(s).

Actually it shouldn't. If rdesktop is being used as a support tool then the only possible connections should be from an administrator's computer to a normal user's, user to user connections should not be possible. Then you only get fried when an administrator's system gets hit by a worm, which is at least slightly less likely.

Re:Hardware Firewall

[sumdumass]

I thought it was the in thing to do when hacking.. err not spelling corectly when cracking. maybe i'm just used to the chineese hackers?

Re:Hardware Firewall

[evilviper]

If you really want to be protected, use a firewall for NAT only, and do not map any ports back to your inside box.

What do you mean about "NAT only"?

NAT provides NO protection at all, just a slight bit of obscurity that anyone with basic networking know-how can get around.

Whether you use NAT or have globally unique IP addresses for each of your boxes, there is no difference in the level of security at all.

In either case, use only a stateful firewall, and don't allow any incomming connections unless they are part of a connection initated from the local network.

Re:Hardware Firewall

[msim]

scan it in & give us the url damnit, uhm, please? :-)

Re:Hardware Firewall

[jonadab]

> all it takes is one worm on someone's laptop to bypass the corporate firewall

That's why you don't just firewall the borders; you firewall each small LAN segment (e.g., each suite of rooms) from the rest of the world, allowing through to other subnets only what is needed. This doesn't prevent any individual computer from being compromised, but it reduces the impact so that the whole network doesn't go down (assuming that the compromised system isn't a core mission-critical server or firewall; those hopefully are not running on Microsoft systems or at least are much better protected than the desktops, and, above all else, they're not sitting on the desks of ordinary users with no security sense or training, but rather locked up in the back of the IT department; ideally you can't get to them (physically) without ducking under cables and squeezing through a narrow space between a workbench and a cluttered table, or some similar management-deterring arrangement.

Re:Hardware Firewall

[jonadab]

> I'm curious as to whether 3rd party software firewalls for windows are
> impacted by this or not.

If the firewall is configured to allow Remote Desktop Connection traffic through, e.g., because it is used to administer headless servers, a very common practice for outfits that have Microsoft servers, then which firewall you use is not the real issue.

> If not, then this hole (and others which are likely to follow) would provide
> a good justification for purchasing and deploying a 3rd party solution.

Along similar lines, if you have a different remote administration facility, such as PC Anywhere or VNC, you could use that in the interim and configure your firewalls (hardware, software, all of them) to discard RDC traffic until you get the patch deployed. (And if next month there's a VNC vulnerability, you could do the reverse, discard VNC traffic and use Remote Desktop instead, until you get VNC patched. Seems to me like it's worth having more than one solution for remote administration, for precisely this reason.)

Firewall too?

[peawee03]

Isn't a firewall supposed to block incoming connections unless specifically allowed? So how can this flaw with RD still affect it with the firewall turned on? TFA doesn't make much of a mention of this.

Re:Firewall too?

[minus_273]

windows firewall opens a port for rdesktop by default

Re:Firewall too?

[Henry+V+.009]

Maybe you could explain how remote desktop could listen for incoming connections without an open port.

Re:Firewall too?

[kayen_telva]

no, it does not
well, kind of

it opens a port for remote desktop IF you enable remote desktop.

so, the question is, does this exploit affect xp sp2 if rdp has never been enabled ?

Re:Firewall too?

[Henry+V+.009]

The question was rhetorical. There is no open port for Remote Desktop in Windows Firewall until Remote Desktop has been enabled. After enabling, the open port is necessary for Remote Desktop to work.

Here, try firewalling port 22 on your Linux box with iptables and then see what happens when you attempt to ssh in.

Re:Firewall too?

[Cruithne]

When you turn RD on in windows, it automagically opens the required port (3389) with windows firewall for you.

Re:Firewall too?

[DA-MAN]

it opens a port for remote desktop IF you enable remote desktop.

so, the question is, does this exploit affect xp sp2 if rdp has never been enabled ?

I guess that all depends on whether there is a vulnerability on "Remote Assistance" as well. Since "Remote Assistance" is enabled and unblocked in the firewall by default.

Re:Firewall too?

Why do you expect a firewall to protect a system that runs that firewall?

Several years ago a friend of mine asked me to reinstall a badly infected WinXP machine, the times of MS Blast storms. I was curious about how well the WinXP built-in firewall can protect the machine for users without hardware firewalls, so I reformatted/reinstalled it offline, turned the firewall On, verified that it does drop packets and doesn't allow telnetting to any port (by turning it Off, telnetting, turning it On, telnetting again). Everything was as tight as it could be on that machine. Then I plugged it in directly, without hardware firewalls, and tried to download updates. In several mins it was blasted out by MS Blast, right through that useless MS firewall (yes, it was still enabled).

The point is - you can't protect an OS from exploits by a firewall that is being run by that very OS. They are only good to keep installed software from "calling home". If you need to protect your machine from external attacks, the firewall should be between that machine and Internet, and should not allow "bad" packets to reach the machine, at all. Means - a hardware firewall.

P.S. I reinstalled it again and successfully updated from behind a perimeter router.

Re:Firewall too?

[Henry+V+.009]

I don't recall a remote exploit for XP that worked through the firewall. MS Blast propagated by the buffer overrun in the RPC interface. Blocking TCP/135 and UDP/135 should have stopped the problem.

Re:Firewall too?

[Henry+V+.009]

Then you obviously discovered a new version of MS Blast exploiting a vulnerability that no one has ever heard of. You reported it, right?

You made sure that there weren't other MS Blast infected computers on the network, right? Those it might not block. Off the internet, ICF does block MS Blast.

Re:Firewall too?

[evilviper]

it opens a port for remote desktop IF you enable remote desktop.

*slaps forehead*

It doesn't matter if it opens a port for RDP or not if RDP is disabled anyhow. All that matters is if it opens up a port when RDP is running.

Of course, this is a stupid discussion anyhow. If the firewall blocked RDP, you couldn't make use of it, so what's the point?

Re:Firewall too?

[jonadab]

> Isn't a firewall supposed to block incoming connections unless
> specifically allowed?

That is the way you set up your firewall if you are following security best practices, yes. But not all firewalls are configured that way (some are configured so that they only block known types of problem traffic), and software firewalls in any case can still be vulnerable even if they are theoretically set up correctly, if there is a flaw in the OS (although that doesn not appear to be the issue in this case).

As far as the specific instance in this story, the hole is in Remote Desktop, something many firewalls are likely to be configured to let through, because it's frequently used to administer things that are behind firewalls. The closest equivalent for non-Microsoft systems is VNC, but it's a bigger deal than that, because Windows doesn't include an equivalent for ssh, so Remote Desktop typically gets used for that too. Our firewall at work forwards in Remote Desktop traffic to one particularly mission-critical system, but fortunately it's set up so that it only lets the traffic in from one specific source IP address, so I am not panicked over this, although I will nonetheless be installing the patch when I get half a chance. Things like this *need* to be plastered all over the major tech news services like slashdot, so that people in this sort of situation are aware of the issue. Some network administrators might even be in a situation where the best thing to do is to temporarily change the firewall ruleset to discard the type of traffic in question, until they can get the patch deployed.

Re:Firewall too?

[kayen_telva]

its not a stupid discussion. there is concern that an out of the box sp2 installed is vulnerable. do you know the answer ?

Honestly

[ZakuSage]

Why would anyone turn Remote Desktop on unless they know specifically that they're going to use it? The very name of it makes it sound like it's a problem waiting to happen. Even though I use Linux, I made a note of making sure any Remote Desktop feature was disabled.

Re:Honestly

[Deffexor]

Remote Desktop is definitely a security risk. It seems to me that if you plan on accessing your home machine remotely, it would be wise to put it behind your router/NAT/firewall and never port forward to it. Then setup a VPN connection to your home network and connect that way. Naturally, the trouble is that if you are not tech savvy, setting up VPN is not something that is trivial. (Well, maybe if you have a Linksys WRT54G and patch it with one of those 3rd party firmwares, it might not be so bad...)

Re:Honestly

[jonadab]

> Even though I use Linux, I made a note of making sure any Remote
> Desktop feature was disabled.

Yes, that's good practice. You wouldn't have been impacted by this specific vulnerability, since the "Remote Desktop" feature in most Linux distros is based on VNC, not RDC, so it would not be subject to the same exploits. But there could be a VNC vulnerability next month. So, obviously, it's better to have this sort of thing (indeed, any network service) turned off if you don't use it. That's been the recommended best practice for years.

Did you also disable ssh? If not, you will want to make sure all the user accounts on your system have decent (non-dictionary-word) passwords. There was a story about that this weekend too, about people trying to brute-force passwords for ssh login. ssh isn't graphical like remote desktop, but that doesn't make it any less powerful, and power, if used by the wrong people, is always dangerous. I keep ssh turned on, because I use it (heavily), but I'm aware of the security implications and avoid weak passwords on systems that are exposed to the internet.

> Why would anyone turn Remote Desktop on unless they know specifically
> that they're going to use it?

You hit the usual reason right on the head. People turn on Remote Desktop, and configure their firewalls to let it through, because they know specifically that they're going to use it. Same reason I keep ssh turned on. This is why vulnerabilities in these services are important tech news items, because we need to be aware of the risk so we can make an informed decision about whether to keep the service enabled or shut it off until we get the patch. In one instance a while back I moved ssh to non-standard ports on a couple of systems, until I got them patched. Sysadmins only know to do that sort of thing if they know about the vulnerabilities.

Re:Honestly

[ZakuSage]

I do use SSH fairly often, so no I don't have it disabled. I tend to use memorable passwords, but I usually tend to put it through a google test; if it doesn't show up with any results on google I'd say it's pretty safe, and I use it. Thanks for the advice, though.

Same old cat but just in boots

[soman]

Who thought really that there was a miracle at Microsoft? Look at all the holes Win Xp, SP1, had, who isnt suprised seeing that MS didnt have major holes in SP2. I doubt they went to the root of the problems with security in regards with their products at MS.

Re:Same old cat but just in boots

[ninja_assault_kitten]

And what exactly is the root of their security problems? Is it any different than those facing Linux? Enough about that...

Without looking up a definition, do you even know what a buffer overflow is or how it's used? Does the term EIP mean anything to you?

You have nothing to contribute other than some stupid comment on of your friends made on IRC. Guess what, he doesn't know what he's talking about either.

Re:Same old cat but just in boots

[soman]

I am not saying that it is only Microsoft that has problems but if you have Windows XP with out patches, you will be infected within 12 minutes (50 percent chance). The same does not apply to to Red Hat 9. Sure you Windows XP is a bigger target. I know very well know what a buffer overflow is, I dont know what EIP stands in short for. But clearly nothing has changed for MS. They might though be looking at changes with Longhorn. Hopefully. But as it remains now, for whatever reason, using *Nix, or and Mac OSX, I am more secure. And I never even mentioned Linux in my post you replied to? I guess that no one is perfect makes it ok to have so many holes?

Re:Same old cat but just in boots

[ninja_assault_kitten]

First, I'd like to know where you got the '50 percent chance' figure from.

Secondly, what's the ratio of Redhat 9 to Windows XP hosts on the Internet? Now, lets say it's 100:1 (even though it's a much wider figure), but 100:1 will do fine for the purpose of this arguement.

Now, lets say you have worms which attempt propagate at the same speed but exploit to unique vulnerabilities in both operating systems (Redhat 9 and Windows XP).

Based on the ratio of XP to RH9 hosts, each infected host would be 100x more likely to find and compromise a Windows XP host than Redhat 9. Now since this is a worm we're talking about, that would mean you'd have 100x more machines attempting to propagate, resulting in 100x attack attempts.

This doesn't mean that one operating system is more secure than the other, it just means that due to market saturation and the availability of unpatched hosts, Windows infections will be much more common in the wild and therefore have a much smaller window of compromise.

Re:Same old cat but just in boots

[Deviate_X]

Actually its a moderately critical flaw. You are at risk only if you have enabled Remote Desktop, and are not using NAT.

Remote Desktop is disabled by default in every version of XP. Including SP2.

To be clear. The bug is in Remote Desktop not the Firewall. A denial of service. The Firewall has an exceptions for Services like RDP, FTP, WWW, POP3 nearly all Firewalls have this except the most basic.

Given that slashdot has been reduced to trolling about moderate flaws in windows, i would say SP2 is a great success :)

Re:Same old cat but just in boots

[soman]

http://www.zdnet.com.au/news/security/0,2000061744 ,39200021,00.htm And one can talk about why such insecurity exists, but this is how the reality is currently. How linux will be like when it has a bigger market share, who knows. It doesnt matter what is today.

Re:Same old cat but just in boots

[oldwolf13]

I'm not trying to take sides here, but I have noticed on my ADSL connections (and cable when I'm somewhere else) that windows xp gets infected BEFORE I can even double click on the patches that I keep on a cd or hdd (for the RPC exploits anyways). It was taking me under 2 minutes to get infected on the machines I tried at various locations.

Only way I get around this is to not have the machine on the internet. Sure it's simple for me, but Joe Blow who just bought his spanky new laptop won't know what to do. When I first noticed this I had just bought my laptop, plugged it in and CRASH... there goes the RPC service.

One good, yet annoying thing is that if RPC crashed the system reboots in a minute (only on XP), so it's easy to tell that you've been hit. Bad thing is the minute doesn't give you enough time to patch it.

Why does RPC need internet access anyways? That was a very stupid move for them to do... in pre-SP2 is there any way short of an external firewall to block it? I've never seen one.

I have to admit I've not tried putting an unpatched system online in the last year though, so maybe these particular worms have calmed down.

Re:Same old cat but just in boots

[ninja_assault_kitten]

I think you missed my point. You made it appear as if Microsoft needed to address issues that Linux (Redhat 9 specifically) doesn't have. Which is not the case.

A patch for XP?

[intmainvoid]

That'd be longhorn then.

Re:A patch for XP?

[richie2000]

Patching XP with Longhorn to make it safer would be like trying to put out a fire with gasoline.

Re:A patch for XP?

[ForumTroll]

Longhorn exploits will be easier to understand! Such productivity improvements saves time for coders!

<rss version="2.0">
<title>Blaster Version 19.4</title>
<description>New version of blaster now in XML format!</description>
<author>1337 |_0ngh0rn h@x0r</author>
<run>Delete everything and start downloading 600 GBs of porn</run>
</rss>

Re:I Never Use Remote Desktop

[KiloByte]

Good advice.
I'll go and scrap ssh, vnc and X then.

Other implementations of RDP

[morgan_greywolf]

Does this perhaps affect other implementations of RDP, like the one included with Gnome?

Re:Other implementations of RDP

[Pecisk]

I just wonder how this is modded Interesting? Because of preemptive 'bashing' - 'Hey, open source got the same bug too'? AFAIK GNOME does include RD based on VNC. Microsoft Remote Desktop is totally different game and protocol.

Re:Other implementations of RDP

[PygmySurfer]

The GP was modded interesting because he was referring to RDP implementations on Linux. Like say, for example rdesktop or tsclient, both of which are based on the Microsoft RDP protocol.

Re:Other implementations of RDP

[natrius]

There's no RDP server in GNOME, just a client. I don't even think the client is included in a stock GNOME installation, but some distros add it.

Re:Other implementations of RDP

[diegocgteleline.es]

while people talks about remote-desktop there's a kernel hang there, so it's probably a tcp/ip related flaw, not tied to "remote desktop" particularly (my 2 )

Re:Other implementations of RDP

[cnettel]

Well, Remote Desktop creates new instances of the Win32 subsystem and the kernel objects (like file system and registry mount points, named pipes, the list goes on). Also, I guess that the actual translation of keyboard and mouse events from the TCP/IP stream to input to Win32K is done through a kernel module.

Not to forget the authentication. There's some stuff in creating/destroying sessions that affects the kernel, to some degree. So, no, I wouldn't expect the TCP/IP stack itself. Maybe keyboard/mouse input, as that's allowed to access a GUI login box, before being authenticated. Or even just flood the GINA with input that would be impossible to by just hammering a hardware keyboard. (That would make it a problem that would also affect Windows running in a virtualization environment or another, although if that could ever be considered safe is of course a matter of taste and perspective.)

More and more

[mfloy]

It must seem like a losing cause for all the patchers at Microsoft, every time they fix one hole 3 more pop up.

Re:More and more

[Stevyn]

It's like exponential whack-a-mole. Fun for the whole family!

Re:More and more

[ZeroExistenZ]

You know, in the porn-industry that would be a blessing.

Re:I Never Use Remote Desktop

[ForumTroll]

Honestly some of the stuff they have turned on in the default install is just idiotic. I strongly suggest to anyone after installing windows to configure their services because half of the default services are ones they will never need/use. On Windows XP just go to the run box and type in "services.msc" or "msconfig" to configure all your services. IIRC correctly services can be changed the same way for Windows NT and Windows ME (WORST OS EVER).

Re:I Never Use Remote Desktop

Remote Desktop is actually cool as hell. It is by far the best remote terminal service of any OS I've used.

It is also just about the only legitimate reason to buy (or otherwise own) Windows XP over Windows 2000.

And finally, it is also... guess what... turned off by default.

Move along, nothing to see here...

don't use the standard RDC Port

I use Remote Desktop quite often, it can be very useful and it's more transparent and efficient than PcAnywhere.

What i do is change the port that RDC uses, from the standard 3389 to a unique port. To do this, go to registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Contro l\TerminalServer\WinStations\RDP-Tcp\PortNumber
change the decimal value, and reboot.

Re:don't use the standard RDC Port

[jmking1]

This is security by obscurity. Any script kiddie with a port scanner is going to get around this naive hack.

Re:don't use the standard RDC Port

[hoggoth]

I run RDP to connect to my home computer from "the road", laptop, office, friend's houses, etc.

Changing the port is a good idea, but then how do you connect to it? The RDP client doesn't have a PORT option.
Or does this only work on clients you control (like your laptop) and can fiddle with the registry on?

Re:don't use the standard RDC Port

[lheal]

That's not even a first line of defense. OK, so you get past people scanning your whole /16 for open port 3389. But

nmap -v -sV -O your.box.net

will reveal that port running RDC on your.box.net the same as if it were on the default 3389.

Keep in mind that unusual results draw more attention. You want to be invisible, or at least, to look like as many others as possible.

Re:don't use the standard RDC Port

[rabbit994]

Same way it works when telling a browser to connect to a different port. $ipaddress/$hostname:$port in RDC client on Windows.

Re:don't use the standard RDC Port

[eljasbo]

That is true, but it will also defeat the script kiddies scanning 3389 on millions of ip addresses looking for a specific vulnerability.

Re:don't use the standard RDC Port

[myrdred]

While you are correct that a human hacker would still be able to find out what port RDC is running on, and then proceed exploit it (if there is an exploit), changing the port will still protect from automated worms that would just go for port 3389 and try to do their exploits.

Re:don't use the standard RDC Port

[DavidTC]

Oh, and can you change the port of the linux kernel HTTPD without reboot?

Yes, you can. You remove the module and reinsert it to change it. How do you think you specify the port number in the first place?

And no one uses that thing anyway. It's just a proof of concept, written back when IIS+Windows was faster than Apache+Linux, and the theory was that tying it to the kernel would make it faster. Which it did.

But that wasn't the real problem, the real problem was that Linux had a poor way to have multiple threads wait on one socket, or something like that, and that's been fixed at the kernel level. So khttpd no longer outdistances Apache, although it's still slightly faster.

I still think some extreme web servers use the kernel httpd server for static pages, via some sort of pass-though, because their dynamic httpd server is overloaded. (Or is it khttpd passing though to theid dynamic one? That makes more sense.)

But no one uses it as an 'actual' web server by itself. It has no security, no CGI, and no dynamic content. It's not a real web server.

And 'Remote Desktop' isn't part of the kernel. I can start it and stop it just fine, with it opening and closing a port, but mysteriously when I change the port number, I have to reboot? No, that's just shoddy coding.

Re:don't use the standard RDC Port

[man_of_mr_e]

Actually, I do the same thing. And yes, if someone is deliberately scanning all ports on your computer (which takes a significant amount of time) they will find it.

What it does, however, is prevent another code red or blaster worm style worm from finding me, since such worms aren't going to be scanning all ports and analyzing what each port does. That would be far too slow fo such worms that work primarily by infecting lots of machines very quickly.

In this case, "security by obscurity" works pretty well if you're just a faceless machine in th sea of random IP addresses. If, however, you are a deliberate target than no, it's not so effective.

Basically, it's like locking your house. Anyone that really wants to break in can do so quite easily, but it will stop the people that try all the doors looking for one that's unlocked from getting in.

Re:don't use the standard RDC Port

[KmArT]

Yes, but by changing the port number, you are no longer the lowest hanging fruit. And in some cases, security by obscurity is just enough to put you high enough up the tree that it is enough. For instance, a mass-scanning worm on port 3389 for listening RDP sockets won't find you. That kind of change would never be meant to suffice as full protection, but there is merit to it, just like there's merit in changing the default SQL Server port...

Re:don't use the standard RDC Port

[man_of_mr_e]

In Windows 2003 or XP you can use the :port field after the address to specify port. In Windows 2000 you have to edit the .rdp file with a text editor and add a "port" field.

Re:don't use the standard RDC Port

[tyler_larson]

That's not even a first line of defense.

Actually, it's a wonderful first line of defense. In fact, it's a wonderful procedure to follow for all remote access (if possible) because of two main reasons:

First, you're safe from worms. That's not an insignificant thing. The vast majority of all attacks (especially against Windows boxes) are perpetrated through some automated process--worms or other malware. These programs generally don't waste time doing in-depth scans of computers. If you're configured differently than the rest of the flock, you're not worth the time.

Second, you're safe from casual portscans. My own servers are scanned at least 20 times a day, and often over a hundred. To save time, these scans only hit the "interesting" ports. If you don't look immediately interesting, you'll just be passed by.

That whole bit about keeping the default setup to avoid extra attention is a bunch of BS. There's nothing terribly suspicious about running a service on a non-standard port. Furthermore, it doesn't matter how interesting or uninteresting a host appears. If you're configuration is exploitable, you'll be exploited when discovered. And if you look just like everyone else, well then everyone else will be exploited too.

There is no strength in numbers, and there is no real strength in solitude. But if you can avoid detection, then you've avoided an attack. That's like hiding your valuables to avoid theft: It's not a reliable defense, but it's simple and works often enough to make for a reasonable precaution.

Re:don't use the standard RDC Port

[way2trivial]

yea, and that renders my smartpanel useless,
it's hard coded for 3389.

Re:don't use the standard RDC Port

[DavidTC]

Well, I stand corrected. The fucktards at MS don't even let you disable remote access to your own system. (Yes, yes, fast user switching is good, but there's absolutely no reason to leave a damn port open.) I was thinking of 'remote assistance' that you can disable. So you can apparently disable you sending people invitations, but not them connecting without an invite. Real logical there.

And, FYI, there are almost no 'non-modular' settings in Linux. If it's a system parameter, it's usually set via /proc/sys, and not only are those changable after boot, that is, in fact, the only time you can change them. (Although a startup script usually sets them.)

About the only things can't change after boot are settings on devices you can't stop using. Like you can't set an IDE bus from 33Mhz to 66Mhz if a drive on it is mounted. Or rescan the bus. Although if your root filesystem is on an IDE drive, you probably have IDE support compiled in and thus couldn't change it anyway without reboot.

But I've changed my IDE bus speed when I've booted off a USB stick before. (Any USB drive is pretend SCSI. Even IDE to USB adapters.) Removed the ide module, reinstalled it with idebus0=66 or whatever it was.

And, of course, anything you randomly decide to compile into the kernel that takes command line parameters can't be changed without a reboot, but that's just delibrately being stupid.

Oh, there is one thing you can't change without a reboot. The damn VESA screen mode if you're using a VESA framebuffer. To access the VESA BIOS, the processor has to be in real mode, and Linux will not go into real mode, so it has to set the video mode before it changes out of it, right at the start of the boot process.

Although the VESA framebuffer is the framebuffer of the last resort anyway, as it has no acceleration, and most newer cards don't even have VESA support.

Oh, and there are security patches that let you change various security-related things until you set one specific value, and then completely disable changing stuff without a reboot. (And, sometimes, a specific command line at reboot.) So you can configure things via startup scripts (Instead of having to compile settings in.), but if someone breaks in, they can't change things without a very noticable reboot. But that's delibrate behavior.

Bookies

[soman]

Well bookies are longer allowing bets if there will be a new vulnerability discovered each week but how many.

Re:Oh great, another Microsoft bug story

[ak3ldama]

Seriously, it's funny how any bugs or exploits related to Microsoft products get the front page derogatory treatment on slashdot, and any other vulnerabilities from Linux, Apple, etc don't get the same sensationalistic coverage.
Obligatory: You must be new here.

Heh

[mcc]

The software maker's confirmation follows public disclosure of the vulnerability by a private security researcher who goes by the moniker "badpack3t."

I'm sorry, I can't read past that point in the article. I'm laughing too hard.

An entirely new approach

[AtariAmarok]

It has been years now, and Microsoft's solution to plugging this has never worked. How about an entirely new approach?

Re:This is news-worthy because...?

[lakcaj]

You must be new here.

Re:I Never Use Remote Desktop

[aetherspoon]

You'd be recalling incorrectly. MSC files don't exist in 9x OSes (95/98/ME). MSConfig does, but there aren't really "services" for ME like there are for NT/2000/XP.

Re:Oh great, another Microsoft bug story

[KiloByte]

They do. Any vulnerability in Linux-based distributions and/or Fruits gets a lot more spotlight than Windows ones.
However, the fact that you can see a lot more holes in Microsoft products is not accidental.

Also, don't forget that in Linux world, you will get security fixes for a bug that allows one user to mangle a shared scoreboard for a game on a multi-user box. On Windows, you don't get any bugs announced unless they are of the remote access kind.
According to Microsoft, they don't consider ways to crack a local system to be bugs.

Re:I Never Use Remote Desktop

[happy+monday]

It's a shame that nobody I know who has a computer is even remotely interested in computer security, they barely have any idea of what computer security means. Most people I know prefer to ignore it -- they find it too much of a chore to worry about, and I don't blame them. They prefer to ignore all aspects of computer security and will certainly never bother to turn off such features as remote desktop access, if they are enabled by default, and certainly would not worry about not doing so. Microsoft genuinely is utterly culpable for all the supposed millions of dollars lost to computer viruses. They provide the computer systems which are, by default, vulnerable. They suck.

Mirrored image

[andersbergh]

http://home.anders1.org/xp-sp2-remote.jpg <- mirror

Re:I Never Use Remote Desktop

[ForumTroll]

Yes remote desktop is turned off by default however the point still stands. Honestly look at the list of crap turned on in a default install here. Remote registry, Server, Secondary Login??? Half the services on that list are ones that a normal user will never use or know how to turn off.

Monty Python's Crashing Windows

[PakProtector]

Father: They told me I was daft to build Windows, but I built it anyway! It was full of flaws and suffered horrible exploits.

Father: So I built another Windows! It was full of flaws and suffered horrible exploits.

Father: So I built a third Windows. It was full of flaws and suffered horrible exploits and the Remote Desktop Feature could be hijacked causing it to crash.

Father: So I built a Forth Windows! And it had DRM! And that's what you're going to be inheriting lad! The most bloated, useless feature, locked-out OS in these here lands!

Son: But mothe-

Father: I'm your father!

Son: But father... I don't want any of that.

Father: Well what do you want?!

Son: I want... something... bug free... and... fre-...

Father: Hey! Hey, now! They're be none of that!

Re:Monty Python's Crashing Windows

[richie2000]

Couldn't you have him start off with the Free Software Song while the Father jumps in and stops him? :-D

- One day lad, all this will be yours!
- Wot, the curtains?
- No, the Windows!

Re:Monty Python's Crashing Windows

[mcc]

So I built a Forth Windows!

Windows written in Forth?? Wait, that actually sounds like something I'd pay to see.

Re:Monty Python's Crashing Windows

[Devar]

Oh, I'm a developer and I'm OK,
I sleep all night and I work all day ...

Re:Monty Python's Crashing Windows

[Duhavid]

Only if emulated in Excel's scripting language.

Potentially serious...

[ninja_assault_kitten]

I say medium at best... 1) Few corporate workstations have RDP enabled.
2) Few corporate environments allow anonymous access to RDP (or Teminal Services).
3) RDP isn't enabled on XPSP2 by default to begin with.
4) There's no reason to believe this vul would allow remote code execution at this point.

Re:Potentially serious...

[GIL_Dude]

I agree completely with your rating of medium at best.

However, I'm not so sure about the "Few corporate workstations have RDP enabled."
Part.

Remote Desktop was one of the selling factors of Windows XP over Windows 2000 as it enabled more remote support scenarios so that small sites don't have to have nearly as much on-site support. (There were other factors as well, but I distinctly remember that as one of the "bullet" items we used when working on a business case for deploying Windows XP in late 2001/2002 instead of deploying Windows 2000.) That's 60,000 machines in the "do allow RDP" category (the number we have).

Of course I agree that corps don't allow anonymous access; nobody does - you'd actually have to work pretty hard to enable that. Our default is administrators only (and our users aren't administrators). However, we do allow the primary user of a machine to add their own user ID to "Remote Desktop Users" on their own machine.

Re:Potentially serious...

[Belsical]

The initial investigation has found that neither of these involve remote code execution

And it's only a DOS attack. No one will profit from it. This is really not a big deal and releasing the patch in a couple of weeks should be sufficient.

You're obviously not a security person

[slonkak]

First, the firewall. The Windows firewall is a good thing. No company worth it's salt doesn't have a border firewall, either hardware or a secure *nix machine. That said, the Windows firewall is a good thing to protect against internal attacks. It's configurable by group policy across an Active Directory domain. Thus it's a good third layer of security (the second being ACL's on the routers and switches).

As for Remote Desktop, it can be a good thing. Yes, on client machines it shoudl be disabled (via GP) however being able to use it for tech support purposes is great.

Re:You're obviously not a security person

[GIL_Dude]

On client machines in a domain it should be ON if you want to do any support. It should also be appropriately ACL'ed. By default it is Administrators only, although you can put users or groups into the Remote Desktop Users group. However having it off in a large domain with distributed users (often with no on-site support at smaller sites) would just be silly. You'd get to tell management that you have to get on an airplane and fly to the damn location (really - WE have sites like that) because you thought it was a good idea to turn remote desktop off. OUR users aren't admins so they won't be turning it on for you...

Re:You're obviously not a security person

[slonkak]

Not necessarily... You can change the registry key that turns RDP on on the remote machine and force a service restart...

Re:Oh great, another Microsoft bug story

[Lennie]

That might also have something to do with that there are seperate sections for Linux and Apple, not so for Microsoft.

Re:I Never Use Remote Desktop

[ForumTroll]

Good to know. Couldn't really remember clearly with ME because it's not something I would use ever for myself, friends or family. I only have very limited experience with it from work. Thanks for the info.

Re:Who the fuck...

[Tezkah]

I've had too many problems with firewalls from ZoneAlarm, Kerio, etc, especially with them causing XP to hang on boot, skyrocketing memory use, etc, especially compared to the extremely basic windows firewall (I'm behind a router, I don't need much out of a firewall.)

I work in a call center for a major US ISP. Do you know how often we get people calling in because Norton Internet Security is screwing up? I talked to at least two people personally just yesterday, one couldn't get his email because Norton would cause the connection to the server to close, another lady could open up PORT 80 TO BROWSE THE INTERNET. These people didn't change any settings on NIS, it just caused this on its own. I know that IE isn't secure, but that's a little extreme.

The XP Firewall hasn't bothered me at all, not a memory hog for something as simple as a firewall, and hasn't caused me any problems, which is more than I can say about ZoneAlarm/Kerio.

Tell me, what makes it not a real firewall? It blocks ports.

Re:I Never Use Remote Desktop

[cipher+uk]

WHY ?

They are not supplied with windows turned ON by default. Theres also more trust in ssh, vnc and X whereas you know a microsoft program for remote access to a desktop tied into the OS is going to cause a problem at some point... especially when its on by default.

What is it with windows having so many services turned on by default. *eugh*

Always fun...

[DoddyUK]

Windows® - Now with more holes than a Polo factory.

Re:Always fun...

[ettlz]

I doubt the folks on the production line over at Wolfsburg would agree with that sentiment.

disabled by default?

[diegocgteleline.es]

it's even enabled by default? IIRC you've to enable it in "my pc -> preferences" in order to allow other people to use remote desktop. And...

This may include providing a security update through the monthly release process or issuing a security advisory, depending on customer needs," she added.

Fuck, what your customers want is to to get a fucking patch that fixes the fucking flaw and they want it before it hits sites like slashdot.

Re:Oh great, another Microsoft bug story

[Izago909]

I find it funny the editors are probably pushing their thirties, yet still act like 5 year olds toward a billion dollar corporation that has contributed more and done more for the world than they can ever hope to.

I agreed with you up until this point. I can't remember the last time MS went out of the way for philanthropic motives. Everything they have ever done has self-serving purposes. That's the way business works in a capitalistic society. Remember their settlement with the state of California? They gave vouchers and coupons for their software to schools as a settlement in the states anti-monopoly case. Whenever they have committed a true act of charity, the PR department is quick to flaunt it to every news agency around as if they can buy back a positive public image.

There are two main reasons that everyone loves to beat on MS. The first being their propensity to play the game of business by the dirtiest means possible. The second is how quickly they cry foul when anyone uses their own dirty tactics against them. Also, lets not forget the most important thing: you are now posting on a website owned by the "OPEN SOURCE DEVELOPMENT LABS". Seeing as how MS is enemy #1 of open source, I don't understand how you expect anything but MS bashing here. Personally, anytime I hear someone kissing Microsoft's ass, I can't help but think that they don't understand business ethics, or perhaps, live in a velvet cage.

Re:I Never Use Remote Desktop

> Remote Desktop is actually cool as hell. It is by far the best remote terminal service of any OS I've used.

I agree, and it's even cooler with this patch.

DOS-attack

[jiushao]

No need to blow this out of proportion; from the article:

In an advisory posted at SecurityProtocols.com, the researcher described the issue as a remote kernel denial-of-service flaw affecting XP SP2, with the default firewall turned on.

I know Slashdot loves to hold Microsoft to golden standards, but a DOS-attack in a not overly important desktop daemon is hardly huge news. At the very least it happens to a lot of OS's a lot of the time.

Re:DOS-attack

[cnettel]

OTOH, I would imagine there are more servers running terminal services (essentially the same). Hopefully, that's generally through VPN or with source address restrictions in place.

Re:DOS-attack

[jiushao]

Yeah. It is a clearly bad thing and has to be fixed. On the other hand Microsoft will no doubt fix it (in a less timely fashion than OSS typically does, but they are a lot quicker than they used to).

In retrospect my message is a bit whiny, it is a real security concern, it is just that I have read one too many slightly slanted reports on Microsoft security on Slashdot the last few years. Microsoft does a lot better today than they did before their security push and I am very happy to see this. Even for people who hate Windows it has to be heartening to see it improve, at least considering that there are no signs of Microsoft going away any time soon.

Re:I Never Use Remote Desktop

[Mr2001]

Remote Desktop isn't turned on by default in Windows XP SP2 either.

Unrealistic...

[fprog]

Blocking every port from 1024-65555 is unrealistic...

In fact, if you use passive FTP to download anything from the internet,
if you use MSN Messenger to transfer files or view webcams, if you transfer files by DCC via an IRC client...
or use any other application which is not port range specific.

It's a "design problem" that such application are not port range locked. It would be easier to lock the other ports.

This means that anytime you need to do such thing you have to manually open wide 1024-65535 ports and go back to normal mode after.

It would be easier if EVERY apps where somehow port range specific, just not few frequent application.

Re:Unrealistic...

[ForumTroll]

"It would be easier if EVERY apps where somehow port range specific, just not few frequent application."

What programs are you having problems with? All of the programs you listed are very easy to get working with a hardware firewall. Passive FTP can be setup to a range of ports which you can have open. MSN Messenger file transferring works if you open up the port and this is extremely well documented on the net, same goes for DCC files. Honestly, how many ports do you need to have open? It's pretty much as easy as typing in the port number on your hardware firewall configuration page and so far you've listed three applications. Are you telling me you would rather leave them all open so you don't have to type in the port numbers of those few applications?

Please, blocking all ports is completely realistic and most people with even the most basic computer security knowledge do it. Only let in what you need, block everything else. You also need to remember that you're doing more than the average computer user.

Re:Unrealistic...

[Not_Wiggins]

Blocking every port from 1024-65555 is unrealistic...
In fact, if you use passive FTP to download anything from the internet, if you use MSN Messenger to transfer files or view webcams, if you transfer files by DCC via an IRC client... or use any other application which is not port range specific.
This means that anytime you need to do such thing you have to manually open wide 1024-65535 ports and go back to normal mode after.

You're forgetting that a lot of these firewalls have stateful connections... meaning, if you originate a connection out (such as with passive FTP... you're told which port to connect to), it automatically is allowed back in in response.

And for services that require that you have ports open and back to the particular computer (active ftp, eMule, the webcam stuff, etc), a lot of the modern firewalls also include support for Port Triggering. Basically, if you specify the ports you'll want to use in the firewall, it can automatically forward that range of ports to whichever internal computer "triggers the port forwarding." This means, you can use eMule... then your roomate can use it after just by hitting the firewall trigger. An example of how this might look on a somewhat typical home firewall is here: D-Link firewall.

And if that sounds complicated, it is no more complicated then having to tell the Windows firewall to allow those same connections into the computer.

The home hardware firewall is very easy to use... and the parent stated, there's no reason for everyone to have one. Heck, even my 60 year-old mom uses one. 8)

Re:Unrealistic...

[DrSkwid]

*proper* firewalls can cope with those situations

Re:Unrealistic...

[Solosoft]

#NAT Settings
MasqueradeAddress 123.456.789.123
passivePorts 8087 8090

slap this in a proftpd.conf and open those ports and your FTP works behind a NAT. (If you choose to run a FTP server behind a NAT.

Of course you can choose different passive ports. I choose to keep mine near my actual FTP port. so if 8086 is my FTP port then 8087 - 8090 is my passive ports. Makes forwarding easier. :)

Re:Unrealistic...

[makomk]

The home hardware firewall is very easy to use... and the parent stated, there's no reason for everyone to have one. Heck, even my 60 year-old mom uses one. 8)

The NetGear router I'm currently accessing the net over is quite good in this respect; its firewall blocks incoming conections from the Internet by default. Plus, it supports UPnP, so stuff like Azuereus can automatically enable incoming connections and port forwarding for the ports it needs. (UPnP is also on by default, but can be disabled.)

Why is this not a surprise?

[pg110404]

The idea behind any firewall is to prevent unauthorized access and to alert the user when such access might be taking place. Microsoft is not about to second guess any of its own services, because clearly they are benign, their firewall has been known to let their own services traffic through without being second guessed. Even with all them service packs, it's entirely possible for an exploit in any area of their OS, and their remote desktop is no exception.

Why is microsoft so willing to let their customer base get screwed time and time again with the lack of security?

There are only two reasons I can think of for remote desktop.

1) It provides a means to allow a knowledgeable friend or tech support person to temporarily control your computer in order to solve some problem you can't.
2) It allows you access to your own computer from a remote location.

Every time two computers want to activate the remote desktop feature, the computer being "dialed in" should generate a public/private encryption key pair and fire off the public key to the other computer and that is needed for the entire remote desktop session. To end the session, the private key gets tossed. In any event, there should only be two ways to allow the remote desktop feature to even be accessed beyond the point of encryption key handling. The first involves a huge nasty dialog box that states "a remote user is trying to access your deskop remotely. do you want to allow it?" and the second is through some kind of PGP signature generated before you leave the computer and is placed on a usb key or emailed or something.

If joe q public gets a new computer home, joe is not about to put much effort to secure it by turning off the unnecessary services - those services microsoft quite helpfully has enabled by default - and with a more complicated environment, the risk of security holes increases. This is especially true if joe doesn't even have the slightest clue what "remote desktop" might be.

The best shot microsoft might have to improve security is to strip the running services down to bare nuts and provide a long questionnaire - with an explanation of each service and a detailed pros/cons - allowing the user to selectively tune the box to fit their needs. You can turn off a half dozen services in xp that are enabled by default and not only are they unnecessary, but it will make the system faster and more secure.

I'm more astonished at microsoft for failing to put the greatest amount of effort into securing their OS where it really counts. By simply leaving certain services disabled where most users will never need them.

Re:Why is this not a surprise?

Wow, that was quite the rant... Just how stupid do you think MS is?

Remote desktop requires authentication. In XP they also have Remote Assistance which is probably based off of Remote Desktop and requires an invite from the user at the console. Remote Desktop works just like logging onto a box - you need to enter your username and password to get a session and do anything. Presumably your user name and password are secure even if they're not q PGP signature (and emailing it? are you serious? At least transfer it over a website with SSL enabled, e-mail is wide open and COMPLETELY INSECURE!)

Finally as many others have mentioned Remote Desktop is not enabled by default (at least in XP SP2, not sure about previous versions).

The fact of the matter is that there are no fundamental flaws in remote desktop. This is simply a bug that has been discovered. Now maybe there will be a stream of similar bugs and then we can all point and laugh at the crap code that is remote desktop but one bug does not make a remote desktop worthy of your rant here.

The article even says that they don't believe this can allow remote code execution so it's very likely this is something as simple as "I can make remote desktop dereference a NULL pointer" - which is really not a big deal unless time shows that remote desktop is more generally broken.

I do.

[ichigo+2.0]

And until someone ports iptables to windows or I upgrade to a hardware firewall, I'm going to go on using it. All the other firewalls available for windows are disgustingly bloated crippleware, and I'll rather take my chances with windows built-in firewall than have yet another program slow up my computer at startup and add another-annoying-systray-icon(TM).

Remote Desktop? Meh.

Bugs are good for jobs

[msbsod]

Your IT staff loves security holes. It gives them an important task, they get paid and with every patch they install they know the software keeps them busy and employed for a long time. The PC users in your organization or company are also happy, because someone takes care of their PC's. While the PC is down you can even chat an hour with your colleague. And the executives are proud that they have everything under control. Everybody feels good.

Re:Bugs are good for jobs

[canuck57]

Your IT staff loves security holes. It gives them an important task, they get paid and with every patch they install they know the software keeps them busy and employed for a long time.

I wonder if Microsoft includes patching and rebuilding as part of their TCO? Most I/T professionals hate patch runs as when the patches break things they get the blame. If they don't patch, they get hacked/wormed and they get the blame. The real solution is get a more secure OS and remove excess user control on the desktop.

When it comes to user control of the desktop, it does not mater which OS a corporation chooses, allowing users admin privileges to change and install software on the computer is turning out to be the most expensive mistake I/T was forced to make by business management. Yes, accepting a toy rich OS that tosses security out with the bath water was the business decision. Most I/T departments would still run 3270 terminals if they had a choice. Never hear of one of those getting a keyboard logger.

Linux would be ideal, make the user unprivileged login and mount the users home directories as noexec/nosuid as with the /tmp file system and then they could not load/run/alter software. And quite frankly, I see absolutely no reason Linux couldn't do what maters to business right now.

But here is where it falls apart. If the CFO would rather watch their personal stocks in other companies with that spyware, but he should get "access denied". Maybe the CEO aught to remind the CFO to worry more about the company stock they work for and thus the spyware is not needed. Ditto for IM. But the business management needs to support this as corporate policy, rigidly enforced top down. And this will reduce costs considerably.

Business has a long way to go to mature how they run the desktops and manage user issues. I/T will as is with 98% of organiations, just going to do what management tells them to do.

Re:I Never Use Remote Desktop

[Solosoft]

Wow ... ive been looking for somthing to do this in windows for ages. I use Remote Desktop over my LAN all the time to fix computers and such or even just hop on to check somthing out now I can do it without the local user being booted off.

If I had mod points they would be going here !!

Re:Excuse me...

[kayak334]

The maturity level at Slashdot continues to rise.

Re:Oh great, another Microsoft bug story

[GIL_Dude]

Actually many people run both. Since many of them like to run games, they still need Windows. I'd guess a good portion run warez though - so Microsoft may or may not let them patch...

Could we please have something new..

[Jeet81]

what a boring day with the usual windows security fixes.

now what would be interesting is having a news like "No new windows security fixes for today." That would really be a eye popper.

Well back to sleep.

Re:I Never Use Remote Desktop

[kayak334]

If I had mod points I'd mod you +12 Only Good Post I've Seen Today.

Good news, it does.

[fbartho]

Actually, it does have a port option. syntax: ipaddress:port just put a colon in, the same as when you access any webservices not running on port 80

Don't forget the routers!

[jim_v2000]

If you are using a router to share an internet connect, it probably has a firewall on it that you can enable.

Hmm

[LooseChanj]

How exactly is this one problem a "batch"?

That's why I connect to my 2k3 server first,

[b00m3rang]

then RDP into my desktop machine. If only one of the two systems is vulnerable to a particular attack, you still won't be able to get into both (or either) system.

Re:I Never Use Remote Desktop

[KiloByte]

Why? What's wrong with them?

Oh wait... you're talking about using them in clear text instead of over ssh tunnels.

Just wait for Indigo!

[alucinor]

Not to troll, but hasn't it been every time Microsoft introduces some innovative network-related feature, like Remote Desktop or ActiveX, it's fundamentally flawed?

Makes me really anticipate Indigo :P

I'm sure the developers who think these things up are genuinely bright people, so I would assume it's the upper management with their "product" mentality want to rush these innovative features out the door, when they really should've been confined to serious lab testing for years before Microsoft starts touting them.

Re:Just wait for Indigo!

[wasabii]

How is it fundamentally flawed, again? BUffer over flow, dude.

Re:Just wait for Indigo!

[kryptx]

Yes, because we know that open source developers NEVER release ANY product until it is fully and completely finished and certified bug-free.

Re:Who the fuck...

[jim_v2000]

"I work in a call center for a major US ISP. Do you know how often we get people calling in because Norton Internet Security is screwing up?...These people didn't change any settings on NIS, it just caused this on its own."

I worked (till they outsourced last year) at a call center for Symantec's Norton line of products, and I can tell you from my experience, most ISP technicians are bumblefucks. Maybe you are an exception. Anyway, 99.99% of all firewall problems are caused by user ignorance of what a firewall is or how it works. They always click "Block" whenever their firewall comes up and asks whether or to Allow/Block a program, then wonder why that program can't access the internet.

I've had too many problems with firewalls from ZoneAlarm, Kerio, etc, especially with them causing XP to hang on boot, skyrocketing memory use, etc, especially compared to the extremely basic windows firewall...

Never had an issue here...maybe you should check to see if you have a gazillion programs trying to startup when you boot. It's probably a program conflict.

Hmmm

[Mechcozmo]

This may include providing a security update through the monthly release process or issuing a security advisory, depending on customer needs," she added.

That's what I want. Patches on your schedule.

RDC is actually very good. Sound, color, etc. I've used VNC and even over a high-speed connection I had to turn colors down, etc. Whereas RDC never needed me to turn down the colors. Plus it actually shows what your pointer looks like, not some little dot thing.
So before you bash RDC, see if you can learn something from it first.

Re:Hmmm

[shmlco]

That's what I want. Patches on your schedule.

This was addressed just the other day. Sysadmin's requested a standardized release schedule so they could schedule patch installation and downtime.

Damned if you do and...

Re:Hmmm

[oxygene2k2]

all well and known.. vnc aims for a different target.

try X11 (or it's spin-off NX) for a real RDC comparison

Re:I Never Use Remote Desktop

[eviljolly]

Actually remote desktop is not on by default, and MOST (not all) of those crappy services running in the background are required for some program in order for Windows to operate properly. A lot of times people use their own judgement and start to disable those services, then wonder why something on their computer won't function. Oh gee, it must be Microsoft's fault, this thing is a piece of junk. Or another common assumption...it MUST be a virus!! All of these tweaks and registry hacks that people perform can have lots of negative side effects on programs that are not designed to work with those different registry values, but the average joe doesn't know this. Honestly the only time I ever reformat my computer is when switching to a new motherboard/processor or if I am having physical problems with the drive. I have never had to reformat Windows XP simply because a program was not functioning properly. I believe my current install is going on about a year now. I have a second computer with remote desktop enabled which is not firewalled from the internet (on port 3389), and then I use that computer to access files on my other PCs, or even use a remote desktop session from within itself to access my other PCs on the network if I am away from the home. There will always be hacks and exploits, but I am not willing to sacrifice functionality because of things that *could* happen. If a problem presents itself, I will work around it when the time comes.

Re:Who the fuck...

[aaronl]

It only blocks incoming connections. There's no way to block outgoing connections with Windows Firewall. Other than that, it's very inflexible and doesn't offer any of the nicer advanced features that other products offer. It has no way to scan incoming email or www for viruses and other nastiness.

It OK for something built in, but there is still strong justification for third party solutions. It generally serves the purpose of stopping stuff from compromising you from the network while you are setting up something for real. It *is* very easy to configure, though.

The complaints you have about the NIS and such are perfectly valid. I've had many people use Kerio without trouble, and most ZA users are ok. NIS messes up all the time, though. We've been saying for around ten years that NIS was crap. ;-)

Overall, running a software firewall on your workstation isn't going to stop too much. If you end up running anything nasty, it can just modify your firewall config.

The real problem is that most computer owners know nothing about their machines, their network, or the Internet. This leads to huge number of problems. Education would work far better than stop-gaps like Windows Firewall.

Re:I Never Use Remote Desktop

[bigman2003]

Remote desktop more than "doesn't suck." I think it is pretty damn awesome.

I use it all the time to connect to my desktop- so rather than trying to keep my laptop in sync with my desktop, for mail and junk like that- I just connect to my desktop and I never worry about syncing.

It's also fast.

But, since day 1 I have thought that if there is a security hole, it will be a BIG one. If they can connect, then they own everything...

Holes?

[Triple+Click]

Nothing a 4"x4" shrimp bandage won't fix!

Re:Holes?

[cryptocom]

lol...good one. : )

Funny.

[lullabud]

Everybody else replying to this is like "But Windows Remote Desktop Connection is in WINDOWS! WAAAAH!!" as if you can't tunnel those through ssh from a linux box. They're ON. They DO allow you remote desktop connection. Yet they're still COMPLETELY secure... IF you do it right. I'm not worried at all.

Anybody using standard ports for their personal rig is asking for trouble.

Anybody who modded the parent insightful clearly missed his cynicism.

Re:Funny.

[evilviper]

Anybody using standard ports for their personal rig is asking for trouble.

Anyony using non-standard ports is just lulling themselves into a false sense of security.

Re:Who the fuck...

[papasui]

SP2 Firewall does block outgoing connections.

XP DoS really that horrible?

[jgercken]

Sure, having your box lock up is annoying but are any critical systems running on Windows XP? Would any real loss occur from successful exploitation? Unlikely.

Re:Who the fuck...

[westlake]

Anyway, 99.99% of all firewall problems are caused by user ignorance of what a firewall is or how it works. They always click "Block" whenever their firewall comes up and asks whether or to Allow/Block a program, then wonder why that program can't access the internet

If you are selling internet security to non-technical users, then it becomes your responsibility to see that everything works properly.

Re:Oh great, another Microsoft bug story

[DogDude]

As a business owner, I understand ethics pretty thoroughly. However, most OSS zealots have no clue. Most OSS zealots are more than happy to side with the gov't when they think it's somehow at their advantage (anti-trust against MS), and slam the gov't for it's stupid laws when it's at their advatage to do so (DMCA, IP laws, etc.). It's completely arbitrary and generally pretty damned uninformed.

I find it funny the editors are probably pushing their thirties, yet still act like 5 year olds toward a billion dollar corporation that has contributed more and done more for the world than they can ever hope to.

For one, their philanthropy really is unmatched. I've never heard of an OSS company giving away anywhere *near* the cash that MS gives away. On top of that, MS made PC's ubiquitous. Sure, you could say, "somebody else would've done it", but there's no way of knowing. But absolutely, definitely, MS made PC's widespread and easy to use for the masses... something that no OSS project has even come close to doing.

Get a linksys wrt54G

[papasui]

Seriously, get a WRT54G and load a custom firmware image that includes a PPTP VPN server or you could do it with SSH.

Windows 2003 (Sp1)

[wamatt]

I don't care about XP. What about our servers? I know a lot of Sp1 for 2003 is similar to XP SP2 code.

Is Windows 2003 Server affected?

OK I'll bite

[GIL_Dude]

You're an obvious troll, but what the hell - it's a slow day.

Let's see - since sanity vs. insanity is defined by the majority of the people (people "thinking" or "seeing" in a similar fashion will tend to define as "insane" people who think or see in an obviously different fashion), then I guess the 90% or so people who use Windows would beg to differ with you. They probably believe they are in their right minds, and hence could possibly have cause to believe that maybe you are not.

However, to the real issue you have rasied about "Times have changed and there is no reason anymore to use an operating system that is that insecure, prone to virues and spyware, and instable.". Let's see... We are just starting a project to replace our current crop of machines in early 2007. First thing- what OS? Is it Longhorn or something else like Linux or OSX? Every time we get some business unit suit asking us to go with Linux we (who wouldn't mind switching ourselves) ask them which of the 4,000 apps in use in the company they are willing to throw out and either buy a new version for Linux, re-write (if in-house), get a freeware community supported version, or try to make work using something like WINE.
They ALWAYS without fail just go away.

There is just NO WAY that we could make the switch at this point. Software that runs under Windows is too entrenched in our environment and purchasing, re-writing, investigating freeware, testing under WINE, etc. would cost WAY MORE than just upgrading to Longhorn as we install new machines. I mean it isn't even CLOSE. Not to mention the business delay it would cause to do all of that work investigating whether we could get a functional environment for people. Look at how many MS Office macros (yes they are evil, but they exist in large numbers) would have to be thrown out and redone. It's just huge any way you look at it.

That all said, a company just starting could probably get going with something like SuSe or RedHat (or another) with no major problems. They could start out on Open Office (2.0 is looking good). They'd probably be able to stay on it for a long time (until they merged or got bought out - that might force a change).

But for the folks with thousands of users in 180 countries that have used MS for years - there is just no way to go back now. The stockholders would kill us if we tried to spend enough money to make it happen.

Re:OK I'll bite

[aug24]

I'd suggest your shareholders ditch you for using macros for anything remotely business critical anyway. But what do I know, I'm just a sane person ;-)

Next question: 4000 apps? Really?! I'd suggest your desktop env is vastly overcomplicated then.

In other words, your reason for not changing boils down to 'having been doing things really badly for years, it would be impossible to move to linux without incurring the costs of changing to do things properly at the same time.' Really you should be trying to get rid of macros and reduce your desktop complexity to something sensible anyway.

Justin.

Re:I Never Use Remote Desktop

[VGPowerlord]

To address the services you explicitly mentioned, while I think Remote Registry being on by default is a Bad Item (tm), the other two have legitimate uses.

Secondary Login is the Windows equivalent of the su command. I wouldn't recommend removing it. Not all users run with Administrator access. I'm posting this from my gaming machine, a Windows XP machine, as a Limited User.

Server is part of the SMB networking system. While not useful in a corporate network, it is useful in a Peer to Peer network. As far as I can tell, disabling this is the same as disabling Samba's nmbd.

Re:Oh great, another Microsoft bug story

[Klaus+Obermeyer]

"As a business owner, I understand ethics pretty thoroughly."

And we all know the paragon of Ethics the business world is.

Honestly though, you may very well be an ethical person, but your status as a businessman is hardly related to such.

"However, most OSS zealots have no clue. Most OSS zealots are more than happy to side with the gov't when they think it's somehow at their advantage (anti-trust against MS), and slam the gov't for it's stupid laws when it's at their advatage to do so (DMCA, IP laws, etc.). It's completely arbitrary and generally pretty damned uninformed."

So, in your world one must either agree with everything the government does or disagree with everything it does?

Perhaps someone could believe in the enforcement of fair trade and the maintenance of a level playing field (one aspect of government) while still being in favor of curtailing the government's ability to intrude upon a person's privacy. You seem like an intelligent person though so I won't go on, suffice it to say that people's actions wouldn't seem as arbitrary if you took a minute to understand their motivations and beliefs.

Have to remember that phrase

[imsabbel]

"private security researcher" sounds really that much more educated and important then a mere "hacker"...

XP x86 only? Or does this impact XP x64?

[StudentAction.CA]

Can people *please* start adding the processor(s) affected to security releases? Or for that matter, to hardware and software?

Does this only apply to XP on x86, or XP x64 as well?

As someone who runs a XP x64 workstation, I'm getting really tired of being ignored! Vendors list "XP" support, but never tell you if they support x64. Security mailing lists have "XP Security issues", but no one says which XP it impacts.

I'm sure myself and the handful of other users of XP x64 would really appreciate it if people started denoting which hardware platforms they support.

Re:Who the fuck...

[wfberg]

Norton products simply suck ass. Their only saving grace is the enterprise edition of their virusscanner, anything marketed to consumers is basically complete crap.

Having said that, as a consumer you can settle for a free firewall as well. Check out Sygate's offering. Not quite suitable for your mother perhaps, but a pretty good program. It even nags about services that the windows firewall won't nag about.

For use in a network of windows workstations administered by a non-n00b, I like tdi_fw.
It's simple, straightforward, and has a whole lot of nifty features. The user doesn't even get to see it, it's a service that reads its config from a text file and does the job. It'll even recognise processes (iexplore.exe) or play sounds when connections are blocked. Only drawback of the thing is that you need to restart the service for it to re-read its config.

Re:Who the fuck...

[baadger]

Running Windows 2000 myself and I use Kerio Personal Firewall 2.15, the last firewall in the 2.x series and the last "personal firewall" from Kerio I can tolerate.

It has some major issues, don't use the remote access for one. But it's a decent suppliment to the Windows Firewall on open source project was planned to build an open source clone, unfortunately it seems to be going nowhere.

Failing that, Sygate is a good choice.

Re:Oh great, another Microsoft bug story

[catman]

Which shill modded this as flamebait?

Re:Oh great, another Microsoft bug story

[idonthack]

Apparently, you miss all of the Firefox articles and don't look in the Linux section.
---
I'm not a very effective viral sig. Please help me spread.
Generated by SlashdotRndSig via GreaseMonkey

Re:Who the fuck...

[baadger]

Well i forgot to close my anchor tag, shame on me
Ghost Personal Firewall

Good thing...

[pluggo]

...Linux and Windows security are neck-and-neck...

Re:Oh great, another Microsoft bug story

[DogDude]

I've actually spent quite a bit of time thinking and talking about this. The current method of enforcing "fair trade" and "level playing fields" is quite arbitrary. The MS anti-trust suit, for example, was against a company that while huge, is certainly not a monopoly, as per the definition of the word. So, when exactly is a company a monopoly? When they are worth $x? When they have X number of employees? When they control x% (less than 100%) of a market? And once they're deemed a "monopoly", what can they do and not do? Apparently, they can sell products to customers at a loss to kill competitors, but they aren't allowed to motivate their customers to purchase their products instead of a competitors by refusing to sell to them if they carry brand X. etc. etc. etc.

So I ask, in a case like this, or any other anti-trust lawsuit, where's the line? And if there is a line, why is the line there?

And while I like my own privacy, I don't know of a law that says that we have the right to privacy. What lengths do we go to protect privacy?

I understand what you're saying, but I fail to see how either case is *not* arbitrary.

Wrong.

[wasabii]

We force RDP on all our workstations through group policy. It would be sort of like the stone ages to have to walk to each desktop to support it, don't you think?

Every company I've worked at has done this.

Re:Oh great, another Microsoft bug story

[Lisandro]

For one, their philanthropy really is unmatched. I've never heard of an OSS company giving away anywhere *near* the cash that MS gives away. On top of that, MS made PC's ubiquitous. Sure, you could say, "somebody else would've done it", but there's no way of knowing. But absolutely, definitely, MS made PC's widespread and easy to use for the masses... something that no OSS project has even come close to doing.

Then again, the Internet you're using runs (and did even more in the past) mostly on non-MS software, specially OSS. You could then argue we wouldn't have Internet as we know it today without OSS just as you could argue PCs wouldn't be as widespread today without MS.

Just an example - it's not always so black-or-white. Microsoft has it pros and cons and so does OSS, and both have done their share of good for us, the users. Now, while i acknowledge what MS did for the computer industry, i find a bit too much calling them "philanthropic". They are a buisness, and do everything for a reason (i.e., get more money). No that there's anything wrong with that, but MS, particularly, has an historial of shady motivations an buisness actions.

Re:Who the fuck...

[awkScooby]

Tell me, what makes it not a real firewall? It blocks ports.

• No egress filters
• No stateful packet inspection
• Apparently doesn't work 100% (If RDP behind the firewall can still be DoSed, the firewall doesn't work)
• If it doesn't handle layer 7, it's not a real firewall.

Re:Who the fuck...

[Anakron]

"another lady could open up PORT 80 TO BROWSE THE INTERNET"

Ok, so she *could* open a port - why did you get the call?
And if you meant *couldn't*, you should know that you don't need to OPEN port 80 to BROWSE.

Re:Who the dickens...

[Duhavid]

I have been running ZoneAlarm on Win2000 for over a year now. I know of no major problems with it. Been running it on my wife's WinXP ( home ) machine for about 6 months, again, no major problems that I know of.

Re:Oh great, another Microsoft bug story

[geekee]

"So, in your world one must either agree with everything the government does or disagree with everything it does?

Perhaps someone could believe in the enforcement of fair trade and the maintenance of a level playing field (one aspect of government) while still being in favor of curtailing the government's ability to intrude upon a person's privacy. You seem like an intelligent person though so I won't go on, suffice it to say that people's actions wouldn't seem as arbitrary if you took a minute to understand their motivations and beliefs."

I think his point was it's a bit hypocritical to complain that the govt. is restricting your freedom via DMCA, but then support restricting the freedom of MS executives through anti-trust laws.

In the end, /.ers in general aren't interested in freedom or fairness. They are only interested in what benefits them the most. Just look at support for GPL enforcement but hatred towards RIAA for their copyright enforcement.

Re:I Never Use Remote Desktop

[man_of_mr_e]

I would advise against installing this, other than in behind a firewall in a trusted environment. Obviously, once the patch comes out for this security issue, it will "fix" this feature as well.

That means that if you install this, you will be insecure moving forward. Best bet would be to install an SSH server and then tunnel to it and execute locally behind a firewall.

Re:Oh great, another Microsoft bug story

[KwKSilver]

Evidently, the courts disagree with your definition of a monopoly. Being a monopoly is not illegal, being an abusive monopoly is. Interesting that you should bring up selling at a loss or giving away products. MS killed Netscape by giving away a browser, and-because a browser was Netscape's only real product-MS succeeded in killing them. Not satisfied with being able to kill them by giving a browser away, they also used coercion on OEMs to keep them from even loading Netscape on new computers.

Nor is that all, they used the same tactics to keep WordPerfect and Lotus off of new computers. That cost me hundreds of dollars on my first computer. Their "big-hearted giveaways" cost me that money. MS also supplied developers working for rivals with phony specs for Windows, and strangely enough, those competitors' products had a tendency to crash. They are still being sued over that.

If your heart is still bleeding for poor oppressed, downtrodden, paragon-of-sweetness-and-light MS, why don't you send them all your paychecks for the next 10 years. Bill's dogs will probably appreciate tha extra caviar.

Re:Who the fuck...

[Tezkah]

I worked (till they outsourced last year) at a call center for Symantec's Norton line of products, and I can tell you from my experience, most ISP technicians are bumblefucks

Agreed, most of my coworkers freak out if they get a Mac call. They're fine if you keep them within certain things they've been trained in, but once you get outside that you see that they're not quite knowledgeable.

Personally, I've never had any problems with blocking things with my firewall (the NAT connections on this "free" wireless router with port forwarding being an exception, but thats an issue with shitty settings in the firmware of this iNexQ device).

The way that Windows Firewall is at least better for computer illiterate people is that it blocks most ports that would cause problems like the sasser worm in the future, while not asking them if they want to block iexplore.exe. I mean, you and I might know what that is, but I can see why someone would block a program out of fear with so many spyware programs out there.

Never had an issue here...maybe you should check to see if you have a gazillion programs trying to startup when you boot. It's probably a program conflict.

I was more speaking about ZoneAlarm, especially the new versions. ZoneAlarm + a fresh install of slipstream SP2 on my laptop = hang on boot waiting for the Windows logon box ("Windows is starting up...", the message it shows before it lets you type in your username/password). I haven't bothered with Kerio or any other third party solution, just because the XP Firewall has been working perfectly for me, and I don't even bother with antivirus... since I don't run strange exes, and I run in user mode. I'm definitely the exception in this case though.

Also, to the person in the thread who said that he has Kerio on 200+ boxen... is this in a corporate environment? If so, why would you be deploying a workstation solution? Wouldn't it be better to have something like an OpenBSD based firewall as the entrance to the internet from your network?

Re: definition of insanity

[KwKSilver]

Let's see - since sanity vs. insanity is defined by the majority of the people (people "thinking" or "seeing" in a similar fashion will tend to define as "insane" people who think or see in an obviously different fashion), then I guess the 90% or so people who use Windows would beg to differ with you. They probably believe they are in their right minds, and hence could possibly have cause to believe that maybe you are not.

The best definition of insanity I've ever heard:
"Doing the same thing over and over again, expecting different results."

Keep applying those patches, rebooting, reformatting, and reinstalling. Maybe someday you'll get a different result. Maybe Lamehorn will bring pie from the sky.

Best antidote for insane behavior: "Son, if you want your life to be different, start doing things differently."

Re:Who the fuck...

[aaronl]

Nope, it doesn't. Look at any documentation at all for it. It will block some types of outgoing ICMP, but it monitors absolutely no outgoing TCP/UDP connections. It is limited to the blocking of incoming connection *only*.

Right from the Microsoft TechNet docs: "With the exception of some Internet Control Message Protocol (ICMP) messages, Windows Firewall allows all outgoing traffic."

You make a good example for why Windows users need better computer education, though. ;-P

Firewall is software, software has flaws

[SuperKendall]

This is EXACTLY why you cannot just run a firewall on a box and consider yourself protected. Because a firewall is just software (even the hardware ones have firmware that runs them) and software will have flaws.

It's exactly why defense in depth is the only real approach to security, so even if a firewall is vulnerable there's nothing inside to attack. Windows XP with firewall on is just like a Tootsie Pop, one bad lick and the attacker gets all your Tootsie they like.

Re:Oh great, another Microsoft bug story

[Klaus+Obermeyer]

I think his point was it's a bit hypocritical to complain that the govt. is restricting your freedom via DMCA, but then support restricting the freedom of MS executives through anti-trust laws.

The difference being that Microsoft's alleged actions as a monopolist infringe upon other's right to enjoy a fair and level playing field. Of course by stopping a monopolist you are curtailing what could be considered their "rights" but only so that others might enjoy a greater range of rights and equality. Government plays exactly this role of deciding the balance between one man's rights and another's.

In a similiar vain you could say that the Government stopping a serial sexual pedophile by putting him in prison is revoking what he sees as his "right" to take advantage of the innocent - on the other hand such a predator infringes upon the rights of his victims to life and security.

The general Slashdot hostility to the DMCA is grounded in exactly this reasoning. The DMCA expands the right's of recording industry at the expense of the consumer's right to enjoy their purchased content as they see fit.

In the end, /.ers in general aren't interested in freedom or fairness. They are only interested in what benefits them the most. Just look at support for GPL enforcement but hatred towards RIAA for their copyright enforcement.

You must be new here! Let me be the first to welcome you to the human race, I trust you'll feel right at home.

Re:Oh great, another Microsoft bug story

[lachlan76]

They are only interested in what benefits them the most. Just look at support for GPL enforcement but hatred towards RIAA for their copyright enforcement.

1. GPL enforcement helps the majority of people, and only hurts a small minority, while not enforcing RIAA copyrights would help everyone except the RIAA
2. When the GPL is enforced, it is not done by a multi-billion dollar corporation telling a small, non-profit closed-source programmer that he/she will be sued into bankruptcy whether they are guilty or innocent if they do not pay a multi-thousand dollar settlement

May Actually Be Two Flaws Reported Here

[SkiifGeek]

I think that the eWeek article might be slightly off on the flaw being reported.

The DailyDave mailing list suggests that the XPSP2 bug, and the RDP flaw are the same. It will take until the second week in August before the real bug with SP2 will be announced, as declared on the Security-Protocols site.

The ISC diary is talking about port 3389 starting to attract a rise in traffic - the RDP and Terminal Services port, with earlier rumours of a 0-day having raised its head on Windows. If it is the same vulnerability as that on the security-protocols site, then we are stuck until the second week of August before the patch is released, and someone either leaked the exploit, or it was independently uncovered, but news of which hasn't reached the surface, yet.

Looking at Microsoft's own security advisories, number 904797 talks of a known Denial of Service with RDP which is awaiting a patch. Perhaps it is the same as the security-protocols site, and maybe it isn't, but Microsoft only consider it to be a Denial of Service, while the security-protocols site appears to be something which can be actively exploited.

Re:I Never Use Remote Desktop

[eviljolly]

Notice I said MOST (not all). I'm not saying every program on your computer depends on them, but if someone disables Wireless Zero Configuration and then one day decides to install a wireless network card then they're going to run into problems. Ok maybe I went a little off topic talking about registry hacks, but it was all on the point of people doing things which cause programs to stop working and then they wonder why.

Re:I Never Use Remote Desktop

[eviljolly]

Ok you have proven you know how to use the word "idiot" properly in a sentence. Notice I said that I had a single port open for remote desktop. I'm almost not saying that I still have remote desktop enabled. My point is that there was no known issues with remote desktop up until now, and there was no reason for me to disable it. Anything which can access the internet is a potential security risk. Hell someone might use a new exploit in your instant messenger program that you left on overnight to execute arbitrary code and gain access to your computer. Are you saying you don't leave your computer running unless you are constantly attending it? Are businesses supposed to close down their VPNs because one day they could one day become vulnerable? Maybe Slashdot should shut down because someone could find a vulnerability in their php scripts? You are the kind of people who are too paranoid for your own good. If a problem exists I'll work around it, but I'm not going to live my life in fear of what might one day happen. I make regular backups of important information. My passwords are generally at least 10 character random alpha numeric. I scan all of my files when I download them, and only download from trusted sources to begin with. I'm surprised you even get on the internet as paranoid as you seem. Your system could have already been compromised by browsing to Slashdot for all you know. Get a life, grow a pair, stupid anonymous cowards...

Re:I Never Use Remote Desktop

[evilviper]

Oh wait... you're talking about using them in clear text instead of over ssh tunnels.

It wasn't a joke, but it went WAY over your head...

Re:I Never Use Remote Desktop

[gpoul]

And this is why? Because we never had exploits in ssh? well... my memory might be bad... but not that bad...

Come one guys. - This is the same service as ssh. remote access. It's just remote desktop because windows users always need to point-and-click... but it's the same service and it's used to do the same thing.

Get over it.

Brute force scanning takes time

[lullabud]

In the case at hand that's just not true. It's no more false than using strong passwords. The added time it would take for a script to TCP connect scan every single port on an entire netblock or selection of random IP addresses does give you security. Assuming you are not restricting access based on IP#, nothing is 100% secure against a brute force attack and non-standard port usage is no exception, however, it is one more substancial hurdle for the attacker to clear. Hacking strong passwords as opposed to weak ones adds to the time it takes for a successful attack. Using nonstandard ports also adds to that time.

In the case where somebody is hand-crafting an attack against your box then yes, the use of non-standard ports would be a trivial hurdle.

Re:Brute force scanning takes time

[evilviper]

The added time it would take for a script to TCP connect scan every single port on an entire netblock or selection of random IP addresses does give you security.

No, it gives you obscurity.

There are many different ways of scanning for vulnerable machines, and actively connecting to different ports on each machine is only one of them.

Re:Who the fuck...

[jim_v2000]

If you are selling internet security to non-technical users, then it becomes your responsibility to see that everything works properly.

Since when is the seller of a product responsible for teaching the buyer how to use it? The users should know how to use what they're are buying, or else why are they buying it?

Re:Oh great, another Microsoft bug story

[janrinok]

Now I really must take issue with the 'charitable' bit - Open Source software - you know, Linux and that sort of thing - is very often FREE. People all over the world can use it, without having to pay any fees, and they can do what they want with it. To my mind, that knocks Microsoft's contribution for six. Many of the contributors to /. also write OS. They do a damn site more than you realise. However, we forgive you, as long as you keep paying for your updates from MS because you obviously don't know any better. Jan

Re:I Never Use Remote Desktop

[man_of_mr_e]

I advise against installing it because it has a known vulnerability with no fix available (other than one that will disable the feature).

The point is, the beta version of terminal services *IS* vulnerable. Period.

Passwords ARE Security Through Obscurity

[lullabud]

Yes, it gives you security through obscurity. Attacks that are susceptible to brute force can't really do much except that. That is why using an obscure password is better than using an obvious password. If you happen to know a quicker method than TCP connect scans for use against mass amounts of randomly selected targets then please, let us all know. You are correct that there are many different ways, but your presupposition that those other ways are quicker is surely wrong.

Re:Passwords ARE Security Through Obscurity

[evilviper]

You are correct that there are many different ways, but your presupposition that those other ways are quicker is surely wrong.

Well, it's not a 1:1 comparison, since they can't be used in quite the same way.

Many are quicker in reality, though, because they can be used against large numbers of hosts simultaneously.

Besides that, the speed at which they find your machine doesn't really make any difference, does it? Changing the port may change the time it takes to find you from a milisecond to a few seconds. Changing your password to include non-alphanumeric characters can change it from taking a few minutes to run a dictionary attack, to taking decades upon decades to brute-force it. There's a big difference between the real security and the obscurity there.

If you happen to know a quicker method than TCP connect scans for use against mass amounts of randomly selected targets then please, let us all know.

Don't act like such an ass. Just because you don't happen to know how different port-scan methods can work doesn't imply that nobody does. That's called being arrogant. If you spend some time to look them up, I'm confident you'll find plenty of info on them.

It wasn't long ago I ran across a global warming nut on /. who used the same argument as you when I mentioned that there are other ways to cool the earth, other than cutting down on emissions. He was also making an ass of himself.

Re:Oh great, another Microsoft bug story

[aztracker1]

Personally, I like a lot of what they offer developers, outside that, their politics suck.. even as a developer for mostly-ms based stuff... I will say their environments for development (including .net) are far and above what is anywhere near standard anywhere else...

That said, I'm truly hopefull for mono to mature on other platforms, as it will make transition a welcome thing for many people...

Re:Who the fuck...

[aztracker1]

I think he means something hardware.. outside of dialup (for cable & dsl users) an internet router/firewall can be your best friend... the default dsl modems for a lot of companies actually have one integrated.. which can be nice, unless you are like me and have an ip block via dsl..

That said, windows firewall works okay, and this exploit is for something not enabled by default afaik... so it works for me.

A *REAL* firewall will generally do at least some packet analysis, and will block certain types of attacks (though won't stop ddos, because this is basically a flood attack usually). There's lots of other things a *real* firewall can/does do... but generally for dialup, you don't have an option.

Re:I Never Use Remote Desktop

[gbjbaanb]

Remote Desktop technology was bought (or licenced or whatever) from Citrix. They also have some pretty amazing stuff too that is RDC, but better (got to compete somehow).

Win2000 has it too, only it was called Terminal Services, in Administration Mode (as opposed to TS lots of users connecting and running programs).