Exploits Circulating for Latest Windows Holes
1sockchuck writes "Exploits are already circulating for at least two (and possibly four) of the Windows security holes addressed in Microsoft's updates on Tuesday. Several working exploits have been released for a new vulnerability in Windows Plug and Play technology, which could be used to spread a worm targeting Windows 2000 machines, according to eEye security, which has released a free scanner to help network admins identify vulnerable computers."
Perhaps this vulnerability was a 'Feature' to get people to migrate away from Windows 2000?
My UID is prime... is yours?
At least, Microsoft is maintaining great quality control.
I mean W2K has been around for about... uh, 5 years?
So isn't this just an old exploit that was just found?
See? Having 900,000,000,000 lines of code is a good thing.
Our website's registration forms require users to provide contact information (names and email addresses) and financial information (account or credit card numbers). Financial information that is collected is used to bill the user for products and services purchased and is only used internally by eEye. Contact information is used to confirm and ship orders, to contact the user when necessary, and to notify users when new products and services are available. Users may choose not to receive future mailings from eEye; see the Choice/Opt-Out section below. eEye Digital Security may occasionally share visitor contact information with official product resellers that adhere to a comparable privacy policy; visitor contact information is NEVER given to other third-party vendors that are not affiliated with eEye.
Why do they insist on my personal information if they aren't going to use it?
They have the ability to let me opt out of mailing, why don't they provide an opt out for my information in the first place?
The exploits came out after the announcement and not before. It begs the question, do we need to give M$ credit for pushing the patch before the exploit became common knowledge? Compare this to Cisco who tried to squash recent publicizing of their vulnerability.
You got any karma man? I really need it. Just a little hit! Come on!
But I'm reminded of a childhood verse...
"The worms crawl in, the worms crawl out
The worms play pinochle on your snout..."
You can't talk about Wikipedia's flaws on Wikipedia
Is anyone but me getting sick of these companies releasing "free" tools that require you to register for their incessant spam, phone calls, and other marketing harassment in order to download? Yes, I understand that they spent money to develop the tool, but what if I want to scan my home network? MySQL isn't too bad, at least. They have the marketing signup, should you be interested, but provide a link to download without all the crap.
[Wanders off muttering about the good old days of gopher and archie]
Exploits like these will all be fixed in Longhorn, umm, Vista. Seriously, the general population doesn't patch the security fixes that are out there, let alone the new ones that come out every other Tuesday. So exploits based on new patches are irrelevant if a computer can be compromised with mydoom.
I mean, how DARE they release a fix for a security hole BEFORE it's exploited.
Tom
The recent article on the front page here (2 down at the moment), talks about vulnerabilities linked to MS05-038 being in the wild in mid July (actually quite a bit earlier, but we will give them the benefit of the doubt). There have been a number of minor exploits in existence for at least a month and a half with respect to some image handling capabilities through IE (also MS05-038).
Security-Protocols claimed to have discovered the vulnerability linked to MS05-041, and there were some minor claims that other people had been able to make it into exploits which weren't widespread.
I initially thought that the Plug and Play vulnerability was linked to a report on an overflow with respect to handling USB devices (which has also been reported), but it seems to be much worse.
I am fully aware of the reasons why companies EOL their software, but Microsoft's cessation of mainstream support for Win 2000 might be coming back to bite them, given that Win 2000 is just as vulnerable to these exploits as Win XP and 2003, if not more so.
InfoSec that matters, when it counts.
Of course... This is NAN (Not A News). You can always expect this with MS!
I think once in the past three years I've seen one month without an update that was critical. Also, the way I've seen it, is that you have three to six months before the vulnerabilities are widely attacked. There are always people that are quicker on the ball, but three to six months is a good range before every other website is taking advantage of these vulnerabilities from what I've seen.
...is OK in here, Bob!* (heard from a little voice in my Mac).
* Remember that .com ad with a fish talking to its owner?
...Microsoft patched the holes BEFORE the exploits started circulating?
If that's the case, what's the problem?
"Ask not what your country can do for you." --John F. Kennedy
Microsoft is disappointed that certain security researchers have breached the commonly accepted industry practice of withholding vulnerability data so close to update release and have published exploit code
I can already hear the Slashdot chant of how security researchers have every right to release exploit code usable by script-kiddies whenever they want. I can't wait until the Internet culture is such that just because you can do something doesn't make it right.
I'm a big tall mofo.
I've been a devoted Windows user for many years but I am so fed up with patching Microsoft's crappy code and having to run several antivirus and antispyware programs at any given time. Instead of hiring more developers Microsoft is using us as unpaid guinea pigs to chase bugs and exposing us to script kiddies breaking into our machines. This is an endless rat race. At the same time they are hyping Windows security with sponsored "independent" studies and trashing Linux with brewed up FUD. I am sick and tired of this bullshit. I've backed up my data and I am burning my first Linux install disk. If I like it I'll be using Linux from now on.
On one hand, things like this are very serious, and at least they are fixing the issue. The problem is that while many businesses continue to use Win2K, Microsoft, in my opinion, has shifted its focus to WinXP or 2003, yet critical fixes are still needed for 2K. Personally, the software curse is in effect here: once you produce something, you have to support it forever. Microsoft has a nice history of dumping products, or "ending support" as they call it.
you = teh moron
"...eEye security, which has released a free scanner to help network admins identify vulnerable computers."
What, the Windows startup screen wasn't sufficient to identify vulnerable computers?
Hundreds of vulnerabilities discovered in Linux since the release of a distro:
0 .1
http://www.mandriva.com/security/advisories?dis=1
But of course, that's not newsworthy because it doesn't involve hating Microsoft. This ain't a troll; it's an attempt to show that BOTH systems have pretty lame security track records, yet all we hear about is Windows.
Look at that list above. Given 300 million clueless users running that Mandrake instead of Windows, don't you think there'd be exploits for that plethora of holes too?
-WH
It isn't all that expensive anymore just to get an upgrade to Windows XP and voila, problem solved, well for w2k anyways. And w2k is way out of date by computer standards. In about 3 months stuff is out of date in computer standards, so 5 years?!?!?! A much better upgrade would be just go with Linux. More security all around.
The exploits appeared not to exist before they were reported and announced. Now they do. This is not such a problem, since there is a patch available.
However, it does make me suspicious of the dogma of some white hat hackers, that black hats may already know about vulnerabilities so there's no reason not to give full exposure.
If you need to test the machines on your network Nessus http://nessus.org/ has released plugins.
Having to work for a living is the root of all evil.
Yes my Windows 98 Second Edition PC is not affected ;) This has to be a first...yes/no???
This may be a little hard comment, but do 100% of Windows 2000 servers really need the plug and play service to be running? Maybe 1% really need it. For the others, just deactivate it and future bugs and holes won't touch you. I think it is a pretty good practice to deactivate everything that you don't need!
Don't believe me? I only work in a computer security company, what do I know?
No sig for now.
Red Hat ends support for OSes that are only 12 months old! Some distros won't update anything > 6 months old! Linux is THE WORST for long term support.
And Apple has dumped more products cold than Microsoft ever has.
Microsoft has actually been quite good on this in the PC arena.
The company distributing this requires you to provide personal information just to pick up a small scanner, which is entirely unnecessary. The purpose it seems behind distributing these little tools is to collect this information for sale and for use in sales.
I would recommend that users stop using slashdot.org as a way to distribute pointless software in an attempt to collect free user data.
eEye is hands down the most retarded name I've ever heard in my life.
In a similar vein, note that you have to fill in your email twice. A classic example of why "double opt-in" is utterly meaningless.
My next sig will be ready soon, but subscribers can beat the rush
Once again: (original at http://slashdot.org/comments.pl?sid=71367&cid=645
10) find big remote vulnerability in product
20) perfect the exploit
30) have fun with it for months
40) find another big hole in same product
50) perfect exploit for hole
60) alert vendor about original hole
70) have fun with new hole
80) goto 40
First of all, Linux distros support every package on the system, not just the core files like MS update. That means perl, MySQL, apache, even the modules for apache. Everything. With that in mind, compare the Secunia security reports for Mandrake 10.0 and Windows XP Pro 10.0, which hit the market at about the same time. Have a look at the amount of unpatched vulnerabilities in both and see if you can still come to the same conclusions. Sheesh!
Working in a DevOps shop is like playing in a band made up entirely of keytarists.
So would their scanner software be called eEye eEye 0?
-- The Genesis project? What's that?
This actually has been patched in Win2k. Microsoft will continue with security patches for Windows 2000 through 2010. Their current policy for business-related software is 5 years "mainstream" support plus 5 more of security fixes. For "home" stuff, it's 5 years and you're done. This has some interesting consequences, such as Windows XP Professional being semi-supported through 2011 but Windows XP Home expiring at the end of 2006.
Source: http://support.microsoft.com/lifecycle/
He's been writing that Mike Lynn did the industry a disservice by revealing the buffer overflow class of Cisco vulnerabilities.
His logic is that as soon as you reveal a vulnerability, you accelerate the exploits, and therefore vulnerabilities should not be revealed. (In other words, the classic "security through obscurity argument.")
He seems to think it makes more work for him and other security people.
I pointed out to him that if we follow his logic, no vulnerability and no patch would ever be released. Here we have exploits following a patch. Does he now think Microsoft should not have released the advisory and patch because it "accelerated" the development of an exploit which will affect unpatched systems?
This is exactly his logic with Mike Lynn's actions. He claims revealing the buffer flaws, even though Cisco has patched the two actual flaws found, will cause an exploit to appear that will affect unpatched systems and cause him "more work."
I pointed out to him that he should thus blame Microsoft for patching the SQL Server flaws even though most admins didn't patch their servers in time for the worms that took advantage of them.
I also pointed out to him that if he thinks security is easy and he can't handle the "extra work" exploits cause, get out of the business.
His real motivation, of course, which I also pointed out to him, was simply sour grapes that he didn't get the press for revealing the flaws. The security business is very competitive, and every time a researcher announces something, everybody else denounces him as wrong, premature, or not following proper "protocol." All this just to keep THEIR names - and by extension, the same vulnerabilities they're complaining about - in the trade press. It's hypocritical.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
I know that this is probably redundant by now. But seriously, what is the point in releasing a FREE scanner that is limited to 16 IPs? I have over 400 workstations that I was going to scan with the nice FREE scanner offered by eEye. GAH
I am a computer/network consultant supporting small business in my small city. I put Linux in where I can, but most companies run Windows. I have found if I put in a Linux box, I never hear from them again. At least with Windows I know I hear from them in at least 6 months. If everyone switches to Linux I will be out of computer work and probably have to flip burgers. Thank you MS!
"Evergreen?" I mean, c'mon... How many times have we seen this headline?
" The exploits came out after the announcement and not before. It begs the question, do we need to give M$ credit for pushing the patch before the exploit became common knowledge? Compare this to Cisco who tried to squash recent publicizing of their vulnerability."
I think it reinforces the idea that people create exploits by reverse engineering patches. MS was right on this one.
Vote for Pedro
Use spam.la or dodgeit.com or mailinator.com etc. I've been very happy with spam.la. Unfortunately there are plenty of jerky admins out there that ban you from using these sites, but still 95% of the time they work fine.
I'll also mention the bugmenot firefox extension since many others do, but personally I find it kind of useless. Beyond mega sites like nytimes.com it doesn't seem to work well. Anyway, just figured it was worth mentioning.
If you wanna get rich, you know that payback is a bitch
A remotely exploitable vulnerability existed in several widely deployed operating systems for exactly 5 years, 4 months and 9 days before a patch was offered. Since we all know that everyone patches their systems the very day a patch is released, there is no need to worry about silly propagating exploits!
Furthermore, if you are a network admin who's deployed ISS protection agents (ISS initially discovered the bug), you would have been protected since March 2005, meaning the vulnerability would have been exposed in your network for only 5 years!
And people are worrying about so-called 'blackhats' exploiting so-called 'unknown' vulnerabilities? Hah, this really *is* funny!
I'm just curious; is your sig the Latin version of Godwin's Law?
With XPSP2 and Win2k3, the plug and play exploit requires that the attacker be able to initiate connections to TCP ports 139 and 445, and have an *ADMINISTRATIVE ACCOUNT* on the machine.
If the attacker has an administrative account on the machine, why the $#@! bother to exploit this vulnerability when they already have carte blanche access?
For WinXPSP1 and Win2k it's more serious. For WinXPSP1 the attacker only needs a regular user account, and for Win2k, the exploit can be done anonymously.
The second exploit code affects Internut Exploder. For desktop users stupid enough to use IE as their browser, this is an issue, but it's not much of an issue for windows servers, and non IE users.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
Dear ignoramus,
You have no clue what "begs the question" means. Please stop pretending to be intellectual; you are embarrassing the species. Thank you and kindly stay out of the gene pool.
Regards,
The Human Race
I take it slashdot is handing out mod-points to the baboons today?
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
This is OLD news. Steve Gibson warned us about "UnPlug N Pray" way back in 2001. http://grc.com/UnPnP/UnPnP.htm
I do know of the 5/10 year split for Microsoft products, but I also believe that there will still be a large number of organisations running Windows 2000, come 2010, and they won't be upgrading. It is like the current concern over Cisco's IOS. Yes, they have patched the vulnerability Mike Lynn used as his example (stealthily in the April update), but there will be a not-insignificant number of network devices that will never see this patch, or others that are needed to protect against the newly described attack vector.
I know of some large government bodies interested in various matters of security and privacy, who are still stuck with NT4 on their outward facing systems (and internal). Where is the ongoing support for them? Yes, they probably should have upgraded by now, and they probably have already started a rollout, but it hasn't finished, and they possibly remain vulnerable, given the root of Win 2000, XP, 2003, which were all affected by these latest vulnerabilities.
InfoSec that matters, when it counts.
I wonder why the PNP function was bound to a server socket anyway? Seems like a bad idea to me.
It's not in the wild, it's in the public domain now: http://seclists.org/lists/pen-test/2005/Aug/0183.html
Anyone who wants the binary for the scanner, check below:
http://www.eeye.com/html/Research/Tools/exe/RetinaUMPNP.exe
http://www.frsirt.com/exploits/20050811.MS05-039.c.php
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
I clearly remember plugging in a scanner or something to a win2k machine in about 1999 (yeah, pretty sure 2k was out) in a computer lab and the machine couldn't load the default profile or something; anyway it reverted to a less locked down desktop, which was a way to exploit this security problem 5 years ago. So, exploits circulated for this 5 years ago ;)
So now, when MS releases patches (a GOOOD thing), they are hated because of the assholes that take the patches and make exploits.
/. life, where the assholes that cause the problems are revered, and the company that is trying to fix its problems continues to be hated.
And so we see the cycle of
I suppose you'd prefer MS to NOT patch any problems? So you can keep hating them for doing nothing?
A friendly reminder - Obscurity is not security. Let the patches come!
George Bush + Linux = "I will not let information get in the way of the fight against Windows"
It doesn't 'beg the question'!!! [insert rant about grammar and expressions here]