Exploits Circulating for Latest Windows Holes
1sockchuck writes "Exploits are already circulating for at least two (and possibly four) of the Windows security holes addressed in Microsoft's updates on Tuesday. Several working exploits have been released for a new vulnerability in Windows Plug and Play technology, which could be used to spread a worm targeting Windows 2000 machines, according to eEye security, which has released a free scanner to help network admins identify vulnerable computers."
Perhaps this vulnerability was a 'Feature' to get people to migrate away from Windows 2000?
My UID is prime... is yours?
At least, Microsoft is maintaining great quality control.
I mean W2K has been around for about... uh, 5 years?
So isn't this just an old exploit that was just found?
See? Having 900,000,000,000 lines of code is a good thing.
This
Our website's registration forms require users to provide contact information (names and email addresses) and financial information (account or credit card numbers). Financial information that is collected is used to bill the user for products and services purchased and is only used internally by eEye. Contact information is used to confirm and ship orders, to contact the user when necessary, and to notify users when new products and services are available. Users may choose not to receive future mailings from eEye; see the Choice/Opt-Out section below. eEye Digital Security may occasionally share visitor contact information with official product resellers that adhere to a comparable privacy policy; visitor contact information is NEVER given to other third-party vendors that are not affiliated with eEye.
Why do they insist on my personal information if they aren't going to use it?
They have the ability to let me opt out of mailing, why don't they provide an opt out for my information in the first place?
The exploits came out after the announcement and not before. It begs the question, do we need to give M$ credit for pushing the patch before the exploit became common knowledge? Compare this to Cisco who tried to squash recent publicizing of their vulnerability.
You got any karma, man? I really need it. Just a little hit! Come on!
But I'm reminded of a childhood verse...
"The worms crawl in, the worms crawl out
The worms play pinochle on your snout..."
You can't talk about Wikipedia's flaws on Wikipedia
Is anyone but me getting sick of these companies releasing "free" tools that require you to register for their incessant spam, phone calls, and other marketing harassment in order to download? Yes, I understand that they spent money to develop the tool, but what if I want to scan my home network? MySQL isn't too bad, at least. They have the marketing signup, should you be interested, but provide a link to download without all the crap.
[Wanders off muttering about the good old days of gopher and archie]
Exploits like these will all be fixed in Longhorn, umm, Vista. Seriously, the general population doesn't patch the security fixes that are out there, let alone the new ones that come out every other Tuesday. So exploits based on new patches are irrelevant if a computer can be compromised with mydoom.
The recent article on the front page here (2 down at the moment), talks about vulnerabilities linked to MS05-038 being in the wild in mid July (actually quite a bit earlier, but we will give them the benefit of the doubt). There have been a number of minor exploits in existence for at least a month and a half with respect to some image handling capabilities through IE (also MS05-038).
Security-Protocols claimed to have discovered the vulnerability linked to MS05-041, and there were some minor claims that other people had been able to make it into exploits which weren't widespread.
I initially thought that the Plug and Play vulnerability was linked to a report on an overflow with respect to handling USB devices (which has also been reported), but it seems to be much worse.
I am fully aware of the reasons why companies EOL their software, but Microsoft's cessation of mainstream support for Win 2000 might be coming back to bite them, given that Win 2000 is just as vulnerable to these exploits as Win XP and 2003, if not more so.
InfoSec that matters, when it counts.
I think once in the past three years I've seen one month without an update that was critical. Also, the way I've seen it, is that you have three to six months before the vulnerabilities are widely attacked. There are always people that are quicker on the ball, but three to six months is a good range before every other website is taking advantage of these vulnerabilities from what I've seen.
...Microsoft patched the holes BEFORE the exploits started circulating?
If that's the case, what's the problem?
"Ask not what your country can do for you." --John F. Kennedy
"...eEye security, which has released a free scanner to help network admins identify vulnerable computers."
What, the Windows startup screen wasn't sufficient to identify vulnerable computers?
Hundreds of vulnerabilities discovered in Linux since the release of a distro:
0 .1
http://www.mandriva.com/security/advisories?dis=1
But of course, that's not newsworthy because it doesn't involve hating Microsoft. This ain't a troll; it's an attempt to show that BOTH systems have pretty lame security track records, yet all we hear about is Windows.
Look at that list above. Given 300 million clueless users running that Mandrake instead of Windows, don't you think there'd be exploits for that plethora of holes too?
Microsoft's biggest problem really is all this integration that they do when it doesn't need to be done. Yes, it's nice that I can click on a link in an email and open a document in my browser. That's a good use of integration. But when much of the system depends on a couple of dlls that can't be upgraded without changing the whole system then that's not good at all. I think that there's a huge appeal to the F/OSS model and decoupling of software when it comes to this kind of thing.
If you don't want crime to pay, let the government run it.
right here
-WH
I believe MS is discontinuing patch support for Win2k on March 31, 2010. MS is in business to make a profit, not to cater to more altruistic motives. Windows NT 4.0 patch support lasted for *eight* years.
So - what other software company is still patching an eight-year-old OS? Sun? IBM? SCO? Novell? Apple?
we see things not as as they are, but as we are.
-- anais nin
Maybe not for one machine, but how about for 500, 1,000, or 10,000?
Never underestimate the power of human stupidity -Lazarus Long
I still have people using 75 MHz machines with Windows 95, and most of my users are running 2000. We don't need to or have the budget to upgrade everyone to a new box with XP on it just so they can use Word/Excel, and email each other porn.
The exploits appeared not to exist before they were reported and announced. Now they do. This is not such a problem, since there is a patch available.
However, it does make me suspicious of the dogma of some white hat hackers, that black hats may already know about vulnerabilities so there's no reason not to give full exposure.
If you need to test the machines on your network Nessus http://nessus.org/ has released plugins.
Having to work for a living is the root of all evil.
Yes well, what about Linux then? It is definitely an upgrade that is affordable if you have the time. And if you get the right Linux it will run on just about any machine and has more security for sure.
not entirely sure why this is a troll.
I can take a gun and shoot someone now just because someone made a gun available to me, but that doesn't make it right. I can release an exploit to software to disrupt many people's lives because someone told me how to do it, but that doesn't make it right.
Just because it's on t'interweb doesn't change the rules of morality and ethics, right and wrong.
The company distributing this requires you provide personal information just to pick up a small scanner which is entirely unnecessary. The purpose it seems behind distributing these little tools is to collect this information for sale and for use in sales.
I would recommend that users stop using slashdot.org as a way to distribute pointless software in an attempt to collect free user data.
In a similar vein, note that you have to fill in your email twice. A classic example of why "double opt-in" is utterly meaningless.
My next sig will be ready soon, but subscribers can beat the rush
Once again: (original at http://slashdot.org/comments.pl?sid=71367&cid=645
10) find big remote vulnerability in product
20) perfect the exploit
30) have fun with it for months
40) find another big hole in same product
50) perfect exploit for hole
60) alert vendor about original hole
70) have fun with new hole
80) goto 40
How exactly is Windows 2000 "out of date" by any standard except the date it was released? Windows XP is horrid compared to Windows 2000. Very few people I know have "upgraded" to Windows XP from Windows 2000. It's easier and cheaper to open the case and remove a stick of ram. Install a Yoshi's Island skin, and you have instant 2000->XP upgrade. Mentalities such as yours are why you need a 3 Ghz P4 and 512 MB of RAM just to open Microsoft Word in less than 30 seconds.
the enterprise versions are supported for 3 years. fedora is just a testbed, most of the folks that use it (including me) realize this.
if you want long term support, buy something that has it.
PHP is the solution of choice for relaying mysql errors to web users.
They do have every right, legally speaking. It's not a feature of Slashdot or internet culture, it's a feature of the American style of government. Ethically speaking, most security researchers disclose responsibly anyway - they give the company a month or so to fix the problem before telling the world. I, and probably most slashdotters, would agree that telling world+wife before the company producing the software has had a fair bash at the problem is a little off, if only because a lot of us know what it's like to be in the company's position.
In fact, it's essential to have a healthy population of security researchers finding flaws and (eventually) making them public, because it stops companies sitting on their arses for months or otherwise playing silly buggers
For the love of God, please learn to spell "ridiculous"!!!
First of all, Linux distros support every package on the system, not just the core files like MS update. That means perl, MySQL, apache, even the modules for apache. Everything. With that in mind, compare the Secunia security reports for Mandrake 10.0 and Windows XP Pro 10.0, which hit the market at about the same time. Have a look at the amount of unpatched vulnerabilities in both and see if you can still come to the same conclusions. Sheesh!
Working in a DevOps shop is like playing in a band made up entirely of keytarists.
Windows 2000 doesn't have as much security as XP for one. And the only time I do use Windows is to play games, because Linux as of yet does not have many major game creators. And I don't like Intel either ;). I use a dual-core AMD and 2 gigs of Corsair XMS Speed Series RAM. Which goes to a whole subject altogether... If you want to be more productive when you are working, it tends to help to have a fast computer to process all the information or render a 3D object. It is a major time saver.
This actually has been patched in Win2k. Microsoft will continue with security patches for Windows 2000 through 2010. Their current policy for business-related software is 5 years "mainstream" support plus 5 more of security fixes. For "home" stuff, it's 5 years and you're done. This has some interesting consequences, such as Windows XP Professional being semi-supported through 2011 but Windows XP Home expiring at the end of 2006.
Source: http://support.microsoft.com/lifecycle/
He's been writing that Mike Lynn did the industry a disservice by revealing the buffer overflow class of Cisco vulnerabilities.
His logic is that as soon as you reveal a vulnerability, you accelerate the exploits, and therefore vulnerabilities should not be revealed. (In other words, the classic "security through obscurity argument.")
He seems to think it makes more work for him and other security people.
I pointed out to him that if we follow his logic, no vulnerability and no patch would ever be released. Here we have exploits following a patch. Does he now think Microsoft should not have released the advisory and patch because it "accelerated" the development of an exploit which will affect unpatched systems?
This is exactly his logic with Mike Lynn's actions. He claims revealing the buffer flaws, even though Cisco has patched the two actual flaws found, will cause an exploit to appear that will affect unpatched systems and cause him "more work."
I pointed out to him that he should thus blame Microsoft for patching the SQL Server flaws even though most admins didn't patch their servers in time for the worms that took advantage of them.
I also pointed out to him that if he thinks security is easy and he can't handle the "extra work" exploits cause, get out of the business.
His real motivation, of course, which I also pointed out to him, was simply sour grapes that he didn't get the press for revealing the flaws. The security business is very competitive, and every time a researcher announces something, everybody else denounces him as wrong, premature, or not following proper "protocol." All this just to keep THEIR names - and by extension, the same vulnerabilities they're complaining about - in the trade press. It's hypocritical.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
I know that this is probably redundant by now. But seriously what is the point in releasing a FREE scanner that is limited to 16 ip's. I have over 400 workstations that I was going to scan with the nice FREE scanner offered by Eye. GAH
"Evergreen?" I mean, c'mon... How many times have we seen this headline?
So - what other software company is still patching an eight-year-old OS? Sun? IBM? SCO? Novell? Apple?
Your question is not quite fair. The relevant question is what OS's are eight years old, and have no published security vulnerabilities for which you cannot easily acquire a fix?
Looking at this from the point of view of a customer, I want to buy an OS and in eight years I want it to still be usable and secure and I preferably want it to be that way at no extra cost. I'm planning on running this platform long-term, and I recognize that my applications may end up tied to that platform. What would you choose?
From a consumer looking to have an OS supported and secure for 8 years I can tell you MS certainly does not look like a good choice to me. They are the only OS vendor you listed I know of that still has open, unfixed and unfixable vulnerabilities in an OS under ten years old. You seem to have mistaken "support" for "fixes vulnerabilities." Both are valuable but MS only does one for any length of time.
"The exploits came out after the announcement and not before. It begs the question, do we need to give M$ credit for pushing the patch before the exploit became common knowledge? Compare this to Cisco who tried to squash recent publicizing of their vulnerability."
I think it reinforces the idea that people create exploits by reverse engineering patches. MS was right on this one.
Vote for Pedro
Use spam.la or dodgeit.com or mailinator.com etc. I've been very happy with spam.la. Unfortunately there are plenty of jerky admins out there that ban you from using these sites, but still 95% of the time they work fine.
I'll also mention the bugmenot Firefox extension since many others do, but personally I find it kind of useless. Beyond mega sites like nytimes.com it doesn't seem to work well. Anyway, just figured it was worth mentioning.
If you wanna get rich, you know that payback is a bitch
A remotely exploitable vulnerability existed in several widely deployed operating systems for exactly 5 years, 4 months and 9 days before a patch was offered. Since we all know that everyone patches their systems the very day a patch is released, there is no need to worry about silly propagating exploits!
Furthermore, if you are a network admin who's deployed ISS protection agents (ISS initially discovered the bug), you would have been protected since March 2005, meaning the vulnerability would have been exposed in your network for only 5 years!
And people are worrying about so-called 'blackhats' exploiting so-called 'unknown' vulnerabilities? Hah, this really *is* funny!
I'm just curious; is your sig the Latin version of Godwin's Law?
Care to elaborate on this one? Because I'm going to call bullshit. Windows XP and 2000 are prone to pretty much the exact same vulnerabilities and exploits. XP has some 2000 doesn't, and vice versa. Overall if you put a vanilla machine on the internet and walk away for a couple of days, they're both guaranteed to be spam zombies. Likewise, do updates on both and they'll both be pretty solid.
On that subject, try doing some filesharing. Windows XP is so secure, it doesn't even need the security tab on folders anymore! To be fair, in XP Pro you can enable it to use the "Advanced" Windows 2000 security model, but if you're using XP Home then you're out of luck. Want to let your roommate write to a share? No problem, just enable write access. Don't be surprised when your neighbor leaves you a nice little note thanking you for the extra storage space, though.
You're in what is known as a minority. Most people don't play games, and have absolutely no need for 2 gigs of ram and dual-core. However, because of people who say, "Upgrade to Windows XP! It's somehow better, just look at the date!", my mom will soon need to toss in a Radeon video card to properly render Clippy.
You're right on, man. I specialize in Macs, but my Windows client base has been growing by leaps and bounds this year. Number one problem? Spyware. In fact, I'm launching my biz to go FT next month (really). I haven't been this busy EVER, and it's the middle of August! Thanks, Microsoft!
With XPSP2 and Win2k3, the Plug and Play exploit requires that the attacker be able to initiate connections to TCP ports 139 and 445, and have an *ADMINISTRATIVE ACCOUNT* on the machine.
If the attacker has an administrative account on the machine, why the $#@! bother to exploit this vulnerability when they already have carte blanche access?
For WinXPSP1 and Win2k it's more serious. For WinXPSP1 the attacker only needs a regular user account, and for Win2k, the exploit can be done anonymously.
The second exploit code affects Internut Exploder. For desktop users stupid enough to use IE as their browser, this is an issue, but it's not much of an issue for windows servers, and non IE users.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
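The comment above lays out who can reach the flaw on each build (anonymous on Windows 2000, a regular user on XP SP1, an administrator on XP SP2 and 2003, always via TCP 139/445). The following is an added example, written for this page and not posted by any commenter or published by eEye or Microsoft: a small patch-triage pass that orders an inventory of unpatched machines by that exposure matrix combined with whether 139/445 are reachable from an untrusted segment. The privilege matrix is an assumption taken from the comment, the `Host` fields and the inventory are constructed, and an inventory row with a blank build is handled as worst case rather than skipped.

```python
from dataclasses import dataclass

# Attacker privilege the flaw needs on each build, as stated in the comment above
# (assumption: taken from that comment, not from a vendor advisory).
REQUIRED_PRIVILEGE = {
    "win2000": "anonymous",
    "winxp_sp1": "user",
    "winxp_sp2": "admin",
    "win2003": "admin",
}
# Lower number = less the attacker already needs = more urgent to patch.
URGENCY = {"anonymous": 0, "user": 1, "admin": 2}


@dataclass
class Host:
    name: str
    os_build: str      # key of REQUIRED_PRIVILEGE; blank when inventory is incomplete
    smb_exposed: bool  # TCP 139/445 reachable from an untrusted network segment
    patched: bool      # MS05-039 already applied


def required_privilege(os_build):
    """Privilege the attacker needs on this build; an unknown or blank build is treated as worst case."""
    return REQUIRED_PRIVILEGE.get(os_build, "anonymous")


def triage(hosts):
    """Return (name, reason) pairs for unpatched hosts, most urgent first.

    Hosts with 139/445 exposed come before hosts where those ports are filtered;
    within each group the build needing the least attacker privilege comes first,
    and ties are broken by host name so the order is stable.
    """
    todo = []
    for h in hosts:
        if h.patched:
            continue
        priv = required_privilege(h.os_build)
        build = h.os_build or "unknown build (treated as worst case)"
        exposure = "139/445 exposed" if h.smb_exposed else "139/445 filtered"
        reason = f"{build}: needs {priv} access; {exposure}"
        key = (0 if h.smb_exposed else 1, URGENCY[priv], h.name)
        todo.append((key, h.name, reason))
    todo.sort()
    return [(name, reason) for _, name, reason in todo]


# Constructed sample inventory; these are not real hosts.
SAMPLE_HOSTS = [
    Host("dc01", "win2003", smb_exposed=False, patched=True),
    Host("ws-acct-07", "win2000", smb_exposed=True, patched=False),
    Host("ws-lab-03", "winxp_sp1", smb_exposed=True, patched=False),
    Host("kiosk-02", "winxp_sp2", smb_exposed=True, patched=False),
    Host("ws-old-09", "win2000", smb_exposed=False, patched=False),
    Host("ws-inv-gap", "", smb_exposed=True, patched=False),
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_HOSTS):
        print(f"{name:12} {reason}")
```

The ordering deliberately puts the filtered Windows 2000 box last: it still needs the patch, but a machine that can be hit anonymously from an untrusted segment is the one a worm would find first. Feeding it a real inventory means replacing `SAMPLE_HOSTS` with whatever your asset database or a scanner export gives you, and the blank-build row shows why incomplete inventory should raise, not lower, a host's priority.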
"Care to elaborate on this one? Because I'm going to call bullshit. Windows XP and 2000 are prone to pretty much the exact same vulnerabilities and exploits. XP has some 2000 doesn't, and vice versa."
You can call bullshit all you want, but you are wrong. Windows XP does have more security features than Windows 2000. If you had bothered to read Microsoft's bulletin on the PnP vulnerability discussed in this article you would know that. There are many other examples of exploits that affect Win2k, and either don't work or don't work as well on XP - especially XP with SP2 installed.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
I read it. I took particular interest in the fact that Windows XP was on the vulnerable list. So you still get owned, only slightly less owned. That makes me want to shell out the money.
There are many other example of exploits that affect Win2k, and either don't work or don't work as well on XP
There are many other examples of exploits that affect WinXP, and either don't work or don't work as well on 2000. I'll provide examples when you do.
- especially XP with SP2 installed.
If we have time to install the patch that fixes it on XP, we have time to install the patch that fixes it on 2k.
I hope you're kidding. Yoshi's Island has a much more attractive design than XP. Analogies to PlaySkool and Barney would seem much more appropriate.
Eurohacker European paranoia, gun rights, and h
"I read it. I took particular interest in the fact that Windows XP was on the vulnerable list. So you still get owned, only slightly less owned."
More like, "slightly *not* owned". You must not have read it very carefully.
In order to remotely exploit XPSP2 or 2k3 with this vulnerability the attacker must have administrative credentials on the machine. Correct me if I'm wrong, but if someone has an admin account on your Windows box, are you not already owned?
"There are many other examples of exploits that affect WinXP, and either don't work or don't work as well on 2000. I'll provide examples when you do."
Many of the examples I'm referring to are recent IE exploits I've seen which don't affect XPSP2. No, I won't look up examples for you, as you already seem to have made up your mind.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
I take it slashdot is handing out mod-points to the baboons today?
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
This is OLD news. Steve Gibson warned us about "UnPlug N Pray" way back in 2001. http://grc.com/UnPnP/UnPnP.htm
I do know of the 5/10 year split for Microsoft products, but I also believe that there will still be a large number of organisations running Windows 2000, come 2010, and they won't be upgrading. It is like the current concern over Cisco's IOS. Yes, they have patched the vulnerability Mike Lynn used as his example (stealthily in the April update), but there will be a not-insignificant number of network devices that will never see this patch, or others that are needed to protect against the newly described attack vector.
I know of some large government bodies interested in various matters of security and privacy, who are still stuck with NT4 on their outward facing systems (and internal). Where is the ongoing support for them? Yes, they probably should have upgraded by now, and they probably have already started a rollout, but it hasn't finished, and they possibly remain vulnerable, given the root of Win 2000, XP, 2003, which were all affected by these latest vulnerabilities.
InfoSec that matters, when it counts.
"You're saying that a patched Windows XP machine is more stable than an unpatched Windows 2000 machine."
No, I did not say that.
I said a fully patched Windows XP machine is less vulnerable to this exploit than a fully patched Win2k machine.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
It's not in the wild, it's in the public domain now: http://seclists.org/lists/pen-test/2005/Aug/0183.html
Anyone who wants the binary for the scanner, check below:
http://www.eeye.com/html/Research/Tools/exe/RetinaUMPNP.exe
http://www.frsirt.com/exploits/20050811.MS05-039.c.php
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
I clearly remember plugging in a scanner or something to a Win2k machine in about 1999 (yeah, pretty sure 2k was out) in a computer lab, and the machine couldn't load the default profile or something; anyway, it reverted to a less locked-down desktop, which was a way to exploit this security problem 5 years ago. So, exploits circulated for this 5 years ago ;)
So now, when MS releases patches (a GOOOD thing), they are hated because of the assholes that take the patches and make exploits.
/. life, where the assholes that cause the problems are revered, and the company that is trying to fix its problems continues to be hated.
And so we see the cycle of
I suppose you'd prefer MS to NOT patch any problems? So you can keep hating them for doing nothing?
A friendly reminder - Obscurity is not security. Let the patches come!
George Bush + Linux = "I will not let information get in the way of the fight against Windows"