Slashdot Mirror


Exploits Circulating for Latest Windows Holes

1sockchuck writes "Exploits are already circulating for at least two (and possibly four) of the Windows security holes addressed in Microsoft's updates on Tuesday. Several working exploits have been released for a new vulnerability in Windows Plug and Play technology, which could be used to spread a worm targeting Windows 2000 machines, according to eEye security, which has released a free scanner to help network admins identify vulnerable computers."

34 of 185 comments

  1. Microsoft Induced? by Deltaspectre · · Score: 5, Funny

    Perhaps this vulnerability was a 'Feature' to get people to migrate away from Windows 2000?

    --
    My UID is prime... is yours?
  2. Only two or four... by __aaclcg7560 · · Score: 4, Funny

    At least, Microsoft is maintaining great quality control.

  3. Is it really New? by ellem · · Score: 4, Funny

    I mean W2K has been around for about... uh, 5 years?

    So isn't this just an old exploit that was just found?

    See? Having 900,000,000,000 lines of code is a good thing.

    --
    This .sig is fake but accurate.
    1. Re:Is it really New? by 99BottlesOfBeerInMyF · · Score: 4, Interesting

      So isn't this just an old exploit that was just found?

      No. This is an old vulnerability that was just published, and had new exploits written and published for it. That is not to say other exploits have not existed for this vulnerability for the last five years.

    2. Re:Is it really New? by dagr8tim · · Score: 2, Funny
      I mean W2K has been around for about... uh, 5 years? So isn't this just an old exploit that was just found?

      This just goes to prove that hackers are getting lazy. I mean it took them 5 years to find this hidden feature. Or maybe MS programmers have more foresight than we give them credit for.

      --
      "Does your computer have IP on it?"
  4. Registration form privacy information at eEye by mikeophile · · Score: 4, Insightful

    Our website's registration forms require users to provide contact information (names and email addresses) and financial information (account or credit card numbers). Financial information that is collected is used to bill the user for products and services purchased and is only used internally by eEye. Contact information is used to confirm and ship orders, to contact the user when necessary, and to notify users when new products and services are available. Users may choose not to receive future mailings from eEye; see the Choice/Opt-Out section below. eEye Digital Security may occasionally share visitor contact information with official product resellers that adhere to a comparable privacy policy; visitor contact information is NEVER given to other third-party vendors that are not affiliated with eEye.

    Why do they insist on my personal information if they aren't going to use it?

    They have the ability to let me opt out of mailings, so why don't they provide an opt out for my information in the first place?

  5. It is interesting that... by donleyp · · Score: 5, Insightful

    The exploits came out after the announcement and not before. It begs the question, do we need to give M$ credit for pushing the patch before the exploit became common knowledge? Compare this to Cisco who tried to squash recent publicizing of their vulnerability.

    --
    You got any karma man? I really neeed it. Just a little hit! Come on!
    1. Re:It is interesting that... by uqbar · · Score: 2, Insightful

      Cisco had also patched their vulnerability before the publicity. The whole point of the BlackHat presentation was to encourage admins to use the patch, and to shame Cisco for underplaying how serious the issue is.

    2. Re:It is interesting that... by timster · · Score: 2, Insightful

      The problem is that now it means both things, and every time you encounter it you have to reason out which meaning is being used. So it's currently better to not use the expression at all, and substitute "raises the question" for one meaning and "circular logic" for the other.

      Evolution of language isn't a problem, but useless entropy like forgetting the meaning of an expression makes clear and effective writing more difficult. There are those of us who like to read clear and effective writing, so we wish that it were easier to do.

      --
      I have seen the future, and it is inconvenient.
    3. Re:It is interesting that... by Changa_MC · · Score: 2, Funny

      To beg a question is to ask a question to answer itself. (Please, please, question, give me your answer!)

      Like a little kid saying, "Do you like this, say yes?"
      Begging, so that you'll know what you're supposed to say.

      --
      Changa hates change.
    4. Re:It is interesting that... by Sheepdot · · Score: 2, Insightful

      I haven't the faintest clue why your comment is insightful.

      Let me give you some examples of exploits (i.e. worms) that came out after patches: Blaster, Sasser, Nimda (MS patched this 330 days before the worm actually hit). Code Red is the only one that immediately comes to mind as a worm that hit before the patch, and even in that case, MS didn't know ahead of time that IIS was exploitable. It was 0-day.

      In the case of the Plug & Play exploit, it became common knowledge *because* of the patch, which was reverse engineered to see what it fixed.

      In the case of the other item, Microsoft acknowledged earlier that spyware companies were already exploiting the java proxy dll 0-day and thus created the patch.

      In the first case the patch made the exploit common knowledge, in the second, the common knowledge came before the patch. So the answer to your question is: no.

      Don't get me wrong, MS is getting better about patching, and they should be commended for their efforts in finding the java proxy IE exploit "in the wild" on their own without a security company having to release anything, but they don't need to be commended for releasing their regular monthly patches.

      Patching for security issues is not something that a vendor is rewarded for. They are expected to do it.

  6. I don't know exactly why... by Stanistani · · Score: 2, Funny

    But I'm reminded of a childhood verse...
    "The worms crawl in, the worms crawl out
    The worms play pinochle on your snout..."

    1. Re:I don't know exactly why... by Fishstick · · Score: 2

      Lovely little nursery rhyme, that
      Did you ever think, as a hearse goes by,
      That you might be the next to die?
      They wrap you up in a big white sheet,
      And bury you down about six feet deep

      They put you in a big black box,
      And cover you up with dirt and rocks,
      And all goes well, for about a week,
      And then the coffin begins to leak!

      The worms crawl in, the worms crawl out,
      The worms play pinochle on your snout.
      They eat your eyes, they eat your nose,
      They eat the jelly between your toes.

      A great big worm with rolling eyes,
      Crawls in your stomach and out your eyes,
      Your stomach turns a slimy green,
      And pus pours out like whipping cream.

      You spread it on a slice of bread,
      And that's what worms eat when you're dead.

      Alternate / Additional Lines:

      They wrap you up in a long white shirt
      And cover you up with rocks and dirt

      They put you in a long pine box
      And cover you over with dirt and rocks

      The worms that crawl in are lean and thin
      The worms that crawl out are fat and stout

      Your eyes fall in and your hair falls out
      Your brains come pouring out your snout

      They use your bones as telephones
      and call you up but you're no longer at home

      Your eyes pop out, your teeth decay
      and that's the end of a peaceful day

      You turn the color of sickening green
      And pus comes out like butter and cream
      You wipe it up with a piece of bread
      And that's what you eat when you are dead

      They eat your eyes, they eat your nose
      They eat the jelly between your toes

      Your stomach turns a mossy green
      And pus comes out like fresh whipped cream
      You wipe it up with a piece of bread
      And that's what you eat when you are dead

      --

      There is much cruelty in the universe, John.
      Yeah, we seem to have the tour map.

  7. Free, but not without pain by bitslinger_42 · · Score: 3, Insightful

    Is anyone but me getting sick of these companies releasing "free" tools that require you to register for their incessant spam, phone calls, and other marketing harassment in order to download? Yes, I understand that they spent money to develop the tool, but what if I want to scan my home network? MySQL isn't too bad, at least. They have the marketing signup, should you be interested, but provide a link to download without all the crap.

    [Wanders off muttering about the good old days of gopher and archie]
  8. Why is this surprising? by SkiifGeek · · Score: 3, Interesting

    The recent article on the front page here (2 down at the moment), talks about vulnerabilities linked to MS05-038 being in the wild in mid July (actually quite a bit earlier, but we will give them the benefit of the doubt). There have been a number of minor exploits in existence for at least a month and a half with respect to some image handling capabilities through IE (also MS05-038).

    Security-Protocols claimed to have discovered the vulnerability linked to MS05-041, and there were some minor claims that other people had been able to make it into exploits which weren't widespread.

    I initially thought that the Plug and Play vulnerability was linked to a report on an overflow with respect to handling USB devices (which has also been reported), but it seems to be much worse.

    I am fully aware of the reasons why companies EOL their software, but Microsoft's cessation of mainstream support for Win 2000 might be coming back to bite them, given that Win 2000 is just as vulnerable to these exploits as Win XP and 2003, if not more so.

  9. Unless I'm mis-reading this... by goldspider · · Score: 4, Insightful

    ...Microsoft patched the holes BEFORE the exploits started circulating?

    If that's the case, what's the problem?

    --
    "Ask not what your country can do for you." --John F. Kennedy
    1. Re:Unless I'm mis-reading this... by Espectr0 · · Score: 4, Insightful

      Simple. It is known that exploits are made after MS releases the patch, by reverse engineering it. Since 90% of people are stupid and don't patch their systems (I made this up), these people get hit.

      My rant is not against MS. It's against people (supposedly people with knowledge) who don't take the time to update their systems. SP2 actually improved this by trying to push the updates down the user's throat.

  10. Re:Not to worry... by guildsolutions · · Score: 3, Interesting

    Microsoft, with all its massive billions of dollars, charging in excess of $300 for a full, licensed version of Windows XP Professional... cannot afford to write clean, bug-free code?

    As a programmer myself, I am often faced with the idea of completely re-writing my code, not just leaving the function sit while being unused.

    Compare to Apple's OS X (granted, the numbers argument: there is not a mass majority to spread a major virus even if it was to be discovered). Why can't Microsoft decide to take shape, and start producing a REAL operating system that is built upon firm, solid foundations of (relatively) bug-free code? They have admitted in the past that they have pushed features ahead of security, and yet our major corporations still tout that Microsoft is secure enough for their sensitive financial information.

    Give me a break, will ya? I really just wish that Microsoft would have a much more open beta, much stricter adherence to quality code, and fewer mouthpieces saying how great their stuff is.

  11. Scanner? by Fear+the+Clam · · Score: 5, Funny

    "...eEye security, which has released a free scanner to help network admins identify vulnerable computers."

    What, the Windows startup screen wasn't sufficient to identify vulnerable computers?

  12. In other news... by Anonymous Coward · · Score: 2, Insightful

    Hundreds of vulnerabilities discovered in Linux since the release of a distro:

    http://www.mandriva.com/security/advisories?dis=10.1

    But of course, that's not newsworthy because it doesn't involve hating Microsoft. This ain't a troll; it's an attempt to show that BOTH systems have pretty lame security track records, yet all we hear about is Windows.

    Look at that list above. Given 300 million clueless users running that Mandrake instead of Windows, don't you think there'd be exploits for that plethora of holes too?

    1. Re:In other news... by BabyDave · · Score: 2, Insightful
      Hundreds of vulnerabilities discovered in Linux since the release of a distro: http://www.mandriva.com/security/advisories?dis=10.1
      Of course, Windows doesn't come with the hundreds (thousands?) of applications that Mandriva does, and so it's a bit unfair to compare the Mandriva security advisory list (which includes fixes for MySQL, Apache, Perl, Mozilla, Vi, etc etc) to the Windows list.
  13. Re:Well give and take credit from Microsoft by toddbu · · Score: 2, Insightful
    It's exactly this kind of argument that people need to make to their bosses when talking about using open source software. Your company should decide when the life of a piece of software is over, and they can make this decision on factors like "Do I want to patch this or install a new version?" And because some vulnerable software like IIS is built right in, you can't just upgrade that one piece if the vendor decides they'll no longer fix it for your platform.

    Microsoft's biggest problem really is all this integration that they do when it doesn't need to be done. Yes, it's nice that I can click on a link in an email and open a document in my browser. That's a good use of integration. But when much of the system depends on a couple of dlls that can't be upgraded without changing the whole system then that's not good at all. I think that there's a huge appeal to the F/OSS model and decoupling of software when it comes to this kind of thing.

    --
    If you don't want crime to pay, let the government run it.
  14. link by Anonymous Coward · · Score: 2, Informative

    right here

    -WH

  15. Re:Just Upgrade by Skruffy42 · · Score: 3, Insightful

    I still have people using 75 MHz machines with Windows 95, and most of my users are running 2000. We don't need to, or have the budget to, upgrade everyone to a new box with XP on it just so they can use Word/Excel and email each other porn.

  16. nessus plugins available by sgt+scrub · · Score: 3, Informative

    If you need to test the machines on your network Nessus http://nessus.org/ has released plugins.

    --
    Having to work for a living is the root of all evil.
  17. Re:Not to worry... by whoever57 · · Score: 3, Interesting

    I think that you have to assume there will be bugs in the code. I am sure Apple has bugs. The real question, is: why are there so many listening ports on a Windows NT/2K/XP machine? Even one that has no files shared for users. What does it need them for? MS recommends running a firewall, which rather defeats the purpose of any listening ports, including such things as the administrative shares. In this case, we have some code that is supposed to detect new hardware apparently listening on the Ethernet port. Why? New hardware is going to fly down the network? Wow! MS should patent that now since it would put UPS and Fedex out of business. So, I don't think it is so much a bug as "what in $DEITY's name were they thinking when they designed this feature?"

    --
    The real "Libtards" are the Libertarians!
  18. Exploiting the Exploit by Anonymous Coward · · Score: 2, Interesting

    The company distributing this requires you provide personal information just to pick up a small scanner which is entirely unnecessary. The purpose it seems behind distributing these little tools is to collect this information for sale and for use in sales.

    I would recommend that users stop using slashdot.org as a way to distribute pointless software in an attempt to collect free user data.

  19. steps ahead by fihzy · · Score: 4, Funny


    Once again: (original at http://slashdot.org/comments.pl?sid=71367&cid=6457101)

    10) find big remote vulnerability in product
    20) perfect the exploit
    30) have fun with it for months
    40) find another big hole in same product
    50) perfect exploit for hole
    60) alert vendor about original hole
    70) have fun with new hole
    80) goto 40

  20. Re:Just Upgrade by Tourney3p0 · · Score: 2, Insightful

    How exactly is Windows 2000 "out of date" by any standard except the date it was released? Windows XP is horrid compared to Windows 2000. Very few people I know have "upgraded" to Windows XP from Windows 2000. It's easier and cheaper to open the case and remove a stick of ram. Install a Yoshi's Island skin, and you have instant 2000->XP upgrade. Mentalities such as yours are why you need a 3 Ghz P4 and 512 MB of RAM just to open Microsoft Word in less than 30 seconds.

  21. Re:And Linux doesn't?!?!? by chez69 · · Score: 2, Informative

    The enterprise versions are supported for 3 years. Fedora is just a testbed; most of the folks that use it (including me) realize this.

    If you want long term support, buy something that has it.

    --
    PHP is the solution of choice for relaying mysql errors to web users.
  22. Here's some news for you, chum. by Anti-Trend · · Score: 3, Informative

    First of all, Linux distros support every package on the system, not just the core files like MS update. That means perl, MySQL, apache, even the modules for apache. Everything. With that in mind, compare the Secunia security reports for Mandrake 10.0 and Windows XP Pro 10.0, which hit the market at about the same time. Have a look at the amount of unpatched vulnerabilities in both and see if you can still come to the same conclusions. Sheesh!

    --
    Working in a DevOps shop is like playing in a band made up entirely of keytarists.
  23. Let's Hear Ira Winkler Now by Master+of+Transhuman · · Score: 2, Interesting


    He's been writing that Mike Lynn did the industry a disservice by revealing the buffer overflow class of Cisco vulnerabilities.

    His logic is that as soon as you reveal a vulnerability, you accelerate the exploits, and therefore vulnerabilities should not be revealed. (In other words, the classic "security through obscurity argument.")

    He seems to think it makes more work for him and other security people.

    I pointed out to him that if we follow his logic, no vulnerability and no patch would ever be released. Here we have exploits following a patch. Does he now think Microsoft should not have released the advisory and patch because it "accelerated" the development of an exploit which will affect unpatched systems?

    This is exactly his logic with Mike Lynn's actions. He claims revealing the buffer flaws, even though Cisco has patched the two actual flaws found, will cause an exploit to appear that will affect unpatched systems and cause him "more work."

    I pointed out to him that he should thus blame Microsoft for patching the SQL Server flaws even though most admins didn't patch their servers in time for the worms that took advantage of them.

    I also pointed out to him that if he thinks security is easy and he can't handle the "extra work" exploits cause, get out of the business.

    His real motivation, of course, which I also pointed out to him, was simply sour grapes that he didn't get the press for revealing the flaws. The security business is very competitive, and every time a researcher announces something, everybody else denounces him as wrong, premature, or not following proper "protocol." All this just to keep THEIR names - and by extension, the same vulnerabilities they're complaining about - in the trade press. It's hypocritical.

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  24. Re:Exploits circulate after bug report by bhudson · · Score: 2, Interesting

    If you are a black hat, and have a working exploit, you generally don't want to blast it all over the net, but use it judiciously to get as much as possible out of it before it is discovered. Once it becomes commonly known, and a patch exists, you know you don't have much time left, so you take advantage of it as much as possible.

    I'm not saying that is the case with this particular exploit, but Microsoft wants everyone to believe that we wouldn't have to worry about exploits if those white hats would just stop finding problems with MS software.