Slashdot Mirror


Microsoft Bracing for Worm Attack

10010010 writes "A network worm attack targeting a critical Microsoft Windows vulnerability appears inevitable. The flaw is easy to exploit, as evidenced by the quick release of an exploit module for HD Moore's Metasploit Framework. Within hours of the Patch Day release Tuesday, two pen testing companies (Immunity and Core) created and released 'reliable exploits' for the flaw, which was deemed wormable on all Windows versions, including Windows XP SP2 and Windows Server 2003 SP1."

256 comments

  1. So, an Exploit For a Patch? by Anonymous Coward · · Score: 5, Insightful
    This article mentions the 23 patches that Microsoft released. It then goes on to say:
    Just days after the Redmond, Wash., software maker issued the MS06-040 bulletin with patches for a "critical" Server Service flaw, Microsoft's security response unit is bracing for the worst after exploit code that offers a blueprint for attacks began circulating on the Internet.
    And mentions that
    Aitel's company was able to reverse-engineer Microsoft's patch and create a working exploit in less than 24 hours.
    So are they saying that Microsoft is preparing for fall out from a new exploit that utilizes hastily written code from the latest series of patches? Is that what the pen companies reverse engineered? Or is Microsoft waiting for all the people who didn't patch their systems to be hit with what the DHS warned about and Microsoft fixed?

    I'm confused and I'd like to know if my building's Windows administrator needs to be put on suicide watch. He was up all night last night. From what it sounds like, he spent all that time trying to increase the security of our machines when he was really just altering the application so that the virus that came out 24 hours later would be able to attack the machines ... there is one non-Windows machine in my lab. I think I'll use that one today.
    1. Re:So, an Exploit For a Patch? by Anonymous Coward · · Score: 5, Funny

      you can get the patch for the patch here

    2. Re:So, an Exploit For a Patch? by Anonymous Coward · · Score: 5, Informative

      It wasn't 23 patches: it was 12 patches that covered 23 vulnerabilities.

      Yes, it's worms exploiting the MS06-040 vulnerability that they're worried about.

      As long as you're properly firewalled from the rest of the world it can't get in but you should still get everything patched in case the worm gets inside your firewall e.g. as a trojan.

    3. Re:So, an Exploit For a Patch? by Anonymous Coward · · Score: 5, Informative

      They looked at the patch to find what is being patched, so now they know how to exploit the bug that is fixed by the patch. If your admin updated every Windows computer, you should be fine. The millions of unpatched systems on the internet however will most likely be wide open and added to botnets in a couple of days. Consequently even the users of well-administered Windows computers and other operating systems will feel the fallout of this vulnerability.

    4. Re:So, an Exploit For a Patch? by blowdart · · Score: 3, Informative

      So are they saying that Microsoft is preparing for fall out from a new exploit that utilizes hastily written code from the latest series of patches? Is that what the pen companies reverse engineered?

      Wrong conclusion I think. More likely the reverse engineering is comparing the patched and unpatched code and actually working out what the exploit is, then writing the code to use it. (this is why the behaviour of the Rails team holding back details of their exploit is rather weird; especially when the source is around)

    5. Re:So, an Exploit For a Patch? by Anonymous Coward · · Score: 5, Insightful

      The fix for MS06-040 is KB921883, which is part of the recent batch of critical updates from Microsoft.
      TFA is confusing because it makes it appear as though the latest MS updates *cause* this vulnerability, while in actual fact they *fix* it.

    6. Re:So, an Exploit For a Patch? by IAmTheDave · · Score: 5, Funny

      Look, whatever the article says, it probably makes sense to ban all liquid or gell substances from any building that has Windows PCs, make all people stand in rediculously long lines to have their pocket books and napsacks security-checked for 8.5" floppy disks carrying said exploit, and even perhaps start a secret list of people who are banned by name from actually accessing a PC at all. I recommend the first name be John Smith, that bastard.

      Further, we should probably ban anyone that has dirt on their shoes, because I hear worms like dirt.

      Saftey first people. It may be an inconvenience, but it's all about your saftey, and the saftey of democracy across the world. We will prevail over the security-exploiters.

      --
      Excuse my speling.
      Making The Bar Project
    7. Re:So, an Exploit For a Patch? by tomstdenis · · Score: 4, Interesting

      Sadly "properly firewalled" also means from your peers inside your network. When I was in College it was routine for viruses to spread almost instantly in the labs where we had our own system drives (e.g. not locked down). Similarly at any sufficiently large office there is bound to be at least one complete f'ing idiot who clicks on all email attachments and thinks "browsing the net commando style" is top shit.

      Tom

      --
      Someday, I'll have a real sig.
    8. Re:So, an Exploit For a Patch? by NSIM · · Score: 1

      The article is certainly ambiguous, but I think they mean these companies worked out what the original flaw was by looking at what the patch fixed. So if you are patched you are OK.

    9. Re:So, an Exploit For a Patch? by LordSnooty · · Score: 2, Funny

      Excuse me, I never browse the net without my pants on.

    10. Re:So, an Exploit For a Patch? by tomstdenis · · Score: 2, Informative

      "going commando" means no underwear not no pants.

      I was trying to morph it into "browsing the net without anything in between".

      Tom
      [ I still hate Jon Callas ]

      --
      Someday, I'll have a real sig.
    11. Re:So, an Exploit For a Patch? by TheGhostOfDerrida · · Score: 5, Funny

      I tried to read the article, but it got a little confusing... is this a worm for a patch? A patch for a worm? A patch for a patch? A worm for a patch for a patch? a patch for a worm for a patch for a patch? A worm that patches? A patch that worms? Patches for worms? Does my dog (patches) have worms? I lost interest. And I think the TV is on...

      --
      Paul: If you're reading this, pick your shoes up out of the hallway. I keep tripping over them. Slob.
    12. Re:So, an Exploit For a Patch? by bwcarty · · Score: 2, Informative

      But to the British, pants are undergarments (worn under trousers.)

    13. Re:So, an Exploit For a Patch? by OriginalArlen · · Score: 3, Insightful

      Immunity RE'd the patch to find the original vulnerability. The exploit attacks unpatched machines. Sorry if you were being sarcastic or weird or something (I find it hard to tell the difference.) Anyway, CANVAS (which costs mucho dineros) is not the problem. I'd be more inclined to worry about the (Free) Metasploit Framework exploit, by H D Moore - it only works on XP SP1, W2K3 SP0 and W2K, but there are probably still lots of machines out there in those categories. You may remember Mr Moore, he it was who wrote the DCOM exploit in - when was it, January 2004 I think? - the exploit code which was subsequently ripped and repackaged as the Blaster worm.

      --

      Everything I needed to know about life, I learnt from Blake's Seven
    14. Re:So, an Exploit For a Patch? by tomstdenis · · Score: 3, Funny

      Damn you Brit, we have ways of making you speak English properly!

      So what are pants in the UK? :-)

      Next you'll tell me that a fanny has a different meaning there too...

      --
      Someday, I'll have a real sig.
    15. Re:So, an Exploit For a Patch? by venir · · Score: 3, Funny

      Shooting soda out my nose wasn't exactly the way I planned to start my day, but thanks anyway.

    16. Re:So, an Exploit For a Patch? by Anonymous Coward · · Score: 5, Funny

      That's your own fault. You were supposed to stay away from liquids.

    17. Re:So, an Exploit For a Patch? by Foofoobar · · Score: 2, Interesting

      Damn straight Baby! I used to use Fedora but a co-worker turned me onto Kubuntu (a KDE version of Ubuntu). At first, getting used to a Debian based distro was tough but I quickly realized that I really didn't have to do my makes or check for dependencies and a ton of the other stuff that can just be a constant annoyance and reduces consumer uptake of Linux as a Desktop.

      I have it installed on my Mom's computer and she loves it! Instantly detected her new digital camera my brother got her, her scanner, her printer and I even installed all the extra codecs so she can play WMVs and other multimedia.

      Plus she practically squealed with joy when she realized that she wouldn't have to have any anti-virus software on her system and didn't really have to worry about spyware or anything else.

      I now run Ubuntu at home and at work. When all the windows systems are getting patched, updated crashing or just dying (my boss's computer needs a re-install this morning), I can just keep plugging away.

      --
      This is my sig. There are many like it but this one is mine.
    18. Re:So, an Exploit For a Patch? by Ichigo+Kurosaki · · Score: 1, Flamebait

      On days like this I am glad I dual boot into kubuntu.

    19. Re:So, an Exploit For a Patch? by Simon80 · · Score: 1

      You seem confused about the timeline surrounding many security patches. The way it goes is they (Microsoft or whoever the vendor is) find an exploit, release a fix, and then people look at the patch to figure out what exploit they were fixing. That's why exploits become a big deal after a patch is released.

    20. Re:So, an Exploit For a Patch? by tsa · · Score: 0, Offtopic

      Totally offtopic, I know, but I installed Ubuntu a week ago (coming from SlackWare), and after the first login it wouldn't start the window manager anymore. Thanks to my SW experience I was able to fix that, and now I am very happy to have changed distributions. Finally a package system that works, and an automounter that works out of the box, etc.! Kudos to the Ubuntu team. Now go fix that login bug guys! :-)

      --

      -- Cheers!

    21. Re:So, an Exploit For a Patch? by Mister+Whirly · · Score: 1

      So what the hell are knickers then?

      In the US "lifts" are called "elevators", "flats" are called "apartments", and "kidney pie" is called "ptomaine".

      --
      "But this one goes to 11!"
    22. Re:So, an Exploit For a Patch? by Anonymous Coward · · Score: 0

      Trousers?

    23. Re:So, an Exploit For a Patch? by tomstdenis · · Score: 1

      Hmm, I think it's a mixed bag. I have yet to see a brit refer to their jeans as trousers. I think the younger brits have been sufficiently MTV'izied.

      Tom

      --
      Someday, I'll have a real sig.
    24. Re:So, an Exploit For a Patch? by D-Cypell · · Score: 3, Funny

      So what are pants in the UK? :-)

      Trousers.

      Funny story, my wife is Canadian and some time ago while in Florida on holiday (read: vacation). She asked if we could stop at a shopping centre (read: mall) to look for some 'Cacky Pants'. To her, this phrase describes those lightweight, cotton, military styled 'trousers'.

      To me, it describes, "Soiled underwear". There was a short moment of total confusion while we unravelled that one.

      Living with someone from the opposite side of the Atlantic really puts meaning to the phrase, "Two nations divided by a common language" :).

    25. Re:So, an Exploit For a Patch? by tsa · · Score: 1

      A pair of trousers.

      --

      -- Cheers!

    26. Re:So, an Exploit For a Patch? by D-Cypell · · Score: 1

      Well at all of 25, I am probably out of touch now but the "Generic" term is trousers AFAIK. For example... "What trousers should I wear today? Perhaps my jeans?". :)

    27. Re:So, an Exploit For a Patch? by tomstdenis · · Score: 0, Troll

      Hmm, well either way. Going commando is clearly an American term since they're the only people with real militant attitudes. /me ducks.

      Tom

      --
      Someday, I'll have a real sig.
    28. Re:So, an Exploit For a Patch? by ThePromenader · · Score: 1

      Just don't ask him what 'dress pants' are. Let's just say you'd look odd wearing them at a cocktail : )

      --

      No, no sig. Really.

      ThePromenader
    29. Re:So, an Exploit For a Patch? by steveatmarz · · Score: 3, Funny

      My wife grew up in the UK. She and 5 other girls came over in 90 as foreign exchange students and they were concerned about coming to the DC area with the crime etc. They got to talking to an American soccer mom type and she said, "Oh, don't worry, you just need to get yourself a fanny pack!" The British girls' jaws all dropped. Fanny in the UK means vagina, so they were all envisioning a small (or large as the case may be) pack that you hide your valuables in and then insert into the holiest of holes for safe keeping. She saw their confusion and shouted to her husband (a few rows back), "honey, they want to see my fanny pack, pass it up here so they can see it!" The first exposure to English vs American, the "common" language that separates us.

      --
      Steve Maher freeunixtraining.com
    30. Re:So, an Exploit For a Patch? by LiquidCoooled · · Score: 1

      Does this mean I get next week off work?

      I wouldn't want to overheat.

      --
      liqbase :: faster than paper
    31. Re:So, an Exploit For a Patch? by Ethan+Allison · · Score: 1

      Just checked Windows Update and it's on the list.

      Looks like this article is just anti-Microsoft FUD.

      Come on, we can do better than FUD back can't we?

    32. Re:So, an Exploit For a Patch? by Anonymous Coward · · Score: 0

      Days like this are no different for me since all of my machines single boot Linux or OpenBSD. At work I've even replaced Windows with Ubuntu except on one machine that I rdesktop to for testing programs I develop under Linux and cross-compile.

    33. Re:So, an Exploit For a Patch? by Anonymous Coward · · Score: 0

      'Khaki' refers to the color.

    34. Re:So, an Exploit For a Patch? by Asztal_ · · Score: 1

      Hmm... I'm British and my family, friends and I have always used pants to mean trousers. Maybe it's those from down south who say it? :o

    35. Re:So, an Exploit For a Patch? by operagost · · Score: 1

      I call "kidney pie" something else: "gross".

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    36. Re:So, an Exploit For a Patch? by operagost · · Score: 1

      Er... it's spelled "Khaki".

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    37. Re:So, an Exploit For a Patch? by Anonymous Coward · · Score: 1, Insightful

      Consequently even the users of well-administered Windows computers and other operating systems will feel the fallout of this vulnerability.

       
      Nope. well-administered machines don't have ports 139 and 445 open to public networks. This imminent danger requires many factors including people not patching machines, which means they would have had to configure auto-update to not update, they would also have to not have a firewall and specifically have those already bad ports open to the internet. If someone has an unpatched machine with those ports open to the internet, something has already happened to that PC, another worm is the least of their worries.

    38. Re:So, an Exploit For a Patch? by jrockway · · Score: 4, Funny

      And you can get the patch for Ubuntu here.

      --
      My other car is first.
    39. Re:So, an Exploit For a Patch? by stunt_penguin · · Score: 1

      Hehe, it's getting so that pretty much any clothing made of cloth, has two legs and goes all the way to your ankles comes under trousers, therefore jeans come under the definition in a loose kind of way :)

      --
      When the posters fear their moderators, there is tyranny; when the moderators fears the posters, there is liberty.
    40. Re:So, an Exploit For a Patch? by 0100010001010011 · · Score: 1

      I think your wife was looking for Khaki.
      http://en.wikipedia.org/wiki/Khaki

      Khaki, in British or European parlance, is a type of green tinged brown fabric, or the colour of such fabric. Traditionally pronounced IPA: ['kaki], it is today more often called ['kki] in Britain and ['kæki] in the USA. The name comes from the Persian word khak (dirt) which came to English through the Hindi/Urdu loan word meaning earth-coloured or dust coloured. The original khaki fabric is a closely twilled cloth of linen or cotton.

      I'm from the states and I've never thought "Soiled Underwear" when I heard Khaki.

    41. Re:So, an Exploit For a Patch? by Anonymous Coward · · Score: 0

      'Safety' is spelled 'Safety'. I can't believe you spelled it wrong 3 times on 1 line...

    42. Re:So, an Exploit For a Patch? by Anonymous Coward · · Score: 0

      8.5 inch floppy disks? Is that a new format? I remember 8 inch disks, and 5.25 inch disks, then 3.5 inch.

    43. Re:So, an Exploit For a Patch? by rahrens · · Score: 1

      The proper (American) spelling for those lightweight, cotton, military style (cacky) trousers is "khaki". It is also the proper spelling for that beige color...

      --
      "Money is truthful. If a man speaks of his honor, make him pay cash." Notebooks of Lazarus Long, Robert A. Heinlein
    44. Re:So, an Exploit For a Patch? by Sporkinum · · Score: 1

      So what are pants in the UK? :-)
      Noun/Adj. Nonsense, rubbish, bad. From the standard British English of pants, meaning underwear; also a variation on 'knickers'. E.g."The first half was pants but I stayed until the end and it was actually a great film." [1990s]
      Exclam. An exclamation of annoyance or frustration. From the noun, (above).

      --
      "He's lost in a 'floyd hole"
    45. Re:So, an Exploit For a Patch? by advocate_one · · Score: 3, Funny
      I now run Ubuntu at home and at work. When all the windows systems are getting patched, updated crashing or just dying (my boss's computer needs a re-install this morning), I can just keep plugging away.

      that's the real pisser though isn't it... everybody else can use the "my computer's playing up" excuse when they're late with some work... us Linux users can't

      --
      Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
    46. Re:So, an Exploit For a Patch? by PinkPanther · · Score: 1
      Now go fix that login bug guys
      You did post the bug, right? A reproducible bug, pseudo-coherently written?

      --
      It's a simple matter of complex programming.
    47. Re:So, an Exploit For a Patch? by PinkPanther · · Score: 1
      You mean they are the only ones who blazingly go into a situation without the proper preparations or protections?

      ;-)

      --
      It's a simple matter of complex programming.
    48. Re:So, an Exploit For a Patch? by Ana10g · · Score: 1

      You, sir, have obviously never had the unenviable experience of sharting in your beige trousers... do that, and then you'll think of soiled underwear every time you hear khaki.

      --
      just an analog boy living in a digital age.
    49. Re:So, an Exploit For a Patch? by Overly+Critical+Guy · · Score: 0, Troll

      And when you're done playing around, you can upgrade here.

      --
      "Sufferin' succotash."
    50. Re:So, an Exploit For a Patch? by Anonymous Coward · · Score: 0

      erm, pants are underwear. "going commando" means wearing trousers but no pants under them.

    51. Re:So, an Exploit For a Patch? by Anonymous Coward · · Score: 0
      So what are pants in the UK? :-)


      Why, they're the most fantastic place to pour hot grits down, mate! That's what pants are!
    52. Re:So, an Exploit For a Patch? by Heembo · · Score: 0, Redundant

      You can also find a 3rd party patch for this here: http://fedora.redhat.com/Download/

      --
      Horns are really just a broken halo.
    53. Re:So, an Exploit For a Patch? by IAmTheDave · · Score: 1

      My fault, I meant 8"... I have one hanging on my wall - they were so massive. I don't even remember drives for them... even the 286 (I had) and the Commodore 64's used 5.25".

      --
      Excuse my speling.
      Making The Bar Project
    54. Re:So, an Exploit For a Patch? by IAmTheDave · · Score: 1
      'Safety' is spelled 'Safety'. I can't believe you spelled it wrong 3 times on 1 line...

      Believe it baby. ;)

      --
      Excuse my speling.
      Making The Bar Project
    55. Re:So, an Exploit For a Patch? by HiThere · · Score: 1

      It makes a bit of sense, as they already had a patch available. It won't prevent an exploit, but it will slow it down by a day or two. This give people time to either update or at least check and see whether the version they are running is vulnerable.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    56. Re:So, an Exploit For a Patch? by DittoBox · · Score: 1

      I love slashdot. The only place on the planet where Apple trolls get modded as...well, Trolls!

      --
      Good. Cheap. Fast. Pick Two.
    57. Re:So, an Exploit For a Patch? by krray · · Score: 1

      The fix for MS06-040 is KB921883, which is part of the recent batch of critical updates from Microsoft.
      TFA is confusing because it makes it appear as though the latest MS updates *cause* this vulnerability, while in actual fact they *fix* it.


      Yes, BUT -- the latest MS updates will certainly cause ANOTHER vulnerability, though it is one we just have not found yet...

    58. Re:So, an Exploit For a Patch? by Overly+Critical+Guy · · Score: 1

      I just wanted to play along with the joke. :(

      --
      "Sufferin' succotash."
    59. Re:So, an Exploit For a Patch? by An+ominous+Cow+art · · Score: 1

      > to look for some 'Cacky Pants'. To her, this phrase describes those lightweight, cotton, military styled 'trousers'.

      She probably meant khaki pants.

    60. Re:So, an Exploit For a Patch? by uncle_riley · · Score: 1
      that's the real pisser though isn't it... everybody else can use the "my computer's playing up" excuse when they're late with some work... us Linux users can't
      Sure you can, just use Gentoo
    61. Re:So, an Exploit For a Patch? by Anonymous Coward · · Score: 0

      I believe it's spelled "khaki"

    62. Re:So, an Exploit For a Patch? by Reaperducer · · Score: 1

      It wasn't 23 patches: it was 12 patches that covered 23 vulnerabilities.

      Oh, good. I feel better now.

      --
      -- I'm old enough to have lived through six different meanings of the word "hacker."
    63. Re:So, an Exploit For a Patch? by barista · · Score: 1

      I remember some TRS-80s had 8" floppy drives, mounted vertically beside the monitor. They were old when the C-64's were new.

    64. Re:So, an Exploit For a Patch? by McGiraf · · Score: 1

      and when you tired of useless eye candy , you can finally install a Real OS

      ***ducks***

    65. Re:So, an Exploit For a Patch? by baptiste · · Score: 1

      I've got a dual 8" drive unit from Digital down in my workshop. Why? I have no idea. The thing is HUGE. Twice the size of most average desktop towers.

      Someday when I'm bored I'll have to fire it up and test out my old box of 8" floppies I've got in a box. Just for fun.

    66. Re:So, an Exploit For a Patch? by ultranova · · Score: 1

      and when you tired of useless eye candy , you can finally install a Real OS

      Can you, really? Is SCO actually still selling anything, and more importantly, is anyone buying? The chances of getting support in the future seem to be between null and zero due to SCO's inevitable bankruptcy...

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    67. Re:So, an Exploit For a Patch? by irtza · · Score: 1

      I like the, "your word file came out unreadable in openoffice.org and I've been piecing it together using a hexeditor for the last two weeks I have now narrowed down the assignment to either liquidating all assets or putting liquid into asses" excuse. It's so much more original and better than, "my computer has a worm".

      --
      When all else fails, try.
    68. Re:So, an Exploit For a Patch? by Anonymous Coward · · Score: 0

      It's spelled Khaki I believe.

    69. Re:So, an Exploit For a Patch? by Brickwall · · Score: 1
      Interesting that when I tried to install half the patches, a window popped up saying "In order to protect you from malicious software, Internet Explorer will not allow this download".

      How nice of M$ to protect me from their own software.

      --
      What was once true, is no longer so
    70. Re:So, an Exploit For a Patch? by miro+f · · Score: 1

      The age old question has been finally answered: When does a joke get old?

      The answer: after 2 replies.

      --
      being vague is almost as cool as doing that other thing...
    71. Re:So, an Exploit For a Patch? by tsa · · Score: 1

      Turns red.
      Runs away.
      Comes back half an hour later.

      Yes of course I have! What do you take me for?

      --

      -- Cheers!

    72. Re:So, an Exploit For a Patch? by jrockway · · Score: 1

      I'd rather my laptop not be hacked while I'm using my wireless network card, thanks. So I'll stick with OpenBSD for now.

      --
      My other car is first.
  2. Not really that serious by $RANDOMLUSER · · Score: 5, Insightful
    From TFA:
    In most enterprises, Pescatore said the use of firewalls and the automatic blocking of TCP ports 139 and 445 should help mitigate the risk. However, he cautioned against IT administrators letting their guards down.
    If you have 139 or 445 exposed to the Internet, you've already been infected with something.
    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    1. Re:Not really that serious by 140Mandak262Jamuna · · Score: 5, Insightful
      Well, in almost all companies and most homes the ports 137-139 and 445 are blocked at the firewall. But internally these ports are open otherwise file sharing/printer sharing inside the network is impossible. True, it won't be serious as long as the firewall holds. But all it takes is one home user bringing an infected laptop to work and plug it in and all hell breaks loose. I had an old NT4.0 machine just to support old releases of our product and for debugging. A salesman from Taiwan came in plugged his laptop in and I was hosed. Worse, the worm was probing rest of the corporate network so seriously that network traffic slowed to crawl in the company. All the top management knew was that I had an unpatched old computer in the network and compromised the company intranet and lost half their work day.

      How easy it is to bring an infected laptop and plug it in behind the firewall? Our salesmen travel all over the world, plug into untold number of hotel intranets and wi-fi cafes. They leave these two ports open when plugged into company intranet. Do they always remember to close these ports when they work in an untrustable network connection? Chances of infection are great. Chances of them bringing the infection behind the firewall into the corporate network is great. I would not hastily dismiss it nonchalantly.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
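
Added example, not part of the original thread: the comment above describes an infected laptop probing the rest of the internal network on the file-sharing ports. A defender can spot that fan-out in flow logs by counting, per source, the distinct hosts contacted on TCP 139/445 inside a short window. The log format, addresses, thresholds and function names below are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# File-sharing ports named in the thread.
SMB_PORTS = {139, 445}

# Constructed sample flow records (assumed format): "ISO-time src dst dport".
SAMPLE_FLOWS = """\
2006-08-11T09:00:00 10.1.4.50 10.1.4.10 445
2006-08-11T09:00:05 10.1.4.50 10.1.4.11 139
2006-08-11T09:00:20 10.1.4.50 10.1.4.10 445
2006-08-11T09:01:00 10.1.4.23 10.1.5.1 445
2006-08-11T09:01:01 10.1.4.23 10.1.5.2 445
2006-08-11T09:01:01 10.1.4.23 10.1.5.3 139
2006-08-11T09:01:02 10.1.4.23 10.1.5.4 445
2006-08-11T09:01:03 10.1.4.23 10.1.5.5 445
2006-08-11T09:01:04 10.1.4.23 10.1.5.6 445
2006-08-11T09:01:05 10.1.4.60 10.1.9.1 80
2006-08-11T09:01:06 10.1.4.60 10.1.9.2 80
2006-08-11T09:01:07 10.1.4.60 10.1.9.3 80
2006-08-11T09:01:08 10.1.4.60 10.1.9.4 80
2006-08-11T09:01:09 10.1.4.60 10.1.9.5 80
2006-08-11T09:05:00 10.1.4.70 10.1.4.10 445
2006-08-11T09:20:00 10.1.4.70 10.1.4.11 445
2006-08-11T09:40:00 10.1.4.70 10.1.4.12 445
2006-08-11T10:00:00 10.1.4.70 10.1.4.13 445
2006-08-11T10:30:00 10.1.4.70 10.1.4.14 445
bad line here
"""


def parse_flows(text):
    """Yield (timestamp, src, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        try:
            yield datetime.fromisoformat(ts), src, dst, int(dport)
        except ValueError:
            continue


def find_smb_fanout(flows, window_seconds=60, min_targets=5):
    """Return {src: peak distinct SMB targets in any window} for noisy sources.

    A workstation normally talks to a handful of file and print servers.
    A worm sweeping the LAN touches many different hosts in seconds, so
    the count of *distinct* destinations per window is the signal, not
    the raw number of connections.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> (timestamp, dst) pairs still in window
    peak = defaultdict(int)      # src -> highest distinct-target count seen

    for ts, src, dst, dport in sorted(flows):
        if dport not in SMB_PORTS:
            continue
        q = recent[src]
        q.append((ts, dst))
        # Drop contacts that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))

    return {src: n for src, n in peak.items() if n >= min_targets}


if __name__ == "__main__":
    for src, n in find_smb_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} contacted {n} distinct hosts on 139/445 within 60s")
```

The slow source 10.1.4.70 in the sample stays under the default threshold; widening the window and lowering `min_targets` trades more noise for catching slower sweeps.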
    2. Re:Not really that serious by Anonymous Coward · · Score: 0

      If you have 139 or 445 exposed to the Internet, you've already been infected with something.

      I didn't know stupidity was infectious.

    3. Re:Not really that serious by $RANDOMLUSER · · Score: 1

      Yup, you're absolutely right. And as I said, if you've exposed those ports on an unsecure network, you (your sales guys) are ALREADY infected...

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    4. Re:Not really that serious by Anonymous Coward · · Score: 1, Interesting
      How easy it is to bring an infected laptop and plug it in behind the firewall?

      Where I work, this is not allowed. Plugging (or unplugging) any machine from our LANs without permission will quickly bring a tech, supported by a group of armed MPs, asking questions.

    5. Re:Not really that serious by telchine · · Score: 5, Funny

      I'm a Windows user.

      Can somebody please tell me what the hell a port is? :)

    6. Re:Not really that serious by walt-sjc · · Score: 4, Funny

      IMHO, you should not be blocking those ports at the firewall, but rather redirect them to a responder that floods the return path with copies of the Ubuntu ISO. Run QOS on your outbound and set it at a lower(est) priority than your normal traffic so it doesn't impact you.

    7. Re:Not really that serious by Corbets · · Score: 3, Informative

      Unfortunately, it's not that easy. You can (and most everyone does) block those ports at the firewall level. However, people that VPN in or connect via dialup, people who previously connected via the wireless at the local Panera, and either disabled their software firewall or just kept using their machine after that particular piece of software crashed.... they're infected, and when they VPN in, they go right through that precious firewall.

      Every.layer.Every.step.Every.machine.Must.be.secured.and.patched.

      It is, unfortunately, the only way.

    8. Re:Not really that serious by Anonymous Coward · · Score: 0


      How easy it is to bring an infected laptop and plug it in behind the firewall? Our salesmen travel all over the world, plug into untold number of hotel intranets and wi-fi cafes. They leave these two ports open when plugged into company intranet.

      Why do they leave these ports open? There are few reasons that I can think of for client systems to have these ports open.

    9. Re:Not really that serious by SanityInAnarchy · · Score: 1

      This is why I make it my personal policy, and would (if I could) make it company policy, to never run Windows on a laptop. It's just a bad idea.

      --
      Don't thank God, thank a doctor!
    10. Re:Not really that serious by cp.tar · · Score: 1

      It's like a train station, but for ships.

      --
      Ignore this signature. By order.
    11. Re:Not really that serious by mdarksbane · · Score: 3, Informative

      Yep, the company I used to work for made a product to stop just that.

      One of the emerging areas in enterprise security is so-called "endpoint" security solutions, that will verify whether a user plugging into a corporate network has
      1) approved virus software with updated definitions.
      2) an approved firewall
      3) Any software updates that the techies have deemed required.

      If you don't, you get shunted off to a quarantined part of the network with instructions on how to obtain the software to make you compliant.

      On the one hand, it sounds like a pain to set up and annoying for the users (and as it usually requires dhcp enforcement can be bypassed by someone who knows the network), and we didn't run in it at our own company, but on the other hand I bet that if they required it at the university I went to the virus problem there would have been much more controlled.

    12. Re:Not really that serious by Megaweapon · · Score: 1

      Every.layer.Every.step.Every.machine.Must.be.secured.and.patched.

      William Shatner is a sysadmin?

      --
      I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
    13. Re:Not really that serious by Anonymous Coward · · Score: 0

      You could create a Group Policy that restricts access to those ports via the built-in firewall in Windows XP to just a set of computers that is authorized by you. The policy remains on the computer even when used outside of the network.

    14. Re:Not really that serious by walt-sjc · · Score: 2, Interesting

      Hmm. Got modded funny, but I was serious. If the ports are blocked on your firewall, the worms just move on. If enough people would respond back with a flood of garbage, it would be a reverse DOS. Instead of responding with an ubuntu ISO, you could scan the attacker for open ports and flood those with SYN packets. Enough is enough. If we just do nothing about zombie attacks and machines, they will just continue. It's time to fight back and make zombie networks useless.

    15. Re:Not really that serious by plover · · Score: 2, Interesting

      My son is heading off to university in a month, and he just bought a Netgear NATing firewall to keep the personal equipment in his dorm room isolated from the rest of the worm-ridden idiots at the school. So that leads me to a question for you: How does your company's device handle non-Windows equipment hooking up to the network? Alternately, how could it verify the anti-virus software was present behind a hardware firewall? How does it deal with a Linux or Mac box hooking up? Or is the device made primarily for homogenous Windows-only workplaces, with hand-entered exceptions?

      --
      John
    16. Re:Not really that serious by flatass · · Score: 1

      In my organization, I use Group Policy to enforce the following: When on-network (secured behind corporate firewall) the windows firewall is disabled and not allowed to be enabled. When off-network (anywhere else and not connected to the VPN) the windows firewall is enabled and cannot be disabled. It helps me sleep better at night for sure.

    17. Re:Not really that serious by rikkards · · Score: 1

      That used to be ditto for me. However all laptops now have a software firewall installed and the workstation is locked down so that you can't browse the web through the normal interface. The only reason you would connect to an untrusted Network would be to VPN into the WAN.

    18. Re:Not really that serious by 99BottlesOfBeerInMyF · · Score: 1

      How easy it is to bring an infected laptop and plug it in behind the firewall?

      It is pretty easy and even when it isn't there are plenty of droppers and trojans and multi-vector worms that can get past your firewall. Security at the network edge is all well and good, but if you're still vulnerable to this type of attack you might want to look into some internal hardening. The latest generation of IDS-like devices can really make a difference. They tell you something is spreading in your network, machines are talking on ports they normally don't, to hosts they normally don't and even trying to talk to your unused IP space. Then, you can use them to throttle all nonessential traffic on those ports and to the infected machines, saving your network bandwidth, stopping the worm from spreading, and keeping your vital services, even using those hosts, up and running. Print out a list of infected hosts and start your cleanup. Barring the expense of a full system like this, you can at least establish some firewall-like rules for network segments.

      My apologies if you already know all this, but a lot of network security people are still living in the mid 90's.
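The signals listed in the comment above (hosts talking to peers they normally don't, and connection attempts into unused IP space) can be checked over plain flow records. The sketch below is an added example, not part of the original comment or of any product it mentions; the log format, addresses, watched ports and threshold are constructed assumptions.

```python
"""Flag likely worm spread from flow records (constructed data, hypothetical names)."""
import ipaddress
from collections import defaultdict

WATCHED_PORTS = {139, 445}   # assumption: the SMB/NetBIOS ports under discussion
UNUSED_SPACE = [ipaddress.ip_network("10.20.200.0/22")]  # constructed: unallocated range
FANOUT_THRESHOLD = 5         # assumption: new peers per window before alerting

# Constructed flow logs, one record per line: timestamp src dst dst_port
BASELINE_LOG = """
2006-08-10T09:00:01 10.20.1.15 10.20.0.5 445
2006-08-10T09:00:07 10.20.1.15 10.20.0.9 139
2006-08-10T09:01:30 10.20.1.22 10.20.0.5 445
"""

WINDOW_LOG = """
2006-08-11T14:00:02 10.20.1.15 10.20.0.5 445
2006-08-11T14:00:05 10.20.1.22 10.20.0.9 445
2006-08-11T14:00:09 10.20.1.77 10.20.1.10 445
2006-08-11T14:00:09 10.20.1.77 10.20.1.11 445
2006-08-11T14:00:10 10.20.1.77 10.20.1.12 445
2006-08-11T14:00:10 10.20.1.77 10.20.1.13 445
2006-08-11T14:00:10 10.20.1.77 10.20.1.14 445
2006-08-11T14:00:11 10.20.1.77 10.20.1.15 445
2006-08-11T14:00:11 10.20.1.77 10.20.201.4 445
"""


def parse_flows(text):
    """Parse 'timestamp src dst dst_port' lines into tuples with real IP objects."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((ts, ipaddress.ip_address(src),
                      ipaddress.ip_address(dst), int(dport)))
    return flows


def build_baseline(flows):
    """Record which (destination, port) pairs each source normally talks to."""
    peers = defaultdict(set)
    for _ts, src, dst, dport in flows:
        peers[src].add((dst, dport))
    return peers


def detect(flows, baseline):
    """Return {source: details} for hosts that look like they are scanning.

    A host is flagged if it touches unused address space at all, or if it
    opens watched-port connections to FANOUT_THRESHOLD or more peers that
    are absent from its baseline.
    """
    new_peers = defaultdict(set)
    dark_hits = defaultdict(set)
    for _ts, src, dst, dport in flows:
        if any(dst in net for net in UNUSED_SPACE):
            dark_hits[src].add(dst)
        if dport in WATCHED_PORTS and (dst, dport) not in baseline.get(src, ()):
            new_peers[src].add(dst)

    findings = {}
    for src in sorted(set(new_peers) | set(dark_hits)):
        reasons = []
        if dark_hits[src]:
            reasons.append("unused-space")
        if len(new_peers[src]) >= FANOUT_THRESHOLD:
            reasons.append("fan-out")
        if reasons:  # one new peer alone (10.20.1.22 here) is not enough
            findings[str(src)] = {
                "new_peers": len(new_peers[src]),
                "dark_hits": len(dark_hits[src]),
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse_flows(BASELINE_LOG))
    for host, info in detect(parse_flows(WINDOW_LOG), baseline).items():
        print(host, info)
```

The flagged hosts are the ones to throttle on the watched ports and put on the cleanup list.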

    19. Re:Not really that serious by lastchance_000 · · Score: 1

      No, it's a sweet, fortified wine originally from Portugal.

    20. Re:Not really that serious by LiquidCoooled · · Score: 1

      If you disable the firewall then won't a worm bounce around your internal network like wildfire?
      Sure, you can protect the machines from the great unwashed interweb, but all it takes is one single untrusted application running somewhere on your network to make this go BOOOOM.

      --
      liqbase :: faster than paper
    21. Re:Not really that serious by laffer1 · · Score: 2, Insightful

      What? That's your solution? Flood the internet traffic even more! Besides a worm is spread by people who can't or don't know how to patch. You're not helping anything by doing that.

    22. Re:Not really that serious by xtracto · · Score: 1

      You are both wrong, it is the short of the brand of cigarettes "Newport"

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
    23. Re:Not really that serious by Sax+Maniac · · Score: 1

      IANANA (Network Admin) but can't you do something with DHCP and MAC identification? Via DHCP, any MAC not in the pool of known workstations gets shunted into a private subnet that's outside the firewall.

      In short, any laptop, by definition, is always outside the firewall.

      If they really need to print or email or mount shares, then they should be using whatever sort of technology (VPN, IMAP/SSL, etc) to do that outside the network. Or walk to a workstation.

      --
      I can explanate how to administrate your network. You must configurate and segmentate it, so it can computate.
    24. Re:Not really that serious by operagost · · Score: 1
      A salesman from Taiwan came in plugged his laptop in and I was hosed. Worse, the worm was probing rest of the corporate network so seriously that network traffic slowed to crawl in the company. All the top management knew was that I had an unpatched old computer in the network and compromised the company intranet and lost half their work day.
      Some idiot unleashes a worm on your network and it's your fault? It's the fault of management for not implementing procedures to either wall off guest PCs as presumed hostiles or clear them before allowing them on the network.
      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    25. Re:Not really that serious by cp.tar · · Score: 1

      Don't smoke that crap, it'll kill you.

      --
      Ignore this signature. By order.
    26. Re:Not really that serious by dhasenan · · Score: 1

      My university does just that. It didn't work that well; in the semester or so while I had a Windows machine, there were periods in which I received virus notifications on an hourly basis, and I've been cleaning spyware out of that computer ever since.

      Now, of course, I don't use Windows, and consequently have no viruses. (It helps that my computer is in storage, too.)

    27. Re:Not really that serious by walt-sjc · · Score: 1

      ISP's are doing nothing, government is doing nothing, Microsoft is doing nothing, so what's YOUR solution? I want to take down compromised machines. I'd prefer that they actually go up in a puff of smoke, but I'll settle for crashing them or getting them knocked offline.

      Really, the fsking ISP's are in the perfect position to detect and shut down botnets, but refuse to do so.

    28. Re:Not really that serious by Alsee · · Score: 1

      If he's running Windows, that might not be such a bad idea.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    29. Re:Not really that serious by edflyerssn007 · · Score: 1

      The key to keeping your windows box safe on a university network is to make sure you have a good virusscan running real-time, a firewall running, etc. Then you shouldn't have to worry about getting all sorts of viruses on your machine. And keep yourself patched with the latest updates, do all these things and your computer will stay free of any of the nasty things that come on the internet. I've been doing this and I haven't had a virus on my computer (windows xp pro sp2) in over 2 years. Just keep yourself updated and diligent and you won't have any problems.

      -ed

      --
      So you see what had happened was....
    30. Re:Not really that serious by g-san · · Score: 4, Interesting

      Nah.... tarpit. Put a listener on those ports (you windows users will have to reboot into linux for this. try it, you'll like it.) Open the connection, read from the channel, then just sit there until the remote end times out. If the worm is stupid enough it will connect back to your PC a few times. That slows them down, and doesn't cause any harm to the net. Or send back three bytes of data every 20 seconds or so... the remote end will buffer it expecting more to come and stretch the timeout even further.
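A sketch of the tarpit described in the comment above, as an added example that is not part of the original post: it accepts a connection, reads whatever arrives without answering, and sends three filler bytes after each interval of silence. The port number, filler bytes, session cap and function names are assumptions; binding to 139 or 445 needs root and a host that is not already using them.

```python
"""Minimal TCP tarpit (added example; names and defaults are hypothetical)."""
import socket
import threading
import time

DRIP = b"\x00\x00\x00"   # constructed filler: "three bytes of data"
MAX_SESSIONS = 200       # assumption: cap so the tarpit cannot exhaust its own host


def tarpit_session(conn, interval=20.0, max_drips=None, drip=DRIP):
    """Hold one connection open as long as the peer tolerates it.

    Reads and discards whatever the peer sends, never answers it, and after
    each `interval` seconds of silence sends `drip` so the peer keeps
    buffering and waiting. Returns (bytes_received, drips_sent, seconds_held).
    """
    start = time.monotonic()
    received = 0
    drips = 0
    conn.settimeout(interval)
    try:
        while max_drips is None or drips < max_drips:
            try:
                data = conn.recv(4096)
                if not data:          # peer gave up and closed
                    break
                received += len(data)
            except socket.timeout:    # silence: trickle a few bytes
                conn.sendall(drip)
                drips += 1
    except OSError:
        pass                          # reset by peer; nothing more to hold
    finally:
        conn.close()
    return received, drips, time.monotonic() - start


def _handle(conn, peer, interval, slots):
    try:
        received, drips, held = tarpit_session(conn, interval=interval)
        print(f"{peer[0]} held {held:.0f}s, sent us {received} bytes, {drips} drips")
    finally:
        slots.release()


def serve(host="0.0.0.0", port=4450, interval=20.0):
    """Accept loop; each connection is stalled in its own thread."""
    slots = threading.BoundedSemaphore(MAX_SESSIONS)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(128)
        while True:
            conn, peer = srv.accept()
            if not slots.acquire(blocking=False):
                conn.close()          # at capacity: drop rather than queue
                continue
            threading.Thread(target=_handle, args=(conn, peer, interval, slots),
                             daemon=True).start()


if __name__ == "__main__":
    serve()
```

The log line per session doubles as a list of internal or external addresses that probed the port, which is useful input for cleanup.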

    31. Re:Not really that serious by An+ominous+Cow+art · · Score: 1

      CON:!!!!!!!!!!!

      My takeoff on "Khaaaaannnn!!!" looks too much like ascii art :-(.

    32. Re:Not really that serious by turbidostato · · Score: 1

      "IANANA (Network Admin)"

      Of course you aren't.

      "but can't you do something with DHCP and MAC identification?"

      Yes you can. And what then?

      "In short, any laptop, by definition, is always outside the firewall."

      Till the moment they discover how to reconfigure their MAC to get a valid IP address (or just use a fixed IP from the proper pool); a thing they will do as soon as the policy goes in their way and expectations for the job to be done (like, "you need to mount this share to get this so important data for your this evening's presentation to that very important client").

      "If they really need to print or email or mount shares, then they should be using whatever sort of technology (VPN, IMAP/SSL, etc) to do that outside the network"

      What's the difference about port 445 traffic on the LAN or through a VPN? (VPN==Virtual LAN). The worm that can expand through the LAN surely can expand through the VPN (unless, of course, the VPN has stricter access rules than the LAN itself, in which case those rules will be jumped over, see previous point).

      "Or walk to a workstation."

      You are joking, aren't you?

    33. Re:Not really that serious by frank_adrian314159 · · Score: 1
      It's like a train station, but for ships.

      OK. It's not really like a ship, it's more like a truck... No scratch that. It's like a pipe. A big stinking sewer pipe. And when they get clogged!?! Well, you just don't wanna know.

      Smootchies...

      Sen. Ted Stevens

      --
      That is all.
    34. Re:Not really that serious by vtcodger · · Score: 1
      Jeez, the popular kids are having this big patch party, and we Windows 9 and Linux users aren't invited ... again.

      Anybody want to join me at home for some popcorn and maybe some orange soda while the NT crowd spends the night fixin stuff? I know it's dull, but the most of the computers around here are just too slow to run XP, so I'll just have to pass on the excitement.

      Actually, we do have a couple of XP machines, but they are such a pain, that I really don't much care if some sociopathic teenager in Bucharest 'owns' them. Owning a Windows machine is exactly what hackers deserve -- at least until it's technically feasible to send them a case of jock itch or crab lice.

      I must say that depending on what the worm does, it really might be 'that' serious. Trouble is that from what I read networks of real computers doing real work for real users are likely to be in considerable difficulty the first time someone plugs an RJ45 into an infected laptop and hits the power switch. I'm glad that I'm retired.

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    35. Re:Not really that serious by Sax+Maniac · · Score: 1
      Till the moment they discover how to reconfigure their MAC to get a valid IP address (or just use a fixed IP from the proper pool); a thing they will do as soon as the policy goes in their way and expectations for the job to be done (like, "you need to mount this share to get this so important data for your this evening's presentation to that very important client").

      Ha! The same people who think their computer is broken when two windows overlap, also know how to spoof MAC addresses or pick IP addresses?

      Anyway, that's not the point. The idea is to minimize the number of Joes plugging completely anonymous machines into the LAN by default. If it's a corporate laptop, then you add the MAC to the known list once you vet it and make sure it isn't infested with Punch The Monkey.

      What's the difference about port 445 traffic on the LAN or through a VPN? (VPN==Virtual LAN).

      Right, there is no difference, other than they can use it because they already know how to. Instead of whining at the admin for access post-haste, they can get their Important Work Done while requesting the laptop be authorized. I know that if I brought in a random laptop without consulting my admin first, he'd be pissed. Doubly so if it fucked something up.

      --
      I can explanate how to administrate your network. You must configurate and segmentate it, so it can computate.
    36. Re:Not really that serious by Adam9 · · Score: 1

      At Miami, we use Cisco Clean Access. We do not support firewalls that do NAT, including routers, because of the unnecessary support burden. CCA allows non-Windows machines to authenticate to the network without going through the policy enforcement hoops that Windows machines go through. Some organizations have Nessus scanning turned on in CCA as a policy option though. CCA verifies AV Software/Updates and Windows Updates by using a client-side agent that reports back the relevant information to the CCA appliance. OS detection can be done based on the web browser's user-agent or OS fingerprinting. Owners of headless devices, e.g. XBox and PS2, can use a web application to exempt their devices, which of course puts the device in a separate network role designed for the device and discourages students from trying to exempt their computers.

    37. Re:Not really that serious by laffer1 · · Score: 1

      I used to work for an isp. We did disable accounts when they were caught transmitting malicious code. 9 out of 10 times it was a 40+ year old woman who would call. They never knew about windows update and some didn't have antivirus software. We'd agree to turn them back on if they bought antivirus and patched their os. A few times it lost us customers, but most people were quite happy if they took our advice. Occasionally we'd get some pissed off customer who'd cancel and want a refund.

      I believe they stopped that policy after I left.

      My solution is to inform people. If they insist on windows, tell them about windows update, antivirus, and anti-spyware tools. I went back to college a few years ago and have done several presentations on the topic. I used public speaking and classes with non technical students to convince them to patch. It worked in a few cases. Several people told me next class that their network connection was much faster. I also mentioned linux, and Mac OSX in my talks. At least one person tried linux.

      I think I've done my part.

    38. Re:Not really that serious by turbidostato · · Score: 1

      "Ha! The same people who think their computer is broken when two windows overlap, also know how to spoof MAC addresses or pick IP addresses?"

      You are suffering the myth about "all people except myself are dumb". You would be surprised how many advanced "tricks" those dumb users manage to know (certainly, for the most part it will be black magic to them, but they will know the trick). It's perfectly compatible thinking their computer is broken when two windows overlap and know how to change their MAC, I can tell you.

      "Anyway, that's not the point. The idea is to minimize the number of Joes plugging completely anonymous machines into the LAN"

      That's just OK, if you can get support from upper management for this. In too many situations this will be unaffordable, simply because management won't give enough power to you. You can block MAC addresses at the switch level, but if you can't have support from management so every new computer goes first to the IP department for OS installation, inventory, etc. you will be doomed. And I can tell you people will learn about NATting their "unofficial" networks, about setting their own Wins servers and yes, learning how to change their MAC-address in order to use the one from a retired box that it is still on your databases.

      In other words: you are just a tool for that people; it's their work the important one, and if you are to establish a blocking policy, you better have the power to enforce it without the users seeing it as a blocker for their job, or they will find a workaround (that of course, at the end will be much worse for everybody, but that's a different story).

    39. Re:Not really that serious by mdarksbane · · Score: 1

      I'm pretty sure almost every product of this type more or less ignores macs and PCs. The administrators have the option of blocking them entirely or letting them right on through, and that's about it. They're designed mostly for homogenous, large business infrastructure.

      I know that Cisco sells a similar solution that does this at the router - I think the advantage of ours (supposedly) was a higher level of scanning on the computer itself, and the fact that you didn't need to upgrade all your network infrastructure to support it - you just had to plug our box in somewhere on it.

      As for your son, I ran a windows box on that network for four years, and with a good firewall, virus protection, Firefox, and some common sense, he should be fine.

    40. Re:Not really that serious by plover · · Score: 1
      As for your son, I ran a windows box on that network for four years, and with a good firewall, virus protection, Firefox, and some common sense, he should be fine.

      Thanks for the confirmation! He has all four of those in spades, so I'm not at all worried. Anyway, his summer job for the last three years has been building, upgrading, installing and repairing various Windows machines. I think he'll know what to do (and that is "charge other students for degunking their computers!" :-)

      --
      John
  3. It's been a while by ronanbear · · Score: 5, Insightful
    Since there's been any worms attacking new exploits. I'd even begun hearing from some people that the days of Blaster style attacks are over.

    This should remind Windows users about complacency.

    --
    the more they over-think the plumbing the easier it is to stop up the pipe
    1. Re:It's been a while by jellomizer · · Score: 1

      It is really funny. There are pundits out there that jump on the fact that OS X, Linux have been found with a possible security hole, so people are afraid of going to these OS because of security, but they stay on Windows which is a much higher Risk.
      It is like saying I will just walk across the country because I heard of a person who died on an airplane.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  4. The power of Homeland Security compels you! by Anonymous Coward · · Score: 0, Redundant

    I guess this must be what DHS was worried about when they started issuing press releases about running Windows Update right now.

    Of course, I've got automatic updates turned on and set to download and install every night, and I leave the computer on all night, and it has yet to tell me it downloaded and installed this critical update. Way to go, Microsoft.

    1. Re:The power of Homeland Security compels you! by skoaldipper · · Score: 5, Funny

      I have a red shield and X in my systray so I'm safe. I think it's a warning symbol for anyone trying to hack my box, like a medieval coat of arms or something saying my computer is stronger than them.

      --
      I hope, when they die, cartoon characters have to answer for their sins.
    2. Re:The power of Homeland Security compels you! by Anonymous Coward · · Score: 0
      I have a red shield and X in my systray so I'm safe.

      I have the yellow shield. They know that my computer is urine stained. So, I'm safer than you!

    3. Re:The power of Homeland Security compels you! by Anonymous Coward · · Score: 0

      I don't have a "shield" displayed at all in my systray. I think that means I am hidden completely from any and all attacks. If you're running around the tubes of the Intarweb flashing a red or yellow shield at everyone...someone is going to get annoyed. It is better to stay low & hidden.

    4. Re:The power of Homeland Security compels you! by b1t+r0t · · Score: 1

      I have a red shield and X in my systray so I'm safe. I think it's a warning symbol for anyone trying to hack my box, like a medieval coat of arms or something saying my computer is stronger than them.

      To be specific, that would be Gules, a saltire couped argent.

      --
      "Open source is good." - Steve Jobs
      "Open source is evil." - Microsoft
  5. Pen Testing? by devnullkac · · Score: 4, Funny

    OK, maybe I'm just missing an acronym/typo somewhere, but "pen testing?" Will the worms come through my Mont Blanc?

    --
    What do you mean they cut the power? How can they cut the power, man? They're animals!
    1. Re:Pen Testing? by 1_brown_mouse · · Score: 5, Funny

      Ha Ha! I use a PaperMate and they have never been cracked due to superior design and stylishness. It's the simple interface.

    2. Re:Pen Testing? by acklenx · · Score: 1

      INAD but... Many a virus can easily be transported from one person to another by way of your pen, particularly if they are prone to bite or suck on it. I don't believe that brand matters, but perhaps this is what "pen testing" seeks to discover. As I stated I'm not a doctor, but from personal experience I can say that pens made of metal rather than plastic tend to deter biting, perhaps this makes them less likely to be exposed to and transport the little nasties.

      --
      Never let a mediocre career stand in the way of a good time
  6. How will this affect unpatched pirated versions? by Average_Joe_Sixpack · · Score: 1, Redundant

    How will this affect my pirate... er my neighbor's pirated unpatched system?

  7. File Servers by slidersv · · Score: 1, Informative

    Our enterprise file servers run w2k3sp1... Those ports are open on these machines. Basically we have to hope that no one brings infection inside.

    --
    there is no issue with my network
    1. Re:File Servers by Anonymous Coward · · Score: 1, Insightful
      Our enterprise file servers run w2k3sp1... Those ports are open on these machines. Basically we have to hope that no one brings infection inside.
      No, you have to patch them already. One at a time if you're that paranoid about breaking something.
    2. Re:File Servers by Professor_UNIX · · Score: 4, Funny
      Our enterprise file servers run w2k3sp1... Those ports are open on these machines. Basically we have to hope that no one brings infection inside.
      That would be impossible unless you have users that have laptops that they take outside the office or users that browse the web or receive e-mail to their desktops or users that connect remotely from their homes via dialup or VPNs. All very unlikely scenarios in any modern business environment.
    3. Re:File Servers by LurkerXXX · · Score: 1

      Have to hope? I sure *hope* you have test servers and clients set up, and that you have already installed and are testing the patches to make sure that they don't break any applications you are running. And I hope that as soon as you are confident that the patches don't break anything, you get them installed on the production servers.

      That's a much better *hope*. Otherwise, I hope your administrator has his resume up to date.

    4. Re:File Servers by Anonymous Coward · · Score: 1, Funny

      And which one of the dumb mods modded this to informative? The guy reveals their file servers are not secured, but doesn't even add ip addresses or name of the company. How is that informative?

    5. Re:File Servers by k1773re7f · · Score: 1

      What are these "test" servers of which you speak?

      --
      This sig. intentionally left blank.
  8. Re:Pen Testing? - Penetration Testing by whitelines · · Score: 1

    Penetration Testing. It's where you stick that mont-blanc through the case wall and if it damages something you need to get a patch (for the case) from microsoft.

    --
    /* TBD */
  9. Re:Penetration Testing? by Anonymous Coward · · Score: 5, Funny

    "Pen" is a commonly used short term for "penetration" so you could interchange "pen testing" with "penetration testing."

    Or, in your case, you would request full pen videos when you go to video rental store.

  10. The Cyber Gnome, Denouncer of Computer Myths by krell · · Score: 4, Funny

    "The Cyber Gnome here. Denouncer of computer myths. Who needs to download security patches? I don't, and I've never had any prob%$#@@@@#^_@_#@ NO CARRIER"

    --
    Where were you when the voynix came?
    1. Re:The Cyber Gnome, Denouncer of Computer Myths by Alsee · · Score: 1

      I need to call for backup.
      NO DON'T BACK UP!

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  11. Let's mobilize by ericlondaits · · Score: 5, Funny

    From TFA:

    A spokesperson for Microsoft said it is difficult to predict the motives and actions of attackers but insisted the company is "watching round-the-clock" and actively encouraging customers to download the update immediately.

    "We will mobilize if something does happen," the spokesperson said.

    They'll mobilize? Mobilize? As in "get the heck out of here"? Or are they calling the [GI]Joes?

    --
    As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.
    1. Re:Let's mobilize by bky1701 · · Score: 2, Funny

      I think their mobilization plan is "launch all vista", however in their haste they forget to patch vista... or maybe just "run out doors and run around in circles". Who knows, it's M$.

    2. Re:Let's mobilize by TheRaven64 · · Score: 5, Funny
      "launch all vista"

      I think you mean:

      Take off all Vista! For great profit!

      There should probably be a 'We get worm! Main firewall turn on!' in there somewhere too.

      --
      I am TheRaven on Soylent News
    3. Re:Let's mobilize by WilliamSChips · · Score: 1

      Take off every Vista. EVERY.

      --
      Please, for the good of Humanity, vote Obama.
    4. Re:Let's mobilize by dcam · · Score: 1

      They'll mobilize? Mobilize? As in "get the heck out of here"? Or are they calling the [GI]Joes?

      I hope they don't mobilize. As anyone who knows their WWI history will tell you: mobilization means war.

      --
      meh
    5. Re:Let's mobilize by sunweight · · Score: 1

      Our IT support department is like that, too.

  12. OH PLEASE GOD, Let me help out on this one by Anonymous Coward · · Score: 1, Funny

    If there's anything I can do to help get a worm going for this baby, respond back here. I'd love to stir up some shit.

    1. Re:OH PLEASE GOD, Let me help out on this one by Anonymous Coward · · Score: 2, Funny

      Try #hackers on irc.fbi.gov

    2. Re:OH PLEASE GOD, Let me help out on this one by Anonymous Coward · · Score: 0

      Goddamn if only I had mod points.. this deserves a +5 insightful:

      Try #hackers on irc.fbi.gov

      At the very least...

  13. Ummm... by Anonymous Coward · · Score: 5, Insightful

    Tell your "neighbor" that if he doesn't want to pay for an OS, that he shouldn't be using Windows.

    But if he's too fucking cheap to get an OEM copy or something and too fucking stupid to bypass the WGA, he should be prepared to have his ass handed to him when this shit hits.

    I'd recommend him going to ubuntu.com, though.

    1. Re:Ummm... by Anonymous Coward · · Score: 0

      Why? Screw that, we don't want cheap jackasses with no respect for software development over here on the Linux side of things.

      1% is better than 5% where 85% are whiny kids with no respect for intellectual property.

    2. Re:Ummm... by Tweekster · · Score: 1

      How about the rest of us that are effected by those computers?

      --
      The phrase "more better" is acceptable English. suck it grammar Nazis
    3. Re:Ummm... by dotgain · · Score: 1
      I guess that'd make you a child process.

      Unless you meant affected

  14. The Patch by nherc · · Score: 2, Informative
    --
    'He was a dreamer, a thinker, a speculative philosopher... or, as his wife would have it, an idiot.' - Douglas Adams
    1. Re:The Patch by doktorjayd · · Score: 1, Redundant

      and just to flame myself:

      even better patches here:

      http://www.openbsd.org/ :)

    2. Re:The Patch by Anonymous Coward · · Score: 0

      Jesus, what the fuck is wrong with you?

    3. Re:The Patch by Anonymous Coward · · Score: 0

      And no Genuine Advantage check, how great!

  15. Not quite by jackmama · · Score: 5, Informative

    which was deemed wormable on all Windows versions, including Windows XP SP2 and Windows Server 2003 SP1

    HD Moore posted a followup to the Daily Dave mailing list admitting defeat on those two platforms:

    Time to eat my words. The wcscpy() destination pointer trick doesn't seem
    doable on XP SP2 or 2003 SP1. I don't believe you can exploit this bug
    for more than a DoS on 2003 SP2/XP SP1. If you have information to the
    contrary, please share.


    All other Windows platforms remain easily exploitable, though.

    1. Re:Not quite by Anonymous Coward · · Score: 0
      Time to eat my words. The wcscpy() destination pointer trick doesn't seem
      doable on XP SP2 or 2003 SP1. I don't believe you can exploit this bug
      for more than a DoS on 2003 SP2/XP SP1. If you have information to the
      contrary, please share.

      All other Windows platforms remain easily exploitable, though.


      Windows XP SP2 is the current version of Windows. Has been for almost two years. Aside from Windows XP SP1 all other versions of Windows are no longer supported by Microsoft.

    2. Re:Not quite by jackmama · · Score: 4, Funny

      Windows XP SP2 is the current version of Windows. Has been for almost two years. Aside from Windows XP SP1 all other versions of Windows are no longer supported by Microsoft.

      Well, that's a relief. I was worried that millions of PCs and servers might still be out there running Windows 2000 and NT, and might help propagate some sort of worm. As long as all computers are magically running the currently-supported versions of Windows, I guess we're OK.

    3. Re:Not quite by jb.hl.com · · Score: 1

      Windows 2000 is in extended support until 2010. So....no.

      --
      By summer it was all gone...now shesmovedon. --
    4. Re:Not quite by 0110011001110101 · · Score: 1, Troll
      I'm under 30 and not living with my parents. Myspace sucks ass. It's like all the least interesting people in the world got together and decided to design the ugliest web pages in the world, and then they all list each other as friends and leave comments with the word "dawg" and anything that endz in "Z" where there should be an "S".

      But stop wasting time reading my reply, you're probably missing out on a whole new set of recently released butt-ass ugly animated graphics that you can use while posting to hot girls myspace accounts who are actually 30+ males living in their parents basements with dreams of luring you into their wrangler jeans...

      --
      Don't anthropomorphize computers: they hate that.
    5. Re:Not quite by jb.hl.com · · Score: 1

      I will, considering I'm going out in just a few minutes with my girlfriend, who I met over MySpace and is most definitely not a 30+ male living in her parents' basement.

      Right back atcha :)

      --
      By summer it was all gone...now shesmovedon. --
    6. Re:Not quite by Anonymous Coward · · Score: 0

      PLEASE! don't mention DD on Slashdot >:(

    7. Re:Not quite by evil_Tak · · Score: 2, Funny

      Where does he live?

    8. Re:Not quite by Anonymous Coward · · Score: 0


      Windows XP SP2 is the current version of Windows. Has been for almost two years. Aside from Windows XP SP1 all other versions of Windows are no longer supported by Microsoft.

      Well, that's a relief. I was worried that millions of PCs and servers might still be out there running Windows 2000 and NT, and might help propagate some sort of worm. As long as all computers are magically running the currently-supported versions of Windows, I guess we're OK.

      What would you have Microsoft do? They addressed the problem almost two years ago. Microsoft would like nothing better than everyone to upgrade to Windows XP SP2. All they can do now is offer a fix for those who haven't upgraded. And since they've done that I see little point in bashing Microsoft (NOTE: I am not accusing you of this). It's time that people start taking some responsibility for their actions (or inaction in this case).

    9. Re:Not quite by jackmama · · Score: 1

      What would you have Microsoft do?

      Um...nothing. I'm not sure where other parts of this thread have gone, but I think the main point is that it's important for everyone to apply the patch, because a working exploit exists for most of the platforms that people use, and it can be used to create a worm. Anything beyond that is religion, and it's pointless to get caught up in that.

    10. Re:Not quite by Anonymous Coward · · Score: 0

      So it's that evil Unicode stuff, eh? Never up to any good.

      P.S.: Length-counted strings pwn joo 4ll!1!11

    11. Re:Not quite by WilliamSChips · · Score: 1

      So how many STDs does she have? And how many has she given to you so far?

      --
      Please, for the good of Humanity, vote Obama.
    12. Re:Not quite by 0110011001110101 · · Score: 1
      ohhh I got burned. The supposedly non-fictional she-male you met on that website definitely shows me how wrong I am about MySpace... those thousands of MySpace pages that exist only to prove my theory have got nothing on that kind of evidence.

      Oh wait holdon, you're a MySpace user, let me write it in language you'll understand:

      OHHHH SNAP homeyz! Your super-fly tranny honey you spit game on dat websitez put me in my place for shizzo! You gotz mad skillz yo in with the MySpace Q-teez despitez my seeing all those online peeps with mad whack sites...

      --
      Don't anthropomorphize computers: they hate that.
    13. Re:Not quite by innate · · Score: 1

      Windows XP SP2 is the current version of Windows. Has been for almost two years. Aside from Windows XP SP1 all other versions of Windows are no longer supported by Microsoft.

      That's fantastic news for Linux! Now that Microsoft is no longer supporting Windows Server companies will have to switch. And I would never have heard this news if it weren't for you, Anonymous Coward.

      --
      No, I don't want to explore the Recycle Bin.
    14. Re:Not quite by fastgood · · Score: 1
      I was worried that millions of PCs and servers might still be out there running Windows 2000 and NT

      and SP1 installations of XP that are running keys that cannot be upgraded with the two year old "latest" (and last) XP service pack.

      Or the first 18 months of XP releases that cannot be upgraded at the WindowsUpdate website because they aren't SP1 versions.

  16. Re:How will this effect unpatched pirated versions by skoaldipper · · Score: 5, Funny

    Your pirate neighbor should be ok. I'm pretty sure the green parrot on his shoulder will eat any worms. If not, the patch over his right eye is probably the most current out there.

    --
    I hope, when they die, cartoon characters have to answer for their sins.
  17. New Microsoft Windows mascot suggestion. by krell · · Score: 5, Funny

    Here's my suggestion for a new Microsoft Windows mascot. She's old enough to be public domain, she's tanned, she's rested, she's ready, and she's all patched to hell. All the better that Redmond is located in the vicinity of America's "Emerald City". Please, pay no attention to the borg behind the curtain.

    --
    Where were you when the voynix came?
    1. Re:New Microsoft Windows mascot suggestion. by Anonymous Coward · · Score: 0

      In before "LOL Linux is patched all the fucking time."

  18. DHS by hey · · Score: 0, Flamebait

    It's funny that yesterday the Dept of Homeland Security (I can't say that name without laughing) was so concerned about patching Windows but -er- there was a plot to blow up ten planes. Misplaced priorities?

  19. Pirate loading windows. by krell · · Score: 5, Funny

    Your pirate neighbor (what, do you live on a WHARF???) should be able to get around this by launching his Windows in pirate mode. He has to boot to the command line, and then enter WIN.EXE -R -R -R. Also, has he considered the eyepatched system? It might be more useful to him than the "unpatched system" you mentioned.

    --
    Where were you when the voynix came?
    1. Re:Pirate loading windows. by swordfish666 · · Score: 1

      Pirates are so "in" this year!!

      --
      I like-a do-the cha-cha.
    2. Re:Pirate loading windows. by Anonymous Coward · · Score: 0

      Holy crap, that was funny. And damn clever too.

    3. Re:Pirate loading windows. by wirelessbuzzers · · Score: 1

      I'd recommend increasing your defenses of your ports, specifically 137-139 and 445. A heavy chain and a few batteries of cannon should suffice, but to ward off more determined attackers you might need a garrison of veteran sailors.

      --
      I hereby place the above post in the public domain.
    4. Re:Pirate loading windows. by painQuin · · Score: 1
      Also, has he considered the eyepatched system?


      You clearly meant to say iPatch.
      --
      A guilty conscience means at least you've got one.
  20. ALL Windows versions? by kalirion · · Score: 1

    FTFA it seems that my Windows 98 box is quite safe, thank you very much.

    1. Re:ALL Windows versions? by dvice_null · · Score: 2, Funny

      Don't worry, win98 has several well known unpatched security holes already.

    2. Re:ALL Windows versions? by steveo777 · · Score: 1

      Right, but by the time it takes you to care, you'll probably have had to reset it twice to get your RAM back! (God I hated 98 when I was using it, XP is far from perfect, but it manages RAM a lot better)

      --
      This sig isn't original enough, it's time to come up with something witty...
    3. Re:ALL Windows versions? by kalirion · · Score: 1

      Ah, but no one bothers to exploit them anymore.

    4. Re:ALL Windows versions? by Deathanatos · · Score: 1
      FTFA it seems that my Windows 98 box is quite safe, thank you very much.
      Now that's what I call +1 Informative. WinXP vulnerability this, WinXP vulnerability that. All these WinXP warnings, but when was the last time you heard one for Win98? Must be a rocksolid OS. Those people out there with XP should downgrade.

      If only, if only... oh well. The solution is simple really - just apply video game tactics. Don't take a pack of orcs head on - shoot 'em through a doorway one at a time. Same goes for viruses, worms, etc, though I'm not quite sure how. Though strong magnets seem to make a fairly good anti-malware. Whatever, back to the orcs.
    5. Re:ALL Windows versions? by Mark+of+THE+CITY · · Score: 1

      The last Win98 boxes I saw were un-networked embedded control units, vulnerable only to code- and script-bearing floppies.

      --
      The clearance system sounds logical. It is not. It is completely arbitrary. -- John Bolton
  21. No...they reverse engineered the patch.. by Anonymous Coward · · Score: 0

    and developed a worm to exploit the vulnerability that was fixed, which will target systems that have not yet been patched. If you've applied the patch, you're safe from this worm. It's targeting unpatched systems.

  22. he who controls the OS.. by Anonymous Coward · · Score: 2, Funny

    From the title, I wondered if they were harvesting spice. "Wormsign! Is that wormsign?"

    1. Re:he who controls the OS.. by Bryansix · · Score: 1

      Steve Ballmer (While throwing a chair in excitement): He who controls the spice, controls the universe!

  23. Looking for fame and fortune by brian23 · · Score: 5, Insightful

    So companies like Immunity reverse-engineer an identified Microsoft patched vulnerability, release an exploit and expect kudos? Impressive as it may sound, I would be more interested to hear of a company discovering a vulnerability and releasing it to Microsoft so it can be patched. If I can't create a virus/worm to wreak havoc on Windows machines, what makes these companies able to reverse-engineer and release the "0-day" exploit? It almost seems unethical. Also, it seems like Immunity and others are trying to make a name for themselves rather than being interested in user security.

    1. Re:Looking for fame and fortune by Anonymous Coward · · Score: 1, Interesting

      Umm...of course they're trying to make a name for themselves. They start a company called Immunity. This company's purpose, ultimately, is to make money. Well, they specialize in security assessment. Now they have to market themselves....let's see, what company is going to flip through magazine ads looking for a security assessment company? Not many, eh? Okay, then, let's use our skills, publish an exploit, then say this is what our company does, so hire us today! As long as they're not cast out as some Black Hat group of hackers, I can see companies (more than what plain advertising would bring in) giving this company a second look for their own corporate security.

    2. Re:Looking for fame and fortune by OriginalArlen · · Score: 4, Insightful
      So companies like Immunity reverse-engineer an identified Microsoft patched vulnerability, release an exploit and expect kudos?

      Nope, they do it to make money from selling the superb CANVAS product to penetration testers and other security professionals. They couldn't give a rat's ass what some random fucko on Slashdot thinks of it. Sorry to be the bearer of bad news... ;p

      --

      Everything I needed to know about life, I learnt from Blake's Seven
    3. Re:Looking for fame and fortune by omgh4x0rs · · Score: 1

      superb? For those that don't know, the 1200$ per license CANVAS is basically just a rip off of the open source programs nessus and metasploit. Any real security professional knows that it is a joke of a program. go back to your marketing cube at immunity troll

  24. Re:Penetration Testing? by GigsVT · · Score: 1

    Well, it's better than calling it "digital penetration".

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  25. Any comment from DHS? by 192939495969798999 · · Score: 1, Insightful

    I wonder what the DHS has to say about this, having just the other day told us all to patch all our Windows systems.

    --
    stuff |
    1. Re:Any comment from DHS? by DimGeo · · Score: 3, Informative

      Actually, the article is misleading. The patch *fixes* the bug, it doesn't introduce it.

  26. Pen Testing explained by krell · · Score: 4, Funny

    The "pen test" is to see whether it is much easier, faster, safer, and cheaper to create a document using a pen and paper compared to booting up the computer and doing it there.

    --
    Where were you when the voynix came?
  27. Re:Penetration Testing? by Billosaur · · Score: 2, Funny

    Well, it's better than calling it "digital penetration".

    Yes, that involves something entirely different... wink, wink, nudge, nudge, say no more!

    --
    GetOuttaMySpace - The Anti-Social Network
  28. Re:Penetration Testing? by Anonymous Coward · · Score: 0

    It's good you pointed that out, because NOBODY understood that the grandparent was making some sort of SEXUAL INNUENDO.

  29. Re:How will this effect unpatched pirated versions by Anonymous Coward · · Score: 0

    Since he probably fears Windows Update because there's an "important security update" called WGA waiting to bite him, he is not going to be protected from an upcoming worm, which will add his computer to a botnet. His computer will be somewhat slow sometimes and he may find his personal data used as anti-bayesian spam filler, but otherwise he won't notice a thing. You on the other hand will receive tons of spam and if you act up and try to hunt down spammers, you will also learn how much upstream bandwidth your friendly next door pirate can contribute to a DDoS attack against you.

  30. MS06-040? by julesh · · Score: 1

    When I saw the list of patches my machine had downloaded the other day, I thought "this one's going to be trouble. Maybe we'll see a blaster-style worm based on this one."

    However, the vulnerability I was looking at was MS06-041 (remote buffer overflow in DNS client), not MS06-040 (remote buffer overflow in server) which I figured most people would have firewalled/disabled anyway.

    I mean, DNS client? The best the "mitigation" section of the advisory can say is that an attacker would have to make your machine issue a DNS request to a domain they controlled in order to exploit it. Which wouldn't exactly be hard, would it?

    1. Re:MS06-040? by gregarican · · Score: 1

      The DNS client vulnerability still puzzles me. From reading the advisory it appears as if the malicious party would have to be on a subnet between the DNS client and the DNS server. If this is the case exploiting this via the Internet might be a bit tough. But internally, a company that uses DNS could get rocked since the DNS clients and servers would likely be on the same LAN/WAN. Just thinking out loud...

    2. Re:MS06-040? by julesh · · Score: 1

      From reading the advisory it appears as if the malicious party would have to be on a subnet between the DNS client and the DNS server

      As I read it they must be either able to intercept an existing DNS request and send a forged response (which is the condition you're quoting) *or* be the target of the request in the first place (which could be easily arranged by sending an HTML e-mail). Unfortunately, MS are so sparse on technical details it's hard to tell. It might also be the case that the request would have to be for one of the strange types of record they list in the next section, although the advisory doesn't actually go as far as to state that. Just that filtering those on the inbound connection would help prevent it.

  31. Re:Pen Testing? - Penetration Testing by Aladrin · · Score: 1

    Oh, so that's what those Intel case stickers are for. I always wondered!

    --
    "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
  32. Microsoft Bracing for (Giant) Worm Attack by geobeck · · Score: 3, Funny

    Emperor Shaddam Gates IV admitted today that the high rock formations that ring the city of Arredmond might not be able to repel a full-on attack by the Frehax0rz and their giant worms. Story at 11.

    --
    Find environmentally and socially responsible products on http://buy-right.net
    1. Re:Microsoft Bracing for (Giant) Worm Attack by SanityInAnarchy · · Score: 1

      They dare use atomics?!

      Oh, if only we dared...

      --
      Don't thank God, thank a doctor!
  33. This would not have happened... by oahazmatt · · Score: 1

    This would not have happened had Microsoft walked without rhythm.

    --
    Those who believe the Internet is private,
    find their privates are on the Internet.
  34. The force by krell · · Score: 1

    The troll side of the force is strong in this one.

    --
    Where were you when the voynix came?
  35. Bill Gates watching "The Wall" by ch-chuck · · Score: 0

    ... and the worms ate into his brain. (Pink Floyd)

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  36. Homeland Security.... this seems to ring a bell by hcob$ · · Score: 1

    So, everyone was saying "EEEEEvilllllllle Homeland Security is telling us to do something without releasing details! They must be up to something..."

    Yep, they were telling us that something like this was about to happen.

    --
    Cliff Claven
    K.E.G. Party Chairman
    Founding Leader of: Koncerned for Egalitarin Governance
    1. Re:Homeland Security.... this seems to ring a bell by supremebob · · Score: 1

      See now, the problem is that your tin foil hat isn't on tight enough, and the government brain wave monitors have got to you. The Eeeevil Homeland Security is obviously propagating these rumors of a worm just to make sure that everyone installs their little spyware patch.

      Geez, you probably believe all those news stories about that "foiled terror attack", too. That's obviously a conspiracy created by the folks who make those little travel bottles of shampoo to increase their sales once you get to your destination.

  37. Re:Penetration Testing? by Anonymous Coward · · Score: 0

    Personally, I'm partial to those nifty four-color pens.

  38. Re:Penetration Testing? by Anonymous Coward · · Score: 0

    Are there also "half penetrating videos"? I would imagine f***ing with the half-length of the dick would be very difficult to master.

  39. relax :) by Intangion · · Score: 0, Offtopic

    It's times like these I'm glad I'm using Linux http://www.ubuntu.com/

  40. The Posts Mod YOU! by soloport · · Score: 1

    Goddamn if only I had mod points.. this deserves a +5 insightful:

    Try #hackers on irc.fbi.gov

    At the very least...


    Have mod points, but I refuse to mod a post (+Funny, in this case -- not Insightful) that includes the punchline but doesn't quote the context -- that still sits at Score: 0. How would it make any sense to someone who's surfing at, say, level 2?

  41. Data Execution Prevention? by Anonymous Coward · · Score: 1, Interesting

    The bulletin states that this is a buffer overflow vulnerability and that a firewall would protect against an exploit. It does not mention whether Data Execution Prevention (which is supposed to monitor for buffer overlows), included in XP SP2 and 2003 SP1, would prevent the exploit. Anybody know if it does?

  42. Shouldn't you wait... by sheldon · · Score: 1

    Until after this theoretical worm takes over the planet?

    There are a lot of things in place today which weren't in place back with Blaster that allow IT depts to respond to these events... beyond just patching I mean.

  43. makes me long for Windows 98SE by vinn01 · · Score: 1


    This makes me long for the good old days, with Windows 98SE, where most ports were closed and exploits mostly came in through Outlook and IE.

    Running Thunderbird and Firefox would solve the Outlook and IE exploits today.

    1. Re:makes me long for Windows 98SE by Anonymous Coward · · Score: 0

      Just because MS get the publicity for security holes, don't pretend other software doesn't have security holes.

      For example,
      http://www.kb.cert.org/vuls/id/866300
      http://www.kb.cert.org/vuls/id/911004

  44. This is called being STUPID! by sharper56 · · Score: 1

    Any netadmin that allows VPN connected networks full access to their internal nets are idiots who need to get fired VERY soon.

    The best admin I know says to treat VPN clients like neighbors from down the block... I'll let you in but watch you every second you're here. That means he sticks them on an untrusted net with full IDS/APS setups. Additionally, like all the well-run sites I've worked, VPN (with two-piece auth) was only the gateway to allow access to a net with secured terminal services boxes (ssh/Citrix). You still had to hop networks once you logged in to get to email/messaging/intranet.

    Heck, I don't even think the production guys had any access to the production server via network, I only saw them modify production by opening up the iris & passcard door then dragging out the com cart. All the site/status monitors were IN the production room pointed out to the monitoring center behind the shot proof glass.

    1. Re:This is called being STUPID! by swb · · Score: 1

      While a handful of businesses have the money to set up VPN networks that block naked access and the management savvy to sell the more complex and restrictive access to business unit leaders and their employees, most don't.

      Most businesses can't afford a separate VPN net or the servers necessary to make it functional, and even if they could they would face the wrath of remote workers and their bosses whose productivity was reduced because they had to jump through a bunch of hoops.

      The good news is that in many cases, Remote Desktop or Citrix is a better solution than VPN for 95% of all workers, and with OS lockdown and limited app accessibility, it's a lot more secure, too.

  45. Re: durty laptops by An+anonymous+Frank · · Score: 1

    Perhaps it would be useful for you to consider having those laptops on XP SP2, and configuring them through GPOs so that when they're not at work, they close those ports, and then some.

  46. *every* version? by holden+caufield · · Score: 1

    I believe you meant to say "every *supported* version of Windows", as I see no patch for Windows 98 users. I'm not one of them, but unfortunately, some family members still are.

    Of course, these family members are also firewalled, so I'm not particularly frightened.

    --
    I'll create an amusing sig when I have something meaningful to post.
  47. But... by MechaShiva · · Score: 1

    If you walk without rhythm, you never learn

    --
    After calming me down with some orange slices and some fetal spooning, E.T. revealed to me his singular purpose.
  48. Re:How will this effect unpatched pirated versions by darb_is_fat · · Score: 0

    It's true, pirated software is the most secure, they either have no patches or just one. Sure, you may get scurvy, but hey, it was free!

  49. maybe not so STUPID by Gary+W.+Longsine · · Score: 3, Insightful
    Any netadmin that allows VPN connected networks full access to their internal nets are idiots who need to get fired VERY soon.
    Your assertion seems obvious on the face of it, but it fails to consider the effects of bureaucracy and complexity, which are real and profound. Many systems administrators are restrained from improving the security posture of networks and systems in "obvious" ways because the business has "requirements" which prevent it. Many of these requirements are derived, in turn, from the tangled complexity of interlocking capability and limitations of various network, systems, and software. Suppose your VPN was established to allow 5000 employees scattered around the country access to hundreds of servers scattered around, too. You might say the architecture is flawed, and it might well be, but if you're the admin and you didn't get to make those decisions then you probably also don't get to just decide to shut down VPN access to Windows port 139, 445 and so forth.
    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
    1. Re:maybe not so STUPID by msimm · · Score: 1

      Well put. Sometimes as a systems administrator you're just stuck. You know the right thing to do, but business doesn't always see things in terms of black or white. It's called compromise and yes, it can have terrible results sometimes. Sometimes it doesn't.

      What I do know is most system admins *I* know aren't remotely interested in going back to school to get an MBA and at the end of the day those are (generally) the people who get the final say (if you're lucky enough to be able to talk that far up the food chain).

      It's definitely a process and it takes some getting used to.

      Personally I find it interesting.

      I do the best I can do with the constraints I'm faced with. If something related to my field causes a problem I can offer real solutions, maybe they will be listened to (sometimes problems help define how 'doing the right thing' can actually impact your bottom line, which makes it a much simpler business decision:) maybe they won't. Worst case scenario is something goes wrong but I did the best that I could. I can live with that. And if a mid-level manager needs me to take the fall for that I can live with that too. Who needs the hassle really? :)

      --
      Quack, quack.
    2. Re:maybe not so STUPID by lonecrow · · Score: 2, Insightful

      I am a freelancer and it is sometimes hard to get clients to pay for proper (secure) work. When I was starting out and a client asked me for a cheaper option I would lay out the options and the risks. I justified it by saying "Hey I told them the risks and it's their system and their decision."

      I don't do that anymore. It's like telling kids they can play in traffic if they really want to and are aware of the risks.

      If they won't pay to have it built right they can hire someone else.

  50. The DHS was on top of this. by DiscWolf · · Score: 2, Funny
    The Department of Homeland Security was on top of this. It seems like they are starting to understand what is going on. It makes you wonder if they are going to be proactive and raise the 'Terror Alert Level' when Vista is finally released.

    This signature was going to be a lot nicer but I had to cut a lot of features in order to get this post out without any further delays.

    1. Re:The DHS was on top of this. by my+$anity++0 · · Score: 1

      As long as Vista is released sometime near an election. Which might be likely.

  51. Re:Penetration Testing? by fbjon · · Score: 1

    I shudder at the thought of a horse pen.

    --
    True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
  52. patch your worm, worm your patch by flickwipe · · Score: 2, Funny

    Today's Microsoft Update menu

    KB666123456 - Patch, Worm, Worm and Patch
    KB666456789 - Patch, Worm, Worm, Worm, Worm and Patch
    KB666666666* - Worm, Worm, Worm, Worm, Worm, Patch, Worm and Worm


    * May not contain patch

    1. Re:patch your worm, worm your patch by Anonymous Coward · · Score: 0

      (customer) But I don't like worms!

      (Vikings) Worms, worms, worms, worms....

    2. Re:patch your worm, worm your patch by burndive · · Score: 2, Funny

      Well, there's worm patch sausage and worm, that's not got much worm in it.

      --
      ...because "hacker" sounds way sexier than "code drone."
  53. Re:Penetration Testing? by gwayne · · Score: 1

    Last night, I tried pen testing with my wife, but her firewall blocked all access attempts...

  54. Re:How will this effect unpatched pirated versions by Anonymous Coward · · Score: 0

    Security updates are still available even if you're not "genuine". Your "neighbor" should be fine as long as he patches.

  55. Win 98/ME not affected by mabu · · Score: 2, Interesting

    It's also worth noting that according to the reports, the now "un-supported" Win98/ME OS is not vulnerable to these exploits.

  56. What's a port? by neo · · Score: 2, Funny

    "I'm a Windows user.

    Can somebody please tell me what the hell a port is? :)"

    A port is where software pirates come to collect their booty. In this case your pron. They sail in by using special software to "surf the web" and come into your port. Once in your port they have to fight with swords in order to capture the port (just like in the game Pirates by Sid Meier... it looks just like that.)

    Once they are in your port you're screwed, all the walls in the world won't stop them.

  57. What? a C-based vulnerability? by master_p · · Score: 1

    How many exploits should there be before dumping C altogether? Use Cyclone, for Christ's sake.

  58. The wonders of an "At Will" state... by jeblucas · · Score: 1
    at any sufficiently large office there is bound to be at least one complete f'ing idiot who clicks on all email attachments and thinks "browsing the net commando style" is top shit.

    (Idiot's yearly salary) - (Hours IT works to correct problem) × (Avg IT hourly salary) - (Productive hours lost) × (Avg hourly production in dollars) < 0? ==> Fire that asshole.

    --
    blarg.
    1. Re:The wonders of an "At Will" state... by Stellian · · Score: 1
      (Idiot's yearly salary) - (Hours IT works to correct problem) × (Avg IT hourly salary) - (Productive hours lost) × (Avg hourly production in dollars) < 0? ==> Fire that asshole.
      Or increase his salary?

      Your equation is wrong. It should be:

      (Idiot's gross productivity) - (Idiot's yearly salary) - (Hours IT works to correct problem) × (Avg IT hourly salary) - (Productive hours lost) × (Avg hourly production in dollars) < 0 ? --> Fire the idiot.

  59. Re:Penetration Testing? by LunaticTippy · · Score: 1

    There's usually a backdoor somewhere, often unprotected.

    --
    Man, you really need that seminar!
  60. It's beginning... by Anonymous Coward · · Score: 0

    Just got an IS alert:

    Network and Internet performance for [...] is currently being impacted a virus outbreak.

    The IT Network team is working to identify the systems that have been affected by a virus outbreak at the [...] site. We hope to have everything back up and running as soon as possible.

  61. cocky foreigners by BlueStraggler · · Score: 1

    to look for some 'Cacky Pants'. [...] To me, it describes, "Soiled underwear".

    This is strange, since "khaki" is a British term.

    Although it reminds me of a similar anecdote I heard in Jamaica, where khaki in American pronunciation ("kacky") comes across as "shitty", and in British pronunciation ("kah-ky") comes across as "penis-like". Endless hilarity, unless you're the hapless foreigner.

  62. Response from a fellow Microsoftie... by Anonymous Coward · · Score: 0

    A port is something you sail a ship into.

    Like, duh! :-)

  63. Useless Article by thethibs · · Score: 1

    I suppose I should be more positive and describe this as the "least useful" article I've read in some time. The writers have found eighteen ways to say "Ooooh, it's going to be terrible. Apply the patch!" without saying anything substantive about the threat.

    What's the penetration vector? How is it transmitted? How is it initialized? Is the patch the only protection, or is it enough to make sure no one executes mail attachments? Can it get through firewall NAT and SPI? Etc.?

    There are a lot of questions that could have been answered in the last seventeen paragraphs of the article instead of finding seventeen alternative ways of repeating the same message.

    If, as is likely, there is nothing of substance in the article because there is nothing of substance in the threat, it would seem that this is just another attention-getting device by an organization whose revenue depends on FUD. Isn't "Y2K" a verb yet?

    --
    I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
  64. Re:How will this effect unpatched pirated versions by Anonymous Coward · · Score: 0

    I resent your remarks.

    My "parrot" is grey, not green. She doesn't eat worms, she eats seeds, pasta, rice, and leafy green vegetables. NO, I don't have a patch over my right eye. (http://tielair.blogspot.com).

    I have, however, patched my Windows machine at home.

  65. Re:Pen Testing? - Penetration Testing by Anonymous Coward · · Score: 0

    "Penetration Testing."

    How many times have I to say you Must Stay Away From Intarnet Pr0n???

    (you dirty guy...)

  66. Hasta La Vista, Baby! by jonathansizz · · Score: 1
    I'd even begun hearing from some people that the days of Blaster style attacks are over.
    That's what they're bringing out Vista for. It's been too quiet for the last year or so..
  67. Worms or hand-crafted exploits? by Anonymous Coward · · Score: 0

    So much fuss is about worms. Yes, they're a problem, but they're rather late on the scene.

    Vulnerabilities get exploited against hand-picked targets (financial and business data) for weeks or months all the while the PR team spouts off about no known exploits "in the wild". What a crock.

  68. What is a port by Douglas+Goodall · · Score: 1

    In the TCP/IP protocol suite, each computer with an interface to the network is considered a "host". Each host can have programs running that listen on a specific "port" (consider it a po box). When a packet arrives over the network for that port, the program wakes up and gets the data.
    Regards, Douglas W. Goodall
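
Added example, not part of the original thread: the comments above name ports 137-139 and 445 as the ones to close off, and this sketch parses Windows `netstat -an` output to list the sockets on those ports that accept traffic from other hosts. The sample output is constructed, and the function names are illustrative.

```python
"""Flag NetBIOS/SMB listeners (ports 137-139, 445) in `netstat -an` output."""
import ipaddress

# Ports named in the thread as the ones to defend.
WATCHED_PORTS = {137, 138, 139, 445}

# Constructed sample in the Windows `netstat -an` layout (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    127.0.0.1:445          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:445       192.168.1.30:1090      ESTABLISHED
  TCP    192.168.1.10:1045      192.168.1.20:445       ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
  UDP    127.0.0.1:1900         *:*
"""


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port_string)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), port


def parse_listeners(netstat_text):
    """Return (proto, addr, port) for every socket waiting for inbound traffic."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header, blank line
        proto, local = fields[0], fields[1]
        state = fields[3] if len(fields) > 3 else ""
        # A TCP socket accepts new connections only while LISTENING.
        # UDP has no state column: any bound UDP socket receives datagrams.
        if proto == "TCP" and state != "LISTENING":
            continue
        addr, port = split_endpoint(local)
        if port.isdigit():
            listeners.append((proto, addr, int(port)))
    return listeners


def is_loopback_only(addr):
    """True if the socket is bound to a loopback address (unreachable remotely)."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparseable address: err on the side of reporting it


def exposed_smb_listeners(netstat_text):
    """Listeners on the watched ports that other hosts can reach."""
    return [
        entry
        for entry in parse_listeners(netstat_text)
        if entry[2] in WATCHED_PORTS and not is_loopback_only(entry[1])
    ]


if __name__ == "__main__":
    for proto, addr, port in exposed_smb_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {addr}:{port} is reachable from the network")
```

Established sessions are skipped on purpose: the check reports what a remote host could connect to, not who is already connected.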