Slashdot Mirror


Microsoft to Issue Emergency Patch For File-Sharing Hole

An anonymous reader writes "Microsoft said late Wednesday that it plans to release a critical security update today to plug a security hole present in all supported versions of Windows. The company hasn't released any details about the patch yet, which is expected to be pushed out at 1 p.m. PT. Normally, Redmond issues security updates on Patch Tuesday, the second Tuesday of each month. The Washington Post's Security Fix blog notes that each of the three times in the past that Microsoft has departed from its patch cycle, it was to fix some really nasty vulnerability that criminals already were exploiting to break into Windows PCs." Reader filenavigator points out an article which describes the hole as an SMB vulnerability, and says it "allows anyone to access a Windows machine remotely without any user name or password. Any machine that exposes Windows file sharing is vulnerable." Update: 10/23 17:42 GMT by T : Reader AngryDad adds a link to Microsoft's more detailed memo.

348 comments

  1. Cool by KasperMeerts · · Score: 0, Troll

    Gonna try this one out on the College Network right now. Shouldn't be using Windows if they don't want all their files deleted now should they?

    --
    As long as there are slaughterhouses, there will be battlefields.
    1. Re:Cool by iztehsux · · Score: 5, Funny

      Still got plenty of time before this afternoon to turn your college campus into a botnet!

    2. Re:Cool by Ethanol-fueled · · Score: 4, Insightful

      Don't worry, the NSA and the RBN have plenty of Windows Backdoors(tm) left to use.

    3. Re:Cool by nurb432 · · Score: 1

      Considering how many people run un-patched, I don't think there is any hurry.

      --
      ---- Booth was a patriot ----
    4. Re:Cool by dgatwood · · Score: 2, Funny

      In Soviet college, files serve you?

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    5. Re:Cool by Anonymous Coward · · Score: 0

      Still got plenty of time before this afternoon to turn your college campus into a botnet!

      cfengine is pretty good for stuff like that, as well as ldap

    6. Re:Cool by master5o1 · · Score: 2, Interesting

      Of course, Microsoft allowed the NSA to enter Windows. The RBN had to find their own way through the mess of insecurity to find a nice looking aluminium door.

      --
      signature is pants
    7. Re:Cool by geirnord · · Score: 1

      You, my friend, have just hit the motherlode!

    8. Re:Cool by davolfman · · Score: 1

      Why the heck did they architect end-user versions of Windows to not only HAVE RPC but REQUIRE it for normal operations? The security bulletin on this sounds very much like the one for Blaster and we all know what a disaster THAT was.

    9. Re:Cool by Anonymous Coward · · Score: 0

      Are you kidding dude? I've done tech support on a college campus. You've got months left...years perhaps. It's only this afternoon if you want to include computers that belong to the college, and only that soon if the IT group on campus is competent, which I wouldn't put money on.

      From an evolutionary standpoint, it's almost perversely beautiful that Blaster has survived in the wild for four full years after the vulnerability it exploits was patched.

    10. Re:Cool by Anonymous Coward · · Score: 0

      STFU, Twitter.

    11. Re:Cool by KasperMeerts · · Score: 1

      It was a joke. Funny...
      Jesus, I have no problems at all with Windows users.

      --
      As long as there are slaughterhouses, there will be battlefields.
  2. This is why... by TrippTDF · · Score: 4, Funny

    ...I don't use computers. They are too much of a security risk.

    1. Re:This is why... by TheNecromancer · · Score: 1, Funny

      If you don't use computers, how did you post on /.?

      --
      Attention all planets of the Solar Federation! We have assumed control! - Neil Peart
    2. Re:This is why... by TrippTDF · · Score: 4, Funny

      I don't.

    3. Re:This is why... by The+Gaytriot · · Score: 4, Funny

      Who are you replying to?

      --
      Srsly u guys. U guys, srsly.
    4. Re:This is why... by bradkittenbrink · · Score: 3, Funny

      then I think somebody may have hacked your account...

    5. Re:This is why... by Anonymous Coward · · Score: 5, Funny

      Simple: Call up your ISP and make the correct noises. Real men don't use modems.

    6. Re:This is why... by Lord+Pillage · · Score: 5, Funny

      Weren't you listening? He doesn't use computers therefore he doesn't have an account! Some people just don't get the logic in that...

      --
      try { Signature mysig = new CleverAttempt(); } catch(NonCleverSignatureException e) { postanyway(); }
    7. Re:This is why... by phedre · · Score: 1

      Perhaps he just whistles the proper tones into his phone. So if he makes a lot of typos, it's probably understandable..

    8. Re:This is why... by _Sprocket_ · · Score: 4, Funny

      Simple: Call up your ISP and make the correct noises. Real men don't use modems.

      Whistling in to a phone?! REAL men use butterflies.

    9. Re:This is why... by Ngarrang · · Score: 2, Funny

      If you don't use computers, how did you post on /.?

      Maybe he was dictating his response to someone who does have aaaaaaaaa...

      --
      Bearded Dragon
    10. Re:This is why... by MikeDirnt69 · · Score: 1, Redundant

      If you don't use computers, how did you post on /.?

      Typewriter.

      --
      Am I eval()? - http://www.monst3r.com.br
    11. Re:This is why... by LearnToSpell · · Score: 2, Funny

      Must be a lot of people doing that around here...

    12. Re:This is why... by Rinisari · · Score: 1

      He might be like Don Knuth and have a secretary read all his email and print out the ones to which he should reply, pen his reply, then give it back to the secretary to type and send.

      This man, however, takes that a step further, and perhaps has his secretary print out every /. story and comment so that he can choose which to reply to.

    13. Re:This is why... by dgatwood · · Score: 2, Funny

      No, you got the joke wrong. The correct line is:

      First, he asks his secretary to print the Internet. Then, the secretary prints a bunch of random crap pages. Then, he types up a response on his Underwood No. 5 and sends it to her through a pneumatic tube. Then, the secretary rekeys the information in and sends a printed copy to him via a pneumatic tube for approval, which he then initials and sends back through the tube. Upon receipt of the initialed printed copy, she initials the electronic copy and clicks "submit".

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    14. Re:This is why... by Abstrackt · · Score: 1

      Easy, he picks up the phone and whistles really fast.

      --
      They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
    15. Re:This is why... by Anonymous Coward · · Score: 0

      If you don't use computers, how did you post on /.?

      Typewriter.

      Then IP over Avian Carriers

    16. Re:This is why... by the_B0fh · · Score: 2, Funny

      This is slashdot! If he's capable of listening, he would have gotten a girlfriend, and would have a real life instead, but here he is, posting on slashdot, so, obviously he is not capable of listening.

    17. Re:This is why... by Niten · · Score: 2, Funny

      You can even get DSL if you have a good enough falsetto.

    18. Re:This is why... by WhiplashII · · Score: 1

      Perhaps he died while posting it...

      --
      while (sig==sig) sig=!sig;
    19. Re:This is why... by Anonymous Coward · · Score: 0

      Yeah, we know.

    20. Re:This is why... by tsalmark · · Score: 1

      Butter doesn't fly, does it?

    21. Re:This is why... by g-san · · Score: 4, Funny

      Yeah but you only get half-duplex unless you learn circular breathing...

    22. Re:This is why... by BlueStrat · · Score: 1

      If you don't use computers, how did you post on /.?

      Easy, he just uses "old-skool" text transmission/reception equipment like this:

      http://www.virhistory.com/navy/commsta/frupac-0050-vi.jpg

      -along with the appropriate A/D-D/A converters and a modem.

      Typos can be explained by a noisy vacuum tube.

      Dang kids! Get off my lawn!

      Cheers!

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    23. Re:This is why... by Anonymous Coward · · Score: 0

      I don't use computers. They aaaaarrrrrrrrrr............. .. .. .

      Maybe he was dictating?

    24. Re:This is why... by ridgecritter · · Score: 1

      Along with cottage cheese. A friend's 4 year old daughter, when we were walking in a park and saw a butterfly, asked me "Are there cottage cheese flies?". Put a smile on my face for the rest of the day. And I told her yes, but they're very, very shy and so they're hard to find.

    25. Re:This is why... by Anonymous Coward · · Score: 0

      This might be one of the more retarded threads on /. EVAR.

    26. Re:This is why... by fractoid · · Score: 1

      Only one tube? That's oldskool!

      --
      Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
    27. Re:This is why... by djdavetrouble · · Score: 1

      If he's capable of listening, he would have gotten a girlfriend

      Very sage advice hidden within a sarcastic comment.

      --
      music lover since 1969
    28. Re:This is why... by silent_artichoke · · Score: 1

      But he's not here posting on slashdot since he doesn't use computers. So he IS capable of listening...

    29. Re:This is why... by cromar · · Score: 1

      Real men don't have anything to do with butterflies. Or XKCD ;)

    30. Re:This is why... by TrippTDF · · Score: 1

      Actually, I got married about three weeks ago...

    31. Re:This is why... by phagstrom · · Score: 1

      Chuck Norris? Is that you?

  3. Let's hope by cnettel · · Score: 5, Funny

    Let's hope that the renewed Samba compatibility effort by MS means that this bug will be ported over.

    1. Re:Let's hope by Anonymous Coward · · Score: 5, Interesting

      It was probably the shared Samba experience that gave them the idea on how to fix the bug.

      I don't understand how the bug works, but I know one has been around. You can find hack tools for script kiddies out there that will exploit this automagically for people. I have even used it in the past to get some files from a computer that no one knew the password to and the key to the server room was broken off in the lock making physical access impossible until a locksmith was available.

      Thankfully, the old tech (who broke the lock on his way out after resetting everyone's password) kept all the passwords in scripts that I could recover and use to change passwords to something usable. The owner of the company wanted me to testify in court to the old tech's actions and even offered me a permanent contract, I told him all I wanted was a check, I don't want anything to do with a company that pissed their old tech off that bad after 5 years of service.

    2. Re:Let's hope by kesuki · · Score: 1

      and they modded me +5 funny for 'it's a feature' http://it.slashdot.org/comments.pl?sid=130544&cid=10893558 when smbfs (now samba) had a remote execution of attacker supplied code bug.

      i am so proved right.

    3. Re:Let's hope by Anonymous Coward · · Score: 0

      the key to the server room was broken off in the lock

      Damn you, Tibor!

    4. Re:Let's hope by Anonymous Coward · · Score: 2, Funny

      This sounds like a lie. There is no public exploit out for this.

  4. Maybe.. by cirrustelecom · · Score: 2, Funny

    At least they didn't describe it as a MAC vulnerability

    --
    "No, but understanding is not required, only obedience."
    1. Re:Maybe.. by abigor · · Score: 1

      What would it have to do with Media Access Control?

    2. Re:Maybe.. by Anonymous Coward · · Score: 0

      Media what? He obviously meant Macaroni And Cheese.

    3. Re:Maybe.. by g-san · · Score: 1

      If you disconnect from the network, you are no longer vulnerable!

  5. Damn Fossies by Ynot_82 · · Score: 2, Funny

    Those damn FOSSies can gain access to SMB shares
    Quick, patch it....

  6. More info already posted... by Spazholio · · Score: 4, Informative
    1. Re:More info already posted... by DevConcepts · · Score: 1

      "This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, and rated Important for all supported editions of Windows Vista and Windows Server 2008."

      At least my Win95 & Win98 is secure!

    2. Re:More info already posted... by Anonymous+Scoured · · Score: 1

      Even more from technet. http://blogs.technet.com/swi/

  7. FREEOWW!!! by mcgrew · · Score: 2, Interesting

    allows anyone to access a Windows machine remotely without any user name or password. Any machine that exposes Windows file sharing is vulnerable

    Yet this comment in the "Can You Trust Anti-virus Rankings?" thread, where I noted that a dual boot with internet for linux and with networking disabled in Windows was better than AV was modded down. Of course, a lot of MSCEs and Microsoft employees come to slashdot, and I'm sure a few get mod points once in a while. No matter, my karma's fine.

    And yes, kiddies, you DO need a firewall for ANY OS and any OS is prone to trojans. But no AV will protect you against an unknown trojan OR the vuln mentioned in TFA, and no firewall will keep out someone you explicitly let in.

    <tinfoil hat>
    Some might wonder if this vuln was introduced on purpose as a weapon against the Pirate Bay? You can bet that a lot of people are uninstalling Kazaa, Morpheus, and all other legit and illegit P2P apps. Getting rid of P2P is a blow against FOSS and indie music.

    1. Re:FREEOWW!!! by flyingfsck · · Score: 2, Funny

      "Any OS must be behind a firewall" - So do you put your firewall behind a firewall?

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    2. Re:FREEOWW!!! by GlassHammer · · Score: 1

      That's funny, my home setup is dual boot linux(Fedora) and Windows XP. Linux can connect to the internet and Windows can't. Seems to work fine for me.

    3. Re:FREEOWW!!! by Anonymous Coward · · Score: 1, Informative

      This is a problem with filesharing over local networks using SMB. Not P2P transfers. This has nothing to do with piracy.

    4. Re:FREEOWW!!! by Zironic · · Score: 0, Flamebait

      windows file sharing has to my knowledge absolutely nothing to do with any P2P program.

    5. Re:FREEOWW!!! by truthsearch · · Score: 1

      At my office we have a few Windows computers just for testing. Those dedicated machines, connected to the internet and with anti-virus, have had a fair amount of issues (suspicious background processes, excessive network usage, etc.). I test with Windows running inside of Parallels, typically only "networking" to localhost, and my copy with no anti-virus has had no problems at all.

      So I completely agree with you... even if your post has already been modded flamebait.

    6. Re:FREEOWW!!! by hplus · · Score: 1

      Disclaimer: I don't think that the tinfoil hatter is correct that this is in any way designed to combat piracy. Since you are posting on /., your technical knowledge is obviously higher than the average person's. Thus, whether or not SMB has anything to do with P2P to your knowledge is irrelevant. The important thing is if they are related in the mind of the average computer user, whose kid pirates the occasional album/movie.

    7. Re:FREEOWW!!! by Anonymous Coward · · Score: 5, Funny

      It's firewalls all the way down.

    8. Re:FREEOWW!!! by rootofevil · · Score: 1

      there was an old one, back in 2000-ish that had a web interface, and downloads were basically just copying from other open windows shares. can't remember what the name of it was though.

      --
      turn up the jukebox and tell me a lie
    9. Re:FREEOWW!!! by Zironic · · Score: 1

      Would those people even read about this vulnerability to begin with?

    10. Re:FREEOWW!!! by hplus · · Score: 1

      I'm not sure - how specific is the description in Windows Update?

    11. Re:FREEOWW!!! by mcgrew · · Score: 0, Redundant

      Your home setup is exactly how I describe it - Linux on the net (I'm using Mandriva) and networking disabled in Windows.

      I see the astroturfers modded me down. And they talk about US!

    12. Re:FREEOWW!!! by mcgrew · · Score: 0, Flamebait

      Cue Nelson:

    13. Re:FREEOWW!!! by mcgrew · · Score: 1, Troll

      Yeah, I saw that. My karma can take a beating so I don't care, but it irks me that there are so many MSCEs with such low self esteem that they would mod any comment unfavorable to Microsoft, no matter how valid, reasoned, concise, and polite, as "flamebait" and "troll".

      I guess Bill Gates (as quoted by uncyclopedia in the "slashdot country" entry) was wrong when he said "Netcraft confirms it - Slashdot *is* filled with Linux fanboys." because every time I say something positive about Linux, or have the slightest criticism of Microsoft or any of its products, the hordes of astroturfers descend.

      I'd say it's full of MSCEs with low self esteem. Poor kids.

    14. Re:FREEOWW!!! by Zironic · · Score: 1

      Probably not more specific than the security bulletin which didn't mention any details at all (unless you happen to know what an RPC request is).

    15. Re:FREEOWW!!! by Lobster+Quadrille · · Score: 1

      No, I just plug it into itself.

      --
      "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
    16. Re:FREEOWW!!! by Lobster+Quadrille · · Score: 3, Insightful

      Maybe they're not astroturfers. Maybe you're just annoying.

      --
      "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
    17. Re:FREEOWW!!! by marcosdumay · · Score: 1

      Man, the latency of your network must suck.

    18. Re:FREEOWW!!! by cez · · Score: 2, Funny

      \\ ?

      --
      Walk with Music;
    19. Re:FREEOWW!!! by morgan_greywolf · · Score: 1

      Even better, if you don't care about DirectX or gaming: Get a box with lots of RAM. Run Windows under virtualization. Make sure the VM can't connect to the Internet.

      Done. No dual boot required (which is a royal PITA to setup) and you can access Windows and Linux simultaneously.

      If you do care about gaming, you really need a separate box for gaming anyhow, as any avid gamer can tell you, it makes things a lot easier.

    20. Re:FREEOWW!!! by caluml · · Score: 2, Funny

      Aaah, so that's what the loopback interface is for...

    21. Re:FREEOWW!!! by shutdown+-p+now · · Score: 1

      It's firewalls all the way down.

      Not at all - it's 4 firewalls on top of a NAT.

    22. Re:FREEOWW!!! by OriginalArlen · · Score: 1

      I saw the light on the "all systems need a firewall" thing after reading an excellent presentation called "My Dad's Computer: Microsoft and the future of internet security" by distinguished infosec professor, practitioner, etc Bill Cheswick. I have a slide from that printed up and stuck to the side of my home rack*, I can read it from here:

      "I've been skinny dipping on the Internet for years.

      • FreeBSD and Linux hosts
      • Very few, hardened network services
      • Single-user hosts
      • Dangerous service placed alone in sandboxes
      • No known break-ins
      • No angst

      ...and ever since I started practicing that credo, same here, too. It also saves you the false sense of security that a firewall gives. Guess what, if you have insecure services running, a mistake on the firewall (or an attack from an internal host, or other source permitted to access that service) then a firewall's not going to save you. Turn 'em off. This laptop has apache (only running when needed, which is rarely and for local filesharing and a little light scripting only); sshd - ditto; CUPS - not externally accessible; X - ditto. Oh and (a secure) finger server, cos I wanted to demo the protocol to one of the kids in the office.

      It takes a little longer to build a new machine, but the upside is you learn a lot reading the man pages.

      * No, of course I haven't got a full-height rack in my bedroom; I'm a fully-grown adult, not a professional nerd. It's a half-height unit that doubles as a printer stand.

      --

      Everything I needed to know about life, I learnt from Blake's Seven
    23. Re:FREEOWW!!! by mcgrew · · Score: 1

      No, of course I haven't got a full-height rack in my bedroom; I'm a fully-grown adult, not a professional nerd. It's a half-height unit that doubles as a printer stand

      That would make an excellent sig if it weren't for the 120 character limit.

    24. Re:FREEOWW!!! by SL+Baur · · Score: 1

      My karma can take a beating so I don't care, but it irks me that there are so many MSCEs with such low self esteem that they would mod any comment unfavorable to Microsoft, no matter how valid, reasoned, concise, and polite, as "flamebait" and "troll".

      So can mine, and you are correct, though I'm not sure about the MSCE part. Most of the downmods ("overrated" usually) take place days after the article was posted when few people are reading.

  8. Samba Interoperability? by Philip+K+Dickhead · · Score: 2, Funny

    Why patch? Looks like they went a long way to achieve this already!

    --
    "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
    1. Re:Samba Interoperability? by TeacherOfHeroes · · Score: 2, Funny

      I agree!

      Every time that a new software bug or vulnerability is uncovered, I feel better and better about my choice to stick with an abacus instead of using these computer things.

      Yes, it would be convenient to have it in my home or office, but you never know when some giant glaring exploit is going to appear and leave you open to pwnage due to some software company drinking a cold frosty can of fail.

      Days like this justify my paranoia.

    2. Re:Samba Interoperability? by Tawnos · · Score: 5, Insightful

      I suppose, by your logic, that Debian should ship with ssh turned off as well, because it had a hole. Sure, it would be convenient to have on your network, but you never know when the OSS community has been drinking from the cold frosty watercooler of fail. Sounds dumb when it's put that way, doesn't it?

      As for the "90% of users wouldn't need it anyway": [citation needed]. Even my parents and friends without a clue often need to use file sharing.

    3. Re:Samba Interoperability? by Jeremiah+Cornelius · · Score: 1, Offtopic

      In Sony Russia, CD-ROM burns you!

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    4. Re:Samba Interoperability? by Goldberg's+Pants · · Score: 0, Troll

      Now in Debian, no. People using that are automatically more knowledgeable and know the potential risks. Plus OSS has its house in far more order than Microsoft ever will.

      And your friends without a clue, did they turn to you for assistance? Because if so, that sort of proves my point. It's not so much this stuff being turned on by default, as in people not knowing about it or how to use it.

      Having all this stuff turned on out of the box is like having all your doors open. There's no guarantee anything bad will happen, but it will certainly increase the chances.

      If anyone (who isn't the original poster as an AC) can confirm they know people "without a clue" who use Windows file sharing, please enlighten me, as I have never known ANYBODY who has used it outside of a corporate environment.

      But even if people do, it's irrelevant really, as the MAJORITY of users are just one computer sitting on an internet connection, and no amount of random "parents and friends without a clue" blithering is going to change that.

    5. Re:Samba Interoperability? by Allador · · Score: 1

      You make it a regular practice to shut down the Server and Computer Browser service?

      The only place I can even imagine this working is in homes with only 1 PC. Any other situation, and that's going to be a real pain.

      Without these services you can't share files on the networks, can't share printers, and can't browse the local network for CIFS/SMB stuff.

      Many things expect the server service to be running.

    6. Re:Samba Interoperability? by Sj0 · · Score: 2, Funny

      I agree!

      Every time that a new software bug or vulnerability is uncovered, I feel better and better about my choice to stick with my fingers and toes instead of using these computer things (20 bits ought to be enough for anyone).

      Yes, it would be convenient to have it in my home or office, but you never know when some giant glaring exploit is going to appear and leave you open to pwnage due to some software company drinking a cold frosty can of fail.

      Days like this justify my paranoia.

      --
      It's been a long time.
    7. Re:Samba Interoperability? by Waffle+Iron · · Score: 1

      I suppose, by your logic, that Debian should ship with ssh turned off as well

      I don't know about Debian, but most distros I've used lately haven't had the sshd service enabled (and sometimes not even installed) by default.

    8. Re:Samba Interoperability? by Tawnos · · Score: 2, Insightful

      http://www.nizkor.org/features/fallacies/special-pleading.html

      I request you don't make special pleading for Linux when not providing sources or even anecdotal evidence. People using a certain OS don't automatically get a free pass as being "more knowledgeable" - especially considering the advocacy of Linux users trying to turn their friends on to the product. The fact you call out the corporate environment shows that there's a huge market that needs/uses file sharing (and the associated network services: print sharing, discovery, etc).

      I wasn't stating that all people without a clue use it, but that there are those who do. My parents use it for business, my "friends without a clue" use it so they can break copyright law more easily ("oh, you downloaded ASDF cd? can I get that from your computer?") and share documents between laptop and desktop.

      On top of all this, Vista has network separation that doesn't turn some of this stuff on depending on what network you choose. This means file sharing isn't on for public networks, but is for home and work, because those cases have been found to be needed by enough home users to justify turning it on.

    9. Re:Samba Interoperability? by mweather · · Score: 2, Insightful

      Debian does ship with ssh turned off.

    10. Re:Samba Interoperability? by atraintocry · · Score: 5, Insightful

      Most of us "muppets" are happy to block 139 and its cousins at the firewall and be done with it. It's a LAN service. Assuming your network is secure from the outside, you can have your cake and eat it too.

      If in your paranoia you somehow neglected to secure your WLAN, you *do* need to worry about this.

      Either way, shutting off useful parts of the OS because you're afraid of an exploit is more cargo cult thinking than paranoid thinking. If you can't tell at any given time who's on your LAN, you need to get that under control. No OS is immune to the workings of a bad administrator.

      I see your later post is an example of the "no true scotsman" fallacy. Plenty of people with a clue use windows file sharing, because they know what's going on in their network and at what layer(s) their security needs to be applied. People who have a clue avoid the "I automatically do X because Y is automatically bad" approach.

      I happen to be of the opinion that open source software is more secure by virtue of its openness, which is an opinion that not everyone here shares. But that doesn't mean that I refuse to use Windows file sharing because it may or may not have an exploit. Again, this is not critical if every Tom/Dick/Harry isn't hanging out on your LAN, (or you aren't at a college, hotel or what have you). That said, this *is* ridiculous on MS's part and I have this update deadlined right now.
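
A defender-side check for the exposure discussed in the comment above, as an added example that is not part of the original thread: it parses Windows `netstat -an` output and lists NetBIOS/SMB listeners bound to anything other than loopback. The sample output and the function name are constructed for illustration; TCP 139 comes from the comment, while TCP 445 and UDP 137/138 are assumed here to be the "cousins" it refers to.

```python
import ipaddress

# TCP 139 is the port named in the comment. TCP 445 (SMB directly over TCP)
# and UDP 137/138 (NetBIOS name and datagram services) are assumed to be
# the "cousins" it mentions.
SMB_PORTS = {("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 138)}

# Constructed sample in the layout printed by `netstat -an` on Windows.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:445       192.168.1.31:50122     ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    192.168.1.20:137       *:*
  UDP    192.168.1.20:138       *:*
"""


def exposed_smb_listeners(netstat_text):
    """Return (proto, address, port, scope) for each NetBIOS/SMB socket
    that is listening on a non-loopback address."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line or unrelated text
        proto, local = fields[0], fields[1]
        # TCP rows carry a state column; only listeners matter here.
        # UDP rows have no state and are always bound sockets.
        if proto == "TCP" and fields[-1] != "LISTENING":
            continue
        host, _, port = local.rpartition(":")
        if not port.isdigit() or (proto, int(port)) not in SMB_PORTS:
            continue
        try:
            # IPv6 addresses are printed in brackets, sometimes with a zone id.
            addr = ipaddress.ip_address(host.strip("[]").split("%")[0])
        except ValueError:
            continue  # not an address we can classify
        if addr.is_loopback:
            continue  # reachable only from the machine itself
        scope = "all interfaces" if addr.is_unspecified else "one interface"
        findings.append((proto, str(addr), int(port), scope))
    return findings


if __name__ == "__main__":
    for proto, addr, port, scope in exposed_smb_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {port} bound to {addr} ({scope})")
```

A listener bound to all interfaces is reachable from every network the machine joins, so whether it is actually exposed depends on the firewall in front of each of those networks.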

    11. Re:Samba Interoperability? by Godji · · Score: 2, Informative

      Have you even looked at the OpenSSH source code?

      It's a bit ugly, not very consistent, almost completely undocumented, but it's very secure by design. Please don't take my word for it. Read this and then look at the source code.

      Now have you looked at the Windows SMB server source code? I rest my case.

    12. Re:Samba Interoperability? by marcosdumay · · Score: 2, Informative

      Debian does ship with ssh turned off. By the way, it ships with no ssh server even installed.

      Ssh is a dangerous piece of software, that can make your machine quite vulnerable if you don't know it is running and don't protect it accordingly (good passwords or only key authentication).

    13. Re:Samba Interoperability? by Tawnos · · Score: 3, Insightful

      I wonder how you can claim that ugly, inconsistent, undocumented code is "secure by design" versus code you can't see. You're asserting that it must be bad because you don't see it and that openssh must be good because you can see it, a logical fallacy (especially considering your comment that it's ugly, not consistent, or documented...how can one vet something like that?).

      As for looking at the SMB server source code... not in my area of Windows (I'm in desktop graphics technology), but I suppose I could look at the diff for the patch. One thing I do know is that, by and large, code is a bit ugly, consistent, and documented well here, though.

      The comment regarding ssh (a service I consider a necessity on any Linux box) with Debian was because there was a huge problem ( http://it.slashdot.org/article.pl?sid=08/05/13/1533212 ) introduced into Debian's ssh stream. Secure by design or not, the scheme was broken because of a human mistake. Those kinds of mistakes can happen in OSS or closed source, and I don't think treating one as specially exempt from the problem is an honest view of the world.

    14. Re:Samba Interoperability? by khellendros1984 · · Score: 2, Insightful

      Everyone I knew in college used it for file transfer within on-campus housing. It was convenient with everyone being on the same network. It's also my preferred method to transfer things around the network at home. Plus, there's a growing market of NAS boxes for home use.

      --
      It is pitch black. You are likely to be eaten by a grue.
    15. Re:Samba Interoperability? by Anonymous Coward · · Score: 0

      Whoops, I meant to type "I see your later post *as*", which would have been slightly less dickish.

    16. Re:Samba Interoperability? by Danny+Rathjens · · Score: 1

      Debian stable does ship with ssh off by default.

    17. Re:Samba Interoperability? by billcopc · · Score: 0, Troll

      Mods, if you can read English, I'd like to bring your attention to a very useful tool: Sarcasm.

      The parent post is an example of this wonderful linguistic device. Study, learn and master it.

      And stop downmodding perfectly valid comments just because your lives are too dull and closeted to grasp the double-edged humor that is sarcasm. Sometimes the only way to properly express a problem is to turn it inside out like this.

      --
      -Billco, Fnarg.com
    18. Re:Samba Interoperability? by flosofl · · Score: 2, Insightful

      Most of us "muppets" are happy to block 139 and its cousins at the firewall and be done with it. It's a LAN service. Assuming your network is secure from the outside, you can have your cake and eat it too.

      Well, that's only the *direct* vector of exploitation from external. There's quite a few indirect There's already a trojan in the wild trying to leverage this issue. And users are users. As in "muppets" may not be too far off. I work in a very large environment and we are setting a 3 day deadline for testing and deployment. In fact I just got off the phone with IBM and EDS (manage some of our regions) and MS regarding this issue.

      Additionally, having a soft chewy internal network is a big problem as well. You cannot discount deliberate attacks from the inside. Or idiots clicking links and opening attachments. Yeah, external links and attachments should be under control, but really this issue is really too serious. Any machine within an MS domain could exploit the server.sys RPC issue on any other machine sans authentication.

      Really, your best bet is to test this quickly and deploy.

      --
      "This calls for a very special blend of psychology and extreme violence" - Vyvyan "The Young Ones"
    19. Re:Samba Interoperability? by g-san · · Score: 1

      Even my parents and friends without a clue often need to use file sharing.

      And I'll bet they use the modern version of sneaker-net: USB drives. If they are without clue, I seriously doubt they would be able to get two systems talking on a network. Windows is so damn finicky between versions that I usually end up firing up the FTP server if I don't have a USB drive. Muck with this enough "to get it working" and parental users end up having their whole drive shared with guest access.

      And it's just great to know that there are these huge gaping holes that have obviously been seen in the wild but not made public yet. I think in the old days, black hats wrote worms that made a huge splash in the news. Now, when there are vulnerabilities found, the underground keeps it quiet, and abuses the hell out of it stealthily. Why go for headlines when you can steal identities?

      Can you imagine finding the source of how someone keeps owning your boxen, then realizing the magnitude of the hole? After reporting it to Microsoft there are probably weeks where you have a wide-open backdoor to every Windows system connected to the internet. Just click the pi...

    20. Re:Samba Interoperability? by supernova_hq · · Score: 2, Interesting

      Why not just add a "do you want to enable file sharing" the first time a user tries to use it?

      Chances are if you have more than one machine (thus needing file sharing), you have a firewalled router between you and the internet anyways.

      The part that pisses me off the most about windows filesharing is that you use the same controls to share files with other users on the same computer as you do to share them with other computers? Why are these the same service at all?!?

      I remember in high school, we took a look through network neighbourhood and saw every computer in the school district, including personal machines owned by principals, secretaries, etc. It would have been less than trivial to drop some "interesting" hyperlinks into the startup folder of the shared start menu (why is the fucking start menu shared over the network?!?) and cause someone to have a REALLY bad day. Sure the network admin should be disabling these on school comps, but he has little control over personal laptops and school salaries don't exactly pull in the most experienced network admins...

    21. Re:Samba Interoperability? by element-o.p. · · Score: 1

      Tawnos is correct. Whether you are talking about SSH on Debian or SMB on Windows, the concept is the same. OS's *should* ship with services turned off by default. If you don't know enough to turn on the service then you don't know enough to secure it and you probably don't need it. That's one of the things I like about a lot of Linux distros -- they ask you if you want the various services turned on during install, and leave them off if you don't (or, like Gentoo, simply leave them off until you manually turn them on during/after install).

      Since this is /., I'll follow up with a bad car analogy: if you don't know how to start the car, you have no business driving it on the roads with other people.

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    22. Re:Samba Interoperability? by gmuslera · · Score: 1

      It is the right way to do it. At least Microsoft is the one changing its own implementation to get closer to Samba (which didn't have the hole), rather than Samba once more having to duplicate Microsoft's implementation bug^H^H^Hfeatures to remain compatible.

    23. Re:Samba Interoperability? by Godji · · Score: 4, Insightful

      All three - ugly, inconsistent, and uncommented - make understanding the code more difficult. They do not make it impossible to go over.

      Having spent a large amount of time looking into (the lowest layer of) OpenSSH, I can say it is very secure. Ugly, inconsistent, and uncommented together do not imply that the code is bad - that's your logical fallacy. (Besides, ugly and inconsistent are subjective.)

      That does not change the fact that anyone (even me!) can look at OpenSSH, find problems in it, and fix it. Microsoft's code is secret, may or may not have glaring bugs in it, and nobody else can fix a problem even if it's known.

      The link you posted is a testament to this. The problem was found and fixed extremely quickly. I can't trust Microsoft with the same response, and nobody else should trust them either.

      Human error can happen to every code. But the open source ones we can fix.

    24. Re:Samba Interoperability? by nexu56 · · Score: 2, Insightful

      I suppose, by your logic, that Debian should ship with ssh turned off as well, because it had a hole.

      You're comparing apples and oranges. The equivalent service on Debian is Samba, which is turned off by default in Debian.

    25. Re:Samba Interoperability? by bobgap · · Score: 1

      Firefox on an Abacus!?

    26. Re:Samba Interoperability? by Anonymous Coward · · Score: 0

      If in your paranoia you somehow neglected to secure your WLAN, you *do* need to worry about this.

      Except there is no such thing as a secure WLAN...

    27. Re:Samba Interoperability? by Anonymous Coward · · Score: 0

      So when Joe user gets the bug via a website that's infected, public WIFI, or by letting his kids surf on the laptop over the weekend, what's going to stop the bug from spreading all over your network when he brings the device back in on Monday?

      Did you even read the technical details about this issue?

    28. Re:Samba Interoperability? by Anonymous Coward · · Score: 0

      If you debootstrap a base system, ssh isn't even installed.
      Furthermore, I don't think ssh is installed on a default Ubuntu desktop. Now Debian is much more server and advanced user focused, so it should come with ssh as 90% of users will use it. But unless I'm mistaken Ubuntu doesn't have ANY ports open by default and doesn't even have the stuff installed unless you turn it on. So.... uh... when you turn it around...well...that IS what we do.

    29. Re:Samba Interoperability? by Kaboom13 · · Score: 1

      So, you think your firewall makes you immune? That just stops random scanning from infecting you. If this gets turned into a worm, as I suspect it will if not already has, all it will take is 1 client to get infected to spread through your network like wildfire. Unless all your users can't download attachments or files, can't bring files on cd or usb drives, can't visit web sites without the latest version of flash, java, and whatever web browser they use, and can't get attacked through any number of known security issues that are of a lesser priority, you are vulnerable. The problem is not that a security hole exists that can compromise systems, even the best networks have tons of those when you mix in users. The problem is how easily this attack can be completely automated and spread. 1 compromised machine can compromise the rest (if they aren't patched of course) very quickly. Your everyday security patches are generally about browser exploits, escalation of privilege exploits, etc. that require some user interaction or attack vector that limits their spread.

    30. Re:Samba Interoperability? by atraintocry · · Score: 1

      I should have been clearer...if you're not on a network you trust, definitely shut off Windows file sharing. It *is* buggy. And who are you going to be sharing files with on an unknown network anyway?

      But at home, I shoot for convenience. In that situation, both the technical (what the firewall's doing) and social (what his kids are doing) can be taken into account. You don't need to resort to FTP or sneakernetting. When we only had one computer, I had a lot of the network services shut off. But now we have more than one and they're useful to have on.

      I do think that the exploit is a big deal, and that it reflects poorly on MS and SMB. All the boxes I'm responsible for were patched within a couple of hours. My issue was with the idea that occasional or potential exploits somehow justify avoiding useful technology, especially when in a properly secured network, the chances of this affecting you are low enough that you're better off making good use of the technology. Having dealt with crap like LANtastic causes you to not take built-in file sharing for granted.

      Also, I got the feeling it was pretty much an "MS sux0rs, other OSes are more secure because they're made from fairy farts" post. And I misread the "muppet" bit. But OP was wrong anyway: they do ship Windows with file sharing turned off. You have to specifically enable it by either going through a wizard that enables Windows firewall or clicking off a dialog that says something like "this is risky".

    31. Re:Samba Interoperability? by atraintocry · · Score: 1

      Flat out immunity would be nice but I'm not banking on it. But I do feel safe enough that I'm not about to shut off Windows file sharing for most of the workstations. We use it extensively. We've got web-filtering, AV, we stay patched, and I'm lucky to have a small enough network that I never have to guess what's going on.

      The users are limited, though not locked down as far as you describe. Most days, I wish they were :D

    32. Re:Samba Interoperability? by Dahan · · Score: 0

      The link you posted is a testament to this. The problem was found and fixed extremely quickly. I can't trust Microsoft with the same response, and nobody else should trust them either.

      It took two years before the problem was found... if that's what you consider "extremely quickly," then MS must be ludicrously fast. From the link in question, "a Debian packager modified the source code of OpenSSL back in 2006 ..."

    33. Re:Samba Interoperability? by ITJC68 · · Score: 1

      OK. I must speak up here. Not everything in an operating system has to be open for "fixes". Who is to prevent someone from putting a "fix" in an OS that makes another vulnerability? I am not an advocate of M$ by any means but you can't have thousands of different versions of different patches created by individuals and expect M$ to support and fix it. This BTW is the same for Apple but yet no one questions them 1/10th as much. At least we all have a choice of using Windows/ Linux on a PC or OSX on an Apple/Mac. At least with a PC we have a choice. I will get off my soapbox now and pass it on.

    34. Re:Samba Interoperability? by Godji · · Score: 1

      In an open-source project, putting in such a "fix" would require fooling everyone responsible for getting that patch accepted upstream, including explaining to them why that patch is necessary in the first place, and hiding it so well that nobody in the future will ever notice it. Practically impossible.

      Of course Apple is like Microsoft - they are both proprietary OS vendors. I question them almost as much, the almost coming from the fact that at least their foundation, Darwin, is somewhat open.

  9. i want to see a worm by Anonymous Coward · · Score: 0

    please, code it fast!!!, and make it as nasty as you can.

  10. Pretty serious by IceCreamGuy · · Score: 5, Informative

    I first saw this a couple days ago on the CERT bulletin, http://www.us-cert.gov/cas/bulletins/SB08-294.html, and http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4038, most serious vulnerability I've ever seen up there:

    Access Vector: Network exploitable
    Access Complexity: Low
    Authentication: Not required to exploit
    Impact Type: Provides administrator access, Allows complete confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service

    In other words: any idiot on your network can gain admin access to any attached Windows-based system with file-sharing enabled. I'm really glad that they're releasing an emergency patch for this, because that's a pretty fucking crazy description of an exploit, especially since it affects all versions of their last 10 years of operating systems.

    1. Re:Pretty serious by Anonymous Coward · · Score: 0

      Actually that was a different (though similar) vulnerability it looks like. They linked to http://www.microsoft.com/technet/security/Bulletin/MS08-063.mspx but this is MS08-067.

    2. Re:Pretty serious by networkzombie · · Score: 0
    3. Re:Pretty serious by Lord+Ender · · Score: 4, Informative

      That's not the scary part. The scary part is that this can be made into a worm which uses a service which is installed by default on almost every windows system, and does not require user interaction to exploit. It's the perfect worm-bait. It's like a von neumann machine near the galactic core.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    4. Re:Pretty serious by IceCreamGuy · · Score: 1

      MS08-067 is an RPC vulnerability, and is indeed linked to in the summary as of the most recent update. However, the summary also states that it is an SMB vulnerability, which is MS08-063. I think one of the updates in the summary is talking about the wrong vulnerability, since they really aren't that similar. It appears from this article, though, that they are actually releasing the emergency patch for the SMB exploit in MS08-063, not the RPC vulnerability.

    5. Re:Pretty serious by IceCreamGuy · · Score: 2, Informative

      Dude, you have to use the "static link" on the NIST page for that to work...

    6. Re:Pretty serious by secPM_MS · · Score: 2, Informative

      Actually, it is rather more like the Zotob vuln than the Blaster vuln. It is a crit on earlier systems, but requires authenticated privileges on Vista and 2K8 server due to the implementation of the integrity level defenses in Vista and 2K8. That said, the potential for damage with this vulnerability is high and there were reports of attacks in the wild. Thus, Microsoft released out of the standard release cycle.

    7. Re:Pretty serious by Anonymous Coward · · Score: 0

      The question I might have is who knew what and when.

      How do we know that they didn't already know about this and did nothing until a point in which a regulatory/authoritative entity said something?

    8. Re:Pretty serious by marcosdumay · · Score: 1

      "In other words: any idiot on your network can gain admin access to any attached Windows-based system with file-sharing enabled."

      Looking at it from that point of view... I hope most admins don't back up their LDAP servers by file shares.

    9. Re:Pretty serious by IceCreamGuy · · Score: 1

      rsyncd, baby!

    10. Re:Pretty serious by networkzombie · · Score: 0
    11. Re:Pretty serious by IceCreamGuy · · Score: 1

      Ah, no, I haven't, pretty scary shit!

    12. Re:Pretty serious by shutdown+-p+now · · Score: 1

      Actually, it is rather more like the Zotob vuln than the Blaster vuln. It is a crit on earlier systems, but requires authenticated privileges on Vista and 2K8 server due to the implementation of the integrity level defenses in Vista and 2K8.

      Given that the majority of boxes out there still run WinXP and Win2K3, yes, I'd say that it is in practice as bad as Blaster.

    13. Re:Pretty serious by kill-1 · · Score: 1

      Any vulnerability with the properties mentioned by the OP can be made into a worm. There is no special, extra scary worm property.

    14. Re:Pretty serious by Lord+Ender · · Score: 1

      You're wrong. Reliable payload execution without requiring user interaction on a widely-deployed service are all conditions for a special, extra scary worm.

      There are many "wormable" vulnerabilities, but most have limiting factors which make them far less dangerous than this one.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    15. Re:Pretty serious by Whiteox · · Score: 1

      The notice that was sent to me stated that I should contact the Federal Police if I think I've been 'infected'.
      Sounds serious.

      --
      Don't be apathetic. Procrastinate!
    16. Re:Pretty serious by SL+Baur · · Score: 1

      In other words: any idiot on your network can gain admin access to any attached Windows-based system with file-sharing enabled.

      Most appear to be and have they ever considered the consequences of such a setup in any public area like an airport, hotel, etc.?

  11. Does this mean . . . by arizwebfoot · · Score: 4, Funny

    I need to dust of my IMB Selectric III?

    --
    Beer is proof that God loves us and wants us to be happy.
    1. Re:Does this mean . . . by Akardam · · Score: 4, Insightful

      Perhaps if you're going to do that you might want to dust off your typing skills, as well...

    2. Re:Does this mean . . . by arizwebfoot · · Score: 1

      What's wrong with my Selectric III?

      --
      Beer is proof that God loves us and wants us to be happy.
    3. Re:Does this mean . . . by Anonymous Coward · · Score: 0

      What's wrong with a Selectric III, I've had a I, a II, and a III? Heavy as boat anchors.

    4. Re:Does this mean . . . by TinFoilMan · · Score: 1

      I've had a Selectric III as well, loved being able to change out the font balls.

      --
      In my other life, I eat cats.
    5. Re:Does this mean . . . by Virmal · · Score: 1

      No. Just patch that WFW 3.11 like they asked you to...

    6. Re:Does this mean . . . by k1e0x · · Score: 1

      What's wrong with a Selectric III, I've had a I, a II, and a III? Heavy as boat anchors.

      Mine doubles *as* a boat anchor. Works great.

      --
      Bringing liberty to the masses. - http://freetalklive.com/
    7. Re:Does this mean . . . by Agronomist+Cowherd · · Score: 1

      Yours wasn't made by IMB.

      --
      -DwS
    8. Re:Does this mean . . . by goofyspouse · · Score: 1

      Ball changer.

  12. 135 by Zebra_X · · Score: 3, Insightful

    Has been windows' stink hole for the last 10 years. Let's hope that most people have learned they need to cover it up.

    1. Re:135 by Anonymous Coward · · Score: 0

      SMB is 445

    2. Re:135 by SCHecklerX · · Score: 1

      All bets are off in most organizations when that one user hits that one web site or opens that one email.

  13. Useless Windows Update by Jabbrwokk · · Score: 4, Interesting

    Why hasn't this been caught in the 3,000 previous security issues patched for Windows? It seems like kind of a biggie. In that list you linked to (thank you) it's present in all service packs for XP (the only Windows I use).

    I don't have any of the affected services enabled so it doesn't affect me, but I think a lot of that stuff is on or can be easily activated by default.

    Again, why did it take so long to catch this one? The tinfoil hat backdoor NSA spook theories seem almost believable.

    1. Re:Useless Windows Update by jonbryce · · Score: 1

      Most people block port 139 at the firewall, so it shouldn't be an issue.

    2. Re:Useless Windows Update by dave562 · · Score: 3, Insightful

      Shouldn't be an issue? What world are you living in? What happens when it gets crafted into an email or web exploit and someone inside the perimeter visits SeeMyBoobs.com and their now zombied desktop owns your servers?

    3. Re:Useless Windows Update by kitgerrits · · Score: 1

      From TFA:
      The vulnerability lies with the Windows Server service, and more specifically with Microsoft's implementation of "remote procedure call" (RPC),
      a communications technology deeply embedded in the Windows operating system that allows a program to execute another process on a remote system.

      From the looks of it, simply blocking SMB won't do the trick.
      Remember Blaster? That was also a RPC trick.
      Killing the RPC service might work, but you'd be surprised at how Windows reacts to that.
      (hint: shutdown -a is your friend)

      --
      "I was in love with a beautiful blonde once, dear. She drove me to drink. It's the one thing I am indebted to her for."
    4. Re:Useless Windows Update by Goldberg's+Pants · · Score: 3, Insightful

      What do you mean, "most people"? Most people don't even run firewalls, for God's sake! God knows nobody I know would be if I hadn't battered it into their useless skulls that they were to never come crying to me if their computer got wrecked due to their stupidity. (I may have worded it more politely. In most cases anyway.)

    5. Re:Useless Windows Update by sexconker · · Score: 1

      Hint: Set the service to restart.

      (One of ol' workarounds back in the blaster days)

    6. Re:Useless Windows Update by abigor · · Score: 1

      How would that work, exactly? This is an rpc issue. Turning off rpc and blocking smb would do the trick.

    7. Re:Useless Windows Update by dave562 · · Score: 1

      If the computer is a member of the domain then it has RPC and SMB turned on in order to communicate with the rest of the network. All it would take would be a trojan or other exploit with a payload crafted to exploit the current vulnerability. Workstations these days run many vulnerable applications. Flash seems to be a common target these days. So random dumb user gets an email directing them to or gets curious and browses to OwnMyBox.com. That site exploits their unpatched Flash player, installs exploit code to search the local network for machines vulnerable to the SMB/RPC exploit and it's game over. Time to restore from backup.

    8. Re:Useless Windows Update by SgtChaireBourne · · Score: 1

      Why hasn't this been caught in the 3,000 previous security issues patched for Windows? It seems like kind of a biggie.

      Because Samba is getting too much positive press and Google has to be pumped full of negative articles for the string smb to bury them?

      --
      Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
    9. Re:Useless Windows Update by Anonymous Coward · · Score: 5, Informative
    10. Re:Useless Windows Update by Lobster+Quadrille · · Score: 1

      Browser exploits come out daily, and they can get in and out the firewall. The firewall is nice, but it won't save you.

      Slirpie is my favorite.

      --
      "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
    11. Re:Useless Windows Update by kitgerrits · · Score: 1

      Ooh, I didn't think of that!

      Only happened to me once, it was a colleague's PC.
      No, really!

      --
      "I was in love with a beautiful blonde once, dear. She drove me to drink. It's the one thing I am indebted to her for."
    12. Re:Useless Windows Update by Anonymous Coward · · Score: 0

      That guy at MS has his spelling and grammar checker turned off.

      First a 'teh', then a line later he uses 'allusions' instead of 'illusions'.

      I know he's a coder dude and not a writer, but that kind of simple error combined with disabling safety checks (like spell checking) is exactly the kind of carelessness that produces bugs.

    13. Re:Useless Windows Update by RMH101 · · Score: 1

      It's not that he can't spell, it's that he's in a panic.

    14. Re:Useless Windows Update by ElizabethGreene · · Score: 1

      Observation: For Every OS before vista/2008, it is a _Critical_ update. For Vista/2008, it is only "Important". Same vulnerability, same vector, same bug. Somebody is obviously sandbagging the exploit counts to make the new OS look better.

      http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

      -ellie

  14. When is enough, enough? by ryanw · · Score: 2, Insightful

    Microsoft has had something like this occur regularly enough that I found myself already skipping to the next story without even reading the complete heading.

    I still cannot understand why major corporations run Windows of any version in enterprise server farms. They've had so many warning signs, so many high security breaches, so many alarms, and they're still very "ho-hum" about it.

    If you read the post slowly and actually acknowledge what it says, it's saying that ever since the incarnation of Windows elite hackers from Russia (or anywhere else) have been able to steal files on any machine with no problem. The underground top hackers have exploits that they guard with top secrecy and keep in their box of tricks when nothing else "known" is working.

    Come on, seriously! No other product provider on the planet would be allowed such leniency. Microsoft never feels any repercussions of any of these incredible security holes. They don't even lose business over it! When is enough, enough????

    1. Re:When is enough, enough? by Zironic · · Score: 0

      It's as easy as you think to break into an arbitrary windows machine. If it was then every machine on the planet would be a zombie and they're obviously not. Get rid of your tin foil hat.

    2. Re:When is enough, enough? by Arainach · · Score: 2, Insightful

      Do you really believe that nothing like this exists on Mac or Linux? Not necessarily this specific exploit, but something of this severity. Neither Apple nor the various Linux/OSS developers have anywhere near the testing unit that Microsoft has to uncover these flaws, nor do they have anywhere near the level of real-world users testing their software. It's not possible to write software of this level and complexity 100% bug-free. It's a matter of how much time and testing it takes to find such bugs.

    3. Re:When is enough, enough? by Ender+Wiggin+77 · · Score: 1

      Seems to me any machines in an "enterprise server farm" would be firewalled. Certainly any machines in a data center worth its salt would be firewalled and thus not accepting connections on the port being exploited here. I think the bigger threat here is workstations exploiting workstations at enterprise. Even home users are probably ok with basic firewalling.

    4. Re:When is enough, enough? by jschottm · · Score: 5, Insightful

      Microsoft has had something like this occur regularly enough that I found myself already skipping to the next story without even reading the complete heading.

      Not any more they don't. This is the first major exploit for MS in several years that will enable trivial worm creation. The last notable one was Zotob in 2005, which was really comparatively minor - the last really big one was Sasser in 2004. Thus, this is important news.

      If you read the post slowly and actually acknowledge what it says, it's saying that ever since the incarnation of Windows elite hackers from Russia (or anywhere else) have been able to steal files on any machine with no problem.

      The same thing can be said about OpenSSL, BIND, Apache, Sendmail, Samba, and pretty much every major piece of software.

      The underground top hackers have exploits that they guard with top secrecy and keep in their box of tricks when nothing else "known" is working.

      That's why people who need to worry about top hackers also need to worry about defense in depth.

      I still cannot understand why major corporations run Windows of any version in enterprise server farms.

      Because it's non-trivial to completely switch platforms. Windows gained the desktop and office software marketshare and whether you think that MS did bad things to get there is irrelevant. Computers are simply a tool to most businesses. If the vast majority of the business software you need as a tool runs on one platform, you use that platform. And you develop your specific tools, generally for that platform. Thus, to support the desktop systems, you get the servers that support them.

      And while I don't use them, the integration of the server, database, and programming environment that Microsoft provides is an incredibly good value proposition for some companies. Other than perhaps IBM, no one else can offer that level of coordination for development and server tools.

      Microsoft never feels any repercussions of any of these incredible security holes. They don't even lose business over it!

      Microsoft has invested heavily in improving their security. Vista is a far more secure piece of software than XP was. And MS has lost business over it - that's part of why Linux and OS X have been able to penetrate the professional and home computer worlds.

      I am not a Microsoft fan but your statements don't really add anything to the dialog. Mindless MS bashing does no good.

    5. Re:When is enough, enough? by dave562 · · Score: 1

      Enough will be enough when there are viable alternatives for ALL of the functionality that Windows provides. ALL might be a bit of a stretch but not too much of one. The OSS world continues chugging along but if you look closely they are spending a lot of time recreating the wheel, or improving the wheel in ways that don't change the fact that it is still a wheel... a wheel that has been spinning for a while on the Microsoft platform. You can whine about how Microsoft sucks all day long but the harsh reality is that there are too many applications that rely on it to simply dump it.

      As an example I work at a non-profit. We have a membership/fundraising application that tracks all of the development activity for the organization. That package ties into the accounting system so that as funds are raised and budgets are projected and what have you the systems interact with each other. Another component ties into the ticketing system so that when members come to visit the box office their account details are available. Did I mention the online component that allows membership renewals and ticket sales? It sure the hell isn't running on *nix. Now that isn't because a similar program can't be written for *nix. It simply hasn't been done yet. But hey... maybe one day, all of these super duper bad Microsoft security holes will pile up to the point where there are hundreds of non-profits out there looking to come up with a million or so dollars to completely rip out their Windows foundation and replace it with a super, duper, ooper better Linux way of doing things.

      Until the cost of sticking with the status quo significantly outweighs the cost of switching to something else, the status quo will remain. Despite the flaws, Microsoft does keep getting better, although it often times seems like a one step forward, two steps back process (got Vista?). Look at this latest exploit. On Vista and Server 2008 the exploit doesn't work without popping up a warning dialogue. Obviously some group at Microsoft is forward thinking to have realized the potential for badness. If they hadn't, the dialogue box wouldn't pop up.

    6. Re:When is enough, enough? by Anonymous Coward · · Score: 0

      Samba has had plenty of security vulnerabilities, nubbins. Unfortunately, that's not news as Samba isn't anywhere near as popular.

    7. Re:When is enough, enough? by King_TJ · · Score: 1

      The thing is, there's really no clear measuring stick proving these vulnerabilities would be circumvented by switching to another OS.

      Microsoft OS's (especially on the desktop) are in such wide use compared to anything else, there are bound to be more people discovering and reporting flaws than in the alternatives.

      I'm definitely not a "Microsoft apologist", as anyone who knows me very well can attest. But I also think much can be said for running an OS that receives very regular security patches and fixes, vs. one that seems to primarily run via "security via obscurity".

    8. Re:When is enough, enough? by pipatron · · Score: 2, Insightful

      The difference is that the FOSS software has millions of people that can check the source code, Microsoft only a couple of thousand. Having the source makes it so much easier to spot the flaws... (and thus fix them)

      --
      c++; /* this makes c bigger but returns the old value */
    9. Re:When is enough, enough? by thewils · · Score: 2, Informative

      Not any more they don't. This is the first major exploit for MS in several years that will enable trivial worm creation.

      Not any more they don't. This is the first major exploit that I know about for MS in several years that will enable trivial worm creation.

      There, fixed it for you.

      --
      Once I was a four stone apology. Now I am two separate gorillas.
    10. Re:When is enough, enough? by Anonymous Coward · · Score: 0

      Neither Apple nor the various Linux/OSS developers have anywhere near the testing unit that Microsoft has

      [citation needed]

    11. Re:When is enough, enough? by jschottm · · Score: 2, Informative

      This is the first major exploit for MS in several years that will enable trivial worm creation.

      I believe the second definition is the relevant one. If an exploit is trivial - any moderately skilled script kiddy can create a worm and it's been added to metasploit, it is by definition known.

    12. Re:When is enough, enough? by TheRealSlimShady · · Score: 1

      Microsoft has had something like this occur regularly enough

      So when was the last time a bug this severe was found? I'm pretty sure it's well over a year, so it's not like this is "regular". All operating systems regularly have security holes, some are of course more severe. Ones like this don't come along very often at all these days.

    13. Re:When is enough, enough? by Anonymous Coward · · Score: 1, Informative

      You obviously haven't been paying attention to CVE's lately, Windows has had a whole slew of serious, remote "root"-holes lately.
      For example, take a peek at some from this bulletin; http://www.us-cert.gov/cas/bulletins/SB08-294.html
      This for example: http://web.nvd.nist.gov/view/vuln/detail?execution=e3s1
      "Provides administrator access, Allows complete confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service"

      They might have gotten better, but not as much as you would like to think.

    14. Re:When is enough, enough? by dotgain · · Score: 1

      Neither Apple nor the various Linux/OSS developers have anywhere near the testing unit that Microsoft has to uncover these flaws, nor do they have anywhere near the level of real-world users testing their software

      Right, that's why this bug has lurked undetected for almost a decade, right?

    15. Re:When is enough, enough? by DiegoBravo · · Score: 1

      But how many of those millions use their time to just untar the source code?... and to understand the source code?... and to fix the source code?

      I think the advantage is that the (few?) FOSS hackers are not too compromised to a big business so they 1) can improve the security via best code quality without managers stopping the work because of profitability/marketing timelines, and 2) they do not need to hide or lie about the bad security issues.

    16. Re:When is enough, enough? by dotgain · · Score: 2, Insightful

      Rather than simply suggest the G.P. might be oblivious, why didn't you provide examples of the exploits that seem to have escaped his attention?

    17. Re:When is enough, enough? by SCHecklerX · · Score: 1

      Internal hosts aren't typically firewalled from each other in the enterprise. Critical systems, although they should be, aren't either.

      What scares me is SCADA networks getting hit with this type of thing. It only takes one idiot user opening one email attachment or hitting one nefarious web site.

    18. Re:When is enough, enough? by Wrath0fb0b · · Score: 1

      I still cannot understand why major corporations run Windows of any version in enterprise server farms. They've had so many warning signs, so many high security breaches, so many alarms, and they're still very "ho-hum" about it.

      For any decent admin, port 135 will be closed on the local software firewall and probably blocked at the switches. Even Windows admins don't use SMB.

    19. Re:When is enough, enough? by gillbates · · Score: 0, Flamebait

      You know, I can understand your sentiments, except that hapless Windows users don't have a choice but to have filesharing running on their machines. In fact, most don't even know it's running, or that it's enabled by default. With Linux, I don't have to start Samba, BIND, sendmail, etc... unless I want to. Windows users have much less control over the security of their systems than their Linux running counterparts.

      Quite honestly, the insecurity of linux programs is a moot point; I don't have to run that program. The only security of undeniable consequence for the end user is that of the kernel, because everything else can be turned off. With Linux, I get to choose my risk acceptance level; with Windows, Redmond chooses it for me.

      --
      The society for a thought-free internet welcomes you.
    20. Re:When is enough, enough? by Lobster+Quadrille · · Score: 1

      The storm botnet contained between 1 and 50 million hosts last fall. I'd suggest hanging onto the tinfoil hat for a little while.

      --
      "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
    21. Re:When is enough, enough? by Vegeta99 · · Score: 1

      Wait, what?

      I can't disable File and Print Sharing?

      So what does going into my network settings and unticking the box do? You know, the one that's unticked automatically by Vista if, when I connect to a new network, I tell it that it's not firewalled?

    22. Re:When is enough, enough? by logan@bitsmart.com · · Score: 1

      You seriously need to read Reflections on Trusting Trust, by Ken Thompson, one of the founders of Unix:

      http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

    23. Re:When is enough, enough? by Alsee · · Score: 1

      Vista is a far more secure piece of software than XP was.

      You must be thinking of Windows Mojave.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    24. Re:When is enough, enough? by thewils · · Score: 1

      No problem. I'll get right on it just after:
      1. MS Open up their source code.
      2. I trawl through all the relevant code.
      3. I know enough to understand it all.

      --
      Once I was a four stone apology. Now I am two separate gorillas.
    25. Re:When is enough, enough? by ryanw · · Score: 1

      Do you really believe that nothing like this exists on Mac or Linux?

      Let me see ..... There's Solaris, AIX, NetBSD, FreeBSD, anything else! Sure, there are going to be holes in every OS but usually you have to get physically logged into the box to make use of it.

      Windows seems to thrive with the use of an "open door" policy.

    26. Re:When is enough, enough? by Zironic · · Score: 1

      And there is something on the order of a billion windows machines around.

    27. Re:When is enough, enough? by Anonymous Coward · · Score: 0

      Mindless MS bashing does no good.

      Yes it does! It's freakin' hilarious! Are you saying that's not good, you communist?

    28. Re:When is enough, enough? by Anonymous Coward · · Score: 0

      Microsoft never feels any repercussions of any of these incredible security holes. They don't even loose business over it!

      In Soviet Russia, business looses you !

    29. Re:When is enough, enough? by recoiledsnake · · Score: 1

      You know nothing about anything do you? If you knew about Linux you would know about this. http://www.theregister.co.uk/2008/05/21/massive_debian_openssl_hangover/

      --
      This space for rent.
    30. Re:When is enough, enough? by jschottm · · Score: 1

      And looking at SB08-294 there's a remotely exploitable flaw that a small number of servers have installed (that has already made it into Metasploit), the usual batch of Office flaws and local escalation of privileges, and a hard to do anything reliable with SMB flaw that requires the guest account to be turned on or having an account on the system.

      Hardly the same as an on-by-default remotely and easily exploitable flaw.

    31. Re:When is enough, enough? by jschottm · · Score: 1

      Address space layout randomization is (according to MS) the reason why this is a critical update for 2K3 and prior but only important for Vista and is not a feature that users turn off.

    32. Re:When is enough, enough? by ion.simon.c · · Score: 2, Interesting

      No really. To make it usable you need to turn the security off...

      Back up that claim with examples, or shut the fuck up. You're hurting Slashdot by producing more of this unsubstantiated bullshit. [1]

      [1] Have you seen that one where Jon Stewart is talking to the Crossfire [2] guys? If not, check [3] for the story.
      [2] http://en.wikipedia.org/wiki/Crossfire_(TV_series)
      [3] http://en.wikipedia.org/w/index.php?title=Crossfire_(TV_series)&oldid=246136706#Jon_Stewart.27s_appearance

    33. Re:When is enough, enough? by Dutch+Gun · · Score: 1

      I would, but I don't trust that link you've provided.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    34. Re:When is enough, enough? by pipatron · · Score: 1

      Of course I did. It was big news, because it was so rare and strange. Microsoft having a backdoor like this seems to be in the news a couple of times every year.

      --
      c++; /* this makes c bigger but returns the old value */
  15. I'm glad I'm on a Mac by Anonymous Coward · · Score: 0

    I'm glad I am on OS X. No need to worry about the security hole of the minute compared to what goes on with the Linux and Windows boxes.

    1. Re:I'm glad I'm on a Mac by Anonymous Coward · · Score: 0

      I'm glad to have a 40 dollar router with a built in firewall so that I don't have to compromise what apps I run and not have to pay the Apple tax.

    2. Re:I'm glad I'm on a Mac by Anonymous Coward · · Score: 0

      better hope that your market penetration doesn't rise over 3% or you will become a target too

    3. Re:I'm glad I'm on a Mac by Anonymous Coward · · Score: 0

      Right! The only holes we mac users have to worry about are the ones with cocks stuffed in them.

    4. Re:I'm glad I'm on a Mac by LodCrappo · · Score: 1

      idiot

      --
      -Lod
  16. Is file sharing even open across most networks? by Darth_brooks · · Score: 1

    It's been years since I've tried, but doesn't SMB get dropped by some / all of the major residential carriers at this point? I know AT&T was dropping port 139 last time I tried leaving a machine wide open and exposed.

    It's a nasty vulnerability and all, I'm just wondering if this could go all blaster / sasser.

    --
    There are some people that if they don't know, you can't tell 'em.
  17. Critical vs Important by TheNinjaroach · · Score: 1, Interesting

    I notice on that page that the aggregate security rating is listed as 'Critical' for all versions of Windows up to Vista. All of the Vista and Server 2008 security ratings are listed as 'Important' even though they still allow for remote code execution..

    Has Microsoft watered down the wording of 'Critical' to 'Important' simply to make newer versions of their OS sound like they are more secure?

    --
    I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
    1. Re:Critical vs Important by quantumplacet · · Score: 5, Informative

      No, if you RTFA article, on newer versions the overflow will still work, but require authentication, making it Important. On older versions the exploit can work with no authentication making it Critical. Microsoft has always used this labeling convention for patches.

    2. Re:Critical vs Important by Narnie · · Score: 5, Funny

      The difference between XP and Vista will be a little pop up on Vista that will ask you if you want to run the RCP exploit n@5Ty.tr0g1n

      --
      greed@All_Evils:~#
    3. Re:Critical vs Important by dedazo · · Score: 1

      No, because those require authentication for the exploit to work.

      They don't "sound" like they're more secure, they are. At least in this particular context.

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    4. Re:Critical vs Important by residieu · · Score: 1

      Well, duh. Of course I do. That's that porn movie with all the "actors" in bad greek costumes, right?

    5. Re:Critical vs Important by Anonymous Coward · · Score: 1, Insightful

      To which all Vista users, now well trained in clicking OK to UAC messages without reading them, will click OK once again and the exploit will continue on its merry way!

    6. Re:Critical vs Important by CrossChris · · Score: 1

      At the last count, I'd found 38 vulnerabilities in Vista that would be labelled critical and reported all of them. Today MS patched the second of them (though it was only classed as "important")! I'll leave the rest of them out there as an exercise for the class...

    7. Re:Critical vs Important by Anonymous Coward · · Score: 0

      Maybe you should RTFA article about RAS syndrome: http://en.wikipedia.org/wiki/RAS_syndrome

      -RAS syndrom nazi

    8. Re:Critical vs Important by Anonymous Coward · · Score: 0

      It's "syndrome".
      Yours sincerely,
      The Spelling Nazi

    9. Re:Critical vs Important by Lobster+Quadrille · · Score: 2, Funny

      I find it amusing that we geeks can be so anal retentive about redundancy, spelling and grammar, then invent words like "boxen" and "borked".

      --
      "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
    10. Re:Critical vs Important by mollymoo · · Score: 2, Interesting

      No, if you RTFA article, on newer versions the overflow will still work, but require authentication, making it Important. On older versions the exploit can work with no authentication making it Critical. Microsoft has always used this labeling convention for patches.

      Additionally, Vista and Server 2008 will only restart the service twice after it crashes, so an attacker only gets two tries (failed attempts result in a crash). Earlier versions have no limit on how often they restart the service, so you can have as many tries as you like.

      I always thought there was some merit to the technologies behind UAC, even if the interface was god-awful. It seems in this case it's doing the job it was designed for.

      --
      Chernobyl 'not a wildlife haven' - BBC News
    11. Re:Critical vs Important by Anonymous Coward · · Score: 0

      Damn, you figured out the plan that makes Vista more secure!

      Seriously, now the big 'critical security bugs' tally board is now +1 on everything BUT the new shiny stuff.

      It's an old but underhanded trick to manufacture those great 'New OS is more secure' bullet points that marketing loves.

    12. Re:Critical vs Important by fractoid · · Score: 1

      These words may well be fabricated but they're spelled correctly, that's for sure!

      --
      Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
    13. Re:Critical vs Important by Anonymous Coward · · Score: 0

      Oh sorry, I don't actually have a reply. It's just that when I saw the parent post I reflexively clicked a button. I guess it was the "Reply" button this time. Sorry!

      Why yes, I do use Vista. Why do you ask?

    14. Re:Critical vs Important by SL+Baur · · Score: 1

      I find it amusing that we geeks can be so anal retentive about redundancy, spelling and grammar, then invent words like "boxen"

      Boxen is derived from "Vaxen", meaning multiple VAX minicomputers. That's us poking fun of those ignorant of the past.

      Google it yourself or take a look at:
      http://groups.google.com/group/net.nlang/browse_thread/thread/af64899cb03ec57d/f09204b36c3cb213?lnk=raot&fwc=1&pli=1

      and "borked".

      That's us making fun of misspellers. Nothing to see here, move along.

      Oh and you must be new here.

      - your friendly local spelling and grammar nazi

    15. Re:Critical vs Important by magarity · · Score: 1

      invent words like "boxen" and "borked".
       
      What's worse is that "borked" outside of the geek world means you've been the victim of a character assassination campaign (see: Robert Bork).

  18. Security administration? by tjstork · · Score: 0

    I know f--- at all about linux security but is there something for it that works like AD. I mean, managing a user list on one linux box is pretty easy but how do you handle permissions for thousands of users on hundreds of servers?

    --
    This is my sig.
    1. Re:Security administration? by JShadow21 · · Score: 1

      This would be a start: http://www.redhat.com/promo/ipa/

    2. Re:Security administration? by vsync64 · · Score: 1

      NIS, but it's kind of old and screwy. Nowadays you can hook things into LDAP if you want.

      --
      TO BUY A NEW CAR WOULD MAKE YOU SEXUALLY ATTRACTIVE.
    3. Re:Security administration? by gbjbaanb · · Score: 3, Informative

      do a search for LDAP.

      Here's a comparison of some options:
      IBM SecureWay Directory,
      Messaging Direct M-Vault,
      Microsoft Active Directory,
      Netscape Directory Server,
      Novell eDirectory,
      OpenLDAP.

    4. Re:Security administration? by Maguscrowley · · Score: 0

      Just because your platform has not been subject to as many high profile attacks, does not mean that it is so obscure that you can feel safe. If you run a browser, and think that you are immune under the assumption that malicious code is platform dependent, then you are sadly mistaken.

      In addition, the biggest concern here is for business users that want to keep servers safe. I am unaware of any OSX enterprise servers out there.

      Finally, remember that OSX is UNIX and hence some exploits may still work.

    5. Re:Security administration? by Anonymous Coward · · Score: 0

      ldap + pam

    6. Re:Security administration? by Maguscrowley · · Score: 0

      Damn it, I meant to reply to the person below me. I fail it *shame*

    7. Re:Security administration? by blueskies · · Score: 1

      Are you asking if there is something like LDAP of which AD is composed of that runs on Linux boxes?

    8. Re:Security administration? by IceCreamGuy · · Score: 3, Insightful

      I really don't mean to be a dick, but it really aggravates me when people say that AD=LDAP. LDAP is the protocol used to access AD, and then beyond that there is the actual Active Directory system, which is way fucking more than just an LDAP server. Have you worked with group policy, which is possibly the main feature of AD? It's just a protocol used to access and structure Active Directory, and if you think that just implementing LDAP in a Linux environment brings you anywhere even close to the functionality of AD, then I'm sorry, but you just don't know what you're talking about. eDirectory is comparable to AD, LDAP is not.

    9. Re:Security administration? by Anonymous Coward · · Score: 0

      ldap

    10. Re:Security administration? by Anonymous Coward · · Score: 5, Interesting

      it really aggravates me when people say that AD=LDAP. LDAP is the protocol used to access AD, and then beyond that there is the actual Active Directory system, which is way fucking more than just an LDAP server.

      I agree. LDAP is a protocol; AD is an LDAP-capable directory. A very weak, vendor-locked, OS-version-specific, poorly performing directory that in many ways compensates for corresponding weaknesses in the Windows OS, so that together AD and Windows add up to a reasonably usable system, almost as capable as a standards-compliant system.

      If that sounds like a troll or flamebait it's certainly not meant to be. It's just an honest appraisal - I've worked with directories since the late 80s, and AD is not a particularly good example of a directory since it is so specialized for dealing with MS-windows problems that other platforms don't necessarily have (they have completely other problems, of course).

      I have around 600 systems running from OpenLDAP these days. Most of these are windows desktops that think they are talking to AD, but I've also got HP-UX, Solaris, 3 flavors of linux, a single mac, and we used to have AIX too. All running from a single, massively replicated OpenLDAP directory that requires far less maintenance and hardware than AD does.

      So yes, you're quite right. AD is much more than an LDAP server. It's an enterprise directory, and may someday evolve into a good one... it's still a young product and has a lot of catching up to do before it can compete with eDirectory.

    11. Re:Security administration? by laffer1 · · Score: 1

      I would argue OS X is more vulnerable than many systems. Apple tends to be slow to patch holes in open source components of OS X like apache, php, bind, and python.

      I'm saying this as an OS X admin at work. If you want security, you use a mainstream bsd or mainstream linux distro. They have enough users to keep up on common security issues and get new packages (or ports) out.

      I don't take patch counts to mean as much anymore because it might be that the developers take threats more seriously than others. If you look at redhat, they offer a lot of new updates but often they're for stupid things that aren't moderate or high priority. Microsoft tends to fix that stuff in the next version of windows if they're going to.

    12. Re:Security administration? by SCHecklerX · · Score: 1

      ldap, nis, etc.

    13. Re:Security administration? by IceCreamGuy · · Score: 1

      AD is an LDAP-capable directory. A very weak, vendor-locked, OS-version-specific, poorly performing directory that in many ways compensates for corresponding weaknesses in the Windows OS, so that together AD and Windows add up to a reasonably usable system, almost as capable as a standards-compliant system.

      I've never seen that put so intelligently before!

    14. Re:Security administration? by Skrynesaver · · Score: 1

      I also have worked with openLDAP and also with commercial LDAP and X.500 servers, AD has improved, but the notion that it is a real directory server is farcical, it comes with a default schema that integrates well with one OS, give it another 10 years and it may become a genuinely scalable cross platform directory server, otherwise it remains useless.

      --
      "Linux is for noobs"-The new MS fud strategy
    15. Re:Security administration? by Anonymous Coward · · Score: 0

      Add Fedora Directory Server to the list, it's basically the same software as the Netscape Directory Server.

      It is a bit less raw than OpenLDAP (more GUI) and it allows multimaster replication (like Active Directory) with up to 4 hosts.

    16. Re:Security administration? by Mr.+Arbusto · · Score: 1

      Wow! I thought I was the only one with that pet peeve.

      The feature is Group policy. Without it, it's just Kerb+LDAP with LDAP backed services. Well, mostly.

    17. Re:Security administration? by Anonymous Coward · · Score: 0

      Lol.. AD = Microsoft Active Directory
      And none of the others in the list compares by miles in features that AD provides. "Just google it" does not always solve it :/

    18. Re:Security administration? by morgan_greywolf · · Score: 1

      NIS is junk. It's buggy, unstable and insecure. NIS blows up if you sneeze in the general direction of the NIS master or any of the slaves, even.

      Bleh.

      The closest thing to ActiveDirectory on *nix is a LDAP-based enterprise directory coupled with TLS, Kerberos 5, GSSAPI, and PAM-KRB5 and PAM-LDAP for authentication and authorization, Samba for file-sharing (using LDAPSAM for accounts). Add Linux AutoFS with LDAP support and you can have something like MS-DFS, but tons more secure.

      I have personally implemented such systems.

    19. Re:Security administration? by aproposofwhat · · Score: 1

      Yeah, and I bet you've used them all, Mr AC.

      Here's a hint - Microsoft's AD is a poor imitation of Novell's Directory Services (now eDirectory).

      Novell even offered Microsoft the NDS codebase for free, back in the good old days of Netware 4 and NT4, but Microsoft insisted on writing their own implementation.

      Astroturfing asshat.

      --
      One swallow does not a fellatrix make
    20. Re:Security administration? by Anonymous Coward · · Score: 0

      You, my friend, have no idea how well AD works nowadays, if you actually claim OpenLDAP was superior. There *are* better LDAP directories than AD - AD was simply designed to manage Windows environments, not to be a general purpose directory service - but OpenLDAP definitely isn't one of them...

    21. Re:Security administration? by Anonymous Coward · · Score: 0
    22. Re:Security administration? by OriginalArlen · · Score: 1

      is there something for it that works like AD.

      Samba can operate as an AD domain controller.

      Linux can be configured to be an AD client.

      --

      Everything I needed to know about life, I learnt from Blake's Seven
    23. Re:Security administration? by blueskies · · Score: 1

      The follow up post did a far better job explaining than I can do, but please notice that i never said AD=LDAP ("LDAP of which AD is composed of" -- think "contains" vs "is") (it's not as snarky if i have to write a paragraph about the distinctions!)

      The OP only asked for something that can manage permissions for thousands of users. They never asked for the identical (mis-)functionality of AD. Scaling out from "managing a user list on one linux box" doesn't need AD.

    24. Re:Security administration? by IceCreamGuy · · Score: 1

      Yeah, now that I'm going back and reading the OP and your posts, I do realize that I was misinterpreting both of you, and I'm sorry for being kinda rude in my post; you do make a good point.

    25. Re:Security administration? by blueskies · · Score: 1

      Hah. I was really trying to give some measured snarkiness in case the op was trolling. ;)

      I'm sorry, but I am going to have to report you for breaking the ToS for apologizing on slashdot. Actually, i want to see more about your Popsicle project but i don't have a ieee membership.

  19. Re:windows by Anonymous Coward · · Score: 0

    no seriously, it is!

  20. Re:Is file sharing even open across most networks? by Shadow-isoHunt · · Score: 1

    Current IP filters on DOCSIS(cable) networks are actually outbound filters done at the modem which can be turned off if you've got an uncapped modem. I haven't seen any inbound filters on any DOCSIS networks(I've looked at Cox, Comcast, RR, and Charter) on 135/139.

    --
    www.isoHunt.com
  21. How about us behind routers? by UncleMantis · · Score: 0

    Does this affect us behind routers on a home network?

    --
    Uncle Mantis
  22. Sounds like a bad one by Drakkenmensch · · Score: 5, Interesting

    You know that a vulnerability is bad when Microsoft goes out of its regular patching cycle to hurry and plug the hole so quickly, instead of following their usual philosophy of saying "What are you talking about? There is no security hole in Windows!" and quietly patching it a few months later amidst a flood of innocuous driver updates.

    1. Re:Sounds like a bad one by pm_rat_poison · · Score: 1

      Of course. Windows Genuine Advantage

    2. Re:Sounds like a bad one by Anonymous Coward · · Score: 0

      "What are you talking about? There is no security hole in [insert apple product]!" is the usual apple philosophy, not the microsoft one

    3. Re:Sounds like a bad one by Drakkenmensch · · Score: 1

      We've got a winner here! Sig line updated to reflect the new champ!

    4. Re:Sounds like a bad one by Anonymous Coward · · Score: 0

      Thanks to all the updates this month, we in band-capped 3rd world New Zealand (thanks TNZ) have been reduced to dial-up speed for the 4th month this year. Microsoft, mail me a CD once a year and stop the crap with constant updates.

    5. Re:Sounds like a bad one by Anonymous Coward · · Score: 0

      You know that a vulnerability is bad when Microsoft goes out of its regular patching cycle to hurry and plug the hole so quickly, instead of following their usual philosophy of saying "What are you talking about? There is no security hole in Windows!"

      Who modded you up? Microsoft doesn't deny security holes in Windows, but sometimes they take a long time in fixing them.

      Unlike Apple, which not only denies that there are security holes in the Mac OS, but threatens multi-million dollar lawsuits to people who talk about them.

    6. Re:Sounds like a bad one by OriginalArlen · · Score: 1

      Oh dear, now I too must post an "I'm no fan of Microsoft, but mindless bashing by people ignorant of the facts doesn't help at all" post.

      I'm no fan of Microsoft, but mindless bashing by people ignorant of the facts doesn't help at all. Whilst they do release patches that fix multiple vulnerabilities, the advisories list the CVEs for each separate vuln being addressed. They also don't seem to be downplaying the severity of a given vulnerability, and haven't been for the last five years or so. Unlike some vendors I could mention. Yes, Jobs, I'm looking at you.

      Personally, I think Microsoft's evilitude differs from that of any other proprietary software vendor only in the details; I'm a swivel-eyed FSF zealot. Hi there! :)

      --

      Everything I needed to know about life, I learnt from Blake's Seven
  23. Wow! by Skiron · · Score: 1

    And you Winders users - please DON'T forget to REBOOT after you apply this security patch (with no doubt extra luggage attached)!

    I can see 5% of the Internet blinking on/off/on/off..... {6 hours}.... on again tonight.

    1. Re:Wow! by Anonymous Coward · · Score: 0

      That 30 second reboot's going to be too much for me to take; I'm installing Ubuntu!

  24. Critical on XP - Important on Vista by Anonymous Coward · · Score: 0

    The patch is critical on XP but only important on Vista - see Vista is MUCH more secure.

    What d'ya say? You suggesting that marketing may impact a security decision? Them's fighting words...

    1. Re:Critical on XP - Important on Vista by Anonymous Coward · · Score: 0

      Because on Vista you get a prompt: "Your computer is being hacked. Cancel or Allow?"

    2. Re:Critical on XP - Important on Vista by Anonymous Coward · · Score: 0

      On Vista or later valid credentials are required to exploit this. On XP and earlier no credentials are required at all, allowing this to be a wormable attack. Hence the difference between "Critical" and "Important" on the two descriptions.

  25. swiss cheese by nurb432 · · Score: 1

    Windows, it is.

    --
    ---- Booth was a patriot ----
  26. Well of COURSE they are releasing Monday by davidsyes · · Score: 1

    this time.... They are tired of having "Super Tuesday" associations...

    --
    Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
  27. Work around? by slashkitty · · Score: 0, Flamebait

    Is to just turn off file and print sharing? Why don't they share that bit of info with us? Who would enable file sharing on windows anyway?

    --
    -- these are only opinions and they might not be mine.
    1. Re:Work around? by JohnnyKlunk · · Score: 1

      Somebody with file/print servers.

    2. Re:Work around? by Anonymous Coward · · Score: 0

      I know of another work around. It's called a firewall...

    3. Re:Work around? by dotgain · · Score: 1

      Phew. Until you chimed in I was starting to think I was the only one.

    4. Re:Work around? by Allador · · Score: 2, Informative

      You mean like this phrase:

      Disable the Server and Computer Browser services

      In the section titled: "workarounds".

      Yeah, it would be great if they would share that with us.

    5. Re:Work around? by geekoid · · Score: 1

      I have.

      I need to share some files and a printer with other computers on my LAN.

      I know it's crazy talk, but there you go~

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    6. Re:Work around? by slashkitty · · Score: 1

      Ok, but it's not directly linked from the start page contents. Click "Server Service Vulnerability - CVE-2008-4250" Click "Workarounds for Server Service Vulnerability - CVE-2008-4250" There you go, but it really should be the first note for those that want an immediate fix.

      --
      -- these are only opinions and they might not be mine.
  28. Known about this for years by xombo · · Score: 3, Funny

    My friends and I have known about this hole since high school. Every version of Windows with SMB has underlying, invisible, "root" accounts which cannot be removed without a great deal of diligence. These accounts have no password and give full access to the SMB share. I'm shocked that it has taken Microsoft this long to address the issue.

    1. Re:Known about this for years by eli867 · · Score: 2, Funny

      Buffer underrun permitting arbitrary code execution != "invisible root account"

      You don't know what you're talking about.

    2. Re:Known about this for years by Anonymous Coward · · Score: 0

      I'm not shocked at MS but I am shocked at your ignorance.

    3. Re:Known about this for years by codepunk · · Score: 5, Insightful

      What may I ask does this have to do with an SMB buffer overflow which is what this vulnerability is about? You know, like overwriting a fixed size buffer allowing one to perhaps overwrite a return pointer with a jmp esp. This in turn executing malicious code on the stack.

      I am sure that such an accomplished HaCkZ0r as yourself already knew this.

      --


      Got Code?
    4. Re:Known about this for years by k1e0x · · Score: 1

      "Buffer underrun permitting arbitrary code execution != "invisible root account"

      You don't know what you're talking about."

      No xombo is uber 1337. He must be warning us of a NEW problem.. quick how do I remove the "bgownzyoass" hidden super user account!

      --
      Bringing liberty to the masses. - http://freetalklive.com/
  29. Hello... by ThePromenader · · Score: 1

    I find it more than a bit ironic that the /. story two down from this one is titled "Microsoft Working For Samba Interoperability".

    --

    No, no sig. Really.

    ThePromenader
    1. Re:Hello... by Medievalist · · Score: 1

      I find it more than a bit ironic that the /. story two down from this one is titled "Microsoft Working For Samba Interoperability".

      I don't know about irony, but I do know that the samba team has found holes in Windows before now and has helped Microsoft fix them. I don't know if that's what happened this time, I haven't read the article yet (gotta preserve my /. cred by posting first).

      Incidentally, Microsoft's been working with the Samba Team for months now. I found out about it, hmmmm.... let me check my email archive... 15th of May 2008. Slashdot's a little slow this time.

  30. Re:Is file sharing even open across most networks? by eli867 · · Score: 1

    Yeah, but all it takes is ONE person to run an email attachment (or exploit some other hole) and then it's on every computer on the LAN

  31. The public doesn't know that by tepples · · Score: 1

    windows file sharing has to my knowledge absolutely nothing to do with any P2P program.

    True, which is why I tagged the article !p2p, but the public doesn't know that. The news media, owned by the proprietary entertainment industry, have associated "file sharing" with programs such as LimeWire, eMule, and BitTorrent.

    1. Re:The public doesn't know that by Anonymous Coward · · Score: 0

      Windows filesharing on a workgroup == P2P. I mean, every computer can act as both client & server... am I right?

    2. Re:The public doesn't know that by Lobster+Quadrille · · Score: 1

      You should totally go tell them.

      --
      "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
  32. Webcast by mungewell · · Score: 1

    We are sorry, due to the popularity of this event, registration is now full. Please search for another event.

    figures.....

  33. PoC by Anonymous Coward · · Score: 0

    Anyone know if a PoC has been released yet?

    1. Re:PoC by joshrulzzatwork · · Score: 1

      The FA (both the official MS KB article and technet blog article) mention the fix was discovered after observing exploits in the wild, so yes.

  34. Someone always clicks "allow". by argent · · Score: 5, Funny

    Because on Vista you get a prompt: "Your computer is being hacked. Cancel or Allow?"

    Windows Airlines:
    The terminal is very neat and clean, with security barriers every few meters. The attendants are attractive, even if it's kind of creepy how much they want to "help" (especially in the restrooms). The pilots are allegedly very capable, though nobody ever sees them and there's an armed guard by the cockpit door. The fleet of jets it operates are immense. Your jet takes off without a hitch, pushing above the clouds, and at 20,000 feet a message pops up on the seat back in front of you asking "Should this plane explode now?".

    Some idiot always answers "Yes".

  35. Slashdot, I think we've uncovered a mole by Archangel+Michael · · Score: 1

    Mindless MS bashing does no good.

    HERETIC! IMPOSTOR!

    Please turn in your slashdot ID card at the door!

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  36. How can you tell if you are secure? by Wyck · · Score: 1

    So your previous amount of security turned out to be: NONE. Anyone could have remotely executed arbitrary code without authentication.

    I wonder how much security you will have after the update?

    1. Re:How can you tell if you are secure? by Talar · · Score: 1

      Want to know if you are secure? just put something important/valuable on your computer and let us know when you are done.

  37. Or maybe ... by Rhabarber · · Score: 5, Funny

    ... the bug was found on one of the interoperability fests:

    Samba Guy: Hey dude, look, when I open a connection _this way_ I get strange replies. There is nothing similar in the docs ...

    MS Interoperability Officer: Sir, the protocol is just too complex. I wouldn't care. How about putting little hearts into the password dialog, I don't like the asterisks, anyway.

    Samba Guy: Dude, come on, I want to understand how the stuff works...

    MS Interoperability Officer: Sir, hmm, must be part of a proprietary, essential, internal routine framework. It's in there since ages. The software works, we make billions from it.

    Samba Guy: But what does it do? Why do you need it?

    MS Interoperability Officer: Don't know. The guy who coded it left the company.

    Samba Guy: Can't we just call him?

    MS Interoperability Officer: Don't think so. He must be cleaning his Yacht somewhere near Tanzania right now.

    Samba Guy: Well dude, then let's see what's gonna happen if I keep going on...

    MS Interoperability Officer: Sir, I'm bored. I don't like your black console anyway. It feels so '50s.

    MS Interoperability Officer: Sir, I'm in the position to offer you a free trial for Microsoft Visual Studio 2009 with Ribbon TM included.

    Samba Guy: Look dude, I just got root on your machine.

    MS Interoperability Officer: Sir, which idiot gave you my password?

    Samba Guy: No password, dude. I just opened the connection, look here ...

    Samba Guy shows 4 lines of code.

    MS Interoperability Officer: Sir, please hold on, I need to call my chief security officer.

    MS Interoperability Officer talking on the phone (next door).

    Minutes later the door is opened violently. Gates and Ballmer enter the scene guarded by five NSA officers.

    Gates: Sir, I'm sorry, you found one of the many backdoors we built into all versions of Microsoft Windows TM released after 1999. I suppose you will perfectly understand that all algorithms concerning that matter are our intellectual property which is protected by American Law.

    NSA Officer (in monotone voice): Sir, I'll now use this Neutralizer TM device to erase your memories of the last twenty-four hours. You've never been in this building and you never knew about the federal data acquisition program.

    A bright flash of light gets emitted from the little device.

    Samba Guy: Shit, my eyes. What the fuck is wrong with you guys. That code is so freaking stupid. You can't be serious...

    Another NSA Officer (in aggressive voice): Shut up criminal bastard!

    First NSA Officer (in same monotone voice): Sir, you might have consumed a critical cumulative dose of THC during adolescence. The resulting altered brain circuitry is resistant to portable neutralizer devices. I'm sorry to inform you you're temporally arrested under federal law.

    Samba Guy: Bull shit, you have no idea what you're talking about. Look I've got a hook running that sends every command I type on the console directly to twitter. Everybody does it, it's lots of fun. Nothing I do is secret. I believe in sharing of ideas.

    Ballmer (in rage): Motherfucking communists ... this is why fucking America is all that fucked up ... how the fuck should we ever control that fucking mob ... fuck!

    Ballmer, well, throws chairs.

    Gates (calling the still governing president of the United States): My president, sir, I'm sorry to inform you, due to certain circumstances, details concerning the federal data acquisition program might just have been leaked to the public.

    Samba Guy: Hey dude, the story is already on digg. I think you should issue a patch before it is on slashdot.

    Curtain gets drawn, applause.

    Off stage voice: Thank you ladies and gentlemen. Please don't forget to visit windowsupdates.microsoft.com

    1. Re:Or maybe ... by RiotingPacifist · · Score: 1

      sounds like one of those comics they used to advertise .net!

      --
      IranAir Flight 655 never forget!
    2. Re:Or maybe ... by b4dc0d3r · · Score: 0, Redundant

      Goddam, how much time did you spend on that?

    3. Re:Or maybe ... by vegiVamp · · Score: 1

      "temporally arrested" ? That'd make the problem vanish instantly, yes :-)

      --
      What a depressingly stupid machine.
    4. Re:Or maybe ... by Rhabarber · · Score: 1

      Protocol says that a resistant subject ought to be arrested temporally, be brought to the headquarters and be injected with neutralizing nanobots. The whole procedure takes about 12 to 18 hours so it can easily be done during pre-charge detention period.

      Sorry for leaving that fact out. I thought the comment was already long enough :)

  38. Does it run Linux? by BronsCon · · Score: 1

    Any machine that exposes Windows file sharing is vulnerable.

    When will the Ubuntu patch come out?

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    1. Re:Does it run Linux? by orgthingy · · Score: 1

      Any machine that exposes Windows file sharing is vulnerable.

      When will the Ubuntu patch come out?

      dude, this stupid update is for windows not linux because linux doesnt have this issue o__O

    2. Re:Does it run Linux? by BronsCon · · Score: 1

      First of all... WOOSH!

      Second...

      Any machine that exposes Windows file sharing is vulnerable.

      When will the Ubuntu patch come out?

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  39. No Fcking update is downloadable for it. by Anonymous Coward · · Score: 0

    They are only offering the fix via the Windowsupdate procedure. There exists no fucking download where you can get just this patch and apply it.

    I am prohibited from using Windows Update since it breaks a critical government law enforcement system we run, yet I am under orders to download and install this one patch immediately since the security hole poses a vulnerability on the inside of our network.

    1. Re:No Fcking update is downloadable for it. by SCPRedMage · · Score: 1

      You should look into Windows Server Update Services...

      http://technet.microsoft.com/en-us/wsus/default.aspx

      --
      My sig can beat up your sig.
    2. Re:No Fcking update is downloadable for it. by blowdart · · Score: 3, Informative

      Utter balls. If you're an admin that doesn't know how to get the executables I fear for those systems.

      As you appear to need severe help; here; but next time read the KB article, it tells you alternative locations to download from, including the Update Catalog Site which even uses a shopping basket metaphor. Errr. If you're using IE.

      Windows 2000 SP4: http://www.microsoft.com/downloads/de...=E22EB3AE-1295-4FE2-9775-6F43C5C2AED3
      Windows XP SP2: http://www.microsoft.com/downloads/de...=0D5F9B6E-9265-44B9-A376-2067B73D6A03
      Windows XP SP3: http://www.microsoft.com/downloads/de...=0D5F9B6E-9265-44B9-A376-2067B73D6A03
      Windows XP Professional x64 Edition: http://www.microsoft.com/downloads/de...=4C16A372-7BF8-4571-B982-DAC6B2992B25
      Windows XP Professional x64 Edition SP2: http://www.microsoft.com/downloads/de...=4C16A372-7BF8-4571-B982-DAC6B2992B25
      Windows Server 2003 SP1: http://www.microsoft.com/downloads/de...=F26D395D-2459-4E40-8C92-3DE1C52C390D
      Windows Server 2003 SP2: http://www.microsoft.com/downloads/de...=F26D395D-2459-4E40-8C92-3DE1C52C390D
      Windows Server 2003 x64 Edition: http://www.microsoft.com/downloads/de...=C04D2AFB-F9D0-4E42-9E1F-4B944A2DE400
      Windows Server 2003 x64 Edition SP2: http://www.microsoft.com/downloads/de...=C04D2AFB-F9D0-4E42-9E1F-4B944A2DE400
      Windows Server 2003 with SP1 for Itanium-based Systems: http://www.microsoft.com/downloads/de...=AB590756-F11F-43C9-9DCC-A85A43077ACF
      Windows Server 2003 with SP2 for Itanium-based Systems: http://www.microsoft.com/downloads/de...=AB590756-F11F-43C9-9DCC-A85A43077ACF
      Windows Vista (optionally with SP1): http://www.microsoft.com/downloads/de...=18FDFF67-C723-42BD-AC5C-CAC7D8713B21
      Windows Vista x64 Edition (optionally with SP1): http://www.microsoft.com/downloads/de...=A976999D-264F-4E6A-9BD6-3AD9D214A4BD
      Windows Server 2008 for 32-bit Systems: http://www.microsoft.com/downloads/de...=25C17B07-1EFE-43D7-9B01-3DFDF1CE0BD7
      Windows Server 2008 for x64-based Systems: http://www.microsoft.com/downloads/de...=7B12018E-0CC1-4136-A68C-BE4E1633C8DF
      Windows Server 2008 for Itanium-based Systems: http://www.microsoft.com/downloads/de...=2BCF89EF-6446-406C-9C53-222E0F0BAF7A

  40. What about my FF XI box? by Yvan256 · · Score: 1, Troll

    No patch for Windows 98SE?

    1. Re:What about my FF XI box? by Yvan256 · · Score: 1

      Score:2, Troll? WTF? I'm not allowed to use Win98SE for my FF XI box?

  41. Reminds me of a TV ad by Anonymous Coward · · Score: 0

    Advertising, advertising, advertising, fix Vista.
    Advertising, advertising, advertising, fix Vista.

    http://movies.apple.com/movies/us/apple/getamac/apple_getamac_beancounter_20081019_480x272.mov

  42. "Read The Fucking Article Article?" by Nimey · · Score: 1

    Sure, right after I withdraw some cash from the automatic ATM machine.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  43. Fail by Nimey · · Score: 1

    You mean port 137, 138, 139, and now 445, right? 135, according to /etc/services, is for "epmap", which is "DCE endpoint resolution".

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
    1. Re:Fail by tirnacopu · · Score: 2, Insightful

      Exactly, and the completely ignorant replies, here on Slashdot, are astounding. 135 is an entry point for maybe half of the functions the Windows OS offers remotely. And so few people seem to be aware of this.

    2. Re:Fail by Krisbee · · Score: 1

      Maybe half of windows remote functions are or were DCE RPC's from the beginning. Hence 135

  44. Dark security market already has this one by David+Gerard · · Score: 1

    Microsoft has released eight patches for applications with an insufficient number of security holes.

    "Our market is the enterprise," said Microsoft security marketer Jonathan Ness. "Information technology professionals know that Windows is the greatest IT job creation scheme in history. Without Patch Tuesday, there's no reason for the experienced IT worker to spend his time hiding out in the server room watching progress bars and getting over his hangover. Also, you can't tell people a virus ate their mail, you actually have to get it back for them."

    Several faintly cat-piss-smelling Linux users pointed and laughed in a nerdy bray at the news and a much larger number of annoying Mac users showed off their new model iPod Nanos.

    --
    http://rocknerd.co.uk
  45. That isn't what usually happens by Anonymous Coward · · Score: 0

    Usually the patch is 'hidden' between a flood of other critical security patches. I don't know if parent is trolling or flamebaiting, but deserving his Insightful mod, he did not.

  46. This is going to be a field day for the RIAA... by Waffle+Iron · · Score: 3, Funny

    ... and their "making available" theory. They could soon be raking in $Trillions in statutory damages from the public.

    1. Re:This is going to be a field day for the RIAA... by geirnord · · Score: 1

      You, my friend, have just hit the jackpot!

  47. Mod parent up! Great "bug hunt" article by Jabbrwokk · · Score: 4, Interesting

    Mod this AC up, the link is an interesting read.

    I'm no coder, I didn't understand most of what the article says, but I got the gist of it:

    In my opinion, hand reviewing this code and successfully finding this bug would require a great deal of skill and luck.

    Our present toolset does not catch this bug.

    First the good news; I think perhaps we have removed a good number of the low-hanging security vulnerabilities from many of our products, especially the newer code. The bad news is, we'll continue to have vulnerabilities because you cannot train a developer to hunt for unique bugs, and creating tools to find such bugs is also hard to do without incurring an incredible volume of false positives.

    I'll be blunt; our fuzz tests did not catch this and they should have. So we are going back to our fuzzing algorithms and libraries to update them accordingly.

    My opinion is Microsoft should have been taking the money they were getting from charging for tech support and put it into more testing and reviewing code.

    I love how at the end of the article he turns it into an ad for Windows Vista.

    1. Re:Mod parent up! Great "bug hunt" article by idontgno · · Score: 1

      I read the blog entry, and this little piece of spin doctoring amazed and amused me:

      The bug is a stack-based buffer overflow inside a loop; finding buffer overruns in loops, especially complex loops, is difficult to detect with a high degree of probability without producing many false positives.

      Gosh...

      (stack size)/(stack frame size) = number of iterations before stack overrun.

      They claim they fuzz test, but it seems pretty obvious not nearly hard enough. And they need explicit out-of-bounds exception tests. Every stack-based process thread based on externally-provided input has to be, to destruction.

      The blog calls this a "onesie - twosie" bug, but I suspect it's actually the harbinger of an entire class of as-yet unexplored path string processing bugs.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    2. Re:Mod parent up! Great "bug hunt" article by TheRaven64 · · Score: 1

      How about this code:

      for (unsigned i=0 ; i<100 ; i++)
      {
          int buffer[10+i];
          read(s, buffer, 10+i);
      }

      No buffer overflow appears here, because you're using at most 110 bytes of stack space.

      Actually, however, it depends on the compiler you use. Some C compilers will not deallocate VLAs until the function ends. This is a minor violation of the spec, but in this case dramatically increases the amount of stack space required for this.

      (stack size)/(stack frame size) = number of iterations before stack overrun.

      It's far from this simple. The amount of available stack space depends on the number of threads running, which thread is calling the function, and how many calls are above it.

      --
      I am TheRaven on Soylent News
    3. Re:Mod parent up! Great "bug hunt" article by GoodNicksAreTaken · · Score: 1

      You must mean Windows bzzz.

    4. Re:Mod parent up! Great "bug hunt" article by shutdown+-p+now · · Score: 1

      It's not a "stack overrun" (do you mean "stack overflow", perhaps?). It's a "buffer overrun" due to an invalid target pointer in a strcpy() call (and the pointer itself gets updated in the loop, and it's that calculation that can go wrong).
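
The kind of loop the comment above describes, where the write position is recomputed on each pass, can be made safe by bounding every move of that position in both directions. This is an added example, not code from the thread or from Microsoft; the function name `canon_path` and the backslash-separated path format are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example (hypothetical name canon_path): clean up a
 * backslash-separated path into out[], dropping "." and resolving "..".
 * Returns 0 on success, -1 if the result does not fit in outsz bytes or
 * a ".." would climb above the root.
 */
int canon_path(const char *in, char *out, size_t outsz)
{
    size_t len = 0;            /* write cursor: bytes of out[] in use */
    const char *p = in;

    if (outsz < 2)             /* need room for at least "\" plus NUL */
        return -1;

    while (*p != '\0') {
        const char *start;
        size_t n;

        while (*p == '\\')     /* collapse runs of separators */
            p++;
        if (*p == '\0')
            break;
        start = p;
        while (*p != '\0' && *p != '\\')
            p++;
        n = (size_t)(p - start);

        if (n == 1 && start[0] == '.')
            continue;          /* "." names the current directory */

        if (n == 2 && start[0] == '.' && start[1] == '.') {
            /*
             * The cursor moves BACKWARDS here. A scan written as
             * "step back until a separator is found" with no lower
             * bound leaves the buffer when no earlier separator
             * exists, and the next copy then lands outside out[].
             * Both the empty case and the scan are bounded below.
             */
            if (len == 0)
                return -1;     /* nothing left to pop: reject */
            while (len > 0 && out[len - 1] != '\\')
                len--;
            if (len > 0)
                len--;         /* drop the separator itself */
            continue;
        }

        /* Append "\" + component, keeping one byte free for the NUL. */
        if (n + 1 >= outsz - len)
            return -1;
        out[len++] = '\\';
        memcpy(out + len, start, n);
        len += n;
    }

    if (len == 0)
        out[len++] = '\\';     /* an empty result is the root */
    out[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = {
        "\\share\\docs\\..\\pub\\.\\file.txt",
        "\\a\\..\\..\\b",
        "\\\\a\\\\b",
    };
    char buf[32];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (canon_path(samples[i], buf, sizeof buf) == 0)
            printf("%-36s -> %s\n", samples[i], buf);
        else
            printf("%-36s -> rejected\n", samples[i]);
    }
    return 0;
}
```

Using an index that is compared against both 0 and `outsz` before every write keeps the forward and backward movements of the cursor in the same checked variable, which is easier to review than raw pointer arithmetic feeding a `strcpy()`.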

    5. Re:Mod parent up! Great "bug hunt" article by MadMidnightBomber · · Score: 1

      If you had Windows Vista, you would spend most of your time dual-booted into Ubuntu (like I do) and therefore wouldn't have such a big problem. Easy!

      --
      "It doesn't cost enough, and it makes too much sense."
    6. Re:Mod parent up! Great "bug hunt" article by Anonymous Coward · · Score: 0

      Common, the bug is very common. It's a spaghetti code!!! Don't tell me that spaghetti code is not common. The issue (of difficult review, test and verification, static analysis etc) would never be there in the first place if developers would not write in spaghetti paradigm!

  48. Ok, then you do it. by Anonymous Coward · · Score: 0

    I have given up....so I am just going to issue a challenge to all the people who bash Microsoft just because. If you think Microsoft sucks so bad then why don't you.... BUILD SOMETHING BETTER.

    Below you will find a list of products (not every product) that Microsoft builds and supports. Your mission is to make each one. Not just code each one to work independently but make each one work with every other one.

    Embedded OS
    Mobile OS
    Workstation OS
    Server OS
    Web Server
    Project Server
    Information Server
    Database Server
    Email Server
    Multiple Computer Languages
    Development IDE
    Graphics Rendering
    Word Processor
    Spreadsheet
    Presentation
    Publishing
    Multiple Database Clients
    Email Client
    Money Management
    Web Design
    Communication
    Web Browser
    Various PC Games
    Various PC Hardware
    Game Console
    Various Console Games
    Photo Viewing
    Photo Editing
    Media Player
    Mapping
    Encyclopedia
    Movie

    Once you do that, then you can complain.

    1. Re:Ok, then you do it. by 3.14159265 · · Score: 1

      For how many of those should you write instead "that Microsoft bought and supports"?
      And how many of those can you take and say "gee, this is actually a product with quality, well designed, stable, good."?
      Just asking...

    2. Re:Ok, then you do it. by ledow · · Score: 0

      Troll?

      The point is that MS didn't make many of those products at all, it just put its name on them or bought out other products to build upon, and in fact made a bad job of quite a few of them. And a lot of them are or were the laughing stock of their genre for many revisions until they bought enough other companies / actually PUT EFFORT into developing them to make them useful. And an awful lot of them have some terrible problems (usually security ones) and limitations. As examples, let's just take a few of your categories: IE, Frontpage, IIS, Outlook.

      It's because of this "let's do everything with a crappy codebase not designed for it" that they hit such criticism. For example, your first four categories can all be answered with "Linux", or a myriad other OS's. And instead of being a bastardised version of Windows that wasn't suited for the purpose, each targeted version of Linux is ideal and competitive in that space.

      I'm not saying that MS doing all these things is easily replicated, unless of course you were to, say, allow me to have a complete worldwide and at least partially illegal monopoly, to buy decisions and standards and to earn billions of dollars through such questionable channels. Then, probably, it would be much easier for any company with that sort of access to do a MUCH better job.

      All the other channels have equivalents that you'll find in your average Linux (or indeed, Unix) business-based distro, except for the "online" stuff. Not by one company, perhaps, but distributed and developed for free and competitive if not superior.

      It hardly makes MS special that they have lots of software in their portfolio because they DIDN'T invent a lot of those things, or even develop their own versions of them. They bought them, by and large. If the licensing agreements meant that you had to provide attribution for every line of MS code, About dialogs would be ten times as long because of the amount of code they don't develop in-house, but instead buy, license, or just use. Parts of Windows NT were in fact based on BSD code. IE was Spyglass Mosaic that MS licensed. Outlook was MS's own invention, it seems, as was IIS and Frontpage, but how much code was written in-house and how much was libraries, licensed code, etc. from elsewhere? We may never know. A lot of MS games are actually licensed and then have the MS name slapped on them (Ensemble Studios and all their creations, like "Microsoft" Age of Empires, for one example).

      And with the interoperability thing, ever opened an MS Publisher document in a different version of MS Publisher? A lot of MS stuff does *not* interoperate without the right time, effort, patches, etc. applied to the task. The stuff that does won't necessarily interoperate with *anything else* without ten times the effort (e.g. we still don't have any decent AD alternative or stuff that can manage AD fully - there's nothing else that can "be" a complete Windows Domain Controller yet, it's just too hacky and incomplete). The hardest thing to do is to provide *general interoperation*, so that any web server/browser/email client/programming language/server/client can use the full capabilities of the machine. Microsoft fail that. When you have a particular OS and wish to make every bit of software dependent on the OS, it makes stuff *easier*, not harder. You just bodge it because only your apps will ever use that facility.

      I bash Microsoft. So sue me. I don't like their products. I don't need to make something better. It's over on that FTP site that I can download from at any time for free and includes everything I need. No stupid licensing, no interconnectivity problems with the dozens of other OS's available (unless it's *to* a Windows system, and even then you can do most stuff), no stupid "on by default" protocols and options that make things like this so critical. Linux, et al, have their problems, even the same security problems at times. The key is in the stuff that differentiates them from Microsoft, not what they can replicate.

  49. Relevant question: how to disable file sharing? by Anonymous Coward · · Score: 0

    I think I already have it disabled, but how does one go about making sure it is disabled?

    And, no, I'm not giving you an IP to check for me :-)

  50. Collection of links and info on vulnerability by webappsec · · Score: 1
  51. This hole was around for sooo many years... by Anonymous Coward · · Score: 0

    And they will finally kill it :-(

  52. Re:Pretty serious NOT FOR STANDALONE RIGS by Anonymous Coward · · Score: 0

    "In other words: any idiot on your network can gain admin access to any attached Windows-based system with file-sharing enabled" - by IceCreamGuy (904648) on Thursday October 23, @01:39PM (#25484483) Homepage

    Well, for a system that is an endpoint node (say, a workstation) on a LAN/WAN (for example, a departmental one, or even larger @ work for instance)?

    Sure - This might be a severe risk!

    (Although I have had my colleagues TRY to even find my system on our LAN/WAN @ work, & they can't (one of them's a *NIX head & he likes wireshark for this type of thing amongst other tools) - yet, I have FULL ACCESS to all of our internet, email, + other network features - this is doable, this "effect", with a few simple registry hacks, many of which are covered in the URL link below no less)...

    HOWEVER - if you're a "standalone user" (meaning single machine online on the internet, say, from your home)?

    This is EASILY secured!

    That's easily done, as you more-or-less noted via YOUR method (stopping/disabling File & Print sharing)

    OR

    By even going a step further -> Stopping the SERVER service (disable it via services.msc)...

    There is also a method using a batch file to stop ALL shares (yes, even administrative $ type ones, ala:

    C:
    NET SHARE C$ /DELETE
    NET SHARE ADMIN$ /DELETE
    NET SHARE IPC$ /DELETE
    NET SHARE DFS$ /DELETE
    NET SHARE COMCFG$ /DELETE
    NET SHARE FAX$ /DELETE
    NET SHARE NETLOGON /DELETE
    NET SHARE PRINT$ /DELETE
    NET USE * /DELETE

    & technically?

    Each/ALL/ANY of those measures SHOULD work, just fine, in mitigating this prior to applying this patch (especially if you're a standalone machine on the internet @ home, with no home LAN present)...

    (Feel free to correct me if I am off/wrong here fellas... thanks!)

    APK

    P.S.=> I cover that & MUCH more, here:

    HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA, + make it "fun-to-do", via CIS Tool Guidance (& beyond):

    http://www.tcmagazine.com/forums/index.php?s=49125ef36605621c1a4c34eb160411a9&showtopic=2662

    &, yes, it works... vs. today's threats, especially - I say this, mainly because today's "security-suites" are NOT doing such a good job, vs. them, as evidenced here:

    ----

    Top security suites fail exploit tests (COMPUTERWORLD):

    http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117042&intsrc=news_ts_head [computerworld.com]

    &/or

    Top security suites fail exploit tests (SECUNIA):

    http://secunia.com/blog/29/

    ----

    &, the fact is? They're not that useful vs. threats coming from the REAL source of today's exploits (mostly), & that's javascript (+ iframes & bad or vulnerable plugins for webbrowsers, email programs, & even lately Adobe .pdf reader w/ javascript enabled (easily turned off) & their FLASH plugin system)... &, they're NOT doing well vs. std. viruses either, since many are "polymorphic" in nature today, or, use rootkit type technology... HEURISTICS & white/black lists of sites + apps are the way imo, vs. "signatures" based detection (which is good vs. KNOWN threats only really)... & most of them, depend on the latter (sigs work).

    PLUS - Hey, anyone can go to SECUNIA.COM &/or SECURITYFOCUS.COM for example & see my statement here just plain 'bears out as truth', just by seeing how much (a good 95%) of today's threats come from those sources... that guide above, however? IS... & again, it just works! apk

  53. doesn't smb/nmb default filtering prevent this? by Danny+Rathjens · · Score: 1

    Much like the last SMB exploit?
    http://it.slashdot.org/article.pl?sid=08/05/29/1844246

    Every network I've been on and even some of my current company's ISPs have a policy of blocking all traffic on smb/nmb ports (e.g. 137 and 139).
    Those types of filters prevent anyone following a smb:// link outside their network which prevented that last exploit. Is this new exploit in the same category?

    I think this default filtering is from way back in the day when remote MS Windows SMB/NMB exploits were a dime a dozen and/or network admins wanted to make sure files weren't being shared to the world.

  54. Common script kiddie trick... by w0mprat · · Score: 1

    A flaw in the code is not necessary to take over windows PCs. Back in the day [others not me] used to scan IP ranges for people with file sharing enabled out to the internet [I deny I ever did this hehe]. I must stress it's stupidly simple to inadvertently leave your windows network and shares wide open to the world. It takes someone to enable file sharing on the ICS host, enable it in the firewall on both network adapters. There are no warnings to the user that this will expose any shares to the world. [Add to that the number of blank passwords to administrator accounts out there :S]. Even today I reckon 1 in 40 windows machines on a broadband cable/adsl [and not behind a port blocking router] is vulnerable in this way. Few ISPs in my area are clued up to blocking the appropriate ports it seems. All it would take is a simple pop up window if you try to enable file sharing on your internet facing network adaptor. (I wonder would this put a big dent in the botnet population?)

    Personally, I don't actually care too much, everyone should have their equipment behind a decent dedicated firewall end of story. Relying on a firewall in the same OS was always going to be a less than ideal solution, let alone one by microsoft.

    --
    After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
    1. Re:Common script kiddie trick... by geekoid · · Score: 1

      It should be in the network card.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    2. Re:Common script kiddie trick... by g-san · · Score: 1

      I've never done anything like that either, but I have heard of people leaving a .txt file in the startup folder telling people their systems are hacked and telling them to run windows update.

    3. Re:Common script kiddie trick... by FreakWent · · Score: 1

      nvidia nforce chipset?

    4. Re:Common script kiddie trick... by l_bratch · · Score: 1

      Few ISPs in my area are clued up to blocking the appropriate ports it seems.

      The ISP should not, nor should they be expected to, block any ports. That would be very annoying to anybody that actually wants to use those ports. It wouldn't really be _fixing_ the problem...

  55. Re:Is file sharing even open across most networks? by g-san · · Score: 1

    At the border yes, but I recall sniffing direct connections to Verizon (and others) and there are usually several systems on your netblock infected with something and you will see probes from them.

  56. Samba guys should be happy by Lord+Byron+II · · Score: 1

    The Samba guys should be happy considering that M$ is sending their best minds to help them achieve compatibility. How about if we do it the other way - send the Samba guys to Windows-world to show them how it should be done?

  57. I find Microsoft's self-review incredible by lennier · · Score: 1, Interesting

    In the 'not credible' sense. Pure back-slapping.

    http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx

    "Over the last year or so I've noticed that the security vulnerabilities across Microsoft, but most noticeably in Windows have become bugs of a class I call "onesey - twosies" in other words, one-off bugs."

    "The $64,000 question we ask ourselves when we issue any bulletin is "did SDL fail?" and the answer in this case is categorically "No!""

    "The bad news is, we'll continue to have vulnerabilities because you cannot train a developer to hunt for unique bugs, and creating tools to find such bugs is also hard to do without incurring an incredible volume of false positives. With all that said, I will add detail about one-off bugs to our internal education; I think it's important to make people aware that even with great tools and great security-savvy engineers, there are still bugs that are very hard to find."

    FAIL.

    Look, if you're getting a constant FLOW of 'one-off' bugs being found by third parties -- no matter how theoretically 'hard' it is to find these bugs, and no matter how sophisticated your methods, there's something very, very wrong with your methods, BECAUSE THE BLACK HATS ARE ABLE TO DO IT SO WHY CAN'T YOU?

    The chance of the black hats finding this bug turned out to be 100%.

    If you scored less than that, I don't care your reasons, you lose, thanks for playing, try again.

    --
    You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    1. Re:I find Microsoft's self-review incredible by 7+digits · · Score: 1

      ...and by reading the description of the code, it was obvious that there were some issues in it ("As I alluded to, all three arguments are highly dynamic and constantly updated within the while() loop. There is a great deal of pointer arithmetic in this loop.")

      As a general rule of thumb, if some code does pointer arithmetic in loops with a lot of conditional tests and pointers assignment, it is probably buggy.

      I know that this seems presumptuous, but, over the years, I developed a good sense of looking at a block of C looping code, and saying if it is buggy based on the feel of the complexity in it, the presence of constants, etc, etc. If you can't "see" the invariants in the code by looking at it, it should raise a red flag.

      There is that famous Kernighan saying:

      "Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it."

      Code should be dumb. In that case, they probably could have written slower but dumber code. Maybe by first testing if the path needs rewriting (most paths don't), then use a slower/dumber rewriting loop, so the penalty would be paid only by the use of "." and "..". We are in 2008. Complex code is a liability. And vista is already slow, and that is not due to performance of path rewriting routines...
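
The two-step approach suggested in the comment above (test whether the path needs rewriting, then run a plain rewriting loop), sketched as an added example; it is not part of the thread and not Microsoft's code. The function names, the backslash-only separator and the treatment of the input as a root-relative path are assumptions made for the illustration.

```c
#include <string.h>

/* Cheap pre-check: 1 if any component is empty, "." or "..". */
static int needs_rewrite(const char *p)
{
    for (;;) {
        size_t n = strcspn(p, "\\");
        if (n == 0 || (p[0] == '.' && (n == 1 || (n == 2 && p[1] == '.'))))
            return 1;
        if (p[n] == '\0')
            return 0;
        p += n + 1;
    }
}

/* 0 on success; -1 if out[cap] is too small or ".." climbs above the root. */
int canon_path(const char *in, char *out, size_t cap)
{
    size_t len = 0;                      /* bytes in out, NUL excluded */
    if (cap == 0)
        return -1;
    if (!needs_rewrite(in)) {            /* common case: bounded copy */
        size_t n = strlen(in);
        if (n >= cap)
            return -1;
        memcpy(out, in, n + 1);
        return 0;
    }
    while (*in) {
        size_t n = strcspn(in, "\\");    /* length of this component */
        if (n == 2 && in[0] == '.' && in[1] == '.') {
            if (len == 0)
                return -1;               /* nothing left to pop */
            while (len > 0 && out[len - 1] != '\\') len--;  /* drop component */
            if (len > 0)
                len--;                   /* and its separator */
        } else if (n > 0 && !(n == 1 && in[0] == '.')) {
            if (n + (len ? 1 : 0) >= cap - len)
                return -1;               /* would overflow out */
            if (len)
                out[len++] = '\\';
            memcpy(out + len, in, n);
            len += n;
        }
        in += n + (in[n] != '\0');       /* skip component and separator */
    }
    out[len] = '\0';                     /* len < cap always holds here */
    return 0;
}
```

The only state is one index into the output, and the invariant `len < cap` can be read directly off the two places that change it; the contents of `out` are unspecified when the function returns -1.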

  58. Yes it does! by c1t1z3nk41n3 · · Score: 1

    Of course butter flies! Now how high and far depends on what exactly you use to launch it. ::}

  59. Re:Is file sharing even open across most networks? by TimothyDavis · · Score: 1

    I find it somewhat ironic that higher access to broadband will probably reduce the number of users who will be exploited vs the Blaster virus.

    Sitting behind a NAT or other firewall because your machine is not direct dialing an ISP and getting a public IP will probably mean that an attacker won't be able to directly exploit this.

  60. You can't polish a turd You can roll it in glitter by HornWumpus · · Score: 1

    Read that on /. Re-posting to share.

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  61. What Does it Matter if They Push Out A Patch? by nutznboltz · · Score: 1

    There are still millions of systems where Windows Update has broken and won't receive any patches and the "muppets" can't begin to understand that if you try to explain it to them.

  62. Neat. by Anonymous Coward · · Score: 0

    Does anyone know the location of a tool which exploits this way in? I want to play with it on my private LAN while learning about security and so forth. It's my machine, I can do anything I want to it, including use an 'exploit', right?

    Reply anonymously with a link.

  63. A show of hands by symbolset · · Score: 1

    Who thinks this is the last hole in this particular service Microsoft will have to issue an emergency patch for? Anybody? Anybody at all?

    I think it's 50/50 whether the patch itself adds a new vulnerability. Will we never learn?

    BTW, there are still remotely exploitable full control vulnerabilities in a fully patched Windows machine, even before you install any apps. There always will be. Windows: it's not for networking (tm).

    --
    Help stamp out iliturcy.
  64. What was that about a botnet some days ago? by Chris+Tucker · · Score: 1

    "Botnets, spammers botnets!

    What kind of boxes make up botnets?"

    Compaq, HP, Dell and Sony, true.
    Gateway, Packard Bell, maybe even ASUS, too!

    Are boxes, found on botnets, all running Windows, FOO!"

    --
    Guaranteed! This comment 100% Anthrax free!
  65. Code, link to zip file included in post by Anonymous Coward · · Score: 0

    http://milw0rm.com/sploits/2008-ms08-067.zip

  66. Do not travel anywhere by Anonymous Coward · · Score: 0

    I get my jollies going to hotels with open WiFi and browsing all the Microsoft Windows machines around me. There's all kinds of interesting stuff around ...