Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft to Issue Emergency Patch For File-Sharing Hole

Posted by timothy on from the safest-version-of-windows-ever dept.

An anonymous reader writes "Microsoft said late Wednesday that it plans to release a critical security update today to plug a security hole present in all supported versions of Windows. The company hasn't released any details about the patch yet, which is expected to be pushed out at 1 p.m. PT. Normally, Redmond issues security updates on Patch Tuesday, the second Tuesday of each month. The Washington Post's Security Fix blog notes that each of the three times in the past that Microsoft has departed from its patch cycle, it was to fix some really nasty vulnerability that criminals already were exploiting to break into Windows PCs." Reader filenavigator points out an article which describes the hole as an SMB vulnerability, and says it "allows anyone to access a Windows machine remotely without any user name or password. Any machine that exposes Windows file sharing is vulnerable." Update: 10/23 17:42 GMT by T : Reader AngryDad adds a link to Microsoft's more detailed memo.

16 of 348 comments (clear)

  1. More info already posted... by Spazholio · · Score: 4, Informative

    http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx

  2. Pretty serious by IceCreamGuy · · Score: 5, Informative
    I first saw this a couple days ago on the CERT bulletin, http://www.us-cert.gov/cas/bulletins/SB08-294.html, and http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4038, most serious vulnerability I've ever seen up there:

    Access Vector: Network exploitable
    Access Complexity: Low
    Authentication: Not required to exploit
    Impact Type:Provides administrator access, Allows complete confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service

    In other words: any idiot on your network can gain admin access to any attached Windows-based system with file-sharing enabled. I'm really glad that they're releasing an emergency patch for this, because that's a pretty fucking crazy description of an exploit, especially since it affects all versions of their last 10 years of operating systems.

    1. Re:Pretty serious by Lord+Ender · · Score: 4, Informative

      That's not the scary part. The scary part is that this can be made into a worm which uses a service which is installed by default on almost every windows system, and does not require user interaction to exploit. It's the perfect worm-bait. It's like a von neumann machine near the galactic core.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    2. Re:Pretty serious by IceCreamGuy · · Score: 2, Informative

      Dude, you have to use the "static link" on the NIST page for that to work...

    3. Re:Pretty serious by secPM_MS · · Score: 2, Informative

      Actually, it is rather more like the Zotob vuln than the Blaster vuln. It is a crit on earlier systems, but requires authenticated privledges on Vista and 2K8 server due to the implementation of the integrity level defenses in Vista and 2K8. That said, the potential for damage with this vulnerability is high and there were reports of attacks in the wild. Thus, Microsoft released out of the standard release cycle.

  3. Re:FREEOWW!!! by Anonymous Coward · · Score: 1, Informative

    This is a problem with filesharing over local networks using SMB. Not P2P transfers. This has nothing to do with piracy.

  4. Re:Critical vs Important by quantumplacet · · Score: 5, Informative

    No, if you RTFA article, on newer versions the overflow will still work, but require authentication, making it Important. On older versions the exploit can work with no authentication making it Critical. Microsoft has always used this labeling convention for patches.

  5. Re:Security administration? by gbjbaanb · · Score: 3, Informative

    do a search for LDAP.

    Here's a comparison of some options:
    IBM SecureWay Directory,
    Messaging Direct M-Vault,
    Microsoft Active Directory,
    Netscape Directory Server,
    Novell eDirectory,
    OpenLDAP.

  6. Re:When is enough, enough? by thewils · · Score: 2, Informative

    Not any more they don't. This is the first major exploit for MS in several years that will enable trivial worm creation.

    Not any more they don't. This is the first major exploit that I know about for MS in several years that will enable trivial worm creation.

    There, fixed it for you.

    --
    Once I was a four stone apology. Now I am two separate gorillas.
  7. Re:When is enough, enough? by jschottm · · Score: 2, Informative

    This is the first major exploit for MS in several years that will enable trivial worm creation.

    I believe the second definition is the relevant one. If an exploit is trivial - any moderately skilled script kiddy can create a worm and it's been added to metasploit, it is by definition known.

  8. Re:When is enough, enough? by Anonymous Coward · · Score: 1, Informative

    You obviously haven't been paying attention to CVE's lately, Windows has had a whole slew of serious, remote "root"-holes lately.
    For example, take a peek at some from this bulletin; http://www.us-cert.gov/cas/bulletins/SB08-294.html
    This for example: http://web.nvd.nist.gov/view/vuln/detail?execution=e3s1
    "Provides administrator access, Allows complete confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service"

    They might have gotten better, but not as much as you would like to think.

  9. Re:Useless Windows Update by Anonymous Coward · · Score: 5, Informative

    Explanation of how the exploit slipped through

  10. Re:No Fcking update is downloadable for it. by blowdart · · Score: 3, Informative
    Utter balls. If you're an admin that doesn't know how to get the executables I fear for those systems.

    As you appear to need severe help; here; but next time read the KB article, it tells you alternative locations to download from, including the Update Catalog Site which even uses a shopping basket metaphor. Errr. If you're using IE.

    Windows 2000 SP4: http://www.microsoft.com/downloads/de...=E22EB3AE-1295-4FE2-9775-6F43C5C2AED3
    Windows XP SP2: http://www.microsoft.com/downloads/de...=0D5F9B6E-9265-44B9-A376-2067B73D6A03
    Windows XP SP3: http://www.microsoft.com/downloads/de...=0D5F9B6E-9265-44B9-A376-2067B73D6A03
    Windows XP Professional x64 Edition: http://www.microsoft.com/downloads/de...=4C16A372-7BF8-4571-B982-DAC6B2992B25
    Windows XP Professional x64 Edition SP2: http://www.microsoft.com/downloads/de...=4C16A372-7BF8-4571-B982-DAC6B2992B25
    Windows Server 2003 SP1: http://www.microsoft.com/downloads/de...=F26D395D-2459-4E40-8C92-3DE1C52C390D
    Windows Server 2003 SP2: http://www.microsoft.com/downloads/de...=F26D395D-2459-4E40-8C92-3DE1C52C390D
    Windows Server 2003 x64 Edition: http://www.microsoft.com/downloads/de...=C04D2AFB-F9D0-4E42-9E1F-4B944A2DE400
    Windows Server 2003 x64 Edition SP2: http://www.microsoft.com/downloads/de...=C04D2AFB-F9D0-4E42-9E1F-4B944A2DE400
    Windows Server 2003 with SP1 for Itanium-based Systems: http://www.microsoft.com/downloads/de...=AB590756-F11F-43C9-9DCC-A85A43077ACF
    Windows Server 2003 with SP2 for Itanium-based Systems: http://www.microsoft.com/downloads/de...=AB590756-F11F-43C9-9DCC-A85A43077ACF
    Windows Vista (optionally with SP1): http://www.microsoft.com/downloads/de...=18FDFF67-C723-42BD-AC5C-CAC7D8713B21
    Windows Vista x64 Edition (optionally with SP1): http://www.microsoft.com/downloads/de...=A976999D-264F-4E6A-9BD6-3AD9D214A4BD
    Windows Server 2008 for 32-bit Systems: http://www.microsoft.com/downloads/de...=25C17B07-1EFE-43D7-9B01-3DFDF1CE0BD7
    Windows Server 2008 for x64-based Systems: http://www.microsoft.com/downloads/de...=7B12018E-0CC1-4136-A68C-BE4E1633C8DF
    Windows Server 2008 for Itanium-based Systems: http://www.microsoft.com/downloads/de...=2BCF89EF-6446-406C-9C53-222E0F0BAF7A

  11. Re:Work around? by Allador · · Score: 2, Informative

    You mean like this phrase:

    Disable the Server and Computer Browser services

    In the section titled: "workarounds".

    Yeah, it would be great if they would share that with us.

  12. Re:Samba Interoperability? by Godji · · Score: 2, Informative

    Have you even looked at the OpenSSH source code?

    It's a bit ugly, not very consistent, almost completely undocumented, but it's very secure by design. Please don't take my word for it. Read this and then look at the source code.

    Now have you looked at the Windows SMB server source code? I rest my case.

  13. Re:Samba Interoperability? by marcosdumay · · Score: 2, Informative

    Debian does ship with ssh turned off. By the way, it ships with no ssh server even installed.

    Ssh is a dangerous piece of software, that will can make your machine quite vunerable if you don't know it is running and don't protect it accordingly (good passwords or only key autentication).

    --
    Rethinking email