Slashdot Mirror


Microsoft to Issue Emergency Patch For File-Sharing Hole

An anonymous reader writes "Microsoft said late Wednesday that it plans to release a critical security update today to plug a security hole present in all supported versions of Windows. The company hasn't released any details about the patch yet, which is expected to be pushed out at 1 p.m. PT. Normally, Redmond issues security updates on Patch Tuesday, the second Tuesday of each month. The Washington Post's Security Fix blog notes that each of the three times in the past that Microsoft has departed from its patch cycle, it was to fix some really nasty vulnerability that criminals already were exploiting to break into Windows PCs." Reader filenavigator points out an article which describes the hole as an SMB vulnerability, and says it "allows anyone to access a Windows machine remotely without any user name or password. Any machine that exposes Windows file sharing is vulnerable." Update: 10/23 17:42 GMT by T : Reader AngryDad adds a link to Microsoft's more detailed memo.

24 of 348 comments

  1. Re:Cool by Ethanol-fueled · · Score: 4, Insightful

    Don't worry, the NSA and the RBN have plenty of Windows Backdoors(tm) left to use.

  2. 135 by Zebra_X · · Score: 3, Insightful

    Has been Windows' stink hole for the last 10 years. Let's hope that most people have learned they need to cover it up.

  3. When is enough, enough? by ryanw · · Score: 2, Insightful

    Microsoft has had something like this occur regularly enough that I found myself already skipping to the next story without even reading the complete heading.

    I still cannot understand why major corporations run Windows of any version in enterprise server farms. They've had so many warning signs, so many high security breaches, so many alarms, and they're still very "ho-hum" about it.

    If you read the post slowly and actually acknowledge what it says, it's saying that ever since the incarnation of Windows elite hackers from Russia (or anywhere else) have been able to steal files on any machine with no problem. The underground top hackers have exploits that they guard with top secrecy and keep in their box of tricks when nothing else "known" is working.

    Come on, seriously! No other product provider on the planet would be allowed such leniency. Microsoft never feels any repercussions of any of these incredible security holes. They don't even lose business over it! When is enough, enough????

    1. Re:When is enough, enough? by Arainach · · Score: 2, Insightful

      Do you really believe that nothing like this exists on Mac or Linux? Not necessarily this specific exploit, but something of this severity. Neither Apple nor the various Linux/OSS developers have anywhere near the testing unit that Microsoft has to uncover these flaws, nor do they have anywhere near the level of real-world users testing their software. It's not possible to write software of this level and complexity 100% bug-free. It's a matter of how much time and testing it takes to find such bugs.

    2. Re:When is enough, enough? by jschottm · · Score: 5, Insightful

      Microsoft has had something like this occur regularly enough that I found myself already skipping to the next story without even reading the complete heading.

      Not any more they don't. This is the first major exploit for MS in several years that will enable trivial worm creation. The last notable one was Zotob in 2005, which was really comparatively minor - the last really big one was Sasser in 2004. Thus, this is important news.

      If you read the post slowly and actually acknowledge what it says, it's saying that ever since the incarnation of Windows elite hackers from Russia (or anywhere else) have been able to steal files on any machine with no problem.

      The same thing can be said about OpenSSL, BIND, Apache, Sendmail, Samba, and pretty much every major piece of software.

      The underground top hackers have exploits that they guard with top secrecy and keep in their box of tricks when nothing else "known" is working.

      That's why people who need to worry about top hackers also need to worry about defense in depth.

      I still cannot understand why major corporations run Windows of any version in enterprise server farms.

      Because it's non-trivial to completely switch platforms. Windows gained the desktop and office software marketshare and whether you think that MS did bad things to get there is irrelevant. Computers are simply a tool to most businesses. If the vast majority of the business software you need as a tool runs on one platform, you use that platform. And you develop your specific tools, generally for that platform. Thus, to support the desktop systems, you get the servers that support them.

      And while I don't use them, the integration of the server, database, and programming environment that Microsoft provides is an incredibly good value proposition for some companies. Other than perhaps IBM, no one else can offer that level of coordination for development and server tools.

      Microsoft never feels any repercussions of any of these incredible security holes. They don't even lose business over it!

      Microsoft has invested heavily in improving their security. Vista is a far more secure piece of software than XP was. And MS has lost business over it - that's part of why Linux and OS X have been able to penetrate the professional and home computer worlds.

      I am not a Microsoft fan but your statements don't really add anything to the dialog. Mindless MS bashing does no good.

    3. Re:When is enough, enough? by pipatron · · Score: 2, Insightful

      The difference is that the FOSS software has millions of people that can check the source code, Microsoft only a couple of thousand. Having the source makes it so much easier to spot the flaws (and thus fix them).

      --
      c++; /* this makes c bigger but returns the old value */

    4. Re:When is enough, enough? by dotgain · · Score: 2, Insightful

      Rather than simply suggest the G.P. might be oblivious, why didn't you provide examples of the exploits that seem to have escaped his attention?

  4. Re:Does this mean . . . by Akardam · · Score: 4, Insightful

    Perhaps if you're going to do that you might want to dust off your typing skills, as well...

  5. Re:Useless Windows Update by dave562 · · Score: 3, Insightful

    Shouldn't be an issue? What world are you living in? What happens when it gets crafted into an email or web exploit and someone inside the perimeter visits SeeMyBoobs.com and their now zombied desktop owns your servers?

  6. Re:Critical vs Important by Anonymous Coward · · Score: 1, Insightful

    To which all Vista users, now well trained in clicking OK to UAC messages without reading them, will click OK once again and the exploit will continue on its merry way!

  7. Re:Known about this for years by codepunk · · Score: 5, Insightful

    What may I ask does this have to do with an SMB buffer overflow, which is what this vulnerability is about? You know, like overwriting a fixed size buffer allowing one to perhaps overwrite a return pointer with a jmp esp. This in turn executes malicious code on the stack.

    I am sure that such an accomplished HaCkZ0r as yourself already knew this.

    --
    Got Code?

  8. Re:Security administration? by IceCreamGuy · · Score: 3, Insightful

    I really don't mean to be a dick, but it really aggravates me when people say that AD=LDAP. LDAP is the protocol used to access AD, and then beyond that there is the actual Active Directory system, which is way fucking more than just an LDAP server. Have you worked with group policy, which is possibly the main feature of AD? It's just a protocol used to access and structure Active Directory, and if you think that just implementing LDAP in a Linux environment brings you anywhere even close to the functionality of AD, then I'm sorry, but you just don't know what you're talking about. eDirectory is comparable to AD, LDAP is not.

  9. Re:Useless Windows Update by Goldberg's+Pants · · Score: 3, Insightful

    What do you mean, "most people"? Most people don't even run firewalls, for God's sake! God knows nobody I know would be if I hadn't battered it into their useless skulls that they were never to come crying to me if their computer got wrecked due to their stupidity. (I may have worded it more politely. In most cases anyway.)

  10. Re:Samba Interoperability? by Tawnos · · Score: 5, Insightful

    I suppose, by your logic, that Debian should ship with ssh turned off as well, because it had a hole. Sure, it would be convenient to have on your network, but you never know when the OSS community has been drinking from the cold frosty watercooler of fail. Sounds dumb when it's put that way, doesn't it?

    As for the "90% of users wouldn't need it anyway": [citation needed]. Even my parents and friends without a clue often need to use file sharing.

  11. Re:Samba Interoperability? by Tawnos · · Score: 2, Insightful

    http://www.nizkor.org/features/fallacies/special-pleading.html

    I request you don't make special pleading for Linux when not providing sources or even anecdotal evidence. People using a certain OS don't automatically get a free pass as being "more knowledgeable" - especially considering the advocacy of Linux users trying to turn their friends on to the product. The fact you call out the corporate environment shows that there's a huge market that needs/uses file sharing (and the associated network services: print sharing, discovery, etc).

    I wasn't stating that all people without a clue use it, but that there are those who do. My parents use it for business, my "friends without a clue" use it so they can break copyright law more easily ("oh, you downloaded ASDF cd? can I get that from your computer?") and share documents between laptop and desktop.

    On top of all this, Vista has network separation that doesn't turn some of this stuff on depending on what network you choose. This means file sharing isn't on for public networks, but is for home and work, because those cases have been found to be needed by enough home users to justify turning it on.

  12. Re:Fail by tirnacopu · · Score: 2, Insightful

    Exactly, and the completely ignorant replies, here on Slashdot, are astounding. 135 is an entry point for maybe half of the functions the Windows OS offers remotely. And so few people seem to be aware of this.

  13. Re:Samba Interoperability? by mweather · · Score: 2, Insightful

    Debian does ship with ssh turned off.

  14. Re:Samba Interoperability? by atraintocry · · Score: 5, Insightful

    Most of us "muppets" are happy to block 139 and its cousins at the firewall and be done with it. It's a LAN service. Assuming your network is secure from the outside, you can have your cake and eat it too.

    If in your paranoia you somehow neglected to secure your WLAN, you *do* need to worry about this.

    Either way, shutting off useful parts of the OS because you're afraid of an exploit is more cargo cult thinking than paranoid thinking. If you can't tell at any given time who's on your LAN, you need to get that under control. No OS is immune to the workings of a bad administrator.

    I see your later post is an example of the "no true Scotsman" fallacy. Plenty of people with a clue use Windows file sharing, because they know what's going on in their network and at what layer(s) their security needs to be applied. People who have a clue avoid the "I automatically do X because Y is automatically bad" approach.

    I happen to be of the opinion that open source software is more secure by virtue of its openness, which is an opinion that not everyone here shares. But that doesn't mean that I refuse to use Windows file sharing because it may or may not have an exploit. Again, this is not critical if every Tom/Dick/Harry isn't hanging out on your LAN, (or you aren't at a college, hotel or what have you). That said, this *is* ridiculous on MS's part and I have this update deadlined right now.

  15. Re:FREEOWW!!! by Lobster+Quadrille · · Score: 3, Insightful

    Maybe they're not astroturfers. Maybe you're just annoying.

    --
    "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497

  16. Re:Samba Interoperability? by Tawnos · · Score: 3, Insightful

    I wonder how you can claim that ugly, inconsistent, undocumented code is "secure by design" versus code you can't see. You're asserting that it must be bad because you don't see it and that openssh must be good because you can see it, a logical fallacy (especially considering your comment that it's ugly, not consistent, or documented...how can one vet something like that?).

    As for looking at the SMB server source code... not in my area of Windows (I'm in desktop graphics technology), but I suppose I could look at the diff for the patch. One thing I do know is that, by and large, code is a bit ugly, consistent, and documented well here, though.

    The comment regarding ssh (a service I consider a necessity on any Linux box) with Debian was because there was a huge problem (http://it.slashdot.org/article.pl?sid=08/05/13/1533212) introduced into Debian's ssh stream. Secure by design or not, the scheme was broken because of a human mistake. Those kinds of mistakes can happen in OSS or closed source, and I don't think treating one as specially exempt from the problem is an honest view of the world.

  17. Re:Samba Interoperability? by khellendros1984 · · Score: 2, Insightful

    Everyone I knew in college used it for file transfer within on-campus housing. It was convenient with everyone being on the same network. It's also my preferred method to transfer things around the network at home. Plus, there's a growing market of NAS boxes for home use.

    --
    It is pitch black. You are likely to be eaten by a grue.

  18. Re:Samba Interoperability? by flosofl · · Score: 2, Insightful

    Most of us "muppets" are happy to block 139 and its cousins at the firewall and be done with it. It's a LAN service. Assuming your network is secure from the outside, you can have your cake and eat it too.

    Well, that's only the *direct* vector of exploitation from external. There's quite a few indirect. There's already a trojan in the wild trying to leverage this issue. And users are users. As in "muppets" may not be too far off. I work in a very large environment and we are setting a 3 day deadline for testing and deployment. In fact I just got off the phone with IBM and EDS (manage some of our regions) and MS regarding this issue.

    Additionally, having a soft chewy internal network is a big problem as well. You cannot discount deliberate attacks from the inside. Or idiots clicking links and opening attachments. Yeah, external links and attachments should be under control, but really this issue is really too serious. Any machine within an MS domain could exploit the server.sys RPC issue on any other machine sans authentication.

    Really, your best bet is to test this quickly and deploy.

    --
    "This calls for a very special blend of psychology and extreme violence" - Vyvyan "The Young Ones"

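An added example, not from any commenter on this thread, that turns atraintocry's "block 139 and its cousins at the firewall" and flosofl's reply about the soft internal network into one check: it audits constructed iptables-style log lines for SMB-family connection attempts, separating external hits (the perimeter block is missing or leaky) from LAN-to-LAN hits (the traffic a perimeter block never sees). The port set, log format, RFC 1918 LAN definition and sample addresses are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Windows file sharing and its "cousins": NetBIOS, SMB and the RPC endpoint mapper (135).
SMB_FAMILY_PORTS = {135, 137, 138, 139, 445}

# RFC 1918 ranges treated as "our LAN" (assumption); anything else counts as external.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed iptables-style log lines, not taken from any real host.
SAMPLE_LOG = """\
Oct 23 13:01:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.168.1.20 PROTO=TCP SPT=51234 DPT=445 SYN
Oct 23 13:01:05 fw kernel: IN=eth0 SRC=198.51.100.9 DST=192.168.1.20 PROTO=TCP SPT=40001 DPT=139 SYN
Oct 23 13:02:10 fw kernel: IN=eth1 SRC=192.168.1.31 DST=192.168.1.20 PROTO=TCP SPT=49152 DPT=445 SYN
Oct 23 13:02:11 fw kernel: IN=eth1 SRC=192.168.1.31 DST=192.168.1.20 PROTO=TCP SPT=49153 DPT=135 SYN
Oct 23 13:03:00 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.168.1.20 PROTO=TCP SPT=51300 DPT=80 SYN
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")

def classify(line):
    """Return (origin, src, dst, dport) for an SMB-family hit, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, dport = m.group(1), m.group(2), int(m.group(3))
    if dport not in SMB_FAMILY_PORTS:
        return None
    src_ip = ipaddress.ip_address(src)
    origin = "internal" if any(src_ip in n for n in LAN_NETS) else "external"
    return origin, src, dst, dport

def audit(log_text):
    """Count SMB-family attempts by origin and by (origin, src, dport).
    External hits: the perimeter block is missing or leaky.
    Internal hits: LAN-to-LAN traffic that a perimeter block never sees."""
    by_origin, pairs = Counter(), Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            origin, src, _, dport = hit
            by_origin[origin] += 1
            pairs[(origin, src, dport)] += 1
    return by_origin, pairs

if __name__ == "__main__":
    origins, pairs = audit(SAMPLE_LOG)
    for (origin, src, dport), n in sorted(pairs.items()):
        print(f"{origin:8} {src:15} -> port {dport}: {n} attempt(s)")
```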
  19. Re:Samba Interoperability? by Godji · · Score: 4, Insightful

    All three - ugly, inconsistent, and uncommented - make understanding the code more difficult. They do not make it impossible to go over.

    Having spent a large amount of time looking into (the lowest layer of) OpenSSH, I can say it is very secure. Ugly, inconsistent, and uncommented together do not imply that the code is bad - that's your logical fallacy. (Besides, ugly and inconsistent are subjective.)

    That does not change the fact that anyone (even me!) can look at OpenSSH, find problems in it, and fix it. Microsoft's code is secret, may or may not have glaring bugs in it, and nobody else can fix a problem even if it's known.

    The link you posted is a testament to this. The problem was found and fixed extremely quickly. I can't trust Microsoft with the same response, and nobody else should trust them either.

    Human error can happen to every code. But the open source ones we can fix.

  20. Re:Samba Interoperability? by nexu56 · · Score: 2, Insightful

    I suppose, by your logic, that Debian should ship with ssh turned off as well, because it had a hole.

    You're comparing apples and oranges. The equivalent service on Debian is Samba, which is turned off by default in Debian.