Slashdot Mirror
Microsoft to Issue Emergency Patch For File-Sharing Hole
An anonymous reader writes "Microsoft said late Wednesday that it plans to release a critical security update today to plug a security hole present in all supported versions of Windows. The company hasn't released any details about the patch yet, which is expected to be pushed out at 1 p.m. PT. Normally, Redmond issues security updates on Patch Tuesday, the second Tuesday of each month. The Washington Post's Security Fix blog notes that each of the three times in the past that Microsoft has departed from its patch cycle, it was to fix some really nasty vulnerability that criminals already were exploiting to break into Windows PCs."
Reader filenavigator points out an article which describes the hole as an SMB vulnerability, and says it "allows anyone to access a Windows machine remotely without any user name or password. Any machine that exposes Windows file sharing is vulnerable." Update: 10/23 17:42 GMT by T : Reader AngryDad adds a link to Microsoft's more detailed memo.
Don't worry, the NSA and the RBN have plenty of Windows Backdoors(tm) left to use.
Perhaps if you're going to do that you might want to dust off your typing skills, as well...
Microsoft has had something like this occur regularly enough that I found myself already skipping to the next story without even reading the complete heading.
Not any more they don't. This is the first major exploit for MS in several years that will enable trivial worm creation. The last notable one was Zotob in 2005, which was really comparatively minor - the last really big one was Sasser in 2004. Thus, this is important news.
If you read the post slowly and actually acknowledge what it says, it's saying that ever since the incarnation of Windows elite hackers from Russia (or anywhere else) have been able to steal files on any machine with no problem.
The same thing can be said about OpenSSL, BIND, Apache, Sendmail, Samba, and pretty much every major piece of software.
The underground top hackers have exploits that they guard with top secrecy and keep in their box of tricks when nothing else "known" is working.
That's why people who need to worry about top hackers also need to worry about defense in depth.
I still cannot understand why major corporations run Windows of any version in enterprise server farms.
Because it's non-trivial to completely switch platforms. Windows gained the desktop and office software marketshare and whether you think that MS did bad things to get there is irrelevant. Computers are simply a tool to most businesses. If the vast majority of the business software you need as a tool runs on one platform, you use that platform. And you develop your specific tools, generally for that platform. Thus, to support the desktop systems, you get the servers that support them.
And while I don't use them, the integration of the server, database, and programming environment that Microsoft provides is an incredibly good value proposition for some companies. Other than perhaps IBM, no one else can offer that level of coordination for development and server tools.
Microsoft never feels any repercussions of any of these incredible security holes. They don't even loose business over it!
Microsoft has invested heavily in improving their security. Vista is a far more secure piece of software than XP was. And MS has lost business over it - that's part of why Linux and OS X have been able to penetrate the professional and home computer worlds.
I am not a Microsoft fan but your statements don't really add anything to the dialog. Mindless MS bashing does no good.
What may I ask does this have to do with a smb buffer overflow which is what this vulnerability is about? You know, like overwriting a fixed size buffer allowing one to perhaps overwrite a return pointer with a jmp esp. This in turn executing malicious code on the stack.
I am sure that such a accomplished HaCkZ0r as yourself already knew this.
Got Code?
I suppose, by your logic, that Debian should ship with ssh turned off as well, because it had a hole. Sure, it would be convenient to have on your network, but you never know when the OSS community has been drinking from the cold frosty watercooler of fail. Sounds dumb when it's put that way, doesn't it?
As for the "90% of users wouldn't need it anyway": [citation needed]. Even my parents and friends without a clue often need to use file sharing.
Most of us "muppets" are happy to block 139 and its cousins at the firewall and be done with it. It's a LAN service. Assuming your network is secure from the outside, you can have your cake and eat it to.
If in your paranoia you somehow neglected to secure your WLAN, you *do* need to worry about this.
Either way, shutting off useful parts of the OS because you're afraid of an exploit is more cargo cult thinking than paranoid thinking. If you can't tell at any given time who's on your LAN, you need to get that under control. No OS is immune to the workings of a bad administrator.
I see your later post is an example of the "no true scotsman" fallacy. Plenty of people with a clue use windows file sharing, because they know what's going in in their network and at what layer(s) their security needs to be applied. People who have a clue avoid the "I automatically do X because Y is automatically bad" approach.
I happen to be of the opinion that open source software is more secure by virtue of its openness, which is an opinion that not everyone here shares. But that doesn't mean that I refuse to use Windows file sharing because it may or may not have an exploit. Again, this is not critical if every Tom/Dick/Harry isn't hanging out on your LAN, (or you aren't at a college, hotel or what have you). That said, this *is* ridiculous on MS's part and I have this update deadlined right now.
All three - ugly, inconsistent, and uncommented - make understanding the code more difficult. They do not make it impossible to go over.
Having spent a large amount of time looking into (the lowest layer of) OpenSSH, I can say it is very secure. Ugly, inconsistent, and uncommented together do not imply that the code is bad - that's your logical fallacy. (Besides, ugly and inconsistent are subjective.)
That does not change the fact that anyone (even me!) can look at OpenSSH, find problems in it, and fix it. Microsoft's code is secret, may or may not have glaring bugs in it, and nobody else can fix a problem even if it's known.
The link you posted is a testament to this. The problem was found and fixed extremely quickly. I can't trust Microsoft with the same response, and nobody else should trust them either.
Human error can happen to every code. But the open source ones we can fix.