Microsoft to Issue Emergency Patch For File-Sharing Hole
An anonymous reader writes "Microsoft said late Wednesday that it plans to release a critical security update today to plug a security hole present in all supported versions of Windows. The company hasn't released any details about the patch yet, which is expected to be pushed out at 1 p.m. PT. Normally, Redmond issues security updates on Patch Tuesday, the second Tuesday of each month. The Washington Post's Security Fix blog notes that each of the three times in the past that Microsoft has departed from its patch cycle, it was to fix some really nasty vulnerability that criminals already were exploiting to break into Windows PCs."
Reader filenavigator points out an article which describes the hole as an SMB vulnerability, and says it "allows anyone to access a Windows machine remotely without any user name or password. Any machine that exposes Windows file sharing is vulnerable." Update: 10/23 17:42 GMT by T: Reader AngryDad adds a link to Microsoft's more detailed memo.
allows anyone to access a Windows machine remotely without any user name or password. Any machine that exposes Windows file sharing is vulnerable
Yet this comment in the "Can You Trust Anti-virus Rankings?" thread, where I noted that a dual boot with internet for Linux and with networking disabled in Windows was better than AV, was modded down. Of course, a lot of MCSEs and Microsoft employees come to Slashdot, and I'm sure a few get mod points once in a while. No matter, my karma's fine.
And yes, kiddies, you DO need a firewall for ANY OS and any OS is prone to trojans. But no AV will protect you against an unknown trojan OR the vuln mentioned in TFA, and no firewall will keep out someone you explicitly let in.
<tinfoil hat>
Some might wonder if this vuln was introduced on purpose as a weapon against The Pirate Bay? You can bet that a lot of people are uninstalling Kazaa, Morpheus, and all other legit and illegit P2P apps. Getting rid of P2P is a blow against FOSS and indie music.
Free Martian Whores!
It was probably the shared Samba experience that gave them the idea on how to fix the bug.
I don't understand how the bug works, but I know one has been around. You can find hack tools for script kiddies out there that will exploit this automagically for people. I have even used it in the past to get some files from a computer that no one knew the password to, and the key to the server room was broken off in the lock, making physical access impossible until a locksmith was available.
Thankfully, the old tech (who broke the lock on his way out after resetting everyone's password) kept all the passwords in scripts that I could recover and use to change passwords to something usable. The owner of the company wanted me to testify in court to the old tech's actions and even offered me a permanent contract; I told him all I wanted was a check. I don't want anything to do with a company that pissed their old tech off that bad after 5 years of service.
Why hasn't this been caught in the 3,000 previous security issues patched for Windows? It seems like kind of a biggie. In that list you linked to (thank you) it's present in all service packs for XP (the only Windows I use).
I don't have any of the affected services enabled so it doesn't affect me, but I think a lot of that stuff is on or can be easily activated by default.
Again, why did it take so long to catch this one? The tinfoil hat backdoor NSA spook theories seem almost believable.
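Since the thread keeps coming back to whether a given box "exposes Windows file sharing" at all, here is an added example of how to check that from the network side. This is not code from the thread, from Microsoft, or from any of the posters: it sends the SMB1 NEGOTIATE that every SMB client (and every scanner looking for this class of hole) sends first, and reports whether TCP 445 or 139 answers with an SMB header. The fake server and the canned NEGOTIATE reply at the bottom are constructed test doubles so the probe can be exercised on a machine with no Windows host in reach; the reply is not a real capture.

```python
"""Probe a host for reachable Windows file sharing (SMB over TCP 445 / 139).

Added example, not part of the original thread. Only the SMB magic bytes in
the reply are inspected; nothing here authenticates or exploits anything.
"""
import socket
import struct
import threading

SMB_PORTS = (445, 139)          # direct-hosted SMB, and SMB over NetBIOS session
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72


def smb1_header(command: int, flags: int = 0x18, flags2: int = 0xC853) -> bytes:
    """32-byte SMB1 header: magic, command, NT status, flags, flags2, PIDHigh,
    signature, reserved, TID, PID, UID, MID (little-endian)."""
    return struct.pack("<4sBIBHH8sHHHHH",
                       SMB1_MAGIC, command, 0, flags, flags2, 0,
                       b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)


def nbss(payload: bytes) -> bytes:
    """NetBIOS session-service framing: message type 0x00 plus a 3-byte
    big-endian length, which is what the top byte of a 4-byte ">I" gives."""
    return struct.pack(">I", len(payload)) + payload


def build_negotiate_request() -> bytes:
    """SMB1 NEGOTIATE offering the NT LM 0.12 dialect."""
    dialects = b"\x02NT LM 0.12\x00"
    body = struct.pack("<BH", 0, len(dialects)) + dialects   # WordCount, ByteCount
    return nbss(smb1_header(SMB_COM_NEGOTIATE) + body)


def classify_response(data: bytes):
    """'smb1', 'smb2' or None, based on the magic right after the NBSS header."""
    if len(data) < 8:
        return None
    magic = data[4:8]
    if magic == SMB1_MAGIC:
        return "smb1"
    if magic == SMB2_MAGIC:
        return "smb2"
    return None


def probe_smb(host: str, port: int, timeout: float = 3.0):
    """Connect, send a NEGOTIATE, classify the reply.
    Returns (reachable, dialect): reachable is False when the TCP connect fails,
    dialect is None when the port answered with something that is not SMB."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(build_negotiate_request())
            try:
                data = s.recv(4096)
            except (socket.timeout, ConnectionError):
                data = b""
        return True, classify_response(data)
    except OSError:
        return False, None


def scan_host(host: str, ports=SMB_PORTS, timeout: float = 3.0):
    """Map each SMB port to its probe result. Any 'smb1'/'smb2' value means
    file sharing is reachable from wherever this script runs."""
    return {port: probe_smb(host, port, timeout) for port in ports}


# ---- constructed fixtures (test doubles, not real Windows traffic) ----------

def fake_negotiate_reply() -> bytes:
    """Minimal stand-in for a NEGOTIATE response: reply bit (0x80) set in flags,
    empty body. Enough for classify_response(), not a faithful capture."""
    return nbss(smb1_header(SMB_COM_NEGOTIATE, flags=0x98) + struct.pack("<BH", 0, 0))


def start_fake_smb_server(reply: bytes) -> int:
    """One-shot localhost listener that answers the first connection with
    `reply`; returns the port it bound. Used to exercise probe_smb() offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port() -> int:
    """A loopback port that is (almost certainly) closed: bind, read, release."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, (up, dialect) in scan_host(target).items():
        print(f"{target}:{port} reachable={up} dialect={dialect}")
```

Run it from outside your NAT box against your public address and you learn in one line whether the "I'm behind a router anyway" assumption actually holds; run it from the LAN and you learn which machines are talking SMB at all, which is the population the patch matters for. A `(True, None)` result means something answered on the port but not in SMB, which is worth a second look rather than a shrug.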
I notice on that page that the aggregate security rating is listed as 'Critical' for all versions of Windows up to Vista. All of the Vista and Server 2008 security ratings are listed as 'Important' even though they still allow for remote code execution.
Has Microsoft watered down the wording of 'Critical' to 'Important' simply to make newer versions of their OS sound like they are more secure?
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough...
You know that a vulnerability is bad when Microsoft goes out of its regular patching cycle to hurry and plug the hole so quickly, instead of following their usual philosophy of saying "What are you talking about? There is no security hole in Windows!" and quietly patching it a few months later amidst a flood of innocuous driver updates.
it really aggravates me when people say that AD=LDAP. LDAP is the protocol used to access AD, and then beyond that there is the actual Active Directory system, which is way fucking more than just an LDAP server.
I agree. LDAP is a protocol; AD is an LDAP-capable directory. A very weak, vendor-locked, OS-version-specific, poorly performing directory that in many ways compensates for corresponding weaknesses in the Windows OS, so that together AD and Windows add up to a reasonably usable system, almost as capable as a standards-compliant system.
If that sounds like a troll or flamebait it's certainly not meant to be. It's just an honest appraisal - I've worked with directories since the late 80s, and AD is not a particularly good example of a directory since it is so specialized for dealing with MS-windows problems that other platforms don't necessarily have (they have completely other problems, of course).
I have around 600 systems running from OpenLDAP these days. Most of these are Windows desktops that think they are talking to AD, but I've also got HP-UX, Solaris, 3 flavors of Linux, a single Mac, and we used to have AIX too. All running from a single, massively replicated OpenLDAP directory that requires far less maintenance and hardware than AD does.
So yes, you're quite right. AD is much more than an LDAP server. It's an enterprise directory, and may someday evolve into a good one... it's still a young product and has a lot of catching up to do before it can compete with eDirectory.
Mod this AC up, the link is an interesting read.
I'm no coder, I didn't understand most of what the article says, but I got the gist of it:
In my opinion, hand reviewing this code and successfully finding this bug would require a great deal of skill and luck.
Our present toolset does not catch this bug.
First the good news; I think perhaps we have removed a good number of the low-hanging security vulnerabilities from many of our products, especially the newer code. The bad news is, we'll continue to have vulnerabilities because you cannot train a developer to hunt for unique bugs, and creating tools to find such bugs is also hard to do without incurring an incredible volume of false positives.
I'll be blunt; our fuzz tests did not catch this and they should have. So we are going back to our fuzzing algorithms and libraries to update them accordingly.
My opinion is Microsoft should have been taking the money they were getting from charging for tech support and put it into more testing and reviewing code.
I love how at the end of the article he turns it into an ad for Windows Vista.
Of course, Microsoft allowed the NSA to enter Windows. The RBN had to find their own way through the mess of insecurity to find a nice looking aluminium door.
signature is pants
Why not just add a "do you want to enable file sharing" the first time a user tries to use it?
Chances are if you have more than one machine (thus needing file sharing), you have a firewalled router between you and the internet anyways.
The part that pisses me off the most about windows filesharing is that you use the same controls to share files with other users on the same computer as you do to share them with other computers? Why are these the same service at all?!?
I remember in high school, we took a look through Network Neighborhood and saw every computer in the school district, including personal machines owned by principals, secretaries, etc. It would have been less than trivial to drop some "interesting" hyperlinks into the startup folder of the shared start menu (why is the fucking start menu shared over the network?!?) and cause someone to have a REALLY bad day. Sure, the network admin should be disabling these on school comps, but he has little control over personal laptops, and school salaries don't exactly pull in the most experienced network admins...
In the 'not credible' sense. Pure back-slapping.
http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx
"Over the last year or so I've noticed that the security vulnerabilities across Microsoft, but most noticeably in Windows have become bugs of a class I call "onesey - twosies" in other words, one-off bugs."
"The $64,000 question we ask ourselves when we issue any bulletin is "did SDL fail?" and the answer in this case is categorically "No!""
"The bad news is, we'll continue to have vulnerabilities because you cannot train a developer to hunt for unique bugs, and creating tools to find such bugs is also hard to do without incurring an incredible volume of false positives. With all that said, I will add detail about one-off bugs to our internal education; I think it's important to make people aware that even with great tools and great security-savvy engineers, there are still bugs that are very hard to find."
FAIL.
Look, if you're getting a constant FLOW of 'one-off' bugs being found by third parties -- no matter how theoretically 'hard' it is to find these bugs, and no matter how sophisticated your methods, there's something very, very wrong with your methods, BECAUSE THE BLACK HATS ARE ABLE TO DO IT SO WHY CAN'T YOU?
The chance of the black hats finding this bug turned out to be 100%.
If you scored less than that, I don't care your reasons, you lose, thanks for playing, try again.
You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
No really. To make it usable you need to turn the security off...
Back up that claim with examples, or shut the fuck up. You're hurting Slashdot by producing more of this unsubstantiated bullshit. [1]
[1] Have you seen that one where Jon Stewart is talking to the Crossfire [2] guys? If not, check [3] for the story.
[2] http://en.wikipedia.org/wiki/Crossfire_(TV_series)
[3] http://en.wikipedia.org/w/index.php?title=Crossfire_(TV_series)&oldid=246136706#Jon_Stewart.27s_appearance