Slashdot Mirror


Microsoft to Issue Emergency Patch For File-Sharing Hole

An anonymous reader writes "Microsoft said late Wednesday that it plans to release a critical security update today to plug a security hole present in all supported versions of Windows. The company hasn't released any details about the patch yet, which is expected to be pushed out at 1 p.m. PT. Normally, Redmond issues security updates on Patch Tuesday, the second Tuesday of each month. The Washington Post's Security Fix blog notes that each of the three times in the past that Microsoft has departed from its patch cycle, it was to fix some really nasty vulnerability that criminals already were exploiting to break into Windows PCs." Reader filenavigator points out an article which describes the hole as an SMB vulnerability, and says it "allows anyone to access a Windows machine remotely without any user name or password. Any machine that exposes Windows file sharing is vulnerable." Update: 10/23 17:42 GMT by T : Reader AngryDad adds a link to Microsoft's more detailed memo.


  1. This is why... by TrippTDF · · Score: 4, Funny

    ...I don't use computers. They are too much of a security risk.

    1. Re:This is why... by TrippTDF · · Score: 4, Funny

      I don't.

    2. Re:This is why... by The+Gaytriot · · Score: 4, Funny

      Who are you replying to?

      --
      Srsly u guys. U guys, srsly.
    3. Re:This is why... by bradkittenbrink · · Score: 3, Funny

      then I think somebody may have hacked your account...

    4. Re:This is why... by Anonymous Coward · · Score: 5, Funny

      Simple: Call up your ISP and make the correct noises. Real men don't use modems.

    5. Re:This is why... by Lord+Pillage · · Score: 5, Funny

      Weren't you listening? He doesn't use computers therefore he doesn't have an account! Some people just don't get the logic in that...

      --
      try { Signature mysig = new CleverAttempt(); } catch(NonCleverSignatureException e) { postanyway(); }
    6. Re:This is why... by _Sprocket_ · · Score: 4, Funny

      Simple: Call up your ISP and make the correct noises. Real men don't use modems.

      Whistling in to a phone?! REAL men use butterflies.

    7. Re:This is why... by Ngarrang · · Score: 2, Funny

      If you don't use computers, how did you post on /.?

      Maybe he was dictating his response to someone who does have aaaaaaaaa...

      --
      Bearded Dragon
    8. Re:This is why... by LearnToSpell · · Score: 2, Funny

      Must be a lot of people doing that around here...

    9. Re:This is why... by dgatwood · · Score: 2, Funny

      No, you got the joke wrong. The correct line is:

      First, he asks his secretary to print the Internet. Then, the secretary prints a bunch of random crap pages. Then, he types up a response on his Underwood No. 5 and sends it to her through a pneumatic tube. Then, the secretary rekeys the information in and sends a printed copy to him via a pneumatic tube for approval, which he then initials and sends back through the tube. Upon receipt of the initialed printed copy, she initials the electronic copy and clicks "submit".

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    10. Re:This is why... by the_B0fh · · Score: 2, Funny

      This is slashdot! If he's capable of listening, he would have gotten a girlfriend, and would have a real life instead, but here he is, posting on slashdot, so, obviously he is not capable of listening.

    11. Re:This is why... by Niten · · Score: 2, Funny

      You can even get DSL if you have a good enough falsetto.

    12. Re:This is why... by g-san · · Score: 4, Funny

      Yeah but you only get half-duplex unless you learn circular breathing...

  2. Let's hope by cnettel · · Score: 5, Funny

    Let's hope that the renewed Samba compatibility effort by MS means that this bug will be ported over.

    1. Re:Let's hope by Anonymous Coward · · Score: 5, Interesting

      It was probably the shared Samba experience that gave them the idea on how to fix the bug.

      I don't understand how the bug works, but I know one has been around. You can find hack tools for script kiddies out there that will exploit this automagically for people. I have even used it in the past to get some files from a computer that no one knew the password to and the key to the server room was broken off in the lock making physical access impossible until a locksmith was available.

      Thankfully, the old tech (who broke the lock on his way out after resetting everyone's password) kept all the passwords in scripts that I could recover and use to change passwords to something usable. The owner of the company wanted me to testify in court to the old tech's actions and even offered me a permanent contract, I told him all I wanted was a check, I don't want anything to do with a company that pissed their old tech off that bad after 5 years of service.

    2. Re:Let's hope by Anonymous Coward · · Score: 2, Funny

      This sounds like a lie. There is no public exploit out for this.

  3. Re:Cool by iztehsux · · Score: 5, Funny

    Still got plenty of time before this afternoon to turn your college campus into a botnet!

  4. Maybe.. by cirrustelecom · · Score: 2, Funny

    At least they didn't describe it as a MAC vulnerability

    --
    "No, but understanding is not required, only obedience."
  5. Damn Fossies by Ynot_82 · · Score: 2, Funny

    Those damn FOSSies can gain access to SMB shares
    Quick, patch it....

  6. More info already posted... by Spazholio · · Score: 4, Informative
  7. Re:Cool by Ethanol-fueled · · Score: 4, Insightful

    Don't worry, the NSA and the RBN have plenty of Windows Backdoors(tm) left to use.

  8. FREEOWW!!! by mcgrew · · Score: 2, Interesting

    allows anyone to access a Windows machine remotely without any user name or password. Any machine that exposes Windows file sharing is vulnerable

    Yet this comment in the "Can You Trust Anti-virus Rankings?" thread, where I noted that a dual boot with internet for linux and with networking disabled in Windows was better than AV was modded down. Of course, a lot of MSCEs and Microsoft employees come to slashdot, and I'm sure a few get mod points once in a while. No matter, my karma's fine.

    And yes, kiddies, you DO need a firewall for ANY OS and any OS is prone to trojans. But no AV will protect you against an unknown trojan OR the vuln mentioned in TFA, and no firewall will keep out someone you explicitly let in.

    <tinfoil hat>
    Some might wonder if this vuln was introduced on purpose as a weapon against the Pirate Bay? You can bet that a lot of people are uninstalling Kazaa, Morpheus, and all other legit and illegit P2P apps. Getting rid of P2P is a blow against FOSS and indie music.

    1. Re:FREEOWW!!! by flyingfsck · · Score: 2, Funny

      "Any OS must be behind a firewall" - So do you put your firewall behind a firewall?

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    2. Re:FREEOWW!!! by Anonymous Coward · · Score: 5, Funny

      It's firewalls all the way down.

    3. Re:FREEOWW!!! by Lobster+Quadrille · · Score: 3, Insightful

      Maybe they're not astroturfers. Maybe you're just annoying.

      --
      "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
    4. Re:FREEOWW!!! by cez · · Score: 2, Funny

      \\ ?

      --
      Walk with Music;
    5. Re:FREEOWW!!! by caluml · · Score: 2, Funny

      Aaah, so that's what the loopback interface is for...

  9. Samba Interoperability? by Philip+K+Dickhead · · Score: 2, Funny

    Why patch? Looks like they went a long way to achieve this already!

    --
    "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
    1. Re:Samba Interoperability? by TeacherOfHeroes · · Score: 2, Funny

      I agree!

      Every time that a new software bug or vulnerability is uncovered, I feel better and better about my choice to stick with an abacus instead of using these computer things.

      Yes, it would be convenient to have it in my home or office, but you never know when some giant glaring exploit is going to appear and leave you open to pwnage due to some software company drinking a cold frosty can of fail.

      Days like this justify my paranoia.

    2. Re:Samba Interoperability? by Tawnos · · Score: 5, Insightful

      I suppose, by your logic, that Debian should ship with ssh turned off as well, because it had a hole. Sure, it would be convenient to have on your network, but you never know when the OSS community has been drinking from the cold frosty watercooler of fail. Sounds dumb when it's put that way, doesn't it?

      As for the "90% of users wouldn't need it anyway": [citation needed]. Even my parents and friends without a clue often need to use file sharing.

    3. Re:Samba Interoperability? by Sj0 · · Score: 2, Funny

      I agree!

      Every time that a new software bug or vulnerability is uncovered, I feel better and better about my choice to stick with my fingers and toes instead of using these computer things (20 bits ought to be enough for anyone).

      Yes, it would be convenient to have it in my home or office, but you never know when some giant glaring exploit is going to appear and leave you open to pwnage due to some software company drinking a cold frosty can of fail.

      Days like this justify my paranoia.

      --
      It's been a long time.
    4. Re:Samba Interoperability? by Tawnos · · Score: 2, Insightful

      http://www.nizkor.org/features/fallacies/special-pleading.html

      I request you don't make special pleading for Linux when not providing sources or even anecdotal evidence. People using a certain OS don't automatically get a free pass as being "more knowledgeable" - especially considering the advocacy of Linux users trying to turn their friends on to the product. The fact you call out the corporate environment shows that there's a huge market that needs/uses file sharing (and the associated network services: print sharing, discovery, etc).

      I wasn't stating that all people without a clue use it, but that there are those who do. My parents use it for business, my "friends without a clue" use it so they can break copyright law more easily ("oh, you downloaded ASDF cd? can I get that from your computer?") and share documents between laptop and desktop.

      On top of all this, Vista has network separation that doesn't turn some of this stuff on depending on what network you choose. This means file sharing isn't on for public networks, but is for home and work, because those cases have been found to be needed by enough home users to justify turning it on.

    5. Re:Samba Interoperability? by mweather · · Score: 2, Insightful

      Debian does ship with ssh turned off.

    6. Re:Samba Interoperability? by atraintocry · · Score: 5, Insightful

      Most of us "muppets" are happy to block 139 and its cousins at the firewall and be done with it. It's a LAN service. Assuming your network is secure from the outside, you can have your cake and eat it too.

      If in your paranoia you somehow neglected to secure your WLAN, you *do* need to worry about this.

      Either way, shutting off useful parts of the OS because you're afraid of an exploit is more cargo cult thinking than paranoid thinking. If you can't tell at any given time who's on your LAN, you need to get that under control. No OS is immune to the workings of a bad administrator.

      I see your later post is an example of the "no true scotsman" fallacy. Plenty of people with a clue use windows file sharing, because they know what's going on in their network and at what layer(s) their security needs to be applied. People who have a clue avoid the "I automatically do X because Y is automatically bad" approach.

      I happen to be of the opinion that open source software is more secure by virtue of its openness, which is an opinion that not everyone here shares. But that doesn't mean that I refuse to use Windows file sharing because it may or may not have an exploit. Again, this is not critical if every Tom/Dick/Harry isn't hanging out on your LAN, (or you aren't at a college, hotel or what have you). That said, this *is* ridiculous on MS's part and I have this update deadlined right now.

    7. Re:Samba Interoperability? by Godji · · Score: 2, Informative

      Have you even looked at the OpenSSH source code?

      It's a bit ugly, not very consistent, almost completely undocumented, but it's very secure by design. Please don't take my word for it. Read this and then look at the source code.

      Now have you looked at the Windows SMB server source code? I rest my case.

    8. Re:Samba Interoperability? by marcosdumay · · Score: 2, Informative

      Debian does ship with ssh turned off. By the way, it ships with no ssh server even installed.

      Ssh is a dangerous piece of software, that can make your machine quite vulnerable if you don't know it is running and don't protect it accordingly (good passwords or only key authentication).

    9. Re:Samba Interoperability? by Tawnos · · Score: 3, Insightful

      I wonder how you can claim that ugly, inconsistent, undocumented code is "secure by design" versus code you can't see. You're asserting that it must be bad because you don't see it and that openssh must be good because you can see it, a logical fallacy (especially considering your comment that it's ugly, not consistent, or documented...how can one vet something like that?).

      As for looking at the SMB server source code... not in my area of Windows (I'm in desktop graphics technology), but I suppose I could look at the diff for the patch. One thing I do know is that, by and large, code is a bit ugly, consistent, and documented well here, though.

      The comment regarding ssh (a service I consider a necessity on any Linux box) with Debian was because there was a huge problem ( http://it.slashdot.org/article.pl?sid=08/05/13/1533212 ) introduced into Debian's ssh stream. Secure by design or not, the scheme was broken because of a human mistake. Those kinds of mistakes can happen in OSS or closed source, and I don't think treating one as specially exempt from the problem is an honest view of the world.

    10. Re:Samba Interoperability? by khellendros1984 · · Score: 2, Insightful

      Everyone I knew in college used it for file transfer within on-campus housing. It was convenient with everyone being on the same network. It's also my preferred method to transfer things around the network at home. Plus, there's a growing market of NAS boxes for home use.

      --
      It is pitch black. You are likely to be eaten by a grue.
    11. Re:Samba Interoperability? by flosofl · · Score: 2, Insightful

      Most of us "muppets" are happy to block 139 and its cousins at the firewall and be done with it. It's a LAN service. Assuming your network is secure from the outside, you can have your cake and eat it too.

      Well, that's only the *direct* vector of exploitation from external. There's quite a few indirect. There's already a trojan in the wild trying to leverage this issue. And users are users. As in "muppets" may not be too far off. I work in a very large environment and we are setting a 3 day deadline for testing and deployment. In fact I just got off the phone with IBM and EDS (manage some of our regions) and MS regarding this issue.

      Additionally, having a soft chewy internal network is a big problem as well. You cannot discount deliberate attacks from the inside. Or idiots clicking links and opening attachments. Yeah, external links and attachments should be under control, but really this issue is really too serious. Any machine within an MS domain could exploit the server.sys RPC issue on any other machine sans authentication.

      Really, your best bet is to test this quickly and deploy.

      --
      "This calls for a very special blend of psychology and extreme violence" - Vyvyan "The Young Ones"
    12. Re:Samba Interoperability? by supernova_hq · · Score: 2, Interesting

      Why not just add a "do you want to enable file sharing" the first time a user tries to use it?

      Chances are if you have more than one machine (thus needing file sharing), you have a firewalled router between you and the internet anyways.

      The part that pisses me off the most about windows filesharing is that you use the same controls to share files with other users on the same computer as you do to share them with other computers? Why are these the same service at all?!?

      I remember in high school, we took a look through network neighbourhood and saw every computer in the school district, including personal machines owned by principals, secretaries, etc. It would have been less than trivial to drop some "interesting" hyperlinks into the startup folder of the shared start menu (why is the fucking start menu shared over the network?!?) and cause someone to have a REALLY bad day. Sure the network admin should be disabling these on school comps, but he has little control over personal laptops and school salaries don't exactly pull in the most experienced network admins...

    13. Re:Samba Interoperability? by Godji · · Score: 4, Insightful

      All three - ugly, inconsistent, and uncommented - make understanding the code more difficult. They do not make it impossible to go over.

      Having spent a large amount of time looking into (the lowest layer of) OpenSSH, I can say it is very secure. Ugly, inconsistent, and uncommented together do not imply that the code is bad - that's your logical fallacy. (Besides, ugly and inconsistent are subjective.)

      That does not change the fact that anyone (even me!) can look at OpenSSH, find problems in it, and fix it. Microsoft's code is secret, may or may not have glaring bugs in it, and nobody else can fix a problem even if it's known.

      The link you posted is a testament to this. The problem was found and fixed extremely quickly. I can't trust Microsoft with the same response, and nobody else should trust them either.

      Human error can happen to every code. But the open source ones we can fix.

    14. Re:Samba Interoperability? by nexu56 · · Score: 2, Insightful

      I suppose, by your logic, that Debian should ship with ssh turned off as well, because it had a hole.

      You're comparing apples and oranges. The equivalent service on Debian is Samba, which is turned off by default in Debian.

  10. Pretty serious by IceCreamGuy · · Score: 5, Informative
    I first saw this a couple days ago on the CERT bulletin, http://www.us-cert.gov/cas/bulletins/SB08-294.html, and http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4038, most serious vulnerability I've ever seen up there:

    Access Vector: Network exploitable
    Access Complexity: Low
    Authentication: Not required to exploit
    Impact Type: Provides administrator access, Allows complete confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service

    In other words: any idiot on your network can gain admin access to any attached Windows-based system with file-sharing enabled. I'm really glad that they're releasing an emergency patch for this, because that's a pretty fucking crazy description of an exploit, especially since it affects all versions of their last 10 years of operating systems.

    1. Re:Pretty serious by Lord+Ender · · Score: 4, Informative

      That's not the scary part. The scary part is that this can be made into a worm which uses a service which is installed by default on almost every windows system, and does not require user interaction to exploit. It's the perfect worm-bait. It's like a von neumann machine near the galactic core.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    2. Re:Pretty serious by IceCreamGuy · · Score: 2, Informative

      Dude, you have to use the "static link" on the NIST page for that to work...

    3. Re:Pretty serious by secPM_MS · · Score: 2, Informative

      Actually, it is rather more like the Zotob vuln than the Blaster vuln. It is a crit on earlier systems, but requires authenticated privileges on Vista and 2K8 server due to the implementation of the integrity level defenses in Vista and 2K8. That said, the potential for damage with this vulnerability is high and there were reports of attacks in the wild. Thus, Microsoft released out of the standard release cycle.

  11. Does this mean . . . by arizwebfoot · · Score: 4, Funny

    I need to dust of my IMB Selectric III?

    --
    Beer is proof that God loves us and wants us to be happy.
    1. Re:Does this mean . . . by Akardam · · Score: 4, Insightful

      Perhaps if you're going to do that you might want to dust off your typing skills, as well...

  12. 135 by Zebra_X · · Score: 3, Insightful

    Has been windows' stink hole for the last 10 years. Let's hope that most people have learned they need to cover it up.

  13. Useless Windows Update by Jabbrwokk · · Score: 4, Interesting

    Why hasn't this been caught in the 3,000 previous security issues patched for Windows? It seems like kind of a biggie. In that list you linked to (thank you) it's present in all service packs for XP (the only Windows I use).

    I don't have any of the affected services enabled so it doesn't affect me, but I think a lot of that stuff is on or can be easily activated by default.

    Again, why did it take so long to catch this one? The tinfoil hat backdoor NSA spook theories seem almost believable.

    1. Re:Useless Windows Update by dave562 · · Score: 3, Insightful

      Shouldn't be an issue? What world are you living in? What happens when it gets crafted into an email or web exploit and someone inside the perimeter visits SeeMyBoobs.com and their now zombied desktop owns your servers?

    2. Re:Useless Windows Update by Goldberg's+Pants · · Score: 3, Insightful

      What do you mean, "most people"? Most people don't even run firewalls for god's sake! God knows nobody I know would be if I hadn't battered it into their useless skulls that they were to never come crying to me if their computer got wrecked due to their stupidity. (I may have worded it more politely. In most cases anyway.)

    3. Re:Useless Windows Update by Anonymous Coward · · Score: 5, Informative
  14. When is enough, enough? by ryanw · · Score: 2, Insightful

    Microsoft has had something like this occur regularly enough that I found myself already skipping to the next story without even reading the complete heading.

    I still cannot understand why major corporations run Windows of any version in enterprise server farms. They've had so many warning signs, so many high security breaches, so many alarms, and they're still very "ho-hum" about it.

    If you read the post slowly and actually acknowledge what it says, it's saying that ever since the incarnation of Windows elite hackers from Russia (or anywhere else) have been able to steal files on any machine with no problem. The underground top hackers have exploits that they guard with top secrecy and keep in their box of tricks when nothing else "known" is working.

    Come on, seriously! No other product provider on the planet would be allowed such leniency. Microsoft never feels any repercussions of any of these incredible security holes. They don't even lose business over it! When is enough, enough????

    1. Re:When is enough, enough? by Arainach · · Score: 2, Insightful

      Do you really believe that nothing like this exists on Mac or Linux? Not necessarily this specific exploit, but something of this severity. Neither Apple nor the various Linux/OSS developers have anywhere near the testing unit that Microsoft has to uncover these flaws, nor do they have anywhere near the level of real-world users testing their software. It's not possible to write software of this level and complexity 100% bug-free. It's a matter of how much time and testing it takes to find such bugs.

    2. Re:When is enough, enough? by jschottm · · Score: 5, Insightful

      Microsoft has had something like this occur regularly enough that I found myself already skipping to the next story without even reading the complete heading.

      Not any more they don't. This is the first major exploit for MS in several years that will enable trivial worm creation. The last notable one was Zotob in 2005, which was really comparatively minor - the last really big one was Sasser in 2004. Thus, this is important news.

      If you read the post slowly and actually acknowledge what it says, it's saying that ever since the incarnation of Windows elite hackers from Russia (or anywhere else) have been able to steal files on any machine with no problem.

      The same thing can be said about OpenSSL, BIND, Apache, Sendmail, Samba, and pretty much every major piece of software.

      The underground top hackers have exploits that they guard with top secrecy and keep in their box of tricks when nothing else "known" is working.

      That's why people who need to worry about top hackers also need to worry about defense in depth.

      I still cannot understand why major corporations run Windows of any version in enterprise server farms.

      Because it's non-trivial to completely switch platforms. Windows gained the desktop and office software marketshare and whether you think that MS did bad things to get there is irrelevant. Computers are simply a tool to most businesses. If the vast majority of the business software you need as a tool runs on one platform, you use that platform. And you develop your specific tools, generally for that platform. Thus, to support the desktop systems, you get the servers that support them.

      And while I don't use them, the integration of the server, database, and programming environment that Microsoft provides is an incredibly good value proposition for some companies. Other than perhaps IBM, no one else can offer that level of coordination for development and server tools.

      Microsoft never feels any repercussions of any of these incredible security holes. They don't even lose business over it!

      Microsoft has invested heavily in improving their security. Vista is a far more secure piece of software than XP was. And MS has lost business over it - that's part of why Linux and OS X have been able to penetrate the professional and home computer worlds.

      I am not a Microsoft fan but your statements don't really add anything to the dialog. Mindless MS bashing does no good.

    3. Re:When is enough, enough? by pipatron · · Score: 2, Insightful

      The difference is that the FOSS software have millions of people that can check the source code, Microsoft only a couple of thousands. Having the source makes it so much easier to spot the flaws.. (and thus fixing them)

      --
      c++; /* this makes c bigger but returns the old value */
    4. Re:When is enough, enough? by thewils · · Score: 2, Informative

      Not any more they don't. This is the first major exploit for MS in several years that will enable trivial worm creation.

      Not any more they don't. This is the first major exploit that I know about for MS in several years that will enable trivial worm creation.

      There, fixed it for you.

      --
      Once I was a four stone apology. Now I am two separate gorillas.
    5. Re:When is enough, enough? by jschottm · · Score: 2, Informative

      This is the first major exploit for MS in several years that will enable trivial worm creation.

      I believe the second definition is the relevant one. If an exploit is trivial - any moderately skilled script kiddy can create a worm and it's been added to metasploit, it is by definition known.

    6. Re:When is enough, enough? by dotgain · · Score: 2, Insightful

      Rather than simply suggest the G.P. might be oblivious, why didn't you provide examples of the exploits that seem to have escaped his attention?

    7. Re:When is enough, enough? by ion.simon.c · · Score: 2, Interesting

      No really. To make it usable you need to turn the security off...

      Back up that claim with examples, or shut the fuck up. You're hurting Slashdot by producing more of this unsubstantiated bullshit. [1]

      [1] Have you seen that one where Jon Stewart is talking to the Crossfire [2] guys? If not, check [3] for the story.
      [2] http://en.wikipedia.org/wiki/Crossfire_(TV_series)
      [3] http://en.wikipedia.org/w/index.php?title=Crossfire_(TV_series)&oldid=246136706#Jon_Stewart.27s_appearance

  15. Re:Critical vs Important by quantumplacet · · Score: 5, Informative

    No, if you RTFA article, on newer versions the overflow will still work, but require authentication, making it Important. On older versions the exploit can work with no authentication making it Critical. Microsoft has always used this labeling convention for patches.

  16. Re:Critical vs Important by Narnie · · Score: 5, Funny

    The difference between XP and Vista will be a little pop up on Vista that will ask you if you want to run the RCP exploit n@5Ty.tr0g1n

    --
    greed@All_Evils:~#
  17. Sounds like a bad one by Drakkenmensch · · Score: 5, Interesting

    You know that a vulnerability is bad when Microsoft goes out of its regular patching cycle to hurry and plug the hole so quickly, instead of following their usual philosophy of saying "What are you talking about? There is no security hole in Windows!" and quietly patching it a few months later amidst a flood of innocuous driver updates.

  18. Re:Security administration? by gbjbaanb · · Score: 3, Informative

    do a search for LDAP.

    Here's a comparison of some options:
    IBM SecureWay Directory,
    Messaging Direct M-Vault,
    Microsoft Active Directory,
    Netscape Directory Server,
    Novell eDirectory,
    OpenLDAP.

  19. Known about this for years by xombo · · Score: 3, Funny

    My friends and I have known about this hole since high school. Every version of Windows with SMB has underlying, invisible, "root" accounts which cannot be removed without a great deal of diligence. These accounts have no password and give full access to the SMB share. I'm shocked that it has taken Microsoft this long to address the issue.

    1. Re:Known about this for years by eli867 · · Score: 2, Funny

      Buffer underrun permitting arbitrary code execution != "invisible root account"

      You don't know what you're talking about.

    2. Re:Known about this for years by codepunk · · Score: 5, Insightful

      What may I ask does this have to do with a smb buffer overflow which is what this vulnerability is about? You know, like overwriting a fixed size buffer allowing one to perhaps overwrite a return pointer with a jmp esp. This in turn executing malicious code on the stack.

      I am sure that such an accomplished HaCkZ0r as yourself already knew this.

      --


      Got Code?
  20. Re:Cool by dgatwood · · Score: 2, Funny

    In Soviet college, files serve you?

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  21. Someone always clicks "allow". by argent · · Score: 5, Funny

    Because on Vista you get a prompt: "Your computer is being hacked. Cancel or Allow?"

    Windows Airlines:
    The terminal is very neat and clean, with security barriers every few meters. The attendants are attractive, even if it's kind of creepy how much they want to "help" (especially in the restrooms). The pilots are allegedly very capable, though nobody ever sees them and there's an armed guard by the cockpit door. The fleet of jets it operates are immense. Your jet takes off without a hitch, pushing above the clouds, and at 20,000 feet a message pops up on the seat back in front of you asking "Should this plane explode now?".

    Some idiot always answers "Yes".

  22. Re:Security administration? by IceCreamGuy · · Score: 3, Insightful

    I really don't mean to be a dick, but it really aggravates me when people say that AD=LDAP. LDAP is the protocol used to access AD, and then beyond that there is the actual Active Directory system, which is way fucking more than just an LDAP server. Have you worked with group policy, which is possibly the main feature of AD? It's just a protocol used to access and structure Active Directory, and if you think that just implementing LDAP in a Linux environment brings you anywhere even close to the functionality of AD, then I'm sorry, but you just don't know what you're talking about. eDirectory is comparable to AD, LDAP is not.

  23. Or maybe ... by Rhabarber · · Score: 5, Funny

    ... the bug was found on one of the interoperability fests:

    Samba Guy: Hey dude, look, when I open a connection _this way_ I get strange replies. There is nothing similar in the docs ...

    MS Interoperability Officer: Sir, the protocol is just too complex. I wouldn't care. How about putting little hearts into the password dialog, I don't like the asterisks, anyway.

    Samba Guy: Dude, come on, I want to understand how the stuff works...

    MS Interoperability Officer: Sir, hmm, must be part of a proprietary, essential, internal routine framework. It's in there since ages. The software works, we make billions from it.

    Samba Guy: But what does it do? Why do you need it?

    MS Interoperability Officer: Don't know. The guy who coded it left the company.

    Samba Guy: Can't we just call him?

    MS Interoperability Officer: Don't think so. He must be cleaning his Yacht somewhere near Tanzania right now.

    Samba Guy: Well dude, then let's see what's gonna happen if I keep going on...

    MS Interoperability Officer: Sir, I'm bored. I don't like your black console anyway. It feels so 50s.

    MS Interoperability Officer: Sir, I'm in the position to offer you a free trial for Microsoft Visual Studio 2009 with Ribbon TM included.

    Samba Guy: Look dude, I just got root on your machine.

    MS Interoperability Officer: Sir, which idiot gave you my password?

    Samba Guy: No password, dude. I just opened the connection, look here ...

    Samba Guy shows 4 lines of code.

    MS Interoperability Officer: Sir, please hold on, I need to call my chief security officer.

    MS Interoperability Officer talking on the phone (next door).

    Minutes later the door is opened violently. Gates and Ballmer enter the scene guarded by five NSA officers.

    Gates: Sir, I'm sorry, you found one of the many backdoors we built into all versions of Microsoft Windows TM released after 1999. I suppose you will perfectly understand that all algorithms concerning that matter are our intellectual property which is protected by American Law.

    NSA Officer (in monotone voice): Sir, I'll now use this Neutralizer TM device to erase your memories of the last twenty-four hours. You've never been in this building and you never knew about the federal data acquisition program.

    A bright flash of light gets emitted from the little device.

    Samba Guy: Shit, my eyes. What the fuck is wrong with you guys. That code is so freaking stupid. You can't be serious...

    Another NSA Officer (in aggressive voice): Shut up criminal bastard!

    First NSA Officer (in same monotone voice): Sir, you might have consumed a critical cumulative dose of THC during adolescence. The resulting altered brain circuitry is resistant to portable neutralizer devices. I'm sorry to inform you you're temporarily arrested under federal law.

    Samba Guy: Bull shit, you have no idea what you're talking about. Look I've got a hook running that sends every command I type on the console directly to twitter. Everybody does it, it's lots of fun. Nothing I do is secret. I believe in sharing of ideas.

    Ballmer (in rage): Motherfucking communists ... this is why fucking America is all that fucked up ... how the fuck should we ever control that fucking mob ... fuck!

    Ballmer, well, throws chairs.

    Gates (calling the still governing president of the United States): My president, sir, I'm sorry to inform you, due to certain circumstances, details concerning the federal data acquisition program might just have been leaked to the public.

    Samba Guy: Hey dude, the story is already on digg. I think you should issue a patch before it is on slashdot.

    Curtain gets drawn, applause.

    Off stage voice: Thank you ladies and gentlemen. Please don't forget to visit windowsupdates.microsoft.com

  24. Re:Security administration? by Anonymous Coward · · Score: 5, Interesting

    it really aggravates me when people say that AD=LDAP. LDAP is the protocol used to access AD, and then beyond that there is the actual Active Directory system, which is way fucking more than just an LDAP server.

    I agree. LDAP is a protocol; AD is an LDAP-capable directory. A very weak, vendor-locked, OS-version-specific, poorly performing directory that in many ways compensates for corresponding weaknesses in the Windows OS, so that together AD and Windows add up to a reasonably usable system, almost as capable as a standards-compliant system.

    If that sounds like a troll or flamebait it's certainly not meant to be. It's just an honest appraisal - I've worked with directories since the late 80s, and AD is not a particularly good example of a directory since it is so specialized for dealing with MS-windows problems that other platforms don't necessarily have (they have completely other problems, of course).

    I have around 600 systems running from OpenLDAP these days. Most of these are windows desktops that think they are talking to AD, but I've also got HP-UX, Solaris, 3 flavors of linux, a single mac, and we used to have AIX too. All running from a single, massively replicated OpenLDAP directory that requires far less maintenance and hardware than AD does.

    So yes, you're quite right. AD is much more than an LDAP server. It's an enterprise directory, and may someday evolve into a good one... it's still a young product and has a lot of catching up to do before it can compete with eDirectory.

  25. Re:No Fcking update is downloadable for it. by blowdart · · Score: 3, Informative

    Utter balls. If you're an admin that doesn't know how to get the executables I fear for those systems.

    As you appear to need severe help; here; but next time read the KB article, it tells you alternative locations to download from, including the Update Catalog Site which even uses a shopping basket metaphor. Errr. If you're using IE.

    Windows 2000 SP4: http://www.microsoft.com/downloads/de...=E22EB3AE-1295-4FE2-9775-6F43C5C2AED3
    Windows XP SP2: http://www.microsoft.com/downloads/de...=0D5F9B6E-9265-44B9-A376-2067B73D6A03
    Windows XP SP3: http://www.microsoft.com/downloads/de...=0D5F9B6E-9265-44B9-A376-2067B73D6A03
    Windows XP Professional x64 Edition: http://www.microsoft.com/downloads/de...=4C16A372-7BF8-4571-B982-DAC6B2992B25
    Windows XP Professional x64 Edition SP2: http://www.microsoft.com/downloads/de...=4C16A372-7BF8-4571-B982-DAC6B2992B25
    Windows Server 2003 SP1: http://www.microsoft.com/downloads/de...=F26D395D-2459-4E40-8C92-3DE1C52C390D
    Windows Server 2003 SP2: http://www.microsoft.com/downloads/de...=F26D395D-2459-4E40-8C92-3DE1C52C390D
    Windows Server 2003 x64 Edition: http://www.microsoft.com/downloads/de...=C04D2AFB-F9D0-4E42-9E1F-4B944A2DE400
    Windows Server 2003 x64 Edition SP2: http://www.microsoft.com/downloads/de...=C04D2AFB-F9D0-4E42-9E1F-4B944A2DE400
    Windows Server 2003 with SP1 for Itanium-based Systems: http://www.microsoft.com/downloads/de...=AB590756-F11F-43C9-9DCC-A85A43077ACF
    Windows Server 2003 with SP2 for Itanium-based Systems: http://www.microsoft.com/downloads/de...=AB590756-F11F-43C9-9DCC-A85A43077ACF
    Windows Vista (optionally with SP1): http://www.microsoft.com/downloads/de...=18FDFF67-C723-42BD-AC5C-CAC7D8713B21
    Windows Vista x64 Edition (optionally with SP1): http://www.microsoft.com/downloads/de...=A976999D-264F-4E6A-9BD6-3AD9D214A4BD
    Windows Server 2008 for 32-bit Systems: http://www.microsoft.com/downloads/de...=25C17B07-1EFE-43D7-9B01-3DFDF1CE0BD7
    Windows Server 2008 for x64-based Systems: http://www.microsoft.com/downloads/de...=7B12018E-0CC1-4136-A68C-BE4E1633C8DF
    Windows Server 2008 for Itanium-based Systems: http://www.microsoft.com/downloads/de...=2BCF89EF-6446-406C-9C53-222E0F0BAF7A

  26. Re:Work around? by Allador · · Score: 2, Informative

    You mean like this phrase:

    Disable the Server and Computer Browser services

    In the section titled: "workarounds".

    Yeah, it would be great if they would share that with us.

  27. Re:Fail by tirnacopu · · Score: 2, Insightful

    Exactly, and the completely ignorant replies, here on Slashdot, are astounding. 135 is an entry point for maybe half of the functions the Windows OS offers remotely. And so few people seem to be aware of this.

  28. This is going to be a field day for the RIAA... by Waffle+Iron · · Score: 3, Funny

    ... and their "making available" theory. They could soon be raking in $Trillions in statutory damages from the public.

  29. Mod parent up! Great "bug hunt" article by Jabbrwokk · · Score: 4, Interesting

    Mod this AC up, the link is an interesting read.

    I'm no coder, I didn't understand most of what the article says, but I got the gist of it:

    In my opinion, hand reviewing this code and successfully finding this bug would require a great deal of skill and luck.

    Our present toolset does not catch this bug.

    First the good news; I think perhaps we have removed a good number of the low-hanging security vulnerabilities from many of our products, especially the newer code. The bad news is, we'll continue to have vulnerabilities because you cannot train a developer to hunt for unique bugs, and creating tools to find such bugs is also hard to do without incurring an incredible volume of false positives.

    I'll be blunt; our fuzz tests did not catch this and they should have. So we are going back to our fuzzing algorithms and libraries to update them accordingly.

    My opinion is Microsoft should have been taking the money they were getting from charging for tech support and put it into more testing and reviewing code.

    I love how at the end of the article he turns it into an ad for Windows Vista.

  30. Re:Cool by master5o1 · · Score: 2, Interesting

    Of course, Microsoft allowed the NSA to enter Windows. The RBN had to find their own way through the mess of insecurity to find a nice looking aluminium door.

    --
    signature is pants

  31. Re:Critical vs Important by Lobster+Quadrille · · Score: 2, Funny

    I find it amusing that we geeks can be so anal retentive about redundancy, spelling and grammar, then invent words like "boxen" and "borked".

    --
    "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497

  32. Re:Critical vs Important by mollymoo · · Score: 2, Interesting

    No, if you RTFA article, on newer versions the overflow will still work, but require authentication, making it Important. On older versions the exploit can work with no authentication making it Critical. Microsoft has always used this labeling convention for patches.

    Additionally, Vista and Server 2008 will only restart the service twice after it crashes, so an attacker only gets two tries (failed attempts result in a crash). Earlier versions have no limit on how often they restart the service, so you can have as many tries as you like.

    I always thought there was some merit to the technologies behind UAC, even if the interface was god-awful. It seems in this case it's doing the job it was designed for.

    --
    Chernobyl 'not a wildlife haven' - BBC News