Slashdot Mirror


Microsoft to Issue Emergency Patch For File-Sharing Hole

An anonymous reader writes "Microsoft said late Wednesday that it plans to release a critical security update today to plug a security hole present in all supported versions of Windows. The company hasn't released any details about the patch yet, which is expected to be pushed out at 1 p.m. PT. Normally, Redmond issues security updates on Patch Tuesday, the second Tuesday of each month. The Washington Post's Security Fix blog notes that each of the three times in the past that Microsoft has departed from its patch cycle, it was to fix some really nasty vulnerability that criminals already were exploiting to break into Windows PCs." Reader filenavigator points out an article which describes the hole as an SMB vulnerability, and says it "allows anyone to access a Windows machine remotely without any user name or password. Any machine that exposes Windows file sharing is vulnerable." Update: 10/23 17:42 GMT by T : Reader AngryDad adds a link to Microsoft's more detailed memo.

18 of 348 comments

  1. Let's hope by cnettel · · Score: 5, Funny

    Let's hope that the renewed Samba compatibility effort by MS means that this bug will be ported over.

    1. Re:Let's hope by Anonymous Coward · · Score: 5, Interesting

      It was probably the shared Samba experience that gave them the idea on how to fix the bug.

      I don't understand how the bug works, but I know one has been around. You can find hack tools for script kiddies out there that will exploit this automagically for people. I have even used it in the past to get some files from a computer that no one knew the password to and the key to the server room was broken off in the lock making physical access impossible until a locksmith was available.

      Thankfully, the old tech (who broke the lock on his way out after resetting everyone's password) kept all the passwords in scripts that I could recover and use to change passwords to something usable. The owner of the company wanted me to testify in court to the old tech's actions and even offered me a permanent contract, I told him all I wanted was a check, I don't want anything to do with a company that pissed their old tech off that bad after 5 years of service.

  2. Re:Cool by iztehsux · · Score: 5, Funny

    Still got plenty of time before this afternoon to turn your college campus into a botnet!

  3. Re:This is why... by Anonymous Coward · · Score: 5, Funny

    Simple: Call up your ISP and make the correct noises. Real men don't use modems.

  4. Pretty serious by IceCreamGuy · · Score: 5, Informative

    I first saw this a couple days ago on the CERT bulletin, http://www.us-cert.gov/cas/bulletins/SB08-294.html, and http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4038, most serious vulnerability I've ever seen up there:

    Access Vector: Network exploitable
    Access Complexity: Low
    Authentication: Not required to exploit
    Impact Type: Provides administrator access, Allows complete confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service

    In other words: any idiot on your network can gain admin access to any attached Windows-based system with file-sharing enabled. I'm really glad that they're releasing an emergency patch for this, because that's a pretty fucking crazy description of an exploit, especially since it affects all versions of their last 10 years of operating systems.

  5. Re:This is why... by Lord+Pillage · · Score: 5, Funny

    Weren't you listening? He doesn't use computers therefore he doesn't have an account! Some people just don't get the logic in that...

    --
    try { Signature mysig = new CleverAttempt(); } catch(NonCleverSignatureException e) { postanyway(); }

  6. Re:Critical vs Important by quantumplacet · · Score: 5, Informative

    No, if you RTFA article, on newer versions the overflow will still work, but require authentication, making it Important. On older versions the exploit can work with no authentication making it Critical. Microsoft has always used this labeling convention for patches.

  7. Re:Critical vs Important by Narnie · · Score: 5, Funny

    The difference between XP and Vista will be a little pop up on Vista that will ask you if you want to run the RCP exploit n@5Ty.tr0g1n

    --
    greed@All_Evils:~#

  8. Sounds like a bad one by Drakkenmensch · · Score: 5, Interesting

    You know that a vulnerability is bad when Microsoft goes out of its regular patching cycle to hurry and plug the hole so quickly, instead of following their usual philosophy of saying "What are you talking about? There is no security hole in Windows!" and quietly patching it a few months later amidst a flood of innocuous driver updates.

  9. Re:FREEOWW!!! by Anonymous Coward · · Score: 5, Funny

    It's firewalls all the way down.

  10. Re:When is enough, enough? by jschottm · · Score: 5, Insightful

    Microsoft has had something like this occur regularly enough that I found myself already skipping to the next story without even reading the complete heading.

    Not any more they don't. This is the first major exploit for MS in several years that will enable trivial worm creation. The last notable one was Zotob in 2005, which was really comparatively minor - the last really big one was Sasser in 2004. Thus, this is important news.

    If you read the post slowly and actually acknowledge what it says, it's saying that ever since the incarnation of Windows elite hackers from Russia (or anywhere else) have been able to steal files on any machine with no problem.

    The same thing can be said about OpenSSL, BIND, Apache, Sendmail, Samba, and pretty much every major piece of software.

    The underground top hackers have exploits that they guard with top secrecy and keep in their box of tricks when nothing else "known" is working.

    That's why people who need to worry about top hackers also need to worry about defense in depth.

    I still cannot understand why major corporations run Windows of any version in enterprise server farms.

    Because it's non-trivial to completely switch platforms. Windows gained the desktop and office software marketshare and whether you think that MS did bad things to get there is irrelevant. Computers are simply a tool to most businesses. If the vast majority of the business software you need as a tool runs on one platform, you use that platform. And you develop your specific tools, generally for that platform. Thus, to support the desktop systems, you get the servers that support them.

    And while I don't use them, the integration of the server, database, and programming environment that Microsoft provides is an incredibly good value proposition for some companies. Other than perhaps IBM, no one else can offer that level of coordination for development and server tools.

    Microsoft never feels any repercussions of any of these incredible security holes. They don't even lose business over it!

    Microsoft has invested heavily in improving their security. Vista is a far more secure piece of software than XP was. And MS has lost business over it - that's part of why Linux and OS X have been able to penetrate the professional and home computer worlds.

    I am not a Microsoft fan but your statements don't really add anything to the dialog. Mindless MS bashing does no good.

  11. Re:Known about this for years by codepunk · · Score: 5, Insightful

    What may I ask does this have to do with a smb buffer overflow which is what this vulnerability is about? You know, like overwriting a fixed size buffer allowing one to perhaps overwrite a return pointer with a jmp esp. This in turn executing malicious code on the stack.

    I am sure that such an accomplished HaCkZ0r as yourself already knew this.

    --
    Got Code?

  12. Someone always clicks "allow". by argent · · Score: 5, Funny

    Because on Vista you get a prompt: "Your computer is being hacked. Cancel or Allow?"

    Windows Airlines:
    The terminal is very neat and clean, with security barriers every few meters. The attendants are attractive, even if it's kind of creepy how much they want to "help" (especially in the restrooms). The pilots are allegedly very capable, though nobody ever sees them and there's an armed guard by the cockpit door. The fleet of jets it operates are immense. Your jet takes off without a hitch, pushing above the clouds, and at 20,000 feet a message pops up on the seat back in front of you asking "Should this plane explode now?".

    Some idiot always answers "Yes".

  13. Re:Samba Interoperability? by Tawnos · · Score: 5, Insightful

    I suppose, by your logic, that Debian should ship with ssh turned off as well, because it had a hole. Sure, it would be convenient to have on your network, but you never know when the OSS community has been drinking from the cold frosty watercooler of fail. Sounds dumb when it's put that way, doesn't it?

    As for the "90% of users wouldn't need it anyway": [citation needed]. Even my parents and friends without a clue often need to use file sharing.

  14. Or maybe ... by Rhabarber · · Score: 5, Funny

    ... the bug was found on one of the interoperability fests:

    Samba Guy: Hey dude, look, when I open a connection _this way_ I get strange replies. There is nothing similar in the docs ...

    MS Interoperability Officer: Sir, the protocol is just too complex. I wouldn't care. How about putting little hearts into the password dialog, I don't like the asterisks, anyway.

    Samba Guy: Dude, come on, I want to understand how the stuff works...

    MS Interoperability Officer: Sir, hmm, must be part of a proprietary, essential, internal routine framework. It's in there since ages. The software works, we make billions from it.

    Samba Guy: But what does it do? Why do you need it?

    MS Interoperability Officer: Don't know. The guy who coded it left the company.

    Samba Guy: Can't we just call him?

    MS Interoperability Officer: Don't think so. He must be cleaning his Yacht somewhere near Tanzania right now.

    Samba Guy: Well dude, then let's see what's gonna happen if I keep going on...

    MS Interoperability Officer: Sir, I'm bored. I don't like your black console anyway. It feels so 50s.

    MS Interoperability Officer: Sir, I'm in the position to offer you a free trial for Microsoft Visual Studio 2009 with Ribbon TM included.

    Samba Guy: Look dude, I just got root on your machine.

    MS Interoperability Officer: Sir, which idiot gave you my password?

    Samba Guy: No password, dude. I just opened the connection, look here ...

    Samba Guy shows 4 lines of code.

    MS Interoperability Officer: Sir, please hold on, I need to call my chief security officer.

    MS Interoperability Officer talking on the phone (next door).

    Minutes later the door is opened violently. Gates and Ballmer enter the scene guarded by five NSA officers.

    Gates: Sir, I'm sorry, you found one of the many backdoors we built into all versions of Microsoft Windows TM released after 1999. I suppose you will perfectly understand that all algorithms concerning that matter are our intellectual property which is protected by American Law.

    NSA Officer (in monotone voice): Sir, I'll now use this Neutralizer TM device to erase your memories of the last twenty-four hours. You've never been in this building and you never knew about the federal data acquisition program.

    A bright flash of light gets emitted from the little device.

    Samba Guy: Shit, my eyes. What the fuck is wrong with you guys. That code is so freaking stupid. You can't be serious...

    Another NSA Officer (in aggressive voice): Shut up criminal bastard!

    First NSA Officer (in same monotone voice): Sir, you might have consumed a critical cumulative dose of THC during adolescence. The resulting altered brain circuitry is resistant to portable neutralizer devices. I'm sorry to inform you that you're temporarily arrested under federal law.

    Samba Guy: Bull shit, you have no idea what you're talking about. Look I've got a hook running that sends every command I type on the console directly to twitter. Everybody does it, it's lots of fun. Nothing I do is secret. I believe in sharing of ideas.

    Ballmer (in rage): Motherfucking communists ... this is why fucking America is all that fucked up ... how the fuck should we ever control that fucking mob ... fuck!

    Ballmer, well, throws chairs.

    Gates (calling the still governing president of the United States): My president, sir, I'm sorry to inform you, due to certain circumstances, details concerning the federal data acquisition program might just have been leaked to the public.

    Samba Guy: Hey dude, the story is already on digg. I think you should issue a patch before it is on slashdot.

    Curtain gets drawn, applause.

    Off stage voice: Thank you ladies and gentlemen. Please don't forget to visit windowsupdates.microsoft.com

  15. Re:Security administration? by Anonymous Coward · · Score: 5, Interesting

    it really aggravates me when people say that AD=LDAP. LDAP is the protocol used to access AD, and then beyond that there is the actual Active Directory system, which is way fucking more than just an LDAP server.

    I agree. LDAP is a protocol; AD is an LDAP-capable directory. A very weak, vendor-locked, OS-version-specific, poorly performing directory that in many ways compensates for corresponding weaknesses in the Windows OS, so that together AD and Windows add up to a reasonably usable system, almost as capable as a standards-compliant system.

    If that sounds like a troll or flamebait it's certainly not meant to be. It's just an honest appraisal - I've worked with directories since the late 80s, and AD is not a particularly good example of a directory since it is so specialized for dealing with MS-windows problems that other platforms don't necessarily have (they have completely other problems, of course).

    I have around 600 systems running from OpenLDAP these days. Most of these are windows desktops that think they are talking to AD, but I've also got HP-UX, Solaris, 3 flavors of linux, a single mac, and we used to have AIX too. All running from a single, massively replicated OpenLDAP directory that requires far less maintenance and hardware than AD does.

    So yes, you're quite right. AD is much more than an LDAP server. It's an enterprise directory, and may someday evolve into a good one... it's still a young product and has a lot of catching up to do before it can compete with eDirectory.

  16. Re:Useless Windows Update by Anonymous Coward · · Score: 5, Informative

  17. Re:Samba Interoperability? by atraintocry · · Score: 5, Insightful

    Most of us "muppets" are happy to block 139 and its cousins at the firewall and be done with it. It's a LAN service. Assuming your network is secure from the outside, you can have your cake and eat it too.

    If in your paranoia you somehow neglected to secure your WLAN, you *do* need to worry about this.

    Either way, shutting off useful parts of the OS because you're afraid of an exploit is more cargo cult thinking than paranoid thinking. If you can't tell at any given time who's on your LAN, you need to get that under control. No OS is immune to the workings of a bad administrator.

    I see your later post is an example of the "no true scotsman" fallacy. Plenty of people with a clue use windows file sharing, because they know what's going on in their network and at what layer(s) their security needs to be applied. People who have a clue avoid the "I automatically do X because Y is automatically bad" approach.

    I happen to be of the opinion that open source software is more secure by virtue of its openness, which is an opinion that not everyone here shares. But that doesn't mean that I refuse to use Windows file sharing because it may or may not have an exploit. Again, this is not critical if every Tom/Dick/Harry isn't hanging out on your LAN, (or you aren't at a college, hotel or what have you). That said, this *is* ridiculous on MS's part and I have this update deadlined right now.