Attack Code Found For Recent Windows Bug

← Back to Stories (view on slashdot.org)

Attack Code Found For Recent Windows Bug

Posted by Soulskill on Tuesday October 28, 2008 @10:23AM from the oh-by-the-way dept.

CWmike writes "Just a day after downplaying the vulnerability that caused it to issue an out-of-cycle patch last week, Microsoft warned customers late yesterday that exploit code had gone public and was being used in additional attacks. 'We've identified the public availability of exploit code that now shows code execution for the vulnerability addressed by MS08-067,' said Mike Reavey, operations manager of Microsoft's Security Response Center, in a post to the MSRC blog. 'This exploit code has been shown to result in remote code execution on Windows Server 2003, Windows XP, and Windows 2000.'"

137 of 184 comments (clear)

Min score:

Reason:

Sort:

Hmmm... by Anonymous Coward · 2008-10-28 10:26 · Score: 2, Funny

Lets see, perpetually vulnerable-to-script-kiddies Windows XP, or locks-up-every-5-seconds Ubuntu?
1. Re:Hmmm... by cheater512 · 2008-10-28 10:53 · Score: 1, Interesting
  
  Wikipedia seems to think that its a good idea. :P
2. Re:Hmmm... by Anonymous Coward · 2008-10-28 11:01 · Score: 2, Insightful
  
  Locks up every 5 seconds? What do you mean? What kind of computer are you using? Have you submitted a bug report?
3. Re:Hmmm... by Anonymous Coward · 2008-10-28 11:07 · Score: 3, Insightful
  
  Seriously, Insightful?
4. Re:Hmmm... by daeg · 2008-10-28 11:13 · Score: 4, Funny
  
  Well, to be fair, their discussion took place on Wiki pages, so it was either Ubuntu 8.04 or HAHAHHAYOUSUCKCOCKS.
5. Re:Hmmm... by Larryish · 2008-10-28 11:14 · Score: 1
  
  ubuntu 7.10 is pretty stable these days, and 8.04 isn't giving much trouble either
6. Re:Hmmm... by Anonymous Coward · 2008-10-28 11:31 · Score: 4, Funny
  
  Who the fuck runs windows on a server? Context man, context!
  There, fixed it for you.
7. Re:Hmmm... by Dogtanian · 2008-10-28 11:45 · Score: 5, Funny
  
  Well, to be fair, their discussion took place on Wiki pages, so it was either Ubuntu 8.04 or HAHAHHAYOUSUCKCOCKS.
  Yeah, I can see that some 13 year old vandal might think that it was funny to replace "Red Hat Enterprise Linux 5.2" with something silly like, er... "Ubuntu 8.04" ;-)
  
  BTW, HAHAHHAYOUSUCKCOCKS 2.06 is a fine server distro and I won't hear a word against it.
  
  --
  "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
8. Re:Hmmm... by Venik · 2008-10-28 11:59 · Score: 4, Insightful
  
  Why should anyone bother submitting a bug report? If it's a minor issue and I have a workaround - sure, I'll submit a bug report. But if a system is completely unusable with Ubuntu, I will better spend my time finding a working alternative. Having said that, as a Unix sysadmin I have nothing against Ubuntu, other than using it on a server is not the best idea: there are many far more stable alternatives. The problem with most Linux aficionados out there is that few of them worked in a real production environment of a big datacenter. These guys may know how to configure Apache and MySQL on their Ubuntu PC, but they don't see a difference between getting something to work and getting it to be fast and reliable under constant heavy load.
9. Re:Hmmm... by Meumeu · 2008-10-28 12:23 · Score: 1
  
  Because thats irrelevant in a server environment.
  Ubuntu's main target is the desktop, not the server...
10. Re:Hmmm... by rikkards · 2008-10-28 13:12 · Score: 2, Informative
  
  That plus the wireless network card drops randomly. The message in dmesg is that it can't find the AP so it assumes it is gone. Restarting the networking fixes it.
11. Re:Hmmm... by markkezner · 2008-10-28 13:32 · Score: 1
  
  If you're having lock-ups that badly, you have a either a hardware problem or a driver problem. My guess is it's a restricted driver causing your issue.
  
  --
  Dangerous, sexy, turing complete: Femme Bots
12. Re:Hmmm... by notdotcom.com · 2008-10-28 13:46 · Score: 1
  
  If I had mod points, I would mod this up... ...Especially because I'm running HAHAHHAYOUSUCKCOCKS 1.8 and need to upgrade.
  Thanks for the reminder.
  
  --
  Grandpa: My Homer is not a communist. He may be a liar, a pig, an idiot, a communist, but he is not a porn star.
13. Re:Hmmm... by CrazedWalrus · 2008-10-28 14:55 · Score: 4, Insightful
  
  But it does make a damn fine server. The software is reasonably up to date, the administration is dead-simple, and I'm already familiar with it from my desktops.
  I've got other things to concentrate on besides server administration -- like coding my project management and billing system, or working for my clients so I have something to bill them for. Ubuntu makes that easy for me.
  I've recently vetted Slackware, Debian (stable), and Ubuntu Server 7.04, and settled on the latter because it strikes the balance I need between stability and up to date software. You may legitimately disagree with my choice, but I have my reasons and I'm sure you have yours. Most Linuxes make great servers, so it's really choosing your favorite incarnation of "awesome."
14. Re:Hmmm... by jimmyhat3939 · 2008-10-28 15:06 · Score: 3, Interesting
  
  I've run Ubuntu on a Dell Inspiron 9400 laptop for over a year without a single lockup.
  Now, I also run VirtualBox and Windows XP under that. *That* has locked up several times. So if that's what you mean, I agree.
  
  --
  Free Conference Call -- No Spam, High Quality
15. Re:Hmmm... by DiegoBravo · 2008-10-28 15:19 · Score: 2, Insightful
  
  I also worked as Unix sysadmin for several years (but no longer... I love to sleep all night long) and from my experience:
  1) Most "big datacenters" have several key servers that are really unstable despite being Unix(tm), mostly because of evil combinations of HW/Applications/OS (patches and more patches from Oracle, NUMA configurations, etc)... as happens with any Linux.
  2) Most servers in datacenters are 99% idle, except when silly programmers try to execute infinite pooling loops or that sort of things. There is a myth (now banishing) that you need a real Unix of >100K$ to do the real work; think of the price of Sun's.
  So apart from their trash PC hardware, I believe those kids with LAMP systems do really know a bit on stability and heavy load (think of /.)
16. Re:Hmmm... by darkpixel2k · 2008-10-28 16:26 · Score: 3, Funny
  
  You may legitimately disagree with my choice, but I have my reasons and I'm sure you have yours. Most Linuxes make great servers, so it's really choosing your favorite incarnation of "awesome."
  
  Damnit! Stop doing that. Your job on Slashdot is to perpetuate the holy OS wars. If you start to lose an argument based in 'nuh uh, yeah huh' then immediately question the person's choice of vi verses emacs.
  
  Never EVER admit that something may come down to personal preference unless you are willing to follow it up by blatantly trashing said person's personal preference by calling them 'dumb' or 'retarded'. Finally, if you are totally and completely losing the argument, link to final irrefutable proof: like this
  
  --
  There's no place like ::1 (I've completed my transition to IPv6)
17. Re:Hmmm... by CrazedWalrus · 2008-10-28 17:08 · Score: 1
  
  The only dumb or retarded thing I've seen in this thread is someone threatening to go to BSD because I chose Ubuntu Server. I guess it affects their life in some cosmic butterfly way.
  Seriously though, I'm a little sick of the infighting. I don't bitch about using Red Hat, even though it's not typically my first choice. I'm just happy as hell to be using Linux.
  Besides, most orgs I've been in (big ones) start off with something like RHEL, but then customize it so heavily that it's barely recognizable anyway. Morgan Stanley even put together their own distro called Aurora Linux, though I think it might be defunct now. I haven't worked there in several years, but they had one hell of an environment -- based loosely on Red Hat if I remember -- but so heavily "Morganized" that it was effectively a new distribution by the time they were done with it.
18. Re:Hmmm... by Anonymous Coward · 2008-10-28 18:23 · Score: 1, Interesting
  
  Open source projects are the worst when it come to fixing problems. Nothing but a bunch of arrogant (not that they are skilled enough to truly be) developers who refuse to believe that anything they worked on has a problem.
  Firefox memory leak - check
  GIMP poor user interface - check
  Pidgin forced size chatbox - check
  Ubuntu general instability - check
  There are plenty of other examples, but those are some of the most prominent and they still have yet to be fixed.
19. Re:Hmmm... by Venik · 2008-10-28 19:06 · Score: 2, Informative
  
  I don't know where you work, but unstable servers are usually a result of poor planning by system architects, insufficient funding, or inexperienced sysadmins. If I had any servers that were continuously unstable for the reasons you listed, I would lose my job. Sometimes you do have to support a system that has been outgrown by its users and applications, but there is no funding to get an upgrade and so you have to make do. This would be a valid reason for system instability. But to say that the server is crashing all the time because you installed all kinds of garbage on it without first doing the necessary checking and testing - just because some software vendor released a patch - is simply an admission of incompetence or just plain laziness. Most servers I work with are high-performance computing boxes used for CFD, FEM and other HPC tasks. Believe me, these systems run at full capacity most of the time. This is why you need these operating systems and this is why these machines cost so much. And your point of view is a perfect illustration of what I wrote in the previous post.
20. Re:Hmmm... by wisty · 2008-10-28 22:11 · Score: 1
  
  Inexperienced sysadmins? Why do sysadmins need experience? Don't your sysadmins get formal and on the job training and career development? Oh, I crack me up.
21. Re:Hmmm... by Splab · 2008-10-28 23:16 · Score: 2, Insightful
  
  Yeah, blame it on closed source.
  You probably need to get some counseling on your fetish for open source when you with absolutely no evidence of restricted drivers even being present on said system starts blaming them.
22. Re:Hmmm... by isorox · 2008-10-28 23:23 · Score: 1
  
  But it does make a damn fine server. The software is reasonably up to date, the administration is dead-simple, and I'm already familiar with it from my desktops.
  Where I work, we're not a computer company. We are a media company. We tend to employ engineers on their ability to do video and audio. This is slowly changing, however if we employ any engineers with linux experience, it's likely to be Ubuntu. Proper unix people should be able to adapt, otherwise they aren't linux people, they're [redhat|suse|solaris|whatever] people, and I'm not interested.
  
  I've recently vetted Slackware, Debian (stable), and Ubuntu Server 7.04, and settled on the latter
  7.04 went end of life 10 days ago. I assume you mean 8.04?
  
  Most Linuxes make great servers, so it's really choosing your favorite incarnation of "awesome."
  They all run the same code, it's the administration that's different.
23. Re:Hmmm... by petermgreen · 2008-10-28 23:25 · Score: 1
  
  Ubuntu Server 7.04
  You do realise that release stopped getting security updates 10 days ago right?
  
  --
  note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
24. Re:Hmmm... by CrazedWalrus · 2008-10-28 23:32 · Score: 1
  
  You're right - 8.04. My bad. It'd be nice if I could edit my post, but...
25. Re:Hmmm... by marcosdumay · 2008-10-29 00:15 · Score: 1
  
  Well, you probably don't use a Debian based distro too much. To get a stable reasonably secure (known bugs out, most common DoS attacks out) and fast for the most common situations, you simply "aptitude install apache2".
  If you have a less common situation, you may want a different apache2 package, there are some other ones that differ on the configurations. Now, when you have a completely unusual situation, then you'll need to mess with apache configuration or maybe even compilation, but don't assume that an instalation is unreliable or slow just because the admin didn't work hard on it.
  
  --
  Rethinking email
26. Re:Hmmm... by fprintf · 2008-10-29 00:34 · Score: 2, Insightful
  
  "XXXX has ruined Linux" is what they said when RedHat was king of the distros, when SuSE YAST made setting up a Linux box a snap, when Mandrake was getting popular and folks will continue to do so.
  If you feel it is time to install FreeBSD or OpenSolaris, go ahead. No one is stopping you, and there is no need to cry to the rest of us about your ruined Linux.
  
  --
  This post brought to you by your friendly neighborhood MBA.
27. Re:Hmmm... by DiegoBravo · 2008-10-29 00:45 · Score: 1
  
  >>I don't know where you work, but unstable servers are usually a result of poor planning by system architects, insufficient funding, or inexperienced sysadmins
  Well, just to add some data, I used to work in telco systems where we have to support several heterogeneous software from different vendors that "certify" its product for several Unix configurations (and databases), so supposedly they do some of the planning ahead (note that they also have to develop several country-specific -i.e. mostly unplanned- customizations.) The rest of the decisions comes from our "architecture staff" but there are also some key "regional corporate decisions" on the brands. Most of the time the difficult problems were passed to the Unix vendors (they usually came with customer-specific-patches), so we also shared the sysadmin duties.
  Sadly in that environment it is difficult to do all the logical things you say, and you end just testing the configurations in a rush some weeks before passing to production. And before you get the desired % of uptime, you get a new generation of software/hardware that you *MUST* apply because of the fast moving "business requirements" (you know, the sector was growing in the last years, as mobile technology is being created all the time.)
  Interestingly, the more stable equipment was our internet-related RedHat machines (maybe since about the .com-crash there was not many changes in that front, at least for us.)
28. Re:Hmmm... by hesaigo999ca · 2008-10-29 00:48 · Score: 1
  
  Relpace VirtualBox with VMWare free as in beer....and you are good to go.
29. Re:Hmmm... by CheShACat · 2008-10-29 02:25 · Score: 1
  
  Can you point me to any other free .deb based distro that is officially supported by VMWare? Heck, can you even point me to another .deb based distro, free or not, that is officially supported by VMWare?
  
  --
  CheShA: Manchester Breakcore / Drill and Bass Yes I'm a s
30. Re:Hmmm... by CheShACat · 2008-10-29 02:28 · Score: 1
  
  You chose an unstable (7.04) release of Ubuntu for a server? I'm all behind Ubuntu servers but you should definitely be using a stable (LTS) release for a production system.
  
  --
  CheShA: Manchester Breakcore / Drill and Bass Yes I'm a s
31. Re:Hmmm... by CheShACat · 2008-10-29 02:40 · Score: 2, Insightful
  
  I really don't understand this "n00buntu" mentality. There's nothing stopping you from manually installing Ubuntu by bootstrapping your disks and installing minimal packages then building your own sleek build on top. There's nothing stopping you from doing all your setup and administration in vi. There's nothing stopping you from compiling your kernel and all your apps from source.... You just don't have to, and you get to take advantage of the largest package repos in the Linux world at the minute (I think, but am prepared to be corrected...), and use an enterprise class, business supported Debian OS for free.
  
  --
  CheShA: Manchester Breakcore / Drill and Bass Yes I'm a s
32. Re:Hmmm... by CrazedWalrus · 2008-10-29 03:39 · Score: 1
  
  No - as I mentioned to another comment above, I misspoke. It's 8.04.
33. Re:Hmmm... by BrokenHalo · 2008-10-29 03:48 · Score: 1
  
  Who the fuck runs ubuntu on a server? Context man, context!
  
  Actually, it seems a (to me) distressing number of people do, including my university.
  
  I don't necessarily have a problem with Ubuntu per se (I don't happen to personally like it, but that's another subject) but it is primarily a desktop distribution, and I don't see it as a real server candidate.
  
  OK, if I am asked to name names and say what I do consider such a candidate, at the top of my list would be Slackware or Arch Linux.
34. Re:Hmmm... by wanderingknight · 2008-10-29 07:11 · Score: 1
  
  Whoops, meant to rate funny.
  
  Sorry about that.
Another out-of-cycle patch is coming, right? by Thundercross · 2008-10-28 10:32 · Score: 1, Insightful

Time to set Windows to automatically reboot my computer without my permission.
1. Re:Another out-of-cycle patch is coming, right? by TubeSteak · 2008-10-28 10:48 · Score: 5, Informative
  
  No, this is the same exploit we talked about before.
  If you patched on the 23rd, you should be fine.
  
  --
  [Fuck Beta]
  o0t!
2. Re:Another out-of-cycle patch is coming, right? by gparent · 2008-10-28 12:19 · Score: 2, Informative
  
  So you mean giving it permission, right? Thought so.
Hotpatching by nmb3000 · 2008-10-28 10:37 · Score: 5, Insightful

For those interested, there was a really cool hack of hotpatching the files and services that are affected by this exploit. The Microsoft patch isn't designed to be hotpatched, instead requiring a reboot to replace the needed files. However, by using a binary diff and DLL injection you can apply the patch on the fly without rebooting.
I wish Microsoft would put more effort into making the official patches not require a reboot. Consumer operating systems are one thing, but rebooting Windows servers gets annoying really fast.

--
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
/)
1. Re:Hotpatching by TubeSteak · 2008-10-28 10:50 · Score: 4, Insightful
  
  However, by using a binary diff and DLL injection you can apply the patch on the fly without rebooting.
  Is that something you would want to do on a production server?
  And if you were MS, is that something you would want to support?
  
  --
  [Fuck Beta]
  o0t!
2. Re:Hotpatching by cheater512 · 2008-10-28 10:57 · Score: 2, Informative
  
  Just switch to Linux servers instead.
  The ability to not require rebooting for years comes as standard. :)
  Downtime due to upgrades is limited to how fast you can restart the app.
  You can swap the files while its still running, then just restart it.
3. Re:Hotpatching by Dr+Caleb · 2008-10-28 10:57 · Score: 3, Interesting
  
  >And if you were MS, is that something you would want to support?
  If you were MS, and wanted to brag about 5 Nines uptime, wouldn't you design the patch so you didn't have to reboot production servers once a month?
  Glad I spent all weekend patching, now that the exploit has escaped.
  
  --
  "History doesn't repeat itself, but it does rhyme." Mark Twain
4. Re:Hotpatching by vux984 · 2008-10-28 11:16 · Score: 4, Interesting
  
  If you were MS, and wanted to brag about 5 Nines uptime, wouldn't you design the patch so you didn't have to reboot production servers once a month?
  5 nines is ~5.3 minutes downtime per year
  You don't acheive that with a single Linux box either, unless you simply aren't keeping it up to date, even if you manage to avoid 'rebooting it' you are still going to have serious trouble reliably preventing 'unavailability of services' from reaching 5.3 minutes over a year.
  It takes either a mainframe or a cluster to reach 5 9's with any reliability. Windows doesn't run on a mainframe, and if you have cluster, a few scheduled reboots now and then don't result in any downtime, since you don't have to bring the entire cluster down.
  So your argument really doesn't apply.
5. Re:Hotpatching by thatskinnyguy · 2008-10-28 11:18 · Score: 1
  
  Me: Did you shut down the server?
  Other Tech: Nope. I thought you did it. Now I can't get to the internet.
  Me: Son of a bitch... Automatic Updates again... it needs a power-off and then cold start to work.
  *15 minutes later*
  Me: Where the hell are the backup tapes?
  Other Tech: I have no fucking clue. What the hell did you do?
  Me: I learned to never trust automatic updates. That said, I have a resume` to refresh.
  Other Tech: But nothing is working still.
  Me: Your problem now.
  *2 minutes later*
  Me: I can't even log on! The fucking AD server is down!
  
  --
  The game.
6. Re:Hotpatching by MostAwesomeDude · 2008-10-28 11:22 · Score: 2, Interesting
  
  No, I've managed to have a single Linux box reach 99.999%. It's mostly a matter of not updating the kernel; everything else can be upgraded monthly with ~15 seconds downtime, for an average of ~3 minutes annually.
  
  --
  ~ C.
7. Re:Hotpatching by Chirs · 2008-10-28 11:31 · Score: 1
  
  Actually, yes. The company I work for has spent a fair amount of resources to enable safe patching of running binaries. When you're aiming for 99.999% uptime and better, rebooting to apply a patch is suboptimal.
8. Re:Hotpatching by vux984 · 2008-10-28 11:58 · Score: 5, Insightful
  
  No, I've managed to have a single Linux box reach 99.999%
  "Managed to have"? You are talking about 5 9's as something that you can reach. People who demand 5 9's consider that the minimum they will accept. They don't want systems that can reach 5 9's they want systems guaranteed not to be less than 5 9's. That's a HUGE difference.
  So if we sign an SLA, how certain should I be that you can deliver 5 9's? ... From one box? Not very.
  That fact that you might 'manage it' simply isn't good enough. What happens when a piece of hardware fails? or if an update doesn't go smoothly? With a single box you have no contingency and 5 minutes to resolve any problems and perform any updates that might be needed for the entire year.
  My point stands: anyone serious about delivering 5 9's simply isn't using a single box, because you simply can't depend on it. MAYBE you'll get 5 9's out of it, but getting 5 9's from a single box is like winning a prize from a scratch and win. Its not exactly a miracle, but its hardly something you can rely on.
  Hell, even promising 4 9's from a single box is taking on some heavy risk. It's not hard to envision an unexpected hour of downtime on a box over the course of a year.
9. Re:Hotpatching by caluml · 2008-10-28 12:50 · Score: 4, Funny
  
  My current longest uptime:
  
  $ uptime ; uname -r 00:49:19 up 1222 days, 14:09, 1 user, load average: 0.00, 0.00, 0.00 2.6.11-hardened-r14
  
  Yeah, it doesn't actually do much. Just lets me win willy-waving matches.
  
  --
  Get your own free personal location tracker
10. Re:Hotpatching by DamnStupidElf · 2008-10-28 13:05 · Score: 3, Informative
  
  Come on, it's dead simple and it's safe. Just install a page fault handler and mark all the pages of the DLL as being unavailable, examine the current thread state of all processes and mark them if they are currently executing in the unavaiable pages, and if so simply return success from the page fault handler until the thread leaves the locked region (essentially single step through the DLL until it finally returns to the caller). If a thread was not originally executing in the protected pages and enters it, just stall it. Once all threads are stalled or not accessing the locked pages, patch the DLL and mark the pages available and uninstall the page fault handler.
  What could possibly go wrong? Only if the data structures that the DLL uses internally are modified will this be difficult, in which case the patched DLL will just have to convert its own data during the patch time. If changes to user data structures are required, then the patched DLL would have to burn some space in each new data structure to identify it as a patched version and treat it appropriately, while detecting the old data structures reliably. That might be a little harder than the general case, but not impossible.
  Is getting 0wned something you would want to happen on a production server that can't have downtime?
11. Re:Hotpatching by stim · 2008-10-28 13:14 · Score: 1
  
  And an impressive willy i might add.
  
  --
  Browse at -1 to keep an eye out for abuses.
12. Re:Hotpatching by Darkness404 · 2008-10-28 13:40 · Score: 1
  
  What would be smart for Windows to do is to not randomly reboot. For example, I was asked to run a PowerPoint presentation at a funeral. No problems there, except the laptop was running Vista, midway through the presentation the computer showed "Logging Off" and the computer rebooted. Naturally, there wasn't anything I could do about it, I rebooted the thing and it ran mostly smoothly the rest of the way, but seriously MS, by default don't reboot I don't care if its a patch that if not applied it can turn your computer into a script kiddy's toy, I care that my computer doesn't randomly shut down (but then again, I run Linux :))
  
  --
  Taxation is legalized theft, no more, no less.
13. Re:Hotpatching by ozphx · 2008-10-28 13:56 · Score: 1
  
  Your company sucks.
  If taking a single node down is going to unacceptably increase your risk, then you are in the realms of "trying for 5 nines", and not "guaranteeing 5 nines".
  The risk of corrupting process state is going to be a hell of a lot worse than a reboot, and the cost another node is going to be less than a "fair amount of resources".
  
  --
  3laws: No freebies, no backsies, GTFO.
14. Re:Hotpatching by andreyvul · 2008-10-28 13:59 · Score: 1
  
  AC Linux uptime pissing match is now over.
  
  --
  proud caffeine whore
15. Re:Hotpatching by sleeponthemic · 2008-10-28 14:47 · Score: 5, Funny
  
  Oh yeah? Well, uh, nyah.
  
  $ uptime ; uname -r 00:40:23 up 1222 days, 14:10, 1 user, load average: 0.00, 0.00, 0.00 2.6.11-hardened-r14
  You made that post 51 minutes after he did.
  
  So close, but forever in his shadow :-)
  
  --
  I record my sleeptalking
16. Re:Hotpatching by tlhIngan · 2008-10-28 15:43 · Score: 2, Insightful
  
  What would be smart for Windows to do is to not randomly reboot. For example, I was asked to run a PowerPoint presentation at a funeral. No problems there, except the laptop was running Vista, midway through the presentation the computer showed "Logging Off" and the computer rebooted. Naturally, there wasn't anything I could do about it, I rebooted the thing and it ran mostly smoothly the rest of the way, but seriously MS, by default don't reboot I don't care if its a patch that if not applied it can turn your computer into a script kiddy's toy, I care that my computer doesn't randomly shut down (but then again, I run Linux :))
  Upgrade your software. Seriously, if you're a business, you shouldn't be using Home versions of the software.
  The HOME versions of XP and Vista (XP Home, Vista Home Basic, Vista Home Premium) do this automatically. Supposedly there's a way around it with some registry hacking, but I've never bothered. You get around 5 minutes from when the dialog pops up to hit the "Reboot later" button, which just silences it for another 5 minutes.
  Windows XP Pro, Vista Business, Vista Enterprise, and Vista Ultimate pop up a dialog asking you to reboot, but they won't force the nasty cannot-save-force-quits-everything reboot. Considering what you get, the only reason to use the Home versions for work is if work is too cheap to get you a laptop and you use your own. The price difference between Home Premium and Business isn't that much, and will be made up in not having your computer reboot unexpectedly on you.
17. Re:Hotpatching by mlts · 2008-10-28 15:47 · Score: 1
  
  Actually, in production critical environments, they go through a staging process where they try a patch on a test box or two, then put the patch (even if its an out of band emergency fix) on a WSUS server that the production boxes update from.
  This is very important. I've seen 0.01 revisions for firmware for a hardware issue which are just relatively small fixes to install make terabytes of data inaccessible until the machine was backed off and restored... and a production machine being down for 7 hours usually means that a sysadmin is going to be fired.
  A small business with an Exchange server, SMB server, and a SQL box as a Web backend, its OK to let it update and reboot off of Windows update. Once you get into 24/7 server rooms with 3+ nines uptime, there is no way in Hell you would ever let a machine patch unless someone was there babysitting it, there was a plan to reverse the changes (system restore is not it), the patches were tried and certified in house, and they patches were put on a secure server.
18. Re:Hotpatching by mlts · 2008-10-28 16:21 · Score: 1
  
  If someone is promising a high quality SLA, they almost never will be using one box for their offerings. They will be using two or more machines connected via redundant disk controllers to a common SAN or disk array, and all the boxes will be connected to each other via heartbeat monitors.
  The good thing, both VMWare and Hyper-V in Windows Server 2008 help make this task a bit easier, by allowing for a virtual machine to be hosted on a cluster, so if the primary machine fails, the others can take over without missing a step.
  For five nines, everything needs to be redundant, from different sets of wires coming in the building so a backhoe doesn't cut everything in one swipe, to multiple power trunks connecting to a machine's redundant power supplies (no "Y" cables), so on and so forth. Some IBM machines even use 2-3 CPUs executing the same task at a time so if one of them glitches on a calculation, the machine can be failed down and a backup take over. A lot of companies even have different hot spare locations, where they mirror their disk I/O over dedicated fiber channel over IP connections.
  Uptime is all about planning. You can get lucky... but Murphy rules the roost here, and you don't want to have a signed agreement saying you have 5 nines, then some drunk causes the agreement to be violated because he got into your data center and mashed the Big Red Button, EPO-ing not just your machines, but your business.
19. Re:Hotpatching by darkpixel2k · 2008-10-28 17:06 · Score: 1
  
  5 nines is ~5.3 minutes downtime per year
  You don't acheive that with a single Linux box either
  Wow--5.3 minutes per year? Shit--that's like 8 reboots on my linux box...
  
  Even though they release kernel updates for my distro about once per month, most of them involve being a local user to exploit some strange privilege in some strange area of the kernel that I don't use--and I don't have local user accounts except for root and a few services like maybe mail, dns, and/or possibly apache. So once you take out all the updates that aren't remotely exploitable, I end up with about 3 reboots per year--and those take under 1 minute before I'm back in operation.
  
  That beats five 9's.
  
  I've never touched Vista or Windows Server 2008...how long do they take to boot on something like an Intel 2.4 GHz machine w/ 1 GB RAM? (I mean boot fully, and have IIS, SQL, etc.. started?)
  
  --
  There's no place like ::1 (I've completed my transition to IPv6)
20. Re:Hotpatching by darkpixel2k · 2008-10-28 17:10 · Score: 1
  
  Oh yeah? Well, uh, nyah.
  
  $ uptime ; uname -r 00:40:23 up 1222 days, 14:10, 1 user, load average: 0.00, 0.00, 0.00 2.6.11-hardened-r14
  You made that post 51 minutes after he did. So close, but forever in his shadow :-)
  ...unless of course one were to find out where he lived and take a blunt object to his electrical panel...
  
  --
  There's no place like ::1 (I've completed my transition to IPv6)
21. Re:Hotpatching by Splab · 2008-10-28 23:19 · Score: 1
  
  You have no idea what 5 9's are all about if you think that one box can handle it.
22. Re:Hotpatching by Atzanteol · 2008-10-29 00:32 · Score: 1
  
  And when you upgrade glibc, how do you ensure *everything* is rebooted to use the new one?
  
  --
  "Ignorance more frequently begets confidence than does knowledge"
  
  - Charles Darwin
23. Re:Hotpatching by hesaigo999ca · 2008-10-29 00:49 · Score: 1
  
  M$ does not do REAL clusters like Linux does though...
24. Re:Hotpatching by jcookeman · 2008-10-29 01:23 · Score: 1
  
  Bollocks. Many of my RHEL servers have 0 downtime for 365 days. I can keep the entire server up to date without rebooting in almost all circumstances bar major libc or kernel updates. There are very few and far between remote kernel exploits. Almost all of them are local and easily mitigated.
25. Re:Hotpatching by fast+turtle · 2008-10-29 03:04 · Score: 1
  
  Well Here's mine and I'm running F@h using the 64bit smp
  Uptime; 08:00:22 up 21 days, 16:49, 3 users, load average: 1.08, 1.08, 1.07
  Of course its only been up for 21 days due to power outages (last one was for 5 hours, which is why I'm planning a Solar Backup system
  
  --
  Mod me up/Mod me down: I wont frown as I've no crown
26. Re:Hotpatching by vux984 · 2008-10-29 04:08 · Score: 1
  
  Saying the software is no better or worse because the package as a whole is no better or worse is a pointless argument. The weakest link in that set is the infrastructure (depending on how the SLA defines it) followed by the hardware.
  Which is why you have redundant infrastructure and redundant hardware. Pretty much by definition you can't achieve 5 9's on a single box, because the box itself can't achieve 5 9's. (A mainframe doesn't count as a single box here, because its got all the redundancy built in.)
  So at the end of the day, your OS should be a negligible factor in your SLA. In terms of availability, it shouldn't even come up in the discussion.
  Your OS is what enables you to effectively use that redundancy, it's what allows clustering, replication, load balancing, automatic failover, etc. This is -how- the average shop achieves 5 9's.
  When an OS vendor wants to talk about how its being used in a 5 9's shop, this is what they are talking about.
  I have had personal BSD and Linux boxes that have run endlessly for more than a year, multiple times, and only rebooted due to 4+ hour power outages.
  Stopping a service, updating, and starting it again isn't really that much better than rebooting. Its a bit faster, sure, and that's a good thing, but bragging about the uptime of the OS is irrelevant if the service is still down.
  *nix definitely has an edge and I'm not making excuses for windows, but at the same time I know of lots of *nix admins who had a problem after an apache update that took hours to sort out, who still brag about their 'uptime' numbers, as if the fact that they didn't have to 'reboot' is somehow relevant to people trying to use the web site.
27. Re:Hotpatching by thatskinnyguy · 2008-10-29 04:39 · Score: 1
  
  Wouldn't matter if the DNS cluster is stuck trying to restart.
  
  --
  The game.
28. Re:Hotpatching by cheater512 · 2008-10-29 10:29 · Score: 1
  
  Thats trickier, but its *FAR* better than having to reboot because IE has a little security flaw.
29. Re:Hotpatching by unleashedgamers · 2008-10-29 11:49 · Score: 1
  
  Not very hard with a server load of 0.00
30. Re:Hotpatching by darkpixel2k · 2008-10-29 14:34 · Score: 1
  
  You have no idea what 5 9's are all about if you think that one box can handle it.
  Yeah, I do know what 5 9's are all about.
  You could do it with one box--but you'd have to be damn lucky.
  
  The point I was trying to make is that I have a handful of linux boxes at various client sites doing things like intranets, spam filtering, IM servers, etc...most of them have 5 9's of uptime BY ACCIDENT. It's not like I'm promising the clients 5 9's of uptime or anything--I just maintain the box and it gets it. Sure, one of these days a drive will fail, and my response time will be 30 minutes or so, and my stats will be gone.
  
  I never get that on a Windows box. Ever.
  Not even if I'm trying.
  
  --
  There's no place like ::1 (I've completed my transition to IPv6)
31. Re:Hotpatching by Allador · 2008-10-29 14:35 · Score: 1
  
  There is not a mechanism for this to happen in windows unless you (or your sa's) specifically configured it to do so.
  So this wasnt MS doing anything to you ... this is you setting something to happen and forgetting that you did so, or your SA's setting it to happen.
32. Re:Hotpatching by Darkness404 · 2008-10-29 14:56 · Score: 1
  
  Upgrade your software. Seriously, if you're a business, you shouldn't be using Home versions of the software.
  
  A) It wasn't business, I was doing it for a friend because I was the only mildly technically inclined person she knew, B) it wasn't my laptop (otherwise it would be running Ubuntu) and I wasn't really given much of a choice to use a different laptop but then again I didn't think that Windows would randomly restart (haven't been an admin of a Windows box for ~3 years, done some work for work on an XP box but wasn't admin and do a bit of VM with XP every now and then)
  
  The HOME versions of XP and Vista (XP Home, Vista Home Basic, Vista Home Premium) do this automatically. Supposedly there's a way around it with some registry hacking, but I've never bothered. You get around 5 minutes from when the dialog pops up to hit the "Reboot later" button, which just silences it for another 5 minutes.
  
  And who thought this to be a good idea? Seriously, if we need to patch Joe Sixpack's computer he is going to shut it down eventually and reboot it. But teaching users that computers just spontaneously reboot every now and then doesn't really help them when a virus that does the same thing infects their computers they think everything is normal, creating a bigger problem than unpatched installs.
  
  And the dialog box wouldn't have helped me, it was fullscreen hooked up to a projector.
  
  --
  Taxation is legalized theft, no more, no less.
That's it! I'm switching to a Linux Desktop by Anonymous Coward · 2008-10-28 10:43 · Score: 5, Funny

Slashdot's unbiased coverage of an exploit for a patch that was released last week has finally convinced me to stop using MS products. I'm also beginning to think this MS might be evil as well.
1. Re:That's it! I'm switching to a Linux Desktop by Anonymous Coward · 2008-10-28 12:11 · Score: 2, Informative
  
  LOL! Yea... especially considering that doing some SIMPLE things like these:
  1.) Stopping "File & Print Sharing", via your local connection, removing it as a Client/Protocol there (if you're not on a Lan Manager based OR Active Directory IP based LAN/WAN, or home network? Who cares! It's slowing you down just broadcasting extra packets anyhow OR listening for them too, wasting IO + resources) & the SYSTEM ICON in Control Panel (as to options &/or quick tasks to perform for that) make it a snap to stop it from being effective
  ----
  2.) Removing ALL shares, hidden or otherwise via say, a batchfile (or even DOS command prompt) like:
  C:
  NET SHARE C$ /DELETE
  NET SHARE ADMIN$ /DELETE
  NET SHARE IPC$ /DELETE
  NET SHARE DFS$ /DELETE
  NET SHARE COMCFG$ /DELETE
  NET SHARE FAX$ /DELETE
  NET SHARE NETLOGON /DELETE
  NET SHARE PRINT$ /DELETE
  NET USE * /DELETE
  ----
  3.) Stopping the SERVER SERVICE (which allows sharing, & if you're not part of a LAN/WAN (like a single user system online on the internet only), you also save Memory, CPU Cycles, & Other I/O by cutting said service (via service.msc & setting its default startup type to DISABLED, & stopping it there also, once you doubleclick on it in the list)
  That also, can stop this exploit from being effective - as IT is what permits shares & file + print sharing...
  ----
  See - Technically, afaik, @ this point (haven't read the EXACT details of this thing's coding & methods though, via this RECENT CURRENT news on it)?
  Each/ALL/ANY of those measures SHOULD work, just fine, in mitigating this prior to applying this patch (especially if you're a standalone machine on the internet @ home, with no home LAN present)...
  (AND PLEASE - Feel free to correct me if I am off/wrong here fellas... thanks, as again, I have not "RTFA" (/. badge of honor, lol), yet as I noted above...)
  APK
  P.S.=> Afaik? That's more than adequate to stop this being exploitable, because if there are no SHARED DISKS present? How can you get to anything to execute anything?? File ACL's also being set (to stop remote NETWORK SERVICE, or other remote capable services &/or user-entities, except that which YOU use) helps moreso than the above, maybe overkill, but worth doing & should be by everyone anyhow, imo @ least... apk
Clarification by Raconteur · 2008-10-28 10:48 · Score: 5, Informative

Just in case the /. entry seemed as ambiguous to you as it did to me, the linked article states "Our investigation has shown that it does not affect customers who have installed the update."
But not everyone has installed the update. by khasim · 2008-10-28 10:59 · Score: 5, Insightful

This is added incentive to complete YOUR testing of this patch ASAP.
Remember, only incompetent admins apply patches without testing them.
In our environment, the patch would have been put into testing the day after it was released (no sense getting caught by a brown paper bag bug) and then into production NEXT Sunday.
With a known exploit out there, we'd be getting more people to test the test systems TODAY. With the goal of putting the patch into production TOMORROW evening.
1. Re:But not everyone has installed the update. by DigiShaman · 2008-10-28 11:44 · Score: 4, Insightful
  
  Remember, only incompetent admins apply patches without testing them.
  Cool.
  Sounds like your part of an internal IT department of a big corporation. Well, I'm not. I admin several small businesses network which contain 5 to 20 users. Each company has one server which runs Windows SBS. So, testing isn't an option. Should there be a problem, I have no choice but to pull it out via the Add/Remove program list.
  So, do you think I'm an incompetent admin given what I have to work with?
  
  --
  Life is not for the lazy.
2. Re:But not everyone has installed the update. by citylivin · 2008-10-28 11:54 · Score: 1
  
  "Remember, only incompetent admins apply patches without testing them."
  I hope you don't think this applies to every environment out there. I am sure some very tightly integrated, heavily customized servers require this level of paranoia, but for most systems / environments, security patches do VASTLY more good than harm. You cant test for everything anyway no matter how hard you try.
  Id rather explain to my CEO that I broke an app because I was trying to be safe and secure than get hit by a worm (pants down), with my only excuse being that I didn't want to roll out something that might POSSIBLY fuck shit up. Because at that point shit WOULD definitely be fucked up, and it would be my fault for not testing fast enough.
  But again, it depends on your organization. Security patches from M$ have historically been pretty good. You also have the ability to blame them if shit hits the fan. Odds are many other people will have issues if the patch is THAT badly designed.
  This seemed like a major issue (codered or mydoom level worm potential). When I read of it last week, I made sure all the machines were patched and rebooted ASAP. Like always its a judgement call you have to make with these things. I take a major issue with being called incompetent because I'd rather protect myself than blindly follow "Best practices".
  
  --
  As a potential lottery winner, I totally support tax cuts for the wealthy
3. Re:But not everyone has installed the update. by Fulcrum+of+Evil · 2008-10-28 12:20 · Score: 2, Insightful
  
  So, do you think I'm an incompetent admin given what I have to work with?
  Sure. You don't have a test network to at least smoke patches on or you would've said something. What happens when your SBS box barfs? how long is recovery and when's the last time you tried it?
  
  --
  "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
4. Re:But not everyone has installed the update. by homesteader · 2008-10-28 13:33 · Score: 1
  
  Sure, and in the real world, every small business is going to spend massive amounts of money to protect an IT infrastructure, even though when it's down they might not actually lose any money.
  That's how all of my clients work.
5. Re:But not everyone has installed the update. by DigiShaman · 2008-10-28 14:25 · Score: 4, Informative
  
  Sure. You don't have a test network to at least smoke patches on or you would've said something
  A fifteen user network all running off a cable modem, router/firewall, and Windows 2003 SBS. Sure, let me pitch the sale for them to purchase another SBS box (for testing purposes only) and the billable time required for each test required per monthly patch cycle...
  What happens when your SBS box barfs
  Rebuild it, add PCs back to the domain, and restore user data and exchange data. I've done it before and it's a lot cheaper alternative to the one above. Funny isn't? Sometimes it's cheaper to let a server crash and burn than spend money on preventive maintenance. It's all in how much the customer wants to spend.
  
  --
  Life is not for the lazy.
6. Re:But not everyone has installed the update. by afidel · 2008-10-28 16:47 · Score: 1
  
  Yep that's what I just finished doing. We started testing last Friday but due to some changes going into production last weekend we weren't able to test all systems. We blocked all known paybload sites for the in-the-wild exploit at the firewall and set it to email us if those rules triggered. This morning we got a hit. We went into emergency response mode. The patch testing went to the top of the pile for all application groups. We located the affected workstation and pulled it from the network, confirmed it hadn't used the exploit on anything else on the network through analyzing server vlan sniffer traces (we mirror the entire vlan to a network general sniffer box with a couple TB array for about a week of storage). I just finished patching all of our servers except for the financials because they are running month end processing tonight but they will be done tomorrow night and all of the monitoring and blocking is still in place. Luckily all the systems like the proxy server, firewall and sniffer give us enough protection and visibility that we didn't have any big worries on this one.
  
  --
  There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
7. Re:But not everyone has installed the update. by afidel · 2008-10-28 16:51 · Score: 1
  
  Actually today if I was doing a SBS server I would probably use some sort of virtualization, and use snapshots for a level of backups and to allow the rollback of bad patches.
  
  --
  There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
8. Re:But not everyone has installed the update. by vic-traill · 2008-10-28 17:05 · Score: 1
  
  Remember, only incompetent admins apply patches without testing them.
  Okay, I'll bite on playing devil's advocate here - so what's your test proc?
  This is an patch developed and distributed by the OS manufacturer. I don't know what files are being touched by the fix, but how are your folks testing against those files, all apps which touch those files in execution, and what constitutes a successful test?
  I agree with what you're saying in principle, but in practise it is very difficult to truly test OS vendor patches comprehensively. How do you ensure that every piece of functionality used by apps (and thus users) is not borked by the patch?
  
  --
  [17] Leary, T., White, C., Wood, P. R., Bhabha, W. D., and Wirth, N. Lambda calculus considered harmful. In Proceedings
9. Re:But not everyone has installed the update. by Fulcrum+of+Evil · 2008-10-28 19:16 · Score: 1
  
  How about a SBS box and some clients that can at least accommodate smoke testing? Sure, your client's box may explode or conflict with an app they use, but it'll happen less with smoke tests.
  
  --
  "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
10. Re:But not everyone has installed the update. by SuiteSisterMary · 2008-10-29 01:26 · Score: 1
  
  Seems like an honest question, so I'll give you an honest answer. :-)
  Most companies that bother with an 'IT department,' rather than That One Guy, will have standardized desktops by role. That is to say, you take a computer, you put it on the network, you authorize it into your management system (be it Microsoft SMS, Novell Zenworks, whatever) and wait. Or you whip out your image CD for that role, plop it in the drive, reboot, and walk away.
  In any event, a standard load for that role is plopped onto the PC. Clerical staff have your company data-entry programs, programmers have IDEs, libraries, docs and what not, salesmen have the CRM system, and so on. This will usually be a combination of off-the-shelf software, internally-developed software, and highly customized commercial software.
  At this point, it becomes pretty easy to set aside a few desktops, be they dedicated test boxes for a given role, or simply a sacrificial lamb in each department, roll out the new patches, then either a) run through the programs and see if anything refuses to run, or b) use automated testing software to run through a standard workflow. If nothing breaks, you're reasonably sure that it's OK to roll out.
  Now, properly written Windows software is virtually guaranteed to be fine. Like you point out, the OS manufacturer isn't going to roll out patches that do stupid things. It's the poorly written software, software that still follows Windows 98 conventions, let alone Windows 3.1; a properly written program, using guidelines that first came out with Windows ME, let alone XP, will very VERY rarely trigger a UAC prompt on Vista. Most of the prompts are for Windows95 era conventions, like writing data under the Program Files directory.
  This is generally exacerbated by the fact that most of these internal apps are one-offs, were written by one guy in VBA to make his life easier, somebody noticed and wanted a copy, and next thing you know, it's being used as a line-of-business app, or it's a prototype that somebody wanted tested 'in the real world' and it quickly mutated into a production server, or the guy who wrote it in very obfuscated VC++ with no comments is no longer with the company, or the money's not there to re-engineer it, or all sorts of such things.
  
  --
  Vintage computer games and RPG books available. Email me if you're interested.
11. Re:But not everyone has installed the update. by Zarquil · 2008-10-29 09:09 · Score: 1
  
  I hate being the cynic, but both times I've been burned have been on small, specialized apps that aren't going to be blink across the mind's eye of Microsoft's testing matrix. The likelihood of any or all of his clients sharing it are presumably small (unless he wrote it himself).
  Smoke testing on a general scale like that is not likely to give a great return beyond the Microsoft testing.
the droning *gong* of microsoft cracks by drDugan · 2008-10-28 11:04 · Score: 3, Interesting

This is like a droning gong.
*Gong* Bring out your dead *Gong* Windows is insecure *Gong* Bring out your dead *Gong*
It seems to me there is a fatigue that sets in regarding unpleasant information. How many times does one have to hear a thing, especially an unpleasant thing they don't want to hear, before that person stop listening to it? This happens to me at least. We see this (as a parallel) in politics all the time, when we're told this guy or that person broke the law. Its like a background din you have to tune out to get through the day.
It's made worse because there is no solution.
For the user of windows, there is nothing they can do about the fundamental insecurity that leads to repeated, consistent, and regular security updates like this. The only option is to change OS, which if you're the average computer user, that is not an option without significant expense. It's unpleasant to hear that crackers are breaking into computers and turning them into zombie swarms of attacking botnets. Hear the same bad thing enough times, eventually people stop listening.
I was fortunate: my windows laptop was stolen in 2004 and I made the switch, and now use Mac and Linux now exclusively. Not that Mac is any panacea - I still can't stand Finder, I think it is awful, and curse it every time I need to move a few files to some other folder on another drive (usually I just use "mv"). BUT at least I'm not forced to start ignoring serious security threats that I can't prevent or address effectively. (I don't consider a long series of "After the crack" patches effectively addressing the problem)
1. Re:the droning *gong* of microsoft cracks by not+already+in+use · 2008-10-28 12:10 · Score: 1
  
  Nope, never forced to ignore serious security vulnerabilities
  
  --
  Similes are like metaphors
2. Re:the droning *gong* of microsoft cracks by afidel · 2008-10-28 16:55 · Score: 1
  
  Dude, this is the third out of cycle MS has released in the 4 years since they went to the patch tuesday standard and it was because it was found by reverse engineering an in-the-wild worm. Also you might notice that Windows 2008 and Vista are lower priority because security improvements in default ACL's means that this exploit is only exploitable by authenticated users, not by anonymous bind, it's not like MS isn't doing things to improve security including reducing the attack surface of 2008 with Server Core.
  
  --
  There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
3. Re:the droning *gong* of microsoft cracks by leomekenkamp · 2008-10-28 21:34 · Score: 1
  
  I still can't stand Finder, I think it is awful, and curse it every time I need to move a few files to some other folder on another drive (usually I just use "mv")
  Pure curiosity: what exactly is it that makes Finder bad at moving files for you? For me it works a lot better than Windows' Explorer.
  
  --
  Wenn ist das Nunstueck git und Slotermeyer? Ja! Beiherhund das Oder die Flipperwaldt gersput.
I'm not Microsoft lover, but by dkleinsc · 2008-10-28 11:11 · Score: 5, Insightful

I'll give them credit for patching this quickly. This could have been Yet Another Windows Worm (TM) that brings all legitimate network traffic to a halt. And us Slashdotters have been after them for years for taking too long to patch things, so it would be completely hypocritical to get pissed at them for doing what we'd want them to do.
I'll hate them for having the exploit possible in the first place, I'll hate them for requiring reboots, I'll hate them for forcing crappy software down our throats, but every once in a while they do something right.

--
I am officially gone from /. Long live http://www.soylentnews.com/
1. Re:I'm not Microsoft lover, but by Johnny+Loves+Linux · 2008-10-28 11:33 · Score: 1
  
  Problem is, that this could *still* become another worm if enough Windows users don't apply the patch. Does windows update guarantee that this patch will eventually be applied to every Windows machine?
2. Re:I'm not Microsoft lover, but by X0563511 · 2008-10-28 11:41 · Score: 1, Insightful
  
  It would, but for their intentional denial of updates to "illegitimate" installations.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
3. Re:I'm not Microsoft lover, but by Macthorpe · 2008-10-28 11:49 · Score: 2, Informative
  
  You've always been able to automatically update even cracked copies of Windows automatically, you just can't do it via update.microsoft.com.
  I'm not sure where you've got your information from.
  
  --
  "It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
4. Re:I'm not Microsoft lover, but by 0100010001010011 · 2008-10-28 14:18 · Score: 1
  
  How the fuck does this keep happening? I can understand a remote exploit here and there. But seriously. How dumb/slow/lack of testing do you have to be to put these in the wild. Last bug that made Slashdot affected everything back through like 98 or something. I know "MS sux" is the big joke around here, but seriously.
  If it's because Windows is the Most used OS in the world, why don't we hear about Apache remote exploits? With Apple and Linux taking market share with College kids and the Server market why aren't we hearing about these remote exploits with them?
  Seriously, What the Fuck.
5. Re:I'm not Microsoft lover, but by shutdown+-p+now · 2008-10-28 19:32 · Score: 1
  
  As I recall, critical updates are installed via Windows Update even on "non-genuine" Windows. Or did that policy change lately?
6. Re:I'm not Microsoft lover, but by dhasenan · 2008-10-29 02:03 · Score: 1
  
  Windows is huge compared to a typical Linux server setup -- Server 2003 takes up 20 times as much disk space as Ubuntu's server offering, and on the desktop, it's still a factor of three or four. On one hand, a lot of that is going to be help files, images, GUIs, and so forth; on the other, there's just going to be a lot more executable code that might be running.
  This isn't an excuse for Windows to have exploits, but it's probably a large portion of the cause.
7. Re:I'm not Microsoft lover, but by prshaw · 2008-10-29 05:03 · Score: 1
  
  >>I'm not sure where you've got your information from.
  I'm sure they got it from slashdot, where else would you find accurate information about Windows :)
8. Re:I'm not Microsoft lover, but by petermgreen · 2008-10-29 09:39 · Score: 1
  
  Yeah, the trouble is they made windows genuine advantage notifications a "critical" update and worse if you are in semi-automatic mode, decline it and tell it not to show it again it will reappear when they do a new version of it.
  So those who want to avoid getting it rammed in thier face that they are running "pirate" windows can't use fully automatic updates and if they use semi-automatic updates they have to check for wga in the list every time.
  
  --
  note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
9. Re:I'm not Microsoft lover, but by petermgreen · 2008-10-29 09:44 · Score: 1
  
  And as such I would expect most people selling machines with pirate copies of windows/using pirate copies to do reinstalls for people to leave automatic updates completely disabled.
  
  --
  note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
Microsoft didn't downplay this by Anonymous Coward · 2008-10-28 11:17 · Score: 5, Informative

Instead they issued an out-of-cycle patch and they gave it a very high severity rating in their bulletins. None of us are Microsoft lovers. But you don't have to lie to us just to be able to pat us on the back. It's disgusting, please stop it.
1. Re:Microsoft didn't downplay this by felipekk · 2008-10-28 12:36 · Score: 3, Informative
  
  Please mod parent up.
  Microsoft even contacted partners to make sure they were applying the patch as soon as possible.
  I don't know where the author got the downplaying from...
Cut & Paste by westlake · 2008-10-28 11:59 · Score: 1

Just a day after downplaying the vulnerability that caused it to issue an out-of-cycle patch last week, Microsoft warned customers late yesterday that exploit code had gone public and was being used in additional attacks
.
How does this translate into downplaying the threat?
October 23, 2008 (IDG News Service) Microsoft Corp. fixed a critical bug in its Windows operating system Thursday, saying that it is being exploited by online criminals and could eventually be used in a widespread "worm" attack.
Microsoft took the unusual step of issuing an emergency patch for the flaw several weeks ahead of its regularly scheduled November security updates, saying that vulnerability is being exploited in "limited targeted attacks." The company had already announced plans to rush out the patch.
"It is possible that this vulnerability could be used in the crafting of a wormable exploit. If successfully exploited, an attacker could then install programs or view, change, or delete data; or create new accounts with full user rights," Microsoft said in a bulletin released Thursday morning. Microsoft releases emergency Windows patch to head off worm attack {Oct 23]
New Windows bug differs from 2006 flaw, Microsoft says [Oct 27]
If you rely on a single system for 5 9s by Sycraft-fu · 2008-10-28 12:00 · Score: 1, Insightful

You are an idiot. 5 9s gives you just 5 minutes per year of downtime. You think if something fails in a system, you can get it back up in 5 minutes? Hell no. You want reliability like that, you do it with redundant systems. Well, in that case the individual units can certainly go down. Perfectly valid strategy. You patch them whenever you feel like, making sure that only one is down at a time and that it comes back up to full operational status before you do the next one.
A single system, well you are just rolling the dice. Sure I've seen single systems go for over a year, no crashes, no hardware faults. I've also seen plenty that have gone down. When a problem does occur, it isn't something that gets fixed in 5 minutes, or even usually in an hour (4 9s requires no more than 53 minutes down).
In addition to that you also have to keep the idea of planned and unplanned outages separate. While in some cases, no outage is acceptable and thus the system needs to designed to never be down, often an outage is fine, so long as it's planned. So you can take a system down every week and still have a perfect rating because you had no unplanned outages. The system was only down at specified times. That works just fine for non-critical systems in many cases.
However if it is critical, and if it really can't ever be out at all, ever, which is more or less what 5 9s implies, then you need to have redundancy, and have it at every level. You can't have any single points of failure because the chances that you get that point fixed in time is very slim.
So no reboot on patch isn't useful for that, because in a system with that high an availability, well it has to be redundant anyhow. More important that the patch applies properly and works (which is why you do the reboot, to eliminate potential conflicts) than that you can do it on a running system. After all, you take one part down for a couple minutes as you patch and verify, that's great your uptime is unaffected. You instead apply a hot patch to all systems, which then causes them all to crash an hour later, you are screwed because you are down.
Metasploit by slimjim8094 · 2008-10-28 12:14 · Score: 4, Informative

Be warned; this is already on metasploit. The intrepid can find this for themselves...
Testing it to see if it actually works though.

--
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
1. Re:Metasploit by Darkness404 · 2008-10-28 13:46 · Score: 1
  
  The intrepid can find this for themselves...
  
  Well, unless this thing runs in WINE so I doubt those who are intrepid can find it for themselves...
  
  (For those who are clueless and won't get the joke, Intrepid Ibex is the codename for Ubuntu 8.10)
  
  --
  Taxation is legalized theft, no more, no less.
2. Re:Metasploit by kv9 · 2008-10-28 17:38 · Score: 1
  
  explaining jokes always makes them so much better. thanks!
  
  --
  Stop Computers/Cars Analogies on S
If only... by SupremoMan · 2008-10-28 12:20 · Score: 1

If only the writers of malicious programs dropped their Windows XP support when Microsoft does... What are my options when dark day comes?
1. Re:If only... by Computershack · 2008-10-28 14:06 · Score: 1
  
  If you were running Vista, you'd not need to be worried by this.
  
  --
  I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
2. Re:If only... by SupremoMan · 2008-10-28 18:03 · Score: 1
  
  Yep, and if my hardware upgraded itself and I didn't have to pay for a license, I might just do that.
3. Re:If only... by Computershack · 2008-10-28 22:08 · Score: 1
  
  Bloody hell, how old is your computer? I'm typing this on a 30 month old laptop running Ultimate.
  
  --
  I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
4. Re:If only... by petermgreen · 2008-10-29 09:52 · Score: 1
  
  1: upgrade to a new version of windows (IIRC microsofts lifecycle policy says there will be at least two years between the release of windows 7 and the end of security updates for XP)
  2: switch to another OS
  3: stick with XP and work to reduce your exposure by other means
  3a: use a software firewall to severely restrict what if any machines can connect to file and print sharing on your machine
  3b: don't serve files or printers off windows client machines, give that job to a dedicated box running a supported version of windows or linux.
  3c: Use a virus checker (not perfect but good as a second line of defense if something bad does get onto a "trusted" machine somehow.
  
  --
  note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
5. Re:If only... by Allador · 2008-10-29 15:10 · Score: 1
  
  If you're still using XP in 2014 when they stop issuing security patches, then the problem may be on your end.
Link to exploit... by hitchhacker · 2008-10-28 12:57 · Score: 1

From milw0rm here

-metric
Re:Sauce by tylerni7 · 2008-10-28 13:14 · Score: 1

For anyone thinking about clicking that link, it seems to be a legitimate rar containing source code and an executable for an exploit, looks to be this one.

Now that your curiosity it settled, you probably shouldn't click that unless you trust the owner/controller of milw0rm.com to not infect whichever system you have. </warning >
Singin' The Zero-Day Blues by bill_mcgonigle · 2008-10-28 13:41 · Score: 1

Remember, only incompetent admins apply patches without testing them.
In our environment, the patch would have been put into testing the day after it was released (no sense getting caught by a brown paper bag bug) and then into production NEXT Sunday.
Your strategy fails to deal with certain 0-day scenarios. Not that competent admin would actually run critical services on Windows.

--
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
1. Re:Singin' The Zero-Day Blues by tibman · 2008-10-28 23:40 · Score: 1
  
  I agree with your comment but i'd like to add that sometimes zero day stuff just sucks balls and there isn't much you can do. Sometimes it isn't the OS's fault either, but the software on top. This is where a real sysadmin shines.. he can isolate the problem and hack up a solution within minutes and apply it without regard for testing.
  
  --
  http://soylentnews.org/~tibman
2. Re:Singin' The Zero-Day Blues by bill_mcgonigle · 2008-10-29 06:20 · Score: 1
  
  Agreed, sometimes there are no perfect options, and strategies which fail to deal with actual real-world scenarios can't be considered comprehensive.
  This is where a real sysadmin shines.. he can isolate the problem and hack up a solution within minutes and apply it without regard for testing.
  The degree to which this is unwise is inversely proportional to the skill of your sysadmin.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Vista rulez... by Computershack · 2008-10-28 14:04 · Score: 2, Interesting

Glad I'm running Vista or I might have to look like I remotely give a shit about something that might affect me if I weren't connected to the internet via a router running NAT you know, just like pretty much most people on broadband are?
Seriously, this is only really gonna be a problem to someone connecting on dialup and it's gonna take so fucking long to send the information that the person running the exploit is most likely to have died from old age before they get anything worth a toss.

--
I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
1. Re:Vista rulez... by Computershack · 2008-10-28 22:11 · Score: 1
  
  How do you know "most people" use a router on broadband?
  Well in the UK at least virtually all ISPs provide you with one, usually wifi enabled in the form of a DG834G, when you sign up to their service.
  
  --
  I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
2. Re:Vista rulez... by xiang+shui · 2008-10-28 23:04 · Score: 1
  
  There are still a lot of people connected directly to the internet, or even intentionally placed in a DMZ for some apps that have a long list of random ports that need to be opened.
3. Re:Vista rulez... by petermgreen · 2008-10-29 10:00 · Score: 1
  
  I see a bigger issue in buisness networks. Many places rely heavilly on windows file and print sharing so blocking it complely is not an option and iirc the basic browse/name resoloution system tends to get upset if you try and do any kind of firewalling.
  One infected machine behind the firewall could easilly reak havok.
  
  --
  note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
4. Re:Vista rulez... by Allador · 2008-10-29 15:12 · Score: 1
  
  The problem is when a worm for this exploit starts being incorporated into drive-by-download attacks into IE.
  So someone browses to a site, IE promptly downloads and runs the worm behind the scenes, in about 4 seconds every machine on the LAN has been compromised.
virtualization by TheLink · 2008-10-28 14:17 · Score: 1

Depending on what sort of software is running on those servers, and what those companies allow you to do, you could do _some_ testing with vmware server.

Stuff like vmware server is free. Download it and install it.

Create a windows guest with the required virtual hardware.

Install the cheapest licensed Windows SBS on it.

Make copies for testing different software configurations and scenarios.

The courts in my country are unlikely to smack me down as long as I don't run them all at the same time, but your country might be different so consult your lawyer :).

If just a single Windows SBS license costs too much money, you might be able to get away with something like Windows XP just to test the Microsoft Windows Update cycle for any "obvious problems".

Would be strange that you can't afford the USD600+ (inclusive of the 2 x 500GB drives for storing all those vmware images), if you're doing this as a business. Maybe you should bill those companies a bit more.

I'm assuming you have your own PC, and are not some person stuck with using library/cybercafe computers (in which case installing vmware server is out).

You'll still need a windows client of course, but you can also use that windows client in vmware server for testing various client configs as well.

BTW there are free linux distros that you can run vmware server on. So you spend money on 1 x windows client, 1 x windows server and 2 x 500GB (or even 1TB) hard drives.
--
- Too many replies beneath your current threshold
1. Re:virtualization by darkpixel2k · 2008-10-28 17:26 · Score: 1
  
  Would be strange that you can't afford the USD600+ (inclusive of the 2 x 500GB drives for storing all those vmware images), if you're doing this as a business. Maybe you should bill those companies a bit more.
  I don't know about the grandparent, but I'd rather take that money home. If a company wants a patching/testing infrastructure, they can pay for it instead of me having to cut my already slim profit-margins.
  
  To be blunt, no small business wants to pay double for their SBS install--because that's what it would take to get a real server and a test server--or a real server and a VM. (Need more memory and space in the real server for the VM.)
  
  Many clients are fine with leaving it up to MS to get the patches right, not patching at all, or delaying all patch installs by 1 week.
  
  I have tons of clients running SBS 2003. They've been running SBS 2003 since the time SBS 2003 came out. Not a single catastrophic server failure in 5ish years due to software updates.
  
  Seriously--if there were a huge update fuckup, I'd hear about it on Slashdot within a few days and I could delay the patch by another week so MS can fix it.
  
  --
  There's no place like ::1 (I've completed my transition to IPv6)
NT4 Affected By This? by ScottCooperDotNet · 2008-10-28 15:10 · Score: 1

As Windows 2000 is affected by this vulnerability, I'm wondering if NT4 is as well. There's a still a sprinkle of NT4 servers about hidden in the back of server rooms. Will this be the push to finally replace them?
1. Re:NT4 Affected By This? by darkpixel2k · 2008-10-28 17:44 · Score: 1
  
  As Windows 2000 is affected by this vulnerability, I'm wondering if NT4 is as well. There's a still a sprinkle of NT4 servers about hidden in the back of server rooms. Will this be the push to finally replace them?
  Hell no. If you still have an NT4 server around, the only thing that will get it replaced is to drive a silver stake through the hard drive and dump it off the nearest bridge.
  
  --
  There's no place like ::1 (I've completed my transition to IPv6)
Downplaying the vulnerability ? by DavidD_CA · 2008-10-28 17:20 · Score: 3, Insightful

I'm sorry... downplayed?
Is there any admin in the world that didn't get the message that this was kinda sorta urgent?
This was the first time in four (?) years that Microsoft went out-of-cycle on their patches. That alone got attention, and would hardly be considered "downplayed".
Every stinkin' newsletter I got last week all mentioned it. Vendors mentioned it. Slashdot mentioned it a dozen times. And Microsoft sent out many many bullitens.
What would it take to satisfy the submitter's requirements for sufficient attention? CDs mailed out via FedEx Next Day to every registered owner of Windows?
Perhaps the real downplaying is what Slashdot tends to do whenever a Linux-releated bug is found.

--
-David
1. Re:Downplaying the vulnerability ? by leuk_he · 2008-10-28 21:17 · Score: 1
  
  Well, the article linked is just a summery.
  Most important part is that there is no worm code yet, because that could melt down the internet like blaster did.
Re:Sauce by darkpixel2k · 2008-10-28 17:36 · Score: 1

you probably shouldn't click that unless you trust the owner/controller of milw0rm.com to not infect whichever system you have. </warning >
darkpixel@hoth:~/tmp$ uname -a
Linux hoth 2.6.27-7-generic #1 SMP Fri Oct 24 06:42:44 UTC 2008 i686 GNU/Linux

I feel pretty safe...

*time passes*

*time passes*

...hmm...

darkpixel@hoth:~/tmp$ wget -c http://milw0rm.com/sploits/2008-MS08-067.rar
*snip*
MS08-067.rar' saved [12506/12506]
darkpixel@hoth:~/tmp$ unrar e 2008-MS08-067.rar
*snip*

darkpixel@hoth:~/tmp$ clamscan .
./MS08-067.c: OK
./srvsvc.h: OK
./srvsvc_c.c: OK
./mem.h: OK
./srvsvc.idl: OK
./MS08-067.exe: OK
./srvsvc_s.c: OK

----------- SCAN SUMMARY -----------
Known viruses: 454416
Engine version: 0.94.1rc1
Scanned directories: 1
Scanned files: 7
Infected files: 0
Data scanned: 0.11 MB
Time: 6.840 sec (0 m 6 s)
darkpixel@hoth:~/tmp$ wine MS08-067.exe

fixme:system:SetProcessDPIAware stub!
fixme:iphlpapi:NotifyAddrChange (Handle 0x7d8699f8, overlapped 0x7d8699dc): stub
fixme:shell:DllCanUnloadNow stub

MS08-067 Exploit for CN by EMM@ph4nt0m.org

MS08-067.exe <Server>

darkpixel@hoth:~/tmp$

Damn me and my refusal to run any MS software at home... If only I had a vmware image of XP. I wonder if WINE emulates windows well enough to attack another machine...

--
There's no place like ::1 (I've completed my transition to IPv6)
Re:9 Nines by Anpheus · 2008-10-28 18:11 · Score: 1

Oh, I see. Hey everyone, I'm selling 30 9s of availability such that outages aren't included in the calculation. I can offer it from even Windows ME.
I guess all my *ux boxes don't apply by joe_n_bloe · 2008-10-28 20:16 · Score: 1

The majority of them, that is, you know, the ones with 400+ days of uptime.
What's all the fuss? by myxiplx · 2008-10-28 21:49 · Score: 1

I saw all the fuss last week about this, so I went ahead and read the MS release. My reaction: "meh". Yes, we're running windows. About 100 desktops and 13 servers. No, we don't patch everything at the drop of a hat.
This patch will be rolled out here in 2-3 months, along with a bunch of other MS patches. Do we test everything thoroughly? No, that would be far too much time and effort. We wait a few months so that everybody else can do the bulk of the testing for us, then internally we simply roll patches out to IT first for a couple of weeks, then send them to the rest of the company. Sometimes we'll go 6-12 months between patches.
Do I worry about Viruses? Yes, I'm constantly aware of them, and I read most of the MS security bulletins, but it's not something that keeps me awake at night. In the last 2 years I've seen just one bug that actually had a chance of infecting our machines. Good firewall and e-mail security, and locked down workstations are a far better solution than patching all the time.
Most people don't seem to realise that it's actually pretty easy to secure windows, and to do so with minimal disruption. 99% of our users don't even know what we do. For the rest, the extra security adds a few minutes delay from time to time.
1. Re:What's all the fuss? by Allador · 2008-10-29 15:16 · Score: 1
  
  The problem is that 'securing windows' consists 80% of making sure its patched to current, and another 15% not having the users run as admin.
  If you're not patching, you're ignoring the single biggest thing you can do to protect your systems, not to mention the easiest.
  All that this has to do is be incorporated into a drive-by-install that targets IE, and if any of your users trip over a website that contains this, then it'll eat everything on your LAN in a few seconds.
  Frankly, not patching for 2-3 months is possibly one of the worst possible things you can do.
  You'd be better off patching quickly, and not running AV or firewalls.
2. Re:What's all the fuss? by myxiplx · 2008-10-29 20:40 · Score: 1
  
  I'd disagree. Patching definitely isn't the easiest way to secure this network. If I don't have AV or firewalls, I then have to manage patches for over 100 applications to keep my network secure. By ensuring our internet access is heavily restricted, we have a hugely reduced window for viruses to enter the building, reducing the need to patch.
  We have a two stage corporate firewall, e-mail filtering, and locked down workstations that in combination mean we:
  - blocks access to non work related sites outside of lunch breaks
  - block all executable content
  - quarantine all questionable content (including office documents and pdf's), from all but a few trusted sites
  - block all scripts, activeX controls, flash, and all similar functionality from all but a list of known trusted sites.
  When I say my reaction to this alert was "meh", that was for a good reason. In the past two years there has been precisely one vulnerability report from Microsoft where we did not already have every single mitigating factor in place. For that patch we reacted quickly, and had it rolled out to all workstations within 24 hours. However, the vast majority of web based viruses require activex or scripting to infect your computer. With these disabled, there are very few infections that are capable of attacking our clients.
  The overall effect is that instead of spending hours each week testing patches, rolling them out, and fixing the problems that the patches create, we spend maybe 4-5 hours a year on security patches, and probably 30 minutes a week authorizing downloads. It means we have a very stable network, that requires very little time to manage.
  Of course we're not finished yet. Viruses are a big concern, and while I think we have a good setup, nothing is perfect, and I've dealt first hand with mass infections in the past. We have plans to improve our disaster recovery process so that we can recover from a site wide virus in an hour or two. Long term we intend to isolate key areas of the network to reduce the risk of an infection affecting certain departments, and we are also closely watching Linux and Solaris, to see if there is a way we can provide a mix of operating systems to our users, instead of relying on just one.
msileading by hesaigo999ca · 2008-10-29 00:51 · Score: 1

Talk about being let down...I thought they were going to post the actual code for the exploit...this would have been great news for some of us....I am trying to apply this exploit to show my admin we REALLY need those patches, although no one seems to care....anyone have links or code they could share???
Re:Real Programmers use Emacs by lzdt · 2008-10-29 02:42 · Score: 2, Funny

If you start to lose an argument based in 'nuh uh, yeah huh' then immediately question the person's choice of > VI> verses [small]emacs[/small].
vi is [[13~^[[15~^[[15~^[[19~^[[18~^ a muk[^[[29~^[[34~^[[26~^[[32~^ch better editor than this emacs. I know I^[[14~'ll get flamed for this but the truth has to be said. ^[[D^[[D^[[D^[[D ^[[D^[^[[D^[[D^[[B^ exit ^X^C quit :x :wq dang it :w:w:w :x ^C^C^Z^D