Slashdot Mirror


Attack Code Found For Recent Windows Bug

CWmike writes "Just a day after downplaying the vulnerability that caused it to issue an out-of-cycle patch last week, Microsoft warned customers late yesterday that exploit code had gone public and was being used in additional attacks. 'We've identified the public availability of exploit code that now shows code execution for the vulnerability addressed by MS08-067,' said Mike Reavey, operations manager of Microsoft's Security Response Center, in a post to the MSRC blog. 'This exploit code has been shown to result in remote code execution on Windows Server 2003, Windows XP, and Windows 2000.'"

20 of 184 comments

  1. Hotpatching by nmb3000 · · Score: 5, Insightful

    For those interested, there was a really cool hack of hotpatching the files and services that are affected by this exploit. The Microsoft patch isn't designed to be hotpatched, instead requiring a reboot to replace the needed files. However, by using a binary diff and DLL injection you can apply the patch on the fly without rebooting.

    I wish Microsoft would put more effort into making the official patches not require a reboot. Consumer operating systems are one thing, but rebooting Windows servers gets annoying really fast.

    --
    "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
    1. Re:Hotpatching by TubeSteak · · Score: 4, Insightful

      However, by using a binary diff and DLL injection you can apply the patch on the fly without rebooting.

      Is that something you would want to do on a production server?
      And if you were MS, is that something you would want to support?

      --
      [Fuck Beta]
      o0t!
    2. Re:Hotpatching by vux984 · · Score: 4, Interesting

      If you were MS, and wanted to brag about 5 Nines uptime, wouldn't you design the patch so you didn't have to reboot production servers once a month?

      5 nines is ~5.3 minutes downtime per year

      You don't achieve that with a single Linux box either, unless you simply aren't keeping it up to date. Even if you manage to avoid 'rebooting it', you are still going to have serious trouble reliably preventing 'unavailability of services' from reaching 5.3 minutes over a year.

      It takes either a mainframe or a cluster to reach 5 9's with any reliability. Windows doesn't run on a mainframe, and if you have a cluster, a few scheduled reboots now and then don't result in any downtime, since you don't have to bring the entire cluster down.

      So your argument really doesn't apply.

    3. Re:Hotpatching by vux984 · · Score: 5, Insightful

      No, I've managed to have a single Linux box reach 99.999%

      "Managed to have"? You are talking about 5 9's as something that you can reach. People who demand 5 9's consider that the minimum they will accept. They don't want systems that can reach 5 9's; they want systems guaranteed not to be less than 5 9's. That's a HUGE difference.

      So if we sign an SLA, how certain should I be that you can deliver 5 9's? ... From one box? Not very.

      The fact that you might 'manage it' simply isn't good enough. What happens when a piece of hardware fails? Or if an update doesn't go smoothly? With a single box you have no contingency and 5 minutes to resolve any problems and perform any updates that might be needed for the entire year.

      My point stands: anyone serious about delivering 5 9's simply isn't using a single box, because you simply can't depend on it. MAYBE you'll get 5 9's out of it, but getting 5 9's from a single box is like winning a prize from a scratch and win. It's not exactly a miracle, but it's hardly something you can rely on.

      Hell, even promising 4 9's from a single box is taking on some heavy risk. It's not hard to envision an unexpected hour of downtime on a box over the course of a year.
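
To put numbers on the argument in this reply and the one above it, here is an added example (not from the thread): it converts an availability target such as "five nines" into a yearly downtime budget and checks whether a planned maintenance schedule, for instance one reboot per monthly patch cycle, fits inside it. The per-reboot duration is a constructed figure.

```python
# Added example, not from the thread: availability targets as yearly downtime budgets.
MINUTES_PER_YEAR = 365.25 * 24 * 60  # 525,960 minutes, averaged over leap years


def downtime_budget_minutes(nines: int) -> float:
    """Yearly downtime allowed by an availability of 0.99...9 with `nines` digits.

    Five nines (99.999%) leaves 10**-5 of the year, about 5.26 minutes.
    """
    return MINUTES_PER_YEAR * 10 ** (-nines)


def schedule_fits(nines: int, events_per_year: int, minutes_per_event: float) -> bool:
    """True if the planned outages alone stay inside the budget for `nines`.

    Unplanned outages are not counted, so a True result is a necessary
    condition for the target, not a guarantee of meeting it.
    """
    planned = events_per_year * minutes_per_event
    return planned <= downtime_budget_minutes(nines)


if __name__ == "__main__":
    for n in (3, 4, 5):
        print(f"{n} nines: {downtime_budget_minutes(n):.1f} minutes of downtime per year")
    # Single box rebooted once per monthly patch cycle; 5 minutes per reboot is a constructed figure.
    print("5 nines, 12 x 5-minute reboots:", schedule_fits(5, 12, 5))
    # The "unexpected hour of downtime" measured against a four-nines promise.
    print("4 nines, one 60-minute outage:", schedule_fits(4, 1, 60))
```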

    4. Re:Hotpatching by caluml · · Score: 4, Funny

      My current longest uptime:

      $ uptime ; uname -r
      00:49:19 up 1222 days, 14:09, 1 user, load average: 0.00, 0.00, 0.00
      2.6.11-hardened-r14

      Yeah, it doesn't actually do much. Just lets me win willy-waving matches.

    5. Re:Hotpatching by sleeponthemic · · Score: 5, Funny

      Oh yeah? Well, uh, nyah.

      $ uptime ; uname -r
      00:40:23 up 1222 days, 14:10, 1 user, load average: 0.00, 0.00, 0.00
      2.6.11-hardened-r14

      You made that post 51 minutes after he did.

      So close, but forever in his shadow :-)

      --
      I record my sleeptalking
  2. That's it! I'm switching to a Linux Desktop by Anonymous Coward · · Score: 5, Funny

    Slashdot's unbiased coverage of an exploit for a patch that was released last week has finally convinced me to stop using MS products. I'm also beginning to think this MS might be evil as well.

  3. Clarification by Raconteur · · Score: 5, Informative

    Just in case the /. entry seemed as ambiguous to you as it did to me, the linked article states "Our investigation has shown that it does not affect customers who have installed the update."

  4. Re:Another out-of-cycle patch is coming, right? by TubeSteak · · Score: 5, Informative

    No, this is the same exploit we talked about before.
    If you patched on the 23rd, you should be fine.

    --
    [Fuck Beta]
    o0t!
  5. But not everyone has installed the update. by khasim · · Score: 5, Insightful

    This is added incentive to complete YOUR testing of this patch ASAP.

    Remember, only incompetent admins apply patches without testing them.

    In our environment, the patch would have been put into testing the day after it was released (no sense getting caught by a brown paper bag bug) and then into production NEXT Sunday.

    With a known exploit out there, we'd be getting more people to test the test systems TODAY, with the goal of putting the patch into production TOMORROW evening.

    1. Re:But not everyone has installed the update. by DigiShaman · · Score: 4, Insightful

      Remember, only incompetent admins apply patches without testing them.

      Cool.

      Sounds like you're part of an internal IT department of a big corporation. Well, I'm not. I admin several small business networks which contain 5 to 20 users. Each company has one server which runs Windows SBS. So, testing isn't an option. Should there be a problem, I have no choice but to pull it out via the Add/Remove Programs list.

      So, do you think I'm an incompetent admin given what I have to work with?

      --
      Life is not for the lazy.
    2. Re:But not everyone has installed the update. by DigiShaman · · Score: 4, Informative

      Sure. You don't have a test network to at least smoke patches on or you would've said something

      A fifteen user network all running off a cable modem, router/firewall, and Windows 2003 SBS. Sure, let me pitch the sale for them to purchase another SBS box (for testing purposes only) and the billable time required for each test required per monthly patch cycle...

      What happens when your SBS box barfs

      Rebuild it, add PCs back to the domain, and restore user data and Exchange data. I've done it before and it's a lot cheaper alternative to the one above. Funny, isn't it? Sometimes it's cheaper to let a server crash and burn than spend money on preventive maintenance. It's all in how much the customer wants to spend.

      --
      Life is not for the lazy.
  6. I'm not a Microsoft lover, but by dkleinsc · · Score: 5, Insightful

    I'll give them credit for patching this quickly. This could have been Yet Another Windows Worm (TM) that brings all legitimate network traffic to a halt. And we Slashdotters have been after them for years for taking too long to patch things, so it would be completely hypocritical to get pissed at them for doing what we'd want them to do.

    I'll hate them for having the exploit possible in the first place, I'll hate them for requiring reboots, I'll hate them for forcing crappy software down our throats, but every once in a while they do something right.

    --
    I am officially gone from /. Long live http://www.soylentnews.com/
  7. Re:Hmmm... by daeg · · Score: 4, Funny

    Well, to be fair, their discussion took place on Wiki pages, so it was either Ubuntu 8.04 or HAHAHHAYOUSUCKCOCKS.

  8. Microsoft didn't downplay this by Anonymous Coward · · Score: 5, Informative

    Instead they issued an out-of-cycle patch and they gave it a very high severity rating in their bulletins. None of us are Microsoft lovers. But you don't have to lie to us just to be able to pat us on the back. It's disgusting, please stop it.

  9. Re:Hmmm... by Anonymous Coward · · Score: 4, Funny

    Who the fuck runs windows on a server? Context man, context!

    There, fixed it for you.

  10. Re:Hmmm... by Dogtanian · · Score: 5, Funny

    Well, to be fair, their discussion took place on Wiki pages, so it was either Ubuntu 8.04 or HAHAHHAYOUSUCKCOCKS.

    Yeah, I can see that some 13 year old vandal might think that it was funny to replace "Red Hat Enterprise Linux 5.2" with something silly like, er... "Ubuntu 8.04" ;-)

    BTW, HAHAHHAYOUSUCKCOCKS 2.06 is a fine server distro and I won't hear a word against it.

    --
    "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
  11. Re:Hmmm... by Venik · · Score: 4, Insightful

    Why should anyone bother submitting a bug report? If it's a minor issue and I have a workaround - sure, I'll submit a bug report. But if a system is completely unusable with Ubuntu, I'd rather spend my time finding a working alternative. Having said that, as a Unix sysadmin I have nothing against Ubuntu, other than that using it on a server is not the best idea: there are many far more stable alternatives. The problem with most Linux aficionados out there is that few of them have worked in a real production environment of a big datacenter. These guys may know how to configure Apache and MySQL on their Ubuntu PC, but they don't see a difference between getting something to work and getting it to be fast and reliable under constant heavy load.

  12. Metasploit by slimjim8094 · · Score: 4, Informative

    Be warned; this is already on metasploit. The intrepid can find this for themselves...

    Testing it to see if it actually works though.

    --
    I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
  13. Re:Hmmm... by CrazedWalrus · · Score: 4, Insightful

    But it does make a damn fine server. The software is reasonably up to date, the administration is dead-simple, and I'm already familiar with it from my desktops.

    I've got other things to concentrate on besides server administration -- like coding my project management and billing system, or working for my clients so I have something to bill them for. Ubuntu makes that easy for me.

    I've recently vetted Slackware, Debian (stable), and Ubuntu Server 7.04, and settled on the latter because it strikes the balance I need between stability and up to date software. You may legitimately disagree with my choice, but I have my reasons and I'm sure you have yours. Most Linuxes make great servers, so it's really choosing your favorite incarnation of "awesome."