Microsoft's "Dead Cow" Patch Was 7 Years In the Making
narramissic writes "Back in March 2001, a hacker named Josh Buchbinder (a.k.a. Sir Dystic) published code showing how an attack on a flaw in Microsoft's SMB (Server Message Block) service worked. Or maybe the flaw was first disclosed at Defcon 2000, by Veracode Chief Scientist Christien Rioux (a.k.a. Dildog). It was so long ago, memory is dim. Either way, it has taken Microsoft an unusually long time to fix. Now, a mere seven and a half years later, Microsoft has released a patch. 'I've been holding my breath since 2001 for this patch,' said Shavlik Technologies CTO Eric Schultze, in an e-mailed statement. Buchbinder's attack, called an SMB relay attack, 'showed how easy it was to take control of a remote machine without knowing the password,' he said."
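To make the "without knowing the password" part of the story concrete, here is a toy model of a challenge-response relay. This is an added example, not code from the story, from Buchbinder or from Microsoft: the response function is a stand-in for NTLM (it is not the real algorithm), the host names and the shared password are made up, and the "reflection check" models one defence (a host refusing to answer, as a client, a challenge its own server side just issued) as an assumption about how such a fix can work, not as a description of the actual patch.

```python
"""Toy challenge-response relay (added illustration; NOT real SMB/NTLM).

The attacker sits between a victim client and a target server, never learns
the password, and only forwards bytes: the server's challenge goes to the
victim, the victim's answer goes back to the server.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample secret: a domain account valid on every host in the
# example. The attacker never sees it.
DOMAIN_PASSWORD = "domain-admin-secret (made up)"


def compute_response(password: str, challenge: bytes) -> bytes:
    """Stand-in for the NTLM response: keyed hash of the challenge under a
    password-derived key. Whoever holds a valid response for a challenge can
    present it, which is all a relay needs."""
    key = hashlib.sha256(password.encode()).digest()
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Host:
    """One machine that acts as both server (issues challenges) and client
    (answers challenges from other servers)."""

    def __init__(self, name: str, password: str, reflection_check: bool = False):
        self.name = name
        self.password = password
        self.reflection_check = reflection_check  # assumption: modelled defence
        self.issued = set()  # challenges this host's server side has sent out

    # --- server role ---
    def issue_challenge(self) -> bytes:
        c = os.urandom(8)
        self.issued.add(c)
        return c

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self.issued:
            return False  # never issued, or already consumed
        self.issued.discard(challenge)  # single use
        expected = compute_response(self.password, challenge)
        return hmac.compare_digest(expected, response)

    # --- client role ---
    def answer(self, challenge: bytes) -> Optional[bytes]:
        # Reflection check: refuse to answer a challenge we ourselves issued
        # as a server. Blocks only the self-relay (reflection) case.
        if self.reflection_check and challenge in self.issued:
            return None
        return compute_response(self.password, challenge)


def relay(victim: Host, target: Host) -> bool:
    """Attacker in the middle. Returns True if the target accepts the session
    even though the attacker never supplied or learned a password."""
    challenge = target.issue_challenge()        # 1. attacker connects to target
    response = victim.answer(challenge)         # 2. victim answers that challenge
    if response is None:
        return False                            #    (patched victim refused)
    return target.verify(challenge, response)   # 3. answer handed to target


def demo_relay() -> bool:
    """Relay to a third host: works regardless of the reflection check."""
    victim = Host("workstation07", DOMAIN_PASSWORD, reflection_check=True)
    target = Host("fileserver01", DOMAIN_PASSWORD, reflection_check=True)
    return relay(victim, target)


def demo_reflection(patched: bool) -> bool:
    """Reflection: the victim is relayed back to itself."""
    host = Host("fileserver01", DOMAIN_PASSWORD, reflection_check=patched)
    return relay(host, host)


def demo_guess() -> bool:
    """Control case: an attacker who just guesses a password fails."""
    target = Host("fileserver01", DOMAIN_PASSWORD)
    c = target.issue_challenge()
    return target.verify(c, compute_response("password123", c))


if __name__ == "__main__":
    print("relay to another host:", demo_relay())            # True
    print("reflection, unpatched:", demo_reflection(False))  # True
    print("reflection, patched:  ", demo_reflection(True))   # False
    print("password guess:       ", demo_guess())            # False
```

The point the toy makes: nothing in the exchange ties the response to the connection it was produced for, so the server cannot tell a forwarded answer from an honest one. Refusing to answer your own challenges closes only the reflection case; relaying to a different host still works, which is why that case needs a separate control such as requiring signed sessions.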
It's always been easy to take control of a machine without the password. Sit down in front of the computer. Now the only thing stopping you is yourself. Oddly enough, that's what keeps most systems up... The fact that the vast majority of people are honest, decent folk. That, and they don't know what a null pointer is.
Of course, if the OS is fighting you all the way while you're trying to work with the software, that's a problem.
What made it worse? Taking 8 years to fix it or disclosing it before the patch was released?
Further, it is not a bug at all. It is essentially a badly designed protocol with a hole in it, and instead of abandoning it and making users upgrade, MSFT left this hole open for 8 years. All in the name of backward compatibility. Why has backward compatibility trumped security for 8 years? Is it surprising that no one takes MSFT's statements about its commitment to security seriously?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
From my experience, the Linux folks that try to work in Windows just simply don't know WTF they are doing.
Likewise, Windows Admins who work in Linux don't know either.
It's always easy to curse the platform if you don't have the knowledge. I've built stable environments out of Windows and out of Linux, and they all serve their purpose with perfectly fine uptime. Just a different delivery platform for different things.
The price is always right if someone else is paying.
Hear, hear. I've been running UNIX and Windows in an admin capacity since the early '90s. The biggest problem I've seen at the moment is caused by marketing. Microsoft just refuses to stop advertising Windows servers as being so simple the cat could administer them.
With that message on the table, HR departments get the idea that all it then takes to administer servers is one cat and a magic wand. So they create low paid jobs for 'admins' that don't actually know much about administration (as it's so easy, who actually needs skills in it 'eh?).
UNIX tends to get better results overall, largely because it's seen as a skilled job. They pay the money, they require that you know what you're doing.
Where you get admins that know the detail on Windows to the depth that UNIX gurus know UNIX, comparable results are obtained.
Now, if only Microsoft would stop telling suits that all they need to administer Windows is someone with one finger and half a brain, then the reputation of Windows would increase dramatically. However, there's money to be made today by churning out an MCSE who two weeks ago didn't know what the power cable plugged into. Who cares about the future of the platform when you can advertise tomorrow with a new glossy pamphlet and make money today? Well, apart from the people who really understand system administration, and hey, what do they know?