Microsoft's "Dead Cow" Patch Was 7 Years In the Making

← Back to Stories (view on slashdot.org)

Microsoft's "Dead Cow" Patch Was 7 Years In the Making

Posted by timothy on Wednesday November 12, 2008 @07:57AM from the were-they-lean-years-or-fat-years? dept.

narramissic writes "Back in March 2001, a hacker named Josh Buchbinder (a.k.a Sir Dystic) published code showing how an attack on a flaw in Microsoft's SMB (Server Message Block) service worked. Or maybe the flaw was first disclosed at Defcon 2000, by Veracode Chief Scientist Christien Rioux (a.k.a. Dildog). It was so long ago, memory is dim. Either way, it has taken Microsoft an unusually long time to fix. Now, a mere seven and a half years later, Microsoft has released a patch. 'I've been holding my breath since 2001 for this patch,' said Shavlik Technologies CTO Eric Schultze, in an e-mailed statement. Buchbinder's attack, called a SMB relay attack, 'showed how easy it was to take control of a remote machine without knowing the password,' he said."

46 of 203 comments (clear)

Now I get it by Maniacal · 2008-11-12 07:59 · Score: 5, Funny

So that's how they came up with the name 'Windows 7'

--
MG
1. Re:Now I get it by thewils · 2008-11-12 08:03 · Score: 5, Funny
  
  Things look a bit bleak for Windows 2008 then :(
  
  --
  Once I was a four stone apology. Now I am two separate gorillas.
2. Re:Now I get it by mfh · 2008-11-12 08:04 · Score: 4, Funny
  
  So that's how they came up with the name 'Windows 7'
  No, they needed to get some luck for Windows, so they added the lucky number 7 to it. This bug fix was introduced to confuse us all.
  
  --
  The dangers of knowledge trigger emotional distress in human beings.
3. Re:Now I get it by Yvan256 · 2008-11-12 08:16 · Score: 4, Funny
  
  George Costanza works for Microsoft?
'been holding my breath since 2001 for this patch' by Anonymous Coward · 2008-11-12 08:03 · Score: 5, Funny

...and boy are my arms tired.
P.S. I'm dead.
Does anyone use this OS any more? by WillAffleckUW · 2008-11-12 08:06 · Score: 5, Interesting

I mean, seriously, most of us have written it off, and it makes bad business sense too.
At work we've cancelled plans to use Win7 and WinVista and are moving to all Linux where we can, just from a staffing level perspective.

--
-- Tigger warning: This post may contain tiggers! --
1. Re:Does anyone use this OS any more? by HerculesMO · 2008-11-12 08:20 · Score: 5, Interesting
  
  Yes, lots of people still do.
  Makes little business sense right now to go to Win7/Vista, but XP is still a smart move for most people.
  It's too bad Slashdotters here are so entranced with the platform, they forget what it's supposed to delivery. I don't really care what OS is on the desktop, so long as it allows us to achieve what we are trying to do. Usually, it's the software that does that, not the OS.
  
  --
  The price is always right if someone else is paying.
2. Re:Does anyone use this OS any more? by Sancho · 2008-11-12 08:27 · Score: 5, Insightful
  
  Of course, if the OS is fighting you all the way while you're trying to work with the software, that's a problem.
3. Re:Does anyone use this OS any more? by HerculesMO · 2008-11-12 08:33 · Score: 5, Insightful
  
  From my experience, the Linux folks that try to work in Windows just simply don't know WTF they are doing.
  Likewise, Windows Admins who work in Linux don't know either.
  It's always easy to curse the platform if you don't have the knowledge. I've built stable environments out of Windows and out of Linux, and they all serve their purpose with perfectly fine uptime. Just a different delivery platform for different things.
  
  --
  The price is always right if someone else is paying.
4. Re:Does anyone use this OS any more? by heffrey · 2008-11-12 08:38 · Score: 5, Funny
  
  Hardly anybody still uses Windows, it's dying out.
5. Re:Does anyone use this OS any more? by Sancho · 2008-11-12 08:40 · Score: 4, Insightful
  
  I'm not specifically referring to tasks which are "hard to do" in the OS--I'm referring to the incessant stream of vulnerabilities in various components that makes working with Windows a virtual minefield.
6. Re:Does anyone use this OS any more? by DAldredge · 2008-11-12 08:50 · Score: 3, Funny
  
  I do. And I like Vista too.
7. Re:Does anyone use this OS any more? by Anonymous Coward · 2008-11-12 09:06 · Score: 3, Funny
  
  Good riddance, it's been a total pane since day one.
8. Re:Does anyone use this OS any more? by Duckie01 · 2008-11-12 09:07 · Score: 4, Insightful
  
  If you've used Windows in a corporate environment and still feel that way, there is something wrong with your organization. I've been with my current company for just over a year now and yesterday I called the help desk for my first Windows related problem.
  Perhaps the gp was on the other end of the line, dealing with the nightmare to keep the rest of the organization including you, clear from it. In other words, your experience with your office desktop computer might say more about the quality of the IT department that installed the OS than about the flaws in the installed OS.
  
  It's stable, period. Now, all the antivirus, security, firewall etc they install makes the thing so slow it's awful to use, but that's beside the point.
  No, that is *not* beside the point. You see, if you *need* to bog down your OS with third party software to keep it working reliably at all, I'd say that the flaws in this OS are exactly what causes your pc to slow down to the point that it's awful to use.
  
  One thing is for sure, though. I don't want to make an 'Impress' presentation and send it to a client unless I'm sure they are going to be able to open it in Powerpoint.
  Yeah or in something else they might have, like Impress ;) I actually don't know Impress, btw. But I get your point.
9. Re:Does anyone use this OS any more? by HerculesMO · 2008-11-12 09:14 · Score: 4, Insightful
  
  In the 7 years as a Windows Sysadmin I've seen my job getting easier and easier by taking a few proactive steps to corporate use of Windows.
  For server use, it's perfectly fine. I have a Windows file cluster running over a year without an downtime, but we've taken cluster members offline for patches in turn, and failed back to the alternate which is a net of 0 downtime.
  We use strict policies on the desktop, and don't allow users to do things that are going to cause problems. Mostly, this includes *not* giving them administrative rights, though we do delegate some things out.
  It's like any other system. The problem is that Windows is so large an ecosystem, and so many folks that 'represent' Windows sysadmins pretty much suck at their job, or are MCSEs on paper and not in practice, then it does a disservice to what I feel is a perfectly fine OS for daily use, and corporate use. I have no 'virtual minefield' because I know my business well, I know my job well, and I perform well in bringing harmony between them (the business and the IT use).
  It's like ANY system (*nix included), because if you have an incompetent sysadmin, you will have problems on your domain and infrastructure. If you have a competent sysadmin, you won't see anything wrong. Our users are largely very happy, and that's done by internal auditing (mandatory surveys, as we represent 19000 employees country wide), and consistently the 2500+ userbase I work with and for rank me highest of the family of companies I work for in their satisfaction in their computing needs.
  Again, it's not the platform at fault, it's the admins around it. If you feel Windows is a virtual mine field then it may indicate your talents lie elsewhere (*nix), and as such should keep to the business you know, rather than tell folks who run Windows successfully that they have inherent problems at hand they aren't aware of.
  
  --
  The price is always right if someone else is paying.
10. Re:Does anyone use this OS any more? by stevied · 2008-11-12 09:20 · Score: 4, Informative
  
  I've hacked an interesting little solution together for my household, which I'm sure would scale. I've been using Linux for about 13 years, and have forgotten more tricks than most people know. Over that time I've done a certain amount with Windows, too, but the lack of a rich toolset and open / free documentation and source always put me off spending too much time on it. I understand things are a bit better now on those fronts, but I chose where to invest my time ages ago. I've certainly not bothered about keeping up to speed, have no experience with Vista, Office, 2007, etc.
  Anyway .. I have to provide a Windows environment for a family member who's really not up to learning anything new. I wanted to be able to manage it, secure it, control changes to the configuration, etc., etc., and eventually hit on the idea of just running XP inside VBox on Ubuntu. It starts automatically, changes to the main Windows partition are discarded on each shutdown, and I can do all my management with ssh (and occasionally rdesktop if I need to actually fiddle with Windows, which is rare.) Performance is fine even on old hardware.
  Virtualization on the server is obviously mainstream now, and I guess many users are running virtualization software themselves to provide access to apps on other platforms and run old software. I haven't seen much about using virtualization as a platform for managed desktops though, and I reckon it has some advantages: moving images between machines when hardware fails or users move departments; change control; configuration testing, etc., etc. Knowing you've got the exact same disk image in use on a herd of workstations, regardless of hardware, seems like a good thing for peace of mind ..
11. Re:Does anyone use this OS any more? by Tubal-Cain · 2008-11-12 09:25 · Score: 3, Informative
  
  One thing is for sure, though. I don't want to make an 'Impress' presentation and send it to a client unless I'm sure they are going to be able to open it in Powerpoint.
  It may give you peace of mind to know that MS released the specs on their binary formats in late June, so the OOo team had about 2.5 months to fix their implementations in version 3. If they didn't manage that, they should have them in the next release.
12. Re:Does anyone use this OS any more? by Cowmonaut · 2008-11-12 09:54 · Score: 4, Insightful
  
  How, HOW is this Flamebait? I happen to like Vista as well, now that SP1 is out and the majority of my driver issues are resolved. In fact, literally the only issue I have with my system currently is a VERY small sector on my hard drive or bad memory space on a single stick. I'm not sure which, I occasionally (3 times a month) blue screen due to an issue relating to one or the other. For all I know, its really my motherboard since memtest and SMART test my hardware fine.
  Just because YOU don't like Vista doesn't mean others don't. On my desktop I happen to think my system runs smoother and faster and is easier to fix than with XP. To each his own, like several other +5 Insightful in this thread have mentioned...
13. Re:Does anyone use this OS any more? by malkavian · 2008-11-12 09:58 · Score: 5, Insightful
  
  Hear hear. I've been running UNIX and Windows in admin capacity since the early '90s. The biggest problem I've seen at the moment is caused by marketing. Microsoft just refuse to stop advertising Windows servers as being so simple the cat could administer it.
  With that message on the table, HR departments get the idea that all it then takes to administer servers is one cat and a magic wand. So they create low paid jobs for 'admins' that don't actually know much about administration (as it's so easy, who actually needs skills in it 'eh?).
  UNIX tends to get better results overall, largely because it's seen as a skilled job. They pay the money, they require that you know what you're doing.
  Where you get admins that know the detail on Windows to the depth that UNIX gurus know UNIX, comparable results are obtained.
  Now, if only Microsoft would stop telling suits that all they need to administer Windows is someone with one finger and half a brain, then the rep. of Windows would increase dramatically. However, there's money to be made today by churning out an MCSE who two weeks ago didn't know what the power cable plugged into. Who cares about the future of the platform when you can advertise tomorrow with a new glossy pamphlet, and make money today? Well, apart from the people who really understand system administration, and hey, what do they know?
14. Re:Does anyone use this OS any more? by Sponge+Bath · 2008-11-12 10:40 · Score: 5, Funny
  
  ...stop telling suits that all they need to administer Windows is someone with one finger
  Damn skippy! Alt-Ctrl-Del takes three fingers.
15. Re:Does anyone use this OS any more? by benjymouse · 2008-11-12 10:53 · Score: 4, Informative
  
  You could have just used Windows SteadyState Hint: Can revert harddisks state at each reboot while still allowing windows update to run and make persistent changes, can leverage much of the same policies (restrictions) Windows allows in a domain, but without the central AD. Among other things.
  
  --
  Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
16. Re:Does anyone use this OS any more? by conlaw · 2008-11-12 11:24 · Score: 4, Interesting
  
  Windows is GUI based to be sure, but there are behind the scenes things (registry, hosts files, policies, clustering, etc) that is not as intuitive as people think it may be. That's also where a LOT of problems occur, and cause the BSODs and other things that the *nix fans love to jump at.
  Yes, my penultimate reason for leaving Windows was all of those hidden problems like "why is xxx.dll using 92% of my capacity? and WTF is xxx.dll anyway?" MS would never tell anyone the answers so you had to go to all of the forums where people volunteer to help you, but first you have to download and run a spy seeker, an ad finder, a virus detector and "Hijack this." BTW, I have great respect for these volunteers but they shouldn't be needed in a system that I paid for.
  Just to forestall questions, my ultimate reason for leaving was when I read what Microsoft Genuine Advantage was going to do, rather than blindly pushing the download key so that I could get this "advantage."
17. Re:Does anyone use this OS any more? by Thaelon · 2008-11-12 11:33 · Score: 3, Insightful
  
  What format was that survey in?
  I recently had the opportunity to design a survey. And preemptively learned from the mistakes at UPS.
  We started out with a ton of questions we thought were good, then scrapped the idea and asked three open ended questions with big free form text fields.
  Another group went ahead and asked a bunch of continuum and multiple choice questions.
  In their survey everything looked peachy.
  In ours (the freeform one) results were considerably less favorable, and considerably more useful.
  Usefulness can be lost especially easily when you simply boil the continuum questions down to percentages. What if that mere fraction of a percentage of your employees that are extremely dissatisfied are crucial to it's function? Or if you didn't ask the right questions?
  It's really easy to create a survey that tells you absolutely nothing useful.
  
  --
  Question everything
18. Re:Does anyone use this OS any more? by HerculesMO · 2008-11-12 13:22 · Score: 3, Informative
  
  We didn't initiate the survey (it comes from a third party, and we don't know when it goes out), but it was about your user experience, what problems you have, how quickly they are resolved, that kind of thing.
  Given the 'marks' our department gets consistently, and the bonus *I* get as a result afterwards, I am going to assume that I'm doing okay. Besides, I'm one of the few sysadmins that puts my name out 'in the wild' for the business users to get a hold of me. I don't answer helpdesk calls, but at least people know who's running the systems they are on, and who can help them if there's an issue.
  
  --
  The price is always right if someone else is paying.
my prayers are answered! by Trepidity · 2008-11-12 08:08 · Score: 5, Funny

Seven years ago, The Register devastated me with this terrible news:

It's backward compatibility that has MS in a trap now. "NTLMv2 was created to address many of these issues, and if Windows came configured to use only NTLMv2 these would not be issues, unless the user knowingly opened himself up to allow communication with older operating systems," Sir Dystic noted.
[...]
However, if for some reason it's necessary for you to use the many thrilling features of Windows networking without NTLMv2, then there is absolutely nothing you can do but pray.
Finally, I can use my favorite thrilling NTLM features without giving in and using NTLMv2!

--
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
SMB? by EraserMouseMan · 2008-11-12 08:09 · Score: 3, Funny

Could a Windows Server Admin worth his/her salt please explain to us what SMB is, who would use it, and if there was a workaround that made the vulnerability a non-issue?
1. Re:SMB? by corsec67 · 2008-11-12 08:13 · Score: 5, Informative
  
  SMB is used by Windows for file/printer sharing.
  
  --
  If I have nothing to hide, don't search me
2. Re:SMB? by eln · 2008-11-12 08:14 · Score: 5, Informative
  
  http://en.wikipedia.org/wiki/Server_Message_Block
  Also,
  http://justfuckinggoogleit.com/
3. Re:SMB? by QuantumRiff · 2008-11-12 08:24 · Score: 3, Interesting
  
  Okay Mr. Quick with the link.. Where does the "dead cow" Reference come from?
  
  --
  
  What are we going to do tonight Brain?
4. Re:SMB? by Anonymous Coward · 2008-11-12 08:38 · Score: 5, Funny
  
  It took me a while, but apparently Sir Dystic was(is?) a member of The Cult Of The Dead Cow (reference).
  What a crappy headline. I hate teasers like that.
5. Re:SMB? by corsec67 · 2008-11-12 08:45 · Score: 5, Informative
  
  http://en.wikipedia.org/wiki/Cult_of_the_Dead_Cow
  and
  http://en.wikipedia.org/wiki/SMBRelay
  
  --
  If I have nothing to hide, don't search me
6. Re:SMB? by TuxThePenguin2205 · 2008-11-12 10:14 · Score: 3, Interesting
  
  When I ran some benchmarks on NT4 back in the day file transfer speeds over 10baseT was half that of FTP .. I haven't found a use for SMB outside homogeneous Windows set-ups that can't be beaten by alternate solutions.
C2MyAzz by Anonymous Coward · 2008-11-12 08:10 · Score: 5, Interesting

Hmm - there was an attack called C2MyAzz that was even simpler than the man in the middle attack. It would just spoof the handshake between client and server. The attacking workstation would watch for client->server message requesting authentication. The attacking workstation would send a packet back to the client before the server, asking the client to send back a clear-text password. Much easier than a man-in-the-middle attack, and it worked well. When it was released, Microsoft's official response was "most organizations use switches and routers, so this is not a problem". Originally released in 2001, IIRC.
port 139 by heffrey · 2008-11-12 08:15 · Score: 5, Funny

Oh well, I guess I'd better block incoming public Internet traffic on port 139 then. That's a shame because it's been so very useful to have an Internet facing SMB share.
1. Re:port 139 by adamruck · 2008-11-12 08:39 · Score: 3, Insightful
  
  If you still want that service just run it over a vpn.
  
  --
  Selling software wont make you money, selling a service will.
Windows Server Admin? On Slashdot? Are you kidding by drachenfyre · 2008-11-12 08:18 · Score: 5, Funny

Like any windows server admin reads slashdot.... And the ones that do aren't going to stick their hands up and say "Oh, pick me" so we can all berate them for their choice in closed source server operating systems.
Without knowing the password? by girlintraining · 2008-11-12 08:19 · Score: 5, Insightful

It's always been easy to take control of a machine without the password. Sit down in front of the computer. Now the only thing stopping you is yourself. Oddly enough, that's what keeps most systems up... The fact that the vast majority of people are honest, decent folk. That, and they don't know what a null pointer is.

--
#fuckbeta #iamslashdot #dicemustdie
Re:I forget... by spacerog · 2008-11-12 08:19 · Score: 4, Informative

According to Google, 1997. Yeah, over a decade ago.

CIFS: Common Insecurities Fail Scrutiny

- SR
Re:Windows Server Admin? On Slashdot? Are you kidd by HerculesMO · 2008-11-12 08:21 · Score: 3, Informative

I do.
You can make fun of me :)
That said, if you have a Linksys firewall in place, it usually takes care of the issue. Granted the attacks you'll get internally *can* happen, but we have managed to circumvent SMB exploitation via policy settings in Windows. It works fine for us, nice to see they finally patched it though.

--
The price is always right if someone else is paying.
Holding his breath ? by Tomun · 2008-11-12 08:25 · Score: 3, Funny

"I've been holding my breath since 2001 for this patch"
With lungs like that he should try free-diving!
What made it worse? Really? by 140Mandak262Jamuna · 2008-11-12 08:31 · Score: 5, Insightful

From the article: To make matters worse, the SMB flaw was already publicly disclosed prior to Tuesday's updates, Microsoft said.
What made it worse? Taking 8 years to fix it or disclosing it before the patch was released?
Further it is not a bug at all. It is essentially badly designed protocol having a hole and instead of abandoning it and making users upgrade, MSFT left this hole open for 8 years. All the in the name of backward compatibility. Why has backward compatibility trumped security for 8 years? It not surprising no one takes MSFT's statements about its commitment to security seriously?

--
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
1. Re:What made it worse? Really? by UnknowingFool · 2008-11-12 08:43 · Score: 4, Insightful
  
  From the article: To make matters worse, the SMB flaw was already publicly disclosed prior to Tuesday's updates, Microsoft said.
  What made it worse? Taking 8 years to fix it or disclosing it before the patch was released?
  This is MS modus operandi. You know all those MS based studies that say that MS fixes bugs faster than Linux. Well we never really believed them but they are technically true. See MS only counts the time between when they publicly disclose a bug and when they patch it. They don't count the time between when they find or are informed of the bug. With Linux people the whole process is more transparent. When bugs are discovered in Linux, they are almost disclosed at the same time. So this 8 year old bug will appear on all MS studies as only taking a few days rather than 8 years.
  
  --
  Well, there's spam egg sausage and spam, that's not got much spam in it.
And yet the world didn't end. by Beelzebud · 2008-11-12 08:32 · Score: 4, Insightful

How many people were actually a victim of this exploit? Is there one documented case of an electronic break-in because of this exploit?
Re:Windows Server Admin? On Slashdot? Are you kidd by 0racle · 2008-11-12 08:46 · Score: 4, Funny

I do.

You can make fun of me :)

That said, if you have a Linksys firewall

Now you deserve to be made fun of.

--
"I use a Mac because I'm just better than you are."
Re:Easter egg for Windows 7? by dkleinsc · 2008-11-12 09:06 · Score: 5, Funny

That would make it harder to get to than the Secret Cow Level in Diablo II, because in Diablo II all you have to do is go through Hell, whereas with Windows 7 you have to install it successfully.

--
I am officially gone from /. Long live http://www.soylentnews.com/
Windows Server can be solid, however... by kwabbles · 2008-11-12 13:12 · Score: 4, Insightful

My #1 beef with Microsoft is that they market it so that every small to medium business owner thinks that everything will all run together happily on one box all "plug-n-play" and snuggly whirring away on the floor of their office closet.
I have the hardest time convincing users that they cannot run their 20-user network on one SBS 2003 server, with Exchange (running OWA and OMA), running their heavily-accessed SQL database, sharepoint, anti-virus server software, backup software, and company file and printer sharing to 5 multi-function copiers and expect 5 9's of freaking uptime.
This is how it is marketed. This is what the end user expects when shopping for a Microsoft solution. You tell them that they'll need at least 3 separate boxes, Server, Exchange, SQL, etc all separate, RAID and ideally a failover system and an excellent firewall for the remote access they look at you like you're nuts. So they buy it and have it set up their way, it works like hell for a year, then they end up paying in the end to have it done again the right way (and more this time, because they have to now migrate off of their old system).
And the Microsoft money machine chugs on.

--
Just disrupt the deflector shield with a tachyon burst.