Slashdot Mirror


Microsoft's "Dead Cow" Patch Was 7 Years In the Making

narramissic writes "Back in March 2001, a hacker named Josh Buchbinder (a.k.a. Sir Dystic) published code showing how an attack on a flaw in Microsoft's SMB (Server Message Block) service worked. Or maybe the flaw was first disclosed at Defcon 2000, by Veracode Chief Scientist Christien Rioux (a.k.a. Dildog). It was so long ago, memory is dim. Either way, it has taken Microsoft an unusually long time to fix. Now, a mere seven and a half years later, Microsoft has released a patch. 'I've been holding my breath since 2001 for this patch,' said Shavlik Technologies CTO Eric Schultze, in an e-mailed statement. Buchbinder's attack, called an SMB relay attack, 'showed how easy it was to take control of a remote machine without knowing the password,' he said."

21 of 203 comments

  1. Now I get it by Maniacal · · Score: 5, Funny

    So that's how they came up with the name 'Windows 7'

    --
    MG
    1. Re:Now I get it by thewils · · Score: 5, Funny

      Things look a bit bleak for Windows 2008 then :(

      --
      Once I was a four stone apology. Now I am two separate gorillas.
  2. 'been holding my breath since 2001 for this patch' by Anonymous Coward · · Score: 5, Funny

    ...and boy are my arms tired.

    P.S. I'm dead.

  3. Does anyone use this OS any more? by WillAffleckUW · · Score: 5, Interesting

    I mean, seriously, most of us have written it off, and it makes bad business sense too.

    At work we've cancelled plans to use Win7 and WinVista and are moving to all Linux where we can, just from a staffing level perspective.

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:Does anyone use this OS any more? by HerculesMO · · Score: 5, Interesting

      Yes, lots of people still do.

      Makes little business sense right now to go to Win7/Vista, but XP is still a smart move for most people.

      It's too bad Slashdotters here are so entranced with the platform, they forget what it's supposed to deliver. I don't really care what OS is on the desktop, so long as it allows us to achieve what we are trying to do. Usually, it's the software that does that, not the OS.

      --
      The price is always right if someone else is paying.
    2. Re:Does anyone use this OS any more? by Sancho · · Score: 5, Insightful

      Of course, if the OS is fighting you all the way while you're trying to work with the software, that's a problem.

    3. Re:Does anyone use this OS any more? by HerculesMO · · Score: 5, Insightful

      From my experience, the Linux folks that try to work in Windows just simply don't know WTF they are doing.

      Likewise, Windows Admins who work in Linux don't know either.

      It's always easy to curse the platform if you don't have the knowledge. I've built stable environments out of Windows and out of Linux, and they all serve their purpose with perfectly fine uptime. Just a different delivery platform for different things.

      --
      The price is always right if someone else is paying.
    4. Re:Does anyone use this OS any more? by heffrey · · Score: 5, Funny

      Hardly anybody still uses Windows, it's dying out.

    5. Re:Does anyone use this OS any more? by malkavian · · Score: 5, Insightful

      Hear hear. I've been running UNIX and Windows in admin capacity since the early '90s. The biggest problem I've seen at the moment is caused by marketing. Microsoft just refuse to stop advertising Windows servers as being so simple the cat could administer it.
      With that message on the table, HR departments get the idea that all it then takes to administer servers is one cat and a magic wand. So they create low paid jobs for 'admins' that don't actually know much about administration (as it's so easy, who actually needs skills in it 'eh?).
      UNIX tends to get better results overall, largely because it's seen as a skilled job. They pay the money, they require that you know what you're doing.
      Where you get admins that know the detail on Windows to the depth that UNIX gurus know UNIX, comparable results are obtained.

      Now, if only Microsoft would stop telling suits that all they need to administer Windows is someone with one finger and half a brain, then the rep. of Windows would increase dramatically. However, there's money to be made today by churning out an MCSE who two weeks ago didn't know what the power cable plugged into. Who cares about the future of the platform when you can advertise tomorrow with a new glossy pamphlet, and make money today? Well, apart from the people who really understand system administration, and hey, what do they know?

    6. Re:Does anyone use this OS any more? by Sponge+Bath · · Score: 5, Funny

      ...stop telling suits that all they need to administer Windows is someone with one finger

      Damn skippy! Alt-Ctrl-Del takes three fingers.

  4. my prayers are answered! by Trepidity · · Score: 5, Funny

    Seven years ago, The Register devastated me with this terrible news:

    It's backward compatibility that has MS in a trap now. "NTLMv2 was created to address many of these issues, and if Windows came configured to use only NTLMv2 these would not be issues, unless the user knowingly opened himself up to allow communication with older operating systems," Sir Dystic noted.
    [...]
    However, if for some reason it's necessary for you to use the many thrilling features of Windows networking without NTLMv2, then there is absolutely nothing you can do but pray.

    Finally, I can use my favorite thrilling NTLM features without giving in and using NTLMv2!

  5. C2MyAzz by Anonymous Coward · · Score: 5, Interesting

    Hmm - there was an attack called C2MyAzz that was even simpler than the man in the middle attack. It would just spoof the handshake between client and server. The attacking workstation would watch for client->server message requesting authentication. The attacking workstation would send a packet back to the client before the server, asking the client to send back a clear-text password. Much easier than a man-in-the-middle attack, and it worked well. When it was released, Microsoft's official response was "most organizations use switches and routers, so this is not a problem". Originally released in 2001, IIRC.

  6. Re:SMB? by corsec67 · · Score: 5, Informative

    SMB is used by Windows for file/printer sharing.

    --
    If I have nothing to hide, don't search me
  7. port 139 by heffrey · · Score: 5, Funny

    Oh well, I guess I'd better block incoming public Internet traffic on port 139 then. That's a shame because it's been so very useful to have an Internet facing SMB share.

  8. Windows Server Admin? On Slashdot? Are you kidding by drachenfyre · · Score: 5, Funny

    Like any windows server admin reads slashdot.... And the ones that do aren't going to stick their hands up and say "Oh, pick me" so we can all berate them for their choice in closed source server operating systems.

  9. Without knowing the password? by girlintraining · · Score: 5, Insightful

    It's always been easy to take control of a machine without the password. Sit down in front of the computer. Now the only thing stopping you is yourself. Oddly enough, that's what keeps most systems up... The fact that the vast majority of people are honest, decent folk. That, and they don't know what a null pointer is.

    --
    #fuckbeta #iamslashdot #dicemustdie
  10. What made it worse? Really? by 140Mandak262Jamuna · · Score: 5, Insightful

    From the article: To make matters worse, the SMB flaw was already publicly disclosed prior to Tuesday's updates, Microsoft said.

    What made it worse? Taking 8 years to fix it or disclosing it before the patch was released?

    Further, it is not a bug at all. It is essentially a badly designed protocol having a hole, and instead of abandoning it and making users upgrade, MSFT left this hole open for 8 years. All in the name of backward compatibility. Why has backward compatibility trumped security for 8 years? It's not surprising no one takes MSFT's statements about its commitment to security seriously.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  11. Re:SMB? by Anonymous Coward · · Score: 5, Funny

    It took me a while, but apparently Sir Dystic was (is?) a member of The Cult Of The Dead Cow (reference).

    What a crappy headline. I hate teasers like that.

  12. Re:SMB? by corsec67 · · Score: 5, Informative
    --
    If I have nothing to hide, don't search me
  13. Re:Easter egg for Windows 7? by dkleinsc · · Score: 5, Funny

    That would make it harder to get to than the Secret Cow Level in Diablo II, because in Diablo II all you have to do is go through Hell, whereas with Windows 7 you have to install it successfully.

    --
    I am officially gone from /. Long live http://www.soylentnews.com/