Slashdot Mirror


Security Firm VUPEN Claims To Have Hacked Windows 8 and IE10

An anonymous reader writes "Windows 8 was released late last week, and already this week French security firm VUPEN says it has broken Microsoft's latest and greatest security features. The company claims it has developed a 0-day exploit for Windows 8 and IE10, by chaining multiple undisclosed flaws together."

118 comments

  1. Re:have fun hacking a OS that few want to run by Nyder · · Score: 0, Troll

    have fun hacking a OS that few want to run

    Yep, it's bad news for those 10 people that use it...

    --
    Be seeing you...
  2. Lesser Target Security. by TechyImmigrant · · Score: 5, Funny

    I thought that little used operating systems were less vulnerable because fewer hackers would target them compared to popular, mass market operating systems such as Linux and MacOS.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    1. Re:Lesser Target Security. by Shoten · · Score: 4, Informative

      Yes, but that effect covers casual attackers. When your attacker is well-resourced and determined to hack YOU...then it's not such a good thing, because they're willing to find the specific vulnerabilities in an obscure OS or application. Microsoft Windows gets pretty well wrung-out because of all the attention. For a long time, OSX was full of vulnerabilities until they started to get enough market share to become a good target. Then the flaws started getting detected and patched. But if a nation-state actor or large criminal organization had a reason to hack OSX, they probably would have looked for (and found) some 0-days on their own, then leveraged them.

      --

      For your security, this post has been encrypted with ROT-13, twice.
    2. Re:Lesser Target Security. by mevets · · Score: 1

      Microsoft released a pretty decent surface.

      crickets..

    3. Re:Lesser Target Security. by Desler · · Score: 1

      For a long time, OSX was full of vulnerabilities until they started to get enough market share to become a good target. Then the flaws started getting detected and patched.

      You mean programs like Java and Flash were full of vulnerabilities. Also, people manually installing trojans on their system is not an OS vulnerability. Care to share these "vulnerabilities" that weren't in third-party software or malware that users were installing themselves? Please post any examples of drive-by malware downloads, etc. that were actually OS flaws.

    4. Re:Lesser Target Security. by tlhIngan · · Score: 1

      Please post any examples of drive-by malware downloads, etc. that were actually OS flaws.

      Safari has/had nasty bugs that took advantage of the "auto-open safe files" default setting, which I think counts as they're distributed by the same vendor as the OS and it comes preinstalled.

      I think QuickTime is similar as well; a few malicious MOV files can get you hooped.

      Bunches of flaws in the open-source software it comes with as well (though we usually attribute that to the software on Linux, and to OS X on OS X. So an Apache flaw would be reported as an Apache flaw on Linux, or an OS X "Webserver" flaw on OS X...).

  3. Re:have fun hacking a OS that few want to run by tuppe666 · · Score: 2, Informative

    It's a pretty common quote, basically it's about the unloved and unwanted Vista

    http://www.microsoft.com/en-us/news/exec/steve/2008/10-12AdDay.aspx

    "STEVE BALLMER: Vista is our best selling product ever. So, if that takes too much getting over -- we're not going to have products that are much more successful than Vista has been. We sold over 180 million copies in the first 18 months, quite successful."

  4. Windows RT? by Gaygirlie · · Score: 1

    I wonder if their hack could be used on Windows RT to gain low-level access to the system, allowing one to essentially jailbreak the thing and let one side-load apps on it. I'm not planning to buy a Windows RT - tablet and one of the reasons is exactly the fact that I am only allowed to install stuff from Windows Store; a fully-working jailbreak would at least make the thing slightly more useful.

    1. Re:Windows RT? by Anonymous Coward · · Score: 1

      You can side-load apps on RT. ;)

    2. Re:Windows RT? by tuppe666 · · Score: 3, Insightful

      I wonder if their hack could be used on Windows RT to gain low-level access to the system, allowing one to essentially jailbreak the thing and let one side-load apps on it. I'm not planning to buy a Windows RT - tablet and one of the reasons is exactly the fact that I am only allowed to install stuff from Windows Store; a fully-working jailbreak would at least make the thing slightly more useful.

      Why buy a closed device, when open devices like Google's Chromebook which is available cheaper and isn't locked. Excusing manufacturers for their abuse behaviour...and giving them money, never persuaded any manufacturer to be more open.

    3. Re:Windows RT? by Gaygirlie · · Score: 2

      Really? How? Because even Microsoft's own website doesn't say that. You can only side-load things if you have a proper license for that, meaning that you need to be a large company with a contract with Microsoft.

    4. Re:Windows RT? by Gaygirlie · · Score: 1

      I did say I'm not planning to buy one, so you're barking up the wrong tree.

    5. Re:Windows RT? by tuppe666 · · Score: 3, Insightful

      Windows RT is going to be hell; it's hard to find accurate, reliable information about anything. From Wikipedia http://en.wikipedia.org/wiki/Windows_RT it claims.

      "Perhaps the biggest change is that Windows RT will only run applications that have been included in Microsoft's App store. This requires certification by Microsoft that they consider the application to be suitable."

      and obviously

      "Users will not have an option to disable UEFI secure boot on Windows RT systems. As a result, only operating systems that have been signed for secure boot by their developers can be installed"

    6. Re:Windows RT? by Gaygirlie · · Score: 5, Informative

      To back up what I just said: http://msdn.microsoft.com/en-us/library/windows/hardware/hh825613.aspx

      [August 2012] Sideloading apps on Windows 8

      Sideloading is supported on the following editions when you activate a sideloading product key:

              Windows 8 Pro

              Windows 8 Enterprise*

      * The sideloading product key is not required with Windows 8 Enterprise when the computer is joined to an active directory domain.

      Note
      Sideloading is also supported on Windows RT. The group policy service is not enabled by default on Windows RT. You must enable the service before policies can be applied to the computer.

      To sideload line-of-business apps on Windows Server 2012, the computer must be joined to an active directory domain.

      For more information, see How to Add and Remove Apps.

      In other words a side-loading key is needed. Ordinary users won't get that and won't be able to side-load.

    7. Re:Windows RT? by __aaqvdr516 · · Score: 1, Insightful

      Why buy a closed device, when open devices like Google's Chromebook which is available cheaper and isn't locked. Excusing manufacturers for their abuse behaviour...and giving them money, never persuaded any manufacturer to be more open.

      Exchanging your control of the device for having every piece of information scanned, categorized, and resold by Google would be reason enough for someone to buy a Win RT tablet. The grass isn't always greener on the other side of the fence. The only difference between the grass is that different dogs shit on either side. I've flashed many different ROMs to my Kindle, I've owned a Playbook, I have a Linux netbook. Pretty much every OS sucks in its own special way. If the only thing that sucks about WinRT is that it's "closed", then I'll take one.

    8. Re:Windows RT? by Anonymous Coward · · Score: 0

      Exchanging your control of the device for having every piece of information scanned, categorized, and resold by Google ...

      If your only response is to lie relentlessly, then I suppose it's safe to ignore all your arguments.

    9. Re:Windows RT? by tuppe666 · · Score: 5, Informative

      I'm sorry to disagree with you. Clearly you have an issue with Google. It is untrue that they sell your information. Their business model does not allow that. The whole point is they will *never* sell your information...they sell targeted AD space. They are advertisers just like Apple and Microsoft.

      On the point of privacy. Clearly you have not installed Windows 8. Its defaults are appalling, and you're being insincere in implying Microsoft is better.

      The bottom line though is I personally would like a device where I can choose to install whatever OS. The reason being I personally quite like the look of the oversized trackpad on Chromebook, and the ability to install Debian, and it being Good Value, all three features lacking on Windows RT devices.

    10. Re:Windows RT? by thoth · · Score: 3, Insightful

      Exchanging your control of the device for having every piece of information scanned, categorized, and resold by Google would be reason enough for someone to buy a Win RT tablet.

      So Microsoft has stated they will guarantee full privacy of your info that is stored in SkyDrive?

      If you're going to pull the "grass isn't always greener" argument, then Microsoft still loses, as their device is more expensive, with everything else (their treatment of your data) the same.

    11. Re:Windows RT? by cbhacking · · Score: 5, Informative

      Actually, getting a sideloading key is dead easy. You have to run Powershell as Admin, then type Show-WindowsDeveloperLicenseRegistration (or just "show-wi" and hit Tab). Enter Windows Live credentials - anything, including a throw-away account created for the purpose, will work - and boom, you are unlocked for sideloading. Works on Windows 8 (Pro, Enterprise, or otherwise) and on Windows RT (tested it on a Surface).

      http://msdn.microsoft.com/en-us/library/windows/apps/Hh974578.aspx

      I don't know what's up with that old data that says you can't. That's been bouncing around for almost a year, and as far as I can tell it was *never* true, even on pre-release versions. You've been able to unlock Win8 for sideloading since the first preview builds came out! It's as though there's two completely different teams talking about this. Well, three (the one that says *only* Store apps are allowed) but the last one is the marketing team trying to keep the n00bs from getting confused; they are safely ignorable. Fortunately, the team that supports the more open approach is the one that is correct.

      --
      There's no place I could be, since I've found Serenity...
    12. Re:Windows RT? by Microlith · · Score: 4, Interesting

      Yes, you can go through a ridiculously complex process to install a key that will expire and Microsoft can revoke so that you can run some software on your system. It's more akin to Apple's extreme restrictions on side loading than Android's 3rd party sources checkbox. The only difference is that Microsoft isn't charging you $99 to get one. You're still at Microsoft's mercy, and no one can use your application unless they too are capable of repeating the steps.

      I don't know why people keep defending this. It's designed explicitly to inhibit people from using it and bypassing the store.

    13. Re:Windows RT? by LordLucless · · Score: 2, Insightful

      Exchanging your control of the device for having every piece of information scanned, categorized, and resold by Google would be reason enough for someone to buy a Win RT tablet

      Well, gee, it's lucky Google doesn't scan, categorize and resell every piece of information on your device then, isn't it? FUD much?

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    14. Re:Windows RT? by Anonymous Coward · · Score: 1

      The only part of that statement that can be debated is "resold." But you can be damn sure the other verbs apply.

    15. Re:Windows RT? by blind+biker · · Score: 2

      If the only thing that sucks about WinRT is that it's "closed", then I'll take one.

      Windows RT (WinRT is the new API, Windows RT is the new OS) is not "closed", it is closed, and that's not the only thing that sucks about it.

      --
      "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
    16. Re:Windows RT? by LordLucless · · Score: 1

      Well, thank goodness I've got your assurances Anonymous Coward.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    17. Re:Windows RT? by Anonymous Coward · · Score: 0

      Let's see, I can buy a more expensive device that has the applications and ecosystem that I prefer, and I don't really care that it is sandboxed because it does not impair my use case in any way. Or I can buy a cheaper unlocked device that runs nothing of any interest to me and I have no desire to exercise the capabilities gained by its unlocked state. It's really a pretty easy decision.

    18. Re:Windows RT? by Anonymous Coward · · Score: 0

      So, open power shell, type a command, sign in with a live ID. Damn, that's complicated!

    19. Re:Windows RT? by Anonymous Coward · · Score: 5, Insightful

      Well - that was the main complaint about Linux.

      And now -using windows- it is suddenly a no-brainer?

      Wow... just wow!

    20. Re:Windows RT? by pentadecagon · · Score: 3, Interesting

      With Microsoft you have worse privacy than with Google. They collect at least the same amount of information, and because everything is closed you never know what else they transmit and collect.

    21. Re:Windows RT? by westlake · · Score: 1

      Yes, you can go through a ridiculously complex process to install a key that will expire and Microsoft can revoke so that you can run some software on your system.

      Let's be honest here:

      The geek sideloads.

      The convenience and security of the app store and the apps sideloaded by their school, employer, etc., trumps all other considerations for others. How many casual Linux users install apps that haven't been packaged and "marketed" for their distribution?

      Install Visual Studio Express and the recreational or student programmer can renew his key in one or two clicks.

    22. Re:Windows RT? by Anonymous Coward · · Score: 0

      "It is untrue that they sell your information." That may be true - but Google RENTS your information - Google says to advertisers, "We have users with profiles that align with your desired profiles. Pay us and we'll place ads that these users will see." That's really close to selling user information.

    23. Re:Windows RT? by __aaqvdr516 · · Score: 1

      This is straight from the Google privacy page:

      http://www.google.com/intl/en/policies/privacy/key-terms/#toc-terms-sensitive-info

      Information we share

      We do not share personal information with companies, organizations and individuals outside of Google unless one of the following circumstances apply:

      With your consent

      We will share personal information with companies, organizations or individuals outside of Google when we have your consent to do so. We require opt-in consent for the sharing of any sensitive personal information.

      Sensitive personal information This is a particular category of personal information relating to confidential medical facts, racial or ethnic origins, political or religious beliefs or sexuality.

      Read that again. It's opt-in only if it's "sensitive personal information". For everything else, unless you "opt out" you've already given Google your consent and they are free to share your information with other companies. For the types of things that are included in that *everything else* is a hellofawholelot.

      Tell me I'm wearing a tinfoil hat, that's fine. I know Google isn't the worst of all companies. The real problem is scale. They're everywhere. If you're comfortable with giving up privacy for free stuff, that's certainly for you to decide. Google is waiting with open arms for you.

      As far as the default settings for Win8 being atrocious, I can't comment. You didn't provide any specific concerns about them.

    24. Re:Windows RT? by Raenex · · Score: 1

      It is untrue that they sell your information. Their business model does not allow that. The whole point is they will *never* sell your information...they sell targeted AD space.

      Where "targeted AD space" is based on information all about you. Maybe they aren't reselling your name + information, but they sure are collecting it. Facebook requires real names, and Google has gone chasing after that policy, starting with Google+. Just the other day YouTube oh so helpfully wanted me to upgrade my account to my real name. I was able to decline it... for now.

    25. Re:Windows RT? by Anonymous Coward · · Score: 0

      I'm sorry. Could you remind me who owns Doubleclick again?

    26. Re:Windows RT? by Cowmonaut · · Score: 2

      Alright, throwing away mod points but you are completely dead wrong. You clearly do not understand how sideloading works in Windows 8.

      Per Microsoft, sideloading is installing an app without the Store. With Windows 8 you have to have two things in order to sideload an app:

      1. You need either the fully packed installer (which you cannot apparently save on your computer and can only download through the Windows Store app proper; going to the Windows Store page in a web browser doesn't give you any options to install or download) OR you need the unpackaged app including its .MAIN file.

      2. You need the product key for the specific app.

      Both of these things you will only have if you are the original developer of the app or if the original developer deigned to share it with you. They won't, since that essentially gives you their source code and ability to steal their product from them.

      To make things even worse, you need these items in order to "provision" an app (MS' term) prior to running Sysprep on an image.

      Basically, unless it's a Line of Business (LOB) app that was developed internally by your company, you cannot sideload or provision an app in Windows 8.

      It's hilarious, since we are using Windows 8 for a project for Microsoft and their own OS is stopping the things they want from happening. In my opinion, they listened to marketing guys who don't fully understand how people actually use Windows in a business environment so that they could get accurate data for individual usage. Everything they have done is 100% anti-business. The Windows Store is only fit for home consumer use, and even then...

      The real clincher to me that Microsoft is losing its mind and trying to piss off their Enterprise customers is that as an IT admin you are incapable of managing the Windows Store outside of disabling access to it. Any updates that need to be done, have to be done by the user. You have to have a Windows Live account for it, logged in, and you can't fix license sync issues with the apps except through a manual process.

      Windows 8 is just a disaster for business.

    27. Re:Windows RT? by Anonymous Coward · · Score: 0

      And one of the main complaints about Windows has been its ineffectual CLI for power users.

      So here we are in a power user situation and you need to use the quite effective, relatively new CLI. Cats and dogs living together. The end of the world.

    28. Re:Windows RT? by graphius · · Score: 1

      How many casual Linux users install apps that haven't been packaged and "marketed" for their distribution?

      First, "casual Linux" LOL
      Second, many Linux users use apps outside their distro. Have you ever heard of a program called make?
      Ubuntu specifically created ppa's to allow 3rd party programs.
      Fedora used to be famous for dependency hell, where required programs or libraries were not available in the repository....

      yeah, let's be honest here....

    29. Re:Windows RT? by cbhacking · · Score: 1

      I'm terribly sorry about your mod points. Hopefully, in the interest of them not being completely wasted, you'll learn something:

      I'm right, and I know because I've done it. How much experience with Win8 / Windows RT sideloading do you have? I'm guessing minimal to none, because (to use your own words) "you clearly do not understand how sideloading works on Windows 8." Or rather, you may understand how APPX provisioning into an install image works, but you have no clue about how sideloading (in the sense that normal people and Microsoft themselves generally use the term) works.

      Follow the steps I gave above to enable sideloading.
      Download any app bundle off a website (there's a few on XDA-Developers, for example).
      Bundle will contain the following:
      * An .APPX file (a signed ZIP archive holding the compiled application binaries if applicable, and configuration files).
      * A .CER certificate file, which contains the public key to verify the signature on the .APPX.
      * A .PS1 powershell script, which installs the cert and the app for you (you can also do it manually).
      * A Resources folder, which holds translations.

      No source code (although decompiling managed code is pretty easy, and JS/HTML/CSS apps aren't compiled at all so I guess they're all source).
      No product key at all! I think you need one for business-internal apps, but you don't need one for everyday sideloading.
      No .MAIN file anywhere, even inside the .APPX archive. I've never encountered one, ever.
      Not only is the app packaged, the dev doesn't even need to do the packaging him- or herself; either the command-line build tools or Visual Studio can do it for you.
      You don't need to do these steps on a pre-sysprep image; you can sideload on live images (a good thing too, or sideloading on Windows RT would be impossible, which it empirically is not).

      I don't know who is coordinating your "project for Microsoft" but both that person and the head of your project should probably be fired at this point; they are clearly completely incompetent. Take what you just learned and go solve this "problem" for them, why don't you?

      --
      There's no place I could be, since I've found Serenity...
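
A defender-side check for the bundle layout described in the comment above, as an added example that is not part of the original thread or any Microsoft tooling: it opens an .appx as a ZIP, reports the manifest's publisher and requested capabilities, and recomputes the block map hashes before anyone installs the bundled .CER. `inspect_appx`, `build_sample` and the sample package are constructed for illustration; SHA-256 block hashes are assumed, ZIP names that APPX percent-encodes are not handled, and the PKCS#7 signature is only checked for presence.

```python
import base64
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

BLOCK = 64 * 1024  # block maps hash each file in 64 KiB uncompressed blocks
# Footprint files that the block map itself does not list.
UNMAPPED = {"AppxBlockMap.xml", "AppxSignature.p7x", "[Content_Types].xml"}


def _local(tag):
    """Strip the XML namespace so the code does not depend on schema version."""
    return tag.rsplit("}", 1)[-1]


def _parse(raw):
    """Parse package XML; refuse DTDs (crude guard against entity expansion)."""
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD in package XML")
    return ET.fromstring(raw)


def _block_hashes(data):
    return [base64.b64encode(hashlib.sha256(data[i:i + BLOCK]).digest()).decode()
            for i in range(0, len(data), BLOCK)]


def inspect_appx(blob):
    """Triage an .appx without installing it or trusting its .cer."""
    report = {"signed": False, "name": None, "publisher": None,
              "capabilities": [], "hash_mismatches": [], "unlisted": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = set(z.namelist())
        if not {"AppxManifest.xml", "AppxBlockMap.xml"} <= names:
            raise ValueError("not an APPX package")
        # Presence only: validating the signature needs Windows or a CMS library.
        report["signed"] = "AppxSignature.p7x" in names
        for el in _parse(z.read("AppxManifest.xml")).iter():
            tag = _local(el.tag)
            if tag == "Identity":
                report["name"] = el.get("Name")
                report["publisher"] = el.get("Publisher")
            elif tag in ("Capability", "DeviceCapability"):
                report["capabilities"].append(el.get("Name"))
        listed = set()
        for f in _parse(z.read("AppxBlockMap.xml")).iter():
            if _local(f.tag) != "File":
                continue
            member = f.get("Name").replace("\\", "/")
            listed.add(member)
            expected = [b.get("Hash") for b in f if _local(b.tag) == "Block"]
            if member not in names or _block_hashes(z.read(member)) != expected:
                report["hash_mismatches"].append(member)
        # Files present in the ZIP that the block map never vouches for.
        report["unlisted"] = sorted(names - listed - UNMAPPED)
    return report


def build_sample(signed=True, tamper=False):
    """Constructed test package (not a real app): manifest, one payload, block map."""
    manifest = (b'<Package xmlns="http://schemas.microsoft.com/appx/2010/manifest">'
                b'<Identity Name="Example.Demo" Publisher="CN=Example Dev" '
                b'Version="1.0.0.0"/><Capabilities>'
                b'<Capability Name="internetClient"/></Capabilities></Package>')
    payload = b"A" * (BLOCK + 10)  # spans two blocks
    files = {"AppxManifest.xml": manifest, "App/demo.js": payload}
    entries = "".join(
        '<File Name="%s" Size="%d">%s</File>' % (
            name.replace("/", "\\"), len(data),
            "".join('<Block Hash="%s"/>' % h for h in _block_hashes(data)))
        for name, data in files.items())
    blockmap = ('<BlockMap xmlns="http://schemas.microsoft.com/appx/2010/blockmap" '
                'HashMethod="http://www.w3.org/2001/04/xmlenc#sha256">%s</BlockMap>'
                % entries)
    if tamper:  # contents changed after the block map was written
        files["App/demo.js"] = payload[:-1] + b"B"
        files["extra.dll"] = b"not in block map"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in files.items():
            z.writestr(name, data)
        z.writestr("AppxBlockMap.xml", blockmap)
        z.writestr("[Content_Types].xml", "<Types/>")
        if signed:
            z.writestr("AppxSignature.p7x", b"placeholder, not a real signature")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_appx(build_sample()))
    print(inspect_appx(build_sample(signed=False, tamper=True)))
```

A clean report only shows the archive is internally consistent; whether the publisher deserves trust is still decided by the signature check Windows performs against the certificate you chose to install.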
    30. Re:Windows RT? by cbhacking · · Score: 1

      There are certainly casual Linux users. Not terribly many, compared to other desktop OSes, but they exist. I've had to do tech support for a few of them.

      Anybody who can install the build tools (for those silly distros which don't include them) and run

      tar xzf [tarball] && cd [folder] && ./configure && make && sudo make install

      on Linux can handle the process to sideload on Win8 just fine, which is what this thread is about. As you (rightly) point out; plenty of people do it. Possibly the majority of Linux users, although I'm not sure about that.

      However, the majority of Android users definitely do not sideload apps, even though the process is considerably simpler. This is partially due to Google's lax policy on admitting stuff to the store, but largely due to the fact that most people will basically never open the Settings widget in the entire time they have the phone unless explicitly instructed to do so, nor will they go looking for apps anywhere except on the store.

      --
      There's no place I could be, since I've found Serenity...
    31. Re:Windows RT? by Rexdude · · Score: 1

      I don't get it, does this refer to Metro apps? I upgraded Win 7 Ultimate to Win 8 Pro on my desktop, and it hasn't affected my ability to install regular windows applications at all. In fact, I use Classic Shell to bring back the old start menu and I don't use the Metro UI at all.

      --
      "..One hosts to look them up, one DNS to find them, and in the darkness BIND them."
    32. Re:Windows RT? by graphius · · Score: 1

      I agree with what you are saying, although I still feel most Linux users are in the top percentile of computer competence. Linux tends to encourage learning and knowledge (except for the newer Ubuntu releases....:~), while OSX, and especially Windows tends to discourage the same...

      Android is a different beast. I would say that most people do not use their phones as computers, but as the infamous "consumption devices". They are appliances.

      As for Win8-RT? It seems to be a bit of an unknown. Some people are saying yes it can be opened up, some people say no. I have no desire for a tablet, let alone a Win8-RT tablet. I am really not sure what it brings to the market, except that it is made by Microsoft, and that is not really a selling feature for me.

      It will be much more interesting to see what the reception to the x86 version of Win8 will be.....

  5. Win 8 Pro or RT or Both? by Anonymous Coward · · Score: 0

    Does this affect one or both of the flavors of 8?

    On the bright side, your typical hacker won’t be able to figure this one out either: Windows 8 raises the security bar even higher than before, and if it was easy, someone would have beaten VUPEN to it long ago.

    And who thinks that other hackers won't figure this out?

    captcha: untried

    1. Re:Win 8 Pro or RT or Both? by Gaygirlie · · Score: 4, Insightful

      On the bright side, your typical hacker won’t be able to figure this one out either: Windows 8 raises the security bar even higher than before, and if it was easy, someone would have beaten VUPEN to it long ago.

      And who thinks that other hackers won't figure this out?

      More precisely, who says the other hackers would disclose it if they found such vulnerabilities? There's plenty of profit to be earned in vulnerabilities in the black market.

    2. Re:Win 8 Pro or RT or Both? by Anonymous Coward · · Score: 0

      You didn't RTFA, did you? That's exactly what these guys do. They're not a "security company" at all. Pack of cunts would be more appropriate.

      If you’ve never heard of VUPEN, that’s because it isn’t your typical security company. The firm finds exploits in popular software from major technology companies like Microsoft, Apple, and Google, only to sell the details to governments around the world and various other parties willing to write massive cheques.

  6. Hack Windows? by Anonymous Coward · · Score: 0

    Open a command prompt as administrator and type

    del /F /S c:\*.*

    1. Re:Hack Windows? by ThatsMyNick · · Score: 4, Funny

      I tried that. But it did not hack the computer I was trying to hack. And now my computer is not working either.

    2. Re:Hack Windows? by History's+Coming+To · · Score: 1

      Next time try targeting 127.0.0.1 - it's a far easier target.

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.
    3. Re:Hack Windows? by cdxta · · Score: 1

      don't forget /q

    4. Re:Hack Windows? by Anonymous Coward · · Score: 0

      I happen to have just the right tools, I'm gonna show that bastard.

      NO CARRIER

  7. 4 chained flaws to be exact! by stillpixel · · Score: 5, Funny

    1. They bought Windows 8. 2. They Installed Windows 8. 3. They connected Windows 8 to the internet. 4. They surfed goatse with IE10.

    1. Re:4 chained flaws to be exact! by History's+Coming+To · · Score: 1

      +1 Insightful. The computer savvy of Windows users will always be its weakest point, purely because it's the only interface for "I hate computers" people.

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.
  8. Hardly surprising, it's still a baby. by BPPG · · Score: 0

    Considering that W8 still has that new OS smell, this is hardly surprising. Like any piece of software, it will take a while before it is provably secure. Microsoft may not have the worst QA department in the world, but the only way to really put it through its paces is to let the world bang on it like it is now.

    The real question is, how many 0-days haven't been announced?

    --
    What's the value of information that you don't know?
    1. Re:Hardly surprising, it's still a baby. by hobarrera · · Score: 4, Insightful

      It's sad to see that MS has dominated the market for so long that exploits seem acceptable and it's insightful to claim this. Software should be well-written before you start charging for it. Period.

      OpenBSD has only had 2 remote security holes in several dozen releases, in over 15 years. Why is it acceptable that something you pay for has had thousands more every release?

    2. Re:Hardly surprising, it's still a baby. by volxdragon · · Score: 1

      Like any piece of software, it will take a while before it is provably secure.

      Provably secure? *snicker*

    3. Re:Hardly surprising, it's still a baby. by Anonymous Coward · · Score: 0

      Computers were built on trust, it's an inherent flaw in their design.

      OpenBSD vs Windows. I wonder which would be viewed more enticing to find exploits in....

    4. Re:Hardly surprising, it's still a baby. by BPPG · · Score: 1

      Exactly. For example, I can prove that Windows 3.1 is secure on a modern network.

      --
      What's the value of information that you don't know?
    5. Re:Hardly surprising, it's still a baby. by gewalker · · Score: 1

      You don't know much about VUPEN -- they are expletive deleted low-lifes of the first order. VUPEN used their existing 0-day exploits from older versions of Windows -- and they don't tell the manufacturers about the exploits -- they only sell them for big bucks to government intell. agencies, etc.

    6. Re:Hardly surprising, it's still a baby. by Anonymous Coward · · Score: 0

      Very true as I doubt many people are writing 16-bit malware anymore! (Hey you did say 3.1 and not 3.11)

    7. Re:Hardly surprising, it's still a baby. by smash · · Score: 0

      To be fair, if you compare the functionality of an OpenBSD "default install" (which is all they count the vulnerabilities in) to a Windows 8 installation, it is hardly comparable. Now I hate Windows 8 as much as anyone, but this comparison simply isn't worth much.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    8. Re:Hardly surprising, it's still a baby. by smash · · Score: 1

      No it's not. Just because Windows 3.1 malware is not currently running rampant, it doesn't mean the old exploits like WinNuke (and others) aren't still available if someone wants to target you. In fact, if someone can exploit ANY application in Windows 3.1, they have system level access, as the old Windows versions prior to NT were not multi-user, and only had one security context.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    9. Re:Hardly surprising, it's still a baby. by Anonymous Coward · · Score: 0

      So you want to compare a default install of OpenBSD that is basically useless to the average person as it has nothing installed, to a usable install of windows. I hate MS with the best of them but this is a moronic comparison, OpenBSD has very few exploits as it comes with nothing installed and is only slightly more useful than a boat anchor till you install stuff.

    10. Re:Hardly surprising, it's still a baby. by Anonymous Coward · · Score: 0

      That's the problem. The client Windows is not delivered hardened, with services and features enabled as needed and the way needed. The server version, on the other hand, is moving faster to that particular direction.

    11. Re:Hardly surprising, it's still a baby. by jones_supa · · Score: 0

      How surprising some slashtard were to mod you down.

    12. Re:Hardly surprising, it's still a baby. by Anonymous Coward · · Score: 0

      But OpenBSD is also useless. It doesn't even support essential security features like 802.1X.

    13. Re:Hardly surprising, it's still a baby. by Anonymous Coward · · Score: 0

      you silly noob, winnuke exploited a vulnerability in the NETBIOS, in _win95_

    14. Re:Hardly surprising, it's still a baby. by Ash-Fox · · Score: 1

      Software should be well-written before you start charging for it. Period.

      How do you assess if it's well written?

      From what I understand of Microsoft's development cycle, they do employ third parties to do security penetration testing on their systems before release as well as numerous other sorts of audits from manual to automated testing.

      What would you suggest they do to reach your level of 'well written'?

      OpenBSD has only had 2 remote security holes in several dozen releases

      Out of the box with the default installation.

      Of course, nobody uses OpenBSD in its default configuration because it's useless. There are bigger security problems with OpenBSD, such as the default of creating just a root user, no configuration of sudo out of the box, ssh enabled to permit root logins by default (therefore making it an excellent bruteforce target) and so many other daemons that retain an unsafe configuration by default (although, I emphasize they aren't installed by default, so this magically makes it okay to the OpenBSD crowd). OpenBSD in this configuration doesn't help users learn 'safe' way of using the system and from experience, I have seen many who just continue using root for everything.

      In reality, you will find that servers and desktops from SuSE or Ubuntu are more secure because of the enforcement of various policies. Ubuntu for example tries to ensure all the daemons run as regular users that don't have access to more than what they need to. SuSE on the other hand focuses on having daemons jailed, so even if they are running as root, they don't have access to the rest of the system. They both have sane root and sudo policies. Root by default not being accessible from remote systems and instead need to enter via a regular user and use sudo to obtain access to higher privileged commands.

      OpenBSD really needs to update their security practices because security these days is more than just kernel vulnerabilities and what the default configuration installs with the system (which is essentially 'nothing' on OpenBSD). The practice of blaming the user for the fact they are using poor default configurations on daemons and poor user privilege management which is encouraged by how the system sets up the system initially does not help security.

      Why is it acceptable that something you pay for has had thousands more every release?

      If it's unacceptable, don't use it. So far, I find Microsoft's security practices somewhat more decent than OpenBSD's when it comes to default and usable configurations.

      --
      Change is certain; progress is not obligatory.
    15. Re:Hardly surprising, it's still a baby. by hobarrera · · Score: 1

      Software should be well-written before you start charging for it. Period.

      How do you assess if it's well written?

      From what I understand of Microsoft's development cycle, they do employ third parties to do security penetration testing on their systems before release as well as numerous other sorts of audits from manual to automated testing.

      What would you suggest they do to reach your level of 'well written'?

      It's not too hard to determine when it's "well written": it's basically when the default install does not have security holes. ie: not like windows.

      OpenBSD has only had 2 remote security holes in several dozen releases

      Out of the box with the default installation.

      Windows has security holes out-of-the-box with all the defaults set. No system is safe if a user reconfigures it. What OS can protect me from a user who sets his password to his birthdate?

      Of course, nobody uses OpenBSD in its default configuration because it's useless. There are bigger security problems with OpenBSD, such as the default of creating just a root user

      The installer quite clearly offers a choice to create a non-root account

      , no configuration of sudo out of the box, ssh enabled to permit root logins by default (therefore making it an excellent bruteforce target)

      This is only enabled if you skipped the step in which you can create a non-root user. If you only have root, then it's quite obvious you'll want to log in as root.

      and so many other daemons that retain an unsafe configuration by default (although, I emphasize they aren't installed by default, so this magically makes it okay to the OpenBSD crowd).

      [citation needed]

      OpenBSD in this configuration doesn't help users learn 'safe' way of using the system and from experience, I have seen many who just continue using root for everything.

      In reality, you will find that servers and desktops from SuSE or Ubuntu are more secure because of the enforcement of various policies. Ubuntu for example tries to ensure all the daemons run as regular users that don't have access to more than what they need to.

      OpenBSD does this and chroots several daemons as well.

      In any case, this is a fine example of yet another OS that cares about security to some degree, but does not defend Windows' stance in any way.

      SuSE on the other hand focuses on having daemons jailed, so even if they are running as root, they don't have access to the rest of the system. They both have sane root and sudo policies. Root by default not being accessible from remote systems and instead need to enter via a regular user and use sudo to obtain access to higher privileged commands.

      Again, OpenBSD only suggests you don't disable remote root logins if you skipped the step where you create another user. For quite obvious reasons.

      OpenBSD really needs to update their security practices because security these days is more than just kernel vulnerabilities and what the default configuration installs with the system (which is essentially 'nothing' on OpenBSD). The practice of blaming the user for the fact they are using poor default configurations on daemons and poor user privilege management which is encouraged by how the system sets up the system initially does not help security.

      Why is it acceptable that something you pay for has had thousands more every release?

      If it's unacceptable, don't use it. So far, I find Microsoft's security practices somewhat more decent than OpenBSD's when it comes to default and usable configurations.

      1) Install XP on a PC.
      2) Plug an internet cable.
      3) Sit back.
      4) You now have an infected machine.

      Windows 8 hasn't reached this point yet, but it's just a matter of time, as with every other release.

    16. Re:Hardly surprising, it's still a baby. by 1s44c · · Score: 2

      You don't know much about VUPEN -- they are expletive deleted low-lifes of the first order. VUPEN used their existing 0-day exploits from older versions of Windows -- and they don't tell the manufacturers about the exploits -- they only sell them for big bucks to government intell. agencies, etc.

      If low-lives can find these zero days how come MS with their massive profits and massive install base can't find them first and fix them?

      Maybe because fixing Windows is like polishing a turd.

    17. Re:Hardly surprising, it's still a baby. by TechyImmigrant · · Score: 1

      802.1X is an essential security feature?!

      How did we survive before EAPoL?

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    18. Re:Hardly surprising, it's still a baby. by smash · · Score: 1

      Yeah tell me about it. The "I don't agree" = mod down. This place used to be worth hanging out on for actual discussion rather than anything critical of any sort of open source being modded down into oblivion.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    19. Re:Hardly surprising, it's still a baby. by smash · · Score: 1

      Actually, these days they are. Firewall on by default on all versions. UAC on by default on all versions. Server core install suggested during server installation. IE secure mode on by default. Install X11 and a desktop environment on OpenBSD, compare to a client version of Windows and we're somewhere near being in the ballpark as far as a valid comparison goes.

      If you want to compare without X11 and a desktop environment, then compare to Windows server core install.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    20. Re:Hardly surprising, it's still a baby. by smash · · Score: 1

      It was a conversation point, jackass. Given there were holes you could drive a truck through in the Windows 9x TCP/IP stack, I would bet my house that there were also similar sized holes in the 16 bit Windows 3.1 TCP/IP stack shipped with the IEAK for 16 bit IE, and also trumpet winsock of the day as well.

      And as per my original post - ANY exploit in ANY software for Windows 3.1 would result in full privileges, as there was no multi-user security model.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    21. Re:Hardly surprising, it's still a baby. by Anonymous Coward · · Score: 0

      OpenBSD in this configuration doesn't help users learn 'safe' way of using the system and from experience, I have seen many who just continue using root for everything.

      Have you ever tried to install OpenBSD, read the effing manual or even tried visiting their website?

  9. Christmas by koan · · Score: 2

    Is what it must be like for malware authors when Microsoft releases a new OS.

    --
    "If any question why we died, Tell them because our fathers lied."
  10. Not surprising by Richy_T · · Score: 0

    Security generally advances through evolution, not revolution. After making significant advances in security from 3.1 to XP, Microsoft is all out of evolution and so they're just throwing in random shiny (and they've even run out of the semi-good stock of that).

    So new code just for the sake of it and is it any wonder bugs come along with it?

  11. One can only hope... by Anonymous Coward · · Score: 0

    ...Microsoft is able to warn both users in time.

  12. wow by Anonymous Coward · · Score: 0

    it took *that* long to get exploited?

  13. This is important ... by stevez67 · · Score: 1

    ... NOT. All the fuss about zero day exploits and the only people who ever use them are the ones who find them and the engineers who plug the holes. No big take-down of masses of people, no crippled companies, no nothing.

    1. Re:This is important ... by BPPG · · Score: 1

      only people who ever use them are the ones who find them and the engineers who plug the holes.

      If people were going to use a 0day maliciously, then they wouldn't have announced it. In which case the engineers wouldn't be involved until after it was found in the wild.

      --
      What's the value of information that you don't know?
    2. Re:This is important ... by Anonymous Coward · · Score: 1

      VUPEN isn't going to use the zero day maliciously. They're just going to sell it to the highest bidder. Because that's the company's business model.

  14. Re:have fun hacking a OS that few want to run by BronsCon · · Score: 5, Funny

    Well, it's more than 01, less than 11, and still only a 2-bit binary integer.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  15. Re:have fun hacking a OS that few want to run by Anonymous Coward · · Score: 0

    Well, it had one big selling point.

    It had "up^Wdowngrade to XP" option when XP was no longer available to buy.

  16. Re:have fun hacking a OS that few want to run by Anonymous Coward · · Score: 0

    Let's see, IE can't even load pages properly over a slower connection.

    IE7: Jumps to Page Cannot Be Displayed error page.

    IE8: See IE7, they never fixed the bug.

    IE9: Throws error 408 and error 409 errors in place of the generic Page Cannot Be Displayed. Two browser versions later, they still didn't fix the bug. Rolled back to IE7 since at least it has a progress bar during page loading. (Idiots at Microsoft did away with it in IE9, just watch the circle spinning for however short or long.)

    IE10: I don't run Windows 7 nor Windows 8. Don't care to. Don't care about IE10. Microsoft lost me as a customer beyond Vista 64-bit SP2.

    Anyway, it doesn't surprise me that IE10 might still be a bug ridden POS with a few security holes.

  17. Windows insecure, Linux difficult by aNonnyMouseCowered · · Score: 0

    I guess plenty of Slashdot discussions still revolve around the "reputations" these two OS types established at the start of the millennium. It's nice for a joke or two, or for some clueless fanboy to rant about. But the latest Windows and Linux releases are roughly at the same level of in/security and difficulty/ease of use, bar things like misbehaving user programs and unsupported hardware. The moral here may be that if you're starting a new software product you have to put equal attention into these two things.

    1. Re:Windows insecure, Linux difficult by TechyImmigrant · · Score: 1

      The moral here may be that if you're starting a new software product you have to put equal attention into these two things.

      Software? I design cryptographic hardware for a living you insensitive clod!

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    2. Re:Windows insecure, Linux difficult by Anonymous Coward · · Score: 1

      Bull [cough] Shill [cough] Shit

    3. Re:Windows insecure, Linux difficult by Seeteufel · · Score: 1

      I expect those fanboys to run Windows 8s = Windows Aids and search for bugs and vulnerabilities. Actually, I never had a virus with Linux, and my drupal server was only once compromised. The reason I like windows is that third party apps just work, the reason why I use Linux is the shell and multiple desktops. I mostly need Firefox and Thunderbird and Irssi, that is all.

  18. Re:have fun hacking a OS that few want to run by Doctor_Jest · · Score: 0

    Up to, but not including, 10. Reads like an old Sun Microsystems license agreement, doesn't it? I remember their legalese included the phrase "up to, but not including, 2 processors" on a Solaris 9 agreement. :)

    --
    It's the Stay-Puft Marshmallow Man.
  19. Thing is... by WillyWanker · · Score: 1

    The sad thing is they think anyone actually cares.

  20. Re:inforMative dickdCick by Anonymous Coward · · Score: 0

    Informative dick-click: your penisbird will get blue, if you put too much rubber on it. By formality of progress, you get distracted. However we can plainly state that just "doing something" would be a lot slower.

  21. Re:Nig6a by Anonymous Coward · · Score: 0

    Doing something beyond the scope of BSD is fundamental to the project again. That is the definition of giving to other people.

  22. If I may be allowed to... by empgodot · · Score: 1

    Even though I lack any surprise in this announcement, and would actually have been surprised if no 0-day had arisen within the first week after release, please kindly allow me to express, and excuse if it may sound a little childish, my first reaction:

    lol

  23. Re:have fun hacking a OS that few want to run by wonkey_monkey · · Score: 1

    IE8: See IE7, they never fixed the bug.

    What bug, specifically, is this? Or have you just screwed up your IE and you're intent on blaming it on Microsoft?

    --
    systemd is Roko's Basilisk.
  24. Re:have fun hacking a OS that few want to run by hawkinspeter · · Score: 1

    How do you screw up a browser unless you're changing its code?

    --
    You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
  25. Not suprising at all by SmallFurryCreature · · Score: 1

    I am a Linux user because of this exchange:

    Me to tech department: "Hi, I need to set up an FTP server with anonymous access only for people to download our company's installer who have problems getting it through http"

    BSD user: FTP is insecure because passwords are plain text.

    Linux user: You can run proftp for a simple open ftp with just one directory in a chroot jail so it is perfectly safe and accessible.

    Basic openbsd is plain useless and out of date, start updating and adding stuff you need, and they stop counting security holes. If openbsd was a car, it would be the safest car in the world. It would also never ever have moved out of the garage.

    In the real world you need to trade security for functionality. Let BSD guy loose on your systems and nobody can hack into them, and neither can anyone use them. You get the perfectly secure system and all your developers and users leave you because the system is unusable. The BSD admin will not only insist on 20 character passwords that are a mix of characters, numbers, symbols and arcane spells but insist usernames follow a similar pattern. And for mobile access as well. 4 digit unlock on company phone? NOOOO! INSECURE!!!! 12 char password at least and mix of caps, characters, reading symbols and dna sample!

    And then they wonder why everyone spends all their time working around the system. Was so bad in one company that all work was getting done on laptops over mobile connections because getting things done through channels just took too fucking long.

    Next BSD release will be called concrete, you pour concrete over your computer and it will be very secure!

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:Not suprising at all by Anonymous Coward · · Score: 0

      It looks like you accidentally duplicated the second half of your comment.

      uplicated the second half of your comment.

    2. Re:Not suprising at all by Anonymous Coward · · Score: 0

      it depends on what you use it for. OpenBSD has full functionality for being a great router/firewall out of the box. Bgp, ospf, all these things where on linux you'll have to install (oh wait not popular enough it's on another dvd) afterwards. Also its userland is complete, no surprises with a minimal install; all the unix utilities which you should have are there. You don't have to trade security for functionality imho. There's an ftpd included in the base system, I even run it on some sites without problems. There are better alternatives though. I worked at a place (isp) which ran all its systems on freebsd and openbsd and I can tell you they were very usable.

    3. Re:Not suprising at all by Anonymous Coward · · Score: 0

      If I need a break from sysadmin work can I come join you under your rock?

      1) This isn't BSD vs Linux.
      2) Usernames following a pattern is good practice. The BSD admin will use long secure passwords for himself and critical accounts and advise the others. (Passwords don't help if they don't even bother to lock the screen. Have a functioning backup for that.)
      3) I don't worry about ftp in a real jail (man jail). Better than chroot.

      Switching systems because of the sysadmin's stance (might even have been company enforced) is plain dumb. It has nothing to do with the system. Atm I prefer BSD, because some Linux changes don't make sense if the computer isn't a desktop and I don't mind a little more typing if I do it once per set up (The user won't notice it anyway). I hate regressions.

    4. Re:Not suprising at all by hobarrera · · Score: 1

      I am a Linux user because of this exchange:

      Me to tech department: "Hi, I need to set up an FTP server with anonymous access only for people to download our company's installer who have problems getting it through http"

      BSD user: FTP is insecure because passwords are plain text.

      Whoever gave you this answer is a moron. There's no plaintext password if it's an FTP for anonymous users.

    5. Re:Not suprising at all by 1s44c · · Score: 1

      That's a big overreaction. The OpenBSD base system comes with lots of nice stuff, it does mail, web, NTP, and DNS for example plus all sorts of cool networking and firewalling tools. FreeBSD has native ZFS so don't tell me that BSDs lack cool toys.

      The problems you describe are not due to the operating systems involved, but the people and policies. There is no reason why you can't run an anonymous FTP server on *BSD.

  26. Not shocked by ledow · · Score: 4, Informative

    It took me nearly a day to get a "Active Directory Users and Computers" icon on my Windows 8 Pro VM.

    - First I have to download RSAT.
    - It errors with random hex-code when run.
    - Much googling (and no help in the MS KB) later, I find out it doesn't like being on a mapped shared drive (which is what VMWare uses for its shared drive with the host).
    - Copy to C:\, run it.
    - It installs without error, but nothing happens after (nothing in Windows Features related to remote admin tools, no new icons).
    - Much googling (and no help in the MS KB) later, it turns out I don't have the en_US language installed and it won't work without it (despite the computer being en_GB!) but will just die silently.
    - Go to install language, get empty language lists.
    - Think they must be on the CD, so point it at the original CD image. Nope. Nothing useful.
    - Much googling (and no help in the MS KB) later, it turns out that because I'd disabled Windows Search, it totally stops the list of languages populating.
    - Enabled Windows Search.
    - Installed language.
    - Still no joy.
    - Much googling (and no help in the MS KB) later, it turns out that because I have disabled Automatic Updates, it won't actually download the language pack (or error, or tell you that, or anything).
    - Re-enabled, got the language pack (150Mb!)
    - Reinstalled the MSU
    - Finally get "Users and Computers".

    It doesn't shock me that in that mess of code there might be a security feature or two that's lax. I mean, seriously? Half the things had no error code or even message to say they weren't going to work or why and those that did provided zero useful information.

    - You can't install an MSU from a network-mapped drive (even if it appears as a mapped drive Z:!)
    - You can't install RSAT with only en_GB enabled.
    - You can't even see the languages available without Windows Search enabled (WTF?)
    - You can't install a language without Automatic Updates enabled (Again, WTF?)
    - You have to know all this to get Users & Computers working (which, if I remember rightly, is installed by default on most "Pro" versions of Windows or at worst was an Add/Remove Windows Feature kind of deal from the initial install disk).

    I'm not surprised, with that amount of cross-interaction between COMPLETELY unrelated components, complete lack of user feedback, and random interactions, that there's a few security problems cropping up.

    And that's not even the worst experience I've had with a clean Windows 8 VM image from an official Windows 8 ISO with a proper Windows 8 Pro Product Key. I actually managed to BSOD the VM within hours of install, not by even doing anything remotely interesting.

    1. Re:Not shocked by cyber-vandal · · Score: 1

      I feel your pain. Microsoft Dynamics CRM regularly throws up such gems as "An unknown error has occurred" which you then have to spend days trying to figure out via Google or in extreme cases disassembling the DLLs. Microsoft just seem totally averse to providing decent error messages or any documentation to suggest what caused the error message. I see the new blue screen doesn't have any "scary" useful information on it any more either.

    2. Re:Not shocked by bertok · · Score: 2

      I had a similar experience when I was asked to evaluate Hyper-V as a potential replacement for VMware ESX server. The installer failed because I didn't use the en-US keyboard.

      I laughed, didn't even bother trying to fix the problem, and told my boss that there's no way in hell we're trusting our infrastructure to a hypervisor that depends on the keyboard layout to function. That's a blatant sign of shoddy engineering.

      Here's another example for you: Windows Server 2008 R2 will not run a PowerShell script from a network share by default. So, here's the process:

      - The error message will tell you to enable script execution.
      - Run "Set-ExecutionPolicy Unrestricted -Force"
      - Run the script again. It runs, but only after a "safety" prompt. This breaks your unattended workflow. No helpful tip this time.
      - Much googling later, it turns out that it's IE's Enhanced Security Crap.
      - Turn IE ESC off for Administrators.
      - Still the same warning.
      - Much googling later, you discover that downloaded script files are tagged with a hidden stream to mark them as potentially unsafe.
      - Open the properties of the file, and click "Unblock".
      - Still the same warning.
      - Did you use ".com" as the suffix of your domain's FQDN? Oops, Windows now thinks that it's the "Internet", instead of the "Intranet", even though it's the same FQDN as the machine's own domain! Apparently that simple check was too hard to do, but looking for a bunch of variants of ".com" suffixes was easy.
      - Go to the Tools menu of Internet Fucking Explorer, and add the name of the file server to the Intranet list. Obviously. Because that's the first place I'd look to make my console scripts work. O_o
      - At this point, your script will work... for that user, and nobody else.
      - Sigh, now to track down the setting in Group Policy, so it can be pushed out to all the servers.
      - Unless the script needs to run before the machine is joined to the domain.
      - Oh fuck it...

      I suspect that one of the many root causes of this kind of shoddy engineering is that the "well trodden path" for Microsoft Engineers is a machine that's already joined to the Microsoft domain, with pre-prepared policies applied to it. They just don't use or test other scenarios enough. They don't work on non-domain machines. They don't work with keyboards other than en-US. They don't test scripts downloaded from the Internet, because when they developed PowerShell, there weren't any yet!
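
Added example (not part of the comment above and not Microsoft tooling): the "hidden stream" that comment mentions is the NTFS alternate data stream named Zone.Identifier, and this Python parser reads its contents so an admin can see which zone a script was tagged with before touching any policy. The sample streams, the example.test URLs and the needs_review rule are constructed for illustration.

```python
"""Parse the NTFS Zone.Identifier stream that tags downloaded files (added example)."""
import configparser
from typing import Dict, List, NamedTuple, Optional

# Windows URL security zone numbers as stored in the ZoneId field.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}
# Triage rule of this example (an assumption, not Windows behaviour):
# anything outside these zones, or any unreadable mark, gets a human look.
NO_REVIEW_ZONES = {0, 1, 2}


class Mark(NamedTuple):
    zone_id: Optional[int]
    zone_name: str
    referrer_url: Optional[str]
    host_url: Optional[str]
    needs_review: bool
    reason: str


def read_stream(path: str) -> Optional[bytes]:
    """Return the raw stream bytes, or None when the file carries no mark.

    On NTFS the stream is addressed as '<file>:Zone.Identifier'."""
    try:
        with open(path + ":Zone.Identifier", "rb") as handle:
            return handle.read()
    except OSError:
        return None


def _decode(raw: bytes) -> str:
    """The stream is normally plain ANSI text; tolerate BOM-prefixed variants."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le", errors="replace")
    if raw.startswith(b"\xef\xbb\xbf"):
        return raw[3:].decode("utf-8", errors="replace")
    return raw.decode("latin-1")


def parse_zone_identifier(raw: Optional[bytes]) -> Mark:
    """Turn stream contents such as '[ZoneTransfer]\\r\\nZoneId=3' into a Mark."""
    if raw is None:
        return Mark(None, "unmarked", None, None, False, "no Zone.Identifier stream")
    # interpolation=None: URLs may contain '%'. Only '=' separates key and value.
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    try:
        parser.read_string(_decode(raw))
    except configparser.Error as exc:
        return Mark(None, "unparseable", None, None, True,
                    "malformed stream: " + type(exc).__name__)
    section = next((s for s in parser.sections()
                    if s.lower() == "zonetransfer"), None)
    if section is None:
        return Mark(None, "unparseable", None, None, True,
                    "no [ZoneTransfer] section")
    fields = parser[section]  # option names are lower-cased by configparser
    try:
        zone_id = int(fields.get("zoneid", "").strip())
    except ValueError:
        return Mark(None, "unparseable", None, None, True,
                    "ZoneId missing or not an integer")
    review = zone_id not in NO_REVIEW_ZONES
    reason = ("tagged with an untrusted or unknown zone" if review
              else "tagged with a trusted zone")
    # ReferrerUrl / HostUrl are optional fields that some downloaders add.
    return Mark(zone_id, ZONES.get(zone_id, "unknown zone %d" % zone_id),
                fields.get("referrerurl"), fields.get("hosturl"), review, reason)


def triage(streams: Dict[str, Optional[bytes]]) -> List[str]:
    """Names of the files whose mark says a person should look before running."""
    return sorted(name for name, raw in streams.items()
                  if parse_zone_identifier(raw).needs_review)


# Constructed sample data: file name -> raw Zone.Identifier bytes (None = no stream).
SAMPLE_STREAMS: Dict[str, Optional[bytes]] = {
    "deploy.ps1": (b"[ZoneTransfer]\r\nZoneId=3\r\n"
                   b"ReferrerUrl=https://example.test/tools/\r\n"
                   b"HostUrl=https://example.test/tools/deploy.ps1\r\n"),
    "inventory.ps1": b"[ZoneTransfer]\r\nZoneId=1\r\n",
    "local.ps1": None,
    "broken.ps1": b"ZoneId=3\r\n",  # section header missing
    "utf16.ps1": b"\xff\xfe" + "[ZoneTransfer]\r\nZoneId=4\r\n".encode("utf-16-le"),
}

if __name__ == "__main__":
    for name, raw in sorted(SAMPLE_STREAMS.items()):
        mark = parse_zone_identifier(raw)
        print("%-14s %-18s review=%-5s %s" % (name, mark.zone_name,
                                              mark.needs_review, mark.reason))
```

On a Windows host, `parse_zone_identifier(read_stream(path))` inspects a real file instead of the constructed samples.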

    3. Re:Not shocked by Anonymous Coward · · Score: 0

      The MSU issue is an old one (As old as vista). Most people aren't familiar with it because they don't install MSU packs. Pretty much the only time you see them is for RSAT, or for special updates/hotfixes/bugfixes/whatever that come only by request. - The issue is that the MSU packs are installed as a local system account. That account can't see your mapped drives because it doesn't have the permissions to do so. (For security reasons) I think you can install them from a UNC path if you add some special permission to the share.

      The rest of your issues come from having a nonstandard setup, and it's on you to deal with your screwed up environment.

      Most Microsoft admin tools require US English to be installed. It's SOP to install US English /and/ whatever other languages you need to use. Has been for a long time.

      Since Vista, the search service has been pretty much non-optional. If you disable it a lot of things will break. (Even non-windows things, like MS office)

      Running without Automatic updates has been a bad idea since vista, and really bad since 7. (Lots of non-security services fetch data from AU, like the printer wizard, device pictures, drivers, and as you discovered language packs) Don't want your computers to reach out to the internet? It's called a WSUS server, so they can fetch updates locally. You might even like it. You can specify what machines get what updates, and even require them to be manually approved. (You can make any class of update auto approved too, like security)

      And no, AD users and computers has always been an optional install on non-server windows OSs. Before the launch of server 2008 it was in the admin utilities pack (Or something, been a while- Also, it was somewhat broken on vista) Post server 08, it's been a totally different package called RSAT. (Which only comes as an MSU)

      So all of this has been pretty much bog standard windows admin stuff since Vista. Nothing new to windows 8 here.

  27. Re:have fun hacking a OS that few want to run by Anonymous Coward · · Score: 0

    by installing stupid toolbars and other things like BHOs

  28. I don't believe it! by 1s44c · · Score: 1

    Security holes! In Windows!

    It's just like every other release from Microsoft then, bug ridden and insecure.

  29. First The Command Line by Anonymous Coward · · Score: 0

    ..then we condition you to use the Linux kernel. It will be the "Windows Window Manager".

  30. Re:have fun hacking a OS that few want to run by mcgrew · · Score: 1

    Screwing around with the registry. The wrong registry entry in the right place will cause any program to go "boom".

  31. And You ? by Anonymous Coward · · Score: 0

    A Burger-Jerk ? There are lots of American and other nation's companies who do the same. Remember the HB Gary sleazebags ? They had one competent guy on payroll and he had Windows and VMWare zero-days "on sale". They tried to peddle it to USG. Figure how they got four Windows ZDs for Stuxnet...

  32. LMAO by Anonymous Coward · · Score: 0

    Windows will never, ever be "provable secure". The only OS I know of that could be said of somehow "proven secure" is L4. Everybody else is "hope and pray".

  33. Windows Looks Polished by Anonymous Coward · · Score: 0

    ..so fuck security. Welcome to be World Of Business !

  34. Like HB Gary by Anonymous Coward · · Score: 0

    ..and they had VMWare exploits in case you wanted to pull a condom around Windows to feel more secure. It contracted with USG and was run by a former US Navy officer. Porks stinks everywhere.