Microsoft Bug Security

HomeSec Warns Again About Microsoft's Insecurity 497

cbrandtbuffalo writes "The Department of Homeland Security has posted this advisory about an impending attack on MS systems. This RPC attack has already been seen in some localized systems, but may spread as unpatched computers are exploited. Some of the national news like CNN are running stories too."

  • by mjmalone ( 677326 ) * on Friday August 01, 2003 @09:01AM (#6587028) Homepage
    The security people at my office were talking about this vulnerability yesterday in our monthly meeting, they were saying it is likely going to be worse than slammer/code red/etc (which the article seems to back up)... Do you guys think this is that serious of a threat? A lot of what they were saying sounded like worst case scenario kind of stuff, hopefully it will not be that large of an issue. One interesting thing that the security people mentioned, that the article doesn't, is that windows 98/windows 98se is vulnerable but Microsoft has not released a patch because they no longer support the product.
  • by Tirel ( 692085 ) on Friday August 01, 2003 @09:02AM (#6587031)
    This is turning out to be a huge problem, we got the exploit a bit *cough*early*cough* and by simply joining a channel on IRC you get a handful of IPs, of which at least a few are exploitable. And then they wonder why there are thousands of ddos zombie machines running windows!

    But there's another problem, a lot of people are starting to distrust microsoft and are turning off the automatic update / not getting service packs instead of switching to another operating system.
  • Re:How long? (Score:5, Interesting)

    by rusty0101 ( 565565 ) on Friday August 01, 2003 @09:08AM (#6587076) Homepage Journal
    And what's the OS Vendor of choice for the Department of Homeland Security? I seem to recall a story or something [slashdot.org] about it.

    Anyone want to talk to their representative or senators about that decision?
  • by NineNine ( 235196 ) on Friday August 01, 2003 @09:08AM (#6587079)
    Homeland Security are the new American Nazis. I'm sure they'll have their own SS troops, soon, if they don't already. Not only would I never believe a word these bastards have to say, but I'm waiting for the next sane administration to dismantle this bunch of jackbooted thugs. So what is this, a "code orange" for web sites? oooh. Well, next thing we know, they'll start arresting webmasters of unpatched web servers for terrorism. Homeland Security can suck my dick (ooops, that's illegal too, isn't it?)
  • by chef_raekwon ( 411401 ) on Friday August 01, 2003 @09:09AM (#6587095) Homepage
    i could have sworn that 2 weeks ago, here on this very same slashdot....there was a story about HomeLand Security securing a very large purchase from Microsoft....aka 100 million, or some outrageous number like that..

    isn't this a bit irresponsible of them, now that they are declaring Windows a vulnerability?
  • by *weasel ( 174362 ) on Friday August 01, 2003 @09:15AM (#6587144)
    *boggle*

    would every geek please walk over to their nearest 4 non-geek's MS boxes and flick 'autoupdate' on? maybe we can spare a few routers in the future?

    i mean, if they insist on having those boxes, the least we can do is make sure they're patched up.

    say what you will about MS - but these big exploits don't usually hit until weeks after the patch has been available.

    and if you're relaxed enough with control over your box to run MS in the first place, autoupdate ain't any worse.
  • by tlovie ( 603161 ) on Friday August 01, 2003 @09:17AM (#6587156)
    I'm not sure if Windows98/se is vulnerable since microsoft's knowledge base specifically states that Windows ME is not vulnerable. The vulnerability is based on a buffer overflow of the RPC service. Does windows 95/98 even offer the RPC service?
  • by The Fun Guy ( 21791 ) on Friday August 01, 2003 @09:17AM (#6587164) Homepage Journal
    I wonder what kind of odds John Poindexter would offer on "MS-based systems will be the subject of a successful cyberattack resulting in significant economic impact in lost data, functionality, uptime and manhours." Any bets? Anyone? C'mon, nobody wants to take this bet?

    Seriously, if they wanted to take bets on which national leader would get hit, couldn't they do the same for which OS will fail first/most? Or bet on how much the next big exploit will cost, to the nearest $10M?
  • Re:How long? (Score:5, Interesting)

    by sniggly ( 216454 ) on Friday August 01, 2003 @09:25AM (#6587235) Journal
    The sad part is that the NSA itself already was far ahead developing a secure OS [nsa.gov] that would do just fine for the dept of HS. Instead tax monies go to bill gates and his dancing monkeys.
  • by BWJones ( 18351 ) on Friday August 01, 2003 @09:25AM (#6587240) Homepage Journal
    But there's another problem, a lot of people are starting to distrust microsoft and are turning off the automatic update / not getting service packs instead of switching to another operating system.

    Shoot, this was a problem years ago leading me to never enable automatic updates after more than one Windows machine was completely FUBAR'ed after an update. We fought with security issues on Windows for a while, then dealt with the expense and hassle of IRIX (although IRIX is impressively stable), went back to Windows due to the cost and then simply migrated our servers to Apache on OS X. Safe, simple, stable, affordable and secure.

  • by iabervon ( 1971 ) on Friday August 01, 2003 @09:29AM (#6587277) Homepage Journal
    It's reasonable to expect this to be worse than some of the other worms, because it is part of a more central and common service. It seems unlikely that future worms will be less effective than past ones, for that matter, since the past ones have generally been disassembled and discussed, and someone writing a worm is unlikely to start from scratch.

    Of course, the vulnerability requires that it be possible to reach the machine with an inbound connection, so firewalled networks will be protected until someone combines this with a document-based vulnerability to attack these networks from inside.
  • by gregmac ( 629064 ) on Friday August 01, 2003 @09:31AM (#6587299) Homepage
    One interesting thing that the security people mentioned, that the article doesn't, is that windows 98/windows 98se is vulnerable but Microsoft has not released a patch because they no longer support the product.

    If this is true, Microsoft doesn't even acknowledge [microsoft.com] that it affects Windows98. It's one thing to not release a patch for an affected OS, it's quite another to not mention that it's affected.

  • by hey ( 83763 ) on Friday August 01, 2003 @09:55AM (#6587503) Journal
    Thanks for the tips ;-)

    Yeah, I like the idea of changing DLLs on a system back to insecure versions and (of course) keeping the Add/Remove Programs list saying the patches have been applied. Needless to say this would mean other worms/viruses would get in, further making diagnosing more difficult.

    If we want to see what nasty viruses do we need only look at nature. For example, AIDS (or the HIV virus if you want to be exact) attacks the immune system -- the part of the body that fights viruses. People with AIDS then die when opportunistic viruses, like pneumonia, take advantage of the situation. If you wrote a computer virus that only attacked the immune system of the net it would be quite a sight to see.

    • Launch DDOS attacks against Windows Update, Symantec, Norton, CERT websites
    • Make the Windows update agent think all is well but to the user appear to be functioning properly
    • Likewise neuter virus checking programs by say altering their .EXE's to check for a different .DAT file. If the user can manage to get a current .DAT file he replaces one that the program isn't looking at :-)
  • by Andy Smith ( 55346 ) on Friday August 01, 2003 @09:58AM (#6587534)
    a lot of people are starting to distrust microsoft and are turning off the automatic update
    That's exactly what I've done.

    One of their "updates" to Movie Maker (which I use solely to grab DV from an encoder) made the output files incompatible with other video programmes, in particular VirtualDub. Thankfully I was able to get the previous version back by doing a system restore but that's the last time I'll upgrade an MS app when the one I've got is working fine.
  • google is fun (Score:4, Interesting)

    by sniggly ( 216454 ) on Friday August 01, 2003 @10:02AM (#6587579) Journal
    Coincidence or not? google news' [google.com] primary link to this story points to the register's [theregister.co.uk] article about this vulnerability. In their best sour Brit register tradition they're none too congratulatory about "free patches". Does bandwidth cost money?
  • by Finni ( 23475 ) on Friday August 01, 2003 @10:14AM (#6587685)
    No. This has nothing to do with forced upgrades, because

    1. They made patches for this covering all the way back to NT 4.0

    2. They don't charge for these patches.

    3. The bloody patch doesn't work.

  • by laetus ( 45131 ) on Friday August 01, 2003 @10:19AM (#6587738)
    You know guys, not everybody in the government is fawking off and trying to screw you out of your legitimate right to freely download copyrighted music.

    There are thousands of hardworking men and women serving in Coast Guard ships off our coasts, monitoring land border crossings, inspecting imported cargo containers, and serving as airport security inspectors and skymarshals, all to keep your bloody arses safe behind your monitors as you make fun of them.

    Sorry for the rant, but reality check, there ARE bad people in the world that are intent upon harming the United States and a good number of Americans working at the Department of Homeland Security are intent upon preventing that from happening.

    Instead of easily making fun of these institutions, how about sitting down and thinking about better ways to reduce risks cost effectively. Propose it, then make your criticisms.
  • by Lumpy ( 12016 ) on Friday August 01, 2003 @10:28AM (#6587816) Homepage
    and the fun part is that since corporate IT is so damn slow, current IT policy is "NOTHING HIGHER THAN SP3 on W2K machines."

    so that makes all "OFFICIAL" machines in corporate will be hosed as usual when these things come through... Just like the stupid policy of no virus updates from anywhere but the corporate server which is always at least 4-5 behind the software companies site. (Another policy I ignore.. I keep everything at the latest DAT)

  • by dollar70 ( 598384 ) on Friday August 01, 2003 @11:43AM (#6588592) Homepage Journal
    Look, this is not meant as a flame or troll, but new updates/patches are coming out every 10 minutes, and conspiracy theories keep flying around like it's a tin-foil hat party. The only patch I've ever decided I had to install was the one for Win95 back in '98 because I kept getting "nuked" whenever I went into an IRC chat room. Win98 was that patch. Then one day I discovered GRC.com and realized I was leaking crap all over the web. So I put ZoneAlarm on my PC and felt relatively secure. Yes, I was one of the poor suckers that actually got the free rubber collectors' watch with my purchase of Windows ME. After much hesitation I finally decided to plunge into broadband, and felt the need for a NAT router, but still kept ZoneAlarm turned on for good measure. With the introduction of XP and the EULA I couldn't abide, I started seriously looking into the option of Linux. By this time, MS was crankin' out the updates every time a new weblog started.

    Now why should I trust MicroSoft? They led me down the primrose path to endless updates that either show no noticeable effect, or cause my computer to act flakey.

    Why should I trust HomeSec? I'm never going to feel secure so long as they keep throwing terror alerts in my face as an excuse to keep whittling away what's left of my civil rights.

    And why should I trust the Linux community whose mainstay advice is "RTFM". I'm stuck using Lycoris until I can figure out how to get Wine to work under a better distro. (I'm sorry but some programs designed to run under MS Windows are just too cool to ignore.)

    As far as I can tell, these so called updates could be trojans to give backdoor access to HomeSec so they can determine the efficacy of their scare tactics, and Linux is a twisted plot to make borderline-geeks like myself waste their time reading endless man pages trying to figure out how the damn thing works.

    OK, so maybe I'm sounding a little frustrated, but all I really want is a nice little computer that does only what I tell it to do. Is that too much to ask?

    --

    Next stop: Insanity

  • Re:It's all right (Score:2, Interesting)

    by pmz ( 462998 ) on Friday August 01, 2003 @11:56AM (#6588741) Homepage
    I've just had a kid. When he starts asking what the HSAS is, what do I tell him? "We're at War, junior. We've always been at War. Terrorists, drug barons, organized criminals, religious extremists, crackers, hackers, commies, arabs, they're all out to get us, and it's important to know just how scared the government wants us to be that we're going to die today."

    Nice world he's going to grow up in.


    I don't know why this is modded "Funny". Yeah, the world turning into shit is so funny I'm in pain from laughing.
  • by johnnyb ( 4816 ) <jonathan@bartlettpublishing.com> on Friday August 01, 2003 @12:01PM (#6588785) Homepage
    Actually, destroying the whole OS isn't as bad as you can get. Imagine if there were a worm packed with a payload like CPUburn! Or if it had drivers which hosed hardware. Especially if it was set to go off in the middle of the night, you could actually have a virus which inflicted hardware damage.
  • by net-junk ( 694394 ) on Friday August 01, 2003 @02:20PM (#6590180)
    I really can't say this bothers me much after several people have called me to find out why their systems are down. After going thru the usual questions, one person explained to me that they ran updates on their systems, only to find that each and every one of them got disabled. Now this person has purchased a license for each system, yet this "update" has rendered his systems unusable. Last I heard he was playing phone tag with MS in getting them unlocked, but this brings a question to mind: Is this another ploy of M$ to get everyone to run the update so it can effectively weed out pirated copies? I mean, it wouldn't really surprise me much if this wasn't another one of their tactics. That is just my thought on this - Thank God for Linux..
  • by platypus ( 18156 ) on Friday August 01, 2003 @06:42PM (#6592478) Homepage
    Maybe I'm ignoring the severity of this new Microsoft flaw, but why is the Dept. of Homeland Security issuing ANY statement about security flaws in any operating system?

    Maybe because their PR department was scheduled to produce some proof for their right to exist, but they didn't have any terrorists handy ATM.

    Seriously, this shouldn't be their job, in the end they will be just echoing CERT or bugtraq, while wasting a lot of money into "network security research".
