Forgot your password?
typodupeerror
Microsoft Bug Security

XP2 Spotted In The Wild 634

Posted by michael
from the watch-out-or-it'll-chew-you-up dept.
LostCluster writes "WinXP SP2 has just been released to the public via Automatic Update, but eWeek and PC Magazine are together reporting that Windows XP SP2's 'Windows Security Center' is just about as insecure as it could possibly be. According to them, any program (including ActiveX controls) can access and edit the Windows Management Instrumentation database, and therefore spoof the security status of an insecure box to report that it is properly secured."
This discussion has been archived. No new comments can be posted.

XP2 Spotted In The Wild

Comments Filter:
  • by Anonymous Coward on Thursday August 26, 2004 @10:11AM (#10077585)
    any program can access and edit the Windows Management Instrumentation database

    That MF'ing Clippy.exe in MS Word better stop accessing my Instrumentation database or I'll punch that SOB into the middle of next week. Really any program can access and edit the Windows Management Instrumentation database; I knew solitrae and tetris and an altier motive.
    • by paranode (671698) on Thursday August 26, 2004 @11:31AM (#10078649)
      <steve irwin>
      We're out 'ere lookin for signs of the elusive XP2 that's been said to be lurkin' in the wild...

      Crikey, I've just spotted a wild paypah-clip in it's natural 'abitat! Look at those big ole eyes an'.. oh!.. there he goes trying to ask me if he can 'elp me!! You see, this creature is what's known as a parasite, 'ee leeches off o' your Windows Management Instrumentation databases. It's 'ard to satisfy one o' these buggers, they'll never leave ya alone until they've done your work for ya.

      </steve irwin>
  • by GroovBird (209391) * on Thursday August 26, 2004 @10:11AM (#10077588) Homepage Journal
    My box says it's insecure! So therefor, I can't possibly have some spoofing ActiveX control thingie, can I?
  • by BobRooney (602821) on Thursday August 26, 2004 @10:12AM (#10077593) Homepage
    if every user were root.
    • by Red Alastor (742410) on Thursday August 26, 2004 @10:19AM (#10077686)
      And all running the same distro. And all running Internet Explorer with crossover. ;-)
      • And designing new programs from a marketing impetus instead of what people want.

        Seriously, this Security Console is a good example. "What if somebody could tell if their machine was secure just by opening a control panel?" That's a very good idea -- but it will take at least a year to develop something like this that actually works well enough to be a part of windows. In the meantime, they shake and bake something so people know they're working on it.

        This is the Microsoft equivalent of Sourceforge Development Status 1. It's a dog and pony panel that will undoubtedly be replaced by something good in the future -- but by that time, most of the industry will have lost all trust in it.

        Such is the case with IIS 6. It's actually pretty good, according to a lot of web programmers I know, but I just don't trust it -- to the point that I'm considering not using C# for impending web projects despite having a massive C# codebase. MS would have to go VERY far to get that trust back, and make a security leap similar to the UI leap they made from 3.1 to 95 or the stability leap they made from 98 to 2000.
        • That is the microsoft way. They release version 1, and it sucks, version 2, sucks less... They don't have a bid deal on 1.0! the way Apple or open source projects do. Microsoft evolves their software publicly, not in the lab...

          Office, IE, IIS, Windows... in their latest incarnations, they are varying degrees of good/decent software(configured correctly, ofcourse)... But their first 2 or 3 or 4 versions were bad/horrible/unholy. They got better, but they did so within the public sector, not an R&D lab.
          • Why so sloppy? (Score:3, Insightful)


            Maybe you've seen the old motto. MS: "The whole world is our beta test site."

            Why is MS software so insecure, and just plain sloppy? Maybe their management model just does not allow a programmer to finish his work. Later some poor guy is assigned to fix a terrible bug that is getting publicity, but it is difficult, boring work trying to understand what someone else did, and he makes mistakes.
        • by bankman (136859) on Thursday August 26, 2004 @11:59AM (#10079055) Homepage
          And designing new programs from a marketing impetus instead of what people want.

          You probably don't know it, but marketing is about giving people the product they want. Unfortunately many companies (and Microsoft is one of them) talk about marketing, but what they are really talking about is advertising.

          "What if somebody could tell if their machine was secure just by opening a control panel?"

          This statement would be a really bad example of marketing: The company and/or its developers and "marketing" experts sit together and brainstorm without ever actually asking the customer. If they were to ask me this exact question, my answer would be:

          "Are you really this insane? I don't want a control panel to tell me whether my machine is secure. I want the machine to be secure, plain and simple. Given MS Windows' (whatever incarnation) security track record, I neither would nor could ever trust any application that tells me the security status of the machine from within. It's probably already cracked, infested or whatever anyway by the time I check it. If history tells us anything, it's that any application can be made to tell me that it is secure."

          ...but it will take at least a year to develop something like this that actually works well enough to be a part of windows.

          I couldn't agree less with you. According to developers who are far more experienced with Windows than I am (IANAP), Windows is insecure by design, no fix or additional security layer on top of the current product will ever make it more secure. The only way to fix it, is to dump it and start from scratch.

          This is the Microsoft equivalent of Sourceforge Development Status 1. It's a dog and pony panel that will undoubtedly be replaced by something good in the future -- but by that time, most of the industry will have lost all trust in it.

          Many people argue that XP is, while more stable than all previous versions, with the notable exception of W2K, is still in development status and many of its design features are so braindead, that many knowledgable people have already lost trust in it.

          IMHO, this is yet another stupid toy to make the casual home user and the boss feel more secure without actually delivering on the promises. If you were to ask them, they would all answer that they want a machine that is actually more secure rather than a having a MS tool that tells them they are. Once they told you, you design a product that is actually secure and does what the customer wants. This is marketing from an academic's point of view.

        • Its not that bad (Score:5, Insightful)

          by gad_zuki! (70830) on Thursday August 26, 2004 @03:48PM (#10081700)
          IE is actually usable for the first time since, err, ever. The extra nag dialogs and the pop-up blocker go a long way towards keeping spyware off your machine. Lets face facts, most people will never stop using IE. They will go to their deathbeds using bundled software. They will never switch to Firefox or Opera. This is the service pack for them.

          The nag "Where if your anti-virus" box is a reminder that windows needs an AV program to run properly. I can't stress how important a built-in firewall is, even if it is "weak" its still going to introduce people to the concept of a firewall much more than the old version did. Personally, I dont think ports over 1025 should be blocked by default, but that's just me.

          I've been running SP2 since MS released the final version and am pretty pleased with it. XP even feels snappier. It passes the "grandma" test fairly well and like you wrote is a good first step towards securing windows. If it only helps fight spyware installs its worth its bytes in grams of gold. Especially for us techies who get called, bothered, etc for stuff that is completely preventable.

          This is really the first step to securing windows for the everyman, if such a thing is truly possible. Soon enough current machines will be replaced with machines with processors which understand NX, thus making the feared buffer overflow much less fearsome.

          Even though SP2 is going to cause all sorts of headaches with clients, friends, and family, I'm very optimistic about what it can do to help stop spyware and to a lesser extent worms and viruses. Its a real shame there isn't an equivalant SP for the HUGE win2k user base out there. Seems like the script kiddies will now be focusing on win2k machines from now on.
        • The problem is that Microsoft can't make Windows secure, and it isn't Microsoft's fault. If Microsoft added a full-featured firewall and virus scanner to XP, they'd be in a heap-o-trouble. If they get sued half a billion bucks for bundling Media Player, think how fast they'd be in trouble for new features. And if they made it even remotely difficult for any ole' program to claim to be a virus scanner or a firewall, the same thing would happen.

          Essentially, Microsoft has done the best they can in their po
  • by forgotten_my_nick (802929) on Thursday August 26, 2004 @10:12AM (#10077598)
    I was told it was rolled out today (SP2), so can someone explain why my XP machines wanted to install the SP2 patch a few days ago?
  • by Anonymous Coward
    Fact: You cannot bolt on security to something after the fact-- it has to be designed in from the ground up, or it's worthless.

    Exhibit A: Windows.

    Bill can announce a new security initiative every day from now until Doomsday, and it won't mean a damn thing unless they scrap Windows completely and start over. Period.
    • by SilentChris (452960) on Thursday August 26, 2004 @10:37AM (#10077898) Homepage
      This has nothing to do with the base security of Windows. The base nuts of NTFS and the security scheme has been solid ever since it was ripped from VMS. The problem IS the bolts that have been added since then: easily-foiled APIs that have full access to some of the underpinnings when they shouldn't.

      Quite frankly, if MS never "innovated", it would be a fairly secure product. NT 3 was practically bulletproof. It's when they started grafting on Win32 junk from 9x, things started to get screwed up. Take off that top layer and everything would be kosher (but a lot less user-friendly)... just like Linux.
    • by Jeff DeMaagd (2015) on Thursday August 26, 2004 @10:46AM (#10077989) Homepage Journal
      Wasn't security for UNIX and UNIX-like systems an afterthought? The difference being that it has had decades of work to get where it is now, by companies and organizations that had to make it good, and not just a few years on a product that only has to be "good enough" for consumers.
      • by _Sprocket_ (42527) on Thursday August 26, 2004 @12:43PM (#10079649)


        Wasn't security for UNIX and UNIX-like systems an afterthought? The difference being that it has had decades of work to get where it is now, by companies and organizations that had to make it good, and not just a few years on a product that only has to be "good enough" for consumers.


        Great point. I would suggest a few other things to consider.

        One of the things I find interesting about Unix is its modular nature. For the most part, various components are fairly well insulated from each other. One is able to rip out or drop in pieces as one wants. This allows for major changes of the system's operation. This can be applied to anything from hardening the system to implementing new functionality. Security may have been an afterthought for Unix. But it's foundation allowed for it.

        Keep in mind that "security" hadn't always been a buzzword for Unix. A very visible example is the Morris Worm. But exposure to the public via the Wild Internet caused the Unix community to start picking up all its dirty laundry. It learned lessons. And those lessons are often the basic tenants of Infosec.

        One of my criticisms of Microsoft is that they ignore history. The Unix crowd has already run its gauntlet early on and made its findings and lessons learned widely available. Yet Microsoft continually repeats not only Unix's mistakes, but also their own.

        Sure - a mature code base implies a greater degree of bug fixing, etc. But that solves implementation mistakes. It doesn't help fundamental design flaws. Those can be very difficult to deal with. Especially if your system isn't very modular.

        One final point - how mature IS the relative codebases? How much of the original *nix code still exists vs. being entirely new? And how much of WinXP is pedigree WinNT from a previous decade?
  • by Nos. (179609) <andrewNO@SPAMthekerrs.ca> on Thursday August 26, 2004 @10:13AM (#10077617) Homepage
    To build in a security overview system and leave it wide open so that its easy to fake the current status of things like your firewall and anti-virus.
    • by shird (566377) on Thursday August 26, 2004 @10:52AM (#10078054) Homepage Journal
      Uhm... yeah. Easy to fake by a program already running as admin on your box. Why would such a program even bother?

      The point of the security center is so you dont get that malicious code running on your system in the first place. If it does, your systrem is already compromised, and nothing can be trusted anyway.

      No OS can protect against malicious code running as root/admin.
      • No OS can protect against malicious code running as root/admin.

        If the OS has the concept of a superuser, then you're correct. However, that's ignoring other OSes [sun.com] that are built on capabilities or mandatory access controls. Those do away with "root users" altogether, and replace them with users with sufficient access to grant necessary rights to other users. These aren't hypothetical creations, but real systems in use, today, in high-security installations.

  • by Cocodude (693069) on Thursday August 26, 2004 @10:13AM (#10077618) Homepage
    So this is what the Internet Meltdown Predicted for Tomorrow [slashdot.org] article was referring to!
    • hahahaha

      You know what I got from the article was:

      It will now be easy for people/code to exploit a new vulnerability in Windows allowing (insert favorite action taken after an exploit is found HERE).

      Umm, I saw this coming, I mean it's 10am where I am right now and I haven't heard about today's exploit yet.

      In all seriousness Joe Computer needs to stop trusting Microsoft to do everything in his computer. Their idea of shouting "HEY STUPID get an anti-virus program" isn't a bad idea. The implementation wa

  • That's ok (Score:5, Funny)

    by Bricklets (703061) on Thursday August 26, 2004 @10:14AM (#10077621)
    According to them, any program (including ActiveX controls) can access and edit the Windows Management Instrumentation database, and therefore spoof the security status of an insecure box to report that it is properly secured."

    That's ok. MS probably wants it to be easy to use so that everyone can use it. ;)
  • Pseudo Problem. (Score:5, Insightful)

    by vi (editor) (791442) on Thursday August 26, 2004 @10:14AM (#10077625)
    If a boxen is 0wned then we can savely assume that the 0wner/w0rm has root access. And with root access it can do anything anyway.
    This is like complaining that one can shut down your computer by removing the power plug.
    • Actually, no... (Score:3, Interesting)

      by Svartalf (2997)
      They're claiming that it's much more secure that Unix/Linux with this service patch. In terms of being 0wned, it's hard to totally cover your tracks in a Unix box- you leave a trail of breadcrumbs somewhere that typically can be seen (most tools simply automate the process...). In the case of an SP2 XP box, it'a apparently rather easy to cover one's tracks and you have to rely on signature scanning (i.e. Virus/Trojan scanning...) to hope you can find the intruder.

      I don't consider that to be a non-problem
  • Scary stuff. (Score:5, Interesting)

    by sploo22 (748838) <dwahler AT gmail DOT com> on Thursday August 26, 2004 @10:15AM (#10077630)
    Step 1: Go to http://www.mikx.de/scrollbar/ [www.mikx.de]
    Step 2: Drag the scrollbar down a bit and let go
    Step 3: Start -> Programs -> Startup

    That's just spooky.
  • by iainl (136759) on Thursday August 26, 2004 @10:15AM (#10077631)
    I'm seeing reports all over the shop that its easy to spoof the security centre into claiming that (for example) the firewall is turned on when it isn't.

    What I've yet to see is any indication that its possible to actually do the turning off of things, which would be rather more serious.

    As it is, surely the only problem is if you forget that you turned something off? I've no big plans to make my box insecure now I've done configuring it on installation.
  • by garcia (6573) * on Thursday August 26, 2004 @10:15AM (#10077635) Homepage
    To spoof the Windows Security Center WMI would require system-level access to a PC. If the user downloads and runs an application that would allow for spoofing of Windows Security Center, they have already opened the door for the hacker to do what they want. In addition, if malware is already on the system, it does not need to monitor WSC to determine a vulnerable point of attack, it can simply shut down any firewall or AV service then attack - no WSC is necessary."

    Sadly just about everyone runs shit as Administrator (it is the default mode for XP Home installs) to make life easier and as MSFT has noted they are opening themselves up to the attacks... For those that will mention that Linux is so much better remember that these are the same people that wouldn't like to have to change to root (sudo, su, login, whatever) to install anything and would be opening themselves up to the same vulnerability level as if they had been running Windows.

    Basically the problem was in design... They should not have had an open API controlling the "WSC" and thus malware would not be able to detect the presence of the programs' status from a single location. The real problem is that MSFT isn't admitting that it is a serious problem and needs to be changed on a different level... Saying that malware writers are going to use the direct route and disable the firewall/AV outright, while true, doesn't get them off the hook for creating this hole that is more difficult even for a more advanced user to notice.
    • Administrator is the default context for XP Pro, too, if you create users at install time. I run as administrator, but I use Firefox to browse everything but windows update, and I have Norton installed and auto-updating itself every day. Hence I am operating in an insecure fashion, but with little risk.

      (Watch me get owned tomorrow or something, but nonetheless, I stand by my statements.)

      On Linux I do typically do everything as me, and sudo when I can, but some programs don't work right when you sudo,

      • Wouldn't matter (Score:3, Informative)

        by Sycraft-fu (314770)
        Even if you could get a user to dot run as admin all the time, it's not going to help. Why? Because users WANT to run the stupid shit that infects their comptuer. They go to install Kaazaa, it says "I need root to install", you think they are NOT going to enter the root password? Of COURSE they will, they want Kaazaa on their computer, they'll do whatever it asks them to do.

        As a receant example later variants of one of the receant worms was zipping itself and encrypting the zip to try and evade virus scann
    • There is one subtle difference between linux and window admins: There is a lot of window software that is written to be run as administrator. Finding all the files to give permissions to causes quite a headache.

      Linux, I feel, has a better system at the moment. However, as this is the developers fault, I see no reason why linux would be immune from this problem.
    • What would happen if Microsoft limited the administrator account to 16 colors and maybe a low resolution. Would people learn quickly to use a user account to play games? Would administrators still be able to get their work done with said limitations?

      This is just one of those off-the-top-of-the-head-and-not-thought-out type ideas, but i'm curious.
  • by Anonymous Coward on Thursday August 26, 2004 @10:16AM (#10077644)
    Is there a way to distinguish Windows XP with SP2 from older versions through the User Agent String?

    • I don't work with the UA string but here is something nobody likes to see on /.
      VB CODE IN YOUR FACE
      Wscript.echo "Service Pack: " & objOperatingSystem.ServicePackMajorVersion _ & "." & objOperatingSystem.ServicePackMinorVersion
      I almost used the BLINK tags for that one :-) The above VB put into a script will echo the SP level and I think you can do it remotely on VB I have only the MSNSK certification (Microsoft novice script kiddie :-)
  • Oh my god! (Score:3, Insightful)

    by dave420 (699308) on Thursday August 26, 2004 @10:17AM (#10077661)
    You mean it's possible to edit configuration scripts from within the operating system? Oh no!

    Seriously, this is just more scaremongering. The WMI system has to be accessed locally, and their examples of how this could be circumvented is pretty silly. ActiveX apps on a web page won't run unless you specifically tell them to. The only other ways are via a downloaded application. It boils down to "you have to do something on your computer that lets a malicious application run". How is that any different from any other operating system in the world? Even as a non-root linux user you can fuck up a system by running a malicious script... I don't get it.

    Am I missing something?

    • Re:Oh my god! (Score:3, Insightful)

      by $rtbl_this (584653)

      Even as a non-root linux user you can fuck up a system by running a malicious script...

      I'm intrigued. While I've only given it a few minutes' thought, I haven't managed to come up with a way that an unprivileged Linux user can hose an entire system (well, outside of their own data) with a malicious script. Could you let me know what I'm missing here? Thanks.

  • No real surprise (Score:4, Insightful)

    by Arclite (471674) on Thursday August 26, 2004 @10:17AM (#10077669)
    Let's be honest. Did anyone really expect SP2 to not need a slew of new patches after release?

    Personally, I'm just glad that it doesn't bomb randomly after install. Yet.

  • running windows as admin again. what do you expect?
  • Auto-update notified me of the patch yesterday on my workstation. I accepted it to check it out, but it never downloaded.

    Today I got the notification on my notebook and decided to try the same thing on that one as well. Same thing--the update box goes away but nothing appears to download.

    It's not that big of a deal, but I do want to get it installed on at least one of my machines to see if it would break anything.

  • Need root? (Score:5, Insightful)

    by randyest (589159) on Thursday August 26, 2004 @10:18AM (#10077679) Homepage
    No, most user's don't need to be root most of the time. Yet:

    While we are not aware of any malware exploiting this, we think it will only be a matter of time. The one mitigating factor that we found is that to change the WMI, and spoof the Security Center, the script has to be running in Administrator mode. If executed in Windows XP's Limited Mode, it will give an error, and not allow changes. Unfortunately, most home users who will be at risk, run in the default administrator mode.

    How can we convince people not to run admin mode? It's easy at work, in UNIX land (most people don't get to know root pw.) But most Windows users I know don't even know the difference.

    Every windows security problem I know of can be solved, or at least significanly mitigated, by users not running root.
    • Re:Need root? (Score:3, Insightful)

      by MobyDisk (75490)

      How can we convince people not to run admin mode?

      Two steps are required:
      1) Make apps that work without admin mode. Most stuff on the shelf today still doesn't. I have yet to see a game that does.
      2) Make apps that need admin access prompt you for it. - *nix has done this for a long long time.

      But neither of these things will happen until the mentality changes. The mentality won't change until the apps are there. I've tried to get user's to do it when possible, but then they go download some spywar

    • Re:Need root? (Score:3, Interesting)

      by SilentChris (452960)
      "How can we convince people not to run admin mode?"

      Simple. Force them not to. When my family got a new PC, I immediately dumped XP Home and put on XP Pro. I set up myself with the Admin account and gave everyone else Limited User accounts.

      If they want to install software, tough. They have to go though me first. Just like at work.
  • by stonebeat.org (562495) on Thursday August 26, 2004 @10:19AM (#10077695) Homepage

    Windows XP SP2's 'Windows Security Center' is just about as insecure as it could possibly be.

    and you were expecting what???

    Remember Windows Management Instrumentation requires administrator credentials. If you have admin priveledges on any box, you can do much harm, regardless of the Operating System
  • by mrgreenfur (685860) on Thursday August 26, 2004 @10:20AM (#10077701)
    I noticed it was up last night to I installed it.

    It's 94.50 mb which takes a while to download. Upon installation and restart the new windows security center pops up and trys to get you to turn on your firewall, automatic updates and antivirus software. By default if any of these are off, there's an obnoxious red shield in the system tray. Turning off alerts for these makes it go away.

    Otherwise there doesn't seem to be any major changes.

    So far nothing's borked.
  • by MikeMacK (788889) on Thursday August 26, 2004 @10:21AM (#10077712)
    Based on an anonymous tip, PC Magazine looked into the WMI and the Windows Security Center's use of it, and found that it may not only be a security hole, but a crater.

    Maybe MS could get NASA to send a few rovers in there to see what they can find out.

  • by London Bus (803556) on Thursday August 26, 2004 @10:22AM (#10077725)
    To make Windows secure, that is. I know lately that Microsoft-bashing has gone from being the in thing to being "trolling", but it's true. Just because it's become less fashionable to say so doesn't change the fact. I don't understand how Windows users can continue to use these machines. I live in a relatively remote area of Japan, and yet somehow within 4 minutes after hooking up my brand-spanking new machine to the Internet, I started getting Code Red connection attempts and repeated assaults on various four-digit ports. I guess they don't respect geographic boundaries either. By the way, this all happened while I was downloading XP2/SP2. It's not going to help when we don't even have time to install it before getting our machines "owned".

    I've always criticised Linux users for being sloppy and the like, but the operating system itself is at least rock solid. It rarely crashes, it has a decent windowing system, and I don't see advisories for it on Bugtraq every 8 hours. Windows is easy to install, but it's all too easy for someone else to compromise. Ease of use is nice, but I think I'll take peace of mind with GNOME on Fedora Core.
  • Running as admin? (Score:5, Insightful)

    by W2k (540424) <wilhelm.svenseli ... 15926om minus pi> on Thursday August 26, 2004 @10:24AM (#10077753) Homepage Journal
    According to them, any program (including ActiveX controls) can access and edit the Windows Management Instrumentation database, and therefore spoof the security status of an insecure box to report that it is properly secured.
    Um .. you sure that's not supposed to be any program that's already running as admin on the box in question? Sorry, but if I was a malicious app running as admin, I would do much more interesting things than tamper with the security center. Not even Linux/OSX/*BSD are secure if you manage to get malicious code running with admin rights. The article got it right (it mentions that the attacking script/app/whatever must be running as admin) but whoever submitted this to Slashdot seems to have missed this tiny, unimportant detail.

    The next thing to be said is usually: "But most home users run as admins." (The article also mentions this.) Well, that's not a Windows problem; that's a user problem. Even if Windows forced users to run in "limited mode" (which would cause an outcry in itself - "eek, Microsoft is trying to take away control over our own computers from us"), it also doesn't help that most third-party software for Windows requires admin rights either to install or *gasp* to run. Of course, this is ancient news to everyone with a clue .. nothing to see here, move along.

    Of course, even when running as admin, protecting yourself against malicious code is fairly trivial; simply use a firewall (SP2 incidentally includes one), don't run binaries from untrusted sources, surf the web and check your email using something other than IE/Outlook [mozilla.org], use a virus scanner/shield, and keep your apps and OS updated. Again, no news to anyone with a clue.
    • by Tom (822) on Thursday August 26, 2004 @10:42AM (#10077948) Homepage Journal
      "But most home users run as admins." [...] Well, that's not a Windows problem; that's a user problem.

      You are oversimplifying. Ask yourself why most home users run as admins. May it be because that's the default? Because XP doesn't even offer another setup option, but hides it well? Or maybe because tons of things simply don't work if you run as a normal user?

      Driving reckless is a user fault, yes. But driving reckless when that's how the manual told you to do it and that's what the car was designed for makes it a bit more tricky to properly place the blame.

      • by W2k (540424)
        It's the default because the users want it that way (see previous posting). Windows users have been running as admin since it was just a glossy shell over DOS (hell, pre-NT, Windows didn't have a non-admin access mode as such). If Microsoft changed it now, there would be an outcry (see grandparent) and people would just figure out how to make themselves admins, and do so. It's a lose-lose situation for Microsoft - and again, the fact that many pieces of third-party software expect or demand admin access to
  • STILL Broken (Score:4, Informative)

    by Roguelazer (606927) <Roguelazer@gma i l .com> on Thursday August 26, 2004 @10:33AM (#10077852) Homepage Journal

    Great work Microsoft! After all the beta-testing, SP2 is still broken. Here's what I've found so far that's messed up badly:

    • FarCry Demo fails to install
    • Unreal2 won't run
    • Norton Antivirus status is not detected by Security Center
    • AVG Antivirus is not detected by Security Center
    • Windows crashes on startup if any non-MS OS is doing a SMB network scan while it is starting up
    • Security Center considers having Automatic Updates set to "Ask Before Installing" a security risk

    What I find funny is that ZoneAlarm's AntiVirus monitor feature detects AVG and Norton properly.:P

    • Re:STILL Broken (Score:4, Informative)

      by delus10n0 (524126) <delusion_@pdsys.oAUDENrg minus poet> on Thursday August 26, 2004 @11:03AM (#10078203) Homepage
      # FarCry Demo fails to install
      # Unreal2 won't run


      Both working fine here..

      # Norton Antivirus status is not detected by Security Center

      Norton's problem, they've said repeatedly they're working on a patch.

      # AVG Antivirus is not detected by Security Center

      This should be working. It's works for a lot of other people correctly.

      Windows crashes on startup if any non-MS OS is doing a SMB network scan while it is starting up

      Huh? Did you pull this one out of the air? We haven't had a problem with this on our network here (300+ PCs, 10+ Macs)

      Security Center considers having Automatic Updates set to "Ask Before Installing" a security risk

      And I agree that it should. Users are totally retarded, and should be treated like a child.
    • Either that, or you are doing something wrong. Here at work we have, oh about 500 Windows machines and maybe 200 Solaris machines and some Linux machines too. Of the Windows machines, I'd say 200 or so are already on SP2. They don't crash on bootup and SMB traffic is ALWAYS flying over our building (it's a single large subnet too).

      As for AVG, well, you screwed something up. It detects fine on every system I've put it on. As for Norton, it is a documented Norton problem, and they (Norton) are working on it.
  • Windows? (Score:3, Funny)

    by mrselfdestrukt (149193) <nollie_A7_firstcounsel_com> on Thursday August 26, 2004 @10:55AM (#10078093) Homepage Journal
    What is this Windows XP thing I keep hearing about?
  • by fmachado (89905) on Thursday August 26, 2004 @11:01AM (#10078181)
    People just conveniently forgot that running as a common user does NOT guarantee that a malicious app does not runs as admin (or SYSTEM, more precisely). IIS, RPC, Messenger, lots of others run as a service with SYSTEM privileges. If you do attack it and find any vulnerability then you can run your malicious code as SYSTEM as well.

    Sure, running as ADMIN is almost stupid and multiplies your chances of being 0wned by large. But its not the only source of being 0wned as people said above. As long as I remember, IIS (along with Sendmail, Bind, IE and some others) where considered the worst software in terms of security in the SANS Institute list. Break-ins are common in these softwares and would grant you good priviledges for doing some nasty things.

    Just to be fair the same can happen in Linux/Unix but it's a bit less easy to do it. And you can always run an UserMode Linux, for example, and host the application inside it which would turn the host system almost invunerable and this is quite difficult to do in Windows (I can only think of VMWARE). Normally people are a little better educated to not use root in daily use and every installation program of recent distros explicit says it.
  • by denis-The-menace (471988) on Thursday August 26, 2004 @11:03AM (#10078216)
    The only way to make joe user NOT want to use an Administrator account is to make it anoying to use. IE: -Display a NAG window everytime the user launches an application. (Maybe only if the user spends more than 30 minutes in the account) Maybe even make it easy to do some admin tasks easily as a Limited user by prompting for the administrator pw when required like Linux distros do today.
  • by SavoWood (650474) on Thursday August 26, 2004 @11:05AM (#10078238) Homepage
    I find it amazing and certainly think someone should alert the NIMH. Software and hardware are each capable of EMOTIONS! Not just that, but complex ones at that. Who knew my little hunk of plastic, silicon, and metal would be so insecure? Is it because of my incessant banging away on the keyboard? Am I touching the mouse inappropriately? How do you tell?

    I'd bet it's when I'm taping out the BPM for the music loaded on the drive. It has to be like the Chinese water torture. Poor little computer.

    Please, let us make amends. I'm offering a sincere apology and promise to do what I can in the future to keep you from feeling battered and furthering your feelings of insecurity.

    Good thing I've got all your patches up to date, or you might find strangers abusing you from far away locations. I'd never let you have such unsecured access. It' would only lead to more insecurity.
  • by catwh0re (540371) on Thursday August 26, 2004 @11:06AM (#10078260)
    Judging from Microsoft's response to this issue. (and many similar issues in the past)

    They bypass this obvious lack of security as a feature, and that the application is rather to serve as an extra barrier of obscurity to hackers, and not as a solution to the problem (which it will ultimately be marketed as.)

    This unfortunately isn't an adequate mentality. Microsoft appear to make the mistake to think that hackers are as technically challenged as their regular home user base.
    Yes! certainly a home user wouldn't be able to craft some accidental software that rips a hole through the new security centre features. However, hackers which discover holes in Windows (Without ever seeing the source code.) have the competency to add the extra layers of dodging to their worms. This it at Microsoft's peril, as now worms can fool a system into reporting that everything is fine, in turn fooling the technically challenged home user into also thinking, that their new DDoS server is also functioning without a hitch.

    Microsoft needs to understand that hackers are significantly "gifted" in comparison to their regular user base (many of which who'd think Mac OS X is another version of Windows.) They must craft their security devices such that they can not be trivially undermined, and put an end to the assumption that more easily bypassed road blocks lead to greater security.

  • by kronin (413035) on Thursday August 26, 2004 @11:12AM (#10078371)
    I installed the official release of SP2 and installed it on my mom's laptop last night, only to be greeted with a nice informative blue screen upon reboot.

    http://www.crn.com/sections/breakingnews/breakingn ews.jhtml?articleId=23905071 [crn.com]

    I had to boot into recovery mode and run a batch script to uninstall SP2, just like the article outlines. Then I had to go into the registry and change some keys, then do an uninstall via the add/remove programs wizard. Man, thanks Microsoft for a full night.

    I'm not sure if I'm going to try again, we'll see how I feel after stewing about it all day...
  • by orzetto (545509) on Thursday August 26, 2004 @11:32AM (#10078660)
    'Windows Security Center' is just about as insecure as it could possibly be.
    Just imagine if Microsoft were an army instead, and decided to promote world peace...
    They would invade a country run by a dictator, continue the dictator's tortures even in the same places, inflame the world and make the world an insanely dangerous place to live.
    Oh, wait...
  • Cowards at PC Mag (Score:5, Insightful)

    by Sloppy (14984) on Thursday August 26, 2004 @11:42AM (#10078782) Homepage Journal
    This open door to the security status of a system can be exploited several ways. First, a malicious site could download a file (possibly with the drag and drop exploit discussed in our Windows updates and vulnerabilities section), which could run and access the WMI, monitoring the status of the firewall and antivirus protection.
    Holy crap, you're already executing hostile code, and you're worried that MS has added yet another library that it can call? You fucking idiot! It can already write to your disk's partition table, what more are you worried about? A psychotic killer is holding a loaded gun to your head, and you're worrying about the second-hand-smoke cancer-risk from his cigarette. ;-)

    People, get a clue: a "malicious site" can't do anything to your computer, unless your box has already been compromised.

    PC Mag, here's an idea: tell the users what the real problem is. You damn well know what it is. But you're afraid, because they spend a shitload of money on ads.

  • by zxflash (773348) on Thursday August 26, 2004 @02:17PM (#10080766) Homepage
    If the animated dog says my machine is secure who am I to argue with it...

Nondeterminism means never having to say you are wrong.

Working...