
Exploits Circulating for Latest Windows Holes

Posted by CmdrTaco
from the netcraft-confirms-that-trolls-are-uncreative dept.
1sockchuck writes "Exploits are already circulating for at least two (and possibly four) of the Windows security holes addressed in Microsoft's updates on Tuesday. Several working exploits have been released for a new vulnerability in Windows Plug and Play technology, which could be used to spread a worm targeting Windows 2000 machines, according to eEye security, which has released a free scanner to help network admins identify vulnerable computers."
  • by Deltaspectre (796409) on Friday August 12, 2005 @11:20AM (#13304120)
    Perhaps this vulnerability was a 'Feature' to get people to migrate away from Windows 2000?
  • by creimer (824291) on Friday August 12, 2005 @11:23AM (#13304154) Homepage
    At least, Microsoft is maintaining great quality control.
  • by ellem (147712) * <ellem52NO@SPAMgmail.com> on Friday August 12, 2005 @11:23AM (#13304159) Homepage Journal
    I mean W2K has been around for about... uh, 5 years?

    So isn't this just an old exploit that was just found?

    See? Having 900,000,000,000 lines of code is a good thing.
    • Re:Is it really New? (Score:5, Interesting)

      by 99BottlesOfBeerInMyF (813746) on Friday August 12, 2005 @11:43AM (#13304321)

      So isn't this just an old exploit that was just found?

      No. This is an old vulnerability that was just published, and had new exploits written and published for it. That is not to say other exploits have not existed for this vulnerability for the last five years.

      • This is an old vulnerability that was just published, and had new exploits written and published for it.

        Just to amplify what you've said:

        This is an old vulnerability that was just published

        publically, and had new exploits written and published for it.

        It's possible, and has a certain chance of being likely that this exploit has been published in non-public fora for the past five years.

        As we learned a couple stories back, Microsoft is catching exploits of unpublished vulnerabilities in their honeypots. I'm

        • > It's possible, and has a certain chance of being likely ...

          Well gosh, there's an authoritative statement.
    • I mean W2K has been around for about... uh, 5 years? So isn't this just an old exploit that was just found?

      This just goes to prove that hackers are getting lazy. I mean it took them 5 years to find this hidden feature. Or maybe MS programmers have more foresight than we give them credit for.

  • by mikeophile (647318) on Friday August 12, 2005 @11:25AM (#13304170)
    Our website's registration forms require users to provide contact information (names and email addresses) and financial information (account or credit card numbers). Financial information that is collected is used to bill the user for products and services purchased and is only used internally by eEye. Contact information is used to confirm and ship orders, to contact the user when necessary, and to notify users when new products and services are available. Users may choose not to receive future mailings from eEye; see the Choice/Opt-Out section below. eEye Digital Security may occasionally share visitor contact information with official product resellers that adhere to a comparable privacy policy; visitor contact information is NEVER given to other third-party vendors that are not affiliated with eEye.

    Why do they insist on my personal information if they aren't going to use it?

    They have the ability to let me opt out of mailings, so why don't they provide an opt-out for my information in the first place?
  • by donleyp (745680) * on Friday August 12, 2005 @11:26AM (#13304177) Homepage
    The exploits came out after the announcement and not before. It begs the question, do we need to give M$ credit for pushing the patch before the exploit became common knowledge? Compare this to Cisco who tried to squash recent publicizing of their vulnerability.
    • It begs the question, do we need to give M$ credit for pushing the patch before the exploit became common knowledge?


      Uh oh, the grammar nazis will decend upon ye shortly. I heard that phrase misused on CNN the other day, how the hell does that happen.
      • I don't know how it happens, but when I heard the phrase misused on NPR's "All Things Considered", I officially gave up.

        By the way, it's spelled "descend". Also, your second sentence is a comma splice; in this case your comma could be replaced with a semicolon or a period. You also need a question mark after "how the hell does that happen", not a period.
    • Cisco had also patched their vulnerability before the publicity. The whole point of the BlackHat presentation was to encourage admins to use the patch, and to shame Cisco for underplaying how serious the issue is.
    • " The exploits came out after the announcement and not before. It begs the question, do we need to give M$ credit for pushing the patch before the exploit became common knowledge? Compare this to Cisco who tried to squash recent publicizing of their vulnerability."

      I think it reinforces the idea that people create exploits by reverse engineering patches. MS was right on this one.
      • I think it reinforces the idea that people create exploits by reverse engineering patches

        Professional crackers do not release their exploits, they use them for profit. This may reinforce the idea that the second tier of crackers writes their exploits after shown how. Thus forcing Microsoft to do something.

        MS was right on this one

        You don't know that.
    • I haven't the faintest clue why your comment is insightful.

      Let me give you some examples of exploits (ie worms) that came out after patches: Blaster, Sasser, Nimda (MS patched this 330 days before the worm actually hit). Code Red is the only one that immediately comes to mind as a worm that hit before the patch, and even in that case, MS didn't know ahead of time that IIS was exploitable. It was 0-day.

      In the case of the Plug & Play exploit, it became common knowledge *because* of the patch, which was re
  • But I'm reminded of a childhood verse...
    "The worms crawl in, the worms crawl out
    The worms play pinochle on your snout..."
  • by bitslinger_42 (598584) on Friday August 12, 2005 @11:27AM (#13304185)

    Is anyone but me getting sick of these companies releasing "free" tools that require you to register for their incessant spam, phone calls, and other marketing harassment in order to download? Yes, I understand that they spent money to develop the tool, but what if I want to scan my home network? MySQL isn't too bad, at least. They have the marketing signup, should you be interested, but provide a link to download without all the crap.

    [Wanders off muttering about the good old days of gopher and archie]
  • Exploits like these will all be fixed in Longhorn, umm, Vista. Seriously, the general population doesn't patch the security fixes that are out there, let alone the new ones that come out every other Tuesday. So exploits based on new patches are irrelevant if a computer can be compromised with mydoom.
    • Microsoft with all its massive billions of dollars, charging in excess of $300 for a full, licensed version of Windows XP Professional... Cannot afford to write clean, bug free code?

      As a programmer myself I am often faced with the idea of completely re-writing my code, not just leaving the function sit, while being unused.

      Compare to Apple's OS X (granted, the numbers argument about there is not a mass majority to spread a major virus even if it was to be discovered), why can't Microsoft decide to take shape,
      • I'm afraid that you are wishing for something that's never going to happen. Here's to the OS X revolution! pm
      • Re:Not to worry... (Score:4, Interesting)

        by whoever57 (658626) on Friday August 12, 2005 @12:09PM (#13304509) Journal
        I think that you have to assume there will be bugs in the code. I am sure Apple has bugs. The real question, is: why are there so many listening ports on a Windows NT/2K/XP machine? Even one that has no files shared for users. What does it need them for? MS recommends running a firewall, which rather defeats the purpose of any listening ports, including such things as the administrative shares. In this case, we have some code that is supposed to detect new hardware apparently listening on the Ethernet port. Why? New hardware is going to fly down the network? Wow! MS should patent that now since it would put UPS and Fedex out of business. So, I don't think it is so much a bug as "what in $DEITY's name were they thinking when they designed this feature?"
      • I wish there was a direct correlation between "Making more money" and "Quality Products." Let's face it: Microsoft is the McDonalds of the Operating System world. They aren't interested in giving you the best thing on earth, they are interested in supplying you with barest essential needs to sustain you, in order to maximize their profit without sacrificing their customer demand and quarterly profits.

        Don't misunderstand me, I'm not trying to bash Microsoft. Overall I believe their product fills the need o

  • by SkiifGeek (702936) <info AT beskerming DOT com> on Friday August 12, 2005 @11:28AM (#13304200) Homepage Journal

    The recent article on the front page here (2 down at the moment), talks about vulnerabilities linked to MS05-038 being in the wild in mid July (actually quite a bit earlier, but we will give them the benefit of the doubt). There have been a number of minor exploits in existence for at least a month and a half with respect to some image handling capabilities through IE (also MS05-038).

    Security-Protocols claimed to have discovered the vulnerability linked to MS05-041, and there were some minor claims that other people had been able to make it into exploits which weren't widespread.

    I initially thought that the Plug and Play vulnerability was linked to a report on an overflow with respect to handling USB devices (which has also been reported), but it seems to be much worse.

    I am fully aware of the reasons why companies EOL their software, but Microsoft's cessation of mainstream support for Win 2000 might be coming back to bite them, given that Win 2000 is just as vulnerable to these exploits as Win XP and 2003, if not more so.

    • This actually has been patched in Win2k. Microsoft will continue with security patches for Windows 2000 through 2010. Their current policy for business-related software is 5 years "mainstream" support plus 5 more of security fixes. For "home" stuff, it's 5 years and you're done. This has some interesting consequences, such as Windows XP Professional being semi-supported through 2011 but Windows XP Home expiring at the end of 2006.

      Source: http://support.microsoft.com/lifecycle/ [microsoft.com]
      • I do know of the 5/10 year split for Microsoft products, but I also believe that there will still be a large number of organisations running Windows 2000, come 2010, and they won't be upgrading. It is like the current concern over Cisco's IOS. Yes, they have patched the vulnerability Mike Lynn used as his example (stealthily in the April update), but there will be a not-insignificant number of network devices that will never see this patch, or others that are needed to protect against the newly described

  • I think once in the past three years I've seen one month without an update that was critical. Also, the way I've seen it, is that you have three to six months before the vulnerabilities are widely attacked. There are always people that are quicker on the ball, but three to six months is a good range before every other website is taking advantage of these vulnerabilities from what I've seen.
  • by goldspider (445116) <ardrake79.gmail@com> on Friday August 12, 2005 @11:31AM (#13304227) Homepage
    ...Microsoft patched the holes BEFORE the exploits started circulating?

    If that's the case, what's the problem?
    • The millions of users who don't patch are the problem. Sometimes these exploits turn their computers into zombies that send spam or spread viruses, making them other peoples' problems as well.
    • Not everyone auto-updates and reboots right when the patch comes out. Some people might even ignore the Windows Update icon for weeks at a time, or tell it to stop bothering them.
    • The problem is that most people don't patch their systems.

      Seems to me Microsoft almost always has a patch before the exploits go around.

      I keep my system updated and turn on the firewall in XP, and I've never had a security issue with my machine.
    • by Espectr0 (577637) on Friday August 12, 2005 @12:01PM (#13304444) Journal
      Simple. It is known that exploits are made after MS releases the patch, by reverse engineering them. Since 90% of the people are stupid and don't patch their systems (I made this up) then these people get hit.

      My rant is not against MS. It's against people (supposedly people with knowledge) who don't take the time to update their systems. SP2 actually improved this by trying to push the updates down users' throats.
      • My rant is not against MS. It's against people (supposedly people with knowledge) don't take the time to update their systems.

        Until recently, they haven't really had to. They should have, but the zombie nets are relatively recent developments.

        I wonder how many people burned out their Model T engines because they didn't understand they had to change the oil.
        • ...but the zombie nets are relatively recent developments.

          How long ago do you consider recent? Zombie nets have been becoming increasingly problematic for at least the past 4 years... and that's just when I started being affected by them. At least it's slightly more difficult to infect machines now... in the good 'ol days, the zombie nets mostly spread by looking for win2k machines with a blank administrator password and open c$ share.
          • How long ago do you consider recent? Zombie nets have been becoming increasingly problematic for at least the past 4 years...

            Yeah, that's about right. It's a long time in the computer security field, but we're talking about something that needs to have an effect on societal behavior. From that perspective, 4 years is pretty short for something that, on the surface, risks neither life nor limb.
    • The problem is the thousands of unpatched systems out there that will get infected.
  • Microsoft is disappointed that certain security researchers have breached the commonly accepted industry practice of withholding vulnerability data so close to update release and have published exploit code

    I can already hear the Slashdot chant of how security researchers have every right to release exploit code usable by script-kiddies whenever they want. I can't wait until the Internet culture is such that just because you can do something doesn't make it right.

    • not entirely sure why this is a troll.

      I can take a gun and shoot someone now just because someone made a gun available to me, but that doesn't make it right. I can release an exploit to software to disrupt many people's lives because someone told me how to do it, but that doesn't make it right.

      Just because it's on t'interweb doesn't change the rules of morality and ethics, right and wrong.
    • They do have every right, legally speaking. It's not a feature of Slashdot or internet culture, it's a feature of the American style of government. Ethically speaking, most security researchers disclose responsibly anyway - they give the company a month or so to fix the problem before telling the world. I, and probably most slashdotters, would agree that telling world+wife before the company producing the software has had a fair bash at the problem is a little off, if only because a lot of us know what it's
  • Scanner? (Score:5, Funny)

    by Fear the Clam (230933) on Friday August 12, 2005 @11:41AM (#13304312)
    "...eEye security, which has released a free scanner to help network admins identify vulnerable computers.

    What, the Windows startup screen wasn't sufficient to identify vulnerable computers?
    • "What, the Windows startup screen wasn't sufficient to identify vulnerable computers?"

      As many computer customers tell me, "I don't know how I got a virus, I run Scandisk and Defrag every week!"
  • In other news... (Score:2, Insightful)

    by Anonymous Coward
    Hundreds of vulnerabilities discovered in Linux since the release of a distro:

    http://www.mandriva.com/security/advisories?dis=10.1 [mandriva.com]

    But of course, that's not newsworthy because it doesn't involve hating Microsoft. This ain't a troll; it's an attempt to show that BOTH systems have pretty lame security track records, yet all we hear about is Windows.

    Look at that list above. Given 300 million clueless users running that Mandrake instead of Windows, don't you think there'd be exploits for that plethora of holes
    • It's not sexy to make Linux look bad... And even if you do the zealots will simply fire back "What do you want, it's free..."
    • by BabyDave (575083)

      Hundreds of vulnerabilities discovered in Linux since the release of a distro:

      Of course, Windows doesn't come with the hundreds (thousands?) of applications that Mandriva does, and so it's a bit unfair to compare the Mandriva security advisory list (which includes fixes for MySQL, Apache, Perl, Mozilla, Vi, etc etc) to the Windows list.

    • First of all, Linux distros support every package on the system, not just the core files like MS update. That means perl, MySQL, apache, even the modules for apache. Everything. With that in mind, compare the Secunia security reports for Mandrake 10.0 [secunia.com] and Windows XP Pro 10.0 [secunia.com], which hit the market at about the same time. Have a look at the amount of unpatched vulnerabilities in both and see if you can still come to the same conclusions. Sheesh!
  • The exploits appeared not to exist before they were reported and announced. Now they do. This is not such a problem, since there is a patch available.

    However, it does make me suspicious of the dogma of some white hat hackers, that black hats may already know about vulnerabilities so there's no reason not to give full exposure.
    • If you are a black hat, and have a working exploit, you generally don't want to blast it all over the net, but use it judiciously to get as much as possible out of it before it is discovered. Once it becomes commonly known, and a patch exists, you know you don't have much time left, so you take advantage of it as much as possible.

      I'm not saying that is the case with this particular exploit, but Microsoft wants everyone to believe that we wouldn't have to worry about exploits if those white hats would just
  • by sgt scrub (869860) <saintium@ y a hoo.com> on Friday August 12, 2005 @12:05PM (#13304475)
    If you need to test the machines on your network Nessus http://nessus.org/ [nessus.org] has released plugins.
  • by Anonymous Coward
    The company distributing this requires you provide personal information just to pick up a small scanner which is entirely unnecessary. The purpose it seems behind distributing these little tools is to collect this information for sale and for use in sales.

    I would recommend that users stop using slashdot.org as a way to distribute pointless software in an attempt to collect free user data.
  • steps ahead (Score:4, Funny)

    by fihzy (214410) on Friday August 12, 2005 @12:30PM (#13304745)

    Once again: (original at http://slashdot.org/comments.pl?sid=71367&cid=6457101 [slashdot.org])

    10) find big remote vulnerability in product
    20) perfect the exploit
    30) have fun with it for months
    40) find another big hole in same product
    50) perfect exploit for hole
    60) alert vendor about original hole
    70) have fun with new hole
    80) goto 40
  • by Master of Transhuman (597628) on Friday August 12, 2005 @01:12PM (#13305143) Homepage

    He's been writing that Mike Lynn did the industry a disservice by revealing the buffer overflow class of Cisco vulnerabilities.

    His logic is that as soon as you reveal a vulnerability, you accelerate the exploits, and therefore vulnerabilities should not be revealed. (In other words, the classic "security through obscurity argument.")

    He seems to think it makes more work for him and other security people.

    I pointed out to him that if we follow his logic, no vulnerability and no patch would ever be released. Here we have exploits following a patch. Does he now think Microsoft should not have released the advisory and patch because it "accelerated" the development of an exploit which will affect unpatched systems?

    This is exactly his logic with Mike Lynn's actions. He claims revealing the buffer flaws, even though Cisco has patched the two actual flaws found, will cause an exploit to appear that will affect unpatched systems and cause him "more work."

    I pointed out to him that he should thus blame Microsoft for patching the SQL Server flaws even though most admins didn't patch their servers in time for the worms that took advantage of them.

    I also pointed out to him that if he thinks security is easy and he can't handle the "extra work" exploits cause, get out of the business.

    His real motivation, of course, which I also pointed out to him, was simply sour grapes that he didn't get the press for revealing the flaws. The security business is very competitive, and every time a researcher announces something, everybody else denounces him as wrong, premature, or not following proper "protocol." All this just to keep THEIR names - and by extension, the same vulnerabilities they're complaining about - in the trade press. It's hypocritical.
  • With XPSP2, and Win2k3, the plug and play exploit requires that the attacker be able to initiate connections to TCP ports 139 and 445, and have an *ADMINISTRATIVE ACCOUNT* on the machine.

    If the attacker has an administrative account on the machine, why the $#@! bother to exploit this vulnerability when they already have carte blanche access?

    For WinXPSP1, and WIN2k it's more serious. For WinXPSP1 the attacker only needs a regular user account, and for Win2k, the exploit can be done anonymously.

    The second
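  • The preconditions above (TCP 139/445 reachable, plus anonymous access on Windows 2000, a user account on XP SP1, an admin account on XP SP2/2003) are what an admin actually has to triage against before the patch window closes. The following is an added example, not code from the original post, eEye or Microsoft: it takes a constructed host inventory, probes 139/445 with a plain TCP connect (or an injected stub so it runs offline), and ranks unpatched, reachable hosts by how little an attacker needs. Host names, the inventory and the `fake_connect` stub are assumptions for illustration; the privilege matrix is the one the comment states.

```python
"""
Triage helper for the MS05-039 attack surface as described in the thread.
Added example, not code from the original page, eEye, or Microsoft.
Inventory, host names and the offline stub are constructed for illustration.
"""
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Ports the exploit needs to reach (from the comment above).
PNP_PORTS = (139, 445)

# Minimum access an attacker needs per platform, as stated in the thread:
# Win2k anonymous, XP SP1 any user account, XP SP2 / 2003 an admin account.
ACCESS_NEEDED = {
    ("Windows 2000", None): "anonymous",
    ("Windows XP", "SP1"): "user",
    ("Windows XP", "SP2"): "admin",
    ("Windows Server 2003", None): "admin",
}
# Less required access means higher patch priority.
PRIORITY = {"anonymous": 3, "user": 2, "admin": 1, "unknown": 0}


@dataclass
class Host:
    name: str
    os: str
    sp: Optional[str]
    patched: bool  # MS05-039 already applied?


def tcp_connect(host: str, port: int, timeout: float = 1.0) -> bool:
    """Real probe: can we complete a TCP handshake to host:port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def reachable_ports(host: str, connect: Callable = tcp_connect) -> List[int]:
    """Which of the PnP-relevant ports answer from this vantage point."""
    return [p for p in PNP_PORTS if connect(host, p)]


def triage(hosts: List[Host], connect: Callable = tcp_connect) -> List[Tuple[str, List[int], str, int]]:
    """Unpatched hosts with 139/445 reachable, highest-risk first.

    Returns (name, open_ports, access_needed, score). Patched hosts and hosts
    that do not expose either port (firewalled, off, filtered) are skipped.
    """
    results = []
    for h in hosts:
        if h.patched:
            continue
        ports = reachable_ports(h.name, connect)
        if not ports:
            continue
        access = ACCESS_NEEDED.get((h.os, h.sp), "unknown")
        results.append((h.name, ports, access, PRIORITY[access]))
    # sort is stable, so equal-score hosts keep inventory order
    results.sort(key=lambda r: r[3], reverse=True)
    return results


# --- constructed inventory and offline stub (assumptions, not real hosts) ---
SAMPLE_HOSTS = [
    Host("w2k-fileserver", "Windows 2000", None, patched=False),
    Host("xp-sp1-lab", "Windows XP", "SP1", patched=False),
    Host("xp-sp2-desk", "Windows XP", "SP2", patched=False),
    Host("w2k3-dc", "Windows Server 2003", None, patched=True),
    Host("xp-sp2-laptop", "Windows XP", "SP2", patched=False),  # firewall on
]

# What the constructed network "answers" on; the laptop exposes nothing.
FAKE_OPEN = {
    "w2k-fileserver": {139, 445},
    "xp-sp1-lab": {445},
    "xp-sp2-desk": {139, 445},
    "w2k3-dc": {139, 445},
}


def fake_connect(host: str, port: int, timeout: float = 1.0) -> bool:
    """Stand-in for tcp_connect so the example runs without a network."""
    return port in FAKE_OPEN.get(host, set())


if __name__ == "__main__":
    # Swap fake_connect for tcp_connect to run against real inventory.
    for name, ports, access, score in triage(SAMPLE_HOSTS, fake_connect):
        print(f"{score} {name:16} ports={ports} attacker needs: {access}")
```

    Run as-is it prints the three unpatched, reachable hosts with the Windows 2000 box first; replacing `fake_connect` with `tcp_connect` turns it into a real (connect-only, no exploit) exposure check from wherever it is run, which is the vantage point that matters for a worm.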
  • Why should the bad guys be the only ones with it?

    http://www.frsirt.com/exploits/20050811.MS05-039.c.php [frsirt.com]
