Windows Vulnerabilities Revealed, Patched

Saint Aardvark writes "A big MS Windows remote vulnerability has just hit BugTraq. It concerns a buffer overflow in MS' DCOM, and affects Win2k through Server 2003; here's the security advisory from Microsoft. This is in addition to an earlier vulnerability concerning conversion from HTML to RTF - there's a separate security advisory from Microsoft for this one, and it affects Win98 and NT 4.0 through Server 2003. Patch early, patch often." There's also a CNET News story with a little more explanation on the newest vulnerability.

*G*

[rylin]

So much for homeland security ;)

heh

[Anonymous Coward]

Microsoft admits critical flaw in nearly all Windows software

...The announcement came one day after the Department of Homeland Security announced that it awarded a five-year, $90-million contract for Microsoft to supply all its most important desktop and server software for about 140,000 computers inside the new federal agency

Re:heh

[Anonymous Coward]

So there aren't any critical flaws in the Mac OS? Linux?

A system is as secure as the patches applied to it.

Re:heh

[UnrefinedLayman]

The point is this is a remotely exploitable system level hole.

It's important to note that the system account is god in Windows -- even Administrator has less power than system.

Re:heh

[hkmwbz]

Or could it be that the system is as secure as it was built to be from the ground up, rather than relying on patches to be secure? Or, to rephrase, isn't it better that the system is built for security to begin with? Didn't a Microsoft representative say that their products had never been created with security in mind, but "we'll make it better now, honest!"?

Re:heh

[phaze3000]

There have been 0 linux security advisories in the last week. The advisories you mention are in software that can run under Linux. If you're going to count all software that runs under Linux as a Linux vulnerability, then by extension you have to include all software that runs under Windows as a Windows vulnerability.

The reason this is a big issue isn't because it's a whole in a Microsoft product, it's because it's a whole in the core operating system. Note that /. is also making a big deal of the IOS v

Re:heh

[Anonymous Coward]

I don't think the Department of Homeland Security has anything to worry about. If you hack into Homeland Security then you must be a terrorist, and you will be pursued with great vengeance and furious anger, more than likely. With the Patriot Act also in existence, is there anyone brave enough to attack the Department of Homeland Security?

Re:heh

[Grishnakh]

Sure, any crackers who aren't living in the US. While the US may think its laws apply to all parts of the globe, there's still places that don't have extradition treaties.

Re:heh

[buffer-overflowed]

Actually, the flaw is my fault. Didn't you read the summary?

I'm an evil demon that tricks programmers into not bounds checking. ::Cackle::

Re:heh

[epiphani]

This patch that was released - well, I installed it on my home machines today. It screwed up my OpenGL libraries. Considering it should have absolutely nothing to do with OpenGL, microsofts patches are making me EXTREMELY nervous.

Don't Worry

[Lux]

That's not a bug. As long as DirectX still works, there's no reason to suspect the patch worked incorrectly.

-Lux

Re:heh

[derF024]

As I have nothing of *that* much importance on my box, I'll take the chance and NOT update. I've heard these update stories too many times before.

While I can sympathize with your situation of living in mortal fear of updating your software (such is life when using microsoft products), Please please please lock your machine up behind a firewall of some sort (software firewalls don't count.) While you've got nothing of importance on your machine, You have an IP address and the ability to send spam or othe

Bugs in software != Cruddy software

[dsr9996]

I've gotta call this post what it is: Unfair.

Yes, this is /.
Yes, hardly anyone here likes MS and people here love to bash MS whenever they can.
That's fine with me. But almost all software has bugs, and in particular bugs that could be exploited to breach the security of the program. Just because MS has a bug in the RPC code doesn't mean that no one should use their software, or in particular the federal gov't should not.

If this same criterion were required of any software the gov't bought, they would have NO software. Linux is not bug free. Software written for Linux is not bug free. The main difference is, Windows is a much bigger target of attack by every hacker and "security group" in the world because it is the most popular operating system in the world. How would any Linux distribution fare if it and its components were used as widely as Windows, and people spent hours every day _trying_ to pass garbage strings of data to all of its external functions in order to find a buffer overrun? I bet it wouldn't do so hot either, and even if it didn't, that doesn't mean that no one should by that Linux distribution, does it?

PROGRAMS HAVE BUGS. And the more complex the programs, the more they interact with other components, often in ways the original programmers never thought of _or intended_, the more likely bugs will be found. My opinion is, taking cheap shots at MS is easy, but writing good code yourself is hard. We're all human beings here, and the developers who work on Linux and open source programs are no smarter than most who work at MS. People make mistakes. Sometimes people don't think about every possible bogus string parameter someone could pass in just to screw up their program. Most of the time the bugs I find in my and other's code is from components trying to _correctly_ use our code!

Flamebait, troll, whatever. Just because you don't like MS for all the /. reasons doesn't justify what you say.

Peace,
Devin

Re:Bugs in software != Cruddy software

[khuber]

But almost all software has bugs, and in particular bugs that could be exploited to breach the security of the program. Just because MS has a bug in the RPC code doesn't mean that no one should use their software, or in particular the federal gov't should not.

You're missing the point.

Microsoft has been bragging up their Trustworthy Computing [sic] and talking about how much better their efforts have been then open source projects. Meanwhile OpenBSD (for example) has had a much, much better security record.

If you brag about your secure code, yet continue to have ridiculous security holes, the technical community should have every right to call you on your unjustified haughtiness! There still appear to be systemic problems with Windows that won't be fixed in a year or two no matter how arrogant Microsoft is.

Where do you want to patch today?

-Kevin

Re:Bugs in software != Cruddy software

[Tackhead]

> Microsoft has been bragging up their Trustworthy Computing [sic] and talking about how much better their efforts have been then open source projects.

And the truly funny part is that when the rubber hits the road, it's still the Same Old Microsoft.

The bugs aren't in the software. THEY'RE IN THE CORPORATE CULTURE OF THIS PARTICULAR VENDOR.

Shit, look at today's hole - a cut-and-paste operation could 0wnz0r j00r b0x0r? Go ahead and secure your box if you like, but...

Note that there is generally a trade-off between ease-of-use and security; by selecting a high-security configuration, you could make it extremely unlikely that a malicious Web site could take action against you, but at the cost of missing a lot of rich functionality.

This is a security advisory? What the fuck? What the fucking fuck fuck?

(Shit, if they put that on the "cut-and-paste 0wnz j00, disable Javashit for a quick fix" page, I'm surprised they didn't put something like "Note that firewalling port 135 could cost you rich functionality and notifications of products and services in which you might be interested" on the remotely-exploitable SYSTEM hole.)

The mindset that values "rich functionality" over basic sane design is why MSFT is unfit to secure Steve Ballmer's head outside of his own ass, let alone HomeSec's b0x3n. That mindset starts at the top, and works its way down to every developer, even the poor motherfucker who has to write up the TechNet web pages on the weekly critical 'sploits. THAT MINDSET is the bug that needs to be fixed before MS crapware can even begin to fantasize about trustworthiness.

(/me goes back to pounding head on desk, repeating "WTFFF", over and over again.)

"WTFFF" - A New Mantra for a New Age of Trustworthy Computing.

Re:Bugs in software != Cruddy software

[simong_oz]

[...] But almost all software has bugs, [...] Linux is not bug free. Software written for Linux is not bug free [...] PROGRAMS HAVE BUGS. And the more complex the programs, the more they interact with other components, often in ways the original programmers never thought of _or intended_, the more likely bugs will be found.

slightly offtopic I know, and I don't mean to pick on your post but it always amuses (and amazes) me that the computer industry gets away with this programs-are-complicated-so-they're-

Re:Bugs in software != Cruddy software

[Ironica]

And the more complex the programs, the more they interact with other components, often in ways the original programmers never thought of _or intended_, the more likely bugs will be found.

Excellent point, and one of the biggest problems with Windows. Why is the HTML converter a component of the *operating system*? Why can a web site give someone access to the system if I'm using Internet Explorer? The more "functionality" they pile into Windows, the more points of access there are to the system, and the

Re: yes... hmmmmmm..

[op51n]

Wonder how much coincedence there is in MS waiting to release this information til after they made their deal?

Conviently...

[jointm1k]

... discloded after they got the Homeland security account. >_

Re:Conviently...

[suss]

... discloded after they got the Homeland security account.

Yeah, like it's a big secret that microsoft products are insecure... come on, it's not like they're stupid and/or oblivious at the department of Homeland Security, are they...?

More info and POC ...

[bigjocker]

More info here [sfgate.com], here [infoworld.com] and here [eweek.com]. Here [internetnews.com] internetnews.com state that 3 vulnerabilities (not 2) where patched.

Here [lsd-pl.net] is the report from the people who found the vulnerabilities (or at least one of them) which includes a proof-of-concept paper [lsd-pl.net] and code [lsd-pl.net].

Re:More info and POC ...

[Anonymous Coward]

No it was only two. The third vulnerability was introduced with the fix for the second vulnerability, then patched.

That's how these security rollups work, right?

Re:More info and POC ...

[rritterson]

Yes, there was a third vulnerability patched, but it only affected win9X and not the newer NT kernal OS's

Re:More info and POC ...

[jorupp]

The 'paper' and 'code' links in the parent post are not to a paper and code that exploit this, they are to the tools they used to write the exploit.

winnuke all over again!

[sporty]

The vulnerability results because the Windows RPC service does not properly check message inputs under certain circumstances. This particular failure affects an underlying Distributed Component Object Model (DCOM) interface, which listens on TCP/IP port 135.

Sounds like we'll haev winnuke2003 sometime soon. :)

<disclaimer>I know that winnuke uses OOB data vs this which does something on the application layer. :P</disclaimer>

Re:winnuke all over again!

[netsharc]

Calling it win2003nuke would also be appropriate. Yeah, Flagship Server Product, but the rats are eating through the hull!

patch beat slashdot

[Anonymous Coward]

im just downloading the patch before reading the slashdot story even. microsofts possibly getting better?

Re:patch beat slashdot

[ergonal]

I received the Microsoft Security Bulletin mailing-list emails (with patch directions) 4 hours ago while I was sleeping. I still wouldn't say Microsoft is getting "better" though. They'd be getting "better" if the vulnerabilities didn't exist in the first place! :P

It's somewhat funny though that in a closed-source system how people are still finding vulnerabilities. Can you imagine how many vulnerabilities would be found in the first day of Microsoft releasing their source code to the world? I think the number would be staggering.

Re:patch beat slashdot

[Anonymous Coward]

"They'd be getting "better" if the vulnerabilities didn't exist in the first place! :P "

That's a paradox of almost Terminatoresque proportions!

"It's somewhat funny though that in a closed-source system how people are still finding vulnerabilities. Can you imagine how many vulnerabilities would be found in the first day of Microsoft releasing their source code to the world? I think the number would be staggering."

I would always expect there to be more bugs in closed source code, simply because only a l

Re:patch beat slashdot

[Anonymous Coward]

it's not that microsoft is getting better.... it just means that you're not checking slashdot often enough....

shame on you! ;)

now go to slashdot.org and practice hitting that 'refresh' button

Re:patch beat slashdot

[gotr00t]

Still, don't forget that the vulnerability was THERE, way before Microsoft revealed the nature of it. They didn't tell you about it until they releaesd the patch to it.

Would you trust a company that obviously hides the truth about the very foundation of your computer software base?

Re:patch beat slashdot

[Martin Blank]

Would you prefer that all of the vulnerabilities for any piece of software be made public before the company has a chance to fix it? Cisco, Oracle, Microsoft, Red Hat... Every programmer/software company likes to be notified of the vulnerability so it can be fixed prior to a patch being released.

Re:patch beat slashdot

[Jord]

Actually in the open source world since everything is open EVERYONE is notified at the same time of a security issue. They "company" is not notified first since there is no "company" to notify.

This is opposite of what some closed source companies want to happen to them. They want to be the ONLY ones notified and then they will announce that it was fixed. Personally I think that they should be notified the same time that that the news media are notified so that people who are up on the security issues c

Playing that game

[SuperKendall]

If your car had a 30% chance of bursting into flames while you were driving it, would you rather know about it now or wait for the recall?

Knowing about a problem even if no solution exists allows you to take measures, like perhaps blocking outside access on certain ports for some time or filtering traffic in specific ways.

Information always beats no information when you are trying to keep something secure.

Re:patch beat slashdot

[FuzzyBad-Mofo]

Ever consider that large portions of the Slashdot readership possibly have no need for the patch?

Re:patch beat slashdot

[jdennett]

Whereas I read the slashdot story, and then attempted to use Microsoft's software update facility from IE6 to download the patch -- only to be told that my system was up to date. It wasn't, so I downloaded the patch and applied it manually.

For critical security updates, don't rely on the automatic update tools yet.

Re:patch beat slashdot

[H310iSe]

yea, but the post above (linking to technical info on the exploit, but not an actual exploit) was based on a paper from last November. I wonder how long this one has been just under the radar?

Bad

[The Bungi]

But if you keep port 135 open on your DMZ boxes, you deserve to be hanged with a piece of CAT-5 cable.

Re:Bad

[Homology]

But if you keep port 135 open on your DMZ boxes, you deserve to be hanged with a piece of CAT-5 cable.

Consider the usual : A Windows client on the internal network is infected with a virus that may exploit this buffer overflow. Since port 135 is not firewalled on the internal network, your Windows servers are hacked. And the rest is history.

In addition we have all those home Windows boxes connected direct to the Internet with no firewall/virus-detection. Another playground has been opened for script kiddies.

Re:Bad

[Sloppy]

It just takes one single MS Outlook or MS Internet Explorer user. Then the attack comes from inside the firewall.

Unless you're really smart: put all the Windows users inside the DMZ.

Re:Bad

[EvilTwinSkippy]

But if you keep port 135 open on your DMZ boxes, you deserve to be hanged with a piece of CAT-5 cable.

Most network admins are too portly and would sheer CAT-5 cable. Better to use Fiber-Optic cable. It has a higher tensile strength.

Bad One?

[blackmonday]

They hid this one until they patched it, but in light of the previous post about the US government relying so much on MS software, it makes me uneasy. This exploit let the attacker take control of the PC. Not good if you're running the bad guy database.

Re:Bad One?

[Anonymous Coward]

Let me give you a hint: the "bad guy database" isn't connected to the outside world. The only way to get at that (whatever you were referring to) is to have an account on that network, and the right passes and codes to get into the building where it's stored. That's standard operating procedure for many, many secure systems, and I'm sure the US gov isn't any different :).

Re:Bad One?

[FLoWCTRL]

Yes... and there are probably lots of exploits that never get published, just used. Now do you want your government relying on this software to store data such as the Total Information Awareness Program [darpa.mil], for example? (Oh, I see they renamed it...)

Would you want your business to rely on it? I find it utterly astounding that so many PHB's still think its a good idea. A German beaurocrat who was pitching open source insightfully quipped, "'Security through obscurity' is the model of yesterday. The model of the future is 'Security through transparency'". Thats a paraphrase, and I'm too lazy to look it up. Great point, though. Maybe this new vulnerability will lead to another "slammer" worm...

Poll: Tinfoil hat mode ON!

[Atario]

Why does MS come out with patches so often?

1. To get you used to installing whatever they tell you to, you good little sheep
2. To appear to be constantly updating, just like all those punk kids with their Open Source and their Rock and Roll Music and such
3. To save money on testing costs

Re:Poll: Tinfoil hat mode ON!

[Xerithane]

Why does MS come out with patches so often?

Probably similar reasons as to why Linux-contributors release patches so often.

Because software has bugs. That's what software is for.

Re:Poll: Tinfoil hat mode ON!

[quantaman]

Because software has bugs. That's what software is for.

Hmm, and all this time I thought software was for doing work, silly me!

Re:Poll: Tinfoil hat mode ON!

[SCHecklerX]

If software were properly engineered, it would have far less 'bugs'. You don't see any other discipline like this. An engineer doesn't build a bridge/airplane/car/elevator/building any which way and then say "let's see how it works!" Oops, fell apart...repeat. No, they understand materials science, they do preliminary designs/tests/models, they analyze their design, they make sure their calculations are correct, and THEN they build. Computer programmers today do it as a totally backwards clusterfuck. It doesn't help that the tools they use are not properly engineered either (libraries, etc).

Re:Poll: Tinfoil hat mode ON!

[lostindenver]

Take you ha off and deal ALL (yes ALL) Software has bugs, Exploits or problems. Before you show your Ignorance compare how many realeases your favorite distro has had and compare it to MS. No I am not a ms Zealot but dude Chill out and reasearch. I really hope you do not have anything to do with ANY network i deal with.

Re:Poll: Tinfoil hat mode ON!

[Martin Blank]

https://rhn.redhat.com/errata/rh9-errata-security. html

33 patches and counting since March 31.

http://www.microsoft.com/technet/treeview/defaul t. asp?url=/technet/security/current.asp

18 patches and counting since March 31.

Nobody's immune. Even the BSD distros send out the occasional notice.

Re:Poll: Tinfoil hat mode ON!

[Jord]

How many of those are OS level? At the redhat site I counted 3 at the OS level. The rest are for add ons like Apache, MySQL, etc.

Could not check the MS one but I am guessing more than 3 of them were OS level patches since there were three just today.

Every one has security vulnerabilities but lets compare apples to apples here.

Re:Poll: Tinfoil hat mode ON!

[dirk]

This is comparing Apples to Apples for the most part. Saying Apache doesn't count, but IIS does is not comparing correctly. One reason MS appears to have so many more bugs is that their OS includes a lot more components that are thought of as part of the OS. Whever there is a problem with anything that ships with Windows, it is considered a Windows bug by most people. Yet when there is a Linux bug, people tend to saying it's an X bug (be it Apache, or Sendmail, or FTP, etc).

Re:Poll: Tinfoil hat mode ON!

[the eric conspiracy]

Saying Apache doesn't count, but IIS does is not comparing correctly. One reason MS appears to have so many more bugs is that their OS includes a lot more components that are thought of as part of the OS.

Actually it is comparing correctly because of the way the different systems are architected.

Apache is usually run in userland with limited privledges on a Unix machine while IIS.sys is a kernel mode device driver on a Windows machine. There result is a compromise in IIS presents a system wide security issue while a similar security issue in Apache only represents a user level security issue.

This sort of thing is very common in comparing Windows vs Unix/Linux security. The Windows code runs with admin level access or as part of the kernel, while the Linux application runs with much more restricted access.

Re:Poll: Tinfoil hat mode ON!

[dirk]

1. A Linux distro comes with so much more than a windows install does (windows comes with IE, linux comes with mozilla, galeon, konqueror; linux comes with koffice, abiword, openoffice, windows doesn't; etc etc etc. There's a reason that debian is 8+ CDs and Windows is 1 CD).

You are correct, but when was the last time you heard someone refer to a Mozilla bug as a Linux bug? If there is a bug in IE, it is usually considered a windows bug (even ones where you must be actively running and surfing with IE).

Choices...

[haeger]

You are correct, but when was the last time you heard someone refer to a Mozilla bug as a Linux bug? If there is a bug in IE, it is usually considered a windows bug (even ones where you must be actively running and surfing with IE).

Ok. As soon as You show me how to remove IE from Windows altogether as I can do with Mozilla on a Linux box I'll agree with You.
A bug in IE is a windows bug since there is no way to remove IE (I don't cound win98lite) while a bug in Mozilla is a bug in Mozilla.

Choices You know...

.haeger

Re:Poll: Tinfoil hat mode ON!

[deranged unix nut]

Why does MS come out with patches so often?

Seriously, because:
1) University Grad students think that Microsoft security problems are good Thesis topics.
2) It is the most prevalent OS on desktop machines, so it gets more attention.
3) Unlike other software vendors, they actually fix issues and distribute the patches instead of forcing customers to sign a NDA to get the known flaw in their enterprise class machine fixed (SUN).
4) They create complex software to provide the user with a better experience, but c

Dupe

[Anonymous Coward]

We just had a story about a security vulnerability in WIndows!

Last Stage of Delirium Research Group

[Peter_Pork]

The guys that found this vulnerability have an amusing web site [lsd-pl.net]. It looks rather professional for the underground (?) community. I bet the wear white coats while they hack.

Re:Last Stage of Delirium Research Group

[netsharc]

For the underground community maybe. But someone there has an arrows >>> <<< fetish, pointing at every direction.. the bottom of the page even has one ">>>", but clicking it gets you to the top of the page.. wtf?!?

To be more of the topic, why the hell do people love it so much to put links that "Go back to the top of the page"? Tell the users to press "Home" damnit!

Technet article

[Anonymous Coward]

Article [microsoft.com]

nt4

[denthijs]

so finally the first unpatchable bug for NT4 is here.
i know i'm not the only greyhat who smiled when they heard of the patching-stop [slashdot.org] for NT4
aaaah, the joys of an nonsupported, yet still heavily used platform
happy cracking y'all

Re:nt4

[PDHoss]

weird, I just patched this very bug for NT4 from Windows Update. YMMV, I guess.

I would patch

[Anonymous Coward]

It's a shame. I really like using windows, and I would like to patch my machine, but I don't trust Microsoft anymore. Their 'patches' come with new licensing terms and spyware. :(

Re:I would patch

[malakai]

Their patches come with SpyWare? Are you kidding me?

Are you sure these 'patches' you are applying weren't annoymously sent to you in an e-mail message? You know the mail message, where every sentance has a gramatical error in it ("I give you these patches in hopes that we protect your system together"), and the From line simply says "Microsoft Support People".

Then I could believe you got spyware from a patch. But otherwise, you're just full of FUD.

-Malakai

An apropos blast from the past

[sigelman]

From: Bill Gates
Sent: Tuesday, January 15, 2002 5:22 PM
To: Microsoft and Subsidiaries: All FTE
Subject: Trustworthy computing

"Every few years I have sent out a memo talking about the highest priority for Microsoft. Two years ago, it was the kickoff of our .NET strategy. Before that, it was several memos about the importance of the Internet to our future and the ways we could make the Internet truly useful for people. Over the last year it has become clear that ensuring .NET is a platform for Trustworthy Computing is more important than any other part of our work. If we don't do this, people simply won't be willing -- or able -- to take advantage of all the other great work we do. Trustworthy Computing is the highest priority for all the work we are doing. We must lead the industry to a whole new level of Trustworthiness in computing."

They are right to attribute such great importance to trustworthy systems -- and I do believe they are trying -- but 30,000,000 lines of code necessarily lead to opaque semantics. Good luck, MS, I think this will be one of many such deficiencies in Server 2003. Repeated claims of security and "trustworthiness" from their higher-ups will place the company in a boy-who-cried-wolf marketing scenario; at that point they're up a creek.

Re:An apropos blast from the past

[Rob Simpson]

Hmm...does "Trust" have the same relationship to "trust" as Truth has to the truth?

Here we go again

[coolmacdude]

Thank you Microsoft. I was beginning to feel for a minute there that the security holes were becoming less and less frequent and that Windows might not be such a dangerous platform after all. I really thought that trustworthy computing was starting to live up to its name. I was sure that I was getting a sincere vibe from Redmond that ol' Stevie boy had really decided to make a genuine effort to not have his users' data be preyed upon by script kiddies and cracker freaks. I would like to express my deepest g

Re:Here we go again

[FLoWCTRL]

I really thought that trustworthy computing was starting to live up to its name.

The motivation behind Trustworthy Computing is all about Digital Rights Management and copyright enforcement - it has little to do with fixing the seemingly infinite number of buffer overflow vulnerabilities that lead to total system compromise in Micro$soft's operating systems.

Here's some links about it [www.lifl.fr] if you want more information.

Re:Here we go again

[coolmacdude]

Yeah, I'm not up on all the latest MS terminology. I just used a few things I remembered randomly for my rant. :)

What do you know...

[GMFTatsujin]

The only thing that works correctly in Windows ME has finally been discovered.

Vulnerability

[Jason_says]

*News Flash!! A new vulnerability through buffer overflow has been found on computers. The new vulnerability does not appear to affect Unix, Linux, BSD, or Mac users. This of course only leaves very few commercial operating systems left, but we will not tell you right out which OS that this buffer overflow directly relates to. Thank you and have a nice day.

Turnaround time...?

[seldolivaw]

Much as I hate to give MS any ground on security, it does seem their lag time between vulnerabilities and patches is getting shorter recently. Amazing what some fear of competition will do :-)

Re:Turnaround time...?

[toddestan]

Lets see, this vulnerbility has been in Windows since NT was released, and it's now July 2003 and they are just getting around to patching it?

Oh, you mean the turnaround time until it is *discovered* and the patch.

I guess the point is, with open-source software such as Linux, the chance of big gaping security holes hanging around for years is much less. People look in the code and get them fixed up fairly quickly. This hole had been in Windows for years, and thus virtually every Windows server on the pl

Re:Turnaround time...?

[freeweed]

You mean like the remote Samba root exploit that was in the code for something like a decade?

Not a troll, just figure I'd point out that this cuts both ways.

Having said that, Linux beats Windows hands down in my books, for one big reason: I don't even know how to close port 135 on a Windows machine, without killing other services. AFAIK the RPC service is pretty much tied up together, and many applications won't work without it.

Stock Linux install leaves maybe 2 ports open.. oh wait, 0 if you let IPtables do its thing. In Windows, I'm still busy playing whack-a-mole trying to close the 15 or so ports XP insists on listening on.

Or maybe it's easy in Windows, and I've just given up learning how to lock a machine down with every release. Anyone ever figure out how to *permanently* close those idiotic admin shares?

Correct

[Sycraft-fu]

Like the BIND patch. Lest you forget there was, a year ago, that affected all versions. Somehow, despite the fact that it is open source, very old, very widely used and reviewed, a bug still managed to slip through.

When you must expose software to an infinently unknown amount of combinations (of OS, software, hardware but most important user input), you just cannot gaurentee that there will be no unexpected results. The biggest problem is the vairablity of user input. People will try and use things in unexpected, unapproved and malicious ways. Well, when this happens, it is possable an unforseen problem will crop up, despite your best efforts to prevent it.

What I find funny is how outraged people get about this in the computer world, when it is so prevliant elsewhere, with much higher stakes. For example: It is a known flaw with basically every consumer automibile that high speed impacts will result in sever injury or death of the operator. Now, this is an unintended method of operation, you are't SUPPOSED to slam into a brick wall doing 80, but it is a KNOWN problem, and remains un fixed. Further, they could fix, or at least improve, the problem in a large way. The first step would be to install an 8-point racing harness. Those little shoulder strap belts just don't cut it, you need to belt yourself in tighter and have more points of contact to dissapate the force over a larger area. Then there is the car itself. It needs a much better frame and much better break away points, as seen in race cars. Finally, there is other safety gear such as a helmet. Well, as race cars demonstrate, these do work. They make extremely high speed collisons, generally with only minor injuries to the driver.

So, why don't we have this? Two big reasons: Cost and inconvenience. Building a car to race car specs is EXPENSIVE, and not just because teh engine is high performance. That frame is NOT cheap. Then there are other safety measues that are a huge pain in the ass. An 8-point harness is an ordeal to get in and out of and noone want to wear a helmet inside a car. Thus, we consider it acceptable to allow the flaw to exist since it is one resultant of behavious that should not happen.

This is also akin to the computer siutation in that we could drasticly increase reliablity, but only by sacraficing cost and convienece. The cost would come form needing a verified design. Thing would move slowly because each part would need to eb extensively tested to insure there were no problems. This appiles to hardware and software. Kiss $1000 computer goodbye and figure on $10,000 or up. Then there is the inconvienence. They can't have you fiddling with this verified design, so you are going to be able to run only the apps tey ahve preapproved on the hardware they preapprove.

Unless you are willing to accept that (and people do make systems like that, contact IBM) then unforseen bugs and exploits WILL happen. And please don't act like it doesn't happen to OSS, go read SANS or Security Focus some time. There are more than plenty of exploits for both closed and open software.

Trustworthy Homeland

[Eberlin]

I see this as a cross between trustworthy computing and homeland security. Now that the deal has been set, I figure there's not much else to be said there.

We now need on ensure that our homeland is trustworthy. Whether that means full disclosure and a decrease in FUD, I don't know. (political implications intended)

As for operating systems and security vulnerabilities, holding back information regarding possible security threats until they're fixed (knowingly exposing systems in the meantime) DEFINITELY

hah!

[kritikal]

"allow an attacker to take control of computers running any version of Windows except for Windows ME."

all you people who said i was stupid for running windows me, look who's laughing now!

WTF?

[istartedi]

No Borg icon? No wise cracks? What gives?

Re: WTF?

[Black Parrot]

> No Borg icon? No wise cracks? What gives?

The cracks are in the software; don't know about the other stuff.

one step ahead

[fihzy]

10) find big remote vulnerability in product
20) perfect the exploit
30) have fun with it for months
40) find another big hole in same product
50) perfect exploit for hole
60) alert vendor about original hole
70) have fun with new hole
80) goto 40

Windows Vulnerabilities Revealed, Patched

[teamhasnoi]

Tonight on Fox! Right after "That 70's Show", You will learn the secrets Windows developers don't want you to know!

Jonathan Frakes explores the seedy world of Windows Vulneralbilities, on Windows Vulnerabilities Revealed, Patched!

Tonight on Fox!

and this is news?

[b17bmbr]

please. windows vulnerabilites are commonplace. we've all grown to know, love, and expect them. like death and taxes, if you will. are you shocked? not me?

This is very surprising

[dtjohnson]

Windows seems to have some security issues. Well, I'm sure that Microsoft fixed it.

Aren't we being just a little hypocritical here?

[neko the frog]

You know, when Apple spots a vulnerability in OSX and updates fairly promptly (and this isn't exactly a rare occurance), they're commended on their quick turnaround time for a patch. When Microsoft does the same thing, they're demonized as fixing Yet Another Bug(tm). Is it really impossible to give them credit where credit's due?

Yes, I run Windows!

[coene]

Yes, I run Windows on my desktops. And yes, I've stopped patching. I refuse. What's installed is exactly what comes off the CD. Got a problem with that, Microsoft?

*hides*

Re:Yes, I run Windows!

[valkraider]

What was your IP again?

Sure.

[foobario]

"The software giant issued a patch Wednesday morning to plug a critical security hole that could allow an attacker to take control of computers running any version of Windows except for Windows ME."

Hell, even legitimate users of Windows ME can't take control of their computers...

Windows Update

[heli0]

Buffer Overrun In RPC Interface Could Allow Code Execution
Security Update for Windows XP (823980)
Download size: 1.2 MB, ~ 1 minute
A security issue has been identified that could allow an attacker to remotely compromise a computer running Microsoft® Windows® and gain complete control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.

Unchecked Buffer in Windows Shell Could Enable System Compromise
821557: Security Update (Windows XP)
Download size: 5.1 MB, ~ 1 minute
An identified security issue in Microsoft Windows could allow an attacker to compromise a Microsoft Windows-based system and then take a variety of actions. For example, an attacker could execute code on the system. By installing this update, you can help protect your computer. After you install this item, you may have to restart your computer.

Could someone get them a copy of Secure Programming and highlight all of chapter 6 Avoid Buffer Overflow.

Didnt take long...

[angst7]

I checked my incoming logs and am already seeing quite a few more tickles at port 135 than usual. Where from, you ask? Somewhere in china mostly.. ips in the range 218.15.192.xxx coming from somewhere beyond blahblah.gd.cn.net. Here's one of the ips (its a phony drug sales place) 218.15.192.84... nice little e-com site :)

Ugh, isn't the net fun?

Buffer Overruns - this sounds familiar

[sempai]

The news.com article had one interesting quote that is different than the usual "time-to-patch-again" article, from Jeff Jones at MS:

"It was primarily a process issue," he said. "We will be updating our automated scanning tool to make sure this type of issue is detected in the future."

Last week, there were two patches released - both termed "buffer overruns". Nice semantics, because it's not made clear whether one could call this a buffer overflow, or an UNDERflow. It was just two weeks ago when the details about getting Linux to run on the XBox were released, and how the buffer underflow trick was used. Makes me wonder if MS took notice of that trick, and is now busy scanning the rest of their code looking for underflows, as opposed to the overflows they've already had their automated tools earmarking?

Yet another SCAM ?

[stock]

oh my goodness : " Microsoft admits critical flaw in nearly all Windows software "

"The announcement came one day after the Department of Homeland Security announced that it awarded a five-year, $90-million contract for Microsoft to supply all its most important desktop and server software for about 140,000 computers inside the new federal agency."

http://www.sfgate.com/cgi-bin/article.cgi?file=/ne ws/archive/2003/07/16/national1725EDT0732.DTL

that last quote is on the bottom..

Robert

Time to patch Windows, must be Thursday

[dheltzel]

Oh wait! This week's security flaw arrived a day early.

I had my Outlook Calendar set to sync on the Windows patches, now tomorrow's schedule will be all messed up. I wonder if I can convince my boss that tomorrow is really Friday?

Ahhhh, This explains it

[l0ungeb0y]

I've been seeing overflows run against port 135 on my home network for awhile now. Typically, these requests seem to come from Korea. Fortunately, my pc never had that port open anyway, and port 135 is Samba on my mac, but that is not effected by this exploit, though linux had a samba BO exploit a couple months back as I recall.

So, it may be very possible this sploit has been around for some time now.

We replaced Windows server long ago

[bigberk]

Back when our little organization had a Windows 2000 server (a couple years ago) I quickly realized that leaving the server unattended for a week was hazardous... some major exploit would undoubtedly be discovered.

We replaced it and are quite happy now. We don't pay anything for our new OS, and I go away for months and nothing bad happens :)

One Of These Things Is Not Like The Other...

[neuroxmurf]

There are more posts here than I can count (at +5, no less) ranting on about how since there have been bugs in open source software (including recent severe ones like BIND), Microsoft is no worse than the rest. Bullshit. The current vulerability is (stay with me, now) a remote root exploit in a component that can not be removed and thus is installed on every machine in the world that's running a vulnerable OS and that can't be disabled without rendering the machine worthless. When was the last time anybody but Microsoft had a bug that fit those three categories? Personally, I can't think of one. Does this mean open source software doesn't suck? Nope. Does it mean it doesn't have security problems? Nope. Does it mean Microsoft screwed the pooch? Yep.

Re:someting is wrong with this picture

[tarquin_fim_bim]

4) ????

5) PROFIT

Re:OH NO! Not Windows 2003!?

[Oriumpor]

Then again, the gap between responsible Redhat techs, and responsible Windows techs is still widening... Ease of use = ease of stupid.

Not that there can't be 2k&2k3 admins who patch frequently, but there's sure a lot more of em who just don't care or don't have time, whatever.

Re:OH NO! Not Windows 2003!?

[Flower]

Two patches rated by MS as critcal and both OS related vs an admittedly large number of patches, some very serious, but mostly non-os related.

Is this bit'o'news overblown? Probably. Will a lot of /.s generate a bunch of banner ad hits posting a lot of noise over it? Definately. But your example does not compare apples to apples.

Re:Well that's better than...

[Valar]

If the contents of those "documents" were made public

Well, I'll assume they are, seeing as you are OBVIOUSLY not a kernel developer yourself and yet you seem to be talking about those very contents...

Re:port 135 um...

[Homology]

It's also common sense to have patched up boxes, but still old exploits works because this is not done.