WindowsUpdate.com Secured, Permanently
Precisely nineteen months ago, Bill Gates sent out a memo to employees (and the press) announcing that security was Microsoft's number-one priority. Today, about a hundred readers have submitted the news that Microsoft.com went down last night. And now, the company has "extinguished" WindowsUpdate.com (future updates will come from a different domain). All this because of some Microsoft worm that triggers at midnight.
Related news: Windows Update says you're protected, but maybe you're not; WU.com briefly ran Linux, heh; worm variant with clever "anatomical term."
Next Week.. (Score:5, Funny)
Re:Next Week.. (Score:5, Funny)
Re:Next Week.. (Score:5, Funny)
Let the infected servers work it out amongst themselves.
Re:Next Week.. (Score:5, Interesting)
Better still, why not put 30 or 40 round robin DNS entries in? Symantec says there's about 228,000 infected boxes; with 40 different IPs on windowsupdate.com's DNS record, each server would be hit by less than 6,000 attackers. Surely, with the time they've had to prepare, they should have been able to handle this.. I'm really surprised that they actually took windowsupdate offline. I think any competent sysadmin with the financial resources of MS behind them should have been able to weather this storm without any loss of service.
I've been kind of wondering if there might not be some other exploit that some researcher is waiting to release, after everyone's auto update is broken...
Re:Next Week.. (Score:5, Informative)
Re:Next Week.. (Score:5, Insightful)
The MSBlast worm delivers about a 16 kbps stream, so whether the zombie is sitting on a 56k dial, a 256k upstream DSL or cable connection, or has a T-1 or larger uplink doesn't really matter. DDOS zombies don't usually consume all of the available bandwidth, since doing so would be rather counterproductive to the goal of making a DDOS attack.
If an average user, being mostly computer-illiterate but knowing that a reboot fixes most Windows problems for a while, finds that his/her computer can't connect to the Internet (the symptom of having all of your upstream bandwidth utilized), the most likely response will be a reboot. This lowers the effectiveness of the DDOS attack compared to a large number of zombies making the attack without their owners' knowledge, which allows them to continue uninterrupted.
Numbers of attackers are the key to a highly successful DDOS attack, not using up all the bandwidth at the zombie's disposal. MSBlast could take a lot more bandwidth and still be not noticed by broadband users, but the authors have clearly crafted it to work and not be noticed on machines with dial-up and other low-bandwidth connections. (I saw a 32-workstation LAN in a third world country; there was a 64k uplink for the whole office; things like that aren't unusual in many parts of the world. The likelihood of those machines being up to date on patches is very low, which makes them a good target for MSBlaster.)
My purpose for being there was to install a hardware firewall in front of their network, so they are far less likely to get infected, but there are many vulnerable machines like that out there with no protection. A good DDOS client can use them; one that consumes all available bandwidth can't.
Re:Next Week.. (Score:5, Informative)
GRISoft's AVG Antivirus, and ZoneAlarm, are two great and free tools that can fix and prevent these things.
AVG Anti-Virus [grisoft.com]
Zone Alarm [zonelabs.com]
A year or two ago, I wouldn't have thought that firewalls were so essential for dial-up users. Now, it's important for all users to have them, regardless of the OS.
Re:Next Week.. (Score:5, Informative)
The worm doesn't sanity check the DNS result, though, so if the name doesn't exist, gethostbyname() returns -1, which translates to an IP of 255.255.255.255. The reports I'm reading say that the windows stack won't allow you to send traffic to that IP, so the machine will just drop it. (that could be wrong, though. We'll find out soon.)
Everybody is missing the point (Score:5, Insightful)
Power outage related to Microsoft (Score:3, Funny)
Re:Power outage related to Microsoft (Score:5, Funny)
"Impossibly, there's too many compromised machines. You'd need to turn off every computer on the East Coast..."
Re:Power outage related to Microsoft (Score:4, Interesting)
If those rumors are true, then the worm didn't cause the power failures, it just disabled the systems that would have prevented them. That this happened at around the same time is just a coincidence, - or maybe minor power failures happen frequently and were just prevented from spreading?
Microsoft != reliable (Score:5, Funny)
If those rumors are true, then the worm didn't cause the power failures, it just disabled the systems that would have prevented them. That this happened at around the same time is just a coincidence, - or maybe minor power failures happen frequently and were just prevented from spreading?
Who the fuck runs mission-critical systems on Windows?!! HOMER SIMPSON?!!!
Re:Microsoft != reliable (Score:5, Funny)
<stupid filler to avoid the fscking retarded lameness filter>
Re:Microsoft != reliable (Score:5, Funny)
Re:Power outage related to Microsoft (Score:5, Interesting)
I was watching the Discovery Channel (or History Channel, one of those) and they talked about that large blackout that occurred back in NYC in 1977.
The power grid protection system itself is what caused the blackout. One substation sees it's getting a huge surge of excess power, can't handle it, and shuts down. This passes this huge surge to the next station, which also shuts itself down to protect itself. It's a huge chain reaction of power surge seen by a substation, substation shuts down to protect itself, surge passes on to next station, etc etc.
The show was about terrorism in the US and how unprotected we are - and it really gets you thinking. If some jackass in Ottawa can plug in their hair blower and toast the power to several major metropolitan areas, imagine what a well thought out, organized terrorist could do.
Personally, I think we should build some new nuclear power plants [doe.gov]. 66 reactors provide 769 billion kWh, or about 20% of the total power produced in the US (2001 figures). These plants are old, the newest ones going all the way back to the early 80s, with no new orders for nuclear units since 77.
The US is relying less on its hydroelectric, nuclear and coal plants and building more "peak use" and "daytime" generators, huge gas turbines that are only turned on when there's a peak demand or only on normal business hours, say 9-5.
Why? It's not any more efficient; in fact these giant gas turbines tend to use more fuel than coal systems to produce nowhere near the same power. It's all about aesthetics. No one wants a power plant near them, but everyone wants power. So they build these peak use and daytime plants - low output systems that take up almost no room and don't have the usual huge smoke stacks, etc. you're used to seeing with plants.
I personally wish the US would update its power infrastructure, and I'd be willing to pay for it. Retire old, inefficient nuclear plants and build new, more powerful, safer ones. Add in more redundancy into the network, more real-time failovers.
They are modernizing it, don't get me wrong, but they aren't going at near the pace I'd like to see.
(Probably kiss my karma goodbye now, oh well. The power grid is something no one cares about or wants to put money into unless something goes wrong - then we all conveniently forget about what happened when there's a bill up to repair and update it at the cost of a couple bucks a week in taxes)
Re:Power outage related to Microsoft (Score:5, Funny)
Just send that personal check for several hundred billion dollars to:
U.S. Department of Energy
1000 Independence Ave., SW
Washington, DC 20585
Re:Power outage related to Microsoft (Score:5, Insightful)
Just close up the operation a little early and divert those funds.
Nah, never happen. Preemptive wars and years-long occupations of nations that are of dubious (at best) threat to US interests are more important than making sure your lights stay on.
Prepare to pay thru the colon (Score:5, Interesting)
Re:Power outage related to Microsoft (Score:4, Funny)
Interestingly enough, Bush says that the nation's power grid needs to be updated, [yahoo.com] but doesn't know how or how much it will cost. Hmmm, I wonder if this means replacing the hamsters [hamsterdance.com] with ferrets?
Re:Power outage related to Microsoft (Score:5, Insightful)
Take it from someone whose soon-to-be-parents-in-law are up to their necks in the power + safety industry:
Control frontends and GUIs may run Windows. They may also run Java apps. The back-end is ALL Unix (and specifically NOT Linux), because there are very few OS vendors who will certify and indemnify the use of their OS in that kind of safety critical environment. Windows explicitly states that it's not for use in such an environment.
Simon
Re:Power outage related to Microsoft (Score:5, Funny)
Control frontends and GUIs may run Windows. They may also run Java apps. The back-end is ALL Unix (and specifically NOT Linux), because there are very few OS vendors who will certify and indemnify the use of their OS in that kind of safety critical environment.
Ah.
SCO UNIX.
No wonder.
(*duck*)
What did they do? (Score:3, Funny)
Re:What did they do? (Score:5, Informative)
No, they took the A record out completely. It's not Akamai-ized. That's the linux box you see.
Re:What did they do? (Score:5, Informative)
Date: Fri, 15 Aug 2003 08:33:57 +0200
From: Carsten.Truckenbrodt@Bertelsmann.de
Subject: AW: [Full-Disclosure] MS should point windowsupdate.com to 127.0.0.1
To: full-disclosure@lists.netsys.com
Cc: security@microsoft.com
Hi,
This might be a bad idea. If you let windowsupdate.com resolve to 127.0.0.1
the following will happen: The worm uses spoofed IPs from the local
subnet as source address. Pointing all the syn packets to 127.0.0.1 will
generate a RST packet from the local host to the spoofed IPs and spread
traffic over the complete internal network.
Even blocking or routing the normally resolved IP to Null0 will be a lot of
work because this domain is loadbalanced through the world. That means you
get a different resolution depending on your ISP or place in the world.
If you manipulate your DNS, you should give no A-Record back to the worm.
With this the worm will not start attacking anything. So setting up a
nameserver zone with only a SOA record will do the job for Saturday 0:00.
Best Regards,
Carsten Truckenbrodt
Arvato systems Taco Network SnotIing Security
-----Original Message-----
From: Tobias Oetiker [mailto:oetiker@ee.ethz.ch]
Sent: Friday, 15 August 2003 00:15
To: full-disclosure@lists.netsys.com
Cc: security@microsoft.com
Subject: [Full-Disclosure] MS should point windowsupdate.com to 127.0.0.1
Folks,
How about MS standing up for the mess, and changing their own DNS to point
all requests for windowsupdate.com and whatnot to 127.0.0.1?
This will null the effect of the syn flood very effectively. Only proxies
will be affected.
As far as I see it, they will not be able to use these names productively
for the foreseeable future anyways
So they will have to issue an update for windows-updater through other
channels (like their homepage for example) to point it to a different
web-site
If MS does NOT make this change to their DNS, I can see many routers that are
trying to track connections toppling over in interesting ways.
Because the local techs have no clue, it will
take the affected companies ages to get back on the net.
tobi
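The no-A-record approach Carsten recommends above (together with the earlier observation that MSBlast never sanity-checks the result of gethostbyname(), which is why a plain lookup failure is the safe outcome), as an added worked example that is not code from either poster: a minimal authoritative responder for a sinkhole zone, in Python with only the standard library. It builds wire-format replies that carry the zone's SOA in the authority section and nothing in the answer section (NOERROR with an empty answer for the apex, NXDOMAIN for anything below it), builds an ordinary one-A-record reply for contrast, and parses both the way a client would. The zone name windowsupdate.com is the one under discussion; the SOA MNAME/RNAME (ns1.sinkhole.example, hostmaster.sinkhole.example), serial and timer values are placeholders, and the code assumes one question per query and IPv4 only.

```python
import struct

# Constructed example: DNS constants used by the sinkhole responder below.
QTYPE_A, QTYPE_SOA, QCLASS_IN = 1, 6, 1
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name: str) -> bytes:
    """Dotted name -> DNS label format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int) -> tuple:
    """Label-format name at off -> (name, offset after it); follows compression pointers."""
    labels = []
    while True:
        length = msg[off]
        off += 1
        if length == 0:
            return ".".join(labels), off
        if (length & 0xC0) == 0xC0:                   # pointer to an earlier copy of the name
            ptr = ((length & 0x3F) << 8) | msg[off]
            tail, _ = decode_name(msg, ptr)
            return ".".join(labels + [tail]), off + 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_query(qid: int, qname: str, qtype: int = QTYPE_A) -> bytes:
    """A recursion-desired query, as a stub resolver (gethostbyname) sends it."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def _question(query: bytes) -> tuple:
    """Split a query into (id, flags, qname, raw question section)."""
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(query, 12)
    return qid, flags, qname, query[12:off + 4]      # name + QTYPE + QCLASS


def sinkhole_reply(query: bytes, zone: str, mname: str, rname: str) -> bytes:
    """Authoritative reply for any name in `zone`: no answer records, only the SOA in
    the authority section.  The apex gets NOERROR with an empty answer (the zone exists
    but has no A record); names below it get NXDOMAIN.  Either way the client's lookup
    fails instead of yielding 127.0.0.1 or a real address."""
    qid, flags, qname, question = _question(query)
    apex = zone.rstrip(".").lower()
    if not (qname.lower() == apex or qname.lower().endswith("." + apex)):
        raise ValueError(f"{qname} is not in sinkhole zone {zone}")
    rcode = RCODE_NOERROR if qname.lower() == apex else RCODE_NXDOMAIN
    # QR=1, opcode copied, AA=1, RD copied, RA=0, then the response code.
    rflags = 0x8000 | (flags & 0x7800) | 0x0400 | (flags & 0x0100) | rcode
    # SOA RDATA: MNAME, RNAME, serial, refresh, retry, expire, minimum (placeholder values).
    soa_rdata = encode_name(mname) + encode_name(rname) + struct.pack(
        "!IIIII", 2003081501, 3600, 900, 604800, 60)
    authority = encode_name(apex) + struct.pack(
        "!HHIH", QTYPE_SOA, QCLASS_IN, 60, len(soa_rdata)) + soa_rdata
    return struct.pack("!HHHHHH", qid, rflags, 1, 0, 1, 0) + question + authority


def answer_reply(query: bytes, address: str, ttl: int = 60) -> bytes:
    """Contrast case: an ordinary reply with one A record (owner name as a pointer to the question)."""
    qid, flags, _qname, question = _question(query)
    rdata = bytes(int(p) for p in address.split("."))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    return struct.pack("!HHHHHH", qid, 0x8400 | (flags & 0x0100), 1, 1, 0, 0) + question + rr


def parse_reply(msg: bytes) -> dict:
    """Header, question and answer section of a reply; authority/additional are only counted."""
    qid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, rdata))
    return {"id": qid, "qname": qname, "rcode": flags & 0xF, "aa": bool(flags & 0x0400),
            "answers": answers, "authority_count": ns, "additional_count": ar}


def first_a_record(reply: bytes):
    """What a careful client does with a reply: take the address, or None when there is none."""
    for _name, rtype, rdata in parse_reply(reply)["answers"]:
        if rtype == QTYPE_A:
            return rdata
    return None


if __name__ == "__main__":
    for name in ("windowsupdate.com", "v4.windowsupdate.com"):
        reply = sinkhole_reply(build_query(0x1234, name), "windowsupdate.com",
                               "ns1.sinkhole.example", "hostmaster.sinkhole.example")
        print(name, "rcode", parse_reply(reply)["rcode"], "address", first_a_record(reply))
```

Run as a script it shows both names answered authoritatively with no address; the `first_a_record` caller is the check the worm's author skipped, since a client that uses whatever falls out of a failed lookup is exactly what Carsten's note is working around.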
Re:What did they do? (Score:3, Funny)
Re:What did they do? (Score:4, Funny)
Sure I was thinking about that. Let's use YOUR network for it...
Re:What did they do? (Score:5, Funny)
Uhhhh, No (Score:5, Insightful)
I know (think) you're joking, but while we can moan all we want about how Microsoft should design software that's more secure, we can't do anything about existing systems. And windowsupdate was the fastest, easiest way for the non-tech public to protect and repair themselves. Those of you out there that view this impending attack and the shutting down of windowsupdate as a good thing are very shortsighted.
Maybe you don't give a shit about all of those other users out there that use Windows. Maybe you're happy this is happening. Fine. But rest assured, it's not going to cause people to rebel against Microsoft, like many of you are hoping. There will be no enlightenment and mass exodus to Linux or BSD or OSX. This is going to get blamed on "hackers". And we all know hackers hate God, hate America, root for Saddam, get pentagram tattoos on their foreheads....and use Linux. Pretty soon it'll be "yeah, I saw those Linux guys bragging on slashdot.org that they took windowsupdate down!"
IBM's reps will be going "yeah, thanks heaps for the positive image, slashdotters.........fuckers".
Make fun of people that run Windows all you want, but don't assist in, or support the disabling of one of their few effective means of defense.
I think the windows update botton on the taskbar.. (Score:5, Insightful)
Re:I think the windows update botton on the taskba (Score:5, Insightful)
Re:I think the windows update botton on the taskba (Score:5, Insightful)
Re:I think the windows update botton on the taskba (Score:5, Informative)
Problem is, when you click on the link to DOWNLOAD the actual patch for XP, it just redirects you to www.microsoft.com, so even their security tool is useless if you can't get to the files to manually install them. Fucking ridiculous.
Re:I think the windows update botton on the taskba (Score:3, Insightful)
That is a pretty shitty way to handle a down server, by convincing your customers they are safe when they are not.
Re:I think the windows update botton on the taskba (Score:4, Insightful)
Re:I think the windows update botton on the taskba (Score:3, Interesting)
Re:I think the windows update botton on the taskba (Score:5, Informative)
-1 Overrated for that on a +5 post
Re:I think the windows update botton on the taskba (Score:5, Interesting)
I'm an XP user (among other os's) and I don't trust the average Windows user either. Not ragging, just a fact. My mom is one of them.
My brother and I were joking around because mom asked him what she should do about "that new virus" (blaster). She asked him if unplugging the computer was enough, or if she needed to do more. I told him he should have told her to put the box in the refrigerator because everyone knows that viruses and germs won't grow when they are kept that cold. Yea, I know, slightly cruel, but I'm telling ya, she just MIGHT have done it if we could have kept from laughing.
So it's not an insult to Windows users, it's just a fact: Most are interested in doing stuff with their computers and expect them to be like a toaster, just plug it in and never think about it again.
Ironically, I bought my 67 year old mom the computer last Christmas, she uses it every day, and she WAS smart enough to ask someone about it, more than I can say about a few
Re:I think the windows update botton on the taskba (Score:4, Interesting)
It used to be that we could blame the users for running executables they receive via emails. We demanded common sense, and said that it was user error, not Software Developer error. This time, the mere act of being plugged into a network or the Internet is enough to get the computer infected. So what do we do? We say Damn those lusers because they didn't install their latest security patches!.
That's a big, smelly load of shit. Systems administrators should be required to read bugtraq and keep their systems patched. Users should only show common sense. We can't ask them to do these things. There are people working with computers that actually use them as tools to do work, rather than as objects of worship, as we geeks do. They don't want to know about driver install woes or our petty flavour of the month.
We should be bounds-checking our mallocs rather than demanding users take the time to fix the faulty products we put out.
Not just WU... (Score:3, Interesting)
Quoth Billy G: "Linux sucks, it's worthless, not usable for real . . . What? A worm? Aaaiiiieee! Tux Save Me!!!"
---
Jedimom.com [jedimom.com], that not-so-fresh feeling.
not quite (Score:5, Informative)
Server: Microsoft-IIS/6.0
Last changed: 15-Aug-2003
IP address: 213.161.82.33
Netblock Owner: Akamai
they did not switch their servers to linux, they used akamai's caching services to handle their massive bandwidth requirements. notice the server is still iis. this is an akamai box (linux) serving a cached copy of microsoft.com (windows/iis)
$ host www.microsoft.com
www.microsoft.com is an alias for www.microsoft.com.edgesuite.net.
www.microsoft.c
a562.cd.akamai.net has address 63.236.1.163
a562.cd.akamai.net has address 63.236.1.160
a562.cd.akamai.net has address 63.236.1.153
a562.cd.akamai.net has address 63.236.1.139
a562.cd.akamai.net has address 63.236.1.168
a562.cd.akamai.net has address 63.236.1.147
a562.cd.akamai.net has address 63.236.1.138
Re:not quite (Score:3, Interesting)
Re:not quite (Score:3, Interesting)
Re:not quite (Score:3, Interesting)
Security by obscurity. (Score:3, Insightful)
Change the update machines, new names, etc etc. MS is resorting to smoke and mirror tricks. It will only fool the current worms, not future ones that will have the new machine names in them.
Re: Security by obscurity. (Score:3, Interesting)
NetCraft stats (Score:5, Informative)
Re:NetCraft stats (Score:3, Insightful)
Re:Not really... (Score:5, Insightful)
In other news... (Score:5, Funny)
Breathing is more important to us than any other activity. If we don't breathe, we will die.
Ahhh, the perfect security (Score:4, Funny)
2) Encase box in several hundred cubic meters of concrete
3) Surround concrete with meter thick lead lining
4) Bury under radioactive waste in a geologically stable region
5) Saturate the surface with nuclear land mines
6) Curse Microsoft, because you still get hacked!
Re:Ahhh, the perfect security (Score:5, Funny)
2) Encase box in several hundred cubic meters of concrete
3) Surround concrete with meter thick lead lining
4) Bury under radioactive waste in a geologically stable region
5) Saturate the surface with nuclear land mines
6) Curse Microsoft, because you still get hacked!
7) Profit?
It sure is a hell of a lot faster (Score:5, Informative)
Sensationalism? (Score:3, Informative)
windowsupdate.microsoft.com (Score:5, Interesting)
Re:windowsupdate.microsoft.com (Score:4, Funny)
darn...
cvs co msworm.asm
click. tap. clack. click.
cvs commit -m 'fix url'
make;make install
ok, done. Thanks!
Permanently Secured == Permanently Offline? (Score:5, Insightful)
Military Definitions of "Secured"... (Score:5, Funny)
Reminds me of the old military joke,
The Army will post guards around the place.
The Navy will turn out the lights and lock the doors.
The Marines will kill everybody inside and set up a headquarters
The Air Force will take out a 5 year lease with an option to buy.
Here's the deal on Linux for windowsupdate.com (Score:5, Interesting)
Of course, it's extremely amusing that they're paying to have their content served by a flock of 15,000 penguins. I'm a bit concerned for our own site this weekend, as we use akamai for our static content. It'll be interesting to see how my pageloadtimes are affected (if they are).
Akamai is a great resource for dealing with huge spikes in webserver load - I guess you could say this qualifies as that.
Saved? (Score:5, Funny)
Now I'm thinking, was this intervention from a higher force to protect me from installing WMP9 or just odd luck?
Gotto think fast (Score:3, Funny)
So... (Score:4, Interesting)
I started using it here about 6 months ago, it is the only way to go. I cannot imagine using Windows Update as an enterprise solution. One or two PCs at home sure, but SUS is free dammit.
Re:So... (Score:4, Informative)
Caveats:
Requires Windows 2000/2003 Server (for the server)
Only updates Windows 2000/XP/2003 (Professional or higher?)
Until recently (SUS sp1), you could not install the SUS server on a domain controller.
I think it only installs critical updates, not recommended updates, and not 3rd party software... so (tear, sniffle) no euro conversion tool.
Other than that, I don't know a lot about it either... but I did very recently start a job where I desperately need to deploy something like this. There's a lot of questions I have like how do you ensure the clients actually update? Is there any reporting? Are the updates pushed or pulled? Does anyone have any SUS stories good or bad?
More info
Server Download Page [microsoft.com]
Random dated article found on google. [directions...rosoft.com]
What took out Microsoft.com last night??? (Score:5, Funny)
How to get Good MS PR (Score:3, Funny)
Assuming that all old windows systems are unsecure or badly written..
Would it not make sense to take 75% of $45 billion and offer to replace hardware and update to WinXP or Longhorn for every MS customer worldwide?
It would be the PR stunt of the century..
next worm is going to use google (Score:5, Interesting)
Let's see what happens then... Microsoft is going to pressure Google to remove www.google.com from their DNS servers
cool title (Score:5, Funny)
That is the coolest job title. I'd have to negotiate a gold plated machette as a hiring bonus for a title like that. And anyone working for me would be officially titled a Hacking Minion!
Ironic? (Score:5, Funny)
Maybe he didn't get the memo?
About That Bill Gates Memo... (Score:3, Insightful)
So now, when we face a choice between adding features and resolving security issues, we need to choose security.
Apparently he changed his mind.
Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve.
After it's too late, that is.
A good example of this is the changes we made in Outlook to avoid email borne viruses.
I must've been absent when that came true.
If we discover a risk that a feature could compromise someone's privacy, that problem gets solved first.
Since when are bugs called "features"?
If there is any way we can better protect important data and minimize downtime, we should focus on this.
Lip + service = $$$
Today, in the developed world (Score:3, Funny)
"Today, in the developed world, we do not worry about electricity and water services being available"
Well, at least some people don't have to worry about electricity...
Sidechannel attacks (Score:5, Insightful)
For example, if someone hijacks or otherwise poisons some DNS servers, then all the traffic to windowsupdate.com will make it through to windowsupdate.microsoft.com anyway.
Or, a future worm could be written to target & attack a variety of Microsoft servers.
Or a future worm could be written in such a way that the target is not part of the worm's code, but rather can be directed remotely somehow. This way, even if Microsoft tries to switch addresses, the person[s] directing the attack can just change the target.
The real solution isn't to keep trying to dodge the bullet.
The solution to become bulletproof.
Even after all this time, Microsoft still doesn't seem to get that.
Part of the reason Microsoft is such a prominent target is of course because it is so, well, prominent. Taking down (say) an FSF server doesn't raise nearly as many headlines (as this week's headlines will attest to). But I don't think that all of the problem here can be traced to how widespread Windows is -- while the Internet's clients are nearly all running Windows, a large fraction of the server architecture is running some Unix variant, and while there is of course some malware that targets *nix (Linux, Solaris, MacOSX, BSD, etc), the results never seem to be as catastrophic as the typical Windows outbreak.
To rip off Bruce Schneier's analogy from his security article in Atlantic Monthly [theatlantic.com] a year ago, it seems to me that what security mechanisms Windows has tend to be brittle, while those that the *nix etc world have tend to be pliable. That is to say, when a problem comes up with (say) Apache, the damage tends to be isolated. This is partly because each installation will be configured differently, with different features enabled or disabled, and partly because the server runs on a variety of systems, each of which may have different mechanisms for providing underlying security protections. On the other hand, IIS installations tend to be pretty homogeneous, and a flaw with one very well could be a flaw with all.
That's not to say that IIS couldn't be just as secure as Apache, if not much more so. But part of Apache (etc)'s strength is its heterogeneous nature -- people are able to tinker, adapt, mix & match components to suit their needs, and in the process this will also tend to protect them from catastrophic failure. Microsoft has actively resisted this kind of diversity -- witness their howls about having to come up with "thousands of versions of Windows" if some of the firmer antitrust penalties were put into force. Those thousands of permutations are, arguably, exactly what is needed: this will give their users greater choice, and it will make emergencies like this more rare.
I don't get why they're so opposed to the idea.
Maybe they've got cleverer plans than anything I can think of. I certainly wouldn't claim to be any kind of security expert. But if the best they can come up with is a change of address card, I can't help but wonder if they're fumbling in the dark here...
Re:Sidechannel attacks (Score:5, Insightful)
I actually don't want to get into whether or not having source code access improves security. A lot of people firmly believe that openness lends to security (and I happen to agree with them, in general), but some of the arguments against source availability are pretty persuasive too. Let's not get into that right now.
You write...
Well put. After re-reading my post again, I think you've done a better job of putting your thumb on Schneier's argument about the pliability of systems that have well designed security. The point, which I guess I didn't really explain well enough, is that a well designed system sags instead of buckles; it softens instead of shatters. Apache tends to sag & soften; IIS tends to buckle & shatter.
No system can ever be completely resistant to catastrophic failure. I think that Godel's incompleteness theorem [ncsu.edu] and Turing's halting problem [wikipedia.org] are, in a way, proofs of this assertion: no matter how well any system is designed, there are always cases that fall out of the design scope, and will cause Interesting Failures.
This can be a depressing insight. You will never have a perfectly safe system. Ever.
You can respond to that in a couple of ways. One is to say "fuck it, we can't win, so why try"? Another way is to say "we can't anticipate what will happen, but we can try to compartmentalize the damage from certain problem classes." You could say that Microsoft has been moving to the second point of view here, but it's taking them an agonizingly long time to get there, while Apache/Linux/etc have long been designed from this point of view.
Interestingly, and to go back to Schneier's excellent article again, this sort of thinking also comes up in real world security considerations. Some of our systems are brittle (the airlines), and single failures can have catastrophic results. Other systems tend to be plastic (the power grid), and catastrophic failures are rare -- because single failures are common, expected, and planned for.
This is why I find all the bleating on by the newscasters & politicians that "the power outage was not the result of terrorism." Well of course it wasn't, this isn't the sort of attack that a small malicious party can pull off. Power stations go out all the time, but normally nobody ever notices. Indeed, it is very, very hard to deliberately bring down a power system: NATO spent a month bombing [cnn.com] the power grid & computer networks in Yugoslavia, but they never managed to do much more than bring a city like Belgrade down for a few hours before power was restored.
If you want to bring down a whole grid, the best way to do it is by plain dumb luck (or an overwhelming lack of luck, depending on your point of view :-). It was a random fluke that caused yesterday's outage, just as it was random flukes that brought down the grid in the last two major outages, in 1977 & 1965. (On the bright side, that suggests that the mean time between power grid failures may be stretching out... :-). (Incidentally, the Presidential Report [gmu.edu] on the 1965 outage makes for fascinating -- and newly relevant -- reading material).
(To get even further off track, this kind of thing is also why Bayesian spam filters are such a good idea: at the micro level, each filter tends to do a fairly good job of being able to classify each user's patterns. But at a macro level, everyone ends up with a unique profile, and spam crafted to circumvent one user's Bay
Scary Vulnerability (Score:5, Insightful)
This strikes me as being a really bad thing:
They're missing a really big flaw, here, which is that this is horribly vulnerable to malicious behavior. There are already plenty of viruses and worms out there that make registry entries for one purpose or another. It seems to me that if you were exploiting a vulnerability for which a patch already existed it would be very easy to automatically modify the registry to make it appear that the patch had already been applied. This would make tracking which systems were vulnerable much, much more difficult. This would work particularly well if you were trying to make a stealth worm.
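The cross-check the post above is asking for, as an added example (not code from the comment or from any Microsoft tool): treat the registry's "patch installed" marker as a hint and decide from the version stamped into the binary the patch was supposed to replace. The file path, version numbers and registry claim used in the demo are constructed placeholders; on Windows the version reader goes through version.dll (GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW), and on any other platform the caller supplies its own lookup function, which is also how the demo runs.

```python
import sys
from dataclasses import dataclass

# Constructed example: decide "is this patch really applied?" from the binary on disk,
# using the registry entry only as a hint that may have been planted.


def parse_version(text: str) -> tuple:
    """'5.1.2600.1243' -> (5, 1, 2600, 1243); shorter strings are zero-padded to four parts."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def windows_file_version(path: str):
    """Read the fixed file version of a PE file through version.dll (Windows only).
    Returns a 4-tuple, or None when the file is missing or carries no version resource."""
    if not sys.platform.startswith("win"):
        return None
    import ctypes
    from ctypes import wintypes
    version = ctypes.WinDLL("version")
    size = version.GetFileVersionInfoSizeW(path, None)
    if not size:
        return None
    buf = ctypes.create_string_buffer(size)
    if not version.GetFileVersionInfoW(path, 0, size, buf):
        return None
    ptr, length = ctypes.c_void_p(), wintypes.UINT()
    if not version.VerQueryValueW(buf, "\\", ctypes.byref(ptr), ctypes.byref(length)):
        return None
    # VS_FIXEDFILEINFO begins: dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS
    fixed = (wintypes.DWORD * 4).from_address(ptr.value)
    ms, ls = fixed[2], fixed[3]
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


@dataclass
class Verdict:
    status: str            # "patched", "unpatched", "registry-only" or "file-missing"
    registry_claims: bool  # what the registry marker said
    file_version: tuple    # what the binary actually is (None if unreadable)
    required: tuple        # the version the patch ships


def assess_patch(registry_claims: bool, binary_path: str, required_version: str,
                 version_of=windows_file_version) -> Verdict:
    """The registry can say anything; the binary's version is what decides."""
    required = parse_version(required_version)
    found = version_of(binary_path)
    if found is None:
        return Verdict("file-missing", registry_claims, None, required)
    if found >= required:
        return Verdict("patched", registry_claims, found, required)
    # Binary predates the fix.  A registry entry claiming otherwise is the spoof the
    # post describes, so it gets its own status rather than plain "unpatched".
    status = "registry-only" if registry_claims else "unpatched"
    return Verdict(status, registry_claims, found, required)


if __name__ == "__main__":
    # Constructed inventory standing in for the file system; path and versions are placeholders.
    fake_files = {r"C:\WINDOWS\system32\example.dll": "5.1.2600.1000"}

    def lookup(path):
        return parse_version(fake_files[path]) if path in fake_files else None

    v = assess_patch(True, r"C:\WINDOWS\system32\example.dll", "5.1.2600.1243", version_of=lookup)
    print(v.status, v.file_version, "<", v.required)
```

A "registry-only" verdict on a fleet scan is the interesting line: the marker is present but the code is not, which is either a botched install or the planted entry the post warns about, and either way the host is still exposed.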
DOS or real traffic? (Score:4, Interesting)
Who cares (Score:3, Interesting)
Doesn't seem right that they are allowed to throw up a button for "Program Access and Defaults" while at the same time making sure you actually can't live without the products you're trying not to use.
btw, waiting and hoping that the automatic updates work is NOT an alternative. Except for those who never use non-critical updates (i.e. WMovMaker, WMP9 etc) or love being alpha testers for a company known to CONSTANTLY screw up their patches.
Microsoft's "Security" Record sucks but... (Score:5, Insightful)
We need to all make good design and operational decisions. Bad decisions like the one made by Lindows to run as root by default can lead to Linux having as bad a reputation as Microsoft.
The Linux community is positioned to demonstrate to the world that Linux, not Windows, should be used anywhere that security is an issue. Let's not blow it.
Re:Microsoft's "Security" Record sucks but... (Score:5, Insightful)
What we really can't overlook are the popular distributions. They can't be putting in ridiculous defaults at startup. They shouldn't use too much beta software that's going to be running a lot. They need to keep pushing updates, and make it easy. And for the most part, I think we're doing pretty good. Learn from Microsoft's mistakes while you laugh at them.
Package Management (Score:3, Interesting)
Operating system version control has been a problem for Microsoft Windows for a long time. Especially with runtime software bundled with third-party applications (think DirectX), you need a clear way to identify what is installed on a machine, upgrade it while tracking dependencies, and easily remove it. InstallShield does this sort of thing -- why isn't it built into the operating system?
Furthermore, most package managers provide a facility to verify the files that are running on the machine. While it isn't as conclusive as something like Tripwire, a simple "rpm --verify --all" will give you some insight into whether a system file has been replaced.
Package management on AIX (and probably other UN*Xes, but I haven't used them) gives you the ability to roll back out of a patch that went wrong, too. While that is possible to some extent in Windows, a package management solution could make that very easy.
And while we're at it, why isn't there a framework built into Windows to centralize patching of ALL products, not just Microsoft ones? Certainly the "Microsoft Update" that they are proposing is a good step, but why not build something that can check other vendors' web sites for patches? Couldn't such a framework be built so that when an application is installed it registers with the OS, and tells the OS where to look for updates for that specific product? Then when you run this "update console" or whatever, your local machine goes out to Microsoft, Symantec, Adobe, whoever, and checks to see if there are updates for EVERYTHING that is installed?
The system could also be similar to Red Hat's update mirrors/satellite up2date server, where a corporate customer could set up a central update server, tell it where to get updates for all the products in use in their company, and then that server mirrors it. Then updating the client workstations (and servers) is something that happens in-house. Maybe it could even be smart enough to tell if a client machine hasn't been updated yet, and then when that machine is powered on it could update itself and reboot if necessary, all before the user is able to log in.
These two things together could really put a dent in management for Windows machines. Sorry if this is sort of a ramble, I've been thinking about it for a while and it all just spilled out.
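The "rpm --verify --all" check mentioned above produces one line per file whose recorded attributes no longer match. The following is an added example (not code from the thread) that triages such output, separating expected edits to config files from a replaced system binary; the sample lines are constructed, and the flag letters follow rpm's documented verify format.

```python
"""Triage `rpm --verify --all` (rpm -Va) output.

Flag positions in each line (rpm's verify format):
S size, M mode, 5 digest, D device, L symlink, U user, G group, T mtime, P caps.
A '.' means the attribute matched, '?' means it could not be checked.
An optional file-type letter follows (c = config file), then the path.
"""
import re

VERIFY_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/.*)$")
MISSING_RE = re.compile(r"^missing\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/.*)$")

FLAG_NAMES = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
              "U": "user", "G": "group", "T": "mtime", "P": "caps"}

# Attributes that, on a non-config file, indicate replacement or tampering
# rather than a harmless mtime touch.
CONTENT_OR_PERMS = {"size", "digest", "mode", "user", "group", "missing"}


def parse_verify_line(line):
    """Return (path, is_config, failed_attributes) or None for lines that are
    not per-file verify results (e.g. 'Unsatisfied dependencies' messages)."""
    line = line.strip()
    m = MISSING_RE.match(line)
    if m:
        return m.group("path"), m.group("ftype") == "c", {"missing"}
    m = VERIFY_RE.match(line)
    if not m:
        return None
    failed = {FLAG_NAMES[ch] for ch in m.group("flags") if ch in FLAG_NAMES}
    return m.group("path"), m.group("ftype") == "c", failed


def suspicious_files(output):
    """Paths worth investigating: non-config files whose content, permissions or
    ownership changed, or which are missing. Locally edited configs are skipped."""
    hits = []
    for line in output.splitlines():
        parsed = parse_verify_line(line)
        if parsed is None:
            continue
        path, is_config, failed = parsed
        if not is_config and failed & CONTENT_OR_PERMS:
            hits.append(path)
    return hits


# Constructed sample of rpm -Va output; not a real scan result.
SAMPLE = """\
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/doc/bash/README
S.5....T.    /bin/ls
.M.......    /usr/bin/passwd
missing      /usr/lib/libfoo.so.1
"""

if __name__ == "__main__":
    for p in suspicious_files(SAMPLE):
        print("investigate:", p)
```

Note that rpm's database itself is on the same disk, so this is a quick sanity check rather than proof of integrity; the comment's point about Tripwire stands.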
Holy Misinformation Batman! (Score:5, Informative)
WindowsUpdate.com did not, I REPEAT: DID NOT EVER Run Linux. The scan from Netcraft only shows that during a particular scan the DNS resolved to Akamai's web caching servers. So Puh-LEASE don't try to start misinformed rumors.
Linux AkamaiGHost 15-Aug-2003 213.161.82.37 Akamai
Disk Operating System (Score:5, Funny)
From the infoworld article:
The company is cooperating with federal law enforcement officials to investigate the attack, which is the second successful DOS attack against Microsoft.com this month.
Two successful DOS attacks this month. And what a sense of irony: revolt against the creator by manipulating "the favorite" to do its bidding.
What's so hard about using a lower-case 'o'?
No third party distribution of patches (Score:5, Interesting)
I have no sympathy for MSFT getting DOS-ed. The fuckers deserve it, and they were hoist by their own petard. Sure, there is some nitwit out there that acted on an exploit that was known for at least a month, but WTF? What is the problem with letting ISPs distribute the patch to fix this thing?
The ISPs are burning time and support lines over it, bandwidth is getting hosed by the packets on the affected ports, filtering ports helps (but doesn't eliminate the problem). Essentially, third-party companies (ISPs) asked for permission to help put out this fire, and Microsoft gave them a big "fuck you" and I am somewhat gratified by the whole thing.
Fuck you, Microsoft. Here's hoping you get more of the same.
I might post the emails discussing the attempt to get authority to help spread the patches somewhere, but I'm not anxious to cause a slashdotting of my own weenie ISP's servers.
Microsoft hosed their own update service! (Score:5, Informative)
The SUS server is supposed to synchronize itself (manually or automatically) with Microsoft's servers to get the latest updates, and you get a chance to approve them for distribution to clients. Not a bad idea, and it seems to work OK.
However, the URL that's coded into SUS to synchronize with updates is -- wait for it -- a windowsupdate.com URL!
Error Message: "Failed to download from URL 'http://www.msus.windowsupdate.com/msus/v1/aucatalog1.cab'. (Error 0x80072EFD: Unable to connect to the server.)"
Anyone using SUS to update their client machines is now stuck with their current update set until Microsoft sets up a new site to sync with and documents how to change the URL that SUS uses to whatever one they come up with.
Lame.
Microsoft Security Bulletin MS03-026 (Score:4, Informative)
From MS's site:
Why have you revised this bulletin?
Subsequent to the release of this bulletin Microsoft has been made aware that additional ports involving RPC can be used to exploit this vulnerability. Information regarding these additional ports has been added to the mitigating factors and the Workaround section of the bulletin.
If I have installed the patch provided with the original bulletin, am I still protected?
Yes. There has been no update to the patch itself, and the patch will still correct the vulnerability. This additional information is being provided to those customers who may require a temporary workaround until they can apply the patch.
I wish I could make my friends, family, people I know read these security reports on their own, but they never do.
Eeh, excuse me? (Score:4, Informative)
If you're going to submit a biased article, at least get the facts straight. WindowsUpdate.com was never the primary WU domain, windowsupdate.microsoft.com was. They're just disabling the extra one that was never linked from the Windows OS.
Re:Security is #1.... again? (Score:4, Funny)
Oh, you mean this?
Precisely nineteen months ago, Bill Gates sent out a memo to employees (and the press) announcing that security was Microsoft's number-one priority.
It's the first line of the fucking story! For cryin' out loud, we know you're not going to read the fucking article, we don't really expect you to even read the whole story, but can't you at least fucking read the first line?!?!
Re:Security is #1.... again? (Score:3, Funny)
Re:really... (Score:4, Insightful)
governments of the world should heavily fine ms each time a serious bug is found and/or exploited. and people should examine, and demand, better alternatives
Would you be prepared to submit the open source community to this same program? Every time a governmental Linux server is cracked, RedHat, SuSe or fundamentally FSF will have to pay.
Re:really... (Score:5, Informative)
1. Users don't run Unix as root. Viruses have a very hard time attacking programs they have no write permissions on.
2. Unix has a much longer history than Windows NT+. It's had more time for the holes and buffer problems and other stuff to be fixed. Linux essentially "lengthens" its short history because it has so many eyes looking at it.
3. The killer Unix programs (Apache, SSH, PostgreSQL, etc.) don't run as root either. So even if they get exploited, worms can't do much with their rights anyway.
Unix is just built better. It has a longer history. I'll cede that perhaps with a larger user base (pretend Unix has 90% market share) it would be a bigger target, but it is *not* as susceptible as Windows is. Not by a large margin.
Re:really... (Score:3, Insightful)
Disagree? Give a brand new machine to your parents, or grandparents and get them to install unix. See what happens, and if you have any hair left after walking them through.
Now, granted, a good unix installation can be very secure indeed. So can a good windows installation. I know how to configure my webser
Re:really... (Score:4, Insightful)
Oh really? I'd just like to point out that while this bug is *attacking* one of MS's sites, it won't successfully *break in*. It was a mere 2 days ago that a hacker successfully broke into GNU.org [slashdot.org] and compromised the crown jewel of the Linux community.
So who's more secure again? Don't be so quick to jump to Unix's defense. A lot more exploits are publicised for Linux than for Windows.
Re:really... (Score:4, Informative)
This is on RH 7.1, so it may have changed.
Re:really... (Score:3, Insightful)
Re:really... (Score:4, Interesting)
And really that is the case, many billions of dollars were paid to Microsoft for defective software. When auto makers have a recall, they are required to fix the problem for you. With software you have to do it yourself, and if you don't it's your fault. Then again if you do install the patch yourself and your machine breaks, it's still your fault!
Basically, expect to see no real improvement in Microsoft's software until someone has the guts to sue them or the government gets involved (a la auto recalls). Otherwise there is absolutely zero incentive for them to work any harder than they have to to sell you software.
Re:Gates Memo repost - slowing... (Score:5, Funny)
You have to give it to the guy; his timing is impeccable...
Re:A moving target is still a target (Score:5, Insightful)
This is not like those stupid email trojans that are inexcusable because Microsoft intentionally opened the door (with scriptable email, etc.). This is a garden-variety buffer-overflow exploit of the sort that could just as easily still exist somewhere in Linux.
Re:A moving target is still a target (Score:5, Interesting)
Active Directory also provides a way to block this type of worm that *ix doesn't. There wasn't time to patch all of our servers during the outbreak, so one of the guys here implemented a group policy that prevents execution of msblast.exe and teekids.exe on any machine on our network. Once they're all patched, the policy can be removed really easily.
Re:A moving target is still a target (Score:4, Insightful)
Re:A moving target is still a target (Score:3, Interesting)
I don't like MS either, but this is blatantly unfair. MS did fix the gaping hole -- last month. The problem is that their customers didn't implement the fix, so they are taking reasonable precautions to avoid damage. Beat them up for the things for which they deserve, but not this.
It's still M$'s fault! (Score:4, Insightful)
Because they've engendered a "computing" culture where users are either: 1) ignorant about the need for patching, or 2) have been burned by fucked up M$ patches in the past and hence, don't keep up to date.
"Fool me once, shame on you ...
...
Fool me twice
won't get fooled again"
This country is overrun with idiots. I hope you reap the consequences of your actions. I spit on you all!
Re:A moving target is still a target (Score:3, Funny)