New Batch of XP SP2 Holes
terap writes "Microsoft has acknowledged that it is working on a patch for a potentially serious security hole in the 'Remote Desktop' feature. It affects fully patched versions of Windows XP Service Pack 2, even with the integration firewall turned on. There is a possibility this could lead to code execution attacks."
Hardware Firewall (Score:4, Insightful)
Re:Hardware Firewall (Score:2, Interesting)
Re:Hardware Firewall (Score:2)
Re:Hardware Firewall (Score:3, Informative)
Start with changing his wallpaper to a large font message saying "YOUR A DUMBASS! YOU CALL THIS SECURITY? SCREW YOU !"
Leave it alone for a few weeks, see if he tries to change his ways. If not, keep the torment going. Hidden VNCs are nice.
Re:Hardware Firewall (Score:2)
Re:Hardware Firewall (Score:2)
Just is they sometimes come in a box, any NAT firewall will help you a very great deal.
Get some NAT and 99% of the problem goes away and some new problems arise of course (games, voip, whatever, some VPNs, all get more complicated).
Re:Hardware Firewall (Score:5, Insightful)
I'm curious as to whether 3rd party software firewalls for windows are impacted by this or not. If not, then this hole (and others which are likely to follow) would provide a good justification for purchasing and deploying a 3rd party solution.
Re:Hardware Firewall (Score:2)
Re:Hardware Firewall (Score:3, Insightful)
Re:Hardware Firewall (Score:2)
I only forward the required for public use (http/ftp), then everything else (lots of it) is only accessed over a VPN connection.
It's not as secure as being unplugged, but it's better than being wide open. It's a reasonably secure setup imho.
Don't forget the routers! (Score:2)
Re:Hardware Firewall (Score:2)
The solution is for people to not open up these services to the internet and to use a VPN solution like OpenVPN which is *free* and *opensource*.
Re:Unrealistic... (Score:3, Informative)
In fact, if you use passive FTP to download anything from the internet, if you use MSN Messenger to transfer files or view webcams, if you transfer files by DCC via an IRC client... or use any other application which is not port range specific.
This means that anytime you need to do such thing you have to manually open wide 1024-65535 ports and go back to normal mode after.
You're forgetting that a lot of these firewalls have stateful connections... m
Re:Unrealistic... (Score:2)
The NetGear router I'm currently accessing the net over is quite good in this respect; its firewall blocks incoming connections from the Internet by default. Plus, it supports UPnP, so stuff like Azureus can automatically enable incoming connections and port forwarding for the ports it needs. (UPnP is also on by default, but can be disabled.)
Firewall too? (Score:5, Interesting)
Isn't a firewall supposed to block incoming connections unless specifically allowed? So how can this flaw with RD still affect it with the firewall turned on? TFA doesn't make much of a mention of this.
Re:Firewall too? (Score:3, Informative)
Re:Firewall too? (Score:3, Informative)
well, kind of [wown.com]
it opens a port for remote desktop IF you enable remote desktop.
so, the question is, does this exploit affect xp sp2 if rdp has never been enabled ?
Re:Firewall too? (Score:2)
so, the question is, does this exploit affect xp sp2 if rdp has never been enabled ?
I guess that all depends on whether there is a vulnerability on "Remote Assistance" as well. Since "Remote Assistance" is enabled and unblocked in the firewall by default.
Re:Firewall too? (Score:3, Insightful)
Re:Firewall too? (Score:2)
Here, try firewalling port 22 on your Linux box with iptables and then see what happens when you attempt to ssh in.
Re:Firewall too? (Score:2, Informative)
Re:Firewall too? (Score:2)
Honestly (Score:2, Interesting)
Re:Honestly (Score:2)
Same old cat but just in boots (Score:2, Insightful)
Re:Same old cat but just in boots (Score:2)
Remote Desktop is disabled by default in every version of XP. Including SP2.
To be clear. The bug is in Remote Desktop not the Firewall. A denial of service [cert.org]. The Firewall has exceptions for Services like RDP, FTP, WWW, POP3; nearly all Firewalls have this except the most basic.
Given that slashdot has been reduced to trolling about moderate flaws in windows, i would say SP2 is a great
Re:Same old cat but just in boots (Score:2)
Only way I get around this is to not have the machine on the internet. Sure it's simple for me, but Joe Blow who just bought his spanky new laptop won't know what to d
A patch for XP? (Score:3, Funny)
Re:A patch for XP? (Score:2)
Other implementations of RDP (Score:5, Interesting)
Re:Other implementations of RDP (Score:2)
Re:Other implementations of RDP (Score:2)
Re:Other implementations of RDP (Score:2)
Re:Other implementations of RDP (Score:2)
Re:Other implementations of RDP (Score:2)
Not to forget the authentication. There's some stuff in creating/destroying sessions that affects the kernel, to some degree. So, no, I wouldn't expect the TCP/IP stack itself. Maybe keyboard/mouse in
More and more (Score:2, Insightful)
Re:More and more (Score:2)
Re:More and more (Score:2)
don't use the standard RDC Port (Score:5, Informative)
What i do is change the port that RDC uses, from the standard 3389 to a unique port. To do this, go to registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Contr
change the decimal value, and reboot.
Re:don't use the standard RDC Port (Score:2, Insightful)
Re:don't use the standard RDC Port (Score:2)
What it does, however, is prevent another code red or blaster worm style worm from finding me, since such worms aren't going to be scanning all ports and analyzing what each port does. That would be far too slow for such worms that work primarily by infecting lots of machines very quickly.
In this case, "security by obscurity" works pretty well
Re:don't use the standard RDC Port (Score:2)
Changing the port is a good idea, but then how do you connect to it? The RDP client doesn't have a PORT option.
Or does this only work on clients you control (like your laptop) and can fiddle with the registry on?
Good news, it does. (Score:2, Informative)
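The port change described a few posts up, and the client-side question that follows it, as an added example (not code from any of the posters): move the listener off 3389, open a matching inbound rule, and connect with the port appended to the host name. The full registry key is assumed from the truncated path in the post (the well-known RDP-Tcp WinStation key, value PortNumber); the port number itself is a constructed example. The cmdlets used are the current Windows ones, so this runs in an elevated PowerShell on a modern release, not on the XP box the thread is about.

```powershell
# Added example, not code from the original post.
# Assumed full key for the value the post refers to (the post shows it truncated).
param([int]$NewPort = 33890)   # constructed example port, not a recommendation

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Record the current listener port so the change can be reverted.
$old = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
Write-Host "Current RDP listener port: $old"

# Change the listener port (decimal DWORD, as the post says).
Set-ItemProperty -Path $key -Name PortNumber -Value $NewPort -Type DWord

# The built-in "Remote Desktop" firewall rule only covers 3389, so add one for the new port.
# -RemoteAddress narrows who may reach it; the subnet here is a constructed placeholder.
New-NetFirewallRule -DisplayName "Remote Desktop (custom port $NewPort)" `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort -Action Allow `
    -RemoteAddress '192.0.2.0/24'

# The listener re-reads PortNumber when the service restarts (a reboot also does it).
Restart-Service TermService -Force

# Client side, answering the "how do you connect to it?" question:
# the standard client takes the port after the host name, no registry edit needed.
Write-Host "Connect with: mstsc /v:your.box.net:$NewPort"
```

Keeping the old port value around matters more than it looks: if the firewall rule is wrong, the only way back in is the console. Scoping the rule with -RemoteAddress is what turns the port move from obscurity into an actual restriction.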
Re:don't use the standard RDC Port (Score:2)
Re:don't use the standard RDC Port (Score:5, Insightful)
That's not even a first line of defense. OK, so you get past people scanning your whole /16 for open port 3389. But
will reveal that port running RDC on your.box.net the same as if it were on the default 3389. Keep in mind that unusual results draw more attention. You want to be invisible, or at least, to look like as many others as possible.
Re:don't use the standard RDC Port (Score:2, Informative)
Re:don't use the standard RDC Port (Score:5, Insightful)
Actually, it's a wonderful first line of defense. In fact, it's a wonderful procedure to follow for all remote access (if possible) because of two main reasons:
First, you're safe from worms. That's not an insignificant thing. The vast majority of all attacks (especially against Windows boxes) are perpetrated through some automated process--worms or other malware. These programs generally don't waste time doing in-depth scans of computers. If you're configured differently than the rest of the flock, you're not worth the time.
Second, you're safe from casual portscans. My own servers are scanned at least 20 times a day, and often over a hundred. To save time, these scans only hit the "interesting" ports. If you don't look immediately interesting, you'll just be passed by.
That whole bit about keeping the default setup to avoid extra attention is a bunch of BS. There's nothing terribly suspicious about running a service on a non-standard port. Furthermore, it doesn't matter how interesting or uninteresting a host appears. If your configuration is exploitable, you'll be exploited when discovered. And if you look just like everyone else, well then everyone else will be exploited too.
There is no strength in numbers, and there is no real strength in solitude. But if you can avoid detection, then you've avoided an attack. That's like hiding your valuables to avoid theft: It's not a reliable defense, but it's simple and works often enough to make for a reasonable precaution.
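The two posts above disagree about what a moved port buys you. The added example below (mine, not code from either poster) puts the argument in defender's terms: triage a host firewall's DROP log by the shape of each source's probing, then ask which of those sources would have noticed a listener on a given port. The log format and every address and port in it are constructed for the example; a scan that only hits the usual ports never sees 3390, while a sequential sweep sees both 3389 and 3390.

```python
"""Port-scan triage over firewall DROP logs.

Added example for the comment thread above; not code from either poster.
The log format is constructed and mimics a generic host-firewall drop log:
"<time> DROP <src_ip> -> <dst_port>".
"""
import re
from collections import defaultdict

LOG_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) DROP (?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dport>\d+)$"
)

# The "interesting" ports a quick scan tends to hit (constructed list).
COMMON_PORTS = {21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 1433, 3389}


def build_sample_log():
    """Constructed sample log: one quick scan of common ports only, one
    sequential sweep of 3380-3399, one client retrying a single port,
    and a malformed line the parser must skip."""
    lines = []
    for p in (21, 22, 80, 443, 3389, 445):
        lines.append(f"12:00:01 DROP 198.51.100.7 -> {p}")
    for p in range(3380, 3400):
        lines.append(f"12:00:05 DROP 203.0.113.9 -> {p}")
    for _ in range(3):
        lines.append("12:00:09 DROP 192.0.2.44 -> 3390")
    lines.append("12:00:10 kernel: link up")  # not a DROP line, ignored
    return "\n".join(lines) + "\n"


def parse_log(text):
    """Yield (src, dport) for each well-formed DROP line; skip the rest."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.group("src"), int(m.group("dport"))


def ports_by_source(text):
    """Map each source address to the set of distinct ports it touched."""
    seen = defaultdict(set)
    for src, dport in parse_log(text):
        seen[src].add(dport)
    return seen


def classify(ports, sweep_threshold=20):
    """Label a source by the shape of its probing, not by how many packets it sent."""
    if len(ports) == 1:
        return "single-port"
    if ports <= COMMON_PORTS:
        return "common-port probe"
    if len(ports) >= sweep_threshold:
        return "sequential sweep"
    return "mixed probe"


def triage(text):
    """Source address -> label for every source in the log."""
    return {src: classify(ports) for src, ports in ports_by_source(text).items()}


def sources_that_hit(text, port):
    """Which sources would have found a listener on `port`?"""
    return {src for src, ports in ports_by_source(text).items() if port in ports}


if __name__ == "__main__":
    log = build_sample_log()
    for src, label in triage(log).items():
        print(f"{src:15} {label}")
    print("would have found 3389:", sorted(sources_that_hit(log, 3389)))
    print("would have found 3390:", sorted(sources_that_hit(log, 3390)))
```

The labels are what a defender acts on: "common-port probe" is the background noise the second poster describes, and moving a service off 3389 drops it out of that set; "sequential sweep" is the scanner the first poster has in mind, and no port choice hides from it, which is why the rule scoping and the patch still have to be there.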
Heh (Score:5, Funny)
Have to remember that phrase (Score:4, Funny)
An entirely new approach (Score:5, Funny)
Monty Python's Crashing Windows (Score:5, Funny)
Father: They told me I was daft to build Windows, but I built it anyway! It was full of flaws and suffered horrible exploits.
Father: So I built another Windows! It was full of flaws and suffered horrible exploits.
Father: So I built a third Windows. It was full of flaws and suffered horrible exploits and the Remote Desktop Feature could be hijacked causing it to crash.
Father: So I built a Forth Windows! And it had DRM! And that's what you're going to be inheriting lad! The most bloated, useless feature, locked-out OS in these here lands!
Son: But mothe-
Father: I'm your father!
Son: But father... I don't want any of that.
Father: Well what do you want?!
Son: I want... something... bug free... and... fre-...
Father: Hey! Hey, now! There'll be none of that!
Re:Monty Python's Crashing Windows (Score:5, Funny)
- One day lad, all this will be yours!
- Wot, the curtains?
- No, the Windows!
Re:Monty Python's Crashing Windows (Score:2)
I sleep all night and I work all day
Re:Monty Python's Crashing Windows (Score:2)
Windows written in Forth?? Wait, that actually sounds like something I'd pay to see.
Re:Monty Python's Crashing Windows (Score:2)
Potentially serious... (Score:2, Interesting)
2) Few corporate environments allow anonymous access to RDP (or Terminal Services).
3) RDP isn't enabled on XPSP2 by default to begin with.
4) There's no reason to believe this vul would allow remote code execution at this point.
Wrong. (Score:2)
Every company I've worked at has done this.
DOS-attack (Score:4, Informative)
In an advisory posted at SecurityProtocols.com, the researcher described the issue as a remote kernel denial-of-service flaw affecting XP SP2, with the default firewall turned on.
I know Slashdot loves to hold Microsoft to golden standards, but a DOS-attack in a not overly important desktop daemon is hardly huge news. At the very least it happens to a lot of OS's a lot of the time.
Re:DOS-attack (Score:2)
Why is this not a surprise? (Score:2)
Why is microsoft so willing to let their customer
Bugs are good for jobs (Score:2, Interesting)
Re:Bugs are good for jobs (Score:2)
Your IT staff loves security holes. It gives them an important task, they get paid and with every patch they install they know the software keeps them busy and employed for a long time.
I wonder if Microsoft includes patching and rebuilding as part of their TCO? Most I/T professionals hate patch runs as when the patches break things they get the blame. If they don't patch, they get hacked/wormed and they get the blame. The real solution is get a more secure OS and remove excess user control on the de
Hmm (Score:2, Interesting)
That's why I connect to my 2k3 server first, (Score:3, Funny)
Get a linksys wrt54G (Score:2)
Re:I Never Use Remote Desktop (Score:4, Insightful)
I'll go and scrap ssh, vnc and X then.
Funny. (Score:2)
Anybody using standard ports for their personal rig is asking for trouble.
Anybody who modded the parent insightful clearly missed his cynicism.
Re:I Never Use Remote Desktop (Score:2)
Re:I Never Use Remote Desktop (Score:2)
Oh wait... you're talking about using them in clear text instead of over ssh tunnels.
Re:I Never Use Remote Desktop (Score:2)
I use it all the time to connect to my desktop- so rather than trying to keep my laptop in sync with my desktop, for mail and junk like that- I just connect to my desktop and I never worry about syncing.
It's also fast.
But, since day 1 I have thought that if there is a security hole, it will be a BIG one. If they can connect, then they own everything...
Re:I Never Use Remote Desktop (Score:2, Interesting)
Re:I Never Use Remote Desktop (Score:2)
Re:I Never Use Remote Desktop (Score:2, Informative)
It is also just about the only legitimate reason to buy (or otherwise own) Windows XP over Windows 2000.
And finally, it is also... guess what... turned off by default.
Move along, nothing to see here...
Re:I Never Use Remote Desktop (Score:2, Interesting)
Secondary Login is the Windows equivalent of the su command. I wouldn't recommend removing it. Not all users run with Administrator access. I'm posting this from my gaming machine, a Windows XP machine, as a Limited User.
Server is part of the SMB networking system. While not useful in a corporate network, it is useful in a Peer to Peer network.
Re:I Never Use Remote Desktop (Score:2)
That means that if you install this, you will be insecure moving forward. Best bet would be to install an SSH server and then tunnel to it and execute locally behind a firewall.
disabled by default? (Score:2)
This may include providing a security update through the monthly release process or issuing a security advisory, depending on customer needs," she added.
Fuck, what your customers want is to to get a fucking patch that fixes the fucking flaw and they want it before it hits sites like slashdot.
Re:This is news-worthy because...? (Score:5, Funny)
You must be new here.
Re:Oh great, another Microsoft bug story (Score:2, Insightful)
I agreed with you up until this point. I can't remember the last time MS went out of the way for philanthropic motives. Everything they have ever done has self-serving purposes. That's the way business works in a capitalistic society. Remember their settlement with the state of California? They
Re:Oh great, another Microsoft bug story (Score:2)
I find it funny the editors are probably pushing their thirties, yet still act like 5 year olds toward a bill
Re:Oh great, another Microsoft bug story (Score:2, Insightful)
And we all know the paragon of Ethics the business world is.
Honestly though, you may very well be an ethical person, but your status as a businessman is hardly related to such.
"However, most OSS zealots have no clue. Most OSS zealots are more than happy to side with the gov't when they think it's somehow at their advantage (anti-trust against MS), and slam the gov't for its stupid laws when it's at their advantage to do so (DMCA, IP laws, etc.)
Re:Oh great, another Microsoft bug story (Score:2)
Re:Oh great, another Microsoft bug story (Score:2)
Perhaps someone could believe in the enforcement of fair trade and the maintenance of a level playing field (one aspect of government) while still being in favor of curtailing the government's ability to intrude upon a person's privacy. You seem like an intelligent person though so I won't go on, suffice it to say that people's actions wouldn't seem as arbitrary if you took a minute to understan
Re:Oh great, another Microsoft bug story (Score:2)
Then again, the Internet you're using runs (and did even more in the past) mostly on non-MS so
Re:Oh great, another Microsoft bug story (Score:2)
Re:Oh great, another Microsoft bug story (Score:2)
Re:Who the fuck... (Score:5, Interesting)
I work in a call center for a major US ISP. Do you know how often we get people calling in because Norton Internet Security is screwing up? I talked to at least two people personally just yesterday, one couldn't get his email because Norton would cause the connection to the server to close, another lady could open up PORT 80 TO BROWSE THE INTERNET. These people didn't change any settings on NIS, it just caused this on its own. I know that IE isn't secure, but that's a little extreme.
The XP Firewall hasn't bothered me at all, not a memory hog for something as simple as a firewall, and hasn't caused me any problems, which is more than I can say about ZoneAlarm/Kerio.
Tell me, what makes it not a real firewall? It blocks ports.
Re:Who the fuck... (Score:2)
I worked (till they outsourced last year) at a call center for Symantec's Norton line of products, and I can tell you from my experience, most ISP technicians are bumblefucks. Maybe you are an exception. Anyway, 99.99% of all firewall problems are caused by user ignorance of what a fi
Re:Who the fuck... (Score:2)
If you are selling internet security to non-technical users, then it becomes your responsibility to see that everything works properly.
Re:Who the fuck... (Score:2)
It's OK for something built in, but there is still strong justification for third party solutions. It generally serves the purpose of stopping stuff from compromising you from the network while you are setting
Re:Who the fuck... (Score:2)
Re:Who the fuck... (Score:2)
Having said that, as a consumer you can settle for a free firewall as well. Check out Sygate's [sygate.com] offering. Not quite suitable for your mother perhaps, but a pretty good program. It even nags about services that the windows firewall won't nag about.
For use in a network of windows workstations administered by a non-n00b, I like tdi_fw [sourceforge.net].
It's simple,
Re:Who the fuck... (Score:3, Informative)
It has some major issues, don't use the remote access for one. But it's a decent supplement to the Windows Firewall on open source project was planned to build an open source clone, unfortunately it seems to be going nowhere.
Failing that, Sygate is a good choice.
Re:Who the fuck... (Score:2)
Ghost Personal Firewall [sourceforge.net]
Re:Who the fuck... (Score:2)
Re:Who the dickens... (Score:2)
I do. (Score:2, Insightful)
Remote Desktop? Meh.
Re:Hmmm (Score:2)
This was addressed just the other day. Sysadmin's requested a standardized release schedule so they could schedule patch installation and downtime.
Damned if you do and...
Re:Hmmm (Score:2)
try X11 (or its spin-off NX) for a real RDC comparison
Re:Always fun... (Score:2)
Re:Just wait for Indigo! (Score:2)