Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Attack Code Found For Recent Windows Bug

Posted by Soulskill on Tue Oct 28, 2008 05:23 PM
from the oh-by-the-way dept.
Operating Systems Software Windows Microsoft Security
CWmike writes "Just a day after downplaying the vulnerability that caused it to issue an out-of-cycle patch last week, Microsoft warned customers late yesterday that exploit code had gone public and was being used in additional attacks. 'We've identified the public availability of exploit code that now shows code execution for the vulnerability addressed by MS08-067,' said Mike Reavey, operations manager of Microsoft's Security Response Center, in a post to the MSRC blog. 'This exploit code has been shown to result in remote code execution on Windows Server 2003, Windows XP, and Windows 2000.'"
+ -
story

Related Stories

[+] Microsoft to Issue Emergency Patch For File-Sharing Hole 348 comments
An anonymous reader writes "Microsoft said late Wednesday that it plans to release a critical security update today to plug a security hole present in all supported versions of Windows. The company hasn't released any details about the patch yet, which is expected to be pushed out at 1 p.m. PT. Normally, Redmond issues security updates on Patch Tuesday, the second Tuesday of each month. The Washington Post's Security Fix blog notes that each of the three times in the past that Microsoft has departed from its patch cycle, it was to fix some really nasty vulnerability that criminals already were exploiting to break into Windows PCs." Reader filenavigator points out an article which describes the hole as an SMB vulnerability, and says it "allows anyone to access a Windows machine remotely without any user name or password. Any machine that exposes Windows file sharing is vulnerable." Update: 10/23 17:42 GMT by T : Reader AngryDad adds a link to Microsoft's more detailed memo.
Submission: Hackers Publish Attack Code for New Windows Bug by CWmike (1292728)
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Attack Code Found For Recent Windows Bug 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Hmmm... (Score:2, Funny)

    by Anonymous Coward
    Lets see, perpetually vulnerable-to-script-kiddies Windows XP, or locks-up-every-5-seconds Ubuntu?

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Locks up every 5 seconds? What do you mean? What kind of computer are you using? Have you submitted a bug report?

      • Re:Hmmm... (Score:5, Insightful)

        by Venik (915777) on Tuesday October 28 2008, @06:59PM (#25549231)
        Why should anyone bother submitting a bug report? If it's a minor issue and I have a workaround - sure, I'll submit a bug report. But if a system is completely unusable with Ubuntu, I will better spend my time finding a working alternative. Having said that, as a Unix sysadmin I have nothing against Ubuntu, other than using it on a server is not the best idea: there are many far more stable alternatives. The problem with most Linux aficionados out there is that few of them worked in a real production environment of a big datacenter. These guys may know how to configure Apache and MySQL on their Ubuntu PC, but they don't see a difference between getting something to work and getting it to be fast and reliable under constant heavy load.

          • Re: (Score:3, Informative)

            by Venik (915777)
            I don't know where you work, but unstable servers are usually a result of poor planning by system architects, insufficient funding, or inexperienced sysadmins. If I had any servers that were continuously unstable for the reasons you listed, I would lose my job. Sometimes you do have to support a system that has been outgrown by its users and applications, but there is no funding to get an upgrade and so you have to make do. This would be a valid reason for system instability. But to say that the server is c

    • Re:Hmmm... (Score:4, Interesting)

      by jimmyhat3939 (931746) on Tuesday October 28 2008, @10:06PM (#25550591) Homepage

      I've run Ubuntu on a Dell Inspiron 9400 laptop for over a year without a single lockup.

      Now, I also run VirtualBox and Windows XP under that. *That* has locked up several times. So if that's what you mean, I agree.

        • Re: (Score:2, Interesting)

          by cheater512 (783349)

          Wikipedia seems to think that its a good idea. :P

          • Re:Hmmm... (Score:5, Funny)

            by daeg (828071) on Tuesday October 28 2008, @06:13PM (#25548735)

            Well, to be fair, their discussion took place on Wiki pages, so it was either Ubuntu 8.04 or HAHAHHAYOUSUCKCOCKS.

            • Re:Hmmm... (Score:5, Funny)

              by Dogtanian (588974) on Tuesday October 28 2008, @06:45PM (#25549085) Homepage

              Well, to be fair, their discussion took place on Wiki pages, so it was either Ubuntu 8.04 or HAHAHHAYOUSUCKCOCKS.

              Yeah, I can see that some 13 year old vandal might think that it was funny to replace "Red Hat Enterprise Linux 5.2" with something silly like, er... "Ubuntu 8.04" ;-)

              BTW, HAHAHHAYOUSUCKCOCKS 2.06 is a fine server distro and I won't hear a word against it.

        • Re:Hmmm... (Score:4, Funny)

          by Anonymous Coward on Tuesday October 28 2008, @06:31PM (#25548949)

          Who the fuck runs windows on a server? Context man, context!

          There, fixed it for you.

        • Re: (Score:3, Insightful)

          by Anonymous Coward
          Seriously, Insightful?

        • Re: (Score:3, Informative)

          by rikkards (98006)

          That plus the wireless network card drops randomly. The message in dmesg is that it can't find the AP so it assumes it is gone. Restarting the networking fixes it.

        • Re:Hmmm... (Score:5, Insightful)

          by CrazedWalrus (901897) on Tuesday October 28 2008, @09:55PM (#25550531) Journal

          But it does make a damn fine server. The software is reasonably up to date, the administration is dead-simple, and I'm already familiar with it from my desktops.

          I've got other things to concentrate on besides server administration -- like coding my project management and billing system, or working for my clients so I have something to bill them for. Ubuntu makes that easy for me.

          I've recently vetted Slackware, Debian (stable), and Ubuntu Server 7.04, and settled on the latter because it strikes the balance I need between stability and up to date software. You may legitimately disagree with my choice, but I have my reasons and I'm sure you have yours. Most Linuxes make great servers, so it's really choosing your favorite incarnation of "awesome."

          • Re:Hmmm... (Score:4, Funny)

            by darkpixel2k (623900) <slashdot@darkpixel.com> on Tuesday October 28 2008, @11:26PM (#25551039) Homepage
            You may legitimately disagree with my choice, but I have my reasons and I'm sure you have yours. Most Linuxes make great servers, so it's really choosing your favorite incarnation of "awesome."

            Damnit! Stop doing that. Your job on Slashdot is to perpetuate the holy OS wars. If you start to lose an argument based in 'nuh uh, yeah huh' then immediately question the person's choice of vi verses emacs.

            Never EVER admit that something may come down to personal preference unless you are willing to follow it up by blatantly trashing said person's personal preference by calling them 'dumb' or 'retarded'. Finally, if you are totally and completely losing the argument, link to final irrefutable proof: like this [goatse.cx]

      • Re: (Score:3, Insightful)

        by Splab (574204)

        Yeah, blame it on closed source.

        You probably need to get some counseling on your fetish for open source when you with absolutely no evidence of restricted drivers even being present on said system starts blaming them.

  • Hotpatching (Score:5, Insightful)

    by nmb3000 (741169) <nmb3000@that-google-mail-site.com> on Tuesday October 28 2008, @05:37PM (#25548441) Homepage Journal

    For those interested, there was a really cool hack [nynaeve.net] of hotpatching the files and services that are affected by this exploit. The Microsoft patch isn't designed to be hotpatched, instead requiring a reboot to replace the needed files. However, by using a binary diff and DLL injection you can apply the patch on the fly without rebooting.

    I wish Microsoft would put more effort into making the official patches not require a reboot. Consumer operating systems are one thing, but rebooting Windows servers gets annoying really fast.

    • Re:Hotpatching (Score:5, Insightful)

      by TubeSteak (669689) on Tuesday October 28 2008, @05:50PM (#25548553) Journal

      However, by using a binary diff and DLL injection you can apply the patch on the fly without rebooting.

      Is that something you would want to do on a production server?
      And if you were MS, is that something you would want to support?

      • Re:Hotpatching (Score:4, Interesting)

        by Dr Caleb (121505) <thedarkknight&hushmail,com> on Tuesday October 28 2008, @05:57PM (#25548633) Homepage Journal

        >And if you were MS, is that something you would want to support?

        If you were MS, and wanted to brag about 5 Nines uptime, wouldn't you design the patch so you didn't have to reboot production servers once a month?

        Glad I spent all weekend patching, now that the exploit has escaped.

        • Re:Hotpatching (Score:5, Interesting)

          by vux984 (928602) on Tuesday October 28 2008, @06:16PM (#25548771)

          If you were MS, and wanted to brag about 5 Nines uptime, wouldn't you design the patch so you didn't have to reboot production servers once a month?

          5 nines is ~5.3 minutes downtime per year

          You don't acheive that with a single Linux box either, unless you simply aren't keeping it up to date, even if you manage to avoid 'rebooting it' you are still going to have serious trouble reliably preventing 'unavailability of services' from reaching 5.3 minutes over a year.

          It takes either a mainframe or a cluster to reach 5 9's with any reliability. Windows doesn't run on a mainframe, and if you have cluster, a few scheduled reboots now and then don't result in any downtime, since you don't have to bring the entire cluster down.

          So your argument really doesn't apply.

          • No, I've managed to have a single Linux box reach 99.999%. It's mostly a matter of not updating the kernel; everything else can be upgraded monthly with ~15 seconds downtime, for an average of ~3 minutes annually.

            • Re:Hotpatching (Score:5, Insightful)

              by vux984 (928602) on Tuesday October 28 2008, @06:58PM (#25549215)

              No, I've managed to have a single Linux box reach 99.999%

              "Managed to have"? You are talking about 5 9's as something that you can reach. People who demand 5 9's consider that the minimum they will accept. They don't want systems that can reach 5 9's they want systems guaranteed not to be less than 5 9's. That's a HUGE difference.

              So if we sign an SLA, how certain should I be that you can deliver 5 9's? ... From one box? Not very.

              That fact that you might 'manage it' simply isn't good enough. What happens when a piece of hardware fails? or if an update doesn't go smoothly? With a single box you have no contingency and 5 minutes to resolve any problems and perform any updates that might be needed for the entire year.

              My point stands: anyone serious about delivering 5 9's simply isn't using a single box, because you simply can't depend on it. MAYBE you'll get 5 9's out of it, but getting 5 9's from a single box is like winning a prize from a scratch and win. Its not exactly a miracle, but its hardly something you can rely on.

              Hell, even promising 4 9's from a single box is taking on some heavy risk. It's not hard to envision an unexpected hour of downtime on a box over the course of a year.

            • Re:Hotpatching (Score:5, Funny)

              by caluml (551744) <slashdotNO@SPAMspamgoeshere.calum.org> on Tuesday October 28 2008, @07:50PM (#25549647) Homepage
              My current longest uptime:

              $ uptime ; uname -r
              00:49:19 up 1222 days, 14:09, 1 user, load average: 0.00, 0.00, 0.00
              2.6.11-hardened-r14

              Yeah, it doesn't actually do much. Just lets me win willy-waving matches.

                • Re:Hotpatching (Score:5, Funny)

                  by sleeponthemic (1253494) on Tuesday October 28 2008, @09:47PM (#25550485) Homepage

                  Oh yeah? Well, uh, nyah.

                  $ uptime ; uname -r 00:40:23 up 1222 days, 14:10, 1 user, load average: 0.00, 0.00, 0.00 2.6.11-hardened-r14

                  You made that post 51 minutes after he did.

                  So close, but forever in his shadow :-)

        • You are an idiot. 5 9s gives you just 5 minutes per year of downtime. You think if something fails in a system, you can get it back up in 5 minutes? Hell no. You want reliability like that, you do it with redundant systems. Well, in that case the individual units can certainly go down. Perfectly valid strategy. You patch them whenever you feel like, making sure that only one is down at a time and that it comes back up to full operational status before you do the next one.

          A single system, well you are just r

      • Actually, yes. The company I work for has spent a fair amount of resources to enable safe patching of running binaries. When you're aiming for 99.999% uptime and better, rebooting to apply a patch is suboptimal.

      • Re:Hotpatching (Score:4, Informative)

        by DamnStupidElf (649844) <Fingolfin@linuxmail.org> on Tuesday October 28 2008, @08:05PM (#25549797)

        Come on, it's dead simple and it's safe. Just install a page fault handler and mark all the pages of the DLL as being unavailable, examine the current thread state of all processes and mark them if they are currently executing in the unavaiable pages, and if so simply return success from the page fault handler until the thread leaves the locked region (essentially single step through the DLL until it finally returns to the caller). If a thread was not originally executing in the protected pages and enters it, just stall it. Once all threads are stalled or not accessing the locked pages, patch the DLL and mark the pages available and uninstall the page fault handler.

        What could possibly go wrong? Only if the data structures that the DLL uses internally are modified will this be difficult, in which case the patched DLL will just have to convert its own data during the patch time. If changes to user data structures are required, then the patched DLL would have to burn some space in each new data structure to identify it as a patched version and treat it appropriately, while detecting the old data structures reliably. That might be a little harder than the general case, but not impossible.

        Is getting 0wned something you would want to happen on a production server that can't have downtime?

    • Re: (Score:3, Informative)

      by cheater512 (783349)

      Just switch to Linux servers instead.
      The ability to not require rebooting for years comes as standard. :)

      Downtime due to upgrades is limited to how fast you can restart the app.
      You can swap the files while its still running, then just restart it.

    • Me: Did you shut down the server?
      Other Tech: Nope. I thought you did it. Now I can't get to the internet.
      Me: Son of a bitch... Automatic Updates again... it needs a power-off and then cold start to work.
      *15 minutes later*
      Me: Where the hell are the backup tapes?
      Other Tech: I have no fucking clue. What the hell did you do?
      Me: I learned to never trust automatic updates. That said, I have a resume` to refresh.
      Other Tech: But nothing is working still.
      Me: Your problem now.
      *2 minutes later*
      Me: I can't ev
    • What would be smart for Windows to do is to not randomly reboot. For example, I was asked to run a PowerPoint presentation at a funeral. No problems there, except the laptop was running Vista, midway through the presentation the computer showed "Logging Off" and the computer rebooted. Naturally, there wasn't anything I could do about it, I rebooted the thing and it ran mostly smoothly the rest of the way, but seriously MS, by default don't reboot I don't care if its a patch that if not applied it can turn

      • Re: (Score:3, Insightful)

        by tlhIngan (30335)

        What would be smart for Windows to do is to not randomly reboot. For example, I was asked to run a PowerPoint presentation at a funeral. No problems there, except the laptop was running Vista, midway through the presentation the computer showed "Logging Off" and the computer rebooted. Naturally, there wasn't anything I could do about it, I rebooted the thing and it ran mostly smoothly the rest of the way, but seriously MS, by default don't reboot I don't care if its a patch that if not applied it can turn

  • That's it! I'm switching to a Linux Desktop (Score:5, Funny)

    by Anonymous Coward on Tuesday October 28 2008, @05:43PM (#25548493)

    Slashdot's unbiased coverage of an exploit for a patch that was released last week has finally convinced me to stop using MS products. I'm also beginning to think this MS might be evil as well.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      LOL! Yea... especially considering that doing some SIMPLE things like these:

      1.) Stopping "File & Print Sharing", via your local connection, removing it as a Client/Protocol there (if you're not on a Lan Manager based OR Active Directory IP based LAN/WAN, or home network? Who cares! It's slowing you down just broadcasting extra packets anyhow OR listening for them too, wasting IO + resources) & the SYSTEM ICON in Control Panel (as to options &/or quick tasks to perform for that) make it a snap to

  • Clarification (Score:5, Informative)

    by Raconteur (1132577) on Tuesday October 28 2008, @05:48PM (#25548535)
    Just in case the /. entry seemed as ambiguous to you as it did to me, the linked article states "Our investigation has shown that it does not affect customers who have installed the update."

    • This is added incentive to complete YOUR testing of this patch ASAP.

      Remember, only incompetent admins apply patches without testing them.

      In our environment, the patch would have been put into testing the day after it was released (no sense getting caught by a brown paper bag bug) and then into production NEXT Sunday.

      With a known exploit out there, we'd be getting more people to test the test systems TODAY. With the goal of putting the patch into production TOMORROW evening.

      • Re:But not everyone has installed the update. (Score:5, Insightful)

        by DigiShaman (671371) on Tuesday October 28 2008, @06:44PM (#25549077) Homepage

        Remember, only incompetent admins apply patches without testing them.

        Cool.

        Sounds like your part of an internal IT department of a big corporation. Well, I'm not. I admin several small businesses network which contain 5 to 20 users. Each company has one server which runs Windows SBS. So, testing isn't an option. Should there be a problem, I have no choice but to pull it out via the Add/Remove program list.

        So, do you think I'm an incompetent admin given what I have to work with?

        • So, do you think I'm an incompetent admin given what I have to work with?

          Sure. You don't have a test network to at least smoke patches on or you would've said something. What happens when your SBS box barfs? how long is recovery and when's the last time you tried it?

          • Re:But not everyone has installed the update. (Score:5, Informative)

            by DigiShaman (671371) on Tuesday October 28 2008, @09:25PM (#25550341) Homepage

            Sure. You don't have a test network to at least smoke patches on or you would've said something

            A fifteen user network all running off a cable modem, router/firewall, and Windows 2003 SBS. Sure, let me pitch the sale for them to purchase another SBS box (for testing purposes only) and the billable time required for each test required per monthly patch cycle...

            What happens when your SBS box barfs

            Rebuild it, add PCs back to the domain, and restore user data and exchange data. I've done it before and it's a lot cheaper alternative to the one above. Funny isn't? Sometimes it's cheaper to let a server crash and burn than spend money on preventive maintenance. It's all in how much the customer wants to spend.

      • Remember, only incompetent admins apply patches without testing them.

        In our environment, the patch would have been put into testing the day after it was released (no sense getting caught by a brown paper bag bug) and then into production NEXT Sunday.

        Your strategy fails to deal with certain 0-day scenarios. Not that competent admin would actually run critical services on Windows.

  • the droning *gong* of microsoft cracks (Score:4, Interesting)

    by drDugan (219551) on Tuesday October 28 2008, @06:04PM (#25548679) Homepage

    This is like a droning gong.

    *Gong* Bring out your dead *Gong* Windows is insecure *Gong* Bring out your dead *Gong*

    It seems to me there is a fatigue that sets in regarding unpleasant information. How many times does one have to hear a thing, especially an unpleasant thing they don't want to hear, before that person stop listening to it? This happens to me at least. We see this (as a parallel) in politics all the time, when we're told this guy or that person broke the law. Its like a background din you have to tune out to get through the day.

    It's made worse because there is no solution.

    For the user of windows, there is nothing they can do about the fundamental insecurity that leads to repeated, consistent, and regular security updates like this. The only option is to change OS, which if you're the average computer user, that is not an option without significant expense. It's unpleasant to hear that crackers are breaking into computers and turning them into zombie swarms of attacking botnets. Hear the same bad thing enough times, eventually people stop listening.

    I was fortunate: my windows laptop was stolen in 2004 and I made the switch, and now use Mac and Linux now exclusively. Not that Mac is any panacea - I still can't stand Finder, I think it is awful, and curse it every time I need to move a few files to some other folder on another drive (usually I just use "mv"). BUT at least I'm not forced to start ignoring serious security threats that I can't prevent or address effectively. (I don't consider a long series of "After the crack" patches effectively addressing the problem)

  • I'm not Microsoft lover, but (Score:5, Insightful)

    by dkleinsc (563838) on Tuesday October 28 2008, @06:11PM (#25548725)

    I'll give them credit for patching this quickly. This could have been Yet Another Windows Worm (TM) that brings all legitimate network traffic to a halt. And us Slashdotters have been after them for years for taking too long to patch things, so it would be completely hypocritical to get pissed at them for doing what we'd want them to do.

    I'll hate them for having the exploit possible in the first place, I'll hate them for requiring reboots, I'll hate them for forcing crappy software down our throats, but every once in a while they do something right.

      • Re: (Score:2, Insightful)

        by X0563511 (793323)

        It would, but for their intentional denial of updates to "illegitimate" installations.

        • Re: (Score:3, Informative)

          by Macthorpe (960048)

          You've always been able to automatically update even cracked copies of Windows automatically, you just can't do it via update.microsoft.com.

          I'm not sure where you've got your information from.

  • Microsoft didn't downplay this (Score:5, Informative)

    by Anonymous Coward on Tuesday October 28 2008, @06:17PM (#25548789)

    Instead they issued an out-of-cycle patch and they gave it a very high severity rating in their bulletins. None of us are Microsoft lovers. But you don't have to lie to us just to be able to pat us on the back. It's disgusting, please stop it.

    • Re: (Score:3, Informative)

      by felipekk (1007591)

      Please mod parent up.

      Microsoft even contacted partners to make sure they were applying the patch as soon as possible.

      I don't know where the author got the downplaying from...

  • Just a day after downplaying the vulnerability that caused it to issue an out-of-cycle patch last week, Microsoft warned customers late yesterday that exploit code had gone public and was being used in additional attacks

    .
    How does this translate into downplaying the threat?

    October 23, 2008 (IDG News Service) Microsoft Corp. fixed a critical bug in its Windows operating system Thursday, saying that it is being exploited by online criminals and could eventually be used in a widespread "worm" attack.

    Micro

  • Metasploit (Score:5, Informative)

    by slimjim8094 (941042) <slashdot@justconnected.net> on Tuesday October 28 2008, @07:14PM (#25549373) Homepage

    Be warned; this is already on metasploit. The intrepid can find this for themselves...

    Testing it to see if it actually works though.

  • Downplaying the vulnerability ? (Score:4, Insightful)

    by DavidD_CA (750156) on Wednesday October 29 2008, @12:20AM (#25551315) Homepage

    I'm sorry... downplayed?

    Is there any admin in the world that didn't get the message that this was kinda sorta urgent?

    This was the first time in four (?) years that Microsoft went out-of-cycle on their patches. That alone got attention, and would hardly be considered "downplayed".

    Every stinkin' newsletter I got last week all mentioned it. Vendors mentioned it. Slashdot mentioned it a dozen times. And Microsoft sent out many many bullitens.

    What would it take to satisfy the submitter's requirements for sufficient attention? CDs mailed out via FedEx Next Day to every registered owner of Windows?

    Perhaps the real downplaying is what Slashdot tends to do whenever a Linux-releated bug is found.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.