
Yet Another Critical Windows Flaw 511

Posted by michael
from the keep-bailing dept.
Dynamoo writes "Microsoft released yesterday a whole bunch of critical security updates. Out of these, MS03-043 is a flaw in the Windows Messenger Service (not MSN Messenger) with the possibility of a remote attacker gaining complete control of a Windows NT/2000/XP/2003 based PC remotely. If this sounds like another possible vector for a worm to spread, you'd probably be right. Microsoft's recommendation is to 'disable the Messenger Service immediately and evaluate their need to deploy the patch'. Of course a firewall will offer some protection but shouldn't be relied on. At least administrators can disable the Messenger Service remotely. Of course this is another headache for admins still patching for last month's RPC flaw."
This discussion has been archived. No new comments can be posted.
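The remote mitigation the summary mentions (disabling the Messenger service on many machines), as an added example that is not part of the original post or of Microsoft's bulletin. It assumes an administrative Windows PowerShell session with access to each host's Service Control Manager; the function names and host names are hypothetical.

```powershell
# Added example: audit, and optionally disable, the "Messenger" service remotely.
# Assumptions: host names are constructed; the caller has admin rights on each host.

function ConvertFrom-ScOutput {
    # Turn the "NAME : value" lines printed by sc.exe into a hashtable.
    param([string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Z_]+)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    return $fields
}

function Get-MessengerStatus {
    param([Parameter(Mandatory)][string]$ComputerName)

    $target = "\\$ComputerName"
    $config = @(& sc.exe $target qc Messenger)       # start type
    $code = $LASTEXITCODE
    if ($code -eq 0) {
        $runtime = @(& sc.exe $target query Messenger)   # running state
        $code = $LASTEXITCODE
    }
    if ($code -ne 0) {
        # 1060 = the service does not exist on that host; anything else
        # (access denied, host unreachable) is reported with its code.
        $status = if ($code -eq 1060) { 'NotInstalled' } else { "Error $code" }
        return [pscustomobject]@{ Host = $ComputerName; Status = $status
                                  StartType = $null; State = $null }
    }

    $f = ConvertFrom-ScOutput ($config + $runtime)
    # Values look like "4   DISABLED" and "1  STOPPED"; use the leading number.
    $startType = [int](($f['START_TYPE'] -split '\s+')[0])
    $state     = [int](($f['STATE'] -split '\s+')[0])
    $status = if ($startType -eq 4 -and $state -eq 1) { 'Disabled' } else { 'NeedsAction' }
    return [pscustomobject]@{ Host = $ComputerName; Status = $status
                              StartType = $f['START_TYPE']; State = $f['STATE'] }
}

function Disable-Messenger {
    param([Parameter(Mandatory)][string]$ComputerName)

    $target = "\\$ComputerName"
    # Disable first so nothing restarts the service after it is stopped.
    & sc.exe $target config Messenger start= disabled | Out-Null
    if ($LASTEXITCODE -ne 0) { return $LASTEXITCODE }
    & sc.exe $target stop Messenger | Out-Null
    # 1062 = the service was not running, which is the desired end state.
    if ($LASTEXITCODE -notin 0, 1062) { return $LASTEXITCODE }
    return 0
}

function Invoke-MessengerLockdown {
    # Audit only by default; pass -Disable to change anything.
    param([string[]]$ComputerName, [switch]$Disable)

    foreach ($h in $ComputerName) {
        $s = Get-MessengerStatus -ComputerName $h
        if ($Disable -and $s.Status -eq 'NeedsAction') {
            $rc = Disable-Messenger -ComputerName $h
            Start-Sleep -Seconds 2          # let STOP_PENDING settle
            $s = Get-MessengerStatus -ComputerName $h
            if ($rc -ne 0) { $s.Status = "DisableFailed $rc" }
        }
        $s
    }
}

# Constructed sample host list.
Invoke-MessengerLockdown -ComputerName 'WS-EXAMPLE-01', 'WS-EXAMPLE-02' |
    Format-Table -AutoSize
```

Hosts that report `Error` or `DisableFailed` are the ones to follow up by hand; disabling the service is a stopgap and does not replace installing the MS03-043 patch.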

  • This time, please do something really useful, not only doing such silly thing as DOS'ing windowsupdate

    You can for instance, delete necessary files for Internet connection... in this case Microsoft will be in a *real* shit if nobody can connect the internet to download patches!
    They'll maybe have to send MILLIONS of CD by mail!

    Therefore, people will be *really* annoyed and may think it's time to switch to another more reliable OS.
    • Guantanamo Bay awaits you... You've just encouraged someone to commit a terrorist act against the United States, and I'm not sure if that's not an act of terrorism all by itself. Yes... they might just come for YOU, dear borgdows (#599861) and throw the book at you. That's the same thing as publicly asking Osama Bin Laden to blow up the Statue of Liberty. The next number you will be known by, dear #599861 will not be your slashdot number.
    • This time, please do something really useful, not only doing such silly thing as DOS'ing windowsupdate
      Therefore, people will be *really* annoyed and may think it's time to switch to another more reliable OS.


      You're the reason people think like this [overclockers.com].

      You stupid prick, you think writing worms is a good way to get people to switch to a "more reliable OS"??!?? Do you realize how fucked up that is? Do you realize that it's people like you who are keeping people away from Linux?

      It's the stupid shits like you wh
    • > This time, please do something really useful, not only doing such silly thing as DOS'ing windowsupdate You can for instance, delete necessary files for Internet connection... in this case Microsoft will be in a *real* shit if nobody can connect the internet to download patches!

      As fun as this is, better things could be done.

      Modify the hosts file, so that whenever something requests microsoft.com or windowsupdate.com or windowsupdate.microsoft.com they get redirected to apple.com or maybe a fake wind

    • Are you Icelandic or retarded?
    • Was there a "Yet Another Ssh Flaw?" Does michael follow the link in my sig and post about all the flaws that come out monthly (compared to these new four)?

      Of course not. And you won't see it reported, either. Because Slashdot is biased against Microsoft and wants your page hits.

      I dare you to argue otherwise, because it's just too obvious.
  • Windows SUS (Score:5, Informative)

    by GangstaLean (102189) <gangstalean@NoSpAM.birdinthebush.org> on Thursday October 16, 2003 @08:29AM (#7228249) Homepage
    Admins on sites exceeding 10 or so workstations may want to look into Windows SUS [microsoft.com]. Software Update Services (SUS) gives the capability of integrated patch management and centralized patch distribution. This is sort of along the lines of RHN with a centralized console for distributing through a domain.


    It's useful.

    • I've looked into this, but it seems to require ridiculous specs for what it's doing.

      As a small to medium charity, we can't afford an individual machine just to push out patches to our workstations.

      For people in the same situation, done right, group policies can be very useful... I'm using them here to push out system patches to our machines.
      • As far as the specs go, I am using it on a dual p2-400 xeon with 512mb ram. This computer is a domain controller and a SUS server. I am having no trouble with it slowing down. I don't think this qualifies as a supercomputer. I am serving updates to about 400 computers and I never experience any slowdown on the server.

        I tried using group policies to push out patches, but it is such a pain to do and keep up with. I think that if you tried SUS on your domain controller, you would be happy with it.

        Th

        • What sort of loads are you getting on the SUS server?

          We've got a single server here running 2000 SBS, which is the PDC, Exchange server, and file server for a few hundred users.

          Once I persuade management to get another server to take the load of the current one I'll definitely take a serious look at SUS though.

      • The SUS specs are preposterous - they are for machines with thousands of clients. SUS is really just an IIS web site that serves up a couple megs at a time, so damn near anything ought to be able to do it. If you plan on deploying service packs through it, you might need more horsepower. I do SP's via group policy.
    • So.. did you get PAID for that product endorsement? I mean... aside from the fact that this software removes a driver for MS to write good code (because of the TCO for the patch management), you would want to install this on a central server that would, of course, require a Windows 2k(2k3?) license.

    • Re:Windows SUS (Score:5, Insightful)

      by Zeddicus_Z (214454) on Thursday October 16, 2003 @10:23AM (#7228978) Homepage
      We use SUS at work to distribute patches to around 60 desktops. While it's certainly nice to not have to go desk-to-desk doing this manually, SUS has some major drawbacks.
      • Bad patch verification. Like WindowsUpdate, SUS relies on a registry entry to check successful installation of patches. As many admins have discovered over the past few months, this method of patch verification is highly flawed and results in many, many cases of false-negatives when searching for vulnerable workstations.
      • OS patches only. SUS does OS patches. Great. Now what about Office, which is also installed on every desktop in our company?
      • Patch reliability. Even if SUS was vastly improved, the sad fact of the matter is that MS patches are still capable of doing severe damage to the target system. It's not like there are no past examples of patches and/or service-packs f$*king up machines. Until the patching process becomes not only dead easy, but also bulletproof RELIABLE, servers (esp. critical infrastructure machines) will continue to need manual patching. Considering many larger companies can have hundreds of servers across the organisation, it becomes one hugeass timesink.
      • Other pitfalls. There are many, MANY other options missing that would make life for administrators much easier - such as forcing reboots for patched machines, the ability to stagger deployment using only one SUS server (by using, say, MAC addresses or NetBT/DNS hostnames), the ability to detect mobile users (via a configurable registry setting on the client end) and *force* them to patch immediately upon connecting to the LAN based upon past percentage hit-rate for successful patching (i.e. machine was turned on and connected to LAN) at the regular scheduled time
      SUS is nice to have, but it's certainly not set-and-forget as it SHOULD be - at least on the client end of things. There is a long way to go with SUS before it begins to approach something that makes a significant impact on the nightmare that is Microsoft patching. But of course the problem with hoping SUS gets better is that SMS and MOM exist... and unlike SUS, neither of those are free.
  • This is hardly news in a sense. It's not the first, last or only time that windows has a flaw. There are probably a thousand of these exploits hidden in the closed source.

    On top of that, there is the prevailing attitude at microsoft that a quick sale for ease of use is better than a later sale with security. Until now that approach has always left them in the money.

    I'm hoping that the level of attacks that we have seen in the last few months will finally produce the uprising against this "quick release"
  • by sylvester (98418)

    Hey what's the deal with slashdot moderation? I used to read at +5 but now there're barely any comments there. I know this is offtopic, but did I miss a story about major changes or something?
  • Win98 is not affected. Or is it just that they don't bother to check it anymore?
  • I checked my Windows XP installation and it has had the patch applied since July 8, 2003. Why is this a news item just now?
  • ARRRGH, all these dang security updates, and patches, and holes, and everything... It's not fair. And Linux is no better, I'm stuck on 56K, so getting the thing in the first place is hard enough... not to mention isn't a fulltime job in itself.

    I think I'll just go back to Windows 3.1 on all my machines, that will solve all these problems I'm having with new operating systems.
  • joo R 0wn3d

    Makes me glad I have a firewall between me and the internet (even at home for my LAN). I didn't even know about all the Popup spam until an article came around talking about it. It just hadn't been an issue. Yes, it's better to be informed than clueless, but a decent firewall is still a help :)
  • I just installed the patch on my laptop and now it BSOD's immediately on boot. It's quick, but I caught something that looked like "basesrv." Quite the pain, really. Is anyone else having a similar problem, and if they are, how do you fix it?
  • I've figured it out! My company sends around an update CD every time one of these flaws is announced. They're trying to drive us bankrupt through the cost of update CDs and lost productivity of every employee in the company having to spend half an hour to an hour applying them! I'm on to their evil plan now!
    • That theory isn't very good, especially considering any new flavor of Windows has automatic updating that requires *zero* intervention from the user.
      • My company doesn't trust its employees to use automatic updating. And the automatic update still requires anywhere from 10 minutes to an hour of lost productivity depending on how big the patch is and if it requires a reboot. Since my company has deployed a bunch of VB crapplets I'm forced to reboot to Windows once a week to do my timesheet so I can't just nuke Windows off my hard drive completely, run Linux and ignore the Windows warnings ("apt-get update ; apt-get upgrade" doesn't require you to stop all
        • You're missing the point. You don't do anything. That's why it's called automatic updating. Set it to happen at 2:00 AM every day. There's nothing to do. If a reboot is required, reboot when you're getting your coffee. It's not a big deal at all.
          • That's a good solution for home or small office users, but it doesn't scale that well for larger sites. As soon as you have more than a few dozen workstations, having each one pull down the updates from the Internet causes an unacceptable amount of network traffic (maybe it's OK in the US where bandwidth is cheap, but here in Europe our Internet pipes tend to be a bit more frugal). Also, no sane person wants to use this solution for servers, where applying untested updates can have catastrophic conseque

  • After all, how many people out there have turned on the default Windows XP firewall since Blaster?

    I know every machine I fixed during the blaster worm's reign had its default firewall turned on.
  • RPC worm (welcha!) (Score:5, Interesting)

    by tonywestonuk (261622) on Thursday October 16, 2003 @08:43AM (#7228346)
    So I installed W2k for a friend a few days ago - Connected to the internet to get the RPC patch, and got infected with this worm in under a minute - Not even time to get the update!...

    Now, getting rid of the worm is annoying, but is easily done. Can you imagine however, the chaos if the author of the worm also put nasty bios flashing code into it... Millions of PC would be heading for the dumpsta! Shops/businesses/transport/universities would all end up grinding to a halt, The economy would be up shit creek, and for a few weeks anyhow there would be a huge shortage of PC's through people panic buying new units - hardware prices would soar.... (good time to buy Dell stock maybe?)

    Tony.
    • Hate to use the topic, but "Me too" :-) This happened to me yesterday, but with XP.

    • by trikberg (621893)

      So I installed W2k for a friend a few days ago - Connected to the internet to get the RPC patch, and got infected with this worm in under a minute - Not even time to get the update!...

      And that's why you should have installed a software firewall, such as ZoneAlarm, from CD before connecting to the internet

      While you're at it install a decent browser and e-mail client from the same CD before your friend has a chance to start using IE and Outlook (Express).

    • by muffen (321442)
      . Can you imagine however, the chaos if the author of the worm also put nasty bios flashing code into it... Millions of PC would be heading for the dumpsta!

      Virtually every BIOS has protection against this since the CIH days (doesn't mean people enable it, but it's there). Furthermore, instead of throwing away a PC with a flashed BIOS, you can give it to me. It won't cost me more than $5 to get it fixed!

      I agree that these flaws are bad, but no need to make it worse than it already is.

      So I installed
    • Your problem is that you did not follow Microsoft's best practices. If you had, you would have done as Ballmer has been preaching, and Secured the Perimeter [com.com]! Which really is just PHB speak for never putting a windows box on the internet without a Linux firewall to protect it. Why do you think microsoft has started using Linux as a proxy service for their website???
  • How else will I be able to get all the free advice about how I am broadcasting my IP address?

    Messenger is such a valuable service to me... how can I live without it?

  • Of course this is another headache for admins still patching for last month's RPC flaw."

    That RPC flaw, patched twice so far, is actually still vulnerable. That's right the RPC service will require a third patch.

    Security experts have discovered that a vulnerability still exists in the Microsoft RPC service. Furthermore, an exploit has been developed as a proof of concept. The results have been reported to Microsoft but, as yet they have not responded publicly. So, be on the look out for yet another RPC s
  • by zakezuke (229119) on Thursday October 16, 2003 @08:48AM (#7228380)
    Microsoft discovered a MAJOR flaw in their naming convention. It seems it's far too easy to confuse MSN Messenger with Windows Messenger due in part they are both called Messenger, also due to the fact that Windows Messenger isn't widely used, except by sys/net admins telling their users the system is going down.

    Getting users to actually perform updates when they don't have the ability to tell the difference between the different products has proven to be most troublesome to Microsoft.

    This flaw was noticed by technical support when users asked for assistance with "outlook" not knowing that "express" was a different product. Not to speak of the differences between Windows Explorer, Microsoft Explorer, and the new hardly ever works MSN explorer.

    "The idea that users know the difference between Windows, Microsoft, and MSN is ridiculous" --- typical power user.

    A new convention is required based on the following facts

    Windows - the operating system side of things
    Microsoft - the software side of things, stuff you actually use
    MSN - the ISP side of things, fluffy click shit that causes your computer to crash and burn.

    Renaming should be as follows

    Don't touch me crap - reserved for operating system level software
    Play with me crap - the software you typically get to do stuff
    Can't do crap - the stuff internet related that never works right

    Now saying that there are patches for the "don't touch me crap messenger" has some meaning to the average user, vs their "Can't do crap Messenger" product.

    This message was brought to you by Microsoft Crap, where did your document go today?

    • "It seems it's far too easy to confuse MSN Messenger with Windows Messenger due in part they are both called Messenger"

      I'm surprised they aren't called MSN Messenger Explorer and Windows Messenger Explorer.
  • disable the Messenger Service immediately

    Good advice. This service has been abused for many years now by spammers, and now the possibility of a worm using it.

    I wonder who/where at Microsoft considered it a good idea to enable this service by default and to allow connections from everywhere. Has anyone out there actually used it?
    • I have, once. I used it to send a message to a friend on the campus network when the outside connection was down so that ICQ and mail were unavailable. The alternative would have been to use a few cents on a phone call or actually get up and walk *GASP* the 100 meters or so to talk to him face to face. :)
    • Has anyone out there actually used it?

      Yes, I know at least two companies that used it rather frequently. In both cases, they would use it for batch-completion notifications and things like that.

      That all said, I hate it and it seems like a prime candidate for abuse in various forms. Obviously.

  • Why not allow users to disable MSN completely with uninstall?

    Oh that is right, Bill Gates doesn't trust us lowly users..

  • Just to let everyone know, this morning after late-night patching my company's Exchange 2003 box it isn't sending/receiving internet emails (*cue Exchange jokes...now*).

    I'm currently paying $250 so Microsoft can tell us if this is the correct behavior (oh, the humor), after asking them last night if all patches were approved for a Windows Server 2003/Exchange 2003 environment, and them telling me yes.

    I know I'm in the minority for not using sendmail, but I am of the opinion that these patches may damage y

    • not using sendmail

      sendmail has built up at least as much of a legend for insecurity as Exchange, probably also amplified by its wide deployment.

      Security in depth helps, though.

      Sendmail costs nothing but a little time to install, but adds another layer to your corporate email system, one which can be used to handily filter crap that is bad for Windows systems. MyCorp has used both Exchange and sendmail for years. Performance of sendmail on piece of crap hardware is impressive, especially compared with E

  • by HighOrbit (631451) on Thursday October 16, 2003 @08:51AM (#7228404)
    A few months ago, my sister-in-law and her husband bought a new computer (loaded with XP as most are). They are average users: they browse the www, send email, write letters, and play games. They know how to use their box, but they don't know how to administer it. So everything that was shipped as default was still default -including the messenger service. They are on cable modem and were getting constant popups (and I mean constant, like one every 30 seconds) over the messenger service. Now multiply that by millions of people and you have millions of potential DDOS zombie machines, or spam spewers, or any other nasty (or illegal) thing you can imagine.

    It is time for MS to immediately change the default shipping configuration of XP to turn every service off by default because no desktop should be listening on any tcp by default. If that means they need to recall and replace all the master disks that they license to OEMs, then they need to do it. They need to have every major retail outlet yank all the shrink-wrap boxes and replace them with new one with secure default configurations. MS is sitting on $46 million in cash, so they can easily afford this expense as chump change. It's just a question of whether they are willing to admit fault and buck up for failing their customers or if they are too greedy to spend some of their hoarded wealth.
  • Imagine patching 20,000 desktops and 2,000 servers before someone writes an exploit - that's what a large corporation has to do now [1]. I'm amazed, in the litigious US, that no-one has tried to sue MS for the cost of doing this.

    [1] your corporate firewall should keep any exploiting worm out but there are still floppy drives, possible unauthorised modems and third party connections that *may* allow the thing in, so you'll have to patch to be on the safe side.

  • I haven't confirmed this on all my machines, but when I installed the updates on one yesterday (I always update one machine, and if nothing important breaks I do the other one) Synergy no longer starts automatically on boot, it works just fine starting when I log in. (I normally log into one computer, and then from there log into the other)

  • ... but doesn't *everyone* disable/uninstall messenger service? Even tho I'm a huge fan of Linux, it doesn't mean I don't know my way around windows. Whenever I setup a new XP machine (for anyone), or advise someone on setting up a new machine, I have 3 requirements: no spying(adaware, xp anti-spy), no viruses (virus software like avg, McAfee or norton), and a firewall (either hardware or software, like black ice, tiny personal firewall, which they used to give out ver 2 of for free.) I also don't trust
      • ... but doesn't *everyone* disable/uninstall messenger service?

      You're crazy. You shouldn't be, but the fact is that a huge number of MS shops are run by undertrained sysadmins who, through very little fault of their own, remain unaware of these little issues. I'm a certified engineer (Novell) with a lot of experience with MS products, and I read constantly trying to stay ahead of the curve. My company refuses to part with the money to send me to some proper training, or hire a mentor for a short while.

  • 1. Regarding MS03-041: I have a simple XP professional (32Bit) running on my computer. This OS is neither listed in "Affected Software" nor in "Non Affected Software". So is it semi affected or what? And where can I get the download?

    2. I am running a German version of XP, so all services have German names. What is the "Messaging Service" called in the German version? The closest I could find is "Nachrichtendienst".

  • And quite frankly, I'd be surprised if anyone really does anymore.

    Once spammers learned how easy it was to use the Messaging service to send almost anonymous spam a couple of years back, me and damn near anyone I know not behind a firewall turned it off.

    Or did spammers stop sending dozens of nice popups a day to random IP addresses sometime between now and then?
  • The flaws aren't good, but it's good that Microsoft found them. The pace of MS finding bugs seems to be picking up lately; maybe MS's trustworthy computing shtick is finally doing some good? Perhaps MS will finally get on the ball about security!

  • Of course a firewall will offer some protection but shouldn't be relied on.

    Check.

    Unfinished poetry composition from RPC...

    "Laptops that touch the raw Internet shall never touch my internal LANlips, be it even through an erstwhile VPN."
  • Not being a Windows expert, what does Windows Messenger really do in a system? When you go to disable it, all Windows tells you is that you shouldn't because other service might depend on it. Other than that, there's very little information. Anybody know? Obviously if MS says to disable it until further notice, it can't be very important, but then again it might break something that they are not considering.
    • AFAIK it does two things: 1) it lets a printer tell you when your print job is finished, 2) it lets spammers annoy you.

      Disabling the Messenger service is on the standard list of things I do when installing W2K. (right after installing SP2 and the latest RPC patch)

  • One of the first things I do when I install Windows on a computer in my office is disable Messenger outright. It's simply not worth the aggravation of dealing with it.

    Ever since spammers started using it a few years back, it just wasn't worth the nuisance of dealing with it.
  • by Call Me Black Cloud (616282) on Thursday October 16, 2003 @09:41AM (#7228633)
    Microsoft released yesterday a whole bunch of critical security updates.

    Their new policy [myitforum.com] is to release monthly updates unless an exploit already exists, in which case a patch is immediately released.

    Out of these, MS03-043 is a flaw in the Windows Messenger Service ... Of course a firewall will offer some protection but shouldn't be relied on

    You don't know what you're talking about, submitter Dynamoo. Please, tell us why one shouldn't rely on a firewall? If you read the technical documentation [microsoft.com] about the flaw you see "If users have blocked the NetBIOS ports (ports 137-139) - and UDP broadcast packets using a firewall, others will not be able to send messages to them on those ports." (under "Technical Descriptions"). I think I'll ignore your advice and keep a firewall in place, no matter what OS I'm using.
    • What? (Score:3, Insightful)

      by abulafia (7826)
      You fail to back up your title.

      > Microsoft released yesterday a whole bunch of critical security updates.

      Their new policy is to release monthly updates unless an exploit already exists, in which case a patch is immediately released.

      How, exactly, are you contradicting the author?

      > Of course a firewall will offer some protection but shouldn't be relied on

      You don't know what you're talking about, submitter Dynamoo. Please, tell us why one shouldn't rely on a firewall? If you read the technica

      • Re:What? (Score:3, Informative)

        a firewall is not a perfect measure for protecting against this attack...Because some other machine behind the same firewall might become infected

        Good point - I was unclear. I should have quoted Microsoft's technical documentation. They specify configuring Windows' built-in firewall to block those ports. If the ports are blocked at each machine then an infected machine behind a hardware firewall will not infect other machines on the LAN.
  • I don't know if it's MS or the poster, but we should make sure to clean up the nomenclature for these various 'messenger' services. In XP, clicking on the service labeled 'Messenger' displays the help on the left which says: "...This service is not related to Windows Messenger." Although, the poster referred to this as the "Windows Messenger Service."

    I want to shoot the Messenger, but it's hard to tell which one!

    But not to worry, visiting the MS link in the post and following the directions cleared up

  • by X86Daddy (446356) on Thursday October 16, 2003 @10:05AM (#7228759) Journal
    At least administrators can disable the Messenger Service remotely.

    If you haven't patched yet, I'm guessing anyone can disable your services remotely. :-)
  • by hetairoi (63927) on Thursday October 16, 2003 @10:16AM (#7228889) Homepage
    I was just over at the beast reading about the new security bulletin [microsoft.com] service and came across this under the 'What customers tell us' section:

    Customers are concerned that Microsoft releases security patches too frequently

    Wha?!? So, customers are saying that even if some critical flaw is found, M$ should wait awhile before releasing it because Joe Admin is concerned there are too many patches??

    Come on, if they know something is broke I want a patch ASAP (after proper testing of course). I don't care if they release a patch an hour, if something is broke -- Fix it now, don't wait until next week because you've already released your quota of patches for this week. This sounds like BS to me, maybe M$ just stuck that in as an excuse to not release patches.

    Later they say an exception will be made if they determine the customers are at immediate risk. I'm glad they know my system so well, but really, please just release the patch now and I will decide if MY system is at immediate risk.

    • Frequent patching is cause for three concerns:

      1. The patches haven't had time to be adequately tested.

      2. A cascade of patches indicates serious underlying problems.

      3. A cascade of patches distracts the MS developers from what should be their primary job: making patches unnecessary in the first place.
  • The last worm, I was only 2 hours off of when I thought it would come.

    I am saying this worm will probably come early November around midnight EST. (Nov 13th)

    Official bid: Nov 13th 0000 hours.

    Any other bidders?
  • I installed the patch on several machines yesterday. One of them demanded a supplemental EULA. I have not been able to reproduce it on the other machines, so I paraphrase from memory. It said, among other things:

    "I will not publish the results of .net benchmarks"

    I have never (intentionally) installed the update that installs the .net framework but judging from the EULA I wonder if that happened and that's why this EULA popped up.

    In any event, this clause casts a chill over me.
  • by cindik (650476) <solidusfullstop@ ... inus threevowels> on Thursday October 16, 2003 @12:23PM (#7230290) Homepage Journal
    You'll never be locked out with Microsoft. We make windows that anyone can open from the outside.
