
Yet Another Critical Windows Flaw

Dynamoo writes "Microsoft released yesterday a whole bunch of critical security updates. Out of these, MS03-043 is a flaw in the Windows Messenger Service (not MSN Messenger) with the possibility of a remote attacker gaining complete control of a Windows NT/2000/XP/2003 based PC remotely. If this sounds like another possible vector for a worm to spread, you'd probably be right. Microsoft's recommendation is to 'disable the Messenger Service immediately and evaluate their need to deploy the patch'. Of course a firewall will offer some protection but shouldn't be relied on. At least administrators can disable the Messenger Service remotely. Of course this is another headache for admins still patching for last month's RPC flaw."
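The summary's advice is to disable the Messenger Service, which administrators can do remotely; a service that is only stopped while its start type is still automatic or manual can be started again, so a fleet check has to look at both fields. The sketch below is an added example (not from the story or from Microsoft's bulletin) that classifies hosts from captured output of `sc \\HOST query Messenger` and `sc \\HOST qc Messenger`; the host names and sample outputs are constructed.

```python
import re

# Constructed samples: trimmed `sc \\HOST query Messenger` + `sc \\HOST qc Messenger`
# output per host. Host names are hypothetical.
SAMPLES = {
    "WS-01": """SERVICE_NAME: Messenger
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
        START_TYPE         : 2   AUTO_START""",
    "WS-02": """SERVICE_NAME: Messenger
        STATE              : 1  STOPPED
        START_TYPE         : 2   AUTO_START""",
    "WS-03": """SERVICE_NAME: Messenger
        STATE              : 1  STOPPED
        START_TYPE         : 4   DISABLED""",
    "WS-04": "[SC] OpenService FAILED 1060:\n\n"
             "The specified service does not exist as an installed service.",
    "WS-05": "[SC] OpenSCManager FAILED 1722:\n\nThe RPC server is unavailable.",
}

FIELD = re.compile(r"^\s*(STATE|START_TYPE)\s*:\s*\d+\s+(\w+)", re.M)
FAILED = re.compile(r"FAILED (\d+)")

def classify(sc_output):
    """Return the Messenger Service status of one host from captured sc output."""
    fail = FAILED.search(sc_output)
    if fail:
        # 1060 = service not installed; any other failure means "could not check".
        return "not-installed" if fail.group(1) == "1060" else "unknown"
    fields = dict(FIELD.findall(sc_output))
    state, start = fields.get("STATE"), fields.get("START_TYPE")
    if state is None or start is None:
        return "unknown"              # incomplete capture: do not assume safe
    if state != "STOPPED":
        return "running"              # includes START_PENDING / STOP_PENDING
    if start != "DISABLED":
        return "stopped-not-disabled" # stopped now, but can be started again
    return "disabled"

def needs_action(samples):
    """Hosts that are not verifiably disabled, unreachable hosts included."""
    done = {"disabled", "not-installed"}
    return sorted(h for h, out in samples.items() if classify(out) not in done)

if __name__ == "__main__":
    for host, out in SAMPLES.items():
        print(f"{host}: {classify(out)}")
    print("follow up:", ", ".join(needs_action(SAMPLES)))
```

Hosts that could not be queried are reported for follow-up rather than counted as safe.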
  • by sylvester ( 98418 ) on Thursday October 16, 2003 @08:29AM (#7228251) Homepage

    Hey what's the deal with slashdot moderation? I used to read at +5 but now there're barely any comments there. I know this is offtopic, but did I miss a story about major changes or something?
  • by Jesrad ( 716567 ) on Thursday October 16, 2003 @08:31AM (#7228258) Journal
    Wrong! Every support tech will tell you users don't think. At all.
  • by trikberg ( 621893 ) <trikberg.hotmail@com> on Thursday October 16, 2003 @09:17AM (#7228535)

    > So I installed W2k for a friend a few days ago - Connected to the internet to get the RPC patch, and got infected with this worm in under a minute - Not even time to get the update!...

    And that's why you should have installed a software firewall, such as ZoneAlarm, from CD before connecting to the internet.

    While you're at it install a decent browser and e-mail client from the same CD before your friend has a chance to start using IE and Outlook (Express).

  • by muffen ( 321442 ) on Thursday October 16, 2003 @09:23AM (#7228557)
    > Can you imagine however, the chaos if the author of the worm also put nasty bios flashing code into it... Millions of PC would be heading for the dumpsta!

    Virtually every BIOS has protection against this since the CIH days (doesn't mean people enable it, but it's there). Furthermore, instead of throwing away a PC with a flashed BIOS, you can give it to me. It won't cost me more than $5 to get it fixed!

    I agree that these flaws are bad, but no need to make it worse than it already is.

    > So I installed W2k for a friend a few days ago - Connected to the internet to get the RPC patch, and got infected with this worm in under a minute - Not even time to get the update!...

    All you have to do is change one registry key (enableDCOM) from YES to NO. That way, you're "protected" without having the patch.

    My PC is running with just over 10 services enabled. After all these flaws, I realized it was safer to simply disable anything non-critical. I don't like Windows anyways, just have to use it for work :/
  • by 1s44c ( 552956 ) on Thursday October 16, 2003 @09:26AM (#7228578)
    > MS is sitting on $46 million in cash

    It's true, but they really don't want to spend the monthly cola budget on silly things like security.

    Microsoft sell things by good marketing, not by having good products.
  • by gorfie ( 700458 ) on Thursday October 16, 2003 @10:04AM (#7228748)
    Before we were told about the Messenger flaw, I don't think the Messenger service was considered a hole, I think it was the fact that spammers were able to send messages to computers remotely using the Messenger service that was INDICATIVE of a hole. Even if they disabled Messenger the problem still existed. It's NetBIOS that's the real problem. Of all the Windows worms that have come out in the past few years, all have relied on NetBIOS, IIS, or Outlook to propagate.

    Most of the people running IIS got a clue and patched (granted some didn't).

    Many running Outlook were aware that they could open viruses just by viewing a message and many of them patched (granted some didn't).

    However everyone running Windows probably has NetBIOS running and all but the Systems Administrators and nerds don't realize that it has numerous holes and can be exploited.
  • What? (Score:3, Insightful)

    by abulafia ( 7826 ) on Thursday October 16, 2003 @10:12AM (#7228835)
    You fail to back up your title.

    > > Microsoft released yesterday a whole bunch of critical security updates.

    > Their new policy is to release monthly updates unless an exploit already exists, in which case a patch is immediately released.

    How, exactly, are you contradicting the author?

    > > Of course a firewall will offer some protection but shouldn't be relied on

    > You don't know what you're talking about, submitter Dynamoo. Please, tell us why one shouldn't rely on a firewall? If you read the technical documentation about the flaw you see "If users have blocked the NetBIOS ports (ports 137-139) - and UDP broadcast packets using a firewall, others will not be able to send messages to them on those ports." (under "Technical Descriptions"). I think I'll ignore your advice and keep a firewall in place, no matter what OS I'm using.

    I don't believe the author is telling you to remove your firewall. The author is saying that it shouldn't be relied upon. There is a significant difference. Because some other machine behind the same firewall might become infected, a firewall is not a perfect measure for protecting against this attack. There's a well-worn phrase for this problem - "crunchy on the outside, chewy on the inside."

    So, again, please explain how Another rabid submitter gets it wrong?

  • by n1k0 ( 553546 ) on Thursday October 16, 2003 @10:13AM (#7228846)
    > Of course a firewall will offer some protection but shouldn't be relied on

    What kind of crack are you smoking, and where can I get some? A firewall will offer complete protection, and should be relied on to protect you from exactly this kind of situation (and more!). I'm sure your point is that using a firewall is no excuse to not apply security patches and while I agree, this anti-firewall propaganda has to stop! ;-)

    -Nick
  • by hetairoi ( 63927 ) on Thursday October 16, 2003 @10:16AM (#7228889) Homepage
    I was just over at the beast reading about the new security bulletin [microsoft.com] service and came across this under the 'What customers tell us' section:

    > Customers are concerned that Microsoft releases security patches too frequently

    Wha?!? So, customers are saying that even if some critical flaw is found, M$ should wait awhile before releasing it because Joe Admin is concerned there are too many patches??

    Come on, if they know something is broke I want a patch ASAP (after proper testing of course). I don't care if they release a patch an hour, if something is broke -- Fix it now, don't wait until next week because you've already released your quota of patches for this week. This sounds like BS to me, maybe M$ just stuck that in as an excuse to not release patches.

    Later they say an exception will be made if they determine the customers are at immediate risk. I'm glad they know my system so well, but really, please just release the patch now and I will decide if MY system is at immediate risk.

  • Re:Windows SUS (Score:5, Insightful)

    by Zeddicus_Z ( 214454 ) on Thursday October 16, 2003 @10:23AM (#7228978) Homepage
    We use SUS at work to distribute patches to around 60 desktops. While it's certainly nice to not have to go desk-to-desk doing this manually, SUS has some major drawbacks.
    • Bad patch verification. Like WindowsUpdate, SUS relies on a registry entry to check successful installation of patches. As many admins have discovered over the past few months, this method of patch verification is highly flawed and results in many, many cases of false-negatives when searching for vulnerable workstations.
    • OS patches only. SUS does OS patches. Great. Now what about Office, which is also installed on every desktop in our company?
    • Patch reliability. Even if SUS was vastly improved, the sad fact of the matter is that MS patches are still capable of doing severe damage to the target system. It's not like there are no past examples of patches and/or service-packs f$*king up machines. Until the patching process becomes not only dead easy, but also bulletproof RELIABLE, servers (esp. critical infrastructure machines) will continue to need manual patching. Considering many larger companies can have hundreds of servers across the organisation, it becomes one hugeass timesink.
    • Other pitfalls. There are many, MANY other options missing that would make life for administrators much easier - such as forcing reboots for patched machines, the ability to stagger deployment using only one SUS server (by using, say, MAC addresses or NetBT/DNS hostnames), the ability to detect mobile users (via a configurable registry setting on the client end) and *force* them to patch immediately upon connecting to the LAN based upon past percentage hit-rate for successful patching (i.e. machine was turned on and connected to LAN) at the regular scheduled time.
    SUS is nice to have, but it's certainly not set-and-forget as it SHOULD be - at least on the client end of things. There is a long way to go with SUS before it begins to approach something that makes a significant impact on the nightmare that is Microsoft patching. But of course the problem with hoping SUS gets better is that SMS and MOM exist... and unlike SUS, neither of those are free.
  • by rgmoore ( 133276 ) * <glandauer@charter.net> on Thursday October 16, 2003 @10:59AM (#7229377) Homepage

    If the worm flashed the BIOS, wouldn't that tend to destroy its hosts and thus slow down the infection? This is one more place where knowing biology can be helpful in understanding computer diseases. Diseases that are promptly fatal tend to be self-limiting because they kill off their hosts before they have much time to spread. Most successful diseases are either not uniformly fatal or at least take long enough to kill that their host has plenty of time to infect others. This is why many types of malware with destructive payloads will have a built-in delay before blowing up; otherwise they'd kill themselves before managing to infect enough computers to cause real havoc.

  • by caseih ( 160668 ) on Thursday October 16, 2003 @11:42AM (#7229862)
    They're having problems with some of their machines, including the one which distributes mod points, running slow.

    This begs the question, what would happen if several thousand users decided to "go on strike" as it were and simply withhold moderation points. Seems to me that if enough users did this, we would see a similar moderation point shortage.

    On the other hand we have nearly 800,000 slashdot accounts these days, and the possibility of any of them agreeing to anything to accomplish this would be about zero.
  • by Jellybob ( 597204 ) on Thursday October 16, 2003 @11:47AM (#7229901) Journal
    I guess we would do, but I doubt it would be a huge problem, since mod points expire anyway.
  • Context (Score:2, Insightful)

    by Short Circuit ( 52384 ) <mikemol@gmail.com> on Thursday October 16, 2003 @12:07PM (#7230114) Homepage Journal
    Context and Guilt by Association. This is Slashdot. Slashdot is very much engrossed with Linux, the Linux community and Open Source.
