Last Words On Service Pack 2 542
thejoelpatrol writes "So did Slashdotters call this one? Windows XP SP2 seems not to be so secure after all. A Register reporter goes in depth to find out just how safe a fresh install is. He provides a list of which dangerous ports are left open and which services are left on by default. I guess now we know why Microsoft's security timetable is 10 years." Reader ack154 writes "ZDNet is reporting that many Dell Inspiron users are reporting an extreme performance decrease since installing Windows XP SP2 - decreases as much as from 2.6ghz down to 300mhz. Dell claims no responsibility, claiming it is 'externally loaded software' and they don't support it. In the mean time there has been a fix posted on Dell's forums, which rolls back the processor driver." Finally, Marxist Hacker 42 writes "Amid complaints of too much XP Service Pack 2 coverage on ZD Net, David Berlind writes that Service Pack 2 deserved the scrutiny it got- and charges that it failed to live up to Gates' Trusted Computing Initiative." Finally, Microsoft warns that installing SP2 on a spyware-infested PC is a bad idea.
Why I didn't bother... (Score:5, Interesting)
I might add that the free/OSS I have protecting my machine weighs in considerably less in terms of combined file size then does SP2.
From an Inspiron 9100 owner... (Score:5, Interesting)
not to be a jerk, but... (Score:3, Interesting)
David Berlind writes that Service Pack 2 deserved the scrutiny it got- and charges that it failed to live up to Gates' Trusted Computing Initiative.
Okay, Mr. Berlind, did you actually fall for that and now you're surprised?
Firewall is on by default (Score:5, Interesting)
I say it's a "massive step forward" because there are literally MILLIONS of windows machines which are never updated, don't run any firewall software, and which are directly connected to broadband ISPs. The people running these boxes truthfully don't know what they're doing in these matters.
Right now, those poeple have NOTHING. Now at least they will have something, albeit limited. This is a major improvement. Even the old XP internet connection firewall, if it had only been enabled by default, would have prevented Blaster from ever happening.
Of course there are some questionable exceptions in the new firewall default configuration, and no doubt the next generation of worms will take advantage of those - but at least the bar has been raised a little higher.
all in the spirit....and its manifestation... (Score:3, Interesting)
Its this same manifestation of the application of doing things in software to "make people need them" that is causing all the security problems.
This security problem is not fixable by this mindset that cause it.
Its like an alcoholic or drug abuser, their mind is geard towards supporting the continuation of its vise. What I call a "self supporting dependancy". And under such conditions, as those who have admitted it and sough help, you have to have external help in order to be lead out of the blindness of the self supporting mindset.
Whos helping MS??? If anyone can?
Re:Why I didn't bother... (Score:3, Interesting)
The biggest problem I had was trying to actually get the update through Windows Update. I did set Windows Update to automatically download it (but not install) but that didn't work for 3 whole days after SP2 had been released. So I tried to use Windows Update manually but the Windows Update site was so busy that I was told that I couldn't download it and would have to try again later. That amused me no end for some reason. All in all Windows Update reported i needed 75 Mb of patches, instead downloaded 111 Mb of patches, turned on a crappy firewall and some services that were not worth running.
However I know what I'm doing when it comes to maintaining my Windows box. I have a Linux box too so don't bother telling me to go use Linux instead :)
Re:Why I didn't bother... (Score:4, Interesting)
Re:Why I didn't bother... (Score:3, Interesting)
That isn't feasible. The mass majority of users out there are not going to have the time to become security aware. The curve to getting there is too steep and requires devoting too much time. Somehow, systems out there will have to be redone to have a secure foundation and security measures, like patching, will require automation. This is as true for a corporate system as it is for a home system.
I can't believe this got published (Score:3, Interesting)
I can't believe they published this bullshit.
Slowed Down? (Score:3, Interesting)
Re:any time now... (Score:4, Interesting)
Ok, so... (Score:5, Interesting)
Think about it, for a moment. The firewall is blocking internally-generated connections. Which is fair enough. (Though silently dropping would likely have been safer.) However, to lock the machine up, the TCP stack has got to be taking the error as cause to retransmit the packet.
Why am I so certain that this is what's happening? Because Windows has had some degree of preemption for a while. It's not great, but it works. Sort-of. Lock-ups should be next to impossible on a totally pre-emptive OS, as the locked-up program would simply be interrupted. It'd slow the machine down, slightly, but it wouldn't be fatal.
What we're getting here, though, looks like something fouling up big-time in a non-blockable part of Windows. Odds are pretty good that it's the network code. My suspicion is that the TCP stack and firewall are in an unbreakable infinite loop, with the error generated by the firewall causing the TCP code to resend the packet, ad infinitum.
A lot of people have argued that Microsoft isn't to blame for other people's crappy code. Which is fair enough. But they are very much to blame for their own crappy code. If you're going to have non-blockable code (a VERY bad idea!) then you've got to be damn sure that there are no scenarios in which that code will put itself into a spin-dry cycle.
It seems as though Microsoft merely added firewall code, with absolutely no thought as to the possible impact it could have on the rest of Windows.
Further, if my suspicion is correct (and I'm pretty confident it is), then it should be possible to crash any Windows box remotely. Simply generate a packet that Windows cannot reply to. By forcing the TCP stack and the firewall to fight it out, you'd paralyze the machine.
The correct way to handle this kind of situation is to recognise when a connection is administratively prohibited or impossible, and to not keep retrying. You'd then escape out of the non-blockable code, and pre-emption would allow you to continue as normal.
If you want slightly "smarter" behaviour, then if a process repeatedly keeps retrying a connection or activity that is prohibited, every time it gets woken back up, it should drop in priority, be slept a reasonably long time (in the hope the problem can be cleared by then) or get kicked off the system. ("Three strikes and you're out." logic.)
It should absolutely not be possible for any user process, no matter how badly written, to create a situation in which an uninterruptable infinite loop can develop. Either there needs to be some mechanism to interrupt any loop that might be infinite, OR there needs to be a mechanism for recognising when a loop is running unacceptably long.
It's no use Microsoft whining that customers should clean their computers first. That would be like McAffee arguing that you should clean your computer of viruses before running their software. And how are you supposed to do that, if you've no software installed for detecting and/or cleaning the damn things in the first place?
The only way you can know (for certain) that there's nothing trying to access an unauthorised port is by blocking the ports and seeing what happens when you try to use the computer as normal. And the only way you can then do anything about it is if the computer can cope with that situation in a controlled manner.
Re:WinXP happiness (Score:2, Interesting)
his account was magically created on my system and the default policy was to allow him the access to modify all the files on MY HD
DUH. That's the whole purpose of a domain - he logs on with an AD UN, he gets the same permissions on whatever machine. Again, your admins should be using permissions to provide you with protected storage on a central server, NOT on your machine. If you want stuff stored on your machine, safely, then setup your own damn permissions.
much more complex.... (Score:2, Interesting)
Implementing major security upgrades, a very necessary thing to do, comes with difficulties. The main problem is trying not to cause problems with too many other applications; else MS would have more issues to deal with. The trick is to balance the fixes with their effect on applications and corporate network configurations where questionable Windows services are most commonly utilized.
Don't get me wrong, I am not trying to defend MS. But I think people need to see that problem this big can only be fixed in stages, else it will create so many problems that no one will install it. The 10% rate of SP2 problems recently cited is a very acceptable rate overall. Had MS locked much more down, we'd most likely be seeing problem rates closer to 50%.
I think we can all think of at least one past experience with a flawed application where the manufacturer went too far and basically destroyed their user base thanks to a fix or update. MS is not going to do that. In addition, end users have to take responsibility for implementing known measures to ensure their system is as secure/virus free as possible. I recently read an article I concur with based on years of working with end users. The article stated that a very high percentage of users do not bother to keep their virus scanners up to date. In addition, at least one company has made a good firewall available for end users to use FREE for one year. Microsoft has had a link to that software for quite some time now. If a user is not doing the minimum known procedures to keep their system secured and virus free, they have no one to blame beside themselves.
Give it time. As Windows grows up, is fixed further, it will slowly become a secure product. The only part of Windows that I'd saw in an unfixable mess is IE, and there are known, easy to obtain alternatives. One can do a lot to plug the security holes now, but they have to get over blaming MS for the problem and take responsibility for their system(s).
Ok, this concludes my rant. Let the flames begin.
Bogus write up by the register (Score:3, Interesting)
The first section of the article goes on to explain how a number of services are left on that "shouldn't be". This is for the most part a subjective rant about services that have traditionally been a source of system compromise. The "Hate On Microsoft" stick was made apparent when the author went so far as to proclaim that the DHCP client service and DNS client service should be off by default, "DHCP Client, automatic. Unnecessary on most home machines. Should be disabled by default. "DNS Client, automatic. Unnecessary on most home machines. Should be disabled by default." that wouldn't be a very useful computer would it? How about hitting up google for an answer to "Why can't I check my mail, browse the web, or do ANYTHING online?" - oh, wait...
Among some of the old favorites that were left on, file and print services made the list. That would be pretty bogus if the system's firewall wasn't turned on by default:
"The new "Windows Firewall" packet filter is turned on by default, finally. However, an exception for Remote Assistance connections is enabled, which is preposterous, although file and printer sharing, and UPnP, are blocked by the firewall as they should be."
Since it's firewalled, it's a non-issue. In fact, most of the article is written as if the system's firewall is not installed. Remote assistance is referenced in almost all of the help documents it would be a pretty bad user experience if you wanted help - but couldn't get it. As far as I can tell there has been no exploit based on this service since the introduction of XP.
Generally speaking unused services should be turned off. The only reasonable way to address this would have been yet another wizard that would ask the user how they use the computer and set services setting accordingly. However, the question of "Is sp2 remotely exploitable out of the box? More to the point is it secure from a network perspective, now and into the future?" The answer to that question is generally yes. Unless there is a nasty buffer overflow of some kind in the firewall (one hasn't been found, not to say it won't) an SP2 box is pretty safe on the network.
Wasn't that the point of SP2?
When evaluating the effectiveness of SP2 the net result needs to be evaluated. Many critics have evaluated the implementation. A lot of people might NOT AGREE with File sharing, RPC, Remote Assistance, or any number of the other services being on by default for that matter, but does it matter from an exploitability perspective? Only if that port is available for remote exploitation -- which is not the case.
Network issues aside, IE and the shell both do a good job of throwing up warning dialogs when the user is about to run an executable. There is also the "Data Execution Prevention" feature that detects when "data" is trying to execute as a program, though for it to work well the hardware has to support non-executable memory regions. Only time will tell how well those measures aid in stopping the propagation of worms.
Windows XP SP2 treats "password" as a special case (Score:4, Interesting)
This is odd. Now, repeat the steps again *after* switching the password from "password" to "test". The results? The login dialog does not report that "test" is an invalid password.
While I am not doing any more debugging of XP for Microsoft (a detail or two might not be 100% correct), what I have seen is enough to make me wince. Microsoft did not test this one well enough.
Note: It may be necessary to have a program running in the admin account to trip up this bug.
Re:Interesting... (Score:3, Interesting)
Blame (Score:3, Interesting)
This article is just dead wrong. (Score:3, Interesting)
If the past year has proven nothing else, it's that we can't afford to let the Windows masses to have control over their own machines. The paranoid rants of a few slashdotters gave us Blaster, and I really don't think they can be forgiven for that.
Re:What crap (Score:1, Interesting)
Client for Microsoft Networks, File and Print Sharing, and the QoS Packet Scheduler
But perhaps he assumes everyone has one and only one PC in their home and has no wish to share files between them (yeah right).
No, I think he is quite correct on this one. I recently installed win2k for a client of mine with cable access. She took the standard package from the cable company which included a cable modem/router which was delivered with the internal firewall disabled! I spent an entertaining hour looking at all the shared drives on her local cable segment.
This was just stupidity on Microsoft's part. No way should shared drives and printers have been mapped to the Internet. They then compounded the stupidity with the hidden shares that NT (and 2k and XP) puts in place automatically. Before they deprecated NetBUI, I used to bind file and print sharing exclusively to this protocol and deliberately not binding it to TCP/IP. NetBUI couldn't be IP'd.
I maintain a lot of home computers in my area. The norm is still one computer per household with a dial-up connection. Lately I am seeing more DSL and cable hook-ups but the majority is still dial-up. They do not need nor should they have file and print sharing enabled by default!
Missed the big stuff. (Score:1, Interesting)
There are always going to be new buffer overflows found. What SP2 will do is make these unexploitable. If this sort of protection was in XP previously the vulnerability blaster used would not have worked even with the same coding mistake that resulted in an overflow.
I suspect the author would only have been happy if Microsoft had gotten rid of every networking feature of the OS. SP2 while not prociding the super secure magic bullet which the commentators want definitely raises the bar greatly for a default configured workstation.
Port 445 (Score:3, Interesting)
Two machines a minute are saying 'Hello' on 445, 95% of my scans are on that Port and it has been left open. Sheesh.
The other unblocked Port where I often saw scans is 135, but the frequency there has dropped almost to zero recently.
Re:Port 445 (Score:1, Interesting)
It's possible to close that port by unloading the NetBIOS over TCP/IP kernel driver. Kinda like Linux's rmmod, the sc program can remove these. Try typing
then run a netstat -an to verify that the port is closed.If you want to permanently unload it type the following. I haven't tested it much, so it might prevent you from booting.
To undo the previous command:Re:SP2 is actually more funny than secure... (Score:2, Interesting)