Windows 2003 and XP SP2 Vulnerable To LAND Attack
An anonymous reader writes "Dejan Levaja, a Serbian security engineer has discovered that nearly 8 years after the attack was first made public, Windows 2003 and Windows XP SP2 are in fact vulnerable to the historic LAND attack." Granted, you need to have the firewall turned off for this to work, but there's a whole lotta machines that don't have it turned on.
News? (Score:5, Insightful)
Machines that are not protected are vulnerable. Well, that isn't really news is it? Sounds pretty silly to me.
Re:News? (Score:5, Insightful)
A box running no services should not be vulnerable to any DoS except brute force, even without a firewall. A firewall shouldn't be a solution to poor design/implementation problems and code bugs. That is simply not working. What if someone gets through the firewall?
Only one thing though... (Score:5, Insightful)
Anyway, given all the warnings about Internet security in the last five years, the majority of users will already have downloaded and installed firewall programs such as ZoneAlarm.
Re:News? (Score:3, Insightful)
Then you get attacked I guess, but I have a feeling that if the firewall is up the would-be attackers would move on to a more vulnerable attacker.
I know its been around, but...Linking to source? (Score:2, Insightful)
Open ports (Score:5, Insightful)
Re:News? (Score:0, Insightful)
Re:Only one thing though... (Score:5, Insightful)
Re:wow (Score:3, Insightful)
Re:wow (Score:5, Insightful)
This incident is just another example which demonstrates the importance (or more accurately, the lack thereof) that Microsoft's corporate culture places on security. Hasn't anyone at Microsoft ever heard about regression testing?
Microsoft has consistently demonstrated that, regardless of what their press releases say, security is NOT one of their priorities. People need to start waking up and realizing this before they entrust their critical infrastructure to Microsoft products.
Re:Not that big of a deal (Score:5, Insightful)
That is like saying the rape victim is at fault "'cause she looked so sexy"
Comment removed (Score:3, Insightful)
Re:I know its been around, but...Linking to source (Score:3, Insightful)
Honestly. Why don't you just stick your head in the ground every time there's a problem. If you don't see it, it can't be real.
C'mon. How much more difficult is it to go to google, type in "land.c" and get the source yourself?
Do you honestly think people visiting
Besides, any good system administrator has to assume that every user out there has access to the latest, greatest, and most sophisticated tools to get into their systems.
And this is an 8 year-old exploit to boot.
OH NOES! He linked to the h4x0r f13lz! Whut k4nz W3 DOOZ?! C4llz 0wtz t3h wh4mbul4nc3!!!11!!
It shouldn't matter a single bit what gets linked to. The information is out there; anyone who wants to find it will. You can't try and suppress it. And to say that linking to it makes it easier... what did I just say about search engines? Oh gee, I've been saved a whole 5 seconds from going to google and finding it myself. Maybe all windows machines will be patched within that time?
And source isn't useful to many people (Score:5, Insightful)
I mean ethical issues aside, it's just not that helpful to most people. I'm sure most people thought "WTF is a LAND attack?" and clicked on the link to see. Getting a C file is probably not the answer they wanted, especially given that it doesn't seem to be transferring, so I can't even see if it has useful comments or not.
When doing
Re:Big deal... (Score:1, Insightful)
UNLABELED too. (Score:5, Insightful)
Not only that, it was unlabeled. That means anybody who followed the link now has a copy of the malware in their machine's webcache, minimum. And if they saved it (to keep the list of vulnerable configurations, for example) they have the malware itself.
This simultaneously puts a bunch of slashdot readers at legal risk (from false prosecution and/or in-court character assassination, based on evidence from a seized computer) and gives real baddies plausible deniability.
Re:News? (Score:5, Insightful)
Generally speaking, just about any Windows instance is going to have at least these ports open:
So this could wreak havoc on business or residential networks. But then, I guess this is what you get for giving your users or peers an inappropriate level of trust.
Re:so what? (Score:5, Insightful)
Mod parent down (Score:5, Insightful)
Re:Two things of note: (Score:1, Insightful)
The only thing that worries me is about the way MICROSOFT handles computer security.
Please remove your head from your ass before posting inane comments.
(how the original post was modded "insightful" is utterly beyond me)
Re:News? (Score:3, Insightful)
To accept a connection on an IP port, you need a service running. If you have no such service running, no connections are possible. Having such services running but then blocking them with another layer of software is pointless and adds more potential failure modes to the system. If you want a stupid car analogy, it is somewhat like putting a large spike on the steering wheel aimed at the driver, and 'compensating' by adding an airbag in the hope of stopping you from impaling yourself on the spike in case of an accident.
Granted, this is the way Microsoft forces you to act, but that isn't the point.
Malware (Score:3, Insightful)
User is in big corp behind firewall.
User receives email claiming to be something or other.
User runs attachment.
All 'doze boxes in big corp stop working.
Firewalls are (a) not the answer to all crap coding and (b) not perfect solutions even so.
Justin.
Re:Not that big of a deal (Score:4, Insightful)
Re:News? (Score:3, Insightful)
A system is only as strong as its weakest component.
If you put that on a platform level from the viewpoint of a software developer organization, it clearly means that you need to code the system in a way that an attacker sees a very low ratio of possible compromisable hosts. Relying on a feature (firewall) to fix a bug (networking code) is NOT the way to do it. That doesn't mean of course that a firewall is not useful or even quite recommended.
I think if I would claim that 10% of all windows home-user boxes are vulnerable and/or compromised then I think I was really cautious. That 10% however can fu*k up the "fun" for the rest of the 90% too.
Re:Mod parent down (Score:4, Insightful)
It's also clear that (outside of the Microsoft world) newer versions won't suffer the same vulnerability, nor will it be allowed to persist if somehow the same bug does sneak back into the codebase.
I sometimes wonder if there's a single Microsoft shill or fan with an IQ that breaks triple digits
Re:Not that big of a deal (Score:1, Insightful)
It means more than you think... (Score:3, Insightful)
So now we have Bill Gates and co. coming out and saying, "Windows is our #1 priority." Everyone feels better, because hey... Bill's on the case right?
Then, out of left-field, it turns out that Windows is vulnerable to an exploit that's practically ancient in the biz. And what if you can get through the firewall somehow? Or what if you're cruising around wireless networks on a laptop?
This kind of one-shot lockup is something from the dark ages of computing. Everyone's confidence in MS should be lowered even further.
Might as well unplug it (Score:4, Insightful)
The only way to safely run this server is to place it behind a SPI firewall. Packet filters will have a hard time detecting and blocking this kind of attack; you will need a full-blown SPI to defend and block against these attacks.
SMCs, Linksys and other consumer-level firewalls seem to be vulnerable [homenethelp.com] to this thing; the only thing that might save your server is the NAT they might provide. Of course if you are running your server on a public routable IP, then you better start thinking of running a serious setup there.
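For readers wondering what the summary's "LAND attack" actually is: a LAND packet is a TCP SYN whose source address and port are forged to equal its destination address and port, so the victim's stack ends up talking to itself. That signature lives entirely in the IP and TCP headers of one packet, so a filter does not need connection state to recognise it. The block below is an added example, not code from the story or from any of the posters, and not Microsoft's or any firewall vendor's logic: it parses raw IPv4/TCP bytes, applies the classic LAND check, and runs it over a few constructed packets (RFC 5737 documentation addresses, zero checksums, never meant to be sent). The function and field names are the example's own.

```python
import struct
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

TCP_SYN = 0x02
TCP_ACK = 0x10


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: int


def parse_ipv4_tcp(raw: bytes) -> Optional[Packet]:
    """Parse an IPv4 packet carrying TCP; return None for anything else.

    Only the fields the LAND rule needs are decoded. Checksums are ignored,
    so this is a classifier, not a full validator.
    """
    if len(raw) < 20:
        return None
    ver_ihl = raw[0]
    if ver_ihl >> 4 != 4:            # not IPv4
        return None
    ihl = (ver_ihl & 0x0F) * 4       # header length in bytes (options allowed)
    if ihl < 20 or len(raw) < ihl + 20:
        return None                  # bad IHL or no room for a TCP header
    if raw[9] != 6:                  # IP protocol number 6 == TCP
        return None
    src_ip = str(ipaddress.IPv4Address(raw[12:16]))
    dst_ip = str(ipaddress.IPv4Address(raw[16:20]))
    tcp = raw[ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]                  # CWR ECE URG ACK PSH RST SYN FIN
    return Packet(src_ip, dst_ip, src_port, dst_port, flags)


def is_land(pkt: Packet) -> bool:
    """Classic LAND signature: a bare SYN from X:p to X:p.

    A packet arriving from the wire whose source equals its own destination
    cannot be legitimate traffic, so the check needs no connection table.
    """
    return bool(
        pkt.flags & TCP_SYN
        and not pkt.flags & TCP_ACK
        and pkt.src_ip == pkt.dst_ip
        and pkt.src_port == pkt.dst_port
    )


def filter_packets(raws: List[bytes]) -> List[str]:
    """Stateless verdict per packet: 'drop' for LAND, 'pass' otherwise.

    Non-TCP or malformed packets are passed through here because this rule
    is only about LAND; a real filter would have other rules for those.
    """
    verdicts = []
    for raw in raws:
        pkt = parse_ipv4_tcp(raw)
        verdicts.append("drop" if pkt is not None and is_land(pkt) else "pass")
    return verdicts


def build_ipv4_tcp(src_ip: str, dst_ip: str, src_port: int, dst_port: int, flags: int) -> bytes:
    """Constructed sample packet: minimal IPv4 + TCP headers, checksums left at zero."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 40, 0, 0, 64, 6, 0,          # ver/IHL, TOS, len, id, frag, TTL, proto=TCP, csum
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port, 0, 0,             # ports, seq, ack
        5 << 4, flags, 8192, 0, 0,            # data offset=5 words, flags, window, csum, urg
    )
    return ip_hdr + tcp_hdr


# Constructed samples (documentation addresses from RFC 5737; never sent anywhere).
SAMPLE_LAND = build_ipv4_tcp("192.0.2.10", "192.0.2.10", 139, 139, TCP_SYN)
SAMPLE_NORMAL = build_ipv4_tcp("198.51.100.5", "192.0.2.10", 40000, 139, TCP_SYN)
SAMPLE_SYNACK = build_ipv4_tcp("192.0.2.10", "192.0.2.10", 139, 139, TCP_SYN | TCP_ACK)
SAMPLE_UDP = SAMPLE_NORMAL[:9] + b"\x11" + SAMPLE_NORMAL[10:]   # same bytes, protocol byte set to 17 (UDP)

if __name__ == "__main__":
    for name, raw in [("land", SAMPLE_LAND), ("normal", SAMPLE_NORMAL), ("synack", SAMPLE_SYNACK), ("udp", SAMPLE_UDP)]:
        print(name, filter_packets([raw])[0])
```

The point the example makes is that LAND is a single-packet anomaly: `is_land` never looks at any other packet, which is exactly what a stateless packet filter or host firewall can do. A stack that is vulnerable is one that accepts the SYN and starts a handshake with itself instead of applying the same per-packet sanity check at ingress.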
Re:Little known fact (Score:1, Insightful)
It's not good enough (Score:2, Insightful)
-- I bought this SIG on ebay.
Re:News? (Score:2, Insightful)
If you wear your seatbelt (secure your system and turn off unneeded services), you don't really need the airbag. The airbag is used as a second line of defense in case the seatbelt is ineffective.
By relying only on the airbag in your car, and not using the seatbelt, you're probably more likely to get injured if you have to stop suddenly or the car is involved in an accident.
Firewall need not be disabled (Score:2, Insightful)
Re:Only one thing though... (Score:3, Insightful)
And when some worm implementing this attack rides inside of the firewall on a laptop or some removable media and attacks from the inside?
Re:Open ports (Score:2, Insightful)
Re:News? (Score:3, Insightful)
Security patching is our last line of defence, because if you're actually getting packets to the servers, that packet has already been vetted by two different types of firewall and a number of routers.
Re:wow (Score:3, Insightful)
True, but this is like excusing someone who fits front doors after they fit a load which have no locks (and are marketed as having locks) because they're not a security company, just a front door company.
You tell them they should focus more on security than making a GUI that can be used equally well if you have perfect vision or are blind or anywhere in between.
Having recently installed Windows XP for some testing (the last version of Windows I used was Win98) I can tell you that the Windows XP interface is absolutely horrendous - Win98's was actually reasonably intuitive but I can't say the same about XP. In fact after having to set up XP I have come to the conclusion that anyone who claims XP is more user-friendly than a modern Linux distribution is sadly mistaken.
this vulnerability happened after SP2 was released.
Uh.. huh?!? This is a vulnerability that was known about in a number of operating systems and fixed in Linux in the kernel 2.0 days...
MS has been working a lot on connectivity over the last year or so with some protocol enhancements and increased IPv6 support.
Ok, I actually _use_ IPv6, both on my internal network and on the internet at large. After hearing that MS had implemented a wonderful IPv6 stack I tried it out (XP SP2)... Imagine my surprise when I found that yes, there is a wonderful shiny IPv6 stack, but it's almost completely useless since none of the standard MS services actually support IPv6 at all. That's right, you can't do any stuff like terminal services (RDP) or file sharing (SMB/CIFS), etc. over IPv6. By comparison, Linux had a good IPv6 stack in 1998 and most services now support it natively (exceptions are NFS and CUPS).
So no, I can't accept the idea that MS are slacking on security because they're at the forefront of IPv6 development since they're not even at the level Linux's IPv6 support was at 7 years ago. And even if this was a reason for them slacking on the security side, security is _the most important thing_ to have on a networked system, so it's still not an excuse.
I certainly hope you're happy with your front door that has a pretend painted-on lock.
Re:News? (Score:3, Insightful)