
Microsoft to Issue Emergency Patch For File-Sharing Hole

Posted by timothy
from the safest-version-of-windows-ever dept.
An anonymous reader writes "Microsoft said late Wednesday that it plans to release a critical security update today to plug a security hole present in all supported versions of Windows. The company hasn't released any details about the patch yet, which is expected to be pushed out at 1 p.m. PT. Normally, Redmond issues security updates on Patch Tuesday, the second Tuesday of each month. The Washington Post's Security Fix blog notes that each of the three times in the past that Microsoft has departed from its patch cycle, it was to fix some really nasty vulnerability that criminals already were exploiting to break into Windows PCs." Reader filenavigator points out an article which describes the hole as an SMB vulnerability, and says it "allows anyone to access a Windows machine remotely without any user name or password. Any machine that exposes Windows file sharing is vulnerable." Update: 10/23 17:42 GMT by T : Reader AngryDad adds a link to Microsoft's more detailed memo.
This discussion has been archived. No new comments can be posted.

  • by TrippTDF (513419) <hilandNO@SPAMgmail.com> on Thursday October 23, 2008 @01:24PM (#25484243)
    ...I don't use computers. They are too much of a security risk.
  • Let's hope (Score:5, Funny)

    by cnettel (836611) on Thursday October 23, 2008 @01:25PM (#25484267)
    Let's hope that the renewed Samba compatibility effort by MS means that this bug will be ported over.
    • Re:Let's hope (Score:5, Interesting)

      by Anonymous Coward on Thursday October 23, 2008 @01:36PM (#25484459)

      It was probably the shared Samba experience that gave them the idea on how to fix the bug.

      I don't understand how the bug works, but I know one has been around. You can find hack tools for script kiddies out there that will exploit this automagically for people. I have even used it in the past to get some files from a computer that no one knew the password to and the key to the server room was broken off in the lock making physical access impossible until a locksmith was available.

      Thankfully, the old tech (who broke the lock on his way out after resetting everyone's password) kept all the passwords in scripts that I could recover and use to change passwords to something usable. The owner of the company wanted me to testify in court to the old tech's actions and even offered me a permanent contract, I told him all I wanted was a check, I don't want anything to do with a company that pissed their old tech off that bad after 5 years of service.

    • by kesuki (321456) on Thursday October 23, 2008 @01:58PM (#25484769) Journal

      and they modded me +5 funny for 'it's a feature' http://it.slashdot.org/comments.pl?sid=130544&cid=10893558 [slashdot.org] when smbfs (now samba) had a remote execution of attacker supplied code bug.

      i am so proved right.

    • by Rhabarber (1020311) on Thursday October 23, 2008 @02:47PM (#25485507)
      ... the bug was found on one of the interoperability fests:

      Samba Guy: Hey dude, look, when I open a connection _this way_ I get strange replies. There is nothing similar in the docs ...

      MS Interoperability Officer: Sir, the protocol is just too complex. I wouldn't care. How about putting little hearts into the password dialog, I don't like the asterisks, anyway.

      Samba Guy: Dude, come on, I want to understand how the stuff works...

      MS Interoperability Officer: Sir, hmm, must be part of a proprietary, essential, internal routine framework. It's in there since ages. The software works, we make billions from it.

      Samba Guy: But what does it do? Why do you need it?

      MS Interoperability Officer: Don't know. The guy who coded it left the company.

      Samba Guy: Can't we just call him?

      MS Interoperability Officer: Don't think so. He must be cleaning his Yacht somewhere near Tanzania right now.

      Samba Guy: Well dude, then let's see what's gonna happen if I keep going on...

      MS Interoperability Officer: Sir, I'm bored. I don't like your black console anyway. It feels so 50s.

      MS Interoperability Officer: Sir, I'm in the position to offer you a free trial for Microsoft Visual Studio 2009 with Ribbon TM included.

      Samba Guy: Look dude, I just got root on your machine.

      MS Interoperability Officer: Sir, which idiot gave you my password?

      Samba Guy: No password, dude. I just opened the connection, look here ...

      Samba Guy shows 4 lines of code.

      MS Interoperability Officer: Sir, please hold on, I need to call my chief security officer.

      MS Interoperability Officer talking on the phone (next door).

      Minutes later the door is opened violently. Gates and Ballmer enter the scene guarded by five NSA officers.

      Gates: Sir, I'm sorry, you found one of the many backdoors we built into all versions of Microsoft Windows TM released after 1999. I suppose you will perfectly understand that all algorithms concerning that matter are our intellectual property which is protected by American Law.

      NSA Officer (in monotone voice): Sir, I'll now use this Neutralizer TM device to erase your memories of the last twenty-four hours. You've never been in this building and you never knew about the federal data acquisition program.

      A bright flash of light gets emitted from the little device.

      Samba Guy: Shit, my eyes. What the fuck is wrong with you guys. That code is so freaking stupid. You can't be serious...

      Another NSA Officer (in aggressive voice): Shut up criminal bastard!

      First NSA Officer (in same monotone voice): Sir, you might have consumed a critical cumulative dose of THC during adolescence. The resulting altered brain circuitry is resistant to portable neutralizer devices. I'm sorry to inform you that you're temporarily arrested under federal law.

      Samba Guy: Bull shit, you have no idea what you're talking about. Look I've got a hook running that sends every command I type on the console directly to twitter. Everybody does it, it's lots of fun. Nothing I do is secret. I believe in sharing of ideas.

      Ballmer (in rage): Motherfucking communists ... this is why fucking America is all that fucked up ... how the fuck should we ever control that fucking mob ... fuck!

      Ballmer, well, throws chairs.

      Gates (calling the still governing president of the United States): My president, sir, I'm sorry to inform you, due to certain circumstances, details concerning the federal data acquisition program might just have been leaked to the public.

      Samba Guy: Hey dude, the story is already on digg. I think you should issue a patch before it is on slashdot.

      Curtain gets drawn, applause.

      Off stage voice: Thank you ladies and gentlemen. Please don't forget to visit windowsupdates.microsoft.com
  • Maybe.. (Score:2, Funny)

    by cirrustelecom (1353617) on Thursday October 23, 2008 @01:26PM (#25484281)
    At least they didn't describe it as a MAC vulnerability
  • by Ynot_82 (1023749) on Thursday October 23, 2008 @01:27PM (#25484289)

    Those damn FOSSies can gain access to SMB shares
    Quick, patch it....

  • FREEOWW!!! (Score:2, Interesting)

    by mcgrew (92797) * on Thursday October 23, 2008 @01:33PM (#25484393) Homepage Journal

    allows anyone to access a Windows machine remotely without any user name or password. Any machine that exposes Windows file sharing is vulnerable

    Yet this comment [slashdot.org] in the "Can You Trust Anti-virus Rankings?" thread, where I noted that a dual boot with internet for linux and with networking disabled in Windows was better than AV was modded down. Of course, a lot of MSCEs and Microsoft employees come to slashdot, and I'm sure a few get mod points once in a while. No matter, my karma's fine.

    And yes, kiddies, you DO need a firewall for ANY OS and any OS is prone to trojans. But no AV will protect you against an unknown trojan OR the vuln mentioned in TFA, and no firewall will keep out someone you explicitly let in.

    <tinfoil hat>
    Some might wonder if this vuln was introduced on purpose as a weapon against the Pirate Bay? You can bet that a lot of people are uninstalling Kazaa, Morpheus, and all other legit and illegit P2P apps. Getting rid of P2P is a blow against FOSS and indie music.

  • Pretty serious (Score:5, Informative)

    by IceCreamGuy (904648) on Thursday October 23, 2008 @01:39PM (#25484483) Homepage
    I first saw this a couple days ago on the CERT bulletin, http://www.us-cert.gov/cas/bulletins/SB08-294.html [us-cert.gov], and http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4038 [nist.gov], most serious vulnerability I've ever seen up there:

    Access Vector: Network exploitable
    Access Complexity: Low
    Authentication: Not required to exploit
    Impact Type: Provides administrator access, Allows complete confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service

    In other words: any idiot on your network can gain admin access to any attached Windows-based system with file-sharing enabled. I'm really glad that they're releasing an emergency patch for this, because that's a pretty fucking crazy description of an exploit, especially since it affects all versions of their last 10 years of operating systems.

    • Re:Pretty serious (Score:5, Informative)

      by Lord Ender (156273) on Thursday October 23, 2008 @02:08PM (#25484935) Homepage

      That's not the scary part. The scary part is that this can be made into a worm which uses a service which is installed by default on almost every windows system, and does not require user interaction to exploit. It's the perfect worm-bait. It's like a von neumann machine near the galactic core.

    • Re:Pretty serious (Score:3, Informative)

      by secPM_MS (1081961) on Thursday October 23, 2008 @02:15PM (#25485061)

      Actually, it is rather more like the Zotob vuln than the Blaster vuln. It is a crit on earlier systems, but requires authenticated privileges on Vista and 2K8 server due to the implementation of the integrity level defenses in Vista and 2K8. That said, the potential for damage with this vulnerability is high and there were reports of attacks in the wild. Thus, Microsoft released out of the standard release cycle.

  • by arizwebfoot (1228544) * on Thursday October 23, 2008 @01:40PM (#25484505)
    I need to dust off my IBM Selectric III?
  • 135 (Score:4, Insightful)

    by Zebra_X (13249) on Thursday October 23, 2008 @01:40PM (#25484507)

    Has been windows' stink hole for the last 10 years. Let's hope that most people have learned they need to cover it up.

  • by ryanw (131814) on Thursday October 23, 2008 @01:42PM (#25484543)

    Microsoft has had something like this occur regularly enough that I found myself already skipping to the next story without even reading the complete heading.

    I still cannot understand why major corporations run Windows of any version in enterprise server farms. They've had so many warning signs, so many high security breaches, so many alarms, and they're still very "ho-hum" about it.

    If you read the post slowly and actually acknowledge what it says, it's saying that ever since the incarnation of Windows elite hackers from Russia (or anywhere else) have been able to steal files on any machine with no problem. The underground top hackers have exploits that they guard with top secrecy and keep in their box of tricks when nothing else "known" is working.

    Come on, seriously! No other product provider on the planet would be allowed such leniency. Microsoft never feels any repercussions of any of these incredible security holes. They don't even lose business over it! When is enough, enough????

    • by Arainach (906420) on Thursday October 23, 2008 @02:06PM (#25484903)
      Do you really believe that nothing like this exists on Mac or Linux? Not necessarily this specific exploit, but something of this severity. Neither Apple nor the various Linux/OSS developers have anywhere near the testing unit that Microsoft has to uncover these flaws, nor do they have anywhere near the level of real-world users testing their software. It's not possible to write software of this level and complexity 100% bug-free. It's a matter of how much time and testing it takes to find such bugs.
    • by jschottm (317343) on Thursday October 23, 2008 @02:18PM (#25485081)

      Microsoft has had something like this occur regularly enough that I found myself already skipping to the next story without even reading the complete heading.

      Not any more they don't. This is the first major exploit for MS in several years that will enable trivial worm creation. The last notable one was Zotob in 2005, which was really comparatively minor - the last really big one was Sasser in 2004. Thus, this is important news.

      If you read the post slowly and actually acknowledge what it says, it's saying that ever since the incarnation of Windows elite hackers from Russia (or anywhere else) have been able to steal files on any machine with no problem.

      The same thing can be said about OpenSSL, BIND, Apache, Sendmail, Samba, and pretty much every major piece of software.

      The underground top hackers have exploits that they guard with top secrecy and keep in their box of tricks when nothing else "known" is working.

      That's why people who need to worry about top hackers also need to worry about defense in depth.

      I still cannot understand why major corporations run Windows of any version in enterprise server farms.

      Because it's non-trivial to completely switch platforms. Windows gained the desktop and office software marketshare and whether you think that MS did bad things to get there is irrelevant. Computers are simply a tool to most businesses. If the vast majority of the business software you need as a tool runs on one platform, you use that platform. And you develop your specific tools, generally for that platform. Thus, to support the desktop systems, you get the servers that support them.

      And while I don't use them, the integration of the server, database, and programming environment that Microsoft provides is an incredibly good value proposition for some companies. Other than perhaps IBM, no one else can offer that level of coordination for development and server tools.

      Microsoft never feels any repercussions of any of these incredible security holes. They don't even lose business over it!

      Microsoft has invested heavily in improving their security. Vista is a far more secure piece of software than XP was. And MS has lost business over it - that's part of why Linux and OS X have been able to penetrate the professional and home computer worlds.

      I am not a Microsoft fan but your statements don't really add anything to the dialog. Mindless MS bashing does no good.

    • by dave562 (969951) on Thursday October 23, 2008 @02:21PM (#25485129) Journal

      Enough will be enough when there are viable alternatives for ALL of the functionality that Windows provides. ALL might be a bit of a stretch but not too much of one. The OSS world continues chugging along but if you look closely they are spending a lot of time recreating the wheel, or improving the wheel in ways that don't change the fact that it is still a wheel... a wheel that has been spinning for a while on the Microsoft platform. You can whine about how Microsoft sucks all day long but the harsh reality is that there are too many applications that rely on it to simply dump it.

      As an example I work at a non-profit. We have a membership/fundraising application that tracks all of the development activity for the organization. That package ties into the accounting system so that as funds are raised and budgets are projected and what have you the systems interact with each other. Another component ties into the ticketing system so that when members come to visit the box office their account details are available. Did I mention the online component that allows membership renewals and ticket sales? It sure the hell isn't running on *nix. Now that isn't because a similar program can't be written for *nix. It simply hasn't been done yet. But hey... maybe one day, all of these super duper bad Microsoft security holes will pile up to the point where there are hundreds of non-profits out there looking to come up with a million or so dollars to completely rip out their Windows foundation and replace it with a super, duper, ooper better Linux way of doing things.

      Until the cost of sticking with the status quo significantly outweighs the cost of switching to something else, the status quo will remain. Despite the flaws, Microsoft does keep getting better, although it often times seems like a one step forward, two steps back process (got Vista?). Look at this latest exploit. On Vista and Server 2008 the exploit doesn't work without popping up a warning dialogue. Obviously some group at Microsoft is forward thinking to have realized the potential for badness. If they hadn't, the dialogue box wouldn't pop up.

    • by King_TJ (85913) on Thursday October 23, 2008 @02:28PM (#25485245) Journal

      The thing is, there's really no clear measuring stick proving these vulnerabilities would be circumvented by switching to another OS.

      Microsoft OS's (especially on the desktop) are in such wide use compared to anything else, there are bound to be more people discovering and reporting flaws than in the alternatives.

      I'm definitely not a "Microsoft apologist", as anyone who knows me very well can attest. But I also think much can be said for running an OS that receives very regular security patches and fixes, vs. one that seems to primarily run via "security via obscurity".

  • It's been years since I've tried, but doesn't SMB get dropped by some / all of the major residential carriers at this point? I know AT&T was dropping port 139 last time I tried leaving a machine wide open and exposed.

    It's a nasty vulnerability and all, I'm just wondering if this could go all blaster / sasser.

  • by Drakkenmensch (1255800) on Thursday October 23, 2008 @01:57PM (#25484753)
    You know that a vulnerability is bad when Microsoft goes out of its regular patching cycle to hurry and plug the hole so quickly, instead of following their usual philosophy of saying "What are you talking about? There is no security hole in Windows!" and quietly patching it a few months later amidst a flood of innocuous driver updates.
  • by Skiron (735617) on Thursday October 23, 2008 @01:57PM (#25484759) Homepage

    And you Winders users - please DON'T forget to REBOOT after you apply this security patch (with no doubt extra luggage attached)!

    I can see 5% of the Internet blinking on/off/on/off..... {6 hours}.... on again tonight.

  • by nurb432 (527695) on Thursday October 23, 2008 @02:01PM (#25484817) Homepage Journal

    Windows, it is.

  • by xombo (628858) on Thursday October 23, 2008 @02:03PM (#25484841)

    My friends and I have known about this hole since high school. Every version of Windows with SMB has underlying, invisible, "root" accounts which cannot be removed without a great deal of diligence. These accounts have no password and give full access to the SMB share. I'm shocked that it has taken Microsoft this long to address the issue.

  • by BronsCon (927697) <social@bronstrup.com> on Thursday October 23, 2008 @02:50PM (#25485559) Journal

    Any machine that exposes Windows file sharing is vulnerable.

    When will the Ubuntu patch come out?

  • by Waffle Iron (339739) on Thursday October 23, 2008 @03:38PM (#25486441)

    ... and their "making available" theory. They could soon be raking in $Trillions in statutory damages from the public.
