Attack Code Found For Recent Windows Bug

CWmike writes "Just a day after downplaying the vulnerability that caused it to issue an out-of-cycle patch last week, Microsoft warned customers late yesterday that exploit code had gone public and was being used in additional attacks. 'We've identified the public availability of exploit code that now shows code execution for the vulnerability addressed by MS08-067,' said Mike Reavey, operations manager of Microsoft's Security Response Center, in a post to the MSRC blog. 'This exploit code has been shown to result in remote code execution on Windows Server 2003, Windows XP, and Windows 2000.'"
  • by Thundercross ( 1395865 ) on Tuesday October 28, 2008 @06:32PM (#25548377)
    Time to set Windows to automatically reboot my computer without my permission.
  • Hotpatching (Score:5, Insightful)

    by nmb3000 ( 741169 ) on Tuesday October 28, 2008 @06:37PM (#25548441) Journal

    For those interested, there was a really cool hack [nynaeve.net] of hotpatching the files and services that are affected by this exploit. The Microsoft patch isn't designed to be hotpatched, instead requiring a reboot to replace the needed files. However, by using a binary diff and DLL injection you can apply the patch on the fly without rebooting.

    I wish Microsoft would put more effort into making the official patches not require a reboot. Consumer operating systems are one thing, but rebooting Windows servers gets annoying really fast.

  • Re:Hmmm... (Score:0, Insightful)

    by Anonymous Coward on Tuesday October 28, 2008 @06:37PM (#25548443)
    There's always an excuse from the open source crowd. It's a bug in Windows, but it's always by design in an open source project.
  • Re:Hotpatching (Score:5, Insightful)

    by TubeSteak ( 669689 ) on Tuesday October 28, 2008 @06:50PM (#25548553) Journal

    However, by using a binary diff and DLL injection you can apply the patch on the fly without rebooting.

    Is that something you would want to do on a production server?
    And if you were MS, is that something you would want to support?

  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Tuesday October 28, 2008 @06:59PM (#25548649)

    This is added incentive to complete YOUR testing of this patch ASAP.

    Remember, only incompetent admins apply patches without testing them.

    In our environment, the patch would have been put into testing the day after it was released (no sense getting caught by a brown paper bag bug) and then into production NEXT Sunday.

    With a known exploit out there, we'd be getting more people to test the test systems TODAY. With the goal of putting the patch into production TOMORROW evening.

  • Re:Hmmm... (Score:2, Insightful)

    by Anonymous Coward on Tuesday October 28, 2008 @07:01PM (#25548665)

    Locks up every 5 seconds? What do you mean? What kind of computer are you using? Have you submitted a bug report?

  • Re:Hmmm... (Score:3, Insightful)

    by Anonymous Coward on Tuesday October 28, 2008 @07:07PM (#25548691)
    Seriously, Insightful?
  • by dkleinsc ( 563838 ) on Tuesday October 28, 2008 @07:11PM (#25548725) Homepage

    I'll give them credit for patching this quickly. This could have been Yet Another Windows Worm (TM) that brings all legitimate network traffic to a halt. And us Slashdotters have been after them for years for taking too long to patch things, so it would be completely hypocritical to get pissed at them for doing what we'd want them to do.

    I'll hate them for having the exploit possible in the first place, I'll hate them for requiring reboots, I'll hate them for forcing crappy software down our throats, but every once in a while they do something right.

  • by X0563511 ( 793323 ) on Tuesday October 28, 2008 @07:41PM (#25549041) Homepage Journal

    It would, but for their intentional denial of updates to "illegitimate" installations.

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Tuesday October 28, 2008 @07:44PM (#25549077)
    Comment removed based on user account deletion
  • Re:Hotpatching (Score:5, Insightful)

    by vux984 ( 928602 ) on Tuesday October 28, 2008 @07:58PM (#25549215)

    No, I've managed to have a single Linux box reach 99.999%

    "Managed to have"? You are talking about 5 9's as something that you can reach. People who demand 5 9's consider that the minimum they will accept. They don't want systems that can reach 5 9's they want systems guaranteed not to be less than 5 9's. That's a HUGE difference.

    So if we sign an SLA, how certain should I be that you can deliver 5 9's? ... From one box? Not very.

    The fact that you might 'manage it' simply isn't good enough. What happens when a piece of hardware fails? Or if an update doesn't go smoothly? With a single box you have no contingency and 5 minutes to resolve any problems and perform any updates that might be needed for the entire year.

    My point stands: anyone serious about delivering 5 9's simply isn't using a single box, because you simply can't depend on it. MAYBE you'll get 5 9's out of it, but getting 5 9's from a single box is like winning a prize from a scratch and win. It's not exactly a miracle, but it's hardly something you can rely on.

    Hell, even promising 4 9's from a single box is taking on some heavy risk. It's not hard to envision an unexpected hour of downtime on a box over the course of a year.

  • Re:Hmmm... (Score:5, Insightful)

    by Venik ( 915777 ) on Tuesday October 28, 2008 @07:59PM (#25549231)
    Why should anyone bother submitting a bug report? If it's a minor issue and I have a workaround - sure, I'll submit a bug report. But if a system is completely unusable with Ubuntu, I will better spend my time finding a working alternative. Having said that, as a Unix sysadmin I have nothing against Ubuntu, other than using it on a server is not the best idea: there are many far more stable alternatives. The problem with most Linux aficionados out there is that few of them worked in a real production environment of a big datacenter. These guys may know how to configure Apache and MySQL on their Ubuntu PC, but they don't see a difference between getting something to work and getting it to be fast and reliable under constant heavy load.
  • by Sycraft-fu ( 314770 ) on Tuesday October 28, 2008 @08:00PM (#25549259)

    You are an idiot. 5 9s gives you just 5 minutes per year of downtime. You think if something fails in a system, you can get it back up in 5 minutes? Hell no. You want reliability like that, you do it with redundant systems. Well, in that case the individual units can certainly go down. Perfectly valid strategy. You patch them whenever you feel like, making sure that only one is down at a time and that it comes back up to full operational status before you do the next one.

    A single system, well you are just rolling the dice. Sure I've seen single systems go for over a year, no crashes, no hardware faults. I've also seen plenty that have gone down. When a problem does occur, it isn't something that gets fixed in 5 minutes, or even usually in an hour (4 9s requires no more than 53 minutes down).

    In addition to that you also have to keep the idea of planned and unplanned outages separate. While in some cases, no outage is acceptable and thus the system needs to be designed to never be down, often an outage is fine, so long as it's planned. So you can take a system down every week and still have a perfect rating because you had no unplanned outages. The system was only down at specified times. That works just fine for non-critical systems in many cases.

    However if it is critical, and if it really can't ever be out at all, ever, which is more or less what 5 9s implies, then you need to have redundancy, and have it at every level. You can't have any single points of failure because the chances that you get that point fixed in time is very slim.

    So no reboot on patch isn't useful for that, because in a system with that high an availability, well it has to be redundant anyhow. More important that the patch applies properly and works (which is why you do the reboot, to eliminate potential conflicts) than that you can do it on a running system. After all, you take one part down for a couple minutes as you patch and verify, that's great your uptime is unaffected. You instead apply a hot patch to all systems, which then causes them all to crash an hour later, you are screwed because you are down.

  • by Fulcrum of Evil ( 560260 ) on Tuesday October 28, 2008 @08:20PM (#25549423)

    So, do you think I'm an incompetent admin given what I have to work with?

    Sure. You don't have a test network to at least smoke patches on or you would've said something. What happens when your SBS box barfs? How long is recovery and when's the last time you tried it?

  • Re:Hmmm... (Score:5, Insightful)

    by CrazedWalrus ( 901897 ) on Tuesday October 28, 2008 @10:55PM (#25550531) Journal

    But it does make a damn fine server. The software is reasonably up to date, the administration is dead-simple, and I'm already familiar with it from my desktops.

    I've got other things to concentrate on besides server administration -- like coding my project management and billing system, or working for my clients so I have something to bill them for. Ubuntu makes that easy for me.

    I've recently vetted Slackware, Debian (stable), and Ubuntu Server 7.04, and settled on the latter because it strikes the balance I need between stability and up to date software. You may legitimately disagree with my choice, but I have my reasons and I'm sure you have yours. Most Linuxes make great servers, so it's really choosing your favorite incarnation of "awesome."

  • Re:Hmmm... (Score:2, Insightful)

    by DiegoBravo ( 324012 ) on Tuesday October 28, 2008 @11:19PM (#25550681) Journal

    I also worked as Unix sysadmin for several years (but no longer... I love to sleep all night long) and from my experience:

    1) Most "big datacenters" have several key servers that are really unstable despite being Unix(tm), mostly because of evil combinations of HW/Applications/OS (patches and more patches from Oracle, NUMA configurations, etc)... as happens with any Linux.
    2) Most servers in datacenters are 99% idle, except when silly programmers try to execute infinite polling loops or that sort of thing. There is a myth (now banishing) that you need a real Unix of >100K$ to do the real work; think of the price of Sun's.

    So apart from their trash PC hardware, I believe those kids with LAMP systems do really know a bit on stability and heavy load (think of /.)

  • Re:Hotpatching (Score:3, Insightful)

    by tlhIngan ( 30335 ) <[ten.frow] [ta] [todhsals]> on Tuesday October 28, 2008 @11:43PM (#25550797)

    What would be smart for Windows to do is to not randomly reboot. For example, I was asked to run a PowerPoint presentation at a funeral. No problems there, except the laptop was running Vista, midway through the presentation the computer showed "Logging Off" and the computer rebooted. Naturally, there wasn't anything I could do about it, I rebooted the thing and it ran mostly smoothly the rest of the way, but seriously MS, by default don't reboot I don't care if it's a patch that if not applied it can turn your computer into a script kiddy's toy, I care that my computer doesn't randomly shut down (but then again, I run Linux :))

    Upgrade your software. Seriously, if you're a business, you shouldn't be using Home versions of the software.

    The HOME versions of XP and Vista (XP Home, Vista Home Basic, Vista Home Premium) do this automatically. Supposedly there's a way around it with some registry hacking, but I've never bothered. You get around 5 minutes from when the dialog pops up to hit the "Reboot later" button, which just silences it for another 5 minutes.

    Windows XP Pro, Vista Business, Vista Enterprise, and Vista Ultimate pop up a dialog asking you to reboot, but they won't force the nasty cannot-save-force-quits-everything reboot. Considering what you get, the only reason to use the Home versions for work is if work is too cheap to get you a laptop and you use your own. The price difference between Home Premium and Business isn't that much, and will be made up in not having your computer reboot unexpectedly on you.

  • by DavidD_CA ( 750156 ) on Wednesday October 29, 2008 @01:20AM (#25551315) Homepage

    I'm sorry... downplayed?

    Is there any admin in the world that didn't get the message that this was kinda sorta urgent?

    This was the first time in four (?) years that Microsoft went out-of-cycle on their patches. That alone got attention, and would hardly be considered "downplayed".

    Every stinkin' newsletter I got last week all mentioned it. Vendors mentioned it. Slashdot mentioned it a dozen times. And Microsoft sent out many many bulletins.

    What would it take to satisfy the submitter's requirements for sufficient attention? CDs mailed out via FedEx Next Day to every registered owner of Windows?

    Perhaps the real downplaying is what Slashdot tends to do whenever a Linux-related bug is found.

  • Re:Hmmm... (Score:3, Insightful)

    by Splab ( 574204 ) on Wednesday October 29, 2008 @07:16AM (#25552721)

    Yeah, blame it on closed source.

    You probably need to get some counseling on your fetish for open source when you, with absolutely no evidence of restricted drivers even being present on said system, start blaming them.

  • Re:Hmmm... (Score:2, Insightful)

    by fprintf ( 82740 ) on Wednesday October 29, 2008 @08:34AM (#25553175) Journal

    "XXXX has ruined Linux" is what they said when RedHat was king of the distros, when SuSE YAST made setting up a Linux box a snap, when Mandrake was getting popular and folks will continue to do so.

    If you feel it is time to install FreeBSD or OpenSolaris, go ahead. No one is stopping you, and there is no need to cry to the rest of us about your ruined Linux.

  • Re:Hmmm... (Score:2, Insightful)

    by CheShACat ( 999169 ) on Wednesday October 29, 2008 @10:40AM (#25554769) Homepage Journal
    I really don't understand this "n00buntu" mentality. There's nothing stopping you from manually installing Ubuntu by bootstrapping your disks and installing minimal packages then building your own sleek build on top. There's nothing stopping you from doing all your setup and administration in vi. There's nothing stopping you from compiling your kernel and all your apps from source.... You just don't have to, and you get to take advantage of the largest package repos in the Linux world at the minute (I think, but am prepared to be corrected...), and use an enterprise class, business supported Debian OS for free.
