Microsoft's "Dead Cow" Patch Was 7 Years In the Making

narramissic writes "Back in March 2001, a hacker named Josh Buchbinder (a.k.a Sir Dystic) published code showing how an attack on a flaw in Microsoft's SMB (Server Message Block) service worked. Or maybe the flaw was first disclosed at Defcon 2000, by Veracode Chief Scientist Christien Rioux (a.k.a. Dildog). It was so long ago, memory is dim. Either way, it has taken Microsoft an unusually long time to fix. Now, a mere seven and a half years later, Microsoft has released a patch. 'I've been holding my breath since 2001 for this patch,' said Shavlik Technologies CTO Eric Schultze, in an e-mailed statement. Buchbinder's attack, called a SMB relay attack, 'showed how easy it was to take control of a remote machine without knowing the password,' he said."

Re:SMB?

[corsec67]

SMB [wikipedia.org] is used by Windows for file/printer sharing.

Re:SMB?

[eln]

http://en.wikipedia.org/wiki/Server_Message_Block [wikipedia.org]

Also,

http://justfuckinggoogleit.com/ [justfuckinggoogleit.com]

Re:I forget...

[spacerog]

According to Google, 1997. Yeah, over a decade ago.

CIFS: Common Insecurities Fail Scrutiny [ussrback.com]

- SR

Re:Windows Server Admin? On Slashdot? Are you kidd

[HerculesMO]

I do.

You can make fun of me :)

That said, if you have a Linksys firewall in place, it usually takes care of the issue. Granted the attacks you'll get internally *can* happen, but we have managed to circumvent SMB exploitation via policy settings in Windows. It works fine for us, nice to see they finally patched it though.

Re:SMB?

[corsec67]

http://en.wikipedia.org/wiki/Cult_of_the_Dead_Cow [wikipedia.org]
and
http://en.wikipedia.org/wiki/SMBRelay [wikipedia.org]

Re:C2MyAzz

[Anonymous Coward]

Actually, it was originally released in 1997 http://www.security-express.com/archives/ntbugtraq/1998/msg00512.html [security-express.com]

Re:SMB?

[Anonymous Coward]

Cult of the Dead Cow, probably. Oldskool hacker group, probably most famous for the Back Orifice trojan^W remote administration utility.

Re:Does anyone use this OS any more?

[stevied]

I've hacked an interesting little solution together for my household, which I'm sure would scale. I've been using Linux for about 13 years, and have forgotten more tricks than most people know. Over that time I've done a certain amount with Windows, too, but the lack of a rich toolset and open / free documentation and source always put me off spending too much time on it. I understand things are a bit better now on those fronts, but I chose where to invest my time ages ago. I've certainly not bothered about keeping up to speed, have no experience with Vista, Office, 2007, etc.

Anyway .. I have to provide a Windows environment for a family member who's really not up to learning anything new. I wanted to be able to manage it, secure it, control changes to the configuration, etc., etc., and eventually hit on the idea of just running XP inside VBox on Ubuntu. It starts automatically, changes to the main Windows partition are discarded on each shutdown, and I can do all my management with ssh (and occasionally rdesktop if I need to actually fiddle with Windows, which is rare.) Performance is fine even on old hardware.

Virtualization on the server is obviously mainstream now, and I guess many users are running virtualization software themselves to provide access to apps on other platforms and run old software. I haven't seen much about using virtualization as a platform for managed desktops though, and I reckon it has some advantages: moving images between machines when hardware fails or users move departments; change control; configuration testing, etc., etc. Knowing you've got the exact same disk image in use on a herd of workstations, regardless of hardware, seems like a good thing for peace of mind ..

Re:Does anyone use this OS any more?

[Tubal-Cain]

One thing is for sure, though. I don't want to make an 'Impress' presentation and send it to a client unless I'm sure they are going to be able to open it in Powerpoint.

It may give you peace of mind to know that MS released the specs on their binary formats [slashdot.org] in late June, so the OOo team had about 2.5 months to fix their implementations in version 3. If they didn't manage that, they should have them in the next release.

Way overhyped ... only applies to deprecated OSes

[laughingskeptic]

If you look at
http://support.microsoft.com/kb/q147706/ [microsoft.com]
You will see that the affected operating systems are old and that Microsoft long ago told people how to configure their systems to avoid this issue.

• Microsoft Windows NT Server 4.0, Terminal Server Edition
• Microsoft Windows NT Workstation 3.51
• Microsoft Windows NT Workstation 4.0 Developer Edition
• Microsoft Windows NT Server 3.51
• Microsoft Windows NT Server 4.0 Standard Edition
• Microsoft LAN Manager 4.2 Standard Edition
• Microsoft Windows for Workgroups 3.2
• Microsoft Windows 95

Re:Does anyone use this OS any more?

[benjymouse]

You could have just used Windows SteadyState [microsoft.com] Hint: Can revert harddisks state at each reboot while still allowing windows update to run and make persistent changes, can leverage much of the same policies (restrictions) Windows allows in a domain, but without the central AD. Among other things.

Re:Does anyone use this OS any more?

[HerculesMO]

We didn't initiate the survey (it comes from a third party, and we don't know when it goes out), but it was about your user experience, what problems you have, how quickly they are resolved, that kind of thing.

Given the 'marks' our department gets consistently, and the bonus *I* get as a result afterwards, I am going to assume that I'm doing okay. Besides, I'm one of the few sysadmins that puts my name out 'in the wild' for the business users to get a hold of me. I don't answer helpdesk calls, but at least people know who's running the systems they are on, and who can help them if there's an issue.