
Microsoft's "Dead Cow" Patch Was 7 Years In the Making

narramissic writes "Back in March 2001, a hacker named Josh Buchbinder (a.k.a. Sir Dystic) published code showing how an attack on a flaw in Microsoft's SMB (Server Message Block) service worked. Or maybe the flaw was first disclosed at Defcon 2000, by Veracode Chief Scientist Christien Rioux (a.k.a. Dildog). It was so long ago, memory is dim. Either way, it has taken Microsoft an unusually long time to fix. Now, a mere seven and a half years later, Microsoft has released a patch. 'I've been holding my breath since 2001 for this patch,' said Shavlik Technologies CTO Eric Schultze, in an e-mailed statement. Buchbinder's attack, called a SMB relay attack, 'showed how easy it was to take control of a remote machine without knowing the password,' he said."
  • by girlintraining ( 1395911 ) on Wednesday November 12, 2008 @04:19PM (#25738043)

    It's always been easy to take control of a machine without the password. Sit down in front of the computer. Now the only thing stopping you is yourself. Oddly enough, that's what keeps most systems up... The fact that the vast majority of people are honest, decent folk. That, and they don't know what a null pointer is.

  • by Sancho ( 17056 ) * on Wednesday November 12, 2008 @04:27PM (#25738171) Homepage

    Of course, if the OS is fighting you all the way while you're trying to work with the software, that's a problem.

  • by 140Mandak262Jamuna ( 970587 ) on Wednesday November 12, 2008 @04:31PM (#25738241) Journal
    From the article: To make matters worse, the SMB flaw was already publicly disclosed prior to Tuesday's updates, Microsoft said.

    What made it worse? Taking 8 years to fix it or disclosing it before the patch was released?

    Further, it is not a bug at all. It is essentially a badly designed protocol having a hole, and instead of abandoning it and making users upgrade, MSFT left this hole open for 8 years. All in the name of backward compatibility. Why has backward compatibility trumped security for 8 years? It's not surprising no one takes MSFT's statements about its commitment to security seriously.

  • by Beelzebud ( 1361137 ) on Wednesday November 12, 2008 @04:32PM (#25738253)
    How many people were actually a victim of this exploit? Is there one documented case of an electronic break-in because of this exploit?
  • by HerculesMO ( 693085 ) on Wednesday November 12, 2008 @04:33PM (#25738261)

    From my experience, the Linux folks that try to work in Windows just simply don't know WTF they are doing.

    Likewise, Windows Admins who work in Linux don't know either.

    It's always easy to curse the platform if you don't have the knowledge. I've built stable environments out of Windows and out of Linux, and they all serve their purpose with perfectly fine uptime. Just a different delivery platform for different things.

  • Re:port 139 (Score:4, Insightful)

    by adamruck ( 638131 ) on Wednesday November 12, 2008 @04:39PM (#25738329)

    If you still want that service just run it over a vpn.

  • Re:SMB? (Score:2, Insightful)

    by Anonymous Coward on Wednesday November 12, 2008 @04:39PM (#25738343)
    Windows file sharing is far, far more sophisticated than other file sharing solutions that work out-of-the-box in various operating systems. NTFS provides a level of detail and control over permissions that is unsurpassed, and its integration with Active Directory makes other services look like a joke.

    Samba's primary weakness is that it doesn't run on a Windows file system.
  • by qoncept ( 599709 ) on Wednesday November 12, 2008 @04:39PM (#25738347) Homepage
    If you've used Windows in a corporate environment and still feel that way, there is something wrong with your organization. I've been with my current company for just over a year now and yesterday I called the help desk for my first Windows related problem. It's stable, period. Now, all the antivirus, security, firewall etc they install makes the thing so slow it's awful to use, but that's beside the point.

    One thing is for sure, though. I don't want to make an 'Impress' presentation and send it to a client unless I'm sure they are going to be able to open it in Powerpoint.
  • by Sancho ( 17056 ) * on Wednesday November 12, 2008 @04:40PM (#25738351) Homepage

    I'm not specifically referring to tasks which are "hard to do" in the OS--I'm referring to the incessant stream of vulnerabilities in various components that makes working with Windows a virtual minefield.

  • by UnknowingFool ( 672806 ) on Wednesday November 12, 2008 @04:43PM (#25738385)

    From the article: To make matters worse, the SMB flaw was already publicly disclosed prior to Tuesday's updates, Microsoft said.
    What made it worse? Taking 8 years to fix it or disclosing it before the patch was released?

    This is MS modus operandi. You know all those MS based studies that say that MS fixes bugs faster than Linux. Well we never really believed them but they are technically true. See MS only counts the time between when they publicly disclose a bug and when they patch it. They don't count the time between when they find or are informed of the bug. With Linux people the whole process is more transparent. When bugs are discovered in Linux, they are almost disclosed at the same time. So this 8 year old bug will appear on all MS studies as only taking a few days rather than 8 years.

  • by tbannist ( 230135 ) on Wednesday November 12, 2008 @04:54PM (#25738547)

    Actually, I thought that was specifically the point. If people hate using their computer, then you're doing something wrong.

    It's about getting the job done, but Microsoft has consistently been the roadblock. Microsoft is the barrier to compatibility. They're the roadblock to having everything "just work". The Windows monopoly has to end before we can move forward again.

  • by Duckie01 ( 10586 ) on Wednesday November 12, 2008 @05:07PM (#25738683)

    If you've used Windows in a corporate environment and still feel that way, there is something wrong with your organization. I've been with my current company for just over a year now and yesterday I called the help desk for my first Windows related problem.

    Perhaps the gp was on the other end of the line, dealing with the nightmare to keep the rest of the organization including you, clear from it. In other words, your experience with your office desktop computer might say more about the quality of the IT department that installed the OS than about the flaws in the installed OS.

    It's stable, period. Now, all the antivirus, security, firewall etc they install makes the thing so slow it's awful to use, but that's beside the point.

    No, that is *not* beside the point. You see, if you *need* to bog down your OS with third party software to keep it working reliably at all, I'd say that the flaws in this OS are exactly what causes your pc to slow down to the point that it's awful to use.

    One thing is for sure, though. I don't want to make an 'Impress' presentation and send it to a client unless I'm sure they are going to be able to open it in Powerpoint.

    Yeah or in something else they might have, like Impress ;) I actually don't know Impress, btw. But I get your point.

  • by HerculesMO ( 693085 ) on Wednesday November 12, 2008 @05:14PM (#25738781)

    In the 7 years as a Windows Sysadmin I've seen my job getting easier and easier by taking a few proactive steps to corporate use of Windows.

    For server use, it's perfectly fine. I have a Windows file cluster running over a year without any downtime, but we've taken cluster members offline for patches in turn, and failed back to the alternate which is a net of 0 downtime.

    We use strict policies on the desktop, and don't allow users to do things that are going to cause problems. Mostly, this includes *not* giving them administrative rights, though we do delegate some things out.

    It's like any other system. The problem is that Windows is so large an ecosystem, and so many folks that 'represent' Windows sysadmins pretty much suck at their job, or are MCSEs on paper and not in practice, then it does a disservice to what I feel is a perfectly fine OS for daily use, and corporate use. I have no 'virtual minefield' because I know my business well, I know my job well, and I perform well in bringing harmony between them (the business and the IT use).

    It's like ANY system (*nix included), because if you have an incompetent sysadmin, you will have problems on your domain and infrastructure. If you have a competent sysadmin, you won't see anything wrong. Our users are largely very happy, and that's done by internal auditing (mandatory surveys, as we represent 19000 employees country wide), and consistently the 2500+ userbase I work with and for rank me highest of the family of companies I work for in their satisfaction in their computing needs.

    Again, it's not the platform at fault, it's the admins around it. If you feel Windows is a virtual mine field then it may indicate your talents lie elsewhere (*nix), and as such should keep to the business you know, rather than tell folks who run Windows successfully that they have inherent problems at hand they aren't aware of.

  • by HerculesMO ( 693085 ) on Wednesday November 12, 2008 @05:33PM (#25738997)

    It wasn't meant in seriousness, but if you want to take it and run, feel free.

    Just meant that any port blocking software or hardware (as simple AS a Linksys firewall) prevents this from being anything of an issue.

    Hell, even Windows built-in firewall will do the trick.

  • by Cowmonaut ( 989226 ) on Wednesday November 12, 2008 @05:54PM (#25739283)
    How, HOW is this Flamebait? I happen to like Vista as well, now that SP1 is out and the majority of my driver issues are resolved. In fact, literally the only issue I have with my system currently is a VERY small sector on my hard drive or bad memory space on a single stick. I'm not sure which, I occasionally (3 times a month) blue screen due to an issue relating to one or the other. For all I know, it's really my motherboard since memtest and SMART test my hardware fine.

    Just because YOU don't like Vista doesn't mean others don't. On my desktop I happen to think my system runs smoother and faster and is easier to fix than with XP. To each his own, like several other +5 Insightful in this thread have mentioned...

  • by malkavian ( 9512 ) on Wednesday November 12, 2008 @05:58PM (#25739343)

    Hear hear. I've been running UNIX and Windows in admin capacity since the early '90s. The biggest problem I've seen at the moment is caused by marketing. Microsoft just refuse to stop advertising Windows servers as being so simple the cat could administer it.
    With that message on the table, HR departments get the idea that all it then takes to administer servers is one cat and a magic wand. So they create low paid jobs for 'admins' that don't actually know much about administration (as it's so easy, who actually needs skills in it 'eh?).
    UNIX tends to get better results overall, largely because it's seen as a skilled job. They pay the money, they require that you know what you're doing.
    Where you get admins that know the detail on Windows to the depth that UNIX gurus know UNIX, comparable results are obtained.

    Now, if only Microsoft would stop telling suits that all they need to administer Windows is someone with one finger and half a brain, then the rep. of Windows would increase dramatically. However, there's money to be made today by churning out an MCSE who two weeks ago didn't know what the power cable plugged into. Who cares about the future of the platform when you can advertise tomorrow with a new glossy pamphlet, and make money today? Well, apart from the people who really understand system administration, and hey, what do they know?

  • by HerculesMO ( 693085 ) on Wednesday November 12, 2008 @06:08PM (#25739489)

    There is something to be said about *nix platforms always championed by the 'geeks'. Windows is GUI based to be sure, but there are behind the scenes things (registry, hosts files, policies, clustering, etc) that are not as intuitive as people think they may be. That's also where a LOT of problems occur, and cause the BSODs and other things that the *nix fans love to jump at.

    I'm not really a proponent of Windows, or Unix. I am a proponent of *getting things done*. Now whether I find *nix to do a job better, faster, cheaper, or Windows, that's the platform I'll do it off of. More often than not, it's actually cheaper (in terms of FTE billing) to do the job in Windows. It's not universally true, but it holds true in a lot of client/server applications.

    As far as Microsoft advertising Windows to be more hard to use -- I don't know... I think people who use Windows and are 'sysadmins' (and I use quotes on that on purpose) are the ones who will continue to delude themselves that they can 'figure it out' without any study or knowledge. The amount of reading I've done on the ability to edit active directory is insane, and unexpected from me before I actually scratched the surface. And it's the same idiot sysadmins who try the same thing in 'figuring it out' and wreak havoc for the entire organization.

  • by Thaelon ( 250687 ) on Wednesday November 12, 2008 @07:33PM (#25740603)

    What format was that survey in?

    I recently had the opportunity to design a survey. And preemptively learned from the mistakes at UPS [surveycompany.com].

    We started out with a ton of questions we thought were good, then scrapped the idea and asked three open ended questions with big free form text fields.

    Another group went ahead and asked a bunch of continuum and multiple choice questions.

    In their survey everything looked peachy.

    In ours (the freeform one) results were considerably less favorable, and considerably more useful.

    Usefulness can be lost especially easily when you simply boil the continuum questions down to percentages. What if that mere fraction of a percentage of your employees that are extremely dissatisfied are crucial to its function? Or if you didn't ask the right questions?

    It's really easy to create a survey that tells you absolutely nothing useful.

  • by dildog ( 128835 ) on Wednesday November 12, 2008 @08:21PM (#25741095) Homepage

    I've posted on the Veracode Blog [veracode.com] about this issue for clarification purposes.

    Here's the content:

    With regard to the recent Patch Tuesday fix, there has been an issue fixed regarding NTLM Relaying, that has been around for more than eight years.

    In 2000, I wrote an advisory about NTLM relaying (CVE-2000-0834). The problem turned out to be significantly larger than I originally suggested in the advisory. The attack extended to other NTLM-based authentications on other protocols and allowed general-purpose credential theft via a man-in-the-middle attack.

    The SMBRelay tool was published in 2001 by Sir Dystic of Cult Of The Dead Cow, and that really took it to the next level. The protocol completely fell apart. It kicked off a number of other analyses of the NTLM protocol that finally resulted in this patch. Eight years after its discovery.

    At least they got around to it. Thanks!

    --chris

    (Buy my house! http://tinyurl.com/dilshouse [tinyurl.com])

  • by kwabbles ( 259554 ) on Wednesday November 12, 2008 @09:12PM (#25741561)

    My #1 beef with Microsoft is that they market it so that every small to medium business owner thinks that everything will all run together happily on one box all "plug-n-play" and snuggly whirring away on the floor of their office closet.

    I have the hardest time convincing users that they cannot run their 20-user network on one SBS 2003 server, with Exchange (running OWA and OMA), running their heavily-accessed SQL database, sharepoint, anti-virus server software, backup software, and company file and printer sharing to 5 multi-function copiers and expect 5 9's of freaking uptime.

    This is how it is marketed. This is what the end user expects when shopping for a Microsoft solution. You tell them that they'll need at least 3 separate boxes, Server, Exchange, SQL, etc all separate, RAID and ideally a failover system and an excellent firewall for the remote access they look at you like you're nuts. So they buy it and have it set up their way, it works like hell for a year, then they end up paying in the end to have it done again the right way (and more this time, because they have to now migrate off of their old system).

    And the Microsoft money machine chugs on.