Yet Another Critical Windows Flaw 511
Dynamoo writes "Microsoft released yesterday a whole bunch of critical security updates. Out of these, MS03-043 is a flaw in the Windows Messenger Service (not MSN Messenger) with the possibility of a remote attacker gaining complete control of a Windows NT/2000/XP/2003 based PC remotely. If this sounds like another possible vector for a worm to spread, you'd probably be right. Microsoft's recommendation is to 'disable the Messenger Service immediately and evaluate their need to deploy the patch'. Of course a firewall will offer some protection but shouldn't be relied on. At least administrators can disable the Messenger Service remotely. Of course this is another headache for admins still patching for last month's RPC flaw."
Call to worm developers!! (Score:2, Funny)
You can for instance, delete necessary files for Internet connection... in this case Microsoft will be in a *real* shit if nobody can connect the internet to download patches!
They'll maybe have to send MILLIONS of CD by mail!
Therefore, people will be *really* annoyed and may think it's time to switch to another more reliable OS.
Guantanamo Bay awaits you!! (Score:2)
Re:Call to worm developers!! (Score:2, Flamebait)
Therefore, people will be *really* annoyed and may think it's time to switch to another more reliable OS.
You're the reason people think like this [overclockers.com].
You stupid prick, you think writing worms is a good way to get people to switch to a "more reliable OS"??!?? Do you realize how fucked up that is? Do you realize that its people like you who are keeping people away from Linux?
Its the stupid shits like you wh
Re:Call to worm developers!! (Score:2)
As fun as this is, better things could be done.
Modify the hosts file, so that whenever something requests microsoft.com or windowsupdate.com or windowsupdate.microsoft.com they get redirected to apple.com or maybe a fake wind
Re:Call to worm developers!! (Score:2)
Bias (Score:2)
Of course not. And you won't see it reported, either. Because Slashdot is biased against Microsoft and wants your page hits.
I dare you to argue otherwise, because it's just too obvious.
Re:Call to worm developers!! (Score:2)
Windows SUS (Score:5, Informative)
It's useful.
Re:Windows SUS (Score:2)
As a small to medium charity, we can't afford an individual machine just to push out patches to our workstations.
For people in the same situation, done right, group policies can be very useful... I'm using them here to push out system patches to our machines.
Re:Windows SUS (Score:2)
I tried using group policies to push out patches, but it is such a pain to do and keep up with. I think that if you tried SUS on your domain controller, you would be happy with it.
Th
Re:Windows SUS (Score:2)
We've got a single server here running 2000 SBS, which is the PDC, Exchange server, and file server for a few hundred users.
Once I persuade management to get another server to take the load of the current one I'll definately take a serious look at SUS though.
Re:Windows SUS (Score:2)
The SUS specs are preposterous - they are for machines with thousands of clients. SUS is really just an IIS web site that serves up a couple megs at a time, so damn near anything ought to be able to do it. If you plan on deploying service packs through it, you might need more horsepower. I do SP's via group policy.
Re:Windows SUS (Score:2)
Re:Windows SUS (Score:2)
Re:Windows SUS (Score:5, Insightful)
- Bad patch verification. Like WindowsUpdate, SUS relies on a registry entry to check sucessful installation of patches. As many admins have discovered over the past few months, this method of patch verification is highly flawed and results in many, many cases of false-negatives when searching for vulnerable workstations.
- OS patches only. SUS does OS patches. Great. Now what about Office, which is also installed on every desktop in our company?
- Patch reliability. Even if SUS was vastly improved, the sad fact of the matter is that MS patches are still capable of doing severe damage to the target system. It's not like there are no past examples of patches and/or service-packs f$*king up machines. Until the patching process becomes not only dead easy, but also bulletproof RELIABLE, servers (esp. critical infrastructure machines) will continue to need manual patching. Considering many larger companies can have hundreds of servers across the organisation, it becomes one hugeass timesink.
- Other pitfalls. There are many, MANY other options missing that would make life for administrators much easier - such as forcing reboots for patched machines, the ability to stagger deployement using only one SUS server (by using, say, MAC addresses or NetBT/DNS hostnames), the ability to detect mobile users (via a configurable registry setting on the client end) and *force* them to patch immediately upon connecting to the LAN based upon past percentage hit-rate for sucessful patching (i.e. machine was turned on and conneted to LAN) at the regular scheduled time
SUS is nice to have, but it's certainly not set-and-forget as it SHOULD be - at least on the client end of things. There is a long way to go with SUS before it begins to approach something that makes a significant impact on the nightmare that is Microsoft patching. But of course the problem with hoping SUS gets better is that SMS and MOM exist... and unlike SUS, neither of those are free.Re:Windows SUS (Score:2)
If your clients are 2K SP3/4 and XP SP1 all you need to do is configure them via policies to use your SUS server for updates. Or you can do it manually: in Win 2K its in the Control Panel under "Automatic Updates", in XP right-click "My Computer" and choose the "Automatic Updates" tab.
Re:Windows SUS (Score:3, Informative)
Read this over and be sure that you understand what it does before you try it, better yet see if you can find it independently. Applying a registry patch from
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W i ndows\WindowsUpdate]
"WUServer"="http://your.server.com"
"WUStatusServer"="http://your.server.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wi ndows\WindowsUpdate\AU]
"Res
Re:Windows SUS (Score:2)
If you're talking ab
Not a surprise (Score:2)
On top of that, there is the prevailing attitude at microsoft that a quick sale for ease of use is better than a later sale with security. Until now that approach has always left them in the money.
I'm hoping that the level of attacks that we have seen in the last few months will finally produce the uprising against this "quick release"
Slashdot Moderation (Score:2, Insightful)
Hey what's the deal with slashdot moderation? I used to read at +5 but now there're barely any comments there. I know this is offtopic, but did I miss a story about major changes or something?
Re:Slashdot Moderation (Score:5, Informative)
Which means that mod points aren't being given to as many people, which means there's less around to take things to +5.
More details in Taco's Journal [slashdot.org].
Re:Slashdot Moderation (OT) (Score:3, Insightful)
And once again (Score:2)
Why is This Reported Now? (Score:2)
Excuse me, Sir... (Score:2, Funny)
Could I get your IP address please?
I love Win2K, but... (Score:2)
I think I'll just go back to Windows 3.1 on all my machines, that will solve all these problems I'm having with new operating systems.
Re:I love Win2K, but... (Score:2)
(and learn how to type... "not to mention it's a fulltime job in itself")
New Popup Message (Score:2)
Makes me glad I have a firewall between me and the internet (even at home for my LAN). I didn't even know about all the Popup spam until an article came around talking about it. It just hadn't been an issue. Yes, its better to be informed than clueless, but a decent firewall is still a help
Causes new problems? (Score:2)
Ahh... I'm On to Them (Score:2)
Re:Ahh... I'm On to Them (Score:2)
Re:Ahh... I'm On to Them (Score:2)
Re:Ahh... I'm On to Them (Score:2)
Re:Ahh... I'm On to Them (Score:2)
That's a good solution for home or small office users, but it doesn't scale that well for larger sites. As soon as you have a more than a few dozen workstations, having each one pull down the updates from the Internet causes an unacceptable amount of network traffic (maybe it's OK in the US where bandwidth is cheap, but here in Europe out Internet pipes tend to be a bit more frugal). Also, no sane person wants to use this solution for servers, where applying untested updates can have catastrophic conseque
Writing a worm would probably be less successful (Score:2)
I know every machine I fixed during the blaster worm's reign had its default firewall turned on.
RPC worm (welcha!) (Score:5, Interesting)
Now, getting rid of the worm is annoying, but is easily done. Can you imagine however, the chaos if the author of the worm also put nasty bios flashing code into it... Millions of PC would be heading for the dumpsta! Shops/busnesses/transport/universitys would all end up grinding to a halt, The economy would be up shit creak, and for a few weeks anyhow there would be a huge shortage of PC's through people panic buying new units - hardware prices would sore.... (good time to buy Dell stock maybe?)
Tony.
Re:RPC worm (welcha!) (Score:2)
Hate to use the topic, but "Me too" :-) This happened to me yesterday, but with XP.
Re:RPC worm (welcha!) (Score:3, Insightful)
So I installed W2k for a friend a few days ago - Connected to the internet to get the RPC patch, and got infected with this work in under a minute - Not even time to get the update!...
And that's why you should have installed a software firewall, such as ZoneAlarm, from CD before connecting to the internet
While you're at it install a decent browser and e-mail client from the same CD before your friend has a chance to start using IE and Outlook (Express).
Re:RPC worm (welcha!) (Score:3, Insightful)
Virtually every BIOS has protection against this since the CIH days (doesn't mean people enable it, but its there). Furthermore, instead of throwing away a PC with a flashed BIOS, you can give it to me. It won't cost me more than $5 to get it fixed!
I agree that these flaws are bad, but no need to make it worse than it already is.
So I installed
Re:RPC worm (Secure the perimeter) (Score:2)
Re:RPC worm (welcha!) (Score:2)
But I Can't Disable Messenger Service! (Score:2)
Messenger is such a valuable service to me... how can I live without it?
News is even worse than reported. (Score:2)
That RPC flaw, patched twice so far, is actually still vulnerable. That's right the RPC service will require a third patch.
Security experts have discovered that a vulnerability still exists in the Microsoft RPC service. Furthermore, an exploit has been developed as a proof of concept. The results have been reported to Microsoft but, as yet they have not responded publicly. So, be on the look out for yet another RPC s
In other news (Score:4, Funny)
Getting users to actually peform updates when they don't have the ability to tell the diffrence between the diffrent products has proven to be most troublesome to Microsoft.
This flaw was noticed by technical support when users asked for assistance with "outlook" not knowing that "express" was a diffrent product. Not to speak of the diffrences between Windows Explorer, Microsoft Explorer, and the new hardly ever works MSN explorer.
"The idea that users know the diffrence between Windows, Microsoft, and MSN is ridiculous" --- typical power user.
A new convention is required based on the following facts
Windows - the operating system side of things
Microsoft - the software side of things, stuff you actually use
MSN - the ISP side of things, fluffy click shit that causes your computer to crash and burn.
Renaming should be as follows
Dont touch me crap - reserved for operating system level software
Play with me crap - the software you typicaly get to do stuff
Can't do crap - the stuff internet related that never works right
Now saying that there are patches for the "don't touch me crap messenger" has some meaning to the average user, vs their "Can't do crap Messenger" product.
This message was brought to you by Microsoft Crap, where did your document go today?
Re:In other news (Score:2)
I'm surprised they aren't called MSN Messenger Explorer and Windows Messenger Explorer.
Messenger (Score:2)
Good advice. This service has been abused for many years now by spammers, and now the posibility of a worm using it.
I wonder who/where at Microsoft considered it a good idea to enable this service by default and to allow connections from everywhere. Has anyone out there actually used it?
Re:Messenger (Score:2)
Re:Messenger (Score:2)
Yes, I know at least two companies that used it rather frequently. In both cases, they would use it for batch-completion notifications and things like that.
That all said, I hate it and it seems like a prime candidate for abuse in various forms. Obviously.
funny disable MSN setrvice (Score:2)
oh that is right Bil lgates doesn;t trust us lowly users..
Re:funny disable MSN setrvice (Score:2)
Exchange Admins (Score:2)
I'm currently paying $250 so Microsoft can tell us if this is the correct behavior (oh, the humor), after asking them last night if all patches were approved for a Windows Server 2003/Exchange 2003 environment, and them telling me yes.
I know I'm in the minority for not using sendmail, but I am of the opinion that these patches may damage y
Re:Exchange Admins (Score:2)
not using sendmail
sendmail has built up at least as much of a legend for insecurity as Exchange, probably also amplified by its wide deployment.
Security in depth helps, though.
Sendmail costs nothing but a little time to install, but adds another layer to your corporate email system, one which can be used to handily filter crap that is bad for Windows systems. MyCorp has used both Exchange and sendmail for years. Performance of sendmail on piece of crap hardware is impressive, especially compared with E
Average Joe is why this is really bad (Score:5, Interesting)
It is time for MS to immediately change the default shipping configuration of XP to turn every service off by default because no desktop should be listening on any tcp by default. If that means they need to recall and replace all the master disks that they license to OEMs, then they need to do it. They need to have every major retail outlet yank all the shrink-wrap boxes and replace them with new one with secure default configurations. MS is sitting on $46 million in cash, so they can easily afford this expense as chump change. It just a question of whether they are willing to admit fault and buck up for failing their customers or if they are too greedy to spend some of their hoarded wealth.
Correction... $46 Billion.. not $46 Million (Score:2)
Re:Average Joe is why this is really bad (Score:2, Insightful)
It's true, but they really don't want to spend the monthly cola budget on silly things like security.
Microsoft sell things by good marketing, not by having good products.
This creates a *lot* of work (Score:2)
[1] your corporate firewall should keep any exploiting worm out but there are still floppy drives, possible unauthorised modems and third party connections that *may* allow the thing in, so you'll have to patch to be on the safe side.
Too bad it breaks stuff. (Score:2)
I haven't confirmed this on all my machines, but when I installed the updates on one yesterday (I always update one machine, and if nothing important breaks I do the other one) Synergy no longer starts automaticly on boot, it works just fine starting when I log in. (I normally log into one comptuer, and then from there log into the other)
Call me crazy... (Score:2)
Re:Call me crazy... (Score:2)
You're crazy. You shouldn't be, but the fact is that a huge number of MS shops are run by undertrained sysadmins who, through very little fault of their own, remain unaware of these little issues. I'm a certified engineer (Novell) with a lot of experience with MS products, and I read constantly trying to stay ahead of the curve. My company refuses to part with the money to send me to some proper training, or hire a mentor for a short while.
Questions that I Microsoft's page does not answer (Score:2)
2. I am running a German version of XP, so all services have German names. What is the "Messaging Service" called in the German version? The closest I could find is "Nachrichtendienst".
I haven't had this running for years (Score:2)
Once spammers learned how easy it was to use the Messaging service to send almost anonymous spam a couple of years back, me and damn near anyone I know not behind a firewall turned it off.
Or did spammers stop sending dozens of nice popups a day to random IP addresses sometime between now and then?
Look at it this way... (Score:2)
Lessons Learned from RPC (Score:2)
Of course a firewall will offer some protection but shouldn't be relied on.
Check.
Unfinished poetry composition from RPC...
Relevance of Windows Messenging (Score:2)
Re:Relevance of Windows Messenging (Score:2)
Disabling the Messenger service is on the standard list of things I do when installing W2K. (right after installing SP2 and the latest RPC patch)
Interesting but... (Score:2)
Ever since spammers started using it a few years back, it just wasn't worth the nuisance of dealing with it.
Another rabid submitter gets it wrong (Score:3, Informative)
Their new policy [myitforum.com] is to release monthly updates unless an exploit already exists, in which case a patch is immediately released.
Out of these, MS03-043 is a flaw in the Windows Messenger Service
You don't know what you're talking about, submitter Dynamoo. Please, tell us why one shouldn't rely on a firewall? If you read the technical documentation [microsoft.com] about the flaw you see "If users have blocked the NetBIOS ports (ports 137-139) - and UDP broadcast packets using a firewall, others will not be able to send messages to them on those ports." (under "Technical Descriptions"). I think I'll ignore your advice and keep a firewall in place, no matter what OS I'm using.
What? (Score:3, Insightful)
> Microsoft released yesterday a whole bunch of critical security updates.
Their new policy is to release monthly updates unless an exploit already exists, in which case a patch is immediately released.
How, exactly, are you contradicting the author?
> Of course a firewall will offer some protection but shouldn't be relied on
You don't know what you're talking about, submitter Dynamoo. Please, tell us why one shouldn't rely on a firewall? If you read the technica
Re:What? (Score:3, Informative)
Good point - I was unclear. I should have quoted Microsoft's technical documentation. They specify configuring Windows' built-in firewall to block those ports. If the ports are blocked at each machine then an infected machine behind a hardware firewall will not infect other machines on the LAN.
Nomenclature (Score:2)
I want to shoot the Messenger, but it's hard to tell which one!
But not to worry, visiting the MS link in the post and following the directions cleared up
Not so fast... (Score:5, Funny)
If you haven't patched yet, I'm guessing anyone can disable your services remotely.
Releasing patches too frequently? (Score:4, Insightful)
Customers are concerned that Microsoft releases security patches too frequently
Wha?!? So, customers are saying that even if some critical flaw is found, M$ should wait awhile before releasing it because Joe Admin is concerned there are too many patches??
Come on, if they know something is broke I want a patch ASAP (after proper testing of course). I don't care if they release a patch an hour, if something is broke -- Fix it now, don't wait until next week because you've already released your quota of patches for this week. This sounds like BS to me, maybe M$ just stuck that in as an excuse to not release patches.
Later they say an exception will be made if they determine the customers are at immediate risk. I'm glad they know my system so well, but really, please just release the patch now and I will decide if MY system is at immediate risk.
Re:Releasing patches too frequently? (Score:2)
1. The patches haven't had time to be adequately tested.
2. A cascade of patches indicates serious underlying problems.
3. A cascade of patches distracts the MS developers from what should be their primary job: making patches unneccessary in the first place.
Taking bids on when worm comes... (Score:2)
I am saying this worm will probably come early November around midnight EST. (Nov 13th)
Official bid: Nov 13th 0000 hours.
Any other bidders?
Nasty Supplemental EULA (Score:2)
"I will not publish the results of
I have never (intentionally) installed the update that installs the
In any event, this clause casts a chill over me.
New Marketing Slogan (Score:4, Funny)
Re:Too bad it's such a pain in the ass... (Score:2, Interesting)
Take that from a guy in tech support.
Re:Too bad it's such a pain in the ass... (Score:2, Insightful)
Re:Too bad it's such a pain in the ass... (Score:2)
Well, if I asked you what your IP is, then would you know what I'm asking for? How could that be, even though there is no 'a', 'd', 'r', 'e', or 's' in the acronym? Is it simply because you are taught that that is the meaning plus it just what you are used to? Well if you can do that, then they can say that their computers run Microsoft, just as some1 else can say that their computers run Red Hat, Suse, Gentoo, or Debian.
Get over it, & fix it for
Re:Too bad it's such a pain in the ass... (Score:5, Informative)
Anyway, in case anyone's reading this and doesn't know how to disable Messenger, go to Start -> Settings -> Control Panel -> Administrative tools -> Services. Right-click on Messenger and pull up the properties sheet. On the "general" tab, select "disabled" for "Startup type". Then hit the "Stop" button right under that on the "general" tab to stop the service if it's currently running. That's for 2K - I assume XP is similar.
Re:Too bad it's such a pain in the ass... (Score:2)
I thought the service description wasn't very clear, at least not after being translated to swedish.
Re:Too bad it's such a pain in the ass... (Score:3, Funny)
Re:Too bad it's such a pain in the ass... (Score:2)
Want to sign up for MSN? Huh? Huh? Do ya? Click here!
Re:Too bad it's such a pain in the ass... (Score:2)
It would appear you failed that particular test...
Windows Messenger Service != MSN Messenger.
Re:Too bad it's such a pain in the ass... (Score:2)
If y
Re:Too bad it's such a pain in the ass... (Score:2)
I thought the service description wasn't very clear, at least not after being translated to swedish.
Originally it was conceived to provide an easy way for programs to send out messages over networks to users and/or admins about conditions that they need to know about. It allows one to send a simple pop up dialog box to anyone on the local network. You can use the "net send" command on any NT/200
MS flip-flops (again) (Score:2, Interesting)
For over a year now, Leo Laporte from TechTV's The Screensavers [techtv.com] has been saying that Messenger Service is a security hole [techtv.com] but Microsoft kept saying, "It's not a hole; it's a feature." Guess now Microsoft will turn off Messenger Service by default. Or, maybe not.
Re:MS flip-flops (again) (Score:2, Insightful)
Most of the people running IIS got
Re:Too bad it's such a pain in the ass... (Score:2)
I know this is going to sound highly unusual for Windows, but you don't actually have to restart once you stop the service. Rebooting gets to be a bit reflexive after a while, but stopping and starting services is one of the few cases in a Microsoft OS where you don't have to feed the reboot monkey ;)
Re:In a way, it is a good thing... (Score:5, Funny)
Re:You guys are getting slow! (Score:2)
Re:You guys are getting slow! (Score:2)
I feel safer knowing that there are security companies out there that support delayed disclosure, yes.
They're doing the public a service by allowing Microsoft to patch it before releasing the announcement to the virus writers. That's far more responsible than screwing everyone over for the sake of idealogy.
Re:Well.... (Score:2)
Re:Yet Another Critical Linux Flaw! (Score:2)
please come back when one of the kernel services has a flaw..
By this argument, none of these vulnerabilities should be held against Microsoft since none of them affect the Windows kernel (kernel32.dll).
Please, at least apply the same criteria to both systems. Linux is just as worthless with just the kernel as Windows would be.
Not to mention, I haven't seen Microsoft include a WEBSERVER in the kernel space yet.
Re:Yet Another Critical Linux Flaw! (Score:3, Informative)
Re:Yet Another Critical Linux Flaw! (Score:2)
But those haven't been claimed IN A COURT OF LAW to be part of the OS. If there's a flaw in something MS claims is part of the OS, then, they take the bad with the good and get it docked against the OS.
Not to mention, I haven't seen Microsoft include a WEBSERVER in the kernel space yet.
And, yes, IIS runs partly in kernel with IIS 6.0 on Win 2003 [microsoft.com]
Re:Yet Another Critical Linux Flaw! (Score:2)
kernel32.dll is more like glibc than vmlinuz. The "dll" bit should have tipped you off.
Re:Already patched ........ (Score:2)
No fair! I have auto update and that's not applied on my systems
Re:Monthy Updates (Score:2)
Re:Don't tell me about TCO! (Score:2)
Yes you do. You gotta because you're a fucking idiot. Anyone with half a brain would just turn on Automatic Updating for most of the machines. But then again, you are in academia, which isn't exactly known for producing the sharpest people...