Security experts are monitoring widespread use of exploit code that takes advantage of a recently disclosed vulnerability in Windows. A worm, although anticipated, hasn’t yet been spotted.
While “security through non-disclosure” seems to be generally frowned upon, this news reiterates its practicality. Many seem to take issue with the fact that Microsoft tells no one about vulnerabilities they discover until either it begins being exploited in the wild or they have a patch available. While it may seem cruel to not let users know of gaping holes in the security of their systems, doing so can preclude malicious people from developing exploits for those vulnerabilities. As we’ve seen here, this exploit came out quite quickly after disclosure. Are the advantages of disclosure really worth sacrificing the potential time which could be used for developing and testing patches?
And for those open source zealots who like to tout open source’s quick turnaround on patches, remember the OpenSSH 3.6 fiasco? A quickly produced but poorly tested patch can, in many ways, be more detrimental than leaving users vulnerable while taking the time to properly test patches.
If you need to resort to loaded words (open source zealots) to make your argument, you don’t have much of an argument.
One other thing: the reasons why security through obscurity doesn’t work are well documented.
The fact that you can point to one problematic set of patches in the many years in which open source has been in use does not prove your point. I could give a fairly long list of patches and service packs that break things, going all the way back to the NT4 days to the present.
Try harder…
In this case, it took MS months to release a patch. I’m not here to debate why it took them so long, but imagine if they had released details of this months ago, and then it was exploited a few days later; that would leave months that machines were vulnerable with no patch. Of course, you could say that it shouldn’t take MS that long to release a patch (and I’m sure the MS bashers will be all over it like a pack of dogs on a 3-legged cat), but that’s not really the point here …
The point here is that if you give details about the security issue and don’t release a patch, the only people who are going to take notice are the security conscious, and those people already have software and hardware firewalls anyway. If there’s no patch available, what else can you do besides what people are already doing? Block a port that is already being blocked?
Long before Blaster, long before Microsoft released a patch for Blaster, the RPC hole was known to script kiddies. I know a few in RL and watched as they were showing me owning a remote box through this hole. This was over 9 months prior to Microsoft releasing a patch. Don’t give me that security through nondisclosure crap; many boxes could have been secured or at least firewalled off if the knowledge had surfaced publicly prior to MS patching it. I was happy when MS finally patched it; these wanna-be h4x0rs weren’t. (No idea who wrote the exploit they were using, and I really don’t want to know.)
Just because the public doesn’t know about it doesn’t mean that no one knows about it, and it certainly doesn’t mean that no one is using it.
I’m a firm believer that a vendor should be notified prior to going public, but I think that the public should be told within a 2 month period if not sooner. Microsoft has a history of NOT patching until a working exploit goes public.
Hi
“remember the OpenSSH 3.6 fiasco?”
Remember how every distro backported it so that it works right?
It all boils down to one thing: keep all your Windows boxen behind a separate firewall. When I say firewall I mean a NAT box, not software. Software firewalls have problems too. Just look at ZoneAlarm. Flame On.
They take their time releasing security patches and who ends up suffering? Not Microsoft; instead the end user suffers because of their lazy assed attitude. I’m not trying to start a flame war, but you have to wonder why companies such as Red Hat and Novell (SuSE) can release security patches within hours and not weeks like Microsoft. Time and time again Microsoft has disappointed not only businesses but home consumers, leaving their systems insecure for months while keeping it secret that there are gaping holes in IE, etc. What’s surprising is that Microsoft continually attempts to put down the Open Source community and Linux in general, making it seem that tech support and security issues are not dealt with properly, even though some popular Linux commercial distros such as the ones mentioned are well known for their security and support. Microsoft needs to get their act together and provide reasonable fixes to security issues, bugs, etc. Better yet, before releasing an OS certified as “complete/final”, Microsoft should make sure there are no bugs or holes like the thousands that were present when XP was first released to the public.
Don’t give me that security through nondisclosure crap; many boxes could have been secured or at least firewalled off if the knowledge had surfaced publicly prior to MS patching it
If somebody wasn’t using a firewall before blaster existed, why do you suppose people would rush out to install one before blaster actually hit?
As I said before, the people who are actually interested in these kinds of vulnerabilities are already protected anyway, so you do nothing by releasing the info before a patch is available except let more bad guys know about it. Hell, can you imagine what it would’ve been like had Blaster been released BEFORE the patch was ready? Who knows how many machines would’ve been infected.
Exactly. If the white hats who release the info about the bug have found ways to exploit it, there’s a good chance some black hats in this great wide world have found it as well.
Public disclosure should not wait long after the software makers have been informed, either.
No, chances are that the ISPs would block the port, like most ISPs did with Blaster. That’s what I did when there was a security hole on a port that doesn’t need exposure to the Internet: I blocked that port to try and prevent customers from getting infected.
Also, not every place runs a firewall that blocks everything except what is on a short little list; some just block known bad traffic types so that users are inconvenienced as little as possible.
As I said before, the people who are actually interested in these kinds of vulnerabilities are already protected anyway
Those people are part of the public as well. Many are MS customers.
More and more people are becoming security conscious. And they’re not necessarily protected if they use services on open ports. Someone mentioned OpenSSH earlier, and how people could revert to a previous (safer) version – this is a good example of how knowing of a vulnerability can possibly help you secure your computer.
As a member of the public as well as a security-conscious netizen with a few servers running on the Internet, I’m glad to know when a vulnerability has been found. I can take the necessary steps to secure my system. I can’t do that if the vulnerabilities aren’t made public.
Dude, where the fuck do you get off talking to Bascule like that. He’s been an intelligent regular ever since I’ve been here, and I’ve never even heard of you before. Perhaps the reason he uses the phrase “open source zealots” is because of the crazy firebrands like you who are trying to spread FUD about people trying to combat the “in the trenches” bullshit campaign on forums like these perpetrated by “overzealous” open source enthusiasts. If people want to bandy about the phrase “zealot” that’s their prerogative, but you act as if he just broke Godwin’s Law. Where the hell do you get off “discrediting” his whole argument just because he used the word “zealot”? The only way you’d even remotely have a case is if he said “open source nazis”, but don’t try to bullshit people into thinking that “zealot” is some sort of taboo word just because you don’t like it.
It all boils down to one thing: keep all your Windows boxen behind a separate firewall. When I say firewall I mean a NAT box, not software. Software firewalls have problems too. Just look at ZoneAlarm. Flame On.
——————-
Give me a break. Why do people think a hardware appliance would save their arses…
Mullighan, was this sarcastic or what? But try to keep the forums clean. You don’t need to say the f word; there are better words than that. As far as doggedblue’s statement, I agree with him. That’s the only one they can come up with, while MS has a long history of patches breaking other patches, and that’s after a month of getting it out to the people. So if Linux vendors only had one broken patch after getting it out as fast as they do, then that’s a pretty good record.
If people want to bandy about the phrase “zealot” that’s their prerogative, but you act as if he just broke Godwin’s Law. Where the hell do you get off “discrediting” his whole argument just because he used the word “zealot”? The only way you’d even remotely have a case is if he said “open source nazis”, but don’t try to bullshit people into thinking that “zealot” is some sort of taboo word just because you don’t like it.
You are right. It is your (and Bascule’s) right to use the word “zealot”, but you lose all credibility when you begin an argument like that. Actual facts go a lot farther than name calling, and unfortunately for Bascule, his one and only “fact” is more of an anomaly than the rule in open source. This latest exploit in XP, on the other hand, seems to be the rule for MS, not an anomaly.
One other thing: the reasons why security through obscurity doesn’t work are well documented.
Yes, however as has been reiterated by Darius and others throughout this thread, why disclose knowledge of a vulnerability which isn’t being exploited in the wild before a patch is available? This was the case exhibited by this series of vulnerabilities, and the case I was arguing.
The fact that you can point to one problematic set of patches in the many years in which open source has been in use does not prove your point.
Clearly you missed my point and focused merely on the bottom paragraph, simply because I used the word “zealot”. The bottom paragraph was a pre-emptive response to those who prefer to spread FUD about Microsoft and unconditionally tout the virtues of (while providing an entirely one-sided and ultimately misleading view of) open source.
The question asked in my post was the following:
“Are the advantages of disclosure really worth sacrificing the potential time which could be used for developing and testing patches?”
Perhaps you’d have answered that if you’d have tried… reading harder?
Long before Blaster, long before Microsoft released a patch for Blaster, the RPC hole was known to script kiddies.
Source please. This is only hearsay.
I know a few in RL and watched as they were showing me owning a remote box through this hole. This was over 9 months prior to Microsoft releasing a patch. Don’t give me that security through nondisclosure crap; many boxes could have been secured or at least firewalled off if the knowledge had surfaced publicly prior to MS patching it.
The bulletin was originally disclosed in July of last year:
http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
and Blaster was discovered in August:
http://support.microsoft.com/default.aspx?scid=kb;en-us;825750
Further proof that Microsoft’s disclosures (regardless of the availability of the patch) as a general trend precede widespread exploitation. Is protecting the few (who apparently don’t read security mailing lists regularly enough to keep abreast of what services are being exploited) really worth the potential of widespread exploitation of vulnerabilities? Providing more information to the public on a particular vulnerability only eases the job of those exploiting a given vulnerability.
Microsoft has provided information on disabling the DCOM service here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;825750
It all boils down to one thing: keep all your Windows boxen behind a separate firewall. When I say firewall I mean a NAT box, not software. Software firewalls have problems too. Just look at ZoneAlarm. Flame On.
I use Sygate and never had any problems. Hardware firewalls are too expensive for home users.
The problem is that some vulnerabilities have been found and are not patched. For a _long_ time. Some are known to the public (MSIE), some only to a company which keeps them secret (on eeye.com). The first example is obvious; the second could be a threat if these people were to share their information in a way Microsoft wouldn’t know about (the so called “underground”).
A more heterogeneous, diverse environment would at least lower the risks. Together with high security for important servers, it would lower the risks and the effectiveness of the worms and such.
“remember the OpenSSH 3.6 fiasco?”
How about 3.4?
“why disclose knowledge of a vulnerability which isn’t being exploited in the wild before a patch is available?”
Why take more than 60 months till a half year in which you don’t publish a patch to a known vulnerability?
Vulnerability found -> Vendor informed -> Vendor issues tested patch -> Public disclosure.
Microsoft’s problem is between steps 2 and 3. Known vulnerabilities aren’t patched.
I haven’t seen that in your Solaris yet. I also haven’t seen it in Linux, with the exception of do_brk (they didn’t think it was vulnerable; slightly different). Instead, FLOSS vulnerabilities (especially regarding important daemons; i.e. some game isn’t very important) are patched quite quickly afaik.
(Honest question)
What is bad about Zone Alarm? I use it on my Win 2000 PC, my wife’s Win XP machine, and my Win 98 laptop. If there’s a better alternative, I’d like to know, please.
John
First let’s get this straight. The term “zealot” is getting thrown around too much on forums in an attempt to antagonize other platform users. This site has turned into a poo flinging contest to see who is better at discrediting another poster. Once you make such comments, it does leave a reader to consider your point biased no matter what your platform of choice is. I myself have been called a Linux zealot in the past because I tried to defend my preferred OS and point out similarities/differences between other OSes. What’s remarkable is the assumption that just because one defends their platform of choice, they have only used that platform. I myself only recently switched to Linux around last November after using Windows since it was first released, and experiencing OS X through my friend, who is an avid Mac user because he’s a graphic designer. So let’s try more to act as adults and keep our points on target with the articles posted at OSNews. This way readers will respect your posts more and be less likely to consider your comments biased or childlike.
As for Windows security, well, I already made my point in my previous post, but I would like to point out a few more things. There is one major flaw with Windows, and that is the end user who is new to computers, or those that are in denial about the risk of attack causing their systems to become pawns in an attack on companies, etc. Most home users of Windows still run the default set up, which is Administrator 24/7, and some even do that without an anti-virus scanner. At least Microsoft enables ICF (Internet Connection Firewall) by default in WinXP, which offers basic protection.
Even some Linux users believe they are invincible to attack. I have seen on several Linux forums users state “Linux doesn’t get viruses”. Well, maybe not lately, but it could happen with the increase of Linux users on the desktop and laptop. After testing several Linux distros for ease of use, stability and security, I settled on SuSE. It has a proven track record like Red Hat while offering more friendly GUI tools, which eased the transition from Windows to Linux. SuSE, like WinXP, has the firewall running by default on install. It also comes with free virus scan utilities, unless of course you want a retail version like F-Secure or F-Prot.
Though what I really liked was that during the installation YaST offers the user the chance to update the OS for security patches, drivers, etc., prior to completing the installation. This can increase the installation time, but it differs a lot from Windows. After just installing WinXP, my friends’ systems and mine were compromised right after logging in. We didn’t even have the opportunity to download our Windows updates or install a virus scanner.
Linux also does something that Windows should be able to accomplish but doesn’t, and that is install updates without the need to reboot. How many times, as a Windows user, have you been tired of rebooting or installing updates separately? This does not happen in Linux, which is something maybe Microsoft can learn from.
You said… “I use Sygate and never had any problems”
Hmmm, what does that mean? That you have never had a malicious program on your computer? Or that one has never been detected?
That’s the whole thing with software firewalls: you only know they are working when they show an attempted breach. If they don’t come off with loads of warnings, how can you be sure it is working/set up properly/not itself trojanned??
The only way you’d even remotely have a case is if he said “open source nazis”, but don’t try to bullshit people into thinking that “zealot” is some sort of taboo word just because you don’t like it.
Actually, using the expression “open source zealot” is pretty much the OSNews version of Godwin’s law. In my view, and in the view of many others, it’s enough to discredit someone’s post entirely (for the record, I use both open- and closed-source software on Windows and Linux).
Of course, in this case, it’s the argument itself that is faulty, so the use of a “catch-all” insult like “open source zealots” is only the icing on the cake.
BTW, using profanity on this board will usually get you modded down.
“Give me a break. Why do people think a hardware appliance would save their arses…”
I don’t have a link but I remember ZoneAlarm having a security problem recently. I personally have had more problems with zonealarm breaking the system than security problems. Most of the problems I have had with ZoneAlarm have caused major headaches for the users. Some of the problems I have seen have blocked the internet connection altogether, removing ZoneAlarm wouldn’t even fix the problem. Question for all of you ZoneAlarm users, have you ever read the instructions on removing it completely?
“I use Sygate and never had any problems. Hardware firewalls are too expensive for home users.”
I call bullshit; you can pick up any NAT firewall for $40.
Software firewalls like to get their dirty hands into too much of the system. ZoneAlarm is the worst one I have seen so far. Everyone claims ZoneAlarm is “really good”, but like I said, have you ever tried to remove it from a system that it borked?
Network Address Translation is the ONLY way to go for a Windows box.
P.S It is MSBlast, not “Blaster”
This has to be the most loaded, vague story I’ve read here in a while. What vulnerability? What security experts? Just a few details in the blurb make all the difference. MS has vulnerabilities come out every week, it seems. I would like to know from the blurb if I have already read something about this particular exploit or if it is something new. If it were a vulnerability that I thought I might be susceptible to, then I might be on the lookout for more info.
/rant
“Actually, using the expression “open source zealot” is pretty much the OSNews version of Godwin’s law. In my view, and in the view of many others, it’s enough to discredit someone’s post entirely (for the record, I use both open- and closed-source software on Windows and Linux).”
I agree, except on “entirely”, and I see it more broadly: any name calling (“argumentum ad hominem”) discredits one’s opinion in my view; but views regarding that differ. Some who agree with the name calling or argument could buy the name calling or argument more easily because of either of these 2. Pretty sad, isn’t it?
This site also is one of the few where the word zealot is used so much. Quite funny that I learned the meaning of the word here after I read it and didn’t know the meaning, therefore looking it up in my dictionary…