Microsoft identified three vulnerabilities in Windows on Wednesday that could have a similar effect to that of the dreaded MSBlast worm of August. The flaws, which affect Windows NT 4.0, Windows 2000, Windows Server 2003, Windows XP and the 64-bit versions of Windows XP, are the latest in a string of critical weaknesses identified in Windows recently.
Windows Flaws Allow PC Takeover
About The Author
Eugenia Loli
Ex-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker.
Follow me on Twitter @EugeniaLoli
Just like clockwork.
Oh horrors. At this rate they’re going to fix all flaws pretty soon and be invulnerable…
I wonder how long until a virus exploiting this is written. Blaster actually was slow in getting out. If a virus is released with this capability very soon, it will be even more devestating. Blaster was slow enough out that it didn’t get the full effect. If a virus is written in less than a month, many users won’t have applied the patch yet, and it could make blaster look small. – It’s only a matter of time
Is it Microsoft finding its own flaws, or is it still other people doing it. Because that will show if they are really working at making their systems secure or not.
I’m not trolling but I just wanted to say that this proves Windows isn’t read for prime time.
is that MS is not creating patches that will deploy on any system. The Windows 2000 patch for the first DCOM RPC vulnerability required that the system have at least SP2. In an environment where a single administrator is responsible for patching dozens of machines, many of which he/she doesn’t actively maintain, this can be quite a headache, as there exist several cases in which installing SP2-4 is not possible: the underlying installation has been corrupted to the point that service packs will not apply… there is insufficient space to apply the service pack, etc. In such a case, the only course of action is to reinstall the whole system.
Bad news…
From the article
“The actual flaw was first discovered by eEye security, NSFocus and Tenable Network Security.”
There’s a patch on windows update AFAIK.
Service pack 4 jacked up many of our PCs here.
oh wait, no it’s not
http://www.infoworld.com/article/03/03/19/HNvulnerable_1.html
http://www.cert.org/advisories/CA-2003-07.html
http://insight.zdnet.co.uk/software/developer/0,39020469,2133040,00…
i am so tired of “install linux problem solved” posts because linux has just as many security problems as windows, it’s just there’s five million kinds of linux and only a few kinds of windows plus alot less people use linux than windows, so why bother writing a linux worm?
you have no concept of the differences in Linux “security” problems and windows security problems.
a local exploit is not as dangerous as a remote exploit.
windows remote exploits give the entire system over to the program that has invaded, Linux remote exploits (if they existed like they do in windows, would not have any effect on the system as you saw via MSBlaster.
all security problems are not created equal.
Of my god does you know me???
ans also appart of those problem here office 2000 doesn’t work when you install the blaster patch and of course here with have more than 600 pc’s just in our locality, our complete network have more than 1200 machines…
Is very hard…..
i have trying use GFI LANguard Scanner for apply remote patch but until now not lucky
rowel wrote:
“i am so tired of “install linux problem solved” posts because linux has just as many security problems as windows, it’s just there’s five million kinds of linux and only a few kinds of windows plus alot less people use linux than windows, so why bother writing a linux worm?”
1. It is demonstrably false that “linux has just as many security problems as windows”.
2. Regardless of 1. above, rowel agrees that, as a practical matter, one is more secure using linux, at least until there are only a few kinds of linux (never) and more people use linux than windows (several years away). So wouldn’t it be better to be more secure now by switching to linux? (or BSD or Mac OS X or even BeOS or Amiga)? Yes, according to rowel, no less. Thank you for the guidance rowel.
Regards,
Mark Wilson
dude….read your post before hitting submit……that is just horrible……I have plenty of workstations running office 2000 with the patch and there are no problems.
I’m afraid LINUX is secure but Windows is not! In the last two years I never had to fix an infected/broken-in Linux box but had to fix hundreds of infected/broken-in Windows boxes. I don’t care about the details on why and how this happens. It just happens and I can see the “total cost of fixmanship” of using Micros~1 operating systems growing and growing. Thats what counts for us.
By the way, there’s only one LINUX. The distros are just the same goodie in different flavors of wrapping paper.
Okay, but _who_ mentioned it yet? Nobody. Why bother to say that?
“alot less people use linux than windows, so why bother writing a linux worm?”
Right… How many gazillions of web servers run linux?
Wouldn’t that be a more inviting target for a malicious programmer than to bring down Windows PCs, a large percentage (if not most) of which are desktop workstations?
…..rollup required
Thats what, 35Mb of critical patches since XPSP1A ?
Yes I’ve got them all downloaded and saved into a new folder on my XP install disk, but I could really use a slipstreamable single rollup patch now…. something system builders can apply with one click.
I installed the latest patch on a NT4 box. Restarted. Now IE6 fails on launch. reinstalled IE6; restarted. IE6 fails to start. THANKS, BILL!!!!!!
Given that Windows probably has at least 100,000 bugs in it, I think we won’t be seeing an invulnerable Windows in our lifetimes. ( 100,000,000 LOC / ( 1000 LOC/bug ) )
With my two home system one a Gentoo linux box up 24/7 for the last 3ish years the other a XP box just for games only up a few hours day.
The linux box has never been hacked or crashed unless Ive been messing with iffy beta software.
The XP system you only have to walk past it and it seems it falls over.
Yes I’ve got them all downloaded and saved into a new folder on my XP install disk, but I could really use a slipstreamable single rollup patch now…. something system builders can apply with one click.
I certainly hope that Microsoft will release Windows XP SP2 with all of the DCOM and other security patches soon. I created a second CD for myself with SP1 and the RPC DCOM patches on it which I use immediately after installing XP now before I can even plug the machine into the network… it’s quite annoying.
You guys are so full of sh1t. I’ve ran XP since release without a single hack or virus. So what? No one cares if you have a linux box that has never been hacked or crashed “unless Ive been messing with iffy beta software”. Has XP ever crashed on me? Probably. My system uptime speaks for itself however (well over a month prior to installing this latest patch). If your XP system crashes everytime you “walk past it” then learn how to configure a pc or quit buying sh1t components. Oh and get over your Microsoft envy and just use what you like.
Hey dude! I’ve got a mail from you with the following subject: “RE:Details” 🙂 Are you sure about that virus thing..?
As there is nearly ever a single constructive comment in response to MS security articles. All we get is the Linux crowd spewing their usual drivel.
Yes, we know Linux is more secure … now, move along.
Xp is a solid operating system. yes, it has security issues, but so would linux or any other if it had 99% of the desktops in the world.
Thats what we have been trying to tell you all the time! We are moving along already and we also want you to move along with us instead of staying back and reading service pack instructions and dnloading huge patches every day. Computers are built to be used, not just to be patched.
I do use what I like thats why I have the best of both worlds I have no microsoft envy if I had I would not be using windows for games,you do have me on the crappy hardware THANKS SSC computers (the first and last pc I buy complete).I know I could keep XP up over a month but suffing the net and creating docs and that type of stuff is not a good use of the hardware.
Windows SP Lifecycle page suggests that previously announced plans for XP SP2 are still on course – for a release in 9 months.
http://www.microsoft.com/windows/lifecycle/servicepacks.mspx
I note with interest that Win2K’s SP5 date seems unknown and hope this is a sign of an interim package release pending. I reckon XP SP2 will be a product of 2004 but they’ll have to put something out before then… SP1b perhaps?
I beg to differ, apache (like linux) is open source software, more widely used than the Microsoft alternative (IIS). There are more holes in IIS and it is exploited more, so even if there were more Linux boxes around (and there really are not like 500 linuxes, it is more like 3, and then like bsd ad such) I don’t think Linux would be affected in the same way be viruses. Also the fact that linux is more diverse than windows makes it less exploitable, your virus/worm must be compatible with several versions of linux (or glibc) to work, so it is harder to make it spread far, unlike the windows side…
I recieved about 6 or 10 sobig’s in my mail box so far, and I being a linux user was not affected by them, also I am sure my machine was probed by blaster (it’s in our network here) and again I am not affected. I even saved a sobig to my HD to check if my virus scanner (clamav) would find. It did and removed it (I know I don’t need a virus scanner, but I wan’t to be able to tell people that yes they can have it if they want).
So everyone install linux (if equlivant linux exist for you (that means all you email sending, office using, dvd watching, internet users))and fix all your problems. Use Lindows if you are not a *geek*…
Ok that last paragraph should read:
So everyone install linux (if equlivant linux software exist for you (all you email sending, office using, dvd watching, internet users are covered))and fix all your problems. Use Lindows if you are not a *geek*…
All we get is the Linux crowd spewing their usual drivel.
To be fair, the first shot here was fired by a pro-Microsoft poster, in the tenth comment of this thread:
http://www.osnews.com/comment.php?news_id=4507&offset=0&rows=15#142…
Now, would this qualify as a troll? I don’t know (in any case, it wasn’t deemed such by the moderators). If it does, then I agree that the pro-linux advocates should have ignored it. If it isn’t, however, then they are entitled to defend their point of view…
Xp is a solid operating system. yes, it has security issues, but so would linux or any other if it had 99% of the desktops in the world.
The popularity of an OS isn’t related to the number of exploits that affect it. The only thing one can assume is that there may be more attempts to carry out these exploits on a more popular OS.
By the way, Windows isn’t on 99% of the world’s desktop – the figure is probably more like 91 to 93% (still dominating, mind you). But security issues are not limited to the Desktop, far from it! Server vulnerabilities are as much of a threat, if not more – and there Windows only has a 50% market share, about three times more than Linux…
“The popularity of an OS isn’t related to the number of exploits that affect it. The only thing one can assume is that there may be more attempts to carry out these exploits on a more popular OS.”
Wow. Somebody ACTUALLY GETS IT!
rowen wrote:
“i am so tired of “install linux problem solved” posts because linux has just as many security problems as windows, it’s just there’s five million kinds of linux and only a few kinds of windows plus alot less people use linux than windows, so why bother writing a linux worm?”
According to Netcraft about 65% of today´s webservers run on Apache, that is a lot of webservers. The majority of those run on Linux 24/7 connected to the Internet on huge bandwith links. I would really regard those machines valuable targets for hackers since they hardly go offline (like Windows desktops) and Linux comes out of the box with lots of network tools on the contrary to Windows.
So ask yourself rowen why only few Linux machines get hacked…
Unfortunately Linux or Macintosh are not a realistic alternative for many people. It isn’t the windows desktop itself that makes it indispensable, it is the special applications that you can only use in a windows environment, I don’t mean MS Office either. The ones that cannot be realistically run under emulation. I’m ready to give up windows. I’m not ready to give up the programs that I need windows to run.
This is the second round of flaws in the DCOM service. A simpler fix to this flaw is to turn off DCOM. For those who don’t want to wade through lots of menus, or hack the registry, good ol’ Steve Gibson has a utility that will turn it off. I have run that way for a week with four machines, and haven’t missed any functionality. You can get it here:
http://grc.com/dcom/
Microsoft should have turned DCOM off by default, of course, but if you have administrator rights, it’s not hard to fix.
Why do people keep running this piece of shit OS?
Because it has applications that people need to get work done. Please show me a *IX counterpart for this software:
http://www.campbellsci.com/software.html#full
If there exists a *IX replacement with the same functionality I will happily switch in a heartbeat.
Actually, Windows XP does not have 90% of desktops. Believe it or not, the majority of Windows desktops are 9x, which I think everyone will agree is buggy and insecure. Relatively few people upgrade, most just buy a new PC–but not everyone has the money or inclination to do that.
an MS fanboy (not neccesarily a _good_ MS tech) launched the first shot.
so pipe down.
e
mcse, mcp+i, lpi1, linux+
an MS fanboy (not neccesarily a _good_ MS tech) launched the first shot.
You’re right – I stand corrected
However, I still stick by my original comment that articles like this really don’t need comments.
Why do people keep running this piece of shit OS?
To piss off people like you – that’s why.
>Xp is a solid operating system.
depends on how you define “solid” …now windows only blue screens twice a day.
but seriously, xp is worse than win2k. win2k is much faster and takes up a lot less overhead. plus i hate the super big kindergarten sized icons and overwrought grandiloquent start menu. and xp has the drm licensing which is a big pain in the arse. maybe because of the excess fluff xp has, win2k in much more stable than xp too. and finally, i must mention that xp hides many settings that were adjustable in win2k …that especially sucks.
“Bad news…
From the article
“The actual flaw was first discovered by eEye security, NSFocus and Tenable Network Security.””
Well, not necessary a bad news. If they are specialized firms PAID by Microsoft to find every vulnerabilities, then I think it’s very positive and show they’re serious to patch every holes.
I’m really afraid that when e.g. SP7 for 2k is out, and it really fixes majority of flaws and holes, this working OK OS will be dropped out of MS support after 6 months or so.
We have lot of well-working NT4 installs, and wish to use it even on new hardware…
“depends on how you define “solid” …now windows only blue screens twice a day.”
Oh yeah, sure, blue screens still exist. That’s why I never saw a SINGLE ONE with 2K and XP … And you’re not a troll. Nah ! Not at all.
“plus i hate the super big kindergarten sized icons”
Wah ? Icons in XP have the exact same size as all other Windows. Maybe you confound OSX and XP …
“and overwrought grandiloquent start menu”
With TWO clicks you get the exact same start menu as under 2K. You don’t even need to mess around with a config file …
“win2k in much more stable than xp too”
Name ONE please ? Every single options in 2K are the SAME under XP, or just slightly moved around.
After finding so many flaws in windoze and .Not M$ should get out of OS business. If I wrote any application that had so many bugs I would get fired same thing with windoze it purely is a crappy OS. Windoze should be banned and M$ should be fined for flawed software.
“The popularity of an OS isn’t related to the number of exploits that affect it. The only thing one can assume is that there may be more attempts to carry out these exploits on a more popular OS.”
I’m not trying to pick a fight here, but the above is incorrect. The popularity of an OS has everything to do with the number of exploits that affect it. It may not have anything to do with the number of (latent) vulnerabilities contained within the OS, but an exploit is some code or method designed to take advantage of a vulnerability. Additionally, the popularity of an OS will shape the amount of effort put forth in finding the vulnerabilities contained within an OS.
Sorry for the above knit-picking.
Given Microsofts market share and their inability to code reasonably secure software, we continue to have a cracker feeding frenzy for some time to come.
Your logic is flawed. 99.999% of the time, a worm is used in order to turn a computer into a zombie and then DOS a certain server.
The worms are in effect bringing down those webservers you speak of, just by using those millions of workstations they took over.
i bought my imac back in 1999 and it hasn’t crashed yet. os x runs flawless and there is no way i am going to switch to windows. i had a compaq presario and i gave it to my cousin. it was always crashing and freezing. i got tired of it, i kicked it a LOT of times and i called my cousin. she picked it up and
left.
i am keeping my imac and later i’d want to try Zeta BeOS or Amiga.
– 2501
you are right.
wintel need a lot of time to work correctly.
but once getting stable, also it give you the power that equal to mac’s.
—
i hadn’t try mac.
> Please show me a *IX counterpart for this software:
Dude..there is a ton of SCADA work being done in Linux… I doubt you have even tried to look….just beceause your too lazy to look, which is fine if your happy with the status quo, but don’t say it “doesnt exsist” when you don’t really know.
http://www.verano.com/general_downloads/pr_watch_screenshots.pdf?PH…
http://www.merz-sw.com/products/aspicmp-screens.php3
“Xp is a solid operating system. yes, it has security issues, but so would linux or any other if it had 99% of the desktops in the world. ”
Exactly, this is why Apache with it’s overwhelming 60% marketshare as a webserver has security holes all over and gets hacked all the time while IIS with it’s measly 20something percent has far less bugs and is completely secu…
Oh, wait, it isn’t. Hmmm. Strange.
Ah, and if you estimate Mac 5% Linux 5% and others 5% (and I think there’s a larger installed base worldwide of Macs and Linux) then Windows has 85% marketshare at best. And this marketshare gets divided again between Win95, Win98, WinME, Win2000, WinXP, WinNT and now 2003 Server…
vxworks has a cr510 multilogger afaik, that was ~two years ago
FYI, IIS6 does not have a single known vulnerability.
The popularity of an OS has everything to do with the number of exploits that affect it. It may not have anything to do with the number of (latent) vulnerabilities contained within the OS
Well, you are nit-picking, but right nonetheless…bad choice of words. I was counting as-yet-undiscovered exploits – exploit potential, if you will. Indeed, what I should have said was simply “vulnerabilities” since these are there even if no one knows about them.
Dude..there is a ton of SCADA work being done in Linux… I doubt you have even tried to look….just beceause your too lazy to look, which is fine if your happy with the status quo, but don’t say it “doesnt exsist” when you don’t really know.
I’ll thank you for the condescending and ill-informed response. We need data acquisition software which supports communication with both the array and table based operating systems of Campbell Dataloggers (http://www.campbellsci.com/)
Let’s say it will affect Longhorn too in 2010.
Don’t bother, Microsoft will be out of business by 2010. As of today, half of the world doesn’t trust their product and are desperately seeking alternatives.
Regards,
Mystilleef
Yet.
> FYI, IIS6 does not have a single known vulnerability.
Do you really think Microsoft has finally coded bug-free software? How naive you are. I believe IIS6 runs with a kernel mode driver. Thats a huge vulnerability just waiting to happen. Here is a piece from a recent eWeek article:
“As for Web speed, Microsoft compared IIS 6, which uses the kernel-mode driver, http.sys, to achieve its outstanding speed, and Apache doesn’t work at the kernel level. Of course, if you want to you can match IIS 6’s speed with Red Hat’s TUX Web server, which also runs close to the operating system’s heart. But this speed comes at a cost: Running any end-user interactive program that close to the kernel is downright dangerous, no matter what operating system you’re running. With Linux, you get to choose if you want speed over danger; with Server 2003 and IIS 6, like it or lump it, you’re stuck with a very fast, very dangerous Web server.”
See:
http://www.eweek.com/article2/0,4149,1238672,00.asp
In sworn congressional testimony, microsoft’s recommendation to consumers to fix network problems is “install a new version of windows”. This testimony starkly contrasts with marco nellison’s ” My music software can play mp3’s backwards, mr chairman, who else can do that??”
yeah, who’s you daddy?
Be.
Aitvo: Notice I said known.
Anon: No, I don’t think they coded a bug-free piece of software. As long as humans are coding software, it will NEVER be bug-free, it doesn’t matter who is coding it.
The point is everyone is saying how IIS is a huge secuirty hole in and of itself, yet there are no known vulnerabilities for the latest version. Meanwhile, Apache 2 has had a very rough start.
I think it becomes really tricky when you try to compare track records of Microsoft’s share of the desktop market with Linux’s share of the server market. First of all, desktop security was not that high of a priority in the past (understandably), and it was most likely good business logic for Microsoft to focus on delivering a product by a deadline over delivering an insanely secure product. Now that security is a concern, Microsoft is at least working on patching their products. They need time for a revamp with a new focus on security; hopefully that will come with Longhorn.
Now, take every desktop computer with XP Home or 9x that’s on computers throughout the world with little or no effort given to security. Most XP Home’s have blank Administrator passwords, 9x doesn’t even need a password, they’re filled with spyware, and the users will install anything that makes a flash. People rarely care about account names/passwords (most XP users have it automatically log in). The home desktop market has traditionally and continues to care very little about security. It is NO WONDER that Blaster did so well. Microsoft *did* preemptively reach a patch, but the audience is so untrainable and illiterate that it could not effectively be deployed.
Linux doesn’t have the “complete computer illiterate” audience yet. It may in the future. However, in order to get that audience they’ll need to dumb down some of the security (like user name switching/su/etc). I believe Lindows does this already (is it Lindows that logs in as root?). Now, so far the track record for desktop Linux is good because of the diversity of distributions and the general audience that installs Linux. However, I’m going to go out on a limb and say that if Lindows had the market share of Windows right now, and there were just one flaw that allowed code execution (and I think it is naive to ignore that possibility), then Lindows would be in just as tough of a position as Microsoft in getting the “dumb and illiterate” to take the time to patch their computer.
The problem I see with all the Apache references is that Linux web servers are generally being setup by people with at least a clue about technology… their jobs depend on how well they set it up. They’re not going to make a bunch of careless mistakes, and if they do, they’ll probably get a defaced website.
I like to think of this latest blaster problem as a “mistake” of the audience of Windows, not necessarily Microsoft themselves (since they had a patch). Most Windows vulnerabilities do NOT directly affect a properly maintained Windows system. The problem is, most users of Windows do not properly maintain their systems.
I believe the general audience of Linux (both desktop and webservers) is significantly better at maintaining computer systems than the general audience of Windows.
MS sure makes a secure OS.
Make no make mistake, Windows is full of holes. Just because MS releases patches doesn’t mean those vulnerabilities don’t exist. Its full of holes and I don’t see how anyone can rationalize it to be anything else.
Marketshare? If Windows had 1% marketshare it would still have security issues. It won’t automatically become more secure becasue of having less marketshare. There are plenty of Mac and Linux users that are just as clueless as the average Windows user yet they will have less security issues?
A fundamental problem that a lot of people WILL NOT accept is that security wise Windows is flawed. To say its not is being ignorant.
Who wants to babysit an OS that can get taken down by a script kiddie that doesn’t even have a basic knowledge of TCP/IP? I don’t see how people find this acceptable.
>>Xp is a solid operating system. yes, it has security issues, but so would linux or any other if it had 99% of the desktops in the world.
XP has far, far fewer than 99% of the desktops in the world, my friend. Far fewer.
Notice I said yet. 😛 haha
“Who wants to babysit an OS that can get taken down by a script kiddie that doesn’t even have a basic knowledge of TCP/IP? I don’t see how people find this acceptable.”
Who wants to use something else than Windows and having NO WORK done ? I don’t see how people find this acceptable.
See ? I too can make twisted logic.
BTW never heard of firewalls ?
… the sky was found to be blue.
there are hundreds of thousands of competent programmers who love Windows and hate Linux. And, of course, THE SOURCE CODE IS FREELY AVAILABLE. If it were that easy to crack Linux, I’m sure it would have been done many times over. And, has been pointed out ad nauseum, there are tens of thousands of Linux webservers that just sitting there 24/7.
What’s stopping them from being cracked?
While I prefer Linux, I do run Win2K and XP as well and I must
say that they’ve both been quite stable. My laptop does run XP
significantly slower than Redhat 9 but neither has crashed on me and I do stress them both.