November 11, 2008 7:46 PM PST

Microsoft takes 7 years to fix security exploit

by Dave Rosenberg

Microsoft on Tuesday released a security update, MS08-068, which addresses an NT LAN Manager (NTLM) credential reflection vulnerability in the Server Message Block (SMB) protocol. The vulnerability was discovered in 2000, and exploit code for it was first published in March 2001.

That means that a known security vulnerability related to a Microsoft authentication protocol sat on your Windows box for more than seven years, waiting for Microsoft to get around to fixing it:

This vulnerability allows an attacker to redirect an incoming SMB connection back to the machine it came from and then access the victim machine using the victim's own credentials. (Hence the term "credential reflection").

In typical Windows XP configurations, where SMB sharing is enabled, and the user is a member of the Administrators group, this allows the attacker to easily take over the machine. Public tools, including a Metasploit module, are available to perform this attack.

You can read the full story on PC World's site.

Dave Rosenberg dishes up "Software, Interrupted" with nearly 15 years of technology and marketing experience that spans from Bell Labs to multiple start-up IPOs to open-source enterprise software companies. He is co-founder of MuleSource and currently serves as the general manager of Hardy Way. He is a member of the CNET Blog Network and is not an employee of CNET. You can contact Dave via e-mail at softwareinterrupted@gmail.com or follow him on Twitter @daveofdoom.
by joetesta70 November 11, 2008 10:25 PM PST
Oh yea, David Rosenberg - no conflict of interest there.

Go away.
by daverosenberg November 12, 2008 8:24 AM PST
Please feel free to never visit this site again. You should note that this post offered no opinion, only the story.
by Mark_Anderson November 12, 2008 1:55 AM PST
I think it's probably because that attack is killed by a firewall and since XP and Vista run Windows Firewall as standard it's not exactly a high priority.

Next non-issue please.
by MrTangent November 12, 2008 7:14 AM PST
The first iteration of XP (before SP2) did not have the firewall on by default, if memory serves.
by timber2005 November 12, 2008 10:48 AM PST
It had it. It just wasn't "bidirectional".
by rcrusoe November 12, 2008 7:25 AM PST
5 years late with Vista, 7 years late fixing SMB. You'd think MS wouldn't need that long to find a solution.

Here's hoping they've been working on a way to fix all those Windows botnet machines since 1999
by wjsteele November 12, 2008 7:54 AM PST
Please... I agree with joetesta70's "no conflict of interest" post above. Look at this excerpt from his own bio: "Dave discusses the dynamics of growing a startup company and how the software market is evolving against monolithic software corporations whose corporate hegemony stifle innovation and annoy developers worldwide."
by dinojr November 12, 2008 11:58 AM PST
Never mind that Dave is just excerpting from a PCWorld story. PCWorld! Think they've got a conflict of interest against Microsoft too?
by Penguinisto November 12, 2008 8:08 AM PST
ad hominem all you like, but the guy is correct. How many other exploits/flaws are sitting on the back-burner, or even under wraps, because there isn't sufficient time or resources to tackle them?

Not just a condition with Windows, either - it's a problem endemic to all proprietary software products.

@Mark_Anderson: If the victim machine is using SMB, the firewall won't slow things down by much...

/P
by Mark_Anderson November 13, 2008 5:10 AM PST
Sure, but then the corporate anti-virus or the lock down on executable files that is in place will kill it or stop it operating.

Next non-issue please.
by Penguinisto November 13, 2008 3:53 PM PST
...because every Windows user on Earth has an active corporate-level A/V solution, right?
by thenovice1 November 12, 2008 8:22 AM PST
whether there may or may not be a conflict of interest is irrelevant if he (dave rosenberg) is stating facts.
by daverosenberg November 12, 2008 8:24 AM PST
Thank you. There was no opinion included (purposely) in this post.
by K1821voc November 12, 2008 8:46 AM PST
Imo making news where there is no news is showing your bias Mr. Rosenberg. That and you have to be a really classy guy to tell someone that responds to your post on a site which you are not even technically part of to never come back.
by avgjoe62 November 12, 2008 8:45 AM PST
Don't trust David Rosenberg? Then go read the article at PC World.

And the firewall on an individual client won't help. They are talking about network edge firewalls blocking this exploit. All it takes is one compromised client, a malicious email attachment or a war driver on a newly cracked TKIP wireless network to run this exploit inside, behind your edge firewall.

The fact that this took SEVEN YEARS says a lot about the effort to make Microsoft think of security first. The fact that both Vista and Server 2008 are vulnerable to this REALLY defies logic. Then again, I haven't heard much about that whole "Security First" effort lately.
by K1821voc November 12, 2008 8:53 AM PST
Where are the posts in the past from Rosenberg telling us how horrible this exploit is? Show me all the people crying about how their computers have been compromised in the last 7 years by this. Show me where all the security experts have been constantly telling MS they need to fix this over the last 7 years. Oh that's right nobody cared until today.
by daverosenberg November 12, 2008 9:01 AM PST
Everybody just relax. Reporting this kind of stuff is interesting for a variety of reasons and my bias, real or perceived didn't factor into this post.
by estie2007 November 12, 2008 9:17 AM PST
Hey, Dave - this seems pretty and self-serving (agree about the conflict of interest).

Can you name a SINGLE COMPANY harmed by this vulnerability? There are holes in every OS, many get fixed before anyone even notices.
by gsekse November 12, 2008 9:18 AM PST
You (daverosenberg) just hit one of those topics that beg for some to come out and fuss. If you want a couple of hundred comments with 50/50 extreme, just make a negative comment about an Apple product.

I would like ALL people to note that when reading a "BLOG", you are almost always reading an opinion of someone. All facts from a blog should be verified by other sources or your own knowledge.

Of course we all know that Linux rules and everything else sucks, blah.. blah blah...

(^^ That is "tongue in check" for all you humor deficient folks out there...)
by ivorycruncher November 12, 2008 9:22 AM PST
Hmm, seven years to fix the flaw. Is this where "Windows 7" came from? ;)

Just fyi, I use Vista at home and work, and I like it a lot despite its flaws, and I can't wait for 7 to come out. So don't think I'm Windows-bashing here.

In all seriousness, I'm willing to bet that the flaw was so low-risk that it got continually back-burnered while they worked on much more serious flaws. As it's been stated, if you're behind a firewall, it's pretty much a non-issue, unless the attack happens in the network behind your firewall, and you have no firewall on your specific machine. But again, I think the risk is very low. If it was a serious hole that was being constantly exploited, it would have been patched ages ago. Still, it's nice to see it fixed.
by cnet_user_0 November 12, 2008 9:48 AM PST
Guys, all the more reason to work under standard-user credentials...no viruses, no attacks and no headaches. Geez, you wouldn't even need something called Norton Antivirus :-)!

OSes are made by programmers; programmers are people; people are workers; workers will put the least efforts to reap the most earnings (i.e., people are, by nature, lazy and bound to make careless mistakes) ... so don't expect things to be perfect.

If we learn all our life to close the door of our house, why don't we learn to lockdown on the attack surface of our operating systems?
by professionaladventurer November 12, 2008 10:00 AM PST
To all the ass-hats crying about the bias of this article: Thanks for reading it, you did click on or somehow otherwise navigate here.

The fact reported here is in and of itself is interesting and I appreciate the reporting.
by Ipopngraphics November 12, 2008 11:43 AM PST
I am noticing something very interesting about this website.... If you read a post whose subject is Windows or Microsoft, you basically see interactive comments from Win/MS users, with very little "bashing" or name calling. In other words, it seems like those who use the "other" guy's software and hardware do not have much propensity for this type of behavior, nor do they waste their time reading posts that have nothing to do with them.

HOWEVER... if you go to an article posted on CNet about Apple it is an entirely different story. There are more hateful comments there from non Apple clients than you can read in one day. Name calling, product bashing, writing long, long, paragraphs that have little to do with the issue at hand, and generally being a nuisance and preventing any real discussion of the matter at hand.

What intrigues me the most about this discrepancy, is those that are exhibiting their hatred the "loudest" are the ones that never show up in comments about their own products.

Imagine that... perhaps it is possible that how you make the choice between the two has more to do with maturity and common sense than loyalty or "coolness"?

There. Now you have something truly interesting to debate. Have at it.
by Walt Connery November 12, 2008 11:55 AM PST
It's only taken 7 (seven) years for some of these publications to figure out what a firewall is and what it does. While I congratulate them on their intellectual expediency, I am somewhat baffled that it hasn't occurred to them that the "flaw" was "fixed" when a firewall became standard in an OS--as it did in Windows--oh, about 7 (seven) years ago. Perhaps 7 (seven) years from now, they will recognize and understand the connection between "the fix" and "the firewall." We can only hope...;)
by Dalkorian November 12, 2008 4:53 PM PST
Wow, do you use bandages for all wounds or just the vulnerabilities in your operating system? I'm glad they finally fixed the problem though, I guess 7 years is better than never.
by avgjoe62 November 14, 2008 6:36 AM PST
The whole "A firewall will stop this" argument is so wrong, it's scary. A firewall on a client will not help. The attack uses the Server Messaging Block (SMB) protocol (file and print sharing), which is what you need to use to print or access a file server from a client. This means that those ports are already open on that client. Unless you have gone in and set up a custom list to allow file and print connections to specific machines, any malicious machine behind your edge firewall (where you should be blocking file and print sharing) can exploit this attack. A virus scanner will not catch this either, because everything is working in the way the vendor designed it to.

To quote from Security Focus:

"Microsoft uses SMB Protocol for File and Printer sharing service in all versions of Windows. Upon accessing a network resource, NTLM Authentication is used to authenticate the client on the server. When a logged-in user requests for a network share on the server, Windows automatically sends the encrypted hashed password of the logged-in username to the target SMB server before prompting for password. Although the hashed password is not sent in plaintext format, and it is encrypted by the server challenge, a malicious SMB Server could use this information to authenticate on the client machine and in many cases, gain full control over the shared objects of the client such as C$, etc."

BTW, you got me curious. What firewall was standard seven years ago on, say Windows 2000 SP1?
by gsmiller88 November 12, 2008 12:25 PM PST
Well we are talking about Microsoft here, maybe it just took them that long to fix the problem :-P

But seriously, Mark_Anderson made a good point in saying that a firewall would block an attack. The downside to this is that many users do not have a firewall (myself included, but I rarely ever use Windows). It's a shame that Microsoft is relying on the likes of McAfee and Symantec to basically fix its own flaws.
by Walt Connery November 12, 2008 1:13 PM PST
To gsmiller88,

If you don't use Windows then this article doesn't apply to you. If you do use Windows, then hopefully it's at least XP, which shipped in '01 with its own firewall, and every Microsoft OS since has its own firewall built in standard. Hence, the "fix" has been in place for years but some publications would rather pretend it isn't so...;) (Makes for better anti-Microsoft press, of course, even if it is highly misleading.) Basically, if you are still running a Microsoft OS older than XP and without a firewall, you've probably got a ton of problems of which this one is the very least...;) I can't count the "Microsoft fixes flaw!" articles I've read only to discover that the author is writing about a version of the OS so old I haven't used it for years, and that he ignores subsequent versions of the OS in which the problem no longer exists.
by Dalkorian November 12, 2008 5:04 PM PST
If the problem no longer exists, what was fixed then? Man, you almost blow holes in your own arguments. It's like shooting fish in a barrel.

Since many people here seem to have an aversion to looking things up themselves, I checked out the article Dave's talking about. Quoting from it directly:

"This type of attack would be blocked by a firewall, so a hacker would have to already be on a computer within the network in order to launch the SMB relay. Microsoft rates the flaw as "important" for Windows XP, 2000 and Server 2003 users, and as "moderate" for Vista and Server 2008.

Nevertheless Schultze said he considered the patch "critical" for machines on a corporate network.

He said the attack is "pretty easy" to pull off today. "It's a great vector of attack on a corporate network where file and print sharing ports and services may be unprotected," he said."

I noticed a few things there. First, fista is vulnerable. The problem was first discovered 7 years ago in w2k and fista is supposed to be a full rewrite (yeah right), yet it's still vulnerable to this. Second, though it would be blocked by a typical hardware firewall, it specifically didn't mention a software firewall (notice it would work if you're on the local network - doesn't sound like the software firewall is doing much against it). Third, the attack is supposedly pretty easy to pull off TODAY. Not 7 years ago in w2k, but today in fista.

I'm glad they finally got around to fixing it though. Security and M$ never play well together so it's heartening to see M$ fixing old issues that have been exploitable for years.
by Mark_Anderson November 13, 2008 5:13 AM PST
"This type of attack would be blocked by a firewall, so a hacker would have to already be on a computer within the network in order to launch the SMB relay."

Right... so they have to load it on to hardware internally - which means having access to the systems - then get past the barrier of having administrative rights so you can activate executable files and then overcome the anti-virus software.

Next non-issue please.
by GrahamJohnson10 November 12, 2008 1:29 PM PST
I have just installed these updates and they totally crashed my machine once I rebooted.
I'm running WindowsXP MCE and it left me with a gray classic style taskbar and loads of things not working.

I recovered my machine back from a backup and then thought I would give it another go and the same thing happened, this time round I was watching it and I noticed that AVG suddenly thought svchost.exe in my system32 folder was a virus and it wanted to remove it, but I stopped AVG from doing so.

The machine booted up but it still had the same problems !!!!!!!

I have stopped windows automatic updates and now the machine is recovered from the backup once more.
by Walt Connery November 12, 2008 1:46 PM PST
To GrahamJohnson10,

You might wish to check out this link:

http://www.techreport.com/discussions.x/15870

AVG is up to some shenanigans...;)
by Dalkorian November 12, 2008 5:13 PM PST
Wait a second Walt, I thought the AVG issue left the box unable to boot at all. Graham sounds like his machine is booting, but is hosed. Could be the update (Google it and see if others have had the same problems), or it could be coincidence (corrupted file on drive? failing drive?).

As a note, I had an issue a few months ago where I was verifying backups for a friend. The disks would open fine and all files inside would run/open without issue, but once I ejected the disk I would get a BSOD. After a few of those I got smart and started verifying the disks with Ubuntu, which wouldn't crash. The next day when I tried to boot the winblows partition, all hell broke loose. Everything was hosed and I basically was forced to re-install winblows and start over. The reason? My friend had updated to sp3, but I was still running sp2 at the time.
by November 12, 2008 4:54 PM PST
It is so easy to be judgmental when you don't have all the facts, hmm?

"We've received some questions from customers about MS08-068 and its relationship to an issue that was first discussed in 2001, called the SMBRelay attack.

Specifically, we've gotten some questions about why, in 2008, we're releasing an update that addresses an issue first discussed in 2001. Since I was in the MSRC back in 2001 when this was all first discussed, I feel well placed to answer that.

At a high level, the behavior that was discussed in the original SMBRelay attack is related to some of the basic behavior of the legacy NTLM protocol.

***When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications. And to be clear, the impact would have been to render many (or nearly all) customers' network-based applications then inoperable.***

For instance, an Outlook 2000 client wouldn't have been able to communicate with an Exchange 2000 server. We did say that customers who were concerned about this issue could use SMB signing as an effective mitigation, but, the reality was that there were similar constraints that made it infeasible for customers to implement SMB signing."

More here:
http://blogs.technet.com/msrc/archive/2008/11/11/ms08-068-and-smbrelay.aspx
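As an added illustration, not part of the post, the PC World story or any Microsoft code: a toy Python model of the credential reflection the article describes (a hostile SMB server hands the victim's own challenge back to the victim's client and forwards the answer) next to two defences: the host refusing to answer a challenge it recently issued itself, which is an assumption about the shape of the MS08-068 check rather than Microsoft's implementation, and the SMB signing mitigation named in the MSRC quote above. The hash function, message format and session-key derivation are simplified stand-ins, and the account, password and request payload are constructed values.

```python
import hashlib
import hmac
import os
from collections import deque
from typing import Optional


def nt_hash(password: str) -> bytes:
    """Stand-in for the stored password hash (constructed; not the real NT hash)."""
    return hashlib.sha256(b"toy-nt:" + password.encode()).digest()


def challenge_response(secret: bytes, challenge: bytes) -> bytes:
    """Proof of possession: keyed hash of the server's challenge (simplified)."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def derive_session_key(secret: bytes, challenge: bytes) -> bytes:
    """Signing key both legitimate ends derive from the secret; a relay never learns it."""
    return hmac.new(secret, b"sign" + challenge, hashlib.sha256).digest()


class Host:
    """One Windows box acting as SMB client and SMB server at the same time."""

    def __init__(self, password: str, reject_own_challenges: bool = False,
                 require_signing: bool = False):
        self.secret = nt_hash(password)
        self.reject_own_challenges = reject_own_challenges  # assumed MS08-068-style check
        self.require_signing = require_signing              # SMB signing mitigation
        self.issued = deque(maxlen=64)  # challenges this host recently issued as a server

    # --- server role ---
    def issue_challenge(self) -> bytes:
        challenge = os.urandom(8)
        self.issued.append(challenge)
        return challenge

    def logon(self, challenge: bytes, response: bytes) -> bool:
        expected = challenge_response(self.secret, challenge)
        return hmac.compare_digest(expected, response)

    def serve(self, challenge: bytes, response: bytes,
              payload: bytes, signature: Optional[bytes]) -> bool:
        """Accept a request on an authenticated session (signed if signing is required)."""
        if not self.logon(challenge, response):
            return False
        if self.require_signing:
            key = derive_session_key(self.secret, challenge)
            want = hmac.new(key, payload, hashlib.sha256).digest()
            return signature is not None and hmac.compare_digest(want, signature)
        return True

    # --- client role ---
    def answer(self, challenge: bytes) -> Optional[bytes]:
        """Respond to a server challenge, unless it is one this very host handed out."""
        if self.reject_own_challenges and challenge in self.issued:
            return None  # reflection: the "server" is echoing our own challenge
        return challenge_response(self.secret, challenge)


def reflection_accepted(victim: Host) -> bool:
    """Model of the reflection: returns True if the victim's server ends up serving
    a request authenticated with the victim's own credentials."""
    challenge = victim.issue_challenge()   # hostile server connects to victim's server
    response = victim.answer(challenge)    # hostile server replays that challenge to victim's client
    if response is None:
        return False                       # client refused its own challenge
    # The relaying party holds the challenge and response but not the secret,
    # so any signature it attaches is computed under a guessed key.
    payload = b"READ C$ (constructed request)"
    bogus_sig = hmac.new(os.urandom(32), payload, hashlib.sha256).digest()
    return victim.serve(challenge, response, payload, bogus_sig)


def legitimate_session_works(server: Host, client: Host) -> bool:
    """Two distinct hosts sharing one account still talk fine with both defences on."""
    challenge = server.issue_challenge()
    response = client.answer(challenge)
    if response is None:
        return False
    payload = b"READ share (constructed request)"
    sig = hmac.new(derive_session_key(client.secret, challenge), payload,
                   hashlib.sha256).digest()
    return server.serve(challenge, response, payload, sig)


if __name__ == "__main__":
    print("unpatched, no signing :", reflection_accepted(Host("hunter2")))
    print("own-challenge check   :", reflection_accepted(Host("hunter2", reject_own_challenges=True)))
    print("signing required      :", reflection_accepted(Host("hunter2", require_signing=True)))
    hardened = dict(reject_own_challenges=True, require_signing=True)
    print("legit client/server   :", legitimate_session_works(Host("hunter2", **hardened),
                                                              Host("hunter2", **hardened)))
```

The two defences fail the reflection for different reasons: the challenge check stops the host from ever producing a response to its own challenge, while signing lets the logon succeed but rejects the relayed party's first request because it cannot derive the session key without the account secret. Either alone is enough in this model; the MSRC quote explains why signing was hard to deploy in 2001 and why the challenge-side fix had to wait.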
by ckurowic November 13, 2008 4:26 AM PST
MS sucks.