Microsoft takes 7 years to fix security exploit
Microsoft on Tuesday released a security update, MS08-068, which addresses an NT LAN Manager reflection vulnerability in the Server Message Block protocol. The exploit was discovered in 2000, and the code was first published back in March of 2001.
That means that a known security vulnerability related to a Microsoft authentication protocol sat on your Windows box for more than seven years, waiting for Microsoft to get around to fixing it:
This vulnerability allows an attacker to redirect an incoming SMB connection back to the machine it came from and then access the victim machine using the victim's own credentials. (Hence the term "credential reflection").
In typical Windows XP configurations, where SMB sharing is enabled, and the user is a member of the Administrators group, this allows the attacker to easily take over the machine. Public tools, including a Metasploit module, are available to perform this attack.
You can read the full story on PC World's site.
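To make the "credential reflection" described above concrete, here is an added toy simulation (not code from the article, PC World or Microsoft) in which one host plays both SMB client and SMB server. The challenge/response function is a constructed simplification of NTLM, and the defense it models, a host refusing to answer a challenge it has itself issued, is an assumption of this example rather than something the article states.

```python
import hashlib
import hmac
import os


class Host:
    """A Windows-like host that is both an SMB client and an SMB server."""

    def __init__(self, name: str, password: str, patched: bool = False):
        self.name = name
        # Toy stand-in for the NT password hash (constructed; not real NTLM).
        self.key = hashlib.sha256(password.encode()).digest()
        self.patched = patched
        self.issued = set()  # challenges this host has sent out as a server

    # --- server side -------------------------------------------------
    def issue_challenge(self) -> bytes:
        challenge = os.urandom(8)
        self.issued.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return challenge in self.issued and hmac.compare_digest(expected, response)

    # --- client side -------------------------------------------------
    def respond(self, challenge: bytes):
        # Assumed defense: refuse to answer a challenge we ourselves issued.
        if self.patched and challenge in self.issued:
            return None
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


def reflection(victim: Host) -> bool:
    """Attacker relays the victim's own challenge back to the victim."""
    # 1. The victim's client connects to the attacker's SMB service; the
    #    attacker opens its own SMB connection back to the victim's server.
    challenge = victim.issue_challenge()
    # 2. The attacker forwards that challenge unchanged to the victim's client.
    response = victim.respond(challenge)
    if response is None:
        return False  # patched client declines; reflection fails
    # 3. The attacker replays the victim's response to the victim's server.
    return victim.verify(challenge, response)


def legitimate(client: Host, server: Host) -> bool:
    """Normal authentication between two different hosts (same account)."""
    challenge = server.issue_challenge()
    response = client.respond(challenge)
    return response is not None and server.verify(challenge, response)
```

Running `reflection` against an unpatched host succeeds with nothing but the host's own credentials, while the patched host declines and ordinary client-to-server authentication continues to work.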
Dave Rosenberg dishes up "Software, Interrupted" with nearly 15 years of technology and marketing experience that spans from Bell Labs to multiple start-up IPOs to open-source enterprise software companies. He is co-founder of MuleSource and currently serves as the general manager of Hardy Way. He is a member of the CNET Blog Network and is not an employee of CNET. You can contact Dave via e-mail at softwareinterrupted@gmail.com or follow him on Twitter @daveofdoom.
Go away.
Next non-issue please.
Here's hoping they've been working on a way to fix all those Windows botnet machines since 1999
Not just a condition with Windows, either - it's a problem endemic to all proprietary software products.
@Mark_Anderson: If the victim machine is using SMB, the firewall won't slow things down by much...
/P
Next non-issue please.
And the firewall on an individual client won't help. They are talking about network edge firewalls blocking this exploit. All it takes is one compromised client, a malicious email attachment or a war driver on a newly cracked TKIP wireless network to run this exploit inside, behind your edge firewall.
The fact that this took SEVEN YEARS says a lot about the effort to make Microsoft think of security first. The fact that both Vista and Server 2008 are vulnerable to this REALLY defies logic. Then again, I haven't heard much about that whole "Security First" effort lately.
Can you name a SINGLE COMPANY harmed by this vulnerability? There are holes in every OS, many get fixed before anyone even notices.
I would like ALL people to note that when reading a "BLOG", you are almost always reading an opinion of someone. All facts from a blog should be verified by other sources or your own knowledge.
Of course we all know that Linux rules and everything else sucks, blah.. blah blah...
(^^ That is "tongue in check" for all you humor deficient folks out there...)
Just fyi, I use Vista at home and work, and I like it a lot despite its flaws, and I can't wait for 7 to come out. So don't think I'm Windows-bashing here.
In all seriousness, I'm willing to bet that the flaw was so low-risk that it got continually back-burnered while they worked on much more serious flaws. As it's been stated, if you're behind a firewall, it's pretty much a non-issue, unless the attack happens in the network behind your firewall, and you have no firewall on your specific machine. But again, I think the risk is very low. If it was a serious hole that was being constantly exploited, it would have been patched ages ago. Still, it's nice to see it fixed.
OSes are made by programmers; programmers are people; people are workers; workers will put in the least effort to reap the most earnings (i.e., people are, by nature, lazy and bound to make careless mistakes) ... so don't expect things to be perfect.
If we learn all our life to close the door of our house, why don't we learn to lock down the attack surface of our operating systems?
The fact reported here is in and of itself is interesting and I appreciate the reporting.
HOWEVER... if you go to an article posted on CNet about Apple it is an entirely different story. There are more hateful comments there from non-Apple clients than you can read in one day. Name calling, product bashing, writing long, long paragraphs that have little to do with the issue at hand, and generally being a nuisance and preventing any real discussion of the matter at hand.
What intrigues me the most about this discrepancy, is those that are exhibiting their hatred the "loudest" are the ones that never show up in comments about their own products.
Imagine that... perhaps it is possible that how you make the choice between the two has more to do with maturity and common sense than loyalty or "coolness"?
There. Now you have something truly interesting to debate. Have at it.
To quote from Security Focus:
"Microsoft uses SMB Protocol for File and Printer sharing service in all versions of Windows. Upon accessing a network resource, NTLM Authentication is used to authenticate the client on the server. When a logged-in user requests for a network share on the server, Windows automatically sends the encrypted hashed password of the logged-in username to the target SMB server before prompting for password. Although the hashed password is not sent in plaintext format, and it is encrypted by the server challenge, a malicious SMB Server could use this information to authenticate on the client machine and in many cases, gain full control over the shared objects of the client such as C$, etc."
BTW, you got me curious. What firewall was standard seven years ago on, say Windows 2000 SP1?
But seriously, Mark_Anderson made a good point in saying that a firewall would block an attack. The downside to this is that many users do not have a firewall (myself included, but I rarely ever use Windows). It's a shame that Microsoft is relying on the likes of McAfee and Symantec to basically fix its own flaws.
If you don't use Windows then this article doesn't apply to you. If you do use Windows, then hopefully it's at least XP, which shipped in '01 with its own firewall, and every Microsoft OS since has its own firewall built in standard. Hence, the "fix" has been in place for years but some publications would rather pretend it isn't so...;) (Makes for better anti-Microsoft press, of course, even if it is highly misleading.) Basically, if you are still running a Microsoft OS older than XP and without a firewall, you've probably got a ton of problems of which this one is the very least...;) I can't count the "Microsoft fixes flaw!" articles I've read only to discover that the author is writing about a version of the OS so old I haven't used it for years, and that he ignores subsequent versions of the OS in which the problem no longer exists.
Since many people here seem to have an aversion to looking things up themselves, I checked out the article Dave's talking about. Quoting from it directly:
"This type of attack would be blocked by a firewall, so a hacker would have to already be on a computer within the network in order to launch the SMB relay. Microsoft rates the flaw as "important" for Windows XP, 2000 and Server 2003 users, and as "moderate" for Vista and Server 2008.
Nevertheless Schultze said he considered the patch "critical" for machines on a corporate network.
He said the attack is "pretty easy" to pull off today. "It's a great vector of attack on a corporate network where file and print sharing ports and services may be unprotected," he said."
I noticed a few things there. First, fista is vulnerable. The problem was first discovered 7 years ago in w2k and fista is supposed to be a full rewrite (yeah right), yet it's still vulnerable to this. Second, though it would be blocked by a typical hardware firewall, it specifically didn't mention a software firewall (notice it would work if you're on the local network - doesn't sound like the software firewall is doing much against it). Third, the attack is supposedly pretty easy to pull off TODAY. Not 7 years ago in w2k, but today in fista.
I'm glad they finally got around to fixing it though. Security and M$ never play well together so it's heartening to see M$ fixing old issues that have been exploitable for years.
Right... so they have to load it on to hardware internally - which means having access to the systems - then get past the barrier of having administrative rights so you can activate executable files and then overcome the anti-virus software.
Next non-issue please.
I'm running Windows XP MCE and it left me with a gray classic style taskbar and loads of things not working.
I recovered my machine back from a backup and then thought I would give it another go and the same thing happened. This time round I was watching it and I noticed that AVG suddenly thought svchost.exe in my system32 folder was a virus and it wanted to remove it, but I stopped AVG from doing so.
The machine booted up but it still had the same problems !!!!!!!
I have stopped Windows automatic updates and now the machine is recovered from the backup once more.
You might wish to check out this link:
http://www.techreport.com/discussions.x/15870
AVG is up to some shenanigans...;)
As a note, I had an issue a few months ago where I was verifying backups for a friend. The disks would open fine and all files inside would run/open without issue, but once I ejected the disk I would get a BSOD. After a few of those I got smart and started verifying the disks with Ubuntu, which wouldn't crash. The next day when I tried to boot the winblows partition, all hell broke loose. Everything was hosed and I basically was forced to re-install winblows and start over. The reason? My friend had updated to SP3, but I was still running SP2 at the time.
"We've received some questions from customers about MS08-068 and its relationship to an issue that was first discussed in 2001, called the SMBRelay attack.
Specifically, we've gotten some questions about why, in 2008, we're releasing an update that addresses an issue first discussed in 2001. Since I was in the MSRC back in 2001 when this was all first discussed, I feel well placed to answer that.
At a high level, the behavior that was discussed in the original SMBRelay attack is related to some of the basic behavior of the legacy NTLM protocol.
***When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications. And to be clear, the impact would have been to render many (or nearly all) customers' network-based applications then inoperable.***
For instance, an Outlook 2000 client wouldn't have been able to communicate with an Exchange 2000 server. We did say that customers who were concerned about this issue could use SMB signing as an effective mitigation, but, the reality was that there were similar constraints that made it infeasible for customers to implement SMB signing."
More here:
http://blogs.technet.com/msrc/archive/2008/11/11/ms08-068-and-smbrelay.aspx
by ckurowic November 13, 2008 4:26 AM PST
MS sucks.