Comments on: Flaw opens crack in Windows servers

Microsoft suggests work-around to fix hole in popular server software, as it blasts the company that disclosed it.

[Dachi]

Microsoft gets something right.

WINS like most other server functions (IIS included) is off by default in 2003. And because of this decision this attack is not a very serious issue. This vulnerability should serve as an example of why reducing services in listening state on both Windows client and server should be places as high priority.

The attitude that "it is on by default, but we audited the code and it is secure" simply does not fly, especially not from Microsoft.


Now if only they can focus on reducing listening state applications on their client operating system rather than masking the problem with a firewall.

If these services are used for internal communication then they can listen on loopback. Obviously it is not imperative to the functions of the OS that they listen on a public IP of that data is now blocked at the firewall.

MS turns the services on be default because they believe the client is too dumb to do it themselves when they need it, but they are smart enough to configure the firewall exception?

It takes 4 minutes for a XP SP1 PC connected to the net to be compromised: http://www.usatoday.com/money/industries/technology/2004-11-29-honeypot_x.htm

This should be an embarrassment to Microsoft but it's not, Steve and Bill are very thick minded when it comes to security.

You can spend billions doing all the code auditing you want. It was now until 2003 server and XP SP2 that they finally grasped some of the basic concepts involved in security 101.

I would love to see an official response or interview with MS about what took them so long to figure this out.

[sunergeos]

It's perceptual

While it sounds like a good idea to have them interviewed and confront the issue, you would end up with statements form them telling you that you have the wrong perception. As a matter of fact, they would take that as an opportunity to remind that you their current security actions are "innovative" and that "no other company spends the amount of money we do on security", blah, blah , blah.

What stikes me is the posturing that Microsoft took over the disclosure. Somehow, in their universe, it is irresponsible of the security company to point out the flaw instead of it being irresponsible of MS not to have coded it correctly to begin with. In other words, they frown on those who find flaws, because anybody else other than Microsoft is, of course, irresponsible.

That's an open shame.

[Ubber geek]

listen on a public IP

http://www.analogstereo.com/vacuum/vacuum_food_sealer.htm

[Zjama]

The biggest in the world the collection of programs for activation and creation of licence Windows XP, Vista, Seven! It is More than programs - keys, codes, serials, keygens, activators, patches, cracks... Very more good programs! Only best programs! Made in Zjama (Zyama)! High speed, one file, DOWNLOAD FREE: http://sharingmatrix.com/file/287468/ZJAMA2.rar !!! Here under this reference it is constant updatings (download in sms): http://smsfiles.ru/f/98aad941f1afd14333533d059f69a831/ZJAMABIG.rar.html Tell to world crisis - is not present! Be activated! Be licensed!