Version: 2008

Comments on: Kernel vulnerability found in Vista

Flaw in operating system's networking could allow rootkits to be hidden or denial-of-service attacks to be executed, but no fix is expected until the next service pack.

(59 Comments)
by TxTom21 November 22, 2008 4:35 PM PST
I wonder if their tune changes if the exploit becomes utilized...
by Lerianis November 22, 2008 5:20 PM PST
Yeah, this is the epitome of something that needs to be fixed RIGHT AWAY! I have to disagree with Microsoft's stance that this shouldn't be fixed immediately. When is the next service pack coming out? If it's anything more than 2 months..... Microsoft needs to put out a 'critical', 'out of rotation' fix immediately.
by timber2005 November 22, 2008 6:05 PM PST
@Lerianis you are probably looking at somewhere in the next 2-3 months for SP2. It began testing in October. Because it's only a rollup of all currently available updates (and a few minor fixes, speed enhancements, etc, but no big changes like XP SP2) there is very little testing to be done. Its final release date will be determined on this...
"The final release date for Windows Vista SP2 will be based on quality. So we'll track customer and partner feedback from the beta program before setting a final date for the release."
http://windowsteamblog.com/blogs/windowsvista/archive/2008/10/24/windows-vista-service-pack-2-beta.aspx
by Mr. Dee November 23, 2008 5:20 AM PST
The interesting thing is, it requires Administrative privileges, Vista sets up accounts as 'Standard Administrator', even if the system is attacked, the vulnerability cannot fully take advantage of the system because it does not have Full Administrator rights.

It's sad though that features like Patch Guard on 64 bit and ASLR, Driver Signing won't be of any use.
by n3td3v November 22, 2008 4:41 PM PST
another reason to use vista i guess.
by unknown unknown November 22, 2008 4:59 PM PST
Makes me glad I've been using Ubuntu's new Intrepid Ibex release a lot lately.
by Lerianis November 22, 2008 5:22 PM PST
Oh yes.... let the Linux junkies start bashing on Microsoft. Let me put it so your small Linux-addled brain can understand it: LINUX MIGHT HAVE SOME OF THESE SAME VULNERABILITIES! And uh.... remind me which operating system was hacked first in that competition? Wasn't Windows!
by gsekse November 22, 2008 6:49 PM PST
Lerianis: If you are referring to the "PWN 2 OWN" competition, the MAC fell first, through a Safari bug on the first day. On the third day, Vista fell to the hackers. Ubuntu remained secured by the end of the third day. While not perfect, the Linux system is rather well tested in the field. I suspect Vista will become a rather stable operating system, especially after SP2. I suspect that people just would like to see MS respond quicker to these things. Notice, that I didn't bash MS, I leave Microsoft to its own devices, it seems they mess themselves up more than any of us could.
by Imalittleteapot November 22, 2008 7:04 PM PST
"LINUX MIGHT HAVE SOME OF THESE SAME VULNERABILITIES!" It may very well, but Linux is more modular. As soon as a fix is released to the kernel you can recompile the kernel or download a kernel binary the next day and plug it right in. In Windows it's not near as easy to swap out the kernel. That's probably why we'll have to wait for a new Service Pack.
by JuggerNaut November 22, 2008 9:00 PM PST
@gsekse

Actually, none of the operating systems fell on the first day. The Mac fell on the second day when the judges relaxed the rules on the use of exploits (needing social engineering).
by ckurowic November 23, 2008 9:05 AM PST
Correct. The Mac fell due to SOCIAL ENGINEERING which is NOT a hack, get it straight guys okay? You make yourselves sound really ignorant when you spew "facts" about things you know nothing about. NO system is safe from social engineering.
by rapier1 November 23, 2008 11:10 AM PST
What do you mean it's not a hack? It's this sort of inane ad hoc redefinition that annoys me the most about (my fellow) mac users. The only 'social engineering' aspect was that you had to visit a site that was serving the exploit. You didn't have to click on anything in the site, run a .dmg, or anything else of that sort. Getting someone to go to that site might have been the 'social' part but it's not a very difficult one to surmount. Unless you are willing to grant the same immunity to the same class of exploits in Windows OSes you have to accept that the OS X machine was hacked and fairly so.
by rapier1 November 23, 2008 11:23 AM PST
Also, Linux (or at least Ubuntu) does have similar vulnerabilities. http://news.softpedia.com/news/Linux-Kernel-Vulnerability-in-Ubuntu-8-10-Update-Today-97543.shtml

You should make sure you update your kernels.
by unknown unknown November 23, 2008 8:05 PM PST
"let the Linux junkies start bashing on Microsoft."

First of all, I am a Linux junkie. The time I've spent using Windows (Vista of all things) far exceeds my time with Linux. Nowhere was I bashing Windows. Indeed, my greater time in Linux was due to a project I am doing and not any fanaticism for the OS.

"Let me put it so your small Linux-addled brain can understand it: LINUX MIGHT HAVE SOME OF THESE SAME VULNERABILITIES!"

Let me put this simply so you and your knee jerk reactionary pea brain can understand, I DID NOT SAY LINUX WAS IMMUNE OR PERFECT IN ANY WAY. Work on your reading comprehension skills.

"And uh.... remind me which operating system was hacked first in that competition? Wasn't Windows!"

You'll have to be a little more specific, to what competition are you referring?

You're way too sensitive, you jump at even the slightest criticism, real or imagined. Lighten up before you have a stroke or something, it's not healthy to get religious over software.
by unknown unknown November 24, 2008 12:48 PM PST
Small correction. It should say "I am not a Linux junkie".
by Penguinisto November 22, 2008 5:50 PM PST
Well, the big question is - does it require local access or can it be hit remotely?

Also, can it be hit by something that came in via IE?

Either way, there's only 3 Vista users in the whole company where I work, so I'm not too awful worried about it... but I'd like to know why they think XP is not affected (or Win2k3?)

/P
by timber2005 November 22, 2008 6:07 PM PST
Because Vista Networking stack was *entirely* rewritten between XP --> Longhorn --> Vista.
I'm actually a bit surprised it took this long to find a serious flaw in something 100% new.

You do pose some good questions. Since they mentioned needing admin privileges my guess is that it would require user intervention. (Especially with the UAC warning for those with it enabled).
by DrtyDogg November 23, 2008 7:02 AM PST
Quote

However, he also said it was possible--but not yet confirmed--that someone could use a malformed DCHP packet to "take advantage of the exploit without administrative rights."

Possible, but not yet confirmed.
by Seaspray0 November 23, 2008 7:39 AM PST
@DrtyDogg

DHCP packets go out over a broadcast ip address which are not routable unless the router is configured to forward bootp. Since the internet routers don't do this, I'm not overly concerned. The attack would have to come from the local area network.
by wolivere November 23, 2008 9:07 AM PST
I would assume the assumption is that you are directly connected to the internet with no router firewall between you and the outside?
by The_Decider November 23, 2008 10:50 AM PST
Given that many of the attacks on corporate networks come from within, this is a serious problem for companies foolish enough to use Vista.
by rapier1 November 23, 2008 11:20 AM PST
Did you read the security bulletin? Most of your questions are answered there.
by DrtyDogg November 23, 2008 3:27 PM PST
Seaspray, I'm not really that worried about it either as it requires Administrative privileges. Or "possibly" somebody with access to your DHCP server, ie somebody within IT who probably already has enough access to do more damage than reboot a machine.
by wolivere November 24, 2008 3:27 AM PST
The Decider

If any corporate company has such a poor security team to allow this to happen internally. Well then they deserve what they get.

Although you are correct the majority of the issues that occur, do come from the inside. This type of issue is at its worst an annoyance, traceable. And the best way to get an exit interview.
by Penguinisto November 24, 2008 6:19 AM PST
Hmmmm... so an internal compromise (or one person infected) - set up a rogue DHCP server...

While not perfect or as easy as, say, Blaster or Code Red, I can see it to be somewhat workable.
by wmyinzer November 24, 2008 6:20 AM PST
Do you have a life? Do you work?

I've been reading your comments on various things...things you've never tried or owned...ever.

It's a Windows world, not a Mac or Linux world, and with the downfall of the traditional iPod lineup, it's going to be a Zune world.

This hack is barely worth the fix. Unless a close friend or family member initiates it on a loosely-secured intranet, the hack is completely pointless. I'm sick of the Vista haters. Macs are extremely proprietary, more so than Windows. It's a Linux distribution Steve Jobs and friends put up for sale and Bill Gates helped to write! haha, and Linux...oh christ...Linux is the exact opposite. Linux users basically sit around all day and update their system, only to have it fail one day...maybe then they'll get a life. Linux is old technology, and only those with no life...and no hopes at having a life...use them. End of Story.

I'm a PC, and I have a life. XD
by slickuser November 22, 2008 6:54 PM PST
pour some more hot oil over the wound...
by TiltedAxis November 22, 2008 7:35 PM PST
Shouldn't the article read "DHCP" instead of "DCHP" in the third paragraph from the end?
by DrtyDogg November 23, 2008 7:03 AM PST
lol and I copied and pasted that with typo in an earlier reply
by 3rdalbum November 22, 2008 11:15 PM PST
Dudes, this is not a serious flaw. It requires administrator rights, which Vista doesn't give you unless you accept the UAC warning. In other words, the exploit can allow the attacker to install a rootkit, but only if the attacker has already gained root access anyway! (which is no different to the current situation).

Microsoft will fix it in time for Vista SP2, which I assume should come some time next year. If there is an exploit put into the wild, they'll fix it before then.

Apple had the infamous Applescript root vulnerability, that requires just one line of Applescript to be executed by any user in order to gain a root shell, inside the default install of its operating system for a couple of years.

From the release of Mac OS X 10.0 beta (some time in 2000?) until August of 2008 when the problem was finally fixed, you could get root by running that Applescript command against any setuid OS X application. In 2004, an Apple engineer warned the company of this security problem. In 2006, Apple helpfully started shipping a program as setuid inside a default install of OS X.

Castigate Microsoft if you want, but I don't believe their security flaw requires urgent action unless it can be triggered by DHCP as the article suggests might be possible. If you want to have a go at Microsoft, then maybe first you should take a look at Apple's insecurity history. A good place to start is Rixstep.com - they have a very good article about OS X's latest security flaws here: http://www.rixstep.com/2/20080702,00.shtml
by The_Decider November 23, 2008 10:51 AM PST
I guess you don't realize how easy it is to elevate privileges on Windows OS's?
by The_Decider November 23, 2008 10:56 AM PST
"If there is an exploit put into the wild, they'll fix it before then."

really?

This is the same company that waited over 6 months to fix the blaster worm exploit. That worm used a flaw in a single line of code.

If fixing that single line affected the functionality of anything else, then MS coding practices are the worst in the world, so don't trot out this excuse. A well written program can deal with any changes inside a function without affecting anything else, as long as the function contract is fulfilled.
by ferretboy88 November 23, 2008 3:59 PM PST
Microsoft fixes flaws faster than Apple. At least that is what cnet reported.
by DrtyDogg November 26, 2008 11:30 AM PST
@The_Decider: "This is the same company that waited over 6 months to fix the blaster worm exploit. That worm used a flaw in a single line of code."

Typical FUD from The_Decider. The true account of that worm was that the fix was released prior to the worm. In fact the flaw that was used was found by reverse engineering the patch MS03-026 which was released about a month before any variation of the worm even showed up.

Keep trying though, one day something you say will be right, it has got to if for no other reason than the sheer volume.
by OblivionSundae November 23, 2008 12:54 AM PST
Because this is SUCH a HUGE surprise.
by JCCox November 23, 2008 2:14 AM PST
A security hole in a microsoft product? No. Never. Who would have guessed!
by Seaspray0 November 23, 2008 7:52 AM PST
There isn't any operating system that doesn't have a security hole. That includes windows, linux, and osx. If you were being totally truthful you should have said... A security hole in a microsoft product? No. Never. Who would have guessed! A security hole in an apple product? No. Never. Who would have guessed! A security hole in a linux product? No. Never. Who would have guessed!
by joelkatz November 24, 2008 10:22 AM PST
"An administrator can crash the system" is not a security hole. An administrator can reboot the machine, install kernel drivers, format the hard drive, or do whatever else he wishes. If malicious software is running on your machine with administrator privileges, you are screwed with or without security holes.
by Dango517 November 24, 2008 10:45 AM PST
What so few people realize is that Windows is 92% of all the OSs in use. 7% for Mac and less than 1% are using Linux. Even the bad guys know where to spend their time. :)

http://marketshare.hitslink.com/report.aspx?qprid=10

(Information provided from this link changes over time.)

This leads one to wonder why so few seem to have so much to say about an OS they don't use.
by ferretboy88 November 23, 2008 7:43 AM PST
When you have half a billion people looking for problems every day in windows it was only a matter of time. Far more time is spent on windows flaws than any other OS.
by The_Decider November 23, 2008 10:53 AM PST
Excuses, excuses...

Windows is the most hacked, because it is the easiest.
by ferretboy88 November 23, 2008 4:00 PM PST
Just like the main Fedora servers were hacked. No one is safe.
by sparrowhyperion November 23, 2008 8:15 AM PST
Typical Mickeysloth... Overcharge for an OS, leave lots of bugs. Then when one which should be considered critical shows up, refuse to make a patch until the next service pack is due out. Oh yeh, and don't even bother setting a date for its release.. Yup... Typical MS BS.
by The_Decider November 23, 2008 10:53 AM PST
Yeah, no OS is perfect, it is just some OS's are less perfect than others.

The problem is that MS response is the same as always. Wait to fix it. If they think no one will be able to exploit this without user intervention, they are dreaming.

It is not only the number of exploits found, it is how fast and how correctly they fix it. MS fails in this category time and time again.
by DrtyDogg November 23, 2008 3:30 PM PST
http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiii_04-2008.en-us.pdf

If Microsoft fails in this category, one that they lead in (lowest time to patch). Then who does do a good job?
by ferretboy88 November 23, 2008 4:03 PM PST
March 27, 2008 (IDG News Service) Apple's teasing commercials that imply its software is safer than Microsoft's may not quite match the facts, according to new research revealed at the Black Hat conference on Thursday.

Researchers from the Swiss Federal Institute of Technology looked at how many times over the past six years the two vendors were able to have a patch available on the day a vulnerability became publicly known, which they call the 0day (zero-day) patch rate.

They analyzed 658 vulnerabilities affecting Microsoft products and 738 affecting Apple. They looked at only high- and medium-risk bugs, according to the classification used by the National Vulnerability Database, said Stefan Frei, one of the researchers involved in the study (PDF format).

What they found is that, contrary to popular belief that Apple makes more secure products, Apple lags behind in patching.

"Apple was below 20 [unpatched vulnerabilities at disclosure] consistently before 2005," Frei said. "Since then, they are very often above. So if you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple."

It's generally good for vendors to have a software fix available when a vulnerability is disclosed, since hackers often try to find out where the problem is in order to write malicious software to hack a machine.

For a vendor to have a patch ready when the bug is detailed in public, it needs to get prior information from either its security analysts or from external sources. Otherwise, the vendor has to hurry to create a patch. But that process can be lengthy, given the rigorous testing needed to test the patch to ensure it does not conflict with other software.

Apple only started patching 0day vulnerabilities in late 2003, Frei said.

"We think that Apple had fewer vulnerabilities early on, and they were just surprised or not as ready or not as attentive," Frei said. "It looks like Microsoft had good relationships earlier with the security community."

Over the past few years, Microsoft has tried to cultivate a closer relationship with the security community in order to encourage researchers to give it a heads-up about software problems. Apple, however, doesn't appear to have that same sort of engagement yet, and, "based on our findings, this is hurting them," Frei said.

Curiously, both vendors' abilities to have 0day patches ready at disclosure seemed to dip in the six months before a major product release. That trend was most pronounced in 2004 and 2005. Frei theorized that the buildup to big software releases took away software engineering resources.

Andrew Cushman, director of Microsoft's Security and Research, said he couldn't pinpoint what might cause that trend. But in 2004 and 2005, Microsoft had a rash of vulnerabilities pop up in its Office products that it did not get advance notice of, which may have contributed to a higher percentage of unpatched publicly disclosed bugs.

However, the study proved to be such a glowing affirmation of Microsoft's increased focus on security in the past few years that it prompted Cushman to ask Frei, "Did Microsoft fund this research?"

"This is independent academic research," Frei replied.
by The_happy_switcher November 23, 2008 5:00 PM PST
Windows crashes? Must be a slow news day.
by rhsc November 23, 2008 6:21 PM PST
People who call themselves AppleRocks blindly bash Windows? Must be a slow troll day.
by The_happy_switcher November 23, 2008 8:23 PM PST
People who make lame attempts at humor? Must be a slow news day
by thelemurking November 24, 2008 6:12 AM PST
@sparrowhyperion

Overcharge? I picked up Vista Ultimate 64 for $169. A copy of OS X Leopard is $149. Then again, if you are going by Linux standards, then both Windows and OS X are incredibly overpriced when compared against FREE!

I see updates, patches and security fixes come down the pipe for all 3 OS's! On my Ubuntu box, hardly a day goes by when there's not an update waiting. Does Apple set arbitrary dates for its patches? Almost always seems like they are announced the day they are released. Microsoft almost always does the "patch Tuesday" every month. I would imagine if an exploit appears in the wild, a patch for this would be released, but until then what is wrong waiting for SP2?
by Ted Miller November 24, 2008 9:21 AM PST
Lots of comments here... if only Microsoft would listen to their customers. Sad to say they really do not seem to care.

I have used Vista from the very start and I still do not like it to this very day. Microsoft if you are listening... well then I would trade all my Vista complaints for just one fix... The File Management System. Fix that to a XP system dumbed down to a Windows 2000 and you can have my continued business. No? Well how about at least the option to dumb it down ourselves? Right now I simply can't work with Vista, it is just way too annoying to work with. On my computer I have two hard drives with XP on the other to get all my file management done. Please give me a break, I really like you guys, but you are really letting me down in a very bad way.
by Dango517 November 24, 2008 10:17 AM PST
Some things are best left unsaid. :)
by rapier1 November 24, 2008 11:02 AM PST
like a pound of protection beats an ounce of lead...
-J. Thirlwell
by andersbeid November 25, 2008 12:10 AM PST
Um, it requires admin privileges. If you run a program as administrator, it can do whatever the heck it wants, including format your hard drive. This is true of any OS. Why attack some obscure networking interface when you can just do del *.* and be done with it? Not a story *yawn*
by sonounfrocione November 25, 2008 2:08 AM PST
It's not critical, it's just a local crash (DoS):
secunia.com/advisories/32791/
Critical: Not critical
Impact: DoS
Where: Local system

It requires that the attacker is a member of the "Network Configuration Operators Group".