"unfixable on Server 2003."
Wow... what a coincidence...since server 2003 is (almost) EOL...
Another month, another Patch Tuesday, but this release has a special sting in the tail: a flaw in the fundamental design of Windows that's taken a year to correct, and is unfixable on Server 2003. The critical blunder allows miscreants to completely take over a domain-configured Windows system if it is connected to a malicious …
Same happened with NT4. Support ended in 2004 but the MS03-010 bug was found over a year earlier.
Now you know why it took a year to (not) "fix". Some problems will go away by themselves if you study them long enough. Microsoft of course does have a solution, just buy the latest version.
This "not-fix" is going to put a spoke in the arguments of the people whose plans involved not upgrading from 2003 for economic reasons. No doubt their friendly local Microsoft salesmen will cry crocodile tears over that.
Urmm, my car's 12 years old and still got recalled to fix a critical issue (to do with the airbags, so quite an important one). But with software it is a different issue. Roads and driving don't change that much in 12 years. Software/hardware/networks/security has changed massively in that time.
Read the EULA, it absolves MS of any liability. It also states in weasel words that MS do not guarantee that their software will work in the way expected or indeed at all.
MS have been crafting broken code since DOS. There is a reason no class action has been brought against MS for providing unfit for purpose software.... I refer you to the previously mentioned EULA.
"Read the EULA, it absolves MS of any liability. It also states in weasel words that MS do not guarantee that their software will work in the way expected or indeed at all."
The EULA is only what MS thinks matters and this can always be contested in a court. For example, the clickthrough EULAs have been declared void in Germany. As, indeed, have labels on packaging informing people that by opening the package they agree to be bound by the licence agreement contained within.
IANAL but, based on other unlimited liability cases in the US, I reckon there's good grounds for a case.
@Charlie I thought click through EULAs are okay here, as long as you are presented with them before you agree to purchase / use of a product or service?
It is certainly true that any changes / additions (including any T&Cs inside the sealed package, which the purchaser cannot read) to the contract after initial purchase / agreement are null and void - which is part of Facebook's problem at the moment, they are trying to force all their changes onto their userbase, but in Germany that is illegal, they have to inform the users and they have to individually agree to the changes.
Microsoft TechNet comments: A word on CVD and fixing difficult problems:
In many regards, this security ‘fix’ is more accurately described as completely new functionality in Windows. Adding something of this scale posed a unique challenge to security response. Software vulnerabilities are typically more narrowly constrained in both investigation and remediation – and most response is structured to address that scope. Among the benefits of Coordinated Vulnerability Disclosure (CVD) is it provides for greater flexibility and deeper collaboration with researchers to take the necessary time and perspective to deliver the most complete security solutions to customers. In this case we tackled a vulnerability that required a much greater scope in engineering to deliver a solution.
Most vulnerabilities reported to the MSRC are bugs in a single component, which are investigated, understood, and fixed within industry accepted response times. Creating the new functionality of UNC Hardening, however, required an entirely new architecture which increased development time and necessitated extensive testing. Thanks to CVD, and the close collaboration with the passionate security researchers who reported the vulnerability, Microsoft had sufficient time to build the right fix for a complicated issue. If the security researchers were not willing to refrain from disclosure until our fix was ready, customers would have been put at risk.
Oh, come on, already. The IAOAM* has already deemed that rouge === rogue, in most cases. You can have rogue lips on a pig, and a rouge pirate (actually a rouge rouge.) However it is not ever acceptable to swap in a "rogue" when talking about moulins - just doesn't have that same melody.
* International Association Of Allowed Misspellings
"This remote-code execution flaw affects all supported versions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1." So basically anything that displays the Windows logo when you start it, provided it's set up to join a Windows domain. XP is not on the list because it's not supported anymore.
I knew that hot little hotspot was trouble the minute she showed up on my network list. My brain said "no" but Windows had a mind of its own and connected anyway. She turned off network address translation and didn't ask me for a password, said she wanted it naturally, without protection, and that was when she took my heart and the admin rights. And that was also how I got this virus. DAMMIT DON'T JUDGE ME IT WAS ONE TIME
If I understand it correctly (and posting here is the easiest way to find out), your internet cafe customer would have to be connecting to an SMB share that had been made available on the public internet (not via VPN). Furthermore, to let the attacker use fake group policy to take over your machine, you'd have to be logging into a domain via the public internet. If you are doing either, then I don't think you give a monkeys about security and you are probably already running a rootkit both on the client and the DC.
It's an interesting case, but I think there's a reason why the design flaw went unnoticed for 25 years.
Feel free to read http://blogs.technet.com/b/srd/archive/2015/02/10/ms15-011-amp-ms15-014-hardening-group-policy.aspx, you may learn a thing or two about what it took to fix the vulnerability and why a 90-day disclosure policy is silly and folly, and designed only to put competitors in a bad light even if it means putting many people at risk.
Ah, of course Linux has no such issues - it has nothing anywhere near Active Directory out of the box...
"of course Linux has no such issues"
Design flaws in Linux? I'm sure there are, but things as severe as this are quite rare, usually because it uses industry standard methodologies that have been tried and tested for the past 40 years, and everything is thrashed out in the open by multiple independent experts whose only motive is to have a working and robust system without unnecessary (sometimes hidden) complexities employed purely to keep the competition away and locked out. It may not be perfect and there are trade-offs, but it's not bad by design.
Pretty sure if you ran the latest kernel source in production you'd find plenty of faults.
If you run enterprise Linux distros then they build and test everything for you. Which is an admission that there would be lots of breakage and faults otherwise.
Exactly. As long as you stay safe in a 45-year-old design made for a single computer used by a few tens of users, it's much easier. Just, you're almost useless in an actual large network with thousands of users/devices or more. That's another reason why Linux clients went nowhere: from a management point of view, they're just a hassle. Sure, third party technologies exist to make them somewhat better (Puppet... why the need for it?), still they're add-ons (which you may have to pay for anyway), lock you in anyway, and still are not integrated into the OS itself.
"It may not be perfect and there are trade-offs, but it's not bad by design."
You must have missed the Linux network stack not being modular - so for instance NIC hardware acceleration requires kernel hacks. And SUDO. And having to tie your OS ACLs to your file system capabilities. And no constrained delegation. And things like SEL being a bolt on after thought. Having to parse flat text files that are randomly distributed everywhere for configs. etc. etc. etc.
fopen, strcpy, memcpy, et al. You mean those kinds of "industry standard" methodologies?
No, because those are standard C library functions, not Linux, and also used by Windows, OSX, and every other OS. Of course, all of the above have used safer versions of those functions for many years, at least since C99.
"Ah, of course Linux has no such issues - it has nothing anywhere near Active Directory out of the box..."
PRAISE $DEITY!
I hope not many people access \\10.0.0.100\Share\Login.bat (or anything else over CIFS for that matter) from a coffee shop without VPN?
It looks like you didn't understand it was just an example. The client will attempt to connect to the machine it usually uses to download GPOs.
To perform the attack, you first need to spot what UNC path the machine to attack actually uses, then spoof it, rerouting the request to your own share and then delivering the files it's asking for.
Moreover "CIFS" is an outdated term - MS itself now refers to the protocol as SMB only.
I'll not be praising Linux, but defending MS for taking time to fix a complex bug is really missing the point. The issue is not about the time it's taken to fix it but rather about not implementing authentication of such a sensitive process. Fail.
Authentication *was* implemented, but the design flaw was that if it failed the system fell back to an insecure one. If you had read the Technet post:
"a vulnerability existed whereby Group Policy could fail to retrieve valid security policy and instead apply a default, potentially less secure, group policy. This could, in turn, be used to disable the domain enforced SMB Signing policy."
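The fallback quoted above is what the MS15-011 UNC Hardening closes: the domain-joined client is told which UNC paths must only be reached with mutual authentication and integrity (SMB signing), instead of silently falling back when those are missing. The following PowerShell audit script is an added example, not code from this thread or from Microsoft; it assumes the MS15-011 update is installed and reads the documented HardenedPaths policy key, which is where the "Hardened UNC Paths" Group Policy setting is stored.

```powershell
# Added example: audit the MS15-011 "Hardened UNC Paths" policy on a domain-joined client.
# Assumption: the update is installed, and this registry key is the policy store for
# Computer Configuration > Administrative Templates > Network > Network Provider > Hardened UNC Paths.
$HardenedKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# The two shares Group Policy processing retrieves from the domain controller.
$RequiredPaths = @('\\*\SYSVOL', '\\*\NETLOGON')
# Both flags are needed: Kerberos mutual authentication (no NTLM fallback to a
# spoofed host) and SMB signing so the policy files cannot be altered in transit.
$RequiredFlags = @('RequireMutualAuthentication=1', 'RequireIntegrity=1')

function Test-HardenedUncPath {
    param([string]$Path)
    if (-not (Test-Path $HardenedKey)) { return $false }
    # Read the value by property name; Get-ItemProperty -Name would treat '*' as a wildcard.
    $value = (Get-ItemProperty -Path $HardenedKey -ErrorAction SilentlyContinue).$Path
    if (-not $value) { return $false }
    # Value data is a comma-separated list, e.g. "RequireMutualAuthentication=1, RequireIntegrity=1".
    $set = ($value -split ',') | ForEach-Object { $_.Trim() }
    foreach ($flag in $RequiredFlags) {
        if ($set -notcontains $flag) { return $false }
    }
    return $true
}

$missing = @()
foreach ($p in $RequiredPaths) {
    $ok = Test-HardenedUncPath -Path $p
    Write-Host ("{0,-16} hardened: {1}" -f $p, $ok)
    if (-not $ok) { $missing += $p }
}

if ($missing.Count -eq 0) {
    Write-Host 'Both Group Policy paths require mutual authentication and integrity.'
} else {
    Write-Host 'Not hardened. To enforce locally (prefer deploying this via Group Policy):'
    foreach ($p in $missing) {
        Write-Host ("  New-ItemProperty -Path '{0}' -Name '{1}' -PropertyType String -Value '{2}' -Force" -f `
            $HardenedKey, $p, ($RequiredFlags -join ', '))
    }
}
```

Run it in an elevated PowerShell session on each client you want to verify; the setting is evaluated on the machine that retrieves policy, which is why mobile workstations are the ones to check first.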
http://blogs.technet.com/b/srd/archive/2015/02/10/ms15-011-amp-ms15-014-hardening-group-policy.aspx looks like a good read. Not going to feed the troll. It does however raise the question of what will happen with samba4 domain controllers, this could be unfun.
Now that they've announced how, expect exploits live shortly.
Mind you good work on the fix MS (I don't believe the line about 2003 though)
How exactly are you supposed to "use properly configured VPN solutions when connecting to untrusted networks"?
Someone with more knowledge please correct me if I'm wrong, but shirley - you need to establish the network connection before you can open your VPN? At which point it's too late.
This makes no fucking sense.
ms15-011-amp-ms15-014-hardening-group-policy.aspx
In this scenario, the attacker has observed traffic across the switch and found that a specific machine is attempting to download a file located at the UNC path: \\10.0.0.100\Share\Login.bat
So clearly, a VPN isn't in use. The specific machine communicates in clear. From Starbucks. Yeah, having extreme fun treating the Starbucks LAN like a Domain yet?
"Someone with more knowledge please correct me if I'm wrong, but shirley - you need to establish the network connection before you can open your VPN? At which point it's too late."
No. The VPN is the network connection. Without it connected, there should be no traffic transmitted between the networks.
For ten or more years all decent wifi APs have isolated client stations so they cannot see each other's traffic. Today one would be hard pressed to find even a consumer grade wifi router that does not have client isolation active by default.
And while we've seen a lot of stupid corporate security, I doubt even Sony fails to require encrypted VPN tunnels for remote laptop connectivity.
Also has been ten or more years since anti-ARP-spoofing became standard on corporate switches.
MITM is not so simple these days.
Unless you're the NSA, GCHQ, etc. with limitless resources for mounting multilayered attacks (e.g. hacking Cisco switches, building black boxes to circumvent wifi isolation, etc), this weakness was not of much use.
Considering the number of default configurations, an attacker can just set an ARP "trap" and some "fool" will eventually bite login.bat, no need to see all the traffic.
Also, any person with access to internal network can try exploiting the bug from the inside. And why not start with granting oneself admin rights.
"Considering the number of default configurations, an attacker can just set an ARP "trap" and some "fool" will eventually bite login.bat, no need to see all the traffic."
Most corporate switches would stop ARP hacking these days, and switched networks would mean that you would not normally be able to see the traffic to otherwise intercept it.
"Also, any person with access to internal network can try exploiting the bug from the inside"
No - most corporate networks with current / recommended switch settings would block this.
M$'s programmers need to stop doing a copy/paste every time they do a new OS. I've lost count of the number of zero days that infect all versions of the OS up to the current one.
You would expect after 30 years, someone at M$ HQ would have thought to check most of the code, slowly and thoroughly of course. They do have teams of programmers after all, not sure about the QA testers though.
Your response is spot on.
Unfortunately MS Operating Systems are never meant to be secure. Since the whole world is still addicted to MS, Uncle Sam and all the other eyes want it to be open to spying. Besides that, MS is supposed to keep the whole virus "protection" industry alive.
Zero days in IE because of non-existent sandboxing?
Since it is 2015, and most of the latest MS zero days make it look like it is 1997, the ones whining about the 90 day fix period of Google probably commute in 1930s cars, without seat belts, security glass, modern brakes, and skip obligatory technical checkups.
Any good programmer working on large codebases knows it's exactly code written years ago under different assumptions that could bite you later when those assumptions change (just like this and the Bash vuln). Many years ago a LAN was considered a "safe" place, while external "free" networks you can easily get access to were not so common... today those assumptions are false.
Just the "it works, don't touch it!" attitude and the lack of time to review every piece of code while adding new functionalities ensures that these kinds of vulnerabilities will emerge later, especially now that deeper analyses are performed.
You're forgetting one thing:
New versions of Windows are always sold to us as having new improved security, "re-imagined", and plenty of work under the hood, when in reality it's just a different coloured lipstick that's been applied. This is evidenced by the bulk vulnerabilities (such as this one) affecting the entire range of Windows versions that are supported (and possibly unsupported, who knows).
That's the problem us (real) users of Windows have.
"M$'s programmers need to stop doing a copy/paste every time they do a new OS."
Perhaps you can give an example of another OS where between versions, every piece of code was clean room built from scratch as you suggest? No? Didn't think so...
"You would expect after 30 years, someone at M$ HQ would have thought to check most of the code, slowly and thoroughly of course."
Microsoft's OSs do have fewer vulnerabilities these days than say OS-X or the Linux kernel (let alone a Linux distribution!)
As others have pointed out name one single OS that is grounds-up rewritten for every single update?
And MS have tethered themselves to a large extent by always trying to provide backwards compatibility to some degree or other: usually quite a lot of it, in fact.
From a corporate perspective do you want to have to upgrade all of your back end server infrastructure to support that new desktop OS? Let's see - I now need three or four active directory domains because OS version 1, 2 and 3 can't use the other versions...ditto for file services..database..email..web..
In short, you don't have a clue, do you? But let's just bash them blindly because, "..well y'know, it's M$ and they're like really evil and shit and everyone knows they do crap code, yeah??.."
I do, however, think it's fair to bash them for failing to patch 2003 and I would suspect lie about it being technically not possible as opposed to financially less than desirable.
That's the patch for VSTO, and it hangs WU. Lots of reports of this today so it's another MS Patch Tuesday screwup. What's funny about this one is, I installed it first on a test machine using Windows Update and when the VSTO update ran it prompted me to accept the EULA, but when I ran it on machines served by WSUS it just hangs, preventing all other updates from running, and short of a reboot you can't kill it. Wanna bet it's waiting for an answer to the EULA without actually displaying it??
Deployment question here.
I've read the release for MS15-14 and am unclear on one aspect. It appears to me that the highest vulnerability is with client machines connecting on disparate networks. If that is the case, then it would follow that those mobile workstations should be patched soonest. I'm seeing less of an issue or need for urgency for DCs unless the UNC hardening is desired?
This stinks of the w2k scenario where m$ wouldn't supply (iirc) dx9 which was about the era I got out of windoze in favour of unix.
<rant>
Of course there's always some clients who insist on Windows and sometimes one has to handle their problems. Well, here's one. Having applied this month's patches without testing (not me), I get this...
Win7 can't display win 2003 server (w3k) fonts correctly over RDP.
I already fixed that with KB946633, but the latest updates have stuffed it both for machines which did have KB946633 and machines that don't. Spent the day changing terminal server settings from automatic to LAN etc. because now automatic detection of RDP stuff apparently "doesn't".
Thought I'd sussed it. Noo.. Feedback: still looks a bit shit but we can live with it until EOL except courier new font is illegible. This is indeed true. Eventually I went there & (tada) it looks shit on the console as well.
Nothing on Google about this. Symptoms (best done locally to rule out RDP issues)..
Control Panel -> Fonts -> Courier New (displays fine)
Apps: Firefox, Thunderbird don't display fine. That led me down a dead end, nearly filed a bug report over that, but thought to create a LibreOffice doc. Same thing. Exported that to PDF and displayed it. Looked fine, so we're looking at a display problem.
</rant>
The only thing worse than trawling windoze forums is trawling android forums.
Btw: if anyone has a fix pls post!
"This stinks of the w2k scenario where m$ wouldn't supply (iirc) dx9 which was about the era I got out of windoze in favour of unix."
W2K received DX9 and DX9 updates until 2010. Of the post Win3.1 versions only Windows 95 was limited to DX8 (because Win95 lost support before DX9), and NT4 was limited to DX3, probably because at the time 99% of games were for DOS and the rest for Win95 (or 3.1), and NT wasn't sold for consumer use.
God I wish people would grow up. M$? Windoze? Seriously? After all these years?
Linux? Seriously?
Nix systems aren't without their issues either and for an overall enterprise solution MS is still the only game in town.
Extol all the virtues of how secure nix systems are and how awesome your VI skillz are. But nix systems are not particularly practical for getting real work done outside of the server room...
"nix systems are not particularly practical for getting real work done outside of the server room..."
Seriously, you can't read a manual? Another "IT Pro" who can only use Windows. In 43 years I lost count of the OSes I have used, get over it. I know you paid big money to be an MS engineer, on paper; I suppose if they are not selling tablets/OS they have to get their money from some idiot...
Windoze, the paper clip returns, this time in 3D with tits, and the Azurb Clod Drive, yes, big year for you guys, but you will need more RAM/HD/CPU, as always... Maybe if you knew what you were doing and where your files are, you wouldn't need all that Cortana system fat...
So for windows 2003 servers to be at risk they have to be connected to a rogue network.
Most servers are not connected to a wireless network at all and generally for larger businesses are in physically hard to access locations. Therefore the main vulnerabilities seem to be:
Access to the network connection anywhere between the Windows 2003 server and the AD server (could be in a remote office, and over a 3rd party link - hello spooks!)
Virtual servers carried around on laptops (eg demos) which you might connect via a wireless network or plug into a home network
Home based and small business servers where they are connected to wireless networks or just generally not too hard to access
Physical server access (duh) though they only have to plug a cable in and not access via console therefore leaving no obvious trace
and this only has to happen anywhere in your domain for you to have an owned server inside the corporate firewall...
So where is the proverbial wailing and gnashing of teeth that accompanied Heartbleed?
Microsoft and many others (eg Adobe, Oracle) pour immense resources into their software but still have regular OMG! patching cycles.
How does the open source community take a beating for each bug in their extremely useful software, but MS has inflicted their "quality software" on us for decades with hardly a murmur?
No prizes for guessing that my machines do not run Windoze.
Exactly, they give MS & Apple bulk money for a secure and reliable OS, then 21-year-old bash holes are an issue, that was dealt with by Open Source. They just made their OSes into pretty, bloated spyware, with bloated apps. I've only ever met 2 people who have "kerned" a font in Office in over 30 years; Works was more than most people needed, but then there is LibreOffice, great suite, FREE to home users, with anything Office can do, well except report back to MS, and MS have to be compatible in European countries, because the EU didn't like MS owning your documents via Document Format.
I run all my Older MS software on VM's or just wine, I play HALO, HALO2, Call of Duty 1 to Modern Warfare 3 in wine ... I only use VM's for a few that need a big setup, Like older systems I still support (having a .iso of HDD you are trying to work with a 1000 miles away is handy), My Xbox/ps2 sits on boxes of Older systems, cause I have emulators in Xubuntu that let me run the games on Big screen, Also for Amiga/C64/Atari, I could have more, but I have to some work around here, but after I get tired of running over teenagers, with a warthog .....
Some people grew up with MS & Apple, it's all they know, they have divided into camps, 'cause it's cost them a lot to "keep the faith", so admitting it is a waste of money, to themselves, may take some time, while they learn something "new"...