DAY ZERO, and COUNTING: EVIL 'UNICORN' all-Windows vuln - are YOU patched?

Security researcher Robert Freeman has discovered an 18-year-old, critical, remotely-exploitable vulnerability di tutti vulnerabiliti which affects just about ALL versions of Windows - all the way back to Windows 95. The vulnerability (CVE-2014-6332) rated a critical score of 9.3 in all versions of Windows and was described as …

  1. DropBear

    Hopeless...

    On the one hand, I do understand the nature of software development and how bugs are an inevitable reality. On the other hand, I'm getting quite tired of the perpetual realisation that even with the best intentions, the highest security an internet-facing machine can achieve is about as airtight as a damn fishing net... For a machine that has a practical role to fulfil, is there any meaningful sense left in the word "security" at all?!?

    1. Anonymous Coward

      Re: Hopeless...

      depends on how you define practical...

      if your main priority is to update facebook, play games and view media, windows is fine.

      if you are a developer, or you absolutely have synergy across all your devices, including your fridge, go with linux

      if you need a sense of belonging and don't need the games that come with windows, go with macOSX

      If you need an internet-facing machine with high security so you can keep the plans for the new spacestation you are drawing up safe from the chinese, then go with OpenBSD.

      Most people (including myself) fall into the first category.

      1. Anonymous Coward

        Re: Most people (including myself) fall into the first category.

        Oh callow youth, you not been here long? The consumers are IDIOTS who must be EDUCATED, whether they want/need it or not.....

      2. Cipher

        Re: Hopeless...

        What percentage of Windows users run their machines with elevated rights, i.e. admin accounts, 24/7/365? How much damage is done by a mentality that cannot cope with having to manually elevate rights when needed, say a couple of times a day at most?

        These are the same folks who, when trying Linux on, bemoan the fact in forums that the *nix distro they are using doesn't boot to root automatically. Or the *buntu sudo model which has enough holes in it one could drive a fleet of tractor trailers thru it...

        The problem is not in our OSes, rather it is in ourselves..

        1. h4rm0ny

          Re: Hopeless...

          >>"What percentage of Windows users run their machines with elevated rights, i.e. admin accounts, 24/7/365?"

          Almost exactly the same as the percentage of Windows users that have XP, rather than Vista onwards.

          1. Anonymous Coward

            Re: Hopeless...

            "Almost exactly the same as the percentage of Windows users that have XP, rather than Vista onwards."

            Partially because the writers of a number of software packages for XP made the assumption that these were single user machines, and the single user would be the machine's admin, ergo they require admin rights to run properly, and many hours of frigging around supporting this crap has caused me no small amount of grief over the years, debugging issues with this stuff running as a.user, issues which magically disappear when it is run as a.n.admin.

            If you think things have changed much, we still have current software for Win7 which requires to be run as admin. I trust it not, but what alternative do I have as it controls a couple of machines we use on a daily basis?

            (Firewalls, firewalls everywhere as these machines need to be networked..)

    2. Anonymous Coward

      Re: Hopeless...

      ".......... how bugs are an inevitable reality"

      No, bugs are not an inevitable reality, even in team dev where they just cost money to remove.

      In my day an OS was written in assembler or CPL both of which would allow you to make real errors unless you knew what you were doing. So why are there more coding errors now than there were then?

      "increased complexity" is used to excuse the coders but as can be seen with MS patches the vast majority of buggy code is in simple things that were broken from day one.

      Yes, people make mistakes but should we leave the errors in just because it would cost money to remove them?

      More importantly, should bad coders and businesses be held accountable for their business decisions? Personally I think it is high time they were.

      1. Anonymous Coward

        Re: Hopeless...

        "No bugs are not an inevitable reality, even in team dev where they just cost money to remove."

        In any suitably complex system written by humans bugs will occur. I'm afraid the engineering-a-bridge equivalence argument that people like to cite doesn't apply because the software logic in a large system can be exponentially more complex than the maths involved in making a bridge stay up plus a bridge doesn't reconfigure its parameters every nanosecond.

        If you think bugs should not occur then I challenge you to write a million lines of code with ZERO bugs in it from day one.

        "In my day an OS was written in assembler or CPL both of which would allow you to make real errors unless you knew what you were doing. So why are there more coding errors now than there were then?"

        Perhaps because the programs do more than they did in your day. A microwave oven's microcontroller probably has more code on a per instruction basis than the largest batch programs of the 60s or 70s, never mind the multi million lines of code running a typical financial organisation.

        "the vast majority of buggy code is in simple things that were broken from day one."

        Except you're conveniently forgetting that there may be literally thousands of these "simple things" in a complex system. Someone has to check them ALL in ALL scenarios to be 100% sure there are no bugs. Are you volunteering?

        "More importantly should bad coders and businesses be held accountable for their business decisions? personally I think it is high time they were"

        That's right, nail the coders, not the management who insisted they got the code out the door by the end of the month regardless. But if you want to see the IT industry in the UK decimated and all the work head off abroad to countries with far laxer regulations, then sure, go for it.

        1. John H Woods Silver badge

          Re: Hopeless...

          "I'm afraid the engineering-a-bridge equivalence argument that people like to cite doesn't apply because the software logic in a large system can be exponentially more complex than the maths involved in making a bridge stay up" -- boltar

          Exactly - if bridges could fail because of a submillimetre-sized misalignment, there wouldn't be any still standing. There are essentially no engineering problems in any other discipline that approach the complexity of software engineering problems.

          1. Gazareth

            Re: Hopeless...

            The Millennium Bridge had a whopper of a bug.

            "There are essentially no engineering problems in any other discipline that approach the complexity of software engineering problems."

            Nonsense.

            1. P. Lee

              Re: Hopeless...

              "There are essentially no engineering problems in any other discipline that approach the complexity of software engineering problems where the engineering company is not deemed liable for anything."

              FTFY

              1. Anonymous Coward

                Re: Hopeless...

                "There are essentially no engineering problems in any other discipline that approach the complexity of software engineering problems."

                Essentially you are saying Dennis Ritchie was more intelligent than Einstein or Oppenheimer. Ritchie would laugh, but at least Oppenheimer would agree :-/

                One of the most disrespectful things an engineer can do is put down others' work, the other is eating the last doughnut.

                P.S. Come and fix my printer smart guy!! Double Dog Dare Ya...!

                1. Anonymous Coward

                  Re: Hopeless...

                  "Essentially you are saying Dennis Ritchie was more intelligent than Einstein or Oppenheimer. Ritchie would laugh, but at least Oppenheimer would agree :-/"

                  I would certainly put Babbage and Alan Turing on a level with Oppenheimer and plenty of other physicists, even Stephen Hawking. Einstein, like Newton, was a once in a couple of centuries genius.

                  However you're conveniently conflating the difficulty of coming up with ultimately fairly simple equations with that of creating a highly complicated system. Apples and oranges.

        2. Captain Scarlet Silver badge

          Re: Hopeless...

          "If you think bugs should not occur then I challenge you to write a million lines of code with ZERO bugs in it from day one"

          Looking at my code I would struggle with one bug per few thousand lines, however in this case I could just cheat and make one million lines of Commented Out lines :D

        3. Oninoshiko

          Re: Hopeless...

          "If you think bugs should not occur then I challenge you to write a million lines of code with ZERO bugs in it from day one."

          That's the problem, 1M LoC is completely unauditable. That's why, when security and stability really matter, microkernels containing less than 2k LoC are used.

        4. Anonymous Coward

          Re: Hopeless...

          I reject the idea that coding is any more complex than any other modular design and as to coding millions of lines without errors this was never the issue. Yes, people do make mistakes but with a disciplined approach then the mistakes should not find their way into the final product.

          You argue that it is management's fault for pushing buggy code out the door but I am saying that they can only do this whilst the "it is impossible to write bug free code" motto exists. It is possible and irrespective of the idea that problem solving on computers is somehow more complex than it is in any other subject, bug free used to be the norm.

          This idea that coding is more complex than anything else in existence is a convenient lie, especially when the code is released with known errors. It is possible to write millions of lines of code without any errors but today they just don't have to. Once upon a time a developer would hold a library of modules that they wrote themselves or at least understood fully, these modules would provide the backbone of each of their projects and were reused over and again. Today these modules have typically been written by someone else and the "coder" using them cares little how they work, as they have time constraints to consider.

          So it is of little surprise that coders who are employed in the toddler like bashing together of other people's programming blocks find that when it doesn't work they haven't a clue in how to fix it and can get away with claiming that "oh, computers are more complex than anything else in existence" are upset when people point out that it is bunkum.

          Fundamentally if you do not know what you are doing then you should not call yourself a programmer, if you did not write it yourself then how do you know it works? Why do you think that other coders who also believe that it isn't necessary to write correct code are more reliable than yourself can be relied upon?

          If you write the whole thing yourself and conform to a discipline that minimises errors then maybe your "complexity" would disappear. Like your bridge if you build it out of an unknown material and you do not understand everything about what you are doing then how can you say it is fit for purpose or even that you are fit to build it?

      2. Anonymous Coward

        Re: Hopeless...

        Yes, bugs ARE an inevitable reality. If you think otherwise I hope I never have to work with you.

      3. Fluffy Bunny

        Re: Hopeless...

        "In my day an OS was written in assembler or CPL "

        When you write an OS in assembler, it either works, or it doesn't. You can tell if it didn't work because the display makes the blue screen of death look informative. On the other hand, when you write in high level languages such as CPL*, it tests for a bunch of stupid mistakes and you generally don't get things like buffer overflows. You also learn how to test your programs.

        It's only when you program in pseudo-high level languages like C or C++, really just macro-assemblers on steroids, that you start to see these bugs getting out into the wild. It's impossible to see defects that are clearly visible in genuine high-level languages and it's almost impossible to test properly.

        I once read of a DBMS that had a memory leak to the tune of one megabyte every minute.

        * - oops, I was thinking PL/M. Sorry.

        1. Anonymous Coward

          Re: Hopeless...

          my point about CPL was the quality of the error checking

          Typical error messages were along the lines of "error near line..." and typically that line was the last place to look. CPL was used by real computer scientists who were expected to build a solution including the hardware from the ground up. If you didn't know what you were doing then it became apparent very quickly. Today programmers are typically not expected to build the hardware their code will run upon nor are they required to hold the same level of expertise as now complete understanding is deemed no longer necessary.

          So we have "coders" who wouldn't have a clue how to design the system they are coding for and we have the lie that computing is more complex than anything else in existence, it is little surprising that errors of ignorance creep in.

          If you bought a LCD with faulty pixels I expect you would not return it either, for my part I would and have repeatedly. For me it is working completely or not at all there is no middle ground, accepting a defective product as the working has become rife in computing and your belief in the "computing complexity" is just another part of the same lie.

          Programming without errors is simply more expensive than otherwise and whilst people accept defective products instead of demanding what they have paid for it will continue, anyone who claims that "computers are more complex than anything else in existence" are perpetuating the lie and also saying that they don't know what they are doing.

          Oh, for those who like logic

          How can you have something more complex than the universe that holds it, for those that don't then the answer is you cannot.

          Coding is no more complex than any other modular design however if the modules themselves are faulty or misunderstood then how can you expect the project to work correctly.

    3. ElReg!comments!Pierre

      That's the job, kiddo

      Bugs are there, known or not. In many regards the techie's job is to predict and "pre-mitigate" what happens when (not if), the shit hits the fan.

      No-assumptions and strictly "need-to" permission/access policies are your best friends. Absolutely none of the "should/shouldn't" and nice-to-haves nonsense.

  2. Anonymous Coward

    Pretty sure the NSA know about this one eh?

  3. Forget It

    Some script kiddies weren't born when this bug began life.

  4. Steve Davies 3 Silver badge

    Ouch!

    But will heads roll inside MS?

    Somehow I doubt it.

    I guess we should all standby for a Patch ***day (*** change as required)

    1. Brewster's Angle Grinder Silver badge

      Re: Ouch!

      I imagine most of the "heads" have moved on or retired. (And, if you read the article, the patch was issued yesterday.)

  5. Tannin

    Simple, for dummies details please

    For dummies like me, what does this actually mean? In particular, what does it mean for people running unsupported, unpatched versions of Windows? Obviously, anyone running (say) IE on XP is going to be vulnerable, but nothing in the two or three El Reg articles I have seen gives any clear hint as to whether a system running (for example) current-release Firefox on XP is vulnerable or not. (XP, let us remember, still accounts for something like 25% of in-service web-connected systems.)

    1. Anonymous Coward

      Re: Simple, for dummies details please

      The scant details provided in the CVE appear to suggest that the exploit is in OLE objects rendered using the IE engine in Windows. As the IE engine also appears to be used by File Explorer (I am not an expert here, so please feel free to correct me if I am wrong), wherever an OLE object is processed by the engine, the vulnerability appears to be able to be triggered. The engine is available to be used by other software, which means that it may not just be MS software that is vulnerable.

      Basic browsing using Firefox, Chrome or Safari should not be at great risk, because Firefox uses Gecko as its basic engine, and Chrome uses either WebKit or Blink, and Safari uses WebKit.

      If there is no chance of getting an OLE object onto your system, then there is probably little risk. If there is, then there is a chance that commands other than ones you expect could be run, which would allow all of the risks that entails. Getting an OLE object is most likely over the Internet, but not exclusively so (you could get one embedded in a document or spreadsheet, or in a mail).

      The rules must be that if you are in doubt, just don't connect an unpatched Windows system to a network, especially an open one, and don't import any files. But if you just browse the Web using a browser other than IE, from a non-admin account, and you are very careful about importing files, the chances are you will remain fairly safe, at least from this vulnerability.

    2. junior

      Re: Simple, for dummies details please

      There aren't many specific details yet I don't think - although this has been known about privately by MS for some time, details have deliberately been withheld to allow a patch to be created and rolled out before the bad guys / hackers figure out exactly what it is, and how to exploit it (maybe the NSA already have, but not your average bone-headed hacker type).

      Usually hackers will reverse-engineer the patch code to try to figure out what the actual bug is, once it is released publicly, so exploits are probably on the way very soon.

      That's why it's simply not a good idea anymore to be using an unsupported 13 year old OS like XP. No more excuses. It doesn't matter what the details are - you need to be patched or you may be pwned, simple as that. It was only a matter of time before something like this landed, and there will only be more in the future.

  6. wolfetone Silver badge

    Doesn't Affect Me

    I'm rocking Windows 3.11.

    1. Mayhem

      Re: Doesn't Affect Me

      I just recently reinstalled 3.11 to simplify getting networking up and running on an old dos box to fire up a few old games again.

      Jeez, that was substantially harder than I expected - it is surprisingly difficult to create a DOS boot disk that is an older version than the one present on your system.

      1. Anonymous Coward

        Re: Doesn't Affect Me

        "I just recently reinstalled 3.11 to simplify getting networking up and running on an old dos box to fire up a few old games again."

        A few years ago one bored weekend I installed Windows For Workgroups 3.11 in a little VM. After a few minutes nostalgia I thought to connect to something, at which point I remembered it didn't even come with a TCP/IP stack in those days, let alone a browser!

        I turned it off shortly afterwards and went back to playing with my Windows 98SE VM...

        1. CreosoteChris

          Re: Doesn't Affect Me

          Umm - I think you're wrong there:

          Windows 3.1 - no TCP/IP - requires Trumpet Winsock or similar to connect to the 'net

          WFW 3.11 - introduced TCP/IP as an installable component of the native Windows stack

          IIRC

          1. Chika

            Re: Doesn't Affect Me

            ISTR Microsoft did release a TCP/IP stack installation which was usable on all versions of Windows 3.1. As I recall, though, the biggest PITA was NIC drivers back then.

            1. Anonymous Bullard

              Re: Doesn't Affect Me

              the biggest PITA was NIC drivers back then.

              Ohh god! I thought I forgot all that pain. A large part of my job (at the time) was to install images of the network onto new PCs - we made a few boot disks with various levels of config.sys/autoexec.bat menus.

            2. Mayhem

              Re: Doesn't Affect Me

              Ahh, you see, half the delight of the box was being able to source genuine parts, so an original 486, SB16, intel nic etc, which meant that almost every app has the correct drivers.

              I did a dualboot with 3.11 to simplify copying files onto the drive, and then dos for the games.

              The biggest headache, as anyone could have predicted, was memory management.

              God it has been a LONG time since I had to remember half of that, and playing with EMM386 and QEMM reminded me why we were so glad to get rid of it.

              Still, worth hanging onto for nostalgia's sake.

  7. Anonymous Coward

    SSL lib quietly patched

    Is Microsoft just catching up to the round of fixes OpenSSL got in the months after heartbleed?

    For all we know, SChannel could be a proprietary fork of some old version of OpenSSL.

  8. Palpy

    Ah, the delicious tingle of risk in the morning.

    It's reactive security. No, an OS cannot be made perfect -- "security by perfection" is impossible in anything much more complex than "hello whirled" ^ 2. So, sandbox everything at boot-up. Implement real permission control. Etc. Right now I invoke a Linux container and then run Firefox in that. Limited access to kernel, limited access to filesystem. Not perfect. But the point is to make the process a harder nut to crack, not an uncrackable steel sphere.

  9. TheWeddingPhotographer

    Run before walking competently

    The issue is much more that MS seem to think that "constantly upgrading" is good. Sometimes they do this so quickly, the wheel has rotated and the basics were swept under the carpet.

    I see Windows like an onion, with DOS at or near the centre of it... With layer on layer of complexity and bloat added to it. The difficulty with this is that you kind of get stuck with the core, and I feel the developers only appear to concentrate on the newest outer layer.

    I have wondered for a long time now if there needs to be a philosophical and architectural shift in the whole approach to windows.

    1. Yeshe

      Re: Run before walking competently

      In fact, that vision of Windows was spot-on -- until the demise of 16-bit Windows. (Methinks Windows Millennium was the nail in THAT coffin.)

      Subsequent versions of Win Blows can trace their ancestry back to Windows NT (aka, "Nice Try"), which is a fairly decent OS at its core.

      1. dan1980

        Re: Run before walking competently

        @Yeshe

        "Subsequent versions of Win Blows can trace their ancestry back to Windows NT"

        Be that as it may, there are still bits of code floating around from the pre-95 days. Maybe not a huge amount in percentage terms but 1% is still half a million lines of code in Windows.

        And some of that code has fingers in important pies.

  10. chivo243 Silver badge

    So, where are the patches?

    I think there are a few Win95's still kicking about in some grandma's house, some Win98+se's about, and I know there is a dedicated user base for Win2000. I met both of them at a windows support group!

    1. fearnothing

      Re: So, where are the patches?

      Was this group called WinAdmins Anonymous?

    2. Denarius

      Re: So, where are the patches?

      on Win95, not needed. Run Win98Lite script which rips out exploder, Outlook lite and other odds and ends so Win95 could stay up for days with a whole 50 MB of disk space freed up. Install earlier LavaSoft firewall and use old Netscape or Firefox for simple web browsing. Or one could flash up an old PC with the QNX demo web browser 1.44 Mb floppy. How many holes in QNX so far ? Suggesting Win95, even in jest to avoid ancient bugs. Perhaps I need help. So far have not re-installed a Linux 2.2 kernel at least.

  11. Anonymous Coward

    No harm done then ;)

    All [Adobe,Apple,Oracle,Windows etc] together now, PATCH SHIT!

  12. Yeshe

    Software Engineering is Dead

    The title "Software Engineer" means nothing, having become the modern replacement for "coder" or "programmer/analyst". In fact, the discipline of Software Engineering was all but founded by the US DoD, when they realized that they were being eaten alive by the life-cycle cost of maintaining their systems.

    Unfortunately, an unintended side effect of the microcomputer revolution was to set the bar so low for what is considered acceptable performance of software systems, that El Reg has a seemingly endless stream of such anecdotes to entertain/scare us with.

    In any other industry, this kind of thing would be met with a flurry of product liability lawsuits. But producers of crappy software (ie, all of it) get a free pass... This will change SOMEDAY, perhaps.

    But no time soon.

  13. Ancientbr IT

    Two kinds of XP...

    I'm still stuck with XP on a box that dates from 2007 and which cannot be used with Win 7 or later (per Microsoft - the hardware doesn't support those OSs) - it's a long story, but I have absolutely no funds for either updated hardware or a more recent MS OS, and I have software I wrote that works well enough under XP but might not under anything else.

    I am experimenting with running evaluation copies of Win 7, 8.1, and even 10 Preview under VMware's free Player on the box that supposedly cannot run any of those operating systems, and so far my tests show that only Win 7 seems to handle my apps without issues. Just my luck that Win 7 is now on the scrapheap too; maybe I can pick up a secondhand CD from a flea-market for a song, and run it under VMware until I can obtain the cash needed to move forward (maybe next year).

    But I am mindful that there are at least two XPs out there: the version I have, totally unsupported by Microsoft (even their own VM app works only with Win 7 or later), and the version(s) that a bunch of well-heeled organizations have paid Microsoft to continue to update.

    All I can hope is that someone breaks ranks and leaks their XP patches to the rest of us second class XPers (who are still pretty sizable in number despite a false claim that many of us had quit using the OS).

  14. iunknown

    The MS released fix (KB3006226) had broken some existing VB6 apps

    The MS released fix (KB3006226) had broken some existing VB6 apps (and I think VBA macro also).

    Try this snippet on a PC that has received the MS patch:

        Sub Main()
            Dim dummyArray As Variant
            FillArray dummyArray
        End Sub

        Public Sub FillArray(ByRef refArray As Variant)
            ReDim refArray(0)
            ' no errors
            ReDim Preserve refArray(1 To 5)
            ' Subscript out of range
            refArray(1) = "Subscript out of range"
        End Sub
