back to article Microsoft won't patch SMB flaw that only an idiot would expose

A Windows SMB vulnerability revealed late last week at DEF CON won't be patched because Microsoft says the service should be firewalled off from the internet anyway. The 20-year-old bug is in at least Windows 2000 to Windows 10. It was discovered by RiskSense bods, who combed Redmond's file server code for flaws similar to the …

Page:

  1. Likkie

    Enough said

    "... only and idiot would expose".

    1. a_yank_lurker Silver badge

      Re: Enough said

      Only an idiot would think the scenario would not happen, guess the prime qualification to work at Slurp is to be an idiot.

      1. Jonathan 27

        Re: Enough said

        You can't protect idiots from themselves no matter how hard you try. If you have an SMBv1 share exposed to the internet they can brute force the password fairly easily even without a flaw. No one should ever have any SMB shares on the Internet.

        The cost effective solution would be to disable SMB sharing on effected versions of Windows, I imagine you wouldn't like Microsoft doing that unilaterally either.

        1. Danny 14 Silver badge

          Re: Enough said

          I thought a recent MS security patch pretty much disabled smbv1 everywhere? I seem to rememeber reading about it after wannacry surfaced.

          Smbv1 is quite old and outdated. Even my linux boxes arent using smbv1.

          Even basic routers would block internet smbv1 access so you have to be pretty daft to start opening the ports up (or just pppoeing your server to the Internet )

        2. sebbb

          Re: Enough said

          "No one should ever have any SMB shares on the Internet."

          Not really on the internet, but guess what caused the so-damn-fast spread of the wannacry in the NHS... the nationwide private WAN has SMB wide open to and from basically anything. And it is still open now.

          1. Peter2 Silver badge

            Re: Enough said

            Not really on the internet, but guess what caused the so-damn-fast spread of the wannacry in the NHS... the nationwide private WAN has SMB wide open to and from basically anything. And it is still open now.

            When I was working in NHS IM&T we treated the N3 as an externally facing internet connection so every site had it's own firewall. No doubt you can find single site trusts basically without IT staff that are incompetently setup, but there is really no such entity as "THE NHS", it's a patchwork of hundreds of different trusts all running things in radically different ways.

  2. Bill Stewart

    Please Fix The Headline

    It should be SMBLoris there too. SlowLoris was an analogy, but this is about the SMB1 attack.

  3. Teiwaz Silver badge

    But...

    Isn't Windows the idiots O.S?

    Downvote if you wish, but you can't deny they've spent the last couple of decades trying to make it as easy as possible to use.

    1. Nate Amsden Silver badge

      Re: But...

      Till windows 10 ?

      If you can't find it..grind it.

    2. Anonymous Coward
      Anonymous Coward

      Re: But...

      There's nothing wrong with making the OS easy to use, if it's done properly and elegantly.

      Windows became idiotic since Win 8 (Metro! Metro! Metro!) and Win 10 (SatNad and his Insider groupies' data mining project)... it's really the entire Microsoft becoming idiotic, rather than something that's unique to Windows ('new and improved' Skype).

      We have an entire generation of youths who do not know basic DOS commands.

      1. Jonathan 27

        Re: But...

        Who needs DOS commands? DOS is dead, if youths want to learn console commands they need to learn Bash or PowerShell.

        1. JLV Silver badge

          Re: But...

          Powershell is powerful, true. But its early learning curve is very steep. Steeper than bash and much steeper than dos. Even a lowly dir /o:d requires figuring out what the object's date attribute is called and a pipe to the sort. And the whole command will be much longer too. On the positive side you don't need to parse an text stream to isolate that date for further processing. For advanced usage, ps's more structured object mechanism pays off, most of the time it seems overkill.

          I fear the days of the casual command line user, if there ever was such a beast on Windows, are ending.

    3. aaronj2906_01

      Re: But...

      Nope. Linux is...

      Mint / Mandriva / Ubuntu might use RPMs... and Kerberos-5 emulation... but there is a REASON they have gone no-where over the last 40+ years.

      1. Doctor Syntax Silver badge

        Re: But...

        "there is a REASON they have gone no-where over the last 40+ years."

        Yes, Microsoft's leaning on major PC manufacturers to ship them all with Windows.

        1. Anonymous Coward
          Anonymous Coward

          "Yes, Microsoft's leaning on major PC manufacturers "

          Why did not MS do it in the server space too, and let Linux overcome Windows Server?

          Anyway Linux didn't became a desktop alternative until well into the 2000s - just look at kernel releases, and desktop managers state - a lot was missing, especially on laptops.

          MS business "practices" hurt much more previous competitors, and the lack of applications, which in some area is still an issue, didn't really help - just like the distro fragmentation and companies like Mandrake/Mandriva with the wrong business model.

          Also, PC manufacturer today would sell preinstalled whatever they could to improve PC sales. PC manufacturer aren't stupid, if Linux would have sold as much as Windows, they would have said MS goodbye a long ago.

          But keep on believing people don't use desktop Linux just because the evil eye of MS...

          1. nijam

            Re: "Yes, Microsoft's leaning on major PC manufacturers "

            > PC manufacturer aren't stupid, if Linux would have sold as much as Windows, they would have said MS goodbye a long ago

            PC manufacturers get "all-or-nothing" discount deals which make offering non-Windows alternatives very expensive. So the "linux doesn't sell" mantra becomes self-fulfilling.

            1. Anonymous Coward
              Anonymous Coward

              Re: "Yes, Microsoft's leaning on major PC manufacturers "

              "PC manufacturers get "all-or-nothing" discount deals which make offering non-Windows alternatives very expensive."

              In practise, impossible. "Nothing" option means not being able to sell any Microsoft product or advertisements on those and that's a lot of money.

              Almost half of the profit for HW-maker on cheap Windows-laptop is from advertisements and 3rd party programs (systematically called "crapware") pre-installed to it.

              Often so you can't remove them without installing whole system from retail Windows-DVD and *puff*, none of the drivers needed aren't there as they exist only in vendor and version spesific image installed in to the machine. So you live with crapware or don't use the machine. Nice.

              So far that on paper similar Dell-laptops, 1 month between buying, couldn't connect to network with each other's rescue disk as -tadaa- network card had changed in between, totally different.

              Of course neither worked with retail-Windows-DVD either. I wasn't surprised.

              1. Anonymous Coward
                Anonymous Coward

                "Almost half of the profit for HW-maker on cheap Windows-laptop"

                Stop buying them. They're just crap. It's funny how all those Linux power users feel the need to buy such a crap.

                True, Linux may be less resource hungry, but do your really buy such a crap??? Why??? Leave them to the Windows users whom they are designed for.

                It's the whole system which is built with cheap components, why risk for any professional work?? You'll save a lot from not buying software, so, make a gift to yourself, buy better hardware... or aren't you paid enough for all those Linux skills to afford a decent PC???

                Never found, anyway, yet a PC for which drivers were not available for the supported operating systems. The fact that two PC bought a month apart may have different components doesn't surprise me. One component may have been EOL'd and replaced by another. And if the components are released after the OS version, there's a good chance they won't be supported by a retail installer unless you add the drivers yourself.

          2. Anonymous Coward
            Anonymous Coward

            Re: "Yes, Microsoft's leaning on major PC manufacturers "

            "PC manufacturer aren't stupid, if Linux would have sold as much as Windows, they would have said MS goodbye a long ago."

            'Would have sold', right. How would anyone know how much they would sell without Microsoft?

            That's a risk no CEO will take. Not now and not for along time.

            Also MS has a policy which defines that either you sell Windows pre-installed (and _only_ Windows) or you are not selling MS-products at all. That's the evil part: illegal abuse of monopoly, very serious threat to HW makers.

            Linux is not sold, basically, as it's a free software: Where's the profit on that?

            Selling hardware is only one part of profit on HW: Selling advertisements on said hardware is often half of the profit and that's impossible if buyer install his own OS.

            Also Intel is practically married with Microsoft and they haven't been able to invent anything really new since late 80s. There's more profits in making same old shit cheaper than earlier and there basically isn't any competition, so no need to invent anything new.

            Monopolies and cartels always means technical stagnation and are illegal for a reason. Obviously being big enough leads the cartel wagging the Congress and not the oter way round.

            1. Anonymous Coward
              Anonymous Coward

              Re: "Yes, Microsoft's leaning on major PC manufacturers "

              You are with your heads stuck firmly in the past. Actually, many vendors sell PCs with Linux preinstalled. For example Dell sells laptops and desktops with Ubuntu preinstalled (it gives you a choice of three LTS). Which actually shows your assertions are just BS - there's no way MS can forbid it today.

              But you all keep on repeating 1990s era "news", before MS was hit by antitrust investigations, just in the attempt to justify almost no one bothers to buy a desktop/laptop with Linux preinstalled, especially since many will order it anyway without the OS and then install the distro of their choice, because not everybody uses Ubuntu. And even if Linux is free, supporting five or six distro would be expensive anyway - especially as long as Linux integralists keep on complaining about proprietary drivers...

              What's wrong with Linux is too many believe it is is a religion, and believe in dogmas without actually checking if they are still true. They were told in the past, and it has to be still true... take your head out of the sand.

          3. Anonymous Coward
            Anonymous Coward

            Re: "Yes, Microsoft's leaning on major PC manufacturers "

            "But keep on believing people don't use desktop Linux just because the evil eye of MS..."

            Not _just_ because of that, Linux has some serious problems by itself, but money always talks and MS has a lot of money and Linux-people don't.

            Anyone who ignores that is just a fan boy.

            Linux kernel is quite a piece but windows-stupidities with ideology "one piece does everything" (like systemd) and UI nightmares like Gnome 3 are serious drawbacks mostly created by invididuals or small groups who are so full of themselves that even obvious stupidities are dismissed by statements like "you are using it wrong", while fully knowing that documentation doesn't say anything about the "right way" of using it.

            Neither are there error messages that make any sense.

            And third brain damage, sabotage from MS-world: Throroughly useless documentation.

            "This button confirms action" and the button has label "OK". Yea, right, I'm convinced.

      2. ManoDano

        Re: But...

        "but there is a REASON they have gone no-where over the last 40+ years."

        Yeah, and that reason is that the Linux Kernel was only created in 1991, which is only 26 years ago.

        1. Danny 14 Silver badge

          Re: But...

          However in this case smbv1 was succeeded by smbv2 which was refined into smbv3.

          You dont use PPTP even though it is easy to setup and works, because it is insecure and has been superceeded. Same can be said for smbv1.

        2. Anonymous Coward
          Anonymous Coward

          "the Linux Kernel was only created in 1991"

          Exactly. But until version 2.6 (2003) it wasn't really usable for anything serious.

          1. ckm5

            Re: "the Linux Kernel was only created in 1991"

            Interesting - I guess all those commercial Linux deployments I did in 1998 must have been a result of time travel....

            1. Anonymous Coward
              Anonymous Coward

              Re: "the Linux Kernel was only created in 1991"

              The fact you did something with Linux in 1998 didn't make it a useful tool for everybody. Believe me, there were people who actually used Windows 2.0.

              Until kernel 2.6 Linux had several shortcomings in many areas - i.e. threading and memory management that hindered its use in large applications. Feel free to tell us what your "commercial deployments" were....

              From kernel 2.6 onward Linux made great leaps.

    4. phuzz Silver badge

      Re: But...

      Isn't OSX generally considered to be the easiest OS to use? Apple's developers are going to be all sad now :(

    5. Jonathan 27

      Re: But...

      Nah, that's Mac OS. You know the one they advertise as being magically immune to viruses.

    6. Anonymous Coward
      Anonymous Coward

      Re: But...

      There's a fresh DoS bug in NFS too:

      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7645

  4. bombastic bob Silver badge
    Devil

    the problem is Microshaft's design

    the problem is Microshatf's design. The idea that a networked box would expose services on the intarwebs is in and of itself a MAJOR problem.

    In other words, they should have designed it to ONLY listen on RFC1918 IP addresses, and ONLY listen if you enable networking.

    But NOOooo... they have to bind to 0.0.0.0 (i.e. everything) and THAT is the problem!

    And they do that with other "well known" or "easily discoverable" TCP stuff. Just do a "netstat -an" some time on you Winders box, and see what's listening...

    And if it shows up as the SAME port on everybody ELSE's box, and there's a vulnerability on it, and you connect directly to the intarwebs on a publically visible IP address [including _ANY_ IPv6 address!] then you're exposing your winders box's soft underbelly to the intarwebs.

    "Only an idiot" would have DESIGNED! IT! THIS! WAY!! Right, Micro-shaft??

    [the need to bind to publically visible IP addresses could be a kind of "opt in" setting, and THEN it would be the customer's fault for doing it...]

    1. DougS Silver badge
      Facepalm

      Re: the problem is Microshaft's design

      Yeah who would expose services to the internet, like SMTP, HTTP, DNS, NTP, ...

      1. Kevin Johnston

        Re: the problem is Microshaft's design

        He may be Bombastic but there is a perfectly valid point here. The default state for ports should be disabled with the minimum possible exceptions in order to get the box up and running. This may include core network ports but why would HTTP be enabled by default? That should get enabled as part of configuring the HTTP security rather than as soon as the server starts.

        I am not going to claim I know which should or shouldn't be in that minimal set but wide-open is a poor choice for a starting point

        1. LDS Silver badge

          Re: the problem is Microshaft's design

          Because most administration tools today are used via HTTP? The system anyway asks what kind of network connection is used, and if the local firewall is active, it is assigned to different profiles, which does limit the scope of the ports.

        2. Anonymous Coward
          Anonymous Coward

          Re: the problem is Microshaft's design

          I have no issue with Bobs technical views - far from it - just the anti Microsoft diatribe attached to it.

          All OS's have their place and Ill never slag off one over the other, its all rather childish

          1. bombastic bob Silver badge
            Megaphone

            Re: the problem is Microshaft's design

            "just the anti Microsoft diatribe attached to it."

            no diatribe, just POINTING OUT FACTS that are easily verified.

            1. Danny 14 Silver badge

              Re: the problem is Microshaft's design

              The default state for ports on my server2012r2 is closed. I need a domain firewall policy to allow services. I cant say for standalone servers but i imagine uou need to enable in the firewall.

        3. Roland6 Silver badge

          Re: the problem is Microshaft's design

          >The default state for ports should be disabled with the minimum possible exceptions in order to get the box up and running.

          This was the default setting for secure third-party Windows firewalls such as Comodo and Outpost from the very beginning (ie. before 2005), but then they also blocked inbound and outbound traffic and performed stateful inspection, whereas the Windows firewall was only a simple outbound port blocker.

          Also in the case of Outpost, SMB/NetBios traffic (if you enabled it) was limited by default to IANA defined private networks and specifically the subnet the host was attached to.

          I would assume that this is also the case will all modern security suites...

          >but why would HTTP be enabled by default?

          On a system (not a firewall appliance), I would expect outbound HTTP to be enabled by default, given the extent to which browsers have become as essential to system setup and operation as TelNet and FTP were a few decades back.

      2. oldcoder

        Re: the problem is Microshaft's design

        You left out SMB, RPC, and the slew of the one Windows exposes.

        1. Anonymous Coward
          Anonymous Coward

          "You left out SMB, RPC,"

          Psssst... RPC exists in Linux too... give a look to NFS, for example.

          Moreover, RPC, if done properly, and inside a LAN, is much better than all the HTTP stuff and cruft.

    2. Anonymous Coward
      Anonymous Coward

      Re: the problem is Microshaft's design

      OH FFS BOB,

      Change the record,

      LOTS OF PEOPLE LIKE MICROSOFT

      you may not like it, other bleaters may not like it - but get over it FFS.

      Were you scared by a picture of a dog on a Windows 3.1 PC years ago ??? .... just trying to make sense of it that's all

      1. RyokuMas Silver badge
        Joke

        Re: the problem is Microshaft's design

        Bob needs to start adding "[INSERT SOMETHING HERE] FAIL!" at the end of his posts...

      2. Anonymous Coward
        Anonymous Coward

        Re: the problem is Microshaft's design

        "LOTS OF PEOPLE LIKE MICROSOFT"

        Err no they don't.

        People like Amazon for a variety of reasons, same with Google whom people often find useful, and Apple have their loyal fans too.

        But Microsoft? After force-feeding people a crash prone, bug ridden, security nightmare of an OS all these years, most people I meet from general public to programmers really do not like Microsoft much at all. The only people I ever met who said anything nice about Microsoft actually worked for Microsoft in some capacity.

        It's not "hating" or anti-Microsoft bias either, Microsoft have genuinely earned their terrible reputation.

      3. nijam

        Re: the problem is Microshaft's design

        > LOTS OF PEOPLE LIKE MICROSOFT

        "Like" or "have it foisted on them"? Sales do not equate to popularity.

    3. Warm Braw Silver badge

      Re: the problem is Microshaft's design

      I think SMB v1 predates the general availability of a TCP/IP stack for Windows and assumed a single LAN environment. That was a perfectly good design decision at the time. The pity is that it was not retired sooner.

      1. LDS Silver badge

        "I think SMB v1 predates the general availability of a TCP/IP stack for Windows"

        SMB predates Windows, and was designed at IBM, well before TCP/IP became the de-facto standard. It run on IBM LAN protocols and IPX well before TCP/IP, thus there was no way it could have been published directly on the Internet. Only later NetBIOS was made available on top of TCP/IP, and then SMB directly - the issue as usual is "backward compatibility".

    4. ckm5

      Re: the problem is Microshaft's design

      Pretty much every Un*x ever designed does the same thing for most network services, at least until very, very recently.

      It's very unfair to blame MSFT for this - they did, after all, just copy Un*x including the entire TCP stack (from BSD nach)

  5. sqlrob
    Facepalm

    "won't be patched, because Redmond says it only needs a suitable block on connections coming from the Internet."

    Because we all know, boxes on the internal network are never compromised and there's never insider threats.

    1. Adam 52 Silver badge

      That was my thought too. But Microsoft aren't stupid and would have thought of that too, so I wonder if we've misunderstood.

    2. Sil

      If boxes on the internal network are compromised and there are insider threats, a SMB v1 bug is the least of your worries.

      1. Adam 52 Silver badge

        In any organisation bigger than a two person partnership then you've got insider threats and these days you should always treat the internal network as compromised.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019