Microsoft won't patch SMB flaw that only an idiot would expose

A Windows SMB vulnerability revealed late last week at DEF CON won't be patched because Microsoft says the service should be firewalled off from the internet anyway. The 20-year-old bug is in at least Windows 2000 to Windows 10. It was discovered by RiskSense bods, who combed Redmond's file server code for flaws similar to the …

Enough said

"... only an idiot would expose".


Re: Enough said

Only an idiot would think the scenario would not happen, guess the prime qualification to work at Slurp is to be an idiot.


Re: Enough said

You can't protect idiots from themselves no matter how hard you try. If you have an SMBv1 share exposed to the internet they can brute force the password fairly easily even without a flaw. No one should ever have any SMB shares on the Internet.

The cost-effective solution would be to disable SMB sharing on affected versions of Windows; I imagine you wouldn't like Microsoft doing that unilaterally either.


Re: Enough said

I thought a recent MS security patch pretty much disabled SMBv1 everywhere? I seem to remember reading about it after WannaCry surfaced.

SMBv1 is quite old and outdated. Even my Linux boxes aren't using SMBv1.

Even basic routers would block internet SMBv1 access, so you have to be pretty daft to start opening the ports up (or just PPPoEing your server to the Internet).


Re: Enough said

"No one should ever have any SMB shares on the Internet."

Not really on the internet, but guess what caused the so-damn-fast spread of WannaCry in the NHS... the nationwide private WAN has SMB wide open to and from basically anything. And it is still open now.


Re: Enough said

Not really on the internet, but guess what caused the so-damn-fast spread of WannaCry in the NHS... the nationwide private WAN has SMB wide open to and from basically anything. And it is still open now.

When I was working in NHS IM&T we treated the N3 as an externally facing internet connection, so every site had its own firewall. No doubt you can find single-site trusts basically without IT staff that are incompetently set up, but there is really no such entity as "THE NHS"; it's a patchwork of hundreds of different trusts all running things in radically different ways.


Please Fix The Headline

It should be SMBLoris there too. SlowLoris was an analogy, but this is about the SMB1 attack.


But...

Isn't Windows the idiots' OS?

Downvote if you wish, but you can't deny they've spent the last couple of decades trying to make it as easy as possible to use.


Re: But...

Till Windows 10?

If you can't find it... grind it.

Anonymous Coward

Re: But...

There's nothing wrong with making the OS easy to use, if it's done properly and elegantly.

Windows has been idiotic since Win 8 (Metro! Metro! Metro!) and Win 10 (SatNad and his Insider groupies' data mining project)... it's really the entire Microsoft becoming idiotic, rather than something that's unique to Windows ('new and improved' Skype).

We have an entire generation of youths who do not know basic DOS commands.


Re: But...

Nope. Linux is...

Mint / Mandriva / Ubuntu might use RPMs... and Kerberos-5 emulation... but there is a REASON they have gone nowhere over the last 40+ years.


Re: But...

Isn't OSX generally considered to be the easiest OS to use? Apple's developers are going to be all sad now :(


Re: But...

"there is a REASON they have gone nowhere over the last 40+ years."

Yes, Microsoft's leaning on major PC manufacturers to ship them all with Windows.


Re: But...

Nah, that's Mac OS. You know the one they advertise as being magically immune to viruses.


Re: But...

Who needs DOS commands? DOS is dead; if youths want to learn console commands they need to learn Bash or PowerShell.

Anonymous Coward

Re: But...

There's a fresh DoS bug in NFS too:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7645

Anonymous Coward

"Yes, Microsoft's leaning on major PC manufacturers "

Why did MS not do it in the server space too, and let Linux overcome Windows Server?

Anyway, Linux didn't become a desktop alternative until well into the 2000s - just look at kernel releases, and the state of desktop managers - a lot was missing, especially on laptops.

MS business "practices" hurt previous competitors much more, and the lack of applications, which in some areas is still an issue, didn't really help - just like the distro fragmentation and companies like Mandrake/Mandriva with the wrong business model.

Also, PC manufacturers today would sell preinstalled whatever they could to improve PC sales. PC manufacturers aren't stupid; if Linux had sold as much as Windows, they would have said goodbye to MS long ago.

But keep on believing people don't use desktop Linux just because of the evil eye of MS...

JLV

Re: But...

PowerShell is powerful, true. But its early learning curve is very steep. Steeper than bash and much steeper than DOS. Even a lowly dir /o:d requires figuring out what the object's date attribute is called and a pipe to the sort. And the whole command will be much longer too. On the positive side you don't need to parse a text stream to isolate that date for further processing. For advanced usage, PS's more structured object mechanism pays off; most of the time it seems overkill.

I fear the days of the casual command line user, if there ever was such a beast on Windows, are ending.


Re: But...

"but there is a REASON they have gone nowhere over the last 40+ years."

Yeah, and that reason is that the Linux Kernel was only created in 1991, which is only 26 years ago.


Re: But...

However in this case SMBv1 was succeeded by SMBv2, which was refined into SMBv3.

You don't use PPTP even though it is easy to set up and works, because it is insecure and has been superseded. The same can be said for SMBv1.

Anonymous Coward

"the Linux Kernel was only created in 1991"

Exactly. But until version 2.6 (2003) it wasn't really usable for anything serious.


Re: "Yes, Microsoft's leaning on major PC manufacturers "

> PC manufacturers aren't stupid; if Linux had sold as much as Windows, they would have said goodbye to MS long ago

PC manufacturers get "all-or-nothing" discount deals which make offering non-Windows alternatives very expensive. So the "linux doesn't sell" mantra becomes self-fulfilling.


Re: "the Linux Kernel was only created in 1991"

Interesting - I guess all those commercial Linux deployments I did in 1998 must have been a result of time travel....

Anonymous Coward

Re: "Yes, Microsoft's leaning on major PC manufacturers "

"PC manufacturers aren't stupid; if Linux had sold as much as Windows, they would have said goodbye to MS long ago."

'Would have sold', right. How would anyone know how much they would sell without Microsoft?

That's a risk no CEO will take. Not now and not for a long time.

Also MS has a policy which defines that either you sell Windows pre-installed (and _only_ Windows) or you are not selling MS products at all. That's the evil part: illegal abuse of monopoly, a very serious threat to HW makers.

Linux is not sold, basically, as it's free software: where's the profit in that?

Selling hardware is only one part of the profit on HW: selling advertisements on said hardware is often half of the profit, and that's impossible if the buyer installs his own OS.

Also Intel is practically married to Microsoft and they haven't been able to invent anything really new since the late 80s. There's more profit in making the same old shit cheaper than before, and there basically isn't any competition, so no need to invent anything new.

Monopolies and cartels always mean technical stagnation and are illegal for a reason. Obviously being big enough leads to the cartel wagging the Congress and not the other way round.

Anonymous Coward

Re: "Yes, Microsoft's leaning on major PC manufacturers "

"But keep on believing people don't use desktop Linux just because of the evil eye of MS..."

Not _just_ because of that; Linux has some serious problems by itself, but money always talks and MS has a lot of money and Linux people don't.

Anyone who ignores that is just a fan boy.

The Linux kernel is quite a piece, but Windows-stupidities with the ideology "one piece does everything" (like systemd) and UI nightmares like Gnome 3 are serious drawbacks, mostly created by individuals or small groups who are so full of themselves that even obvious stupidities are dismissed by statements like "you are using it wrong", while fully knowing that the documentation doesn't say anything about the "right way" of using it.

Neither are there error messages that make any sense.

And the third brain damage, sabotage from the MS world: thoroughly useless documentation.

"This button confirms action" and the button has label "OK". Yeah, right, I'm convinced.

Anonymous Coward

Re: "Yes, Microsoft's leaning on major PC manufacturers "

"PC manufacturers get "all-or-nothing" discount deals which make offering non-Windows alternatives very expensive."

In practice, impossible. The "nothing" option means not being able to sell any Microsoft product or advertisements on those, and that's a lot of money.

Almost half of the profit for a HW maker on a cheap Windows laptop is from advertisements and 3rd party programs (systematically called "crapware") pre-installed on it.

Often so that you can't remove them without installing the whole system from a retail Windows DVD and *puff*, none of the drivers needed are there, as they exist only in the vendor- and version-specific image installed on the machine. So you live with crapware or don't use the machine. Nice.

So far that on-paper similar Dell laptops, bought 1 month apart, couldn't connect to the network with each other's rescue disk as - tadaa - the network card had changed in between, totally different.

Of course neither worked with the retail Windows DVD either. I wasn't surprised.

Anonymous Coward

Re: "the Linux Kernel was only created in 1991"

The fact you did something with Linux in 1998 didn't make it a useful tool for everybody. Believe me, there were people who actually used Windows 2.0.

Until kernel 2.6 Linux had several shortcomings in many areas - i.e. threading and memory management - that hindered its use in large applications. Feel free to tell us what your "commercial deployments" were....

From kernel 2.6 onward Linux made great leaps.

Anonymous Coward

Re: "Yes, Microsoft's leaning on major PC manufacturers "

You have your heads stuck firmly in the past. Actually, many vendors sell PCs with Linux preinstalled. For example Dell sells laptops and desktops with Ubuntu preinstalled (it gives you a choice of three LTS releases). Which actually shows your assertions are just BS - there's no way MS can forbid it today.

But you all keep on repeating 1990s-era "news", from before MS was hit by antitrust investigations, just in the attempt to justify why almost no one bothers to buy a desktop/laptop with Linux preinstalled, especially since many will order it anyway without the OS and then install the distro of their choice, because not everybody uses Ubuntu. And even if Linux is free, supporting five or six distros would be expensive anyway - especially as long as Linux integralists keep on complaining about proprietary drivers...

What's wrong with Linux is that too many believe it is a religion, and believe in dogmas without actually checking if they are still true. They were told in the past, and it has to be still true... take your head out of the sand.

Anonymous Coward

"Almost half of the profit for HW-maker on cheap Windows-laptop"

Stop buying them. They're just crap. It's funny how all those Linux power users feel the need to buy such crap.

True, Linux may be less resource hungry, but do you really buy such crap??? Why??? Leave them to the Windows users they are designed for.

It's the whole system which is built with cheap components; why risk it for any professional work?? You'll save a lot from not buying software, so make a gift to yourself and buy better hardware... or aren't you paid enough for all those Linux skills to afford a decent PC???

Never found, anyway, a PC for which drivers were not available for the supported operating systems. The fact that two PCs bought a month apart may have different components doesn't surprise me. One component may have been EOL'd and replaced by another. And if the components are released after the OS version, there's a good chance they won't be supported by a retail installer unless you add the drivers yourself.


the problem is Microshaft's design

the problem is Microshaft's design. The idea that a networked box would expose services on the intarwebs is in and of itself a MAJOR problem.

In other words, they should have designed it to ONLY listen on RFC1918 IP addresses, and ONLY listen if you enable networking.

But NOOooo... they have to bind to 0.0.0.0 (i.e. everything) and THAT is the problem!

And they do that with other "well known" or "easily discoverable" TCP stuff. Just do a "netstat -an" some time on your Winders box, and see what's listening...

And if it shows up as the SAME port on everybody ELSE's box, and there's a vulnerability on it, and you connect directly to the intarwebs on a publicly visible IP address [including _ANY_ IPv6 address!] then you're exposing your winders box's soft underbelly to the intarwebs.

"Only an idiot" would have DESIGNED! IT! THIS! WAY!! Right, Micro-shaft??

[the need to bind to publicly visible IP addresses could be a kind of "opt in" setting, and THEN it would be the customer's fault for doing it...]


Re: the problem is Microshaft's design

Yeah who would expose services to the internet, like SMTP, HTTP, DNS, NTP, ...

Anonymous Coward

Re: the problem is Microshaft's design

OH FFS BOB,

Change the record,

LOTS OF PEOPLE LIKE MICROSOFT

you may not like it, other bleaters may not like it - but get over it FFS.

Were you scared by a picture of a dog on a Windows 3.1 PC years ago ??? .... just trying to make sense of it that's all


Re: the problem is Microshaft's design

He may be Bombastic but there is a perfectly valid point here. The default state for ports should be disabled with the minimum possible exceptions in order to get the box up and running. This may include core network ports but why would HTTP be enabled by default? That should get enabled as part of configuring the HTTP security rather than as soon as the server starts.

I am not going to claim I know which should or shouldn't be in that minimal set, but wide-open is a poor choice for a starting point.

LDS

Re: the problem is Microshaft's design

Because most administration tools today are used via HTTP? The system anyway asks what kind of network connection is used, and if the local firewall is active, it is assigned to different profiles, which does limit the scope of the ports.


Re: the problem is Microshaft's design

I think SMB v1 predates the general availability of a TCP/IP stack for Windows and assumed a single LAN environment. That was a perfectly good design decision at the time. The pity is that it was not retired sooner.

Anonymous Coward

Re: the problem is Microshaft's design

I have no issue with Bob's technical views - far from it - just the anti-Microsoft diatribe attached to it.

All OSes have their place and I'll never slag off one over the other; it's all rather childish


Re: the problem is Microshaft's design

You left out SMB, RPC, and the slew of other ones Windows exposes.


Re: the problem is Microshaft's design

>The default state for ports should be disabled with the minimum possible exceptions in order to get the box up and running.

This was the default setting for secure third-party Windows firewalls such as Comodo and Outpost from the very beginning (i.e. before 2005), but then they also blocked inbound and outbound traffic and performed stateful inspection, whereas the Windows firewall was only a simple outbound port blocker.

Also in the case of Outpost, SMB/NetBIOS traffic (if you enabled it) was limited by default to IANA-defined private networks and specifically the subnet the host was attached to.

I would assume that this is also the case with all modern security suites...

>but why would HTTP be enabled by default?

On a system (not a firewall appliance), I would expect outbound HTTP to be enabled by default, given the extent to which browsers have become as essential to system setup and operation as Telnet and FTP were a few decades back.


Re: the problem is Microshaft's design

Bob needs to start adding "[INSERT SOMETHING HERE] FAIL!" at the end of his posts...

Anonymous Coward

"You left out SMB, RPC,"

Psssst... RPC exists in Linux too... have a look at NFS, for example.

Moreover, RPC, if done properly, and inside a LAN, is much better than all the HTTP stuff and cruft.

Anonymous Coward

Re: the problem is Microshaft's design

"LOTS OF PEOPLE LIKE MICROSOFT"

Err no they don't.

People like Amazon for a variety of reasons, same with Google whom people often find useful, and Apple have their loyal fans too.

But Microsoft? After force-feeding people a crash prone, bug ridden, security nightmare of an OS all these years, most people I meet from general public to programmers really do not like Microsoft much at all. The only people I ever met who said anything nice about Microsoft actually worked for Microsoft in some capacity.

It's not "hating" or anti-Microsoft bias either, Microsoft have genuinely earned their terrible reputation.


Re: the problem is Microshaft's design

"just the anti Microsoft diatribe attached to it."

no diatribe, just POINTING OUT FACTS that are easily verified.


Re: the problem is Microshaft's design

The default state for ports on my Server 2012 R2 is closed. I need a domain firewall policy to allow services. I can't say for standalone servers but I imagine you need to enable them in the firewall.


Re: the problem is Microshaft's design

> LOTS OF PEOPLE LIKE MICROSOFT

"Like" or "have it foisted on them"? Sales do not equate to popularity.


Re: the problem is Microshaft's design

Pretty much every Un*x ever designed does the same thing for most network services, at least until very, very recently.

It's very unfair to blame MSFT for this - they did, after all, just copy Un*x including the entire TCP stack (from BSD, natch)

LDS

"I think SMB v1 predates the general availability of a TCP/IP stack for Windows"

SMB predates Windows, and was designed at IBM, well before TCP/IP became the de-facto standard. It ran on IBM LAN protocols and IPX well before TCP/IP, thus there was no way it could have been published directly on the Internet. Only later was NetBIOS made available on top of TCP/IP, and then SMB directly - the issue as usual is "backward compatibility".


"won't be patched, because Redmond says it only needs a suitable block on connections coming from the Internet."

Because we all know boxes on the internal network are never compromised and there are never insider threats.


That was my thought too. But Microsoft aren't stupid and would have thought of that too, so I wonder if we've misunderstood.

Sil

If boxes on the internal network are compromised and there are insider threats, an SMB v1 bug is the least of your worries.


In any organisation bigger than a two-person partnership you've got insider threats, and these days you should always treat the internal network as compromised.

