June 2018, and Windows Server can be pwned with a DNS request

Microsoft has released its monthly security update, addressing a total of 51 CVE-listed security vulnerabilities. The June edition of Patch Tuesday includes 11 fixes for critical vulnerabilities in Windows, including Microsoft's solution for the recently-disclosed Spectre Variant 4 chip design flaw. Among the most serious …

  1. J. R. Hartley Silver badge

    The title is no longer required.

    What a time to be alive.

  2. Kabukiwookie Bronze badge

    Maybe MS can find some better code on Github; they can't seem to write anything that's not severely broken themselves.

  3. veti Silver badge

    Let's face it, most code is breakable when a sufficient number of people are sufficiently motivated to break it. Nothing on Github has ever had to withstand that level of attack.

    Maybe 1% of it really could. But I for one sure as heck wouldn't be able to identify which 1%.

  4. Destroy All Monsters Silver badge
    Mushroom

    Let's face it, most code is breakable when a sufficient number of people are sufficiently motivated to break it.

    I'm sick and tired of hearing this strawman repeated over and over and over.

    DNS is not hard to do (it's a database lookup done when it didn't occur to people that it's just a database lookup and they would have to finagle weird stuff like "zone files") and can be written in a secure manner unless one goes full hog on "muh features and cool, wild, unmanaged completely non-MISRA C because I'm so cool and sheeeeet!!" (isn't it, BIND?).

    Then one could find some money behind a sofa to perform proper code analysis of its codebase. Where did Microsoft Secure Code Initiative go?

    Then one could run the thing in a jail because one is the vendor of the whole package. After all, the "integration" and seamlessness of it all is always sold as a big plus.

    Yeah, system engineering. We have heard of it while falling downstairs.

    Nothing on Github has ever had to withstand that level of attack.

    Maybe, but a Microsoft DNS is SUPPOSED to withstand that level of attack.

    Ah no, wait. It's just USD 1000 per pop and then you are all by yourself.
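
Editor's note on the "DNS is not hard to do... and can be written in a secure manner" argument above: the part of a DNS implementation that actually gets people is the wire parsing, in particular RFC 1035 name compression, where a label is either a length-prefixed string or a 14-bit pointer back into the message. The example below is added here by the editor and is not code from the commenter, from Microsoft, or from BIND; it is one way to decode a name so that a truncated label, a pointer that runs past the packet, or a pointer loop is rejected instead of read. The packet bytes are constructed for the example (a reply for example.com with a compressed answer name) and the self-pointer and truncated messages are hand-made malformed inputs.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Maximum pointer hops we will follow. Because every accepted pointer must
 * point strictly backwards, the walk already terminates; the cap is a
 * second, independent guard. */
#define DNS_MAX_HOPS 16

/* Decode the domain name at offset `off` of a DNS message `msg` (`len`
 * bytes) into dotted form in `out` (capacity `outlen`), following RFC 1035
 * compression pointers. Returns the number of bytes the name occupies at
 * `off` (what a caller must skip to reach the next field), or -1 when the
 * input is malformed: a label or pointer running past `len`, a pointer that
 * does not point backwards (self-pointers and loops), a reserved label
 * type, or a name too long for `out`. */
int dns_read_name(const uint8_t *msg, size_t len, size_t off,
                  char *out, size_t outlen)
{
    size_t pos = off, outpos = 0;
    int consumed = -1;      /* bytes used at `off`; fixed once we jump */
    int hops = 0, first = 1;

    if (outlen == 0) return -1;
    for (;;) {
        if (pos >= len) return -1;                 /* ran off the message */
        uint8_t c = msg[pos];
        if ((c & 0xC0) == 0xC0) {                  /* compression pointer */
            if (pos + 1 >= len) return -1;
            size_t target = ((size_t)(c & 0x3F) << 8) | msg[pos + 1];
            if (consumed < 0) consumed = (int)(pos + 2 - off);
            if (target >= pos) return -1;          /* forward or self pointer: a loop */
            if (++hops > DNS_MAX_HOPS) return -1;
            pos = target;
            continue;
        }
        if (c & 0xC0) return -1;                   /* 0x40 / 0x80: reserved types */
        if (c == 0) {                              /* root label: end of name */
            if (consumed < 0) consumed = (int)(pos + 1 - off);
            break;
        }
        if (c > len - pos - 1) return -1;          /* label data past the end */
        if (outpos + (first ? 0 : 1) + c >= outlen) return -1; /* no room for name + NUL */
        if (!first) out[outpos++] = '.';
        memcpy(out + outpos, msg + pos + 1, c);
        outpos += c;
        first = 0;
        pos += 1 + c;
    }
    out[outpos] = '\0';
    return consumed;
}

/* Constructed response: header, question "example.com" A IN at offset 12,
 * one answer whose name is a pointer (0xC00C) back to offset 12. */
static const uint8_t kResponse[] = {
    0x00,0x01, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01,
    0xC0,0x0C, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x0E,0x10, 0x00,0x04, 93,184,216,34,
};
/* Constructed malformed inputs. */
static const uint8_t kSelfPointer[] = { 0xC0, 0x00 };             /* points at itself */
static const uint8_t kForwardPointer[] = { 0xC0, 0x02, 0xC0, 0x00 }; /* two-entry loop */
static const uint8_t kTruncatedLabel[] = { 10, 'a', 'b', 'c' };   /* claims 10 bytes, has 3 */

int main(void)
{
    char name[256];
    int n = dns_read_name(kResponse, sizeof kResponse, 29, name, sizeof name);
    printf("answer name: %s (occupies %d bytes at offset 29)\n", name, n);
    printf("self pointer -> %d, forward loop -> %d, truncated label -> %d\n",
           dns_read_name(kSelfPointer, sizeof kSelfPointer, 0, name, sizeof name),
           dns_read_name(kForwardPointer, sizeof kForwardPointer, 0, name, sizeof name),
           dns_read_name(kTruncatedLabel, sizeof kTruncatedLabel, 0, name, sizeof name));
    return 0;
}
```

The two decisions that matter are the `target >= pos` check, which refuses any pointer that does not go strictly backwards (RFC 1035 only allows pointers to a prior occurrence, and strictly decreasing offsets make an infinite loop impossible without needing a visited-set), and checking the label length against the bytes actually remaining before the `memcpy`.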

  5. Pascal Monett Silver badge
    Trollface

    Re: Where did Microsoft Secure Code Initiative go?

    To that great Clippy store in the sky.

  6. LDS Silver badge

    I've got a NetGear device using an open source library which couldn't process the DHCP answer from my router - because the answer had additional - and perfectly legit - fields the library writers didn't take into account, and thereby allocated too little space for the answer... I had to change the DHCP server, because that vulnerability was never fixed.
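
Editor's note on the DHCP anecdote above: the failure described (a client sized its storage for the options it knew about, then a reply with additional, legitimate options overran it) is what a type-length-value walker is supposed to prevent. The example below is added here by the editor; it is not the commenter's code, not the unnamed open-source library, and not any NetGear firmware. It walks the RFC 2132 option area, skips unknown codes by their declared length, and bounds every copy by the destination field. The option bytes are a constructed "rich" ACK of the kind a home router might send, and the truncated blob is a hand-made malformed input.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DHCP_OPT_PAD        0
#define DHCP_OPT_SUBNET     1
#define DHCP_OPT_ROUTER     3
#define DHCP_OPT_LEASE_TIME 51
#define DHCP_OPT_END        255
#define MAX_ROUTERS         4   /* capacity we reserve; extra addresses are dropped, never overflowed */

struct dhcp_lease {
    uint8_t  subnet_mask[4];
    uint8_t  routers[MAX_ROUTERS][4];
    int      nrouters;
    uint32_t lease_time;   /* seconds */
    int      nopts;        /* every option seen, including ones we ignore */
};

/* Parse the option area of a DHCP message (the bytes after the magic
 * cookie). Each option is <code><len><data>, except PAD (0) and END (255),
 * which are single bytes. Two rules keep this safe on replies richer than
 * the parser expected: unknown codes are skipped by their declared length
 * instead of being an error, and every copy is bounded by the destination
 * field, so an over-long option truncates rather than overruns. Returns
 * the option count, or -1 for a malformed area (length past the buffer,
 * a code with no length byte, a fixed-size option with the wrong length,
 * or no END marker). */
int dhcp_parse_options(const uint8_t *opts, size_t len, struct dhcp_lease *lease)
{
    size_t pos = 0;
    memset(lease, 0, sizeof *lease);
    while (pos < len) {
        uint8_t code = opts[pos++];
        if (code == DHCP_OPT_PAD) continue;
        if (code == DHCP_OPT_END) return lease->nopts;
        if (pos >= len) return -1;                /* code byte without a length byte */
        uint8_t olen = opts[pos++];
        if (olen > len - pos) return -1;          /* declared length runs past the buffer */
        const uint8_t *data = opts + pos;
        switch (code) {
        case DHCP_OPT_SUBNET:
            if (olen != 4) return -1;
            memcpy(lease->subnet_mask, data, 4);
            break;
        case DHCP_OPT_ROUTER:                     /* one or more IPv4 addresses */
            if (olen == 0 || olen % 4 != 0) return -1;
            for (size_t i = 0; i < olen && lease->nrouters < MAX_ROUTERS; i += 4)
                memcpy(lease->routers[lease->nrouters++], data + i, 4);
            break;
        case DHCP_OPT_LEASE_TIME:
            if (olen != 4) return -1;
            lease->lease_time = ((uint32_t)data[0] << 24) | ((uint32_t)data[1] << 16)
                              | ((uint32_t)data[2] << 8)  |  (uint32_t)data[3];
            break;
        default:
            break;  /* NTP servers, domain search, vendor options...: skipped, not fatal */
        }
        pos += olen;
        lease->nopts++;
    }
    return -1;  /* ran out of bytes before END */
}

/* Constructed option area: the expected basics plus "extra" options
 * (42 NTP, 119 domain search) that a narrow parser would not anticipate. */
static const uint8_t kOptions[] = {
    53, 1, 5,                                   /* message type: ACK */
    54, 4, 192,168,1,1,                         /* server identifier */
    51, 4, 0x00,0x01,0x51,0x80,                 /* lease time 86400 s */
    1,  4, 255,255,255,0,                       /* subnet mask */
    3,  8, 192,168,1,1, 192,168,1,254,          /* two routers */
    42, 8, 192,168,1,1, 192,168,1,2,            /* NTP servers (ignored) */
    119,11, 3,'l','a','n',0, 4,'h','o','m','e',0, /* domain search (ignored) */
    0, 0,                                       /* padding */
    255                                         /* END */
};
static const uint8_t kTruncated[] = { 3, 8, 192,168,1,1 }; /* claims 8 bytes, has 4 */
static const uint8_t kNoEnd[]     = { 53, 1, 5 };

int main(void)
{
    struct dhcp_lease lease;
    int n = dhcp_parse_options(kOptions, sizeof kOptions, &lease);
    printf("%d options; %d routers; first router %u.%u.%u.%u; lease %u s\n",
           n, lease.nrouters, lease.routers[0][0], lease.routers[0][1],
           lease.routers[0][2], lease.routers[0][3], lease.lease_time);
    printf("truncated -> %d, no END -> %d\n",
           dhcp_parse_options(kTruncated, sizeof kTruncated, &lease),
           dhcp_parse_options(kNoEnd, sizeof kNoEnd, &lease));
    return 0;
}
```

The `olen > len - pos` comparison is written that way on purpose: `pos + olen > len` would be fine here with size_t, but the subtraction form is the habit that survives when the types become narrower or signed.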

  7. IneptAdept

    So where's your unbreakable code mate

    So Kabukiwookie, where is your unbreakable code mate.....

    Oh that's right, Keyboard Warrior Ho....

    Getting a bit fed up of this, not Microsoft's issue in the first place, that falls to the chip manufacturers.

    But please continue with your nonsense.... or link to your git repo with the unbreakable fixes you have made

  8. Walter Bishop Silver badge
    Facepalm

    Github has ever had to withstand that level of attack

    @veti: "Nothing on Github has ever had to withstand that level of attack."

    At least the source code and bug reports are fully disclosed. Let's hope Github can also spell:

    "The DnsQueryEx function should be used if an application requires asynchronous querries queries to the DNS namespace." link

  9. Michael Wojcik Silver badge

    Re: So where's your unbreakable code mate

    Getting a bit fed up of this, not Microsoft's issue in the first place, that falls to the chip manufacturers.

    What chip do you believe provides the Windows DNS client?

    (Inept indeed. And the worldwide apostrophe shortage is over, mate.)

  10. IneptAdept

    Re: So where's your unbreakable code mate

    Replying to the Spectre point.

    Not the DNS issue; as both are related to Microsoft, I assumed he was commenting on both.

    So, as there was no clear separation, I felt no need to make a clear distinction in my response.

  11. elvisimprsntr

    From what I read, Edge includes an integrated Adobe Flash player. So Edge security is the product of Microsoft and Adobe combined. Nice.

  12. Michael Habel Silver badge

    Wouldn't this hold true of Google as well? I knew that Chrome used to also have its own custom version of Adobe Flash written into it.... What I'm less sure of is if it still has it. As I'm more of a Firefox / Pale Moon luser myself.

  13. boboM

    yes, it used to, but these days Chrome blocks flash by default and only allows it with permission. At least Google is trying to keep things secure. Adding Flash by default these days (Edge) is just stupid. Flash is a security nightmare, always been. Still is.

  14. Sandtitz Silver badge
    Holmes

    "these days Chrome blocks flash by default and only allows it with permission. At least Google is trying to keep things secure."

    Edge has been doing it like that since v1703.

  15. TReko
    FAIL

    Does it fix more than it breaks?

    Most recent MS patches have resulted in more work trying to get servers working again.

    I reckon Microsoft has outsourced testing of its patches to their end-users.

  16. Hans 1 Silver badge

    2018 and Windows Server can be 0wned by a DNS or HTTP packet

    It’s also something that could be easily scripted. This means there’s a system-level bug in a listening service on critical infrastructure servers, which also means this is wormable.

    This looks bloody enough, but what about http.sys?

    Thank Feynman nobody is silly enough to hook up a Windows Server with IIS to the internet, right?

    Remember, http.sys is a kernel mode device driver, and it can be owned by a malformed packet???

    If you really have to use Windows server, install a 3rdparty web server, there are many available ... running as a user with minimal privileges ... all software gets 0wned, but only Novell and Microsoft would attempt to validate 3rdparty packets in kernel space ... and Novell stopped doing that decades ago ...

  17. David Gosnell

    Interesting choice of headline image

    Alt-texted as "window patch", but almost certainly hails from the days of the window tax. If only it were now as easy as getting some bricks and mortar, at least to make more than an individual stand against it.

  18. Anonymous Coward

    I honestly think bugs can be more efficiently found and fixed

    If Windows were open source.

  19. Anonymous Coward

    If this DNS exploit doesn't have a scary name and a cool icon, then it can't be that critical.

  20. Frank Marsh
    Holmes

    Device..... *Guard* - I had to look up one of the CVEs

    "Device was a special point of focus" -> "Device Guard was a special point of focus"

    FTFY

  21. GnuTzu Bronze badge
    Megaphone

    Decades of Code-Review Opportunity

    Get this!!! The book Writing Solid Code (20th Anniversary 2nd Edition), written by a former senior-level Microsoft developer, has much to say about parameter checking and code validation. Clearly, the knowledge and ability to identify bad coding was there--two decades ago--at Microsoft (not to mention the rest of the industry). That's two decades of opportunity for code review. Yet the rate at which such bugs are being found doesn't seem to be slowing down. Is it that hackers are getting better at finding these things? Probably. But if the hackers are getting better at finding these things--without the source code (supposedly)--then why can't Microsoft get better at finding these things when they have all the source code? Oh yeah; the money thing, and people have been conditioned to accept that patching is a normal and regular thing, especially for companies with monopoly-like (not wanting to get sued for libel) market control. Welcome to the Borg collective! Aaaaaaaaaaaaahhhhhhhh!!!!!!!!!!!!!!

  22. Michael Wojcik Silver badge

    Re: Decades of Code-Review Opportunity

    And Howard and LeBlanc were working for Microsoft when they wrote Writing Secure Code. And they also wrote The N Deadly Sins of Software Security (for various values of N) with John Viega.

    There are plenty of good software-security people who have worked, or still work, for Microsoft. Besides Maguire (Writing Solid Code), Howard, and LeBlanc, there's Mark Russinovich, Cormac Herley, and no doubt many others I'm not recalling at the moment.

    And they have strong research groups in other security fields. In cryptography, for example, Microsoft has, or had, folks like Kristin Lauter, Josh Benaloh, Cynthia Dwork, Frank McSherry... In languages, there's Andrew Gordon. And so on.

    But having even a large collection of great researchers and senior developers doesn't guarantee particularly secure products. When you have a large product line and large, complex products, software security requires pushing secure-development practices all the way down to the junior developers. It requires a development culture built around security. That's what Microsoft worked to develop after the Gates Memo, with their SDLC and other changes. It did make a substantial difference, but that kind of change is hard to sustain after you pick the low-hanging fruit. And that's why people are still finding exploitable bugs in legacy code bases.

    As far as I can tell, senior management (SatNad and other executive-level types) decided the returns from the sustained security push were diminishing, so they pulled resources from it in favor of work that's more visible to the typical buyer - user-visible features and eye candy - and stuff they could sell through other channels, namely SaaS (Office 365 and the like).

  23. Hans 1 Silver badge
    Windows

    Re: Decades of Code-Review Opportunity

    why can't Microsoft get better at finding these things when they have all the source code?

    Remember when some Windows 2000 source code got leaked? It was a completely unintelligible clusterfuck. They cannot start from scratch as they need backward compatibility; whole parts of the OS have not been touched in decades. Windows XP apparently had 40 million lines of code without third-party drivers! I assume Windows 10 has an order of magnitude more. And, given the skill of Microsoft developers one can witness in the open source code MS releases, thinking about that rm /bin/sh idiocy, I doubt the code is any good ... it works, sort of ... but that is about it.

    How hard can it be to design an update mechanism? Why does Windows Update take ages to find what needs updating, why does it install updates and ask you to reboot, then finish updating on shutdown and AGAIN on startup, then reboot again? We will never know because they are too ashamed of themselves to show us their code ...

  24. Ken Hagan Gold badge

    Within speaking distance?

    "physical access to a device (ie within speaking distance)"

    Does the soundtrack of a YouTube video count as "within speaking distance"?

  25. razorfishsl Bronze badge

    Looks like their "red team" is not earning their money.
