back to article Patch now: Design flaw in Windows security allows hackers to own corporate laptops, PCs

Another month, another Patch Tuesday, but this release has a special sting in the tail: a flaw in the fundamental design of Windows that's taken a year to correct, and is unfixable on Server 2003. The critical blunder allows miscreants to completely take over a domain-configured Windows system if it is connected to a malicious …

  1. malle-herbert Silver badge
    Devil

    "unfixable on Server 2003."

    Wow... what a coincidence...since server 2003 is (almost) EOL...

    1. Destroy All Monsters Silver badge

      Re: "unfixable on Server 2003."

      Design errors are like that.

    2. Sandtitz Silver badge

      Re: "unfixable on Server 2003."

      Same happened with NT4. Support ended in 2004 but the MS03-010 bug was found over a year earlier.

      "The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability."

    3. thames

      Re: "unfixable on Server 2003."

      Now you know why it took a year to (not) "fix". Some problems will go away by themselves if you study them long enough. Microsoft of course does have a solution, just buy the latest version.

      This "not-fix" is going to put a spoke in the arguments of the people whose plans involved not upgrading from 2003 for economic reasons. No doubt their friendly local Microsoft salesmen will cry crocodile tears over that.

      1. big_D Silver badge

        Re: "unfixable on Server 2003."

        Well, hopefully, you aren't lugging your Windows 2003 server around and plugging it into strange networks...

    4. Anonymous Coward
      Unhappy

      Re: "unfixable on Server 2003."

      It's not a bug, it's a feature.

      1. chivo243 Silver badge

        Re: "unfixable on Server 2003."

        "It's a hidden feature" fixed that one...

    5. Charlie Clark Silver badge

      Re: "unfixable on Server 2003."

      Can anyone spell class action? If the flaw has been known about for more than a year and Microsoft is unable to provide a fix for some customers, then they are within their legal rights in many jurisdictions to seek redress in the courts.

      1. Anonymous Coward
        Anonymous Coward

        Re: "unfixable on Server 2003."

        You think an unsupported EOL 12 year old OS is worthy of class action?

        1. Charlie Clark Silver badge

          Re: "unfixable on Server 2003."

          You think an unsupported EOL 12 year old OS is worthy of class action?

          Yes, because it's not EOL yet and not when the error was discovered.

          1. Sirius Lee

            Re: "unfixable on Server 2003."

            So upgrade you tight tw**. Linux systems have to be updated every few months. 12 years seems to have been enough time to offer great value. How old is your car, your phone, tablet, gaming console?

            1. Sgt_Oddball Silver badge

              Re: "unfixable on Server 2003."

              Urmm my cars 12 years old and still got recalled to fix a critical issue (to do with the airbags so quite an important one). But with software though it is a different issue. Roads and driving doesn't change that much in 12 years. Software/hardware/networks/security has changed massively in that time.

      2. adnim Silver badge

        @Charlie Re: "unfixable on Server 2003."

        Read the EULA, it absolves MS of any liability. It also states in weasel words that MS do not guarantee that their software will work in the way expected or indeed at all.

        MS have been crafting broken code since DOS. There is a reason no class action has been brought against MS for providing unfit for purpose software.... I refer you to the previously mentioned EULA.

        1. Anonymous Coward
          Anonymous Coward

          Re: @Charlie "unfixable on Server 2003."

          "MS have been crafting broken code since DOS."

          No more than most other OSs. In fact most other OSs have had more holes than current Windows versions over the last year (OS-X and the Linux kernel for instance).

          1. adnim Silver badge
            Stop

            @AC Re: @Charlie "unfixable on Server 2003."

            Way to go... Defend MS by citing the failing of others.

            There should be a word for "defend a failure by citing a different failure"...

            Shillism?

            Excuse making?

            Issue avoidance?

            1. Japhy Ryder

              Re: @AC @Charlie "unfixable on Server 2003."

              Whataboutery

        2. Charlie Clark Silver badge

          Re: @Charlie "unfixable on Server 2003."

          Read the EULA, it absolves MS of any liability. It also states in weasel words that MS do not guarantee that their software will work in the way expected or indeed at all.

          The EULA is only what MS thinks matters and this can always be contested in a court. For example, the clickthrough EULAs have been declared void in Germany. As, indeed, have labels on packaging informing people that by opening the package they agree to be bound by the licence agreement contained within.

          IANAL but, based on other unlimited liability cases in the US, I reckon there's good grounds for a case.

          1. big_D Silver badge

            Re: @Charlie "unfixable on Server 2003."

            @Charlie I thought click through EULAs are okay here, as long as you are presented with them before you agree to purchase / use of a product or service?

            It is certainly true that any changes / additions (including any T&Cs inside the sealed package, which the purchaser cannot read) to the contract after initial purchase / agreement are null and void - which is part of Facebook's problem at the moment, they are trying to force all their changes onto their userbase, but in Germany that is illegal, they have to inform the users and they have to individually agree to the changes.

            1. Charlie Clark Silver badge

              Re: @Charlie "unfixable on Server 2003."

              @big_D: all clickthrough EULAs are unenforceable. It has to be informed consent and whether this has been given or not can be contested in court.

              1. big_D Silver badge

                Re: @Charlie "unfixable on Server 2003."

                Ah, you mean when installing a product on a PC? After you have downloaded it? Yes, there you are correct.

                I was thinking in terms of setting up an online account. My mistake, confused the term.

    6. Anonymous Coward
      Anonymous Coward

      Re: "unfixable on Server 2003."

      Microsoft TechNet comments: A word on CVD and fixing difficult problems:

      In many regards, this security ‘fix’ is more accurately described as completely new functionality in Windows. Adding something of this scale posed a unique challenge to security response. Software vulnerabilities are typically more narrowly constrained in both investigation and remediation – and most response is structured to address that scope. Among the benefits of Coordinated Vulnerability Disclosure (CVD) is it provides for greater flexibility and deeper collaboration with researchers to take the necessary time and perspective to deliver the most complete security solutions to customers. In this case we tackled a vulnerability that required a much greater scope in engineering to deliver a solution.

      Most vulnerabilities reported to the MSRC are bugs in a single component, which are investigated, understood, and fixed within industry accepted response times. Creating the new functionality of UNC Hardening, however, required an entirely new architecture which increased development time and necessitated extensive testing. Thanks to CVD, and the close collaboration with the passionate security researchers who reported the vulnerability, Microsoft had sufficient time to build the right fix for a complicated issue. If the security researchers were not willing to refrain from disclosure until our fix was ready, customers would have been put at risk.

  2. Destroy All Monsters Silver badge
    Trollface

    I see

    Is this why the SSH brute-forcing non-vulnerability on Linux was mentioned today? To provide some "fairness and balance"?

    1. Anonymous Coward
      Anonymous Coward

      Re: I see

      Well, with us bastards using ad blocking tools, they have to get their money from somewhere.

  3. colin79666

    Server 2003

    Less chance of taking your Server 2003 box to a cafe and hooking it up to a rouge WiFi access point. Assume this affects XP though and plenty of that still going about on roaming clients.

    1. James O'Shea Silver badge

      Re: Server 2003

      A 'rouge' Wifi AP? Something special about French wireless APs, or about red wireless APs, or APs which are both red and French? Or are they just wearing makeup? Or, perhaps, the APs in question were set up by a certain bat from Sonic the Hedgehog?

      1. David 132 Silver badge
        Headmaster

        Re: Server 2003

        A 'rouge' Wifi AP?

        A typo that's far too common these days. Your too restrained - I tend to loose my temper when I see those, or assume there stupid.

        </snark>

        1. Anonymous Coward
          Headmaster

          Re: Server 2003

          Your too restrained - I tend to loose my temper when I see those, or assume there stupid.

          Please tell me that was on purpose.

          1. Omgwtfbbqtime Silver badge

            Re: Server 2003

            Both of them.

            1. Anonymous Coward
              Anonymous Coward

              Re: Server 2003

              I sore free, wears my prise?

          2. Anonymous Coward
            Anonymous Coward

            Re: Server 2003

            Whoosh

        2. Tom 35 Silver badge
          Facepalm

          Re: Server 2003

          " assume there stupid"

          1. GrumpyMiddleAgedGuy

            Re: Server 2003

            "assume they're stupid"

        3. Haff
          Facepalm

          Re: Server 2003

          They are or They're

        4. Anonymous Coward
          Anonymous Coward

          Re: Server 2003

          > Your too restrained - I tend to loose my temper when I see those, or assume there stupid.

          Trolling is a art...

        5. regadpellagru

          Re: Server 2003

          "A typo that's far too common these days. Your too restrained - I tend to loose my temper when I see those, or assume there stupid."

          Yeah, happens also on videogames forums where all sorts of people ask tips on playing "rouge" instead of rogue.

        6. asiaseen

          Re: Server 2003

          Sod's law strikes again: their not there? you're not your? lose not loose?

      2. elDog Silver badge

        Re: Server 2003

        Oh, come on, already. The IAOAM* has already deemed that rouge === rogue, in most cases. You can have rogue lips on a pig, and a rouge pirate (actually a rouge rouge.) However it is not ever acceptable to swap in a "rogue" when talking about moulins - just doesn't have that same melody.

        * International Association Of Allowed Misspellings

        1. veti Silver badge

          Re: Server 2003

          Are those the same bastards who are spreading the abomination that is "free reign"?

          1. Ben Liddicott

            Re: Server 2003

            And "shoe in" for "shoo in"..

    2. Anonymous Coward
      Anonymous Coward

      Re: Server 2003

      "This remote-code execution flaw affects all supported versions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1." So basically anything that displays the Windows logo when you start it, provided it's set up to join a Windows domain. XP is not on the list because it's not supported anymore.

      1. big_D Silver badge

        Re: Server 2003

        I thought Windows RT couldn't be added to a domain? At best it could use a new guest mode in Windows 2012 domains?

    3. DNTP

      rouge WiFi access

      I knew that hot little hotspot was trouble the minute she showed up on my network list. My brain said "no" but Windows had a mind of its own and connected anyway. She turned off network address translation and didn't ask me for a password- said she wanted it naturally, without protection- and that was when she took my heart and the admin rights. And that was also how I got this virus DAMMIT DON'T JUDGE ME IT WAS ONE TIME

    4. thames

      Re: Server 2003

      Thank goodness no-one would ever dream of connecting a Windows 2003 server to a network.

    5. Ken Hagan Gold badge

      Re: Server 2003

      If I understand it correctly (and posting here is the easiest way to find out), your internet cafe customer would have to be connecting to an SMB share that had been made available on the public internet (not via VPN). Furthermore, to let the attacker use fake group policy to take over your machine, you'd have to be logging into a domain via the public internet. If you are doing either, then I don't think you give a monkeys about security and you are probably already running a rootkit both on the client and the DC.

      It's an interesting case, but I think there's a reason why the design flaw went unnoticed for 25 years.

  4. LDS Silver badge
    Devil

    Thanks to heaven it was not found by Google...

    ... with its silly 90 days deadline for disclosure.

    1. LDS Silver badge
      Devil

      Re: Thanks to heaven it was not found by Google...

      Feel free to read http://blogs.technet.com/b/srd/archive/2015/02/10/ms15-011-amp-ms15-014-hardening-group-policy.aspx, you may learn a thing or two about what it took to fix the vulnerability and why a 90 days disclosure policy is silly and folly - and designed only to put competitors in bad light even if it means to put many people at risk.

      Ah, of course Linux has no such issues - it has nothing anywhere near Active Directory out of the box...

      1. Anonymous Coward
        Anonymous Coward

        Re: Thanks to heaven it was not found by Google...

        of course Linux has no such issues

        Design flaws in Linux? I'm sure there are, but things as severe as this are quite rare, usually because it uses industry standard methodologies that have been tried and tested for the past 40 years, and everything is thrashed out in the open by multiple independent experts whose only motive is to have a working and robust system without unnecessary (sometimes hidden) complexities employed purely to keep the competition away and locked out. It may not be perfect and there are trade-offs, but it's not bad by design.

        1. Anonymous Coward
          Anonymous Coward

          Re: Thanks to heaven it was not found by Google...

          Pretty sure if you ran the latest kernel source in production you'd find plenty of faults.

          If you run enterprise Linux distros then they build and test everything for you. Which is an admission that there would be lots of breakage and faults otherwise.

        2. LDS Silver badge

          Re: Thanks to heaven it was not found by Google...

          Exactly. As long as you stay safe in a 45 old design made for a single computer used by a few tens of users, it's much easier. Just, you're almost useless in an actual large network with thousands of users/devices or more. That's another reason why Linux clients went nowhere - from a management point of view, they're just an hassle. Sure, third party technologies exist to make them somewhat better (Puppet... why the need of it?), still they add-ons (which you may have to pay for anyway), lock you in anyway, and still are not integrated into the OS itself.

        3. Anonymous Coward
          Anonymous Coward

          Re: Thanks to heaven it was not found by Google...

          "It may not be perfect and there are trade-offs, but it's not bad by design."

          You must have missed the Linux network stack not being modular - so for instance NIC hardware acceleration requires kernel hacks. And SUDO. And having to tie your OS ACLs to your file system capabilities. And no constrained delegation. And things like SEL being a bolt on after thought. Having to parse flat text files that are randomly distributed everywhere for configs. etc. etc. etc.

        4. Def Silver badge
          Coat

          Re: Thanks to heaven it was not found by Google...

          Design flaws in Linux? ...because it uses industry standard methodologies that have been tried and tested for the past 40 years...

          fopen, strcpy, memcpy, et al. You mean those kinds of "industry standard" methodologies?

          1. Jaybus

            Re: Thanks to heaven it was not found by Google...

            fopen, strcpy, memcpy, et al. You mean those kinds of "industry standard" methodologies?

            No, because those are standard C library functions, not Linux, and also used by Windows, OSX, and every other OS. Of course, all of the above used safer versions of those functions for many years, at least since C99..

      2. Destroy All Monsters Silver badge
        Paris Hilton

        Re: Thanks to heaven it was not found by Google...

        Ah, of course Linux has no such issues - it has nothing anywhere near Active Directory out of the box...

        PRAISE $DEITY!

        I hope not many people access \\10.0.0.100\Share\Login.bat (or anything else over CIFS for that matter) from a coffee shop without VPN?

        1. LDS Silver badge

          Re: Thanks to heaven it was not found by Google...

          It looks you didn't understand it was just an example. The client will attempt to connect to the machine it usually use to download GPOs.

          To perform the attack, you need first to spot what UNC path the machine to attack actually use, then spoof it rerouting the request to your own share and then delivering the files it's asking for.

          Moreover "CIFS" is an outdated term - MS itself now refers to the protocol as SMB only.

          1. Anonymous Coward
            Anonymous Coward

            Re: Thanks to heaven it was not found by Google...

            Your knowledge on Windows is almost as low as your knowledge of Linux.

      3. joed

        Re: Thanks to heaven it was not found by Google...

        I'll not be praising Linux but by defending MS for taking time to fix complex bug is really missing the point. The issue is not about the time it's taken to fix it but rather about not implementing authentication of such a sensitive process. Fail.

        1. LDS Silver badge

          Re: Thanks to heaven it was not found by Google...

          Authentication *was* implemented but the design flaw was that if it failed the system fell back to an unsecure one. If you had read the Technet post:

          "a vulnerability existed whereby Group Policy could fail to retrieve valid security policy and instead apply a default, potentially less secure, group policy. This could, in turn, be used to disable the domain enforced SMB Signing policy."

          1. sabroni Silver badge

            Re: instead apply a default, potentially less secure, group policy.

            So if you have you windows configured with appropriate default group policy this isn't a problem?

            1. LDS Silver badge

              Re: instead apply a default, potentially less secure, group policy.

              Just to change the defaults you may need to change them manually on each and every machine...

      4. Anonymous Coward
        Anonymous Coward

        Re: Thanks to heaven it was not found by Google...

        "Ah, of course Linux has no such issues - it has nothing anywhere near Active Directory out of the box..."

        Or anything like Group Policy either.

      5. Paul 129
        Paris Hilton

        Re: Thanks to heaven it was not found by Google...

        http://blogs.technet.com/b/srd/archive/2015/02/10/ms15-011-amp-ms15-014-hardening-group-policy.aspx looks a good read. Not going to feed the troll. It does however raise the question what will happen with samba4 domain controllers, this could be unfun.

        Now that they've announced how expect exploits live shortly.

        Mind you good work on the fix MS (I don't believe the line about 2003 though)

      6. Jaybus

        Re: Thanks to heaven it was not found by Google...

        Hmm. RHEL 7 has FreeIPA out of the box.

  5. hplasm Silver badge
    Devil

    Oooh!

    Crapsticks!

  6. Mark 85 Silver badge

    “The architecture to properly support the fix provided in the update does not exist on Windows Server 2003 systems,"

    It probably means: we lost the documentation or the guy who knows how this was done isn't here anymore.

    1. Dan 55 Silver badge
      Devil

      Luckily the newer guys managed to fix the same bug which affected all the following versions of Windows in exactly the same way. Would you like to upgrade your version of Windows for a nominal fee?

      1. Anonymous Coward
        Anonymous Coward

        Pretty sure there's bugs in Windows 3.11, why aren't they patching those still?

        1. Dan 55 Silver badge

          Because that's not supported any more. Server 2003 still is. Except when it's the last year or so and then, well, we can't be bothered any more.

  7. Aslan

    Forbes, of all the paces that you would think would vet the security of their ad network. It would seem the only partial route to safety is to block all advertising, as this is a very common malware vector. Does El Reg have any thoughts on how to guarantee the safety of advertisements?

  8. veti Silver badge

    Huh?

    How exactly are you supposed to "use properly configured VPN solutions when connecting to untrusted networks.”?

    Someone with more knowledge please correct me if I'm wrong, but shirley - you need to establish the network connection before you can open your VPN? At which point it's too late.

    1. Destroy All Monsters Silver badge
      Headmaster

      Re: Huh?

      This makes no fucking sense.

      ms15-011-amp-ms15-014-hardening-group-policy.aspx

      In this scenario, the attacker has observed traffic across the switch and found that a specific machine is attempting to download a file located at the UNC path: \\10.0.0.100\Share\Login.bat

      So cleary, a VPN isn't in use. The specific machine communicates in clear. From starbucks. Yeah, having extreme fun treating the starbucks LAN like like a Domain yet?

    2. Anonymous Coward
      Anonymous Coward

      Re: Huh?

      "Someone with more knowledge please correct me if I'm wrong, but shirley - you need to establish the network connection before you can open your VPN? At which point it's too late."

      No. The VPN is the network connection. Without it connected, there should be no traffic transmitted between the networks.

  9. Anonymous Coward
    Anonymous Coward

    Server 2003

    Damn. I guess I will have to stop lugging my old ML570G3 running server 2003 down to the local MacDonalds to browse the web on their wifi.

    1. Anonymous Coward
      Anonymous Coward

      Re: Server 2003

      " I guess I will have to stop lugging my old ML570G3 running server 2003 down to the local MacDonalds to browse the web on their wifi."

      Or just make sure it's not a member server and remove it from the domain if it is.

      1. JamesTQuirk

        Re: Server 2003

        Yeah Well, Reconfigured the "linux" on Parrot Drone to run the HAM-Libary, so to give me range to suck up their WiFi & send it to me, but if they run windows, Your Right, I better stop using/pinching windoze based WIFI & throw out the Old Junk MS OS/PC, as you suggest....

  10. Binnacle
    Meh

    not a serious vulnerabality

    For ten or more years all decent wifi APs have isolated client stations so they cannot see each other's traffic. Today one would be hard pressed to find even a consumer grade wifi router that does not have client isolation active by default.

    And while we've seen a lot of stupid corporate security, I doubt even Sony fails to require encrypted VPN tunnels for remote laptop connectivity.

    Also has been ten or more years since anti-ARP-spoofing became standard on corporate switches.

    MITM is not so simple these days.

    Unless you're the NSA, GCHQ, etc. with limitless resources for mounting multilayered attacks (e.g. hacking Cisco switches, building black boxes to circumvent wifi isolation, etc), this weakness was not of much use.

    1. joed

      Re: not a serious vulnerabality

      Considering number of default configurations an attacker can just set a ARP "trap" and some "fool" will eventually bite login.bat, no need to see all the traffic.

      Also, any person with access to internal network can try exploiting the bug from the inside. And why not start with granting oneself admin rights.

      1. Anonymous Coward
        Anonymous Coward

        Re: not a serious vulnerabality

        "Considering number of default configurations an attacker can just set a ARP "trap" and some "fool" will eventually bite login.bat, no need to see all the traffic."

        Most corporate switches would stop ARP hacking these days, and switched networks would mean that you would not normally be able to see the traffic to otherwise intercept it.

        "Also, any person with access to internal network can try exploiting the bug from the inside"

        No - most corporate networks with current / recommended switch settings would block this.

    2. Jess

      Re: decent wifi APs have isolated client stations

      So as long as users are trained, to know the difference between a decent one and a poor one and only connect to those, all is fine.

      Connect with another device first and check the netmask, perhaps?

  11. Mr.Bill

    "Most home users shouldn't be hit by this"

    Don't worry, we home users have more than enough worries without this.

  12. Medixstiff

    M$'s programmers need to stop doing a copy/paste every time they do a new OS. I've lost count of the number of zero days that infect all versions of the OS up to the current one.

    You would expect after 30 years, someone at M$ HQ would have thought to check most of the code, slowly and thoroughly of course. They do have teams of programmers after all, not sure about the QA testers though.

    1. naive

      Spot on

      Your response is spot on.

      Unfortunately MS Operating Systems are never meant to be secure. Since the whole world is still addicted to MS, Uncle Sam and all the other eyes want it to be open to spying. Besides that, MS is supposed to keep the whole virus "protection" industry alive.

      Zero days in IE because of non-existent sandboxing ?.

      Since it is 2015, and most of the latest MS zero days make it look like it is 1997, the ones whining about the 90 day fix period of Google probably commute in 1930's cars, without seat belts, security glass, modern brakes and skip obligatory technical checkups

    2. Anonymous Coward
      WTF?

      So...

      ..Linux, OSX, UNIX, Solaris etc are written from he ground up? That brand new Linux kernal just released is completely new and not one bit of code has been reused.

      WOW!

      1. LDS Silver badge

        Re: So...

        Any good programmer working on large codebases knows it's exactly code written years ago under differnt assumptions that could bite your back later when those assumptions change (just like this and the Bash vuln). Many years ago a LAN was considered a "safe" place, while external "free" networks you can easly get access to were not so common... today those assumptions are false.

        Just the "it works, doesn't touch it!" attitude and the lack of time to review every piece of code while adding new functionalites, ensures that this kind of vulnerabilities will emerge later, especially now that deeper analysis are performed.

      2. Anonymous Coward
        Anonymous Coward

        Re: So...

        You're forgetting one thing:

        New versions of Windows are always sold to us as having new improved security, "re-imagined", and plenty of work under the hood - when in reality, it's just a different coloured lipstick that's been applied. This is evidenced by the bulk vulnerabilities (such as this one) effecting the entire range of Windows versions that are supported (and possibly unsupported, who knows).

        That's the problem us (real) users of Windows have.

    3. Anonymous Coward
      Anonymous Coward

      "M$'s programmers need to stop doing a copy/paste every time they do a new OS."

      Perhaps you can give an example of another OS where between versions, every piece of code was clean room built from scratch as you suggest? No? Didn't think so...

      "You would expect after 30 years, someone at M$ HQ would have thought to check most of the code, slowly and thoroughly of course."

      Microsoft's OSs do have fewer vulnerabilities these days than say OS-X or the Linux kernel (let alone a Linux distribution!)

    4. Anonymous Coward
      Anonymous Coward

      Hmm..what?

      As others have pointed out name one single OS that is grounds-up rewritten for every single update?

      And MS have tethered themselves to a large extent by always trying to provide backwards compatibility to some degree or other: usually quite a lot of it, in fact.

      From a corporate perspective do you want to have to upgrade all of your back end server infrastructure to support that new desktop OS? Let's see - I now need three or four active directory domains because OS version 1, 2 and 3 can't use the other versions...ditto for file services..database..email..web..

      In short, you don't have a clue, do you? But let's just bash them blindly because, "..well y'know, it's M$ and they're like really evil and shit and everyone knows they do crap code, yeah??.."

      I do, however, think it's fair to bash them for failing to patch 2003 and I would suspect lie about it being technically not possible as opposed to financially less than desirable.

  13. Allan George Dyer Silver badge

    The nice thing about OSs is that everyone gets a share of the schadenfreude.

  14. This post has been deleted by its author

  15. TaabuTheCat

    Just don't try installing 3001652

    That's the patch for VSTO, and it hangs WU. Lots of reports of this today so it's another MS Patch Tuesday screwup. What's funny about this one is, I installed it first on a test machine using Windows Update and when the VSTO update ran it prompted me to accept the EULA, but when I ran it on machines served by WSUS it just hangs, preventing all other updates from running, and short of a reboot you can't kill it. Wanna bet it's waiting for an answer to the EULA without actually displaying it??

    1. Anonymous Coward
      Anonymous Coward

      Re: Just don't try installing 3001652

      "Just don't try installing 3001652 "

      That patch was apparently not meant to be re-released and has now been withdrawn.

  16. Anonymous Coward
    Anonymous Coward

    samba?

    So what happens if I sit in said rogue coffee shop (Le Moulin Rogue, perhaps) with my windows lappy and try to connect to a domain that is really Samba? Same problem?

  17. TonyJ Silver badge
    Thumb Up

    Kudos to the researcher(s)

    For not spaffing it all over the internet before it was fixed.

  18. John 104

    Legitimate Question

    Deployment question here.

    I've read the release for MS15-14 and am unclear on one aspect. It appears to me that the highest vulnerability is with client machines connecting on disparate networks. If that is the case, then it would follow that those mobile workstations should be patched soonest. I'm seeing less of an issue or need for urgency for DCs unless the UNC hardening is desired?

  19. swampdog

    Unfixable on server 2003

    This stinks of the w2k scenario where m$ wouldn't supply (iirc) dx9 which was about the era I got out of windoze in favour of unix.

    <rant>

    Of course there's always some clients who insist on windows & sometimes one has to handle their problems. Well here's one. Having applied this month's patches without testing (not me), I get this..

    Win7 can't display win 2003 server (w3k) fonts correctly over RDP.

    I already fixed that with KB946633 but the latest updates have stuffed it both for machines which did have KB946633 and machines that don't. Spent the day changing terminal server setting from automatic to lan etc because now automatic detection of rdp stuff apparently "doesn't".

    Thought I'd sussed it. Noo.. Feedback: still looks a bit shit but we can live with it until EOL except courier new font is illegible. This is indeed true. Eventually I went there & (tada) it looks shit on the console as well.

    Nothing on Google about this. Symptoms (best done locally to rule out RDP issues)..

    Control Panel -> Fonts -> Courier New (displays fine)

    Apps: Firefox,Thunderbird don't display fine - that led me down a dead end, nearly filed a bug report over that but thought to create a libreoffice doc. Same thing. Exported that to pdf & displayed it. Looked fine so we're looking at a display problem.

    </rant>

    The only thing worse than trawling windoze forums is trawling android forums.

    Btw: if anyone has a fix pls post!

    1. Anonymous Coward
      Anonymous Coward

      Re: Unfixable on server 2003

      God I wish people would grow up. M$? Windoze? Seriously? After all these years?

      Anyway look here - http://windowsitpro.com/msrc/patch-tuesday-font-corruption-kb3013455

      1. swampdog

        Re: Unfixable on server 2003

        Thanks for the link but no solution. m$ mention there's an issue. No solution. Have I missed something? Perfectly possible. I've been up 36 hours!

    2. Sandtitz Silver badge

      Re: Unfixable on server 2003

      "This stinks of the w2k scenario where m$ wouldn't supply (iirc) dx9 which was about the era I got out of windoze in favour of unix."

      W2K received DX9 and DX9 updates until 2010. Of the post Win3.1 versions only Windows 95 was limited to DX8 (because Win95 lost support before DX9), and NT4 was limited to DX3 - probably because at the time all the games were for 99% DOS and the rest for Win95 (or 3.1), and NT wasn't sold for consumer use.

  20. Anonymous Coward
    Anonymous Coward

    Updates on AMD Windows 7 machines

    One of these Security Updates (I have to find out which one) is borking my AMD machines. The effect is to emulate a 286 processor.

    Sigh.

  21. John 104

    @AC

    God I wish people would grow up. M$? Windoze? Seriously? After all these years?

    Linux? Seriously?

    Nix systems aren't without their issues either and for an overall enterprise solution MS is still the only game in town.

    Extol all the virtues of how secure nix systems are and how awesome your VI skillz are. But nix systems are not particularly practical for getting real work done outside of the server room...

    1. JamesTQuirk

      Re: @AC @John 104

      "nix systems are not particularly practical for getting real work done outside of the server room..."

      Seriously you can't read a manual, another "IT Pro" who can only use Windows, in 43 years I lost count of OS I have used, get over it, I know you paid big money to a MS engineer, on paper, I suppose if they are not selling tablets/OS they have to get their money from some idiot ......

      Windoze, the paper clip returns, this time in 3d with tits, and the Azurb Clod Drive, yes, big year for you guys, but you will need more RAM/HD/CPU, as always .... Maybe if you knew what you where doing & where your files are, you wouldn't need all that Cortana system fat ...

  22. John B Stone
    Holmes

    And the server vulnerability vectors are?

    So for windows 2003 servers to be at risk they have to be connected to a rogue network.

    Most servers are not connected to a wireless network at all and generally for larger businesses are in physically hard to access locations. Therefore the main vulnerabilities seem to be:

    Access to the network connection anywhere between the windows 2003 server the AD server (could be in a remote office, and over a 3rd party link - hello spooks!)

    Virtual servers carried around on laptops (eg demos) which you might connect via a wireless network or plug into a home network

    Home based and small business servers where they are connected to wireless networks or just generally not too hard to access

    Physical server access (duh) though they only have to plug a cable in and not access via console therefore leaving no obvious trace

    and this only has to happen anywhere in your domain for you to have an owned server inside the corporate firewall...

  23. grumpy-old-person

    Now it is clear how "bad" open source is!

    So where is the proverbial wailing and gnashing of teeth that accompanied Heartbleed?

    Microsoft and many others (eg Adobe, Oracle) pour immense resources into their software but still have regular OMG! patching cycles.

    How does the open soutrce community take a beating for each bug in their extremely useful software but MS has inflicted their "quality software" on us for decades with hardly a murmur?

    No prizes for guessing that my machines do not run Windoze.

    1. JamesTQuirk

      Re: Now it is clear how "bad" open source is!

      Exactly, they give MS&Apple bulk money for a Secure & reliable OS, then 21 year old bash holes are a issue, that was dealt with by OpenSource, they just made their OS's into Pretty, Bloated, Spyware, with Bloated app's, I've only ever met 2 people who have "kerned" a font in office in over 30 years, works was more than most people needed, but then there is LibreOffice, Great suite, FREE to home users, with anything office can do, well except report back to MS, & MS have to be compatible in European Countries, because the EU didn't like MS owning your documents via Document Format.

      I run all my Older MS software on VM's or just wine, I play HALO, HALO2, Call of Duty 1 to Modern Warfare 3 in wine ... I only use VM's for a few that need a big setup, Like older systems I still support (having a .iso of HDD you are trying to work with a 1000 miles away is handy), My Xbox/ps2 sits on boxes of Older systems, cause I have emulators in Xubuntu that let me run the games on Big screen, Also for Amiga/C64/Atari, I could have more, but I have to some work around here, but after I get tired of running over teenagers, with a warthog .....

      Some people grew-up with MS & Apple it's all they know, they have divided into camps, cause it's cost them a lot to "keep the faith", so admitting it is a waste of money, to themselves may take some time, while they learn something "new" ....

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019