Microsoft changes DHCP to 'Dammit! Hacked! Compromised! Pwned!' Big bunch of security fixes land for Windows

It's the second Tuesday of the month, and you know what that means: a fresh dump of security fixes from Microsoft, Adobe and others. The March edition of Patch Tuesday includes fixes for 64 CVE-listed vulnerabilities, while Adobe addressed a pair of bugs in Photoshop and Digital Editions. Even SAP has got in on the game. You …

  1. gerdesj Silver badge
    Gimp

    Word

    "These bugs are particularly impactful"

    That word makes me want to go completely postal.

    1. Rich 11 Silver badge

      Re: Word

      Bugs?

    2. Giovani Tapini
      Coat

      Re: Word

      @gerdesj

      Lucky that Microsoft leveraged the power of the CVE system to remediate these potential risks or their performance of their managed software environment...

      ...

      no, sob, I just can't write it. Not even for fun ...

      1. Fred Flintstone Gold badge
        Coffee/keyboard

        Re: Word

        Here I sit, grinning like an idiot at my screen :)

        Have an upvote, you made my day.

      2. hplasm Silver badge
        Devil

        Re: Word

        "no, sob, I just can't write it. Not even for fun ..."

        You did though. You wrote 'leveraged'... Bad you.

        1. Fungus Bob Silver badge

          Re: Word

          No, no, no, MS didn't leverage anything. Yet. They just had high-level meetings in which they dialogged with affected stakeholders in order to determine the scope of the issue. Things are at way too much of a preliminary stage to drill down to any specifics.

  2. Will Godfrey Silver badge
    Unhappy

    Ahead of the game?

    Clever of them to catch bugs so soon in the new and unproven DHCP

    /s

    1. Anonymous Coward

      Re: Ahead of the game?

      It was implemented in the early 90's...I wonder if any of those coders still work at Microsoft...doing coding.

      1. ReverandDave

        Re: Ahead of the game?

        I don't think anyone at Microsoft codes because they wrote a really advanced copy and paste program to do it for them.

        1. fobobob

          Re: Ahead of the game?

          I'm waiting for them to open source the software they use to convert arbitrary PowerPoint presentations into deployable Windows features.

    2. LDS Silver badge

      Re: Ahead of the game?

      A couple of years ago I saw Netgear WiFi devices that had issues when the DHCP answer was too long for the open source library they used to handle DHCP - and still the answer was fully compliant, albeit with some less common options.

      I didn't have time to investigate if they could have been compromised. Just sent them back and replaced them with something better.

      Guess they too had issues with the new and unproven DHCP protocol....
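
Added example, not part of the comment thread and not any vendor's code: DHCP replies carry their options as code/length/value triples (RFC 2132), and a parser has to check every length byte against the bytes actually received. The function name, result codes and sample option areas below are constructed for illustration; option overload and RFC 3396 long-option concatenation are not handled, and a missing End option is treated as malformed by choice.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { DHCP_FOUND = 0, DHCP_NOT_FOUND = -1, DHCP_MALFORMED = -2 };

/* Constructed sample option areas (the bytes after the magic cookie). */
static const uint8_t good_opts[] = { 53,1,2, 0, 119,3,'a','b','c', 51,4,0,0,14,16, 255 };
static const uint8_t cut_opts[]  = { 53,1,2, 51,4,0,0 };  /* lease time cut short */

/*
 * Walk the options area and locate option `code`. Every read is checked
 * against `len`, so a truncated or over-long option is rejected instead of
 * being read past the end of the buffer.
 */
int dhcp_find_option(const uint8_t *opts, size_t len, uint8_t code,
                     const uint8_t **val, uint8_t *vlen)
{
    size_t i = 0;
    while (i < len) {
        uint8_t c = opts[i++];
        if (c == 0)                   /* Pad: single byte, no length field */
            continue;
        if (c == 255)                 /* End: clean end of options */
            return DHCP_NOT_FOUND;
        if (i >= len)
            return DHCP_MALFORMED;    /* code byte with no length byte */
        uint8_t l = opts[i++];
        if (l > len - i)
            return DHCP_MALFORMED;    /* value would run past the buffer */
        if (c == code) {
            *val = opts + i;
            *vlen = l;
            return DHCP_FOUND;
        }
        i += l;                       /* unknown or unwanted option: skip it */
    }
    return DHCP_MALFORMED;            /* ran out of bytes before End */
}

int main(void)
{
    const uint8_t *v = NULL; uint8_t n = 0;
    int r = dhcp_find_option(good_opts, sizeof good_opts, 51, &v, &n);
    printf("lease time: rc=%d len=%u\n", r, r == DHCP_FOUND ? n : 0u);
    r = dhcp_find_option(cut_opts, sizeof cut_opts, 51, &v, &n);
    printf("truncated reply: rc=%d\n", r);
    return 0;
}
```
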

    3. Fungus Bob Silver badge

      Re: new and unproven

      In Microsoft's case, it's new and improvened...

  3. big_D Silver badge

    Adobe Flash

    Updates from Adobe for Flash for IE and Edge were also included in the flood of updates supplied through Microsoft.

    I'm guessing they were also in the Chrome and Firefox updates, but I don't have Flash for Firefox installed, so I can't be certain.

    1. DailyLlama

      Re: Adobe Flash

      Yep, there were updates for Flash player for all browsers too. I guess they just didn't contain anything exciting enough to be written about.

      1. phuzz Silver badge

        Re: Adobe Flash

        I'm pretty sure that Flash not requiring an update would be newsworthy, not the other way around.

  4. Waseem Alkurdi

    Deja vu?

    First, there are the trio of CVE-2019-0697, CVE-2019-0698, and CVE-2019-0726, all covering holes present in the DHCP server component for Windows. Each of the flaws would potentially allow an attacker on the local network to achieve remote code execution on a targeted machine simply by sending a malformed DHCP network packet.

    I'd swear I've seen this before ... and in an article on El Reg no less ...

    Doesn't M$ learn?

    1. Fred Flintstone Gold badge

      Re: Deja vu?

      Doesn't M$ learn?

      Not if it doesn't impact profit, no.

    2. SNAFUology

      Re: Deja vu?

      Doesn't M$ learn?

      Didn't M$ hire Mark Russinovich (from Winternals) to teach them - He was visiting them so often they said you may as well work here!

  5. Anonymous Coward

    MS DHCP - just say no

    Microsoft's DHCP is fundamentally broken and access to a Microsoft DHCP server requires a suitable CAL for every device.

    1. TheVogon Silver badge

      Re: MS DHCP - just say no

      "Microsoft's DHCP is fundamentally broken and access to a Microsoft DHCP server requires a suitable CAL for every device."

      They just fixed it though. And MS DHCP Server has built-in features like cross location active-active clustering that are way more painful to implement using anything else.

      nb - CALs are also needed if like most companies you use Windows Server for DNS!

    2. bombastic bob Silver badge
      Devil

      Re: MS DHCP - just say no

      yeah but from what the article said about every device having a DHCP client, it ALMOST sounded like the DHCP CLIENT was vulnerable...

      But I remember an earlier article about the server flaw, and I'm sure I snarked all over that.

      I agree with the 'just say no'. The MShaft DHCP server is WORTHLESS. I just use bind for DNS with isc-dhcpd on a Linux or FreeBSD box. It has worked for me for nearly 2 decades, and was relatively painless to set up with a short RTFM session.

      1. Anonymous Coward

        Re: MS DHCP - just say no

        Presume you're not using ActiveDirectory then?

      2. Anonymous Coward

        Re: MS DHCP - just say no

        Linux had the exact same problem a few years back. Was able to execute any command as root using a dhcp response (udhcpc). Used it to get into a set top box, busybox install, so I could extract the pairing key for the smart card.

      3. david 64
        Thumb Up

        Re: MS DHCP - just say no

        "I agree with the 'just say no'. The MShaft DHCP server is WORTHLESS. I just use bind for DNS with isc-dhcpd on a Linux or FreeBSD box. It has worked for me for nearly 2 decades, and was relatively painless to set up with a short RTFM session."

        Thanks for:

        1) commenting so eloquently on something you demonstrably know nothing about

        2) firing out the 'it's worked for me for 20 years, it must be fine' classic

        3) taking the time to do both in a public IT forum

        Brightened up my day.

  6. PM from Hell
    WTF?

    Disable TFTP services

    TFTP (Trivial/Telephone File Transfer Protocol) is a very insecure protocol from the depths of time, the only valid (back then) use I have come across for it was to download telephone configurations into early 'smart' handsets. Most servers shouldn't be running a TFTP service at all, no authentication. Ironically I only came across it again a couple of years ago when a young developer found this 'new' file transfer process which was easier to use and didn't rely on passwords. Needless to say he received a bit of mentoring on security by design rather than obfuscation and relying on the fact nobody would be looking for the huge security hole he had just introduced into my infrastructure.

    1. Nolveys Silver badge
      Windows

      Re: Disable TFTP services

      I think you need it for pxe. Super-handy for installing winders, just boot a super-basic windows image over tftp, net use a location with Windows installs and run setup. The only crappy part is making sure the basic windows has the right network drivers. That and the part where you are using Windows.

    2. jtaylor

      Re: Disable TFTP services

      VoIP phones

    3. Alan Brown Silver badge

      Re: Disable TFTP services

      "TFTP (Trivial/Telephone File Transfer Protocol) is a very insecure protocol from the depths of time"

      Yup. The _only_ secure way to use it is only to enable the service when you need it, only for long enough to do exactly what you need to do and double-check that nothing snuck in whilst you had it enabled.

      (If anything needs it for booting then it needs to be in its OWN isolated VLAN along with the TFTP server, and the server end needs to be locked down enough so that access is read-only)
