Microsoft rushes out emergency Windows security fix Microsoft has released an emergency security update for a broad swath of its users that patches a critical security hole that is already being exploited in the wild. The vulnerability - which has been subjected to "limited, targeted attacks" - could allow miscreants to create wormable exploits that remotely execute malicious …
There was a previous version of this article, which had more (and different) comments.
An unarticle it is now?
Que?
Oh hang on, found it: "emergency windows update" <> "windows emergency update"
http://www.theregister.co.uk/2008/10/23/windows_emergency_update/
No black helicopters here then.
"An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely."
Good lord M$, what sort of privileges do you allow your users? Wasn't that annoying UAC meant to sort this kinda shite out. Bet you it's because IE is still running at the kernel level instead of being a "normal" app which has restrictions on what it can do.
....another month another "M$ system in complete control of hacker" story.....and so it continues...8...maybe 9 years or so now.....and so i'll carry on not using M$ products.....
LOL, no kidding. The work they did on Vista and such is commendable and all, but still amounts to patches on a leaky boat. RPC is a gigantic hole, that should have never been opened in the first place. Remote execution of code by default is laughable, and the fact that this port needs to be open for Windows machines to perform the most basic operations is even more so. But mostly it is idiotic that this service is completely un-transparent, giving the user little control into seeing which services are running, fire walling those RPC services, etc. And no, the COM+ control panel doesn't count as it is several layers above RPC, and is hard to use anyway. The whole thing is a gapping hole in Windows, and needs to be removed or at least visible to users.
"You're not going to see a worm on Vista or Server 2008."
Is it a technical statement or more a marketing statement? Obviously, to those who've actually been around, what was probably meant was: "You're going to see fewer worms on Vista or Server 2008 (than on earlier versions).".
There are many reasons what MS has failed to do (or chose to ignore/sacrifice) over the years, but I'll point out one: the way the user and (3rd party) software interacts w/ the OS. Giving user admin-level account does makes things easier for users, but also makes this easier to screw-up (I don't think I would need to evaluate on this). Vista did made some changes, such as UAC, to make sure the user actually vetted and wanted certain actions done. But there are already known easy ways to bypass such "security" features, all widely and readily available.
As for the software, do some really need such deep access to the OS/system? The majority doesn't need to install drivers or services just to operate. Heck, they even be able to operate on the own context of the user w/ needing to tamper the whole system. Take for example some messenger software, where (at least one) installs a service. What for? For the Shared Folders feature? That can be done w/n the (security) context of the user. Not only are they prime target for exploitation, but successfully exploitation (and there is little doubt about it) means the attacker has system-level access to the system. With the current trend, it just compounds the former problem: users wants to run admin-level since their "favorite" software requires system access, sometimes frequent access.
Arrggghhh... I'm rambling again...
Have you read the blog post? UAC does block the problem hence why it is an important update (one that gets patched automatically through Windows Update) and not a critical update (runs code without user intervention).
Also what does this even have to do with IE? It is a worm, you don't do anything. Also most home users should find their router protects them from attack, unless an infected computer comes inside the network.
UAC does sort that shite out. That's why it doesn't affect Vista and 2k8 devices. Its actually quite clearly stated in the article, but we wouldn't want to let that get in the way of your rabid fanboyism.
Though arguably, I should have just ignored your post the second I saw you'd used the term "M$". It is quite useful though. It allows me to distinguish between people using other OS's because they suit them better, and people using other OS's to stick it to the man.
"Bet you it's because IE is still running at the kernel level instead of being a "normal" app which has restrictions on what it can do."
Bet you it isn't, because that is an urban myth. IE has never been anything more than a normal app. Of course, since nearly every Windows user runs as administrator, the distinction is not terribly important.
"So if I understand this right, it's a vulnerability in the RPC handling. Now, assuming I have a half-way decent firewall set up that disallows incoming requests from outside my domain, that neutralises the attack entirely?"
Yes. The vulnerability appears to be in the "RPC over SMB" code path used by file sharing (CIFS) and such a firewall is one of the workarounds.
If you're internet connection is a router with either NAT or a half-way decent firewall then the ports aren't visible from the internet, so the vast majority of domestic users (and surely *all* business users) are safe. If your router has an inadequately secured wireless connection, you might be vulnerable to the bloke parked outside in the street.
Any home user without a router, whose Windows box enjoys the IP address provided by their ISP, is probably at risk, but such machines are almost certainly part of a botnet already and presumably their local rootkit would block any further invasion.
All in all, it is hard to see why MS are making such a fuss.
Is it me or is this getting more and more tedious?
"Look Linux is perfect."..No it's f**king not. The sooner you 11 yr olds learn that, the better. Now f**k off and go do your homework.
Google:
linux remote code exploit
PS, I'm no Windows fanbouy, I'm just past this crap my dad is harder than you dad shit. All O/S's have holes, jus f**king get over it before your mum finds out that you're still up after 8pm.
Can I have flame of the week or do I need more capitals?
To remind yourself that Microsoft is allegedly the greatest software provider on the planet with the best brains in the industry...
Best that is, for producing a complete pile of utter, worthless shite
If there stuff was free, downloaded from the Internet, wed chuck it away and laugh the tossers out of court, but its the exact opposite, its f**king horrendously expensive and their ability to shaft their customers with the 'next load of bollox' is beyond belief.
So, in return for a year of constant crashes, 5 minute boot times, slowdowns, UAC warnings, unreliability and unusability with vista, I finally get to smugly turn round to the plebs using XP and say "ha! I'm marginally less susceptible to this vuln than you weenies ". Or at least I would be if we weren't using a firewall. Until they've installed the patch of course, in which case they're not susceptible to it either.
BIG BLOODY DEAL
If you added up the man hours spent cleaning up the mess from blaster, sasser et all, I bet it would pale into insignificance compared to the time spent trying to clean up the mess caused by vista.
Also, anyone notice that this patch is "beta" and no support is offered my microsoft. So you're damned if you do and you're damned if you don't.
about 2-3 days before Patch Bluesday Oktoberfest I had a isolated XP test machine (linux campus here otherwise - this is just me keeping my hand in) that suddenly showed the shield icon and refused to let me change back to automatic updates. So I airgapped it and blew it to an image. Then set a new install back on test.
Sooooo, after yesterday's teatime confession release I gave it a look over in a new light, and sure enough after a sleuthkit session, traces found of this one. It did not, in itself, disable the auto-updates.
It would have been more professional IMHO if the signatures were released earlier. But it was behind an all incoming blocked firewall. So the delivery was by another vector (I'm working on it, but as I'm not deploying or recommending MS stuff any more it's a rainy day job. "job" being the pun here. priority "number 2" geddit? load of old....)
So "limited, targetted attacks" is being economical with the facts.
1:When should you patch? Well, about 3 weeks ago, is my tip.
2:Infocon yellow is entirely justified. The Yawners need to take a few courses and a reality check.
3:Its the wormability thats frightening here, Droppers are one thing but uncontrollable spread is not what I want on my toast these days
:q!
Not much one for study, eh? MSIE is definitely NOT a "normal" application by any stretch of the imagination. Just ask Microsoft ... "Internet Explorer has been an integral part of the Windows operating system for over a decade" ... this during arguments about whether it is able to "unbundle" MSIE from the Windows operating system. They cannot "unbundle" it because it is "an integral part of the Windows operating system", just like Microsoft Media Player.
Everyone saying "I have firewall therefore I am safe" is also blocking every single other vector for zero-day malicious code to maintain that "safety", right?
Never underestimate the capability of a user to do something stupid and, thanks to the nature of this bug, it only takes a very small amount of user-stupid to cause a serious amount of harm.
"MSIE is definitely NOT a "normal" application by any stretch of the imagination. Just ask Microsoft ... "Internet Explorer has been an integral part of the Windows operating system for over a decade" ...
I repeat, MSIE is a normal application. It runs in user space. It no more demands kernel privileges to do its work than firefox. Obviously it is an integral part of the *product*, but you are just being stupid if you think every part of Windows is part of the operating system.
"Google: linux remote code exploit"
I admit I skimmed over a few of these, did not do an in-depth study. Most if not all of them seemed laughably limited. One gave you the privileges of the web server. One said it allowed the local user to get "elevated privileges" but didn't say HOW elevated. None of them seemed to allow you to get root.
M$ (yes, AC, I did that on purpose) on the other hand has a long history of exploits that can take over or completely destroy the machine while simultaneously making it painful if not impossible NOT to run as Administrator.
*nix isn't perfect either. Call me a Linux fanboi if you like. I'm running a FreeBSD server, MacBook with Leopard main plus XP under bootcamp and Parallels, main desktop is XP, backup server is XP. At work it's XP, I'm setting up an Ubuntu server for issue tracking and version control. Been running DOS since 3.3 and Windows since 3.1. I think Windows is pathetic. Having a critical opinion of Windows apparently brands me as a Linux fanboi. Having a Mac brands me as a Mac fanboi. Kthanksbye.
This post has been deleted by its author
i hate to admit this but...what do i know?
i downloaded and ran the patch as suggested. it seems i no longer have control of Outlook -- no preview pane and am unable to send outgoing mail. i've re-started multiple times to no avail...
...suggestions?!?!?
thx in advance for any help
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
