back to article White hats release exploit for critical Windows vuln

White-hat hackers have released reliable code that remotely exploits a critical vulnerability in the Vista and Server 2008 versions of Microsoft's Windows operating system. The exploit code, released Wednesday by security firm Immunity, came as separate researchers with the Metasploit penetration testing project said they were …


This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Worm unlikely

    The absence of significant Windows worms since Slammer in early 2003, even for eminently wormable vulnerabilities in very widely used network protocols, is interesting in itself. My guess is that exploit developers capable of writing such things are all working either for security boutiques like ImmunitySec, TLAs, or are consumed with (1) churning out client-side drive-by exploits for browsers, plug-ings and media/office apps, and (2) writing throwaway SQL injection attacks to compromise crappy PHP bulletin boards, content management systems, Cpanel and one-off custom webapps. The fruits of (2) are seeded with (1) and lo, the spam keeps a-flowin'.

  2. Mikel


    6,443,852 unique IP's generated 435,608,525 hits to the Conficker Work Group servers yesterday. Both of those numbers are new records.

    That's just one botnet of many. Mean time to clean is what, 2 years? Wouldn't it be nice to opt out of this game?

  3. Anonymous Coward
    Anonymous Coward

    Re: Worm unlikely

    Personally I think worm developers are getting smarter. I am sure they realize that aggressive worms are at higher risk of clogging networks and thus being detected. It is in a worm writer's best interest to own a system and hold onto it undetected. I have a feeling worms are still flying around compromising systems left and right, they are just more subtle.

  4. Big-nosed Pengie


    "It affects the most secure operating system Microsoft has put out other than Windows 7."

    Enough said.

  5. Shagbag

    History Repeats

    Time and again Microsoft releases a new version of its Windows plarform proudly declaring it "the most secure yet".

    Time and again we see exploits appearing shortly thereafter.

    Isn't it about time we all recognised and admitted that the proprietary software development model is not superior to the open-source development model?

  6. Mr Ian


    Technically Microsoft is correct with this claim, as well. Windows 7 is touted as "the most secure yet" and it just so happens that Windows 7 (RTM) is the only one that isn't affected by this new vulnerability.

  7. Anonymous Coward
    Anonymous Coward


    The term "the most [anything] yet" is relative, so it doesn't mean anything really, regardless of platform. If a flaw is found in a new product, it's an inevitable part of the software life cycle, isn't it? As long as it's open source, of course. Otherwise it's something worse.

    As for the superiority argument, I'd say the issue is failing of individual vendors rather than the development model. The typical arguments about being able to check the source code are no use to people who aren't up to reading it or simply need to get on with other things. For most businesses the real appeal of Open Source, at least at first glance, is going to be the cost - money is what business is about, after all. Support? Well, they can buy it or get people in who know (for example,) Linux (which strikes me as the main reason a lot of people want it in their shops; they feel they'll have increased value in the workplace.) Of course, the IT staff already in place can crosstrain too. It's not difficult, after all.

  8. Thomas Bottrill


    "Rather, it means attackers can use the internet to take over vulnerable machines located half-way around the globe."

    And how many people have the SMB2 ports forwarded to their machines?

  9. Anonymous Coward

    @Shagbag... your (very) weak arguement, Open Source is perfect. How many poeple are saying it's superior, except the people who work for said companies.

    However I'm not retarded enough to belive that Open Source is 100% secure, no operating system is. If you think otherwise, then you really should find another career (unless of course your a schoolboy who thinks you know about IT)

  10. Busted
    Thumb Up

    @ Shagbag

    The market share of Windows means it is targetted for exploits way more than Linux or Mac hence why security flaws are shown up more often. I'd love to see MS open source but it won't happen until there is no money in the OS.

    btw. Windows 7 Professional RTM is very nice I've done a side by side comparison with Vista business fully updated with 7 Professional RTM. Using the same hardware I had used for my initial vista test I did all those years ago.

    7 is hands down what Vista should meaning that ageing quad core system with 2GB I have multi tasks like it should and I finally see a worthy upgrade from XP which lets be fair is getting a bit dated.

    Either way the future looks bright no matter what OS your on :)

  11. Anonymous Coward

    RE: @Shagbag...Anonymous Coward 07:40

    I don't think it was suggested that open source is 100% secure, or perfect for that matter. You should attempt to understand the posted comments before you decide to instantly vomit up your knee jerk responses and childish insults. You might come across as something other than a schoolboy yourself.

  12. This post has been deleted by its author

  13. Anonymous Coward
    Anonymous Coward

    Another way to look at the security...

    issues in any OS is how many resources do the creators of that OS have to make that OS secure.

    Let's face it MS has more resources to put into make their OS secure than Open Source, yet they don't seem to achieve this fundamentally important functionality.

    So the question remains, why can MS not create a significantly more secure OS than open source (it would seem not as secure as many other OSs)? Is it because the structure of their OS is flawed? Is it because their OS devs don't know what they're doing (I doubt this is the problem)? Are there other reasons for not making the OS more secure (possibly, but I don't know why)?

    With all the years and resources that MS has had to build a significantly more secure OS I wonder why people still trust them and spend their real, hard earned money for the product.

  14. g e

    Most secure ever

    as designed by MS and by their own standards, not much to shout about.

    Most secure anywhere is the phrase that means something

    Mine's the one with enhanced multimedia performance which will dazzle you....

  15. Martin 75

    @ Mosh Jalan

    BeOS ?

  16. Anonymous Coward
    Anonymous Coward

    White hats? what about Flat Caps?

    Bowlers, Cowboy Hats, Top Hats, Fedoras, Trilbies, a Fez, far more to a hat than just the colour as any Milliner will tell you.

    I am quite partial to a Panama myself.

    I wonder how we would all feel if White Hat Biologists were to detail how biological viruses could be created. I also wonder if Biologists and Chemists should also be classified this way, nothing like the simple ethics of colour.

  17. H 5

    @Shagbag etc

    No system is completely secure. You plug it into other computers, its at risk, simple as.

    I would trust the overall security of Windows7 over any open sauce effort anyday, just becuse no-one is trying to comprimise it doesnt make it more secure.

    Until PCs as a whole are designed and build from the hardware up (including the network/internet) to be bulletproof against tampering, they will never be 100% safe from malicious parties.

  18. Geoff Mackenzie

    On the other foot

    The only reason there seem to be fewer holes in Vista is that nobody's using it.

    Last I read, pound for pound, Windows 2000 was the most secure version.

  19. Anonymous Coward

    I love the smell of troll-baiting in the morning!

    You do all realise that "Shagbag" is probably sitting with a big grin ( amongst other things ), getting off on you lot having a go at them?

    Nothing's perfect, it's all getting bigger and more complex, so unless it have more than 5 lines of code, it's never going to work perfect! Relax and chill, it's nearly the weekend!

  20. Kevin Bailey

    @Let's face it MS has more resources to put into make their OS secure than Open Source

    'Given enough eyeballs, all bugs are shallow' -'_Law

    No they don't - MS may be big - but only a single 'team' will be working on a particular product. Now, that team may be big - but I bet the IIS team is nothing like the size of the community using Apache.

    The key bit is not team size - but how it is organised. With open source you have a core maintainer team who know the product better that their own personality disorders. Then you have millions of users who are effectively continuously beta testing. If an issue comes up it is added to bug lists where it gets found by other users with the same problem. This will generate a big discussion RE exactly what the problem is, how to work-around - how to fix, how important it is etc etc etc.

    The maintainers will be reviewing and part of this process - someone will come up with a killer way of fixing the issue - the maintainer will like this as it's the easiest and quickest way to resolve the issue in a way which won't cause other issues. And so the code gets better and better.

  21. Joe User

    @Mosh Jahan

    But if we ALL used the least popular operating system ever devised, wouldn't it then become the most popular?

This topic is closed for new posts.

Other stories you might like