Whitehats pierce giant hole in Microsoft security shield In late December, Microsoft researchers responding to publicly posted attack code that exploited a vulnerability in the FTP service of IIS told users it wasn't much of a threat because the worst it probably could do was crash the application. Thanks at least in part to security mitigations added to recent operating systems, …
Microsoft ... "told users it wasn't much of a threat because the worst it probably could do was crash the application."
&&
“The point was proven that you could actually start to execute code, as opposed to them saying: 'Don't worry about it. It can only crash your server',”
This is why Microsoft is a joke. The hackers probably cannot steal your data but they can take out your server! And this is not serious?
In today's IT world, a repeatable crash means a red alert for security, any sane vendor, especially AV vendor (they run almost kernel level) will take it very seriously.
I always get Apple security updates mailing list and almost all of updates were crash prevention patches allthough it was NOT demonstrated to exploit the crash. That is Apple! The company we all critize for laid back security updates.
This is 2 strikes, get Avast free, paid or Kaspersky AV. Don't install that junk, they really proved that they microsoftized that AV.
Av software runs in very deep level by design and you wouldn't want it to be abused. Especially on Windows.
but M$ has actually come a long way security wise. They just are faced with a bunch of bad legacy design decision like embedding an internet browser deep in their OS. Adobe on the other hand is far far worse and responsible for at least as many boxes getting owned these days and M$.
what they were saying was it could crash IIS Service not the server. Because its only a service crash Microsoft wouldn't spend time on fixing it as it takes only a few seconds to a minute to bring it back up. if it was to actually crash a the server OS im pretty sure Microsoft would have spent more time to fix the issue. learnt about the OS before you flame it.
server, especially a public facing server shouldn't crash. If it crashes, it should be fixed. If someone manages to crash a server kernel, the entire OS remotely, they should already close the office and go home. Nobody says server os crashes. Tell it to the guy losing connection in middle of 4 GB download, that it is normal.
Even basic afp server on leopard had a mysterious crash, apple fixed it. It is not "server" version, it is the thing for trivial home sharing.
How about starting with the coding habits that *allow* heap overflow in the first place?
Or a set of macros (Can't be a subroutine call because "performance" is *so* important) to ensure check code gets inlined as a matter of course?
This is *not* a pop at MS in particular. They (like *every* development shop on the planet) want code written fast.
It's just the *consequences* of their practices ensure a whole lot *more* people get f****d than most other software suppliers.
Note the fix "Turn off FTP" might as well be "WTF did I buy this in the first place if I can't run something it says it can (in safety)?"
Thumbs up for finding this one. It's good to remember the price of security is eternal vigilance.
A culture where Source Code is fiercely protected from ever seeing the light of day is a culture in which bad coding practices can flourish.
The thought that millions of people all around the world might be looking at your code, is the single greatest incentive to write it in such a way that nobody can point and laugh at it.
It's long past time for some government or other to stand up to Microsoft and others, realise that withholding Source Code from users has done nothing at all to prevent piracy while creating a security nightmare that has cost countless person-hours and probably a few lives, and order vendors to decide between supplying Source Code to any duly-licenced user on request, or having their products banned from sale.
MS do supply the source code to duly licensed customers and have done so for about eight years.
If you're going to slag off a particular OS (it doesn't matter which), suggesting you have superior knowledge of systems and development, you shouldn't be making basic errors like this as it calls into question anything that you say. At the very least it shows you up as someone who, in this case, is slagging off MS from a point of ignorance and allows me to filter your posts appropriately.
This post has been deleted by its author
This post has been deleted by its author
I am a heavy linux user, I like linux, but the whole "it was found so quickly because it was open source" thing, doesn't really wash with me. Here are a few from the first page of a search for "year old linux bug":
http://tech.gaeatimes.com/index.php/archive/six-year-old-linux-bug-eventually-fixed/
http://www.theregister.co.uk/2010/08/19/linux_vulnerability_fix/
http://www.fiercecio.com/techwatch/story/eight-year-old-critical-bug-found-linux-kernel/2009-08-14
And remember that their fixes may well be into the nightly unstable builds quickly, but it's still often up to a month or more before they are in the repos for general end user's consumption.
This post has been deleted by its author
I work in a major UK/Global bank as a Linux specialist and no, we don't check the code, why would we? IBM (z/Linux) and Red Hat (RHEL) do that for us, that's what we pay them a shed-load of money for. Even banks don't have the resources to check the Linux codebase and we certainly don't change the codebase because that would invalidate our support contracts.
Ah Utopia....
I'm not sure I'm ready to live in a world where I have to choose between dozens of half-assed not quite fit for use apps that are all trying to do the same thing and where if I have the temerity to ask why my scanner won't work the assumption is that I'm a retard who shouldn't have access to a network connections.
It has just been proven that if a burglar is determined and skilled enough he will be able to break into your house. No matter how many alarms and fancy locks you have!!
You mean operating systems aren't 100% secure either? Who would have believed that one.
Here we go yet again.
Microsoft are a joke. Microsoft are crap. Windoze is crap. As full of holes as a swiss cheese. I don't use it. I use Linux. I use Mac. They are better, they are more secure. Yeh right.
"Microsoft Security Shield" What is that exactly?
The interesting work these people carried out is being used here to bait the smug M$/Windoze bashers into another tiresome round of predictable responses.
What purpose is served? None.
read the article. The homeowner insisted that the lock could be broken but not in a way that allowed access to the house. The investigators found that, if they first rung the doorbell and ran away then broke the lock when the homeowner was looking round the side of the house they could indeed gain access to it.
>> The interesting work these people carried out is being used here to bait the smug M$/Windoze bashers into another tiresome round of predictable responses. << Go back to your other os and continue to feel smug. As long as Microsoft are the biggest target you're relatively safe.
Yes, that's right.
As long as it remains a minority OS that has almost no desktop market share, hooray, you are secure.
Step over that line, however, and you start to be worth cracking and then it's open season on penguins. Especially since many users are way too smug to even install antivirus.
But you're not. I've had the pleasure of reconsitiuting 2 ubuntu boxes and three early nettops which users thought were "immune to viruses". They weren't immune to browser infestation, sadly.
I'm just glad I know nothing about mac-fixing because mac users are in general even more smug and therefore, an even bigger target.
For a machine that "just works" those "genius bars" - I typed it, I feel ill now - sure are busy.
Yeah, if only you were right!
If you are so good at Ubuntu, you might already know that you can't run it as root so it is almost impossible to ruin a system like one would do with Windows. Oh, and a Linux knowledgeable person wouldn't take that much pleasure bragging how he disinfects Linux PCs.
"If you are so good at Ubuntu, you might already know that you can't run it as root"
not run as root? ever hear of privilege escalation attacks? Linux has been found to be vulnerable to a number of them over the years.
" so it is almost impossible to ruin a system like one would do with Windows."
Accidentally, maybe. But if someone is trying it's not "almost impossible," it's arguably "mildly difficult." (FTR the argument is that it's even THAT hard)
"Oh, and a Linux knowledgeable person wouldn't take that much pleasure bragging how he disinfects Linux PCs."
I think you misread the post, he wasn't bragging about it, just pointing out that Linux isn't the solution to all the worlds woes that the penguinistas seem to think.
Ok, I'll admit it... I maybe trolling a little bit at this point.
But the box is empty, and was empty before you picked it up.
I have Ubuntu (and CentOS and Fedora and XP) on my laptop. I run as root when I want to. On my old machine, that is never on the net, I run as root from login on Ubuntu, Fedora and XP (admin).
The only thing that Ubuntu makes you do to run as root is jump through hoops to re-enable it.
If you do indeed run linux as root and are not just a trolling MS fanboy, then you are a cretin of the highest order.
There is not one possible reason for you to use linux as a root user other than being a dimwitted Windows user who thinks that this is the only way you can be a proper "power user" or something.
There's practically NO reason to run a modern version of Windows as root/admin either - any halfway well written software will save any files that are modified during normal operation to the user folder. It's only badly written (or legacy) applications that tend to try and write to "protected" dive space.
In fact, even if you do run Win 7 as admin, UAC still pops up a privilege escalation prompt whenever needed.
MS guidelines for developers have been to "do it right" (use the user folder) since the fairly early days of XP at least... the problem is they'd never enforced it.
If it wasn't for the fact that this is a story about IIS. Not desktop Windows.
Linux on desktops.. Agreed.. Pretty small. A few percent tops.
Linux on servers.. Different story.
Windows on servers.. Not as common as you think.
Windows desktop OS running servers.. Is that even possible?
And given the number of windows installs of all kinds, including business, with quite frankly horrific security practices that have never seen a single Windows update.. I'd be very careful with that AV stone in your glass house.
"As long as it remains a minority OS that has almost no desktop market share, hooray, you are secure."
IIS, as a server, to deliver websites, will most likely run on a server infrastructure, doing that, serving, not likely on a majority of desktop systems (though didn't they have it enabled by default at some point? Not sure there)
Which OS has a large server market share again?
If I have needed a server only, headless blade, I would install openbsd, buy couple of good books and stay the hell out of its maintainers/bosses sight ;)
They are mean guys and not really social but you don't hear them "oh ftp server crashes, no worries" type of thing. Man even an end user wouldn't consider a crashing program "normal".
> Heap-exploitation mitigation .. works by detecting memory that's been corrupted by heap overflows, and then terminating the underlying process ..
Why not design a platform that is immune to "heap overflows", and don't say it isn't possible or try and blind me with techno-babble, it is patently obvious the combined efforts of WinTEL can't do it. It is curious that design decisions made decades ago still have such a disastrous effect on current security.
This post has been deleted by its author
Best sign up for this - you might learn about, and I quote, "Heap overflows in Linux"
http://www.blackhat.com/html/bh-us-11/training/bh-us-11-training_ss-el.html
rsync has been shown to have the same sort of vulnerabilities as Windows. Now stop believing all the marketing bumpf and actually get to learn about the tools you are using and how they work! Though I run the Penguini, I still believe in proper security...
MS said the bug was exploitable, said it was difficult to exploit and updated IIS two months prior to the conference where this mitigation research was discussed.
Mitigations are used to slow down attackers in their development of exploits, to try and make those exploits unreliable, and to raise the bar of the skill required to create such exploits (e.g. Chris Valasek is a Senior Research Scientist). The mitigations in this case served that purpose. Mitigations don’t take away the need to update the binaries and IIS was still fixed. Mitigations for all platforms are constantly updated to reflect research from White/Grey/Black Hats. Mitigation bypasses generally do not work broadly.
Server DoS's are typically patched by MS anyway, so whether or not it was exploitable is irrelevant, detailing whether it is exploitable or not is to allow the system admin to make a decision in how to prioritise the downloading/testing and rolling out the patch.
The revised blog post, that wasn't referenced by Dan for some reason, said it was exploitable:
http://blogs.technet.com/b/srd/archive/2011/02/08/regarding-ms11-004-addressing-an-iis-ftp-services-vulnerability.aspx
E.g.:
"Since then additional research has shown that it may be possible for this vulnerability to be exploited if DEP and ASLR protections are bypassed."
The bulletin notes from Feb 2011 said it was exploitable:
E.g.:
“Maximum Security Impact - Remote Code Execution”
http://www.microsoft.com/technet/security/bulletin/ms11-004.mspx
MS said they were aware of the research in the mitigation bypass.
http://blogs.technet.com/b/srd/archive/2011/02/08/assessing-the-risk-of-the-february-security-updates.aspx
“Vulnerability details for CVE-2010-3972 are public. However, it will be difficult to build a reliable exploit for code execution. We have heard rumors [sic] of an exploit technique that will be discussed publicly in April by Chris Valasek and Ryan Smith.”
While these newly discovered vulnerabilities are interesting, you need only look at the change in attack vector by viruses in the wild to realise the depth of change related to windows security in recent years.
Long gone are the days of the of the blaster/sasser worms. Even the dreaded conficker worm uses a combination of social engineering and brute force dictionary attacks.
And the drive-by web based attacks rely on exploiting vulnerabilities in commonly installed software like Acrobat, not the OS itself. There in lies the rub.
All the current security issues on the Windows platform can be laid squarly at the feet of badly written 3rd party software.
It all started when MS ditched the home market DOS based OS and consolidated on the NT platform with XP. Prior to this, people who wrote software for the NT platform understood that it was a network based OS with tightly regimented ACLs, and if they didn't take this into account, their software would not work.
Then came the flood of script kiddies, DOS programmers, and beard-stroking old-school Unix zealots, who refused to comply with the windows security model, making it so diffucult to run as a limited user we have to run as admins, giving anything we double-click on full rights to the entire OS.
"Program Files? that has a space in it, and would require some improvement in my programming skills. I'll just install in the root of C:"
"Windows registry? Looks complex. I'll just write back to config files in my install directory"
The net result is that as a sysadmin, you spend days tightly locking down your windows environment, and then weeks punching dirty great holes in it again to get badly written software working. No wonder you're average home user is vulnerable, They've been conditioned into thinking that every bit of software out there needs direct kernel access and sufficient rights to re-partition your hard disk, just so it can self-update.
Firefox behaves like a virus, trying to write-back to its program folder when updating (instead of using an installed service). I've seen Google Chrome install itself into the users profile folder before! Don't think the open source crowd do any better. The first thing that happens when you launch GIMP, is it does a great steaming dump all over your user profile. You'd think by the way these programs behaved the coders had never actually seen a windows computer before in their life.
When these 3rd party programs finally start using the now decade old, well documented windows security model, then so can we! On that day, we will be genuinely worried by the UAC pop-up, rather that just assuming it's Mozillas crappy updating routine.
"It all started when MS ditched the home market DOS based OS and consolidated on the NT platform with XP. Prior to this, people who wrote software for the NT platform understood that it was a network based OS with tightly regimented ACLs, and if they didn't take this into account, their software would not work."
Let me re-write this for you.
"Prior to this, even Microsoft wrote software for the NT platform which didn't take into account the likelihood of tightly regimented ACLs, and this software would not work unless it ran with administrator privileges."
There, fixed the reality for you.
...have written down the very way I see the biggest problems to Windows security.
Yeah, there are holes in Windows. Same with every OS and to be honest nearly every application written.
The majority of issues are piss-poor applications we HAVE To use that are STILL using development pratices from 1997. Lazy ass devs.
<-- That's for you.
Funny thing is, the security model of MS' OS has been migrating its goalposts for some time. A lot of stuff developed for and working fine on w2k fails on XP, and stuff for XP fails for Vista/7
This is more complex that you suggest as MS has changed (or been forced to change) the rules a number of times.
At the start of w2k/XP they should have screwed it down tight and just said "tough" to any application that did not work, user logged in as admin or otherwise. They did not, simply as too much money was to be made keeping compatibility and not having users keep the old 95/98 OS or defecting to something better.
What UNIX-origin programs do on windows comes to how easy it is to adapt, as the models are very different as are the user's expectations and it is often not the main goal of the developers. FF is a bit of an exception sadly.
However, the main difference though is UNIX-like program know they *wont* get admin permissions by default, so have been written more sensibly for native use. Back to the article, I think the main thrust of it is "MS poo-poos bug report as unusable, researcher uses it". Sadly seen that before, and not just MS.
WIndows Registry - a bad idea from the offset and the start of a great many problems. However this does not mean that mixing program files and data files is a good idea, just that writing anything into the registry is dumb. Want to recover your application from a failed OS install and your application has written important configuration settings into the registry? Forget it. On the other hand, if the application has *correctly* asked the OS for where it should store data files and put them there, you can easily recover them.
You are completely right about various apps doing stupid fecking things and "requiring" admin rights or at the least any pretence to security removed.
By the way, the MS documentation on where to store where is well over 10 years old, it's just a shame that MS frequently fail to adhere to any of it themselves with their applications. Not right to imply that all the problems are down to 3rd party software though, as a good pile of the problems are embedded within Windows itself.
I tend to think that storing your critical system configuration in a fully ACLed journaled database is quite a good idea, especially when that database stores multiple copies of itself to allow for recovery in the event of disk corruption. If you knew anything about Windows backup and recovery techniques, you'd also know that there are several ways to backup and recover the registry in whole or in part, built into the system.
ftp server really sounds like a UNIX job and MS IIS has nothing to do with it. So, question comes to mind: "who would need to run ftp servers?"
Let me answer my own question: small business hosting companies, they still prefer ftp account password option to exist as customers demand it.
So based on suggestion, they should turn off ftp and what? Web browser uploads? Let me remind that integrating massive numbers of accounts to a real ftp server, especially on systems like that isn't easy. So "run a vm and *bsd/linux for ftp" isn't that easy.
If I was in hosting business and had this memo, I would call Redhat or any consultant for assistance in moving to UNIX. Turn off ftp server, genius idea!
I did call Red Hat once (about six or seven years ago) for help in moving my skillset off Windows onto RHEL. I asked if they did a course which was suitable to convert an advanced Windows administrator from Windows to RHEL, thier answer:
"We don't do Windows"
So I explained that I was working for a corporation who have a large amount of Windows servers (1000s) and were interested in getting some of our sysadmins trained up for being Linux admins, but weren't interested in the sort of hand holding that you tend to get in simple courses. They merely repeated their answer.
As it happens, I now work with all major non-mainframe enterprise OSes, and yes Red Hat, however I had to go away and learn it myself. I am to this day confused as to their stance as Windows would seem one of their major target markets.
"Heap-exploitation mitigation made its Microsoft debut in Service Pack 2 of Windows XP, and has since been refined in later OSes. It works by detecting memory that's been corrupted by heap overflows, and then terminating the underlying process. The technology was a significant advance for Microsoft. Practically overnight, an entire class of vulnerabilities that once allowed attackers to take full control of the targeted operating system were wiped out."
I suspect this is why Explorer (not IE) has become such an unreliable piece of crap. Since every crappy app you install has some pointless shell extension it installs into Explorer I find Explorer getting terminated ridiculously often. I always bitched that it was so poorly written that it couldn't manage to write an error event identifying the culprit (and thus shaming the companies involved into cleaning up their shell extensions) but the problem is that Explorer isn't generating an exception on its own - its being whacked by this guard process.
How elegant.
Why the HELL does an accounting/time-keeping application use ie and active x and refuse to open the remote time-keeping module from Firefox? To me, the programmers (or their code supplier, hint hint) of that app just didn't want to support users who make use of non-ms browsers. The app is so hooked into ms that it is infuriating, to me at least. (Sorry, i cannot name the app -- just in case...).
It is there since 10.5, way advanced in latest Snow Leopard.
OS X users are alerted (by name) the crasher of Finder for example (input managers etc.)
We all know their developer tools are way too advanced, complex and they would sure code it into windows in couple of weeks. Why not? Their partners, remember the stupid usb key autorun, it was there because of an important partner. They said it themselves.
Heap use comes from new objects which is a consequence of iffy C++ design. I really don't like modern object oriented design; I've got nothing against objects per se, they're a really useful structuring tool, but the way that a generation of programmers have been taught to write code is frightening. They have no idea what their code's doing and why (and as for bloat....).
While this is clagging up Windows PCs I'll just look aside. But from time to time the embedded world gets invaded with this insanity.
What was that they used to say? "When all you have is a hammer everything looks like a nail"?
Step through some of the calls in a CPU view mode and you'll start to wonder just when you'll ever get to the code that actually does what it's intended to do. There's so much boilerplate (mostly unnecessary) that it feels like 95% of the code is non-constructive - it's no wonder that even with multi-core 3GHz systems with 8GB RAM everything is still so flipping slowwwwwwwww....
It's rather noisy in here today! Rhubarb! Rhubarb! M$ suxxorz! No, Mac sucks more! Liniux is shite for weirdy beardy types! Shut up troll! No, you shut up! Linux is not hackable! Oh yes it is! Oh no it isn't! My Mac never dies! You'll die if you shout about your sodding Mac once more! M$ haven't got a clue how to write software! Yes they have I have been writing MS apps for 65 years and never had problem! They've only been in business for 30 years! Shut up troll!
Now to retire to the pub for an hour of peace and sanity...
Lots of mentions of all OS's being full of holes etc but I only saw one mention of OpenBSD. And the real issue with a MS security hole, as ever, is not so much that it's there as their response to it: tell everyone not to worry. Brilliant.
OpenBSD may have had a hole or two as well in its history but using that as a defense of Windows and MS software in general is like saying "nobody's perfect" as a defense of Fred West.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
