"... only and idiot would expose".
A Windows SMB vulnerability revealed late last week at DEF CON won't be patched because Microsoft says the service should be firewalled off from the internet anyway. The 20-year-old bug is in at least Windows 2000 to Windows 10. It was discovered by RiskSense bods, who combed Redmond's file server code for flaws similar to the …
You can't protect idiots from themselves no matter how hard you try. If you have an SMBv1 share exposed to the internet they can brute force the password fairly easily even without a flaw. No one should ever have any SMB shares on the Internet.
The cost effective solution would be to disable SMB sharing on effected versions of Windows, I imagine you wouldn't like Microsoft doing that unilaterally either.
I thought a recent MS security patch pretty much disabled smbv1 everywhere? I seem to rememeber reading about it after wannacry surfaced.
Smbv1 is quite old and outdated. Even my linux boxes arent using smbv1.
Even basic routers would block internet smbv1 access so you have to be pretty daft to start opening the ports up (or just pppoeing your server to the Internet )
Not really on the internet, but guess what caused the so-damn-fast spread of the wannacry in the NHS... the nationwide private WAN has SMB wide open to and from basically anything. And it is still open now.
When I was working in NHS IM&T we treated the N3 as an externally facing internet connection so every site had it's own firewall. No doubt you can find single site trusts basically without IT staff that are incompetently setup, but there is really no such entity as "THE NHS", it's a patchwork of hundreds of different trusts all running things in radically different ways.
There's nothing wrong with making the OS easy to use, if it's done properly and elegantly.
Windows became idiotic since Win 8 (Metro! Metro! Metro!) and Win 10 (SatNad and his Insider groupies' data mining project)... it's really the entire Microsoft becoming idiotic, rather than something that's unique to Windows ('new and improved' Skype).
We have an entire generation of youths who do not know basic DOS commands.
Powershell is powerful, true. But its early learning curve is very steep. Steeper than bash and much steeper than dos. Even a lowly dir /o:d requires figuring out what the object's date attribute is called and a pipe to the sort. And the whole command will be much longer too. On the positive side you don't need to parse an text stream to isolate that date for further processing. For advanced usage, ps's more structured object mechanism pays off, most of the time it seems overkill.
I fear the days of the casual command line user, if there ever was such a beast on Windows, are ending.
Why did not MS do it in the server space too, and let Linux overcome Windows Server?
Anyway Linux didn't became a desktop alternative until well into the 2000s - just look at kernel releases, and desktop managers state - a lot was missing, especially on laptops.
MS business "practices" hurt much more previous competitors, and the lack of applications, which in some area is still an issue, didn't really help - just like the distro fragmentation and companies like Mandrake/Mandriva with the wrong business model.
Also, PC manufacturer today would sell preinstalled whatever they could to improve PC sales. PC manufacturer aren't stupid, if Linux would have sold as much as Windows, they would have said MS goodbye a long ago.
But keep on believing people don't use desktop Linux just because the evil eye of MS...
> PC manufacturer aren't stupid, if Linux would have sold as much as Windows, they would have said MS goodbye a long ago
PC manufacturers get "all-or-nothing" discount deals which make offering non-Windows alternatives very expensive. So the "linux doesn't sell" mantra becomes self-fulfilling.
"PC manufacturers get "all-or-nothing" discount deals which make offering non-Windows alternatives very expensive."
In practise, impossible. "Nothing" option means not being able to sell any Microsoft product or advertisements on those and that's a lot of money.
Almost half of the profit for HW-maker on cheap Windows-laptop is from advertisements and 3rd party programs (systematically called "crapware") pre-installed to it.
Often so you can't remove them without installing whole system from retail Windows-DVD and *puff*, none of the drivers needed aren't there as they exist only in vendor and version spesific image installed in to the machine. So you live with crapware or don't use the machine. Nice.
So far that on paper similar Dell-laptops, 1 month between buying, couldn't connect to network with each other's rescue disk as -tadaa- network card had changed in between, totally different.
Of course neither worked with retail-Windows-DVD either. I wasn't surprised.
Stop buying them. They're just crap. It's funny how all those Linux power users feel the need to buy such a crap.
True, Linux may be less resource hungry, but do your really buy such a crap??? Why??? Leave them to the Windows users whom they are designed for.
It's the whole system which is built with cheap components, why risk for any professional work?? You'll save a lot from not buying software, so, make a gift to yourself, buy better hardware... or aren't you paid enough for all those Linux skills to afford a decent PC???
Never found, anyway, yet a PC for which drivers were not available for the supported operating systems. The fact that two PC bought a month apart may have different components doesn't surprise me. One component may have been EOL'd and replaced by another. And if the components are released after the OS version, there's a good chance they won't be supported by a retail installer unless you add the drivers yourself.
"PC manufacturer aren't stupid, if Linux would have sold as much as Windows, they would have said MS goodbye a long ago."
'Would have sold', right. How would anyone know how much they would sell without Microsoft?
That's a risk no CEO will take. Not now and not for along time.
Also MS has a policy which defines that either you sell Windows pre-installed (and _only_ Windows) or you are not selling MS-products at all. That's the evil part: illegal abuse of monopoly, very serious threat to HW makers.
Linux is not sold, basically, as it's a free software: Where's the profit on that?
Selling hardware is only one part of profit on HW: Selling advertisements on said hardware is often half of the profit and that's impossible if buyer install his own OS.
Also Intel is practically married with Microsoft and they haven't been able to invent anything really new since late 80s. There's more profits in making same old shit cheaper than earlier and there basically isn't any competition, so no need to invent anything new.
Monopolies and cartels always means technical stagnation and are illegal for a reason. Obviously being big enough leads the cartel wagging the Congress and not the oter way round.
You are with your heads stuck firmly in the past. Actually, many vendors sell PCs with Linux preinstalled. For example Dell sells laptops and desktops with Ubuntu preinstalled (it gives you a choice of three LTS). Which actually shows your assertions are just BS - there's no way MS can forbid it today.
But you all keep on repeating 1990s era "news", before MS was hit by antitrust investigations, just in the attempt to justify almost no one bothers to buy a desktop/laptop with Linux preinstalled, especially since many will order it anyway without the OS and then install the distro of their choice, because not everybody uses Ubuntu. And even if Linux is free, supporting five or six distro would be expensive anyway - especially as long as Linux integralists keep on complaining about proprietary drivers...
What's wrong with Linux is too many believe it is is a religion, and believe in dogmas without actually checking if they are still true. They were told in the past, and it has to be still true... take your head out of the sand.
"But keep on believing people don't use desktop Linux just because the evil eye of MS..."
Not _just_ because of that, Linux has some serious problems by itself, but money always talks and MS has a lot of money and Linux-people don't.
Anyone who ignores that is just a fan boy.
Linux kernel is quite a piece but windows-stupidities with ideology "one piece does everything" (like systemd) and UI nightmares like Gnome 3 are serious drawbacks mostly created by invididuals or small groups who are so full of themselves that even obvious stupidities are dismissed by statements like "you are using it wrong", while fully knowing that documentation doesn't say anything about the "right way" of using it.
Neither are there error messages that make any sense.
And third brain damage, sabotage from MS-world: Throroughly useless documentation.
"This button confirms action" and the button has label "OK". Yea, right, I'm convinced.
The fact you did something with Linux in 1998 didn't make it a useful tool for everybody. Believe me, there were people who actually used Windows 2.0.
Until kernel 2.6 Linux had several shortcomings in many areas - i.e. threading and memory management that hindered its use in large applications. Feel free to tell us what your "commercial deployments" were....
From kernel 2.6 onward Linux made great leaps.
the problem is Microshatf's design. The idea that a networked box would expose services on the intarwebs is in and of itself a MAJOR problem.
In other words, they should have designed it to ONLY listen on RFC1918 IP addresses, and ONLY listen if you enable networking.
But NOOooo... they have to bind to 0.0.0.0 (i.e. everything) and THAT is the problem!
And they do that with other "well known" or "easily discoverable" TCP stuff. Just do a "netstat -an" some time on you Winders box, and see what's listening...
And if it shows up as the SAME port on everybody ELSE's box, and there's a vulnerability on it, and you connect directly to the intarwebs on a publically visible IP address [including _ANY_ IPv6 address!] then you're exposing your winders box's soft underbelly to the intarwebs.
"Only an idiot" would have DESIGNED! IT! THIS! WAY!! Right, Micro-shaft??
[the need to bind to publically visible IP addresses could be a kind of "opt in" setting, and THEN it would be the customer's fault for doing it...]
He may be Bombastic but there is a perfectly valid point here. The default state for ports should be disabled with the minimum possible exceptions in order to get the box up and running. This may include core network ports but why would HTTP be enabled by default? That should get enabled as part of configuring the HTTP security rather than as soon as the server starts.
I am not going to claim I know which should or shouldn't be in that minimal set but wide-open is a poor choice for a starting point
>The default state for ports should be disabled with the minimum possible exceptions in order to get the box up and running.
This was the default setting for secure third-party Windows firewalls such as Comodo and Outpost from the very beginning (ie. before 2005), but then they also blocked inbound and outbound traffic and performed stateful inspection, whereas the Windows firewall was only a simple outbound port blocker.
Also in the case of Outpost, SMB/NetBios traffic (if you enabled it) was limited by default to IANA defined private networks and specifically the subnet the host was attached to.
I would assume that this is also the case will all modern security suites...
>but why would HTTP be enabled by default?
On a system (not a firewall appliance), I would expect outbound HTTP to be enabled by default, given the extent to which browsers have become as essential to system setup and operation as TelNet and FTP were a few decades back.
OH FFS BOB,
Change the record,
LOTS OF PEOPLE LIKE MICROSOFT
you may not like it, other bleaters may not like it - but get over it FFS.
Were you scared by a picture of a dog on a Windows 3.1 PC years ago ??? .... just trying to make sense of it that's all
"LOTS OF PEOPLE LIKE MICROSOFT"
Err no they don't.
People like Amazon for a variety of reasons, same with Google whom people often find useful, and Apple have their loyal fans too.
But Microsoft? After force-feeding people a crash prone, bug ridden, security nightmare of an OS all these years, most people I meet from general public to programmers really do not like Microsoft much at all. The only people I ever met who said anything nice about Microsoft actually worked for Microsoft in some capacity.
It's not "hating" or anti-Microsoft bias either, Microsoft have genuinely earned their terrible reputation.
SMB predates Windows, and was designed at IBM, well before TCP/IP became the de-facto standard. It run on IBM LAN protocols and IPX well before TCP/IP, thus there was no way it could have been published directly on the Internet. Only later NetBIOS was made available on top of TCP/IP, and then SMB directly - the issue as usual is "backward compatibility".
I'm done with supporting this shitty OS, everything they do these days makes me facepalm to the point my forehead is red raw and starts to bleed.
The userbase are idiots and many of them think IT support bods are there to do their job for them because the job they're in, the one that requires them to using a fucking computer as part of their main duties, they can't fucking do!
I've lost count the number of times I've received support requests where really they are "I dont know how to do my job, can you do it for me" requests
Windows10 is what has pushed me over the edge, fed up with being dragged along with what ever stupid business decisions Microturd decide to dump out. Like changing the program defaults bypassing domain policy so they can push their new Photos app, which errors because the store is blocked, or where you apply "security" patches, and you end up with new feauters somehow and cortana is more verbose. M$ are so tunnel-visioned as to what Google and Apple are doing, they've lost the fucking plot
This is about SMBv1, an ancient protocol back from the days that the Internet was a kinder, gentler place. The only reasonable use case today is to put it on a tightly air-gapped network to talk to some legacy machines (say you have some Win95 boxes which must be kept alive to support some custom hardware).
It's like insisting that the security issues in Telnet get fixed. They *did* get fixed, and the result is called "ssh".
Unfortunately not. Most "new" multi-function scanners that save to an SMB share only use SMBv1! That means, that if you have a corporate network with multi-function scanners from the likes of, say Konica Minolta and the staff can scan documents to a share, then the share has to have SMBv1 enabled!
Obviously the mitigation here is that no corporate network in its right mind would open up SMB ports to the internet... On the other hand, those leased multi function devices often phone home, so they are the weak link. If they have remote access ports open and have an attack weakness, they can be used as a bridgehead into the network.
Windows XP only uses SMBv1 by default, so any company still using legacy XP machines may also be vulnerable.
1) You now know SMBv1 is a vulnerable protocol - thus you have to harden and monitor its use
2) You can still allow SMBv1 only directly over TCP, and disable the use of NetBIOS, which will remove a whole layer, unless your devices requires NetBIOS (probably because they use some old and outdated open source implementation of SMB...)
It's like insisting that the security issues in Telnet get fixed. They *did* get fixed, and the result is called "ssh".
And domestic routers etc. still get shipped with telnet & no ssh.
In the real world what gets done is what's convenient, not necessarily what's best.
Do any of you technical guys know if people are 'safe' (to a decent enough level) when using WD My Book Live & My Clouds with remote access enabled?
I appreciate this might have nothing to do with this article however always makes me think if I am opening up a can of worms when I select these options.
"But Microsoft aren't stupid" ...
Ok, you say that—and it's a perfectly reasonable statement, which must be true of many people working at MS—but then my thoughts turn to Skype, and most especially, the recent "upgrades" or "improvements" to a product which MS has been laming for years ... and it's therefore clear that there are, indeed, some immensely, nay, *magnificently* stupid people at MS.
So the question becomes: "Which ones do the coding, and which ones make the decisions?"
Even exposing SMBv1 on private networks is a vulnerability for the network.
Refusing to patch it is just unethical, immoral, and should be illegal.
Now patching by giving the administrators the ability to disable it, yes. Patching it by giving the administrators the ability to restrict it to specified networks, yes.
Both of those fixes should be present ANYWAY.
Best of all would be ACTUALLY FIXING THE BUG.
Anything else... just being stupid.
Disabling it has been available for years. Microsoft is even disabling SMB1 server on new Windows 10 installs right now.
If you put the onus on software companies to patch bugs that affect software in ways it was never designed to be used you'd quickly find software prices would skyrocket to insane levels, it's not economically feasible. And if forced to "fix" this problem I'm totally convinced that Microsoft would just release a patch that disables SMB1. It may not even be possible to fix without modifying the protocol enough that it wouldn't be compatible with the current implementation, and then what point would there be in fixing it to create SMB v1.1, might as well just use SMB 2 or 3.
"If you put the onus on software companies to patch bugs that affect software in ways it was never designed to be used you'd quickly find software prices would skyrocket to insane levels"
I hope you didn't mean that in the way I read it. Exploits of vulnerabilities are ways the software was never designed to be used.
My experience with SMB was that malformed SMB packets could crash the login process, requiring rebooting the server. That was serveral years ago and it might be fixed now, but nobody in their right mind would accept any kind of SMB protocol packets from the internet!!! Every business should have some form of firewall that allows filtering on protocol type.
So according to article update, all windows OS from XP up to Win10 are all affected. Not just SMBv1 but SMBv2 is vulnerable too. M$ won't patch it, it was a feature and many 'tools' from powerful agencies won't work if this is patched. Sorry, no patch since it's not a bug but a feature.
Biting the hand that feeds IT © 1998–2020