Microsoft has admitted to a serious flaw in their Windows sharing component that affects nearly all Windows versions, including the latest “most secure” Windows Server 2003. The flaw was discovered by Polish researchers, known as the “Last Stage of Delirium Research Group”. This comes as a big blow to Microsoft since Windows Server 2003 was the first product sold under a high-profile “Trustworthy Computing” initiative organized last year by Microsoft founder Bill Gates. Original article here.
Flaws, really, in Windows. Who could have thought that possible.
These flaws are so damn serious I would never ever trust a Microsoft product, never. No matter how many times they have printed secure on the box.
Lots of bugs and security flaws will follow as normal.
I thought windows was the most secure os ever made. Lol.
At least they owned up to it this time…that’s better than normal. I wouldn’t say that it’s a big blow to their Trustworthy Computing initiative…it would have been a big blow if they refused to fix it. Then again, you have to wonder how many of these flaws are floating around that they know about but AREN’T fixing…makes shivers run down my spine.
These are the very same Microsoft products that the Dept of Homeland Security just bought through a very large contract announced a few days ago. Homeland Security and insecure Windows software… oh the irony!
No other operating system has had a buffer overflow in their RPC implementation!
Oh wait, remember the xdr_array buffer overflow from last year: http://www.securityfocus.com/bid/5356/credit/
And that affected Linux, *BSD, Solaris, Irix, and others…
Seriously, people give Microsoft too much grief. These sorts of problems are universal.
i think this will be the fix code…
format c: /u /autotest
read..
no RPC-based services are enabled by default in Unix
in windows they are…
Are enabled by default in “Unix”? And to what are you referring specifically by “Unix”?
Many RPC-based services are enabled per default in Solaris. Certainly there aren’t any running per default on, say, OpenBSD…
And obviously Microsoft’s DCOM-based RPC implementation is only similar to Sun RPC in name. I was merely making a humorous observation, especially in the wake of all the anti-Microsoft FUD being churned up around here.
Secure by default is a nice idea, but doesn’t seem to work out in reality, especially considering how many security vulnerabilities have been found in recent history in ubiquitous Unix services like OpenSSH…
“no RPC-based services are enabled by default in Unix
in windows they are…”
Well, if servers are working with defaults settings…
Regardless of the vulnerability, your firewall should be blocking those ports.
Agreed…
True… Having a good firewall (sygate, zone-alarm, tiny) prevents all this stuff.
And here’s a good guide to secure a xp box: http://www.techspot.com/tweaks/windows_security/index.shtml (just in case 😉
That’s just fine for attacks from outside, but what about those disgruntled employees ?
Don’t settle for second or third best if you NEED a real OS.
https://rhn.redhat.com/errata/rh9-errata.html
Yes I definitely see three remote exploitable holes there. *the irony*
really either side of the fence, there is no fault in admitting SECURITY holes and then offering the patches for it, and bugfixes does not equal security holes.
What is however wrong is not admitting the holes in the first place and perhaps admitting and patching them when the researchers /black/white/hatters/ basically have to threaten them with public disclosure to get the patches rolled out.
that is _not_ ok. you should care, as a consumer, not as an admin or ‘puter user.
Roses smelling nice aren’t they.
> Yes I definitely see three remote exploitable holes there.
which ones ?
i use crossover office on my man9.1 installation. When will microsoft release a patch for meeeeee?
Oh wait, i was part of the “not affected” list.
(so the only safe way to run word is through linux?)
http://lsd-pl.net/
“> Yes I definitely see three remote exploitable holes there.
which ones ?”
sorry, i was sarcastic.
but bug found, patch released… get over it… I see the “Linux Security Advisory” on Newsforge every week… This does not cause me to distrust Linux distros, actually, I don’t completely trust any OS security-wise so I take proper precautions. Well, maybe I trust the blowfish but I don’t actually use it!?
Every OS is going to have security flaws. Patch it and move on!
“Trustworthy Computing” from Microsoft. What a joke! It scares me that Homeland Security has chosen to rely on MS for secure computing. They couldn’t have made a worse choice.
> It scares me that Homeland Security has chosen to rely on MS for secure computing. They couldn’t have made a worse choice.
Perhaps that reveals the depth of their knowledge on the matter
What do you care it’s not your homeland? I think some portion of this MS bashing is because it is a U.S. company.
Unfortunately that isn’t really true. I believe Red Hat by default enables NFS, which uses RPC. However, a major difference is that Windows relies heavily on RPC for a lot of things, whereas Linux can be run just fine without it.
Microsoft has said something like Windows Server 2003 is the most secure OS, the most secure Windows, new security direction for their development, and so on….
When I see this kind of security flaw, it’s just blah, blah, blah……
And with Longhorn and Palladium, I think we will laugh again a lot (at least me!!!).
And because this flaw affects Windows NT, 2000, XP and 2003, it shows that Microsoft doesn’t make a big change or improvements in their code as they want us to believe. They said that Win2003 was a big improvement on the Windows series, but what I see is that I find the same flaw in two OSes whose development is separated by years.
Well done Microsoft!!! And I wonder how some critical government departments can buy some Windows machines, are they crazy or what???
Windows and “security flaw” seem to go hand in hand. You would think that MS with literally an army of security experts and consultants would clean up their act or at least be able to patch the OS before anyone found out.
MS should consider totally rewriting Windows from the ground up because as it is Windows is riddled with holes and patches.
>True… Having a good firewall (sygate, zone-alarm, tiny)
>prevents all this stuff.
Mwwuuaaahhaa..ok no need for OpenBSD or Linux then, Windows XP with Zonealarm makes a good firewall..cough..cough..
>Redhat enables NFS by default
There are more distros who do this… I think Mandrake and SuSE do this too. However Red Hat also starts up its firewall by default… and like you said it’s not depending on RPC.
Microsoft NEVER said it was the most secure OS, they said it was the most secure version of Windows, which it is, by far.
This is the FIRST security hole found in months that even affects the Windows 2003 default install.
True, but it’s in my opinion one of the worst holes ever.
“most secure Windows server operating system ever”
Not if it includes holes from NT4!
Glad you stuck “default” in there, but it doesn’t make your case any stronger, there were two this month. Both required a reboot incurring downtime for your server.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/…
> Mwwuuaaahhaa..ok no need for OpenBSD or Linux then, Windows XP with Zonealarm makes a good firewall..cough..cough..
care to explain what’s wrong with zone-alarm? or are you just talking out of your arse?
The patch for the HTML converter does not affect the default install, as IE is locked down, heck, you shouldn’t even be using IE on the server. Yes, the hole is there, but it doesn’t affect the system unless you disable security features (which are there for this exact reason) and are using IE on the server… not to mention you should have a firewall up anyway.
I agree, if I had the choice I would uninstall it. The holes still need to be patched though since you can’t. It’s not necessary to run a firewall on every server in your farm though, and when the network grows beyond your control you can’t promise that someone on another team won’t get rooted, and pass it on to you. 🙁