Exploits Released for New Windows Flaws

Submitted by danjr, 2004-12-24. Privacy, Security.

A Chinese company has released sample code that exploits new vulnerabilities in the Windows operating system. The LoadImage function and Windows Help program are both affected.

About the author: David Adams

33 Comments

2004-12-24 4:53 pm
Maybe it’s just me thinking this, but maybe it would be wise for Microsoft to get to fixing those vulns quick.

2004-12-24 7:02 pm
Why did the company post this? The article states that it put out sample code on its forum then another snatched it up and released it. Did they do this to spur Microsoft to take some actions? They’re companies, so they could face some litigation.

2004-12-24 7:15 pm
And a merry Christmas to you too! LOL

2004-12-24 7:51 pm
Exploit code, or even technical discussion of the vulnerability, is nowhere to be found if you follow URLs from all these articles.

We all remember “10 new critical flaws in XP SP2” - never materialized.

Now, is this a real vuln or just someone’s joke making everyone else running and screaming “the sky is falling!”

Hard to tell without proper information.

Please provide correct URL to the exploit or technical details.

2004-12-24 7:58 pm
“Why did the company post this? The article states that it put out sample code on its forum then another snatched it up and released it. Did they do this to spur Microsoft to take some actions? They’re companies, so they could face some litigation.”
_________________________________________________________
They are not part of the U.S. court system. The DMCA does not apply to China. And yes, this would be done to push MS into doing patches for said vulns in their OS. Perhaps this might also encourage secure coding practices, rather than security through obscurity.

2004-12-24 8:02 pm
That must be it, correct URL: http://securityfocus.com/bid/12095

Note that XP SP2 is not listed as vulnerable. It is also not listed as not vulnerable (do these guys know there is XP SP2???), but proof of concept provided does not work on my XP SP2.

Good news: Symantec antivirus has protection for this type of exploit. Business users are safe.

Bad news: Apparently, every Windows other than XP SP2 is vulnerable.

2004-12-24 9:05 pm
“Only stupid people use windoze and .Not. Delete windoze and install Linux and Java.”

This must be the most enlightening post this week. I bet you convinced many Windows users to leave the Microsoft platform and switch to Linux with your ‘leet spelling and your clear arguments.

Maybe, just maybe, the Windows users you tried to convince here (unless you’re intentionally preaching to the choir) will just think “Hey, this Linux-thing seems like something only pEoPlE wHo WrIte LiKE ThIS and spell “Windows” as “Windoze” will run, I better stay away from it!”.

But that’s just maybe. And it’s Christmas Eve, so merry Christmas to you all!

2004-12-25 3:09 am
Come on people grow up windoze is getting old, I use linux only but I’m not gonna act like a kid and bash MS.

2004-12-25 3:46 am
Not everyone feels the need to compensate for what they lack below the waist.

You use what you want, myself likewise and try to remember it’s a piece of software not a token of intelligence.

Merry Xmas.

2004-12-25 6:14 am
This is just another reason I’m moving to Linux. There’s just too many security vulnerabilities crap, especially after they bragged “Windoze XP SP2 is the most secure O.S. yet!”. B.S!

Did they really say that? Anyway, according to whoever made the exploit, SP2 is invulnerable: http://www.xfocus.net/flashsky/icoExp

2004-12-25 6:19 am
the only thing that bugs me with windows is the amount of spyware, but other than that, no problems with stability and speed.
Linux well, am still not satisfied with it, gonna give it a try when slack 11 comes out. I greatly admire the open source movement and have been using php, mysql, java for my development work but haven’t had any success with linux yet.

2004-12-25 6:50 am
Excellent. A Chinese company releases an exploit for an OS that is only vulnerable if you didn’t patch it a couple of months ago. So what? Should we not just be looking at the latest versions of the OSes. I’m sure many companies could go back to Windows prior to SP1 or SP2 and find vulnerabilities. Why is this even news? 8 of the 9 affected OSes in that list are out of date. The 9th is Windows 2003 Server. And you have more issues if you’re surfing from your server machine.

2004-12-25 7:33 am
Some exploits work across the service packs.

If a new vulnerability is discovered on a SP1 patched system chances are good they didn’t patch it in SP2.

2004-12-25 8:15 am
Correct. But this one is showing XP with SP2 as not being affected.

2004-12-25 8:44 am
Maybe if you get out of the little closet you are stuck in you’d realize that not everyone is running XP and that not everyone who runs XP updated to SP2 right away.

YES, THESE HOLES STILL MATTER. There are STILL production systems with pre-SP2 XP installed as well as previous MS OSes like 2k and NT.

2004-12-25 10:05 am
Not the brightest argument Anonymous. How far back should we look at Windows / Mac / Linux. My point is that if you have updated your OS you are fine. Just because people don’t patch their OS with a 2 month old patch that’s hardly Microsoft’s fault. I’m sure if a similar article came out saying that an older version of OSX was vulnerable there would be plenty of arguments on this site. And it is obvious from some of the comments on this point that the readers don’t realise that the latest patches aren’t vulnerable. With comments like MS should fix this (they already have) and That’s why I’m leaving Windoze (why? because their Windoze XP SP2 isn’t vulnerable).
We need a baseline to compare OSes. Do you assume the OS has never been patched and then complain about it or do we assume that it is patched? It would be nice if the same standards were applied to all the OSes.

I’m not expecting intelligent arguments anyway. (I’m not coming out of the closet, I’m hetero). At least you can type in some name Anonymous. There are still production systems using Windows 95. Should we blame Microsoft for vulnerabilities for that too? Same for Macs and Linux.

2004-12-25 10:55 am
people jez want to bash windows and microsoft. biased opinions are expected. people want to be unique by not using ms products, they must think they’re l33t. But I got no qualms with linux, jez with the opinions. Linux is a fine os but still needs some work.

2004-12-25 11:30 am
There. I added a name. And much more of one than you did, I might add.

Where in my post do you see me blaming Microsoft? Where in my post do you see me bashing Microsoft?

My point is in response to your “why is this even news” comment. This is news because it still matters.

By the way, it *is* Microsoft’s fault that many systems running Windows 95, 98, etc etc are still in production. Why? Because they charge so much for the upgrades. Of course not all systems remain outdated because of price, but that is a major factor. Microsoft should make security patches available for outdated systems, for free, without them having to upgrade to a newer system. Why? Because it’s Microsoft’s fault that the security hole was there to begin with.

You’ll also note that I didn’t say anything about Linux being so much more secure. Or about Macs. Or about anything like that. Not only that, but I didn’t make the comment of “MS should fix this” like you said in your post (though I believe they should).
I also didn’t make any comments about how “I’m leaving Windoze” – mainly because I haven’t used Windows for over a year now except for games.

I posted under anonymous because I was too lazy to enter my information – not because I have something to hide. You should learn the difference. Besides, a name like “Micko” with no contact information is pretty much as useless as staying anonymous. You challenged me on it, so I’m challenging you. Provide us with a full name and e-mail address if you aren’t afraid.

2004-12-25 2:38 pm
Speaks for itself…
http://freehost07.websamba.com/greyhats/sp2rc-analysis.htm
JT

2004-12-25 3:33 pm
So the clue is: A new vulnerability affects them all regardless which service pack is installed.

Personally I switched to Linux/FreeBSD because they (just my example taken out of the many) are developing more new stuff daily. Windows XP is still Windows XP, there doesn’t change much even with SP2. Linux/FreeBSD have more momentum, as a user you are more involved.

Unless one is a “moron” it doesn’t really matter which OS you prefer if you have fun and it does what you think it has to do within your own referential fit.

2004-12-25 4:23 pm
My system (win2ksp4) is so vulnerable… that nothing happens.

2004-12-25 4:33 pm
no need to access the source code to find as flaws as needed… this deserve open source and its code quality in general… Security by obscurity has been always known to fail miserably in the past.

2004-12-25 11:43 pm
Maybe, just maybe, the Windows users you tried to convince here (unless you’re intentionally preaching to the choir) will just think “Hey, this Linux-thing seems like something only pEoPlE wHo WrIte LiKE ThIS and spell “Windows” as “Windoze” will run, I better stay away from it!”.

I agree here.
I do like to advocate FreeBSD as well, because I think it’s a good operating system.

On the other hand I can imagine that Windows users feel not welcome to use Linux (or any other operating system that’s not a hype) because of the aggressive attitude that some people have.

Sure, I also tell people who don’t (want to) read to RTFM but I prefer to translate RTFM to “read the fine manual” instead of the other form.

And if I am honest I believe that the security problems in Windows (there are security flaws in every code ever written) are mostly that the multiuser implementation really sucks.

So (almost) all people have administrator rights all the time. So anything can do anything on someone’s system (anti-spyware/virus software is always running behind the facts).

2004-12-26 4:54 pm
By the way, it *is* Microsoft’s fault that many systems running Windows 95, 98, etc etc are still in production.

I know, I remember seeing Win98 in a local store a few months back for around $90.

2004-12-27 12:45 am
“Why is this even news?”

Oh, I don’t know. At a wild guess, maybe because half the world still doesn’t run XP, and maybe half the ones who DO run XP DON’T run SP2? Could that be it? I’m just throwing out wild guesses here, mind.

2004-12-27 4:10 am
on win4lin of course
http://www.netraverse.com
(pain in the arse to install it tho)

2004-12-27 7:57 am
XP SP2 isn’t vulnerable. This company might as well post exploit code for Windows 95. It’s irrelevant.

2004-12-27 7:59 am
Oh, I don’t know. At a wild guess, maybe because half the world still doesn’t run XP, and maybe half the ones who DO run XP DON’T run SP2? Could that be it? I’m just throwing out wild guesses here, mind.

So what. People very clearly need to apply patches in a timely manner. If they choose not to do so out of ignorance or neglect, that’s not Microsoft’s fault.

2004-12-27 8:43 am
“XP SP2 isn’t vulnerable. This company might as well post exploit code for Windows 95. It’s irrelevant.”

You know what is actually irrelevant?
You saying that after not reading the comments that have already discussed this very thing.

2004-12-27 8:45 am
“So what. People very clearly need to apply patches in a timely manner. If they choose not to do so out of ignorance or neglect, that’s not Microsoft’s fault.”

As I clearly pointed out already, there are non-XP systems still running that are vulnerable. These systems are still running because Microsoft charges for their updates. They should release backpatches for security holes in all their products because it is their fault the holes were there in the first place. Either that or offer free upgrades, which would kill their business model.

Please, if you are going to argue, try using some not already discussed points.

2004-12-27 10:27 pm
As I clearly pointed out already, there are non-XP systems still running that are vulnerable. These systems are still running because Microsoft charges for their updates. They should release backpatches for security holes in all their products because it is their fault the holes were there in the first place. Either that or offer free upgrades, which would kill their business model.

If people are going to insist that Microsoft do this, then everyone needs to decide on just how far back they should go, and then hold all other commercial OS vendors to the same standard, including Apple and any Linux/Unix vendors that charge money. That way, if people say that MS should still be supporting Win98, then all other vendors need to also release security updates in a timely manner for all operating systems they released 5-6 years ago.

2004-12-27 11:16 pm
You think you are making sense when you post that companies shouldn’t have to release updates for systems they released many years ago, but you aren’t. These systems are *their* products.
If you purchased a fridge that, by design, allowed people to remotely remove food from it (I know, I know, it’s just an analogy), and people only found out about that eight years after you bought it you’d still want them to fix the fridge. In the fridge case, though, it would take work for them to do it to each individual fridge – in the software case, all they have to do is patch it once and release the patch leaving it up to the user to do the rest.

You see, no matter how long it has been since the product was released, if it was released with said security holes in it (or they were caused by a security patch given by the company who made it) then it is the company’s responsibility to make sure those holes are patched. End of story. If they had released a secure product to begin with they wouldn’t have to be patching systems that are now ten years old. Unfortunately for MS, they can’t seem to do that – or anything even remotely close to that. When a user buys their computer, they do so on the distinct impression that the computer will be safe. Microsoft of course denies all responsibility in the EULA, but there still is such thing as implied responsibility. They purchased the product, they have a right to know that said product is secure to the best of Microsoft’s ability. By not back-patching, Microsoft is simply ignoring these users and trying to leech more money out of them for upgrading to something they probably don’t even need (if they needed it, they’d likely have upgraded long ago).

2004-12-27 11:18 pm
By the way, I completely agree that all vendors should be held to the same responsibility. Linux/Unix vendors are a little different in the way that the system is open and many patches are available online even if the company officially stops supporting them, but I still think they should offer these patches. The last thing I’m trying to be here is someone who hates MS and holds them to different standards.
There are plenty of those people floating around the boards already.