bit-tech.net

Microsoft warns of Windows flaw

Microsoft warns of Windows flaw

This latest security flaw exploits one of the few pieces of shared code that link Windows XP and Vista together.

Microsoft has released a security bulletin alerting customers to a privilege escalation vulnerability in its latest and greatest operating systems. Yes, the ones re-built from the ground up for heightened security. Whoops.

The bug occurs when you enable Microsoft's IIS webserver, or if you install the SQL database engine. When exploited, any code run under the IIS or SQL user can be instantly and invisibly upgraded to run under the LocalSystem account – which allows for modification to any file on the computer. Game over, basically.

The flaw is common to all Windows releases including Windows XP Service Pack 2, Windows Vista, Windows Server 2003, and Windows Server 2008. Embarrassingly, Vista is vulnerable even if you've applied the recently-released Service Pack 1. Although there are no known exploits for the issue at the moment, it's still a pretty major hole, and one Microsoft will be keen to plug as soon as possible.

The good news is that because the flaw relies on IIS or SQL being active – aside from an attack against Server 2003 involving the Distributed Transaction Coordinator – it's mainly Windows-based web hosts who'll be sweating until Microsoft releases a patch.

Home users aren't completely off the hook, however: although the hole requires IIS or SQL to be installed and active, the flaw actually resides within Windows itself rather than in the add-on software – it's the way Windows handles the SeImpersonatePrivilege that's at issue here. Accordingly, it's not inconceivable that an exploit could be written that would bypass this requirement and allow standard home installs to be attacked as well.

Anybody here relying on a Windows webhost and reading the advisory with trepidation, or is it an unlikely attack vector that no-one needs to worry about? Perhaps you're just annoyed at Microsoft missing this bit of shared code when it was creating Vista from scratch? Share your thoughts over in the forums.

21 Comments

Discuss in the forums Reply
naokaji 21st April 2008, 15:29 Quote
ouch...

let's hope for a quick fix.
devdevil85 21st April 2008, 16:12 Quote
just another day in the news for MS......nothing surprising to see here people.....
wuyanxu 21st April 2008, 16:42 Quote
if Mac and Windows found similar bug at the same time, i bet MS will fix the bug faster than Apple
sotu1 21st April 2008, 16:50 Quote
Quote:
Originally Posted by wuyanxu
if Mac and Windows found similar bug at the same time, i bet MS will fix the bug faster than Apple

as much as i love my mac i'm inclined to agree with you here
koola 21st April 2008, 16:54 Quote
Quote:
Originally Posted by wuyanxu
if Mac and Windows found similar bug at the same time, i bet MS will fix the bug faster than Apple

The question is not who patches quicker, but who introduces more bugs while supposidly patching.
naokaji 21st April 2008, 17:04 Quote
Mac users dont download patches on releaseday though since they think their OS is save:D
GoodBytes 21st April 2008, 17:57 Quote
At least it is Microsoft that found it and has balls to mention it and not a hacker and have the surprise of your life.
Amon 21st April 2008, 18:05 Quote
Not really that threatening if you look at the big picture. I personally don't know any typical home users who run an SQL database.
Laitainion 21st April 2008, 19:49 Quote
Annoyingly Visual Studio 5005/2008 install SQL server (a limited, testing version), even if you don't want it as I recently had to remove uninstall about half a dozen parts of the bloody thing (I don't do database work, so meh). So I can see a number of developer's being vulnerable.
completemadness 21st April 2008, 20:24 Quote
Quote:
Originally Posted by Laitainion
Annoyingly Visual Studio 5005/2008 install SQL server (a limited, testing version), even if you don't want it as I recently had to remove uninstall about half a dozen parts of the bloody thing (I don't do database work, so meh). So I can see a number of developer's being vulnerable.
i was thinking this too

Just another reason to use linux eh :p
Glider 21st April 2008, 21:14 Quote
Quote:
Originally Posted by completemadness
Just another reason to use linux eh :p
You need a reason for that? :D
LordPyrinc 22nd April 2008, 00:19 Quote
As a software developer myself, I tend to be understanding of MS on issues like this. I know that even during small application development, bugs get past QA testing. I couldn't begin to fathom the effort it takes to build an entire OS. I think MS does a damn good job at notifying the user community when there are issues like this and takes the appropriate steps to fix the security holes in a reasonable time.

No software product goes out the door bug-free.
yakyb 22nd April 2008, 10:10 Quote
as a guy running both IIS and SQL server on my Vista box i cant say im particularly happy about this but to be honest im not that pissed off either
[USRF]Obiwan 22nd April 2008, 10:43 Quote
Quote:
Originally Posted by koola
Quote:
Originally Posted by wuyanxu
if Mac and Windows found similar bug at the same time, i bet MS will fix the bug faster than Apple

The question is not who patches quicker, but who introduces more bugs while supposidly patching.

Thats not the right question: Since the ratio Windows based systems: OsX systems is like 95:1 the discovery of bugs in OSx is also much much much less then Windows. It's more likely that OsX contains hundreds of undiscovered bugs but duo the small application base. I guess there are 1% Apple based SQL servers / Web servers / Application servers (Is OsX capable to run these things anyway?)
steveo_mcg 22nd April 2008, 10:52 Quote
Quote:
Originally Posted by [USRF]Obiwan
Thats not the right question: Since the ratio Windows based systems: OsX systems is like 95:1 the discovery of bugs in OSx is also much much much less then Windows. It's more likely that OsX contains hundreds of undiscovered bugs but duo the small application base. I guess there are 1% Apple based SQL servers / Web servers / Application servers (Is OsX capable to run these things anyway?)

Its a *nix so i'll go out on a limb and say.. yeah.
[USRF]Obiwan 22nd April 2008, 10:59 Quote
Quote:
Originally Posted by steveo_mcg


Its a *nix so i'll go out on a limb and say.. yeah.

Ok, since the last time I worked with a mac, it wa the size of a toaster with a a 3.5 inch floppy drive and a smiling computer icon on the 7" black and white screen. It was called blabla II something...
steveo_mcg 22nd April 2008, 11:13 Quote
Same here... I loved my classic. Even then it was somewhat ahead of the windows curve (about 3-5 years ahead)
Bluephoenix 22nd April 2008, 15:11 Quote
I've known about it since Win2000

I filed a bug report, but it never got dealt with and I never got feedback


it made a fun trick when I used to do penetration testing, as it was a hole no one knew existed and could be used to take over the entire system.

also, there are bugs that allow SQL and IIS to be started without proper authentication, or proper access. I haven't got any feedback on those reports either.
leexgx 23rd April 2008, 03:19 Quote
SQL and IIS just seem plane insecure thay fix one thing and an 5 year old one comes along (or is it 8? heh)

any thing important or web sites should not be used an an windows box
DannyDirect 23rd April 2008, 15:59 Quote
Windows = Fix it soon
Apple = Fit it a bit after
Linux = WOOT! No big in the first place

Well, I am a Linux Ubuntu fan, however, I am restricted to using Vista until more drivers start supporting it :(
GoodBytes 23rd April 2008, 19:46 Quote
Tile.... PLEASE try Vista. I was able to run smoothly Vista 64-bit (if you disable everything down to XP) with 256MB of RAM. I was unable to try lower, as 256MB was the smallest DDR RAM stick I had. And no the RAM usage was not at 100% or anything there. Yes, like XP it was using the HDD. As in reality XP uses about 300-400MB of RAM (disable page file on a 2GB computer and you will see).

512MB of RAM is the minimum if you want to install Vista faster than XP and be able to take a tiny bit of advantage on Super fetch technology, and be able to have Windows defender, indexer, disk defrag utility run all the same time while you surf the web. More RAM you add, the more Windows will use RAM for super fetch until reaching a certain extent. Super Fetch technology is a system that pre-loads your application before you open it. It's VERY smart and does an excellent job (one of the few things that Microsoft got 100% correct). Also thanks to Vista new and improved memory management, it allow such technology to have expendable space. Meaning, more application uses RAM, Super fetch will reduce in size. If you had ever tried Vista in your life, you will quickly find out that if you have 2GB of RAM, 1Gb will be in used, however if you run a big game, Photoshop with several large pictures, Adobe Premier and After Effects, you are still at about 1GB of RAM used. I will not believe that all these application uses 10kb of your RAM.

One big advantage on Vista interface is that it doesn't use your CPU. So you have more CPU power in your hand, unlike XP. It uses your GPU. So yes you do need a video card that is a more powerful, like a Geforce 6200 (for smooth graphics)

If you don't have a compatible video card, you can use Vista Basic, which is essentially using the same engine as XP, just a different look. And if you have an even crappier video card, then Windows classic will do.

Microsoft did not fail with Vista, the only part they failed was to drop support for old hardware like they did with Win95. However, back then the issue was much smaller, as not a lot of people had computers as now.
When Windows 7 will be released, everyone will be like "Wow awesome OS, way better then Vista", however I am sure in reality they just did some tweaks and added 2-3 new features over Vista. And the reason why you and other will probably be happy with Win7 is because you will have a new computer by then, and not old hardware that is not supported by Windows, and not even by the hardware manufacture.

If Vista would have failed, you will see this:
1- Your hardware manufacture releases several latest driver for your hardware
2- No mater what happens the system causes sever issues such as BSOD's all the time, or errors none stop, like WinMe.
However, THIS IS NOT THE CASE.

Yes, Vista has it's issues as they restarted the core system from the ground up, so bugs that did not exists appears. And as a software developer, I can tell you, that even me when I restart the core engine of my personally software I can tell you it's packed with bugs that never existed before, and require fixing and debugging even more, like when you first program the OS. Already, comparing Win95 to Vista, Vista is impressive in stability and number of bugs found. If you read this thread more carefully, you will that the problem mentioned also occurs on WinXP (which makes me to believe in Win2k as well as they are pretty much identical OS, especially at the core level).

As for performance decrease in real life test, that is using the OS without crippling it like BIT-TECH, and others. You will see on a new system using latest standards, the OS outperform XP in many fields. As for gaming, simple: XP core system is the same as Win2k which is the same as NT4... how old is NT4?! yea so companies knew how to optimize drivers. I even recall when I had the Gefore 6600GT, for a moment their was new and newer drivers that made my video card go faster and faster. It's like if I had an OC without doing anything. and the reason was that Nvidia did optimization on the driver sides. Same thing will and is occurring with the new hardware from Nvidia, however Nvidia i more preoccupied to get everything to work perfectly.

The problem with XP core system, is that it is based on WinNT 4 core, back then Microosft was laugthing their head on "virus", "spyware", "malware", "trojans", etc... they were pretty much like "hahaha who in this wonderful world will do such a thing... worst come to worst will we simply patch the problem". Well guess what? now it out of control. So a new core on a new OS was inevitable for Microsoft.

It is true that Vista has/had a fair amount of issues that should have been tested for so that it doesn't occur. The problem I think is that Vista managers team did bad decisions, for one, was to mention Longhorn and Vista. That way investors won't push Microsoft to release Vista so soon. Yea! I said "so soon", as if they tested it even more for a couple of more months probably it would have been like Vista SP1. Another issue could have been bad management of resources which lead them to spend (possibly) more than what really they should have spend, finally not focus more on their new OS. They should have focused more on it to have it released sooner, better, and more feature that the average user will see. As the average user doesn't understand what a "core" system is, and doesn't even have a clue on how complex an OS is.

Another problem is us, we expect perfection. Which is understandable, which leads me to my last point where Microsoft failed, is the price of Vista. For the price (at retail value) Vista should have been more or at least perfect, and it wasn't. If Vista was the same price as XP, and that Business edition was reserved for OEM and enterprises and that the business edition would be the same price as Home Premium. And remove Home Basic edition. Oh and finally, have an automated system on each edition that configure Vista (disable features) depending on your system specification. If you can't run Vista, you have things reduce. However, have something without annoying the user, on information on upgrading their system to enjoy the new features.
Log in

You are not logged in, please login with your forum account below. If you don't already have an account please register to start contributing.



Discuss in the forums