This latest security flaw exploits one of the few pieces of shared code that link Windows XP and Vista together.
Microsoft has released a security bulletin alerting customers to a privilege escalation vulnerability in its latest and greatest operating systems. Yes, the ones re-built from the ground up for heightened security. Whoops.
The bug occurs when you enable Microsoft's IIS webserver, or if you install the SQL database engine. When exploited, any code run under the IIS or SQL user can be instantly and invisibly upgraded to run under the LocalSystem account – which allows for modification to any file on the computer. Game over, basically.
The flaw is common to all Windows releases including Windows XP Service Pack 2, Windows Vista, Windows Server 2003, and Windows Server 2008. Embarrassingly, Vista is vulnerable even if you've applied the recently-released Service Pack 1. Although there are no known exploits for the issue at the moment, it's still a pretty major hole, and one Microsoft will be keen to plug as soon as possible.
The good news is that because the flaw relies on IIS or SQL being active – aside from an attack against Server 2003 involving the Distributed Transaction Coordinator – it's mainly Windows-based web hosts who'll be sweating until Microsoft releases a patch.
Home users aren't completely off the hook, however: although the hole requires IIS or SQL to be installed and active, the flaw actually resides within Windows itself rather than in the add-on software – it's the way Windows handles the SeImpersonatePrivilege that's at issue here. Accordingly, it's not inconceivable that an exploit could be written that would bypass this requirement and allow standard home installs to be attacked as well.
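As an added illustration (not part of the original article or of Microsoft's bulletin), the Python below parses the output of the built-in whoami /priv command, captured under each service identity, and lists the accounts whose token holds SeImpersonatePrivilege. The account names and captured output are constructed samples.

```python
import re

# Constructed samples of `whoami /priv` output, one per identity; the
# account names and privilege sets are illustrative, not from the article.
HEADER = (
    "Privilege Name                Description                               State\n"
    "============================= ========================================= ========\n"
)
CAPTURES = {
    "NT AUTHORITY\\NETWORK SERVICE": HEADER
    + "SeAuditPrivilege              Generate security audits                  Disabled\n"
    + "SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled\n"
    + "SeImpersonatePrivilege        Impersonate a client after authentication Enabled\n",
    "WEBHOST01\\reportuser": HEADER
    + "SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled\n",
    "WEBHOST01\\batchsvc": HEADER
    + "SeImpersonatePrivilege        Impersonate a client after authentication Disabled\n",
}

# A table row: privilege name, free-text description, then the state column.
ROW = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")

def parse_privs(text):
    """Return {privilege name: state} for every row in the table."""
    privs = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            privs[match.group(1)] = match.group(2)
    return privs

def accounts_with_impersonate(captures):
    """List (account, state) for tokens that hold SeImpersonatePrivilege."""
    # A privilege shown as Disabled is still held and can be enabled by the
    # process, so both states are reported; only absence means "not held".
    found = []
    for account, text in sorted(captures.items()):
        state = parse_privs(text).get("SeImpersonatePrivilege")
        if state is not None:
            found.append((account, state))
    return found

if __name__ == "__main__":
    for account, state in accounts_with_impersonate(CAPTURES):
        print(f"{account}: SeImpersonatePrivilege held ({state})")
```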
Anybody here relying on a Windows webhost and reading the advisory with trepidation, or is it an unlikely attack vector that no-one needs to worry about? Perhaps you're just annoyed at Microsoft missing this bit of shared code when it was creating Vista from scratch? Share your thoughts over in the forums.
Let's hope for a quick fix.
As much as I love my Mac, I'm inclined to agree with you here.
The question is not who patches quicker, but who introduces more bugs while supposedly patching.
Just another reason to use Linux, eh :p
No software product goes out the door bug-free.
That's not the right question: since the ratio of Windows-based systems to OS X systems is like 95:1, the discovery of bugs in OS X is also much, much, much less than in Windows. It's more likely that OS X contains hundreds of undiscovered bugs but due to the small application base. I guess there are 1% Apple-based SQL servers / web servers / application servers (is OS X capable of running these things anyway?)
It's a *nix, so I'll go out on a limb and say... yeah.
OK, since the last time I worked with a Mac, it was the size of a toaster with a 3.5 inch floppy drive and a smiling computer icon on the 7" black and white screen. It was called blabla II something...
I filed a bug report, but it never got dealt with and I never got feedback.
It made a fun trick when I used to do penetration testing, as it was a hole no one knew existed and could be used to take over the entire system.
Also, there are bugs that allow SQL and IIS to be started without proper authentication, or proper access. I haven't got any feedback on those reports either.
Anything important or web sites should not be used on a Windows box.
Apple = Fix it a bit after
Linux = WOOT! No bug in the first place
Well, I am a Linux Ubuntu fan, however, I am restricted to using Vista until more drivers start supporting it :(
512MB of RAM is the minimum if you want to install Vista faster than XP and be able to take a tiny bit of advantage of SuperFetch technology, and be able to have Windows Defender, the indexer, and the disk defrag utility run all at the same time while you surf the web. The more RAM you add, the more Windows will use RAM for SuperFetch, until reaching a certain extent. SuperFetch technology is a system that pre-loads your application before you open it. It's VERY smart and does an excellent job (one of the few things that Microsoft got 100% correct). Also, thanks to Vista's new and improved memory management, it allows such technology to have expendable space. Meaning, the more applications use RAM, the more SuperFetch will reduce in size. If you have ever tried Vista in your life, you will quickly find out that if you have 2GB of RAM, 1Gb will be in use; however, if you run a big game, Photoshop with several large pictures, Adobe Premiere and After Effects, you are still at about 1GB of RAM used. I will not believe that all these applications use 10kb of your RAM.
One big advantage of the Vista interface is that it doesn't use your CPU. So you have more CPU power in your hands, unlike XP. It uses your GPU. So yes, you do need a video card that is more powerful, like a GeForce 6200 (for smooth graphics).
If you don't have a compatible video card, you can use Vista Basic, which is essentially using the same engine as XP, just a different look. And if you have an even crappier video card, then Windows classic will do.
Microsoft did not fail with Vista, the only part they failed was to drop support for old hardware like they did with Win95. However, back then the issue was much smaller, as not a lot of people had computers as now.
When Windows 7 is released, everyone will be like "Wow, awesome OS, way better than Vista"; however, I am sure in reality they just did some tweaks and added 2-3 new features over Vista. And the reason why you and others will probably be happy with Win7 is because you will have a new computer by then, and not old hardware that is not supported by Windows, and not even by the hardware manufacturer.
If Vista would have failed, you will see this:
1- Your hardware manufacturer releases several latest drivers for your hardware
2- No matter what happens, the system causes severe issues such as BSODs all the time, or errors non-stop, like WinMe.
However, THIS IS NOT THE CASE.
Yes, Vista has its issues, as they restarted the core system from the ground up, so bugs that did not exist appear. And as a software developer, I can tell you that even me, when I restart the core engine of my personal software, I can tell you it's packed with bugs that never existed before, and requires fixing and debugging even more, like when you first program the OS. Already, comparing Win95 to Vista, Vista is impressive in stability and number of bugs found. If you read this thread more carefully, you will see that the problem mentioned also occurs on WinXP (which makes me believe in Win2k as well, as they are pretty much identical OSes, especially at the core level).
As for performance decrease in real-life tests, that is, using the OS without crippling it like BIT-TECH and others: you will see that on a new system using the latest standards, the OS outperforms XP in many fields. As for gaming, simple: the XP core system is the same as Win2k, which is the same as NT4... how old is NT4?! Yeah, so companies knew how to optimize drivers. I even recall when I had the GeForce 6600GT, for a moment there were new and newer drivers that made my video card go faster and faster. It's as if I had an OC without doing anything, and the reason was that Nvidia did optimization on the driver side. The same thing will and is occurring with the new hardware from Nvidia; however, Nvidia is more preoccupied with getting everything to work perfectly.
The problem with the XP core system is that it is based on the WinNT 4 core. Back then Microsoft was laughing their head off at "virus", "spyware", "malware", "trojans", etc... they were pretty much like "hahaha, who in this wonderful world will do such a thing... worst come to worst, we will simply patch the problem". Well, guess what? Now it's out of control. So a new core on a new OS was inevitable for Microsoft.
It is true that Vista has/had a fair amount of issues that should have been tested for so that they don't occur. The problem, I think, is that Vista's management team made bad decisions; for one, it was to mention Longhorn and Vista. That way investors won't push Microsoft to release Vista so soon. Yeah! I said "so soon", as if they had tested it even more for a couple more months, probably it would have been like Vista SP1. Another issue could have been bad management of resources, which led them to spend (possibly) more than what they really should have spent, and finally not focus more on their new OS. They should have focused more on it to have it released sooner, better, and with more features that the average user will see. As the average user doesn't understand what a "core" system is, and doesn't even have a clue how complex an OS is.
Another problem is us: we expect perfection. Which is understandable, which leads me to my last point where Microsoft failed, which is the price of Vista. For the price (at retail value) Vista should have been more or at least perfect, and it wasn't. If Vista was the same price as XP, and that Business edition was reserved for OEM and enterprises and that the Business edition would be the same price as Home Premium. And remove Home Basic edition. Oh, and finally, have an automated system on each edition that configures Vista (disables features) depending on your system specification. If you can't run Vista, you have things reduced. However, have something, without annoying the user, with information on upgrading their system to enjoy the new features.