12-May-01
Microsoft issued over 100 security patches for their products in 2000 (that's
about 2 a week). You'd think they'd have run out by now, but April's
performance suggests 2000 was just a warm up. For the first time in a news
article, we need an index!
Windows NT/2000 Security Blown!

This is BIG, very big. Several versions of SMBRelay now available on the Internet exploit a basic design flaw in Microsoft Networking. The vast majority of Windows 95/NT/2000 servers are vulnerable, and since this is "by design", not a bug, it isn't going to be easily fixed.

This exploit places itself between the server and the workstation. The server thinks it's the workstation and the workstation thinks it's the server. Meanwhile it sends all the passwords to its master for cracking at leisure.

Microsoft has a fix called NTLMv2, but it can be disruptive and difficult to deploy. The only other fix is to turn off TCP port 139, which disables SMB, probably breaking important software packages.

Analysis

Microsoft Networking is derived from IBM's old PCNet (you didn't think Microsoft came up with it all by themselves, did you?) and uses a protocol called SMB (Server Message Block). This was a weak network to start with, designed for very small offices, and Microsoft has added endless layers of Band-Aids and bailing wire to keep it alive. On your Windows system it's called "NetBIOS".

This network should have been scrapped many years ago, but one of Microsoft's big selling points is backwards compatibility. Many DOS/Windows software packages require it. Its importance is exemplified by the popularity of Samba, which allows a Unix / Linux server to act as an SMB server that looks like a Windows NT server to Windows workstations.

Microsoft's fix is difficult to deploy if the network isn't all
Windows NT Service Pack 4 and Windows 2000. We expect millions of
networks won't be fixed for years, and will remain vulnerable. If yours
isn't cracked, it'll be because the script kiddies just couldn't find time
to get around to it.
Windows 2000 / IIS 5.0 Wide Open!

Ok, this is EVEN BIGGER, affecting at least a million on-line servers, including all versions of Windows 2000 Server, Advanced Server and Datacenter Server running IIS 5.0 (Internet Information Server). Microsoft is pleading with Web administrators to patch this vulnerability immediately.

A buffer overflow problem in Web-based printing allows hackers, crackers, script kiddies and spies to gain system level access to the servers. With IIS v5.0, Web-based printing is turned on by default. "Exploits" have already been posted on the Internet.

Analysis

You just couldn't get much worse than this without posting your admin passwords on your Web site. It will likely result in millions more credit cards compromised.

Yes, Microsoft has issued a patch, but their whole selling point is that you don't need skilled (expensive) administrators if you select Microsoft products. Many sites won't even hear about the patch, never mind apply it.

Running a secure Web site requires the same administration skills and the
same amount of attention regardless of whether it's Windows or Solaris or
Linux or what have you. Microsoft tries to hide this fact, and bosses tend
to believe them, so Windows sites are always getting into trouble.
Insurance Goes Up for Windows

Insurance companies are now offering Web site owners insurance against hacker invasion, defacement and data theft. Insurance underwriter Wurzler has just announced they are increasing premiums for Windows NT based sites to 25% above the level for other platforms. Wurzler admits this is a complex situation and actual security is controlled by the site owner, but says they must set their rates based on actual experience.

Analysis

Microsoft IIS (Internet Information Server) running on Windows NT/2000 is used on about 20% of commercial Web sites, while Apache (running mostly on Unix / Linux / BSD) holds a 62% share. Despite this, about 55% of successful assaults are against Windows / IIS based sites. This means a Microsoft based Web server is about 8 times more likely to be successfully hacked than a Web server based on some other platform.

These statistics give the lie to Microsoft's oft repeated excuse, "If any other platform were as popular it would be just as vulnerable." Apache is far more popular, yet IIS is broken far more often.

So easy is it to knock over a Windows / IIS site, it carries no prestige in the hacker community. The script kiddies who defaced the Girl Scouts of America site felt it necessary to make excuses for attacking such an easy target. The defaced page is preserved for posterity at attrition.org.

It's not just script kiddies breaking into IIS sites, but real criminals after financial information, as exemplified by the "Russian Mafia" banking and ecommerce raids.

Now that the ice is broken, we expect other insurance underwriters to
follow suit, and 25% is probably not high enough (see above). The added cost
is sure to start factoring in to future platform decisions, and that isn't
good for Microsoft.
Windows 2000 Even Less Secure than NT

Attrition.org keeps statistics on invasive defacing of Web sites. They have noted a very rapid increase in the number of defaced sites running on Windows 2000, a rate more rapid than the deployment of Win2K.

Analysis

The high incidence of defacement of Win2K Web sites is probably because it has IIS v5.0 (Internet Information Server) built in. IIS v5.0 has been plagued by a number of very serious security problems, and defaults to a rather insecure configuration. Well, so much for getting a lower insurance rate by using Win2K (see above).

A further factor is probably Microsoft heavily advertising that Windows
2000 is much more secure than Windows NT. Under some conditions it can be,
but Web administrators are just trusting Microsoft's word and paying even less
attention to security than with Windows NT.
Microsoft ISA Firewall is Flammable

Microsoft just announced their first major security product, ISA Server (Internet Security and Acceleration Server), a Web proxy and firewall product to protect corporate networks from criminals, hackers and script kiddies out there on the wild, wild Internet.

A major security flaw has already been found. A hacker can simply send an oversize request packet and bring down the proxy server, cutting the corporate network off from the Internet until the server can be brought down and rebooted. Repeat until patched.

Analysis

Who would buy a firewall from the very company most noted for inattention to security? The sad fact is many businesses will. Many businesses have a policy of forbidding non-Microsoft products in any category where Microsoft has a presence.

I expect this is just the first of many successful exploits as ISA Server
takes its place as a prime hacking target. It's real hard to have any
sympathy for people who deploy this product.
Microsoft Distributes Funlove Virus

OK, to keep your Windows servers secure, you have to download security patches every week and install them. Well, these patches can be a security problem themselves, apparently. Microsoft patches posted between 6-Apr-2001 and 20-Apr-2001 were infected with the Funlove virus.

Analysis

This isn't the first time Microsoft has distributed viruses, and it's not
likely to be the last. Others have done the same (Hewlett Packard recently
distributed printer drivers infected with Funlove). Microsoft does a pretty
good job of keeping viruses out of their stuff, but with Windows so vulnerable
in so many ways, it's bound to happen now and then.
Microsoft Caught Claiming Rights to Your Stuff

Their new .NET initiative is the key to Microsoft's future. A key element of .NET is "Hailstorm", a consumer oriented services package. A key element of Hailstorm is expanding "Passport", a service currently controlling access to their HotMail service. Passport is supposed to keep a central database of personal information for every user of the Internet and control secure transactions with other sites. In other words, it is Microsoft's central clearing house for .NET.

Umm . . somebody actually read the Passport agreement HotMail users sign up to. Briefly, it stated that Microsoft had free and unrestricted rights to the use of anything that passed through the Passport service, regardless of patents, copyrights, or other legal niceties, and could use it any way and for any purpose they pleased. In other words, if you sent the plans for your newly patented world beating gizmo through HotMail, Microsoft claimed the right to manufacture that gizmo in competition with you.

Details of this license were published by The Register and resulted in an international flap. Many patent, copyright and intellectual property law firms have banned the use of HotMail or any other Microsoft service for transmission of anything. Many sites started refusing to accept and/or respond to mail coming through any Microsoft service, causing Microsoft to modify the license agreement, but only in the U.S. It remains the same in other countries.

Analysis

I just don't see a problem here. Anyone who trusts Microsoft with anything has the space between their ears stuffed with styrofoam packing peanuts and deserves what they will most certainly get.

Sadly, when Microsoft starts deploying .NET, a huge percentage of the
public will trust all their personal and financial information to a
company that has proven over and over they can't be trusted.
"Ethics? We've heard of them."
The GOOD News!

Scientists have determined that the Foot-and-Mouth Disease virus currently
ravaging England and other countries is NOT, I repeat, NOT
spread by Microsoft Outlook. Microsoft's legal department has expressed
considerable relief. Due to its involvement with so many other virus
outbreaks, Outlook had been a prime suspect. For details of the discovery see
the
original announcement.
And on Into May!

The Homepage Worm

A new Outlook email worm, apparently written using the same virus writing kit used for the AnnaKournikova worm, ripped through many companies during the first week of May. Some companies had to take their email systems off line to clean up.

Analysis

Oh, we are just so surprised.

- Analysis by Andrew Grygus

Links

Most of these links are to The Register because that was easiest for me. The Register articles have links to other supporting pages.
©:Andrew Grygus
- Automation Access
- www.aaxnet.com
- aax@aaxnet.com