
Microsoft finally catches the eight year bug

Microsoft released a patch this week for a critical vulnerability. The catch: this vulnerability has been known since 2000, and it's a bug in a service active on almost every MS Windows system in the world. How safe do you feel?

Microsoft Windows systems use the Server Message Block application-level network protocol to provide sharing capabilities for files, printers, and other resources. SMB is supported on many other operating systems, primarily by way of the open source Samba project, but most of the time non-Microsoft OSes use SMB only when they must be integrated into a network that also includes MS Windows systems.

In March 2008, Josh Buchbinder published proof-of-concept exploit code for an SMB relay attack vulnerability in Microsoft's implementation of the Server Message Block protocol. Since that time, a number of security testing tools have become capable of exploiting this vulnerability. According to Microsoft, "Public tools, including a Metasploit module, are able to perform this attack." The result is that for several years now it has been possible to exploit this vulnerability entirely via code written by other people and freely available on the Internet.

The vulnerability was discovered even before March 2007, though. Christien Rioux announced discovery of this flaw in the Microsoft implementation of SMB at DEFCON in 2000. That means this flaw was first discovered and announced at least 8.25 years ago.

Microsoft finally released a patch for the vulnerability two days ago.

I think this is a good time for some reminders about what constitutes good security practice for software vendors. First of all, you should probably refresh your memory with my article from last month, 5 characteristics of security policy I can trust. In it, I pointed out the following characteristics of good security policy:

  1. Full Disclosure
  2. Open Development
  3. Open Formats
  4. Privacy Friendly
  5. (Good) Vulnerability Management

On that last subject -- good vulnerability management -- I have written a few other articles that are relevant:

  1. There's more to security than counting vulnerabilities: The number of discovered vulnerabilities alone provides no useful information about the security of the software. A far more useful metric, if you must select one in a vacuum, would be how the developer responds to vulnerability discovery. The SMB vulnerability that took Microsoft more than eight years to patch is a pretty good indicator that Microsoft is a pretty poor choice for a vendor to trust.
  2. Why there's no such thing as a trusted brand: Corporations are not people. They do not have anything approaching an intrinsic, individual character. The only characteristics that are essentially unchanging in a given corporation are the characteristics that are necessarily intrinsic to all corporations, by their very nature. Everything else can change -- and that means no corporation is really "trustworthy". Don't place your trust in the vendor. Demand proof. Sometimes, "proof" means "source code", and if you can't compile the source yourself, but are only allowed to read source code that someone assures you is the same as what was used to produce a binary that is handed to you separately, you still haven't really seen proof of anything meaningful.
  3. The truth about viruses: Large, corporate software vendors tend to have policies that are optimized for the security of a revenue stream, and not for the security of the customer's data. An entire class of vulnerabilities, in the form of those primarily of use to viruses, is ignored and left unpatched by vendors like Microsoft. It is simply assumed that the slack will be taken up by antivirus vendors. Take heed of this behavior in a corporation, and realize what it means; given the opportunity, that vendor will ignore a vulnerability rather than fix it.
  4. Obscurity is not security: Pretending something doesn't exist doesn't make it safe from malicious security crackers. If security researchers can discover a vulnerability, so can unsavory individuals who actually want to use an exploit for personal gain or to wreak havoc, rather than just using it to demonstrate a vulnerability that should be fixed.
  5. How should we handle security notifications?: When you get notification of a vulnerability in your software, thank the person who discovered it. Fix the bug. Whatever you do, don't punish people for giving you information that can help, unless you actually want to be the absolute last person to find out about vulnerabilities in your software in the future. Let your users know about the vulnerability, especially if you won't be able to fix it quickly, so they can take steps to protect themselves.

This vulnerability is no minor, inconsequential issue. It can be leveraged to take control of a machine without knowing the password. According to the Microsoft Security Bulletin for this issue:

The vulnerability could allow remote code execution on affected systems. An attacker who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights.

If nothing else, at least take this piece of advice if you're a software vendor:

Don't wait more than eight years to fix a vulnerability that allows someone to remotely gain control of the entire system without even knowing or cracking the password. That's just irresponsible.

Note: Thanks to Sterling Camden, of TR's own IT Consultant Weblog, for the inspiration to write this article.


About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

43 comments
reisen55

Is it Y2K compliant? Sorry 'bout that chief. Missed it by that much.

me19562

It'll be interesting to know why it took so long to fix the vulnerability, but it's not like MS is the only one or the first. In June this year BSD found and fixed a bug that was 25 years old.

The Scummy One

Wow, I knew they were slow, but MS usually gets the worst ones fixed, at least, to a degree, in a somewhat timely manner. This should have been on their critical list a long, long, long time ago though.

apotheon

In the article, I said: "[i]If nothing else, at least take this piece of advice if you're a software vendor: Don't wait more than eight years to fix a vulnerability that allows someone to remotely gain control of the entire system without even knowing or cracking the password. That's just irresponsible.[/i]" I have a piece of advice for those who are not software vendors, too: [i]Choose your software carefully -- and understand that the security policies of software developers and distributors can be as important as the perceived quality of the software when you acquire it.[/i]

Sterling chip Camden

This one really skews Microsoft's average response time for serious vulnerabilities, I should think. What took them so long?

sar10538

I guess it went in the too hard bin and was swept under the carpet until the exploit code came out and gave the bug some "priority", that's if we accept the M$ explanation. If it costs them something to fix, that eats profit, so they need real "encouragement" to fix it. If you read into the background of Samba you can see the real mess that constitutes M$ networking from the early days of Lanman right through to present, as each different networking protocol was just added to the mix instead of extending a single type. I read somewhere that there was no one in M$ who knew all the different types of networking protocols they used, even though the code for all of them was included in each version of Windows for backward compatibility. This gave the Samba team some "interesting" work just trying to make it compatible with all these busted versions.

dogknees

Either MS is not telling the truth, or they really need some new programmers. 7 years to find a way to fix one bug! I don't think I could convince my boss to let me spend 1 year fixing a single bug, let alone 7.

apotheon

. . . with that vulnerability, it was already broken.

The Scummy One

but still bad. MS has been known to 'break' applications to change things up in the past. If this was truly the reason, why didn't they put out the patch, and beforehand inform developers of the change and possible effects? Once it was known how to fix their apps, I would think that many vendors would actually have their own patches out around the time, or shortly afterwards. As long as it wasn't a forced patch, it would have had a lesser footprint, especially if it could be undone. However, leaving a hole open which could cause a system to be broken into without even knowing the passwords, and controlled easily, would seem irresponsible to just ignore. However, it must not have been an easy one to perpetrate, since it was not a widely used exploit.

Neon Samurai

Very few exploitable bugs found ever and one or two left outstanding for a long time (BSD), vs. Microsoft's average time to patch exploitable bugs. The various BSDs are responsible for the flaws left unpatched as much as Debian is responsible for breaking and quickly fixing SSL. Mentioning other OSes doesn't improve MS's own record or make eight years vulnerable any shorter.

The Scummy One

Critical? Known? I do not know which bug this is so I cannot answer that. However, if it were both critical AND known, then that is a sad story as well. This was let known in 2000. The BSD bug may have been there, but when was the bug discovered?

sar10538

So what's the colour of the sky on your planet, bud?

apotheon

I've seen some fixed in about two years before. I've also seen some that were "fixed" by letting them sit there until that version of the software (e.g. MS Windows 98) was obsolete so they didn't have to worry about it any longer. I've also seen the same bugs reappear in a newer version of the software, so that even letting the software become obsolete doesn't fix things. "Timely" is not a word I'd use in reference to MS vulnerability patching policy, even if qualified by "somewhat".

apotheon

"[i]I guess it went in the too hard bin and was swept under the carpet until the exploit code came out and gave the bug some 'priority', that's if we accept the M$ explanation[/i]" That's really the crux of the matter. The fact it wasn't a "priority" for Microsoft doesn't mean it wasn't a huge problem for some of Microsoft's customers, though: 1. The vulnerability was publicly known for at least eight years. 2. There was actually known exploit code for at least seven years. 3. What made it a "priority" for Microsoft seems to have only been that an actual exploit generating framework -- the kind of thing that even script kiddies can use -- started supporting the long-standing vulnerability. As a result of the above, I'd have to assume that there were probably exploits for this vulnerability being used "in the wild" for years, and the volume of them wasn't great enough for Microsoft as a whole to give a damn. I'm sure the relatively low number of security compromises that were reported for this vulnerability is a huge comfort to those who were the victims of those compromises. Unfortunately, [url=http://sob.apotheon.org/?p=444][i]corporate responsibility[/i][/url] basically dictates that this sort of problem [b]will[/b] occur. Period. Cost-benefit analyses are performed to measure the immediate financial impact on the corporation, not the inconvenience and harm done to the Microsoft customer base.

Tony Hopkinson

programmers spending 7 years convincing management they could and should. There's no way they couldn't have coded in some workarounds; risk and cost vs. benefit can't have added up. Let's face it, MS was so open to attack through most of those eight years, what's one more vulnerability?

Jaqui

It should have been resolved much faster, no doubt about that. Unfortunately, with the market share MS has, a fix that breaks operations for 90%+ of the world's business is not really an option, so they had to find a fix and make sure it didn't break anything else.

apotheon

"[i]The various BSDs are responsible for the flaws left unpatched as much as Debian is responsible for breaking and quickly fixing SSL.[/i]" Actually, the Debian package is to blame for the SSL problem, and the Samba team is to blame for the BSD problem. The BSD team isn't to blame for the filesystem problem any more than the SSL team was to blame for the Debian SSL problem. In both cases the downstream people (Debian and Samba) failed to communicate effectively with the upstream people (SSL and BSD). Neither situation is really comparable with the Microsoft situation, though. In Microsoft's case, the corporation was fully aware of the bug, but did nothing about it for eight years.

me19562

Actually Samba developers knew about it but didn't care to report it.

apotheon

It was known for a while, but the people who knew about it never bothered to report it to anyone in a position to fix it. It was a bug that very rarely affected anything. It was not critical. It was not, in fact, a vulnerability -- it was just a (security-wise) harmless bug.

apotheon

The long-standing, unpatched security vulnerabilities in Microsoft's offerings are not really well known. I think it'd be more productive to explain that this is actually part of a (little-known?) trend in Microsoft security patching policies than to simply ridicule him. If he then declares you an idiot for daring to use evidence and logic to point out his error, however, and insists on continuing to describe Microsoft as a security conscious, responsible organization concerned with the well-being of its individual customers in the common case, then it's open season.

sar10538

Succinctly put my friend. It all depends on the damage to the public image as to whether some outfits respond to these things. If it looks like it will tarnish the corporate image, it gets fixed and the whole PR department gets involved in damage control. Sadly it's just the wrong type of business ethic, protecting the company and not the customer. But you can see that from the very first moment you read the EULA, assuming you have a choice, of course. It's not even as good as all care and no responsibility today.

Jaqui

After all, MS does test patches before pushing them out, and an SMB protocol patch would have networking tested heavily. You might need to remove the network drives and add them back because of the patch.

Jaqui

I was just looking at it the way any Fortune 500 IT department would. "don't break anything fixing your screwup" and thinking about what would happen if MS broke it severely enough to kill networks in business use... not a pretty picture, the loss of business lawsuits.. and the lost income for a lot of small companies would be ruinous.

Sterling chip Camden

I applied that patch to all Windows systems on Wednesday -- I wonder if that's why my wife is suddenly having more trouble keeping her mapped drives online over wireless...

apotheon

An optional fix, or a "secure mode" and "compatibility mode" setting, or any of half a dozen other ways to deal with it, would have solved that problem. There's really no excuse for the way this was handled.

apotheon

I actually mentioned the BSD bug in an article titled Not Invented Here has no place in open source development back in May.

me19562

I'm sure that we will see a lot more in the future from MS and others.

The Scummy One

I read a different article which didn't state it as known. Then I scanned this and missed that part. Reading the entirety sheds new light. Sorry 'bout that. However, there was a workaround and it was not critical to fix. Aside from that, yes, it was a slow patch as well.

The Scummy One

Do you have links on this? But in any event, it would not have been critical anyway, and nobody could just take over your system because it was there.

apotheon

You haven't been so obstinately nebulous in your pronouncements, pretentious in your choice of words, and small-minded in your attacks on others for a little while, santeewelding. I guess I should have expected you to eventually return to form, though.

apotheon

"[i]Imagine if a hypothetical certain make and model of car was prone to serious problems. It would be surely a positive thing to bring this to the attention of others, for the benefit of all, than to assume this is not what one should consider as 'journalism'.[/i]" I made no judgments about what should or should not be considered "journalism" -- I merely pointed out what [b]is[/b] generally considered "journalism". From that basis, I went on to point out that not everyone can be expected to know everything outside of that mainstream impression of "journalism". "[i]As for niche experience, this forum itself is a niche and one needs experience to take part in it. This forum is not broadsheet, mainstream news; by its very nature input into this stream is going to be a niche market.[/i]" Indeed. I'd expect to occasionally see mention of something like this eight year bug problem here -- though I'd more often expect to see stuff leaning more toward the mainstream journalism run-of-the-mill. If it didn't, the site would probably lose readership at an unacceptable rate. Even so, though, I don't expect everyone who comes here to already know everything that's being discussed before it is brought up. As such, I'm willing to give someone the benefit of the doubt when he or she expresses an impression of how the world works that doesn't take into account things that haven't been mentioned in the current discussion yet, unless I know for a fact that person has been exposed to such evidence before. Thus, I think going for the jugular when ignorance about trends in Microsoft bug handling policy is expressed, without checking to see whether the person has already been exposed to evidence of those trends, is kind of overly harsh.

"[i]Some sites are practically owned by the big corporates in one way or the other so in that way any content is going to be sanitised.[/i]" Perhaps you're not aware of this fact, but TechRepublic is a subsidiary of CNET (not exactly a small company, at least in Internet content distributor terms), and CNET was recently bought by CBS. You [b]have[/b] heard of CBS -- right? "[i]My original comment on this thread was that it seemed somewhat blatantly naive for this sort of technical discussion but I do apologise to the original poster for making such a comment now as I really intended no offence. It was intended as a light-hearted joke but seems to have developed like topsy.[/i]" It's good to know you didn't intend any offense.

sar10538

and occurs far too frequently for my liking. If this leads one to speculate on a larger argument then perhaps there is one; it's up to you to make your own judgement. Imagine if a hypothetical certain make and model of car was prone to serious problems. It would be surely a positive thing to bring this to the attention of others, for the benefit of all, than to assume this is not what one should consider as "journalism". Indeed, failure to do so might be considered cause for bad "journalism". The very action of bringing this matter up is going to have impact on this hypothetical manufacturer, even being called bashing, if you like, but the consequences of not raising the issue could be dire to the customer. Would this be wrong, would this be an agenda, as to me you seem to imply, apotheon? My comments indicated that the truth is out there should you seek it; just don't take my word for it, I would not expect anyone to do that. As for niche experience, this forum itself is a niche and one needs experience to take part in it. This forum is not broadsheet, mainstream news; by its very nature input into this stream is going to be a niche market. If these bugs, problems, failures, whatever, are being discussed openly in any forum then that knowledge is known, it's out there, and certainly in the hands of the parties whose responsibility it is to fix these things. If one lives in this environment and makes responses to these sort of technical forums one should be somewhat expected to be reasonably aware of the real situation. Mainstream journalism is hardly likely to be interested in this sort of banter as it does not fit their demographic, but the real deep down technical press are fully aware of what goes on but are not always motivated to disclose.

When I used the term "the other press" I intended this to point to sites that publish the sort of truth that would be embarrassing to certain bodies who would likely pull advertising, and put significant pressure on that site not to display this sort of stuff. Some sites are practically owned by the big corporates in one way or the other, so in that way any content is going to be sanitised. There was no reference to journalism as I'm sure that any journalists would find it quite a career limiting move to be involved in such disclosure. If you want to know the truth about things you don't ask the party involved about such things; you seek truly independent sources for your learning. My original comment on this thread was that it seemed somewhat blatantly naive for this sort of technical discussion, but I do apologise to the original poster for making such a comment now as I really intended no offence. It was intended as a light-hearted joke but seems to have developed like topsy. Sorry, there is too much input here and I'm becoming guilty of the same things that I'm commenting on.

santeewelding

If you disengage the matrix of "social reality" from "the actual intent, content, (and) meaning of what (you) say", you remove one member of your argument leaning against the other. I see your reluctance. Further, if I question "the" social reality as other than "the", and I do, crap collapses.

apotheon

What -- you just ignore the actual intent, content, [b]meaning[/b] of what I say because I use the term "mainstream" as shorthand for "that which is most visible and ends up accepted as authoritative because of popularity"? If you want me to avoid referring to the social realities of our world when I'm discussing social phenomena, I'm afraid you're going to be disappointed.

santeewelding

Would you please try making your point(s) without relying on the Great Unwashed, variously referred to as "most people...surrounding nonexpert enthusiasts...a lot of people...mainstream...educable...tools" (at least you didn't use the old, "vast majority"). Remove that prop, that backdrop (dare I say, "straw man"?) and your coterie of "experts", to include you, I guess, would not exist. Nor the self-exaltation. Or is that what you are so blatantly doing? Lose it. I'd like to see what remains. And I don't mean that in meanness. I would cheer you in all that you do more.

apotheon

I don't think "the press" in general really comments on this sort of thing at all. The problem is that something like this is only news if it gets fixed -- and even then, it usually isn't considered news. The people who tend to bring something like this up are those who use it as supporting evidence for a larger argument -- which is not the sort of writing that usually goes into what most people think of as "journalism". Most people follow "the news", and don't so much delve into community discussion amongst focused groups of experts and the surrounding non-expert enthusiasts. That's changing to some extent, thanks in large part to the increasing part the Internet takes in the lives of people in the industrialized world, but there are a lot of people still whose major sources of information are mostly the sort of thing that looks "official" and "authoritative", rather than taking into account niche expertise outside of the mainstream. As a result, I don't expect most people to know about this sort of thing. I just expect them to be educable about this sort of thing. When that fails, I know they're just tools who are resistant to learning. Until that point, though, I prefer to assume they want to know the truth about things, and have simply had their knowledge accumulation stunted by exposure to mainstream news sources.

sar10538

Referring to a statement like "Wow, I knew they were slow, but MS usually gets the worst ones fixed, at least, to a degree, in a somewhat timely manner." I thought it was common knowledge that this is not the case. I've read so many rants in the past about known vulnerabilities that have not been patched, the existence of this latest security hole did not surprise me in the least. Perhaps I read the other press, not the sanitised ones.
