Windows Vulnerabilities XPlained
August 18, 2003 11:49 AM

Windows Vulnerabilities XPlained I've always used Gibson Research's website to test my Windows system for vulnerabilities. With the latest BLAST aimed at MS, I thought to share his site with the class. While Mr. Gibson obviously has some axes to grind and bones to pick with Microsoft and with various software firewall makers, his explanations of how Windows can be XPloited in terms that are fairly easy to understand are most appreciated. Be sure to check out the numerous free utilities (small downloads! I mean, really small!) that will help you plug nearly every hole in your Windows.
Didn't know MS had shut down til just now, either
posted by WolfDaddy (42 comments total)
"Didn't know MS had shut down til just now, either"
posted by mr_crash_davis at 12:00 PM on August 18, 2003

WolfDaddy, try
posted by mathis23 at 12:01 PM on August 18, 2003

stupid faster crash davis
posted by mathis23 at 12:02 PM on August 18, 2003

Erm, I meant to say I didn't know that the domain had been shut down until I found the alternate way to get there from info on Steve's site. Sorry 'bout that.
posted by WolfDaddy at 12:04 PM on August 18, 2003

*pfft* Vulnerabilities... I ask you. Nobody cares about going around your system unless you're exceptionally interesting or depraved. Virus checkers? Pah. Firewalls? Pah. Live on the edge, take a chance!
posted by Resonance at 12:09 PM on August 18, 2003

that guy is on so much crack it isn't funny. and it's not the good crack either, it's the bad, bad crack. but even that doesn't prevent him from being right about stuff on occasion.
posted by dorian at 12:14 PM on August 18, 2003

Gibson is a tool.
posted by machaus at 12:18 PM on August 18, 2003

Fuck Gibson.
posted by angry modem at 12:41 PM on August 18, 2003

Did you hear about the anti-worm that runs around and patches vulnerable computers? @slashdot
posted by dabitch at 12:46 PM on August 18, 2003

After looking through the links posted by machaus and angry modem above, I don't see anything wrong with Gibson, other than the fact that some people don't like him.
What am I missing?
posted by Outlawyr at 12:55 PM on August 18, 2003

Gotta say I'm a little mystified as well. As I stated, he's obviously got some axes to grind, but his tools work, at least according to my own security experts.
posted by WolfDaddy at 1:08 PM on August 18, 2003

I have never once seen a cogent argument from the Gibson-haters, nor can I imagine why anyone who doesn't work for one of Microsoft's security teams would want his efforts snuffed out. It seems like blind hatred to me.
posted by Succa at 1:28 PM on August 18, 2003

One aspect of a recent XP virus (w32.blaster.worm) was having infected computers pound the Windows Update site with a DoS attack. Maybe it's related?
posted by crunchland at 1:32 PM on August 18, 2003

I just don't understand the whole "we hate MS thing". They build a quality product and made the computer a worthwhile investment.

I won't even go to slashdot anymore because of how asinine the hate is.
posted by Yossarian at 1:56 PM on August 18, 2003

What's the consensus? People who don't hate Gibson for some reason or other and actually did download his patches find they work well?
posted by Triplanetary at 2:13 PM on August 18, 2003

Gibson's a tool, but Microsoft sucks for not patching a well known RPC buffer-overflow exploit quicker, considering it's been around for like 7 or 8 months. Blaster is a poorly written worm, and could have been a hell of a lot more effective if the author had made better coding decisions (such as using ip addresses instead of host names). We got off easy.

Bottom Line: XP is a great home OS, but if you're running business apps on it, go download Linux instead.
posted by SweetJesus at 2:16 PM on August 18, 2003

Not that easy, remember that blackout? might have been the blaster. (I'm still laughing at the worm that cleans up blaster infected machines, how sweet).
posted by dabitch at 2:23 PM on August 18, 2003

Ok, Gibson is a self-propagandizing marketing expert (not that I have anything against marketing, mind you) who promotes poorly constructed software that claims to be revolutionary by doing stuff people have known about for years.
Now, I know what you're all thinking, the source of my information is biased, but the articles are taken from a variety of sources and hosted on that site. In other words, the bias is real but it didn't influence the writing of the articles, just the selection.
posted by Grod at 2:25 PM on August 18, 2003

Damn, almost forgot: this is an interesting examination of Gibson's claims in his DoS paper.
posted by Grod at 2:27 PM on August 18, 2003

Microsoft moved from one of their servers to an Akamai Linux server.

No they didn't. /. got all excited about that too until someone pointed out MS was mirroring their content with Akamai (which is what Akamai does). Take a closer look at your link: know of a Linux port of IIS?
posted by yerfatma at 2:31 PM on August 18, 2003

The links you presented are all questionable to me. First link presents out of date claims mocking Gibson for failing to produce promised utilities when in fact at least two of the utilities are indeed now available. Second link slams Gibson's (or ZoneLab's) free products in order to better sell hardware-based (and non-free) firewalls. Third link questions Gibson's self-aggrandizing (and appropriation of old technologies for his own use) while failing to address the viability of the utilities he provides for free in a manner that's easy to understand by the layperson.

The last link you provided loses all credibility by linking to this right off the bat. Criticism is fine, but grcsucks--as with many *sucks sites--really exposes a level of childishness that is making me tune out. As Succa says, where's the cogent (not to mention adult) arguments? To be honest, after reading all the links you provided I feel that many people feel the same way--irrational and emotional--about Gibson as they do about Microsoft.

I've done some searching and haven't yet found a well-reasoned critique of Gibson's tools in an agenda-free forum. Since I've often recommended his site to people, if there's any such critique out there I'd love to see a link so I can decide for myself whether I've been led down a primrose path when it comes to Gibson's tools, but a reasonable critique doesn't seem to exist, as far as I've been able to determine so far.
posted by WolfDaddy at 4:50 PM on August 18, 2003

Yeah, yerfatma, I was wondering about that when someone first linked to the "Windows hosting on Linux" on Slashdot. Although I figured that if anyone had a secret copy of IIS that ran on Linux, it would be Microsoft. Thanks for clearing it up.

Although I'm a great Linux fan, I really feel the major reason Microsoft suffers more security flaws / attacks than Linux is simply because it's the more obvious target. If we ever get to the stage where 95% of desktop PCs are running Linux, you can bet people will be finding exploits for them just as often, although patching Linux tends to be a faster process than in Windows.
posted by Jimbob at 5:14 PM on August 18, 2003

Gibson's a moron. Listening to him whine on about the raw-sockets-in-XP thing was annoying at best. The guy's technical background consists of marketing? har! Almost any decent OS has allowed that to happen since the inception of sockets!

oh, and NanoProbe ? heh. that's just too funny. I guess I was developing NanoProbes when i first learned sockets too.

to summarize: his NanoProbes do work, regardless of how HalfAssed the code may be. He has legit concerns, but just like anyone else that wants to walk in and start screaming about the falling sky, we'll laugh at you and tell you the sky fell a long time ago. (we == us tech nerds).

he should have stuck with something easy, like internet mass marketing.
posted by shadow45 at 5:45 PM on August 18, 2003

forgive the oddly structured post, it was composed and edited over 2 segments while mefi was refusing connections (!!). i ate dinner and came back. burp
posted by shadow45 at 5:46 PM on August 18, 2003

oh, and MS has done _plenty_ to deserve the hatred. Yeah, it's gotten nuts over there on Slashdot and the editorial slant is pretty bad- but there is legit concern at the base of that, for tons of reasons.

I wouldn't expect people to support oil companies that rape women by proxy of military, and I would hope people wouldn't support companies who use thievery, anti-competitive tactics and other legal tricks to silence the opposition. The fact that they got called on their bullshit and walked with a slap on the wrist just shows how weak the courts are for BigBusinessCo. It's sickening.
posted by shadow45 at 5:53 PM on August 18, 2003

yeah and while i'm at it, this whole RPC bug and the host of other critical flaws found in Windows lately - what the fuck! Trustworthy Computing? you're telling me someone scanned that code, with security in mind- and missed that? it's a freaking textbook classic!

it just sucks that this is the state of the code that is supposedly so important to business. and they make so much goddamned money, and a simple audit would have stopped it flat.

you just pray to god, billy g- that the next worm with this kind of exposure doesn't have some nasty disk-erasing payload or something. it might finally illustrate to the rest of the world the kind of crap you force us to renew at top dollar. Open License. great. bleed us more, billyg.. bleed us more...
posted by shadow45 at 5:59 PM on August 18, 2003

Gibson's a tool, but Microsoft sucks for not patching a well known RPC buffer-overflow exploit quicker, considering it's been around for like 7 or 8 months.

Microsoft published a patch a month ago. More than enough time to install it before the worm hit. Still, it's news to me that the vulnerability was known for 7 or 8 months... Can you provide a link?
posted by blue mustard at 6:37 PM on August 18, 2003

i don't know when it first hit but some Dutch (i think) group by the name of LSD (Last Stage of Delirium.. heh) put out an official public advisory on ntbugtraq. that was a month or so ago, and we all knew at that moment the shit was going to hit the fan. however long it might have been public is just one thing- what about the assholes that knew of this exploit a while ago? think of what they could have accessed.. it's such a critical flaw.
posted by shadow45 at 7:11 PM on August 18, 2003

shadow45: i don't know when it first hit but some Dutch (i think) group by the name of LSD (Last Stage of Delirium.. heh) put out an official public advisory on ntbugtraq. that was a month or so ago, and we all knew at that moment the shit was going to hit the fan. however long it might have been public is just one thing- what about the assholes that knew of this exploit a while ago? think of what they could have accessed.. it's such a critical flaw.

So what you're saying is that by "7 or 8 months ago," you meant "1 month ago?" I wonder if I can get my boss to multiply my salary eightfold if I just tell him they're the same?
posted by Sinner at 7:20 PM on August 18, 2003

Actually, there were working exploits out in the underground well before the LSD paper came out. More on the lines of a month or two prior to publication than 7 or 8 months though. Some people say that the reason exploit code was released so quickly was that those with the exploits decided to release them once the patch was made available.

LSD is Polish, by the way.
posted by datadawg at 7:42 PM on August 18, 2003

Sinner: when did I ever say 7-8 months? Please, check your facts before you get all snappy. heh.

and yeah, i figured it already existed in the underground... i can remember years back when that was my thing. i had quite the collection of exploits, kinda made it my personal task to find and archive each one related to unix in any way.

it was real useful exactly two times :)
posted by shadow45 at 7:53 PM on August 18, 2003

Speaking as someone who does read all the major security mailing lists, has conducted penetration testing on several servers at the request of their admins and has managed to get into a few, but is far too poor to get himself to either Defcon or Blackhat (read that last one as a disclaimer: security is a personal love, not my job): Gibson is a know-nothing tool.

You can buy McDonald's salads to try and stay healthy . . . but why in God's name WOULD you?

Gibson is the McDonald's, the Disney, the AOL - the friendly shyster corporate fuckwit of security. He is a discredit to the security community, a scare-mongering asshat more frequently wrong than right trying to boogeyman idiots into buying his products and nobody who actually wants to REALLY assess the threats against them should pay the slightest attention to him.

Seriously, people - fuck Steve Gibson. He is the gimpy dwarf of a team mascot compared to security's own Michael Jordans - Bruce Schneier, DJ Bernstein, Theo de Raadt, and others . . .

Get yourself AV and anti-spyware software, avoid IE and Outlook/Outlook Express, keep yourself patched, and buy a hardware router/NAT to act as a firewall (preferably not Linksys - they are constantly finding new holes in Linksys products). Set it to drop all incoming connection attempts despite the inconvenience with file transfers on IM this may cause you (you can get around it with the latest IM beta, though). If you're an average user, that's all you need to do. If you know a bit about *nix and want honest, solid security funded (until very recently) by DARPA - check out OpenBSD (only one remote hole in the default installation in 7 years).

If you're running a server - replace Sendmail with Postfix (preferable) or DJ Bernstein's Qmail, consider tossing BIND for Bernstein's DJBDNS if you're not doing anything too heavy, and so on. I don't even need to tell you to use Apache instead of IIS, but I will. Look at the security history of the packages & products you use and take heed - history WILL repeat itself. Yes, this means you have to READ and actually know things and maybe do a little research - I'm sorry, but the world is a complicated place.

Whatever you do, ignore Steve Gibson. As long as he keeps peddling easy solutions to difficult problems and maintains his sad cult of personality through scare tactics an increasing number of people will fall into his trap and the overall security of the Internet will actually decrease.
posted by Ryvar at 9:14 PM on August 18, 2003
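The "drop all incoming connection attempts" stance recommended above, written out as an added example for a Linux host running iptables (this is not code from the thread or from any product it mentions). It assumes the Internet-facing interface is named in WAN_IF (a placeholder, default eth0) and that iptables with the conntrack and limit match modules is available; everything is emitted as text first so the ruleset can be reviewed before it is applied, and unsolicited inbound SYNs are logged (rate-limited) so you can see who is knocking.

```shell
#!/bin/sh
# Added example: a default-deny inbound firewall with iptables.
# Assumptions (not from the thread): Linux, iptables with conntrack/limit
# modules, WAN_IF is the Internet-facing interface (placeholder default eth0).
WAN_IF="${WAN_IF:-eth0}"

# Emit the ruleset as text so it can be reviewed or diffed before applying.
# Policy: nothing comes in from the WAN unless it is a reply to something
# this host started; loopback is always allowed; invalid packets are dropped.
inbound_drop_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i $WAN_IF -p tcp --syn -m limit --limit 5/min -j LOG --log-prefix "inbound-drop: " --log-level 4
iptables -A INPUT -i $WAN_IF -j DROP
EOF
}

# Self-check used before applying: a ruleset only counts as default-deny
# inbound if the INPUT policy is DROP and replies to outbound connections
# (ESTABLISHED,RELATED) are explicitly let back in, otherwise the host
# would cut itself off from its own traffic.
is_default_deny() {
    printf '%s\n' "$1" | grep -q -- '-P INPUT DROP' &&
    printf '%s\n' "$1" | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT'
}

# Number of rules the ruleset would install (useful for a sanity check).
rule_count() {
    inbound_drop_rules | wc -l | tr -d ' '
}

# Apply the rules. DRY_RUN=1 (the default) only prints them; set DRY_RUN=0
# and run as root to install them for real.
apply_rules() {
    rules=$(inbound_drop_rules)
    is_default_deny "$rules" || { echo "refusing: ruleset is not default-deny" >&2; return 1; }
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$rules"
        return 0
    fi
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found" >&2; return 1; }
    printf '%s\n' "$rules" | while IFS= read -r line; do
        eval "$line"
    done
}

apply_rules
```

Run it once as-is to review the output, then `DRY_RUN=0 sh firewall.sh` as root to install it. The logged SYNs (search syslog for the `inbound-drop:` prefix) are the cheap detection half of this: a sudden flood of dropped inbound connections to one port is exactly what a scanning worm looks like from the outside.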

Apologies - latest AIM beta. AIM now has the option to use AOL's servers to proxy file transfers through, and if you have two people both with firewalls set to drop all incoming new connection attempts (most firewalls/NATs/many routers have this option), you'll need this capability.
posted by Ryvar at 9:18 PM on August 18, 2003

Ryvar, the "average user"--at least based on my own seven years working in the industry--still won't even begin to know the questions to prompt the answers you've suggested here, nor will they care enough to wonder why they should give up any software made by Microsoft. There are far, far too many knowledgeable people who refuse to shed the cloak of technopriest superiority to talk to the "average user" in lay terms. Far too often, they simply can't be bothered with the ignorance of the proletariat.

So along comes Gibson, a seeming cyber-Batman, using FUD to keep the ordinary Gothamites in line. If someone uses Gibson's tools and downloads his recommended software firewall of choice, and subsequently every tool that someone can find on his or her own says he or she is satisfactorily protected, how will they ever know enough to care that they are, in your words, decreasing the overall security of the Internet? "Gibson is an asshat," said with conviction, simply isn't enough.
posted by WolfDaddy at 10:12 PM on August 18, 2003

not to mention the inherent dangers of accepting IM file transfers -- it doesn't matter who you are, you have friends that are idiots ;-]

disregarding any of MS' evilness/bugriddenness/etc., just the fact that they do have such a majority of desktop share is reason enough to use something that the crackers and kiddies aren't targeting: buy a mac (a G3 will run OSX quite nicely, I've found), or install BeOS or QNX, BSD, Linux, etc. pick up an old AlphaServer on the cheap and kick some ass.

I dual-booted for the longest time, but am finally at one whole year of being entirely Windows-free. Now I only have to do random light iptables maintenance, instead of all the constant spyware/adware/virus dancing. And occasionally boot a known-good knoppix CD and run the latest version of chkrootkit...I guess you could say that understanding Windows is a good way to build up some healthy paranoia.

also, Gibson is an asshat.

My name is Dorian and I am a Techno-Hippie.
posted by dorian at 10:18 PM on August 18, 2003

>Microsoft moved from one of their servers to an Akamai Linux server.

Naww, it's still Windows, but netcraft can only see whatever gives it a response, thus all akamai users are Linux because of their Linux proxy/load balance setup.
posted by skallas at 12:27 AM on August 19, 2003

DaBitch -- I have heard about the worm that tries to run patches.

Look at Symantec's website and see what they have to say about that worm
posted by RubberHen at 12:55 AM on August 19, 2003

Well, I downloaded some "utilities" from Gibson's site, then ran antivirus software on the exe before I ran it, as is standard operating procedure...and McAfee said that it was a especially freaked out about the LeakTest.exe. Out of curiosity, I dumped the file onto another box and ran Norton on it...again, virus warning.

And while I'm not an IS security expert, many of my friends are...and none of them are very hip on Mr. Gibson.
posted by dejah420 at 6:35 AM on August 19, 2003

Dabitch - Nachi / Welch, whilst supposedly a 'benevolent' worm, has made my day a misery today. In a large network it swamps links with traffic and generally makes a nuisance of itself. bah.
posted by viama at 2:02 PM on August 19, 2003

Ryvar - please back your argument that Linksys is full of holes. A brief search on Google turned up nothing for me.
posted by Nauip at 11:15 AM on August 20, 2003
