Microsoft releases FixIt for critical flaw in 100 apps

Microsoft has released a software tool that helps system administrators protect PCs against a critical class of vulnerabilities found in more than 100 applications from a variety of software makers. The FixIt Tool works only on machines that have already installed the workaround Microsoft published last week. The latest point- …

COMMENTS

This topic is closed for new posts.
  1. Anomalous Cowturd
    Linux

    Oh deary me, I have Opera AND an Nvidia graphics card...

    Oh wait, this is only a Windows vulnerability.

    Phew, that was close.

    ^^^^^ Put a little penguin in your life!

    1. Tigra 07
      Flame

      Penguins will die from the global warming

      When the world wants a system that will take a long time to learn how to use and set up and is evil.

      Then the take up of apple will really take off.

      Microsoft get a lot of stick for problems that aren't always their fault.

      Whether they had thousands of unpatched flaws or not, I'd stick with them because of how much they donate to charity (especially when Bill was in charge) and how simple to use they are.

      Let's face it, with more old people using the net, it's easier to set up a Windows computer and let them use it than sit there explaining how to set up Apple drivers and partitions.

      1. Penguin herder
        Linux

        Penguins

        Penguins have an interesting life cycle; the ones who tough out the antarctic winters could probably do with a little warming, so it will take a while to kill them off. As for Windows being easy to use, those days are ending. It's not just that Linux is getting better (it is BTW), but Microsoft has been changing stuff around to the point that the argument to stick with them is pretty weak, at least if all the struggling Win7 users I pass on the way back to my Linux box are any indication.

        1. Tigra 07
          Coat

          Penguins need the snow

          "Penguins have an interesting life cycle; the ones who tough out the antarctic winters could probably do with a little warming, so it will take a while to kill them off."

          Penguins will be gone when all the ice is melted and will have no food as the fish move to find the same temperatures.

          And Windows 7 sets itself up, you only have to put your name in when it asks and choose which modem is yours for it to connect.

          If your customers weren't smart enough to do that then no way could they use Linux without help.

          1. Penguin herder
            Linux

            Smart has nothing to do with it

            "And Windows 7 sets itself up, you only have to put your name in when it asks and choose which modem is yours for it to connect."

            Don't do much software development, eh?

            "If your customers weren't smart enough to do that then no way could they use linux without help"

            They're colleagues, not customers, and VERY smart people. The point is that they are experienced Windows users, and they are no longer able to use Windows without help. Our IT group has not the guts to do it, but I would really like to see us take a couple of our shared workstations and install just about any Gnome based distribution.

      2. Chris Harden
        Thumb Up

        Nice!

        An Apple Bash, directed at a 'Linux Guy' (no sexism intended), which was a Microsoft Bash!

        20 points if you re-comment that, but find a way to include a bash at BeOS as well.

        P.S. You're my hero.

  2. Anonymous Coward
    FAIL

    How the F are you going to confirm this?

    "We recommend users only double-click on file icons from WebDAV shares known to be trusted, safe, and not under the control of a malicious attacker,”

    HA HA HA

    1. Anonymous Coward
      Pint

      Uh ...

      Um, not that hard really ... Don't click on WebDAV shares? Use a lot of them do you ...?

  3. Anonymous Coward
    FAIL

    zzzzzz

    oh another schoolboy coding error from Macroshite. How amazingly surprising.

    ...disable WebClient:

    1. right-click My Computer and select Manage

    2. in the left panel, expand Services and Applications, then click Services

    3. in the right panel, double-click WebClient

    4. change the service to Disabled, then click Stop, and click OK

    while you're there, you can prob disable at least 20 other bits of junk you never use

    1. Charles 9

      One problem...

      WebDAV is also used on corporate INTRAnets, too. Disable WebDAV and you'll probably lose access to internal networks as well. Not a good thing when you're collaborating.

      1. heyrick Silver badge

        Dunno about corporate intranets...

        ...but I run a small intranet in my bedroom with Windows shares, VNC, that sort of stuff. Got rid of the WebDAV client (left the background service "for now") and all continues as normal.

    2. Anonymous Coward
      Welcome

      got any better ideas?

      6 downvotes for the best advice on this page?? OK, so I have a bad attitude; that tends to happen after 20 years of this drivel... I have turned off the WebClient service (WebDAV client) on many of my customers' machines without a single complaint. It is one of the approx. 20 services that can be disabled on a default XP install with no loss of functionality **for the average user**. Yes, if you have Special Needs such as being foolish enough to integrate your intranet with your productivity software, you might need to leave the WebDAV client enabled. But you are 1 in a million, champ, go figure. Disabling redundant services is not only a core security fundamental (minimise the attack surface) but also speeds up the machine, on boot and during operation, plus reduces memory consumption and disk usage, thus boosting productivity, reducing power consumption, reducing heat and noise, and ultimately prolonging the life of the machine. In addition to saving money due to smaller maintenance costs, less power usage and longer-lived hardware.

      1. Anonymous Coward
        Anonymous Coward

        @ac

        if your clients are still using WinXP - a decade old OS that has been replaced both by Vista (okay, not a good thing) and now Win7 (a much better thing) - then I have to wonder if they realise they're being fleeced if they're paying you for advice.

  4. MYOFB
    Pint

    At least that explains why . . . .

    . . . everything else Microo-Shite has gone wrong today/tonight!!

    SNAFU !!

    Beer? Cos I can relax and enjoy it now!!

  5. Henry Wertz 1 Gold badge

    WebDAV?

    Excuse me, but why would anyone think it's safe to "double click" on a file on some unknown share of ANY type? Windows is particularly prone to executing code when it feels like it when a file is double clicked on, but even on my Gentoo or Ubuntu boxes, I wouldn't go to some random share and rely on GNOME or KDE to do the right thing when I just start randomly double clicking files on it.

    1. Doug Glass
      Go

      You're Kidding, Right?

      Why would anybody (you did say "anybody") double click on file? Maybe because 90%+ of Windows users are not geeks and simply do what they've seen done before. How about because it's just a computer. It's not important to them like maybe the launch codes for a nuclear tipped ICBM or their bank account balance even. Maybe you forgot, but the geeks of the world exist to make the toys of common users work. Maybe time and time again, but that's what the shops and departments are for: "make my computer work. I have to go ____________ so I'll be back in a couple of hours to pick it up."

    2. heyrick Silver badge

      @ Henry Wertz 1

      "Excuse me, but why would anyone think its safe to "double click" on a file on some unknown share of ANY type?"

      I can point you a fair few Windows users that would not only be unable to tell if a file was local or shared, but would not even understand the difference.

      The geek might inherit the earth, but right now there's a billion non-geeks in the picture. It's them we're trying to protect here.

  6. Stuart 14
    WTF?

    considering

    how many sites are compromised every day can somebody please tell me how the hell anybody is meant to know which ones to trust?

    Just stop with the bull and fix the bug.

    1. Anonymous Coward
      Pint

      Right

      Give us examples of publicly facing websites you regularly use which implement WebDAV. No?

      There you go then

    2. PeterI
      Grenade

      Well it's now an admin problem.

      This is about as much as Microsoft can do for the moment. If you install the fix and tell it to disallow running from the current working directory in all circumstances then it breaks Google Chrome (at least the per-user install I had).

      For Microsoft the problem is that this is a tricky one to get right. Disabling the run from WebDAV / file share approach might break 0.05% of apps out there, but that's a lot of upset customers. I've gone for the more nuclear disable running from the current working directory approach (which I'd guess could break 2-3% of apps depending on how they're installed).

      For now if I was an admin I'd push this out in disable webdav mode, see what breaks and add the registry entries to unpatch the apps that break while I waited for the app developers to generate fixes.

      All in all a nasty problem which has exploded and there are no easy fixes.
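The two mitigations discussed in this thread (the earlier comment's GUI steps for disabling the WebClient service, and PeterI's "disable webdav mode" first, then per-app exemptions) can be audited and applied from an elevated PowerShell prompt. This is an added example, not code from the article or any commenter; the registry value name and its meanings are from Microsoft's fix documentation as I recall it, and `contoso-app.exe` is a placeholder for whichever application the policy broke.

```powershell
# Added example, not from the page: audit and apply the CWD DLL-search
# mitigation plus the WebClient service change. Run as Administrator.
$sessMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ifeo    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$name    = 'CWDIllegalInDllSearch'   # DWORD introduced by the Microsoft fix

function Get-CwdDllPolicy {
    # Returns the system-wide value as an unsigned int, or $null if the fix
    # has never been applied. Registry DWORDs come back as Int32, so mask first.
    $v = Get-ItemProperty -Path $sessMgr -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $null }
    return [uint32]([int64]$v.$name -band 0xFFFFFFFF)
}

function Describe-CwdDllPolicy([uint32]$value) {
    # Meanings as documented for the fix (assumption: recalled, not on the page).
    switch ($value) {
        0xFFFFFFFF { 'CWD removed from the DLL search order entirely (PeterI''s "nuclear" mode)' }
        2          { 'CWD blocked only when it is a WebDAV folder ("disable webdav mode")' }
        1          { 'CWD blocked when it is any remote folder (WebDAV or UNC share)' }
        0          { 'default behaviour: libraries in the CWD are still loaded' }
        default    { "unrecognised value $value" }
    }
}

# 1. Report what is currently in effect before changing anything.
$cur = Get-CwdDllPolicy
if ($null -eq $cur) { 'No CWDIllegalInDllSearch value: fix tool not applied.' }
else                { Describe-CwdDllPolicy $cur }

# 2. Roll out the least disruptive mode first, as PeterI suggests:
#    block CWD DLL loads only when the CWD is a WebDAV location.
Set-ItemProperty -Path $sessMgr -Name $name -Value 2 -Type DWord

# 3. Per-application override for something the policy broke. A value of 0
#    under that executable's IFEO key restores the old behaviour for it alone
#    (assumption: per-app value overrides the global one). Placeholder name.
$appKey = Join-Path $ifeo 'contoso-app.exe'
New-Item -Path $appKey -Force | Out-Null
Set-ItemProperty -Path $appKey -Name $name -Value 0 -Type DWord

# 4. The earlier commenter's GUI steps, scripted: stop and disable WebClient.
Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
Set-Service  -Name WebClient -StartupType Disabled
Get-Service  -Name WebClient | Select-Object Name, Status, StartType
```

Keep a record of which executables receive a per-app override so they can be cleaned up once the vendor ships a fixed build.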

      1. Tom 13

        There are no easy fixes because they've baked this particular exploit into their OS

        since Windows 1.0. You're right they can't do a whole lot more to fix it now, but that doesn't get them off the hook for their previous bad behavior. Some of the first posting about this particular bug noted MS didn't even follow their own guidelines when writing software. I remember the days when you could only figure out how MS intended some new function to work after they released an app they developed that used the function and you saw how they called it.

        1. heyrick Silver badge

          @ Tom 13

          Windows 1.0 supported WebDAV? Wow!

          Seriously, while this might seem to be a problem now, there were actual solid reasons for it back in time, or have you all forgotten the DLL hell of the Win32 era? At least, in some cases, placing a known DLL in the application's folder meant it would be loaded in preference to whatever the hell managed to get itself installed into Windows, not to mention cases of similar-function same-name DLLs that are actually unrelated to each other.

          It is also useful for testing DLL code, just drop the DLL in a folder with a test frame app, and run it; install it into Windows when you're happy with it, though to be honest I don't much like how gigabytes of shit ends up in \Windows\System32...

          Surely, these days, it would be possible to specify that this run-from-folder-first behaviour ONLY applies to local storage? I run some software over the intranet, but its DLLs are already on my machine - it's "the usual set".

  7. Version 1.0 Silver badge
    Happy

    Clear as driven slush

    “We recommend users only double-click on file icons from WebDAV shares known to be trusted, safe, and not under the control of a malicious attacker,”

    Oh - that's all right then - I'll mention it to my mum.

  8. Tom 38
    WTF?

    Not much of a security hole is it?

    Run untrusted, unverified code from an unknown source and you might get pwned!

    Also, Pope is Catholic, Bears defecate in woodland. More at 11.

    1. Vic

      Yes, it is.

      You miss the point.

      You don't *have* to run code from a borked site to hit this one - just do anything that changes the current directory to a compromised one.

      The exploit isn't in the icon you click on, it's the fact that your OS loads libraries from the current directory - wherever that might physically reside - in preference to the known, trusted ones you've installed on your machine. So the icon you click doesn't even need to be executable; you just pick up compromised libraries for apps that are already running on your machine, and your machine is pwned.

  9. Anonymous Coward
    Anonymous Coward

    No shit Sherlock!

    “We recommend users only double-click on file icons from WebDAV shares known to be trusted, safe, and not under the control of a malicious attacker,”

    As opposed to what?

    “We recommend users randomly double-click on file icons from WebDAV shares NOT known to be trusted, safe, and that are under the control of a malicious attacker,”

    Sheesh. Who pays these people for their recommendations and where do I apply?

  10. Stuart 14
    Pint

    @ Anonymous Coward Re Considering

    "Give us examples of publicly facing websites you regularly use which implement WebDAV. No?

    There you go then"

    I use bugger all of them, but that wasn't the point of the post. It's already been shown that you're more likely to hit a compromised web site with innocent surfing habits (news, films etc.) than paying to go to the good old trusted pron sites. Most of these hacked sites will use some form of exploit vector that gives them the best chance at spreading their empire. Now I could have read this exploit wrong, but it seems a pretty sure-fire way for most non-techs to get hit, unless you're offering to be their system admin and set up all those lovely workarounds recommended by M$.

    So Gran hits her favourite new site (The Telegraph, bless her heart) and due to poor eyesight, the strong smell of wee and her total lack of any tech savvy is redirected to a page that says click here to download the news item (or lack of, being the Telegraph), oops.

    Your comment sort of reminds me of the Sony boss who said "why should people worry about a root kit, most people don't even know what one is."

  11. Anonymous Coward
    Anonymous Coward

    The Real Issue

    Not only a windows problem:

    http://threatpost.com/en_us/blogs/some-linux-distros-vulnerable-version-dll-hijacking-bug-082610

    Developers not correctly coding software is the real problem. The latest fix works so use it.

    http://seclists.org/fulldisclosure/2010/Sep/22
