"unfixable on Server 2003."
Wow... what a coincidence... since Server 2003 is (almost) EOL...
Another month, another Patch Tuesday, but this release has a special sting in the tail: a flaw in the fundamental design of Windows that's taken a year to correct, and is unfixable on Server 2003. The critical blunder allows miscreants to completely take over a domain-configured Windows system if it is connected to a malicious …
Same happened with NT4. Support ended in 2004 but the MS03-010 bug was found over a year earlier.
Now you know why it took a year to (not) "fix". Some problems will go away by themselves if you study them long enough. Microsoft of course does have a solution, just buy the latest version.
This "not-fix" is going to put a spoke in the arguments of the people whose plans involved not upgrading from 2003 for economic reasons. No doubt their friendly local Microsoft salesmen will cry crocodile tears over that.
Urmm, my car's 12 years old and still got recalled to fix a critical issue (to do with the airbags, so quite an important one). But with software, though, it is a different issue. Roads and driving don't change that much in 12 years. Software/hardware/networks/security has changed massively in that time.
Read the EULA, it absolves MS of any liability. It also states in weasel words that MS do not guarantee that their software will work in the way expected or indeed at all.
MS have been crafting broken code since DOS. There is a reason no class action has been brought against MS for providing unfit-for-purpose software... I refer you to the previously mentioned EULA.
Read the EULA, it absolves MS of any liability. It also states in weasel words that MS do not guarantee that their software will work in the way expected or indeed at all.
The EULA is only what MS thinks matters and this can always be contested in a court. For example, the clickthrough EULAs have been declared void in Germany. As, indeed, have labels on packaging informing people that by opening the package they agree to be bound by the licence agreement contained within.
IANAL but, based on other unlimited liability cases in the US, I reckon there's good grounds for a case.
@Charlie I thought click through EULAs are okay here, as long as you are presented with them before you agree to purchase / use of a product or service?
It is certainly true that any changes / additions (including any T&Cs inside the sealed package, which the purchaser cannot read) to the contract after initial purchase / agreement are null and void - which is part of Facebook's problem at the moment: they are trying to force all their changes onto their userbase, but in Germany that is illegal; they have to inform the users, and the users have to individually agree to the changes.
Microsoft TechNet comments: A word on CVD and fixing difficult problems:
In many regards, this security ‘fix’ is more accurately described as completely new functionality in Windows. Adding something of this scale posed a unique challenge to security response. Software vulnerabilities are typically more narrowly constrained in both investigation and remediation – and most response is structured to address that scope. Among the benefits of Coordinated Vulnerability Disclosure (CVD) is it provides for greater flexibility and deeper collaboration with researchers to take the necessary time and perspective to deliver the most complete security solutions to customers. In this case we tackled a vulnerability that required a much greater scope in engineering to deliver a solution.
Most vulnerabilities reported to the MSRC are bugs in a single component, which are investigated, understood, and fixed within industry accepted response times. Creating the new functionality of UNC Hardening, however, required an entirely new architecture which increased development time and necessitated extensive testing. Thanks to CVD, and the close collaboration with the passionate security researchers who reported the vulnerability, Microsoft had sufficient time to build the right fix for a complicated issue. If the security researchers were not willing to refrain from disclosure until our fix was ready, customers would have been put at risk.
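An added check, my example rather than code from the page, Microsoft or the linked blog, for the UNC Hardening the quoted text refers to: it reads the hardened-paths policy key that the MS15-011 guidance documents (the registry key path, the value names and the "Name=Value, Name=Value" setting format are assumptions taken from that guidance, not from this page) and reports whether mutual authentication and integrity are required for the SYSVOL and NETLOGON shares that Group Policy is fetched from.

```powershell
# Added example (not from the page or Microsoft): audit whether MS15-011 UNC hardening
# is configured on this host. Assumes the policy registry key documented for MS15-011:
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths
# where each value name is a UNC path pattern and the data lists the required
# protections, e.g. "RequireMutualAuthentication=1, RequireIntegrity=1".
$hardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
# Shares Group Policy pulls from domain controllers; these are the ones that matter most.
$expectedPaths = @('\\*\SYSVOL', '\\*\NETLOGON')

function Get-HardenedUncPathStatus {
    if (-not (Test-Path $hardenedPathsKey)) {
        Write-Warning "HardenedPaths key absent: UNC hardening policy is not configured on this host."
        return @()
    }
    $item = Get-ItemProperty -Path $hardenedPathsKey
    foreach ($path in $expectedPaths) {
        $data = $item.PSObject.Properties[$path].Value
        if (-not $data) {
            # No entry for this share pattern: the client will still accept an unauthenticated
            # or tampered connection when fetching policy from it.
            [pscustomobject]@{ Path = $path; MutualAuth = $false; Integrity = $false; Configured = $false }
            continue
        }
        # Parse "Name=Value, Name=Value" into a hashtable of individual requirements.
        $settings = @{}
        foreach ($pair in ($data -split ',')) {
            $kv = $pair.Trim() -split '=', 2
            if ($kv.Count -eq 2) { $settings[$kv[0].Trim()] = $kv[1].Trim() }
        }
        [pscustomobject]@{
            Path       = $path
            MutualAuth = ($settings['RequireMutualAuthentication'] -eq '1')
            Integrity  = ($settings['RequireIntegrity'] -eq '1')
            Configured = $true
        }
    }
}

# Any row with MutualAuth or Integrity set to False is a host still exposed to the
# spoofed-share scenario the patch was built to close.
Get-HardenedUncPathStatus | Format-Table -AutoSize
```

The check only reads the policy the GPO writes locally; it says nothing about whether the update itself is installed, so pair it with your normal patch-compliance reporting.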
Oh, come on, already. The IAOAM* has already deemed that rouge === rogue, in most cases. You can have rogue lips on a pig, and a rouge pirate (actually a rouge rouge.) However it is not ever acceptable to swap in a "rogue" when talking about moulins - just doesn't have that same melody.
* International Association Of Allowed Misspellings
"This remote-code execution flaw affects all supported versions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1." So basically anything that displays the Windows logo when you start it, provided it's set up to join a Windows domain. XP is not on the list because it's not supported anymore.
I knew that hot little hotspot was trouble the minute she showed up on my network list. My brain said "no" but Windows had a mind of its own and connected anyway. She turned off network address translation and didn't ask me for a password - said she wanted it naturally, without protection - and that was when she took my heart and the admin rights. And that was also how I got this virus DAMMIT DON'T JUDGE ME IT WAS ONE TIME
If I understand it correctly (and posting here is the easiest way to find out), your internet cafe customer would have to be connecting to an SMB share that had been made available on the public internet (not via VPN). Furthermore, to let the attacker use fake group policy to take over your machine, you'd have to be logging into a domain via the public internet. If you are doing either, then I don't think you give a monkeys about security and you are probably already running a rootkit both on the client and the DC.
It's an interesting case, but I think there's a reason why the design flaw went unnoticed for 25 years.
Feel free to read http://blogs.technet.com/b/srd/archive/2015/02/10/ms15-011-amp-ms15-014-hardening-group-policy.aspx; you may learn a thing or two about what it took to fix the vulnerability and why a 90-day disclosure policy is silly and folly - and designed only to put competitors in a bad light even if it means putting many people at risk.
Ah, of course Linux has no such issues - it has nothing anywhere near Active Directory out of the box...
of course Linux has no such issues
Design flaws in Linux? I'm sure there are, but things as severe as this are quite rare, usually because it uses industry standard methodologies that have been tried and tested for the past 40 years, and everything is thrashed out in the open by multiple independent experts whose only motive is to have a working and robust system without unnecessary (sometimes hidden) complexities employed purely to keep the competition away and locked out. It may not be perfect and there are trade-offs, but it's not bad by design.
Pretty sure if you ran the latest kernel source in production you'd find plenty of faults.
If you run enterprise Linux distros then they build and test everything for you. Which is an admission that there would be lots of breakage and faults otherwise.
Exactly. As long as you stay safe in a 45-year-old design made for a single computer used by a few tens of users, it's much easier. Just, you're almost useless in an actual large network with thousands of users/devices or more. That's another reason why Linux clients went nowhere - from a management point of view, they're just a hassle. Sure, third-party technologies exist to make them somewhat better (Puppet... why the need for it?), still they are add-ons (which you may have to pay for anyway), lock you in anyway, and still are not integrated into the OS itself.
"It may not be perfect and there are trade-offs, but it's not bad by design."
You must have missed the Linux network stack not being modular - so for instance NIC hardware acceleration requires kernel hacks. And SUDO. And having to tie your OS ACLs to your file system capabilities. And no constrained delegation. And things like SEL being a bolt on after thought. Having to parse flat text files that are randomly distributed everywhere for configs. etc. etc. etc.