Patch now: Design flaw in Windows security allows hackers to own corporate laptops, PCs

Another month, another Patch Tuesday, but this release has a special sting in the tail: a flaw in the fundamental design of Windows that's taken a year to correct, and is unfixable on Server 2003. The critical blunder allows miscreants to completely take over a domain-configured Windows system if it is connected to a malicious …


  1. Anonymous Coward
    Devil

    "unfixable on Server 2003."

    Wow... what a coincidence... since Server 2003 is (almost) EOL...

    1. Destroy All Monsters Silver badge

      Re: "unfixable on Server 2003."

      Design errors are like that.

    2. Sandtitz Silver badge

      Re: "unfixable on Server 2003."

      Same happened with NT4. Support ended in 2004 but the MS03-010 bug was found over a year earlier.

      "The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability."

    3. thames

      Re: "unfixable on Server 2003."

      Now you know why it took a year to (not) "fix". Some problems will go away by themselves if you study them long enough. Microsoft of course does have a solution, just buy the latest version.

      This "not-fix" is going to put a spoke in the arguments of the people whose plans involved not upgrading from 2003 for economic reasons. No doubt their friendly local Microsoft salesmen will cry crocodile tears over that.

      1. big_D Silver badge

        Re: "unfixable on Server 2003."

        Well, hopefully, you aren't lugging your Windows 2003 server around and plugging it into strange networks...

    4. Anonymous Coward
      Unhappy

      Re: "unfixable on Server 2003."

      It's not a bug, it's a feature.

      1. chivo243 Silver badge

        Re: "unfixable on Server 2003."

        "It's a hidden feature" fixed that one...

    5. Charlie Clark Silver badge

      Re: "unfixable on Server 2003."

      Can anyone spell class action? If the flaw has been known about for more than a year and Microsoft is unable to provide a fix for some customers, then they are within their legal rights in many jurisdictions to seek redress in the courts.

      1. Anonymous Coward
        Anonymous Coward

        Re: "unfixable on Server 2003."

        You think an unsupported EOL 12 year old OS is worthy of class action?

        1. Charlie Clark Silver badge

          Re: "unfixable on Server 2003."

          You think an unsupported EOL 12 year old OS is worthy of class action?

          Yes, because it's not EOL yet and not when the error was discovered.

          1. Sirius Lee

            Re: "unfixable on Server 2003."

            So upgrade, you tight tw**. Linux systems have to be updated every few months. 12 years seems to have been enough time to offer great value. How old is your car, your phone, tablet, gaming console?

            1. Sgt_Oddball

              Re: "unfixable on Server 2003."

              Urmm, my car's 12 years old and still got recalled to fix a critical issue (to do with the airbags, so quite an important one). But with software it is a different issue. Roads and driving don't change that much in 12 years. Software/hardware/networks/security has changed massively in that time.

      2. adnim

        @Charlie Re: "unfixable on Server 2003."

        Read the EULA, it absolves MS of any liability. It also states in weasel words that MS do not guarantee that their software will work in the way expected or indeed at all.

        MS have been crafting broken code since DOS. There is a reason no class action has been brought against MS for providing unfit for purpose software.... I refer you to the previously mentioned EULA.

        1. Anonymous Coward
          Anonymous Coward

          Re: @Charlie "unfixable on Server 2003."

          "MS have been crafting broken code since DOS."

          No more than most other OSs. In fact most other OSs have had more holes than current Windows versions over the last year (OS-X and the Linux kernel for instance).

          1. adnim
            Stop

            @AC Re: @Charlie "unfixable on Server 2003."

            Way to go... Defend MS by citing the failing of others.

            There should be a word for "defend a failure by citing a different failure"...

            Shillism?

            Excuse making?

            Issue avoidance?

            1. Japhy Ryder

              Re: @AC @Charlie "unfixable on Server 2003."

              Whataboutery

        2. Charlie Clark Silver badge

          Re: @Charlie "unfixable on Server 2003."

          Read the EULA, it absolves MS of any liability. It also states in weasel words that MS do not guarantee that their software will work in the way expected or indeed at all.

          The EULA is only what MS thinks matters and this can always be contested in a court. For example, the clickthrough EULAs have been declared void in Germany. As, indeed, have labels on packaging informing people that by opening the package they agree to be bound by the licence agreement contained within.

          IANAL but, based on other unlimited liability cases in the US, I reckon there's good grounds for a case.

          1. big_D Silver badge

            Re: @Charlie "unfixable on Server 2003."

            @Charlie I thought click through EULAs are okay here, as long as you are presented with them before you agree to purchase / use of a product or service?

            It is certainly true that any changes / additions (including any T&Cs inside the sealed package, which the purchaser cannot read) to the contract after initial purchase / agreement are null and void - which is part of Facebook's problem at the moment, they are trying to force all their changes onto their userbase, but in Germany that is illegal, they have to inform the users and they have to individually agree to the changes.

            1. Charlie Clark Silver badge

              Re: @Charlie "unfixable on Server 2003."

              @big_D: all clickthrough EULAs are unenforceable. It has to be informed consent and whether this has been given or not can be contested in court.

              1. big_D Silver badge

                Re: @Charlie "unfixable on Server 2003."

                Ah, you mean when installing a product on a PC? After you have downloaded it? Yes, there you are correct.

                I was thinking in terms of setting up an online account. My mistake, confused the term.

    6. Anonymous Coward
      Anonymous Coward

      Re: "unfixable on Server 2003."

      Microsoft TechNet comments: A word on CVD and fixing difficult problems:

      In many regards, this security ‘fix’ is more accurately described as completely new functionality in Windows. Adding something of this scale posed a unique challenge to security response. Software vulnerabilities are typically more narrowly constrained in both investigation and remediation – and most response is structured to address that scope. Among the benefits of Coordinated Vulnerability Disclosure (CVD) is it provides for greater flexibility and deeper collaboration with researchers to take the necessary time and perspective to deliver the most complete security solutions to customers. In this case we tackled a vulnerability that required a much greater scope in engineering to deliver a solution.

      Most vulnerabilities reported to the MSRC are bugs in a single component, which are investigated, understood, and fixed within industry accepted response times. Creating the new functionality of UNC Hardening, however, required an entirely new architecture which increased development time and necessitated extensive testing. Thanks to CVD, and the close collaboration with the passionate security researchers who reported the vulnerability, Microsoft had sufficient time to build the right fix for a complicated issue. If the security researchers were not willing to refrain from disclosure until our fix was ready, customers would have been put at risk.
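A defender-side check for the UNC Hardening the TechNet post mentions (an added example, not code from the article or from Microsoft): it reads the UNC Hardened Paths policy that MS15-011 introduced and reports whether SYSVOL and NETLOGON require mutual authentication and integrity. The registry key and the value syntax are assumed from Microsoft's published MS15-011 guidance, not from this page.

```powershell
# Added example, not from the article or from Microsoft. The registry location
# and value syntax are assumed from Microsoft's MS15-011 guidance (not quoted on
# the page). Run in an elevated PowerShell on a domain-joined client.
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$RequiredPaths = @('\\*\SYSVOL', '\\*\NETLOGON')

function Test-HardenedPathValue {
    # Policy data looks like "RequireMutualAuthentication=1, RequireIntegrity=1".
    # Both flags must be 1 for Group Policy downloads from that share to be protected.
    param([string]$Data)
    $flags = @{}
    foreach ($part in ($Data -split ',')) {
        $kv = $part.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $flags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    return ($flags['RequireMutualAuthentication'] -eq '1') -and
           ($flags['RequireIntegrity'] -eq '1')
}

function Get-UncHardeningStatus {
    # Emits one object per required path with the policy data found and a verdict.
    if (-not (Test-Path -Path $HardenedPathsKey)) {
        # No key at all: the patch may be installed, but without the policy
        # SYSVOL/NETLOGON access is still unhardened.
        foreach ($p in $RequiredPaths) {
            [pscustomobject]@{ Path = $p; Data = $null; Hardened = $false }
        }
        return
    }
    $regKey = Get-Item -Path $HardenedPathsKey
    foreach ($p in $RequiredPaths) {
        $data = $regKey.GetValue($p)   # value names contain backslashes; GetValue handles them
        [pscustomobject]@{
            Path     = $p
            Data     = $data
            Hardened = ($null -ne $data) -and (Test-HardenedPathValue -Data $data)
        }
    }
}

Get-UncHardeningStatus | Format-Table -AutoSize
```

A row with Hardened = False means the machine will still fetch policy from an unauthenticated share, which is the condition the patch was meant to close.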

  2. Destroy All Monsters Silver badge
    Trollface

    I see

    Is this why the SSH brute-forcing non-vulnerability on Linux was mentioned today? To provide some "fairness and balance"?

    1. Anonymous Coward
      Anonymous Coward

      Re: I see

      Well, with us bastards using ad blocking tools, they have to get their money from somewhere.

  3. colin79666

    Server 2003

    Less chance of taking your Server 2003 box to a cafe and hooking it up to a rouge WiFi access point. Assume this affects XP though and plenty of that still going about on roaming clients.

    1. James O'Shea

      Re: Server 2003

      A 'rouge' Wifi AP? Something special about French wireless APs, or about red wireless APs, or APs which are both red and French? Or are they just wearing makeup? Or, perhaps, the APs in question were set up by a certain bat from Sonic the Hedgehog?

      1. David 132 Silver badge
        Headmaster

        Re: Server 2003

        A 'rouge' Wifi AP?

        A typo that's far too common these days. Your too restrained - I tend to loose my temper when I see those, or assume there stupid.

        </snark>

        1. Anonymous Coward
          Headmaster

          Re: Server 2003

          Your too restrained - I tend to loose my temper when I see those, or assume there stupid.

          Please tell me that was on purpose.

          1. Omgwtfbbqtime

            Re: Server 2003

            Both of them.

            1. Anonymous Coward
              Anonymous Coward

              Re: Server 2003

              I sore free, wears my prise?

          2. Anonymous Coward
            Anonymous Coward

            Re: Server 2003

            Whoosh

        2. Tom 35
          Facepalm

          Re: Server 2003

          " assume there stupid"

          1. GrumpyMiddleAgedGuy

            Re: Server 2003

            "assume they're stupid"

        3. Haff
          Facepalm

          Re: Server 2003

          They are or They're

        4. Anonymous Coward
          Anonymous Coward

          Re: Server 2003

          > Your too restrained - I tend to loose my temper when I see those, or assume there stupid.

          Trolling is a art...

        5. regadpellagru

          Re: Server 2003

          "A typo that's far too common these days. Your too restrained - I tend to loose my temper when I see those, or assume there stupid."

          Yeah, happens also on videogames forums where all sorts of people ask tips on playing "rouge" instead of rogue.

        6. asiaseen

          Re: Server 2003

          Sod's law strikes again: their not there? you're not your? lose not loose?

      2. elDog

        Re: Server 2003

        Oh, come on, already. The IAOAM* has already deemed that rouge === rogue, in most cases. You can have rogue lips on a pig, and a rouge pirate (actually a rouge rouge.) However it is not ever acceptable to swap in a "rogue" when talking about moulins - just doesn't have that same melody.

        * International Association Of Allowed Misspellings

        1. veti Silver badge

          Re: Server 2003

          Are those the same bastards who are spreading the abomination that is "free reign"?

          1. Ben Liddicott

            Re: Server 2003

            And "shoe in" for "shoo in"..

    2. Anonymous Coward
      Anonymous Coward

      Re: Server 2003

      "This remote-code execution flaw affects all supported versions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1." So basically anything that displays the Windows logo when you start it, provided it's set up to join a Windows domain. XP is not on the list because it's not supported anymore.

      1. big_D Silver badge

        Re: Server 2003

        I thought Windows RT couldn't be added to a domain? At best it could use a new guest mode in Windows 2012 domains?

    3. DNTP

      rouge WiFi access

      I knew that hot little hotspot was trouble the minute she showed up on my network list. My brain said "no" but Windows had a mind of its own and connected anyway. She turned off network address translation and didn't ask me for a password - said she wanted it naturally, without protection - and that was when she took my heart and the admin rights. And that was also how I got this virus DAMMIT DON'T JUDGE ME IT WAS ONE TIME

    4. thames

      Re: Server 2003

      Thank goodness no-one would ever dream of connecting a Windows 2003 server to a network.

    5. Ken Hagan Gold badge

      Re: Server 2003

      If I understand it correctly (and posting here is the easiest way to find out), your internet cafe customer would have to be connecting to an SMB share that had been made available on the public internet (not via VPN). Furthermore, to let the attacker use fake group policy to take over your machine, you'd have to be logging into a domain via the public internet. If you are doing either, then I don't think you give a monkeys about security and you are probably already running a rootkit both on the client and the DC.

      It's an interesting case, but I think there's a reason why the design flaw went unnoticed for 25 years.

  4. Anonymous Coward
    Devil

    Thanks to heaven it was not found by Google...

    ... with its silly 90-day deadline for disclosure.

    1. Anonymous Coward
      Devil

      Re: Thanks to heaven it was not found by Google...

      Feel free to read http://blogs.technet.com/b/srd/archive/2015/02/10/ms15-011-amp-ms15-014-hardening-group-policy.aspx, you may learn a thing or two about what it took to fix the vulnerability and why a 90-day disclosure policy is silly and folly - and designed only to put competitors in a bad light even if it means putting many people at risk.

      Ah, of course Linux has no such issues - it has nothing anywhere near Active Directory out of the box...

      1. Anonymous Coward
        Anonymous Coward

        Re: Thanks to heaven it was not found by Google...

        of course Linux has no such issues

        Design flaws in Linux? I'm sure there are, but things as severe as this are quite rare, usually because it uses industry standard methodologies that have been tried and tested for the past 40 years, and everything is thrashed out in the open by multiple independent experts whose only motive is to have a working and robust system without unnecessary (sometimes hidden) complexities employed purely to keep the competition away and locked out. It may not be perfect and there are trade-offs, but it's not bad by design.

        1. Anonymous Coward
          Anonymous Coward

          Re: Thanks to heaven it was not found by Google...

          Pretty sure if you ran the latest kernel source in production you'd find plenty of faults.

          If you run enterprise Linux distros then they build and test everything for you. Which is an admission that there would be lots of breakage and faults otherwise.

        2. Anonymous Coward
          Anonymous Coward

          Re: Thanks to heaven it was not found by Google...

          Exactly. As long as you stay safe in a 45-year-old design made for a single computer used by a few tens of users, it's much easier. Just, you're almost useless in an actual large network with thousands of users/devices or more. That's another reason why Linux clients went nowhere - from a management point of view, they're just a hassle. Sure, third party technologies exist to make them somewhat better (Puppet... why the need of it?), still they're add-ons (which you may have to pay for anyway), lock you in anyway, and still are not integrated into the OS itself.

        3. Anonymous Coward
          Anonymous Coward

          Re: Thanks to heaven it was not found by Google...

          "It may not be perfect and there are trade-offs, but it's not bad by design."

          You must have missed the Linux network stack not being modular - so for instance NIC hardware acceleration requires kernel hacks. And SUDO. And having to tie your OS ACLs to your file system capabilities. And no constrained delegation. And things like SEL being a bolt on after thought. Having to parse flat text files that are randomly distributed everywhere for configs. etc. etc. etc.
