Critical flaw affects almost all Windows versions
In this issue
- TOP STORY: Critical flaw affects almost all Windows versions
- INSIDER TRICKS: More on Service Pack 4 for Windows 2000
- PATCH WATCH: More on the critical flaw affecting NT, XP, 2000, and 2003
- BEST FREEWARE: A new TweakUI from Microsoft
- INSIDER TRICKS: Windows Future Storage promises big changes
- WACKY WEB WEEK: Internet Explorer error message for WMD
Critical flaw affects almost all Windows versions
By Brian Livingston
Every time Microsoft releases “the most secure operating system ever,” the security flaws just keep on coming. Last week, Microsoft notified users that a hole rated “critical” (the most severe rating) affects not only Windows XP, 2000, and NT 4.0, but also its new, much-vaunted Windows Server 2003 product. Microsoft says Windows Me is not vulnerable, but it didn’t test Windows 9x, which the company no longer supports.
This problem is especially explosive because an attacker can run a rogue program by merely sending packets to a remote machine using any one of various ports. One of these, port 135, is commonly used to send pop-up messages across a network. This feature has been notably exploited in recent months by some spammers, who started sending irritating – but otherwise harmless – ads directly to desktops. Now such payloads threaten to escalate wildly.
Corporations ordinarily block such port access if it originates from outside the firewall. But a malicious person inside the firewall could use the flaw to gain complete control over certain systems. And, of course, not all vulnerable systems are effectively protected by firewalls.
This situation is so dire that I’ve included more information in the paid version of this week’s newsletter; but if you don’t get that version, you should just go directly to Microsoft bulletin MS03-026 and download patches for your affected PCs. (Microsoft revised this bulletin as recently as July 21, so you should re-visit the document if you originally read it before that date.)
I haven’t learned of any negative side-effects of installing the patches, and in any event they would pale in comparison to the threat of your vulnerable machines remaining unpatched. If unexpected gotchas do arise, I’ll alert you in a future Brian’s Buzz. To send me more information about this, or to send me a tip on any other subject, visit WindowsSecrets.com/contact.
More on Service Pack 4 for Windows 2000
In my July 10 issue of Brian’s Buzz, I reported that installing SP4 on Windows 2000 had various unexpected behaviors. My readers have added new findings of previously unknown quirks.
SP4 doesn’t install Java and bars it later. Reader Patrick Slattery explains:
- “One interesting new feature of SP4 is that on slipstreamed installs it will no longer install the Microsoft JVM [Java Virtual Machine] and will not allow the JVM to be installed afterwards. This is partially documented at Microsoft.com.
“On my new server installs that will run Java services that were written in J++, I have to build the system with a slipstreamed SP3 install, and then install SP4. That’s messy, to say the least.
“Microsoft are acting like spoiled brats in this Java spat. I for one am ready to spank them!”
SP4 hoses Autodesk VIZ files. The CAD company acknowledges that W2K SP4 wipes out the ability of Autodesk’s VIZ applications to open MAX and DRF files that are saved after the service pack is installed. The firm, however, has no fix as yet, except to recommend that SP4 be uninstalled. (But don’t do this until you read the next item, below.) Reader Mike Herman comments:
- “Service Pack 4 on Windows 2000 kills VIZ 4 deader than dead. Any files created by VIZ after W2K has been upgraded crash Windows Explorer as well as VIZ when VIZ tries to reopen them. This means that the new files cannot be deleted because they crash Explorer, and they cannot be reopened to do further work on them.”
Uninstalling W2K SP4 makes your scheduled tasks not run. If you try to solve the above problems by reversing the install of SP4, any specified tasks will simply fail to occur. A description of the problem and its workarounds are in FAQ 6901 at JSIinc.com:
- “When you install SP4, the credentials database is converted to a SP4-compatible format. When you uninstall SP4, the database is not re-converted to pre-SP4 format, causing housekeeping code, which starts 10 minutes after the Task Scheduler service starts, to remove the tasks’ credentials. To work around this behavior, re-enter each task’s credentials.”
More on the critical flaw affecting NT, XP, 2000, and 2003
My top story, above, concerns the dangerous new security hole that allows an attacker to gain control of remote systems by sending them packets on common communications ports. In this section, I provide additional information.
One of the best analyses of the threat comes from reader Kent England, who holds a Microsoft MVP (Most Valuable Professional) certificate. He minces no words about the importance of installing Microsoft’s latest patch:
- “This patch fixes a serious vulnerability in NetBIOS on port 135. A buffer overflow allows an attacker to send a specially formed packet to a Windows workstation on port 135 and execute code of his choice.
“As you recall, port 135 is how [Microsoft] Messenger pop-up advertisements get into computers that are attached to the Internet with their NetBIOS enabled on their Internet connection.
“Given all the people who complain on the Microsoft public newsgroups about Messenger pop-ups and the fact that so many do not use Windows Update, we have a serious crisis on our hands. It won’t be long before someone writes a new and very nasty Messenger pop-up that installs a Trojan or spyware on systems all across the Internet. Spyware already outranks viruses in complaint levels on these newsgroups. A malicious Trojan that sneaks in via UDP port 135 will wreak havoc on the Internet.
“Of course, if people would install Windows critical update 823980, available via windowsupdate.microsoft.com and via Automatic Update on XP, they won’t be vulnerable. But they should download and install a personal firewall to block all their NetBIOS ports for added safety.”
The actual flaw involves a DCOM (Distributed Component Object Model) interface to Windows’ RPC (Remote Procedure Call) protocol. As Microsoft dryly remarks in bulletin MS03-026, “Because RPC requests are on by default in all versions of Windows, this in essence means that any user who could establish a connection with an affected computer could attempt to exploit the vulnerability.”
In that bulletin, Microsoft describes several temporary kludges that can be used to reduce the vulnerability of specific machines:
- Block ports at your firewall. The ports that are the most affected are TCP/UDP 135, 139, and 445. But your company may have also made other RPC services or protocols accessible from the Internet. You should investigate this possibility.
- Enable a software firewall. Microsoft notes that use of the Internet Connection Firewall that’s provided with Windows XP and Server 2003 blocks RPC traffic from the Internet by default.
- Disable DCOM on the most vulnerable machines. You can remotely disable a machine’s Distributed COM service as a quick fix. This, of course, will prevent the remote machine from communicating in this way with other machines – and you won’t be able to remotely turn DCOM back on (you’ll have to physically go to the machine to re-configure the capability).
All of these are stopgap measures that do nothing to correct the underlying weakness. It’s essential for Windows administrators to read the latest bulletin (it was revised on July 21), familiarize themselves with the seven different downloads that apply to the various versions of Windows, and plan a rollout. Have a nice weekend.
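As an added illustration (not part of the original newsletter or of Microsoft's bulletin), the following Python script audits an ordered inbound rule list against the ports named in the first workaround, TCP/UDP 135, 139, and 445. The rule format, the first-match semantics, and both sample policies are assumptions constructed for the example.

```python
"""Audit an ordered, first-match inbound rule list for the ports named in
the firewall workaround (TCP/UDP 135, 139, 445).
The Rule format and both sample policies are constructed for illustration."""
from typing import NamedTuple

WORKAROUND_PORTS = (135, 139, 445)   # ports listed in the workaround above
PROTOCOLS = ("tcp", "udp")           # the workaround covers both protocols


class Rule(NamedTuple):
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    lo: int       # first destination port covered
    hi: int       # last destination port covered


def decide(rules, proto, port, default="deny"):
    """Return the action of the first rule that matches (proto, port)."""
    for r in rules:
        if r.proto in (proto, "any") and r.lo <= port <= r.hi:
            return r.action
    return default


def exposed(rules, default="deny"):
    """List the (proto, port) pairs from the workaround that are still admitted."""
    return [(p, n) for p in PROTOCOLS for n in WORKAROUND_PORTS
            if decide(rules, p, n, default) == "allow"]


# Constructed weak policy: the TCP ports are denied but UDP is forgotten,
# and an earlier broad allow shadows the later deny for TCP 445.
WEAK = [
    Rule("allow", "tcp", 80, 80),
    Rule("allow", "tcp", 400, 500),   # matches 445 before the deny below
    Rule("deny", "tcp", 135, 139),
    Rule("deny", "tcp", 445, 445),
    Rule("allow", "any", 0, 65535),   # permissive catch-all
]

# Corrected policy: deny both protocols first, ahead of any broader allow.
FIXED = [
    Rule("deny", "any", 135, 139),
    Rule("deny", "any", 445, 445),
] + WEAK

if __name__ == "__main__":
    print("weak policy still admits :", exposed(WEAK))
    print("fixed policy still admits:", exposed(FIXED))
```

The weak policy shows two common gaps: a deny written for TCP only, and a deny placed after a broader allow that already matched.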
Other significant new bulletins:
A new TweakUI from Microsoft
TweakUI, a configuration utility that’s gone through many versions over the years, has become one of the most popular downloads from Microsoft – even though the Redmond company always officially denies that the program is even supported.
Now a new version, TweakUI 2.10.0.0, has been released. It works only on Windows XP with Service Pack 1 and Windows Server 2003. But people with those configurations should definitely give it a look.
To download it, go to the Microsoft PowerToys page. The right-hand column contains the new TweakUI link, despite the fact that Microsoft carelessly states that this page was last updated as far back as “April 23, 2002.”
Don’t even try to install this version of TweakUI on Windows XP unless it has Service Pack 1. You’ll get an unintelligible error message.
Microsoft seems to have deleted the plain-XP version of TweakUI from the site. You can still get that version from the TweakUI for XP download page at WebAttack.com. They still have TweakUI for 98/NT/Me/2000, too.
The “Woody’s Windows Watch” newsletter has a longer review of the new TweakUI for XP SP1 in its July 24 issue. A handy overview of the older TweakUI and several other PowerToys is also in the April 29, 2002, issue of the now-discontinued “Windows XP Watch” newsletter.
The missing link: Feed Demon
I wrote last issue about a late-stage beta of an acclaimed new aggregator. This application brings together all the RSS (Really Simple Syndication) feeds that you select. I neglected to include a correct Web address, so here it is: Feed Demon
Windows Future Storage promises big changes
In the last of my Window Manager columns that appeared in the print version of InfoWorld on April 21, I described some major moves coming from Microsoft.
I opined that in its upcoming Windows 2005 product (code-named Longhorn), “Microsoft plans to introduce an object file system known as WinFS (Windows Future Storage). This data store will have full database functionality built on SQL Server enhancements code-named Yukon.”
Reader David Matthews doesn’t believe this will be the most benign development for all parties in the software industry:
- “I truly hope that nobody loses sight of where WinFS came from, or the business reason behind it. The primary reason for WinFS has little to do with technology and everything to do with economics.
“As you may remember, sometime in the past Oracle started claiming that the days of file servers were drawing to a close, because everyone should really be storing files inside Oracle database systems. Oracle clearly wanted a chunk of the file server market that Microsoft has. As we know, this was not a particularly successful marketing strategy.
“Microsoft decided to turn the tables. If Microsoft were to provide a high-performance database as a ‘free’ part of the server operating system, then few people would want to pay Oracle for a separate product to provide the database function. Microsoft would again leverage its monopoly in operating systems to completely trash the economics of an otherwise unrelated market. This is precisely the strategy that they used to turn the Web browser market into a non-market.
“Microsoft, a convicted monopolist, saw that its monopoly made huge profits, while the penalty for being a monopolist cost them relatively little. So now, they’re going to do it again, but on a much grander scale. Think about how much revenue went to database companies last year. That’s how much money Microsoft feels it can now divert into its own pockets by integrating a database system into the operating system.
“Will the United States Department of Justice have the courage to bring this to a stop? Highly doubtful, given the amount of money Microsoft is contributing to the Republican re-election campaigns in general, and George Bush’s campaign in particular. People used to joke about Microsoft being big enough to buy the U.S. Government. It’s not that funny anymore, now that it’s really happening.”
I welcome your comments and additions on this subject. Visit WindowsSecrets.com/contact.
Internet Explorer error message for WMD
You’ve probably seen IE’s famous “404” error message every time you’ve made a typo when entering a Web address. Now Anthony Cox, a British blogger, has created an error message for our times: “These Weapons of Mass Destruction Cannot Be Displayed.”
For anyone who has a sense of humor left, the text goes on and on like this, with hilarious effect. “The weapons you are looking for are currently unavailable. The country may be experiencing technical difficulties, or you may need to adjust your weapons inspectors’ mandate.” Republicans and Democrats alike will find something here to chuckle at. My thanks to reader Bob Bailin. More info
Correction: Iranian language is Farsi
In the Wacky Web Week for July 10, I linked to a spoof showing the face of bearded actor Sean Connery (in ayatollah garb) inserted onto the front of a proposed new currency for Iran. I said the inscription on the bill was in Arabic, but everyone knows the written language of Iran is Farsi. Silly me. The first reader to remind me of this was Brian Goodhart.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.
Copyright © 2025 AskWoody LLC, All rights reserved.
