[LUAU] MS to EOL Win98 and WinMe - July 11
Jim Thompson
jim at netgate.com
Thu Jul 6 21:53:47 PDT 2006
On Jul 5, 2006, at 11:37 PM, Eric Hattemer wrote:
> Jim Thompson wrote:
>>
>> I told him to not connect it to the Internet, because it would be
>> rooted in minutes.
>> http://www.realtechnews.com/posts/1511
>>
>> It's ugly out there...
>
> I haven't found a link to the original article or anything, but this
> sounds largely absurd. A statement like this requires many
> qualifications.
>
> First, Windows ME by some definitions can't be rooted, since it only has
> one user.
You're going to argue semantics?
> Second, any worms that might do any sort of automatic "rooting" almost
> certainly do NOT apply to the DOS-based versions of Windows. From
> sarc.com about the Blaster worm:
>
> *Systems Affected
> <http://securityresponse.symantec.com/avcenter/refa.html#systemsaffected>:*
> Windows 2000, Windows NT, Windows Server 2003, Windows XP
> *Systems Not Affected
> <http://securityresponse.symantec.com/avcenter/refa.html#systemsnotaffected>:*
> Linux, Macintosh, OS/2, UNIX, Windows 95, Windows 98, Windows Me
Right, so what about the WMF vulnerability? Granted, you have to
display an image (email attachment, web browser, etc), and this
requires "user involvement", but still, dude.. Microsoft has already
said that they wouldn't fix it.
http://securityresponse.symantec.com/avcenter/security/Content/18322.html
Running 98 or ME? Just click here:
http://www.dslreports.com/forum/remark,15188688#15188722
Or the Music worm (including all variants)?
Or last year's "cursor/icon format" issues that allow remote code
execution:
http://www.microsoft.com/technet/security/bulletin/ms05-002.mspx
(again, email attachments or web browsers are the typical avenues of
restriction).
Or the HTML converter function issue present in *ALL* versions of
Windows:
http://support.microsoft.com/default.aspx?scid=kb;en-us;823559
Or the ZIP file buffer over-run: (Win98 (with "Plus Pack"), ME and XP)
http://support.microsoft.com/default.aspx?scid=kb;[LN];Q329048
Or this: http://support.microsoft.com/kb/q274548/
Or this: http://www.microsoft.com/technet/security/bulletin/fq99-033.mspx
Or this: http://support.microsoft.com/kb/q238329/
Or this: http://support.microsoft.com/kb/q245729/
Or this: http://www.microsoft.com/technet/security/bulletin/MS06-015.mspx
Or this: http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx
To say nothing of anything containing an "ActiveX" component, or what
loading the wrong Sony music CD might do to your machine.
>
> This is true of most if not all non-self-inflicted and
> non-browser-related worms. If you can find me a worm capable of
> automatically infecting a Windows ME machine without user input, I will
> be extremely surprised. The best I've ever found is one that will
> propagate to shared drives on the network that have manually turned on
> read/write sharing on the root of the hard drive regardless of whether
> they set a password on the share. No sharing is enabled on Windows ME
> by default.
Or the five year old "UPNP" exploit. Granted, *Microsoft* didn't
ship with UPNP enabled in WinME, but some OEM
variants enable it (as well as the WinXP Internet Connection Sharing,
which is also vulnerable.) Once again, you can remotely exploit this
one (though no email/web browser is required...)
And though you can't run a remote exploit via this bug:
http://support.microsoft.com/kb/q275567/
Your 98/ME/NT4 computer won't stay on the net very long without the
patch. (There are many others like this.)
>
> If you turn on sharing to the root of your hard drive with read/write
> without ever going to windowsupdate.microsoft.com, then you do deserve
> what you get. Otherwise, a default install of Windows ME is relatively
> safe.
Unless you read email or use the web browser.
Can you really recommend this stance to a *home user*?
> Windows NT/2000/XP all were vulnerable to several classes of network
> worms because they had retarded default security settings with open
> ports for running services normal people would never need. All of these
> ports are firewalled by default in XP SP2, and almost all computers that
> have been built since August 2004 have SP2 built into the
> installation/restoral CD. Until a worm comes out that hacks the
> firewall itself (hasn't happened yet, but isn't impossible), all of
> these XP SP2 machines are safe by default, and can only be hacked via
> self-inflicted security holes (running randomly obtained exe files,
> turning off the firewall, etc).
Unless, of course, the OEM enables the ports. Or something like
"badpack3t" is modified to mount a remote exploit, rather than just
BSOD-ing XPSP2. badpack3t leverages the remote desktop assistant,
which is NOT firewalled in XP SP2's default firewall configuration.
And recommending "a hardware firewall" as a panacea is just... dumb.
Yep, I'll say "dumb". They have their place, but they won't protect
the casual home user against many (if not most) of the types of
attacks illustrated above.
And then there is the whole Finjan debacle. Care to open that can
of worms?
Jim