[LUAU] MS to EOL Win98 and WinMe - July 11

Eric Hattemer hattenator at imapmail.org
Fri Jul 7 03:06:36 PDT 2006


Jim Thompson wrote:
>
>> First, Windows ME by some definitions can't be rooted, since it only has
>> one user.
>
> You're going to argue semantics?
This was mostly a pun, not a structured debate. 
>>
>> *Systems Not Affected
>>     Linux, Macintosh, OS/2, UNIX, Windows 95, Windows 98, Windows Me
>
> Right, so what about the WMF vulnerability?  Granted, you have to
> display an image (email attachment, web browser, etc), and this
> requires "user involvement", but still, dude.. Microsoft has already
> said that they wouldn't fix it.
I'm not too surprised they aren't working hard to fix a relatively
recently discovered bug in an OS they are EOLing next week, and hoped
would go away for years.  I'm not really sure where you get the idea
that they refuse to patch it, though, since on June 13, they were saying
that the patch is available via windows update
http://www.microsoft.com/technet/security/Bulletin/MS06-026.mspx .  I
don't have a DOS based system to try windows update on, nor can I read
Slovakian, Slovenian, nor Thai, but I'm pretty sure they're not making
all of this up.  But if you spend the first 12 minutes of your Windows
ME computer going to windowsupdate.microsoft.com rather than looking at
hacked WMF pictures, this probably shouldn't affect you.
>
>
> Or the Music worm (including all variants)?
>
> Or last year's "cursor/icon format" issues that allow remote code
> execution:
> http://www.microsoft.com/technet/security/bulletin/ms05-002.mspx
>
> (again, email attachments or web browsers are the typical avenues of
> restriction).
>
> Or the HTML converter function issue present in *ALL* versions of
> Windows:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;823559
>
> Or the ZIP file buffer over-run: (Win98 (with "Plus Pack"), ME and XP)
> http://support.microsoft.com/default.aspx?scid=kb;[LN];Q329048
>
> Or this: http://support.microsoft.com/kb/q274548/
>
> Or this: http://www.microsoft.com/technet/security/bulletin/fq99-033.mspx
>
> Or this: http://support.microsoft.com/kb/q238329/
>
> Or this: http://support.microsoft.com/kb/q245729/
>
> Or this: http://www.microsoft.com/technet/security/bulletin/MS06-015.mspx
>
> Or this: http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx

I'm still looking for a link that doesn't involve Internet Explorer,
telnet, or hyperterminal.  None of these have anything to do with the
Operating System except that they come with the Operating System, and
they probably have unhealthy ties to some of the low level OS code that
they shouldn't.  The article seemed to be talking about Windows machines
automatically being hacked 12 minutes after being connected to the
internet, so I don't think using hyperterminal to go to an untrustable
telnet host is terribly relevant.  Since most of these KB articles come
with security patches, they aren't too relevant unless they help you get
hacked while doing nothing on the Internet or going on your way to
windowsupdate.

>
> To say nothing of anything containing an "ActiveX" component, or what
> loading the wrong Sony music CD might do to your machine.
>
I'll admit that the Sony thing is bad, but that basically has more to do
with Sony than Microsoft.  This has a lot more to do with privilege
isolation than anything else.  Autorun makes installing programs more
straightforward, but puts a lot of trust in the CD's content.  The DOS
based versions of windows didn't really have a good sense of multiple
users or any sort of privilege isolation.  That was a mistake, and it
does seem silly in retrospect, when looking at OSX and Vista and how
even as administrator you need to run a graphical version of sudo before
your program is able to change system stuff.  This would make people
wonder when their "audio" CD wants to replace critical Windows system
files.  But again, this has nothing to do with networks. 
>>
>
> Or the five year old "UPNP" exploit.  Granted, *Microsoft* didn't ship
> with UPNP enabled in WinME, but some OEM
> variants enable it (as well as the WinXP Internet Connection Sharing,
> which is also vulnerable.)  Once again, you can remotely exploit this
> one (though no email/web browser is required...)
This is the one that I had forgotten about.  You're probably right that
there are some people with Windows ME machines with their default
configurations that are vulnerable to worms that exploit this.  If we
cross off the rest of your examples as irrelevant to disproving what I
was saying, this one still stands as likely proof that some
configurations of one of the three DOS based OSes is vulnerable to attack
just by plugging it into a network.  I'm still not clear on whether IP
based NOTIFY commands would get routed across multiple subnets, though. 
If someone knows for sure, I'd like to know. 
>
> And though you can't run a remote exploit via this bug:
> http://support.microsoft.com/kb/q275567/
>
> Your 98/ME/NT4 computer won't stay on the net very long without the
> patch.  (There are many others like this.)
I wish I had statistics on how many home users are randomly targeted for
DOS attacks that don't help to spread any worm or accomplish any goal
other than locking up their computer, but I don't.  You could therefore
be correct on this, but I think it's a little unlikely.
>
>>
>> If you turn on sharing to the root of your hard drive with read/write
>> without ever going to windowsupdate.microsoft.com , then you do deserve
>> what you get.  Otherwise, a default install of windows ME is relatively
>> safe.
>
> Unless you read email or use the web browser.
>
> Can you really recommend this stance to a *home user*?

I've been inline up to here, but I'll discuss this at the bottom (if I
remember). 
>
>> Windows NT/2000/XP all were vulnerable to several classes of network
>> worms because they had retarded default security settings with open
>> ports for running services normal people would never need.  All of these
>> ports are firewalled by default in XP SP2, and almost all computers that
>> have been built since August 2004 have SP2 built into the
>> installation/restoral CD.  Until a worm comes out that hacks the
>> firewall itself (hasn't happened yet, but isn't impossible), all of
>> these XP SP2 machines are safe by default, and can only be hacked via
>> self-inflicted security holes (running randomly obtained exe files,
>> turning off the firewall, etc).
>
> Unless, of course the OEM enables the ports.   Or something like
> "badpack3t" is modified to mount a remote exploit, rather than just
> BSOD-ing XPSP2.   badpack3t leverages the remote desktop assistant,
> which is NOT firewalled in XP SP2's default firewall configuration.
>
The OEM could enable some of the ports on the firewall for some of the
exploited services, but blocking these services is the whole point of
the firewall in the first place, so I think this configuration would be
uncommon. 

Saying that remote desktop is not firewalled is an odd statement. 
Remote Desktop is not ENABLED on most default configurations, except
Windows MCE.  If a user chooses to enable it, Windows will open the
firewall for it (otherwise what was the point in enabling it).  Yes, you
can probably find custom configurations that enable RDC, including MCE. 
But hopefully people don't get hacked before they can get the patch
http://www.microsoft.com/technet/security/bulletin/MS05-041.mspx . 
Plastered all over the badpack3t comments, news sites, and Microsoft's
website are indications that this is DOS only and cannot be turned into
an exploit anyway, though. 
> And recommending "a hardware firewall" as a panacea is just... dumb. 
> Yep, I'll say "dumb".  They have their place, but they won't protect
> the casual home user against many (if not most) of the types of
> attacks illustrated above.
I'll agree with this paragraph as stated.  However, it will protect
against any of the UPNP worms, which was really the only example you
had that was relevant to the 12-minutes deal. 
>
> And then there is the whole Finjan debacle.   Care to open that can of
> worms?
I guess I don't follow the sector news well enough to know what debacle
you're speaking of.  I found some information on some Finjan stuff that
seemed harmful for UNIX or something, but I got tired of looking and
gave up. 


Anyway, basically, we're arguing two separate things.  You are arguing
that there are many unsafe things you can do on a Windows ME machine.  I
don't doubt this for a minute.  I am arguing that if you plug a Windows
ME machine into an internet jack, you're not going to instantly get
hacked. 

There's a lot I could say about security practices.  I'm not sure I have
anything new or truly insightful to say on the subject.  I am generally
disappointed by the public's ability to use a computer safely.  I've
used Windows 95/98/2000/XP regularly on computers I've been in control
of.  I've never had a virus since I brought home a floppy virus in
elementary school.  I've never had any spyware besides "tracker
cookies", which frankly I don't care about.  Yet the public seems to
consider viruses and spyware as "inevitable" and the fault of Microsoft,
etc.  I know I'm not average, but I'm also no super genius (I had to
look up the word "panacea").  But I think I prove that you can
successfully run Windows without getting rooted every day.

I basically think that if you take a brand new install of any version of
Windows, put it alone behind a hardware firewall, go to
windowsupdate.microsoft.com to pick up all of the updates, then remove
the hardware firewall (if you want), you won't have problems unless you
run random executable files you find on the internet.  Of course it's a
good idea to run any browser but IE, too, but depending on whether there
are exploits for a fully patched version of IE and whether you go to
strange websites that try to hack your computer, this might not be such
a big issue.  You'll also want to go to windowsupdate maybe once a week
or turn on automatic updates. 

You might think that last paragraph sounds extreme, but I would
recommend the same thing of any OS.  Be careful of what you do before
you get your OS patches, then make sure that your OS patches stay up to
date.  However, yes, it would be nice if you didn't need the
hardware/software/SP2 firewall because there weren't any open ports to
begin with.  I have read that Vista will ship with no open ports, but
considering how often they change fundamental things in between betas,
who knows whether they'll botch something simple like that or not. 

I firmly believe that if you turn on any network server-like services,
you take responsibility for understanding what they do and certify that
you have the newest, safest version of the service.  If you don't, then
you deserve what you get.  I've seen OSX machines become raging messed
up hacked open mail relays because some fool ran through the Sharing
Preferences and checked all the checkboxes without knowing what any of
them do (turns on samba, ssh, apache, sendmail and several others with
default settings). 

-Eric Hattemer
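The open question in the thread about whether UPnP NOTIFY messages reach a host from beyond its own subnet can be narrowed from the receiving side: SSDP NOTIFY is defined as a multicast announcement to 239.255.255.250 on UDP port 1900, so a monitor can record whether a given NOTIFY actually arrived that way, from a peer on the local subnet, with a LOCATION header that points back at the sender. The following is an added example, not code from the original thread or from either participant; the local subnet, the sample messages and the flag names are constructed assumptions.

```python
"""Classify SSDP NOTIFY messages seen by a local-network monitor.

Added example (not part of the original mailing-list thread).
Assumptions, labelled: the local subnet, the sample messages and the
flag names below are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

SSDP_GROUP = ipaddress.ip_address("239.255.255.250")  # standard SSDP IPv4 multicast group
SSDP_PORT = 1900                                       # standard SSDP UDP port


def parse_notify(raw: str):
    """Return the header dict of an SSDP NOTIFY, or None if the text is not one."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if lines[0].strip() != "NOTIFY * HTTP/1.1":
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines without a colon
            headers[name.strip().upper()] = value.strip()
    return headers


def assess_notify(src_ip: str, dst_ip: str, dst_port: int, raw: str, local_subnet: str):
    """Flag a NOTIFY whose delivery path differs from the normal multicast one.

    Returns None for non-NOTIFY traffic, otherwise a dict with the NT/NTS
    headers and a list of constructed flag names.
    """
    headers = parse_notify(raw)
    if headers is None:
        return None

    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    net = ipaddress.ip_network(local_subnet)
    flags = []

    # A NOTIFY that did not arrive on the SSDP group/port came by some
    # other route (unicast, a different group) and deserves a look.
    if dst != SSDP_GROUP or dst_port != SSDP_PORT:
        flags.append("non-standard-destination")

    # Announcements are expected from peers on the same link.
    if src not in net:
        flags.append("source-outside-subnet")

    # LOCATION should point back at the announcing device itself.
    location = headers.get("LOCATION")
    if location is None:
        flags.append("missing-location")
    else:
        host = urlsplit(location).hostname
        try:
            if host is None or ipaddress.ip_address(host) != src:
                flags.append("location-host-mismatch")
        except ValueError:  # a hostname rather than a literal IP
            flags.append("location-host-not-ip")

    return {"nt": headers.get("NT"), "nts": headers.get("NTS"), "flags": flags}


# Constructed sample traffic: (source IP, destination IP, destination port, datagram text).
SAMPLES = [
    # 1. Ordinary announcement from a local device to the SSDP group.
    ("192.168.1.20", "239.255.255.250", 1900,
     "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNT: upnp:rootdevice\r\n"
     "NTS: ssdp:alive\r\nLOCATION: http://192.168.1.20:80/desc.xml\r\n\r\n"),
    # 2. NOTIFY delivered unicast from an address outside the local subnet.
    ("10.9.8.7", "192.168.1.5", 1900,
     "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNT: upnp:rootdevice\r\n"
     "NTS: ssdp:alive\r\nLOCATION: http://10.9.8.7/desc.xml\r\n\r\n"),
    # 3. Not a NOTIFY at all (a search request), so it is ignored.
    ("192.168.1.30", "239.255.255.250", 1900,
     "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\n\r\n"),
]


def run_samples(local_subnet: str = "192.168.1.0/24"):
    """Assess every constructed sample against the assumed local subnet."""
    return [assess_notify(s, d, p, raw, local_subnet) for s, d, p, raw in SAMPLES]


if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict)
```

The point of the flags is observational, not preventive: a host that only ever sees NOTIFYs on the multicast group from same-subnet peers has evidence that its announcements are link-scoped in practice, while "source-outside-subnet" or "non-standard-destination" entries show that something forwarded or unicast the traffic, which is exactly the case the thread was unsure about.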
