[LUAU] MS to EOL Win98 and WinMe - July 11

Jim Thompson jim at netgate.com
Fri Jul 7 04:49:25 PDT 2006


On Jul 7, 2006, at 12:06 AM, Eric Hattemer wrote:

> Jim Thompson wrote:
>>
>>> First, Windows ME by some definitions can't be rooted, since it only has
>>> one user.
>>
>> You're going to argue semantics?
> This was mostly a pun, not a structured debate.
>>>
>>> *Systems Not Affected
>>>     Linux, Macintosh, OS/2, UNIX, Windows 95, Windows 98, Windows Me
>>
>> Right, so what about the WMF vulnerability?  Granted, you have to
>> display an image (email attachment, web browser, etc), and this
>> requires "user involvement", but still, dude.. Microsoft has already
>> said that they wouldn't fix it.
> I'm not too surprised they aren't working hard to fix a relatively
> recently discovered bug in an OS they are EOLing next week, and hoped
> would go away for years.  I'm not really sure where you get the idea
> that they refuse to patch it, though, since on June 13, they were saying
> that the patch is available via windows update
> http://www.microsoft.com/technet/security/Bulletin/MS06-026.mspx .  I
> don't have a DOS based system to try windows update on, nor can I read
> Slovakian, Slovenian, nor Thai, but I'm pretty sure they're not making
> all of this up.

OK, you found a more recent page.  I'd checked
http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx
Check the FAQ section on that page where it says that Win98SE and WinME
aren't going to be patched because there is no exploitation vector.

So first MSFT claimed (this past January) that they wouldn't fix it for
Win98/WinME because it wasn't critical (no infection vector identified)
until, apparently, someone proved that there was a new bug, and presto,
in June it was fixed.  Yet CSCIC (NY State) issued an advisory on Jan 09,
2006 about this (on Win98/WinME!).  MSFT's original response was "It's
DoS only, no exploit."

Yet apparently there is an exploit, because Microsoft fixed it.

So between January (when the example code was released) and June, you
were *screwed* if you were running Win98/WinME.


That's Microsoft for ya!

> But if you spend the first 12 minutes of your Windows
> ME computer going to windowsupdate.microsoft.com rather than looking at
> hacked WMF pictures, this probably shouldn't affect you.
>>
>>
>> Or the Music worm (including all variants)?
>>
>> Or last year's "cursor/icon format" issues that allow remote code
>> execution:
>> http://www.microsoft.com/technet/security/bulletin/ms05-002.mspx
>>
>> (again, email attachments or web browsers are the typical avenues of
>> restriction).
>>
>> Or the HTML converter function issue present in *ALL* versions of
>> Windows:
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;823559
>>
>> Or the ZIP file buffer over-run: (Win98 (with "Plus Pack"), ME and XP)
>> http://support.microsoft.com/default.aspx?scid=kb;[LN];Q329048
>>
>> Or this: http://support.microsoft.com/kb/q274548/
>>
>> Or this: http://www.microsoft.com/technet/security/bulletin/fq99-033.mspx
>>
>> Or this: http://support.microsoft.com/kb/q238329/
>>
>> Or this: http://support.microsoft.com/kb/q245729/
>>
>> Or this: http://www.microsoft.com/technet/security/bulletin/MS06-015.mspx
>>
>> Or this: http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx
>
> I'm still looking for a link that doesn't involve Internet Explorer,
> telnet, or hyperterminal.  None of these have anything to do with the
> Operating System except that they come with the Operating System, and
> they probably have unhealthy ties to some of the low level OS code that
> they shouldn't.

Microsoft would have you believe that it's "all the operating system".
Yes, I know what you're saying.
(Most of them can be exploited via a mail reader (esp "Outlook Express"), too.)

> The article seemed to be talking about Windows machines
> automatically being hacked 12 minutes after being connected to the
> internet, so I don't think using hyperterminal to go to an untrustable
> telnet host is terribly relevant.

Note that the (telnet) URL could appear to be something else.  (A phishing
scam, a link to ebay for an item you've 'won', etc.)

Here's the Register article that claims "20 minutes to infect" (WinXP).
http://www.theregister.com/2004/08/19/infected_in20_minutes/
http://www.securityfocus.com/columnists/262
http://isc.sans.org/survivalhistory.php

Check out that last graphic.  The one labeled "Last Year Monthly Averages".
http://isc.sans.org/ossurvivalgraph.php?scale=lin&months=12&update=Y

Here it is in log scale: http://isc.sans.org/ossurvivalgraph.php?scale=log&months=12&update=Y

> Since most of these KB articles come
> with security patches, they aren't too relevant unless they help you get
> hacked while doing nothing on the Internet or going on your way to
> windowsupdate.

Except that most of them don't have patches available for Win98 or WinME.

>> To say nothing of anything containing an "ActiveX" component, or what
>> loading the wrong Sony music CD might do to your machine.
>>
> I'll admit that the Sony thing is bad, but that basically has more to do
> with Sony than Microsoft.  This has a lot more to do with privilege
> isolation than anything else.  Autorun makes installing programs more
> straightforward, but puts a lot of trust in the CD's content.  The DOS
> based versions of windows didn't really have a good sense of multiple
> users or any sort of privilege isolation.  That was a mistake, and it
> does seem silly in retrospect, when looking at OSX and Vista and how
> even as administrator you need to run a graphical version of sudo before
> your program is able to change system stuff.  This would make people
> wonder when their "audio" CD wants to replace critical Windows system
> files.  But again, this has nothing to do with networks.

Please don't forget that to the average home computer user, it's all the
same.  Microsoft went to great lengths to "prove" that IE was "part of
Windows", remember?

And why would they have any reason to distrust a Ricky Martin CD?
http://www.eff.org/deeplinks/archives/004144.php

>>>
>>
>> Or the five year old "UPNP" exploit.  Granted, *Microsoft* didn't ship
>> with UPNP enabled in WinME, but some OEM
>> variants enable it (as well as the WinXP Internet Connection Sharing,
>> which is also vulnerable.)  Once again, you can remotely exploit this
>> one (though no email/web browser is required...)
> This is the one that I had forgotten about.  You're probably right that
> there are some people with Windows ME machines with their default
> configurations that are vulnerable to worms that exploit this.  If we
> cross off the rest of your examples as irrelevant to disproving what I
> was saying, this one still stands as likely proof that some
> configurations of one of the three DOS based OSes is vulnerable to attack
> just by plugging it into a network.  I'm still not clear on whether IP
> based NOTIFY commands would get routed across multiple subnets, though.
> If someone knows for sure, I'd like to know.
>>
>> And though you can't run a remote exploit via this bug:
>> http://support.microsoft.com/kb/q275567/
>>
>> Your 98/ME/NT4 computer won't stay on the net very long without the
>> patch.  (There are many others like this.)
> I wish I had statistics on how many home users are randomly targeted for
> DOS attacks that don't help to spread any worm or accomplish any goal
> other than locking up their computer, but I don't.  You could therefore
> be correct on this, but I think it's a little unlikely.
>>
>>>
>>> If you turn on sharing to the root of your hard drive with read/write
>>> without ever going to windowsupdate.microsoft.com , then you do deserve
>>> what you get.  Otherwise, a default install of windows ME is relatively
>>> safe.
>>
>> Unless you read email or use the web browser.
>>
>> Can you really recommend this stance to a *home user*?
>
> I've been inline up to here, but I'll discuss this at the bottom (if I
> remember).
>>
>>> Windows NT/2000/XP all were vulnerable to several classes of network
>>> worms because they had retarded default security settings with open
>>> ports for running services normal people would never need.  All of these
>>> ports are firewalled by default in XP SP2, and almost all computers that
>>> have been built since August 2004 have SP2 built into the
>>> installation/restoral CD.  Until a worm comes out that hacks the
>>> firewall itself (hasn't happened yet, but isn't impossible), all of
>>> these XP SP2 machines are safe by default, and can only be hacked via
>>> self-inflicted security holes (running randomly obtained exe files,
>>> turning off the firewall, etc).
>>
>> Unless, of course the OEM enables the ports.   Or something like
>> "badpack3t" is modified to mount a remote exploit, rather than just
>> BSOD-ing XPSP2.   badpack3t leverages the remote desktop assistant,
>> which is NOT firewalled in XP SP2's default firewall configuration.
>>
> The OEM could enable some of the ports on the firewall for some of the
> exploited services, but blocking these services is the whole point of
> the firewall in the first place, so I think this configuration would be
> uncommon.
>
> Saying that remote desktop is not firewalled is an odd statement.
> Remote Desktop is not ENABLED on most default configurations, except
> Windows MCE.  If a user chooses to enable it, Windows will open the
> firewall for it (otherwise what was the point in enabling it).  Yes, you
> can probably find custom configurations that enable RDC, including MCE.
> But hopefully people don't get hacked before they can get the patch
> http://www.microsoft.com/technet/security/bulletin/MS05-041.mspx .
> Plastered all over the badpack3t comments, news sites, and Microsoft's
> website are indications that this is DOS only and cannot be turned into
> an exploit anyway, though.

Yet.   There is a lot of history that shows where a DoS attack is
possible, a remote code execution path is likely.
Just go read the Infosec archives.

>> And recommending "a hardware firewall" as a panacea is just... dumb.
>> Yep, I'll say "dumb".  They have their place, but they won't protect
>> the casual home user against many (if not most) of the types of
>> attacks illustrated above.
> I'll agree with this paragraph as stated.  However, it will protect
> against any of the UPNP worms, which was really the only example you
> had that was relevant to the 12-minutes deal.

You assume that the "casual home PC user" isn't sitting at the keyboard,
reading email or surfing the web.

>>
>> And then there is the whole Finjan debacle.   Care to open that can of
>> worms?
> I guess I don't follow the sector news well enough to know what debacle
> you're speaking of.  I found some information on some Finjan stuff that
> seemed harmful for UNIX or something, but I got tired of looking and
> gave up.

Finjan claimed that WinXP SP2 still had at least 10 huge holes in it.
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,97478,00.html

Six months later, Microsoft bought "a minority share" of the company, and
a license to Finjan's patents.  This came a mere nine days after the
president (of Finjan) was fired.
http://www.eweek.com/article2/0,1895,1839309,00.asp

http://www.finjan.com/Pressrelease.aspx?id=371&PressLan=328&lan=3
http://www.finjan.com/Pressrelease.aspx?id=369&PressLan=328&lan=3

And only about 8 weeks after Finjan reported a security vulnerability on
the XBox 360:
http://www.finjan.com/Pressrelease.aspx?id=373&PressLan=328&lan=3

Result: all but silence from Finjan.  (Aka <crickets>)
http://biz.yahoo.com/prnews/060411/uktu021.html?.v=18

>
> Anyway, basically, we're arguing two separate things.  You are arguing
> that there are many unsafe things you can do on a Windows ME machine.  I
> don't doubt this for a minute.  I am arguing that if you plug a Windows
> ME machine into an internet jack, you're not going to instantly get
> hacked.

OK, I agree with you.   A Windows ME machine probably won't get rooted
until the guy at the keyboard starts doing stupid things.   Then it will
take less than 12 minutes.  :-)

> There's a lot I could say about security practices.  I'm not sure I have
> anything new or truly insightful to say on the subject.  I am generally
> disappointed by the public's ability to use a computer safely.  I've
> used Windows 95/98/2000/XP regularly on computers I've been in control
> of.  I've never had a virus since I brought home a floppy virus in
> elementary school.

You are perhaps unaware that Microsoft shipped a virus on at least two
editions of the MSDN CD subscription.

> I've never had any spyware besides "tracker
> cookies", which frankly I don't care about.  Yet the public seems to
> consider viruses and spyware as "inevitable" and the fault of Microsoft,
> etc.  I know I'm not average, but I'm also no super genius (I had to
> look up the word "panacea").  But I think I prove that you can
> successfully run Windows without getting rooted every day.
>
> I basically think that if you take a brand new install of any version of
> Windows, put it alone behind a hardware firewall, go to
> windowsupdate.microsoft.com to pick up all of the updates, then remove
> the hardware firewall (if you want), you won't have problems unless you
> run random executable files you find on the internet.

If you start with Win2K or WinXP (not SP2) then,... unlikely.

If you start with XPSP2, maybe.

> Of course it's a
> good idea to run any browser but IE, too, but depending on whether there
> are exploits for a fully patched version of IE and whether you go to
> strange websites that try to hack your computer, this might not be such
> a big issue.  You'll also want to go to windowsupdate maybe once a week
> or turn on automatic updates.
>
> You might think that last paragraph sounds extreme, but I would
> recommend the same thing of any OS.

I don't.  It's how I set up computers for people who insist on running
Windows after they've managed to become infected beyond my ability to
clean them up.  (I drop both Firefox and Thunderbird on them, and turn on
WinUpdate, and either give or sell them a small computer running
m0n0wall.)

> Be careful of what you do before
> you get your OS patches, then make sure that your OS patches stay up to
> date.  However, yes, it would be nice if you didn't need the
> hardware/software/SP2 firewall because there weren't any open ports to
> begin with.  I have read that Vista will ship with no open ports, but
> considering how often they change fundamental things in between betas,
> who knows whether they'll botch something simple like that or not.
>
> I firmly believe that if you turn on any network server-like services,
> you take responsibility for understanding what they do and certify that
> you have the newest, safest version of the service.  If you don't, then
> you deserve what you get.  I've seen OSX machines become raging messed
> up hacked open mail relays because some fool ran through the Sharing
> Preferences and checked all the checkboxes without knowing what any of
> them do (turns on samba, ssh, apache, sendmail and several others with
> default settings).

I really don't disagree with your statements here.  Can we agree that
Windows in the hands of an unsophisticated home computer user is more
dangerous than a monkey with a machine gun?

Jim



