[LUAU] MS to EOL Win98 and WinMe - July 11

Tim Newsham newsham at lava.net
Fri Jul 7 11:00:36 PDT 2006


> be extremely surprised.  The best I've ever found is one that will
> propagate to shared drives on the network that have manually turned on
> read/write sharing on the root of the hard drive regardless of whether
> they set a password on the share.  No sharing is enabled on windows ME
> by default.

I would be very surprised if there isn't some SMB-based remote vuln
that works against ME when there are no defined shares.  The code
quality of most MS products pre-2001 is pretty poor.
(I have no idea how secure an ME box is with all windowsupdate
patches applied)

> Windows NT/2000/XP all were vulnerable to several classes of network
> worms because they had retarded default security settings with open
> ports for running services normal people would never need.  All of these
> ports are firewalled by default in XP SP2, and almost all computers that
> have been built since August 2004 have SP2 built into the
> installation/restoral CD.  Until a worm comes out that hacks the
> firewall itself (hasn't happened yet, but isn't impossible), all of
> these XP SP2 machines are safe by default, and can only be hacked via
> self-inflicted security holes (running randomly obtained exe files,
> turning off the firewall, etc).

I wouldn't call a client vulnerability "self inflicted."  They
can't be attacked at the whim of the attacker and instead must
be initiated by an action of the user, but client vulnerabilities
are still very serious.  Using client programs in their normal
mode of operation can result in your machine being "rooted" and
there is little the windows firewall can do about it.  The attack
surface here is huge -- all your network clients, any program that
is used to process files from a third party (media, documents, etc.),
files you place in certain folders (put a shortcut to www.google.com
on your desktop that runs cmd.exe, and guess what happens when you
type "www.google.com" into IE?) and probably a lot of other things
I forgot to mention...

> Furthermore, a windows machine of any sort that is alone behind a
> hardware firewall won't have any hackable open ports either.

Depends... sometimes it will and you won't know it.  Can you say
"teredo"?  Don't know what that is?  That's the problem.

> It seems
> like almost all broadband ISPs give their customers NAT firewall
> routers/modems nowadays, so this mostly just leaves dialup and static IP
> users of windows NT-2000-XPSP1, who either haven't been to windowsupdate
> before the viruses came out, or who managed to find an installation CD
> for one of those old OSes, which is an increasingly small segment of
> windows users.

It helps, for sure.  It helps a lot.  But there's still lots of
exposure.  At least you're not in a race condition when you hook up
your windows machine to get to windowsupdate as you would be if
you didn't have a firewall (well, assuming nobody on your LAN is
infected).  There's a large computer company that shall remain
nameless that had a large network and had a huge problem with worms.
The network was so large that there were always new machines being
brought up.  These new machines would invariably become infected
before the worm could be eliminated on other machines and they had
old worms running around their network for a long time even though
all new machines were dewormed as soon as possible.  Not much their
firewall could do to help...

> The only people who have it right are OSX and a few linux
> distributions.  OSX has no open ports by default.  Almost all Linux
> distributions have ssh enabled by default, which has had a few
> exploits.  I strongly believe that ALL open ports should be an opt-in
> policy and not an opt-out/firewall policy.

I don't disagree, but this alone does not ensure security.

> -Eric Hattemer

Tim Newsham
http://www.lava.net/~newsham/
