June 25, 1998, and June 30, 2008, marked two important milestones in Microsoft's evolution of the
Windows OS -- the passing of the torch from Windows 95 to Windows 98, and the less seemly
transition from XP to Vista.
In the 3,659 days between, users of Windows have been forced to bear witness to another evolution
of sorts: bugs that left Windows open to exploits that appeared almost as fast as you could say,
"On the Origin of Species."
Uncovering -- and exploiting -- Windows vulnerabilities has made sport for many and careers for
many more. Entire industries have sprung up to protect Windows users from previously unknown
flaws, while malware authors have matured their practices from juvenile pranks to moneymaking
criminal enterprises.
Caught in the middle of this never-ending onslaught is the innocent PC user and the besieged IT
admin -- you. And though Microsoft and the entire software industry have labored tirelessly to
handle zero-day exploits and to develop protocols for reporting potential security problems,
we've seen and experienced several colossal security meltdowns thanks to the humble Windows bug.
These errors, buried in millions of lines of code, have steered great corporations and turned the
tide of fortunes. It's high time they got the credit they deserve. Here are the worst Windows
flaws we've endured since the introduction of Windows 98.
Password "password" would have been more secure
Bug identifier: CVE-2000-0979, MS00-072
Description: Share Level Password vulnerability
Alias: Windows 9x share password bypass
Date published: Oct. 10, 2000
Windows 9x introduced a nifty little concept wherein users could host a password-protected mini
file server, aka a share, on their PCs. The idea was simple: Allow users of networked computers
to host and share files securely. Only the padlock Microsoft used to lock the door came equipped
with a gaping hole that rendered it useless.
"When processing authentication requests for a NetBIOS share, Windows 95/98 would look at the
length of the password sent by the attacker and then only compare that number of bytes to the
real password," writes vulnerability expert H.D. Moore, who manages the Metasploit Framework
project.
Oops. "This let the attacker specify a password of zero bytes and gain access to the share,"
without actually knowing the password at all, Moore explains.
"The real damage," he continues, "was that by trying all characters of incrementing lengths, they
could literally obtain the password for share from the server."
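As an added example (not code from the article, Microsoft, or Moore), the following models the length-controlled comparison described above beside a corrected check, and counts how cheaply the flawed check gives up the stored password one byte at a time; the sample password is a constructed value.

```python
"""Added example, not code from the article: a model of a share-level
password check that compares only as many bytes as the client sent, beside
a corrected check. All values below are constructed."""
import hmac
from typing import Tuple

REAL_PASSWORD = b"s3cret"  # constructed sample share password


def vulnerable_check(supplied: bytes, real: bytes = REAL_PASSWORD) -> bool:
    """Flawed logic: the client-supplied length decides how much is compared.

    A zero-byte password compares nothing and is accepted; any correct
    prefix is accepted too, so the check doubles as a per-byte oracle.
    """
    return real[:len(supplied)] == supplied


def fixed_check(supplied: bytes, real: bytes = REAL_PASSWORD) -> bool:
    """Corrected logic: the stored length and every byte count, and the
    comparison runs in constant time so timing does not leak either."""
    return hmac.compare_digest(supplied, real)


def oracle_recovery_cost(real: bytes = REAL_PASSWORD) -> Tuple[bytes, int]:
    """Measure the 'incrementing lengths' leak against the flawed check.

    Extends a guess one byte at a time, keeping each byte the oracle
    accepts. Returns the recovered value and the number of checks made,
    which is at most 256 per byte instead of 256 ** len(real) overall.
    """
    guess = b""
    checks = 0
    while len(guess) < len(real):
        for b in range(256):
            checks += 1
            if vulnerable_check(guess + bytes([b]), real):
                guess += bytes([b])
                break
    return guess, checks


if __name__ == "__main__":
    print("empty password vs vulnerable check:", vulnerable_check(b""))
    print("empty password vs fixed check:", fixed_check(b""))
    recovered, cost = oracle_recovery_cost()
    print(f"oracle recovered {recovered!r} in {cost} checks")
```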
Upshot: Rather than functioning as a lock on a door, the password authentication
scheme for Windows 95/98's File and Print Sharing acted more like a nail through a hasp -- to
open the door you only needed to pull out the nail, with hardly any effort.
Folder traversal: Total server control with a single URL
Bug identifier: MS00-078
Description: Web server folder traversal vulnerability
Alias: Directory traversal bug
Date published: Oct. 17, 2000
If there's one thing we've learned from the past decade of Microsoft patches, it's that not
everyone keeps on top of them. When Microsoft published this particular advisory, the patch that
fixed the problem (MS00-057) had already been released two months prior.
With this bug, if you knew the layout of a Microsoft file system -- which folders appear where --
you could send a command to a Web server that essentially gave you total control.
As anyone who has spent any time using a Windows computer will tell you, it's not hard to find
your way around the hard drive. Documents go in a particular folder path; most applications are
put in another folder path; and so on.
By using dots and backslashes (or their respective unicode representations) in the URL, this bug
allowed you to navigate up and down the file system and execute commands, just by knowing a few
simple rules and how Windows organizes itself. While account permissions for IIS are somewhat
limited, a related exploit helped escalate privileges, giving remote users the ability to do
whatever they wanted to with Windows servers simply by sending a few URLs.
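The defensive counterpart to the traversal described above, as an added example (not code from the article or from IIS): a path resolver that decodes the request path exactly once, rejects malformed UTF-8 such as the overlong byte sequences used as alternate representations of a slash, treats backslashes like slashes, and refuses any request whose ".." segments would climb above the web root. The root and request paths are constructed sample values.

```python
"""Added example, not code from the article or from IIS: a defensive
request-path resolver for a web root. The root and sample paths are
constructed values."""
import posixpath
from typing import Optional
from urllib.parse import unquote_to_bytes

WEB_ROOT = "/inetpub/wwwroot"  # assumed document root (constructed)


def resolve_request_path(url_path: str, root: str = WEB_ROOT) -> Optional[str]:
    """Map a request path to a file under root, or return None to refuse it."""
    raw = unquote_to_bytes(url_path)  # decode %xx exactly once, to bytes
    try:
        decoded = raw.decode("utf-8")  # strict: invalid or overlong forms raise
    except UnicodeDecodeError:
        return None
    # Refuse a second encoding layer or embedded NULs rather than decoding again.
    if "%" in decoded or "\x00" in decoded:
        return None
    decoded = decoded.replace("\\", "/")  # both separators mean the same thing
    stack = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not stack:
                return None  # would leave the web root
            stack.pop()
        else:
            stack.append(segment)
    return posixpath.join(root, *stack)


if __name__ == "__main__":
    for path in ("/default.asp",
                 "/images/../default.htm",
                 "/scripts/..%5c..%5coutside.txt",
                 "/scripts/..%c0%af../outside.txt",
                 "/scripts/%252e%252e/outside.txt"):
        print(f"{path!r:45} -> {resolve_request_path(path)!r}")
```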
"Originally found as an anonymous post in the PacketStorm forums, this resulted in nearly two
straight years of mass ownage against Windows web servers," Moore writes.
Upshot: Directory traversal opened up a new world for automated attacks that
merely had to call a particular URL to do their dirty work.
Code Red: Deadly bug, disgusting soda
Bug identifier: MS01-033
Description: Unchecked buffer in index server ISAPI (Internet Server API) extension could enable Web server compromise
Alias: The Code Red bug
Date published: June 18, 2001
What happens when you send a ton of data at a Microsoft Web server? If it was the summer of 2001,
well, you owned the network. At least that's what happened a little more than a month after
Microsoft released this obscure-sounding patch for IIS Web servers.
The nature of the bug was simple: Take an IIS server, invoke a buffer overflow, and commands
spill into other parts of system memory. Because the commands were issued in the context of the
system itself, the bug opened up for exploitation virtually all aspects of the server's
operation.
And exploitation happened, all right, on a scale that hadn't been seen before.
On the afternoon of Friday, July 13, 2001, security engineers at eEye Digital Security received
reports of a worm that was spreading rapidly through its customers' networks. Fueled by a limited
edition, crimson, caffeinated, high-fructose corn syrup-based beverage, Mark Maiffret and Ryan
Permeh spent a weekend reverse-engineering the worm, and alerted the world to its presence.
What the worm did was probe vulnerable IIS servers, infect them, and create 100 threads of
itself, which then spread to other computers. If the date was between the 20th of the month and
the end of the month, it would attempt to spew data at www.whitehouse.gov. Permeh and Maiffret
estimated that the worm could infect approximately 500,000 unique IP addresses per day.
Upshot: Code Red really drove home the importance of patching bugs soon after
Microsoft released the patch, because the patches themselves give malware authors clues to
exactly where they should look for new vulnerabilities.
Fastest infection. Ever.
Bug identifier: MS02-039
Description: Buffer overruns in SQL Server 2000 Resolution Service could enable remote code execution
Alias: The SQL Slammer bug
Date published: July 24, 2002
While technically not an OS bug, the SQL Slammer bug deserves honorary mention due to the sheer
velocity with which vulnerable systems were infected. The bug targeted Microsoft's database
server. Vulnerable computers were subject to buffer overflows that, if properly crafted, could
place commands into memory to cause the targeted system to execute those commands with the
permissions of the database service.
Patching was complicated by the fact that admins needed to run an earlier patch before they could
run the MS02-039 fix. The bug affected primarily corporate server systems, but also affected home
users who had MSDE (Microsoft SQL Server Desktop Engine) installed. That made a number of home
users, some of whom didn't even know they had MSDE on their machines, unwitting participants in
the carnage to come.
Because the Slammer worm primarily targeted servers running databases, it didn't infect millions
of machines. It did, however, spread rapidly -- so rapidly, in fact, that it had infected roughly
9 out of 10 vulnerable machines within 10 minutes of being released on Jan. 25, 2003. The entire worm was only 376
bytes, and fit into a single packet of data.
The MS02-039 bug was "one of the biggest oversights of all time," says Steve Manzuik, senior
manager of security research at Juniper Networks, "not because it was an easy or obvious bug to
find -- it wasn't."
"At the time of the patch, no one realized that every vulnerable SQL installation was also
listening on a UDP (User Datagram Protocol) port that they could be exploited over," Manzuik
explains. "Many administrators simply locked down access to the SQL TCP ports while forgetting
about UDP."
A postmortem by the Cooperative Association for Internet Data Analysis revealed that the worm was a
model of efficiency, doubling the number of infected systems every 8.5 seconds, and flooding
the Internet with so many infection attempts that routers shut down. When restarted, so many
routers attempted to update their routing tables simultaneously that normal Internet traffic
simply couldn't get through the gridlock.
Upshot: SQL Slammer demonstrated the power of a vulnerability that could fit
within a single data packet, and brought home the lesson that a single application weakness could
cause the entire Internet to grind to a standstill. And it's still out there, drifting around on
a few old systems, looking for new hosts to infect.
Billy Gates, stop making money! Make malware instead.
Bug identifier: MS03-026
Description: Buffer overrun in RPC interface could allow code execution
Alias: The Blaster Worm bug
Date published: July 16, 2003
The DCOM RPC interface is a common component of NT-based Windows OSes, including NT, 2000, XP,
and Server 2003. In the summer of 2003, it became the subject of intense scrutiny.
As Microsoft described in the bulletin that accompanied the patch, a successful exploit only
required the attacker to send a "specially formed request" to a vulnerable PC -- a bit like
dangling candy in front of a ravenously hungry baby.
By Aug. 11, the Blaster worm arrived, and though it spread rapidly, it was fairly easy to
block with a firewall.
Unfortunately, protecting home systems with firewalls wasn't common practice at the time. Home
users' PCs -- connected directly to the Internet -- got whomped by the worm. When the worm's code
crashed the infected computer's RPC service, the computer would display a message warning of
imminent shutdown, and unceremoniously reboot itself.
The worm had another message, this one to Microsoft's founder, and embedded within
its code: "billy gates why do you make this possible? Stop making money and fix your software!!"
But it was fixed. Or at least it would have been if people had patched their systems.
At the end of the summer, Microsoft released a second set of updates in MS03-039 that blocked
additional ports that attackers could use to mess with the RPC service.
Upshot: We're all in better shape thanks to the wide adoption of firewalls in
the home. Thanks in part to Blaster and its ilk, most broadband modems have one built in.
That sassy bug has a lot of spunk
Bug identifier: CVE-2003-0533, MS04-011
Description: Stack-based overflow in certain Active Directory service functions in LSASRV.DLL
Alias: The Sasser bug
Date published: April 13, 2004
In yet another example of ironic buffer-overflow goodness, this bug made the security subsystem
of Windows the agent of evil itself. And, once again, malicious coders used Microsoft's own patch
to figure out exactly where to target the OS.
As Windows XP's gatekeeper, LSASS (Local Security Authority Subsystem) manages the permissions of
a PC's user accounts. So when eEye -- the same company that discovered the Code Red bug --
quietly disclosed the details of this flaw to Microsoft in October 2003, it touched off six
months of furious coding in Redmond that culminated in a patch that fixed 13 other Windows 98,
NT, 2000, XP, and Server 2003 flaws, as well as the LSASS bug.
And, within 18 days, the Sasser worm was cruising the Internet, hopping from one unpatched
machine to another. The poorly coded worm wreaked havoc, shutting down networks around the world.
Even though a fix was already available, many users -- in particular, corporate IT managers --
still had not applied MS04-011. By May 1, 2004, work on fixing the unintended damage caused by
Sasser had become a round-the-clock operation, says then director of the Microsoft Security
Response Center, Kevin Kean, with "a number of war rooms and rotating shifts" for MSRC staffers.
Upshot: What was that about patching as soon as the updates are available?
Lessons that should have been learned three years earlier didn't really sink in until Sasser
publicly pummeled patchless PCs to pulp.
WMF: Wherein malware is foisted
Bug identifier: CVE-2005-4560, MS06-001
Description: Vulnerability in graphics-rendering engine could allow remote code execution
Alias: Windows Metafile vulnerability, aka drive-by downloads
Date published: Jan. 5, 2006
Over the winter holidays in 2005, security researchers began discussing a newly discovered vulnerability in a Windows library used
by the OS to display various kinds of graphics in apps and the OS itself.
The problem stemmed from a particular image file format, native to Windows since the days of
Windows 3.0, called WMF (Windows Metafile). Used as the native format for storing graphics within
Microsoft Office documents, support for WMF was by that point thoroughly embedded into Microsoft
products.
WMF files contain function calls that a program sends to the GDI (Graphics Driver Interface).
Someone discovered that WMF files can contain executable code as well. This would allow you to,
say, create a WMF file that, merely by being viewed, invokes Internet Explorer to visit a
particular URL, download a file, and execute that file. Special.
The aftermath of the discovery followed a familiar pattern. Microsoft issued a patch on Jan. 5,
2006, in record time. But for a long while, unpatched computers running vulnerable versions of
gdi32.dll roamed the Internet, slurping up mountains of malware.
The bug had far-reaching effects, enabling malicious code to be foisted on unsuspecting users and
executed in a variety of ways: previewing an e-mail containing the malicious WMF file in Outlook;
viewing an image preview in Explorer; viewing a malicious WMF in certain third-party graphics
programs; indexing a hard disk that contained a malicious file; following a URL link in an
e-mail, IM, or on another Web page to a site where the malicious file was embedded in the Web
page.
Upshot: We learned that nothing is sacred, that any file format could be
considered hostile. And we also got a cool new name for an exploit method: drive-by downloads.
MDAC: The component that keeps on giving (headaches)
Bug identifier: CVE-2006-0003, MS06-014
Description: Vulnerability in MDAC (Microsoft Data Access Components) could allow code execution
Alias: MDAC RDS.Dataspace ActiveX bug
Date published: April 11, 2006
Way back in 1998, Microsoft issued a security bulletin about a component of IIS that ran under
Windows NT Server called Microsoft Data Access Components. In the bulletin, MS98-004, Microsoft
warned that a part of MDAC called the RDS (Remote Data Service) had a vulnerability that allowed
unauthorized people to browse databases.
Flash-forward eight years to the spring of 2006. Microsoft released a security bulletin about a
component of MDAC called RDS, which has a vulnerability that permits malicious Web servers to
perform drive-by downloads against the unpatched PCs of unsuspecting victims. Eerily familiar.
In the latter case, it was an ActiveX control that allowed users to connect to RDS through IE and wreak
havoc. The ActiveX control doesn't behave as intended, and can be loaded and exploited if you
visit the wrong Web site.
Of course, by 2006, MDAC isn't just loaded on servers; you may have it on your PC. Moreover, the
bad guys have changed tactics. No longer content to wait patiently for you to happen upon their
malicious Web site, they spam you with links, buy ads based on Google searches, and load their
pages with SEO (search engine optimization)-rich keywords. The result, however, is the same:
Visit and be exploited.
In fact, the bad guys are now using off-the-shelf exploit software to put malware onto your
machine. A tool called MPack that's loaded on malicious Web sites can check to see what browser
version you're using and what patches you have installed. Based on this analysis, it delivers the
exploits that will do the most damage. More galling is that they don't even bother to hide what
they're doing, naming the Web page that performs the exploit "mdac4.php."
Upshot: The MDAC RDS is a complex system, with a multitude of patches available
depending on which version you have installed. Manually choosing the right patch can be a
complicated task. But with such a serious flaw, you can't afford to make a mistake. Patches like
these have helped push advancements in Windows Update, which scan your system and pick the right
patch automatically, so you don't have to.