Microsoft won't patch SMB flaw that only an idiot would expose A Windows SMB vulnerability revealed late last week at DEF CON won't be patched because Microsoft says the service should be firewalled off from the internet anyway. The 20-year-old bug is in at least Windows 2000 to Windows 10. It was discovered by RiskSense bods, who combed Redmond's file server code for flaws similar to the …
You can't protect idiots from themselves no matter how hard you try. If you have an SMBv1 share exposed to the internet they can brute force the password fairly easily even without a flaw. No one should ever have any SMB shares on the Internet.
The cost effective solution would be to disable SMB sharing on effected versions of Windows, I imagine you wouldn't like Microsoft doing that unilaterally either.
I thought a recent MS security patch pretty much disabled smbv1 everywhere? I seem to rememeber reading about it after wannacry surfaced.
Smbv1 is quite old and outdated. Even my linux boxes arent using smbv1.
Even basic routers would block internet smbv1 access so you have to be pretty daft to start opening the ports up (or just pppoeing your server to the Internet )
Not really on the internet, but guess what caused the so-damn-fast spread of the wannacry in the NHS... the nationwide private WAN has SMB wide open to and from basically anything. And it is still open now.
When I was working in NHS IM&T we treated the N3 as an externally facing internet connection so every site had it's own firewall. No doubt you can find single site trusts basically without IT staff that are incompetently setup, but there is really no such entity as "THE NHS", it's a patchwork of hundreds of different trusts all running things in radically different ways.
There's nothing wrong with making the OS easy to use, if it's done properly and elegantly.
Windows became idiotic since Win 8 (Metro! Metro! Metro!) and Win 10 (SatNad and his Insider groupies' data mining project)... it's really the entire Microsoft becoming idiotic, rather than something that's unique to Windows ('new and improved' Skype).
We have an entire generation of youths who do not know basic DOS commands.
Powershell is powerful, true. But its early learning curve is very steep. Steeper than bash and much steeper than dos. Even a lowly dir /o:d requires figuring out what the object's date attribute is called and a pipe to the sort. And the whole command will be much longer too. On the positive side you don't need to parse an text stream to isolate that date for further processing. For advanced usage, ps's more structured object mechanism pays off, most of the time it seems overkill.
I fear the days of the casual command line user, if there ever was such a beast on Windows, are ending.
Why did not MS do it in the server space too, and let Linux overcome Windows Server?
Anyway Linux didn't became a desktop alternative until well into the 2000s - just look at kernel releases, and desktop managers state - a lot was missing, especially on laptops.
MS business "practices" hurt much more previous competitors, and the lack of applications, which in some area is still an issue, didn't really help - just like the distro fragmentation and companies like Mandrake/Mandriva with the wrong business model.
Also, PC manufacturer today would sell preinstalled whatever they could to improve PC sales. PC manufacturer aren't stupid, if Linux would have sold as much as Windows, they would have said MS goodbye a long ago.
But keep on believing people don't use desktop Linux just because the evil eye of MS...
> PC manufacturer aren't stupid, if Linux would have sold as much as Windows, they would have said MS goodbye a long ago
PC manufacturers get "all-or-nothing" discount deals which make offering non-Windows alternatives very expensive. So the "linux doesn't sell" mantra becomes self-fulfilling.
"PC manufacturers get "all-or-nothing" discount deals which make offering non-Windows alternatives very expensive."
In practise, impossible. "Nothing" option means not being able to sell any Microsoft product or advertisements on those and that's a lot of money.
Almost half of the profit for HW-maker on cheap Windows-laptop is from advertisements and 3rd party programs (systematically called "crapware") pre-installed to it.
Often so you can't remove them without installing whole system from retail Windows-DVD and *puff*, none of the drivers needed aren't there as they exist only in vendor and version spesific image installed in to the machine. So you live with crapware or don't use the machine. Nice.
So far that on paper similar Dell-laptops, 1 month between buying, couldn't connect to network with each other's rescue disk as -tadaa- network card had changed in between, totally different.
Of course neither worked with retail-Windows-DVD either. I wasn't surprised.
Stop buying them. They're just crap. It's funny how all those Linux power users feel the need to buy such a crap.
True, Linux may be less resource hungry, but do your really buy such a crap??? Why??? Leave them to the Windows users whom they are designed for.
It's the whole system which is built with cheap components, why risk for any professional work?? You'll save a lot from not buying software, so, make a gift to yourself, buy better hardware... or aren't you paid enough for all those Linux skills to afford a decent PC???
Never found, anyway, yet a PC for which drivers were not available for the supported operating systems. The fact that two PC bought a month apart may have different components doesn't surprise me. One component may have been EOL'd and replaced by another. And if the components are released after the OS version, there's a good chance they won't be supported by a retail installer unless you add the drivers yourself.
"PC manufacturer aren't stupid, if Linux would have sold as much as Windows, they would have said MS goodbye a long ago."
'Would have sold', right. How would anyone know how much they would sell without Microsoft?
That's a risk no CEO will take. Not now and not for along time.
Also MS has a policy which defines that either you sell Windows pre-installed (and _only_ Windows) or you are not selling MS-products at all. That's the evil part: illegal abuse of monopoly, very serious threat to HW makers.
Linux is not sold, basically, as it's a free software: Where's the profit on that?
Selling hardware is only one part of profit on HW: Selling advertisements on said hardware is often half of the profit and that's impossible if buyer install his own OS.
Also Intel is practically married with Microsoft and they haven't been able to invent anything really new since late 80s. There's more profits in making same old shit cheaper than earlier and there basically isn't any competition, so no need to invent anything new.
Monopolies and cartels always means technical stagnation and are illegal for a reason. Obviously being big enough leads the cartel wagging the Congress and not the oter way round.
You are with your heads stuck firmly in the past. Actually, many vendors sell PCs with Linux preinstalled. For example Dell sells laptops and desktops with Ubuntu preinstalled (it gives you a choice of three LTS). Which actually shows your assertions are just BS - there's no way MS can forbid it today.
But you all keep on repeating 1990s era "news", before MS was hit by antitrust investigations, just in the attempt to justify almost no one bothers to buy a desktop/laptop with Linux preinstalled, especially since many will order it anyway without the OS and then install the distro of their choice, because not everybody uses Ubuntu. And even if Linux is free, supporting five or six distro would be expensive anyway - especially as long as Linux integralists keep on complaining about proprietary drivers...
What's wrong with Linux is too many believe it is is a religion, and believe in dogmas without actually checking if they are still true. They were told in the past, and it has to be still true... take your head out of the sand.
"But keep on believing people don't use desktop Linux just because the evil eye of MS..."
Not _just_ because of that, Linux has some serious problems by itself, but money always talks and MS has a lot of money and Linux-people don't.
Anyone who ignores that is just a fan boy.
Linux kernel is quite a piece but windows-stupidities with ideology "one piece does everything" (like systemd) and UI nightmares like Gnome 3 are serious drawbacks mostly created by invididuals or small groups who are so full of themselves that even obvious stupidities are dismissed by statements like "you are using it wrong", while fully knowing that documentation doesn't say anything about the "right way" of using it.
Neither are there error messages that make any sense.
And third brain damage, sabotage from MS-world: Throroughly useless documentation.
"This button confirms action" and the button has label "OK". Yea, right, I'm convinced.
The fact you did something with Linux in 1998 didn't make it a useful tool for everybody. Believe me, there were people who actually used Windows 2.0.
Until kernel 2.6 Linux had several shortcomings in many areas - i.e. threading and memory management that hindered its use in large applications. Feel free to tell us what your "commercial deployments" were....
From kernel 2.6 onward Linux made great leaps.
the problem is Microshatf's design. The idea that a networked box would expose services on the intarwebs is in and of itself a MAJOR problem.
In other words, they should have designed it to ONLY listen on RFC1918 IP addresses, and ONLY listen if you enable networking.
But NOOooo... they have to bind to 0.0.0.0 (i.e. everything) and THAT is the problem!
And they do that with other "well known" or "easily discoverable" TCP stuff. Just do a "netstat -an" some time on you Winders box, and see what's listening...
And if it shows up as the SAME port on everybody ELSE's box, and there's a vulnerability on it, and you connect directly to the intarwebs on a publically visible IP address [including _ANY_ IPv6 address!] then you're exposing your winders box's soft underbelly to the intarwebs.
"Only an idiot" would have DESIGNED! IT! THIS! WAY!! Right, Micro-shaft??
[the need to bind to publically visible IP addresses could be a kind of "opt in" setting, and THEN it would be the customer's fault for doing it...]
He may be Bombastic but there is a perfectly valid point here. The default state for ports should be disabled with the minimum possible exceptions in order to get the box up and running. This may include core network ports but why would HTTP be enabled by default? That should get enabled as part of configuring the HTTP security rather than as soon as the server starts.
I am not going to claim I know which should or shouldn't be in that minimal set but wide-open is a poor choice for a starting point
>The default state for ports should be disabled with the minimum possible exceptions in order to get the box up and running.
This was the default setting for secure third-party Windows firewalls such as Comodo and Outpost from the very beginning (ie. before 2005), but then they also blocked inbound and outbound traffic and performed stateful inspection, whereas the Windows firewall was only a simple outbound port blocker.
Also in the case of Outpost, SMB/NetBios traffic (if you enabled it) was limited by default to IANA defined private networks and specifically the subnet the host was attached to.
I would assume that this is also the case will all modern security suites...
>but why would HTTP be enabled by default?
On a system (not a firewall appliance), I would expect outbound HTTP to be enabled by default, given the extent to which browsers have become as essential to system setup and operation as TelNet and FTP were a few decades back.
OH FFS BOB,
Change the record,
LOTS OF PEOPLE LIKE MICROSOFT
you may not like it, other bleaters may not like it - but get over it FFS.
Were you scared by a picture of a dog on a Windows 3.1 PC years ago ??? .... just trying to make sense of it that's all
"LOTS OF PEOPLE LIKE MICROSOFT"
Err no they don't.
People like Amazon for a variety of reasons, same with Google whom people often find useful, and Apple have their loyal fans too.
But Microsoft? After force-feeding people a crash prone, bug ridden, security nightmare of an OS all these years, most people I meet from general public to programmers really do not like Microsoft much at all. The only people I ever met who said anything nice about Microsoft actually worked for Microsoft in some capacity.
It's not "hating" or anti-Microsoft bias either, Microsoft have genuinely earned their terrible reputation.
SMB predates Windows, and was designed at IBM, well before TCP/IP became the de-facto standard. It run on IBM LAN protocols and IPX well before TCP/IP, thus there was no way it could have been published directly on the Internet. Only later NetBIOS was made available on top of TCP/IP, and then SMB directly - the issue as usual is "backward compatibility".
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
