Jim Thompson wrote:
>
>> First, Windows ME by some definitions can't be rooted, since it only has
>> one user.
>
> You're going to argue semantics?

This was mostly a pun, not a structured debate.

>>
>> *Systems Not Affected
>> Linux, Macintosh, OS/2, UNIX, Windows 95, Windows 98, Windows Me
>
> Right, so what about the WMF vulnerability? Granted, you have to
> display an image (email attachment, web browser, etc), and this
> requires "user involvement", but still, dude.. Microsoft has already
> said that they wouldn't fix it.

I'm not too surprised they aren't working hard to fix a relatively recently discovered bug in an OS they are EOLing next week, and hoped would go away for years. I'm not really sure where you get the idea that they refuse to patch it, though, since on June 13, they were saying that the patch is available via windows update: http://www.microsoft.com/technet/security/Bulletin/MS06-026.mspx. I don't have a DOS based system to try windows update on, nor can I read Slovakian, Slovenian, nor Thai, but I'm pretty sure they're not making all of this up. But if you spend the first 12 minutes of your Windows ME computer going to windowsupdate.microsoft.com rather than looking at hacked WMF pictures, this probably shouldn't affect you.

>
> Or the Music worm (including all variants)?
>
> Or last year's "cursor/icon format" issues that allow remote code
> execution:
> http://www.microsoft.com/technet/security/bulletin/ms05-002.mspx
>
> (again, email attachments or web browsers are the typical avenues of
> restriction).
>
> Or the HTML converter function issue present in *ALL* versions of
> Windows:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;823559
>
> Or the ZIP file buffer over-run: (Win98 (with "Plus Pack"), ME and XP)
> http://support.microsoft.com/default.aspx?scid=kb;[LN];Q329048
>
> Or this: http://support.microsoft.com/kb/q274548/
>
> Or this: http://www.microsoft.com/technet/security/bulletin/fq99-033.mspx
>
> Or this: http://support.microsoft.com/kb/q238329/
>
> Or this: http://support.microsoft.com/kb/q245729/
>
> Or this: http://www.microsoft.com/technet/security/bulletin/MS06-015.mspx
>
> Or this: http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx
I'm still looking for a link that doesn't involve Internet Explorer, telnet, or hyperterminal. None of these have anything to do with the Operating System except that they come with the Operating System, and they probably have unhealthy ties to some of the low level OS code that they shouldn't. The article seemed to be talking about Windows machines automatically being hacked 12 minutes after being connected to the internet, so I don't think using hyperterminal to go to an untrustable telnet host is terribly relevant. Since most of these KB articles come with security patches, they aren't too relevant unless they help you get hacked while doing nothing on the Internet or going on your way to windowsupdate.

>
> To say nothing of anything containing an "ActiveX" component, or what
> loading the wrong Sony music CD might do to your machine.
>

I'll admit that the Sony thing is bad, but that basically has more to do with Sony than Microsoft. This has a lot more to do with privilege isolation than anything else. Autorun makes installing programs more straightforward, but puts a lot of trust in the CD's content. The DOS based versions of windows didn't really have a good sense of multiple users or any sort of privilege isolation. That was a mistake, and it does seem silly in retrospect, when looking at OSX and Vista and how even as administrator you need to run a graphical version of sudo before your program is able to change system stuff. This would make people wonder when their "audio" CD wants to replace critical Windows system files. But again, this has nothing to do with networks.

>>
>
> Or the five year old "UPNP" exploit. Granted, *Microsoft* didn't ship
> with UPNP enabled in WinME, but some OEM
> variants enable it (as well as the WinXP Internet Connection Sharing,
> which is also vulnerable.) Once again, you can remotely exploit this
> one (though no email/web browser is required...)

This is the one that I had forgotten about.
You're probably right that there are some people with Windows ME machines with their default configurations that are vulnerable to worms that exploit this. If we cross off the rest of your examples as irrelevant to disproving what I was saying, this one still stands as likely proof that some configurations of one of the three DOS based OSes is vulnerable to attack just by plugging it into a network. I'm still not clear on whether IP based NOTIFY commands would get routed across multiple subnets, though. If someone knows for sure, I'd like to know.

>
> And though you can't run a remote exploit via this bug:
> http://support.microsoft.com/kb/q275567/
>
> Your 98/ME/NT4 computer won't stay on the net very long without the
> patch. (There are many others like this.)

I wish I had statistics on how many home users are randomly targeted for DOS attacks that don't help to spread any worm or accomplish any goal other than locking up their computer, but I don't. You could therefore be correct on this, but I think it's a little unlikely.

>
>>
>> If you turn on sharing to the root of your hard drive with read/write
>> without ever going to windowsupdate.microsoft.com, then you do deserve
>> what you get. Otherwise, a default install of windows ME is relatively
>> safe.
>
> Unless you read email or use the web browser.
>
> Can you really recommend this stance to a *home user*?

I've been inline up to here, but I'll discuss this at the bottom (if I remember).

>
>> Windows NT/2000/XP all were vulnerable to several classes of network
>> worms because they had retarded default security settings with open
>> ports for running services normal people would never need. All of these
>> ports are firewalled by default in XP SP2, and almost all computers that
>> have been built since August 2004 have SP2 built into the
>> installation/restoral CD. Until a worm comes out that hacks the
>> firewall itself (hasn't happened yet, but isn't impossible), all of
>> these XP SP2 machines are safe by default, and can only be hacked via
>> self-inflicted security holes (running randomly obtained exe files,
>> turning off the firewall, etc).
>
> Unless, of course the OEM enables the ports. Or something like
> "badpack3t" is modified to mount a remote exploit, rather than just
> BSOD-ing XPSP2. badpack3t leverages the remote desktop assistant,
> which is NOT firewalled in XP SP2's default firewall configuration.
>

The OEM could enable some of the ports on the firewall for some of the exploited services, but blocking these services is the whole point of the firewall in the first place, so I think this configuration would be uncommon. Saying that remote desktop is not firewalled is an odd statement. Remote Desktop is not ENABLED on most default configurations, except Windows MCE. If a user chooses to enable it, Windows will open the firewall for it (otherwise what was the point in enabling it). Yes, you can probably find custom configurations that enable RDC, including MCE. But hopefully people don't get hacked before they can get the patch: http://www.microsoft.com/technet/security/bulletin/MS05-041.mspx. Plastered all over the badpack3t comments, news sites, and Microsoft's website are indications that this is DOS only and cannot be turned into an exploit anyway, though.

> And recommending "a hardware firewall" as a panacea is just... dumb.
> Yep, I'll say "dumb". They have their place, but they won't protect
> the casual home user against many (if not most) of the types of
> attacks illustrated above.

I'll agree with this paragraph as stated. However, it will protect against any of the UPNP worms, which was really the only example you had that was relevant to the 12-minutes deal.

>
> And then there is the whole Finjan debacle. Care to open that can of
> worms?
I guess I don't follow the sector news well enough to know what debacle you're speaking of. I found some information on some Finjan stuff that seemed harmful for UNIX or something, but I got tired of looking and gave up.

Anyway, basically, we're arguing two separate things. You are arguing that there are many unsafe things you can do on a Windows ME machine. I don't doubt this for a minute. I am arguing that if you plug a Windows ME machine into an internet jack, you're not going to instantly get hacked.

There's a lot I could say about security practices. I'm not sure I have anything new or truly insightful to say on the subject. I am generally disappointed by the public's ability to use a computer safely. I've used Windows 95/98/2000/XP regularly on computers I've been in control of. I've never had a virus since I brought home a floppy virus in elementary school. I've never had any spyware besides "tracker cookies", which frankly I don't care about. Yet the public seems to consider viruses and spyware as "inevitable" and the fault of Microsoft, etc. I know I'm not average, but I'm also no super genius (I had to look up the word "panacea"). But I think I prove that you can successfully run Windows without getting rooted every day.

I basically think that if you take a brand new install of any version of Windows, put it alone behind a hardware firewall, go to windowsupdate.microsoft.com to pick up all of the updates, then remove the hardware firewall (if you want), you won't have problems unless you run random executable files you find on the internet. Of course it's a good idea to run any browser but IE, too, but depending on whether there are exploits for a fully patched version of IE and whether you go to strange websites that try to hack your computer, this might not be such a big issue. You'll also want to go to windowsupdate maybe once a week or turn on automatic updates.
You might think that last paragraph sounds extreme, but I would recommend the same thing of any OS. Be careful of what you do before you get your OS patches, then make sure that your OS patches stay up to date. However, yes, it would be nice if you didn't need the hardware/software/SP2 firewall because there weren't any open ports to begin with. I have read that Vista will ship with no open ports, but considering how often they change fundamental things in between betas, who knows whether they'll botch something simple like that or not.

I firmly believe that if you turn on any network server-like services, you take responsibility for understanding what they do and certify that you have the newest, safest version of the service. If you don't, then you deserve what you get. I've seen OSX machines become raging messed up hacked open mail relays because some fool ran through the Sharing Preferences and checked all the checkboxes without knowing what any of them do (turns on samba, ssh, apache, sendmail and several others with default settings).

-Eric Hattemer