To patch or not to patch?

Duo Maxwell:
http://www.zdnet.com.au/news/security/0,2000061744,39189587,00.htm


--- Quote ---Microsoft plays tag with 'raw sockets'
By Renai LeMay, ZDNet Australia
27 April 2005

Microsoft's continued disabling of a Windows XP TCP/IP feature has prompted a security guru to claim Redmond was asking his peers to "pick their poison".

Microsoft is using a new patch to block sending data via "raw sockets", a technique the security community uses to analyse otherwise inaccessible data, prompting one expert to e-mail his peers: "Pick your poison: Install [the patch] and cripple your operating system, or ignore the hotfix and remain vulnerable to remote code execution and Denial of Service (DoS)."

Raw sockets are a little-known feature of the TCP/IP protocol on which the Internet runs. The feature is heavily relied upon by security professionals as it allows them to bypass certain controls to create more customised TCP/IP packets and analyse Internet data.

The software giant first tried to block the use of raw sockets with the release of Windows XP Service Pack 2 in August last year, claiming the feature could be used to launch denial of service (DoS) attacks. A subsequent workaround devised by the security community has been disabled by the new patch.

Only known as 'Fyodor', the author of the widely-used network scanning tool Nmap -- which uses raw sockets extensively -- said Microsoft's latest move was not aimed at stopping DoS attacks and packets being sent with a forged-source Internet address, as the heavyweight claimed.

Rather, it had to do with deficiencies in Windows' security architecture, he wrote in an e-mail to his 23,000-strong list.

"I know that some of you have been avoiding SP2 to keep your system fully functional," he said. "Now they [Microsoft] have quietly snuck the raw sockets restriction in with their latest critical security patch [MS05-019]."

"Microsoft claims the change is necessary for security," Fyodor said. "This is funny, since all of the other platforms Nmap supports (eg Mac OS X, Linux, the BSD variants) offer raw sockets and yet they haven't become the wasp nest of spambots, worms and spyware that infest so many Windows boxes."

A Microsoft spokesperson was unavailable for comment at the time of publication.
--- End quote ---
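What the article calls "more customised TCP/IP packets" is concrete enough to show in code. The block below is an added example for this thread; it is not code from the article, from Fyodor's mail, or from Nmap. It hand-builds an IPv4 header and a TCP SYN, computes both checksums, and asks the kernel to send the packet untouched via a raw socket with IP_HDRINCL, which is exactly the path a stack can refuse. The addresses, ports and header values are constructed for illustration (TEST-NET ranges, nothing real), and the send helper reports a refusal instead of working around it; sending needs root or CAP_NET_RAW and is only attempted when the file is run directly.

```python
import socket
import struct

# Constructed example values (assumptions for this demo, not from the article).
# The source address is one the stack would normally fill in for us; a raw
# socket with IP_HDRINCL lets the caller supply it, which is the "forged
# source" capability the article refers to.
SRC_IP = "192.0.2.10"
DST_IP = "198.51.100.20"
SRC_PORT = 40000
DST_PORT = 80


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ip_header(src: str, dst: str, payload_len: int,
                    proto: int = socket.IPPROTO_TCP, ident: int = 0x1234,
                    ttl: int = 64) -> bytes:
    """20-byte IPv4 header, no options, checksum filled in."""
    ver_ihl = (4 << 4) | 5           # version 4, 5 words of header
    total_len = 20 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = checksum(hdr)             # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def build_tcp_syn(src: str, dst: str, sport: int, dport: int,
                  seq: int = 0, window: int = 8192) -> bytes:
    """20-byte TCP header with only SYN set; checksum covers the pseudo-header."""
    data_offset = 5 << 4             # 5 words, no options
    flags = 0x02                     # SYN
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_offset, flags,
                      window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, socket.IPPROTO_TCP, len(hdr))
    csum = checksum(pseudo + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def build_packet(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Complete IP+TCP SYN as it would go on the wire (no Ethernet framing)."""
    tcp = build_tcp_syn(src, dst, sport, dport)
    return build_ip_header(src, dst, len(tcp)) + tcp


def send_raw(packet: bytes, dst: str):
    """Hand the crafted packet to the kernel unchanged.

    Returns (sent, reason). Opening the socket needs privilege everywhere;
    a stack that restricts raw sends (the behaviour the thread is about)
    refuses here with an OSError rather than rewriting the packet.
    """
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    except OSError as e:
        return False, "cannot open raw socket: %s" % e
    try:
        # IP_HDRINCL: the caller supplies the IP header; do not rebuild it.
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.sendto(packet, (dst, 0))
        return True, "sent"
    except OSError as e:
        return False, "raw send refused: %s" % e
    finally:
        s.close()


if __name__ == "__main__":
    pkt = build_packet(SRC_IP, DST_IP, SRC_PORT, DST_PORT)
    print("packet:", pkt.hex())
    print(send_raw(pkt, DST_IP))
```

Both checksums can be verified offline without sending anything: summing the finished IP header (and the pseudo-header plus finished TCP header) with the same routine yields zero, which is how a receiving stack validates them. That self-check is worth keeping in any packet-crafting tool, because a stack that silently rewrites or drops raw sends, as the thread describes, is otherwise hard to tell apart from a bad checksum.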

Orethrius:
The age-old story: security through obscurity. It doesn't work; not now, not ever - because hackers are inherently curious. If you think they're stopped by the threat of losing their EULA rights, you've got another thing coming. It's sad that Microsoft feels the need to block scanners to conceal their shortcomings.

Kintaro:
--- Quote ---Only known as 'Fyodor', the author of the widely-used network scanning tool Nmap -- which uses raw sockets extensively -- said Microsoft's latest move was not aimed at stopping DoS attacks and packets being sent with a forged-source Internet address, as the heavyweight claimed.

Rather, it had to do with deficiencies in Windows' security architecture, he wrote in an e-mail to his 23,000-strong list.
--- End quote ---

Anyone have a copy of that email?

KernelPanic:
http://seclists.org/lists/nmap-hackers/2005/Apr-Jun/0000.html

Kintaro:

--- Quote from: KernelPanic ---http://seclists.org/lists/nmap-hackers/2005/Apr-Jun/0000.html
--- End quote ---


I don't think Microsoft were targeting scanners with this patch. I don't think they were targeting anything. However, I think they have been very irresponsible. If you have a look around at MS05-019's known issues you will notice that there is no mention of it breaking raw sockets. Not only have Microsoft disabled a feature important to certain people, but they have also broken it without mentioning anywhere that it will do so. Microsoft may be working harder to get a reputation for being secure; however, once again they have tainted their reputation with the security community.

Is there a third party patch for the bug that does not break raw sockets?
