THE FIRST Patch Tuesday fix of 2009 put out by Microsoft addresses a dangerous security vulnerability in its Server Message Block (SMB) protocol, or so say some insecurity experts.
Microsoft says it believes that exploits are unlikely, rating patch MS09-001 at a three on its exploitability index scale. But researchers say users should not neglect to apply the patch, because a successful exploit would enable an attacker to execute arbitrary code or mount a denial-of-service attack without first needing to authenticate with a stolen password.
That's because the vulnerability exists in Netbios protocol ports, which are "almost always guaranteed to be open for Windows to function," according to Amol Sarwate, manager of Qualys' vulnerability research lab.
The patch is labeled 'critical' for Windows XP, 2000 and 2003, because those versions have Netbios enabled by default, but is tagged as only 'moderate' for Windows Vista and Server 2008, since those versions have Netbios disabled by default. Many corporate servers have Netbios ports open because those are used for performing remote management activities.
However, unless remote attackers can construct TCP packets that encapsulate malicious Netbios datagrams, most servers should not be terribly vulnerable, because Netbios is an unroutable protocol.
Unless of course the attackers are inside your firewall, on your LAN. µ
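The exposure described above comes down to three things an administrator can check on a host: whether NetBIOS over TCP/IP is enabled on each adapter, whether the NetBIOS/SMB ports are actually listening, and whether the MS09-001 update is installed. The following PowerShell audit is an added example, not code from the article or from Microsoft; it assumes a Windows host with the NetTCPIP module (Windows 8 / Server 2012 or later) and takes the update's KB number as a parameter, since the article only names the bulletin (MS09-001), not the KB identifier.

```powershell
# Audit a Windows host for the NetBIOS/SMB exposure discussed in the article.
# Added example; assumes Get-NetTCPConnection / Get-NetUDPEndpoint are available.
# The KB number for MS09-001 is not given on the page, so it is a parameter here.
function Get-NetbiosSmbExposure {
    param(
        # Placeholder: supply the KB article id that ships MS09-001 for this host.
        [string]$KbId = 'KB<MS09-001-KB-number>'
    )

    # 1. NetBIOS over TCP/IP per adapter.
    #    TcpipNetbiosOptions: 0 = use DHCP setting (default), 1 = enabled, 2 = disabled.
    $netbios = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            [pscustomobject]@{
                Adapter = $_.Description
                IPv4    = ($_.IPAddress | Where-Object { $_ -match '^\d+\.' }) -join ','
                NetBIOS = switch ($_.TcpipNetbiosOptions) {
                    1 { 'enabled' } 2 { 'disabled' } default { 'default (DHCP-controlled)' }
                }
            }
        }

    # 2. Are the NetBIOS / SMB ports actually listening?
    #    UDP 137/138 = NetBIOS name/datagram, TCP 139 = NetBIOS session, TCP 445 = SMB direct.
    $tcpListen = Get-NetTCPConnection -State Listen -LocalPort 139, 445 -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty LocalPort -Unique
    $udpListen = Get-NetUDPEndpoint -LocalPort 137, 138 -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty LocalPort -Unique

    # 3. Is the update installed? Match on HotFixID so a missing KB is a result, not an error.
    $patched = [bool](Get-HotFix | Where-Object { $_.HotFixID -eq $KbId })

    # Summarise in the article's terms: NetBIOS on and ports open means the host is reachable
    # from its LAN segment; unpatched on top of that is the case the patch is meant to close.
    $netbiosOn = @($netbios | Where-Object { $_.NetBIOS -ne 'disabled' }).Count -gt 0
    $portsOpen = ($tcpListen.Count + $udpListen.Count) -gt 0

    [pscustomobject]@{
        Adapters        = $netbios
        TcpListening    = $tcpListen
        UdpListening    = $udpListen
        PatchInstalled  = $patched
        LanReachable    = $netbiosOn -and $portsOpen
        NeedsAttention  = ($netbiosOn -and $portsOpen) -and -not $patched
    }
}

# Usage (run in an elevated session so Get-HotFix and the socket tables are complete):
Get-NetbiosSmbExposure | Format-List
```

If `LanReachable` is true and the host is not a file server or domain controller that actually needs these ports, disabling NetBIOS over TCP/IP on the adapter (TcpipNetbiosOptions = 2) and blocking 137-139/445 at the host firewall removes the exposure independently of the patch; where the ports are needed for remote management, restricting them to the management subnet is the usual compensating control.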
L'Inq
Network World
Q - I take your point, but I was more coming from the angle of 'maybe somebody found out how to pick the locks, crack the windows, knock the doors off the hinges, disable the alarm, etc.' Such flaws may have been deemed non-existent for years, until some evil jerk chipped in...
Dear Simon,
The example with the house you proposed doesn't stand ground. Because if someone broke into your house due to a wall falling off, that's really the builder's fault. I think this example is closer to reality.
Live happy!
Is that what you think, really? Everything is a major security risk given enough exposure and reason. From Linux to Mac, Netscape to Firefox, Wii to PSP, BMW to your coat - everything is prone to a security flaw.
If somebody broke into your house, would you sue the builders? If everybody started living in the same design of house as yours, you might start to question how secure your quarters are, but the risk has suddenly changed because of popularity, not the design of your house. And the blame for theft still lies with the thief.
Sure, there's a responsibility to the manufacturer, and it's within their best interests to make something as secure as possible, but with each new wave of security comes a challenge to some low life scum to crack it - otherwise Las Vegas would not have beefed up any security since the mid 50s.
Microsucks. ha. well done. really.
Nothing new here. Every Microsucks product made is a huge security risk. They should be sued for selling such defective products.