April Security Meltdown

April exceeded all expectations for Microsoft security problems.

Microsoft issued over 100 security patches for their products in 2000 (that's about 2 a week). You'd think they'd have run out by now, but April's performance suggests 2000 was just a warm up. For the first time in a news article, we need an index!

Windows NT/2000 Security Blown!

This is BIG, very big. Several versions of SMBRelay, now available on the Internet, exploit a basic design flaw in Microsoft Networking authentication. The vast majority of Windows 95/NT/2000 systems are vulnerable, and since this is "by design", not a bug, it isn't going to be easily fixed.

The attacker places itself between a workstation and a server. The server thinks it is talking to the workstation and the workstation thinks it is talking to the server. The attacker simply forwards the server's authentication challenge to the workstation and the workstation's answer back to the server, and is logged in with the user's privileges without ever learning the password; it also keeps the captured challenge/response pairs and sends them to its master for cracking at leisure. Microsoft's fix is NTLMv2 authentication with SMB message signing turned on (a relay that never learns the user's password hash cannot sign the session, so a server that insists on signatures rejects it), but it can be disruptive and difficult to deploy. The only other fix is to block TCP port 139 (and 445 on Windows 2000), which disables SMB altogether and will probably break important software packages.


Microsoft Networking is derived from IBM's old PC Network (you didn't think Microsoft came up with it all by themselves, did you?) and uses a protocol called SMB (Server Message Block). It was a weak network to start with, designed for very small offices, and Microsoft has added endless layers of Band-Aids and baling wire to keep it alive. On your Windows system it shows up as "NetBIOS", the session interface SMB runs over.

This network should have been scrapped many years ago, but one of Microsoft's big selling points is backwards compatibility. Many DOS/Windows software packages require it. Its importance is exemplified by the popularity of Samba, which allows a Unix / Linux server to act as an SMB server that looks like a Windows NT server to Windows workstations.

Microsoft's fix is difficult to deploy unless the network is entirely Windows NT with Service Pack 4 or later and Windows 2000; older clients do not speak NTLMv2. We expect millions of networks won't be fixed for years, and will remain vulnerable. If yours isn't cracked, it'll be because the script kiddies just couldn't find time to get around to it.
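The exchange described above, as a toy simulation. This is an added example, not code from the original article and not SMBRelay's code. It assumes stand-in primitives (SHA-256 in place of MD4 for the password hash, HMAC-SHA256 in place of the DES-based NTLMv1 response and of the real SMB signature), and the names Server, Workstation, relay_attack and crack_offline are made up for the illustration. What it shows is that the response proves only "someone who knows the password saw this challenge", not "this connection belongs to that someone", so forwarding the challenge and the response is enough to be logged in as the victim; the same captured pair feeds an offline dictionary attack; and with message signing on, keyed on material derived from the password hash the relay never has, the server rejects the relay's commands.

```python
"""Toy SMB/NTLM challenge-response relay. Added example; stand-in crypto (see comments)."""
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    # Real NTLM: MD4 over the UTF-16LE password. SHA-256 is a stand-in (assumption).
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def challenge_response(pw_hash: bytes, challenge: bytes) -> bytes:
    # Real NTLMv1: DES over the 8-byte challenge keyed by the hash. HMAC is a stand-in.
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


def session_key(pw_hash: bytes) -> bytes:
    # Both honest ends derive the signing key from the password hash; a relay cannot.
    return hashlib.sha256(b"session-key" + pw_hash).digest()


def sign(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()[:8]


class Server:
    """File server: issues a challenge, checks the response, optionally demands signing."""

    def __init__(self, users: dict, require_signing: bool = False):
        self.users = users                    # username -> password hash
        self.require_signing = require_signing
        self.sessions = {}                    # session id -> signing key

    def challenge(self) -> bytes:
        return os.urandom(8)

    def authenticate(self, user: str, challenge: bytes, response: bytes):
        pw_hash = self.users.get(user)
        if pw_hash is None:
            return None
        if not hmac.compare_digest(challenge_response(pw_hash, challenge), response):
            return None
        sid = os.urandom(4).hex()
        self.sessions[sid] = session_key(pw_hash)
        return sid

    def execute(self, sid: str, command: bytes, signature: bytes = None) -> str:
        key = self.sessions[sid]
        if self.require_signing and (
            signature is None or not hmac.compare_digest(sign(key, command), signature)
        ):
            return "REJECTED: bad or missing signature"
        return "OK: " + command.decode()


class Workstation:
    """Victim client: answers whatever challenge the 'server' it connected to sends."""

    def __init__(self, user: str, password: str):
        self.user = user
        self.pw_hash = password_hash(password)

    def answer(self, challenge: bytes) -> bytes:
        return challenge_response(self.pw_hash, challenge)

    def signed(self, command: bytes):
        return command, sign(session_key(self.pw_hash), command)


def honest_login(server: Server, client: Workstation, command: bytes) -> str:
    chal = server.challenge()
    sid = server.authenticate(client.user, chal, client.answer(chal))
    cmd, sig = client.signed(command)
    return server.execute(sid, cmd, sig)


def relay_attack(server: Server, victim: Workstation, command: bytes) -> str:
    """Attacker sits between victim and server and never learns the password."""
    chal = server.challenge()            # 1. attacker connects to the real server
    resp = victim.answer(chal)           # 2. hands the victim that same challenge
    sid = server.authenticate(victim.user, chal, resp)   # 3. forwards the answer
    if sid is None:
        return "authentication failed"
    # (chal, resp) is also saved for crack_offline. Step 4: attacker's own command,
    # signed with a guessed key because it has no hash to derive the real one from.
    return server.execute(sid, command, sign(b"attacker-has-no-hash", command))


def crack_offline(challenge: bytes, response: bytes, wordlist):
    """Dictionary attack on a captured challenge/response pair."""
    for guess in wordlist:
        if hmac.compare_digest(challenge_response(password_hash(guess), challenge), response):
            return guess
    return None


if __name__ == "__main__":
    users = {"alice": password_hash("Summer2001")}   # constructed sample account
    alice = Workstation("alice", "Summer2001")
    print(honest_login(Server(users), alice, b"dir payroll"))
    print(relay_attack(Server(users), alice, b"copy payroll.xls"))
    print(relay_attack(Server(users, require_signing=True), alice, b"copy payroll.xls"))
```

Turning `require_signing` on changes nothing for the honest workstation, which derives the same key the server does, and turns the relay's fourth step into a rejection; port-blocking is the only other option on the page because the flaw is in what the response proves, not in any particular implementation.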

Windows 2000 / IIS 5.0 Wide Open!

OK, this is EVEN BIGGER, affecting at least a million on-line servers: every Windows 2000 Server, Advanced Server and Datacenter Server running IIS 5.0 (Internet Information Services). Microsoft is pleading with Web administrators to patch this vulnerability immediately.

A buffer overflow in the Web-based printing component (the Internet Printing ISAPI extension, Microsoft Security Bulletin MS01-023) allows hackers, crackers, script kiddies and spies to run code as SYSTEM, the highest privilege on the box, because the extension runs inside the Web server process itself. With IIS 5.0, Web-based printing is turned on by default. Exploits have already been posted on the Internet.


You just couldn't get much worse than this without posting your admin passwords on your Web site. It will likely result in millions more credit cards compromised. Yes, Microsoft has issued a patch, but their whole selling point is that you don't need skilled (expensive) administrators if you select Microsoft products. Many sites won't even hear about the patch, never mind apply it.

Running a secure Web site requires the same administration skills and the same amount of attention regardless of whether it's Windows or Solaris or Linux or what have you. Microsoft tries to hide this fact, and bosses tend to believe them, so Windows sites are always getting into trouble.

Insurance Goes Up for Windows

Insurance companies are now offering Web site owners insurance against hacker intrusion, defacement and data theft. Insurance underwriter Wurzler has just announced that premiums for Windows NT based sites will be 25% above the level for other platforms.

Wurzler admits this is a complex situation and actual security is controlled by the site owner, but says they must set their rates based on actual experience.


Microsoft IIS (Internet Information Server) running on Windows NT/2000 is used on about 20% of commercial Web sites, while Apache (running mostly on Unix / Linux / BSD) holds a 62% share. Despite this, about 55% of successful assaults are against Windows / IIS based sites. Set against market share (55/20 for IIS versus 45/80 for everything else), that makes a Microsoft based Web server roughly five times as likely to be successfully hacked as a Web server on some other platform.

These statistics give the lie to Microsoft's oft repeated excuse, "If any other platform were as popular it would be just as vulnerable." Apache is far more popular, yet IIS is broken far more often.

So easy is it to knock over a Windows / IIS site, it carries no prestige in the hacker community. The script kiddies who defaced the Girl Scouts of America site felt it necessary to make excuses for attacking such an easy target. The defaced page is preserved for posterity at attrition.org.

It's not just script kiddies breaking into IIS sites, but real criminals after financial information, as exemplified by the "Russian Mafia" banking and ecommerce raids.

Now that the ice is broken, we expect other insurance underwriters to follow suit, and 25% is probably not high enough (see above). The added cost is sure to start factoring in to future platform decisions, and that isn't good for Microsoft.

Windows 2000 Even Less Secure than NT

Attrition.org keeps statistics on Web site defacements. It has noted a very rapid increase in the number of defaced sites running Windows 2000, faster than the deployment of Win2K itself.


The high incidence of defacement of Win2K Web sites is probably because IIS 5.0 (Internet Information Services) comes built in. IIS 5.0 has been plagued by a number of very serious security problems, and defaults to a rather insecure configuration. Well, so much for getting a lower insurance rate by using Win2K (see above).

A further factor is probably Microsoft heavily advertising that Windows 2000 is much more secure than Windows NT. Under some conditions it can be, but Web administrators are just trusting Microsoft's word and paying even less attention to security than with Windows NT.

Microsoft ISA Firewall is Flammable

Microsoft just announced their first major security product, ISA Server (Internet Security and Acceleration Server), a Web proxy and firewall product to protect corporate networks from criminals, hackers and script kiddies out there on the wild, wild Internet.

A major security flaw has already been found. A hacker can simply send an oversized request and crash the Web proxy service, cutting the corporate network off from the Internet until the service (or the whole server) is restarted. Repeat until patched.


Who would buy a firewall from the very company most noted for inattention to security? The sad fact is many businesses will. Many businesses have a policy of forbidding non-Microsoft products in any category where Microsoft has a presence.

I expect this is just the first of many successful exploits as ISA Server takes its place as a prime hacking target. It's really hard to have any sympathy for people who deploy this product.

Microsoft Distributes Funlove Virus

OK, to keep your Windows servers secure, you have to download security patches every week and install them. Well, the patches can be a security problem themselves, apparently. Microsoft patches posted between 6-Apr-2001 and 20-Apr-2001 were infected with the Funlove virus.


This isn't the first time Microsoft has distributed viruses, and it's not likely to be the last. Others have done the same (Hewlett Packard recently distributed printer drivers infected with Funlove). Microsoft does a pretty good job of keeping viruses out of their stuff, but with Windows so vulnerable in so many ways, it's bound to happen now and then.

Microsoft Caught Claiming Rights to Your Stuff

Their new .NET initiative is the key to Microsoft's future. A key element of .NET is "Hailstorm", a consumer oriented services package, and a key element of Hailstorm is an expanded "Passport", the service that currently controls access to HotMail. Passport is supposed to keep a central database of personal information for every user of the Internet and control secure transactions with other sites. In other words, it is Microsoft's central clearing house for .NET.

Umm... somebody actually read the Passport agreement HotMail users sign up to. Briefly, it stated that Microsoft had free and unrestricted rights to the use of anything that passed through the Passport service, regardless of patents, copyrights, or other legal niceties, and could use it any way and for any purpose they pleased.

In other words, if you sent the plans for your newly patented world beating gizmo through HotMail, Microsoft claimed the right to manufacture that gizmo in competition with you.

Details of this license were published by The Register and resulted in an international flap. Many patent, copyright and intellectual property law firms have banned the use of HotMail or any other Microsoft service for transmission of anything.

Many sites started refusing to accept and/or respond to mail coming through any Microsoft service, causing Microsoft to modify the license agreement, but only in the U.S. It remains the same in other countries.


I just don't see a problem here. Anyone who trusts Microsoft with anything has the space between their ears stuffed with styrofoam packing peanuts and deserves what they will most certainly get.

Sadly, when Microsoft starts deploying .NET, a huge percentage of the public will trust all their personal and financial information to a company that has proven over and over they can't be trusted. "Ethics? We've heard of them."

The GOOD News!

Scientists have determined that the Foot-and-Mouth Disease virus currently ravaging England and other countries is NOT, I repeat, NOT spread by Microsoft Outlook. Microsoft's legal department has expressed considerable relief. Due to its involvement with so many other virus outbreaks, Outlook had been a prime suspect. For details of the discovery see the original announcement.

And on Into May! The Homepage Worm

A new Outlook email worm, apparently written using the same virus writing kit used for the AnnaKournikova worm, ripped through many companies during the first week of May. Some companies had to take their email systems off line to clean up.


Oh, we are just so surprised.

- Analysis by Andrew Grygus


Most of these links are to The Register because that was easiest for me. The Register articles have links to other supporting pages.
  • The Register - Exploit Devastates WinNT/2K security.
  • Sir Dystic - technical details and code for SMB relay attacks.
  • The Register - Microsoft IIS hole gives System-level access.
  • The Register - Exploits for several million Microsoft servers posted.
  • The Register - Anti-Hacking premiums 25% higher for Windows NT.
  • Wurzler - an underwriter providing Web site insurance.
  • Attrition - The Girl Scouts hacked Web page.
  • The Register - The "Russian Mafia" credit card theft.
  • The Register - Win2K is even easier to deface than NT.
  • Attrition - Statistics on Web site defacement.
  • The Register - DoS bug bites Microsoft's first security product.
  • The Register - Microsoft distributes "Fun Love" virus.
  • The Register - The Passport license terms flap.
  • Troubleshooters.Com - Microsoft Passport License Dangers (contains more links).
  • Microsoft - new license terms (the "Feedback or Suggestions" section originally applied to everything passing through Passport).
  • Satire - Foot-and-Mouth Disease.
  • The Register - Homepage Net worm spreading like wildfire.

©:Andrew Grygus - Automation Access - www.aaxnet.com - aax@aaxnet.com