Author Topic: To patch or not to patch?  (Read 1936 times)

Duo Maxwell

  • VIP
  • Member
  • ***
  • Posts: 98
  • Kudos: 232
    • http://www.homepage.mac.com/duo_maxwell1/
To patch or not to patch?
« on: 28 April 2005, 12:42 »
http://www.zdnet.com.au/news/security/0,2000061744,39189587,00.htm

Quote
Microsoft plays tag with 'raw sockets'      
By Renai LeMay, ZDNet Australia      
 27 April 2005      

Microsoft's continued disabling of a Windows XP TCP/IP feature has prompted a security guru to claim Redmond was asking his peers to "pick their poison".

          Microsoft is using a new patch to block sending data via "raw sockets", a technique the security community uses to analyse otherwise inaccessible data, prompting one expert to e-mail his peers: "Pick your poison: Install [the patch] and cripple your operating system, or ignore the hotfix and remain vulnerable to remote code execution and Denial of Service (DoS)."

Raw sockets are a little-known feature of the TCP/IP protocol on which the Internet runs. The feature is heavily relied upon by security professionals as it allows them to bypass certain controls to create more customised TCP/IP packets and analyse Internet data.

The software giant first tried to block the use of raw sockets with the release of Windows XP Service Pack 2 in August last year, claiming the feature could be used to launch denial of service (DoS) attacks. A subsequent workaround devised by the security community has been disabled by the new patch.

Only known as 'Fyodor', the author of the widely-used network scanning tool Nmap -- which uses raw sockets extensively -- said Microsoft's latest move was not aimed at stopping DoS attacks and packets being sent with a forged-source Internet address, as the heavyweight claimed.

Rather, it had to do with deficiencies in Windows' security architecture, he wrote in an e-mail to his 23,000-strong list.

"I know that some of you have been avoiding SP2 to keep your system fully functional," he said. "Now they [Microsoft] have quietly snuck the raw sockets restriction in with their latest critical security patch [MS05-019]."

"Microsoft claims the change is necessary for security," Fyodor said. "This is funny, since all of the other platforms Nmap supports (eg Mac OS X, Linux, the BSD variants) offer raw sockets and yet they haven't become the wasp nest of spambots, worms and spyware that infest so many Windows boxes."

A Microsoft spokesperson was unavailable for comment at the time of publication.

Orethrius

  • Member
  • **
  • Posts: 1,783
  • Kudos: 982
Re: To patch or not to patch?
« Reply #1 on: 29 April 2005, 01:46 »
The age-old story: security through obscurity.  It doesn't work; not now, not ever - because hackers are inherently curious.  If you think they're stopped by the threat of losing their EULA rights, you've got another thing coming.  It's sad that Microsoft feels the need to block  scanners to conceal their shortcomings.

Proudly posted from a Gentoo Linux system.

Quote from: Calum
even if you're renting you've got more rights than if you're using windows.

System Vitals

Kintaro

  • Member
  • **
  • Posts: 6,545
  • Kudos: 255
  • I want to get the band back together!
    • JohnTate.org
Re: To patch or not to patch?
« Reply #2 on: 29 April 2005, 07:27 »
Only known as 'Fyodor', the author of the widely-used network scanning tool Nmap -- which uses raw sockets extensively -- said Microsoft's latest move was not aimed at stopping DoS attacks and packets being sent with a forged-source Internet address, as the heavyweight claimed.

Rather, it had to do with deficiencies in Windows' security architecture, he wrote in an e-mail to his 23,000-strong list.


Anyone have a copy of that email?

KernelPanic

  • VIP
  • Member
  • ***
  • Posts: 1,878
  • Kudos: 222
Contains scenes of mild peril.

Kintaro

  • Member
  • **
  • Posts: 6,545
  • Kudos: 255
  • I want to get the band back together!
    • JohnTate.org
Re: To patch or not to patch?
« Reply #4 on: 29 April 2005, 12:38 »
Quote from: KernelPanic
http://seclists.org/lists/nmap-hackers/2005/Apr-Jun/0000.html


I don't think Microsoft were targetting scanners with this patch. I don't think they were targetting anything. However I think they have been very irresponsible. If you have a look around at MS05-019's known issues you will notice that there is no mention of it breaking raw sockets. Not only have Microsoft disabled a feature important to certain people, but they have also broken it without mentioning anywhere that it will do so. Microsoft may be working harder to get a reputation for being secure, however once again they have tainted there reputation with the security community.

Is there a third party patch for the bug that does not break raw sockets?

toadlife

  • Member
  • **
  • Posts: 730
  • Kudos: 376
    • http://toadlife.net
Re: To patch or not to patch?
« Reply #5 on: 3 May 2005, 03:40 »
In case you guys were wondering where all this bullshit raw socket hysteria has come from, it came from self-professed "security guru", Steve Gibson.

Disabling RAW sockets on Windows XP was completely uneccessary, and will accomplish nothing int he way of security. Steve has been badgering Microsoft for years to disable RAW sockets in XP, and for years Microsoft stood up to him (correctly I might add) and refused, but for some unknown reason, they caved in, and ended up breaking raw socket support with SP2.

I've actualy had the displeasure of arguing personally with Steve Gibson on Microosft's BETA SP2 mailing lists back in July 2004. The guy is about as clueless about network security as they come, and he has 'dis-educated' thousands - perhaps MILLIONS of people about computer network security.

If you want to know about the person behind all of the raw sockets bullshit, visit this site.
:)

M51DPS

  • VIP
  • Member
  • ***
  • Posts: 608
  • Kudos: 30
Re: To patch or not to patch?
« Reply #6 on: 3 May 2005, 21:26 »
Quote from: toadlife
Disabling RAW sockets on Windows XP was completely uneccessary, and will accomplish nothing int he way of security. Steve has been badgering Microsoft for years to disable RAW sockets in XP, and for years Microsoft stood up to him (correctly I might add) and refused, but for some unknown reason, they caved in, and ended up breaking raw socket support with SP2.


When microsoft decided to write service pack 2, it was all about security. They even sacrificed a bit of compatibility by changing the way windows handles memory. All of these new ideas are just a desperate attempt to be as good as the competition, even if it means implementing a few bad ideas, to make their product better overall. Most users do not care about raw sockets anyway. Of course, you do not see Apple disabling standard features just for a little more security....

Jenda

  • Member
  • **
  • Posts: 530
  • Kudos: 326
Re: To patch or not to patch?
« Reply #7 on: 3 May 2005, 23:26 »
Quote from: toadlife
If you want to know about the person behind all of the raw sockets bullshit, visit this site.

Cool. A personnal bashing site. I'd love to have a few like that...

toadlife

  • Member
  • **
  • Posts: 730
  • Kudos: 376
    • http://toadlife.net
Re: To patch or not to patch?
« Reply #8 on: 4 May 2005, 00:03 »
Quote from: Jenda
Cool. A personnal bashing site. I'd love to have a few like that...

It's very easy to do. Become a media whore, proclaim yourself to be an expert in an area that you have very little knowledge about, and then "educate" people on the said area.

Someone will set one up for you.:D
:)