Remember the Blaster worm?
Posted by AdvancedJon Newton in on September 12, 2003 at 12:01 PM



Remember the W32.Blaster.Worm that targets only Windows 2000 and Windows XP machines?

"At 11:34 A.M. Pacific Time on August 11, Microsoft began investigating a worm reported by Microsoft Product Support Services (PSS)," said the company delicately here. "The worm, W32.Blaster.Worm and its variants, exploits a security issue that was addressed by Microsoft Security Bulletin MS03-026. This worm also has the potential to exploit a similar issue that is addressed by Microsoft Security Bulletin MS03-039. These issues concern a vulnerability in the Remote Procedure Call (RPC) function."

Re-phrased, this meant an e-bug was on the loose - but only machines running Win2000 and XP would be affected. So, Get Patched Quick!

This is routine. Happens all the time. Merely enter 'Microsoft security flaw' or a similar phrase in your favourite search engine and see what comes up.

Every other day, it seems, Micro$oft - or someone else - finds yet another large security flaw which calls for the immediate download of a patch to fix it.

In fact, Microsoft security alerts are reaching 50 for the year and if for some reason you didn't know about any or all of these alerts, tough.

Now ........ Get ready for Son of Blaster !!!

"Companies are prepping to re-patch Windows systems to prevent a Microsoft vulnerability and the high likelihood of a second Blaster-like worm that could target the new security flaw," says George V. Hulme in InformationWeek here.

"Businesses have barely had a chance to catch their breaths following the frantic Blaster-related patching of security vulnerabilities in their Windows desktops and servers--not to mention fending off worm attacks. Now they're prepping to patch those very same systems again to prevent a similar Microsoft vulnerability and the high likelihood of a second Blaster-like worm that could target the new vulnerabilities Microsoft disclosed on Wednesday.

" 'We're going to have to patch again, we don't have any choice on this,' says Gene Fredriksen, VP of information security at Raymond James & Associates. He's readying his 'patch swat team' to get the job done as quickly as possible'."

The flaws Microsoft unveiled in Security Bulletin MS03-039 are remarkably similar to the security problems addressed by Security Bulletin MS03-026 released in mid-July, says Hulme. "Blaster used that vulnerability to infect tens of thousands of unpatched systems in early August."

Naturally, being the responsible corporate citizen that it is, Microsloth immediately moved to protect its users by alerting them through radio and TV broadcasts, and by taking ads in major newspapers and trade journals across the country.

Not.

A report by Todd Bishop in Micro$oft's home-town newspaper, the Seattle Post-Intelligencer, asks, Should Microsoft be liable for bugs?

Well, should it?

"Under different circumstances, this scenario might be a class-action lawyer's dream," says Bishop. "But the product in question is software, and the companies that make it claim special protections from liability through the licensing deals that come as a condition of using their programs."

"Those protections help shield Microsoft Corp. and other software companies from paying what could conceivably amount to billions of dollars in damages. But they're coming under increased scrutiny amid a rising tide of computer viruses, many of which exploit known flaws in popular Microsoft programs."

"It's crazy that Firestone can produce this tire with a systemic flaw and they're liable, whereas Microsoft produces an operating system with two systemic flaws per week and they're not liable," Bishop quotes Bruce Schneier, chief technical officer at Counterpane Internet Security and a longtime advocate of changing the software-liability rules, as saying.

Add to the debate the profits Microsoft earns from its lucrative Windows and Office programs, Bishop goes on, "and some users question why the company doesn't spend more to make its products more secure. Microsoft last week reported $8.4 billion in fiscal 2003 operating profit for its desktop Windows division alone."

But, he continues, "the software industry and some legal experts contend that to go after companies such as Microsoft over their product flaws would be to misplace the blame. After all, it's a criminal act - the unleashing of a virus - that turns the flaw into such a problem for computer users.

"For that reason, some want the government to make an example of the teenager arrested for allegedly unleashing one variant of the Blaster worm, which infiltrated computers around the world last month by exploiting a flaw in Microsoft's Windows operating system."

And, "We're all hoping he just gets pounded," says Jim Denison, owner and president of Seattle Micro, a computer support and sales company, quoted in Bishop's report. "The consequences should be very, very high. That's where I would lay the blame, more so than on Microsoft for writing an imperfect product."

His views are echoed by others in the story - including users.

So for the time being, the best way for consumers to protect themselves may be to watch for security alerts and download patches, Bishop concludes, "But even that isn't a perfect solution.

"It has been difficult for Microsoft to persuade some individual consumers to take the time to download and install patches.

"At the same time, hackers have demonstrated the ability to unleash a virus within a few weeks of a flaw's discovery, which is too quick for some companies."

He quotes Steve Larsen, CEO of BigFix, a California patch management company, as saying, "Most organizations will tell you, if they're honest, that it takes them six to eight weeks to deploy a given patch across a large organization without making it an emergency."

"If they drop everything else, they can probably do it a little faster."




User Comments

DMemberTheBeansprout
Date: September 12, 2003 @ 12:19 PM
The flaw in this statement is that a flaw in software isn't really a flaw until it has been exploited. For example, letting RPC have access to the net could be an advantage, for some obscure reasons.

Buffer overflows, on the other hand, are such BASIC parts of good programming, that it's hard to believe they are so often the cause of many problems.

With programmers being (mostly) overworked and underpaid these days, and software rushed to market without sufficient thorough testing, it's no surprise that buffer overflows keep slipping through.
DMemberseraphielx
Date: September 12, 2003 @ 12:28 PM
Dear Valued Microsoft Customer,

We are contacting you today to make you aware that we have released Microsoft Security Bulletin MS03-039 today, September 10, 2003. This bulletin details three critical vulnerabilities in the Windows operating system and provides instructions for applying the corresponding patch. While there is currently no active exploit of this vulnerability, if successfully exploited, these vulnerabilities would allow an attacker to gain control of the target system.

We strongly encourage you to obtain and deploy this patch to any affected system that connects to your network; this includes systems on your local area network and remote or mobile systems. For the most current information on affected systems and recommended remediation steps, please read the bulletin posted at: http://www.microsoft.com/technet/security/bulletin/ms03-039.asp

We understand the potential effect this situation and the recommended remediation steps may have on you. Microsoft is committed to providing you with information and tools to help run your enterprise safely and reliably on an on-going basis. When we become aware of vulnerabilities, it is our goal to quickly share protection and remediation information and work in partnership with you to eliminate these kinds of threats to your business. In order to help protect your computing environment from security vulnerabilities, we strongly encourage you to visit http://www.microsoft.com/technet/security/protect and implement the following three steps in your enterprise:

1. Verify firewall configuration. Audit Internet and intranet firewalls to ensure they comply with your security policy; these are your first line of defense. In addition, evaluate using host-level firewalls such as the Internet Connection Firewall in Windows XP. This is especially important for systems such as laptops and home PCs that connect to your network remotely.

2. Stay up to date. Use update services from Microsoft to keep your systems up to date.

. Automatic Updates, available on Windows XP, Windows 2000 SP3 and SP4, and Windows Server 2003. Automatic Updates works with the Windows Update Web site to automate the process of updating Windows systems.

. Software Update Services (SUS), a patch-distribution server available for download from our Web site. SUS enables you to deploy a server in your business that Automatic Updates clients will use to get only approved and tested patches.
In addition to using these update services, we strongly recommend that you subscribe to Microsoft's free security notification service at http://www.microsoft.com/securitynotification, so that you are proactively kept aware of new security issues.

3. Use and keep antivirus software up-to-date. Antivirus software programs will help protect your systems against many viruses, worms, Trojan horses, and other malicious code. To protect your systems from new viruses, it's also important to obtain up-to-date antivirus signatures through a subscription service from the antivirus software vendor. You should not let remote users or laptops connect to your network unless they have up-to-date antivirus software installed. In addition, consider using antivirus software in multiple points of your computer infrastructure, such as on edge Web proxy systems, as well as on email servers and gateways.

You should also protect your network by requiring employees to take the same three steps with home and laptop PCs they use to remotely connect to your enterprise, and by encouraging them to talk with friends and family to do the same with their PCs. To make this easier, we have set up a new Web site to assist PC users at http://www.microsoft.com/protect.

Again, we want to encourage you to read this security bulletin and deploy the patch to your systems. We want to thank you for your patience and work with you to protect your business from these kinds of security threats.



Thank you,

Microsoft Corporation


For information about Microsoft's privacy policies, please go to http://www.microsoft.com/info/privacy.htm
DMemberseraphielx
Date: September 12, 2003 @ 12:29 PM
got to love news letters :)
Advancednewjon
Date: September 12, 2003 @ 12:32 PM
"We want to thank you for your patience and work with you to protect your business from these kinds of security threats."

heh. Nice one!
DMemberRipandburn
Date: September 12, 2003 @ 12:35 PM
Disturbed Singer Blasts RIAA Lawsuits
Fri Sep 12, 5:00 AM ET

LAUNCH Radio Networks

Disturbed lead singer David Draiman thinks that the music industry should figure out how to distribute music on the Internet, instead of suing people who download songs.



Draiman told the San Francisco Chronicle, "This is not rocket science--instead of spending all this money litigating against kids who are the people they're trying to sell things to in the first place, they have to learn how to effectively use the Internet." Draiman asserts that the actions taken by the Recording Industry Association of America (RIAA) are protecting corporate profits, not artists: "For the artists, my ass...I didn't ask them to protect me, and I don't want their protection."


On Monday (September 8), the RIAA filed suit against 261 people--including a 12-year-old girl--who allegedly had more than 1,000 music files on their computers. The RIAA is charging them with copyright violation, seeking as much as $150,000 per violation in some of the cases, and hopes that the lawsuits will help put the brakes on file-sharing.


Disturbed will appear in a documentary called Get Thrashed, due out before the end of the year, which will examine the thrash metal scene of the '80s and its impact on today's heavy rock bands.


A DVD of last spring's Music As A Weapon tour, featuring Disturbed, Chevelle, Taproot, and Unloco, is tentatively scheduled for release on October 22.

DMemberindieWarriors
Date: September 12, 2003 @ 12:38 PM
Beansprout

You hit the nail on the head. :-)
I should be taking diazepam and xanax and the jolt isn't helping me calm down LOL
AdminCodeWarrior
Date: September 12, 2003 @ 12:45 PM
I've used M$ OSes since Windows first came out. Windows has never reached a "Golden Master" status..it is constantly beta code, that has more patches than a 1955 Chevrolet original innertube.

I've done tech support of Wintel Boxes as well as Mac Apple Machines...the Macs tend to win on ease of use, stability, and elegance of interface, hands down.

But isn't this kinda OT to the RIAA issue?
DMemberTheLateJC
Date: September 12, 2003 @ 1:00 PM
From The Age in January...

"Microsoft failed to patch own software against worm"
Microsoft Corp itself was exposed to the virus-like attack that crippled global internet activity last weekend because it failed to install crucial fixes to its own software on many of its own servers.

http://www.theage.com.au/articles/2003/01/29/1043534095219.html
Hehehe...

And more recently...
A few days ago in the Financial Times...
A software fix issued recently to repair one of the more embarrassing flaws in Microsoft's Windows operating system has failed to deal with other, closely-related problems

http://news.ft.com/servlet/ContentServer?pagename=FT.com/StoryFT/FullStory&c=StoryFT&cid=1059479730570


Ahhh, trustworthy computing... I use Linux, no-one specifically trusts it, which is why it's so damn solid and secure ;)
AdminCodeWarrior
Date: September 12, 2003 @ 1:11 PM
Also, one of the problems is that the Microsoft engineers, come up with ideas that they think would be just so cute and convenient, that essentially render the OS more buggy and bloated.

For example, DCOM, most people don't and shouldn't use DCOM that are using XP, but the engineers just thought it would be so cool to enable this "feature". To find out how to disable DCOM (which you should do) go to:
http://www.grc.com/dcom

~code
DMemberTheBeansprout
Date: September 12, 2003 @ 1:14 PM
Thanks indieWarriors :)

And code, I guess it is O/T, but it's good to inform people of new vulnerabilities wherever possible.

Of course, this whole news item was a hint to any coders passing by this site to code a blaster which will DNS the RIAA :)
DMemberTheBeansprout
Date: September 12, 2003 @ 1:16 PM
Argh, Code, grc.com is awful! Don't ever recommend that site! It would probably make the average user so paranoid as to think that they need a heavy lock, padlock and anchor around their PC to protect it!
AdminCodeWarrior
Date: September 12, 2003 @ 1:26 PM
sorry Beansprout..but Steve Gibson's site was the only one I knew that had the DCOM disable program. Steve's progz are written well and are small.
I personally don't do the updates from WIN-DOH$ because, contrary to what some say about it being safe, I have read that packet analysis of the automatic updates, do include info on the contents of your box, and it just is not Gates' business what I run on my drives!
DMemberTheBeansprout
Date: September 12, 2003 @ 1:41 PM
No probs, Code. Gibson's programs are indeed small and quick. I direct newbies at them at times.
However, he is not all he is piped up to be. His own ShieldsUP! tool can be easily made to produce DOS attacks. I could go on and on and on, but it's so horrendously O/T! www.theinquirer.net and search for "Steve Gibson", if you want to read some more.
Intermediatewet1
Date: September 12, 2003 @ 1:46 PM
I don't know about you folks but I have always had a problem with software folks. What I am talking about is this.

If you went to buy a car and it had square tires on it, would you buy it? If you bought it new and it broke down the next day, would you be happy with your purchase?

Yet we commonly accept the idea that it is ok for a software vendor to rush his product to market, knowing it is not complete. The attitude that we will publish a fix later is rampant throughout the industry. Why should we accept their rush for the money to buy an incomplete product?

Microsoft knows that its product is ungainly, full of holes, and worse their paranoia of protection of the softwares at all cost is what has put the consumer at risk so often.

Yesterday, I downloaded those patches. Only when I went to reboot, the computer failed to do so. Going to the "safe mode" was the only way to get it started so that I could even attempt to make corrections. Yes, it is a legal and licensed copy. Only by removing the downloads and reverting to the previous day could I regain control of the pc.

What a product....
DMemberhangtogether
Date: September 12, 2003 @ 1:59 PM
It's nice that MS gives its customers all those extra little goodies. Security flaws and patches that break as many things as they fix make the Windows experience much more exciting and adventurous. Thank God for monopolies!
DMemberTheBeansprout
Date: September 12, 2003 @ 2:02 PM
The problem with PCs is that there are billions of possible combinations, which are never ever the same. So it's impossible to ever make things completely secure. Even relatively embedded systems such as the PS2 can be hacked!

But as I say, it's bad programming methods that cause everything. I don't think I've ever seen a website that conforms to the W3C standards, for instance. And buffer overflows are rampant. As for "easter eggs" hidden in software, any programmer who has a bug found in his section but who has also coded one of these eggs should be fired immediately. As should any sysadmin who had port 135 open to the outside world.
DMembertheoutsider
Date: September 12, 2003 @ 2:43 PM
Why can't these people create a virus that will take out all of the RIAA's computers??? Personally I use a Mac which means that when all the wintel users were pulling out their hair, I was sitting back enjoying a large Espresso @ starbucks. The main point here my friends is that the windows operating system has had so many flaws in it from the get go.. I mean the only good Micro$oft os was Dos.. which pretty much sucked A$$. I unfortunately have to use a windows 2000 based computer @ my school and i find that the whole system is down every day if not every other day... anyway if you want to start boycotting Microsoft then go to www.microsoftsucks.com
-O
RockgdZiemann
Date: September 12, 2003 @ 3:20 PM
So this is the solution to the whole RIAA problem.

1) The RIAA tells us that each mp3 file is uniquely identifiable by its "fingerprint."

2) Teach a worm to recognize RIAA songs as targets by comparing the "fingerprint" to files on each infected computer.

3) If they match, delete them.

The RIAA's music disappears from the Internet. Completely. Forever. Just like they asked for.
DMembergoingnova
Date: September 12, 2003 @ 4:00 PM
I use Win2K on this machine, but I only use this machine for internet connectivity (I don’t store important information on it). I went from Win95 directly to Win2k, and from the looks of WinXP, I’ll stick to Win2k. And I too agree this is an off topic article, but I don’t mind at all since I’m into developing software. I don’t condone what the Microsoft Corporation is doing. I don’t think they are concerned about anything but PROFIT$, but I’d like to mention something here that I don’t usually see anybody addressing. Before Microsoft took over the OS market, the Apple Corporation was attempting the same thing; only Apple computers were more expensive than the IBM or IBM clones. I argue that if it were not for Microsoft pushing their software so ferociously, I might not even have a computer right now. I believe prices for computer hardware would be higher than what it is today. I built my last IBM clone for $147. Not nearly top of the line, but it works fine for me just the same.

~goingnova
DMembergonorRIAA
Date: September 12, 2003 @ 5:33 PM
Fishing
DMembertasadar24
Date: September 12, 2003 @ 6:19 PM
Here's the thing about windows. My computer works perfectly with windows(crashes maybe once every 3 months) and I would use another system, but I mainly play games on my computer, and do not want to see computers turn into costly consoles...
DMembersharefile
Date: September 12, 2003 @ 7:22 PM
if you want a perfect example of microsoft programming at its best take a look at the xbox. that thing crashes more times a year than the total number of car wrecks in the US per year its really bad.

i run windows xp corporate (on my machine not this one which is my parents) and it runs perfectly, want to know why? its not connected to the internet and has never been touched by spyware adware any virus or windows update.
AdvancedPhantomGhost
Date: September 13, 2003 @ 12:15 AM
I get the Seattle P-I. I read this in print this morning. Well, Microsoft should be held liable for a lot of things...after all, it's their software, and it's screwing up.
IntermediatetheHERMlT
Date: September 13, 2003 @ 3:06 PM
just lucky for them that a worm doesn't exist that forces their computers to connect to a p2p and simultaneously upload/download songs from it. Imagine the chaos that would cause!!!

Just thank God that confusion doesn't exist.
© DMusic LLC