On Jul 5, 2006, at 11:37 PM, Eric Hattemer wrote:

Jim Thompson wrote:

I told him to not connect it to the Internet, because it would be
rooted in minutes.
http://www.realtechnews.com/posts/1511

It's ugly out there...

I haven't found a link to the original article or anything, but this
sounds largely absurd.  A statement like this requires many
qualifications.

First, Windows ME by some definitions can't be rooted, since it only has
one user.

You're going to argue semantics?

Second, any worms that might do any sort of automatic "rooting" almost
certainly do NOT apply to the dos-based versions of windows.  From
sarc.com about blaster worm:

*Systems Affected
<http://securityresponse.symantec.com/avcenter/refa.html#systemsaffected>:*
        Windows 2000, Windows NT, Windows Server 2003, Windows XP
*Systems Not Affected
<http://securityresponse.symantec.com/avcenter/refa.html#systemsnotaffected>:*
        Linux, Macintosh, OS/2, UNIX, Windows 95, Windows 98, Windows Me

Right, so what about the WMF vulnerability? Granted, you have to display an image (email attachment, web browser, etc), and this requires "user involvement", but still, dude.. Microsoft has already said that they wouldn't fix it.

http://securityresponse.symantec.com/avcenter/security/Content/18322.html

Running 98 or ME? Just click here: http://www.dslreports.com/forum/remark,15188688#15188722

Or the Music worm (including all variants)?

Or last year's "cursor/icon format" issues that allow remote code execution:
http://www.microsoft.com/technet/security/bulletin/ms05-002.mspx

(again, email attachments or web browsers are the typical avenues of restriction).

Or the HTML converter function issue present in *ALL* versions of Windows:
http://support.microsoft.com/default.aspx?scid=kb;en-us;823559

Or the ZIP file buffer over-run: (Win98 (with "Plus Pack"), ME and XP)
http://support.microsoft.com/default.aspx?scid=kb;[LN];Q329048

Or this: http://support.microsoft.com/kb/q274548/

Or this: http://www.microsoft.com/technet/security/bulletin/fq99-033.mspx

Or this: http://support.microsoft.com/kb/q238329/

Or this: http://support.microsoft.com/kb/q245729/

Or this: http://www.microsoft.com/technet/security/bulletin/MS06-015.mspx

Or this: http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx

To say nothing of anything containing an "ActiveX" component, or what loading the wrong Sony music CD might do to your machine.


This is true of most if not all non-self-inflicted and
non-browser-related worms.  If you can find me a worm capable of
automatically infecting a windows ME machine without user input, I will
be extremely surprised.  The best I've ever found is one that will
propagate to shared drives on the network that have manually turned on
read/write sharing on the root of the hard drive regardless of whether
they set a password on the share.  No sharing is enabled on windows ME
by default.

Or the five year old "UPNP" exploit. Granted, *Microsoft* didn't ship with UPNP enabled in WinME, but some OEM variants enable it (as well as the WinXP Internet Connection Sharing, which is also vulnerable.) Once again, you can remotely exploit this one (though no email/web browser is required...)

And though you can't run a remote exploit via this bug:
http://support.microsoft.com/kb/q275567/

Your 98/ME/NT4 computer won't stay on the net very long without the patch. (There are many others like this.)


If you turn on sharing to the root of your hard drive with read/write
without ever going to windowsupdate.microsoft.com, then you do deserve what you get. Otherwise, a default install of windows ME is relatively
safe.

Unless you read email or use the web browser.

Can you really recommend this stance to a *home user*?

Windows NT/2000/XP all were vulnerable to several classes of network
worms because they had retarded default security settings with open
ports for running services normal people would never need. All of these ports are firewalled by default in XP SP2, and almost all computers that
have been built since August 2004 have SP2 built into the
installation/restoral CD.  Until a worm comes out that hacks the
firewall itself (hasn't happened yet, but isn't impossible), all of
these XP SP2 machines are safe by default, and can only be hacked via
self-inflicted security holes (running randomly obtained exe files,
turning off the firewall, etc).

Unless, of course, the OEM enables the ports. Or something like "badpack3t" is modified to mount a remote exploit, rather than just BSOD-ing XPSP2. badpack3t leverages the remote desktop assistant, which is NOT firewalled in XP SP2's default firewall configuration.

And recommending "a hardware firewall" as a panacea is just... dumb. Yep, I'll say "dumb". They have their place, but they won't protect the casual home user against many (if not most) of the types of attacks illustrated above.

And then there is the whole Finjan debacle. Care to open that can of worms?

Jim
