Network Security NTBugtraq

Re: XP SP2 - Statement of the NTBugtraq list

Subject: Re: XP SP2 - Statement of the NTBugtraq list
Date: Tue, 10 Aug 2004 17:47:25 -0400
First Russ, very well said. It's refreshing to see someone who actually wants to wait to pass judgement on something from Microsoft these days.

That having been said, I'm not sure MS has put enough pressure on ISVs to produce SP2 compliant software. MS has spent more than 18 months working on SP2 and yet major vendors continue to have no clue about supporting it. Symantec is a great example. Their various and sometimes conflicting documents talk about updates being ready today (10 Aug 04) for retail products and depending on the rep you get Corp Ed products can either be patched now with a patch that is a pain to deploy (9.0.0.1400) if you're running v9 or wait up to 6 weeks for patches if you're running any build prior to 9. Furthermore, if you find the right rep at Symantec 9.0.1.1000 is available for download (though they had a corrupt version of the file out there for a while). Symantec has made no statements about Norton AV Retail prior to 2004 and I can assure you there are millions of people running their 2003 and 2002 versions who don't feel they should have to upgrade (whether they should or not is not in the argument here).

BTW, be prepared for a 90 minute call if you call Symantec. 80 on hold and 10 with the rep.

Other companies like AutoDesk have no documents that I can find containing XP and SP2 on their support site. How can they not at least have a document that says 'we're fully compatible'? We have 2 firms that use AutoDesk's products and so far we've seen no word from them. In fact AutoCAD LT 2005 doesn't even list SP1 as an option. I spoke with Brian Baker at AutoDesk and he was very helpful and is going to find out for me, but he didn't have any info at present instead first directing me to local resellers for info. If the resellers have it shouldn't customers be able to find it on the software company's web site?

Another problem is the poorly, IMHO, designed Windows Firewall. As a beta tester I voiced my concerns and recommended if they wanted it secure they'd have to do at least 2 things:

1) STOP creating admin accounts for every user at installation for workgroup/standalone systems;
2) Bind the WF to the IP stack like ISA is. If the firewall is stopped improperly then all IP traffic stops. They could even use some random text generator like Whois lookups have gone to to prevent the malicious or accidental turning off of the WF.


As it stands now with the file http://www.terabyte.net/temp/disable_xpsp2_firewall.reg any admin can disable the firewall and its related notifications. How long do you think it will be before some hacker creates a virus with this capability? Programmers I know say it's a simple thing to do and you and I both know no amount of warnings will keep some idiots from clicking Yes or Ok on a download. The file above can be installed with 2 clicks (the Run and the Yes button) and the WF is OFF and few general users would know enough to go looking to see.

Is SP2 a great upgrade? Absolutely. Is its new security solid enough to avoid being hacked? IMHO, no. Is it going to be a smooth upgrade? Yet to be seen. Could it have been smoother? If MS had pushed harder or even perhaps put more of the known problem software titles like all unpatched Symantec products in a popup that says "You have the following products that are not compatible with SP2. Please contact the vendor for an update." Then listed the corp phone number for each vendor. To stay off that list vendors need to show MS BEFORE the final build they will be able to support the final build on the day MS releases it to the public. If they miss the cut off for the final build they get embarrassed and perhaps they won't sit around on their hands next time around.

Note to ISVs: When MS releases a new SP or new OS, be ready. Customers don't like to wait. Big corporations may wait to deploy patches, but consumers don't like to wait and companies who sit around without a clue lose business.

Note to MS: Use some of that muscle the US claims you use too often against PC makers and make those ISVs toe the line or embarrass them into it.

Brian Bergin
Terabyte Computers, Inc.
Boone, NC USA



At 02:36 10 08 04 Tuesday, you wrote:
Ok, so I feel like I need to do this, hopefully it's understandable.

1. XP SP2 is the most significant security effort Microsoft has ever produced. Granted, it may not be a "silver bullet", or solve all problems, but it is significant in so many ways that we as a security community cannot fail to acknowledge it. I admire "discoverers" as much as the next, but before XP SP2 can be written off it will take many, many, vulnerability announcements.

a) IMO, this is the first time that Microsoft has put security over existing, and frequently used, features.

b) IMO, this is the first time that Microsoft has accepted the fact that their choice is going to lead to "some" incompatibilities.

c) IMO, this is the first time that Microsoft has taken a stand against ISVs who are definitely making money out of some features they (MS) made available to them.

2. I, at least, as NTBugtraq Editor, believe we, as the NTBugtraq community, need to stand behind Microsoft's efforts. That means we need to continue to endorse XP SP2 despite what problems have arisen or may arise (within obvious reason.) The media is only going to state the problems. They cannot appreciate, nor do they believe their customers are willing to pay for, stories about XP SP2 successes.

So, I want to hear from you, every one of you, regarding XP SP2 success or failure. Obviously, I want those stories in as much detail as you can provide.

There are, no doubt, some (many?) applications which will not be compatible with XP SP2. I say they represent Vendors who are not prepared to accept the responsibilities we've always felt they should have as reasonably security-minded Vendors. They've had lots of time to figure out how to make their apps compatible, and have *chosen* not to.

I offer any Vendor who feels Microsoft left them "in the lurch", regarding their problems with XP SP2, a forum to express their problems.

Equally, I offer all NTBugtraq subscribers a place to state the problems they are encountering with an ISV application.

It is extremely important for corporate environments to get XP SP2 deployed to all home systems running XP. Let's make sure the media has the right information.

Cheers,
Russ - NTBugtraq Editor



-----Original Message-----
From: Windows NTBugtraq Mailing List [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of Russ
Sent: Monday, August 09, 2004 6:07 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: XPSP2 for Corp/Dev released today


The full download of XP SP2 final was made available today via;

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx

This is the full 272MB download. Windows Update version will be "coming
soon".

Enjoy.

Cheers,
Russ - NTBugtraq Editor

-----
NTBugtraq Editor's Note:

Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
-----

