
I should rephrase that because I actually liked the headlines that InfoWorld used: Microsoft patches ‘super nasty’ Windows bugs.

I love it!

I’ll get back to that article in a minute. First, we need to address this update.

1. Yes you should get it!

2. Immediately!

Okay?

Seriously, the patch fixes two undisclosed vulnerabilities and one publicly disclosed vulnerability in the Microsoft Server Message Block (SMB) Protocol.

Now don’t let the name of the protocol fool you – this does not mean the patch is meant for servers only.

First, for those of you new to our blog and our education site, let me explain that a protocol is nothing more than a set of rules or ordered steps.  In computing, you use IP (Internet Protocol) all the time to surf the web. It’s the set of steps that your computer takes to make those necessary connections.  (And geekie people and techies, please don’t give me a lot of comments about this definition – it’s aimed at the beginners! I know what and how protocols are programmed – k?)

That being said, the SMB Protocol’s main purpose is file sharing, but that’s not all it does. (Are you surprised? NOT) It also covers: determining other Microsoft SMB Protocol servers on the network (network browsing), printing over a network, file, directory, and share access authentication, file and record locking, file and directory change notification, and a few more things I didn’t want to include because of the technical nature of what they do. (Geekie people and Techies: Please feel free to visit the overview at Microsoft’s Tech Net for more info!)

The first vulnerability in this protocol is – can you guess? - A BUFFER OVERFLOW! (Don’t even get me started again!)

The fix validates the fields in the protocol packets to prevent the overflow.  Microsoft programmers – how many more unchecked buffers are still there? Huh???

The next vulnerability, although billed as the SMB Validation Remote Code Execution Vulnerability, is nothing more than the same unchecked buffer. But in this instance, it’s Microsoft’s software not validating the size of the buffer before writing to it. (Now why does that totally NOT surprise me?)

And the final vulnerability is again related to the same unchecked, unvalidated buffer size, which in turn creates a Denial of Service vulnerability.
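To make "validating the fields" concrete, here is an added example (not part of the original post and not Microsoft's code) showing a packet parser without and with the size check. The message layout, the function names and the 16-byte buffer are assumptions made up for illustration; this is not the real SMB format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16  /* fixed-size destination: the "placeholder" */

/* Constructed toy message, NOT the real SMB wire format:
 * byte 0 = length the sender claims, bytes 1.. = payload. */

/* Unchecked: trusts the claimed length, so any value above 15 makes
 * memcpy write past the end of out[]. Shown for contrast, never called. */
int parse_unchecked(const uint8_t *pkt, char *out)
{
    memcpy(out, pkt + 1, pkt[0]);
    out[pkt[0]] = '\0';
    return pkt[0];
}

/* Checked: validate every field before writing a single byte. */
int parse_checked(const uint8_t *pkt, size_t pkt_len, char *out)
{
    if (pkt == NULL || pkt_len < 1)
        return -1;               /* no length field present */
    size_t claimed = pkt[0];
    if (claimed > pkt_len - 1)
        return -2;               /* claims more bytes than were received */
    if (claimed >= NAME_BUF)
        return -3;               /* too big for out[] plus its terminator */
    memcpy(out, pkt + 1, claimed);
    out[claimed] = '\0';
    return (int)claimed;
}

int main(void)
{
    char out[NAME_BUF];
    const uint8_t ok[] = {5, 's', 'h', 'a', 'r', 'e'};   /* constructed */
    uint8_t big[41];                                      /* constructed */
    big[0] = 40;
    memset(big + 1, 'A', 40);
    printf("ok  -> %d\n", parse_checked(ok, sizeof ok, out));
    printf("big -> %d\n", parse_checked(big, sizeof big, out));
    return 0;
}
```

The checked version rejects the oversized packet with an error code instead of copying it, which is the difference between a dropped request and corrupted memory.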

If you’re reading this and you’re one of my students from the hacking course, do you remember this problem? (Hint: Following Shirley Hacker)

Now, this whole mess causes a big problem for the users when someone sends you a packet with a huge amount of data inside that this buffer (or placeholder) can’t handle. I’ve used this example before repeatedly but you’ve experienced a buffer overflow when you tried to send too much information to print on your printer and you got page after page of one line filled with wingding type characters.  That’s because your printer didn’t know what to do with all the excess data so it got all confused.

It’s worse in the situation we’re talking about with the Microsoft packets because malware writers know how to put programming code inside those overstuffed packets that allows them to remotely access your computer. Instead of crashing, restarting, or spewing out junk like a printer, the overflow delivers a set of instructions to your operating system that allows this access!

So that is why I really feel it’s important that you get this update! If you do not have your auto-updates turned on, then go to the Windows update site and get this critical update: MS09-001 or click here: Microsoft Update Site.

Now that we’re done with all that, let me go back a minute to the InfoWorld article mentioned above.  Specifically, this one little paragraph:

“This is super nasty,” said Eric Schultze, the chief technology officer at Shavlik Technologies LLC, who also called today’s update “super critical” as he rang the alarm. “Expect to see a worm on this one in the very near future, [because] this is Blaster and Sasser all over again.”

My, my, my! Where have I heard that before? Let me see……oh yes! I remember now! I said it! No, actually, I predicted it in my Friday’s Quickie on December 12, 2008, only I stated it will be much worse than Sasser and Blaster, Mr. Schultze and InfoWorld!

2. There will be an IWMD (Internet Weapon of Mass Destruction) launched sometime during this year. It will be considered a mashup blended threat because it will take advantage of the security flaws in a multitude of web apps and will propagate through ad servers.

Enough said?



  • Many years ago, Microsoft issued a single patch that basically works well against new exploits and vulnerabilities. As a matter of fact, it was introduced in the DOS days when security wasn’t an extreme issue. Today, the utility suite is still in use.

    We should be thankful that Microsoft put their feet in the right direction and started its motion towards this direction. And today we should all show our appreciation for the format and fdisk tools by running them to install Linux. And there we’d have it. No more exploits, nor vulnerabilities within servers, or computers that run Microsoft =)

    Enjoy,
    Anthony.
