2024-03-29, 07:29 *
Welcome, Guest. Please login or register.

Login with username, password and session length
 
Pages: [1]
  Print  
Author Topic: MICROSOFT SUCKS (WARNING: RANT)  (Read 9314 times)
0 Members and 1 Guest are viewing this topic.
Dr. Jones
 

Team Member
Tank Commander
********
Posts: 167

WWW
« on: 2003-01-26, 15:15 »

Microsoft seems to have a habit of writing easily exploitable servers...

First, IIS (Internet Information Server -- MS' web server) is hit by destructive worms such as Code Red and Nimda... in the process of spreading to other computers, the worms hammer any web server in the IP range they're scanning, vulnerable or not.  This results in 4.5MB error log on my apache server, as it sees the exploitive URL request, and not being vulnerable, simply returns a 404 and logs the error, the idea being that if that were a valid page request by a user, the admin would look into it and perhaps fix a broken link.  However, any valid 404 errors that are being generated on my server are lost in the sea of repeated requests for "/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir", rendering the log files almost entirely useless.  to make matters worse, each infected server smacks me about 15 times in 3 seconds, and repeats the attack about once an hour.   Now take into account that i get about 4 infected servers a day hammering me.  got denial-of-service?

The thing that pisses me off most about this is that there are users out there with enough technical knowhow to run a web server, yet they can't keep the goddamn thing patched.  Code Red and Nimda are months old.  Actually I think Nimda is over a year old.  These virii should be dead now, except maybe in a few third-world countries where 486's are hot stuff.  However, I still blame Microsoft for not adequately educating their customers on protecting themselves from attack.  Instead, they just silently release a patch and hope it all goes away.

Now a vulnerability has been discovered in Microsoft's SQL server that is resulting in the spread of an exceedingly virulent worm.  This worm is spreading so fast and attempting to replicate so often that it is actually bogging down major internet backbones.  Loading the pages on these forums is taking me about 10 seconds per page, and sometimes requires me reloading a few times to even establish a connection.

Before any of you go scolding me, saying "Microsoft products are only attacked so often because they are the most common... i.e. more linux viruses would be running loose if more people used linux", Netcraft periodically surveys a large portion of web servers across the internet.  Apache holds over 60% of the market, with Microsoft a distant second at about 25%.  That's a big fscking gap.  Yet you never hear about Apache worms, do you?  That's because 1) Apache beta-tests their product first, and consequently httpd (the server itself) is more secure, 2) Apache is open-source, so developers world-wide can look at the code and see any potential holes for exploits.  Then, a hotfix can be built and released in minutes, 3) Apache administrators, including myself, are in general more responsible than IIS administrators, and when a hotfix or new version of the server is released, most of the servers are updated within a week.

Why can't Microsoft at least come close to this standard of product integrity?  Personally, I think it's because they're more concerned with short-term objectives, such as pleasing investors and making money.  Therefore they release products before they've been fully hammered on and all the wrinkles ironed out.  Then, when a problem occurs, they like to release a pay upgrade to fix the problem, which brings in more money, while people who might normally install a free fix won't pay for the upgrade and instead stay with a vulnerable system.  Also, Microsoft products lend themselves to a "set-and-forget" mentality with the administrators, so once a product is installed, it may be used for a year or more before it's upgraded, especially with government organizations.  I know when I worked for the Employment Development Department, our department's web server was running on NT 4.0 SP3 with IIS 3.0 well after Windows 2000/IIS 5.0 was released.  Personally, I check Apache's site at least once a month for updates, and once one is found, if it addresses any security issues or provides functionality i'm interested in, I download and install it.

Yup, that's right, I'm running Apache 1.3.27 (Apache 2.x is still considered beta and 1.x is still under development therefore I go with the more stable 1.x series), and have been running Apache 1.3.27 since about a week after it came out.  I'm also running PHP version 4.3.0, and again, installed it within a week of it's release.  Right now about the only insecure thing I'm doing is using PHP in executable mode rather than as an Apache module, and there have been no CERT advisories detailing vulnerabilities with the executable mode yet... it's just that theoretically if someone could access php.exe directly, they could execute any arbitrary PHP code, which is about as powerful as the DOS prompt.
« Last Edit: 2003-01-26, 15:20 by Lt. Phil » Logged
IEEE1394
 

Pinky
**
Posts: 34

« Reply #1 on: 2003-01-26, 16:41 »

I dont hate microsoft, sure they have made some crappy stuff like windows milenium edition, but in general i like their stuff.
Logged
Dr. Jones
 

Team Member
Tank Commander
********
Posts: 167

WWW
« Reply #2 on: 2003-01-26, 21:46 »

you don't play with their server stuff much, then, do you?

sure it's nice and easy to use, point-and-click this, setup-wizard that.

but imho, they spent too much time making their server applications look pretty, and not enough time on stability and/or security.  it is possible to make a secure, stable, and easy-to-configure server, it's just not as pretty.  Apache is a fine example of this.  Yes, the .conf files themselves are daunting when opened in notepad, however, there are a variety of Apache configuration frontends that nicely convert all the options into GUI elements, thereby making the configuration a snap even for first-timers, while not sacrificing stability or security.

the desktop application market and server application market are two completely different animals.  yes, windows and other microsoft applications dominate the desktop.  and with good reason... for 90% of the users out there, it does everything they want it to in an easy-to-use intuitive interface.  hell, lee has even called XP's default theme a "fisher-price interface".  however, microsoft does not understand the meaning of security, and while this has implications on the desktop market as well, the server market tends to scrutinize this much closer, hence why IIS trails Apache by nearly 40% in server market share.

unfortunately though, microsoft's apparent lack of concern for security impacts the desktop market in a big way, just not as noticeably.  remember "Universal Plug'n'Play"?  The service that was supposed to revolutionize "smart" home appliances, enabling them to communicate to/from your computer?  Well microsoft turned it on by default, and then it turned out to be nothing but a huge security hole in Windows XP.

       :ph34r:
Logged
IEEE1394
 

Pinky
**
Posts: 34

« Reply #3 on: 2003-01-26, 21:55 »

Yea they put more work in looks than in stability and security, and no i dont work with their server stuff, so i cant say anything about that.
Logged
Lilazzkicker
 

Beta Tester
Quad God
**********
Posts: 571

WWW
« Reply #4 on: 2003-01-26, 22:13 »

Lol, if i could dl Linux in under a month i would.....but such a huge dl....
btw what is Apache
Logged
ReBoOt
Mean ol Swede
 
Team Member
Elite
****
Posts: 1294

WWW
« Reply #5 on: 2003-01-27, 00:01 »

Apache is a webserver.
Logged
Dr. Jones
 

Team Member
Tank Commander
********
Posts: 167

WWW
« Reply #6 on: 2003-01-27, 00:32 »

ya, Apache is a web server, and PHP (PHP: Hypertext Preprocessor -- a recursive acronym) is a scripting language.  SQL stands for "Structured Query Language", and describes a standard protocol for a database server.  however, many vendors have released their own implementations of SQL, such as MS SQL, MySQL, mSQL, and PostgresSQL, each with their own proprietary additions that provide extra functionality, but are not compatible with other SQL servers.  the recent attack that has clogged many internet backbones uses an exploit in MS SQL, and is what started my rant in the first place.  the worm takes advantage of a vulnerability found only on MS SQL servers.

Lilazzkicker: for $4 (to cover cost of CDs and shipping) i could send you a copy of Slackware Linux 8.2 with the extras discs.  if you wanted another distro of linux, i could download and burn it for you for an extra buck or two.
Logged
Lilazzkicker
 

Beta Tester
Quad God
**********
Posts: 571

WWW
« Reply #7 on: 2003-01-27, 02:16 »

:ph34r: Aight, give me a week to set up checking account and paypal account, then i will be able to send the money, lol, and of course once it is up, i can send the money, till then right
Logged
WolfCub
 

Pinky
**
Posts: 30

WWW
« Reply #8 on: 2003-01-27, 03:35 »

M$ was ghey enough to show up and presend WINDOWS at LINUX WORLD. Omg, M$ needs to get a life.
Logged
OoBeY
 
Hans Grosse
*******
Posts: 299

« Reply #9 on: 2003-01-27, 05:03 »

sigh, wolfcub...

http://www.penny-arcade.com/view.php3?date=2002-07-22
Logged
dev/null
 
Banned
Vadrigar
**********
Posts: 607

« Reply #10 on: 2003-01-27, 16:42 »

Was that an attempt to make people feel like Trekkies for putting M$? Because if so, I've been missing out...

Anyways, I use Windows 2000 Pro on all of my computers, which is probably the most stable Microsoft OS there is. I actually used to use Linux for my LAN server when I was on dial-up, sadly though my satellite's software doesn't support it Slipgate - Sad
« Last Edit: 2003-01-27, 16:46 by dev/null » Logged
Dr. Jones
 

Team Member
Tank Commander
********
Posts: 167

WWW
« Reply #11 on: 2003-01-27, 22:04 »

Quote from: dev/null
Anyways, I use Windows 2000 Pro on all of my computers, which is probably the most stable Microsoft OS there is. I actually used to use Linux for my LAN server when I was on dial-up, sadly though my satellite's software doesn't support it Slipgate - Sad
have you tried running the satellite software under WINE in linux?  or was your linux box cmdline-only?

Yes, I use Win2K Pro on my computer, and my server alternates between Win2K Pro and Linux (HD swapping), depending on whether I want it to be a game server (win2K) or a real services server, i.e. web server, file server, etc. (Linux)

I use slackware 8.1 right now...

[edit] Lil, I said I'd send you slackware 8.2, however, I goofed.  slackware 8.2 is rather nonexistent.  I guess it comes from the year or two I played with Mandrake 7.2, so the point two part stuck in my head.  I can still send ya slackware 8.1 though  Slipgate - Wink [/edit]
« Last Edit: 2003-01-27, 22:10 by Lt. Phil » Logged
Pages: [1]
  Print  
 
Jump to: