Posts tagged ‘fix’

Microsoft’s Seven Year Delayed Patch - The Saga Continues

You might have thought that with Microsoft’s “Patch Tuesday” fix of the seven year bug, things would be over.  And in a more perfect world, they would be.  Unfortunately we don’t seem to live in that more perfect world.

The problem is, according to sources like Metasploit, it ain’t over yet.

“The MS08-068 patch addresses this attack only in the case where the attacker connects back to the victim,” says Metasploit.  In fact, Metasploit goes on to say, “The patch does NOT address the case where the attacker relays the connection to a third-party host that the victim has access to.”

And since this is quite possible to do, it basically means that Microsoft’s “fix” amounts to nothing against any dedicated attack.

So what does Microsoft have to say about it?  Well, let’s take a gander over here, where Christopher Budd speaks.

Let’s see. “At a high level, the behavior that was discussed in the original SMBRelay attack is related to some of the basic behavior of the legacy NTLM protocol.”  Okay, congratulations on being able to throw acronyms around.  “When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications.”  Well … yeah.  Obviously fixing the problem would mean changes to every application that uses the faulty code.  It’s a lot of work.  Something that should have been started right away, instead of being put off.  But why do that when you can procrastinate?

“We did say that customers who were concerned about this issue could use SMB signing as an effective mitigation, but, the reality was that there were similar constraints that made it infeasible for customers to implement SMB signing.”  So the workaround wasn’t actually feasible.  Microsoft’s own words here.  “As Mark notes in his post, implementing SMB signing is still an option and one that we ultimately recommend.”  Wait, so it’s not feasible, but it’s still the option that Microsoft recommends?  Even after releasing their “fix”?

“However, if you’re like me and remember the SMBRelay attack, you now have a protection option in case you can’t implement SMB signing: apply MS08-068.”  Oh, great.  The MS08-068 that according to Metasploit isn’t actually a fix at all because a hacker can work around it to still execute code remotely.

So let me get this straight.  Microsoft delays a fix to Windows for seven years because it would mean also fixing all of the affected networking clients.  Instead of just fixing it and fixing the clients too.  Their suggestion to people who are afraid of an attack by this route is to use an admittedly “infeasible” workaround.  And when, so much later, Microsoft finally patches the actual security hole, they don’t fully patch it, but just one approach to it.  So that hackers can still get around the patch.  So your options are to use a patch that doesn’t work, or to use an “infeasible” workaround?  And that’s after seven years!

Yep.  That’s security, Microsoft style.

Microsoft’s Patch Tuesday - Fixed Seven Year Old Bug

Microsoft Patch Tuesday, a day when everyone holds their breath in wonder.  Which bugs will be fixed today?  How will this affect our IT infrastructure?

Well, this one has a doozy!

A flaw in Server Message Block (SMB) has been fixed.  Yay!  But how long has this flaw really been known?  Well, Metasploit chalks it up to “Sir Dystic” at a hacking conference in 2001.  While elsewhere it is suggested that the original find is credited to “dildog” (AKA Christian Rioux of Veracode) even further back in 2000 at Defcon.

Either way, that’s an awfully long time to just sit on a critical security flaw.  Oh, sorry, Microsoft itself only labels the flaw as “important”.

I guess we should just be glad that it’s finally fixed.

Google G1 - Boneheaded Bug Fixed … Mostly

So you got yourself a fancy new G1 cellphone.  It’s so fancy!  It’s so intuitive!

It’s so fancy and intuitive in fact that it even thinks for you.

Like, say, if you were texting someone, and you were telling them how you had to reboot your computer at work, like magic, the fancy G1 would reboot itself upon seeing the word.  It’s that intuitive.

Yes, you read that right.  The G1 handset has a bug where it picks up on keywords you enter, say in texting someone, and operates itself according to those keywords.  So if you text the word reboot to someone, your G1 reboots itself.

Neat!

No, not really.

Even worse, if you had texted that to a server running Google’s Android like your G1 phone does, then that server would have rebooted too.  Or if someone knowing your phone’s flaws was just evil and vindictive, they could keep texting you the word reboot over, and over, and over, and over…

Fortunately Google has issued a fix.  Well, a partial fix it seems.  I guess Android isn’t built in a day.  Or fixed in one either.

Still, how in the world did this bug ever get past testing?  And who even thought this was a useful feature anyway?

One Bad Apple Ruins The Bunch

What do you get when you find a serious security vulnerability for the Apple Macintosh operating system (Mac OS), like, say, DNS cache poisoning? You get a long wait where nothing gets fixed. Followed by a fix that doesn’t really fix.

Yes, that’s right. Famed security of the Mac fails once again when put up against real-world situations.

Starting their work on the 8th of July, Apple sat around releasing nothing while Microsoft, Cisco, Ubuntu and the Internet Systems Consortium patched their ends of things. Meanwhile, hackers exploited the vulnerability to redirect web surfers to malicious websites without the surfers having any idea that they had been delivered somewhere nasty. Apple twiddled their thumbs and ignored the danger.

Only now has Apple finally updated their part of a cross-vendor patching effort by updating the Berkeley Internet Name Domain (BIND) DNS software used by Apple Mac OS. Well, Apple patched the server versions of Mac OS X anyway. Client versions (or in other words pretty much every Apple Macintosh out there) are still vulnerable. So say both nCircle and the SANS Institute, who tested Tiger (10.4.11) and Leopard (10.5.4) for the fix, and failed to find it. Oops. Bad Apple. Bad!

So what does this mean? Well, it means Mac owners should be darn careful for the time being. It also means that yet again Apple fails to be secure. It’s getting harder and harder for Mac enthusiasts to live in their little bubble world where they can pretend that Macs are the safest computers out there as the world keeps proving time and again that they just aren’t.

Meanwhile, what is Apple doing over there? Probably working on their new iPhone and MobileMe problems, because we all know just how Apple gets their bread buttered these days.

With Insecurity And Injustice For All

The world is a scary place. The internet is no different. Everyone is out to get you. Everyone wants to hurt you. And they’re always thinking up horrible new methods to do it.

Okay, so yeah, that’s just a tad over the top. No, life isn’t really that bad. But yes, there really are hackers out there in the world trying to be mean and nasty.

Just ask Adobe. What is more internet than Adobe’s Flash providing all sorts of goofy little Flash applets all over the intarweb? Well Symantec has found a weakness in it. An exploited weakness. With at least 20,000 web pages found to carry links to a site that hosts malicious Flash applets that exploit the weakness. Not good. Fortunately, it’s only Adobe’s own Flash Player stand-alone application that is vulnerable. Internet browsers like Internet Explorer, Firefox, et cetera that support Flash plug-ins aren’t vulnerable. They’re safe. Still, not such a great moment for Adobe.

Speaking of the internet, what about one of the biggest ISPs out there, Comcast? Well just a couple days ago, for a mere few hours, Comcast.net was hacked by a couple of losers who redirected the webpage to one with text that read, “KRYOGENIKS Defiant and EBK RoXed COMCAST. sHouTz To VIRUS Warlock elul21 coll1er seven.” Wondrous stuff that. Just the hack of the ages there. Fortunately Comcast fixed everything by Thursday and is working with the police, even if they are stymied.

Still, a hack is a hack, and of all businesses out there to be well protected, you’d have thought one of the great cable ISPs like Comcast.net would have held up better than that. Oh well.

And speaking of ISPs and hacks, let’s jump across the pond to everyone’s favorite BT Home Hub wi-fi internet router, which has yet another security hole. When left on the default settings. You see, to keep stupidity from being a factor in hacking the device, the default administrator password was recently changed from “admin” to the device’s serial number. Each being unique and relatively harder to guess than “admin”, it seemed a fairly intelligent way to go. And since it’s stamped on the device you never have to go far to find where you wrote it down. Except that, according to GNUCitizen, it’s not actually all that difficult to request the serial number from the device over a network connection. Hmm. Not so brilliant then. Just yet another reason to change from the default settings to actually secure ones. Good advice for everyone out there, not just for BT Home Hub owners.

In fact, when was the last time you Windows users patched your bugs and holes? You naughty naughty lot. Automatic Updating should be fixing it for you. If you haven’t turned it off that is. Why do I ask? Well, according to a new study by Akamai, China and the US lead the way for denial of service and exploit traffic in 2008. Yes, that’s right. Exploits. As in your computer has a security hole the size of Texas that was fixed years ago, but because you don’t think updating is worth it, you got hacked and now hackers are sending out traffic from your computer. Goodness knows that the past years have seen a great number of really effective worms, viruses, and Trojans for Windows PCs. All of them with fixes. Have you updated your computer with those fixes? Because in the world of always-on-line high-speed internet, if you’re not part of the solution, you really are part of the problem. Update your PC today. With Windows it’s just as simple as turning on your Automatic Updates. Or clicking on that little Windows Update button. It’s never been easier. Protect yourself. Protect us all. Update your PC. Please!

So yes, hubs, computers, even cell phones can be hacked.

Cell phones?

Yes, that’s right, cell phones.

Such as a bug found in Motorola’s RAZR firmware that allows intentionally malformed JPG images to execute whatever code a hacker’s little black heart desires. Fortunately, after a year of working on it, Motorola finally has a fix. Yippee! Way to keep on top of things Motorola!

But all is not lost. It’s a scary scary world, but there are plenty of folks out there finding the security holes. And plenty of people fixing them. Or telling you how to protect yourself from them. It’s a scary place, but we’re here to help. If you let us. :)