eWeek Security Watch
November 14, 2006 4:30 PM

Unpatch Day: Pay Attention to MS06-070



Microsoft's Patch Tuesday express has dropped off six security bulletins covering at least nine vulnerabilities (not counting the silently fixed ones). The IE and XML Core Services bugs are getting all the attention, but security experts are most nervous about MS06-070, which covers a nasty, wormable flaw in the Windows Workstation Service.

eEye's research team has posted an advisory with technical details describing how a remote, unauthenticated attacker could exploit the flaw over the Internet (on Windows 2000 SP4; see the update below for XP SP2). All the attacker needs is the target's IP address, which is exactly the raw material a network worm runs on. It's that serious.

eEye Chief Hacking Officer Marc Maiffret explains over IM:

The attack works like this: I need to know what computer I want to attack, so I need its IP address. I send malformed packets to that IP address to trigger a buffer overflow. Before that data is processed, the victim will connect back to our fake domain controller for verification and will process our malicious packet and execute code as SYSTEM.

It's a safe bet that exploit code will appear in the usual places in the coming days, so prioritize MS06-070 in your patch deployment, starting with any Windows 2000 SP4 machines whose Workstation Service is reachable from untrusted networks.
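As an added illustration (this is not code from eEye, Microsoft or this post), here is the kind of detection logic a defender could run over connection logs to catch the call-back pattern Maiffret describes: an inbound session to a workstation from an outside address, followed within seconds by that workstation opening its own outbound session to an outside address, which is where the fake domain controller sits. The log format, the internal address ranges and the use of TCP 139/445 as the SMB ports the Workstation Service RPC rides on are assumptions of the example; the log lines are constructed.

```python
"""Flag the MS06-070 call-back pattern in connection logs (added example).

Pattern: an outside host opens an SMB/RPC session to an internal workstation,
and that workstation then opens its own SMB session to an outside host (the
attacker's fake domain controller) within a short window. Ports, address
ranges and log format are assumptions; the sample log is constructed.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal ranges (RFC 1918); adjust to the real address plan.
INTERNAL = [ip_network("10.0.0.0/8"),
            ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]
# Assumption: Workstation Service RPC is reached over SMB on these TCP ports.
SMB_PORTS = {139, 445}
# How long after the inbound session we still treat an outbound one as linked.
WINDOW = timedelta(seconds=30)

# Constructed firewall log: "<ISO time> <src ip> <dst ip> <dst tcp port>".
# Lines 1-2 and 7-8 are the attack shape; 3-6 are benign traffic.
SAMPLE_LOG = """\
2006-11-14T16:30:01 203.0.113.9 10.0.5.21 445
2006-11-14T16:30:03 10.0.5.21 203.0.113.9 445
2006-11-14T16:31:10 10.0.5.40 10.0.0.10 445
2006-11-14T16:32:00 10.0.5.40 203.0.113.77 80
2006-11-14T16:35:00 198.51.100.4 10.0.5.33 445
2006-11-14T16:35:02 10.0.5.33 10.0.0.10 445
2006-11-14T16:40:00 198.51.100.4 10.0.5.33 139
2006-11-14T16:40:05 10.0.5.33 198.51.100.200 139
"""


def is_internal(ip):
    """True when the address belongs to one of the assumed internal ranges."""
    return any(ip in net for net in INTERNAL)


def parse(log):
    """Turn log text into (time, src, dst, port) tuples, skipping blank lines."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts),
                       ip_address(src), ip_address(dst), int(port)))
    return events


def find_callbacks(events, window=WINDOW):
    """Return one hit per inbound external SMB session that is followed, within
    `window`, by the same victim opening an outbound SMB session to any
    external address. The fake DC need not be the host that sent the trigger,
    so only the victim address is required to match."""
    events = sorted(events, key=lambda e: e[0])
    hits = []
    for i, (t_in, src, dst, port) in enumerate(events):
        # Trigger: external -> internal on an SMB port.
        if port not in SMB_PORTS or is_internal(src) or not is_internal(dst):
            continue
        victim = dst
        for t_out, s2, d2, p2 in events[i + 1:]:
            if t_out - t_in > window:
                break
            # Call-back: the victim itself reaches out to an external SMB server.
            if s2 == victim and p2 in SMB_PORTS and not is_internal(d2):
                hits.append({"victim": str(victim),
                             "trigger_src": str(src),
                             "callback_dst": str(d2),
                             "when": t_out.isoformat()})
                break
    return hits


if __name__ == "__main__":
    for hit in find_callbacks(parse(SAMPLE_LOG)):
        print("possible MS06-070 call-back:", hit)
```

Two of the constructed sessions match (the 10.0.5.21 and 10.0.5.33 workstations); the 10.0.5.33 session that reaches a real internal domain controller at 16:35 does not. A workstation has very little legitimate reason to initiate SMB toward the Internet, so the same observation also argues for blocking outbound 139/445 at the perimeter, which would break the call-back step even on an unpatched host.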

Patch Day this month is also noteworthy for what's *not* fixed. The most visible omission is the Visual Studio 2005 hole that's already the target of attacks. It's interesting that Microsoft was able to ship a fix for the XML Core Services issue in less than two weeks but has nothing yet for Visual Studio. There's also a swath of critical Excel bugs that are still unpatched.

UPDATE: In the comments, a reader correctly points out that the Workstation Service issue is rated critical only on Windows 2000 SP4. On Windows XP SP2 the flaw is not wormable, because the attacker must first authenticate to the target.


Comments (12)

Robby :

The Workstation Service vuln is only critical on Windows 2000 SP4. The attacker needs admin access on XP SP2.

GL :

Funny how eWeak leaves out those little details like it only affects Windows 2000 SP4 and XP SP2.

Robby, I updated the original entry to clarify that point. Thanks.

_r

Patrick C. :

From what I gather, any firewalled device (isn't that virtually all of them?) that does not have the workstation service exposed is also not affected. eEye are famous as salesmen for the possible but unlikely security breach.

ALS :

I'm just a novice, but most people using Windows XP SP2 have computer administrator rights. Without those rights, many programs won't work, because the user wouldn't have rights to run or launch applications, access files on the network, etc. So when setting up Windows XP on a PC, you always give users "Computer Administrator" rights.

That's why Microsoft has asked software makers coding for Vista to modify their programs so that users don't need administrator rights to use their software. When software vendors wrote programs to run under Windows XP, they just didn't understand "computer administrator" user rights, or didn't want to fix their programs, so when you called their tech support to tell them their program didn't work, they would just tell you to change your user level to computer administrator. So in my opinion, most Windows XP users are just as vulnerable to attack.

Bill N :

Why are these "security" alerts so broad stroked? I know no one can take the time to delineate every possible connection scenario, but if you know the Windows game you are always behind a hardware firewall as a minimum. If you are even more security minded than perhaps most, you're also multi-homed with the pseudo exposed NIC set without the MS-Client engaged, file and print sharing turned off and NetBIOS disabled as well. I have seen the vast majority of these security breach possibilities offer only the potential for interior network attacks, and that one aspect never seems to be broadcast loud enough. That aspect is where brutal attacks can be run as they are described in these updates and bulletins. I just think we are smart enough to be able to craft a method which provides a bit more common sense based information as opposed to the more common & generalized scare-tactics. BOO !

Cliff D :

ALS, you should never give regular users administrative rights.

I use Admin only for installing new programs and updates. The other 99.44% of the time, I am logged on as a limited user, and I have no problem doing email, Internet, etc.

If you are on as Admin all the time, you are inviting big trouble.

Chris H :

To Cliff D: In support of ALS, some programs with their origin in the Windows 95/98 era expect to be able to access any directory, file, or registry entry. Take Intuit QuickBooks for example. I have a client that is a construction company. Their internal bookkeeping staff has multi-user access to a common QuickBooks accounting file. When I was new in the account, I thought like you did and clamped down on access rights so no user had Admin privs. Then QuickBooks would not run. This is a well-documented problem on the Intuit support site. Check out the back flips you have to do to make QuickBooks function without global admin privs: http://www.quickbooks.com/support/faqs/qb2006/a4edfd81.html. (BTW, the Intuit instructions do not always work.) So as much as I would like to run a tight ship in my customer accounts, it is not always possible. The problem here is software that started its life on older Windows operating systems that did not have a concept of security. These software products expect to be able to access any directory, any file, any registry key with read/write access! The vendors (in this case Intuit) have not invested in redesigning their product to comply with the security constraints of modern multiuser computing environments that have to cope with internal and external security threats. Microsoft recognizes the exposure and is trying to get the ISV community to step up to the bar, and for this Microsoft should be commended. It remains to be seen how many of the vendors will respond. I for one am astonished that a major vendor like Intuit has let the security situation with a flagship product like QuickBooks fester for so long.

RichH :

As for PCs behind firewalls not being vulnerable -- there is less risk, but all it takes is one infected PC behind the firewall (from an email attachment, etc.), and suddenly everything behind the firewall is infected. That's not a risk I'd recommend to a company with 100 PCs.

Charles Peaden :

To Chris H.

I understand your astonishment, but understand why other major companies do not worry about such issues as much as MS has been forced to (I do NOT object to MS toes being held to the fire). In virtually every chat I've seen except this one, every letter ends (sometimes begins, and contains nothing else) with a statement like "Well, if you're simple enough to run windows you deserve whatever you get."


ALS :

Thank you Chris H for coming to my defense. We have clients who use QuickBooks 99, 2000, 2001, 2002, 2003, 2004, 2005, 2006, and now 2007. I have been frustrated for many years over why Intuit and other companies haven't addressed the Administrator rights issue. Many people still use programs made to run in Windows 98, 95, and before. I informed my clients that Microsoft Automatic Updates will automatically download and install IE7 this week, and this would cause serious problems for users of older versions of QuickBooks, based on Intuit's popup box for QuickBooks 2004 and earlier which states:

"Microsoft has introduced Internet Explorer 7 through automatic Updates. QuickBooks 2004 and earlier versions require Internet Explorer 6 and are not compatible with Internet Explorer 7. To continue to use QuickBooks 2004 or earlier versions of QuickBooks, do not upgrade to Internet Explorer 7. If you have already upgraded, we recommend that you uninstall Internet Explorer 7. For more information on how to do this, please see www.QuickBooks.com/support/IE7."

The tech guy at one of my QuickBooks 2002 clients responded:

"I've turned off the Automatic Updates function for all of us here... We
like our old software!

Down with progress!

Hopefully that will keep this from becoming a problem...

Thanks,"

This is what we deal with in the real world, where we use our PCs for more than just web based e-mail and internet exploration.
The software manufacturers don't fix known issues, they recommend you don't install updated and "more" secure software, the users don't understand the risks that are incurred by using older and less secure software, etc. I understand part of Intuit's thinking: they want to take advantage of IE7 and force their customers to upgrade / buy QuickBooks 2007. They don't want to or can't keep supporting older versions of their software. Microsoft does the same thing, i.e. no support for Windows 98, ME, XP SP1. Also in Intuit's defense, their popup for QuickBooks 2005 states:

"Microsoft has introduced Internet Explorer 7 through Automatic Updates. QuickBooks 2005 currently requires Internet Explorer 6 and is not compatible with Internet Explorer 7. We are currently building a solution so that QuickBooks 2005 will work with Internet Explorer 7 and hope to announce this solution soon. To continue to use QuickBooks 2005 in the interim, do not upgrade to Internet Explorer 7. If you have already upgraded, we recommend that you uninstall Internet Explorer 7. Please check www.QuickBooks.com/support/IE7 periodically for updates on a solution and for more information on how to uninstall Internet Explorer 7."

So there you have it. Software programs aren't secure. Microsoft finally upgrades to IE7 (due to a big push from Firefox's competition), and you get other software vendors stating their programs won't work with the new IE7, so don't install it.

They should turn this saga into a movie, and I got just the title for it, it's a comedy called: "It's a Mad, Mad, World."

Greg :

I work at a call center for one of the 3 largest companies in the world. All our users have administrator rights because their apps won't run otherwise. Explain to me again why web based computing is a good idea.
