June 25, 1998, and June 30, 2008, marked two important milestones in Microsoft’s evolution of the Windows OS — the passing of the torch from Windows 95 to Windows 98, and the less seemly transition from XP to Vista.
In the 3,659 days between, users of Windows have been forced to bear witness to another evolution of sorts: bugs that left Windows open to exploits that appeared almost as fast as you could say, “On the Origin of Species.”
Uncovering — and exploiting — Windows vulnerabilities has made sport for many and careers for many more .
Entire industries have sprung up to protect Windows users from previously unknown flaws, while malware authors have matured their practices from juvenile pranks to moneymaking criminal enterprises.
Caught in the middle of this never-ending onslaught is the innocent PC user and the besieged IT admin — you. And though Microsoft and the entire software industry have labored tirelessly to handle zero-day exploits and to develop protocols for reporting potential security problems, we’ve seen and experienced several colossal security meltdowns thanks to the humble Windows bug.
These errors, buried in millions of lines of code, have steered great corporations and turned the tide of fortunes. It’s high time they got the credit they deserve. Here are the worst Windows flaws we’ve endured since the introduction of Windows 98.
Password “password” would have been more secure
Bug identifier: VCE-2000-0979, MS00-072
Description: Share Level Password vulnerability
Alias: Windows 9x share password bypass
Date published: Oct. 10, 2000
Windows 9x introduced a nifty little concept wherein users could host a password-protected mini file server, aka a share, on their PCs. The idea was simple: Allow users of networked computers to host and share files securely. Only the padlock Microsoft used to lock the door came equipped with a gaping hole that rendered it useless.
“When processing authentication requests for a NetBIOS share, Windows 95/98 would look at the length of the password sent by the attacker and then only compare that number of bytes to the real password,” writes vulnerability expert H.D. Moore, who manages the Metasploit Framework project.
Oops. “This let the attack specify a password of zero bytes and gain access to the share,” without actually knowing the password at all, Moore explains.
“The real damage,” he continues, “was that by trying all characters of incrementing lengths, they could literally obtain the password for share from the server.”
Upshot: Rather than functioning as a lock on a door, the password authentication scheme for Windows 95/98’s File and Print Sharing acted more like a nail through a hasp — to open the door you only needed to pull out the nail, with hardly any effort.
Folder traversal: Total server control with a single URL
Bug identifier: MS00-078
Description: Web server folder traversal vulnerability
Alias: Directory traversal bug Date published: Oct. 17, 2000
If there’s one thing we’ve learned from the past decade of Microsoft patches, it’s that not everyone keeps on top of them. When Microsoft published this particular advisory, the patch that fixed the problem (MS00-057) had already been released two months prior.
With this bug, if you knew the layout of a Microsoft file system — which folders appear where — you could send a command to a Web server that essentially gave you total control.
As anyone who has spent any time using a Windows computer will tell you, it’s not hard to find your way around the hard drive. Documents go in a particular folder path; most applications are put in another folder path; and so on.
By using dots and backslashes (or their respective unicode representations) in the URL, this bug allowed you to navigate up and down the file system and execute commands, just by knowing a few simple rules and how Windows organizes itself. While account permissions for IIS are somewhat limited, a related exploit helped escalate privileges, giving remote users the ability to do whatever they wanted to with Windows servers simply by sending a few URLs.
“Originally found as an anonymous post in the PacketStorm forums, this resulted in nearly two straight years of mass ownage against Windows web servers,” Moore writes.
Upshot: Directory traversal opened up a new world for automated attacks that merely had to call a particular URL to do their dirty work.
Code Red: Deadly bug, disgusting soda
Bug identifier: MS01-033
Description: Unchecked buffer in index server ISAPI (Internet Server API) extension could enable Web server compromise
Alias: The Code Red bug Date published: June 18, 2001
What happens when you send a ton of data at a Microsoft Web server? If it was the summer of 2001, well, you owned the network. At least that’s what happened a little more than a month after Microsoft released this obscure-sounding patch for IIS Web servers.
The nature of the bug was simple: Take an IIS server, invoke a buffer overflow, and commands spill into other parts of system memory. Because the commands were issued in the context of the system itself, the bug opened up for exploitation virtually all aspects of the server’s operation.
And exploitation happened, all right, on a scale that hadn’t been seen before.
On the afternoon of Friday, July 13, 2001, security engineers at eEye Digital Security received reports of a worm that was spreading rapidly through its customers’ networks. Fueled by a limited edition, crimson, caffeinated, high-fructose corn syrup-based beverage, Mark Maiffret and Ryan Permeh spent a weekend reverse-engineering the worm, and alerted the world to its presence.
What the worm did was probe vulnerable IIS servers, infect them, and create 100 threads of itself, which then spread to other computers. If the date was between the 20th of the month and the end of the month, it would attempt to spew data at www.whitehouse.gov. Permeh and Maiffret estimated that the worm could infect approximately 500,000 unique IP addresses per day.
Upshot: Code Red really drove home the importance of patching bugs soon after Microsoft released the patch, because the patches themselves give malware authors clues to exactly where they should look for new vulnerabilities.
Fastest infection. Ever
Bug identifier: MS02-039
Description: Buffer overruns in SQL Server 2000 Resolution Service could enable remote code execution
Alias: The SQL Slammer bug Date published: July 24, 2002
While technically not an OS bug, the SQL Slammer bug deserves honorary mention due to the sheer velocity with which vulnerable systems were infected. The bug targeted Microsoft’s database server. Vulnerable computers were subject to buffer overflows that, if properly crafted, could place commands into memory to cause the targeted system to execute those commands with the permissions of the database service.
Patching was complicated by the fact that admins needed to run an earlier patch before they could run the MS02-039 fix. The bug affected primarily corporate server systems, but also affected home users who had MSDE (Microsoft SQL Server Desktop Engine) installed. That made a number of home users, some of whom didn’t even know they had MSDE on their machines, unwitting participants in the carnage to come.
Because the Sl
