
The Curious Tale of MS03-007 - luu
http://www.stepto.com/2013/03/the-curious-tale-of-ms03-007/
======
bluedino
>> And in Windows 2000 it had a huge gaping hole. It was enabled by default. On all versions.

Following "it was done this way for a reason, even though it might not make
sense", what was the rationale behind some of the defaults/decisions Microsoft
made in their NT4/2000 days?

The complete opposite of something like OpenBSD where most everything is
disabled by default.

~~~
cesarb
'Twas not just Microsoft.

Back then, "enabled by default" was the rule. I recall Linux distributions of
that era also enabling a lot of network-facing stuff by default.

For Microsoft in particular, there's also some path dependence: they began
with non-networked (or with local-only networking) desktop operating systems,
where the drawbacks of default-enabling many useful services were not as
severe.

~~~
kbenson
Yes. Having your newly installed Linux box connected to the internet after a
base install without first enabling a firewall (or configuring the existing
one to block a bunch of default allowed items) wasn't as bad as the same thing
with a Windows box, but it was still bad. Circa 2000/2001 I believe you would
likely be infected or hacked by some SSH or Apache worm within a few hours.

Windows around the same time, maybe a few years later, was _much_ worse
though. They actually had to patch a bug where the system would boot after
install and the firewall might not come on until a second or two after the
network, and there were so many exploits and worms that systems were getting
exploited in this very short time-frame.

------
codezero
I'm probably being thick, but I can't put together why the patch has anything
to do with the war in Iraq.

~~~
icegreentea
Military (or something in the whole war apparatus) was running networked
Windows 2000 in some mission critical role and was worried about being
compromised by a cyber counter-attack once they started offensive action.

~~~
codezero
Gotcha, I guess that makes sense.

I'd like to hear the story of how the military deployed these fixes across the
board in only a few days to ensure they had complete protection. Back in 2003,
even auto-updates tended not to get installed/applied on large systems where
there were complex admin rules about how updates should happen.

~~~
Mtinie
I doubt it required an across-the-board deployment. Rather, specific systems
like the one alluded to in the post (the reason that the Suits appeared in
Redmond) would need to be hardened in advance of the start of offensive
military activities when the secrets housed in the system needed to stay
secret.

------
pjc50
The implication is that the government wasn't going to war until they'd
updated their computers, which is extraordinary when you think about it.

~~~
fiatmoney
Nah, the implication is just that once the shooting starts, there's no reason
not to exploit whatever security holes you've found at the cost of being
"provocative".

------
yuhong
Of course, doing patches for pre-SP4 Win2000 was a pain, and the issues with
this patch were a good example (see actual bulletin at
https://technet.microsoft.com/en-us/library/security/ms03-007.aspx). This is
because Win2000 had no service pack branching.

------
rasz_pl
> This was bad enough we would have to consider going with how to block the attack before we actually had an update

Ah, good old Microsoft, where the mere idea of a default ingress firewall was taboo.

------
jokoon
So we might know what it was about in 2053?

------
malkia
.. And nowadays you can't even trash the "/bin" (latest OSX release) :)

~~~
yuhong
To be honest, WFP has existed since Win2000 too.

