| Do I block access from svchost to DHCP? |
| message from Mister C on 14 Jun 2005 |
From time to time I get this message from my Sygate firewall.
Should I let this program through?
"Generic Host Process for Win32 Services (svchost.exe)
is trying to connect to [62.255.64.20] using remote
port 67 (BOOTPS - Dynamic Host Configuration Protocol
[DHCP] Server). Do you want to allow this program to
access the network?"
This is my setup:
1. I use WinXP + SP1 at home.
2. My broadband ISP is NTL Cable
3. I connect direct to my ISP and am not part of a network.
4. I have disabled XP's firewall and use only Sygate firewall.
To my untutored eye it seems like a good thing to allow this and let
svchost on PC communicate with what I think is my ISP's DHCP server.
However this web page says I should completely block svchost.exe in
Sygate. http://www.howtodothings.com/ViewArticle.aspx?Article=51
Who is right?
|
| Michael J. Pelletier replied to Mister C on 14 Jun 2005 |
It sounds like this is your DHCP client. I would not advise blocking that!
Michael
|
| Bit Twister replied to Mister C on 14 Jun 2005 |
Hmmm, missing lots of updates there. Poor security practice.
Well that explains it.
nslookup 62.255.64.20
shows name = dhcp1-popl.server.ntli.net.
You are part of the NTL cable network and your node gets its IP address
from NTLI's DHCP server. Your DHCP client and their DHCP server chat with each
other through ports 67 and 68 to get/renew your DHCP-assigned IP address.
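The exchange Bit Twister describes (and the traffic behind the Sygate alert in the original question), as an added illustration that is not code from the thread: a minimal RFC 2131 DHCP message builder/parser in Python, with a constructed client DISCOVER (port 68 to 67) and server ACK (port 67 to 68), plus the client-side check that the ACK names the expected server. 62.255.64.20 is the server address quoted in the original post; the MAC address, transaction id and leased address are constructed values.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPACK = 1, 5
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 51, 53, 54, 255
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte RFC 2131 header

def build_message(op, xid, chaddr, yiaddr="0.0.0.0", options=()):
    """Encode header, magic cookie and TLV options (htype 1 = Ethernet, hlen 6)."""
    zero = socket.inet_aton("0.0.0.0")
    hdr = struct.pack(HEADER, op, 1, 6, 0, xid, 0, 0x8000,  # flags: broadcast reply
                      zero, socket.inet_aton(yiaddr), zero, zero, chaddr, b"", b"")
    tlv = b"".join(struct.pack("!BB", code, len(val)) + val for code, val in options)
    return hdr + MAGIC_COOKIE + tlv + bytes([OPT_END])

def parse_message(data):
    """Decode a DHCP message into a dict; ValueError on a malformed packet."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    f = struct.unpack(HEADER, data[:236])
    msg = {"op": f[0], "xid": f[4], "yiaddr": socket.inet_ntoa(f[8]),
           "chaddr": f[11][:f[2]], "options": {}}
    i = 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:                      # pad octet
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option")
        msg["options"][data[i]] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return msg

def verify_ack(data, expected_server, xid):
    """Client-side check on a reply from port 67: it must be a BOOTREPLY DHCPACK
    for our transaction, and option 54 must name the server we expect."""
    msg = parse_message(data)
    opts = msg["options"]
    if msg["op"] != BOOTREPLY or msg["xid"] != xid:
        return False
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPACK]):
        return False
    server_id = opts.get(OPT_SERVER_ID, b"")
    return len(server_id) == 4 and socket.inet_ntoa(server_id) == expected_server

def demo():
    """Constructed exchange: client DISCOVER (68 -> 67) and server ACK (67 -> 68)."""
    xid, mac = 0x3903F326, bytes.fromhex("001122334455")   # constructed values
    discover = build_message(BOOTREQUEST, xid, mac,
                             options=[(OPT_MSG_TYPE, bytes([DHCPDISCOVER]))])
    ack = build_message(BOOTREPLY, xid, mac, yiaddr="10.0.0.5",  # constructed lease
                        options=[(OPT_MSG_TYPE, bytes([DHCPACK])),
                                 (OPT_SERVER_ID, socket.inet_aton("62.255.64.20")),
                                 (OPT_LEASE_TIME, struct.pack("!I", 3600))])
    return parse_message(discover), parse_message(ack), verify_ack(ack, "62.255.64.20", xid)
```

A real client sends DISCOVER/REQUEST as UDP broadcasts from port 68 to port 67 and accepts only replies whose transaction id and server identifier match, which is why a blanket block of svchost.exe to port 67 breaks lease renewal.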
|
| Walter Roberson replied to Bit Twister on 14 Jun 2005 |
:On Tue, 14 Jun 2005 18:32:46 GMT, Mister C wrote:
:> This is my setup:
:> 1. I use WinXP + SP1 at home.
:Hmmm, missing lots of updates there. Poor security practice.
As best I (not a Windows expert!) can tell, Microsoft is making
security patches available for both SP1 and SP2 at present.
Is there a significant security difference between fully-patched SP1
and fully-patched SP2?
I was running SP2 but there was something that wasn't working that
did work under SP1 that I installed on a different partition. If
one cannot effectively run one's system with SP2 but can with SP1,
then is it truly "good security practice" to upgrade to the version
that is functionally unusable under the local circumstances?
If so, then would it not be even better security practice to upgrade
to Windows HP -- a version of Windows that consists of nothing other
than repeated processor HALT instructions, to keep the system from
running anything at all?
|
| Dale Richards replied to Walter Roberson on 15 Jun 2005 |
[snip]
Did I just hear the ever familiar sound of a can of worms being opened...?
|
| Bit Twister replied to Dale Richards on 14 Jun 2005 |
New SP2 with firewall was supposed to stop those pesky worms. :)
|
| David H. Lipman replied to Walter Roberson on 14 Jun 2005 |
From: "Walter Roberson" <roberson@ibd.nrc-cnrc.gc.ca>
| :On Tue, 14 Jun 2005 18:32:46 GMT, Mister C wrote:
| :> This is my setup:
|
| :> 1. I use WinXP + SP1 at home.
|
| :Hmmm, missing lots of updates there. Poor security practice.
|
| As best I (not a Windows expert!) can tell, Microsoft is making
| security patches available for both SP1 and SP2 at present.
| Is there a significant security difference between fully-patched SP1
| and fully-patched SP2?
|
| I was running SP2 but there was something that wasn't working that
| did work under SP1 that I installed on a different partition. If
| one cannot effectively run one's system with SP2 but can with SP1,
| then is it truly "good security practice" to upgrade to the version
| that is functionally unusable under the local circumstances?
|
| If so, then would it not be even better security practice to upgrade
| to Windows HP -- a version of Windows that consists of nothing other
| than repeated processor HALT instructions, to keep the system from
| running anything at all?
| --
| Oh, to be a Blobel!
There is a big difference in WinXP SP2 and SP1 which includes IE6/OE6 SP2 which is not
available for Win9x/ME and Win2K.
|
| Walter Roberson replied to David H. Lipman on 14 Jun 2005 |
:From: "Walter Roberson" <roberson@ibd.nrc-cnrc.gc.ca>
:| Is there a significant security difference between fully-patched SP1
:| and fully-patched SP2?
:There is a big difference in WinXP SP2 and SP1 which includes IE6/OE6 SP2 which is not
:available for Win9x/ME and Win2K.
David, I've re-read your sentence several times, but I am having
difficulty in parsing it. Are you saying that IE6/OE6 SP2 is available
for XP SP2 but not for XP SP1? I am thrown a bit by the
9x/ME and 2K reference?
If one does not use IE6 nor OE, are the differences relevant?
|
| David H. Lipman replied to Walter Roberson on 14 Jun 2005 |
From: "Walter Roberson" <roberson@ibd.nrc-cnrc.gc.ca>
| :From: "Walter Roberson" <roberson@ibd.nrc-cnrc.gc.ca>
|
| :| Is there a significant security difference between fully-patched SP1
| :| and fully-patched SP2?
|
| :There is a big difference in WinXP SP2 and SP1 which includes IE6/OE6 SP2 which is not
| :available for Win9x/ME and Win2K.
|
| David, I've re-read your sentence several times, but I am having
| difficulty in parsing it. Are you saying that IE6/OE6 SP2 is available
| for XP SP2 but not for XP SP1? I am thrown a bit by the
| 9x/ME and 2K reference?
|
| If one does not use IE6 nor OE, are the differences relevant?
|
| Feep if you love VT-52's.
WinXP SP2 contains IE/OE SP2. There is no IE/OE SP2 for earlier MS Operating Systems.
Since the HTML capabilities of the OS are tied to IE, the fact that you do not directly
use IE or OE still means that the HTML vulnerabilities remain.
There are other pertinent changes in SP2 as well. This includes the XP FireWall and
recoding of some WinXP components.
|
| Adrian replied to David H. Lipman on 15 Jun 2005 |
Only if you use IE. Other browsers, which completely ignore IE, are
available.
|
| David H. Lipman replied to Adrian on 15 Jun 2005 |
From: "Adrian" <toomany2cvs@gmail.com>
| Only if you use IE. Other browsers, which completely ignore IE, are
| available.
No. Not really. Say, for example, you have a .URL shortcut in a folder and you click on it.
The OS will do a file preview of that URL. It won't be an alternate browser; it will be the
IE HTML rendering components that will show the web site in the preview.
|
| Dale Richards replied to Adrian on 15 Jun 2005 |
...or any other application that uses the IE HTML rendering engine. Such
programs are much more common than you seem to realise.
|
| Mark McIntyre replied to Adrian on 15 Jun 2005 |
No. Many apps will and do use the IE rendering engine to interpret
html. And not just MS apps, but many 3rd party ones.
|
| Walter Roberson replied to Mark McIntyre on 16 Jun 2005 |
:Many apps will and do use the IE rendering engine to interpret
:html. And not just MS apps, but many 3rd party ones.
And what HTML is it that those apps are rendering?
If they are rendering HTML from local pages installed with
the product, and those local pages contain malicious HTML, then
I'm not sure that SP2 is going to be very much protection against
having installed that malicious app.
If they are rendering remote HTML from their own servers
(e.g. showing the list of updates available), then again the app
could do much more direct damage.
If they are rendering remote HTML from random sites on the 'net,
then I don't have the app installed.
The only reason I bought a PC in the first place was to act
as a printer driver. Other than printing, all I use it for
is Mozilla and IrfanView. The number of protection programs I run
outnumber the apps by about 4:1.
|
| Mark McIntyre replied to Walter Roberson on 14 Jun 2005 |
I believe that it's generally accepted as better practice to diagnose
and resolve the problem than to avoid it by removing security.
"Since I fitted locks to my house, I often can't get in when I'm
drunk."
"Why not just take the locks back off then?"
"Problem solved"
ROFL.
|
| Walter Roberson replied to Mark McIntyre on 14 Jun 2005 |
:On 14 Jun 2005 20:03:56 GMT, roberson@ibd.nrc-cnrc.gc.ca (Walter
:Roberson) wrote:
:>I was running SP2 but there was something that wasn't working that
:>did work under SP1 that I installed on a different partition. If
:>one cannot effectively run one's system with SP2 but can with SP1,
:>then is it truly "good security practice" to upgrade to the version
:>that is functionally unusable under the local circumstances?
:I believe that it's generally accepted as better practice to diagnose
:and resolve the problem than to avoid it by removing security.
Windows is closed-source, and rather obtuse to debug. I spend
*far* more time trying to track down problems on my single XP system
at home than I spend on my routers, switches, firewalls, or
unix systems. I don't have *time* to debug any substantial XP problem.
It is *not* "generally accepted" as "better practice" to spend your
time hitting your head against a wall.
|
| Mark McIntyre replied to Walter Roberson on 16 Jun 2005 |
Frankly, and don't take offense, but that's irrelevant. Nobody's asking
you to debug the source code. If you can't identify why random app X
stops working after you apply security patch Y, then perhaps you're in
the wrong business.
Personally I don't consider solving problems to be "hitting my head
against a wall". YMMV.
|
| Walter Roberson replied to Mark McIntyre on 17 Jun 2005 |
:On 14 Jun 2005 22:42:18 GMT, roberson@ibd.nrc-cnrc.gc.ca (Walter
:Roberson) wrote:
:>Windows is closed-source,
:Frankly, and don't take offense, but that's irrelevant. Nobody's asking
:you to debug the source code. If you can't identify why random app X
:stops working after you apply security patch Y, then perhaps you're in
:the wrong business.
Oh, right, I forgot.
Q: "Oh, Magic 8 Ball, after I applied patch KB8931280, why did FranzTunes
start randomly stuttering from time to time?"
Magic 8 Ball: "In mandatory DLL IESkDr7, the developer used
A | B where he should have used A | !!B . To get around the
problem, change the 317 registry keys that will be shown to
you one by one on subsequent shakes of the Magic 8 Ball."
Remember the thesis being expressed here was that I am tantamount to
being a criminal if I back out or don't apply a Windows Security
Patch, so to find and fix the problem the way you seem to feel
that anyone should be able to, one has to be able to navigate
through scores of DLLs, hundreds of binaries, and thousands of registry
keys. Installation of even a simple program can end up updating
literally hundreds of registry keys.
If you tell me that it is reasonable for anyone (other than really
sharp Windows experts) to know what each of those keys does and how
they interact, then I will not believe you. If you use regedt32 to
export HKLM then that alone is over 28 megabytes -- over 287000 lines!
Just to read it -once- would take over 8 days of continuous reading
at 500 words per minute.
|
| Michael J. Pelletier replied to Mark McIntyre on 17 Jun 2005 |
No it is not. When debugging it is quite helpful to understand how a
program is written. This can only be accomplished by reading the source
code...
|
| Michael J. Pelletier replied to Mark McIntyre on 14 Jun 2005 |
...if that were the case you would not be using Windows at all!!!
|
| John Hyde replied to Mark McIntyre on 14 Jun 2005 |
Sorry officer, I couldn't get out the door, I had to use Windows . . .
|
| Bit Twister replied to Walter Roberson on 14 Jun 2005 |
(not a Windows expert either) but I would bet they are not.
Then why make an SP2?
See, there is a difference between SP1 and SP2. I would guess SP2 closed
a security flaw on a system call used by the defunct application.
Could have been an update to make a system call argument mandatory
which is not provided in the failing application causing it to fail.
You might want to read the above sentence out loud.
Having an unpatched system is negligent.
Let's say someone uses your unpatched system to steal credit cards and
sells them using your system. Do you think, "but, but, judge, I
installed a patch and I could not run one of my applications so I
backed out the patch." is going to keep you out of jail.
Now you are just being stupid. :(
http://www.eeye.com/html/research/upcoming/
My solution was to install Mandriva/Mandrake Linux. :)
|
| Walter Roberson replied to Bit Twister on 14 Jun 2005 |
:Having an unpatched system is negligent.
:Let's say someone uses your unpatched system to steal credit cards and
:sells them using your system. Do you think, "but, but, judge, I
:installed a patch and I could not run one of my applications so I
:backed out the patch." is going to keep you out of jail.
In your strawman argument, are you speaking in terms of being
convicted of "negligence" or of being convicted as if you were yourself
the perpetrator of the credit card trafficking?
My Windows XP SP1 system is behind a firewall that is configured to
disallow incoming connections, and is patched with the latest SP1
patches (well, before the ones released earlier today). A finding
of "negligence" is unlikely in such a matter.
Microsoft has a list of "Top 10 Reasons to Install Windows XP
Service Pack 2",
http://www.microsoft.com/windowsxp/sp2/topten.mspx
Reasons #1 thru 4, and 8 thru 10 have to do with products such
as Internet Explorer and Outlook that I do not run.
Reason 5 has to do with the Windows Firewall -- unnecessary for
someone who has a real firewall.
Reason 6 is the convenience of the Windows Security Centre. Being
able to "manage key security settings in one convenient place" is
not exactly at the top of my list of must-have security features.
Reason 7 is enhancements to Windows Automatic Updates. I have my
system set to notify me of updates, which I then examine first
-before- blindly installing.
If you examine the list of "Key Security Technologies" for SP2,
http://www.microsoft.com/windowsxp/sp2/technologiesoverview.mspx
you will not find much of interest to someone who runs their own
firewall and doesn't use IE or OE.
|
| Mark McIntyre replied to Walter Roberson on 14 Jun 2005 |
You may not run them, but they're installed and the IE rendering
engine is used by a swathe of apps. If you leave this inadequately
patched, you're asking for trouble.
I agree the other three reasons are irrelevant for anyone who has
their own f/w and performs updates religiously.
There's no such thing as "not running" IE or OE....
|
| Bit Twister replied to Walter Roberson on 14 Jun 2005 |
The site cracked could go the negligence route asking for damages.
That is what is going to cost you the big lawyer bucks to get out of
going to prison.
Depending on what kind of firewall, that is a good first step.
SP1-patched systems were getting cracked in about 4 minutes after
being connected to the net.
Would guess the cracked site's lawyer would be pushing the fact that
you do not have all updates (SP2) installed so it is negligence.
I seriously doubt MS would publish that SP2 fixes unpatched problems in SP1.
I wonder why MS thought about forcing SP2 or disallowing any updates at
one point in time.
Well there is my point. Based on that, there should be no reason for
your application to not run on SP2.
After all, SP2 just fixed a few applications.
|
| Peter M replied to Bit Twister on 15 Jun 2005 |
So would they also scream at you if you didn't use Win XP, but had some
older and therefore "not up to Windows XP SP2" standard version, e.g. if
one had Win 95, or Win 98 / 98 SE or perhaps Win ME? It's going to be
a very silly lawyer who argues 'negligence' because of flaws in large
and complex applications over which the user has limited control of
the interactions of various libraries of software components. If the
software was entirely self-written, and had flaws, then perhaps there
would be a chance of pinning it down on the individual.
Of course, if you can point to past cases, I'll be happy to admit that
I'm wrong, but on the face of it, I doubt very much that some lawyer
would advise his clients that there is any value in taking an individual into
court, compared with pushing for the real culprits, and perhaps the
large corporation(s) which provided software (have any cases regarding
flaws in applications actually resulted in court-ordered settlements,
anyone?) IANAL, of course. [NG list trimmed] Peter M.
|
| Michael J. Pelletier replied to Bit Twister on 14 Jun 2005 |
Ah come on. If all of that were true Bill Gates would have an endless supply
of "soap on a rope"...for he is more guilty than anyone else.
|
| Bit Twister replied to Michael J. Pelletier on 14 Jun 2005 |
I see you are running Knode. If you were able to read the End User
Licence (EUL) you would see you agree to _not_ hold MS responsible for
anything.
Shoot, I can not even cut/paste it for inclusion in a text file.
|
| Stephen Chadfield replied to Walter Roberson on 15 Jun 2005 |
And you do not use any programs which use IE as a component? Just
because you don't use IE as your main browser does not necessarily
mean that you are not using it at all and can therefore neglect security
patches for it.
|
| Walter Roberson replied to Bit Twister on 15 Jun 2005 |
:Having an unpatched system is negligent.
:Let's say someone uses your unpatched system to steal credit cards and
:sells them using your system. Do you think, "but, but, judge, I
:installed a patch and I could not run one of my applications so I
:backed out the patch." is going to keep you out of jail.
An interesting article came out today:
http://www.geekinformed.com/content/view/320/1/
"Windows 2000 is Still used in Half of Businesses"
According to a study by AssetMetrix Research Labs, Windows 2000 has
only dropped in business use by 4 percent since the 1st quarter of
2003. They estimate that Windows 2000 currently holds a desktop
share of 48 percent.
[...]
The trend shows that most of the migration to Windows XP has been
from smaller companies that were switching from Windows 95, 98, and
Me. The larger the business, the stronger the Windows 2000
presence.
There was also an article just a couple of months ago indicating
that only about half of businesses have updated from XP SP1 to XP SP2;
Microsoft indicated in that article that those figures were consistent
with their expectations.
So less than half of businesses have even gone from 2000 to XP, and
of the ones that have, only about half have gone to SP2 -- so XP SP2
is in place in only about 1/4 of businesses.
Those figures suggest to me that it would be highly unlikely that
any judge would find "negligence" for not having updated from SP1 to SP2.
"Negligence" requires a "careless disregard", or a failure to perform
a duty which is "positively mandated" by legislation. When one
follows "normal business practices", in an area where there is no
relevant legislation requiring particular procedures, then
that is not "negligence".
|
| Mark McIntyre replied to Walter Roberson on 15 Jun 2005 |
Euh, just because over half of drivers admit to speeding, doesn't mean
that judges regard it as any the less of an offense. In fact, more so.
True.
The operative word is "or". A careless disregard. Or alternatively, a
failure to perform a legal duty.
False.