45 comments

[ 3.3 ms ] story [ 96.3 ms ] thread
My thoughts go out to the sys admins patching this on a Friday
If they're just now patching it, I kinda feel like they deserve to spend their weekend patching Windows boxes.

> This bug was patched by Microsoft in June 2022 ...

(comment deleted)
Its only for NFS and not NTFS and only in v4 of NFS at that. Most systems will not need any action and those that do are unique enough that they're should be patched regularly in the first place.
They’re probably also important and harder to support: things like central storage servers or other services which support a wide range of clients, careful security mapping rules, etc. This is less than a month old so I would not be surprised if the places affected are carefully testing since almost by definition anyone running it has a complicated environment to support.
Disaster is often just one patch away.
Just got some background here, the May 10th update literally broke the ability for many people to logon to a domain. It was extremely broken and businesses that deployed it suffered heavily. The June 14th fix being discussed here in turn broke many backup products in ways people are still trying to understand. Edit: The June 14th update being discussed here also broke Wifi hotspot and RRAS services, the latter being relevant to servers.

So most Windows server admins are quite acceptably delayed in deploying updates. Most standards and policies give an organisation 30 or 60 days to apply a security update outside of a particularly critical issue, and in most cases that's considered appropriate risk management. In this case I don't understand why this is news, there were many CVEs fixed this month but I've generally assessed there are as being very low exposure and no reason to panic. For example, across our whole fleet it took a few minutes to test for the NFS service being installed anywhere and I've found it in zero places.

We don't have the Linux luxury up running an "update Apache" command and getting an update that fixed one CVE, every update is a major cumulative update with its own brokenness and test cycles. Remember at one point Microsoft released an update which broke port binding, and every network service including their own SQL and SMTP servers stopped functioning. That update was rated a critical security fix.

The (edit) July 12th update is the first proper fix for Follina vulnerability, which is now months old. That really should be what people are testing and targetting for rollout.

I wonder who Microsoft sees as Windows customers today.

Not the consumer. There are plenty of anti-consumer features in there. Spontanous reboots for patching, fire risks be damned. Privacy nightmare. Forced microsoft account. DRM.

Not the enterprise. Required manual patch validation. Complexity of upgrade rollouts. Neverending random breakage. Retraining for random vanity UI changes.

All of the above are fixable by listening to the customer and doing the necessary work, and not doing change for the sake of change.

> Spontanous reboots for patching

My laptop runs Windows 10 (all my other machines are Debian or Devuan). I have searched, but failed to find any way of preventing this damned OS from downloading and installing updates without asking me. I often get up in the morning to find that all my open windows have been force-closed, because the machine rebooted after an update.

I have no idea what the updates contain; by the time I know about it, it's already installed and running. I don't see much point in reading the release-notes (if I can find them), because they are invariably opaque and full of obfuscation.

And anyway, the updates are unitary; I can't cherry-pick packages or bug-fixes. Win10 is either up-to-date or vulnerable. And "updates" often include new features that I don't want.

I don't know why Windows the OS is so user-unfriendly; possibly because the devs are exclusively focused on enterprise features. I've been using Windows since Win3, but I nowadays find it nigh-impossible to administer my own machine.

I've been thinking of replacing Windows with Devuan on this one hold-out machine for months.

It's user friendly for people that don't know what patches are or why software needs updated. It's frustrating for the people that do and would like control

I remember the Windows XP days where you'd regularly find computers that hadn't successfully updated in months or years and it was a whole day effort to get them patched

Windows 10 Reboot Blocker works ok. It runs as a service and keeps readjusting active hours to prevent reboots

You may have it backwards because in real life patching too soon can be equally risky, specifically with Microsoft products.
Rolling out MS patches without a good testing period is a great way to suffer downtime in prod.

They somehow manage to ship catastrophically everything breaking shit extremely regularly.

Both admins using NFS on windows will be pissed off today :)
Note: N F S , not NTFS.

Presumably almost nobody has NFS enabled on a Windows box?

idk people do weird stuff with windows servers and nfs.
Didn't even know Windows could do that.
Windows 2000 had NFS(v3) support. It's at least that old.
You need windows pro or higher, it is in one of the options dialogs.
It's not that uncommon in lab environments, home or professional

Though you'll usually see samba/cifs more whenever Windows is involved

Who uses Windows NFS? I wouldn’t trust it and honestly, I can’t explain why, I just wouldn’t.
Because you know not enough time has been spent on it.
I don’t know anyone who loved it but if you were trying to get Linux desktops or servers allowed in a Windows shop it was often the path of least resistance.
i used it years ago for sharing media files from a windows server to a linux media player. bonus: said windows server also ran software raid-5. it's like i hit the lottery for worst possible solution for all the things.
I used it for years as a backup datastore location for some VM program. It worked well enough. Even had routine nightly shutdown/startup scripts of the VM that mounted it and then the NFS server.

It worked well enough. Would never run that at work or in production though.

I use one. My windows heavy IT team likes to do big storage appliances in windows and serve them to linux vms with nfs. It is horrible and sketchy, and has all kind of weird file caching, permissions, and locking issues. They havent responded positively to my constant dropping of the ceph promo video on them.

https://www.youtube.com/watch?v=QBkH1g4DuKE

That video is great. Now I want to setup my own Ceph cluster.
I don't disagree, but you would be truly shocked
This is the easiest way to share something with a *nix machine.

I use it for ISO storage in vSphere cluster, works fine.

People use it for storing actual VMs, but that requires a working AD/Krb integration between ESXi and AD which I don't use.

Eh, CIFS (SMB) has been in the kernel for years and would be the easiest way to share Windows <-> Linux.
In the kernel? I guess I never checked, but I was pretty sure all CIFS/SMB on Linux was userspace via FUSE and SAMBA.

Still, have to agree it is the easiest way to file share between them.

> The CIFS VFS was added to mainline Linux kernels in 2.5.42

For me both of them require arcane commands to use which I need to search each time I need them, but NFS is a bit less arcany for me.

Its no more odd than a NFS share mount.

fstab:

//WIN_SHARE_IP/share_name /mnt/win_share cifs credentials=/etc/win-credentials,file_mode=0755,dir_mode=0755 0 0

where a NFS fstab mount is something like this:

10.10.0.10:/backups /var/backups nfs defaults 0 0

No cifsfs is maintained by Samba Team member Steve French (now at Microsoft) and is a kernel SMB1/2/3 redirector.
Maybe because the CIFS/SMB clients for Linux are so good, it makes little sense to do it the other way 'round?
Someone with a San who didn’t want to deal with iscsi to the hypervisor. Who exactly, I can find a few clients that don’t listen to reason.
Seems like all the good zero days are in highly vintage components such as SMB, NFS, True Type Fonts and Windows Fax

If I were a security researcher I would look at anything that came from win 3.11, probably full of holes

NFS 4.1 isn't "highly vintage", the RFC is from 2010.
They're obviously not talking about specific versions, but the heritage of the protocols.
The heritage of a protocol doesn't matter much when it is implemented. Every web browser carries the "heritage" of http.

But NFS probably isn't the top priority for Microsoft, the implementation of NFS 3 felt sketchy, so in that way it's not overly surprising.

Maybe this example was not the best as it is only in Windows for 10 years, NFS however as a component exists since at least NT 4.

Even if this exploit only touches completely new code, my point still stands that windows has multiple layers of archeology which were designed when security was an afterthought.

Some of these are preinstalled with Windows, use networking and run as SYSTEM (WMI, spool) others are used by enough components in windows they will never be removed yet it doesn’t seem they are undergoing any development (COM/OLE)

Brand new code often has vulnerabilities in it too.
Hmmm, there is such a thing in Windows...