Partager via


Why Blaster did not infect Windows Server 2003

I've been meaning to write about this for some time, but while pondering over my very dead laptop (it won't even get to the “Choose an OS to boot' option”, I remembered.

The code which Blaster took advantage of was in the released version of Windows 2003 :( but the worm itself did not infect Windows Server 2003 machines, here's why: the /GS flag. The buffer-overrun was detected by the -GS handling code, which caused the OS to shut the RCPSS process down. Sure, not a good thing - but a heck of a lot better than being infected by the worm. You can read more about /GS in Brandon Bray's blog https://blogs.msdn.com/branbray/archive/2003/11/11/51012.aspx.

In case you're not aware, Windows XP SP2 is also compiled with the latest 'n' greatest version of /GS.

Another cool thing in Whidbey is /GS is implicit; if you compile code using this:

cl -c mycode.cpp

You get the -GS stack-overrun detection code by default :))

If you don't want this option (why don't you want it?), then you must compile with /GS-

Comments

  • Anonymous
    May 23, 2004
    Btw about OS compilation (not relevant to Blaster issue actually): why XP Home tries to load non-existent EFSADU.DLL in each process it starts? Why Home is not properly recompiled to dropp off unsupported features from XP Pro?
  • Anonymous
    May 23, 2004
    Hm.. in "You get the -GS stack-overrun detection code by default :(" did you mean to have ":)" at the end instead? ;) seems like a good thing IMO!
  • Anonymous
    May 23, 2004
    Hm.. in "You get the -GS stack-overrun detection code by default :(", did you mean to have ":)" at the end instead? ;)

    IMO this seems like a good thing!
  • Anonymous
    May 23, 2004
    oh.. sorry for double posting :/
  • Anonymous
    May 23, 2004
    My bad - thanks!
  • Anonymous
    May 24, 2004
    The comment has been removed
  • Anonymous
    May 24, 2004
    Easier indeed. But from the other hand it is also implies potential issues (take a look at example above: what if there is such DLL and it is not authentic?) Does such implications simply considered as acceptable risk?
  • Anonymous
    May 25, 2004
    >>it is not authentic
    Windows File Protection :)
  • Anonymous
    May 25, 2004
    The comment has been removed