
ARCHIVED FORUM -- April 2007 to March 2012
READ ONLY FORUM

This is the first Archived Forum which was active between 17th April 2007 and 1st March February 2012

 

Latest post 12-18-2009 5:03 PM by zett. 4 replies.
  • 12-15-2009 4:08 PM

    • zett
    • Not Ranked
    • Joined on 12-15-2009
    • Posts 3
    • Bronze Member

    BM5 Software issues

    Hi all,


    I’m new here so please forgive me if this post is in the wrong category.  Having said that here goes: 

    I have a BS5/BM5 system that’s been up and running for a while now and the software has been updated twice.  All in all I’m happy with the setup, despite some software related quirks.

    When checking my home computer network (in which BM5 is a part) with Nessus, a security scanner (www.nessus.org), BM5 was flagged with several vulnerabilities.    

    Microsoft categorizes two of these as critical:

    MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644)

    MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687)

    MS08-067 is perhaps the most severe of these two - it allows an outside hacker to run his or her own software or commands on the BM5, e.g. someone could steal or erase your entire music collection, or use the BM5 to steal personal data from other computers connected to the BM5.

    Microsoft released a patch addressing this problem in October 2008, however it appears as if this patch has been omitted in the updates from B&O.

    By using Metasploit, a tool for exploit research and penetration testing (www.metasploit.com), you can verify that the BM5 is wide open to hackers.

    Does anyone here know if there is a patch available or could anyone suggest appropriate rules for a firewall? 

  • 12-15-2009 11:08 PM In reply to

    • Stan
    • Top 150 Contributor
    • Joined on 04-17-2007
    • Posts 593
    • Gold Member

    Re: BM5 Software issues

    If you have a typical home network with a single IP address provided by your ISP, one must generally configure "port forwarding" for any "outside" computer to access any computer in your home network.  That is, the router "owns" the IP address that is visible to the outside world.  If you haven't forwarded any ports to your BM5, you don't have to worry about a hacker accessing it (unless it is on an unsecure wireless network - but then you have bigger problems).  The BM5 can talk to outside computers (for N.Radio or software downloads) without port forwarding because it initiates the conversation.

    Stan
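
Added example, not part of the original posts: a toy Python model of the router behaviour described in the reply above, showing which sources can open a connection to the BM5's SMB service (TCP 445, the service affected by MS08-067). The addresses, the `NatRouter` class and the assumption that the router keeps source ports unchanged are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

LAN = ipaddress.ip_network("192.168.1.0/24")  # constructed home LAN
BM5 = "192.168.1.50"                          # constructed address for the BM5
SMB = 445                                     # TCP port of the Windows SMB / Server service


@dataclass
class NatRouter:
    forwards: dict = field(default_factory=dict)  # public port -> (lan_ip, lan_port)
    flows: set = field(default_factory=set)       # (lan_ip, lan_port, remote_ip, remote_port)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection; the router records the flow."""
        self.flows.add((lan_ip, lan_port, remote_ip, remote_port))

    def inbound(self, remote_ip, remote_port, public_port):
        """Return the LAN endpoint a packet from the Internet reaches, or None if dropped."""
        for lan_ip, lan_port, r_ip, r_port in self.flows:
            # Reply traffic: same remote endpoint, same port the LAN host used
            # (simplification: the router keeps the source port unchanged).
            if (r_ip, r_port, lan_port) == (remote_ip, remote_port, public_port):
                return (lan_ip, lan_port)
        return self.forwards.get(public_port)     # otherwise only an explicit forward


def can_reach_bm5_smb(router, src_ip, src_port=40000):
    """True if a host at src_ip can open a connection to the BM5's SMB port."""
    if ipaddress.ip_address(src_ip) in LAN:
        return True                               # same LAN: the router is not in the path
    return router.inbound(src_ip, src_port, SMB) == (BM5, SMB)


if __name__ == "__main__":
    router = NatRouter()
    router.outbound(BM5, 51000, "198.51.100.20", 80)   # BM5 fetches a software update
    print("reply to BM5's own request:", router.inbound("198.51.100.20", 80, 51000))
    print("Internet host -> SMB:", can_reach_bm5_smb(router, "198.51.100.7"))
    print("LAN host -> SMB:", can_reach_bm5_smb(router, "192.168.1.23"))
    router.forwards[SMB] = (BM5, SMB)                  # the misconfiguration to avoid
    print("Internet host -> SMB after forwarding 445:", can_reach_bm5_smb(router, "198.51.100.7"))
```

The LAN case returns True regardless of the router's configuration, so any other device on the home network still reaches the unpatched service directly.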

  • 12-16-2009 5:25 PM In reply to

    • zett
    • Not Ranked
    • Joined on 12-15-2009
    • Posts 3
    • Bronze Member

    Re: BM5 Software issues

    Thanks for the reply and the tips re. router configuration.

    I agree with you that anybody setting up port forwarding to the BM5 would be unlikely.

    Network security is a complex subject and always entails compromises.

    My view is that a chain is only as strong as its weakest link; I would feel much more comfortable with a patched version of XP rather than putting all my trust in the router.

  • 12-17-2009 11:25 AM In reply to

    • Stan
    • Top 150 Contributor
    • Joined on 04-17-2007
    • Posts 593
    • Gold Member

    Re: BM5 Software issues

    The way I look at it is that it is a very big world.  There are millions of computers on the internet.  There are maybe 10,000 BM5s (I'm only guessing, it could be more or less, but for argument let's just say 10K).  Do I really believe that somebody will hack through my router and go after my BM5 and delete my music (which I have backed up anyway)?  This seems very unlikely (like finding a needle in a haystack).  There are many more desirable targets among those millions of computers out there.  Maybe I'm blissfully ignorant, but I just don't worry about this.

    Stan

  • 12-18-2009 5:03 PM In reply to

    • zett
    • Not Ranked
    • Joined on 12-15-2009
    • Posts 3
    • Bronze Member

    Re: BM5 Software issues

    In hindsight my example of someone stealing music was a very bad one. 

    The probability that someone would put any effort into messing with a music collection is without doubt very low, however not unlikely!

    What one could worry about are all the people on the Internet wanting to run a botnet.  They don’t care about the contents on a computer; their incentive is to control it.  Even though BM5s are rare they are still vulnerable when unpatched and consequently a very desirable target. 

    I’m just keeping my fingers crossed that B&O will include a patched version of XP in a future software update.
