
Attack Code Found For Recent Windows Bug

CWmike writes "Just a day after downplaying the vulnerability that caused it to issue an out-of-cycle patch last week, Microsoft warned customers late yesterday that exploit code had gone public and was being used in additional attacks. 'We've identified the public availability of exploit code that now shows code execution for the vulnerability addressed by MS08-067,' said Mike Reavey, operations manager of Microsoft's Security Response Center, in a post to the MSRC blog. 'This exploit code has been shown to result in remote code execution on Windows Server 2003, Windows XP, and Windows 2000.'"
  • Clarification (Score:5, Informative)

    by Raconteur ( 1132577 ) on Tuesday October 28, 2008 @06:48PM (#25548535)
    Just in case the /. entry seemed as ambiguous to you as it did to me, the linked article states "Our investigation has shown that it does not affect customers who have installed the update."
  • by TubeSteak ( 669689 ) on Tuesday October 28, 2008 @06:48PM (#25548543) Journal

    No, this is the same exploit we talked about before.
    If you patched on the 23rd, you should be fine.

  • Re:Hotpatching (Score:3, Informative)

    by cheater512 ( 783349 ) <nick@nickstallman.net> on Tuesday October 28, 2008 @06:57PM (#25548629) Homepage

    Just switch to Linux servers instead.
    The ability to not require rebooting for years comes as standard. :)

    Downtime due to upgrades is limited to how fast you can restart the app.
    You can swap the files while it's still running, then just restart it.

  • by Anonymous Coward on Tuesday October 28, 2008 @07:17PM (#25548789)

    Instead they issued an out-of-cycle patch and they gave it a very high severity rating in their bulletins. None of us are Microsoft lovers. But you don't have to lie to us just to be able to pat us on the back. It's disgusting, please stop it.

  • by Macthorpe ( 960048 ) on Tuesday October 28, 2008 @07:49PM (#25549121) Journal

    You've always been able to automatically update even cracked copies of Windows automatically, you just can't do it via update.microsoft.com.

    I'm not sure where you've got your information from.

  • by Anonymous Coward on Tuesday October 28, 2008 @08:11PM (#25549351)

    LOL! Yea... especially considering that doing some SIMPLE things like these:

    1.) Stopping "File & Print Sharing", via your local connection, removing it as a Client/Protocol there (if you're not on a Lan Manager based OR Active Directory IP based LAN/WAN, or home network? Who cares! It's slowing you down just broadcasting extra packets anyhow OR listening for them too, wasting IO + resources) & the SYSTEM ICON in Control Panel (as to options &/or quick tasks to perform for that) make it a snap to stop it from being effective

    ----

    2.) Removing ALL shares, hidden or otherwise via say, a batchfile (or even DOS command prompt) like:

    REM Run from an elevated (Administrator) prompt. NET SHARE /DELETE removes the share
    REM only until the next reboot; the Server service recreates the default admin
    REM shares (C$, ADMIN$, IPC$) at start unless that is switched off in the registry.
    C:
    NET SHARE C$ /DELETE
    NET SHARE ADMIN$ /DELETE
    NET SHARE IPC$ /DELETE
    NET SHARE DFS$ /DELETE
    NET SHARE COMCFG$ /DELETE
    NET SHARE FAX$ /DELETE
    NET SHARE NETLOGON /DELETE
    NET SHARE PRINT$ /DELETE
    REM Also drop any drives this machine has mapped to remote shares;
    REM /Y answers the confirmation prompt so the batch file does not stall.
    NET USE * /DELETE /Y

    ----

    3.) Stopping the SERVER SERVICE (which allows sharing, & if you're not part of a LAN/WAN (like a single user system online on the internet only), you also save Memory, CPU Cycles, & Other I/O by cutting said service (via service.msc & setting its default startup type to DISABLED, & stopping it there also, once you doubleclick on it in the list)

    That also, can stop this exploit from being effective - as IT is what permits shares & file + print sharing...

    ----

    See - Technically, afaik, @ this point (haven't read the EXACT details of this thing's coding & methods though, via this RECENT CURRENT news on it)?

    Each/ALL/ANY of those measures SHOULD work, just fine, in mitigating this prior to applying this patch (especially if you're a standalone machine on the internet @ home, with no home LAN present)...

    (AND PLEASE - Feel free to correct me if I am off/wrong here fellas... thanks, as again, I have not "RTFA" (/. badge of honor, lol), yet as I noted above...)

    APK

    P.S.=> Afaik? That's more than adequate to stop this being exploitable, because if there are no SHARED DISKS present? How can you get to anything to execute anything?? File ACL's also being set (to stop remote NETWORK SERVICE, or other remote capable services &/or user-entities, except that which YOU use) helps moreso than the above, maybe overkill, but worth doing & should be by everyone anyhow, imo @ least... apk
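    As an added check, not part of APK's post, the PowerShell script below audits whether the mitigations listed above (Server service stopped and disabled, no shares left, SMB ports closed) are actually in place on a standalone host, and flags the point the NET SHARE commands miss: the administrative shares come back at reboot unless the AutoShareServer/AutoShareWks values under the LanmanServer parameters key are 0. It is read-only and assumes Windows PowerShell with WMI available; the service and registry names are the real ones, the wording of the findings is mine.

```powershell
# Added example (not from the thread): audit the MS08-067 workarounds described above.
# Read-only; reports findings, changes nothing.
$findings = @()

# 1. The Server service (LanmanServer) is the component that serves shares and is what
#    the workaround disables on a machine that is not part of a LAN.
$svc = Get-WmiObject Win32_Service -Filter "Name='LanmanServer'"
if ($svc -and ($svc.State -eq 'Running' -or $svc.StartMode -ne 'Disabled')) {
    $findings += "Server service is $($svc.State), start mode $($svc.StartMode); stop and set to Disabled"
}

# 2. Any remaining share, hidden ($) or not, means step 2 of the workaround is incomplete.
foreach ($s in (Get-WmiObject Win32_Share)) {
    $findings += "Share still present: $($s.Name) -> $($s.Path)"
}

# 3. NET SHARE /DELETE is not persistent. The default admin shares are recreated at boot
#    unless these two values are 0 (a missing value behaves like 1, so null is a finding).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
foreach ($name in 'AutoShareServer', 'AutoShareWks') {
    $val = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($val -ne 0) {
        $findings += "$name is not 0 under $key; admin shares will be recreated at next boot"
    }
}

# 4. With the Server service stopped nothing should be listening on the SMB ports (445, 139).
#    Parses 'netstat -an' output, e.g. 'TCP    0.0.0.0:445    0.0.0.0:0    LISTENING'.
$listening = netstat -an | Select-String -Pattern ':(445|139)\s.*LISTENING'
foreach ($line in $listening) {
    $findings += "SMB port still listening: $($line.Line.Trim())"
}

if ($findings.Count -eq 0) {
    Write-Host 'All workarounds from the post are in place; install the vendor patch as well.'
} else {
    $findings | ForEach-Object { Write-Host "FINDING: $_" }
}
```

    On a domain-joined machine the share and service findings are expected, since the workaround only applies to standalone hosts, as the post says.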

  • Metasploit (Score:5, Informative)

    by slimjim8094 ( 941042 ) on Tuesday October 28, 2008 @08:14PM (#25549373)

    Be warned; this is already on metasploit. The intrepid can find this for themselves...

    Testing it to see if it actually works though.

  • by gparent ( 1242548 ) on Tuesday October 28, 2008 @08:19PM (#25549417)
    So you mean giving it permission, right? Thought so.
  • by felipekk ( 1007591 ) on Tuesday October 28, 2008 @08:36PM (#25549549) Journal

    Please mod parent up.

    Microsoft even contacted partners to make sure they were applying the patch as soon as possible.

    I don't know where the author got the downplaying from...

  • Re:Hotpatching (Score:4, Informative)

    by DamnStupidElf ( 649844 ) <Fingolfin@linuxmail.org> on Tuesday October 28, 2008 @09:05PM (#25549797)

    Come on, it's dead simple and it's safe. Just install a page fault handler and mark all the pages of the DLL as being unavailable, examine the current thread state of all processes and mark them if they are currently executing in the unavailable pages, and if so simply return success from the page fault handler until the thread leaves the locked region (essentially single step through the DLL until it finally returns to the caller). If a thread was not originally executing in the protected pages and enters it, just stall it. Once all threads are stalled or not accessing the locked pages, patch the DLL and mark the pages available and uninstall the page fault handler.

    What could possibly go wrong? Only if the data structures that the DLL uses internally are modified will this be difficult, in which case the patched DLL will just have to convert its own data during the patch time. If changes to user data structures are required, then the patched DLL would have to burn some space in each new data structure to identify it as a patched version and treat it appropriately, while detecting the old data structures reliably. That might be a little harder than the general case, but not impossible.

    Is getting 0wned something you would want to happen on a production server that can't have downtime?

  • Re:Hmmm... (Score:3, Informative)

    by rikkards ( 98006 ) on Tuesday October 28, 2008 @09:12PM (#25549843) Journal

    That plus the wireless network card drops randomly. The message in dmesg is that it can't find the AP so it assumes it is gone. Restarting the networking fixes it.

  • Re:Hmmm... (Score:3, Informative)

    by Venik ( 915777 ) on Wednesday October 29, 2008 @03:06AM (#25551747)
    I don't know where you work, but unstable servers are usually a result of poor planning by system architects, insufficient funding, or inexperienced sysadmins. If I had any servers that were continuously unstable for the reasons you listed, I would lose my job. Sometimes you do have to support a system that has been outgrown by its users and applications, but there is no funding to get an upgrade and so you have to make do. This would be a valid reason for system instability. But to say that the server is crashing all the time because you installed all kinds of garbage on it without first doing the necessary checking and testing - just because some software vendor released a patch - is simply an admission of incompetence or just plain laziness. Most servers I work with are high-performance computing boxes used for CFD, FEM and other HPC tasks. Believe me, these systems run at full capacity most of the time. This is why you need these operating systems and this is why these machines cost so much. And your point of view is a perfect illustration of what I wrote in the previous post.
