Microsoft Fixes Critical Remotely Exploitable Windows Root-Level Design Bug 136
An anonymous reader writes "In this month's Patch Tuesday, Microsoft has released nine security bulletins to address 56 unique vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, and Microsoft Server software. Of the nine security bulletins, three are rated Critical in severity, and among these three is one that addresses a years-old design flaw that can be exploited remotely to grant attackers administrator-level privileges to the targeted machine or device. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Reader jones_supa writes, though, that the most recent patch rollout came with a bug of its own, since corrected: the company apparently botched a rollup update for Visual Studio 2010 Tools for Office Runtime: "There is an issue with KB3001652: many users are reporting that it is locking up their machines while trying to install it. It does not seem that this patch is doing any other damage though, such as bricking the operating system. These days Microsoft appears to be reacting quickly to this kind of news as it looks like the patch has already been pulled from Windows Update."
Tough decision (Score:2)
Would I rather my computer be bricked or p0wned?
In one case I potentially lose my data, in the other, bad guys potentially get it all.
Re: (Score:1)
Would I rather my computer be bricked or p0wned?
Bricked. A bricked computer can't be p0wned. A p0wned computer can still be bricked, and by someone else.
Re: (Score:2)
Re: (Score:2)
I may be a bit pedantic, but how can a general purpose laptop or desktop computer get bricked, unless part of the exploit overwrote the firmware, causing the machine to not be able to be booted?
The OS might need to be repaired or reinstalled, but generally the data should be recoverable.
Of course, having backups is a wise idea.
Re: (Score:2)
Definitely bricked. It's axiomatic that your data is more valuable than your hardware - since you have it all backed up, you just buy new hardware and you are set. (Although you might want to consider changing your OS).
In fact, I have heard security professionals opine that a brick is the ideal secure IT system. It can't store any data, it can't do any computing, and it doesn't do you any good except as part of a wall (or something handy to throw at a politician). But it is VERY secure indeed.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
FTA "this is a design problem not an implementation problem."
So....Microsoft designed a godmode exploit.
Re: (Score:3)
I bet they didn't so much design an exploit, as design another feature, implement it as designed ... and the discovered they'd made a gaping hole.
I suspect at this point the code is so complex they don't even know what it does any more.
Re: (Score:3)
you mean like the desktop gadgets gadget? Yeah, I discovered yesterday while trying to install a lunar cycle widget that MS had deprecated the entire project, saying basically "Oh, we'd discovered that what we'd actually done was enable any old Joe Scumbag to completely own your computer via a widget you might actually find useful like live weather or news tickers".
So why the fuck is it still in my desktop context menu!?
Re: (Score:2)
Re: (Score:1)
Re: (Score:3)
brick
As verb: to brick something. This is the action of rendering any small-medium size electronic device useless. This can happen whilst changing the firmware, soldering or any other process involving either hardware of software.
I bricked my mobile phone when I tried to install Linux on it.
Haha! "When I tried to install Linux on it". Sounds funny reading that thread...
Re: (Score:2)
I think most phones that don't actually come with Linux (read: Android) installed will actually brick when you try to install Linux on them, because the kernel simply isn't designed for the architecture.
Re: (Score:2)
I found this article particularly amusing seeing as I'm not done re-installing my Windows 7 box from the latest attack to take it out from a couple of days ago. I don't even use the box for surfing or email; just for running database servers, builds, and playing internet media.
So it's got about the smallest attack surface you could imagine -- and it still has never survived more than 2 years without being nuked. None of my Windows boxes ever has.
oh you motherf~}NO_CARRIER (Score:4, Interesting)
I read this just SIX MINUTES after I installed the bloody office runtime update.
Which, lucky me, didn't lock the system up. It seems to have installed pretty painlessly.
(wonder if that could be anything to do with the fact that I don't have Office installed?)
Re:oh you motherf~}NO_CARRIER (Score:4, Informative)
It might be an extremely rare issue. Following the links in the article, the last update they pulled in August of 2014 was pulled because it was causing blue screen errors for 0.01% of users [neowin.net], but they pulled it anyways.
Re:oh you motherf~}NO_CARRIER (Score:5, Insightful)
whoa, 0.01% of 800 million (a very conservative estimate of the installed base) is still 80,000. That's a number far greater than 0 and most definitely of concern if you're one of those 80,000.
Re:oh you motherf~}NO_CARRIER (Score:4, Informative)
I read this just SIX MINUTES after I installed the bloody office runtime update.
Microsoft already released a fixed version at least 12 hours before /. posted this story... and pulled the buggy version some hours (8?) before that.
In other words, by the time this story was posted, it was no longer relevant.
Re:oh you motherf~}NO_CARRIER (Score:5, Informative)
After some investigation it looks like the update may not have been configured to do a silent install properly and actually hangs as it is waiting for user input on an invisible dialogue box.
If you have a machine that does hang we have found the following: /im Setup /f /im vstor_redist /f
1. wait until there is virtually no disk activity (counting on you have a light that shows you) and then power the machine down, or
2. use either PowerShell remoting or psexec to kill the two processes involved in the update: "Setup" and "vstor_redist".
With PowerShell: Invoke-Command -ComputerName hostname -ScriptBlock {Stop-Process -Name Setup,vstor_redist -Force}
With PSExec something like this will work:
Psexec \\hostname cmd
Taskkill
Taskkill
Exit
If the machine is doing a number of updates killing the two processes above will allow the machine to continue with the rest of the updates.
Of course the standard disclaimers apply: No guarantees the above will help and not harm you computer, your mileage may vary, batteries not included, objects in code are buggier than they appear, yadda, yadda.
Re:The most insecure OS in the world (Score:5, Funny)
Windows - the most insecure OS in the world.
True, but only because Adobe never made an OS.
Re:The most insecure OS in the world (Score:5, Insightful)
True. But Adobe already creates exploits for all the other OSes in the world, so they don't need to actually create an unsecured OS.
Re: (Score:2)
Windows - the most insecure OS in the world.
True, but only because Adobe never made an OS.
True. But Adobe already creates exploits for all the other OSes in the world, so they don't need to actually create an unsecured OS.
AFAIK no Adobe software even runs on Raspberry Pi, but never-the-less, flash can crash it [slashdot.org]. The mere "aura" of Adobe can break things! :D
Re: (Score:3)
"True, but only because Adobe never made an OS".
A man's gotta know his limitations. And they do.
Re:The most insecure OS in the world (Score:4, Informative)
True, but only because Adobe never made an OS
A man's gotta know his limitations. And they do.
Funny story... Oracle (née Sun) makes an Operating System.
Re: (Score:2)
Re:The most insecure OS in the world (Score:4, Insightful)
Re: (Score:1)
And designed to be a security teaching tool.
Not a production system.
Re: (Score:2)
uh... DVLinux is a security training tool and sandbox for SELinux component testing, not a production desktop platform.
Re: (Score:3)
Re:The most insecure OS in the world (Score:4, Interesting)
Yes, as much as I hate to admit it, I have had WAY more Linux servers exploited than Windows servers.
I have set up hundreds of Windows Small Business servers and less than half as many production Linux servers. I only recall having 1 Windows server exploited, and that was because the customer set up an admin-level user with an extremely simple password and then opened RDP to the world.
On the other hand, I have had several Linux servers exploited via ProFTPD, Horde, Sendmail and other vulnerable services.
Re: (Score:1)
As much as I hate to say it, that is not a Windows exploit, but a PEBKAC issue...
Re: (Score:2, Insightful)
Its all about attack surface bro.
Those windows SMB servers you likely firewalled away from the internet, zero exposed (inbound) services. They're only used to provide services to systems on the local network. Maybe you have SMTP exposed for inbound mail. (Today, though, running your own exchange server(s) for anything smaller than an enterprise is for suckers. Much cheaper to purchase hosted exchange service, and you don't have to deal with your IP blocks being blackholed)
Those linux servers, on the other h
Re: The most insecure OS in the world (Score:1)
There was a time when Sun's (now Oracle) Solaris was considered the swiss cheese of operating systems.
Re: (Score:3, Insightful)
Windows - the most insecure OS in the world. There are probably more viruses, malware and ransonware than actual apps.
I doubt it.
Download.com alone hosts over 51,000 Windows apps. Search Results for all Windows [cnet.com], Sourceforge, 16,000, 2,200 certified Fresh. [sourceforge.net]
Amazon.com 22,000 for retail sale. PC Software [amazon.com]
You could make a very strong case for Android being the most insecure, incompetently planned and managed OS in the wild.
Google's position is complicated, because it has produced a platform that it has no power to update. There's no Windows Update for Android phones, and Google has no ability to push out updates to the operating system; it has to depend on a range of OEMs and network operators to adopt its source code changes and distribute them to users. Both Apple and Microsoft, in contrast, have a direct channel to update their mobile operating systems.
Google won't fix bug affecting 60 percent of Android users [wired.co.uk]
Re: (Score:2)
Re: (Score:2)
Also the most popular hence the attrition to it's security flaws.
VS2010 patch locks up OS? (Score:5, Insightful)
Why would a patch for an IDE lock up an OS?
Is Microsoft able in any way to create products that are not intractably entrenched in their OS?
Re: (Score:2)
In the case of VB it might have to do with the way it installs a debugger (assuming it still does that - has been ages since I've used it).
It is still a stupid design. In Linux I can debug a process without elevated privileges whatsoever. Now, messing with kernel debugging tools could potentially crash your system and requires elevated privileges, but, well, you're messing with the kernel.
Now, I could see a botched installer going nuts and killing other processes or whatever, requiring a user to log off a
Re:VS2010 patch locks up OS? (Score:4, Funny)
"killall --user myself --signal SIGKILL"
Sounds like the type of code a VB developer would write on Linux. :P
Re: (Score:2)
"killall --user myself --signal SIGKILL"
Sounds like the type of code a VB developer would write on Linux. :P
Just an illustration, but I have run stuff like this to clean up orphan processes. If you're running systemd there are also settings you can change which will cause it to clean up orphan processes as well (just don't do this if you like to leave stuff running under screen and so on).
Re:VS2010 patch locks up OS? (Score:4, Informative)
It's not a patch for the IDE, it's for the runtime for programs built with that version of Visual Studio (there are such runtimes for all versions of VS). It sounds like the computer can freeze during patch installation.
Re: (Score:3)
Historically, they've used APIs the rest of us don't see, and since this is also a debugger and who knows what else ... it's probably embedded quite deeply into the OS.
Part of the problem is Microsoft's own software has pretty much always been intractably entrenched in the OS, and they've never seen that as an issue.
It doesn't sound like a modular architecture .. it sounds like they just view all of this as one monolithic thing.
Which is probably why they have a terrible track record of supporting other plat
Re: (Score:3)
I've seen this issue twice (we have a few VS2010 enabled machines). If you apply the patch by going into the Windows Update screen it will simply attempt to install in an infinite loop and you can simply end the process using the task manager. If you shutdown the system while the patch is pending to be installed, Windows will attempt to perform the update before completing the shutdown procedure. This is what creates the appearance of a lock up. Because the patch never appears to end, it remains in shutdown
Seems I didn't get that patch (Score:2)
I updated immediately after release on 2/10, but I don't have the patch mentioned. I presume that is because I don't have Visual Studio installed?
Re: (Score:2)
Probably so. I just checked the incoming updates and the problematic one was in the list, and I do have VS2010 installed. However, I did not install the particular subgroup of tools that the patch is mentioned to target. Good thing I crawled through the list looking for the specific KB#'s of incoming updates and unchecked it. If I were less cautious I would have been hitting "Install" feeling safe under the assumption that since I didn't have those tools installed in VS2010 that I would not be targeted for
Re: (Score:1)
Re: (Score:1)
Yeah, fucking capitalist assholes! Forcing people to upgrade to one of the last few versions of their operating system!
I mean EVEN Debian still makes security packages for Potato and Woody! ... right?
Re: (Score:1)
In practice they're admitting that Windows 2003 is so broken by design that not even them can fix it without causing problems. I'd like to hear no
Re: (Score:1)
I mean EVEN Debian still makes security packages for Potato and Woody! ... right?
I don't know if Debian does or not (I'm going to assume not based on your tone), but at least Debian's customers have everything they need (except maybe skill and time) to fix it themselves.
Microsoft customers? Not so much.
Re: (Score:1)
And realistically, how many people are going to do that instead of just upgrading to a distro from the last decade?
TFA Says Patch is Fixed (Score:5, Informative)
The article says the patch has already been updated and is safe to install.
Re: (Score:3)
Yes, except... if your machine still has updates outstanding then from what we have seen it is best if you "check for updates" again before installing them. It looks like if the patch was already downloaded then it will install unless you refresh by checking for updates again before installing.
Serious IE 11 Vulnerability is left out (Score:2)
Vulnerability Full Disclosure - 31 Jan 2015 [seclists.org]
No patch for XP (Score:1, Flamebait)
How convenient that 15% of all Windows computers are (and will remain) vulnerable to this problem (yes, I mean Windows XP). Good one.
Re: (Score:1)
Re: (Score:1)
It's amazing that XP is so bug-ridden that there are still critical vulnerabilities left after 12 years of patching. Even more amazing is that people are lining up to buy Windows 10 from the same company.
But, but, it's going to be BETER... They changed the name and upped the version number to 10!
Sad Hacker (Score:5, Funny)
Somewhere in the world, there is a hacker crying into his keyboard right now, because MS finally found the hole he's been exploiting for the last 10 years.
Re: (Score:2)
No hacker, no cry.
I remember when we used to sit
In the IRC channel in Trenchtown, yeah...
Re: (Score:1)
Re: (Score:3)
Re: (Score:2)
The script kiddie would have no idea that the security hole they were exploiting was fixed until they suddenly find out that their l33t hax0r t00lz no longer work.
The XP Killer? (Score:5, Insightful)
We've been waiting for that vulnerability that will finally create such havoc on XP that people will abandon it.
The security bulletin [microsoft.com] is vague, as usual, but it does say:
Which would seem to put the XP/2003 lineage one malware download away from connecting to a botnet that spoke just enough Domain protocol to exploit it and being pwned.
NSA could have such an exploit ready next week, Russian mafia in a month. The Prize is controlling close to 19% of the installed base.
Re:The XP Killer? (Score:5, Funny)
Everyone runs Admin on XP anyway, so privilege escalation is less of a problem than it could be.
Re:The XP Killer? (Score:5, Informative)
It only affects domain-joined PCs. If you're running XP Home (can't join a domain to begin with), then it really doesn't affect you.
It's a basic downgrade attack - similar to how those TLS bugs were done. You force the client and/or server to revert to an older less secure authentication protocol and then use that to get your way in.
And most businesses have moved off XP.
Re: (Score:2)
Are there still that many business using old Windows XP Pro SP3 with domain connections?
Re: (Score:3, Interesting)
Let me suggest another scenario:
NSA have had the exploit for years since they asked for it to be put there.
It was only removed just now since the Russian Mafia found and started to use the exploit.
Re: (Score:2)
1) Are members of an 'active domain' (i.e. corporate machines). ...Microsoft's bread and butter... ...no, they just have to be in a place that a fake domain server can forge packets pretending to be from the real one.
2) Are connecting to an exploited domain server.
Given the state of ethernet security these days (some vendors even still sell brand spanking new switches without ARP/IP validation features) that is not a hard environment to find.
Patching is NOT ENOUGH (Score:5, Informative)
One very important part of this latest vulnerability is that patching your systems is NOT ENOUGH. The patch is not so much a fix as an entirely new security functionality which must be configured properly.
It is required to configure a group policy to harden your systems. Any domain-joined system must have both the patch installed and a group policy setup to force the system to use secure authentication and validation mechanism on any sensitive share. Domain shares such as NETLOGON and SYSVOL are an obvious priority, but any share used for software deployment or script execution must be similarly listed.
Make sure you read the KB article and take the proper steps to secure your systems:
https://support.microsoft.com/... [microsoft.com]
Re: (Score:2)
Well, considering this is an MITM attack that targets a service that is typically only used on private internal networks (That likely use switches), or computers connected to one over VPN this is a bit less serious.
You vastly overestimate the competency of corporate LAN departments. When the LAN is not properly hardened, and it very often isn't, all you need is one owned box/printer inside the broadcast domain to own all the AD Windows clients in that broadcast domain.
Re: (Score:2)
The problem in this case is that there are workarounds allowing you to impersonate a DC. For example, someone could sniff your DNS requests and use ARP poisoning to redirect your requests for GPO files or login scripts to its own servers, and Windows would automatically downgrade its SMB security to connect to this fake DC. This could easily be done to a computer connecting in a remote network, even if its corporate trafic is in a VPN. Read up on this article from the guys who found the vulnerabiltiy:
https: [jasadvisors.com]
Fancy Vulnerability Name (Score:3, Funny)
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Seconded. I'm surprised nothing called "Skullfuck" has hit the security newswires to date...
KB3013455 (Score:1)
Re: (Score:1)
Just so I understand (Score:2)
Everywhere I look people still blissfully using completely insecure authentication methods for VPN access effectively broadcasting plaintext passwords to anyone snooping the wire... but hey at least if someone tricks you into connecting to their evil network Microsoft has your back.
Would love an education how this bug is worthy of mention while other much more egregious issues such as true type vulnerabilities affecting anyone who browses to an attacker controlled website were also patched.
Re: (Score:2)
on patch day, not only the trutype thingie got fixed, but 35 other remote code executions in MSIE.
thirtyfive!
Shows code quality.
Looks like the bug was in credential sharing (Score:2)
From what I could make out, the bug is in credential sharing across a network. If some computer configured to be part of remotely administered network "joins" the network controlled by the attacker, then the attacker can get admin privilege. Most hom
Re: (Score:2)
So it would involve some social engineering to get the user to run a malware trojan
Not even wrong. Any machine joined to a domain can be tricked into believing another machine is the server in that domain, and then that other machine installs a new group policy disabling all the protections set up by the legitimate domain admin. No social engineering required, just a way to successfully deliver forged packets or poison DNS.
Patch breaks Cisco Anyconnect VPN client too (Score:3)
Cisco opened a priority 1 case with Microsoft yesterday as soon as we found out about this issue. We are continuing to escalate this issue with Microsoft for a resolution timeframe. We recommend that all customers open their own cases with Microsoft since the ultimate fix will need to come from them. You can feel free to reference Cisco's case # which is 115021112390273 in order to expedite having your ticket properly triaged by their support team.
https://supportforums.cisco.co... [cisco.com]
Windows XP? (Score:2)
Is Windows XP affected?
Re: (Score:3)
yes. and not patched.
like windows 2003, which is stull in support, but so badly designed that a patch is not possible.
Re: (Score:2)
Re: (Score:2)
Did you manage to sleep through the big new stories the past year about 'Heartbleed' (OpenSSL) and 'Shellshock' (bash)?
Re: (Score:2)
and glibc "ghost"
oh wait...
that one was mostly a publicity stunt from the security company.