Hot Potato Exploit Gives Attackers the Upper Hand On Multiple Windows Versions
An anonymous reader writes: By chaining together a series of known Windows security flaws, researchers from Foxglove Security have discovered a way to break into almost all of Microsoft's recent versions of Windows. The exploit, named Hot Potato, relies on three different types of attacks, some of which were discovered back at the start of the new millennium, in 2000. Going through these exploits one by one may take attackers from minutes to days, but if successful, the attacker can elevate an application's permissions from the lowest rank to system-level privileges. All of these security flaws have been left unpatched by Microsoft, with the explanation that by patching them, the company would effectively break compatibility between the different versions of their operating system.
Was bound to happen... (Score:3, Funny)
Re: (Score:2)
Mr. Potato Head has gone to dark side, becoming Hot Potato and joining forces with Evil Bernie and Evil Ernie to rule the world. One Windows machine at a time.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
I meant the gang from Sesame Street.
https://i.ytimg.com/vi/E97Pg6YuOqk/hqdefault.jpg [ytimg.com]
Re: (Score:2)
I don't know about Ernie, but Bert has been a known evildoer for a long time [bertisevil.tv]
And, Suddenly... (Score:1, Funny)
Thousands of slashdotters have a simultaneous joygasm.
Re: (Score:3)
>by patching them, the company would effectively break compatibility between the different versions of their operating system.
Since when did MS seriously worry about compatibility between versions? They're trying to force everyone onto W10 and who cares what breaks ... !
Re:because in windows broken security is a feature (Score:5, Informative)
They put a lot of effort into backwards compatibility in each version. They've been known to create "shims" to duplicate previous undocumented/buggy behavior that a particular app depends on that get loaded for just that app, because they know that if you update windows and your app stops working, it's not the app using unsupported functionality that's gonna get blamed.
Re:because in windows broken security is a feature (Score:5, Informative)
They put a lot of effort into backwards compatibility in each version.
That's an urban legend. When I worked there, I didn't hear of any effort at all made for backwards compatibility, except for a few tools we used internally. We just didn't give a damn about it, and that's why Windows is so horrific at it.
For example, the company I work for now uses 29 pieces of official software, and 26 of them have at least minor problems on Windows 7 or newer. They all work fine on Vista, so we're stuck with Vista. We've even offered a bounty* for anyone that can get Lotus 2.3 to run. On Windows 10, when you run 123.EXE, it displays the message "This app can't run on your PC." Even right clicking on the file in Exploder, Properties, Compatibility tab, Compatibility Mode then Windows 95 doesn't help. That option doesn't seem to do anything on the ~50 different programs I've tried it on. Microsoft doesn't give a damn about backwards compatibility.
* We have six hundred thousand legal documents in Lotus that we can't convert to other formats because there's just too much paging and formatting problems. OpenOffice is damn good, but it isn't perfect. Obviously with that many files and with having to run Vista or older on all of our computers means we're willing to pay quite a stiff bounty to anyone that can help us solve this Microsoft-created problem without resorting to running a vm.
Re: because in windows broken security is a featur (Score:1)
DOS ain't done 'till Lotus won't run.
Re: (Score:1)
Re: (Score:1)
I've had several applications work by setting a compatibility mode. Ha! My anecdote beats your anecdote! Take that!
So you think it works because it worked a few times while it didn't work hundreds of times for someone else? Do you work QA for Microsoft?
Re: because in windows broken security is a featur (Score:4, Interesting)
The main use I've found for it are for games that came out in that time between Direct3D and Windows 2000 that assume that Windows NT == No Direct3D and pop up a "This program doesn't support Windows NT" error. Setting them to Win95/98 compatibility mode make them work just fine. I can think of Viper Racing for one, and it helps Grand Prix Legends' graphics work better. On the other hand, Homeworld works better in NT 4.0 mode because it disables the slightly buggy-on-new-Windows DirectX and forces it into OpenGL mode, which works great.
In more recent times I've had it help with a couple utilities and tweaks like Mute on Lock that break with Windows 7's (and Vista's?) updated audio engine.
I can't think of too many things I've tried it on that haven't worked, really. Most of the complaints I've seen about it are people trying to run DOS or 16-bit Windows apps on 64-bit Windows, which isn't going to work no matter how many compatibility modes you try.
Re: (Score:2, Insightful)
Microsoft doesn't give a damn about backwards compatibility.
No doubt that's why we can still use the same API calls sixteen years later...
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
That's an urban legend. When I worked there,
You are using appeal to authority and you are not doing a very good job at it.
CD C:\windows\WinSxS
Dir *CRT*
That whole directory is *designed* for backwards compat. If you fire up Windows 7 fully patched you can see no less than 3 full copies of Media Player.
To get 123.exe to work on Windows 10 will take a bit of work and a bit of copying. You need the old DLLs and a manifest. You will need something like Dependency Walker and something like Process Explorer.
Re: (Score:2)
Lotus 1-2-3 2.x is a DOS application. There are no DLLs, manifests, etc. except for NTVDM, which as we already know doesn't exist in the 64-bit Windows world and as far as I know no one has hacked in. It'll need to be run either in a VM (whether a "light" one like DOSBox or a full one like VirtualBox or VPC) or on a 32-bit version of Windows, where it'll run just fine as-is.
Re:because in windows broken security is a feature (Score:5, Interesting)
I'm going to stay away from ad hominem, because it's not useful, but you pretty clearly haven't done even a little bit of research into the problem. If you get that error running a DOS program, you're likely trying to run it on a 64-bit version of the OS. This is a well-known issue (if you even want to call it an issue, because it's advertised as such) and the compatibility modes are only for 32-bit Windows programs. If the rest of your 50 programs are also DOS, I'd expect as much.
If you need to run a DOS application, and a VM isn't an option, use a 32-bit version of Windows 10. For funsies I found a copy of Lotus 1-2-3 (2.2, as it happens, because that was what I had handy. I don't expect 2.3 to run differently) and tried it on my 32-bit Windows 10 laptop and it ran fine. Even ran in a window.
Drop me a line and I'll be happy to claim my bounty ;)
Re: (Score:2)
Re: (Score:2)
messages that don't give you a hint about how to proceed
The modern message does.
This app can't run on your PC
To find a version for your PC, check with the software publisher
Which is quite accurate. It won't even run in that configuration so the obvious answer is to check with the maker of the software and find a version that does work, not changing the OS. A more verbose error message describing the bits of the software and the bits of the OS is not going to be of any use to 99.999% of windows users out there.
Windows 7 actually had a very VERY long error message complete with information about the 32bit or 64bit version and asked users to check their S
Re: (Score:2)
This is a tough balance to find, and one you often see Slashdotters (such as the post below this currently) erring on the wrong side because we like verbose error messages that tell us exactly how to fix things. Whether we like it or not, computers are used by far more Joe Users than geeks, and being told to check system information because they may need x86 or x64 is only going to lead to the "Computers are hard, I'll never figure them out" thought. I've seen a lot of discussion on oldnewthing and similar
Re: (Score:2)
So it sounds like you didn't work in the app compat group. MS is a big beast of an organization so it's forgivable to not know everything. They do have an entire group devoted to this. That's what the whole compatibility mode is for.
Re: (Score:1)
really? Lotus 1-2-3 2.2 runs fine in dosemu on Linux - earlier versions had copy protection on disk and won't run without hardware but 2.2 onward should run without copy protection
pay bounty money to get someone to port spreadsheet to 21st century...!
Re: (Score:2)
I guess the former co-worker that previously wrote shims at MS all the way up until she left there in 2012 was all in my imagination, then.
Re: (Score:1)
Funny. Windows 95 drivers that refused to install due to an OS version check in the installer worked perfectly fine after switching compatibility mode on... and Win7 having a WinXP virtual machine seamlessly built in ... but I guess your one instance means they don't care at all.
Re: (Score:2)
Score one more for MS [giphy.com]
Re: (Score:1, Flamebait)
For all those idiot shit-faces moderating this Informative, try reading "The Old New Thing" blog by Raymond Chen. He actually works for MS, and he details many instances of Windows backwards compatibility work.
Re: (Score:2)
That's an urban legend.
There was a code leak from Windows about 5 years ago that was very heavily analysed. Among the discoveries was that the coding style was very neat and convention quite good, comments were average, but among the leak were several such "urban legends" intended to ensure a software update kept certain programs working, one of them even called out a specific Symantec product in the comments.
Re: (Score:1)
Lotus 2.3 is old. Really, really old. As in 1991 old. We are talking about the DOS version, right? Didn't Lotus go straight to version 4 on Windows? I don't remember exactly... I never worked in a Lotus shop. There are versions released for windows into the 2000's, with support ending a couple of years ago. I'm going to go out on a limb and ask if you've tried updating to those versions? In theory you could chain together a series of format conversions to get to a modern spreadsheet - like Excel or
Re: (Score:1)
Re: (Score:2)
They put a lot of effort into press releases, brochures and presentations about backwards compatibility in each version.
FTFY.
Re:because in windows broken security is a feature (Score:5, Interesting)
Since when did MS seriously worry about compatibility between versions?
They made a huge effort in Windows95. You can read about it here [joelonsoftware.com] (though they've changed somewhat too). Quote:
Raymond Chen writes, "I get particularly furious when people accuse Microsoft of maliciously breaking applications during OS upgrades. If any application failed to run on Windows 95, I took it as a personal failure. I spent many sleepless nights fixing bugs in third-party programs just so they could keep running on Windows 95."
Re: (Score:3)
Had to go back 20 years to find an example so the point stands.
And yet the only actual counter-example that has been given by anybody so far is Lotus 1-2-3 version 2.3, which predates Windows 95 by four years.
I still run a 32-bit Windows 7 system as a games PC so I can run old games. I have been amazed to find games from Windows 95 era work, and been blown away when I found some old Windows 3.1 programs and tried them for a laugh only to find that they too worked.
Of course, these wouldn't work on a 64-bit version of Windows, since they lost the ability to run 16-bit ap
Re: (Score:2)
With all that going on in different versions, it makes me wonder about the truthfulness of the Anonymous Cowards who supposedly worked at Microsoft and who have been claiming that they had never heard backwards compatibility being mentioned there.
There's an AC who's been posting here for a while who somehow seems to be an expert on every subject. If it's a story about medicine, he says "I'm a doctor and...." If it's a story about law, he says, "I'm a lawyer and....." If it's a story about child abuse, he says, "I was abused as a child and....." But if you read the post carefully, there are frequently mistakes that draw the claims into question.....
Re: (Score:2)
The reason OS/2 failed is because it didn't include backwards compatibility, despite being a better operating system.
Re: (Score:2)
Q: Since when did abattoirs care about inducing stress in doomed cattle walking the ramp?
A: Ever since Temple Grandin showed them it was the easiest way to get the cattle to enter the building with the least effort in the most desirable condition.
I've been following Microsoft since forever.
True story: I went to a local homebrew meeting in the late seventies (I live on the Canadian side of the Pacific Northwest) and people were muttering
I really feel sorry (Score:2, Troll)
Re: (Score:2)
"I really feel sorry for those locked in to that OS, every day it seems there is a new problem with their security, and maybe MS should break backwards compatibility and fix that shit."
If Microsoft did that, they would lose the lock on those people, so that won't happen.
"Anyway, it's not my problem I've been MS free for years"
Me too. I should add, anyway, that you can't get completely free from Microsoft as long as you interact with other people, be it "you really need to have a look at this business powe
Re: (Score:3)
Backwards compatibility is what's keeping them in business, if you're going to break backwards compatibility you are better off just going straight to linux.
Re: (Score:2)
Re: (Score:2)
It happened to all versions of MSDOS as well (Windows 3.1 days). Hardware like dot-matrix printers, VGA, SVGA graphics boards would all depend on their own 16-bit DOS drivers. Those became useless once everything moved to 32-bit Windows 95. And again when everything moved to 64-bit Windows. Even moves from Windows XP to Windows 7/8/10 usually involved new drivers. Then there's being able to boot a PC from USB. Old PC's can't do that. Modern PC's can. Even UEFI has problems booting from CD/DVD unless the ma
Re: (Score:2)
Windows 95 made a point of supporting virtually all existing 16-bit Windows 3.1 drivers. This would occasionally cripple the 32-bit enhancements to things like file access and hard drives, but they'd work. In fact, this was the biggest reason Microsoft stuck with the "significantly enhanced Windows 3.x" kernel instead of just going to Windows NT-based at the time. Silliest thing I did was manually install the EGA driver from Win3.1 on Windows 95 (or 98? Can't remember) and run it with an EGA card. I also ha
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Windows safe mode gives you the same login options as a regular boot, just with minimal stuff loaded. On some versions (XP at least; I don't feel like rebooting my Win7 box to check it) you'll also have the normally-hidden Administrator account visible. This can be a problem for computers on domains - if you boot in pure safe mode and have a domain admin, getting logged in can be problematic. This is where Safe Mode with Network Support comes in handy.
Re: (Score:2)
On Millennia (Score:2)
The last millennium ended Dec 31, 2000 - in my time zone.
Re: (Score:1)
We start the count at 1, i.e. 2001. 1-2000, 2001-3000 etc.
1-1000, 1001-2000, 2001-3000, etc.
FTFY
Re: (Score:2)
We start the count at 1, i.e. 2001. 1-2000, 2001-3000 etc.
1-1000, 1001-2000, 2001-3000, etc.
FTFY
No, the first millennium AD was a leap millennium and included a bonus 1000 years.
Re: (Score:2)
That method of labeling millennia is quite frankly bizarre. When someone says "last millennium" I and many people will think up to 1999 Dec 31 at 23:59:59, which was pretty much the time when the big celebrations were.
So, essentially, this means... (Score:2)
...that Windows needs to be compatible with software that relies on security holes.
At least that's what I take from this statement.
Re: So, essentially, this means... (Score:2)
What it means is that this chain of exploits is about to become exceptionally popular as Microsoft can't fix them, thereby ensuring that soon even the least knowledgeable of script kiddies will be able to gain access to systems on which they're not welcome.
Nice (Score:3, Insightful)
Whatever you do, for the love of god, don't give us a broad outline of attack vectors, who might be vulnerable, or attack mitigation practices.
Re:RTFA (Score:5, Interesting)
Well, it assumes an awful lot. But I think they are saying they can, for example, spoof a ton of responses to any machine that MIGHT be about to connect to you, and thus gain some privilege escalation from that conversation. Quite how they get higher than the privileges assigned to the user making those requests isn't clear, but it sounds like it could be possible.
But they even think SMB signing might defeat it, but haven't finished looking into that (which is suggestive that it does indeed defeat it, to be honest).
The fake WPAD responses? I don't know about you, but my WPAD data is given out by my DHCP server, not by anything else, and I believe that overrides most things. It's then double-set by a GPO and a DNS entry too. You'd have to be in my network faking DHCP or able to override GPO settings and that's quite a way past what you need to be able to attack me anyway (P.S. my network switches will go ape-shit and cut you off if you do that).
They seem to be claiming that when something makes a request from the network for a WPAD query, they can fake every possible response until whatever was asking takes the FAKE response as genuine. That might well cause a machine to switch a proxy. But it would seem by that point to be already inside the network and able to do an awful lot worse damage anyway.
"Extended Protection for Authentication" is the mitigation for "the last stage of the attack" (where they are already spoofing WPAD settings and intercepting all web access from the machine in question, and just attack NTLM authentication via that for services that still try to use NTLM and WPAD entries). That was introduced in XP and Vista, by the way. I think by that point, you're fucked anyway.
I'm more interested in quite how something gets to do things like take up EVERY UDP socket on your system without otherwise cocking up and giving you tons of warnings elsewhere, and then manages to be in the line of fire for replying to a WPAD setting that's overridden by other browsers, by GPO, by DHCP settings, etc. and then use that to suddenly send all your requests to... yourself it looks like, and try to defeat NTLM auth.
It seems like one of these "LOOK HOW DANGEROUS" attacks that, although technically they aren't lying when they say they've got it to work on all these things, requires a combination of circumstances so extraordinary that you're already fucked before they start sending a packet.
The biggest problem I have? Minus some keywords that are pure filler in this article, there isn't a single mention of this that I can find anywhere else on a search engine. Literally, it's all regurgitated press releases with the same phrasing, ALL pointing to the same article. Yet it was supposedly released a while ago.
And the only thing we can apparently do about it at the moment is enable an option that breaks shit and only combats the very last stage, where it's already game over and they get to choose from a myriad of services that might trigger an NTLM-authenticated HTTP connection using a given WPAD proxy (which I imagine can't be that hard to find in major pieces of software or other areas of Windows).
Wait for a fix, or at least a decent analysis, but I wouldn't really go into a panic.
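The comment above names the controls a defender can actually check for the NTLM stage of this chain: SMB signing, Extended Protection for Authentication, and whether WPAD is even in use on the box. The read-only audit below is an added example, not code from the thread or from Foxglove Security; it reads the standard registry locations for those settings and the state of the WinHTTP Web Proxy Auto-Discovery service (WinHttpAutoProxySvc) and reports which ones are in the weaker state. The interpretation of each value in the comments is from Microsoft's documentation of those keys; the function name and the OK/WEAK labels are this example's own.

```powershell
# Added example: audit of the Hot Potato NTLM-stage mitigations discussed above.
# Read-only; run from an elevated PowerShell prompt on the host being checked.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Invoke-NtlmRelayMitigationAudit {
    $findings = @()

    # 1. SMB signing. RequireSecuritySignature = 1 on both the server (LanmanServer) and
    #    client (LanmanWorkstation) side; a relayed NTLM session cannot produce a valid
    #    signing key, so required signing blocks the relay-to-SMB case the comment mentions.
    foreach ($side in 'LanmanServer', 'LanmanWorkstation') {
        $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$side\Parameters"
        $req  = Get-RegDword -Path $path -Name 'RequireSecuritySignature'
        $findings += [pscustomobject]@{
            Check  = "SMB signing required ($side)"
            Value  = $req
            Status = if ($req -eq 1) { 'OK' } else { 'WEAK: signing not required' }
        }
    }

    # 2. Extended Protection for Authentication (channel binding), the control the comment
    #    names for the final NTLM-over-HTTP stage. An absent or 0 SuppressExtendedProtection
    #    value means EPA is enabled; any non-zero value turns it off system-wide.
    $epa = Get-RegDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'SuppressExtendedProtection'
    $findings += [pscustomobject]@{
        Check  = 'Extended Protection for Authentication'
        Value  = $epa
        Status = if (-not $epa) { 'OK (enabled)' } else { 'WEAK: EPA suppressed' }
    }

    # 3. LmCompatibilityLevel. 5 = send NTLMv2 only and refuse LM/NTLM as a server; lower
    #    levels leave weaker NTLM variants in play for whatever gets relayed.
    $lm = Get-RegDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'LmCompatibilityLevel'
    $findings += [pscustomobject]@{
        Check  = 'LmCompatibilityLevel'
        Value  = $lm
        Status = if ($lm -eq 5) { 'OK' } else { 'REVIEW: below 5, LM/NTLMv1 may be accepted' }
    }

    # 4. WPAD. If the host never uses proxy auto-discovery, a stopped and disabled
    #    WinHttpAutoProxySvc removes the WPAD lookup a spoofed answer would target. If WPAD
    #    is delivered by DHCP/GPO as described above, leave the service alone and rely on 1-3.
    $svc = Get-Service -Name 'WinHttpAutoProxySvc' -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Check  = 'WinHTTP Web Proxy Auto-Discovery service'
        Value  = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'not present' }
        Status = if (-not $svc -or $svc.StartType -eq 'Disabled') { 'OK (WPAD lookup off)' }
                 else { 'INFO: WPAD lookups active; confirm WPAD is set by DHCP/GPO/DNS' }
    }

    return $findings
}

# Usage: list the findings, weakest first.
Invoke-NtlmRelayMitigationAudit | Sort-Object Status -Descending | Format-Table -AutoSize
```

The script reports rather than changes anything, because, as the comment notes, requiring SMB signing and EPA can break older clients; flipping those values is a change-control decision for the domain, not something an audit script should do on its own.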
Sounds sexy (Score:3)
Hot Potato Exploit
Name me one potato exploit that isn't hot.
Re: (Score:2)
Hot Potato Exploit
Name me one potato exploit that isn't hot.
The couch potato achievement.
Clear priorities... (Score:2)
"All of these security flaws have been left unpatched by Microsoft, with the explanation that by patching them, the company would effectively break compatibility between the different versions of their operating system".
Because that is far more important than security.
"Windows, The Compatible Family: All Members Are Equally Vulnerable - And In The Same Way!!!"
Re: (Score:1)
It is. Nobody uses Windows because of security.
16 bits Windows 3 applications... (Score:2)
Re: (Score:2)
Re: (Score:1)
Dear Mr. Anonymous Troll, do you have any verifiable citation to support your typings?
Perfectly Secure Computer: unplugged (Score:2)
Linus did say that security is not the end-all be-all of Linux. [slashdot.org]
"Security in itself is useless. The upside is always somewhere else. The security is never the thing that you really care about."
Which is not to say that it's insecure; given that it runs on more devices than any other OS, any exploits would be huge. I'm not really sure how Windows security measures up these days, but I get the impression that the typical Windows install has a greater amount of exposed moving parts.
Re: (Score:1)
“I don’t think you have an alternative,” Torvalds said in the interview with The Post. “I don’t think you can design things better than they evolve.