Patched Windows Bug Was Actually a Dangerous Wormable Code-Execution Vulnerability (arstechnica.com)
Ars Technica reports on a dangerously "wormable" Windows vulnerability that allowed attackers to execute malicious code with no authentication required — a vulnerability that was present "in a much broader range of network protocols, giving attackers more flexibility than they had when exploiting the older vulnerability."
Microsoft fixed CVE-2022-37958 in September during its monthly Patch Tuesday rollout of security fixes. At the time, however, Microsoft researchers believed the vulnerability allowed only the disclosure of potentially sensitive information. As such, Microsoft gave the vulnerability a designation of "important." In the routine course of analyzing vulnerabilities after they're patched, IBM security researcher Valentina Palmiotti discovered it allowed for remote code execution in much the way EternalBlue did [the flaw used to detonate WannaCry]. Last week, Microsoft revised the designation to critical and gave it a severity rating of 8.1, the same given to EternalBlue....
One potentially mitigating factor is that a patch for CVE-2022-37958 has been available for three months. EternalBlue, by contrast, was initially exploited by the NSA as a zero-day. The NSA's highly weaponized exploit was then released into the wild by a mysterious group calling itself Shadow Brokers. The leak, one of the worst in the history of the NSA, gave hackers around the world access to a potent nation-state-grade exploit. Palmiotti said there's reason for optimism but also for risk: "While EternalBlue was an 0-Day, luckily this is an N-Day with a 3 month patching lead time," said Palmiotti.
There's still some risk, Palmiotti tells Ars Technica. "As we've seen with other major vulnerabilities over the years, such as MS17-010 which was exploited with EternalBlue, some organizations have been slow deploying patches for several months or lack an accurate inventory of systems exposed to the internet and miss patching systems altogether."
Thanks to Slashdot reader joshuark for sharing the article.
Win7 users beware (Score:3)
People on Win10 and Win11 who patch regularly, even if they delay the patches are protected.
Also, people on *nix-land are free of trouble.*
But not all machines with Win7 could be updated to Win10, even if the users wanted...
But, since support for Win7 for plebs like us ended on Jan 2020, and many of us plebs still use Win7**, unless MS releases the patch developed for paying customers as an emergency patch to the general public (like they did in 2017 with Wannacry, Three years after the end of support), Win7 Users are SOL.
* If you, Slashdotter, were able to migrate your Win7-only machine to linux/bsd/chromeOS, more power to you, I am also able to do it (if I wanted), but you have to realize that many people are not.
** Not me, I use MacOS + BootCampWin10***, but, for example, my brother still uses Win7 at his SMB fleet (~6 desks) because the people available in our hometown are not capable of keeping the machines on the Win10 that I installed way back when (that was a one-off, I am not in the business of tech support).
*** MacOS for day to day activities, including MSOffice, BootcampWin10 for project and visio, and other things required by corporate.
Re: (Score:2)
They should have stopped at win7. Kept patching as necessary but never did win8,10,11.
Re: (Score:2)
Also, people on *nix-land are free of trouble.*
This is quite funny when we have this [slashdot.org] only a story apart from the Microsoft one on the main Slashdot page :).
Re: (Score:1)
For this Windows one you don't need an account.
Re:Win7 users beware (Score:4, Interesting)
How about checking at the source?
https://msrc.microsoft.com/upd... [microsoft.com]
Sep 13, 2022
Windows 7 for x64-based Systems Service Pack 1
Security Only : https://catalog.update.microso... [microsoft.com]
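An added way to act on the advice above: check a Windows host against the September 2022 update list instead of guessing. This is example code written for this page, not from Microsoft or from the commenter; the KB number is a placeholder, because the page only gives the truncated MSRC and catalog links, so look the real KB up at the MSRC link and substitute it.

```powershell
# Added example: verify whether a given security update is installed on this host.
# KB number below is a PLACEHOLDER; take the real one from the MSRC page for CVE-2022-37958.
$KbId = 'KB0000000'   # <-- replace with the KB listed for your OS build on MSRC

# Get-HotFix reads the Win32_QuickFixEngineering class, which works on Win7 SP1 and later.
$installed = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $KbId }

if ($installed) {
    Write-Output ("{0} installed on {1}" -f $KbId, $installed.InstalledOn)
} else {
    Write-Output ("{0} NOT found; this host is missing the fix or the KB id is wrong" -f $KbId)
}

# Cumulative updates supersede older ones, so on Win10/11 a newer monthly rollup may
# carry the fix without this exact KB id appearing. List the most recent updates as a sanity check:
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn
```

Run this in an elevated PowerShell on each host you care about; for a fleet, the same check via `Get-HotFix -ComputerName` or your management tooling gives the inventory the article says organisations often lack.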
Re: (Score:2)
How about checking at the source?
https://msrc.microsoft.com/upd... [microsoft.com]
Sep 13, 2022
Windows 7 for x64-based Systems Service Pack 1
Security Only : https://catalog.update.microso... [microsoft.com]
Yes, of course Microsoft developed a patch for Win7, but that patch is only for Extended Paid Support customers, as of today (26/12/2022). It will not show on the updater of a normal version of Win7 used by Jill the plumber and Joe Six-pack...
And yes, there are hacks (or the high seas) to trick a run-of-the-mill copy of Win7 to get that patch, but again, those hacks are not within reach of Jake the plumber or Jane Six-pack.
Re: (Score:2)
So if I understand correctly, the security update for WannaCry was pushed through the Windows updater to all Windows 7 installations, but the current one requires manual installation.
Still, it is available for all to download and install.
The question I always ask in those cases is: did they bake in telemetry in the "security" release?
That's what I'd like to know before installing.
Re: (Score:2)
So if I understand correctly, the security update for WannaCry was pushed through the Windows updater to all Windows 7 installations, but the current one requires manual installation.
Still, it is available for all to download and install.
The question I always ask in those cases is: did they bake in telemetry in the "security" release?
That's what I'd like to know before installing.
The wannacry patch was pushed to all Win7 installs on god's green earth since all of them were on support at the time, as well as to all winXP installs (which were 3 years out of support at the time) as a sorta "goodwill patch".
Part (but not all) of the telemetry of Win10 was backported to Win7 and Win8 a couple of years after Win10 was released (2015~2017), so that ship has sailed, you will get neither more nor less telemetry in your Win7 if you install this patch.
Having said that, if you manually download
Re: (Score:2)
"If you have not patched since 2017 to "avoid MS telemetry" you have bigger problems than this exploit in particular."
Such as?
They have f****** remote exploits on OS level? (Score:1)
And then they do not even notice what is going on after having discovered the bug? What kind of back-road software shack is this "Microsoft"? Certainly not anything I would trust.
Re: (Score:2)
Is there any modern OS that hasn't shipped with remote exploits?
Even OpenBSD has.
Re: They have f****** remote exploits on OS level? (Score:2)
SEL4?
Re: (Score:2)
Good call. A quick search revealed nothing interesting.
But then why isn't its use more common place? I recall we looked at it a loooong time ago and setup/maintenance was a bitch but this was forever ago so I could be misremembering why we took a pass.
Re: (Score:2)
Yeah, it has its own build system, so setup would certainly be more painful than for other systems.
I also believe networking is either a new addition or something that was an optional unverified extra. (I don't recall if it's something they provided in the early days, or merely gave you a link to a TCP/IP stack you could use.)
IIRC, the proofs are mostly for the ARM and ARM64 builds, so that might be another reason for mainstream avoidance - greatly reduced confidence on x64 builds, so any flexibility or per
Re: (Score:2)
Very interesting, thank you.
Do you know if the reason for x86 not qualifying is things like spectre and other cpu level attacks?
Re: (Score:1)
same as these people?
https://it.slashdot.org/story/... [slashdot.org]
Re: (Score:2)
That is a privilege escalation for authenticated users. This one is a remote exploit (for anybody). I do get that the massive difference is lost on you.
Just a hint: an authenticated privilege escalation is a) not a remote exploit and b) not wormable.
Potentially much worse (Score:3)
This is potentially much worse than MS17-010, as it occurs in the authentication code used by multiple services...
MS17-010 *should* have been a non event at the time, the problem is users keeping backwards compatibility around.
MS17-010 vulns were all in SMBv1.
SMBv2 came out in 2006 (vista)
SMBv3 came out in 2012
The last versions of windows which required SMBv1 (xp/2003) reached end of life in 2014.
So by rights in 2017, everyone should have moved to SMBv2 if not SMBv3, and support for SMBv1 should have been turned off for several years already. If you had moved onto current technology and turned off the legacy junk then these vulns released in 2017 would not have affected you.
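The comment's practical point is that the MS17-010 exposure came from leaving SMBv1 enabled long after it was needed. As an added example (not from the commenter or from Microsoft's own tooling), the script below reports whether SMBv1 is enabled and, if you pass -Disable, turns it off. It uses two real mechanisms: the LanmanServer registry value documented by Microsoft for Windows 7 / Server 2008 R2 and later, and the Windows optional feature SMB1Protocol on Windows 8.1 / 10 / 11. The function name and the -Disable switch are this example's own.

```powershell
# Added example: audit and optionally disable the SMBv1 server on a Windows host.
# Requires an elevated PowerShell. Disabling SMBv1 breaks clients that only speak SMBv1
# (Windows XP / Server 2003 era, some old printers and NAS boxes), so audit first.
function Test-Smb1Server {
    param([switch]$Disable)

    $result = [ordered]@{}

    # 1) Registry switch valid on Win7 / 2008 R2 and later: SMB1=0 disables the SMBv1 server
    #    (Microsoft's documented method; absence of the value means SMBv1 is enabled).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1 = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $result.RegistrySmb1Enabled = ($null -eq $smb1) -or ($smb1 -ne 0)

    # 2) Optional feature present on Win8.1 / 10 / 11 (not on Win7); skipped if the cmdlet is absent.
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        $result.FeatureState = if ($feat) { $feat.State } else { 'NotPresent' }
    } else {
        $result.FeatureState = 'CmdletUnavailable (pre-Win8.1 host)'
    }

    if ($Disable) {
        # Registry path works on every supported version; reboot required for LanmanServer to pick it up.
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0
        if ($result.FeatureState -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
        $result.Action = 'SMBv1 server disabled; reboot to apply'
    }

    [pscustomobject]$result
}

# Audit only:
Test-Smb1Server
# Audit and disable (after confirming nothing on the network still needs SMBv1):
# Test-Smb1Server -Disable
```

Run the audit across the fleet first and look for SMBv1-only clients in the output of `Get-SmbSession` (Windows 8 / Server 2012 and later) before flipping the switch; the comment's argument is that by 2017 that list should already have been empty.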
Suspicious AF (Score:1)
I believe Heartbleed was a cryptographic backdoor. Not a bug.
I think that we're seeing rolling backdoors being created in the hope that those backdoors get replaced before 'other' actors discover them.
Seeing something as critical as this makes me wonder.