Microsoft Fixes Critical Remotely Exploitable Windows Root-Level Design Bug

An anonymous reader writes "In this month's Patch Tuesday, Microsoft has released nine security bulletins to address 56 unique vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, and Microsoft Server software. Of the nine security bulletins, three are rated Critical in severity, and among these three is one that addresses a years-old design flaw that can be exploited remotely to grant attackers administrator-level privileges to the targeted machine or device. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights." Reader jones_supa writes, though, that the most recent patch rollout came with a bug of its own, since corrected: the company apparently botched a rollup update for Visual Studio 2010 Tools for Office Runtime: "There is an issue with KB3001652: many users are reporting that it is locking up their machines while trying to install it. It does not seem that this patch is doing any other damage though, such as bricking the operating system. These days Microsoft appears to be reacting quickly to this kind of news as it looks like the patch has already been pulled from Windows Update."

This is your computer on Windows...

[msobkow]

SEGFAULT

Re:This is your computer on Windows...

[BreakBad]

FTA "this is a design problem not an implementation problem."

So....Microsoft designed a godmode exploit.

Re:This is your computer on Windows...

[gstoddart]

I bet they didn't so much design an exploit, as design another feature, implement it as designed ... and the discovered they'd made a gaping hole.

I suspect at this point the code is so complex they don't even know what it does any more.

Re:This is your computer on Windows...

[courteaudotbiz]

Bricking an OS? It's just like the guy don't actually know what a brick is. Bricking something is to break an actual object to the point where its only use is to be a doorstopper. Thie is the Urban Dictionnary quote:

brick
As verb: to brick something. This is the action of rendering any small-medium size electronic device useless. This can happen whilst changing the firmware, soldering or any other process involving either hardware of software.

I bricked my mobile phone when I tried to install Linux on it.

Haha! "When I tried to install Linux on it". Sounds funny reading that thread...

Re:This is your computer on Windows...

[ihtoit]

you mean like the desktop gadgets gadget? Yeah, I discovered yesterday while trying to install a lunar cycle widget that MS had deprecated the entire project, saying basically "Oh, we'd discovered that what we'd actually done was enable any old Joe Scumbag to completely own your computer via a widget you might actually find useful like live weather or news tickers".

So why the fuck is it still in my desktop context menu!?

Re:This is your computer on Windows...

[ihtoit]

I think most phones that don't actually come with Linux (read: Android) installed will actually brick when you try to install Linux on them, because the kernel simply isn't designed for the architecture.

Re:This is your computer on Windows...

[msobkow]

I found this article particularly amusing seeing as I'm not done re-installing my Windows 7 box from the latest attack to take it out from a couple of days ago. I don't even use the box for surfing or email; just for running database servers, builds, and playing internet media.

So it's got about the smallest attack surface you could imagine -- and it still has never survived more than 2 years without being nuked. None of my Windows boxes ever has.

Re:This is your computer on Windows...

well then pebkac.

Re: This is your computer on Windows...

I've been wondering that for years. :/

Re:This is your computer on Windows...

[tjbutt58]

Probably a developer's backdoor. There was allegedly a /etc/passwd backdoor propagated through gcc for many years - a truly legendary hack. Developers like to leave these so they can back in if something goes wrong (putting a benign spin on it). I've brok a pam config before and wished I had a backdoor...

oh you motherf~}NO_CARRIER

[ihtoit]

I read this just SIX MINUTES after I installed the bloody office runtime update.

Which, lucky me, didn't lock the system up. It seems to have installed pretty painlessly.

(wonder if that could be anything to do with the fact that I don't have Office installed?)

Re:oh you motherf~}NO_CARRIER

[Bacon+Bits]

It might be an extremely rare issue. Following the links in the article, the last update they pulled in August of 2014 was pulled because it was causing blue screen errors for 0.01% of users, but they pulled it anyways.

Re:oh you motherf~}NO_CARRIER

[ihtoit]

whoa, 0.01% of 800 million (a very conservative estimate of the installed base) is still 80,000. That's a number far greater than 0 and most definitely of concern if you're one of those 80,000.

Re:oh you motherf~}NO_CARRIER

Yeah, and that's why they pulled it, but that's still very rare.

Re:oh you motherf~}NO_CARRIER

[VGPowerlord]

I read this just SIX MINUTES after I installed the bloody office runtime update.

Microsoft already released a fixed version at least 12 hours before /. posted this story... and pulled the buggy version some hours (8?) before that.

In other words, by the time this story was posted, it was no longer relevant.

Re:oh you motherf~}NO_CARRIER

[WasteOfAmmo]

After some investigation it looks like the update may not have been configured to do a silent install properly and actually hangs as it is waiting for user input on an invisible dialogue box.

If you have a machine that does hang we have found the following:
1. wait until there is virtually no disk activity (counting on you have a light that shows you) and then power the machine down, or
2. use either PowerShell remoting or psexec to kill the two processes involved in the update: "Setup" and "vstor_redist".
With PowerShell: Invoke-Command -ComputerName hostname -ScriptBlock {Stop-Process -Name Setup,vstor_redist -Force}
With PSExec something like this will work:
Psexec \\hostname cmd
Taskkill /im Setup /f
Taskkill /im vstor_redist /f
Exit

If the machine is doing a number of updates killing the two processes above will allow the machine to continue with the rest of the updates.

Of course the standard disclaimers apply: No guarantees the above will help and not harm you computer, your mileage may vary, batteries not included, objects in code are buggier than they appear, yadda, yadda.

Re:oh you motherf~}NO_CARRIER

It's probably in the order of around 0-10% of that with a system that actually downloads and installs the patch before it is pulled (and I would guess a lot closer to 0 than to 10). That brings it down to a couple of thousand systems at most worldwide, which is probably less than the number of systems that go down each day due to catastrophic hardware failure. It really is next to nothing. Like the guy in the linked post said, 99.99% is pretty good in most jobs, it's a noble thought that he strives to do better, but I doubt it is realistically possible.

In contrast, 50% of the global population of computer users cannot even get past the installation instructions of the average linux distro. It's easy to think that anyone can do a flawless upgrade if all your friends are computer savvy, it's a different thing when you're dealing with a global population of average consumers.

The most insecure OS in the world

Windows - the most insecure OS in the world. There are probably more viruses, malware and ransonware than actual apps.

Re:The most insecure OS in the world

[monkeyzoo]

Windows - the most insecure OS in the world.

True, but only because Adobe never made an OS.

Re:The most insecure OS in the world

So what? By not installing spurious applications, a geek can these days keep his Windows installation malware-free very easily.

Re:The most insecure OS in the world

[sinij]

Please, the most insecure OS in the world is Linux (Damn Vulnerable Linux)

Re: The most insecure OS in the world

[AcerbusNoir]

Can't argue with that.

There was a time when Sun's (now Oracle) Solaris was considered the swiss cheese of operating systems.

Re:The most insecure OS in the world

And designed to be a security teaching tool.

Not a production system.

Re:The most insecure OS in the world

[Archangel+Michael]

True. But Adobe already creates exploits for all the other OSes in the world, so they don't need to actually create an unsecured OS.

Re:The most insecure OS in the world

[ihtoit]

uh... DVLinux is a security training tool and sandbox for SELinux component testing, not a production desktop platform.

Re:The most insecure OS in the world

[The-Ixian]

Yes, as much as I hate to admit it, I have had WAY more Linux servers exploited than Windows servers.
 
I have set up hundreds of Windows Small Business servers and less than half as many production Linux servers. I only recall having 1 Windows server exploited, and that was because the customer set up an admin-level user with an extremely simple password and then opened RDP to the world.
 
On the other hand, I have had several Linux servers exploited via ProFTPD, Horde, Sendmail and other vulnerable services.

Re:The most insecure OS in the world

As much as I hate to say it, that is not a Windows exploit, but a PEBKAC issue...

Re:The most insecure OS in the world

Its all about attack surface bro.

Those windows SMB servers you likely firewalled away from the internet, zero exposed (inbound) services. They're only used to provide services to systems on the local network. Maybe you have SMTP exposed for inbound mail. (Today, though, running your own exchange server(s) for anything smaller than an enterprise is for suckers. Much cheaper to purchase hosted exchange service, and you don't have to deal with your IP blocks being blackholed)

Those linux servers, on the other hand, were probably internet facing. Providing services anyone on the wild wild interwebs could hammer. If you put those windows servers in the same situation you'd see them pwnd too.

Re:The most insecure OS in the world

[sinij]

Yes, but GPP did not specify "a production desktop platform". My point was that blanket "X OS is the most insecure" statements are largely pointless. With enough effort and expertise you could secure any OS, or you could exploit any OS, even when airgaped. With enough ignorance you could misconfigure even the most secure OS. The devil is in the details.

Re:The most insecure OS in the world

So, you're some sort of MSCE or similar. Screwed Linux up royally, eh?

I have also set up a number of Linux servers, and none of them ever got pwned. Not even with Heartbleed; many apparently tried, according to the logs I've seen, but it's hard to get past the wrong version of OpenSSL. Similarly, many tried exploiting Shellshock - within a few hours - but it's hard to get past /bin/ash as the shell for web scripts.

Re:The most insecure OS in the world

[Archtech]

"True, but only because Adobe never made an OS".

A man's gotta know his limitations. And they do.

Re:The most insecure OS in the world

[westlake]

Windows - the most insecure OS in the world. There are probably more viruses, malware and ransonware than actual apps.

I doubt it.

Download.com alone hosts over 51,000 Windows apps. Search Results for all Windows, Sourceforge, 16,000, 2,200 certified Fresh.

Amazon.com 22,000 for retail sale. PC Software

You could make a very strong case for Android being the most insecure, incompetently planned and managed OS in the wild.

Google's position is complicated, because it has produced a platform that it has no power to update. There's no Windows Update for Android phones, and Google has no ability to push out updates to the operating system; it has to depend on a range of OEMs and network operators to adopt its source code changes and distribute them to users. Both Apple and Microsoft, in contrast, have a direct channel to update their mobile operating systems.

Google won't fix bug affecting 60 percent of Android users

Re:The most insecure OS in the world

[VGPowerlord]

True, but only because Adobe never made an OS

A man's gotta know his limitations. And they do.

Funny story... Oracle (née Sun) makes an Operating System.

Re:The most insecure OS in the world

Those windows SMB servers you likely firewalled away from the internet, zero exposed (inbound) services. They're only used to provide services to systems on the local network.

...said everyone from the Iranian engineerss to the Chief Security Officer at Anthem/BlueCross/Wellpoint, just before they got pwn3d.

Re:The most insecure OS in the world

[Ravaldy]

Also the most popular hence the attrition to it's security flaws.

Re:The most insecure OS in the world

Technically, it's not adobe's fault that their crappy software is a gateway to OS-level exploits, it's STILL the OSes fault. This makes both Windows and OSX look very bad.

Re:The most insecure OS in the world

[dfsmith]

You don't count PostScript as an OS? It's so much more than a language....

Re:The most insecure OS in the world

[Zaiff+Urgulbunger]

Windows - the most insecure OS in the world.

True, but only because Adobe never made an OS.

True. But Adobe already creates exploits for all the other OSes in the world, so they don't need to actually create an unsecured OS.

AFAIK no Adobe software even runs on Raspberry Pi, but never-the-less, flash can crash it. The mere "aura" of Adobe can break things! :D

Re:The most insecure OS in the world

I think they make another one too... don't they have versions of their database that run on bare metal?

Re:The most insecure OS in the world

[nuckfuts]

The security of an operating system should be judged by its default configuration, not by how insecure it is after you've installed a bunch of 3rd party apps. Even a security-oriented OS like OpenBSD can't prevent other people from doing insecure things to it.

You heard it here first.

It's almost like they are trying to keep some vulnerabilities open for some client...

Clench your buttcheeks

Windows Updates are just the worst. You never know how it's going to fuck up your system, and if it'll happen instantly or weeks down the road, but it always will.

Tough decision

[monkeyzoo]

Would I rather my computer be bricked or p0wned?
In one case I potentially lose my data, in the other, bad guys potentially get it all.

Re:Tough decision

Would I rather my computer be bricked or p0wned?

Bricked. A bricked computer can't be p0wned. A p0wned computer can still be bricked, and by someone else.

Re:Tough decision

[mlts]

I may be a bit pedantic, but how can a general purpose laptop or desktop computer get bricked, unless part of the exploit overwrote the firmware, causing the machine to not be able to be booted?

The OS might need to be repaired or reinstalled, but generally the data should be recoverable.

Of course, having backups is a wise idea.

Re:Tough decision

[Archtech]

Definitely bricked. It's axiomatic that your data is more valuable than your hardware - since you have it all backed up, you just buy new hardware and you are set. (Although you might want to consider changing your OS).

In fact, I have heard security professionals opine that a brick is the ideal secure IT system. It can't store any data, it can't do any computing, and it doesn't do you any good except as part of a wall (or something handy to throw at a politician). But it is VERY secure indeed.

Re:Tough decision

I may be a bit pedantic, but how can a general purpose laptop or desktop computer get bricked, unless part of the exploit overwrote the firmware, causing the machine to not be able to be booted?

welcome to UEFI land

Re:Tough decision

[dimeglio]

Ah yes; but a bricked computer can't be used, a p0wned computer can still be used - sometimes by many.

Re:Tough decision

[jhantin]

Let me Google that for you.

Re:Tough decision

I had to kill Vs2010ToolsSetup.exe*32 or something like that, but my machine isn't bricked.

VS2010 patch locks up OS?

[jfbilodeau]

Why would a patch for an IDE lock up an OS?

Is Microsoft able in any way to create products that are not intractably entrenched in their OS?

Re:VS2010 patch locks up OS?

[Rich0]

In the case of VB it might have to do with the way it installs a debugger (assuming it still does that - has been ages since I've used it).

It is still a stupid design. In Linux I can debug a process without elevated privileges whatsoever. Now, messing with kernel debugging tools could potentially crash your system and requires elevated privileges, but, well, you're messing with the kernel.

Now, I could see a botched installer going nuts and killing other processes or whatever, requiring a user to log off and back on. You can't really prevent that sort of thing without going the SELinux route and restricting what a user's own processes can do within the context of their own account. If in linux as an unprivileged user I type "killall --user myself --signal SIGKILL" then I'm going to see a "crash" of sorts, but I'll just end up being dumped back at a getty or XDM screen or whatever.

Re:VS2010 patch locks up OS?

[jfbilodeau]

"killall --user myself --signal SIGKILL"

Sounds like the type of code a VB developer would write on Linux. :P

Re:VS2010 patch locks up OS?

[Pope+Hagbard]

It's not a patch for the IDE, it's for the runtime for programs built with that version of Visual Studio (there are such runtimes for all versions of VS). It sounds like the computer can freeze during patch installation.

Re:VS2010 patch locks up OS?

[gstoddart]

Historically, they've used APIs the rest of us don't see, and since this is also a debugger and who knows what else ... it's probably embedded quite deeply into the OS.

Part of the problem is Microsoft's own software has pretty much always been intractably entrenched in the OS, and they've never seen that as an issue.

It doesn't sound like a modular architecture .. it sounds like they just view all of this as one monolithic thing.

Which is probably why they have a terrible track record of supporting other platforms. Because support for something else is hard even for them.

Re:VS2010 patch locks up OS?

It is also called "logout". :)

Re:VS2010 patch locks up OS?

[Ravaldy]

I've seen this issue twice (we have a few VS2010 enabled machines). If you apply the patch by going into the Windows Update screen it will simply attempt to install in an infinite loop and you can simply end the process using the task manager. If you shutdown the system while the patch is pending to be installed, Windows will attempt to perform the update before completing the shutdown procedure. This is what creates the appearance of a lock up. Because the patch never appears to end, it remains in shutdown mode for as long as you don't reboot manually. This is very different than an actual OS lock. Just though I'd clarify.

Re:VS2010 patch locks up OS?

[Rich0]

"killall --user myself --signal SIGKILL"

Sounds like the type of code a VB developer would write on Linux. :P

Just an illustration, but I have run stuff like this to clean up orphan processes. If you're running systemd there are also settings you can change which will cause it to clean up orphan processes as well (just don't do this if you like to leave stuff running under screen and so on).

Re:VS2010 patch locks up OS?

The answer is yes. They do publish some quality app for Android and iOS.

But to the point: In your statement Microsoft can be replaced by any company.

> Is Apple able in any way to create products that are not intractably entrenched in their OS?

> Is Google able in any way to create products that are not intractably entrenched in their Services/OS?

> Is Taco Bell able in any way to create products that are not intractably entrenched in their Menu?

> Is HP able in any way to create ink cartridges that are not intractably entrenched in their printer?

Seems I didn't get that patch

[monkeyzoo]

I updated immediately after release on 2/10, but I don't have the patch mentioned. I presume that is because I don't have Visual Studio installed?

Re:Seems I didn't get that patch

[eyenot]

Probably so. I just checked the incoming updates and the problematic one was in the list, and I do have VS2010 installed. However, I did not install the particular subgroup of tools that the patch is mentioned to target. Good thing I crawled through the list looking for the specific KB#'s of incoming updates and unchecked it. If I were less cautious I would have been hitting "Install" feeling safe under the assumption that since I didn't have those tools installed in VS2010 that I would not be targeted for that update.

Re:Seems I didn't get that patch

Visual Studio Tools for Office (VSTO) is a runtime - you often don't know you have it installed as it would come as a dependency with another application. It is generally safe to say that if you don't have MS Office installed, you don't have VSTO installed either because the applications written with VSTO are generally ad-ins for Office. Things like WebEx scheduling ad-ins for MS Office Outlook, etc.

It could've been worse ... oh wait....

[davidwr]

"Microsoft Does Not Fix Critical Remotely Exploitable Windows Root-Level Design Bug"

To all Windows Server 2003 users still out there: Oh wait...

Or even worse:

For the last several years there's been a critical no-workaround vulnerability that even the vendor didn't know about. Oh wait...

Re:It could've been worse ... oh wait....

Not to defend Microsoft here, but Server 2003 is out of support in a couple of months anyway so if you've not moved off it by now you're just going to have to get used to not getting patches for it any more.

Re:It could've been worse ... oh wait....

Yeah, fucking capitalist assholes! Forcing people to upgrade to one of the last few versions of their operating system!

I mean EVEN Debian still makes security packages for Potato and Woody! ... right?

Re:It could've been worse ... oh wait....

[peppepz]

The interesting part is not so much that they're no longer fixing bugs in Windows Server 2003, but rather the reason why they aren't:

Although Windows Server 2003 is an affected product, Microsoft is not issuing an update for it because the comprehensive architectural changes required would jeopardize system stability and cause application compatibility problems.

In practice they're admitting that Windows 2003 is so broken by design that not even them can fix it without causing problems. I'd like to hear now the opinion of those who were lamenting over the quality of open source software after the heartbleed bug.

Re:It could've been worse ... oh wait....

[davidwr]

I mean EVEN Debian still makes security packages for Potato and Woody! ... right?

I don't know if Debian does or not (I'm going to assume not based on your tone), but at least Debian's customers have everything they need (except maybe skill and time) to fix it themselves.

Microsoft customers? Not so much.

Re:It could've been worse ... oh wait....

And realistically, how many people are going to do that instead of just upgrading to a distro from the last decade?

TFA Says Patch is Fixed

[Bacon+Bits]

The article says the patch has already been updated and is safe to install.

Re:TFA Says Patch is Fixed

[WasteOfAmmo]

Yes, except... if your machine still has updates outstanding then from what we have seen it is best if you "check for updates" again before installing them. It looks like if the patch was already downloaded then it will install unless you refresh by checking for updates again before installing.

Design "Bug"

[MagickalMyst]

Hahahahahhahahaha... breathe.. hahahahaha

Serious IE 11 Vulnerability is left out

[neo00]

Apparently the update left out a serious universal XSS vulnerability in IE11 unpatched. Source
Vulnerability Full Disclosure - 31 Jan 2015

PowerShell module

For those who want to try it out, this stuff can now be managed also from CLI using the Windows Update PowerShell module. :)

No patch for XP

[ugen]

How convenient that 15% of all Windows computers are (and will remain) vulnerable to this problem (yes, I mean Windows XP). Good one.

Re:No patch for XP

Don't join the system to the domain. That avoids the really critical one.

Re:No patch for XP

Yeah if you can't afford to use something other than XP you get what you deserve.

Re:No patch for XP

It's amazing that XP is so bug-ridden that there are still critical vulnerabilities left after 12 years of patching. Even more amazing is that people are lining up to buy Windows 10 from the same company.

Re:No patch for XP

Err Mah Gerd, There's no patch for Windows 95 either!! Microsoft sucks, Microsoft is evil!

Re:No patch for XP

Except if it were Linux, someone would've back-ported the patch. See the difference?

Re:No patch for XP

[bobbied]

It's amazing that XP is so bug-ridden that there are still critical vulnerabilities left after 12 years of patching. Even more amazing is that people are lining up to buy Windows 10 from the same company.

But, but, it's going to be BETER... They changed the name and upped the version number to 10!

Re:No patch for XP

Unless they didn't. See the difference?

Re:No patch for XP

Would they really? How many security/new technology updates for 2001-era Linux distros do you see?

Re:No patch for XP

[CaTfiSh]

That's mighty cavalier of you, but the fact remains that exploited machines affect the rest of us as well.

Sad Hacker

[sir-gold]

Somewhere in the world, there is a hacker crying into his keyboard right now, because MS finally found the hole he's been exploiting for the last 10 years.

Re:Sad Hacker

No hacker, no cry.

Re:Sad Hacker

[H0p313ss]

No hacker, no cry.

I remember when we used to sit
In the IRC channel in Trenchtown, yeah...

Re:Sad Hacker

[cyberchondriac]

I think you meant, "Somewhere in the world, there is a **script-kiddie** crying into his keyboard right now, because MS finally found the hole he's been exploiting for the last 10 years."

Re:Sad Hacker

[toddestan]

The script kiddie would have no idea that the security hole they were exploiting was fixed until they suddenly find out that their l33t hax0r t00lz no longer work.

Important details

[Hiroto.+S]

SpaceX would use portable “port-o-potties” during landing operations.

The XP Killer?

[bill_mcgonigle]

We've been waiting for that vulnerability that will finally create such havoc on XP that people will abandon it.

The security bulletin is vague, as usual, but it does say:

A remote code execution vulnerability exists in how Group Policy receives and applies policy data when a domain-joined system connects to a domain controller. To exploit this vulnerability, an attacker would have to convince a victim with a domain-configured system to connect to an attacker-controlled network.

An attacker who successfully exploited this vulnerability could take complete control of an affected system and then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by improving how domain-configured systems connect to domain controllers prior to Group Policy accepting configuration data. ...

Although Windows Server 2003 is an affected product, Microsoft is not issuing an update for it because the comprehensive architectural changes required would jeopardize system stability and cause application compatibility problems. Microsoft recommends that security-conscious customers upgrade to a later operating system in order to keep pace with the changing security threat landscape and benefit from the more robust protections that later operating systems provide.

Which would seem to put the XP/2003 lineage one malware download away from connecting to a botnet that spoke just enough Domain protocol to exploit it and being pwned.

NSA could have such an exploit ready next week, Russian mafia in a month. The Prize is controlling close to 19% of the installed base.

Re:The XP Killer?

[Dwedit]

Everyone runs Admin on XP anyway, so privilege escalation is less of a problem than it could be.

Re:The XP Killer?

Did you even read the description?

This exploit only works on machines that:
1) Are members of an 'active domain' (i.e. corporate machines).
2) Are connecting to an exploited domain server.

I would figure that the majority of XP installs are on home computers _or_ on corporate machines that aren't connecting to a hacked AD server..

Re:The XP Killer?

[tlhIngan]

We've been waiting for that vulnerability that will finally create such havoc on XP that people will abandon it.

It only affects domain-joined PCs. If you're running XP Home (can't join a domain to begin with), then it really doesn't affect you.

It's a basic downgrade attack - similar to how those TLS bugs were done. You force the client and/or server to revert to an older less secure authentication protocol and then use that to get your way in.

And most businesses have moved off XP.

Re:The XP Killer?

[skids]

1) Are members of an 'active domain' (i.e. corporate machines). ...Microsoft's bread and butter...
2) Are connecting to an exploited domain server. ...no, they just have to be in a place that a fake domain server can forge packets pretending to be from the real one.

Given the state of ethernet security these days (some vendors even still sell brand spanking new switches without ARP/IP validation features) that is not a hard environment to find.

Re:The XP Killer?

ARP/IP validation features?
Do you even understand what you are talking about?

Re:The XP Killer?

[antdude]

Are there still that many business using old Windows XP Pro SP3 with domain connections?

Just you wait...

I'm sure all the fans will blame this on Linux and open source too somehow.

Re:Just you wait...

[BronsCon]

Well, of course! All the hackers use Linux and other Open Source software because they don't want to be vulnerable to the same exploits they're using! Damn Linux! :P

Patching is NOT ENOUGH

[jeffasselin]

One very important part of this latest vulnerability is that patching your systems is NOT ENOUGH. The patch is not so much a fix as an entirely new security functionality which must be configured properly.

It is required to configure a group policy to harden your systems. Any domain-joined system must have both the patch installed and a group policy setup to force the system to use secure authentication and validation mechanism on any sensitive share. Domain shares such as NETLOGON and SYSVOL are an obvious priority, but any share used for software deployment or script execution must be similarly listed.

Make sure you read the KB article and take the proper steps to secure your systems:

https://support.microsoft.com/...

Re:Patching is NOT ENOUGH

NO, that's just retarded. The only viable solution is to rid of AD and use Samba on Linux, fucking sheeple!

Re:Patching is NOT ENOUGH

Well, considering this is an MITM attack that targets a service that is typically only used on private internal networks (That likely use switches), or computers connected to one over VPN this is a bit less serious.

Patch and configure for sure, but you'd have to impersonate a DC to attack a vulnerable system. Thats typically not something you can do remotely. Though if you had a foothold on an internal system (a trojaned box or somesuch) you could conceivably try to impersonate one of the DCs to start attacking other machines.

Re:Patching is NOT ENOUGH

[skids]

Well, considering this is an MITM attack that targets a service that is typically only used on private internal networks (That likely use switches), or computers connected to one over VPN this is a bit less serious.

You vastly overestimate the competency of corporate LAN departments. When the LAN is not properly hardened, and it very often isn't, all you need is one owned box/printer inside the broadcast domain to own all the AD Windows clients in that broadcast domain.

Re:Patching is NOT ENOUGH

[jeffasselin]

The problem in this case is that there are workarounds allowing you to impersonate a DC. For example, someone could sniff your DNS requests and use ARP poisoning to redirect your requests for GPO files or login scripts to its own servers, and Windows would automatically downgrade its SMB security to connect to this fake DC. This could easily be done to a computer connecting in a remote network, even if its corporate trafic is in a VPN. Read up on this article from the guys who found the vulnerabiltiy:

https://www.jasadvisors.com/ab...

One issue which Microsoft also did not mention is how AD-joined Windows systems by default leak a lot of info, and will send out DNS requests for domain resources from ANYWHERE. It doesn't matter that the servers aren't available from the Starbucks WiFi, Windows will still do DNS requests for "domain.local" and try to run "\\domain.local\NETLOGON\logon.bat".

Re:Patching is NOT ENOUGH

He's right, we're pretty much all total dumbasses and fuckups. Our admin passwords are all 12345 because I actually can't count any higher.

In other words, go fuck yourself.

Russian Mafia Re:The XP Killer?

NSA could have such an exploit ready next week, Russian mafia in a month. The Prize is controlling close to 19% of the installed base.

Don't underestimate the Russian Mafia.

Don't underestimate the NSA either - they've probably had an exploit in their arsenal for awhile now.

Re:Russian Mafia Re:The XP Killer?

Let me suggest another scenario:
NSA have had the exploit for years since they asked for it to be put there.
It was only removed just now since the Russian Mafia found and started to use the exploit.

Fancy Vulnerability Name

[organgtool]

Why is it that this bug doesn't have a fancy name like Heartbleed and Shellshock? Given that this bug will allow an attacker to completely dominate the target machine, I recommend the name "Skullfuck".

Re:Fancy Vulnerability Name

[jones_supa]

Actually the vulnerability has been nicknamed "JASBUG". JAS Global Advisors founder Jeff Schmidt cooperated with Microsoft to fix the bug behind the scenes during 2014, while he was working an engagement with ICANN.

Re:Fancy Vulnerability Name

[ihtoit]

Seconded. I'm surprised nothing called "Skullfuck" has hit the security newswires to date...

Re:Fancy Vulnerability Name

[BronsCon]

Damn, sad to hear that... WindowPain would have been a better fit. That or Glasscutter since, you know, it lets pretty much anyone cut a huge hole in Windows.

Re:Fancy Vulnerability Name

[freeze128]

Maybe they should have called the patch "ICANN FIXIT".

It's funny...

Fixes like this happens all the time in software. Why is it critical news when it's Microsoft and not Linux or Unix? Considering the vast majority of Internet-connected servers are not Microsoft?

I know I know, I'm a shill or something. I'll move on.

Re:It's funny...

Maybe because 80% of home computers are running Windows?

I know that you don't think of things before spouting off bullshit questions, but could you at least refrain from making them so fucking dumb?

TIA, the world.

Re:It's funny...

And how many of those home machines are using Active Directory Group Policy, genius? Or did you not even bother reading the article?

Maybe you should think before spouting bullshit.

Re:It's funny...

[toddestan]

Did you manage to sleep through the big new stories the past year about 'Heartbleed' (OpenSSL) and 'Shellshock' (bash)?

Re:It's funny...

[Gunstick]

and glibc "ghost"
oh wait...
that one was mostly a publicity stunt from the security company.

KB3013455

[Old+Aylesburian]

After successfully forcing the machine to reboot into safe mode last night (to stop a perpetual cyclic restart) I found that the screen fonts were being incorrectly rendered to the point of being unreadable. Hours later it turned out to be KB3013455, now uninstalled. Today several sites say that this affects Vista and several flavours of Windows Server.

Re:KB3013455

Same thing happened to me.

Re:KB3013455

That's why I would rather risk getting my computer pwned than to risk getting it bricked or rendered unusable.

And that's also why I disable auto updates.

Microsoft's patch quality standards have dropped significantly since Nadella took helm. Maybe he outsourced the patch testing division, who knows?

Let the early guinea pigs patch first. If nothing happens, after a few weeks or months then MAYBE I'll consider doing Windows Update.

Meanwhile, have fun interacting with the nincompoops on the Microsoft feedback forums and looking up the KB number of the faulty patch.

Re:KB3013455

[Old+Aylesburian]

To be fair the problem may have been caused by a local configuration e.g. I have many fonts and work in three scripts, one of which is right-to-left. The testers might simply have overlooked that particular case. OTOH...

Just so I understand

[WaffleMonster]

Everywhere I look people still blissfully using completely insecure authentication methods for VPN access effectively broadcasting plaintext passwords to anyone snooping the wire... but hey at least if someone tricks you into connecting to their evil network Microsoft has your back.

Would love an education how this bug is worthy of mention while other much more egregious issues such as true type vulnerabilities affecting anyone who browses to an attacker controlled website were also patched.

Re:Just so I understand

[Gunstick]

on patch day, not only the trutype thingie got fixed, but 35 other remote code executions in MSIE.
thirtyfive!
Shows code quality.

Looks like the bug was in credential sharing

[140Mandak262Jamuna]

The fine article is quite skimpy on the details about who is vulnerable. Throw in a little "If attacked" at the beginning of the sentence and then tack on all sorts of scary things. Sort of like, "If zombies were real." then write a whole host of scary things.

From what I could make out, the bug is in credential sharing across a network. If some computer configured to be part of remotely administered network "joins" the network controlled by the attacker, then the attacker can get admin privilege. Most home computers and small business computers are locally managed not remotely managed. So medium to large company computers which are typically administered by dedicated IT departments are at risk. To be at risk this computer must be persuaded to "join" another network controlled by the attacker. It involved editing the workgroup/network setting of the computer. So it would involve some social engineering to get the user to run a malware trojan, a script or an executable to change the settings. But, at that point, once they run a trojan, you can't help them.

Looks like the bug is in networked machines sharing credentials.

Re:Looks like the bug was in credential sharing

[skids]

So it would involve some social engineering to get the user to run a malware trojan

Not even wrong. Any machine joined to a domain can be tricked into believing another machine is the server in that domain, and then that other machine installs a new group policy disabling all the protections set up by the legitimate domain admin. No social engineering required, just a way to successfully deliver forged packets or poison DNS.

For Microsoft, vulnerabilities are profitable.

[Futurepower(R)]

"Windows - the most insecure OS in the world."

Microsoft makes more money if Windows has vulnerabilities. See this article, for example: Corrupted PC's Find New Home in the Dumpster .

Re:For Microsoft, vulnerabilities are profitable.

Microsoft makes even more money by withholding critical patches from older software, make up some bullshit about software end of life, just to coerce users to upgrade to the latest and greatest offerings.

Planned obsolescence - keeping shareholders, MBAs and corporate America happy.

Patch breaks Cisco Anyconnect VPN client too

[Kernel+Kurtz]

Cisco opened a priority 1 case with Microsoft yesterday as soon as we found out about this issue. We are continuing to escalate this issue with Microsoft for a resolution timeframe. We recommend that all customers open their own cases with Microsoft since the ultimate fix will need to come from them. You can feel free to reference Cisco's case # which is 115021112390273 in order to expedite having your ticket properly triaged by their support team.

https://supportforums.cisco.co...

Comment removed

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion

"i wan to shot something"

how many FPS (frames-per-second) will this "update" kill in FPS (first-person-shooter)?

Let's just wait for Windows 10

Let Microsoft sort out its sorry mess first.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Windows 7 with nothing else

I run windows 7 with no IDE, am I still vulnerable?

lmao

you think the NSA are better coders than the russians?

keep dreaming imperialist scum!

Windows XP?

[fluor2]

Is Windows XP affected?

Re:Windows XP?

[Gunstick]

yes. and not patched.
like windows 2003, which is stull in support, but so badly designed that a patch is not possible.