Microsoft Fixes Critical Remotely Exploitable Windows Root-Level Design Bug
An anonymous reader writes "In this month's Patch Tuesday, Microsoft has released nine security bulletins to address 56 unique vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, and Microsoft Server software. Of the nine security bulletins, three are rated Critical in severity, and among these three is one that addresses a years-old design flaw that can be exploited remotely to grant attackers administrator-level privileges to the targeted machine or device. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Reader jones_supa writes, though, that the most recent patch rollout came with a bug of its own, since corrected: the company apparently botched a rollup update for Visual Studio 2010 Tools for Office Runtime: "There is an issue with KB3001652: many users are reporting that it is locking up their machines while trying to install it. It does not seem that this patch is doing any other damage though, such as bricking the operating system. These days Microsoft appears to be reacting quickly to this kind of news as it looks like the patch has already been pulled from Windows Update."
I read this just SIX MINUTES after I installed the bloody office runtime update.
Which, lucky me, didn't lock the system up. It seems to have installed pretty painlessly.
(wonder if that could be anything to do with the fact that I don't have Office installed?)
Would I rather my computer be bricked or p0wned?
In one case I potentially lose my data, in the other, bad guys potentially get it all.
Why would a patch for an IDE lock up an OS?
Is Microsoft able in any way to create products that are not intractably entrenched in their OS?
Goodbye Slashdot. You've changed.
I updated immediately after release on 2/10, but I don't have the patch mentioned. I presume that is because I don't have Visual Studio installed?
Windows - the most insecure OS in the world.
True, but only because Adobe never made an OS.
The article says the patch has already been updated and is safe to install.
The road to tyranny has always been paved with claims of necessity.
FTA "this is a design problem not an implementation problem."
So....Microsoft designed a godmode exploit.
Apparently the update left a serious universal XSS vulnerability in IE11 unpatched.
Source: Vulnerability Full Disclosure - 31 Jan 2015
Please, the most insecure OS in the world is Linux (Damn Vulnerable Linux)
Can't argue with that.
There was a time when Sun's (now Oracle's) Solaris was considered the Swiss cheese of operating systems.
Somewhere in the world, there is a hacker crying into his keyboard right now, because MS finally found the hole he's been exploiting for the last 10 years.
And designed to be a security teaching tool.
Not a production system.
We've been waiting for that vulnerability that will finally create such havoc on XP that people will abandon it.
The security bulletin is vague, as usual, but it does say:
Which would seem to put the XP/2003 lineage one malware download away from connecting to a botnet that spoke just enough Domain protocol to exploit it and being pwned.
NSA could have such an exploit ready next week, Russian mafia in a month. The Prize is controlling close to 19% of the installed base.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
One very important part of this latest vulnerability is that patching your systems is NOT ENOUGH. The patch is not so much a fix as an entirely new security functionality which must be configured properly.
It is required to configure a Group Policy to harden your systems. Any domain-joined system must have both the patch installed and a Group Policy set up to force the system to use secure authentication and validation mechanisms on any sensitive share. Domain shares such as NETLOGON and SYSVOL are an obvious priority, but any share used for software deployment or script execution must be similarly listed.
Make sure you read the KB article and take the proper steps to secure your systems:
https://support.microsoft.com/...
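The point made above, that the update only adds a capability and does nothing until the "Hardened UNC Paths" policy is configured, is easy to check and apply from an elevated PowerShell prompt. The script below is an added example for this thread, not code from Microsoft or from the KB article: it audits the registry values that the Hardened UNC Paths policy writes (Computer Configuration > Administrative Templates > Network > Network Provider > Hardened UNC Paths), sets them for NETLOGON and SYSVOL, and checks that the MS15-011 update is actually installed. The deployment share `\\deploy.corp.example\software$` is an assumed placeholder; replace it with whatever shares you push software or scripts from.

```powershell
# Added example, not from the thread or from Microsoft.
# Audits and applies the Hardened UNC Paths settings that MS15-011 introduces.
# Without these values a patched client still accepts unauthenticated,
# unsigned SMB connections to NETLOGON/SYSVOL, which is the attack the
# bulletin describes. Run elevated; on a domain member prefer to ship the
# same values through a GPO so they are enforced rather than set by hand.

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$Required = 'RequireMutualAuthentication=1, RequireIntegrity=1'

# Shares that must require Kerberos mutual authentication and SMB signing.
# The first two are the ones the bulletin calls out; the third is an
# assumed example of a software-deployment share and is not a real host.
$HardenedPaths = @{
    '\\*\NETLOGON'                     = $Required
    '\\*\SYSVOL'                       = $Required
    '\\deploy.corp.example\software$'  = $Required   # assumption: your deployment share
}

function Test-Ms15011Installed {
    # KB3000483 is the update that ships the hardening capability.
    # Returns $true if Get-HotFix can see it on this machine.
    $null -ne (Get-HotFix -Id 'KB3000483' -ErrorAction SilentlyContinue)
}

function Get-HardenedUncPathStatus {
    param([hashtable]$Expected = $HardenedPaths)
    $current = if (Test-Path $KeyPath) { Get-ItemProperty -Path $KeyPath } else { $null }
    foreach ($path in $Expected.Keys) {
        $prop  = if ($current) { $current.PSObject.Properties[$path] } else { $null }
        $value = if ($prop) { $prop.Value } else { $null }
        [pscustomobject]@{
            Path     = $path
            Expected = $Expected[$path]
            Actual   = $value
            Hardened = ($value -eq $Expected[$path])
        }
    }
}

function Set-HardenedUncPath {
    param([hashtable]$Paths = $HardenedPaths)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    foreach ($path in $Paths.Keys) {
        # REG_SZ value named after the UNC pattern, exactly as the GPO writes it.
        Set-ItemProperty -Path $KeyPath -Name $path -Value $Paths[$path] -Type String
    }
}

if (-not (Test-Ms15011Installed)) {
    Write-Warning 'KB3000483 (MS15-011) is not installed; the hardening values below will be ignored until it is.'
}

Set-HardenedUncPath
Get-HardenedUncPathStatus | Format-Table -AutoSize
```

After applying the values, any row whose `Hardened` column is `False` is a share that is still reachable over an unauthenticated, unsigned connection. Remember that the values are consulted by the client at connect time, so they have to be present on every domain member, not just on the domain controllers, and that the bulletin pairs this with MS15-014, which stops Group Policy from silently falling back to the unprotected behaviour when it cannot retrieve its policy files.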
If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
I bet they didn't so much design an exploit, as design another feature, implement it as designed ... and the discovered they'd made a gaping hole.
I suspect at this point the code is so complex they don't even know what it does any more.
Lost at C:>. Found at C.
brick
As verb: to brick something. This is the action of rendering any small- to medium-size electronic device useless. This can happen whilst changing the firmware, soldering, or any other process involving either hardware or software.
I bricked my mobile phone when I tried to install Linux on it.
Haha! "When I tried to install Linux on it". Sounds funny reading that thread...
Why is it that this bug doesn't have a fancy name like Heartbleed and Shellshock? Given that this bug will allow an attacker to completely dominate the target machine, I recommend the name "Skullfuck".
you mean like the desktop gadgets gadget? Yeah, I discovered yesterday while trying to install a lunar cycle widget that MS had deprecated the entire project, saying basically "Oh, we'd discovered that what we'd actually done was enable any old Joe Scumbag to completely own your computer via a widget you might actually find useful like live weather or news tickers".
So why the fuck is it still in my desktop context menu!?
I think most phones that don't actually come with Linux (read: Android) installed will actually brick when you try to install Linux on them, because the kernel simply isn't designed for the architecture.
True. But Adobe already creates exploits for all the other OSes in the world, so they don't need to actually create an unsecured OS.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
uh... DVLinux is a security training tool and sandbox for SELinux component testing, not a production desktop platform.
Yes, as much as I hate to admit it, I have had WAY more Linux servers exploited than Windows servers.
I have set up hundreds of Windows Small Business servers and less than half as many production Linux servers. I only recall having 1 Windows server exploited, and that was because the customer set up an admin-level user with an extremely simple password and then opened RDP to the world.
On the other hand, I have had several Linux servers exploited via ProFTPD, Horde, Sendmail and other vulnerable services.
My eyes reflect the stars and a smile lights up my face.
As much as I hate to say it, that is not a Windows exploit, but a PEBKAC issue...
Let me suggest another scenario:
NSA have had the exploit for years since they asked for it to be put there.
It was only removed just now since the Russian Mafia found and started to use the exploit.
Well, of course! All the hackers use Linux and other Open Source software because they don't want to be vulnerable to the same exploits they're using! Damn Linux! :P
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Its all about attack surface bro.
Those Windows SMB servers you likely firewalled away from the internet, with zero exposed (inbound) services. They're only used to provide services to systems on the local network. Maybe you have SMTP exposed for inbound mail. (Today, though, running your own Exchange server(s) for anything smaller than an enterprise is for suckers. Much cheaper to purchase hosted Exchange service, and you don't have to deal with your IP blocks being blackholed.)
Those Linux servers, on the other hand, were probably internet-facing, providing services anyone on the wild wild interwebs could hammer. If you put those Windows servers in the same situation you'd see them pwned too.
Yes, but GPP did not specify "a production desktop platform". My point was that blanket "X OS is the most insecure" statements are largely pointless. With enough effort and expertise you could secure any OS, or you could exploit any OS, even when air-gapped. With enough ignorance you could misconfigure even the most secure OS. The devil is in the details.
Yeah, fucking capitalist assholes! Forcing people to upgrade to one of the last few versions of their operating system!
I mean EVEN Debian still makes security packages for Potato and Woody! ... right?
"True, but only because Adobe never made an OS".
A man's gotta know his limitations. And they do.
I am sure that there are many other solipsists out there.
Windows - the most insecure OS in the world. There are probably more viruses, malware and ransomware than actual apps.
I doubt it.
Download.com alone hosts over 51,000 Windows apps. Search Results for all Windows, Sourceforge, 16,000, 2,200 certified Fresh.
Amazon.com 22,000 for retail sale. PC Software
You could make a very strong case for Android being the most insecure, incompetently planned and managed OS in the wild.
Google's position is complicated, because it has produced a platform that it has no power to update. There's no Windows Update for Android phones, and Google has no ability to push out updates to the operating system; it has to depend on a range of OEMs and network operators to adopt its source code changes and distribute them to users. Both Apple and Microsoft, in contrast, have a direct channel to update their mobile operating systems.
Google won't fix bug affecting 60 percent of Android users
After successfully forcing the machine to reboot into safe mode last night (to stop a perpetual cyclic restart) I found that the screen fonts were being incorrectly rendered to the point of being unreadable. Hours later it turned out to be KB3013455, now uninstalled. Today several sites say that this affects Vista and several flavours of Windows Server.
Everywhere I look, people are still blissfully using completely insecure authentication methods for VPN access, effectively broadcasting plaintext passwords to anyone snooping the wire... but hey, at least if someone tricks you into connecting to their evil network, Microsoft has your back.
Would love an education how this bug is worthy of mention while other much more egregious issues such as true type vulnerabilities affecting anyone who browses to an attacker controlled website were also patched.
True, but only because Adobe never made an OS
A man's gotta know his limitations. And they do.
Funny story... Oracle (née Sun) makes an Operating System.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
From what I could make out, the bug is in credential sharing across a network. If some computer configured to be part of remotely administered network "joins" the network controlled by the attacker, then the attacker can get admin privilege. Most home computers and small business computers are locally managed not remotely managed. So medium to large company computers which are typically administered by dedicated IT departments are at risk. To be at risk this computer must be persuaded to "join" another network controlled by the attacker. It involved editing the workgroup/network setting of the computer. So it would involve some social engineering to get the user to run a malware trojan, a script or an executable to change the settings. But, at that point, once they run a trojan, you can't help them.
Looks like the bug is in networked machines sharing credentials.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Cisco opened a priority 1 case with Microsoft yesterday as soon as we found out about this issue. We are continuing to escalate this issue with Microsoft for a resolution timeframe. We recommend that all customers open their own cases with Microsoft since the ultimate fix will need to come from them. You can feel free to reference Cisco's case # which is 115021112390273 in order to expedite having your ticket properly triaged by their support team.
https://supportforums.cisco.co...
I mean EVEN Debian still makes security packages for Potato and Woody! ... right?
I don't know if Debian does or not (I'm going to assume not based on your tone), but at least Debian's customers have everything they need (except maybe skill and time) to fix it themselves.
Microsoft customers? Not so much.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Also the most popular, hence the attrition to its security flaws.
And realistically, how many people are going to do that instead of just upgrading to a distro from the last decade?
You don't count PostScript as an OS? It's so much more than a language....
I found this article particularly amusing seeing as I'm not done re-installing my Windows 7 box from the latest attack to take it out from a couple of days ago. I don't even use the box for surfing or email; just for running database servers, builds, and playing internet media.
So it's got about the smallest attack surface you could imagine -- and it still has never survived more than 2 years without being nuked. None of my Windows boxes ever has.
I do not fail; I succeed at finding out what does not work.
Is Windows XP affected?
Windows - the most insecure OS in the world.
True, but only because Adobe never made an OS.
True. But Adobe already creates exploits for all the other OSes in the world, so they don't need to actually create an unsecured OS.
AFAIK no Adobe software even runs on Raspberry Pi, but never-the-less, flash can crash it. The mere "aura" of Adobe can break things! :D
The security of an operating system should be judged by its default configuration, not by how insecure it is after you've installed a bunch of 3rd party apps. Even a security-oriented OS like OpenBSD can't prevent other people from doing insecure things to it.
That's mighty cavalier of you, but the fact remains that exploited machines affect the rest of us as well.
Did you manage to sleep through the big new stories the past year about 'Heartbleed' (OpenSSL) and 'Shellshock' (bash)?
and glibc "ghost"
oh wait...
that one was mostly a publicity stunt from the security company.
Atari rules... ermm... ruled.
Probably a developer's backdoor. There was allegedly a /etc/passwd backdoor propagated through gcc for many years - a truly legendary hack.
Developers like to leave these so they can get back in if something goes wrong (putting a benign spin on it). I've broken a PAM config before and wished I had a backdoor...