Slashdot Mirror


Microsoft Fixes Critical Remotely Exploitable Windows Root-Level Design Bug

An anonymous reader writes "In this month's Patch Tuesday, Microsoft has released nine security bulletins to address 56 unique vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, and Microsoft Server software. Of the nine security bulletins, three are rated Critical in severity, and among these three is one that addresses a years-old design flaw that can be exploited remotely to grant attackers administrator-level privileges to the targeted machine or device. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights." Reader jones_supa writes, though, that the most recent patch rollout came with a bug of its own, since corrected: the company apparently botched a rollup update for Visual Studio 2010 Tools for Office Runtime: "There is an issue with KB3001652: many users are reporting that it is locking up their machines while trying to install it. It does not seem that this patch is doing any other damage though, such as bricking the operating system. These days Microsoft appears to be reacting quickly to this kind of news as it looks like the patch has already been pulled from Windows Update."

  1. oh you motherf~}NO_CARRIER by ihtoit · · Score: 3, Interesting

    I read this just SIX MINUTES after I installed the bloody office runtime update.

    Which, lucky me, didn't lock the system up. It seems to have installed pretty painlessly.

    (wonder if that could be anything to do with the fact that I don't have Office installed?)

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    1. Re:oh you motherf~}NO_CARRIER by Bacon+Bits · · Score: 3, Informative

      It might be an extremely rare issue. Following the links in the article, the last update they pulled in August of 2014 was pulled because it was causing blue screen errors for 0.01% of users, but they pulled it anyways.

      --
      The road to tyranny has always been paved with claims of necessity.
    2. Re:oh you motherf~}NO_CARRIER by ihtoit · · Score: 4, Insightful

      whoa, 0.01% of 800 million (a very conservative estimate of the installed base) is still 80,000. That's a number far greater than 0 and most definitely of concern if you're one of those 80,000.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    3. Re:oh you motherf~}NO_CARRIER by VGPowerlord · · Score: 3, Informative

      I read this just SIX MINUTES after I installed the bloody office runtime update.

      Microsoft already released a fixed version at least 12 hours before /. posted this story... and pulled the buggy version some hours (8?) before that.

      In other words, by the time this story was posted, it was no longer relevant.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    4. Re:oh you motherf~}NO_CARRIER by WasteOfAmmo · · Score: 4, Informative

      After some investigation it looks like the update may not have been configured to do a silent install properly and actually hangs as it is waiting for user input on an invisible dialogue box.

      If you have a machine that does hang we have found the following:
      1. wait until there is virtually no disk activity (counting on you having a light that shows you) and then power the machine down, or
      2. use either PowerShell remoting or psexec to kill the two processes involved in the update: "Setup" and "vstor_redist".

      With PowerShell:
          Invoke-Command -ComputerName hostname -ScriptBlock {Stop-Process -Name Setup,vstor_redist -Force}

      With PSExec something like this will work:
          Psexec \\hostname cmd
          Taskkill /im Setup.exe /f
          Taskkill /im vstor_redist.exe /f
          Exit

      If the machine is doing a number of updates killing the two processes above will allow the machine to continue with the rest of the updates.

      Of course the standard disclaimers apply: No guarantees the above will help and not harm your computer, your mileage may vary, batteries not included, objects in code are buggier than they appear, yadda, yadda.

  2. VS2010 patch locks up OS? by jfbilodeau · · Score: 4, Insightful

    Why would a patch for an IDE lock up an OS?

    Is Microsoft able in any way to create products that are not intractably entrenched in their OS?

    --
    Goodbye Slashdot. You've changed.
    1. Re:VS2010 patch locks up OS? by jfbilodeau · · Score: 3, Funny

      "killall --user myself --signal SIGKILL"

      Sounds like the type of code a VB developer would write on Linux. :P

      --
      Goodbye Slashdot. You've changed.
    2. Re:VS2010 patch locks up OS? by Pope+Hagbard · · Score: 3, Informative

      It's not a patch for the IDE, it's for the runtime for programs built with that version of Visual Studio (there are such runtimes for all versions of VS). It sounds like the computer can freeze during patch installation.

    3. Re:VS2010 patch locks up OS? by gstoddart · · Score: 2

      Historically, they've used APIs the rest of us don't see, and since this is also a debugger and who knows what else ... it's probably embedded quite deeply into the OS.

      Part of the problem is Microsoft's own software has pretty much always been intractably entrenched in the OS, and they've never seen that as an issue.

      It doesn't sound like a modular architecture .. it sounds like they just view all of this as one monolithic thing.

      Which is probably why they have a terrible track record of supporting other platforms. Because support for something else is hard even for them.

      --
      Lost at C:>. Found at C.
    4. Re:VS2010 patch locks up OS? by Ravaldy · · Score: 2

      I've seen this issue twice (we have a few VS2010 enabled machines). If you apply the patch by going into the Windows Update screen it will simply attempt to install in an infinite loop and you can simply end the process using the task manager. If you shut down the system while the patch is pending to be installed, Windows will attempt to perform the update before completing the shutdown procedure. This is what creates the appearance of a lock up. Because the patch never appears to end, it remains in shutdown mode for as long as you don't reboot manually. This is very different than an actual OS lock. Just thought I'd clarify.

  3. Re:The most insecure OS in the world by monkeyzoo · · Score: 5, Funny

    Windows - the most insecure OS in the world.

    True, but only because Adobe never made an OS.

  4. TFA Says Patch is Fixed by Bacon+Bits · · Score: 4, Informative

    The article says the patch has already been updated and is safe to install.

    --
    The road to tyranny has always been paved with claims of necessity.
    1. Re:TFA Says Patch is Fixed by WasteOfAmmo · · Score: 2

      Yes, except... if your machine still has updates outstanding then from what we have seen it is best if you "check for updates" again before installing them. It looks like if the patch was already downloaded then it will install unless you refresh by checking for updates again before installing.

  5. Re:This is your computer on Windows... by BreakBad · · Score: 2

    FTA "this is a design problem not an implementation problem."

    So....Microsoft designed a godmode exploit.

  6. Re:The most insecure OS in the world by sinij · · Score: 3, Insightful

    Please, the most insecure OS in the world is Linux (Damn Vulnerable Linux)

  7. Sad Hacker by sir-gold · · Score: 4, Funny

    Somewhere in the world, there is a hacker crying into his keyboard right now, because MS finally found the hole he's been exploiting for the last 10 years.

  8. The XP Killer? by bill_mcgonigle · · Score: 4, Insightful

    We've been waiting for that vulnerability that will finally create such havoc on XP that people will abandon it.

    The security bulletin is vague, as usual, but it does say:

    A remote code execution vulnerability exists in how Group Policy receives and applies policy data when a domain-joined system connects to a domain controller. To exploit this vulnerability, an attacker would have to convince a victim with a domain-configured system to connect to an attacker-controlled network.

    An attacker who successfully exploited this vulnerability could take complete control of an affected system and then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by improving how domain-configured systems connect to domain controllers prior to Group Policy accepting configuration data. ...

    Although Windows Server 2003 is an affected product, Microsoft is not issuing an update for it because the comprehensive architectural changes required would jeopardize system stability and cause application compatibility problems. Microsoft recommends that security-conscious customers upgrade to a later operating system in order to keep pace with the changing security threat landscape and benefit from the more robust protections that later operating systems provide.

    Which would seem to put the XP/2003 lineage one malware download away from connecting to a botnet that spoke just enough Domain protocol to exploit it and being pwned.

    NSA could have such an exploit ready next week, Russian mafia in a month. The Prize is controlling close to 19% of the installed base.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    1. Re:The XP Killer? by Dwedit · · Score: 4, Funny

      Everyone runs Admin on XP anyway, so privilege escalation is less of a problem than it could be.

    2. Re:The XP Killer? by tlhIngan · · Score: 4, Informative

      We've been waiting for that vulnerability that will finally create such havoc on XP that people will abandon it.

      It only affects domain-joined PCs. If you're running XP Home (can't join a domain to begin with), then it really doesn't affect you.

      It's a basic downgrade attack - similar to how those TLS bugs were done. You force the client and/or server to revert to an older less secure authentication protocol and then use that to get your way in.

      And most businesses have moved off XP.

  9. Patching is NOT ENOUGH by jeffasselin · · Score: 5, Informative

    One very important part of this latest vulnerability is that patching your systems is NOT ENOUGH. The patch is not so much a fix as an entirely new security functionality which must be configured properly.

    It is required to configure a group policy to harden your systems. Any domain-joined system must have both the patch installed and a group policy set up to force the system to use secure authentication and validation mechanisms on any sensitive share. Domain shares such as NETLOGON and SYSVOL are an obvious priority, but any share used for software deployment or script execution must be similarly listed.

    Make sure you read the KB article and take the proper steps to secure your systems:

    https://support.microsoft.com/...

    --
    If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
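
The check described in the comment above, as an added example (not part of the original comment and not Microsoft's code): a PowerShell audit of whether NETLOGON and SYSVOL are covered by a hardened-path policy that requires both mutual authentication and integrity. The registry location and the `RequireMutualAuthentication` / `RequireIntegrity` value syntax are assumptions about how the Hardened UNC Paths policy is stored; the function names and the sample policy are constructed for illustration.

```powershell
# Added example, not Microsoft's code. Assumption: the policy is stored as one
# string value per UNC pattern under this key, for example
#   \\*\SYSVOL = "RequireMutualAuthentication=1, RequireIntegrity=1"
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

function Get-HardenedPathPolicy {
    param([string]$Key = $PolicyKey)
    $policy = @{}
    if (Test-Path -Path $Key) {
        $item = Get-Item -Path $Key
        foreach ($name in $item.GetValueNames()) { $policy[$name] = [string]$item.GetValue($name) }
    }
    return $policy
}

function ConvertFrom-HardenedPathValue {
    param([string]$Value)
    $flags = @{}
    foreach ($pair in ($Value -split ',')) {
        $name, $setting = $pair.Trim() -split '=', 2
        if ($name) { $flags[$name.Trim()] = ("$setting".Trim() -eq '1') }
    }
    return $flags
}

function Test-HardenedPath {
    param(
        [hashtable]$Policy,                          # UNC pattern -> policy string
        [string[]]$Share = @('NETLOGON', 'SYSVOL')   # add deployment/script shares here
    )
    foreach ($s in $Share) {
        # Entries of the form \\<server or *>\<share>, compared case-insensitively
        $rx = '^\\\\[^\\]+\\' + [regex]::Escape($s) + '$'
        $entries = @($Policy.Keys | Where-Object { $_ -match $rx })
        if (-not $entries) {
            [pscustomobject]@{ Share = $s; Pattern = '(none)'; MutualAuth = $false; Integrity = $false; Hardened = $false }
            continue
        }
        foreach ($e in $entries) {
            $f = ConvertFrom-HardenedPathValue $Policy[$e]
            $m = [bool]$f['RequireMutualAuthentication']
            $i = [bool]$f['RequireIntegrity']
            [pscustomobject]@{ Share = $s; Pattern = $e; MutualAuth = $m; Integrity = $i; Hardened = ($m -and $i) }
        }
    }
}

# Constructed sample policy: SYSVOL fully hardened, NETLOGON missing integrity.
$sample = @{
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1, RequireIntegrity=0'
}
Test-HardenedPath -Policy $sample | Format-Table -AutoSize
# On a domain-joined machine: Test-HardenedPath -Policy (Get-HardenedPathPolicy)
```

A share with no matching entry, or with either flag unset, is reported with `Hardened` false, which covers the case the comment warns about: a patched machine with no policy configured.
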
  10. Re:This is your computer on Windows... by gstoddart · · Score: 2

    I bet they didn't so much design an exploit, as design another feature, implement it as designed ... and then discovered they'd made a gaping hole.

    I suspect at this point the code is so complex they don't even know what it does any more.

    --
    Lost at C:>. Found at C.
  11. Re:This is your computer on Windows... by courteaudotbiz · · Score: 2

    Bricking an OS? It's just like the guy doesn't actually know what a brick is. Bricking something is to break an actual object to the point where its only use is to be a doorstopper. This is the Urban Dictionary quote:

    brick
    As verb: to brick something. This is the action of rendering any small-medium size electronic device useless. This can happen whilst changing the firmware, soldering or any other process involving either hardware or software.

    I bricked my mobile phone when I tried to install Linux on it.

    Haha! "When I tried to install Linux on it". Sounds funny reading that thread...

  12. Fancy Vulnerability Name by organgtool · · Score: 2, Funny

    Why is it that this bug doesn't have a fancy name like Heartbleed and Shellshock? Given that this bug will allow an attacker to completely dominate the target machine, I recommend the name "Skullfuck".

    1. Re:Fancy Vulnerability Name by jones_supa · · Score: 2

      Actually the vulnerability has been nicknamed "JASBUG". JAS Global Advisors founder Jeff Schmidt cooperated with Microsoft to fix the bug behind the scenes during 2014, while he was working an engagement with ICANN.

  13. Re:This is your computer on Windows... by ihtoit · · Score: 2

    you mean like the desktop gadgets gadget? Yeah, I discovered yesterday while trying to install a lunar cycle widget that MS had deprecated the entire project, saying basically "Oh, we'd discovered that what we'd actually done was enable any old Joe Scumbag to completely own your computer via a widget you might actually find useful like live weather or news tickers".

    So why the fuck is it still in my desktop context menu!?

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  14. Re:The most insecure OS in the world by Archangel+Michael · · Score: 5, Insightful

    True. But Adobe already creates exploits for all the other OSes in the world, so they don't need to actually create an unsecured OS.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  15. Re:The most insecure OS in the world by The-Ixian · · Score: 3, Interesting

    Yes, as much as I hate to admit it, I have had WAY more Linux servers exploited than Windows servers.
     
    I have set up hundreds of Windows Small Business servers and less than half as many production Linux servers. I only recall having 1 Windows server exploited, and that was because the customer set up an admin-level user with an extremely simple password and then opened RDP to the world.
     
    On the other hand, I have had several Linux servers exploited via ProFTPD, Horde, Sendmail and other vulnerable services.

    --
    My eyes reflect the stars and a smile lights up my face.
  16. Re:Russian Mafia Re:The XP Killer? by Anonymous Coward · · Score: 3, Interesting

    Let me suggest another scenario:
    NSA have had the exploit for years since they asked for it to be put there.
    It was only removed just now since the Russian Mafia found and started to use the exploit.

  17. Re:The most insecure OS in the world by Anonymous Coward · · Score: 2, Insightful

    It's all about attack surface bro.

    Those windows SMB servers you likely firewalled away from the internet, zero exposed (inbound) services. They're only used to provide services to systems on the local network. Maybe you have SMTP exposed for inbound mail. (Today, though, running your own exchange server(s) for anything smaller than an enterprise is for suckers. Much cheaper to purchase hosted exchange service, and you don't have to deal with your IP blocks being blackholed)

    Those linux servers, on the other hand, were probably internet facing. Providing services anyone on the wild wild interwebs could hammer. If you put those windows servers in the same situation you'd see them pwnd too.

  18. Re:The most insecure OS in the world by sinij · · Score: 2

    Yes, but GPP did not specify "a production desktop platform". My point was that blanket "X OS is the most insecure" statements are largely pointless. With enough effort and expertise you could secure any OS, or you could exploit any OS, even when air-gapped. With enough ignorance you could misconfigure even the most secure OS. The devil is in the details.

  19. Re:The most insecure OS in the world by Archtech · · Score: 2

    "True, but only because Adobe never made an OS".

    A man's gotta know his limitations. And they do.

    --
    I am sure that there are many other solipsists out there.
  20. Re:The most insecure OS in the world by westlake · · Score: 2, Insightful

    Windows - the most insecure OS in the world. There are probably more viruses, malware and ransomware than actual apps.

    I doubt it.

    Download.com alone hosts over 51,000 Windows apps. Search Results for all Windows, Sourceforge, 16,000, 2,200 certified Fresh.

    Amazon.com 22,000 for retail sale. PC Software

    You could make a very strong case for Android being the most insecure, incompetently planned and managed OS in the wild.

    Google's position is complicated, because it has produced a platform that it has no power to update. There's no Windows Update for Android phones, and Google has no ability to push out updates to the operating system; it has to depend on a range of OEMs and network operators to adopt its source code changes and distribute them to users. Both Apple and Microsoft, in contrast, have a direct channel to update their mobile operating systems.

    Google won't fix bug affecting 60 percent of Android users

  21. Re:The most insecure OS in the world by VGPowerlord · · Score: 3, Informative

    True, but only because Adobe never made an OS

    A man's gotta know his limitations. And they do.

    Funny story... Oracle (née Sun) makes an Operating System.

    --
    GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
  22. Patch breaks Cisco Anyconnect VPN client too by Kernel+Kurtz · · Score: 2

    Cisco opened a priority 1 case with Microsoft yesterday as soon as we found out about this issue. We are continuing to escalate this issue with Microsoft for a resolution timeframe. We recommend that all customers open their own cases with Microsoft since the ultimate fix will need to come from them. You can feel free to reference Cisco's case # which is 115021112390273 in order to expedite having your ticket properly triaged by their support team.

    https://supportforums.cisco.co...

  23. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  24. Re:Windows XP? by Gunstick · · Score: 2

    yes. and not patched.
    like windows 2003, which is still in support, but so badly designed that a patch is not possible.

    --
    Atari rules... ermm... ruled.