Slashdot Mirror


BadTunnel Bug Hijacks Network Traffic, Affects All Windows Versions (softpedia.com)

An anonymous reader writes: Microsoft has just patched a vulnerability that affects all Windows versions ever released. Called BadTunnel, the security flaw allows attackers to pass as a WAPD or ISATAP server and intercept all network traffic. Exploitation is trivial and firewalls are natively designed to open the port through which the attack is carried out. BadTunnel can be triggered whenever the user clicks URI or UNC links/paths in Office files, IE, Edge, or other applications that support the URI/VNC scheme (and most do). Additionally, an attacker can carry out his attack from the other side of the world, and does not need to have a foothold on the victim's network. While recent Windows OS versions received patches, exploitation points remain open for non-supported Windows operating systems such as XP, Windows Server 2003, and others. For these operating systems, and for those that can't be updated just yet, system administrators should disable NetBIOS.

105 comments

  1. WinXP Patch? by Anonymous Coward · · Score: 0

    Probably not....

    1. Re:WinXP Patch? by phrostie · · Score: 5, Funny

      just upgrade to Win 10 and everything will be ok.
      let go of your old OS and let MS set you free.

      for a limited time only.

    2. Re: WinXP Patch? by Anonymous Coward · · Score: 1

      I wonder if this had been known and maybe even disclosed by Microsoft to the NSA, especially since it's all known windows versions.

    3. Re:WinXP Patch? by Anonymous Coward · · Score: 0

      "just upgrade to Win 0xA, and everything will be A-ok." Blaah, I'm not drunk enough.

    4. Re:WinXP Patch? by uncqual · · Score: 2

      Yes, and if you're interested in being approached for interesting jobs, once the LinkedIn acquisition is complete, Microsoft will probably punish anyone not running Windows 10 by burying their names in search results. Get with the program - NOW!

      --
      Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
    5. Re:WinXP Patch? by Anonymous Coward · · Score: 0

      > everything will be ok. ... for a limited time only.

      Exactly, until the next zero day is exploited.

    6. Re:WinXP Patch? by donaldm · · Score: 1

      just upgrade to Win 10 and everything will be ok. let go of your old OS and let MS set you free.

      for a limited time only.

      Why would I want to install Windows 10 when my perfectly good Fedora 23 distro works perfectly?

      If I want to install Malware then Microsoft Windows 10 would be the way to go, after all, take a look at what Windows 10 is doing to get people to "upgrade" and what settings are on by default. Sure you can turn most of these settings to "off" but even after hacking the Registry, which most people can't do, are you quite sure you really have turned everything off?

      Of course, we all really know that Big Brother^H^H^H^H^H^H^H^H^H^H^H Microsoft has our best interests at heart.

      --
      There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
    7. Re:WinXP Patch? by phrostie · · Score: 1

      it was a joke.

      I'm more of a debian guy myself, but fedora is good too.

    8. Re: WinXP Patch? by Anonymous Coward · · Score: 0

      netbios is easy to deactivate in winxp.

      in win10 not. removing it from network interface is not enough.

    9. Re:WinXP Patch? by Coren22 · · Score: 1

      Yeah, the next zero day to come along affecting XP will be a big deal since it is out of support and therefore the problem will never be patched. I totally agree that you are going to be more secure running Windows 7, 8, or 10 than XP.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    10. Re:WinXP Patch? by doccus · · Score: 1

      Yeah. but hey. c'mon now. Net Bios? Anyone still even *using* it? ;-)

  2. Break out my Windows 3.11 box by jfdavis668 · · Score: 1

    16 bit software will save the day again.

    1. Re: Break out my Windows 3.11 box by Anonymous Coward · · Score: 0

      ...a vulnerability that affects all Windows versions ever released.

    2. Re: Break out my Windows 3.11 box by jfdavis668 · · Score: 1

      Ok, I have a copy of Windows 2.11 around here somewhere. Not sure if that counted as being released.

    3. Re: Break out my Windows 3.11 box by Anonymous Coward · · Score: 0

      Windows 1.0

      Should run Crysis just fine.

    4. Re: Break out my Windows 3.11 box by jfdavis668 · · Score: 1

      Then I can play Reversi to my heart's content.

    5. Re: Break out my Windows 3.11 box by BronsCon · · Score: 2

      More reliable sources say 95 and on, which makes sense as prior versions didn't ship with a network stack.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    6. Re: Break out my Windows 3.11 box by Anonymous Coward · · Score: 1

      Kind of hard when that version doesn't have an IP stack.

    7. Re: Break out my Windows 3.11 box by werewolf1031 · · Score: 1

      Maybe I'm just old and senile, but didn't 3.11, ie. "Windows for Workgroups", include one?

    8. Re: Break out my Windows 3.11 box by BronsCon · · Score: 1

      Ah, I stand corrected, as I forgot about WFW.

      However, it appears that WFW gained NetBIOS support via NWNBLink, which provided support for NetBIOS over IPX/SPX, rather than TCP/IP. That is, it would not have been vulnerable to BadTunnel.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    9. Re: Break out my Windows 3.11 box by flyingfsck · · Score: 1

      Well apart from having to dig up the books on IPX/SPX, the tunnel would likely work over that too. When MS creates a network backdoor for the NSA, they are very thorough...

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    10. Re: Break out my Windows 3.11 box by BronsCon · · Score: 4, Informative

      At worst, it could have been exploited by a system on the same LAN, as IPX/SPX was very frame-size and frame-order dependent, rendering it effectively useless as a WAN protocol.

      Additionally, read up on how the vulnerability functions. I had to read up on it a bit more than I already had in order to write this reply, but here's a summary: The attack involved convincing a Windows machine, via a flaw in NetBIOS over TCP/IP, that the attacking machine is a valid WPAD or ISATAP server. ISATAP is an IPv6 transition mechanism so we can rule that out as a WFW attack vector. WPAD hadn't been created by Netscape yet in 1993 when WFW was released (it was developed in 1996 as part of Netscape Navigator 2.0), so that's ruled out as well.

      Looks like WFW was safe.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    11. Re: Break out my Windows 3.11 box by wierd_w · · Score: 1

      WFW used NETBEUI, and IPX, yes.

      It did have a TCP/IP implementation though. It just didn't do netbios over it.

      win3.1 needed trumpet tcp, or some other 3rd party stack, but WFW had it natively. This was the era where Netscape was really starting to hit the scene, and the web was an emerging phenomenon. IIRC, there was an early version of IE for WFW.

      That is why when win95 rolled out, with IE preinstalled (but not thoroughly baked in), it started MS's ascendency. When win98 hit with it permanently baked in, it started the lawsuit.

      History lesson over, netbios over tcp debuted on win9x. Prior to that, it was NETBEUI and IPX.

    12. Re: Break out my Windows 3.11 box by BronsCon · · Score: 2
      For the sake of those who will only read up to the quoted line:

      It did have a TCP/IP implementation though. It just didn't do netbios over it.

      This is correct; and BadTunnel is initiated via an exploit in NetBIOS over IPX/SPX and relies on one of two additional services for which WFW had no support.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    13. Re: Break out my Windows 3.11 box by BronsCon · · Score: 1
      GAH!! I meant:

      BadTunnel is initiated via an exploit in NetBIOS over TCP/IP

      Proofread.
      Every.
      Post.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    14. Re: Break out my Windows 3.11 box by sconeu · · Score: 1

      Piker. I am going to install my copy of Windows 1.03. As soon as I can find a 5.25" 360K drive.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    15. Re: Break out my Windows 3.11 box by drolli · · Score: 1

      Yay! I'll filter everything which is not IPX in the router!

    16. Re: Break out my Windows 3.11 box by Anonymous Coward · · Score: 0

      What about NT 3.1 (NBT) and 3.5 (NetBT)? Those were released before Windows 95 and support NetBIOS over TCP/IP.

    17. Re: Break out my Windows 3.11 box by Maritz · · Score: 1

      I don't even think the first win95 had TCP/IP stack. What did they call it, winsock? I think they rolled it out in a service pack. I realise I could just google this, but I don't care enough.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    18. Re: Break out my Windows 3.11 box by DarkOx · · Score: 1

      Microsoft did provide a tcp driver for wfw3.11 as an add on.

      I

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    19. Re: Break out my Windows 3.11 box by DaveMikulec · · Score: 1

      Amateur. My copy's on datasette.

      --
      "Shall we play a game?" -W.O.P.R.
    20. Re: Break out my Windows 3.11 box by Bob+the+Super+Hamste · · Score: 1

      I think I still have one in my basement. It probably still works given how damn near indestructible those things were.

      --
      Time to offend someone
    21. Re: Break out my Windows 3.11 box by Anonymous Coward · · Score: 0

      Win3.1 runs like a champ in DOSBox.

    22. Re: Break out my Windows 3.11 box by Anonymous Coward · · Score: 0

      *in my moms basement aka my bedroom*

      FTFY :P

    23. Re: Break out my Windows 3.11 box by BronsCon · · Score: 1

      They actually released the Windows TCP/IP stack in 3.11a or b, I forget which. NetBIOS didn't use it until Win95, though.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    24. Re: Break out my Windows 3.11 box by BronsCon · · Score: 1

      Yes, but NetBIOS didn't gain the ability to use it until Win95 and WFW never supported WPAD or ISATAP, one or the other of which was required, in conjunction with NetBIOS over TCP/IP, in order to exploit the flaw.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    25. Re: Break out my Windows 3.11 box by BronsCon · · Score: 1

      Did they support WPAD and/or ISATAP?

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  3. Registry change for XP Patches by Anonymous Coward · · Score: 0

    The 1% of you can thank me later:

  4. All versions of Windows, ever released? by evilviper · · Score: 1

    Wow! And to think, Windows 1.0, 2.0 and 3.0 didn't have any networking support! Yet they somehow have bugs that allows diverting network traffic that they don't and can't generate!

    Windows 3.11 was the first to include networking, and I'm going to bet it wasn't affected, either.

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    1. Re:All versions of Windows, ever released? by Anonymous Coward · · Score: 0

      Windows 3.11 relied on dos for the network stack.

    2. Re:All versions of Windows, ever released? by msauve · · Score: 1

      "Microsoft has just patched a vulnerability that affects all Windows versions ever released."

      But fortunately, according to the summary, they still patched all versions. Where do I get the patch for XP?

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    3. Re:All versions of Windows, ever released? by Anonymous Coward · · Score: 0

      You are just mistaken about how ahead of the game Microsoft was back then. Makes their decline to where they are now even worse.

    4. Re:All versions of Windows, ever released? by evilviper · · Score: 2

      Nope.

      in August 1994, Microsoft released an add-on package (codenamed Wolverine) that provided TCP/IP support in Windows for Workgroups 3.11. Wolverine was a 32-bit stack

      https://en.wikipedia.org/wiki/...

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    5. Re:All versions of Windows, ever released? by MikeBabcock · · Score: 1

      Some of us remember installing Trumpet Winsock on Windows 3.1; it certainly was not DOS.

      --
      - Michael T. Babcock (Yes, I blog)
    6. Re:All versions of Windows, ever released? by flyingfsck · · Score: 1

      It's OK, Peter Tattam's Trumpet Winsock network stack will fix that little problem for you: http://www.trumpet.com.au/

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    7. Re:All versions of Windows, ever released? by Anonymous Coward · · Score: 0

      Nope.

      in August 1994, Microsoft released an add-on package (codenamed Wolverine) that provided TCP/IP support in Windows for Workgroups 3.11. Wolverine was a 32-bit stack

      https://en.wikipedia.org/wiki/...

      I swear I had a Microsoft TCP/IP add on for WFW 3.10.

    8. Re:All versions of Windows, ever released? by Anonymous Coward · · Score: 0

      no you didn't. You may have found a 3rd party one. MS didn't release one till 94 with the upgrade to 3.11

    9. Re:All versions of Windows, ever released? by Anonymous Coward · · Score: 0

      no you didn't. You may have found a 3rd party one. MS didn't release one till 94 with the upgrade to 3.11

      Yep, found the Microsoft disks for both WFW 3.11 and WFW3.10. Well the WFW 3.10 version was nothing more than a Beta (along with a lot of their software. :( )

    10. Re:All versions of Windows, ever released? by drinkypoo · · Score: 1

      Some of us remember installing Trumpet Winsock on Windows 3.1; it certainly was not DOS.

      If you were very very lucky you had the TCP stack from TGV (Two guys and a vax) instead. They got bought by Cisco at the same time that Windows 95 came out with its own TCP stack, so they abandoned the main product and turned them into a cable modem development facility because Cisco.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    11. Re:All versions of Windows, ever released? by DaveMikulec · · Score: 1

      Yup. Along with Spry Mosaic!

      --
      "Shall we play a game?" -W.O.P.R.
  5. Microsoft please stop this madness by WaffleMonster · · Score: 4, Insightful

    For the life of me I can't figure out why all of these tunneling/transition protocols are enabled by default in Windows. Who uses automatic IPv6 transition schemes in 2016? They certainly are not now nor have they ever been sufficiently reliable for production use and TTL for IPv6 amateur hour has long since expired. Why is this worth the massive security headaches these things invite?

    Have a script that I run on any new windows boxes. Part of it does the following.

    netsh interface teredo set state disabled
    netsh interface isatap set state disabled
    netsh interface 6to4 set state disabled

    I'm honestly perplexed and dumbfounded why Microsoft is (still) doing this.
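
The mitigation named in the summary (disable NetBIOS) and the tunnel settings from the comment above, combined into one audit script. This is an added example, not part of the thread and not the commenter's own script. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (needed for Get-NetUDPEndpoint); the -Apply switch is this example's own name.

```powershell
# Added example, not from the thread. Without -Apply it only reports;
# with -Apply it disables NetBIOS over TCP/IP on every IP-enabled adapter
# and disables the Teredo, ISATAP and 6to4 tunnels. Run elevated.
param([switch]$Apply)

# Win32_NetworkAdapterConfiguration.TcpipNetbiosOptions:
#   0 = take the setting from DHCP, 1 = enabled, 2 = disabled
$stateName = 'Default (DHCP decides)', 'Enabled', 'Disabled'

$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration `
                            -Filter 'IPEnabled = TRUE'

$report = foreach ($nic in $adapters) {
    $before = $stateName[[int]$nic.TcpipNetbiosOptions]
    $action = 'none (audit only)'

    if ($Apply -and $nic.TcpipNetbiosOptions -ne 2) {
        $r = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                              -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
        # ReturnValue 0 = done, 1 = done but a reboot is required
        $action = "SetTcpipNetbios returned $($r.ReturnValue)"
    }

    [pscustomobject]@{
        Adapter = $nic.Description
        NetBIOS = $before
        Action  = $action
    }
}
$report | Format-Table -AutoSize

# IPv6 transition tunnels: the same netsh contexts used in the comment above.
foreach ($tunnel in 'teredo', 'isatap', '6to4') {
    if ($Apply) { netsh interface $tunnel set state disabled | Out-Null }
    "--- $tunnel ---"
    netsh interface $tunnel show state
}

# Verification: with NetBIOS over TCP/IP off on every adapter, nothing
# should remain bound to UDP 137 (the NetBIOS name service port).
$listeners = Get-NetUDPEndpoint -LocalPort 137 -ErrorAction SilentlyContinue
if ($listeners) {
    'UDP 137 is still bound:'
    $listeners | Select-Object LocalAddress, LocalPort, OwningProcess |
        Format-Table -AutoSize
} else {
    'No UDP 137 listener found.'
}
```

Setting the option to 2 overrides whatever DHCP hands out, which the default value 0 does not. Hosts that still rely on NetBIOS name resolution will lose it once this is applied.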

    1. Re:Microsoft please stop this madness by Anonymous Coward · · Score: 0

      This really cuts to the heart of the Windows/Linux debate that's been going on for years. Linux ships completely secure and locked down by default, and as a result half the things people try to do don't work and most people don't have the computer and networking skills and the time to jockey the command line configurations and networking tweaks to get anything to work. Windows just works, but because everything is up and running from day one there are security concerns because most people are running systems they do not use or need.

    2. Re:Microsoft please stop this madness by Anonymous Coward · · Score: 0

      . Linux ships completely secure and locked down by default, .

      WTF lol was that meant to be a joke? If not then you are probably one of the reasons so many linux web servers get owned in that you don't understand it requires configuration to make it secure.

    3. Re:Microsoft please stop this madness by Anonymous Coward · · Score: 0

      Being forced to Windows10 and then having to find out that your internet isn't working anymore doesn't contribute much to the Windows10 vibe.

    4. Re:Microsoft please stop this madness by Monoman · · Score: 2

      IIRC it all started with Windows 7/Server 2008 and some features that *required* IPV6. You didn't really have to be running IPv6 on your network because MS was enabling tunneling and IPv6 by default so things would work automagically.

      https://en.wikipedia.org/wiki/...
      https://technet.microsoft.com/...

      --
      Keep the Classic Slashdot.
    5. Re:Microsoft please stop this madness by Anonymous Coward · · Score: 0

      And then somehow your Windows clients and servers manage to register a 2002: AAAA record via Dynamic DNS. Once this happens, naturally, your client machine communicates with the server, that is physically about 50m away, over a tunnel that wraps around the entire planet.

    6. Re:Microsoft please stop this madness by Anonymous Coward · · Score: 0

      Have a script that I run on any new windows boxes. Part of it does the following.

      netsh interface teredo set state disabled
      netsh interface isatap set state disabled
      netsh interface 6to4 set state disabled

      I'm honestly perplexed and dumbfounded why Microsoft is (still) doing this.

      Please post the rest of the script! I wanna see if I missed anything. :)

    7. Re:Microsoft please stop this madness by Anonymous Coward · · Score: 0

      Only the web server. Not the entire OS.

      And the most web servers that get broken into is IIS via ASP.NET.
      Those running PHP are rated higher, but PHP runs on IIS as well.

    8. Re:Microsoft please stop this madness by Anonymous Coward · · Score: 0

      I am a fan of Linux and free software, working for many years in it, hosting, but your argument is incorrect. I know the reality of webservers. Breaking into ASP.NET is not easy because of the default protection mechanisms such as asp.net sessionstate (encrypted). The problem with ASP.NET often is that the applications are slow, the applications are often complex custom code for just 1 time implementation (enterprise applications).
      PHP servers on the other hand are often configured by non-profit organizations or in a hurry without any consideration for security. Then you have millions of php "developers" who often know very little and install OS applications such as wordpress. There are then so many wordpresses that hackers can automate attacks and create worms etc... There are also those who have more skills but usually those skills are mostly concentrated on multimedia and performance, not security.

    9. Re:Microsoft please stop this madness by Anonymous Coward · · Score: 0

      no

    10. Re:Microsoft please stop this madness by Anonymous Coward · · Score: 0

      Are you kidding me? Having worked as a developer in a (small) web hosting service, I can state with certainty that you don't know what you're talking about.

      Our couple-dozen PHP sites ran on a single Linux box, using a LAMP stack, and were mostly WordPress. They got taken over time and time again, and every patch to fix one security hole simply opened more security holes. Even the ones that weren't PHP would get owned periodically, mostly because they ran on the same box that ran all of those shitty WP sites. They were mostly collateral damage. That box was horribly rooted at one point and had to be quarantined on its own VLAN while we spun it down and never started it up again.

      Meanwhile, we ran 4 Windows boxes (2003 R2, IIRC, as this was several years ago), with hundreds of sites on each hosted in IIS 6. Most of these sites were DotNetNuke, with some of the larger sites being ASPDotNet Store Front (*shudder*) or custom ASP.Net. There were maybe a half-dozen intrusions, with the worst incident causing a site to be defaced for a few hours. None of these escaped the site instance that they started in or caused any permanent data loss.

      Linux and Windows are secure enough. Apache and IIS are secure enough. ASP.Net is secure enough. None of these pose much threat. But PHP is an unholy mess that allows, and even encourages, things that shouldn't be able to even happen.

      Now, sure, you can fuck up an IIS configuration to allow it to get owned quicker. But you really have to try. And when a developer says "I need X, Y, and Z to be configured in a non-default manner at the web server level", the answer should almost always be "oh hell no".

    11. Re: Microsoft please stop this madness by Anonymous Coward · · Score: 0

      u still have ipv6 enabled on win 10 after that

    12. Re: Microsoft please stop this madness by Anonymous Coward · · Score: 0

      What you've just said is one of the most insanely idiotic things I have ever heard. At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone in this room is now dumber for having listened to it. I award you no points, and may God have mercy on your soul.

      Repeat after me. Operating system != programming language and programming languages != operating systems.

      Your web server got hacked because of Wordpress most likely. Nothing at all to do with the programming language and certainly nothing to do with the the operating system.

    13. Re:Microsoft please stop this madness by Anonymous Coward · · Score: 0

      share your full script?

      some of us want to harden our machines and would appreciate your starting point!!!

    14. Re: Microsoft please stop this madness by Anonymous Coward · · Score: 0

      Repeat after me. Operating system != programming language and programming languages != operating systems.

      lol.. so how come you linux cheerleaders never make this distinction every time a Windows machine is rooted?

      The _Fact_ remains that the Linux kernel has had INSANELY more security bugs than the NT kernel. Linux is a giant monolith blob with all kinds of shit thrown in, unlike the modular hybrid NT kernel design.

    15. Re:Microsoft please stop this madness by skids · · Score: 1

      That... really depends on the distro. There are plenty of unnecessary discovery services distros can be tempted to install because they want their product to satisfy users who expect their OS to "see their printer" and such crap without being told to. All such services offer more potential code surface for network-borne attacks.

  6. NetBIOS? by Anonymous Coward · · Score: 0

    People still use it?

    1. Re:NetBIOS? by Anonymous Coward · · Score: 0

      You don't have to use it. It's enough to be there

  7. So sorry by Dunbal · · Score: 2

    I'm sorry but I'm done with Microsoft patches. If hackers want to watch me play CS:GO or post on slashdot they're welcome to do it, but I won't risk Microsoft's definite installation of spyware.

    --
    Seven puppies were harmed during the making of this post.
    1. Re:So sorry by Nunya666 · · Score: 1

      I'm sorry but I'm done with Microsoft patches. If hackers want to watch me play CS:GO or post on slashdot they're welcome to do it, but I won't risk Microsoft's definite installation of spyware.

      On my own laptops, I agree completely. Unfortunately, my day job requires Microcrap Windoze.

      Even though my wife is not computer savvy and is a little resistant to change, her next laptop will get Windoze wiped from it and replaced with some version of Linux.

      I am currently configuring a second-hand laptop for a young family friend who is starting college this fall. It will have Linux on it, not Windoze. I warned him that he has to give Linux a try for two weeks. I will only install Windoze on it if he gives Linux a fair shot first. Of course, he would have to pay for the Windoze licence, which should encourage him to give the free option (meaning Linux) an honest effort. Hopefully, I can create another Linux convert.

    2. Re:So sorry by Anonymous Coward · · Score: 0

      Oh please, this article clearly states... keep up your windows updates and you won't have an issue.

    3. Re:So sorry by Anonymous Coward · · Score: 0

      Bullshit. This bug exists in everything since Windows 95, and is only being fixed in 2016. That's over 20 years of keeping Windows up to date and still having this issue. And I can guarantee you, this is not the last bug in Windows, so even if you do install this update, you will still have other issues.

    4. Re:So sorry by Anonymous Coward · · Score: 0

      Thanks for the free skins!

      - Friendly Neighborhood Kiddie

    5. Re:So sorry by Anonymous Coward · · Score: 0

      Absolutely yes. This is certainly not the last bug from times primordial that will be found in Windows. Wasn't something GDIish dating from Win3 patched only a year or 2 ago?

      I guess my practice of running non-supported Windows versions needed for specific software in a VM (XP, 98 in VirtualBox, 3.1 in DOSBox) with networking turned off, for a virtual air gap, is worth continuing, not that I would want to use Compuserve's clone of Mosaic in Win3.1 anyway. Better yet would be running them in VMs under Linux, which probably will happen with one box that's unhappy with Win10 (tried, looked good but sounded horrible due to driver issues, reverted to 7 where the sound works fine) when EOL comes for 7.

      I like that little script, too. My ISP and router support IPv6 directly, so there's no need for the tunnels.

    6. Re:So sorry by Anonymous Coward · · Score: 0

      One zealot trying to create another zealot. Absolutely disgusting.

  8. Now I wonder if I saw this in action? by Anonymous Coward · · Score: 0

    I suddenly was unable to access popular websites recently, replaced by "WARNING. The web page has been blocked. Please CONTRACT (contact +R) your administrator." for most pages like google, apple, big pages. Smaller pages, subpages loaded as if javascript were disabled, like it was being stripped out of my http session or something. I have screenshots that can document this. I thought "ok, you've been hacked for sure now, wtf did I download recently.." but I couldn't think of anything and I scanned backwards to front in safe mode, etc. Nothing. I rebooted my router with a new address and got a new IP from the ISP and suddenly everything's back to normal. Now I wonder.

    1. Re:Now I wonder if I saw this in action? by ShaunC · · Score: 2

      Do some Googling for the make and model of your modem, and of the router if it's a separate piece of equipment. There are exploits going around for some CPE, cable modems in particular, that allow a remote attacker to change the configured name servers among other things. If rebooting the modem or router fixed the problem, it's more likely that's what was compromised, not a NetBIOS tunnel in Windows.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  9. XP isn't affected by ISATAP... by Anonymous Coward · · Score: 0

    XP out of the box (even with all patches) doesn't even have IPv6. Neither does windows 2003.

    You have to go to the trouble of manually adding IPv6 as a protocol.

    And it isn't WAPD, it's WPAD (Web Proxy Auto-Discovery).

  10. Re:Told folks turn off NetBIOS since 1996 by Pikoro · · Score: 2

    I tend to use a philosophy of "less is more"

    That's why you have a multi megabyte host file right?

    Also. Bing? Really?

    --
    "Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
  11. Re:Told folks turn off NetBIOS since 1996 by Anonymous Coward · · Score: 0

    Proof that he's a completely incompetent tool, if he's using Bing.

  12. Nothing to do with VNC protocol by scdeimos · · Score: 1

    I'm assuming that's a typo in the summary, that "URI/VNC" should read "URI/UNC".

  13. Natively by Anonymous Coward · · Score: 1

    firewalls are natively designed to open the port

    My firewalls don't open any ports without me saying so.

    1. Re:Natively by Anonymous Coward · · Score: 0

      yep the article has a lot of blatantly false information around how firewalls work, like that they don't/can't block UDP. This vulnerability while serious isn't exactly something you would classify as critical and hence even MS only gave it an "important" rating. basic usual stuff of the researchers exaggerating to make their find look much more important than it actually is.

    2. Re:Natively by Anonymous Coward · · Score: 0

      yep the article has a lot of blatantly false information around how firewalls work, like that they don't/can't block UDP. This vulnerability while serious isn't exactly something you would classify as critical and hence even MS only gave it an "important" rating. basic usual stuff of the researchers exaggerating to make their find look much more important than it actually is.

      You seem to be confusing a Cisco Firewall appliance, or a Checkpoint firewall at the gateway perimeter with the local Windows Firewall, which typically is broken in many respects to issues like this. Stupid article really.

  14. Re:Answer = convenience, essentially... apk by Anonymous Coward · · Score: 0

    Some of that looks dated; I don't have time to read it all now, but skimming through, the gist looks good. I'll check out the rest tomorrow. Maybe this is what you should be promoting instead of a 3 million line hosts file, especially if you can bring it modern to include steps for Windows 7/8. No sense trying to write a guide for 10, as there's no securing 10 no matter what you do.

  15. Re:Yes & I've blown YOU away 9x on it... apk by Anonymous Coward · · Score: 0

    Looks like Whipslash is failing in stopping APK bullshit.

  16. I feel stupider the more I read by Anonymous Coward · · Score: 0

    ... from softpedia, about microsoft. Either/or, really. Getting a better news source would be a good start, editors.

  17. Told folks turn off NetBIOS since 1996 by Anonymous Coward · · Score: 0

    See subject: & use Port Filtering (@ IP stack level + in routers combined) allowing ONLY ports you absolutely need (in my case, 80/8080/443/53) in security guides I put out online HOW TO SECURE WINDOWS 2000/XP http://www.bing.com/search?q=%...

    1st in 1996-1997 & later more complete models in 2006 that go way, Way, WAY beyond "std. fare" security suggestions by far!

    * "Closing doors" or "bolting them shut permanently as possible" works & it's less to have to watch as well...

    (I.E. - Running services of ANY KIND you don't need = risk you take...)

    APK

    P.S.=> Security CAN be pretty 'simple' - I tend to use a philosophy of "less is more" & use what you already have natively vs. "Bolting on 'MoAr'" illogically (especially when it has massive holes in it for excess complexity that will lead to those holes eventually when a tech's NOT proven over time)... apk

  18. Researcher doesn't understand firewalls by Anonymous Coward · · Score: 1

    "Firewalls won't stop the attack, because UDP is a connectionless protocol. We are using it to establish a tunnel. That is why it be named 'BadTunnel'," Yu explains.

    My border firewall certainly stops this attack from outside the network since it does not allow IP protocol 41 which is used by ISATAP.

    Submitter doesn't understand firewalls either:

    firewalls are natively designed to open the port through which the attack is carried out

    That may be true of the built-in Windows firewall, but it is not generally true for other ("real") firewalls.

  19. Can I patch my Win7 without "upgrading" to Win10? by KWTm · · Score: 1

    Agree! I am trying to decide whether to allow Windows Update on my precious Windows 7 laptop which I finally bought for work after having been subject to Windows 8 crap (I'm trying to avoid the freshly-crapped Windows 10 with which one co-worker was saddled). Never thought I'd ever actually type the sequence of characters "precious Windows" in my lifetime, but after a lot of looking, I found a laptop Dell was selling that still had Windows 7 (Dell Vostro); it comes with a "Recovery CD-ROM" that installs Windows 8, so if my Windows 7 installation ever craps out, I'll have to be dragged screaming and kicking back into the Windows 8+ world.

    As soon as I got wind of Microsoft's "We'll upgrade you to Win10 for free! Whether or not you like!" scam, I disabled Windows updates. Now I have to figure out whether I want to get Win7 updated to protect me from this vulnerability, and risk having the entire system turned into a Win10 system. :sigh:

    --
    404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
    [GPG key in journal]
  20. Re:Can I patch my Win7 without "upgrading" to Win1 by Anonymous Coward · · Score: 0

    . it comes with a "Recovery CD-ROM" that installs Windows 8, so if my Windows 7 installation ever craps out, I'll have to be dragged screaming and kicking back into the Windows 8+ world.

    Tip: A disk-image is your friend here. Make one of your (as) clean (as possible) system and you're golden. Or put Linux on it, but I get the impression that is not possible for your work. Making a disk image with a (Live) CD should not be that hard.

  21. Mostly OK for 7 (8 onward != Windows imo) by Anonymous Coward · · Score: 0

    See subject: CIS Tool for 7 (they took 3 of my suggestions to improve it) = fine (see ps below) & I don't CONSIDER 8/8.1/10 "windows" but an advertising-spying platform w/ a dumbed-down 'crippled' interface.

    Hosts program's been my 'focus' 2013 on - others can "take the ball" on security guides!

    It's NO "3 million line" hosts file - my PERSONAL one crosses almost 4++ million but I don't hand it out to everyone!

    Mine tests how BIG I can grow it before perf hits (has stale entries but program allows purge by reverse DNS w/ a downside (servers can set ICMP replies off deceiving it). Hardcodes @ top avoid it as I spend a GOOD 95++% of my time @ them vs. meandering - what MOST do like w/ TV channels)

    Others can build their own via my program (w/ current data - MOST important type) - MOST you get initially ~ 250k lines

    APK

    P.S.: Dated iirc = AdBlock & MS removed PortFilters @ IP stack (how you did 'em in 2000/XP) + services 8-10 past 7 turned off vs. auto

  22. Is there a source by Anonymous Coward · · Score: 0

    Is there a source for this besides softpedia, because everyone reporting on it refers to that article.

  23. will never be patched by cellocgw · · Score: 1

    Given how many "stealth Win10 install" patches are lined up in all our "windows updates" notifications, and that plenty of people on /. and elsewhere have stated clearly they've just plain shut down all updates rather than try to weed out the crapware ones, it's pretty clear this vulnerability will remain on plenty of machines for a long time.

    --
    https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
  24. Re:Can I patch my Win7 without "upgrading" to Win1 by Anonymous Coward · · Score: 0

    This. Standard IT practice: if you're going to nuke the system for some reason (installing a new OS *is* nuking the system) make a full set of backups including an image before starting. I had to use the image to revert to Win7 after Win10 messed up on one computer out of the 4 in the house (the laptops are running 10 fine).

    As for the updates: in Windows 7 updates are still a la carte, and you can review them before downloading. And it's not all (automatic) or nothing (off). Instead of turning them off entirely, set them to notify you before downloading; that still works to keep Win10 off your system as long as you don't allow the updates that are related to it (I think about 10 of them now). Install GWX Control Panel and lock down against Win10 (Never10 does it too), enable GWX's "monitor" mode to catch anything you miss, then look at the updates. Most "Important" updates that are labeled "security" updates, and this is one of them, are OK, but check each anyway for evidence of relation to Win10 or "enhancing the upgrade experience" or "checking compatibility" or terms like that. Be aware that one of the recent IE cumulative updates (which ARE needed) includes a nag to get Win10 though it doesn't actually download it - but who uses IE any more anyway? Yes, it's a little more work, and if you're a business with a bunch of computers you may need other options.

  25. NetBIOS should be disabled anyway by evolutionary · · Score: 1

    NetBIOS was always a bit of a hack anyway. We shouldn't be using it anymore, period. An internal DNS is enough and easy to set up.

    --
    "Imagination is more important than knowledge" - Einstein
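
The mitigation named in the summary and in the comment above (disabling NetBIOS), as an added example that is not part of the thread: a Windows PowerShell script that reports the NetBIOS over TCP/IP setting of each IP-enabled adapter and disables it only when run with `-Apply`, a switch defined by this script. It assumes an elevated Windows PowerShell session (`Get-WmiObject` is not available in PowerShell 7).

```powershell
# Added example, not from the thread: audit NetBIOS over TCP/IP per adapter.
# -Apply is a switch defined by this script; without it nothing is changed.
param([switch]$Apply)

# Meaning of Win32_NetworkAdapterConfiguration.TcpipNetbiosOptions.
# 0 defers to DHCP, so only 2 guarantees that NetBIOS over TCP/IP is off.
$names = @{ 0 = 'Default (from DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }

$adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

foreach ($nic in $adapters) {
    $current = [int]$nic.TcpipNetbiosOptions
    Write-Output ("{0}: NetBIOS over TCP/IP = {1}" -f $nic.Description, $names[$current])

    if ($current -eq 2) { continue }            # already disabled
    if (-not $Apply) {
        Write-Output '  would disable (re-run with -Apply)'
        continue
    }

    # SetTcpipNetbios(2) disables NetBIOS over TCP/IP on this adapter.
    $rc = $nic.SetTcpipNetbios(2).ReturnValue
    switch ($rc) {
        0       { Write-Output '  disabled' }
        1       { Write-Output '  disabled, reboot required' }
        default { Write-Warning ("  SetTcpipNetbios failed, return value {0}" -f $rc) }
    }
}

# Verification: any remaining listener on the NetBIOS name service port (UDP 137).
$listeners = netstat -an -p UDP | Select-String ':137\s'
if ($listeners) {
    Write-Output 'UDP 137 still bound:'
    $listeners | ForEach-Object { Write-Output ("  " + $_.Line.Trim()) }
} else {
    Write-Output 'No UDP 137 listener found.'
}
```

Run it once without `-Apply` to see which adapters would change; name resolution that still depends on NetBIOS will stop working once it is disabled, so confirm DNS covers those hosts first.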
  26. Re:Told folks turn off NetBIOS since 1996 by cellocgw · · Score: 1

    I tend to use a philosophy of "less is more"

    Actually, less is more than more.

    Just ask any csh jock.

    --
    https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
  27. Re:Can I patch my Win7 without "upgrading" to Win1 by Anonymous Coward · · Score: 0

    Just grab the .msu file for this fix & for your specific OS (e.g. Win7x32 or Win7x64 or whatever) and apply it manually.
    That's what I do with my systems. I save the important ones in case I have to reinstall from scratch.

  28. Re:Yes & I've blown YOU away 9x on it... apk by Anonymous Coward · · Score: 0

    Go be cancerous somewhere else.

    There's a reason YOU have to post anonymously all the time.

  29. Re:Yes & I've blown YOU away 9x on it... apk by Anonymous Coward · · Score: 0

    "... said the truly anonymous coward hypocrite pot calling a kettle black..." while not using your FAKE NAME online (the testament to your "ne'er-do-well" life itself) hahaha!

  30. Answer = convenience... apk by Anonymous Coward · · Score: 0

    See subject: That's a good question & I asked it myself - answer is "so it all 'just works'" right outta the box + whether you use it, or not - which also probably makes for LESS support calls like "why isn't (insert X here) working?"...

    * Which is the "why" of WHY I popped this guide together https://news.slashdot.org/comm...

    (...& the philosophy's MUCH like what you expound (less is more)).

    APK

    P.S.=> Leaving 'doors' open = dumb, & I agree w/ where you're coming from... only diff. between us really? Is that I put that out there for others (especially 'less savvy' others in 'things networking/security') but I had the SAME thoughts on the matter you do... I truly DO suspect the reason MS does it is what I wrote above... apk

  31. It's not bullshit... apk by Anonymous Coward · · Score: 0

    See subject: That's why there's no stopping it (or me) - & what I post on (as of late, hosts & my program for them) HELP ALL OF YOU/US in many ways + for considerably less minus security issues galore other "so-called 'solutions'" added on vs. using hosts/what you natively have that's proven, DO have (bad ones & many of them).

    APK

    P.S.=> I invite my naysayers to do something better OR to validly technically prove me wrong on my points on hosts - neither has EVER happened to date (since 2012 when I put it out for public consumption/use, gratis)... apk