Slashdot Mirror


BadTunnel Bug Hijacks Network Traffic, Affects All Windows Versions (softpedia.com)

An anonymous reader writes: Microsoft has just patched a vulnerability that affects all Windows versions ever released. Called BadTunnel, the security flaw allows attackers to pass as a WPAD or ISATAP server and intercept all network traffic. Exploitation is trivial and firewalls are natively designed to open the port through which the attack is carried out. BadTunnel can be triggered whenever the user clicks URI or UNC links/paths in Office files, IE, Edge, or other applications that support the URI/UNC scheme (and most do). Additionally, an attacker can carry out his attack from the other side of the world, and does not need to have a foothold on the victim's network. While recent Windows OS versions received patches, exploitation points remain open for non-supported Windows operating systems such as XP, Windows Server 2003, and others. For these operating systems, and for those that can't be updated just yet, system administrators should disable NetBIOS.

11 of 105 comments

  1. Re:WinXP Patch? by phrostie · · Score: 5, Funny

    just upgrade to Win 10 and everything will be ok.
    let go of your old OS and let MS set you free.

    for a limited time only.

  2. Microsoft please stop this madness by WaffleMonster · · Score: 4, Insightful

    For the life of me I can't figure out why all of these tunneling/transition protocols are enabled by default in Windows. Who uses automatic IPv6 transition schemes in 2016? They certainly are not now nor have they ever been sufficiently reliable for production use and TTL for IPv6 amateur hour has long since expired. Why is this worth the massive security headaches these things invite?

    Have a script that I run on any new windows boxes. Part of it does the following.

    netsh interface teredo set state disabled
    netsh interface isatap set state disabled
    netsh interface 6to4 set state disabled

    I'm honestly perplexed and dumbfounded why Microsoft is (still) doing this.
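An added example, not the poster's script and not anything from Microsoft: a PowerShell audit that reports the state of the three transition interfaces disabled above and of NetBIOS over TCP/IP (the summary's mitigation for hosts that cannot be patched), and turns them off when run with -Disable. It assumes Windows 8/Server 2012 or later for the NetTCPIP cmdlets and an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example: audit (and optionally disable) IPv6 transition technologies
# and NetBIOS over TCP/IP. Run without arguments to report, with -Disable to change.
param([switch]$Disable)

# --- IPv6 transition technologies (Teredo, ISATAP, 6to4) ---
$teredo = Get-NetTeredoConfiguration
$isatap = Get-NetIsatapConfiguration
$sixto4 = Get-Net6to4Configuration
Write-Host ("Teredo: {0}  ISATAP: {1}  6to4: {2}" -f $teredo.Type, $isatap.State, $sixto4.State)

if ($Disable) {
    # Same effect as the three netsh commands in the comment above.
    Set-NetTeredoConfiguration -Type Disabled
    Set-NetIsatapConfiguration -State Disabled
    Set-Net6to4Configuration  -State Disabled
}

# --- NetBIOS over TCP/IP, per interface ---
# NetbiosOptions: 0 = take the DHCP setting (usually on), 1 = enabled, 2 = disabled.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($iface in Get-ChildItem -Path $base) {
    $opt = (Get-ItemProperty -Path $iface.PSPath).NetbiosOptions
    $label = switch ($opt) { 1 { 'enabled' } 2 { 'disabled' } default { 'default (DHCP/on)' } }
    Write-Host ("{0}: NetBIOS over TCP/IP {1}" -f $iface.PSChildName, $label)
    if ($Disable -and $opt -ne 2) {
        Set-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -Value 2 -Type DWord
    }
}

# NetBIOS name service listens on UDP/137; after disabling, expect no rows here.
Get-NetUDPEndpoint -LocalPort 137 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

The registry change takes effect on the next adapter reset or reboot, so re-run the script afterwards to confirm the UDP/137 listener is gone.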

    1. Re:Microsoft please stop this madness by Monoman · · Score: 2

      IIRC it all started with Windows 7/Server 2008 and some features that *required* IPv6. You didn't really have to be running IPv6 on your network because MS was enabling tunneling and IPv6 by default so things would work automagically.

      https://en.wikipedia.org/wiki/...
      https://technet.microsoft.com/...

      --
      Keep the Classic Slashdot.
  3. Re: Break out my Windows 3.11 box by BronsCon · · Score: 2

    More reliable sources say 95 and on, which makes sense as prior versions didn't ship with a network stack.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  4. So sorry by Dunbal · · Score: 2

    I'm sorry but I'm done with Microsoft patches. If hackers want to watch me play CS:GO or post on slashdot they're welcome to do it, but I won't risk Microsoft's definite installation of spyware.

    --
    Seven puppies were harmed during the making of this post.
  5. Re:Told folks turn off NetBIOS since 1996 by Pikoro · · Score: 2

    I tend to use a philosophy of "less is more"

    That's why you have a multi megabyte host file right?

    Also. Bing? Really?

    --
    "Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
  6. Re:All versions of Windows, ever released? by evilviper · · Score: 2

    Nope.

    in August 1994, Microsoft released an add-on package (codenamed Wolverine) that provided TCP/IP support in Windows for Workgroups 3.11. Wolverine was a 32-bit stack

    https://en.wikipedia.org/wiki/...

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  7. Re:WinXP Patch? by uncqual · · Score: 2

    Yes, and if you're interested in being approached for interesting jobs, once the LinkedIn acquisition is complete, Microsoft will probably punish anyone not running Windows 10 by burying their names in search results. Get with the program - NOW!

    --
    Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
  8. Re: Break out my Windows 3.11 box by BronsCon · · Score: 4, Informative

    At worst, it could have been exploited by a system on the same LAN, as IPX/SPX was very frame-size and frame-order dependent, rendering it effectively useless as a WAN protocol.

    Additionally, read up on how the vulnerability functions. I had to read up on it a bit more than I already had in order to write this reply, but here's a summary: The attack involved convincing a Windows machine, via a flaw in NetBIOS over TCP/IP, that the attacking machine is a valid WPAD or ISATAP server. ISATAP is an IPv6 transition mechanism so we can rule that out as a WFW attack vector. WPAD hadn't been created by Netscape yet in 1993 when WFW was released (it was developed in 1996 as part of Netscape Navigator 2.0), so that's ruled out as well.

    Looks like WFW was safe.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  9. Re:Now I wonder if I saw this in action? by ShaunC · · Score: 2

    Do some Googling for the make and model of your modem, and of the router if it's a separate piece of equipment. There are exploits going around for some CPE, cable modems in particular, that allow a remote attacker to change the configured name servers among other things. If rebooting the modem or router fixed the problem, it's more likely that's what was compromised, not a NetBIOS tunnel in Windows.

    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  10. Re: Break out my Windows 3.11 box by BronsCon · · Score: 2
    For the sake of those who will only read up to the quoted line:

    It did have a TCP/IP implementation though. It just didn't do netbios over it.

    This is correct; and BadTunnel is initiated via an exploit in NetBIOS over IPX/SPX and relies on one of two additional services for which WFW had no support.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.