Slashdot Mirror


Microsoft Researchers Reveal Remote Encryption-Bypassing 'Evil Butler' Exploit (softpedia.com)

A security researcher demonstrated a way to bypass the full disk encryption in Windows BitLocker last November -- but that attack required physical access. Inserting the PC into a network with a counterfeit domain controller with incorrect time settings "allowed the attacker to poison the credentials cache and set a new password on the targeted device." An anonymous Slashdot reader writes: Microsoft fixed this vulnerability, and then fixed it again when two researchers pointed out in February 2016 that the fix was incomplete. At this year's Black Hat security conference, two Microsoft researchers have discovered a way to carry out the Evil Maid attack from a remote location, even over the Internet.

The two researchers say that an attacker can compromise a PC, configure it to work as a rogue domain controller, and then use Remote Desktop Protocol to access computers (that have open RDP connections) on the same network and carry out the attack from a distance. This particular attack, nicknamed a Remote Evil Butler, can be extremely attractive and valuable for cyber-espionage groups.

The article points out that Microsoft's February fix prevents this exploit, adding "The reason the two Microsoft researchers disclosed this variation of the original attack is to make companies understand the need to keep their systems up to date at all times."

29 comments

  1. how lucky i am by Anonymous Coward · · Score: 0

    to use dm-crypt. winsuckers.

  2. MICROSOFT IS ONLY evil butler in this FBI STORY by Anonymous Coward · · Score: 0

    Slashdot is FBI, everything on this site is FBI agenda.

    Microsoft is US Government.

    You have an OS that puts you on the Internet with all of your private data? That is your butler serving you Internets.

    Spy? yes literally 100%

  3. Why is remote desktop on by default? by ArtemaOne · · Score: 4, Interesting

    There are so many settings that I turn off on a new Windows installation. I really don't see why every back or front door has to be left open on a fresh install, upgrade, or update.

    1. Re:Why is remote desktop on by default? by akozakie · · Score: 5, Informative

      That's one thing. The other one is:

      "The reason the two Microsoft researchers disclosed this variation of the original attack is to make companies understand the need to keep their systems up to date at all times."

      At least one company I know blocked all updates for two reasons entirely under MS control. 1: Win10 is not cleared for use yet for many reasons, updates pushed GWX. 2: High priority updates containing nothing but telemetry. Not enough resources to test & review everything. That's one company looking for other options. Probable outcome - Win cleared for VM use only, under a different host.

      MS's feet are like a sieve from all the self-shooting. Future is not looking all that bright. Surprisingly, it's not due to buggy software - they're doing their best ever in that category. That's the price of allowing marketing&sales to touch the security feed.

    2. Re:Why is remote desktop on by default? by Anonymous Coward · · Score: 0

      It's not enabled by default:

      https://technet.microsoft.com/en-us/magazine/ff404238.aspx
      https://technet.microsoft.com/en-us/library/cc794832(v=ws.10).aspx

    3. Re:Why is remote desktop on by default? by Anonymous Coward · · Score: 0

      > At least one company I know blocked all updates for two reasons entirely under MS control. 1: Win10 is not cleared for use yet for many reasons, updates pushed GWX.

      Any half-competent company sysadmin can select updates to push using WSUS, that's why companies don't have any issues with Windows 7 machines being updated to 10. Not knowing that is really an unacceptable level of ignorance for any sysadmin.

      > 2: High priority updates containing nothing but telemetry.

      Citation? This seems to just be more ignorance.

      In any case you should be actively monitoring your network traffic anyway, I'm fairly sure you don't vet the source code of every application install to see what it is doing and if you can't even secure your network for computer operating systems then what do you do when you need to install applications?

      I know hating on Microsoft is popular here but it is becoming a constant excuse for IT incompetence. Microsoft tells you what they may collect and what they may do with that anonymized data, do you just trust that every bit of software that doesn't say anything isn't sending data? Secure your network and systems!

    4. Re: Why is remote desktop on by default? by Billly+Gates · · Score: 1

      Then that admin needs to be fired. I hope this company doesn't do any HIPPA or credit card processing.

    5. Re: Why is remote desktop on by default? by Anonymous Coward · · Score: 0

      What is HIPPA? Health Insurance Portability and Paccountability Act?

    6. Re: Why is remote desktop on by default? by Anonymous Coward · · Score: 0

      No, he deserves a raise for using his fucking brain. Look, we've got 20+ years of history regarding the quality of patches from Microsoft. If there's one thing everyone should have learned by now is that unless you understand exactly what it's going to do, don't apply it. Test it mercilessly. You do not blindly install them if you value your job.

      Of course with Win 10's cryptification of KBs even more, every Win admin should be polishing up their resume if they value their sanity.

    7. Re: Why is remote desktop on by default? by Billly+Gates · · Score: 2

      Right because security is never important and ransomware is never an issue. Please do not say just shut the whole business down for half a day while you go get the tape backups.

      Not acceptable! It amazes me at the incompetence I see in IT departments these days. If I get my identity stolen buying something because you didn't want to do your job I will sue.

      Patches rarely cause issues and Windows XP and 7 from RTM have HUNDREDS of vulnerabilities! How can any IT professional say with a smile he never updates? It drives me crazy.

    8. Re: Why is remote desktop on by default? by Anonymous Coward · · Score: 1

      Relax honey, you'll get your identity stolen because you clicked on a link in an email from the Honorable Najoree McNamara Punjab, not from an unpatched machine. Patches don't need to be applied immediately, competent IT guys rarely do.

      A few weeks/months to test for a screwup by Microsoft isn't the end of the world. And trust me they do indeed screw up often, I get paid the big bucks to be a dick about it.

    9. Re: Why is remote desktop on by default? by Billly+Gates · · Score: 1

      The grandparent stated they do 0 patching and testing and defended it.

      Very different than applying only crucial updates and waiting a month to 6 weeks for misc security patches to verify they are not problematic. A competent system administrator checks weekly for security bulletins, does testing and pushes things out within a few weeks or right away if a big scare hits the news like shellshock or code red. Testing of course too.

      My credit card data was stolen 3 times due to incompetent IT at Wendy's, Home Depot, and TigerDirect. Probably from the same folks who bash updates here with a smile.

    10. Re:Why is remote desktop on by default? by Anonymous Coward · · Score: 0

      > Not enough resources to test & review everything.

      An automatic comparison between an application-system and patch-system profiles could ease the issue. The next problem is how to create a reliable way of obtaining such profiles in these times of DRM.

    11. Re:Why is remote desktop on by default? by antdude · · Score: 1

      To make them easy for users to start using them. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).

    12. Re: Why is remote desktop on by default? by akozakie · · Score: 1

      Hey, take back "defended it"! I wasn't defending anything, I was stating a fact and presenting the reasoning behind it. Sure, the more this happens, the more machines go unpatched with serious vulnerabilities due to incompetent or heavily understaffed IT. This was much less of a problem a year ago, when in the same situation such companies just applied all important patches. That trust is now gone and that is entirely MS fault.

      Seriously, years of work to get to a situation where either IT has the knowledge and resources to control the patches (a good idea) or the machines autoupdate (worse, but still good)... all wasted in a few months, leading to a situation where IT unable to do the former may actually feel like turning off the latter is better than the alternative. Who cares if they're right or wrong, the point is it used to be very rare and now it really happens. Nightmare.

    13. Re:Why is remote desktop on by default? by Anonymous Coward · · Score: 0

      >Why is remote desktop on by default?

      Great question, and it all began with Windows XP. In those halcyon days of getting computers into peoples' homes and making them more friendly for domestic use, Microsoft (and others) used to offer a service where you could ask them to fix your computer over the internet. Yes! So the "Desktop Sharing" thing was for any IT service to remote into your computer and repair or install things for non-technical users at home. It was always on so those customers "needn't be burdened" with navigating simple menus to turn it on. This was a more trusting time where servicing customers was considered a point of pride, and helpdesks were expected to be ethical and not abusive.

  4. Which KB fixes this? by Mister+Transistor · · Score: 1

    I read the article and the researcher's PDF and neither really points out which "February Fix" MS released that addresses this particular bug. Anyone know which one, specifically?

    I have all Windows Updates turned off normally, so they can't pull a drive-by WinX install on me, but I would sideload this one KB if it was really worthwhile.

    --
    -- You are in a maze of little, twisty passages, all different... --

    1. Re:Which KB fixes this? by Mister+Transistor · · Score: 3, Informative

      Did a little more research; MS-16-014 addresses the fix, and the KB's resulting from it are KB3126587 and KB3126593.

      However, oddly, they are not included in the "SP2" roll-up released on 5/12/2016. Weird. I tried to find out if those two KB's were replaced by something newer and I haven't been able to turn up anything.

      I did find a couple of articles about the KB's causing some errors and failing to install on some systems, usually caused by a lack of an earlier update that they apparently are dependent upon.

      --
      -- You are in a maze of little, twisty passages, all different... --

    2. Re:Which KB fixes this? by Anonymous Coward · · Score: 1

      Actually, all of the files from 3126587 (MS16-004) are updated by 3125574 (the convenience rollup). You can look at the files list from the KB article for 3126587 and download the files list for 3125574, and see the newer versions (in fact, the binaries are also put on the LDR branch when you install 3125574, which you may or may not want).

    3. Re:Which KB fixes this? by Anonymous Coward · · Score: 0

      That's just lovely. We've been running unprotected from this for almost 3 months. What a clusterfuck.

    4. Re:Which KB fixes this? by Mister+Transistor · · Score: 1

      Thanks! I didn't drill that far down into the KB descriptions. Thanks for taking the time to confirm they are in fact addressed by "SP2".

      --
      -- You are in a maze of little, twisty passages, all different... --

    5. Re: Which KB fixes this? by Anonymous Coward · · Score: 1

      It's your own damn fault for not applying updates

  5. Windows is complicated, not because it is advanced by Anonymous Coward · · Score: 0

    Windows is a hack that will take years to fix. All that simple linking functionality with every api with no regard to *who* is doing what to *whom*s data.

    If it were not for the marketing assholes, I think many users would not even know that windows is a completely fucked up system.

  6. Each update fixes at least as much as it breaks by Anonymous Coward · · Score: 0

    ...making the prospect of regularly upgrading a complete nightmare. Particularly for home users who don't have IT on hand to fix things when their machine won't boot.

  7. Re:Windows is complicated, not because it is advan by Anonymous Coward · · Score: 0

    Thank god for advertising abuse.

    My grandmother now bitches. Lol

  8. Two researchers? by Anonymous Coward · · Score: 0

    I'd like to see their outfits on Halloween, and see which one's the Maid (or butler).

  9. Can't microsoft just give up on internet? by Anonymous Coward · · Score: 0

    Microsoft is adding new holes faster than it can correctly close them, so the only way to reasonably secure a Windows computer is to not connect a network cable. At that point the internet, cloud, software as a service, email, skype, etc. doesn't work anymore, so they may as well just give up. Just send me OS updates on CD-ROM, and try to prevent all forms of autorun for USB drives this time, please.

  10. if your bitlocker drive is unlocked.... by shione · · Score: 1

    If your bitlocker drive is unlocked, wouldn't anything be able to read the drive anyway?

    If it can still read your bitlocker drive when you haven't unlocked it yet then can it still read pre-win8 bitlocker drives before microsoft dumbed it down? https://encrypted.google.com/s...