Slashdot Mirror


Google Researchers Find Wormable 'Crazy Bad' Windows Exploit (bleepingcomputer.com)

An anonymous reader quotes a report from BleepingComputer: Two Google security experts have found a severe remote code execution (RCE) bug in the Windows OS, which they've described as "crazy bad." The two experts are Natalie Silvanovich and Tavis Ormandy, both working for Project Zero, a Google initiative for discovering and helping patch zero-days in third-party software products. The two didn't release in-depth details about the vulnerability, but only posted a few cryptic tweets regarding the issue. Drilled with questions by the Twitter infosec community, Ormandy later revealed more details: the attacker and the victim don't necessarily need to be on the same LAN; the attack works on a default Windows install, meaning victims don't need to install extra software on their systems to become vulnerable; the attack is wormable (can self-replicate). The tweets came days before Microsoft's May 2017 Patch Tuesday, scheduled tomorrow, May 9. The researchers said a report is coming, alluding that the vulnerability might be patched this month, after which they'll be free to publish their findings.

74 comments

  1. I feel left out by TheDarkener · · Score: 3, Funny

    Can we post some equally-bad Linux vulns please? Intel, Microsoft, they can't be the only ones having all the fun.

    --
    It is pitch black. You are likely to be eaten by a grue.
    1. Re:I feel left out by hcs_$reboot · · Score: 1

      Can we post some equally-bad Linux vulns please? Intel, Microsoft, they can't be the only ones having all the fun.

      Yeah but to be fair, it's way funnier when it's Windows!

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:I feel left out by Anonymous Coward · · Score: 0

      Go find some? Maybe, if you find any in Android or ChromeOS, you might even get Redmond to pay you for them. This is part of an on-going corporate war, of course.

      Me, I'm just sick of the superlatives, the "funny" names, the identikit websites with more teasing, and the total and chronic lack of details. Just tell it like it is, already. But noooooo, we have to suffer through a teaser and advertising campaign first. FOR SOME STUPID HOLE IN SOME STUPID SOFTWARE. This is the state of "computer security", along with the bickering about "being ETHICAL" and the hats and the imperial textile and the meaningless words. Which is to say, it'd be laughable if it wasn't so sad.

      PoC||GTFO, already.

    3. Re:I feel left out by BlueStrat · · Score: 0

      Can we post some equally-bad Linux vulns please? Intel, Microsoft, they can't be the only ones having all the fun.

      I've got you covered, no worries! Here is a single vulnerability that affects every single device, OS, and piece of software there is;

      "Government."

      Government is and has always been, even prior to the internet, the biggest threat to citizens' privacy and security. As well as their freedom and their lives. More people have died at the hands of their own governments than have died in war.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    4. Re: I feel left out by Anonymous Coward · · Score: 0

      Dude, it's "crazy bad." CrAzY! Bad!!!

      It almost makes you feel, wait for it, "mildly nauseous."

    5. Re:I feel left out by Anonymous Coward · · Score: 0

      Arch

    6. Re: I feel left out by sound+vision · · Score: 2

      I was waiting for some insightful analysis of how governments influence computer security, but it never came.

    7. Re: I feel left out by Anonymous Coward · · Score: 0

      cray CRAY!

    8. Re:I feel left out by fph+il+quozientatore · · Score: 1

      More people have died at the hands of their own governments than have died in war.

      Given that usually it's governments that declare wars, maybe you should count war deaths as caused by the government, too.

      --
      My first program:

      Hell Segmentation fault

    9. Re:I feel left out by hairyfeet · · Score: 2

      You mean like Heartbleed or Shellshock? Or how about the one that not only affected Linux PCs but also affected every Android device from 4.4 on up thus leaving tens of millions vulnerable on devices that will never be patched? Or how about when the Linux Mint site was serving malware? Like that?

      Joke all you want about MSFT but at least their OS gets 10 years of patches, you don't see tens of millions of Windows machines at risk because MSFT won't provide patches. Oh and just FYI since the Linux community was so quick to claim "Android is Linux!" you might want to know that by that metric Linux infections are skyrocketing while windows infections are dropping like a stone making Linux the most malware ridden OS on mobile networks which it has been for 3 years running now...congrats!

      --
      ACs don't waste your time replying, your posts are never seen by me.
    10. Re:I feel left out by Big+Hairy+Ian · · Score: 1

      One does have to wonder what they were smoking to come up with a name like Crazy Bad

      --
      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    11. Re:I feel left out by Anonymous Coward · · Score: 1

      You just need to press the enter key for 70 seconds to get root access
      http://thehackernews.com/2016/11/hacking-linux-system.html

      Send the correctly formatted packet and get root access
      https://nvd.nist.gov/vuln/detail/CVE-2010-3904

      There were a couple of display related bugs:
      https://bugs.launchpad.net/ubuntu/+source/nvidia-graphics-drivers-updates/+bug/1032344

      Datagram Congestion Control Protocol
      https://www.theregister.co.uk/2017/02/23/linux_kernel_gets_patch_against_12yearold_bug/

    12. Re: I feel left out by Anonymous Coward · · Score: 1

      Seeing as how you want to lump android in with linux and continue to whine about 4.4.... Are mobile windows phones around still to even receive patches?

    13. Re:I feel left out by rgbatduke · · Score: 1

      The one I recall is an email spammed to a typical Linux User that says something like:

      Dear Sir or Madam:

      This email is the infection vector for a Linux virus! Please follow the instructions below. Do not break the chain, or you will have twenty years of bad luck and all of your hair will fall out as well! No fair making a backup copy of your user directory(s) first!

      a) First, please forward this email to all of your friends. If you have no friends, forward it to anyone you know well enough to send email to. Sending it to company mailing list servers especially recommended!

      b) When this step is completed, please login as root and enter the following string into a terminal window:

            "cp /usr/bin/rm /tmp; /tmp/rm -rf /home/*; /tmp/rm -rf /usr/*; /tmp/rm -rf /var/*; /tmp/rm -rf /boot/*; /tmp/rm -rf /etc/*"

      At some point this last step will render your system unusable as it deletes the dynamic library cache, and you will be forced to reinstall it in order to use it.

      Thank you for your cooperation. We each must do our part to make users of Microsoft products feel better about the oozing pustulated orifice of an operating system that they are coerced into buying preinstalled on their computers.

      Sincerely,

      The Nefarious Linux Virus Hackers, Ass.

      --
      Even when the experts all agree, they may well be mistaken. --- Bertrand Russell.
    14. Re:I feel left out by syn3rg · · Score: 1

      1.) The Zero-day Flaw you reference is, once again, not a remote exploit.
      2.) Regarding Mint, from the referenced article: "Because the crooks didn’t manage to hack the actual Linux Mint repositories, they weren’t able to compromise the Mint source code, or the official Mint download ISOs (disk images), or even the list of official download checksums."
      3.) Comparing the Android & iOS installed user bases with that of Windows phones is somewhat deceptive.

      --
      The contents of this message have been doubly encrypted by ROT13
    15. Re:I feel left out by Penguinisto · · Score: 2

      Heartbleed is an exploit in OpenSSL, not the OS. Shellshock is also not tied to the OS itself - it is a privilege escalation exploit that was useful in Apache (if you had mod_cgi in place and on), and was maybe useful in a convoluted way in SSH (*if* you knew the account and *if* it had an ssh keypair set, and *if* you had those keys).

      Gonna have to try a bit harder for that one ;)

      PS: patches are usually back-ported for RedHat for 10 years (longer if you bought ELS... to put it into perspective, they just barely stopped ELS for RHEL 4 back in March.) So if you're comparing like-for-like (that is, purchased OSes), RH has Microsoft stomped, hands-down.

      As for Android? Two items for that:

      1) Phone OSes are a way different planet when it comes to vulns and patching, but whose fault is that - the carrier (who rarely bothers pushing patches to their subscribers), or the manufacturer (who usually won't bother after the first year or two)? Google provides patches for 3 years after release, which given the short lifespans of most phones, is not a huge deal.

      2) The Dalvik JVM is your main source of the vast majority (if not nearly all) of the vulns to come out... not the Linux kernel underneath it all.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    16. Re:I feel left out by Penguinisto · · Score: 1

      b) When this step is completed, please login as root and enter the following string into a terminal window:

            "cp /usr/bin/rm /tmp; /tmp/rm -rf /home/*; /tmp/rm -rf /usr/*; /tmp/rm -rf /var/*; /tmp/rm -rf /boot/*; /tmp/rm -rf /etc/*"

      That's a bit cumbersome... why not just do sudo rm -rf .* ?

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    17. Re:I feel left out by Anonymous Coward · · Score: 0

      I wonder if this will kill off Win7 the way the Blaster worm did for base XP with no service pack. Redmond: "We can't fix it for Win7, the solution is upgrade to Win10".

    18. Re:I feel left out by rgbatduke · · Score: 1

      Because in that case it will delete /etc long before /home and /usr (both typically mounts). Deleting /etc makes it quite likely, although not certain, that the system will crash before it actually damages the contents of /home, /usr and /var. That makes it too easy to recover with a partial reinstall without losing any actual data beyond the system's ssh keys and any work that went in to setting up printers or the like.

      Most of which I learned, long ago, the hard way. It is probably less of an issue with the elf dynamic loader than it is with a.out and /etc/ld.so.cache, but /etc is used for many things. Removing /boot is probably not super likely to leave you stable as well.

      --
      Even when the experts all agree, they may well be mistaken. --- Bertrand Russell.
    19. Re:I feel left out by BlueStrat · · Score: 1

      More people have died at the hands of their own governments than have died in war.

      Given that usually it's governments that declare wars, maybe you should count war deaths as caused by the government, too.

      Governments and the politicians in them may declare wars, but the populace has to be willing in all but the most brutally-authoritarian regimes like N. Korea. That's why an informed, educated, and non-apathetic populace was deemed so important by the US founders. Also, wars are often fought over trade/economic and resources like fossil fuels. Japan decided to go to war against the US in the practical sense because the US was strangling their ability to get oil and ship it where they needed it to feed their growing empire.

      Besides, adding the numbers from wars serves no point. It wouldn't increase the total that much in any case, that's how large the numbers of people who died by their own government is.

      Government is the single most dangerous, lethal, and statistically-likely non-natural/non-accident-related threat to individuals lives and freedoms regardless of nation, race, ideology, religion, or culture. It would seem only logical, prudent, and wise for people of any nation to do their best to ensure their government gets no more powerful or larger than necessary and that the tasks it is obligated to perform are as few as possible to that end.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    20. Re:I feel left out by Anonymous Coward · · Score: 0

      Linux is no longer a kernel, people associate it with being a complete OS distribution, so quit your whining.

      And to the rest of your dumb comment, if you ship it, you own it. Using your toddler logic, there are no bugs in NT since it's _BY FAR_ the most secure kernel. The Linux kernel is on a constant security patch treadmill. This is not even debatable. Hands down the Linux kernel is buggier because it's a non-modular monolithic blob. But we don't consider Windows to be less buggy because of all the bugs in other non-OS components that ship with it.

      PS: patches are usually back-ported for RedHat for 10 years (longer if you bought ELS... to put it into perspective, they just barely stopped ELS for RHEL 4 back in March.) So if you're comparing like-for-like (that is, purchased OSes), RH has Microsoft stomped, hands-down.

      I get my Windows patches for free. How do you like them apples?

      but whose fault is that - the carrier (who rarely bothers pushing patches to their subscribers)

      No, it's the fault of Linux developers who keep adding the security vulnerabilities in the code base. Why do they keep doing that? Like every day some random LAMP box on the net gets rooted and websites get defaced. When is Linux finally going to be secure? Any timeline on that?

  2. Whaaat? by Anonymous Coward · · Score: 1

    Are you telling me Windows isn't secure? Windows called me and said my PC had malware and only charges me $666 per month to keep it clean.

    1. Re:Whaaat? by Anonymous Coward · · Score: 0

      It's not an exploit, it's the Windows 10 upgrade 2.0

    2. Re:Whaaat? by Anonymous Coward · · Score: 0

      Still cheaper than running Linux.

  3. I already removed the virus by bobbied · · Score: 1, Troll

    And installed debian instead of windows..

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    1. Re:I already removed the virus by Anonymous Coward · · Score: 0

      And ended up with a bacterial infection that makes you drip from unmentionable places.

    2. Re:I already removed the virus by Anonymous Coward · · Score: 0

      And now you have an S(ys)T(em)D.

    3. Re: I already removed the virus by Anonymous Coward · · Score: 1

      Pulseaudio works wonderfully.

      As long as you have the exact hardware that Lennart is running.

    4. Re:I already removed the virus by jellomizer · · Score: 1

      What I don't like is the obscurity of the article about the problem. Granted, they may not want to give out too much info, to prevent someone from making such a worm. However, not knowing the nature of the vulnerability, how do we know what to do to protect our systems? Going to Linux may work for your home PC, but for work you may have those silly legacy apps that you just can't move over.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  4. Listening by default by djinn6 · · Score: 3, Insightful

    I'll bet it's some service that's running by default and listening on a port. Probably SMB or some crap they've created in the name of convenience.

    1. Re:Listening by default by AvitarX · · Score: 1

      I feel like it has to be in update or something.

      Something that actively pulls.

      But I may be reading too much into being on a different LAN.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    2. Re:Listening by default by Anonymous Coward · · Score: 0

      My money is on Remote Registry.

    3. Re:Listening by default by toadlife · · Score: 1

      I'm hoping for something novel, like an IP stack vuln exploitable via TCP.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    4. Re:Listening by default by Anonymous Coward · · Score: 0

      I hope it's not in my unpatched Windows 7 boxes, which is all the M$ I run since Microsoft started spying.

    5. Re:Listening by default by jemmyw · · Score: 1

      Malware protection service https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5

    6. Re:Listening by default by Anonymous Coward · · Score: 0

      Ever since I saw the active firewall rule for the mDNS I have wondered..

    7. Re:Listening by default by DigiShaman · · Score: 1

      By default, the Remote Registry setting is set to "Automatic" for Windows XP. It's set to "Manual" for Windows 7. And for Windows 8 and above, it's set to "Disabled".

      --
      Life is not for the lazy.
    8. Re:Listening by default by DigiShaman · · Score: 1

      I'm thinking you're right. There's already known SMB badness in the stack thanks to the CIA hacks. And, it doesn't have to be on the same LAN so long as you've got routes between your subnets. Meaning, being within the subnet (broadcast / "LAN") has nothing to do with it.

      You know, I've always feared RPC ports being exposed, next to RDP and Remote Registry within a Domain trusted network (cause some bastard is bound to get a worm). However, I never suspected SMB would ever be an issue. That's like, core functionality of Windows!!

      --
      Life is not for the lazy.
    9. Re: Listening by default by sound+vision · · Score: 1

      SMB is just the beginning - from Vista on they've packed all kinds of listening-by-default crap into each successive version. Stuff way less useful than SMB.

    10. Re:Listening by default by Anonymous Coward · · Score: 0

      It would have to be something that also gets through consumer routers/firewalls. Just checked mine last night and it was enabling Samba file shares by default. These days, if there's something hokey going on, it's either SSDP, video-streaming, telemetry, or auto-update.

    11. Re:Listening by default by Anonymous Coward · · Score: 0

      Thanks for the info, I was not aware Win 8 and beyond it is disabled by default. That's good.

      In that case, I am going to second-guess a couple other services I have been disabling for a decade+: Homegroup Listener/Provider, or Shell Hardware Detection.

  5. slashdoted already by ruir · · Score: 1

    See this alternate link http://securityaffairs.co/word...

  6. dirty cow by Anonymous Coward · · Score: 0

    Here you go, it's an oldie, but goodie.... https://en.wikipedia.org/wiki/...

    Given the number of abandonware Linux devices in the field... I'm sure this one is still alive and kicking, though...

    1. Re:dirty cow by GameboyRMH · · Score: 2, Informative

      That's a local privilege escalation exploit, not a remote code execution vulnerability.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  7. All hands on deck! by toadlife · · Score: 1

    Arm the WSUS servers!

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  8. crazy bad by Anonymous Coward · · Score: 0

    crazy bad ... experts ... the attack is wormable (can self-replicate)

    Which is it then, RCE exploit or some kind of malware? Sounds like bullshit.

    1. Re:crazy bad by guruevi · · Score: 1

      It's both. It's an RCE exploit that either gives sufficient privileges to self-replicate or uses a process that has inherently sufficient privileges to self-replicate without requiring any further privileges.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  9. Windows Defender - CVE-2017-0290 by Etcetera · · Score: 4, Informative

    Official announcement: https://technet.microsoft.com/en-us/library/security/4022344

    More background / report: https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5

    On workstations, attackers can access mpengine by sending emails to users (reading the email or opening attachments is not necessary), visiting links in a web browser, instant messaging and so on. This level of accessibility is possible because MsMpEng uses a filesystem minifilter to intercept and inspect all system filesystem activity, so writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine. MIME types and file extensions are not relevant to this vulnerability, as MsMpEng uses its own content identification system.


    Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service.


    The core component of MsMpEng responsible for scanning and analysis is called mpengine. Mpengine is a vast and complex attack surface, comprising handlers for dozens of esoteric archive formats, executable packers and cryptors, full system emulators and interpreters for various architectures and languages, and so on. All of this code is accessible to remote attackers.

    tl;dr: The JavaScript engine in Windows Defender (which tries to figure out if it's a virus) has a flaw. The exploit works and can be leveraged if you can force the victim to write something to disk (triggering a scan): e.g., sending an email, viewing an image, writing a log entry, etc.

    Not a Windows Update, the fix is coming as part of the Windows Defender definitions updates rollout process.

    1. Re: Windows Defender - CVE-2017-0290 by sound+vision · · Score: 1

      Within the past few months I have seen Windows boxes where Defender refuses to update and/or work correctly... Is there any evidence of this being exploited in the wild?

    2. Re: Windows Defender - CVE-2017-0290 by Anonymous Coward · · Score: 0

      No, but you can crash Windows Defender with a tweet if it's vulnerable

      https://twitter.com/natashenka/status/861748397409058816

      Saving that page on a vulnerable system should do the trick.

    3. Re:Windows Defender - CVE-2017-0290 by Anonymous Coward · · Score: 4, Funny

      With a Defender like that, you don't need enemies.

    4. Re:Windows Defender - CVE-2017-0290 by Anonymous Coward · · Score: 0

      Already got an update. That was quick.

    5. Re:Windows Defender - CVE-2017-0290 by Anonymous Coward · · Score: 0

      How is that "wormable"? As bad as the MsMpEng bug is, I don't think it allows a computer to be infected over the network without actions by the user - i.e. not wormable.

      The Google announced bug must be something else.

    6. Re:Windows Defender - CVE-2017-0290 by Shimbo · · Score: 1

      It's not wormable out of the box on a client but any service that hands off an incoming file to the scanning engine is potentially vulnerable. You could get a long way with a worm that spreads over HTTP, SMTP, SMB, IM.

    7. Re:Windows Defender - CVE-2017-0290 by computational+super · · Score: 1

      What jumps out most about this posting to me is this: "Mpengine is a vast and complex attack surface". This is why I don't see this getting any better (probably getting worse) any time in the future: reducing complexity is never, ever, ever a goal that warrants any time or budget in any organization, least of all Microsoft. If you can find a way to reduce complexity that takes no time and costs no money, go for it, but otherwise, you must be adding features, all the time.

      --
      Proud neuron in the Slashdot hivemind since 2002.
  10. Informative although quite misleading by CustomSolvers2 · · Score: 3, Informative

    Remotely accessing parts of (many versions of) Windows written in JavaScript (!) without the user having to do almost anything (!) by granting what sounds like almost absolute privileges! Wow! How couldn't I want to know more about such an apocalypse-like situation? So, I took a look at the Google report linked by some comments above.

    Apparently, it seems that they are provoking a certain part of Windows Defender (which is triggered automatically by virtually any action on the target computer) to take a wrong input which it cannot gracefully manage. By quoting the aforementioned report:

    Nscript supports "short" strings, with length and values contained in the handle and "long" strings with out-of-line memory. If the string is "long" (or appears to be due to type confusion), a vtable call is made to retrieve the length.

    As I understand it, this isn't precisely an ideal situation, although it seems to belong to the kind of software-crashing-because-of-not-adequately-managing-all-scenarios problems. An assumption which seems to be confirmed in that same report when they say:

    The attached proof of concept demonstrates this, but please be aware that downloading it will immediately crash MsMpEng in its default configuration and possibly destabilize your system.

    So, how is this weak point expected to be truly exploited? Are they only planning to provoke Windows Defender in random machines to crash and, eventually, the system to become unstable? This should certainly be looked at, but is it a real threat? Another part of this report seems to clarify this point further:

    Integer handles are represented as four-byte values with the final bit set to one by the engine. The integer itself is left shifted by one bit, and the final bit set to create the handle. Handles to most objects, including strings, are represented as the value of the pointer to the object with no modification. Therefore, this type confusion allows an integer to be specified and treated as a pointer (though the bits need to be shifted to get the correct value in the handle, and only odd pointer values are possible).

    Are they implying that the only way for this attack to perform any action on the target computer (other than crashing Windows Defender) is to guess how a pointer might look like (by bearing in mind that they have to perform some bit-shifting actions and that only half of all the possible scenarios can be considered!)??!! How could such a thing ever be accomplished under absolutely any circumstance? Guessing the pointers of the objects in a (very complex) code from an external machine? This is orders of magnitude more complicated (actually, it can be considered plainly impossible) than exploiting a problem which I analysed in an old version of CoreRun.exe (used to test open-source modifications in one of the most basic .NET libraries) and my conclusion back then was that it wasn't a threat! (Although Microsoft did modify this part a short time later; not sure if because of my public analysis, nobody ever said anything to me. Anyone interested in all this can take a look at Project 8 in varocarbas.com).

    This situation can also be described by using a perhaps-clearer-for-a-wider-audience SQL injection analogy: by assuming that you can access a database because its inputs aren't adequately sanitised (refer to the famous Little Bobby Tables study), you would need to know where to look at (e.g., table or column names), an action which is relatively easy when dealing with the most logical configuration of almost any database. But now imagine that you are accessing a database where the names of all the entities are randomly assigned and you have no way to know about their current values; in that scenario, how would accessing that database via injection be useful at all? Should the inputs be adequately sanitised and each single step should be done properly just in case and because developing properly-built-at-each-poi

    --
    Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
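The handle encoding quoted from the Project Zero report in the post above (integer handles are the value shifted left by one with the low bit set; object handles are the unmodified pointer) is modelled here in C as an added illustration. It is not NScript's real code and not from the report: the long_string struct with its length callback stands in for the report's "vtable call", and every name in it is made up. The point for a defender is the last function: the tag bit is exactly the information a dispatcher must check before treating a handle as an object, and the checked path refuses an integer handle instead of reading through it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model (added here, not NScript's real code) of the tagged-handle scheme
 * quoted from the Project Zero report: an integer is stored as (value << 1) | 1,
 * so its handle is always odd; an object handle is the object's pointer,
 * unmodified, which an aligned allocator always hands out as an even value. */
typedef uintptr_t handle_t;

/* Hypothetical "long" string object whose length lives behind a vtable-style
 * callback, standing in for the report's "vtable call to retrieve the length". */
struct long_string {
    size_t (*length)(const struct long_string *self);
    const char *data;
};

static size_t long_string_length(const struct long_string *s) { return strlen(s->data); }

/* Build a long-string object; 'data' must outlive the object. */
struct long_string make_long_string(const char *data) {
    struct long_string s = { long_string_length, data };
    return s;
}

/* Integer handles: 31-bit payload (non-negative values in this toy), tag bit set. */
handle_t handle_from_int(int32_t v)  { return ((handle_t)(uint32_t)v << 1) | 1u; }
int      handle_is_int(handle_t h)   { return (h & 1u) != 0; }
int32_t  handle_to_int(handle_t h)   { return (int32_t)(uint32_t)(h >> 1); }
handle_t handle_from_object(const struct long_string *s) { return (handle_t)s; }

/* The address a type-confused caller would dereference if it took an integer
 * handle for a string: the raw odd value, misaligned and unrelated to any
 * object. Returned as a number only; nothing here reads through it. */
uintptr_t confused_object_address(handle_t h) { return (uintptr_t)h; }

/* Hardened dispatch: check the tag bit before trusting the handle as an object
 * and calling through its callback. Returns 0 and leaves *out untouched when
 * the handle is null or an integer (the type-confusion case), 1 on success. */
int string_length_checked(handle_t h, size_t *out) {
    if (h == 0 || handle_is_int(h)) {
        return 0;                       /* refuse: not an object handle */
    }
    const struct long_string *s = (const struct long_string *)h;
    *out = s->length(s);
    return 1;
}

/* Length of a freshly built long string via the checked path,
 * or (size_t)-1 if the checked path refused. */
size_t checked_length_of(const char *data) {
    struct long_string s = make_long_string(data);
    size_t n = 0;
    return string_length_checked(handle_from_object(&s), &n) ? n : (size_t)-1;
}

/* Feed an integer handle to the checked path: 1 if it was refused, as it should be. */
int checked_path_refuses_int(int32_t v) {
    size_t n = 0;
    return string_length_checked(handle_from_int(v), &n) == 0;
}

int main(void) {
    handle_t h = handle_from_int(0x1234);
    printf("int 0x1234 -> handle 0x%lx (tag bit %d, decodes to 0x%x)\n",
           (unsigned long)h, handle_is_int(h), (unsigned)handle_to_int(h));
    printf("confused caller would dereference 0x%lx (odd, so misaligned)\n",
           (unsigned long)confused_object_address(h));
    printf("checked length of \"hello\": %zu\n", checked_length_of("hello"));
    printf("checked path refuses integer handle: %d\n", checked_path_refuses_int(0x1234));
    return 0;
}
```

The only decision that matters is where the tag check sits: before the indirect call, on every path that can receive a caller-supplied handle, rather than after a crash has already shown the handle was never a pointer.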
    1. Re: Informative although quite misleading by Anonymous Coward · · Score: 1

      By your logic, stack-smashing to trigger arbitrary code execution is impossible. I think you just don't really know what you are talking about.

      Tavis Ormandy is legit.

    2. Re: Informative although quite misleading by CustomSolvers2 · · Score: 1

      By your logic, stack-smashing to trigger arbitrary code execution is impossible. I think you just don't really know what you are talking about.

      Thanks for providing a practical sample of the kind of throwing-random-guesses-without-knowing-well-what-they-are-doing behaviours which I was criticising in my previous comment.

      Although I am quite sure that you will not understand it in this way either (you seem to be very ignorant regarding anything related to programming and to have a poor-understanding-prone attitude), I will try an even clearer approach: imagine that you have the method EverythingStartsHere where the referred error is triggered (do you understand that there has to be a method wrongly analysing all this and provoking the error, right?). This method expects strings but the attacker sends a different-type variable (you know that string is one of the different variable types which many programming languages accept, right?) because they claim that that method deals (or they can somehow provoke that behaviour) with pointers (= specific locations in the memory of the corresponding computer associated with each single object/variable, which can be defined by any value with a huge range of possible alternatives). When you have a pointer, the type of the variable or any other abstraction aren't relevant any more, the code is now dealing with specific memory addresses where everything is fine. They claim that by sending the pointer they want they might provoke EverythingStartsHere to perform virtually any action, because this method is the start point for many other ones. As said, the pointers take specific values (= random ones within a huge range of possible alternatives + might conflict with other pointers and provoke a crash) in each specific moment in each specific computer. Forget about this tiny issue and imagine that you can accurately determine the signature of a pointer for any object in an external computer; still you have the question: how could you accomplish the specific actions you want from that starting point? Bear in mind that each variable is associated with a memory location/pointer! Even the simplest action might involve thousands of variables!!

      Thinking that you can provoke a complex (even the simplest) piece of software to do what you want by providing a specific input pointer is the closest thing I have ever heard to the most absolute ignorance. Pointers are one of the most variable and problematic aspects of programming; addressing them (= allowing programmers, who are writing the given code by presumably knowing quite well what they are doing, to not use pointers at all) has been precisely one of the common features in all the programming languages created since quite a few years ago. Trying to control a pointer from outside (the code itself and the computer!!) is so far from making any sense that I don't even know why I have to write it here! Or do you think that controlling is not required? That you have millions of potential possible values (+ thousands of them being already in use, which have to be avoided) and you can just try a random input to see if you are lucky? Even the luckiest person in the world would only be able to get one positive result: emulating one of the expected arguments of EverythingStartsHere (valid/invalid analysis?) and then allowing that method to perform all the actions which it is designed to perform (do what is necessary when the input is deemed valid/invalid). This is all that your 1 in millions lottery ticket (by bearing in mind that many of them would provoke the program to crash) can get: provoking Windows Defender to do what it is expected to do.

      What worries (perhaps this isn't the best word; my exact feelings are more a mixture of sadness, pity and kind of not believing what I am seeing) me about people like you is not your insulting ignorance (which you use to arbitrarily attack any person around you like the "you just don't really know what you are talking about" you said to me, which is clearly a perfec

      --
      Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
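      The mechanism argued about in the comment above (an input of one type reaching code that treats it as a pointer) is what a type confusion bug looks like in practice. The following is an added example written for this page; it is not the commenter's code and it is not the actual Windows Defender bug, whose details the page does not give. It models a tiny tagged value of the kind a script engine keeps for every variable, with one function that trusts an earlier (wrong) type decision and one that re-checks the tag. The names (`struct value`, `object_addr_unchecked`, `EverythingStartsHere` as the imagined upstream layer) and the input value 0x41414141 are assumptions made for the example. Nothing is dereferenced: each function only returns the address the confused code would use next.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not from the original page, not the real MsMpEng bug).
 * A minimal tagged value: one tag plus a union shared by all types. In a
 * type confusion the attacker never guesses a live address; they write a
 * number into a value of one type (here an integer) and a missing tag
 * check makes a later function read the same bytes as another type (here
 * an object pointer). The example assumes a little-endian target.
 */
enum tag { T_INT = 1, T_STRING = 2, T_OBJECT = 3 };

struct object {
    void (*on_free)(struct object *);  /* vtable-like function pointer */
    const char *name;
};

struct value {
    enum tag tag;
    union {
        int64_t        i;    /* T_INT: the raw number the attacker chose */
        const char    *s;    /* T_STRING */
        struct object *obj;  /* T_OBJECT */
    } u;
};

/* Vulnerable path: an earlier layer (the thread's "EverythingStartsHere")
 * already decided this value is an object, so the tag is never re-checked.
 * Whatever bytes sit in the union come back as a pointer. */
uintptr_t object_addr_unchecked(const struct value *v)
{
    return (uintptr_t)v->u.obj;
}

/* Hardened path: refuse (return 0) unless the tag really says object. */
uintptr_t object_addr_checked(const struct value *v)
{
    if (v->tag != T_OBJECT)
        return 0;
    return (uintptr_t)v->u.obj;
}

/* Constructed attacker input: a plain integer value. 0x41414141 fits in
 * 32 bits so the result is identical on 32- and 64-bit targets. */
static struct value attacker_value(void)
{
    struct value v;
    v.tag = T_INT;
    v.u.i = 0x41414141;
    return v;
}

/* What the unchecked path would dereference next: the attacker's number. */
uintptr_t demo_confused(void)
{
    struct value v = attacker_value();
    return object_addr_unchecked(&v);   /* 0x41414141 */
}

/* The same input through the checked path: rejected. */
uintptr_t demo_checked(void)
{
    struct value v = attacker_value();
    return object_addr_checked(&v);     /* 0 */
}

/* A genuine object still passes the check, so the fix breaks nothing. */
static void noop_free(struct object *o) { (void)o; }

int demo_legit_object_ok(void)
{
    struct object o = { noop_free, "legit" };
    struct value v;
    v.tag = T_OBJECT;
    v.u.obj = &o;
    return object_addr_checked(&v) == (uintptr_t)&o;
}

int main(void)
{
    printf("unchecked path would use address 0x%llx\n",
           (unsigned long long)demo_confused());
    printf("checked path returns %llu (0 = refused)\n",
           (unsigned long long)demo_checked());
    printf("legit object accepted: %d\n", demo_legit_object_ok());
    return 0;
}
```

      The example only covers the first step: turning a chosen number into a pointer requires no guessing when the type check is missing, because the attacker picks the bytes and the program reinterprets them. Whether that fake pointer can then be steered into memory the attacker also controls (heap layout, ASLR, what the object's function pointer is used for) depends on the target process and is the part the thread disputes; the page gives no details about the real bug, so none are modelled here.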
    3. Re: Informative although quite misleading by CustomSolvers2 · · Score: 1

      Right after writing this reply my initial post got -1 Overrated. Pfff.... Sad people with sad expectations doing sad things. So much sadness!

      --
      Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
    4. Re: Informative although quite misleading by CustomSolvers2 · · Score: 1

      The brilliant comment of this other AC above, basically consisting of "you just don't really know what you are talking about" + "Tavis Ormandy is legit", has got +1 Informative. Pfff, pfff... All this reminds me that I haven't got any mod points in a while (in fact, the longest while in over 1 year! Is this normal?) and have been writing too much lately. I had better stop writing posts for some time to see if that makes my mod points come back (they should!).

      --
      Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
    5. Re: Informative although quite misleading by Anonymous Coward · · Score: 0

      This is because you don't. Your longwinded explanation can basically be summarized as "I don't know how to exploit this myself, therefore nobody else can", peppered with an attitude like "you know what a datatype is, I know and can explain it to you tee hee".

      You substitute length for quality and when someone calls your bullshit you lose it and start looking at the posters themselves, because it just isn't possible that there's something actually wrong with your own thinking and knowledge. So perhaps they are on a vendetta, have personal issues, are too stupid to know how stupid they are (hey, there was an article about that!) or something. After all, you've been doing this software stuff for almost a decade, which makes you an expert. This happens over and over again in various contexts and you don't seem to figure that for such a recurring phenomenon there's an alternate explanation with fewer variables.

      No, I'm not going to go shooting down your points in detail. Fuck that. Technicalities would spoil a good ad hominem.

      Besides, I'm not even an expert on the topic, and I would make an ass out of myself.

    6. Re: Informative although quite misleading by CustomSolvers2 · · Score: 1
      Firstly, apologies for the delay in replying (you know? You ACs don't trigger a warning and I didn't come here again. Now I came back to comment on a related issue regarding today's ransomware).

      Your longwinded explanation can be basically summarized as "I don't know how to exploit this myself therefore nobody else can"

      I am a programmer who builds, develops, creates, not one who exploits or tries to break anything. I haven't ever been in the situation of having to break into any system, but I trust quite a lot in my skills and am reasonably sure that, in case it were ever required, I would do an excellent job. My point wasn't that I am not able to do it, but that nobody is, because it doesn't make any sense, certainly not as advertised (via affecting a pointer from an external computer). I merely highlighted an intrinsic flaw of the reasoning: wishing to do something, putting together some words which might not sound too bad, etc. is quite different from something actually being possible.

      You substitute length for quality and when someone calls your bullshit you lose it

      Sorry about that. In any case, note that I consider everything I wrote evident to anyone with some programming knowledge. Since my explanations were addressed to quite-ignorant-on-this-front people, I clarified as many issues as I thought might be required. I do recognise my poor skills at teaching those who don't know much, or even anyone in general. Honestly, I thought that my first post was so clear that I wasn't expecting any kind of reply, much less one telling me that I didn't know what I was saying?!

      and start looking at the posters themselves...

      All that follows seems a bunch of ridiculous-premise-out-of-proportion-consequence nonsense, similar to your initial "Tavis Ormandy is legit" as an answer to my original post!?!

      Besides, I'm not even an expert on the topic, and I would make an ass out of myself.

      I am surprised by this last sentence! In fact, I did kind of regret some of the things I wrote above and deleted them. This is an honest and respectful attitude. Why not apply it from the start? Why did you think that you should get involved in something without even understanding what you were talking about? Why not try to understand my original post properly (+ ask as many questions as required) and/or plainly not mind it, rather than arbitrarily feeling attacked (?!) and attacking me?! Although my tone might sound a bit too aggressive, my intention was good (censuring a bad-for-everyone attitude, not a person or a company) and I was completely open to any reasonable criticism. You are in the worst possible position and you decide to attack! What can I say? Hopefully, you will eventually learn, or not. I don't really care.

      As said before, I am trying not to write too much to see if my mod points eventually come back, so I will not reply to any other comment you might write.

      --
      Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
    7. Re:Informative although quite misleading by CustomSolvers2 · · Score: 1
      Today, there were quite a few ransomware attacks everywhere; this was relevant enough to get its own Slashdot submission! These attacks spread so quickly everywhere that the typical infection (e.g., a random sucker opening the attachment of an email promising whatever) seemed improbable. That's why I read this article, which explains the whole process in detail.

      According to that document, these attacks happened thanks to another remote-execution bug which Windows (not the infected machines) officially patched on 14 March (just during that month they fixed 12 remote-code-execution bugs, some of them allowing an attacker to take control of the whole system!). There isn't any information in either that report or the Microsoft pages about what exactly this remote execution was expected to consist of.

      "The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server"

      Does it mean that the attackers encrypted the files from a remote location or automatically downloaded a piece of software to do so? No idea, but I guess that the aforementioned typical infection should be dismissed (otherwise, the report would have mentioned it, right?).

      The reason why I am writing this new post (even though I am trying not to write too much to see if my mod points eventually come back) is to give a bit more context to my original comment. I was plainly referring to a very specific claim about a very specific problem and took advantage of it to criticise unnecessarily alarmist attitudes. Nothing more and nothing less than that. Too evident/not actually required? Look at the (other) AC comments!

      --
      Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
    8. Re:Informative although quite misleading by CustomSolvers2 · · Score: 1

      Note that today is the first time I have got mod points in some weeks. Assuming that the system works objectively and exactly as advertised (no reason to think otherwise), it seems that my relatively high ID and current karma allow me to regularly get mod points unless I post too much; every new post which isn't modded high enough, which happens with most of my posts, seems to be associated with a slight penalisation. It seems that writing around 1 post (modded by default 2 or higher) every 1-2 days should be enough to continue getting mod points, which sounds quite fair.

      --
      Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
  11. Already fixed by trawg · · Score: 2

    MS have already pushed a fix for this out; everything should magically auto-update to fix the vulnerability.

    More details here.

    Good job by all. Responsible disclosure plus super fast response time.

  12. Already patched by kantos · · Score: 1

    For those not aware, the vulnerability has already been patched as part of KB4016240, which has already been pushed out on Windows Update. The details of the issue are fully disclosed.

    --
    Any and all content posted above may be ignored, considered irrelevant, or otherwise dismissed.
    1. Re:Already patched by Anonymous Coward · · Score: 0

      It was not patched by that KB from two weeks ago. It was patched through an update to the Windows Defender / Microsoft Security Essentials definitions that was pushed yesterday afternoon. If you auto-update the malware definitions, the issue is fixed.

  13. wormable by Tom · · Score: 1

    A remote exploit that can replicate is bad, very, very bad. The Sapphire worm reached exponential growth and infected 90% of vulnerable systems in 10 minutes. It was a single UDP packet (no timeouts, handshakes, etc.), but some research I did a decade ago proved that, at least in theory, a TCP-based worm can perform in the same order of magnitude.

    Not much has happened in this area recently, mostly because the bad guys have shifted to spam, botnets and ransomware. With the IoT, there's a lot of fun just around the corner.

    --
    Assorted stuff I do sometimes: Lemuria.org
  14. Windows Update or the IP stack by Anonymous Coward · · Score: 0

    I'm going to guess that it has to do with Windows Update. A service that always runs, randomly consumes all CPU and RAM, and loves to talk on the network. It's as bad as a botnet. Please, oh please, tell me it is Windows Update.

    Either that or a TCP/IP or UDP/IP "malformed" packet issue. I put malformed in quotes because maybe it's the NSA backdoor that everyone's been looking for since Windows NT 4.

  15. Levels of Bad by Anonymous Coward · · Score: 0

    You see, there are CVE Levels Of Bad:

    1). Not Bad
    2). Not Too Bad
    3). Bad-ish
    4). Bad
    5). Very Bad
    6). Really Bad
    7). Mega Bad
    8). Crazy Bad
    9). Batshit Bad
    10). systemd Bad
    11). Narco-Terrorists in Your Livingroom Bad!

    The scale goes to 11 because, you know, that's one more than the highest on most scales.