
Daily Archives: January 14, 2020

  • Patch Lady – forget that crypto one, worry about this one

    Posted on January 14th, 2020 at 21:41 Susan Bradley Comment on the AskWoody Lounge

    If you are an IT consultant or admin with an Essentials 2012 (or later) server, or use the RDgateway role and expose it over port 443 to allow users to gain access to RDweb or their desktops, forget that crypt32.dll bug. This one is the one to worry about.

    Impacts 2012 and above – so no impact to SBS 2011 or SBS 2008, yes to Essentials 2012 and higher.

    Essentials 2012 exposes RDgateway over port 443 and 3389 is not open to the web (well, not normally) but given that this is a pre-authentication exploit, all an attacker has to do is to throw that crafted request to port 443 rather than 3389 (assuming I’m reading this right).

    So if you patch SMB servers that use RDgateway, worry about patching those servers this time faster than you would normally do.

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609

    A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's RD Gateway via RDP.

    (edit:  for anyone asking, 2008 R2 is not vulnerable and thus SBS 2011 is not vulnerable.  It’s only vulnerable on Server 2012 and later, remember SBS 2011’s base operating system drops out of support today)
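    The triage the post is asking for, as an added PowerShell example (not Susan's or Microsoft's code): it flags servers that match the risk profile above (Server 2012 or later, RD Gateway role installed, something listening on 443, fix not yet present). It assumes the Server Manager feature name RDS-Gateway and the service name TSGateway, and uses a placeholder KB number that you replace with the one the CVE-2020-0609 advisory lists for your OS build.

```powershell
# Added example, not from the AskWoody post. Run on the server itself in an elevated
# PowerShell session. $PatchKB is a placeholder: set it from the CVE-2020-0609 advisory.
function Test-RdGatewayExposure {
    param([string]$PatchKB = 'KB0000000')   # placeholder, replace with the real KB

    $os = Get-CimInstance Win32_OperatingSystem
    $osVersion = [version]$os.Version
    # Per the post: 2008 R2 (6.1, the SBS 2011 base) is not affected; 2012 (6.2) and later are.
    $osAffected = $osVersion -ge [version]'6.2'

    # RDS-Gateway is the Server Manager feature name; TSGateway is the service name (assumed).
    $feature = Get-WindowsFeature -Name RDS-Gateway -ErrorAction SilentlyContinue
    $roleInstalled = [bool]($feature -and $feature.Installed)
    $svc = Get-Service -Name TSGateway -ErrorAction SilentlyContinue
    $serviceRunning = [bool]($svc -and $svc.Status -eq 'Running')

    # Pre-authentication bug: anything that can reach 443 can talk to the gateway,
    # so a listener on 443 is what moves this box to the front of the patch queue.
    $listening443 = [bool](Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue)

    # Get-HotFix returns nothing (with a suppressed error) when the KB is not installed.
    $patched = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)

    $priority = if ($osAffected -and $roleInstalled -and $listening443 -and -not $patched) { 'Patch first' }
                elseif ($osAffected -and $roleInstalled -and -not $patched) { 'Patch soon' }
                else { 'Normal cycle' }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OSVersion      = $os.Version
        OSAffected     = $osAffected
        RoleInstalled  = $roleInstalled
        ServiceRunning = $serviceRunning
        Listening443   = $listening443
        Patched        = $patched
        Priority       = $priority
    }
}

Test-RdGatewayExposure
```

    Pointing the same function at a list of servers with Invoke-Command gives you the prioritised patch list for an Essentials or RD Gateway estate.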

  • January 2020 Patch Tuesday running commentary, from the skeptic’s corner

    Posted on January 14th, 2020 at 07:18 woody Comment on the AskWoody Lounge

    We’re in for a hum-dinger of a Patch Tuesday today, with knowledgeable folks anticipating a big, scary new Windows exploit and a ‘Softie Captain America shield patch. We’ll be covering it all right here.

    There’s some history to this one. See the details in my Computerworld Woody on Windows column, and keep watching here for the full blow-by-blow.

    UPDATE: Brian Krebs has an inside peek:

    NSA says they discovered the flaw on their own and that Microsoft will report that MS has seen no active exploitation of this vulnerability so far… NSA’s dir. of cybersecurity Anne Neuberger says the critical cryptographic vulnerability resides in Windows 10 and Windows Server 2016, and that the concern about this particular flaw is that it “makes trust vulnerable.”

    The odds are favoring Kevin Beaumont at this point.

    Another UPDATE: Ellen Nakashima at the Washington Post has an article out in the past hour that draws parallels to EternalBlue and WannaCry (which I mention in the Computerworld article):

    The National Security Agency recently discovered a major flaw in Microsoft’s Windows operating system — one that could potentially expose computer users to significant breaches or surveillance — and alerted the firm of the problem rather than turn it into a hacking weapon, according to people familiar with the matter… “Code-signing is one of the most effective tools we have to keep malicious software off of computers,” said Matthew Green, a cryptographer and computer science professor at Johns Hopkins University. If the flaw is patched quickly, it’s not that dangerous, he added. “If a lot of people don’t patch, it could be a disaster.”

    In response, Tavis Ormandy — another infosec luminary with a long history of straight shooting — tweeted this:

    I’m reliably informed that the Washington Post don’t know what they’re talking about, it’s not an authenticode issue, and is in fact a big deal.

    It’s going to be an interesting afternoon here at the not-so-OK Corral.

    Kevin Beaumont has some sage advice:

    Here’s a question – do you use digital signatures as a key security boundary control? I can count on my left little finger the amount of orgs that do. Patch your Citrix, Fortigate, Pulse Secure SSL VPN boxes and your 11 month old SharePoint vuln. And turn off SMB1.

    I would also mention patching Equation Editor, but I’ve beaten that dead horse for far too long. CVE-2017-11882 is the 2017-era Achilles Heel for many unpatched punters.

    ….Aaaaaaaand we’re off!

    214 separate patches available on the Microsoft Update Catalog.

    Dustin Childs has his usual well-researched overview on the Zero Day Initiative blog:

    Microsoft released patches for 49 CVEs covering Microsoft Windows, Internet Explorer (IE), Office and Office Services and Web Apps, ASP.NET, .NET Core, .NET Framework, Modern Apps, and Microsoft Dynamics. Five of these CVEs were submitted through the ZDI program. Of these 49 CVEs, eight are listed as Critical and 41 are listed as Important in severity. According to Microsoft, none of these are publicly known or under active attack at the time of release.

    So much for the Chicken Littles in the audience. But the day is yet young. Notably, Will Dormann (mentioned above) continues to warn that it’s a major problem, even though it’s not listed as exploited, and isn’t even listed as Critical.

    Martin Brinkmann has his detailed list on ghacks.net.

    According to Kevin Beaumont:

    The Microsoft advisory is out now.

    1) it’s only rated Important

    2) it’s a spoofing issue

    3) to get RCE [Remote Code Execution] with it you would need auth[orization], and to have code exec[uting] already.

    The NSA did a big press tour before the announcement, so expect big media play. portal.msrc.microsoft.com/en-US/security

    Exactly.

    The NSA begs to differ (PDF):

    The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors. NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.

    Which sounds a whole lot like NSA tooting its own horn. That said, I think it’s great that NSA is disclosing at least some of the security holes that it discovers.

    Unless more evidence turns up, I’m going to file this one away as a potential problem, for somebody, some day.

    Now back to our usual crowdsourced Windows patch bug catching.

    I don’t see any acknowledgment of — much less a solution to — the longstanding File Explorer search bug in Win10 1909.

    Look at all of the other security patches out today — Adobe, SAP, VMware, Oracle, and Intel. Thx, Catalin Cimpanu.