Good news: The “wormable” security hole in XP, 7, and related Servers, isn’t being exploited yet


    This topic contains 17 replies, has 11 voices, and was last updated by  b 3 months ago.

    • #1638449 Reply

      woody
      Da Boss

      If you’re running Windows XP (including Embedded) Windows Server 2003, Server 2003 Datacenter Edition Windows 7 Windows Server 2008, Server 2008 R2 Yo
      [See the full post at: Good news: The “wormable” security hole in XP, 7, and related Servers, isn’t being exploited yet]

      4 users thanked author for this post.
    • #1639004 Reply

      geekdom
      AskWoody Plus

      I usually serve as beta (guinea) pig for patches. This is one instance, as per instructions, that everyone should serve as beta (guinea) pig.

      Group G{ot backup} Win7Pro · x64 · SP1 · i3-3220 · TestBeta · Microsoft Security Essentials
      3 users thanked author for this post.
    • #1641191 Reply

      TheSuffering
      AskWoody Lounger

      Woody, will you warn us when the first cases appear? I wanna patch asap but I don’t feel comfortable patching without knowing what to expect so I was thinking of waiting 1 or 2 more days to see if any problems arise with the patches

      • #1641199 Reply

        woody
        Da Boss

        I strongly suggest that you patch preemptively.

        When it hits, it’ll hit hard. There are a lot of people working on turning the hole into money.

        4 users thanked author for this post.
        • #1641257 Reply

          TheSuffering
          AskWoody Lounger

          Ok then, will patch when I get home, any known bugs so far?

    • #1642708 Reply

      anonymous

      MDS seems like a bigger problem for ordinary users in my opinion, and much harder to stay safe from.

      “Allow remote assistance connections to this computer” is a default setting when you install Windows 7 and also Windows 10 (maybe all Microsoft operating systems). This has been “wormable” for ages, or at least a weak spot for normal users, because Microsoft has it on as default. The first thing you do after installing the OS: turn off this and block port 3389 in the firewall, or anything with “Remote” in the firewall.

      What will Microsoft even do with this when you patch with the May update, turn off remote assistance?

      The bigger problem, and why you should update (and all operating systems), is the Microarchitectural Data Sampling (MDS) or Zombieload, and everyone with an Intel CPU with Hyper-Threading is extra exposed.

      • CVE-2018-12126 Microarchitectural Store Buffer Data Sampling (MSBDS)
      • CVE-2018-12130 Microarchitectural Fill Buffer Data Sampling (MFBDS)
      • CVE-2018-12127 Microarchitectural Load Port Data Sampling (MLPDS)
      • CVE-2019-11091 Microarchitectural Data Sampling Uncacheable Memory (MDSUM)

      Not that I understand much of this but this seems bad https://youtu.be/Oeb-O4yKK2c

      1 user thanked author for this post.
      • #1648698 Reply

        GoneToPlaid
        AskWoody Plus

        I disabled hyperthreading in BIOS on all of the office computers with Intel CPUs which supported hyperthreading. Doing so instantly got rid of many random BSODs, and nobody has either noticed or complained about any change in their computer’s performance.

        • #1649578 Reply

          satrow
          AskWoody MVP

          Upload some of those old BSOD minidumps please, I’d like to take a look at them.

    • #1645335 Reply

      Ummm…. so this one from yesterday was a “Red Herring” (no pun intended)?

      “UPDATE: I’ve now seen one reliable report that there’s an RDP exploit in the wild. The attacks are said to come from China.”

      I’m easily confused. 🙂

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "Wait for the all-clear", Multiple Air-Gapped backup drives in different locations, "Don't check for updates-Full Manual Mode."
      --
      "...All the people, all the time..." (Peter Ustinov ad-lib from "Logan's Run")

    • #1648464 Reply

      GoneToPlaid
      AskWoody Plus

      I went ahead and installed the May security only update KB4499175 on my primary Win7 production machine. Thankfully, it installed cleanly and with no apparent issues so far. Given the potential seriousness of the threat, I figured that I would bite the bullet and run KB4499175 through its paces in a daily production environment.

      No known issues are presently listed for the May security only update KB4499175.

      Two known issues are presently listed for the May monthly rollup KB4499164. One issue is serious and involves McAfee products. Yeah, more AV issues!

      Woody says that all XP, Win7 and related servers should get patched. I agree. Win8 and Win10 users have nothing to worry about.

      For Win7 users on Group A and for the time being, you could install the May security only update KB4499175, just for the sake of getting patched against this wormable security hole, since the security only update presently has no known issues. Later and if and when the “all clear” is given for the May monthly rollup KB4499164, one would uninstall KB4499175 and reboot, and then install KB4499164. Or one could wait until June and install the June monthly rollup when that is given the “all clear.” The latter might be preferable since there are issues with IE and Edge in the May monthly rollup KB4499164.

      Note that the May security only update KB4499175 also includes the separate pciclearstalecache.exe utility. I can’t remember if one is supposed to run this EXE before or after installing the update since the underlying issue only affects those who run some types of virtual machine software.

      Needless to say, hopefully everyone is aware that it is a really good idea to disable remote assistance connections and Remote Desktop. There are alternative products which are far more secure.

      2 users thanked author for this post.
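An added example, not from the thread or any poster: a PowerShell audit of the Remote Assistance / Remote Desktop exposure discussed above on a Windows 7 machine, with an optional -Harden switch that applies the settings the posters recommend. It assumes an elevated prompt; the registry values, service name and netsh syntax are the standard Windows ones, and the firewall rule name is a constructed label.

```powershell
# Added example (not from the thread): audit, and optionally harden, the
# Remote Assistance / Remote Desktop settings on Windows 7.
# Run from an elevated PowerShell prompt. The firewall rule name below is
# a constructed label, not a built-in rule.
param([switch]$Harden)

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$raKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'

# fDenyTSConnections: 1 = Remote Desktop connections denied, 0 = allowed
$rdpDenied = (Get-ItemProperty $tsKey).fDenyTSConnections
# fAllowToGetHelp: 1 = "Allow Remote Assistance connections" is checked
$raAllowed = (Get-ItemProperty $raKey).fAllowToGetHelp

# A Manual startup type does not by itself prove the port is closed, so
# also check whether anything is actually listening on TCP 3389.
$svc       = Get-WmiObject Win32_Service -Filter "Name='TermService'"
$listening = netstat -ano | Select-String ':3389\s+.*LISTENING'

# Every firewall rule that names local port 3389 (built-in "Remote Desktop
# (TCP-In)" included); -Context shows the rule name lines above the match.
$fwRules = netsh advfirewall firewall show rule name=all |
           Select-String -Context 8,0 'LocalPort:\s+3389'

"Remote Desktop denied (fDenyTSConnections): $rdpDenied"
"Remote Assistance allowed (fAllowToGetHelp): $raAllowed"
"TermService: state=$($svc.State) startmode=$($svc.StartMode)"
"Something listening on TCP 3389: $([bool]$listening)"
"Firewall rules touching port 3389: $(@($fwRules).Count)"

if ($Harden) {
    # Disable both features, stop the service, and add an explicit
    # inbound block for 3389 so a later re-enable still hits the firewall.
    Set-ItemProperty $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
    Set-ItemProperty $raKey -Name fAllowToGetHelp    -Value 0 -Type DWord
    netsh advfirewall firewall add rule name="Block RDP 3389 (inbound)" `
        dir=in action=block protocol=TCP localport=3389
    Stop-Service TermService -Force -ErrorAction SilentlyContinue
    Set-Service  TermService -StartupType Disabled
    "Hardened. Re-run without -Harden to verify the new state."
}
```

Run it once without -Harden to record the current state, then again after hardening to confirm nothing is listening on 3389 and both registry values have flipped.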
      • #1671445 Reply

        GoneToPlaid
        AskWoody Plus

        Yep. HSTS doesn’t work in any web browser with the May Win7 security only update installed. I am Group B. I am torn between letting this issue ride for now, or rolling back to December 2018.

        • #1677894 Reply

          b
          AskWoody Plus

          Only IE should be affected, for a small number of gov.uk sites.

          Knuckle dragger Cannon fodder Chump Daft glutton Idiot Crazy/Ignorant Toxic drinker Blockhead Unwashed mass Seeker/Sucker "Ancient/Obsolete" (Group ASAP) Win10 v.1903

          2 users thanked author for this post.
    • #1649658 Reply

      I went ahead and installed the May security only update KB4499175 on my primary Win7 production machine.

      Yup, all patched here too with no ill effects…but I did NOT know about RDP, RA and such matters, Networking being my weakest point.

      “Ah, the tangled web we weave, when first we practice to…network?”

      Still wondering about that one report Woody posted about a confirmed exploit originating from China…

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "Wait for the all-clear", Multiple Air-Gapped backup drives in different locations, "Don't check for updates-Full Manual Mode."
      --
      "...All the people, all the time..." (Peter Ustinov ad-lib from "Logan's Run")

      • #1657794 Reply

        woody
        Da Boss

        Still wondering about that one report Woody posted about a confirmed exploit originating from China…

        I was wondering about that, too. My guess is that it’s a case of mistaken identity. The people who watch over such things say there’s nothing (yet) in the wild.

        2 users thanked author for this post.
    • #1654665 Reply

      honx
      AskWoody Lounger

      Despite DEFCON 3 for Windows 7, I still wait. I remember March 2018, having to roll back to December 2017 patch level because of patch screw-ups. I’m not gonna repeat that. I stay put. I wait until there is something exploiting it.

      BTW, Remote Desktop Services startup type is set to manual; it isn’t even running. So is my computer even at risk without this service running?

      PC: Windows 7 Ultimate, 64bit, Group B
      Notebook: Windows 8.1, 64bit, Group B

      • #1657619 Reply

        woody
        Da Boss

        I’m still trying to confirm that, one way or another, with people who would know.

        It’s a tough question – and Microsoft isn’t answering it.

    • #1654851 Reply

      rdgwalker
      AskWoody Plus

      Does anyone know if Windows 7 embedded is vulnerable?
