News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Good news: The “wormable” security hole in XP, 7, and related Servers, isn’t being exploited yet

    Home Forums AskWoody blog Good news: The “wormable” security hole in XP, 7, and related Servers, isn’t being exploited yet

    Viewing 8 reply threads
    • Author
      Posts
      • #1638449 Reply
        woody
        Da Boss

        If you’re running Windows XP (including Embedded) Windows Server 2003, Server 2003 Datacenter Edition Windows 7 Windows Server 2008, Server 2008 R2 Yo
        [See the full post at: Good news: The “wormable” security hole in XP, 7, and related Servers, isn’t being exploited yet]

        4 users thanked author for this post.
      • #1639004 Reply
        geekdom
        AskWoody Plus

        I usually serve as beta (guinea) pig for patches. This is one instance, as per instructions, that everyone should serve as beta (guinea) pig.

        G{ot backup} TestBeta
        offline▸ Win7Pro SP1 x64 Storage
        online▸ Win10Pro 1909.18363.900 x64 i5-9400 RAM8GB HDD Firefox79.0b7 Windows{Image/Defender/Firewall}
        3 users thanked author for this post.
      • #1641191 Reply
        TheSuffering
        AskWoody Lounger

        Woody, will you warn us when the first cases appear? I wanna patch asap but I don’t feel comfortable patching without knowing what to expect so I was thinking of waiting 1 or 2 more days to see if any problems arise with the patches

        • #1641199 Reply
          woody
          Da Boss

          I strongly suggest that you patch preemptively.

          When it hits, it’ll hit hard. There are a lot of people working on turning the hole into money.

          4 users thanked author for this post.
          • #1641257 Reply
            TheSuffering
            AskWoody Lounger

            Ok then, will patch when I get home, any known bugs so far?

      • #1642708 Reply
        anonymous
        Guest

        MDS seems like a bigger problem for ordinary users in my opinion, and much harder to stay safe from.

        “Allow remote assistance connections to this computer” is an default setting when you install windows 7 and also windows 10(maybe all microsoft operating systems). This has been an “wormable” for ages or atleast a weakspot for normal users because microsoft has it on as default. The first thing you do after installing the os: Turn off this and block port 3389 in firewall or anything with “Remote” in firewall.

        What will even microsoft do with this when you patch with may update, turn of remote asssistance?

        The bigger problem and why you should update(and all  operating systems) is the Microarchitectural Data Sampling (MDS) or Zombieload, and everyone with an Intel cpu with Hyper-Threading is extra exposed.

        • CVE-2018-12126 Microarchitectural Store Buffer Data Sampling (MSBDS)
        • CVE-2018-12130 Microarchitectural Fill Buffer Data Sampling (MFBDS)
        • CVE-2018-12127 Microarchitectural Load Port Data Sampling (MLPDS)
        • CVE-2019-11091 Microarchitectural Data Sampling Uncacheable Memory (MDSUM)

        Not that I understand much of this but this seems bad https://youtu.be/Oeb-O4yKK2c

        1 user thanked author for this post.
        • #1648698 Reply
          GoneToPlaid
          AskWoody Plus

          I disabled hyperthreading in BIOS on all of the office computers with Intel CPUs which supported hyperthreading. Doing so instantly got rid of many random BSODs, and nobody has either noticed or complained about any change in their computer’s performance.

          • #1649578 Reply
            satrow
            AskWoody MVP

            Upload some of those old BSOD minidumps please, I’d like to take a look at them.

      • #1645335 Reply

        Ummm…. so this one from yesterday was a “Red Herring” (no pun intended)?

        “UPDATE: I’ve now seen one reliable report that there’s an RDP exploit in the wild. The attacks are said to come from China.”

        I’m easily confused. 🙂

        Win7 Pro SP1 64-bit ESU, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "Patch List", Multiple Air-Gapped backup drives in different locations, "Don't auto-check for updates-Full Manual Mode." Linux Mint Greenhorn
        --
        "A committee is the only known form of life that has at least four legs and no brain."

        -Robert Heinlein

      • #1648464 Reply
        GoneToPlaid
        AskWoody Plus

        I went ahead and installed the May security only update KB4499175 on my primary Win7 production machine. Thankfully, it installed cleanly and with no apparent issues so far. Given the potential seriousness of the threat, I figured that I would bite the bullet and run KB4499175 through its paces in a daily production environment.

        No known issues are presently listed for the May security only update KB4499175.

        Two known issues are presently listed for the May monthly rollup KB4499164. One issue is serious and involves McAfee products. Yeah, more AV issues!

        Woody says that all XP, Win7 and related servers should get patched. I agree. Win8 and Win10 users have nothing to worry about.

        For Win7 users on Group A and for the time being, you could install the May security only update KB4499175, just for the sake of getting patched against this wormable security hole, since the security only update presently has no known issues. Later and if and when the “all clear” is given for the May monthly rollup KB4499164, one would uninstall KB4499175 and reboot, and then install KB4499164. Or one could wait until June and install the June monthly rollup when that is given the “all clear.” The latter might be preferable since there are issues with IE and Edge in the May monthly rollup KB4499164.

        Note that the May security only update KB4499175 also includes the separate pciclearstalecache.exe utility. I can’t remember if one is supposed to run this EXE before or after installing the update since the underlying issue only affects those who run some types of virtual machine software.

        Needless to say, hopefully everyone is aware that it is a really good idea to disable remote assistance connections and Remote Desktop. There are alternative products which are far more secure.

        2 users thanked author for this post.
        • #1671445 Reply
          GoneToPlaid
          AskWoody Plus

          Yep. HSTS doesn’t work in any web browser with the May Win7 security only update installed. I am Group B. I am torn between letting this issue ride for now, or rolling back to December 2018.

          • #1677894 Reply
            b
            AskWoody Plus

            Only IE should be affected, for a small number of gov.uk sites.

            2 users thanked author for this post.
      • #1649658 Reply

        I went ahead and installed the May security only update KB4499175 on my primary Win7 production machine.

        Yup, all patched here too with no ill effects…but I did NOT know about RDP, RA and such matters, Networking being my weakest point.

        “Ah, the tangled wed we weave, when first we practice to…network?”

        Still wondering about that one report Woody posted about a confirmed exploit originating from China…

        Win7 Pro SP1 64-bit ESU, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "Patch List", Multiple Air-Gapped backup drives in different locations, "Don't auto-check for updates-Full Manual Mode." Linux Mint Greenhorn
        --
        "A committee is the only known form of life that has at least four legs and no brain."

        -Robert Heinlein

        • #1657794 Reply
          woody
          Da Boss

          Still wondering about that one report Woody posted about a confirmed exploit originating from China…

          I was wondering about that, too. My guess is that it’s a case of mistaken identity. The people who watch over such things say there’s nothing (yet) in the wild.

          2 users thanked author for this post.
      • #1654665 Reply
        honx
        AskWoody Lounger

        despite defcon 3 for windows 7 i still wait. i remember march 2018, having to roll back to december 2017 patch level because of patch screw ups. i’m not gonna repeat that. i stay put. i wait until there is something exploiting it.

        btw. remote desktop services startup type ist set to manual, it isn’t even runnung. so is my computer even at risk without this service running?

        PC: Windows 7 Ultimate, 64bit, Group B
        Notebook: Windows 8.1, 64bit, Group B

        • #1657619 Reply
          woody
          Da Boss

          I’m still trying to confirm that, one way or another, with people who would know.

          It’s a tough question – and Microsoft isn’t answering it.

      • #1654851 Reply
        rdgwalker
        AskWoody Plus

        Does anyone know if Windows 7 embedded is vulnerable?

    Viewing 8 reply threads

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Good news: The “wormable” security hole in XP, 7, and related Servers, isn’t being exploited yet

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Cancel