Proof of concept code published for one of this month’s Win7 zero-days


    This topic contains 18 replies, has 11 voices, and was last updated by  anonymous 2 months, 1 week ago.

    • #341696

      woody
      Da Boss

      Catalin Cimpanu reports on ZDNet that the Chinese giant Qihoo 360 Core has published proof of concept code for the Win7 zero day identified as CVE-201
      [See the full post at: Proof of concept code published for one of this month’s Win7 zero-days]

      8 users thanked author for this post.
    • #341720

      Seff
      AskWoody Plus

      Thanks Woody.

      There’s a new Chrome update – Version 73.0.3683.75 (Official Build) (64-bit) which was found and installed when I checked Chrome a few minutes ago.

      3 users thanked author for this post.
    • #341727

      anonymous

      Does this also affect 64-bit users? Since I read it was affecting 32-bit users and wondered if it’s not actually just them.

      Also, how would you know if you were affected? Will they be seeking out the generic home user, or would it be more important/business computers? How would they actually know the difference, in fact?

      • #341735

        woody
        Da Boss

        Right now, it’s exclusively APT — nation-state actors.

        But that can change quickly if PoC code is available. I’ll only know for sure if reports start popping up about infections due to this particular 0day.

      • #341747

        Sinclair
        AskWoody Lounger

        The ZDNet article that Woody refers to explains it rather well.

        Win32k is a required part of Windows and exists in both the 32- and 64-bit versions of Windows 7.

        The file is called win32k.sys. The exploits affect both 32- and 64-bit Windows.

        The first exploit is a combination of two exploits working together to get results. One exists in Chrome (CVE-2019-5786) and the other in Windows 7 (CVE-2019-0808).

        The second one is a stand-alone exploit in Windows (CVE-2019-0797) that affects all versions of Windows, not just 7.

        Both work along the same lines and have other, already patched exploits preceding them: CVE-2018-8453, CVE-2018-8589 and CVE-2018-8611.

        Microsoft said the zero-day affected the Win32k component in Windows 7 and Windows Server 2008 operating systems to allow attackers to run code with admin rights.

        W7 x64 Pro&Home

        2 users thanked author for this post.
    • #341743

      Sessh
      AskWoody Lounger

      Possibly another vulnerability created from previous patches? I know this happens a lot, but I wonder just how many current vulnerabilities were created from previous patches on any Windows version. If this really does account for the majority of “new” vulnerabilities, I wonder if unpatched systems are safer than patched ones to some degree in an objective way.

      Both would have vulnerabilities, of course, but which has more? Would unpatched systems completely lack some or many of the attack vectors and vulnerabilities that patched systems have? Could some of these be avoided completely by not patching? I don’t know if these questions can be answered, but I wonder…

      Create your own problems, then come to the rescue. Be the villain and the hero simultaneously.

      • #341787

        warrenrumak
        AskWoody Plus

        This has been well-studied and is definitely not true.

        Almost all security vulnerabilities in Windows can be traced back to Windows Vista or earlier. The number of outright horrible security decisions and practices in XP is absolutely shocking. Microsoft didn’t even begin to address this until halfway through Vista’s development, and even though there have been thousands of security fixes, there are still many more.

        One of the currently-discussed vulnerabilities is an exception. The kernel team did a major rewrite of the compositing window manager (DWM) in Windows 8 to take advantage of the fact that the OS no longer needed to support running without it. This produced performance improvements and simplified the display code, but a coding error in the implementation exposed a race condition that could be exploited for local privilege escalation purposes.

        It happens. Programmers aren’t perfect, and they make mistakes… sometimes really dumb mistakes.

        The old adage applies: Never attribute to malice that which can be adequately explained by stupidity.


        7 users thanked author for this post.
        • #341797

          GoneToPlaid
          AskWoody Plus

          Actually, Microsoft had planned to lock down Vista’s kernel, similar to Unix, but the AV manufacturers threatened to sue Microsoft. Microsoft then agreed to keep the hooks into the kernel which the AV manufacturers needed for their products to function. Agreements, undisclosed to this day, were made between Microsoft and the AV manufacturers at the time.

          1 user thanked author for this post.
          • #341823

            warrenrumak
            AskWoody Plus

            What you said is only half-way correct, and also completely misses my point.

            PatchGuard was indeed introduced in Windows Vista as one of many hundreds of changes related to improving the security of the operating system. There were tons of things that went largely unnoticed, such as lowering the default COM launch & activation permissions, Mandatory Integrity Control, the Interactive Services Detection service, MSVC++ compiler improvements that detected insecure code, the whole Windows Service Hardening initiative… on and on and on.

            You’re also mis-stating how things went with the AV vendors in the Vista timeframe. Microsoft implemented PatchGuard in Vista 64-bit RTM (it was never going to be in 32-bit Windows due to implementation details). They later provided a set of APIs in SP1, developed in conjunction with 26-ish different security software vendors (they’d invited many more), that provided the ability to hook into specific things without directly patching the kernel call tables.

            This whole thing was widely covered in the tech media at the time… and Microsoft did release API documentation. It’s available on the Wayback Machine here: http://web.archive.org/web/20100525025318/http://download.microsoft.com/download/4/4/b/44bb7147-f058-4002-9ab2-ed22870e3fe9/Kernal%20Data%20and%20Filtering%20Support%20for%20Windows%20Server%202008.doc

            That doc is dated 2007, but it all still applies. You can find modern versions of the docs in the Windows DDK. Microsoft even has samples on Github demonstrating how to do a lot of this.

            The only potentially scurrilous detail here is that third-party minifilter drivers are loaded in an order that is assigned by Microsoft. This is so that “trusted” vendors that have clear legitimacy will have their AV drivers loaded before some random kid who fancies himself a hacker. Again, all documented in excruciating detail: https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes


            So… what was that you were saying about “undisclosed to this day”, hm?

            • #341833

              anonymous

              Thank you for the clarifications. I based what I wrote on an online computer magazine article which I read before Vista was released. Several years ago, I had to reinstall Vista on a single Vista machine at the office because the computer had been infected with malware. I must say that Vista, once all updating was done on the Dell computer which had the required hardware, was nicer than XP and was quite stable.

            • #341834

              GoneToPlaid
              AskWoody Plus

              I forgot to log in again.

        • #341841

          Morty
          AskWoody Plus

          Wow, warrenrumak, this is a keeper:

          The old adage applies: Never attribute to malice that which can be adequately explained by stupidity.

          It reminds me of a line I heard, “If you make something idiot-proof, they’ll just make a better idiot.”

          2 users thanked author for this post.
    • #342065

      anonymous

      “That isn’t good news for Win7 users.”

      In what way? Unless, of course, you don’t apply the latest patches that address the issue. Even if you don’t, your anti-virus software will likely protect you (providing you don’t ignore warnings).

      See: Symantec Anti-Virus Write-up (March 13, 2019)

      See: Microsoft “CVE-2019-0808; Win32k Elevation of Privilege Vulnerability”

      One interesting finding that I came across is that “Failed exploit attempts may result in a denial of service condition.”

      Source: SecurityFocus

      Oddly, on Mar 12, my router shut down a DoS for nearly 20 minutes. One can only wonder …

      – Carl –

      1 user thanked author for this post.
      • #342121

        b
        AskWoody Plus

        “That isn’t good news for Win7 users.”

        In what way? Unless, of course, you don’t apply the latest patches that address the issue.

        – Carl –

        Because Woody and Susan won’t recommend installing those patches for weeks yet.

        Knuckle dragger Cannon fodder Chump Daft glutton Idiot Sucker More intrepid Crazy/ignorant Toxic drinker Saluted blockhead "Unwashed mass" (Group ASAP) Win10 v.1903

    • #342307

      anonymous

      Regardless, all major anti-virus vendors should have new mitigations in place to prevent CVE-2019-0808 from executing. The Symantec link above describes Norton’s patches (my vendor).

      Defense in depth. OS, browser, firewall, A-V, etc.

      I’m a bit dismayed that some (e.g. Google) state that Win 7 is unsafe because of CVE-2019-0808. This is NOT true – far from it.

      Did no one notice that “CVE-2019-0797: Win32k Elevation of Privilege Vulnerability” (also fixed in the latest patches) affects all versions of Windows EXCEPT Win 7/Server 2008? This too is a Win32k-related vulnerability.

      Ah, so let’s call Win 10 insecure because of this?

      Microsoft, while slow, does a reasonably good job of patching security issues. Wait … did I just give MS a compliment???

      – Carl –

      1 user thanked author for this post.
    • #342405

      Noel Carboni
      AskWoody_MVP

      …the Chinese giant Qihoo 360 Core has published proof of concept code…

      Addressing the elephant in the room…

      Is it just me or does someone publishing “proof of concept” code do nothing that couldn’t be accomplished just as well by privately contacting the OS company? And for what, some kind of marketing advantage? To show that their product can detect attacks where others fall down?

      -Noel

    • #342619

      anonymous

      Also, the timing of the Qihoo 360 Core POC (Mar 14) and stated purpose was peculiar.

      1) MS released patches on Mar 12.
      2) A-V vendors began releasing mitigations on the same day.

      Qihoo 360 Core said that they “constructed the POC and reproduced the vulnerability triggering process so that security vendors can reference to increase the corresponding protection measures.”

      It appears that security vendors already had this information prior to the Mar 10 KB4489885 patch date (Google notified MS more than 3 months ago). The speed and timing of the mitigations/disclosures indicates they were working with MS to develop heuristics strategy (it’s not a virus). So why did Qihoo 360 Core release this now – after the fact?

      Also, I’m not convinced what Qihoo 360 provided can be accurately described as new or original research – the problematic API call (NULL pointer dereference) was already well understood.

      Qihoo 360 did demonstrate that the patch works (well, yeah). But, I’m with you Noel – what’s the real motive here?

      – Carl –

      2 users thanked author for this post.
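As an added example (not code from any poster in this thread), here is a PowerShell audit a Windows 7 administrator could run to check whether the KB4489885 rollup Carl mentions is installed and which win32k.sys file version the machine carries. The minimum patched file version is an assumption left as a placeholder to be filled in from the KB article; the KB id and the `win32k.sys` path are the only values taken from the thread.

```powershell
# Added example, not from the thread: audit a Windows 7 host for the
# March 2019 Win32k fix (CVE-2019-0808) discussed above.
# Assumptions: KB4489885 is the 2019-03 monthly rollup named in the thread;
# the minimum patched win32k.sys version is NOT given in the thread, so the
# value below is a PLACEHOLDER you must take from the KB article first.

$RollupId          = 'KB4489885'
$PatchedMinVersion = [version]'0.0.0.0'   # PLACEHOLDER: fill from the KB file information table

function Get-Win32kPatchState {
    param(
        [string]$KbId = $RollupId,
        [version]$MinVersion = $PatchedMinVersion
    )

    # Get-HotFix reads Win32_QuickFixEngineering. A rollup superseded by a
    # later cumulative rollup may no longer be listed, so absence alone is
    # not proof the fix is missing; the file version is the stronger signal.
    $installed   = Get-HotFix | Where-Object { $_.HotFixID -eq $KbId }
    $installedOn = $null
    if ($installed) { $installedOn = $installed.InstalledOn }

    $sysPath         = Join-Path $env:SystemRoot 'System32\win32k.sys'
    $fileVersionText = (Get-Item $sysPath).VersionInfo.FileVersion
    # FileVersion strings look like "6.1.7601.NNNNN (build tag)"; keep the numeric prefix.
    $fileVersion = [version](($fileVersionText -split '\s')[0])

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        RollupInstalled   = [bool]$installed
        RollupInstalledOn = $installedOn
        Win32kVersion     = $fileVersion
        VersionAtOrAbove  = ($fileVersion -ge $MinVersion)
    }
}

Get-Win32kPatchState | Format-List
```

Run it from an elevated prompt on each Win7 host; treat `VersionAtOrAbove` as authoritative only after replacing the placeholder version with the one published for KB4489885.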