There’s now a freely available proof of concept exploit for the “wormable” WinXP/Win7 bug

[woody]

But it isn’t yet capable of inflicting damage https://twitter.com/GossiTheDog/status/1130425920987303936
[See the full post at: There’s now a freely available proof of concept exploit for the “wormable” WinXP/Win7 bug]

5 users thanked author for this post.

walker, jburk07, Elly, geekdom, abbodi86

[geekdom]

Well, you warned us that this vulnerability was apt to be exploited; it’s getting closer.

It probably wouldn’t hurt to keep virus checker definitions up to date.

G{ot backup} TestBeta
offline▸ Win10Pro 1909.18363.959 x64 i3-3220 RAM8GB HDD Firefox79.0 WindowsDefender
online▸ Win10Pro 1909.18363.1082 x64 i5-9400 RAM16GB HDD Firefox81.0 WindowsDefender
TargetReleaseVersion=1909
WUMgr

[VVet69]

I have disabled Remote Desktop and Remote Assistance through the Win7  System->Advanced System Settings -> Remote settings. Won’t this block the attempt to even connect to a PC using the exploit? Thanks!

 

[Arctic_Eddie]

I’ve done that but also have three firewalls blocking all unsolicited incoming. The modem, router, and all computers have the block in place. I’m hoping this is enough until the May update can be installed. I’ve found that rushing into an MS update is not always safe.

 

 

[jagshemash]

I’ve installed the May updates to 50+ Win7 Pro 64 PC’s and 4 2008R2 Production Servers and all is well so far. I’m not one to jump the gun on updates, but when MS releases a fix for XP, it gets my attention.

[StoopidMonkey]

As it stands now, do these patches have known side effects like CPU degradation? I was just about to roll out the April patches but I’m holding off until these are safe and stable.

[PKCano]

If you are running Win XP/7 you should go ahead and install the May updates.

2 users thanked author for this post.

geekdom, StoopidMonkey

[GoneToPlaid]

I installed the May security only update on my Winy7 production machine. I haven’t seen any additional performance degradation whatsoever.

2 users thanked author for this post.

Lori, Cybertooth

[StoopidMonkey]

PKCano wrote:

If you are running Win XP/7 you should go ahead and install the May updates.

Thanks PKCano! What if we’re running a mixed environment with 7/10/2008R2/2016? Will rolling it out mess with any of those OS’s?

[PKCano]

I have updated Win10 1803 and 1809 without a problem. That’s just my experience.
Suggest you read through the reports about Patch Tues and DEFCON for your situation. I think McAfee and Sophos are still having problems with patches.

[OscarCP]

Not being familiar with the concept in this particular context, I am asking the following questions:

Can this “proof of concept” be weaponized? If it is, then why was this “proof of concept” posted where, I think, anyone can get a copy from? How is a “proof of concept” of a malware concept supposed to work and what else is it for, besides proving that a hypothesized threat can be implemented? Is publishing in this way software as a “proof of concept” of potential malware a normal and accepted thing to do?

Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

1 user thanked author for this post.

StoopidMonkey

[anonymous]

Can this “proof of concept” be weaponized?

Ask or continue to read Mr. Beaumont’s Twitter account to gain knowledge.

Kaspersky/@oct0xor got Blue Screen with #BlueKeep. The GIF is authentic. Three different researchers at different companies have reached this stage so far. Note this in itself does not allow code execution. pic.twitter.com/EqppV2Xb8D

— Kevin Beaumont (@GossiTheDog) May 20, 2019

How is a “proof of concept” of a malware concept supposed to work and what else is it for, besides proving that a hypothesized threat can be implemented?

I believe you already understand by the nature of your question a proof of concept is supposed to demonstrate the viability of claimed security flaws.

Is publishing in this way software as a “proof of concept” of potential malware a normal and accepted thing to do?

This would be a good question to directly ask a more informed person in this case; As an example, the Spectre speculative execution flaws were responsibly disclosed and then proof of concept code was widely available on Github shortly after public disclosure.

[OscarCP]

Anonymous: ” I believe you already understand by the nature of your question a proof of concept is supposed to demonstrate the viability of claimed security flaws.”

That is only the general idea. But I am not familiar with the particulars, that is why I wrote, quoting your quote: “How is a “proof of concept” of a malware concept supposed to work and what else is it for, besides proving that a hypothesized threat can be implemented?” and that is why I am asking these questions.

For all I know, once in possession of said particulars I might just as well conclude that publishing a “proof of concept of the possibility of certain kinds of cyber warfare or criminal attacks” is a great thing to do, or else a terrible and tremendously irresponsible thing to do. Or even something in between.

Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

[Noel Carboni]

Proof of concept publication serves what purpose, exactly?

No one in the world ever thought this exploit up before, then someone did, and now because of the publication of a “proof of concept” (innocent-sounding, eh?) it’s suddenly available for every bad actor in the world to try to use against others?

To what end?

I’m personally protected from this exploit in a number of ways. Even better, I know that I am. What about most folks, who are not sure?

How does it make you feel to wonder whether you may now be vulnerable to any number of terrible people presumably now poking at your computer systems from abroad?

Does it make you feel like taking action that otherwise you might not?

-Noel

5 users thanked author for this post.

Lori, jburk07, satrow, OscarCP, Sessh

[mn–]

In the general case or this specific case?

Back in the day, vulnerability reports often wouldn’t be believed unless there was a proof of concept to show for it. And I mean even, if the software vendor would pay attention and issue an update to fix it, getting end users to install that fix…

Or in some cases, having the operating system vendor’s own applications division to approve that update for installing on servers running the high-end applications that were all bought as a single package deal… BTDT, “unapproved patch, configuration is unsupported” …

1 user thanked author for this post.

OscarCP

[warrenrumak]

There are lots of bad people out there, and you can categorize them into two groups:

1. Ne’er-do-wells who want tools to attack other people… be it for profit (criminals), subterfuge (government-sponsored spying), industrial espionage (learning your competitors’ trade secrets), or for fun (teenagers, mostly).
2. Bumbling  business leaders who don’t fully have their heads wrapped around item #1, and allow technical decisions to be made that expose their company to security risks.  The only way this lot gets their feet held to the fire, is if the company takes a major public reputational hit…. your typical Board of Directors doesn’t understand side-channel execution attacks, but they do understand bad press.

Unfortunately, the rest of us have to cobble together a sustainable computing experience in a world full of people in both those groups.

Sometimes, the IT & engineering folks need every little bit of help they can get their hands on to convince their bosses that changes are necessary.  Easy-to-use proof-of-concept code published on GitHub (a reputable site) is very compelling.

 

1 user thanked author for this post.

OscarCP

[Sessh]

Well sure, but posting a PoC code for anyone to get their hands on is what makes #1 a bigger issue or even an issue at all if no one would have thought to do it before. It’s like advertising to the whole neighborhood that the lock on your neighbor’s front door is broken and can be easily opened even when locked. Not only that, but also giving people the tools they need to open that door that have been proven by you to work.

The act of posting a PoC instantly makes the situation worse than it was before. I think that’s the point here. Is there really no other way to accomplish #2 than literally telling everyone in category #1 exactly how to use this code for their malicious ends and giving them the code fully intact? I don’t know, it seems like an extremely flawed way of doing things to me. There’s really no other way? Really?

It’s almost like the method is to convince people that a threat is real and dangerous by deliberately making it real and dangerous. Okay, you don’t want to take it seriously? Well, now we’re going to give the code to anyone that wants it. You going to take it seriously now? It’s an awfully silly way to do things IMO.

5 users thanked author for this post.

Noel Carboni, jburk07, SueW, OscarCP, Cybertooth

[OscarCP]

Category No. 3: Unfriendly nation states.

Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

[Noel Carboni]

To imply that a modern tech company would ignore a proven security threat unless Proof Of Concept code is published publicly is not really a reasonable position. Companies take such security threats very seriously.

What other justification might there be for such publication?

-Noel

[geekdom]

Echo.

– Get Microsoft May patches.
– Turn off remote access.
– Keep anti-virus software up-to-date.

G{ot backup} TestBeta
offline▸ Win10Pro 1909.18363.959 x64 i3-3220 RAM8GB HDD Firefox79.0 WindowsDefender
online▸ Win10Pro 1909.18363.1082 x64 i5-9400 RAM16GB HDD Firefox81.0 WindowsDefender
TargetReleaseVersion=1909
WUMgr

4 users thanked author for this post.

Lori, jburk07, SueW, Myst

[GoneToPlaid]

Aside from disabling Remote Desktop and disabling Remote Assistance, one should block incoming TCP and UDP connections on port 3389 in their router. If you can’t block 3389 in your router, you can block it in your firewall program. Steve Gibson has a web page which can check that you have port 3389 blocked. See:

https://www.grc.com/port_3389.htm

 

6 users thanked author for this post.

Lori, jburk07, SueW, lmacri, OscarCP, Cybertooth

[OscarCP]

GTP: The site explains why keeping the port wide open is dangerous, but not how to fix it.

An explanation of the latter, particularly how one does it in Windows 7, would be most gratefully appreciated. Thanks in advance for it, as it might also be of interest to more than one person here.

Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

1 user thanked author for this post.

fernlady

[Bluetrix]

OscarCP wrote:

An explanation of the latter, particularly how one does it in Windows 7, would be most gratefully appreciated.

A simple search as  “How to close ports in Windows 7” returned 49,000,400 hits in .58 seconds.

Do a search on Youtube, there are many HOW TO Videos on subject.

1 user thanked author for this post.

OscarCP

[anonymous]

Oscar, that is a good question. A search would reveal much, but one has to know what sites are respectable.

Check out these two. I hope they help.

How to block ports in Windows
by Martin Brinkmann
https://www.ghacks.net/2017/05/19/how-to-block-ports-in-windows/

How to Block Ports in Windows 7 – video using the windows firewall

Please follow the –Lounge Rules–

4 users thanked author for this post.

Lori, Myst, jburk07, OscarCP

[OscarCP]

Thank you so much, Anonymous and Bluetrix. As usual, of all those tens of thousands of “hits” probably a good many have nothing to do with closing that port, but there will be plenty about “port”, both the nautical term and the fortified wine, the word “in”, the number “7”, and many with “windows” in it (actual house windows, windows of opportunity…), etc. But still there will be many that will seem relevant.  So being given the links to, among all those sites, a couple where nobody is waiting in ambush to give misleading advice and lead the unwary to perdition, is a very good and helpful thing to do, and totally appreciated as such.

Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

[Bluetrix]

@oscarcp,
I see your concern. I only showed how easy it was to do a search for the information.
I didn’t offer which ‘hits’ were a port for ships or the best Port Wine in California.

The 1st three results I looked at before posting were about “How to close ports in Windows 7”, just as my search parameters requested.

Are you up to the task of separating the wheat from chaff and offer AW readers safe and correct advice on “How and why to close ports in Win7”, it could help a lot of people.

Maybe start a Topic on the subject.

1 user thanked author for this post.

Myst

[OscarCP]

Bluetrix,

My answer to your searching question is: “sadly, no.” I won’t pretend for one second to be up to the job of deciding on the worthiness of the advice to be gained online on this issue. So I am thankful to our Anonymous friend ( #1720873 ) for his contribution of those two URL links, and hope to see more like that — as probably may others here, as well.

Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

[GoneToPlaid]

Hi OscarCP,

The methods to block incoming ports varies, depending on on whether you want to do so in your router, or depending on whether you want to do so in Windows Firewall or in a third party firewall. Some routers, especially routers which are provided by cable companies, won’t allow you to block specific ports (mine won’t). This probably is to reduce support calls to cable companies.

Anyway, what firewall are you using?

Best regards,

–GTP

 

3 users thanked author for this post.

Lori, Myst, Bluetrix

[OscarCP]

GTP, Thanks for asking:

My firewall is that of the AV WebrootSecureAnywhere. I could also use the Windows 7 one, but have this notion that the AV one is better. Windows itself says it does not mind and is OK with that. Which puts something of an odd twist on the whole thing, does it not? Something your pointed question has now brought up to the surface of my consciousness. And that I am not too happy about.

Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

[GoneToPlaid]

Hi OscarCP,

I did some Googling, and I don’t see how to block specific ports under the settings for the Webroot SecureAnywhere firewall. Some more Googling reveals that Webroot SecureAnywhere firewall has to run on top of either Windows Firewall or another third party firewall! See:

https://community.webroot.com/webroot-secureanywhere-internet-security-plus-13/windows-firewall-and-webroot-firewall-254759#post292617

Get Windows Firewall turned back on! Then ask how to either block Remote Desktop Protocol in Windows Firewall or how to block port 3389 in Windows Firewall.

Best regards,

–GTP

 

1 user thanked author for this post.

OscarCP

[satrow]

A lot of modern 3rd party firewalls now work with the default Windows firewall (rules), not instead of it.

Any odd connection problems, enable it, reboot and test the affected software. A previously blocked program should then trigger the native firewall pop-up to ask if you want it to connect and on which network, private or public.

6 users thanked author for this post.

jburk07, woody, Lori, Elly, Myst, OscarCP

[OscarCP]

GTP and Satrow, thanks for your views on this issue of setting up the firewall to stop people snooping, or worse, on me and on my PC through port 3389. At this point I think that what is left is for me to apply the good old experimental method to investigate this question and see what happens when, keeping the AV firewall on, I block that port. And, if necessary, playing around with turning one of the firewalls on or off while doing something with the other (not permanently, of course).

At the moment I  am busy with a job I want to finish as soon as possible, mostly because I do not much like it. It’s a necessary thing that makes sense doing, but is not my favorite thing. When I am done I’ll go ahead and do the experimenting.

I also would like to bring your attention to the article that Geo (#1727332 )gave the URL link to, where it says (at least as I read it) that the possible malicious exploit under consideration here, because it is “wormable”, has nothing to do with the RDP. What do you make of that?

 

Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

[anonymous]

For business and governments companies that still pay MS for Windows Xp support, MS sent an update patch that address some slow downs with this patch. It seems MS will not releasing the re-updated patch to the public. Check with your contact at MS for the re-updated patch for Windows Xp.

[anonymous]

Thanks for the heads up. We were planning to deploy on our system. I check with our MS rep and he said that he did not get a chance to sent it out yet since we did not pay. I had to forward the proof that we paid for the next three years. MS is getting worse with sending out notifications since they made us sign the non-disclosure agreement to keep getting Windows Xp Updates.

How is IE11 running on Windows XP for your clients? It is bugging since last months updates but seems to be running well.

[anonymous]

XP running IE11! In what alternate timeline does XP support running any IE Version beyond IE8?

[anonymous]

How is IE11 running on Windows XP for your clients? It is bugging since last months updates but seems to be running well.

IE11 is running fine but some of apps require IE6 so those system have firefox or chrome installed.

XP running IE11! In what alternate timeline does XP support running any IE Version beyond IE8?

If you are government agency or businesses that are paying for Windows XP Pro support with payments of $6M or more every year. It is not available for the general public of XP home version.

[Geo]

https://www.scmagazine.com/home/security Some more info mentioned from this site.

3 users thanked author for this post.

Lori, OscarCP, Cybertooth

[OscarCP]

Quoting from this article (the bold-formatting is mine):

“Microsoft also released a patch for a number of currently unsupported operating systems (Windows 7, Windows 2003, Windows Server 2008 R2, Windows Server 2008 and Windows XP) for CVE-2019-0708 because if properly exploited could allow malware to move from one system to another in the same fashion as WannaCry in 2017.”

“The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017,” Microsoft wrote in its security blog.”

 

Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

2 users thanked author for this post.

Myst, Cybertooth

[Author]

Posts