There’s now a freely available proof of concept exploit for the “wormable” WinXP/Win7 bug
- This topic has 37 replies, 17 voices, and was last updated 1 year, 8 months ago.
May 20, 2019 at 8:19 am #1705055
woody
Manager
But it isn’t yet capable of inflicting damage: https://twitter.com/GossiTheDog/status/1130425920987303936
[See the full post at: There’s now a freely available proof of concept exploit for the “wormable” WinXP/Win7 bug]
May 20, 2019 at 9:03 am #1705448
geekdom
AskWoody Plus
Well, you warned us that this vulnerability was apt to be exploited; it’s getting closer.
It probably wouldn’t hurt to keep virus checker definitions up to date.
Beta Work {Got backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender TRV=1909 WuMgr
offline▸ Win10Pro 20H2.19042.685 x86 Atom N270 RAM2GB HDD WindowsDefender WuMgr GuineaPigVariant
online▸ Win10Pro 2004.19041.746 x64 i5-9400 RAM16GB HDD Firefox85.0 WindowsDefender TRV=2004 WuMgr
May 20, 2019 at 12:41 pm #1707334
PKCano
Manager
If you are running Win XP/7 you should go ahead and install the May updates.
2 users thanked author for this post.
-
May 20, 2019 at 12:56 pm #1707461
GoneToPlaid
AskWoody Plus
I installed the May security-only update on my Win7 production machine. I haven’t seen any additional performance degradation whatsoever.
2 users thanked author for this post.
-
-
May 20, 2019 at 12:50 pm #1707369
StoopidMonkey
AskWoody Plus
If you are running Win XP/7 you should go ahead and install the May updates.
Thanks PKCano! What if we’re running a mixed environment with 7/10/2008R2/2016? Will rolling it out mess with any of those OSes?
-
May 20, 2019 at 2:00 pm #1707856
OscarCP
AskWoody Plus
Not being familiar with the concept in this particular context, I am asking the following questions:
Can this “proof of concept” be weaponized? If it is, then why was this “proof of concept” posted where, I think, anyone can get a copy from? How is a “proof of concept” of a malware concept supposed to work and what else is it for, besides proving that a hypothesized threat can be implemented? Is publishing in this way software as a “proof of concept” of potential malware a normal and accepted thing to do?
Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)
1 user thanked author for this post.
-
May 21, 2019 at 2:30 am #1714350
anonymous
Guest
Can this “proof of concept” be weaponized?
Ask or continue to read Mr. Beaumont’s Twitter account to gain knowledge.
Kaspersky/@oct0xor got Blue Screen with #BlueKeep. The GIF is authentic. Three different researchers at different companies have reached this stage so far. Note this in itself does not allow code execution. pic.twitter.com/EqppV2Xb8D
— Kevin Beaumont (@GossiTheDog) May 20, 2019
How is a “proof of concept” of a malware concept supposed to work and what else is it for, besides proving that a hypothesized threat can be implemented?
I believe you already understand by the nature of your question a proof of concept is supposed to demonstrate the viability of claimed security flaws.
Is publishing in this way software as a “proof of concept” of potential malware a normal and accepted thing to do?
This would be a good question to ask a more informed person directly in this case; as an example, the Spectre speculative execution flaws were responsibly disclosed and then proof of concept code was widely available on GitHub shortly after public disclosure.
-
May 21, 2019 at 12:43 pm #1718628
OscarCP
AskWoody Plus
Anonymous: ”I believe you already understand by the nature of your question a proof of concept is supposed to demonstrate the viability of claimed security flaws.”
That is only the general idea. But I am not familiar with the particulars, that is why I wrote, quoting your quote: “How is a “proof of concept” of a malware concept supposed to work and what else is it for, besides proving that a hypothesized threat can be implemented?” and that is why I am asking these questions.
For all I know, once in possession of said particulars I might just as well conclude that publishing a “proof of concept of the possibility of certain kinds of cyber warfare or criminal attacks” is a great thing to do, or else a terrible and tremendously irresponsible thing to do. Or even something in between.
Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)
-
-
-
May 20, 2019 at 9:30 pm #1712501
Noel Carboni
AskWoody_MVP
Proof of concept publication serves what purpose, exactly?
No one in the world ever thought this exploit up before, then someone did, and now because of the publication of a “proof of concept” (innocent-sounding, eh?) it’s suddenly available for every bad actor in the world to try to use against others?
To what end?
I’m personally protected from this exploit in a number of ways. Even better, I know that I am. What about most folks, who are not sure?
How does it make you feel to wonder whether you may now be vulnerable to any number of terrible people presumably now poking at your computer systems from abroad?
Does it make you feel like taking action that otherwise you might not?
-Noel
-
May 21, 2019 at 4:36 am #1715221
mn–
AskWoody Lounger
In the general case or this specific case?
Back in the day, vulnerability reports often wouldn’t be believed unless there was a proof of concept to show for it. And I mean even if the software vendor would pay attention and issue an update to fix it, getting end users to install that fix…
Or in some cases, having the operating system vendor’s own applications division to approve that update for installing on servers running the high-end applications that were all bought as a single package deal… BTDT, “unapproved patch, configuration is unsupported” …
1 user thanked author for this post.
-
May 21, 2019 at 8:36 am #1716769
warrenrumak
AskWoody Lounger
There are lots of bad people out there, and you can categorize them into two groups:
- Ne’er-do-wells who want tools to attack other people… be it for profit (criminals), subterfuge (government-sponsored spying), industrial espionage (learning your competitors’ trade secrets), or for fun (teenagers, mostly).
- Bumbling business leaders who don’t fully have their heads wrapped around item #1, and allow technical decisions to be made that expose their company to security risks. The only way this lot gets their feet held to the fire, is if the company takes a major public reputational hit…. your typical Board of Directors doesn’t understand side-channel execution attacks, but they do understand bad press.
Unfortunately, the rest of us have to cobble together a sustainable computing experience in a world full of people in both those groups.
Sometimes, the IT & engineering folks need every little bit of help they can get their hands on to convince their bosses that changes are necessary. Easy-to-use proof-of-concept code published on GitHub (a reputable site) is very compelling.
1 user thanked author for this post.
-
May 21, 2019 at 12:17 pm #1718594
Sessh
AskWoody Lounger
Well sure, but posting a PoC code for anyone to get their hands on is what makes #1 a bigger issue or even an issue at all if no one would have thought to do it before. It’s like advertising to the whole neighborhood that the lock on your neighbor’s front door is broken and can be easily opened even when locked. Not only that, but also giving people the tools they need to open that door that have been proven by you to work.
The act of posting a PoC instantly makes the situation worse than it was before. I think that’s the point here. Is there really no other way to accomplish #2 than literally telling everyone in category #1 exactly how to use this code for their malicious ends and giving them the code fully intact? I don’t know, it seems like an extremely flawed way of doing things to me. There’s really no other way? Really?
It’s almost like the method is to convince people that a threat is real and dangerous by deliberately making it real and dangerous. Okay, you don’t want to take it seriously? Well, now we’re going to give the code to anyone that wants it. You going to take it seriously now? It’s an awfully silly way to do things IMO.
5 users thanked author for this post.
-
-
-
May 21, 2019 at 6:48 am #1715946
geekdom
AskWoody Plus
Echo.
– Get Microsoft May patches.
– Turn off remote access.
– Keep anti-virus software up-to-date.
Beta Work {Got backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender TRV=1909 WuMgr
offline▸ Win10Pro 20H2.19042.685 x86 Atom N270 RAM2GB HDD WindowsDefender WuMgr GuineaPigVariant
online▸ Win10Pro 2004.19041.746 x64 i5-9400 RAM16GB HDD Firefox85.0 WindowsDefender TRV=2004 WuMgr
May 21, 2019 at 10:46 am #1717774
GoneToPlaid
AskWoody Plus
Aside from disabling Remote Desktop and disabling Remote Assistance, one should block incoming TCP and UDP connections on port 3389 in their router. If you can’t block 3389 in your router, you can block it in your firewall program. Steve Gibson has a web page which can check that you have port 3389 blocked. See:
https://www.grc.com/port_3389.htm
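Steve Gibson's page tests from the Internet side. A worm that abuses a pre-authentication RDP flaw spreads host to host inside the network, so it is also worth checking from inside the LAN which machines in a mixed 7/10/2008R2/2016 environment still answer on 3389. The following is an added example, not code from this thread or from GRC; it runs on PowerShell 2.0 and later (so on Windows 7 too) and only attempts a TCP connect to port 3389 on each host in a constructed sample list. An open port tells you who exposes RDP, not whether that host is patched. The addresses and names in $sampleHosts are made up.

```powershell
# Added example (not from the AskWoody thread). PowerShell 2.0+ compatible.

function Test-RdpPortOpen {
    # Returns $true if a TCP connection to $Port on $ComputerName completes
    # within $TimeoutMs. Refused or silently dropped connections return $false.
    param(
        [string]$ComputerName,
        [int]$Port = 3389,
        [int]$TimeoutMs = 1500
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A firewall that drops the SYN never answers, so bound the wait.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false
        }
        $client.EndConnect($async)   # throws SocketException on RST (connection refused)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-RdpExposureReport {
    # One row per host: does anything accept TCP connections on 3389?
    param([string[]]$Hosts)
    foreach ($h in $Hosts) {
        New-Object PSObject -Property @{
            Host         = $h
            Rdp3389Open  = (Test-RdpPortOpen -ComputerName $h)
        }
    }
}

# Constructed sample inventory (RFC 5737 test addresses and a made-up name);
# replace with the hosts you actually manage.
$sampleHosts = @('192.0.2.10', '192.0.2.11', 'win7-box.example.test')

Get-RdpExposureReport -Hosts $sampleHosts | Format-Table Host, Rdp3389Open -AutoSize
```

Run it from a workstation on the same LAN segment the Windows 7 and XP machines live on; anything reporting True is reachable by a worm on that segment and belongs at the top of the list for the May update, the firewall rule, or both. Because the check stops at the TCP handshake it does not touch the RDP protocol itself, so it is safe to point at production hosts.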
-
May 21, 2019 at 12:54 pm #1718700
OscarCP
AskWoody Plus
GTP: The site explains why keeping the port wide open is dangerous, but not how to fix it.
An explanation of the latter, particularly how one does it in Windows 7, would be most gratefully appreciated. Thanks in advance for it, as it might also be of interest to more than one person here.
Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)
1 user thanked author for this post.
-
May 21, 2019 at 1:18 pm #1718935
Bluetrix
AskWoody MVP
An explanation of the latter, particularly how one does it in Windows 7, would be most gratefully appreciated.
A simple search as “How to close ports in Windows 7” returned 49,000,400 hits in .58 seconds.
Do a search on Youtube, there are many HOW TO Videos on subject.
1 user thanked author for this post.
-
May 21, 2019 at 6:50 pm #1720873
anonymous
Guest
Oscar, that is a good question. A search would reveal much, but one has to know what sites are respectable.
Check out these two. I hope they help.
How to block ports in Windows
by Martin Brinkmann
https://www.ghacks.net/2017/05/19/how-to-block-ports-in-windows/
How to Block Ports in Windows 7 – video using the Windows firewall
Please follow the –Lounge Rules–
-
May 21, 2019 at 8:44 pm #1721888
OscarCP
AskWoody Plus
Thank you so much, Anonymous and Bluetrix. As usual, of all those tens of thousands of “hits” probably a good many have nothing to do with closing that port, but there will be plenty about “port”, both the nautical term and the fortified wine, the word “in”, the number “7”, and many with “windows” in it (actual house windows, windows of opportunity…), etc. But still there will be many that will seem relevant. So being given the links to, among all those sites, a couple where nobody is waiting in ambush to give misleading advice and lead the unwary to perdition, is a very good and helpful thing to do, and totally appreciated as such.
Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)
-
May 22, 2019 at 12:25 am #1723093
Bluetrix
AskWoody MVP
@oscarcp,
I see your concern. I only showed how easy it was to do a search for the information.
I didn’t offer which ‘hits’ were a port for ships or the best Port Wine in California. The first three results I looked at before posting were about “How to close ports in Windows 7”, just as my search parameters requested.
Are you up to the task of separating the wheat from the chaff and offering AW readers safe and correct advice on “How and why to close ports in Win7”? It could help a lot of people.
Maybe start a Topic on the subject.
1 user thanked author for this post.
-
May 22, 2019 at 5:03 pm #1727666
OscarCP
AskWoody PlusBluetrix,
My answer to your searching question is: “sadly, no.” I won’t pretend for one second to be up to the job of deciding on the worthiness of the advice to be gained online on this issue. So I am thankful to our Anonymous friend ( #1720873 ) for his contribution of those two URL links, and hope to see more like that — as probably may others here, as well.
Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)
-
-
-
May 22, 2019 at 4:21 pm #1727623
GoneToPlaid
AskWoody Plus
Hi OscarCP,
The methods to block incoming ports vary, depending on whether you want to do so in your router, in Windows Firewall, or in a third-party firewall. Some routers, especially routers which are provided by cable companies, won’t allow you to block specific ports (mine won’t). This probably is to reduce support calls to cable companies.
Anyway, what firewall are you using?
Best regards,
–GTP
-
May 22, 2019 at 4:55 pm #1727665
OscarCP
AskWoody Plus
GTP, Thanks for asking:
My firewall is that of the AV WebrootSecureAnywhere. I could also use the Windows 7 one, but have this notion that the AV one is better. Windows itself says it does not mind and is OK with that. Which puts something of an odd twist on the whole thing, does it not? Something your pointed question has now brought up to the surface of my consciousness. And that I am not too happy about.
Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)
-
May 22, 2019 at 5:43 pm #1727878
GoneToPlaid
AskWoody Plus
Hi OscarCP,
I did some Googling, and I don’t see how to block specific ports under the settings for the Webroot SecureAnywhere firewall. Some more Googling reveals that the Webroot SecureAnywhere firewall has to run on top of either Windows Firewall or another third-party firewall! See:
Get Windows Firewall turned back on! Then ask how to either block Remote Desktop Protocol in Windows Firewall or how to block port 3389 in Windows Firewall.
Best regards,
–GTP
1 user thanked author for this post.
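Since the thread leaves the Windows 7 steps to a web search, here is an added example (not GTP's, satrow's or Microsoft's code) that does, in one elevated PowerShell session, what geekdom's checklist and GTP's posts describe: turn off Remote Desktop and Remote Assistance, make sure Windows Firewall is on, disable the built-in "Remote Desktop" allow rules, add explicit inbound block rules for TCP and UDP 3389, and then report whether anything still listens. It assumes Windows 7 SP1 with PowerShell 2.0 or later (the NetSecurity cmdlets do not exist there, hence netsh). The registry values, the netsh syntax and the "Remote Desktop" rule group are standard Windows 7 items; the two block-rule names are my own choice.

```powershell
# Added example (not from the AskWoody thread). Run from an elevated PowerShell
# prompt on Windows 7 SP1; PowerShell 2.0 compatible.

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$raKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
# Rule names are arbitrary; chosen so they are easy to find and remove later.
$blockRules = @{ TCP = 'AskWoody block RDP TCP 3389'; UDP = 'AskWoody block RDP UDP 3389' }

function Disable-RemoteAccess {
    # fDenyTSConnections=1 is what "Don't allow connections to this computer" sets.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
    # fAllowToGetHelp=0 unticks "Allow Remote Assistance connections to this computer".
    Set-ItemProperty -Path $raKey -Name fAllowToGetHelp -Value 0 -Type DWord
}

function Block-RdpPort {
    # Webroot's firewall sits on top of Windows Firewall (see GTP and satrow above),
    # so the native firewall must be on for these rules to mean anything.
    netsh advfirewall set allprofiles state on | Out-Null
    # Turn off the built-in allow rules for Remote Desktop ...
    netsh advfirewall firewall set rule group="Remote Desktop" new enable=no | Out-Null
    # ... and add explicit inbound block rules. In Windows Firewall an explicit
    # block beats any allow rule for the same traffic, so this holds even if
    # something re-enables the allow rule later.
    foreach ($proto in $blockRules.Keys) {
        $name = $blockRules[$proto]
        # Delete first so the script can be re-run without piling up duplicates.
        netsh advfirewall firewall delete rule name="$name" | Out-Null
        netsh advfirewall firewall add rule name="$name" dir=in action=block `
            protocol=$proto localport=3389 profile=any | Out-Null
    }
}

function Test-RdpExposure {
    # Report what an attacker on the network would actually find, rather than
    # trusting that the checkbox did what we think it did.
    $port = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp").PortNumber
    $listening = netstat -ano | Select-String -Pattern ":$port\s+.*LISTENING"
    $deny = (Get-ItemProperty -Path $tsKey).fDenyTSConnections
    $rule = netsh advfirewall firewall show rule name="$($blockRules.TCP)"
    New-Object PSObject -Property @{
        RdpPort          = $port                 # if not 3389, the rules above need this port
        RemoteDesktopOff = ($deny -eq 1)
        StillListening   = [bool]$listening      # service still accepting TCP on the RDP port
        BlockRulePresent = [bool]($rule -match 'Action:\s+Block')
    }
}

Disable-RemoteAccess
Block-RdpPort
Test-RdpExposure | Format-List RdpPort, RemoteDesktopOff, StillListening, BlockRulePresent
```

Two things in the report matter. If RdpPort is anything other than 3389, someone moved the RDP listener and the netsh rules must use that port instead; the GRC test would not catch that either. If StillListening is True after a reboot, the service is still accepting connections despite the Remote Desktop setting, which is exactly why the firewall rule (or the router) is the layer to rely on rather than the checkbox alone. Re-running the script is safe because the block rules are removed before being re-added.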
-
May 22, 2019 at 6:51 pm #1728233
satrow
AskWoody MVP
A lot of modern 3rd party firewalls now work with the default Windows firewall (rules), not instead of it.
Any odd connection problems, enable it, reboot and test the affected software. A previously blocked program should then trigger the native firewall pop-up to ask if you want it to connect and on which network, private or public.
-
May 23, 2019 at 12:05 am #1729751
OscarCP
AskWoody Plus
GTP and Satrow, thanks for your views on this issue of setting up the firewall to stop people snooping, or worse, on me and on my PC through port 3389. At this point I think that what is left is for me to apply the good old experimental method to investigate this question and see what happens when, keeping the AV firewall on, I block that port. And, if necessary, playing around with turning one of the firewalls on or off while doing something with the other (not permanently, of course).
At the moment I am busy with a job I want to finish as soon as possible, mostly because I do not much like it. It’s a necessary thing that makes sense doing, but is not my favorite thing. When I am done I’ll go ahead and do the experimenting.
I also would like to bring your attention to the article that Geo (#1727332 )gave the URL link to, where it says (at least as I read it) that the possible malicious exploit under consideration here, because it is “wormable”, has nothing to do with the RDP. What do you make of that?
Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)
-
-
-
-
-
May 21, 2019 at 11:18 am #1718245
anonymous
Guest
For businesses and government agencies that still pay MS for Windows XP support, MS sent an updated patch that addresses some slowdowns with this patch. It seems MS will not be releasing the re-updated patch to the public. Check with your contact at MS for the re-updated patch for Windows XP.
-
May 21, 2019 at 7:04 pm #1721211
anonymous
Guest
Thanks for the heads up. We were planning to deploy it on our systems. I checked with our MS rep and he said that he did not get a chance to send it out yet since we did not pay. I had to forward the proof that we paid for the next three years. MS is getting worse at sending out notifications since they made us sign the non-disclosure agreement to keep getting Windows XP updates.
How is IE11 running on Windows XP for your clients? It is bugging since last months updates but seems to be running well.
-
-
May 22, 2019 at 9:28 am #1725680
anonymous
Guest
How is IE11 running on Windows XP for your clients? It is bugging since last months updates but seems to be running well.
IE11 is running fine, but some of the apps require IE6, so those systems have Firefox or Chrome installed.
XP running IE11! In what alternate timeline does XP support running any IE version beyond IE8?
If you are a government agency or business that is paying for Windows XP Pro support with payments of $6M or more every year. It is not available to the general public or the XP Home version.
-
-
-
May 22, 2019 at 3:03 pm #1727332
Geo
AskWoody Plus
https://www.scmagazine.com/home/security Some more info mentioned from this site.
3 users thanked author for this post.
-
May 22, 2019 at 5:10 pm #1727667
OscarCP
AskWoody Plus
Quoting from this article (the bold-formatting is mine):
“Microsoft also released a patch for a number of currently unsupported operating systems (Windows 7, Windows 2003, Windows Server 2008 R2, Windows Server 2008 and Windows XP) for CVE-2019-0708 because if properly exploited could allow malware to move from one system to another in the same fashion as WannaCry in 2017.”
“The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017,” Microsoft wrote in its security blog.”
Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)
2 users thanked author for this post.
-
-
-
Copyright © 2004 – 2021 AskWoody Tech LLC. All rights reserved.