There’s now a freely available proof of concept exploit for the “wormable” WinXP/Win7 bug

Topic

New Reply

But it isn’t yet capable of inflicting damage https://twitter.com/GossiTheDog/status/1130425920987303936
[See the full post at: There’s now a freely available proof of concept exploit for the “wormable” WinXP/Win7 bug]

5 users thanked author for this post.

walker, jburk07, Elly, geekdom, abbodi86

Reply | Quote

Replies

Well, you warned us that this vulnerability was apt to be exploited; it’s getting closer.

It probably wouldn’t hurt to keep virus checker definitions up to date.

Carpe Diem {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.674 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1194 x64 i5-9400 RAM16GB HDD Firefox110.0b6 MicrosoftDefender

Reply | Quote

I have disabled Remote Desktop and Remote Assistance through the Win7  System->Advanced System Settings -> Remote settings. Won’t this block the attempt to even connect to a PC using the exploit? Thanks!

 

Reply | Quote

I’ve done that but also have three firewalls blocking all unsolicited incoming. The modem, router, and all computers have the block in place. I’m hoping this is enough until the May update can be installed. I’ve found that rushing into an MS update is not always safe.

 

 

Reply | Quote

I’ve installed the May updates to 50+ Win7 Pro 64 PC’s and 4 2008R2 Production Servers and all is well so far. I’m not one to jump the gun on updates, but when MS releases a fix for XP, it gets my attention.

Reply | Quote

As it stands now, do these patches have known side effects like CPU degradation? I was just about to roll out the April patches but I’m holding off until these are safe and stable.

Reply | Quote

If you are running Win XP/7 you should go ahead and install the May updates.

2 users thanked author for this post.

geekdom, StoopidMonkey

Reply | Quote

I installed the May security only update on my Winy7 production machine. I haven’t seen any additional performance degradation whatsoever.

2 users thanked author for this post.

Lori, Cybertooth

Reply | Quote

PKCano wrote:

If you are running Win XP/7 you should go ahead and install the May updates.

Thanks PKCano! What if we’re running a mixed environment with 7/10/2008R2/2016? Will rolling it out mess with any of those OS’s?

Reply | Quote

I have updated Win10 1803 and 1809 without a problem. That’s just my experience.
Suggest you read through the reports about Patch Tues and DEFCON for your situation. I think McAfee and Sophos are still having problems with patches.

Reply | Quote

Not being familiar with the concept in this particular context, I am asking the following questions:

Can this “proof of concept” be weaponized? If it is, then why was this “proof of concept” posted where, I think, anyone can get a copy from? How is a “proof of concept” of a malware concept supposed to work and what else is it for, besides proving that a hypothesized threat can be implemented? Is publishing in this way software as a “proof of concept” of potential malware a normal and accepted thing to do?

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

1 user thanked author for this post.

StoopidMonkey

Reply | Quote

Can this “proof of concept” be weaponized?

Ask or continue to read Mr. Beaumont’s Twitter account to gain knowledge.

https://twitter.com/GossiTheDog/status/1130541773783228417

How is a “proof of concept” of a malware concept supposed to work and what else is it for, besides proving that a hypothesized threat can be implemented?

I believe you already understand by the nature of your question a proof of concept is supposed to demonstrate the viability of claimed security flaws.

Is publishing in this way software as a “proof of concept” of potential malware a normal and accepted thing to do?

This would be a good question to directly ask a more informed person in this case; As an example, the Spectre speculative execution flaws were responsibly disclosed and then proof of concept code was widely available on Github shortly after public disclosure.

Reply | Quote

Anonymous: ” I believe you already understand by the nature of your question a proof of concept is supposed to demonstrate the viability of claimed security flaws.”

That is only the general idea. But I am not familiar with the particulars, that is why I wrote, quoting your quote: “How is a “proof of concept” of a malware concept supposed to work and what else is it for, besides proving that a hypothesized threat can be implemented?” and that is why I am asking these questions.

For all I know, once in possession of said particulars I might just as well conclude that publishing a “proof of concept of the possibility of certain kinds of cyber warfare or criminal attacks” is a great thing to do, or else a terrible and tremendously irresponsible thing to do. Or even something in between.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

Proof of concept publication serves what purpose, exactly?

No one in the world ever thought this exploit up before, then someone did, and now because of the publication of a “proof of concept” (innocent-sounding, eh?) it’s suddenly available for every bad actor in the world to try to use against others?

To what end?

I’m personally protected from this exploit in a number of ways. Even better, I know that I am. What about most folks, who are not sure?

How does it make you feel to wonder whether you may now be vulnerable to any number of terrible people presumably now poking at your computer systems from abroad?

Does it make you feel like taking action that otherwise you might not?

-Noel

5 users thanked author for this post.

Lori, jburk07, satrow, OscarCP, Sessh

Reply | Quote

In the general case or this specific case?

Back in the day, vulnerability reports often wouldn’t be believed unless there was a proof of concept to show for it. And I mean even, if the software vendor would pay attention and issue an update to fix it, getting end users to install that fix…

Or in some cases, having the operating system vendor’s own applications division to approve that update for installing on servers running the high-end applications that were all bought as a single package deal… BTDT, “unapproved patch, configuration is unsupported” …

1 user thanked author for this post.

OscarCP

Reply | Quote

There are lots of bad people out there, and you can categorize them into two groups:

1. Ne’er-do-wells who want tools to attack other people… be it for profit (criminals), subterfuge (government-sponsored spying), industrial espionage (learning your competitors’ trade secrets), or for fun (teenagers, mostly).
2. Bumbling  business leaders who don’t fully have their heads wrapped around item #1, and allow technical decisions to be made that expose their company to security risks.  The only way this lot gets their feet held to the fire, is if the company takes a major public reputational hit…. your typical Board of Directors doesn’t understand side-channel execution attacks, but they do understand bad press.

Unfortunately, the rest of us have to cobble together a sustainable computing experience in a world full of people in both those groups.

Sometimes, the IT & engineering folks need every little bit of help they can get their hands on to convince their bosses that changes are necessary.  Easy-to-use proof-of-concept code published on GitHub (a reputable site) is very compelling.

 

1 user thanked author for this post.

OscarCP

Reply | Quote

Well sure, but posting a PoC code for anyone to get their hands on is what makes #1 a bigger issue or even an issue at all if no one would have thought to do it before. It’s like advertising to the whole neighborhood that the lock on your neighbor’s front door is broken and can be easily opened even when locked. Not only that, but also giving people the tools they need to open that door that have been proven by you to work.

The act of posting a PoC instantly makes the situation worse than it was before. I think that’s the point here. Is there really no other way to accomplish #2 than literally telling everyone in category #1 exactly how to use this code for their malicious ends and giving them the code fully intact? I don’t know, it seems like an extremely flawed way of doing things to me. There’s really no other way? Really?

It’s almost like the method is to convince people that a threat is real and dangerous by deliberately making it real and dangerous. Okay, you don’t want to take it seriously? Well, now we’re going to give the code to anyone that wants it. You going to take it seriously now? It’s an awfully silly way to do things IMO.

5 users thanked author for this post.

Noel Carboni, jburk07, SueW, OscarCP, Cybertooth

Reply | Quote

Category No. 3: Unfriendly nation states.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

To imply that a modern tech company would ignore a proven security threat unless Proof Of Concept code is published publicly is not really a reasonable position. Companies take such security threats very seriously.

What other justification might there be for such publication?

-Noel

Reply | Quote

Echo.

– Get Microsoft May patches.
– Turn off remote access.
– Keep anti-virus software up-to-date.

Carpe Diem {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.674 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1194 x64 i5-9400 RAM16GB HDD Firefox110.0b6 MicrosoftDefender

4 users thanked author for this post.

Lori, jburk07, SueW, Myst

Reply | Quote

Aside from disabling Remote Desktop and disabling Remote Assistance, one should block incoming TCP and UDP connections on port 3389 in their router. If you can’t block 3389 in your router, you can block it in your firewall program. Steve Gibson has a web page which can check that you have port 3389 blocked. See:

https://www.grc.com/port_3389.htm

 

6 users thanked author for this post.

Lori, jburk07, SueW, lmacri, OscarCP, Cybertooth

Reply | Quote

GTP: The site explains why keeping the port wide open is dangerous, but not how to fix it.

An explanation of the latter, particularly how one does it in Windows 7, would be most gratefully appreciated. Thanks in advance for it, as it might also be of interest to more than one person here.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

1 user thanked author for this post.

fernlady

Reply | Quote

OscarCP wrote:

An explanation of the latter, particularly how one does it in Windows 7, would be most gratefully appreciated.

A simple search as  “How to close ports in Windows 7” returned 49,000,400 hits in .58 seconds.

Do a search on Youtube, there are many HOW TO Videos on subject.

1 user thanked author for this post.

OscarCP

Reply | Quote

Oscar, that is a good question. A search would reveal much, but one has to know what sites are respectable.

Check out these two. I hope they help.

How to block ports in Windows
by Martin Brinkmann
https://www.ghacks.net/2017/05/19/how-to-block-ports-in-windows/

How to Block Ports in Windows 7 – video using the windows firewall
https://www.youtube.com/watch?v=KA8BIshUcXw

Please follow the –Lounge Rules–

4 users thanked author for this post.

Lori, Myst, jburk07, OscarCP

Reply | Quote

Thank you so much, Anonymous and Bluetrix. As usual, of all those tens of thousands of “hits” probably a good many have nothing to do with closing that port, but there will be plenty about “port”, both the nautical term and the fortified wine, the word “in”, the number “7”, and many with “windows” in it (actual house windows, windows of opportunity…), etc. But still there will be many that will seem relevant.  So being given the links to, among all those sites, a couple where nobody is waiting in ambush to give misleading advice and lead the unwary to perdition, is a very good and helpful thing to do, and totally appreciated as such.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

@oscarcp,
I see your concern. I only showed how easy it was to do a search for the information.
I didn’t offer which ‘hits’ were a port for ships or the best Port Wine in California.

The 1st three results I looked at before posting were about “How to close ports in Windows 7”, just as my search parameters requested.

Are you up to the task of separating the wheat from chaff and offer AW readers safe and correct advice on “How and why to close ports in Win7”, it could help a lot of people.

Maybe start a Topic on the subject.

1 user thanked author for this post.

Myst

Reply | Quote

Bluetrix,

My answer to your searching question is: “sadly, no.” I won’t pretend for one second to be up to the job of deciding on the worthiness of the advice to be gained online on this issue. So I am thankful to our Anonymous friend ( #1720873 ) for his contribution of those two URL links, and hope to see more like that — as probably may others here, as well.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

Hi OscarCP,

The methods to block incoming ports varies, depending on on whether you want to do so in your router, or depending on whether you want to do so in Windows Firewall or in a third party firewall. Some routers, especially routers which are provided by cable companies, won’t allow you to block specific ports (mine won’t). This probably is to reduce support calls to cable companies.

Anyway, what firewall are you using?

Best regards,

–GTP

 

3 users thanked author for this post.

Lori, Myst, Bluetrix

Reply | Quote

GTP, Thanks for asking:

My firewall is that of the AV WebrootSecureAnywhere. I could also use the Windows 7 one, but have this notion that the AV one is better. Windows itself says it does not mind and is OK with that. Which puts something of an odd twist on the whole thing, does it not? Something your pointed question has now brought up to the surface of my consciousness. And that I am not too happy about.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

Hi OscarCP,

I did some Googling, and I don’t see how to block specific ports under the settings for the Webroot SecureAnywhere firewall. Some more Googling reveals that Webroot SecureAnywhere firewall has to run on top of either Windows Firewall or another third party firewall! See:

https://community.webroot.com/webroot-secureanywhere-internet-security-plus-13/windows-firewall-and-webroot-firewall-254759#post292617

Get Windows Firewall turned back on! Then ask how to either block Remote Desktop Protocol in Windows Firewall or how to block port 3389 in Windows Firewall.

Best regards,

–GTP

 

1 user thanked author for this post.

OscarCP

Reply | Quote

A lot of modern 3rd party firewalls now work with the default Windows firewall (rules), not instead of it.

Any odd connection problems, enable it, reboot and test the affected software. A previously blocked program should then trigger the native firewall pop-up to ask if you want it to connect and on which network, private or public.

6 users thanked author for this post.

jburk07, woody, Lori, Elly, Myst, OscarCP

Reply | Quote

GTP and Satrow, thanks for your views on this issue of setting up the firewall to stop people snooping, or worse, on me and on my PC through port 3389. At this point I think that what is left is for me to apply the good old experimental method to investigate this question and see what happens when, keeping the AV firewall on, I block that port. And, if necessary, playing around with turning one of the firewalls on or off while doing something with the other (not permanently, of course).

At the moment I  am busy with a job I want to finish as soon as possible, mostly because I do not much like it. It’s a necessary thing that makes sense doing, but is not my favorite thing. When I am done I’ll go ahead and do the experimenting.

I also would like to bring your attention to the article that Geo (#1727332 )gave the URL link to, where it says (at least as I read it) that the possible malicious exploit under consideration here, because it is “wormable”, has nothing to do with the RDP. What do you make of that?

 

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

For business and governments companies that still pay MS for Windows Xp support, MS sent an update patch that address some slow downs with this patch. It seems MS will not releasing the re-updated patch to the public. Check with your contact at MS for the re-updated patch for Windows Xp.

Reply | Quote

Thanks for the heads up. We were planning to deploy on our system. I check with our MS rep and he said that he did not get a chance to sent it out yet since we did not pay. I had to forward the proof that we paid for the next three years. MS is getting worse with sending out notifications since they made us sign the non-disclosure agreement to keep getting Windows Xp Updates.

How is IE11 running on Windows XP for your clients? It is bugging since last months updates but seems to be running well.

Reply | Quote

XP running IE11! In what alternate timeline does XP support running any IE Version beyond IE8?

Reply | Quote

How is IE11 running on Windows XP for your clients? It is bugging since last months updates but seems to be running well.

IE11 is running fine but some of apps require IE6 so those system have firefox or chrome installed.

XP running IE11! In what alternate timeline does XP support running any IE Version beyond IE8?

If you are government agency or businesses that are paying for Windows XP Pro support with payments of $6M or more every year. It is not available for the general public of XP home version.

Reply | Quote

https://www.scmagazine.com/home/security Some more info mentioned from this site.

3 users thanked author for this post.

Lori, OscarCP, Cybertooth

Reply | Quote

Quoting from this article (the bold-formatting is mine):

“Microsoft also released a patch for a number of currently unsupported operating systems (Windows 7, Windows 2003, Windows Server 2008 R2, Windows Server 2008 and Windows XP) for CVE-2019-0708 because if properly exploited could allow malware to move from one system to another in the same fashion as WannaCry in 2017.”

“The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017,” Microsoft wrote in its security blog.”

 

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

2 users thanked author for this post.

Myst, Cybertooth

Reply | Quote