  • There’s now a freely available proof of concept exploit for the “wormable” WinXP/Win7 bug


    This topic contains 37 replies, has 17 voices, and was last updated by  Noel Carboni 5 months, 2 weeks ago.

    • #1705055 Reply

      woody
      Da Boss
    • #1705448 Reply

      geekdom
      AskWoody Plus

      Well, you warned us that this vulnerability was apt to be exploited; it’s getting closer.

      It probably wouldn’t hurt to keep virus checker definitions up to date.

      Group G{ot backup} TestBeta On hiatus.
      Win7Pro · x64 · SP1 · i3-3220 · RAM 8GB · Firefox: uBlock Origin - NoScript · HDD · Canon Printer · Microsoft Security Essentials · Windows: Backup - System Image - Rescue Disk - Firewall
    • #1705870 Reply

      VVet69
      AskWoody Plus

      I have disabled Remote Desktop and Remote Assistance through the Win7 System -> Advanced System Settings -> Remote settings. Won’t this block the attempt to even connect to a PC using the exploit? Thanks!

    • #1706648 Reply

      Arctic.Eddie
      AskWoody Lounger

      I’ve done that but also have three firewalls blocking all unsolicited incoming. The modem, router, and all computers have the block in place. I’m hoping this is enough until the May update can be installed. I’ve found that rushing into an MS update is not always safe.


      • #1707324 Reply

        jagshemash
        AskWoody Lounger

        I’ve installed the May updates to 50+ Win7 Pro 64 PCs and four 2008R2 production servers and all is well so far. I’m not one to jump the gun on updates, but when MS releases a fix for XP, it gets my attention.

    • #1707331 Reply

      StoopidMonkey
      AskWoody Plus

      As it stands now, do these patches have known side effects like CPU degradation? I was just about to roll out the April patches but I’m holding off until these are safe and stable.

      • #1707334 Reply

        PKCano
        Da Boss

        If you are running Win XP/7 you should go ahead and install the May updates.

        2 users thanked author for this post.
      • #1707461 Reply

        GoneToPlaid
        AskWoody Plus

        I installed the May security-only update on my Win7 production machine. I haven’t seen any additional performance degradation whatsoever.

        2 users thanked author for this post.
    • #1707369 Reply

      StoopidMonkey
      AskWoody Plus

      PKCano: “If you are running Win XP/7 you should go ahead and install the May updates.”

      Thanks PKCano! What if we’re running a mixed environment with 7/10/2008R2/2016? Will rolling it out mess with any of those OS’s?

      • #1707463 Reply

        PKCano
        Da Boss

        I have updated Win10 1803 and 1809 without a problem. That’s just my experience.
        Suggest you read through the reports about Patch Tues and DEFCON for your situation. I think McAfee and Sophos are still having problems with patches.

    • #1707856 Reply

      OscarCP
      AskWoody Plus

      Not being familiar with the concept in this particular context, I am asking the following questions:

      Can this “proof of concept” be weaponized? If it is, then why was this “proof of concept” posted where, I think, anyone can get a copy from? How is a “proof of concept” of a malware concept supposed to work and what else is it for, besides proving that a hypothesized threat can be implemented? Is publishing software in this way, as a “proof of concept” of potential malware, a normal and accepted thing to do?

      Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W(?) + Mac&Lx

      1 user thanked author for this post.
      • #1714350 Reply

        anonymous

        OscarCP: “Can this “proof of concept” be weaponized?”

        Ask or continue to read Mr. Beaumont’s Twitter account to gain knowledge.

        OscarCP: “How is a “proof of concept” of a malware concept supposed to work and what else is it for, besides proving that a hypothesized threat can be implemented?”

        I believe you already understand by the nature of your question a proof of concept is supposed to demonstrate the viability of claimed security flaws.

        OscarCP: “Is publishing software in this way as a “proof of concept” of potential malware a normal and accepted thing to do?”

        This would be a good question to directly ask a more informed person in this case. As an example, the Spectre speculative execution flaws were responsibly disclosed and then proof of concept code was widely available on GitHub shortly after public disclosure.

        • #1718628 Reply

          OscarCP
          AskWoody Plus

          Anonymous: “I believe you already understand by the nature of your question a proof of concept is supposed to demonstrate the viability of claimed security flaws.”

          That is only the general idea. But I am not familiar with the particulars, that is why I wrote, quoting your quote: “How is a “proof of concept” of a malware concept supposed to work and what else is it for, besides proving that a hypothesized threat can be implemented?” and that is why I am asking these questions.

          For all I know, once in possession of said particulars I might just as well conclude that publishing a “proof of concept of the possibility of certain kinds of cyber warfare or criminal attacks” is a great thing to do, or else a terrible and tremendously irresponsible thing to do. Or even something in between.

          Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W(?) + Mac&Lx

    • #1712501 Reply

      Noel Carboni
      AskWoody_MVP

      Proof of concept publication serves what purpose, exactly?

      No one in the world ever thought this exploit up before, then someone did, and now because of the publication of a “proof of concept” (innocent-sounding, eh?) it’s suddenly available for every bad actor in the world to try to use against others?

      To what end?

      I’m personally protected from this exploit in a number of ways. Even better, I know that I am. What about most folks, who are not sure?

      How does it make you feel to wonder whether you may now be vulnerable to any number of terrible people presumably now poking at your computer systems from abroad?

      Does it make you feel like taking action that otherwise you might not?

      -Noel

      5 users thanked author for this post.
      • #1715221 Reply

        mn–
        AskWoody Lounger

        In the general case or this specific case?

        Back in the day, vulnerability reports often wouldn’t be believed unless there was a proof of concept to show for it. And I mean, even if the software vendor would pay attention and issue an update to fix it, getting end users to install that fix…

        Or in some cases, having the operating system vendor’s own applications division to approve that update for installing on servers running the high-end applications that were all bought as a single package deal… BTDT, “unapproved patch, configuration is unsupported” …

        1 user thanked author for this post.
      • #1716769 Reply

        warrenrumak
        AskWoody Plus

        There are lots of bad people out there, and you can categorize them into two groups:

        1. Ne’er-do-wells who want tools to attack other people… be it for profit (criminals), subterfuge (government-sponsored spying), industrial espionage (learning your competitors’ trade secrets), or for fun (teenagers, mostly).
        2. Bumbling business leaders who don’t fully have their heads wrapped around item #1, and allow technical decisions to be made that expose their company to security risks. The only way this lot gets their feet held to the fire is if the company takes a major public reputational hit… your typical Board of Directors doesn’t understand side-channel execution attacks, but they do understand bad press.

        Unfortunately, the rest of us have to cobble together a sustainable computing experience in a world full of people in both those groups.

        Sometimes, the IT & engineering folks need every little bit of help they can get their hands on to convince their bosses that changes are necessary.  Easy-to-use proof-of-concept code published on GitHub (a reputable site) is very compelling.

        1 user thanked author for this post.
        • #1718594 Reply

          Sessh
          AskWoody Lounger

          Well sure, but posting PoC code for anyone to get their hands on is what makes #1 a bigger issue, or even an issue at all if no one would have thought to do it before. It’s like advertising to the whole neighborhood that the lock on your neighbor’s front door is broken and can be easily opened even when locked. Not only that, but also giving people the tools they need to open that door, tools that have been proven by you to work.

          The act of posting a PoC instantly makes the situation worse than it was before. I think that’s the point here. Is there really no other way to accomplish #2 than literally telling everyone in category #1 exactly how to use this code for their malicious ends and giving them the code fully intact? I don’t know, it seems like an extremely flawed way of doing things to me. There’s really no other way? Really?

          It’s almost like the method is to convince people that a threat is real and dangerous by deliberately making it real and dangerous. Okay, you don’t want to take it seriously? Well, now we’re going to give the code to anyone that wants it. You going to take it seriously now? It’s an awfully silly way to do things IMO.

          5 users thanked author for this post.
        • #1718631 Reply

          OscarCP
          AskWoody Plus

          Category No. 3: Unfriendly nation states.

          Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W(?) + Mac&Lx

        • #1752383 Reply

          Noel Carboni
          AskWoody_MVP

          To imply that a modern tech company would ignore a proven security threat unless Proof Of Concept code is published publicly is not really a reasonable position. Companies take such security threats very seriously.

          What other justification might there be for such publication?

          -Noel

    • #1715946 Reply

      geekdom
      AskWoody Plus

      Echo.

      – Get Microsoft May patches.
      – Turn off remote access.
      – Keep anti-virus software up-to-date.

      Group G{ot backup} TestBeta On hiatus.
      Win7Pro · x64 · SP1 · i3-3220 · RAM 8GB · Firefox: uBlock Origin - NoScript · HDD · Canon Printer · Microsoft Security Essentials · Windows: Backup - System Image - Rescue Disk - Firewall
      4 users thanked author for this post.
    • #1717774 Reply

      GoneToPlaid
      AskWoody Plus

      Aside from disabling Remote Desktop and disabling Remote Assistance, one should block incoming TCP and UDP connections on port 3389 in their router. If you can’t block 3389 in your router, you can block it in your firewall program. Steve Gibson has a web page which can check that you have port 3389 blocked. See:

      https://www.grc.com/port_3389.htm

      6 users thanked author for this post.
      • #1718700 Reply

        OscarCP
        AskWoody Plus

        GTP: The site explains why keeping the port wide open is dangerous, but not how to fix it.

        An explanation of the latter, particularly how one does it in Windows 7, would be most gratefully appreciated. Thanks in advance for it, as it might also be of interest to more than one person here.

        Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W(?) + Mac&Lx

        1 user thanked author for this post.
        • #1718935 Reply

          Bluetrix
          AskWoody MVP

          OscarCP: “An explanation of the latter, particularly how one does it in Windows 7, would be most gratefully appreciated.”

          A simple search as  “How to close ports in Windows 7” returned 49,000,400 hits in .58 seconds.

          Do a search on Youtube, there are many HOW TO Videos on subject.

          Windows10 Home 1809 | Mint19 on VM

          1 user thanked author for this post.
        • #1720873 Reply

          anonymous

          Oscar, that is a good question. A search would reveal much, but one has to know what sites are respectable.

          Check out these two. I hope they help.

          How to block ports in Windows
          by Martin Brinkmann
          https://www.ghacks.net/2017/05/19/how-to-block-ports-in-windows/

          How to Block Ports in Windows 7 – video using the windows firewall

          4 users thanked author for this post.
          • #1721888 Reply

            OscarCP
            AskWoody Plus

            Thank you so much, Anonymous and Bluetrix. As usual, of all those tens of thousands of “hits” probably a good many have nothing to do with closing that port, but there will be plenty about “port”, both the nautical term and the fortified wine, the word “in”, the number “7”, and many with “windows” in it (actual house windows, windows of opportunity…), etc. But still there will be many that will seem relevant.  So being given the links to, among all those sites, a couple where nobody is waiting in ambush to give misleading advice and lead the unwary to perdition, is a very good and helpful thing to do, and totally appreciated as such.

            Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W(?) + Mac&Lx

            • #1723093 Reply

              Bluetrix
              AskWoody MVP

              @oscarcp,
              I see your concern. I only showed how easy it was to do a search for the information.
              I didn’t offer which ‘hits’ were a port for ships or the best Port Wine in California.

              The 1st three results I looked at before posting were about “How to close ports in Windows 7”, just as my search parameters requested.

              Are you up to the task of separating the wheat from the chaff and offering AW readers safe and correct advice on “How and why to close ports in Win7”? It could help a lot of people.

              Maybe start a Topic on the subject.

              Windows10 Home 1809 | Mint19 on VM

              1 user thanked author for this post.
            • #1727666 Reply

              OscarCP
              AskWoody Plus

              Bluetrix,

              My answer to your searching question is: “sadly, no.” I won’t pretend for one second to be up to the job of deciding on the worthiness of the advice to be gained online on this issue. So I am thankful to our Anonymous friend ( #1720873 ) for his contribution of those two URL links, and hope to see more like that — as probably may others here, as well.

              Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W(?) + Mac&Lx

        • #1727623 Reply

          GoneToPlaid
          AskWoody Plus

          Hi OscarCP,

          The methods to block incoming ports vary, depending on whether you want to do so in your router, or whether you want to do so in Windows Firewall or in a third party firewall. Some routers, especially routers which are provided by cable companies, won’t allow you to block specific ports (mine won’t). This probably is to reduce support calls to cable companies.

          Anyway, what firewall are you using?

          Best regards,

          –GTP

          3 users thanked author for this post.
          • #1727665 Reply

            OscarCP
            AskWoody Plus

            GTP, Thanks for asking:

            My firewall is that of the AV WebrootSecureAnywhere. I could also use the Windows 7 one, but have this notion that the AV one is better. Windows itself says it does not mind and is OK with that. Which puts something of an odd twist on the whole thing, does it not? Something your pointed question has now brought up to the surface of my consciousness. And that I am not too happy about.

            Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W(?) + Mac&Lx

            • #1727878 Reply

              GoneToPlaid
              AskWoody Plus

              Hi OscarCP,

              I did some Googling, and I don’t see how to block specific ports under the settings for the Webroot SecureAnywhere firewall. Some more Googling reveals that Webroot SecureAnywhere firewall has to run on top of either Windows Firewall or another third party firewall! See:

              https://community.webroot.com/webroot-secureanywhere-internet-security-plus-13/windows-firewall-and-webroot-firewall-254759#post292617

              Get Windows Firewall turned back on! Then ask how to either block Remote Desktop Protocol in Windows Firewall or how to block port 3389 in Windows Firewall.

              Best regards,

              –GTP

              1 user thanked author for this post.
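A worked example, added here by the editor and not code from the AskWoody thread or from Microsoft, that does on Windows 7 what geekdom’s three-line checklist, GoneToPlaid’s port-3389 advice and GTP’s “get Windows Firewall turned back on, then block 3389” suggestion describe, using only what Win7 SP1 ships with (PowerShell 2.0, the registry provider, netstat and netsh advfirewall; the New-NetFirewallRule cmdlets only exist from Windows 8 onward). Background the example relies on: CVE-2019-0708 is in Remote Desktop Services, the service that listens on TCP 3389, in a code path reached before authentication, so turning the service off, requiring Network Level Authentication, and blocking the port inbound each cut the attack path. Assumptions labelled in the code: the May 2019 Win7 fix is recognised as KB4499164 (Monthly Rollup) or KB4499175 (Security-only), which you should confirm against the Microsoft Update Catalog, and the firewall rule name is made up for this example.

```powershell
# Added example (editor's code, not from AskWoody or Microsoft).
# Audit, then harden, a Windows 7 SP1 host's exposure to CVE-2019-0708.
# Run from an elevated PowerShell prompt.

$tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey   = "$tsKey\WinStations\RDP-Tcp"
# Assumption: May 2019 Win7 packages; verify in the Microsoft Update Catalog.
$fixKBs   = @('KB4499164', 'KB4499175')
# Assumption: rule name chosen for this example.
$ruleName = 'Block RDP 3389 inbound'

function Get-RdpExposure {
    # fDenyTSConnections=1 is what the System Properties > Remote checkbox sets.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication=1 requires Network Level Authentication, so an
    # unauthenticated client never reaches the vulnerable pre-auth code path.
    $nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # Is anything listening on 3389 right now (IPv4 or IPv6)?
    $listening = [bool](netstat -an | Select-String -Pattern ':3389\s+\S+\s+LISTENING')
    # Has either May 2019 package been installed?
    $patched = [bool](Get-HotFix | Where-Object { $fixKBs -contains $_.HotFixID })
    # Is Windows Firewall off for any profile (domain, private, public)?
    $fwOff = [bool](netsh advfirewall show allprofiles state | Select-String -Pattern 'State\s+OFF')

    New-Object PSObject -Property @{
        RemoteDesktopDisabled = ($deny -eq 1)
        NlaRequired           = ($nla -eq 1)
        ListeningOn3389       = $listening
        MayPatchInstalled     = $patched
        AnyFirewallProfileOff = $fwOff
    }
}

function Set-RdpHardening {
    # 1. Turn Remote Desktop off (same effect as unticking the checkbox).
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
    # 2. Require NLA anyway, in case someone turns RDP back on later.
    #    Microsoft lists NLA as a partial mitigation only: a client that
    #    already holds valid credentials can still reach the bug.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    # 3. Windows Firewall on for every profile, then an explicit inbound block
    #    on 3389 for TCP and UDP. Writing the registry flag alone does not
    #    touch the built-in "Remote Desktop" allow rules, and a block rule
    #    takes precedence over an allow rule in Windows Firewall.
    netsh advfirewall set allprofiles state on | Out-Null
    netsh advfirewall firewall delete rule name="$ruleName" | Out-Null
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=3389 | Out-Null
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=UDP localport=3389 | Out-Null
}

# Typical use: audit, harden, audit again.
Get-RdpExposure | Format-List
Set-RdpHardening
Get-RdpExposure | Format-List
```

Two caveats a practitioner would want. First, step 3 re-enables Windows Firewall even if a third-party product such as the Webroot firewall discussed above has switched it off; as satrow notes, most current third-party firewalls sit on top of the Windows rules rather than replacing them, so expect the native prompt the first time a previously blocked program connects. Second, the host-level rule says nothing about what your router or cable modem forwards, so the GRC port-3389 check GoneToPlaid linked is still the right way to confirm the port is closed from the outside.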
            • #1728233 Reply

              satrow
              AskWoody MVP

              A lot of modern 3rd party firewalls now work with the default Windows firewall (rules), not instead of it.

              Any odd connection problems, enable it, reboot and test the affected software. A previously blocked program should then trigger the native firewall pop-up to ask if you want it to connect and on which network, private or public.

              6 users thanked author for this post.
            • #1729751 Reply

              OscarCP
              AskWoody Plus

              GTP and Satrow, thanks for your views on this issue of setting up the firewall to stop people snooping, or worse, on me and on my PC through port 3389. At this point I think that what is left is for me to apply the good old experimental method to investigate this question and see what happens when, keeping the AV firewall on, I block that port. And, if necessary, playing around with turning one of the firewalls on or off while doing something with the other (not permanently, of course).

              At the moment I  am busy with a job I want to finish as soon as possible, mostly because I do not much like it. It’s a necessary thing that makes sense doing, but is not my favorite thing. When I am done I’ll go ahead and do the experimenting.

              I also would like to bring your attention to the article that Geo (#1727332) gave the URL link to, where it says (at least as I read it) that the possible malicious exploit under consideration here, because it is “wormable”, has nothing to do with the RDP. What do you make of that?

              Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W(?) + Mac&Lx

    • #1718245 Reply

      anonymous

      For businesses and government agencies that still pay MS for Windows XP support, MS sent an update patch that addresses some slowdowns with this patch. It seems MS will not be releasing the re-updated patch to the public. Check with your contact at MS for the re-updated patch for Windows XP.

      • #1721211 Reply

        anonymous

        Thanks for the heads up. We were planning to deploy on our system. I checked with our MS rep and he said that he did not get a chance to send it out yet since we did not pay. I had to forward the proof that we paid for the next three years. MS is getting worse with sending out notifications since they made us sign the non-disclosure agreement to keep getting Windows XP updates.

        How is IE11 running on Windows XP for your clients? It has been buggy since last month’s updates but seems to be running well.

        • #1721889 Reply

          anonymous

          XP running IE11! In what alternate timeline does XP support running any IE Version beyond IE8?

        • #1725680 Reply

          anonymous

          Anonymous: “How is IE11 running on Windows XP for your clients? It has been buggy since last month’s updates but seems to be running well.”

          IE11 is running fine, but some apps require IE6, so those systems have Firefox or Chrome installed.

          Anonymous: “XP running IE11! In what alternate timeline does XP support running any IE Version beyond IE8?”

          If you are a government agency or business that is paying for Windows XP Pro support with payments of $6M or more every year. It is not available to the general public or for the XP Home version.

    • #1727332 Reply

      Geo
      AskWoody Plus

      Some more info is mentioned on this site: https://www.scmagazine.com/home/security

      3 users thanked author for this post.
      • #1727667 Reply

        OscarCP
        AskWoody Plus

        Quoting from this article (the bold formatting is mine):

        “Microsoft also released a patch for a number of currently unsupported operating systems (Windows 7, Windows 2003, Windows Server 2008 R2, Windows Server 2008 and Windows XP) for CVE-2019-0708 because if properly exploited could allow malware to move from one system to another in the same fashion as WannaCry in 2017.”

        “‘The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017,’ Microsoft wrote in its security blog.”

        Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W(?) + Mac&Lx

        2 users thanked author for this post.
