• Windows security hole allows attackers to install malware via Wi-Fi


    #2680696

    The vulnerability affects all modern versions of Windows and Windows Server.

    https://www.tomshardware.com/software/windows/windows-security-hole-allows-attackers-to-install-malware-via-wi-fi-new-patch-plugs-gaping-vulnerability

    [Moderator edit] moved to new forum

    8 users thanked author for this post.
    • #2680780

      Microsoft acknowledges there were no known active exploits

      Microsoft considers exploitation of the vulnerability “less likely,”

      The patch eliminating the security vulnerability was released on June 11.

      1 user thanked author for this post.
    • #2680823

      The vulnerability affects all modern versions of Windows and Windows Server.

      https://www.tomshardware.com/software/windows/windows-security-hole-allows-attackers-to-install-malware-via-wi-fi-new-patch-plugs-gaping-vulnerability

      [Moderator edit] moved to new forum

      Shalom,
      What is Ask Woody’s recommendation? Is this exempt from Defcon 2?
      thanks,
      laksi

      • #2680855

        No. Master Patch List says Defer for June’s Cumulative Updates.

        1 user thanked author for this post.
      • #2680858
        1 user thanked author for this post.
      • #2680983

        Stay tuned Monday morning for my official take.

        I’ll give a hint.  Do you connect to wifi in a coffee shop?  Then you should worry.  (you should worry in general doing it).  Do you connect to your OWN wifi?  Attackers have to be on the SAME network before they can attack you.

        So unless you don’t trust your wife or your husband, you are fine.

        Susan Bradley Patch Lady/Prudent patcher

        3 users thanked author for this post.
        • #2681040

          Or your kids!

          cheers, Paul

          2 users thanked author for this post.
        • #2683004

          Susan, do you expect to publish something today on this?

          Thanks as always,

          Steve

        • #2683058

          Attackers have to be on the SAME network before they can attack you.

          That seems an unlikely prerequisite from the descriptions:

          Obviously, the target would need to be in Wi-Fi range of the attacker and using a Wi-Fi adapter, but that’s the only restriction.

          https://www.zerodayinitiative.com/blog/2024/6/11/the-june-2024-security-update-review

          When the victim’s computer scans Wi-Fi networks and encounters the attacker’s SSID, the code is remotely executed on the victim’s system.

          https://www.cve.news/cve-2024-30078/

          1 user thanked author for this post.
          • #2683098

            Attackers have to be on the SAME network before they can attack you.

            That seems an unlikely prerequisite

            It seems an absolute prerequisite in my experience. “2. Avoid connecting to suspicious networks: As tempting as it may be to join open networks, avoid them if you’re unfamiliar with the source.”

            My laptop is connected to my home network via WiFi.  Being connected, it is not scanning for WiFi signals; it’s already connected.  I would literally have to uncheck “Connect automatically” from my network credentials, then disconnect from my home network before my laptop would even try to scan for WiFi signals.

            In order for the exploit to work, I would have to connect to the bogus SSID, and join that network in order for anything else in this exploit to continue.  There are half a dozen SSID’s being broadcast in my neighborhood constantly, but my laptop is already connected to my home network, and not trying to connect to another.

            Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
            We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
            We were all once "Average Users".

            • #2683134

              In order for the exploit to work, I would have to connect to the bogus SSID, and join that network in order for anything else in this exploit to continue.

              You would not have to connect to that network:

              When the victim’s computer scans Wi-Fi networks and encounters the attacker’s SSID, the code is remotely executed on the victim’s system.

              https://www.cve.news/cve-2024-30078/

              1 user thanked author for this post.
            • #2683146

              In the original MSRC write up they have “An unauthenticated attacker could send a malicious networking packet to an adjacent system that is employing a Wi-Fi networking adapter, which could enable remote code execution.”

              The CVENews site is “CVE.news is an independent publication launched in August 2022 by IVAN NOVIKOV” and is the only place I’ve seen leap from merely scanning for wifi access points will trigger this attack.

              I’m not reading anywhere that this can occur without connecting to the network.  Got another source because Ivan is the only one saying that as I can see?

              Susan Bradley Patch Lady/Prudent patcher

              2 users thanked author for this post.
            • #2683180

              MSRC also indicates that no user interaction with a malicious SSID is needed.

              Don’t you trust “Wi-Fi range … the only restriction” at Zero Day Initiative?

              Microsoft has confirmed that with no special access conditions or extenuating circumstances needed, apart from the proximity requirement, an attacker could “expect repeatable success against the vulnerable component.” Microsoft also warns that an attacker requires no authentication as a user before exploiting this vulnerability, nor any access to settings or files on the victim’s machine before carrying out the attack. Furthermore, the user of the targeted device does not need to interact at all: there is no link to click, no image to load, and no file to execute.

              CVE-2024-30078 Can Be Exploited Without Any User Interaction [Davey Winder at Forbes]

              Exploits are available, with some details of how it works [at various locations on the Web]

              Moderator’s Note: Link to explanation removed due to linking to exploit code.

              1 user thanked author for this post.
            • #2683193

              Where exactly does MSRC say that?

              https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30078

               

              Also:

              https://x.com/f4rmpoet/status/1805335876798390283

              I need to make a correction. Upon closer inspection it seems you need to be authenticated on the same network as the victim. I wonder if

              are planning a talk or blogpost on this vulnerability.”

               

              Susan Bradley Patch Lady/Prudent patcher

            • #2683292

              Where exactly does MSRC say that?

              https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30078

              > User Interaction > None

              “The vulnerable system can be exploited without any interaction from any user.”

            • #2683343
              That doesn’t say anything about merely scanning for a SSID.
              I need to make a correction. Upon closer inspection it seems you need to be authenticated on the same network as the victim. I wonder if

              are planning a talk or blogpost on this vulnerability.


              Blkph0x
              @Blkph0x2
              I found the same thing. Testing, I found the code path is executed on joining a network, hit multiple times during authentication, so I'm going down the path now of setting up an open wifi AP that will send the frames. If an open network is auto join this could be zero click. Maybe.

              Susan Bradley Patch Lady/Prudent patcher

            • #2683396

              That doesn’t say anything about merely scanning for a SSID.

              That’s not what you asked.

              But the exploits employ a malicious SSID.

            • #2683398

              B honey, dear let me remind you of the conversation:

              You are arguing now for arguing sake and this thread will be closed shortly if you continue to be ridiculous.

              =========

              In order for the exploit to work, I would have to connect to the bogus SSID, and join that network in order for anything else in this exploit to continue.

              You then said:  You would not have to connect to that network:

              And then linked to this

              When the victim’s computer scans Wi-Fi networks and encounters the attacker’s SSID, the code is remotely executed on the victim’s system.

              https://www.cve.news/cve-2024-30078/

              Then you said and pointed to Forbes:

              “MSRC also indicates that no user interaction with a malicious SSID is needed.

              Don’t you trust “Wi-Fi range … the only restriction” at Zero Day Initiative?

              Microsoft has confirmed that with no special access conditions or extenuating circumstances needed, apart from the proximity requirement, an attacker could “expect repeatable success against the vulnerable component.” Microsoft also warns that an attacker requires no authentication as a user before exploiting this vulnerability, nor any access to settings or files on the victim’s machine before carrying out the attack. Furthermore, the user of the targeted device does not need to interact at all: there is no link to click, no image to load, and no file to execute.

              CVE-2024-30078 Can Be Exploited Without Any User Interaction [Davey Winder at Forbes]

              What Davey left out was “user has to connect to unknown wifi”.  Which is a huge mitigation.  If it’s an open wifi with no security – honey I never connect to that.  If it’s a wifi with a security lock and it’s not one that I’ve personally set up, know who set it up I am seriously questioning should I connect to that and the potential for someone to have malicious code on that network.  Like for example anyone travelling to Blackhat should wipe their computer before going and then once they get back as the Blackhat/Defcon gang are notorious for historical hacks and cracks.  But John Q Askwoody reader connecting to their own wifi has nothing to fear.

              Susan Bradley Patch Lady/Prudent patcher

              3 users thanked author for this post.
            • #2683425

              B honey, dear let me remind you of the conversation:

              You are arguing now for arguing sake and this thread will be closed shortly if you continue to be ridiculous.

              All I did today is answer your questions to help clarify the situation.

              CVE-2024-30078 Can Be Exploited Without Any User Interaction [Davey Winder at Forbes]

              What Davey left out was “user has to connect to unknown wifi”.

              Perhaps because it’s not true?

              Why would Microsoft say no user interaction is needed if that were the case?

              And especially, why would its explanation of “Attack vector: Adjacent” only say “within proximity”?:

              FAQ

              According to the CVSS metric, the attack vector is adjacent. What does that mean for this vulnerability?

              Exploiting this vulnerability requires an attacker to be within proximity of the target system to send and receive radio transmissions.

              But John Q Askwoody reader connecting to their own wifi has nothing to fear.

              Perhaps we’ll find out for sure soon. Steve Gibson of GRC.com thinks it’s high severity, and he doesn’t stipulate any network connection:

              Security News
              CVE-2024-30078

              I need to begin this week by making 100% certain that everyone listening is aware of a flaw that was patched during last Tuesday’s Windows patchfest. It’s CVE-2024-30078 and the only reason it only has a CVSS score of 8.8, rather than 11 on a scale that maxes out at 10, is that an attacker needs to be within WiFi radio range of the Windows machine – any Windows machine with WiFi enabled that has not been updated with last Tuesday’s patches – in order to obtain total control over that machine.

              https://www.grc.com/sn/sn-979-notes.pdf

            • #2683435

              If this was truly what you say we’d see reports of attacks by now.

              Give it up b.  You have to connect to the access point and be on the same wifi.

              Microsoft notoriously has lousy vulnerability documentation these days partly to ensure they don’t give pointers to the attackers and partially because they’ve cut personnel.

              At no place in their documentation do they say you merely have to be there.  What they are referring to is once you’ve connected to wifi AND the person is on the same network THEN there is no action needed and no firewall protects you (and no vpn either for that matter).  You won’t need to click on a file or a popup or an email. Once you and the attacker share the same subnet then they can throw a malicious packet at you.  If you are not connected to their wifi, you can’t.

              For the benefit of the Askwoody readership, please understand this vulnerability.  It is not what you keep trying to say it is.

              You must connect to the malicious wifi first.

              Susan Bradley Patch Lady/Prudent patcher

              4 users thanked author for this post.
            • #2683436

              P.S. Steve Gibson wrote that a week or so ago.  My guess if I showed him the various githubs and information on the web today, he wouldn’t say what he said.

              Security guidance changes as we understand the vulnerability more.  Microsoft is not clear with their documentation these days at all.

              Susan Bradley Patch Lady/Prudent patcher

              2 users thanked author for this post.
            • #2683777

              P.S. Steve Gibson wrote that a week or so ago. My guess if I showed him the various githubs and information on the web today, he wouldn’t say what he said.

              He said a lot more about it two days ago, and now thinks it’s more dangerous than before, not less:

              Ok, so we have this guy publicly working on a public exploit for this very worrisome flaw and we’re about to see why it turns out, this is a lot worse than it first seemed.

              SECURITY NOW 980 TRANSCRIPT — Jun 25th 2024

            • #2683819

              He said a lot more about it two days ago, and now thinks it’s more dangerous than before, not less:

              For me, it will have to reconfigure my laptop to support two WiFi connections simultaneously in order to be effective.  My laptop supports only one network connection at a time, and it’s already connected.

              It’s like being attacked by a shark.  I’m many miles away from salt water, and I’m not concerned in the least about a shark attack.

              Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
              We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
              We were all once "Average Users".

            • #2683903

              For me, it will have to reconfigure my laptop to support two WiFi connections simultaneously in order to be effective.

              You installed KB5039212 weeks ago so it need not concern you anyway.

            • #2683905

              What concerns me most is various pundits on the web like Mr. Gibson that are overreacting to this vulnerability.  It’s not wormable.  I don’t like it when the security industry spins and clickbaits security information and misinforms.  That is what is going on here.

              At this point in time I urge any of the readership to install the June updates that were released on June 11, but don’t freak out and not connect to the Internet if you have not. This vulnerability is only a risk if the attacker is on the same network that you are.  Merely connecting to a known wifi like that of your house will not be enough to trigger this vulnerability.

              Do not install any preview updates that may have downloaded to your machine. Microsoft has pulled the June 25th update due to issues triggering reboots.

              We will be getting ready for July’s updates next week.

              Susan Bradley Patch Lady/Prudent patcher

              3 users thanked author for this post.
            • #2683855

              All that is showcasing is that he’s not understanding the vulnerability. You have to connect to the SSID and be on the same subnet as the attacker.

              https://xz.aliyun.com/t/14941?time__1311=mqmxyD0iDtD%3DKAKDsYoYKw1nD9GKrDu76YD

              Translated …

              Take advantage of the scene

              1. The attacker acts as an AP to induce the victim to connect to the WiFi and then launches an attack
                Note: There is no situation where a user is attacked just by turning on the WiFi
              2. The attacker and victim connect to the same WiFi and then attack”

              Get it now?  You have to connect.  Merely having your machine running and scanning for SSIDs is not enough.  You then connect to the SAME wifi as the attacker.

              With all due respect to Mr. Gibson this is not a wormable 10.  It’s a “I have to be stupid and jump in shark infested waters”.  It’s not a “I merely have to stand on the beach and look at the shark to be attacked”.

              Understand the nuance here?

              Susan Bradley Patch Lady/Prudent patcher

              8 users thanked author for this post.
            • #2683200

              One of the POC’s authors now indicates he’s not got the right bug.

              “#INFO : This REPO does not seem to be hitting the same bug as in the stated CVE new information has come to my attention thanks to FarmPoet, The CVE-2024-30078 vulnerability is in Dot11Translate80211ToEthernetNdisPacket() of the native wifi windows driver (nwifi.sys) and a very specific frame needs to be constructed to even get to the vulnerable code path (which this code does not).”

              FarmPoet also indicated that the other POC he’s seen wasn’t hitting the same bug.

              Susan Bradley Patch Lady/Prudent patcher

            • #2683290

              One of the POC’s authors now indicates he’s not got the right bug.

              “#INFO : This REPO does not seem to be hitting the same bug as in the stated CVE new information has come to my attention thanks to FarmPoet, The CVE-2024-30078 vulnerability is in Dot11Translate80211ToEthernetNdisPacket() of the native wifi windows driver (nwifi.sys) and a very specific frame needs to be constructed to even get to the vulnerable code path (which this code does not).”

              That was a previous version which was linked at the top of the link I provided (“forked from …).

            • #2683344

              Which just occurred recently and is still only triggered after joining the network.

              The user interaction none — if taken at face value would even exclude scanning for a SSID.  They mean that once you are connected to same network as the attacker, that then you don’t have to take actions to be potentially attacked.  As long as the malicious attacker and you are on the same wifi, then they can fling packets at you.

              Don’t connect to a wifi you don’t know.  But scanning for SSIDs isn’t enough to trigger the exploit.

              And running a VPN won’t help.

              Susan Bradley Patch Lady/Prudent patcher

            • #2683186

              You would not have to connect to that network

              My laptop would have to be susceptible, “have its ears on”.  It is already connected to my home network.  It is not listening to SSID broadcasts; it is listening to my WiFi router in order to maintain that stable network connection.

              My laptop cannot “hear” other SSID’s without me first disconnecting from my home network.  Only then does it listen for SSID’s.

              Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
              We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
              We were all once "Average Users".

            • #2683245

              My laptop cannot “hear” other SSID’s without me first disconnecting from my home network.  Only then does it listen for SSID’s.

              Not true. Click on the wifi connection in the tray and you will see all the local wifi networks, without having to disconnect from your current connection.
              When you fire the machine up it listens for all networks and then connects to the one you have specified, if it’s available.

              cheers, Paul

              1 user thanked author for this post.
            • #2683360

              Not true. Click on the wifi connection in the tray and you will see all the local wifi networks, without having to disconnect from your current connection.

              Clearly, I’m doing a really poor job of explanation.

              When you fire the machine up it listens for all networks and then connects to the one you have specified, if it’s available.

              It never gets shutdown, merely signed off; I’ll try to explain once more.  When my laptop is connected to my home network, it receives/sends packets only from the connected network.  It is not going to receive packets from any other WiFi network.

              When I plug in an Ethernet cable, my WiFi is automatically turned off.  My laptop can only support one connection at a time.  The only time it would be vulnerable is when it is not actively connected via WiFi or Ethernet.  Connected to my home network via WiFi, it can only support (send/receive packets) that single connection.

              Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
              We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
              We were all once "Average Users".

              1 user thanked author for this post.
            • #2683379

              But in this case you have to connect to the same wifi network as the attacker.  So if you don’t trust that wifi, haven’t set it up personally, don’t connect to it.

              If you do connect to untrusted wifi perhaps you need to review the risk of doing that in the first place?

              Susan Bradley Patch Lady/Prudent patcher

              5 users thanked author for this post.
    • #2683834

      I’m many miles away from salt water, and I’m not concerned in the least about a shark attack.

      There are sharks in fresh waters lakes and rivers.

      • #2683842

        There are sharks in fresh waters

        Asia and Australia.  I’m in south central Florida.

        The bull shark (Carcharhinus leucas), also known as the Zambezi shark (informally zambi) in Africa and Lake Nicaragua shark in Nicaragua, is a species of requiem shark commonly found worldwide in warm, shallow waters along coasts and in rivers. It is known for its aggressive nature, and presence mainly in warm, shallow brackish and freshwater systems including estuaries and (usually) lower reaches of rivers.”  I live near Peace River, but many, many, many ‘river’ miles from the “lower reaches” of the river.

        And, I’m not in the river.  But I still have a higher risk of shark attack than of having my laptop reconfigured remotely to support two WiFi connections simultaneously.

        Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
        We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
        We were all once "Average Users".

        1 user thanked author for this post.
    • #2683852

      Asia and Australia.  I’m in south central Florida

      You have freshwater crocodiles 🙂

      I don’t know which is worse.
