Old May 17th 19, 06:56 AM posted to microsoft.public.windowsxp.general
Paul[_32_]
Default Patch Your XP & Win 7 Boxen!

wrote:
> On Thu, 16 May 2019 23:58:15 +0000, Klaus wrote:
>
>> https://www.wsj.com/articles/microsoft-warns-of-a-monster-computer-bug-in-a-week-of-them-11557900716
>>
>> https://www.theverge.com/2019/5/14/18623565/microsoft-windows-xp-remote-desktop-services-worm-security-patches
>>
>> https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708
>
>
> If I knew I was never going to run remote console support, which files
> can I delete to be sure it can't ever run? I already have it disabled
> but I assume a real hacker could get by that.


https://support.microsoft.com/en-ca/...date-kb4500331

File name    File version    File size  Date         Time   Platform
Termdd.sys   5.1.2600.7701   40,968     19-Apr-2019  18:06  x86

I'm guessing that's the file they change on WinXP, but the Windows 7
patch could include more than that.

*******

https://www.reddit.com/r/sysadmin/co...vulnerability/

"A partial mitigation is to enable Network Level Authentication, which
still leaves you open to remote code execution, but requires the attacker
to have valid credentials."

Whatever that means.

https://en.wikipedia.org/wiki/Remote_Desktop_Services

"The server component of RDS is Terminal Server (termdd.sys),
which listens on TCP port 3389."

Uh, OK then, so if I'm behind NAT, exactly how is someone going
to access my port 3389? I can see me being "worm-able" if another
machine on my LAN has the exploit and attacks my 3389, but if
I'm on IPv4 (not IPv6) and that has NAT, then 3389 should not
be port forwarded or the like.

So a partial mitigation would be to wear your clue hat.

If you connect your WinXP machine *directly* to an ADSL modem, say
(there is at least one poster here who does that!), and WinXP
terminates PPPoE, then you might have an exposure on 3389.

*******

Since that patch is available for WinXP and Windows 7, if you
use "WinXP Mode" on Windows 7 (Windows Virtual PC 20MB plus
WinXP vhd file 500MB), you might want to verify that the
WinXP Mode rootless program windows still open properly
after applying the patch to Windows 7, as it's possible termdd.sys
is used for WinXP Mode program display windows.

Paul
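
The checks Paul walks through above (is Remote Desktop disabled, is NLA on, is anything listening on 3389, which termdd.sys build is installed, is the KB present) can be run locally in one go. The script below is an added example, not code from Paul's post or from Microsoft; it uses only PowerShell 2.0 cmdlets so it runs on XP SP3 and Windows 7. The registry paths and value names (fDenyTSConnections, UserAuthentication) are the standard Terminal Server ones; KB4500331 and termdd.sys 5.1.2600.7701 are the XP values from the KB article quoted above, and the Windows 7 patch has a different KB number and a 6.1.x driver version, so those have to be passed in as parameters for a Win7 box.

```powershell
# Added example, not from the original post: local checks for the RDP
# exposure points discussed above. Run as Administrator on the XP or
# Windows 7 box; PowerShell 2.0 cmdlets only.
# KB4500331 and termdd.sys 5.1.2600.7701 are the XP values from the KB
# article quoted in the post (assumed defaults); pass the Windows 7 KB
# number and fixed driver version with -Kb / -FixedTermdd on Win7.
param(
    [string]$Kb = 'KB4500331',
    [version]$FixedTermdd = '5.1.2600.7701'
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

# 1. Remote Desktop switch: fDenyTSConnections = 1 means RDP is disabled
#    (the setting behind "I already have it disabled" in System Properties).
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
"fDenyTSConnections = $deny  (1 = Remote Desktop disabled)"

# 2. Network Level Authentication: UserAuthentication = 1 means a client
#    must authenticate before a session is created, which is what the
#    "requires valid credentials" partial mitigation means. Windows 7
#    exposes this setting; XP cannot act as an NLA host, so it is normally
#    absent there and the value prints empty.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
"UserAuthentication  = $nla  (1 = NLA required, partial mitigation)"

# 3. Live listener: whatever the registry says, the worm needs a socket
#    to talk to. netstat -ano exists on both XP and Windows 7.
$listen = netstat -ano | Select-String -Pattern '^\s*TCP\s+\S+:3389\s+\S+\s+LISTENING'
if ($listen) {
    $lines = $listen | ForEach-Object { $_.Line.Trim() }
    "TCP 3389 LISTENING: " + ($lines -join '; ')
} else {
    "TCP 3389: no listener"
}

# 4. Driver version: compare with the fixed build only when major.minor
#    matches the value passed in (5.1 = XP); otherwise just report it.
$termdd = Join-Path $env:SystemRoot 'system32\drivers\termdd.sys'
if (Test-Path $termdd) {
    $vi  = (Get-Item $termdd).VersionInfo
    $ver = New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    if ($ver.Major -eq $FixedTermdd.Major -and $ver.Minor -eq $FixedTermdd.Minor) {
        $state = if ($ver -ge $FixedTermdd) { 'at or above fixed build' } else { 'BELOW fixed build, patch missing' }
    } else {
        $state = 'different OS line, compare against that OS''s KB article'
    }
    "termdd.sys $ver  ($state)"
} else {
    "termdd.sys not found at $termdd"
}

# 5. Hotfix record: Get-HotFix reads Win32_QuickFixEngineering, which
#    lists installed updates on both XP and Windows 7.
$hf = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
if ($hf) { "$Kb installed on $($hf.InstalledOn)" } else { "$Kb NOT listed as installed" }
```

Note that these checks only say whether the host itself can be hit; Paul's NAT point still has to be checked from outside (whether the router forwards 3389), and a machine that terminates PPPoE directly has no NAT in front of it at all.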