#1
Patch Your XP & Win 7 Boxen!
https://www.wsj.com/articles/microsoft-warns-of-a-monster-computer-bug-in-a-week-of-them-11557900716
https://www.theverge.com/2019/5/14/18623565/microsoft-windows-xp-remote-desktop-services-worm-security-patches
https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708
#2
On Thu, 16 May 2019 23:58:15 +0000, Klaus wrote:

https://www.wsj.com/articles/microsoft-warns-of-a-monster-computer-bug-in-a-week-of-them-11557900716
https://www.theverge.com/2019/5/14/18623565/microsoft-windows-xp-remote-desktop-services-worm-security-patches
https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708

If I knew I was never going to run remote console support, which files can I delete to be sure it can't ever run? I already have it disabled but I assume a real hacker could get by that.
#4
pjp wrote:

In article , says...

https://www.wsj.com/articles/microsoft-warns-of-a-monster-computer-bug-in-a-week-of-them-11557900716
https://www.theverge.com/2019/5/14/18623565/microsoft-windows-xp-remote-desktop-services-worm-security-patches
https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708

I read some article about that which included the link to MS for the patch. At the same time I let it connect to Windows Update. It only had little over 200 updates for an XP laptop I seldom use. GEEZ!!!!

But you didn't have to use Windows Update. The catalog link would give a download of a standalone KB install you could have run by double clicking.

"remote code execution vulnerability in Remote Desktop Services"
https://www.catalog.update.microsoft...px?q=KB4500331

windowsxp-kb4500331-x86-custom-enu_d7206aca53552fececf72a3dee93eb2da0421188.exe
531,496 bytes
SHA256: 7A3140B38A7C37B7635D47243BE8141199E2E8E7F5E85A966ED9C73A17A6EF56

One thing you have to be careful of, is the out-of-band patches are not reflected in wsusscn2.cab download. Windows Update may not actually have KB4500331 in it. So while you think you got 200 patches in your Windows Update melee, in fact you could be missing the SMBV1 patch and that RDP patch, as they're out-of-band. Microsoft does this, to prevent wsusscn2 from growing any larger, on behalf of the WinXP entries. And this prevents custom patches from being acquired simply by using Windows Update.

Check and see what happened in this case.

Paul
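Paul's two points (the catalog lists a SHA-256 for the standalone installer, and an out-of-band fix may never appear through Windows Update) both invite a check rather than trust. The PowerShell below is an added example, not code from this thread or from Microsoft: it hashes the downloaded installer with .NET directly (so it runs on Windows PowerShell 2.0, which has no Get-FileHash; on XP SP3 PowerShell 2.0 is an optional install), compares the result to the catalog value, and then asks WMI whether the KB is actually recorded as installed. The installer file name and hash are the ones Paul quoted; the download folder is an assumption. On Windows 7 the same Test-KbInstalled call would be made with the rollup or security-only KB for that platform instead.

```powershell
# Added example (not from the thread). Verify a standalone KB installer against the
# SHA-256 published in the Microsoft Update Catalog, then confirm the KB is installed.
# Uses .NET hashing so it works on Windows PowerShell 2.0 (no Get-FileHash there).

function Get-Sha256Hex {
    param([Parameter(Mandatory = $true)][string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
        $sha.Clear()   # releases the hash object; available on .NET 2.0 and later
    }
    # Upper-case hex with no separators, the same form the catalog displays
    ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Test-InstallerHash {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$ExpectedSha256
    )
    $actual = Get-Sha256Hex -Path $Path
    # Copy-pasted hashes often pick up spaces or dashes; strip them before comparing
    $expected = ($ExpectedSha256 -replace '[\s-]', '').ToUpperInvariant()
    if ($actual -eq $expected) {
        Write-Host "OK   $Path matches the catalog SHA-256"
        return $true
    }
    Write-Warning "MISMATCH $Path`n  expected $expected`n  actual   $actual"
    return $false
}

function Test-KbInstalled {
    param([Parameter(Mandatory = $true)][string]$KB)
    # Win32_QuickFixEngineering is the store Get-HotFix reads; works back to XP SP3 with PS 2.0.
    $hit = Get-WmiObject -Class Win32_QuickFixEngineering -Filter "HotFixID='$KB'"
    if ($hit) {
        Write-Host "OK   $KB is recorded as installed ($($hit.InstalledOn))"
        return $true
    }
    Write-Warning "$KB is NOT recorded as installed; an out-of-band fix is not offered by Windows Update"
    return $false
}

# Usage. File name and hash as quoted from the catalog in the post above; the
# Downloads folder is an assumption for this example.
$installer   = Join-Path $env:USERPROFILE 'Downloads\windowsxp-kb4500331-x86-custom-enu_d7206aca53552fececf72a3dee93eb2da0421188.exe'
$catalogHash = '7A3140B38A7C37B7635D47243BE8141199E2E8E7F5E85A966ED9C73A17A6EF56'

if (Test-Path $installer) {
    if (Test-InstallerHash -Path $installer -ExpectedSha256 $catalogHash) {
        Write-Host 'Hash verified. Run the installer, reboot, then re-run Test-KbInstalled.'
    }
} else {
    Write-Host "Installer not found at $installer"
}
Test-KbInstalled -KB 'KB4500331'
```

The hash comparison is the step that makes a manually downloaded standalone package as trustworthy as one delivered by the update client; the WMI query afterwards is the "check and see what happened" Paul asks for, and it is the part that catches the case where 200 updates arrived but the out-of-band one did not.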
#5
wrote:

On Thu, 16 May 2019 23:58:15 +0000, Klaus wrote:

https://www.wsj.com/articles/microsoft-warns-of-a-monster-computer-bug-in-a-week-of-them-11557900716
https://www.theverge.com/2019/5/14/18623565/microsoft-windows-xp-remote-desktop-services-worm-security-patches
https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708

If I knew I was never going to run remote console support, which files can I delete to be sure it can't ever run? I already have it disabled but I assume a real hacker could get by that.

https://support.microsoft.com/en-ca/...date-kb4500331

File name   File version   File size  Date         Time   Platform
Termdd.sys  5.1.2600.7701  40,968     19-Apr-2019  18:06  x86

I'm guessing that's the file they change on WinXP, but the Windows 7 patch could include more than that.

*******

https://www.reddit.com/r/sysadmin/co...vulnerability/

"A partial mitigation is to enable Network Level Authentication, which still leaves you open to remote code execution, but requires the attacker to have valid credentials."

Whatever that means.

https://en.wikipedia.org/wiki/Remote_Desktop_Services

"The server component of RDS is Terminal Server (termdd.sys), which listens on TCP port 3389."

Uh, OK then, so if I'm behind NAT, exactly how is someone going to access my port 3389. I can see me being "worm-able" if another machine on my LAN has the exploit and attacks my 3389, but if I'm on IPV4 (not IPV6) and that has NAT, then 3389 should not be port forwarded or the like. So a partial mitigation would be to wear your clue hat. If you connect your WinXP machine *directly* to an ADSL modem say (there is at least one poster here who does that!), and WinXP terminates PPPOE, then you might have an exposure on 3389.

*******

Since that patch is available for WinXP and Windows 7, if you use "WinXP Mode" on Windows 7 (Windows Virtual PC 20MB plus WinXP vhd file 500MB), you might want to verify that the WinXP Mode rootless program windows still open properly after applying the patch to Windows 7. As it's possible termdd.sys is used for WinXP Mode program display windows.

Paul
#7
pjp wrote:

In article , lid says...

pjp wrote:

In article , says...

https://www.wsj.com/articles/microsoft-warns-of-a-monster-computer-bug-in-a-week-of-them-11557900716
https://www.theverge.com/2019/5/14/18623565/microsoft-windows-xp-remote-desktop-services-worm-security-patches
https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708

I read some article about that which included the link to MS for the patch. At the same time I let it connect to Windows Update. It only had little over 200 updates for an XP laptop I seldom use. GEEZ!!!!

But you didn't have to use Windows Update. The catalog link would give a download of a standalone KB install you could have run by double clicking.

"remote code execution vulnerability in Remote Desktop Services"
https://www.catalog.update.microsoft...px?q=KB4500331

windowsxp-kb4500331-x86-custom-enu_d7206aca53552fececf72a3dee93eb2da0421188.exe
531,496 bytes
SHA256: 7A3140B38A7C37B7635D47243BE8141199E2E8E7F5E85A966ED9C73A17A6EF56

One thing you have to be careful of, is the out-of-band patches are not reflected in wsusscn2.cab download. Windows Update may not actually have KB4500331 in it. So while you think you got 200 patches in your Windows Update melee, in fact you could be missing the SMBV1 patch and that RDP patch, as they're out-of-band. Microsoft does this, to prevent wsusscn2 from growing any larger, on behalf of the WinXP entries. And this prevents custom patches from being acquired simply by using Windows Update.

Check and see what happened in this case.

Paul

Reread what I posted. I did download and install the patch first and then afterwards I figured I'd give Windows Update a go. Was surprised to find so many updates for XP on a pc I'd always kept updated till well past its eof cycle. I wonder if adding that little "hack" to make it think it was a "pos" machine did that?

Laptop itself is running fine even fixed some of the certificate errors I was getting for some sites, MS included (but not all).

At some point, the POS hack was supposed to "age out". What you're seeing, could be a result of the POS thing no longer being supported.

But there really should not have been any "blowback" from that. What should happen, is patches that were already installed, they should block the same patch from coming in. While Windows Update could (mistakenly) download a patch twice, the install logic will reject the patch the second time. Unless the patch is versioned, and the first instance is Version 1 and the second instance is Version 2, in which case identical KB numbers can be installed more than once. (This is how KB890830 scanner keeps coming in, twelve times a year.)

The installer logic is supposed to be "bulletproof to stupid stuff". So no matter how bad it looks (like when your system "loses" all the history of updates), in fact at the individual update level, they still know what's going on, and won't allow bad things to happen. I've not seen a case yet, where the last line of defense seemingly failed.

The logic that figures out you need an update, is terrible (it has unbounded behavior). It should have been re-written from scratch years ago. The package installer on the other hand, is pretty good.

Paul
#8
"Paul" wrote

| The catalog link would give a download of a standalone KB install
| you could have run by double clicking.
|
| "remote code execution vulnerability in Remote Desktop Services"
|

Also worth noting: The services for this do not have to be enabled. Anyone who doesn't use remote desktop should disable the service. The same goes for remote access in general. Patches are great if you use the service, but it's like allowing ActiveX in IE: The whole design is very useful while at the same time it cannot be made safe.
#9
On Sat, 18 May 2019 22:26:44 -0400, "Mayayana" wrote:

"Paul" wrote

| The catalog link would give a download of a standalone KB install
| you could have run by double clicking.
|
| "remote code execution vulnerability in Remote Desktop Services"
|

Also worth noting: The services for this do not have to be enabled. Anyone who doesn't use remote desktop should disable the service. The same goes for remote access in general. Patches are great if you use the service, but it's like allowing ActiveX in IE: The whole design is very useful while at the same time it cannot be made safe.

That is why I asked if there was a file or two that could be deleted or renamed that would make remote console support go away forever.
#11
In message , Mr Pounder Esquire writes:

wrote:
[]
That is why I asked if there was a file or two that could be deleted or renamed that would make remote console support go away forever

It was disabled in Control Panel, System - Remote here. I think you can also disable in msconfig - Services. Google first to see if it is safe to do so.

If someone has done the above, is there still any advantage to applying the patch?
--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

Who is Art, and why does life imitate him?
#12
In message , pjp writes:

In article , says...

https://www.wsj.com/articles/microso...r-computer-bug-in-a-week-of-them-11557900716

When I load the above page, my CPU usage takes off, whether in my old Firefox or Chrome; the old Firefox locks up.

https://www.theverge.com/2019/5/14/1...ndows-xp-remote-desktop-services-worm-security-patches

_That_ one says it's in 7 as well.

https://blogs.technet.microsoft.com/...ent-a-worm-by-updating-remote-desktop-services-cve-2019-0708

They don't half like to make you go round the houses to actually find details of where to get the patch, don't they! That last one _implies_ - though doesn't explicitly _state_, AFAICS - that for 7SP1 it's _included_ in 4499164 "Monthly Rollup" and 4499175 "Security Only" (superseding 4493472). (With other systems, such as Server 2008, having their own.) [8 and 10 are claimed to be immune.]

You can search by KB number at http://www.catalog.update.microsoft.com/Home.aspx; the results show links which, on the left, tell you what's needed, what it supersedes, _whether it has been superseded_, and other information, and on the right link to the actual downloads. For 7-32 these might be http://download.windowsupdate.com/d/...97881d801.exe and http://download.windowsupdate.com/d/...89ab10bf41b.msu ; I'm not sure why there are two, but as the first one includes "clearstalecache" in its name, I presume it does that. It's only 30K, and seems to flash up a command window briefly. (I tried calling it from a command window, and it just comes back to the prompt - no error message, but no other message either.) The .msu file took about 5 minutes to run here, not counting the restart which it called for and I haven't done yet.

I read some article about that which included the link to MS for the patch. At the same time I let it connect to Windows Update. It only had little over 200 updates for an XP laptop I seldom use. GEEZ!!!!

Had you not used it (or at least let it connect to WU) since before end of support? (Had you implemented the POS hack?)

As (I think is becoming) usual, the patch installer (TrustedInstaller.exe - an ironic name if I ever saw one!) is using about 24-25% of my 4-core CPU, even _after_ it's got to the point where it says it's completed, tells me it needs a restart, and I've told it "not now". I don't know what it's doing. Ah - it has settled down, after _another_ 7½ minutes or so. (Still shows as a running Image Name, but 00 CPU.)
--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

Who is Art, and why does life imitate him?
#13
On Thu, 6 Jun 2019 03:57:03 +0100, "J. P. Gilliver (John)" wrote:

In message , DK writes:

In article , wrote:

On Thu, 16 May 2019 23:58:15 +0000, Klaus wrote:

https://www.wsj.com/articles/microso...er-computer-bug-in-a-week-of-them-11557900716
https://www.theverge.com/2019/5/14/1...indows-xp-remote-desktop-services-worm-security-patches
https://blogs.technet.microsoft.com/...vent-a-worm-by-updating-remote-desktop-services-cve-2019-0708

If I knew I was never going to run remote console support, which files can I delete to be sure it can't ever run? I already have it disabled but I assume a real hacker could get by that.

No need to delete the files. Just stop the service and set it to start as "Manual".

DK

A hacker worth his salt would turn it back to Automatic. Which would be more difficult if it wasn't there.

I agree and since a lot of them are just script kiddies who are using canned hacking tools, anything you can do to make the expected exploits disappear will make the job harder.
#14
In message , DK writes:

In article , wrote:

On Thu, 16 May 2019 23:58:15 +0000, Klaus wrote:

https://www.wsj.com/articles/microso...er-computer-bug-in-a-week-of-them-11557900716
https://www.theverge.com/2019/5/14/1...indows-xp-remote-desktop-services-worm-security-patches
https://blogs.technet.microsoft.com/...vent-a-worm-by-updating-remote-desktop-services-cve-2019-0708

If I knew I was never going to run remote console support, which files can I delete to be sure it can't ever run? I already have it disabled but I assume a real hacker could get by that.

No need to delete the files. Just stop the service and set it to start as "Manual".

DK

A hacker worth his salt would turn it back to Automatic. Which would be more difficult if it wasn't there.
--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

.... although we regard it as undesirable for children to drive cars, own credit cards or enter public houses, we don't prevent grown-ups from choosing to do so. (Quoted by Paul Bray in Computing, 3 October 1996.)
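The question running through posts #5, #11, #13 and #14 is whether Remote Desktop on a given box is really off, and whether the patch still matters once it is. The PowerShell below is an added example, not code from this thread or from Microsoft, that reports the local posture in one place on Windows 7: the Control Panel "System - Remote" flag (fDenyTSConnections), the Network Level Authentication setting the reddit quote in post #5 calls a partial mitigation (UserAuthentication), the listener port (PortNumber), the TermService start mode that DK and John argue about (Auto/Manual/Disabled), and whether anything is actually in LISTENING state on that port. The registry paths and value names are the documented Terminal Server ones; netstat is used because Windows 7 has no Get-NetTCPConnection. On XP the UserAuthentication value may be absent, which the script simply reports as "not required". Reading these values needs no elevation; changing them does.

```powershell
# Added example (not from the thread). Report the local RDP exposure on Windows 7 /
# Windows PowerShell 2.0: policy flag, NLA, port, service state and live listener.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpPosture {
    $ts  = Get-ItemProperty -Path $tsKey
    $rdp = Get-ItemProperty -Path $rdpKey
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='TermService'"

    # fDenyTSConnections = 1 is what Control Panel > System > Remote writes when RDP is off
    $denied = ($ts.fDenyTSConnections -eq 1)
    # UserAuthentication = 1 means NLA is required before the RDP session stack is reached;
    # a missing value (e.g. on XP) evaluates to $false here, i.e. "not required"
    $nla  = ($rdp.UserAuthentication -eq 1)
    $port = [int]$rdp.PortNumber

    # Live check: is anything bound to the configured port and LISTENING?
    # Matches both "0.0.0.0:3389" and "[::]:3389" forms of netstat output.
    $listening = @(netstat -an -p tcp |
        Select-String "^\s*TCP\s+\S+:$port\s+\S+\s+LISTENING").Count -gt 0

    New-Object PSObject -Property @{
        RdpDeniedByPolicy = $denied
        NlaRequired       = $nla
        ListenerPort      = $port
        ServiceState      = $svc.State        # Running / Stopped
        ServiceStartMode  = $svc.StartMode    # Auto / Manual / Disabled
        PortListening     = $listening
    }
}

function Get-RdpFindings {
    param([Parameter(Mandatory = $true)]$Posture)
    $findings = @()
    if (-not $Posture.RdpDeniedByPolicy) {
        $findings += 'RDP connections are allowed by policy (fDenyTSConnections is not 1)'
    }
    if (-not $Posture.NlaRequired) {
        $findings += 'NLA is not required: the pre-authentication RDP surface is reachable'
    }
    if ($Posture.PortListening) {
        $findings += "TCP $($Posture.ListenerPort) is in LISTENING state right now"
    }
    if ($Posture.ServiceStartMode -ne 'Disabled') {
        $findings += "TermService start mode is '$($Posture.ServiceStartMode)', not Disabled; one setting change re-enables it"
    }
    $findings
}

# Usage
$posture = Get-RdpPosture
$posture | Format-List
$findings = Get-RdpFindings -Posture $posture
if ($findings.Count -eq 0) {
    Write-Host 'RDP appears off: policy denies connections, service Disabled, nothing listening.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Reading the output against the thread: a box where the service is merely stopped and set to Manual, with fDenyTSConnections still 0, comes back with three findings, because a single service start puts the listener back on the port. That is the gap John points at, and it is why applying the patch still has value on a machine whose owner considers RDP "off". The hardened configuration is all four at once: policy denies connections, NLA required, service Disabled, and the fix installed.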