A Windows XP help forum. PCbanter


Patch Your XP & Win 7 Boxen!



 
 
  #1  
Old May 17th 19, 12:58 AM posted to alt.windows7.general,microsoft.public.windowsxp.general
Klaus[_2_]

https://www.wsj.com/articles/microsoft-warns-of-a-monster-computer-bug-in-a-week-of-them-11557900716

https://www.theverge.com/2019/5/14/18623565/microsoft-windows-xp-remote-desktop-services-worm-security-patches

https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708
  #2  
Old May 17th 19, 01:49 AM posted to microsoft.public.windowsxp.general
No_Name

On Thu, 16 May 2019 23:58:15 +0000, Klaus wrote:

https://www.wsj.com/articles/microsoft-warns-of-a-monster-computer-bug-in-a-week-of-them-11557900716

https://www.theverge.com/2019/5/14/18623565/microsoft-windows-xp-remote-desktop-services-worm-security-patches

https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708


If I knew I was never going to run remote console support, which files
can I delete to be sure it can't ever run? I already have it disabled
but I assume a real hacker could get by that.
  #4  
Old May 17th 19, 06:23 AM posted to alt.windows7.general,microsoft.public.windowsxp.general
Paul[_32_]

pjp wrote:
In article , says...
https://www.wsj.com/articles/microsoft-warns-of-a-monster-computer-bug-in-a-week-of-them-11557900716

https://www.theverge.com/2019/5/14/18623565/microsoft-windows-xp-remote-desktop-services-worm-security-patches

https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708


I read some article about that which included the link to MS for the
patch. At the same time I let it connect to Windows Update. It only had
little over 200 updates for an XP laptop I seldom use. GEEZ!!!!


But you didn't have to use Windows Update.

The catalog link would give a download of a standalone KB install
you could have run by double clicking.

"remote code execution vulnerability in Remote Desktop Services"

https://www.catalog.update.microsoft...px?q=KB4500331

windowsxp-kb4500331-x86-custom-enu_d7206aca53552fececf72a3dee93eb2da0421188.exe
531,496 bytes
SHA256: 7A3140B38A7C37B7635D47243BE8141199E2E8E7F5E85A966ED9C73A17A6EF56

One thing you have to be careful of, is the out-of-band patches
are not reflected in wsusscn2.cab download. Windows Update may not
actually have KB4500331 in it.

So while you think you got 200 patches in your Windows Update melee,
in fact you could be missing the SMBV1 patch and that RDP patch,
as they're out-of-band. Microsoft does this, to prevent
wsusscn2 from growing any larger, on behalf of the WinXP
entries. And this prevents custom patches from being acquired
simply by using Windows Update.

Check and see what happened in this case.

Paul
  #5  
Old May 17th 19, 06:56 AM posted to microsoft.public.windowsxp.general
Paul[_32_]

wrote:
On Thu, 16 May 2019 23:58:15 +0000, Klaus wrote:

https://www.wsj.com/articles/microsoft-warns-of-a-monster-computer-bug-in-a-week-of-them-11557900716

https://www.theverge.com/2019/5/14/18623565/microsoft-windows-xp-remote-desktop-services-worm-security-patches

https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708


If I knew I was never going to run remote console support, which files
can I delete to be sure it can't ever run? I already have it disabled
but I assume a real hacker could get by that.


https://support.microsoft.com/en-ca/...date-kb4500331

File name File version File size Date Time Platform
Termdd.sys 5.1.2600.7701 40,968 19-Apr-2019 18:06 x86

I'm guessing that's the file they change on WinXP, but the Windows 7
patch could include more than that.

*******

https://www.reddit.com/r/sysadmin/co...vulnerability/

"A partial mitigation is to enable Network Level Authentication, which
still leaves you open to remote code execution, but requires the attacker
to have valid credentials."

Whatever that means.

https://en.wikipedia.org/wiki/Remote_Desktop_Services

"The server component of RDS is Terminal Server (termdd.sys),
which listens on TCP port 3389."

Uh, OK then, so if I'm behind NAT, exactly how is someone going
to access my port 3389. I can see me being "worm-able" if another
machine on my LAN has the exploit and attacks my 3389, but if
I'm on IPV4 (not IPV6) and that has NAT, then 3389 should not
be port forwarded or the like.

So a partial mitigation would be to wear your clue hat.

If you connect your WinXP machine *directly* to an ADSL modem say
(there is at least one poster here who does that!), and WinXP
terminates PPPOE, then you might have an exposure on 3389.

*******

Since that patch is available for WinXP and Windows 7, if you
use "WinXP Mode" on Windows 7 (Windows Virtual PC 20MB plus
WinXP vhd file 500MB), you might want to verify that the
WinXP Mode rootless program windows still open properly
after applying the patch to Windows 7. As it's possible termdd.sys
is used for WinXP Mode program display windows.

Paul
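
One way to do the check Paul asks for in posts #4 and #5 (an added example, not code from any poster or from Microsoft): read the file version out of a copy of termdd.sys and compare it with the 5.1.2600.7701 listed in the KB4500331 file table. It assumes a simplified scan that looks for the VS_VERSION_INFO key instead of walking the PE resource directory; the status strings and the sample bytes are constructed for illustration.

```python
import struct
import sys

# File version listed for Termdd.sys in the KB4500331 table quoted above.
PATCHED_TERMDD = (5, 1, 2600, 7701)

KEY = "VS_VERSION_INFO".encode("utf-16-le")
SIGNATURE = struct.pack("<I", 0xFEEF04BD)  # VS_FIXEDFILEINFO.dwSignature


def file_version(blob):
    """Return (major, minor, build, revision) from a PE version resource, or None."""
    pos = blob.find(KEY)
    while pos != -1:
        # The fixed block follows the key, its NUL terminator and alignment padding.
        start = pos + len(KEY)
        sig = blob.find(SIGNATURE, start, start + 12)
        if sig != -1 and sig + 16 <= len(blob):
            _, _, ms, ls = struct.unpack_from("<IIII", blob, sig)
            return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
        pos = blob.find(KEY, pos + 1)
    return None


def assess(blob, required=PATCHED_TERMDD):
    """Classify a termdd.sys image against the patched XP file version."""
    found = file_version(blob)
    if found is None:
        return "no-version-resource", None
    if found[:3] != required[:3]:
        # Different OS branch (e.g. Windows 7): the XP threshold does not apply.
        return "not-xp-build", found
    if found >= required:
        return "at-or-above-kb4500331", found
    return "older-than-kb4500331", found


def constructed_resource(version):
    """Constructed sample: a minimal VS_VERSIONINFO header, not a real driver."""
    a, b, c, d = version
    fixed = struct.pack("<IIII", 0xFEEF04BD, 0x00010000, (a << 16) | b, (c << 16) | d)
    fixed += b"\x00" * 36  # remaining VS_FIXEDFILEINFO fields, zeroed
    header = struct.pack("<HHH", 92, len(fixed), 0)  # wLength, wValueLength, wType
    return b"MZ" + b"\x00" * 62 + header + KEY + b"\x00\x00" + b"\x00\x00" + fixed


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Path to a copy of termdd.sys supplied by the user.
        with open(sys.argv[1], "rb") as handle:
            print(assess(handle.read()))
    else:
        for sample in [(5, 1, 2600, 5512), (5, 1, 2600, 7701)]:  # constructed versions
            print(sample, assess(constructed_resource(sample))[0])
```

A matching version only shows that the file on disk was replaced; whether the service is disabled and whether port 3389 is reachable are separate checks.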
  #6  
Old May 17th 19, 09:15 PM posted to alt.windows7.general,microsoft.public.windowsxp.general
pjp[_10_]

In article , lid says...

pjp wrote:
In article ,
says...
https://www.wsj.com/articles/microsoft-warns-of-a-monster-computer-bug-in-a-week-of-them-11557900716

https://www.theverge.com/2019/5/14/18623565/microsoft-windows-xp-remote-desktop-services-worm-security-patches

https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708


I read some article about that which included the link to MS for the
patch. At the same time I let it connect to Windows Update. It only had
little over 200 updates for an XP laptop I seldom use. GEEZ!!!!


But you didn't have to use Windows Update.

The catalog link would give a download of a standalone KB install
you could have run by double clicking.

"remote code execution vulnerability in Remote Desktop Services"

https://www.catalog.update.microsoft...px?q=KB4500331

windowsxp-kb4500331-x86-custom-enu_d7206aca53552fececf72a3dee93eb2da0421188.exe
531,496 bytes
SHA256: 7A3140B38A7C37B7635D47243BE8141199E2E8E7F5E85A966ED9C73A17A6EF56

One thing you have to be careful of, is the out-of-band patches
are not reflected in wsusscn2.cab download. Windows Update may not
actually have KB4500331 in it.

So while you think you got 200 patches in your Windows Update melee,
in fact you could be missing the SMBV1 patch and that RDP patch,
as they're out-of-band. Microsoft does this, to prevent
wsusscn2 from growing any larger, on behalf of the WinXP
entries. And this prevents custom patches from being acquired
simply by using Windows Update.

Check and see what happened in this case.

Paul


Reread what I posted. I did download and install the patch first and
then afterwards I figured I'd give Windows Update a go. Was surprised to
find so many updates for XP on a pc I'd always kept updated till well
past its eof cycle. I wonder if adding that little "hack" to make it
think it was a "pos" machine did that? Laptop itself is running fine
even fixed some of the certificate errors I was getting for some sites,
MS included (but not all).
  #7  
Old May 17th 19, 11:27 PM posted to alt.windows7.general,microsoft.public.windowsxp.general
Paul[_32_]

pjp wrote:
In article , lid says...
pjp wrote:
In article ,
says...
https://www.wsj.com/articles/microsoft-warns-of-a-monster-computer-bug-in-a-week-of-them-11557900716

https://www.theverge.com/2019/5/14/18623565/microsoft-windows-xp-remote-desktop-services-worm-security-patches

https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708
I read some article about that which included the link to MS for the
patch. At the same time I let it connect to Windows Update. It only had
little over 200 updates for an XP laptop I seldom use. GEEZ!!!!

But you didn't have to use Windows Update.

The catalog link would give a download of a standalone KB install
you could have run by double clicking.

"remote code execution vulnerability in Remote Desktop Services"

https://www.catalog.update.microsoft...px?q=KB4500331

windowsxp-kb4500331-x86-custom-enu_d7206aca53552fececf72a3dee93eb2da0421188.exe
531,496 bytes
SHA256: 7A3140B38A7C37B7635D47243BE8141199E2E8E7F5E85A966ED9C73A17A6EF56

One thing you have to be careful of, is the out-of-band patches
are not reflected in wsusscn2.cab download. Windows Update may not
actually have KB4500331 in it.

So while you think you got 200 patches in your Windows Update melee,
in fact you could be missing the SMBV1 patch and that RDP patch,
as they're out-of-band. Microsoft does this, to prevent
wsusscn2 from growing any larger, on behalf of the WinXP
entries. And this prevents custom patches from being acquired
simply by using Windows Update.

Check and see what happened in this case.

Paul


Reread what I posted. I did download and install the patch first and
then afterwards I figured I'd give Windows Update a go. Was surprised to
find so many updates for XP on a pc I'd always kept updated till well
past its eof cycle. I wonder if adding that little "hack" to make it
think it was a "pos" machine did that? Laptop itself is running fine
even fixed some of the certificate errors I was getting for some sites,
MS included (but not all).


At some point, the POS hack was supposed to "age out".
What you're seeing, could be a result of the POS thing
no longer being supported. But there really should not
have been any "blowback" from that.

What should happen, is patches that were already installed,
they should block the same patch from coming in. While Windows
Update could (mistakenly) download a patch twice, the install
logic will reject the patch the second time. Unless the patch
is versioned, and the first instance is Version 1 and
the second instance is Version 2, in which case identical KB
numbers can be installed more than once. (This is how KB890830
scanner keeps coming in, twelve times a year.)

The installer logic is supposed to be "bulletproof to stupid stuff".
So no matter how bad it looks (like when your system "loses"
all the history of updates), in fact at the individual update
level, they still know what's going on, and won't allow
bad things to happen. I've not seen a case yet, where
the last line of defense seemingly failed.

The logic that figures out you need an update, is terrible
(it has unbounded behavior). It should have been re-written
from scratch years ago. The package installer on the other hand,
is pretty good.

Paul
  #8  
Old May 19th 19, 03:26 AM posted to alt.windows7.general,microsoft.public.windowsxp.general
Mayayana

"Paul" wrote

| The catalog link would give a download of a standalone KB install
| you could have run by double clicking.
|
| "remote code execution vulnerability in Remote Desktop Services"
|

Also worth noting: The services for this do not have
to be enabled. Anyone who doesn't use remote desktop
should disable the service. The same goes for remote
access in general. Patches are great if you use the service,
but it's like allowing ActiveX in IE: The whole design is very
useful while at the same time it cannot be made safe.


  #9  
Old May 19th 19, 05:42 PM posted to microsoft.public.windowsxp.general
No_Name

On Sat, 18 May 2019 22:26:44 -0400, "Mayayana"
wrote:

"Paul" wrote

| The catalog link would give a download of a standalone KB install
| you could have run by double clicking.
|
| "remote code execution vulnerability in Remote Desktop Services"
|

Also worth noting: The services for this do not have
to be enabled. Anyone who doesn't use remote desktop
should disable the service. The same goes for remote
access in general. Patches are great if you use the service,
but it's like allowing ActiveX in IE: The whole design is very
useful while at the same time it cannot be made safe.


That is why I asked if there was a file or two that could be deleted
or renamed that would make remote console support go away forever
  #11  
Old May 20th 19, 02:54 PM posted to microsoft.public.windowsxp.general
J. P. Gilliver (John)[_4_]

In message , Mr Pounder Esquire
writes:
wrote:

[]
That is why I asked if there was a file or two that could be deleted
or renamed that would make remote console support go away forever


It was disabled in Control Panel, System - Remote here.
I think you can also disable in msconfig - Services.
Google first to see if it is safe to do so.


If someone has done the above, is there still any advantage to applying
the patch?
--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

Who is Art, and why does life imitate him?
  #12  
Old May 20th 19, 03:55 PM posted to alt.windows7.general,microsoft.public.windowsxp.general
J. P. Gilliver (John)[_4_]

In message , pjp
writes:
In article , says...


https://www.wsj.com/articles/microso...r-computer-bug-in-a-week-of-them-11557900716


When I load the above page, my CPU usage takes off, whether in my old
Firefox or Chrome; the old Firefox locks up.



https://www.theverge.com/2019/5/14/1...ndows-xp-remote-desktop-services-worm-security-patches


_That_ one says it's in 7 as well.



https://blogs.technet.microsoft.com/...ent-a-worm-by-updating-remote-desktop-services-cve-2019-0708


They don't half like to make you go round the houses to actually find
details of where to get the patch, don't they! That last one _implies_ -
though doesn't explicitly _state_, AFAICS - that for 7SP1 it's
_included_ in 4499164 "Monthly Rollup" and 4499175 "Security Only"
(superseding 4493472). (With other systems, such as Server 2008, having
their own.) [8 and 10 are claimed to be immune.]

You can search by KB number at
http://www.catalog.update.microsoft.com/Home.aspx; the results show
links which, on the left, tell you what's needed, what it supersedes,
_whether it has been superseded_, and other information, and on the
right link to the actual downloads. For 7-32 these might be
http://download.windowsupdate.com/d/... 97881d801.exe
and
http://download.windowsupdate.com/d/...89ab10bf41b.msu
; I'm not sure why there are two, but as the first one includes
"clearstalecache" in its name, I presume it does that. It's only 30K,
and seems to flash up a command window briefly. (I tried calling it from
a command window, and it just comes back to the prompt - no error
message, but no other message either.) The .msu file took about 5
minutes to run here, not counting the restart which it called for and I
haven't done yet.

I read some article about that which included the link to MS for the
patch. At the same time I let it connect to Windows Update. It only had
little over 200 updates for an XP laptop I seldom use. GEEZ!!!!


Had you not used it (or at least let it connect to WU) since before end
of support? (Had you implemented the POS hack?)

As (I think is becoming) usual, the patch installer
(TrustedInstaller.exe - an ironic name if I ever saw one!) is using
about 24-25% of my 4-core CPU, even _after_ it's got to the point where
it says it's completed, tells me it needs a restart, and I've told it
"not now". I don't know what it's doing. Ah - it has settled down, after
_another_ 7½ minutes or so. (Still shows as a running Image Name, but 00
CPU.)
--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

Who is Art, and why does life imitate him?
  #13  
Old June 6th 19, 03:38 AM posted to microsoft.public.windowsxp.general
No_Name

On Thu, 6 Jun 2019 03:57:03 +0100, "J. P. Gilliver (John)"
wrote:

In message , DK
writes:
In article ,
wrote:
On Thu, 16 May 2019 23:58:15 +0000, Klaus wrote:

https://www.wsj.com/articles/microso...er-computer-bug-in-a-week-of-them-11557900716

https://www.theverge.com/2019/5/14/1...indows-xp-remote-desktop-services-worm-security-patches

https://blogs.technet.microsoft.com/...vent-a-worm-by-updating-remote-desktop-services-cve-2019-0708

If I knew I was never going to run remote console support, which files
can I delete to be sure it can't ever run? I already have it disabled
but I assume a real hacker could get by that.


No need to delete the files. Just stop the service and set it to start
as "Manual".

DK

A hacker worth his salt would turn it back to Automatic. Which would be
more difficult if it wasn't there.


I agree and since a lot of them are just script kiddies who are using
canned hacking tools, anything you can do to make the expected
exploits disappear will make the job harder.
  #14  
Old June 6th 19, 03:57 AM posted to microsoft.public.windowsxp.general
J. P. Gilliver (John)[_4_]

In message , DK
writes:
In article ,
wrote:
On Thu, 16 May 2019 23:58:15 +0000, Klaus wrote:

https://www.wsj.com/articles/microso...er-computer-bug-in-a-week-of-them-11557900716

https://www.theverge.com/2019/5/14/1...indows-xp-remote-desktop-services-worm-security-patches

https://blogs.technet.microsoft.com/...vent-a-worm-by-updating-remote-desktop-services-cve-2019-0708

If I knew I was never going to run remote console support, which files
can I delete to be sure it can't ever run? I already have it disabled
but I assume a real hacker could get by that.


No need to delete the files. Just stop the service and set it to start
as "Manual".

DK

A hacker worth his salt would turn it back to Automatic. Which would be
more difficult if it wasn't there.
--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

.... although we regard it as undesirable for children to drive cars, own
credit cards or enter public houses, we don't prevent grown-ups from choosing
to do so. (Quoted by Paul Bray in Computing, 3 October 1996.)
 



