Google Researchers Find Wormable 'Crazy Bad' Windows Exploit (bleepingcomputer.com)

An anonymous reader quotes a report from BleepingComputer: Two Google security experts have found a severe remote code execution (RCE) bug in the Windows OS, which they've described as "crazy bad." The two experts are Natalie Silvanovich and Tavis Ormandy, both working for Project Zero, a Google initiative for discovering and helping patch zero-days in third-party software products. The two didn't release in-depth details about the vulnerability, but only posted a few cryptic tweets regarding the issue. Drilled with questions by Twitter's infosec community, Ormandy later revealed more details: the attacker and the victim don't necessarily need to be on the same LAN; the attack works on a default Windows install, meaning victims don't need to install extra software on their systems to become vulnerable; the attack is wormable (can self-replicate). The tweets came days before Microsoft's May 2017 Patch Tuesday, scheduled for tomorrow, May 9. The researchers said a report is coming, alluding that the vulnerability might be patched this month, and that they'll then be free to publish their findings.
  • by TheDarkener ( 198348 ) on Monday May 08, 2017 @06:33PM (#54381135)

    Can we post some equally-bad Linux vulns please? Intel, Microsoft, they can't be the only ones having all the fun.

    • Can we post some equally-bad Linux vulns please? Intel, Microsoft, they can't be the only ones having all the fun.

      Yeah but to be fair, it's way funnier when it's Windows!

    • Can we post some equally-bad Linux vulns please? Intel, Microsoft, they can't be the only ones having all the fun.

      I've got you covered, no worries! Here is a single vulnerability that affects every single device, OS, and piece of software there is;

      "Government."

      Government is and has always been, even prior to the internet, the biggest threat to citizens' privacy and security. As well as their freedom and their lives. More people have died at the hands of their own governments than have died in war.

      Strat

      • I was waiting for some insightful analysis of how governments influence computer security, but it never came.
      • More people have died at the hands of their own governments than have died in war.

        Given that usually it's governments that declare wars, maybe you should count war deaths as caused by the government, too.

        • More people have died at the hands of their own governments than have died in war.

          Given that usually it's governments that declare wars, maybe you should count war deaths as caused by the government, too.

          Governments and the politicians in them may declare wars, but the populace has to be willing in all but the most brutally-authoritarian regimes like N. Korea. That's why an informed, educated, and non-apathetic populace was deemed so important by the US founders. Also, wars are often fought over trade/economic and resources like fossil fuels. Japan decided to go to war against the US in the practical sense because the US was s

    • Comment removed based on user account deletion
      • by Anonymous Coward

        Seeing as how you want to lump android in with linux and continue to whine about 4.4.... Are mobile windows phones around still to even receive patches?

      • by syn3rg ( 530741 )
        1.) The Zero-day Flaw you reference is, once again, not a remote exploit.
        2.) Regarding Mint, from the referenced article: "Because the crooks didn’t manage to hack the actual Linux Mint repositories, they weren’t able to compromise the Mint source code, or the official Mint download ISOs (disk images), or even the list of official download checksums."
        3.) Comparing the Android & iOS installed user bases with that of Windows phones is somewhat deceptive.
      • Heartbleed is an exploit in openssl, not the OS. Shellshock is also not tied to the OS itself - it is a privilege escalation exploit that was useful in Apache (if you had mod_cgi in place and on), and was maybe useful in a convoluted way in SSH (*if* you knew the account and *if* it had an ssh keypair set, and *if* you had those keys).

        Gonna have to try a bit harder for that one ;)

        PS: patches are usually back-ported for RedHat for 10 years (longer if you bought ELS... to put it into perspective, they just bar

    • One does have to wonder what they were smoking to come up with a name like Crazy Bad
    • by Anonymous Coward

      You just need to press the enter key for 70 seconds to get root access
      http://thehackernews.com/2016/11/hacking-linux-system.html

      Send the correctly formatted packet and get root access
      https://nvd.nist.gov/vuln/detail/CVE-2010-3904

      There were a couple of display related bugs:
      https://bugs.launchpad.net/ubuntu/+source/nvidia-graphics-drivers-updates/+bug/1032344

      Datagram Congestion Control Protocol
      https://www.theregister.co.uk/2017/02/23/linux_kernel_gets_patch_against_12yearold_bug/

    • The one I recall is an email spammed to a typical Linux User that says something like:

      Dear Sir or Madam:

      This email is the infection vector for a Linux virus! Please follow the instructions below. Do not break the chain, or you will have twenty years of bad luck and all of your hair will fall out as well! No fair making a backup copy of your user directory(s) first!

      a) First, please forward this email to all of your friends. If you have no friends, forward it to anyone you know well enough to send email t

      • b) When this step is completed, please login as root and enter the following string into a terminal window:

        "cp /usr/bin/rm /tmp; /tmp/rm -rf /home/*; /tmp/rm -rf /usr/*; /tmp/rm -rf /var/*; /tmp/rm -rf /boot/*; /tmp/rm -rf /etc/*"

        That's a bit cumbersome... why not just do sudo rm -rf .* ?

        • Because in that case it will delete /etc long before /home and /usr (both typically mounts). Deleting /etc makes it quite likely, although not certain, that the system will crash before it actually damages the contents of /home, /usr and /var. That makes it too easy to recover with a partial reinstall without losing any actual data beyond the system's ssh keys and any work that went in to setting up printers or the like.

          Most of which I learned, long ago, the hard way. It is probably less of an issue with

  • by Anonymous Coward
    Are you telling me Windows isn't secure? Windows called me and said my PC had malware and only charges me $666 per month to keep it clean.
  • And installed debian instead of windows..

    • What I don't like is the obscurity of the article about the problem. Granted, they may not want to give out too much info, to prevent someone from making such a worm. However, not knowing the nature of the vulnerability, how do we know what to do to protect our systems? Going to Linux may work for your home PC, but for work you may have those silly legacy apps that you just can't move over.

  • by djinn6 ( 1868030 ) on Monday May 08, 2017 @06:41PM (#54381197)
    I'll bet it's some service that's running by default and listening on a port. Probably SMB or some crap they've created in the name of convenience.
  • See this alternate link http://securityaffairs.co/word... [securityaffairs.co]
  • Comment removed based on user account deletion
  • by Etcetera ( 14711 ) on Monday May 08, 2017 @09:36PM (#54382011)

    Official announcement: https://technet.microsoft.com/en-us/library/security/4022344 [microsoft.com]

    More background / report: https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5 [chromium.org]

    On workstations, attackers can access mpengine by sending emails to users (reading the email or opening attachments is not necessary), visiting links in a web browser, instant messaging and so on. This level of accessibility is possible because MsMpEng uses a filesystem minifilter to intercept and inspect all system filesystem activity, so writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine. MIME types and file extensions are not relevant to this vulnerability, as MsMpEng uses its own content identification system.


    Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service.


    The core component of MsMpEng responsible for scanning and analysis is called mpengine. Mpengine is a vast and complex attack surface, comprising handlers for dozens of esoteric archive formats, executable packers and cryptors, full system emulators and interpreters for various architectures and languages, and so on. All of this code is accessible to remote attackers.

    tl;dr: The Javascript engine in Windows Defender (which tries to figure out if it's a virus) has a flaw. Exploit works and can be leveraged if you can force the victim to write something to disk (triggering a scan): eg, sending an email, viewing an image, writing a log entry, etc.

    Not a Windows Update: the fix is coming as part of the Windows Defender definitions update rollout process.

    • Within the past few months I have seen Windows boxes where Defender refuses to update and/or work correctly... Is there any evidence of this being exploited in the wild?
    • by Anonymous Coward on Tuesday May 09, 2017 @01:44AM (#54382609)

      With a Defender like that, you don't need enemies.

    • What jumps out most about this posting to me is this: "Mpengine is a vast and complex attack surface". This is why I don't see this getting any better (probably getting worse) any time in the future: reducing complexity is never, ever, ever a goal that warrants any time or budget in any organization, least of all Microsoft. If you can find a way to reduce complexity that takes no time and costs no money, go for it, but otherwise, you must be adding features, all the time.
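The Project Zero excerpt quoted above says a write to disk is all it takes to reach mpengine, and that the file extension does not matter. The script below is an added example, not code from the report or from any commenter: it drops the standard EICAR test string (a harmless string that every AV engine is expected to flag) into a file with a .txt extension and then asks Defender what it saw. The temp-file location, the wait time and the "file:_" resource prefix are assumptions about a stock Windows 10 Defender install.

```powershell
# Added example, not from the Project Zero report or any comment above.
# Writes the EICAR test string (harmless by design) to a .txt file and asks
# Defender whether the write was scanned. With real-time protection on, the
# minifilter hands the write to mpengine regardless of extension; Defender
# then either refuses the write or lets it finish and quarantines the file.
function Test-DefenderScansOnWrite {
    param(
        [string]$Path = (Join-Path $env:TEMP 'minifilter-probe.txt'),  # assumed location
        [int]$WaitSeconds = 10                                          # assumed settle time
    )
    # EICAR string assembled from two halves so that this script file itself
    # does not contain the contiguous signature while sitting on disk.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-' + 'ANTIVIRUS-TEST-FILE!$H+H*'
    $writeError = $null
    try {
        [System.IO.File]::WriteAllText($Path, $eicar)
    } catch {
        $writeError = $_.Exception.Message   # typically "file contains a virus"
    }
    Start-Sleep -Seconds $WaitSeconds
    # Detection records name the scanned object as "file:_<full path>"
    $hits = @(Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object { $_.Resources -contains "file:_$Path" })
    $names = foreach ($h in $hits) {
        (Get-MpThreat -ThreatID $h.ThreatID -ErrorAction SilentlyContinue).ThreatName
    }
    [pscustomobject]@{
        Path            = $Path
        WriteBlocked    = [bool]$writeError
        FileStillExists = Test-Path $Path
        DetectionNames  = @($names | Sort-Object -Unique)
        # Any of the three outcomes means the write went through the engine
        ScannedOnWrite  = [bool]$writeError -or -not (Test-Path $Path) -or ($hits.Count -gt 0)
    }
}
Test-DefenderScansOnWrite | Format-List
```

Run it elevated on a machine where a test detection will not page anyone; the detection name reported should be the EICAR test-file signature, and it is reported for a .txt file, which is the point: the engine classifies by content, not by extension or MIME type.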
  • Comment removed (Score:4, Informative)

    by account_deleted ( 4530225 ) on Tuesday May 09, 2017 @03:22AM (#54382817)
    Comment removed based on user account deletion
  • by trawg ( 308495 ) on Tuesday May 09, 2017 @04:48AM (#54382997)

    MS have already pushed a fix for this out; everything should magically auto-update to fix the vulnerability.

    More details here [microsoft.com].

    Good job by all. Responsible disclosure plus super fast response time.

  • For those not aware, the vulnerability [chromium.org] has already been patched as part of KB4016240 [microsoft.com], which has already been pushed out on Windows Update. The details of the issue are fully disclosed.
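Since the fix ships through the engine/definitions channel rather than as an OS package, the practical check is the Malware Protection Engine version, not a KB number. The function below is an added example, not code from Microsoft or from the commenters: it reads the engine version through the Defender module, falls back to the registry value the definitions updater writes, and compares against a minimum you pass in. The threshold is not on this page; Microsoft's advisory 4022344 (linked above) gives 1.1.13704.0 as the first fixed engine version, so take the number from the advisory rather than from this example. The second registry path (for Microsoft Security Essentials) is an assumption.

```powershell
# Added example, not from the article or the comments. Reports whether the
# Malware Protection Engine on this machine is at or past a minimum version.
# Pass the first fixed version from advisory 4022344 (1.1.13704.0 at the time
# of writing; verify against the advisory).
function Test-MpEngineVersion {
    param(
        [Parameter(Mandatory)][version]$MinimumEngineVersion
    )
    $engine = $null
    $source = $null
    # Preferred: the Defender module (Windows 8.1 / Server 2012 R2 and later)
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
        if ($status -and $status.AMEngineVersion) {
            $engine = [version]$status.AMEngineVersion
            $source = 'Get-MpComputerStatus'
        }
    }
    # Fallback: the value the definitions updater writes to the registry.
    # Second path is assumed to cover Microsoft Security Essentials installs.
    if (-not $engine) {
        foreach ($key in @(
            'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates',
            'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates')) {
            $raw = (Get-ItemProperty -Path $key -Name EngineVersion -ErrorAction SilentlyContinue).EngineVersion
            if ($raw) { $engine = [version]$raw; $source = $key; break }
        }
    }
    [pscustomobject]@{
        EngineVersion  = $engine
        Source         = $source
        MinimumVersion = $MinimumEngineVersion
        # $null engine means no Defender/MSE engine was found, which is not "patched"
        Patched        = ($null -ne $engine) -and ($engine -ge $MinimumEngineVersion)
    }
}
Test-MpEngineVersion -MinimumEngineVersion '1.1.13704.0' | Format-List
```

If Patched comes back false on a box that has been online, run Update-MpSignature and check again; the comment above about machines where Defender "refuses to update" is exactly the case this catches, because such a machine stays on the old engine no matter what Windows Update reports.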
  • by Tom ( 822 )

    Remote exploit that can replicate is bad, very, very bad. The Sapphire worm reached exponential growth and infected 90% of vulnerable systems in 10 minutes. It was a single UDP packet (no timeouts, handshakes, etc.), but some research I did a decade ago proved that, at least theoretically, a TCP-based worm can perform in the same order of magnitude.

    Not much has happened in this area recently, mostly because the bad guys have shifted to spam, botnets and ransomware. With the IoT, there's a lot of fun just aroun
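The growth curve the comment above refers to is the standard random-scanning (random-constant-spread) worm model. The script below is an added example, not code from the commenter or from any published Sapphire analysis: every infected host fires r random IPv4 probes per second, and a probe infects a still-clean vulnerable host with probability (N - I)/2^32, which gives dI/dt = r*I*(N - I)/2^32 and an early doubling time of ln2/(r*N/2^32). The default parameters (75,000 vulnerable hosts, 4,000 scans per second per host) are illustrative assumptions, not measurements.

```powershell
# Added example, not from the comment above or any published worm analysis.
# Random-constant-spread model of a single-packet scanning worm. Parameters
# are illustrative assumptions, not measurements of any real outbreak.
function Get-ScanningWormGrowth {
    param(
        [double]$VulnerableHosts = 75000,   # N, assumed
        [double]$ScansPerSecond  = 4000,    # r per infected host, assumed
        [double]$TargetFraction  = 0.9,
        [int]$MaxSeconds         = 3600
    )
    $addressSpace = [math]::Pow(2, 32)
    # Early growth rate K = r*N/2^32 per second, so doubling time is ln2/K
    $k = $ScansPerSecond * $VulnerableHosts / $addressSpace
    $infected = 1.0          # patient zero
    $secondsToTarget = $null
    $timeline = New-Object System.Collections.Generic.List[object]
    for ($t = 0; $t -le $MaxSeconds; $t++) {
        $fraction = $infected / $VulnerableHosts
        if ($t % 30 -eq 0) {
            $timeline.Add([pscustomobject]@{
                Second   = $t
                Infected = [int][math]::Round($infected)
                Fraction = [math]::Round($fraction, 4)
            })
        }
        if ($fraction -ge $TargetFraction) { $secondsToTarget = $t; break }
        # One-second Euler step of dI/dt = r * I * (N - I) / 2^32:
        # each infected host's r probes hit a clean vulnerable host with
        # probability (N - I)/2^32
        $infected += $ScansPerSecond * $infected * ($VulnerableHosts - $infected) / $addressSpace
    }
    [pscustomobject]@{
        GrowthRatePerSecond = [math]::Round($k, 4)
        DoublingTimeSeconds = [math]::Round([math]::Log(2) / $k, 1)
        SecondsToTarget     = $secondsToTarget   # $null if not reached within MaxSeconds
        Timeline            = $timeline
    }
}
$model = Get-ScanningWormGrowth
"Early doubling time: {0} s; {1:P0} of hosts infected after {2} s" -f `
    $model.DoublingTimeSeconds, 0.9, $model.SecondsToTarget
$model.Timeline | Format-Table -AutoSize
```

With the defaults the model saturates in a few minutes, faster than the ten minutes the comment quotes; the model ignores the fact that scan traffic itself saturates links once a few thousand hosts are infected, which is what slows a real single-packet worm down. The lesson for the Defender bug is the same either way: a wormable RCE reachable on every default install is a matter of minutes, not of patch cycles, so engine version on every host matters more than the Patch Tuesday date.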
