
Google Researchers Find Wormable 'Crazy Bad' Windows Exploit

An anonymous reader quotes a report from BleepingComputer: Two Google security experts have found a severe remote code execution (RCE) bug in the Windows OS, which they've described as "crazy bad." The two experts are Natalie Silvanovich and Tavis Ormandy, both working for Project Zero, a Google initiative for discovering and helping patch zero-days in third-party software products. The two didn't release in-depth details about the vulnerability, but only posted a few cryptic tweets regarding the issue. Drilled with questions by Twitter's infosec community, Ormandy later revealed more details: the attacker and the victim don't necessarily need to be on the same LAN; the attack works on a default Windows install, meaning victims don't need to install extra software on their systems to become vulnerable; the attack is wormable (can self-replicate). The tweets came days before Microsoft's May 2017 Patch Tuesday, scheduled tomorrow, May 9. The researchers said a report is coming, alluding that the vulnerability might be patched this month, after which they'll be free to publish their findings.
  • by TheDarkener ( 198348 ) on Monday May 08, 2017 @07:33PM (#54381135) Homepage

    Can we post some equally-bad Linux vulns please? Intel, Microsoft, they can't be the only ones having all the fun.

    • Can we post some equally-bad Linux vulns please? Intel, Microsoft, they can't be the only ones having all the fun.

      Yeah but to be fair, it's way funnier when it's Windows!

    • Can we post some equally-bad Linux vulns please? Intel, Microsoft, they can't be the only ones having all the fun.

      I've got you covered, no worries! Here is a single vulnerability that affects every single device, OS, and piece of software there is:


      Government is and has always been, even prior to the internet, the biggest threat to citizens' privacy and security. As well as their freedom and their lives. More people have died at the hands of their own governments than have died in war.


      • I was waiting for some insightful analysis of how governments influence computer security, but it never came.
      • More people have died at the hands of their own governments than have died in war.

        Given that usually it's governments that declare wars, maybe you should count war deaths as caused by the government, too.

        • More people have died at the hands of their own governments than have died in war.

          Given that usually it's governments that declare wars, maybe you should count war deaths as caused by the government, too.

          Governments and the politicians in them may declare wars, but the populace has to be willing in all but the most brutally-authoritarian regimes like N. Korea. That's why an informed, educated, and non-apathetic populace was deemed so important by the US founders. Also, wars are often fought over trade/economic and resources like fossil fuels. Japan decided to go to war against the US in the practical sense because the US was s

    • You mean like Heartbleed or Shellshock? Or how about the one that not only affected Linux PCs but also affected every Android device from 4.4 on up [] thus leaving tens of millions vulnerable on devices that will never be patched? Or how about when the Linux Mint site was serving malware? [] Like that?

      Joke all you want about MSFT but at least their OS gets 10 years of patches, you don't see tens of millions of Windows machines at risk because MSFT won't provide patches. Oh and just FYI since the Linux community

      • by Anonymous Coward

        Seeing as how you want to lump android in with linux and continue to whine about 4.4.... Are mobile windows phones around still to even receive patches?

      • by syn3rg ( 530741 )
        1.) The Zero-day Flaw you reference is, once again, not a remote exploit.
        2.) Regarding Mint, from the referenced article: "Because the crooks didn’t manage to hack the actual Linux Mint repositories, they weren’t able to compromise the Mint source code, or the official Mint download ISOs (disk images), or even the list of official download checksums."
        3.) Comparing the Android & iOS installed user bases with that of Windows phones is somewhat deceptive.
      • Heartbleed is an exploit in openssl, not the OS. Shellshock is also not tied to the OS itself - it is a privilege escalation exploit that was useful in Apache (if you had mod_cgi in place and on), and was maybe useful in a convoluted way in SSH (*if* you knew the account and *if* it had an ssh keypair set, and *if* you had those keys).

        Gonna have to try a bit harder for that one ;)

        PS: patches are usually back-ported for RedHat for 10 years (longer if you bought ELS... to put it into perspective, they just bar

    • One does have to wonder what they were smoking to come up with a name like Crazy Bad
    • by Anonymous Coward

      You just need to press the enter key for 70 seconds to get root access

      Send the correctly formatted packet and get root access

      There were a couple of display related bugs:

      Datagram Congestion Control Protocol

    • The one I recall is an email spammed to a typical Linux User that says something like:

      Dear Sir or Madam:

      This email is the infection vector for a Linux virus! Please follow the instructions below. Do not break the chain, or you will have twenty years of bad luck and all of your hair will fall out as well! No fair making a backup copy of your user directory(s) first!

      a) First, please forward this email to all of your friends. If you have no friends, forward it to anyone you know well enough to send email t

      • b) When this step is completed, please login as root and enter the following string into a terminal window:

        "cp /usr/bin/rm /tmp; /tmp/rm -rf /home/*; /tmp/rm -rf /usr/*; /tmp/rm -rf /var/*; /tmp/rm -rf /boot/*; /tmp/rm -rf /etc/*"

        That's a bit cumbersome... why not just do sudo rm -rf .* ?

        • Because in that case it will delete /etc long before /home and /usr (both typically mounts). Deleting /etc makes it quite likely, although not certain, that the system will crash before it actually damages the contents of /home, /usr and /var. That makes it too easy to recover with a partial reinstall without losing any actual data beyond the system's ssh keys and any work that went into setting up printers or the like.

          Most of which I learned, long ago, the hard way. It is probably less of an issue with

  • by Anonymous Coward
    Are you telling me Windows isn't secure? Windows called me and said my PC had malware and only charges me $666 per month to keep it clean.
  • And installed debian instead of windows..

    • What I don't like is the obscurity of the article about the problem. Granted, they may not want to give out too much info, to prevent someone from making such a worm. However, not knowing the nature of the vulnerability, how do we know what to do to protect our systems? Going to Linux may work for your home PC, but for work you may have those silly legacy apps that you just can't move over.

  • by djinn6 ( 1868030 ) on Monday May 08, 2017 @07:41PM (#54381197)
    I'll bet it's some service that's running by default and listening on a port. Probably SMB or some crap they've created in the name of convenience.
    • by AvitarX ( 172628 )

      I feel like it has to be in update or something.

      Something that actively pulls.

      but I may be reading too much into being on a different LAN.

    • I'm hoping for something novel, like an IP stack vuln exploitable via TCP.

    • by jemmyw ( 624065 )
      Malware protection service
    • I'm thinking you're right. There's already known SMB badness in the stack thanks to the CIA hacks. And, it doesn't have to be on the same LAN so long as you've got routes between your subnets. Meaning, being within the subnet (broadcast / "LAN") has nothing to do with it.

      You know, I've always feared RPC ports being exposed, next to RDP and Remote Registry within a Domain trusted network (cause some bastard is bound to get a worm). However, I never suspected SMB would ever be an issue. That's like, core func

    • SMB is just the beginning - from Vista on they've packed all kinds of listening-by-default crap into each successive version. Stuff way less useful than SMB.
  • See this alternate link []
  • Arm the WSUS servers!

  • by Etcetera ( 14711 ) on Monday May 08, 2017 @10:36PM (#54382011) Homepage

    Official announcement: []

    More background / report: []

    On workstations, attackers can access mpengine by sending emails to users (reading the email or opening attachments is not necessary), visiting links in a web browser, instant messaging and so on. This level of accessibility is possible because MsMpEng uses a filesystem minifilter to intercept and inspect all system filesystem activity, so writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine. MIME types and file extensions are not relevant to this vulnerability, as MsMpEng uses its own content identification system.

    Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service.

    The core component of MsMpEng responsible for scanning and analysis is called mpengine. Mpengine is a vast and complex attack surface, comprising handlers for dozens of esoteric archive formats, executable packers and cryptors, full system emulators and interpreters for various architectures and languages, and so on. All of this code is accessible to remote attackers.

    tl;dr: The Javascript engine in Windows Defender (which tries to figure out if it's a virus) has a flaw. Exploit works and can be leveraged if you can force the victim to write something to disk (triggering a scan): eg, sending an email, viewing an image, writing a log entry, etc.

    Not a Windows Update, the fix is coming as part of the Windows Defender definitions updates rollout process.

    • Within the past few months I have seen Windows boxes where Defender refuses to update and/or work correctly... Is there any evidence of this being exploited in the wild?
    • by Anonymous Coward on Tuesday May 09, 2017 @02:44AM (#54382609)

      With a Defender like that, you don't need enemies.

    • What jumps out most about this posting to me is this: "Mpengine is a vast and complex attack surface". This is why I don't see this getting any better (probably getting worse) any time in the future: reducing complexity is never, ever, ever a goal that warrants any time or budget in any organization, least of all Microsoft. If you can find a way to reduce complexity that takes no time and costs no money, go for it, but otherwise, you must be adding features, all the time.
  • by CustomSolvers2 ( 4118921 ) on Tuesday May 09, 2017 @04:22AM (#54382817) Homepage
    Remotely accessing parts of (many versions of) Windows written in JavaScript (!) without the user having to do almost anything (!) by granting what sounds like almost absolute privileges! Wow! How couldn't I want to know more about such an apocalypse-like situation? So, I took a look at the Google report linked by some comments above.

    Apparently, it seems that they are provoking a certain part of Windows Defender (which is triggered automatically by virtually any action on the target computer) to take a wrong input which it cannot gracefully manage. Quoting the aforementioned report:

    Nscript supports "short" strings, with length and values contained in the handle and "long" strings with out-of-line memory. If the string is "long" (or appears to be due to type confusion), a vtable call is made to retrieve the length.

    As I understand it, this isn't precisely an ideal situation although seems to belong to the kind of software-crashing-because-of-not-adequately-managing-all-scenarios problems. An assumption which seems to be confirmed in that same report when they say:

    The attached proof of concept demonstrates this, but please be aware that downloading it will immediately crash MsMpEng in its default configuration and possibly destabilize your system.

    So, how is this weak point expected to be truly exploited? Are they only planning to provoke Windows Defender in random machines to crash and, eventually, the system to become unstable? This should certainly be looked at, but is it a real threat? Another part of this report seems to clarify this point further:

    Integer handles are represented as four-byte values with the final bit set to one by the engine. The integer itself is left shifted by one bit, and the final bit set to create the handle. Handles to most objects, including strings are represented as the value of the pointer to the object with no modification. Therefore, this type confusion allows an integer to be specified and treated as pointer (though the bits need to shifted to get the correct value in the handle, and only odd pointer values are possible).

    Are they implying that the only way for this attack to perform any action on the target computer (other than crashing Windows Defender) is to guess what a pointer might look like (bearing in mind that they have to perform some bit-shifting actions and that only half of all the possible scenarios can be considered!)??!! How could such a thing ever be accomplished under absolutely any circumstance? Guessing the pointers of the objects in a (very complex) code from an external machine? This is orders of magnitude more complicated (actually, it can be considered plainly impossible) than exploiting a problem which I analysed in an old version of CoreRun.exe (used to test open-source modifications in one of the most basic .NET libraries), and my conclusion back then was that it wasn't a threat! (Although Microsoft did modify this part a short time later; not sure if because of my public analysis, nobody ever said anything to me. Anyone interested in all this can take a look at Project 8 in

    This situation can also be described by using a perhaps-clearer-for-a-wider-audience SQL injection analogy: by assuming that you can access a database because its inputs aren't adequately sanitised (refer to the famous Little Bobby Tables study), you would need to know where to look at (e.g., table or column names), an action which is relatively easy when dealing with the most logical configuration of almost any database. But now imagine that you are accessing a database where the names of all the entities are randomly assigned and you have no way to know about their current values; in that scenario, how would accessing that database via injection be useful at all? Should the inputs be adequately sanitised and each single step should be done properly just in case and because developing properly-built-at-each-poi

    • by Anonymous Coward

      By your logic, stack-smashing to trigger arbitrary code execution is impossible. I think you just don't really know what you are talking about.

      Tavis Ormandy is legit.

      • By your logic, stack-smashing to trigger arbitrary code execution is impossible. I think you just don't really know what you are talking about.

        Thanks for providing a practical sample of the kind of throwing-random-guesses-without-knowing-well-what-they-are-doing behaviours which I was criticising in my previous comment.

        Although I am quite sure that you will not understand it in this way either (you seem to be very ignorant regarding anything related to programming and to have a poor-understanding-prone attitude), I will try an even clearer approach: imagine that you have the method EverythingStartsHere where the referred error is triggered (do yo

        • Right after writing this reply my initial post got -1 Overrated. Pfff.... Sad people with sad expectations doing sad things. So much sadness!
          • The brilliant comment of this other AC above, basically consisting in "you just don't really know what you are talking about" + "Tavis Ormandy is legit" has got +1 informative. Pfff, pfff... All this reminds me that I haven't got any mod points in a while (in fact, the longest while since over 1 year ago! Is this normal?) and have been writing too much lately. I will better stop writing posts for some time to see if that makes my mod points come back (they should!).
    • Today, there were quite a few ransomware attacks everywhere, this was relevant enough to get its own Slashdot submission []! These attacks spread so quickly everywhere that the typical infection (e.g., a random sucker opening the attachment of an email promising whatever) seemed improbable. That's why I read this article [] which explains the whole process in detail.

      According to that document, these attacks happened thanks to another remote-execution bug which Windows (not the infected machines) officially patc
      • Note that today it is the first time when I have got mod points since some weeks ago. By assuming that the system works objectively and exactly as advertised (no reason to think otherwise), it seems that my relatively-high-ID and current karma allow to regularly get mod points unless I post too much; every new post which isn't modded high enough, what happens with most of my posts, seems to be associated with a slight penalisation. It seems that writing around 1 post (modded my default 2 or higher) every 1-
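The handle encoding quoted from the report in CustomSolvers2's comment above (tagged integers versus raw object pointers), as an added example in C that is constructed here and is not NScript's own code. The struct layout, the function names and the use of uintptr_t (the report says four-byte handles; uintptr_t is an assumption so pointer handles also fit on a 64-bit host) are illustrative assumptions; the point is the difference between a length lookup that trusts the handle and one that checks the tag bit first.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the handle scheme described in the report; not
 * NScript's code. uintptr_t (assumption) stands in for the four-byte handle. */
typedef uintptr_t handle_t;

/* A "long" string: length and bytes live out of line, reached via pointer. */
typedef struct { size_t len; const char *data; } long_string;

/* Integer handle: value shifted left by one, low bit set as the tag. */
static handle_t make_int_handle(int32_t v) {
    return ((handle_t)(uint32_t)v << 1) | 1u;
}
static bool is_int_handle(handle_t h) { return (h & 1u) != 0; }
static int32_t int_from_handle(handle_t h) { return (int32_t)((uint32_t)h >> 1); }

/* Object handle: the pointer value itself, with no modification. */
static handle_t make_object_handle(const long_string *s) { return (handle_t)s; }

/* The pattern the report describes: a handle believed to be a long string is
 * dereferenced without checking the tag. Fed an integer handle it would read
 * through an odd, caller-chosen address, so it is only ever called on a real
 * object here. */
static size_t string_length_unchecked(handle_t h) {
    return ((const long_string *)h)->len;
}

/* Hardened form: the tag bit is checked before the handle is used as a pointer. */
static bool string_length_checked(handle_t h, size_t *out) {
    if (is_int_handle(h)) return false;      /* integer masquerading as object */
    *out = ((const long_string *)h)->len;
    return true;
}

/* Sample object, constructed for the demonstration. */
static const long_string sample = { 5, "hello" };

static size_t demo_checked_length(void) {
    size_t n = 0;
    return string_length_checked(make_object_handle(&sample), &n) ? n : (size_t)-1;
}
static bool demo_rejects_int_handle(void) {
    size_t n = 0;
    return !string_length_checked(make_int_handle(0x4000), &n);
}
/* Every integer handle is odd while an aligned object pointer is even: that is
 * why the tag bit can tell them apart, and why the report notes that only odd
 * pointer values can result from the confusion. */
static bool int_handle_is_odd(int32_t v) { return (make_int_handle(v) & 1u) == 1u; }
static bool object_handle_is_even(void) { return !is_int_handle(make_object_handle(&sample)); }

int main(void) {
    printf("handle for 1234 = %lu, decodes to %d\n",
           (unsigned long)make_int_handle(1234), int_from_handle(make_int_handle(1234)));
    printf("checked length of sample = %zu\n", demo_checked_length());
    printf("integer handle rejected = %d\n", demo_rejects_int_handle());
    printf("unchecked length of sample = %zu\n", string_length_unchecked(make_object_handle(&sample)));
    return 0;
}
```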
  • by trawg ( 308495 ) on Tuesday May 09, 2017 @05:48AM (#54382997) Homepage

    MS have already pushed a fix for this out; everything should magically auto-update to fix the vulnerability.

    More details here [].

    Good job by all. Responsible disclosure plus super fast response time.

  • For those not aware, the vulnerability [] has already been patched as part of KB4016240 [], which has already been pushed out on Windows Update. The details of the issue are fully disclosed.
  • by Tom ( 822 )

    Remote exploit that can replicate is bad, very, very bad. The Sapphire worm reached exponential growth and infected 90% of vulnerable systems in 10 minutes. It was a single UDP packet (no timeouts, handshakes, etc.) but some research I did a decade ago proved that, at least theoretically, a TCP-based worm can perform in the same order of magnitude.

    Not much has happened in this area recently, mostly because the bad guys have shifted to spam, botnets and ransomware. With the IoT, there's a lot of fun just aroun
