Google Researchers Find Wormable "Crazy Bad" Windows Exploit

Discussion in 'other security issues & news' started by itman, May 8, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    https://www.bleepingcomputer.com/ne...hers-find-wormable-crazy-bad-windows-exploit/
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Let's hope MS fixes this before they release more info (patch Tuesday coming tomorrow).
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Microsoft's response: o_O:rolleyes::argh:
    http://www.securityweek.com/google-researchers-find-worst-windows-rce-flaw
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
  6. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
  7. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235
    CVE-2017-0290??
     
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Good news for users of MS' antimalware software. :thumb:
     
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
I can't say with 100% certainty, but I do know that several prominent Microsoft security dev team members had mentioned that, despite the severity of this bug, on the latest Windows 10 releases (assuming Anniversary Update and Creators Update) the bug would have been mitigated with Control Flow Guard (CFG). Anniversary Update had received some significant improvements to CFG over the initial implementation. Therefore no matter the vuln, Windows 10 users on the latest major platforms (AU/CU) are always going to be more secure in comparison to Windows 7/8.1 through to Windows 10 initial release, at least from a vulnerability perspective.

But this bug was still pretty bad considering viewing a web site or an unopened email could trigger this. There were warnings within the Project Zero bug report that even simply viewing the PoC in the bug report would crash Defender and potentially the whole system. I did not end up reading too many details other than what several trusted developers from Google and MS were discussing, but this was quite low-level. It's a good thing that they were able to push out an update this quickly for the Defender engine as opposed to waiting for a regular patch day. My first guess was that they wouldn't make a patch until the June patch release at least. So they surprised many people with this quick response. Good, safe vulnerability disclosure along with a fast and efficient patch.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    According to this: https://technet.microsoft.com/en-us/library/security/4022344.aspx , it only affected MS security software.

    More info below. And yes, it is CVE-2017-0290.
    https://www.bleepingcomputer.com/ne...f-band-update-to-fix-crazy-bad-vulnerability/
     
    Last edited: May 9, 2017
  12. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,041
    Location:
    Nebraska, USA
    I agree - especially since, apparently, the researchers who discovered the vulnerability recklessly (IMO), in an irresponsible selfish attempt to get attention :thumbd: decided to announce their findings publicly over the weekend without giving the security community or Microsoft a chance to address it first. Yet, in just 2 days, Microsoft developed the fix and was able to roll it into the normal Windows Defender/Windows Update engine. Very impressive.

    Even one of Microsoft's biggest bashers was impressed with how fast Microsoft fixed this, as noted by Woody at InfoWorld.

Frankly, besides the reckless publication of this vulnerability, I think this "crazy bad" description was mostly hype to grab more attention. Yes, it is bad, but in order to exploit this vulnerability, the Malware Protection Engine would have to scan a "specially crafted file" that somehow was downloaded and already saved on the local computer. So while the Malware Protection Engine in question is installed during Windows installation, that "specially crafted file" is not. So there are a lot of "ifs" and other conditions that must come into play before this "crazy bad" vulnerability could be exploited by a bad guy.

    I am not defending Microsoft because the vulnerability should not have been there in the first place. But there are 30+ million lines of code in Windows and contrary to the expectations of Microsoft bashers and many in the IT press who blindly follow and repeat each other, the developers at Microsoft are not infallible. But they sure look good today! :)
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    In regards to the vulnerability:
    https://arstechnica.com/information...indows-defender-nscript-remote-vulnerability/
     
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    MS bashers, Google bashers... all the same :)
     
  15. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,041
    Location:
    Nebraska, USA
    Except Microsoft routinely gets bashed for things not under their control. This is often over security issues going way back to XP when MS tried to put AV code in XP, but the anti-virus program makers whined and cried "monopoly" to Congress and the EU claiming that it was their job to rid the world of malware.

    But who got blamed for the security mess we are in? Norton, McAfee, TrendMicro, AVG and the others for their failure to rid the world of malware? Nope! Did the users get blamed for failing to keep their computers updated? Nope! Did the bad guys get blamed? Nope!!! Microsoft got blamed - relentlessly for years and years.

    So it is good to see MS get some credit this time.
     
  16. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Yes I agree. I give kudos to both - researchers for responsible disclosure and to MS for quick fix.
     
  17. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,041
    Location:
    Nebraska, USA
Responsible? It was irresponsible! Responsible disclosure would be to discreetly report the findings to the responsible organization so they can fix it BEFORE the bad guys learn about it. It is irresponsible to report the finding to the public first.

    If your neighbor discovered you forgot to close a window before you left on vacation, would it be responsible if they posted a sign in your front yard saying, "Owners are gone, back window is unlocked"? Or would the responsible thing be for your neighbors to contact you first so you can make arrangements to have your home secured before a burglar discovers the open window?
     
  18. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    The way I understand it is that they disclosed it to Microsoft giving them 90 days to fix it. Failing that, they would then fully disclose the vulnerability to the public.

    Whether this is the correct way to disclose vulnerabilities I don't know but it seems to be the method in which 'responsible' security experts work. I think this is how Tavis Ormandy has been doing it in recent months with his findings of flaws in various products.
     
  19. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    No, Bill it was responsible disclosure. Bug was reported to MS, which released a patch. After release, bug was released to public. (that's why I mentioned Google bashing in post #14 - don't bash their researchers, they are making great effort to secure other companies products)
     
  20. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,041
    Location:
    Nebraska, USA
    Yes, that is how it should work.

If the researcher who discovered the flaw reported it discreetly to Microsoft first, and waited for Microsoft to release the patch before announcing it, then that is definitely good! But is that good enough?

But patches don't get distributed and installed across the globe in minutes or even hours. Patches are distributed in waves to prevent overloading servers and the entire Internet. And from what I saw, this update requires a reboot. Users can delay reboots until the middle of the night, or even for up to a week.
     
    Last edited: May 9, 2017
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Here's something else that is interesting.

    I just checked my WD scan engine ver. and it is 1.1.12805.0. Any ver. less than 1.1.13704.0 is vulnerable. I just got done with this month's Win 10 updates and no update to WD.

    I use a third party AV and as such WD is disabled. So the question is if the patch to WD will be delivered if WD is disabled? In any case, best people check to see if the patch has indeed been applied to their OS ver..

    -EDIT- OK. I received the WD patch as part of the Win 10 1607 April cumulative update. Appears MS is splitting up the downloads since I did not receive this update in my first download attempt.

    In any case, it appears that MS is delivering the WD patch via the Win update channel; at least for Home versions. So anyone who hasn't updated yet is vulnerable. And I am sure this vulnerability is now being actively exploited since its details have been made public.
     
    Last edited: May 9, 2017
  22. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
I am on Windows 10 Version 1703 and I have looked at the Defender UI and it doesn't seem to list the engine version anymore. It only lists the threat definition version, which is currently 1.243.69.0.
    I am running Sophos Home as my AV and have enabled periodic scanning for Windows Defender so I can check which version it is and also try to update it.

Windows Update has installed a May 9th patch but in the release notes I do not see any mention of fixes for Windows Defender: https://support.microsoft.com/en-gb/help/4016871/windows-10-update-kb4016871
     
  23. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    If you go to Settings / Update & Security and click on Windows Defender, it lists version info, including the engine version.
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I have Eset and had issues with engine version, etc. showing up in Win 10 WD settings. I had to temporarily disable Eset's protection settings in the GUI, not the firewall. Then I ran a WD definition update which I believe updated the engine ver. to 1.1.13704.0. I also enabled WD periodic scanning like you to keep the Win 10 WD settings showing.

    Also I misspoke about April cum update updating WD's engine. You have to do so manually.:rolleyes:
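Posts #21 through #24 describe checking the Malware Protection Engine version by hand (anything below 1.1.13704.0 is vulnerable, and the engine is updated through the definition update rather than the monthly cumulative update). The following PowerShell is an added example, not code from the thread or from Microsoft, that does the same check on a Windows 8.1/10 host with the Defender PowerShell module. The 1.1.13704.0 threshold is the one quoted in the thread; the registry fallback path is assumed to be where the engine version is recorded when the Defender service is stopped (for example when a third-party AV has disabled it).

```powershell
# Added example: is the local Malware Protection Engine at or above the
# version that fixes CVE-2017-0290? Threshold taken from this thread.
$FixedEngine = [version]'1.1.13704.0'

function Get-MpEngineVersion {
    # Preferred source: Get-MpComputerStatus (Defender module). It throws when
    # the service is not running, so fall back to the registry value written by
    # signature/engine updates (assumed location).
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
        return [version]$status.AMEngineVersion
    } catch {
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates'
        $v = (Get-ItemProperty -Path $key -Name EngineVersion -ErrorAction SilentlyContinue).EngineVersion
        if ($v) { return [version]$v }
        return $null
    }
}

function Test-MpEngineFixed {
    param([version]$Minimum = $FixedEngine)

    $current = Get-MpEngineVersion
    if (-not $current) {
        Write-Warning 'Could not read the engine version; Defender may be disabled or not installed.'
        return $false
    }

    # [version] compares field by field, so 1.1.12805.0 -lt 1.1.13704.0 is handled
    # correctly (a plain string comparison would not be reliable here).
    $patched = $current -ge $Minimum
    [pscustomobject]@{
        EngineVersion = $current
        FixedVersion  = $Minimum
        Patched       = $patched
    } | Format-List | Out-String | Write-Host
    return $patched
}

if (-not (Test-MpEngineFixed)) {
    # The engine ships with the definition update, not the cumulative update
    # (as noted in post #24), so pull signatures and re-check.
    Update-MpSignature -ErrorAction Continue
    Test-MpEngineFixed | Out-Null
}
```

Run it from an elevated PowerShell prompt. If `Get-MpComputerStatus` fails because a third-party AV has Defender's service stopped, the registry fallback still reports the engine version last installed, but `Update-MpSignature` will only succeed once Defender is running again (for example after enabling periodic scanning as described in the posts above).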
     
  25. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    Thanks for the info.
     