How would you get infected?

Discussion in 'other security issues & news' started by Hungry Man, Apr 17, 2013.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    The MS bulletins that refer very clearly, unless you can't read and comprehend, are clear. Read 'em and weep.
     
  2. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    What...? :doubt: LOL

    I truly don't care what the general language of the bulletins is, I know exactly what is meant and what I (people) need to know. YOU are the one that can't seem to comprehend, which is why I was trying to say before you shouldn't be picking and choosing when you can't seem to figure out that fact. *shrug*

    I've been reading them for, I don't know, maybe 10 years, so I'm very familiar with their wacky language.

    You can probably ask me about any Windows update (KBnnnnnnn) and I can tell you TRULY whether or not you could skip it, and the exact details why or why not.

    These things are so absolutely critical, you shouldn't be messing around...


    So I guess now you're back to not understanding again, after Hungry Man just told ya! :rolleyes:
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    All your trolling aside, they're two different things - apples to oranges.
     
  4. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    So the conclusion is, in order to gain root access you would need: 1) a highly skilled *hat directing an attack on your machine specifically and taking advantage of a 2) userland vulnerability and 3) targeting a kernel vulnerability that plays well with 2)

    I'd say the probability is just too small and realistically the success of such an attack would depend on at least two vulnerabilities that not only play well together but those vulnerabilities must be left unpatched for an extended period of time, but yeah, it could happen.
     
    Last edited: Apr 20, 2013
  5. It isn't trolling, and they're not. That's what he's trying to explain.
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    I'll spell it out for you one last time:

    http://technet.microsoft.com/en-us/security/bulletin/ms13-031

    This is Microsoft stating this. I believe they've got some reasonably qualified people writing these bulletins.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    That isn't very clear. They say it's an issue with how Windows handles objects in memory - I see no reason why exploiting that would require login credentials.

    But they say it quite clearly, so it's really confusing.

    I wish they provided more information.

    Regardless, most local privilege escalation exploits do not require login credentials.

    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1284

    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1294

    I think MS is trying to say they need to be logged on... but that's dumb. What they should say is that they need the ability to run code as a user.

    Nothing in these vulns sounds like it requires credentials. At all.

    I see why there's confusion. On the one hand there is seemingly no reason whatsoever for credentials to be required. On the other hand they explicitly list that as a mitigating factor.
     
    Last edited: Apr 20, 2013
  8. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    Again, standard wording for EoP. Doesn't need credentials -- <insert name of exploited program> is already running (by user) with those credentials. That's basically what everything says that's not direct RCE.

    All expected. I'm surprised YOU don't understand what they're like. :)

    Not a chance. :D You could put all the descriptions from the last 10 years into a pile, pick some, and there's no way you could tell what they're referring to! Everything is "specially crafted," an "issue," with how such-and-such "handles" something "incorrectly," and on-and-on.

    Of course not. That's why I don't understand why wat keeps believing that nonsense.

    Right. BTW, CVE-2013-1284/1294 should be fairly minor, in that they're difficult to exploit (from j00ru's blog), so not likely to be a target, I'd guess...

    Expected. Repeat x INF.

    I really didn't think it was that difficult. Like I said, when running everything as unrestricted admin, I would skip some of the EoP updates, because if something was exploited, it didn't need to elevate anyway. As soon as I started running with dropped rights (then later with Sandboxie), I went back and reviewed ones I had previously skipped, since they were then VERY relevant/important.

    I thought it would be pretty clear to "IT Professionals" (what the bulletins are for) what the meaning of "logged on locally" was. But maybe I just have a higher-comprehending brain, unlike what wat said (even though I'm a self-untrained, professional idiot).

    Bottom line: If you're too "dumb" to figure them out, don't try. Use Auto Updates or whatever. :argh:


    And if you've done a fresh install, and decide to skip some EoP update you think you don't need, without taking into account ALL previous updates it replaced (could be tons, including RCE)... Then it's just hopeless for you. :doubt:
     
    Last edited: Apr 20, 2013
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I don't think most users here are "IT Professionals". Very few. Not that being an "IT Professional" means all that much.

    But, again, I Think the confusion is really understandable. They make it explicit that you need login credentials despite it really not being the case - they're being disingenuous, and it's no wonder that users are confused.
     
  10. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    I'm not either... I'm not, anything really. :) Barely graduated kindergarten.

    But yeah, they really should change this stuff after all these years. See below.


    I should have remembered this simpler monthly summary before: Assessing risk for the April 2013 security updates

    Read "Most likely attack vector."


    And... WEEP! ;)
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    My point is I don't think it's fair to be insulting, whether you're correct or not, about an issue that is purposefully vague. MS is making their advisories vague specifically so that a circumstance like this will exist.

    Regardless, wat understands what I'm talking about in this topic, and, for me, that's really all I care about.
     
  12. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    HE started it. ;) Definitely worse to be insulting when you're dead wrong. And told several times.


    My point is don't try to tell people how to understand something that they SO obviously have no clue about. Again: I don't care about their wording, I know exactly what it means. And so do you Hungry Man (even if you don't :p). They are what they are.

    In a way, I can see why they're like they are with their wording...


    The good news is, in wat's world, none of these things exist without physical access. Too bad we can't all live in that world... for reals.


    These last couple months, there have been those USB drive vulnerabilities (maybe only 1 was for XP), which I did skip, since those actually are a physical access thing (first I've seen of those in... ever?). Nobody's plugging stuff in here, except my couple USB sticks every once in awhile. I still analyzed the bulletin(s) very carefully to make sure...
     
  13. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    IMO, you insulted Wat. Let's keep the discussion on a friendly level.
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Thank you for providing evidence that fully supports my statements and my approach for skipping patches that address exploits that require
    :) Good man :thumb:

    Oh that wacky Microsoft language :rolleyes:

    Since you point out Most likely attack vector, please see Bulletins MS13-031, MS13-033 and MS13-034.
     
  15. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    Yes, and please don't lie. WHERE?

    A (getting-more-obvious-by-the-post) dummy telling ME I can't "read and comprehend?" :)



    Truly hopeless...

    What can you still not understand about "Attacker who is already running code?"

    http://blogs.technet.com/b/srd/arch...k-for-the-february-2013-security-updates.aspx
    http://blogs.technet.com/b/srd/arch...sk-for-the-january-2013-security-updates.aspx
    http://blogs.technet.com/b/srd/arch...k-for-the-november-2012-security-updates.aspx
    http://blogs.technet.com/b/srd/arch...sk-for-the-october-2012-security-updates.aspx
    http://blogs.technet.com/b/srd/arch...isk-for-the-august-2012-security-updates.aspx
    Bad wording still: http://blogs.technet.com/b/srd/arch...k-for-the-february-2012-security-updates.aspx
    Bad wording still: http://blogs.technet.com/b/srd/arch...sk-for-the-january-2012-security-updates.aspx
    http://blogs.technet.com/b/srd/arch...risk-of-the-august-2011-security-updates.aspx
    http://blogs.technet.com/b/srd/arch...ng-the-risk-of-the-june-security-updates.aspx
    http://blogs.technet.com/b/srd/arch...g-the-risk-of-the-april-security-updates.aspx

    MS11-034: "An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users."
    http://blogs.technet.com/b/srd/arch...-vulnerabilities-in-the-win32k-subsystem.aspx
    "For a local attacker able to run code on a compromised system, most of the vulnerabilities fixed in this package are straightforward to exploit."

    http://blogs.technet.com/b/srd/arch...he-risk-of-the-february-security-updates.aspx
    http://blogs.technet.com/b/srd/arch...the-risk-of-the-october-security-updates.aspx
    Bad wording still: http://blogs.technet.com/b/srd/arch...-the-risk-of-the-august-security-updates.aspx
    Bad wording ("EXE"): http://blogs.technet.com/b/srd/arch...-the-risk-of-the-june-security-bulletins.aspx
    Some bad wording: http://blogs.technet.com/b/srd/arch...-risk-of-the-february-security-bulletins.aspx
    Bad wording: http://blogs.technet.com/b/srd/arch...e-risk-of-the-october-security-bulletins.aspx


    GET IT THROUGH YOUR HEAD! Sorry if you find that "insulting." :)
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    LarryPepper is correct. The wording is poor, and I would think purposefully vague. These should not require valid login credentials, only the ability to execute code.
     
  17. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    Quote:
    Originally Posted by wat0114
    That clears it up, thanks! I figured I was missing the boat

    DR_LaRRY_PEpPeR wrote:
    Now you understand...? :)

    This was uncalled for, don't you think? It's obvious Microsoft does not clearly state what they _really_ had in mind when they talk about local access, so why is it so surprising that readers could get confused by this. Let's leave it at that.

    I ain't no liar.
     
  18. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    DR_LaRRY_PEpPeR is right. MS is using very misleading language, which will give folks the wrong impression of how these vulnerabilities can be exploited.

    Unfortunately for us, the people writing MS's security bulletins write like they were running for congress. They're being intentionally vague and robotic in their use of language, and the things they write are to be considered "true from a certain point of view".

    When MS says "attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability", they're telling the truth from a certain point of view.

    The truth is the attacker does not need to know your logon credentials, and he does not need to be able to log on to your system. The only thing the attacker does need is the ability to run code on your system, and he can get that with any successful exploit of a perfectly commonplace remote code execution vulnerability, like the monthly IE or Firefox vulns.

    So, the way to exploit a "local" privilege escalation vulnerability is this:
    - step 1: exploit a remote code execution vulnerability to get your code running with the privileges of the user who gets exploited
    - step 2: then execute the exploit code for the privilege escalation vulnerability to
    - step 3: gain escalated privileges and
    - step 4: profit!

    So, how is this "local"? Well, it's not, really. You can exploit these local privilege escalation vulnerabilities remotely very easily, if you can first exploit a remote code execution vulnerability to get your code running on the system. But sure, there are the rare cases of "remote" privilege escalation vulnerabilities, where you don't need that step 1 at all, you can just send a few packets at the vulnerable TCP/IP stack, speak the elvish word for friend, and have whatever code you want instantly run as SYSTEM. But that stuff is not so common.

    And yes, I am in fact drinking too much whisky today. :D
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Whereas I have been taking part in a 17 hour (so far, straight; 48 total) capture-the-flag 'hacking' competition, and am too tired to attempt some type of mediation where it seems unnecessary.

    Wat, you can take our word for it or not. It's that simple.
     
  20. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    My first post? A question is insulting/uncalled for? Wow!

    I was shocked if we finally got through to him, and wanted to verify.

    That's the term I was looking for, Congress! Thanks. :D
     
  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Microsoft posts their statements like it is a 100% fact:

    Are you disputing that? You seem to be. So what? There is nothing vague at all in that statement. There is no "could be", "might need", etc...

    My entire premise to patching is to omit updates that are summarized with these types of statements. The fact MS is using these statements would strongly suggest that these particular exploits are very difficult to pull off successfully, thus my approach to omitting them when I update, because I am confident my security approach can address them more than adequately, and until I'm hit by one, I will continue to do things this way in spite of the warnings given by those who feel otherwise.

    Otherwise I apply any updates that suggest an attacker can exploit successfully without valid local login credentials. That's all.
     
  22. What MS is doing there is basically what Linux developers are doing when they call an arbitrary code execution bug a "possible DoS"... i.e. lying by omission.

    Technically that's true! However, coupled with a second vulnerability that does allow remote access, it becomes more dangerous.

    If an attacker has only the privilege elevation vulnerability, and no physical access, he can't do much. OTOH, if he has that and, say, a remote vulnerability in Internet Explorer, he can use the remote vulnerability as a springboard to get to the local one. First IE is compromised, gaining the necessary local access credentials (because IE is your user's process); then the local exploit is run, via payload or within IE's address space. Bam, rooted.
     
    Last edited by a moderator: Apr 20, 2013
  23. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
    Right. It was meant to be funny more than anything else. I do not know that I know how to answer the question. If I knew how I would get infected, I expect I would do something to prevent that very thing. I expect someone would just have to find some type of exploit. I do not install unknown software, I do not respond to email from unknown people, and if I do anything that I think has any kind of risk I do it in a virtual machine, and if I don't like the result I just kill the VM without saving any changes. That, or someone would have to physically access my machine and plant it. If I happen to catch them doing it they will likely end up with some scratches and dents. :D
     
  24. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Yes, we are disputing that. Most people would interpret these statements of "attacker needs valid logon credentials" in a way that would give them exactly the wrong idea of how these vulnerabilities can or cannot be exploited. People reading that statement will think the attacker needs to know their password and be able to log on locally. This is not true. The attacker does not need those things. The attacker only needs some code running on your system, and that's as easy as exploiting a remote code execution vulnerability.

    The truth of it is really quite simple. MS is being dangerously misleading in their descriptions of these vulnerabilities and their supposedly mitigating factors. These exploits are not difficult to pull off in general, certainly not very difficult. All it takes is that one additional step of first exploiting a remote code execution vulnerability.

    Remote code execution + local privilege escalation = bad code running with escalated privileges, all done remotely, with no need to have logon credentials or physical local access

    So, why is MS using such misleading words? Who knows these things? Because they have a culture of using political style speak? Perhaps to differentiate from those truly remote vulnerabilities, where you can just send some packets to the TCP/IP stack and have instant code execution with high privileges. I will now attempt to explain how the MS statement is true "from a certain point of view".

    Let's say your browser is vulnerable to a remote code execution, and this is exploited by an infected web site you visit. What does that mean? It means that the attacker's code is now executing within your browser, with all the privileges your browser has - typically the privileges of the user account running that browser. Let's say user Dave is running Firefox and has this happen to him. Now the attacker effectively has Dave's privileges. In other words, the attacker is effectively logged on to the system as Dave! The attacker can now execute the exploit code for a privilege escalation vulnerability as Dave, and it will work if the system is vulnerable. So in this sense, MS's statement is true. The attacker did "sort of" need valid credentials, just not in the way people expected. If Dave isn't running Firefox, but just sitting there reading a text file on his own HDD, what's going to happen? The remote code execution vulnerability in his browser cannot be exploited then. That means the attacker's code doesn't get to run in Dave's account, and cannot attempt to exploit any privilege escalation vulnerabilities. He can't just send some packets to Dave's IP and hope they'll magically give him access. For that to work, he'd need a far more serious vulnerability to exploit. Perhaps this helps?

    Not installing patches for these "local" privilege escalation vulnerabilities is a risky move. Privilege escalation attacks still aren't commonplace, because so many are still running around with full privileges, but these attacks will get more and more common with time, and then those who haven't patched these holes will increasingly risk trouble. It's impossible to say whether or not that will ever cause an actual infection, but the vulnerability at least will be there.

    Edit: Gullible Jones just said the same thing, only faster and better and with considerably less whiff of Lagavulin. :thumb: :D
     
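    The practical question behind the argument above is whether a given machine is still relying on the "attacker needs valid logon credentials" mitigation. The PowerShell below is an added example, not code from the thread or from Microsoft: it reports whether the current session already runs with admin rights (in which case an exploited program needs no EoP at all) and whether a chosen set of EoP updates is installed. The KB ids are placeholders; the thread names MS13-031/033/034 but not their KB numbers, so substitute the ids from the bulletins you are evaluating.

```powershell
# Added example (not from the thread): audit whether this machine depends on
# the "needs valid logon credentials" mitigation for local EoP bulletins.
# KB ids below are PLACEHOLDERS, fill in the ids from the bulletins you assess.
$EopUpdates = @(
    @{ Bulletin = 'MS13-031'; KB = 'KB0000001' }   # placeholder id
    @{ Bulletin = 'MS13-033'; KB = 'KB0000002' }   # placeholder id
    @{ Bulletin = 'MS13-034'; KB = 'KB0000003' }   # placeholder id
)

# True when the current token is in the local Administrators role.
function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Compare the wanted KB ids against the hotfixes Windows reports as installed.
function Get-EopPatchStatus {
    param([hashtable[]]$Updates)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($u in $Updates) {
        [pscustomobject]@{
            Bulletin  = $u.Bulletin
            KB        = $u.KB
            Installed = ($installed -contains $u.KB)
        }
    }
}

if (Test-IsElevated) {
    Write-Host "Session already has admin rights: code running as this user needs"
    Write-Host "no EoP to control the machine, so the mitigation buys nothing here."
} else {
    Write-Host "Session runs with standard-user rights: an unpatched EoP bug is"
    Write-Host "what code already running as this user (e.g. via a browser RCE)"
    Write-Host "would use to reach SYSTEM. Missing entries below are real exposure."
}

Get-EopPatchStatus -Updates $EopUpdates | Format-Table -AutoSize
```

Run it in the account you actually browse from, since that is the account whose rights an exploited program inherits.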
  25. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517

    KB2790655 - are they not telling us the truth here either? They call it denial of service, but it could mean local access and privilege escalation?
     