Patch all those windows boxes
 

Probably well known already but on Tuesday Microsoft released two patches among others that fix nasty holes in windows, all the way from windows 95 to windows 10. The SSL/TLS (schannel) bug is worse than the recent Heartbleed bug as it gives full remote command execution without any interaction. The OLE bug could potentially be used in drive-by exloits from visiting a url.

The patches have been reverse engineered and there is an unofficial metasploit module to exploit this but it's not 100% reliable yet. As the patches added some new ciphers too, a scanner looks for these new ssl options as a way to see if the box is patched. Not 100% foolproof either.

Home machines should already have the updates from windows update but servers may need some special love and attention. Patch details are in the CVE links.

Some news stories about these bugs:

http://www.bbc.co.uk/news/technology-30019976
http://www.theregister.co.uk/2014/11...rary_megaflaw/

CVE-2014-6321

CVE-2014-6332

Re: Patch all those windows boxen
 

:D I really must stop reading the threads in the Virus and Security Discussion area. They make me twitchy for the rest of the day as I wouldn't have a clue where to start dealing with the issues they raise.

Thanks for the information though as it's kind of reassuring that at least some of you on here know enough about all this to explain it to us less than savvy members. :tu:

Re: Patch all those windows boxen
 

Too true!!! :erm:

I'm hoping you'll be sending me your layman's interpretation of the OP shortly Jo... ;)

This is the subject for another thread but should we really be rushing into a world in which our whole lives are 'stored' in the ether by one corporation/agency or another when there are all sorts of security issues evident for all to see and some to exploit?

Re: Patch all those windows boxen
 

l am a bit like Jo as l have no clue about these things but alas that's no surprise as l am a expert at nothing.:D

Re: Patch all those windows boxen
 

My take. :D

An broken Window is letting some potential baddies, in a car driving passed with a pair of long distance binoculars, look in to our little magic boxes to see what they can nick. https://www.cableforum.co.uk/images/local/2014/11/2.gif
As a result some goodies have sent aound a glazier to fit obscured glass to try and block the baddie's view. https://www.cableforum.co.uk/images/local/2014/11/3.gif

https://www.cableforum.co.uk/images/local/2014/11/4.gif

Re: Patch all those windows boxen
 

Windows update.

Reboot.

Simples.

Re: Patch all those windows boxen
 

Over 32,000 posts here suggests you're pretty damned good at something... ;)

---------- Post added at 16:15 ---------- Previous post was at 16:14 ----------

So it's all sorted until the find the next one, or worse still, don't find the next one until it's too late... :erm:

Re: Patch all those windows boxen
 

I'm starting to feel like it's time for a career change

Re: Patch all those windows boxen
 

Well if they make it all too safe, secure and layman-user friendly that's what might happen anyway... ;)

Re: Patch all those windows boxen
 

Not always that simple on a production domain controller and when the patch isn't on windows update. This new bug which lets any domain user become admin is a very nice privilege escalation goodie and is serious enough for MS to make an out-of-cycle patch quickly instead of waiting for the next patch date:)

Broken kerberos

http://blogs.technet.com/b/srd/archi...2014-6324.aspx

---------- Post added at 00:44 ---------- Previous post was at 00:39 ----------

Mostly info for system administrators, so leave the worrying to them :) You have a nice router giving you good protection via NAT (forget their mostly useless firewalls) so half of these problems can't get to you. So sleep well and forget all about the other half still left... :D

Re: Patch all those windows boxen
 

Why would your production domain controller be used for hosting public websites and/or drive-by web browsing?

Re: Patch all those windows boxen
 

I used to drive by print at my mates. I would sit outside and print rude messages on his wireless printer and it would send him potty lol.

Re: Patch all those windows boxen
 

I think the concern is more internal users escalating privileges and playing games as far as DCs go.

You'd hope nothing on the public Internet had Kerberos exposed.

Re: Patch all those windows boxen
 

Ah, I was referring to the two CVE's listed in the OP. Yes the later KDC issue isn't quite as simple a fix but the Windows update => Reboot solution does still apply to the end user(s) scenario I was replying to.

That said Microsoft has been making more extensive use of Kerberos authentication for services that are often internet-accessible lately, including Remote Desktop, Direct Access, and so forth.

Re: Patch all those windows boxes
 

Admins in some companies have to do change management requests and even testing of patches before they get applied to production servers. Certainly would not be done through windows updates for these servers.

Was talking about the new priv escalation in that particular post as Ignition pointed out. Internal users or even guest accounts for visitors with limited access being able to become admin and give themselves access to anything is a big issue, especially for organisations that want to keep their trade secrets secret.

OWA/the outlook web app is another thing that is often configured with kerberos.

Re: Patch all those windows boxes
 

Yes, we have change management and tons of over the top RFC processes though none of my servers have to deal with them (nor are any of them running Windows).

However both here and at many other HEIs there are domain controllers operating AD accounts for many thousands of uncontrolled users, including public and guest accounts. This'll be very fun for them to deal with - given there'll be a distribution of tens of thousands of student accounts and any staff member has the ability to auto-create guest accounts for anyone who walks off the street without requiring approval. Public libraries and the like will likewise be highly vulnerable.

Makes that other incident at an institution-who-shall-not-be-named that recently found some hardware keyloggers plugged into the back of their corporate machines seem pretty tame in comparison.

Re: Patch all those windows boxes
 

Network/traffic monitoring and applying related snort rules (or similar) is the best bet for stopping these. These days there is a market for selling efficient rules quickly, so companies and organisations that subscribe to various services are better prepared than others that might wait for public info. Might not be so bad for your lot due to this :)

These rules are not always perfect at first though.

Re: Patch all those windows boxes
 

Sadly our border firewalls are too primitive to do much deep filtering, plus we have a global block-inbound rule anyway which helps against many server-side vulnerabilities.

Regardless I just look after the research servers and nobody really cares if they break. We've yet to suffer any detectable compromise, almost miraculous considering I caught somebody running phpMyAdmin on a public server yesterday with the username and password set to 'root' and 'root'. I may need to dig out the good ol' LART.

But seriously, human error (aka PEBKAC) is generally a bigger problem than many of these mentioned vulnerabilities for organizations that don't really have any commercially sensitive information.