Patch all those windows boxes
16-11-2014, 22:22
#1
Inactive
Join Date: May 2012
Location: Probably outside the M25
Services: Sky Fibre Unlimited 40/10
Posts: 3,473
Patch all those windows boxes
Probably well known already, but on Tuesday Microsoft released two patches, among others, that fix nasty holes in Windows, all the way from Windows 95 to Windows 10. The SSL/TLS (Schannel) bug is worse than the recent Heartbleed bug as it gives full remote command execution without any interaction. The OLE bug could potentially be used in drive-by exploits from visiting a URL.
The patches have been reverse engineered and there is an unofficial Metasploit module to exploit this, but it's not 100% reliable yet. As the patches added some new ciphers too, a scanner looks for these new SSL options as a way to see if the box is patched. Not 100% foolproof either.
Home machines should already have the updates from Windows Update, but servers may need some special love and attention. Patch details are in the CVE links.
Some news stories about these bugs:
http://www.bbc.co.uk/news/technology-30019976
http://www.theregister.co.uk/2014/11...rary_megaflaw/
CVE-2014-6321
Quote:
Overview
Schannel in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via crafted packets, aka "Microsoft Schannel Remote Code Execution Vulnerability."
Impact Subscore: 10.0
Exploitability Subscore: 10.0
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service
|
CVE-2014-6332
Quote:
Overview
OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted web site, aka "Windows OLE Automation Array Remote Code Execution Vulnerability."
Impact
Impact Subscore: 10.0
Exploitability Subscore: 8.6
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service
|
17-11-2014, 10:29
#2
Born again teenager.
Join Date: Feb 2007
Location: Manchester. (VM area 20)
Age: 77
Services: Maxit TV, M250 Fibre BB.
Phone-Anytime Chatter
Posts: 13,883
Re: Patch all those windows boxen
 I really must stop reading the threads in the Virus and Security Discussion area. They make me twitchy for the rest of the day as I wouldn't have a clue where to start dealing with the issues they raise.
Thanks for the information though as it's kind of reassuring that at least some of you on here know enough about all this to explain it to us less than savvy members.
__________________
"I intend to live forever, or die trying" - Groucho Marx..... "but whilst I do I shall do so disgracefully." Jo Glynne
17-11-2014, 12:02
#3
Inactive
Join Date: Oct 2006
Location: Right here!
Posts: 22,315
Re: Patch all those windows boxen
Quote:
Originally Posted by joglynne
 I really must stop reading the threads in the Virus and Security Discussion area. They make me twitchy for the rest of the day as I wouldn't have a clue where to start dealing with the issues they raise.
Thanks for the information though as it's kind of reassuring that at least some of you on here know enough about all this to explain it to us less than savvy members. 
|
Too true!!!
I'm hoping you'll be sending me your layman's interpretation of the OP shortly Jo...
This is the subject for another thread but should we really be rushing into a world in which our whole lives are 'stored' in the ether by one corporation/agency or another when there are all sorts of security issues evident for all to see and some to exploit?
17-11-2014, 12:04
#4
Still alive and fighting
Join Date: Jun 2007
Location: In the land of beyond and beyond.
Services: XL BB, 3 360 boxes , XL TV.
Posts: 56,699
Re: Patch all those windows boxen
I am a bit like Jo as I have no clue about these things but alas that's no surprise as I am an expert at nothing.
__________________
“The only lesson you can learn from history is that it repeats itself”
17-11-2014, 13:18
#5
Born again teenager.
Join Date: Feb 2007
Location: Manchester. (VM area 20)
Age: 77
Services: Maxit TV, M250 Fibre BB.
Phone-Anytime Chatter
Posts: 13,883
Re: Patch all those windows boxen
Quote:
Originally Posted by Osem
Too true!!!
I'm hoping you'll be sending me your layman's interpretation of the OP shortly Jo...
This is the subject for another thread but should we really be rushing into a world in which our whole lives are 'stored' in the ether by one corporation/agency or another when there are all sorts of security issues evident for all to see and some to exploit?
|
My take.
A broken Window is letting some potential baddies, in a car driving past with a pair of long distance binoculars, look in to our little magic boxes to see what they can nick.
As a result some goodies have sent around a glazier to fit obscured glass to try and block the baddie's view.
__________________
"I intend to live forever, or die trying" - Groucho Marx..... "but whilst I do I shall do so disgracefully." Jo Glynne
17-11-2014, 14:48
#6
cf.mega poster
Join Date: Aug 2004
Posts: 11,207
Re: Patch all those windows boxen
Windows update.
Reboot.
Simples.
17-11-2014, 15:15
#7
Inactive
Join Date: Oct 2006
Location: Right here!
Posts: 22,315
Re: Patch all those windows boxen
Quote:
Originally Posted by denphone
I am a bit like Jo as I have no clue about these things but alas that's no surprise as I am an expert at nothing.
|
Over 32,000 posts here suggests you're pretty damned good at something... 
---------- Post added at 16:15 ---------- Previous post was at 16:14 ----------
So it's all sorted until they find the next one, or worse still, don't find the next one until it's too late...
17-11-2014, 16:09
#8
cf.mega poster
Join Date: Aug 2004
Posts: 11,207
Re: Patch all those windows boxen
I'm starting to feel like it's time for a career change
17-11-2014, 20:40
#9
Inactive
Join Date: Oct 2006
Location: Right here!
Posts: 22,315
Re: Patch all those windows boxen
Well if they make it all too safe, secure and layman-user friendly that's what might happen anyway...
18-11-2014, 23:44
#10
Inactive
Join Date: May 2012
Location: Probably outside the M25
Services: Sky Fibre Unlimited 40/10
Posts: 3,473
Re: Patch all those windows boxen
Quote:
Originally Posted by qasdfdsaq
Windows update.
Reboot.
Simples.
|
Not always that simple on a production domain controller and when the patch isn't on Windows Update. This new bug which lets any domain user become admin is a very nice privilege escalation goodie and is serious enough for MS to make an out-of-cycle patch quickly instead of waiting for the next patch date.
Broken kerberos
Quote:
Vulnerability Details
CVE-2014-6324 allows remote elevation of privilege in domains running Windows domain controllers. An attacker with the credentials of any domain user can elevate their privileges to that of any other account on the domain (including domain administrator accounts).
The exploit found in-the-wild targeted a vulnerable code path in domain controllers running on Windows Server 2008R2 and below. Microsoft has determined that domain controllers running 2012 and above are vulnerable to a related attack, but it would be significantly more difficult to exploit. Non-domain controllers running all versions of Windows are receiving a “defense in depth” update but are not vulnerable to this issue.
|
http://blogs.technet.com/b/srd/archi...2014-6324.aspx
---------- Post added at 00:44 ---------- Previous post was at 00:39 ----------
Quote:
Originally Posted by joglynne
 I really must stop reading the threads in the Virus and Security Discussion area. They make me twitchy for the rest of the day as I wouldn't have a clue where to start dealing with the issues they raise.
|
Mostly info for system administrators, so leave the worrying to them. You have a nice router giving you good protection via NAT (forget their mostly useless firewalls) so half of these problems can't get to you. So sleep well and forget all about the other half still left...
19-11-2014, 12:57
#11
cf.mega poster
Join Date: Aug 2004
Posts: 11,207
Re: Patch all those windows boxen
Quote:
Originally Posted by Qtx
Not always that simple on a production domain controller and when the patch isn't on windows update. This new bug which lets any domain user become admin is a very nice privilege escalation goodie and is serious enough for MS to make an out-of-cycle patch quickly instead of waiting for the next patch date 
|
Why would your production domain controller be used for hosting public websites and/or drive-by web browsing?
19-11-2014, 13:43
#12
R.I.P.
Join Date: Jun 2012
Location: Swansea, South Wales UK.
Age: 74
Services: XL Phone, XXXL Gig1 BB SH4 (wired).
Posts: 2,753
Re: Patch all those windows boxen
I used to drive by print at my mates. I would sit outside and print rude messages on his wireless printer and it would send him potty lol.
19-11-2014, 18:27
#13
Inactive
Join Date: Jun 2008
Location: Leeds, West Yorkshire
Age: 47
Posts: 13,995
Re: Patch all those windows boxen
Quote:
Originally Posted by qasdfdsaq
Why would your production domain controller be used for hosting public websites and/or drive-by web browsing?
|
I think the concern is more internal users escalating privileges and playing games as far as DCs go.
You'd hope nothing on the public Internet had Kerberos exposed.
20-11-2014, 10:47
#14
cf.mega poster
Join Date: Aug 2004
Posts: 11,207
Re: Patch all those windows boxen
Ah, I was referring to the two CVEs listed in the OP. Yes, the later KDC issue isn't quite as simple a fix but the Windows update => Reboot solution does still apply to the end user(s) scenario I was replying to.
That said Microsoft has been making more extensive use of Kerberos authentication for services that are often internet-accessible lately, including Remote Desktop, Direct Access, and so forth.
20-11-2014, 23:02
#15
Inactive
Join Date: May 2012
Location: Probably outside the M25
Services: Sky Fibre Unlimited 40/10
Posts: 3,473
Re: Patch all those windows boxes
Admins in some companies have to do change management requests and even testing of patches before they get applied to production servers. Certainly would not be done through windows updates for these servers.
Was talking about the new priv escalation in that particular post as Ignition pointed out. Internal users or even guest accounts for visitors with limited access being able to become admin and give themselves access to anything is a big issue, especially for organisations that want to keep their trade secrets secret.
OWA/the outlook web app is another thing that is often configured with kerberos.
All times are GMT. The time now is 23:24.