Feeds

back to article New code-execution bug found in Windows and 40 apps

Microsoft Windows and about 40 applications that run on it are vulnerable to remote-code execution attacks that are "trivial" to carry out, a noted security researcher warned Wednesday. The flaw involves the way Windows loads "safe" file types from remote network locations, and is almost identical to one that Apple excised in …

COMMENTS

This topic is closed for new posts.
Thumb Down

Right, all you have to do is get SMB across the internet backbone.

Actually, that's really difficult these days, most ISPs block 139/445. Low risk.

... except of course that HD Moore, who I always thought was on the full-disclosure side, won't tell us what the work-around mechanism is that apparenlty means this bug could be exploited by other protocols. Thanks for that, HD.

2
2

This post has been deleted by its author

Badgers

Odd question.

"Social engineering or a trivial script needs to be executed on the client PC to connect to this."

I wonder if a maliciously rigged SharePoint site (somewhere out there, perhaps delivered via IFRAME or similar) could do the delivery?

0
0
FAIL

The title is required, and must contain letters and/or digits.

> Actually, that's really difficult these days, most ISPs block 139/445.

That must be why my firewall reports so many connection attempts to these ports. /sarc

0
0
Flame

Not just an ISP/home issue

SMB noise from Windows boxes is not just an issue for people sat at home.

I have a BSD box sitting in a data centre and before I curtailed the logs, I used to see them filling up with zillions of broadcast attempts from Windows boxes on the same subnet. And these are machines in a data centre for goodness sake!!

I wonder how much bandwidth is wasted by this crap? God I HATE Windows!!!!

5
0

@AC 09:51

Oh noes, not... The dreadded broadcast packet.

Seriously why bother to log broadcasts? If you really have to, either stick your box on another subnet or block access to all the Windows machines. It really uses sod all bandwidth and makes Windows very good at sharing data and generally knowing about other Windows boxes.

0
1

wasn't authorized to provide additional details

Who does he need 'authorisation' from?

2
0

Who does he need 'authorisation' from?

We aren't authorized to tell you that. None of us are, by anyone.

2
0
Black Helicopters

That'll be Rapid 7

Who bought HD, I mean Metasploit a little while ago now and probably have a big fat veto on all reasearch work communication with the public.

0
0
Happy

No 80/139/445 port

Total isolation is good too. And leaving the PC switched off is even better.

Luv it. Ready made excuse to do nothing on the job today ... and tomorrow .... and ...

0
0
Linux

malicious DLL

iirc, once upon a time if you planted a DLL in the same directory as your app, and gave it the same name as a system DLL, then the default Windows behavior was for the app to look in the local DLL for its functions. I wonder is this a variant.

"New code-execution bug found in Windows" or the return of DLL hell ...

1
0
FAIL

Why?

And the reason Windows has the WebDAV service (whatever the hell that is) enabled by default as opposed to disabled until needed? When it's highly unlikely to be used by 99.9% of the ordinary home users of that OS? And those business users that do have a need for it are likely to have a group policy that could toggle it on?

4
1
FAIL

Enabled by default?

Uhm ... The default setting for the Web Client service is "manual" not "autostart" or "autostart(delayed)".

This means that until you actually NEED the service, it's not started.

Of course, this doesn't block real-stupid-users from shooting their own foot and webdav-mount the "pictures of <celebrity> naked" they received a link to in their mail, from someone in russia with bad memory for recipient addresses. The best malware-protection still needs to be installed in wetware.

//Svein

1
0

Just looked...

On my vista box, it's enabled by default. On my 2003 server, it's disabled and on my 2008 server it's not even installed.

0
0
WTF?

WebDAV

WebDAV is HTTP v1.1 file transfers / uploads; though a better way of thinking of is HTTP's version of FTP. Aka, it’s a method of file sharing. Web browsers all support it to a degree (not to full spec generally). Windows, OS-X, and Linux all have native client support for it through their various methods of connecting to remote server shares.

So to answer your questions, a large majority of people at home have probably utilized WebDAV without knowing the process has a name. Not including WebDAV connectivity on a modern desktop OS is pretty much on par with not providing a web browser, ability to connect to network shares, or even the ability to understand TCP/IP networking.

This particular bug can just be abused over a network because when you connect to a remote server share directly through an OS, it treats that connection like any other drive/folder being opened. Abusing it through a web browser is at least slightly more difficult because they don't render those connections like an actual desktop does.

0
0
Silver badge
Happy

MS Windows makes even Jobs look good and they both make ...

Linux almost perfect.

Little wonder near-Linux Android Operating System is busy setting new records - and it seem to have incremental error correcting versions, either.

2
2

Linux is almost perfect

Nah .. nearly but please do "Just go update" and purge that 5 year old kernel hole.

You probably meant to say "OpenBSD" 8-)

0
0
Silver badge

Where's WebDAV?

It as fairly easy to run services.msc and locate the WebClient service (was running, is now disabled, nothing appears to have noticed (yet?)).

Thing is, the WebClient says it has a dependency. The "WebDav Client Redirector". Now, can I find this in the list of services? Can I hell... It isn't even listed in the processes under svchost (Process Explorer) yet it surely must be running when WebClient is running? This all sounds a bit odd.

So, here's how to kill the invisible process if you want to [WinXP]: regedit -> Local Machine\System\CurrentControlSet\Services\MRxDAV and set the "Start" number to zero. FWIW, the default on my machine is three.

I've knocked off the WebClient, and if all goes okay for a few days, I'll take down the super-secret service too. After all, on an eeePC, getting rid of nnecessary stuff frees memory and resources!

0
0
Anonymous Coward

"on an eeePC, getting rid of nnecessary stuff "

Start with Windows !

3
0
Anonymous Coward

WebDav Client Redirector seems to be a driver, not a service

at least, shows up as such on win2k8.

The process I really don't like is some monitoring jobbie or another, can't remember name. I've seen it grow to nearly 450 meg.

0
0
Bronze badge

WebDav Redirector

The WebDav Redirector is part of your file system, like your "Network Redirector", it allows you to open, close, edit files as if they were on your local hard disk. It "redirects" the file operations to a WebDav server.

The WebDav Client is a COM object that was originally included with IE and MSOFFICE, and allowed IE and MSOFFICE and Windows Explorer to use WebDav.

The Original WebDav Client predated the WebDav Redirector, it just connected directly to the network. Since it was completely independent, it had different flaws and limitations than the WebDav Redirector, in particular it allowed "basic" authentication.

The New WebDav Client just uses the WebDav Redirector.

0
0

Staying Vigilant on Security Issues

With all these different types of security vulnerabilities, it seems like its worthwhile to get a overall view of the vulnerabiltiy areas we can address.

I really love this research report (from Infoweek) -- great perspective on the key areas where companies are focusing on security.

www.fortify.com/SSSIW_050510

Would love some feedback on the report and its value.

Dale

0
0
This topic is closed for new posts.