Please login or register.

Login with username, password and session length
gfx gfx
76781 Posts in 13501 Topics by 1651 Members - Latest Member: Arnold99 July 22, 2024, 10:59:23 pm
WinMX World :: Forum  |  Discussion  |  WinMx World News  |  Microsoft fixes '19-year-old' bug with emergency patch

Author Topic: Microsoft fixes '19-year-old' bug with emergency patch  (Read 1298 times)

0 Members and 1 Guest are viewing this topic.

Offline DaBees-Knees

  • WMW Team
  • *****
Microsoft fixes '19-year-old' bug with emergency patch
« on: November 13, 2014, 07:52:59 pm »

Microsoft has patched a critical bug in its software that had existed for 19 years.

IBM researchers discovered the flaw, which affects Windows and Office products, in May this year - but worked with Microsoft to fix the problem before going public. The bug had been present in every version of Windows since 95, IBM said. Attackers could exploit the bug to remotely control a PC, and so users are being urged to download updates. Microsoft has addressed the problem in its monthly security update, along with more than a dozen patches to fix other security issues, with a further two to be rolled out soon.

In a blog post explaining the vulnerability in depth, IBM researcher Robert Freeman wrote: "The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user's machine."

In computer security, a drive-by attack typically means making users download malicious software.

The bug had been "sitting in plain sight", IBM said. The vulnerability - dubbed WinShock by some - has been graded as 9.3 out of a possible 10 on the Common Vulnerability Scoring System (CVSS), a measure of severity in computer security.

Six figures
One of the other bugs affects Microsoft's Windows Server platforms - putting the security of websites that handle encrypted data at risk. Specifically, it relates to Microsoft Secure Channel, known as Schannel, Microsoft's software for implementing secure transfer of data. Schannel now joins the other major secure standards - Apple SecureTransport , GNUTLS, OpenSSL and NSS - in having a major flaw discovered this year.

Security experts had compared this latest flaw to other significant problems that had come to light this year such as the Heartbleed bug. However, they added that while its impact could be just as significant, it might be more difficult for attackers to exploit. As with Heartbleed, the exploit relates to vulnerabilities in the technology used to transfer data securely - known as SSL (Secure Sockets Layer).

Potentially 'disastrous'

There is no evidence the bug identified by IBM has been exploited "in the wild", but now that a patch has been issued and the problem made public, experts have predicted attacks on out-of-date machines would be "likely". The bug would have probably been worth more than six figures had it been sold to criminal hackers, the researchers added.

Gavin Millard, from Tenable Network Security, said the fact there had been no known attacks yet should not dampen concerns. "Whilst no proof-of-concept code has surfaced yet, due to Microsoft thankfully being tight-lipped on the exact details of the vulnerability, it won't be long until one does, which could be disastrous for any admin that hasn't updated."

I always get Microsofts updates, but I know a lot don't bother. It might be worth having a rethink.

Offline GhostShip

  • Ret. WinMX Special Forces
  • WMW Team
  • *****
Re: Microsoft fixes '19-year-old' bug with emergency patch
« Reply #1 on: November 13, 2014, 10:47:08 pm »
From a brief look at this one it seems there are two potential scenarios, one is that of Microsoft web servers being compromised by a specially crafted packet, and the second issue is that of a compromised web server distributing another type of specially crafted packet to hit your machines, the powerpoint extension type from MS  office was used in IBM's own tests but I suspect there may be other vectors in legacy code just waiting to be explored.

How can you defend yourself somewhat ?

The first item of interest is that the exploit will require you to either visit a compromised website or download the ppt file onto your machine and in the case of the web based exploit Internet Explorer is a key to doing this so its time to dump the old friend and move to another browser, this will prevent the site based attack, but to be safe you can use non microsoft products such as Open Office etc to deal with any office file types, MS Office is not needed by most home users and its safe to remove it, this will kill the other avenue of possible exploit, as always beware of dodgy links embedded in emails and on instant messenger.

I also noted the good advice given of setting yourself up a user account on your machine instead of running the admin account, we have all done this but it might be time to get into the habit of running in a lower ring of trust so if an attacker gets into your machine his/her hands are tied due to not being able to do anything without admin authority.

Offline White Stripes

  • Core
  • *****
  • ***
  • Je suis aimé
Re: Microsoft fixes '19-year-old' bug with emergency patch
« Reply #2 on: November 14, 2014, 12:23:29 am »
the problem with limited user accounts in windows is the 'root' and ring 0 dickery that many programs do that are used a little too often dont have any 'system service' versions... hence needing to run as admin to check S.M.A.R.T. to see why the hdd just made that terrifying noise... ...or a better example... peerblock...

WinMX World :: Forum  |  Discussion  |  WinMx World News  |  Microsoft fixes '19-year-old' bug with emergency patch

©2005-2024 All Rights Reserved.
SMF 2.0.19 | SMF © 2021, Simple Machines | Terms and Policies
Page created in 0.02 seconds with 22 queries.
Helios Multi © Bloc
Powered by MySQL Powered by PHP Valid XHTML 1.0! Valid CSS!