
posted by Fnord666 on Saturday February 04 2017, @02:09AM   Printer-friendly
from the samba,-not-simba dept.

Submitted via IRC for TheMightyBuzzard

The United States Computer Emergency Readiness Team (US-CERT) published a vulnerability note yesterday about a new zero-day vulnerability affecting Microsoft Windows 8, 10 and Server editions. It reads:

Microsoft Windows contains a memory corruption bug in the handling of SMB traffic, which may allow a remote, unauthenticated attacker to cause a denial of service or potentially execute arbitrary code on a vulnerable system.

Attackers may cause a denial of service attack against affected versions of Windows by causing Windows devices to connect to a malicious SMB share. US-CERT notes that the possibility exists that the vulnerability may be exploited to execute arbitrary code with Windows kernel privileges.

Attacked systems may throw a blue-screen on successful attacks.

[...] US-CERT confirmed the vulnerability on fully-patched Windows 8.1 and Windows 10 client systems. Bleeping Computer notes that security researcher PythonResponder claimed that it affects Windows Server 2012 and 2016 as well. While there is no official confirmation of that yet, it seems likely that the Server products are also affected by the vulnerability.

[...] Microsoft has not released a security advisory yet, but it is probably only a matter of time before the company publishes a security advisory to inform customers about the vulnerability and mitigation options. US-CERT recommends blocking outbound SMB connections on TCP ports 139 and 445, and UDP ports 137 and 138, from the local network to the WAN to protect Windows devices.

Source: http://www.ghacks.net/2017/02/03/smb-zero-day-affecting-windows-8-10-and-server/
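The US-CERT mitigation quoted above is an egress rule: SMB/NetBIOS ports (TCP 139 and 445, UDP 137 and 138) from the local network to the WAN. The following is an added example, not code from the ghacks article or the US-CERT note, that models that rule in Python and runs it over a few constructed connection-log lines to show which flows it catches and which it deliberately leaves alone. The log format, the addresses and the `Egress` record are assumptions made up for the example; the set of "local" networks is RFC 1918 plus loopback and link-local.

```python
"""
Model of the US-CERT egress rule for the SMB zero-day: block outbound
SMB/NetBIOS (TCP 139, 445; UDP 137, 138) from the local network to the WAN.

The log format below is constructed for this example; it is not a real
Windows Filtering Platform or firewall log format.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional

SMB_TCP_PORTS = {139, 445}   # NetBIOS session service, SMB over TCP
SMB_UDP_PORTS = {137, 138}   # NetBIOS name service, datagram service

# Address space that counts as "the local network"; anything else is "the WAN".
# Listed explicitly rather than via ipaddress.is_private so that documentation
# ranges (e.g. 203.0.113.0/24) can stand in for Internet addresses below.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]


class Egress(NamedTuple):
    proto: str   # "tcp" or "udp"
    src: str     # source IP (a client on the LAN)
    dst: str     # destination IP
    dport: int   # destination port


def is_local(addr: str) -> bool:
    """True if the address stays inside the site (RFC 1918, loopback, link-local)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def is_smb_to_wan(e: Egress) -> bool:
    """True if the flow matches the US-CERT rule: SMB/NetBIOS port AND WAN destination."""
    if e.proto == "tcp":
        smb = e.dport in SMB_TCP_PORTS
    elif e.proto == "udp":
        smb = e.dport in SMB_UDP_PORTS
    else:
        return False
    return smb and not is_local(e.dst)


# Constructed sample log: timestamp, verdict, proto, src:port -> dst:port
SAMPLE_LOG = """\
2017-02-04T02:10:01Z ALLOW tcp 192.168.1.23:49831 -> 192.168.1.5:445
2017-02-04T02:10:07Z ALLOW tcp 192.168.1.23:49840 -> 203.0.113.10:445
2017-02-04T02:10:07Z ALLOW udp 192.168.1.23:137 -> 203.0.113.10:137
2017-02-04T02:10:09Z ALLOW tcp 192.168.1.23:49844 -> 203.0.113.10:443
2017-02-04T02:10:12Z ALLOW tcp 192.168.1.40:50011 -> 10.0.0.8:139
"""

LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) (tcp|udp) (\S+):(\d+) -> (\S+):(\d+)$")


def parse_line(line: str) -> Optional[Egress]:
    """Parse one constructed log line into an Egress record, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, _action, proto, src, _sport, dst, dport = m.groups()
    return Egress(proto, src, dst, int(dport))


def find_smb_to_wan(log: str) -> List[Egress]:
    """Return every flow in the log that the US-CERT egress rule would block."""
    hits = []
    for line in log.splitlines():
        e = parse_line(line)
        if e is not None and is_smb_to_wan(e):
            hits.append(e)
    return hits


if __name__ == "__main__":
    for hit in find_smb_to_wan(SAMPLE_LOG):
        print(f"would be blocked: {hit.proto} {hit.src} -> {hit.dst}:{hit.dport}")
```

Run against the sample, only the two flows to 203.0.113.10 on 445/tcp and 137/udp are flagged; SMB to the file server at 192.168.1.5 and the host at 10.0.0.8 passes, as does HTTPS to the same external address. That matches the scope of the recommendation exactly, which is also its limit: a malicious share reachable inside the local network is not covered by a LAN-to-WAN rule.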



  • (Score: 2, Insightful) by Anonymous Coward on Saturday February 04 2017, @03:20AM

    by Anonymous Coward on Saturday February 04 2017, @03:20AM (#462721)

    US-CERT recommends to block outbound SMB connections on TCP port 139 and 445, and UDP ports 137 and 138
    This is new? No one would want to hang an SMB share on the wild internet? Am I missing something?

  • (Score: 2) by c0lo on Saturday February 04 2017, @04:13AM

    by c0lo (156) Subscriber Badge on Saturday February 04 2017, @04:13AM (#462740) Journal

    Wanna bet? [google.com]

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 2) by zeigerpuppy on Saturday February 04 2017, @04:45AM

      by zeigerpuppy (1298) on Saturday February 04 2017, @04:45AM (#462753)

      to be fair, most of the links that come up in that search say "don't do it!".

      the main reasons they list are:
      - poor protocol for high latency connections
      - insecure (not encrypted)
      - ports often blocked by ISPs

      in the first 5 links I read, the recommendations were:
      - use SCP instead
      - use WebDAV over HTTPS
      - if you must use SMB, tunnel it over a VPN or SSH tunnel

      all of this should be obvious and it looks like most of the people who persisted in exposing SMB hardly had the technical understanding to succeed.
      In my experience SMB is nasty enough on a local network, not to mention exposing it!

  • (Score: 0) by Anonymous Coward on Saturday February 04 2017, @04:37AM

    by Anonymous Coward on Saturday February 04 2017, @04:37AM (#462750)

    Note that its outgoing SMB. I know I normally worry less about outgoing compared to incoming.

    • (Score: 1) by andersjm on Saturday February 04 2017, @11:22AM

      by andersjm (3931) on Saturday February 04 2017, @11:22AM (#462815)

      The bad news is that it might be very easy to trick a target into accessing an attacker-controlled share.

      I wonder what an XMLHttpRequest for \\evil.invalid\evil\evil.html embedded in a malvertisement would do in Internet Explorer? I don't have an MSWin computer nearby, so I can't try myself.

      • (Score: 2, Informative) by Anonymous Coward on Sunday February 05 2017, @08:25AM

        by Anonymous Coward on Sunday February 05 2017, @08:25AM (#463063)

        It's simpler than an XMLHttpRequest. All it would take is embedding an image into a page that pointed to a malicious server. Both IE and Edge will attempt to load images over SMB.

        Then again, why bother with malvertising when you can just get the user's username and password for their computer by embedding an image on a specially hosted webserver?

        https://www.bleepingcomputer.com/news/security/understanding-the-windows-credential-leak-flaw-and-how-to-prevent-it/ [bleepingcomputer.com]