posted by janrinok on Wednesday June 15 2016, @07:27PM   Printer-friendly
from the physical-access-required dept.

"Microsoft is today closing off a vulnerability that one Chinese researcher claims has "probably the widest impact in the history of Windows." Every version of the Microsoft operating system going back to Windows 95 is affected, leaving anyone still running unsupported operating systems, such as XP, in danger of being surreptitiously surveilled.

According to Yang Yu, founder of Tencent's Xuanwu Lab, the bug can be exploited silently with a "near-perfect success rate", as the problems lie in the design of Windows. The ultimate impact? An attacker can hijack all a target's web use, granting the hacker "Big Brother power", as soon as the victim opens a link or plugs in a USB stick, claimed Yu. He received $50,000 from Microsoft's bug bounty program for uncovering the weakness, which the researcher has dubbed BadTunnel. Microsoft issued a fix today in its Patch Tuesday list of updates.

"Even security software equipped with active defense mechanisms is not able to detect the attack," Yu told FORBES. "Of course it is capable of executing malicious code on the target system if required.""

Complete Story:

http://www.forbes.com/sites/thomasbrewster/2016/06/14/microsoft-badtunnel-big-brother-windows-vulnerability/ [Requires cancellation of AdBlocker to view]
(Archived) https://archive.is/6My6c [ Viewable by all]



  • (Score: 2) by tangomargarine on Wednesday June 15 2016, @07:35PM

    by tangomargarine (667) on Wednesday June 15 2016, @07:35PM (#360714)

    in danger of being surreptitiously surveilled.

    As opposed to being officially surveilled, har har.

    No wait, that's surreptitious, too.

    --
    "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
  • (Score: 4, Informative) by frojack on Wednesday June 15 2016, @07:59PM

    by frojack (1554) on Wednesday June 15 2016, @07:59PM (#360719) Journal

    To disable NetBIOS over TCP/IP support:
    1. From the Network and Dial-up Connections icon in Control Panel, select Local Area Connection, right-click it and choose Properties.
    2. On the General tab, click Internet Protocol (TCP/IP) in the list of components, and click the Properties button.
    3. Click the Advanced button.
    4. Click the WINS tab. Click Disable NetBIOS over TCP/IP.

    Seriously, I haven't a single machine with NETBIOS over TCP running. I remember it in the distant past.

    --
    No, you are mistaken. I've always had this sig.
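
The same change, done for every adapter at once rather than through each connection's WINS tab, as an added example that is not from the commenter above. It uses the documented Win32_NetworkAdapterConfiguration WMI class and its SetTcpipNetbios method (option value 2 = disabled), then writes the same NetbiosOptions value into each Tcpip_{GUID} interface key under the NetBT service so adapters that are currently down are covered too. It only reaches adapters present when it runs, so it does not by itself solve the objection raised in the reply below about newly created connections; it can be re-run or scheduled. The port checks at the end assume the NetTCPIP cmdlets (Windows 8 / Server 2012 and later); everything else works on Windows 7. Run it from an elevated PowerShell.

```powershell
# Added example (not from the thread): audit and disable NetBIOS over TCP/IP
# on every IP-enabled adapter instead of clicking through each connection.
# TcpipNetbiosOptions values per the WMI documentation:
#   0 = use DHCP/default, 1 = enabled, 2 = disabled.
$Disabled = 2

function Get-NetBtState {
    # One row per IP-enabled adapter with its current NetBT setting.
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
        Select-Object Description, IPAddress, TcpipNetbiosOptions
}

"Before:"
Get-NetBtState | Format-Table -AutoSize

# Disable NetBT on each adapter that does not already have it disabled.
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
    Where-Object { $_.TcpipNetbiosOptions -ne $Disabled } |
    ForEach-Object {
        $result = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                      -Arguments @{ TcpipNetbiosOptions = $Disabled }
        # Documented return codes: 0 = success, 1 = success but reboot required.
        "{0}: SetTcpipNetbios returned {1}" -f $_.Description, $result.ReturnValue
    }

# Cover interfaces NetBT knows about that are not IP-enabled right now
# (adapters that are down), by setting the same option in the registry.
$ifaceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem $ifaceRoot | Where-Object { $_.PSChildName -like 'Tcpip_*' } |
    ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value $Disabled -Type DWord
    }

"After:"
Get-NetBtState | Format-Table -AutoSize

# Verification (Windows 8+ cmdlets): after a reboot nothing should be bound to
# the NetBT ports 137/udp, 138/udp and 139/tcp. Empty output is the goal.
"NetBT endpoints still open:"
Get-NetUDPEndpoint | Where-Object { $_.LocalPort -in 137, 138 }
Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -eq 139 }
```

The registry write is what makes the setting stick for adapters that were not up at the time; the WMI method alone only touches adapters that currently have an IP configuration. Check the "After:" table shows 2 in the TcpipNetbiosOptions column for every row before trusting the change.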
    • (Score: 0) by Anonymous Coward on Thursday June 16 2016, @06:21PM

      by Anonymous Coward on Thursday June 16 2016, @06:21PM (#361201)

      One major issue: NetBios has to be manually disabled for every connection.

      Including virtual (and on the fly) ones, and including "hey I am tethered via a different USB port than last time so now this is a new WhateverConnection#5"

      • (Score: 2) by frojack on Thursday June 16 2016, @07:03PM

        by frojack (1554) on Thursday June 16 2016, @07:03PM (#361226) Journal

        In some old versions, yes. But it is typically not even installed anymore on later windows OSs.

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 0) by Anonymous Coward on Thursday June 16 2016, @08:09PM

          by Anonymous Coward on Thursday June 16 2016, @08:09PM (#361256)

          Frojack that is NOT TRUE. I tested on win7 and GP's method was the only way I could find without powershell or regedit. Win7 and Win10 DEFINITELY have NetBIOS installed by default, for every OEM instance I've deployed.

          Frojack we love you but please stop posting misinformation. Don't bullshit. In fact please read http://www.stoa.org.uk/topics/bullshit/pdf/on-bullshit.pdf [stoa.org.uk] and take it to heart. Care about the truth or we'll stop caring about you.

  • (Score: 2, Interesting) by Anonymous Coward on Wednesday June 15 2016, @08:13PM

    by Anonymous Coward on Wednesday June 15 2016, @08:13PM (#360727)

    I've got over a dozen zero day exploits for MS windows and every other popular OS, only 6 for the BSDs though.

    I only ever tried to go the responsible disclosure route once with MS. Until the bug starts getting exploited severely MS doesn't do shit. If they were FLOSS I could just make a patch and submit it. Such patches to Linux or BSD distros get fixed in a day, mostly a week, but sometimes a month. MS took 5 years, and only patched the vulnerability I discovered after it was running rampant in the wild.

    Nowadays I just make a proof of concept together, add a wrapper for the payload deployment API, encrypt the white paper and bug and add it to my insurance files. I could sell them on the black market, but I'm not a (giant) dick. Eventually the OS gets upgraded enough that the bugs stop working... However one of my undisclosed 0-day vulns works against every version of Windows since XP.

    At this point we should just acknowledge that "Computer Security" is an oxymoron.

    • (Score: 2) by SomeGuy on Thursday June 16 2016, @12:05AM

      by SomeGuy (5632) on Thursday June 16 2016, @12:05AM (#360806)

      "But if you install the latest Windows 10 and keep up to date you will be perfectly secure!!!"

      I'm just saying that is what probably 99% of the people out there honestly believe. They shit themselves and hug their blue security blankey whenever they see a computer that is (responsibly) running an older, unsupported, version of Windows.

      They don't believe me when I tell them there are security holes in what they are running right NOW. (I'm not a security expert or anything, I am just cursed with possessing common sense - any sizable code base like Windows will have bugs and exploits)

      • (Score: 2) by mcgrew on Thursday June 16 2016, @03:41PM

        by mcgrew (701) <publish@mcgrewbooks.com> on Thursday June 16 2016, @03:41PM (#361087) Homepage Journal

        As you say, no computer is 100% secure. That said, there's no way I'd plug the old XP tower into my network. Hated Windows 10, have W7 Home Premium on the big laptop ($150 at a pawn shop) and W7 starter and kubuntu on the little Acer. The HP installed updates and booted itself last night, I forgot to plug the Acer in and it was hibernating this morning.

        That said, in 35 years of using computers I've only been bitten twice: Once with Michelangelo back in the early '90s I got from taking work home (there was a highly educated but stupid woman who kept infecting the office) and early this century when my then teenaged daughter played a Sony-BMG CD in the computer and infected it with the EVIL Sony's XCP malware.

        Never again will I buy another Sony product. Buying digital gear from someone proven to deliberately spread malware is brain-dead stupid.

        --
        mcgrewbooks.com mcgrew.info nooze.org
  • (Score: 5, Informative) by jmorris on Wednesday June 15 2016, @08:45PM

    by jmorris (4844) on Wednesday June 15 2016, @08:45PM (#360734)

    NetBIOS is a roach motel, yea we all know that. If your firewall hasn't been dropping all traffic, in or out, on ports 135:139 and 445 for the last decade I want to question your security because you probably don't have it if you missed the obvious things. Trying to make Windows safe isn't possible, minimizing the impact of it infesting the Internet is the only path. Keep it off of your networks to the maximum extent possible, wall off what you end up having to keep as securely as possible to contain the damage when, not if, it goes bad.
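
The "local use only" treatment of ports 135, 137-139 and 445 described above, expressed as host-firewall rules, as an added example that is not the commenter's own. The thread's advice is to drop this traffic at the router; these rules are the host-side complement for machines that leave the LAN. Because Windows Firewall cannot express "everything except the local network" in one scope, the rule uses explicit IPv4 ranges covering all public address space while skipping 10/8, 127/8, 169.254/16, 172.16/12 and 192.168/16, so LAN file sharing keeps working; for IPv6 it blocks 2000::/3 (global unicast) and leaves link-local and unique-local alone. Cmdlets are from the NetSecurity module (Windows 8 / Server 2012 and later); the rule names and group name are my own. Run from an elevated PowerShell.

```powershell
# Added example (not from the thread): keep the Windows networking ports
# from ever talking to, or being reached from, non-local addresses.
$Ports = @('135', '137-139', '445')

# All public IPv4 space, written as ranges that skip the private/loopback/
# link-local blocks so the rule does not break sharing on the LAN itself.
$NonLocalV4 = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.0-169.253.255.255',
    '169.255.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)
# Global unicast IPv6; fe80::/10 and fc00::/7 fall outside this and stay allowed.
$NonLocalV6 = @('2000::/3')
$Group = 'NetBIOS-SMB containment (example)'   # hypothetical group name

function Add-ContainmentRule {
    param([string]$Direction, [string]$Protocol, [string[]]$Remote, [string]$Suffix)
    $name = "Block $Protocol $Direction $Suffix"
    # Idempotent: replace a rule of the same name if the script is re-run.
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    $params = @{
        DisplayName   = $name
        Group         = $Group
        Direction     = $Direction
        Action        = 'Block'
        Protocol      = $Protocol
        RemoteAddress = $Remote
        Profile       = 'Any'
    }
    # Outbound rules match on the remote port, inbound rules on our local port.
    if ($Direction -eq 'Outbound') { $params.RemotePort = $Ports } else { $params.LocalPort = $Ports }
    New-NetFirewallRule @params | Out-Null
}

foreach ($dir in 'Inbound', 'Outbound') {
    foreach ($proto in 'TCP', 'UDP') {
        Add-ContainmentRule -Direction $dir -Protocol $proto -Remote $NonLocalV4 -Suffix 'to non-RFC1918 IPv4'
        Add-ContainmentRule -Direction $dir -Protocol $proto -Remote $NonLocalV6 -Suffix 'to global IPv6'
    }
}

# Review what was created: rule name, direction, ports and remote scope.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Direction = $_.Direction
        Ports     = if ($_.Direction -eq 'Outbound') { $port.RemotePort } else { $port.LocalPort }
        Remote    = ($addr.RemoteAddress -join ', ')
    }
} | Format-Table -AutoSize -Wrap
```

Block rules win over allow rules in Windows Firewall, which is why the scope has to be built into the block rule itself rather than added as a LocalSubnet allow rule afterwards. If a site uses public IPv4 addresses internally, or SMB to a cloud file service, those ranges need to be carved out of $NonLocalV4 before the rules are applied.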

    • (Score: 0) by Anonymous Coward on Wednesday June 15 2016, @08:53PM

      by Anonymous Coward on Wednesday June 15 2016, @08:53PM (#360736)

      Lol, hype of nothing? Pretty sure this is rather big tech news which will hopefully make more people realize how insecure their systems are.

      • (Score: 4, Informative) by jmorris on Wednesday June 15 2016, @09:27PM

        by jmorris (4844) on Wednesday June 15 2016, @09:27PM (#360756)

        Any admin so clueless as to have left the needed ports open isn't likely to get this clue either. We have all known since the 1990s that the Windows networking protocols are an unfixable mess and that the only solution is to firewall it off so it can't enter or leave the local LAN. This exploit is just another chapter in the same sad story of fail by Microsoft. The only good thing about Microsoft networking is they only use the six ports I mentioned above so it is pretty simple to block it at the router. None of those ports should be active on the Internet, they should be treated as 'local use only' like the 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 blocks of IP addresses and dropped on sight.

        • (Score: 2) by NotSanguine on Wednesday June 15 2016, @09:46PM

          Absolutely. I'd also point out that NetBIOS (over TCP/IP or, heaven forbid, straight up) hasn't been necessary in Windows environments since Windows 2000 [wikipedia.org]/Active Directory [wikipedia.org] was released.

          --
          No, no, you're not thinking; you're just being logical. --Niels Bohr
          • (Score: 0) by Anonymous Coward on Thursday June 16 2016, @02:43AM

            by Anonymous Coward on Thursday June 16 2016, @02:43AM (#360843)

            not true. netbios straight up is called netbeui. it is not in use anymore.
            it was possible to add only this network protocol to a network adaptor without tcp/ip. so the computer has no ip address but could share a file (for example) just fine on the local network.
            i actually had a mainboard with two network cards and bound tcp/ip without netbios to one and only netbeui to the other.

            i personally think that there should be something "more" in the network world, not just tcp/ip (in whatever version).
            i cannot understand why it would be used in a lan.
            tcp/ip is the internet. the network protocol used inside a lan to network devices should be something completely different (and non-routable).

            forgive tablet typos :)

            • (Score: 2) by NotSanguine on Thursday June 16 2016, @10:55AM

              not true. netbios straight up is calles [sic] netbeui. it is not in use anymore.

              NetBEUI was just one of several underlying protocols used by LAN Manager and early Windows products. NetBIOS, as an (OSI) Layer 4 is/was supported by a variety of underlying protocols.

              it was possible to add only this network protocol to a network adaptor without tcp/ip. so the computer has no ip address but could share a file (for example) just fine on the local network.

              In fact, there was a time when IBM-PC and compatible operating systems didn't have integrated TCP/IP stacks at all, and 3rd party stacks (notably, FTP Software's stack), mostly on top of the Packet Driver [wikipedia.org] specification back in the 1980s. Phil Karn's KA9Q NOS [wikipedia.org] was one of the first full featured TCP/IP implementations for CP/M and DOS.

              I had the pleasure of working with those long before Microsoft (or IBM, for that matter) offered their first integrated TCP/IP stacks.

              i personally think that there should be something "more" in the network world, not just tcp/ip (in whatever version).
              i cannot understand why it would be used in a lan.
              tcp/ip is the internet. the network protocol used inside a lan to network devices should be something completely different (and non-routable).

              There are quite a few other (primarily historical at this point) networking protocols which had no routing capabilities. However, TCP/IP has become ubiquitous and well it should, as it is more versatile and more widely supported than any other networking stack.

              As for TCP/IP being "The Internet" and not suitable for LANs, you're talking out of your ass and it smells that way too. TCP/IP works quite nicely as a LAN protocol and doesn't have to be routed at all, assuming you have a single network segment.

              There's a great deal more in terms of the history and development of physical, data-link, network, transport, and session layer protocols which I haven't touched upon here. You might want to educate yourself, friend.

              You seem to be confused as to how various networking protocols fit into the OSI Model [wikipedia.org]. While it's unnecessary for most people to understand this stuff anymore, if you're going to make broad pronouncements, you should probably get your facts straight. Just a crazy thought.

              --
              No, no, you're not thinking; you're just being logical. --Niels Bohr
    • (Score: 2) by DannyB on Wednesday June 15 2016, @09:03PM

      by DannyB (5839) Subscriber Badge on Wednesday June 15 2016, @09:03PM (#360742) Journal

      I thought that NetBIOS was the butt sniffing protocol that Windows machines use to find each other on a local area network.

      --
      A 'midden heap' is a reserved area of memory that the Java GC simply refuses to service.
      • (Score: 2) by frojack on Wednesday June 15 2016, @09:31PM

        by frojack (1554) on Wednesday June 15 2016, @09:31PM (#360761) Journal

        Pretty much, it was.

        However somewhere halfway through the life of Windows 98 it became optional as they went straight TCP for that, and sane people turned off netbios over tcp.

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 0) by Anonymous Coward on Thursday June 16 2016, @03:52AM

          by Anonymous Coward on Thursday June 16 2016, @03:52AM (#360864)

          I do a surprisingly large amount of networking over IPX/SPX. One benefit is that I'm really certain none of that goes out over the Internet. I just wish newer OSes still supported it.

          • (Score: 2) by maxwell demon on Thursday June 16 2016, @06:34AM

            by maxwell demon (1608) on Thursday June 16 2016, @06:34AM (#360895) Journal

            Of course NetBIOS is not IPX. There is, however, a NetBIOS over IPX, just as there is a NetBIOS over TCP.

            --
            The Tao of math: The numbers you can count are not the real numbers.
            • (Score: 0) by Anonymous Coward on Thursday June 16 2016, @04:52PM

              by Anonymous Coward on Thursday June 16 2016, @04:52PM (#361142)

              Different AC here, but I'm pretty sure anyone who knows what IPX is is probably aware of the network protocol stack and that NetBIOS is higher on said stack than TCP/IP and IPX/SPX.

  • (Score: 4, Touché) by Anonymous Coward on Wednesday June 15 2016, @09:10PM

    by Anonymous Coward on Wednesday June 15 2016, @09:10PM (#360746)

    Because it's wide open to the world.

    • (Score: 0) by Anonymous Coward on Wednesday June 15 2016, @10:14PM

      by Anonymous Coward on Wednesday June 15 2016, @10:14PM (#360779)

      Nah, it's called windows because every fucking thing is a "window". The screen is a window, the application is a window, the buttons are windows, etc.

      They should have called it widgets. Window = Widget is MS Windows, at least at the low level implementation details. So many fucking inefficient event pumps, it's enough to blow a gasket.

      Reminds me of games that use the hammer approach with the "Entity Component" model. Marginally easier to program because everything is just an entity with a bunch of components attached, but fucking painful as hell to debug because that's essentially type erasure + mono-typing. Same thing with MS Windows. It's a bitch to debug because everything is a window with stream of events, and there's no good way to record and play back the event stream exactly due to timers and other things so bugs can disappear into the fray and lie dormant for decades.

      Not this bug though. This bug is a batshit stupid bug in a core API that should have been fuzz tested and hardened at least once in these past 20 years. Then you realize it's in the friends of MS's best interest (intelligence agencies) for MS Windows to be a pile of insecure shite.

      • (Score: 3, Interesting) by SDRefugee on Wednesday June 15 2016, @10:27PM

        by SDRefugee (4477) on Wednesday June 15 2016, @10:27PM (#360786)

        I used/supported Windows from 1991 to 2010, but when I retired I decided I was *done* with ANY MS product. Since 2010, it's Linux only.. Looks like I'm gonna have to dump LinkedIn since MS has announced they're absorbing it.. FUCK YOU MICROSOFT!! (somebody *had* to say it..)

        --
        America should be proud of Edward Snowden, the hero, whether they know it or not..
        • (Score: 2) by mcgrew on Thursday June 16 2016, @03:46PM

          by mcgrew (701) <publish@mcgrewbooks.com> on Thursday June 16 2016, @03:46PM (#361092) Homepage Journal

          That was my plan, too, but since I retired I've been submitting stories to SF magazines and almost all of them demand Word format, which M$ makes sure the open source word processors (Oo is my favorite, I do all my writing in it and copy/paste to Word before submitting).

          --
          mcgrewbooks.com mcgrew.info nooze.org
  • (Score: 4, Informative) by NotSanguine on Wednesday June 15 2016, @09:41PM

    Without the relevant vulnerability info:

    Microsoft Security Bulletin MS16-077 [microsoft.com].
    A CVE (CVE-2016-3213) has been assigned, but is currently only a placeholder [mitre.org] as Microsoft (surprise, surprise) hasn't updated the CVE/NVD databases.

    Better treatments of the issue/patch can be found at:
    Threatpost [threatpost.com] and Information Week [darkreading.com].

    While there are no known exploits in the wild, chaining the vulnerabilities to exploit this issue isn't very complicated.

    On a related note, El Reg [theregister.co.uk] has reported that another MS security fix (MS16-072, CVE-2016-3223 -- again, shockingly, Microsoft has not updated the assigned CVE) breaks group policy elements exposing hidden drive letters to end users.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
  • (Score: 5, Insightful) by Anonymous Coward on Wednesday June 15 2016, @10:55PM

    by Anonymous Coward on Wednesday June 15 2016, @10:55PM (#360790)

    Microsoft has done such a good job pissing people off with Windows 10 sneakware, and Telemetry Spyware, that people have turned off the updates. What's not to say that this patch will require a tool that mandates an upgrade to Windows 10?

    • (Score: 2) by mcgrew on Thursday June 16 2016, @03:48PM

      by mcgrew (701) <publish@mcgrewbooks.com> on Thursday June 16 2016, @03:48PM (#361094) Homepage Journal

      You can't reinstall W7? That's odd, I had no trouble rolling back to 7 when I tried 10 and saw how awful it was. Actually it was worse than awful, it was offal.

      --
      mcgrewbooks.com mcgrew.info nooze.org
      • (Score: 0) by Anonymous Coward on Thursday June 16 2016, @04:55PM

        by Anonymous Coward on Thursday June 16 2016, @04:55PM (#361147)

        Be sure to check your scheduled tasks. A well-known bug in the rollback process is improper recreation of the task files.

  • (Score: 0) by Anonymous Coward on Thursday June 16 2016, @01:02AM

    by Anonymous Coward on Thursday June 16 2016, @01:02AM (#360825)

    Skip the bash here.

    The idea of punching a hole in your NAT router to make this work is pretty interesting. He can launch an attack from any computer type. Which is interesting too.

    Did he create a whole new class of vulns that we will be chasing at the NAT layer for years to come?

    • (Score: 0) by Anonymous Coward on Thursday June 16 2016, @02:48AM

      by Anonymous Coward on Thursday June 16 2016, @02:48AM (#360847)

      does it work with nat-less ipv6 toooooo?

      • (Score: 0) by Anonymous Coward on Thursday June 16 2016, @10:28PM

        by Anonymous Coward on Thursday June 16 2016, @10:28PM (#361306)

        Most ipv6 from my understanding is just a straight firewall. So probably not. It is the ipv4 bit where most things are under NAT.

  • (Score: 1) by Ambient Sheep on Friday June 17 2016, @02:59AM

    by Ambient Sheep (2148) on Friday June 17 2016, @02:59AM (#361380)

    I remember us all being told to turn off NetBIOS back in the 1990s. Surprised that anybody still has it on.

  • (Score: 0) by Anonymous Coward on Tuesday June 28 2016, @10:47PM

    by Anonymous Coward on Tuesday June 28 2016, @10:47PM (#367311)

    $50K for a Netbios security flaw which is very widely known to be insecure and is mostly obsolete? Sounds suspicious?