Microsoft Patches Six Zero-Day Security Holes(krebsonsecurity.com)
krebsonsecurity.com
Microsoft Patches Six Zero-Day Security Holes
https://krebsonsecurity.com/2021/06/microsoft-patches-six-zero-day-security-holes/
78 comments
Extended Support ended January 14, 2020, however Microsoft is offering Extended Security Updates (ESU) until January, 2023. It's a paid program to extend security patches, having to be paid once a year for each of the 3 years; so only truly desperate companies are paying for this privilege.
[1] https://docs.microsoft.com/en-us/lifecycle/faq/extended-secu...
[2] https://techcommunity.microsoft.com/t5/windows-it-pro-blog/y...
[1] https://docs.microsoft.com/en-us/lifecycle/faq/extended-secu...
[2] https://techcommunity.microsoft.com/t5/windows-it-pro-blog/y...
But the Update Catalog shows updates that you can apparently download as usual for Windows 7 in this case. There is a specific rationale given on at least one of the reports[1] for why a patch is still being issued even though Windows 7 is out of support. So I'm not sure this time it has anything to do with ESU.
[1] https://msrc.microsoft.com/update-guide/en-US/vulnerability/...
[1] https://msrc.microsoft.com/update-guide/en-US/vulnerability/...
Last week I saw a friend using dot net software that scrapes the Catalog, automatically downloads all patches and applies them to the system. It's apparently common in enterprises without an ESU subscription... I was quite surprised and amused
If that software is available to the public it would be a great service to name or link it if you can find out what it is.
It's not public because of licensing. But it's a simple reimplementation of https://www.wsusoffline.net.
Source code here: https://gitlab.com/wsusoffline/wsusoffline
Source code here: https://gitlab.com/wsusoffline/wsusoffline
Hahah, that's actually awesome. Of course someone out there put in the leg work to work around the licensing issue, and then shared it to the (minor?) masses.
Incidentally I just finished building a new Win7 machine yesterday and applying all the updates.
You are correct, this one wasn't caught organically through Windows Update. I had to install the KB4555449 Servicing Stack update first (https://www.catalog.update.microsoft.com/Search.aspx?q=KB455...), after which I was able to install the patch you linked. Did it on two machines (one freshly formatted, one old) and it took several minutes on each to install (longer than a typical update), and required a reboot after.
You are correct, this one wasn't caught organically through Windows Update. I had to install the KB4555449 Servicing Stack update first (https://www.catalog.update.microsoft.com/Search.aspx?q=KB455...), after which I was able to install the patch you linked. Did it on two machines (one freshly formatted, one old) and it took several minutes on each to install (longer than a typical update), and required a reboot after.
Rollup Patches following 2020-01 will install and then rollback after reboot if you're not following the ESU requirements. Most likely the new patch just rollbacked and you're still on KB4534310.
paulpauper(1)
maxrev17(1)
are these the six zero days that were used to get those bit coins back?
State actors don't need zero days to take control of a rented server.
Do the Microsoft links not work for anyone else too? I get a "Something went wrong" error on all the links. Would like to read more about specific vulns.
Microsoft is asking the user to enable Javascript. There is no technical reason in this case why Javascript is necessary.
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/...
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/...
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/...
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/...
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/...
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/...
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/...
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/...
To add insult to injury, Microsoft's server refuses to honour the Accept-Encoding header, e.g., setting the value to "identity" has no effect. It returns compressed content no matter what, even when the content size is very small.
To create a simple HTML page with all the info you need, no Javascript required
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/...
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/...
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/...
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/...
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/...
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/...
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/...
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/...
To add insult to injury, Microsoft's server refuses to honour the Accept-Encoding header, e.g., setting the value to "identity" has no effect. It returns compressed content no matter what, even when the content size is very small.
To create a simple HTML page with all the info you need, no Javascript required
sed '/^e/!s/^/url=/'<<eof|curl -K-|gzip -dc|sed 's/",/\"<br>/g;s/\\n//g' > 1.htm
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-33742
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31955
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31956
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-33739
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31201
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31199
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31959
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31963
eof
firefox ./1.htm tnftp instead of curl
ftp -4o'|zcat' $(printf "%s\40" $(cat<<eof
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-33742
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31955
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31956
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-33739
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31201
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31199
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31959
https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31963
eof
))|sed 's/",/\"<br>/g;s/\\n//g' > 1.htm;
firefox ./1.htm[deleted]
I love your use of piped commands in your comment history, thanks so much for these examples.
Wow... patch tuesday analysis from a reporter who doesn't know how virus total works https://twitter.com/silascutler/status/1383085248381128715
There is nothing in their terms of service or privacy policy that says personal information can't be used for an ongoing investigation.. just that it can't be used by "the Community". They even say that they collect personal information when submitting. When it is shared with the Community at large, it is assigned a non-personal identifier.
I view Krebs as a tabloid. It is a stopgap for layman's with slightly above average opsec knowledge. It is rather dangerous because he is wrong or misrepresents reality rather often. And there's something sensationalist about every article. They always have this rushed, panic driven, sophomoric writing style.
To quote a comment I read on HN once, "Krebs is a security entertainer, not a security researcher."
To quote a comment I read on HN once, "Krebs is a security entertainer, not a security researcher."
Could you provide some examples to bolster your claim about this person's journalistic integrity?
There are some technical details that may be abstracted or analogized in less-than-accurate fashion, but I don't recall reading an article or post and thinking "gosh, that's just _wrong_"
There are some technical details that may be abstracted or analogized in less-than-accurate fashion, but I don't recall reading an article or post and thinking "gosh, that's just _wrong_"
Ok,
[1] https://itwire.com/security/infosec-researchers-slam-ex-wapo...
[2] Note: This looks like the same issue as above, but it is separate; https://itwire.com/security/krebs-accused-of-doxxing-man-bas...
To his credit, he never claims to be a hands-on researcher who disassembles and analyzes malware himself. I guess that's why I scratch my head when people point to his work as substantial. He has no skin in the game, no hands on technical experience, and just reblogs more technical articles from actual experts. His only real experience is getting personally hacked and hijacked.
Also, to clarify I never questioned his journalistic integrity. I just think he's a mediocre writer. It's his style that I, personally, don't like. One thing he does that I can't wrap my head around is writing about himself in the third person. He uses phrases like "...this author..." in reference to himself. Most authors would not be injecting themselves into a journalistic piece in the first place, but to do it with such bravado is awkward for the reader. Am I supposed to be impressed that you operate a WordPress blog?
[1] https://itwire.com/security/infosec-researchers-slam-ex-wapo...
[2] Note: This looks like the same issue as above, but it is separate; https://itwire.com/security/krebs-accused-of-doxxing-man-bas...
To his credit, he never claims to be a hands-on researcher who disassembles and analyzes malware himself. I guess that's why I scratch my head when people point to his work as substantial. He has no skin in the game, no hands on technical experience, and just reblogs more technical articles from actual experts. His only real experience is getting personally hacked and hijacked.
Also, to clarify I never questioned his journalistic integrity. I just think he's a mediocre writer. It's his style that I, personally, don't like. One thing he does that I can't wrap my head around is writing about himself in the third person. He uses phrases like "...this author..." in reference to himself. Most authors would not be injecting themselves into a journalistic piece in the first place, but to do it with such bravado is awkward for the reader. Am I supposed to be impressed that you operate a WordPress blog?
He's generally a "good guy", but if you haven't figured out he's a cowboy, just read more of his shit.
Any of it, really.
Any of it, really.
[deleted]
Are these on the same level as Stuxnet? For an amazing technical deep dive into each 0-day Stuxnet vulnerability watch this talk with Bruce Dang from Microsoft[1]. I really enjoy his natural speaking style (it's like talking about Stuxnet over beers with him).
[1] https://youtu.be/rOwMW6agpTI?t=409
[1] https://youtu.be/rOwMW6agpTI?t=409
–CVE-2021-33742, a remote code execution bug in a Windows HTML component.
The only one that stands out as being a real concern, but who's willing to bet it requires JS to exploit (or even if not, the attackers prefer to obfuscate it using JS)? Turning off JS by default in IE is probably the single most effective way of preventing these attacks. Even if you don't use IE, it'll greatly reduce the attack surface. I've browsed the shadier parts of the Internet for literally decades this way.
The only one that stands out as being a real concern, but who's willing to bet it requires JS to exploit (or even if not, the attackers prefer to obfuscate it using JS)? Turning off JS by default in IE is probably the single most effective way of preventing these attacks. Even if you don't use IE, it'll greatly reduce the attack surface. I've browsed the shadier parts of the Internet for literally decades this way.
> Turning off JS by default in IE
But the only reason to use IE is for enterprise apps that probably require JavaScript to function.
And the ability to toggle JavaScript is probably locked down by Mordac the Preventer, aka group policy.
But the only reason to use IE is for enterprise apps that probably require JavaScript to function.
And the ability to toggle JavaScript is probably locked down by Mordac the Preventer, aka group policy.
Fortunately IE lets you apply different settings to groups of sites, so you can stop JS from any random site on the Internet while allowing the enterprise apps that need it:
https://support.microsoft.com/en-us/windows/change-security-...
This is one of the notable features missing from Edge.
https://support.microsoft.com/en-us/windows/change-security-...
This is one of the notable features missing from Edge.
Only if the Mordac did not do the job properly, as it can also be disabled in AD.
You may not be using IE directly, but it's embedded in many places where it may still work very well without JavaScript (e.g. the CHM help viewer).
We see JS as insecure because we can turn it off, and it's history is pretty bad. We can't turn off parsing, rendering, and other features necessary to display a webpage - and those are just as well exploited. JS at least gets multi layered sandboxing and isolation.
Modern browsers are not well fit for security and anonymity. Torbrowser is the only one that actually removes tracking data and the wider attack surfaces of modern browser features like webgl. However it's still not 'secure'. You still have plenty of features that come from complex codebases, such as media decoders.
Modern browsers are not well fit for security and anonymity. Torbrowser is the only one that actually removes tracking data and the wider attack surfaces of modern browser features like webgl. However it's still not 'secure'. You still have plenty of features that come from complex codebases, such as media decoders.
I was told at my last workplace that continuing to use IE was a war crime.
If it required JS it would not be a bug in Windows HTML component.
It's a bug in Trident/MSHTML, which includes a 'JScript' engine.
Anecdotally code execution exploits in pure HTML (that don't require JS) are exceedingly rare, so it is unlikely it doesn't use JS.
Anecdotally code execution exploits in pure HTML (that don't require JS) are exceedingly rare, so it is unlikely it doesn't use JS.
Turning off JS is not the single most effective way.
Turning off the internet. Or your PC entirely is.
Just not visiting most of the Internet is a solid move too, JS or not.
Turning off the internet. Or your PC entirely is.
Just not visiting most of the Internet is a solid move too, JS or not.
> Microsoft also patched five critical bugs — flaws that can be remotely exploited to seize control over the targeted Windows computer without any help from users.
seems pretty bad...
seems pretty bad...
So these vulns weren't needed any more by some 3 letter agency? Or were they being used by someone a 3 letter agency didn't like? Or were about to be?
Security warfare is fascinating to watch from the mud huts.
Security warfare is fascinating to watch from the mud huts.
–CVE-2021-33742, a remote code execution bug in a Windows HTML component.
Acknowledgements: Clément Lecigne of Google’s Threat Analysis Group
–CVE-2021-31955, an information disclosure bug in the Windows Kernel
Acknowledgements: Boris Larin (oct0xor) of Kaspersky Lab
–CVE-2021-31956, an elevation of privilege flaw in Windows NTFS
Acknowledgements: Boris Larin (oct0xor) of Kaspersky Lab
–CVE-2021-33739, an elevation of privilege flaw in the Microsoft Desktop Window Manager
Acknowledgements: Jinquan(@jq0904) with DBAPPSecurity Lieying Lab
Acknowledgements: Clément Lecigne of Google’s Threat Analysis Group
–CVE-2021-31955, an information disclosure bug in the Windows Kernel
Acknowledgements: Boris Larin (oct0xor) of Kaspersky Lab
–CVE-2021-31956, an elevation of privilege flaw in Windows NTFS
Acknowledgements: Boris Larin (oct0xor) of Kaspersky Lab
–CVE-2021-33739, an elevation of privilege flaw in the Microsoft Desktop Window Manager
Acknowledgements: Jinquan(@jq0904) with DBAPPSecurity Lieying Lab
An interesting tidbits is Google's Project Zero was known to discover zero day used by Western government agencies for counterterrorism operation and made such vulnerability patched.
Any chance you have a source handy? P.S. your tgs link is 404
Interesting. Are you conspiracy theorizing or is there a reputable basis for this?
> is there a reputable basis for this?
Yes. The NSA has disclosed hoarded zero-days to Microsoft when they have fallen into the hands of people they did not like. See the Shadow Brokers incident [1]:
> the critical vulnerabilities for four exploits previously believed to be zero-days were patched in March, exactly one month before a group called Shadow Brokers published Friday's latest installment of weapons-grade attacks
Obviously, the problem with this is that the NSA were unaware their zero-days had fallen into enemy hands until the Shadow Brokers very publicly advertised the fact that they had them.
[1]: https://arstechnica.com/information-technology/2017/04/purpo...
Yes. The NSA has disclosed hoarded zero-days to Microsoft when they have fallen into the hands of people they did not like. See the Shadow Brokers incident [1]:
> the critical vulnerabilities for four exploits previously believed to be zero-days were patched in March, exactly one month before a group called Shadow Brokers published Friday's latest installment of weapons-grade attacks
Obviously, the problem with this is that the NSA were unaware their zero-days had fallen into enemy hands until the Shadow Brokers very publicly advertised the fact that they had them.
[1]: https://arstechnica.com/information-technology/2017/04/purpo...
Take the EternalBlue exploit [1] as an example, NSA had been aware of the vulnerability for years, but only informed Microsoft once it slipped out of their control:
"The NSA did not alert Microsoft about the vulnerabilities, and held on to it for more than five years before the breach forced its hand. The agency then warned Microsoft after learning about EternalBlue's possible theft, allowing the company to prepare a software patch issued in March 2017,[19] after delaying its regular release of security patches in February 2017.[20] On Tuesday, March 14, 2017, Microsoft issued security bulletin MS17-010,[21] which detailed the flaw and announced that patches had been released for all Windows versions that were currently supported at that time
...
Many Windows users had not installed the patches when, two months later on May 12, 2017, the WannaCry ransomware attack used the EternalBlue vulnerability to spread itself"
[1] https://en.wikipedia.org/wiki/EternalBlue#Details
"The NSA did not alert Microsoft about the vulnerabilities, and held on to it for more than five years before the breach forced its hand. The agency then warned Microsoft after learning about EternalBlue's possible theft, allowing the company to prepare a software patch issued in March 2017,[19] after delaying its regular release of security patches in February 2017.[20] On Tuesday, March 14, 2017, Microsoft issued security bulletin MS17-010,[21] which detailed the flaw and announced that patches had been released for all Windows versions that were currently supported at that time
...
Many Windows users had not installed the patches when, two months later on May 12, 2017, the WannaCry ransomware attack used the EternalBlue vulnerability to spread itself"
[1] https://en.wikipedia.org/wiki/EternalBlue#Details
A reputable basis for three letter agencies failing to report zero days? Yeah, it's called Zerodium.
https://www.catalog.update.microsoft.com/Search.aspx?q=KB500...
Is there a third party program that finds/installs the windows 7 updates?