Good news: The “wormable” security hole in XP, 7, and related Servers, isn’t being exploited yet

Topic

New Reply

If you’re running Windows XP (including Embedded) Windows Server 2003, Server 2003 Datacenter Edition Windows 7 Windows Server 2008, Server 2008 R2 Yo
[See the full post at: Good news: The “wormable” security hole in XP, 7, and related Servers, isn’t being exploited yet]

4 users thanked author for this post.

SueW, jburk07, AJNorth, geekdom

Reply | Quote

Replies

I usually serve as beta (guinea) pig for patches. This is one instance, as per instructions, that everyone should serve as beta (guinea) pig.

On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender

3 users thanked author for this post.

woody, jburk07, AJNorth

Reply | Quote

Woody, will you warn us when the first cases appear? I wanna patch asap but I don’t feel comfortable patching without knowing what to expect so I was thinking of waiting 1 or 2 more days to see if any problems arise with the patches

Reply | Quote

I strongly suggest that you patch preemptively.

When it hits, it’ll hit hard. There are a lot of people working on turning the hole into money.

4 users thanked author for this post.

Elly, SueW, GoneToPlaid, TheSuffering

Reply | Quote

Ok then, will patch when I get home, any known bugs so far?

Reply | Quote

MDS seems like a bigger problem for ordinary users in my opinion, and much harder to stay safe from.

“Allow remote assistance connections to this computer” is an default setting when you install windows 7 and also windows 10(maybe all microsoft operating systems). This has been an “wormable” for ages or atleast a weakspot for normal users because microsoft has it on as default. The first thing you do after installing the os: Turn off this and block port 3389 in firewall or anything with “Remote” in firewall.

What will even microsoft do with this when you patch with may update, turn of remote asssistance?

The bigger problem and why you should update(and all  operating systems) is the Microarchitectural Data Sampling (MDS) or Zombieload, and everyone with an Intel cpu with Hyper-Threading is extra exposed.

• CVE-2018-12126 Microarchitectural Store Buffer Data Sampling (MSBDS)
• CVE-2018-12130 Microarchitectural Fill Buffer Data Sampling (MFBDS)
• CVE-2018-12127 Microarchitectural Load Port Data Sampling (MLPDS)
• CVE-2019-11091 Microarchitectural Data Sampling Uncacheable Memory (MDSUM)

Not that I understand much of this but this seems bad https://youtu.be/Oeb-O4yKK2c

1 user thanked author for this post.

GoneToPlaid

Reply | Quote

I disabled hyperthreading in BIOS on all of the office computers with Intel CPUs which supported hyperthreading. Doing so instantly got rid of many random BSODs, and nobody has either noticed or complained about any change in their computer’s performance.

Reply | Quote

Upload some of those old BSOD minidumps please, I’d like to take a look at them.

Reply | Quote

Ummm…. so this one from yesterday was a “Red Herring” (no pun intended)?

“UPDATE: I’ve now seen one reliable report that there’s an RDP exploit in the wild. The attacks are said to come from China.”

I’m easily confused. 🙂

Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
--
"The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

Reply | Quote

I went ahead and installed the May security only update KB4499175 on my primary Win7 production machine. Thankfully, it installed cleanly and with no apparent issues so far. Given the potential seriousness of the threat, I figured that I would bite the bullet and run KB4499175 through its paces in a daily production environment.

No known issues are presently listed for the May security only update KB4499175.

Two known issues are presently listed for the May monthly rollup KB4499164. One issue is serious and involves McAfee products. Yeah, more AV issues!

Woody says that all XP, Win7 and related servers should get patched. I agree. Win8 and Win10 users have nothing to worry about.

For Win7 users on Group A and for the time being, you could install the May security only update KB4499175, just for the sake of getting patched against this wormable security hole, since the security only update presently has no known issues. Later and if and when the “all clear” is given for the May monthly rollup KB4499164, one would uninstall KB4499175 and reboot, and then install KB4499164. Or one could wait until June and install the June monthly rollup when that is given the “all clear.” The latter might be preferable since there are issues with IE and Edge in the May monthly rollup KB4499164.

Note that the May security only update KB4499175 also includes the separate pciclearstalecache.exe utility. I can’t remember if one is supposed to run this EXE before or after installing the update since the underlying issue only affects those who run some types of virtual machine software.

Needless to say, hopefully everyone is aware that it is a really good idea to disable remote assistance connections and Remote Desktop. There are alternative products which are far more secure.

2 users thanked author for this post.

SueW, Nibbled To Death By Ducks

Reply | Quote

Yep. HSTS doesn’t work in any web browser with the May Win7 security only update installed. I am Group B. I am torn between letting this issue ride for now, or rolling back to December 2018.

Reply | Quote

Only IE should be affected, for a small number of gov.uk sites.

2 users thanked author for this post.

SueW, satrow

Reply | Quote

GoneToPlaid wrote:

I went ahead and installed the May security only update KB4499175 on my primary Win7 production machine.

Yup, all patched here too with no ill effects…but I did NOT know about RDP, RA and such matters, Networking being my weakest point.

“Ah, the tangled wed we weave, when first we practice to…network?”

Still wondering about that one report Woody posted about a confirmed exploit originating from China…

Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
--
"The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

Reply | Quote

Nibbled To Death By Ducks wrote:

Still wondering about that one report Woody posted about a confirmed exploit originating from China…

I was wondering about that, too. My guess is that it’s a case of mistaken identity. The people who watch over such things say there’s nothing (yet) in the wild.

2 users thanked author for this post.

Elly, SueW

Reply | Quote

despite defcon 3 for windows 7 i still wait. i remember march 2018, having to roll back to december 2017 patch level because of patch screw ups. i’m not gonna repeat that. i stay put. i wait until there is something exploiting it.

btw. remote desktop services startup type ist set to manual, it isn’t even runnung. so is my computer even at risk without this service running?

PC: Windows 7 Ultimate, 64bit, Group B
Notebook: Windows 8.1, 64bit, Group B

Reply | Quote

I’m still trying to confirm that, one way or another, with people who would know.

It’s a tough question – and Microsoft isn’t answering it.

Reply | Quote

Does anyone know if Windows 7 embedded is vulnerable?

Reply | Quote

The MS downloads don’t list embedded, so you should be OK.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

cheers, Paul

1 user thanked author for this post.

woody

Reply | Quote