Microsoft scrambles to fix worst Windows issue 'in recent memory'

By Brooke Crothers, published May 11, 2017

File photo: A sign marks the Microsoft office in Cambridge, Massachusetts, U.S. January 25, 2017. (REUTERS/Brian Snyder)

There’s a hole in Windows big enough that Microsoft did an emergency fix this week.

Called the “worst Windows remote code exec in recent memory” and "crazy bad" by the Google security expert who discovered it, the malware requires no interaction from a user. Often malware requires a PC user to, for example, click on a bad link or do something that -- unbeknownst to the user -- downloads rogue code.

The fact that Microsoft took action immediately to fix it – a so-called “emergency out-of-band update” – means it’s very serious. 

“Unlike past incidents, where Microsoft has allowed exploited zero-day vulnerabilities to fester in the wild without being bothered to deliver a patch for months, this time around, the company moved lightning fast to address the issue,” according to a report at Bleeping Computer. 


Zero-day vulnerabilities are defined as a vulnerability not made public before becoming active, meaning that the entity responsible for the software with the vulnerability has, in effect, zero days to fix the problem. 

The Microsoft fix was issued on Monday. “Customers are protected by an update released on Monday, May 8. More information is available in our security advisory," a Microsoft spokesperson told Fox News.

What makes this exploit worrisome on a broader level is the very nature of anti-malware software. "That's one of the big problems with anti-malware software: by trying to protect the system from every angle, they also expose their own vast attack surface," said Ars Technica.

Discovered by Google security expert

The vulnerability was discovered last week by Tavis Ormandy and Natalie Silvanovich. Ormandy is a vulnerability researcher at Google, while Silvanovich also works at Google.

Ormandy said in a tweet that the exploits were "wormable," meaning they could self-replicate and move to other vulnerable computers. 

"Still blown away at how quickly @msftsecurity responded to protect users, can't give enough kudos. Amazing," Ormandy wrote on Monday.

Windows software affected

The security hole affects PCs and computer systems running Windows 7, Windows 8.1, Windows 10, and Windows Server 2016 and Microsoft software products running on those systems, and exploits the Microsoft Malware Protection Engine included on Windows 7 and later. The vulnerability can be triggered “if the Microsoft Malware Protection Engine scans a specially crafted file,” according to the Microsoft Security Advisory. That could include email and web sites. That is, anything that is scanned by the Malware Protection Engine.


That engine is part of Microsoft’s Windows Defender which is preinstalled on PCs. 

The Microsoft advisory goes on to say that IT administrators and individual users should not need to proactively install the update. “Typically, no action is required of enterprise administrators or end users to install updates for the Microsoft Malware Protection Engine, because the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release.”

But Microsoft also offers a caveat. “Best practices recommend that customers regularly verify whether software distribution, such as the automatic deployment of Microsoft Malware Protection Engine updates and malware definitions, is working as expected in their environment.”

For most Windows users that means checking the Windows Defender software that comes with their Windows 7, Windows 8, or Windows 10 PC and making sure it’s activated and running.

Retired USN Engineer

2020 Ram 2500 Bighorn 6.7 Diesel

2014 Crossroads Zinger 27RL (Traded)

2022 Grand Design Reflection 315RLTS

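The article's closing advice is to verify that Malware Protection Engine updates are actually landing rather than assuming the 48-hour automatic cycle worked. The following is an added example, not code from the article or from Microsoft, of how an administrator would do that check with the Defender PowerShell module (Windows 8.1, Windows 10 and Server 2012 R2 or later; Windows 7 hosts running Microsoft Security Essentials have no such module and must be checked through the product's About dialog). The fixed engine version is a placeholder to be filled in from the Microsoft security advisory, and the 48-hour threshold is the advisory's own figure.

```powershell
# Added example (not from the article): confirm the Malware Protection Engine is running and that
# automatic engine/definition updates are flowing, so a host is not silently stuck on an old engine.
# Assumes the Defender module (Get-MpComputerStatus / Update-MpSignature) is available.

# Placeholder: replace with the fixed engine version quoted in the Microsoft security advisory.
$FixedEngineVersion = [version]'0.0.0.0'
# Tolerated age of the last definition update; the advisory says updates apply within 48 hours.
$MaxSignatureAgeHours = 48

$status = Get-MpComputerStatus

$engineVersion = [version]$status.AMEngineVersion
$signatureAge  = (Get-Date) - $status.AntivirusSignatureLastUpdated

# One record per host; pipe this through Invoke-Command to collect it fleet-wide.
[pscustomobject]@{
    Host                 = $env:COMPUTERNAME
    EngineVersion        = $status.AMEngineVersion
    EnginePatched        = $engineVersion -ge $FixedEngineVersion
    ServiceEnabled       = $status.AMServiceEnabled
    RealTimeProtection   = $status.RealTimeProtectionEnabled
    SignatureVersion     = $status.AntivirusSignatureVersion
    SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    SignatureAgeHours    = [math]::Round($signatureAge.TotalHours, 1)
    UpdatesFlowing       = $signatureAge.TotalHours -le $MaxSignatureAgeHours
} | Format-List

# If the engine is older than the fixed build or definitions have gone stale, pull the update now
# instead of waiting for the next automatic cycle, then re-run Get-MpComputerStatus to confirm.
if ($engineVersion -lt $FixedEngineVersion -or $signatureAge.TotalHours -gt $MaxSignatureAgeHours) {
    Write-Warning "Engine or definitions are stale on $env:COMPUTERNAME; forcing an update."
    Update-MpSignature
}
```

The two signals worth alerting on are EnginePatched being false (the engine itself, not just the definitions, is what the advisory fixed) and UpdatesFlowing being false, which usually means the host cannot reach the update source at all and will also miss the next engine fix.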

That's not how it works. Opera won't help, & Outlook isn't the problem. Stay on top of updates, & use a supported version of your OS. Don't open attachments. 

I have been wrong before, I'll probably be wrong again. 

2000 Kenworth T 2000 w/N-14 and 10 speed Gen1 Autoshift, deck built by Star Fabrication
2006 smart fourtwo cdi cabriolet
2007 32.5' Fleetwood Quantum


Please e-mail us here.


Guys,

The short version: that article from Fox News was worse than inaccurate. This is in the links and discussion below, but for those who want the bottom line, here it is. This vulnerability was patched in March:

"EternalBlue, an offensive hacking tool allegedly developed by the NSA, exploits a Windows SMBv1 vulnerability that was patched by Microsoft in March in security bulletin MS17-010."

Before you all panic and fall for the Fox News click-bait article above, let me explain it again.

The emergency was to develop a rare patch for the unsupported versions of Microsoft that are basically XP and Vista both of which do not get security updates and users were expected to upgrade as they chose.

So who needs to worry? If you do all your Windows updates, as I also just wrote about, you got the patch that prevents this last March.

Why the massive attacks, and why in Europe, India, the UK, and Russia primarily? Because they still have millions who still use XP and Vista, and they knew they could not get any newer security updates. So if you did all your Windows updates, as I said a couple of days ago, the OSes are so hardened that today exploits like this one, that can be dropped remotely, are just about obsolete.

Microsoft, realizing that there were hospitals and major companies still using XP and Vista, even some here, was issuing custom patches for some large firms. But if they don't apply them, they would have been in trouble had Microsoft not made it impossible to ignore updates for Windows home users, and only let people and business owners running Pro, like me, and Enterprise editions defer updates for a limited number of days.

Folks who read here a lot can remember many of my posts that urge folks to do updates religiously. And always telling them that the estimate of the percentage of folks running Windows who do not do their updates was around 60%!!!!

This is the malware I posted here about six days ago, on May 9th in Connecting on the Road. To prevent click-bait like the Fox News article above from several days ago, I posted the explanation link as a duplicate here below; the article it was from is http://www.tomshardware.com/news/microsoft-windows-malware-protection-vulnerability,34364.html

and:

This was not a gaping hole as it would not affect most computers because this malware was patched in the March updates:

Excerpt:

"Microsoft has taken the extraordinary step of providing an emergency update for unsupported Windows XP and Windows 8 machines in the wake of Friday’s WannaCry ransomware outbreak.

Unknown attackers were using the EternalBlue exploit leaked by the ShadowBrokers in April to spread WannaCry, a variant of the WCry malware, which surfaced in February. EternalBlue, an offensive hacking tool allegedly developed by the NSA, exploits a Windows SMBv1 vulnerability that was patched by Microsoft in March in security bulletin MS17-010.

Yesterday’s attack overran many businesses in Europe at the start, hitting hardest in Russia, Ukraine and India. Large telecommunications companies in Spain and many NHS healthcare facilities in the United Kingdom were also affected, as were other enterprises worldwide. Employees were told to shut down and unplug machines, and in the case of the U.K. hospitals, patient care at many facilities was affected. Non-emergency surgeries were postponed and patients were diverted to other facilities.

The ransomware locked up machines, encrypted files and demanded approximately $600 in Bitcoin for a recovery key.

Microsoft acknowledged the dire straits many of its customers were in, and rolled out a patch for all computers that were not protected by the March update.

“Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful,” Microsoft said last night. “Microsoft worked throughout the day to ensure we understood the attack and were taking all possible actions to protect our customers.”

The March update was made available one month before the ShadowBrokers’ high-profile leak of Windows exploits, including the Fuzzbunch platform that included EternalBlue and other exploits. EternalBlue targeted a then-unknown Windows SMBv1 remote code execution vulnerability. The widespread impact of yesterday’s attack—close to 100,000 infections so far in 99 countries by some accounts—indicates a lack of patching vigilance despite ample warning.

Source Kaspersky Labs Threatpost:

https://threatpost.com/microsoft-releases-xp-patch-for-wannacry-ransomware/125671/

OK folks, it was only folks who refused to upgrade to Windows 8.1 and 10. Microsoft made it clear, and I posted it here too, that when XP went out of support that no more security patches would be made available.

Last week I posted that there were some really bad bugs being exploited and to not delay doing the May 9 Microsoft patches.

Here is the May 9th post about this in connecting on the road, May 9th:

http://www.rvnetwork.com/index.php?/topic/127541-microsoft-patches-critical-malware-protection-engine-vulnerability/
 

So relax if you did your updates. And now you see why MS essentially force feeds security updates. The same folks who gripe about MS updates can go with Linux if they choose.

Microsoft supports their Windows software for ten years and you can Google Microsoft support dates for Windows. Very clear and ten years.

For those that invariably come in suggesting Apple, they don't publish end of support dates and drop support without telling their users. This article is about their dropping Snow Leopard support, because it was the second set of OSX patches that ignored Snow Leopard:

Source PC World 2014: http://www.computerworld.com/article/2487996/malware-vulnerabilities/apple-retires-snow-leopard-from-support--leaves-1-in-5-macs-vulnerable-to-at.html

We all started warning XP users that next April they would be SOL, so don't wait till the last minute; upgrade whatever now. I doubt anyone will argue with me that getting a new computer every ten years, or taking a free upgrade if your hardware can support it, is just common sense.

Apple's 4.5 years then buy a new machine or software is a bit too short a time interval.

My current main system is a high end Dell that was originally shipped in 2014 with Windows 8. Then I upgraded it free to 8.1. Then I upgraded it free to Windows 10. Then I upgraded it free to the Anniversary Edition last year, and this year updated it free to Creator's Edition. In September 2017 they are releasing a second half of features free for Creator's Edition. If my system were Apple apparently they would drop support for it soon.

 

RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998


When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius

 

“Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire

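The post's bottom line is that WannaCry only reached hosts missing the March MS17-010 fix for SMBv1. As an added example, not from the Threatpost excerpt, the forum post or Microsoft, here is how an administrator would check a host for both conditions: whether the MS17-010 update is installed and whether the SMBv1 server the exploit speaks is still enabled. It assumes Windows 8.1 / Server 2012 R2 or later run as Administrator (Get-SmbServerConfiguration and Get-WindowsOptionalFeature need both); on Windows 7 only the Get-HotFix part applies. The KB list is a placeholder, because MS17-010 maps to a different KB number per OS and servicing branch and must be taken from the bulletin itself.

```powershell
# Added example (not from the thread): check a Windows host for the MS17-010 fix and for SMBv1 exposure.
# Assumes Windows 8.1 / Server 2012 R2 or later, elevated PowerShell.

# Placeholder: fill in the MS17-010 KB numbers for this host's OS from the bulletin, plus any later
# cumulative update that supersedes them (on Windows 10 the fix ships inside the monthly cumulative).
$Ms17010Kbs = @('KB0000000')

# Get-HotFix only lists updates installed through Windows Update / WUSA; a superseding cumulative
# update counts as patched only if its KB is in the list above.
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
$patched   = [bool]$installed

# Server-side SMBv1 switch and the optional-feature package that backs it.
$smbConfig   = Get-SmbServerConfiguration
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

[pscustomobject]@{
    Host           = $env:COMPUTERNAME
    OS             = (Get-CimInstance Win32_OperatingSystem).Caption
    Ms17010Patched = $patched
    MatchedKBs     = ($installed.HotFixID -join ', ')
    Smb1ServerOn   = $smbConfig.EnableSMB1Protocol
    Smb1Feature    = $smb1Feature.State
} | Format-List

if (-not $patched) {
    Write-Warning "MS17-010 not found on $env:COMPUTERNAME; run Windows Update before anything else."
}
if ($smbConfig.EnableSMB1Protocol) {
    # Turning SMBv1 off removes the protocol the exploit targets entirely; confirm first that nothing
    # on the network (old printers, NAS boxes, scanners) still depends on it.
    Write-Warning "SMBv1 server is enabled; disable with: Set-SmbServerConfiguration -EnableSMB1Protocol `$false"
}
```

Patching closes the specific hole; disabling SMBv1 where nothing needs it removes the whole class of SMBv1 bugs from the attack surface, which is why both columns belong in the same report.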

Markandkim,

I've made this suggestion to you before.

I post about Windows malware as well as good news and new products. You can do the same for Macs.


Darryl&Rita,

You are absolutely right. Pieeere, listen up.


8 hours ago, RV_ said:

Markandkim,

I've made this suggestion to you before.

I post about Windows malware as well as good news and new products. You can do the same for Macs.

 

 

Why, are there still folks using Macs too? Never touched one.

 

Isn't this my thread?


22 hours ago, Darryl&Rita said:

That's not how it works. Opera won't help, & Outlook isn't the problem. Stay on top of updates, & use a supported version of your OS. Don't open attachments. 

I don't open attachments! It also seems like the Opera browser is faster with Speed Dial; I don't like the format of Edge. Outlook is slower than Gmail and Outlook sometimes locks up and I have to refresh or close then reopen. And it's not my computer, as it would do it on other websites!

:) Living Life One Day At A Time!


Mark and Kim,

It is your thread. My suggestion was to become a resource for the Apple community you love. My post corrected the very poorly written article you used as a source. But again your thread, you are the OP, so I addressed the corrections to you. If you don't like Microsoft, fine.

I included a link to the first time I suggested that you write about Apple, but if you don't great. 

Bottom line is the facts are that this is only infecting old unsupported systems, and new systems that refused to do the March updates. IT managers with large organizations can defer some updates until they have time to test them in their networks.

However, not doing Microsoft security updates at all would be grounds for firing, if I owned one of the hospitals with newer OS's and/or hardware that is less than ten years old.

If the IT guys say they could not make it work then they need to be fired for incompetence and get some folks in there who know how to test and implement security patches.

Bottom line is this affects no users with patched and up to date systems.

My hat is off to Microsoft for doing the out of sequence patch for XP and Vista to prevent any more organizations and individuals losing their systems. But in reality Microsoft deserves kudos for committing resources to save folks who would not lift a finger proactively to prevent this when they were warned for years to upgrade.

If one does not like Microsoft then Linux or straight Linux are some viable alternatives. Apple's secrecy and seemingly capricious, unpublished support cycles make them a non-starter for me. I don't want to have to depend on hearing about end of life support from third party sources after the fact. I found out about more than a few Apple issues that they refused to discuss or post about. They have gotten better at providing anti-malware programs, post Jobs.


Pieere,

I too dislike Edge, tried Opera but it was not as easy to adapt to. I actually am using Firefox's latest version 53.0.2 and it seems fine. The memory leakage/usage has gotten much better. Chrome is OK, but be careful when you change browsers. If you decide to change from one to the other, make sure you make the new browser the default browser before you uninstall Chrome or Opera, which is very similar to Chrome. I found that out the hard way when Opera was my default browser.

I will likely go back to Edge after a year, after Microsoft does some more fine tuning of it. My wife, who is not OS literate and depends on me to buy and install, monitor and repair or upgrade all her systems, uses Edge and likes it. Go figure!


Pieere,

Read my new post about Chrome security problem.

