Microsoft is patching a major Windows 10 flaw discovered by the NSA

[Burrito]

My question is, how many things like this will there be?

Infinity.

These types of vulnerabilities have always been found by multiple US agencies. Some agencies report them, some have a history or not reporting them.

Agencies of the US government detecting and reporting vulnerabilities has occurred since DARPA of the US government created the internet.

The strange thing is it's being discussed publicly... and discussed implying that this is a new thing.

I'll delay the update a few weeks to see if they got it right.

 

[ForgottenSeer 823865]

Infinity.
These types of vulnerabilities have always been found by multiple US agencies. Some agencies report them, some have a history or not reporting them.

Personally if i was a government leader, and one of the country's company became such a tech giant than the OS they created is used worldwide even by my rivals/enemies and the source code is proprietary, i would be stupid not to request/coerce the said company CEO to add a little backdoor for my intel agencies...

This is not paranoia, this is just common sense.

 

[shmu26]

I assume they reported it because they found out that the enemy now knows this vulnerability (which NSA probably have been using for years), so it's national defense to patch it.

 

[ItsReallyMe]

From my agency: all computers must be on the network and will be updated today 1/14, anybody logging in without the update on 1/15 will be quarantined and locked out of the network. They’re taking it pretty seriously.

How to quarantine and lock a PC from network?? How to do that?

 

[shmu26]

My Windows Enterprise edition, running in VM, didn't get the update. It wasn't even available when I tried to update manually. I needed to download the installer from the MS update catalog.
If this is so critical, why no updates for enterprise?

 

[Burrito]

How to quarantine and lock a PC from network?? How to do that?

That's pretty easy.

In an enterprise architecture, a Systems Administrator type would utilize a management console to send a query to all endpoints.

The query in this case would have a simple script checking for a certain update on every computer in the network. If the update is not there, the "if/then" in the simple script would direct the endpoint to be put in a quarantine state. Typically, a quarantined state would make the computer unusable for anybody who does not have an Administrator LOGIN.

 

[blackice]

That's pretty easy.

In an enterprise architecture, a Systems Administrator type would utilize a management console to send a query to all endpoints.

The query in this case would have a simple script checking for a certain update on every computer in the network. If the update is not there, the in/then in the simple script would direct the endpoint to be put in a quarantine state. Typically, a quarantined state would make the computer unusable for anybody who does not have an Administrator LOGIN.

Yep, and they gave us about zero notice.

 

[South Park]

The NSA itself says: "The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners." I don't quite understand why Ask Woody is still telling people that this isn't a big deal: The morning after — I recommend that you hold off on installing this month’s patches @ AskWoody

 

[shmu26]

The NSA itself says: "The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners." I don't quite understand why Ask Woody is still telling people that this isn't a big deal: The morning after — I recommend that you hold off on installing this month’s patches @ AskWoody

There are people who reported issues with this cumulative update, and we haven't heard yet about any exploits in the wild. So I can understand Ask Woody's position. I have Windows 10 Enterprise running in a VM, and the update was not even available this morning, although I checked manually for updates. But it was automatically installed on my regular Windows 10 Pro installation.
The fact that the patch was pushed so aggressively makes it unattractive for malcoders to try and target it, because most systems will be patched before the malware gets out there.

 

[blackice]

There are people who reported issues with this cumulative update, and we haven't heard yet about any exploits in the wild. So I can understand Ask Woody's position. I have Windows 10 Enterprise running in a VM, and the update was not even available this morning, although I checked manually for updates. But it was automatically installed on my regular Windows 10 Pro installation.
The fact that the patch was pushed so aggressively makes it unattractive for malcoders to try and target it, because most systems will be patched before the malware gets out there.

He always recommends that and almost always finds issues reported (because someone inevitably will always have a problem). I don’t bother reading his articles anymore, but he can share good info sometimes.

 

[shmu26]

He always recommends that and almost always finds issues reported (because someone inevitably will always have a problem). I don’t bother reading his articles anymore, but he can share good info sometimes.

Yes, his attitude toward Microsoft updates is always quite cynical, but this time I believe it because @harlan4096 reported an issue on one of his machines.

 

[South Park]

Update from Kenneth White: Windows Defender (and other AV's) detects the 2020-0601 exploit. OTOH, POC code has already been published.

Microsoft's Chain of Fools

Some initial impressions on CVE-2020-0601

blog.lessonslearned.org

 

[plat]

This is currently on the New York City news.

MS update catalog.
If this is so critical, why no updates for enterprise?

Yes, this is baffling. The five o'clock news lady was urging everyone to update their devices last night. Yet, my Insider build 19541.1000 got nothing yesterday and zero today thus far. A lotta Defender definitions, and no, no patch was hiding in there either. Hmmm.

 

[MacDefender]

The NSA itself says: "The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners." I don't quite understand why Ask Woody is still telling people that this isn't a big deal: The morning after — I recommend that you hold off on installing this month’s patches @ AskWoody

Yeah I strongly disagree here. It would be really easy to turn this into an exploit kit that can force Windows Update to find completely bogus signed updates and hence code execution as SYSTEM. It's basically only a matter of time until someone packages this exploit in a way that's easy to run. It's IMO irresponsible to treat this as a boring Patch Tuesday or Windows feature release.

 

[shmu26]

This is currently on the New York City news.


Yes, this is baffling. The five o'clock news lady was urging everyone to update their devices last night. Yet, my Insider build 19541.1000 got nothing yesterday and zero today thus far. A lotta Defender definitions, and no, no patch was hiding in there either. Hmmm.

It was probably pushed out hastily, due to concerns of national security. Most IT admins will probably download and install it manually, due to the big scare campaign, even if the update isn't offered on Enterprise, so that they won't be blamed for a disaster. And if the patch causes mishaps, M$ can't be blamed for downtime, since they didn't offer it through the usual update channel.

 

[blackice]

It was probably pushed out hastily, due to concerns of national security. Most IT admins will probably download and install it manually, due to the big scare campaign, even if the update isn't offered on Enterprise, so that they won't be blamed for a disaster. And if the patch causes mishaps, M$ can't be blamed for downtime, since they didn't offer it through the usual update channel.

My agency got the update pushed through our software management tool, not windows update. The problem is everyone was supposed to get it, and I’m one of the only ones who did. And I had to manually install it. No one else in my group of 8 or so got it. Trying to push out to thousands of endpoints in one day was ambitious. Not sure how many people got quarantined.

 

[shmu26]

My agency got the update pushed through our software management tool, not windows update. The problem is everyone was supposed to get it, and I’m one of the only ones who did. And I had to manually install it. No one else in my group of 8 or so got it. Trying to push out to thousands of endpoints in one day was ambitious. Not sure how many people got quarantined.

Ask around tomorrow, I bet no one actually got quarantined.

 

[blackice]

Ask around tomorrow, I bet no one actually got quarantined.

As far as I can tell no one in my group did. I asked different people what build numbers they had. Some were as far back as 1803 builds. I think they weren’t even close to prepared for this.

 

[upnorth]

Less than a day after Microsoft disclosed one of the most critical Windows vulnerabilities ever, a security researcher has demonstrated how attackers can exploit it to cryptographically impersonate any website or server on the Internet.

Critical Windows 10 vulnerability used to Rickroll the NSA and Github

Attack demoed less than 24 hours after disclosure of bug-breaking certificate validation.

arstechnica.com

Readers who haven't patched yet should do so immediately.

 

[yuanyasmine]

The updates were live on January 14, which include security fixes for Windows App Platform and Frameworks, Windows Input and Composition, Windows Management, Windows Cryptography, Windows Storage and Filesystems, the Microsoft Scripting Engine, and Windows Server. And I’ve updated to the latest version yesterday.