Category: SBS 2008


This is inside a component that is on nearly every Microsoft machine worldwide.  This includes all versions of XP, Vista, 7 and the server versions.  There is no Windows Update yet.  Please use the “Fix it for me” link for a hotfix.  This is a patch for this issue, but it may cause issues since it’s not been fully validated.  However, this problem allows remote system takeover via IE AND Office.

The link to the fixit is here. 


Microsoft Security Advisory: Vulnerability in Microsoft XML Core Services could allow remote code execution.

Update your machines now.  If you are running a server with RDP exposed, first firewall it off from the internet, then use an actual secure VPN to get to that server and update.  I would then never allow direct RDP access from the net again.
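One way to carry out the “firewall it off, reach it over the VPN” advice above on the server itself, as an added example that is not part of the original post. It assumes the built-in Windows Firewall rule is named “Remote Desktop (TCP-In)” and uses a constructed VPN subnet (10.8.0.0/24); substitute your own.

```powershell
# Added example (not from the original post). Run from an elevated prompt on
# the Windows Server 2008 host. Assumed VPN client subnet: 10.8.0.0/24 (constructed).

# Weak state: the stock rule allows TCP/3389 from ANY remote address.
netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)"

# Make sure the firewall is on and inbound traffic is denied unless a rule allows it.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Corrected state: scope the existing RDP rule so only VPN clients can reach 3389.
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new remoteip=10.8.0.0/24

# Verify the scope took effect, then confirm nothing else is listening on 3389.
netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)" verbose
netstat -ano | findstr ":3389"
```

The perimeter router or cloud security group should still drop 3389 from the internet; the host rule is the second layer, not the only one.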


Microsoft has plugged a critical hole in all supported versions of Windows that allows attackers to hit high-value computers with self-replicating attacks that install malicious code with no user interaction required. The vulnerability in the Remote Desktop Protocol is of particular concern to system administrators in government and corporate settings because they often use the feature to remotely trouble-shoot e-mail servers, point-of-sale terminals and other machines when they experience problems. RDP is also the default way to manage Windows machines that connect to Amazon’s EC2 and other cloud services. That means potentially millions of endpoints are at risk of being hit by a powerful computer worm that spreads exponentially, similarly to the way exploits known as Nimda and Code Red did in 2001.

”This type of vulnerability is where no user intervention or user action is required and an attacker can just send some specially crafted packets or requests, and because of which he or she can take complete control of the target machine,” Amol Sarwate, director of Qualys vulnerability research lab, said in an interview. While RDP is not enabled by default, he said the number of machines that have it turned on is a “big concern” because it is so widely used in large organizations and business settings.

The bug affects Windows XP and all versions of Windows released since, including the developer preview of Windows 8. It was privately reported by Luigi Auriemma, an Italian security researcher who frequently focuses on vulnerabilities in industrial control systems and SCADA, or supervisory control and data acquisition, systems used to control dams, gasoline refineries, and power plants.

Microsoft said there’s no indication the vulnerability is being used in the public to attack Windows users at the moment, but the company predicts that could change. ”Due to the attractiveness of this vulnerability to attackers, we anticipate that an exploit for code execution will be developed in the next 30 days,” Suha Can and Jonathan Ness, of Microsoft Security Response Center Engineering, wrote in an advisory published Tuesday.

via Critical Windows bug could make worm meat of millions of high-value machines.

I just figured out SBS 2008 does NOT automatically set up roaming profiles.  This explains why I’m having issues with the desktops not matching when the users roam, because the profiles are all local.  Unfortunately one of the users had his HDD die and this spewed corruption into the network portion of his “local” profile.  Now I can get rid of these corrupted profiles.  These are the steps to creating a baseline roaming profile…


1. Prepare the roaming user profile

-      Log on to a Windows Server 2008 with the domain user account to produce a user profile. Log off the computer.

-      Log on to the Windows Server 2008 with a domain administrator account.

-      Click Start > right-click Computer > Properties > Advanced System Settings > Advanced > User Profiles Settings… > Settings > Copy To. Copy the profile to the file server, such as ‘\\filesrv\profiles\username.v2’.

Note: A “.v2” suffix must be added to the name of the user profile folder on the file server to distinguish between version 1 and version 2 profiles.

-      In Permitted to use, click Change. Type the proper users or groups and then click OK.

2. Prepare the user Profile path setting

-      In Active Directory Users and Computers, type the profile location, such as ‘\\filesrv\profiles\username’, in the user’s Profile path attribute.

Note: Do NOT add “.v2” to the Profile path of the user object. Windows Server 2008 will load the profile from the ‘username.v2’ folder, and earlier Windows operating systems will load from the ‘username’ folder if it exists.

If you manually create the user profile folder, please check the NTFS and share permissions on the roaming profile share folder.

-      Locate the roaming profile share folder and check the NTFS permissions to make sure that the user, SYSTEM, and Administrators have Full Control permission on their folders, and that all sub-folders under the roaming profile folder have inherited the proper permissions.

-      Check the share permission to ensure that Everyone has Full Control permission.

Please pay attention to the Event logs in Windows Logs > Application. User Profile Service will log events to show the reason why the roaming profile is not applied.
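The checks in the steps above (the .v2 folder name, the NTFS rights for the user, SYSTEM and Administrators, the Profile path attribute without .v2, and the User Profile Service events) can be scripted. This is an added example, not from the original post or from Microsoft; the server name ‘filesrv’, share ‘profiles’, user ‘jdoe’ and domain ‘CONTOSO’ are constructed defaults.

```powershell
# Added example (not from the original post): audit one roaming profile against
# the checks described above. Assumed values (constructed): file server
# 'filesrv', share 'profiles', user 'jdoe' in domain 'CONTOSO'.
# Run as a domain administrator on a domain-joined machine.
param(
    [string]$Share    = '\\filesrv\profiles',
    [string]$UserName = 'jdoe',
    [string]$Domain   = 'CONTOSO'
)
$problems = @()
$folder   = Join-Path $Share "$UserName.v2"   # Vista/2008 profiles need the .v2 suffix

# 1. The .v2 folder must exist on the file server.
if (Test-Path $folder) {
    # 2. NTFS ACL: the user, SYSTEM and Administrators all need Full Control.
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl  = Get-Acl $folder
    foreach ($id in "$Domain\$UserName", 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $ok = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $id -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $full) -eq $full)
        }
        if (-not $ok) { $problems += "NTFS: $id lacks Full Control on $folder" }
    }
} else {
    $problems += "Profile folder not found: $folder"
}

# 3. The AD Profile path must point at the folder WITHOUT the .v2 suffix.
$searcher = [adsisearcher]"(&(objectCategory=user)(sAMAccountName=$UserName))"
$user     = $searcher.FindOne()
if ($null -eq $user) {
    $problems += "User $UserName not found in Active Directory"
} else {
    $expected = Join-Path $Share $UserName
    $actual   = [string]$user.Properties['profilepath']
    if ($actual -ne $expected) { $problems += "AD profilePath is '$actual', expected '$expected'" }
}

# 4. User Profile Service explains failed profile loads in the Application log.
Get-EventLog -LogName Application -EntryType Error, Warning -Newest 200 |
    Where-Object { $_.Source -like '*User Profile*' } |
    Select-Object TimeGenerated, EventID, Message | Format-Table -AutoSize -Wrap

if ($problems.Count -eq 0) { 'All roaming profile checks passed' } else { $problems }
```

The share-level “Everyone: Full Control” permission is not checked here; confirm it in the folder’s Sharing tab or with `net share profiles` on the file server.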

via SBS 2008 Profile.

I tire of the MS lock-in.  What I’ve done is begun to build another deployment option for my clients (all of which are under 10 users).  For now I’ll use Server 2008 for authentication and file/print sharing… in a VM.  Another VM holds a VMware appliance running Zimbra Collaboration Suite.  I get 90% of the SBS functions for nothing.  All I have to do is then back up two VMware images, which easily compress by a factor of 2-5.  Done… and it’s highly portable to new hardware if something bad happens to the host box.  Once Samba 4 gets done I won’t need MS for the main server either… then I can run everything under one Linux VM and only have one VM to back up.  I’m hoping to procure a fast host server to test this on both my network and my “guinea pig” network. :)  I already have a non-virtual version of this running at my church (one physical box running Server 2003, another physical server running CentOS 5.5 with Zimbra Collaboration Suite).  My goal is to get these two virtualized on one box. :)  The ultimate goal is for the whole thing to be Linux based.

Microsoft has released the fix for the LNK issue.  This coming Tuesday is going to be a monster patch day with a total of 37 issues fixed in 14 patches.

Normally I advocate caution in major patches.  This hole however is so important that I am going to immediately patch and then work around any issues this is going to cause.  Again, on Monday this patch gets released.  PATCH IMMEDIATELY!!!  Read the previous advisories I posted about this here.

Steve Gibson talks about this issue in a very understandable manner.  Look at my previous post at the bottom, aka update 3.

Well, the vulnerability’s threat profile has expanded:
http://www.f-secure.com/weblog/archives/00001994.html
If the .lnk is inside a document, Windows will execute the code.  Again, I hope this fizzles; if it doesn’t, I want folks to be aware.


http://www.emmanuelcomputerconsulting.com/archives/2421

The podcast software crashed, so I was able to make a written update to the post with the help of Arstechnica.com.  Go check out the updated post.

I am going to provide you with the summary from Ars Technica as it’s the clearest explanation of the problem I have seen:

The attack uses specially crafted shortcut (.lnk) files, which trick Windows into running code of an attacker’s choosing. Any Windows application that tries to display the shortcut’s icon—including Explorer—will cause exploitation, so even the mere act of browsing a directory with the malicious shortcuts is sufficient for a system to be exploited. Analysis suggests that the shortcuts are not improperly formed; rather they depend on a flaw in the way that Windows handles shortcuts to Control Panel icons.

The first reports of the problem came last month from Belorussian security company VirusBlokAda. The company found systems infected with the flaw through infected USB keys. The keys use the flaw to install a rootkit to hide the shortcuts, dubbed Stuxnet, including kernel-mode drivers, and a malicious payload. The rootkit is itself noteworthy: the drivers it installs are signed. The certificate used to sign them belongs to Realtek, suggesting that somehow the attackers have access to Realtek’s private key. The certificate used to sign the rootkit has now been revoked by Verisign.

The current in-the-wild attacks are using USB keys to distribute the shortcuts, but the attack could equally use network shares or local disks. The malware payload appears to be designed to specifically compromise the databases used by Siemens’ SIMATIC WinCC software. WinCC is SCADA software, used to control and monitor industrial systems, found in manufacturing plants, power generation facilities, oil and gas refineries, and so on. Siemens’ software uses hardcoded passwords, making attack particularly simple.

The best option for mitigating the flaw is to disable Windows’ ability to show shortcuts’ icons; details on how to do this are provided in Microsoft’s security bulletin. However, this mitigation comes at some cost; it removes all the icons from the Start menu, for example, which is sure to be detrimental to usability. Disabling Autorun provides slight protection, as it prevents Explorer windows from opening automatically when a USB key or CD is inserted.

This one has the potential to be very, very bad.   What I am going to do is put some of the links below.  I am going to record a podcast tonight about this and have it posted in the next 24 hours.  While the threat right now is low, the potential for this one to explode is very, very high.  I do not get concerned about Windows exploits very often; this one has the very real potential to be on the scale of Sasser, Code Red, or Conficker.  ECC is gearing up for this to be a widespread event and I am hoping it fizzles (which is dependent on a timely patch from Microsoft).  As of right now there is no anti-anything that will stop the .LNK vulnerability itself, and any malware that appears WILL be able to leverage this before the A/V vendors can react.  I am sure the security companies will be able to catch up; however, we really need a patch from Microsoft on this one.  The big problem for Microsoft is this is endemic to their ENTIRE codebase from Windows 95 on up.  They have to now re-engineer every version of Windows to protect against this flaw.  This is one time that if it takes Microsoft more than a week to come up with a fix there’s a very good reason. The following operating systems will NOT get a patch from Microsoft:

Windows 95

Windows 98

Windows ME

Windows NT

Windows 2000 (all versions)

Windows XP below SP3 (this includes XP 64-bit, which is now end of life, no support)

Windows Vista RTM (all versions).  Vista SP1 is still supported until July 12 2011.  You really should upgrade to SP2 of Vista.

I have some of the links below I have been following for this:


*UPDATE* Microsoft has posted their workaround.  This nukes ALL shortcuts on the system though.  If you want to guarantee your protection use this patch, but you won’t be able to easily launch anything.

*UPDATE 2*

Well, the vulnerability’s threat profile has expanded:
If the .lnk is inside a document, Windows will execute the code.  Again, I hope this fizzles; if it doesn’t, I want folks to be aware.
*UPDATE3*  Listen to this videocast from Steve Gibson; it’s well explained.

http://www.twit.tv/sn258

There are several attack vectors.  It can be triggered via a webpage.  It may even be able to be done from within any browser… not just IE.  I just got done informing a client that this could have many more attack vectors due to this being a problem with the core of Windows.

*UPDATE 4* Normally I advocate caution in major patches.  This hole however is so important that I am going to immediately patch and then work around any issues this is going to cause.  Again, on Monday this patch gets released.  PATCH IMMEDIATELY!!!  Read the previous advisories I posted about this here.