Stefan Prandl

Wormable windows exploit now in the wild, patch now!

Every now and then some smart security researcher discovers a bug inside Windows that results in an exploit that could be used to take out most machines on earth. Usually when this happens the result is eventually a worm of some kind that goes on to cause some level of damage. The amount of damage depends entirely on how long ago the Windows exploit was actually patched, and which versions of the operating system were affected (did you ever update your Windows XP? I didn’t). Given that Windows 10 these days pretty much forces you to update outside of a business context, generally you’re pretty okay. However, patches can’t always be applied immediately, especially in the case of Windows Servers, which very often need to be kept stable and available, otherwise people can’t access whatever services are running on them. These are usually the machines the bad guys want to target, as they have juicy data (and networks) behind them, and sometimes the outcome can be rather bad. For an easy example of how bad it can get, remember back to that one time NotPetya took out the NHS.


Last week it was discovered (through routine reverse engineering of the Windows Patch Tuesday security patches) that Microsoft had recently patched a… rather problematic exploit. This exploit was discovered by a Chinese researcher sometime in the last few months, who disclosed the existence of the bug to Microsoft (which is by far the best thing to do with these kinds of exploits; this could easily have become a potent cyberweapon in the wrong hands). It basically allows anyone with access to any service running on a Windows machine to execute just about anything, really. This is done without authentication, so you can take over machines without having to log into them, which is very considerate of Microsoft as I often forget other people’s passwords. The existence of this kind of exploit implies that (if there isn’t one already) there’s about to be a very powerful Windows worm on the Internet that will be able to assume control of machines regardless of which services are being run. If it’s visible from the open net, it’s vulnerable. To make it doubly problematic, even if this doesn’t come to pass, the exploit allows a sort of skeleton key access to any Windows machine… meaning that if you’re an attacker inside a network, this is a really easy way to assume control of any machine you can talk to.

If you’re not technical, the best advice I have for you is to make sure your IT team has patched every Windows machine in your organisation recently… and by recently I mean at least once since Tuesday the 12th of April. If they haven’t, your Windows machines are vulnerable. Impact wise, if you run external-facing services on Windows Servers, a worm could take control of one of those servers and use it to pivot into the rest of your network… and if your network runs all Windows machines, they could very easily ransom your entire network. So it’s not great, and you probably want to update your machines. Preparing for and updating Windows machines shortly after Microsoft’s Patch Tuesday (the second Tuesday of every month) is a good way to ensure you’re protected from most Windows exploits.


If you are technical, well, this is far more interesting. As we all know, the most chronically vulnerable network service on Windows Server is the SMB service, used for basically everything that a Windows network would want to do. That’s basically been responsible for Blaster, Conficker, WannaCry, NotPetya… and basically every other major worm that we’ve ever seen pass through Windows systems. This one is different! It’s a vulnerability affecting Windows RPC itself. What is Windows RPC, you might ask? Why, it’s the remote procedure call capability inside Windows services. It’s responsible for the functioning of basically every service on a Windows machine, including some that aren’t just mainline services. Some crafty companies I know run some of their remote services through remote procedure calls, and they will want to be paying attention to this because it means that their services are also vulnerable. If you’re looking for a comparison, it’s as if we found a vulnerability in iron and now everything made of iron is susceptible to compromise. Hammers, swords, building materials… basically everything suddenly becomes a target, and the only way to fix it is to replace the compromised iron, or to stop using it (which really isn’t possible).

Mitigation is to firewall services relating to Windows Servers to keep them invisible to the open Internet. This will reduce the impact of the problem… but it still won’t save you, as if attackers get into your network via any means, they now have a skeleton key to all of your machines. The only real solution is to patch, and patch quickly... and given that this will need to be done for all of your Windows servers (where patching can be notoriously tricky)… I think most of us are gonna have a very fun weekend. Conveniently, we here at Hyprfire work entirely on UNIX, so this isn’t really a problem for us. That said, we certainly are preparing to help out in detecting early worm access and misuse of Windows protocols using Firebug.
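As an added example that is not from the original post or from Hyprfire, here is a PowerShell check for the two actions the post recommends: confirming that updates have been installed since the most recent Patch Tuesday (computed as the second Tuesday of the month, as the post describes) and listing enabled inbound firewall rules that expose the RPC endpoint mapper to any remote address. The port number (TCP 135), the RPCEPMap keyword and the NetSecurity cmdlets are assumptions of this example, not details from the post.

```powershell
# Added example, not from the original post or from Hyprfire.
# Checks the two things the post asks for: (1) has this host received updates
# since the most recent Patch Tuesday (second Tuesday of the month), and
# (2) do enabled inbound firewall rules expose the RPC endpoint mapper
# (TCP 135, an assumption of this example) to any remote address?
# Requires the NetSecurity cmdlets (Windows 10 / Server 2012 R2 and later).

function Get-LastPatchTuesday {
    param([datetime]$Reference = (Get-Date))
    # First day of the reference month, then the second Tuesday after it.
    $first  = (Get-Date -Year $Reference.Year -Month $Reference.Month -Day 1).Date
    $offset = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    $second = $first.AddDays($offset + 7)
    # Before this month's Patch Tuesday? Then last month's is the most recent.
    if ($Reference.Date -lt $second) {
        return Get-LastPatchTuesday -Reference $first.AddDays(-1)
    }
    return $second
}

function Test-PatchedSince {
    param([datetime]$Since = (Get-LastPatchTuesday))
    # Get-HotFix lists installed updates; InstalledOn is empty for some entries,
    # so only dated entries count as evidence of patching.
    $recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn.Date -ge $Since.Date }
    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Since    = $Since.ToString('yyyy-MM-dd')
        Patched  = [bool]$recent
        HotFixes = ($recent.HotFixID | Sort-Object -Unique) -join ','
    }
}

function Get-ExposedRpcRules {
    # Enabled inbound allow rules that open TCP 135 (or the RPCEPMap keyword, or
    # every port) to an unrestricted remote address scope.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        ($port.Protocol -in 'TCP', 'Any') -and
        ($port.LocalPort -contains '135' -or $port.LocalPort -contains 'RPCEPMap' -or $port.LocalPort -contains 'Any') -and
        ($addr.RemoteAddress -contains 'Any')
    } | Select-Object DisplayName, Profile, Group
}

Test-PatchedSince | Format-List
Get-ExposedRpcRules | Format-Table -AutoSize
```

Pass `-Since` to `Test-PatchedSince` to check against a specific date instead of the computed Patch Tuesday; a `Patched` value of `False`, or any rule listed by `Get-ExposedRpcRules`, means the host needs attention.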
