
Windows non-LAN, wormable RCE 0-day discovered - nerdy
https://twitter.com/taviso/status/860681252034142208
======
buster
I'm curious what "don't need to be on the same LAN" means. If it would be
exploitable over the internet, wouldn't you just write that or even leave the
part about LAN out?

~~~
rdtsc
Because other remote vulnerabilities weren't exploitable outside the LAN. So
while they are "remote" it's a different class of "remote" so to speak.

------
Kenji
So little information. We will have to wait until this is patched to know more
about it, won't we.

------
mynewtb
I don't understand the LAN bit, does this mean 'over the internet'?

~~~
paulv
Yes. Non-LAN meaning the attacker doesn't have to be inside your home/work
local network.

~~~
londons_explore
It could mean two things.

Either it could mean it is not a requirement to be able to send broadcast
packets to the machine. Windows uses broadcast packets for lots of things,
like discovering UPnP devices, media centers, other machines' file/printer
shares, etc.

Or it could mean no need to have the ability to send the machine IP packets
directly, so one can attack even if the machine is behind NAT.

There are far fewer ways to attack a machine behind NAT with no user
interaction, but things like sending back false NTP or DNS responses, spoofing
windowsupdate servers, or some of the peer to peer services built into windows
sound like possible ways.

~~~
pdkl95

    s/NAT/firewall/g

NAT does _not_ provide security on its own, it's the firewall that drops
packets. Most of the time you see both together on the same device; it's very
rare to see a NAT-only device, which usually _will_ route packets to hosts on
the LAN.

~~~
rocqua
NAT certainly does provide basic security. If you aren't routable, they can't
set up a connection to you.

~~~
mshook
They can, it's called firewall punching...

Skype does that routinely: ever wondered how it can set up a point-to-point
connection without port forwarding?

So to agree with PP, NAT is not a firewall...

~~~
dec0dedab0de
I believe that's called ICE, and it still needs both clients aware that they're
about to connect, and making outbound connections to each other with the goal
of opening up source ports.

This does not negate the fact that NAT(PAT) provides protection against
directly connecting to a device.

~~~
mshook
If you know a bug in the DNS resolving stack of the client, you can make it
send a query to your DNS server and exploit it to establish a connection. So
no, it doesn't have to know it's about to connect.

A query is easily triggered by sending an email with an external picture
embedded or something like that.

Nothing NAT/PAT can protect you against.

~~~
dec0dedab0de
That's also something a firewall can't protect you against.

~~~
rocqua
The difference is that NAT doesn't track the counter party, so after you
reached out to the DNS, any other service can use the opened port to connect
to your PC.

With a stateful firewall, it tracks that the port was opened only for the DNS
server. If a connection to that port from a different IP address than the DNS
server is made, the firewall will block it.

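The distinction rocqua and dec0dedab0de are arguing about, as an added toy model that is not part of the thread: a NAT with endpoint-independent mapping and filtering (what RFC 4787 calls a "full cone" NAT) beside a stateful firewall that tracks the full 5-tuple. The LAN host sends one DNS query, as in mshook's scenario, and then both the real resolver and an unrelated host send a packet to the public port that query opened. All addresses and ports are constructed RFC 5737 example values.

```python
# Added toy model (not from the thread): a "full cone" NAT beside a stateful
# firewall, driven by the DNS-query scenario discussed above.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Minimal header fields; all addresses below are constructed examples."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


class FullConeNat:
    """Port translation with endpoint-independent mapping and filtering.

    Once an inside (ip, port) has sent anything out, the allocated public port
    is translated back to that host for packets from ANY remote address.
    RFC 4787 calls this a 'full cone' NAT; it is the behaviour rocqua describes.
    """

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        self._to_public: dict[tuple[str, int], int] = {}
        self._to_inside: dict[int, tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        inside = (pkt.src_ip, pkt.src_port)
        if inside not in self._to_public:
            self._to_public[inside] = self._next_port
            self._to_inside[self._next_port] = inside
            self._next_port += 1
        return Packet(self.public_ip, self._to_public[inside],
                      pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving on the public side, or drop it (None)
        when no inside host has ever used that public port."""
        inside = self._to_inside.get(pkt.dst_port)
        if inside is None or pkt.dst_ip != self.public_ip:
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1], pkt.proto)


class StatefulFirewall:
    """Connection tracking keyed on the full 5-tuple of flows seen going out.

    Only the exact reverse of a tracked flow is let in, so the remote address
    is part of the decision, not just the local port.
    """

    def __init__(self) -> None:
        self._flows: set[tuple[str, str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> Packet:
        self._flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return pkt

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return pkt if reverse in self._flows else None


def run_scenario(with_firewall: bool) -> tuple[bool, bool]:
    """One DNS query goes out; return (resolver_reply_delivered,
    attacker_packet_delivered) for the public port that query opened.

    The firewall sits on the public side of the NAT and tracks translated
    addresses, as a home router's conntrack does.
    """
    nat = FullConeNat(public_ip="203.0.113.10")
    fw = StatefulFirewall() if with_firewall else None

    client = ("192.168.1.20", 53001)    # constructed LAN host
    resolver = ("198.51.100.53", 53)    # constructed DNS server
    attacker = ("192.0.2.66", 4444)     # constructed unrelated host

    public_query = nat.outbound(Packet(*client, *resolver))
    if fw:
        fw.outbound(public_query)
    public_port = public_query.src_port

    def deliver(pkt: Packet) -> bool:
        if fw and fw.inbound(pkt) is None:
            return False
        return nat.inbound(pkt) is not None

    reply = Packet(*resolver, nat.public_ip, public_port)
    spoof = Packet(*attacker, nat.public_ip, public_port)
    return deliver(reply), deliver(spoof)


if __name__ == "__main__":
    print("NAT only:          reply=%s attacker=%s" % run_scenario(False))  # (True, True)
    print("NAT + stateful fw: reply=%s attacker=%s" % run_scenario(True))   # (True, False)
```

The caveat a practitioner would add: RFC 4787 also defines address- and port-dependent filtering, and many consumer NATs implement it, which makes them behave like the stateful firewall here without being marketed as one. Whether "NAT alone" protects the port opened by an outbound DNS query therefore depends on which filtering behaviour the specific device has, which is why the two sides of this argument can both point at real devices.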
------
ENTP
A wild stab in the dark: remote code execution using a standard codec/library,
easily triggered in the context of an ad.

------
atroll
does this mean that it can be triggered by a web browser ?

------
disposablename
Clickbait title? Zero info? Windows is evil! To the front of hacker news we
go!

~~~
anon1385
Are you suggesting that Tavis Ormandy is making this up?

This is upvoted because of the reputations of the people reporting it and
because it sounds very serious. It's nothing to do with any kind of anti-
Windows agenda.

~~~
UnoriginalGuy
There's absolutely zero info.

So even if he isn't making it up, there's still nothing to discuss on this,
and he's ratcheted the hype up to 11.

~~~
rdtsc
> there's still nothing to discuss on this,

Oh I think there is a lot to discuss. How Windows has handled vulnerabilities
in the past. Can talk about how disclosure works. Maybe mention recent Intel
vulnerabilities as well. Connect it to the CIA and NSA leaks and their hoarding
of 0-days, and so on.

