Hacker News new | past | comments | ask | show | jobs | submit login
Microsoft Patches Six Zero-Day Security Holes (krebsonsecurity.com)
243 points by parsecs 51 days ago | hide | past | favorite | 66 comments



So these vulns weren't needed any more by some 3 letter agency? Or were they being used by someone a 3 letter agency didn't like? Or were about to be?

Security warfare is fascinating to watch from the mud huts.


–CVE-2021-33742, a remote code execution bug in a Windows HTML component.

Acknowledgements: Clément Lecigne of Google’s Threat Analysis Group

–CVE-2021-31955, an information disclosure bug in the Windows Kernel

Acknowledgements: Boris Larin (oct0xor) of Kaspersky Lab

–CVE-2021-31956, an elevation of privilege flaw in Windows NTFS

Acknowledgements: Boris Larin (oct0xor) of Kaspersky Lab

–CVE-2021-33739, an elevation of privilege flaw in the Microsoft Desktop Window Manager

Acknowledgements: Jinquan(@jq0904) with DBAPPSecurity Lieying Lab


An interesting tidbits is Google's Project Zero was known to discover zero day used by Western government agencies for counterterrorism operation and made such vulnerability patched.


Any chance you have a source handy? P.S. your tgs link is 404


Interesting. Are you conspiracy theorizing or is there a reputable basis for this?


> is there a reputable basis for this?

Yes. The NSA has disclosed hoarded zero-days to Microsoft when they have fallen into the hands of people they did not like. See the Shadow Brokers incident [1]:

> the critical vulnerabilities for four exploits previously believed to be zero-days were patched in March, exactly one month before a group called Shadow Brokers published Friday's latest installment of weapons-grade attacks

Obviously, the problem with this is that the NSA were unaware their zero-days had fallen into enemy hands until the Shadow Brokers very publicly advertised the fact that they had them.

[1]: https://arstechnica.com/information-technology/2017/04/purpo...


Take the EternalBlue exploit [1] as an example, NSA had been aware of the vulnerability for years, but only informed Microsoft once it slipped out of their control:

"The NSA did not alert Microsoft about the vulnerabilities, and held on to it for more than five years before the breach forced its hand. The agency then warned Microsoft after learning about EternalBlue's possible theft, allowing the company to prepare a software patch issued in March 2017,[19] after delaying its regular release of security patches in February 2017.[20] On Tuesday, March 14, 2017, Microsoft issued security bulletin MS17-010,[21] which detailed the flaw and announced that patches had been released for all Windows versions that were currently supported at that time

...

Many Windows users had not installed the patches when, two months later on May 12, 2017, the WannaCry ransomware attack used the EternalBlue vulnerability to spread itself"

[1] https://en.wikipedia.org/wiki/EternalBlue#Details


A reputable basis for three letter agencies failing to report zero days? Yeah, it's called Zerodium.


–CVE-2021-33742, a remote code execution bug in a Windows HTML component.

The only one that stands out as being a real concern, but who's willing to bet it requires JS to exploit (or even if not, the attackers prefer to obfuscate it using JS)? Turning off JS by default in IE is probably the single most effective way of preventing these attacks. Even if you don't use IE, it'll greatly reduce the attack surface. I've browsed the shadier parts of the Internet for literally decades this way.


> Turning off JS by default in IE

But the only reason to use IE is for enterprise apps that probably require JavaScript to function.

And the ability to toggle JavaScript is probably locked down by Mordac the Preventer, aka group policy.


Fortunately IE lets you apply different settings to groups of sites, so you can stop JS from any random site on the Internet while allowing the enterprise apps that need it:

https://support.microsoft.com/en-us/windows/change-security-...

This is one of the notable features missing from Edge.


Only if the Mordac did not do the job properly, as it can also be disabled in AD.


You may not be using IE directly, but it's embedded in many places where it may still work very well without JavaScript (e.g. the CHM help viewer).


We see JS as insecure because we can turn it off, and it's history is pretty bad. We can't turn off parsing, rendering, and other features necessary to display a webpage - and those are just as well exploited. JS at least gets multi layered sandboxing and isolation.

Modern browsers are not well fit for security and anonymity. Torbrowser is the only one that actually removes tracking data and the wider attack surfaces of modern browser features like webgl. However it's still not 'secure'. You still have plenty of features that come from complex codebases, such as media decoders.


I was told at my last workplace that continuing to use IE was a war crime.


If it required JS it would not be a bug in Windows HTML component.


It's a bug in Trident/MSHTML, which includes a 'JScript' engine.

Anecdotally code execution exploits in pure HTML (that don't require JS) are exceedingly rare, so it is unlikely it doesn't use JS.


Turning off JS is not the single most effective way.

Turning off the internet. Or your PC entirely is.

Just not visiting most of the Internet is a solid move too, JS or not.


> Microsoft also patched five critical bugs — flaws that can be remotely exploited to seize control over the targeted Windows computer without any help from users.

seems pretty bad...


So wait, Microsoft is still making patches for Windows7, they just aren't supplied via the windows-update ?

https://www.catalog.update.microsoft.com/Search.aspx?q=KB500...

Is there a third party program that finds/installs the windows 7 updates?


Extended Support ended January 14, 2020, however Microsoft is offering Extended Security Updates (ESU) until January, 2023. It's a paid program to extend security patches, having to be paid once a year for each of the 3 years; so only truly desperate companies are paying for this privilege.

[1] https://docs.microsoft.com/en-us/lifecycle/faq/extended-secu...

[2] https://techcommunity.microsoft.com/t5/windows-it-pro-blog/y...


But the Update Catalog shows updates that you can apparently download as usual for Windows 7 in this case. There is a specific rationale given on at least one of the reports[1] for why a patch is still being issued even though Windows 7 is out of support. So I'm not sure this time it has anything to do with ESU.

[1] https://msrc.microsoft.com/update-guide/en-US/vulnerability/...


Last week I saw a friend using dot net software that scrapes the Catalog, automatically downloads all patches and applies them to the system. It's apparently common in enterprises without an ESU subscription... I was quite surprised and amused


If that software is available to the public it would be a great service to name or link it if you can find out what it is.


It's not public because of licensing. But it's a simple reimplementation of https://www.wsusoffline.net.

Source code here: https://gitlab.com/wsusoffline/wsusoffline


Hahah, that's actually awesome. Of course someone out there put in the leg work to work around the licensing issue, and then shared it to the (minor?) masses.


Incidentally I just finished building a new Win7 machine yesterday and applying all the updates.

You are correct, this one wasn't caught organically through Windows Update. I had to install the KB4555449 Servicing Stack update first (https://www.catalog.update.microsoft.com/Search.aspx?q=KB455...), after which I was able to install the patch you linked. Did it on two machines (one freshly formatted, one old) and it took several minutes on each to install (longer than a typical update), and required a reboot after.


Rollup Patches following 2020-01 will install and then rollback after reboot if you're not following the ESU requirements. Most likely the new patch just rollbacked and you're still on KB4534310.


Are these on the same level as Stuxnet? For an amazing technical deep dive into each 0-day Stuxnet vulnerability watch this talk with Bruce Dang from Microsoft[1]. I really enjoy his natural speaking style (it's like talking about Stuxnet over beers with him).

[1] https://youtu.be/rOwMW6agpTI?t=409


Do the Microsoft links not work for anyone else too? I get a "Something went wrong" error on all the links. Would like to read more about specific vulns.


Microsoft is asking the user to enable Javascript. There is no technical reason in this case why Javascript is necessary.

https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/...

https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/...

https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/...

https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/...

https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/...

https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/...

https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/...

https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/...

To add insult to injury, Microsoft's server refuses to honour the Accept-Encoding header, e.g., setting the value to "identity" has no effect. It returns compressed content no matter what, even when the content size is very small.

To create a simple HTML page with all the info you need, no Javascript required

    sed '/^e/!s/^/url=/'<<eof|curl -K-|gzip -dc|sed 's/",/\"<br>/g;s/\\n//g' > 1.htm
    https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-33742
    https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31955
    https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31956
    https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-33739
    https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31201
    https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31199
    https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31959
    https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31963
    eof 
    firefox ./1.htm


   tnftp instead of curl
   
   ftp -4o'|zcat' $(printf "%s\40" $(cat<<eof
   https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-33742
   https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31955
   https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31956
   https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-33739
   https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31201
   https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31199
   https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31959
   https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-31963
   eof
   ))|sed 's/",/\"<br>/g;s/\\n//g' > 1.htm;
   firefox ./1.htm


There is a technical reason: they want to track you.


s/you/members of the public/


I love your use of piped commands in your comment history, thanks so much for these examples.


[flagged]


I think the term you are looking for is “abacus”. Just use an abacus.


Or even better, just don’t write bugs.


uhh... there are zero-days in linux distros


I use Linux exclusively. You don't need a zero-day when everyone forgets to patch or takes a month to do so. To say nothing of the documented vulnerabilities with no available patch.


How many are RCEs though?

There was the bluetooth thing but patches for that were available instantly.


Just use templeOS...


[flagged]


Yeah, let's get that weather app engineer working on NTFS privilege flaws.


And why not :)

People have different preferences for what they like to work on, but you seem to be implying the weather app engineers are incapable of doing that work. Like they're some kind of lower caste that must be kept away from working on security mitigations for filesystem drivers.

I don't believe there's some category of human that's capable of shipping Windows 10 feature apps, and only that. People can move internally! People can leave and other people can be hired. It's all priorities and task allocation.

The impression I get (and please correct me) is not really that there's an oversupply of news feed app builders on the market, but that the Windows team at Microsoft has been shifting to more user-facing features rather than internal deep kernel work.


There are more than 1500 developers working on visual studio alone ( not VS code).

I'm pretty sure that a developer that wants to switch can and not many kernel developers would be impacted in total.

Besides, paint and notepad getting a make-over doesn't make a dent of difference for a company at this size.


There are many engineers who do super-boring stuff as main work, working on mind-bogglingly hard problems afterhours.

Also that weather-widget engineer could do some basic tasks offloading more experienced engineer, who would offload even more experienced engineer until that chain of offloading makes enough time for NTFS-ninja to hunt down and fix that bug or write a fuzzer that finds new zero-days.


What a silly straw man. Engineers may not be fungible but funding is.


So they shouldn't fund adding local weather to task bar while there are potential security flaws anywhere in the OS? This seems like a sillier straw man.


You have to look at the customers. If you push for Linux throughout your organisation and you got hit with a linux zero day, it's your fault.

If you use MS, then it's Microsoft s fault, you won't be blamed because almost everyone was exposed to it and you got hit.

These companies also have older workforce who are used to windows and the switch would be difficult. Yes I know some older users would be fine but that is not the majority.

It's similar to the "no one got fired for buying oracle" situation


You can push for Linux with paid support, from a vendor like RedHat.

Being Linux-based does not preclude support.


I don't think you can. MS offers a lot of things "for free".


absolutely. and if there is a skill gap then train them so they can.


Training isn’t some magical way to transform an engineer with a skill set into one with a different skillset.

I don’t think it’d be possible to train the React dev in kernel programming unless they had a serious interest in low level stuff to start with.


That’s a ridiculous claim. Kernel programming isn’t some fantasy world where only the most passionate developers can do effective work. Most software engineers are web engineers because that’s where the market says they should focus. It says nothing about talent or ability to learn. smh.


Haha yeah... I think it shows where their overall focus is placed.


are these the six zero days that were used to get those bit coins back?


State actors don't need zero days to take control of a rented server.


But they might need one to parallel construct the chain of evidence needed to find who you're renting the server from.


True.


No


Wow... patch tuesday analysis from a reporter who doesn't know how virus total works https://twitter.com/silascutler/status/1383085248381128715


There is nothing in their terms of service or privacy policy that says personal information can't be used for an ongoing investigation.. just that it can't be used by "the Community". They even say that they collect personal information when submitting. When it is shared with the Community at large, it is assigned a non-personal identifier.


I view Krebs as a tabloid. It is a stopgap for layman's with slightly above average opsec knowledge. It is rather dangerous because he is wrong or misrepresents reality rather often. And there's something sensationalist about every article. They always have this rushed, panic driven, sophomoric writing style.

To quote a comment I read on HN once, "Krebs is a security entertainer, not a security researcher."


Could you provide some examples to bolster your claim about this person's journalistic integrity?

There are some technical details that may be abstracted or analogized in less-than-accurate fashion, but I don't recall reading an article or post and thinking "gosh, that's just _wrong_"


Ok,

[1] https://itwire.com/security/infosec-researchers-slam-ex-wapo...

[2] Note: This looks like the same issue as above, but it is separate; https://itwire.com/security/krebs-accused-of-doxxing-man-bas...

To his credit, he never claims to be a hands-on researcher who disassembles and analyzes malware himself. I guess that's why I scratch my head when people point to his work as substantial. He has no skin in the game, no hands on technical experience, and just reblogs more technical articles from actual experts. His only real experience is getting personally hacked and hijacked.

Also, to clarify I never questioned his journalistic integrity. I just think he's a mediocre writer. It's his style that I, personally, don't like. One thing he does that I can't wrap my head around is writing about himself in the third person. He uses phrases like "...this author..." in reference to himself. Most authors would not be injecting themselves into a journalistic piece in the first place, but to do it with such bravado is awkward for the reader. Am I supposed to be impressed that you operate a WordPress blog?



He's generally a "good guy", but if you haven't figured out he's a cowboy, just read more of his shit.

Any of it, really.




Applications are open for YC Winter 2022

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: