Steven W
VIP
Posts: 2429
Joined: 2013-08-10 22:40

2021-07-07 07:34 »

https://www.theverge.com/2021/7/6/22565 ... tch-hotfix
Microsoft has started rolling out an emergency Windows patch to address a critical flaw in the Windows Print Spooler service. The vulnerability, dubbed PrintNightmare, was revealed last week, after security researchers accidentally published proof-of-concept (PoC) exploit code. Microsoft has issued out-of-band security updates to address the flaw, and has rated it as critical as attackers can remotely execute code with system-level privileges on affected machines.
https://msrc.microsoft.com/update-guide ... 2021-34527

https://www.catalog.update.microsoft.co ... =kb5004951

!
30%
Posts: 3127
Joined: 2013-02-25 18:36

2021-07-08 07:03 »

This is one of the first things in Windows that I disable; I've done it for ~20 years. :lol: :lol: :lol:

Steven W
VIP
Posts: 2429
Joined: 2013-08-10 22:40

2021-07-08 23:20 »

What exactly do you do? Shut down the spooler?

!
30%
Posts: 3127
Joined: 2013-02-25 18:36

2021-07-11 06:42 »

I have a thread somewhere where I showed that MANY services can be deactivated without any problems. Yes, just disable the service.

Steven W
VIP
Posts: 2429
Joined: 2013-08-10 22:40

2021-07-12 08:02 »

https://winbuzzer.com/2021/07/08/micros ... ng-xcxwbn/
We have been following the “PrintNightmare” vulnerability that affects the Windows Print Spooler. From an exploit PoC accidentally leaking online last week, to Microsoft this week issuing an emergency out of band patch. However, it seems threat actors have already found a way to work around Microsoft’s fix.

There’s no doubt that Microsoft rushed out the patch. In fact, I am struggling to think of a quicker response to an emergency from the company. So, maybe it is no surprise that a record-breaking patch may have some holes in it.


LOL, yeah like it's only the rushed patches that have issues.

Steven W
VIP
Posts: 2429
Joined: 2013-08-10 22:40

2022-02-02 05:36 »

! wrote:
2021-07-11 06:42
I have a thread somewhere where I showed that MANY services can be deactivated without any problems. Yes, just disable the service.
We should probably have that discussion of things to kill, particularly for dead (no longer supported) operating systems.

Right off the top of my head:

BITS (Background Intelligent Transfer Service)
UPNP (Universal Plug and Pray) :lol:
RDP (Remote Desktop Protocol)
Obviously, the Print Spooler
Windows Update Service (obviously if you're not using it...)

Steven W
VIP
Posts: 2429
Joined: 2013-08-10 22:40

2022-02-02 05:48 »

Obviously, ***most*** people running operating systems from MS that *are still supported/getting updates* probably don't want to kill BITS and the WU Service, but those running a computer that is *NOT* using any devices over a network could consider killing UPnP. Killing the Print Spooler, obviously, kills all printing...

Some browsers may have a setting to kill off printing in them too...

Steven W
VIP
Posts: 2429
Joined: 2013-08-10 22:40

2022-02-02 06:16 »

I know this is a bit old, but:

https://news.thewindowsclub.com/hackers ... ks-105464/
Background Intelligent Transfer Service, also known as BITS, is one of the Windows OS’s core features. It assists the Operating System in using idle network bandwidth to download necessary files. Now, reports claim that hackers are trying to use the BITS feature to download malicious payload to Windows systems by evading the firewall protection.

The new hacking technique works because activities done through the BITS job container can stay exempt from Windows Firewall surveillance. The Mandiant cyber forensics arm of FireEye found this during their analysis of several attacks last year.
Obviously, I'd like to think this was patched by MS (still supported versions of Windows, obviously), but it does prove the point.

Steven W
VIP
Posts: 2429
Joined: 2013-08-10 22:40

2022-02-02 06:37 »

You'll love this one:

https://www.wired.com/story/zloader-mic ... tion-hack/
The widely used malware ZLoader crops up in all sorts of criminal hacking, from efforts that aim to steal banking passwords and other sensitive data to ransomware attacks. Now, a ZLoader campaign that began in November has infected almost 2,200 victims in 111 countries by abusing a Windows flaw that Microsoft fixed back in 2013.

Microsoft calls its code-signing process “Authenticode.” It released a fix in 2013 that made Authenticode's signature verification stricter, to flag files that had been subtly manipulated in this way. Originally the patch was going to be pushed to all Windows users, but in July 2014 Microsoft revised its plan, making the update optional.
https://www.zdnet.com/article/malsmoke- ... erattacks/
"Microsoft addressed the issue in 2013 with a Security Bulletin and pushed a fix," the researchers say. "However, they stated after implementing it that they "determined that impact to existing software could be high." Therefore, in July 2014, they pulled the stricter file verification and changed it to an opt-in update. In other words, this fix is disabled by default, which is what enables the malware author to modify the signed file."
I have the fix in my XP download shit, but it's not activated. Don't necessarily think I should turn it on either. I don't wanna listen to people bitch. But, if you want it on:

https://docs.microsoft.com/en-us/securi ... dfrom=MSDN
For 32-bit versions of Microsoft Windows

Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension (for example, enableAuthenticodeVerification.reg).

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
You can apply this .reg file to individual systems by double-clicking it.

Note You must restart the system for your changes to take effect.
I guess if you don't like the results, turning it off should be easy:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="0"
Again, double-click, restart.

Steven W
VIP
Posts: 2429
Joined: 2013-08-10 22:40

2022-02-02 06:57 »

For thoroughness, assuming you're running a 64-bit version of XP - 10 with all the patches (***I assume***), don't know about 11, to implement the stricter verification:
For 64-bit versions of Microsoft Windows

Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension (for example, enableAuthenticodeVerification64.reg).

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
Again, I think shutting it off should be simple:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="0"

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="0"
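
An audit script that ties the two threads above together (the service kill-list and the EnableCertPaddingCheck .reg files). It is an added example, not code from the forum posts; it only reads state and changes nothing. The mapping from the posts' service descriptions to Windows service names (Spooler, BITS, SSDPSRV/upnphost for UPnP, TermService for RDP, wuauserv for Windows Update) is my assumption, as is the expectation that the Wow6432Node key exists only on 64-bit installs.

```powershell
# Added audit (not from the thread). Reports whether the services the posts
# suggest disabling are actually stopped/disabled, and whether the stricter
# Authenticode verification from the .reg files above is switched on.
# Service-name mapping is an assumption of this example. Run from an
# elevated PowerShell on the machine being checked.

$services = [ordered]@{
    'Spooler'     = 'Print Spooler (PrintNightmare, CVE-2021-34527)'
    'BITS'        = 'Background Intelligent Transfer Service'
    'SSDPSRV'     = 'SSDP Discovery (UPnP)'
    'upnphost'    = 'UPnP Device Host'
    'TermService' = 'Remote Desktop Services (RDP)'
    'wuauserv'    = 'Windows Update'
}

Write-Output '== Service state =='
foreach ($name in $services.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Output ("{0,-12} not present" -f $name)
        continue
    }
    # StartMode from WMI/CIM works on older releases where Get-Service
    # objects have no StartType property.
    $start = (Get-CimInstance Win32_Service -Filter "Name='$name'").StartMode
    $flag  = if ($svc.Status -eq 'Running') { 'RUNNING' } else { 'stopped' }
    Write-Output ("{0,-12} {1,-8} start={2,-9} {3}" -f $name, $flag, $start, $services[$name])
}

Write-Output "`n== Authenticode padding check (EnableCertPaddingCheck) =="
# Both hives, exactly as in the 64-bit .reg file; the Wow6432Node key is
# assumed to exist only on 64-bit Windows.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)
foreach ($p in $paths) {
    if (-not (Test-Path $p)) {
        Write-Output ("{0}`n  key absent (32-bit install or never configured)" -f $p)
        continue
    }
    $val = (Get-ItemProperty -Path $p -Name EnableCertPaddingCheck -ErrorAction SilentlyContinue).EnableCertPaddingCheck
    if ($val -eq '1')       { $state = 'ENABLED (strict verification)' }
    elseif ($null -eq $val) { $state = 'not set (default: lenient, opt-in fix not applied)' }
    else                    { $state = "set to '$val' (lenient)" }
    Write-Output ("{0}`n  EnableCertPaddingCheck = {1}" -f $p, $state)
}
```

The .reg files store the value as a string, which is why the comparison is against '1' rather than the integer 1.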
