April 13, 2016

Microsoft released fixes on Tuesday to plug critical security holes in Windows and other software. The company issued 13 patches to tackle dozens of vulnerabilities, including a much-hyped “Badlock” file-sharing bug that appears ripe for exploitation. Also, Adobe updated its Flash Player release to address at least two dozen flaws — in addition to the zero-day vulnerability Adobe patched last week.

Source: badlock.org


The Windows patch that seems to be getting the most attention this month remedies seven vulnerabilities in Samba, a service used to manage file and print services across networks and multiple operating systems. This may sound innocuous enough, but attackers who gain access to a private or corporate network could use these flaws to intercept traffic, view or modify user passwords, or shut down critical services.

According to badlock.org, a Web site set up to disseminate information about how widespread the threat posed by this vulnerability is, we are likely to see active exploitation of the Samba vulnerabilities soon.
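The attacks described above rely on a man-in-the-middle position against SMB/DCE-RPC traffic. The following is an added example, not code from this post or from the Samba project: a small smb.conf audit that parses the file and flags signing settings that are negotiable or off rather than enforced. It assumes that enforcing signing (`server signing` and `client signing` are real smb.conf parameters; the sample configs are constructed) is the control you want against that class of interception, and that Samba normalizes parameter names case-insensitively.

```python
"""Audit an smb.conf for SMB signing settings that leave sessions negotiable.

Added example, not from the original post or the Samba project. Assumes
enforcing signing is the control of interest for MITM-class attacks on
SMB/DCE-RPC. The parameter names below are real smb.conf options; the
two sample configs are constructed for the demonstration.
"""
import re
from typing import Dict, List, Optional, Tuple

# `client signing` governs the member's own client connections (e.g. winbindd
# talking to its DC); `server signing` governs what smbd accepts from clients.
SIGNING_PARAMS = ("server signing", "client signing")

# Only "mandatory" refuses unsigned sessions outright.
OFF_VALUES = {"disabled", "no", "false", "off"}


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf text into {section: {parameter: value}}.

    Skips blank lines and '#'/';' comments, lower-cases parameter names and
    collapses internal whitespace so 'Server  Signing' matches 'server
    signing' (assumption: Samba treats names case-insensitively). Lines
    before any [section] header are filed under 'global'.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            continue
        if "=" not in line:
            continue  # not a parameter line; ignore it
        key, _, value = line.partition("=")
        key = " ".join(key.lower().split())
        sections.setdefault(current, {})[key] = value.strip()
    return sections


def audit_signing(sections: Dict[str, Dict[str, str]]) -> List[Tuple[str, Optional[str], str]]:
    """Return (parameter, value, finding) for each signing parameter in [global]."""
    glob = sections.get("global", {})
    findings: List[Tuple[str, Optional[str], str]] = []
    for param in SIGNING_PARAMS:
        value = glob.get(param)
        if value is None:
            findings.append((param, None, "unset: relies on the role default; set it explicitly"))
        elif value.lower() == "mandatory":
            findings.append((param, value, "ok: unsigned sessions are refused"))
        elif value.lower() in OFF_VALUES:
            findings.append((param, value, "weak: signing is turned off"))
        else:
            findings.append((param, value, "weak: signing is negotiated, not enforced"))
    return findings


def weak_params(text: str) -> List[str]:
    """Names of signing parameters that are not enforced in the given config."""
    return [p for p, _, note in audit_signing(parse_smb_conf(text)) if not note.startswith("ok")]


# Constructed sample: a domain member that negotiates signing on the server side
# and never sets the client side at all.
WEAK_CONF = """
# constructed sample smb.conf, not from any real host
[global]
   workgroup = EXAMPLE
   security = ads
   server signing = auto
   ; client signing deliberately left unset
[homes]
   browseable = no
"""

# Constructed sample with both directions enforced.
HARDENED_CONF = """
[global]
   workgroup = EXAMPLE
   security = ads
   Server  Signing = mandatory
   client signing = mandatory
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name)
        for param, value, note in audit_signing(parse_smb_conf(conf)):
            print(f"  {param} = {value!r}: {note}")
```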

Two of the Microsoft patches address flaws that were disclosed prior to Patch Tuesday. One of them is included in a bundle of fixes for Internet Explorer. A critical update for the Microsoft Graphics Component targets four vulnerabilities, two of which have been detected already in exploits in the wild, according to Chris Goettl at security vendor Shavlik.

Just a reminder: If you use Windows and haven’t yet taken advantage of the Enhanced Mitigation Experience Toolkit, a.k.a. “EMET,” you should definitely consider it. I describe the basic features and benefits of running EMET in this blog post from 2014 (yes, it’s time to revisit EMET in a future post), but the gist of it is that EMET helps block or blunt exploits against known and unknown Windows vulnerabilities and flaws in third-party applications that run on top of Windows. The latest version, v. 5.5, is available here.

On Friday, Adobe released an emergency update for Flash Player to fix a vulnerability that is being actively exploited in the wild and used to foist malware (such as ransomware). Adobe updated its advisory for that release to include fixes for 23 additional flaws.

As I noted in last week’s piece on the emergency Flash Patch, most users are better off hobbling or removing Flash altogether. I’ve got more on that approach (as well as slightly less radical solutions) in A Month Without Adobe Flash Player.

If you choose to update, please do it today. The most recent version for Mac and Windows users is 21.0.0.213, and should be available from the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera). Chrome and IE should auto-install the latest Flash version on browser restart (I had to manually restart Chrome to get the latest Flash version).


64 thoughts on “‘Badlock’ Bug Tops Microsoft Patch Batch”

  1. yyz guy

    Regarding Badlock:
    In a corporate active directory environment, do we only need to worry about domain controllers? That’s where all the user information is stored. It’s not clear to me from any of the resources available why there should be a rush to patch non-domain controllers to mitigate Badlock.

    1. timeless

      This is a good write-up of Badlock:

      http://rhelblog.redhat.com/2016/04/15/how-badlock-was-discovered-and-fixed/

      «CVE-2015-5370 is a Samba issue, also allowing a DCE RPC server to cause an overallocation of a memory at the client side and a subsequent crash. The conditions are hard to meet, to be fair, but not impossible. The context is what matters here. The ‘client’ here could be a Samba smbd or winbindd daemon talking to another DCE RPC server. Such clients are typical for Samba serving as a domain member in an Active Directory domain or in a traditional NT4-style domain. A winbindd daemon would use a channel connection to talk to its Domain Controller to ask it for a user or group resolution, or other operations. If this connection could be taken over by the man in the middle, it could cause the winbindd daemon on the domain member to crash and, perhaps, execute remotely supplied code.

      The winbindd daemon runs under root privileges. A remote code execution means taking over the server in question. Even if the domain member’s integrity is not compromised, a vulnerable implementation could be used to take over the secure channel on that domain member. This gives an intruder the privilege to talk to a Domain Controller with the credentials of a machine enrolled into the domain. It opens a number of possible vectors for an attack: setting up a honey pot to wait until a domain administrator logs in to one of them.»

      In short, if you have any devices that speak SMB (server message block), you should update them. Or disable all software on the device that speaks SMB/DCE (the underlying vulnerable protocol).

      Badlock is a series of bugs based on the protocol, as opposed to simply a bug in one implementation (e.g. Microsoft’s).

      I’m not sure when we’ll start seeing active exploits or when it starts being added to exploit kits or viruses, but I won’t be shocked by any of these outcomes.

      1. syed

        Hey, I would like to know: I have 3 servers. One has Samba server 3.0 and the other two have only samba-winbind 3.6.23 and samba-client 3.6.23.

        As my Samba server is out of danger, how do I also patch the other 2 machines with winbind and client?

        Please help.

  2. Charles

    and among the IMPORTANT updates:

    https://support.microsoft.com/en-us/kb/3035583

    Update installs Get Windows 10 app in Windows 8.1 and Windows 7 SP1

    This update installs the Get Windows 10 app that helps users understand their Windows 10 upgrade options and device readiness. For more information about Windows 10, see Windows 10.

    This update applies to Windows 8.1 and Windows 7 Service Pack 1 (SP1). Before you install this update, check out the Prerequisites section.

    1. ChrisJ

      Yep, and that sucker reappears even after you’ve chosen to Hide the update. It’s maddening.

      1. coakl

        Maddening? It makes little financial sense. Microsoft withdraws from retail sale two operating systems that people are quite willing to pay for, XP and 7, while pulling out the stops to give away for free an OS that few people want (10).

        From a shareholder perspective, MS should be offering retail pricing on XP support (not just to corporate/government clients), and continue to sell Win 7 to all customers. To do otherwise is simply leaving money on the table.

        1. timeless

          Eh?

          Maintenance is a very expensive thing. Testing is also expensive.

          Marketing is much harder when you don’t have a unified message. It’s hard to tell developers to use a new API if it will only be available for a fraction of the potential user base – because a vendor choosing to do that is unable to sell to the portion without that API, limiting sales.

          By unifying its user base, Microsoft makes its development platform more appealing. It also reduces its costs, and simplifies its support structure.

  3. Ellen Camner

    Brian…I received an email report yesterday that really shocked me: It seems that some of the most popular/widely used Firefox addons pose a security vulnerability: NoScript (!!), WOT and others. As far as I can interpret, each Firefox extension is a separate “entity,” not part of a single extension architecture, and is therefore a vulnerability. I immediately disabled the above. But NoScript?? Oh, no! Here I was thinking how secure this critical extension is, but according to the report, it turns out that there is a false sense of safety, like the revelation of PayPal’s last 4 digits of your Social Security number “security.” I feel terribly vulnerable without NoScript.

    1. CooloutAC

      I’ve gone back to Chrome and Chromium, since Firefox was considered too easy to hack to include in this year’s Pwn2Own contest.

      There is something similar to NoScript on Chrome called ScriptSafe, which is a little more strict than NoScript and shows more scripts. Chrome also handles plugins differently than Firefox, so they are considered more secure when used on Chrome.

      1. coakl

        I found uMatrix to be a good NoScript substitute on Chrome. It’s actually easier to use than NoScript, with its graphical grid of all the “stuff” the site and 3rd parties want to run. Very easy to turn things on and off, you can be very specific (e.g. block iframes, but allow everything else from a site). Note: all selections are temporary, for that browser session only. To make your selections stick, you have to go to the My Rules tab in settings and make that choice (it’s one click for the entire session, but you have to remember to go there).

        uMatrix’s default is: allow for the first-party site (what’s in the URL box), and deny for 3rd parties, except for images. You may want to change that if you’re uncomfortable. Since Chrome’s sandbox is much better than Firefox’s, I’ll take this trade of convenience vs. security. The uMatrix settings have several site blocking options using the *contents* of several HOSTS files. I’m not using them, as that increases the memory and CPU footprint. And I already have a modified HOSTS file in place.

        If there’s a disadvantage to uMatrix, it’s memory consumption. You can see it on the Chrome Task manager. 15-45 MB or so, sometimes more. More efficient than AdBlock and not a surprise to veteran Chrome users. But I come from the old school and I hate seeing even a 15 MB process.

    2. Hacker

      Ellen,

      Firefox addons are vulnerable to other Firefox addons. These are not remotely exploitable by visiting malicious web pages.

      Keep NoScript enabled. You are much much safer with it on.

    3. timeless

      I think a better way to look at this is a water park / swimming pool.

      Often you will go to a place which has a baby pool, a separate free swim pool, a pool for swimming laps, and another for diving. When you let someone into a pool, you share the pool with them. If they foul it up, everyone in that pool is affected.

      Firefox the application shares its pool with all extensions you add to Firefox. The pool is not the same as the pool it uses for web sites.

      The complaint in question was basically “anyone I let in the pool can pee on everything else in the pool.” It’s true, but silly. You shouldn’t take a baby into the free swim pool, and you shouldn’t put a child of unknown abilities in there either — get assurances first.

  4. DaaBoss

    Ellen, what are your sources for the Firefox plugin security problems, and how to mitigate these?

    1. EstherD

      Google “NPAPI security”. Then enjoy your lunchtime reading (about 200K hits).

      Only way to “fix” this problem is to turn off NPAPI support completely, as Chrome has already done, and Firefox will also do soon enough. Mozilla has already shut off NPAPI completely (except for Flash — go figure!) in the Win64 releases of Firefox starting a few major releases ago (42 or 43, I think).

      1. timeless

        NPAPI has nothing to do with Firefox extensions.

        NPAPI entities are actually sandboxed from each other. They’re also almost entirely out of business. They enabled media processing before browsers natively supported such things.

        Extensions are a way to rewrite functionality of browsers, and essentially they work by having their code injected into the browser.

  5. NotAnExpert

    Ellen/DaaBoss,

    For a good article on the Firefox addon concern, see the article on Ars Technica dated 5 April 2016.

    http://arstechnica.com/security/2016/04/noscript-and-other-popular-firefox-add-ons-open-millions-to-new-attack/

    Firefox allows installed extensions to call other extensions’ code. As a result, if the user installs a malicious extension, it can call other addons’ functions to help perform malicious actions. So the first step is to be very careful about what extensions you install.

    The biggest concern was that the researchers were able to submit a proof-of-concept extension that passed Mozilla’s review process. This means that some compromised extensions could appear legitimate.

    So, having NoScript is not a vulnerability. Downloading a compromised addon is the issue.

  6. Tom R.

    “The Windows patch that seems to be getting the most attention this month remedies seven vulnerabilities in Samba, a service used to manage file and print services across networks and multiple operating systems.”

    Samba isn’t a Microsoft product, it’s an open-source GPL product not affiliated with MS in any way. Samba is the open-source implementation, used on Linux and Unix, of the proprietary Server Message Block protocol developed by Microsoft. Samba is not used on any Windows system.

  7. Alan

    Microsoft appears to be actively discouraging Windows 10 users from downloading EMET 5.5. Read the Microsoft blurb concerning EMET 5.5 here: “With Windows 10 we have implemented many features and mitigations that can make EMET unnecessary on devices running Windows 10. EMET is most useful to help protect down-level systems, legacy applications, and to provide Control Flow Guard (CFG) protection for 3rd party software that may not yet be recompiled using CFG.”
    Does this comment from Microsoft.org concerning EMET 5.5 change the need for individual computer users to download this tool?

    1. BillC

      Good question. Amplifying further, is there any downside to using EMET with Windows 10?

    2. Mike

      Microsoft is simply saying that all you need to do is make sure you have everything updated. No other additional software is needed. They will take care of everything and you have nothing to worry about.

      Just update your system and move on.

    3. Jonathon

      I had also read that Microsoft was discouraging EMET use in recent versions of Windows. I’ve been away from this blog for about 3 years now. It’s concerning to see that after 3 years, Brian is still hammering on the same topics: EMET, disable Flash, etc. Maybe it’s time to start saying: use EMET if you’re still on Windows 7, if you need Flash, use Google Chrome which patches its pepper flash even before Adobe does, etc.

      1. twinmustangranchdressing

        Some time ago, there was one version of the Flash Player plugin (I don’t recall which one) that Google lagged behind Adobe in releasing. So absent-mindedly playing Flash content in Chrome isn’t risk-free.

      2. Mike

        I would agree that it can get pretty boring saying the same thing and reading the same thing all the time. But, people are still falling into the same traps they were twenty years ago. Flash is a problem that so many people refuse to deal with. It’s easier to just accept what came pre-installed and auto update. It isn’t Brian so much as it is everyone else. Otherwise he wouldn’t have anything to write about.

    4. coakl

      EMET versions 5.2 and 5.5 actually slow down and destabilize applications, when the EAF+ mitigation is used. That’s what I found, on I.E., Chrome, and Firefox. I’m sticking with 5.1 at the moment with EAF+ turned off everywhere. From looking at other forums, others are reporting the “regular” EAF causes problems too.

      I also found reduced performance when the System-wide mitigations were forced on all applications. That’s on EMET’s main screen. I switched system-wide DEP/SEHOP/ASLR back to Opt-in, which is the Recommended setting anyway.

      I’ve been concerned as the EMET developers are now in an arms race with hackers and they’ve been adding more and more to EMET. Maybe at the cost of performance. And perhaps also without a whole lot of testing.

  8. twinmustangranchdressing

    Chrome (the browser) reached version 50 yesterday. Older versions of Chrome running on Windows XP or Vista or OS X 10.6 or 10.7 or 10.8 can’t be updated to 50. 🙁

  9. jim

    Why replace a machine? The machine may be perfectly useful in its current state. There are applications that only run on dated machinery. Win 10 will not run some of my favorite DOS applications. My latest laptop and tablets won’t either. But my old laptop, an HP single core, just keeps plugging along doing what I tell it to do. The modern machines are fine for the net, fine for media, but if I want a project in a program I’m totally used to, my DOS machine, save to a stick, and hand transfer to output. And it’s readable on the other machines. So, am I saving money, time, or skills?

    1. SalSte

      Sounds like your Windows 10 machine is 64-bit, which is why it won’t run ancient 16-bit DOS applications. Just find a cheap Windows 7, or even Windows 10, 32-bit license and install that on a system and keep running your DOS apps, or just install them in a VM on newer hardware.

    2. timeless

      Install VirtualBox, then install an OS that supports your legacy software. But don’t give that virtual machine access to the Internet. And only use it for that specific software.

      Brian uses virtual machines, you should too.

  10. Matt

    I don’t know what’s going on with the update for Windows 7. I left to run a few errands, gone 3 hours, and it’s still checking for updates! I purchased a new, larger hard drive and did a fresh install of Windows 7 this weekend and it refuses to update! I left this checking for updates for 30 hours! Nothing! This is torquing me off badly. Is this a Micro$oft conspiracy to get me to buckle under and migrate to Windows 10? I’m fine with Win 7 for now.

    1. KFritz

      You’re not alone. I had the same problem in California late last night, and had the same thoughts on what’s behind it.

      1. Matt

        Thanks for providing the extremely useful article. What should be a simple procedure has turned into a nightmare! Now I know why I was stymied doing the updates. I will use the tools provided in the article in my next attempt when I get some time. Great hat tip. Thanks again muchly! Really appreciate you pointing me in the right direction. Google searches came up empty.

      2. Matt

        Here’s an “update” [Ha, Ha!! Hee, Hee, Hee!] Well, this article you sent me to was THE Answer to getting the updates for Windows 7 rolling!
        After installing the 2 updates the article suggested, the rest of the update process worked smoothly, albeit time consuming, with about 9-10 restarts and a total of 12 hours in all. The one thing Microsoft apparently responded to was to remove the nagware optional update of Windows 10, where if you were not careful and did not uncheck the box, you could inadvertently upgrade your system to Windows 10.
        Well, thanks again for steering me in the right direction with the extremely useful article on how to get the update process on Windows 7 rolling. I was able to do the fresh install without a hitch after following the instructions. I really appreciate the help!

    2. Moike

      I ran into this also. Last month it was somewhat slow (10-15 minutes), this month it was glacial (an hour +, I didn’t track it). I tried everything:
      – Run the Windows Update problem analyzer
      – I already have KB3102810 installed
      – Change update checking from Manual to “Ask before install”

      I had already run GRC’s Never10.exe. My theory is that every update calculates what will be required to update to Win 10, even with the Never10 registry settings.

      I have nothing against Win10, but this machine must not be upgraded for a number of reasons. I have Win10 running on other machines.

      1. KFritz

        Did it finally give you a list of updates, or did you throw in the towel?

        1. Moike

          It gave a list of updates by the time I got back 6 hours later. One processor is at 100% the whole time, so that doesn’t seem to be network related.

          Not in California nor on AT&T.

      2. KFritz

        Also, are you in California, and is AT&T your ISP?

        1. Bob

          I’m not in California, but AT&T is my ISP and it’s been taking forever to download updates on my Windows 7 machine. Are they deliberately slowing down access to the Windows Update servers?

          1. KFritz

            A word of caution: my Windows 7 Pro is HP Proprietary, and sometimes behaves differently than ordinary Windows OSs. That said…

            Problem finally solved. First, I reconfigured to get automatic downloads (my bad for not doing it in the first place). Then, with the downloads ‘in hand,’ by process of elimination, I discovered that even though it was listed as already downloaded, Optional update #KB3139923 tries and FAILS to download. I’m going to contact Microsoft.

            On a previous phone call, a Microsoft tech from India also advised me to 1) always do manual installs from my Admin account even though I’m always asked for an administrative password from my User account before any systemic changes, 2) never install more than 10 updates manually at the same time, 3) uninstall CCleaner. He also told me that it was OK to install .NET updates with the others, so his word isn’t gospel.

            Hope this helps.

            1. KFritz

              KB3139923 finally installed, if anyone’s still reading.

          2. KFritz

            PS. Here in California’s Central Valley, for the last 6 months, I’ve been having consistent late night connectivity problems, and occasional daytime problems with AT&T. The point of sale data processing at most retail outlets here is slow, so I assume the IT networks are old and low capacity. I’m not alone.

  11. Eaglewerks

    Something that not too many users of Windows 10 are aware of: many early adopters chose not to ‘automatically up-grade’ to the Windows 10 up-grade and revision last November. The fixes noted in this Krebs alert are available for either of the Windows 10 versions, each version being different. I apparently did everything the hard way…LOL. I applied the correct bug patch fix, then a bit later decided to actually do the Windows 10 up-grade to the newest public release, then applied the ‘different’ patch/bug fix to the OS. All-in-all I wasted an hour or more of time…would have been easier to have up-graded to the newer OS version and then patched…

  12. Matt

    Update: it took over 9 hours to get the 11 updates for the latest patch release for Windows 7 and another 90 minutes to get these installed. Exceedingly painfully slow. Very aggravating. Also thank you to the other commentator for the link to the ZDNet article regarding the fresh install issues for Windows 7. This should be a non-issue. I just can’t understand why a great company like Microsoft would put its paying customers through this kind of computer hell. Can you hear me out there, oh Microsoft?
    Thanks for keeping us apprised of all the latest updates Brian, you are the best!

    1. coakl

      The problem started showing last fall, Oct. or Nov. For April 2016, I finally had enough and did my updates manually. I read through each of the security bulletins on Microsoft TechNet to figure out what I needed. Each bulletin has links to standalone installers for each operating system or application.

      Some bulletins require more than one patch download, depending on what you have installed. It’s tedious: I do the reading and downloading to a separate directory first. Then I install them one by one; don’t reboot in between each one, reboot after all are done. Do the .Net updates separate from the rest. It took about an hour. Sure beats 6 hours!

      It’s not as convenient as automatic updates. And there’s a risk that you will miss something or find a patch that needs some prerequisite installed beforehand. The bulletins also don’t cover non-security updates. So, if I continue manual security updates, I’ll need to use the Automatic Updates once or twice a year, to ensure I didn’t miss anything.

      Don’t forget to run the monthly Malicious Software Removal Tool. It’s not in the bulletins, but a Google search will give you the right KB link.

    2. timeless

      I’ve seen a more technical write-up elsewhere, but the simplified write-up here should be helpful:
      http://answers.microsoft.com/en-us/windows/forum/all/why-are-windows-updates-so-slow-and-long-with/b785ff84-b00e-43b1-8628-40cdccb77aca

      Basically, each version of each file that Microsoft releases can come in something like 4-8 minor variations; your system has to keep each of them up to date; it’s possible to have multiple incompatible versions of libraries, so all versions that you have installed must be maintained; Windows doesn’t want to download or install software you aren’t using (that would make things worse).

      It ends up being a really complicated problem to solve.

      And I do mean solve, the software to address this problem is called a “solver”. It’s a fairly frustrating part of mathematics and computer science.

      In case you’re wondering how other distributions handle this, the answer is that they also don’t do a great job. Debian (a Linux distribution) had a solver in “apt” (its package manager) which could take a really long time trying to find a solution. It was more likely to give up than solve it for complicated problems. Debian also cheats in that it refuses to maintain more than one version of a library (this leads to fun problems when a library claims a space and makes a breaking change — OpenSSL did this recently). Also, Debian limits the duration of support. Windows 7 gets about 10 years, Debian gets 5 with “extended support”. Debian also isn’t concerned with supporting third party software, but that’s precisely what Microsoft has to do with Windows.

      This was less of a problem for Windows in the past because Microsoft would release a service pack which would close off a portion of the problem space. But each time Microsoft issues a service pack, they are required to extend their product’s support window (they made this promise when they initially shipped their products), so Microsoft has decided it doesn’t want to use service packs anymore, which is why there was only one for Windows 7.

  13. Sadlock

    You should probably look over the actual patch notes for the “badlock bug” as it relates to MS… it’s labelled as “Important” not critical, and the CVSS score is only a 7.1

    Not to mention, the only way to exploit this vuln. is to MITM the traffic…

    Badlock is NOT the most important patch in the release, and was WAY overhyped by this guy – who BTW also contributes to Samba – I’m betting you will find that the bug was in part caused by code he submitted to the Samba project…

    Badlock needs to be nominated for the most overrated bug (pwnie award).

    Also, check out sadlock.org !

  14. Matt Simpson

    It is amazing how many vulnerabilities continue to be found in Adobe Flash. You would think Adobe would perform a complete review and rewrite of Flash, instead of just fixing vulnerabilities as they are discovered. As a corporate entity, Adobe’s practices and treatment of users of its products are pathetic. I block Flash in my browsers and try to avoid using it at all costs, but people still use it and still publish Flash videos in places like YouTube.

    1. coakl

      ESPN and DirecTV still require Flash for their streaming. This is if you’re using a cable/satellite log-in to watch their streaming content, particularly sports. Even worse, DirecTV still requires you to install an additional browser plug-in video player, on top of the Flash requirement. The safest way to use Flash (if there is a safe way!) is through Chrome and its sandbox.

      Just about everywhere else, sites still using Flash will serve up HTML5 video for those who don’t have any Flash installed. The site operators don’t want to lose the traffic, so they’ll grudgingly offer an alternative.

      In Firefox, if you have Flash installed but click to play or disabled, the site will insist that you turn on Flash. The HTML5 is only offered if there’s no Flash *installed at all* in the browser.

      1. twinmustangranchdressing

        I have the Flash Player plugin installed in Firefox but set to never activate. YouTube, Yahoo and AOL (and probably other sites) work fine.

  15. Tim

    He’s wearing handcuffs in that picture. I’m guessing Russian Intel has already tuned him up and made him lead them to that car. That or it’s so dirty because he led them on a chase and that’s the end result.

  16. twinmustangranchdressing

    As I’ve mentioned in earlier comments, I still use (sparingly and very cautiously) a netbook running Windows XP. I have Microsoft Security Essentials on it and I was last able to get definition updates for it three days ago. Since then, I’ve gotten an error when trying to download the latest update, be it from within MSE or via Microsoft Update. Anyone know if Microsoft finally stopped allowing MSE on XP to update?

    1. Mike

      If you’re going to continue running XP then the best thing you can do is NOT update it anymore. Microsoft does not want you using it anymore.

    2. marh

      Glad you reported it, same thing happened to my xp machine, so maybe they won’t support us with more updates.

      1. twinmustangranchdressing

        MSE resumed getting updates for me yesterday (April 22).

  17. Joe

    Will EMET work with Firefox? Has Vista, in addition to XP, been cut off? Thanks.
