Worrying Windows 10 wrecking-ball weapon weirdly wanders wildly on worldwide web

Alister Silver badge

Windows 10

The gift that keeps on giving...

malle-herbert Silver badge
Trollface

Re: Windows 10

The gift that keeps f*cking up your computer !

Someone Else Silver badge

Re: Windows 10

This is a gift?

ma1010 Silver badge
Coat

Re: Windows 10

@ Someone Else

This is a gift?

Absolutely! But they were speaking German, in which language "Gift" = "Poison."

TwistedPsycho

Re: Windows 10

This is a gift?

Absolutely! But they were speaking German, in which language "Gift" = "Poison."

The Germans are crafty, they like going to the Redmond Cathedral because it has a 123ft spire that looks like Bill Gates.

Usermane

Re: Windows 10

But they don't seem so smart

https://www.theregister.co.uk/AMP/2018/07/27/lower_saxony_to_dump_linux/

As they go back to the "gift".

vtcodger Silver badge

How?

"The researcher, who goes by the pseudonym SandboxEscaper, says the bug is present in the code handling advanced local procedure calls (ALPCs)..."

In case anyone else is curious:

"Advanced Local Procedure Calls (ALPCs) An advanced local procedure call (ALPC) is an interprocess communication facility for high-speed message passing. It is not directly available through the Windows API; it is an internal mechanism available only to Windows operating system components."

Apparently Windows 10's internal communications channels aren't as internal or private as they hoped. Kind of ironic isn't it?

Destroy All Monsters Silver badge
Paris Hilton

Re: How?

available only to Windows operating system components

Maybe Edge browser?

Michael Wojcik Silver badge

Re: How?

an internal mechanism available only to Windows operating system components

This is meant in the sense "it's not documented and you're not supposed to look at it", not "there's some security boundary that prevents hoi polloi from invoking it".

You can find several explanations of ALPCs and how to call them online, such as this.

nematoad Silver badge
FAIL

Snap.

"..with the added twist of the attacker now being able to wipe files."

Oh? I thought that the OS already did that for you.

phuzz Silver badge
Facepalm

Re: Snap.

They're never going to live that down are they?

In ten years, in comment threads, we're still going to be getting jokes along the lines of "yeah but Windows will delete all your data".

Scunner

Re: Snap.

And for good reason. Randomly deleting your files must be number 1 on the list of things that an OS shouldn't do.

phuzz Silver badge

Re: Snap.

Well yes, but other OS's seem to get a slightly easier time of it than Windows.

I had a nasty bug in a grub update towards the start of the year that prevented a bunch of systems from booting*, but it never made it as far as the front page of elReg.

* (not technically data loss, except that these systems used LUKS encryption and recovering the data turned out to be a lot more complicated than running undelete on a Windows system.)

billdehaan

Re: Snap.

I've bricked my share of machines over the decades, from embedded video and MP3 players, and simpler-time Z80 CP/M boxes, to modern i7 based Ubuntu machines. I've even brought down a Control Data Cyber back in the day, and several Vaxen.

However, none of those compares with scrubbing user data at the vendor level. Microsoft has had bad rollouts before that have bricked huge swaths of the user base, at the cost of time and money. So have IBM, DEC, Apple, and many application vendors.

But deleting user data is a different story. And this was not as the result of a user operation, it was inflicted on users by the vendor. That alone makes Microsoft's cockup much worse, and singles them out for well-deserved scorn.

If Apple pushed out an update that locked every iPhone for 24 hours, it would be a disaster as well, but if they were able to return the phones to their previous state, it would be an "outage". But for people with 80GB of user data, waking up to find that they only have 1GB of user data left, because an unrequested Microsoft update scrubbed 79GB of it, is an unparalleled screw up, and Microsoft well and truly deserves to have their noses rubbed in it for a decade to come.

And I say that as someone who, while not exactly a cheerleader for Microsoft, has been referred to as an "apologist" because I happily ran a Windows Phone for several years.

Screwing up an update is one thing. Deleting user data is something else, and falls into the "you had one job" level of screwup.

Destroy All Monsters Silver badge
Black Helicopters

Ever-morphing killer bug more persistent than a Xenomorph in a Space Trucker cargo ship

Now, could it be that that bug hunter has "sources" at the NSA?

Also:

“Microsoft has a strong commitment to security and a demonstrated track record"

Okay ... "Microsoft has a strong commitment to cash flow and a demonstrated stuck record"

J. Cook Bronze badge
Coat

Re: Ever-morphing killer bug more persistent than a Xenomorph in a Space Trucker cargo ship

Also, a track record of releasing bugs in their flagship OS bad enough to make square pigs look appetizing.

Mine's not the company driver suit.

Michael Wojcik Silver badge

Re: Ever-morphing killer bug more persistent than a Xenomorph in a Space Trucker cargo ship

could it be that that bug hunter has "sources" at the NSA?

Assuming the "bug hunter" in question is SandboxEscaper: It's certainly possible, but hardly necessary. There was a HITB talk a couple years back about finding and fuzzing ALPCs. It's a well-known area for Windows security research in the hacker community. This is just a typical "Microsoft provided a service with elevated privileges and didn't establish the correct boundaries" bug.
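The bug class Michael Wojcik names above (a service running with elevated privileges that acts on a caller's request under its own identity) is easy to model. The Python below is an added example, not code from the page, from SandboxEscaper or from Microsoft; the SIDs, paths and delete ACLs in it are constructed for illustration. The vulnerable service deletes whatever path a low-privileged caller names, using its SYSTEM token; the hardened one performs the same operation under the caller's token, so the file's own ACL decides.

```python
"""Toy model of a privileged IPC service that deletes files on behalf of callers.

All SIDs, paths and ACLs below are constructed for this example; the point is
whose token reaches the access check, not any real Windows API.
"""
from dataclasses import dataclass

SYSTEM_SID = "S-1-5-18"
ADMINS_SID = "S-1-5-32-544"
USERS_SID = "S-1-5-32-545"


@dataclass(frozen=True)
class Token:
    """Security context a request runs under: the user SID plus group SIDs."""
    user: str
    groups: frozenset

    def sids(self):
        return {self.user} | set(self.groups)


@dataclass
class FileEntry:
    """A file together with the SIDs its DACL allows to delete it."""
    delete_allowed: frozenset


class FileSystem:
    def __init__(self, entries):
        self.entries = dict(entries)

    def can_delete(self, token, path):
        # SYSTEM passes every check; anyone else needs a matching ACE.
        if token.user == SYSTEM_SID:
            return True
        return bool(token.sids() & self.entries[path].delete_allowed)

    def delete(self, token, path):
        if not self.can_delete(token, path):
            raise PermissionError(f"{token.user} may not delete {path}")
        del self.entries[path]


class VulnerableService:
    """Runs as SYSTEM and forgets who asked: every delete uses its own token."""
    def __init__(self, fs):
        self.fs = fs
        self.token = Token(SYSTEM_SID, frozenset())

    def handle_delete(self, caller, path):
        # BUG: the caller's identity never reaches the access check.
        self.fs.delete(self.token, path)


class HardenedService:
    """Impersonates the caller for the operation, so the file ACL decides."""
    def __init__(self, fs):
        self.fs = fs

    def handle_delete(self, caller, path):
        self.fs.delete(caller, path)


def build_fs():
    return FileSystem({
        r"C:\Windows\System32\important.dll": FileEntry(frozenset({ADMINS_SID})),
        r"C:\Users\alice\notes.txt": FileEntry(frozenset({"S-1-5-21-1-2-3-1001"})),
    })


# Constructed low-privileged caller: a member of Users only.
ALICE = Token("S-1-5-21-1-2-3-1001", frozenset({USERS_SID}))


def run_scenario(service_cls, path):
    """Return True if the low-privileged caller got the file deleted."""
    fs = build_fs()
    service = service_cls(fs)
    try:
        service.handle_delete(ALICE, path)
    except PermissionError:
        return False
    return path not in fs.entries


if __name__ == "__main__":
    dll = r"C:\Windows\System32\important.dll"
    print("vulnerable:", run_scenario(VulnerableService, dll))  # True
    print("hardened:  ", run_scenario(HardenedService, dll))    # False
```

The same shape applies to any RPC/ALPC handler that takes a path or object name from a client: the check has to run under the client's token (or the service must validate the target against the client's rights itself), otherwise the caller inherits the service's privileges for that one operation.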

DJV Silver badge
Facepalm

Security

But... but... but... Microsoft have been telling us for years that their latest OS is the fastest, best, most secure etc.?

I'm beginning to suspect that they derive their levels of fastness, bestness and most secureness something like this:

secLevel = abs (get_security_level ());

if (secLevel > previousWindowsSecLevel) printf ("Hey look, it's more secure!");

Alister Silver badge

Re: Security

No, that's what they meant to code, however, nobody picked up the typo:

if (secLevel < previousWindowsSecLevel) printf ("Hey look, it's more secure!");

Usermane

Re: Security

Probably some people need to fast for a few days to pay somebody to fix the problems that Windows made.

David Adams

Monthly Updates?

"That also likely means that Microsoft will opt not to issue an out-of-band update for the coding cockup, and wait until next month's Patch Tuesday to post a permanent fix for the vulnerability."

Have you not seen the updates for Windows 10 recently? They are almost weekly, not monthly!

A new patch for 1803 dropped yesterday; 1709 and 1607 were patched on the 18th. These are all in addition to the "Monthly" patch that dropped on the 9th.

Usermane

Re: Monthly Updates?

Yes, patches, patches for the patches, patches for the patches of the patches...

onefang

Re: Monthly Updates?

"Yes, patches, patches for the patches, patches for the patches of the patches..."

Which is why we are now talking about "micropatches".

Big fleas have little fleas upon their backs to bite 'em,

And little fleas have lesser fleas, and so, ad infinitum.

...

Usermane

Re: Monthly Updates?

But in this case it seems that the big fleas had bigger fleas upon their backs, and so on.

Rich 11 Silver badge

Re: Monthly Updates?

Yes, patches, patches for the patches, patches for the patches of the patches...

More patches than the jacket of a 1970s Open University lecturer.

onefang
Pint

Re: Monthly Updates?

Ah, that's the other half of Augustus De Morgan's poem "Siphonaptera" that no one ever quotes. The entire thing is -

Big fleas have little fleas upon their backs to bite 'em,

And little fleas have lesser fleas, and so, ad infinitum.

And the great fleas, themselves, in turn, have greater fleas to go on;

While these again have greater still, and greater still, and so on.

Have a beer, likely there's no fleas in it.

lesession

Sorry, but ...

New zero day flaw: 'It can be exploited by a malicious logged-in user or malware on an already infected computer' ...

Last December's RID hijacking: 'The technique requires a hacker to obtain administrative rights on a box, and can be used to assign admin rights to other users and guests.'

So to summarise both of these techniques rely on the attacker *already being an admin on the machine.* So the game is already up, the Visigoths are already inside the gates, and the attacker could install what they like and wreak all sorts of havoc without going to the trouble of mucking about with reg keys etc.

The 1809 update; that's a monumental cockup and MS deserve all the heat they're getting for that. This, not so much.

MJB7

Re: Sorry, but ...

The canonical expression is that "the attacker is the wrong side of the air-tight hatchway". At least it is if you read "The Old New Thing" by Raymond Chen (and you should).

lesession

Re: Sorry, but ...

Already do, just couldn't remember the canonical phrasing (and couldn't be bothered to look it up) at the time of posting :)

Michael Wojcik Silver badge

Re: Sorry, but ...

So to summarise both of these techniques rely on the attacker *already being an admin on the machine

Today's ALPC vulnerability does not require admin privileges. Technically it doesn't require local user, either; but in practice it probably requires that and the ability to create or download a program, since you're unlikely to find suitable gadgets in anything you can overflow and ROP.

The RID hijacking vulnerability does require elevation, but that's not the point. It's a concealment technique, not an elevation one: you can use it to grant administration-level access to any SID without adding that SID to the Administrators group or granting it additional system privileges.

This is not very complicated. You and your eight upvoters might try reading a bit before you dismiss these issues.
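The concealment Michael Wojcik describes (an account made RID 500 without ever appearing in the Administrators group) is visible in the SAM if you know where to look. The Python below is an added example, not code from the page or from the RID-hijacking article it refers to. It assumes the F-value layout given in public RID-hijacking write-ups (the account's RID as a little-endian DWORD at offset 0x30, the ACB flags as a WORD at 0x38); the sample hive values are constructed. On a live system the Users keys sit under HKLM\SAM\SAM\Domains\Account\Users and are readable only as SYSTEM by default, so you would export the F values first and feed them in.

```python
r"""Detect RID hijacking from the F values under SAM\SAM\Domains\Account\Users.

Assumed layout (from public RID-hijacking write-ups, not from the page):
the account's RID is the little-endian DWORD at offset 0x30 of F and the
ACB flags are the WORD at 0x38. Hive bytes below are constructed samples.
"""
import struct

RID_OFFSET = 0x30
ACB_OFFSET = 0x38
ACB_DISABLED = 0x0001   # USER_ACCOUNT_DISABLED bit in the ACB flags
ADMIN_RID = 500


def parse_f_value(f: bytes):
    """Return (rid, acb_flags) from a user's F value."""
    if len(f) < ACB_OFFSET + 2:
        raise ValueError("F value too short")
    rid = struct.unpack_from("<I", f, RID_OFFSET)[0]
    acb = struct.unpack_from("<H", f, ACB_OFFSET)[0]
    return rid, acb


def audit_users(users):
    """users maps each Users subkey name (RID as 8 hex digits) to its F value.

    Each account's real identity is the RID embedded in F, not the key name,
    so a key whose embedded RID differs from its name is flagged. A mismatch
    that points at RID 500 on an enabled account is the classic hijack.
    """
    findings = []
    for key_name, f in users.items():
        key_rid = int(key_name, 16)
        f_rid, acb = parse_f_value(f)
        if f_rid == key_rid:
            continue
        enabled = not (acb & ACB_DISABLED)
        findings.append({
            "key": key_name,
            "key_rid": key_rid,
            "f_rid": f_rid,
            "enabled": enabled,
            "admin_hijack": f_rid == ADMIN_RID and enabled,
        })
    return findings


def make_f(rid, acb=0x0010):
    """Build an 80-byte F value with only the fields this check reads populated."""
    f = bytearray(0x50)
    struct.pack_into("<I", f, RID_OFFSET, rid)
    struct.pack_into("<H", f, ACB_OFFSET, acb)
    return bytes(f)


# Constructed sample: built-in Administrator (500, disabled), a normal user
# (1001), and the Guest key (501) whose F value was rewritten to claim RID 500.
SAMPLE_USERS = {
    "000001F4": make_f(500, 0x0011),
    "000003E9": make_f(1001),
    "000001F5": make_f(500),
}


if __name__ == "__main__":
    for hit in audit_users(SAMPLE_USERS):
        print(hit)
```

Because the lookup for group membership goes by SID, and the SID is built from the RID inside F, the hijacked account authenticates as the Administrator while `net user` and the Administrators group still show nothing unusual; comparing the key name with the embedded RID is the cheap check that catches it.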

bombastic bob Silver badge
Devil

safe surfing

1. never surf the web logged in as an 'administrator' (group or otherwise)

2. never surf the web using a micro-shaft browser

3. avoid surfing the web from windows, if possible (especially windows 10)

4. use a white-listing script blocker such as 'noscript'

5. never read (especially preview) e-mails as HTML (or with inline attachments)

6. never just 'open' downloaded files. save to disk, first. Same with e-mail attachments.

7. Don't use the shell to open (i.e. double-clicking in a file browser). Use the correct application, and 'File Open'. (this avoids the problem of executable files hiding as something else via the extension)

etc.

yeah, THESE rules probably mitigate this particular 0-day, at least to SOME extent. That goes TRIPLE for the one about being an administrator. that was sorta mentioned in the bootnote...

Usermane

Re: safe surfing

8. Never surf the web with windows, use a live Linux instead.

nematoad Silver badge
Thumb Up

Re: safe surfing

"8. Never surf the web with windows, use a live Linux instead."

Yes indeed.

TAILS will do nicely.

ArrZarr Silver badge

Re: safe surfing

3. avoid surfing the web from windows, if possible

That'll do a pretty good job of saving you from this particular 0-day as it's windows specific.

Anonymous Coward

Re: safe surfing

"6. never just 'open' downloaded files. save to disk, first."

What difference does that make? Wouldn't Windows open it with the same application, just from a different folder (Temp vs Downloads)?

Asking for a friend, of course.

Captain Badmouth
FAIL

"It can be exploited by a malicious logged-in user or malware on an already infected computer to arbitrarily delete or tamper with anything from application .dll files to critical system components."

The silly man has just discovered the latest windows update.

Dave 15 Silver badge

oh God

Another update coming, my creaking and groaning machine will slow down even more. It already takes so long to boot that I not only get a cup of tea but lunch as well. My little take-on-trip laptop can manage one application at a time without running out of memory, and is perpetually showing 100% processor use while doing no more than sitting idle with a browser open.

onefang

Re: oh God

During a recent update of Windows on a not particularly fast laptop, I had enough time to walk home, eat dinner, watch TV, sleep, eat brekky, walk back to the office, and still had to wait an hour for it to finish.

Anonymous Coward
Stop

If you're on Windows 10...

...it seems a very good time to start planning your migration off it. Microsoft has lost control of the beast. No-one can afford to run their business or indeed personal life on this pile of fail.

adam payne Silver badge

“Microsoft has a strong commitment to security"

Just not privacy.

Tigra 07 Silver badge
Facepalm

"Microsoft has a strong commitment to security

Just not privacy."

Or bug testing apparently...

Tigra 07 Silver badge
Linux

What more can I say...

*Cough*

el_oscuro
Coat

Delete files?

I thought Microsoft already added that feature to Windows 10 with build 1809.

Mine is the one with the USB backup in the pocket.

whitepines Bronze badge
Trollface

Re: Delete files?

Don't plug that USB drive into a Windows machine -- it might just upload all the files to the Microsoft cloud for "intelligence gathering", email the more intimate files to your professional contacts, and secure erase the USB drive for good measure....

dnicholas Bronze badge

"Attackers never stop thinking of new ways to abuse our customers and neither do we" - Windows 10 developer, October 2018

Bitsminer

new Microsoft slogan

"We're not happy until you're not happy."

"Borrowed" from Air Canada.

thosrtanner

what's with wild wacky awwitewation?

I had numb wips after weading the article title out woud

Claptrap314 Bronze badge

At some point

Microsoft is going to decide it's cheaper to hire this guy for $10M/year so that he'll have to keep quiet...
