just bob, posted April 13, 2009

What happened? No word in the press if they were current on Windows updates but I assume they were not.

http://www.google.com/hostednews/ap/articl...4skvowD97GPM6G0
Virus Guy, posted April 13, 2009

just bob wrote:
> What happened?

How many IT staff does it take to screw in a Windows patch?

Evidently whatever the answer, U of Utah needs more.

"It can do a lot of bad things," Tueller said. "Every university member should be concerned about this if they're using Windows-based devices."

Except if you're using Windows 98.

I still want to know if removing the IPC$ Share on XP systems would have made it impossible for Conficker to spread via the MS08-067 exploit. Nobody's posted a definitive yes or no answer.
FromTheRafters, posted April 14, 2009

"just bob" <kilbyfan@aol.com> wrote in message news:49e2ee56$0$95493$742ec2ed@news.sonic.net...
> What happened? No word in the press if they were current on Windows updates but I assume they were not.
>
> http://www.google.com/hostednews/ap/articl...4skvowD97GPM6G0

This is (or was) a multiple vector worm. Not all vectors were related to software flaws (RPC vector) or inconsistent configuration options like [disable|really disable] or confusion in terms [AutoRun|AutoPlay], but rather weak passwords and abuse of function.
FromTheRafters, posted April 14, 2009

"Virus Guy" <Virus@Guy.com> wrote in message news:49E32EEC.96DC47BC@Guy.com...
> just bob wrote:
>> What happened?
>
> How many IT staff does it take to screw in a Windows patch?
>
> Evidently whatever the answer, U of Utah needs more.
>
> "It can do a lot of bad things," Tueller said. "Every university member should be concerned about this if they're using Windows-based devices."
>
> Except if you're using Windows 98.
>
> I still want to know if removing the IPC$ Share on XP systems would have made it impossible for Conficker to spread via the MS08-067 exploit. Nobody's posted a definitive yes or no answer.

You just didn't like my answer.

From: http://www.fortiguardcenter.com/virusency/...onficker.B!worm

- First, it tries to connect to \\System Name\IPC$.
- Then, it tries user accounts retrieved from the Backup Domain Controller (BDC) and one of the following passwords to log on to the targeted machine:
  - 123
  - 1234
  - 12345
  - 123456
  - 1234567
  - 12345678
  - 123456789
  - 1234567890

The list goes on...

This is NOT the software flaw exploit vector - it is the human nature exploit vector.
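The IPC$ vector quoted above (connect to the hidden share, then walk a list of accounts with a handful of trivial passwords) leaves a characteristic trace in the Windows Security log: a burst of failed logons (event ID 4625) from one source address against many different accounts. The following PowerShell is an added example for this thread, not code from any poster or from the vendor write-up; it flags such sources. The event objects it consumes (with TimeCreated, IpAddress and TargetUserName properties) and the sample events are constructed for the demonstration; the commented block at the end shows how to build the same objects from a live Security log with Get-WinEvent.

```powershell
# Added example, not from the thread. Flags source addresses that produce a
# burst of failed logons (Security event ID 4625) against many accounts, the
# trace a password-guessing worm leaves when it walks a user list against IPC$.
# Input objects need TimeCreated, IpAddress and TargetUserName properties;
# the sample events below are constructed for this demo.

function Find-LogonGuessingSources {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold = 10,        # failed logons per source within one window
        [int] $WindowMinutes = 5
    )
    foreach ($group in ($Events | Group-Object -Property IpAddress)) {
        $sorted = @($group.Group | Sort-Object -Property TimeCreated)
        # Sliding window: for each event, count failures within the next WindowMinutes.
        $peak = 0
        foreach ($first in $sorted) {
            $end   = $first.TimeCreated.AddMinutes($WindowMinutes)
            $count = @($sorted | Where-Object { $_.TimeCreated -ge $first.TimeCreated -and $_.TimeCreated -lt $end }).Count
            if ($count -gt $peak) { $peak = $count }
        }
        if ($peak -lt $Threshold) { continue }
        $users = @($sorted | Select-Object -ExpandProperty TargetUserName -Unique)
        [pscustomobject]@{
            Source        = $group.Name
            PeakFailures  = $peak
            DistinctUsers = $users.Count
            Users         = ($users -join ',')
        }
    }
}

# Constructed sample: 10.0.0.23 walks twelve accounts in under a minute,
# 10.0.0.77 is a user who mistyped a password twice half an hour later.
$base     = Get-Date -Date '2009-04-13 09:00:00'
$accounts = 'alice','bob','carol','dave','erin','frank','grace','heidi','ivan','judy','mallory','oscar'
$sample   = @()
for ($n = 0; $n -lt $accounts.Count; $n++) {
    $sample += [pscustomobject]@{
        TimeCreated    = $base.AddSeconds(5 * $n)
        IpAddress      = '10.0.0.23'
        TargetUserName = $accounts[$n]
    }
}
$sample += [pscustomobject]@{ TimeCreated = $base.AddMinutes(30); IpAddress = '10.0.0.77'; TargetUserName = 'alice' }
$sample += [pscustomobject]@{ TimeCreated = $base.AddMinutes(31); IpAddress = '10.0.0.77'; TargetUserName = 'alice' }

Find-LogonGuessingSources -Events $sample | Format-Table -AutoSize

# Against a live Security log (needs administrative rights), build the same
# objects from each event's XML and pass them in:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 5000 | ForEach-Object {
#     $x = [xml]$_.ToXml()
#     [pscustomobject]@{
#         TimeCreated    = $_.TimeCreated
#         IpAddress      = ($x.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
#         TargetUserName = ($x.Event.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
#     }
# }
# Find-LogonGuessingSources -Events $live
```

Only the first source is reported: the distinguishing signal is not the failure count alone but many distinct accounts from one address in a short window, which is what separates a user with a forgotten password from something iterating a list retrieved from the domain controller. Raise the threshold or widen the window to match the logon volume of the network being watched.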
just bob, posted April 14, 2009

"FromTheRafters" <erratic@nomail.afraid.org> wrote in message news:ugVok9JvJHA.5888@TK2MSFTNGP05.phx.gbl...
> "just bob" <kilbyfan@aol.com> wrote in message news:49e2ee56$0$95493$742ec2ed@news.sonic.net...
>> What happened? No word in the press if they were current on Windows updates but I assume they were not.
>>
>> http://www.google.com/hostednews/ap/articl...4skvowD97GPM6G0
>
> This is (or was) a multiple vector worm. Not all vectors were related to software flaws (RPC vector) or inconsistent configuration options like [disable|really disable] or confusion in terms [AutoRun|AutoPlay], but rather weak passwords and abuse of function.

Hello,

Are you saying you are not safe from Conficker even if you are current on Windows and Microsoft updates?

Has anyone confirmed the UoU computers infected were up to date on patches?

Thank you,
-Bob
David H. Lipman, posted April 14, 2009

From: "just bob" <kilbyfan@aol.com>

| Hello,
| Are you saying you are not safe from Conficker even if you are current on
| Windows and Microsoft updates?
| Has anyone confirmed the UoU computers infected were up to date on patches?
| Thank you,
| -Bob

Not entirely - no.

Was AutoRun/AutoPlay disabled on all machines? Are all machines current on their antivirus software?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
FromTheRafters, posted April 15, 2009

"just bob" <kilbyfan@aol.com> wrote in message news:49e4db9c$0$95553$742ec2ed@news.sonic.net...
> "FromTheRafters" <erratic@nomail.afraid.org> wrote in message news:ugVok9JvJHA.5888@TK2MSFTNGP05.phx.gbl...
>> "just bob" <kilbyfan@aol.com> wrote in message news:49e2ee56$0$95493$742ec2ed@news.sonic.net...
>>> What happened? No word in the press if they were current on Windows updates but I assume they were not.
>>>
>>> http://www.google.com/hostednews/ap/articl...4skvowD97GPM6G0
>>
>> This is (or was) a multiple vector worm. Not all vectors were related to software flaws (RPC vector) or inconsistent configuration options like [disable|really disable] or confusion in terms [AutoRun|AutoPlay], but rather weak passwords and abuse of function.
>
> Hello,
>
> Are you saying you are not safe from Conficker even if you are current on Windows and Microsoft updates?

Inasmuch as the "worm" has more than one way to gain access to a new environment to infest, yes.

Consider the creator of a worm program incorporating many methods of spreading by abusing functions like AutoRun and AutoPlay, guessing passwords, sending trojans by p2p or file sharing or e-mail etcetera. These methods, while undoubtedly successful, pale in comparison to an exploit aimed at a vulnerability in internet facing software such as is noted in MS08-067. Having created the worm with the aforementioned vectors beforehand - he just waits for the next wormable vulnerability to rear its ugly head. MS08-067 comes along and the released worm has been modified to use this vector as well. Spreading very quickly, the worm establishes a "beachhead" so to speak and later relies more (or entirely) on the previous not-so-efficient vectors. Maybe eventually ceasing to be a worm at all but an updateable bot instead.

> Has anyone confirmed the UoU computers infected were up to date on patches?

I don't think there is any way to determine this - it is most likely that not all computers that are allowed to join their network were up to par. It is also quite likely that the USB AutoRun/AutoPlay feature (as ill advised as it might be, is still a feature) was abused. Keep in mind that the patch for this was a patch for the configurability of the feature, not a flaw in the feature itself.

Basically, install the patch and then treat it just as you would any other worm.
Virus Guy, posted April 15, 2009

FromTheRafters wrote:
>> I still want to know if removing the IPC$ Share on XP systems would have made it impossible for Conficker to spread via the MS08-067 exploit.
>>
>> Nobody's posted a definitive yes or no answer.
>
> You just didn't like my answer.

(a dozen lines deleted).

Wouldn't it have been simpler and faster to just type "yes" or "no"?

>> Nobody's posted a definitive yes or no answer.

Still waiting for yes or no.
FromTheRafters, posted April 16, 2009

"Virus Guy" <Virus@Guy.com> wrote in message news:49E55C0F.6C56E670@Guy.com...
> FromTheRafters wrote:
>>> I still want to know if removing the IPC$ Share on XP systems would have made it impossible for Conficker to spread via the MS08-067 exploit.
>>>
>>> Nobody's posted a definitive yes or no answer.
>>
>> You just didn't like my answer.
>
> (a dozen lines deleted).
>
> Wouldn't it have been simpler and faster to just type "yes" or "no"?
>
>>> Nobody's posted a definitive yes or no answer.
>
> Still waiting for yes or no.

Okay then - - NO!

You asked:

"That's why I'm asking if disabling the IPC$ share (as described in the original post) would have mitigated the MS08-067 vulnerability."

I answered:

"No, not the vulnerability, but it removes one ingress vector that this blended threat uses to infest a system."

Note the word "No" in the above quote. I expanded on the answer because I thought you (or others) might want more than just a "NO" with no explanation. The question itself indicated that you didn't understand the vulnerability's relationship to the worm's vector to get the exploit code to the vulnerable software. It stops that vector from being used (like bricking up your front door in your analogy) but does not prevent other ingress vectors that may lead to the vulnerable software.

You have to decide whether you are asking about the exploit that Conficker uses, or the vulnerability it attacks. Your question references the IPC$ share that Conficker uses - yet asks about the vulnerability itself which doesn't 'care' how the exploit code gets there.

As far as simple answers go - see the reply to my post with subject "RPC on localmachine" in microsoft.public.security 4/11. Yes or no is not always a sufficient answer.
Virus Guy, posted April 16, 2009

FromTheRafters wrote:
>> Still waiting for yes or no.
>
> Okay then - - NO!
>
> You asked:
>
> "That's why I'm asking if disabling the IPC$ share (as described in the original post) would have mitigated the MS08-067 vulnerability."
>
> I answered:

NO! You answered -> NO!.

> "No, not the vulnerability, but it removes one ingress vector that this blended threat uses to infest a system."

I wasn't asking about any other ingress vectors from a specific blended threat.

I did not ask -> "would disabling the IPC$ share prevent Conficker from gaining access to a system". That was not the question being posed.

My question did not pertain to Conficker. It pertained specifically and only to MS08-067.

I asked specifically about the vulnerability or issue described by (or addressed by) MS08-067 and if disabling the IPC$ share would have mitigated that issue or vulnerability.

You answered NO. You just said here that disabling the IPC$ share would not have mitigated the vulnerability addressed or described by MS08-067.

Do you now want to change your answer (now that you know the question) - or is the answer still NO!?

Or do you still want to re-design the question?
FromTheRafters, posted April 17, 2009

"Virus Guy" <Virus@Guy.com> wrote in message news:49E73E62.87BF9485@Guy.com...

[...]

> I wasn't asking about any other ingress vectors from a specific blended threat.

Exactly, which is why the question cannot be answered as asked. You have to have a vector for an exploit, but not for a vulnerability. Closing a door may thwart an attack that uses that door, but it does not close all doors that might be used in attacks on that vulnerability.

> I did not ask -> "would disabling the IPC$ share prevent Conficker from gaining access to a system". That was not the question being posed.

I understand that, but maybe you should have. At least define a specific attack against the vulnerability and ask about blocking that attack by disabling a share or using a strong password.

> My question did not pertain to Conficker. It pertained specifically and only to MS08-067.

...so it cannot be answered - please excuse me for trying.

> I asked specifically about the vulnerability or issue described by (or addressed by) MS08-067 and if disabling the IPC$ share would have mitigated that issue or vulnerability.
>
> You answered NO. You just said here that disabling the IPC$ share would not have mitigated the vulnerability addressed or described by MS08-067.

No I didn't. By "mitigated the vulnerability" do you still mean "prevented the exploit"?

Where you said "Mitigation means I have prevented the vulnerability from being exposed." and "I see no conceptual problem with calling an exploit for the MS08-067 vulnerability as an "MS08-067 exploit"."

vulnerability = exploit?
mitigated = prevented?

You never referenced a specific "exploit" leveraging that "vulnerability" for me to determine what vector is being used.

Sure, if the vector is through a specific share then disabling that share closes off that vector. The vulnerability is still there and may be attacked via another vector. This is indeed "mitigation" (but not by your definition) because it reduces the number of attack vectors.

> Do you now want to change your answer (now that you know the question) - or is the answer still NO!?

No answer.

> Or do you still want to re-design the question?

Absolutely, but I want you to redesign the question.

What exploit are you talking about? Does it use the IPC$ share exclusively? If so, then yes closing the door will stop that exploit code from getting to the vulnerable software. The "vulnerability" is still there, and another "exploit" may use another ingress vector.
Virus Guy, posted April 17, 2009

FromTheRafters wrote:
>> Or do you still want to re-design the question?
>
> Absolutely, but I want you to redesign the question.
>
> What exploit are you talking about?

Microsoft released a patch for MS08-067 before (I believe) there was any circulating threat.

Now either it was just lucky that MS08-067 provided a complete remedy for that aspect of system intrusion used later by Conficker, or Conficker was designed to exploit that specific vector being addressed by MS08-067. But in any case, Microsoft did not release MS08-067 version 2 once Conficker emerged.

If disabling the IPC$ share renders an entire family of vectors (both known and theoretical) to exploit port-445 vulnerabilities (both known and theoretical) then why do I have to frame my question specifically about Conficker?

If I have disabled the IPC$ share, then is the application of the MS08-067 patch superfluous?

Does the MS08-067 patch give a system added protection to future threats that disabling the IPC$ share would not?

If I disable the IPC$ share (and have also disabled file and printer sharing), is there any possibility of system intrusion via port 445 - Conficker or otherwise?
FromTheRafters, posted April 17, 2009

"Virus Guy" <Virus@Guy.com> wrote in message news:49E88C8E.D325A679@Guy.com...
> FromTheRafters wrote:
>>> Or do you still want to re-design the question?
>>
>> Absolutely, but I want you to redesign the question.
>>
>> What exploit are you talking about?
>
> Microsoft released a patch for MS08-067 before (I believe) there was any circulating threat.

Actually, there was an active exploit that clued them in on the vulnerability. The patch preceded the worm though.

> Now either it was just lucky that MS08-067 provided a complete remedy for that aspect of system intrusion used later by Conficker, or Conficker was designed to exploit that specific vector being addressed by MS08-067. But in any case, Microsoft did not release MS08-067 version 2 once Conficker emerged.

The patch should fix the vulnerability no matter what vector an exploit used to attack it. Configuration options (blocking ports, disabling shares etc.) are work-arounds you can use until you get patched.

> If disabling the IPC$ share renders an entire family of vectors (both known and theoretical) to exploit port-445 vulnerabilities (both known and theoretical) then why do I have to frame my question specifically about Conficker?

It doesn't have to be about Conficker, it is just that a "vulnerability" can exist even without any "exploit" at all. To address a "vulnerability" you must patch (fix) or remove the broken software. Exploits on the other hand can be of many varieties that attack the same vulnerability; it can be like swatting flies.

> If I have disabled the IPC$ share, then is the application of the MS08-067 patch superfluous?

Absolutely not, and that is the whole point of my argument.

That is the reason you must draw a distinction between a "vulnerability" and an "exploit".

> Does the MS08-067 patch give a system added protection to future threats that disabling the IPC$ share would not?

I believe so, but I have no proof to offer.

> If I disable the IPC$ share (and have also disabled file and printer sharing), is there any possibility of system intrusion via port 445 - Conficker or otherwise?

I'm not sure. I know that a remote procedure call can call the same machine but I don't know if the vulnerable software can be reached that way. Someone might be working on that as we speak.

Best practice is to patch - as well as to not expose services that you don't need to.
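The last two posts reduce to three machine-level facts: is the MS08-067 fix installed (that addresses the vulnerability), is the Server service with its IPC$ share still reachable (that is one vector), and is AutoRun restricted (another vector). The PowerShell below is an added example for this thread, not code from any poster; it reports those three states for the local machine and gives a verdict in the terms FromTheRafters uses. It uses WMI classes rather than the newer SMB cmdlets so it runs on the Windows PowerShell versions that existed on the XP/2003/Vista/2008 systems the bulletin covered. Assumptions: the hotfix ID KB958644 is the article number Microsoft assigned to the MS08-067 fix (the thread never names it), and on a Windows version released after that fix no separate hotfix entry will appear, so the patch check is meaningful only on the operating systems the bulletin applied to.

```powershell
# Added example, not from the thread. Reports, for the local machine, the
# three states the discussion turns on: whether the MS08-067 fix is installed,
# whether the Server service and its IPC$ share are exposed, and whether
# AutoRun is restricted. Uses WMI so it works on the Windows PowerShell
# versions that ran on the XP/2003/Vista/2008 systems the bulletin covered.
# Assumption: KB958644 is the hotfix ID of the MS08-067 fix; on Windows
# versions released after the fix no separate hotfix entry exists.

function Get-Ms08067Exposure {
    param(
        [string] $HotfixId = 'KB958644'   # MS08-067 hotfix; override if you track a different bulletin
    )
    $fix     = Get-WmiObject -Class Win32_QuickFixEngineering -ErrorAction SilentlyContinue |
               Where-Object { $_.HotFixID -eq $HotfixId }
    $patched = [bool]$fix

    # The Server service (LanmanServer) is what answers on TCP 445; IPC$ is the
    # hidden share it always publishes while it is running.
    $server  = Get-WmiObject -Class Win32_Service -Filter "Name='LanmanServer'" -ErrorAction SilentlyContinue
    $shares  = @(Get-WmiObject -Class Win32_Share -ErrorAction SilentlyContinue)
    $ipc     = $shares | Where-Object { $_.Name -eq 'IPC$' }
    $others  = @($shares | Where-Object { $_.Name -ne 'IPC$' } | ForEach-Object { $_.Name })

    # NoDriveTypeAutoRun = 0xFF turns AutoRun off for every drive type.
    $polKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $autorun = (Get-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun

    # Verdict follows the thread's distinction: the patch removes the
    # vulnerability, configuration only removes vectors.
    if (-not $patched) {
        $verdict = 'Unpatched: disabling shares narrows the vectors, the vulnerability remains'
    } elseif ($ipc -or ($autorun -ne 0xFF)) {
        $verdict = 'Patched; remaining exposure is configuration, not the MS08-067 flaw'
    } else {
        $verdict = 'Patched and exposure reduced'
    }

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        HotfixChecked        = $HotfixId
        Ms08067Patched       = $patched
        ServerServiceRunning = [bool]($server -and $server.State -eq 'Running')
        IpcShareExposed      = [bool]$ipc
        OtherShares          = ($others -join ',')
        AutoRunDisabledAll   = ($autorun -eq 0xFF)
        Verdict              = $verdict
    }
}

Get-Ms08067Exposure | Format-List
```

Run it in an elevated prompt so the hotfix and share queries are complete. Note what the report cannot tell you, which is the point of the thread: a machine showing IpcShareExposed as false but Ms08067Patched as false is still vulnerable, because any other route that delivers a request to the unpatched Server service reaches the same flaw.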