
Just when you thought it safe to go into the water . . . 5


2ffat

Programmer
Oct 23, 1998
4,811
US
This Zero Day Exploitation affects all Windows including Win 7. :-(



James P. Cottingham
I'm number 1,229!
 
Holy smokes!
This sounds bad. Looks like M$ will be scrambling trying to find a fix to that!

"We had to turn off that service to comply with the CDA Bill."
- The Bastard Operator From Hell
 
Thanks for posting that timely info. I imagine I may be getting some new side work in the upcoming weeks or month. [wink]
 
So you combine this flaw with SCADA systems that have hard-coded admin passwords that can't be changed and you have a great recipe for fun and entertainment.

(The list of people that I need to find and kick in the face grows every day.) [cannon]

Jeff
It's never too early to begin preparing for International Talk Like a Pirate Day
"The software I buy sucks, The software I write sucks. It's time to give up and have a beer..." - Me
 
MasterRacker,

Out of curiosity (as I couldn't tell from reading the reports so far), what's a real world example of what could be affected? I mean is this something that is used in multiple different applications, or is it just a more server-specific thing, or what? I'm not sure I understand it at this point.

Thanks for any other references, insights, opinions, etc.
 
Not the original person being responded to, but...

This actually is a pretty nasty hole that was found. It's a lot like the other LNK holes. Just change the LNK file a little bit, point it to your DLL and then it's off to the races on whatever you want to do. In effect, it's a universal drive-by type hole a hacker can use to make anything happen. Seems to affect everything, too.

More details and more links can be found in the following forum post:


It is not possible for anyone to acknowledge truth when their salary depends on them not doing it.
 
Kjv,

If you're asking about the Windows flaw itself, Glen covered it. Any Windows system anywhere could be subverted to do anything.

If you're asking about SCADA systems, those are the control systems for industrial automation. Robotic assembly lines, chemical processing plants, water treatment plants, power plants, etc. Compromise the system and you're controlling the plant.

Jeff
It's never too early to begin preparing for International Talk Like a Pirate Day
"The software I buy sucks, The software I write sucks. It's time to give up and have a beer..." - Me
 
I was asking about the SCADA piece. So, desktop computers are not at risk on that one, but I think I'd rather desktop computers were at risk than what IS at risk there. That's a really scary perspective.

And kinda makes me think of a particular Bible verse that might well be worth applying in our day:
Prov 5:15 (KJV)
15 Drink waters out of thine own cistern, and running waters out of thine own well.
The primary use of that verse would be to be taken spiritually, I believe, however taking it literally in a physical sense right now would not be a bad idea. [wink]
 
That Siemens system is quite specific. Most of their SCADA systems run under any normal PC operating system.
What I am saying is that vulnerability is not going to be bringing down all of the world's industrial automation systems.


Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain
 
That's definitely good to know. I hope our nearest nuclear power plant isn't using one of those systems. [spineyes]
 
And the fix is available........... when??? Now?? Sooner than now, please. I'm wondering if this is such a basic function of Windows that it might not be patchable.
 
Windows has issued a "Fix It". Unfortunately, it disables all shortcut links. See this article for more info. This is a temporary patch and not a true fix. I suspect that since this affects so many Windows versions, it is deep in the bowels of core code, so a true fix may take some time.


James P. Cottingham
I'm number 1,229!
 
So, is this where they call Bill Gates, and say, Bill, who was it you bought the source from? We need to see them NOW! [wink]
 
sggaunt said:
What I am saying is that vulnerability is not going to be bringing down all of the world's industrial automation systems.
Not easily. I think the point of targeting the Siemens system is that it has a known admin password that can't be changed. With other SCADA systems, the underlying Windows can be compromised, but the hacker still needs to figure out how to hack the SCADA itself after getting access to the underlying OS. In addition, most SCADA systems are isolated to private VLANs or even physically separate LANs to help protect them.


If you like the "we're all gonna DIE!" stories, here's a couple:
And an opposing view:

As far as the Windows flaw goes, the icon fetching mechanism is probably pretty well baked in, probably in a number of places. It'll take some work to patch without breaking things I would guess.



Jeff
It's never too early to begin preparing for International Talk Like a Pirate Day
"The software I buy sucks, The software I write sucks. It's time to give up and have a beer..." - Me
 
That "Fix It" from Microsoft is quite funny. From the computerworld.com article 2ffat pointed to, explaining the fix:
the tool ... is only a makeshift defense, one that many users may resist applying, since it makes much of the Windows system, including the desktop, taskbar and Start menu, almost unusable
Baahhh, who uses the desktop, taskbar and Start menu anyway? Command Prompt all the way, baby.
 
Baahhh, who uses the desktop, taskbar and Start menu anyway? Command Prompt all the way, baby.

We all know that deep down, even the Microsoft developers are a bunch of Command Line Interface Terrorists. [tongue]
 
SCADA systems are isolated to private VLANS or even physically separate LANS to help protect them.

In fact the networks used are extremely diverse, use of TCP/IP is a very new concept in this field.
Proprietary fieldbus networks like (Siemens' own) Profibus or DeviceNet are far more common, and there are many, many more systems and protocols all running on specialised hardware (PCs need to be fitted with interface cards); bus-level control is usually done by a PLC.
Hacking this sort of thing is a non-starter as there is virtually no standardisation.


In fact I wrote the Modbus control panel interface firmware running in the softstarters at at least one UK power station.
A second Modbus port connects the starter to a DeviceNet 'gateway' module that links back to a PLC, and that is connected by Ethernet to a PC running SCADA software; no doubt it has an Internet connection.
So if anyone thinks they can remotely change the underlying functionality of the firmware running on the starters, be my guest!


Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain
 
Steve, I'm not disputing the security of the automation networks. Even in your system though, what if someone could get through the LAN, connect to the SCADA PC and was able to log in to the SCADA software with operator privileges? Bet they could do some 'entertaining' things.

Granted even that is not 'easy' but it is conceivable.

Jeff
It's never too early to begin preparing for International Talk Like a Pirate Day
"The software I buy sucks, The software I write sucks. It's time to give up and have a beer..." - Me
 
MasterRacker said:
If you like the "we're all gonna DIE!" stories, here's a couple:
Thanks, those links will provide some interesting reading.

And a very interesting discussion to be sure. I've always been curious as to how such things as the utilities run, with modern technology and all...

Reading the high level details from sggaunt definitely puts some fears at least partially at ease. Wait a minute... maybe TOO much at ease! [SURPRISE]
 
More good news:

In the revised security advisory published yesterday Microsoft acknowledged the new attack vector.

"An attacker could also set up a malicious Web site or a remote network share and place the malicious components on this remote location," the company said in the advisory. "When the user browses the Web site using a Web browser such as Internet Explorer or a file manager such as Windows Explorer, Windows will attempt to load the icon of the shortcut file, and the malicious binary will be invoked."

That language was a change from earlier statements by Microsoft, which had said that attackers could hijack Windows PCs by setting up a remote network share, a much more complicated task than building a malware-spreading Web site. In the earlier advisory, Microsoft also said that "the malicious binary may be invoked"; the most recent warning instead said "the malicious binary will be invoked" [emphasis added in both cases].
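As an added example, not code from any poster in this thread or from Microsoft: the advisory quoted above says Windows loads the shortcut's icon as soon as a folder or share is browsed, so a defender's first question about a suspicious .lnk is where its icon is sourced from. The script below parses the fixed MS-SHLLINK header and the StringData block of a .lnk file, skips the shell item list and LinkInfo it does not decode, and flags shortcuts whose IconLocation names a network share or a loadable module. The flagging rules, the field it relies on, and the constructed sample shortcuts are assumptions made for this example.

```python
"""Triage helper for Windows shortcut (.lnk) files: parse the MS-SHLLINK
header and StringData and report where the shortcut's icon is sourced from.
Added example, not code from this thread or from Microsoft."""
from pathlib import Path
import struct

# LinkFlags bits from MS-SHLLINK section 2.1.1
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 as it is stored on disk
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# StringData fields in the order the format stores them
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, IconIndex and the StringData fields of a .lnk blob."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("bad HeaderSize: not a shell link")
    if data[4:20] != LINK_CLSID:
        raise ValueError("bad LinkCLSID: not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    icon_index = struct.unpack_from("<i", data, 0x38)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # skip IDListSize + IDList (not decoded here)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {"flags": flags, "icon_index": icon_index}
    for field, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            out[field] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            out[field] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return out


def icon_findings(info: dict) -> list:
    """Heuristic flags on the icon source. Assumption: the source of interest is
    recorded in the IconLocation string; the shell item list is not interpreted."""
    icon = info.get("icon_location", "")
    low = icon.lower()
    findings = []
    if low.startswith("\\\\"):
        findings.append("icon sourced from a network share (UNC path)")
    if low.endswith((".dll", ".cpl")):
        findings.append("icon sourced from a loadable module rather than an .exe/.ico")
    return findings


def scan_directory(root: str) -> dict:
    """Map every .lnk under root to its findings; unparsable files are reported too."""
    report = {}
    for path in Path(root).rglob("*.lnk"):
        try:
            report[str(path)] = icon_findings(parse_lnk(path.read_bytes()))
        except (ValueError, struct.error) as exc:
            report[str(path)] = ["unparsable: %s" % exc]
    return report


def build_lnk(icon_location: str, name: str = "") -> bytes:
    """Constructed minimal .lnk (header + StringData only) for offline testing."""
    flags = IS_UNICODE | HAS_ICON_LOCATION | (HAS_NAME if name else 0)
    # HeaderSize, LinkCLSID, LinkFlags, FileAttributes, three FILETIMEs, FileSize,
    # IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1, Reserved2, Reserved3
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b""
    for text in ((name,) if name else ()) + (icon_location,):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


if __name__ == "__main__":
    # Constructed samples: an ordinary shortcut, and one whose icon is a DLL on a share
    for sample in (build_lnk("C:\\Windows\\notepad.exe", "Notepad"),
                   build_lnk("\\\\fileserver\\public\\icons.dll")):
        info = parse_lnk(sample)
        print(info.get("icon_location"), "->", icon_findings(info) or ["no findings"])
```

Run it against a mounted share or a removable drive with `scan_directory(r"E:\")` to get one line per shortcut; a clean result only means the IconLocation string looks ordinary, since the shell item list is skipped rather than decoded.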
 