Please run windows update now

As much as I hate, loathe, and despise Microsoft, there's always going to be someone/something out there that is "the worst". Eliminate the current "worst", and there will be another one right behind them.

I do believe that Microsoft is directly responsible for trillions of dollars/euros of damage done to economies worldwide, due to their lax security practices over the years. Their advances have only come at the cost of great pain on the part of others, and they have been kicking and screaming all the while being dragged into the modern world.

The rest of us will continue to bear the pain and anguish that they create. That's just the way things are. Not the way they should be, but the way they are.

Spot on. Shame on Microsoft for releasing patches and not
forcing the installation versus letting security managers
open up ISC^, and other nonsensical frameworks to do things
like "change/patch management" tasks. I mean, who cares if
one little patch knocks a business out of existence.

I do believe Microsoft is directly responsible for making
people such daft "To patch or not to patch" admins. Force
feed patches on everyone! Then your next message will be:
"I believe Microsoft is responsible for trillions of
dollars by pushing out patches forcefully and negatively
impacting businesses worldwide."

Pain and anguish? I'm smiling and drinking coffee. I adore
when security shenanigans occur. That is the sound of a cash
register to me.

They even released updates for XP & 2003

http://www.catalog.update.microsoft.com/search.aspx?q=4012598

I should clarify, the link in my email below is only for windows versions that are considered unsupported.
  
This one has links for the currently supported versions of windows

  https://support.microsoft.com/en-us/help/4013389/title

I do not see any links to actually download the actual patches. Just a bunch of text drivel.

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Look near the bottom under Further Resources.

Spot on. Shame on Microsoft for releasing patches and not
forcing the installation versus letting security managers
open up ISC^, and other nonsensical frameworks to do things
like "change/patch management" tasks. I mean, who cares if
one little patch knocks a business out of existence.

If Microsoft didn't open the security hole in the first place, then there wouldn't be a need to patch it afterwards.

Of course, there will always be patches that need to be applied, and people do have to decide what is a sane patching process. But if a patch can be completely avoided because they were more careful and rigorous in their development to begin with, then as a whole the world would be better off.

I do believe Microsoft is directly responsible for making
people such daft "To patch or not to patch" admins. Force
feed patches on everyone! Then your next message will be:
"I believe Microsoft is responsible for trillions of
dollars by pushing out patches forcefully and negatively
impacting businesses worldwide."

An ounce of prevention on their part would prevent a pound of cure having to be applied by everyone else in the world.

But then Microsoft couldn't extract their value from selling that pound of cure, so that would be another problem.

Pain and anguish? I'm smiling and drinking coffee. I adore
when security shenanigans occur. That is the sound of a cash
register to me.

Not everyone licks their chops and thinks "fresh meat" when they see worldwide panic that results from a massive security hole like this.

Some of us just want to get regular work done.

If Microsoft didn't open the security hole in the first place, then there wouldn't be a need to patch it afterwards.

You are very correct. Microsoft opened the hole because
they had nothing better to do. Or, could it be that these
things happen, akin to a car having to perform a recall.
I am sure (with the exception of Volkswagen's clusterf^W)
no vendor in any vertical wants to put out subpar products
(call me a dreamer.)

Of course, there will always be patches that need to be applied, and people do have to decide what is a sane patching process. But if a patch can be completely avoided because they were more careful and rigorous in their development to begin with, then as a whole the world would be better off.

Rigorous in development means little. Go pick an RFC and
you will find that over time, even the foundations have at
some point or another been broken/circumvented. I have a
mental running joke "Blame Paul Vixie!!!" (Sorry Paul :))
When the world lost their ability to use common sense,
anything related to DNS became a blame Paul for writing
BIND. No... Old saying: "Any time you point the finger,
remember, there are more of your fingers pointing back at
you."

Organizations do perform testing, and some don't. Just
because some don't does not mean the industry as a whole
won't, or doesn't do it. The fact MS went out of their way
to make patches for systems they SPECIFICALLY stated they
would not support no more gives them kudos across the
board.

An ounce of prevention on their part would prevent a pound of cure having to be applied by everyone else in the world.

With 20/20 vision, should that mean I should be expected
to see someone throwing a 100MPH fastball at me from
my back? Would my pound of cure be ESP for seeing the
future?

But then Microsoft couldn't extract their value from selling that pound of cure, so that would be another problem.

Sorry to tell you this, that comment makes little sense.
I didn't know Microsoft sold that pound of cure (patch).

Not everyone licks their chops and thinks "fresh meat" when they see worldwide panic that results from a massive security hole like this.

Jump in the security space, where we may gladly trade our
cats and dogs for Porsche Panameras

Some of us just want to get regular work done.

And some of us find that life goes on. This is no different
than Nimda, and other minor fiascos that occur every once
in a while. With the exception of Morris. No one, not even
the worms in the dirt like him.

Thanks, but no. I am already forced to do much more in the security space than I would like.

And I love my little miracle kitty very much. I wouldn't trade her for any kind of vehicle in this world. I am rather less materialistic than that.

You, sir, are to be congratulated! I have been on this list for many years
- mainly to keep in the loop. Up until today the list went to a catch-all
account as I have never felt the need to post. Today, though, I felt the
need to create the mailbox just so I could reply since your posts have been
the most irritating I have ever seen on this list. The complete ineptness
in any of the points you shared was astonishing. If you are on this list
you are most likely in some business associated with the Internet so if you
are like some of those that "just want to get some regular work done" let me
remind you that this _is_ regular work. Get it done. Microsoft isn't to
blame here. It's the people who refuse to upgrade their Operating Systems
or patch religiously who are (read: IT departments here too). A lot more of
the world use Microsoft products than you seem to think - it is the dominant
and it's not going away. If this causes you more work than the random
scripts you google on the Internet to run on your *nix boxes perhaps your
time in the business is up. I too prefer and enjoy running all sorts of
flavors of unix/Linux and sometimes you will find that I bash the occasional
Windows user for being less than diligent but there is a limit to this
bashing and you, Rich, have well exceeded that IMO.

For those of you on this list that feel that this post was not necessary, I
am sorry and would normally agree with you and I hardly think it will happen
again.

Phillip White

Calling someone who uses Windows unprofessional would be a "gossip"-style
phrase.
This is a piece of software which can be tested and compared to others.
Would Android be better than Windows only because it is based on the Linux
kernel, or because its full engineering was invested in from the
bottom up?

So from my point of view on things:
Windows is good
Linux is good
BSD is good
Mac is good
Others, good...

But depends on what you need.
If you need to work with a system that has a specific compatibility or
usability levels then this is what you need.
If it works for me it doesn't mean that it's either good or bad for me and
others!

I love Linux based systems but they all need some "magic hands" on them to
convert them from Linux to "something better".
So with this in mind: If you are a magician and Linux feels good for you it
doesn't mean that everybody should be magicians!

All The Bests,
Eliezer

<https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/>

Look near the bottom under Further Resources.

Those links appear to be patches for older versions of Windows.

The link that Josh sent initially is probably the most straight forward for currently supported versions.

                MSRC - Microsoft Security Response Center

Scroll down below “Affected Software and Vulnerability Severity Ratings” and click on the link in the left column; it will bring you to the MS Update Catalog download page for the patch in question.

Keep in mind that since MS started doing monthly patch rollups instead of individual patches, they are listing a “rollup” KB# and “security only” KB# for each version of Windows.

For example, look at Windows 2012/2012R2 above – there are four different KB#s depending on the OS version and update method being used.

KB4012217 : “monthly rollup” version for 2012 (gets delivered via windows update - contains this patch and several others)

KB4012214 : “security only” version for 2012 for this one patch

KB4012216 : 2012R2 version of the rollup

KB4012213 : 2012R2 version of the security only patch

Since everyone else is bloviating I may as well also...

The underlying problem is that Microsoft tried to produce basically
one operating system for both servers and end-users and most anything
in between.

Putting some lipstick on them and names such as "server 2008" doesn't
negate that.

Ok so did everyone, sort of (does Apple even make servers? ok ok I
know the response, cylindrical things.)

But others, which means the un*x sphere, at least had the excuse that
they were practically unfunded with a few notable exceptions (but Sun
is gone no sense beating the dead.)

MS has about $100B cash on hand and has generally been a quite
profitable enterprise for longer than probably most people on this
list have been alive.

So for example why does a client OS produced with that much money
available even allow things like wholesale encryption of files without
at least popping up one of those warnings to confirm that you really
meant to run a program on $THRESHOLD files, opening them for update
etc, not just read? Even backup doesn't do that. I suppose update does
but that and similar could be handled specially.

Why?

Because it would be annoying to their server customers if they
interfered and it seems that's how decisions are made. Over and
over. And over.

What we really have is the end result of a company spending as little
as possible on their product and optimizing their bottom line because
no one has any power to make them produce anything better.

  One code base to rule them all, One code base to sell them, One code
  base to bring them all, And in their darkness bind them.

That's what MS needs to be held accountable for, sucking literally
hundreds of billions from companies and consumers (that is, no lack of
money) and passing the pain of an inferior product to those consumers
much like the car industry did until Ralph Nader ("Unsafe At Any
Speed") and others began pointing this out in the 1960s and action was
taken and we got some omg seat belts and attention paid to how easily
a car of that era could roll over on a turn at 25mph, etc.

I think making feelgood comments like one has to be an idiot to run
Windows is a huge waste of time at this point. That horse is out of
the barn, has sailed, the barn door is still wide open, and it's
become way too late to fret over saving nine except forward.

Well Barry, I can tell you why, with examples from the Unix world.

for i in *; do encrypt < "$i" > "$i.new"; mv "$i.new" "$i"; done

How do you throw a pop-up warning for that? Pre-run it and see how many >
might get executed? And how do you tell that the sequence ends up destroying
the file rather than creating a new one?

OK. How about this one?

cat > ./wombat << 'EOF'
#!/bin/bash
encrypt < "$1" > "$1.new"; mv "$1.new" "$1"
EOF
chmod +x ./wombat
for i in *; do ./wombat "$i"; done

Now convert that to C and bury that whole thing inside a binary. How does the
operating system detect that and throw a pop-up *before* that executes?

It's a lot harder problem than you think. Hint: Fred Cohen's PhD thesis
showed that detecting malware is isomorphic to the Turing Halting Problem.

The general problem might well be that hard, I don’t know, it seems
plausible. However Barry’s suggestion doesn’t seem impossible.

One strategy is as follows. Have a counter in the kernel about writes to
files. Have some sort of log-structured filesystem with checkpoints or
whatever. When the counter goes too fast, show Barry’s dialog box and
if the user says no, roll back the filesystem to the time just before the
process (or its parent, or its parent’s parent, …) started. There are
details to be ironed out, of course, but there’s no reason in principle
that it couldn’t be done like this.

The reason that you don’t have to make the operating system solve
the halting problem is because you ask the user.

William Waites
Laboratory for Foundations of Computer Science
School of Informatics, University of Edinburgh
Informatics Forum 5.38, 10 Crichton St.
Edinburgh, EH8 9AB, Scotland

> > So for example why does a client OS produced with that much money
> > available even allow things like wholesale encryption of files without
> > at least popping up one of those warnings to confirm that you really
> > meant to run a program on $THRESHOLD files, opening them for update
> > etc, not just read?
>
> Well Barry, I can tell you why, with examples from the Unix world.
>
> for i in *; do encrypt < $i > $i.new; mv $i.new $i; done

Oh great a design review!

Hello Valdis, I am Barry Shein. I've done decades of internals and
kernel work.

Ever use any Windows since about Vista? It throws up those warning
pop-ups when you're about to do something it decides needs
confirmation?

That was almost certainly my invention.

I described the idea on an anti-spam list and two Microsoft engineers
contacted me to discuss whether this is feasible etc.

Never got a thank you tho.

>
> How do you throw a pop-up warning for that? Pre-run it and see how many >
> might get executed? And how do you tell that the sequence ends up destroying
> the file rather than creating a new one?

You count the number of destructive opens in the kernel and if it
exceeds a threshold (for example) you stop it and pop up a warning.

For example.

As I said this is the sort of thing which is suitable for an end-user
OS and no doubt annoying in a server OS.

>
> OK. How about this one?
>
> cat > ./wombat << 'EOF'
> #!/bin/bash
> encrypt < "$1" > "$1.new"; mv "$1.new" "$1"
> EOF
> chmod +x ./wombat
> for i in *; do ./wombat $i; done
>
> Now convert that to C and bury that whole thing inside a binary. How does the
> operating system detect that and throw a pop-up *before* that executes?
>
> It's a lot harder problem than you think. Hint: Fred Cohen's PhD thesis
> showed that detecting malware is isomorphic to the Turing Halting Problem.
>

You don't seem to understand how OS's work which surprises me in your
case.

My $0.02, for people doing internal/private triage:

- If your use of IPv4 space is sparse by routes, dump your internal
routing table and convert to summarized CIDR.

- Feed your CIDRs to masscan [1] to scan for internal port 445 (masscan
randomizes targets, so destination office WAN links won't saturate, but
local/intermediate might if you're not careful, so tune):

    sudo masscan -p445 --rate=[packets-per-second safe for your network] -iL routes.list -oG masscan-445.out

- Use https://github.com/RiskSense-Ops/MS17-010/tree/master/scanners (the
python2 one, or the Metasploit one if you can use that internally) to
detect vuln. The python one is *not* a parallelized script, so consider
breaking it into multiple parallel runners if you have a lot of scale.

Note - I've learned that the detection rate for the Python script above is
*much* lower than this nmap script. I recommend using the nmap script
instead:

Microsoft aren't stupid. They have learned lessons from the days in the
90s and early 2000s when they were a laughing stock in terms of
security, and since then Windows security has improved enormously. OK,
so it's not perfect, but what software is? Dirty Cow, Shellshock and
Heartbleed for example weren't exactly minor flaws, but the world moved on.

What's key is that administrators need to know how to secure their
estates. If they've failed to apply the patch, that's their failure, not
Microsoft's, but patching was not the only way to have curtailed this
weekend's outbreak. Admins may have had their reasons for not patching -
maybe to do so would have invalidated some kind of certification on an
embedded system for example - but there should have been other controls
in place to limit the spread of this outbreak or others like it.

Something that's puzzled me about events this weekend is that hardly
anyone is mentioning firewalling. Servers generally need ports
135-139/445 to be accessible in order to act as, well, servers - but
workstations don't. Why aren't people - even cash-starved organisations
like the NHS - using the Windows firewall to protect at least their
workstations on an ongoing basis? How did this infection spread between
organisations without being stopped by a border firewall at any point?
Was nothing learned from the Blaster days? (I don't have the answer.)

Although the malware was probably injected into multiple organisations
in numerous countries via multiple phishing attacks, the spread as
reported seemed too fast between organisations and countries for it to
have been driven by phishing attacks alone, and I haven't seen any
reports showing people how to spot the phishing attempts. So I'm
guessing a lot of the propagation even between orgs was by MS17-010.

It would be interesting to find out if anyone saw unusual spikes in SMB
traffic over the weekend? Or if there are insights into any of the
semi-rhetorical questions I posed above?

Cheers,
Jon

*popcorn* ... What was the original thread about? Because
once upon a time as a proof of concept for "undetectable"
viruses on *nix, (was for a competition where I was not
allowed to play post disclosure of PoC), anyway, I
created a really really bad mechanism to negatively
impact ALL BSDs, Solaris, Linux, it was *nix agnostic.

Bigger takeaway, malware/scumware/whateverware authors
target Windows because there are more users. For someone
dealing with security 24x7x365, I can state MS has come
a very long way from what they were, including dealing
with MSRC and other departments. Do you have any idea
how difficult it is to deal with certain *nix projects?
Freshmeat? Github, hobby...

Apples and oranges. And I CAN COUNT the number of
destructive opens read, and write on any nix system, so
perhaps we should kill this thread before it becomes:
my NetBSD toaster is better than your windows powered
refrigerator.

That's basically what I did. I got tired of users constantly opening
any attachment that came at them through e-mail and encrypting all the
files on their systems and other network systems....so...I installed a
Linux box running Samba backed by a ZFS file store.

Samba spits out syslog records on file writes.

Combine that with fail2ban. When one user has more than 60 writes in
60 seconds *or* a write contains a well-known cryptolocker name (i.e.
*DECRYPT_INSTRUCT*) it immediately blocks their IP on the server,
looks up their MAC address, scans the switch for their MAC, and
disables the switch port.

Then I have a list of files in syslog that were encrypted and ZFS
snapshots I can restore from.

Additionally, some of the workstations were PXE or iSCSI booted from
the NAS so it was as simple as "Hold down the power button to turn off
your computer. Ok, let me 'zfs rollback' your machine image...ok, now
turn your computer back on. All set."

Plus adding new workstations was as easy as getting the MAC address
and doing a 'zfs clone' of a clean machine image.

Upgrades are easy too--boot a VM, install the latest version of
Windows, update drivers, install software packages, then shutdown,
snapshot and clone. Tell the user to reboot their PC and they are now
running the newer OS.

Windows isn't hard if you have Linux and Unix running underneath,
behind, and between everything. :wink:

-A
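William's counter-and-rollback proposal earlier in the thread and the Samba/fail2ban setup in this post come down to the same detector: count successful destructive operations per principal in a sliding window, trip on a rate threshold or on a ransom-note filename, and remember where the burst began so the snapshot taken just before it can be rolled back to. Below is an added example in Python of that detector; it is not the poster's fail2ban configuration. It runs over constructed log lines in the field layout of Samba's full_audit VFS module (user|ip|machine|share|operation|result|path), with an epoch-seconds prefix standing in for the real syslog timestamp, uses the post's triggers (more than 60 writes in 60 seconds, or a path matching *DECRYPT_INSTRUCT*), and emits an iptables command that blocks the offender's SMB traffic at the server. The switch-port lookup and the zfs rollback itself are left out; burst_started_at is the value you would feed to them. The note-name fragments other than DECRYPT_INSTRUCT are assumptions.

```python
import re
from collections import defaultdict, deque

MAX_WRITES = 60          # post: more than 60 writes ...
WINDOW_SECONDS = 60      # ... by one user within 60 seconds trips the block
# Ransom-note name fragments. DECRYPT_INSTRUCT is the one named in the post; the others are assumed.
NOTE_MARKERS = ("DECRYPT_INSTRUCT", "HOW_TO_DECRYPT", "RECOVER_FILES")
# full_audit operation names treated as destructive (reads are deliberately not counted).
WRITE_OPS = {"pwrite", "write", "rename", "unlink", "ftruncate"}

# Constructed line format: "<epoch> smbd_audit: user|ip|machine|share|operation|result|path"
LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+smbd_audit:\s+(?P<user>[^|]+)\|(?P<ip>[^|]+)\|[^|]*\|[^|]*\|"
    r"(?P<op>[^|]+)\|(?P<result>[^|]+)\|(?P<path>.*)$"
)


def _line(ts, user, ip, op, path, result="ok"):
    """Build one constructed audit line in the layout above."""
    return f"{ts} smbd_audit: {user}|{ip}|WS-{user.upper()}|shared|{op}|{result}|{path}"


# Constructed sample: alice edits five files over five minutes (benign), bob rewrites 80 files
# in 20 seconds (four per second), carol drops a ransom note after a read and a failed write
# that the detector must ignore.
SAMPLE_LINES = (
    [_line(2000 + 60 * i, "alice", "10.0.0.11", "pwrite", f"Finance/q{i}.xlsx") for i in range(5)]
    + [_line(1000 + i // 4, "bob", "10.0.0.42", "pwrite", f"Shared/doc{i:03d}.docx") for i in range(80)]
    + [_line(3000, "carol", "10.0.0.77", "pread", "Shared/notes.txt"),
       _line(3001, "carol", "10.0.0.77", "pwrite", "Shared/notes.txt", result="fail"),
       _line(3002, "carol", "10.0.0.77", "pwrite", "Shared/DECRYPT_INSTRUCTIONS.txt")]
)


def detect(lines):
    """Return one alert per user that tripped a trigger; later lines from a tripped user are ignored."""
    recent = defaultdict(deque)   # user -> timestamps of successful destructive ops in the window
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["result"] != "ok" or m["op"] not in WRITE_OPS:
            continue              # unparsable, failed, or non-destructive: not counted
        user, ip, ts, path = m["user"], m["ip"], int(m["ts"]), m["path"]
        if user in alerts:
            continue              # already blocked, nothing more to decide
        if any(marker in path.upper() for marker in NOTE_MARKERS):
            alerts[user] = {"user": user, "ip": ip, "detected_at": ts,
                            "burst_started_at": ts,
                            "reason": f"ransom-note filename: {path}"}
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > WINDOW_SECONDS:     # slide the window: drop writes older than 60 s
            q.popleft()
        if len(q) > MAX_WRITES:
            alerts[user] = {"user": user, "ip": ip, "detected_at": ts,
                            "burst_started_at": q[0],   # roll back to a snapshot taken before this
                            "reason": f"{len(q)} writes in {ts - q[0] + 1}s"}
    return list(alerts.values())


def block_command(alert):
    """fail2ban-style action: drop the offender's SMB traffic at the file server."""
    return f"iptables -I INPUT -s {alert['ip']} -p tcp --dport 445 -j DROP"


if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert["user"], alert["reason"], "->", block_command(alert))
```

Run as-is it flags bob on the 61st write of his burst and carol on the note filename, and leaves alice alone; the first write of bob's burst is reported so the restore can be pointed at the snapshot preceding it, which is the piece the kernel counter alone cannot give you.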