Wiggly Wayne DDS
Sep 11, 2010



and if that wasn't enough have some http/2 DoS: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md


Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
some kids are probably going to jail

https://twitter.com/Techmeme/status/1161348231911104513

The_Franz
Aug 8, 2003

Cocoa Crispies posted:

like, I bet every other desktop os has similar poo poo going on under the hood

windows is amazing though because there's no such thing as a server build that doesn't ship with fool rear end poo poo on par with rendering fonts in the kernel

"xorg is horribly buggy" is to security conference talks as "the drinking age in america is bs" is to intro college communication courses

an easy, low effort topic that can be thrown together at the last minute

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

:holymoley:

Wiggly Wayne DDS
Sep 11, 2010



so good news these are patched:
bad news:
https://twitter.com/metr0/status/1161381376060358656

Number19
May 14, 2003

HOCKEY OWNS
FUCK YEAH


sounds like so long as you have NLA on those RDP vulnerabilities aren't wormable and thus you don't need to rush to patch them

if you somehow have NLA off in 2019 then wtf are you doing?
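An added example, not code from the thread: the NLA state Number19 is relying on is a per-listener setting, and it is worth auditing rather than assuming. This PowerShell audits and, if needed, enforces Network Level Authentication on the standard RDP-Tcp listener through the built-in TerminalServices WMI class, then cross-checks the registry value that Group Policy writes. It assumes an elevated session and the default listener name.

```powershell
# Added example (not from the thread): audit and enforce NLA on the RDP-Tcp listener.
# Run as an elevated administrator. Assumes the default listener name 'RDP-Tcp'.

$listener = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

# UserAuthenticationRequired: 1 = NLA required (client authenticates before a session
# is created), 0 = legacy connections reach the RDP stack unauthenticated.
if ($listener.UserAuthenticationRequired -eq 1) {
    Write-Output 'NLA is required on RDP-Tcp.'
} else {
    Write-Warning 'NLA is NOT required on RDP-Tcp; unauthenticated clients reach the RDP stack.'
    # Win32_TSGeneralSetting exposes SetUserAuthenticationRequired(); 0 is success.
    $result = Invoke-CimMethod -InputObject $listener `
        -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = 1 }
    if ($result.ReturnValue -eq 0) {
        Write-Output 'NLA enabled on RDP-Tcp.'
    } else {
        throw "SetUserAuthenticationRequired failed with return value $($result.ReturnValue)"
    }
}

# Cross-check the registry value behind the policy "Require user authentication for
# remote connections by using Network Level Authentication" (1 = required).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$reg = Get-ItemProperty -Path $regPath -Name UserAuthentication
Write-Output ("Registry UserAuthentication = {0}" -f $reg.UserAuthentication)
```

Caveat a practitioner will want: NLA only removes the pre-authentication attack surface, which is what makes the difference between "wormable" and "needs valid credentials". A bug reachable after authentication is still reachable by anyone with a valid account, so the patches still need to go on; NLA buys time, not exemption.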

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Number19 posted:

sounds like so long as you have NLA on those RDP vulnerabilities aren't wormable and thus you don't need to rush to patch them

if you somehow have NLA off in 2019 then wtf are you doing?

there are unfortunately some problems with nla where it is impossible to connect from an azuread system to an AD system because "Microsoft. gently caress you." Just straight up bounces the connection, doesn't bother saying it's untrusted do you want to connect or whatever

Potato Salad
Oct 23, 2014

nobody cares


BangersInMyKnickers posted:

there are unfortunately some problems with nla where it is impossible to connect from an azuread system to an AD system because "Microsoft. gently caress you." Just straight up bounces the connection, doesn't bother saying its untrusted do you want to connect or whatever

Under what circumstances do you see this happen? :confused:

ewiley
Jul 9, 2003

More trash for the trash fire

Good lord I picked a good time to implement client firewalls w/ipsec. Windows firewall authenticated/encrypted connections make these attacks way harder.

Phone posted:

lmao deleted comment #21

What was it? Someone bitching about disclosing automatically at day 90 again?
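An added example, not code from the thread: the "client firewalls w/ipsec" setup ewiley describes is two pieces in Windows Defender Firewall, a connection security rule that forces IPsec authentication on the port and a firewall rule that only admits traffic that actually arrived authenticated and encrypted. The PowerShell below does that for RDP on a domain-joined host using machine Kerberos, and disables the stock unauthenticated "Remote Desktop" rule group so it cannot silently let the same traffic in. Rule display names are assumptions; run elevated.

```powershell
# Added example (not from the thread): require IPsec authentication and encryption
# for inbound RDP. Assumes a domain-joined host (machine Kerberos is available) and
# runs in an elevated session. Display names are arbitrary.

# 1. Phase 1 authentication: the peer computer proves its identity with Kerberos.
$kerbProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'Phase1: machine Kerberos' `
    -Proposal $kerbProposal

# 2. Connection security rule for TCP/3389. Inbound: Require, so an unauthenticated
#    peer never negotiates a session. Outbound: Request, so this host can still talk
#    to peers without an IPsec policy.
New-NetIPsecRule -DisplayName 'IPsec: require auth for RDP' `
    -Protocol TCP -LocalPort 3389 `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name

# 3. Firewall rule that admits RDP only if the packet arrived inside an authenticated,
#    encrypted IPsec SA. Anything in the clear is dropped before it reaches termsrv.
New-NetFirewallRule -DisplayName 'RDP inbound (IPsec authenticated, encrypted)' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow `
    -Authentication Required -Encryption Required

# 4. The built-in "Remote Desktop" group allows 3389 with no authentication
#    requirement; leaving it enabled would bypass step 3.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 5. Verify: the security filter on our rule should show Required/Required.
Get-NetFirewallRule -DisplayName 'RDP inbound (IPsec authenticated, encrypted)' |
    Get-NetFirewallSecurityFilter |
    Format-List Authentication, Encryption
```

With this in place an unauthenticated pre-auth RDP bug is only reachable by a machine that can complete Kerberos machine authentication to this host, which is why it "makes these attacks way harder" rather than merely harder to find. The same pattern (a Require-inbound IPsec rule plus a firewall rule with -Authentication Required) works for SMB, WinRM or any other listener you want to take off the anonymous network.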

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Potato Salad posted:

Under what circumstances do you see this happen? :confused:

Hybrid environments syncing their on-prem ad to azuread with adsync

Phone
Jul 30, 2005

親子丼をほしい。

ewiley posted:

What was it? Someone bitching about disclosing automatically at day 90 again?

https://forums.somethingawful.com/showthread.php?threadid=3887592&userid=0&perpage=40&pagenumber=74#post497475385

quote:

Comment 21 by taviso@google.com on Tue, Aug 13, 2019, 12:56 PM EDT (9 minutes ago)
Apparently this attachment is necessary because Microsoft employees can't count.

mystes
May 31, 2006

They don't release after 90 days have elapsed? They release on the 90th day?

mystes fucked around with this message at 01:08 on Aug 14, 2019

Doom Mathematic
Sep 2, 2008

mystes posted:

They don't release after 90 days have elapsed? They release on the 90th day?

Ah, Biblical timekeeping, like how sunset on Good Friday to Easter Sunday morning is somehow "three days".

Phone
Jul 30, 2005

親子丼をほしい。
my job is 90% figuring out the length between two dates

Trabisnikof
Dec 24, 2005

mystes posted:

They don't release after 90 days have elapsed? They release on the 90th day?

Day 89 is the 90th day.

JawnV6
Jul 4, 2004

So hot ...
maybe his calendar is bricked

~Coxy
Dec 9, 2003

R.I.P. Inter-OS Sass - b.2000AD d.2003AD

7of7 posted:

Sure, posting Taviso is easy mode but this thing he just posted is mind blowing.

Completely unauthenticated message passing and method execution across Windows applications at any privilege level.

if this capability always existed then why can you not use your media keys or drag-drop in elevated apps

ErIog
Jul 11, 2001

:nsacloud:

~Coxy posted:

if this capability always existed then why can you not use your media keys or drag-drop in elevated apps

Those were vectors they considered while the more generic one taviso found was not?

mystes
May 31, 2006

~Coxy posted:

if this capability always existed then why can you not use your media keys or drag-drop in elevated apps
Because you weren't exploiting vulnerabilities in the CTF protocol?

Charun
Feb 8, 2003


BangersInMyKnickers posted:

Hybrid environments syncing their on-prem ad to azuread with adsync

Also, no way to RDP into an AzureAD connected PC from a PC not connected to the same AzureAD with NLA enabled.

CRIP EATIN BREAD
Jun 24, 2002

Hey stop worrying bout my acting bitch, and worry about your WACK ass music. In the mean time... Eat a hot bowl of Dicks! Ice T



Soiled Meat

JawnV6 posted:

maybe his calendar is bricked

lmao

ewiley
Jul 9, 2003

More trash for the trash fire

oh duh, thanks :) Taviso is very abrasive and yelled at me on twitter about antivirus once, so I'm not surprised.

Potato Salad
Oct 23, 2014

nobody cares


BangersInMyKnickers posted:

Hybrid environments syncing their on-prem ad to azuread with adsync

swear on me mum this is working with a client; maybe it's not doing what I thought it was doing

Cybernetic Vermin
Apr 18, 2005

i presume taviso's point is that they reported before business open day 1 and disclosed after business close on day 90 or some such, but since afaik we don't know that the public snark was pretty uncalled for.

Wiggly Wayne DDS
Sep 11, 2010



the whole "barely respond for the first two months of disclosure" probably soured him a bit, which is understandable as this isn't exactly a simple issue to fix

e: also i guess this is why everyone was talking about updating pulse secure, etc yesterday:
https://twitter.com/wdormann/status/1161595148251336704

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug

Cybernetic Vermin posted:

i presume taviso's point is that they reported before business open day 1 and disclosed after business close on day 90 or some such, but since afaik we don't know that the public snark was pretty uncalled for.

Wiggly Wayne DDS posted:

the whole "barely respond for the first two months of disclosure" probably soured him a bit, which is understandable as this isn't exactly a simple issue to fix

yeah, like, I know if I got an email from taviso I’d probably reply within seconds but I’m not in a role where I would

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Potato Salad posted:

swear on me mum this is working with a client; maybe it's not doing what I thought it was doing

I dug in to way too much documentation on this and the answer was "lol wontfix" and it's known on MS's end. They do not support hybrid environments well.

infernal machines
Oct 11, 2012

we have sealed ourselves away behind our money, growing inward, generating a seamless universe of self.

BangersInMyKnickers posted:

I dug in to way too much documentation on this and the answer was "lol wontfix" and its known on MS's end. They do not support hybrid environments well.

we wanted to do passwordless for a client in a hybrid environment and once you get through all the hype the answer is "you can't".

CRIP EATIN BREAD
Jun 24, 2002

Hey stop worrying bout my acting bitch, and worry about your WACK ass music. In the mean time... Eat a hot bowl of Dicks! Ice T



Soiled Meat
if i won the lottery i would fund taviso to just disclose every 0-day he discovered immediately and see what sort of chaos could come about.

responsible disclosure is boring.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
I’ve worked somewhere on the receiving end of taviso

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

lol some dumb poo poo symantec is doing blocks win7/2008r2 systems from seeing updates that are only sha2 signed for some reason and they aren't saying why but it affects every version of their client

Perplx
Jun 26, 2004


Best viewed on Orgasma Plasma
Lipstick Apathy
it would be hilarious if that's why they backdated certs, like the av department has a bug and calls the cert department to backdate certs for a big client because it's easier than fixing the bug

Captain Foo
May 11, 2004

we vibin'
we slidin'
we breathin'
we dyin'

Lain Iwakura posted:

I’ve worked somewhere on the receiving end of taviso

I would like to know more

but I suspect nda

Wiggly Wayne DDS
Sep 11, 2010



BangersInMyKnickers posted:

lol some dumb poo poo symantec is doing blocks win7/2008r2 systems from seeing updates that are only sha2 signed for some reason and they aren't saying why but it affects every version of their client
microsoft's holding the updates back. these are the first sha2-only signed updates which was meant to go ahead in june but guess who's too incompetent to support it?
https://support.microsoft.com/en-us/help/4512486/windows-7-update-kb4512486

quote:

Symptom: Microsoft and Symantec have identified an issue that occurs when a device is running any Symantec or Norton antivirus program and installs updates for Windows that are signed with SHA-2 certificates only. The Windows updates are blocked or deleted by the antivirus program during installation, which may then cause Windows to stop working or fail to start.

Workaround: Microsoft has temporarily placed a safeguard hold on devices with an affected version of Symantec Antivirus or Norton Antivirus installed to prevent them from receiving this type of Windows update until a solution is available. We recommend that you do not manually install affected updates until a solution is available.

Guidance for Symantec customers can be found in the Symantec support article.
e: and guess what happened to biostar 2? turns out the biometrics were held in a public elasticsearch db:
https://www.theguardian.com/technology/2019/aug/14/major-breach-found-in-biometrics-system-used-by-banks-uk-police-and-defence-firms

quote:

The researchers had access to over 27.8m records, and 23 gigabytes-worth of data including admin panels, dashboards, fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.
https://www.vpnmentor.com/blog/report-biostar2-leak/

quote:

Instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes.

Wiggly Wayne DDS fucked around with this message at 17:42 on Aug 14, 2019

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Wiggly Wayne DDS posted:

microsoft's holding the updates back. these are the first sha2-only signed updates which was meant to go ahead in june but guess who's too incompetent to support it?
https://support.microsoft.com/en-us/help/4512486/windows-7-update-kb4512486

lol I assumed it was some kind of signed code validation problem since I know their engine does that but just nuking anything that doesn't present a sha1 hash is pretty lol

Wiggly Wayne DDS
Sep 11, 2010



i didn't mention it earlier as i was hoping it was a minor joke amongst yesterday's pile of issues and wouldn't affect anyone here, alas

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Captain Foo posted:

I would like to know more

but I suspect nda

it has been years and it wasn't so bad minus him giving a talk on the whole matter and work getting uppity about me being at said conference, fearing that the media would somehow figure out that i worked for them

i don't really care anymore but taviso does strike fear into some companies and i know this first-hand

redleader
Aug 18, 2005

Engage according to operational parameters

Wiggly Wayne DDS posted:

microsoft's holding the updates back. these are the first sha2-only signed updates which was meant to go ahead in june but guess who's too incompetent to support it?
https://support.microsoft.com/en-us/help/4512486/windows-7-update-kb4512486

e: and guess what happened to biostar 2? turns out the biometrics were held in a public elasticsearch db:
https://www.theguardian.com/technology/2019/aug/14/major-breach-found-in-biometrics-system-used-by-banks-uk-police-and-defence-firms

https://www.vpnmentor.com/blog/report-biostar2-leak/

reminder to everyone affected to change their fingerprints

Hed
Mar 31, 2004

Fun Shoe
Is SentinelOne security snake oil?

An exec friend was asking me and while it looks like nothing I would want on in one of my companies, I was curious. It’s a low IP company so the threat model is likely stopping cryptolocker and spear phishing poo poo. For that I usually would recommend AppLocker and PS1 signing since it’s an all-Windows environment sans the marketing Dept.
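An added example, not code from the thread: the AppLocker plus script-signing baseline Hed mentions, as the controls a low-IP all-Windows shop would actually deploy against commodity ransomware and phishing payloads. The PowerShell builds publisher rules (hash rules where a file is unsigned) from the trusted install locations of a reference machine, deploys them in audit mode so you can watch what would have been blocked before flipping to enforce, and sets the script execution policy to AllSigned. Paths and the sample test path are assumptions; run elevated.

```powershell
# Added example (not from the thread): AppLocker in audit mode plus signed-script
# policy. Run elevated on a clean reference machine. Directory and test paths are
# assumptions for the example.

# AppLocker enforcement depends on the Application Identity service.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Inventory executables, DLLs and scripts under the locations a standard user cannot
# write to. Publisher rules where files are signed, hash rules otherwise; -Optimize
# merges rules covering the same publisher/product.
$inventory = @(
    Get-AppLockerFileInformation -Directory 'C:\Program Files'       -Recurse -FileType Exe, Dll
    Get-AppLockerFileInformation -Directory 'C:\Program Files (x86)' -Recurse -FileType Exe, Dll
    Get-AppLockerFileInformation -Directory 'C:\Windows\System32'    -Recurse -FileType Exe, Dll, Script
)
$policy = $inventory | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize

# Start in audit mode: nothing is blocked, but every decision is logged, so the
# "marketing dept" edge cases surface before anything is enforced.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}
Set-AppLockerPolicy -PolicyObject $policy

# Dry-run the policy against a file dropped in a user-writable location, which is
# where a phishing payload or cryptolocker stager would land.
$sample = 'C:\Users\Public\Downloads\invoice.exe'   # assumed path for the example
if (Test-Path $sample) {
    Test-AppLockerPolicy -PolicyObject $policy -Path $sample -User Everyone |
        Format-List FilePath, PolicyDecision, MatchingRule
}

# Require Authenticode-signed PowerShell scripts machine-wide.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# Review what audit mode would have blocked (event 8003 = allowed only because the
# collection is in audit mode) before switching EnforcementMode to 'Enabled'.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 200 |
    Where-Object Id -eq 8003 |
    Select-Object TimeCreated, Message
```

Two caveats: the execution policy is a convenience setting, not a security boundary (powershell.exe -ExecutionPolicy Bypass defeats it), so the control that actually stops unsigned scripts is the AppLocker Script rule collection, which is why both are deployed together; and publisher rules on very broad products (anything that lets a user write and launch arbitrary content from a trusted publisher) need reviewing in the audit log before enforcement, or the policy will be either porous or disruptive.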


~Coxy
Dec 9, 2003

R.I.P. Inter-OS Sass - b.2000AD d.2003AD

BangersInMyKnickers posted:

I dug in to way too much documentation on this and the answer was "lol wontfix" and its known on MS's end. They do not support hybrid environments well.

I'm more surprised you actually managed to get that kind of answer out of MS documentation
