
Emergency Windows 10 Critical Security Update: Microsoft Urges Users To ‘Take Action’


duddy


Just days after the monthly Patch Tuesday swathe of Windows security updates was released, Microsoft has issued an emergency "out of band" update for Windows 10 users in response to the leaking of a critical vulnerability.

 

Microsoft issues critical out of band security update for Windows 10 users

Microsoft has urged Windows 10 users to "take action" as the out of band security update for CVE-2020-0796 is released. This is a critical vulnerability, named SMBGhost or EternalDarkness by various security vendors, that is both wormable and affects the Server Message Block (SMB) network communications protocol. Yes, the protocol that enables shared access to your files and printers as well as serial ports. And, yes, the same SMB protocol that was exploited by the NSA-developed EternalBlue to such devastating effect during the WannaCry attacks in 2017.

 

Kieran Roberts, head of penetration testing at Bulletproof, said at the time of the leak that "SMB is the protocol used for sharing files, this is the same protocol that was vulnerable to the EternalBlue (CVE-2017-0144) exploit back which was weaponized into the WannaCry ransomware. It appears that this new vulnerability has several of the same hallmarks as EternalBlue. This means that this new vulnerability could result in a resurgence of ransomware attacks such as WannaCry and NotPetya, which both used the very similar EternalBlue exploit."

 

How did the CVE-2020-0796 leak happen?

The reason that SMBGhost was disclosed would seem to be a miscommunication in the patching and disclosure process that led to some vendors thinking CVE-2020-0796 would have a fix included in the Patch Tuesday updates. They then accidentally published details of it in their update round-up blogs. Although those disclosures were quickly removed, details rapidly spread across social media, especially within the online Infosecurity community.

 

What has Microsoft said about the SMBGhost vulnerability?

As I reported on March 11, the vulnerability sits in the SMB 3.0 network communication protocol, and if successfully exploited by an attacker could enable remote and arbitrary code execution and potentially take control of the system. Microsoft said that it had not yet "observed an attack exploiting this vulnerability," but recommended that users "apply this update to your affected devices with priority." There have, however, already been proof-of-concept exploits developed by security researchers. Which likely means it is only a matter of time, a very short period of time at that, before unpatched systems start being exploited by attackers.

 

What you need to do now

The good news for Windows 10 users is, assuming you have automatic updates enabled, no further action will be required as the system will apply the patch to protect against any exploit of this critical vulnerability. However, if automatic updates are disabled, then you will need to update manually and as soon as possible. Microsoft said that it's important to note that the KB4551762 update needs to be applied even if you installed the Patch Tuesday updates. Likewise, if you implemented the workaround measures to disable SMBv3 compression in Microsoft Security Advisory ADV200005, you still need to install this out of band update. If you cannot apply the update, then that workaround is still recommended for organization admins who should also block TCP port 445 at the network perimeter. Everyone else should use Windows Update to check for updates and kick-start the installation process if required or download the KB4551762 update patch directly from the Microsoft update catalog.

 

Which versions of Windows are affected?

 

The following versions of Windows 10 are impacted by this vulnerability:

  •    Windows 10 Version 1903 for 32-bit Systems
  •    Windows 10 Version 1903 for ARM64-based Systems
  •    Windows 10 Version 1903 for x64-based Systems
  •    Windows 10 Version 1909 for 32-bit Systems
  •    Windows 10 Version 1909 for ARM64-based Systems
  •    Windows 10 Version 1909 for x64-based Systems

And also:

  •    Windows Server, version 1903 (Server Core installation)
  •    Windows Server, version 1909 (Server Core installation)

 

Source

 

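The remediation rules from the article above (KB4551762 is needed even when the Patch Tuesday updates or the ADV200005 workaround are already in place, and only the listed 1903/1909 editions are affected), applied to a host inventory. This is an added example, not part of the original post; the `Host` record, its field names, the product labels and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

FIX_KB = "KB4551762"                  # out-of-band update named in the article
AFFECTED_VERSIONS = {"1903", "1909"}  # versions in the article's affected list
# Product labels are assumed inventory values; Full Server is absent from the list.
AFFECTED_PRODUCTS = {"Windows 10", "Windows Server (Server Core)"}
PRIORITY = {"exposed": 0, "mitigated": 1, "patched": 2, "not-affected": 3}

@dataclass
class Host:
    name: str
    product: str
    version: str
    installed_kbs: set = field(default_factory=set)
    smb_compression_disabled: bool = False  # ADV200005 workaround applied
    tcp445_blocked_at_perimeter: bool = False

def triage(host):
    """Return (status, action) for one inventory record."""
    if host.product not in AFFECTED_PRODUCTS or host.version not in AFFECTED_VERSIONS:
        return "not-affected", "none"
    if FIX_KB in host.installed_kbs:
        return "patched", "none"  # workaround state no longer matters
    todo = [f"install {FIX_KB}"]
    if not host.tcp445_blocked_at_perimeter:
        todo.append("block TCP 445 at the perimeter")
    if host.smb_compression_disabled:
        return "mitigated", "; ".join(todo)
    todo.append("disable SMBv3 compression (ADV200005) until patched")
    return "exposed", "; ".join(todo)

def report(hosts):
    """Sort hosts so the ones needing action first come out on top."""
    rows = [(h.name, *triage(h)) for h in hosts]
    return sorted(rows, key=lambda r: (PRIORITY[r[1]], r[0]))

# Constructed inventory; KB0000000 stands in for the earlier Patch Tuesday update.
INVENTORY = [
    Host("ws-01", "Windows 10", "1909", {"KB0000000"}),
    Host("ws-02", "Windows 10", "1903", {"KB0000000", FIX_KB}),
    Host("srv-01", "Windows Server (Server Core)", "1909", set(), True, True),
    Host("ws-03", "Windows 10", "1809", {"KB0000000"}),
]

if __name__ == "__main__":
    for name, status, action in report(INVENTORY):
        print(f"{name:8} {status:13} {action}")
```

An inventory that records only KB ids will flag hosts that received the fix through a later cumulative update, so treat an "exposed" result as a prompt to check the host rather than as proof.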



Widespread reports of problems with the second March Win10 cumulative update, KB 4551762, the SMBv3 patch

I was afraid this would happen. When Microsoft releases two security patches back-to-back, it’s rare that the second patch goes in without problems.

 

I’m seeing lots of reports with problems with Thursday’s post-Patch-Tuesday cumulative update, KB 4551762.

 

Günter Born kicked off the discussion on Borncity with Windows 10: KB4551762 causes errors 0x800f0988 and 0x800f0900.

 

Mayank Parmar at Windows Latest has more complaint reports — and they’re extensive:

  • The aforementioned errors on installation
  • Random reboots
  • Performance hits (which are always hard to verify)

People who already have installation issues will be lucky enough to have Windows to automatically repair the patch is manually removed. Alternatively, some will have to undergo the recovery process and reinstall their Windows 10 copy if the PC remains slow and buggy.

We’re also getting lots of reports about the new cumulative update zapping user profiles, just like the original Patch Tuesday patch and last month’s cumulative update.

 

There are no in-the-wild exploits of the SMBv3 security hole, although there are many Proof of Concept demos. Kevin Beaumont has tried and failed to crack it in a meaningful way. We’ve had a couple of anonymous posts that point to other potential problems, but I haven’t seen any of them in the real world.

 

Finally, @Alex5723 notes that MS has changed the Knowledge Base article associated with the patch, with a worthwhile inclusion:

SMB Compression is not yet used by Windows or Windows Server, and disabling SMB Compression has no negative performance impact.

Microsoft also inserted a clarification (for Dummies like me!) explaining why the Server Core versions are the ones affected.

 

‘Softie Nate Warfield tweeted:

Full Server is not released as part of the Windows Semi-Annual Channel releases; only Server Core.

 

As such, Full Server is not affected, only the listed Server Core editions.

Which is what numerous people told me here on the forum. Thanks, all!

 

We’re still at MS-DEFCON 2.

 

 

Source: Widespread reports of problems with the second March Win10 cumulative update, KB 4551762, the SMBv3 patch (AskWoody - Woody Leonhard)



Dear @Karlston,

Thanks for merging my post with yours.

I knew prior to posting mine, that there was already one by you on the same topic, though with a slightly different narrative.

My problem was that I didn't know as how to append mine with yours in succession.

Is there a way really where one can resort to this kind of posting?

Please guide considering me as a newbie.

Thanks for your engagement with so many of my earlier posts too. 



22 minutes ago, duddy said:

Thanks for merging my post with yours.

 

In this topic I just added a reply, no merging here :)

 

22 minutes ago, duddy said:

My problem was that I didn't know as how to append mine with yours in succession.

 

Just add a reply to the existing topic, though because topic posts are sorted chronologically (oldest at top, newest at bottom) there's no guarantee they will be adjacent.



16 hours ago, Karlston said:

 

In this topic I just added a reply, no merging here :)

 

 

Just add a reply to the existing topic, though because topic posts are sorted chronologically (oldest at top, newest at bottom) there's no guarantee they will be adjacent.

OK. Nice, @Karlston bro.

What I learnt anew is that one can add his post as a reply to another post too, with one disadvantage though, that it won't be possible to add 'Tags' in such a reply post.

Addition of posts chronologically would certainly rule out the possibility of any two specific posts being adjacent just in case there is another third post that got posted in-between the two with respect to time point. That I understand well. Thanks for your engagement to bail me out. 

 


