Posted on 06/15/2016 6:01:38 PM PDT by Utilizer
Microsoft is today closing off a vulnerability that one Chinese researcher claims has probably the widest impact in the history of Windows. Every version of the Microsoft operating system going back to Windows 95 is affected, leaving anyone still running unsupported operating systems, such as XP, in danger of being surreptitiously surveilled.
According to Yang Yu, founder of Tencent's Xuanwu Lab, the bug can be exploited silently with a near-perfect success rate, as the problems lie in the design of Windows. The ultimate impact? An attacker can hijack all a target's web use, granting the hacker Big Brother power, as soon as the victim opens a link or plugs in a USB stick, claimed Yu. He received $50,000 from Microsoft's bug bounty program for uncovering the weakness, which the researcher has dubbed BadTunnel. Microsoft issued a fix today in its Patch Tuesday list of updates.
"Even security software equipped with active defense mechanisms are not able to detect the attack," Yu told FORBES. "Of course it is capable of execute malicious code on the target system if required."
Yu, who is one of only three ever recipients of more than $100,000 Microsoft bounty, said there are myriad ways a hacker could exploit the flaw. "This vulnerability can be exploited through Edge, Internet Explorer, Microsoft Office and many other third-party software on Windows," Yu added. "It can also be exploited through web servers or even through thumb drives: insert the thumb drive into one of the ports on the system and the exploitation is complete."
(Excerpt) Read more at forbes.com ...
Guys, some of you tangle with windows users, and some of you (I think) have worked on government contracts. There are all kinds of govt. computers which rely on old software due to budget constraints.
I thought I read once that our Aegis cruisers were running on Windows ME. Even if it was entirely a joke, such a thing is too horrible to contemplate.
I miss DOS
I’m going to link to this thread from the one I posted earlier today on the Patch Tuesday updates, since one of those updates fixes this bug.
Problem is, even manual/custom updates will attempt to download the dreaded Windows 10 nagware.
MS really needs to stop letting the marketing dept run the security dept.
I don't think there is any need for any form of NetBIOS to be connected to your network adapter settings, any more.
Some of us have done both, mate. As far as running WinMD (joke) on our cruisers... without revealing any confidential data I am informed that they run a very specialized version of ‘doze (or DOS, depending upon the need) but the civilian equivalent is nowhere near what they do run. So, some dangers do exist but there are protocols in place to mitigate any danger.
Anything other than that readily-available information would be pure speculation on anyone’s part, and there are severe penalties for any person fool enough to discuss our Military’s operational capabilities and practices.
Mrs. Bill’s poor example of security notwithstanding.
I will add for the record that I, of course, have no idea whatsoever what the military does run at any time so any fedgov pukes lurking about need have no worries in that regard.
Some corp networks still utilize some NetBios functions like WoL, but I agree that a normal user should leave it disabled.
I as well. I resisted for the longest time migrating to the ‘doze environment since it was so bloated and sluggish. It seems that there are still some issues that need to be worked out to this day.
(as long as we can reminisce) A group of like minded, but with varied skills would gather on Saturdays.
We never thought ‘computers’ would go anywhere and constantly disparaged that new Microsoft (stole Dos) thing.
Could have bought at $18 share. (yeah, then all the way up to around $75 when we said ... oops).
Good idea, mate, and glad to see you on this thread. Hope you and others find it useful, no doubt.
It could be worse. For instance, I recently acquired a refurb win7 machine for research purposes with w7Home preinstalled and with the valid (I assume) SerNo and RegNo stickers attached from a recognized Microsoft Refurb Agency... and upon bootup the machine promptly stated that it needed to be connected to the internet to validate the installed copy of Win7 or a number needed to be called to speak to a MS rep and get a valid CertNo to verify the installed version or the machine would cease functioning in 30 days.
Needless to say, I was quite displeased. So if I need to use the machine after any given 30-day period I need to reinstall the OS or it simply sits there upon boot-up.
NOT what I bargained for, and I think we are fortunate that MS has not yet done the same thing for anyone who does not install their vaunted “upgrade”.
Then again, it may be only a matter of time...
“turning off NetBIOS over TCP/IP”
I remember doing that- on advice -back in W3!
It gets even worse than that :
US military uses 8-inch floppy disks to coordinate nuclear force operations
“I miss DOS”
yeah, the great thing about DOS was it couldn’t be connected to the Internet, so it was totally hackproof, not to mention it would be pointless to hack a device that couldn’t phone home.
Also, DOS was good for writing snail-mail letters and any other task whose results you could print on paper and put in a filing cabinet.
here’s the correct link:
*laugh* You might be surprised at how many coders I know to this day who STILL hate little Billy Gates and his “proprietary” code, and openly sneer at how he not only blatantly stole the whole GUI concept entirely and got away with it, but as the years progressed when any other great program would come out he would either try to produce an equivalent product and then muscle them out of the market or outright buy them out and either remarket it as an MS product or sit on it to make it disappear.
I was forced to switch to ‘doze at the 3.1-3.11 transitional level since the new workplace demanded it, but I (and we) were never too thrilled about it.
Now so many things are ‘doze-dependent and malware has become a constant concern.
It’s a whole new Matrix. :)
Somehow, the link I originally posted for this thread no longer points to the correct article, I am not certain why.
Please change the pointers in the beginning of the thread to point to where the article is currently:
Thanks in advance.