A Windows Vulnerability Reported by the NSA Was Exploited To Install Russian Malware (arstechnica.com) 17
"Kremlin-backed hackers have been exploiting a critical Microsoft vulnerability for four years," Ars Technica reported this week, "in attacks that targeted a vast array of organizations with a previously undocumented tool, the software maker disclosed Monday.
"When Microsoft patched the vulnerability in October 2022 — at least two years after it came under attack by the Russian hackers — the company made no mention that it was under active exploitation." As of publication, the company's advisory still made no mention of the in-the-wild targeting. Windows users frequently prioritize the installation of patches based on whether a vulnerability is likely to be exploited in real-world attacks.
Exploiting CVE-2022-38028, as the vulnerability is tracked, allows attackers to gain system privileges, the highest available in Windows, when combined with a separate exploit. Exploiting the flaw, which carries a 7.8 severity rating out of a possible 10, requires low existing privileges and little complexity. It resides in the Windows print spooler, a printer-management component that has harbored previous critical zero-days. Microsoft said at the time that it learned of the vulnerability from the US National Security Agency... Since as early as April 2019, Forest Blizzard has been exploiting CVE-2022-38028 in attacks that, once system privileges are acquired, use a previously undocumented tool that Microsoft calls GooseEgg. The post-exploitation malware elevates privileges within a compromised system and goes on to provide a simple interface for installing additional pieces of malware that also run with system privileges. This additional malware, which includes credential stealers and tools for moving laterally through a compromised network, can be customized for each target.
"While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks," Microsoft officials wrote.
Thanks to Slashdot reader echo123 for sharing the news.
"When Microsoft patched the vulnerability in October 2022 — at least two years after it came under attack by the Russian hackers — the company made no mention that it was under active exploitation." As of publication, the company's advisory still made no mention of the in-the-wild targeting. Windows users frequently prioritize the installation of patches based on whether a vulnerability is likely to be exploited in real-world attacks.
Exploiting CVE-2022-38028, as the vulnerability is tracked, allows attackers to gain system privileges, the highest available in Windows, when combined with a separate exploit. Exploiting the flaw, which carries a 7.8 severity rating out of a possible 10, requires low existing privileges and little complexity. It resides in the Windows print spooler, a printer-management component that has harbored previous critical zero-days. Microsoft said at the time that it learned of the vulnerability from the US National Security Agency... Since as early as April 2019, Forest Blizzard has been exploiting CVE-2022-38028 in attacks that, once system privileges are acquired, use a previously undocumented tool that Microsoft calls GooseEgg. The post-exploitation malware elevates privileges within a compromised system and goes on to provide a simple interface for installing additional pieces of malware that also run with system privileges. This additional malware, which includes credential stealers and tools for moving laterally through a compromised network, can be customized for each target.
"While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks," Microsoft officials wrote.
Thanks to Slashdot reader echo123 for sharing the news.
Shame on Microsoft (Score:5, Insightful)
Re:Shame on Microsoft (Score:4, Insightful)
The "shame on you" phase is long, long over for Microsoft. Now it is "shame on me for using that crap"...
I still haven't been able to install... (Score:5, Insightful)
As a security update is was designed to plug a few security holes and likely came with documentation of some sort. This means that microsoft sent out a memo with a list of vulnerabilities in windows 10 and then served an update THAT ISNT ABLE TO PATCH THOSE VULNERABILITIES.
Microsoft is a data theft cartel. Windows is spyware. Tech has broken bad and let the mask slip. This is pure villainy.
Re: (Score:2)
I still haven't been able to install the 2024-01 Security Update. It's been several months and this update just doesn't seem to work. And my machine doesn't seem like an isolated incident. This update doesn't seem to be working for most people
Isn't this the one where you have to dork around with diskpart for half an hour to resize your recovery partition before it'll install? Yeah, the average end-user is gonna do that.
Re: (Score:2)
I still haven't been able to install the 2024-01 Security Update. It's been several months and this update just doesn't seem to work. And my machine doesn't seem like an isolated incident. This update doesn't seem to be working for most people
Isn't this the one where you have to dork around with diskpart for half an hour to resize your recovery partition before it'll install? Yeah, the average end-user is gonna do that.
While the issue with the recovery partition running out of space and preventing application of the patch is indeed annoying, I suspect the "average" user isn't going to be running on such a small hard drive that it's an issue. The only place I have seen it is on small (disk) sized virtual machine images. The average user is unlikely to be running Windows as a VM or on a machine that has had the OS upgraded many times (and has an ancient, small recovery partition).
For the GP, what size of hard disk (virtual
Re:I still haven't been able to install... (Score:4, Informative)
While the issue with the recovery partition running out of space and preventing application of the patch is indeed annoying, I suspect the "average" user isn't going to be running on such a small hard drive that it's an issue. The only place I have seen it is on small (disk) sized virtual machine images. The average user is unlikely to be running Windows as a VM or on a machine that has had the OS upgraded many times (and has an ancient, small recovery partition).
For the GP, what size of hard disk (virtual or otherwise) do you have Windows on? I am curious to know if this occurs on "typically" sized Windows installs.
The problem isn't hard drive space it's that the recovery partition created by **DEFAULT** by Microsoft was no longer big enough. To fix you have to mount the partition (mountvol z: /s) and delete about 20 megs of useless files, from what I remember MS recommended one of the font folders. You can't just repartition because by default the C drive is the very next and there is no such thing as shrink left using Microsoft tools. Otherwise you have to use GPartd or some such.
Absolutely bonkers that Microsoft isn't properly addressing this problem. It's not like people intentionally made the recovery partition too small or don't have a big enough disk space. This is 100% Microsoft's fault.
Re: (Score:2)
And MS wants its users do the technical instructions to fix it. Hahaha.
Re: (Score:2)
I still haven't been able to install the 2024-01 Security Update. It's been several months and this update just doesn't seem to work. And my machine doesn't seem like an isolated incident. This update doesn't seem to be working for most people As a security update is was designed to plug a few security holes and likely came with documentation of some sort. This means that microsoft sent out a memo with a list of vulnerabilities in windows 10 and then served an update THAT ISNT ABLE TO PATCH THOSE VULNERABILITIES. Microsoft is a data theft cartel. Windows is spyware. Tech has broken bad and let the mask slip. This is pure villainy.
It it breaks your computer, it is very secure.
Re: (Score:2)
Surprise! (Score:2, Insightful)
Windoze is insecure and broken.
Water is wet.
Film at 11.
Re: (Score:1)
So get a Mac then, dumbfuck. Only morons think running Windoze is a good idea.
Micro$hit hasn't ever been able to write a good OS. Shit, they can't even write an OS, they had to buy DOS, and that was a bad rip-off of CP/M.
Possible criminal negligence? (Score:4, Interesting)
If a manufacturer knows that a system has a specific defect that makes it dangerous to use in certain contexts, it is usually obliged by law to report those circumstances. The license agreement is not necessarily considered legally binding or protective where there is a case of wilful neglect. Deliberate actions are not treated the same as lack of awareness or even negligence. But even negligence may be treated unsympathetically by the courts, no matter what customers sign up to.
Given that this defect could have left exposed critical infrastructure, banks, and businesses whose work is in the national interest, one might even be able to argue a case that this gave succour to hostile powers.
The most probable outcome is nothing happening. Companies are risk-averse and Microsoft has expensive lawyers. But a class action suit for wilful endangerment isn't wholly impossible, and I could see the DOJ investigating whether laws were broken, but only after the election.
sigh, no (Score:4, Informative)
Windows users frequently prioritize the installation of patches based on whether a vulnerability is likely to be exploited in real-world attacks.
No. You prioritize patches on risk.
If there is an exploit in a service, feature, or program that I don't have running or installed, then that patch will be deprioritized completely unrelated to if it is being exploited in the wild or not.
If the exploit only requires software present in the base install, then it will be prioritized completely unrelated to if it is currently being exploited in the wild.
I'm not going to wait until after we discover people using an exploit and its too late.
I will wait however if the nature of the exploit can't effect me.
This is also why different people have different patch priorities. It is all based on use case.