WTF is happening with Windows 10? And nothing else
-
@levicki You can. It's not difficult.
-
@Mason_Wheeler Not with the intuitive method: on the article it says
Comments are closed.
-
@JBert No it doesn't. I just added one!
-
@Mason_Wheeler Did you follow the link I posted? You replied to the newest article, not the old one.
-
@JBert You're right.
Yeah, comments close on old articles fairly quickly.
-
@levicki said in WTF is happening with Windows 10? And nothing else:
WTF #3 -- not forcing DLL directory to %SystemRoot%\System32 to avoid DLL hijacking attacks for security critical tools such as signtool.exe.
Eh
This seems like one of those "airtight hatchway" issues. If some malicious hacker can replace a DLL in the exe's folder with their own version, you're already pwned. Unless signtool.exe acts like Chrome by default and installs itself to AppData or something.
-
@Mason_Wheeler said in WTF is happening with Windows 10? And nothing else:
@JBert You're right.
Yeah, comments close on old articles fairly quickly.
I thought it was just articles that were imported from the old version of the site. IIRC they updated it last year or something.
-
@levicki said in WTF is happening with Windows 10? And nothing else:
But if the security critical application (which signtool.exe definitely is because it is dealing with your private RSA keys for code signing) enforced DLL loading from C:\Windows\system32, then a hacker would have to overcome the TrustedInstaller permissions and replace a DLL which by the way is probably in use by dozen of system processes and thus locked and replacing it requires a reboot, which is a considerable hurdle to overcome even with admin rights and is much more noticeable, not to mention that it would have been repaired right away by first system integrity check or failing that, an update to said DLL.
Ok, so instead of loading a DLL sitting next to the executable in its folder, it would only load the system32 version. But if the attacker has enough access to replace a DLL in the same folder as the exe, they can just as easily replace the exe itself and wouldn't need to worry about any DLL anyway.
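A defender-side check that fits the DLL hijacking discussion above: the script below (an added example, not code from any poster) lists the modules a running process has loaded from outside the Windows directory, which is where a DLL planted next to the EXE would show up. The process name is a parameter; `signtool` is only a default.

```powershell
# Added example: flag DLLs a process loaded from outside $env:SystemRoot.
# Assumes you run it in the same bitness as the target process; reading
# another user's process modules may also require an elevated session.
param([string]$ProcessName = 'signtool')

$systemRoot = $env:SystemRoot
$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Warning "No running process named '$ProcessName'"
    return
}

foreach ($p in $procs) {
    $exeDir = Split-Path -Parent $p.Path
    foreach ($m in $p.Modules) {
        $path = $m.FileName
        # Anything under %SystemRoot% is what the system32-only policy would allow.
        $inWindows = $path.StartsWith($systemRoot, [System.StringComparison]::OrdinalIgnoreCase)
        if ($inWindows) { continue }

        # A module sitting in the EXE's own folder is the classic hijack location;
        # the Authenticode status tells you whether it is at least vendor-signed.
        [PSCustomObject]@{
            Pid       = $p.Id
            Module    = $m.ModuleName
            Path      = $path
            BesideExe = ((Split-Path -Parent $path) -ieq $exeDir)
            Signed    = (Get-AuthenticodeSignature -FilePath $path).Status
        }
    }
}
```

An empty result means every loaded module came from under the Windows directory; rows with BesideExe = True and Signed not equal to Valid are the ones worth a closer look.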
-
Also,
@levicki said in WTF is happening with Windows 10? And nothing else:
Even browsers have higher security standards.
Chrome installs itself into AppData, to avoid having to elevate to update itself.
-
@hungrier said in WTF is happening with Windows 10? And nothing else:
@levicki said in WTF is happening with Windows 10? And nothing else:
But if the security critical application (which signtool.exe definitely is because it is dealing with your private RSA keys for code signing) enforced DLL loading from C:\Windows\system32, then a hacker would have to overcome the TrustedInstaller permissions and replace a DLL which by the way is probably in use by dozen of system processes and thus locked and replacing it requires a reboot, which is a considerable hurdle to overcome even with admin rights and is much more noticeable, not to mention that it would have been repaired right away by first system integrity check or failing that, an update to said DLL.
Ok, so instead of loading a DLL sitting next to the executable in its folder, it would only load the system32 version. But if the attacker has enough access to replace a DLL in the same folder as the exe, they can just as easily replace the exe itself and wouldn't need to worry about any DLL anyway.
To replace that DLL next to signtool, they would have to elevate (since it's in Program Files). Not sure how file/directory permissions end up if you install to some non-default location...
-
@dcon Right, and that was my point. If the attacker has the capability to replace or modify the DLL, they can just as easily replace the EXE or pwn the system in any other way
-
@Mason_Wheeler said in WTF is happening with Windows 10? And nothing else:
Yeah, comments close on old articles fairly quickly.
That's unfortunately necessary on many blogs. Otherwise they get overrun with spam.
-
@hungrier said in WTF is happening with Windows 10? And nothing else:
Ok, so instead of loading a DLL sitting next to the executable in its folder, it would only load the system32 version. But if the attacker has enough access to replace a DLL in the same folder as the exe, they can just as easily replace the exe itself and wouldn't need to worry about any DLL anyway.
Just move signtool.exe into system32.
-
@dkf said in WTF is happening with Windows 10? And nothing else:
@Mason_Wheeler said in WTF is happening with Windows 10? And nothing else:
Yeah, comments close on old articles fairly quickly.
That's unfortunately necessary on many blogs. Otherwise they get overrun with ~~spam~~ comments.
-
@hungrier said in WTF is happening with Windows 10? And nothing else:
Chrome installs itself into AppData, to avoid having to elevate to update itself.
But Firefox, installed into Program Files, can update itself just fine without needing to elevate too.
-
@Atazhaia said in WTF is happening with Windows 10? And nothing else:
@hungrier said in WTF is happening with Windows 10? And nothing else:
Chrome installs itself into AppData, to avoid having to elevate to update itself.
But Firefox, installed into Program Files, can update itself just fine without needing to elevate too.
Ha! It installs a program that runs as admin so that can do the installs. Hence, I always do a custom install and turn that shit off.
-
@Atazhaia said in WTF is happening with Windows 10? And nothing else:
But Firefox, installed into Program Files, can update itself just fine without needing to elevate too.
It's handled by the "Mozilla Maintenance Service" which runs as Local System.
edit:
-
@levicki said in WTF is happening with Windows 10? And nothing else:
And which I never install.
That must be why you're still running Firefox 42
Oh, wait... wrong guy
-
-
@TimeBandit said in WTF is happening with Windows 10? And nothing else:
The vulnerability exists in version 3.1.1 of the Server Message Block, the service that’s used to share files, printers, and other resources on local networks and over the Internet.
Letting such a protocol access the internet seems like a profoundly bad idea.
-
@TimeBandit said in WTF is happening with Windows 10? And nothing else:
Haha! Suckers!
The flaw, which is tracked as CVE-2020-0796, affects Windows 10, versions 1903 and 1909
@boomzilla said in WTF is happening with Windows 10? And nothing else:
Getting updated to 1809 as I post.
-
@levicki
1903, obviously.
-
@boomzilla said in WTF is happening with Windows 10? And nothing else:
@levicki 1903, obviously.
1909 fixes it by stopping Windows from booting.
-
-
@levicki
- susceptible-versions: ["1903","1909"] + susceptible-versions: ["1809"]
-
Attention needed? Huh... *click*
Oh... guess Windows Update just wanted some attention.
-
@LB_ I think they're doing A/B-testing on that one. My Surface Book has that top bar, my desktop does not. Both at the same update level.
-
@Rhywden said in WTF is happening with Windows 10? And nothing else:
@LB_ I think they're doing A/B-testing on that one. My Surface Book has that top bar, my desktop does not. Both at the same update level.
Yeah, I'm not sure what makes that bar appear. My Insider VM has it but none of my actual machines do.
-
-
VirtualBox is installed. VirtualBox no longer shows up in the Start Menu. Searching "VirtualBox" does a web search instead. I now have to launch VirtualBox by finding the .exe in C:\Program Files.
-
@mott555 VirtualBox is broken on my work laptop. If I start a VM, it errors out with "The process has more than one thread assigned."
-
@mott555 Did you try turning it off and on again?
-
@TimeBandit Yes, as well as uninstalling/reinstalling VirtualBox which didn't work either but is the official recommendation. I found a VirtualBox forum thread with the same error, everyone's demanding "Go away noob and don't come back until you've re-installed VirtualBox like it effing told you to," to which the guy keeps replying "I already did that and it didn't help which is why I'm here you retards!"
Windows 10 and Oracle issues combined...good grief.
-
@mott555 which version of VirtualBox are you ~~running~~ failing to run?
-
@boomzilla 6.1.4
-
@mott555 said in WTF is happening with Windows 10? And nothing else:
@boomzilla 6.1.4
Hmmm...I'm on 6.0.4 but my software center says that 6.1.14 is available. Think I'll hold off on updating for now. Maybe try downgrading? Did you recently upgrade?
-
@boomzilla I haven't done anything. This is a work laptop that hasn't been powered on for 3 - 4 months until this week when I started working from home.
-
@mott555 said in WTF is happening with Windows 10? And nothing else:
when I started working from home.
When all problems tend to appear...
-
@dcon said in WTF is happening with Windows 10? And nothing else:
@mott555 said in WTF is happening with Windows 10? And nothing else:
when I started working from home.
When all problems tend to appear...
Oddly enough, there's a recurring VPN problem at client on their (locked down) hardware that kept happening to me when I remoted in from my job, but so far since starting to work from home on it, it hasn't happened.
-
@levicki Windows Updates die a miserable death because they don't work when you have mandatory full-disk encryption. At worst, they wipe out the disk's bootloader and brick the laptop.
-
@levicki It's something Symantec, I think.
-
I've had the occasional update fail to install (see above) but never had a problem with my bootloader. Maybe different disk encryption?
-
@boomzilla It has to do with some Windows Updates being a full-blown OS upgrade/reinstall. It copies a bunch of stuff to the encrypted C drive, wipes out the bootloader (and decryption software) with the Windows pre-install environment, then everything goes up in flames when it reboots and can't access the encrypted partition anymore.
-
@mott555 hmm...I know the 1809 or whatever that was, was a much more involved process. It put up special wallpaper saying "don't login" or something, along with the company logo and the number for the helpless desk, so obviously corporate IT did something special with the update.
-
@mott555 said in WTF is happening with Windows 10? And nothing else:
@levicki It's something Symantec, I think.
Bitlocker works. Even with dual boot and an encrypted Ubuntu on the other side.
-
@dcon Our IT department sold their souls to Symantec, so Bitlocker's not an option.
-
@levicki said in WTF is happening with Windows 10? And nothing else:
charges $700/yr for an EV code signing certificate
Did they drop their rates? As I recall, ours was $5000 for 3 years.
-
-
@levicki said in WTF is happening with Windows 10? And nothing else:
@mott555 They have been bought by DigiCert. Or was it the other way around? Can't tell, because regular code signing certs which were $220 at DigiCert are now $500, and their once outstanding support now sucks donkey's balls.
At least the donkeys are happier, right?
-
Hey, not bad, that almost looks like KDE Plasma!