Standard User Oliver341
(eat-sleep-adslguide) Wed 17-May-17 15:20:01

Re: What's the URL of the latest Windows Update website?


[re: ian72] [link to this post]
 
In reply to a post by ian72:
I do not believe that is the route it got in - far more likely it was via malware on a website or a phishing email but at this point they haven't found the root cause.

That still wouldn't explain why so many networks got infected within a short space of time.

Oliver.
Standard User ian72
(eat-sleep-adslguide) Wed 17-May-17 15:58:51

Re: What's the URL of the latest Windows Update website?


[re: Oliver341] [link to this post]
 
What you don't know is how long the infection was in the wild before it activated. It may have been distributing for a month before it activated the payload.
Standard User meditator
(fountain of knowledge) Wed 17-May-17 17:38:00

Re: What's the URL of the latest Windows Update website?


[re: caffn8me] [link to this post]
 
Banger and caffn8me,

Although the other day, on my WinXP machine, I downloaded that patch with the long alphanumeric string in its filename, I've not installed it yet. Call me paranoid if you like but I've had an uneasy feeling about it from the outset.

Doing a bit of background research on the patch (using my Mac), I've discovered in a Microsoft Answers forum that - apparently - lots of people with XP SP3 x86 machines have been experiencing failures of this file to install, and word has it that, at the catalog site, Microsoft has posted up the wrong file. (Here, we're talking about the one that's near the top of that catalog list). Whereas XP SP3 x86 machines require a file that suits a non-embedded SP3, the version that Microsoft's posted on the site for that is, so everybody seems to think, the embedded version. Consequently, when people try to install the file it fails and they get the message "The version of Windows does not match the update you're trying to install".

Others in the Microsoft Answers forum maintain that if instead of using the catalog site you use the XP SP3 x86 link tucked away with others in the blogs.technet.microsoft.com article, you get the correct file. It's one without a whopping great alphanumeric string in its title.

At the catalog site there are at least three different versions of the patch made available for WinXP SP3 x86 (32-bit): a non-embedded version, an embedded version, and a POS (commercial upgrade) version. There's also a 64-bit version there. But it seems that Microsoft's dropped a clanger and got some of them mixed up, and now nobody's quite sure which one they should download and use. Indeed, there's now just as much doubt cast on the blogs.technet version. The link on the blogs.technet page renders you just one, single short-named file, which if you look at its details is apparently good for all versions of XP SP3.

Why on earth can't people be more precise about these things?! Accuracy is all-important. And it surely isn't rocket science to post the correct patch for the particular version, is it? So much for the 'emergency wonder patch' that the media's been raving about since Saturday; the facts don't fit the media hype. I for one will not be installing the patch until such time that it's 100% certain which one it is!


Standard User Oliver341
(eat-sleep-adslguide) Wed 17-May-17 18:36:28

Re: What's the URL of the latest Windows Update website?


[re: ian72] [link to this post]
 
In reply to a post by ian72:
It may have been distributing for a month before it activated the payload.

Maybe, although there seems to be no evidence of that.

There is evidence, however, that over 1 million devices have port 445 listening to the internet, over 800,000 of which are Windows devices, 30% of which are estimated to be vulnerable to WannaCry: https://community.rapid7.com/community/infosec/blog/...

Oliver.
Standard User David_W
(knowledge is power) Thu 18-May-17 07:39:07

Re: What's the URL of the latest Windows Update website?


[re: ian72] [link to this post]
 
In reply to a post by ian72:
It is possible but I think unlikely that most of these large organisations would have punched holes in their firewalls to allow SMB in. I do not believe that is the route it got in - far more likely it was via malware on a website or a phishing email but at this point they haven't found the root cause.

I agree this is more likely correct - original infection via an e-mail attachment or web download, then propagation over SMB.



ZeN Unlimited Fibre 2 with native IPv6
Standard User meditator
(fountain of knowledge) Thu 18-May-17 12:04:37

Re: What's the URL of the latest Windows Update website?


[re: meditator] [link to this post]
 
I don't know if Microsoft have been reacting to criticism over the precision of the patch version but when I now look at the link for the WinXP SP3 x86 patch on the blogs.technet site what you get given is the file version with the long alphanumeric string. This is the same filename you get if you choose the non-embedded WinXP SP3 at the catalog site and which, it is claimed, fails to install on WinXP SP3 x86 machines. However, if you download the patch from yet a third site - the MS Downloads site - you get a filename without the long string, and by inference that's a version that suits all versions of XP SP3 (which in all probability it doesn't).
Standard User Oliver341
(eat-sleep-adslguide) Thu 18-May-17 13:04:18

Re: What's the URL of the latest Windows Update website?


[re: David_W] [link to this post]
 
In reply to a post by David_W:
agree this is more likely correct - original infection via an e-mail attachment or web download, then propagation over SMB.

I agree it's likely patient zero was infected in this way. I was talking about how other, unrelated networks became infected so rapidly, which seems to be due to their exploitable SMB ports listening to the internet.

Oliver.
Standard User ian72
(eat-sleep-adslguide) Thu 18-May-17 13:25:55

Re: What's the URL of the latest Windows Update website?


[re: Oliver341] [link to this post]
 
I still don't believe that most of those big organisations had their firewalls configured to allow SMB traffic inbound from random Internet addresses.
Standard User Oliver341
(eat-sleep-adslguide) Thu 18-May-17 14:02:31

Re: What's the URL of the latest Windows Update website?


[re: ian72] [link to this post]
 
I think it's very possible, and it only takes one machine/firewall to be configured poorly on a huge network to expose the rest of the network.

On a similar note, at ISP-level for instance, all Sky Hubs listen to the whole of the internet on port 30005, and we've already seen CWMP/TR-069 exploits on D-Link routers. Obviously that port should be firewalled to only accept packets from safe IP addresses, but it's not.

One for Sky Hub users: https://www.grc.com/x/portprobe=30005

Oliver.
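
An added example, not part of any post in this thread: one way to check from your own firewall logs whether the two ports discussed above (SMB on 445, CWMP/TR-069 on 30005) are accepting connections from outside an allowlist. The log format, the allowlisted ranges and every address are constructed for illustration (documentation ranges only).

```python
import ipaddress

# Ports named in the thread: SMB (445) and the CWMP/TR-069 port (30005).
WATCHED_PORTS = {445: "SMB", 30005: "CWMP/TR-069"}

# Assumed allowlist per port; these ranges are placeholders, not real servers.
ALLOWED_SOURCES = {
    445: [ipaddress.ip_network("10.0.0.0/8")],         # internal LAN only
    30005: [ipaddress.ip_network("198.51.100.0/28")],  # hypothetical ISP management range
}

# Constructed sample log: timestamp action proto src_ip src_port dst_ip dst_port
SAMPLE_LOG = """\
2017-05-18T08:01:10 ALLOW TCP 10.1.2.3 49152 10.1.2.9 445
2017-05-18T08:01:12 ALLOW TCP 203.0.113.77 51000 192.0.2.10 445
2017-05-18T08:01:15 DROP TCP 203.0.113.80 51001 192.0.2.10 445
2017-05-18T08:02:00 ALLOW TCP 198.51.100.5 40000 192.0.2.10 30005
2017-05-18T08:02:30 ALLOW TCP 203.0.113.99 40001 192.0.2.10 30005
2017-05-18T08:03:00 ALLOW TCP 203.0.113.99 40002 192.0.2.10 443
garbage line
"""

def find_exposed(log_text):
    """Return (timestamp, service, src_ip) for every accepted TCP connection
    to a watched port whose source is outside that port's allowlist."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # skip malformed lines instead of failing the audit
        ts, action, proto, src, _sport, _dst, dport = fields
        if action != "ALLOW" or proto != "TCP" or not dport.isdigit():
            continue
        port = int(dport)
        if port not in WATCHED_PORTS:
            continue
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue
        if not any(src_ip in net for net in ALLOWED_SOURCES[port]):
            findings.append((ts, WATCHED_PORTS[port], src))
    return findings

if __name__ == "__main__":
    for ts, service, src in find_exposed(SAMPLE_LOG):
        print(f"{ts} {service} accepted from non-allowlisted source {src}")
```

Any finding means the firewall accepted a connection that the allowlist says it should have dropped; dropped attempts are ignored because they show the rule working.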
Standard User ian72
(eat-sleep-adslguide) Thu 18-May-17 14:22:46

Re: What's the URL of the latest Windows Update website?


[re: Oliver341] [link to this post]
 
Most of the sites hit we are talking about are going to be running industry grade firewalls that will by default have everything incoming closed. Opening a port to the whole Internet for SMB is a somewhat unusual move to make in that sort of environment.