Security Week 23: Notepad vulnerability, a million systems with unpatched RDP
Notepad in Windows is an island of stability amidst the orgy of progress. An application that never fails. The Notepad functionality has hardly changed in the 34 years of its existence (unless the limits on the size of the documents being opened were raised), and the design of the current version is not much different from the version for Windows 3.0. Expanding the functionality of a large office suite Microsoft has led to the emergence of a mass of vulnerabilities, and against this background minimalistic Notepad seems to be the epitome of security.
Not anymore. Researcher Tavis Ormandy of the Google Project Zero team found a vulnerability in Notepad leading to the execution of arbitrary code. The real danger of a problem is still difficult to assess: details are not disclosed until the release of the patch. Ormandy himself believes that the bug is serious, other experts doubt that there is a real threat. True, their score is based on the only screenshot Tavis provided, so it’s still worth waiting for a full description. But the fact itself!
The researcher was able to implement a memory corruption script in Notepad, leading to the execution of arbitrary code. It can be assumed that the real attack involves sending a prepared text file that needs to be opened using the program. With what rights this code will be executed and how then the attack can develop - it is not yet clear. Tavis suggested that he was the first to successfully open the console from Notepad. Chaouki Bekrar, the founder of the resale exploit company Zerodium, claims that exploits for Notepad already exist, but information about them has not been published.
There is a possibility that the bug will be fixed on June 11, when Microsoft releases the next monthly set of patches. By the way, previous patches covered a much more serious vulnerability in Remote Desktop Services, known as BlueKeep . We wrote more about it in this digest and in this news. Vulnerability allows you to gain full access to the device with Windows when three conditions are met: the ability to establish a RDP connection, the absence of a patch, and the disabled Network Level Authentication .
')
Rob Gram from Errata Security was able to estimate the number of vulnerable systems available from the Internet: more than a million turned out ( news , article by Rob). A self-written utility was used for scanning, which found network nodes with an open RDP port (3389) and evaluated their properties.
A total of 7.6 million open port systems were found. Of these, the majority (53%) either did not respond to requests, or responded using the HTTP protocol, or dropped the connection. 34% of the systems are either patched or use network authentication. 16% of computers or 1.2 million are most likely vulnerable. Access to them can be obtained without the administrator's knowledge, exploiting Bluekeep. Unfortunately, cybercriminals will definitely take advantage (if they have not already used it) of such a large base of vulnerable devices. If your computer is accessible from outside for some reason, you should definitely turn on NLA or upgrade the system (patches are released for all OS up to Windows XP). It is advisable to do one thing and another and once again evaluate: is it really necessary to access computers outside the protected perimeter.
Disclaimer: The opinions expressed in this digest may not coincide with the official position of Kaspersky Lab. Dear editors generally recommend to treat any opinions with healthy skepticism.
Not anymore. Researcher Tavis Ormandy of the Google Project Zero team found a vulnerability in Notepad leading to the execution of arbitrary code. The real danger of a problem is still difficult to assess: details are not disclosed until the release of the patch. Ormandy himself believes that the bug is serious, other experts doubt that there is a real threat. True, their score is based on the only screenshot Tavis provided, so it’s still worth waiting for a full description. But the fact itself!
The researcher was able to implement a memory corruption script in Notepad, leading to the execution of arbitrary code. It can be assumed that the real attack involves sending a prepared text file that needs to be opened using the program. With what rights this code will be executed and how then the attack can develop - it is not yet clear. Tavis suggested that he was the first to successfully open the console from Notepad. Chaouki Bekrar, the founder of the resale exploit company Zerodium, claims that exploits for Notepad already exist, but information about them has not been published.
There is a possibility that the bug will be fixed on June 11, when Microsoft releases the next monthly set of patches. By the way, previous patches covered a much more serious vulnerability in Remote Desktop Services, known as BlueKeep . We wrote more about it in this digest and in this news. Vulnerability allows you to gain full access to the device with Windows when three conditions are met: the ability to establish a RDP connection, the absence of a patch, and the disabled Network Level Authentication .
')
Rob Gram from Errata Security was able to estimate the number of vulnerable systems available from the Internet: more than a million turned out ( news , article by Rob). A self-written utility was used for scanning, which found network nodes with an open RDP port (3389) and evaluated their properties.
A total of 7.6 million open port systems were found. Of these, the majority (53%) either did not respond to requests, or responded using the HTTP protocol, or dropped the connection. 34% of the systems are either patched or use network authentication. 16% of computers or 1.2 million are most likely vulnerable. Access to them can be obtained without the administrator's knowledge, exploiting Bluekeep. Unfortunately, cybercriminals will definitely take advantage (if they have not already used it) of such a large base of vulnerable devices. If your computer is accessible from outside for some reason, you should definitely turn on NLA or upgrade the system (patches are released for all OS up to Windows XP). It is advisable to do one thing and another and once again evaluate: is it really necessary to access computers outside the protected perimeter.
Disclaimer: The opinions expressed in this digest may not coincide with the official position of Kaspersky Lab. Dear editors generally recommend to treat any opinions with healthy skepticism.
Source: https://habr.com/ru/post/454634/
All Articles