back to article Microsoft has a workaround for 'HiveNightmare' flaw: Nuke your shadow copies from orbit

After setting the "days since a security cock-up" counter back to zero, Microsoft has published an official workaround for its Access Control Lists (ACLs) vulnerability (CVE-2021-36934). The solution? Use the icacls command to deal with the permissions set for the contents of system32\config, which are at the root of the …

  1. Anonymous Coward
    Anonymous Coward

    That counter must be bored.

    It finally manages to incriment itself up off zero only to be reset so fast it probably leaves friction burns on its backside. Poor poor counter.

    1. Lee D Silver badge

      Re: That counter must be bored.

      Nah, it just keeps overflowing because they forgot the bounds check, it's only vulnerable one in every 65,535 Windows Updates. So about twice a day.

  2. FuzzyTheBear
    Pint

    Why ?

    This is so dang pathetic. I mean .. i know it's used a lot , targeted a lot , but seems to me Windows is going to loose all credibility and be considered a PlaySchool OS not worthy of serious uses ... oh it already is .. sorry .. time for a cold pint ..

    1. HAL-9000
      Pint

      Re: Why ?

      Have another beer on me, to your good health

    2. ecofeco Silver badge

      Re: Why ?

      No downvotes yet? It appears the fan bois haven't shown up yet.

      1. ecofeco Silver badge

        Re: Why ?

        Ah! There they are! Asleep at the switch as always!

    3. khjohansen
      Pint

      Re: Why ?

      Well it _is_ the workplace OS with the "Xbox Game Bar" installed by default!

  3. Anonymous Coward
    Anonymous Coward

    AC Naturally

    That CVE describes the attack vector as local, so I thought to myself meh... it's a big nothingburger, but wait a minute!!! How can this be described as local:

    The vulnerable component is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or remotely (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., tricking a legitimate user into opening a malicious document)

    I'm so glad they're looking after their customers, imagine how bad it could be if they weren't

    1. Anonymous Coward
      Anonymous Coward

      Re: AC Naturally

      "That CVE describes the attack vector as local, so I thought to myself meh"

      I tend to have the same gut reaction to "local" attacks. Of course, there are also remote access vulnerabilities that are relatively harmless because at least you can't get admin access. Now combine the two and you've got big problems.

      1. J. Cook Silver badge

        Re: AC Naturally

        "Local" attack also means being able to, say, access the admin share on the machine in order to drop a script which leverages the vuln on it and have the machine execute it. Or from a phishing attack. Or any other way of getting the unwitting user to download and execute the payload...

      2. Doctor Syntax Silver badge

        Re: AC Naturally

        All attacks are local for some value of local.

        1. David 132 Silver badge
          Happy

          Re: AC Naturally

          With a sufficiently long USB and display cable, all attacks can be remote.

    2. Ken Hagan Gold badge

      Re: AC Naturally

      It's local in the sense that you need the ability to run code of your choice on the target system. If you've got SSH access or a "willing" accomplice, you've got that. It looks local to me.

      Remote would be "I only need the IP address.".

  4. W.S.Gosset Silver badge

    icacls

    What a magnificently onomatopoeic name for a tool used to mess with user permissions.

    "icacls, yes, yessss, I doooooo, ha harrrrrr *clickety-click*"

  5. W.S.Gosset Silver badge

    all versions of Windows from 1809

    Arrrr yes, by God what a stirring sight it was back then in 1809, those early armadas of square-rigged wooden Windows turning the tables in the war against Napoleon.* Square-rigged, by God! None of these newfangled steam-driven RoundRects.

    And the kids today, throwing around "bights" like Lords ; well let me tell you, back then we counted out every piece of eight like the precious silver bits they were.

    .

    * Or as the Americans nicknamed him: "The Little Chapparal".

    1. IanD

      Re: all versions of Windows from 1809

      Stefan deJobbes was already setting sail with his crew of trusty patent lawyers to claim the land of RoundRects for King Bob Fer'Apples, in conflict with the brigand Sir Gay Brin and his wife Anne Droid. Never more would they make land in the established Port of Headphone.

      1. W.S.Gosset Silver badge

        Re: all versions of Windows from 1809

        Stefan deJobbes and his lieutenant Gassée fought furiously against ALL ports!

  6. Trigun Bronze badge

    Understandably, I suspect Microsoft may be taking their time on this for testing as they don't want to bork everyones credentials access due to rushing out a flawed fix. However, boy do we need that fix as quickly as possible. No pressure! :D.

    1. Anonymous South African Coward Silver badge

      Imagine the first fix they rush out borks world+dog (even Azure) authentication 100% solid.

      Now that will be a nuclear solution to a problem.

      1. Trigun Bronze badge

        They'd have to call it The Fatman Patch in honour of Fallout 3.

  7. Snake Silver badge

    Did the mitigation yesterday on my office workstation

    El Reg is behind 1 day for me :p

    Note that the icacls command line to delete the VSS shadows seems functionally the same as turning off System Restore, then turning it back on again (that is, it deletes all restore points, then starts it back up again).

    I have not performed the operation on any other Win10 computer I am responsible for managing (10 total), I used my workstation as the guinea pig (some guinea pig, eh? :p) All seems fine with no impact that I can tell.

    I'll probably roll out the mitigation to the balance of the computers within the next week. But frankly I would believe that, beyond my workstation, the computers represent a low-ROI target and unlikely to be hit.

    1. Steve Davies 3 Silver badge

      Re: unlikely to be hit.

      Said the Actress to the Bishop...

      I hope that those words do not turn out to be your 'famous last words'.

  8. Anonymous Coward
    Anonymous Coward

    Time to 'Nuke' Microsoft

    With this and the decades old printer fiasco, why would you choose them in this day and age?

    Don't answer that or the pro MS bots will be out in force to downvote you.

    1. Snake Silver badge
      Facepalm

      Re: Time to 'Nuke' Microsoft

      Oh please. Rabid MS-haters really need to get a grip on yourselves. Didn't bother to read

      https://www.theregister.com/2021/07/21/windows_linux_privilege_escalation/

      from July 21, the first time we were notified of HiveNightmare?

      Didn't bother to read the addendum regarding a Linux root privilege exploit, an out-of-bounds file system write, from 2014? HiveNightmare only exists on Win10 and Win11 machines, meaning that the Linux exploit mentioned is a year older than Hive.

      But let's not replace Linux on our desktops, oh no. Windows needs to be nuked from orbit! It is devils spawn itself! Get me an exorcist!! Argh!!!

      :sigh:

      And note: I almost never downvote anyone (as I didn't downvote you). If you can't say something nice about someone (an upvote), don't say anything at all.

      1. bombastic bob Silver badge
        Linux

        Re: Time to 'Nuke' Microsoft

        > But let's not replace Linux on our desktops, oh no.

        too late (by about 17 years or so)

        (even if my 'Linux' is actually FreeBSD)

        I actually think it might be time for Micros~1 to start open sourcing a lot of its stuff, to be peer reviewed and rapidly patched by the community at large.

        (and maybe we'd get security fixes for XP and 7 to go with it, via pull request)

        1. Anonymous Coward
          Anonymous Coward

          Re: Time to 'Nuke' Microsoft

          At the current rate of Linux component/compatibility adoption by the Redmond boys, Windows will have a 100% GPL backend, with just a modest cosmetic layer to preserve the familiar looks in a couple more years.

      2. Waseem Alkurdi

        Re: Time to 'Nuke' Microsoft

        Linux is flexible, free / FOSS, light, tinkering-friendly, but not secure.

        https://madaidans-insecurities.github.io/linux.html

    2. Glenn Amspaugh
      Coat

      Re: Time to 'Nuke' Microsoft

      It plays Skyrim pretty well. Less than 1 crash an hour!

  9. fidodogbreath Silver badge
    FAIL

    Just rebrand it as Windows Oprah

    "You get root! And you get root! And you get root!"

  10. Henry Wertz 1 Gold badge

    ACLs too complicated

    I said this on the previous article about this, but the Windows ACL system is simply too complicated. If Linux (or OSX, BSD, etc.) had a backup password file readable by anyone who's not supposed to be able to, it'd be apparent at a glance (the user, group, and RWX permissions are listed as soon as you run "ls -l", and quite a few GUI file browsers also show them.)

    I don't have any big suggestion on what to do about this, I guess even the possibility of replacing or changing it much depends on how much of Windows stuff is tied deeply into ACLs, and how much just kind of "sits on top", it's still restricted where it can read and write but would not care what security mechanism was doing the restrictions.

    1. -v(o.o)v-

      Re: ACLs too complicated

      Ahha a noob detected.

      Most file systems in Linux have ACLs just like Windows. The + after the mode bits in ls signify this.

  11. Aussie Doc Bronze badge
    Pint

    Optional sensible title here

    i-c-a-c-l-s

    sitting on my PC

    there's a WHOOSH

    and a WHOOSH

    and I have a Hive-Nightmare

    Ac-cessControlLists very, very frightening me

    Galileo, Galileo

    Galileo, Galileo

    Galileo, Figaro - magnificoo

    Or some such thing.

    Pub O' clock here --------------------->

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021