Microsoft patches scary wormable hijack-my-box-via-IPv6 security bug and others

Microsoft has disclosed 90 flaws in its products – six of which have already been exploited – and four others that are listed as publicly known. There's another dozen in the list from third-party vendors that are now included in Microsoft's monthly update. Happy August Patch Tuesday, folks. Of the 102 total bugs listed this …

  1. Richard 12 Silver badge

    Assuming a criminal can find a system that runs macros downloaded from the internet

    Or you know, can bypass Mark Of The Web, perhaps by using the vulnerability a little further on in the same article?

    MotW is very fragile, always has been. Not to mention that it pops up so often that it's basically trained users to ignore it.

    Many of the documents I get sent by other businesses are still Word docs, even when they're explicitly intended to be read-only. And for some reason Word can't print in view-only mode, so loads of people immediately disable that.

    1. diodesign (Written by Reg staff) Silver badge

      Yup, it's fragile

      MOTW is pretty fragile, yeah, we've covered past exploits - and now noted the one in the article, too.

      C.

  2. Grunchy Silver badge

    I finally signed up for “Ubuntu Pro”

    I didn’t know what it does; it’s a premium update scheme for upper crusties (or so I thought), and then all of a sudden it’s free for personal use. But only for up to 5 computers, and only for LTS (long term support) versions. Plus, you have to give ’em an email address, which has to work, and they make you identify all the fire hydrants out of a photo lineup.

    Now I am Pro! And the very first thing it did was crash and send two complete system reports to Ubuntu Pro HQ presumably for chuckles!

    1. FirstTangoInParis Bronze badge

      Re: I finally signed up for “Ubuntu Pro”

      And then your next job is to enable unattended upgrades so your machine will patch itself whenever patches are released, including all the extra security patches you get through the Advantage programme. Then just check your machine once a week or so to see if a kernel update needs a reboot.

  3. Kev99 Silver badge

    How long have these companies been writing code and they STILL don't know how to avoid these and other vulnerabilities? Are they that stupid or that uncaring?

    1. IGotOut Silver badge

      Feel free to write your own.

    2. A random security guy

      Most (probably 90%) can be caught using code analyzers. The rest is proper reviews and testing.

      What you are seeing is probably the result of those efforts. Security fixes take time to implement and test.

      One can implement processes that reduce defect counts.

  4. Colin Bull 1

    WTF

    'CVE-2024-38199 – a Windows Line Printer Daemon (LPD) Service RCE Vulnerability with a 9.8 CVSS rating.'

    How can a printer daemon have a 9.8 rating? It listens, gets a bunch of data and sends it to a port. It perhaps has permissions to write to its own temp files. If it has data out of bounds it can just write an error log and abort the job.

    Am I being naive?

    1. diodesign (Written by Reg staff) Silver badge

      Re: WTF

      It's a memory safety failure. The LPD is designed to do the things you've said and expect. But the vulnerability is a use-after-free, so what happens is, someone sends it some specially crafted data that causes the daemon to reuse free'd memory leading to exploitation.

      I don't know the specifics but usually what happens is that you trick vulnerable software into freeing some memory, you cause that memory to be reallocated and filled with your attacker-controlled data, then the software uses the memory again in the original context after it was freed. Rather than using its own information, now it's using that attacker-controlled data - and if that data is function pointers (usually is) then now you can direct program control to your own functions you included in the payload. Or similar.

      'Friends are always telling me you’re a user. I don’t care what you do to them. Just be good to free().'

      From Microsoft's disclosure about the bug: "An unauthenticated attacker could send a specially crafted print task to a shared vulnerable Windows Line Printer Daemon (LPD) service across a network. Successful exploitation could result in remote code execution on the server."

      C.
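The pattern diodesign describes, as an added illustration (not code from the article, Microsoft, or the LPD service): a hypothetical print-job struct whose error path frees the job but leaves a dangling pointer that is later used, beside a hardened version that makes ownership explicit and clears the pointer after free. The wire format (one length byte, then a name) and all names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 32

/* Hypothetical print job: a name plus a callback run when the job completes. */
typedef struct {
    void (*on_done)(const char *name);
    char name[NAME_MAX];
} job_t;

int done_calls = 0;                         /* counts completed jobs (for checking) */
void report_done(const char *name) { (void)name; done_calls++; }

/* Parse a constructed wire format: one length byte followed by the name bytes. */
job_t *job_new(const uint8_t *data, size_t len) {
    if (len < 1 || data[0] >= NAME_MAX || (size_t)data[0] + 1 > len)
        return NULL;                        /* reject malformed or oversized input */
    job_t *j = calloc(1, sizeof *j);
    if (!j) return NULL;
    memcpy(j->name, data + 1, data[0]);
    j->on_done = report_done;
    return j;
}

/* VULNERABLE shape: freed on the error path, then used anyway. In a server, another
 * request arriving between step 1 and step 3 could reuse that chunk, so the indirect
 * call goes through stale, possibly attacker-influenced memory. Never call this. */
int spool_vulnerable(job_t *j, int spool_failed) {
    if (spool_failed)
        free(j);                            /* 1. job released ... */
                                            /* 2. ... chunk may be reallocated ... */
    j->on_done(j->name);                    /* 3. ... and then dereferenced */
    return spool_failed ? -1 : 0;
}

/* HARDENED: the caller hands over ownership; nothing touches the job after free and
 * the caller's pointer is cleared so a later "use" fails loudly (NULL) instead. */
int spool_hardened(job_t **jp, int spool_failed) {
    job_t *j = *jp;
    if (!j) return -1;
    if (!spool_failed)
        j->on_done(j->name);                /* use happens strictly before free */
    free(j);
    *jp = NULL;                             /* no dangling pointer survives */
    return spool_failed ? -1 : 0;
}
```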

      1. Richard 12 Silver badge

        Re: WTF

        Plus of course line printers are really old.

        Chances are that this driver started off in a cooperatively multitasked, or even single-task OS like MS-DOS and has been gradually dragged into the 21st century, screaming and kicking.

      2. RedGreen925 Bronze badge

        Re: WTF

        "From Microsoft's disclosure about the bug: "An unauthenticated attacker could send a specially crafted print task to a shared vulnerable Windows Line Printer Daemon (LPD) service across a network. Successful exploitation could result in remote code execution on the server.""

        Total morons; as I have said many times, they have not one single clue how to do anything securely. A bunch of clowns running a shit show for laughs and giggles about how much the even bigger morons who will pay them actual money to buy their garbage. The crowd who whine on about how hard done by they are by the mean old hackers exploiting the trash they bought. Looks good on every god damn one of them fools.

  5. DJV Silver badge

    hijack-my-box-via-IPv6 security bug

    Well, that's all us Vermin Media cable users safe then... sigh...

    Vermin Media: IPv6 - um, yeah, we've heard of it.

    1. druck Silver badge

      Re: hijack-my-box-via-IPv6 security bug

      It can be exploited via IPv6 from another machine on your local network, regardless of whether your ISP supports it. You need to have disabled the IPv6 stack.

      Microsoft quality software at its best.

      1. Anonymous Coward

        Re: hijack-my-box-via-IPv6 security bug

        > It can be exploited via IPv6 from another machine on your local network, regardless of whether your ISP supports it.

        Yeah, I think he knew that and was sarcastically making the point that VM have yet to reach the end of the 20th century, let alone enter the 21st.

  6. isdnip

    Using Windows 10 Pro, where I control whether and when I do updates, it looks like I don't have to hurry and do an update this month. I turned off the most dangerous virus vector, Children's Crusade Protocol a/k/a IPv6, so that one won't reach me. And I don't use the things with the other vulns.

    1. Snake Silver badge

      It is noted that there aren't any reports of attacks in the wild and I wonder if some of that is due to many people still using IPv4 routers, thereby being unable or unwilling (IPv6 mode turned off) to route those vulnerable packets.

    2. bemusedHorseman

      ...I also have Win10 Pro, and on the last update check I told it not to check again until mid September.

      It did an update check this morning regardless.

      I guess certain updates can be flagged as "bypass user update deferral and download now", and MICROS~1 deemed this particular Patch Tuesday as worthy of a bypass?

  7. Anonymous Coward

    Imagine this critical flaw in a Windows that ran out of support.

    1. 142

      Are we sure it isn't present? It looks like every single currently supported version of Windows is affected per the CVE.

      What's MS's policy here - do they mention unsupported versions in CVEs? Does Windows 7's omission from the list mean the bug isn't present?

      1. Ken Hagan Gold badge

        MS do not discuss versions that are out of support.

        I think there have been perhaps two exceptions to that policy which I've read about on this site over the last decade or two.

        You should assume that Windows versions XP to 8.1, and corresponding Server releases, are wide open.

  8. Lee D Silver badge

    I'm all for IPv6 (hey, Reg, how's that new IPv6 access to the website coming along for the last.... 12 years now?).

    But why is it enabled on any system where it's not in active use (i.e. one where you don't have an IPv6 router, gateway, or other setup)?

    Surely, just basic IT management should tell you that something that's not in active use on your internal network should be DISABLED if for no other reason than to reduce your attack surface area?

    I have nothing against anyone using it - it's perfectly simple to manage and all my personal sites and services use it (but my ISP doesn't support it).

    But unless your internal network is IPv6 numbered, or you have to access an IPv6-only service... why is it enabled?

    And even in the latter case, why is the GATEWAY not just doing the 4->6 translation and you just access the gateway as per normal? Almost every ordinary business is behind a NAT gateway already, it's the perfect barrier to externally-triggerable and technical issues like this.

    IPv6 gets a bad rap, but not because of its security (this is a poor IMPLEMENTATION, not a flaw in the protocol itself); it's because everyone insisted - at one point - that we have to use it for everything, by default, make all internal systems use it (when that really doesn't matter) and abandon NAT forever (which is never going to happen even in an exclusively IPv6 world).

    And this is why. Because on an internal network with no need for IPv6, you're now exposed and vulnerable to a range of bugs in a protocol you didn't want, didn't explicitly enable, and which was "on by default", which nobody wanted.

    There's a reason that for 20 years I've been disabling the IPv6 protocols on my personal home devices, and on the networks I manage. I don't need it. And it just presents another hole to attackers. On Windows I unbind the protocol from network adaptors, on Linux I have to jump through sysctl hoops.

    When I want it (e.g. my web server, email server, NTP server, etc.) then I will enable it and configure it myself.

    As yet, operating entire IPv4-only networks with thousands of clients for 25+ years has had zero implications. When it does, then I will research, enable and configure appropriately. Not you, Microsoft. Not you, Ubuntu. You don't get to decide that for me.

    1. donk1

      "on Linux I have to jump through sysctl hoops."

      grubby --update-kernel ALL --args ipv6.disable=1

      1. Anonymous Coward

        Or just edit /etc/default/grub, then run update-grub. But yes to this concept, I do it on all my boxes.

    2. MatthewSt Silver badge

      The tricky thing is how does the device know if it needs it without having it enabled?

      Sky and BT have rolled it out quite successfully in the UK, but it wouldn't have been possible if they needed to tell everyone to enable IPv6 on every single device they own.
