Bad month for Microsoft


It never rains, but it pours, as they say…


After PrintNightmare came the Windows Hello zero-day, which allowed a hacker to access any account on a PC that uses a Hello-capable camera for authentication (they just needed an infrared image of the user, which could be obtained using any IR camera, e.g. walking past them with the camera, putting a camera in an elevator etc. where the user would pass by). While it would be highly targeted, it is a serious problem.


Now we have Hivenightmare. A bug in a recent(?) Windows update, first noticed in Windows 11 Beta, but also in all versions of Windows 10 in support, allows any user to read key system files, including the SAM password database – passwords are hashed, but there are known workarounds for finding passwords.


There is currently no patch, but you can manually re-apply the correct protection to the files, and you will have to manually remove any VSS copies on your system (and generate a new one, if you want to have a recovery point).


Restrict access to the contents of %windir%\system32\config


1. Open Command Prompt or Windows PowerShell as an administrator.

2. Run this command: `icacls %windir%\system32\config\*.* /inheritance:e`


Delete Volume Shadow Copy Service (VSS) shadow copies


1. Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.

2. Create a new System Restore point (if desired).


https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934
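The whole workaround above as one script, added here as an example (it is not from the original post or from Microsoft's advisory), run from an elevated Windows PowerShell prompt. It first checks whether the SAM, SECURITY and SYSTEM hives are actually readable by BUILTIN\Users (the state the advisory describes as vulnerable, `BUILTIN\Users:(I)(RX)` in icacls output), applies the same icacls command, then lists the existing shadow copies (which also answers the question of how to find them) and deletes them, and finally creates a fresh restore point. The hive list, the check function and the restore-point description are my choices; the cmdlets and tools used are standard Windows ones.

```powershell
# Added example: check for, and apply, the CVE-2021-36934 workaround. Run as administrator.
#Requires -RunAsAdministrator

$configDir = Join-Path $env:windir 'System32\config'
$hives     = 'SAM', 'SECURITY', 'SYSTEM'   # hives the advisory is concerned with (my selection)

function Test-HiveReadableByUsers {
    # Returns $true if BUILTIN\Users holds an Allow ACE with a Read right on the hive file,
    # i.e. the vulnerable state. The ACL can be read even though the hive itself is locked.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights.ToString() -match 'Read')) {
            return $true
        }
    }
    return $false
}

# 1. Before: report which hives are exposed.
foreach ($h in $hives) {
    $p = Join-Path $configDir $h
    $state = if (Test-HiveReadableByUsers $p) { 'VULNERABLE (Users can read)' } else { 'ok' }
    Write-Host ("{0,-10} {1}" -f $h, $state)
}

# 2. Re-enable ACL inheritance on every file in the config directory (the advisory's command).
icacls "$configDir\*.*" /inheritance:e

# 3. List, then delete, the shadow copies that still contain the old, readable hives.
#    Deleting comes after the ACL fix so that no new, unprotected copy slips in between.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy
if ($shadows) {
    $shadows | Select-Object ID, InstallDate, VolumeName | Format-Table -AutoSize
    $shadows | Remove-CimInstance   # same effect as: vssadmin delete shadows /all /quiet
} else {
    Write-Host 'No shadow copies present.'
}

# 4. Optional: a new restore point, created only now so that it does not itself contain
#    the exposed hives. Checkpoint-Computer needs System Restore enabled on the system
#    drive, and Windows refuses more than one restore point per 24 hours by default.
try {
    Checkpoint-Computer -Description 'Post CVE-2021-36934 workaround' -RestorePointType MODIFY_SETTINGS
} catch {
    Write-Warning "Restore point not created: $($_.Exception.Message)"
}

# 5. After: verify the ACLs again.
foreach ($h in $hives) {
    $p = Join-Path $configDir $h
    $state = if (Test-HiveReadableByUsers $p) { 'STILL VULNERABLE' } else { 'ok' }
    Write-Host ("{0,-10} {1}" -f $h, $state)
}
```

Two caveats: `Checkpoint-Computer` exists only in Windows PowerShell, not in PowerShell 7, so run the script in the former; and if the "before" check already reports `ok` on all three hives the machine was not exposed, but old shadow copies may still hold readable hives from a time when it was, so step 3 is still worth running.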

Comments (20)

  1. wright_is

    Aha, it finally turned up. I posted this about 7 hours ago, but nothing appeared, then I tried again a couple more times, but nothing.


    @Paul was it held up for verification, because of the links or the backslashes?

  2. lwetzel

    Maybe I misread. Shouldn't the "Delete Volume Shadow Copy Service (VSS) shadow copies" come before "Restrict access to the contents of %windir%\system32\config"?


    The "1. Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config." kind of indicates that.


    However, I just blindly followed and am not sure what I did takes care of the problem.


    • wright_is

      The official order is rights first, VSS delete second, although it probably doesn’t matter, just as long as Windows doesn’t create a new shadow copy before you change the rights. Unlikely in most cases, but if they are set on a schedule or Windows starts an update in the background, you could end up with another unprotected copy of the files.


      That is why the delete is recommended after changing the rights.

  3. longhorn

    Please explain this to me, those of you who use biometric login methods: fingerprint or facial recognition.

    So, if your password gets leaked/hacked you have to get a new password.

    If your fingerprint or face gets leaked/hacked you have to get a new finger or face.

    So I stick with passwords.

    What is the general feeling about this? Are doctors inexpensive where you live? :)


    • longhorn

      Thanks guys. I read your discussion below.

      My personal take on this regarding my personal PC is that there isn't anything that is really valuable on my personal PC. Mostly stuff that has some emotional value to me, but close to zero value to anyone else.


      So whether it is my PC or smartphone I consider my biometric data more valuable than the things stored on those devices. Yes, it would be a PITA if someone accessed my mail accounts or browsers, but not much to steal really.


    • anoldamigauser

      My favorite billboard was one for a plastic surgeon that said, "Go ahead, pick your nose."

    • geoff

      If your username and password are leaked, then anyone, anywhere, can use those credentials to log in as 'you'.


      Facial recognition and fingerprint recognition don't work that way.

      It's restricted to the single device (actually, the TPM) that holds the certificate that the PC biometrics unlocks.


      Having a picture of my face would not allow you to log in as me on the PC you use.

      Knowing (or guessing) my username and password *does* allow you to log on as me on the PC that you use.

      • wright_is

        No, but having your biometric data allows somebody who steals your device to log on / open it. That is the point.


        Biometrics are purely an identifier, not a security measure. Because of the ease with which it can be broken, it should never be used as a point of trust, it is purely a point of convenience to unlocking a device/account.


        Theoretically, it should always be used with a second form of authorization, a password, a token etc.

        • anoldamigauser

          US Customs has authority to inspect the contents of any electronic device coming into the country, despite the 4th Amendment. They are allowed to compel you to open the device via biometrics (something you are), but cannot compel you to give them the password or PIN (something you know).

          I always remove biometric options for login prior to crossing the border, though I haven't had to in quite a while.

          It does not protect me from other governments, but at least I should be safe from my own.

          • wright_is

            We aren't allowed to use biometrics on company laptops or smartphones. Passwords or PIN only - the PIN on my iPhone has to be min 10 digits, 2 numerals, 2 special symbols and upper and lower case... Not exactly quick and convenient, when you need to make a quick call.

            • ivarh

              Just use a custom numeric PIN. It allows you to have as many digits as you want, with the advantage that there is no indication in the PIN entry screen of how many digits there are. So even if you only use 4, the entry screen will happily accept an endless string of them; you have to press OK once you enter the correct PIN. This, combined with the way iOS adds forced breaks between unsuccessful attempts, means that brute forcing even a 4-digit PIN code will be very difficult, since unless they see you enter the code or you tell them, they will not know how many digits there are.

              • wright_is

                That isn't possible, the policy, pushed to the phone via MDM, before I receive it, sets the PIN complexity to 10 digits, 2 numeric, 2 special, mixed case.

                • ivarh

                  Corporate MDM/Group policies can backfire though. When I installed Teams on my mobile to be reachable for a couple of hours outside my working hours on my iPhone, it downloaded a policy disallowing 3rd party keyboards in all MS apps. End result: I had to uninstall Teams and delete my work account from my phone. That did not help, so I had to uninstall and reinstall all the MS apps I was using with my home subscription to get the Grammarly keyboard back in my MS apps. So now work can't reach me while I am not at my desk, neither on Teams nor Outlook.


                  Pretty crappy of MS to apply the corporate policies on apps where I am not signed into my corporate account as well. This is my private phone. If it was a corporate-owned phone I would live with it, but having them limit my personal use of my personal devices is a step too far for me.

        • geoff

          The likelihood of a person physically stealing my laptop, and also having my biometric information is extremely low.

          And, of course, my laptop will be blocked (or even wiped remotely) when I report it stolen.

          The time window for an exploit in the wild seems to me to be extremely small, and the complexity extremely high.


          The hacker with username/password details is free to carry on however they choose - especially if I don't know that they have my information. Everyone knows when their laptop is stolen. There are potentially many millions of people who have absolutely no idea that their password has been stolen.

          • wright_is

            Fingerprint on the case of the laptop, on the desk where it was etc. You leave latent fingerprints all over the place, all the time. Photographed with a standard digital camera (>12 MP), printed using a laser printer set to the heaviest toner setting (to get physical ridges), and pour melted Gummi Bears onto the paper, et voilà, you have a usable fingerprint.


            IR camera, placed where you will walk past it, will get them your thermal image. If they are stealing your laptop for the data (as opposed to plain theft), catch you on the camera as you leave your desk, just before they pick up your laptop.


            As to remote wipe - yes, once it is online. Anyone stealing your data is likely to keep it offline, until they have the data they want off of it, then try moving online to see what they can grab there.


            Biometrics are convenient, but lousy security.

    • wright_is

      Yes, biometrics are identification, not authorisation. Biometrics are an equivalent to usernames, not passwords.

  4. lwetzel

    One more thing. How do we find the VSS copies?


  5. anoldamigauser

    Yes, it has been a bit rough. Sort of takes the shine off the news of a new version coming out. PrintNightmare is, obviously, the big one. Welcome to the paperless office.


    The bit about bypassing the Windows Hello facial recognition is sort of a non-issue in my opinion, since to pull it off, requires both physical access to the computer and a good quality IR image of the target. Basically that means that the bad actors likely have physical access to both the target and the target's computer. If that is the case, there are far easier ways to get into the system, as the obligatory XKCD comic ( https[://]xkcd[.]com/538/) points out.

  6. hrlngrv

    In some ways the Windows Hello exploit seems worse for MSFT as it tends to undercut the value of Windows Hello, at least facial recognition. As soon as there's a fingerprint exploit, will web cams become retina scanners? Then what happens when someone comes up with an effective exploit against them?


    %SYSTEMROOT%\System32\config has been a vulnerability when bad people have physical access to PCs. At least back in 2006-2009 it was possible to boot Linux from DVD or USB drive, mount the Windows C: drive partition, edit the registry to enable the Administrator account, and blank its password if the account were already enabled. One of the few benefits to whole disk encryption for C: was encrypting this directory and making that far more difficult.


    [I still see no benefit to encrypting anything else under %SYSTEMROOT%, %PROGRAMFILES% or %PROGRAMFILES(x86)%; benefit to encrypting %PROGRAMDATA% is debatable; OTOH, %USERPROFILE% and %SYSTEMDRIVE%\PAGEFILE.SYS should be encrypted by default.]


    Maybe it's time to consider whether either PCs can be administered remotely OR they can be secure, but not both.


    That is, reengineer OSes so that elevation can only be used with directly connected keyboard and mouse AND without network connection. Similar to Linux/Unix run level 1. Yes, this would be MUCH MORE EXPENSIVE than remote admin, so maybe not worth the cost for MOST PCs, but it may be worth it for A FEW PCs.
