Wednesday, April 26th 2017

NSA's Windows Exploit "DoublePulsar" Being Actively Utilized in the Wild

The "DoublePulsar" backdoor, exposed recently as part of the leaked NSA-derived hacking toolkit posted online, is set to become one of the more significant issues related to the leak. Not because it is unpatched, because the hole it rides in on has been patched for roughly a month, but rather because, according to a threatpost.com report, few users are as up to date as they should be. Strictly speaking, DoublePulsar is the kernel-mode implant the toolkit plants on a machine; the SMB exploit that delivers it is "EternalBlue", but the two travel together and the fix is the same.
It has been described as "Zero-Day" in nature, and while that was true while the NSA was using it, it has not been since March: Microsoft fixed the underlying bug in security bulletin MS17-010 on March 14th. That bug sits in the Windows Server Message Block (SMB) stack, specifically the old SMBv1 dialect, the protocol Windows uses to share files and printers with PCs on the local network. The issue is severe: an unauthenticated attacker who can reach the SMB port gets kernel-level (SYSTEM) control of the machine, which is where the DoublePulsar implant then lives. Basically, if they can touch your SMB port and you are unpatched, it doesn't matter what antivirus you are running, it's "game over dude." Worse yet, the report indicates the implant is already in use "internet-wide."

One way to defend against this is using a decent hardware or even software firewall and blocking inbound SMB access (Windows Firewall leaves it open on networks marked private or domain whenever file and printer sharing is enabled, for functionality reasons). SMB uses TCP port 445, plus TCP 139 where the older NetBIOS session service is still in use, if you want to go this route. But honestly, the best thing to do is just ensure you are up to date. Microsoft's fix, MS17-010, has been out for over a month: use it. Windows Update can get you there, or you can download it directly from Microsoft's MS17-010 bulletin page.
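As an added example (not code from the article or from the Threatpost report), here are the three defensive steps above typed into an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later: block inbound SMB as a stop-gap, turn off the SMBv1 dialect the bug lives in, and check for the MS17-010 update. The KB numbers are the original March 2017 MS17-010 identifiers; later cumulative rollups supersede them, so an empty result on a machine that has taken later rollups is not by itself proof that it is unpatched. The host name in the last step is a placeholder to replace with the machine you just hardened.

```powershell
# Added example for the defensive steps described above; not code from the
# article or the Threatpost report. Run in an elevated PowerShell session on
# Windows 8.1 / Server 2012 R2 or later (New-NetFirewallRule, Test-NetConnection
# and Set-SmbServerConfiguration are not available on Windows 7).

# 1. Stop-gap: block inbound SMB (TCP 445, plus 139 for the NetBIOS session
#    service) on every network profile until the machine is patched.
New-NetFirewallRule -DisplayName 'Block inbound SMB (MS17-010 stop-gap)' `
    -Direction Inbound -Protocol TCP -LocalPort 445,139 `
    -Action Block -Profile Any

# 2. The bug EternalBlue exploits is in the SMBv1 dialect; disabling SMBv1 on
#    the server side removes the vulnerable code path even if the firewall
#    rule is later removed. Caveat: anything that still speaks only SMBv1
#    (old NAS boxes, XP/2003 hosts, some printers) loses access to this
#    machine's shares.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 3. Check for the March 2017 MS17-010 updates by KB number. These are the
#    original security-only / monthly-rollup IDs; later cumulative rollups
#    supersede them, so "not found" on a machine that has installed later
#    rollups is not by itself proof that it is unpatched.
$ms17010 = @(
    'KB4012598',                            # Vista / Server 2008
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)
$installed = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($installed) {
    $ids = ($installed | Select-Object -ExpandProperty HotFixID) -join ', '
    "MS17-010 present: $ids"
} else {
    "No March 2017 MS17-010 KB found; check Windows Update history for a later rollup."
}

# 4. From ANOTHER machine on the same network, confirm the port is now closed.
#    'PLACEHOLDER-HOST' is a placeholder for the hardened host's name or address.
Test-NetConnection -ComputerName 'PLACEHOLDER-HOST' -Port 445 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Step 4 is the check that matters for the "if they can touch your SMB port" point: `TcpTestSucceeded` should come back `False` from any machine that is not meant to reach your shares. Step 1 is the quick fix; step 3 (or, failing that, Windows Update) is the real one, since a blocked port does nothing for a laptop that later joins a network where the rule is removed.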

If nothing else, this is a reminder of the dangers of running an unpatched Windows system (Windows XP gets no fix for this, as an example). Please keep your system up to date, or, if unable or unwilling, stay on top of the latest exploit news to at least know what you are up against and have your firewall and antivirus ready.

Source: threatpost.com

10 Comments on NSA's Windows Exploit "DoublePulsar" Being Actively Utilized in the Wild

#1
alucasa
Pc enthusiasts keep their OS secure.

.... Right?

Hmm, on the second thought. I have doubts.
#2
R-T-B
Might I add as an editorial-twist post-article, that the fact that MS is denying users critical fixes like this over what CPU they are running on supported OSes seems like borderline criminal behavior? In my mind at least, it is.

Maybe we should order them to stop that in the name of "national security." Would be more legit than several uses of the word I've seen.
#3
alucasa
In a lot of people's minds, they feel Microsoft should not exist. At the same time, they couldn't use Unix, either, probably.
#4
R-T-B
alucasa said:
In a lot of people's minds, they feel Microsoft should not exist. At the same time, they couldn't use Unix, either, probably.
Meh, there's a middleground I straddle. I still feel that the move with CPUs and updates is pretty messed up.

By the way, I can use Linux/*nix and so can probably anyone who tries a bit now. But it has its own limitations.
#5
TheGuruStud
R-T-B said:
Might I add as an editorial-twist post-article, that the fact that MS is denying users critical fixes like this over what CPU they are running on supported OSes seems like borderline criminal behavior? In my mind at least, it is.

Maybe we should order them to stop that in the name of "national security." Would be more legit than several uses of the word I've seen.
I've been arguing that it's fraud, but seems like most think it's ok for corporations to swindle you and do as they please (which is obvious by the state of the world).
#6
NRANM
"I disable updates because they are bad and annoying because of... reasons."
- A lot of users

As for the blocking updates on new CPUs, I do consider it illogical and counter productive for users.

As much as I like to defend Microsoft, as they are often overly scrutinized because it's cool to do that, even if they aren't doing anything other major companies aren't doing as well (without much of the criticism), but in this particular case what they did was I would describe in layman's terms as a "dick move".
#7
Boosnie
NRANM said:
"I disable updates because they are bad and annoying because of... reasons."
- A lot of users
To be fair, the Win10 update system was initially something like a fascist tyrant installed on your computer. For most users in the first 6/10 months of the Windows 10 deployment the experience was like someone, somewhere, shutting down your system for *reasons* WHILE you were actively working on the machine.
Over the years MS has adopted an increasingly aggressive strategy to keep the millions of Win PCs out there secure and as safe as possible from becoming part of giant botnets. That's due in part to the increased effort (and money) that MS has put on the table to quash these botnets, and in part to a grand joint UN strategy to keep the amount of "cyber threats" to a minimum.
NRANM said:
As for the blocking updates on new CPUs, I do consider it illogical and counter productive for users.
This is in part a commercial strategy and, for the most part, the extension of what I've said earlier. Windows 10 is way, way, way more secure an OS than Windows 7 is.
To be frank, I really don't get why people are sticking with 7 and passed up the chance to update to 10 when they were eligible to do so for free.
#8
efikkan
R-T-B said:

...it doesn't matter what antivirus you are running, it's "game over dude." Worse yet, the report indicates the exploit is already in use "internet-wide."
...
stay on top of the latest exploit news to at least know what you are up against and have your firewall and antivirus ready.
Antivirus can't protect against exploits, they can only recognize known malware and remove it. That's why we usually see hundreds of variants of the same virus, which continues until the exploit is actually fixed. Firewalls can't protect against specific exploits in protocols either, they are about blocking ports, applications, IPs, etc.
#9
R-T-B
efikkan said:
Firewalls can't protect against specific exploits in protocols either, they are about blocking ports, applications, IPs, etc.
All of the TCP/IP protocol stack utilizes ports, so port blocking can be used as protection in a pinch and thus, in this instance.
#10
Prima.Vera
efikkan said:
Antivirus can't protect against exploits, they can only recognize known malware and remove it. That's why we usually see hundreds of variants of the same virus, which continues until the exploit is actually fixed. Firewalls can't protect against specific exploits in protocols either, they are about blocking ports, applications, IPs, etc.
That's why all the quality antivirus software out there also comes with IDPS and malware/rootkit detection. Or at least it should...