High-risk Windows system vulnerabilities over the years

First, vulnerability overview:

  1. About vulnerabilities:

    <1> Vulnerabilities are an important factor affecting network security;

    <2> Exploits have become the most common means of malicious attack;

    <3> Exploitation is trending toward industrialization, low cost, diversified methods and a lower barrier to entry;

    <4> In the information age, individuals and businesses alike face serious vulnerability threats;

    <5> High-risk vulnerabilities in Windows, Office, IE, Edge, Flash and other products are exposed frequently.

  2. Windows vulnerabilities:

    <1> MS08-067 RCE vulnerability;

    <2> MS12-020 DoS / blue screen / RCE vulnerability;

    <3> MS15-034 HTTP.sys RCE vulnerability;

    <4> MS16-114 SMB RCE;

    <5> 2017: the WannaCry ransomware, the MS17-010 "Eternal Blue" vulnerability, the Meltdown / Spectre CPU design vulnerabilities, the hackers' Oscar ("God Sees"), the Equation Editor vulnerability, the CVE-2017-7269 IIS RCE vulnerability;

    <6> 2018: Spectre ("Ghost") and Meltdown ("CPU fuse"), the third-generation Stuxnet, the "412" drive-by trojan storm;

    <7> 2019: CVE-2019-0708 Remote Desktop RCE vulnerability;

Second, vulnerability trend charts

  1. In recent years the number of Windows vulnerability submissions has risen year by year. 2018 and 2019 were outbreak years that severely tested the network security industry.

  2. Microsoft product vulnerabilities classified by type:

  3. Windows vulnerabilities and exploits: distribution of the vulnerabilities exploited by malware. Non-PE malware (phishing e-mails, Office macro viruses, script-based malware) is harder to detect and accounts for 66%:

Third, well-known high-risk Windows vulnerabilities over the years

  Every time a high-risk Windows vulnerability is publicly disclosed and breaks out, it causes an uproar across the whole community and affects every sector, because Windows and Windows Server underpin all kinds of production services.

  1. MS08-067 (CVE-2008-4250):

    <1> Vulnerability information:

      MS08-067 (CVE-2008-4250) is a milestone Windows SMB vulnerability with far-reaching impact, one of the most classic vulnerabilities. The hacking toolkit leaked by the Shadow Brokers in 2017 still contained an exploit for MS08-067. MS08-067 (CVE-2008-4250) is a typical Windows buffer overflow vulnerability; at the time, Windows memory stack protection (ASLR) had not yet matured.

      The Server service vulnerability is triggered by calling the NetPathCanonicalize function over the MS RPC over SMB channel (named pipe). When NetPathCanonicalize is used to access another host remotely, it calls NetpwPathCanonicalize to canonicalize the remote access path, and NetpwPathCanonicalize contains a logic error that can lead to a stack buffer overflow and finally RCE (remote command / code execution).

      The impact was very wide: an attacker can obtain SYSTEM privileges and complete control of Windows, and from there build worms, ransomware, remote-control Trojans and other malicious attacks.

    <2> Affected components: svchost.exe, netapi32.dll.

    <3> Official announcement:

      https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-067

      https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2GDlB

    <4> Patch check:

      wmic qfe GET hotfixid | findstr /C:"KB958644"

  2. MS17-010 (KB4012212):

    <1> Vulnerability information:

      Multiple remote code execution (RCE) vulnerabilities exist in Windows SMB when the Microsoft Server Message Block 1.0 (SMBv1, the vulnerable file sharing protocol) server handles certain requests. An attacker who successfully exploited these vulnerabilities could gain the ability to execute code on the target system. To exploit the vulnerabilities, in most cases an unauthenticated attacker could send specially crafted SMBv1 packets to the target server.

      In the past two years "Eternal Blue" has become one of the most heavily exploited security vulnerabilities. Malicious use of Eternal Blue actively spread worm-type ransomware; Eternal Blue (WannaCry) opened a new era of ransomware.

      Note: the WannaCry ransomware was built by malicious actors on the Eternal Blue exploit released by The Shadow Brokers; it spread as a worm and infected more than 230,000 hosts worldwide. Variants of the virus still exist today.

    <2> Affected range:

      Windows XP, 2003, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows 10, Windows Server 2016

    <3> Symptoms: ransomware infection, file damage.

    <4> Official announcement:

      https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010

    <5> Patch check:

      wmic qfe GET hotfixid | findstr /C:"KB4012212"

  3. CVE-2018-8174 / CVE-2018-8893: IE "Double Kill" 0day, high-risk vulnerabilities:

    <1> Vulnerability information:

      When the user clicks to open the bait document, Word first performs a remote access: the Word document embeds a malicious web page through OLE Autolink, the same technique used by the CVE-2017-0199 exploit, so the entire exploit and all malicious code are loaded from the remote server's VBScript 0day (CVE-2018-8174) web page. After the vulnerability is triggered the shellcode runs and makes multiple requests to a remote server to fetch the payload, decrypt it and execute it. During execution the payload drops three DLL backdoors locally, which are run through PowerShell and rundll32 commands to install the backdoor. The backdoor uses publicly known UAC bypass techniques, and uses file steganography, reflective in-memory loading and fileless loading to evade traffic monitoring.

      This 0day vulnerability was used in APT attacks against IE-engine browsers and Office (for example by the APT-C-06 group, which targets Chinese government, scientific research and foreign trade organizations and stays dormant for long periods while monitoring). The latest version of the IE browser and applications that use the IE engine are affected; users who browse the web or open Office documents may be compromised and eventually have a hacker backdoor Trojan implanted that takes full control of the computer.

      The exploit uses multiple UAF (use-after-free) bugs to achieve type confusion, forges array objects to gain arbitrary address write, and finally obtains code execution through the released object. The code execution does not use conventional ROP (return-oriented programming) or GodMode (a hidden folder in NT6 systems that contains almost all system settings), but stabilizes the exploit by laying out shellcode with script.

    <2> Official description:

      https://support.microsoft.com/en-us/help/4134651/description-of-the-security-update-for-vulnerabilities-in-windows

    <3> Patch check:

      wmic qfe GET hotfixid | findstr /C:"KB4134651"

    <4> Because the first-generation patch did not completely fix the problem, new vulnerabilities were derived from it:

      CVE-2018-8242, IE Double Kill, second-generation 0day vulnerability;

      CVE-2018-8373, IE Double Kill, third-generation 0day vulnerability;

  4. CVE-2019-0708:

    <1> Vulnerability information:

      On May 14, 2019, a serious security flaw (with enormous destructive potential) was disclosed in Windows Remote Desktop Services (RDP, TCP / UDP 3389). It is exploitable before authentication: without any user authorization an attacker can execute arbitrary code (RCE), install backdoors, view and tamper with private data, create new accounts with full user rights and perform other attacks, gaining full control of the target computer. The vulnerability can be used to build worms comparable to the WannaCry worm that swept the world in 2017, causing large-scale damage;

    <2> Affected system versions:

      Windows XP (KB4500331), Windows 2003 (KB4500331), Vista (KB4499180), 2008 / 2008 R2 (KB4499180), Windows 7 (KB4499175).

    <3> Official information:

      https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

    <4> Free detection tool:

      https://free.360totalsecurity.com/CVE-2019-0708/detector_release.zip

    <5> Patch check:

      wmic qfe GET hotfixid | findstr /C:"KB4499175"

  NOTE: Open the Windows command line and type "regedit" to open the Registry Editor, then view or modify the RDP port number in either of the following two ways:
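  As an added example for this section (not code from the original article), the following PowerShell reads the same RDP listener values that the registry note above refers to, and adds two exposure checks a defender would want next to the patch check: whether Network Level Authentication is required (unauthenticated clients then never reach the pre-authentication code path that CVE-2019-0708 lives in) and whether SMBv1, the protocol behind MS17-010, is still enabled. The registry paths and cmdlet names are the standard Windows ones and are assumed here; run it in an elevated PowerShell.

```powershell
# Added example: RDP and SMBv1 exposure check for the vulnerabilities in this article.
# Assumed: standard Windows registry locations for the RDP-Tcp listener and LanmanServer.
$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey = "$TsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    $ts  = Get-ItemProperty -Path $TsKey
    $rdp = Get-ItemProperty -Path $RdpKey

    # fDenyTSConnections = 1 means Remote Desktop is switched off entirely.
    # PortNumber is the listening port (3389 by default, as the article notes).
    # UserAuthentication = 1 means NLA is required before the RDP session is set up.
    [pscustomobject]@{
        RdpEnabled  = ($ts.fDenyTSConnections -eq 0)
        RdpPort     = $rdp.PortNumber
        NlaRequired = ($rdp.UserAuthentication -eq 1)
    }
}

function Get-Smb1Exposure {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / 2008 R2: the SMB1 DWORD under LanmanServer\Parameters controls it;
    # an absent value means the default, which is enabled.
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                          -ErrorAction SilentlyContinue
    return ($null -eq $p.SMB1) -or ($p.SMB1 -ne 0)
}

$rdpState = Get-RdpExposure
[pscustomobject]@{
    'RDP enabled'   = $rdpState.RdpEnabled
    'RDP port'      = $rdpState.RdpPort
    'NLA required'  = $rdpState.NlaRequired
    'SMBv1 enabled' = Get-Smb1Exposure
} | Format-List
```

  A host that reports RDP enabled, NLA not required and the CVE-2019-0708 KB missing is the combination to treat as urgent; a host that reports SMBv1 enabled has the MS17-010 attack surface still exposed even after the KB is installed, so disabling SMBv1 is the usual follow-up to patching.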


 Note: every patch-check command in this article tests whether a patch is present: wmic qfe GET hotfixid | findstr /C:"X". If patch "X" is installed the command echoes "X"; otherwise nothing is displayed.
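 The wmic | findstr pattern above is run once per KB. As an added example (not from the article), the following PowerShell queries the installed-update list once with Get-HotFix, the PowerShell counterpart of wmic qfe, and reports all the KB numbers this article lists in a single table. The KB numbers are the article's; the mapping of vulnerability to KB is assumed to be per OS version, as the CVE-2019-0708 section shows.

```powershell
# Added example: check every KB this article mentions on the local host in one pass.
# The KB numbers come from the article; which one applies depends on the OS version,
# so a missing KB is a prompt to check further, not proof that the host is unpatched.
$Checks = @(
    @{ Name = 'MS08-067 / CVE-2008-4250 (Server service, SMB)'; KBs = @('KB958644') }
    @{ Name = 'MS17-010 / Eternal Blue (SMBv1)';                KBs = @('KB4012212') }
    @{ Name = 'CVE-2018-8174 (IE Double Kill)';                 KBs = @('KB4134651') }
    @{ Name = 'CVE-2019-0708 (Remote Desktop Services)';        KBs = @('KB4500331', 'KB4499180', 'KB4499175') }
)

# Query the installed-update list once instead of running wmic | findstr per KB.
$Installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)

function Test-ArticlePatches {
    foreach ($c in $Checks) {
        $present = @($c.KBs | Where-Object { $Installed -contains $_ })
        [pscustomobject]@{
            Vulnerability = $c.Name
            ExpectedKB    = ($c.KBs -join ', ')
            InstalledKB   = if ($present.Count) { $present -join ', ' } else { '(none)' }
            Status        = if ($present.Count) { 'patched' } else { 'CHECK' }
        }
    }
}

Test-ArticlePatches | Format-Table -AutoSize
```

 On Windows 10 and recent Windows Server releases, monthly cumulative updates supersede the individual KBs listed here and Get-HotFix only shows a subset of installed packages, so a "(none)" row there should be confirmed against the OS build number and the Microsoft Update Catalog rather than read as proof of exposure.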



Source: www.cnblogs.com/CDZX/p/12559417.html