NSA's Windows Exploit "DoublePulsar" Being Actively Utilized in the Wild

R-T-B · Apr 27, 2017

The "DoublePulsar" exploit exposed recently as part of the leaked NSA-derived hacking toolkit posted online, is set to become one of the more significant issues related to the leak. Not because it is unpatched, because it has been patched for roughly a month, but rather because according to a threatpost.com report, few users are as up to date as they should be.

The exploit is described as "Zero-Day" in nature, and if that sounds serious, it's because that's exactly what we are dealing with. The exploit uses a bug in the Windows Server Message Block (SMB) stack, the protocol Windows uses to share files with PCs on the local network. The issue is so severe, it allows an unauthenticated attacker with access to the SMB port complete root-level control over your PC. Basically, if they can touch your SMB port, it doesn't matter what antivirus you are running, it's "game over dude." Worse yet, the report indicates the exploit is already in use "internet-wide."

One way to defend against this is using a decent hardware or even software firewall and blocking SMB access (Windows does not do this by default, for functionality reasons). SMB utilizes port TCP 445, if you want to go this route. But honestly, the best thing to do is just ensure you are up to date. Microsoft has had a patch out for this for over a month: Use it. Windows Update can get you there, or you can simply download it here.

If nothing else, this is a reminder of the dangers of running an unpatched Windows system (Windows XP gets no fix for this, as an example). Please keep your system up to date, or if unable or unwilling, stay on top of the latest exploit news to at least know what you are up against and have your firewall and antivirus ready.

View at TechPowerUp Main Site

alucasa · Apr 27, 2017

Pc enthusiasts keep their OS secure.

.... Right?

Hmm, on the second thought. I have doubts.

R-T-B · Apr 27, 2017

Might I add as an editorial-twist post-article, that the fact that MS is denying users critical fixes like this over what CPU they are running on supported OSes seem like borderline criminal behavior? In my mind at least, it is.

Maybe we should order them to stop that in the name of "national security." Would be more legit than several uses of the word I've seen.

alucasa · Apr 27, 2017

In a lot of people's mind's, they feel Microsoft should not exist. At the same time, they couldn't use Unix, either, probably.

R-T-B · Apr 27, 2017

alucasa said:
In a lot of people's mind's, they feel Microsoft should not exist. At the same time, they couldn't use Unix, either, probably.

Meh, there's a middleground I straddle. I still feel that the move with CPUs and updates is pretty messed up.

By the way, I can use Linux/*nix and so can probably anyone who tries a bit now. But it has it's own limitations.

TheGuruStud · Apr 27, 2017

R-T-B said:
Might I add as an editorial-twist post-article, that the fact that MS is denying users critical fixes like this over what CPU they are running on supported OSes seem like borderline criminal behavior? In my mind at least, it is.

Maybe we should order them to stop that in the name of "national security." Would be more legit than several uses of the word I've seen.

I've been arguing that it's fraud, but seems like most think it's ok for corporations to swindle you and do as they please (which is obvious by the state of the world).

NRANM · Apr 27, 2017

"I disable updates because they are bad and annoying because of... reasons."
- A lot of users

As for the blocking updates on new CPUs, I do consider it illogical and counter productive for users.

As much as I like to defend Microsoft, as they are often overly scrutinized because it's cool to do that, even if they aren't doing anything other major companies aren't doing as well (without much of the criticism), but in this particular case what they did was I would describe in layman's terms as a "dick move".

Boosnie · Apr 27, 2017

NRANM said:
"I disable updates because they are bad and annoying because of... reasons."
- A lot of users

To be fair, the Win10 update system was initially something like a fascist tyrant installed on your computer. For most users in the first 6/10 months of windows 10 deploy the experience was like someone, somewhere, shutting down your system for *reasons* WHILE you were actively working on the machine.
Over the years MS has adopted an increasingly aggressive strategy to keep the millions of Win pc out there secure and as safe as possible from becoming part of giant botnets. That's due in part from the increased effort(and money) that MS has put on the table to quash these botnets, and in part to a grand joined UN strategy to keep the amount of "cyber threats" to a minimum.

As for the blocking updates on new CPUs, I do consider it illogical and counter productive for users.

This is in part a commercial strategy and, for the most part, the extension of what I've said earlier. Windows 10 is way, way, way more secure an OS than Windows 7 is.
To be frank, I really don't get why people are sticking with 7 and passed the chanche to update to 10 when they where elegible to do so for free.

efikkan · Apr 28, 2017

R-T-B said:
...it doesn't matter what antivirus you are running, it's "game over dude." Worse yet, the report indicates the exploit is already in use "internet-wide."
...
stay on top of the latest exploit news to at least know what you are up against and have your firewall and antivirus ready.

Antivirus can't protect against exploits, they can only recognize known malware and remove it. That's why we usually see hundreds of variants of the same virus, which continues until the exploit is actually fixed. Firewalls can't protect against specific exploits in protocols either, they are about blocking ports, applications, IPs, etc.

R-T-B · Apr 28, 2017

efikkan said:
Firewalls can't protect against specific exploits in protocols either, they are about blocking ports, applications, IPs, etc.

All of the tcp/ip protocol stack utilizes ports, so port blocking can be used as protection in a pinch and thus, in this instance.

Prima.Vera · Apr 29, 2017

efikkan said:
Antivirus can't protect against exploits, they can only recognize known malware and remove it. That's why we usually see hundreds of variants of the same virus, which continues until the exploit is actually fixed. Firewalls can't protect against specific exploits in protocols either, they are about blocking ports, applications, IPs, etc.

That's why all the quality antivirus software out there are also coming with IDPS and Malware/Rootkit detection. Or at least they should...

System Name	Pioneer
Processor	Ryzen R9 9950X
Motherboard	GIGABYTE Aorus Elite X670 AX
Cooling	Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory	64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s)	XFX RX 7900 XTX Speedster Merc 310
Storage	Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s)	55" LG 55" B9 OLED 4K Display
Case	Thermaltake Core X31
Audio Device(s)	TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply	FSP Hydro Ti Pro 850W
Mouse	Logitech G305 Lightspeed Wireless
Keyboard	WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software	Gentoo Linux x64 / Windows 11 Enterprise IoT 2024

System Name	Pioneer
Processor	Ryzen R9 9950X
Motherboard	GIGABYTE Aorus Elite X670 AX
Cooling	Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory	64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s)	XFX RX 7900 XTX Speedster Merc 310
Storage	Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s)	55" LG 55" B9 OLED 4K Display
Case	Thermaltake Core X31
Audio Device(s)	TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply	FSP Hydro Ti Pro 850W
Mouse	Logitech G305 Lightspeed Wireless
Keyboard	WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software	Gentoo Linux x64 / Windows 11 Enterprise IoT 2024

System Name	Pioneer
Processor	Ryzen R9 9950X
Motherboard	GIGABYTE Aorus Elite X670 AX
Cooling	Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory	64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s)	XFX RX 7900 XTX Speedster Merc 310
Storage	Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s)	55" LG 55" B9 OLED 4K Display
Case	Thermaltake Core X31
Audio Device(s)	TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply	FSP Hydro Ti Pro 850W
Mouse	Logitech G305 Lightspeed Wireless
Keyboard	WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software	Gentoo Linux x64 / Windows 11 Enterprise IoT 2024

Processor	OCed 5800X3D
Motherboard	Asucks C6H
Cooling	Air
Memory	32GB
Video Card(s)	OCed 6800XT
Storage	NVMees
Display(s)	32" Dull curved 1440
Case	Freebie glass idk
Audio Device(s)	Sennheiser
Power Supply	Don't even remember

Processor	AMD Ryzen 9 5900X \|\|\| Intel Core i7-3930K
Motherboard	ASUS ProArt B550-CREATOR \|\|\| Asus P9X79 WS
Cooling	Noctua NH-U14S \|\|\| Be Quiet Pure Rock
Memory	Crucial 2 x 16 GB 3200 MHz \|\|\| Corsair 8 x 8 GB 1333 MHz
Video Card(s)	MSI GTX 1060 3GB \|\|\| MSI GTX 680 4GB
Storage	Samsung 970 PRO 512 GB + 1 TB \|\|\| Intel 545s 512 GB + 256 GB
Display(s)	Asus ROG Swift PG278QR 27" \|\|\| Eizo EV2416W 24"
Case	Fractal Design Define 7 XL x 2
Audio Device(s)	Cambridge Audio DacMagic Plus
Power Supply	Seasonic Focus PX-850 x 2
Mouse	Razer Abyssus
Keyboard	CM Storm QuickFire XT
Software	Ubuntu

Processor	Intel® Core™ i7-13700K
Motherboard	Gigabyte Z790 Aorus Elite AX
Cooling	Noctua NH-D15
Memory	32GB(2x16) DDR5@6600MHz G-Skill Trident Z5
Video Card(s)	ZOTAC GAMING GeForce RTX 3080 AMP Holo
Storage	2TB SK Platinum P41 SSD + 4TB SanDisk Ultra SSD + 500GB Samsung 840 EVO SSD
Display(s)	Acer Predator X34 3440x1440@100Hz G-Sync
Case	NZXT PHANTOM410-BK
Audio Device(s)	Creative X-Fi Titanium PCIe
Power Supply	Corsair 850W
Mouse	Logitech Hero G502 SE
Software	Windows 11 Pro - 64bit
Benchmark Scores	30FPS in NFS:Rivals