Jump to content

POSReady 2009 updates ported to Windows XP SP3 ENU

glnz

By glnz
in Windows XP

 Share

Recommended Posts

glnz

glnz

Posted
  • Author
Posted (edited)

den - I have an idea!  

592af991091b8_Grampy-A-Ha3.jpg.1fef629aecfd831e153c723433838341.jpg
If you were to compare our last XP-valid mrt.exe (from August 2016) to this new one, would the comparison show other changes/differences you could undo in the new one to get it to work?

I don't have the savvy, but you do.

Edited by glnz
Link to comment
Share on other sites

glnz

glnz

Posted
  • Author
Posted (edited)

PKCano just wrote:

Quote

Other than it’s running in a Parallels VM, as far as I know it’s a standard install.

Edited by glnz
Link to comment
Share on other sites
glnz

glnz

Posted
  • Author
Posted (edited)

PKCano sent me a PM:

Quote

@glnz
Just to let you know what I’ve done since last post:
I pulled out my laptop that has the other XP VM to see if I had the same resultswith MSRT. Thought it might be something that Parallels was doing in the VM.
Same procedure to download and save to the desktop. It DID NOT run, with the same “it’s not a valid Win32 program” that you all have been getting.
Then I went back in the desktop VM and tried to run it again – with the same failure.
I don’t know what the quirk was the first time, because it DID run. I can’t reproduce it now.

Letting you know that you aren’t mistaken and I’m evidently not some miracle worker. It had to be some fluke.
PKCano

So it was just another

FALSE ALARM.

Edited by glnz
Link to comment
Share on other sites
dencorso

dencorso

Posted
Posted
8 hours ago, glnz said:

den - I have an idea!  

592af991091b8_Grampy-A-Ha3.jpg.1fef629aecfd831e153c723433838341.jpg
If you were to compare our last XP-valid mrt.exe (from August 2016) to this new one, would the comparison show other changes/differences you could undo in the new one to get it to work?

I don't have the savvy, but you do.

Maybe. Then again, it's a signed file: if it checks for a valid signature before running, it's no go. So, before anything, we'd have to find out whether it can run on one of the OSes it likes (say, 7 x86, for instance) after being stripped of the signature. In case it does, then it's possible to do. But is it worth it? IMO, no. MSE works. Malwarebytes anti-malware works. Clam antivirus works. Other similar software does work, too. Ain't that enough?

Link to comment
Share on other sites
erpdude8

erpdude8

Posted
Posted
On 5/14/2017 at 4:23 AM, Dave-H said:

Interesting that bulletin still lists Vista as a supported OS. I thought support for that ended a month ago!
Vista users should still have had the patch back in March though.
Are there any instances of machines on current fully patched operating systems being affected by the exploit?
I'd be surprised if Windows 10 was affected, because as we all know, you can't avoid getting patched on that, unless you make a deliberate decision to prevent it!
Let's hope that the next evolution of the malware is blocked before it has a chance to strike.
:yes:
 

the WannaCry ransomware only infects Win7 based computers and NOT XP machines (whether KB4012598 for XP is installed or not):

https://www.askwoody.com/2017/the-original-wannacry-does-not-infect-windows-xp-boxes/

Link to comment
Share on other sites
erpdude8

erpdude8

Posted
Posted (edited)
On 5/16/2017 at 0:56 AM, Winfried said:

After reading more about this hack, I'm having second thoughts, and would rather remove it.
 

it's not a good idea to remove the posready registry entries after installing any posready specific updates - that will prevent installation of posready specific updates on your XP computer after removing the posready keys.  best to leave the posready reg key alone

Edited by erpdude8
Link to comment
Share on other sites
heinoganda

heinoganda

Posted
Posted (edited)
1 hour ago, patclash said:

Hi , I got it this morning as automatic update

KB4018556 has been revised and is now available as KB4018556-v2!

(POSReady 2009 KB4018556-v2 via WSUS catalog)

Info:
In the WSUS catalog, all possible language variants are now offered at the download, with the web browser Firefox or Google Chrome. Miracles still happen!

:)

Edited by heinoganda
1
Link to comment
Share on other sites
Mathwiz

Mathwiz

Posted
Posted

Good! Downloaded & installed.

Now if M$ would just fix the EsteemAudit vulnerability (since it affects XP and Server 2003, it's a good bet it affects POSReady '09 too)....

Link to comment
Share on other sites
heinoganda

heinoganda

Posted
Posted

Reading about EsteemAudit:
https://researchcenter.paloaltonetworks.com/2017/05/unit42-dissection-esteemaudit-windows-remote-desktop-exploit/

Possible Countermeasure: 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fEnableSmartCard"=dword:00000000

To test:
https://github.com/BlackMathIT/Esteemaudit-Metasploit

:)

Link to comment
Share on other sites
glnz

glnz

Posted
  • Author
Posted (edited)

Mathwiz and heinoganda -

For those of us with typical XP machines at home or small offices - workgroup, not domain - do we need to worry about EsteemAudit?  Heinoganda - your researchcenter article has a comment at bottom that non-domain PCs need not worry.

My system32 folder has these files:  scardsvr.exe, scarddlg.dll, scardssp.dll and winscard.dll.    In services.msc, my Smart Card service is set to "Manual".  In regedit, the key [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services] has nothing in it - no entries at all.  In Accessories, Control Panel and Open Network Connections, I have not found anything related to Smart Cards.

Thanks.

PS - you both OK after installing the new KB4018556 ?

Edited by glnz
Link to comment
Share on other sites
heinoganda

heinoganda

Posted
Posted (edited)
1 hour ago, glnz said:

In regedit, the key [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services] has nothing in it - no entries at all.

The entry does not exist, but if this key is entered this, the smart card authentication is disabled in RDP and thus the authentication at EsteemAudit stopped. Specifically, it is about a vulnerability in the file gpkrsrc.dll (resources for Gemplus cryptographic service providers). This makes EsteemAudit ineffective. Even I use RDP to access some computers in the internal network.

KB4018556 (KB4018556-v2) works perfectly for me, no problems.

:)

Edited by heinoganda
Link to comment
Share on other sites
glnz

glnz

Posted
  • Author
Posted

heinoganda - I just installed KB4018556, and it also solved a problem I was having.  This morning, my CD-DVD unit had an error! in Device Manager, it was not showing in Explorer, I couldn't fix it, but after installing KB4018556, that is fixed.

Same for a virtual CD function in my Western Digital external drive - exact same symptoms and fix.

Very nice !!!!  Thanks, as always.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...