glnz

POSReady 2009 updates ported to Windows XP SP3 ENU

Recommended Posts

I don't know :w00t:, but maybe this thingy is becoming a mountain out of a molehill :ph34r:.

If you check the actual CVEs supposedly "covered" by KB3013455, the first three:

CVE-2015-0003

CVE-2015-0057

CVE-2015-0058

are about a LOCAL AUTHENTICATED USER possibly being able to gain elevated privileges.

The last two:

CVE-2015-0059

CVE-2015-0060

are about being tricked into opening a specially malformed TrueType Font and/or a specially crafted document.

ALL FIVE are rated as "Exploitability: Unproven".

The first three are not a threat as long as you don't allow local access to your PC; the last two, while more preoccupying in theory, are very unlikely to happen if you use some "common sense" when browsing the Internet.

Call me reckless or crazy as much as you want, but personally I will sleep fine tonight (and slept also really fine yesterday and the night before) even if I have not patched these vulnerabilities.

jaclaz

Edited by jaclaz


jaclaz - You and most others here are far more knowledgeable than I about computers.  What does it mean, and how do I make sure, that I don't allow local access to my PC?  Sorry for noob question, and thanks.


Thanks for the information, jaclaz.

So, what's your guess on how many of the other updates around (be it XP, W7, W8) would fall into that same category? 90+%?

Just a question, I've always wondered about stuff like that, would love your opinion on it...


@Outbreaker

 

Yes, I compared these two files.

 

I'm trying to create a patch for XP's win32k.sys right now.


Sounds great, harkaz. So that's a patch from the latest official POS ("bad fonts") version, back to a fully updated version without problems? It would be great if we could start that patch after the update was already installed (from any of the packs out there).

Thanks for the effort!


jaclaz - You and most others here are far more knowledgeable than I about computers.  What does it mean, and how do I make sure, that I don't allow local access to my PC?  Sorry for noob question, and thanks.

Basically it means that IF someone physically enters the room where your PC is AND he/she logs in with a valid login/password THEN he/she might be able to get full control of the machine.

These kinds of vulnerabilities make no sense[1], meaning that IF someone can put his/her hands physically on your machine there are tens of ways he/she can get full control of it, including bypassing or cracking the login password, and what not.

 

Now if you leave your home front door open and have on it a sign to the effect of "Please come in and feel free to use my PC, login is "Admin" and password is "password"", THEN it is possible that the "guest" will use one of these vulnerabilities, though it is very unlikely because, as said, there are tens of possible (and actually proven/working) ways to get full privileges.

 

Thanks for the information, jaclaz.

So, what's your guess on how many of the other updates around (be it XP, W7, W8) would fall into that same category? 90+%?

Just a question, I've always wondered about stuff like that, would love your opinion on it...

The issue - generally speaking - revolves around the differences between "vulnerability", "risk", "threat" and "probability" and they are interconnected.

 

As I see the matter:

  • A vulnerability is something that in theory can be done.
  • A risk is something that in theory and in practice can be done and that has a given (low) probability of being done.
  • A threat is something that in theory and in practice can be done and that has a given (high) probability of being done.

 

Let's use an example in another field, let's start within your home, specifically your front door lock.

  • Your front door lock is vulnerable, as it can in theory be opened in several ways.
  • There is a risk of the door lock being opened, as there are several documented ways to open it, let's say by picking it or bumping it.
  • Bad guys are known to go around opening other people's door locks so there is also a threat.

 

The probabilities of your front door lock being opened, i.e. the "step" between "risk" and "threat", depend on a number of factors: the place where you live, whether it is a flat in a condo or a family house, your habits, etc.

 

You can change your front door lock for a high security one that cannot (in theory) be picked nor bumped; this way you have eliminated a vulnerability of the lock, BUT this won't prevent the burglar from opening it with the key copy that is under your door mat or in the flower vase on the left.

 

As well, nothing prevents the burglar from kicking the door open, nor from entering through the windows at the back that you left open :w00t:.

 

You have eliminated a vulnerability or two of the lock, but you have not in any way reduced the risk or the threat of a burglar entering your home.

 

This does not mean in any way that you should remove the lock from your front door or leave it open on purpose, only that the difference in reducing the risk or nullifying the threat between having a "common" lock and a "high security" one is in practice non-existent: a given vulnerability has been patched, but there are several other vulnerabilities, actually easier to exploit or more likely to be used, that would allow the burglar to enter anyway.

 

As it is common to say, a chain is only as strong as its weakest link, and usually, when it comes to computers, that link is the actual user.

Previous discussions:

http://www.msfn.org/board/topic/163539-are-ms-updates-for-xp-really-necessary/

http://www.msfn.org/board/topic/171606-xp-os-vulnerabilities-after-april-8-2014/

 

jaclaz

 

[1] in any "controlled" environment, i.e. they may apply to - say - a PC in an Internet Cafe or in a public Library, but not on the average PC at home or in an office.

Edited by jaclaz


Patch is ready.

 

 

Thanks, I had a laptop setup already to test. But it's ENU only I guess? Any way I can apply the patch to a different language?


@harkaz

Tested it and the fonts problem is gone and I also didn't run into any other problems. :thumbup

Is there any reason why you used the win32k.sys file version 5.1.2600.6733 and not 5.1.2600.6713 (only one number higher than the KB3013455)? I think there could be an installation problem if Microsoft releases a win32k.sys next month with a file version below 5.1.2600.6734. :)

Edited by Outbreaker


Aahh, now I'm jealous, outbreaker!!


I really hope harkaz can explain the patch, to allow other languages to use it too!



 

Aahh, now I'm jealous, outbreaker!!

I really hope harkaz can explain the patch, to allow other languages to use it too!

 

Yeah, that would be great! I'm using a German version of Windows XP, but can't install the patch because of the warning message "Setup cannot update your Windows XP files because the language installed on your system is different from the update language." Changing the regional and language settings via the control panel has no effect, unfortunately :-(

Edited by Mister Floppy


Thanks harkaz! So now we can patch our localized versions of win32k.sys?

Please confirm which version we need and where to get it.

Can we use your patch.zip structure, and only replace win32k.sys?


@Atari800XL Creating your own catalog file for your patched, language-specific win32k.sys is required. Also, update the update.ver file with the new checksums. Otherwise, use the same zip structure. (Make sure it's language-specific)

 

The version to patch is: 5.1.2600.6712 (botched KB3013455 from Microsoft Update catalog)

 

Make sure you increment the version number at least by one (i.e. minimum 5.1.2600.6713)

 

ADDED (forgot): Also, patch the language-specific update.exe to accept modified update.inf file, and use language-specific installation files.

Edited by harkaz


@harkaz

Tested it and the fonts problem is gone and I also didn't run into any other problems. :thumbup

Is there any reason why you used the win32k.sys file version 5.1.2600.6733 and not 5.1.2600.6713 (only one number higher than the KB3013455)? I think there could be an installation problem if Microsoft releases a win32k.sys next month with a file version below 5.1.2600.6734. :)

Yes, I wondered about that too.

Wouldn't it have been better to keep the same version number as the faulty version of the file on the "fixed" version?

Then Windows Update will just think you've got the "official" faulty version installed.

:)
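
The two packaging points raised in this thread, harkaz's instructions (patch 5.1.2600.6712, bump the version to at least 5.1.2600.6713, refresh the update.ver checksums) and Outbreaker's worry about what a later official package with a lower file version does against 5.1.2600.6733, can be checked with a short script. The script below is an added example for this page, not harkaz's patch and not code from any of the posts. It assumes three things it labels explicitly: that the hotfix installer replaces a file only when the package's file version is strictly higher (the rule the posts describe, not a verified reading of update.exe); that an update.ver entry has the shape name=sha1,size; and that reading FileVersion by scanning for the UTF-16LE "FileVersion" key of VS_VERSIONINFO is a heuristic, not a full PE resource parser. The hypothetical later version 5.1.2600.6720 and the sample bytes are constructed for the example.

```python
"""Added example for the win32k.sys repackaging discussion (not harkaz's
patch, not code from the posts).  Checks a candidate replacement file's
FileVersion against the botched KB3013455 build and emits the update.ver
line for it.  Assumptions are marked in the comments."""
import hashlib
import re
from typing import Tuple

Version = Tuple[int, int, int, int]

BOTCHED = "5.1.2600.6712"   # KB3013455 win32k.sys from the Microsoft Update catalog
MINIMUM = "5.1.2600.6713"   # harkaz: increment the version by at least one
HARKAZ = "5.1.2600.6733"    # version harkaz's patch actually carries


def parse_version(text: str) -> Version:
    """'5.1.2600.6733' -> (5, 1, 2600, 6733); the comma form '5, 1, 2600, 6733'
    used inside version resources is accepted too."""
    parts = [int(p) for p in re.split(r"[.,]\s*", text.strip())]
    if len(parts) != 4:
        raise ValueError(f"not a four-part version: {text!r}")
    return (parts[0], parts[1], parts[2], parts[3])


def installer_would_replace(installed: str, package: str) -> bool:
    """ASSUMED installer rule (as the thread describes it): the package file
    replaces the installed one only when its version is strictly higher."""
    return parse_version(package) > parse_version(installed)


def file_version_from_blob(blob: bytes) -> str:
    """HEURISTIC: find the UTF-16LE 'FileVersion' key of VS_VERSIONINFO, skip
    its NUL and the DWORD padding, then read the UTF-16LE value one code unit
    at a time (so the 0x00 high bytes of ASCII digits are not taken as the
    terminator).  Not a full PE resource parser."""
    key = "FileVersion".encode("utf-16-le") + b"\x00\x00"
    idx = blob.find(key)
    if idx < 0:
        raise ValueError("no FileVersion key found")
    pos = idx + len(key)
    while pos % 4:                      # value starts on a DWORD boundary
        pos += 1
    units = []
    while True:
        unit = blob[pos:pos + 2]
        if len(unit) < 2:
            raise ValueError("truncated version resource")
        if unit == b"\x00\x00":
            break
        units.append(unit)
        pos += 2
    return b"".join(units).decode("utf-16-le")


def update_ver_line(name: str, data: bytes) -> str:
    """ASSUMED update.ver entry layout: <file>=<sha1 hex>,<size in bytes>."""
    return f"{name}={hashlib.sha1(data).hexdigest()},{len(data)}"


def make_versioninfo_fragment(version: str) -> bytes:
    """CONSTRUCTED test data: a StringFileInfo-like fragment with the
    key / NUL / padding / value / NUL layout a real binary uses.  The 10-byte
    head leaves the key misaligned so the padding logic is exercised."""
    key = "FileVersion".encode("utf-16-le") + b"\x00\x00"
    head = b"\x00" * 10
    pad = b"\x00" * ((4 - (len(head) + len(key)) % 4) % 4)
    value = version.encode("utf-16-le") + b"\x00\x00"
    return head + key + pad + value + "ProductVersion".encode("utf-16-le")


def check_replacement(blob: bytes) -> dict:
    """What the packager wants to know about a candidate win32k.sys."""
    found = file_version_from_blob(blob)
    return {
        "file_version": found,
        "above_botched": parse_version(found) > parse_version(BOTCHED),
        "meets_minimum": parse_version(found) >= parse_version(MINIMUM),
        "update_ver": update_ver_line("win32k.sys", blob),
    }


if __name__ == "__main__":
    print(check_replacement(make_versioninfo_fragment(HARKAZ)))
    # Outbreaker's concern: under the assumed rule a later official package
    # at a HYPOTHETICAL 5.1.2600.6720 would not replace a file at .6733.
    print(installer_would_replace(HARKAZ, "5.1.2600.6720"))
```

Run it against the real patched file by passing its bytes to check_replacement; the heuristic reader will pick up the FileVersion string, and the update_ver line shows the hash you would then carry into update.ver (confirm the real file's layout before relying on the assumed name=sha1,size shape). The last print is the trade-off the thread is discussing: a version far above the botched one guards against Windows Update re-offering KB3013455, but it also means any official follow-up whose file version lands below it would be skipped under the strictly-higher rule.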

