Home » Computer » Software » OS » Archive by category "Windows" (Page 2)

在 EC2 上 Windows 用的 EC2Rescue

看到「Amazon EC2Rescue is now available」這個,在「How can I use EC2Rescue to troubleshoot and fix common issues on my EC2 Windows instance?」這邊則解釋了用途。

拿來解 Windows 上常見的問題的工具,也可以單純拿來拉 log?不過要注意的是版本:

Note: EC2Rescue can only be run on Windows Server 2008 R2 or later, but it can also analyze the offline volumes of Windows Server 2008 or later.

像是 Windows 2003 這些古董是沒辦法跑的 XDDD

用 SessionGopher 拉出機器上各種密碼與 Key

同事在 Slack 上提到 fireeye/SessionGopher 這個工具,可以從機器上拉出各種敏感資訊:

SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally.

方法是掃 registry 或是硬碟:

SessionGopher works by querying the HKEY_USERS hive for all users who have logged onto a domain-joined box at some point. It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information. It automatically extracts and decrypts WinSCP, FileZilla, and SuperPuTTY saved passwords. When run in Thorough mode, it also searches all drives for PuTTY private key files (.ppk) and extracts all relevant private key information, including the key itself, as well as for Remote Desktop (.rdp) and RSA (.sdtid) files.

是個... 好玩... 的... 東西...

Firefox 49 將可以吃系統的 Certificate Trust Store

在「Upcoming Changes to Root Certificates in Firefox on Windows」這邊看到 Firefox 49 將會有選項可以讓 Firefox 多吃系統的 Certificate Trust Store:

This feature is available in Firefox 49 and up (currently in beta). To give it a try, set the preference security.enterprise_roots.enabled to true. After that, Firefox should connect successfully to sites using certificates issued by 3rd party root certificates that have been added to the Windows trust database.


These features are still in the early stages, so if you encounter any unexpected behavior, please feel free to file a bug.


Badlock Bug 總算公佈了...

關於 SambaWindows 網芳的安全性問題,拖了三個禮拜的「Badlock Bug」的細節總算公佈了 (網頁還不支援 HTTPS)。

果然是為了打名氣而事前公佈的... 都不是無條件的 RCE (Remote Code Execution),而是透過 MITM 後的 RCE。

Badlock 安全性問題同時影響 Windows 與 Samba

前幾天發佈了 Windows 與 Samba 共同有的安全性問題,叫做 Badlock:「Hype Around the Mysterious ‘Badlock’ Bug Raises Criticism (WIRED)」。但這個 bug 在 4/12 前不會公佈:

On April 12th, 2016, a crucial security bug in Windows and Samba will be disclosed. We call it: Badlock.

長達三個禮拜的時間可以讓其他人找出問題是很罕見的,主要是因為這已經提供足夠多資訊去挖掘。名稱叫做 Badlock,看起來是某種 lock + race condition 造成的,而 Windows 與 Samba 同時都有問題,應該是 Microsoft 與 Samba 合作後的程式碼,或是某種 protocol workflow 的問題造成的。

It's especially interesting in this case since we have a name "Badlock" so we know it probably involves locking. We know it affects Samba and Windows. And we know who it was found by so we can look at which bits of Samba they've been working on lately. That's a lot of information for a clever person.

我預期這三個禮拜內應該就會有人公佈,目前的資訊真的太多了。更糟糕的有可能不是發 0-day exploit,而是這個漏洞進入黑市被利用。

先發表有漏洞,再給三個禮拜讓 vendor patch 的行為,看起來就是研究團隊為了出名造勢,而搞砸真正的資安問題。

聯想的 BIOS 會自動安裝軟體,即使你整台重灌...

這家公司與這類事情,好像不怎麼意外:「Lenovo used a hidden Windows feature to ensure its software could not be deleted」。

每次開機時 BIOS 會檢查是不是 Windows 7 或 Windows 8,如果是,而 C:\Windows\system32\autochk.exe 不是 Lenovo 所簽名的版本,那麼就會蓋掉變成自己版本:

If Windows 7 or 8 is installed, the BIOS of the laptop checks ‘C:\Windows\system32\autochk.exe’ to see if it’s a Microsoft file or a Lenovo-signed one, then overwrites the file with its own.

接著這個 autochk.exe 在開機被執行時就會建立 LenovoUpdate.exe 以及 LenovoCheck.exe,然後透過網路下載程式回來跑:

Then, when the modified autochk file is executed on boot, another two files LenovoUpdate.exe and LenovoCheck.exe are created, which set up a service and download files when connected to the internet.


A wide range of Lenovo laptops are affected by the issue: Flex 2 Pro-15/Edge 15 (Broadwell/Haswell models), Flex 3-1470/1570/1120, G40-80/G50-80/G50-80 Touch/V3000, S21e, S41-70/U40-70, S435/M40-35, Yoga 3 14, Yoga 3 11, Y40-80, Z41-70/Z51-70 and Z70-80 / G70-80.

如果已經買了這批電腦,請依照官方提供的新 BIOS 更新:「Lenovo Service Engine (LSE) BIOS for Notebook」。

如果還沒買的話,以後也請不要買,像是「My dream machine: Lenovo may build a new “classic” ThinkPad」這種消息看看就好...

Microsoft Windows 10 對 CDN 的影響

在「Microsoft's Windows 10 launch is going to strain CDNs, already passed 10 Tbps」這邊看到 Microsoft 推出 Windows 10 已經吃掉 10Tbps 的 capacity 了。

預定還會吃到 40Tbps,就當作八卦消息看一看好了:

Streaming Media is citing internal sources and is saying that Microsoft has reserved up to 40 Tbps with all of the key CDNs which is a massive amount of bandwidth. As of July 28th at 1PM ET, Microsoft is said to already be consuming over 10 Tbps and seeing that all regions are not yet online for deployment, it's only going to go higher.

是個熱鬧的祭典 XD