Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The main one is to have _all_ machines patched through windows update. That is what will protect you.

SMBv1 is an outdated protocol, in which there have been some severe vulnerabilities disclosed in the last few weeks, hence why I recommended to get rid of it at the same time.

That being said, the vulnerability being exploited here is in SMBv2, hence why patching all machines is crucial.



I notice that Microsoft is claiming the exploit is in SMBv1 in their patch description [1].

[1] https://support.microsoft.com/en-us/help/4012598/title


There are two exploits. One targets SMBv1 and the other SMBv2. Then there's the backdoor.


If you are working with SCCM and 20,000+ clients (computers), you will know that all machines will never be patched. It just does not happen. On any given large network there will always be a certain number of unpatched clients. There are a myriad of reasons for patching to fail, from advertisement errors to installation issues, to machines simply being offline (and later coming back online).


You are right that this is often the reality of things. Some systems also will just never be patched because the software running on them stops working if you do and the vendor cannot or will not provide an update that addresses this.

However, in such cases it becomes crucial to have e.g. proper network segmentation in place to help mitigate the risk.

Unfortunately, at this time, there are seldom perfect solutions when it comes to security and a patching scenario can only do so much. In this case, patches are available, but the day a ransomware starts using proper 0-day we'll see a different scenario play out.

It therefore remains important to also keep focus on the reduction of attack surface, and the reduction of software complexity, besides resolving individual technical vulnerabilities.


Thanks for the info. I patched all client machines last night.

Here is the offline installer:

https://support.microsoft.com/en-us/help/3125574/convenience...

Prerequisites: must have installed SP1, along with the April 2015 convenience rollup. Links are provided in the prerequisites section.

Here's a direct link to the catalog download for the May 2017 security rollup (this supercedes all previous monthly rollups):

http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB...

For more information on the monthly rollups and how they supersede each other, see:

https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/...




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: