Zero-day Windows file-sharing flaw can crash systems, maybe worse

The implementation of the SMB network file sharing protocol in Windows has a serious vulnerability that could allow hackers to, at the very least, remotely crash systems.

The unpatched vulnerability was publicly disclosed Thursday by an independent security researcher named Laurent Gaffié, who claims that Microsoft has delayed releasing a patch for the flaw for the past three months.

Gaffié, who is known on Twitter as PythonResponder, published a proof-of-concept exploit for the vulnerability on GitHub, triggering an advisory from the CERT Coordination Center (CERT/CC) at Carnegie Mellon University.

“Microsoft Windows contains a memory corruption bug in the handling of SMB traffic, which may allow a remote, unauthenticated attacker to cause a denial of service or potentially execute arbitrary code on a vulnerable system,” CERT/CC said in the advisory.

Microsoft’s implementation of the Server Message Block (SMB) protocol is used by Windows computers to share files and printers over a network and also handles authentication to those shared resources.

The vulnerability affects Microsoft SMB version 3, the most recent version of the protocol. CERT/CC has confirmed that the exploit can be used to crash fully patched versions of Windows 10 and Windows 8.1.

An attacker can exploit the vulnerability by tricking a Windows system into connecting to a malicious SMB server, which would then send specially crafted responses. There are a number of techniques to force such SMB connections, and some require little or no user interaction, CERT/CC warned.

The good news is that there are no confirmed reports of successful arbitrary code execution through this vulnerability yet. However, if this is a memory corruption issue as described by CERT/CC, code execution might be a possibility.

“The crashes we’ve observed so far do not manifest in a manner that suggests straight-forward code execution, but that may change, though, as we have time to analyze it more in-depth,” said Carsten Eiram, the chief research officer at vulnerability intelligence firm Risk Based Security, via email. “This is only the initial stage of the analysis.”

Carsten’s company also confirmed the crash on a fully patched Windows 10 system, but has yet to establish if this is just a NULL pointer dereference crash or the result of a deeper issue that could have a more severe impact. Just to be on the safe side, the company is following CERT/CC’s lead in treating this as a potential code execution flaw. CERT/CC scored this vulnerability’s impact with 10, the maximum in the Common Vulnerability Scoring System (CVSS).

Gaffié said on Twitter that Microsoft plans to patch this issue during its next “Patch Tuesday,” which this month will fall on February 14 — the second Tuesday of the month. However, it’s possible that Microsoft could break out of its regular patch cycle if the vulnerability is indeed critical and starts to be exploited in the wild.

Microsoft did not immediately respond to a request for comment.

Both CERT/CC and Eiram advise network administrators to block outbound SMB connections — TCP ports 139 and 445 along with UDP ports 137 and 138 — from local networks to the Internet. This won’t completely eliminate the threat, but will isolate it to local networks.
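
One way to check that the outbound block described above is actually in effect is to scan perimeter flow records for SMB/NetBIOS traffic leaving the local network. This is an added example, not from the article or the CERT/CC advisory; the five-field record format, the sample lines and the choice of RFC 1918 ranges as "local" are assumptions.

```python
import ipaddress

# Ports named in the mitigation: TCP 139/445 and UDP 137/138.
SMB_PORTS = {("tcp", 139), ("tcp", 445), ("udp", 137), ("udp", 138)}

# Assumption: the local network uses only RFC 1918 address space.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records: "proto src_ip dst_ip dst_port action".
SAMPLE_FLOWS = """\
tcp 10.0.4.17 10.0.1.5 445 allow
tcp 10.0.4.17 203.0.113.50 445 allow
udp 192.168.1.20 198.51.100.7 137 deny
tcp 10.0.4.22 203.0.113.50 443 allow
tcp 172.16.9.3 192.0.2.10 139 allow
bogus line
"""

def is_internal(addr):
    """True if addr falls inside one of the configured local ranges."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in INTERNAL_NETS)

def outbound_smb(flow_text):
    """Return (src, dst, proto, port, action) for SMB flows leaving the LAN."""
    findings = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        proto, src, dst, port, action = parts
        try:
            key = (proto.lower(), int(port))
            leaving = is_internal(src) and not is_internal(dst)
        except ValueError:
            continue  # unparsable port or address
        if key in SMB_PORTS and leaving:
            findings.append((src, dst, key[0], key[1], action))
    return findings

def unblocked(findings):
    """Flows the perimeter let through, i.e. gaps in the outbound block."""
    return [f for f in findings if f[4] != "deny"]

if __name__ == "__main__":
    for src, dst, proto, port, action in outbound_smb(SAMPLE_FLOWS):
        print(f"{action.upper():5} {proto}/{port} {src} -> {dst}")
```

Any record returned by `unblocked` is a host that reached an external address on an SMB port and should be traced back to a missing or misordered egress rule.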

Source: cnbc

Skyrocketing memory prices may get worse before getting better

The price of desktop RAM keeps on going up, and the disappointing trend is expected to continue for a good chunk of 2017.

Right now, the best price you’re going to find for 2 x 8GB desktop DDR4 RAM modules on Newegg is about $73. But if you want something from a larger brand like G.Skill or Corsair, expect to pay more—those 16GB kits are frequently selling for more than $100.

The price increases began around mid-2016, as Newegg Business noted in a blog post in August. PCPartPicker’s memory price trend page indeed shows the cost of all types of RAM surging upward since May or so. The reason at the time was that the big money was in producing DRAM for mobile devices, followed by servers, and then finally desktops.

Since then not much has changed, with mobile device production being so big the demand is outstripping supply. At least that’s the word from DigiTimes. The newspaper spoke with Pei-Ing Lee, president of Nanya Technology, a RAM manufacturer based in Taiwan. Lee told DigiTimes that global RAM supply is still falling just short of demand—a situation Lee doesn’t expect to see improve in the spring.

By the third quarter (July through September) prices could stabilize, according to Lee. But all that really means is the price will stop going up.

Lee’s view is, of course, only one opinion, but it’s a well-informed one, and corresponds to overall trends in RAM pricing. As PC Gamer points out, pricing is seriously rising. A 2 x 8GB kit of G.Skill DDR4-2400 RAM was priced around $75 at Newegg in late November (the cheapest vendor at the time), but that RAM is now hitting $92 at the same outlet, according to PCPartPicker’s pricing history. In mid-December you could’ve picked up Patriot Viper Elite 2 x 8GB DDR4-2133 RAM for $80, but today that kit would set you back at least $100.

The impact on you at home: If you need to buy RAM for a new system, it appears there’s no real reason to wait, as you’ll be paying extra now and possibly paying even more in the coming weeks. Anyone planning a rebuild later in 2017, however, might want to buy their RAM now, as reusing your DDR3 from an older PC may not work.

With the switch to Intel’s Skylake and Kaby Lake processors, modern systems require the newer DDR4 RAM or low-voltage DDR3L memory. On the AMD side, the DDR4-supporting Ryzen is rolling out in the coming weeks.

Source: cnbc

How The Food We Eat Makes Climate Change Worse

ROME: The way we produce and eat food must change urgently both to cut the amount of planet-warming emissions produced by agriculture, and to help farmers adapt to climate change, the Food and Agriculture Organization (FAO) said on Monday.

Without swift action, climate change will put millions of people at risk of hunger and poverty, the UN agency said in a report to mark World Food Day on October 16.

Here are some key facts:

1. Agriculture, forestry and changes in land use combined are the second largest source of greenhouse gases, producing 21 percent of global emissions. The top emitter is the energy sector at 47 percent.

2. To feed a growing global population, agricultural production must rise by about 60 percent by 2050.

3. Climate change is expected to cut harvests in developing countries in the long term – although it may also improve some crop yields in the short term.

4. If climate change continues unchecked, it will make an additional 42 million people vulnerable to hunger in 2050, according to FAO calculations. However, that figure does not include people affected by extreme weather events such as drought or floods.

5. Small farmers, cattle herders and fishermen are the most vulnerable to climate change, and will need better access to technologies, markets, information and credit to adapt to climate change.

6. Agriculture suffered some 25 percent of the total economic losses caused by climate-related disasters in developing countries between 2003 and 2013. For drought-related disasters, the share rose to 84 percent.

7. Livestock alone produces nearly two thirds of agricultural emissions – mainly from animal burping, manure and feed production. Synthetic fertilisers are the next major contributor, producing 12 percent, and rice cultivation 10 percent.

8. Carbon dioxide emissions from agriculture are mainly caused by changes in land use, such as converting forests to pasture or cropland, and land degradation from over-grazing.

9. Most direct emissions of methane and nitrous oxide are caused by livestock flatulence, rice production in flooded fields and the use of nitrogen fertilisers and manure.

10. Nearly 50 percent of world food production depends on nitrogen fertiliser. The other half depends on nitrogen found in soil, animal manure, nitrogen-fixing plants, crop residues, wastes and compost.

11. More than a third of food produced worldwide is lost or wasted. Rotting food produces methane, which is a greenhouse gas 25 times more potent than carbon dioxide.

12. Deforestation and forest degradation account for about 11 percent of all greenhouse gas emissions, more than the world’s entire transport sector.

13. Reducing agriculture emissions depends partly on cutting food waste and loss, as well as shifting people’s diets – including consuming less animal products – and changing farming practices.

Source: cnbc