Windows Memory Exhaustion Network Crash Warning — No Microsoft Fix

Forbes, 06-05-2025
Beware this Windows Deployment Services memory exhaustion attack. (Getty)
Microsoft is no stranger to vulnerabilities; heck, there were 684 Windows Server security flaws confirmed in 2024 alone. This is, in fact, a positive thing, as it's far better to know about a vulnerability than to discover it only once it has been exploited, which is why Microsoft has paid hackers $60 million in bug bounties for such responsible disclosures. But what if I were to tell you that one security researcher has found a vulnerability that enables a remote attacker to crash your enterprise network at will, and that Microsoft isn't interested in paying them diddly squat, or in fixing the problem for that matter? Welcome to the worrying world of the Windows Deployment Services memory exhaustion attack technique.
You can read any number of reports and warnings about remote code execution vulnerabilities and exploits against Windows networks. The security research community might be said to be fascinated by them. And for good reason: The ability to execute arbitrary code remotely leaves your network, and ultimately the operation of your organization, vulnerable to ransomware attacks, cyber-espionage, and more.
Writing in a detailed technical blog posting, Peng warns of the dangers presented by a denial-of-service attack exploiting a vulnerability pattern in User Datagram Protocol (UDP) remote services that are employing Windows Deployment Services (WDS). The associate professor demonstrated how an attacker can crash a Windows enterprise network, without any authentication or user interaction, by mounting a remote denial-of-service attack against WDS.
'WDS is critical for IT administrators managing corporate networks, data centers, or educational institutions requiring streamlined, secure OS deployments,' Peng said, explaining that an attacker can easily forge client IP addresses and port numbers to create new sessions until all system resources are exhausted.
The full technical methodology is in Peng's report, but just know that this easy-to-exploit vulnerability enables an attacker to disrupt a network rapidly and effectively, as it literally collapses from memory exhaustion.
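To make the resource-exhaustion pattern concrete from the defender's side, here is an added model (not code from Peng's report, from WDS, or from Microsoft) of a UDP service that allocates a session for every unseen (source IP, source port) pair. Because UDP sources can be forged, an unbounded table grows once per datagram; the hardened variant adds a global cap, a per-source cap and idle expiry. The class names, limits and traffic samples are constructed for illustration.

```python
"""Constructed model of per-datagram session allocation in a UDP service."""
from collections import OrderedDict

class UnboundedSessions:
    """Allocates a session for every unseen (ip, port); never evicts (the weak pattern)."""
    def __init__(self):
        self.sessions = {}

    def handle(self, ip, port, now):
        key = (ip, port)
        if key not in self.sessions:
            # Each forged tuple costs the server a fresh buffer it never reclaims.
            self.sessions[key] = {"created": now, "buf": bytearray(1024)}
        self.sessions[key]["last"] = now
        return True

class BoundedSessions:
    """Same service with a global cap, a per-source-IP cap and idle expiry (hypothetical limits)."""
    def __init__(self, max_total=1000, max_per_ip=8, idle_secs=30.0):
        self.max_total, self.max_per_ip, self.idle = max_total, max_per_ip, idle_secs
        self.sessions = OrderedDict()   # ordered by last activity: oldest first
        self.per_ip = {}
        self.rejected = 0

    def _drop(self, key):
        del self.sessions[key]
        self.per_ip[key[0]] -= 1

    def expire(self, now):
        # Walk from the least recently active session; stop at the first fresh one.
        for key, s in list(self.sessions.items()):
            if now - s["last"] <= self.idle:
                break
            self._drop(key)

    def handle(self, ip, port, now):
        self.expire(now)
        key = (ip, port)
        if key in self.sessions:
            self.sessions[key]["last"] = now
            self.sessions.move_to_end(key)
            return True
        if len(self.sessions) >= self.max_total or self.per_ip.get(ip, 0) >= self.max_per_ip:
            self.rejected += 1          # refuse rather than allocate; worth logging in practice
            return False
        self.sessions[key] = {"created": now, "last": now, "buf": bytearray(1024)}
        self.per_ip[ip] = self.per_ip.get(ip, 0) + 1
        return True

def replay(table, datagrams):
    """Feed (ip, port, timestamp) tuples into a table; return the live session count."""
    for ip, port, now in datagrams:
        table.handle(ip, port, now)
    return len(table.sessions)

# Constructed traffic: 5000 datagrams, each from a distinct forged source tuple,
# all arriving within one second and never followed up.
FLOOD = [(f"10.0.{i // 256}.{i % 256}", 40000 + i, i / 5000.0) for i in range(5000)]
```

Running `replay` over FLOOD leaves the unbounded table holding 5000 live sessions, while the bounded table stops at its cap and counts the rest as rejected.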
You might think that Microsoft would be all over this, but that doesn't appear to be the case. Peng disclosed the vulnerability to Microsoft on Feb. 8, and it was confirmed on March 4. Come April 23, Microsoft told Peng that the vulnerability is 'moderate' and doesn't meet the bar for security action, including bounty payments. The same day, Peng responded to urge Microsoft to act, as it was 'an important DoS bug without authentication (pre-auth) or user interaction (0-click),' but as nothing more was heard, decided to publish the blog.
Peng recommends that users abandon Windows Deployment Services as 'there is currently no good way to mitigate this issue unless Microsoft takes responsibility and releases a patch.'
I have reached out to Microsoft for a statement.