Newsletter Archives
-
MS-DEFCON 2: Time to make sure you turned off Automatic Update
With Patch Tuesday imminent, make sure you have Automatic Update turned off. You have to patch sooner or later, but there’s no reason to expose your machine to malformed missives from Microsoft.
Details in Computerworld Woody on Windows.
-
List of problematic SMBv1-only hardware, from NedPyle
No doubt you’ve been following the SMBv1 controversy, where an ancient protocol is exposing lots of machines to WannaCry-class malware. You or your company may well have started disabling it.
Microsoft’s Ned Pyle (@NerdPyle on Twitter) has compiled a lengthy list of hardware that only works with SMBv1. It’s a sobering list.
-
Win10 Creators Update 1703 no longer able to set “Pause Updates” to 35 days
A letter from SC:
I am running Windows 10 Pro Version 1703, Build 15063.413.
Several weeks ago I was able to set “Pause Updates” for up to 35 days.
Now I am only able to “Pause Updates” for up to 7 days.
What has happened? Is there some way to revert to 35 days?
I don’t know what the problem might be. Do any of you? I see there’s a similar complaint from Gabe1972 on the Microsoft Answers forum.
UPDATE: I seem to recall there was a change from 35 to 7 days when the beta version of 1703 finally hit RTM. Could that be the source of the confusion?
-
Widespread problems with last week’s Win10 1703 patch, KB 4022716
There’s a reason why I keep recommending that you avoid Windows 10 Creators Update. It ain’t baked yet.
Case in point: KB 4022716, the June 27 cumulative update for Win10 version 1703, which is supposed to bring the version up to build 15063.447.
There’s a lengthy Microsoft Answers forum thread about how KB4022716 kills web browser Google Chrome, Firefox, Internet Explorer. Another one about black screens with flickering cursor after unlocking, which is repeated on a Lenovo forum. A laundry list of additional problems.
Comodo says:
We strongly advise Comodo users not to update to latest MS update KB4022716, which is available for Windows 10 users till they have new fixed version of Comodo internet security products installed.
Some people are reporting that the patch has been pulled. Others say that it’s still being offered.
If you ignored my advice and upgraded to Win10 Creators Update, you would be well advised to avoid the latest cumulative update.
-
MS-DEFCON 3: Get patched, but watch out for Outlook
With the first non-security Office patches due out on Tuesday, July 4, we’re kinda backed up against a wall.
The simple problem: Some of the patches dribbled out in June still don’t work right. For example, the June 27 patch for Outlook 2010, KB 3015545, was pulled a few days ago because it crashes 32-bit Outlook.
The original download package for the 32-bit version was removed from the Download Center after a problem was discovered that could cause Outlook to crash when you preview messages that have attachments. If you already downloaded and installed the 32-bit update, we recommend that you remove it until a new version is available.
A new update for 32-bit Outlook 2010 is under development and will be posted in this article when it becomes available.
According to the official bug-tracking list at Outlook known issues in the June 2017 security updates, we also have these problems:
There is no Outlook 2007 fix for Issue #1, the “program is not installed” and/or “unsafe attachments” error when opening an attachment. In addition, the 32-bit Outlook 2010 fix has been pulled because it, you know, crashes Outlook.
There is no Outlook 2007 fix for Issue #2, the “untrustworthy source” bug. Same comment about 32-bit Outlook 2010.
Issue #4 (VBScript doesn’t run on custom Outlook forms) has not been fixed for any version of Outlook.
Issue #5 (iCloud doesn’t work with Outlook) hasn’t been fixed for Outlook 2007. For other versions of Outlook, you need to uninstall and reinstall iCloud.
Issue #7 (iframe part of a web page doesn’t print) has been fixed by various Windows patches.
That’s the kind of garbage we’re facing at the moment. As many of you know, I’ve never been a fan of Microsoft’s patching. This month marks (yet another) new low in patch quality. Believe me, that’s saying something.
Over on the Win10 side of the patching puddle, in addition to the iSCSI problems I reported last week, we have a new, officially acknowledged, bug:
After you install this update, Internet Explorer 11 may close unexpectedly when you visit some websites. When the problem occurs, you may receive an error message that resembles the following:
We were unable to return you to [previous URL].
Internet Explorer has stopped trying to restore this website. It appears the website continues to have a problem.
The problem may occur if the website is complex and uses certain web APIs. Microsoft is researching this problem and will update this article when more information becomes available.
The solution, of course, is to avoid Internet Explorer, but I’ve been saying that for more than a decade.
If you’re having trouble printing iframes from inside web pages, using IE, I recommend the same solution – ditch IE. But if you insist on using IE, and want to be able to print inside iframes, you have to install one of the recent Windows patches.
Anyway, it’s time to strap on your hip waders and get patched. Here are my latest recommendations. Remember you have three basic choices for Win7 and 8.1:
- Group A – installation of Monthly Rollups via a manual run of Windows Update
- Group B – manual installation of specific Security-Only patches
- Group W – folks who sat on the bench and didn’t patch at all.
In this post-Shadow-Brokers era, where Microsoft is screwing up patches by the bushelful and compounding bugs in security patches (which is to say, fixes for security bugs appear in non-security patches), I figure you only have a few choices:
Win7/8.1 Group W — R.I.P.
With Shadow Brokers guaranteeing that major Windows vulnerabilities are coming every month, Group W is just plain dangerous. It’s not an option. Sorry.
Win7/8.1 Group B — Only for experts with a high tolerance for pain
Group B, which is based on Microsoft’s commitment to deliver Security-only updates every month, has gone from relatively simple to very complex. Officially, Internet Explorer patches have been broken off from the main download. There’s all sorts of confusion about .NET patches — which are Security-only, which Rollups? We’ve seen security patches released outside the monthly Security-only stream. There have been bugs in Security-only patches that were fixed outside of the Security-only stream. There’s a host of problems documented in this Topic.
Group B isn’t dead, but it’s no longer within the grasp of typical Windows customers. Many of you reading this post are fully capable of sticking with Group B. Most Windows customers are not.
If you want to pursue Group B, in spite of the warnings, look at PKCano’s AKB 2000003.
Win7/8.1 Group A – Go ahead and patch, but understand the consequences
Microsoft is still blocking updates to Win 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that’s a year old, or newer, follow the instructions in AKB 2000004 or @MrBrian’s summary of @radosuaf’s method to make sure you can use Windows Update to get updates applied.
If you want to minimize Microsoft’s snooping but still install all of the offered patches, turn off the Customer Experience Improvement Program (Step 1 of AKB 2000007: Turning off the worst Windows 7 and 8.1 snooping) before you install any patches. (Thx @MrBrian).
For those of you interested in the nuances, @ch100 has a good synopsis here and a follow-up here.
For most Windows 7 and 8.1 users, I recommend following AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups. Watch out for driver updates — you’re far better off getting them from the manufacturer’s web site.
Microsoft also has huge Monthly Rollup Preview, KB 4022720 for Win 8.1, and a smaller KB 4022168 for Win7. As usual, I don’t recommend that you install the Previews. You’ll be able to pick up the patches when they roll out for real later in July.
After you’ve installed the latest Monthly Rollup, if you’re intent on minimizing Microsoft’s snooping, run through the steps in AKB 2000007: Turning off the worst Win7 and 8.1 snooping. Realize that we don’t know what information Microsoft collects on Win7 and 8.1 machines.
Windows 10
It’s still too early to jump to Win10 Creators Update, version 1703. Wait for it to be designated “Current Branch for Business.” You can block the upgrade with a few simple steps, detailed in this Computerworld post.
To get Win10 patched, run the steps in AKB 2000005: How to update Windows 10 – safely. You may want to use wushowhide to hide any driver updates. All of the other updates should be OK, including Servicing stack updates, Office, MSRT, or .Net updates (go ahead and use the Monthly Rollup if it’s offered).
One more Win10 oddity this month: If you’re using the Creators Update, version 1703, and run Windows Update, you’ll get the massive June 27 non-security patch, KB 4022716, bringing you to build 15063.447. There are analogous patches for the earlier versions of Win 10, but they won’t be installed during a Windows Update run. You can search for the patches for Win10 Anniversary Update (version 1607), or Win10 Fall Update (version 1511), and install them manually, if you really want to, but I don’t see any pressing reason to do so. Wait for the other guinea pigs, eh?
The only major bugs I see at this point are Internet Explorer-related — and for those of you afflicted I say, hey, you shouldn’t be using IE anyway. The rest of the world has switched to Chrome or Firefox. (Netmarketshare pegs desktop usage share at 60% Chrome, 17% IE, 12% Firefox and 6% Edge.) Get with the program and kick the Microsoft browser habit.
Office updates
There’s a post from Pim saying that, as of very early Monday morning:
This morning Outlook 2010 June 2017 update KB3203467 was (still) offered as an important update on my Windows 7 system, but unticked. It is not retired.
As is always the case, DON’T CHECK ANYTHING THAT’S UNCHECKED.
.NET updates
As of late Sunday night, @ch100 advises:
.NET Framework Preview patches released in May 2017 (latest for all versions other than 4.7) have been pulled due to conflict with the .NET Framework 4.7 installer.
https://blogs.msdn.microsoft.com/dotnet/2017/05/17/net-framework-may-2017-preview-of-quality-rollup/
Again, don’t check anything that’s unchecked.
I sincerely apologize for all the if’s and’s and but’s in this month’s go-ahead. If it’s any consolation, just about everybody at Microsoft is off for a four-day weekend, so things aren’t likely to get any worse.
Time to get patched. Tell your friends, but make sure they understand what’s happening. And for heaven’s sake, as soon as you’re patched, turn off automatic updating! I see no reason at all to believe that the July patches will be any better than the June crop.
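Since "turn off automatic updating" comes up in every one of these alerts, here is an added PowerShell example (not from this post or from any AskWoody KB article) that reports how the Windows Update client is configured on Win7/8.1 and sets the policy to "notify before download", so nothing is downloaded or installed until you say so. It assumes the documented WindowsUpdate\AU policy registry values and an elevated prompt; the function names are my own.

```powershell
# Added example, not from the AskWoody post. Run from an elevated PowerShell prompt.
# Assumption: the Windows Update client honours the policy key below (the same values
# a Group Policy would write). AUOptions 2 = "Notify before download".
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-AutomaticUpdateState {
    if (-not (Test-Path $auKey)) {
        return 'No policy set (the Control Panel / Settings choice applies)'
    }
    $au = Get-ItemProperty -Path $auKey
    if ($au.NoAutoUpdate -eq 1) { return 'Automatic Updates disabled by policy' }
    switch ($au.AUOptions) {
        2       { 'Notify before download' }
        3       { 'Auto download, notify before install' }
        4       { 'Auto download and schedule install' }
        5       { 'Local admin chooses the setting' }
        default { 'AUOptions not set' }
    }
}

function Set-NotifyBeforeDownload {
    if (-not (Test-Path $auKey)) { New-Item -Path $auKey -Force | Out-Null }
    # NoAutoUpdate=0 keeps the client running; AUOptions=2 makes it only notify.
    Set-ItemProperty -Path $auKey -Name NoAutoUpdate -Value 0 -Type DWord
    Set-ItemProperty -Path $auKey -Name AUOptions    -Value 2 -Type DWord
    # Restart the client so it re-reads the policy without a reboot.
    Restart-Service -Name wuauserv -Force
}

"Before: $(Get-AutomaticUpdateState)"
Set-NotifyBeforeDownload
"After:  $(Get-AutomaticUpdateState)"
```

If the machine is domain-joined and a Group Policy already sets these values, the next policy refresh will overwrite whatever you set here, so check with your admin rather than fighting the GPO. You can still run Windows Update by hand (Group A) or install Security-only patches by hand (Group B) with this setting in place; it only stops the automatic install.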
-
Turn off SMBv1 on Windows, but be aware of the consequences
Good series of articles from Barb Bowman, taking normal everyday users through the steps to disable SMBv1, the Windows system utility that put the “cry” in WannaCry.
The first article explains how to turn it off.
The second article gives workarounds for common problems with disabling the ancient protocol.
-
Evidence that PetyaWrap is from a Russia-linked hacking group “TeleBots”
Interesting tweet stream from Catalin Cimpanu.
He connects the dots and, based on a report from ESET, deduces that PetyaWrap comes from a hacking organization known as TeleBots, which targeted the US before 2015, and the Ukraine after 2015.
ESET now confirms Telebots hacked MEDoc and installed a backdoor
which apparently was used to seed PetyaWrap.
That doesn’t explain all of the PetyaWrap infections, but it does explain the best-known infection vector.
In addition, Dan Goodin has more evidence on Ars Technica that the people behind PetyaWrap got the leaked NSA code weeks before Shadow Brokers released it to the world. Dan calls it an “unproven theory” but it’s an interesting one.
Thx @Kirsty
-
Contrary opinion: PetyaWrap is buggy, poorly constructed ransomware
Yesterday, I ran an article that says PetyaWrap (NyetPetya, Petya.2017, nPetya, pick your name) “was designed to make headlines, not to make money.” There’s convincing evidence for that conclusion, offered by highly regarded malware researchers.
But there’s a second opinion which says, roughly, “PetyaWrap was (is) a buggy piece of real ransomware.” Vess Bontchev goes on to assert that it’s from an “idiot ransomware writer.”
Rob Graham has an excellent exposé of that assertion in his Errata Security blog, NonPetya: no evidence it was a “smokescreen”:
Certainly, things look suspicious. For one thing, it certainly targeted the Ukraine. For another thing, it made several mistakes that prevent them from ever decrypting drives. Their email account was shut down, and it corrupts the boot sector.
But these things aren’t evidence, they are problems. They are things needing explanation, not things that support our preferred conspiracy theory.
Three things I know for sure.
First, it’s still a problem. According to Ian Thomson at The Reg, FedEx reportedly halted trading on the NYSE because its TNT subsidiary got infected – likely with PetyaWrap.
Second, the antivirus companies are in hype overdrive mode, claiming this or that about their products and PetyaWrap. I don’t believe any of it.
Third, the people who say “install all Windows patches right away to prevent PetyaWrap infections” don’t have a clue. The infection method for PetyaWrap is still unknown, and the subject of much conjecture. What we do know is that, if your Windows PC has all of the March patches installed, it won’t get infected by one method, but it may get infected by a different method. Having all of your Windows patches up to date won’t protect you, in spite of what the self-proclaimed “experts” say.
As for the major network TV show that claimed you could improve protection against PetyaWrap by using strong passwords…. pffffffffffffffft.
Welcome to the scary new world of Windows, folks.
-
PetyaWrap was designed to make headlines, not to make money
… and it certainly succeeded.
Security researcher Matt Suiche has published more details about PetyaWrap (NyetPetya, Petya.2017, choose your favorite cute name) that show quite conclusively that the person/organization behind PetyaWrap wasn’t interested in making money — they just wanted to make a big splash. Suiche calls it a “wiper,” as opposed to ransomware:
The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative. A ransomware has the ability to restore its modification such as (restoring the MBR like in the 2016 Petya, or decrypting files if the victim pays) — a wiper would simply destroy and exclude possibilities of restoration.
Dan Goodin at Ars Technica has a new analysis that strengthens Suiche’s conclusion: Tuesday’s massive ransomware outbreak was, in fact, something much worse:
the payload delivered in Tuesday’s outbreak wasn’t ransomware at all. Instead, its true objective was to permanently wipe as many hard drives as possible on infected network…
Tuesday’s malware was impressive. It used two exploits developed by and later stolen from the National Security Agency. It combined those exploits with custom code that stole network credentials so the malware could infect fully patched Windows computers. And it was seeded by compromising the update mechanism for M.E.Doc, a tax-filing application that is almost mandatory for companies that do business in Ukraine. The shortcomings in the ransomware functions aren’t likely to be mistakes, considering the overall quality of the malware.
If the intent of the PetyaWrap author(s) was to sow fear of Windows, they certainly succeeded. Because of the way PetyaWrap infects, very few of you have been hit. The next version may not be so kind.
Chromebooks are looking better every day.
-
ELSA: How the CIA tracked the location of an infected PC using WiFi signals
The latest WikiLeaks release talks about ELSA, reportedly a CIA project that allowed the government (and now, apparently, everybody) to snoop on the location of an infected PC.
ELSA is a geo-location malware for WiFi-enabled devices like laptops running the Microsoft Windows operating system. Once persistently installed on a target machine using separate CIA exploits, the malware scans visible WiFi access points and records the ESS identifier, MAC address and signal strength at regular intervals. To perform the data collection the target machine does not have to be online or connected to an access point; it only needs to be running with an enabled WiFi device. If it is connected to the internet, the malware automatically tries to use public geo-location databases from Google or Microsoft to resolve the position of the device and stores the longitude and latitude data along with the timestamp.
Clever.
-
Massive batch of bug fixes for Windows, Office – KB 4022716, 4022723, with known problems
The dust is still settling, but here’s what people are seeing right now:
- Win10 version 1703 – KB 4022716 includes a long list of bug fixes, brings build up to 15063.447. Known problem with iSCSI targets. UPDATE: Neowin reports that, nine hours after announcing this patch, it’s now available via Windows Update. MS also pulled the warning about connecting to iSCSI targets. (Thx, @Kirsty)
- Win10 version 1607 – KB 4022723 also includes lots and lots of fixes, build 14393.1378, also has a problem with iSCSI. The KB article states that you have to manually download and install this patch, if you want it. Confused yet?
- Win10 version 1511 – KB 4032693 has a much shorter list of fixes, build 10586.965, no identified problems. You also have to manually download and install this one, if you want it. (Thx, @MrBrian.)
- Win 8.1 – KB 4022720, the preview of next month’s (July’s) non-security patches, also has a massive list of bug fixes, with a known problem with iSCSI attachment.
- Win 7 – KB 4022168, also a preview of next month’s patches, has a much shorter list of fixes. I have no idea why Microsoft released the Previews on this, the fourth Tuesday of the month. They’re supposed to come out on the third Tuesday.
I believe the 1703, Win 8.1 and Win7 patches are currently available through Windows Update and WSUS – but please drop a line if you aren’t seeing yours.
Just to make life a little more complicated, Microsoft has officially announced that it has released KB 4022716 — the 1703 patch, mentioned above — to the Insiders Program Slow ring. Yes, if the documentation is correct, that means this same patch is available to Insiders Slow Ring (currently at build 10563.413, the same as the “old” build of 1703), but is not available to Insiders Fast Ring — nor is it available to Insiders Release Preview Ring. I think somebody at Microsoft didn’t press the right red button.
Please tell me if you can translate this paragraph from the announcement:
When we release a new Windows 10 Fall Creators Update build to Insiders in the Slow ring, they can wait to be targeted to install the new build, or instead of waiting Insiders can manually check for updates via Windows Update to get the new build. We know this is different from our usual “everyone at once” model to the WIP rings, however this testing will provide invaluable insights to ensure this new targeting framework is functioning as expected.
I’m seeing confused/confusing reports about the Outlook patches – do they fix all of the identified issues, or only some? What and where are they? According to the Outlook known issues in the June 2017 security updates page, these fixes are available:
- June 27, 2017, update for Outlook 2010 (KB3015545) – for Issues #1 and #2 but there’s no analogous patch for Outlook 2007 as yet.
- June 27, 2017, update for Outlook 2013 (KB3191849) – for Issue #2 and #3 but, similarly, there’s no analogous patch for Outlook 2007 as yet, nor is there a fix for Outlook 2016.
Microsoft also says it has fixed the Outlook Search problems, as well as the Internet Explorer printing problems… by the above-mentioned fixes to Windows.
And of course MrBrian’s reports from the Internet Explorer bug trenches remain clouded.
Can anybody remember back when patching Windows wasn’t so complicated? Yeah, me neither. It’s becoming increasingly difficult to put lipstick on the pig.
Until we have some indication of the problems generated by this latest round of patches, I’m keeping us at MS-DEFCON 1: Current Microsoft patches are causing havoc. Don’t patch.
-
The grugq: PetyaWrap causing lots of havoc, making little profit
Dan Goodin at Ars Technica has the definitive report on the latest ransomware outbreak:
A new ransomware attack similar to last month’s self-replicating WCry outbreak is sweeping the world with at least 80 large companies infected, including drug maker Merck, international shipping company Maersk, law firm DLA Piper, UK advertising firm WPP, and snack food maker Mondelez International. It has attacked at least 12,000 computers, according to one security company.
If you haven’t seen the grugq’s technical analysis, it’s well worth a gander.
Although the worm is camouflaged to look like the infamous Petya ransomware, it has an extremely poor payment pipeline.
Of course, you have nothing to worry about because you installed MS17-010 last month, right?
Vess Bontchev nudged me about the spreading mechanisms. At this point, we don’t really know how PetyaWrap spread, but once it infects one machine on a system, the MS17-010 patch doesn’t block it from moving from machine to machine on that same network. I have no idea how it spread so rapidly.
Microsoft has a security blog on the topic. It lists one of the spreading mechanisms and says that one is blocked by MS17-010 — but there are two other identified mechanisms.
We recommend customers that have not yet installed security update MS17-010 to do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:
- Disable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547 and as recommended previously
- Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445
If you want to double down on your protection, you can also block PetyaWrap by creating a read-only file called c:\Windows\perfc. Full instructions on Bleeping Computer.
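Pulling the three mitigations in this post together, here is an added PowerShell example that is not from the post, from Microsoft’s blog, or from Bleeping Computer: it audits SMBv1 and TCP 445 exposure on one host, turns SMBv1 off, adds a host-firewall block for inbound 445 as the local counterpart of the router rule, and creates the read-only perfc file. It assumes Windows 8.1/10 (the Smb* and NetFirewall cmdlets), an elevated prompt, and a firewall rule name of my own choosing.

```powershell
# Added example, not from the AskWoody post or Microsoft's guidance. Run elevated.
# Assumptions: Windows 8.1/10 with the SMB1Protocol optional feature; the firewall
# rule display name is invented here and only used to find our own rule again.
$ruleName = 'Block inbound SMB (TCP 445) - added example'

function Get-SmbV1Status {
    $server = Get-SmbServerConfiguration
    [pscustomobject]@{
        Smb1ServerEnabled = $server.EnableSMB1Protocol
        Smb1FeatureState  = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
        Port445Blocked    = [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)
        PerfcPresent      = Test-Path (Join-Path $env:SystemRoot 'perfc')
    }
}

function Disable-SmbV1 {
    # Server side: stop offering SMB1 to clients immediately.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the SMB1 component (client and server); the removal completes on reboot.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Block-InboundSmb {
    # Host-based version of the router/firewall rule: drop inbound TCP 445 from anywhere.
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

function New-PerfcVaccine {
    # The read-only C:\Windows\perfc file the post refers to.
    $path = Join-Path $env:SystemRoot 'perfc'
    if (-not (Test-Path $path)) { New-Item -Path $path -ItemType File | Out-Null }
    Set-ItemProperty -Path $path -Name IsReadOnly -Value $true
}

'Before:'; Get-SmbV1Status | Format-List
Disable-SmbV1
Block-InboundSmb
New-PerfcVaccine
'After:';  Get-SmbV1Status | Format-List
```

Blocking inbound 445 on a workstation is harmless; on a file server or domain controller it breaks file sharing and SYSVOL, so scope the rule to trusted subnets there instead of using it as written. Note, as the post says, that the perfc file and MS17-010 address some known spreading paths, not all of them, so these steps reduce exposure rather than guaranteeing immunity.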
-