Newsletter Archives

  • FBI Private Industry Notification: Win7 is a leaky boat

    The US Federal Bureau of Investigation released PIN number 20200803-002 which says, inter alia,

    The FBI has observed cyber criminals targeting computer network infrastructure after an operating system achieves end of life status. Continuing to use Windows 7 within an enterprise may provide cyber criminals access into computer systems. As time passes, Windows 7 becomes more vulnerable to exploitation due to lack of security updates and new vulnerabilities discovered. Microsoft and other industry professionals strongly recommend upgrading computer systems to an actively supported operating system.

    Migrating to a new operating system can pose its own unique challenges, such as cost for new hardware and software and updating existing custom software. However, these challenges do not outweigh the loss of intellectual property and threats to an organization.

    The announcement is long on conventional wisdom but, as best I can tell, presents no new information. There are some old examples of long-patched security holes (EternalBlue, BlueKeep) and advice that you check your antivirus, spam filters, and close up Remote Desktop access. Most of all, though, the FBI says you should move from Win7 to Win10.

    Which shouldn’t surprise anybody.

    Catalin Cimpanu has a detailed look on ZDNet.

  • New Win7 Extended Security Updates licensing package

    Yesterday Microsoft released a new Licensing Prep package for those of you who are paying for Windows 7 Extended Security Updates. Per KB 4575903

    This update provides an additional set of licensing changes to enable installation of the ESU add-on key. This is one of the steps to prepare for installation of Extended Security Updates. For the full set of steps, please see KB4522133.

    If you previously successfully installed and activated your ESU key on your Windows 7 SP1 device, you do not have to re-install or reactivate it after applying this update.

    It’s my understanding that you don’t need to install this particular update in order to get the August patches (which aren’t out yet), but that you will need it to install the September ESU patches.

    Thx Günter Born

  • Yes, you read that correctly: Win7 machines don’t get free security patches, but they do get a free copy of Chredge

    Microsoft has officially announced that those of you with Win7, who (accidentally?) run Windows Update, will get a fresh, new copy of the Chromium based version of Edge.

    And it’ll happen whether you’ve signed up (and paid) for Extended Security Updates or not.

    You need to have at least the March, 2019 Servicing Stack Update, and the SHA-2 update KB 4474419. But if you have those, you get Chredged.

    Imagine. MS can’t give you security updates, but they sure as shootin’ will push Chredge on ya.

    Same applies, mutatis mutandis, for Win8.1.

  • 0patch posts a patch for the “PrintDemon” security hole CVE-2020-1048

    I still haven’t seen any in-the-wild exploits for the security hole announced last week, PrintDemon or CVE-2020-1048 — and I still don’t recommend that you install this month’s patches — but those of you running Windows 7 without the paid Extended Security Updates should take note of the latest “micropatch” offering from 0patch.

    According to the 0patch blog:

    Windows 7 and Server 2008 R2 users without Extended Security Updates have just received a micropatch [from 0patch] for CVE-2020-1048, a privilege elevation vulnerability allowing a local non-admin attacker to create an arbitrary file in an arbitrary location.

    When time comes to install this month’s patches, if you don’t have Win7 Extended Security Updates, you should keep this micropatch in mind. (It’s OK, I’ll remind you if you forget.)

    Just a reminder: We’re still at MS-DEFCON 2. There are no widespread threats out and about and you don’t need to patch just yet. Go outside and get some fresh air. At a distance, of course.

    Thx @etguenni

  • Many reports of errors when trying to install the latest .NET patch on Win7 systems with Extended Security Updates enabled

    Looks like a clunker.

    @BobT reports:

    KB4556399 (Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 7 SP1 and Windows Server 2008 R2 SP1) is failing with error 643 for me and many others on the MyDigitalLife forum.

    W7 Ultimate x64.

    And sure enough, MDL is lit up. See the lengthy list of problems starting here.

    Bottom line: Even if you’ve paid for Win7 Extended Security Updates, wait for MS to re-issue KB4556399.

    Susan edit:  This appears to only fail if you have used the bypass script.  On a Windows 7 with an ESU key it installs just fine.

  • Patch Lady – KB4538483 revised

    KB4538483 for Windows 7 was updated on May 6th.  For my machine behind WSUS it automatically got it on May 9th (I have security approvals set to install updates on Saturdays.)

    My understanding is this fixes up some issues with the various licensed versions of Win7 ESUs.

    …but…. I’m not sure if it will impact the script.  Based on folks posting in the forums I don’t think it does.

    Per Abbodii “this is mostly to fix ESU keys activation issues listed in this article:

    https://support.microsoft.com/en-us/help/4547184/troubleshoot-issues-in-extended-security-updates

    Remember with these Windows 7’s there are servicing stack update patches that need to be installed EVERY month otherwise you won’t see the NEXT month’s updates.  So make sure you have KB4550738 

    This update gets offered up after the main April updates and you’ll need to have it installed otherwise you won’t see May’s updates.

     

     

  • Microsoft will continue supporting Chredge (the Chromium-based version of Edge) on Windows 7 at least until July 15, 2021

    No security patches for Win7, unless you pay extra, but you can keep Chredge up to date:

    We will continue to support Microsoft Edge on Windows 7 and Windows Server 2008 R2 until July 15, 2021. These operating systems are out of support and Microsoft recommends you move to a supported operating system such as Windows 10. While Microsoft Edge helps keep you more secure on the web, your PC may still be vulnerable to security risks. In order for IE mode to be supported on these operating systems the devices will need to have the Extended Security Updates for Windows 7. Without the Windows 7 Extended Security updates Internet Explorer functionality will be vulnerable to security risks. Additionally, IE mode functionality may cease to work without the continued servicing through the extended security updates.

  • What would you put on a Windows 7 “rescue” disk?

    Just had an interesting question. Many of you have been assembling “doomsday” restoration disks for your Win7 systems. What did you put on them?

    The big challenge is to assemble the “Group B” security-only patches, wrap them up, and combine them with whatever is necessary to get rid of the upgrade nag screens, minimize telemetry, and the like.

    Interesting challenge, methinks.

  • Yes, you can install the latest Win7 security patches

    Even if you don’t have the official Extended Security Update package.

    @abbodi86 has details and a batch script that does the trick.

    No guarantee the script will work after this month’s crop of Win7 patches. But it works fine for now.

  • Windows Health Release – the AskWoody version

    So I’ve started a new knowledge base section that I’m calling the Ask Woody version of the Windows Health Release dashboard.  The Windows Health Release dashboard is great…but… if there is something that SOME people are seeing but not ALL people are seeing they won’t acknowledge it.

    So the goal here is to gather the places where we’re seeing issues and possible solutions.  I will be noting if issues are not widespread and if Microsoft is not acknowledging the issue.

    Let me know what you think!

    https://www.askwoody.com/forums/topic/askwoody-windows-health-release-dashboard/

  • More help with Windows 7 extended support

    WIN7 EXTENDED SUPPORT

    By Susan Bradley

    Windows 7 extended-security updates are easier to buy than to deploy. The entire process seems to be a work in progress.

    It’s been over a week since the February Win7 Extended Security Updates (ESU) patches were released … and I’m still helping people get these updates in place. In many cases, folks ran into problems through no fault or misstep of their own. For sure, Microsoft has not made keeping Windows 7 patched an easy process. Here are some of the things we’ve found:

    Read the full story in AskWoody Plus Newsletter 17.8.0 (2020-02-24).

  • Patch Lady – Windows 7 ESU last minute requirement

    Microsoft has thrown a wrench into the last minute Windows 7 ESU updates.

    Now even though you’ve installed the ESU key and everything “was” ready to go, you now need KB4538483 to be MANUALLY installed in order to make Windows update show you updates for both any Windows 7 post ESU security updates *AS WELL AS* the Office updates.

    To get this manual update you have to go to the catalog site — http://www.catalog.update.microsoft.com/Search.aspx?q=KB4538483 And download either the 64 bit or 32 bit version of this update (depending on your computer version) before any security updates for February will show up when you go to Windows update.  (*)

    Note this is a late breaking change to the instructions and were NOT listed as a requirement until just today:  This procedure page just added this additional update requirement today:  https://support.microsoft.com/en-us/help/4522133/procedure-to-continue-receiving-security-updates

    To anyone who has purchased updates through any ESU program, as a shareholder of Microsoft I want to apologize for this really  not well done, not automatic process.  I personally will be calling several businesses that I assisted to obtain these extended security patches and will apologize for having to bother them to get their machines in a condition to get additional updates when I thought I already had them ready to go.

    Bottom line, my apologies to anyone who thought they were all set.  You are not.  You need http://www.catalog.update.microsoft.com/Search.aspx?q=KB4538483 to be able to get Windows 7 security updates in February.

    (*) For corporate patchers this update is available via WSUS but NOT available via windows update.

    If you need ANY help with these updates please reach out at https://www.askwoody.com/forums/forum/askwoody-support/windows/windows-7/

    Rant (and warning) in Computerworld Woody on Windows.