• If you didn’t get MS17-010 installed six weeks ago, you may be hurting now


    #114604

    On April 24, I warned everybody that y’all needed to install the March Windows patch MS17-010 right away. I sure hope you did. Even those among you wh
    [See the full post at: If you didn’t get MS17-010 installed six weeks ago, you may be hurting now]

    10 users thanked author for this post.
    • #114606

      Thanks Woody. I sent an email to all my clients last month. Those that did not reply confirming the update, have just been reminded again.

      CT

    • #114609

      I put most in my care back on Automatic Updates once the GWX campaign had passed. Better a blue screen on Patch Tuesday than EternalBlue.

      1 user thanked author for this post.
      • #114626

        Excellent! 99% of (non-technical, non-managed) Windows users are better off by doing this. 🙂

    • #114610
      3 users thanked author for this post.
    • #114611

      This is exactly the point I try to make to people about why Windows Updates are so important. It’ll help prevent threats like this. But no. All they do is sit there saying “I don’t want to update. It takes too long.” And then two weeks later they come to me and tell me they got infected; while asking me to fix it.

      Anytime I work on a computer for someone, whether it be a reinstall of Windows, or if I change a simple setting, anytime before I let it out of my shop all available updates will be installed. It does take time, but it is a standard procedure for my shop. Some of my clients do update, which pleases me, but the vast majority don’t. So when I work on their computers, whether they like it or not, I update for them.

      Edit for content

      1 user thanked author for this post.
    • #114615

      Are those that have the port eternalblue goes through stealthed, safe?

      • #114665

        If you don’t have the March 2017 Microsoft update installed, then the answer is no if your port 445 is open to other devices on your local network, which it probably is because port 445 is used for Microsoft file and printer sharing functionality.

        2 users thanked author for this post.
        • #114676

          Considering internet side only infections, having Port 445 stealth on the router means safety against EternalBlue, right?

          The only possible scenario for a spread under these conditions is if one system in the network became compromised, isn’t it?

          • #114682

            Technically yes, but it is still risky.
            The best and only long term protection is to have the OS patched.

            2 users thanked author for this post.
          • #114703

            If the router itself is compromised, perhaps it could also infect any of the devices behind the router.

            • #114716

              But how can one be sure of a router being compromised?

              Also, if all the ports are coming as perfect stealth, it is not responding to outer pings and its settings are correctly configured (no “malicious” DNS, carefully managed uPnP, remote management off, no WPS… etc) is it even possible to be vulnerable to those wide spread threats?

            • #114726

              Routers can have vulnerabilities also.
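
The sub-thread above turns on one distinction: a router that "stealths" TCP 445 hides the port from the internet, but says nothing about whether the same port is reachable from other machines on the LAN, which is the path a worm takes once one host inside is infected. The following PowerShell is an added example, not code from the thread or from any of the posters, that probes a list of hosts for TCP 445 and 139 with a bounded timeout. It uses raw .NET sockets so it also runs on Windows 7, where Test-NetConnection does not exist. The function names and the host list are this example's own; the addresses are constructed placeholders, and you should only point it at machines you are authorised to scan.

```powershell
# Added example (not from the thread): LAN-side probe of the SMB ports.
# Function names and the sample host list are assumptions made for illustration.

function Test-TcpPort {
    param(
        [string]$ComputerName,
        [int]$Port,
        [int]$TimeoutMs = 1000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # BeginConnect + WaitOne gives a bounded wait. A port that answers nothing
        # (firewalled / "stealthed") times out; one that actively refuses throws.
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'filtered' }
        $client.EndConnect($async)
        return 'open'
    } catch {
        return 'closed'
    } finally {
        $client.Close()
    }
}

function Get-SmbExposure {
    param([string[]]$Hosts)
    foreach ($h in $Hosts) {
        # 445 is direct SMB; 139 is the legacy NetBIOS session port
        foreach ($p in 445, 139) {
            New-Object PSObject -Property @{
                Host  = $h
                Port  = $p
                State = (Test-TcpPort -ComputerName $h -Port $p)
            }
        }
    }
}

# Constructed sample: this machine plus two made-up LAN neighbours
Get-SmbExposure -Hosts @('127.0.0.1', '192.168.1.10', '192.168.1.20') | Format-Table Host, Port, State -AutoSize
```

Two caveats when reading the output. "open" on 445 from a LAN neighbour is the normal state of a Windows machine with file and printer sharing on, and it is exactly what an infected neighbour would exploit on an unpatched host, so an open result is an argument for the patch, not a finding in itself. And probing your own public address from inside the LAN usually ends up at the router's own interface, so it tells you nothing about what the internet sees; for that, an external check such as the ShieldsUp service mentioned later in the thread is the right tool.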

    • #114628

      Woody, you may warn most of the unsuspecting users here that they may not be able to install the March 2017 patch if they have a later update installed.
      The best course of action is to install everything available on Windows Update, including all Recommended and Optional – the Preview patches are not available until next Tuesday, but for most of those who still insist to perform the manual updating, the best patch to install now is the May 2017 Security Monthly Quality Rollup, regardless of the current MS-DEFCON rating, which can go temporarily to Level 3 with a view of upgrading later in the cycle if the current patches prove reliable beyond doubt.

      KB4019264 for Windows 7
      KB4019215 for Windows 8.1

      2 users thanked author for this post.
    • #114629

      I used to have the March patches but they are now gone; replaced by the April patches, KB 4015549 and KB 4014565.

      • #114698

        Yes, I went into the catalogue and downloaded the March update and it said this update is not applicable to your computer. The April update did install.

        • #114732

          I went back in and downloaded and installed KB 4012212. KB4012215 was the one that didn’t install. It said not applicable to your computer.
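
The confusion in the posts above is real: on Windows 7 the March monthly rollup (KB4012215) is superseded by the April and May rollups, so the Catalog reports it as "not applicable" once a later rollup is installed, while the March security-only update (KB4012212) is not superseded that way. The script below is an added example, not something from the thread or from Microsoft, that checks whether any of the updates named in this thread as carrying the MS17-010 fix is installed, and then reports the version of srv.sys (the kernel-mode SMB server that the fix replaces) so it can be compared with the file information in the KB article. The KB list is taken from the posts above and is an assumption to verify against the Microsoft Update Catalog; the function name is this example's own.

```powershell
# Added example (not from the thread): is a Windows 7 SP1 machine carrying the MS17-010 fix?
# The KB list is the one named in this thread (assumption; check it against the Update Catalog).

function Get-Ms17010Status {
    [CmdletBinding()]
    param(
        # March security-only update, March rollup, and the April/May rollups that supersede it
        [string[]]$CarrierKbs = @('KB4012212', 'KB4012215', 'KB4015549', 'KB4019264')
    )

    # Get-HotFix reads Win32_QuickFixEngineering, the same list Windows Update history draws on
    $installed = Get-HotFix | Where-Object { $CarrierKbs -contains $_.HotFixID }

    # srv.sys is the SMB server driver patched by MS17-010; its version is the ground truth
    # when the update list is in doubt (compare with the file table in the KB article)
    $srv = Get-Item (Join-Path $env:SystemRoot 'System32\drivers\srv.sys')
    $vi  = $srv.VersionInfo
    $version = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

    New-Object PSObject -Property @{
        ComputerName    = $env:COMPUTERNAME
        MatchingUpdates = (($installed | ForEach-Object { $_.HotFixID }) -join ', ')
        CarrierPresent  = [bool]$installed
        SrvSysVersion   = $version
        SrvSysModified  = $srv.LastWriteTime
    }
}

Get-Ms17010Status | Format-List ComputerName, CarrierPresent, MatchingUpdates, SrvSysVersion, SrvSysModified
```

If CarrierPresent is false but Windows Update insists the machine is current, trust the srv.sys version over the KB list: the list only covers Windows 7, and a rollup released after this thread will carry the same fix under a KB number not shown here.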

    • #114645

      I wonder how many of the “soft” targets were “soft” not because they haven’t patched their OS with the relevant updates but because they haven’t upgraded their OS beyond e.g. XP or Vista?

      Just to clarify – the attack on the NHS in the UK hasn’t brought the whole NHS to its knees, it’s affected some hospitals and doctors’ surgeries in England (it sounds like a lot but is actually comparatively few out of the total number) together with a few in Scotland.  Wales and Northern Ireland are reported to be unaffected. Previously several hospitals have been hit by individual ransomware attacks including in both the UK and the US.

      Russia is apparently the worst affected country, with 99 countries in all affected to some degree by today’s attack which is indeed believed to originate from the hacking tools stolen from the US NSA and subsequently put into the public domain.

      This won’t just test companies’ and organisations’ patching routines, it will also test their backup arrangements, as well as their funding of IT provision and support generally.

      1 user thanked author for this post.
    • #114651

      This won’t just test companies’ and organisations’ patching routines, it will also test their backup arrangements, as well as their funding of IT provision and support generally.

      It is very true.
      A lot of larger companies have additional measures in place at the gateway which protect them from malware coming from the internet.
      But it is only a matter of time until someone gets the malware inside such a company, protected only at the gateway level and not at the OS level. This happened before with the Welchia/Nachi worm https://en.wikipedia.org/wiki/Welchia
      Disabling SMB1 or any other SMB version and closing port 445 may be useful to a limited number of home users who do not use LANManServer service functionality, but it is of little use to any sort of business or even power home user. However disabling SMB1 only may be good practice, not only in this case, but in general.

      • #114655

        I wonder whether an article on disabling SMB1 etc  in layman’s terms would be useful with particular reference to any distinctions between business and other server-based users and domestic home users with just one or two non-linked devices?

        2 users thanked author for this post.
        • #114681
          1 user thanked author for this post.
          • #114792

            Thanks, yes I’d read that earlier link and it’s why I worded my suggestion the way I did. Those of us who aren’t professionals or otherwise expert in this field would benefit from a layman’s explanation of what SMB versions are and the relevance of the recommended registry changes to their particular circumstances be they running a small server or just an isolated home device.

            I think it’s very important to recognise that this site has always catered for all knowledge levels and isn’t simply a discussion forum for technical experts. I hope it continues to do so in ways that help all of us to gain a better understanding of these issues.

            4 users thanked author for this post.
            • #114794

              @seff

              I don’t have time to write a full article, but I will try to get something started for someone else to take over, or at least to give a short basic explanation for now, as this seems to be a hot subject right now.

              The family of SMB protocols allows Windows to function as a file server in a wide understanding of the concept, which includes administrative functions, remote console access and the traditional file serving functionality. It is implemented in Windows as the Server service, known in the registry by the old name LANManServer. This is core Windows functionality and while there are legitimate security guides which recommend disabling it for highly secure environments, this comes at a price, which is reduced functionality and sometimes less responsiveness from Windows.

              SMB1 is the classical SMB (officially known as CIFS), which is implemented in all Windows versions, including Windows 10 and Server 2016.
              SMB2 is the enhanced version of the protocol implemented from Windows Vista and later.
              Another enhancement named SMB3 has been implemented starting with Windows 8 and Server 2012.

              The highest version is the preferred one in all cases, but all versions co-exist for compatibility reasons.
              SMB2 and SMB3 are essentially identical with tiny differences, but completely redesigned when compared to SMB1.
              I found recently that Microsoft recommends the disabling of SMB1 only, based on the idea that most attacks are likely to happen on SMB1 being the most compatible protocol of all and also based on the idea that Windows XP and Server 2003 are no longer in use. Please follow the Knowledge Base article and do what it says there. This is a good KB document. The PowerShell commands change registry keys, so there is no need to do both. Configuring registry keys and uninstalling SMB1 where this is available would do the job completely.

              This has the advantage that in theory SMB2 and SMB3 which are faster would be forced instead of the legacy SMB1.

              The TCP port for communication using any of the SMB protocols is 445.
              EDIT: Legacy communication may use NetBIOS ports UDP 137, UDP 138 and TCP 139 in certain conditions instead of 445.

              Various Linux distributions implement a reverse engineered version of the protocol named Samba.
              Microsoft has never published the full specification of SMB1, but as far as I know, they fully documented SMB2.

              References:
              https://en.wikipedia.org/wiki/Server_Message_Block
              https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

              10 users thanked author for this post.
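
The post above points readers at KB2696547 and notes that its PowerShell commands and registry edits do the same thing. As an added example, not code from the thread or from Microsoft's article, the script below wraps those settings in two functions: one that audits the SMBv1 state on both the server side (the SMB1 value under LanmanServer\Parameters) and the client side (the mrxsmb10 driver and the workstation service's dependency list), and one that disables SMBv1 using the same keys and sc.exe commands the KB article gives, plus the optional-feature removal on Windows 8.1/10 where that cmdlet exists. Function names and the shape of the returned object are this example's own. It needs an elevated PowerShell window, and the client-side change takes effect after a reboot.

```powershell
# Added example (not from the thread): audit and disable SMBv1 per the settings in KB2696547.
# Run elevated. Function names are assumptions made for this example.

$ServerParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$WorkstationSvc = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'
$Smb1ClientSvc  = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

function Get-Smb1Status {
    # Server side: SMB1 is on unless the SMB1 DWORD exists and is 0
    $smb1Value = (Get-ItemProperty -Path $ServerParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $serverEnabled = ($smb1Value -eq $null) -or ($smb1Value -ne 0)

    # Client side: off only when the mrxsmb10 driver is disabled (Start = 4) AND the
    # workstation service no longer depends on it
    $start = (Get-ItemProperty -Path $Smb1ClientSvc -Name Start -ErrorAction SilentlyContinue).Start
    $deps  = (Get-ItemProperty -Path $WorkstationSvc -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
    $clientEnabled = ($start -ne 4) -or ($deps -contains 'mrxsmb10')

    New-Object PSObject -Property @{
        ServerSmb1Enabled = $serverEnabled
        ClientSmb1Enabled = $clientEnabled
        Mrxsmb10Start     = $start
        WorkstationDeps   = ($deps -join ', ')
    }
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if ($PSCmdlet.ShouldProcess('LanmanServer', 'Disable SMB1 server side')) {
        # Same value the KB article's PowerShell and reg.exe instructions write
        Set-ItemProperty -Path $ServerParams -Name SMB1 -Type DWord -Value 0 -Force
    }
    if ($PSCmdlet.ShouldProcess('LanmanWorkstation', 'Disable SMB1 client side')) {
        # Drop mrxsmb10 from the dependency list and stop the driver from loading
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }
    # Windows 8.1/10 can remove the SMB1 feature entirely; the cmdlet is absent on Windows 7
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess('SMB1Protocol', 'Remove optional feature')) {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    }
}

Get-Smb1Status | Format-List ServerSmb1Enabled, ClientSmb1Enabled, Mrxsmb10Start, WorkstationDeps
Disable-Smb1 -WhatIf     # drop -WhatIf to apply, then reboot and run Get-Smb1Status again
```

Two things worth knowing before running it for real. Disabling the client side means this machine can no longer talk to anything that only speaks SMB1, typically old NAS boxes, printers with scan-to-share, and Windows XP/2003; audit first and keep the -WhatIf run until you are sure. And disabling SMB1 does not close TCP 445: SMB2 and SMB3 listen on the same port, so this reduces attack surface rather than removing the file-sharing port from the network.
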
            • #114814

              Like Seff, I’m a bit confused. Should those of us with home or office computers that are not networked to a company server, other than our ISP, implement the command to disable SMBv1? Or is the March security patch enough protection? Thanks.

              1 user thanked author for this post.
            • #114817

              @grayslady: The March 2017 Microsoft update should be sufficient to fix this issue. Disabling SMB1 would protect you from any future exploits targeting SMB1 vulnerabilities before you install Microsoft’s future updates to fix them.

              8 users thanked author for this post.
            • #114818

              It is enough to do the patching up to date.
              If you do not understand the technicalities behind registry editing, you are better off by not doing the configuration in the KB article.
              As @seff mentioned, this forum addresses a large audience of people with a wide range of technical skills and interested in a variety of techniques for configuring Windows or other technologies.

              3 users thanked author for this post.
            • #114821

              Thanks, but my question wasn’t about how to edit the registry, rather it was about whether it was necessary in light of the patch. I have, infrequently, edited the registry before, as well as implementing command scripts. However, between the MS patch, and having file sharing disabled on my computer, I simply wondered whether it was necessary to take the extra precaution of disabling SMBv1 as well. I believe Mr. Brian’s response covers it.

              1 user thanked author for this post.
    • #114658

      I am not sure if this the right forum for my question, but since there is discussion here about Windows Update I decided to post my question here.

      Back when Microsoft was transitioning to their new updating system there was much discussion of how, slowly over time, Microsoft would roll into their monthly cumulative updates for Windows all their prior updates. I am wondering if this is now happening?

      • #114661

        They are getting things ready. They just retired a bunch of old KBs. It will not be all at once.

        1 user thanked author for this post.
      • #114678

        Watch out for the next months patch.
        There are high expectations that the whole process will get more traction starting with June 2017.
        However, it is far better not to have another incomplete implementation released, and to have it released to the public only when ready (or almost, as a few bugs are still expected regardless, if history teaches us anything).

        2 users thanked author for this post.
    • #114673

      Yup, I keep my OS 7 desktop up-to-date per your “DEFCON”  guidance…  this is why I am a (charter) member of Group B (and not Group W) & why I would like to see the Group B track continue as long as possible (I voted accordingly on your “viability” survey).  Thanks much, Woody!

      As a fall-back, I am now also doing monthly system image backups (instead of 3-4 times per year as before).  If the MS perimeter is ever unexpectedly breached by such a “black swan” event, I can always wipe the drive clean & recover an intact & functioning system no more than 30 days out-of-date, rather than being forced to choose between losing everything & capitulating to a thief.  I do this also in anticipation of the time when extended MS support for OS 7 eventually ends.  Cheers!

      1 user thanked author for this post.
    • #114689

      March 2017 security only patch for win7 sp1 http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012212

    • #114696

      I was group W, but I’m guessing I ought to get back on B. I didn’t see why MS needed to update things almost weekly if not daily and it made me suspicious giving their pushing of WIN 10 but yeah, I guess I ought to get back to do security updates if I’m not already too late.

    • #114706

      Somewhat related: Microsoft’s May 2017 updates fixed 4 SMB v1 vulnerabilities (CVE-2017-0272, CVE-2017-0277, CVE-2017-0278, and CVE-2017-0279) that could allow remote code execution. All 4 are rated as “Exploitation Less Likely” by Microsoft.

    • #114712

      Just really chiming in to say thank you all so much, especially Woody, for the fabulous information generously shared over time. I’ve used you guys to do updates to my Win 7 laptop over time and then after Oct 2016 I gave up, just tired of it all, and by default joined group W. Now hastily getting back up to date with security-only updates/patches, starting with 4012212. I’m guessing there are a few of us staying up late tonight doing this… thanks again.

    • #114722

      WOW, it’s 11PM Eastern DST here in Montreal, Canada. The MS Catalog site is completely bogged down! Takes like 10 minutes to display any page and just as long to download the 19.2MB and 30.6MB KB4019263 files. Understandable, given the immediate urgency of the current situation! I guess also that lots of people (that includes me, but I follow MS-DEFCON) were procrastinating with the installation of this month’s patches.

      No timeout errors though, just sssslllllooooowwwww as a snail 😉

      Gotta go, download from the catalog is finally available!

      • #114972

        Even all day Saturday, the Update Catalog is taking forever or just timing out. All I want is the current Flash Player updates as stand alone installer. It took the better part of an hour to accomplish these downloads, and then I had one driver to update, and four more to check.  (The new driver was revealed by wushowhide, and it is the same one Intel would have provided through their driver update utility. Since it was Bluetooth, the whole stack had to be checked, as well as Firmware and Network drivers.) There went my morning!

        -- rc primak

    • #114717

      so, all of us in Group B who are currently updated through April Security only updates are OK?

      I ask because your post said Group A was probably OK, and Group W could be in trouble, but didn’t specifically call out Group B.

      • #114730

        For this particular exploit, the March 2017 security-only update should be sufficient.

      • #114746

        Bear in mind that those in Win 7/8.1 Group A & B who are patched through April 2017 are also being processor-blocked by M$ = secure from the above malware/ransomware but cannot buy the latest high-end computers til 2020/2023, for some.

    • #114737

      Antivirus software can also protect against this exploit. I use ESET Antivirus which recently added ransomware protection. ESET calls this one “Win32/Filecoder.WannaCryptor”, it currently has 4 variants.

      1 user thanked author for this post.
      • #114758

        @ KootchieKoo

        Private security firms identified the ransomware as a new variant of “WannaCry” that had the ability to automatically spread across large networks by exploiting a known bug in Microsoft’s Windows operating system.

        http://www.reuters.com/article/us-britain-security-hospitals-idUSKBN18820S

        So, to be fully secure against this WannaCry ransomware and prevent it from spreading on your network, your AV software has to be updated with the latest virus definitions and your Windows computer has to be updated with the March 2017 patch (MS17-010), e.g. …
        https://www.microsoft.com/en-us/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt

      • #114771

        @KootchieKoo
        Antivirus products are excellent for alerting, but very poor for protecting against anything.
        In this case, the antivirus is only the second line of defence.
        To be protected, you have to patch your system and use an antivirus only as another (good for most users and situations) option.

        2 users thanked author for this post.
        • #114790

          @ ch100

          In this case, you are incorrect, AV programs and email spam filters are the 1st line of defence.
          . . The MS17-010 patch against the EternalBlue/SMBv1/MS Office exploit stops the WannaCry ransomware in an infected computer from worming or spreading throughout a network, eg a company or home network. …

          Cyber extortionists tricked victims into opening malicious malware attachments to spam emails that appeared to contain invoices, job offers, security warnings and other legitimate files.

          The ransomware encrypted data on the computers, demanding payments of $300 to $600 to restore access. …

          …. Only a small number of U.S.-headquartered organizations were hit because the hackers appear to have begun the campaign by targeting organizations in Europe, said Thakur.

          By the time they turned their attention to the United States, spam filters had identified the new threat and flagged the ransomware-laden emails as malicious, Thakur added. …

          ….Private security firms identified the ransomware as a new variant of “WannaCry” that had the ability to automatically spread across large networks by exploiting a known bug in Microsoft’s Windows operating system.

          The hackers, who have not come forward to claim responsibility or otherwise been identified, likely made it a “worm”, or self spreading malware, by exploiting a piece of NSA code known as “Eternal Blue” that was released last month by a group known as the Shadow Brokers, researchers with several private cyber security firms said.

          http://www.reuters.com/article/us-britain-security-hospitals-idUSKBN18820S

    • #114741

      Good information on (Edit: site removed, unreliable sponsored content).

    • #114759

      From Microsoft Technet:
      Customer Guidance for WannaCrypt attacks
      MSRC Team | May 12, 2017

      “…we are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Customers running Windows 10 were not targeted by the attack today.

      Details are below.

      In March, we released a security update which addresses the vulnerability that these attacks are exploiting. Those who have Windows Update enabled are protected against attacks on this vulnerability. For those organizations who have not yet applied the security update, we suggest you immediately deploy Microsoft Security Bulletin MS17-010.
      For customers using Windows Defender, we released an update earlier today which detects this threat as Ransom:Win32/WannaCrypt. As an additional “defense-in-depth” measure, keep up-to-date anti-malware software installed on your machines. Customers running anti-malware software from any number of security companies can confirm with their provider, that they are protected.
      This attack type may evolve over time, so any additional defense-in-depth strategies will provide additional protections. (For example, to further protect against SMBv1 attacks, customers should consider blocking legacy protocols on their networks).”

      Read the full blog post here

      5 users thanked author for this post.
      • #114766

        Wow, this is a huge issue if Microsoft releases patches for Windows XP and Windows 2003.
        Thank you @Kirsty for posting, I think this should be a blog post by itself.
        This shows the importance of being patched correctly now.

        3 users thanked author for this post.
        • #114767

          This mirror.co.uk article may help to explain why the patch was extended to XP…

          • #114772

            If it wasn’t the Mirror, I would pay more attention 🙂

          • #114773

            The Mirror’s reliability is somewhere south of Microsoft’s

            Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

      • #114779

        Does this update apply to any Windows XP system or only in those flagged as “custom support” (thus paying for it)?

        Has anyone here tried installing it on a legacy system yet?

        • #114788

          It applies to any system, no (paid) custom support is necessary. MS has decided to make the update available for everyone, instead of only the corporations that pay for custom support. You can download the update manually via Microsoft’s Update Catalog. I do not know whether it would also show up in Windows Update when you scan for updates.

          I have not tested it, but I assume it will work because the update comes straight from MS.

          3 users thanked author for this post.
          • #114799

            Some of my customers who are running really old legacy Windows XP systems are asking me if there could be any implications if they have non-genuine Windows XP copies and install this update, since they themselves do not know if those systems are genuine or not.

            I have no idea if it is advisable to make a test, since some of those systems are critical for their business, and despite warnings, most don’t want to or can’t afford to upgrade right now… So what could happen here?

            • #114882

              I don’t think there’s any way to know for sure. XP has been pirated in so many different ways, I’d be very hesitant to say that the new XP patch will work.

              They’re caught between a rock and a hard place.

            • #114903

              But could it in someway “break” the system, or only not having any effect on the system?

            • #114920

              Seriously?

              Of course they should run the update.

              If the installed OS in the process is detected as being non-genuine, then it’s a win-win. They will buy a legit license while also getting protection.

              Or did I misunderstand? It’s a pirated xp, they want to continue running non-legal? As a business critical tool? If that’s the case, what else do they steal? Lamps? Hammers? 😛

              Of course they should update!

            • #114940

              I hope they are genuine but since I did not build those systems I can’t make sure of that, and apparently neither can the owners…

              The only problem is that Windows XP licenses are not sold anymore, and there are people that are either too stubborn or reckless, or maybe both, to move on to a newer OS, and of course there are those who can’t afford the upgrade…

              I do not want to defend anybody, but I can not make any assumptions on what people do… All I want is to answer that question which I’m not sure of: if it could break any of those systems, which would compromise their operation, just that…

              I don’t have here a XP license or even non genuine image which I could put in a VM to test this update, so if anyone has any info regarding this standalone installation package I would be very happy…

            • #114949

              I would suggest you make a system image of one PC, then try the update (if you or someone there knows how to make and restore system images). There is free software to do this. Macrium Reflect is one, but there are others. Restoring a system image restores OS, programs and data.

    • #114761

      Sorry for being little negative.

      Well, don’t download anything from windows update, is what I see here on askwoody.

      Maybe there should be a sticky on critical issues like this (or I am blind and missed it) because the reason why I don’t update Windows 7 since September 2016 is because of this page.

      So maybe I should just listen to Barnacules Nerdgams and download everything in windows update. What is so bad about .net update actually, and the “quality” updates? And windows update only shows the latest quality update, 2017-05 so how do I get the march one?

      And one other tip would be a link to a safe program that tests my port security, if anyone knows about any?

      • #114765

        You will see various opinions here.
        Nobody will tell you not to download from Windows Update, quite the opposite.
        There are a number of people who decide not to download and install from Windows Update (you will see them mentioned as being part of Group B) but this is their own business and goes against Microsoft’s advice. It is possible, but complicated and the risk of error and not having the system secure using that method is extremely high. This is compounded by the fact that those who practice Group B style of updating are in general less technical and not able to understand all the issues involved, although most believe otherwise.
        Just go ahead and download from Windows Update for keeping your system safe and optimally functional.
        The only issue which you may consider and this is specific to this site and Woody’s advice is to delay installing the current patches, i.e. May 2017 releases until the MS-DEFCON changes to 3 or above.
        This is based on the assumption that you are patched until April 2017 inclusive.
        If you haven’t been patched since September 2016, due to the urgency of the ongoing issues, I assume responsibility and advise you, against the MS-DEFCON rating, to install everything coming on Windows Update today to secure your system immediately. This includes the May 2017 patches, because the older patches are invisible on Windows Update, being superseded.

        • #114822

          Nobody will tell you not to download from Windows Update, quite the opposite.

          Except Woody. At the top of every page.

          Having “don’t do it” and “do it” on the same page is nonsense for casual or infrequent visitors.

          If the current situation isn’t “widespread attacks make patching prudent”, what is?

          • #114825

            [Edited to reduce the ad hominem attacks. -Woody]

            A majority of people drive down the street every day and manage somehow not to run into everyone else. People are capable of dealing with reality.

            Windows took over the world not by being dumbed-down like Apple, but by providing sometimes very complex functionality and letting people decide what to do with it.

            The world is complicated. People need to educate themselves to deal with it, and to understand that Microsoft has motives other than just their well being.

            There is no better site for getting a whole lot smarter about what’s really going on than this one, right here. We see a consistently rational view of the necessary risk management.

            As an opposing opinion:

            Let us never forget who built these vulnerabilities into the operating system in the first place. Let us remember that it has always been touted to be “the most secure Windows ever”.

            Yet somehow systems worldwide are falling prey; people are being hurt.

            Microsoft houses the very same programmers we are asked to trust implicitly to deliver bug-free patches to us, no questions asked.

            I DO ask, as everyone should: What can I lose if they botch one?

            Everything involves risk. Seek to understand the risk and you will consistently be able to make better decisions. Just like deciding for oneself not to drive into oncoming traffic by thinking through what could happen ahead of time.

            -Noel

            6 users thanked author for this post.
          • #114887

            Good point. As soon as I moderate the attacks on this thread, I’m going to write up a very simple, detailed recommendation.

            3 users thanked author for this post.
          • #114939

            @b
            I am mostly on your side on many issues, including the fact that Windows 7 is now a dinosaur and its use should be discontinued by end-users, although I don’t particularly agree with your literary style.
            Woody is not telling anyone not to use Windows Update. Woody is telling end-users to use common sense and wait a little while before installing the updates, due to the past history of bugs in the updates. There is some sensationalism in Woody’s posts due to him being a journalist, but for all that I can tell, Woody correctly advises end-users to keep their systems secure and functional as they are, with minimal enhancements, unless they are experienced enough to decide for themselves to install the optional and recommended updates, as I and many others do, if I have to use a legacy OS.

            You may turn the internet off now and read some of Woody’s books to understand better what Woody stands for and his efforts in educating end-users.

            Note: If you read my post to which you make reference, you will see that I advised against MS-DEFCON those users who are not patched to April 2017. MS-DEFCON is based on the assumption that the followers here have the April 2017 patches installed.

            1 user thanked author for this post.
      • #114796

        I personally think (and do):

        Develop good habits and a world class security setup to watch your back.

        Get and stay educated about security. Read this site and others, but don’t stop at the “OMG, that sounds scary” parts. Try to understand the “why”.

        Wait for a few weeks after most patches are released for others to find the problems. Microsoft does seem to listen for cries of anguish, and fixes the fixes quickly.

        Test the patches yourself first on non-critical systems, if you have them.

        Consider accepting all the patches Microsoft releases, because the “cumulative” set is what they tested all together. There can be legitimate exceptions to this, but only you can decide how much risk you put your operating system in through your own actions (or the actions of users if you’re not the only one).

        Bear in mind Microsoft doesn’t have the in-house test staff they once did, so the likelihood of their having tested a configuration exactly like yours is pretty slim. Thus it’s good to try to make your configuration more like theirs.

        It’s all a job of risk management, and no one – NO ONE – gets that right 100% of the time. There are unknowns!

        -Noel

        • #114830

Yes, but as you admitted yourself this is only doable, not feasible for anybody. It requires dedication and interest that a vast majority of users simply don’t have and can’t afford. Neither can it be expected that corporate techs will be able to prevent disasters.

Ultimately we will have no choice but to limit our dependence on technology and the Net. That’s where it’s ultimately going.


      • #114834

        You’re not negative. You simply misinterpret what is being advised here.

    • #114764

      With respect to port vulnerabilities (discussed above, and in recent other discussions), don’t forget Gibson Research Corporation’s Shield’s Up!! — https://www.grc.com/x/ne.dll?rh1dkyd2 (and, for browsers’ proper encryption protocols, Qualys SSL Labs’ SSL/TLS Capabilities of Your Browser — https://www.ssllabs.com/ssltest/viewMyClient.html ). May The Force be with you.

      1 user thanked author for this post.
    • #114768

      A very good piece has been posted by theregister.co.uk:

      “This bug was, once upon a time, exploited by the NSA to hijack and spy on its targets. Its internal tool to do this, codenamed Eternalblue, was stolen from the agency, and leaked online in April – putting this US government cyber-weapon into the hands of any willing miscreant. Almost immediately, it was used to hijack thousands of machines on the internet.

      Now someone has taken that tool and strapped it to ransomware: the result is a variant of WannaCrypt, which spreads via SMB and, after landing on a computer, encrypts as many files as it can find. It charges $300 or $600 in Bitcoin to restore the documents. It is adept at bringing offices and homes to a halt by locking away their data.

      And it installs Doublepulsar, a backdoor that allows the machine to be remotely controlled. That’s another stolen NSA tool leaked alongside Eternalblue. The malware is also controlled via the anonymizing Tor network by connecting to hidden services to receive further commands from its masters.

      Fortunately, a kill switch was included in the code. When it detects that a particular web domain exists, it stops further infections. That domain was created earlier today by a UK infosec bod, who spotted the dot-com in the reverse-engineered binary; that registration was detected by the ransomware, which immediately halted its worldwide spread…”

      This is recommended reading, here

      6 users thanked author for this post.
      • #114803

        Make sure to read the Talos article that one links to, if you want to get really geeky. I like it when the mechanics of malware are uncovered and published, because it means you can check all the more carefully whether systems have the problem. For example, you can look for whether executables such as tasksche.exe, taskdl.exe, taskse.exe, and @wanadrecryptor.exe are on systems in question, or whether domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea has been contacted.

It’s interesting to see the sheer complexity and flexibility the malware authors are building into these things. There is no longer “just one way” they work.

        -Noel

        1 user thanked author for this post.
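As an added example for the indicators Noel lists in the post above (this is not code from the thread, from Talos, or from any project named here): a PowerShell script for a Windows 7 machine that searches for those four file names, checks whether any of them is currently running, and looks for the kill-switch domain in the local DNS resolver cache. The file names and domain are the ones quoted in the post; searching the whole system drive and reading the cache from `ipconfig /displaydns` are choices made for this example.

```powershell
# Added example (not from this thread): read-only hunt for the WannaCry
# indicators quoted above on a Windows 7 machine. Run from an elevated
# PowerShell so that every directory and process can be inspected.
# Assumptions: the indicator names are taken from the post; searching the
# whole system drive and parsing 'ipconfig /displaydns' are choices made here.
$IocFileNames = @('tasksche.exe', 'taskdl.exe', 'taskse.exe', '@wanadrecryptor.exe')
$IocDomain    = 'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea'

function Find-IocFiles {
    param([string[]]$Names, [string[]]$Roots)
    # Exact file-name matches only; a hit is a lead to verify (hash it, look it
    # up), not proof of infection. -Force includes hidden and system files.
    $hits = @()
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        $found = Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { (-not $_.PSIsContainer) -and ($Names -contains $_.Name) }
        foreach ($f in $found) { $hits += $f.FullName }
    }
    return $hits
}

function Get-RunningIocProcesses {
    param([string[]]$Names)
    # Get-Process reports process names without the .exe suffix.
    $bare = @($Names | ForEach-Object { [System.IO.Path]::GetFileNameWithoutExtension($_) })
    return @(Get-Process | Where-Object { $bare -contains $_.ProcessName })
}

function Test-DnsCacheForDomain {
    param([string]$Domain)
    # Windows 7 has no Get-DnsClientCache cmdlet, so the resolver cache is read
    # from the text output of ipconfig. A hit means something on this machine
    # resolved the name since the last reboot (the cache is cleared at boot).
    $cache = ipconfig /displaydns 2>$null
    return [bool]($cache | Select-String -SimpleMatch $Domain -Quiet)
}

# Search the system drive; add further drive letters to $roots if needed.
$roots = @(($env:SystemDrive + '\'))
$files = @(Find-IocFiles -Names $IocFileNames -Roots $roots)
$procs = Get-RunningIocProcesses -Names $IocFileNames
$dns   = Test-DnsCacheForDomain -Domain $IocDomain

Write-Output ("Indicator files found: " + $files.Count)
foreach ($f in $files) { Write-Output ("  " + $f) }
Write-Output ("Indicator processes running: " + $procs.Count)
foreach ($p in $procs) { Write-Output ("  " + $p.ProcessName + " (PID " + $p.Id + ")") }
Write-Output ("Kill-switch domain in DNS cache: " + $dns)
```

The full-drive search takes a while on a large disk. The script only lists what it finds and never opens or launches a file; if it does report a hit, the useful next steps are to take the machine off the network, hash the file, and look the hash up (VirusTotal, as mentioned further down in this thread) before deciding whether to remove it.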
        • #114828

Which is why there is no hope in h**l that a corporate behemoth can ever win the defense against their attacks. I think there will come a day when there will be deep regret that we became so dependent on technology and the Net as to not be able to function without them. This, without even mentioning all the regression and dumbing down that this inflicts on humans.

          Edit for content

    • #114797

      MS has put a standalone patch for this on the update catalog: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

      There are versions for Vista and XP too.

      But… the catalog.update site is struggling – I got into it once, but many tries later, no response.

      • #114819

        Vista was already patched in March, when it was still in extended support. XP is indeed an extraordinary exception.

        1 user thanked author for this post.
    • #114808
      1 user thanked author for this post.
    • #114829

I don’t know about this particular ransomware, but many are sloppy and you can get out of them using the old Windows technique: pressing Alt, Ctrl and Delete at the same time. When Task Manager appears, hit End Task.

    • #114835

I have posted a question regarding patches for Win10 1511 in the Win10 section of the lounge that is related to the issue at hand. Can any of the techies knowledgeable about that please respond?

      Thanks.

    • #114836

      CT

      1 user thanked author for this post.
      • #114946

        @CT
My reply to you takes into consideration your point of view about ongoing patches and the Group W following.
Is this out-of-band release, which includes Windows XP and Server 2003, the only REQUIRED patch for all those years of patching? I think the answers to this issue would make for an interesting debate.
        Not discussing functionality fixes and enhancements here, this is strictly about protection against malware.

    • #114849

      The world is complicated. People need to educate themselves to deal with it, and to understand that Microsoft has motives other than just their well being.

      Unfortunately, this seems to be a trend on these forums now with a few users: “Stop thinking for yourself and just do what MS tells you to do like a good little sheep. What? You don’t want to? Well then, allow me to talk down to you like the morons I believe you to be as I attempt to convince you that your PC will start throwing errors and blue screens at your “unsupported configurations” any minute now. Just submit already!” They speak exactly like MS employees would speak.

Let us never forget who built these vulnerabilities into the operating system in the first place.

      There are more exploits on the way as well from the infamous CIA.

      Let us remember that it has always been touted to be “the most secure Windows ever”. Yet somehow systems worldwide are falling prey; people are being hurt. Microsoft houses the very same programmers we are asked to trust implicitly to deliver bug-free patches to us, no questions asked. I DO ask, as everyone should

      I ask as well. This stuff really irritates me.

      People should never be discouraged from asking questions and acting accordingly when their trust has been breached and the answers are not satisfactory. These things aren’t exaggerations and the concerns aren’t unwarranted nor should there be any attempt on here by anyone to shame or talk down to those people.

      [Edited to reduce ad hominem attacks. I don’t believe Microsoft and NSA are in cahoots about this (or any other) security breach. If you want to debate the point, please move it to the Rants forum. Also, the CIA and NSA are two entirely different bodies. The links you have refer to Wikileaks and the CIA dump. They have nothing to do with NSA. I’m trying diligently to remove instances of people shaming and talking down to others. The intelligence level here is very high, and I want to keep it that way.  -Woody]

      1 user thanked author for this post.
      • #114868

        @ Sessh ….. About Shadow Brokers

In Aug 2016, Shadow Brokers first publicized their capture of NSA hacking tools and demanded 1 million bitcoins (US$568 million) from the US govt/NSA, …
        https://motherboard.vice.com/en_us/article/hackers-hack-nsa-linked-equation-group

        After nil response from the US govt, in Jan 2017, the Shadow Brokers offered the NSA hacking tools to individual parties, …
        https://hotforsecurity.bitdefender.com/blog/shadow-brokers-re-emerge-with-nsas-secret-exploits-for-sale-17381.html

        Again, there was no response. So, in April 2016, Shadow Brokers released the NSA hacking tools into the wild.

        Surprisingly, M$ had already patched the NSA-related Windows exploits, eg Eternalblue, in March 2017.
. . . Tech journalists assumed that M$ had paid off Shadow Brokers in Feb 2017. Others conjectured that the NSA had tipped off M$ in Feb 2017.

        [Edited to remove the MS-NSA collusion theory. Feel free to debate it, guys, but move it over to the Rants forum. I should also add that some people figure Shadow Brokers tipped off Microsoft, possibly anonymously, as prelude to charging more for the next round. There are many possible permutations, with some reason to believe all of them. Or none of them. -Woody]

        • #114987

          … correction ….

          … in April 2017 …. (not 2016)

    • #114847

I was very glad to find a specific link for KB 4012212 in Woody’s initial column on this subject.  That is because — even before the advent of the rollups format, where we seem to have lost the a la carte option for patches — various MS Updates had demonstrated a propensity for utterly trashing systems here, rendering them all but unrecoverable.  And so raising the question, ‘Which is worse: the Cure or the Disease?’  If a rollup contains a conglomeration of who knows what, that creates quite the dilemma.  Woody and others have written about fatal MS updates that have come down the pike, and about the rollup conundrum.  This became like having to traverse a new minefield every patch Tuesday.  So I mostly opted out, some time ago, while still accepting certain things like the monthly Malicious Software Removal Tool or IE updates.  It’s just not worth that known risk to me.  I’d rather take my chances and make more frequent boot partition images.  And NO, I would not even remotely consider doing Win over from scratch, plus innumerable updates, about 200 apps and utilities, and tons of user preference choices.  I would move to Linux before I’d do that.  (That may be coming before too long anyway, as I have pretty much zero interest in Win 10.)


      It was also good to see the info re XP.  An elderly relative still runs that on a desktop system, although that particular computer was disconnected from the internet a few years back as a precaution, so she’s probably safe.  (You see, this is ALL doable, when it needs to be . . . . )


      I was curious to learn if this current threat (or family of exploits) might somehow be detectable, if it is already lurking somewhere on your computer, but Noel may have partially answered that.

    • #114853

I don’t know about this particular ransomware, but many are sloppy and you can get out of them using the old Windows technique: pressing Alt, Ctrl and Delete at the same time. When Task Manager appears, hit End Task.

      A good suggestion.  In my experience, the Google Chrome browser has proved to be much more vulnerable to attempted intrusions and exploits than Firefox.  On a number of occasions, something unseen on a web page tried to “break in.”  In several instances it threw up one of those bogus pages warning that your system has just been seriously infected, and you must immediately call a service company at their 800-# and pay to have this remedied.  This is by now a well known scam.  It was fairly elaborate, with audio narration going on as this began, as if someone was speaking directly to you.  The perpetrators are counting on users who have not been at this awhile to panic.  Within split seconds I reflexively bailed and killed all the processes.  (Bye Bye, you J**** !)  Then I did thorough scans with Avast! and MBAM, just in case.

      • #114975

        The fact that you see warnings and the pages simply freeze in Chrome instead of silently infecting the system, points towards the fact that Chrome actually does a better job of trapping intrusion attempts than IE or Firefox.

I use Chrome on Linux, and with the proper extensions to block rogue scripts and Flash autoplay content, these sorts of warnings, and actually seeing the pages before damage can be done, have impressed me that Chrome is better at protecting my system than Firefox.

        Blocking Flash and Scripts is also a good defense, possibly as good as any active web shields in antivirus arsenals. Further sandboxing might also help prevent browsers from downloading malicious content silently.

        -- rc primak

    • #114860

      Please forgive me for having to ask this, but MS17-010 means nothing to me, I need the KB number!  If I have to go onto the MS Update Catalog site I will not be able (I don’t think) to enter an MS number.  Also, I can’t even check my installed updates because only KB numbers are shown.  So, can someone please give me the appropriate KB number for this MS17-010?  I will appreciate it very much!

      Being 20 something in the 70's was far more fun than being 70 something in the insane 20's
    • #114866

      If you can’t install an older rollup yet have a later rollup installed, the reason why you can’t install the older rollup is because you have already installed a later rollup which replaced it. I will give an example further below.

      GROUP B…

      I have had no issues so far with the March and May Security Only Rollups on my Windows 7 computers. I did have at least three issues with the April Security Only Rollup. The most serious issue which I had with the April Security Only Rollup is that it prevented Windows Update from being able to download any other updates. For the time being, I have skipped the April Security Only Rollup on my Win7 computers. This is not to say that I am recommending that others skip this rollup.

      The April and May Security Only Rollups do not replace the previous Security Only Rollups since these Security Only Rollups are NOT cumulative. The March Security Only Rollup WAS cumulative and replaced the January Security Only Rollup.

      For example, if you have the March Security Only Rollup installed, then you will get an error message if you download and try to install the January Security Only Rollup which was replaced by the March Security Only Rollup.

      January 2017 Security Only Rollup: http://www.catalog.update.microsoft.com/Search.aspx?q=3212642

      Error message when trying to install the above rollup when you already have the following rollup installed: “This update is not applicable to your computer.”

      March 2017 Security Only Rollup: http://www.catalog.update.microsoft.com/search.aspx?q=4012212

      GROUP A…

      The March, April and May Security Monthly Quality Rollups ARE cumulative and do replace the previous Security Monthly Quality Rollups.

      2 users thanked author for this post.
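Two posts above ask, in effect, the same question from different angles: which KB number corresponds to MS17-010 on Windows 7, and why a superseded Security Only update reports “not applicable”. As an added example (not code from the thread or from Microsoft), here is a PowerShell script for Windows 7 that reports whether the Security Only updates named in this thread appear in Installed Updates, whether SMBv1 is still enabled on the Server side, and whether the Server service is running. The KB numbers are the ones given above (a Group A machine gets the same fix inside the monthly rollup under a different KB number, which you would pass in with `-FixIds`); the `SMB1` registry value is the one Microsoft documents for Windows 7 in KB 2696547.

```powershell
# Added example (not from this thread): report which of the Windows 7
# Security Only updates named above are present, whether SMBv1 is still
# enabled, and whether the Server service (the SMB server) is running.
# Assumptions: KB numbers are the ones given in the thread (Group A machines
# receive the same fix inside the monthly rollup under a different KB number,
# so add that id with -FixIds); the SMB1 registry value is the one Microsoft
# documents for Windows 7 in KB 2696547.
param(
    [string[]]$FixIds = @('KB3212642', 'KB4012212')
)

function Get-InstalledFixes {
    param([string[]]$Ids)
    # Get-HotFix lists the same entries as Control Panel's Installed Updates,
    # so a superseded update (January replaced by March) will not show here
    # even though it still appears in the Windows Update history.
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
    $report = @{}
    foreach ($id in $Ids) { $report[$id] = ($installed -contains $id) }
    return $report
}

function Get-Smb1ServerState {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($item -and ($item.PSObject.Properties['SMB1'] -ne $null)) {
        if ($item.SMB1 -eq 0) { return 'disabled' }
        return 'enabled (explicitly set)'
    }
    # No value means the Windows 7 default, which is SMBv1 enabled.
    return 'enabled (default, value not set)'
}

$fixes = Get-InstalledFixes -Ids $FixIds
foreach ($id in $FixIds) {
    $state = 'MISSING'
    if ($fixes[$id]) { $state = 'installed' }
    Write-Output ("{0}: {1}" -f $id, $state)
}
if (($FixIds -contains 'KB4012212') -and (-not $fixes['KB4012212'])) {
    Write-Output 'The March 2017 Security Only update (MS17-010 fix) is not in Installed Updates.'
}
Write-Output ('SMBv1 server: ' + (Get-Smb1ServerState))
# The Server service is the SMB server implementation that MS17-010 affects;
# if it is stopped, this machine is not serving SMB to the network at all.
$svc = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
if ($svc) { Write-Output ('Server service (SMB file sharing): ' + $svc.Status) }
```

On a Group B machine that installed the March update, the expected output is `KB3212642: MISSING` and `KB4012212: installed`, which is exactly the situation described above: January is gone from Installed Updates because March replaced it, not because it was never applied.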
      • #114889

        Interesting…, This may explain why Belarc Advisor says I am missing the January Security ONLY patch (kb3212642), after I did the March and April Security-only patches. It showed up in my history of being installed, but did not show up in the Installed Updates list. Belarc had said I was fully patched after the January patch was applied.

        I tried to do the patch again, but it said it did not apply to my system.

        Now I know why. Thanks.

        Win7-64Pro-SP1, Group B for Security and IE, WU for Office and .NET.

      • #114893

        An update that is not cumulative is not called a Rollup:

        Windows 7 SP1 and Windows Server 2008 R2 SP1 update history

        1 user thanked author for this post.
      • #117953

        Thank you! I joined Group W in the fall but installed March’s kb 4012212 at Woody’s plea. I’ve now decided to join Group B and easily made it through October, November, and December, but January gave me “not applicable.” I now know not to worry about it and keep moving on with the updating process.

    • #114874

      They are getting things ready. They just retired a bunch of ole KBs. It will not be all at once.

      After Microsoft retires a KB does Windows Update uninstall it from our computers?

      • #114890

        Yes – If you run Disk Cleanup\System Files and clean up Windows Update.

        4 users thanked author for this post.
        • #115072

          Thank you for that information.  What I meant to ask was:

          After Microsoft retires a KB does Windows Update uninstall the actual patch to which the KB refers?


    • #114904

      My question is, do I need to reboot between installing each security update or can I do them all back to back without reboots in between? Am I missing anything else? Thanks for the advice and to Woody for the heads up on the ransomware.

      Personally, I will allow the reboot between each installation, to make sure that the necessary files are properly updated. I have no idea if you can do them all in one go without risking the possibility that some files may not be properly updated. I would also suggest you keep the internet off on that machine until after you finished installing the security updates.

      I agree with 007 that it would be best to reboot after installing each of these Security Only updates. Why? Because sometimes the installation of an update can hang on reboot if there is another update which is also to be processed during reboot. I don’t think that it is necessary to keep off the internet while installing these security updates — unless you have an email program configured to automatically start and to automatically download email when Windows boots up.

      1 user thanked author for this post.
    • #114965

      I think I may have tripped the spam filter with an Amazon Link last time. Won’t be repeating that mistake again. 🙂


      1. I highly recommend everyone go check this book: Countdown to Zero Day – Kim Zetter.

      Edit to remove political implications
      Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    • #115091

      Regarding what Noel Carboni said above to look out for:  “you can look for whether executables such as tasksche.exe, taskdl.exe, taskse.exe, and @wanadrecryptor.exe are on systems in question, or whether domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea has been contacted”,

      how does the non-techie individual home user look on her/his computer for those things?  Is there a simple way?

      Background:  I have not been to AskWoody since early December, when I reluctantly decided that I was forced to be in Group W.

      I can’t be in Group A because my Windows 7 computer demonstrably can’t work after installing two important updates from prior years, so I can’t allow them to be installed.  (I have described those problems ad nauseum before!)

      Group B just seemed so complex to try to manage as a non-techie, and I worried that the looming, enforced ultra-cumulative rollup would make Group B a short-term path anyway.

      Therefore, since December, I have been in an even-beyond-Group W (more like “Group P for poohsticks”!) bubble, and my non-techie mind has been absolutely out of the loop on, and actively forgetting, this stuff;

      therefore, while for about a year I was really following along on this site as best I could given my limited knowledge, when I took my first, very brief look at the NEW forums here about a month ago, I realized it would take days of reading for me to get up to speed again on everything that had been discussed here since December.

      I do keep pretty safe, considering.  In fact, I’ve locked so many things down that I sort of don’t remember all of them and how to unlock them.     😉  oh dear

      But now, given this current crisis unfolding, I have been wrenched out of my Group C/P bubble and I am trying to figure out what I can do, in my situation.  Tonight I have read Woody’s most recent two blog posts and all the forum comments linked to them, and I read his InfoWorld article from April 24th (because he linked to it in the present blog post), and I have done the GRC ShieldsUp test which says I’m at “stealth” level in terms of port 445, though I don’t know the whys and wherefores of that.

      Some IP addresses that I had never been bothered by before the last 2 days have been bombarding my computer’s Peerblock for the last 36 hours, and they have not been allowing me to see a number of websites that I’ve always been able to see before with no trouble.  There isn’t much info on them out on the internet (as far as I could find using 3 so-so search engines — I don’t use Google)…

Peerblock calls them “Xerox” and one source said that they are registered to Microsoft in Virginia and Washington, and I don’t know why they are absolutely following everything I do – when I first turn the internet wi-fi on on my computer (the first millisecond) before I click on anything, and then when I go to any and every web address, it’s hitting my Peerblock and being blocked, and it’s keeping me from seeing some sites I’ve never had trouble with seeing before, such as Amazon.  The addresses start with 13.90. and 13.32 and so forth.  One that is banging away at me right now is 13.32.172.143:443.  Early yesterday, when I first noticed these “13.xxx.xxx.xxx” IPs causing me trouble and flooding my Peerblock list, I also had a couple of blocked IPs from “Russian Federation” (that’s what the name of the IP address was named by the blocklist author, whichever blocklist had flagged it up), but once in a great while, I do see that one on the Peerblock history (I block IPs wholesale from about 40 countries, as well as using other criteria).

      Sorry to be so verbose.

      Do I understand correctly from Woody’s April 24th InfoWorld article that I should, from a Group W standing-start (having done nothing since early December on the update installation front), install KB 4012212 standalone from the update catalog?

      From that article:  “Don’t worry about Group A or Group B at this point. Installing KB 4012212 will protect you without committing your system to either Group A or Group B.”  Is this still the case?  Is it going to have pre-requisites (between December and May) that I would also not have on my machine and should get first?

      I’m sorry to be so clueless and helpless, normally I would have stayed abreast of all this stuff, but last year MS just WORE ME OUT.

      I am worried about rushing into doing something with my computer out of fear, and getting into a pickle.  Before doing anything, I would rather have time to read up on this site on ALL that’s happened and been discussed since December, as well as get back up to speed on my poor laptop’s peculiarities and fatal-update-allergies, but I realize that I don’t have the “luxury” of studying all that at this time.

      I did read the disabling-SMB1 (I think it was) technical guide from MS that someone linked to in this discussion, but as someone else commented, that is beyond the non-techie.  I saw ch1oo’s further (brief) explanation of it, but I still don’t have enough of an idea of the ramifications that would allow me to boldly mess around with my registry on that topic, when the main issue for protection seems to be in trying to get 4012212 installed.

      If the “13.xxx.xxx.xxx” IP addresses refuse to let me see the Windows update catalog unless I unblock them, should I unblock them in order to get through to the Update Catalog?

      My relative home-user Win 7 laptop is set up very similarly to mine (deliberately, as I am the inadequate “IT department” for both of them), and that laptop has NOT been behaving like mine has in the last 36 hours — it is not being warned that a handful of “13.xxx.xxx.xxx” IP addresses are being blocked by Peerblock every few minutes — when I test out the websites that I’m suddenly being blocked from seeing on my laptop (such as, to take one example out of dozens that I’ve noticed, the Amazon site), on that machine, I can still see them just fine, like normal.

      I know I should just try this stuff and get on with it, and I’m not complaining — it was my own choice in December not to be in Group B, and not to spend a lot of time in the first part of 2017 trying to grasp everything being discussed on this excellent website which would have been the most prudent pathway even if I were going to be in Group W (C; P division), but I’m just nervous at the moment as it’s the middle of the night and I feel pushed to make some quick changes in the next few hours on two computers that I would rather have been able to do with more study and deliberation.

      I have also noticed in the last day or so that a lot of what seem like expected and typical emails (even a couple that were sent by me from one of my other email accounts) have been showing up in my spam folder — in the last 36 hours I’ve been telling the email program that they are “not spam” and opening a few of them, because they were not unexpected and seemed reasonable and appropriate, but now I worry that maybe the spam filter was seeing some hidden dangers in them that I didn’t think about at the time.

      I don’t think I clicked on any external links in the emails I rescued from the spam folder, but on one of the emails I did tell the email program, “this sender is trustworthy, so you can show the blocked images that are in the body of the email” – it was a local supermarket chain’s “weekly coupons” email which I am signed up for and which I unblock the images on every week.  I don’t know if merely opening an email is enough to get this new hacking virus — I am unclear on how it might affect the humble home user who has a firewall in place and who is not on a network.

      So I’m worried by the new persistent onslaught by “13.xxx.xxx.xxx” on my computer’s Peerblock, and the “normal and expected” emails that were oddly in my spam folder which I took out of the spam folder and opened, and this is why I would like to understand if there is any way that a non-techie can look at her/his machine to see if it’s been hit with anything weird in the last 2 days, perhaps looking at what Noel Carboni suggested above.

      (I do have Norton Security, which decision I’ve also explained several times previously on this site 🙂 , which has helped me a lot over the years to stay safe, and it hasn’t noted anything untoward — except for a weird thing when its File Insight reputation-checker would not work yesterday on my machine even though it worked on my relative’s machine — I was updating our Win 7 Flash Player, which program we do not normally use and which we keep *disabled* in Internet Explorer’s tools/add-ons, but which we sometimes need to view some reputable media websites like the BBC, which I had last updated a month ago — and *my* Norton’s File Insight said that the Adobe website’s update file was unknown and untrusted, while my relative’s laptop’s Norton File Insight said that, as is expected, millions of people have downloaded that Adobe Flash update in the last couple of weeks and that it was trustworthy.  While that File Insight weirdness was happening, the 13.xxx.xxx.xxx IP addresses were hitting away at my computer’s Peerblock.  So I don’t know if my Norton Security has an accurate picture of what my computer is actually connecting to, or what the communication problem was.)

      (Immediately I ran a scan on my free version of Malwarebytes – it didn’t find anything.)

      Then I came here to see if there was a “quick plan” for those Group W people who’ve been on their own private Gilligan’s Island (sans Professor) in recent months,

      and naturally I twigged how complicated and serious this current hacking/virus situation is (I had not previously been aware of Woody’s April 24th missive)  —  gosh  🙁

I don’t want to go blindly searching on my computer for Noel’s suspicious .exe files and accidentally start one up by pressing an enter key in a search box!

      Hey, I’ve missed you folks

      (most of you  ;-p )!

      (But I sure enjoyed having a respite from the brain-hurt and time-suck caused by the MS malarkey)

      poohsticks  🙂

      • #115098

        Do I understand correctly from Woody’s April 24th InfoWorld article that I should, from a Group W standing-start (having done nothing since early December on the update installation front), install KB 4012212 standalone from the update catalog?

        From that article: “Don’t worry about Group A or Group B at this point. Installing KB 4012212 will protect you without committing your system to either Group A or Group B.” Is this still the case? Is it going to have pre-requisites (between December and May) that I would also not have on my machine and should get first?

        Yes, if you have KB4012212, then you should be protected from WannaCrypt and other similar worms attempting to exploit the MS17-010 hole.

        No, that patch does not have pre-requisites, as far as I know (apart from the fact that you need Windows 7 SP1).

        Hope for the best. Prepare for the worst.

      • #115104

        Hello,

        An excellent [free] utility that will show virtually everything that’s running under Windows’ hood is the Sysinternals Process Explorer (which was purchased by Microsoft several years ago, with its lead developer, Mark Russinovich, hired by MS to continue its development, and that of several other excellent utilities they craft): https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx (here is a guide to its use: https://www.howtogeek.com/school/sysinternals-pro/lesson2/). In particular is the integration of VirusTotal, which is virtually the gold standard of malware identification. (One handy feature is that it can be set to start with Windows; be sure to use the Run As Administrator option.)

        Since no antimalware detects every threat, another free on-demand scanner that I have high regard for and regularly use on the numerous Windows boxes under my care is Kaspersky’s Virus Removal Tool: http://www.softpedia.com/get/Antivirus/Kaspersky-Virus-Removal-Tool.shtml — which is continually being updated (sometimes more than once a day). As with all antimalware scanners, be aware that it will sometimes produce a false positive; so if there is a detection and you are uncertain, do a web search on its findings before effecting any removals — and be sure to set a Restore Point.

        Hope this is helpful.

        Cheers,

        AJN

        • #115219

          You can also link Sysinternals Autoruns to VirusTotal.  So in addition to the already running processes shown in Process Explorer, you have the VirusTotal results for every startup program, scheduled task, driver, everything else, etc., on your system.

          And you can also add a column to Process Explorer that shows “Verified Signer” and to Autoruns that shows “Publisher”.   So you can make sure that everything has a valid signature.

          Windows 10 Pro 22H2

          1 user thanked author for this post.
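A scripted version of the "Verified Signer" / "Publisher" check described in the two posts above, added here as an example (it is not code from the thread, from Sysinternals or from Microsoft). It only walks the HKLM/HKCU Run keys, where Autoruns covers many more locations, and it uses the built-in Get-AuthenticodeSignature cmdlet rather than VirusTotal.

```powershell
# Added example: list Run-key startup entries and check each executable's
# Authenticode signature. Covers only HKLM/HKCU Run keys; Autoruns covers
# scheduled tasks, services, drivers and more.

function Get-ExecutablePathFromCommand {
    # Pull the executable out of a Run-key command line, which may be quoted
    # ("C:\Program Files\x\y.exe" /arg) or unquoted (C:\x\y.exe /arg).
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split ' ')[0]
}

function Get-RunKeySignatureReport {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSDrive, etc.
            $exe = [Environment]::ExpandEnvironmentVariables(
                       (Get-ExecutablePathFromCommand $p.Value))
            $status = 'FileMissing'; $signer = ''
            if (Test-Path -LiteralPath $exe) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                $status = $sig.Status.ToString()   # Valid, NotSigned, NotTrusted, HashMismatch...
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{ Key = $key; Entry = $p.Name; Path = $exe
                               Signature = $status; Signer = $signer }
        }
    }
}

# Show only the entries that are not validly signed; those are the ones to look into.
Get-RunKeySignatureReport | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

A valid signature tells you who signed the file, not that it is benign; the unsigned, NotTrusted and HashMismatch entries are the ones worth the VirusTotal lookup the posts above describe.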
    • #115720
      1 user thanked author for this post.
    • #116675

      From How did the WannaCry Ransomworm spread?:

      “Indeed, the ‘ransomworm’ that took the world by storm was not distributed via an email malspam campaign. Rather, our research shows this nasty worm was spread via an operation that hunts down vulnerable public facing SMB ports and then uses the alleged NSA-leaked EternalBlue exploit to get on the network and then the (also NSA alleged) DoublePulsar exploit to establish persistence and allow for the installation of the WannaCry Ransomware.”

      1 user thanked author for this post.
    • #116676

      From Multiple Groups Have Been Exploiting ETERNALBLUE Weeks Before WannaCry:

      “We have found evidence of much more sophisticated actors leveraging the NSA ETERNALBLUE exploit to infect, install backdoors and exfiltrate user credentials in networks around the world, including the US, three weeks prior to the WannaCry attack.”

      1 user thanked author for this post.
    • #120696

      From The NSA has linked the WannaCry computer worm to North Korea:

      “The National Security Agency has linked the North Korean government to the creation of the WannaCry computer worm that affected more than 300,000 people in some 150 countries last month, according to U.S. intelligence officials.

      The assessment, which was issued internally last week and has not been made public, is based on an analysis of tactics, techniques and targets that point with “moderate confidence” to North Korea’s spy agency, the Reconnaissance General Bureau, according to an individual familiar with the report.”

    • #120974

      I’ve run into a problem, am wondering how bad it might be, and what the next options are.  First, let me mention that I successfully applied KB 4012212 to a couple W7 x86 computers (one of them a laptop), and also to a W7 x64 desktop at another location.  The problem involves one key desktop that is W7U x64.  This KB has failed twice.  I’m not sure about the first attempt, but the second time it was from a downloaded KB, applied locally.  There is the “Configuring Windows.  Do NOT turn off your computer” message, but that circle keeps on spinning — for like 6 hours — and it never restarts.  Finally I must hit the Reset button, as there is nothing else left to do.  Then on the reboot Windows fails to start, and brings up the repair routine.  That fails, so I must take the System Restore option that (hopefully) dials everything back to the last Restore Point.  If that had also failed, I’d have to resort to the most recent boot partition image.

      [Incidentally, I think the Repair apparatus in W7 is probably better than the “Recovery Console” from NT through XP — which I used to call the MS “Funeral Wreath” — but it’s still not very good.  I tried the NeoSmart “Easy RE Pro” for W7, but so far I’m very unimpressed with that also.  I also have “Boot Genius”, but have not tested that yet, for non-booting scenarios like this.  I probably will however, since I also have one 8.1 box and one W-10 test box that simply croaked at the OS level.  Haven’t had enough time or motivation to work on resuscitating those two.   Win 10 really bites the Big One though, so I’m not missing it at all.  But if you know of some other recovery product out there that actually lives up to its claims, I’d like to hear about it.]

      THIS is why I joined whatever the camp is that just says ‘NO’ to a lot of the MS update patches.  There is a demonstrated history of certain MS updates being fatal to a couple of the systems I maintain.  They seem to continue working reliably without them.  (I pretty much stay away from any of them that have the word “Kernel” mentioned in the description, as those have been the most consistent offenders.  Others — like anything involving RDP — I also skip, because we have had no need for the Remote Desktop functionality here.)

      I’m also not comfortable with the Rollups, so long as I can’t know exactly what they contain in advance.  I think one of the security Rollups also failed on the system in question, in the manner mentioned above, probably because it included that KB.

      Why that KB worked for me on some rigs but not on others (x86 vs. x64 ?  Ultimate 7 vs. Enterprise 7 ?) seems academic to me, at best.  It won’t affect the outcome.

      So, I’m wondering what the alternatives are now for _this_ desktop box.  I’m absolutely NOT going to redo it from scratch: please don’t even bother suggesting that.

      How much risk is there for W7 ?  I’ve heard that this exploit was mostly an XP problem.  I don’t click on unknown or even slightly-suspect links in emails.  On the other hand, I don’t want to be concerned about browsing over to this or that website I’ve never seen before.  I’m using a decent AV program, with MBAM as a second opinion.

      Would adding an extra layer like Sandboxie provide sufficient protection, for a system that can’t tolerate KB 4012212 ?


      • #120988

        About the March Security only patch KB 4012212, MS says this

        This Security Only Quality Update is not applicable for installation on a computer where the Security Monthly Quality Rollup or Preview of Monthly Quality Rollup from March 2017 (or a later month) is already installed, because those updates contain all of the security fixes that are included in this Security Only Quality Update.

        Check the update history to see if you have inadvertently installed anything that would cause it to fail.
        The problem is, you need the April patch also, either Security only or Rollup, to be secure.

    • #121102

      About the March Security only patch KB 4012212, MS says this

      This Security Only Quality Update is not applicable for installation on a computer where the Security Monthly Quality Rollup or Preview of Monthly Quality Rollup from March 2017 (or a later month) is already installed, because those updates contain all of the security fixes that are included in this Security Only Quality Update.

      Check the update history to see if you have inadvertently installed anything that would cause it to fail. The problem is, you need the April patch also, either Security only or Rollup, to be secure.

      Thanks.  I’ll check the history on that.  What are the other respective KB #s I should be looking for ?

      • #121108

        Security Monthly Quality Rollup: March KB4012215, April KB4015549, May KB4019264, June KB4022719

        Preview for Monthly Quality Rollup: March KB4012218, April KB4015552, May KB4019265
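An added example (not from the thread or from Microsoft) that turns the "check the update history" advice and the KB list above into a script: it compares Get-HotFix output against the KB numbers named in this thread and reports whether MS17-010 is already covered and whether the Security Only patch would still be applicable. The list holds only the months named above; later Windows 7 monthly rollups are cumulative and also contain the fix, but are not listed.

```powershell
# Added example: which of the updates named in this thread are installed?
# KB numbers and descriptions are the ones the thread lists (Windows 7).
$Ms17010Updates = @{
    'KB4012212' = 'March 2017 Security Only Quality Update'
    'KB4012215' = 'March 2017 Security Monthly Quality Rollup'
    'KB4015549' = 'April 2017 Security Monthly Quality Rollup'
    'KB4019264' = 'May 2017 Security Monthly Quality Rollup'
    'KB4022719' = 'June 2017 Security Monthly Quality Rollup'
    'KB4012218' = 'March 2017 Preview of Monthly Quality Rollup'
    'KB4015552' = 'April 2017 Preview of Monthly Quality Rollup'
    'KB4019265' = 'May 2017 Preview of Monthly Quality Rollup'
}

function Get-Ms17010Status {
    param(
        # Defaults to the local machine; pass an array of KB IDs to test a known list.
        [string[]]$InstalledKBs = (Get-HotFix | ForEach-Object { $_.HotFixID })
    )
    $matched = @($InstalledKBs | Where-Object { $Ms17010Updates.ContainsKey($_) })
    # Everything in the table except KB4012212 is a March-or-later rollup or
    # preview rollup; per the MS note quoted earlier in the thread, the Security
    # Only update will not install once one of those is present.
    $rollups = @($matched | Where-Object { $_ -ne 'KB4012212' })

    [pscustomobject]@{
        Covered                = ($matched.Count -gt 0)
        Matched                = @($matched | ForEach-Object { "$_ ($($Ms17010Updates[$_]))" })
        SecurityOnlyApplicable = ($rollups.Count -eq 0)
    }
}

# Run against this machine (Get-HotFix exists on Windows 7 / PowerShell 2.0):
Get-Ms17010Status | Format-List
```

If Covered is False and no later rollup shows in Get-HotFix either, the box is in the state the thread warns about; if SecurityOnlyApplicable is False, a failing KB4012212 install is expected and not a sign of a broken system.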

    • #121606

      IDT got hit two weeks before WannaCry. From A Cyberattack ‘the World Isn’t Ready For’:

      “Two weeks after IDT was hit, the cyberattack known as WannaCry ravaged computers at hospitals in England, universities in China, rail systems in Germany, even auto plants in Japan. No doubt it was destructive. But what Mr. Ben-Oni had witnessed was much worse, and with all eyes on the WannaCry destruction, few seemed to be paying attention to the attack on IDT’s systems — and most likely others around the world.

      The strike on IDT, a conglomerate with headquarters in a nondescript gray building here with views of the Manhattan skyline 15 miles away, was similar to WannaCry in one way: Hackers locked up IDT data and demanded a ransom to unlock it.

      But the ransom demand was just a smoke screen for a far more invasive attack that stole employee credentials. With those credentials in hand, hackers could have run free through the company’s computer network, taking confidential information or destroying machines.

      […]

      Since IDT was hit, Mr. Ben-Oni has contacted everyone in his Rolodex to warn them of an attack that could still be worming its way, undetected, through victims’ systems.

      […]

      More distressing, Mr. Dillon tested all the major antivirus products against the DoublePulsar infection and a demoralizing 99 percent failed to detect it.”

    • #122397

      From New tally: WannaCry cyberattack by North Korea hit 1 to 2 million computers worldwide:

      ‘A vicious attack that was powered by a stolen U.S. cyber weapon and deployed by a North Korean hacking unit was worse than originally thought, locking up one to two million computers, a congressional panel heard Thursday.

      And only the lucky discovery of a “kill switch” prevented the WannaCry ransomware attack last month from encrypting the hard drives of 10 to 15 million computers, Salim Neino, the founder of Kryptos Logic, a Los Angeles cybersecurity company, told legislators.’

    • #122399

      From WannaCry: Two Weeks and 16 Million Averted Ransoms Later:

      “Here we argue that the real number of affected systems, by assessing the sinkhole data, is in the millions, and we further estimate between 14 to 16 million infections and reinfections have been mitigated avoiding what would have been chaos, since May 12th.”

      1 user thanked author for this post.
    • #122776

      Perhaps Microsoft could consider changing the exploited status for some of the CVEs in Microsoft Security Bulletin MS17-010 from “no” to “yes.”

    • #114708
    • #114728

      My question is, do I need to reboot between installing each security update or can I do them all back to back without reboots in between?

      Am I missing anything else? Thanks for the advice and to Woody for the heads up on the ransomware.

      Personally, I will allow the reboot between each installation, to make sure that the necessary files are properly updated. I have no idea if you can do them all in one go without risking the possibility that some files may not be properly updated.

      I would also suggest you keep the internet off on that machine until after you finished installing the security updates.

      Hope for the best. Prepare for the worst.

      4 users thanked author for this post.