|
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it. |
ISSUE 21.33.1 • 2024-08-16 By Susan Bradley It’s been a long time since we’ve had a Microsoft worm event. Last week’s patches contained a fix for the
[See the full post at: MS-DEFCON 3: Blocking a potential wormable event]
Susan Bradley Patch Lady/Prudent patcher
This vulnerability is directly connected to IPv6. Disable that, and you are protected, even without the patch.
My DSL internet connection does not support IPv6 (“Modem IPv6 IP Address” shows “N/A”). Can I conclude that this is of no concern to me — assuming I’m not worried about attacks from inside my LAN?
Correct
Susan Bradley Patch Lady/Prudent patcher
Thanks for the heads up and advice. As a home user I’ve chosen to disable IPv6 as my option for now. I’ll let the August Win 10 updates age a bit longer…
The following may not affect Win 10 but there are at least some people reporting issues with Win 11 updates (ghacks: https://www.ghacks.net/2024/08/16/latest-windows-11-update-is-reportedly-causing-freezes-and-lags-for-some-users/).
Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.
If you’re not using IPv6 for internet connectivity, make sure IPv6 is disabled in your Router. This will fully prevent WAN attacks from this vulnerability. Or just patch Windows with the August Updates.
You can also test if your internet connection is using IPv6 here under IPv6 connectivity: https://ipv6-test.com/
Example on an Asus Router:
Instead of de-selecting the IPv6 protocol in the UI, I run in this mode:
Disable IPv6 on all nontunnel interfaces (except the loopback) and on IPv6 tunnel interface
from here:
https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows
I feel like this is sufficient mitigation for CVE-2024-38063, since it disables IPv6 on all Ethernet ports. Would anyone disagree?
About IPv6… I don’t have it enabled, but this MS-DEFCON alert sent me back to early in the previous decade when there were a number of stories in the tech press about how we were running out of IPv4 addresses and soon we’d have to switch to IPv6, otherwise new devices coming online would have no way to get onto the Internet.
So here we are, some twelve years later, and IPv4 addresses don’t seem to be a problem anymore. Was that back then just more of the usual media scaremongering, or was a technical solution found to the dwindling reserves of IPv4 addresses?
No, it happened around nine years ago at the top levels; e.g:
ARIN IPv4 Free Pool Reaches Zero [Archived] — 24 September 2015
Here’s some more information about this: https://mspoweruser.com/ipv4-address-exhaustion-date/
Apparently, Europe ran out of IPv4 addresses in 2019 (according to the linked article, the 2015 date was for North America). So, why wasn’t there a crisis 5 or 9 years ago? The article goes on to explain:
In theory, IPv4 address exhaustion should mean no new IPv4 devices could be added to the Internet, but in practice, a number of factors make this a non-issue.
The first is that ISPs can reuse and recycle unused IPv4 addresses. The second is that due to NAT (network address translation) the same IP addresses can be used privately behind the ISPs router.
(note: The search term I used to find this was “IPv4 apocalypse”. 🙂 )
UPDATE: Fuller discussion of the topic in Wikipedia.
So if the https://www.ipchecktool.com/ipv6test tool says:
<h3>IPv6 Connection:</h3>
<h4 id=”ipv6test”>Not supported</h4>
Do I then need to take further action or am I safe from this? (My ISP does not currently use IPv6.)
I use both wired and wireless connections. Does this mean that I have to disable it for each machine. Or can I disable it from my desktop pc? Furthermore, is it the same option for both wireless and wired connection? I didn’t quite fully understand how to disable it for my wireless connection. Lastly, did it matter that I did the update first before proceeding to disabling the IPv6?
If you installed the Aug 13 security update, you don’t need to disable IPv6.
(This was not clear from, “my basic recommendations are threefold: patch immediately, disable IPv6 on all PCs on your network, or …”.)
The word “or” means pick one.
Susan Bradley Patch Lady/Prudent patcher
The word “threefold” means three times or parts.
Yes, only Windows machines are affected.
Well, apparently the (only) other option is to simply let Windows install the August updates. If you have already done so (or once you do that) you can entirely avoid any complication in order to disable IPv6. That said, Susan’s instructions at the top of this thread are very simple to follow and should be understandable by anyone with the bare minimum knowledge of Windows to disable IPv6.
Correct.
So this is an either/or situation? Do the update OR disable IPv6? Not both?
Correct.
What do you do with IPv6, if you want to wait a while to do the Aug 13 updates, and you take the alternative, ie., disable IPv6 right now, and then you install the updates down the road? What is the state of IPv6 after that? Is it still disabled? And if so, is it OK to re-enable it? Or do you leave it disabled? Or does the update re-enable it?
What do you do with IPv6, if you want to wait a while to do the Aug 13 updates, and you take the alternative, ie., disable IPv6 right now, and then you install the updates down the road?
@b answered that above.
What is the state of IPv6 after that? Is it still disabled?
Yes
Or does the update re-enable it?
The update does not re-enable IPV6. If you want it re-enabled, you will have to do so.
The update does not re-enable IPv6. If you want it re-enabled, you will have to do so.
Thanks PK.
And it is safe to re-able IPv6 after the update?
What about my router?
And after changing IPv6 to IPv4 before the update, I don’t need to change anything in my router? (If I do have to do that, I’ll have to figure out how to get to the settings in my router.)
And if I just do the update (leaving IPv6 checked), do I need to change anything in my router afterwards?
And it is safe to re-able IPv6 after the update?
Yes. You will be patched against this vulnerability.
What about my router?
And after changing IPv6 to IPv4 before the update, I don’t need to change anything in my router? (If I do have to do that, I’ll have to figure out how to get to the settings in my router.)
If you changed anything in your router instead of applying this update now, you will have to change it back if you want IPv6 to be restored later.
And if I just do the update (leaving IPv6 checked), do I need to change anything in my router afterwards?
If you haven’t changed anything in your router, your OS (Windows) settings or elsewhere in your computer or on your network, nothing needs to be changed after this update.
If you have changed anything in the computer, the OS (Windows settings) or in the router, you will have to reverse all those changes yourself after patching, if you so desire.
(But ask yourself: Do you really need IPv6 for your network? Eventually, probably most of us will need IPv6, but not necessarily right now. It depends on what you use your network for.)
-- rc primak
Does that mean I am safe?
Yes
After doing 8/2024 updates, is there any reason to again check IPv6 box in Network properties?
Not unless you find IPV6 is necessary at the present time.
Four Windows 10 Pro 64-bit Version 22H2 computers updated last night and today without incident.
Also installed available NVIDIA and Intel updates.
Will post additional comments if additional computers in our fleet run into update problems.
I would appreciate knowing why, for a home user, Susan advises either “Install updates” or “Disable IPv6 for your network connections”. If I were to choose the second option, I’m still going to have to install the August updates at some point in the future, so why not now? Susan’s assessment is, and I quote, “… updating now should be safe.”. Is there perhaps still some nervousness concerning the fact that Patch Tuesday was only four days ago?
Follow Susan’s advice.
If some are concerned that this is faster than I normally approve updates or your pause routine is such that you aren’t wanting to install now – I like to give options.
There are some sites reporting side effects for the updates but I’m not seeing widespread issues and more offs that are typically triggered by gaming rigs or older third party shell software.
Susan Bradley Patch Lady/Prudent patcher
I disabled IPv6, did the updates then enabled IPv6.
I don’t see any problems yet.
Windows 11 Pro
Version 23H2
OS build 22631.4890
It doesn’t matter if you have installed the Aug. 13 update. Either way the update has your back.
What is the difference between IPv4 and IPv6…
IPv4 has a limit of 2^32 addresses (2 to the 32nd power) or 4,294,967,296 individual IP addresses (with about 288 million of those reserved for one purpose or another) whereas IPv6 has a limit of 2^128 addresses (2 to the 128th power). So IPv6 buys a LOT more space for individual items being connected to the Internet (and a LOT more internal addresses for networks to use as well I would think). Here are the snippets from Wikipedia:
IPv4 addresses
An IPv4 address has a size of 32 bits, which limits the address space to 4294967296 (2^32) addresses. Of this number, some addresses are reserved for special purposes such as private networks (≈18 million addresses) and multicast addressing (≈270 million addresses).
And a little further down in the same article:
IPv6 addresses
In IPv6, the address size was increased from 32 bits in IPv4 to 128 bits, thus providing up to 2^128 (approximately 3.403×10^38) addresses. This is deemed sufficient for the foreseeable future.
I had to add symbols to the snippets to indicate powers of 2 and 10 since the software here doesn’t seem to support superscripts.
Both snippets came from the following article in Wikipedia: https://en.wikipedia.org/wiki/IP_address.
I hope this answers your question.
My reply above (#2697319) is what’s considered to be the biggest difference between IPv4 and IPv6, but there are other differences between the the two besides the number of individual addresses they can handle. The following link has an in-depth explanation of the differences between the two, but can be a bit technical: https://en.wikipedia.org/wiki/IPv6#Comparison_with_IPv4
No prob with 5041580, or 5042352(net).
Edition Windows 10 Pro
Version 22H2
Installed on 4/12/2024
OS build 19045.4780
Experience Windows Feature Experience Pack 1000.19060.1000.0
With an image backup at the ready and peace of mind, I installed the August updates without issue. In case you are not on the image backup bandwagon this issue makes it a perfect time to reconsider.
Desktop Asus TUF X299 Mark 1, CPU: Intel Core i7-7820X Skylake-X 8-Core 3.6 GHz, RAM: 32GB, GPU: Nvidia GTX 1050 Ti 4GB. Display: Four 27" 1080p screens 2 over 2 quad.
I use Terabyte image – fast.
On both systems, running the ipconfig command from a Command Prompt before applying the reg file shows some “Tunnel Adapters”.
What does this ipconfig command from a Command Prompt look like?
And what does the output from the command look like?Is the command for servers only?
I just opened a Command Prompt and then type ipconfig then press enter. It is not necessary to use an “elevated” command prompt (running as administrator).
An example of an output :
Windows IP Configuration
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . :
IPv4 Address. . . . . . . . . . . :
Subnet Mask . . . . . . . . . . . :
Default Gateway . . . . . . . . . :Tunnel adapter isatap.{AAAAAAAA-AA11-11AA-AABB-BBBBBBBBBBBB}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
The first is about the addresses used by your Ethernet Adapter (if you use Ethernet). If you use wireless a seperate wireless entry may also be listed.
{AAAAAAAA-AA11-11AA-AABB-BBBBBBBBBBBB} is a string of characters and numbers that can be different for different systems. There may be more than one “Tunnel Adapters” entry. This example is before applying the reg file. After applying the reg file and rebooting the “Tunnal Adapters” entries should be gone.
The ipconfig command can be used on client versions of Windows like Windows 7 and Windows 8.1, not just for Windows Server.
Hope for the best. Prepare for the worst.
I just opened a Command Prompt and then type ipconfig then press enter. It is not necessary to use an “elevated” command prompt (running as administrator).
Looks like my system has no tunnel adapter, right?
I made a REG file by copying the following text into Notepad and then saving it as a .reg file :
The command runs off the line. This is what it looks like.
Command reposted to show complete content of Reg file.
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters] "DisabledComponents"=dword:00000001
Sorry, I must have screwed up that link somehow (and too late to edit). But this one works:
I use a Mac, but every month I read what seems to be a myriad of Window updates horror stories on this Forum. Do they ever go smoothly? How is the average PC user supposed to know about these issues and what are they supposed to do about them?
iPhone 13, 2019 iMac(SSD)
How is the average PC user supposed to know about these issues and what are they supposed to do about them?
Quite simply, subscribe to Susan’s newsletter and follow her advice. I have done that for many years and never hit the buffers.
Chris
Win 10 Pro x64 Group A
@pmcjr6142 – I use a Mac and Windows 10. I’ve had more trouble with Mac updates than with Windows updates. That said, there is definitely a new episode of the Microsoft Soap Opera every month; those episodes are documented here at AskWoody.
I’ve wondered why there is apparently no Mac Soap Opera. Is it really because Mac patches are so good? In my experience the answer is no. Rather I think that Apple is far more reticent to divulge what exactly their patches are doing and they never address known issues with their updates, a feature that is almost always present on the MS support pages for the monthly cumulative updates. Here’s a link to the Apple support page for the latest Monterey update: https://support.apple.com/en-us/120910 IMHO it’s not very useful . For every patch you get one sentence that says something can go wrong (duh!) and that they “fixed” the vulnerability with improved code (gosh, really??!! but why not just do it right the first time?).
Before someone accuses me of being an MS fanboy, I’m absolutely not. For me both Apple Macs and Windows leave much to be desired. I use them because for various tasks I need to use them. However for day to day computer use I’ll take – and do take – Linux Mint in a nanosecond.
Quite simply, subscribe to Susan’s newsletter and follow her advice
How would the average Windows home user know about Susan’s newsletter ?
How is the average PC user supposed to know about these issues and what are they supposed to do about them?
He doesn’t know and let Microsoft do the updating every months.
In case of crashes, BSODs…he turns to a family wiz kid, technicians…
Rather than try to configure something I know nothing about, I used Susan’s first suggestion and installed the KB5041580 Cumulative Update for Windows 10 22H2 for x64-based systems. It took three attempts (and 2 hours wasted) before it finally completed a successful install of KB5041580, although the two .Net files installed okay on the first attempt. The second attempt was so stuck that I had to do a Ctrl-Alt-Delete to get my computer back for the successful third attempt. Why it took 3 tries I do not know. My PC seems to be working fine now.
Thanks, Susan,for all you do for us.
Moderator’s Note: Post retrieved from the spam bucket.
I patched last evening. While working on the last update, Cumulative for W10, it generated an error I never saw before. “We could not complete the install because an update service was shutting down.” Huh??? That’s a new one! (See image attached. It doesn’t show properly within the message but will if you click on it.)
‘Retry’ was unsuccessful, exiting and restarting update didn’t help, so I restarted the machine. Upon restart I got the spinning dots and it just sat there, so I finally cycled power. Thank god it came back up and started installing updates. It went through about 3 cycles of installing then restarted OK.
I checked for updates again and it still generated the pictured error. I clicked ‘Retry’ and after several seconds it started installing the Cumulative W10. After several seconds progress showed “Installing – 100%.” It sat there for a minute, then went back to Installing – 14% , etc. and continued. Update finished and the machine restarted OK.
I checked for updates again and there were none.
As I’d had these problems, I ran dism.exe /online /cleanup-image /restorehealth and sfc /scannow. Dism reported Image version 10.0.19045.4780. sfc said it found corrupt files and repaired them.
So far things have been going OK.
I kinda feel like a dodged a bullet this time…
How would the average Windows home user know about Susan’s newsletter ?
Alex
Friendly people like you or I make the recommendation.
Chris
Win 10 Pro x64 Group A
So this is an either/or situation? Do the update OR disable IPv6? Not both?
Yes, I asked this yesterday. Either or…
Correct.
Either disable IPv6 and wait – or don’t disable it and do the updates – no need to do both IMO.
All was fine on my Win 10 laptop – did the update – not disable first.
Folks, I cannot believe that we are arguing about misinterpretation of basic English grammar, instead of focusing on the primary issue, which is securing our systems., Why don’t we just read PKCano”s responses and get on with the job.
Chris
Win 10 Pro x64 Group A
Some are confused. The only reason to “disable IPv6” is because you do NOT want to install August Windows updates yet. Considering that the updates are not causing issues, just do the updates. Once you do the updates, the IPv6 issue is Moot. There are also other critical vulnerabilities that the updates fix that can’t be mitigated. Just install the Updates Now.
IPv6 tunneling is simply a way for two computers to use IPv6 to communicate with each other over an IPv4 network that may exist between them. It’s a way (with the help of the aforementioned “adapters”) to pass IPv6 packets over an IPv4 network.
If you patch your IPv6 stack (by installing KB5041580) then you shouldn’t be vulnerable to any attack that’s the subject of CVE-2024-38063. As you quoted @Intrepid,
Once you do the updates, the IPv6 issue is Moot.
As far as the concept of tunneling goes, there are bigger fish to fry right now…
There are also other critical vulnerabilities that the updates fix that can’t be mitigated.
I hope this helps add some clarity to the situation right now.
P.S. I patched both of my machines on Friday evening (late) and Saturday morning. On both machines, the patch installed fairly quickly (compared to other recent monthly Windows patches) and both machines rebooted with no problems and have had no problems since then.
and I’m OK even though I have IPv6 Enabled??
Even if you think you are OK I would have disabled ipv6 in you network card/wi-fi unless you use ipv6 in your home network.
Try restarting your computer (not shutdown/Power up).
That’s click the start button. choose Restart.
I use the “Pause Updates” method for deferring Windows Updates on my Windows 10 Pro computer.
Since you have Win 10 Pro, I’d suggest controlling the monthly updates via settings in the Group Policy Editor.
With the setting outlined below the monthly updates don’t begin downloading or installing until you open click the download button.
Press the Start button, type GPE, to open the Group Policy Editor. Now head to:
Computer Configuration > Administrative Templates > Windows Components > Windows Update and open Configure Automatic Updates.
Enable the setting and under Configure automatic updating, choose 2 – Notify for download and auto install.
After configuring for “2 – Notify for download and auto install”, open Windows 10 settings to “Windows Update” and click on “Check for updates” button.
After it checks for updates, you will see the yellow notice: “Some setting are managed by your organization” at the top. Windows does not apply the changes until a manual “check for updates” is done. The “organization” is you.
Desktop Asus TUF X299 Mark 1, CPU: Intel Core i7-7820X Skylake-X 8-Core 3.6 GHz, RAM: 32GB, GPU: Nvidia GTX 1050 Ti 4GB. Display: Four 27" 1080p screens 2 over 2 quad.
Do you mean you tried restarting and it did not restart or do you mean it did restart normally then resumed the “checking for updates” message
I mean the latter. It restarted normally, and resumed the “checking for updates” message.
You could try disconnecting your computer from the internet, then restarting again without internet access. Just a long shot but sometimes they work unexpectedly
That’s the way I always restart my computer. I disconnect from the Internet, restart it, and then connect back up to the Internet. But just to be sure, I tried restarting again that way, and it’s still checking for updates.
In the taskbar search box, type powercfg and hit Enter.
Click on “Choose what the power buttons do”
Click on “Change settings that are currently unavailable”
Uncheck the box about “Fast Startup”
Click “Save changes”
Close the Control Panel
Disconnect from the Internet
Go to the Start button.
DO NOT click on “Shutdown”
Click on “Restart”
When the computer restarts, log in. Do not reconnect to the Internet.
Go to Settings App\Update & Security\Windows Update
With the Internet disconnected, searching for updates, if it resumes, should fail.
Report back what you see.
If you are not connected to the Internet, under normal operations, when Windows Update searches and cannot find a connection to MS, the search will fail.
It seems you have something else wrong.
Rather than hijack this thread with your problem, create a new Topic about your problem and we will help with it.
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
