• Time to get off the Group W bench – at least for a few minutes


    • This topic has 131 replies, 19 voices, and was last updated 8 years ago.
    #110144

    If you haven’t yet installed March patches for Windows, listen up. One of those leaked NSA exploits, EternalBlue, has been pulled out of the Shadow Br
    [See the full post at: Time to get off the Group W bench – at least for a few minutes]

    • #110153

      Most non-business users are probably not exposed to this through the internet. You can test for internet exposure to port 445 (the vulnerable code in non-patched Windows listens to port 445) by doing the Common Ports test at https://www.grc.com/x/ne.dll?bh0bkyd2. Nonetheless, I still agree with Woody’s advice because I believe that port 445 is usually open within local networks.

    • #110150

      Do most of those exploits, like EternalBlue, depend on some user-related action, or are they mostly “point-and-pwn” sorts of tools?

      If they fall into the second category, does the affected system still have to be manually found and targeted in order to be exploited, or is there already a more advanced, automated way of delivering this threat?

      • #110160

        EternalBlue is unlike most other exploits because it involves no user actions other than being connected to a network that is able to send network traffic to port 445.

        • #110164

          Thanks for the heads up MrBrian…

          So with port 445 open, any unpatched system is still vulnerable… But it still depends on manual targeting, right? Which might indicate that home users are less prone to infection?

          On a legacy machine running Windows XP SP3 which I barely ever use, I disabled file/printer sharing in the network settings; does this do any good against those kinds of SMB exploits?

          • #110173

            You’re welcome :).

            Most home users shouldn’t be “reachable” to port 445 through the internet, but most home users should be “reachable” to port 445 by other devices on your local network (because of printer and file sharing). So if somebody else on your local network gets malware, if you’re vulnerable to this then their malware could be used to exploit your computer also.

            I don’t see any technical reason why an attack on devices “reachable” on port 445 through the internet couldn’t be automated (if it isn’t already).

            • #110186

              Hmm… So the biggest issue for home users is not direct internet access to port 445 but some kind of lateral access to it by compromised systems on the same network…

              So disabling file/printer sharing is somewhat effective as it renders the XP machine “invisible”, at least directly, to the other machines on the same network, is that correct?

            • #110188

              @anonymous: That is correct, I believe. You can use a port scanner program such as SuperScan to scan if port 445 is open in your local network after you disable file and printer sharing.

            • #110250

              If I scanned the ports and got a stealth result does this mean 445 is safe?

            • #110268

              The theory is that stealth is safety. The report probably told you that as the ports could not be seen, it appears as though the computer does not exist, or words to that effect.

            • #110292

              “If I scanned the ports and got a stealth result does this mean 445 is safe?”

              Assuming you scanned port 445 of the target computer from another computer in your local network, and used the internal IP address of the target computer, a result of either “stealth” or “closed” is fine, I believe.

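The open/closed/stealth distinction the replies above discuss, as an added example that is not from the original thread: a small Python probe that classifies how a host answers a TCP connect on port 445, plus a loopback self-check so the classifier can be seen working on a port you control. The LAN addresses at the bottom are constructed placeholders.

```python
import socket

# Result names follow the ShieldsUP-style reports the thread refers to:
# "open"    - something on the host accepted the TCP handshake on that port
# "closed"  - the host answered with a reset (reachable, but nothing listening)
# "stealth" - no answer at all (a firewall drops the SYN, or the host is absent)
STATES = ("open", "closed", "stealth")


def probe_port(host: str, port: int = 445, timeout: float = 2.0) -> str:
    """Attempt one TCP connect to host:port and classify the outcome."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "stealth"
    except OSError:
        # "no route to host", "network unreachable" and similar: nothing answered
        return "stealth"
    finally:
        sock.close()


def audit_smb(hosts, port: int = 445, timeout: float = 2.0):
    """Probe every host; return (state per host, hosts still answering on the port)."""
    results = {host: probe_port(host, port, timeout) for host in hosts}
    exposed = [host for host, state in results.items() if state == "open"]
    return results, exposed


def loopback_selfcheck() -> tuple:
    """Classify a port we control: open while a listener exists, closed after it is gone."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # the OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_port("127.0.0.1", port)
    listener.close()
    after_close = probe_port("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print("self-check:", loopback_selfcheck())  # ('open', 'closed')
    # Constructed placeholder addresses for a home LAN; replace with your own hosts.
    lan_hosts = ["192.168.1.10", "192.168.1.20"]
    results, exposed = audit_smb(lan_hosts, timeout=1.0)
    for host, state in results.items():
        print(f"{host}:445 -> {state}")
    print("hosts still reachable on 445:", exposed or "none")
```

Run it from a second machine on the LAN after disabling file and printer sharing; a "closed" or "stealth" result for the target is what the replies above call fine.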
    • #110158

      The article Leaked NSA hacking tools are a hit on the dark web states that some claim that Microsoft’s March 2017 patch is not good enough.

      • #110161

        Maybe not, but it’s a start toward improved security.  Hopefully May’s patch will take the rest of the punch out of this.


      • #110190

        That’s my #1 concern at the moment… if I tell people all’s safe, when it isn’t….

        • #110272

          Well, to be realistic there is NEVER a time when any patch (or computer usage) is PERFECTLY safe. 🙂

          -Noel

      • #110279

        @ MrBrian

        In that case, Win 7/8.1 users should move to Group L , … L for Linux. … ( :

    • #110162
    • #110165

      Will a personal computer not be protected by leaving its Homegroup and disabling all sharing options?

      I also have 4012212 installed on my Win7.

      • #110175

        Installing the March 2017 Windows update should be sufficient, unless the suggestion in an above link that the March 2017 Windows update isn’t good enough is true.

    • #110177

      Estimate of number of users who are “reachable” to port 445 through the internet: From Millions Of Systems Worldwide Found Exposed On The Public Internet (2016):

      “Meanwhile, some 4.7 million systems expose port 445/TCP, which is used for Microsoft SMB network communications.”

    • #110184

      I have Win 7 Home Premium x64. When trying to install 212 and 215 it said not applicable. It did install KB4012218.

    • #110185

      For Windows 7 or 8.1 users: Because of the cumulative nature of the monthly rollups, if you have a monthly rollup or preview monthly rollup from March 2017 or later, you’re also protected from this.

      • #110252

        >For Windows 7 or 8.1 users: Because of the cumulative nature of the monthly rollups, if you have a monthly rollup or preview monthly rollup from March 2017 or later, you’re also protected from this.

        If they know how to patch the system to prevent infection, does that imply that the MSRT would remove an existing one?

        -Noel

        • #110422

          That would be the ideal situation and hopefully will happen.
          Situations like this one are the only reason to justify the monthly (daily after Windows 7) scan and the existence of MSRT.
          Regular antivirus software only treats the symptoms and, while useful to some extent because it raises the alert, is not the answer to this sort of malware.

    • #110217

      Are home users connected to a Comcast Xfinity modem-router, who literally have to plug the printer into a USB port on the computer, vulnerable?

      • #110224

        I believe the router or modem itself, if it has malware on it, could infect your computer via this exploit.

    • #110219

      You need two things to keep you from being vulnerable.
      1. You need to have the latest Office updates if you have MS Office (any version) installed on the computer.
      2. You need to have EITHER March 2017 Security Monthly Quality Rollup (delivered through Windows Update) OR March 2017 Security Only Quality Update (downloaded from the Microsoft Update Catalog) installed on your computer.

      Edited to correct patch date

    • #110220

      Also, if that ‘doublepulsar’ is malware, wouldn’t a malware blocker block it?

      • #110222

        I believe you need the updates mentioned above.

      • #110227

        I have read that DoublePulsar is quite stealthy.

      • #110229

        Apparently yes, DoublePulsar isn’t something new… It is a trojan with backdooring capabilities and a lot of variants in the wild…  What is new is the delivery method via the SMB vulnerability aka EternalBlue… So, at least in theory, it should be detected by security software as a resident infection because it is listed in a lot of AV databases, hence also in the signature updates…

        The updates make systems immune to the exploit, which is one of the spread methods, not to the threat itself…

      • #110242

        In general antivirus software generates alerts and blocks the symptom, but does not treat the root cause.
        Antivirus software is over-rated and in most cases useless, but it looks good to those less technical end-users or managers.

        • #110647

          And it uses a lot of resources (i.e., it slows things down) to accomplish what protection it does provide.

          -Noel

    • #110225

      Ok PKCano. Will the update from the catalog run even if I have windows update deactivated in services?

      • #110228

        If you DISABLE the Windows Update Service the installer will NOT run.
        1. In WU, change settings to “Never Check for updates”.
        2. In Services, put WU Service on manual (if it isn’t already).
        3. Reboot.
        4. Open Services, scroll down and highlight WU Service, then at the top left “stop” the service.
        5. Run the update from the catalog.

        • #110247

          While in Services, it may pay to check that BITS is turned on/started (Background Intelligent Transfer Service).

    • #110243

      Out of curiosity, what scanners can detect this “stealthy” malware?

      -Noel

      • #110317

        I wonder myself the same…

    • #110237

      DoublePulsar has been in the wild for some time now, even some time before the Shadow Brokers episode which “unleashed” some vulnerabilities that made that particular malware such a potential threat, which makes me wonder why there are no malware scanning tests published for it. I mean, there are A LOT of sources claiming NUMBERS of affected systems, based mostly on what they call “internet scans”, so if the code can be identified remotely by some tool it can’t be as stealthy as expected…

      I might be acting ingenuous here, but I’d really want to see some insight, some research on that particular side of this malware, of how stealthy that piece of code is…

      • #110302
        • #110316

          I’ve read this article before, great quote by the way, it’s an excellent in-depth analysis of the DOUBLEPULSAR injection technique, but while it is pretty much silent and “stealthy” when injecting the DLLs, it is malware code, it has a signature and as such it should be caught by full scanning software, right?

          I mean, it probably won’t be caught doing the injection, but it could, at least in theory, be caught and eventually removed by a scanning tool…

          • #110408

            DoublePulsar itself is fileless and in memory-only.

            • #110415

              Yes it runs in RAM and apparently can be caught at the moment mainly by manually monitoring memory behavior… And it ain’t easy…

              For systems that haven’t been rebooted it might leave a trace in memory, but I don’t know for sure how trackable it is, if it is trackable at all…

              But DoublePulsar itself is harmless, right? The main issue is the backdoor it leaves behind, and whatever manages to pass through will probably be identified by later scanning, correct?

            • #110459

              @anonymous: I think what you wrote is accurate.

    • #110249

      >If you have version 1511, you need to be on Build 105867.839 or later.

      I am on 10586.494 and I have applied no patches since last year. I cleaned out Cortana, Edge and all apps and bloat. I consider their return with any update worse than the risk from NSA and all the idiots they enabled. I make frequent backups so if anything happens I will restore the latest. This to me is a superior alternative to letting MS shove stuff onto my system that I have to learn and that can screw up my system for no reason whatsoever.

      • #110253

        >If you have version 1511, you need to be on Build 105867.839 or later.

        >I am on 10586.494 and I have applied no patches since last year. I cleaned out Cortana, Edge and all apps and bloat. I consider their return with any update worse than the risk from NSA and all the idiots they enabled. I make frequent backups so if anything happens I will restore the latest. This to me is a superior alternative to letting MS shove stuff onto my system that I have to learn and that can screw up my system for no reason whatsoever.

        An update to a higher build dot number in the same version (e.g., from 10586.494 to 10586.later) won’t return Cortana as far as I have seen (though it might depend on how you removed it).

        Per my experience, an update to a later version (i.e., 1607 or 1703) WILL return Cortana and any default Apps you have removed. That’s one reason I wrote a re-tweaker script I can use to remove them all again.

        -Noel

        • #110282

          That’s what I thought too, but I asked and Woody was pretty sure they would return. But the reality is I just don’t want anything to do with what MS does. My current configuration is just what I need and is stable and there is no reason that justifies taking the risk.
          I keep myself informed with everything going on and I have seen nothing to compel me to mess around with my system. I see only problems and no benefits.
          BTW, I removed Cortana and Edge with the Winaero scripts. I’m sure there are traces of them left, but they are inactive and as far as I can tell they’re dead given my settings.

          Edit: html to text, caused by copy>paste

    • #110258

      While many of the Microsoft Windows-specific exploits contain remote code execution vulnerabilities, they need to be deployed against a host in order to be successful. In other words, a connection to the organization must already be established for many of these exploits to work — as port 445, which is used in Microsoft’s SMB, is typically blocked internet-wide.

      https://www.cyberscoop.com/nsa-hacking-tools-shadow-brokers-dark-web-microsoft-smb/

      IOW, vulnerable Windows computers do not get infected by the EternalBlue/DoublePulsar/Fuzzbunch exploit by just connecting to the Internet or visiting a website, ie the exploit has to come from within a LAN or WAN or Remote Network, eg from an already-infected/compromised computer/device on the LAN or WAN or Remote Network(eg the computer user had clicked on files with other malware).
      https://www.exploit-db.com/docs/41896.pdf

      • #110283

        I don’t know how to write such scripts. Are you confident that the script will work on any subsequent version of Win10?

        • #110300

          @ fp

          The link refers to hackers writing such scripts while using the EternalBlue exploit.

          Those Windows exploits were used by NSA from 2011 onward and were “stolen” by Shadow Brokers in 2013. Win 10 was only released on 29 July 2015. So, those exploits were only used by the NSA to exploit pre-Win 10 systems. Today, hackers may use those same recently-leaked exploits against unpatched pre-Win 10 systems.
          . . . But this does not mean that the NSA did not apply the same exploits against Win 10 from 2015 onward or hackers cannot use the exploits against unpatched Win 10 systems today.

      • #110278

        … continuing from above …

        Note that the Fuzzbunch hacking tool that is needed for the EternalBlue exploit is only available for Win XP. Why? Because many Chinese and Russian hackers are still using pirated Win XP, which is not illegal in their countries.
        . . . As we know, Win XP will never be patched against all the Shadow Brokers’ leaked exploits. What gives?

      • #110299

        Some systems are exposed to port 445 over the internet.

        Example: This guy purposely exposed a vulnerable system to port 445 on the internet. It was hacked in 15 minutes.

        • #110318

          @ MrBrian

          That is why computer users should always disable Remote Management/Assistance in their computers and routers (which also use port 445), except when needed, e.g. when they request M$’s staff to provide technical support and trouble-shooting of Windows problems remotely.
          http://www.speedguide.net/port.php?port=445 (RPC = Remote Procedure Call)

          • #110409

            I do have Remote Assistance disabled for my Windows 7 computers since I don’t use it. Remote Assistance seems to use port 135, not port 445, according to Remote Assistance and Resulting Internet Communication in Windows 7 and Windows Server 2008 R2.

          • #110473

            @ MrBrian

            Yes, you are correct, ie Remote Assistance and Remote Desktop do not use port 445. Sorry.
            . . . It’s actually the Windows Servers’ Remote Desktop Service that uses port 445, as per …
            https://social.technet.microsoft.com/wiki/contents/articles/16164.rds-2012-which-ports-are-used-during-deployment.aspx
            . . This means, companies and websites who have Windows Servers and Remote Desktop Service(= port 445 is open to the Internet) are vulnerable to the EternalBlue exploit if unpatched.

            Most home computer users access the Internet through port 80 on their home-routers, and not through port 445, ie port 445 is mainly accessed by their own internal LAN/WAN for file and printer sharing with Windows SMB protocol.
            ……. So, hackers would usually need to infiltrate port 80 through the Internet with some other malware before they could deploy the EternalBlue/SMB exploit through port 445.

            My point is that pre-Win 10 home computer users are not vulnerable to the EternalBlue exploit by just being connected to the Internet for web-browsing, even if unpatched with the March 2017 update because they do not connect to the Internet through port 445.

            Also, a fully patched Windows computer is of no use against malware infection if the user does not practice safe-browsing and good house-keeping, eg foolishly open unfamiliar email attachments or download torrent files, does not change the default router admin password or disable Remote Management/Assistance.

        • #110329

          @ MrBrian

          Windows Networking/SMB through port 445 has been vulnerable since 2005, …
          http://www.infoworld.com/article/2669579/security/experts-split-on-port-445-security-risk.html

    • #110254

      So I have been trying to figure this out. I have a semi-custom Windows 7 64-bit Skylake computer (an early Intel Core i7 6700K). As it is custom, it is not on the list I saw of a few of the brands like Asus, Dell, etc. that have committed to extra testing for future Windows 7 updates.
      Also, I am more or less in Group B. The last time I patched was during the recent MS-Defcon 5 time, following instructions here on AskWoody.
      Can I install KB 4012212 or other updates? Will I be blocked? How should I proceed?
      Thanks!

      • #110291

        >Can I install KB 4012212 or other updates? Will I be blocked? How should I proceed?

        I don’t know about that particular processor. What I can tell you from the threads on this site is – if you install the patch and your computer is blocked, you can then uninstall the patch and the blocking is reversed. That applies to both the Monthly ROLLUP delivered through Windows Update and the Security Only UPDATE downloaded from the MS Catalog because both/either contain the blocking mechanism.

    • #110274

      I put my Win7 64bit machine through its paces at Steve Gibson’s Shields Up… and came out with a good score, claiming that my computer is well hardened. I would hazard a guess, as I’m not tech minded to the extent of being able to tweak my machine, that either my router firewall, Norton Security or SpyBot Anti-Beacon are playing a part. I do feel, despite what others think, that these programmes are helpful…… perhaps not for those who are capable of writing scripts and engineering/tweaking their machines to do their bidding…… but for us lesser mortals!
      So please don’t disparage us by saying certain things…… thank you!
      Am attaching one of the reports given. All the ports tested were STEALTH with the exception of 139 and 445 which were CLOSED to connections.


      • #110298

        It’s basic to the nature of a router not to forward incoming connection requests and connectionless packets TO connected computers on the LAN side – even if there’s only one of them. You have to set that up specifically if you want such connectivity. Gamers sometimes do this, or people with special requirements.

        It automatically sets up the return pathways when you make requests FROM your computer on the LAN side.

        Thus just having a router protects you from all kinds of trouble, with little downside.

        -Noel

        • #110518

          I am sure you actually described the default behaviour of a NAT router, like most home users have on their networks, and not the behaviour of any other regular router 🙂

          • #110528

            Yes, perhaps I should have said “home router” or “edge router” – i.e., one that serves only one WAN IP address but allows multiple systems to be connected. Thanks for the clarification.

            -Noel

    • #110289

      Thank you for that suggestion ‘just saying’……….. was wondering myself if there was anything else I could do. Will most certainly look into that and close it down!


    • #110315

      Is there a way to close those ports manually for older systems or those who can’t “afford” to get patched at the moment?

      Also, could rolling back to an early restore point, before the leakage happened, remove any DoublePulsar infections?

    • #110323

      I have Microsoft DS disabled, don’t have a printer so all that is disabled and I have port 445 (among others) blocked several times over. A good tool to do this for those that aren’t technically inclined is Windows Worms Doors Cleaner 1.4.1. It doesn’t install anything, it’s just one file that runs and will allow you to easily close the following ports manually: 135, 137-139 and 445. It will also disable UPNP and SSDP services and will close the Messenger exploit if applicable (mine is disabled in services already). Handy little program to close off these ports for you if you so desire.

      • #110335

        Could closing those ports cause any issues?

      • #110455

        Doesn’t work in Win10.

    • #110332

      Thanks Woody. I have sent the patch link to all of my 150 client machines to be installed. Well on the way to patching.

      CT

    • #110334

      Morning all, Happy Spring,

      I just ran my Secunia PSI, and it says that I have some .NET Framework (2.x 64-bit ; 2.x ; 3.x ; 4.x) programs that need updating.  Am I ok to update the .NET, or should I hold off on it for now?  I think I remember reading that it is ok to update the .NET, but I wanted to run it by you to be sure.

      Also, one of my machines gets automatic Office 3013 updating, but the other machine has Office 2010, and that one doesn’t seem to get the automatic updating.  Will those updates for the Office 2010 come through with our regular security updating? I’ve never seen it do that, so I am curious how Office 2010 gets updated.

      Thanks, Chip

      • #110336

        My mistake.  I typed Office 3013, when it is Office 2013.

        Chip

        • #110340

          Oh yeah, there’s always another piece to the puzzle.  If I click on the Secunia update for the .NET stuff, it wants to use IE.  I haven’t been using that, and am not sure about the wisdom of doing the .NET updating with it.

          Do .NET updates come through to us the same way the Group B security updates come?

          Thanks,  Chip

      • #110339

        >Am I ok to update the .NET, or should I hold off on it for now?

        The .NET patches for March and before are OK to install. The April patches are still under DEFCON 1.

        >Will those updates for the Office 2010 come through with our regular security updating?

        If you are using Microsoft Update (checked box “Give me updates for other MS products”), the Office updates will come through Windows/MS Update. If not, the Office patches are available on the Microsoft TechNet
        It is advisable to go ahead and install the latest Office patches now.

        • #110345

          PKCano, when I look at my Windows Update > Change settings screen, I don’t see “Give me updates for other MS products”. I have Important Updates (which is set to Never check for updates). It also shows “Recommended updates” (which I have unchecked).

          It also has a “Note: Windows Update might update itself automatically first when checking for other updates”, which puts a comforting feeling into my stomach.

          Regarding Office 2010, can I just install the April update?  I’ve never patched Office 2010 on this machine, and am wondering if April is all that I need.

          Thanks again,  Chip

          • #110348

            Here is a .vbs script that I have used to fix this problem on Windows 7: https://blogs.technet.microsoft.com/danbuche/2010/01/06/enabling-and-disabling-microsoft-update-in-windows-7-via-script/

            If you need more help on what to do, please say so.

            • #110370

              Mr. Brian,  thanks for this.  I don’t think I’m up to the technical skill needed to use scripts, so I’ll have to let this slide.

              Chip

            • #110374

              @Chip: I’m not sure if this helps or if it’s too advanced yet?

              1. Copy these lines into a new file with an extension of .vbs: https://pastebin.com/w08Q3SBe.

              2. At a command prompt that is elevated, run the file created in step 1.

          • #110369

            Please allow a bit more info on this Office 2010 thing.  The machine in question used to get the automatic updating from MS, but I stopped that in September 2015.  I wasn’t too focused on updating for it, as that machine is not used very much, mainly being used as a live backup for my main machine.  I started doing the updates for windows at that time, so windows has always been updated following the all clear from you good folks.

            Thank you for the info on Microsoft TechNet.  Now I’ll be able to stop by there each month.

            Chip

            • #110382

              Well, that didn’t work. I got to the Microsoft Update Catalog, found KB3141538 (64-bit Edition) for Office 2010 Security Update, got it onto my download area, but when I applied/extracted it, I got a prompt saying something was missing and it wouldn’t install.

              It was kind of a slog, getting to a spot that allowed the download.

              Thanks for your help. Chip

            • #110387

              Do you know if you have 32-bit or 64-bit Office 2010?

            • #110397

              Chip, I’d certainly check you’re trying to install the right version.  Open any Word document, look under File/Help and the version details will be shown including whether 32 or 64 bit. You also need to have Office 2010 SP2 installed, which means that the version details need to list the version number as 14.07015.1000 or higher.

              Mine qualifies on that basis but I’m not even being offered this update (nor have I been offered any definition or other updates since August 2016). I plan on tackling the main Windows updates (security and .Net roll-ups) when Woody raises the defcon  and then once it’s all proved to be working ok I’ll search from Word (same page as the version details) for Office 2010 updates and see what transpires.

            • #110599

              Seff,

              Thank you for your response with helpful info.  I’m showing, in a Word document, in Office 2010, a version of 14.7153.5000 (32-bit).  I think that’s meeting your requirement of v14.07015.1000, isn’t it?  (Would that mean that it has SP2?) It was pretty easy finding the version with your directions.  Office 2010 is on a Dell 390 Optiplex, which I think is a 64-bit machine; it’s Windows 7 Professional.   When I look at the Device Manager, it says that the 390 is: Computer – ACPI x64 based PC.  Would that mean that the 390 is a 64-bit machine?  I think the answer is yes.

              So, on the 390, would I go for the Office 2010 Update in the 32 or 64 bit flavor?  Can a machine be a 64-bit OS, but run Office 2010 at 32-bit?  I’ve been installing the Windows Security Updates (Group B) in 64-bit form on this 390, and everything seems to update correctly.

              My other machine is a Dell M6800 Precision Mobil Workstation, Win7 Pro.  It has Office 2013 and gets automatic Office Updates.  Looking in the Device Manager for the 6800 shows: Computer – ACPI x64 based PC; same as the 390, which makes me think the 390 is a 64-bit machine running Office 2010 in 32-bit.  Am I correct, so far?

              In the 6800, I’m not able to find the Word version, as you showed how to find it on the 390.  Maybe that’s because the 6800 has Office 2013, and is 64-bit?  I’m pretty sure that Office 2013 is 64-bit.

              I appreciate your help with this. Chip

            • #110601

              Chip,
              It is good to run Office 32-bit on a 64-bit machine. You will have fewer compatibility problems.

              To help you get the updates you need, try this MS website.

            • #110602

              Seff,

              I went for the 32-bit version of KB3141538 Security Update for Microsoft Office 2010 (32-bit Edition) and it installed promptly. It also brought along 41 of its buddies, which hadn’t been installed since 9/8/2015.

              So, I’m thinking that Office 2010, on the 390, is now caught up. When I started handling the Windows Security Updates, I must have not focused on the separate updating for Office 2010.  Now I know.

              Thanks for your help. Chip

    • #110344

      >@ MrBrian In that case, Win 7/8.1 users should move to Group L , … L for Linux. … ( :

      Always assuming that Linux is absolutely safe – would anyone really claim that?

    • #110359

      FWIW, as one searches the Internet looking for reliable tests of firewall and various port penetrations, one observes that Mr. Steve Gibson, of GRC, is thought of, by some people, as a legend unto himself. There appears to be an especially bad small program called ‘Firewall Leakage Tester’ which is almost 12 years old, supplying you with false errors. Moral?… Investigate before blindly running tests mentioned, with links, in various help forums, blogs, fortune cookies, etc.

    • #110392

      DoublePulsar infections:

      “106,410 – 21/04/2017
      116,074 – 22/04/2017
      164,715 – 23/04/2017”

      2 users thanked author for this post.
      • #110498

        Is this an MS-related problem only?
        Or are Mac, Android and Linux also affected?
        Or are all computers that connect to the internet exposed on port 445?

        TIA

        back to fishing for better dreams

      • #110609

        “183,107 – 24/04/2017”

    • #110396

      Woody posted this link in updates to the post: From Over 36,000 Computers Infected with NSA’s DoublePulsar Malware:

      “Earlier this week, trying to assess the number of users vulnerable to the malware leaked last Friday, cyber-security firm Below0Day has performed an Internet-wide scan for Windows computers with open SMB ports (port 445).

      Their scan returned a number of 5,561,708 Windows computers with port 445 exposed to external connections.”

    • #110423

      Per my experience, an update to a later version (i.e., 1607 or 1703) WILL return Cortana and any default Apps you have removed. That’s one reason I wrote a re-tweaker script I can use to remove them all again.

      There is a method to preserve the settings during the upgrade which was posted by Susan Bradley on patchmanagement.org.
      It is a command line for setup.exe on the full ISO with a specific switch which I don’t remember now, instead of using Windows Update for doing the upgrade.

      • #110477

        Thanks for the tip. I did the upgrade via the ISO, but I wasn’t aware of a command line switch to have it be more apt to leave my settings and App choices alone. However, in my case I got what I wanted since I always test the Apps at each new release.

        -Noel

        • #110492
          1 user thanked author for this post.
          • #110529

            Thanks.

            Kind of makes you wonder, though… If an OOBE in-place upgrade can have its problems, would a SETUP.EXE /AUTO UPGRADE – which is presumably less intrusive still – be more apt to have problems?

            Time was I would never consider installing a whole new version of Windows as anything but a fresh, clean setup. That, of course, comes with baggage – having to set up EVERYTHING again. That wasn’t all bad, though, because when doing so you could re-evaluate your current working environment – you could choose to get new versions of some things, or change to better solutions for some things.

            Now… Not having to go through all that twice a year is worth taking a chance on the in-place upgrade. And even so it’s as though you never have time to finish the finer points of re-tweaking a given version by the time the next one comes out.

            I shall have to try a SETUP.EXE /AUTO UPGRADE. I still have snapshots from before the upgrade.

            -Noel

            2 users thanked author for this post.
            • #110612

              Maybe I should mention that I haven’t tested the switch.

    • #110425

      I have Windows 10 Home Version 1607 (14393.1066 Build) with the last Security Update listed in Update history being Security Update for Windows 10 Version 1607 (KB4015217). I had tried to update to the Build 14393.953 back in March but WU kept failing to install KB4015438 so I decided to just disable WU for the time being to avoid getting untested updates in April, using Noel Carboni’s ConfigureAutomaticUpdates tool.

      Per Woody’s recent instructions to get my “build number up to snuff,” I just temporarily enabled WU to run WUSHOWHIDE but only driver updates for Intel, Realtek, Dell are listed – no cumulative updates. Please help provide a link to the correct KB needed to be installed and instructions how to do manually.

      Also of concern is that WU was still set at ‘disabled’ via the ConfigureAutomaticUpdates tool before I just enabled it today (4/23) but in checking the update history, not only was there an update done on 4/22 but there is also an Adobe Flash security update installed on 4/15. How is WU able to override these settings? Many thanks!—-DP

    • #110569

      For those of us in Group W, which of these 3 do we need? As in, which ones are “Do, or likely die?”

      • KB 4012213 the Security-Only “Group B” patch, or
      • KB 4012216 the March Monthly Rollup “Group A” patch, or
      • KB 4015550 the April Monthly Rollup

      Fortran, C++, R, Python, Java, Matlab, HTML, CSS, etc.... coding is fun!
      A weatherman that can code

      • #110570

        I followed Woody’s advice KB4012212. I and my clients are basically W, with a few selected Security-Only updates and office updates, applied once they have aged well.

        https://www.askwoody.com/2017/time-to-get-off-the-group-w-bench-at-least-for-a-few-minutes/

        CT

      • #110571

        Win8.1
        You need at least the security patch
        KB4012213 March Security-only is the least deviation from W – It’s Group B
        Unless Woody or MrBrian says the April Security only KB4015547 is necessary.
        The two Rollups contain the non-security as well.

        1 user thanked author for this post.
        • #110573

          Thanks PK Cano!

          I did that patch the other day, but with the updates to Woody’s post since then I was no longer certain.

          Fortran, C++, R, Python, Java, Matlab, HTML, CSS, etc.... coding is fun!
          A weatherman that can code

          • #110574

            Woody is getting to change the DEFCON number.
            We should know more about the relevance of the April patches then.

      • #110607

        For the issue that is the subject of this topic, you need either the March 2017 security-only update, or any monthly rollup from March 2017 or later.

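As an added example that is not part of this thread or of any poster's tooling, the following read-only PowerShell snippet checks a Windows machine for the three things the thread keeps circling back to: whether one of the KB numbers named above is installed, whether the SMBv1 server is still enabled, and whether anything is listening on TCP 445. The KB list is taken from the posts in this thread and is not exhaustive; the LanmanServer `SMB1` registry value is the documented Windows 7 fallback. Run it from an elevated prompt.

```powershell
# Added example (not from the thread): defender-side checks for the SMB issue
# discussed here. Read-only; it changes nothing on the machine.
# KB numbers are the ones named in the thread (Win7 and Win8.1 March/April
# security-only and rollup updates). Any monthly rollup from March 2017 onward
# also carries the fix, so an empty result is a prompt to look further, not proof
# of exposure.
$fixKbs = 'KB4012212','KB4012213','KB4012215','KB4012216','KB4015547','KB4015550'

$installed = Get-HotFix | Where-Object { $fixKbs -contains $_.HotFixID }
if ($installed) {
    "Found a covering update: $($installed.HotFixID -join ', ')"
} else {
    "None of $($fixKbs -join ', ') is installed; check for a later monthly rollup before assuming you are patched."
}

# SMBv1 server state. Win 8.1 / Win 10 / Server 2012+ expose Get-SmbServerConfiguration;
# Windows 7 does not, so fall back to the LanmanServer 'SMB1' registry value
# (value absent or non-zero means SMBv1 is enabled).
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1Enabled = ($null -eq $params.SMB1) -or ($params.SMB1 -ne 0)
}
"SMBv1 server enabled: $smb1Enabled"

# Is anything listening on TCP 445? netstat is present on every Windows version
# mentioned in the thread, so it is used instead of the Win8+-only Get-NetTCPConnection.
$listening = netstat -an | Select-String ':445\s+\S+\s+LISTENING'
"TCP 445 listening locally: $([bool]$listening)"
```

A listener on 445 is normal when file and printer sharing is on; the question raised upstream is whether that port is reachable from outside your network, which this local check cannot tell you. The GRC common ports test linked earlier in the thread, or your router's firewall settings, answer that half.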
    • #110615

      From https://twitter.com/GossiTheDog/status/856631418167971841:

      “DoublePulsar is purely a kernel level remote backdoor. It has no payload. You use it to own, then load payload later.”

    • #110624

      In PK Cano’s post upstream #110219 he says we need to apply April 2017 patches to be safe, but Woody has not changed MS-DEFCON yet.  Are we supposed to apply April patches and ignore Woody’s DEFCON rating?  I have March 2017 patch applied.  I have Stealth rating when checking port 445.  Is there evidence that April patches are still causing issues?

      • #110628

        That should be March patches. I have corrected it. Thanks.

    • #110655

      Thanks PKCano!

    • #110663

      hi:

      we have servers dropping off the network, like this: https://www.askwoody.com/forums/topic/ms17-006-kb4012216-kb4012215-kb1042204-and-servers-dropping-off-of-the-network/

      so we removed the patch. now what should we install to prevent the virus?

      thanks a lot for help!!


    • #111310

      This is reply #110425 above, sent in my request for help 2 days ago: I’m still at Build 14393.1066 on Windows 10 Home Version 1607 and need help to patch up to Build 14393.953. I used Noel Carboni’s ConfigureAutomaticUpdates tool to enable WU and re-ran wushowhide tool to show hidden updates but no cumulative patches were made available. WU is back being disabled till I get much needed help. Much thanks!

      • #111313

        This is reply #110425 above, sent in my request for help 2 days ago: I’m still at Build 14393.1066 on Windows 10 Home Version 1607 and need help to patch up to Build 14393.953.

        Build 14393.1066 is dated 4/11/2017. It is the latest Build of 1607

        Build 14393.953 is dated 3/11/2017. Since it was released there have been two additional Builds – 14393.969 on 3/20 and Build 14393.970 on 3/22.

        You have the latest build. Did you want to roll back to an earlier build?

        • #111334

          Thank you, PKCano, for the clarification and no, I don’t want to roll back to an earlier build if this one is considered stable enough and the computer is relatively safe from the exploits mentioned in this post.

          However, I’m concerned that even though I had used Noel Carboni’s ConfigureAutomaticUpdates tool to set WU as “disabled”, somehow there are several updates installed after the computer had been restarted. Is there an alternative way I can double check that WU is really disabled (with Win10 Home, I can’t edit registry easily)?

          Many thanks for your guidance and to all who keep this site going!
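As an added example, not from the thread and not a description of how the ConfigureAutomaticUpdates tool works, this read-only PowerShell snippet shows how to confirm the Windows Update service state and the Automatic Updates policy values directly on the machine, and lists what was actually installed recently. The registry path and value names are the standard Windows Update AU policy location; whether a Home edition honours them is not something this check decides, it only reports what is set.

```powershell
# Added example (not from the thread): inspect the Windows Update service and the
# Automatic Updates policy values so "is WU really disabled?" is answered from the
# machine itself. Read-only. Run from an elevated PowerShell prompt.

# Service state. Win32_Service works on every Windows version in the thread
# (the ServiceController.StartType property is only on newer PowerShell builds).
$svc = Get-WmiObject Win32_Service -Filter "Name='wuauserv'"
"Windows Update service: State=$($svc.State) StartMode=$($svc.StartMode)"

# Group Policy-style Automatic Updates values. The key may be absent entirely.
$auPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
if (Test-Path $auPath) {
    $au = Get-ItemProperty -Path $auPath
    "NoAutoUpdate = $($au.NoAutoUpdate)  (1 = automatic updating turned off)"
    "AUOptions    = $($au.AUOptions)  (2 = notify before download, 3 = auto download and notify to install, 4 = auto download and schedule install)"
} else {
    "No AU policy key present at $auPath"
}

# What actually landed, regardless of the settings above. InstalledOn can be
# empty for some entries, so sort descending and let those fall to the bottom.
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 10 HotFixID, Description, InstalledOn
```

If the service shows `StartMode=Disabled` yet new entries appear in the Get-HotFix list with recent dates, something re-enabled the service long enough to install them; comparing the InstalledOn dates against when you changed the setting is the quickest way to see whether that happened before or after the change.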

    • #111524

      Help! Trying to patch a Windows 7 Group W laptop with KB 4012212 by downloading it directly using the link provided. However, I’m not able to install it because the KB 4012212 installer hangs when it checks for updates before installing, the same way my Windows Update hangs forever. I’m not able to install anything.

    • #110401

      Reply to #110284. I have a question about ping. My Win7 Home Prem laptop has all the recent Security Only patches and all ports show as stealth on the grc.com common ports test. However, that site says that my computer is receiving pings.
      I looked into that, unchecked the one box that was checked in the Inbound rules for Echo ICMP, tried the test again, still failed. I looked further and created a block ping rule, still failed. I’m not hugely technical, and this is at my boundary, it appears.
      I don’t know anything about router settings or where to find those. My understanding from my reading is that the Windows Firewall settings should block ping even if the router is letting it through. (It’s a Qwest wireless modem/router. I have no idea where I would find settings for it.) Just seeing if any of you knowledgeable folks have any suggestions. Thanks 🙂

    • #110486

      I found an article, published in ITWorld, PCWorld, ComputerWorld and others, saying false positives were not found.
      Now There’s a Tool to Test for NSA Spyware

      1 user thanked author for this post.
    • #110501

      Do a search online for your router and the internet address you need to type, (if that doesn’t show up, ring tech support at your ISP, no need for them to have remote access, they can just give you the address). Go to that address, and access your dashboard, (admin settings).You need to change, (if your router will allow it), the admin password, and your (default) password. (Important). Make it a complex password, but one that you can remember/store and type out again. Not words from a dictionary, increases “entropy”, ie, a longish nonsense word and maybe a number will do fine. Check if you can update firmware. After you have updated firmware, if it doesn’t do that automatically, (it will say so in settings), save settings, log out and then go back to the internet address again. (Some routers, not all, will lose password in a firmware update, just do this to check it is ok). (Then log out again, and relax).

      Some advocate changing this (password/s) now and then. Up to you, if it is a good password and not the defaults. Maybe check 2 times a year that it is all ok.

      It seems that MS is now no longer able to support printers on networks??? (joke).

    • #110611

      ? says:

      look up your CL DSL modem and apply the “IPV4 firewall stealth mode.” It fixed the ShieldsUP ICMP Echo Request hole for me.

      eg: for c1000z

      http://internethelp.centurylink.com/internethelp/modem-c1000z-adv-firewall-stealth-mode.html

      or for c2100t

      http://internethelp.centurylink.com/internethelp/modem-c2100t-adv-firewall.html
