• Windows 10 more vulnerable – revisited


    #2379168

    I asked the other day if Windows 10 was more vulnerable. Turns out we have another problem with Windows 10 – and Windows 11 for that matter. CVE-2021-
    [See the full post at: Windows 10 more vulnerable – revisited]

    Susan Bradley Patch Lady/Prudent patcher

    • #2379175

Specifically for business users, there are far better ways to handle system recovery actions than relying on shadow copies.  Critical systems should have nightly bare metal backups.  User profile data should be redirected to a central NAS with its own snapshot capability.  Performing system restore on a domain joined PC often breaks domain trust.  While that’s not very difficult to fix, it’s just not necessary to do if your infrastructure is set up right.  It’s been my experience that formatting a computer is significantly faster than trying to troubleshoot major problems 90% of the time.  When your user data is disjoined from the PC, the PC is disposable.

      • #2379211

The reality of small business: my users want their desktops just so.  I feel that at this time the need for VSS, previous versions, an exact image, is too great.  And the recommendations from Microsoft (as those are not Bleeping Computer’s mitigations but Microsoft’s) are too much like what ransomware does to our systems to be considered reasonable for anyone other than Government or other high risk entities.

        Susan Bradley Patch Lady/Prudent patcher

    • #2379180

      From a reported workaround via Bleeping Computer

      Restrict access to the contents of %windir%\system32\config:
      Open Command Prompt or Windows PowerShell as an administrator.

      Run this command:
      icacls %windir%\system32\config\*.* /inheritance:e

      Delete Volume Shadow Copy Service (VSS) shadow copies:

      Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.

      Create a new System Restore point (if desired).

      followed by the bombshell…

      Users should be aware that removing shadow copies from their systems could impact system and file restore operations, such as restoring data using third-party backup apps.

      So, what 3rd party backup software does this affect using the workaround?

      Windows - commercial by definition and now function...
      • #2379184

        Probably any backup software that uses VSS to enable backing up open files.

        • #2379202

Disabling VSS would cause a lot of backup software to have issues, but that’s not what the workaround does. It “fixes” the permission (possibly to the pre-1809 permission) and flushes the VSS copies that carry the bad permission.

As far as breaking backup software by using the workaround goes, backup software worked fine before the permission was mis-set…

          Martin

Updated: the workaround is Microsoft-official

          • This reply was modified 3 years, 9 months ago by ve2mrx. Reason: Added link to Microsoft CVE page
      • #2379213

        To be clear that’s the official Microsoft mitigation.

        Susan Bradley Patch Lady/Prudent patcher
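As an added example (not code from the thread, from Bleeping Computer or from Microsoft), here is a PowerShell script that does what the posts above describe by hand: it checks the ACLs on the hive files in %windir%\system32\config the way the `icacls` check does (by SID, so it works on localized Windows), tries to open each live hive to show why the shadow copies matter (an ACL refusal and the kernel’s file lock fail differently), lists the shadow copies present, and with `-Fix` applies the two mitigation steps quoted above. The function names `Test-HiveAcl` and `Test-HiveOpen` are this example’s own, not Windows cmdlets.

```powershell
<#
  Added example, not from the thread or from Microsoft.
  Audit (and with -Fix, mitigate) the over-permissive ACL on the registry hive
  files under %windir%\System32\config, following the two steps quoted above:
    1. icacls <config>\*.* /inheritance:e
    2. delete the shadow copies that still carry the old ACL
  Run the audit as a standard user to see the ACL-vs-lock distinction;
  -Fix needs an elevated PowerShell. Read-only unless -Fix is given.
  Test-HiveAcl and Test-HiveOpen are this example's own function names.
#>
param([switch]$Fix)

$config   = Join-Path $env:windir 'System32\config'
$hives    = 'SAM', 'SECURITY', 'SYSTEM'
$usersSid = 'S-1-5-32-545'   # well-known SID of BUILTIN\Users, independent of locale

function Test-HiveAcl {
    # Returns the Allow ACEs that give BUILTIN\Users read access to the file.
    # An empty result is the healthy state. A caller who cannot even read the
    # security descriptor (access denied) is, by definition, not granted read.
    param([string]$Path)
    try { $acl = Get-Acl -Path $Path -ErrorAction Stop } catch { return @() }
    $read = [System.Security.AccessControl.FileSystemRights]::ReadData
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $usersSid -and
        (($_.FileSystemRights -band $read) -eq $read)
    }
}

function Test-HiveOpen {
    # Try to open the live hive for read as the current user. The live file is
    # always held open by the kernel, so what matters is *which* error we get:
    #   UnauthorizedAccessException   -> the ACL refused us (good)
    #   IOException (sharing violation) -> the ACL allowed the open and only the
    #     lock stopped us. A shadow-copy path to the same file has no such lock,
    #     which is why step 2 of the mitigation is required.
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        $fs.Dispose()
        'Readable'
    } catch [System.UnauthorizedAccessException] {
        'DeniedByAcl'
    } catch [System.IO.IOException] {
        'AllowedByAclButLocked'
    }
}

$exposed = @()
foreach ($name in $hives) {
    $path = Join-Path $config $name
    $aces = @(Test-HiveAcl -Path $path)
    $open = Test-HiveOpen -Path $path
    if ($aces.Count -gt 0) {
        $exposed += $path
        Write-Warning ("{0}: BUILTIN\Users has {1}; open attempt -> {2}" -f $path, $aces[0].FileSystemRights, $open)
    } else {
        Write-Host ("{0}: no Users read ACE; open attempt -> {1}" -f $path, $open)
    }
}

# Shadow copies taken while the ACL was wrong keep exposing the hives even after
# the live files are fixed, so list them regardless of the ACL result.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
Write-Host ("{0} shadow copies present" -f $shadows.Count)
$shadows | Select-Object InstallDate, DeviceObject | Format-Table -AutoSize

if ($Fix) {
    # Step 1: re-enable inheritance so every file in config takes the directory's
    # ACL, which does not grant BUILTIN\Users read access.
    & icacls "$config\*.*" /inheritance:e | Out-Null
    # Step 2: remove existing shadow copies (and with them the System Restore
    # points). This is the step the thread debates; take a fresh backup first.
    & vssadmin delete shadows "/for=$env:SystemDrive" /quiet | Out-Null
    foreach ($path in $exposed) {
        Write-Host ("{0} after fix: Users read ACEs = {1}" -f $path, @(Test-HiveAcl -Path $path).Count)
    }
}
```

On an affected build the audit reports `BUILTIN\Users has ReadAndExecute, Synchronize` for each hive and, when run as a standard user, `open attempt -> AllowedByAclButLocked`: the ACL let the open through and only the kernel’s lock stopped it, which is exactly what a shadow copy path sidesteps. After the fix the same user sees `DeniedByAcl`. The script does not touch `vssadmin` or `icacls` unless `-Fix` is passed.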

    • #2379259

      SAM has always been relatively insecure.  It’s one of the reasons why Hirens was so useful.

    • #2379283

      does anyone know the CVE score for this?

    • #2379342

I am not affected by HiveNightmare

      cmd : icacls %windir%\system32\config\sam

      I run a daily VSS schedule.

    • #2379336

      Specific instance:  Macrium Reflect uses VSS for its disk/partition cloning and imaging.

      • #2379403

        Reflect 8 worked using a different technique after I removed shadow copies and restore points. So, it is possible to keep making drive images with VSS disabled, using Macrium Reflect 8.

        GreatAndPowerfulTech

    • #2379506

      My question: instead of spending time centering the taskbar and such like, why doesn’t Microsoft poke around and discover – and fix – overlooked problems like this? It may not be flashy, but surely people would respond to a simple description of how an update really does make their computer better by being safer.

      Win 7 Pro, 64-Bit, Group B ESU,Ivy Bridge i3-3110M, 2.4GHz, 4GB, XP Mode VM, WordPerfect
      • #2379522

Microsoft is a giant company with many, many spare programmers. It’s a gargantuan organisation with wise-sounding people in the lead. And those people want round corners, a centered menu and other stuff. From my angle of view, W10 and W11 are good for home users, but for an enterprise environment it’s a disaster.
They try really hard to make Windows secure and stable, but by adding that bloatware and features like “Weather and interests”, they are unwantedly downgrading their so-called operating system, aka service.
Fine tuning Windows 10 so it will become stable, reliable and slim does not seem to be a goal of Microsoft.

        Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

        HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

        PRUSA i3 MK3S+

    • #2379524

      Fine tuning Windows 10 so it will become stable, reliable and slim does not seem to be goal of Microsoft.

      Microsoft has stable, reliable, slim, no bloat.. Windows OS. It is called LTSC. There is a workstation version as well. Pity they don’t sell it to home users.

      • #2379525

LTSC is good; we use it on 10-15% of our computers and honestly, I can’t see why you can’t use that version for your notebook at home, for example. I’m not aware that home users can’t buy LTSC, but I believe your statement; why would you tell a lie.

        The Long-Term Servicing Channel (LTSC) is designed for Windows 10 devices and use cases where the key requirement is that functionality and features don’t change over time.

LTSC version

We use LTSC for kiosk-mode computers, touch panels and so on. Bottom line is that an offline computer with Windows 7 can do the same job 😉 But some computers must communicate with ERPs, so we need them on the network. That’s where LTSC comes in handy.

I really dislike the fact that Windows 10 Pro (upgraded to Enterprise with a license key) comes with Candy Crush Saga, Solitaire and other bloat preinstalled. And with the cadence that Windows 10 updates come at, my USB image with the Windows installation is obsolete literally two weeks later. If I fine tune my Windows, create an image of it and want to deploy that image (PXE, SCCM or USB flash disk, …), I have to do that very frequently.
If I install that USB image or SCCM image on a PC, the user must go through the process of patching and fixing bugs. Downloading from the internet or WSUS, waiting, restarting, … And sometimes users call that an update broke something.
I mean this is really poorly designed. Windows is pretty schizophrenic: targeting home users and selling them stuff from the Store? Or targeting enterprise and selling them monthly subscriptions? This “one system fits all” is quite crappy in the end. It’s a hybrid that promises more security and functionality, but at the same time it’s adding more and more features, thus making the system vulnerable.
I know I’m complaining all the time, but this situation is… unprecedented and I dislike the amount of attention it requires. Not mentioning the beta testing amongst unaware users.

Conspiracy: The goal is to have all users on the internet so Microsoft can have control over all. Disagree or not, you are forced to do so (Windows and O365 updates, Cloud PC). How is that safe, to connect all PCs to the internet?

        Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

        HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

        PRUSA i3 MK3S+

        • #2379543

I think what you described resembles Windows Server 2019… I downloaded a copy to “play” with it, and it is pretty bare. It does, however, use the 1809 core and updates, so their bugs will still affect you.

          Martin

    • #2379549

Off topic warning to Small Biz folks: A friend tells me hackers got his signature and enough info to attempt to transfer several million $ from his company’s account to a Chinese bank… fortunately the bank checked and the transfer didn’t go through. My takeaway would be to instruct the bank to block and check transfers over a certain amount or to a foreign domiciled entity unless that’s in the regular course of business.

    • #2379631

      Susan Bradley Patch Lady/Prudent patcher

    • #2379665

      W/regard to the title of this thread…

      Sometimes it helps to think in extremes.

      Is the latest Win 10, with upwards of 200 processes doing all kinds of things online with hundreds of different servers more or less likely to be compromised than a Win 7 or 8.1 system that’s had many now well-known configuration changes to keep it from contacting, well, virtually anything online? I think the answer’s clear.

      That’s ignoring the fact that these things don’t accomplish quite the same things. The industry wants us to have our calendars and our communications and our purchases all integrated. And our choices to be less ours.

      Anyone can look around and see that their surroundings are becoming richer with programs and information from elsewhere. I dare say a lot smaller percentage of folks today than ever before write any software of any kind for their computers. It’s possible that most folks now only consume what others have made available.

      IMO Win 10 (and other modern fruity OSs) aren’t doing things anywhere near as efficiently as is possible – or as privately as we’d like. Why? Because they want to sell you their new hardware.

      Maybe we’re just in a transition. Maybe things’ll get better. Or maybe they’ll get so much worse we haven’t a prayer of living our lives without intrusion. Losing everything will become just one more thing to deal with. Time after time.

      Fast forward a few decades and imagine generations of folks who will then have grown up being forced to trust their service providers with all aspects of their lives. No one will even flip an eyelash. We oldsters who know “better” will die off soon enough. We’ve already been marginalized as “outdated”. Yet look closely at what the youngsters who “know it all” actually accomplish.

      We’ve come in just 30 short years from Windows Defender being an anti-adware/spyware application to something that jealously protects Microsoft’s ability to do exactly those things, for business gain and – being fair – a few gains to users in capabilities. Or the promises of gains at least.

      -Noel

      • #2379666

        BTW, my Win 10 computer system, on which I’m typing this, which has been online now for just 3 hours and with which I browsed a few web comics sites, listened to Pandora via their website, and interacted with you here, has attempted to communicate with 154 unique different servers online. A whole bunch of servers I never overtly visited have names that include “microsoft”, “msft”, “office”, “edge”, “skype”, “teams”, etc. The way of the future is to create programs of such online promiscuity that there is no way to track or even enumerate all the accesses.

        My small locked down Win 7 system that sits in the corner and hums (and provides me some essential services), by contrast and which has NOT been used for web browsing, but which has been online 24/7 for years, in the past 11 hours has communicated with exactly 13 servers, 12 of which I can attribute specifically to scheduled jobs to do useful things I’ve set up such as download blacklists of servers never to contact, to check if my business website remains online, etc. The one and only server Windows itself contacted was http://www.microsoft.com.

        -Noel

    • #2379718

      Noel Carboni: “Fast forward a few decades and imagine generations of folks who will then have grown up being forced to trust their service providers with all aspects of their lives. No one will even flip an eyelash. We oldsters who know “better” will die off soon enough. We’ve already been marginalized as “outdated”. Yet look closely at what the youngsters who “know it all” actually accomplish.”

I can imagine that. But I have no need to worry about what others might think or do themselves. Being marginalized and ignored? Well, not really: as long as we do our jobs and perform well, our efforts shall be recognized by those who really count.

      We and each one of us “old ones” should do what is right to do and ignore those who don’t.  One of those “right to do” things is not to use Windows, except in the unlikely case that MS changes its spots for the better. There are other fully functional OS out there, and some are known to respect their users. I stopped years ago using Windows for my actual work, and about a year and a half since I stopped using it altogether. And even so, here I am, with all modern computer capabilities still at my disposal and still doing my job as usual.

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

      • #2379765

        I stopped years ago using Windows for my actual work, and about a year and a half since I stopped using it altogether

        Contrary to your signature!?

        Not using Windows will not make MS change. Too many users are committed to it, particularly in business, which is where the money is.

        cheers, Paul

        • #2379985

          Paul T: Thanks for reminding me to change my signature.

          I am not trying to make MS change; I am trying to simplify my life, a goal that I have pursued for many years on different ways, about many different things that I decided needed simplifying. I am pretty sure doing this is a big part of the secret of living to a ripe old age while keeping most of one’s marbles until one’s very last breath.


          • #2379993

            And this is my new signature, which should please Paul T, I hope.

            Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

            MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
            Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
            macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

            • #2381084

              Nope, too long and complex for my taste.  🙂

              cheers, Paul

    • #2379882

      If you haven’t updated Windows recently, now would be a good time.
