• Zeroing in on zero days

    #2588088

    PATCH WATCH By Susan Bradley September’s updates are out, with several zero days and several interesting vulnerabilities. The good news is that for co
    [See the full post at: Zeroing in on zero days]

    Susan Bradley Patch Lady/Prudent patcher

    10 users thanked author for this post.
    • #2588114

      My 25-Aug-2023 post #2583486 in Foothills Dave’s What Backup Program Do You Recommend mentions some of the limitations of the “new” Windows Backup app that was pushed out to my Win 10 v22H2 laptop with the Sept 2023 KB5030211 monthly Quality Update. This doesn’t sound like something I would use for regular backups of my user data (at least in its current state), even if it could back up files somewhere other than OneDrive.
      ————
      Dell Inspiron 15 5584 * 64-bit Win 10 Pro v22H2 build 19045.3448 * Firefox v117.0.1 * Microsoft Defender v4.18.23080.2006-1.1.23080.2005 * Malwarebytes Premium v4.6.2.281-1.0.2131 * Macrium Reflect Free v8.0.7279

      1 user thanked author for this post.
    • #2588122

      It looks like the BSOD/microcode issue only affects PCs with the recent microcode (0x119 and 0x4119).  My system has microcode 0x108.

      “In its latest statement, Intel states that its latest microcode for 13th Gen Raptor Lake CPUs, versions 0x119 and 0x4119 (released in June 2023), have mismatched GDS_NO flag values between P-Cores & E-Cores. This issue affects processors with the IDs 0xB0671, 0xB06A2, and 0xB06A3.”

      https://wccftech.com/intel-microcode-unsupported-cpu-bsod-issue-new-bios-updated-microcode-fix-soon/

       

      2 users thanked author for this post.
    • #2588141

      After running Susan’s Intel utility I did have the 306C3.

      Then from

      It looks like the BSOD/microcode issue only affects PCs with the recent microcode (0x119 and 0x4119)

      I tried to find my Microcode. After much Google searching it led back to the CPURevision entry on Susan’s Intel display but that display is in decimal base. After getting a Google conversion to Hex it shows my 27 as 0x1B, but that seems completely out of range with the 0x119 and 0x4119 mentioned above. Did I miss something or is 0x1B a valid microcode and thus no issue for my PC?

    • #2588156

      At CPUID, Intel has instructions on how to use a command prompt to get the CPUID, namely

      steps-for-CPUID

    • #2588158

      OK, so I have no choice in the matter — the September Tuesday Patch KB5030211 (for 22H2, x64) will install the Windows Backup app. What if I don’t want it? Is it uninstall-able?

      • #2588167

        I took a look through the normal channels but couldn’t find a way to uninstall/turn off/block the new “Windows Backup”. If someone finds a way it would be nice to know about it.

        • #2588194
          • #2588203

            Hi @Alex5723
            Your link is about Windows Backup on a Windows 11 machine. Susan’s Patch Watch is about Windows Backup on a Windows 10 machine (she says “For those running Windows 10 22H2, a new icon will appear in the Recently added section of your start menu. …”) and so is the post of @lmacri above at #258114 (“limitations of the ‘new’ Windows Backup app that was pushed out to my Win 10 v22H2 laptop with the Sept 2023 KB5030211 monthly Quality Update”).

            So, I’m specifically asking about its uninstall-ability on a Win 10 machine.

    • #2588206

      Your link is about Windows Backup on a Windows 11 machine.

      It doesn’t matter. It’s the same app.

    • #2588209

      It doesn’t matter. It’s the same app.

      But, maybe the ability to uninstall it is different. Windows 10 and Windows 11 are different versions and do not handle everything in the same way.

      • #2588211

        There is no known way to uninstall Windows Backup.

        • #2588359

          I’m hoping with all of the business backlash that a script will be pushed out.  For now, you can’t uninstall it.

          Susan Bradley Patch Lady/Prudent patcher

          1 user thanked author for this post.
    • #2588273

      Susan
      Will the Intel Driver & Support Assistant identify afflicted processors and make available the appropriate Microcode fixes?

      https://www.intel.com/content/www/us/en/support/intel-driver-support-assistant.html

      • #2588442

        Will the Intel Driver & Support Assistant identify afflicted processors and make available the appropriate Microcode fixes?

        Hi Kathy Stevens:

        I assume these microcode patches for affected 13th gen CPUs will be delivered via BIOS updates released by the original manufacturer of the motherboard (HP, Dell, etc.), but hopefully someone will correct me if I’m wrong about that. That means it’s unlikely that the Intel Driver & Support Assistant (DSA) will offer the patch to affected computers unless you own an Intel NUC (Next Unit of Compute, pronounced as “nuke” as Alex5723 noted) mini-computer.

        I’ve used Intel Driver & Support Assistant (DSA) for several years and the only update it has ever recommended for my Dell Inspiron 5584 is for a graphics driver for my on-board Intel UHD Graphics 620 GPU. If I run the Intel DSA the summary report correctly identifies my Dell BIOS version and reports that the CPUID of my 8th Gen Intel i5-8265U CPU is 0x806EC (confirmed by the command wmic cpu get processorid as shown below) …

        Command-Prompt-wmic_cpu_get_processorid-i5-8265U-CPUID-806EC-19-Sep-2022

        … but if you click the View a List of Exclusions link in the Intel DSA browser page as shown below you will be directed to the support article Intel Products That Aren’t Supported by Intel Driver & Support Assistant (Intel DSA) that has a long list of drivers and firmware updates that “the Intel DSA does not currently offer, but may still appear as a detected component in your system when you perform an Intel DSA scan” . That list of unsupported items includes chipset drivers, Ethernet drivers (only offered for Intel NUCs and Intel Compute Sticks) and BIOS files (again, only offered for Intel NUCs and Intel Compute Sticks).

        Intel-DSA-v23_3_25_6-View-Exclusion-List-19-Sep-2023

        Just FYI, Intel recently stopped making NUC mini-computers and announced that ASUS would take over their NUC business as of 18-Jul-2023 – see the 19-Jul-2023 PCWorld article Intel kills its NUC line, but the tiny PC will live on.
        ———–
        Dell Inspiron 15 5584 * Intel i5-8265U CPU * Intel UHD Graphics 620 * 64-bit Win 10 Pro v22H2 build 19045.3448 * Firefox v117.0.1 * Microsoft Defender v4.18.23080.2006-1.1.23080.2005 * Malwarebytes Premium v4.6.2.281-1.0.2131 * Macrium Reflect Free v8.0.7279 * Intel Driver & Support Assistant v23.3.25.6

        1 user thanked author for this post.
    • #2588289

      This Intel microcode BSOD stuff, does it only affect gen 13 Intel processors? My 9th gen i7-9700F is not affected by this?

    • #2588318

      Looking at my domain controller, I do see entries for event ID 42. The details of events read:

      The Kerberos Key Distribution Center lacks strong keys for account krbtgt.

      You must update the password of this account to prevent use of insecure cryptography.

      See https://go.microsoft.com/fwlink/?linkid=2215265 to learn more.

      Am I understanding correctly that changing the password for the krbtgt account will address the issue? I’ve done some research and the only potential peril I’ve found with changing that password is that it should be changed twice, but it should not be changed twice in quick succession. 10 hours or so should be allowed in between changes. I believe this pertains to domains with multiple domain controllers to allow time for the change to replicate across all DCs. Can anyone offer input on this?

       

      • #2589662

        I wish I could help you, but I’m in the same boat. I’m getting the same error 42 re: krbtgt (once an hour). FWIW, everything I’ve read also says you should change the krbtgt password twice, at least 10 hours apart. Here’s a link I found that seems to explain it well enough (basically you’re clearing out the two retained old passwords), but the more I read on this Kerberos hardening issue the more confused I get.

        I only have 1 DC and I can see from the attributes that the password for my krbtgt account has not been changed since the dinosaurs roamed the earth (2003). So I guess I will change the password as described and hope I don’t break anything.

        Big thanks to Microsoft, for making all of this as confusing as humanly possible.

      • #2589746

        Yes, and changing the Kerberos password won’t hurt anything.  Done it here.

        Susan Bradley Patch Lady/Prudent patcher

        • #2595134

          Thanks Joseph and Susan. After I posted this I found an article that you (Susan) authored on CSO. I went ahead and changed the krbtgt password with no negative side effects. After I did that the event ID 42 entries went away. I’m hoping that this means I’m out of the woods and the October updates won’t have any negative impact on my environment.

    • #2588360

      https://www.windowslatest.com/2023/09/17/windows-11-kb5030219-trashes-pcs-gaming-performance-issues-affect-starfield/

      No the sky is not falling, I’m not seeing MASSIVE trashing.  Again, you can see the gamers have the most issues and a lot of these appear to be one-offs.

      Susan Bradley Patch Lady/Prudent patcher

    • #2588391

      Susan
      Will the Intel Driver & Support Assistant identify afflicted processors and make available the appropriate Microcode fixes?

      https://www.intel.com/content/www/us/en/support/intel-driver-support-assistant.html

      Only if you have an Intel-made PC (Nuke…).
      Intel said it’s the OEM’s responsibility to issue firmware.

      • #2588415

        Only if you have an Intel-made PC (Nuke…).

        I did not realize that Intel “made” computers.

        We have HP computers with Intel components and use Intel Driver & Support Assistant to automatically notify us when Intel driver or software updates are available for our systems.

        It also works on Dell, Lenovo, and other computers.

    • #2588963

      Of course it turns out my i5-13600KF has the problematic microcode version 0xB0671… As per my standard practice I never install preview updates, but am I right to assume that the risk of the “Unsupported CPU” BSOD will manifest when I install the regular September CU?

      • #2588980

        First of all, 0xB0671 isn’t the microcode version; it’s the CPUID. The microcode version is also available on the Intel Processor Identifier.

        from one of my previous posts:

        “It looks like the BSOD/microcode issue only affects PCs with the recent microcode (0x119 and 0x4119).  My system has microcode 0x108.

        “In its latest statement, Intel states that its latest microcode for 13th Gen Raptor Lake CPUs, versions 0x119 and 0x4119 (released in June 2023), have mismatched GDS_NO flag values between P-Cores & E-Cores. This issue affects processors with the IDs 0xB0671, 0xB06A2, and 0xB06A3.”

        https://wccftech.com/intel-microcode-unsupported-cpu-bsod-issue-new-bios-updated-microcode-fix-soon/ “

         

         

        1 user thanked author for this post.
        • #2588986

          Thanks for the clarification! I was under the impression that a CPU having ID 0xB0671 meant the microcode version would be one of 0x119 or 0x4119, but now I understand this is not the case.

          The Intel processor identification utility reports that the “CPU Revision” in the CPUID DATA section is “10E”, so my system does not seem to have one of the affected microcodes. Looks like I don’t need to worry further about the updates for Windows throwing that unsupported CPU BSOD.
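
Added example, not part of any post above and not Intel or Microsoft tooling: it separates the two values this sub-thread kept mixing up, the CPUID signature and the microcode revision, and checks both against the figures quoted from the wccftech article. It assumes the 16-hex-digit `wmic cpu get processorid` output is CPUID leaf 1 EDX:EAX, so the low 32 bits are the signature; the function names and the sample ProcessorId strings are constructed for illustration.

```python
# Added example. Affected values are the ones quoted in this thread.
AFFECTED_CPUIDS = {0xB0671, 0xB06A2, 0xB06A3}
AFFECTED_MICROCODE = {0x119, 0x4119}

def signature_from_processorid(processor_id: str) -> int:
    """Take the CPUID signature (EAX of leaf 1) from wmic's ProcessorId."""
    text = processor_id.strip()
    if len(text) != 16:
        raise ValueError("expected 16 hex digits (EDX followed by EAX)")
    return int(text, 16) & 0xFFFFFFFF

def decode_signature(sig: int) -> dict:
    """Split a CPUID signature into display family, model and stepping."""
    stepping = sig & 0xF
    model = (sig >> 4) & 0xF
    family = (sig >> 8) & 0xF
    if family in (0x6, 0xF):          # extended model only applies here
        model |= ((sig >> 16) & 0xF) << 4
    if family == 0xF:                 # extended family only applies here
        family += (sig >> 20) & 0xFF
    return {"family": family, "model": model, "stepping": stepping}

def parse_revision(text: str, decimal: bool = False) -> int:
    """Microcode revision as shown by a tool: hex by default, or decimal."""
    return int(text.strip(), 10 if decimal else 16)

def assess(processor_id: str, microcode: int) -> dict:
    """Flag a system only when BOTH the CPUID and the microcode are listed."""
    sig = signature_from_processorid(processor_id)
    result = decode_signature(sig)
    result["cpuid"] = hex(sig)
    result["microcode"] = hex(microcode)
    result["affected"] = sig in AFFECTED_CPUIDS and microcode in AFFECTED_MICROCODE
    return result

if __name__ == "__main__":
    # Constructed ProcessorId strings; only the low 8 digits matter here.
    samples = [
        ("BFEBFBFF000B0671", parse_revision("10E")),             # listed CPUID, other microcode
        ("BFEBFBFF000B0671", parse_revision("0x119")),           # listed CPUID and microcode
        ("BFEBFBFF000306C3", parse_revision("27", decimal=True)),  # decimal 27 is 0x1B
    ]
    for pid, rev in samples:
        print(assess(pid, rev))
```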

    • #2589016

      Ok, so the Windows Backup app can’t yet be uninstalled, as pointed out by folks’ posts above.

      BUT, can it be hobbled by disabling any tasks in Task Scheduler or by setting any services it depends on (or that are otherwise dedicated exclusively to it) to the “Disabled” startup type??

      Inquiring minds would love to know!!  😉

      After all WE didn’t go looking for this piece of, um, software; it was installed without individuals’ consent in many folks’ opinion, and those folks deserve a choice.

      [Tin foil hat on] In the future, what if the MS app creates issues with another installed backup solution of the computer owner’s choosing that may render the other backup solution unusable, thereby making the computer owner resort to having to use the MS app instead?? I.e., what if, in the future, an update to the MS app changes Windows’ registry settings to disable another already-installed backup solution of the computer owner’s choosing which would then force the user/owner to use the MS app for backup?? [Tin foil hat off]

    • #2589028

      I.e., what if, in the future, an update to the MS app changes Windows’ registry settings to disable another already-installed backup solution of the computer owner’s choosing which would then force the user/owner to use the MS app for backup?? [Tin foil hat off]

      What if in the future a Windows update will disable all browsers, forcing users to use only Edge?
      Windows Backup doesn’t run in the background/startup so there is nothing to disable.

      • #2589061

        Windows Backup doesn’t run in the background/startup so there is nothing to disable.

        Are you sure about this? If you have set up a schedule for backup, it seems to me that it must run in the background in order to know when it has to do it.

    • #2589100

      If you have set up a schedule for backup

      Who uses Microsoft backup? The OP has another backup app, so do I, and Microsoft Backup doesn’t run by default.

      • #2589150

        As Susan says, the term ‘Windows Backup’ can be confusing and I fell prey to that — neglecting to remember that Windows Backup is a backup to OneDrive, not the same as Backup and Restore (Windows 7), which I use and was thinking of here. Mea Culpa.

        1 user thanked author for this post.
    • #2589213

      Windows Backup doesn’t run in the background/startup so there is nothing to disable.

      Are you sure about this? If you have set up a schedule for backup, it seems to me that it must run in the background in order to know when it has to do it.

      Although things just love to run in the background for no particularly good reason, they don’t actually need to do so to run on a schedule: they can set up a normal Windows Task Scheduler task to fire them off as required.

      1 user thanked author for this post.