• kewlputergeek

    Viewing 15 replies - 1 through 15 (of 41 total)
    • in reply to: Choosing your own domain name services #2740822

      I always put my Xfinity gateways into bridge mode and use my own routers so I can take complete control of my Internet experience.  At one small property, I have a decent router that isn’t too expensive.  At another larger, three floor property that must have been designed by a secret government agency in the early 2000’s to make each room a Faraday Cage, I use a very expensive three router mesh system using powerline networking for the Ethernet backhaul (and I frequently think profane thoughts in the home builder’s general direction — alternated with daydreams of pulling Cat 6 through the entire house to serve the backhaul).

      https://www.xfinity.com/support/articles/wireless-gateway-enable-disable-bridge-mode

    • in reply to: Excel Power Query #2685983

      I had no idea.  I shall have to return my computer science degrees — I do not deserve them.  🙂

      Thanks, Peter!

    • in reply to: Microsoft is not fixing its mess #2669868

      On another note, has anyone noticed a trend lately of more computer systems blue-screening

      Now that you mention it, I haven’t seen a BSOD in many years.  I wouldn’t have bet anyone $5 that I could go a year without seeing one.

      Thanks for the Verifier tip in the event my streak of good fortune ends soon!

    • in reply to: Microsoft is not fixing its mess #2668481

      Is the WinRE bypass really simple? It sounds quite complex to me and I wonder if anyone outside of Microsoft knows how it could be exploited?

      Seems pretty simple in concept to me?  Anyone who has examined the underlying code should be able to figure out how to get the right bad input into it — since it’s not sanitized.

      The opinion re: the attack complexity is not mine — it’s Microsoft’s: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20666

      Great find in the acknowledgements — thanks for sharing that!  He sure keeps busy!

    • in reply to: Microsoft is not fixing its mess #2668461

      Bitlocker is not broken without the recovery partition patch, it’s just slightly less secure for a stolen computer if a pre-boot authentication PIN has not been enabled.

      Well… I’d call having my encrypted data exposed to a low complexity attack using a simple WinRE bypass “broken?”

      Agree with your point that not having a PIN is kinda crazy, but this potential exploit is not like the other known potential PIN-less exploits (e.g. a bootable eDrive).  The plain English version of this exploit is “If I have your PC and you have the bad WinRE installed, you don’t really have encryption.”  That’s broken in my book.

    • in reply to: Microsoft is not fixing its mess #2668121

      A poorly laid-out partition table might be uncommon on a new computer, but many OLD computers have them.

      True.  Anyone who has an old computer has the same problem as someone who has an old car or old knees: at some point, the ROI for repairs goes down.

      I don’t disagree with any of the points you made, and I said in my first post on this thread that Microsoft did a bad job IMO.

      The fact remains: anyone who has a broken Bitlocker and wants it not to be broken is currently short on options.  A very good option is the scripts, and the last fallback for a DIYer is the easy to follow list of manual steps.  I don’t doubt that some users will have a situation where both methods fail — as usual for Microsoft updates from the beginning of Windows (2.1 for me).

      I can solder new capacitors onto my TV’s power board and replace the run capacitor in my HVAC condenser unit.  But, sometimes I have to call a pro to repair or replace.  It’s the same thing here.

      This problem has a pretty decent DIY solution, and I continue to be confused by how much consternation it has caused.  Microsoft has never cared about fixing unusual update problems that have a workaround — and they still don’t.  Once we get past the fact that things shouldn’t be this way, we’re left with doing what we need to do.

      If anyone out there has tried the scripts and/or manual workarounds and failed to install — and actually needs Bitlocker working, of course — post your problems here.  Maybe the rest of us here can help.  I’ll burn some time trying.

    • in reply to: Microsoft is not fixing its mess #2667971

      Perhaps you have not seen a sufficiently large sample of PC HDD/SSDs to realize how screwed-up partition tables can get.  <snip> If it was all that easy, Microsoft would have updated the patch to handle it automatically. Also, many of the people who read this newsletter are responsible for dozens or hundreds of computers. <snip>

      In 2024, it’s pretty rare to have partition table problems on a working drive.  Anyone who does have those problems should be dealing with them and not worrying about problems with this update.

      To your scripting point, it is hard to automate to handle every situation.  The scripts and instructions that Microsoft did provide (posted several times on several threads in this forum) are very straightforward.  Have you looked at them?

      If you look at the several threads on this forum about this topic, you will see that most of the people posting are clearly not supporting dozens or hundreds of computers.  Anyone who does have dozens or hundreds of computers to support with this issue has a legit gripe with Microsoft — no argument from me.

      So, my point remains: anyone who needs Bitlocker to work on a machine that has a broken Bitlocker should manually install this update using the very clear, very easy to follow instructions and scripts provided.  That’s my opinion — fair enough if you have a different one.

    • in reply to: Microsoft is not fixing its mess #2667883

      So, it’s up to the end-user to expand the WinRE partition and mitigate the bitlocker vulnerability only IF using bitlocker, <snip>

      And it’s very easy to do.  I am greatly puzzled by the angst on this topic.  The Microsoft software update process has been awful since the 80’s.  This is not breaking news.

      The people who subscribe to this forum can do this in their sleep.

    • in reply to: Microsoft is not fixing its mess #2667520

      Without disagreeing directly with anything written above, I note two things:

      1. If you want to keep your hard drive encrypted and are in the cohort at-risk of not having working Bitlocker protection, not worrying about this is not an option.
      2. The manual steps are very well documented and easy to follow.  It’s a very low-risk manual process.  It’s not like installing Windows Updates is somehow guaranteed to be lower risk.  If that were true, I wouldn’t wait for Susan’s DEFCON 4-5 declarations.  And I almost always do.

      Yes, Microsoft should have done better.  Yes, there is an easy workaround if your Bitlocker is broken.  Don’t let the first item keep you from fixing the second item.

    • in reply to: MS-DEFCON 1: Partition size blocks update #2627747

      Here are my suggestions:

      If you are NOT using BitLocker or you are using BitLocker on a machine w/ a TPM chip and you have set a PIN: put a note on your calendar for, say, three months from now to see if Microsoft has made the update process easier.  You’re safe from an attack (according to Microsoft).
      Otherwise, you should update now or set the PIN (assuming you have a TPM) if you would be upset if the data on your BitLocker-encrypted hard drive made it into the wild.  
      My WinRE partition is 450MB — it was large enough.  No one seems to be sure how large it needs to be on any given machine.
      The instructions for increasing the size and/or moving the partition may seem daunting if you’re not used to doing that kind of thing, but it’s not a complex process and Microsoft explained it very clearly in the links posted above.
      IMO, the simplest thing to do is to run the Microsoft-supplied script I and others posted above.  If it works, you’re done.  If it doesn’t work, you follow the steps Microsoft outlined to fix the size and/or position.
      What I don’t recommend if you consider your encrypted data sensitive: waiting more than a short period of time for Microsoft to make this even easier than it already is.  If they’re going to write a tool that resizes and moves partitions automatically, it’s going to be a while before it’s created and tested.  It’s pretty easy to do that manually on a given machine — and it’s pretty difficult to write general code that will safely do it on all machines.  Microsoft has already annoyed many users on this thread by releasing a buggy update that doesn’t cause any damage — imagine the blowback re: disk and operating system corruption…
    • in reply to: MS-DEFCON 1: Partition size blocks update #2627334

      1. After Nov updates, Advanced System Care says I’m using 50% RAM when idle.
      2. Held my breath and allowed Dec updates, had no size issues.
      Everything appears okay.
      ASC now says I’m using 35% RAM when idle.

      So…. A few RAM points (is it OK to go off on a tangent on an Ask Woody thread, or is that discouraged?):

      • Idle RAM usage is not a particularly useful measure.  If you’re not doing anything, you’re not doing anything.
      • As Paul T pointed out, high RAM usage can be very good.
      • Generally, it’s fine when the operating system uses a lot of RAM.  That’s good and means that slow disk access is less used than it would be otherwise.
      • Generally, it’s bad when an application pegs your RAM — say, like Chrome was famous for.  It means the OS has to fight for RAM.  If you’re using something like Stable Diffusion and it’s maxing out your RAM and VRAM and CPU, it is what it is.  But, your system is most responsive when your apps are using a smaller amount of RAM and leaving a decent amount for the OS to manage as it doles out memory to apps and background processes.
      • I used the term “generally” because exceptions abound.  The memory management stuff I did as a young computer scientist in the late 70’s and early 80’s is ancient history compared to today’s modern memory management techniques using specialized memory chips.  It’s fascinating.

      Anyway, 640K is all the RAM anyone would ever need! https://www.computerworld.com/article/2534312/the--640k--quote-won-t-go-away----but-did-gates-really-say-it-.html

    • in reply to: MS-DEFCON 1: Partition size blocks update #2627064

      Yep! I don’t understand why anyone would leave their data unencrypted or set up Bitlocker without a pin?

      My point, though, remains: knowingly leaving software with an egregious security flaw on your machine because you are not *currently* at risk is not an IT best practice.

      The recent iPhone hack that chained four unrelated flaws together to produce a total pwn shows that security is pretty complex.

      I spent 30 mins researching this flaw, and two minutes running the script to fix it. A good time investment IMO.

    • in reply to: MS-DEFCON 1: Partition size blocks update #2625824

      I observe that the down side of skipping this update b/c you are not *currently* running Bitlocker is that you may forget to update your WinRE if you decide to use Bitlocker in the future (i.e. a buggy WinRE renders the encryption process worthless)…

    • in reply to: MS-DEFCON 1: Partition size blocks update #2623839

      Well, let’s see..

      1. Under normal circumstances, a DEFCON-1 from Susan would result in a quick skim and then I’d go do something else.  I def wouldn’t update my computer.  🙂
      2. But, Bitlocker…  I’m sure the contents of my hard drive in the wild would result in identity theft for my family — maybe even for my grandkids.
      3. Macrium Reflect (thanks, Susan) seemed like the easiest way to refresh my memory re: my disk layout.  I have a couple of partitions (0, 1) before C: (2).  But then I have a small (< 1 GB) unnamed partition (3) after C:.  So, my WinRE partition is #4.  I was a little concerned, since it says that WinRE must be right after the operating system partition.
      4. I decided to assume that, since WinRE currently works, my current location of WinRE is OK. Maybe the extra partition after C: is Macrium’s work.  If I did know, I have forgotten.
      5. My WinRE partition is 450MB w/ 354MB used (according to Macrium).  Do I feel lucky?  I do…
      6. So, followed the instructions here: https://support.microsoft.com/en-us/topic/kb5034957-updating-the-winre-partition-on-deployed-devices-to-address-security-vulnerabilities-in-cve-2024-20666-0190331b-1ca3-42d8-8a55-7fc406910c10
      7. Very easy, and all appears to be well.  I guess I’ll boot into it to make sure the next time the Macrium choices screen shows up after I next reboot my system…
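
The pre-update checks this post walks through (partition order, WinRE partition size and free space) together with the TPM+PIN condition mentioned elsewhere in the thread can be collected in one read-only pass. This is an added example, not code from the poster or from Microsoft; it assumes a GPT system disk, English-language `reagentc` output, the BitLocker cmdlets being present, and an elevated prompt.

```powershell
# Added example: read-only inventory, changes nothing on disk.
# Assumptions: GPT system disk, English reagentc output, BitLocker module available.
$RecoveryGuid = '{de94bba4-06d1-4d40-a16a-bfd50179d6ac}'   # GPT type GUID of a Windows recovery partition

# 1. What WinRE itself reports (enabled/disabled and which partition holds it)
$re         = reagentc /info
$reStatus   = ($re | Select-String 'Windows RE status'   | Select-Object -First 1).Line
$reLocation = ($re | Select-String 'Windows RE location' | Select-Object -First 1).Line

# 2. Partition order on the disk that holds the OS volume, sorted by on-disk offset
$osPart = Get-Partition -DriveLetter ($env:SystemDrive.TrimEnd(':'))
$parts  = @(Get-Partition -DiskNumber $osPart.DiskNumber | Sort-Object Offset)
$layout = foreach ($p in $parts) {
    $role = $p.Type
    if ($p.PartitionNumber -eq $osPart.PartitionNumber) { $role = 'OS' }
    elseif ($p.GptType -eq $RecoveryGuid)               { $role = 'Recovery' }
    $vol = $p | Get-Volume -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Number = $p.PartitionNumber
        Role   = $role
        SizeMB = [math]::Round($p.Size / 1MB)
        FreeMB = $(if ($vol) { [math]::Round($vol.SizeRemaining / 1MB) })
    }
}

# 3. Is the partition immediately after the OS partition a recovery partition?
$i    = [array]::IndexOf([int[]]$parts.PartitionNumber, [int]$osPart.PartitionNumber)
$next = $parts[$i + 1]
$recoveryFollowsOs = [bool]($next -and $next.GptType -eq $RecoveryGuid)

# 4. BitLocker state and whether a TPM+PIN protector is configured on the OS volume
$blv    = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types  = @($blv.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
$hasPin = [bool]($types -match '^TpmPin')

$layout | Format-Table -AutoSize
[pscustomobject]@{
    WinREStatus       = $reStatus
    WinRELocation     = $reLocation
    RecoveryFollowsOS = $recoveryFollowsOs
    BitLockerStatus   = $blv.ProtectionStatus
    KeyProtectors     = $types -join ', '
    TpmPinConfigured  = $hasPin
} | Format-List
```

A layout like the one in this post, with an extra small partition between C: and the recovery partition, shows up as `RecoveryFollowsOS : False`.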
    • in reply to: Cloudflare frustration #2573159

      Tangentially-related from the other side of the table (i.e. Web site provider as opposed to user)…

      I tried using Cloudflare a while back on several of my Web sites.  Who doesn’t love the idea of enhanced security and threat prevention?

      Everything became so hard — so much extra time spent solving problems that were sometimes caused by Cloudflare and sometimes not — something to confirm after disabling Cloudflare to rule it out as the cause.

      If I ever experience a DDOS, I’ll have to reconsider.  Absent a compelling reason to use Cloudflare, though, I certainly won’t.

      I feel your pain.
