• Win10 version 1803 declared “fully available,” throwing Update for Business under the bus

    Microsoft just announced that Win10 1803 is “fully available” thus overriding at least one of your settings for blocking the inevitable upgrade. This, in spite of the fact that 1803 has multiple, known, acknowledged, hard bugs.

    Why?

    Computerworld Woody on Windows.

  • Eid Mubarak

    Best wishes to those of you finishing Ramadan today.

  • Patch Lady – 1803 declared Semi-annual

    Microsoft today declared 1803 as “ready for business” and is flipping from the Semi-annual targeted (the old CB) to Semi-annual (the old CBB). (*)

    What this means:

    If you have your Windows 10 Pro settings set to defer feature updates on the Semi-annual channel with a deferral of “0” days, you will soon get 1803. I have mine set to 364 days of deferral so that I can choose exactly when I deploy 1803.
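    The deferral setting described above can be read and set from PowerShell instead of the Settings app. The script below is an added example and is not code from the AskWoody post; it assumes an elevated session on Windows 10 Pro or Enterprise, and it uses the documented Windows Update for Business policy location (HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate with BranchReadinessLevel, DeferFeatureUpdates and DeferFeatureUpdatesPeriodInDays). The function names are the example's own.

```powershell
# Added example (not from the AskWoody post): read and set the Windows Update for Business
# feature-update deferral that the post refers to. Assumes an elevated PowerShell session on
# Windows 10 Pro/Enterprise. The key and value names are the documented policy locations for
# "Select when Preview Builds and Feature Updates are received".
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-FeatureUpdateDeferral {
    # Returns the current policy; a missing value means "not configured", i.e. 0 days deferral,
    # which is exactly the case the post warns will pull 1803 down once Microsoft flips the channel.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BranchReadinessLevel = $p.BranchReadinessLevel            # 16 = Semi-annual (Targeted), 32 = Semi-annual
        DeferFeatureUpdates  = $p.DeferFeatureUpdates              # 1 = deferral policy enabled
        DeferDays            = $p.DeferFeatureUpdatesPeriodInDays  # 0..365
    }
}

function Set-FeatureUpdateDeferral {
    param(
        [ValidateRange(0, 365)] [int] $Days,
        [ValidateSet(16, 32)]   [int] $ReadinessLevel = 32   # default: Semi-annual, the old CBB
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name BranchReadinessLevel -PropertyType DWord -Value $ReadinessLevel -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name DeferFeatureUpdates -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name DeferFeatureUpdatesPeriodInDays -PropertyType DWord -Value $Days -Force | Out-Null
}

# Usage: the post's own choice, 364 days of deferral on the Semi-annual channel, then show the result.
Set-FeatureUpdateDeferral -Days 364 -ReadinessLevel 32
Get-FeatureUpdateDeferral | Format-List
```

    Run Get-FeatureUpdateDeferral on a fleet before a channel flip like this one: any machine that reports an empty DeferDays is a machine that will take the feature update as soon as Microsoft declares it ready.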

    Susan’s take: I think it’s still a bit early to roll out 1803 to businesses. I’m still seeing nagging issues. Check with your vendors whether they are ready for 1803, and if they aren’t, ask them why they haven’t been testing for 1803 already.

    As long as 1803 is getting updates twice a month (it’s had two already in June, one of which fixed a big bug for my industry, the multi-user QuickBooks problem), I’m not comfortable with rolling out 1803 widely at this time.

    https://blogs.windows.com/windowsexperience/2018/06/14/ai-powers-windows-10-april-2018-update-rollout/

    Things still unfixed:

    1.  SMBv1 issues – patch later in June per known issues in 1803 – https://support.microsoft.com/en-us/help/4284835

    Some users running Windows 10 version 1803 may receive an error “An invalid argument was supplied” when accessing files or running programs from a shared folder using the SMBv1 protocol.  

    Enable SMBv2 or SMBv3 on both the SMB server and the SMB client, as described in KB2696547.

    Microsoft is working on a resolution that will be available later in June.
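    The workaround above is to make sure SMBv2/v3 is on at both ends of the connection. The following script is an added example, not from the post or copied from KB2696547; it assumes an elevated session on a Windows 10 or Server 2012+ host, reports the server-side protocol switches and the client-side driver state, and applies the server cmdlet and the two sc.exe commands that KB2696547 documents for enabling SMBv2 on the client. The function names are the example's own.

```powershell
# Added example (not from the post): check whether SMBv2/v3 is enabled on the server and client
# side of a Windows host, and enable it where it is off, as the KB2696547 workaround requires.
# Assumes an elevated session; the client-side change needs a reboot to take effect.
function Get-SmbProtocolState {
    $srv = Get-SmbServerConfiguration
    # Client side: SMBv2/v3 is in use when the mrxsmb20 driver is set to start automatically and
    # is listed as a dependency of the LanmanWorkstation service.
    $deps = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation' `
                -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
    $drv  = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='mrxsmb20'"
    [pscustomobject]@{
        ServerSmb1Enabled = $srv.EnableSMB1Protocol
        ServerSmb2Enabled = $srv.EnableSMB2Protocol      # SMBv2 and SMBv3 share this switch
        ClientSmb2Start   = $drv.StartMode               # expect 'Auto'
        ClientSmb2InDeps  = @($deps) -contains 'mrxsmb20'
    }
}

function Enable-SmbV2 {
    $state = Get-SmbProtocolState
    if (-not $state.ServerSmb2Enabled) {
        Set-SmbServerConfiguration -EnableSMB2Protocol $true -Force
    }
    if (-not $state.ClientSmb2InDeps -or $state.ClientSmb2Start -ne 'Auto') {
        # These two commands are the ones KB2696547 gives for enabling SMBv2 on the client.
        sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb20 start= auto | Out-Null
        Write-Warning 'Client-side SMBv2 enabled; a reboot is required.'
    }
    Get-SmbProtocolState
}

# Usage: show the state first, then remediate only what is off.
Get-SmbProtocolState | Format-List
Enable-SmbV2 | Format-List
```

    Note that this only sidesteps the 1803 bug for shares that can negotiate SMBv2 or later; a legacy device that speaks only SMBv1 will still hit the “invalid argument” error until Microsoft ships the fix.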

    2.  https://answers.microsoft.com/en-us/windows/forum/windows_10-files/new-partitions-may-appear-in-file-explorer-after/115d2860-542e-410f-983c-2aeb8bbd7d13

    As far as I am aware the partition issue is still unfixed.

    3.  Watch out for third-party VPN programs. Barb helped a recent forum user who had Kerio VPN software; the upgrade got to a certain percentage and barfed.

    Issues that have been fixed

    1.  Alienware no longer blocked  – https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/hybrid-laptops-with-discrete-gpu-connected-to/3518f6b4-c267-4d38-b5b9-d5ea0c16e975

    2. Surface SSDs okay to install since May — https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/devices-with-intel-ssd-600p-series-or-intel-ssd/703ab5d8-d93e-4321-b8cc-c70ce22ce2f1

    (*) yup screwed up and had them the other way around, now fixed.  Thanks Zero2Dash

  • White paper: How to use Trend Micro Vulnerability Protection to patch virtually

    An interesting PDF (link below) from Daniel Portenlanger:

    Microsoft’s new patching policies have introduced new challenges to keeping Windows endpoints safe. Patches are now a cumulative package instead of small individual fixes. Should a cumulative group of patches break functionality, removing the cumulative removes the entire group of patches reintroducing vulnerabilities. Additionally, products like WSUS only support Microsoft products and not third party software. Lastly, systems may not be able to be taken offline immediately to apply patches. This is where virtual patching fills the gap.

    The version of Vulnerability Protection in this document is self-hosted and integrated with the endpoint security product Officescan. The product demonstrated here was implemented because the customer had a license. There was no evaluation of competing products. This primer simply describes how Trend Micro Vulnerability Protection virtual patching works and why virtual patching is useful in between patch cycles. In this example, Adobe, Microsoft and others recently released a patch for a critical Flash Player flaw.

    TrendVulnerabilityProtection-VirtualPaching


  • Patch Lady – light reading for the evening

    For those of you who like to dig a bit deeper into the details of patching, I highly recommend the Zero Day blog. For those who remember the detailed Microsoft MSRC blogs from years ago, the author is one who USED to write those detailed Microsoft blogs: Dustin Childs. Now he works for the Zero Day Initiative and writes these fantastic blogs that go a long way to help me understand the risks of *not* patching.

    The other day I said that when the point in time occurs that I’m more scared of *not* patching than I am of patching, that’s the point in time I need to patch.

    So right now, we are on day four of the updating process. I’ve installed updates on a few of my home PCs, and I will be rolling an update out to a sample (in my office that means ONE) production machine to see if I spot any issues. I’m watching the forums for side effects. I’m waiting for Microsoft to fix any metadata detection issues (they already expired KB4284880 as there was a duplicate up there), and I’m basically not approving anything at this time until my testing process is done.

    But what I am doing is reading and understanding what this month’s updates include.   Here’s my light reading I’m doing tonight:

    https://www.zerodayinitiative.com/blog/2018/6/12/the-june-2018-security-update-review

    The blog post spells out the security issues per CVE (Common Vulnerabilities and Exposures), not per patch. So while it doesn’t showcase the updates as you and I see them on our computers (one glob per operating system), it does give a way better deep, dirty explanation of the overall risks of not updating, so you and I can get a feel for how long we should wait before we update.

    It also helps me to determine what I currently have in place for mitigations or protections that will also give me time to not patch.

    Flash zero day – “primarily targeting the Middle East region and is wrapped in an Office document”. Okay, so I’m not located in the Middle East, and not only do I warn users about opening attachments, we also have email attachment filtering.

    DNS server bug – “The more likely scenario is simply tricking a target DNS server into querying an evil server that sends the corrupted response”. For small firms or home users, the way I see this probably being used is getting your system to reach out to a malicious DNS server, bypassing your DNS entries (or your ISP’s). For servers in large firms that handle handing out DNS inside the firm, because you can’t always control what your servers connect to, this is one you’ll probably want to patch sooner rather than later.

    Http.sys bug – a bug in a web service: “A remote attacker could cause code execution by sending a malformed packet to a target server”. If I’ve got a web server out there, I’ll be testing this and rolling it out sooner rather than later. But we don’t (well, we shouldn’t) run web servers on workstations, so this will be lower risk there.

    Cortana bug – “someone close enough to speak to a Cortana-enabled system could execute programs with elevated privileges”. It doesn’t impact Windows 7, and like the Alexa bugs, you have to be local to the machine to do your evil deeds. Bottom line: anything you yell “Hey….” at is being targeted these days because it’s sexy to go after the voice recognition stuff.

    The other thing of interest to me that ran across my radar was YASMB (yet another Spectre Meltdown bug).  This time the v4 bug is NOT enabled by default.  Based on my read it’s due to two things:

    Thing one, it’s another Spectre/Meltdown mitigation with a performance hit. As per this blog post: “If enabled, we’ve observed a performance impact of approximately 2 to 8 percent based on overall scores for benchmarks.” Thing two, there are no active attacks, and it reads to me that it’s going to be hard to exploit. Not to say it’s impossible to exploit, but there is lots of other low-hanging fruit that they can use to get me.

    There’s a nice recap on the bottom of the portal page that describes which patches are and are not enabled by default in the Spectre/Meltdown patches:

      • After installing Windows updates, refer to the following table for further action to be protected from Spectre/Meltdown vulnerabilities:

    | Operating System | CVE-2017-5715 | CVE-2017-5754 | CVE-2018-3639 |
    |---|---|---|---|
    | Windows 10 | Enabled by default | Enabled by default | Disabled by default – see ADV180012 |
    | Windows Server 2016 | Disabled by default – see KB4072698 | Disabled by default – see KB4072698 | Disabled by default – see ADV180012 |
    | Windows 8.1 | Enabled by default | Enabled by default | Not available – see ADV180012 |
    | Windows Server 2012 R2 | Disabled by default – see KB4072698 | Disabled by default – see KB4072698 | Not available – see ADV180012 |
    | Windows RT 8.1 | Enabled by default | Enabled by default | Not available – see ADV180012 |
    | Windows 7 | Enabled by default | Enabled by default | Disabled by default – see ADV180012 |
    | Windows Server 2008 R2 | Disabled by default – see KB4072698 | Disabled by default – see KB4072698 | Disabled by default – see ADV180012 |
    | Windows Server 2008 | Disabled by default – see KB4072698 | Disabled by default – see KB4072698 | Not available – see ADV180012 |
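    Whether a given box actually has the mitigations in that table turned on is a registry question on the Windows side and a microcode question on the hardware side. The script below is an added example, not from the post or from Microsoft’s portal page. It reads the FeatureSettingsOverride / FeatureSettingsOverrideMask values under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management and decodes the documented combinations from KB4072698 and ADV180012 (0/3 = Spectre v2 and Meltdown on, 3/3 = all off, 8/3 = all three including Speculative Store Bypass on, unset = the OS default from the table); treating those as the only combinations is the example’s own simplification. It then calls Microsoft’s SpeculationControl module, if installed, for the hardware side. The function names are the example’s own.

```powershell
# Added example (not from the post): report which Spectre/Meltdown mitigations this host is
# requesting through the registry, and cross-check with Microsoft's SpeculationControl module
# for the hardware/microcode side. The decode table below covers the combinations documented
# in KB4072698 / ADV180012 and is a simplification, not an exhaustive bitmap.
$MmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-SpectreRegistryState {
    $p        = Get-ItemProperty -Path $MmKey -ErrorAction SilentlyContinue
    $override = $p.FeatureSettingsOverride
    $mask     = $p.FeatureSettingsOverrideMask
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    $isServer = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1

    # Documented (Override, Mask) combinations; unset means the OS default shown in the table:
    # client editions enable CVE-2017-5715 and CVE-2017-5754, server editions leave them off.
    $state = switch ("$override,$mask") {
        '0,3'   { @{ BTI = $true;  RDCL = $true;  SSBD = $false } }
        '3,3'   { @{ BTI = $false; RDCL = $false; SSBD = $false } }
        '8,3'   { @{ BTI = $true;  RDCL = $true;  SSBD = $true  } }
        default { @{ BTI = -not $isServer; RDCL = -not $isServer; SSBD = $false } }
    }
    [pscustomobject]@{
        'CVE-2017-5715 (Spectre v2)'  = $state.BTI
        'CVE-2017-5754 (Meltdown)'    = $state.RDCL
        'CVE-2018-3639 (SSBD)'        = $state.SSBD
        RegistryOverride              = $override
        RegistryMask                  = $mask
    }
}

function Get-SpectreHardwareState {
    # Requested is not the same as effective: the CPU microcode (BIOS/firmware update) must be
    # present too. Microsoft's SpeculationControl module (Install-Module SpeculationControl)
    # reports that side; fall back to a warning when it is not installed.
    if (Get-Command -Name Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
        Get-SpeculationControlSettings -Quiet
    } else {
        Write-Warning 'SpeculationControl module not installed; only the registry intent is shown.'
    }
}

# Usage: registry intent first, then what the hardware actually supports.
Get-SpectreRegistryState | Format-List
Get-SpectreHardwareState | Format-List
```

    Comparing the two outputs is the quick way to spot the case the post goes on to describe: a host whose registry asks for a mitigation that the firmware cannot deliver because the BIOS was never updated.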

    I’m still not convinced that on desktops this is as big of an issue as we are making it. I still think this is a bigger risk on cloud servers or hosted servers, where you may not monitor the access as much as you do on a desktop in front of you.

    Just hot off the presses tonight, we have another Intel vulnerability that will make our heads hurt trying to figure out the patches for it. It’s called the Lazy FP State Restore vulnerability:

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180016

    Intel Releases Security Advisory on Lazy FP State Restore Vulnerability
    06/13/2018 06:47 PM EDT

    Original release date: June 13, 2018

    Intel has released recommendations to address a vulnerability—dubbed Lazy FP state restore—affecting Intel Core-based microprocessors. An attacker could exploit this vulnerability to obtain access to sensitive information.

    NCCIC encourages users and administrators to review Intel’s Security Advisory INTEL-SA-00145, apply the necessary mitigations, and refer to software vendors for appropriate patches, when available.

    At this time Microsoft is still determining which updates will be released. If you have VMs in Azure, they are not affected by this vulnerability.

    All of this just showcases that you can’t just update your operating system these days; you HAVE to update your BIOS and hardware drivers as well.

    Here’s another example of hardware patches — Surface 3 has a standalone TPM update tool in order to fix that vulnerability. It can’t come down via Windows update, it has to be done manually.

    Lots of fun.

  • June 2018 Patch Tuesday is upon us

    The June Security Updates have been released for all versions of Windows, Office and various other Microsoft products.

    As usual, Martin Brinkmann has his amazing overview available on the ghacks site. The updates according to operating system:

    • Windows 7: 9 vulnerabilities of which 2 are rated critical and 7 important.
    • Windows 8.1: 8 vulnerabilities of which 2 are rated critical and 6 important.
    • Windows 10 version 1607: 25 vulnerabilities of which 4 are rated critical and 21 important.
    • Windows 10 version 1703: 25 vulnerabilities of which 3 are rated critical and 22 important.
    • Windows 10 version 1709: 27 vulnerabilities of which 4 are rated critical and 23 important.
    • Windows 10 version 1803: 26 vulnerabilities of which 4 are rated critical and 22 important.

    Windows Server products

    • Windows Server 2008 R2: 9 vulnerabilities of which 2 are rated critical and 7 important.
    • Windows Server 2012 and 2012 R2: 8 vulnerabilities of which 2 are rated critical and 6 important.
    • Windows Server 2016: 24 vulnerabilities of which 4 are rated critical and 22 important.

    Other Microsoft Products

    • Internet Explorer 11: 4 vulnerabilities, 2 critical, 2 important
    • Microsoft Edge: 7 vulnerabilities, 3 critical, 4 important

    Martin also has a list of known issues for Windows 7 SP1, Windows 10 v.1607, Windows 10 v.1709, and Windows 10 v.1803 on his site.

    UPDATE: Security Updates are available for Microsoft Office 2010, 2013, and 2016. Also for the Excel Viewer 2007 and the Office Compatibility Pack SP3. These updates do not include Office 365 or C2R.

    Patch reliability is unknown at this time. Unless you have a specific reason to install updates, you should wait until Susan Bradley (Patch Lady) has had time to evaluate them and/or Woody gives the DEFCON go-ahead.

  • MS-DEFCON 2: Get auto update turned off — and watch out for SMBv1 blocking complications this month

    Patch Tuesday’s tomorrow. You know what that means.

    I’m moving us to MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

    Computerworld Woody on Windows

  • Is it OK to run patches on 500+ VMs?

    Just saw this message from ME:

    I haven’t approved updates since 12/2017 for our infrastructure with 500+ VMs.

    I’m not new to that topic, but your team recently wrote that it is not wise to approve updates when you’re on patch level 12/2017. I think it was in March. Since then I didn’t find a topic on whether to update or not. All thoughts were about if and how to update one single machine. Is there anything related to my problems to read from you?

    Susan Bradley does a great job, but it would be interesting to have an algorithm for how to patch when you’re on 12/2017 or similar. It’s not something I ask you to do, but in those times Microsoft does a horrible job which leads to spectacular ransom attacks in the future. I’ve been patching servers for 3 years now – I’m definitely not a pro, but why do I feel like Microsoft always tries to shoot our infrastructure into pieces. :/

    Best regards, and thank you and your team for the great work.

    Since Susan Bradley joined AskWoody several months ago, we have something of a dichotomy. On the one hand, we have people who just want to know when it’s safe to patch their individual (home or business) PCs. On the other hand, we have a widening group of admins who are in charge of hundreds — thousands — of machines.

    As you’ve seen, the expectations and needs of those two groups are related, but still quite different in many respects. More than that, there’s a spectrum of needs — from folks who’d rather be playing mahjong, to folks who have to be concerned about protecting key corporate data.

    One size doesn’t fit all. What’s evolved is kind of a dual system that’s grown out of my background helping individuals and Susan’s long background working with organizations.

    The MS-DEFCON system is geared for people who really just want to get the furshlugginer thing working. I don’t even try to differentiate between a Win7 system running Office 2010 and a Win10 1803 system running Office 365. There are just too many variables. What I give with MS-DEFCON is a red light/green light system, with warnings about particularly irksome problems.

    The Patch Lady recommendations (and her unique, lengthy Master Patch List) are designed for people who want — or need — to take a closer look at the patches.

    The Patch Lady approach is a scalpel. The MS-DEFCON approach is a sledge hammer.

    That doesn’t answer your question. But it should help you put into perspective the comments that are bound to come from people who have experienced your exact situation.

  • If you bought a new Surface Pro 2 from Microsoft four years ago, you can’t get any official help

    (At least, not free help on the Microsoft Answers Forum.)

    In a Saturday morning news dump, a Microsoft contractor announced the end of Answers Forum support for Win 7 and 8.1, Office 2010 and 2013, Surface Pro and Pro 2, IE 10 and earlier, Security Essentials, and much more.

    Does this mean we won’t get any official word about new bugs in Win7 and 8.1 patches?

    Computerworld Woody on Windows.

  • Microsoft to stop participating in Windows 7 forums

    Following up on Woody’s post here, I spotted this in the Windows 7 forum.  Windows 7 will still get security updates after this time, Microsoft is just pulling the proactive support out of the consumer forums.

    Please be advised that effective July 2018, the forum topics for products that reached end of support will no longer receive technical support from Microsoft agents. There will be no proactive reviews, monitoring, answering or answer marking of questions. The forums will still have Microsoft moderation to ensure participants can engage in a safe and positive environment.

    Forum support for these products will be discontinued:

    • Windows version 7
    • Windows 8.1, 8.1 RT

    Microsoft Community participants are welcome and encouraged to continue to use the forum to ask questions and post answers with each other.


    To answer Woody’s question – Microsoft agents are normally folks that work for third party support companies that are working under the authority of Microsoft.  Normally when a Microsoft agent is working a forum, they will report back any trending issues to Microsoft. With this monitoring being pulled it loses a bit of that early warning system when there are trending issues.

    Update: also note that the following products will stop having forum support:

    Lumia
    Microsoft Security Essentials
    Office 2010/2013
    IE11

  • Microsoft re-releases the KB 4287903 Flash zero-day patch

    Remember that Flash zero-day patch Microsoft released on June 7? You know, the really out of band patch that fixes the zero-day hole that’s so easy to exploit Adobe’s been stumbling all over itself to get everybody updated?

    Scrolling through the Microsoft Update Catalog this morning, I discovered that Microsoft has re-issued the patch, KB 4287903. No idea why. Neither that KB article, nor the Security Advisory ADV 180014 has been updated.

    Usually that just signifies a metadata change — Microsoft had to change the way the patch gets installed. But there have been problem reports attributed to the patch that — again, reportedly — go away when the patch is uninstalled.

    UPDATE: Joke’s on me. Now the Microsoft Update Catalog says all of the patches were released on June 6. Which, of course, they weren’t.

  • Microsoft to stop contributing to Surface RT, 2, Pro, Pro 2 forums next month

    A snarkier person than I would note that they never had much support anyway, but a blog post this morning makes it official:

    Please be advised that effective July 2018, the forum topics for products that reached end of support will no longer receive technical support from Microsoft agents. There will be no proactive reviews, monitoring, answering or answer marking of questions. The forums will still have Microsoft moderation to ensure participants can engage in a safe and positive environment. 

    Support for these products will be discontinued

    • Surface RT
    • Surface 2
    • Surface Pro
    • Surface Pro 2

    Microsoft Community participants are welcome and encouraged to continue to use the forum to ask questions and post answers with each other.

    Of course, we’ll continue to support Surface owners until the bits rot away. And, golly, we didn’t make billions of dollars from the Surface. (To be fair, neither did we take a $900 million dollar write-off.)

    (I still marvel at the phrase “Microsoft Agent.” Not an employee. Not a contractor. Not a volunteer. Not a bot. Could somebody tell me what an Agent is?)

    Funny how Microsoft posted this on a Saturday, eh?