-
Patch Lady – How to update Win10 to fix Spectre, Meltdown and other side channel vulnerabilities
Patch Lady Susan Bradley’s latest column in CSOOnline:
In January 2018, security news media was abuzz over a new class of vulnerability called side channel vulnerabilities. Spectre, Meltdown and Foreshadow are some of the best known. They exploit weaknesses in speculative execution in microprocessors to leak unauthorized information. Side channel vulnerabilities allow attackers to bypass account permissions, virtualization boundaries and protected memory regions.
Patching these vulnerabilities is not easy. They are mitigated by a combination of patches from both the chipset vendor and the operating system provider. Worse, there is often a noticeable performance hit after installing these updates…
Windows servers in particular need specific guidance as most of the protections are not enabled by default.
If you’re running a server that’s potentially at risk, it would behoove you to read this article.
-
New 7-Zip version 19.00
Igor Pavlov just released a new version of 7-Zip. He’s bumped the version number up from 18.06 to 19.00.
Details coming from OlderGeeks.com.
-
Getting to know the Windows Update History KB articles
It’s easy to be snarky about Microsoft’s documentation — I do it all the time, when it’s warranted — but this strikes me as a genuine attempt to both extend and explain the documentation.
Christine Ahonen on the Windows IT Pro blog talks about the Windows Update History pages, particularly the ones with update histories for Win10, Win8.1, and Win7. I visit them several times a day — and lambaste them at least a few times a month.
Ahonen talks about the structure of the pages, tosses in a bit of marketing jargon, but then she gets to the heart of the matter, without addressing it directly.
Somehow, in the past year or so, the Update History pages have become much more useful. Where they used to hide descriptions of bugs or coddle them in language that required substantial parsing, they’re considerably more forthright these days. Not perfect, mind you, but much better.
We’re seeing more frank discussion of bugs, and the acknowledgments are appearing a day or two (or three or four) after discovery, instead of being buried in various forums, including this one, and languishing for weeks.
We’re also seeing (recently, with Win10 1809) notes about version change hangups that Microsoft’s customers can identify with — “we blocked 1809 rollout on such-and-such because of so-and-so, and it’ll get fixed sooner-or-later.”
That kind of openness — call it “transparency” if you must — goes a long way toward making me feel better about the inevitable mayhem of supporting 8 or 10 versions of Windows simultaneously and sending out hundreds of separate patches every month.
I just wish MS would acknowledge less-common bugs, give us more details about changes in the patches, and… turn out better patches in general, eh?
-
February 2019 Update to Win10 1809 KB 4487044 causes loss of access to One Drive
@F-A-Kramer reports an auto update to Win10 1809 caused loss of access to One Drive.
MS auto updated my computer (64 bit Win 10 1809) this morning and rebooted my computer. Gone from the system tray is my Office 365 One Drive app. Attempts to connect to One Drive from the Start menu result in nothing happening. The computer cannot access my One Drive at all. I even tried using the web (Edge no less) and when I try to enter my email address, halfway through, the dialog box blanks out.
The “Update” is listed as a Feature Update for Win 10 1809 but no KB number given. The build is 17763.316.
It seems it took some effort to find the answer to the problem. He further relates his experience finding the solution.
Finally, after several runarounds and attempts to find the right place to ask, I was able to connect with a Microsoft One Drive Support person. Said I should download a One Drive installer. Did, and it did not work. Then told to run a reset procedure. Did not work.
Then the big gun was brought out. I was instructed to edit the registry to change One Drive’s DisableFileSyncNGSC from 1 to 0. This would, and did(!) “enable” One Drive after restarting the computer. All is now as it should be. I have no idea how this bit (Dword actually) got changed. Hit by a cosmic ray is as good an explanation as any.
Has anyone else experienced a problem connecting to One Drive after installing the February patch?
-
New cumulative update KB 4491113 for IE in Win7 and 8.1 fixes the backslash bug
Microsoft broke IE’s behavior earlier this month. With the update released yesterday, it’s fixed… but under odd circumstances.
Here’s the bigger picture.
This month’s Patch Tuesday patches for Win7 and 8.1 contained this weird, acknowledged, bug:
After installing this update, Internet Explorer may fail to load images with a backslash (\) in their relative source path.
That bug, and several others, were fixed in this week’s Monthly Rollup preview patches – but those aren’t distributed through normal channels. You have to wait until next month, when the Monthly Rollup Preview patches will (presumably) be added to the March Monthly Rollups.
Here’s where things get weird. On Feb. 19, Microsoft released a Cumulative update for Internet Explorer: February 19, 2019, a silver bullet patch with the sole intent:
This cumulative update includes improvements and fixes for Internet Explorer 11 that is running on Windows 8.1 or Windows 7, and resolves the following issue:
Internet Explorer cannot load images that have a backslash (\) in their relative source path.
So we have a cumulative update, KB 4491113, that fixes a bug introduced in this month’s Monthly Rollups, but which is also fixed in this month’s Monthly Rollup previews. The previews fix other bugs as well, but I guess this one was problematic enough to warrant a single silver bullet.
@PKCano has added the appropriate admonitions to the “Group B” AKB 2000003 list.
-
Patch Lady – so should we freak out about passwords?
We urge folks to use stronger passwords, but then it’s hard to keep track of them. So we use password managers. But there’s news out that these manager programs aren’t as secure as we’d like them to be and may leak things like… oh, the master password. But if I’m reading the white paper correctly, some of the techniques used to discover these secrets mean that the system was either compromised to begin with, or it’s being examined physically and forensically – that is, the researcher is looking at dump files and examining memory in a way that requires physical access to the machine. If an attacker has physical access to your machine, it’s not your machine anymore.
There is an old old old post (I can only find other blog posts quoting the original) about the 10 laws of security that Microsoft first put out:
Law #1: If a bad guy can persuade you to run his program on your computer, it’s not solely your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.
Law #4: If you allow a bad guy to run active content in your website, it’s not your website any more.
Law #5: Weak passwords trump strong security.
Law #6: A computer is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as its decryption key.
Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
Law #9: Absolute anonymity isn’t practically achievable, online or offline.
Law #10: Technology is not a panacea.
I think number 3 is at play. Granted, it still may be safer to buy a password manager and use it. And add multi-factor authentication where you can. And realize we’re never 100% secure. Just acceptably secure. For now. Until the next headline.
Excuse me while I go buy some aluminum foil.
-
Microsoft: New non-security updates prevent attack on Win10 Servers running IIS — but there are no instructions
Now you know why I’m skeptical of the “optional non-security” description about the second monthly Win10 cumulative updates.
Ends up that the patches are not “optional” (click Check for updates and see what happens) and, at least this month, for Servers running IIS, they’re not “non-security.”
Case in point: Microsoft Security Advisory ADV190005 | Guidance to adjust HTTP/2 SETTINGS frames, released yesterday. From the Advisory:
Microsoft is aware of a potential condition which can be triggered when malicious HTTP/2 requests are sent to a Windows Server running Internet Information Services (IIS). This could temporarily cause the system CPU usage to spike to 100% until the malicious connections are killed by IIS.
The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters. In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed.
To address this issue, Microsoft has added the ability to define thresholds on the number of HTTP/2 SETTINGS included in a request. These thresholds must be defined by the IIS administrator, they are not preset by Microsoft.
The solution? Install this month’s second set of cumulative updates — the ones released earlier this week, KB 4487006, KB 4487011, KB 4487021, KB 4487029 — and then follow these instructions:
Customers should review Knowledge Base Article 4491420 and take appropriate action.
Except, well, golly, there is no KB 4491420.
UPDATE: Microsoft published the instructions, Define thresholds on the number of HTTP/2 Settings parameters exchanged over a connection.
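To make the advisory’s mitigation concrete, here is an added example (my own, not Microsoft’s or HTTP.sys code) that parses HTTP/2 SETTINGS frames and enforces a per-frame and a per-connection cap on the number of parameters, closing the connection as soon as either cap is exceeded. The threshold names and the sample frames are constructed for illustration; the real knobs are the ones in the KB article linked above.

```python
import struct
from typing import Iterator, List, Tuple
FRAME_HEADER_LEN = 9         # RFC 7540 s4.1: 24-bit length, 8-bit type, 8-bit flags, 32-bit stream id
SETTINGS_TYPE = 0x4          # RFC 7540 s6.5
SETTINGS_ACK_FLAG = 0x1
SETTINGS_ENTRY_LEN = 6       # 16-bit identifier + 32-bit value

def parse_frames(data: bytes) -> Iterator[Tuple[int, int, int, bytes]]:
    """Yield (type, flags, stream_id, payload) for each complete frame in the buffer."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length
def settings_params(payload: bytes) -> List[Tuple[int, int]]:
    """Split a SETTINGS payload into (identifier, value) pairs; a bad length is a FRAME_SIZE_ERROR."""
    if len(payload) % SETTINGS_ENTRY_LEN:
        raise ValueError("SETTINGS payload length not a multiple of 6")
    return [struct.unpack(">HI", payload[i:i + 6]) for i in range(0, len(payload), 6)]
def check_connection(data: bytes, max_per_frame: int, max_per_conn: int) -> Tuple[bool, int, int]:
    """Count SETTINGS parameters and return (ok, largest_frame, running_total). The two caps are
    hypothetical stand-ins for the admin-defined thresholds the advisory describes."""
    total = largest = 0
    for ftype, flags, stream_id, payload in parse_frames(data):
        if ftype != SETTINGS_TYPE:
            continue
        if stream_id != 0:
            raise ValueError("SETTINGS on a non-zero stream is a PROTOCOL_ERROR")
        if flags & SETTINGS_ACK_FLAG:
            continue                      # ACKs carry no parameters, so they do not count
        n = len(settings_params(payload))
        largest = max(largest, n)
        total += n
        if n > max_per_frame or total > max_per_conn:
            return False, largest, total  # a server would close the connection here
    return True, largest, total
def build_settings_frame(params: List[Tuple[int, int]], flags: int = 0) -> bytes:
    """Constructed test input: one SETTINGS frame on stream 0 carrying the given parameters."""
    payload = b"".join(struct.pack(">HI", ident, value) for ident, value in params)
    return len(payload).to_bytes(3, "big") + bytes([SETTINGS_TYPE, flags]) + b"\x00" * 4 + payload
# Constructed samples: a normal preface (2 parameters plus an ACK) versus frames stuffed with 20 repeats.
NORMAL = build_settings_frame([(0x3, 100), (0x4, 65535)]) + build_settings_frame([], SETTINGS_ACK_FLAG)
STUFFED = build_settings_frame([(0x3, 100)] * 20) * 3
```

Redefining the same identifier many times is legal per RFC 7540, which is exactly why a count threshold rather than a validity check is needed here.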
-
Microsoft pushes odd third-Tuesday cumulative updates for Win10 1803, 1709, 1703 and 1607 – but not for 1809
I think this is good news.
Yesterday Microsoft published cumulative updates for the older versions of Windows 10, but didn’t release one for the latest, version 1809. I take that as a good sign — perhaps Microsoft is letting its 1809 patches bake a little longer.
Moral of the story: Don’t click Check for Updates!
Details in Computerworld Woody on Windows.
UPDATE
We also have:
KB 4487016 – Preview of the Win8.1 March Monthly Rollup
KB 4486565 – Preview of the Win7 March Monthly Rollup
The Microsoft Update Catalog also shows that several of this month’s Win10 Cumulative Updates were re-issued. Not sure what’s up with that, but it usually means there was a change in the metadata — which means it changes the installation logic.
ANOTHER UPDATE
Now at least one of the Knowledge Base articles is being changed to say that yesterday’s non-security updates do NOT fix the acknowledged bug:
- After installing this update, some users cannot pin a web link on the Start menu or the taskbar.