Newsletter Archives

  • A year and counting

    WINDOWS 10

    Susan Bradley

By Susan Bradley

    We are a year away from the official end of the road for Windows 10.

    It’s pretty clear that you and I, and a lot of other individuals and companies, will be using Windows 10 after its end of life in October 2025. I want to assure you that I will continue to provide the best information available about how to keep Windows 10 PCs safe and secure.

    I have business systems that will need to stay on Windows 10 for compatibility reasons. I also have PCs that I will keep on Windows 10 because there is no reason to change — they work well and do their intended jobs. But we all must eventually decide when and how to take the next step, no matter what that may be.

    Read the full story in our Plus Newsletter (21.43.0, 2024-10-21).

  • Security information for an end-of-life operating system is lacking

    ON SECURITY

    Susan Bradley

    By Susan Bradley

    Lately, I’ve been working on painting the trim on my house.

    We have old-fashioned caulked windows. To make sure that the caulk doesn’t crack with the weather, maintenance is required. That means painting.

    I like doing it because it gets me off the computer and thinking of other things. Painting the house is great for appearances and — more importantly — protects it from weather and other damage.

    Read the full story in our Plus Newsletter (21.28.0, 2024-07-08).

  • Patching year 2022 comes to a close

    ISSUE 19.51 • 2022-12-19

    PATCH WATCH

    Susan Bradley

    By Susan Bradley

    Every vendor brought us a lump of coal.

    No matter which platform you use, we are closing out a year in which we have been very vulnerable. From Microsoft to Apple to our firewall vendors — and even to Linux distros such as Ubuntu and Mint — just about every vendor has ended the year with patches, vulnerabilities unfixed, and new releases.

    Read the full story in our Plus Newsletter (19.51.0, 2022-12-19).
    This story also appears in our public Newsletter.

  • Zero day for Windows 7

BleepingComputer reports that 0patch is releasing a fix for a zero-day in Windows 7 and Server 2008 R2.

I haven’t yet seen an out-of-band patch released to Windows 7 ESUs, but I’ll keep you posted.

One clarification on that post: Sergiu says “At the moment, only small-and-midsize businesses or organizations with volume-licensing agreements can get an ESU license until January 2023.” You actually don’t need a volume licensing agreement in order to buy Windows 7 patches. Amy Babinchak is still selling Windows 7 ESUs, and for anyone who bought them last year, she’ll be contacting you to see if you want the updates again this year. Microsoft hasn’t yet set it up so that the 2021 Windows 7 ESUs are on their price list, but I’m guessing December 1st is when they will post it to the price list. It’s expected to be twice the price of last year’s.

  • 0patch posts a patch for the “PrintDemon” security hole CVE-2020-1048

    I still haven’t seen any in-the-wild exploits for the security hole announced last week, PrintDemon or CVE-2020-1048 — and I still don’t recommend that you install this month’s patches — but those of you running Windows 7 without the paid Extended Security Updates should take note of the latest “micropatch” offering from 0patch.

    According to the 0patch blog:

    Windows 7 and Server 2008 R2 users without Extended Security Updates have just received a micropatch [from 0patch] for CVE-2020-1048, a privilege elevation vulnerability allowing a local non-admin attacker to create an arbitrary file in an arbitrary location.

    When time comes to install this month’s patches, if you don’t have Win7 Extended Security Updates, you should keep this micropatch in mind. (It’s OK, I’ll remind you if you forget.)

    Just a reminder: We’re still at MS-DEFCON 2. There are no widespread threats out and about and you don’t need to patch just yet. Go outside and get some fresh air. At a distance, of course.

    Thx @etguenni

  • Microsoft Office gets a drenching of updates

    PATCH WATCH

    By Susan Bradley

    COVID-19’s impact on patching doesn’t extend to Office releases.

    If April’s updates prove anything, it’s that Office is a prime target for malware attacks. This month, all supported versions of Microsoft’s productivity suite received a dozen or more security patches. And most of these fixes have a common purpose: breaking a specific risk to our networks — Office apps using Visual Basic scripts to pull information from the Internet. This change is good, for the most part, but it might cause line-of-business apps with sloppy coding to stop working.

    Read the full story in AskWoody Plus Newsletter 17.15.0 (2020-04-20).

  • Worth considering: 0patch for Win7 after January 2020

    I just got a note from @Microfix that pointed me to an interesting discussion from Ionut Ilascu at BleepingComputer:

    After Microsoft ends support for Windows 7 and Windows Server 2008 on January 14, 2020, 0Patch platform will continue to ship vulnerability fixes to its agents.

    “Each Patch Tuesday we’ll review Microsoft’s security advisories to determine which of the vulnerabilities they have fixed for supported Windows versions might apply to Windows 7 or Windows Server 2008 and present a high-enough risk to warrant micropatching”

    Micropatches will normally be available to paying customers (Pro – $25/agent/year – and Enterprise license holders). However, Kolsek says that there will be exceptions for high-risk issues that could help slow down a global-level spread, which will be available to non-paying customers, too.

    Many of you know that 0Patch has been issuing quick fixes for bad bugs in recent patches. In all cases, I’ve refrained from recommending them, simply because I’m concerned about applying third party patches directly to Windows binaries. That said, to date, they’ve had a very good track record. Whether they can continue that record with patches-on-patches-on-patches remains to be seen, of course.

    I fully expect Microsoft to release patches for newly discovered major security flaws, even after January 14. Whether those will step on the 0Patch patches is anybody’s guess.

    Definitely something worth considering….

  • That Internet Explorer XXE zero day poking through to Edge

    I’ve been slammed for the past few days, and haven’t kept you folks apprised of the latest Internet Explorer 0day.

It depends on you opening an infected MHT file. MHT is an old file format that’s almost always opened by IE — no matter which browser you’re using, no matter which version of Windows. Catalin Cimpanu has a good overview of this XXE vulnerability on ZDNet.

It’s a doozy of a security hole, as it affects every recent version of IE, and it infects whether you’re actively browsing with IE or not.

    When you download files from the internet, they’re marked — the “Mark-Of-The-Web” — to tell programs that special care is required when opening the files. Thus, if you download an infected MHT file, IE will know that it needs to open the MHT file with caution (at “low integrity,” in a sandbox). That severely limits this exploit’s reach.

    There’s a lot of controversy about how bad this XXE hole really is. There have been lots of XXE holes discovered in the past. They’re used to pull files off your machine and send them to the bad guys. Microsoft figured this one isn’t all that bad, in part because of the MOTW mechanism. The folks who discovered this particular hole aren’t so sanguine. They responded to Microsoft’s snub last week by releasing details, proof of concept code, and even a video.

    Yesterday, Mitja Kolsek at 0patch revealed something disconcerting. If you use Edge to download an infected MHT file, Internet Explorer will open it like any other file. Says Kolsek:

    Does Edge not put the mark-of-the-web on downloaded files, or does it do it differently and somehow confuses Internet Explorer? That would be a serious flaw.

    He goes on to explain how Edge changes the permissions on downloaded files and, thus, why IE will open the infected MHT file as if it had no Mark-Of-The-Web.

    All fascinating stuff if you’re into this kind of thing. Ionut Ilascu has a synopsis on BleepingComputer.

    The 0patch company has a quick patch that you can apply, free, if you’re concerned about getting burned. I’m not going to link to it — I don’t want to take responsibility for 3rd-party patches to Windows — but you can find it quite easily if you’re really interested. That said, 0patch is highly regarded, and has made many useful hotfixes for Windows.

    What to do? That’s easy. Don’t open MHT files. And don’t use IE.

    Thx to @Alex5723 and others who have been posting about this problem while I’m off doing other things…..

    Let’s see if I get a definitive answer from this:

    UPDATE: @mkolsek, who published the report yesterday, confirms that reassigning the default handler for MHT files breaks the attack. He tested it. I’ll write this up.
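The two things the post above turns on are whether a downloaded MHT file actually carries the Mark-of-the-Web and which program Windows hands .mht files to. The following PowerShell is an added example written for this archive; it is not code from the post, from Woody, or from 0patch. It reads the Zone.Identifier alternate data stream (where Windows stores the MOTW; ZoneId=3 is the Internet zone) for each .mht/.mhtml file in a folder and reports the registered .mht handler, so you can see both the condition Kolsek describes (a downloaded MHT with no MOTW) and whether the handler reassignment he confirmed as a mitigation has been applied. The Downloads path is an assumption; point it anywhere.

```powershell
# Added example (not from the AskWoody post or 0patch): inspect the Mark-of-the-Web
# on downloaded MHT files and show which program is registered to open .mht files.
# Assumes Windows PowerShell 5.1 or later on an NTFS volume (ADS requires NTFS).

function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    # The MOTW lives in the Zone.Identifier alternate data stream as an INI-style
    # block: "[ZoneTransfer]" followed by "ZoneId=<n>". 3 = Internet, 4 = Restricted.
    $stream = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }          # no stream: the file carries no MOTW
    foreach ($line in $stream) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null                                # stream present but no ZoneId line
}

function Get-MhtHandler {
    # A per-user choice (set via Default Apps / "Open with") takes precedence over
    # the machine-wide class registration under HKLM\SOFTWARE\Classes.
    $userChoice = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice' -ErrorAction SilentlyContinue
    if ($userChoice -and $userChoice.ProgId) { return $userChoice.ProgId }
    $machine = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\.mht' -ErrorAction SilentlyContinue
    if ($machine) { return $machine.'(default)' }
    return $null
}

# Assumed folder to audit; any directory of downloaded files will do.
$folder = Join-Path $env:USERPROFILE 'Downloads'

Get-ChildItem -LiteralPath $folder -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.mht', '.mhtml' } |
    ForEach-Object {
        $zone = Get-MotwZone -Path $_.FullName
        [pscustomobject]@{
            File    = $_.FullName
            ZoneId  = $zone
            HasMotw = ($null -ne $zone)         # $false is the case the post warns about
        }
    } | Format-Table -AutoSize

"Registered .mht handler (ProgId): $(Get-MhtHandler)"
```

A downloaded .mht that shows HasMotw = False is one IE would open without the low-integrity sandbox the post describes; a handler whose ProgId belongs to Internet Explorer means the default-handler reassignment Kolsek tested has not been made on that machine. The script only reads; changing the handler is done through Windows’ Default Apps settings, and the post’s own advice (don’t open MHT files, don’t use IE) still applies either way.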