Newsletter Archives
-
The “new” XP patch KB 982316 is a dud, but the new MSRT is for real
Yesterday, I wrote about the mysterious “new” Windows XP patch KB 982316. There’s speculation all over the web that Microsoft is now patching Windows XP again.
Wrong.
@abbodi86 dug in and confirmed:
The digital signature of the downloaded file indicates that it’s still the same old one, “Monday, June 14, 2010”. So this is just a review/renew of the download page for some reason.
On the other hand, the new Malicious Software Removal Tool, KB 890830, is very real. An anonymous poster notes that it’s marked “Important” in Windows 7. The Windows Update list says that the program has changed, and the metadata has changed. @ch100 theorizes that it’s a WannaCry detector, which is confirmed in the TechNet post Customer Guidance for WannaCrypt attacks:
Update 5/22/2017: Today, we released an update to the Microsoft Malicious Software Removal Tool (MSRT) to detect and remove WannaCrypt malware. For customers that run Windows Update, the tool will detect and remove WannaCrypt and other prevalent malware infections. Customers can also manually download and run the tool by following the guidance here. The MSRT tool runs on all supported Windows machines where automatic updates are enabled, including those that aren’t running other Microsoft security products.
As I’ve said many times over the past week, WannaCrypt only attacks Windows 7. No matter which version of Windows you have, you’d be well advised to run the new MSRT and see if it picks up any vestiges.
(Historical note: Microsoft’s sticking to the “WannaCrypt” name while most of the popular press has moved to “WannaCry.” I switched from WannaCrypt to WannaCry, too, in response to an edit. The worm calls itself “Wana Decrypt0r” with a zero. Malware researchers pick their own names, and there’s no central authority assigning names to specific infections. It’s all about branding, folks — I guess “WannaCry” sounds more compelling.)
-
What’s up with the “new” XP patch KB 982316?
I don’t know what to make of it.
I’m seeing reports all over the internet that Microsoft has released a new Windows XP patch, KB982316.
Yes, Windows XP.
There’s a download link that’s dated May 19, 2017 — last Friday.
But there’s no Microsoft Update Catalog listing.
The KB article says it was last reviewed on June 10, 2011:
This update implements a defense-in-depth change that some customers may decide to deploy. This update changes the Access Control Lists (ACLs) for the following registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Telephony
By default, Network Service (NS) users explicitly have full permission to this registry entry. After you install this update, NS users will have Read-Only access to this registry entry. The update will apply the same ACLs to all subkeys of the registry entry.
The KB article points to Security Advisory 2264072, Elevation of Privilege Using Windows Service Isolation Bypass, but that article’s dated Aug. 10, 2010. Version 1.0.
Is this another supersedence screw-up? (We’ve seen many, lately.) Is it related to the Shadow Brokers trove?
And, if it’s really a new patch – not some phantom resurrected erroneously — is Microsoft going to patch XP for NSA-derived exploits?
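The KB text quoted above says that after the update Network Service has read-only access to the Telephony key and all of its subkeys. A PowerShell check for that state follows, added here as an example and not taken from the original post or from Microsoft. The function name Test-TelephonyKeyAcl is hypothetical, and the script assumes PowerShell 3.0 or later.

```powershell
# Added example: report Allow ACEs that give NETWORK SERVICE more than read
# access on the Telephony key or any subkey. Read-only; it changes nothing.
function Test-TelephonyKeyAcl {   # hypothetical helper name
    param(
        [string]$Root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony'
    )
    # S-1-5-20 is the well-known SID for NT AUTHORITY\NETWORK SERVICE;
    # matching on the SID avoids localized account names.
    $nsSid   = 'S-1-5-20'
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $readKey = [int][System.Security.AccessControl.RegistryRights]::ReadKey

    # The key itself plus every subkey the current user can enumerate.
    $keys = @(Get-Item -LiteralPath $Root -ErrorAction Stop) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        try { $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop }
        catch {
            Write-Warning "Cannot read ACL on $($key.Name): $($_.Exception.Message)"
            continue
        }
        # Explicit and inherited rules, with identities returned as SIDs.
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($rule.IdentityReference.Value -ne $nsSid) { continue }
            if ($rule.AccessControlType -ne 'Allow')      { continue }
            # Any bit outside ReadKey (SetValue, CreateSubKey, Delete, ...) is
            # reported; raw generic-rights ACEs are reported too, for review.
            $extra = [int]$rule.RegistryRights -band (-bnot $readKey)
            if ($extra -ne 0) {
                [pscustomobject]@{
                    Key       = $key.Name
                    Rights    = $rule.RegistryRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

$findings = @(Test-TelephonyKeyAcl)
if ($findings.Count -eq 0) {
    'NETWORK SERVICE has no more than read access under the Telephony key.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so that subkeys with restrictive ACLs can be read; any row in the output is a key where the read-only state described in the KB article is not in effect.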