Posted on April 24th, 2017 at 11:50 Comment on the AskWoody Lounge
If you don’t have last month’s MS17-010 installed, better get off your duff.
InfoWorld Woody on Windows
Posted on April 23rd, 2017 at 11:51
Details in InfoWorld Woody on Windows.
In honor of the 400th anniversary of The Bard’s demise:
Horatio says ’tis but our fantasy,
And will not let belief take hold of him
Touching this dreaded sight, twice seen of us:
Therefore I have entreated him along
With us to watch the minutes of this night;
That if again this apparition come,
He may approve our eyes and speak to it.
Actually, KB 3150513 has appeared many times. Has anything changed since the last run a month ago? I certainly don’t see any redeeming social value.
Posted on April 23rd, 2017 at 07:44
UPDATE: Technical details have been posted by zero sum at the @zerosum0x0 blog. Bottom line, “Many of the vulnerabilities that are exploited were fixed in MS17-010, perhaps the most critical Windows patch in almost a decade.”
UPDATE: Catalin Cimpanu, BleepingComputer: “Over 36,000 Computers Infected with NSA’s DoublePulsar Malware” and “5.5 million computers haven’t installed patches Microsoft made available for the SMB flaws exploited by the NSA tools, they are vulnerable to exploits.”
UPDATE (Sunday morning, Central time): tweet from Below0Day: 56,586 DoublePulsar infections detected.
If you haven’t yet installed March patches for Windows, listen up.
One of those leaked NSA exploits, EternalBlue, has been pulled out of the Shadow Brokers steaming pile of malware and used to install a backdoor called DoublePulsar. Dan Goodin at Ars Technica says that:
there’s growing consensus that from 30,000 to 107,000 Windows machines may be infected by DoublePulsar. Once hijacked, those computers may be open to other attacks.
EternalBlue can attack any machine with the Windows “SMB” service accessible to the internet. Our tax dollars at work.
Rik van Duijn at dearBytes has published step-by-step instructions for locating exposed SMB services, running EternalBlue, using it to install DoublePulsar, and then using DoublePulsar to run just about anything. It’s pretty straightforward.
Yesterday Iain Thomson posted a delightful expose in The Register:
DOUBLEPULSAR, being a nation-state-grade backdoor, is extremely stealthy and unlikely to be discovered on a hacked box unless whichever miscreant is using it gets clumsy.
Amazon’s AWS and Microsoft’s Azure showed up on the top 100 most-infected domains as you’d expect as large hosts of customer virtual machines. Then there are systems at big names such as Ricoh in India, various universities, and machines on Comcast connections.
Moral of the story: If you haven’t yet installed March’s MS17-010, better pull your machine out of the mothballs and get it patched. If it’s connected to the internet, it’s exposed.
It looks like I’ll be changing the MS-DEFCON level in the next few days, to take the sting out of some other exposed problems, but for now, if you haven’t installed the March updates, better get to it.
Not sure if you’re caught up? Here’s how to check.
For Win10: In the Cortana search box, type winver.
- If you have version 1703, you’re fine.
- If you have version 1607, you need to be on Build 14393.953 or later. (Note that the documentation in the KB article is wrong.)
- If you have version 1511, you need to be on Build 10586.839 or later.
- If you have Build 10240 (commonly called “version 1507” but Microsoft didn’t figure out the naming until later), you need to be on Build 10240.17319 or later.
In all cases, for Win10, if you aren’t up to those build numbers, you need to install the latest cumulative update. Follow my instructions to get your build number up to snuff, but don’t be tempted to install anything else at this point.
For Win7: Right-click Start > Control Panel > Windows Update > View installed updates. You should have one of these listed:
- KB 4012212 the Security-Only “Group B” patch, or
- KB 4012215 the March Monthly Rollup “Group A” patch, or
- KB 4015549 the April Monthly Rollup
If you don’t have any of those listed, at a very minimum, you should download and install KB 4012212. Don’t worry about Group A or Group B at this point. Installing KB 4012212 will protect you without committing your system to either Group A or Group B. There’s a full description at @PKCano’s AKB 2000003, but if you only want the download links, look at this line:
Similarly, for Win 8.1, look for these installed updates:
- KB 4012213 the Security-Only “Group B” patch, or
- KB 4012216 the March Monthly Rollup “Group A” patch, or
- KB 4015550 the April Monthly Rollup
If you don’t have any of those, look at @PKCano’s list:
That’s what you need to do right now, to protect yourself from the NSA’s swirling spitstorm.
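The manual checks above, scripted as a single PowerShell report. This is an added example, not code from the post or from Microsoft: the build/revision thresholds and KB numbers are the ones listed above; the registry value names (CurrentBuildNumber, UBR under the CurrentVersion key) and the Get-HotFix cmdlet are standard Windows ones. The assumption that UBR is present on every Win10 build is mine; if it is missing the script treats the revision as 0 and reports the machine as unpatched, which is the safe direction to err in.

```powershell
# Added example (not from the post): report whether this machine meets the
# MS17-010 thresholds the post lists. Build numbers and KB ids come from the post.
function Get-Ms17010Status {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    # UBR is the revision after the dot that winver shows (e.g. 14393.953).
    # Assumption: present on Win10; if absent, treat as 0 so the check fails safe.
    $ubr   = if ($null -ne $cv.UBR) { [int]$cv.UBR } else { 0 }

    # Windows 10: minimum revision per build, as listed in the post (1703 needs nothing).
    $win10Min = @{ 15063 = 0; 14393 = 953; 10586 = 839; 10240 = 17319 }
    if ($win10Min.ContainsKey($build)) {
        $needed = $win10Min[$build]
        return [pscustomobject]@{
            OS      = "Windows 10 build $build.$ubr"
            Patched = ($ubr -ge $needed)
            Detail  = "need $build.$needed or later; if not, install the latest cumulative update"
        }
    }

    # Windows 7 SP1 (7601) and 8.1 (9600): any one of the listed KBs is sufficient.
    $kbs = switch ($build) {
        7601    { 'KB4012212', 'KB4012215', 'KB4015549' }
        9600    { 'KB4012213', 'KB4012216', 'KB4015550' }
        default { $null }
    }
    if ($null -eq $kbs) {
        return [pscustomobject]@{ OS = "build $build"; Patched = $null; Detail = 'not covered by this checklist' }
    }
    # Get-HotFix -Id writes an error when the KB is absent; silence it and keep the hits.
    $found = foreach ($kb in $kbs) {
        if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) { $kb }
    }
    [pscustomobject]@{
        OS      = if ($build -eq 7601) { 'Windows 7 SP1' } else { 'Windows 8.1' }
        Patched = [bool]$found
        Detail  = if ($found) { "installed: $($found -join ', ')" }
                  else        { "none of $($kbs -join ', ') found; at minimum install $($kbs[0]) (Security-Only)" }
    }
}

Get-Ms17010Status | Format-List
```

Run it from an elevated PowerShell prompt on the machine in question. A `Patched` value of `False` means the March fix is missing; `$null` means the build is not one the post covers and you should check manually.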
Posted on April 22nd, 2017 at 15:02
New report from Günter Born about multi-partition support on USB drives, in the new Win10 Creators Update:
we have an extension allowing Windows 10 Version 1703 to mount multiple partitions on removable media and show the logical volumes within file manager. But the tools required to create such media structures are not updated in a proper way.
I wonder what other wonders await?
Posted on April 21st, 2017 at 17:14
Simon Pope, Security group manager at the Microsoft Security Response Center really wants to know.
This month marked our first release when security update information was published entirely in the new format… We remain committed to ensuring transparency with our releases and providing tools to enable a more personal computing experience. If you have questions about the change, or how to accomplish certain tasks, we have a FAQ, as well as a TechNet support forum for the Security Update Guide.
Over to you, folks.
Posted on April 20th, 2017 at 13:01
I guess an eight-month development cycle isn’t fast enough.
InfoWorld Woody on Windows
Posted on April 20th, 2017 at 07:18
Zeffy’s approach works, for now, but the new update engine is already out.
You gotta wonder why Microsoft’s continuing this self-destructive push. We need more carrots, fewer sticks.
I wonder if @abbodi86’s approach could be turned into a simple program?
InfoWorld Woody on Windows.
Posted on April 19th, 2017 at 09:00
For those of you new to this game…
Yesterday, Microsoft released
- April, 2017 Preview of Monthly Quality Rollup for Windows 7 and Windows Server 2008 R2 (KB4015552)
- April, 2017 Preview of Monthly Quality Rollup for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB4015553)
- April, 2017 Preview of Monthly Quality Rollup for Windows Embedded 8 Standard and Windows Server 2012 (KB4015554)
No, you don’t want them. They’re test versions. The finals will come out next month. Nothing in them of interest — unless you’re supporting software that has to live with the next versions of Win7 and 8.1 (in which case, you have my sympathy).
Günter Born reports (in German) that he’s heard of two complaints about the Win 8.1 patch preview, KB 4015553, not installing properly.
No need to hide them. Just ignore them. And remember we’re at MS-DEFCON 1 at the moment – no need to install anything. No, not even the .NET patches that were just changed from “Optional” to “Recommended.”
- April, 2017 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 on Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2 (KB4014981)
- April, 2017 Security Only Update for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 on Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2 (KB4014985)
If you’re concerned about Daylight Saving Time in Magallanes, Chile, you might consider installing KB 4015193. As you do so, contemplate why it’s so infernally difficult to change something that should be easy and transparent — like, say, the time on your phone.