What every Windows customer should know about last week’s deluge of malware


    This topic contains 86 replies, has 13 voices, and was last updated by PKCano 1 day ago.

    • #109126

      woody
      Da Boss

      It’s not as bad as you think – but you need to keep a couple of things in mind.

      The full story is here:

      What every Windows customer should know about last week’s deluge of malware

    • #109155

      anonymous

      Not a huge fan of the teaser headline Woodster : / …..looking forward to the article all the same 🙂 Thanks Woody

      • #109252

        woody
        Da Boss

        I think I was showing considerable restraint with “deluge.” The term “spitstorm” came to mind. 🙂

        In retrospect… “malware” isn’t quite correct. There was malware aplenty with the Word 0day. But the Shadow Brokers leaks were, more correctly, vulnerability exploits, with code ready to be turned into malware.

    • #109253

      Pim
      AskWoody Lounger

      I am not sure whether MS really says that three exploits are unpatched in Vista: EnglishmanDentist, EsteemAudit, and ExplodingCan. They said that these three exploits were not reproduced on supported platforms. They may however also not reproduce on Vista, but MS simply will not state that as, I assume, they only make announcements about supported platforms. MS is sneaky enough to issue patches for Vista on April 11th and then state on April 12th that it is unsafe, while not supported. This would only be true to the extent that Vista did not receive an update that would otherwise have been released. Normally that would be the next Patch Tuesday.

      I am trying to evaluate my situation, as my migration from Vista to Windows 7 takes a bit longer than anticipated and therefore I am still running Vista. How much hurry is there for me to upgrade to Windows 7 ASAP, even when that means not fulfilling some of my other obligations towards clients on time, or should I take it a bit more relaxed and, if I upgrade over the next 2-3 weeks or so, it will be all right?

      • #109259

        woody
        Da Boss

        I don’t see anything forcing you to upgrade from Vista to 7 right now.

        You won’t “miss” any Vista patches until next month anyway.

        By the way… the details about Vista are in Efrain’s spreadsheet. Click on it to enlarge.

        • #109274

          anonymous

          It’s still unclear whether Vista is vulnerable to the three exploits named by Microsoft as not reproduced on “supported systems”. At this point, I haven’t seen any definitive statements by anyone that has tried to reproduce the exploits on a fully patched Vista system. For all we know, the chart above merely assumes that Vista is vulnerable due to the lack of a definitive statement by Microsoft.

          • #109276

            woody
            Da Boss

            I believe that’s quite correct.

          • #109483

            Pim
            AskWoody Lounger

            For all we know, the chart above merely assumes that Vista is vulnerable due to the lack of a definitive statement by Microsoft.

            The vulnerabilities in the chart only have a Y for issues that have been fixed (see the Notes column that states the corresponding bulletin which describes the issue and the released patches). The three vulnerabilities I was referring to do not have a Y for Vista, but neither for Win7. Please also note that the tweet states “based on public info”. In other words, it is a summary of public info, but not the result of a separate investigation that was carried out.

      • #109271

        Canadian Tech
        AskWoody MVP

        Pim, I would certainly not panic over this. It should be done but not urgently. The process is not that difficult. I strongly recommend you do not use the “upgrade” path in the install process. Choose the “Custom” path and delete all partitions. Back up all your data and be prepared to re-install your apps. Check your hard drive to make sure it is sound. Chances are, if your system came with Vista, it is more than 5 years old and could be a lot older. Chances are the drive is a 160. A $70 investment in a new 500G 7200rpm drive might be a very prudent thing to do. Many people think if chkdsk reports OK, the drive is OK. Not true! That does not check the drive hardware. Download and run the drive tester software offered by your hard drive manufacturer. It is usually thought of as a warranty claim kind of thing, but is very good at checking to see if your drive is beginning to fail. If yours is a laptop, 5 years or older, just replace the drive. Odds are high that drive will fail in the next year.

        CT

        • #109485

          Pim
          AskWoody Lounger

          Thanks for your reply. I was trying to estimate the urgency of my migration, not panicking fortunately.

          I am familiar with the upgrade process and do know that a fresh install is better. However, since I have a lot of software and adjusted a lot of settings I want to go the upgrade route. I plan on a fresh install somewhere in the future, but because this is my main machine, everything has to work to keep my business running.

          The installation already was from a computer that crashed some time years ago and I restored it on a newly bought Dell Latitude laptop, which originally had Windows 7 on it. It was quite a challenge to restore Vista on that machine, but Dell had published most drivers for Vista and the ones missing I downloaded from Intel and Nvidia. My efforts have really proven to be a life saver.

          I have both a Samsung 850 Pro SSD and a 2 year old hard drive for data in that laptop, so the current status is fine. But thanks for your tips, I appreciate it much. Since about 5 years or so I have Hard Disk Sentinel on my systems to continuously monitor the status of my hard drives and SSD’s. It has proven to be a good investment on a few occasions where I replaced a hard drive after a warning. In most cases it was only a pending sector and after performing a surface test these sectors appeared to be good, as they were not flagged “bad” after the test but were restored. In other cases it was a faulty hard drive and another case I still have to investigate. That hard drive is not in use until I finish that investigation.

          And last but not least: I do have a strict backup policy for both my data and systems. Ever since I started doing that I never lost data and have always been able to recover my system in case of an error. I can absolutely recommend having a good discipline and preferably backup “system”. I never panicked when something happened, I have only been frustrated because of the time lost 🙂

      • #109323

        MrBrian
        AskWoody MVP

        The fixes were delivered in March 2017, not April 2017.

        • #109337

          Pim
          AskWoody Lounger

          I know, but MS’s statement re Shadow Brokers was made after April 11th (Vista EOL). That is the reason why MS does not state anything about Vista, because as far as MS is concerned they do not care anymore about unsupported OSes. The point I was making is that even though Vista has been patched on April 11th, on April 12th MS gives up on it. It is just like Security Essentials stopped working right after April 11th. In theory Vista would still be (sort of) as secure as other Windows versions until the next patch is issued for those other Windows versions, which Vista then misses.

      • #109344

        MrBrian
        AskWoody MVP

        The chart at https://twitter.com/etlow/status/853439288926777344 appears to be accurate for all three of those exploits.

        See:

        hxxps://github.com/DonnchaC/shadowbrokers-exploits/blob/master/windows/exploits/Explodingcan-2.0.2.0.xml

        hxxps://github.com/DonnchaC/shadowbrokers-exploits/blob/master/windows/exploits/Englishmansdentist-1.2.0.0.xml

        hxxps://github.com/DonnchaC/shadowbrokers-exploits/blob/master/windows/exploits/Esteemaudit-2.1.0.0.xml

        • #109386

          anonymous

          I looked at the xml on github for the three exploits and was unable to discern how they establish that Vista (fully patched) is vulnerable. Unless I’m mistaken, none of the three even mentions Vista as a targeted OS. Can you clarify your comment?


          • #109443

            MrBrian
            AskWoody MVP

            Apparently Vista isn’t vulnerable to those three exploits :).

            • #109487

              Pim
              AskWoody Lounger

              But do bear in mind that, according to the tweet, the chart is based on public info. It is not the result of testing done by Efrain Torres.

    • #109268

      Canadian Tech
      AskWoody MVP

      Word 2010 has the macro settings recommended by default. In other words, those are the settings on the vast majority of users’ installations unless they specifically changed them, which is highly unlikely.

      CT

    • #109266

      anonymous

      What I find interesting: these exploits are blocked by a March patch. And the exploits are just now coming out… Did the calendar change to where March comes after April?

      • #109278

        woody
        Da Boss

        No, Microsoft apparently got advance warning prior to the March Patch Tuesday activities. See the article.

    • #109269

      anonymous

      Hi Woody,

      If I have a Windows 7 machine that’s in Group Wait, i.e. I haven’t installed any security update since a clean install earlier last year, should I apply the security-only patch for this one, and if so, is it sufficient to install KB4012212 (MS17-010)?

      • #109280

        woody
        Da Boss

        Yes. If I were you, I would install the March Security-Only Win7 patch, KB 4012212.

        Edit to correct KB number

        • #109504

          anonymous

          Woody,

          Did you make a typo? Should it be KB4012212? I just downloaded the file (not installed) and it said KB4012212 and not KB4102212.

          George

          • #109507

            PKCano
            AskWoody MVP

            You are correct. The March Security Only Update is KB4012212

    • #109292

      anonymous

      Re. Word Zero-Day – there is no Protected View if you are still using Office 2007

    • #109246

      anonymous

      It’s not “malware” woody, or any other individual using the term.

      NSA had these tools for a very long time for a very good reason.

      The problem now is… some dumb kid distributing these tools to shadow brokers for a profit which failed… they didn’t profit -boohoohohoo- so they again distributed them to the public realm, which script-kiddies can get their hands on and thus now can cause malicious intent.

      • #109327

        woody
        Da Boss

        It’s not “malware” woody, or any other individual using the term.

        The Word 0day is malware.

        The Shadow Brokers dump is not, in fact, malware, as you say. It’s a set of tools apparently meticulously assembled by the US government that will enable many malware writers to add additional “features” to their wares. Script kiddies are the most obvious candidates, but clandestine services in other countries are all over them.

    • #109313

      MrBrian
      AskWoody MVP

      Tweet from Ryan Hanson:

      “Protected View is a great protection mechanism against the Word RCE, but it can be chained with the bypass I discovered.”

      (RCE = Remote Code Execution)

      From https://twitter.com/ryHanson/status/851852981213331456:
      “CVE-2017-0204 (Protected View Bypass)”

      From CVE-2017-0204:

      ‘Microsoft Outlook 2007 SP3, Microsoft Outlook 2010 SP2, Microsoft Outlook 2013 SP1, and Microsoft Outlook 2016 allow remote attackers to bypass the Office Protected View via a specially crafted document, aka “Microsoft Office Security Feature Bypass Vulnerability.”‘

      Microsoft’s CVE-2017-0204 page: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0204.

      Ryan Hanson is acknowledged by Microsoft for CVE-2017-0204 at https://portal.msrc.microsoft.com/en-us/security-guidance/acknowledgments.

      • #109316

        MrBrian
        AskWoody MVP

        From the first link in my last post:

        “[Dan Goodin] Does this mean exploits can execute code without a target having to actively disable Protected View?

        [Ryan Hanson] yes, that is correct. When this is combined with the RCE, protected view is bypassed”

      • #109469

        anonymous

        But the vuln. described in https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0204 has been patched, hasn’t it? In last week’s patch round?

        • #109556

          MrBrian
          AskWoody MVP

          CVE-2017-0204 was fixed in April 2017 patches.

    • #109317

      SkipH
      AskWoody Lounger

      @woody:

      Link to your ‘article’ about Windows and Office hacks on InfoWorld comes up “Page not found”

      http://www.infoworld.com/article/3190412/malware/fact-or-fiction-the-truth-about-the-windows-and-office-hacks.html

    • #109339

      Bill C.
      AskWoody Lounger

      Does anyone know if using LibreOffice or OpenOffice to view an MS Word doc would be a solution?

      Additionally, I suspect opening a Word document in Notepad is also possible if you wade through the formatting text.

      Just looking for options for those who do not have (or want to have) a Google account.

    • #109347

      MrBrian
      AskWoody MVP

      From Downloads and the Mark-of-the-Web:

      “Windows uses a simple technique to keep track of which binary files were downloaded from the Internet (or a network share).

      Each downloaded file is tagged with a hidden NTFS Alternate Data Stream file named Zone.Identifier. You can check for the presence of this “Mark of the Web” (MotW) using dir /r or programmatically, and you can view the contents of the MotW stream using Notepad:

      […]

      Microsoft Office documents bearing a MotW open in Protected View, a security sandbox that attempts to block many forms of malicious content.

      […]

      With such a simple scheme, what could go wrong? Unfortunately, quite a lot.

      […]

      The first hurdle is that Internet clients must explicitly mark their downloads using the Mark-of-the-Web

      […]

      One simple trick that attackers use to try to circumvent MotW protections is to enclose their data within an archive like a .ZIP, .7z, or .RAR file.

      […]

      Mark-of-the-Web is valuable, but fragile.”

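A PowerShell check for the Mark-of-the-Web the quoted article describes, added here as an example (it is not from the thread or the article): it reports which Office documents in a folder carry the Zone.Identifier stream and which zone they record, and can re-stamp files that lost the mark (for instance after extraction from an archive). It assumes PowerShell 3.0 or later on an NTFS volume; Get-MotwReport and the Downloads path are my own choices.

```powershell
# Added example, not from the AskWoody thread or the article it quotes.
# Lists Office documents under a folder and reports whether each carries the
# Mark-of-the-Web (the Zone.Identifier alternate data stream) and which URL
# zone it records. A document without the mark will not open in Protected View,
# which is what happens to files pulled out of a .zip/.7z/.rar by some tools.
# Assumes PowerShell 3.0+ (for -Stream and -File) on an NTFS volume.

function Get-MotwReport {
    param(
        [string]$Folder = "$env:USERPROFILE\Downloads",   # assumed location
        [switch]$MarkUnmarked   # stamp ZoneId=3 (Internet) onto unmarked files
    )

    # Zone numbers that browsers and mail clients write into the stream
    $zoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                    3 = 'Internet';      4 = 'Restricted sites' }
    $officeExt = '*.doc','*.docx','*.docm','*.dot','*.dotm','*.rtf',
                 '*.xls','*.xlsx','*.xlsm','*.ppt','*.pptx','*.pptm'

    Get-ChildItem -Path $Folder -Include $officeExt -Recurse -File | ForEach-Object {
        $file   = $_
        $zoneId = $null

        # Reading a stream that does not exist is an error, so suppress it and
        # treat "nothing returned" as "no Mark-of-the-Web".
        $lines = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        foreach ($line in @($lines)) {
            # The stream is INI-like: [ZoneTransfer] / ZoneId=3 / ReferrerUrl=... / HostUrl=...
            if ($line -match '^ZoneId=(\d+)\s*$') { $zoneId = [int]$Matches[1] }
        }

        if ($null -eq $zoneId -and $MarkUnmarked) {
            # Restore the mark so Office treats the file as an Internet download.
            # (Unblock-File does the opposite: it deletes this stream.)
            Set-Content -LiteralPath $file.FullName -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
            $zoneId = 3
        }

        $zoneName = '(none)'
        if ($null -ne $zoneId) { $zoneName = $zoneNames[$zoneId] }

        [pscustomobject]@{
            File          = $file.FullName
            HasMotW       = ($null -ne $zoneId)
            ZoneId        = $zoneId
            Zone          = $zoneName
            # Office's default Protected View trigger for downloads covers the
            # Internet (3) and Restricted (4) zones.
            ProtectedView = ($zoneId -eq 3 -or $zoneId -eq 4)
        }
    }
}

# Report only; add -MarkUnmarked to re-stamp documents that lost the mark.
Get-MotwReport | Format-Table -AutoSize
```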
      • #109557

        MrBrian
        AskWoody MVP

        The significance of this is that some Office documents that one would have wished were opened in Protected View are not actually opened in Protected View.

      • #109772

        MrBrian
        AskWoody MVP

        Adobe Reader doesn’t propagate the “mark of the web” for Word files embedded within PDF files.

        Also, malicious Word documents are being distributed embedded within PDF files.

        Source: Malicious Documents: The Matryoshka Edition.

    • #109348

      MrBrian
      AskWoody MVP

      Background info: What is Protected View?

    • #109379

      anonymous

      Q: Is the Word document exploit a threat only to Word, or would it also be dangerous to open an infected document in LibreOffice Writer? Writer doesn’t seem to provide anything equivalent to Word’s Protected Mode.

      — Bill Bruner

      • #109384

        woody
        Da Boss

        I’m no expert, but the other Word wannabes – Google Docs, LibreOffice, and the like — don’t have the kind of linking that’s supported in Word on the desktop. For that matter, Word Online doesn’t either. So all of those should be safe.

        • #109640

          anonymous

          Thanks Woody — that was what I was hoping to hear. Of course, I would never tempt fate by opening an unsolicited or suspicious attachment, but I do occasionally receive Office attachments that I have to deal with in the course of my business (always something expected, from a university or government lab I have been corresponding with regarding an order — and of course, I always scan them with my AV and Malwarebytes before opening).

          Thanks very much for the info.

          — Bill

    • #109396

      Geo
      AskWoody Lounger

      Just received KB4015552, a major update to correct KB4015549. I still won’t download it.

      • #109471

        anonymous

        @geo:
        April 18, 2017—KB4015552 (Preview of Monthly Rollup)

        This non-security update includes improvements and fixes that were a part of Monthly Rollup KB4015549 (released April 11, 2017) and also includes these new quality improvements as a preview of the next Monthly Rollup update:

        Addressed issue to improve the reliability of dual-controller storage systems.
        Addressed issue that prevents V2 Message Queuing (MSMQ) performance counters from returning data after a clustered resource failure or failover.
        Addressed issue to updated time zone information.

        It’s the preview, I don’t think it includes any additional security fixes.

    • #109451

      Noel Carboni
      AskWoody MVP

      It’s not as bad as you think

      Very true.

      So far I haven’t received any unsolicited eMail with Office attachments in my inbox at all this month, even though my eMail has been public for decades. Beyond that, MalwareBytes scans tell me no threats have made it onto any of my systems.

      Perhaps being hacked is not as inevitable as some might suggest, though it’s always good to be wary.

      To be fair I haven’t detected any problems with the April updates on my test systems so far either. I guess I’m having a good week.

      -Noel

    • #109490

      anonymous

      Hi Woody,

      I guess I’m in Group W? I no longer update my Windows 7, but had posted to ask you about the safety of that seeing that I only use my computer to watch stuff on-line on network/cable tv sites, check Gmail, and access doctor chart stuff, and you had stated that I should be fine not updating. So I just wanted to verify that’s still the case with this whole new thing going on I just found out about. Also, I don’t even have any Office products on my laptop (so no Word, etc.), and never download/open any kind of Word documents anyways (and would always look at them via Gmail viewer, if the need were to arise). So I’m guessing I’m still good as is considering all that, but just wanted to make sure. Thanks!

      Jack

      • #109565

        MrBrian
        AskWoody MVP

        Woody said, “If you didn’t get caught up on March’s Windows patches, make sure you install MS17-010. For Win7 and 8.1, you can use either the Monthly Rollup or the Security-Only version.”

        In my opinion, even Group W users should install MS17-010.

        • #109576

          anonymous

          @ MrBrian

          Can you guarantee Group W users that the March 2017 Rollups do not contain any hidden Telemetry updates(not referring to KB2952664) from MS ?

          To some Win 7/8.1 Group W users, MS’s Windows Update is the greater malware, spyware, ransomware, etc than the Word 0-day exploit-ware, esp for those who do not use Office/Word.

          The Spybot Anti-beacon and O&O Shutup programs indicate that the Win 7/8.1 Rollups very likely contain hidden Telemetry updates, the same ones already mandated by MS for Win 10 Home and Pro.

          • #109597

            PKCano
            AskWoody MVP

            The March Security Only Quality UPDATE (not Rollup) should provide the fix without added telemetry. A link to the download is here
            Be sure you get March and the right bittedness.

          • #109606

            MrBrian
            AskWoody MVP

            As PKCano mentioned, you can also use the March 2017 security-only update.

            The March 2017 monthly rollup installs Diagnostics Tracking Service (as all of the monthly rollups since I believe November 2016 do). KB2952664 is an update that gathers telemetry. I can’t guarantee that Diagnostics Tracking Service by itself doesn’t also gather telemetry. More tests will be done soon on this matter.

            • #109700

              anonymous

              @ MrBrian

              Group W users have so far also avoided installing ALL monthly Security-Only “Quality” Updates since Oct 2016, i.e. besides avoiding all the Security Monthly Quality Rollups. It makes little sense for them to only install the March 2017 Security-Only Update and not install the other monthly Security-Only Updates.
              FUD and trickery from MS … push them into Group B?

              “To each, his/her own.”

            • #110145

              woody
              Da Boss

              I don’t think it’s FUD and trickery from MS. I’ve looked at it hard, and think that installing that one Security-only patch is your only hope for protecting Win7 and 8.1 systems.

              https://www.askwoody.com/2017/time-to-get-off-the-group-w-bench-at-least-for-a-few-minutes/

      • #109633

        woody
        Da Boss

        Unfortunately, Group W is becoming a less-valid option.

        I’ll have an update tomorrow…

        • #109680

          anonymous

          I am wondering what exactly is the risk for me in my specific situation as described? I do not have MS Office on my laptop, I don’t surf the web randomly, but only go to specific sites for watching shows (ABC, Fox, USA, FX), a secure website to view medical chart info, and another secure website where I post family related messages to one specific person. That’s all. I do no other web browsing. And any document or attachment viewing (which is pretty much nil) is done via Gmail viewer and/or Google docs. Honestly, I don’t receive documents from anyone to view at all, really. And would only ever look at anything if necessary via Gmail’s document viewer. I’m on-line only for 15-60min at a time, and that only maybe every few days at most, and only in the way described above.

          I stopped doing MS security updates (Windows 7) when they switched how they were offered, so have not updated at all since that time. (And more for the reason of not willing to risk issues of my laptop not working due to bad bundled updates and the whole headache of that new process, more so than the whole telemetry thing, because I simply can’t lose access to my laptop and my ability to access those sites listed.) Unless there is still a serious risk factor involved with continuing to not update even with my limited computer/internet use as described, I definitely do not want to have to risk starting to do updates again.

          I hope that all makes sense, and I appreciate the feedback and thoughts. Thanks!

          — Jack

          • #109760

            MrBrian
            AskWoody MVP

            If there are other local devices on your network, I recommend that you consider installing the March 2017 security-only update to fix MS17-010.

            • #109823

              anonymous

              Not sure if that response was for me (? — if so, thanks!). No other local devices on network that I know of (?). I share a secure wireless internet connection with a few other computers and probably Netflix in the house, but there is no server.

            • #109831

              PKCano
              AskWoody MVP

              Other local devices on your network = computers, phones, TVs, tablets, routers, as well as servers.

            • #109840

              MrBrian
              AskWoody MVP

              Jack: it was for you indeed. Also see PKCano’s reply.

            • #110991

              anonymous

              Ok, I see. But what is the risk there?

              Thanks!

            • #110994

              MrBrian
              AskWoody MVP

              A device in your local network that has malware could spread malware to other vulnerable Windows computers in your local network, just by virtue of having the vulnerable Windows computers on at the same time as the device with malware on it.

            • #110995

              anonymous

              Posted too soon. Sorry!

              I don’t want to start up again with doing updates, because it’s too problematic and I can’t risk my laptop not working any more. I’m looking at what Woody posted in the InfoWorld article here: http://www.infoworld.com/article/3191897/microsoft-windows/more-shadow-brokers-fallout-doublepulsar-zero-day-infects-scores-of-windows-pcs.html

              …and I want to make sure I’m understanding correctly. Please note, I have not done any security updates (or otherwise) since MS changed the way they offer them, and I have had Windows Update turned off since then. I really do not want to turn that back on. But am I to understand that I can/should manually install the following?

              Mar 2017 KB 4012212 – Download 32-bit or 64-bit

              (It would be 64-bit for me, I have Windows 7 Home Premium SP1, 64-bit.)

              And that I can do so without by just right clicking and downloading, then running the downloaded file from this link: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu

              …is that correct? I do not need to turn on Windows Update to do so? It has no bearing that I have had no updates of any kind since the month prior to MS changing their update process? And manually installing this will not cause any issues on my laptop for any reason?

              Thanks for the continued help — it is much appreciated!

              Jack

            • #111006

              PKCano
              AskWoody MVP

              Jack,
              Here’s what you need to protect yourself against the current set of exploits:
              The manual installer will not work if you have the Windows Update Service DISABLED.
              1. Go to Windows Update and “Change settings.” Choose “Never check for updates” then OK.
              2. Control Panel\Administrative Tools\Services – scroll down and double click on Windows Update Service. Set it to “Manual.”
              3. You need to download for Win7 64-bit to your PC – KB4012212 (March) AND KB4015546 (April) security only patches. Put them on the desktop or some place easy to get to.
              4. In Services, highlight the Windows Update Service, then in the upper left, click on “Stop.”
              5. After the WU Service stops, double click on the March update. When it finishes click close and double click on the April update.
              6. Reboot when asked.
              Keep Windows Update set on “Never” and the WU Service set to “Manual.”

              If you have any version of MS Office on your PC, you also need to do the updates for it. You can find instructions on this Microsoft website

              Edit Security only for March KB4012212

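The manual-install procedure above, scripted in PowerShell as an added example (this is my own code, not PKCano’s instructions or anything from the thread): it checks whether KB4012212 is already present, makes sure the Windows Update service is Manual rather than Disabled, stops it, runs the downloaded .msu through wusa.exe and verifies the result. It assumes an elevated PowerShell 2.0 or later session on Win7 x64 and that the .msu sits on the Desktop under the file name in $MsuPath (adjust to match your download).

```powershell
# Added example, not PKCano's own instructions and not from the AskWoody thread.
# Scripts the manual install of one security-only update (default KB4012212):
# skip if already installed, make wuauserv startable, stop it, run wusa.exe,
# then confirm. Assumes an elevated PowerShell 2.0+ prompt on Win7 x64 and that
# the .msu was downloaded to the Desktop with the file name below (assumed name).

param(
    [string]$Kb      = 'KB4012212',
    [string]$MsuPath = "$env:USERPROFILE\Desktop\windows6.1-kb4012212-x64.msu"
)

# Already listed under Installed Updates? Get-HotFix reads that list.
if (Get-HotFix -Id $Kb -ErrorAction SilentlyContinue) {
    Write-Host "$Kb is already installed; nothing to do."
    return
}
if (-not (Test-Path -LiteralPath $MsuPath)) {
    throw "Installer not found at $MsuPath - download it first."
}

# Steps 2 and 4 of the procedure: the standalone installer (wusa.exe) needs the
# Windows Update service to exist and not be Disabled; Manual is enough.
# WMI's StartMode is used because Get-Service only gained StartType in PowerShell 5.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'"
if ($svc.StartMode -eq 'Disabled') {
    Set-Service -Name wuauserv -StartupType Manual
}
if ($svc.State -eq 'Running') {
    # Precaution from the thread; wusa starts the service itself when it needs it.
    Stop-Service -Name wuauserv
}

# Step 5: run the installer quietly; /norestart so the reboot (step 6) is on your terms.
$proc = Start-Process -FilePath 'wusa.exe' `
        -ArgumentList ('"{0}" /quiet /norestart' -f $MsuPath) -Wait -PassThru

switch ($proc.ExitCode) {
    0       { Write-Host "$Kb installed." }
    3010    { Write-Host "$Kb installed; reboot required (ERROR_SUCCESS_REBOOT_REQUIRED)." }
    default { Write-Warning ("wusa.exe exited with code {0}; check the Setup event log." -f $_) }
}

# Verify: the KB should now appear in the installed-updates list.
Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
```

Run it a second time with -Kb KB4015546 and the matching .msu path for the April security-only update from step 3.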
            • #111016

              anonymous

              Thank you for the reply. But I’m confused because the article says, “[…] at a very minimum, you should download and install KB 4012212. Don’t worry about Group A or Group B at this point. Installing KB 4012212 will protect you without committing your system to either Group A or Group B.” The KB’s you are suggesting appear to be the full security updates for those months, and that’s what I actually want to avoid doing. I don’t want to start doing security updates, nor install everything I may have missed up until this point. I just want to install (if need be, even) the bare minimum needed, which the article seems to say is KB 4012212. Know what I mean?

              (See my OP, https://www.askwoody.com/forums/topic/what-every-windows-customer-should-know-about-last-weeks-deluge-of-malware/#post-109680 for reasons, actual computer use, etc.)

              Thank you!

            • #111093

              PKCano
              AskWoody MVP

              KB4012212 and KB4015546 are the SECURITY ONLY patches and are the MINIMUM you need to protect your system from the current vulnerabilities. Without them you are exposed. They are not the full March and April patches.

            • #111172

              MrBrian
              AskWoody MVP

              @pkcano: Which vulnerability caused KB4015546 to be mentioned here?

            • #111179

              PKCano
              AskWoody MVP
            • #111219

              MrBrian
              AskWoody MVP

              @pkcano: That is the fix for CVE-2017-0199, the Office and Wordpad issue. I believe that Woody has not declared that Group W users must patch CVE-2017-0199. If one desires to patch CVE-2017-0199 for Office, both the Windows April 2017 update (either monthly rollup or security-only update) and the relevant Office update must be installed.

            • #111327

              anonymous

              Okay, I was also confused because you had posted the wrong KB number at first (but you fixed it, thanks!). So now it sounds like I only need to install KB4012212, correct?

              I do not have any Office products, though I do have Wordpad. *However,* I only use Wordpad for documents I create. I never open any other files of any kind not of my own creation in it (and, honestly, I never open any files not of my own creation at all, other than in Google doc viewer via gmail).

              Also, if I follow that process to install KB4012212, at the end I’m back to where I started with my system not updating nor ever checking for updates, correct?

              And just to verify, to make sure there’s no confusion, installing KB4012212 even though I’ve not installed anything since the month prior to the MS bundle update change fiasco, will not cause my system any issues?

              Is KB4012212 just a single security update for this one issue, or is it a bundle of everything up until March? (Which I don’t think I’d want, as that’s why I stopped updating in the first place and would be fearful for issues caused by installing all those bundled updates.)

              Thanks again for the help!


            • #111329 Reply

              PKCano
              AskWoody MVP

              KB4012212 is not cumulative.
              If you leave Windows Update set to “Never check for updates” and the Windows Update Service on Manual, you should not have a problem.
              You will have to “stop” the Windows Update Service to manually install the update.

            • #111500 Reply

              Canadian Tech
              AskWoody MVP

              PK, I just installed KB4012212 on about 100 computers and never set WU on manual.

              CT

            • #111501 Reply

              PKCano
              AskWoody MVP

              You don’t HAVE to. I just use that as a precaution.

            • #111505 Reply

              anonymous

              Thanks, PKCano! KB4012212 successfully installed. (Interestingly enough, in the list of installed updates, it only shows it as being “Important” not “Critical.”)

              Just wondering why we’d want to leave Windows Update service set to “Manual” instead of “Disabled?” (For some reason, it was previously set to “Automatic – Delayed Start.”)

              Also, I have always had Windows Update set to “Never Check for Updates” since stopping updating, and have it still set at that.

            • #111507 Reply

              PKCano
              AskWoody MVP

              If the Windows Update Service is DISABLED, you cannot do a manual install of updates b/c the installer uses that service. If it’s on manual, it still works. For ME, it’s just an extra precaution.
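An added example, not code from PKCano or anyone else in this thread, that turns the two posts above (#111329 and #111507) into a check script: it reports whether KB4012212 and KB4015546 appear in the installed-updates list, shows the start mode of the Windows Update service (Disabled blocks a manual install, Manual does not), and, given the path of an .msu you downloaded yourself, stops the service and runs wusa.exe as described. The function names and the .msu path are assumptions.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell;
# only cmdlets available on the PowerShell 2.0 that ships with Windows 7 are used.

# KB numbers as named in the thread: March and April 2017 security-only updates.
$RequiredKbs = @('KB4012212', 'KB4015546')

function Get-SecurityOnlyStatus {
    # One line per KB, stating whether it is in the installed-updates list.
    $installed = Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object { $_.HotFixID }
    foreach ($kb in $RequiredKbs) {
        if ($installed -contains $kb) { "$kb : installed" } else { "$kb : MISSING" }
    }
}

function Get-WuServiceMode {
    # WMI exposes StartMode (Auto/Manual/Disabled) on every PowerShell version.
    # wusa.exe needs this service available, so 'Disabled' blocks a manual install.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'"
    "wuauserv state=$($svc.State) startmode=$($svc.StartMode)"
    if ($svc.StartMode -eq 'Disabled') {
        "Set it to Manual before installing:  Set-Service -Name wuauserv -StartupType Manual"
    }
}

function Install-SecurityOnlyUpdate {
    # $MsuPath is an .msu you downloaded from the Microsoft Update Catalog
    # (hypothetical helper; supply your own path). The service is stopped first,
    # as in the post above, then wusa.exe installs the package without rebooting.
    param([Parameter(Mandatory = $true)][string]$MsuPath)
    if (-not (Test-Path $MsuPath)) { throw "Not found: $MsuPath" }
    Stop-Service -Name wuauserv -ErrorAction SilentlyContinue
    $p = Start-Process -FilePath 'wusa.exe' `
        -ArgumentList "`"$MsuPath`" /quiet /norestart" -Wait -PassThru
    # 0 = installed, 3010 = installed and a reboot is required,
    # 2359302 (0x240006) = the package was already installed.
    "wusa.exe exit code: $($p.ExitCode)"
}

Get-SecurityOnlyStatus
Get-WuServiceMode
# Placeholder path; uncomment once you have downloaded the package yourself:
# Install-SecurityOnlyUpdate -MsuPath 'C:\Updates\kb4012212.msu'
```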

          • #110269 Reply

            Noel Carboni
            AskWoody MVP

            Jack, if you don’t have a good ad blocking and antimalware solution you could be subject to “drive by” malvertising.

            In short, what that means is that any site that puts ads on the page you’re looking at could inadvertently host one that installs malware on your system.

            You can be sure that the media sites you mentioned getting shows from DO try to monetize your visits by not only showing you their own commercials but by putting ads on their web pages. They are anything but trustworthy sites.

            I don’t know what the probability of getting “drive by” malware is, but certainly people are getting malware from somewhere… I have an extremely effective multi-layer ad blocking setup myself and have had no malware try to get into my system ever.

            I’d suggest considering adding ad-blocking, whether or not you feel you surf the wild internet. I presume you at least use Microsoft Security Essentials already. If not, you probably should.

            -Noel

            • #110328 Reply

              Canadian Tech
              AskWoody MVP

              Not a blocking tool but a very good clean up tool: ADWcleaner

              https://toolslib.net/downloads/viewdownload/1-adwcleaner/

              CT

            • #110659 Reply

              anonymous

              Hi Noel,

              I do have MS Security Essentials. I don’t think it’s the most recent version because I believe there was a problem with whatever latest build that was offered right before the whole MS updates thing changed, but it is definitely kept up to date with definitions. I also only use Firefox and use AdBlock Plus (although I actually have to disable it on certain show sites in order to get the shows to play, unfortunately). I also have the free version of Malwarebytes Anti-Malware. I don’t run it often to scan (it’s not real-time, just a scanner), but when I do, I update the definitions and it always comes up clean. However, it is an older version (1.70.0.1100) and I know that there is at least a 2.0 out, as it’s mentioned on the update tab in the program itself. I was hesitant to update it not knowing if it’s still a “safe” program, and if it’s an ok idea to just do so through the program itself. But that’s where I’m at, basically. Let me know what you think. Thanks!

              — Jack

    • #109531 Reply

      anonymous

      (Win764bit)”If you didn’t get caught up on March’s Windows patches, make sure you install MS17-010. For Win7 and 8.1, you can use either the Monthly Rollup or the Security-Only version”

      I originally planned to stay in group A but ended up drifting into group W just by being overwhelmed by the whole thing.

      I did work out by going through the exploit list and update solutions that I needed and could update the MS17-010 March security only update prior to your article being published but……..

      ……is there a simple list of Group A updates month by month or should I just do a Group B rollup in April (when it’s safe) and accept that I’m not Group A material?

      This shadow brokers thing was a wake up call that I need to stay proactive with my security updates.

      Thanks Woody & valued askwoody.com contributors 🙂


      • #109564 Reply

        MrBrian
        AskWoody MVP

        My Windows 7 updates recommendation: Run Windows Update. When you get the results, leave everything at defaults except uncheck these updates if they are checked:

        kb2952664

        kb3021917

        kb3068708

        kb3080149

        3 users thanked author for this post.
        • #109822 Reply

          ch100
          AskWoody MVP

          @mrbrian

          The recommendation to avoid KB3068708 and KB3080149 seems to be obsolete, as updated functionality seems to be included in further updates.
          Those two patches are offered to all server versions and are core functionality for all versions of Windows now.
          For those interested in having a fully functional and supported system, please install everything which comes on Windows Update including all Optional Updates EXCEPT:

          KB971033
          KB2952664/KB3150513
          KB3021917
          Preview Updates

          There is no big issue if either of those updates above are actually installed, but they are the only true Optional updates released and which do not impact functionality.

          PS Please stop messing around with the Microsoft Catalog if you are interested in a properly functioning system and use Windows update instead, as intended. Those who can correctly handle the Catalog updating style (Group B) are not those taking advice from posters on this forum, but those using Enterprise tools for this purpose.
          Those in Group B, please ask yourselves what is your reference to know at any time that your installation is fully up to date when using the Group B updating style? Various lists compiled by posters on Internet sites do not qualify as reference.

          • This reply was modified 1 week, 1 day ago by  ch100.
          3 users thanked author for this post.
          • #109834 Reply

            woody
            Da Boss

            Excellent. So what do you say to Win7 users who don’t want to participate in Microsoft’s telemetry/snooping activities?

            We have a list of the 1699 data items Microsoft collects, as a minimum on Creators Update machines. But we haven’t a clue about fully patched win 7 machines.

            7 users thanked author for this post.
            • #109852 Reply

              ch100
              AskWoody MVP

              Excellent. So what do you say to Win7 users who don’t want to participate in Microsoft’s telemetry/snooping activities?

              We have a list of the 1699 data items Microsoft collects, as a minimum on Creators Update machines. But we haven’t a clue about fully patched win 7 machines.

              I think there is a Group Policy which can redirect telemetry data collection to an internal server, which can be fake. This applies to those with KB2952664 installed on Windows 7. Windows 10 comes with the equivalent functionality built-in and I believe it can be configured in the same way.
              For those without KB2952664 on Windows 7, CEIP configured to not report should be enough as proved on the old site by MrBrian’s exhaustive testing.
              Even so, the telemetry is over-rated as being dangerous and the Basic configuration for Windows 10 Pro should suffice in general.
              There was not long ago a post in relation to Windows 10 Enterprise being fully compliant with HIPAA and if that OS can be made compliant with the HIPAA or Department of Defense requirements worldwide, I don’t see why it cannot be used safely by any John Doe.

            • #109981 Reply

              Elly
              AskWoody Lounger

              Group Policy isn’t available to Win 7 Home… so one option that would make that kind of configuration possible, would be to upgrade…

              Doesn’t leave much for Win 7 Home users that don’t want telemetry or to mess with the system that they have and is working perfectly well…

              I’m successfully updating with the security only updates every month. Thank you Woody, and PKCano for helping to make that a breeze.

              Elly-

              Win 7 Home, Group B

              1 user thanked author for this post.
          • #109835 Reply

            MrBrian
            AskWoody MVP

            Thank you for your input, and welcome back :).

            When I wrote that post, I thought about mentioning that, of Windows 7 updates that are checked by default, only KB2952664 and probably also KB3021917 should be avoided, but I want to test KB3068708 and KB3080149 further before saying so publicly. I didn’t mention KB3150513 because it is offered only if KB2952664 is already installed, if I recall correctly. I didn’t mention KB971033 because it’s unchecked by default now; I recommend avoiding KB971033.

            About Optional updates: in my Windows 7 update history, I have installed 5 Optional updates but avoided some of the other Optional updates.

            In my opinion, Windows 7 users who want to avoid the telemetry additions of the past few years would be better off installing updates through Windows Update than by being in Group B.

            About recent Windows telemetry additions: see Knowledge Base article 2952664: Telemetry in Win7/8.1 – KB2952664, KB2977759, KB2976978, & KB3150513.

            • This reply was modified 1 week, 1 day ago by  MrBrian.
            • This reply was modified 1 week, 1 day ago by  MrBrian.
            • This reply was modified 1 week ago by  MrBrian.
            1 user thanked author for this post.
            • #109853 Reply

              ch100
              AskWoody MVP

              KB3021917 is also unchecked now if Recommended are to be considered as Important.
              I am in favour of installing all Optional updates offered which are unchecked, except for those already mentioned.
              The classification of Security, Critical, Update Rollups, Recommended, Optional, Feature Packs is purely arbitrary and all updates are equally important, if Windows 10 is any indication of the current approach.
              I think this was mentioned a few times by @abbodi86 and it is my view as well.

              • This reply was modified 1 week ago by  ch100.
            • #111352 Reply

              ch100
              AskWoody MVP

              In my opinion, Windows 7 users who want to avoid the telemetry additions of the past few years would be better off installing updates through Windows Update than by being in Group B.

              It is not only you.
              This issue is getting out of hand and while it was fun to observe for a while, it is beyond ridiculous now after more than 6 months of so much nonsense.

              1 user thanked author for this post.
      • #109568 Reply

        PKCano
        AskWoody MVP

        I wonder if you have Group A and Group B mixed up.

        Group A installs everything that is already CHECKED (except the telemetry patches as mentioned by @mrbrian above). This is the easiest for non-techies.

        Group B does NOT install the “Security Monthly Quality ROLLUP for Windows” that is offered through Windows Update. Group B instead downloads from the MS Catalog the “Security Only Quality UPDATE for Windows” and the Cumulative update for IE11 and installs them manually.
        If you need the Group B patches, they are listed here every month

        Edited to add link

        • This reply was modified 1 week, 2 days ago by  PKCano.
        1 user thanked author for this post.
    • #109710 Reply

      anonymous

      ^^^

      I wonder if you have Group A and Group B mixed up.

      Group A installs everything that is already CHECKED (except the telemetry patches as mentioned by @mrbrian above). This is the easiest for non-techies.

      Group B does NOT install the “Security Monthly Quality ROLLUP for Windows” that is offered through Windows Update. Group B instead downloads from the MS Catalog the “Security Only Quality UPDATE for Windows” and the Cumulative update for IE11 and installs them manually.
      If you need the Group B patches, they are listed here every month->


      Thanks PKCano – 100% correct – I did indeed mix up group A&B – Thanks for the link <3 Love you guys !!

    • #110587 Reply

      Steve
      AskWoody Lounger

      {edit} Additionally, I suspect opening a Word document in Notepad is also possible if you wade through the formatting text. Just looking at options for those who do not have (or want to have) a Google account.

      If you can’t fit it into Notepad, Wordpad should be able to handle it. But you will have to scroll through it to excise the non-textual data.
