AskWoody

MS-DEFCON 2: Pause on patching

ISSUE 18.17.1 • 2021-05-10 By Susan Bradley It’s time for both business users and consumer or home users to pause Windows updates. Accordingly, I’m changing the AskWoody MS-DEFCON level to 2. Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it. Consumer and home users If you are a home/consumer user, I recommend two actions to ensure you do not get inadvertent updates. First, select Start, Settings, Network & Internet, and then Wi-Fi or Ethernet (whichever connection you are using). Next, click Manage known networks; click on the network that you use, click Properties, and turn on Set as metered connection. This “tricks” the computer into thinking that your Internet connection is not unlimited (i.e., you might incur charges) and thus will download patches only after you approve the process. The second action is picking a deferral date after May 11, when Microsoft will push out the next Patch Tuesday security releases. Click on Start, Settings, Update & Security; then click on Advanced Options. Pick a date far enough in the future to give you comfort. I always wait at least a week, usually more. I’ll be re-evaluating the update situation closer to the end of the month, but for now choosing May 28 should be safe enough. For those of you with an Office click-to-run (CTR) edition, I strongly recommend that you change to the semiannual channel rather than the monthly one because it will keep you from the Autocomplete bug. Business users Coming this month in the May Security releases, Microsoft will be including a new “News and Interests” taskbar item featuring items of interest to your users. Remember, if you want to proactively block it, there are registry keys and group policy to control it. References AskWoody Master Patch List Read the full story in the AskWoody Plus Alert 18.17.1 (2021-05-10).

Anatomy of a malware

ISSUE 18.17 • 2021-05-10

SAFETY

By Ben Myers

Things are not always as they seem. What might appear to be a devastating, PC-destroying piece of malware can sometimes be a spoof.

Recently, a client gave me his laptop, which displayed a frightening message as soon he logged in. This variety of malware is all too popular. Here is a step-by-step process to remove it, expecting that the antivirus software installed in the computer cannot do its job. Along the way, you will see where malware is often hidden.

Read the full story in the AskWoody Plus Newsletter 18.17.0 (2021-05-10).
This story also appears in the AskWoody Free Newsletter 18.17.F (2021-05-10).

Buy the drives you need before ‘chia’ gets them all

PUBLIC DEFENDER

By Brian Livingston

Prices of high-capacity solid-state drives (SSDs) have almost doubled at the producer level just in the past few weeks — and shortages are already affecting us. The cause is a new kind of cryptocurrency that demands vast amounts of disk space around the world for its financial network to function.

The new digital coins, which began trading only a week ago, bear the odd moniker of “chia.”

Read the full story in the AskWoody Plus Newsletter 18.17.0 (2021-05-10).

From bad to worse: A repair goes awry

LANGALIST

By Fred Langa

Sometimes, well-intentioned repairs can actually make things worse than before. That’s what happened to a reader who was trying to correct a Windows login error but ended up with a completely unbootable PC!

Is it possible for him to get Windows running again with its already installed software still intact and working? Or is a full reinstall in his future?

Plus: The care and feeding of that little coin-cell battery on your PC’s mainboard.

Read the full story in the AskWoody Plus Newsletter 18.17.0 (2021-05-10).

Freeware Spotlight — O&O Lanytix

BEST UTILITIES

By Deanna McElveen

When showing up at a new client’s small business, the first thing you need to know is where the heck everything is. Or maybe you just want to take inventory of your home network.

How many routers are there? How many computers? How many people are using the company Wi-Fi for their personal phones? Is your kid using his/her laptop at 3 a.m.? What are the IP addresses and MAC addresses?

Read the full story in the AskWoody Plus Newsletter 18.17.0 (2021-05-10).

Is the cloud unsafe?

ON SECURITY

By Susan Bradley

Using the cloud isn’t always a bad thing.

During this year of the pandemic, we’ve pivoted from doing many things in person to many things online. In my industry, one of the key changes is moving from in-person meetings to online meetings via services such as Zoom, Google Meet, and Microsoft Teams. Another is doing more and more financial transactions online, including accounting for them.

Read the full story in the AskWoody Plus Newsletter 18.17.0 (2021-05-10).

Tasks for the weekend – May 8th – Should I remove KB4023057?

Youtube here

KB4023057 is an update that comes out normally before a feature update is released. In theory it’s supposed to help a machine get the feature update installed by ensuring that there’s enough hard drive space, that the system won’t snooze and that the windows update components are “healthy” to then install the feature release.

Now if it really wanted to help machine get a feature release installed, it would check drivers, flag which ones would cause issues and warn you in plain English what issues you would face. If  I were coding it up, I would make it so that when it found a machine with Conexant drivers it would remove them and ensure it was set to install 2004. But I digress…

Because it doesn’t have a reputation of being well behaved, you’ll see it recommended to either block the  install (use Wushowhide from Oldergeeks or your favorite hiding tool of choice), or if it sneaked in while you weren’t looking, to uninstall it. If it snuck in, look for “Microsoft Update Health Tools” in the classic control panel/programs and features and remove it.

Conexant and the 2004 saga continues

I’m scratching my head a bit this morning reading the post on Bleeping computer.

Microsoft has addressed the last remaining known issues affecting Windows 10 computers with Conexant or Synaptics devices causing errors and problems when updating to Windows 10 versions 2004 or 20H2.

But when you go to the underlying Windows Health dashboard item it still is the same lousy resolution as before:

Resolution: The safeguard hold with safeguard IDs 25702617, 25702660, 25702662, and 25702673 has been removed for all devices as of May 7, 2021, including devices with affected drivers. If updated drivers are not available for your device and you are offered Windows 10, version 2004 or Windows 10, version 20H2, a small number of devices might roll back to the previous version of Windows 10 when attempting to update. If this occurs, you should attempt to update to Windows 10, version 2004 or Windows 10, version 20H2 again.

I don’t read “gee, we scan your computer, see that it has an impacted driver, remove it DURING the 2004 install so that you have a nice install process”, I still read that you will have a horrible upgrade experience and you’ll have to try it several times before it completes.

Should we trust our routers?

Michael Horowitz has a story about how the Asus GT-AC2900 router had THREE password bypass flaws….

The Asus GT-AC2900 router had 3 password bypass flaws. They were fixed. But . . . what about the many other Asus routers? Neither Asus nor the researcher addressed this. It is hard to trust *any* Asus router.
https://t.co/pH6ALelv4d

— Michael Horowitz (@defensivecomput) May 7, 2021

Dell computers put at risk

So today’s headline that I wrote above is one that I see too often. It gets you to be worried about something that I honestly don’t think attackers will use as a means to attack us.

Here’s the background (thanks to reader RougeSec58 for the links:)

Dell support article

Reddit thread with N-Able script to remove it.

So the other day I read this twitter post….

Due to the introduction of Driver Signature Enforcement & Kernel Patch Protection, it’s become increasingly rare for attackers to create and execute #Windows rootkits.

All of these firmware/rootkit headlines make me ponder… gee… why is it that attackers use phishing lures so much? Because that’s the low hanging fruit. It’s not easy to attack us to go after Spectre style attacks. I see this Dell issue in the same way. It’s way easier to get us with phishing lures and click baits than it is with these sort of attacks.

“there is no evidence at this time that its flaws have been exploited in the wild.”

Just because there is a possibility of attack doesn’t mean it is probable that it’s  being attacked.

As always, feel free to disagree with me and educate me that I’m in the wrong. That’s what security is all about anyway ….weighing the risks and trying to determine if THAT is going to get me or if it’s just headlines to make me worry.

Ghacks report Defender bug

https://www.ghacks.net/2021/05/05/windows-defender-bug-may-fill-your-hard-drive-with-thousands-of-files/

Martin reports postings about defender scan files filling up hard drives. I’m plain old Defender here and not seeing this issue so it appears like it’s an interaction between Defender and possibly Sophos? Note that to see that location you’ll need to have “Show/hide” box ticked to show Hidden items and then you’ll have to click through a UAC prompt to see into that Store folder.

The May 2021 Office non-Security Updates have been published

The May 2021 Office non-Security updates have been released Tuesday, May 4, 2021. They are not included in the DEFCON-4 approval for the April 2021 patches. Unless you have a specific need to install them, you should wait until Susan Bradley (Patch Lady) approves them and any problems have been reported.

Remember, Susan’s patching sequence and recommendations are based on a business environment that has IT support and may have time constraints on the updating process. Consumer patching should be more cautious due to limited technical and mechanical resources. The latter is the reason for the AskWoody DEFCON system.

Office 2016
Update for Microsoft Office 2016 (KB4462117)
Update for Skype for Business 2016 (KB4493155)
Update for Microsoft Outlook 2016 (KB5001921)

There were no non-security listings for Office 2010 (which reached EOS on October 13, 2020) nor for Office 2013.
On April 10, 2018, Office 2013 reached End of Mainstream Support. Extended Support will end for Office 2013 on April 11, 2023.
Office 2016 also reached  End of Mainstream Support on October 13, 2020. EOS for Office 2016 is October 14, 2025.

Updates are for the .msi version (perpetual). Office 365 and C2R are not included.

Security updates for all supported versions of Microsoft Office are released on the second Tuesday of the month (Patch Tuesday).