AskWoody

Minor problems with this week’s Win10 versions 1903/1909 and 2004 cumulative updates

Mayank Parmar reports on Windows Latest:

When installing Windows 10 KB4565351 (v1903/1909) and KB4566782 (v2004), users are saying that they are being greeted with unhelpful error messages, including 0x800f0988, 0x800f081f, and 0x800f08a.

The most-reported error code is 0x800f081f and it could be related to missing files in the WinSXS folder that stores different copies of DLL and system files.

[The Win10 version 1903/1909 cumulative update] is also breaking audio for some users and there are reports of Blue Screen of Death with “SYSTEM THREAD UNHANDLED EXCEPTION” error on Feedback Hub.

I haven’t seen a lot of reports of those problems, but they’re irritating nonetheless.

See Parmar’s article for descriptions and workaround.

Patch Lady – want to know what is in those URLs?

https://dfir.blog/unfurl/

Came across this in my forensic reading the other day.

Unfurl takes a URL and expands (“unfurls”) it into a directed graph, extracting every bit of information from the URL and exposing the obscured. It does this by breaking up a URL up into components, extracting as much information as it can from each piece, and presenting it all visually. This “show your work” approach (along with embedded references and documentation) makes the analysis transparent to the user and helps them learn about (and discover) semantic and syntactical URL structures.

If you’ve ever seen a URL and seen all that tracking stuff on the back end, this parses all that info out and lets you see how all of these browsers and vendors can track us.  Next time you have a link with unusual info on the back side, stick it in there and see what it says it’s parsed out from the link.

Patch Lady – Defender not having a good week

So the other day we had folks reporting issues with Defender and Western Digital drivers.

Today Citrix Broker service was flagged as malicious and well.. a whole bunch of work from home remote workers weren’t working anymore.

Bottomline the best antivirus is silent and does it’s job.  And when it doesn’t…. it often is very painful.  It’s a tight tap dance around our operating systems to determine what is malicious and what is not. And when the attackers try EXTREMELY hard to LOOK like a normal application doing it’s job.  Bottom line we depend so much on antivirus and curse at them when they don’t work.

Details from Kaspersky on this month’s IE 0day, CVE-2020-1380

Boris Larin at Kaspersky has published details on one of the two “OMG! It’s a ZERO-DAY!” security holes plugged yesterday, CVE-2020-1380 – “Scripting Engine Memory Corruption Vulnerability”

Looks like it’s Internet Explorer-only, JavaScript based, and used in an attack “on a South Korean company.”

That’s pretty standard fare for Patch Tuesday zero-days. Yep, you have to patch eventually. Yep, if you’re defending state secrets you need to be aware of it. But for most of us it’s no big deal.

Report that this month’s Win10 version 2004 cumulative update, KB 4566782, is throwing error 0x800f0988

Looks like the error also occurred in the preview, released July 31.

From artins90 on Reddit:

Anybody else see the same problem?

The Surface Duo is now official

Ho hum.

Microsoft is now taking preorders for the Surface Duo, with delivery starting September 10

Two screens of Android phone (each screen at 1800 x 1350), a 19th-century hinge, 6 GB of RAM, and wide, fluid expanses of bezels. For a mere $1,400, you get 128 GB of storage ($1,500 for 256 GB) — and a free nano SIM card, if you go with AT&T. $75 for a pen, $200 for earbuds or $250 for headphones.

Developers can  “optimize the layouts of their apps to really take advantage of the two displays and span across them.” I’m guessing that we’ll see maybe two developers who spend real money to make Duo screens work. “There is an algorithm in there that’s very smart and trying to be predictive. If you’re on one screen and you’re invoking a link, it will fill the other screen.”

A worthy addition to the Surface line, eh? The Surface D.O.A.

SANS Institute security breach

Wow. If SANS can’t keep their systems secure, what hope do the rest of us have?

Looks like somebody sent a malicious Office 365 add-in to a SANS employee, who installed it. The program started forwarding emails, including some with personally identifiable information on 28,000 accounts.

Details here.

Welcome to the August 2020 Patch Tuesday plop

Willkommen, bienvenue, welcome!
Fremde, étranger, stranger
Glücklich zu sehen, je suis enchanté, happy to see you
Bleibe, reste, stay

Patch Tuesday is upon us. Here’s a quick look at what’s coming down the pike (updated in real-enough time):

• 261 separately downloadable patches. It’s a big one.
• They fix 120 separately identified security holes (CVEs). I believe that’s a record.
• Cumulative updates for all recent versions of Win10, including KB 4566782  for Win10 version 2004 and KB 4565351 for Win10 1903 and 1909 (once again the same patch for both versions).

Great quote from Dustin Childs:

This volume – along with difficult servicing scenarios – puts extra pressure on patch management teams.

There are two “actively exploited” zero-days (notes from Childs):

• CVE-2020-1464 – Windows Spoofing Vulnerability This spoofing bug is publicly known and currently being exploited. It allows an attacker to load improperly signed files, bypassing signature verification. Microsoft does not list where this is public or how many people are affected by the attacks.
• CVE-2020-1380 – Scripting Engine Memory Corruption Vulnerability
  This bug in IE is currently under active attack. Attackers could run their code on a target system if an affected version of IE views a specially crafted website. It is not known how extensive the attacks are, but considering this bug was reported by Kaspersky, it’s reasonable to assume malware is involved.

Expect to hear lots of wailing from the blogosphere about those two security holes. “Microsoft advises hundreds of millions of Windows users to patch Right Now.” Meh. The first one is only rated “Important,” not “Critical,” which means it’s mighty obscure and likely to stay so for quite some time. As for the second one, if you’re still using Internet Explorer, you already have a sign out that says, “Kick me.”

That said, I’m deeply trouble by Mozilla’s announcement that it’s laying off 250 employees. See Catalin Cimpanu’s analysis on ZDNet.

There’s also KB 4569751 the Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10 Version 1903 and Windows Server 1903 RTM and Windows 10, version 1909 and Windows Server, version 1909 . Odd. On the main .NET update page, this one’s listed (in the left column) as a Preview. Not likely, but it’s hard to say.

And I see Servicing Stack Update, uh, updates all over the place.

There’s a codec security hole, again, CVE-2020-1585, that’s being plugged via the Windows Store, again. Looks like you could only get the buggy codec from the Store, thus the unconventional (but increasingly more common) distribution route.

Martin Brinkmann has his usual thorough list on ghacks.net.