AskWoody

Windows 10 more vulnerable – revisited

I asked the other day if Windows 10 was more vulnerable. Turns out we have another problem with Windows 10 – and Windows 11 for that matter.

CVE-2021-36934 has been released to track an issue that a researcher has stumbled on … and it’s honestly been around for a while. Starting with Windows 10 1809 and later, the default permissions on the “Security accounts manager database” (also known as SAM database)  aren’t set right and if you are a non administrator user where you shouldn’t have the ability to access that file, in Windows 10 1809 and later you DO have rights to that file.

While on consumer and home computers this isn’t a huge issue, in businesses where keeping ransomware at bay is near impossible these days, it’s not a good thing at all.

Bleeping computer explains the situation…. “With these low file permissions, a threat actor with limited privileges on a device can extract the NTLM hashed passwords for all accounts on a device and use those hashes in pass-the-hash attacks to gain elevated privileges.”

The SANS site tells how specifically this vulnerability takes place….“The only issue here is how do we read those files: when Windows are running, the access to the files is locked and even though we have read permission, we won’t be able to read them.  As two great researchers found (@jonasLyk and @gentilkiwi), we can actually abuse Volume Shadow Copy to read the files. VSS will allow us to bypass the file being locked, and since we have legitimate read access, there’s nothing preventing us from reading the file. VSS is a feature that is enabled automatically on Windows and that allows us to restore previous copies in case something got messed up during installation of a new application or patch, for example. If your system disk is greater than 128 GB, it will be enabled automatically!”

Action items to take as a consumer:  Nothing.  The potential mitigation “apart from disabling/removing VSS copies. Keep in mind that the permission on the hives will still be wrong, but at least a non-privileged user will not be able to easily fetch these files due to them being locked by Windows as the system is running.” to me is not viable and puts your system at risk for not being able to use previous versions tab, backups and other goodness. I’d rather not change any permissions because given that this has been in place since 1809, software may be expecting these permissions. I’ll let you know when a patch or fix comes out, or a mitigation that I consider safe.

Actions to take as an IT Pro or MSP: Also nothing at this time. Again, I consider VSS copies too important to disable.

Bottom line, stay tuned.

Edit 7/23/2021 For IT Pros and MSPs, I’d recommend that you inventory your servers and clients to see if they are impacted.  See VU#506989 – Microsoft Windows gives unprivileged user access to system32\config files (cert.org)

Windows 10 more vulnerable?

ISSUE 18.27 • 2021-07-19

PATCH WATCH

By Susan Bradley

Every month brings the usual suspects — zero-day vulnerabilities, remote code execution, denial of service attacks, plus the odd Defender bug here and there.

But as we count up the vulnerabilities, there is a disturbing trend. If you go by head counts of the bugs in each version, Windows 10 has more bugs this month than Windows 7.

Read the full story in the AskWoody Plus Newsletter 18.27.0 (2021-07-19).
This story also appears in the AskWoody Free Newsletter 18.27.F (2021-07-19).

How to tell whether a fintech app such as Chime is a scam

PUBLIC DEFENDER

By Brian Livingston

We’ve recently seen an explosion of activity in the field of fintech — financial technology — which is causing ripples in the old-school world of banking and Wall Street.

The most-downloaded fintech app in the first six months of 2021, according to data firm Apptopia, belonged to Chime Financial, Inc., a seven-year-old, San Francisco–based unicorn that’s a darling of Silicon Valley venture capitalists.

Read the full story in the AskWoody Plus Newsletter 18.27.0 (2021-07-19).

Windows 11 says good-bye to these familiar features

WINDOWS 11

By Lance Whitney

Windows 11 jettisons a bunch of items from Windows 10. But which losses will cause the most pain among loyal Windows users?

To paraphrase a famous biblical quote, “Microsoft giveth, and Microsoft taketh away.” And that’s certainly true with Windows 11. With this new version of Windows, the folks in Redmond have added a range of features including a new visual design, a new Start menu, a widgets pane, and a revamped Microsoft Store, as well as upcoming integration with Microsoft Teams and support for Android apps.

Read the full story in the AskWoody Plus Newsletter 18.27.0 (2021-07-19).

Window 10 Home vs. Pro: A real-life test drive

LANGALIST

By Fred Langa

An upgrade from Home to Pro edition costs around US$100, but is it really worth it?

What does Pro edition offer that Home lacks? What does a Pro edition user give up in switching to Home? And, besides price and somewhat differing features, do the dissimilarities really matter in normal day-to-day Windows operation?

Read the full story in the AskWoody Plus Newsletter 18.27.0 (2021-07-19).

Sliding over to LibreOffice — or not

PRODUCTIVITY

By Sandra Henry-Stocker

LibreOffice is a great replacement for Microsoft Office.

It provides a very similar set of applications. All are top-quality, easy to use, versatile, and well supported. This includes tools to create documents, spreadsheets, slide shows, databases, drawings, etc. LibreOffice and MS Office are similar enough that you’re likely to get off to a fast start when you first use any of the apps. LibreOffice is also completely free — no initial price tag and no monthly fees.

Read the full story in the AskWoody Plus Newsletter 18.27.0 (2021-07-19).

Tasks for the weekend – July 17 – what’s your password?

(Youtube here)

Just the other day I was reminded to be careful with any of the social media “game” questions that try to make you build a name from various information you provide. What these are doing it trying to get you to expose your security password reset answers…. typical password reset questions include:

What Is your favorite book?
What is the name of the road you grew up on?
What is your mother’s maiden name?
What was the name of your first/current/favorite pet?
What was the first company that you worked for?
Where did you meet your spouse?
Where did you go to high school/college?
What is your favorite food?
What city were you born in?
Where is your favorite place to vacation?

As a study indicated, “All four of the most popular webmail providers – AOL, Google, Microsoft, and Yahoo! – rely on personal questions as the secondary authentication secrets used to reset account passwords. The security of these questions has received limited formal scrutiny, almost all of which predates webmail. We ran a user study to measure the reliability and security of the questions used by all four webmail providers. We asked participants to answer these questions and then asked their acquaintances to guess their answers. Acquaintances with whom participants reported being unwilling to share their webmail passwords were able to guess 17% of their answers. Participants forgot 20% of their own answers within six months. What’s more, 13% of answers could be guessed within five attempts by guessing the most popular answers of other participants, though this weakness is partially attributable to the geographic homogeneity of our participant pool.”

Bottom line be careful when social media games try to get information from you, they may be trying to trick you. And next time you pick a password reset answer, try NOT to pick the usual stuff.

Print spooler – here we go again

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481

Just out right now.

Here we go again: Yes, another Print spooler vulnerability, no patch yet. Not sure which platforms are vulnerable.

So if you took mitigation such as disabling print spooler – leave it off.

As we know more, you’ll know more.

(Susan is saying… really? More Print spooler bugs?  Can’t we get them all fixed at the same time?)

Edit 7/18:  New Windows print spooler zero day exploitable via remote print servers (bleepingcomputer.com) Even more print spooler bugs.

EFI Partition issues?

Passing this along as a heads up… now mind you I have installed this patch on several machines with zero issues.  And point number two – remember ANY issue is recoverable if you have a backup.

On a reddit thread, a poster is indicating issues with EFI partitions causing a no boot situation after the install of the July updates. An EFI partition is “The EFI partition (similar to the System Reserved partition on drives with the MBR partition table), stores the boot configuration store (BCD) and a number of files required to boot Windows. When the computer boots, the UEFI environment loads the bootloader”.

Some things to keep in mind that monthly patches don’t move a EFI partition so I don’t think that’s what’s going on. When you have two EFI partitions that typically means you dual boot and I always consider a dual booting machine an advanced setup that you should consider a bit more carefully and ensure it’s backed up.

I personally don’t dual boot, rather I use virtual machines as I feel it’s safer.

But bottom line we’ll keep an eye on it and keep you posted.

Is your next PC a cloud?

Alex in the forum posts about Microsoft’s latest announcements about their “Windows 365” product.

(yes yet another groaner of a name from Redmond, let’s not confuse it with Microsoft 365 that is merely the suite of Office apps, Windows 365 is a hosted desktop running Windows that includes Microsoft 365 apps)

This week is Microsoft’s partner event called Inspire and they often make announcements and product releases.  Mind you in this era of cloud nothing is really “RTM” or in the old days “release to manufacturer and thus code complete, now days it’s called public or private previews and then later on general availability.

Windows 365 is a hosted desktop that you can log into from anywhere/anything … sort of like Remote desktop protocol/RDGatewaying into your desktop at home or the office. It remains to be seen if this is offered to consumers. It will be interesting to see how this patches up on a monthly basis. Similar to Surface machines where in theory this should be the BESTEST/MOSTEST/FANTASTIC patching experience EVER, we shall see how well this goes. These machines should have ZERO patching issues.  None.  Zilch. In theory at least.

Other announcements impacting small businesses – or rather the Managed service providers that support small businesses – Microsoft Lighthouse.  A remote tool for a partner to manage many clients.  Yes, right now attackers are sooooooo going after the consultants that manage lots of businesses because it’s easy picking. Just the other day the remote management company Kaseya had their product used as a means to launch ransomware against consultant’s customer base.

Another tool is called Project “Orland” and is touted as “…. is a new experience in Partner Center to help cloud solution provider (CSP) partners grow their cloud businesses by sharing Microsoft-powered insights about their customers to improve account management. CSP partners will get recommendations from their existing customer base such as customers with trial conversion potential, customers who may need follow-up engagements or customers ready for new workloads to deploy.”  I raised my eyebrow a bit on that description. Okay Mr. or Ms. Consultant, you are explaining to your customer that you are spying on them, yes? It will be interesting to read that eula.

July 2021 security updates are out

Which means we wait and see how the month fares before dipping our toes into the patching waters.

Remember the Print spooler patch that was released earlier this month is also included in this batch. Microsoft has included the fix for the USB label printers (Zebra/Dymo) but if you have any label printer it would be wise to hold off – or at least prepare yourself to uninstall if you have to.

Exchange (email server) has another patch so if you are still patching an on premises Email server, heads up!

As always, holler if you do see issues and report in when you don’t, as it helps to see how many come through okay.

Windows 7 ESU folks have a servicing stack update.

Resources to read in the meantime:

Dustin Childs’ Zero day blog

Firefox 90 is out

Security updates for Firefox

Bleeping Computer – 9 zero days fixed

Edit 7/14/2021 – added links to Master Patch page (Plus members only)

So far not seeing anything major trending at this time, keeping an eye on things.

Microsoft Edge imports other browsers’ passwords

ISSUE 18.26 • 2021-07-12

PUBLIC DEFENDER

By Brian Livingston

When some readers installed the new Microsoft Edge browser — which replaces the old “legacy Edge” — they got a big surprise. They discovered that Edge had somehow magically absorbed all the usernames and passwords they’d carefully saved in their previously installed browsers, such as Chrome, Firefox, Internet Explorer, and legacy Edge.

What’s even more surprising is that Edge — which until recently couldn’t import or export passwords at all — may be doing this new behavior by design.

Read the full story in the AskWoody Plus Newsletter 18.26.0 (2021-07-12).
This story also appears in the AskWoody Free Newsletter 18.26.F (2021-07-12).