AskWoody

16-year U.S. data leakage: KrebsOnSecurity

Security supremo Brian Krebs has published details of a long-standing data leak he stemmed this week:

The Web site for Fortune 500 real estate title insurance giant First American Financial Corp. leaked hundreds of millions of documents related to mortgage deals going back to 2003, until notified this week by KrebsOnSecurity. The digitized records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images — were available without authentication to anyone with a Web browser.
…
I should emphasize that these documents were merely available from First American’s Web site; I do not have any information on whether this fact was known to fraudsters previously, nor do I have any information to suggest the documents were somehow mass-harvested (although a low-and-slow or distributed indexing of this data would not have been difficult for even a novice attacker).

See Brian’s blogpost “First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records” for details.

We were down – but we’re now back up and limping

There was a gap of almost seven hours in posts. I still don’t know what happened, for sure – and we’re still missing some important pieces, like the list of most recent posts.

Patience, please. But in the interim, post away! We’re all still here.

Windows Release Health Dashboard now live

Some time ago Microsoft announced they would be more transparent about the status of Windows 10 regarding known issues and fixes. With the release of Windows 10 version 1903 aka the Windows 10 May 2019 update, the status pages are now live. In the release announcement, How to get the Windows 10 May 2019 Update, these pages are referred to as the Windows release health dashboard.

Be aware that the known issues are only the ones Microsoft has acknowledged. There will always be more than what Microsoft confesses to. In any event, these pages have the potential to be an invaluable resource and be one of the first places to check when problems occur.

Here’s a link to the top level page – Windows 10 release information.

Here’s a link to the Windows 10 version 1903 status – Windows 10, version 1903 and Windows Server, version 1903.

Under Win10 1903, Edge refusing to open HTTPS sites

I’m seeing reports of bugs in Edge. The error messages say:

SEC7120: [CORS] The origin ‘ms-appx-web://microsoft.microsoftedge’ failed to allow a cross-origin font resource at ‘ms-appx-web:///assets/Fonts/BrowserMDL.ttf#Browser MDL2 Assets’.

CSS3119: No fonts available for @font-face rule ErrorPageStyles.css (11,7)

Remember “Download and install now” – the big reason to upgrade to 1903? Yeah. Not so much.

I have high hopes for “Download and install now,” the new feature in Win10 version 1903, just out. Six weeks ago I wrote about it, saying:

By the time Microsoft ships Win10 1903, theoretically in late May, we’re supposed to have the tools necessary to block it. At the very least, you should block it until Microsoft says it’s ready to be deployed on business machines (what used to be called “Current Branch for Business,” then the “Semi-Annual Channel” — and now it doesn’t have a name)…

If we get what’s been promised, there’ll likely be some new traps to avoid, but life will indeed be better.

and guess what? We have new traps to avoid.

I’m still trying to get the “Download and install now” patch on my Win10 1809 machine. So far, no luck. But it’s being added to 1803 right now – KB 4499183 contains the new link:

Starting with update KB4499183, we are introducing functionality that allows you to decide when to install a feature update. You control when you get a feature update while simultaneously keeping your devices up to date. Feature updates that are available for eligible devices will appear in a separate module on the Windows Update page (Settings > Update & Security > Windows Update). If you would like to get an available update right away, select Download and install now.

With the May 21 announcement, we found out when Microsoft’s going to start pushing 1903 on Win10 1803 machines:

Starting this June, we will begin updating devices running the April 2018 Update, and earlier versions of Windows 10, to ensure we can continue to service these devices and provide the latest updates, security updates and improvements. We are starting this machine learning (ML)-based rollout process several months in advance of the end of service date to provide adequate time for a smooth update process.

Of course, Win10 1803 and then Win10 1809 were both pushed out using new, improved machine learning rollout processes. Look at all the good it did us.

So the short story is that, if you want to continue to use 1803 until it dies in November, you need to proactively block 1903. Microsoft will take your lack of a block as a signal that you really want 1903. And the “Download and install now” link may or may not work the way you might expect.

Stay tuned.

New forum for Win10 1903

With its official release, it’s time to give Win10 version 1903 its own forum.

Et viola: https://www.askwoody.com/forums/forum/askwoody-support/windows/windows-10/windows-10-version-1903-may-2019-update/

Is it time to install Win10 1903?

I can hear you scoffing. But nevermind. I just got this bit of mail:

Dear Mr. Leonhard,

In your article, you tell us *how* to prevent Windows 10 from updating to version 1903, (and a lot of time complaining about Microsoft in general), but you entirely neglect to tell your readers *why* we may wish to do so.  The closest you come is a link to a different article listing new features in the update (which is behind a paywall, so I can’t read that anyway).

Those of you who have been reading my stuff for the past decade (or two) will know the answer immediately. But this reader has a very good point – if you’re coming at this cold, or at least coming at this from the “rah rah” tech press sycophancy, why should you avoid Win10 1903? After all, Microsoft was nice enough to release 1903 yesterday — only for “seekers” who click “Check for updates” at this point — and declare Win10 1809 ready for business/broad deployment, at the same time.

The simple, and I think overwhelming, answer is that Microsoft has never, ever delivered a stable new version of Windows. Ever. Going back for as long as I’ve been writing about Windows – Pterodactyl Edition or thereabouts.

The last two versions –Win10 1803 and 1809 — were particularly heinous.

Combine the inherent risk with the dearth of worthwhile features — it really says something when the #1 new feature is the ability to delay updates, yes? — and you have the perfect combination: Minimal gain at significant risk.

Let’s be clear, though. If you want to install the latest and greatest, by all means do so! We’ll even help you here on AskWoody. Tell us what you find — and we’ll keep you posted on the howls of pain in the populace at large.

It’s kinda like wearing a red shirt on a Star Trek away team.

Microsoft issues new cumulative updates for Windows 10 1803 and 1809

On Tuesday, May 21, Microsoft released Cumulative updates for Windows 10 v1803 and v1809.

v 1803 KB 4499183 Build 17134.799
v 1809 KB 4497934 Build 17763.529

Starting with update [KB4499183 and KB4497934], we are introducing functionality that allows you to decide when to install a feature update. You control when you get a feature update while simultaneously keeping your devices up to date. Feature updates that are available for eligible devices will appear in a separate module on the Windows Update page (Settings > Update & Security > Windows Update). If you would like to get an available update right away, select Download and install now. To find out more about this feature, please go to this blog.

When Windows 10 devices are at, or within several months of reaching, end of service, Windows Update will begin to automatically initiate a feature update. This keeps those devices supported and receiving the monthly updates that are critical to device security and ecosystem health.

The changes to v1803 and v1809 will be available in the June Patch Tuesday updates.
These Cumulative Updates are Previews. You don’t need to install them.