  • Patch Lady – following up on Office update KB4011730

    Posted on March 14th, 2018 at 20:51 by Susan Bradley

    Susan here, following up on the Office patch that was talked about here.

    Office 2016 Click-to-Run: you will not see this issue, as you get your updates as a bundle.

    Office 2016 installations received via volume license are the only ones that still get individual updates these days. The side effect, whereby a Word document can’t be opened directly from Explorer, appears to be the result of installing only the security updates and not the non-security updates.

    As now noted in KB4011730:

    Known issues in this security update

    Symptoms
    After you install this security update, you may be unable to open or save a Word document.

    Workaround
    To work around this issue, install the March 6, 2018 update for Office 2016 (KB4018295).

    Microsoft is researching this problem and will post more information in this article when the information becomes available.

    Showcasing that sometimes you do want to install those optional updates.

  • Insider trading charge leveled at Equifax CIO

    Posted on March 14th, 2018 at 11:59 by woody

    Remember how three Equifax execs sold $1.8 million in Equifax stock, after the company was hacked but before the hack was announced?

    The SEC just nailed one of them:

    Jun Ying, who was next in line to be the company’s global CIO, allegedly used confidential information entrusted to him by the company to conclude that Equifax had suffered a serious breach.  The SEC alleges that before Equifax’s public disclosure of the data breach, Ying exercised all of his vested Equifax stock options and then sold the shares, reaping proceeds of nearly $1 million.

    Let’s see what happens.

  • Massive March Patch Tuesday relaxes antivirus restrictions, but there are problems

    Posted on March 14th, 2018 at 08:17 by woody

    With 74 separately identified plugged holes, every version of Windows and Office gets goosed. No known exploits for any “Critical” vulnerabilities, but there’s a report of more forced upgrades.

    Computerworld Woody on Windows.

    UPDATE: Win7/Win2008 R2 Monthly Rollup KB 4088875 and Security-only KB 4088878 are causing problems on Server 2008 R2, because the updates blow away virtual Network Interface Cards (VMware hit badly), and on Win7, because they overwrite static IP addresses. Discussion on Reddit and an apparently related post on KB 3125574.

    ANOTHER UPDATE: It looks like the Word 2016 security patch KB 4011730 causes Word 2016 to crash when you double-click on a file with a DOCX filename extension. Uninstalling the patch fixes the problem.

    ANOTHER UPDATE: We’re getting reports that the beleaguered Win7 Monthly Rollup, KB 4088875, now appears in Windows Update as unchecked. It’s still available through the Microsoft Update Catalog, however.

  • Patch Lady: Tracking some post release issues

    Posted on March 14th, 2018 at 02:04 by Susan Bradley

    Update: Mark Berry has an excellent blog post about how to do a group policy update on the network, as well as a warning about not setting that value too soon!

    Susan here with early reports from the Tuesday releases (or Wednesday, depending on your time zone). Normally we don’t start seeing issues until tomorrow, but already we have a few issues bubbling up. One issue is actually expected, and you’ll need to look for updates for any third-party remote desktop software that may be impacted. The reason for it is a major change in the Credential Security Support Provider. You’ll probably see this in the news talked about as the CredSSP issue. In the security portal the issue is called out here:

    To be fully protected against CVE-2018-0886, users must enable Group Policy settings on their systems and update their Remote Desktop clients. The Group Policy settings are disabled by default to prevent connectivity problems and users must follow the instructions documented HERE to be fully protected.

    But I’ll be flat honest, I missed it upon first reviewing the security portal and didn’t realize the impact until later.

    The issue impacts the Remote Desktop Protocol. If you’ve ever launched the Remote Desktop Connection application on any of your Windows computers, you’ve used CredSSP to remote into computers.

    The flaw will be demonstrated next week at a Black Hat conference, but that said, you can tell from the description that this will be difficult to exploit in a consumer setting:

    Exploiting the flaw requires the attacker to wage a man-in-the-middle attack between the client and server in an RDP or WinRM session. He or she would need WiFi or physical access to the targeted network. A WiFi exploit could be set up using a key reinstallation attack such as KRACK, for example, according to the researchers. Other vectors are Address Resolution Protocol (ARP) poisoning and exploiting vulnerable network devices such as routers, to reach servers inside.

    The security fix is actually going to be phased in over the next several months. This month (per Microsoft) is phase one. All supported workstations and servers get the update this month; next month, in April, Microsoft will start phasing in error messages if you RDP from a patched client into an unpatched server; and finally, in May, the registry setting that better protects servers from unpatched systems will kick in.

    Bleeping Computer even has a video that the researchers have shared discussing the flaw and its impact. As is noted, attackers have to have a toehold in your network before this can be successful; they would have to do a man-in-the-middle attack to intercept your RDP transmission. In a peer-to-peer network that would mean they’d have to have malicious code in your router. Given the complexity and the time spent to craft the packets just so, this one is more in the “they really have to target you” category and not in what I call the “roadkill” variety of vulnerabilities.

    It impacts ALL versions of supported Windows, so for anyone in businesses still using Windows XP and relying on the Remote Desktop Protocol, just be aware that this may impact interaction between the platforms as these adjustments roll out over the next several months.

    Initially, in March, they are rolling out the new protocol. Later, in April, they will make it so that an error message occurs when you attempt to remote from a patched machine to an unpatched machine, and then later, in May (tentative at this time), the default will be to enforce that remoting from a patched machine to an unpatched machine will not work.

    If you still need to go between patched and unpatched machines after the May security updates come out, you’ll have to make a manual registry adjustment to lower the security of your system. Hopefully no one has to do that.

    Consumer recommendations:

    Actions needed: Patch [after we wait a bit, just to make sure it’s all clear of any other issues]

    I’ve not seen any side effects on Windows machines at this time. I’ve even patched a workstation and left another workstation unpatched to see if there were any issues. I personally saw none. I have seen reports of issues where, after installing the update on the Windows-based machine, folks couldn’t use the RDP client on a Mac to remote into the Windows machine. So on consumer machines, if you only RDP between Windows machines you should be fine. For a mixed network with Macs or other non-Windows machines that use the RDP protocol, check with your vendors for updates.

    In May the setting that stops clients from falling back to insecure versions of CredSSP will kick in, and thus there is no other action you need to take on standalone peer-to-peer networks, other than to make sure that, if you use RDP to remote into computers, all of your remoting still works after you apply the updates.

     

    Mitigated (value 1): Client applications that use CredSSP will not be able to fall back to insecure versions. Services that use CredSSP will accept unpatched clients.

    Domain/Network recommendations:

    If you are in a domain setting, where you log on not to a peer-to-peer workgroup but to something called a domain controller, here’s where the guidance differs: Microsoft recommends you roll these settings out now. You actually need to set registry keys or group policy settings to allow for the phase-in of this update.

    You can make the registry change/group policy in advance before you roll out the updates.

    On Windows 10 Pro, when you go into Edit Group Policy, you can see the setting there.

    Double-click to enable it and then set it to the value Mitigated. “Mitigated”, whereby “Client applications that use CredSSP will not be able to fall back to insecure versions”, will be the default value in May.

    Test. See if anything breaks. If it does, set it to Vulnerable, and then go see about getting an update for the RDP client that doesn’t work.

    Microsoft has stated that:

    We recommend that administrators apply the policy and set it to “Force updated clients” or “Mitigated” on client and server computers as soon as possible. These changes will require a reboot of the affected systems.
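    To make the interoperability matrix concrete before you flip the policy, here is an added example in Python (not code from AskWoody or Microsoft) that models which client/server combinations still connect in each rollout phase the post describes, and lists the pairs that will break. The Mitigated behaviour is quoted above; the Force updated clients and Vulnerable behaviours, and the assumption that March and April still permit fallback (April with an error message) while May defaults to Mitigated, follow Microsoft's published CredSSP guidance and are assumptions here. The host names are constructed.

```python
"""Model of the CredSSP (CVE-2018-0886) policy interoperability matrix.

Constructed example, not code from AskWoody or Microsoft. The Mitigated
semantics are quoted in the post; the Force updated clients / Vulnerable
semantics and the per-month defaults follow Microsoft's published CredSSP
guidance and are assumptions here.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Policy(Enum):
    """The three values of the Encryption Oracle Remediation setting."""
    FORCE_UPDATED_CLIENTS = "Force updated clients"  # no fallback; server rejects unpatched clients
    MITIGATED = "Mitigated"                          # no fallback; server still accepts unpatched clients
    VULNERABLE = "Vulnerable"                        # fallback allowed; server accepts unpatched clients


# Default applied to a patched host whose administrator set no explicit policy,
# following the phased rollout in the post (assumption: March and April still
# permit fallback, April adds an error message, May enforces Mitigated).
PHASE_DEFAULT = {
    "march": Policy.VULNERABLE,
    "april": Policy.VULNERABLE,
    "may": Policy.MITIGATED,
}


@dataclass(frozen=True)
class Host:
    name: str
    patched: bool                     # March 2018 CredSSP update installed?
    policy: Optional[Policy] = None   # explicit GPO/registry setting, if any


def effective_policy(host: Host, phase: str) -> Optional[Policy]:
    """Policy a host actually enforces; None means it only speaks the old protocol."""
    if not host.patched:
        return None
    return host.policy if host.policy is not None else PHASE_DEFAULT[phase]


def rdp_allowed(client: Host, server: Host, phase: str = "may") -> Tuple[bool, str]:
    """Can the client open a CredSSP (RDP/WinRM) session to the server in this phase?"""
    c_pol = effective_policy(client, phase)
    s_pol = effective_policy(server, phase)
    if c_pol is not None and s_pol is not None:
        return True, "both patched: updated CredSSP protocol negotiated"
    if c_pol is None and s_pol is None:
        return True, "both unpatched: old (vulnerable) protocol used"
    if c_pol is not None:
        # Patched client talking to an unpatched server: only Vulnerable falls back.
        if c_pol is Policy.VULNERABLE:
            note = " (April: error message shown)" if phase == "april" else ""
            return True, f"{client.name} falls back to insecure CredSSP{note}"
        return False, f"{client.name} ({c_pol.value}) will not fall back for {server.name}"
    # Unpatched client talking to a patched server: only Force updated clients rejects it.
    if s_pol is Policy.FORCE_UPDATED_CLIENTS:
        return False, f"{server.name} rejects unpatched client {client.name}"
    return True, f"{server.name} ({s_pol.value}) accepts unpatched client {client.name}"


def find_breakages(clients: List[Host], servers: List[Host], phase: str = "may") -> List[Tuple[str, str]]:
    """(client, server) pairs that stop working in the given phase.

    Run this against your inventory before the May default lands to see which
    hosts still need a vendor RDP client update or the patch itself."""
    return [
        (c.name, s.name)
        for c in clients
        for s in servers
        if not rdp_allowed(c, s, phase)[0]
    ]


if __name__ == "__main__":
    # Constructed fleet: a patched admin PC with no explicit policy, an unpatched
    # legacy server, a patched DC set to Force updated clients, an unpatched XP box.
    admin_pc = Host("admin-pc", patched=True)
    legacy = Host("legacy-srv", patched=False)
    dc = Host("dc01", patched=True, policy=Policy.FORCE_UPDATED_CLIENTS)
    xp_box = Host("xp-box", patched=False)
    for phase in ("march", "april", "may"):
        print(phase, find_breakages([admin_pc, xp_box], [legacy, dc], phase))
```

    Running it shows the two things worth testing for: the admin PC with no explicit setting keeps reaching the legacy server in March and April but loses it in May, and a server set to Force updated clients shuts out the unpatched XP box immediately, which is why the post says to test before choosing that value.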

    Hopefully I’ve made this a bit clearer? I’ll be working on updating the master patch listing for March, will post it Wednesday, and will keep an eye out for any other issues along the way.