News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it

Daily Archives: February 21, 2019

  • February 2019 Update to Win10 1809 KB 4487044 causes loss of access to One Drive

    Posted on February 21st, 2019 at 18:59 PKCano

    @F-A-Kramer reports an auto update to Win10 1809 caused loss of access to One Drive.

    MS auto updated my computer (64 bit Win 10 1809) this morning and rebooted my computer. Gone from the system tray is my Office 365 One Drive app. Attempts to connect to One Drive from the Start menu result in nothing happening. The computer can not access my One Drive at all. I even tried using the web (Edge no less) and when I try to enter my email address, half way through, the dialog box blanks out.

    The “Update” is listed as a Feature Update for Win 10 1809 but no KB number given. The build is 17763.316.

    It seems it took some effort to find the answer to the problem. He further relates his experience finding the solution.

    Finally, after several runarounds and attempts to find the right place to ask, I was able to connect with a Microsoft One Drive Support person. Said I should download a One Drive installer. Did, and it did not work. Then told to run a reset procedure. Did not work.

    Then the big gun was brought out. I was instructed to edit the registry to change One Drive’s DisableFileSyncNGSC from 1 to 0. This would, and did(!) “enable” One Drive after restarting the computer. All is now as it should be. I have no idea how this bit (Dword actually) got changed. Hit by a cosmic ray is as good an explanation as any.

    Has anyone else experienced a problem connecting to One Drive after installing the February patch?

  • New cumulative update KB 4491113 for IE in Win7 and 8.1 fixes the backslash bug

    Posted on February 21st, 2019 at 12:53 woody

    Microsoft broke IE’s behavior earlier this month. With the update released yesterday, it’s fixed… but under odd circumstances.

    Here’s the bigger picture.

    This month’s Patch Tuesday patches for Win7 and 8.1 contained this weird, acknowledged, bug:

    After installing this update, Internet Explorer may fail to load images with a backslash (\) in their relative source path.

    That bug, and several others, were fixed in this week’s Monthly Rollup preview patches – but those aren’t distributed through normal channels. You have to wait until next month, when the Monthly Rollup Preview patches will (presumably) be added to the March Monthly Rollups.

    Here’s where things get weird. On Feb. 19, Microsoft released a Cumulative update for Internet Explorer: February 19, 2019, a silver bullet patch with the sole intent:

    This cumulative update includes improvements and fixes for Internet Explorer 11 that is running on Windows 8.1 or Windows 7, and resolves the following issue:

    Internet Explorer cannot load images that have a backslash (\) in their relative sources path.

    So we have a cumulative update, KB 4491113, that fixes a bug introduced in this month’s Monthly Rollups, but which is also fixed in this month’s Monthly Rollup previews. The previews fix other bugs as well, but I guess this one was problematic enough to warrant a single silver bullet.

    @PKCano has added the appropriate admonitions to the “Group B” AKB 2000003 list.

  • Patch Lady – so should we freak out about passwords?

    Posted on February 21st, 2019 at 11:03 Susan Bradley

    We urge folks to use stronger passwords, but then it’s hard to keep track of them.  So we use password managers.  But there’s news out that these manager programs aren’t as secure as we’d like them to be and may leak things like… oh the master password.  But if I’m reading the white paper correctly, some of the techniques used to discover these secrets means that the system was either compromised to begin with, or it’s being examined physically and forensically – that is the researcher is looking at dump files, and examining memory in such a way that you have to have physical access to the machine.  If an attacker has physical access to your machine, it’s not your machine anymore.

    There is an old old old post of which I can only find other blog posts about the original post about 10 laws of security that was first put out by Microsoft:

    Law #1: If a bad guy can persuade you to run his program on your computer, it’s not solely your computer anymore.
    Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore.
    Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.
    Law #4: If you allow a bad guy to run active content in your website, it’s not your website any more.
    Law #5: Weak passwords trump strong security.
    Law #6: A computer is only as secure as the administrator is trustworthy.
    Law #7: Encrypted data is only as secure as its decryption key.
    Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
    Law #9: Absolute anonymity isn’t practically achievable, online or offline.
    Law #10: Technology is not a panacea.

    I think number 3 is at play.  Granted it still may be safer to buy and do this.  And add multi factor authentication where you can.  And realize we’re never 100% secure.  Just acceptably secure.  For now.  Until the next headline.

    Excuse me while I go buy some aluminum foil.

  • Microsoft: New non-security updates prevent attack on Win10 Servers running IIS — but there are no instructions

    Posted on February 21st, 2019 at 07:51 woody

    Now you know why I’m skeptical of the “optional non-security” description about the second monthly Win10 cumulative updates.

    Ends up that the patches are not “optional” (click Check for updates and see what happens) and, at least this month, for Servers running IIS, they’re not “non-security.”

    Case in point: Microsoft Security Advisory ADV190005 | Guidance to adjust HTTP/2 SETTINGS frames, released yesterday. From the Advisory:

    Microsoft is aware of a potential condition which can be triggered when malicious HTTP/2 requests are sent to a Windows Server running Internet Information Services (IIS). This could temporarily cause the system CPU usage to spike to 100% until the malicious connections are killed by IIS.

    The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters. In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed.

    To address this issue, Microsoft has added the ability to define thresholds on the number of HTTP/2 SETTINGS included in a request. These thresholds must be defined by the IIS administrator, they are not preset by Microsoft.

    The solution? Install this month’s second set of cumulative updates — the ones released earlier this week, KB 4487006, KB 4487011, KB 4487021, KB 4487029 — and then follow these instructions:

    Customers should review Knowledge Base Article 4491420 and take appropriate action.

    Except, well, golly, there is no KB 4491420.

    UPDATE: Microsoft published the instructions, Define thresholds on the number of HTTP/2 Settings parameters exchanged over a connection.
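
To make the advisory's description concrete, here is an added example (not code from Microsoft or from the original post) that parses the client side of a captured HTTP/2 connection, counts SETTINGS frames and parameters, and checks them against thresholds. The threshold names and values are hypothetical, the limit is applied per capture rather than per time window because the sample has no timestamps, and the sample bytes are constructed.

```python
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # client connection preface (RFC 7540)
SETTINGS, ACK = 0x4, 0x1                        # frame type and ACK flag

# Hypothetical thresholds for this example, not Microsoft's names or values.
MAX_PARAMS_PER_FRAME = 32
MAX_PARAMS_PER_CONNECTION = 256


def settings_frame(params):
    """Build a SETTINGS frame from (identifier, value) pairs (for sample data)."""
    payload = b"".join(struct.pack(">HI", i, v) for i, v in params)
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, SETTINGS, 0, 0) + payload


def iter_frames(stream):
    """Yield (type, flags, stream_id, payload) for each complete frame."""
    pos = len(PREFACE) if stream.startswith(PREFACE) else 0
    while pos + 9 <= len(stream):
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", stream, pos)
        length = (hi << 16) | lo
        if pos + 9 + length > len(stream):
            break  # truncated capture: stop rather than guess
        yield ftype, flags, sid & 0x7FFFFFFF, stream[pos + 9:pos + 9 + length]
        pos += 9 + length


def audit_settings(stream):
    """Count SETTINGS parameters from one client and flag exceeded thresholds."""
    frames = total = worst = malformed = 0
    for ftype, flags, sid, payload in iter_frames(stream):
        if ftype != SETTINGS or flags & ACK:
            continue  # other frame types and ACKs carry no parameters
        if sid != 0 or len(payload) % 6:
            malformed += 1  # SETTINGS must be on stream 0, 6 bytes per parameter
            continue
        count = len(payload) // 6
        frames, total, worst = frames + 1, total + count, max(worst, count)
    findings = []
    if worst > MAX_PARAMS_PER_FRAME:
        findings.append("per-frame threshold exceeded")
    if total > MAX_PARAMS_PER_CONNECTION:
        findings.append("per-connection threshold exceeded")
    return {"frames": frames, "params": total, "max_per_frame": worst,
            "malformed": malformed, "findings": findings}


# Constructed sample captures (client-to-server bytes), not real traffic.
NORMAL = PREFACE + settings_frame([(0x3, 100), (0x4, 65535)])
EXCESSIVE = PREFACE + settings_frame([(0x4, 65535)] * 200) * 3
```

Calling `audit_settings(NORMAL)` returns no findings, while `audit_settings(EXCESSIVE)` reports both thresholds exceeded.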