Newsletter Archives

  • MS-DEFCON 2: 2004 is out of support

    ISSUE 19.18.1 • 2022-05-05

    By Susan Bradley

    Check your Windows version, then update accordingly.

    I regularly come across PCs that are running old, out-of-support versions of Windows because they aren’t on the Web long enough to be “serviced” by Windows Update. For example, there are two Surface laptops in my office that are used by people on cellular connections. As a result of sporadic use, they never get a feature update.

    Just the other day, I realized they were running Windows 10 2004 and thus no longer were getting security updates, a serious matter.

    Anyone can read the full MS-DEFCON Alert (19.18.1, 2022-05-05).
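    The alert above asks you to check which Windows version a machine is running, which matters most on PCs that rarely see Windows Update. The script below is an added example, not code from the AskWoody alert: it reads the version details from the registry and flags builds at or below the one you tell it is out of support. The cutoff build is a parameter you maintain; 19041 is Windows 10 version 2004, the release the alert says has lost support, so it is used as the default here.

```powershell
# Added example (not from the AskWoody alert): report the installed Windows
# version and flag builds that are no longer serviced.
# Assumption: $LastUnsupportedBuild is maintained by you; the default 19041 is
# Windows 10 version 2004, which reached end of servicing in December 2021.

function Get-WindowsVersionInfo {
    $reg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [PSCustomObject]@{
        ProductName    = $reg.ProductName      # note: reads "Windows 10 ..." even on Windows 11
        DisplayVersion = $reg.DisplayVersion   # e.g. 21H2; absent on builds older than 20H2
        ReleaseId      = $reg.ReleaseId        # e.g. 2004; older naming scheme, stuck at 2009 after 20H2
        Build          = [int]$reg.CurrentBuild
        UBR            = [int]$reg.UBR         # revision set by the latest cumulative update
    }
}

function Test-WindowsSupported {
    param(
        # Highest build number that is OUT of support at the time you run this.
        [int]$LastUnsupportedBuild = 19041
    )
    $info      = Get-WindowsVersionInfo
    $supported = $info.Build -gt $LastUnsupportedBuild
    $action    = if ($supported) {
        'Keep installing monthly cumulative updates'
    } else {
        'Out of support: install a supported feature update (or upgrade) now'
    }
    [PSCustomObject]@{
        Version   = "$($info.ProductName) $($info.DisplayVersion) (build $($info.Build).$($info.UBR))"
        Supported = $supported
        Action    = $action
    }
}

# Runs entirely offline, so it works on the cellular-only laptops the alert describes.
Test-WindowsSupported | Format-List
```

    The check needs no network access and no elevation, so it can be dropped into a logon script for machines that are rarely online. Adjust the cutoff as Microsoft retires further versions.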

  • Things that annoy me – Windows 11 edition

    You can tell that Microsoft is starting to react to some of the feedback on Windows 11, or at least to feedback from its Enterprise customers. The Insider release brings new group policies:

    What’s new in Build 22610
    Additional new MDM and group policies for IT administrators
    We are introducing new policies so that IT administrators can simplify their Windows 11 experience across Start, taskbar, and the system tray. The following policies are available today:

    • Disable Quick Settings flyout
    • Disable Notification Center and calendar flyouts
    • Disable all taskbar settings
    • Disable search (across Start & taskbar)
    • Hide Task View from taskbar
    • Block customization of ‘Pinned’ in Start
    • Hide ‘Recommended’ in Start
    • Disable Start context menus
    • Hide ‘All apps’ in Start

    To configure these new group policies locally, open the group policy editor and navigate to User Configuration > Administrative Templates > Start Menu and Taskbar. You can also deploy these policies via Microsoft Endpoint Manager as well.

    Let me know if you want any of these options as registry keys. Typically, if you can do it via group policy, you can also do it via a registry key on Home versions.

    You know what slows me down in Windows 11 the most? The cut and paste function in File Explorer. It’s now hidden in the “Show more options” section of the right-click menu.

    Once you click on “Show more options,” you see Copy and Paste. Now yes, I can press Ctrl+C and Ctrl+V, but that typically means I have to move my fingers off my mouse and over to the keyboard.

  • Today’s edition of things that annoy me

    Today’s edition of things that annoy me in Microsoftland:

    1. Whom did you get your feedback from?

    Peter Deegan writes on Microsoft’s latest huh move. In a recent post to their alerts, they indicate that they are going to move people from the semi-annual enterprise channel to the monthly channel because, as they put it, “Customers on a monthly feature update cadence, such as those on Monthly Enterprise Channel, have reported higher satisfaction than those receiving semi-annual feature updates.” I don’t know about you, but I hardly ever click on the Office smiley-face feedback, so exactly whom did you speak to? Note this does not impact consumer 365 subscribers, just business subscribers.

    2. The dribble changes

    Microsoft announces changes in its platform but then doesn’t push them out right away. So weeks go by and suddenly things change for some – but not all – of your computers, and you have to figure out what change occurred. If you suddenly see your search results change, remember that I wrote about this a while back.

    Right-click the Windows taskbar, select Search from the popup menu, and then click Show search highlights.

    I prefer the second option, setting a Registry key, because options set like this in the Registry tend to stick — further updates to this “feature” should not turn them back on. To block the external content, add a key named Windows Search under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows, then add a DWORD value named EnableDynamicContentInWSB under it and set it to 0. This is represented by the following:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search\EnableDynamicContentInWSB=0

    To make it easier for you, I’ve coded up an easily installable registry key to place the block in your system. To install the block, merely click here and then click on Open file in your browser’s download dialog. Click to run the program, and then click yes to install the registry key.
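    For readers who would rather apply the block from a script than from a downloaded file, here is an added example that is not the downloadable registry file from the post. It creates the policy key and value exactly as listed above, gives you a read-back check you can run on any machine to confirm the block is in place, and shows what the equivalent .reg file contains. It must be run from an elevated PowerShell prompt because the key lives under HKEY_LOCAL_MACHINE; the file name under $env:TEMP is a placeholder.

```powershell
# Added example (not the post's downloadable .reg file): apply and verify the
# search-highlights block. Run elevated; the key is under HKLM.

$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
$ValueName = 'EnableDynamicContentInWSB'

function Set-SearchHighlightsBlock {
    # Create the "Windows Search" policy key if it does not exist yet,
    # then write the DWORD value 0 (overwriting any existing value).
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-SearchHighlightsBlock {
    # $true when the block is in place; $false when the value is missing or not 0.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 0)
}

# The same setting expressed as a .reg file, which is what a "click to install"
# file carries. Written as UTF-16 because that is the encoding regedit exports.
$RegFileContent = @"
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search]
"EnableDynamicContentInWSB"=dword:00000000
"@
$RegFilePath = Join-Path $env:TEMP 'BlockSearchHighlights.reg'   # placeholder path
Set-Content -Path $RegFilePath -Value $RegFileContent -Encoding Unicode

Set-SearchHighlightsBlock
Get-SearchHighlightsBlock    # $true once applied; Explorer picks it up after a sign-out
```

    Get-SearchHighlightsBlock is the useful half for an administrator: run it across machines after one of Microsoft’s staggered rollouts to see where the block is still set, since a policy value that is present and 0 is what keeps the setting from being turned back on.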

    Bottom line, every day there’s something new to be aware of.  We try to keep you informed!

  • MS-DEFCON 4: Protect yourself with patches

    ISSUE 19.17.1 • 2022-04-26


    By Susan Bradley

    I’ve been holding my breath.

    For the past few weeks, I’ve been watching for attacks that researchers indicated would be coming due to a vulnerability in all versions of Windows. All I’m seeing so far are theoretical attacks, not actual attacks.

    CVE-2022-26809, the headline vulnerability of the April updates that impacts Windows 7 through Windows 10 — as well as Windows Server versions — sounded like it had the potential of being a worm inside a network. Microsoft complicated the matter when it first indicated that this vulnerability was triggered by SMB file sharing. Then it clarified that the original researcher had provided a proof of concept that used SMB file sharing, but that additional methodologies could be used in attacks.

    Anyone can read the full MS-DEFCON Alert (19.17.1, 2022-04-26).

  • Gearing up for cyberwar

    By Susan Bradley

    Once upon a time, I used to publish maps showing the location of each water pump in the city where I live.

    Fresno residents rely on the underground water supply and pump much of the drinking water from various wells throughout the city. And then Fresno — like every other city — realized that publishing information about critically important infrastructure items, such as drinking water, probably wasn’t wise. That was especially driven home after 9/11; governments realized that they were handing over helpful data to those who might use it to attack us.

    Read the full story in our Plus Newsletter (19.17.0, 2022-04-25).

  • Are you prepared?

    It’s Saturday night or Sunday morning where you are, and I’d like to challenge you to test that you can restore a file that has been damaged, deleted, or removed, or, worse yet, encrypted by ransomware.

    So the first step is to move a file to a different location on your computer. Next, launch your backup software. Open the recovery window and see if you can restore that file.

    Ransomware is now being used by commercial attackers, and they are using zero-days to gain access to systems.

    One-third of all hacking groups exploiting zero-days in 2021 were financially motivated criminals as opposed to government-backed cyberespionage groups, according to Mandiant’s research. During the last decade, only a very small fraction of zero-days were deployed by cybercriminals. Experts believe the rapid change has to do with the illicit, multibillion-dollar ransomware industry.

    For businesses, they are going after VPN software and on-premises Exchange servers, among other vulnerable targets.

    So I challenge you tonight/tomorrow to test a backup and restoration process.
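    The drill described above (move a file, restore it from backup) tells you that the backup product can bring the file back, but not that it brought back the right bytes. The following is an added example, not part of the post, that wraps the drill in three steps: record SHA-256 hashes of the test files, move them aside to simulate the loss, and after the restore verify that each file is back and byte-identical. The manifest location and the sample file paths are placeholders.

```powershell
# Added example (not from the post): a restore drill with integrity verification.
# 1) New-RestoreDrillManifest  - record SHA-256 of the files you will test with
# 2) Invoke-SimulatedLoss      - move them to a quarantine folder (reversible, not deleted)
# 3) ...restore with your backup software...
# 4) Test-RestoreDrill         - confirm each file is back and its hash matches
# Assumption: $Manifest path and the file paths in the usage block are placeholders.

$Manifest = Join-Path $env:USERPROFILE 'restore-drill-manifest.json'

function New-RestoreDrillManifest {
    param([string[]]$Path)
    $entries = foreach ($p in $Path) {
        $h = Get-FileHash -Path $p -Algorithm SHA256
        [PSCustomObject]@{ Path = $h.Path; Sha256 = $h.Hash; Length = (Get-Item -Path $p).Length }
    }
    # The manifest is what you compare against later, so keep it outside the
    # folders you are testing (and ideally on a different volume).
    @($entries) | ConvertTo-Json | Set-Content -Path $Manifest
    return $entries
}

function Invoke-SimulatedLoss {
    # Moves the files rather than deleting them, so the drill can be undone
    # by hand if the backup restore fails.
    param(
        [string[]]$Path,
        [string]$Quarantine = (Join-Path $env:TEMP 'restore-drill-quarantine')
    )
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    foreach ($p in $Path) { Move-Item -Path $p -Destination $Quarantine }
    return $Quarantine
}

function Test-RestoreDrill {
    # One result object per file: was it restored, and is the content intact?
    $expected = Get-Content -Path $Manifest -Raw | ConvertFrom-Json
    foreach ($e in @($expected)) {
        $exists = Test-Path -Path $e.Path
        $hash   = if ($exists) { (Get-FileHash -Path $e.Path -Algorithm SHA256).Hash } else { $null }
        [PSCustomObject]@{
            Path     = $e.Path
            Restored = $exists
            Intact   = ($hash -eq $e.Sha256)
        }
    }
}

# Usage for the drill (file paths are placeholders; pick files you can afford to move):
# $DrillFiles = 'C:\Users\me\Documents\drill-1.docx', 'C:\Users\me\Documents\drill-2.xlsx'
# New-RestoreDrillManifest -Path $DrillFiles
# Invoke-SimulatedLoss -Path $DrillFiles
# ...restore the files with your backup software...
# Test-RestoreDrill | Format-Table
```

    A file that shows Restored = True but Intact = False is the case worth finding in a drill rather than after an incident: the backup product returned something, but not the version you expected, typically because the backup set was older than the file.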

  • From remote? From local?

    Alex posted earlier about UEFI vulnerabilities in certain models of consumer Lenovo laptops.

    The official notice is here at the Lenovo site.

    I try to weed out the hype and get to “how will I be attacked”?

    If the attack has to occur locally, I discount the attack.

    According to Lenovo there are three vulnerabilities:

    One requires local access; the other two are described as requiring an “attacker with elevated privileges.”

    CVE-2021-3970: A potential vulnerability in LenovoVariable SMI Handler due to insufficient validation in some Lenovo Notebook models may allow an attacker with local access and elevated privileges to execute arbitrary code.

    CVE-2021-3971: A potential vulnerability by a driver used during older manufacturing processes on some consumer Lenovo Notebook devices that was mistakenly included in the BIOS image could allow an attacker with elevated privileges to modify firmware protection region by modifying an NVRAM variable.

    CVE-2021-3972: A potential vulnerability by a driver used during manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.

    I can’t figure out from reading the details on the ESET site whether an attacker modifying the boot settings would manifest as some other side effect that you and I would then act on by reinstalling the operating system, or by taking some other drastic action.

    What’s the realistic risk here?
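    Two of the three Lenovo advisories above describe an attacker changing firmware protection or the Secure Boot setting through an NVRAM variable. Whatever the realistic risk, the defender’s question is answerable on each laptop: what model and BIOS version is installed (to compare against the version the vendor advisory lists as fixed), and is Secure Boot still enforced? The script below is an added example, not from the post or from Lenovo, that collects those facts and stores a baseline so a later run can show whether the Secure Boot state or firmware version has changed. The baseline path is a placeholder; Confirm-SecureBootUEFI needs an elevated prompt and is not available on legacy-BIOS machines, which the script reports as "unknown" rather than treating as disabled.

```powershell
# Added example (not from the post or Lenovo's advisory): record the firmware
# facts that matter for a UEFI advisory and detect drift between runs.
# Assumption: $BaselinePath is a placeholder location you control.

$BaselinePath = Join-Path $env:ProgramData 'firmware-baseline.json'

function Get-FirmwareExposureReport {
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $sys  = Get-CimInstance -ClassName Win32_ComputerSystem

    # Confirm-SecureBootUEFI returns $true/$false; it throws when the machine
    # boots in legacy BIOS mode or the prompt is not elevated.
    $secureBoot = 'unknown (legacy BIOS or not elevated)'
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }

    [PSCustomObject]@{
        Manufacturer    = $sys.Manufacturer
        Model           = $sys.Model
        BiosVersion     = $bios.SMBIOSBIOSVersion   # compare with the fixed version in the vendor advisory
        BiosReleaseDate = $bios.ReleaseDate
        SecureBootOn    = $secureBoot
    }
}

function Save-FirmwareBaseline {
    # Capture the current state once, after you have confirmed it is what you expect.
    Get-FirmwareExposureReport | ConvertTo-Json | Set-Content -Path $BaselinePath
}

function Compare-FirmwareBaseline {
    # Returns what changed since the baseline; a Secure Boot flip from $true to
    # $false on a machine you did not touch is the signal worth investigating.
    $old = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $new = Get-FirmwareExposureReport
    [PSCustomObject]@{
        SecureBootChanged = ("$($old.SecureBootOn)" -ne "$($new.SecureBootOn)")
        BiosChanged       = ($old.BiosVersion -ne $new.BiosVersion)
        Baseline          = $old
        Current           = $new
    }
}

# First run: Save-FirmwareBaseline
# Later runs (e.g. after applying a vendor firmware update): Compare-FirmwareBaseline
```

    A BiosChanged result right after you installed the vendor's fixed firmware is expected; SecureBootChanged on a machine nobody updated is the case that turns the question “what is the realistic risk” into something you can act on.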

  • Drenched in patches

    By Susan Bradley

    As is typical for this time of year, Microsoft is releasing a deluge of security patches for our Windows machines.

    One threat has already been used in the wild. CVE-2022-24521 is a vulnerability in the Windows Common Log File System Driver and can lead to elevation of privileges on a system. Troubling to me is CVE-2022-26809, which is a potentially wormable remote code vulnerability that could be especially damaging if the attacker gets inside your firewall or network.

    Read the full story in our Plus Newsletter (19.16.0, 2022-04-18).

  • Moving away from basic auth

    I have a variety of email accounts. Some business, some personal, some purchased strictly to see what the experience of something is like, some because I’ve had them for years. So I still have the first ISP-based email I ever had (remember the old phone company Pacific Bell? I still have an old email account from them).

    So over the years I’ve had to move to different email clients and platforms in order to still use them. Over the years I’ve also changed the ways I access email. For example, I no longer use POP and PST files. I’ve lost too much data over the years to rely on POP anymore. Also, because I use email on phones, tablets, and devices, as well as computers and laptops, I’ve moved to IMAP. If your mail is hosted on an Exchange server or a hosted Exchange server, that also lets you get the same email on different devices and in different locations.

    If your email is hosted on GoDaddy, they moved to Microsoft 365 a few months (years?) ago. Lately they’ve been phasing out basic authentication. So what you’ve had to do to get your email working again is to delete the account from your email client and walk through setting it up again.

    In my case I use the eM email software on one particular computer, and when you walk through setting it up again you get prompts to authenticate to GoDaddy using modern authentication. So when you put in your name and email address, you get the GoDaddy login window and then an approval screen that looks like the image below:


    After you’ve set it up again, in the case of GoDaddy email it no longer connects to POP or IMAP but rather

    So while this has been a PAIN to set up all of these email accounts again on various devices – especially since I’ve had to reset passwords on a few accounts that I couldn’t remember the passwords for after all these years – it’s wise to stop using basic authentication. Why? Because attackers can perform brute-force attacks more easily on email that only uses basic authentication.

    Bottom line, if all of a sudden your email stops working – it may not be your email client – it may be that you need to set up your account again so it gets the new, more secure setup.



  • Master Patch List as of April 12th 2022

    Patches came out yesterday. So far not seeing anything major trending … yet. But it’s honestly too early to tell the impact at this time. Edit 4/14/2022: Seeing some reports of issues with browsers with Norton and ESET antivirus. I’m not seeing issues here with Defender. Based on comments it’s not widespread and thus too early to determine root cause at this time. I’d also make sure your browser is up to date.

    Edit 4/14/2022 3:21 pacific – check for updated a/v – this appears to have been resolved at least with ESET.

    I’ve updated the Master Patch Listing for the releases this month. Note, other than the browsers, I have pause or defer on everything else at this time.

    If there is anything I’ve typed in wrong, forgive me; I’m a bit bleary-eyed this week as we are almost to the USA tax due date of April 18th. (No, not the 15th, but the 18th.) Take pity on your CPA and stop emailing or texting them photos of your tax documents. Not only is it not secure to be sending your sensitive tax data that way, it makes it EXTREMELY hard for us to print out or save the tax documents. The CPA listserve recently had a thread about how to deal with this issue, and we were all indicating how often this occurs. Remember, if you can see that sensitive Social Security number as you email or text me that document, so can the attacker.

    Stay tuned for the details in the newsletter this weekend about the Patching issues and headlines and as always, I’ll keep the Master Patch Listing up to date with the latest.

    As always, thank you all for supporting the cause! Remember a mere $1 donation will give you access and if you donate $50 or more you’ll get a special code to enable text messages sent to your phone each time the Master Patch List gets updated and when I change the MS-DEFCON level.

  • April patching showers here we go

    It’s that time of the month for all computer users to get in the habit of checking their devices.

    While “Patch Tuesday” is the big one for Windows users, it’s also wise to check your Apple devices. I know that my iPhone has been offering – but not pushing – the latest updates. They too are following a “let’s dribble them out and see how well they go” methodology these days.

    But back to Microsoft:

    Remember that this month they are pushing out search highlights in Windows 10: “Search highlights will roll out to Windows 10 customers over the next several weeks. We are taking a phased and measured approach.”

    I’ll be adding more links as folks post their analyses. Here at AskWoody we track the side effects and try to separate the “corner cases” from the issues that are widespread.

    145 vulnerabilities

    1 publicly disclosed

    10 critical

    .NET security updates are included in the April 2022 updates for denial of service issues.

    Dustin Childs’s zero-day write-up is here. Clearly we have a difference between home users and business computers this month with a bug that will provide lateral movement inside a network once the attacker gets in. Port 135 is a typical file and printer sharing port – but it is not exposed to the outside world. In an office network, though, once they get in, ouchie!

  • Is this the end of the road for Windows 7?

    By Susan Bradley

    Vendors start to draw the line.

    Ahh, Windows 7. I remember when you first came out. I remember when people hated — truly hated — your User Account Control (UAC) system that required administrator approval any time they wanted to do something that had been perfectly normal in Windows XP. I remember that UAC was so annoying that Apple lampooned it (more like harpooned it) in several of its famous Mac-versus-PC TV ads.

    Susan's UAC Slider cartoon

    I went so far as having a cartoon made, urging people to “zip up” their UAC setting rather than disabling it, because I saw both users and administrators removing the UAC prompt entirely. But that represented a lowering of security for Windows 7. I thus urged people not to disable it, despite the annoyance. I told them to zip the slider all the way to the top. Remember the slider?

    Read the full story in our Plus Newsletter (19.15.0, 2022-04-11).