News, tips, advice, support for Windows, Office, PCs & more


Newsletter Archives

  • Out of band for Print Nightmare is out

    Posted on July 6th, 2021 at 16:22 Comment on the AskWoody Lounge

    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

    Remember the Print Nightmare post from the other day? Microsoft has released out of band updates to fix the issue.

    “CVE updated to announce that Microsoft is releasing an update for several versions of Windows to address this vulnerability. Updates are not yet available for Windows 10 version 1607, Windows Server 2016, or Windows Server 2012. Security updates for these versions of Windows will be released soon. Other information has been updated as well. This information will be updated when more information or updates are available”

    If you are a home user, I don’t see a need to rush this patch on. If you are an MSP or IT professional and you haven’t already disabled the print spooler on your domain controllers, look for these updates. (I don’t think they’ve been fully posted yet.)

    https://support.microsoft.com/en-us/topic/31b91c02-05bc-4ada-a7ea-183b129578a7

    “Prior to installing the July 6, 2021, and newer Windows Updates containing protections for CVE-2021-34527, the printer operators’ security group could install both signed and unsigned printer drivers on a printer server. After installing such updates, delegated admin groups like printer operators can only install signed printer drivers. Administrator credentials will be required to install unsigned printer drivers on a printer server going forward.”

    Edit on 7/7/2021: Seeing it start to trend that Zebra label printers can’t print after installing this update. I’m going to flip DefCon to 2 to be safe.

    Edit on 7/7/2021 12:10: Lawrence from BleepingComputer indicates that the patch doesn’t fully protect from “local privilege escalation” PrintNightmare attacks. If you have enabled any “Point and Print” options you may still be vulnerable even with the update installed. “To bypass the patch and achieve RCE and LPE, a Windows policy called ‘Point and Print Restrictions’ must be enabled, and the “When installing drivers for a new connection” setting configured as “Do not show warning on elevation prompt.” Note I have not done this on any local printer or network printer under my control, so my guess is that most of us won’t have to worry about this corner case.

    Edit 7/10/2021: Microsoft is saying that the issue with USB-based label printers (Zebra and Duo) isn’t caused by this specific update but by earlier updates, and we just didn’t realize it. They have implemented the “known issue rollback” process, where the non-security bits causing the issue are automatically rolled back.
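The 7/7 edit above describes a corner case: a patched host is still exposed when the Print Spooler is running and the “Point and Print Restrictions” policy suppresses the elevation warning. The following is an added PowerShell audit, not part of the original post; it assumes the standard registry path and value names that the Point and Print Restrictions Group Policy writes (NoWarningNoElevationOnInstall = 1 is the “Do not show warning on elevation prompt” choice).

```powershell
# Added example (not from the AskWoody post): audit the Point and Print Restrictions
# settings that can leave a patched host exposed, together with the Spooler service state.
# Assumption: the policy lives at the standard GPO-written registry key below.
function Get-PointAndPrintRisk {
    [CmdletBinding()]
    param()

    $ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $spooler = Get-Service -Name Spooler

    $result = [ordered]@{
        SpoolerStatus        = $spooler.Status
        SpoolerStartType     = $spooler.StartType
        PolicyKeyPresent     = Test-Path -Path $ppKey
        NoWarningNoElevation = $null   # 1 = "Do not show warning on elevation prompt"
        UpdatePromptSettings = $null   # 2 = no warning or prompt on driver update
        Risk                 = 'Low'
    }

    if ($result.PolicyKeyPresent) {
        $pp = Get-ItemProperty -Path $ppKey
        $result.NoWarningNoElevation = $pp.NoWarningNoElevationOnInstall
        $result.UpdatePromptSettings = $pp.UpdatePromptSettings
    }

    # The corner case from the post: spooler running AND elevation warning suppressed.
    if ($result.SpoolerStatus -eq 'Running' -and $result.NoWarningNoElevation -eq 1) {
        $result.Risk = 'High - Spooler running with the elevation warning suppressed'
    }
    elseif ($result.SpoolerStatus -eq 'Running') {
        $result.Risk = 'Medium - Spooler running; confirm the July 6 update is installed'
    }

    [pscustomobject]$result
}

Get-PointAndPrintRisk | Format-List
```

Run it elevated on print servers and domain controllers; a “High” result means either stop the Spooler or change the policy setting, not just install the update.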


  • Tasks for the weekend – July 3, 2021 – Taming Word

    Posted on July 4th, 2021 at 00:20 Comment on the AskWoody Lounge

    YouTube video here

    Recently Word (and Outlook) added a new feature that “predicts” what you are typing and urges you to hit Tab to speed it up.

    If this annoys you, for Outlook click on File, then on Options, then on Mail, then on Compose messages, and uncheck Show text predictions while typing.

    For Word, click on File, then Options, then Advanced. Under Editing Options, check the box for “Show Text Predictions While Typing” to enable the feature and click “OK.”

    For Outlook on the web, go to Settings, then to View all Outlook settings, then to Mail, then to Compose and reply, and uncheck the option “Suggest words or phrases as I type” under Text predictions.

    Note this is not new but is dribbling out to the various versions of Office.

  • Kaseya VSA has been hit with a ransomware attack

    Posted on July 2nd, 2021 at 14:25 Comment on the AskWoody Lounge

    https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/

    “We are monitoring a REvil ‘supply chain’ attack outbreak, which seems to stem from a malicious Kaseya update. REvil binary C:\Windows\mpsvc.dll is side-loaded into a legit Microsoft Defender copy, copied into C:\Windows\MsMpEng.exe to run the encryption from a legit process.”

    This is not good for those who rely on consultants who then use common tools. Kaseya is the name of a company that provides various tools for consultants to remotely access and manage networks for their customers.

    Consumer/Home user impact: You don’t use Kaseya VSA, so you are safe.

    Small business impact/Consultant impact: So far it looks like it’s only 4 MSPs that Huntress Labs is tracking, but you may want to check your networks to be safe.
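The quoted r/msp report names two artifacts: a copy of Defender’s MsMpEng.exe placed in C:\Windows and a side-loaded C:\Windows\mpsvc.dll. The check below is an added example, not from the AskWoody or Reddit post; it assumes only that the genuine MsMpEng.exe is not installed under the Windows directory, so a copy there is suspicious by location alone, and uses Get-AuthenticodeSignature as a second signal.

```powershell
# Added example (not from the AskWoody post): look for the side-loading pair described in the
# r/msp report. Assumption: $env:SystemRoot is the Windows directory the report refers to.
function Test-MsMpEngSideload {
    [CmdletBinding()]
    param(
        [string]$WindowsDir = $env:SystemRoot
    )

    $candidates = @(
        (Join-Path $WindowsDir 'MsMpEng.exe'),
        (Join-Path $WindowsDir 'mpsvc.dll')
    )

    foreach ($path in $candidates) {
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Present = $false; Signature = $null; Verdict = 'Absent (expected)' }
            continue
        }

        # File exists where it should not; inspect the Authenticode signature as a second signal.
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        $verdict = if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft Corporation') {
            'SUSPICIOUS - unexpected file with a non-Microsoft or invalid signature; isolate the host and preserve the file'
        } else {
            'SUSPICIOUS - Microsoft-signed but in the wrong location (the report says a legit copy is abused); investigate'
        }

        [pscustomobject]@{ Path = $path; Present = $true; Signature = $sig.Status; Verdict = $verdict }
    }

    # Also flag a live MsMpEng process whose image was launched from the Windows directory.
    $wrongImage = Join-Path $WindowsDir 'MsMpEng.exe'
    Get-Process -Name MsMpEng -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and ($_.Path -eq $wrongImage) } |
        ForEach-Object {
            [pscustomobject]@{ Path = $_.Path; Present = $true; Signature = 'n/a'
                               Verdict = "SUSPICIOUS - running process PID $($_.Id) from the Windows directory" }
        }
}

Test-MsMpEngSideload | Format-Table -AutoSize -Wrap
```

Run it elevated so Get-Process can read the image path of a service process; an “Absent (expected)” line for both files is the clean result.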

  • Got a Western Digital NAS?

    Posted on July 2nd, 2021 at 11:24 Comment on the AskWoody Lounge

    I just told a coworker to unplug his WD My Cloud/My Book devices. We have another zero day for the Western Digital lineup.

    Brian Krebs has the details.

    I’m going back to plain old external hard drives as the backup media of choice these days.

  • Does your router auto update?

    Posted on July 1st, 2021 at 11:18 Comment on the AskWoody Lounge

    Michael Horowitz has long opined that router security needs a LOT of work. He has often complained about the sad state of firmware and router software. Now come several disclosures via Microsoft and Netgear that some of their firmware needs updating to fix holes that attackers can use to get in.

    It’s a reminder that things we take for granted are often ways that attackers can wiggle in as well.

    Make sure you regularly patch your router (check for firmware) or enable automatic updates. Most router OSes are purpose-built distributions that typically have zero issues during the update process. And don’t forget to review how old your router is. Sometimes they do die and you do need to replace them. Other times they fall out of support and you SHOULD replace them. Remember there is software under the hood as well. If you can’t remember when you last updated it, checked for updates, or when you bought it, today would be a good day to check on those items!

  • Print Nightmare is going to be a nightmare

    Posted on June 30th, 2021 at 14:38 Comment on the AskWoody Lounge

    This is me trying to figure out what best to do with a security issue in the news today, CVE-2021-1675. Or rather, it’s what I’d like to be doing, but I can’t.

    So here’s the deal. There’s a security vulnerability in the Print Spooler that was patched back on June 8th, but the patch didn’t fully fix the issue. On June 21, the vuln was updated to critical severity as a potential for remote code execution was found. There is now a zero day proof of concept of this issue out on GitHub and various places. Specifically the proof of concept is for Windows Server 2019, but as I understand it, it impacts more platforms as well.

    Edit: Turns out this appears to be a new bug and not an unfixed vulnerability. Bottom line, it’s still just as bad, but now just a regular old zero day instead of a slightly unfixed zero day. And it also works on Windows 11 as well.

    Edit 7-2-2021: Micropatches from 0patch have been released for this issue.

    Action items if you are a consumer and DO print.

    As I’m reading it, this is a big deal on domain controllers, not so much on stand-alone computers. This allows attackers to wiggle in via a remote authenticated user and raise the rights of that account. Since home computers do not have “remote authenticated users,” I’m not freaking out here and recommending that you disable the print spooler (yet). I don’t know about you, but I DO print, so I cannot disable the print spooler service without severely impacting my productivity. I’ll keep monitoring the situation and update if I see anything where I think consumers/home users/small peer-to-peer networks should be taking action other than the usual “be careful out here” and watch what you click on. So for now, if you run Windows and print, take no action other than to be your normal, careful, slightly paranoid self.

    Action items if you are a consumer and DON’T print.

    Print spooler lately has been a big target. If you know you don’t ever print, or print to PDF or anything like that, you can proactively click on the search box and type in “services”, scroll down to Print Spooler, double-click it, click Stop, and then change the startup type to Disabled. Note you need to be an administrator (or have admin rights) to be able to stop this service.

    Action items if you are an IT pro or MSP.

    Determine if you can follow this post and disable the print spooler service, especially on servers, domain controllers in particular. You might want to go through server hardening guidance while you are at it. Bottom line, evaluate your risk for this attack and take action accordingly. The recommendation is to disable the print spooler service on the domain controllers first. If you are an SMB consultant where your domain controller is ALSO your print server, there’s no good alternative, especially if your folks have to print.

    TrueSec has come out with a workaround that allows you to deny permissions to keep attackers from gaining system rights and leave the print spooler service as is.

    And if you are running Mint, Chromebook, Apple, etc. etc.  just try not to look so smug, okay?
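The action items above come down to one step for domain controllers: stop the Print Spooler and set it to Disabled, and confirm it stayed that way. The function below is an added PowerShell example, not code from the AskWoody post; the server names in the final line are placeholders, remote runs assume WinRM is enabled, and nothing changes unless the confirmation prompt is answered or -Force is given.

```powershell
# Added example (not from the AskWoody post): stop and disable the Spooler service locally or
# on a list of servers, reporting the before/after state so the change can be verified.
function Disable-PrintSpooler {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [switch]$Force
    )

    # Runs on each target; returns the service state before and after the change.
    $work = {
        $svc    = Get-Service -Name Spooler
        $before = "$($svc.Status)/$($svc.StartType)"
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
        Set-Service -Name Spooler -StartupType Disabled
        $svc = Get-Service -Name Spooler
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Before   = $before
            After    = "$($svc.Status)/$($svc.StartType)"
        }
    }

    foreach ($computer in $ComputerName) {
        if (-not ($Force -or $PSCmdlet.ShouldProcess($computer, 'Stop and disable the Spooler service'))) {
            continue
        }
        if ($computer -eq $env:COMPUTERNAME) {
            & $work
        }
        else {
            Invoke-Command -ComputerName $computer -ScriptBlock $work   # assumes WinRM is enabled
        }
    }
}

# Domain controllers first, as the post recommends. Placeholder names; drop -WhatIf to apply.
Disable-PrintSpooler -ComputerName 'DC01.example.local', 'DC02.example.local' -WhatIf
```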

  • The confusion of .NET

    Posted on June 28th, 2021 at 02:40 Comment on the AskWoody Lounge

    PATCH WATCH


    By Susan Bradley

    Recently I’ve noticed that some folks are getting a bit confused about my recommendations regarding .NET updates.

    If you are a regular follower of my Master Patch Lists, you know that I don’t always recommend installing .NET updates right away, in the months they are released. Why? Because I’m trying to encourage the “business-style” of patching, in which you focus only on the offered security updates and skip the non-security fixes. By configuring your systems this way, the automatic patching process approves and installs only the security-related patches, not the quality fixes.

    Read the full story in the AskWoody Plus Newsletter 18.24.0 (2021-06-28).

  • Tasks for the weekend – June 26 – dealing with the Store

    Posted on June 26th, 2021 at 23:19 Comment on the AskWoody Lounge

    YouTube video here

    So yesterday and earlier today I had to deal with two computers that spontaneously had an Xbox gaming widget on the system that greyed out the screen. (you can see it in action here)

    Once I rebooted the systems the widget went away, and I proactively put a registry key in place to ensure it didn’t come back. I think, based on reviewing the event logs on both systems, that the cause was a Microsoft Store update that got installed yesterday on my home PC and early this morning at the office.

    EventData
    updateTitle 9WZDNCRFJBD8-Microsoft.XboxApp
    updateGuid {69e8be91-65f1-4436-96b8-9025450413d7}

    Remember that there is more that gets updated behind the scenes than just the Windows updates that you visually see. Office 365 Click-to-Run silently updates in the background unless you overtly stop the Office updating process. The Microsoft Store is another behind-the-scenes updating process as well.

    If you want to stop/block the Microsoft Store, there are ways to do it, as well as following PK’s excellent tutorial. Now mind you, this is advanced stuff and not for all. Many a system has been rendered unbootable when removing the apps wasn’t done correctly. So I recommend this only for advanced users.

    Bottom line when your computer does weird things, sometimes it’s not you. It’s REALLY not you.

  • WUshowhide is back!

    Posted on June 25th, 2021 at 22:05 Comment on the AskWoody Lounge

    A big thank you to Bruce for providing feedback to Microsoft to get WUshowhide re-signed with a SHA-2 certificate. It’s now been reposted to the download site.

    Sure enough it was what we thought….

    Thank you all for your patience. The troubleshooter was initially removed as part of our SHA-1 deprecation, where we removed all content on the DLC which had only SHA-1 signing. We are working to re-sign this with a SHA-2 certificate and verify that it works as expected, and will re-publish. I will follow up again shortly.

    He did and just reposted it tonight.

    http://download.microsoft.com/download/f/2/2/f22d5fdb-59cd-4275-8c95-1be17bf70b21/wushowhide.diagcab

    The full URL is there.


  • Got a Western Digital My book?

    Posted on June 24th, 2021 at 18:37 Comment on the AskWoody Lounge

    Dan Goodin on Twitter says:

    Western Digital is advising customers to disconnect their My Book storage devices while the company investigates the mass wiping of data from devices all over the world.
    See more here

  • MS-DEFCON 4: Get those June updates installed

    Posted on June 24th, 2021 at 02:50 Comment on the AskWoody Lounge
    ISSUE 18.23.1 • 2021-06-24

    MS-DEFCON 4

    By Susan Bradley

    It’s time to deal with “News and Interests.”

    Consumer and home users

    If you’ve been procrastinating with the June updates so you didn’t have to deal with the new “News and Interests” feature and its side effects, the time has come.

    Microsoft has released KB5003698 to fix issues with blurry images in 1909 for Enterprise. Windows 10 2004/20H2 and 21H1 received KB5003690 to fix the blurry text on the News and Interests button for some screen resolutions. KB5003690 also fixes a problem with search box graphics on the Windows taskbar, which occurs if you right-click the taskbar and turn off News and Interests. This graphics issue is especially visible when using dark mode. If it is a problem for you, install this optional update.

    There are other issues to work out, such as interactions with the desktop if you are using Classic Shell or other menu programs. AskWoody readers have noted cases in which signing in to customize the news selections did not work. If you have problems with the News and Interests feature, try setting it to icons only instead of icons and text.

    For Office updates, open up any Office software application, click on File, Account, Office Updates, and enable updates. Then click on Update Now to trigger their installation.

    Business users

    This month’s releases showcase that timing is everything. If you apply updates to workstations before applying them to servers and then attempt to use remote event-log tools, you will find that you cannot access the event logs. As noted by Microsoft, affected apps are using certain legacy Event Logging APIs. Ensure that you apply the updates for both workstations and servers before attempting to use such software.

    References

    Read the full story in the AskWoody Plus Alert 18.23.1 (2021-06-24).

  • 2004’s being pushed?

    Posted on June 24th, 2021 at 00:01 Comment on the AskWoody Lounge

    The Windows Update Twitter account indicates:

    Today we are starting a new rollout phase for Windows 10, version 21H1 using our latest machine learning model to begin the multi-month process to automatically update devices running Windows 10, version 2004, that are approaching end of servicing.

    So. What does that mean? Same old, same old, unfortunately.

    If you have a device on 2004 and do not have the targetreleaseversion in place to keep it on 2004, Microsoft will begin pushing you to 21H1.

    Well, first, I think they are pushing a little too quickly, as 2004 doesn’t age out until December. Furthermore, I still see people struggling to get off of 1909 and on to 2004. So if you have a reason to stay on 2004, even if that reason is that you are too busy right now to deal with it, make sure you have the targetreleaseversion setting in place; otherwise you may find yourself rebooting when you don’t want to.

    I’ll soon be adding the approval of 21H1 to my recommended versions. Bottom line, my recommendation is to use the TRV (aka targetreleaseversion) setting as the guard rails on your system. You then get to choose exactly when you want to go through the feature upgrade process. It’s on your time schedule, not Microsoft’s.
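The TRV guard rail described above is two policy values under the Windows Update policy key: TargetReleaseVersion = 1 and TargetReleaseVersionInfo = the version string to stay on. The functions below are an added PowerShell example, not from the AskWoody post; they assume the standard HKLM policy path that the “Select the target Feature Update version” Group Policy writes, and must run elevated to change it.

```powershell
# Added example (not from the AskWoody post): pin a Windows 10 device to a feature version so
# Windows Update does not move it to 21H1, and show the current pin next to the installed version.
function Set-TargetReleaseVersion {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Accepts the forms Windows uses: 2004, 20H2, 21H1
        [Parameter(Mandatory)]
        [ValidatePattern('^\d{4}$|^\d{2}H[12]$')]
        [string]$Version
    )
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

    if ($PSCmdlet.ShouldProcess($key, "Pin feature update to $Version")) {
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name TargetReleaseVersion     -Value 1        -Type DWord
        Set-ItemProperty -Path $key -Name TargetReleaseVersionInfo -Value $Version -Type String
    }
}

function Get-TargetReleaseVersion {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $pin = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $cv  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # DisplayVersion exists from 20H2 on; older builds such as 2004 only carry ReleaseId.
    $installed = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }

    [pscustomobject]@{
        InstalledVersion = $installed
        Pinned           = ($pin.TargetReleaseVersion -eq 1)
        PinnedTo         = $pin.TargetReleaseVersionInfo
    }
}

# Keep a 2004 machine on 2004 for now; later, set 21H1 when you choose to take the upgrade.
Set-TargetReleaseVersion -Version 2004 -WhatIf
Get-TargetReleaseVersion
```

Drop -WhatIf to apply the pin; on a domain-joined machine the Group Policy of the same name will overwrite these values on the next policy refresh, so set it there instead.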

    Will spotted this video the other day… scroll to the 9 minute mark and listen.