Newsletter Archives

  • Attack surface reduction rule triggers a mess on Friday the 13th

    #Fridaythethirteenthmess

    Microsoft 365 Status on Twitter: “The revert is in progress and may take several hours to complete. We recommend placing the offending ASR rule into Audit Mode to prevent further impact until the deployment has completed. For more details and instructions, please follow the SI MO497128 in your admin center.”

    If you have the attack surface reduction (ASR) rule that polices Office macros set to Block, you woke up this morning to missing Start menu, taskbar and desktop shortcuts. The rule started deleting .lnk files after a Defender update. Note this only happens when that ASR rule is enabled in Block mode: machines running Defender without ASR rules configured are not affected. It is just those with ASR rules enabled.

    The specific rule causing this is

    Block Win32 API calls from Office macros

    Rule-ID 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b

    In Intune or Group Policy, set the rule to Audit mode if Microsoft hasn’t done it for you already.  Now, how to deal with the missing shortcuts?

    Emin reports that “If you’ve volume shadow copy enabled, you can find these shortcuts in a VSS snapshot. I still use nowadays this code whenever I’ve to mount/dismount VSS snapshots. https://p0w3rsh3ll.wordpress.com/2014/06/21/mount-and-dismount-volume-shadow-copies/”

    Alternatively, you can get the shortcuts back from OneDrive if Desktop folder synchronization was enabled.
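    Putting both steps into one script, as an added example that is not code from this post, from Emin’s blog, or from Microsoft’s guidance: the rule is switched from Block to Audit with the Defender PowerShell module, then the missing .lnk files are copied back from the newest VSS snapshot of C:. It assumes an elevated session, that a snapshot taken before the Defender update exists, and that the restore paths (the Start menu for all users and for the current user, plus the Desktop) and the C:\vss_snapshot link path are the ones you want; adjust them if not.

```powershell
# Added example (not from the post, Emin's blog or Microsoft): put the offending ASR rule
# into Audit mode, then restore deleted .lnk files from the newest VSS snapshot of C:.
# Run in an elevated PowerShell session. $MountPoint is an arbitrary path chosen here.
$RuleId     = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'   # Block Win32 API calls from Office macros
$MountPoint = 'C:\vss_snapshot'

# 1. Block -> Audit. In AuditMode the rule still logs (event 1122) but no longer deletes.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions AuditMode

# Confirm it took. Get-MpPreference returns parallel arrays of rule IDs and actions
# (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($pref.AttackSurfaceReductionRules_Ids[$i] -eq $RuleId) {
        "ASR rule $RuleId action is now $($pref.AttackSurfaceReductionRules_Actions[$i])"
    }
}

# 2. Newest shadow copy of C:. Win32_ShadowCopy.VolumeName and Get-Volume.Path both
#    use the \\?\Volume{GUID}\ form, so they can be compared directly.
$cVolume = (Get-Volume -DriveLetter C).Path
$shadow  = Get-CimInstance Win32_ShadowCopy |
           Where-Object VolumeName -eq $cVolume |
           Sort-Object InstallDate -Descending |
           Select-Object -First 1
if (-not $shadow) { throw 'No VSS snapshot of C: exists; use the OneDrive route instead.' }
"Using snapshot from $($shadow.InstallDate): $($shadow.DeviceObject)"

# 3. Expose the read-only snapshot as a directory symlink (the trailing backslash is required).
cmd /c mklink /d $MountPoint "$($shadow.DeviceObject)\" | Out-Null

# 4. Copy back only the .lnk files that are gone; shortcuts that survived are left alone.
$relPaths = @(
    'ProgramData\Microsoft\Windows\Start Menu\Programs',
    "Users\$env:USERNAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs",
    "Users\$env:USERNAME\Desktop"
)
$restored = 0
foreach ($rel in $relPaths) {
    $src = Join-Path $MountPoint $rel
    $dst = Join-Path 'C:\' $rel
    if (-not (Test-Path $src)) { continue }
    foreach ($lnk in Get-ChildItem -Path $src -Recurse -Filter *.lnk) {
        $target = Join-Path $dst $lnk.FullName.Substring($src.Length).TrimStart('\')
        if (-not (Test-Path $target)) {
            New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
            Copy-Item -Path $lnk.FullName -Destination $target
            $restored++
        }
    }
}
"Restored $restored shortcut(s)"

# 5. Remove the link only. rmdir on a directory symlink does not touch the snapshot.
cmd /c rmdir $MountPoint
```

    Do step 1 before step 4: while the rule is still in Block mode, Defender can delete the restored shortcuts again as soon as they land. Shortcuts in other locations (pinned taskbar items under AppData\Roaming\Microsoft\Internet Explorer\Quick Launch, for example) can be added to $relPaths the same way.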

    Microsoft’s guidance here:

    I’ll also note this on the Master Patch list, but it’s NOT exactly a patch-related side effect.

  • So how do you get to 21H2 without 22H2?

    • Windows 11 22H2: Not recommended
    • Windows 11 21H2: If you have a Windows 11 PC, recommended
    • Windows 10 22H2: Not recommended
    • Windows 10 21H2: Recommended

    Those are my current recommended versions of Windows 10 and Windows 11.  But how do you get to 21H2 without being pushed on to 22H2?

    Easy. EITHER use the registry keys/group policy showcased here:

    Or use the InControl tool, which I consider a bit easier to use.

    You download the tool and choose the version and release you want.  It will keep your machine at just that version and Microsoft won’t push you to 22H2.

    Right now, before next Tuesday, if you are offered 21H2 in the update window, go ahead and install it, then set your deferral window to push off further updates.

    If you purchased a Windows 11 computer and want to keep it on 21H2, use the same tool and pick version Windows 11 and then Version 21H2.
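    For those who would rather script it than use a tool, here is an added example (not code from this post or from InControl) that sets the same “Select the target Feature Update version” policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate that the Group Policy setting writes. It assumes an elevated session; the product and release strings at the top are the values you choose.

```powershell
# Added example (not from the post or InControl): pin Windows Update to one product/release
# with the Windows Update for Business "target release version" policy values. Run elevated.
$Product = 'Windows 10'   # or 'Windows 11'
$Release = '21H2'
$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Set-TargetRelease {
    param([string]$Product, [string]$Release)
    New-Item -Path $Key -Force | Out-Null
    # TargetReleaseVersion=1 turns the policy on, TargetReleaseVersionInfo names the release,
    # and ProductVersion stops "21H2" on a Windows 10 PC from being satisfied by Windows 11 21H2.
    Set-ItemProperty -Path $Key -Name TargetReleaseVersion     -Value 1        -Type DWord
    Set-ItemProperty -Path $Key -Name TargetReleaseVersionInfo -Value $Release -Type String
    Set-ItemProperty -Path $Key -Name ProductVersion           -Value $Product -Type String
}

function Get-TargetRelease {
    # Returns the current pin, or nothing if the policy is not set.
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($p -and $p.TargetReleaseVersion -eq 1) {
        [pscustomobject]@{ Product = $p.ProductVersion; Release = $p.TargetReleaseVersionInfo }
    }
}

function Clear-TargetRelease {
    # Remove the pin when you are ready to let the machine move on (to 22H2 or later).
    'TargetReleaseVersion', 'TargetReleaseVersionInfo', 'ProductVersion' |
        ForEach-Object { Remove-ItemProperty -Path $Key -Name $_ -ErrorAction SilentlyContinue }
}

Set-TargetRelease -Product $Product -Release $Release
Get-TargetRelease

# Compare the pin with what is actually installed (DisplayVersion exists on 20H2 and later).
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
'Installed: {0} build {1}' -f $cv.DisplayVersion, $cv.CurrentBuild
```

    The pin only stops feature updates; monthly quality and security updates still arrive. Remember to change the release value (or run Clear-TargetRelease) before the pinned release reaches end of servicing, otherwise you have pinned yourself to an unsupported build.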

  • It’s time for those August updates to be deferred

    Annnndddd here we go again….

    It’s the second Tuesday of the month and Microsoft is releasing its updates:

    Remember first and foremost to always update your browsers so ensure Firefox, Chrome, Brave, Tor, Edge, Safari, whatever you use is up to date.

    Now onto the updates:  https://patchtuesdaydashboard.com/

    227 vulnerabilities patched, 21 critical, 2 already exploited in the wild

    The majority are “elevation of privilege” bugs. Translation: the attacker is already inside the office, and these let them climb from an ordinary account to administrator.

    I’ll link up more as we know it and in the meantime I’ll keep an eye out for side effects.

    Dustin Childs’ zero day write up – https://www.zerodayinitiative.com/blog/2022/8/9/the-august-2022-security-update-review

    DogWalk zero day (the OTHER Microsoft Support Diagnostic Tool bug) got fixed

    There is a “Secure Boot patch” I’ll be recommending you defer at least until we know more about it. It goes all the way back to Windows 8.1.


  • Here come the May updates

    First up consumer advice:

    Remember, this is the time your main machine should be in deferral mode. So either defer updates to a later date, set your connection as metered, or use wushowhide to pick which updates you want… but not now. Today is wait and see what we testers find out.

    Business patchers:

    • I’m still tracking an issue with Windows Server 2022 and the RD Gateway brokering service. I’ll let you know if that’s fixed.  It’s not been fixed; still occurring.
    • Installation issues, as noted on the BornCity blog, should be fixed in the May releases. Note I only saw this in corporate networks, so to me it appears to be a build/deployment-triggered event.

    Remember — “Windows 10, version 1909, and Windows 10, version 20H2 have reached end of servicing.  As of May 10, 2022, the Home and Pro editions of Windows 10, version 20H2, and all editions of Windows 10, version 1909 have reached end of servicing. The May 2022 security update, released on May 10, is the last update available for these versions. After that date, devices running these editions will no longer receive monthly security and quality updates containing protections from the latest security threats.”

    And now we pop the popcorn and see what today’s releases bring to us:

    From Dustin Childs: “Some really interesting bugs in today’s #Microsoft patch release, incl one under active attack. I’ll have my thoughts out soon. #PatchTuesday”

    Stay tuned, I’ll be adding links and comments here as well.

    Consumer comments:

    • Print spooler bugs are being patched again, so I’ll be watching for printing bugs.
    • The one bug under active attack (CVE-2022-26925, the PetitPotam/NTLM relay issue against domain controllers) is corporate targeted, not consumer.
    • .NET is getting patched. (IMHO the retirement of the older .NET versions is still extremely and frustratingly unclear. While .NET updates no longer throw off quite the side effects they did before, the communication regarding support of older .NET versions, and the lack of good tools to tell you what you have installed and what you are vulnerable to, is frustrating to me. Look for more articles/guidance on this in the future.)
    • Windows 11 is having issues with applications that want .NET 3.5.  It looks like Microsoft is handling this with a “known issue rollback”.  If you are on 11, look in the comments link for more reports.

    Business comments:

    • If you still patch on-premises Exchange, there are updates out this month.
    • The “in the wild” vulnerability where we are patching PetitPotam again (CVE-2022-26925) is triggering side effects on domain controllers. Keep an eye out for NPS policy and other authentication failures.

  • April patching showers, here we go

    It’s that time of the month for all computer users to get in the habit of checking their devices.

    While “Patch Tuesday” is the big one for Windows users, it’s also wise to check your Apple devices.  I know that my iPhone has been offering – but not pushing – the latest updates. They too are doing a “let’s dribble them out and see how well they go” methodology these days.

    But back to Microsoft:

    Remember, this month they push out search highlights in Windows 10: “Search highlights will roll out to Windows 10 customers over the next several weeks. We are taking a phased and measured approach.”

    I’ll be adding more links as folks post up analysis.  Here at Askwoody we track the side effects and try to weed out what is “corner cases” from those issues that are widespread.

    145 vulnerabilities, 1 publicly disclosed, 10 critical

    .NET security updates are included in the April 2022 updates for denial of service issues.

    Dustin Childs’ zero day write up here.  Clearly there is a difference between home users and business computers this month, with an RPC bug that provides lateral movement inside a network once an attacker gets in.  Port 135 is the RPC endpoint mapper, used alongside SMB for things like file and printer sharing; it is not normally exposed to the outside world. But on an office network, once they get in, ouchie!

  • Unicorn Friday – what do you want from updating?

    Aria, Microsoft’s product manager for Windows updating, tweets today:

    If I were to have a magic unicorn that could grant one wish that would give you what you have always wanted within the world of Windows updating, what would your wish be?  She asks whether it would be related to:

    • Good reporting
    • More control(s)
    • Better documentation
    • Better end-user experience

    So what would your one wish be?

    For those that are consumers/home users we often have to ride the leftovers from the enterprises. If THEY want something we then GET that something.  I think there is one more item we want that EVERYONE wants:  That of quality updates that don’t break our stuff.

  • March Madness patching begins

    While over at Apple they are having a livestream event, Microsoft is releasing their updates. Will Apple release updates today as well?

    Windows 11 gets weather on the left-hand side, where the Start menu is in Windows 10.  You know you are getting old when moving the weather icon around annoys you.  While Microsoft said that Windows 11 would only get feature releases once a year, they are dribbling out these taskbar changes constantly. Remember, the changes that were in preview last time will be in the Windows 11 updates this month. My advice?  Use Start11 or any of the other classic menu offerings if you are on Windows 11.

    Meanwhile, for those of us on Windows 10, 8.1, 7 and server operating systems, keep an eye out for the security updates releasing today.

    Also be aware that Windows 10 20H2 Home and Pro editions drop out of support on May 10, 2022, and Windows 10 1909 Enterprise and Education editions drop out on May 10, 2022 as well.

    For those on Linux, look out for “Dirty Pipe” (CVE-2022-0847), a vulnerability that recently came to light and was fixed in Linux 5.16.11, 5.15.25 and 5.10.102 on February 23, 2022.  A proof of concept has been released.

    As always, pop that popcorn, sit on the sidelines as we weed through the releases and see what side effects will occur.

    I’ll be adding links and resources as the patches and information is released. Of course, full analysis will be in next week’s newsletter.

    Updated info:

    92 vulnerabilities, 2 publicly disclosed, 3 critical

    If you have an on premises Exchange server – once again you want to test and patch as soon as you can.

    The Remote Desktop client needs a patch, but it takes a malicious server to trigger the remote code execution.

    Windows 10 2004 and later (only) have an SMBv3 bug, and Xbox has a bug unique to it alone.

    HEVC video extensions are getting a patch, which means if you block updates through the Microsoft Store, you’ll need to update this manually.

    Günter Born reports that the Remote Desktop connection role on Server 2022 is impacted. Note I am not seeing this on Server 2019 or earlier versions.


  • Don’t move your printer spooler files

    Video here

    This came up the other day on one of the patching lists. Someone was trying to install the recent patches that include print spooler fixes, and the updates kept failing/causing issues. It turned out the print spooler directory had been moved to a different drive and the update expected it to be on the C: drive. Once they moved it back, all was well.

    Moving the print spooler folder is something that can be done with a registry key, but it’s something I honestly don’t recommend. Yes, we can say Microsoft shoulda/coulda/woulda, and gee, shouldn’t the update be able to find where your spooler is located and not care which drive it’s on? I just feel that your best patching experience is when you stay with the normal Windows location for system files. In a perfect world every patch wouldn’t care where the spooler is located; we live in the real world, where your patching experience is just better if you stick with “normal”.
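    Here is the check I would run before a spooler-related patch, as an added example that is not code from this post: it reads the global DefaultSpoolDirectory value and every per-printer SpoolDirectory override under HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers and flags anything that is not the stock %SystemRoot%\System32\spool\PRINTERS path. The second function moves the configuration back to the default; it is defined but not run, because it stops the spooler, and any jobs still queued in the old directory are not carried across.

```powershell
# Added example (not from the post): find spooler directories that have been moved off the
# default location, and put the configuration back if needed. Run elevated.
function Get-SpoolDirectoryStatus {
    $base    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Printers'
    $default = Join-Path $env:SystemRoot 'System32\spool\PRINTERS'
    $global  = (Get-ItemProperty -Path $base -Name DefaultSpoolDirectory -ErrorAction SilentlyContinue).DefaultSpoolDirectory

    $rows = @()
    $rows += [pscustomobject]@{
        Scope     = '(default for all printers)'
        Directory = $global
        Moved     = [bool]($global -and $global -ne $default)   # -ne is case-insensitive
    }
    # Each printer's subkey may carry its own SpoolDirectory override.
    foreach ($printer in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $dir = (Get-ItemProperty -Path $printer.PSPath -Name SpoolDirectory -ErrorAction SilentlyContinue).SpoolDirectory
        if ($dir) {
            $rows += [pscustomobject]@{
                Scope     = $printer.PSChildName
                Directory = $dir
                Moved     = $dir -ne $default
            }
        }
    }
    $rows
}

function Restore-DefaultSpoolDirectory {
    # Stop the service, clear the global value and every per-printer override, restart.
    # Jobs still sitting in the old directory are not moved; drain the queue first.
    $base    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Printers'
    $default = Join-Path $env:SystemRoot 'System32\spool\PRINTERS'
    Stop-Service Spooler -Force
    Set-ItemProperty -Path $base -Name DefaultSpoolDirectory -Value $default -Type String
    foreach ($printer in Get-ChildItem -Path $base) {
        Remove-ItemProperty -Path $printer.PSPath -Name SpoolDirectory -ErrorAction SilentlyContinue
    }
    Start-Service Spooler
}

$status = Get-SpoolDirectoryStatus
$status | Format-Table -AutoSize
if ($status.Moved -contains $true) {
    Write-Warning "Spooler files are not under $env:SystemRoot\System32\spool\PRINTERS; move them back (Restore-DefaultSpoolDirectory) before patching."
}
```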

    So what else do you do to stay with normal when it comes to patching?

  • Beware of firmware updates on Surface book 3

    Barb Bowman passed this along and I’m seeing other posts on the subject.

    The recent firmware update to Surface Book 3s appears to be bricking some of the devices.

    Arnaud van Galen posted in “No disks after firmware update”: “also had this combination of 2 firmware updates (13.101.140.0 and 13.0.1889.2 sounds right) last night, but the machine didn’t boot at all anymore this morning. When I enter the UEFI it says System UEFI = 13.101.140 and Intel Management Engine = 13.0.1889.2 so it does seem that both firmwares got installed correctly.

    I tried booting from a recovery USB and from inside diskpart it showed that there were no partitions anymore.

    I tried reinstalling (both with secureboot on and off) but Windows gives Error 0x80300024 and from inside diskpart I get ‘The request failed due to a fatal device hardware error’ after giving a ‘list disk, select disk 0, detail disk, clean, create partition efi’.”

    “While not conclusive, it looks like this firmware update and the Hynix drive (HFM256GDGTNG-87A0A) have issues about 50% of the time, rendering the surface useless.”

    More threads are here: Windows 11 update blue-screened my Surface Book 3 – Microsoft Community

    Surface Book 3 – The newest update has completely bricked my Surface – Microsoft Community

    HoopersX on Twitter: “Hey @karaswisher did you hear about the @microsoft firmware update for their Surface Book 3’s that has completely bricked the devices and they have no answers since it started last Thursday? It kills the BIOS ability to see the drive. So no easy fix in Windows”

  • February 2022 Patch Tuesday early reports

    It’s that time of the month again when we wait on news of update side effects. It’s my philosophy that you shouldn’t rush into anything, and patching (with very few exceptions) falls into that as well.

    This month includes patches for the print spooler (ugh), but it remains to be seen whether we’ll see more printer side effects.

    So (for Windows 10/11) go to Start > Settings > Update & Security > Advanced options > Pause updates, choose the date of February 22, then sit back and let’s see how February shakes out. In the meantime, here’s a Valentine’s Day poem from Kelley Robinson:

    Roses are red
    Violets are blue
    Turning on 2FA
    Is good for me and you

    Links to keep an eye on for those of you that want to dig through the weeds yourself – but as always we’ll be recapping the side effects in the newsletter and Master patch list so you don’t have to wade through all of the weedy stuff.

    Raw link from MSRC
    Dustin Childs’ Security update review
    SANS patch recap
    Patch Tuesday dashboard
    Reddit’s Patch Tuesday megathread (lots and lots to dig through)


  • November patches here we come

    Here come the updates for November. Remember, at this time I urge you to defer, not install, UNLESS you have a test bed/good backup plan and you are one of the regulars who love to test for the rest of us and let us know how the patching looks.

    For those updating Macs, Apple recently fixed an issue where the Monterey release was bricking some machines with the T2 security chip.

    Peter Deegan over on Office-Watch has a post about how Microsoft is “aligning support of consumer OneDrive sync with the life cycles of the platforms.” Once again Windows 8.1 is the red-headed stepchild of the operating systems, and I’m not buying this “alignment” when it’s still fully supported for another year. We’ll have more on alternatives in an upcoming newsletter.

    I always link to resources like the Zero Day Initiative blog, because to me it’s like the green start flag of the patching race: it’s now officially release day. Here at AskWoody, however, we’re always flying the yellow caution flag: slow down, watch, and be careful.

    So far the only patches I’d urge business patchers to jump on are the Exchange security updates, and for those you first need a backup, a maintenance window to deploy, and a recovery plan just in case. There are several Office bugs, so make sure you don’t open attachments blindly (Excel files, for example). Finally there’s a bug in Remote Desktop, and for that there’s another “duh” workaround: don’t open any RDP files offered or emailed to you.

    As always I’ll be looking for side effects and issues and will be reporting on them in the Plus newsletter. Remember, you want to be the tortoise, not the hare, when it comes to updating. Ensure your browser is updated, be a bit more paranoid about clicking, and stay tuned.

  • September 2021 – it’s patch day!

    This week is clearly “patch the zero day” week.  Yesterday Apple, and also Chrome, fixed several zero days.

    Today we have the Microsoft version.  And while Adobe doesn’t have any zero days in its release bundle, if you are (still) a user of Adobe Acrobat or Reader, you’ll be getting, and wanting, an update.

    Today we are fixing the Microsoft MSHTML zero day I wrote about the other day. If you used the registry key workaround to protect yourself, I’ll remind you to undo it when I give the all clear.

    One thing I’m not clear on from an initial read of my usual sources, Dustin Childs and BleepingComputer, is the situation with the print spooler. More print spooler bugs are being fixed, but are they the ones we were concerned about, carried over from prior months, that kept me urging you to keep the print spooler service disabled? I’ll be digging into that question.

    Stay tuned, deeper analysis by this weekend.

    As always, for those who DO have a backup and like to be the beta testers for the rest of us, do let us know of any issues you see. In the meantime I’ll be watching and accumulating the facts, not the rumors, as we always do here on AskWoody.

    Don’t forget to sign up for either the Twitter alerts or the newly minted text alerts:

    Want to get alerted when the AskWoody MS-DEFCON status changes?

    MS-DEFCON Alert system

    If you want to get alerted when the MS-DEFCON status changes there are two ways to do so:

    Twitter:  https://twitter.com/defconpatch. Sign up for Twitter and follow that account, then set up notifications in the Twitter app so you get alerted when the account tweets a change. COST:  free, other than now having a Twitter account, but I honestly find that some of the best security information and advice is freely given on Twitter. You can also follow the official AskWoody Twitter account as well.

    Cell phone notifications via text:  You need to be a PLUS member to get the fullest benefit from this service.  We request a small fee (along the lines of the decide-what-you-want-to-pay model the main site uses) to cover the costs of the monthly texting service and server hosting. Click here to sign up. COST:  We ask a minimum of $1 a month to keep the lights on and the chipmunks powering the servers fed, but if you’d like to donate more to the cause we’d all be appreciative!