  • Still no April second cumulative updates for Win10, or Monthly Previews for Win7 or 8.1

    Posted on April 23rd, 2019 at 14:13 by woody

    10 am Redmond time on the fourth Tuesday of the month has come and gone, and… no patches.

    Is Microsoft messin’ with me?

    Or is there a deeper reason?

    I’m still willing to venture a guess that MS is having problems with its promised 1809-blocking “Download and install now” feature.

    Details and an update in my Computerworld Woody on Windows article.

  • Google’s JavaScript team: Spectre mitigation doomed to failure

    Posted on April 23rd, 2019 at 11:38 by woody

    That isn’t exactly what they said, but it’s pretty close. Here’s what they do say:

    A year with Spectre… When it was shown that JavaScript could be used to mount Spectre attacks, the V8 team became involved in tackling the problem… offensive research [from the white and gray hats] advanced much faster than our defensive research, and we quickly discovered that software mitigation of all possible leaks due to Spectre was infeasible… the engineering effort diverted to combating Spectre was disproportionate to its threat level… the increasingly complicated mitigations that we designed and implemented carried significant complexity, which is technical debt and might actually increase the attack surface, and performance overheads… We still know of no attacks in the wild, outside of the curious tinkerers and professional researchers developing proof of concept gadgets

    Make no mistake, Meltdown and Spectre could become nightmares. At some point in the far future. For now, don’t worry about it, OK?

  • Yet another conflict acknowledged with this month’s Win7 and 8.1 Monthly Rollups, this time with McAfee Endpoint Security

    Posted on April 19th, 2019 at 06:29 by woody

    And the hits keep on rolling…

    Last night, Microsoft added a new “Known issues with this update” entry to both KB 4493472, this month’s Win7 and Server 2008 R2 Monthly Rollup, and to KB 4493446, this month’s Win8.1 and Server 2012 R2 Monthly Rollup.

    Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update.

    We are presently investigating this issue with McAfee.

    Guidance for McAfee customers can be found in the following McAfee support articles:

    McAfee Security (ENS) Threat Prevention 10.x

    McAfee Host Intrusion Prevention (Host IPS) 8.0

    Both of those links are to essentially identical pages, which state:

    Changes in the Windows April 2019 update for Client Server Runtime Subsystem (CSRSS) introduced a potential deadlock with ENS.

    Workaround: Disable any Access Protection rule that protects a service.

    The announcement’s strange, not so much for what it contains (we’ve had similar reports for Sophos, Avast and Avira), but for what it doesn’t contain.

    First, the corresponding Security-only patches don’t have the same admonition. With Sophos, Avast and Avira we also got warnings for this month’s Win7 and 8.1 Security-only patches.

    Second, there’s no announcement for Server 2018.

    Third… why did it take so long? The bad patch is ten days old.

    The first two points may just be sloppy documentation. Heaven knows we’ve seen a lot of that lately. But the third one has me scratching my well-scratched pate.

    I’ll have more on this in Monday morning’s AskWoody Plus Newsletter.

  • To block the latest zero day, instead of removing Internet Explorer, just short-circuit access to MHT files

    Posted on April 18th, 2019 at 11:26 by woody

    It’s pretty easy, if you know the tricks.

    Step-by-step details in Computerworld.

  • That Internet Explorer XXE zero day poking through to Edge

    Posted on April 18th, 2019 at 07:51 by woody

    I’ve been slammed for the past few days, and haven’t kept you folks apprised of the latest Internet Explorer 0day.

    It depends on you opening an infected MHT file. MHT is an old file format that’s almost always opened by IE — no matter which browser you’re using, no matter which version of Windows. Catalin Cimpanu has a good overview of this XXE vulnerability on ZDNet.

    It’s a doozy of a security hole, as it affects every recent version of IE, and it infects whether you’re actively browsing with IE or not.

    When you download files from the internet, they’re marked — the “Mark-Of-The-Web” — to tell programs that special care is required when opening the files. Thus, if you download an infected MHT file, IE will know that it needs to open the MHT file with caution (at “low integrity,” in a sandbox). That severely limits this exploit’s reach.

    There’s a lot of controversy about how bad this XXE hole really is. There have been lots of XXE holes discovered in the past. They’re used to pull files off your machine and send them to the bad guys. Microsoft figured this one isn’t all that bad, in part because of the MOTW mechanism. The folks who discovered this particular hole aren’t so sanguine. They responded to Microsoft’s snub last week by releasing details, proof of concept code, and even a video.

    Yesterday, Mitja Kolsek at 0patch revealed something disconcerting. If you use Edge to download an infected MHT file, Internet Explorer will open it like any other file. Says Kolsek:

    Does Edge not put the mark-of-the-web on downloaded files, or does it do it differently and somehow confuses Internet Explorer? That would be a serious flaw.

    He goes on to explain how Edge changes the permissions on downloaded files and, thus, why IE will open the infected MHT file as if it had no Mark-Of-The-Web.

    All fascinating stuff if you’re into this kind of thing. Ionut Ilascu has a synopsis on BleepingComputer.

    The 0patch company has a quick patch that you can apply, free, if you’re concerned about getting burned. I’m not going to link to it — I don’t want to take responsibility for 3rd-party patches to Windows — but you can find it quite easily if you’re really interested. That said, 0patch is highly regarded, and has made many useful hotfixes for Windows.

    What to do? That’s easy. Don’t open MHT files. And don’t use IE.

    Thx to @Alex5723 and others who have been posting about this problem while I’m off doing other things…

    Let’s see if I get a definitive answer from this:

    UPDATE: @mkolsek, who published the report yesterday, confirms that reassigning the default handler for MHT files breaks the attack. He tested it. I’ll write this up.
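    The post above turns on two Windows mechanisms: the Mark-of-the-Web that download managers stamp on files, and the default handler that decides which program opens an .mht file. The PowerShell script below is an added example, not code from the AskWoody post, from 0patch or from Microsoft; it audits both from a defender’s side. It assumes (my assumptions, not the post’s) that the MOTW lives in the NTFS alternate data stream named Zone.Identifier, that the .mht extension resolves through HKEY_CLASSES_ROOT\.mht to a ProgID, and that the ProgID’s shell\open\command names the handler. The sample file and its MOTW are constructed by the script itself so it runs offline.

```powershell
# Added example (not from the AskWoody post): audit a downloaded MHT file's
# Mark-of-the-Web and report which program Windows will hand .mht files to.
# Assumptions (mine, not the post's): MOTW is the NTFS alternate data stream
# "Zone.Identifier"; .mht maps to a ProgID under HKEY_CLASSES_ROOT\.mht whose
# shell\open\command names the handler.

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # Zone.Identifier is an INI-style stream; ZoneId=3 means "Internet" zone.
    try {
        $raw = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch {
        # No stream at all: the file carries no MOTW and gets no special handling.
        return [pscustomobject]@{ Path = $Path; HasMotw = $false; ZoneId = $null; HostUrl = $null }
    }
    $fields = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*(\w+)\s*=\s*(.*)$') { $fields[$matches[1]] = $matches[2].Trim() }
    }
    [pscustomobject]@{
        Path    = $Path
        HasMotw = $true
        ZoneId  = if ($fields.ContainsKey('ZoneId')) { [int]$fields['ZoneId'] } else { $null }
        HostUrl = $fields['HostUrl']
    }
}

function Get-MhtHandler {
    # Follow .mht -> ProgID -> shell\open\command, the lookup Explorer performs.
    $ext = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.mht' -ErrorAction SilentlyContinue
    $progId = $ext.'(default)'
    if (-not $progId) { return [pscustomobject]@{ ProgId = $null; Command = $null } }
    $cmd = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue
    [pscustomobject]@{ ProgId = $progId; Command = $cmd.'(default)' }
}

# Constructed sample: write a harmless file and stamp it with an Internet-zone
# MOTW ourselves, so the audit can be demonstrated without downloading anything.
$sample = Join-Path $env:TEMP 'motw-demo.mht'
Set-Content -LiteralPath $sample -Value 'MIME-Version: 1.0'
Set-Content -LiteralPath $sample -Stream 'Zone.Identifier' -Value @(
    '[ZoneTransfer]',
    'ZoneId=3',
    'HostUrl=https://example.invalid/demo.mht'   # placeholder host, not a real site
)

$motw    = Get-MarkOfTheWeb -Path $sample
$handler = Get-MhtHandler

$motw    | Format-List
$handler | Format-List

# The two conditions the post describes: a missing/weak MOTW means IE will not
# open the file at low integrity; IE as the .mht handler means the file reaches IE
# regardless of which browser downloaded it.
if (-not $motw.HasMotw -or $motw.ZoneId -lt 3) {
    Write-Warning "No Internet-zone MOTW on $($motw.Path): IE would open it without the low-integrity sandbox."
}
if ($handler.Command -match 'iexplore\.exe') {
    Write-Warning 'MHT files are handed to Internet Explorer; reassign the .mht default program (Settings > Apps > Default apps) if you do not need IE for them.'
}
```

    Run it against a file you actually downloaded with Edge (replace `$sample` with that path) to see whether the Zone.Identifier stream is present and what zone it records; that is the check behind Kolsek’s question above. The handler lookup reads the merged HKEY_CLASSES_ROOT view, so it reflects whatever per-user or per-machine association is currently in force; changing the association through the Default apps settings page is the supported way to apply the handler reassignment the UPDATE refers to.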

  • What happened to the second monthly “C Week” cumulative updates?

    Posted on April 17th, 2019 at 04:31 by woody


    As of very early Wednesday morning, I don’t see any of the usual second monthly cumulative updates. For all versions of Win10 except 1809, we’ve had “optional non-security” updates on the third Tuesday of the month – for quite some time. Win7 and 8.1 usually get a “Preview of Monthly Rollup.”

    I’ve looked high and low and can’t find them.

    Is somebody asleep at the wheel? Or is there some sort of surprise lurking?

    I wonder if it has something to do with the promised 1809-blocking “Download and install now” feature giving Redmond fits?

  • MS-DEFCON 2: Patching conflicts with Sophos and Avast are getting better, but Avira’s a no-show. Don’t patch.

    Posted on April 16th, 2019 at 07:33 by woody

    It’s still much too early to install the April patches.

    Details in Computerworld Woody on Windows.

    I’m moving us down to MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

  • MS-DEFCON 1: There’s no reason to stick your finger in the pencil sharpener – DON’T UPDATE

    Posted on April 12th, 2019 at 06:36 by woody

    We have confirmed reports of six bad patches this month – Monthly Rollups and Security-only patches for Win7, 8.1, Server 2008 R2, 2012, 2012 R2 – and troubling reports of a slowdown with the Win10 version 1809 cumulative update.

    Who should be testing this stuff? The answer’s not as straightforward as you may think.

    Details in Computerworld Woody on Windows.

    I’m moving us to MS-DEFCON 1: Current Microsoft patches are causing havoc. Don’t patch.