Newsletter Archives

• Attack surface reduction rule triggers a mess on Friday the 13

  Posted on January 13, 2023 at 09:00 CST by Susan Bradley • Comment in the Forums

  

  #Fridaythethirteenthmess

  Microsoft 365 Status on Twitter: “The revert is in progress and may take several hours to complete. We recommend placing the offending ASR rule into Audit Mode to prevent further impact until the deployment has completed. For more details and instructions, please follow the SI MO497128 in your admin center.” / Twitter

  If you set up the Attack surface reduction rule to check Office macros, you have woken up to missing shortcuts. It appears to have been triggered after a defender update. Note this will only occur IF you have attack surface reduction rule enabled. On machines where this is not set, no issues will be seen using Defender.  It is just those with ASR rules enabled.

  The specific rule causing this is

  Block Win32 API calls from Office macros

  Rule-ID 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b

  In Intune or group policy set the rule to audit if Microsoft hasn’t done it for you already.  Now how to deal with the missing shortcuts?

  Emin reports that “If you’ve volume shadow copy enabled, you can find these shorcuts in a VSS snapshot. I still use nowadays this code whenever I’ve to mount/dismount VSS snapshots. https://p0w3rsh3ll.wordpress.com/2014/06/21/mount-and-dismount-volume-shadow-copies/

  Alternatively you can get the shortcuts from Onedrive if the Desktop synchronization was enabled.

  Microsoft’s guidance here:

  I’ll also note this on the Master Patch list – but it’s NOT exactly patch related side effect.

  Windows Patches/Security Master Patch List, Patch Lady Posts

• So how do you get to 21H2 without 22H2?

  Posted on November 4, 2022 at 21:26 CDT by Susan Bradley • Comment in the Forums
  • Windows 11 22H2: Not recommended
  • Windows 11 21H2: If you have a Windows 11 PC, recommended
  • Windows 10 22H2: Not recommended
  • Windows 10 21H2: Recommended

  That’s my current recommended versions of Windows 10 and Windows 11.  But how do you get to just 21H2 without installing 22H2?

  Easy. EITHER use the registry keys/group policy showcased here:

  Or use the tool at Incontrol. I consider this a bit easier to use.

  

  You download the tool and choose the version and release you want.  It will keep your machine at just that version and Microsoft won’t push you to 22H2.

  Now right now before next Tuesday, if you get offered 21H2 in the update window go ahead and install it and then set your deferral window to push off updates.

  If you purchased a Windows 11 computer and want to keep it on 21H2, use the same tool and pick version Windows 11 and then Version 21H2.

  Windows 10, Windows Patches/Security Patch Lady Posts

• It’s time for those August updates to be deferred

  Posted on August 9, 2022 at 12:11 CDT by Susan Bradley • Comment in the Forums

  Annnndddd here we go again….

  It’s Second Tuesday of the Month and Microsoft is releasing their updates:

  Remember first and foremost to always update your browsers so ensure Firefox, Chrome, Brave, Tor, Edge, Safari, whatever you use is up to date.

  Now onto the updates:  https://patchtuesdaydashboard.com/

  21 Critical

  2 already in the wild and exploited

  227 vulnerabilities patched

  The majority are “elevation of privilege” — translation the attackers want to get inside the office.

  I’ll link up more as we know it and in the meantime I’ll keep an eye out for side effects.

  Dustin Child’s zero day write up – https://www.zerodayinitiative.com/blog/2022/8/9/the-august-2022-security-update-review

  Dogwalk Zero day (the OTHER Microsoft support tool bug) got fixed

  There is a “Secure boot patch” I’ll be recommending you defer at least until we know more about it. Impacting all the way back to Windows 8.1.

   

  Windows Patches/Security, Windows Security Patch Lady Posts

• Here come the May updates

  Posted on May 10, 2022 at 12:21 CDT by Susan Bradley • Comment in the Forums

  First up consumer advice:

  Remember this is the time that your main machine should be in deferral mode. So either defer updates for a later date, choose to be on metered connection, use WUshowhide to choose what updates you want ….but not now… today is wait and see what us testers find out.

  Business patchers:

  • I’m still tracking an issue with Windows Server 2022 and RDgateway brokerage service. I’ll let you know if that’s fixed.  It’s not been fixed. Still occurring.
  • Installation issues – as noted on the BornCity blog should be fixed in the May releases. Note I only saw this in corporate networks so to me it appears to be a build/deployment triggered event.

  Remember — “Windows 10, version 1909, and Windows 10, version 20H2 have reached end of servicing.  As of May 10, 2022, the Home and Pro editions of Windows 10, version 20H2, and all editions of Windows 10, version 1909 have reached end of servicing. The May 2022 security update, released on May 10, is the last update available for these versions. After that date, devices running these editions will no longer receive monthly security and quality updates containing protections from the latest security threats.”

  And now we pop the popcorn and see what today’s releases bring to us:

  from Dustin Childs he says…. “Some really interesting bugs in today’s #Microsoft patch release, incl one under active attack. I’ll have my thoughts out soon. #PatchTuesday“

  Stay tuned, I’ll be adding links and comments here as well.

  Consumer comments:

  • Print spooler bugs being patched again, so I’ll be watching for printing bugs
  • The one bug in active attack is more corporate targeted (LDAP) not consumer.
  • .NET is getting patched (IMHO the whole retirement of the older .net versions is still extremely and frustratingly not clear, while .net updates no longer throw off quite the side effects they did before, the communication regarding the support of older .nets and lack of good informative tools to let you know what you have and what you are vulnerable to is frustrating to me. Look for more articles/guidance on this in the future)
  • Windows 11 is having issues with applications that want .NET 3.5.  Looks like Microsoft is handling this with a “known issue rollback”.  If you have 11 look in the comments link for more reports.

  Business comments:

  • If you still patch on premises Exchange there are updates out this month.
  • The “in the wild” vulnerability where we are patching PetitPotam again (CVE-2022-26925) is triggering some side effects with patches.  You may want to keep an eye out for NPS policies side effects
  Windows Patches/Security May 2022 Black Tuesday, Patch Lady Posts

• April patching showers here we go

  Posted on April 12, 2022 at 12:40 CDT by Susan Bradley • Comment in the Forums

  It’s that time of the month for all computer users to get in the habit of checking their devices.

  While “Patch Tuesday” is the big one for Windows users, it’s also wise to check your Apple devices.  I know that my iPhone has been offering – but not pushing – the latest updates. They too are doing a “let’s dribble them out and see how well they go” methodology these days.

  But back to Microsoft:

  Remember this month they push out “Search highlights will roll out to Windows 10 customers over the next several weeks. We are taking a phased and measured approach. ” in Windows 10.

  I’ll be adding more links as folks post up analysis.  Here at Askwoody we track the side effects and try to weed out what is “corner cases” from those issues that are widespread.

  145 vulnerabilities

  1 publicly disclosed

  10 critical

  .NET security updates are included in the April 2022 updates for denial of service issues.

  Dustin Child’s zero day write up here.  Clearly we have a difference between home users and business computers this year with a bug that will provide lateral movement inside a network once they get in.  Port 135 is a typical file and printer sharing port – but it not exposed to the outside world. But in an office network, once they get in, ouchie!

  Windows Patches/Security April 2022 Black Tuesday, Patch Lady Posts

• Unicorn Friday – what do you want from updating?

  Posted on March 18, 2022 at 14:40 CDT by Susan Bradley • Comment in the Forums

  Microsoft product manager for Windows updating Aria tweets today:

  If I were to have a magic unicorn that could grant one wish that would give you what you have always wanted within the world of Windows Updating, what would your wish be?  She asks would it be related to:

  Good Reporting
  More Control(s)
  Better documentation
  Better enduser experience
  So what would your one wish be?

  For those that are consumers/home users we often have to ride the leftovers from the enterprises. If THEY want something we then GET that something.  I think there is one more item we want that EVERYONE wants:  That of quality updates that don’t break our stuff.
  Windows Patches/Security Patch Lady Posts

• March Madness patching begins

  Posted on March 8, 2022 at 12:00 CST by Susan Bradley • Comment in the Forums

  While over at Apple they are having a livestream event, Microsoft is releasing their updates. Will Apple release updates today as well?

  Windows 11 gets weather on the left hand side where start menu is in Windows 10.  You know you are getting old when moving the weather icon around annoys you.  While Microsoft said that Windows 11 would only get feature releases once a year, they are dribbling out these task bar changes constantly. Remember the changes that were in preview last time, will be in the Windows 11 updates this month. My advice?  Use Start11 or any of the other classic menu offerings if you are on Windows 11.

  Meanwhile, for those of us on Windows 10, 8.1, 7 and server operating systems, keep an eye out for the security updates releasing today.

  Also be aware that Windows 10 20H2 Home and Pro edition drops out of support on May 10, 2022 and Windows 10 1909 Enterprise and Education drops out on May 10, 2022 as well.

  For those on Linux, look out for “Dirty pipe” a vulnerability that recently came to light and has been fixed in Linux versions 5.16.11, 5.15.25, and 5.10.102 as of February 23, 2022.  A proof of concept has been released.

  As always, pop that popcorn, sit on the sidelines as we weed through the releases and see what side effects will occur.

  I’ll be adding links and resources as the patches and information is released. Of course, full analysis will be in next week’s newsletter.

  Updated info:

  92 vulnerabilities, 2 publicly disclosed, 3 critical

  If you have an on premises Exchange server – once again you want to test and patch as soon as you can.

  Remote Desktop client needs a patch- but it needs a malicious server to trigger the remote control execution.

  Windows 10 2004 and later (only) have a SMBv3 bug and Xbox has a bug unique to it and it alone.

  HEVC video extensions are getting a patch which means if you are one who blocks updates through the Microsoft store, you’ll need to manually update this.

  Gunther Born reports that Remote desktop connection role on Server 2022 is impacted. Note I am not seeing this on Server 2019 or earlier versions.

   

  Security, Windows Patches/Security March 2022 Black Tuesday, Patch Lady Posts

• Don’t move your printer spooler files

  Posted on March 6, 2022 at 00:37 CST by Susan Bradley • Comment in the Forums

  Video here

  This came up the other day on one of the patching lists. Someone was trying to install the recent patches that include print spooler fixes and the updates kept failing/causing issues. Turns out the print spooler was moved to a different drive and the update was expecting it to be on the C drive. Once they moved it back all was well.

  Moving the print spooler is something that can be done with a registry key, but it’s something I honestly don’t recommend doing. While we can say Microsoft shoulda/coulda/woulda and gee shouldn’t it be able to know where your spooler is located and not care which drive it’s on? I just feel that your best patching experience is when you stay with a normal Windows location for the files on the system. And while in a perfect world, every patch should be such that it wouldn’t care where the spooler is located, we live in the real world where your patching experiences are just better if you stick with “normal”.

  So what else do you do to stay with normal when it comes to patching?

  Tech Help, Windows Patches/Security Patch Lady Posts

• Beware of firmware updates on Surface book 3

  Posted on February 12, 2022 at 20:45 CST by Susan Bradley • Comment in the Forums

  Barb Bowman passed this along and I’m seeing other posts on the subject.

  The recent firmware update to Surface Book 3’s are bricking some of the devices. it appears

  Arnaud van Galen posted in No disks after firmware update “also had this combination of 2 firmware updates (13.101.140.0 and 13.0.1889.2 sounds right) last night, but the machine didn’t boot at all anymore this morning. When I enter the UEFI it says System UEFI = 13.101.140 and Intel Management Engine = 13.0.1889.2 so it does seem that both firmwares got installed correctly.

  I tried booting from a recovery USB and from inside diskpart it showed that there were no partitions anymore.

  I tried reinstalling (both with secureboot on and off) but Windows gives Error 0x80300024 and from inside diskpart I get “The request failed due to a fatal device hardware error” after giving a ” list disk, select disk 0, detail disk, clean, create partition efi””

  “While not conclusive, it looks like this firmware update and the Hynix drive (HFM256GDGTNG-87A0A) have issues about 50% of the time, rendering the surface useless.”

  More threads are here: Windows 11 update blue-screened my Surface Book 3 – Microsoft Community

  Surface Book 3 – The newest update has completely bricked my Surface – Microsoft Community

  “HoopersX on Twitter: “Hey @karaswisher did you hear about the @microsoft firmware update for their Surface Book 3’s that has completely bricked the devices and they have no answers since it started last Thursday? It kills the BIOS ability to see the drive. So no easy fix in Windows” / Twitter”

  Windows Patches/Security Patch Lady Posts

• February 2022 Patch Tuesday early reports

  Posted on February 8, 2022 at 12:31 CST by Susan Bradley • Comment in the Forums

  It’s that time of the month again that we wait on news of update side effects. It’s my philosophy that you shouldn’t rush into anything and patching (with very few exceptions) falls into that as well.

  This month includes patches for Print spooler (ugh) but it remains to be seen if we’ll see more printer side effects.

  So ensure you have (for Windows 10/11) start/settings/update and security/advanced options/pause updates/choose the date of February 22 and then sit back and let’s see how February shakes out. In the meantime here’s a Valentine’s day poem from Kelley Robinson:

  Roses are red
  Violets are blue
  Turning on 2FA
  Is good for me and you

  Links to keep an eye on for those of you that want to dig through the weeds yourself – but as always we’ll be recapping the side effects in the newsletter and Master patch list so you don’t have to wade through all of the weedy stuff.

  Raw link from MSRC
  Dustin Child’s Security update review
  SANS patch recap
  Patch Tuesday dashboard
  Reddit’s Patch Tuesday megathread (lots and lots to dig through)

   

  Windows Patches/Security, Windows Security February 2022 Black Tuesday

• November patches here we come

  Posted on November 9, 2021 at 12:34 CST by Susan Bradley • Comment in the Forums

  Here comes updates for November. Remember at this time I urge you to defer, not install UNLESS you have a test bed/good backup plan and you are one of the regulars that love to test for the rest of us to let us know how the patching looks.

  For those updating Macs, recently they fixed an issue where the Monterey release was bricking some machines with the T2 security chip.

  Peter Deegan over on Office-Watch has a post about how Microsoft is “aligning support of consumer OneDrive sync with the life cycles of the platforms.” Once again Windows 8.1 is the red headed step child of the operating systems and I’m not buying this “alignment” when it’s still fully supported for another year. We’ll have more on alternatives in an upcoming newsletter.

  I always link to resources like the Zero day blog, because to me it’s like the green start flag on the patching race. It’s now officially the release date. However here at Askwoody, we’re always flying the yellow warning flag to slow down, watch and be cautious.

  So far the only patch I’d urge business patchers to jump on is the Exchange security updates – and for that you first need to ensure you have a backup/a maintenance window to deploy updates/and recovery plans just in case. There are several Office bugs and make sure that you don’t open up attachments blindly – like Excel files. Finally there’s a bug in Remote desktop and for that there’s another “duh” workaround – make sure you don’t click on any RDP files offered or emailed to you.

  As always I’ll be looking for side effects and issues and will be reporting on them in the newsletter. Remember, you want to be the tortoise, not the hare when it comes to updating. Ensure your browser is updated, be a bit more paranoid about clicking, and stay tuned as I keep an eye out for the side effects and issues and report on them in the Plus newsletter.

  Windows Patches/Security MS-DEFCON 2, November 2021 Black Tuesday, Patch Lady Posts

• September 2021 – it’s patch day!

  Posted on September 14, 2021 at 12:53 CDT by Susan Bradley • Comment in the Forums

  This week is clearly “patch the zero day” week.  Yesterday we had Apple, also Chrome fix several zero days.

  Today we have the Microsoft version.  Now while Adobe doesn’t have any zero days in their release bundle, if you are (still) a user of Adobe Acrobat or Reader, you’ll be getting and wanting an update.

  Today we are fixing the Microsoft zero day MSHTML vulnerability I wrote about the other day. If you used the registry key to protect yourself, when I give the all clear I’ll remind you to undo that.

  One thing I’m not clear on from initial read of my usual sources of Dustin Childs and Bleeping computer is the situation with the print spooler. There are more print spooler bugs being fixed – but are they the ones we were concerned about that were carried over from prior months that kept me urging you to keep the print spooler service disabled? I’ll be digging into that question.

  Stay tuned, deeper analysis by this weekend.

  As always for those that DO have a backup, like to be the beta testers for the rest of us, do let us know of any issues you see. In the meantime I’ll be watching and accumulating the facts – and not the rumors – as we always do here on AskWoody.

  —

  Don’t forget to sign up for either the twitter alerts or the newly minted text alerts:

  Want to get alerted when the AskWoody MS-DEFCON status changes?

  MS-DEFCON Alert system

  If you want to get alerted when the MS-DEFCON status changes there are two ways to do so:

  Twitter:  https://twitter.com/defconpatch Sign up for twitter and follow that account. Then set up notifications in the twitter app so that you get alerted when the account tweets a change. COST:  free – other than now having a twitter account but I honestly find that some of the best security information and advice is freely given on twitter. You can also follow the official Askwoody twitter account as well.

  Cell phone notifications via text:  You need to be a PLUS member to get the fullest benefit from this service.  We request a small fee requested (along the lines of the decide what you want to pay as the main site has) in order to cover the costs of the monthly texting service and server hosting. Click here to sign up. COST:  We ask a minimum of $1 a month to keep the lights on and the chipmunks powering the servers fed, but if you’d like to donate more to the cause we’d all be appreciative!

  Windows Patches/Security Patch Lady Posts, September 2021 Black Tuesday
• « Older Entries