
Blog Archives

  • Getting ready for Windows 10 1909

    Posted on October 28th, 2019 at 01:05 by Tracey Capen

    PATCH WATCH

    By Susan Bradley

    Many of us are still pondering Win10 1903 — and now Version 1909 is almost upon us. Here’s how not to be the next release’s beta tester.

    If the rumors are true, the next feature release for Windows 10 will begin trickling out on November 12. It looks like Version 1909 won’t be the big deal we thought it might be, which is all the more reason to not be one of the early adopters — unless you really like testing “beta” operating systems.

    Read the full story in AskWoody Plus Newsletter 16.39.0 (2019-10-28).

  • October’s updates look promising; however …

    Posted on October 14th, 2019 at 01:10 by Tracey Capen

    PATCH WATCH

    By Susan Bradley

    First, a mea culpa: I said I was comfortable with installing the out-of-band Internet Explorer update released October 3. I have to take that back.

    The update was designed to block the new IE vulnerability CVE-2019-1367. The October 3 release was the third time Microsoft sent out essentially the same fix, but it’s the only one I’ve called a true out-of-band update. Unlike the two previous attempts, Microsoft pushed this patch out to everyone via the usual channels: Windows Server Update Services (WSUS) and Windows Update.

    Read the full story in AskWoody Plus Newsletter 16.37.0 (2019-10-14).

  • Finally! We have a true out-of-band IE update

    Posted on October 7th, 2019 at 01:10 by Tracey Capen

    PATCH WATCH SPECIAL EDITION

    By Susan Bradley

    After a series of confusing missteps, Microsoft has somewhat belatedly released an “urgent,” out-of-the-usual-cycle update in the expected way: All supported versions of Windows receive the patch via WSUS or Windows Update.

    This is how an “out-of-band” update is supposed to look and act. All Microsoft customers get protected quickly and easily. We don’t have to download anything from the Microsoft Update Catalog, install preview updates, or otherwise stand on our heads to be safe from a new exploit.

    Read the full story in AskWoody Plus Newsletter 16.36.0 (2019-10-07).

  • Patch Lady – what’s the real risk?

    Posted on October 4th, 2019 at 23:28 by Susan Bradley

    So the zero-day IE fix is finally out as an out-of-band patch. On the Windows Defender security portal (1) they talk about the risk of this zero-day:

    For attacks to be successful, targets will need to use Internet Explorer or another application that utilizes the Internet Explorer scripting engine to open a link containing the exploit. Initial reports of attacks indicate the use of Microsoft Word documents (.docx) with lure content that entice recipients to click on malicious links. If the links are launched by Internet Explorer—the default web browser on machines running older platforms like Windows 7—exploitation can occur.

    This analysis is based on limited, initial reports about actual attacks that exploit this vulnerability.

    Customers have encountered Microsoft Word documents (.docx) containing a link to web pages with exploit code for CVE-2019-1367. Although other distribution mechanisms are possible, we have observed attacks distributing the documents as attachments on spear-phishing emails.

    The documents themselves have been socially engineered with lure content—mostly around Middle Eastern and North African affairs—that entices recipients into clicking an embedded video element that is a link to external content. On many machines that run older platforms such as Windows 7, the link opens on Internet Explorer by default. Once the malicious link opens on a vulnerable instance of Internet Explorer, exploitation can occur, allowing attackers to run arbitrary code in the context of the current user.

    In known attacks, the exploit runs malicious code that does the following:

    • Uses an elevation of privilege (EoP) technique abusing the Web Proxy Auto-Discovery (WPAD) protocol
    • Downloads and runs a malicious executable cqe.exe (detected as Trojan:Win32/Hevor.A!dha)

    The executable, which now serves as an initial implant, then proceeds to download other payloads from another location.

    Mitigations

    Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

    • Prioritize installation of the security update for CVE-2019-1367. The update is automatically deployed as a required update through Microsoft Update and the WSUS catalog. Customers with automatic updates turned on don’t need to take additional action.
    • On machines that could not install the security updates, consider restricting access to JScript.dll to prevent exploitation. See the workaround in the CVE-2019-1367 advisory.
    • Use Office 365 ATP for enhanced phishing protection and coverage against new threats and polymorphic variants. Office 365 ATP customers should ensure that Safe Links protection is enabled for users with Zero-hour Auto Purge (ZAP) to remove emails when a URL gets weaponized post-delivery.
    • To take advantage of a modern web viewer for Office 365 applications, customers are encouraged to upgrade to Office 365 version 16.0.11629 and Windows 10 version 1903. With these or newer versions, Office 365 applications use Microsoft Edge WebView to load web content instead of Internet Explorer, which is affected by this vulnerability.
    • To prevent exploitation of WPAD, upgrade to Windows 10 version 1809 or newer.
    • Block external content in Word documents by enabling the Group Policy Object (GPO) Allow Online Videos to play within Word under User Configuration > Administrative Templates > Microsoft Word 2016 > Word Options > General. This GPO is available only upon installation of the Microsoft Word 2016 update described in KB4462193 or a later cumulative update.
    • Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
    • Turn on attack surface reduction rules, including rules that can block process creation initiated by Office applications and rules that can block scripts (JavaScript and VBScript) from launching downloaded executable content.
    • Turn on network protection to block connections to malicious domains and IP addresses.
    • Customers are encouraged to use Microsoft Edge or other modern web browsers where possible. For tasks that require Internet Explorer, customers should limit its use to these tasks and set a different application as the default browser.
    • Educate end users about preventing malware infections by ignoring or deleting unsolicited and unexpected emails.

    So … the risk is from targeted emails, the risk is opening .doc files, the risk is higher on machines 1803 and older (Windows 7).

    So I don’t see this as great of a risk to you and me.

    (1) You have to be a subscriber to the Microsoft Defender ATP license (E5) in order to get to the original link.


  • Patch Lady – Internet Explorer out of band

    Posted on October 3rd, 2019 at 21:59 by Susan Bradley

    Stay tuned. We’re in the process of updating the master Patch Lists. I’ve been testing the out-of-band Internet Explorer update and I’m not seeing any Start menu issues.

    I’m giving the go-ahead to roll it out in my office. Stay tuned: there’s a special edition coming to you soon.

    This time it’s really an out-of-band update. And that’s good for all of us.

  • Here’s why we’re not patching Internet Explorer

    Posted on September 30th, 2019 at 01:05 by Tracey Capen

    PATCH WATCH

    By Susan Bradley

    There’s no way to sugar-coat this: The current Windows updating situation is a disaster.

    No, I’m not talking about the usual round of side effects in the second Patch Tuesday updates, the lack of overall patch quality, or the known issues that impact only a small set of Windows users but that we’re still forced to track.

    Read the full story in AskWoody Plus Newsletter 16.35.0 (2019-09-30).

  • The patch waiting game — September edition

    Posted on September 16th, 2019 at 01:05 by Tracey Capen

    PATCH WATCH

    By Susan Bradley

    For those of us in the northern hemisphere, September can be a time when days seem to be noticeably shorter — the daylight hours more precious.

    Time has value, too, when it comes to patching our systems. As regular Patch Watch readers know, we need some time for the monthly updates to sort themselves out. In the days following Patch Tuesday, some updates get reissued due to significant issues, while others need clarification.

    Read the full story in AskWoody Plus Newsletter 16.33.0 (2019-09-16).

  • Patch Lady Podcast for Sept 15 2019

    Posted on September 15th, 2019 at 23:42 by Susan Bradley

    Patch Lady

    For those of you who are Plus members, head on over to the Podcast page. While we’re not ready to roll out updates just yet, I showcase how you can keep an eye on Microsoft’s acknowledged issues by following a Twitter account.