Newsletter Archives

• Zero day CVE 2021-40444

  Posted on September 10th, 2021 at 21:49 Susan Bradley Comment on the AskWoody Lounge

  What is it?

  It’s (yet another) zero day attack that is a TARGETED only attack using Office and RTF file  to take ownership of your machine. Microsoft has updated it’s security advisory with mitigation advice.

  Who is getting attacked?

  At this time just targeted folks – meaning large companies, governmental entities, I’m not seeing widespread buzz that it’s being widely seen. I’m not seeing chatter that it’s impacting smaller firms or individual users at this time.

  What if I want to protect myself just in case?

  I’ve put together a registry key to fully enable all of the protections which include disabling word documents and rtf files in the preview pane.

  To enable this protection click on THIS registry file.

  Download THIS file to reenable it should Microsoft patch it next Tuesday.

  What does the enable registry key do?

  I bundled all of the settings included in that advisory in one reg file.   Note while I did include the setting for removing [-HKEY_CLASSES_ROOT\.docm\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}]  for the docm value in my registry my system didn’t have that value from the get go. Yours may have it so I’ve included it in the registry file.

  Windows Registry Editor Version 5.00

  [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
  “1001”=dword:00000003
  “1004”=dword:00000003

  [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
  “1001”=dword:00000003
  “1004”=dword:00000003

  [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
  “1001”=dword:00000003
  “1004”=dword:00000003

  [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
  “1001”=dword:00000003
  “1004”=dword:00000003

  [-HKEY_CLASSES_ROOT\.docx\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}]

  [-HKEY_CLASSES_ROOT\.doc\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}]

  [-HKEY_CLASSES_ROOT\.rtf\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}]

  What does the reenable reg file do?

  It removes the Internet Settings and then puts all of those values regarding ShellEx back.

  Are there any side effects after making these registry changes?

  Honestly I didn’t see any, but then again, I don’t enable the preview pane in Windows Explorer in the first place.  I’ve only enabled it if I have a special project and I need to see a bunch of images. 99.9999999% of the time I don’t have it enabled.

  So why aren’t you sending out an AskWoody alert?

  Well I strongly believe that the AskWoody folks are smarter than the average bear. You know that you shouldn’t be clicking blindly on Office files. You know you shouldn’t be blindly opening up .rtf files. You probably don’t turn on preview pane in Windows explorer anyway.  I don’t. I find that it slows my computer down.  We know not to turn on preview pane in Outlook.

  Bottom line, if I see more chatter and change my mind I’ll let you know. But for now, I know that you are too smart to fall for this.  Look for more information in Monday’s newsletter.

  (Impacts all supported versions of Windows including Windows 11)

  Want to get alerted when the AskWoody MS-DEFCON status changes?

  MS-DEFCON Alert system

  If you want to get alerted when the MS-DEFCON status changes there are two ways to do so:

  Twitter:  https://twitter.com/defconpatch Sign up for twitter and follow that account. Then set up notifications in the twitter app so that you get alerted when the account tweets a change. COST:  free – other than now having a twitter account but I honestly find that some of the best security information and advice is freely given on twitter. You can also follow the official Askwoody twitter account as well.

  Cell phone notifications via text:  You need to be a PLUS member to get the fullest benefit from this service.  We request a small fee requested (along the lines of the decide what you want to pay as the main site has) in order to cover the costs of the monthly texting service and server hosting. Click here to sign up. COST:  We ask a minimum of $1 a month to keep the lights on and the chipmunks powering the servers fed, but if you’d like to donate more to the cause we’d all be appreciative!

  Windows Security Patch Lady Posts

• Tasks for the weekend – August 28, 2021 – trying out new browsers

  Posted on August 28th, 2021 at 23:35 Susan Bradley Comment on the AskWoody Lounge

  (Youtube here demo-ing the various browsers)

  Last week’s newsletter about browsing your way to more security showcased that many of you are looking for browser options. It reminded me that the world is not just Edge, Firefox, Chrome or even Brave.

  Other browsers to investigate include:

  Vivaldi – native blocking

  Tor Browser – safeguards privacy

  Opera- Chromium based

  Now I will complain about Opera – either I missed a check box but it made itself default.

  So?  What browsers have you used lately?  I’d recommend having multiple ones installed and trying them out on your different devices. Many of them have versions for Windows, Apple, Linux and even phone platforms.

  And yes, note that the AskWoody site/WordFence that protects the site from attacks does NOT like the Tor Browser when it’s in what I’m going to call it’s “hide me” mode where you are using a vpn like connection to the tor network.  As many of you know (and can attest to) this is a common occurrence with the site. As always it’s hard to balance security and usability. Lower the security of the site, and the site suffers. Use a VPN or VPN like browser to gain security on your side and you suffer by being blocked. I’d recommend using multiple browsers and deciding which browser you use for your tasks and browsing that you want more private, and another for those sites that request a bit more from you.  In the meantime I have a case open with WordFence and I’ll keep you posted.  Security is never easy for sure.

  Windows Security Patch Lady Posts

• What would you have done?

  Posted on August 9th, 2021 at 11:55 Susan Bradley Comment on the AskWoody Lounge

  The other day I was working on a laptop and ended up rebuilding it. I discuss what I did over on Computerworld.com.

  I am reminded of this old and really good article about what to do when you’ve been “hacked” – or in this case, hit by a drive by malware installer and dubious browser. You can no longer trust the machine and MUST reinstall.

  What would you have done? What tools did I miss trying?

  Windows 10, Windows Security Patch Lady Posts

• Is Microsoft doing enough?

  Posted on August 2nd, 2021 at 11:29 Susan Bradley Comment on the AskWoody Lounge

  In Computerworld I ask “For Windows security, what we have is a failure to communicate” and ask if Microsoft is doing enough to help keep us safe.

  As an aside this is similar to Fred’s lament that documentation for Windows products is all over the place and not as helpful as it once was.

  What do you think? Do you think Microsoft is doing enough or could it do better?

   

  Windows Security Patch Lady Posts

• Tasks for the weekend – July 31st – what to do?

  Posted on August 1st, 2021 at 00:03 Susan Bradley Comment on the AskWoody Lounge

  (Youtube here)

  This week I’m revisiting two discussions that have been going on regarding actions to be taken on two bugs that are not yet patched.

  First is the permission bug.

  The second is the print spooler bugs.

  I will separate my recommendations into two camps: Home and Business.

  For Home I honestly don’t think you should take any action at this time because I do not see active attacks against home users for either the Print Spooler bugs or the incorrect permission bug. Both of them are more suited for attackers going after businesses, so once again, I’ll urge you to be aware, don’t click where you shouldn’t, but not to take any actions at this time.

  For businesses I see that you need to be evaluating and if you feel that the risk is large enough to then take actions that I discuss in the video.

  Take a look at the video.

  Windows Security Patch Lady Posts

• Check your certificate services

  Posted on July 24th, 2021 at 20:48 Susan Bradley Comment on the AskWoody Lounge

  Guidance for businesses:

  For those of you that have active directory domains – and especially if you use Small Business Server or Essential Server and have migrated your active directory over from these platforms check out this article I wrote for CSO online earlier.

  Bottom line you may have Certificate templates you either have now due to Essentials server, or you brought it over from the active directory when you migrated to your current active directory domain. As a result you may need to adjust the certificate templates on the server – or – if you no longer have an Essentials server in your network – you may need to remove the certificate templates.

  Next another issue to read up on:  SANS site is showcasing an issues with certificate services.  Mind you that SMB signing should be enabled in most networks anyway, so you may have some mitigation already.

  Guidance for consumers:

  Be glad that you don’t have a network, slightly worry about all of the businesses you interact with that do.

  Windows Security Patch Lady Posts

• Tasks for the weekend – July 17 – what’s your password?

  Posted on July 18th, 2021 at 00:19 Susan Bradley Comment on the AskWoody Lounge

  (Youtube here)

  Just the other day I was reminded to be careful with any of the social media “game” questions that try to make you build a name from various information you provide. What these are doing it trying to get you to expose your security password reset answers…. typical password reset questions include:

  What Is your favorite book?
  What is the name of the road you grew up on?
  What is your mother’s maiden name?
  What was the name of your first/current/favorite pet?
  What was the first company that you worked for?
  Where did you meet your spouse?
  Where did you go to high school/college?
  What is your favorite food?
  What city were you born in?
  Where is your favorite place to vacation?

  As a study indicated, “All four of the most popular webmail providers – AOL, Google, Microsoft, and Yahoo! – rely on personal questions as the secondary authentication secrets used to reset account passwords. The security of these questions has received limited formal scrutiny, almost all of which predates webmail. We ran a user study to measure the reliability and security of the questions used by all four webmail providers. We asked participants to answer these questions and then asked their acquaintances to guess their answers. Acquaintances with whom participants reported being unwilling to share their webmail passwords were able to guess 17% of their answers. Participants forgot 20% of their own answers within six months. What’s more, 13% of answers could be guessed within five attempts by guessing the most popular answers of other participants, though this weakness is partially attributable to the geographic homogeneity of our participant pool.”

  Bottom line be careful when social media games try to get information from you, they may be trying to trick you. And next time you pick a password reset answer, try NOT to pick the usual stuff.

  Windows Security Patch Lady Posts

• Out of band for Print Nightmare is out

  Posted on July 6th, 2021 at 16:22 Susan Bradley Comment on the AskWoody Lounge

  https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

  Remember the print nightmare post from the other day?  Microsoft has released out of band updates to fix the issue.

  “CVE updated to announce that Microsoft is releasing an update for several versions of Window to address this vulnerability. Updates are not yet available for Windows 10 version 1607, Windows Server 2016, or Windows Server 2012. Security updates for these versions of Windows will be released soon. Other information has been updated as well. This information will be updated when more information or updates are available”

  If you are a home user, I don’t see a need to rush this patch on. If you are a MSP or IT professional, and you haven’t already disabled the print spooler on your domain controllers – look for these updates. ( I don’t think they’ve been fully posted yet)

  https://support.microsoft.com/en-us/topic/31b91c02-05bc-4ada-a7ea-183b129578a7

  “Prior to installing the July 6, 2021, and newer Windows Updates containing protections for CVE-2021-34527, the printer operators’ security group could install both signed and unsigned printer drivers on a printer server. After installing such updates, delegated admin groups like printer operators can only install signed printer drivers. Administrator credentials will be required to install unsigned printer drivers on a printer server going forward.”

  Edit on 7/7/2021:  Seeing it start to trend that Zebra label printers can’t print after installing this update.  I’m going to flip DefCon to 2 to be safe.

  Edit on 7/7/2021 12:10:  Lawrence from Bleepingcomputer indicates that the patch doesn’t fully protect from “local privilege esPrintNightmare calation” attacks.  If you have enabled any “Point and print” options you may still be vulnerable even with the update installed.  “To bypass the patch and achieve RCE and LPE, a Windows policy called ‘Point and Print Restrictions’ must be enabled, and the “When installing drivers for a new connection” setting configured as “Do not show warning on elevation prompt.”  Note I have not done this on any local printer or network printer under my control – so my guess is that most of us won’t have to worry about this corner case.

  Edit 7/10/2021: Microsoft is saying that the issue with usb based label printers (Zebra and Duo) isn’t caused by this specific update but from earlier updates and we just didn’t realize it. They have implemented the “known issue rollback” process where the non security bits causing the issue are automatically rolled back.

   

  Windows Security Patch Lady Posts, Print Nightmare

• Print Nightmare is going to be a nightmare

  Posted on June 30th, 2021 at 14:38 Susan Bradley Comment on the AskWoody Lounge

  

  This is me. This is me trying to figure out what best to do with a security issue in the news today. CVE-2021-1675 Or rather it’s what I’d like to be doing but I can’t.

  So here’s the deal. There’s a security vulnerability for Print spooler that was patched back on June 8th but the patch didn’t fully fix the issue.  On June 21, the vuln was updated to critical severity as a potential for remote code execution was found. There is now a zero day proof of concept of this issue out on Github and various places.  Specifically the proof of concept is for Windows Server 2019 but as I understand it, it impact more platforms as well.

  Edit:  Turns out this appears to be a new bug and not an unfixed vulnerability. Bottom line it’s still just as bad but now just a regular old zero day instead of a slightly unfixed zero day. And it also works on Windows 11 as well.

  Edit 7-2-2021 Micropatches from 0patch have been released for this issue 

  Action items if you are a consumer and DO print.

  As I’m reading it, this is a big deal on domain controllers – not so much on stand alone computers. This allows attackers to wiggle in via a remote authenticated user and raise the rights of that account.  Since home computers do not have “remote authenticated users”  I’m not freaking out here and recommending that you disable print spooler (yet).  I don’t know about you but I DO print so I cannot disable the print spooler service without severely impacting my productivity. I’ll keep monitoring the situation and update if I see anything where I think consumers/home users/small peer to peer networks should be taking action other than the usual “be careful out here” and watch what you click on. So for now if you run windows and print, take no action, other than to be your normal, careful, slightly paranoid self.

  Action items if you are a consumer and DON’T print.

  Print spooler lately has been a big target. If you know you don’t ever print or print to pdf or anything like that you can proactively click on the search box and type in “services”, scroll down to print spooler, double click and click to change the service to stop and then to disable the startup type. Note you need to be an administrator (or have admin rights) to be able to stop this service.

  Action items if you are a IT pro or MSP.

  Determine if you can follow this post and disable the print spooler service especially on Servers, Domain controllers in particular. You might want to go through server hardening guidance while you are at it.  Bottom line evaluate your risk for this attack and take action accordingly.  Recommendation is to disable the print spooler service on the Domain controllers first. If you are a SMB consultant where your Domain controller is ALSO your Print server there’s no good alternative especially if your folks have to print.

  TrueSec have come out with a workaround that allows you to deny permissions to keep attackers from gaining system rights and leave print spooler service as is.

  And if you are running Mint, Chromebook, Apple, etc. etc.  just try not to look so smug, okay?

  Windows Security CVE-2021-1675, June 2021 Black Tuesday, Patch Lady Posts

• WUshowhide is back!

  Posted on June 25th, 2021 at 22:05 Susan Bradley Comment on the AskWoody Lounge

  A big thank you to Bruce to providing feedback to Microsoft to get WUshowhide resigned with a SHA-2 certificate. It’s now been reposted to the download site.

  Sure enough it was what we thought….

  Thank you all for your patience. The troubleshooter was initially removed as part of our SHA-1 deprecation, where we removed all content on the DLC which had only SHA-1 signing. We are working to re-sign this with a SHA-2 certificate and verify that it works as expected, and will re-publish. I will follow up again shortly.

  He did and just reposted it tonight.

  http://download.microsoft.com/download/f/2/2/f22d5fdb-59cd-4275-8c95-1be17bf70b21/wushowhide.diagcab 

  The full URL is there.

   

  Windows Security Patch Lady Posts

• Tasks for the weekend – June 12 – Let’s look at Autoruns

  Posted on June 12th, 2021 at 23:46 Susan Bradley Comment on the AskWoody Lounge

  [Youtube here]

  This week we’re following up with June 5th’s  look at programs that launch on startup  and this time we’re looking at the “uber” version of a tool that allows you to review what’s starting up on your machine.

  Sysinternals Autoruns

  Most of time it’s self explanatory… until it’s not. And then remember just ask.

  The colors mean different things:

  Pink – this means that no publisher information was found, or if code verification is on, means that the digital signature either doesn’t exist or doesn’t match, or there is no publisher information.

  Green – this color is used when comparing against a previous set of Autoruns data to indicate an item that wasn’t there last time.

  Yellow – the startup entry is there, but the file or job it points to doesn’t exist anymore.

   

  Tech Help, Windows Security Patch Lady Posts

• June updates bring news

  Posted on June 9th, 2021 at 01:05 Susan Bradley Comment on the AskWoody Lounge

  It’s been a little bit funny seeing some of the reactions online to the News and Interests feature that is included in the June updates. As Askwoody readers know, this first started to trickle out in May but in the June security updates they are included in everyone’s Windows 10 including Enterprises.

  Just a reminder, you can right mouse click on the weather info, go up to news and interests, and either adjust the options (as it does take up a bit of real estate) or turn it off completely.

  Optionally you can use this registry key to do so. To use it, simply click on the download in the upper right, click to run the file, it will warn you it’s not digitally signed, click through that, next click through the UAC prompt and you’ll get to this page warning you about adding it to your registry.

  

  Click yes and it will turn off the News feature. You’ll need to reboot (I had to) to get it to turn it off.

  I’m keeping an eye on the early beta testers in the forums, so far I’m not seeing anything trending.  As always full details of the updates will be in the Newsletter, in the meantime if anyone needs assistance or help, you know where we are.

  In other patching news, keep an eye out for Apple 14.6 for your iphone/ipad and remember that Apple 15 will be offered up to even iphone 6 models. Androids, keep an eye out for your updates as well.

  Windows 10, Windows 7, Windows Security June 2021 Black Tuesday, Patch Lady Posts
• « Older Entries