|
MS-DEFCON 3:
Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.
|
Blog Archives
-
Patch Lady – be careful they are out to get us
Posted on April 19th, 2020 at 23:35 Comment on the AskWoody Lounge
Just the other day this email came into my inbox. The attackers are using COVID-19 related themes to wiggle into our inboxes.
I talk about it in this video, Be extra careful because they are out to get us right now.
-
Patch Lady – are you safe online?
Posted on April 5th, 2020 at 12:13 Comment on the AskWoody LoungeJust spotted this…
It’s a series of 30 minute webinars next week put on by a company that normally does security assessments for companies. Their https://s2me.io site walks you through a series of questions to review your personal computer risk.
Some of the questions…… I never log into websites from links in emails. True or False? …. I never open a file attachment in an email unless I am specifically expecting one. True or False?
So how secure are you?
(edit: I received a score of 812 – it was lowered because I have too many Windows devices (well duh), and I don’t encrypt all devices. To be fair some of them are laptops I use for streaming needs and thus I don’t use them for sensitive tasks nor keep sensitive info on them)
-
Patch Lady – Office 365 pushes off disabling Basic Auth
Posted on April 3rd, 2020 at 21:32 Comment on the AskWoody LoungeWhile I totally understand why Microsoft is pushing off the due date for disabling basic authentication in their Office 365 platform/Exchange online I would recommend anyone using any sort of email platform these days (or online banking or anything online these days) to add multi factor authentication to anything you use online. The attackers go after the weak links, weak passwords, reused passwords and you need to be aware of the attacks out there.
Clearly COVID-19 is having a big impact.
-
Patch Lady – should we be concerned about Zoom?
Posted on April 1st, 2020 at 22:49 Comment on the AskWoody LoungeI’ve seen several comments on various venues about the risk of Zoom meetings. Some of them are valid, others are….. hang on … who in their RIGHT MINDS posts the URL to a non password protected zoom meeting on a social location?
I was listening to a presentation today and the gentlemen presenting was talking about how in times like these one has to balance risk with making sure the business survived.
Here’s another person I respect … Dave Kennedy on the topic of Zoom and security: https://threadreaderapp.com/thread/1245536000819986432.html
First off as Lawrence Abrams writes … make sure you put a password on the Zoom meeting. Next Zoom is working on the issue whereby NTLM hash values can be exposed, and Lawrence gives the workaround in the blog, but I have a better workaround. Be EXTREMELY careful of clicking on ANYTHING right now. I am seeing a huge uptick of COVID related emails and scams. I’m seeing these kinds of scams come into my inbox (well, the notifications that they are being cleaned out of my inbox anyway)
Subject: MUST READ-TRUTH ABOUT COVID-19
Sender: valeria.flores@ambiente.gob.ecTime received: 4/1/2020 11:41:20 PM
Message ID:<1870826593.23469281.1585784413797.JavaMail.zimbra@ambiente.gob.ec>
Detections found:
Virologyfiles.doc RTF/CVE-2017-11882.C.gen!CamelotSo… be careful and remember right now this is about balancing the needs of the business and the users. Absolute security doesn’t exist.
-
Patch Lady – Office 365 ATP this shouldn’t be missed
Posted on March 25th, 2020 at 11:07 Comment on the AskWoody Lounge
Dear Office 365 Advanced Threat Protection. You aren’t being that advanced today.
- that’s not my email address
- Short message and email attachment screams malware
When I run it through virustotal.com and reverse.it sure enough
Come on Microsoft (and all the other vendors who are missing this) we don’t need stupid stuff like this missed. Not now. Only Fortinet flags it right now 9:09 pacific time)
-
Patch Lady – remoting into a desktop without VPN
Posted on March 21st, 2020 at 22:41 Comment on the AskWoody LoungeIf you are a small or medium business – or an IT consultant who helps small or medium businesses here’s a thought of a way to temporarily allow folks to remote into their desktops at the office without introducing more risk. Many IT consultants are setting up Virtual Private Network connections from potentially insecure home pcs that are not secure to the firm network and may introduce more risk. Especially if you have an unpatched Windows 7, this could introduce MORE risk to the network.
Here’s an alternative:
First off you’ll need either a spare server or spare room in a HyperV server. You’ll need a domain with workstations joined to that domain. Next download a trial version of either Windows Server 2016 or 2019. Download an ISO to that hyperV Server. Then follow these instructions (*)to set up a RDServer on that trial version. That trial version – and the Remote desktop cals – will work for 180 days.
Now from a home pc – even a Mac computer – launch the remote desktop connection program. In the computer name section put in the name of the computer you want to remote into. Click on show options. Click on the advanced tab. Click on the connect from anywhere settings box. Click on use these RDgateway settings and put in the url of the server name you’ve created from the instructions above.
Now click on “Use my RDGateway credentials for the remote computer. Click on the experience tab and change the performance setting to modem (this will thin down the remote connection so that you get the best experience).
Back on the first tab
Back on the first tab you put in the actual workstation/computer name you want to get to and for the user name you put in DOMAINNAME\user name. The remote user can now get to his or her exact workstation and remotely print.
Note to anyone using SBS 2011, SBS 2008, Essentials Server 2012, Essential Server 2016 those servers all have RDgateway set up by default and you can use the same process above to bypass the RWA portal and go directly to the workstations. Note this also works for Mac workstations as long as you download the new RDP client
PC name would be the PC you’ll want to remote into. In the Gateway setting, you’ll click on that blue icon on the right and put in the rdgateway url just like you do for the Windows machines.
Again, this will work to let workers remote straight into the exact desktop they use, so it’s best for office workers and those have have a single computer assigned to them.
Note if you have excess server computing power on that HyperV you can also use this to set up RDweb apps. Put the date on your calendar as this will only work for 180 days or be prepared to license it before then. But bottom line – this temporary solution can give your smaller clients a secure way to remote back into their offices with the Work from Home orders.
Also remember if you are like me where you are suddenly putting an ancient Windows 7 back into remote service, you can still buy ESUs from Amy.
(*) Huge thanks to Richard Kokoski for allowing me to post his step by step instructions.
Note that this only works with “normal” GUI server 2019 not Essentials 2019. Microsoft removed the RDgateway bits from Essentials 2019 so do not attempt to do this with that version.
If you need a good VPN solution check out using OPENVPN.
-
Patch Lady – we have an out of band on that SMBv3
Posted on March 12th, 2020 at 10:48 Comment on the AskWoody Loungehttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762
At this time I”m not seeing active attacks and NO ONE should be STUPID enough to have port 445 a SMB file sharing port open to the web. So I’m still in don’t panic, don’t install and let’s test mode.
-
Patch Lady – forget that crypto one, worry about this one
Posted on January 14th, 2020 at 21:41 Comment on the AskWoody LoungeIf you are a IT consultant or admin with an Essentials 2012 (or later) server, or use the RDgateway role and expose it over port 443 to allow users to gain access to RDweb or their desktops, forget that crypt32.dll bug. This one is one to worry about.
Impacts 2012 and above – so no impact to SBS 2011 or SBS 2008, yes to Essentials 2012 and higher.
Essentials 2012 exposes RDgateway over port 443 and 3389 is not open to the web (well, not normally) but given that this is a pre-authentication exploit, all an attacker has to do is to throw that crafted request to port 443 rather than 3389 (assuming I’m reading this right).
So if you patch SMB servers that use RDgateway, worry about patching those servers this time faster than you would normally do.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609
A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems RD Gateway via RDP.
(edit: for anyone asking, 2008 R2 is not vulnerable and thus SBS 2011 is not vulnerable. It’s only vulnerable on Server 2012 and later, remember SBS 2011’s base operating system drops out of support today)
Welcome to our unique respite from the madness.
It's easy to post questions about Windows 10, Win8.1, Win7, Surface, Office, or browse through our Forums. Post anonymously or register for greater privileges. Keep it civil, please: Decorous Lounge rules strictly enforced. Questions? Contact Customer Support.
Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments. Click here for details and to sign up.
Recent Replies
bsfinkel on Windows 10 2004 KB4565503 Errtor 0x8007000E
8 minutes agoOscarCP on Shaun the Sheep, etc: animated shows in Netflix to watch while self-isolating.
18 minutes agoPaulK on WIN 7 administrator password
42 minutes agocmptrgy on WIN 7 administrator password
1 hour, 3 minutes agoCarl D on Patch Lady – the different “offerings”
1 hour, 32 minutes agoEP on MS-DEFCON 3: There are some oddities, but it’s time to install the July 2020 patches
1 hour, 46 minutes ago- 1 hour, 49 minutes ago
dmt_3904 on Patch Lady – the different “offerings”
2 hours, 30 minutes ago- 2 hours, 31 minutes ago
PKCano on Patch Lady – the different “offerings”
2 hours, 35 minutes agoRick Corbett on Freeware Spotlight — Bloatbox
2 hours, 42 minutes ago- 2 hours, 44 minutes ago
- 2 hours, 45 minutes ago
geekdom on Freeware Spotlight — Bloatbox
2 hours, 48 minutes agoSusan Bradley on Windows 7 ESU Install Failure (?)
2 hours, 50 minutes ago- 2 hours, 54 minutes ago
- 3 hours, 3 minutes ago
Lil88reb on KeyPass No Longer Working As It Did
3 hours, 3 minutes ago- 3 hours, 11 minutes ago
anonymous on The TRS-80 turns 43 years old
3 hours, 13 minutes agoKYKaren on MS-DEFCON 3: There are some oddities, but it’s time to install the July 2020 patches
3 hours, 29 minutes ago- 3 hours, 46 minutes ago
- 3 hours, 57 minutes ago
cfcarrasco on Windows 7 ESU Install Failure (?)
4 hours, 4 minutes ago- 4 hours, 11 minutes ago
carpintero on Freeware Spotlight — Bloatbox
4 hours, 18 minutes agobumblebee on Asus motherboard P8Z68-V Pro SATA connections
4 hours, 25 minutes ago- 4 hours, 39 minutes ago
Microfix on Windows 10 2004 KB4565503 Errtor 0x8007000E
4 hours, 51 minutes ago- 5 hours, 18 minutes ago