• Heads up: Microsoft posts a fix for that SMBv3 security hole. Get ready to install this month’s Windows patches.

    #2190096

    Microsoft just released the patch that it almost released on Tuesday. It’s the SMBv3 patch that’s set the security community on fire. KB 4551762, whic
    [See the full post at: Heads up: Microsoft posts a fix for that SMBv3 security hole. Get ready to install this month’s Windows patches.]

    2 users thanked author for this post.
    • #2190106

      MS-DEFCON ignored per usual, KB4551762 Cumulative Update for Windows 10 Version 1909 for x64-based Systems installed, system nominal.

      Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
      We were all once "Average Users". We all have our own reasons for doing the things that we do with our systems, we don't need anyone's approval, and we don't all have to do the same things.

      2 users thanked author for this post.
      • #2190174

        As someone who had many family and friends have W10 meltdowns (probably due to having inexpensive, slower machines) I’ve always appreciated those who have the knowledge and expertise to easily recover. For the DEFCON system to work, there have to be those adventurous enough to put their machines on the line. Your regular reporting of having no issues is appreciated.

        Non-techy Win 10 Pro and Linux Mint experimenter

        3 users thanked author for this post.
    • #2190109

      Windows 1909 Test Beta
      March 12, 2020

      kb4551762
      https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762

      Installed update from Windows Update and then rebooted without error.

      On permanent hiatus {with backup and coffee}
      offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
      offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
      online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
      1 user thanked author for this post.
      • #2190446

        Well, Microsoft has done it again — force fed me KB4551762 (CVE-2020-0796) re: the SMBv3 security hole. Last night I left my PC asleep; this morning I came in to find my PC “ON” and updated without my permission. I am now at 18362.720. I am using StopUpdates10 to Pause updates. This has never happened since I’ve been using StopUpdates10 (a great tool by the way).

        I realize KB4551762 is a critical update but @askWoody has said there are no known exploits. I don’t appreciate Microsoft again ignoring its own rules and NOT honoring my wishes to pause Updates.

        • #2190447

          Well, Microsoft has done it again — force fed me KB4551762 (CVE-2020-0796) re: the SMBv3 security hole. Last night I left my PC asleep; this morning I came in to find my PC “ON” and updated without my permission. I am now at 18362.720. I am using StopUpdates10 to Pause updates. This has never happened since I’ve been using StopUpdates10 (a great tool by the way).

          I realize KB4551762 is a critical update but @askWoody has said there are no known exploits. I don’t appreciate Microsoft again ignoring its own rules and NOT honoring my wishes to pause Updates.

          Is StopUpdates10 a Microsoft tool?

          1 user thanked author for this post.
          • #2190451

            https://greatis.com/stopupdates10/

            No, StopUpdates10 is not from Microsoft. Get it at the link above. I should note that Microsoft finally gave Windows 10 users the ability to pause updates in v1903 aka 19H1. However, if I have a choice between Microsoft and a 3rd party tool which probably works, I will choose the 3rd party tool!

            • #2190637

              No, StopUpdates10 is not from Microsoft

              Then MS is not ignoring you, StopUpdates10 is failing you.
              Stick to known and tested methods – group policy, pause button, metered connections.

              cheers, Paul

              1 user thanked author for this post.
            • #2191088

              Then MS is not ignoring you, StopUpdates10 is failing you.
              Stick to known and tested methods – group policy, pause button, metered connections.

              cheers, Paul

              NO, MICROSOFT FORCE-FED ME THIS UPDATE. I have StopUpdates10 on all 3 machines, KB4551762 was forced on me on only one machine. Microsoft ignored the fact that updates were paused. Updates can also be paused in Windows 10 Home from Settings > Updates & security if you have v1903 (19H1) or higher.

            • #2191132

              But you’re using “StopUpdates10 to Pause updates”. So if that doesn’t work, it’s not Microsoft’s fault.

              Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

    • #2190114

      Why be in a hurry to Update Windows?! You usually have us wait until the last week of the current month or the 1st week of next month… yes, humans can catch COVID-19, but electronics are immune to that virus. Sanitize the Outside of your desktops, laptops, tablets, smartphones… & even Echos & Nest smart speakers. Oh Heck, sanitize your smart watches & other wearables, too. Then… WASH YOUR DANG HANDS!

      Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
      Wild Bill Rides Again...

      • #2190148

        The reason why I’m concerned in this case is that Catalin Cimpanu — who has a good track record — says that several people have come up with working Proof of Concept exploits. In addition, Kevin Beaumont (who now works for Microsoft!) posted a video of a PoC.

        It’s a long way from a working PoC to a widespread attack — but there’s still good reason to keep your ear to the ground.

        Until there’s a real threat, though, in my opinion, it’s smarter to wait — at least until we see if there are any initial widespread problems.

        4 users thanked author for this post.
    • #2190115

      Windows Server Version 1903 and Windows Server Version 1909 are Semi-Annual Channel releases and SAC releases are only available in Core or Nano Server variants.

      Windows Server 2016 and 2019 are LTSC releases and are available with the Desktop Experience.

      https://docs.microsoft.com/en-us/windows-server/get-started-19/servicing-channels-19

      Francis

      4 users thanked author for this post.
      • #2190129

        Yep

        it’s not that only Server Core versions are affected, it’s only build 18362 is affected, which for Servers is only available in Core/Nano variant

        i guess build 19041 (ver 2004) is also affected, but it’s not generally available yet, and maybe that’s why it didn’t receive any updates this month yet (i.e. intentional delay to fix SMB issue)

        2 users thanked author for this post.
    • #2190139

      check out this recent ZDNet article, woody:

      https://www.zdnet.com/article/microsoft-patches-smbv3-wormable-bug-that-leaked-earlier-this-week/

      Earlier this week, due to what looks like a miscommunication between Microsoft and some antivirus vendors, details about this bug leaked online.

    • #2190141

      Installed via Windows Update. No apparent problems.

       

      Barry
      Windows 11 v22H2

      2 users thanked author for this post.
    • #2190163

      Hidden for me via WUshowhide is KB4540673 (released March 10) and KB4551762 (released March 12); the latter replaces the former according to the MS-Catalog.

      So, when it comes time to update with the March Patch Tuesday/Thursday patches, should I unhide only the latter? If so, what do I do about the former?
      ———————-
      Version 1909, Feature Update Deferral= 365, Quality Update Deferral=0, Group Policy>Automatic Windows Update – #2 Notify download/install.

      • #2190168

        Win10 Security Updates are CUMULATIVE Updates. That means the latest one contains the previous ones. So if you install the latest one that contains the one before that, and the one before that…., it would be redundant to install the older patches. In fact, you won’t be able to do so.

        If the newer patch supersedes (replaces) the older patch, the older patch will simply disappear from Windows Update after the newer one (containing it) is issued. By installing the newer patch, you install the older one by definition of “Cumulative”.

        2 users thanked author for this post.
        • #2190187

          I understand supersedence chains and what a cumulative update is.

          You are right, the older patch (KB4540673) is no longer listed in the hidden updates; it WAS there, but it’s gone now. Only the new one (KB4551762) is listed there.
          [Image: hidden-updates]

          Currently, this is the WU display:
          So, will the newer one disappear from this display, after the WU is next scheduled?
          [Image: WU-display-KB4551762]

          Evidently, it does not simultaneously get rid of the older one in wushowhide AND the newer one in the WU display.

          • #2190202

            Assuming you have Windows 10 Pro and are using wushowhide and have Group Policy > Windows Update set to 2:

            With the release of KB4551762, if you previously hid KB4540673 via wushowhide, KB4540673 will now no longer show as hidden (or anywhere) in wushowhide.

            But KB4551762 will now show up in wushowhide and maybe also the Windows Updater queue if you didn’t find it via wushowhide soon after it was released and hid it.

            If it shows in Windows Updater queue, go to wushowhide and hide it. Then wait until Windows Updater automatically updates itself again (18-24 hours). KB4551762 will then be hidden and removed from the Windows Updater.

            To install it, unhide it and wait for Windows Updater to automatically update itself again and it will reappear in the Windows Updater queue to Download.

            Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)
            2 users thanked author for this post.
        • #2190383

          Given that these are cumulative what about the 2020-02 patch that hosed so many computers? I’m afraid to put in the 2020-03 because I don’t need 100 computers at my company losing their profiles like what happened with the last update.

          Is that no longer a concern?

          • #2190402

            From reading here, there has been no Microsoft mention of a fix to profile problems.

            On permanent hiatus {with backup and coffee}
            offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
            offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
            online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
            2 users thanked author for this post.
            • #2190405

              Yup, makes me want to not install it.

              1 user thanked author for this post.
            • #2190409

              Good point.

              I finally gave in last month, and recommended that folks install the Win10 1903/1909 cumulative update, but took solace in the fact that we had seen the problem many, many times, and as best I know everybody was able to work around it.

    • #2190207

      Installed the SMBv3 CU on 2 production machines and 2 lab computers, no problems encountered. Trend Micro AV. W10 1903. Going to take a chance. Approved the rest in WSUS just now. (~60 devices to update during next 48 hours, roughly.)

    • #2190266

      Ditto: Installed via Windows Update. No apparent problems.

       

      1 user thanked author for this post.
    • #2190287

      As I understand it, currently this SMB3 vulnerability, according to CVE-2020-0796, is known to only affect SMB 3.1.1, which is only in Windows 10 (1903 / 1909 only?). Other Windows versions like Windows 8.1 use an older version (3.0.2 in the case of Windows 8.1) which is not affected (yet?). Is that correct, Woody?

      If this is so then I would wait and not patch my Windows 8.1 systems any time soon. My Windows 8.1 systems are currently on January 2020 patch level.

      Hope for the best. Prepare for the worst.

      • #2190293

        according to CVE-2020-0796, is known to only affect SMB 3.1.1, which is only in Windows 10 (1903 / 1909 only?).

        Close. This vulnerability affects SMB compression, which is Windows 10 1903/1909 only (added in 2019). SMB compression was added after 3.1.1; they did not change the SMB version number when they added it. SMB 3.1.1 was available earlier, in Windows Server 2016, which does not have SMB compression and is not vulnerable.

        8.1 is unaffected. LTSC 1809 is unaffected.

        Compression is negotiated with an SMB2_NEGOTIATE context of SMB2_COMPRESSION_CAPABILITIES. Whether an implementation of SMB3 supports compression appears to be independent of whether it supports 3.1.1. Theoretically someone could make an SMB server that does not support 3.1.1 but does support compression, but Microsoft did not do this.

        Awfully confusing to have features without version numbers, but the reasoning is that compression is optional, so an implementation doesn’t have to support it.

        2 users thanked author for this post.
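Added example, not part of the original thread: the reply above says compression support is advertised through an SMB2_COMPRESSION_CAPABILITIES negotiate context, independent of the dialect number. The sketch below walks the negotiate context list of an already captured SMB2 NEGOTIATE response and reports whether that context is present. The function names are hypothetical, the context-type and algorithm values are taken from the MS-SMB2 specification rather than from this page, and the sample byte strings are constructed.

```python
import struct

# Values from the MS-SMB2 negotiate context definitions (not from this thread).
SMB2_COMPRESSION_CAPABILITIES = 0x0003
ALGORITHMS = {1: "LZNT1", 2: "LZ77", 3: "LZ77+Huffman", 4: "Pattern_V1"}

def iter_negotiate_contexts(buf, count):
    """Yield (context_type, data) for each entry of a NegotiateContextList."""
    off = 0
    for _ in range(count):
        if off + 8 > len(buf):
            raise ValueError("truncated negotiate context header")
        ctx_type, data_len, _reserved = struct.unpack_from("<HHI", buf, off)
        data = buf[off + 8: off + 8 + data_len]
        if len(data) != data_len:
            raise ValueError("negotiate context data exceeds buffer")
        yield ctx_type, data
        off = (off + 8 + data_len + 7) & ~7  # next context is 8-byte aligned

def compression_algorithms(buf, count):
    """Names of offered algorithms; [] if no context or only NONE (0) offered."""
    for ctx_type, data in iter_negotiate_contexts(buf, count):
        if ctx_type != SMB2_COMPRESSION_CAPABILITIES:
            continue
        if len(data) < 8:
            raise ValueError("compression context too short")
        alg_count, _pad, _flags = struct.unpack_from("<HHI", data, 0)
        if 8 + 2 * alg_count > len(data):
            raise ValueError("algorithm count exceeds context data")
        ids = struct.unpack_from("<%dH" % alg_count, data, 8)
        return [ALGORITHMS.get(i, "unknown(0x%04x)" % i) for i in ids if i != 0]
    return []

def _ctx(ctx_type, data):
    """Build one padded negotiate context (helper for the constructed samples)."""
    raw = struct.pack("<HHI", ctx_type, len(data), 0) + data
    return raw + b"\x00" * (-len(raw) % 8)

# Constructed samples: a pre-auth integrity context (SHA-512, 32-byte zero salt)
# followed by either a compression context or an encryption context.
_PREAUTH = _ctx(0x0001, struct.pack("<HHH", 1, 32, 1) + bytes(32))
WITH_COMPRESSION = _PREAUTH + _ctx(0x0003, struct.pack("<HHIH", 1, 0, 0, 1))
WITHOUT_COMPRESSION = _PREAUTH + _ctx(0x0002, struct.pack("<HH", 1, 2))

if __name__ == "__main__":
    print("with:", compression_algorithms(WITH_COMPRESSION, 2))
    print("without:", compression_algorithms(WITHOUT_COMPRESSION, 2))
```
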
    • #2190387

      I received user feedback from several users reporting install errors 0x800f0988 and 0x800f0900 while installing update KB4551762.
      Windows 10: Fehler 0x800f0988/0x800f0900 bei KB4551762 (Windows 10: Error 0x800f0988/0x800f0900 with KB4551762)
      An English blog post will follow (will link it internally within the blog post) later.

      Ex Microsoft Windows (Insider) MVP, Microsoft Answers Community Moderator, Blogger, Book author

      https://www.borncity.com/win/

      2 users thanked author for this post.
    • #2190490

      Well, Microsoft has done it again — force fed me KB4551762 (CVE-2020-0796) re: the SMBv3 security hole. Last night I left my PC asleep; this morning I came in to find my PC “ON” and updated without my permission.

      I use the built-in deferrals in 1909 pro + GPEdit ‘Notify don’t download’ = 2 and haven’t been force fed with March updates. My PC is on 24/365.
      It is probably some glitch in your 3rd party blocker settings.
      You can use Microsoft’s wushowhide.diagcab tool instead.
