So the zero day IE is finally out as an out of band patch. On the Windows Defender security portal they talk about the risk of this zero day…. For
[See the full post at: Patch Lady – what’s the real risk?]
Susan Bradley Patch Lady
There’s a lot of us still on 1803…until December. I installed the patch last night and I usually don’t fetch the FIRST cumulative update from Microsoft Catalog until about now for the previous month. I’m very cautious. But with a mandatory patch out for IE, that you don’t shrug your shoulders over, you don’t delay even if you practice safe hex especially with email links, etc and even if you never, like me, use IE, you MUST keep IE patched until you are on 1809 and above as you probably uninstalled IE as soon as you got on 1809…the one thing I am looking forward to when I upgrade from 1803.
So, for those on 1809 or higher, in essence this means that as long as we don’t use IE or fall for the old trick of opening suspicious links included in suspicious attachments of suspicious emails then there is no pressing need to install the out-of-band update, is that right? If so, it really sounds like my decision to ultimately move from 1803 to 1809 during the last DEFCON 3 period was well-timed and not at all in vain!
BTW, for all those who don’t need IE at all, is there any clue whether disabling IE by using “Turn Windows features on or off” could also be an option to avoid falling victim to the exploit?
AHA! Details at last!
Yep, looks exactly as you surmised – don’t use IE, and make something else your default browser. That won’t protect you completely because of the way MS has woven IE into the internals of Windows, but it’ll protect against the known attacks.
Of which I’ve heard of exactly none, by the way…
Just a reminder that it was back in February 2019 there was a lot of talk about Stop using Internet Explorer as your main web browser. Here is a link to a Microsoft Support article about how to disable Internet Explorer on Windows, covers various versions 7 – 10:
https://support.microsoft.com/en-us/help/4013567/how-to-disable-internet-explorer-on-windows
Thanks for the article.
Another method to block Internet Explorer is to use Windows10FirewallControl. Some users will find it is too much work to train the software, which software to block/allow/block once/allow once. It comes with default options and the free version may not allow blocking of some Microsoft programs (I am using the freeware).
You can also use Windows10FirewallControl to block or allow other programs/browser going out to the Internet too.
For several years now I have made it my default policy not to open Word documents either coming attached to email, or found while making searches in the Internet, unless they are from very trusted sources and I am actually expecting them. If they come from a very trusted source and I am not expecting them, I ask the source first to confirm that it sent the document to me before doing anything else with that file. As to the rest of them, the ones I did not expect or from sources that are not trusted, or I find in the Web during a search, or are not confirmed by its alleged source: I delete them outright with my mail client, or close my browser on them without downloading or even looking at them, and never, ever push the “EDIT” button on any Word file not of my own making, before I run the AV on it to make sure the document is not carrying, unintentionally, an infectious bug along with it.
Does this policy of mine make me perfectly safe? Of course not.
Here is a better question: does it make me substantially safer? Answer: I think so.
Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).
MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV
It might be an oversimplification, due to the way IE is woven in the fabric of older versions of Windows, and how many directions it might be vulnerable from, but I think you can summarize at least 50% of virus/exploit/vulnerability prevention with four words:
“Don’t be an idiot.”
It seems like these exploits always require some sort of boneheaded user action before it can actually do damage. Not 100% of them, but the overwhelming majority are cases where you literally have to pull the trigger on the gun aimed at your foot.
Just being aware of vulnerabilities and routes of attack makes a huge difference, and no amount of security software or OS patching will protect you if you go running out into the middle of the road playing chicken with oncoming exploit traffic.
Man, I’m getting sick of this behavior from those who would spread fear, uncertainty, and doubt for business gain.
The message we’re being fed is abundantly clear: Leave behind everything and buy all our new software and be protected from impending doom.
Yet have you noticed that the doom has not come?
And let us not forget who wrote the vulnerable software in the first place.
By coincidence I happen to be watching a commercial about “security software” right now. “You never know where cyberthreats could be lurking these days” (direct quotes from the commercial)… “With threats all around, you need … protection.” “Why not have an added layer of protection so you can sleep well at night?”
They are trying to manipulate us in every way possible.
Don’t stand for it!
-Noel
I agree. Yet there is very little talk about what measures a person can take to prevent identity theft. This of course boils down to phishing emails, scam phone calls, and people using the same passwords and choosing the same security questions on more than one website. Identity theft is big business — not just for the criminals, but for companies who offer services to protect a person from identity theft. As they say in Mafia movies, it's just business.
For those who use Twitter, I do recommend subscribing to haveibeenpwned (just do a Twitter search for haveibeenpwned). They announce data breaches nearly every day, and they also announce what percentage of breached data is already in their databases.
Needless to say, yet I will say it. Never use the same password online more than once, and never reuse any older password online — ever. Today, haveibeenpwned announced a data breach which occurred around 5 years ago, only to be recently discovered since the data showed up on the dark web.
Problem is, a significant proportion of end users just have insufficient skills to determine what is safe and what isn’t…
It seems like these exploits always require some sort of boneheaded user action before it can actually do damage. Not 100% of them, but the overwhelming majority are cases where you literally have to pull the trigger on the gun aimed at your foot.
… as in don’t recognize it as a gun, don’t know which way it’s pointing and/or don’t know which part of it is the trigger.
I agree. Yet there is very little talk about what measures a person can take to prevent identity theft. This of course boils down to phishing emails, scam phone calls, and people using the same passwords and choosing the same security questions on more than one website.
Oh yeah, phishing emails. And faked-sender mails and … well the click-to-open method of “protected content” really isn’t very safe, as long as users aren’t able to check that the server storing the content and the user who owns the content are both trustworthy and not victims of some similar trick themselves.
IE and Outlook have been good target applications for these due to both the large installed base and the habit of “helpful” hiding of technical details. Hence things like the Outlook sender line spoof and…