  • Time to get off the Group W bench – at least for a few minutes


      • #110144 Reply
        woody
        Da Boss

        If you haven’t yet installed March patches for Windows, listen up. One of those leaked NSA exploits, EternalBlue, has been pulled out of the Shadow Br
        [See the full post at: Time to get off the Group W bench – at least for a few minutes]

        5 users thanked author for this post.
      • #110153 Reply
        MrBrian
        AskWoody_MVP

        Most non-business users are probably not exposed to this through the internet. You can test for internet exposure to port 445 (the vulnerable code in non-patched Windows listens to port 445) by doing the Common Ports test at https://www.grc.com/x/ne.dll?bh0bkyd2. Nonetheless, I still agree with Woody’s advice because I believe that port 445 is usually open within local networks.

        10 users thanked author for this post.
      • #110150 Reply
        anonymous
        Guest

        Do most of those exploits, like EternalBlue, depend on any user-related action, or are they mostly “point-and-pwn” sorts of tools?

        If they fall into the second category, does the affected system still have to be manually found and targeted in order to be exploited, or is there already a more advanced, automated way of delivering this threat?

        • #110160 Reply
          MrBrian
          AskWoody_MVP

          EternalBlue is unlike most other exploits because it involves no user actions other than being connected to a network that is able to send network traffic to port 445.

          4 users thanked author for this post.
          • #110164 Reply
            anonymous
            Guest

            Thanks for the heads up MrBrian…

            So with port 445 open, any unpatched system is still vulnerable… But it still depends on manual targeting, right? Which might indicate that home users are less prone to infection?


            On a legacy machine running Windows XP SP3 which I barely ever use, I disabled the file/printer sharing in the network settings. Does this do any good against those kinds of SMB exploits?

            • #110173 Reply
              MrBrian
              AskWoody_MVP

              You’re welcome :).

              Most home users shouldn’t be “reachable” to port 445 through the internet, but most home users should be “reachable” to port 445 by other devices on your local network (because of printer and file sharing). So if somebody else on your local network gets malware, if you’re vulnerable to this then their malware could be used to exploit your computer also.

              I don’t see any technical reason why an attack on devices “reachable” on port 445 through the internet couldn’t be automated (if it isn’t already).

              4 users thanked author for this post.
              • #110186 Reply
                anonymous
                Guest

                Hmm… So the biggest issue for home users is not direct internet access to port 445 but some kind of lateral access to it by compromised systems on the same network…


                So disabling file/printer sharing is somehow effective as it renders the XP machine “invisible”, at least directly, to the other machines on the same network, is it correct?

              • #110188 Reply
                MrBrian
                AskWoody_MVP

                @anonymous: That is correct, I believe. You can use a port scanner program such as SuperScan to scan if port 445 is open in your local network after you disable file and printer sharing.

              • #110250 Reply
                fp
                AskWoody Lounger

                If I scanned the ports and got a stealth result does this mean 445 is safe?

              • #110268 Reply
                Kirsty
                Da Boss

                The theory is that stealth is safety. The report probably told you that as the ports could not be seen, it appears as though the computer does not exist, or words to that effect.

                2 users thanked author for this post.
              • #110292 Reply
                MrBrian
                AskWoody_MVP

                “If I scanned the ports and got a stealth result does this mean 445 is safe?”

                Assuming you scanned port 445 of the target computer from another computer in your local network, and used the internal IP address of the target computer, a result of either “stealth” or “closed” is fine, I believe.

                1 user thanked author for this post.
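                An added example, not from the thread or from SuperScan: a small Python checker that probes TCP port 445 on a host and reports the outcome in the terms used above. A refused connection (RST) is “closed”, a silent timeout is “stealth” (a firewall dropping the SYN), and only a completed handshake counts as “open”. Host addresses and the self-test listener are constructed for the example.

                ```python
                import socket

                # Constructed example: classify how a host on the local network
                # responds to a TCP connect on port 445 (Microsoft-DS / SMB).
                #   "open"        - handshake completed; something is listening
                #   "closed"      - host replied with RST; nothing listening
                #   "stealth"     - no reply within the timeout; SYN silently dropped
                #   "unreachable" - no route / name lookup failed; host not reachable

                SMB_PORT = 445


                def probe_tcp(host: str, port: int = SMB_PORT, timeout: float = 2.0) -> str:
                    """Attempt one TCP connect to host:port and classify the result."""
                    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
                        s.settimeout(timeout)
                        try:
                            s.connect((host, port))
                        except ConnectionRefusedError:
                            return "closed"
                        except socket.timeout:
                            return "stealth"
                        except OSError:
                            # e.g. "No route to host", network unreachable, bad hostname
                            return "unreachable"
                        return "open"


                def smb_exposed(host: str, timeout: float = 2.0) -> bool:
                    """True only when the host actually accepts connections on 445."""
                    return probe_tcp(host, SMB_PORT, timeout) == "open"


                def scan_hosts(hosts, port: int = SMB_PORT, timeout: float = 2.0) -> dict:
                    """Probe several hosts (e.g. your LAN) and map host -> classification."""
                    return {h: probe_tcp(h, port, timeout) for h in hosts}


                def demo_localhost() -> tuple:
                    """Self-test on loopback: open an ephemeral listener, probe it, close
                    it, probe the same port again. Expected: ("open", "closed")."""
                    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                    listener.bind(("127.0.0.1", 0))      # port 0 = pick a free port
                    listener.listen(1)
                    port = listener.getsockname()[1]
                    while_listening = probe_tcp("127.0.0.1", port, timeout=2.0)
                    listener.close()
                    after_close = probe_tcp("127.0.0.1", port, timeout=2.0)
                    return while_listening, after_close


                if __name__ == "__main__":
                    print("loopback self-test:", demo_localhost())
                    # Hypothetical LAN addresses; replace with the machines you manage.
                    for host, state in scan_hosts(["192.168.1.10", "192.168.1.11"]).items():
                        print(f"{host}:445 -> {state}")
                ```

                Run it from another machine on the same LAN against the target’s internal IP; as MrBrian notes, either “closed” or “stealth” is fine, and only “open” means SMB is still reachable.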
      • #110158 Reply
        MrBrian
        AskWoody_MVP

        The article Leaked NSA hacking tools are a hit on the dark web states that some claim that Microsoft’s March 2017 patch is not good enough.

        1 user thanked author for this post.
        • #110161 Reply
          AlexN
          AskWoody Lounger

          Maybe not, but it’s a start toward improved security.  Hopefully May’s patch will take the rest of the punch out of this.

          Fortran, C++, R, Python, Java, Matlab, HTML, CSS, etc.... coding is fun!
          A weatherman that can code

          1 user thanked author for this post.
        • #110190 Reply
          woody
          Da Boss

          That’s my #1 concern at the moment… if I tell people all’s safe, when it isn’t….

          3 users thanked author for this post.
          • #110272 Reply
            Noel Carboni
            AskWoody_MVP

            Well, to be realistic there is NEVER a time when any patch (or computer usage) is PERFECTLY safe. 🙂

            -Noel

            3 users thanked author for this post.
        • #110279 Reply
          anonymous
          Guest

          @ MrBrian

          In that case, Win 7/8.1 users should move to Group L , … L for Linux. … ( :

      • #110162 Reply
        MrBrian
        AskWoody_MVP
      • #110165 Reply
        anonymous
        Guest

        Will a personal computer not be protected by leaving its Homegroup and disabling all sharing options?

        I also have 4012212 installed on my Win7.

        • #110175 Reply
          MrBrian
          AskWoody_MVP

          Installing the March 2017 Windows update should be sufficient, unless the suggestion in an above link that the March 2017 Windows update isn’t good enough is true.

          1 user thanked author for this post.
      • #110177 Reply
        MrBrian
        AskWoody_MVP

        Estimate of number of users who are “reachable” to port 445 through the internet: From Millions Of Systems Worldwide Found Exposed On The Public Internet (2016):

        “Meanwhile, some 4.7 million systems expose port 445/TCP, which is used for Microsoft SMB network communications.”

        1 user thanked author for this post.
      • #110184 Reply
        Geo
        AskWoody Plus

        I have Win 7 Home Premium x64. When trying to install 212 and 215 it said not applicable. It did install KB4012218.

      • #110185 Reply
        MrBrian
        AskWoody_MVP

        For Windows 7 or 8.1 users: Because of the cumulative nature of the monthly rollups, if you have a monthly rollup or preview monthly rollup from March 2017 or later, you’re also protected from this.

        1 user thanked author for this post.
        • #110252 Reply
          Noel Carboni
          AskWoody_MVP

          > For Windows 7 or 8.1 users: Because of the cumulative nature of the monthly rollups, if you have a monthly rollup or preview monthly rollup from March 2017 or later, you’re also protected from this.

          If they know how to patch the system to prevent infection, does that imply that the MSRT would remove an existing one?

          -Noel

          2 users thanked author for this post.
          • #110422 Reply
            ch100
            AskWoody_MVP

            That would be the ideal situation and hopefully will happen.
            Situations like this one are the only reason to justify the monthly (daily after Windows 7) scan and the existence of MSRT.
            The regular antivirus software only treats the symptoms and, while useful to some extent because it raises the alert, is not the answer to this sort of malware.

            1 user thanked author for this post.
      • #110217 Reply
        anonymous
        Guest

        Are home users connected to a Comcast Xfinity modem-router, who have to literally plug the printer into a USB port on the computer, vulnerable?

        • #110224 Reply
          MrBrian
          AskWoody_MVP

          I believe the router or modem itself, if it has malware on it, could infect your computer via this exploit.

      • #110219 Reply
        PKCano
        Da Boss

        You need two things to keep you from being vulnerable.
        1. You need to have the latest Office updates if you have MS Office (any version) installed on the computer.
        2. You need to have EITHER March 2017 Security Monthly Quality Rollup (delivered through Windows Update) OR March 2017 Security Only Quality Update (downloaded from the Microsoft Update Catalog) installed on your computer.

        Edited to correct patch date

        1 user thanked author for this post.
      • #110220 Reply
        anonymous
        Guest

        Also, if that ‘doublepulsar’ is malware, wouldn’t a malware blocker block it?

        • #110222 Reply
          PKCano
          Da Boss

          I believe you need the updates mentioned above.

        • #110227 Reply
          MrBrian
          AskWoody_MVP

          I have read that DoublePulsar is quite stealthy.

        • #110229 Reply
          anonymous
          Guest

          Apparently yes, DoublePulsar isn’t something new… It is a trojan with backdooring capabilities and a lot of variants in the wild…  What is new is the delivery method via the SMB vulnerability aka EternalBlue… So, at least in theory, it should be detected by security software as a resident infection because it is listed in a lot of AV databases, hence also in the signature updates…

          The updates make systems immune to the exploit, which is one of the spread methods, not to the threat itself…

        • #110242 Reply
          ch100
          AskWoody_MVP

          In general antivirus software generates alerts and blocks the symptom, but does not treat the root cause.
          Antivirus software is over-rated and in most cases useless, but it looks well to those less technical end-users or managers.

          2 users thanked author for this post.
          • #110647 Reply
            Noel Carboni
            AskWoody_MVP

            And it uses a lot of resources (i.e., it slows things down) to accomplish what protection it does provide.

            -Noel

      • #110225 Reply
        anonymous
        Guest

        Ok PKCano. Will the update from the catalog run even if I have windows update deactivated in services?

        • #110228 Reply
          PKCano
          Da Boss

          If you DISABLE the Windows Update Service the installer will NOT run.
          In WU, change settings to “Never Check for updates”
          In Services, put WU Service on manual (if it isn’t already).
          Reboot
          Open Services, scroll down and highlight WU Service, then at the top left “stop” the service.
          Run the update from the catalog.


          • #110247 Reply
            Kirsty
            Da Boss

            While in Services, it may pay to check that BITS is turned on/started (Background Intelligent Transfer Service).

      • #110243 Reply
        Noel Carboni
        AskWoody_MVP

        Out of curiosity, what scanners can detect this “stealthy” malware?

        -Noel

        • #110317 Reply
          anonymous
          Guest

          I wonder myself the same…

      • #110237 Reply
        anonymous
        Guest

        DoublePulsar has been in the wild for some time now, even some time before the Shadow Brokers episode which “unleashed” some vulnerabilities that made that particular malware such a potential threat, which makes me wonder why there are no malware scanning tests published for it. I mean, there are A LOT of sources claiming NUMBERS of affected systems, based mostly on what they call “internet scans”, so if the code can be identified remotely by some tool it can’t be as stealthy as expected…

        I might be acting ingenuous here, but I’d really want to see some insight, some research into that particular side of this malware, into how stealthy that piece of code is…

        • #110302 Reply
          MrBrian
          AskWoody_MVP
          • #110316 Reply
            anonymous
            Guest

            I’ve read this article before, great quote by the way, it’s an excellent in-depth analysis of the DOUBLEPULSAR injection technique, but even if it is pretty much silent and “stealth” while injecting the DLLs, it is malware code, it has a signature and as such it should be caught by full scanning software, right?

            I mean, it probably won’t be caught doing the injection, but it could, at least in theory, be caught and eventually removed by a scanning tool…

            • #110408 Reply
              MrBrian
              AskWoody_MVP

              DoublePulsar itself is fileless and memory-only.

              • #110415 Reply
                anonymous
                Guest

                Yes it runs in RAM and apparently can be caught at the moment mainly by manually monitoring memory behavior… And it ain’t easy…

                For systems that haven’t been rebooted it might leave a trace in memory, but I don’t know for sure how trackable it is, if it is trackable at all…


                But DoublePulsar itself is harmless, right? The main issue is the backdoor it leaves behind, and whatever manages to pass through will probably be identified by later scanning, correct?

              • #110459 Reply
                MrBrian
                AskWoody_MVP

                @anonymous: I think what you wrote is accurate.

      • #110249 Reply
        anonymous
        Guest

        >If you have version 1511, you need to be on Build 105867.839 or later.

        I am on 10586.494 and I have applied no patches since last year. I cleaned out Cortana, Edge and all apps and bloat. I consider their return with any update worse than the risk from NSA and all the idiots they enabled. I make frequent backups so if anything happens I will restore the latest. This to me is a superior alternative to letting MS shove stuff my stuff that I have to learn and can screw my system for no reason whatsoever.

        • #110253 Reply
          Noel Carboni
          AskWoody_MVP

          > If you have version 1511, you need to be on Build 105867.839 or later.
          >
          > I am on 10586.494 and I have applied no patches since last year. I cleaned out Cortana, Edge and all apps and bloat. I consider their return with any update worse than the risk from NSA and all the idiots they enabled. I make frequent backups so if anything happens I will restore the latest. This to me is a superior alternative to letting MS shove stuff my stuff that I have to learn and can screw my system for no reason whatsoever.

          An update to a higher build dot number in the same version (e.g., from 10586.494 to 10586.later) won’t return Cortana as far as I have seen (though it might depend on how you removed it).

          Per my experience, an update to a later version (i.e., 1607 or 1703) WILL return Cortana and any default Apps you have removed. That’s one reason I wrote a re-tweaker script I can use to remove them all again.

          -Noel

          1 user thanked author for this post.
          • #110282 Reply
            fp
            AskWoody Lounger

            That’s what I thought too, but I asked and Woody was pretty sure they would return. But the reality is I just don’t want anything to do with what MS does. My current configuration is just what I need and is stable and there is no reason that justifies taking the risk.
            I keep myself informed with everything going on and I have seen nothing to compel me to mess around with my system. I see only problems and no benefits.
            BTW, I removed Cortana and Edge with the Winaero scripts. I’m sure there are traces of them left, but they are inactive and as far as I can tell they’re dead given my settings.

            Edit: html to text, caused by copy>paste

      • #110258 Reply
        anonymous
        Guest

        > While many of the Microsoft Windows-specific exploits contain remote code execution vulnerabilities, they need to be deployed against a host in order to be successful. In other words, a connection to the organization must already be established for many of these exploits to work — as port 445, which is used in Microsoft’s SMB, is typically blocked internet-wide.

        Leaked NSA hacking tools are a hit on the dark web

        IOW, vulnerable Windows computers do not get infected by the EternalBlue/DoublePulsar/Fuzzbunch exploit by just connecting to the Internet or visiting a website, ie the exploit has to come from within a LAN or WAN or Remote Network, eg from an already-infected/compromised computer/device on the LAN or WAN or Remote Network(eg the computer user had clicked on files with other malware).
        https://www.exploit-db.com/docs/41896.pdf

        • #110283 Reply
          fp
          AskWoody Lounger

          I dk how to write such scripts. Are you confident that the script will work on any subsequent version of Win10?

          • #110300 Reply
            anonymous
            Guest

            @ fp

            The link refers to hackers writing such scripts while using the EternalBlue exploit.

            Those Windows exploits were used by NSA from 2011 onward and were “stolen” by Shadow Brokers in 2013. Win 10 was only released on 29 July 2015. So, those exploits were only used by the NSA to exploit pre-Win 10 systems. Today, hackers may use those same recently-leaked exploits against unpatched pre-Win 10 systems.
            . . . But this does not mean that the NSA did not apply the same exploits against Win 10 from 2015 onward or hackers cannot use the exploits against unpatched Win 10 systems today.

        • #110278 Reply
          anonymous
          Guest

          … continuing from above …

          Note that the Fuzzbunch hacking tool that is needed for the EternalBlue exploit is only available for Win XP. Why? Because many Chinese and Russian hackers are still using pirated Win XP, which is not illegal in their countries.
          . . . As we know, Win XP will never be patched against all the Shadow Brokers’ leaked exploits. What gives?

        • #110299 Reply
          MrBrian
          AskWoody_MVP

          Some systems are exposed to port 445 over the internet.

          Example: This guy purposely exposed a vulnerable system to port 445 on the internet. It was hacked in 15 minutes.

          1 user thanked author for this post.
          • #110318 Reply
            anonymous
            Guest

            @ MrBrian

            That is why computer users should always disable Remote Management/Assistance in their computers and routers (which also uses port 445), except when needed, eg when they request M$’s staff to provide technical support and trouble-shooting of Windows problems remotely.
            http://www.speedguide.net/port.php?port=445 (RPC = Remote Procedure Call)

            • #110409 Reply
              MrBrian
              AskWoody_MVP

              I do have Remote Assistance disabled for my Windows 7 computers since I don’t use it. Remote Assistance seems to use port 135, not port 445, according to Remote Assistance and Resulting Internet Communication in Windows 7 and Windows Server 2008 R2.

            • #110473 Reply
              anonymous
              Guest

              @ MrBrian

              Yes, you are correct, ie Remote Assistance and Remote Desktop do not use port 445. Sorry.
              . . . It’s actually the Windows Servers’ Remote Desktop Service that uses port 445, as per …
              https://social.technet.microsoft.com/wiki/contents/articles/16164.rds-2012-which-ports-are-used-during-deployment.aspx
              . . This means, companies and websites who have Windows Servers and Remote Desktop Service(= port 445 is open to the Internet) are vulnerable to the EternalBlue exploit if unpatched.

              Most home computer users access the Internet through port 80 on their home-routers, and not through port 445, ie port 445 is mainly accessed by their own internal LAN/WAN for file and printer sharing with Windows SMB protocol.
              ……. So, hackers would usually need to infiltrate port 80 through the Internet with some other malware before they could deploy the EternalBlue/SMB exploit through port 445.

              My point is that pre-Win 10 home computer users are not vulnerable to the EternalBlue exploit by just being connected to the Internet for web-browsing, even if unpatched with the March 2017 update because they do not connect to the Internet through port 445.

              Also, a fully patched Windows computer is of no use against malware infection if the user does not practice safe-browsing and good house-keeping, eg foolishly open unfamiliar email attachments or download torrent files, does not change the default router admin password or disable Remote Management/Assistance.

              1 user thanked author for this post.
          • #110329 Reply
            anonymous
            Guest

            @ MrBrian

            Windows Networking/SMB through port 445 has been vulnerable since 2005, …
            http://www.infoworld.com/article/2669579/security/experts-split-on-port-445-security-risk.html

            1 user thanked author for this post.
      • #110254 Reply
        TheWatch
        AskWoody Lounger

        So I have been trying to figure this out. I have a semi-custom Windows 7 64-bit Skylake computer (an early Intel Core i7 6700K). As it is custom, it is not on the list I saw of a few of the brands like Asus, Dell, etc. that have committed to extra testing for future Windows 7 updates.
        Also, I am more or less in Group B. The last time I patched was during the recent MS-Defcon 5 time, following instructions here on AskWoody.
        Can I install KB 4012212 or other updates? Will I be blocked? How should I proceed?
        Thanks!

        • #110291 Reply
          PKCano
          Da Boss

          > Can I install KB 4012212 or other updates? Will I be blocked? How should I proceed?

          I don’t know about that particular processor. What I can tell you from the threads on this site is – if you install the patch and your computer is blocked, you can then uninstall the patch and the blocking is reversed. That applies to both the Monthly ROLLUP delivered through Windows Update and the Security Only UPDATE downloaded from the MS Catalog because both/either contain the blocking mechanism.

          3 users thanked author for this post.
      • #110274 Reply
        lizzytish
        AskWoody Lounger

        I put my Win7 64bit machine through its paces at Steve Gibson’s Shields Up…. and came out with a good score, claiming that my computer is well hardened. I would hazard a guess, as I’m not tech minded to the extent of being able to tweak my machine, that either my router firewall, Norton Security or SpyBot Anti Beacon are playing a part. I do feel, despite what others think, that these programmes are helpful…….. perhaps not for those who are capable of writing scripts and engineering/tweaking their machines to do their bidding……… but for us lesser mortals!
        So please don’t disparage us by saying certain things…… thank you!
        Am attaching one of the reports given. All the ports tested were STEALTH with the exception of 139 and 445 which were CLOSED to connections.

        1 user thanked author for this post.
        • #110298 Reply
          Noel Carboni
          AskWoody_MVP

          It’s basic to the nature of a router not to forward incoming connection requests and connectionless packets TO connected computers on the LAN side – even if there’s only one of them. You have to set that up specifically if you want such connectivity. Gamers sometimes do this, or people with special requirements.

          It automatically sets up the return pathways when you make requests FROM your computer on the LAN side.

          Thus just having a router protects you from all kinds of trouble, with little downside.

          -Noel

          3 users thanked author for this post.
          • #110518 Reply
            ch100
            AskWoody_MVP

            I am sure you actually described the default behaviour of a NAT router, like most home users have on their networks, and not the behaviour of any other regular router 🙂

            • #110528 Reply
              Noel Carboni
              AskWoody_MVP

              Yes, perhaps I should have said “home router” or “edge router” – i.e., one that serves only one WAN IP address but allows multiple systems to be connected. Thanks for the clarification.

              -Noel

      • #110289 Reply
        lizzytish
        AskWoody Lounger

        Thank you for that suggestion ‘just saying’……….. was wondering myself if there was anything else I could do. Will most certainly look into that and close it down!

        You never fail until you stop trying.

      • #110315 Reply
        anonymous
        Guest

        Is there a way to close those ports manually for older systems or for those who can’t “afford” to get patched at the moment?

        Also, could rolling back to an early restore point, before the leakage happened, remove any DoublePulsar infections?

      • #110323 Reply
        Sessh
        AskWoody Lounger

        I have Microsoft DS disabled, don’t have a printer so all that is disabled and I have port 445 (among others) blocked several times over. A good tool to do this for those that aren’t technically inclined is Windows Worms Doors Cleaner 1.4.1. It doesn’t install anything, it’s just one file that runs and will allow you to easily close the following ports manually: 135, 137-139 and 445. It will also disable UPNP and SSDP services and will close the Messenger exploit if applicable (mine is disabled in services already). Handy little program to close off these ports for you if you so desire.

        • #110335 Reply
          anonymous
          Guest

          Could closing those ports cause any issues?

        • #110455 Reply
          fp
          AskWoody Lounger

          Doesn’t work in Win10.

      • #110332 Reply
        Canadian Tech
        AskWoody_MVP

        Thanks Woody. I have sent the patch link to all of my 150 client machines to be installed. Well on the way to patching.

        CT

      • #110334 Reply
        Chip
        AskWoody Lounger

        Morning all, Happy Spring,

        I just ran my Secunia PSI, and it says that I have some .NET Framework (2.x 64-bit ; 2.x ; 3.x ; 4.x) programs that need updating.  Am I ok to update the .NET, or should I hold off on it for now?  I think I remember reading that it is ok to update the .NET, but I wanted to run it by you to be sure.

        Also, one of my machines gets automatic Office 3013 updating, but the other machine has Office 2010, and that one doesn’t seem to get the automatic updating.  Will those updates for the Office 2010 come through with our regular security updating? I’ve never seen it do that, so I am curious how Office 2010 gets updated.

        Thanks,  Chip


        • #110336 Reply
          Chip
          AskWoody Lounger

          My mistake.  I typed Office 3013, when it is Office 2013.

          Chip

          • #110340 Reply
            Chip
            AskWoody Lounger

            Oh yeah, there’s always another piece to the puzzle.  If I click on the Secunia update for the .NET stuff, it wants to use IE.  I haven’t been using that, and am not sure about the wisdom of doing the .NET updating with it.

            Do .NET updates come through to us the same way the Group B security updates come?

            Thanks,  Chip

            • #110342 Reply
              PKCano
              Da Boss

              .NET comes through Microsoft Update.

        • #110339 Reply
          PKCano
          Da Boss

          > Am I ok to update the .NET, or should I hold off on it for now?

          The .NET patches for March and before are OK to install. The April patches are still under DEFCON 1.

          > Will those updates for the Office 2010 come through with our regular security updating?

          If you are using Microsoft Update (checked box “Give me updates for other MS products”), the Office updates will come through Windows/MS Update. If not, the Office patches are available on the Microsoft TechNet
          It is advisable to go ahead and install the latest Office patches now.

          • #110345 Reply
            Chip
            AskWoody Lounger

            PKCano, when I look at my Windows Update > Change settings screen, I don’t see “Give me updates for other MS products”. I have Important Updates (which is set to Never check for updates). It also shows “Recommended updates” (which I have unchecked).

            It also has a “Note: Windows Update might update itself automatically first when checking for other updates”, which puts a comforting feeling into my stomach.

            Regarding Office 2010, can I just install the April update?  I’ve never patched Office 2010 on this machine, and am wondering if April is all that I need.

            Thanks again,  Chip

            • #110348 Reply
              MrBrian
              AskWoody_MVP

              Here is a .vbs script that I have used to fix this problem on Windows 7: https://blogs.technet.microsoft.com/danbuche/2010/01/06/enabling-and-disabling-microsoft-update-in-windows-7-via-script/

              If you need more help on what to do, please say so.

              2 users thanked author for this post.
              • #110370 Reply
                Chip
                AskWoody Lounger

                Mr. Brian,  thanks for this.  I don’t think I’m up to the technical skill needed to use scripts, so I’ll have to let this slide.

                Chip

              • #110374 Reply
                MrBrian
                AskWoody_MVP

                @Chip: I’m not sure if this helps or if it’s too advanced yet?

                1. Copy these lines into a new file with an extension of .vbs: https://pastebin.com/w08Q3SBe.

                2. At a command prompt that is elevated, run the file created in step 1.

            • #110369 Reply
              Chip
              AskWoody Lounger

              Please allow a bit more info on this Office 2010 thing.  The machine in question used to get the automatic updating from MS, but I stopped that in September 2015.  I wasn’t too focused on updating for it, as that machine is not used very much, mainly being used as a live backup for my main machine.  I started doing the updates for windows at that time, so windows has always been updated following the all clear from you good folks.

              Thank you for the info on Microsoft TechNet.  Now I’ll be able to stop by there each month.

              Chip

              • #110382 Reply
                Chip
                AskWoody Lounger

                Well, that didn’t work. I got to the Microsoft Update Catalog, found KB3141538 (64-bit Edition) for Office 2010 Security Update, got it onto my download area, but when I applied/extracted it, I got a prompt saying something was missing and wouldn’t install.

                It was kind of a slog, getting to a spot that allowed the download.

                Thanks for your help.  Chip

              • #110387 Reply
                MrBrian
                AskWoody_MVP

                Do you know if you have 32-bit or 64-bit Office 2010?

              • #110397 Reply
                Seff
                AskWoody Plus

                Chip, I’d certainly check you’re trying to install the right version.  Open any Word document, look under File/Help and the version details will be shown including whether 32 or 64 bit. You also need to have Office 2010 SP2 installed, which means that the version details need to list the version number as 14.07015.1000 or higher.

                Mine qualifies on that basis but I’m not even being offered this update (nor have I been offered any definition or other updates since August 2016). I plan on tackling the main Windows updates (security and .Net roll-ups) when Woody raises the defcon  and then once it’s all proved to be working ok I’ll search from Word (same page as the version details) for Office 2010 updates and see what transpires.

              • #110599 Reply
                Chip
                AskWoody Lounger

                Seff,

                Thank you for your response with helpful info.  I’m showing, in a Word document, in Office 2010, a version of 14.7153.5000 (32-bit).  I think that’s meeting your requirement of v14.07015.1000, isn’t it?  (Would that mean that it has SP2?) It was pretty easy finding the version with your directions.  Office 2010 is on a Dell 390 Optiplex, which I think is a 64-bit machine; it’s Windows 7 Professional.   When I look at the Device Manager, it says that the 390 is: Computer – ACPI x64 based PC.  Would that mean that the 390 is a 64-bit machine?  I think the answer is yes.

                So, on the 390, would I go for the Office 2010 Update in the 32 or 64 bit flavor?  Can a machine be a 64-bit OS, but run Office 2010 at 32-bit?  I’ve been installing the Windows Security Updates (Group B) in 64-bit form on this 390, and everything seems to update correctly.

                My other machine is a Dell M6800 Precision Mobile Workstation, Win7 Pro.  It has Office 2013 and gets automatic Office Updates.  Looking in the Device Manager for the 6800 shows: Computer – ACPI x64 based PC; same as the 390, which makes me think the 390 is a 64-bit machine running Office 2010 in 32-bit.  Am I correct, so far?

                In the 6800, I’m not able to find the Word version, as you showed how to find it on the 390.  Maybe that’s because the 6800 has Office 2013, and is 64-bit?  I’m pretty sure that Office 2013 is 64-bit.

                I appreciate your help with this.  Chip

              • #110601 Reply
                PKCano
                Da Boss

                Chip,
                It is good to run Office 32-bit on a 64-bit machine. You will have fewer compatibility problems.

                To help you get the updates you need, try this MS website.

              • #110602 Reply
                Chip
                AskWoody Lounger

                Seff,

                I went for the 32-bit version of KB3141538 Security Update for Microsoft Office 2010 (32-bit Edition) and it installed promptly.  It also brought along 41 of its buddies, that hadn’t been installed since 9/8/2015.

                So, I’m thinking that Office 2010, on the 390, is now caught up. When I started handling the Windows Security Updates, I must have not focused on the separate updating for Office 2010.  Now I know.

                Thanks for your help.  Chip

                1 user thanked author for this post.
      • #110344 Reply
        Seff
        AskWoody Plus

        @ MrBrian In that case, Win 7/8.1 users should move to Group L , … L for Linux. … ( :

        Always assuming that Linux is absolutely safe – would anyone really claim that?

        1 user thanked author for this post.
      • #110359 Reply
        anonymous
        Guest

        FWIW, as one searches the Internet looking for reliable tests of firewall and various port penetrations, one observes that Mr. Steve Gibson, of GRC, is thought of, by some people, as a legend unto himself. There appears to be an especially bad small program called ‘Firewall Leakage Tester’ which is almost 12 years old, supplying you with false errors. Moral?… Investigate before blindly running tests mentioned, with links, in various help forums, blogs, fortune cookies, etc.

      • #110392 Reply
        MrBrian
        AskWoody_MVP

        DoublePulsar infections:

        “106,410 – 21/04/2017
        116,074 – 22/04/2017
        164,715 – 23/04/2017”

        2 users thanked author for this post.
        • #110498 Reply
          anonymous
          Guest

          is this an MS-related only problem?
          or are Mac, Android and Linux also affected?
          or are all computers that connect to the internet exposed on port 445?

          TIA

          back to fishing for better dreams

        • #110609 Reply
          MrBrian
          AskWoody_MVP

          “183,107 – 24/04/2017”

      • #110396 Reply
        MrBrian
        AskWoody_MVP

        Woody posted this link in updates to the post: From Over 36,000 Computers Infected with NSA’s DoublePulsar Malware:

        “Earlier this week, trying to assess the number of users vulnerable to the malware leaked last Friday, cyber-security firm Below0Day has performed an Internet-wide scan for Windows computers with open SMB ports (port 445).

        Their scan returned a number of 5,561,708 Windows computers with port 445 exposed to external connections.”

      • #110423 Reply
        ch100
        AskWoody_MVP

        Per my experience, an update to a later version (i.e., 1607 or 1703) WILL return Cortana and any default Apps you have removed. That’s one reason I wrote a re-tweaker script I can use to remove them all again.

        There is a method to preserve the settings during the upgrade which was posted by Susan Bradley on patchmanagement.org.
        It is a command line for setup.exe on the full ISO with a specific switch which I don’t remember now, instead of using Windows Update for doing the upgrade.

        • #110477 Reply
          Noel Carboni
          AskWoody_MVP

          Thanks for the tip. I did the upgrade via the ISO, but I wasn’t aware of a command line switch to have it be more apt to leave my settings and App choices alone. However, in my case I got what I wanted since I always test the Apps at each new release.

          -Noel

          • #110492 Reply
            ch100
            AskWoody_MVP

            Here it is
            http://marc.info/?l=patchmanagement&m=149218946129446&w=2

            1 user thanked author for this post.
            • #110529 Reply
              Noel Carboni
              AskWoody_MVP

              Thanks.

              Kind of makes you wonder, though… If an OOBE in-place upgrade can have its problems, would a SETUP.EXE /AUTO UPGRADE – which is presumably less intrusive still – be more apt to have problems?

              Time was I would never consider installing a whole new version of Windows as anything but a fresh, clean setup. That, of course, comes with baggage – having to set up EVERYTHING again. That wasn’t all bad, though, because when doing so you could re-evaluate your current working environment – you could choose to get new versions of some things, or change to better solutions for some things.

              Now… Not having to go through all that twice a year is worth taking a chance on the in-place upgrade. And even so it’s as though you never have time to finish the finer points of re-tweaking a given version by the time the next one comes out.

              I shall have to try a SETUP.EXE /AUTO UPGRADE. I still have snapshots from before the upgrade.

              -Noel

              2 users thanked author for this post.
              • #110612 Reply
                ch100
                AskWoody_MVP

                Maybe I should mention that I haven’t tested the switch.

      • #110425 Reply
        anonymous
        Guest

        I have Windows 10 Home Version 1607 (14393.1066 Build) with the last Security Update listed in Update history being Security Update for Windows 10 Version 1607 (KB4015217). I had tried to update to the Build 14393.953 back in March but WU kept failing to install KB4015438 so I decided to just disable WU for the time being to avoid getting untested updates in April, using Noel Carboni’s ConfigureAutomaticUpdates tool.

        Per Woody’s recent instructions to get my “build number up to snuff,” I just temporarily enabled WU to run WUSHOWHIDE but only driver updates for Intel, Realtek, Dell are listed – no cumulative updates. Please help provide a link to the correct KB needed to be installed and instructions how to do manually.

        Also of concern is that WU was still set at ‘disabled’ via the ConfigureAutomaticUpdates tool before I just enabled it today (4/23) but in checking the update history, not only was there an update done on 4/22 but there is also an Adobe Flash security update installed on 4/15. How is WU able to override these settings? Many thanks!—-DP

      • #110569 Reply
        AlexN
        AskWoody Lounger

        For those of us in Group W, which of these 3 do we need? As in, which ones are “Do, or likely die?”

        • KB 4012213 the Security-Only “Group B” patch, or
        • KB 4012216 the March Monthly Rollup “Group A” patch, or
        • KB 4015550 the April Monthly Rollup

        Fortran, C++, R, Python, Java, Matlab, HTML, CSS, etc.... coding is fun!
        A weatherman that can code

        • #110570 Reply
          Canadian Tech
          AskWoody_MVP

          I followed Woody’s advice KB4012212. I and my clients are basically W, with a few selected Security-Only updates and office updates, applied once they have aged well.

          Time to get off the Group W bench – at least for a few minutes

          CT

        • #110571 Reply
          PKCano
          Da Boss

          Win8.1
          You need at least the security patch
          KB4012213 March Security-only is the least deviation from W – It’s Group B
          Unless Woody or MrBrian says the April Security only KB4015547 is necessary.
          The two Rollups contain the non-security as well.

          1 user thanked author for this post.
          • #110573 Reply
            AlexN
            AskWoody Lounger

            Thanks PK Cano!

            I did that patch the other day, but with the updates to Woody’s post since then I was no longer certain.

            Fortran, C++, R, Python, Java, Matlab, HTML, CSS, etc.... coding is fun!
            A weatherman that can code

            • #110574 Reply
              PKCano
              Da Boss

              Woody is getting to change the DEFCON number.
              We should know more about the relevance of the April patches then.

        • #110607 Reply
          MrBrian
          AskWoody_MVP

          For the issue that is the subject of this topic, you need either the March 2017 security-only update, or any monthly rollup from March 2017 or later.
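
Added example, not from any post in this thread: the check a practitioner would run on a Windows 7 or 8.1 machine to confirm the state MrBrian describes, rather than trusting the Windows Update history. The KB list is the set named in this thread plus the Windows 7 April 2017 pair from the Microsoft Update Catalog (those two are not named in the thread); every later monthly rollup also carries the fix, so extend the list for machines patched after April 2017. The SMB1 registry value and the commented mitigation follow Microsoft's documented way of switching off the SMBv1 server on Windows 7 and 8.1.

```powershell
# Added example (not from the thread): is this Windows 7 / 8.1 machine covered
# against the SMBv1 flaw that EternalBlue uses (MS17-010)? Run elevated.

# Updates named in this thread that carry the fix, plus the Windows 7
# April 2017 pair from the Microsoft Update Catalog (not named in the thread).
# Every later monthly rollup also contains it: extend this list as needed.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',   # Win7 / 2008 R2: March security-only, March rollup
    'KB4012213', 'KB4012216',   # Win8.1 / 2012 R2: March security-only, March rollup
    'KB4015547', 'KB4015550',   # Win8.1 / 2012 R2: April security-only, April rollup
    'KB4015546', 'KB4015549'    # Win7 / 2008 R2: April security-only, April rollup
)

# 1. Is one of them installed?
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    'MS17-010 fix present: ' + (($installed | ForEach-Object { $_.HotFixID }) -join ', ')
} else {
    'WARNING: none of the listed MS17-010 updates is installed on this machine'
}

# 2. Is the SMBv1 server still enabled? A missing SMB1 value means "enabled".
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1 = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
if ($null -eq $smb1 -or $smb1 -ne 0) {
    'SMBv1 server: ENABLED (the vulnerable code path is reachable on TCP 445)'
} else {
    'SMBv1 server: disabled'
}

# 3. Is anything listening on TCP 445 at all? netstat works on every
#    Windows version here; Get-NetTCPConnection does not exist on Windows 7.
$listening = netstat -an | Select-String -Pattern '^\s*TCP\s+\S+:445\s+\S+\s+LISTENING'
if ($listening) {
    'TCP 445 is LISTENING. Confirm it is not reachable from the internet'
    '(GRC common ports test) and that the LAN side only holds machines you trust.'
} else {
    'TCP 445 is not listening'
}

# Mitigation if the patch cannot be applied yet (e.g. the servers that dropped
# off the network after KB4012216): turn the SMBv1 server off and reboot.
# Devices that only speak SMBv1 (old NAS boxes, printers) will stop connecting.
#   Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
```

The point of running all three checks together: a stealth result on the GRC test only says the internet cannot reach 445, while an unpatched machine with SMBv1 on is still exploitable by anything on the local network.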

      • #110615 Reply
        MrBrian
        AskWoody_MVP

        From https://twitter.com/GossiTheDog/status/856631418167971841:

        “DoublePulsar is purely a kernel level remote backdoor. It has no payload. You use it to own, then load payload later.”

      • #110624 Reply
        Pixie
        AskWoody Lounger

        In PK Cano’s post upstream #110219 he says we need to apply April 2017 patches to be safe, but Woody has not changed MS-DEFCON yet.  Are we supposed to apply April patches and ignore Woody’s DEFCON rating?  I have March 2017 patch applied.  I have Stealth rating when checking port 445.  Is there evidence that April patches are still causing issues?

        • #110628 Reply
          PKCano
          Da Boss

          That should be March patches. I have corrected it. Thanks.

      • #110655 Reply
        Pixie
        AskWoody Lounger

        Thanks PKCano!

      • #110663 Reply
        tbsky
        AskWoody Lounger

        hi:

        we have servers dropping off the network, like this: https://www.askwoody.com/forums/topic/ms17-006-kb4012216-kb4012215-kb1042204-and-servers-dropping-off-of-the-network/

        so we removed the patch. now what should we install to prevent the virus?

        thanks a lot for help!!


      • #111310 Reply
        anonymous
        Guest

        This is reply #110425 above, sent in my request for help 2 days ago: I’m still at Build 14393.1066 on Windows 10 Home Version 1607 and need help to patch up to Build 14393.953. I used Noel Carboni’s ConfigureAutomaticUpdates tool to enable WU and re-ran wushowhide tool to show hidden updates but no cumulative patches were made available. WU is back being disabled till I get much needed help. Much thanks!

        • #111313 Reply
          PKCano
          Da Boss

          This is reply #110425 above, sent in my request for help 2 days ago: I’m still at Build 14393.1066 on Window 10 Home Version 1607 and need help to patch up to Build 14393.953.

          Build 14393.1066 is dated 4/11/2017. It is the latest Build of 1607

          Build 14393.953 is dated 3/11/2017. Since it was released there have been two additional Builds – 14393.969 on 3/20 and Build 14393.970 on 3/22.

          You have the latest build. Did you want to roll back to an earlier build?

          • #111334 Reply
            anonymous
            Guest

            Thank you, PKCano, for the clarification and no, I don’t want to roll back to earlier build if this one is considered stable enough and that the computer is relatively safe from exploits mentioned in this post.

            However, I’m concerned that even though I had used Noel Carboni’s ConfigureAutomaticUpdates tool to set WU as “disabled”, somehow there are several updates installed after the computer had been restarted. Is there an alternative way I can double check that WU is really disabled (with Win10 Home, I can’t edit registry easily)?

            Many thanks for your guidance and to all who keep this site going!
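
Added example, not from the post: a way to read the real Windows Update state on Windows 10 without editing the registry, assumed to be run from an elevated PowerShell. It does not know what ConfigureAutomaticUpdates sets; it just reports the service, the standard AU policy values if any exist, the install history with dates, and the scheduled tasks that can start the service again.

```powershell
# Added example (not from the post): read the real Windows Update state on
# Windows 10 without touching the registry. Run from an elevated PowerShell.

# 1. The service: Status says whether it runs now, StartType whether it may start.
Get-Service -Name wuauserv | Select-Object Name, Status, StartType

# 2. Policy values a "disable updates" tool typically sets. No key at all
#    means Windows is using its default, fully automatic behaviour.
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
if (Test-Path $au) {
    Get-ItemProperty -Path $au | Select-Object NoAutoUpdate, AUOptions
} else {
    'No AU policy key present: default automatic updating'
}

# 3. What actually got installed, newest first, so that surprise installs
#    (like the Flash update in the post) show up with their date.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 10 HotFixID, Description, InstalledOn

# 4. Scheduled tasks in the WindowsUpdate folder can start wuauserv on their
#    own; a stopped service is not a disabled one while these are Ready.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\WindowsUpdate\' |
    Select-Object TaskName, State
```

Reading this is enough to tell whether "disabled" meant the service was merely stopped (and can be started by a task) or was actually set to Disabled.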

      • #111524 Reply
        anonymous
        Guest

        Help! Trying to patch a Windows 7 Group W laptop with KB 4012212 by downloading it directly using the link provided. However, I’m not able to install it because the KB 4012212 installer hangs when it checks for updates before installing, the same way my Windows Update hangs forever. I’m not able to install anything.

      • #110401 Reply
        anonymous
        Guest

        Reply to #110284. I have a question about ping. My Win7 Home Prem laptop has all the recent Security Only patches and all ports show as stealth on the grc.com common ports test. However, that site says that my computer is receiving pings.
        I looked into that, unchecked the one box that was checked in the Inbound rules for Echo ICMP, tried the test again, still failed. I looked further and created a block ping rule, still failed. I’m not hugely technical, and this is at my boundary, it appears.
        I don’t know anything about router settings or where to find those. My understanding from my reading is that the Windows Firewall settings should block ping even if the router is letting it through. (It’s a Qwest wireless modem/router. I have no idea where I would find settings for it.) Just seeing if any of you knowledgeable folks have any suggestions. Thanks 🙂
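
Added example, not from the post: the first thing to settle is who answers the ping. ShieldsUP sends its echo request to the public address; behind a home NAT router that address belongs to the router, so the router replies and the Windows Firewall never sees the probe, whatever its rules say. The script below shows which case applies, lists the inbound ICMPv4 rules as Windows Firewall sees them, and adds an explicit block rule for echo requests. It uses the HNetCfg.FwPolicy2 COM interface and netsh, both present on Windows 7; the rule name is mine.

```powershell
# Added example (not from the post): who answers an internet ping, and what
# Windows Firewall itself would do with an inbound ICMPv4 echo request.
# Windows 7 or later, elevated PowerShell.

# 1. Does this PC even hold the public address? If every IPv4 address is
#    private (RFC 1918), a NAT router sits in front of it and the router,
#    not Windows, replies to the ShieldsUP ping. Fix it in the router's
#    firewall settings in that case.
$addrs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
    ForEach-Object { $_.IPAddress } |
    Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }
foreach ($a in $addrs) {
    if ($a -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)') {
        "$a is private: the router answers internet pings, Windows Firewall never sees them"
    } else {
        "$a is public: the Windows Firewall rules below decide"
    }
}

# 2. Inbound ICMPv4 rules as Windows Firewall sees them (COM interface present
#    since Vista). Direction 1 = inbound, Protocol 1 = ICMPv4, Action 1 = allow.
$fw = New-Object -ComObject 'HNetCfg.FwPolicy2'
$fw.Rules |
    Where-Object { $_.Direction -eq 1 -and $_.Protocol -eq 1 } |
    Select-Object Name, Enabled,
        @{ n = 'Action'; e = { if ($_.Action -eq 1) { 'Allow' } else { 'Block' } } },
        IcmpTypesAndCodes, Profiles |
    Format-Table -AutoSize

# 3. An explicit block for echo request (type 8, any code). In Windows Firewall
#    a block rule wins over an allow rule, so this holds even if some program
#    re-enables "File and Printer Sharing (Echo Request - ICMPv4-In)".
netsh advfirewall firewall add rule name="Block inbound ICMPv4 echo (example)" `
    dir=in action=block protocol=icmpv4:8,any
```

If step 1 reports only private addresses, step 3 changes nothing about the ShieldsUP result; the router's own stealth or firewall setting is the place to fix it.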

      • #110486 Reply
        Kirsty
        Da Boss

        I found an article, published in ITWorld, PCWorld, ComputerWorld and others, saying false positives were not found.
        Now There’s a Tool to Test for NSA Spyware

        1 user thanked author for this post.
      • #110501 Reply
        anonymous
        Guest

        Do a search online for your router and the internet address you need to type, (if that doesn’t show up, ring tech support at your ISP, no need for them to have remote access, they can just give you the address). Go to that address, and access your dashboard, (admin settings).You need to change, (if your router will allow it), the admin password, and your (default) password. (Important). Make it a complex password, but one that you can remember/store and type out again. Not words from a dictionary, increases “entropy”, ie, a longish nonsense word and maybe a number will do fine. Check if you can update firmware. After you have updated firmware, if it doesn’t do that automatically, (it will say so in settings), save settings, log out and then go back to the internet address again. (Some routers, not all, will lose password in a firmware update, just do this to check it is ok). (Then log out again, and relax).

        Some advocate changing this (password/s) now and then. Up to you, if it is a good password and not the defaults. Maybe check 2 times a year that it is all ok.

        It seems that MS is now no longer able to support printers on networks??? (joke).

      • #110611 Reply
        anonymous
        Guest

        ? says:

        look up your CL DSL modem and apply the “IPV4 firewall stealth mode.” It fixed the ShieldsUP ICMP Echo Request hole for me.

        eg: for c1000z

        http://internethelp.centurylink.com/internethelp/modem-c1000z-adv-firewall-stealth-mode.html

        or for c2100t

        http://internethelp.centurylink.com/internethelp/modem-c2100t-adv-firewall.html
