Woody Leonhard's no-bull news, tips and help for Windows, Office and more…
  • Anti-Ransomware Software Overview Update

    Posted on May 23rd, 2017 at 16:28 by Kirsty

    Martin Brinkmann has updated the ghacks.net Security overview, to 23 May 2017.

    “There are two types of Anti-Ransomware software programs: those that protect the system in real-time against incoming threats, and those that disinfect the system after a successful ransomware attack.”

    As well as reviewing named programs that act to prevent ransomware, a handy table compares the various paid and free software options.

    Decryption is also discussed, should you have the misfortune of failing to prevent an infection.

    Martin’s advice is worth repeating here:

    “As far as prevention is concerned, there is more that users can do, for instance making sure they run up to date security software, do back ups of important data and keep the backups detached from the system, or use common sense.”

    Take a look at Martin’s full article here.

  • The “new” XP patch KB 982316 is a dud, but the new MSRT is for real

    Posted on May 23rd, 2017 at 06:12 by woody

    Yesterday, I wrote about the mysterious “new” Windows XP patch KB 982316. There’s speculation all over the web that Microsoft is now patching Windows XP again.


    @abbodi86 dug in and confirmed:

    The digital signature of the downloaded file indicates that it’s still the same old one, “Monday, June 14, 2010”. So this is just a review/renew of the download page for some reason.

    On the other hand, the new Malicious Software Removal Tool, KB 890830, is very real. An anonymous poster notes that it’s marked “Important” in Windows 7. The Windows Update list says that the program has changed, and the metadata has changed. @ch100 theorizes that it’s a WannaCry detector, which is confirmed in the Technet post Customer Guidance for WannaCrypt attacks:

    Update 5/22/2017: Today, we released an update to the Microsoft Malicious Software Removal Tool (MSRT) to detect and remove WannaCrypt malware. For customers that run Windows Update, the tool will detect and remove WannaCrypt and other prevalent malware infections. Customers can also manually download and run the tool by following the guidance here. The MSRT tool runs on all supported Windows machines where automatic updates are enabled, including those that aren’t running other Microsoft security products.

    As I’ve said many times over the past week, WannaCrypt only attacks Windows 7. No matter which version of Windows you have, you’d be well advised to run the new MSRT and see if it picks up any vestiges.

    (Historical note: Microsoft’s sticking to the “WannaCrypt” name while most of the popular press has moved to “WannaCry.” I switched from WannaCrypt to WannaCry, too, in response to an edit. The worm calls itself “Wana Decrypt0r” with a zero. Malware researchers pick their own names, and there’s no central authority assigning names to specific infections. It’s all about branding, folks — I guess “WannaCry” sounds more compelling.)

  • What’s up with the “new” XP patch KB 982316?

    Posted on May 22nd, 2017 at 13:37 by woody

    I don’t know what to make of it.

    I’m seeing reports all over the internet that Microsoft has released a new Windows XP patch, KB982316.

    Yes, Windows XP.

    There’s a download link that’s dated May 19, 2017 — last Friday.

    But there’s no Microsoft Update Catalog listing.

    The KB article says it was last reviewed on June 10, 2011:

    This update implements a defense-in-depth change that some customers may decide to deploy. This update changes the Access Control Lists (ACLs) for the following registry entry:


    By default, Network Service (NS) users explicitly have full permission to this registry entry. After you install this update, NS users will have Read-Only access to this registry entry. The update will apply the same ACLs to all subkeys of the registry entry.

    The KB article points to Security Advisory 2264072, Elevation of Privilege Using Windows Service Isolation Bypass, but that article’s dated Aug. 10, 2010. Version 1.0.

    Is this another supersedence screw-up? (We’ve seen many, lately.) Is it related to the Shadow Brokers trove?

    And, if it’s really a new patch – not some phantom resurrected erroneously — is Microsoft going to patch XP for NSA-derived exploits?

  • We’re now taking Bitcoins

    Posted on May 22nd, 2017 at 06:09 by woody

    I’m finally being dragged into the 21st century…

    Along with the other donation options — Patreon, PayPal, shopping with Amazon, check or cash, all explained in the top right corner of this page — we’re also taking Bitcoin donations:


    Our income’s still meager, but it’s enough to keep the lights on. Thanks to all of you, especially our donors.

  • MS-DEFCON 3: Get patched and brace yourself for a Malware-as-a-Service future

    Posted on May 21st, 2017 at 18:15 by woody

    The times are a-changin’.

    Last October, Microsoft started lumping together all of its Windows 7 and 8.1 patches. Before October, we had separate patches — separate KBs — for individual security holes, and for non-security improvements. After October’s patchocalypse, we were given two big monthly globs. You could choose to have all of your patches in one fell swoop — a choice I call “Group A” with Monthly Rollups — or you could take just the security patches, in a different fell swoop — “Group B” in my parlance, with Security-Only updates.

    There have been a few changes since then — Internet Explorer patches got pulled out, for example — and a lot of confusion over, e.g., .NET Security-only and Monthly Rollups, but by and large, the Windows 7 and 8.1 patching world a month ago was divided into three parts:

    • Group A – automated installation of Monthly Rollups
    • Group B – manual installation of specific Security-Only patches
    • Group W – folks who sat on the bench and didn’t patch at all.

    That neat (if controversial and not really so neat) version of the world changed forever when, earlier this month, Shadow Brokers not only released the NSA’s trove which gave rise to the WannaCry worm, it also set up an auction for the “Shadow Brokers Monthly Data Dump” — what I’ve called Malware as a Service. You can bet that there are some very nasty malware surprises coming, all lovingly crafted by the US National Security Agency, stolen, then spread by Shadow Brokers.

    In the not-so-good-old-days, supercharged Windows hacks were tools for expensive, targeted, usually politically motivated attacks. In the near future, that will no longer be the case. With the Shadow Brokers Monthly Data Dump comes democratization of the malware industry. Anybody, it seems, can strap their favorite piece of junk malware onto one of these souped-up infection methods and start attacking normal folks.

    Group W — R.I.P.

    With Shadow Brokers guaranteeing that major Windows vulnerabilities are coming every month, Group W is just plain dangerous. It’s not an option. Sorry.

    Group B — Only for experts with a high tolerance for pain

    Group B, which is based on Microsoft’s commitment to deliver Security-only updates every month, has gone from relatively simple to very complex. Officially, Internet Explorer patches have been broken off from the main download. There’s all sorts of confusion about .NET patches — which are Security-only, which Rollups? We’ve seen security patches released outside the monthly Security-only stream. There have been bugs in Security-only patches that were fixed outside of the Security-only stream. There’s a host of problems documented in this Topic.

    Group B isn’t dead, but it’s no longer within the grasp of typical Windows customers. Many of you reading this post are fully capable of sticking with Group B. Most Windows customers are not.

    Pick up the Pace

    In the past I’ve waited several weeks to see if any big bugs appear before recommending that you install available patches. In the future, I need to pick up the pace. That means I may throw some of you under the bus, changing the MS-DEFCON level with some possible problems intact, and for that I apologize. Given the expected upswing in Windows-targeted malware, though, there doesn’t seem to be much choice.

    That said, it’s now time to apply the May 2017 updates. Here’s what I recommend:

    Windows 10

    It’s still too early to jump to Win10 Creators Update, version 1703. Wait for it to be designated “Current Branch for Business.” You can block the upgrade with a few simple steps, detailed in this InfoWorld post.

    Go ahead and run the steps in AKB 2000005: How to update Windows 10 – safely. You may want to use wushowhide to hide any driver updates. All of the other updates should be OK, including Servicing stack updates, Office, MSRT, or .Net updates (go ahead and use the Monthly Rollup if it’s offered).

    Windows 7 and 8.1

    If you’re running Windows 7 or 8.1 on a PC made in the past 18 months, check to see if installing this month’s Windows patches will completely block Windows Update. See AKB 2000006: Check to see if Microsoft is blocking Windows Update on your new computer. In particular, if you try to run updates and get an “Unsupported hardware” notification (screenshot), Microsoft won’t willingly let you update your machine. See the AKB 2000006 article for a workaround.

    If you absolutely must avoid Microsoft snooping at all costs, go ahead with the instructions in AKB 2000003: Ongoing list of “Group B” monthly updates for Win7 and 8.1, but realize that thar be tygers here. Be particularly sure to install the March Security-Only update; that’s the one with the patches to the SMBv1 driver that’ll block WannaCry and its ilk.

    For most Windows 7 and 8.1 users, I recommend following AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups. Watch out for driver updates — you’re far better off getting them from the manufacturer’s web site.

    After you’ve installed the latest Monthly Rollup, if you’re intent on minimizing Microsoft’s snooping, run through the steps in AKB 2000007: Turning off the worst Win7 and 8.1 snooping. Realize that we don’t know what information Microsoft collects on Win7 and 8.1 machines.

    Good luck patching. Keep your eyes peeled for bugs — and be sure to update when next month rolls around.

  • Windows 10 Anniversary Update OK?

    Posted on May 21st, 2017 at 15:42 by woody

    Just got this from reader NP:

    I have been following your articles about issues with Windows 10. Would you say at this point, it is safe to update, or should we still wait? I am concerned about not having the latest patches because of the WannaCry ransomware.

    It’s safe to upgrade to Windows 10 Anniversary Update, version 1607


    It’s too early to upgrade to Windows 10 Creators Update, version 1703


    This is the part that gets me. WannaCry only infects Windows 7 machines. Period. (And Server 2008R2, which is basically Windows 7.)

    WannaCry does NOT infect Windows XP. I’ve been saying that since my first report a week ago. In spite of what you’ve read, WannaCry does not infect WinXP.

    WannaCry does NOT infect Windows 8.1.

    WannaCry does NOT infect Windows 10. Any version. That tiny blip on the Kaspersky chart is no doubt due to mis-reporting, or the possibility that people were running infected WinXP machines in a Virtual Machine on Windows 10. I don’t know of any other way there could be any occurrences.

    That said, you need to make sure your Windows computer is fully protected against WannaCry – every version, from XP to Win10. The problem isn’t WannaCry itself. The problem’s all the other malware that’s likely to follow in its footsteps.

  • Google Chrome Browser Vulnerability – check your “where to save file” settings

    Posted on May 20th, 2017 at 19:16 by Kirsty

    Last week, a new topic about a vulnerability in the Google Chrome browser was posted over on Code Red – security advisories.

    From Catalin Cimpanu, on bleepingcomputer.com:

    Just by accessing a folder containing a malicious SCF file, a user will unwittingly share his computer’s login credentials with an attacker via Google Chrome and the SMB protocol.

    Users can do this by visiting:
    Settings -> Show advanced settings -> Ask where to save each file before downloading

    More advanced protection measures include blocking outbound SMB requests via firewalls, so local computers can’t query remote SMB servers.

    Bosko Stankovic, on defense.com said:

    With its default configuration, Chrome browser will automatically download files that it deems safe without prompting the user for a download location but instead using the preset one. From a security standpoint, this feature is not an ideal behavior

    In order to disable automatic downloads in Google Chrome, the following changes should be made: Settings -> Show advanced settings -> Check the Ask where to save each file before downloading option. Manually approving each download attempt significantly decreases the risk of NTLMv2 credential theft attacks using SCF files.

    scmagazine.com also covered this issue in Greg Masters’ article, Google Chrome Flaw Could Allow Windows Credential Theft; see today’s post on it.

    Now would be a good time to check that your browser is set to ask where to save downloads, even if you use another brand.
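    The firewall mitigation mentioned above (blocking outbound SMB so a workstation cannot be coaxed into authenticating to a remote SMB server) can be applied with the built-in Windows firewall. This is an added example, not code from the AskWoody post or from the researchers quoted; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (NetSecurity module), and the rule name is my own choice.

```powershell
# Added example: block outbound SMB (TCP 445 direct, TCP 139 over NetBIOS) from
# this machine to hosts outside the local subnets, so a UNC path or SCF icon
# reference pointing at an internet host is refused, while LAN file shares
# keep working. Rule name is a placeholder chosen for this example.
$ruleName = 'Example-Block-Outbound-SMB-Internet'

function Add-OutboundSmbBlockRule {
    # Remove any earlier copy so the script can be re-run safely
    Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    # 'Internet' is the firewall's built-in address keyword for everything that
    # is not on a local subnet; 'Profile Any' applies on domain, private, public
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Protocol TCP -RemotePort 445,139 `
        -RemoteAddress Internet -Action Block -Profile Any -Enabled True |
        Out-Null
}

function Test-OutboundSmbBlocked {
    # Returns $true when some enabled outbound Block rule covers TCP 445 to
    # the Internet address keyword (our rule or an equivalent from group policy)
    $rules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True
    foreach ($r in $rules) {
        $portFilter = $r | Get-NetFirewallPortFilter
        $addrFilter = $r | Get-NetFirewallAddressFilter
        if ($portFilter.Protocol -eq 'TCP' -and
            ($portFilter.RemotePort -contains '445') -and
            ($addrFilter.RemoteAddress -contains 'Internet')) {
            return $true
        }
    }
    return $false
}

Add-OutboundSmbBlockRule
if (Test-OutboundSmbBlocked) { 'Outbound SMB to the internet is blocked.' }
else { 'No blocking rule found; check firewall service and privileges.' }
```

    The rule does not cover SMB servers on your own LAN, so the Chrome "ask where to save each file" setting above is still worth enabling; perimeter firewalls should block TCP 445/139 egress as well, since a host-based rule can be undone by anyone with local admin rights.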

  • EternalRocks SMB Worm Uses Seven NSA Hacking Tools

    Posted on May 20th, 2017 at 15:57 by woody

    @MrBrian and @Kirsty just raised the alarm in the Code Red forum.

    From https://www.bleepingcomputer.com/news/security/new-smb-worm-uses-seven-nsa-hacking-tools-wannacry-used-just-two/:

    Researchers have detected a new worm that is spreading via SMB, but unlike the worm component of the WannaCry ransomware, this one is using seven NSA tools instead of two.

    The worm’s existence first came to light on Wednesday, after it infected the SMB honeypot of Miroslav Stampar, member of the Croatian Government CERT, and creator of the sqlmap tool used for detecting and exploiting SQL injection flaws.

    It’s happening.