In this issue

PATCH WATCH: Threats to businesses
FROM THE FORUMS: Intel’s troubles

Additional articles in the PLUS issue

PUBLIC DEFENDER: Crypto rip-offs are truly horrifying
MICROSOFT 365: Can Office and Windows play nice on ARM computers?
NETWORKING: Home-networking primer, part 2

PATCH WATCH
Threats to businesses
By Susan Bradley

This month’s updates include fewer vulnerabilities than normal. What is not normal is that some of the bugs have already been exploited. I’m not changing my stance about it being wise to wait to see whether there are side effects, but I will review that decision should the need arise. For now, review this special alert. There are six bugs under active attack.

For consumers:
For businesses:
MS-DEFCON 3
This past Friday, I published an unusual alert — lowering the MS-DEFCON level to 3, but much earlier in the month than the level is usually lowered. This was due to the unexpected disclosure of a Windows TCP/IP Remote Code Execution Vulnerability (CVE-2024-38063). See MS-DEFCON 3: Blocking a potential wormable event (2024-08-16). The gist of the alert is that the danger associated with this vulnerability is high and the August updates, including a fix for this bug, are benign. I consider updating now prudent. Friday’s alert makes several suggestions, with details.
The MS-DEFCON 3 alert is available to anyone and is recommended reading. Note that the precise way you handle the update depends upon your specific situation.

Be careful when you click
Microsoft has several bugs this month that are best referred to as “fixing clicking on bad things.” In the early days after Patch Tuesday, when I’m urging you to hold back while I review the updates, your best protection is yourself. Up your paranoia level.

It’s very common at my office to receive alerts about potentially dangerous emails that include phishing links. But I get those alerts after a user has already received the email. The spam system kicks in and removes the malicious email from the system — but again, the user may have already seen the email. That’s why I’m so glad my users have adopted a certain degree of paranoia and do not click through blindly. Even that does not take into account emails that try to make a user set up a malicious ACH transfer. My users are alert to those kinds of scams, too. Naturally, the paranoia must be backed up by good antivirus solutions for consumers and good endpoint protection software for businesses.

Updates include a patch to fix a longstanding issue called “Mark of the Web” (CVE-2024-38213), whereby attackers could trick sites into not launching Microsoft SmartScreen. For those not familiar, SmartScreen is a “cloud-based anti-phishing and anti-malware component included in several Microsoft products,” including all versions of Windows back to 8, Edge, Microsoft 365, and Microsoft Bing. This is one of nine zero days — six being used in attacks — that are being patched.

Even though Windows 11 24H2 is not out yet, we are already seeing updates for fixing security issues unique to systems that have been shipped starting mid-June and that included 24H2 components. One such component is the “snapshot feature” called Microsoft Recall. Strangely, I haven’t heard much about Recall lately. Hopefully, Microsoft is hard at work to ensure that security is included every step of the way. Better yet, maybe Redmond is starting over.

Patching recommendations for consumers
I still don’t have any good news for users of Office 2019 retail, some of whom are having problems getting their machines updated. I’ll be closely monitoring this issue and will provide workarounds if needed. So far, the only resolution Microsoft is pointing to is an uninstall or a repair install. Meanwhile, it’s still occurring with the August updates. Ugh! Stay tuned!

I do want you to ensure any browser you use is patched and up to date. In addition, if you are a fan of the uBlock Origin extension and use Chrome, you’ll need to plan ahead and move to a different tool. Chrome is blocking tools that use Manifest V2 in favor of Manifest V3. Note that if you use uBlock Origin on Firefox, you will not be impacted. Alternatively, you can move over to uBlock Origin Lite (the Mv3-compatible baby sibling), also available from the Chrome Web Store.

CVE-2024-38173 describes an Outlook vulnerability whereby the preview pane is an attack vector. But due to the fact that specific actions must be taken in order for this vulnerability to be triggered, and that the attacker must gain access to your login credentials in order to install a malicious form into your Outlook, I’m not concerned that we’re having issues getting these Office versions patched. This is a highly complex attack sequence and won’t be seen in a consumer setting.

Even with all these zero days, I’m still not ready to scream “Everyone patch now!” at the top of my lungs. Many of these zero days are targeted for businesses — not consumers — and with proper “click” hygiene procedures where you look, inspect, and click only when necessary on links, I feel confident with my advice at this time.

Patching recommendations for businesses
For those that have machines in a hosting situation, Windows TCP/IP Remote Code Execution Vulnerability (CVE-2024-38063) is one to keep an eye on. An unauthenticated attacker could repeatedly send specially crafted IPv6 packets to a Windows machine and trigger remote code execution. Note that if you do not have or use IPv6, you are not at risk.

Do you patch RD gateway servers?
Do you have clients that use Remote Desktop Gateway (RDG) technologies to remote into their network? To ensure that last month’s known issue with RDG won’t impact your client base, review the settings below. It primarily impacts folks using older RDP technologies. Last month’s MS-DEFCON 3 alert contained a workaround that you can use to proactively ensure you won’t have issues. In my own network, where I have some connections set up with Remote Desktop Gateway over only port 443, not port 80, I did not use the workaround and had no issues after the July updates were installed.

Here’s the key piece of information from the alert:

For the latter, Microsoft issued the following warning in a Health release bulletin mailed to Microsoft 365 administrators:

Windows Servers which have installed Windows security updates released July 9, 2024 and later, might affect Remote Desktop Connectivity across an organization if legacy protocol (Remote Procedure Call over HTTP) is used in Remote Desktop Gateway. This can affect Remote Desktop (RD) Connectivity if the connection is going through an RD Gateway. Resulting from this, remote desktop connections might be interrupted. This issue might occur intermittently, such as repeating every 30 minutes. At this interval, logon sessions are lost and users will need to reconnect to the server. IT admins can track this as a termination of the TSGateway service which becomes unresponsive with exception code 0xc0000005.

Two options can be used to mitigate this issue ahead of a future Microsoft update. The first is to disallow connections over pipe, and port \pipe\RpcProxy\3388 through the RD Gateway. This process will require the use of connection applications, such as firewall software. Consult the documentation for your connection as well as for firewall software for guidance on disallowing and porting connections. The second is to edit the registry of client devices by removing a key.
This was posted to a Windows Health Dashboard on the Microsoft 365 Administrator site and has not been fixed with the August updates.

Resources
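The following PowerShell is an added example for this issue, not code from the article, from AskWoody or from Microsoft. It gathers, read-only, the facts a business admin would want before deciding how to act on three items above: whether a downloaded file actually carries the Mark of the Web that SmartScreen depends on (the CVE-2024-38213 discussion), whether any adapter still has IPv6 bound (the “no IPv6, no risk” rule for CVE-2024-38063), and whether an RD Gateway host is showing the TSGateway crash signature (exception code 0xc0000005) from Microsoft’s health note. Assumptions of mine, not from the page: the event-message regexes, the constructed sample file written to your TEMP folder, and the KB number, which is a placeholder because the article does not list one. Run in an elevated session on the Windows host being checked; all cmdlets used are built into Windows.

```powershell
# Added example (not from the AskWoody article or Microsoft). Read-only
# Patch Tuesday triage checks. Assumptions are marked inline.

# --- 1. Mark of the Web ----------------------------------------------------
# SmartScreen keys off the Zone.Identifier alternate data stream that browsers
# write to downloads. Read it back so you can confirm a file carries the mark
# instead of assuming SmartScreen saw it. Requires an NTFS volume.
function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    $lines = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    $info = [ordered]@{ Path = $Path; HasMotW = [bool]$lines; ZoneId = $null; Zone = 'none'; ReferrerUrl = $null; HostUrl = $null }
    foreach ($line in $lines) {
        if ($line -match '^(ZoneId|ReferrerUrl|HostUrl)=(.*)$') { $info[$Matches[1]] = $Matches[2].Trim() }
    }
    # URLZONE values: 0 local machine, 1 intranet, 2 trusted, 3 internet, 4 restricted
    $names = @{ '0' = 'LocalMachine'; '1' = 'Intranet'; '2' = 'Trusted'; '3' = 'Internet'; '4' = 'Restricted' }
    if ($info.ZoneId -and $names.ContainsKey($info.ZoneId)) { $info.Zone = $names[$info.ZoneId] }
    [pscustomobject]$info
}

# --- 2. CVE-2024-38063 exposure --------------------------------------------
# The flaw is in the IPv6 stack, so the first question is which adapters still
# have IPv6 bound. An empty result means the host is not reachable over IPv6.
function Get-IPv6BoundAdapters {
    Get-NetAdapterBinding -ComponentID 'ms_tcpip6' | Where-Object Enabled | Select-Object Name, DisplayName, Enabled
}

# Patch state. The article does not list KB numbers; take the one for your OS
# from the MS-DEFCON 3 alert. 'KB<placeholder>' below is not a real ID.
function Test-HotFixInstalled {
    param([Parameter(Mandatory)][string]$KB)
    [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

# --- 3. RD Gateway known issue (July 2024 updates onward) --------------------
# Microsoft's note: TSGateway becomes unresponsive and terminates with exception
# code 0xc0000005, repeating about every 30 minutes, when RPC over HTTP is used.
# Look for the process crash (Application Error 1000) and the service
# termination (Service Control Manager 7031/7034) within the last N days.
function Get-TsGatewayCrashEvents {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    # Assumption: the 1000 event text carries "Exception code: 0xc0000005". This
    # matches any crashing process; read the "Faulting application" line to confirm.
    $crash = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '0xc0000005' }
    # Assumption: the SCM event names the service by display name or short name.
    $scm = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7031, 7034; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Remote Desktop Gateway|TSGateway' }
    $events = @()
    if ($crash) { $events += @($crash) }
    if ($scm)   { $events += @($scm) }
    $events | Sort-Object TimeCreated | Select-Object TimeCreated, Id, ProviderName, Message
}

# Service state plus which of 80/443 the host is listening on. The article notes
# gateways set up for 443 only rode out the July updates; a listener on 80 is
# not necessarily RDG (IIS may own it), so treat it as a prompt to check.
function Get-TsGatewayStatus {
    $svc = Get-Service -Name 'TSGateway' -ErrorAction SilentlyContinue
    $status = if ($svc) { $svc.Status.ToString() } else { 'not installed' }
    $listen = Get-NetTCPConnection -State Listen -LocalPort 80, 443 -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty LocalPort -Unique
    if ($null -eq $listen) { $listen = @() }
    [pscustomobject]@{ ServicePresent = [bool]$svc; ServiceStatus = $status; ListeningPorts = @($listen) }
}

# --- Run ---------------------------------------------------------------------
# Constructed sample: a file with a Zone.Identifier stream written the way a
# browser writes it for an Internet-zone download.
$sample = Join-Path $env:TEMP 'motw-demo.txt'
Set-Content -LiteralPath $sample -Value 'demo'
Set-Content -LiteralPath $sample -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3`r`nHostUrl=https://example.invalid/demo.txt"
Get-MarkOfTheWeb -Path $sample | Format-List          # expect HasMotW True, Zone Internet
Remove-Item -LiteralPath $sample -ErrorAction SilentlyContinue

Get-IPv6BoundAdapters | Format-Table -AutoSize
"August update installed: $(Test-HotFixInstalled -KB 'KB<placeholder>')"
Get-TsGatewayStatus | Format-List
Get-TsGatewayCrashEvents -Days 30 | Format-Table -AutoSize -Wrap
```

On a client that is not an RD Gateway, the last two calls simply report the service as not installed and return no events. The script changes nothing; the firewall and client-registry workarounds from the health note are deliberately left out because the article does not spell out the exact rule or key, and those belong in a change you make knowingly after reading Microsoft’s guidance.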
Susan Bradley is the publisher of the AskWoody newsletters.

FROM THE FORUMS
Intel’s troubles
Will Fastie’s article last week, of the same name, drew quite a few readers to its forum. Contributors homed in on the manufacturing-quality problem with 13th- and 14th-generation Intel processors. In addition to the forum posts, Will received a fair number of emails on the topic.

As mentioned in the article, Intel has not been transparent about the chip problems, adjusting its story and response several times. It is thus important to follow this matter because these two generations of chips make up the bulk of current PC sales.

In addition to the reference sources in the article, you can follow Intel directly. Two investor events are scheduled soon. Intel’s press release announcing those said this:

On Aug. 29 at 8 a.m. PDT, Pat Gelsinger, Intel CEO, will participate in a fireside chat on Intel’s business and corporate strategy at Deutsche Bank’s 2024 Technology Conference.

On Sept. 4 at 11:10 a.m. PDT, David Zinsner, executive vice president and chief financial officer, will participate in a fireside chat on Intel’s business and financial strategy at the Citi Global Technology Conference.

It is not clear whether these events will be webcasts. If so, they should become available at the Investor Relations site. If you learn anything, come back to our forum and keep us all updated.
The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.
Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, AskWoody.com, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody Tech LLC. All other marks are the trademarks or service marks of their respective owners. Copyright ©2024 AskWoody Tech LLC. All rights reserved.