Woody Leonhard's no-bull news, tips and help for Windows, Office and more… Please disable your ad blocker – our (polite!) ads help keep AskWoody going!
Home icon Home icon Home icon Email icon RSS icon
  • What every Windows customer should know about last week’s deluge of malware

    Posted on April 17th, 2017 at 13:41 woody Comment on the AskWoody Lounge

    It’s been a crazy week. Last Monday we learned about the Word zero-day that uses a booby-trapped Word DOC attached to an email message to infect machines. Then, on Friday, came the deluge of exploits collectively identified with their leaker, Shadow Brokers, which appear to originate with the US National Security Agency.

    In both cases, many of us thought the sky was falling on Windows users — the exploits touch all versions of Windows, all versions of Office. Now we have more insight and the situation isn’t as bad as was first thought. Here’s what you need to know.

    Word zero-day

    As I explained last Monday, the Word zero-day takes over your PC when you open an infected Word document attached to an email. The attack takes place from inside Word, so it doesn’t matter which email program you’re using, or even which version of Windows.

    In a twist I’ve never seen before, subsequent research into the exploit revealed that it was first used by suspected nation-state attackers, but was then incorporated into garden-variety malware. Zach Whittaker on ZDNet and Dan Goodin on Ars Technica report that the exploit was originally used in January to hack Russian targets — but the same code snippet turned up in a Dridex banking malware email campaign from last week. Exploits aimed at the spooky set rarely get unleashed on the world at large, but this one is a big exception.

    In theory, in order to block the exploit’s path, you have to apply both the appropriate April Office security patch and either the Windows 7 or 8.1 April Monthly Rollup or the April Security-only patch, or the Windows 10 April cumulative update. That’s a big problem for a lot of folks because the April patches — 210 security patches, 644 in all — are causing all sorts of mayhem.

    Be of good cheer. I’m seeing verification from all over the web — including our own AskWoody Lounge — that you can avoid infection by sticking with Word’s Protected View Mode (in Word, click File > Options > Trust Center > Trust Center Settings and check Protected View). Protected View Mode is enabled by default in Word 2010 and later, but Word 2007 and earlier don’t have Protected View. (Thanks to anonymous tipster.) See screenshot.

    If you click “Enable Editing,” the malware fires automatically — you don’t need to do anything more. If you open an attached DOC from Gmail, it’s harmless, unless you download the file, then open the DOC in Word and then click Enable Editing.

    Moral of the story: Use Gmail. Failing that, don’t click Enable Editing. If you have to edit the file, and don’t want to use Google Docs, move it over to OneDrive and use Word Online. Details in this How-To Geek article by Chris Hoffman.

    Shadow Brokers last gasp

    The Shadow Brokers hacks originally appeared to harbor all sorts of zero-days across all versions of Windows, but as last weekend wore on, we found that wasn’t even close to the truth. Security researcher Efrain Torres kindly provided the information in the screenshot to show that the currently supported versions of Windows are (nearly) immune.

    (click to enlarge)

    To paraphrase, the MS17-010 patch released last month fixes all of the exploits in Windows Vista and later. NT and XP users can kiss their bits goodbye.

    Late Friday night, Microsoft offered the following analysis:

    Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products. Below is a list of exploits that are confirmed as already addressed by an update. We encourage customers to ensure their computers are up-to-date.

    Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk. Customers still running prior versions of these products are encouraged to upgrade to a supported offering.

    (It appears as if “Eskimo Roll” is mis-spelled.)

    There’s a lot of speculation online that the NSA, in fact, fed Microsoft a list of security holes well in advance of last Friday’s Shadow Brokers disclosure — early enough for Microsoft to fix the SMB-related problems last month, in the March Patch Tuesday batch. The known timing certainly supports that theory, or a variation on it: As Dan Goodin reported in January, Shadow Brokers started dropping hacking tools after they failed to sell their cache for 10,000 bitcoins (currently worth US$12 million).

    The follow-up offer for the remaining exploits at 750 BTC fell on deaf ears. Did the NSA figure out what was still in the unreported cache and slip the info to Microsoft? Did Microsoft buy the remaining cache? Did Shadow Brokers turn gray hat and beam advance warning to Microsoft? Was an early peek at all the troubles the main reason we didn’t see patches in February? There are lots of possible explanations, but I doubt that we’ll ever know for sure.

    Bottom line: If you have last month’s MS17-010 installed, you’re fine. According to the KB 4013389 article, that includes any of these KB numbers:

    • 4012598 MS17-010: Description of the security update for Windows SMB Server: March 14, 2017
    • 4012216 March 2017 Security Monthly Quality Rollup for Windows 8.1 and Windows Server 2012 R2
    • 4012213 March 2017 Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2
    • 4012217 March 2017 Security Monthly Quality Rollup for Windows Server 2012
    • 4012214 March 2017 Security Only Quality Update for Windows Server 2012
    • 4012215 March 2017 Security Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1
    • 4012212 March 2017 Security Only Quality Update for Windows 7 SP1 and Windows Server 2008 R2 SP1
    • 4013429 March 13, 2017—KB4013429 (OS Build 933)
    • 4012606 March 14, 2017—KB4012606 (OS Build 17312)
    • 4013198 March 14, 2017—KB4013198 (OS Build 830)

    It appears to me that the above info has a mistake — the KB 4013429 patch for Win10 Anniversary Update runs the build number up to 14393.953. I don’t see any reference to 14393.933.

    What you need to do, to stay safe

    If you have to use Outlook and Windows, and you receive an email with a DOC file attached, don’t click the Enable Editing box in Protected View. (Different versions of Outlook,, and the Windows UWP Mail app all behave a bit differently.) As an alternative, use Gmail, because DOC attachments in Gmail open in a viewer-only mode. If you have to edit the DOC, go through Word Online where a bad DOC will detonate in the cloud.

    If you didn’t get caught up on March’s Windows patches, make sure you install MS17-010. For Win7 and 8.1, you can use either the Monthly Rollup or the Security-Only version. For Win10, you may be able to roust out a copy of KB 4013429 for the Anniversary Update, which moves to build 14393.953. (See comments.) You don’t — repeat, don’t — need to install the April patch mess.


    Oh boy. Now it looks like it’s possible to bypass Office Protected View. Thx to MrBrian. It’s not clear to me if that bypass can occur with or Outlook 2016 preview panes – but I bet Protected View can be bypassed in Windows 10 Mail.

    Hang on. The story continues. In the interim, it’s by far simpler and safer to open attached DOCs using Gmail. That kicks the DOC into a Google Docs viewer which can’t execute anything.

  • The best of the best FREE Windows 10 tools

    Posted on April 17th, 2017 at 09:02 woody Comment on the AskWoody Lounge

    See my InfoWorld slideshow for the Top 30. It was hard narrowing down the choices!

    Do you have a favorite I missed? Post it in the Tools forum.

  • Ongoing list of bugs in Win10 Creators Update

    Posted on April 17th, 2017 at 05:11 woody Comment on the AskWoody Lounge

    Creators Update has all the problems you’ve come to expect from Windows 10 version upgrades — freezes, rollbacks, wonky user interface elements and the like. There are good general lists on WindowsReport and DigitalTrends and plenty of ancillary material here in the Lounge comments (link above). Also check my Windows 10 install problems — and how to solve them.

    I’m particularly looking for bugs that are a bit meatier.

    As you hit bugs, please post them on the AskWoody Lounge (link above). I’ll give them a quick once-over and promote the best ones to the main blog.

    Creators Update breaks Logitech BRIO camera (the one that’s supposed to support Windows Hello). Fix on Logitech web site.

    Intel Clover Trail processors (Atom Z2760, 2520, 2560, 2580) are not supported. Post from MS on the Microsoft Answers Forum.

    From Softpedia (I haven’t been able to confirm independently): Windows 10 Creators Update Installation Blocked by Toshiba Display Utility . But may not be a problem (@rpodric).

    Moved Special Folders again appearing to cause W10 upgrade problems, this time it’s only dupes/ghosts appearing (@satrow)

    Anonymous complaint that System Restore is disabled.

    Windows 10 CU doesn’t remember WPA2-Enterprise WiFi credentials

    Stuck “Low Battery” notification window

    Various Night Light problems.

    Green screen when upgrading a fresh Win10 Anniversary Update machine to Creators Update. @teroalhonen.

    DISM doesn’t work, throws error 0x800f081f.

    Persistent yellow warning triangle on Defender.

    Edge crashes (many and various).

    Odd one-off report of 8 GB Verbatim Store ‘N’ Go USB drive failure.

    Surface Bluetooth Arc Touch mouse problem. Thx @barbbowman

    When installing the Windows ADK on 1703, if SecureBoot is enabled, you get a bogus warning that a “digitally signed driver is required.”

    Gibberish in many applications.

    Nahimic audio software doesn’t work.

    Driver incompatibilities: older NVIDIA, new NVIDIA driver 381.65 is buggy, so use 378.92. DTS encoding on Realtek. Wi-Fi drivers on Dell Inspiron 640m, Lenovo t500. Note that Creators Update does not work on many older systems — even systems that worked with Anniversary Update. (Thx, EP) Broadcom Bluetooth LE driver problem. Broadcom 440x 100/Integrated Ethernet/LAN Controller Network Adapter, Microsoft’s Bluetooth Arc Touch mouse.

    Third party program incompatibilities: Explorer crashing/black screen with  UxStyle, MacType, Grand Theft Auto V, MSI Afterburner, Rivatuner,

  • Booby-trapped Word documents in the wild exploit critical Microsoft 0day

    Posted on April 17th, 2017 at 03:26 woody Comment on the AskWoody Lounge

    The exploit appears in a Word doc attached to an email message. When you open the doc, it has an embedded link that retrieves an executable HTML file which looks like an RTF file. Apparently, all of that happens automatically.

    The downloaded file loads a decoy that looks like a document, so the user thinks they’re looking at a doc. It then stops the Word program to hide a warning that would normally appear because of the link.

    Very clever. It works on all versions of Windows, including Win10. It works on all versions of Office, including Office 2016.

    Good overview by Dan Goodin at Ars Technica.

    Technical analysis by Genwei Jiang at FireEye

    FireEye shared the details of the vulnerability with Microsoft and has been coordinating for several weeks public disclosure timed with the release of a patch by Microsoft to address the vulnerability. After recent public disclosure by another company, this blog serves to acknowledge FireEye’s awareness and coverage of these attacks.

    Likely cause of the rush to disclose from Haifei Li at McAfee.

    McAfee’s recommendation:

    • Do not open any Office files obtained from untrusted locations.
    •  According to our tests, this active attack cannot bypass the Office Protected View, so we suggest everyone ensure that Office Protected View is enabled.

    More details in my InfoWorld Woody on Windows post.

  • Shadow Brokers and what the leaks mean to Windows users

    Posted on April 15th, 2017 at 06:53 woody Comment on the AskWoody Lounge

    I’m a little late to the party on this one.

    As many/most/all of you know, on Friday a group called Shadow Brokers published an enormously damaging trove of code, apparently from the NSA, with all sorts of exploits and hacking tools. Most (if not all) versions of Windows are in the crosshairs.

    Our tax dollars at work.

    To catch up, there’s a series of articles every Windows user should read.

    Dan Goodin, Ars Technica: NSA-leaking Shadow Brokers just dumped its most damaging release yet

    Andy Greenburg, Wired: Major leak suggests NSA was deepn in Middle East banking system

    Philip Misner, Microsoft Security Response Center: Protecting customers and evaluating risk

    Microsoft’s analysis (which is undoubtedly accurate, but will be debated endlessly):

    Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products. Below is a list of exploits that are confirmed as already addressed by an update. We encourage customers to ensure their computers are up-to-date.

    Code Name Solution
    EternalBlue Addressed by MS17-010
    EmeraldThread Addressed by MS10-061
    EternalChampion Addressed by CVE-2017-0146 & CVE-2017-0147
    “ErraticGopher” Addressed prior to the release of Windows Vista
    EsikmoRoll Addressed by MS14-068
    EternalRomance Addressed by MS17-010
    EducatedScholar Addressed by MS09-050
    EternalSynergy Addressed by MS17-010
    EclipsedWing Addressed by MS08-067

    Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk. Customers still running prior versions of these products are encouraged to upgrade to a supported offering.

    MS17-010, which figures prominently in that table, is the one that fixed the SMBv1 hole in all versions of Windows. This month’s patches don’t figure in any of the discussions. We’re still at MS-DEFCON 1.

    I haven’t seen any evidence that the disclosure is being used by Microsoft to convince folks to move to Windows 10. (I do note, with some nostalgia, that the demise of the Security Bulletin system will make such analysis and communication much more cumbersome in the future.)

    So… the sky isn’t falling. But there are some very gray clouds out there, and a whole bunch of cretins jumping around trying to incorporate the Shadow Brokers code into their products. Those of you who patched through last month’s Patch Tuesday crop are OK, according to Microsoft – and they should know. Windows XP and Vista remain debatable. Those of you in Group W — who aren’t patching at all — should take note.

    Last night, MrBrian started a Lounge thread on the topic. I’ve moved it to the location referenced above. Thanks, MrBrian.

  • Windows 10 Anniversary Update wants to go back to the future

    Posted on April 14th, 2017 at 07:19 woody Comment on the AskWoody Lounge

    Interesting question from JH, who is using Windows 10 1607 Anniversary Update:

    For many days the update function has been trying but failing to install KB4015438.

    Then yesterday the update successfully completed installing KB4015217 which resulted in OS build 14393.1066.

    So I figured that this newest build would stop or kill the updates for KB4015438; but updates are still trying and failing to install KB4015438 which would result in OS build 14393.969 !!

    Can you tell me what is going on?

    I haven’t a clue. Any suggestions?

  • HIPAA compliance using Win10 Enterprise

    Posted on April 14th, 2017 at 06:40 woody Comment on the AskWoody Lounge

    Here’s an excellent article about walking the thin line between modern technology and HIPAA (think: keeping private information private in the US — if that isn’t an oxymoron). From HIPAA One, Steven Marco, Arch Bear, and Markus Muller have put together an insightful analysis. From the introduction:

    In today’s computing environment, record-breaking data breaches (e.g. Premera Blue Cross with 11+ Million members breached in 2015) that include healthcare identity theft have increased by over 20% year-over-year between 2012 and 2014

    1. It is no surprise most of us feel we have lost control of our personal data

    2 . This is especially true in the healthcare industry in the form of data breaches and HIPAA Privacy violations.

    Simultaneously, massive populations of users are fully-embracing new mobile applications to store and share data across platforms. As a result, cloud computing has bridged the gap between consumer devices and sensitive data. Is there a price to pay for our love affair with cloud-based apps and mobile devices?

    As a cloud-based technology user, have you ever wondered about the safeguards protecting your personal and health information? Ever contemplated how modern operating systems like Google Android, Apple iOS and Microsoft Windows 10 access your data to provide cloud
    powered features?

    For example, Siri, the Dragon dictation cloud, Google Voice search and Docs all send voice recordings to the cloud and back while other built-in OS features share contacts between apps. How do these cloud-powered features impact these risks?

    If a medical facility utilizes voice-to-text technology (e.g. by saying “Hey Cortana”, “Siri” “OK Google”, or “Alexa”) to dictate notes about a patient, that information is automatically exchanged with the cloud. Without a business associate agreement, that medical facility could
    face a HIPAA violation. How do we combine the past 30 years of email-use, file and print sharing with today’s cloud-enabled apps securely?

    These questions and concerns are currently top-of-mind for IT and legal professionals responsible for managing electronic Protected Health Information (ePHI) while ensuring and maintaining HIPAA compliance. In light of the recent focus on HIPAA enforcement actions, hospitals, clinics, healthcare clearinghouses and business associates are trying to understand how to manage modern operating systems with cloud features to meet HIPAA regulatory mandates. Additionally, many of these healthcare organizations are under pressure to broadly embrace the benefits of cloud computing.

    Microsoft has invested heavily in security and privacy technologies to mitigate today’s threats.

    Lounger zero2dash, who posted the original link to this story, says:

    They configured the heck out of 10 AU Enterprise to not phone home, and it did it anyway. Very interesting to see all the settings they tweaked in GP but still saw all the traffic going to MS.

    Having to deal with PCI Compliance is bad enough for me; I’m glad I don’t have to try to keep our environment HIPAA compliant.

    Well worth reading (PDF).


  • A panoply of problems with this week’s 210 critical Windows and Office patches

    Posted on April 13th, 2017 at 11:23 woody Comment on the AskWoody Lounge

    April 2017 Patch Tuesday’s 644 patches are crawling in bugs — but there are some solutions

    InfoWorld Woody on Windows.