Woody Leonhard's no-bull news, tips and help for Windows, Office and more… Please disable your ad blocker – our (polite!) ads help keep AskWoody going!
Home icon Home icon Home icon Email icon RSS icon
  • A question about the MS-DEFCON system

    Posted on May 20th, 2017 at 14:08 woody Comment on the AskWoody Lounge

    Good one from reader ZP:

    I have a question about the ‘Defcon’ system. E.g. in April your first said it was “ ‘Defcon 2’; wait with installing”. Then at a certain point it became “ ‘Defcon 3; go ahead”

    So something in the situation must have changed between those two announcements?

    But I downloaded the ‘April Security-Only update’ (Win 7-32 bit), from the link in AKB003 (I want to be in Group B, for I don’t like MS snooping) when it was ‘Defcon 2’, and for a test I downloaded later the ‘April Security-Only update’ again, and it was still the same file with the same size!

    So, what has changed in the situation between the ‘Defcon’ states? Because the ‘bugs’ appearently weren’t fixed. (?)

    Therefore I am still wary of installing the ‘April Security-Only update. 🙁

    Please could you do a post or article to elaborate on the matter?

    Many Thanks! 🙂

    Think of the MS-DEFCON system as kind of a “green light – red light” system, with some shades of orange and yellow tossed in for comic relief.

    In recent years, patches have gotten better, but there are still some real show-stoppers. Microsoft pulls patches from time to time and may re-issue them, but in most cases the problem comes from interactions that aren’t fixed until the next month.

    So, for example, if you run something called Dynamics CRM and rely on it to print PDF files, you would want to hold off installing the March 2016 security patch until Microsoft got its act together. The patch doesn’t change. But people who may be affected get a heads up before they install the patch. In many cases, they can be forewarned, or they may need to implement a particular fix.

    Similarly for people who are running Windows 7 on recent PCs. There are many half-baked drivers. And so on.

    So it isn’t so much a question of waiting for Microsoft to re-issue a patch (which happens, but much less frequently in the current as-a-service environment). Mostly it’s a question of knowing in advance what kind of puddle you’re stepping in.

    It takes a while for bugs to appear. Diagnosing bugs is notoriously difficult, and it may take hundreds of observations to get some idea of where the problems lie. For that reason, I don’t recommend automatic update. Wait for the other folks to get their faces torn off, like in Alien.

    I’ll be changing the MS-DEFCON level as soon as I’m comfortable with the new approach to updating that we’ve been kicking around. I kinda got sidetracked by the WannaCry stuff. But look for changes soon.

  • DigitalShadows weighs in on the most likely explanation: WannaCry is from an “unsophisticated” attacker

    Posted on May 19th, 2017 at 09:26 woody Comment on the AskWoody Lounge

    I don’t use their fancy analysis technique, but the conclusion from Digital Shadows sure rings right with me:

    Though by no means definitive, we assessed that a WannaCry campaign launched by an unsophisticated cybercriminal actor was the most plausible scenario based on the information that is currently available.

    WannaCry is full of cringeworthy errors — it’s like a misguided firecracker launched by an F-22 Raptor.

    Please, if you use Windows and you haven’t patched it yet, get on the stick.

  • The original WannaCry does NOT infect Windows XP boxes

    Posted on May 19th, 2017 at 08:00 woody Comment on the AskWoody Lounge

    I’ve been saying that for a week now – sometimes fighting over it.

    I’m not saying the EternalBlue infection method doesn’t work on XP. (Sorry for the double negative.) What I am saying is that no Windows XP boxes were infected, in the wild, by the original WannaCry worm.

    I’m also saying that the original WannaCry worm is now a distant memory, with much nastier things to come, and you have to get yourself patched, no matter which version of Windows you’re using.

    There’s an interesting debate going on right now about infections on XP boxes that weren’t part of the first wave.

    UPDATE: The Scottish National Health Service reports that 1,500 computers came down with WannaCry. Independently, NHS says they still have 6,500 computers running XP. Somehow that’s getting reported in the press that 1,500 XP NHS computers were infected. The announcement from NHS is apparently correct. The poorly-spun media reports are clearly wrong.

    ANOTHER UPDATE: Catalin Cimpanu at BleepingComputer comes to the conclusion that we’ve known all along — WannaCry only infects Windows 7 and Server 2008 R2, which is basically the same thing as Windows 7.

    The Kaspersky graph shows a tiny, tiny number of Win10 machines infected. My guess is that’s either a false positive, or from people who were intentionally infecting Win7 machines running in a Virtual Machine on Win10.

    There’s a commenter (I know, I shouldn’t read the comments) who says:

    You want to know why Windows 10 was on the list?
    I blame Microsoft for still allowing people to opt-out of auto-updates. The mass do not always know what’s best for them, so it is our responsibility to firmly reject their demand when it’s harmful, and educate them why so.

    I could pull my hair out. Win10 wasn’t directly affected. Opting in or out of updates isn’t a problem – although if you opted out of Win7 auto updates and you didn’t check for two months, yep, you could’ve gotten stung. But Win10? Puh-lease.

  • Not all Windows Store apps will run on Windows 10 S

    Posted on May 19th, 2017 at 07:43 woody Comment on the AskWoody Lounge

    From ‘Softie Rich Turner, on the MSDN forum:

    Just because an “app” comes from the Windows Store does NOT automatically mean that it’s safe & suitable for running in Windows 10 S. There are some apps that are not allowed to run on Windows 10 S, including all command-line apps, shells and Consoles.

    That’s news to me. I bet it is to you, too.

    Thx, @teroalhonen.

  • Breaking: WannaCry has been decrypted, if you follow the rules

    Posted on May 19th, 2017 at 07:37 woody Comment on the AskWoody Lounge

    For those of you who were infected with WannaCry, very good news. If you see the WannaCry ransom screen:


    Matt Suiche has confirmed that the wanakiwi tool can reach into your infected Win7 machine and retrieve the decryption key. The tool was created by Benjamin Delpy, @gentilkiwi. Per Suiche:

    His tool is very ingenious as it does not look for the actual key but the prime numbers in memory to recompute the key itself. In short, his technique is totally bad ass and super smart.

    Suiche has confirmed that the tool works on WinXP x86, Server 2003 x86, and Win7 x86 “This would imply it works for every version of Windows from XP to 7, including… Vista and 2008 and 2008 R2.”

    Remember, the original WannaCry worm ONLY infects Windows 7 computers. Anything you’ve read to the contrary is wrong.

    REMEMBER – You have to make sure your Windows machines are updated, to protect against new versions of WannaCry. They’re starting to make an appearance. If you haven’t already done it, drop everything and get patched now. Every Windows machine. No exceptions.

  • Reported problem with COM security patch KB 4018556 for WinXP Embedded

    Posted on May 19th, 2017 at 06:35 woody Comment on the AskWoody Lounge

    Just got this message, from Moldova:

    In our organization, we have many Windows XP desktops, that have been “moved” to Embedded, as to receive security patches (the process of upgrading of all machines is ongoing).

    We had no problems before. But this month the KB4018556 brought us a big headache!!!

    After installing and rebooting, many of our users (not all!) saw the winlogon error right on top of the logon window where the prompt for ctrl-alt-del appears.

    Users tried to restart their computers, and sometimes(!) after several restarts (3…9, maybe more) the system allowed them to log in. But sometimes not!!!

    Other computers may run normally a day or two, and then again could show the winlogon.exe error!

    After we remove this KB4018556 from all the computers, they went back to the normal state.


    Anybody else seeing this?

    PATCHES PULLED: While this patch was originally issued for Windows XP Embedded, POSReady 2009 and Windows Server 2008, it looks like Microsoft has pulled all versions except the one for Server 2008. Thx to Mr. Bond, and to DougCuk. The KB article now only mentions Server 2008.

  • The complexity of controlling Windows telemetry

    Posted on May 18th, 2017 at 10:13 woody Comment on the AskWoody Lounge

    Noel Carboni has a great post that I wanted to bring up here onto the main page. It’s in response to the question of what to recommend for Win7 and 8.1 users, in this age of Malware as a Service, but it’s generally applicable to all Windows customers:


    I’ll wager I know what communications a desktop system does online as well as anyone, as understanding and controlling such communications is a passion of mine. A career in data communications and software engineering tends to do that to you.

    Thing is, there’s not just one “telemetry” communications stream. What Windows does online is much, much more complex than that! Insanely more complicated.

    Presuming you want to do at least SOME things online with your system you actually DON’T want to block all the comms – there are some very necessary sites that MUST be contacted by a typical system regularly, e.g., for the purposes of certificate verification, time sync, license management…

    That’s not to say Windows can’t be made very private. I myself maintain Windows 7, 8.1, and 10 systems that don’t spill the beans online. But it’s no small, simple, turnkey task. Windows is a complex beast, and it takes some geek chops to do it along with ongoing effort.

    As an example, here’s a list of all the sites my Windows 10 test system at LAN address, allowed to sit idle all day, contacted. I ran the command (on my Win 8.1 workstation) to search my DNS log at near midnight last night. You can see that the only communication initiated in the 24 hour period was to get the time from the National Institute of Standards and Technology via a task I have scheduled (I have disabled the out-of-box Windows time service).


    Most folks, however, wouldn’t find my Windows 10 system, above, acceptable. Why? Because I have shunned all the Apps and cloud-integration entirely. But it DOES illustrate that the beast can be controlled, and my techniques are applicable to purely desktop-oriented Windows 7 and 8.1 systems also.

    What have I found that it takes to accomplish this reduction/elimination of Microsoft-initiated online communications?

    • Reconfiguration of all provided settings to their most private choices.
    • Being willing to do without (or reduced function from) some services Windows seeks to provide.
    • Configuration through the local Group Policy editor a number of settings.
    • Configuration through the registry of a number of settings that have no UI.
    • Disabling of scheduled tasks involved with telemetry and online comms.
    • Disabling of services involved with telemetry and online comms.
    • Adding entries to the hosts file to blacklist some sites.
    • Watching vigilantly for any of these things to be reverted by updates.
    • Outfitting with extra software to monitor and police communication attempts.

    The list above may seem daunting, but we haven’t even gotten to the part where the devil is in the details. The lists of how to accomplish the above things are long and complex.

    Ideally I imagine people want a fully private system that still allows them to do everything they want. That’s not gonna happen. You have to be willing to compromise.

    What does one have to consider doing without?

    • Apps. The very nature of Apps is that they’re web-integrated and they require an infrastructure to keep them functional. If you want to run Apps, stop reading now.
    • Cortana. A personal digital assistant COULD work entirely from local data, but Cortana doesn’t. If you want a personal digital assistant that talks to you, stop here.
    • Cloud-integration, such as OneDrive, except for user-initiated operations e.g., in a browser. The good news is that you can use a OneDrive server to store/retrieve files through a browser without ANY of the system-level integration
    • Automatic updates. You have to be willing to install them yourself from the catalog if you want a truly subservient system.
    • Some security features such as the “Smartscreen Filter”. But you can’t rely on luck; you need a GOOD alternate plan to stay safe online.
    • Suggestions that pop up while you type. Your keystrokes are sent to Bing or Google or whatever search engine to make that happen.
    • Generally speaking, subscription and high-end commercial software communicates regularly online to do things like verify its licensing. Either you need to allow this or choose software that doesn’t do that.
    • Some software seeks to be cloud-integrated (late versions of Office, for example). You have to avoid this software or specific features within it, and be able to differentiate wanted comms from unwanted comms. That’s no small feat!
    • Online backups. Uh, no, get one or more external USB drives and make your own local backups, where you maintain full control of your data.

    This has gotten long already, yet I’m sure there are things I’ve missed and I haven’t even begun to get into the list of actual technical things to do to get to a secure, private system that doesn’t try overmuch to send your data abroad. It’s a challenging task even for a career software engineer. It’s not going to be feasible at all to provide a “have your cake and eat it too, set it and forget it” solution for an average user.

  • New Windows 7/8.1 updating method coming

    Posted on May 17th, 2017 at 14:06 woody Comment on the AskWoody Lounge

    It’s almost time to move the MS-DEFCON level, but when I do, I want to get it right – and get your input.

    As you all know, I’ve recommended “Group A” – install all Rollup patches – to folks who don’t mind the added snooping. I’ve also recommended “Group B” to those who want the security updates only. I’ve acknowledged, but not recommended “Group W” for those who never patch.

    The world’s changed since last October.

    With Shadow Brokers guaranteeing that major Windows vulnerabilities are coming every month – I call it “Malware as a Service” – Group W is just plain dangerous. It’s not an option. Sorry.

    Group B, which is based on Microsoft’s commitment to deliver Security-only updates every month, has gone from relatively simple to very complex. Officially, Internet Explorer patches have been broken off from the main download. There’s all sorts of confusion about .NET patches — which are Security-only, which Rollups? We’ve seen security patches released outside the monthly Security-only stream. There have been bugs in Security-only patches that were fixed outside of the Security-only stream. There’s a host of problems documented in this Topic.

    Group B isn’t dead, but it’s no longer within the grasp of typical Windows customers. Many of you reading this post are fully capable of sticking with Group B. Most Windows customers are not.

    Starting this month, I’ll mention Group B in my InfoWorld posts and the MS-DEFCON posts here — but I won’t include details. Instead, I’ll refer you to the AskWoody KB article AKB 2000003, maintained by PKCano. We’ll modify that AKB article with generic installation instructions. The MS-DEFCON level will apply to Group B folks, too, but the instructions most people see won’t include the Group B details.

    Which leaves me with new adornments for Group A. Starting this month, I’m going to recommend that just about everybody move to Group A, and install the Monthly Rollups (waiting until we’ve had time to thoroughly vet the patches, of course).

    For those of you who are sensitive to the manifest (but still undefined) snooping included in Win7 and 8.1 updates, I’ll include instructions for reducing – but not eliminating – Microsoft’s “telemetry.” As a reader here, I’m looking for your input, but keep in mind that:

    • What you recommend can’t hurt anything other than telemetry.
    • Novice “For Dummies” level users have to be able to understand what’s involved, and how to do it.
    • I don’t want to recommend a third party app. Yes, I know there are apps that block telemetry.

    There are three approaches that have caught my eye:

    • A short list of KB numbers, listing patches that should be removed. @PKCano has an example in the AKB 200003 documentation.
    • A simple batch script, like the one @abbodi86 maintains. The problem is that some people will have a hard time figuring out how to run it.
    • A combination of directions, as @MrBrian has proposed.

    I realize that Microsoft has promised that it will release a completely cumulative update for Win7 — a Service Pack 3, if you will, available through Windows Update — at some point in the future. I don’t think we have the luxury of waiting for Microsoft to get its act together.

    I think, given the Shadow Brokers promise, that we need to come up with a solution now — and pick up the pace, shortening the length of time between the release of Monthly Rollups and a go-ahead, through the MS-DEFCON level, when it’s safe to install.

    Don’t get me wrong. Automatic Update is still for your Great Aunt Martha, who doesn’t want to follow along, and can’t be trusted to apply patches consistently. For those of you who can take your patches proactively, waiting a week or two is still the best way to go.

    What do you think? What would you recommend for Group A anti-snooping instructions?