• Still no exploit in the wild for the “wormable” Win7/WinXP security hole

    https://twitter.com/GossiTheDog/status/1129995367427256320

  • For the second month in a row, McAfee and Sophos are having problems with the Win7/Server 2008 R2 Monthly Rollup and Security-only patches

    After the debacle last month, you’d think that McAfee and Sophos would’ve figured out a way to work with Microsoft’s monthly patches.

    Not so.

    Microsoft says that its May 14 Monthly Rollup, KB 4499164 and Security-only patch KB 4499175, are triggering problems anew:

    Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update.

    We are presently investigating this issue with McAfee.

    Guidance for McAfee customers can be found in the following McAfee support articles:

    To be clear, this is in addition to the problems we all felt last month. The official Release Information status page says that this particular problem originated on April 9 and has been mitigated. McAfee disagrees: “May 16, 2019 Updated that this issue applies to Windows April 2019 update KBs or later Windows monthly updates.” You can choose which one you believe.

    Microsoft hasn’t yet admitted to the problems with Sophos, but I assure you they will. Here’s what Sophos says:

    We have had an increase in customers reporting that following on from the Microsoft Windows 14th May patches they are experiencing a hang on boot where the machines appear to get stuck on “Configuring 30%”

    Initial findings suggest that this relates to the below Microsoft Patches:

    May 14, 2019—KB4499164 (Monthly Rollup)
    May 14, 2019—KB4499165 (Security-only update)

    We have currently only identified the issue on Windows 7 and Windows Server 2008 R2

    Applies to the following Sophos product(s) and version(s)
    Sophos Endpoint Security and Control
    Sophos Central Endpoint Standard/Advanced

    Why does this feel like deja vu all over again?

    Thx Kevin Beaumont @GossiTheDog.

  • Microsoft released fixes for IE “gov.uk” HSTS bug – on a Saturday – but only for Win7 and 8.1

    Make of this what you will.

    Today, Saturday, Microsoft released KB 4505050, a “Cumulative update for Internet Explorer: May 18, 2019” that applies to

    • Internet Explorer 11 on Windows Server 2012 R2
    • Internet Explorer 11 on Windows Server 2012
    • Internet Explorer 11 on Windows Server 2008 R2 SP1
    • Internet Explorer 11 on Windows 8.1 Update
    • Internet Explorer 11 on Windows 7 SP1
    • Internet Explorer 11 on Windows Embedded 8 Standard

    Its sole purpose is given as

    Addresses an issue that may prevent access to some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) when using Internet Explorer 11 or Microsoft Edge.

    If you’re dealing with UK government sites, and using Win7 or 8.1 with IE 11, you might want to get patched up.

    The notice on the Release Information page that said this bug was solved? It still says that the bug’s been solved, but now there’s an added reference to KB 4505050.

    I see no change at all for any of the other versions of Windows. And there are many.

  • If you’re dealing with UK government websites, bend waaaaaaaay over and kiss your keester

    Actually, the best solution is to use Chrome or Firefox, but….

    Every single Windows patch this month has broken a protocol known as HSTS for domains that end in gov.uk.

    From Wikipedia:

    HSTS allows web servers to declare that web browsers (or other complying user agents) should interact with it using only secure HTTPS connections, and never via the insecure HTTP protocol.

    Poster @magic describes it this way:

    “gov.uk” is the main site for the UK government. It’s used for online applications for car tax, passports, driving licenses. That sort of very important stuff which requires a secure connection, and has been HTTPS for years.

    Then you get a level down to local government, where there’s 400+ local councils. They have placename.gov.uk domains, which this just broke as we got no warning that HSTS was being enforced. I’m an infrastructure tech for a local council with 250,000 residents. A bunch of internal systems (that don’t require HTTPS) stopped working after I got the patches to test on Wednesday morning.

    For us it prevents access to the publicly accessible democracy data and the planning system among others. Both of these are maintained by external systems providers so it’s not a five minute job to add a certificate. The main website is fine for us, other councils don’t even have HTTPS enabled on those. I got a tweet before from someone advising that reading.gov.uk and doncaster.gov.uk are inaccessible.

    Like I said, bend waaaaaaaay over.

    The culprit? Microsoft has just fessed up:

    Unable to access some gov.uk websites

    After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
    Next Steps: Microsoft is working on a resolution and will provide an update as quickly as possible.

    Tell me again who tests this stuff. Certainly nobody running Win10 1809, 1803, 1709, 1703, 1607, 1507, Win 8.1, Win 7, Server 1809, Server 2019, Server 1803, Server 1709, Server 2016, Server 2012 R2, Server 2012, or Server 2008 R2 who’s using IE or Edge to access UK government sites.

    Did I leave anybody out?

    UPDATE: Do you use Avast? See this anonymous post:

    Here’s the link directly to the Avast site, but be warned: I can no longer see it with any browser ever since installing the May MS updates as recommended by @woody. The cause is probably due to a lack of full support for HSTS on their site, as it’s based in the UK.

    And now you know why I hated SO much to recommend that Win7 users install this month’s update.
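
    To see which sites an admin would lose when a browser starts enforcing HSTS for every name under gov.uk, here is an added example (not from the original post or from Microsoft) that applies the RFC 6797 host-matching and URL-upgrade rules to an inventory. It assumes the update behaves like an HSTS policy on gov.uk that covers all subdomains; the hostnames and the "schemes served" data are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumption: the browser enforces HSTS for gov.uk and every subdomain.
HSTS_POLICIES = {"gov.uk": {"include_subdomains": True}}

def hsts_applies(host, policies=HSTS_POLICIES):
    """RFC 6797 matching: exact host, or a superdomain with includeSubDomains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        policy = policies.get(".".join(labels[i:]))
        if policy and (i == 0 or policy["include_subdomains"]):
            return True
    return False

def effective_url(url, policies=HSTS_POLICIES):
    """Return the URL the browser actually requests (RFC 6797 section 8.3)."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not hsts_applies(parts.hostname or "", policies):
        return url
    if parts.port in (None, 80):
        netloc = parts.hostname                    # port 80 becomes the https default, 443
    else:
        netloc = f"{parts.hostname}:{parts.port}"  # any other explicit port is preserved
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

def audit(sites, policies=HSTS_POLICIES):
    """sites maps URL -> set of schemes the server answers on.
    Returns (original, forced) pairs for URLs that stop loading."""
    broken = []
    for url, served in sites.items():
        forced = effective_url(url, policies)
        if urlsplit(forced).scheme not in served:
            broken.append((url, forced))
    return broken

# Constructed inventory: hypothetical hostnames, not real measurements.
SITES = {
    "http://planning.example-council.gov.uk/search": {"http"},
    "http://www.example-council.gov.uk/": {"http", "https"},
    "http://democracy.example-council.gov.uk:8080/": {"http"},
    "http://intranet.example.org/": {"http"},
}

if __name__ == "__main__":
    for original, forced in audit(SITES):
        print(f"BROKEN {original} -> {forced}")
```

    Only the HTTP-only gov.uk hosts are reported; the site that already answers on HTTPS and the host outside gov.uk keep working.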

  • There’s a new KB 4023057 making the rounds

    Let’s see. It’s Friday. There must be a new version of KB 4023057, the “Update to Windows 10, versions 1507, 1511, 1607, 1703, 1709, and 1803 for update reliability reliability” patch.

    Reliably.

    Short version: We don’t really know what it does, except to blast away anything you or your machine has done to block upgrading to version 1903. Oddly, it still isn’t being released to Win10 1809.

    Günter Born has all the details. We’ve been covering it here forever.

  • New report from Forescout says 71% of medical industry PCs will still be running Win7 in January

    Interesting report from the people at Forescout:

    Within our data sample… 71% of devices will be running unsupported Windows operating systems by January 14, 2020.

    “Unsupported operating systems” includes Windows 7, Server 2008, and earlier.

    The study revealed that 40% of deployments had more than 20 different operating systems on their medical VLANs.

    They were looking at a very large sample of very large installations:

    Source data for this report came from the Forescout Device Cloud, a repository of host and network information for more than 8 million devices, making it one of the largest crowdsourced device repositories. For this study, researchers limited Device Cloud analysis to 75 healthcare deployments with over 10,000 virtual local area networks (VLANs) and 1.5 million devices. Since the primary focus of the report is the status of medical devices, many of the results are based on analysis of more than 1,500 medical VLANs with 430,000 devices.

    No, Windows 7 is not going away any time soon. The medical industry has an enormous problem. As do many of us.

  • New forum: Windows 7 beyond end-of-life

    There’s a lot of interest in keeping Win7 going after January 2020. So I just set up a forum specifically for that concern:

    Win7 beyond End-of-life

    Please join us and let us know about best practices, recommendations, problems… you name it.

    Seven semper fi.

    Thx, CAO.

  • Good news: The “wormable” security hole in XP, 7, and related Servers, isn’t being exploited yet

    If you’re running

    • Windows XP (including Embedded)
    • Windows Server 2003, Server 2003 Datacenter Edition
    • Windows 7
    • Windows Server 2008, Server 2008 R2

    You still have time to install the May patches.

    https://twitter.com/2sec4u/status/1128782426954706950

  • For some, this month’s Win10 1809 cumulative update installs twice twice

    Microsoft has finally acknowledged what’s been going around since Tuesday. On some machines, installing KB 4494441 — this month’s cumulative update for Win10 version 1809 — takes two tries.

    The KB article now says:

    Some customers report that KB4494441 installed twice on their device. 

    In certain situations, installing an update requires multiple download and restart steps. If two intermediate steps of the installation complete successfully, the View your Update history page will report that installation completed successfully twice.

    No action is required on your part. The update installation may take longer and may require more than one restart, but will install successfully after all intermediate installation steps have completed.

    We are working on improving this update experience to ensure the Update history correctly reflects the installation of the latest cumulative update (LCU).

    Fair enough, but it’d be nice to have an update only throw one reboot, yes?

    Who tests this stuff anyway?

    Snarky sidenote: the shiny new official Release Information page says the problem’s been Resolved.

    Thx Martin Brinkmann, ghacks.net

  • A quick status report on the Windows Secrets merge

    We’ve officially finished merging posts that were in WindowsSecrets.com. You should be able to find most (although, regrettably, not all) of them here. I’ve bumped our server allocation up by a factor of two or more, so the site should be quite spritely.

    ProTip: For now, you’ll find it much faster to search the site using Google; just put site:askwoody.com at the end of your search string. Yep, we’re working on it.

    For those of you with usernames brought over from Windows Secrets (they’re prefixed with “WS” as in “WSBillG”) and regular AskWoody account names, I can start merging your accounts. There’s no inherent advantage to having an account with or without the “WS.” But those of you with two active accounts may want to pull all your posts into one account, to make it easier to keep track of things. If you want to merge two (or more) accounts, from any source, please email me (CustomerService@AskWoody.com), and tell me the usernames on the accounts.

    If you have a username that’s an email address, make sure the old email address account is the one that’s going to get obliterated in the merge. We’re still trying to stomp out usernames that are email addresses — for your privacy, if nothing else.

    Your MVPs have been hard at work making lots of changes, some of which you’ll see, many of which are behind the scenes. For example, you can now upload files attached to your posts (“Replies”) as long as they’re under 2 MB. Most filetypes are supported. All of them are scanned for malware.

    We’re also working on bringing over all of the old Windows Secrets Newsletters, and making them more easily available. Susan’s cooking up a new downloadable format for the Patch Watch lists. We’re going to try to tie together the Newsletter and Lounge efforts more tightly. Lots and lots of things.

    I’m going to wait a bit — let the changes stabilize — before tackling the next big effort: Redesigning the site. I really want to create a forum navigation pane that’s as good as the old Windows Secrets vBulletin-based listing. But it’s going to take time. When we’re ready to kick that effort off, I’ll let you know.

    I also plan to reinstate the free newsletters, which is a different kettle of fish entirely.

    Thanks, everybody. MVPs have helped enormously, and keep the site working. Plus members are footing the bill. We aren’t quite up to being financially stable, but that will come. And each of you reading, posting, asking and helping, are making it work.

    If you have any suggestions, I’m all ears.

  • MS-DEFCON 3: Get Windows XP, Win7 and associated Servers patched

    If you’re running Win8, 8.1, 10 or related Server versions, stay on MS-DEFCON 2. Don’t install this month’s patches just yet.

    But if you have:

    • Windows XP (including Embedded)
    • Windows Server 2003, Server 2003 Datacenter Edition
    • Windows 7
    • Windows Server 2008, Server 2008 R2

    you need to get patched right away. The sky isn’t falling — there’s no worm making the rounds just yet — but at this point it looks like the benefits of patching outweigh the risks.

    If you’re running Vista, hang tight. Looks like Microsoft forgot to document that one.

    For XP and 7 users, I’m moving to MS-DEFCON 3: Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.

    Details in Computerworld Woody on Windows. And I’ll have an AskWoody Alert out soon.

  • Patch Lady – bookmark this page

    https://docs.microsoft.com/en-us/windows/release-information/status-windows-10-1809-and-windows-server-2019#355msgdesc

    I totally forgot about this page.

    The page that

    1. acknowledges the double reboot problem with KB4494441

    2. acknowledges that KB4495667 installed automatically for some of us (see this post)

    Needless to say you’ll want to bookmark that page and keep an eye on it.