Newsletter Archives

  • Patching year 2022 comes to a close


    ISSUE 19.51 • 2022-12-19



    By Susan Bradley

    Every vendor brought us a lump of coal.

    No matter which platform you use, we are closing out a year in which we have been very vulnerable. From Microsoft to Apple to our firewall vendors — and even to Linux distros such as Ubuntu and Mint — just about every vendor has ended the year with patches, vulnerabilities unfixed, and new releases.

    Read the full story in our Plus Newsletter (19.51.0, 2022-12-19).
    This story also appears in our public Newsletter.

  • Zero day for Windows 7

    BleepingComputer reports that 0patch is releasing a fix for a zero day in Windows 7 and Server 2008 R2.

    I haven’t yet seen an out-of-band patch released for Windows 7 ESUs, but I’ll keep you posted.

    One clarification on that post: Sergiu says “At the moment, only small-and-midsize businesses or organizations with volume-licensing agreements can get an ESU license until January 2023.” You actually don’t need a volume licensing agreement in order to buy Windows 7 patches. Amy Babinchak is still selling Windows 7 ESUs, and for anyone who bought them last year, she’ll be contacting you to see if you want the updates again this year. Microsoft hasn’t yet set it up so that the 2021 Windows 7 ESUs are on their price list, but I’m guessing December 1st is when they will post it to the price list. It’s expected to be twice the price of last year’s.

  • 0patch posts a patch for the “PrintDemon” security hole CVE-2020-1048

    I still haven’t seen any in-the-wild exploits for the security hole announced last week, PrintDemon or CVE-2020-1048 — and I still don’t recommend that you install this month’s patches — but those of you running Windows 7 without the paid Extended Security Updates should take note of the latest “micropatch” offering from 0patch.

    According to the 0patch blog:

    Windows 7 and Server 2008 R2 users without Extended Security Updates have just received a micropatch [from 0patch] for CVE-2020-1048, a privilege elevation vulnerability allowing a local non-admin attacker to create an arbitrary file in an arbitrary location.

    When time comes to install this month’s patches, if you don’t have Win7 Extended Security Updates, you should keep this micropatch in mind. (It’s OK, I’ll remind you if you forget.)

    Just a reminder: We’re still at MS-DEFCON 2. There are no widespread threats out and about and you don’t need to patch just yet. Go outside and get some fresh air. At a distance, of course.

    Thx @etguenni

  • Microsoft Office gets a drenching of updates


    By Susan Bradley

    COVID-19’s impact on patching doesn’t extend to Office releases.

    If April’s updates prove anything, it’s that Office is a prime target for malware attacks. This month, all supported versions of Microsoft’s productivity suite received a dozen or more security patches. And most of these fixes have a common purpose: breaking a specific risk to our networks — Office apps using Visual Basic scripts to pull information from the Internet. This change is good, for the most part, but it might cause line-of-business apps with sloppy coding to stop working.

    Read the full story in AskWoody Plus Newsletter 17.15.0 (2020-04-20).

  • Worth considering: 0patch for Win7 after January 2020

    I just got a note from @Microfix that pointed me to an interesting discussion from Ionut Ilascu at BleepingComputer:

    After Microsoft ends support for Windows 7 and Windows Server 2008 on January 14, 2020, 0Patch platform will continue to ship vulnerability fixes to its agents.

    “Each Patch Tuesday we’ll review Microsoft’s security advisories to determine which of the vulnerabilities they have fixed for supported Windows versions might apply to Windows 7 or Windows Server 2008 and present a high-enough risk to warrant micropatching”

    Micropatches will normally be available to paying customers (Pro – $25/agent/year – and Enterprise license holders). However, Kolsek says that there will be exceptions for high-risk issues that could help slow down a global-level spread, which will be available to non-paying customers, too.

    Many of you know that 0Patch has been issuing quick fixes for bad bugs in recent patches. In all cases, I’ve refrained from recommending them, simply because I’m concerned about applying third party patches directly to Windows binaries. That said, to date, they’ve had a very good track record. Whether they can continue that record with patches-on-patches-on-patches remains to be seen, of course.

    I fully expect Microsoft to release patches for newly discovered major security flaws, even after January 14. Whether those will step on the 0Patch patches is anybody’s guess.

    Definitely something worth considering…

  • That Internet Explorer XXE zero day poking through to Edge

    I’ve been slammed for the past few days, and haven’t kept you folks apprised of the latest Internet Explorer 0day.

    It depends on you opening an infected MHT file. MHT is an old file format that’s almost always opened by IE — no matter which browser you’re using, no matter which version of Windows. Catalin Cimpanu has a good overview of this XXE vulnerability on ZDNet.

    It’s a doozy of a security hole, as it affects every recent version of IE, and it infects whether you’re actively browsing with IE or not.

    When you download files from the internet, they’re marked — the “Mark-Of-The-Web” — to tell programs that special care is required when opening the files. Thus, if you download an infected MHT file, IE will know that it needs to open the MHT file with caution (at “low integrity,” in a sandbox). That severely limits this exploit’s reach.

    There’s a lot of controversy about how bad this XXE hole really is. There have been lots of XXE holes discovered in the past. They’re used to pull files off your machine and send them to the bad guys. Microsoft figured this one isn’t all that bad, in part because of the MOTW mechanism. The folks who discovered this particular hole aren’t so sanguine. They responded to Microsoft’s snub last week by releasing details, proof of concept code, and even a video.

    Yesterday, Mitja Kolsek at 0patch revealed something disconcerting. If you use Edge to download an infected MHT file, Internet Explorer will open it like any other file. Says Kolsek:

    Does Edge not put the mark-of-the-web on downloaded files, or does it do it differently and somehow confuses Internet Explorer? That would be a serious flaw.

    He goes on to explain how Edge changes the permissions on downloaded files and, thus, why IE will open the infected MHT file as if it had no Mark-Of-The-Web.

    All fascinating stuff if you’re into this kind of thing. Ionut Ilascu has a synopsis on BleepingComputer.

    The 0patch company has a quick patch that you can apply, free, if you’re concerned about getting burned. I’m not going to link to it — I don’t want to take responsibility for third-party patches to Windows — but you can find it quite easily if you’re really interested. That said, 0patch is highly regarded, and has made many useful hotfixes for Windows.

    What to do? That’s easy. Don’t open MHT files. And don’t use IE.

    Thx to @Alex5723 and others who have been posting about this problem while I’m off doing other things…

    Let’s see if I get a definitive answer from this:

    UPDATE: @mkolsek, who published the report yesterday, confirms that reassigning the default handler for MHT files breaks the attack. He tested it. I’ll write this up.
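    The two things this post turns on are whether a downloaded file actually carries the Mark-of-the-Web and which program Windows hands an .mht file to. The following PowerShell script is an added example for checking both on your own machine; it is not code from the post, from 0patch, or from Microsoft. It assumes an NTFS volume (MOTW is stored in the file’s Zone.Identifier alternate data stream, where ZoneId=3 means the Internet zone), Windows PowerShell 5.1 or later, and that the per-user UserChoice key, when present, takes precedence over the machine-wide HKEY_CLASSES_ROOT\.mht association. The sample .mht file and its zone stream are constructed by the script itself.

```powershell
# Added example (not from the post, 0patch or Microsoft): verify Mark-of-the-Web
# on a downloaded file and report the registered handler for .mht files.
# Assumes NTFS (alternate data streams) and Windows PowerShell 5.1 or later.

function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    # MOTW is the Zone.Identifier alternate data stream; absent stream = no MOTW.
    $stream = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    foreach ($line in $stream) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Get-MhtHandler {
    # Assumption: the per-user UserChoice ProgId wins over the HKCR\.mht default value.
    $userChoice = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice'
    $progId = (Get-ItemProperty -Path $userChoice -ErrorAction SilentlyContinue).ProgId
    if (-not $progId) {
        $progId = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.mht' -ErrorAction SilentlyContinue).'(default)'
    }
    if (-not $progId) { return $null }
    $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ ProgId = $progId; OpenCommand = $command }
}

# --- Constructed sample: a throwaway .mht with a hand-written Internet-zone MOTW ---
$sample = Join-Path $env:TEMP 'motw-demo.mht'
Set-Content -Path $sample -Value 'MIME-Version: 1.0 (constructed sample, not a real web archive)'
Set-Content -Path $sample -Stream Zone.Identifier -Value @('[ZoneTransfer]', 'ZoneId=3')

$zone = Get-MotwZone -Path $sample
if ($zone -eq 3) {
    Write-Host "MOTW present (ZoneId 3 = Internet): IE would open '$sample' at low integrity."
} elseif ($null -eq $zone) {
    Write-Host "No MOTW on '$sample': a viewer would open it with full trust, which is the Edge download concern described above."
} else {
    Write-Host "MOTW present with ZoneId $zone."
}

$handler = Get-MhtHandler
if ($handler) {
    Write-Host "Registered .mht handler: $($handler.ProgId)"
    Write-Host "Open command: $($handler.OpenCommand)"
} else {
    Write-Host 'No .mht association found on this machine.'
}

Remove-Item -Path $sample -ErrorAction SilentlyContinue
```

Run it on a file you actually downloaded (replace `$sample` with that path and drop the two `Set-Content` lines) to see whether your browser left the Zone.Identifier stream in place; if the handler reported for .mht is Internet Explorer and you have no need to open MHT files, reassigning that association to a harmless viewer is the mitigation @mkolsek confirmed above.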

  • Single-purpose patch for CVE-2018-8174, the VBScript 0day, available from 0patch

    This isn’t an endorsement.

    If you read my summary of this month’s patches, you’ll recall that there’s one potentially important patch:

    Microsoft released an explanation for the one “critical” Windows patch this month that is being actively exploited — a zero-day. Called CVE-2018-8174, the security hole involves the way Internet Explorer (mis)handles VBScript programs.

    That’s the one big security hole staring at us so far this month. I still haven’t heard of any exploits other than the ones identified by Kaspersky and Qihoo 360 (remember – they involved PDF files in Yiddish/Hebrew sent to Chinese organizations), but it’s still a potential problem.

    And then Microsoft screwed up the Windows 7 patches this month, breaking networks on some Win7 systems.

    Given the current state of affairs, you can either fix the VBScript 0day and possibly break your network card in the process, or you can avoid the update entirely until Microsoft finally fixes it. Whenever that may be.

    I was surprised to discover that 0patch, a well-regarded patching platform from ACROS Security, now has a free patch available that plugs the 0day hole by simply, well, plugging the 0day hole. What a novel idea. Microsoft should do that… he says, tongue planted firmly in cheek.

    I’m NOT recommending that you run out and install the 0patch patch. It always gives me the willies when I see a non-Microsoft product offered to fix a Microsoft bug. But in this case, if you read the description, the analyst there who wrote the patch (Mitja Kolsek) knows what he’s doing.

    So rather than recommend that patch, I’m putting out a feeler to see if any of you have installed this patch — or if you have experience with other 0patch patches.

    Whaddya think?