Newsletter Archives

  • Caution updating Win7 if you have an ASUS motherboard and get a “Secure Boot Violation” warning

    Poster @Charlie has questions about ASUS motherboards and the August Win7 Monthly Rollup:

    I was all set to go ahead with the August Updates when I read about this apparent problem that KB3133977 has with ASUS motherboards, and that stopped me dead in my tracks!  I have an ASUS P8H61-MLE CSM, H61 B3 chipset motherboard of around 2012 vintage and it has an EFI BIOS, but not UEFI.  I do not already have KB3133977 and according to what I see will need to install it (maybe).

    Just to refresh your memory, KB 3133977 caused all sorts of havoc when it was released in May of 2016. I wrote an article about it in Computerworld at the time. I’m not at all sure if the ghost from more than two years ago is still haunting Win7 Monthly Rollups.

    @PKCano has an answer:

    For those with ASUS motherboards considering KB3133977:

    It would seem that ASUS implemented “Safe Boot” on some Win7 machines, when Win7 doesn’t support Safe Boot, by altering the BIOS.

    There are instructions on the ASUS website (thank you, @samak) here to deal with the situation:

    If you have an ASUS motherboard, and Safe Boot is implemented, it looks like there are three options:
    Make the modification in the BIOS so you can install KB3133977.
    Not install KB3133977 and just install the August patch.
    Do not install either patch and wait for further instructions.

    Anybody out there have more recent info?

    UPDATE: @Sinclair has a related question:

    What I am trying to get sorted is: can you install the August and future patches on a non-UEFI motherboard without installing the BitLocker patch? Does the August patch not alter your boot files if the BitLocker patch is not installed on a non-UEFI system? Does it even matter if it is a non-UEFI system or not when it comes to the boot files? Because it would really suck if, so shortly before Windows 7 goes out of patching, I end up with a system that cannot use any old repair tool to fix it if it ever has hard disk problems.

    That is why it is so complex. I have not seen anyone say, yeah, you’re fine, the new boot files can be seen by old tools. Or, yeah, no worries, nothing is altered on a non-UEFI motherboard.

  • August 2019 Security patches: It’s a biiiiiiiiig month

    Looks like we’re getting 90 separate patches for 93 individually reported security holes (CVEs).

    The largest single pain point appears to be Remote Desktop Services. (Tell me if you’ve heard that one before.) According to a post from Simon Pope at the MS Security Response Center:

    Today Microsoft released a set of fixes for Remote Desktop Services that include two critical Remote Code Execution (RCE) vulnerabilities, CVE-2019-1181 and CVE-2019-1182. Like the previously-fixed ‘BlueKeep’ vulnerability (CVE-2019-0708), these two vulnerabilities are also ‘wormable’, meaning that any future malware that exploits these could propagate from vulnerable computer to vulnerable computer without user interaction.

    The affected versions of Windows are Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions.

    Windows XP, Windows Server 2003, and Windows Server 2008 are not affected, nor is the Remote Desktop Protocol (RDP) itself affected.

    At this time, we have no evidence that these vulnerabilities were known to any third party.

    In the process of fixing the BlueKeep security hole, Microsoft found a metric ton of similar problems. At this point, nobody’s figured out a way to worm-out BlueKeep, so I figure you’re safe for now. This applies to almost none of you (if you have an internet-facing RDP server you likely know about it already), but as Dustin Childs says on the Zero Day Initiative page:

    If you must have an internet-facing RDP server, patch immediately (and reconsider your server placement).

    Martin Brinkmann has his usual overview on

    Windows 7: 39 vulnerabilities
    Windows 8.1: 39 vulnerabilities
    Windows 10 version 1709: 53 vulnerabilities (!)
    Windows 10 version 1803: 61 vulnerabilities
    Windows 10 version 1809: 64 vulnerabilities
    Windows 10 version 1903: 64 vulnerabilities

    The scariest Office vulnerability? CVE-2019-1201. It looks like you can exploit this one by sending someone an email and having it viewed in the Outlook preview pane. I thought that general form of exploit was fixed years ago – but not according to the CVE description:

    Microsoft Outlook Preview Pane is an attack vector for this vulnerability.

    As usual, we’re very interested in hearing of any problems you encounter – particularly if they persist after you roll back the patch.

    UPDATE: There’s an acknowledged problem with the Win7 and Server 2008R2 patches and Symantec Endpoint Protection. It’s more of the SHA-2 blues. Thx, @EP.

    Another update: Security folks are starting to call the new BlueKeep act-alikes “BlueKeep II” and “BlueKeep III.” I’m going to follow Kevin Beaumont’s lead and call them DejaBlue.

    Worth noting: None of the security holes plugged today have known exploits. SANS Internet Storm Center has details.

    Great observation by Brian Krebs:

    At least one of the updates I installed last month totally hosed my Windows 10 machine. I consider myself an equal OS abuser, and maintain multiple computers powered by a variety of operating systems, including Windows, Linux and MacOS.

    Nevertheless, it is frustrating when being diligent about applying patches introduces so many unfixable problems that you’re forced to completely reinstall the OS and all of the programs that ride on top of it.

    We share your pain, Brian.

  • Recommended BitLocker patch KB 3133977 causes some ASUS motherboards to freeze

    Looks like ASUS set a bit in BIOS that engages Secure Boot – when they shouldn’t have. Combine that with KB 3133977, and you get a bricked system.

    InfoWorld Woody on Windows