Newsletter Archives
-
Master Patch List as of May 9, 2023
I’ve updated the Master Patch list for the May releases.
Remember to always review the known issues we are tracking on the Master Patch List. I will keep the latest info there.
So far trending issues are:
Business patchers – In order to fully patch systems for potential UEFI/Secure Boot there are a series of manual steps. I am NOT convinced that this is needed for anyone other than targeted nation state organizations. I’ll have exact instructions and a video should you want more information.
I am recommending at this time that you install Apple updates, I’m not recommending Windows updates at this time. I’ll have more details in the newsletter on Monday.
- Windows 11 22H2: Not recommended
- Windows 11 21H2: If you have a Windows 11 PC, recommended
- Windows 10 22H2: Recommended
- Windows 10 21H2: Recommended (if a vendor won’t support 22H2)
- Apple Ventura – Recommended for newer hardware – as always check with the applications you rely on if they recommend this release.
As always, thank you all for supporting the cause! Remember a donation will give you access and if you donate $50 or more you’ll get a special code to enable text messages sent to your phone each time the Master Patch List gets updated and when I change the MS-DEFCON level.
-
Master Patch List April 11, 2023
I’ve updated the Master Patch list for the April releases.
Remember to always review the known issues we are tracking on the Master Patch List. I will keep the latest info there.
So far trending issues are:
Business patchers – weird Google Chrome issue after installing KB5025221 if your group policy is used to set Chrome as default.
Also I’ll update the list for the SQL updates but I wanted to get the other updates out for you.
I am recommending at this time that you install Apple updates, I’m not recommending Windows updates at this time. I’ll have more details in the newsletter on Monday.
- Windows 11 22H2: Not recommended
- Windows 11 21H2: If you have a Windows 11 PC, recommended
- Windows 10 22H2: Recommended
- Windows 10 21H2: Recommended (if a vendor won’t support 22H2)
- Apple Ventura – Recommended for newer hardware – as always check with the applications you rely on if they recommend this release.
As always, thank you all for supporting the cause! Remember a donation will give you access and if you donate $50 or more you’ll get a special code to enable text messages sent to your phone each time the Master Patch List gets updated and when I change the MS-DEFCON level.
-
Special note for Samsung users (or Pixel users too!)
If you have any of the following read on….
Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series;
Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series;
The Pixel 6 and Pixel 7 series of devices from Google;
any wearables that use the Exynos W920 chipset; and
any vehicles that use the Exynos Auto T5123 chipset.
What is this about? Google Project Zero has released a blog post about a security vulnerability that impacts these devices.
What does this mean? Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely. So if the attacker CALLS you, they could compromise your phone.
Note: Until security updates are available, users who wish to protect themselves from the baseband remote code execution vulnerabilities in Samsung’s Exynos chipsets can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Turning off these settings will remove the exploitation risk of these vulnerabilities.
What should I do?
How to turn off WiFi calling on a Samsung phone
- Open the Phone app on your Samsung phone
- Tap the three-dot menu in the top-right corner
- Select Settings
- Find the WiFi Calling option about halfway down and toggle it off
How to Disable VoLTE on any Samsung Galaxy Phone
- Head over to the Settings page on your Galaxy device.
- Then go to the Connections section.
- Scroll to the Mobile network section.
- Within that, you should see the VoLTE Calls option. Just disable the toggle and that’s it. (note I think this should be default disabled and is probably not enabled by default)
No patch is available at this time. As soon as I hear word of one, I’ll add it to the master patch listing.
Please note – each vendor of the phones can customize the deployment and thus you may not see these options in your phone.
-
Master Patch list as of March 15, 2023
I’ve updated the Master Patch list for the March releases.
Remember to always review the known issues we are tracking on the Master Patch List. I will keep the latest info there. Right now the big trending issue is the issue where Windows 10 22H2 doesn’t seemingly reboot if you manually check for updates. If you use Start11, StartAllBack, and ExplorerPatcher make sure you update to the latest on Windows 11.
I am recommending at this time that you install Apple updates, I’m not recommending Windows updates at this time. I’ll have more details in the newsletter on Monday.
- Windows 11 22H2: Not recommended
- Windows 11 21H2: If you have a Windows 11 PC, recommended
- Windows 10 22H2: Recommended
- Windows 10 21H2: Recommended (if a vendor won’t support 22H2)
- Apple Ventura – Recommended for newer hardware – as always check with the applications you rely on if they recommend this release.
As always, thank you all for supporting the cause! Remember a donation will give you access and if you donate $50 or more you’ll get a special code to enable text messages sent to your phone each time the Master Patch List gets updated and when I change the MS-DEFCON level.
-
Master patch list as of February 14, 2023
I’ve updated the Master Patch list for the February releases. While this month doesn’t have the vulnerability count that many gauge a big month by, it has .NET security releases which – on some platforms – add additional patch offerings.
Remember to always review the known issues we are tracking on the Master Patch List. I will keep the latest info there. Right now the big trending issue is Server 2022 and VMware.
I am recommending at this time that you install Apple updates, I’m not recommending Windows updates at this time. I’ll have more details in the newsletter on Monday.
- Windows 11 22H2: Not recommended
- Windows 11 21H2: If you have a Windows 11 PC, recommended
- Windows 10 22H2: Recommended
- Windows 10 21H2: Recommended (if a vendor won’t support 22H2)
- Apple Ventura – Recommended for newer hardware – as always check with the applications you rely on if they recommend this release.
As always, thank you all for supporting the cause! Remember a donation will give you access and if you donate $50 or more you’ll get a special code to enable text messages sent to your phone each time the Master Patch List gets updated and when I change the MS-DEFCON level.
-
Patch list for January 2023 – final update
I realized tonight that I hadn’t done my final recap of the January updates on the Master Patch List page.
We’re just about to get ready for the February updates so stay tuned for advice about February.
As a reminder – if you want to keep your computer on Windows 10 but still let it update to the various feature releases – Enter Windows 10 in that upper section of the local group policy and leave the lower portion blank.
- Windows 11 22H2: Not recommended
- Windows 11 21H2: If you have a Windows 11 PC, recommended
- Windows 10 22H2: Recommended
- Windows 10 21H2: Recommended (if a vendor won’t support 22H2)
- Apple Ventura – tentative. Check with the applications you rely on if they recommend this release.
As always, thank you all for supporting the cause! Remember a donation will give you access and if you donate $50 or more you’ll get a special code to enable text messages sent to your phone each time the Master Patch List gets updated and when I change the MS-DEFCON level.
Be aware that due to a change in Twitter possibly as early as next week, the DefCon tweeting may not work automatically. The texting will continue without fail, but I rely on Zapier who, like everyone else, is trying to keep up with what keeps changing. We will keep you posted as we know more.
-
Attack surface reduction rule triggers a mess on Friday the 13th
#Fridaythethirteenthmess
If you set up the Attack surface reduction rule to check Office macros, you have woken up to missing shortcuts. It appears to have been triggered after a Defender update. Note this will only occur IF you have the attack surface reduction rule enabled. On machines where this is not set, no issues will be seen using Defender. It is just those with ASR rules enabled.
The specific rule causing this is
Block Win32 API calls from Office macros
Rule-ID 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b
In Intune or group policy set the rule to audit if Microsoft hasn’t done it for you already. Now how to deal with the missing shortcuts?
Emin reports that “If you’ve volume shadow copy enabled, you can find these shortcuts in a VSS snapshot. I still use nowadays this code whenever I’ve to mount/dismount VSS snapshots.” https://p0w3rsh3ll.wordpress.com/2014/06/21/mount-and-dismount-volume-shadow-copies/
Alternatively you can get the shortcuts from Onedrive if the Desktop synchronization was enabled.
Microsoft’s guidance here:
I’ll also note this on the Master Patch list – but it’s NOT exactly a patch related side effect.
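One way to check the state of the rule named above on a single machine, move it to audit, and list the Defender events logged for it. This is an added example, not part of the original post or Microsoft's guidance; it assumes an elevated PowerShell session on a machine running Microsoft Defender Antivirus, and the function name Get-AsrRuleState is made up for the example.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on a machine that uses Microsoft Defender Antivirus.
$RuleId      = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'   # rule ID quoted in the post
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Hypothetical helper: returns the configured action for one ASR rule ID.
function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $Id) {               # string -eq is case-insensitive
            $code = [int]$actions[$i]
            $name = $ActionNames[$code]
            if (-not $name) { $name = "Unknown($code)" }
            return [pscustomobject]@{ RuleId = $Id; Action = $name }
        }
    }
    [pscustomobject]@{ RuleId = $Id; Action = 'NotConfigured' }
}

$state = Get-AsrRuleState -Id $RuleId
"Current state: $($state.Action)"

if ($state.Action -in 'Block', 'Warn') {
    # Add-MpPreference leaves the other configured rules in place.
    # A value delivered by Intune or Group Policy wins over this local setting,
    # so make the same change in the policy that deploys the rule.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
    "New state: $((Get-AsrRuleState -Id $RuleId).Action)"
}

# Events logged for this rule: 1121 = rule fired in block mode, 1122 = audit mode.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId } |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`r?`n")[0] } }
```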
-
Master Patch list updated as of January 10, 2023
#PatchTuesday #DeadBodyWedneday #KeepaneyeoutforissuesThursday
Consumers: Defer updates at this time.
I’ve updated the Master Patch List for Tuesday’s releases.
It’s too soon at this time to be making recommendations for consumers; I’m still watching for issues.
For businesses, the impact to look out for and keep an eye on is any on-premises Exchange server you are still patching.
As a reminder
- Windows 11 22H2: Not recommended
- Windows 11 21H2: If you have a Windows 11 PC, recommended
- Windows 10 22H2: Recommended
- Windows 10 21H2: Recommended (if a vendor won’t support 22H2)
- Apple Ventura – tentative. Check with the applications you rely on if they recommend this release.
As always, thank you all for supporting the cause! Remember a donation will give you access and if you donate $50 or more you’ll get a special code to enable text messages sent to your phone each time the Master Patch List gets updated and when I change the MS-DEFCON level.
-
Master Patch List as of December 13, 2022
#PatchTuesday
Business patchers: Microsoft has indicated that they fixed the memory issue with the LSASS patch but still waiting for community confirmation.
Consumers: Defer updates at this time. The secure boot patch KB5012170 has been released to apply to Windows 10 and 11 22H2 so be sure to defer it as well.
I’ve updated the Master Patch List for Tuesday’s releases.
It’s too soon at this time to be making recommendations for consumers; I’m still watching for issues.
For businesses, the impact to look out for and keep an eye on are the Kerberos related patches. Microsoft has indicated that the memory leak issues introduced in last month’s Kerberos updates have been fixed but I am still waiting for community confirmation.
As a reminder
- Windows 11 22H2: Not recommended
- Windows 11 21H2: If you have a Windows 11 PC, recommended
- Windows 10 22H2: Recommended
- Windows 10 21H2: Recommended (if a vendor won’t support 22H2)
As always, thank you all for supporting the cause! Remember a donation will give you access and if you donate $50 or more you’ll get a special code to enable text messages sent to your phone each time the Master Patch List gets updated and when I change the MS-DEFCON level.
-
MS-DEFCON 3: Side effect with Domain patch
Special alert By Susan Bradley
November Domain controller update leads to memory leak
Business patchers only: Microsoft has posted up a known side effect introduced by the November updates applied to domain controllers.
As they note in their health release: (with my slight edits for clarification)
After installing November or later updates on Domain Controllers (DCs), you might experience a memory leak with Local Security Authority Subsystem Service (LSASS.exe). Depending on the workload of your DCs and the amount of time since the last restart of the server, LSASS might continually increase memory usage with the up time of your server and the server might become unresponsive or automatically restart. Note: The out-of-band updates for DCs released November 17, 2022 and November 18, 2022 do not fix the issue and are also affected by this issue.
Workaround one if you can remove the patch: Uninstall the November 8th updates and out of band updates that are listed here.
Workaround two if you are mandated to keep the patch installed: To mitigate this issue, open Command Prompt as Administrator and use the following command to set the registry key KrbtgtFullPacSignature to 0:
- reg add "HKLM\System\CurrentControlSet\services\KDC" -v "KrbtgtFullPacSignature" -d 0 -t REG_DWORD
Note that this ONLY impacts business patchers and does NOT impact consumers.
-
Business patchers alert: Out of band patch expected to fix Domain controller issues
What is it? A heads up to business patchers.
Does it impact consumers? No. This is only an issue being seen on domain controllers
What is it about? In the November 8th updates (which I haven’t approved yet) installing the updates on your domain controllers could cause authentication issues.
There will be an out of band update released later on this week to fix issues caused by the November updates on domain controllers.
If you have been impacted by these updates and have had to roll back the patches on your domain controllers, hang tight. Help is on the way. I will update the Master Patch list once this update has been released.
See also KB5021131 and KB5020805
Update: Out of band released
Microsoft is releasing Out-of-band (OOB) security updates today, November 17, 2022 for installation on all the Domain Controllers (DCs) in affected environments. This update addresses a known issue which might cause sign in failures or other Kerberos authentication issues. You do not need to install any update or make any changes to other servers or client devices in your environment to resolve this issue. If you used any workaround or mitigations for this issue, they are no longer needed, and we recommend you remove them.
To get the standalone package for these out-of-band updates, search for the KB number in the Microsoft Update Catalog. You can manually import these updates into Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager. For WSUS instructions, see WSUS and the Catalog Site. For Configuration Manager instructions, see Import updates from the Microsoft Update Catalog. Note: The below updates are not available from Windows Update and will not install automatically.
Cumulative updates:
Note: You do not need to apply any previous update before installing these cumulative updates. If you have already installed updates released November 8, 2022, you do not need to uninstall the affected updates before installing any later updates including the updates listed above.
Standalone Updates:
- Windows Server 2012 R2: KB5021653
- Windows Server 2012: KB5021652
- Windows Server 2008 R2 SP1: KB5021651 (released November 18, 2022)
- Windows Server 2008 SP2: KB5021657
Note: If you are using security only updates for these versions of Windows Server, you only need to install these standalone updates for the month of November 2022. Security only updates are not cumulative, and you will also need to install all previous Security only updates to be fully up to date. Monthly rollup updates are cumulative and include security and all quality updates. If you are using Monthly rollup updates, you will need to install both the standalone updates listed above to resolve this issue, and install the Monthly rollups released November 8, 2022 to receive the quality updates for November 2022. If you have already installed updates released November 8, 2022, you do not need to uninstall the affected updates before installing any later updates including the updates listed above.
-
Master Patch List as of November 8, 2022
#PatchTuesday
I’ve updated the Master Patch List for Tuesday’s releases.
It’s too soon at this time to be making recommendations for consumers; I’m still watching for issues.
For businesses, the impact to look out for and keep an eye on are the Kerberos related patches. Already seeing potential issues reported: “but we’re seeing reports where certain auths are failing when users have their msDS-SupportedEncryptionTypes attribute explicitly being set to AES only (decimal 24, hex 0x18).” You may want to do a specific query on your domain controllers to see if you will be impacted — see this KB. Bottom line, be sure you do tests and be aware of authentication issues.
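A sketch of such a query, as an added example that is not from the original post or the KB it links to. It decodes the msDS-SupportedEncryptionTypes bitmask and lists directory objects explicitly set to AES only; it goes slightly beyond the reported value 24 by also flagging 8 and 16 (a single AES type). The function name ConvertFrom-EncTypeMask and the sample values are constructed for the example, and the directory query assumes the ActiveDirectory module (RSAT) is installed.

```powershell
# Added example (not from the original post).
# Kerberos encryption-type bits stored in msDS-SupportedEncryptionTypes.
$EncTypeBits = [ordered]@{
    'DES-CBC-CRC'             = 0x1
    'DES-CBC-MD5'             = 0x2
    'RC4-HMAC'                = 0x4
    'AES128-CTS-HMAC-SHA1-96' = 0x8
    'AES256-CTS-HMAC-SHA1-96' = 0x10
}

# Hypothetical helper: decode a mask and say whether it is "AES only".
# Bits above 0x1F (feature flags) are ignored here.
function ConvertFrom-EncTypeMask {
    param([int]$Mask)
    $names = foreach ($k in $EncTypeBits.Keys) {
        if ($Mask -band $EncTypeBits[$k]) { $k }
    }
    [pscustomobject]@{
        Decimal = $Mask
        Hex     = '0x{0:X}' -f $Mask
        Types   = @($names) -join ', '
        # AES bit(s) set and no DES/RC4 bit set
        AesOnly = (($Mask -band 0x18) -ne 0) -and (($Mask -band 0x07) -eq 0)
    }
}

# Constructed sample values so the decoder can be tried offline:
# 0 = attribute empty, 4 = RC4 only, 24 = the value named in the report, 28 = RC4 + AES.
0, 4, 16, 24, 28 | ForEach-Object { ConvertFrom-EncTypeMask -Mask $_ } | Format-Table -AutoSize

# Live query: every object that has the attribute set, filtered to AES-only values.
if (Get-Command Get-ADObject -ErrorAction SilentlyContinue) {
    Get-ADObject -LDAPFilter '(msDS-SupportedEncryptionTypes=*)' `
                 -Properties 'msDS-SupportedEncryptionTypes' |
        ForEach-Object {
            $d = ConvertFrom-EncTypeMask -Mask $_.'msDS-SupportedEncryptionTypes'
            if ($d.AesOnly) {
                [pscustomobject]@{
                    Name = $_.Name; Class = $_.ObjectClass; Hex = $d.Hex; Types = $d.Types
                }
            }
        }
}
```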
As always, thank you all for supporting the cause! Remember a donation will give you access and if you donate $50 or more you’ll get a special code to enable text messages sent to your phone each time the Master Patch List gets updated and when I change the MS-DEFCON level.