Newsletter Archives

  • MS-DEFCON 4: Get the May 2020 patches installed now

    Although there have been screaming headlines about bugs in May’s patches, neither Susan nor I have detected any pattern – with two exceptions.

    • We’re still seeing the “temporary profile” bug, where machines come back after installing the latest cumulative update, and the user logs into a brand new profile. As a result, their icons are all wrong, some data appears to be missing (but it isn’t), and pandemonium reigns.
    • There seems to be some sort of problem with audio drivers. I haven’t figured out if it’s specifically the cumulative update, drivers that sneak in, or some combination thereof.

    As usual, Windows 8.1 remains the most stable version of Windows – unless you’re running Windows 7 and paying for Extended Security Updates.

    Details on safely updating your machine in Computerworld Woody on Windows.

    From the article:

    I’m assuming that you don’t voluntarily jump down the rabbit hole and join the unpaid beta testers working on Windows 10 version 2004 – the May 2020 Update. It’s kicking up all sorts of problems – but that’s no reason to hold off on the May patches.

    We’re now at MS-DEFCON 4: There are known problems, but go ahead and patch.

  • Where we stand with the May 2020 patches

    What a month!

    From an undocumented drive-by “Intel” microcode patch to an unannounced zero-day (which didn’t turn out to be very pressing), to five documented but ho-hum zero-days, more audio problems, a conflict with HP’s software that threw a BSoD, and an Office 365 Click-to-Run bug that took a day to patch, it’s never a dull moment.

    Details in Computerworld Woody on Windows.

  • 0patch posts a patch for the “PrintDemon” security hole CVE-2020-1048

    I still haven’t seen any in-the-wild exploits for the security hole announced last week, PrintDemon or CVE-2020-1048 — and I still don’t recommend that you install this month’s patches — but those of you running Windows 7 without the paid Extended Security Updates should take note of the latest “micropatch” offering from 0patch.

    According to the 0patch blog:

    Windows 7 and Server 2008 R2 users without Extended Security Updates have just received a micropatch [from 0patch] for CVE-2020-1048, a privilege elevation vulnerability allowing a local non-admin attacker to create an arbitrary file in an arbitrary location.

    When time comes to install this month’s patches, if you don’t have Win7 Extended Security Updates, you should keep this micropatch in mind. (It’s OK, I’ll remind you if you forget.)

    Just a reminder: We’re still at MS-DEFCON 2. There are no widespread threats out and about and you don’t need to patch just yet. Go outside and get some fresh air. At a distance, of course.

    Thx @etguenni

  • Windows Latest: The May Win10 1903/1909 cumulative update knocks around audio drivers — and the misplaced data/temporary profile bug is still there

    Mayank Parmar at Windows Latest has an all-too-familiar round up of problems with this month’s Win10 version 1903 and 1909 cumulative update, KB 4556799:

    Users running Windows 10 May 2019 Update (Win10 version 1903) and November 2019 Update (Win10 version 1909) are reporting that the update is a serious fail with a wide range of issues including a broken audio adapter, temporary user profile, Blue Screen of Death, and even an uninformative error message during the installation process.

    As was the case last month, there are swarms of bug reports about this month’s cumulative update, running all over the web.

    As was the case last month, it isn’t clear how widespread the problems might be. Microsoft — assuming it knows the extent of the damage — isn’t saying anything. Of course.

    For details, see Parmar’s article, but the gist is:

    • Realtek (and possibly other) audio drivers get scrambled. Parmar has a workaround.
    • Microsoft still hasn’t fixed the temporary profile “missing data” bug that we’ve been railing about for months. MS hasn’t even acknowledged the bug, even though it’s been reported extensively on the Microsoft Answers forum, the Microsoft-posted Win10 Reddit thread and in the Microsoft Feedback Hub.
    • There’s a wide array of blue screens, installation failures, and miscellaneous update halitosis.

    Can you corroborate any of the problems?

    Of course, we remain on MS-DEFCON 2. There’s no reason for “normal” Windows users to install this month’s patches. Yet.

  • On the radar: An exploit for CVE-2020-1048, Windows Print Spooler elevation of privilege

    It isn’t yet time to go screaming for the exits, but there’s an important analysis of the CVE-2020-1048 security hole, patched in this month’s Patch Tuesday crop. Yarden Shafir and Alex Ionescu dive deep into the “PrintDemon” vulnerability in Windows Internals.

    We can finally talk about some of the very exciting technical details of the Windows Print Spooler, and interesting ways it can be used to elevate privileges, bypass EDR rules, gain persistence, and more. Ironically, the Print Spooler continues to be one of the oldest Windows components that still hasn’t gotten much scrutiny, even though it’s largely unchanged since Windows NT 4, and was even famously abused by Stuxnet

    At this point, Shafir and Ionescu have found a way to use the hole with an (unprivileged!) PowerShell command:

    Add-PrinterPort -Name c:\windows\system32\ualapi.dll

    At this point the attack code has to be typed into a machine, so the hole is a long way from being weaponized in a mainstream attack. But I’ll definitely be watching to see if it turns into something you need to be worried about.
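    The one-liner above only shows the attacker's side. As an added audit check (this is not code from the original post or from the Windows Internals write-up), the script below lists printer ports whose names look like filesystem paths, which is the artifact that `Add-PrinterPort -Name <path>` leaves behind. It assumes the PrintManagement module (Windows 8 / Server 2012 or later) and reads the "Local Port" monitor's registry key, where such ports are persisted; the regular expressions for "benign" port names are my own assumption and may need extending for print-to-file software that legitimately creates path-named ports.

```powershell
# Added audit example; not part of the original post or the PrintDemon write-up.
# Lists printer ports whose name parses as a drive-letter or UNC path, i.e. what an
# unprivileged "Add-PrinterPort -Name c:\...\something.dll" leaves on the system.
# Assumptions: PrintManagement module available; the registry key below is where
# the Local Port monitor persists its ports. Get-PrinterPort works as a standard
# user; reading HKLM is more reliable from an elevated prompt.

# Port names the Local Port monitor uses legitimately (assumed list; extend as needed).
$benign   = '^(LPT\d+:|COM\d+:|FILE:|PORTPROMPT:|nul:|SHRFAX:)$'
# Anything starting with "X:\" or "\\" is a path, not a port, and deserves a look.
$pathLike = '^(?:[A-Za-z]:\\|\\\\)'

function Find-SuspiciousPrinterPort {
    $hits = @()

    # 1. What the spooler currently reports.
    foreach ($p in (Get-PrinterPort -ErrorAction SilentlyContinue)) {
        if ($p.Name -match $pathLike -and $p.Name -notmatch $benign) {
            $hits += [pscustomobject]@{
                Source  = 'Get-PrinterPort'
                Port    = $p.Name
                Monitor = $p.PortMonitor
            }
        }
    }

    # 2. What is persisted for the Local Port monitor (survives reboots).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port\Ports'
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        $names = $props.PSObject.Properties |
                 Where-Object { $_.Name -notlike 'PS*' } |   # drop PSPath, PSDrive, ...
                 ForEach-Object { $_.Name }
        foreach ($name in $names) {
            if ($name -match $pathLike -and $name -notmatch $benign) {
                $hits += [pscustomobject]@{
                    Source  = 'Registry'
                    Port    = $name
                    Monitor = 'Local Port'
                }
            }
        }
    }

    $hits
}

$found = Find-SuspiciousPrinterPort
if ($found) {
    $found | Sort-Object Port -Unique | Format-Table -AutoSize
    # A planted port can be removed with: Remove-PrinterPort -Name '<port>'  (needs admin)
} else {
    'No printer ports that look like file paths.'
}
```

    A hit is not proof of compromise: print-to-file utilities do create path-named ports. What matters is a path under a system directory, especially one ending in .dll or .exe, on a machine where no such software was installed, and whether the file at that path actually exists and who owns it.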

    Thx, @endi24

    UPDATE: Interesting take from Rob VandenBrink on the ISC Storm Center.

    Microsoft rated this as:

    Disclosed: NO
    Exploited: NO
    Exploitability (old and new versions) Exploitation Less Likely

    Unfortunately, this vulnerability was actually disclosed to Microsoft by the research community (see below), so the code to exploit it absolutely does exist and was disclosed, and a full write-up was posted as soon as the patch came out… Don’t put too much stock in risk ratings assigned to patches. “Lows” and “Mediums” can bite you just as badly as vulnerabilities rated as “High”. This goes for patches as well as scan results or pentest results. If your policy is to patch only Severe and High rated issues, you’ll pay for that eventually.

    I just looked at the CVE article again and, sure enough, it’s still listed as not disclosed, not exploited, and Exploitation less likely.

    ANOTHER UPDATE: Vess Bontchev and Nathan McNulty are trying to figure out how to make it work on Win7. No success report as yet.

  • Many reports of errors when trying to install the latest .NET patch on Win7 systems with Extended Security Updates enabled

    Looks like a clunker.

    @BobT reports:

    KB4556399 (Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 7 SP1 and Windows Server 2008 R2 SP1) is failing with error 643 for me and many others on the MyDigitalLife forum.

    W7 Ultimate x64.

    And sure enough, MDL is lit up. See the lengthy list of problems starting here.

    Bottom line: Even if you’ve paid for Win7 Extended Security Updates, wait for MS to re-issue KB4556399.

    Susan edit:  This appears to only fail if you have used the bypass script.  On a Windows 7 with an ESU key it installs just fine.

  • May 2020 Patch Tuesday rolls out

    The KB articles are out

    Microsoft Update Catalog has 241 new entries. (Five others date from earlier this month.)

    According to the KB article, Win10 1909 is getting the same fixes as Win10 1903. That’s good news, especially for those of us who have moved to 1909.

    Dustin Childs at Trend Micro’s Zero Day Initiative (ZDI) reports:

    111 CVEs, 16 are rated Critical and 95 are rated Important in severity. Eleven of these CVEs were reported through the ZDI program. None of the bugs being patched are listed as being publicly known or under active attack at the time of release.

    Childs gives special recognition to CVE-2020-1071, which requires physical access to a computer (say, a computer in a publicly accessible location); CVE-2020-1067, an attack that requires access to a domain user account; and CVE-2020-1118, an exploit that’ll remotely shut down a computer.

    Lawrence Abrams has a comprehensive, easily accessible list on BleepingComputer.

    Let’s see if we get any new bugs this month.

    For those of you running the beta version of Win10 2004, there’s a patch waiting just for you — KB 4556803, which brings your build number up to 19041.264. Noteworthy improvements include “updated the 2020 start date for daylight saving time (DST) in the Kingdom of Morocco.”

    Bottom line: No need to install the May updates yet. (You got the April updates installed, right?)

  • MS-DEFCON 2: Make sure Windows has been set to pause updating

    I’m not expecting a particularly interesting or difficult Patch Tuesday, but ya never know.

    It’s time to make sure your machine’s set to hold off on patching, for the time being. Let’s sit back and see what surprises await.

    (Or, if you’re in a pioneering mood, set Windows Update free, and report back to us if you hit any snags!)

    Step-by-step details in Computerworld Woody on Windows.