News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon

Blog Archives

  • Patch Lady – countdown reminder

    Posted on October 20th, 2019 at 21:40 Susan Bradley Comment on the AskWoody Lounge

    Spotted this web site tonight:

    86 days and counting

  • Patch Lady – okay Microsoft, how about you help?

    Posted on October 19th, 2019 at 19:22 Susan Bradley Comment on the AskWoody Lounge

    So the other day the only place I could find solid actionable information about the risk of attacks from the IE zero day was on a Microsoft 365 ATP E5 console called the Threat analytics dashboard.  It was the only place that gave me information that assured me that we could wait until the issues with the patches were dealt with and we didn’t need to rush to patch.  Today I went to the console and saw there was a new alert.  At the bottom of the alert is brand new wording:

    © Microsoft 2019. All rights reserved. Reproduction or distribution of the content of this site, or any part thereof, without written permission of Microsoft is prohibited

    Sigh.  So there goes another resource that Microsoft is limiting access to just certain paying customers.  Once upon a time Microsoft gave actionable information that helped administrators of all sizes to make smarter decisions about security and the risks they face.  They told everyone ahead of time on the Thursday before the second Tuesday the types of patches to expect.  They had webcasts open to all customers to help all of us understand how to deploy updates better.

    Now we have a MSRC blog that just tells us to turn on automatic updates and provides no overall discussion about risks.  Thanks guys, but I rushed out that out of band update and spent several HOURS fitzing with printers, updating drivers,  removing the update – and in one case had to roll the entire workstation back to the week before to get printing working again.  Customers with premier support contracts are the only folks that still get security guidance webcasts.  Customers with premier support contracts still get the security patch heads up email on the Thursday before Patch Tuesday.

    We’re told by Microsoft that Patching is a social responsibility.  Well yes, Microsoft it is.  And you have a social responsibility to all of your customers large and small to treat their IT assets with respect.  You need to do the right thing and release better patches that don’t break printing (as a recent sample of impact) and you need to release better information to all customers to help us understand the risks of not patching as well as patching.  You have a responsibility to all of your customers, and not just those with premier support contracts.

  • Patch Lady – did Xfinity go too far?

    Posted on October 14th, 2019 at 15:13 Susan Bradley Comment on the AskWoody Lounge

    So this weekend I was channel surfing and an old movie I remember watching was on Turner Classic Movies…. and those of you that are Xfinity customers can probably already guess at what I’m about to say next …. and it prompted me to subscribe to the channel.  Mind you it was part of my 261+ channels just days ago.

    The cord cutting wars are heating up and Xfinity may have gone too far this time.  Already there’s a 17 plus page complaint thread on the Xfinity forums, there’s a petition, and there’s numerous twitter feeds complaining about moving TCM out of the main line up to a “Sports and Entertainment package” at an additional $9.99 a month fee in addition to the price for the basic service.

    Disney has a new streaming service.  Apple is coming online with theirs.  Netflix stock price is down.  And the biggest loser?  Us.  Us and simplicity.  Instead we’re getting higher prices and complexity.

    The other day my Sister (whom I share a house and the technology with) joked that she needed to die first because if I went first there would be no way for her to just “watch” something.   You need umpteen remotes, you need a strong internet that every now and then need rebooting because some update to your ISP provider router messes it up every now and then.  Want to know what you need to launch to watch THAT?  You need a manual to list where what streaming service is located where.

    And it’s not cheaper.  And our need for speed just keeps increasing every year with more things cloud only, patches larger, and our requirement for always on world.

    So I’ll be calling Xfinity to join my fellow users in complaining about this decision, asking for a rebundling, demanding better pricing.  I won’t get any of it, but it will make me feel slightly better.

    Venting about it here helps too.  What about your ISP and entertainment options?  Are they getting better or worse for you?

  • Patch Lady – printing problems

    Posted on October 7th, 2019 at 13:37 Susan Bradley Comment on the AskWoody Lounge

    So remember how I said I saw no issues?  Well….. not so fast.  And it showcases why testing patches is hard.  I rolled out the update over the weekend.  And while 99.99999% of the printers in the office had no issues, one printer on one workstation, is having issues.  I’m getting a “The Hewlett-Packard HP Color LaserJet M553 print server may be offline or network problems may be preventing a connection to the print server” when I attempt to print inside of one of our line of business applications.  Removed
    and it functions again. So I can personally confirm that printing problems exist but are extremely hit and miss.  I’ve opened up support case 119100724005655 and will keep you posted.  Note that I doubt the issue will be fixed in time for tomorrow’s update release.

  • Patch Lady – what’s the real risk?

    Posted on October 4th, 2019 at 23:28 Susan Bradley Comment on the AskWoody Lounge

    So the zero day IE is finally out as an out of band patch.  On the Windows Defender security portal (1) they talk about the risk of this zero day….

    For attacks to be successful, targets will need to use Internet Explorer or another application that utilizes the Internet Explorer scripting engine to open a link containing the exploit. Initial reports of attacks indicate the use of Microsoft Word documents (.docx) with lure content that entice recipients to click on malicious links. If the links are launched by Internet Explorer—the default web browser on machines running older platforms like Windows 7—exploitation can occur.

    This analysis is based on limited, initial reports about actual attacks that exploit this vulnerability.

    Customers have encountered Microsoft Word documents (.docx) containing a link to web pages with exploit code for CVE-2019-1367. Although other distribution mechanisms are possible, we have observed attacks distributing the documents as attachments on spear-phishing emails.

    The documents themselves have been socially engineered with lure content—mostly around Middle Eastern and North African affairs—that entices recipients into clicking an embedded video element that is a link to external content. On many machines that run older platforms such as Windows 7, the link opens on Internet Explorer by default. Once the malicious link opens on a vulnerable instance of Internet Explorer, exploitation can occur, allowing attackers to run arbitrary code in the context of the current user.

    In known attacks, the exploit runs malicious code that does the following:

    • Uses an elevation of privilege (EoP) technique abusing the Web Proxy Auto Discovery (WDAP) protocol
    • Downloads and runs a malicious executable cqe.exe (detected as Trojan:Win32/Hevor.A!dha)

    The executable, which now serves as an initial implant, then proceeds to download other payloads from another location.


    Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

    • Prioritize installation of the security update for CVE-2019-1367. The update is automatically deployed as a required update through Microsoft Update and the WSUS catalog. Customers with automatic updates turned on don’t need to take additional action.
    • On machines that could not install the security updates, consider restricting access to JScript.dll to prevent exploitation. See the workaround in the CVE-2019-1367 advisory.
    • Use Office 365 ATP for enhanced phishing protection and coverage against new threats and polymorphic variants. Office 365 ATP customers should ensure that Safe Links protection is enabled for users with Zero-hour Auto Purge (ZAP) to remove emails when a URL gets weaponized post-delivery.
    • To take advantage of a modern web viewer for Office 365 applications, customers are encouraged to upgrade to Office 365 version 16.0.11629 and Windows 10 version 1903. With these or newer versions, Office 365 applications use Microsoft Edge WebView to load web content instead of Internet Explorer, which is affected by this vulnerability.
    • To prevent exploitation of WPAD, upgrade to Windows 10 version 1809 or newer.
    • Block external content in Word documents by enabling the Group Policy Object (GPO) Allow Online Videos to play within Word under User Configuration > Administrative Templates > Microsoft Word 2016 > Word Options > General. This GPO is available only upon installation of the Microsoft Word 2016 update described in KB4462193 or a later cumulative update.
    • Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
    • Turn on attack surface reduction rules, including rules that can block process creation initiated by Office applications and rules that can block scripts (JavaScript and VBScript) from launching downloaded executable content.
    • Turn on network protection to block connections to malicious domains and IP addresses.
    • Customers are encouraged to use Microsoft Edge or other modern web browsers where possible. For tasks that require Internet Explorer, customers should limit its use to these tasks and set a different application as the default browser.
    • Educate end users about preventing malware infections by ignoring or deleting unsolicited and unexpected emails.

    So … the risk is from targeted emails, the risk is opening .doc files, the risk is higher on machines 1803 and older (Windows 7).

    So I don’t see this as great of a risk to you and me.

    (1) you have to be a subscriber to the Microsoft Defender ATP license (E5) in order to get to the original link.


  • Patch Lady – Internet Explorer out of band

    Posted on October 3rd, 2019 at 21:59 Susan Bradley Comment on the AskWoody Lounge

    Stay tuned.  We’re in the process of updating the master Patch Lists.  I’ve been testing the out of band Internet Explorer update and I’m not seeing any start menu issues.

    I’m giving the go ahead to roll it out in my office, stay tuned there’s a special edition coming to you soon.

    This time it’s really an out of  band update.  And that’s good for all of us.

  • Patch Lady – 31 days of security

    Posted on October 1st, 2019 at 23:59 Susan Bradley Comment on the AskWoody Lounge

    October is the national cyber security awareness month and I’m kicking off the month by linking to another author.  John Opdenakker posts about why everyone should care about online security.

    Are you making any changes to your online security due to what’s going on?  I know that I’m adding more multi-factor authentication to my accounts.  What about you?


  • Patch Lady – the optional 1903 that includes the IE patch is out

    Posted on September 26th, 2019 at 16:44 Susan Bradley Comment on the AskWoody Lounge

    …and I’m not installing it.  Which is saying a lot since I’m an Enterprise Security MVP and normally understand why Microsoft does what they do to keep us safe even though I don’t agree with it all the time.

    Microsoft just released

    And released a servicing stack update

    For those keeping track this is the “D” week release, meaning it’s optional…. HOWEVER…. this INCLUDES the out of band IE update released on 9/23 which was not released on Windows update or WSUS and is only available on the catalog site.  There are two side effects that have been noted and reproduced by several on the patching community (can’t install .net 3.5, and early reports of printing issues).   Support cases are still in the process of being set up so it will take a bit of time to get these documented as known issues or at least better understood if there are interactions going on with something else.

    I still can’t figure out why the out of band update is NOT on Windows update or WSUS and if Microsoft is THAT worried about it being a risk for all of us, then I’d say they need to get their act together and fix WU and WSUS as deployment mechanisms.

    This time I do not understand why Microsoft is not doing what they should do if they truly think we are at risk.  All they have done is let the attackers get the ability to understand the vulnerability and have not done their part to keep the masses safe from this risk.  Given that I do not see evidence of anything but targeted specific attacks and not rank and file mass attacks, I’m recommending that you not install anything that includes these out of band IE updates at this time.

    In the meantime, I too am starting to sound more and more like … “hey… you there.. get off my lawn”