News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon

Blog Archives

  • Patch Lady – light reading for the evening

    Posted on June 13th, 2018 at 21:49 Susan Bradley Comment on the AskWoody Lounge

    For those of you that like to dig a bit deeper into the details of patching, I highly recommend the Zero Day blog.  For those who remember the detailed Microsoft MSRC blogs from years ago, the author is one that USED to write those detailed Microsoft blogs:  Dustin Childs.  Now he works for the Zero day Initiative and writes these fantastic blogs that go a long way to help me understand the risks of *not* patching.

    The other day I said that when the point in time occurs that I’m more scared of *not* patching than I am of patching, that’s the point in time I need to patch.

    So right now, we are day four of the updating process.  I’ve installed updates on a few of my home pcs, I will be rolling an update on a sample (in my office that means ONE) production machine to see if I spot any issues.  I’m watching the forums for side effects.  I’m waiting for Microsoft to fix any metadata detection issues (they already expired KB4284880 as there was a duplicate up there), and I’m basically not approving anything at this time until my testing process is done.  

    But what I am doing is reading and understanding what this month’s updates include.   Here’s my light reading I’m doing tonight:

    https://www.zerodayinitiative.com/blog/2018/6/12/the-june-2018-security-update-review

    The blog post spells out the security issues per CVE or Common Vulnerabilities and Exposures, not per patch.  So while it doesn’t showcase the updates as you can I see them on your computer, (as we see them in one glob per operating system) it does give a way better deep dirty explanation of the overall risks related to not updating so you and I can get a feel for how long we should wait before we update.

    It also helps me to determine what I currently have in place for mitigations or protections that will also give me time to not patch.

    Flash zero day – “primarily targeting the Middle East region and is wrapped in an Office document”.  Okay so I’m not located in the Middle East and I not only warn users about opening attachments, we have email attachment filtering.

    DNS server bug –   “The more likely scenario is simply tricking a target DNS server into querying an evil server that sends the corrupted response”.  In small firms or home users, the way I see this probably used is getting your system to reach out to a malicious DNS server bypassing your DNS entries (or your ISPs).  For servers in large firms that handle handling out DNS inside of a firm, because you can’t always control what your servers connect to, this is one you’ll probably want to patch sooner versus later.

    Http.sys bug – bug in a web service, “A remote attacker could cause code execution by sending a malformed packet to a target server”.  If I’ve got a web server out there, I’ll be testing this and rolling it out sooner versus later.  But we don’t (well, we shouldn’t) run web servers on workstations so this will be lower risk there.

    Cortana bug – “someone close enough to speak to a Cortana-enabled system could execute programs with elevated privileges”  Doesn’t impact Windows 7, and like the Alexa bugs, you have to be local to the machine to do your evil deeds.  Bottom line anything these days that you yell “Hey….” to is being targeted these days because it’s sexy to go after the voice recognition stuff.

    The other thing of interest to me that ran across my radar was YASMB (yet another Spectre Meltdown bug).  This time the v4 bug is NOT enabled by default.  Based on my read it’s due to two things:

    Thing one, it’s another Spectre Meltdown with a performance hit.  As per this blog post “If enabled, we’ve observed a performance impact of approximately 2 to 8 percent based on overall scores for benchmarks.”.  Thing two there are no active attacks and it reads to me that it’s going to be hard to exploit.  Not to say it’s impossible to exploit, but there are lots of other low hanging fruit that they can use to get me.

    There’s a nice recap on the bottom of the portal page that describes which patches are and are not enabled by default in the Spectre/Meltdown patches:

      • After installing Windows updates, refer to the following table for further action to be protected from Spectre/Meltdown vulnerabilities:
    Operating System CVE-2017-5715 CV-2017-5754 CVE-2018-3639
    Windows 10 Enabled by default Enabled by default Disabled by default – see ADV180012
    Windows Server 2016 Disabled by default – see KB4072698 Disabled by default – see KB4072698 Disabled by default – see ADV180012
    Windows 8.1 Enabled by default Enabled by default Not available – see ADV180012
    Windows Server 2012 R2 Disabled by default – see KB4072698 Disabled by default – see KB4072698 Not available – see ADV180012
    Windows RT 8.1 Enabled by default Enabled by default Not available – see ADV180012
    Windows 7 Enabled by default Enabled by default Disabled by default – see ADV180012
    Windows Server 2008 R2 Disabled by default – see KB4072698 Disabled by default – see KB4072698 Disabled by default – see ADV180012
    Windows Server 2008 Disabled by default – see KB4072698 Disabled by default – see KB4072698 Not available – see ADV180012

    I’m still not convinced that on desktops this is as big of an issue we are making it, I still think this is a bigger risk on cloud servers or hosted servers where you may not monitor the access as much as you do on a desktop in front of you.

    Just hot off the presses tonight we have another Intel vulnerability that will make our heads hurt trying to figure out the patches on.  Called Lazy FP State restore vulnerability

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180016

    Intel Releases Security Advisory on Lazy FP State Restore Vulnerability
    06/13/2018 06:47 PM EDT

    Original release date: June 13, 2018

    Intel has released recommendations to address a vulnerability—dubbed Lazy FP state restore—affecting Intel Core-based microprocessors. An attacker could exploit this vulnerability to obtain access to sensitive information.

    NCCIC encourages users and administrators to review Intel’s Security Advisory INTEL-SA-00145, apply the necessary mitigations, and refer to software vendors for appropriate patches, when available.

    At this time Microsoft is still determining updates to be released.  If you have VM’s in Azure they are not affected by this vulnerability.

    All of this just showcases that you can’t just update your operating system these days, you HAVE to update your bios and hardware drivers.

    Here’s another example of hardware patches — Surface 3 has a standalone TPM update tool in order to fix that vulnerability. It can’t come down via Windows update, it has to be done manually.

    Lots of fun.

  • Patch Lady – Microcode updates

    Posted on March 4th, 2018 at 00:30 Susan Bradley Comment on the AskWoody Lounge

    Patch Lady here — Did you happen to catch this gem in this blog about the Microsoft microcode updates?

    There is also a small but subtle difference between firmware updates for the UEFI and a microcode update. A firmware update for the UEFI must be approved by the manufacturer of the motherboard. This update may also include microcode updates. These are loaded from the UEFI firmware into the CPU when the system is started. Pure microcode updates can be rolled out by Microsoft. These microcodes are loaded into the CPU when the operating system is started. The above update is therefore a microcode update, which is reloaded every time Windows starts.

    Interesting. Remember that these updates  are only on the Catalog download site and not on Windows update. The Microsoft blog hints that more of these Microcode updates are on their way.

    The reason for this? Doing firmware updates from afar is fraught with risk and many IT admins don’t have processes in place to remotely patch firmware. There are ways with PDQdeploy and psexec scripts but if you haven’t built up a process, you’d much rather script out the install of a patch rather than the install of a firmware update.  On my home and office machines I’ve become much more comfortable with installing the firmware updates from the manufacturers but I still cross my fingers and hold my breath a bit waiting for the process to complete.

    For those that plan to import these microcode updates into your Server 2016 WSUS, there’s a known issue whereby one can’t import updates into WSUS based on Server 2016 like one is used to in other platforms. As noted on the WSUS blog, you’ll need to edit a bit before you can import the patch.

    So what should you do if you are not a network administrator?  I would still wait for two reasons:

    1. It’s never wise with firmware to be the first one to install. There is no easy way to uninstall a firmware update.
    2. I would watch for side effects and impact.

    For anyone concerned about the impact of Spectre/Meltdown, I’m still not aware of widespread attacks. If you want to add a bit more security to your browsing remember you can put in Browser isolation in Chrome by following their instructions.  Test the impact as it may impact certain web sites, but if you suffer no major issues, I’d probably leave that setting in place.  As is noted on the Chrome blog

    the extra security will help stop the site from stealing your data from another website.

    And that’s a good thing!

  • Microsoft “helps” Intel by releasing KB 4090007, a Spectre 2 microcode update for Win10 1709, Skylake processors only

    Posted on March 1st, 2018 at 13:38 woody Comment on the AskWoody Lounge

    UPDATE: Correcting myself (thanks to the anonymous poster) — this is a microcode update, which is kind of a transient firmware override, for lack of a better description. There’s a more thorough description on the Debian wiki, “Processor microcode is akin to processor firmware. The kernel is able to update the processor’s firmware without the need to update it via a BIOS update. A microcode update is kept in volatile memory, thus the BIOS/UEFI or kernel updates the microcode during every boot.”

    I can’t recall ever seeing Microsoft issue a firmware update (other than a Surface firmware update) as a security patch. This one comes with its own KB, no less.

    The announcement is very specific. KB 4090007 only deals with the Spectre Variant 2 / CVE 2017-5715 (“Branch Target Injection”) mitigation, and only on 6th generation Skylake H/S, U/Y and U23e processors. It’s only for Win10 1709. It’s not a cumulative update.

    And — importantly — it’s an Intel microcode update. Not a Windows patch.

    Says Microsoft:

    We will offer additional microcode updates from Intel as they become available to Microsoft. We will continue to work with chipset and device makers as they offer more vulnerability mitigations.

    which is a noble goal, at least to my way of thinking.

    You won’t get the patch via Automatic Update. If you really, really want to test it on your Win10 1709 / Skylake machine, you can download it from the Microsoft Update Catalog and manually install.

    Spectre v2 is a vulnerability in just about everything — Intel, AMD, ARM. As I’m fond of repeating, neither Meltdown nor Spectre (either variant) has been found in the wild.

    As you might imagine, I’m highly skeptical. I mean… what could possibly go wrong?