Newsletter Archives

• Ensuring you can recover

  Posted on March 13, 2023 at 02:41 CDT by Susan Bradley • Comment in the Forums

  PATCH WATCH

  

  By Susan Bradley

  Anyone reading the title of this edition of Patch Watch may think I’m talking about a Windows update issue.

  But no matter what your technology, I want to remind you that having a backup means that you will be able to recover.

  A good friend of mine, totally ensconced in the Apple world, reported that her older Apple computer running Monterey was not a happy camper. She had been traveling and did not want to install updates. Once at home after her travels, she attempted to update. That’s when the “fun” started.

  Read the full story in our Plus Newsletter (20.11.0, 2023-03-13).

  Patch Watch backup, Group Policy Editor, Intel, Newsletters, Patch Lady Posts, Reinstall, Upgrade blocking, Zero Day

• Zero day in office – but don’t panic

  Posted on May 31, 2022 at 15:38 CDT by Susan Bradley • Comment in the Forums

  Microsoft Releases Workaround Guidance for MSDT “Follina”; Vulnerability

  05/31/2022 11:11 AM EDT

  Original release date: May 31, 2022

  Microsoft has released workaround guidance to address a remote code execution (RCE) vulnerability—CVE-2022-30190, known as “Follina”—affecting the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated attacker could exploit this vulnerability to take control of an affected system. Microsoft has reported active exploitation of this vulnerability in the wild.

  CISA urges users and administrators to review Microsoft’s Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability and apply the necessary workaround.

  ---

  Here at Askwoody we are a bit more savvy.  WE DON’T OPEN THINGS WE AREN’T EXPECTING.  That said if you do want to proactively protect yourself ….

  Group policy fix – Just disable “Troubleshooting wizards” by GPO  see the location here:

  Registry fix:

  click on the search box, type in cmd

  Right mouse click on cmd in the menu bar to RUN AS ADMIN

  type in reg delete HKEY_CLASSES_ROOT\ms-msdt /f

  Click enter

  

  If you want to restore it back:

  This registry key will restore the troubleshooting wizard – link here

  Click on the downloads, double click to launch, follow the slightly scary instructions to import the registry key back in.

  =================

  Update 6/1/2022

  Now the URI for Search is being abused.

  Once again if you want to proactively protect yourself

  Run Command Prompt as Administrator.

  Execute the command “reg delete HKEY_CLASSES_ROOT\search-ms /f”

  

  If you want to restore it back, click here

  Windows Security MS-DEFCON, Patch Lady Posts, Zero Day

• Understanding the zero days

  Posted on March 7, 2022 at 02:42 CST by Susan Bradley • Comment in the Forums

  PATCH WATCH

  

  By Susan Bradley

  What do attackers go after?

  If you take a look at the known, exploited vulnerability listing as put out by the Cybersecurity & Infrastructure Security Agency, you’ll find that the list is long and confusing. Even if you cut it down to just Microsoft and Apple, it’s still a bit overwhelming, to say the least.

  I’m going to focus on two bugs, to showcase differences in how the attacks occur on Windows and Apple and what the attackers are going after.

  Read the full story in the AskWoody Plus Newsletter 19.10.0 (2022-03-07).

  AskWoody Plus Newsletter, Patch Watch AskWoody Plus Newsletter, Patch Lady Posts, Patch Watch, Ransomware, Zero Day

• Zero day for Windows 7

  Posted on November 25, 2020 at 12:11 CST by Susan Bradley • Comment in the Forums

  Bleeping computer reports that 0-patch is releasing a fix for a zero day in Windows 7 and server 2008 R2.

  I haven’t yet seen an out of band patch released to Windows 7 ESUs but I’ll keep you posted.

  One clarification on that post, Sergiu says “At the moment, only small-and-midsize businesses or organizations with volume-licensing agreements can get an ESU license until January 2023.”  You actually don’t need a volume licensing agreement in order to buy Windows 7 patches.  Amy Babinchak is still selling Windows 7 ESUs and for anyone who bought them last year, she’ll be contacting you to see if you want the updates again this year.  Microsoft hasn’t yet set it up so that the 2021 Windows  7 ESUs are on their price list, but I’m guessing December 1st is when they will post it to the price list.  It’s expected to be twice the price of last years.

  Windows 7, Windows Patches/Security 0patch, Patch Lady Posts, Zero Day

• Patch lady – targeted attacks using zero day

  Posted on October 30, 2020 at 14:24 CDT by Susan Bradley • Comment in the Forums

  Per https://www.zdnet.com/article/google-discloses-windows-zero-day-exploited-in-the-wild/:

  and per https://www.bleepingcomputer.com/news/security/windows-kernel-zero-day-vulnerability-used-in-targeted-attacks/

  On Twitter, Hawkes said the Windows zero-day (tracked as CVE-2020-17087) was used as part of a two-punch attack, together with another a Chrome zero-day (tracked as CVE-2020-15999) that his team disclosed last week.

  “We have confirmed with the Director of Google’s Threat Analysis Group, Shane Huntley, that this is targeted exploitation and this is not related to any US election-related targeting.”

  It will be patched November 10th.

  So the good news is that this is targeted only – not by us mere mortals.  Until then keep your tinfoil on and in the ready mode

  Windows 10 0day, Patch Lady Posts, Zero Day

• SandboxEscaper drops another Win10 0day on Twitter

  Posted on October 24, 2018 at 09:38 CDT by woody • Comment in the Forums

  Remember the Task Scheduler ALPC 0day dropped on Twitter at the end of August?

  The same gal, @SandboxEscaper, just dropped another one. On Twitter. No forewarning. No chance for Microsoft to fix it.

  Catalin Cimpanu has a good overview on ZDNet.

  It’s another privilege elevation attack, which means the attacker has to be running on your machine before it kicks in, and the 0day can be used to change the running code from standard to admin.

  The PoC, in particular, was coded to delete files for which a user would normally need admin privileges to do so. With the appropriate modifications, other actions can be taken, experts believe.

  That makes it very mean, but not yet a potent attack.

  Kevin Beaumon, @GossiTheDog, has taken a look at it:

  So this works. Windows 10 and Server 2016 (and 2019) only. It’s similar to Task Scheduler exploit, it allows non-admins to delete any file by abusing a new Windows service not checking permissions again. https://t.co/q45Qj3DGSS

  — Kevin Beaumont (@GossiTheDog) October 23, 2018

  I’ll update this post with the CVE number as soon as I have it.

  Windows Patches/Security Data Sharing Service, SandboxEscaper, Zero Day

• Details on the Task Scheduler ALPC zero-day

  Posted on August 28, 2018 at 07:59 CDT by woody • Comment in the Forums

  Kevin Beaumont (@GossiTheDog) just published an excellent overview of the newly touted ALPC zero-day in Task Scheduler. Complete with working exploit code.

  The flaw is that the Task Scheduler API function SchRpcSetSecurity fails to check permissions. So anybody — even a guest — can call it and set file permissions on anything locally.

  It’s a privilege escalation bug, allowing an offending program to leapfrog itself from running in user mode to take over the machine.

  Catalin Cimpanu on Bleeping Computer posted the initial revelation from @SandboxEscaper, who posted original exploit code on GitHub, then deleted their Twitter account.

  Nothing to worry about yet, but expect to see a fix for all versions of Windows before too long.

  Windows Patches/Security ALPC, Zero Day

• Patch Lady – Flash update out on June 7th

  Posted on June 7, 2018 at 14:39 CDT by Susan Bradley • Comment in the Forums

  Be aware that today a Flash update has been released.  For those of you on Windows 7 you will need to either look to a prompt or go to the Adobe flash page for your update.  For those on 10, and 8.1 you get your update from Microsoft.

  https://support.microsoft.com/en-us/help/4287903/security-update-for-adobe-flash-player

  “Adobe is aware of a report that an exploit for CVE-2018-5002 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash Player content distributed via email.”

  Generally speaking it’s wise to ensure these flash updates are installed as soon as possible.  Kirsty’s got the links for you here:

   

  Windows Patches/Security Flash, Patch Lady Posts, Zero Day

• Pwnfest brings two zero-day system level hacks of Edge

  Posted on November 11, 2016 at 11:20 CST by woody • Comment in the Forums

  So much for the most secure browser ever.

  Darren Pauli at The Register reports that two Win10 1607 ( = Anniversary Update = Redstone 1) machines updated to this week’s security patch level were pwned in separate hacks.

  It’s become a lucrative hobby. $140,000 each to Qihoo 360 (China) and LokiHardt (South Korea).

  There’s also a hack using Flash on Edge on Win10 1607.

  Windows Patches/Security Zero Day

• Microsoft’s latest Word security hole, KB 2953095, is part of an on-going embarrassment

  Posted on March 25, 2014 at 21:46 CDT by woody • Comment in the Forums

  Has everybody forgotten that RTF – the sticking point in the latest zero-day, and dozens of zero-days before it – was invented and controlled by Microsoft?

  InfoWorld Tech Watch.

  Office Patches/Security 0day, KB 2953095, RTF, Word, Zero Day

• If you use IE9 or IE10, Security Advisory 2934088 says get patched now

  Posted on February 20, 2014 at 22:16 CST by woody • Comment in the Forums

  There’s a Fixit…

  InfoWorld TechWatch

  Uncategorized IE 10, IE 9, Internet Explorer, KB 2934088, Zero Day

• In minimizing zero-days, Microsoft misses the point

  Posted on October 13, 2011 at 06:32 CDT by woody • Comment in the Forums

  They may not be numerous, but they’re dangerous.

  InfoWorld Tech Watch.

  Windows Patches/Security 0day, Zero Day
• « Older Entries