Category Archives: Microsoft

Patch Tuesday for November 2017

According to Microsoft’s announcement, the November updates include patches for Internet Explorer, Edge, Windows, Office, and .NET. As usual, you have to dig into the rather awkward Security Update Guide to find additional details.

My analysis of the SUG reveals that there are fifty-three bulletins, addressing fifty-four vulnerabilities across the usual range of products. Sixteen of the vulnerabilities are flagged Critical.

If you’re interested in performing your own analysis, I strongly suggest avoiding the cumbersome SUG interface. Instead, locate the almost hidden ‘Download’ link at the top right of the updates grid and click that to open the data in Excel. From there you can use Excel’s filtering tools to wrestle the update information into more manageable lists.

KRACK Wi-Fi vulnerability: what you need to know

Last week, security researchers identified a series of vulnerabilities affecting almost all Wi-Fi devices, from computers to refrigerators. The vulnerability could allow attackers to intercept wireless communications and potentially steal credentials and other sensitive information. The vulnerabilities are collectively referred to as KRACK.

The good news is that computers running Windows and Linux already have patches available. Microsoft included fixes in the October 2017 Patch Tuesday updates.

Apple says that fixes are ready for MacOS, but there’s no word on exactly when they will actually be made available.

The bad news is that mobile devices, particularly those that run Google’s Android operating system, are vulnerable, and in some cases, might stay that way indefinitely. That’s because even though Google has prepared fixes for Android, those fixes won’t get to devices made by other vendors until those vendors make them available. Some vendors are better than others at pushing updates to their devices. Worse, some devices running older O/S versions may never get updates at all, rendering them permanently insecure.

There are mitigating factors. First, because of the responsible way in which these vulnerabilities were reported, Microsoft and other major players have had time to develop fixes, while details of the vulnerabilities were kept relatively secret until recently. That means we have a head start on the bad guys this time.

Second, exploiting these vulnerabilities requires close proximity. Attacks based on these vulnerabilities can’t be executed over the Internet.

Use caution with unpatched devices

If you use a public Wi-Fi access point with an unpatched device, you’re exposed. So until patches for your device become available, you might want to disable its Wi-Fi when you’re not at home. Most devices have settings that prevent automatically connecting to Wi-Fi networks it finds in the vicinity.

IoT devices may remain vulnerable forever

‘Internet of Things’ (IoT) devices, including thermostats, cars, appliances, and basically anything that can have a computer stuffed into it, often connect to the Internet using Wi-Fi. There are no security standards for IoT devices yet, and many are extremely unlikely to ever be patched.

Recommendation: identify all of your IoT devices that have the ability to connect to the Internet. For each, make sure that you’re using a wired connection, or disable networking completely, if possible. As for devices that connect to the Internet via Wi-Fi and cannot or won’t be patched or disabled, consider taking them to the nearest landfill.

References

October 10, 2017: Patch Tuesday

Imagine a world in which there were no software updates; no security vulnerabilities; no bugs at all. The idea of such a place makes me happy. This utopia is destined to remain a fantasy, sadly. All software has bugs, and that will never change.

Inspection of Microsoft’s Security Update Guide (SUG) as of 10am today shows the usual massive list of updates, only some of which will affect most of us. You can wade into that if you have some time and access to painkillers, or you can download the list and open it in Excel, which is a lot easier to work with, and is what I do.

Analysis of the update data shows that there are fifty updates this month. Sixteen of those updates are flagged as Critical. A total of sixty-seven vulnerabilities in Windows, Office, Internet Explorer, and Edge are addressed.

As usual, the announcement of this month’s updates does little more than tell us what we already knew: that there are updates today, and where to find them.

Time to patch those computers!

Update 2017Oct11: The Register points out that while vulnerabilities affecting Windows 10 are being patched by Microsoft as soon as they are identified, Windows 7 and 8 systems don’t get those updates until the next Patch Tuesday. This creates an opportunity for malicious persons to analyze the Windows 10 updates and create exploits that work on Windows 7 and 8.

Patch Tuesday for September 2017

This month’s updates from Microsoft include a patch for a nasty zero-day vulnerability in the .NET framework.

The announcement for this batch of updates is of course just a link to the Security Update Guide, where it’s up to the user to wade through piles of information and determine what’s relevant.

Here’s what I’ve been able to glean from my explorations: there are ninety-four updates, affecting Internet Explorer, Edge, Windows, Office, Adobe Flash Player, Skype, and the .NET Framework. A total of eighty-five vulnerabilities are addressed, twenty-nine of which are flagged as Critical.

As you may have guessed, this month we also have yet another new version of Flash. Microsoft included the new version in updates for Edge and Internet Explorer, and Chrome will get the new version via its internal auto-updater. Desktop Flash users should visit the main Flash page to get the new version. Flash 27.0.0.130 addresses two critical vulnerabilities in previous versions.

Windows 10 Pro for Workstations

Microsoft WindowsSince the release of Windows 10, Microsoft has received feedback from certain users, to the effect that the O/S doesn’t meet the “demanding needs of mission critical and compute intensive workloads.” It either doesn’t detect, or simply doesn’t use the capabilities of some types of high-performance hardware.

Microsoft’s answer to that feedback is Windows 10 Pro for Workstations, which will become available for testing soon, via the Insider Preview program.

The new version of Windows 10 includes the ReFS filesystem, which is supposed to be much more resilient than the NTFS filesystem used by standard Windows. It also includes support for non-volatile NVDIMM-N memory modules, which provide high-speed access to files. SMB Direct provides a faster file sharing mechanism. There’s also more support for high performance hardware, including server-grade Intel Xeon and AMD Opteron processors, up to four CPUs (regular Windows is limited to two) and memory up to 6TB (regular Windows is limited to 2TB).

High-end system builders, and people running high-performance niche applications may find these features useful, but I suspect that most people won’t be interested, especially as the new version is likely to be rather expensive, as is the related hardware.

There’s no word yet on whether privacy-related instrumentation will be any easier to disable in Windows 10 Pro for Workstations, or whether system administrators will be able to control which updates are installed, or disable auto-update completely.

Patch Tuesday for August 2017

It’s once again time for the monthly headache otherwise known as Patch Tuesday.

As you’re no doubt aware from my previous whining, Microsoft no longer publishes a bulletin for each update, and finding useful information in the Security Update Guide is awkward at best. It feels like Microsoft is trying to get everyone to just give up and enable auto-update. Of course with Windows 10 you no longer have a choice: you get updates when Microsoft wants you to have them. Which is one of the reasons I don’t use that particular O/S.

From my analysis of the Security Update Guide‘s entries for August 2017, it appears that we have thirty-nine updates, addressing fifty-three vulnerabilities in Internet Explorer, Edge, Windows, SharePoint, Adobe Flash Player, and SQL Server. Eighteen of the updates are flagged as Critical. Time to fire up Windows Update on all your Windows 8.1 and Windows 7 computers.

Adobe released updates for Flash and Reader today. The Reader update (Reader DC/Continuous: 2017.012.20093; Reader 2017: 2017.011.30059; Reader DC/Classic: 2015.006.30352) addresses sixty-seven vulnerabilities. The Flash update (version 26.0.0.151) addresses two vulnerabilities. Anyone still using Flash or Reader, especially as web browser plugins, should install the new versions as soon as possible.

Patch Tuesday for June 2017

In a somewhat surprising move, Microsoft is releasing more updates for Windows XP today. To be clear, Microsoft had already created these updates for corporate (paying) clients. All they’re doing is making those updates available to the rest of us. While the updates are welcome to those still running Windows XP, one wonders how paying customers feel about it.

Here’s Microsoft’s explanation: “In reviewing the updates for this month, some vulnerabilities were identified that pose elevated risk of cyber attacks by government organizations, sometimes referred to as nation-state actors or other copycat organizations.” What that probably means is that Microsoft believes — along with the rest of us — that last month’s WannaCry threat was only the beginning of the havoc coming our way in the wake of The Shadow Brokers‘ leaks. The bit about ‘government organizations’ is presumably to get people to take notice.

That announcement is also somewhat misleading, in that it talks about ‘enabling Windows Update’ in supported versions of Windows, when in fact they’re referring to automatic updates. Further, automatic updates in Windows 10 cannot be disabled.

From the June 2017 security update release announcement: “we recommend those on older platforms, such as Windows XP, prioritize downloading and applying these critical updates, which can be found in the Download Center (or alternatively in the Update Catalog).”


The Download Center site doesn’t work particularly well in Internet Explorer 8, the version my poor old Windows XP Virtual Machine is stuck with. The page does show a prompt to try Edge, which is not particularly helpful as Edge won’t run on Windows XP. Okay, how about the Update Catalog? All I get there is ‘The website has encountered a problem’.

The Download Center works a lot better in Chrome, but clicking the Microsoft Update link only tells me that I have to use Internet Explorer for that. Entering the Windows category just invites me to visit the Update Catalog. That site also seems to work with Chrome, but it’s basically just a search form. What do I search for to get the available updates for Windows XP? Searching for ‘Windows XP’ produces 870 results. Sorting the list by date shows the most recent update was in 2014.


A post on the Technet site provides additional information about the vulnerabilities: Microsoft Security Advisory 4025685 – Guidance related to June 2017 security update release. Fifteen vulnerabilities are addressed, almost all of which are flagged as Critical. But there’s nothing on that page about how to install the updates on Windows XP.

The general guidance page links to additional guidance pages, one for supported versions, and another for older versions of Windows.

The page for older versions starts by pointing out that “All security updates Microsoft provides do not check Windows Genuine Advantage status.” That means even people running bootleg copies of Windows XP can install these updates. It goes on to say “For customers on these older platforms, the following table provides information to manually download applicable security updates.”

So installing these updates on Windows XP involves manually downloading them with the links provided on the Microsoft security advisory 4025685: Guidance for older platforms page. Some of the links go to the Update Catalog, and some involve additional navigation, but I was able to use Chrome to download and install all twelve of the updates linked from the guidance page on my WinXP VM. Not exactly convenient, and certainly not fast, but it did work.

Microsoft security advisory 4025685: Guidance for supported platforms includes a summary of the month’s updates for supported software. Numerous vulnerabilities are addressed, affecting the usual software: Windows, Office, Internet Explorer, Edge, Silverlight, Skype and Flash. Extracting the complete details from the Security Update Guide is still annoyingly awkward, and the release notes are rather light on details.

More bungled Windows updates

If you’re on the Windows Insider program — the one that gets you early looks at where Windows 10 is heading — you may have noticed some unusual updates in the last day or so.

First, a new development version of Windows 10 was rolled out to some unlucky users. This version was not intended for users, even those on the Insider Preview program. Microsoft caught the error and stopped the update, but if your computer was affected, you may notice some new “issues that impact usability of your PC.” You can roll back to the previous release, or live with any new issues until the next release.

Second, a development version of the mobile variant of Windows 10 was pushed out, again unintentionally. If your mobile device received this unfortunate update, it’s probably no longer usable. Microsoft recommends using their Windows Device Recovery Tool to fix the problem.

Microsoft wants us all to trust them to install updates whenever they want, but mistakes like these are not helping.

Ars Technica has more.

Timeline: NSA hacking tool to WannaCry

A recent Washington Post article is helping to answer some questions about Microsoft’s actions in recent months. Here’s a timeline of events:

2012 (or possibly earlier): The NSA identifies a vulnerability in Windows that affects all existing versions of the operating system, and has the potential to allow almost unfettered access to affected systems. A software tool — an exploit — is developed either for, or by, the NSA. The tool is called EternalBlue. People at the NSA worry about the potential damage if the tool or the vulnerability became public knowledge. They decide not to tell anyone, not even Windows’ developer, Microsoft.

EternalBlue finds its way into the toolkit of an elite hacking outfit known as Equation Group. Although it’s difficult to know for certain, this group is generally assumed to be operating under the auspices of the NSA. Equation Group may work for the NSA as contractors, or they may simply be NSA employees. Regardless, the group’s actions seem to align with those of the NSA: their targets are generally in places like Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali.

Early to mid-2016: A hacking group calling themselves The Shadow Brokers somehow gains access to NSA systems or data, and obtains copies of various NSA documents and tools. Among those tools is EternalBlue.

August, 2016: The Shadow Brokers begin publishing their NSA haul on public services like Tumblr.

January 7, 2017: The Shadow Brokers begin selling tools that are related to EternalBlue.

Late January to early February 2017: The NSA finally tells Microsoft about the vulnerability exploited by EternalBlue. We don’t know exactly when this happened, but it clearly happened. The NSA was Microsoft’s source for this vulnerability.

February 14, 2017: Microsoft announces that February’s Patch Tuesday updates will be postponed. Their explanation is vague: “we discovered a last minute issue that could impact some customers.

Late February 2017: The Windows SMB vulnerability exploited by EternalBlue is identified publicly as CVE-2017-0144.

March 14, 2017: March’s Patch Tuesday updates from Microsoft include a fix for CVE-2017-0144, MS17-010. The update is flagged as Critical and described as Security Update for Microsoft Windows SMB Server (4013389). Nothing in Microsoft’s output on March 14 calls special attention to this update.

April 14, 2017: The Shadow Brokers release 300 megabytes of NSA material on Github, including EternalBlue.

May 12, 2017: WannaCry ransomware infection wave begins. The malware uses EternalBlue to infect vulnerable computers, mostly Windows 7 PCs in Europe and Asia. Infected computers clearly had not been updated since before March 14, and were therefore vulnerable to EternalBlue.


It’s now clear that the NSA is the real problem here. They had several opportunities to do the right thing, and failed every time, until it was too late. The NSA’s last chance to look at all good in this matter was after the vulnerability was made public, when they should have made the danger clear to the public, or at least to Microsoft. Because, after all, they knew exactly how useful EternalBlue would be in the hands of… just about anyone with bad intent.

Everyone involved in this mess acted foolishly. But whereas we’ve grown accustomed to corporations caring less about people than about money, government institutions — no matter how necessarily secretive — should not be allowed to get away with what the NSA has done. Especially when you consider that this is just the tip of the iceberg. For every WannaCry, there are probably a thousand other threats lurking out there, all thanks to the clowns at the NSA.

Ars Technica’s analysis.

Techdirt’s analysis.

WannaCry update

According to Kaspersky Labs, almost all of the computers infected with WannaCry (WCry, WannaCrypt) were running Windows 7. A small percentage (less than 1%) were running Windows XP.

Microsoft released updates in March 2017 which — if installed — protect Windows 7 computers from WannaCry infections. So all those Windows 7 WannaCry infections were only possible because users failed to install updates. This is a good argument for either enabling automatic updates, or being extremely diligent about installing updates as soon as they become available.

A researcher at Quarkslab discovered a method for decrypting files encrypted with WannaCry, although it only works on Windows XP, and only if the computer has not been restarted since the files were encrypted.

Building on the discoveries of Quarkslab, researchers at Comae Technologies and elsewhere developed a tool that can decrypt files encrypted by WannaCry on Windows 7 as well as XP. The new tool — dubbed wanakiwi by its developers — uses the same technique as its predecessor and has the same limitation: it doesn’t work if the infected computer has been restarted since encryption occurred.

The Register points out that while the NSA was hoarding exploits, Microsoft was doing something similar with patches. Microsoft is in fact still creating security updates for Windows XP and other ‘unsupported’ software; they just don’t normally make those updates available to the general public. Instead, they are only provided to enterprise customers, which pay substantial fees for the privilege. When Microsoft released the Windows XP patch in response to the WannaCry threat, the patch was already developed; all Microsoft had to do was make it available to the general public. Sure, developing updates costs money, and Microsoft wants to recover those costs somehow, but it seems clear that we would all be better off if they made all updates available to everyone.

Bruce Schneier provides a useful overview of WannaCry, and how best to protect yourself. From the article: “Criminals go where the money is, and cybercriminals are no exception. And right now, the money is in ransomware.”

Update 2017May21: Analysts have confirmed that WannaCry’s initial infections were accomplished by scanning the Internet for computers with open Server Message Block ports, then using the EternalBlue SMB exploit to install the ransomware. Once installed on any computer, WannaCry spread to other vulnerable computers on the same local network (LAN). Earlier assumptions about WannaCry using spam and phishing emails to spread were not accurate.