Category Archives: Security

aka infosec

Patch Tuesday for June 2017

In a somewhat surprising move, Microsoft is releasing more updates for Windows XP today. To be clear, Microsoft had already created these updates for corporate (paying) clients. All they’re doing is making those updates available to the rest of us. While the updates are welcome to those still running Windows XP, one wonders how paying customers feel about it.

Here’s Microsoft’s explanation: “In reviewing the updates for this month, some vulnerabilities were identified that pose elevated risk of cyber attacks by government organizations, sometimes referred to as nation-state actors or other copycat organizations.” What that probably means is that Microsoft believes — along with the rest of us — that last month’s WannaCry threat was only the beginning of the havoc coming our way in the wake of The Shadow Brokers‘ leaks. The bit about ‘government organizations’ is presumably to get people to take notice.

That announcement is also somewhat misleading, in that it talks about ‘enabling Windows Update’ in supported versions of Windows, when in fact they’re referring to automatic updates. Further, automatic updates in Windows 10 cannot be disabled.

From the June 2017 security update release announcement: “we recommend those on older platforms, such as Windows XP, prioritize downloading and applying these critical updates, which can be found in the Download Center (or alternatively in the Update Catalog).”


The Download Center site doesn’t work particularly well in Internet Explorer 8, the version my poor old Windows XP Virtual Machine is stuck with. The page does show a prompt to try Edge, which is not particularly helpful as Edge won’t run on Windows XP. Okay, how about the Update Catalog? All I get there is ‘The website has encountered a problem’.

The Download Center works a lot better in Chrome, but clicking the Microsoft Update link only tells me that I have to use Internet Explorer for that. Entering the Windows category just invites me to visit the Update Catalog. That site also seems to work with Chrome, but it’s basically just a search form. What do I search for to get the available updates for Windows XP? Searching for ‘Windows XP’ produces 870 results. Sorting the list by date shows the most recent update was in 2014.


A post on the Technet site provides additional information about the vulnerabilities: Microsoft Security Advisory 4025685 – Guidance related to June 2017 security update release. Fifteen vulnerabilities are addressed, almost all of which are flagged as Critical. But there’s nothing on that page about how to install the updates on Windows XP.

The general guidance page links to additional guidance pages, one for supported versions, and another for older versions of Windows.

The page for older versions starts by pointing out that “All security updates Microsoft provides do not check Windows Genuine Advantage status.” That means even people running bootleg copies of Windows XP can install these updates. It goes on to say “For customers on these older platforms, the following table provides information to manually download applicable security updates.”

So installing these updates on Windows XP involves manually downloading them with the links provided on the Microsoft security advisory 4025685: Guidance for older platforms page. Some of the links go to the Update Catalog, and some involve additional navigation, but I was able to use Chrome to download and install all twelve of the updates linked from the guidance page on my WinXP VM. Not exactly convenient, and certainly not fast, but it did work.

Microsoft security advisory 4025685: Guidance for supported platforms includes a summary of the month’s updates for supported software. Numerous vulnerabilities are addressed, affecting the usual software: Windows, Office, Internet Explorer, Edge, Silverlight, Skype and Flash. Extracting the complete details from the Security Update Guide is still annoyingly awkward, and the release notes are rather light on details.

Chrome 59.0.3071.86

With thirty security fixes in Chrome 59.0.3071.86, I would expect Google to emphasize the need for users to update as soon as possible. Instead, the release announcement says “This will roll out over the coming days/weeks.” Presumably Google feels that the fixed security issues are too obscure to represent any imminent threat.

To be fair, personal experience has shown that Chrome is great at detecting updates, often very soon after they become available. Visiting the About page is usually enough to trigger an update. Click the three-vertical-dots menu button, then choose Help > About.

If you have several hours to kill, you might want to check out the change log for Chrome 59.0.3071.86, which by my count contains 10,911 entries.

Google improves GMail security

I’ve tried other search services, but I always end up back at Google, because the search results are consistently better. Google does collect information about its users, and uses that information to target advertising. Google also looks at the content of GMail messages for the same reason. If that bothers you, there are ways to prevent it, or you can stop using Google’s products and services.

That said, in all my years of using Google’s services, I’ve never encountered anything that made me want to stop using them. Google does occasionally annoy me by dropping services like Reader, and Google’s advertising is ridiculously overpriced, but on balance the company provides far more benefit than any potential harm.

For example, Google spends enormous amounts of time and resources on making the web safer for everyone. Much of that effort goes unheralded, but occasionally we catch glimpses in the form of blog posts, like this one, describing recent improvements to GMail security. Compare that with Yahoo’s recent track record, which clearly shows that user security and privacy are not a priority at that company.

Timeline: NSA hacking tool to WannaCry

A recent Washington Post article is helping to answer some questions about Microsoft’s actions in recent months. Here’s a timeline of events:

2012 (or possibly earlier): The NSA identifies a vulnerability in Windows that affects all existing versions of the operating system, and has the potential to allow almost unfettered access to affected systems. A software tool — an exploit — is developed either for, or by, the NSA. The tool is called EternalBlue. People at the NSA worry about the potential damage if the tool or the vulnerability became public knowledge. They decide not to tell anyone, not even Windows’ developer, Microsoft.

EternalBlue finds its way into the toolkit of an elite hacking outfit known as Equation Group. Although it’s difficult to know for certain, this group is generally assumed to be operating under the auspices of the NSA. Equation Group may work for the NSA as contractors, or they may simply be NSA employees. Regardless, the group’s actions seem to align with those of the NSA: their targets are generally in places like Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali.

Early to mid-2016: A hacking group calling themselves The Shadow Brokers somehow gains access to NSA systems or data, and obtains copies of various NSA documents and tools. Among those tools is EternalBlue.

August, 2016: The Shadow Brokers begin publishing their NSA haul on public services like Tumblr.

January 7, 2017: The Shadow Brokers begin selling tools that are related to EternalBlue.

Late January to early February 2017: The NSA finally tells Microsoft about the vulnerability exploited by EternalBlue. We don’t know exactly when this happened, but it clearly happened. The NSA was Microsoft’s source for this vulnerability.

February 14, 2017: Microsoft announces that February’s Patch Tuesday updates will be postponed. Their explanation is vague: “we discovered a last minute issue that could impact some customers.

Late February 2017: The Windows SMB vulnerability exploited by EternalBlue is identified publicly as CVE-2017-0144.

March 14, 2017: March’s Patch Tuesday updates from Microsoft include a fix for CVE-2017-0144, MS17-010. The update is flagged as Critical and described as Security Update for Microsoft Windows SMB Server (4013389). Nothing in Microsoft’s output on March 14 calls special attention to this update.

April 14, 2017: The Shadow Brokers release 300 megabytes of NSA material on Github, including EternalBlue.

May 12, 2017: WannaCry ransomware infection wave begins. The malware uses EternalBlue to infect vulnerable computers, mostly Windows 7 PCs in Europe and Asia. Infected computers clearly had not been updated since before March 14, and were therefore vulnerable to EternalBlue.


It’s now clear that the NSA is the real problem here. They had several opportunities to do the right thing, and failed every time, until it was too late. The NSA’s last chance to look at all good in this matter was after the vulnerability was made public, when they should have made the danger clear to the public, or at least to Microsoft. Because, after all, they knew exactly how useful EternalBlue would be in the hands of… just about anyone with bad intent.

Everyone involved in this mess acted foolishly. But whereas we’ve grown accustomed to corporations caring less about people than about money, government institutions — no matter how necessarily secretive — should not be allowed to get away with what the NSA has done. Especially when you consider that this is just the tip of the iceberg. For every WannaCry, there are probably a thousand other threats lurking out there, all thanks to the clowns at the NSA.

Ars Technica’s analysis.

Techdirt’s analysis.

WannaCry update

According to Kaspersky Labs, almost all of the computers infected with WannaCry (WCry, WannaCrypt) were running Windows 7. A small percentage (less than 1%) were running Windows XP.

Microsoft released updates in March 2017 which — if installed — protect Windows 7 computers from WannaCry infections. So all those Windows 7 WannaCry infections were only possible because users failed to install updates. This is a good argument for either enabling automatic updates, or being extremely diligent about installing updates as soon as they become available.

A researcher at Quarkslab discovered a method for decrypting files encrypted with WannaCry, although it only works on Windows XP, and only if the computer has not been restarted since the files were encrypted.

Building on the discoveries of Quarkslab, researchers at Comae Technologies and elsewhere developed a tool that can decrypt files encrypted by WannaCry on Windows 7 as well as XP. The new tool — dubbed wanakiwi by its developers — uses the same technique as its predecessor and has the same limitation: it doesn’t work if the infected computer has been restarted since encryption occurred.

The Register points out that while the NSA was hoarding exploits, Microsoft was doing something similar with patches. Microsoft is in fact still creating security updates for Windows XP and other ‘unsupported’ software; they just don’t normally make those updates available to the general public. Instead, they are only provided to enterprise customers, which pay substantial fees for the privilege. When Microsoft released the Windows XP patch in response to the WannaCry threat, the patch was already developed; all Microsoft had to do was make it available to the general public. Sure, developing updates costs money, and Microsoft wants to recover those costs somehow, but it seems clear that we would all be better off if they made all updates available to everyone.

Bruce Schneier provides a useful overview of WannaCry, and how best to protect yourself. From the article: “Criminals go where the money is, and cybercriminals are no exception. And right now, the money is in ransomware.”

Update 2017May21: Analysts have confirmed that WannaCry’s initial infections were accomplished by scanning the Internet for computers with open Server Message Block ports, then using the EternalBlue SMB exploit to install the ransomware. Once installed on any computer, WannaCry spread to other vulnerable computers on the same local network (LAN). Earlier assumptions about WannaCry using spam and phishing emails to spread were not accurate.

WannaCrypt variants infecting systems worldwide

The accidental stifling of WannaCrypt’s spread was too good to last, apparently. New versions of the ransomware — unaffected by the serendipitous domain registration of a security researcher — are now making their way around the world. You can even watch the malware spread using MalwareTech’s WannaCrypt live feed.

Our advice remains the same: make sure all your Windows computers have the relevant updates installed, including Windows XP. Microsoft’s Customer Guidance for WannaCrypt attacks is a good place to start; there are links to the updates at the bottom of that page. For more information about the exploit used by WannaCrypt, see Microsoft’s MS17-010 bulletin from March 14.

SANS has a good summary of the technical aspects of WannaCrypt.

Update 2017May16: There’s plenty of blame to go around for this mess. Microsoft is being criticized for abandoning Windows XP when it’s still widely used. Meanwhile, Microsoft is blaming the NSA’s vulnerability hoarding.

WannaCrypt ransomware: Microsoft issues updates for unsupported Windows

Ransomware known as WannaCrypt (aka WCry, WannaCry) has already crippled as many as 75,000 unpatched Windows computers in Europe and Asia. So far it hasn’t done much damage in North America, but that could change quickly.

The flaw WannaCrypt uses to infect Windows computers was patched by Microsoft in March, but unpatched computers and those running unsupported versions of Windows were left unprotected.

Microsoft has long since stopped releasing security updates for Windows XP, but WannaCrypt is spreading quickly, and Windows XP computers are essentially defenseless against it. So Microsoft has taken the unprecedented step of publicly releasing an update that protects Windows XP computers from the flaw that WannaCrypt uses to spread.

If you manage any computers that run Windows XP, you should install the update immediately: download update for 32-bit Windows XP Service Pack 3. There’s more information about this from Microsoft.

Techdirt points out that the flaw WannaCrypt exploits was exposed in the recent NSA tool leaks. Which is exactly the problem when security organizations hoard flaws instead of reporting them responsibly.

Update 2017May14: Apparently a security researcher at MalwareTech registered a (previously unregistered) domain used by WannaCrypt as part of his investigation into the ransomware. This is standard practice, because it often allows researchers to gain a better understanding of their subject. Surprisingly, this move stopped WannaCrypt from doing any further damage.

The latest guidance from NCSC.