{"id":12258,"date":"2018-05-10T10:30:03","date_gmt":"2018-05-10T18:30:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/05\/10\/news-6027\/"},"modified":"2018-05-10T10:30:03","modified_gmt":"2018-05-10T18:30:03","slug":"news-6027","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/05\/10\/news-6027\/","title":{"rendered":"Patch Tuesday problems, fixes \u2014 but no cause for immediate alarm"},"content":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Thu, 10 May 2018 10:51:00 -0700<\/strong><\/p>\n

Results are starting to roll in about this month\u2019s Patch Tuesday, and it\u2019s quite a mixed bag. For those of you struggling with the new Windows 10 April 2018 Update, version 1803, there\u2019s good news and bad news. The hand wringing about a new VBScript zero-day, thanks to our good old friend baked-in Internet Explorer, looks overblown for now. And if you can\u2019t get RDP working because of \u201cAn authentication error has occurred\u201d messages, you missed the memo.<\/span><\/p>\n

First, the good news. As I <\/span>anticipated earlier this week<\/span><\/a>, this month\u2019s cumulative update for 1803 is a must-have, warts and all. The new build 17134.48 replaces the old 17134.1 (which went to those who installed 1803 directly or fell into the <\/span>seeker trap<\/span><\/a>) and the old 17134.5 (for those upgrading with the Windows Insider builds). As <\/span>Susan Bradley explains<\/span><\/a>, 17134.48 claims to fix both the Chrome and Cortana freeze, as well as a major VPN bug.<\/span><\/p>\n

My recommendation continues to be that you should roll back to 1709, but if you insist on using 1803 during its unpaid beta-testing phase, get this month\u2019s cumulative update installed as soon as you can. If you can.<\/span><\/p>\n

An <\/span>anonymous poster on AskWoody<\/span><\/a> notes:<\/span><\/p>\n

1803 was installed without permission on 3 of my computers last week, 5\/1\/2018. Fortunately no problems, working great. Then in the early A.M. on 5\/8\/2108 the \u201cfixed\u201d 1803 was installed, once again without permission on all 3 computers (all running Windows 10 Pro). Bricked them all. I make 3 full backup images of each of my computers every day (2 local using Macrium and EaseUS and 1 cloud using Acronis). Restored all 3 computers, backed up data, and did clean installs which installed the latest fixed 1803. Recovered data and all is back to normal, just took a full day.<\/span><\/p>\n

Assuming you can even get the installer to work. \u201cMicrosoft Agent\u201d Lonnie_L <\/span>on the Microsoft Answers forum<\/span><\/a> says:<\/span><\/p>\n

When attempting to upgrade to Window 10 April 2018 Update select devices with certain Intel SSDs may enter a UEFI screen reboot or crash repeatedly.<\/span><\/p>\n

Microsoft is currently blocking some Intel SSDs from installing the April 2018 Update due to a known incompatibility that may cause performance and stability issues. There is no workaround for this issue. If you have encountered this issue, you can roll back to Windows 10, version 1709 and wait for the resolution before attempting to install the April 2018 Update again.<\/span><\/p>\n

Microsoft is currently working on a solution that will be provided in a near future Windows Update, after which these devices will be able to install the April 2018 Update<\/span><\/p>\n

We have a thread going on that topic <\/span>on AskWoody<\/span><\/a>.<\/span><\/p>\n

The MS Answers forum has a <\/span>monster thread<\/span><\/a>, started by StephenPhillipsZY who says:<\/span><\/p>\n

This update has some serious issues, specifically. Do NOT install this update after updating to Windows 10 version 1803. It will prevent your computer from booting up. I am stuck on the spinning circle for a long time. I have to use a Windows 10 USB to boot into the Troubleshooting and use Command Prompt to boot into safe mode. Please fix this update!<\/span><\/p>\n

There are still many, many bugs in 1803. For example, <\/span>Mr. Natural says<\/span><\/a>:<\/span><\/p>\n

I have 2 systems that I installed 1803 on and ever since they are unable to communicate with WSUS. Windows Update pointing to Microsoft works, but not WSUS. I had to manually install that even though my WSUS system has the patch ready to go.<\/span><\/p>\n

Bogdan Popa at Softpedia tells of many people who try to apply this cumulative update and end up with bricked systems. He has <\/span>three unbricking methods <\/span><\/a>that may prove handy.<\/span><\/p>\n

There are also <\/span>extensive reports<\/span><\/a> of build 17134.48 not being able to see WSUS update servers.<\/span><\/p>\n

Oh, the joys of IE bound at the knees and elbows to Windows. <\/span><\/p>\n

Microsoft <\/span>released an explanation<\/span><\/a> for the one \u201ccritical\u201d Windows patch this month that is being actively exploited \u2014 a zero-day. Called CVE-21018-8174, the security hole involves the way Internet Explorer (mis)handles VBScript programs. Per Microsoft:<\/span><\/p>\n

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. <\/span><\/p>\n

Microsoft\u2019s expos\u00e9 credits both Qihoo 360 Core Security and Kaspersky with the discovery. And at that point, things get complicated.<\/span><\/p>\n

Kaspersky\u2019s Securelist shows an <\/span>in-the-wild exploit<\/span><\/a>, using an infected RTF file that on most machines would be opened by Word. The infected file then does its dirty deed through IE, no matter which browser you\u2019ve chosen as default:<\/span><\/p>\n

With CVE-2018-8174 being the first public exploit to use a URL moniker to load an IE exploit in Word, we believe that this technique, unless fixed, will be heavily abused by attackers in the future, as It allows you force IE to load ignoring the default browser settings on a victim\u2019s system. We expect this vulnerability to become one of the most exploited in the near future, as it won\u2019t be long until exploit kit authors start abusing it in both drive-by (via browser) and spear-phishing (via document) campaigns. <\/span><\/p>\n

As best I can tell, Kaspersky doesn\u2019t talk about a \u201cweb-based attack scenario\u201d where the victim is using Internet Explorer. Instead, it relies on an RTF file \u2014 such fules have been <\/span>carrying malware for years<\/span><\/a>\u00a0\u2014 to bring up Word, and to force Word to use the buggy VBScript engine in IE.<\/span><\/p>\n

Qihoo 360 <\/span>has a different explanation<\/span><\/a>:<\/span><\/p>\n

We code named the vulnerability as \u201cdouble kill\u201d exploit. This vulnerability affects the latest version of Internet Explorer and applications that use the IE kernel. When users browse the web or open Office documents, they are likely to be potential targets. Eventually the hackers will implant backdoor Trojan to completely control the computer. <\/span><\/p>\n

Qihoo doesn\u2019t specifically mention RTF-formatted documents, but the one exploit it has discovered is in a document, ostensibly in Yiddish, and \u201cthe attack affected regions in China are mainly distributed in provinces that actively involved in foreign trade activities. Victims include trade agencies and related organizations.\u201d<\/span><\/p>\n

(I asked Morty Schiller, a noted Hebrew\/Yiddish scholar, about the language used and <\/span>he says,<\/span><\/a> \u201cThe few words that showed in the background of the image were Yiddish, not Hebrew. But some of the ‘words’ were Hebrew\/Yiddish letters interlaced with English letters. So they may have been truncated, or just garbage. None of it seems to make any sense.\u201d)<\/span><\/p>\n

So as things stand, it looks as if you need to watch out for RTF files in Yiddish\/Hebrew sent to Chinese trade agencies, but it\u2019s likely that the technique will become more widespread in the not-too-distant future.<\/span><\/p>\n

This \u201cDouble Kill\u201d problem affects <\/span>every <\/i><\/strong>version of Windows. It isn\u2019t clear if redirecting RTF files to open in something other than Word will fix the document-based infection vector. (You can <\/span>use Windows<\/span><\/a> to change the default program assigned to the RTF filename extension, and make RTF files open in, say, WordPad \u2014\u00a0<\/span>even in Windows 10<\/span><\/a>.)<\/span><\/p>\n

Back in the good old days, you could just pick out the patch that fixes the problem, install it, and deal with any bugs in the patch in isolation.<\/span><\/p>\n

Nowadays, <\/span>since the patchocalypse<\/span><\/a>, that isn\u2019t an option. If you want to protect against Double Kill, you have to install the entire month\u2019s patches \u2014 and if you\u2019re using Win10, you have to install both the security and the non-security updates at the same time.<\/span><\/p>\n

We\u2019ll be watching to see how quickly the Double Kill technique proliferates. If infected RTF files start appearing, we\u2019ll let you know here in Computerworld<\/em>.<\/span><\/p>\n

Last week, noted security maven Alex Ionescu revealed <\/span>yet another bug<\/span><\/a> introduced in all of the Meltdown patches released this year for Win10 version 1709. <\/span><\/p>\n

It turns out the #Meltdown patches for Windows 10 had a fatal flaw: calling NtCallEnclave returned back to user space with the full kernel page table directory, completely undermining the mitigation. <\/span><\/p>\n

Microsoft quietly built a fix into Win10 version 1803 \u2014 and if you have version 1803, you don\u2019t need to worry about the bug. But we didn\u2019t discover until Patch Tuesday that Win10 version 1709 has the same bug. This month\u2019s version 1709 fix solves it. Says <\/span>Ionescu<\/span><\/a>:<\/span><\/p>\n

Incredible turnaround by @msftsecresponse to fix this issue (which only affected Fall Creators Update due to this API being introduced in 1709) in today\u2019s Patch Tuesday. Customers on 1709 now protected just like on 1803.<\/span><\/p>\n

Meltdown continues its march into the patching hall of fame.<\/span><\/p>\n

I\u2019ve seen <\/span>many complaints <\/span><\/a>about this month\u2019s Windows patches triggering an error in Remote Desktop connections (see screenshot).<\/span><\/p>\n

Those errors keep popping up after installing <\/span>KB 4093492<\/span><\/a>, the update that fixes CVE-2018-0886, a vulnerability in the CredSSP protocol. (If you don\u2019t use Microsoft Remote Desktop with a server, you don\u2019t need to worry about it.)<\/span><\/p>\n

Long story short, as Susan Bradley says:<\/span><\/p>\n

The problem is NOT with the KB 4093492 update. Rather the issue is that there\u2019s a mismatch of patching levels. In March Microsoft released an update that began the process of rolling out an update to CredSSP used in Remote Desktop connection. In May the updates mandate that a patched machine can\u2019t remote into an unpatched machine. If you dig into the KB there is a registry workaround to [TEMPORARILY] disable the mandate, but the better and wiser move is to update the server or workstation you are remoting into. Make sure the \u201cthing\u201d you are remoting into has an update. <\/span><\/p>\n

If you see that \u201cauthentication error\u201d message, check with the folks who maintain your server.<\/span><\/p>\n

Admins rejoice. It looks like the SMB memory leak bug has finally been fixed. (If you aren\u2019t an admin, you can go back to sleep now.)<\/span><\/p>\n

Way back in January, the <\/span>2018-01 Monthly Rollup<\/span><\/a> introduced a bug in Win7 and Server 2008 R2 that set up a memory leak.<\/span><\/p>\n

After installing KB4056897 or any other recent monthly updates, SMB servers may experience a memory leak for some scenarios. This occurs when the requested path traverses a symbolic link, mount point, or directory junction and the registry key is set to 1:<\/span><\/p>\n

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetservicesLanManServerParametersEnableEcp<\/span><\/p>\n

Most people couldn\u2019t care less, but for a significant subset of Server users, that memory leak was a show-stopper. Maybe that\u2019s why some folks didn\u2019t install the CredSSP fix?<\/span><\/p>\n

The hunt continues for bugs and fixes. Join us on the <\/span><\/i>AskWoody Lounge<\/span><\/i><\/a>.<\/span><\/i><\/p>\n

http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Thu, 10 May 2018 10:51:00 -0700<\/strong><\/p>\n

\n
\n

Results are starting to roll in about this month\u2019s Patch Tuesday, and it\u2019s quite a mixed bag. For those of you struggling with the new Windows 10 April 2018 Update, version 1803, there\u2019s good news and bad news. The hand wringing about a new VBScript zero-day, thanks to our good old friend baked-in Internet Explorer, looks overblown for now. And if you can\u2019t get RDP working because of \u201cAn authentication error has occurred\u201d messages, you missed the memo.<\/span><\/p>\n

Windows 10 version 1803<\/strong><\/h2>\n

First, the good news. As I <\/span>anticipated earlier this week<\/span><\/a>, this month\u2019s cumulative update for 1803 is a must-have, warts and all. The new build 17134.48 replaces the old 17134.1 (which went to those who installed 1803 directly or fell into the <\/span>seeker trap<\/span><\/a>) and the old 17134.5 (for those upgrading with the Windows Insider builds). As <\/span>Susan Bradley explains<\/span><\/a>, 17134.48 claims to fix both the Chrome and Cortana freeze, as well as a major VPN bug.<\/span><\/p>\n

To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[714,10525],"class_list":["post-12258","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-security","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12258","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=12258"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12258\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=12258"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=12258"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=12258"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}