Microsoft today released updates to plug 50 security holes in various flavors of Windows and related software. The patch batch includes a fix for a flaw in Windows 10 and server equivalents of this operating system that prompted an unprecedented public warning from the U.S. National Security Agency. This month also marks the end of mainstream support for Windows 7, a still broadly-used operating system that will no longer be supplied with security updates.
As first reported Monday by KrebsOnSecurity, Microsoft addressed a severe bug (CVE-2020-0601) in Windows 10 and Windows Server 2016/19 reported by the NSA that allows an attacker to spoof the digital signature tied to a specific piece of software. Such a weakness could be abused by attackers to make malware appear to be a benign program that was produced and signed by a legitimate software company.
An advisory (PDF) released today by the NSA says the flaw may have far more wide-ranging security implications, noting that the “exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.”
“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable,” the advisory continues. “The consequences of not patching the vulnerability are severe and widespread.”
Matthew Green, an associate professor in the computer science department at Johns Hopkins University, said the flaw involves an apparent implementation weakness in a component of recent Windows versions responsible for validating the legitimacy of authentication requests for a panoply of security functions in the operating system.
Green said attackers can use this weakness to impersonate everything from trusted Web sites to the source of software updates for Windows and other programs.
“Imagine if I wanted to pick the lock in your front door,” Green analogized. “It might be hard for me to come up with a key that will open your door, but what if I could tamper with or present both the key and the lock at the same time?”
Kenneth White, security principal at the software company MongoDB, equated the vulnerability to a phone call that gets routed to a party you didn’t intend to reach.
“You pick up the phone, dial a number and assume you’re talking to your bank or Microsoft or whomever, but the part of the software that confirms who you’re talking to is flawed,” White said. “That’s pretty bad, especially when your system is saying download this piece of software or patch automatically and it’s being done in the background.”
Both Green and White said it likely will be a matter of hours or days before security researchers and/or bad guys work out ways to exploit this bug, given the stakes involved. Indeed, already this evening KrebsOnSecurity has seen indications that people are teasing out such methods, which will likely be posted publicly online soon.
According to security vendor Qualys, only eight of the 50 flaws fixed in today’s patch roundup from Microsoft earned the company’s most dire “critical” rating, a designation reserved for bugs that can be exploited remotely by malware or miscreants to seize complete control over the target computer without any help from users.
Once again, some of those critical flaws include security weaknesses in the way Windows implements Remote Desktop connections, a feature that allows systems to be accessed, viewed and controlled as if the user was seated directly in front of the remote computer. Other critical patches include updates for the Web browsers and Web scripting engines built into Windows, as well as fixes for ASP.NET and the .NET Framework.
The security fix for the CVE-2020-0601 bug and others detailed in this post will be offered to Windows users as part of a bundle of patches released today by Microsoft. To see whether any updates are available for your Windows computer, go to the Start menu and type “Windows Update,” then let the system scan for any available patches.
Keep in mind that while staying up-to-date on Windows patches is a must, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re not losing your mind when the odd buggy patch causes problems booting the system. So do yourself a favor and back up your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.
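The two paragraphs above describe the manual route (Start menu, “Windows Update”). The script below is an added example written for this post, not Microsoft’s or KrebsOnSecurity’s code: it checks whether the January 2020 cumulative update is installed, verifies the Authenticode signature of a downloaded installer with the (hopefully patched) CryptoAPI, and looks for the Audit-CVE events the fixed CryptoAPI writes when it rejects a certificate crafted to abuse CVE-2020-0601. It assumes Windows 10 with PowerShell 5.1 or later. The KB number is the Windows 10 x64 update a commenter cites below; the right KB depends on your build and is listed on Microsoft’s advisory page for the CVE. The installer path is a constructed placeholder.

```powershell
# Added example for this post (not Microsoft's or KrebsOnSecurity's code):
# a read-only posture check for the January 2020 CryptoAPI fix.
# Assumes Windows 10 with PowerShell 5.1 or later. Get-HotFix and reading
# the Application event log do not require an elevated session.

# KB4534306 is the Windows 10 x64 update a commenter cites on this page; the
# KB differs by Windows build, so take yours from Microsoft's CVE-2020-0601
# advisory page.
$KbId = 'KB4534306'

# Files to verify before running them. Constructed sample path; point it at
# a real download.
$FilesToCheck = @("$env:USERPROFILE\Downloads\installer.exe")

function Test-CumulativeUpdate {
    param([string]$Id)
    $fix = Get-HotFix -Id $Id -ErrorAction SilentlyContinue
    if ($fix) {
        return "[OK]   $Id installed on $($fix.InstalledOn)"
    }
    "[WARN] $Id not installed; the signature checks below run on the unpatched CryptoAPI"
}

function Get-CryptoApiAuditEvents {
    # Microsoft documented that, once the fix is installed, CryptoAPI logs
    # Event ID 1 from the Audit-CVE source to the Application log whenever it
    # rejects a certificate crafted to abuse CVE-2020-0601. An empty result is
    # the healthy outcome; any hit is worth an incident ticket.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1 } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Audit-CVE*' } |
        Select-Object TimeCreated, Message
}

function Test-FileSignature {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { "[SKIP] $p not found"; continue }
        # Get-AuthenticodeSignature calls into the same CryptoAPI the flaw
        # lives in, so its verdict is only trustworthy after the fix is installed.
        $sig    = Get-AuthenticodeSignature -FilePath $p
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        "[{0}] {1} -> {2}" -f $sig.Status, $p, $signer
    }
}

Test-CumulativeUpdate -Id $KbId
Test-FileSignature -Path $FilesToCheck
$events = @(Get-CryptoApiAuditEvents)
if ($events.Count -eq 0) { '[OK]   no Audit-CVE events logged' } else { $events | Format-Table -AutoSize }
```

Run it before and after Windows Update: a file that reports `Valid` only on the unpatched machine, or any Audit-CVE event at all, is exactly the signal worth investigating. Anything other than `Valid` from `Get-AuthenticodeSignature` (for example `NotSigned` or `HashMismatch`) means the installer should not be run regardless of patch state.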
Today also marks the last month in which Microsoft will ship security updates for Windows 7 home/personal users. I count myself among some 30 percent of Windows users who still like and (ab)use this operating system in one form or another, and am sad that this day has come to pass. But if you rely on this OS for day-to-day use, it’s probably time to think about upgrading to something newer.
That might be a computer with Windows 10. Or maybe you have always wanted that shiny MacOS computer. If cost is a primary motivator and the user you have in mind doesn’t do much with the system other than browsing the Web, perhaps a Chromebook or an older machine with a recent version of Linux is the answer. Whichever system you choose, it’s important to pick one that fits the owner’s needs and provides security updates on an ongoing basis.
As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.
Windows 7, love it, so sad to see it go!
It hasn’t gone anywhere. In fact you can still pay for another year or two of support should you want to do that. Until there’s some major flaw found to force people to stop using it, this isn’t that. This is Miscresoft’s long-ago-picked date to stop continuing to respect their previous retail customers. It doesn’t mean anything is actually more or less secure. Not yet.
And this whole line of thinking is predicated on Windows being sold on the basis of its security, lol. I mean HELLO!
Well, yes and no, Duke. I looked into this since I’m one of those who didn’t want to migrate to Win 10 for a number of reasons, which I won’t go into. What I’ve learned is that extended updates are available only for businesses, organizations and government, not to individual users. You can read more here. https://www.howtogeek.com/443573/how-windows-7s-extended-security-updates-will-work/
I have updated the release to and had a number of issues:
1. Long, long reboot times
2. Sometimes the Lenovo screen prior to Windows seems to stay on forever.
3. My Logitech wireless mouse and keyboard have quit working multiple times today, and it isn’t resolved with a restart.
Win 7 update changed the desktop background color but just on one of the laptops. The others were fine. As others mention below, updates required two separate downloads. On two computers, the installation of the second update failed initially, requiring a third attempt. All installed eventually, but the files took a looooooooong time to download.
The last rollup for Windows 7 is here… and it fails to install.
I have patched a dozen Windows 7 machines today – installs first set, reboots, and comes back for one more. Works perfectly.
Had one non-Windows patch fail: you can’t install a 64-bit patch on a 32-bit machine.
Pretty much the same here – no failures, but it waited until all the first updates installed then, one more to go – all listed as successful in the history log.
I usually like Brian’s articles, but this one is full of generalities. Can someone explain (give technical details of) what that Windows crypto bug is about?
Dennis, I’m sorry you found this post lacking. The truth is this is a fairly technical vulnerability, and the exact intricacies of it are still being explored and understood by researchers. That is why I sought to explain with analogies.
If you’re hungry for more technical details, you could review the NSA’s advisory linked to in the third paragraph of this story. Or the CERT advisory here: https://kb.cert.org/vuls/id/849224/
For a really, really technical deep dive, you might consider reviewing this from Thomas Ptacek, a seriously smart dude I interviewed a while back
https://news.ycombinator.com/item?id=22048619
Brian,
M1cr0s-Soft W1nd0ze has historically attracted a high level of effort, with periodic security patching, especially for large organizations. This of course translates to lost productivity and operational impact (financial).
Is patching the ONLY risk-response available to this vulnerability, or is there an interim mitigating control such as an IP address/FQDN list of targets to be blocked at the perimeter/endpoint?
Considering the vulnerability there’s not going to be a list of IP’s you can block; anyone can initiate the attack at any time. And systems need patching, even Linux needs to install required updates from time to time, it’s just the way of the world. If you’re looking for complete 0 downtime (or as close to it as possible) then you need to look into high availability solutions that involve transferring your customers to another set of servers while you patch one group, then switching them back to patch the other group.
Sorry I’m not Brian.
It’s been said that there are no mitigating controls by multiple parties. Look at the CISA and NSA advisories – or even Microsoft’s.
Blocking IP’s will have little impact if anything comes from the cloud. Beyond that, doing that is whack a mole and not efficient.
Patch for prevention or roll the dice that you will not be impacted.
If you think that an IP or FQDN blacklist would negate a certificate vulnerability, you’re wrong.
You can AND SHOULD disable RDP on any systems that don’t absolutely need it. That will mitigate a whole host of issues, including some from this.
HOWEVER, the ONLY way to address the crypto dll issues, is to patch.
=O
Brian, you’re going to make his brain implode/explode.
=Þ
I understand the desire to hear the full details but I think kudos should go to Brian for providing this information and giving us a chance to tell users that they MUST make their systems available to receive the patches. The fact that this was Windows 10 was confusing because our users were focused on Windows 7. The IT staff I supervise has just spent weeks and weeks begging and cajoling people into bringing in their systems to be upgraded from Windows 7 to 10. We had been sending out messages about how Windows 7 was no good and you had to have Windows 10 to be safe. It was nice to have some warning that Windows 10 would be affected. It took a carefully worded email to make the users understand that their systems just upgraded to Windows 10 had to be patched ASAP and that just being on Windows 10 was not enough to be secure. And I think that is a necessary message which Brian’s post conveys.
100.00% of all Remote Desktop functionalities should be disabled by default, be controlled with a single mouseclick easily found by anyone, and simply not function at all outside of a VPN
Windows won’t do this, and uninstalling or permanently disabling a “feature” like this is apparently blasphemy.
“Computers aren’t for people like you, computers are for Tom, Dick and Sally” seems to be Microsoft’s policy.
Luckily blocking RDP is easy to do for anyone competent on an enterprise firewall.
You just don’t allow RDP from outside, ever, for any reason. If you do, you’re just waiting to become a statistic.
Why would you need RDP inside a physical building? You can just physically walk around to the computers without the vulns.
There are 3rd party screen sharing clients that don’t crap the bed if you really needed that functionality. RDP needs to be off, or you’re asking for it. If anyone established a beachhead they could go laterally through your organization.
Because IT departments are spread very thin these days, they usually aren’t even present in all buildings within an organization, requiring them to remote into the system in order to help the user with their problem (unless you consider getting into a car and driving hours before you arrive on site acceptable).
That being said you don’t allow RDP from the internet, you do it on the LAN, and you granularly lock it down in the on-system firewall to only allow it from a range of addresses that IT uses to provide assistance. Still not perfect, but it’s better than most places do.
That being said if you are a member of a luddite IT staff whose coworkers don’t know how to remote into a system because they stopped learning new things 10+ years ago, you may as well turn it off because being the sole person asking them to send you remote assistance requests means you first have to explain to people why you’re doing this instead of getting into a car…
RDP is not turned on automatically. You have to turn it on.
Now if you deal with an image of Windows where it is turned on, that’s a horse of a different color.
So your bias against MS is in full view.
I am still too frightened to install Windows rollups for last September and October – both of the Updates for those months caused me to experience serious problems on my Win8.1Pro. But the October one completely destroyed my system, necessitating a new HD and all of the attendant inconvenience and costs.
I am still waiting for assurances that the October rollup in particular will not behave the same as before.
Anyone out there who had similar problems last year – please help or advise
you said: “I am still too frightened to install Windows rollups for last September and October ”
The releases are cumulative, so if you install January 2020, you’ll have everything up until that time.
I have completed installing this month’s patches on ~25 systems running Windows 10 (various versions), Server 2012-R2, 2016, and 2019, without issue.
@ASB Thank you for trying to help me. But I could not have made my situation clear – the second Update was witnessed doing its dirty work to my system – there is no doubt at all that it was the Update at fault. The reason for my insecurity is that I cannot get MS to admit or make any comment AT ALL – so if they cannot help or are not prepared to – of course I am worried that the rollup may have the same bug
You should ALWAYS do a current System Backup (System Image) along with creating a Repair Disk, especially if you’re nervous about applying updates.
If somehow an update were to make your system non-bootable or you encounter other software issues due to the update you can re-image your system and you will be back to the version you had before you attempted the software update along with all your latest data being restored at the same time.
If you experienced hardware related issues previously that is another matter, I would make sure all your drivers are at their most current level your hardware facilitates.
@Isaac
Thank you for taking the time to advise me. I know my bleating on about MS makes me look to be a newbie but it is for a very good reason. I am a great fan of mirror imaging and cloning – Macrium is my friend – but, having been a victim of CryptoLocker simply by agreeing to an authentic-looking Update from Firefox – it would seem to me that none of us should be experiencing problems with MS Updates – the intention of which is to repair – not to destroy !!
Do we ever receive answers to our problems from MS ?? I state my case.
You need to switch to a macintosh then
Has anyone else experienced, the clearing of the update history log after today’s security updates? Is this happening in Windows 10 (1909) ?
My 1909 laptop still has all of the previous updates (well, at least since the upgrade to 1909, anyway).
Hi Brian, Long Time Reader, First Time Posting…
Can you confirm that Windows 7 is not vulnerable to the cryptography bug? Both the NSA & Microsoft press releases talk about “supported” operating systems on the very date that Windows 7 expires.
It’s a code-signing verification bug, meaning it’s only really in play when you’re installing new programs, and only then IF you were previously paying attention to code signing and cert validation.
As we know, CA’s are blowing it all the time between maleficent sub vendors or outright cracked certs. Malware can be (xyz method) put into end packages even after signing or in transit. And the Windows user base pays about as much attention to cert dialogue boxes as they pay to anything else.
TLDR: Don’t download from strange places and expect a cert to save you. All a cert actually certifies now is that someone went to some amount of effort to get that on their package. It doesn’t mean it’s clean or that anyone has _actually_ vetted it. This goes for 7, 10, Linux and everything else.
Given where the bug is, you should assume that every Windows from XP onwards has it.
NOT CORRECT!
All modern Windows versions are vulnerable. Windows 7 got its last patch yesterday, which included patches for this issue.
Older unsupported windows versions are also vulnerable but did not get patches.
According to info coming out today, this bug was introduced in 2015. Code prior to that is not affected.
Search for SystemPropertiesRemote.exe and make sure Remote Desktop Connection is off. I have always turned it off, but when I checked this morning, it was turned on for one of my computers. Some update must have turned it on.
There may be some particular reasons to turn it on, but it seems like such a dangerous security hole that it is better turned on only when needed.
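Several comments in this thread land on the same two controls: RDP off wherever it is not needed, and where it is needed, reachable only from the help desk’s address range on the LAN with Network Level Authentication required. The script below is an added example for this discussion, not code from the post or from any commenter. It reports the current listener state, then offers the two hardening actions as functions you call deliberately. It assumes Windows 10 Pro/Enterprise with PowerShell 5.1 or later in an elevated session (Home edition has no RDP server, as another commenter found); the management range is a constructed placeholder.

```powershell
# Added example for this thread (not from the post or the commenters): audit
# the Remote Desktop posture discussed above, then either turn RDP off or keep
# it on only for a management range. Assumes Windows 10 Pro/Enterprise with
# PowerShell 5.1+ in an elevated session.

# Constructed example range for the help desk; replace with your own.
$ManagementRange = @('10.0.50.0/24')

$TsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpState {
    # fDenyTSConnections = 1 means the RDP listener refuses connections, which
    # is what "Remote Desktop off" in SystemPropertiesRemote.exe sets.
    $deny  = Get-ItemPropertyValue -Path $TsKey -Name fDenyTSConnections
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue)
    $scope = $rules | Get-NetFirewallAddressFilter |
             Select-Object -ExpandProperty RemoteAddress -Unique
    [pscustomobject]@{
        RdpEnabled      = ($deny -eq 0)
        FirewallRulesOn = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count
        AllowedFrom     = ($scope -join ', ')   # 'Any' means the whole network can knock
        NlaRequired     = (Get-ItemPropertyValue -Path "$TsKey\WinStations\RDP-Tcp" -Name UserAuthentication) -eq 1
    }
}

function Disable-Rdp {
    # The right default for a workstation nobody remotes into: refuse at the
    # listener and close the firewall rules so a later update that flips the
    # registry value alone does not silently re-expose port 3389.
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

function Set-RdpManagementOnly {
    param([string[]]$From)
    # Keep RDP reachable only from the help-desk range, on the Domain and
    # Private profiles (never Public), with Network Level Authentication so
    # an unauthenticated client never reaches the full session stack.
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 0
    Set-ItemProperty -Path "$TsKey\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True `
        -Profile Domain, Private -RemoteAddress $From
}

# Report first; run one of the two actions only after reading the result.
Get-RdpState
# Disable-Rdp
# Set-RdpManagementOnly -From $ManagementRange
```

Running `Get-RdpState` on a fleet is also a cheap way to catch the situation the comment above describes, a machine where RDP came back on after an update: `RdpEnabled` true with `AllowedFrom` showing `Any` is the combination to hunt for. The host firewall scope is not a substitute for the perimeter rule other commenters insist on; port 3389 still has to be blocked from the internet at the edge.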
I agree about Windows 7 being better. The feel of Windows 10 is play toys grafted onto a real operating system. I trust neither for my banking needs.
you said: “The feel of Windows 10 is play toys…”
I remember when people made the same complaint about Windows XP vs Windows 2000, yet Win2K went away with little fanfare, and people would not let go of XP for anything.
Win10 is a little different, and has a few annoying changes, but it is not nearly the complaint center that people make it out to be. But, to each his or her own, I guess.
I just want to know the KB number!
The corresponding KB (for Win 10 x64) is https://support.microsoft.com/en-us/help/4534306/windows-10-update-kb4534306
for all KBs you can find them on the CVE page: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
Thank you fine sir!
It may be a non-security update, but there’s a new release for Adobe Flash which brings all of the flavors to v32.0.0.314. If you don’t want to use Adobe’s stub installer, the full download(s) can be found here:
https://helpx.adobe.com/flash-player/kb/installation-problems-flash-player-windows.html
Gosh, I haven’t needed flash for over two years now. Chrome and Firefox play all videos I would ever want to see. I could always install VLC if I ever had a problem, but I’ve not needed it lately, either.
If you participate in some webinars by a few institutional vendors that use Adobe Connect (and not GoToMeeting or some other platform), Flash is still required.
The Windows version of Comcast’s stream app still (ridiculously) requires Flash. So does CitiBank’s Virtual Account Number (virtual credit card) creator.
Flash is now updated to v32.0.0.321, so there might be security fixes after all.
I love Win7 and have just upgraded my work laptop to Win 10, which I have delayed as long as possible as supporting it is a nightmare.
Microsoft is still offering support for Win 7 under certain conditions. It has to be an Enterprise/Pro edition and have volume licensing. It is $50 year 1, $100 year 2 and $200 year 3 – pricing is actually different depending on the version. This is pricing for PRO.
I have my home laptop now set to turn off my NIC when I close the lid. What are people’s thoughts about using a VPN tunnel to access the internet so I don’t have to upgrade?
Thoughts? Recommendations?
Thanks!
If you are referring to a VPN being used in place of not having to patch your system, then I’d disagree wholeheartedly. A VPN is great and has its place, but not here. In no way will this prevent an attack or should be used in place of updating / upgrading your system. All it really does is creates an encrypted tunnel from point A (you) to point B (somewhere else). If you’re on public wifi or if someone else is on your network, there are proof-of-concepts that can be run against your machine to exploit a vulnerability. Since there won’t be future patches for Windows 7, this vastly increases the attack surface, especially the longer you use it. If an attacker sees an unpatched or outdated OS like Windows 7, you can be sure that their eyes will light up and they’ll be attempting to exploit it.
According to reporters over at ZDnet, you can get the support extension even if you are a SOHO. However, I think it would be cheaper to simply buy DeepFreeze by Faronics and save the money over the next three years. This is dependent on the annual cost of renewing the license for it. MS will charge more each year, otherwise.
If you haven’t heard of it before, it is like those PC systems at the public library – once you reboot, everything goes back to the previous state. MS used to offer support for “Steady State”, which was their version, but they dropped that years ago. It was difficult to install, but DeepFreeze looks a lot easier from what I last read about it. I’m thinking of going that route myself. I am not a shill for Faronics – no one pays me for anything I recommend. I just like foiling the ill-gotten gains of criminals.
I would love to transition to Linux and abandon Microsoft entirely. However, in researching Linux very carefully over the last couple of years, I find that there is no major testing lab that tests Linux security software, like they do for Windows. Hence, picking security software for any Linux distro amounts to a “crap shoot,” and one can never be sure how effective it really is.
Numerous people in the Linux community claim that one doesn’t need ANY sort of security software for Linux distros. However, my research shows that this is a myth, and that Linux has and will be compromised if you don’t use a good security suite.
What’s the answer to this conundrum? I welcome comments from professionals in this field.
Thank You
I’ve been doing “linux” since 1998 (Lindows) and haven’t looked back. Several of my high-end scientific colleagues said use Knoppix – but I found that an important part of choosing a “distro” is their user forum – it needs to be active and friendly (that’s your “tech support”). Incidentally, that’s really the only way ordinary folks can find out anything truthful about “linux” since the “authors” don’t interact directly with the public (there isn’t a “linux marketing” branch like in wind*ws.). There are literally thousands of brilliant coders who make the linux codebase work, and they’re not driven by the “bottom line” which you might say is why wind*ws has never, ever gotten security “right.” (I’ll keep more cynical comments to myself.) You access those people through the user forums – yes, there are gurus on those forums.
I never liked Ubuntu/Kubuntu because it’s “too simple” – people nowadays like Linux Mint (and I think they have the best user forum). I use Opensuse, mainly because of their sysadmin tool – it made my life as a part-time sysadmin much easier
Best Regards,
PattiMichelle, Res. Scientist (retired)
USAF/SMC
I can’t speak to your first point of Linux not having a testing lab, but I can honestly say that in my 10 years of using Linux, I have NEVER had an issue with an update. Windows? Not the case. I’ve had to boot into Safe Mode many times to roll back updates. You have to understand that Linux is open-source and constantly being reviewed / updated, unlike Windows. The devs and community are not simply just blindly rolling out updates.
To your next point, you should still use security software regardless of the OS you’re using. That’s purely a myth and probably points back to security through obscurity – i.e., more vulns are seen on Windows because it has a much higher user-base. It’s just what attackers are going to develop exploits for. Why waste time writing malware for an OS that has 5 users when you can write malware for an OS that has 5,000 users?
Instead of searching in forums and other communities, I’d say to download VMware or VirtualBox and try a distro yourself. The best way to answer your questions is to play around with it yourself. They’re free. As a beginner, I’d suggest Linux Mint or Ubuntu. Linux Mint is probably the most user-friendly for “Windows switchers”, as the Cinnamon desktop resembles Windows more than other desktop environments, which brings me to my next point: you can have different desktop environments for the distros, which makes it even more customizable. Personally, I’m a Debian guy with the Gnome desktop now; though, I’ve used lots of Linux distros with lots of different desktop environments over the years.
According to Microsoft’s page on the vulnerability, they have categorized this patch as “important”.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
Any speculation as to why they did not categorize it as critical? From reading on-line analyses of the announcements, it sounds like anything that relies on validating a digital signature may be vulnerable. It seems that “important” doesn’t adequately convey how risky that is.
Strictly as a guess from reading Microsoft’s guide to severity rating, it is only important instead of critical since it does require user interaction to be exploited.
https://www.microsoft.com/en-us/msrc/security-update-severity-rating-system
One reason why you shouldn’t rely on severity ratings when applying patches.
John: “Any speculation as to why they did not categorize it as critical? From reading on-line analyses of the announcements, it sounds like anything that relies on validating a digital signature may be vulnerable. It seems that “important” doesn’t adequately convey how risky that is.”- John
I am not anti-surveillance – assuming it helps American citizens – but let me guess. The powers that be stripped away all evidence of an encryption key or debug symbols and successfully added a backdoor. Who knows?
For those who might consider “a recent flavor of Linux” be careful which “version” you select. For Ubuntu, a commonly recommended flavor, there are LTS (long term support) versions which might be the right choice for Linux newbies. The next LTS version should come out in late April 2020. The current one (18.04) was released in April 2018 and will be “supported” until April 2023. Wikipedia can provide more info if interested.
Linux Mint has been referred-to as “Ubuntu done right.” (I have been using Opensuse for the last 20 years.)
Chromebooks are a privacy nightmare. How, in good conscience, can a security professional recommend such a product? At least without a disclaimer. Not trying to be mean, but that’s worse than what Windows 10 does to your privacy. Great article otherwise.
You’re right that Chromebooks are a privacy nightmare. Essentially, they’re data acquisition devices that pipe straight to the mothership. Same with Android. I do believe that Chrome OS is secure, so bad actors won’t compromise your system, but that doesn’t protect you from Google vacuuming up your life and selling it to the highest bidder.
Windows 10 needs to be configured to improve privacy. Disable everything in the privacy prefs possible. If you use Office, disable LinkedIn integration in Outlook. LinkedIn is a spear-phisher’s wet dream.
As a Windows network admin, I feel strongly that we already pay MS way too much $$$. They shouldn’t be grabbing our data too. I understand it’s Google’s business model, but that has no business in enterprise.
In the process of looking to disable RDP (Remote Desktop) on my Windows 10 PC, I find it isn’t installed. When attempting to launch RDP, I got a message ‘Your Home edition of Windows doesn’t support Remote Desktop’.
I am running the patch and am stuck @ 94% on the Windows 10 version 1903 with no errors. How long should this take????
If I patch Windows 10 Build 1903 and then upgrade manually to Build 1909, do I need to patch the upgraded version as well?
Yes, patches are cumulative per version. Apply all patches after upgrading.
Can Microsoft, and will they, create a tool that checks the cryptographic signature of every piece of software ever installed on a computer for software that exploited this bug?
In principle it should be simple to compare whether a software package passes the old version of CryptoAPI but fails the new one but I don’t know if/how those signatures are stored.
Checking for exploits using this vulnerability could be really interesting, for many reasons.
Not usefully.
Let’s say there’s old software which was signed and later found to have vulnerabilities.
Let’s say you installed an upgraded version of that software (to fix the vulnerabilities) using the software’s auto-update system.
Let’s say you’re hacked by software using the current vulnerability. That software then goes off and disables this other software’s update system and replaces the software w/ the older vulnerable version, and then removes itself.
Your system would only have “validly signed” software, but it would be vulnerable.
It isn’t sufficient to scan a system for “valid signatures”. All configuration settings need to be “safe” / “proper” as well.
As a general rule, once a computer is compromised, the only safe thing to do is rebuild from scratch, carefully examining each piece of data before copying it over.
Thanks timeless.
I agree with your points but I am only partially interested in knowing whether my computers are safe. After all, it is safe to assume that they are not; it’s just a question of whether those vulnerabilities are known/exploited.
My greater interest is whether somebody knew of the CryptoAPI vulnerability and used it to distribute malware. If they did, you could – maybe – find software with signatures that passed the old CryptoAPI but failed the new one. And that would yield a lot of interesting data based on the malware characteristics, the recipients, etc. After all, software that was legitimately signed will pass both the old and new checks but false signatures will pass the old one and fail the new CryptoAPI.
As always a lot of useful information. Thank you.
Before installing the January 2020 Windows 10 updates (all versions), I suggest updating the Intel HD Graphics or AMD graphics display drivers on the computers so the install completes 100% successfully.
“But if you rely on this OS for day-to-day use, it’s probably time to think about upgrading to something newer.”
Brian needs to take a stronger position here.
It’s not “probably time to think about upgrading”. You *need* to upgrade to stay safe – full stop.
I’d say one can continue to use W7 as long as it’s not connected to the Internet.
Using the installed software as a standalone system or maybe on its own in-house LAN segment without internet access might be an option.
+1
I run Win 7. Got a notification from Microsoft on Jan 15, 2020 for 3 security updates for Windows 7. Even though I knew support had ended on the 14th, I installed them. I was rewarded with an eye-popping cyan background instead of my beach vacay pictures. I could find no settings that worked to change the background to the way it was the day before. I had to do a system restore to regain my preferred background. Why did those last security updates for Win 7 do this to my computer? Are they trying to annoy me enough to force me to update to 10? Did this happen to anyone else? Will I need to simply disregard any other notifications I get from Microsoft from now on?
Similar issue on one of my laptops, but rather than cyan the update painted mine black. Everything else on the desktop is fine. Reset the background to my usual and it stuck around for 2 days but when I booted up this morning, black again. So it looks like my default isn’t sticking for some reason. It’s happening on only one of my computers, which I find a bit odd. They’re all running Win7 Pro. Then again, it’s MS and I stopped trying to look for answers to the whys and wherefores years ago. Just grateful that I wasn’t greeted with the BSOD.
This update likely broke a bunch of cross-device connectivity (i.e. my phone, 3rd party keyboard). I can’t import photos or use my touchpad on the keyboard despite confirming the most recent drivers are installed and reinstalled.
Thanks as always for your top-class reporting on this stuff, Brian.
There are a large number of very good comments. But I am just going to add my 2 cents, and I may address the whole issue of Windows 10 security, surveillance, total costs, and so on later.
My customers mostly have a mix of Windows 7/8.1 and a few Windows 10 machines. I am seeing drivers in Dell and Lenovo getting corrupted by an update – mostly on 7/8.1, which makes me suspicious of MS profit goals.
Once you move to Windows 10 you are starting to get pushed into the so called “cloud” with problems and costs of an unknown magnitude.
My current solution is to reinstall all the hosed drivers and/or roll back Dell and Lenovo machines.
Yes, most of my customers don’t allow RDP to be used – but one or two machines may have been enabled by the MS updates – or a dishonest employee.
Also, I note that Win 7/8.1 machines with Windows Defender or MS Security Essentials let updates through [new MS AV definitions seem to reach MS update servers, causing the “disabled – never check” method to be side-stepped – maybe Deepfreeze is a better option].
In the case of Win Defender/Security Essentials I replace them with another AV product. This is not a perfect solution.
Last, I note the NSA has a huge disclaimer [see Brian K’s link to the NSA PDF]:
“The information and opinions contained in this document are provided “as is” and without any warranties or guarantees….blaa, blaa, blaa…”-NSA
I find that disclaimer less than good or practically gutless – who knows what the NSA is doing. They are probably trying to do good – but may cause more damage than necessary.
> In the case of Win Defender/Security Essentials I replace them with another AV product.
On multiple machines with W-7, all with Windows Update set to “check for updates”, updates for Microsoft Security Essentials continue to be available *after* the 14 Jan 2020 drop-dead date; just sayin’. (And no, this isn’t a permanent solution….)
Keep your eye on Amazon – its online behavior is suddenly changing this morning with respect to passwords and the authentication of.
Could you elaborate? Thanks.
If you don’t need remote desktop, in addition to turning off Remote Desktop, consider disabling the 3 remote desktop related services in “Services (Local)”. And while you’re at it, disable the Remote Procedure Call (RPC) Locator. As MS states, starting with Vista, “this service does not provide any functionality and is present for application compatibility.” Why leave any service you don’t need enabled?
Here is a little good news. First, the “scary” Crypt32.dll/CryptoAPI faulty inspection of Elliptic Curve certificate chains problem [Note 1] can be tested by going to SANs test page [Note 2] – hat tip Woody. I attest to the fact that spot checking Windows 7/8.1 machines does not show them susceptible to this flaw. Spot checks on Windows 10 showed one machine was vulnerable.
Next, to the dangerous RDP and RDGateway/RDWeb problem … It can be nurtured by turning off JavaScript [Note 3 and Note 4] – hat tip to Woody. JavaScript can be a real problem for Windows boxes [if you still even use MS RDP – which some people don’t].
Finally, poster Duke Nukerson notes “[Windows 7]… hasn’t gone anywhere. In fact you can still pay for another year or two of support”
I have to agree. My customers have fairly dependable machines with working and necessary scripts to accomplish their tasks. They really don’t like Windows 10 due to the fact it changes rapidly, has not stabilized after 4.5 years, leaks too much data, is not noticeably faster than older Windows 7 code and frankly costs too much [maintenance, cloud security/backup costs and cloud storage costs]. I will say that my mix of customers handle medical, accounting and legal data – but are smaller customers than the 3000-box companies with large budgets. YMMV depending on size.
That said, I am really not happy with MS products, which seem to get debauched with every update. The whole MS situation is far from perfect. MS seems to keep increasing the cost of maintaining their products year by year.
Note 1:
https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/
Note 2:
ht tps://www.askwoody[.]com/2020/is-your-system-susceptible-to-a-chainoffools-curveball-cve-2020-0601-attack/
and the test page
ht tps://curveballtest[.]com/index.html
Note 3:
ht tps://www.askwoody[.]com/2020/patch-lady-forget-that-crypto-one-worry-about-this-one/
and
ht tps://www.askwoody[.]com/2020/theres-a-manual-workaround-for-the-rd-gateway-security-holes-cve-2020-0609-and-0610/
Note 4:
ht tps://www.kryptoslogic[.]com/blog/2020/01/rdp-to-rce-when-fragmentation-goes-wrong/
I am not affiliated with Woody in any way.