[German]September 2019 has just begun, and the figures for the operating system share on the desktop are available for the end of August 2019. Here is a look at the figures.

Some figures

The latest figures from netmarketshare.com (until the end of August 2019) show that Windows is still running at 87.89 (July 2019: 88.45 %) of desktop systems. Mac OS comes to 9.68% (July 2019: 8.98%), while Linux runs on 1.72% (July 2.10%) of the systems. So no major change. 

(netmarketshare.com OS share 8.2019)

In the analysis of the share by operating system version, NetMarketShare shows the following figures for the desktop operating systems at the end of August 2019 (see figure above):

• Windows 10 holds 50.99 % (previous month 48.86%),
• Windows 7 is at 30.34% (previous month 31.83%),
• Windows 8.1 still has a share of 4.20 % (previous month 5.29 %),
• and macOS 10.14 comes to 5.95 % (previous month 5.38 %).

If statistical fluctuations are taken into account, almost all have remained the same.

Some conclusions

Even if the figures fluctuate only slightly, it can be regarded as statistical uncertainties, at least in my eyes, interesting conclusions can still be drawn.

• Six months before the end of support, Windows 7 still has a 30% market share on the desktop. A sign that the operating system continues to be appreciated by users.
• Interesting for me is the slight drop in the use of Windows 8.1. Apparently users are not switching from Windows 7 to Windows 8.1, but are choosing other operating systems.   
• I can’t say, whether the slight increase in macOS 10.14 is an indication that people are switching from Windows 7 to Apple Macs. It could also be due to slight statistical fluctuations or users upgrading from older macOS versions.
• Linux does not actually appear in the equation – its user share has meanwhile fallen to 1.26% – and it I recalled that the figure was around 2% in the past.

You can summarize the above data in a few short sentences. Even just before the end of Windows 7 support Windows 10 didn’t overtake the desktop. Since the beginning of 2019, Windows 10 has only grown by around 10%, a sign that Microsoft’s new operating system is not really fit with user requirements. Or in brief: Six months before Windows 7 End of Life Windows 10 isn’t at 80%, and Linux is far away from ‘it’s long year propose’ to overtake the desktop.

Economic and ecological nonsense?

And another thought that has just come to my mind. Apparently most people don’t really miss anything with Windows 7 and would like to continue using it. Of course, the End of Life date was announced at the release of any previous Windows versions, including Windows 7. It was also a fact for a long time: Windows gets 10 years of support, because in the meantime there was a newer and mostly better OS alternative from Microsoft.

But currently we experience that million systems, which works well, are simply destroyed in such a way, although Windows 7 of the functionality is sufficient for many purposes. Microsoft could not score with Windows 8 and Windows 8.1. And with the Windows as a Service approach of Windows 10, this insanity continues.

Or say it other word: The software industry is mutating due to its update cycles into one of the biggest capital destroyers and eco-pigs of the planet. A few days ago, I realized once again that the IT development driven by computer specialists and marketing – at least in the area of operating systems – don’t meet the requirements of industrial users. Welding machines, laser cutter or other mechanical tools, plants in the chemistry and process or steel production plants, diagnostic units in industry and medicine etc. are sometimes projected for a life time of 10, often even 20 to 40 years. But the Windows systems used there for supervisory are lasting 10 years (and with Windows 10 just 30 months in best case). A revamp in this environments is in most It’s a mis-fit both from an economic and from a safety point of view. In terms of sustainability this could not be the way of our future. We should start, thinking about that.

[German]The day that software vendors and security researchers have been waiting for for months has arrived. A metasploid for the Bluekeep vulnerability in Windows is publicly available.

I had been warning about the BlueKeep vulnerability for months and waiting for an exploit every day (see BlueKeep warning: Exploit might come soon?). Now it seems to have happened, as you can see in the following tweet. Exploit for wormable Bluekeep Windows bug released into the wild.

Exploit for wormable Bluekeep Windows bug released into the wild https://t.co/1mCiPR5ZeF by @dangoodin001

— Ars Technica (@arstechnica) September 6, 2019

The exploit is ‘wormable’, i.e. the infection of a computer is enough to spread the malware over the network. Some information is also available from Bleeping Computer .

Work of Programm on GitHub

On GitHub the code for a BlueKeep exploit was published as ‘Work in Progress’. The exploit exploits the vulnerability CVE-2019-0708, alias BlueKeep, via RDP in the Windows kernel. The author of the exploit writes that the RDP driver termdd.sys handles bindings to the internal channel MS_T120 improperly. Thus a faulty Disconnect Provider Indication message can trigger a use-after-free error. With a controllable Data/Size Remote nonpaged Pool Spray, an indirect call gadget of the enabled channel is used to achieve arbitrary code execution.

The module currently works with 64-bit versions of Windows 7 and Windows Server 2008 R2. However, for Windows Server 2008 R2, a registry entry must be changed to allow heap grooming over the RDPSND channel. The author writes that there are other ways to use alternative channels that are enabled by default on all Windows operating systems.

The module is currently classified as manual because the user must enter additional target information. Otherwise, there is a risk of the target host crashing. The module implements a default TARGET option that only searches for a vulnerable host and displays some initial information about the specific target operating system. However, an attack requires the user to specify a more specific target. Later or further improvements in this module could allow a more accurate determination of the target system’s memory layout at runtime.

Background to the BlueKeep vulnerability

I had reported about the BlueKeep vulnerability CVE-2019-0708 in several blog posts. An explanation of the vulnerabilities can be found in the blog post Security Critical update for Windows XP up to Windows 7 (May 2019).

There is a patch, but it has not been installed on all systems. It is currently estimated that approximately 800,000 systems are still unpatched and accessible via the Internet (see BlueKeep warning: Exploit might come soon?).In my blog post How To: BlueKeep-Check for Windows, I explained how a system can be scanned both locally for installed patches and in a network for vulnerabilities.

Similar articles
A threat actor scans Windows systems for BlueKeep vulnerability
BlueKeep: Windows Remote Desktop Services vulnerability exploits status
Critical update for Windows XP up to Windows 7 (May 2019)
Nearly 1 million Windows machines with BlueKeep vulnerability
BlueKeep vulnerability: Microsoft warns about a wormable malware epedemia
BlueKeep: Patch for pirated copies; SSL tunnel as a risk factor
How To: BlueKeep-Check for Windows

[German]A brief message for administrators in corporate environments using Windows Analytics. The product will be discontinued on January 31, 2020, so Windows 7 SP1 and Windows Server 2008 R2 will only survive 2 weeks.

What’s Windows Analytics?

Windows Analytics  is a cloud based analysis service and part of the Microsoft Operations Management Suite (OMS). With a number of solutions for Azure Portal, extensive data is collected on the state of devices during deployment. There are currently three solutions that you can use individually or in any combination:

• Device Health: The Device status allows you to identify devices that frequently crash and need to be reinstalled, identify device drivers that cause crashes, and create notifications about Windows Information Protection misconfigurations.
• Update monitoring: The Update compatibility shows you the state of your devices with respect to Windows updates, so you can make sure you get the latest updates when you need them.
• Upgrade Readiness: The feature Upgrade  Readiness provides a set of tools to plan and manage the upgrade process.

For more information, see the Microsoft Windows Analytics document.

Retirement has been announced

The following tweet tells me that Windows Analytices will be retired soon, on January 31, 2020.

Heads up! “We plan to retire Windows Analytics in favor of Desktop Analytics on January 31st, 2020.” https://t.co/if52xqSpdi #desktopanalytics #configmgr

— Garrett Chandler (@gwchandler) September 7, 2019

The Techcommunity article Migrate user input data from “Windows Analytics: Upgrade Readiness” to Desktop Analytics encourages users to switch to Desktop Analytics. This cloud service was announced as a preview in early July 2019. Desktop Analytics is used by hundreds of customers to keep nearly two million Windows devices up to date. 

And because Microsoft received so much been enthusiastically feedback, Microsoft plans to discontinue Windows Analytics by January 31, 2020. If you are not yet a Windows Analytics customer, Microsoft recommend that you test Desktop Analytics immediately. New customers will no longer be able to use the “Upgrade Readiness” and “Device Health” solutions as soon as Desktop Analytics is generally available in the coming weeks. Those who already use “Update Compliance” in the Azure portal can do so even after January 2020. More details can be found in the linked article.

[German]As of September 10, 2019, Microsoft released security updates for Windows clients and servers, Office, and more. Here is a compact overview of these updates.

A list of the updates can be found on this Microsoft page. Details about the update packages for Windows, Office etc. can be found in separate blog posts.

Servicing Stack Updates

Microsoft now publishes an overview of all current Servicing Stack Updates (SSUs). The list of SSUs can be found at ADV990001.

Notes on updates

All Windows 10 updates are cumulative. The monthly Patchday update includes all security fixes for Windows 10 and all non-security fixes up to Patchday. In addition to the security patches for the vulnerabilities, the updates include defense-in-depth updates to improve security.

Updates can also be downloaded from the Microsoft Update Catalog. Updates for Windows RT 8.1 and Microsoft Office RT are only available through Windows Update. Information about the support period for Windows 10 can be found in the Windows Lifecycle Facts Sheet.

Internet Explorer 11 will be available on Windows Serverv 2012 from May 2019. This configuration is available only through the Cumulative Update for IE. .

The September 2019 security updates cover 85 vulnerabilities, of which 19 are classified as “critical”, 65 as “important” and one as “moderate”. There is also a critical note related to the latest update to Adobe Flash Player. Talos has published a summary here. According to askwoody.com, two vulnerabilities are ‘known’ and two are already attacked (but requires the attacker to be locally active). There is also a fix for the bug in the Windows 10 V1903 search and the high CPU load by Cortana (see also my old article Windows 10 V1903: Search and Cortana bug in Update KB4512941 confirmed (09/05/2019), where a fix was promised).

Critical Security Updates

Internet Explorer 11
ChakraCore
Microsoft Edge
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core
installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core
installation)
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server
Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1703 for 32-bit Systems
Windows 10 Version 1703 for x64-based Systems
Windows 10 version 1709 for 32-bit Systems
Windows 10 version 1709 for x64-based Systems
Windows 10 Version 1709 for ARM64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server, version 1803 (Server Core Installation)
Windows Server, version 1903 (Server Core Installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Microsoft Excel 2010 Service Pack 2 (32-bit editions)
Microsoft Excel 2010 Service Pack 2 (64-bit editions)
Microsoft Excel 2013 RT Service Pack 1
Microsoft Excel 2013 Service Pack 1 (32-bit editions)
Microsoft Excel 2013 Service Pack 1 (64-bit editions)
Microsoft Excel 2016 (32-bit edition)
Microsoft Excel 2016 (64-bit edition)
Microsoft Lync Server 2013
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2013 RT Service Pack 1
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
Microsoft Office 2016 for Mac
Microsoft Office 2019 for 32-bit editions
Microsoft Office 2019 for 64-bit editions
Microsoft Office 2019 for Mac
Microsoft Project 2010 Service Pack 2 (32-bit editions)
Microsoft Project 2010 Service Pack 2 (64-bit editions)
Microsoft Project 2013 Service Pack 1 (32-bit editions)
Microsoft Project 2013 Service Pack 1 (64-bit editions)
Microsoft Project 2016 (32-bit edition)
Microsoft Project 2016 (64-bit edition)
Microsoft SharePoint Enterprise Server 2013 Service Pack 1
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Server 2019
Microsoft SharePoint Foundation 2010 Service Pack 2
Microsoft SharePoint Foundation 2013 Service Pack 1
Office 365 ProPlus for 32-bit Systems
Office 365 ProPlus for 64-bit Systems
.NET Core 2.1
.NET Core 2.2
ASP.NET Core 2.1
ASP.NET Core 2.2
ASP.NET Core 3.0
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5 AND 4.7.2
Microsoft .NET Framework 3.5 AND 4.8
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6.2
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2
Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2
Microsoft .NET Framework 4.7.1/4.7.2
Microsoft .NET Framework 4.7.2
Microsoft .NET Framework 4.7/4.7.1/4.7.2
Microsoft .NET Framework 4.8
Rome SDK 1.4.1

Important Security Updates

Microsoft Access 2010 Service Pack 2 (32-bit editions)
Microsoft Access 2010 Service Pack 2 (64-bit editions)
Microsoft Access 2013 Service Pack 1 (32-bit editions)
Microsoft Access 2013 Service Pack 1 (64-bit editions)
Microsoft Access 2016 (32-bit edition)
Microsoft Access 2016 (64-bit edition)
Microsoft Exchange Server 2016 Cumulative Update 12
Microsoft Exchange Server 2016 Cumulative Update 13
Microsoft Exchange Server 2019 Cumulative Update 1
Microsoft Exchange Server 2019 Cumulative Update 2
Microsoft Visual Studio 2015 Update 3
Microsoft Visual Studio 2017
Microsoft Visual Studio 2017 version 15.9
Microsoft Visual Studio 2019 version 16.0
Microsoft Visual Studio 2019 version 16.2
Yammer for Android

Moderate Security Updates

Internet Explorer 9
Internet Explorer 10

Similar articles:
Microsoft Office Patchday (September 3, 2019)

[German]On September 10, 2019, Microsoft released various (security) updates for Windows 7 SP1 and other updates for Windows 8.1 as well as the corresponding server versions. Here is an overview of these updates.

Updates for Windows 7/Windows Server 2008 R2

For Windows 7 SP1 and Windows Server 2008 R2 SP1, a rollup and a security-only update have been released. The update history for Windows 7 can be found on this Microsoft page. Installation requires installed SHA2 support to successfully install the security updates. 

KB4516065 (Monthly Rollup) for Windows 7/Windows Server 2008 R2

Update KB4516065 (Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1) contains improvements and bug fixes and addresses the following items:

• Provides protections against a new subclass of speculative execution side-channel vulnerabilities, known as Microarchitectural Data Sampling, for 32-Bit (x86) versions of Windows (CVE-2019-11091,CVE-2018-12126, CVE-2018-12127, CVE-2018-12130). Use the registry settings as described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions and Windows Server OS editions.)
• Security updates to Windows App Platform and Frameworks, Windows Input and Composition, Windows Media, Windows Fundamentals, Windows Kernel, Windows Authentication, Windows Datacenter Networking, Windows Storage and Filesystems, the Microsoft JET Database Engine, and Windows Server.

In addition to the many unnamed vulnerabilities, the update once again addresses vulnerabilities caused by speculative side-channel attacks. This update is automatically downloaded and installed via Windows Update. The package is also available via Microsoft Update Catalog and again distributed via WSUS. The installation requires that the latest SSU (KB4516655) is already installed. If you install it via Windows Update, it will be installed automatically.

Since August 2019, the SHA-2 update (KB447444419) must be installed before installing this security update. This update will only be delivered via SHA-2 Code Signing for Windows Update and WSUS.

For this update, Microsoft lists the known issue that users may receive an error when opening or using the Toshiba Qosmio AV Center after installing this update. Errors may also occur in the event log associated with cryptnet.dll. Microsoft is working with Toshiba to resolve this issue and will provide a fix with upcoming updates.

But there is a second problem: VBScript in Internet Explorer 11 should be disabled by default after installing KB4507437 (preview of monthly rollup) or KB4511872 (Internet Explorer cumulative update) and later. Under certain circumstances, however, VBScript may not be disabled as intended. The KB article contains instructions on how to solve the issue. 

KB4516033 (Security Only) for Windows 7/Windows Server 2008 R2

Update KB4516033 (Security-only update) is available for Windows 7 SP1 and Windows Server 2008 R2 SP1. The update addresses the same issues as Update KB4516065 (see above). The update is available via WSUS or in the Microsoft Update Catalog. If you install the update, you must first install the latest Servicing Stack Update (SSU) (see above). You should also install the security update KB4516046 or IE. In this update, Microsoft lists the same Toshiba AV Security Center issues as for update KB4516033. 

Updates foür Windows 8.1/Windows Server 2012 R2

For Windows 8.1 and Windows Server 2012 R2 a rollup and a security-only update have been released. The update history for Windows 8.1 can be found on this Microsoft page. 

KB4516067 (Monthly Rollup) for Windows 8.1/Server 2012 R2

Update KB4516067 (Monthly Rollup for Windows 8.1 and Windows Server 2012 R2) contains improvements and fixes, and addresses the following istems.

• Provides protections against a new subclass of speculative execution side-channel vulnerabilities, known as Microarchitectural Data Sampling, for 32-Bit (x86) versions of Windows (CVE-2019-11091,CVE-2018-12126, CVE-2018-12127, CVE-2018-12130). Use the registry settings as described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions and Windows Server OS editions.)
• Security updates to Windows App Platform and Frameworks, Windows Kernel, Windows Input and Composition, Windows Media, Windows Fundamentals, Windows Authentication, Windows Datacenter Networking, Windows Storage and Filesystems, the Microsoft JET Database Engine, and Windows Server.

This update is automatically downloaded and installed by Windows Update, but is also available from the Microsoft Update Catalog For manual installation, the latest Servicing Stack Update (SSU) must be installed first.

The update has a known problem: Certain operations, such as renaming files or folders located on a cluster shared volume (CSV), may fail with the error “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the action on a CSV owner node from a process that does not have administrator privileges. See the KB article for details.

KB4516064 (Security-only update) for Windows 8.1/Server 2012 R2

Update KB4516064 (Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2) addresses the same points as update KB4516067. The update is available via WSUS or via the Microsoft Update Catalog. The update also has known issues that are described in the KB article. For a manual installation, the latest Servicing Stack Update (SSU) must be installed beforehand. For this update, Microsoft lists the same issues as for update KB4512488.  You should also install the KB4516046 update for IE.

Similar articles:
Microsoft Office Patchday (September 3, 2019)
Adobe Flash Player 32.0.0.255
Microsoft Security Update Summary (September 10, 2019)
Patchday: Updates for Windows 7/8.1/Server (Sept. 10, 2019)

[German]Sophos, the owner of Sandboxie software, has just announced that the tool will be released for free. A license is no longer required – in version 5.31.4 all restrictions have been removed. The release as open source will follow. Here are some hints about this tool.

What is Sandboxie?

Sandboxie is an application isolation program that allows you to run other software under Windows in a controlled environment. Sandboxie takes control when installing the application and isolates all file and registry accesses and redirects them to separate files.

Sandboxie’s isolation technology separates the installed programs from the underlying operating system. This prevents unwanted changes from being made to personal data, programs, and applications that are safely stored on the hard drive. Sandboxie therefore enables you to test software and later uninstall it from the system without leaving any traces.

I myself used Sandboxie under Windows XP for application virtualization. You could test software and then uninstall it without leaving any traces, files or settings. However, at some point I ran into more and more into a situation where Sandboxie failed or the software could not be installed or used. A short time later the program became fee-based – and since I often ran into issues, I begun using virtual machines for my tests. With snapshots I could always reset the guest operating systems to their original state.

Sandboxie released as free tool

Since then, I haven’t been tracking what happened to Sandboxie, so I didn’t realize it was being bought by Sophos. The Sandboxie website now has the following information (thanks to Ralf for the hint):

Sophos is releasing Sandbox as a free tool and plans to make it open source. Sophos mentions that the decision was made under cost considerations, as the tool has probably never been a significant part of Sophos’s business, but on the other hand they had to maintain the software. It is commendable that Sophos is not simply letting the tool die, but is planning to put its further devlopment in the hands of the user community. They can continue to maintain the open source tool.

Personally, I think that Microsoft’s decision to add the Windows Sandbox to Windows 10 Professional also played a role in Sophos’ decision. In any case, Sophos announces that they have remove all restrictions on the unlicensed version with the new release. If you still have a Sandboxie license, you still have to switch to the ‘free version’.

Sandboxie Version 5.31.4 has been available for download as a 32- or 64-bit version for Windows 7 to Windows 10 on this website since September 10, 2019. However, registration is required – due to US export regulations. This Community post contains some additional information.

[German]Microsoft doesn’t trust self-encrypting drives (SEDs) no more and has begun to encrypt self-encrypting drives (SEDs) using Bitlocker in Windows 10.

Cause: SSD manufacturers fail with encryption

Self-encrypting drives (SEDs) are actually a good thing because the operating system doesn’t have to worry about encryption. However, the problem is that these drives do not work reliably in terms of encryption. In November 2018 Microsoft had to publish the security advisory ADV180028 entitled Guidance for configuring BitLocker to enforce software encryption. The background was that the self-encrypting drives (SEDs) had weaknesses in hardware encryption.

On Windows computers with self-encrypting drives, BitLocker Drive Encryption was configured to use hardware encryption by default. Customers who were worried about the vulnerabilities they discovered were advised to take action by Microsoft. Administrators who want to enforce software encryption on computers with self-encrypting drives can do so by deploying Group Policy. This Group Policy overrides the Windows default behavior, which is hardware encryption, and Bitlocker encrypts the data using software.

Microsoft switches to Bitlocker for encryption

Now Microsoft starts to deactivate the hardware encryption in Windows 10 and uses a software encryption with Bitlocker. I was made aware of this by the following tweet. 

Microsoft gives up on SSD manufacturers: Windows will no longer trust drives that say they can encrypt themselves, BitLocker will default to CPU-accelerated AES encryption instead. This is after an exposé on broad issues with firmware-powered encryption.https://t.co/6B357jzv46 pic.twitter.com/fP7F9BGzdD

— SwiftOnSecurity (@SwiftOnSecurity) September 27, 2019

The support article for update KB4516071 for Windows 10 Version 1709, released on September 24, 2019, contains the following item:

Changes the default setting for BitLocker when encrypting a self-encrypting hard drive. Now, the default is to use software encryption for newly encrypted drives. For existing drives, the type of encryption will not change.

When encrypting a ‘self-encrypting drive’, the update changes the setting. Instead of using the encryption by the drive, Windows 10 itself does this using Bitlocker. The same text can be found in Update KB4516061 for Windows 10 Version 1607 and Windows Server 2016. 

Meanwhile sites like Tom’s Hardware also report about this issue (with reference to the Tweet and further statements by @SwiftOnSecurity). For other Windows 10 builds, I haven’t found a clue to this change yet. I’m not sure if and when other Windows 10 builds will make this change.

Similar articles:
Bitlocker on SSDs: Microsoft Security Advisory Notification (Nov. 6, 2018)

[German]Microsoft has just released an analysis of the Nodersok infection chain. The malware runs entirely in memory and is difficult for antivirus programs such as Defender to detect (but Microsoft Defender ATP can detect the malware). There are thousands of infections of Windows systems, including in Europe.

The Nodersok malware

There is malware which is named Nodersok at Microsoft (Talos calls it Divergent), which is files-less, but is rolled out via Node.js in the form of encrypted scripts. The entire malicious code is unpacked in memory and then executed. Therefore, a virus scanner like Microsoft Defender cannot detect this malware. The following tweet deals with the whole thing.

Every step of #Nodersok‘s infection chain runs only legitimate executables. All relevant functionalities reside in scripts and shellcodes that come in encrypted and are decrypted and run while only in memory. More in our analysis of this #fileless threat: https://t.co/d4XC5dQeg7

— Microsoft Security Intelligence (@MsftSecIntel) September 27, 2019

According to this Microsoft post the new malware campaign, called Nodersok, uses its own LOLBins image – and it uses two very unusual, legitimate tools for infected computers:

• Node.exe, the Windows implementation of the popular Node.js framework that is used by countless web applications.
• WinDivert, a powerful network packet capture and editing program.

A LOLBins stands for Living off the land Binary and is a term for a binary file that an attacker uses to perform actions that go beyond the original purpose (see the explanations here).

As with any LOLBin, these tools are not themselves malicious or vulnerable; they provide important functionality for legitimate use under Windows. But the Nodersok uses the tools for its own purposes. It is not uncommon for attackers to download legitimate third-party tools to infected computers (e.g. PsExec is often misused to execute other tools or commands).

Difficult to detect

But Nodersok uses a long chain of file-less techniques to install some very special tools. The ultimate goal is to turn infected computers into zombie proxies. Due to the file-less approach, the attack is very difficult to detect (Microsoft Defender does not detect the malware because there are no files to scan) – but the attack’s behavior creates a visible ‘footprint’ that is clearly visible to anyone who knows where to look. With its set of advanced defense technologies, Microsoft Defender ATP is able to detect the threat throughout the infection chain.

Thousands of machines infected

The Nodersok campaign has attacked thousands of machines in recent weeks, with most targets in the United States and Europe. The majority of the systems attacked are in the hands of consumers. But about 3% of the attacked Windows machines are operated in organizations in areas such as education, professional services, healthcare, finance and retail.

(Source: Microsoft)

The Microsoft diagram above shows that about 8% of the attacks detected on Windows systems in Germany are in Germany. Microsoft discovered this malware campaign ready in mid-July 2019 when suspicious patterns appeared in the abnormal use of MSHTA.exe from Microsoft Defender ATP telemetry. In the days that followed, further anomalies became apparent, leading to a tenfold increase in activity. The campaign peaked at the end of August and the beginning of September 2019 before fading away. Further details can be found in the Microsoft article here or in this article on The Hacker News.

[German]Microsoft has just confirmed that some Windows systems may experience problems with printers after the September 2019 updates has bee installed. Here are an overview and also the details I know so far.

The printing issues – a brief review

In Windows 10 version 1903, some users recognized that the printer queue crashes after installing the KB4517211 update and they could no longer print. Specifically, the spooler service for the printers crashes, causing no printers to be detected by applications. The affected person can restart the service, but it crashes again during printing.

After a reader comment, I had briefly mentioned the issue within my blog post Windows 10: Issues with Updates KB4522015, KB4522016 / KB4517211 (Sept. 2019). When writing the post, I still assumed that this could be an isolated case for one user. Afterwards, however, a number of independent confirmations came from readers both here and in the German-language blog. So later I decided to create a separate blog post Windows10 V1903: Update KB4517211 causes printer issues.

After receiving additional confirmations from more users, I found a post in the Microsoft Answers forum and escalated the issue to Microsoft moderators – together with the request to forward this with a link to my post above to Microsoft’s developers (as a Microsoft Answers community moderator I still can do that). .

Issue confirmed for all Windows versions

Meanwhile Microsoft has confirmed this error in the Windows 10 V1903 status page (my colleagues noticed this, because I haven’t found anything in the KB articles yet). Microsoft writes with date September 30, 2019:

Intermittent issues when printing

The print spooler service may intermittently have issues completing a print job and may result in a print job being canceled or failing. Some apps may close or error when the print spooler fails and you may receive a remote procedure call error (RPC error) from some printing utility or printing apps.

So everything that my blog readers have also reported here as comments to my posts. Interesting is, however, that all Windows versions may be be affected.

• Client: Windows 10, Version 1903; Windows 10, Version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, Version 1803; Windows 10, Version 1709; Windows 10, Version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, Version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
• Server: Windows Server, Version 1903; Windows Server, Version 1809; Windows Server 2019; Windows Server, Version 1803; Windows Server, Version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2

Microsoft is working on a solution and pans to release an update for Windows in future. Currently uninstalling update KB4517211 may solve the issue.

At this point I took a closer look at the Microsoft article, because this issue doesn’t hit all users. And in contrast to the comments, which I got here in the blog, users of Windows 7 SP1, Windows 8.1 or Windows Server can also be affected. I will outline more within the following text.

Is there a workaround?

Microsoft writes that affected users can try to print again and that this might even work. If that doesn’t work, and you can’t print by retrying, you should restart the device (interesting workaround ‘have you tried to switch it off and on again).

If the device uses a v4 printer driver and a v3 driver is available, you can also try to install the older v3 driver as a workaround. This also explains why for some people have been successful, installing the printer driver using the .inf files in device manager fixed the issue, while re-installing the latest printer driver doesn’t repair it.

Just in case, somebody wondering what v3 drivers are. It’s the old driver architecture used for Windows 2000 7 up to Windows 7. Microsoft decided to establish a new printer driver architecture v4 for Windows 8/Windows Server 2012 and declare old v3 drivers as legacy. See this post and this article for more details.

But I’m guessing that some people can’t avoid uninstalling update KB4517211 and then waiting for a fix from Microsoft.

Microsoft blame Internet Explorer Update KB4522016

When I then saw that Microsoft was providing the security update KB4522016 (for Win 10 V1903) from September 23, 2019, things became clear to me. Because that was the security update for Internet Explorer that I described in the blog post Windows: Vulnerabilities in IE and Defender (09/23/2019). And that explains, why not all users are affected. Because this update was only available for download in the Microsoft Update Catalog.

Question: Can affected persons confirm that the IE security update was installed there and that the bug is gone after uninstalling the security update? A list of updates for distinct Windows versions may be found in the blog post Windows: Vulnerabilities in IE and Defender (09/23/2019).

Addendum: According to the feedback I got within my German blog, my doubts that KB4522016 is the root cause of the printer issues are confirmed. Users with printer issues did not install the KB4522016 update (or one of the other update for distinct Windows versions). So I guess it can’t be the (only) roote cause.

Addendum 2: Microsoft released a fix on October 3, 2019 – see my blog post Windows Updates fixes printer bug (Oct. 3, 2019) for further details.

Similar articles:
Windows 10: Issues with Updates KB4522015, KB4522016 / KB4517211 (Sept. 2019)Windows 10 V1903: Update KB4517211 released (09/26/2019)
Windows 10 Version 1903: Ready for broad realease
Windows 10 19H2 Insider Preview in Release Preview Ring
Windows10 V1903: Update KB4517211 causes printer issues
Windows: Vulnerabilities in IE and Defender (09/23/2019)

[German]Microsoft finally released the cumulative security update KB4524135 for Internet Explorer versions 9 to 11 on October 3, 2019 to close a vulnerability that had become known in September.

The vulnerability CVE-2019-1367 in IE

On September 23, 2019, Microsoft had surprisingly released out-of-band security updates for Internet Explorer that were intended to close the CVE-2019-1367 vulnerability.

CVE-2019-1367 is a memory corruption vulnerability in IE’s scripting engine. This is related to the handling of objects in Internet Explorer memory by the scripting engine. The vulnerability could damage the memory to such an extent that an attacker could execute arbitrary code in the context of the current user.

An attacker who successfully exploited the vulnerability is granted the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs, view, modify, or delete data, or create new accounts with full user privileges.

I had blogged about the updates available for the various Windows versions in the blog post Windows: Vulnerabilities in IE and Defender (09/23/2019). According to KB article, the security updates were only available for manual download in the Microsoft Update Catalog und had to be installed manually. However, there were printing issue with the September updates and Microsoft blamed the IE security update for this (see Windows: Printer issues after Sept. 2019 Update confirmed).

Update KB4524135 for Internet Explorer

Cumulative Update KB4524135, released on October 3, 2019, is available for Internet Explorer 9 – 11 for the following Windows versions:

• Internet Explorer 11 on Windows Server 2012 R2
• Internet Explorer 11 on Windows Server 2012
• Internet Explorer 11 on Windows Server 2008 R2 SP1
• Internet Explorer 11 on Windows 8.1 Update
• Internet Explorer 11 on Windows 7 SP1
• Internet Explorer 10 on Windows Server 2012
• Internet Explorer 9 on Windows Server 2008 SP2

The cumulative update addresses again the CVE-2019-1367 vulnerability, and this time it is shipped via both Windows Update and WSUS. The update can also be downloaded from the Microsoft Update Catalog and installed manually.

Before installing the IE update KB4524135, the installation of Servicing Stack Update (SSU) (KB4490628) or newer (if available) is recommended. In addition, the SHA-2 update (KB4474419) dated September 10, 2019 must have been installed under Windows 7 and Windows Server 2008/R2.

Microsoft also recommends that you install the latest Servicing Stack Update (SSU) (KB4516655) under Windows 7/Server 2008/R2 after installing the update. If a language pack is subsequently installed, update KB4524135 must be reinstalled. The support article KB4524135 lists known errors and further information that should be noted.

The printer issue mentioned below will be fixed in separate Windows-Updates.

Addendum: See also my new article Windows/IE: Issues and confusion with updates (10/03/2019) discussing new/old issues.

Similar articles:
Windows: Vulnerabilities in IE and Defender (09/23/2019)
Windows: Printer issues after Sept. 2019 Update confirmed
Windows10 V1903: Update KB4517211 causes printer issues
Windows 10: Issues with Updates KB4522015, KB4522016 / KB4517211 (Sept. 2019)
Windows Updates fixes printer bug (Oct. 3, 2019)

[German]Microsoft has released a cumulative security update for Internet Explorer on October 3, 2019, as well as an optional bug fix update for various Windows versions to fix the printer bug. At the end of the day, it turns out that the updates raise more questions and problems than they solve.

In the night from October 3 to October 4, 2019, I summarized hints about these updates in the following two blog posts.

Internet Explorer: Cumulative Update KB4524135 (10/03/2019)
Windows Updates fixes printer bug (Oct. 3, 2019)

The comments I received to those articles (German, English) reveals inconsistencies and additional errors. Here is an outline of the situation.

Internet Explorer updates knitted with a hot needle?

Cumulative security supdate KB4524135 for Internet Explorer 9 till 11 shall fix a vulnerability CVE-2019-1367 (that became public in September) in older Windows versions (Windows 7, Windows 8.1 and Server pendants).

I have given some hints in the blog post Internet Explorer: Cumulative Update KB4524135 (10/03/2019). It also mentions the Windows versions that this update applies to. For Windows 10, the fix for the vulnerability is provided through cumulative updates for the various Windows 10 builds.

Microsoft already writes in support article KB4524135 that Internet Explorer displays an incorrect update installed.

On Windows 7, the “About Internet Explorer” dialog box in Internet Explorer 11 may list a different KB number, even when you have KB4524135 installed.

Exactly this discussion has originated within my German blog. In this comment, Blog reader Bolko tries to unravel Microsoft’s inconsitencies with various patches (the KB number used in the update’s internal metafiles has not been adapted to the KB number under which the patch was released).

As a result, the rollup update KB4524157 installs the older IE11 version 11.0.9600.19503, while the IE 11 update KB4524135 installs version 1.0.9600.19504.

The printer bug and other issues

Even more confusing is the situation with Microsoft’s attempt to solve the printer problem (see my blog post Windows: Printer issues after Sept. 2019 Update confirmed) in Windows, which was caused by September updates, with subsequent updates.

In the blog post Windows Updates fixes printer bug (Oct. 3, 2019), I enlisted the updates available for the various Windows versions. There was a hint from me that the first feedback I got, was that the printer bug wasn’t fixed for all users. If I go into the comments I received for my blog post, I see the following picture:

• The Windows update in question (see the list in Windows Updates fixes printer bug (Oct. 3, 2019)) did nothing to fix the printer bugs – so the error is still there (see this comment, for example).
• Users who had working printers until now suddenly are facing printing issues after installing the update – so the error was newly introduced (see this German comment). I also read something like this on MS Answers.

The observation from the following tweet, which Susan Bradley pulled out of askwoody.com, is also very ugly.

I’d like to thank @Microsoft for pushing out Windows 10 v1903 w/KB4524147 included, breaking the Print Spooler service, bypassing our WSUS, and wasting hours of my time. Seriously, thanks for the job security. @AskWoody

— Kobold Curry Chef (@KoboldCurryChef) October 4, 2019

Those who run into these problems should try to reinstall the printer driver. For a blog reader this has helped. The alternative would be to update the printer driver via the Update Driver button in the Device Manager using the .inf file. Maybe it will help – otherwise there is only uninstalling the updates that cause this bug.

Addendum: I found this thread in Technet forum, where more updates are mentioned for this issue. And this post enlists the following updates that may causes printer issues:

KB4517211
KB4522016
KB4522014
KB4524147
KB4524148
KB4522015

There was a suspicion that it might only have to do with HP printers. In the meantime, however, I have received feedback that other printers are also affected. Interesting is this spiceworks.com post, where a user traced the crash of the printer spooler back to the jscript.dll. The post is from 30.9.2019 – before the October 2019 update. But in all updates Microsoft patches in the IE JScript security area.

• Within this German comment blog reader Kay mentions, that the massive printing issues caused by the old update KB4517211 have been fixed for him by the new update KB4524147. But he has the problem that the Info-Center (button at the bottom right next to time) and “Windows “+”P” don’t work anymore. On MS Answers there is this more recent thread, which already discusses issues with the Action Center at the end of September 2019.
• Other German users reported install issues in Windows 7 SP1, or freezing application and more in Windows 8.1.
• At this MS Answers forum post someone reports that the start menu does not work anymore after installing the update KB4524147 in Windows 10 Version 1903. Woody Leonhard already discussed this in this short article on October 3, 2019. Meanwhile the reports of affected people are increasing.

Woody Leonhard has published this ComputerWorld article in the meantime, where he collected further issues in connection with the patches. It breaks KB4524156 possibly ASP applications on Windows Server 2012 R2. It may be isolated cases – but it doesn’t really make you happy.

Addendum: Bleeping Computer is reporting here cases, where users have boot issues after installing update KB4524147. And Woody Leonhard says, that the updates has been pulled.

In the past few hours, all the MS “zero-day” out-of-band patches were re-released with a new date of Oct. 4. Many reports that they’ve been pulled from Windows Update – although they’re still in the catalog. Bugs still crawling out of the woodwork. https://t.co/hVYPQD6Bkk

— Woody Leonhard (@AskWoody) October 5, 2019

Similar articles:
Windows: Vulnerabilities in IE and Defender (09/23/2019)
Windows: Printer issues after Sept. 2019 Update confirmed
Windows 10: Issues with Updates KB4522015, KB4522016 / KB4517211
Internet Explorer: Cumulative Update KB4524135 (10/03/2019)
Windows Updates fixes printer bug (Oct. 3, 2019)

[German]After the September and October 2019 updates for Windows, there are not only printer issues. I have also noticed RDP issues. And the Sept. 2019 update KB4515384 causes boot problems with certain network drivers.

I’ll sum it up here in this article – currently as ‘single cases’ – but maybe there are other users affected.

RDP issues after October 2019 updates

But I got several feedback from reader reporting RDP issues after installing October 3, 2019 updates for Windows. A user of my German article Chaos bei Oktober-Updates für Windows und Internet Explorer I published at news portal heise reported the following issue (I’ve translated the German comment):

RDP no longer works

After the updating my virtual server, RDP only works as an administrator.

Does anyone else have the same problem?

I had the comment still open in the browser tab for further research when I received this comment in my German blog..

KB4524147: Installed on a Windows 10 PC with an HP laser attached. This PC connects to a server 2008R2 via RDP as terminal server. The TS server printer redirection “Easyprint” is used.

After the “Update”: If a document with more than one page is printed, the RDP session is suddenly disconnected. After logging in again, you will see the error message: “Printer xy” not found. Printer xy is then any other printer.

Update KB4524147 was released on October 3 for Windows 10 Version 1903 and Windows Server Version 1903 to address the Internet Explorer vulnerability and printing issues. User Hansi reported a similar issue within my English blog.

SBS 2011 Remote Access (RDP) does not work after this crap update. And yes I know SBS is EOL in January 2020, but we have just October 2019.

This doesn’t have to be the same error – but all comments refer to RDP connections.

Update KB4515384 causes boot issues?

As of September 11, 2019, several security updates were released for Windows, which also fix a vulnerability in the RDP service. I noticed this threadin the comment section of a  in a German news site. One affected writes:

I still have problems with the patch, both network drivers (GBit and Wireless, both Intel) cannot start the device. I can’t start Microsoft Edge and the Start menu immediately displays a serious error that forces me to log off.

sfc /scannow does not output any errors. Uninstalling the patch immediately fixes all these bugs. The whole thing is easily reproducible.

Somebody else who observed this behavior?

Update KB4515384 has more problems – for example it may cause the installation error 0xe0000100 on USB HID devices – as you can read here. The same author has published a more comprehensive overview of problems here.

Similar articles
Windows 10 V1903: Issues with Update KB4515384 confirmed
Windows/IE: Issues and confusion with updates (10/03/2019)

[German]On October 8, 2019, Microsoft released security updates for Windows clients and servers, Office, etc. Here is a compact overview of these updates.

A list of the updates can be found on this Microsoft page. Details about the update packages for Windows, Office etc. can be found in separate blog posts.

Servicing Stack Updates

Microsoft now publishes an overview of all current Servicing Stack Updates (SSUs). The list of SSUs can be found at ADV990001. In October 2019 SSUs were updated – e.g. changes to the Secure Boot Revocation List were made for some Windows 10 updates. Here is the compact list:

(Source: Microsoft/Askwoody)

Notes on updates

All Windows 10 updates are cumulative. The monthly Patchday update includes all security fixes for Windows 10 and all non-security fixes up to Patchday. In addition to the security patches for the vulnerabilities, the updates include defense-in-depth updates to improve security.

Updates can also be downloaded from the Microsoft Update Catalog. Updates for Windows RT 8.1 and Microsoft Office RT are only available through Windows Update. Information about the support period for Windows 10 can be found in the Windows Lifecycle Facts Sheet.

Internet Explorer 11 will be available on Windows Serverv 2012 from May 2019. This configuration is available only through the Cumulative Update for IE.

For Windows 7 SP1 and Windows Server 2008/R2 an updated SHA-2 Code-Signing Update KB4474419 was released on October 8, 2019 (see this comment at askwoody.com).

The October 2019 security updates cover 59 CVE vulnerabilities, of which 9 are classified as “critical”, 49 as “important” and one as “moderate”. A list can be found on the Google Zero Day Initiative blog – Talos has also published a summary here. And Martin Brinkmann has published a compact list of updates here (I will describe details within separate blog posts).

Critical Security Updates

Internet Explorer 11
ChakraCore
Microsoft Edge (EdgeHTML-based)
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1703 for 32-bit Systems
Windows 10 Version 1703 for x64-based Systems
Windows 10 Version 1709 for 32-bit Systems
Windows 10 Version 1709 for ARM64-based Systems
Windows 10 Version 1709 for x64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016  (Server Core installation)
Windows Server 2019
Windows Server 2019  (Server Core installation)
Windows Server, version 1803  (Server Core Installation)
Windows Server, version 1903 (Server Core installation)
Azure App Service on Azure Stack
Open Enclave SDK

Important Security Updates

Excel Services
Microsoft Excel 2010 Service Pack 2 (32-bit editions)
Microsoft Excel 2010 Service Pack 2 (64-bit editions)
Microsoft Excel 2013 RT Service Pack 1
Microsoft Excel 2013 Service Pack 1 (32-bit editions)
Microsoft Excel 2013 Service Pack 1 (64-bit editions)
Microsoft Excel 2016 (32-bit edition)
Microsoft Excel 2016 (64-bit edition)
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013 RT Service Pack 1
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
Microsoft Office 2016 for Mac
Microsoft Office 2019 for 32-bit editions
Microsoft Office 2019 for 64-bit editions
Microsoft Office 2019 for Mac
Microsoft SharePoint Enterprise Server 2013 Service Pack 1
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Foundation 2010 Service Pack 2
Microsoft SharePoint Foundation 2013 Service Pack 1
Microsoft SharePoint Server 2019
Office 365 ProPlus for 32-bit Systems
Office 365 ProPlus for 64-bit Systems
Office Online Server
SQL Server Management Studio 18.3
SQL Server Management Studio 18.3.1
Microsoft Dynamics 365 (on-premises) version 9.0
Windows 10 Mobile
Windows Update Assistant

Moderate Security Updates

Internet Explorer 9
Internet Explorer 10

Similar articles:
Microsoft Office Patchday (1. Oktober 2019)
Microsoft Security Update Summary (October 8, 2019)
Patchday: Updates for Windows 7/8.1/Server (Oct. 8, 2019)
Patchday Windows 10-Updates (October 8, 2019)
Patchday Microsoft Office Updates (October 8, 2019)

[German]There are vulnerabilities in the Bonjour updater in iTunes and iCloud for Windows that are currently being exploited by cyber criminals to spread ransomware. Apple has now released updates to close this vulnerability. Anyone who has ever installed Apple software a la iTunes or iCloud on their Windows system should act now.

The Hacker News reports in the article Apple iTunes and iCloud for Windows 0-Day Exploited in Ransomware Attacks, that cyber criminals are using recently discovered vulnerabilities in the Bonjour updater (the article speaks of 0-day vulnerabilities) of Apple’s iTunes and iCloud for Windows for BitPaymer and iEncrypt Ransomware attacks.

Bonjour updater vulnerable

The vulnerable component is the Bonjour updater, a configuration-free implementation of the network communication protocol that works in the background and automates various low-level network tasks. This includes automatically downloading updates for Apple software.

Since the Bonjour updater is installed as a separate program on the system, Bonjour is not removed when iTunes and iCloud are uninstalled. Therefore, this Bonjour updater is present on many Windows computers and has not been updated after uninstalling iTunes or iCloud, but runs in the background.

Cyber security researchers at Morphisec Labs discovered the exploitation of the Bonjour zero-day vulnerability in August. At the time, the attackers targeted an unnamed automotive company and infected the systems with the BitPaymer Ransomware. Details of the vulnerability can be found in the article Apple iTunes and iCloud for Windows 0-Day Exploited in Ransomware Attacks.

Apple provides Updates for iTunes/iCloud

Immediately after the discovery of the attack, the Morphisec Labs security researchers informed Apple of the details of the attack. Apple released iCloud for Windows 10.7, iCloud for Windows 7.14 and iTunes 12.10.1 for Windows a few hours ago to close the vulnerability. 

Windows users who have iTunes and/or iCloud installed on their system are strongly advised to update their software to the latest versions. Users who have ever installed and then uninstalled this Apple software on their Windows computer should check the list of installed applications on your system (in Control Panel in Installed Applications). If a Bonjour updater is listed there, this software should be uninstalled manually.

[German]HP Touchpoint Analytics software is pre-installed on most HP computers. A vulnerability allows attackers to gain administrator privileges. Here’s what you need to know about that incident.

HP TouchPoint Analytics is software preinstalled on most HP computers in the form of a Windows service that runs with NT AUTHORITY\SYSTEM” top-level permissions and is used to anonymously collect hardware performance diagnostic information. I had already blogged about issues with the HP Touchpoint Analytics software in 2017 (see my German blog post HP installiert heimlich HP Touchpoint Analytics Client-Telemetriedatenprogramm). There was a statement from HP at that time that telemetry data collection was not a problem.

Vulnerability in HP Touchpoint Analytics

Bleeping Computer reported here that a Local Privilege Escalation (LPE) vulnerability has been found in the software. The CVE-2019-6333vulnerability was found in the Open Hardware Monitor library used by HP’s monitoring software.

CVE-2019-6333 enables attackers to run malware by extending system-level permissions and avoiding anti-malware detection. To do this, it can bypass the application’s whitelisting. This whitelisting is often used to prevent the execution of unknown or potentially malicious applications.

The vulnerability was discovered by security researcher Peleg Hadar of SafeBreach Labs and reported to HP on 4 July. It affects all versions of the HP Touchpoint Analytics Client under 4.1.4.2827. The problem is the DLL search path that is frequently mentioned here in the blog, which enables DLL hijacking. 

According to Hadar, the security problem is caused by the use of an uncontrolled search path for DLLs and it is not validated whether the loaded DLLs are signed with digital certificates. This allows malware to store and load its own DLL in the path. The DLL then contains the system rights of the loading service.

Such errors in the DLL search order are often exploited in the later phase of malicious attacks after the affected computers have already been infiltrated. This vulnerability makes it possible to increase permissions to gain persistence and further infiltrate a compromised system.

Security advisory and update available

HP has released a security advisory to determine if a device is vulnerable and is providing an update to the HP TouchPoint Analytic software via Windwos Update. The Security Advisories contain information on how to update the software. Personally, I would rather uninstall the software.

[German]Microsoft regularly releases new Servicing Stack Updates (SSUs) for the still supported Windows versions. Here is a short list of the current SSUs as of October 2019.

Microsoft publishes a list of SSUs on its website at ADV990001.  But as stated in this German comment this list is not always up to date. Blog reader Karl published the updated list shown below (as of October 2019). Karl writes about it:

I recommend the installation no matter if affected by the listed issue. Based on the experiences of Win7 SSU and other occurrences we can assume that MS plans his future servicing on this installed SSU.

Here is the updated list of Servicing Stack updates for the various Windows.

• KB4517134, 09. Sep 2019, Win Vista SP2 / Server 2008 SP2 (+Itanium) (6.0.x)
• KB4490628, Mar 2019 + KB4516655, 30. Sep 2019, Win 7 SP1 / Server 2008 R2 SP1 / Embedded (+Itanium) (6.1.x)
• KB4521857, 07. Oct 2019, Win 8 / Server 2012 / Embedded (6.2.x)
• KB4521864, 07 Oct 2019, Win 8.1 / Server 2012 R2 (6.3.x)
• KB4521856, 07. Oct 2019, Win 10 1507 SAC / LTSC (10.10240.x)
• KB4035632, 08. Aug 2017, Win 10 1511 SAC (10.10586.x)
• KB4521858, 07. Oct 2019, Win 10 1607 SAC / LTSC / Server 2016 LTSC (10.14393.x)
• KB4521859, 07. Oct 2019, Win 10 1703 SAC (10.15063.x)
• KB4521860, 07. Oct 2019, Win 10 1709 SAC / Server 2016 SAC (+ARM64) (10.16299.x)
• KB4521861, 07. Oct 2019, Win 10 1803 SAC / Server 2016 SAC (+ARM64) (10.17134.x)
• KB4521862, 07. Oct 2019, Win 10 1809 SAC / Server 2019 LTSC / SAC (+ARM64) (10.17763.x)
• KB4521863, 07. Oct 2019, Win 10 1903 SAC / 19H2 slow, 1909 RP (+ARM64) (10.18362.x)

Important Notes:  SSU for 2008 without R2 and 2012 without R2 has been updated after many years.

The SSU for 1507 only apply to LTSC versions, despite 1507 Home and Pro is broken at the moment and will not receive any updates or upgrades. I’ve reported this to Microsoft

This is different for other unsupported versions such as 1607 or later.  Detailed reference in this group:  Investigating Windows 10 “end of support”

Changes:

• Improves the Secure Boot revocation list (DBX) update experience to avoid multiple restarts when you deploy the DBX update on a device where the Credential Guard service is not running.
• Addresses an issue in which the Secure Boot revocation list (DBX) is not applied when the Secure Boot allow list (DB) update is empty.

We strongly recommend you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). Installing servicing stack updates (SSU) makes sure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft security fixes.

The Wannacry ransomware has hit many computers in 2017. Over the last year we have seen some re-infections in some sites, but not a big ware of infections. Now there are signs, dass some people probably may be facing new infections.

I haven’t too much details. But security researcher @VessOnSecurity has just postet the following Tweet.

Several people in various countries seem to have a bit of a WannaCry problem… pic.twitter.com/osq29Bo2cY

— Vess (@VessOnSecurity) October 27, 2019

The embedded graphics shows the ‘Uploaded Unique Malware’ detected for Ransom.Wannacry from Symantec.

Similar articles
WannaCry has infected chip maker TSMC fabs …

[German]Microsoft has now released a new service for Windows Defender ATP customers. If they need support for security incidents, these customers may cvall Microsoft’s security experts on demand for assistance with attacks or malware infections. More details may be read within Microsoft’s security blog post Experts on demand: Your direct line to Microsoft security insight, guidance, and expertise. (via)

[German]Windows 7, Windows 8.1 and various Windows Server versions have timeouts in TLS connections after installing the latest October 2019 updates. Microsoft has confirmed these TLS timeouts in a support article.

A Microsoft support article 4528489 (Transport Layer Security (TLS) connections might intermittently fail or timeout when connecting) contains the details. 

The error description

When attempting to connect [to a server], Transport Layer Security (TLS) and Secure Sockets Layer (SSL) may fail temporarily or run on a timeout. One or more of the following errors will be displayed:

• “The request was aborted: Could not create SSL/TLS secure Channel”
• Error 0x800903030f  (SEC_E_MESSAGE_ALTERED)
• An error logged in the System Event Log for SCHANNEL event 36887 with alert code 20 and the description, “A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.​”

The cause of this issue is that Microsoft closed the vulnerability CVE-2019-1318 in Augst 2019 with an update. Now updates from October 2019 seems to cause the TLS timeouts.

Which Windows versions are affected?

Unfortunately, the fix was distributed through various updates to Windows 7, Windows 8.1, and various Windows Server versions that are still in support. Affected are the following Windows versions that have received cumulative updates and rollups as of October 8, 2019 (or later):

• KB4519998 LCU for Windows Server, version 1607 and Windows Server 2016.
• KB4520005 Monthly Rollup for Windows 8.1 and Windows Server 2012 R2.
• KB4520007 Monthly Rollup for Windows Server 2012.
• KB4519976 Monthly Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1.
• KB4520002 Monthly Rollup for Windows Server 2008 SP2

Also affected are systems that have received the following security-only updates dated October 8, 2019.

• KB4519990 Security-only update for Windows 8.1 and Windows Server 2012 R2.
• KB4519985 Security-only update for Windows Server 2012 and Windows Embedded 8 Standard.
• KB4520003 Security-only update for Windows 7 SP1 and Windows Server 2008 R2 SP1
• KB4520009 Security-only update for Windows Server 2008 SP2

Whoever has installed these updates on the machines and receives TLS errors should react and try the following workaround.

A workaround for the TLS problem

Microsoft states two workarounds in the support article, with which the TLS timeout problem can possibly be mitigated.

• Enable support for Extend Master Secret (EMS) extensions when performing TLS connections on both the client and the server operaing system. EMS as defined in RFC 7627,  was added to supported versions of Windows in the calendar year of 2015. Any update released on or after October 8, 2019 will have EMS enabled by default for CVE-2019-1318.
• Or: For operating systems that do not support EMS, remove the TLS_DHE_* cipher suites from the cipher suite list in the OS of the TLS client device. For instructions on how to do this on Windows, see Prioritizing Schannel Cipher Suites.

Microsoft does not recomend disabling EMS. If EMS was previoulsy explicitly disabled, it can be re-enabled by setting following registry key values:

HKLM\System\CurrentControlSet\Control\SecurityProviders\Schannel  

On TLS Server: DisableServerExtendedMasterSecret: 0
On TLS Client: DisableClientExtendedMasterSecret: 0

Damit sollten die TLS-Verbindungsprobleme weg sein. (via)

[German]After October 2019 is over, I would like to take a look at the operating system share on the desktop. Is Windows 7 finally drops at 2% share and what’s about Windows 10?

Looking at the latest figures from netmarketshare.com (until October 2019), Windows still runs at 86.82 (Sept. 2019: 86.38%) of desktop systems. Mac OS comes to 10.97% (Sept. 11.16%), while Linux runs on 1.55% (Sept. 1.80%) of the systems. 

(netmarketshare.com OS-Market-Share 10.2019, Zum Vergrößern klicken)

In the analysis of the desktop share by individual operating system versions, NetMarketShare shows the following figures for the desktop operating systems at the end of October 2019:

• Windows 10 comes to 54.32% (previous month 52.33%),
• Windows 7 is at 26.90 % (previous month 28.61 %),
• Windows 8.1 still comes in at 3.59 % (previous month 3.45 %),
• and macOS 10.14 comes to 5.16 % (previous month 6.78 %).

As expected, Windows 10 grew in October 2019 and Windows 7 lost market share, but still runs on every fourth desktop system.

(netmarketshare.com. Windows Market-Share 10.2019, Zum Vergrößern klicken)

It will be exciting to watch what happens in the coming months. After all, support for Windows 7 will expire in January 2020 (only companies can renew for a fee). It is interesting to note that there is no movement towards Windows 8.1 or macOS 10.x. On the desktop, Windows 10 will dominate in the future.

Among browsers on desktop systems, Google Chrome is the undisputed leader with 67.39%, followed by Firefox (8.63%). The Internet Explorer still comes up to 6.37% and the Edge bumbles around at 6.09%.