
Windows: first BlueKeep Metasploit in the wild


[English] Security researchers have now, probably for the first time, seen a Metasploit-based exploit in the wild that targets the BlueKeep vulnerability and tries to install a crypto-miner. At the moment, however, this exploit still ends in BlueScreens.

The BlueKeep vulnerability in the Windows RDP service threatens unpatched systems from Windows XP to Windows 7 and their server counterparts. I had been warning about the BlueKeep vulnerability for months (see BlueKeep warning: Exploit might come soon?). It seems, however, that the BlueKeep vulnerability is difficult to exploit in practice. That is the only explanation for why things have stayed quiet so far, even though a Metasploit module is publicly available (see Windows: Bluekeep Metasploit released in the wild). But that could change now.

RDP honeypots suddenly crash with BlueScreens

I had already seen it at the weekend, but only now have I found the time to write it up. After the BlueKeep vulnerability became known and the first exploits became available, security researcher Kevin Beaumont set up a worldwide network of honeypots for the RDP vulnerability. On Saturday Beaumont reported that his EternalBlue RDP honeypot suddenly showed BlueScreens.

Specifically, the first BlueScreen with a restart of the underlying Windows system already appeared on 23 October 2019. In the following weeks these BlueScreens occurred at further honeypots. The suspicion was that someone was trying to exploit the BlueKeep vulnerability. In another tweet, however, it quickly became clear that it was probably not a worm that had attacked the honeypot. According to Beaumont, there were probably only BlueScreens at various honeypots. Here is a post from him:

On November 2, 2019 he received his bill for the booked Microsoft Azure services and looked at the details of the Azure Sentinel for log analysis. 

Azure Sentinel
(Azure Sentinel, Source: Kevin Beaumont)

Since 22/23 October, problems (BSODs) have apparently occurred on the affected Azure instances. Security researchers then looked at the crash dump of the BlueScreens; an analysis can be found here. MalwareTech confirmed that the kernel dump contained traces of a Metasploit module exploiting the BlueKeep vulnerability (or at least something based on it). It is probably an attempt to install a crypto-miner on Windows machines via the vulnerability. Beaumont has now published a writeup.

At present, the impact is still limited: it is not a self-spreading worm, and dropping a crypto-miner on the machines is a nuisance rather than a major threat. But the conclusion from these attacks is that there are now people who understand how to attack random targets using the BlueKeep vulnerability. There is a good chance the attacks will become more sophisticated soon. More articles can be found at Wired, The Hacker News or ZDNet.
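What gave the honeypots away was a cluster of kernel crashes on hosts that expose RDP. The following PowerShell script is an example added here (it is not from the blog post, from Kevin Beaumont or from MalwareTech) that reproduces that check on a Windows host: it counts crash events per day from the System event log and reports whether RDP is enabled and whether Network Level Authentication (NLA) is required. NLA is not mentioned in the article; it is included because it forces authentication before the RDP code path that CVE-2019-0708 reaches. The function names are made up for this example.

```powershell
# Added example: crash-trend and RDP-exposure check for a single Windows host.
# Requires rights to read the System event log and the Terminal Server registry keys.

function Get-CrashTrend {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    # Event 1001 (source BugCheck) is written after a crash dump is saved;
    # event 41 (Kernel-Power) marks a reboot that happened without a clean shutdown.
    $crashes = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1001, 41; StartTime = $since } `
                    -ErrorAction SilentlyContinue |
                Where-Object { $_.ProviderName -match 'BugCheck|SystemErrorReporting|Kernel-Power' })
    $crashes |
        Group-Object { $_.TimeCreated.Date } |
        ForEach-Object {
            [pscustomobject]@{ Day = $_.Group[0].TimeCreated.Date; Crashes = $_.Count }
        } |
        Sort-Object Day
}

function Get-RdpExposure {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"
    # fDenyTSConnections = 0 means Remote Desktop is switched on.
    $deny = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means NLA is required before a session is created.
    $nla  = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    [pscustomobject]@{
        RdpEnabled    = ($deny -eq 0)
        NlaRequired   = ($nla -eq 1)
        Listening3389 = [bool](netstat -an | Select-String -Pattern ':3389\s+\S+\s+LISTENING')
    }
}

function Get-BlueKeepRiskSummary {
    $trend = @(Get-CrashTrend)
    $rdp   = Get-RdpExposure
    $total = 0
    foreach ($day in $trend) { $total += $day.Crashes }
    $note = if ($rdp.RdpEnabled -and -not $rdp.NlaRequired -and $total -gt 0) {
        'RDP reachable without NLA and recent kernel crashes: verify the CVE-2019-0708 patch is installed'
    } elseif ($rdp.RdpEnabled -and -not $rdp.NlaRequired) {
        'RDP reachable without NLA: enable NLA and verify the CVE-2019-0708 patch'
    } else {
        'No combined indicator'
    }
    [pscustomobject]@{
        Rdp         = $rdp
        CrashDays   = $trend.Count
        CrashTotal  = $total
        DailyTrend  = $trend
        Assessment  = $note
    }
}

Get-BlueKeepRiskSummary | Format-List
```

Run it in an elevated PowerShell on the host in question; an empty `DailyTrend` with `RdpEnabled` false is the expected result on a patched workstation that does not expose RDP.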

Background: BlueKeep vulnerability

I had reported about the BlueKeep vulnerability CVE-2019-0708 in several blog posts. An explanation of the vulnerabilities can be found in the blog post Security Critical update for Windows XP up to Windows 7 (May 2019).

There is a patch, but it has not been installed on all systems. It is currently estimated that approximately 800,000 systems are still unpatched and accessible via the Internet (see Windows: What about the BlueKeep vulnerability in July 2019? ).

In my blog post How To: BlueKeep-Check for Windows, I explained how a system can be checked both locally for installed patches and across a network for vulnerable hosts.

Similar articles
A threat actor scans Windows systems for BlueKeep vulnerability
BlueKeep: Windows Remote Desktop Services vulnerability exploits status
Critical update for Windows XP up to Windows 7 (May 2019)
Nearly 1 million Windows machines with BlueKeep vulnerability
BlueKeep vulnerability: Microsoft warns about a wormable malware epidemic
BlueKeep: Patch for pirated copies; SSL tunnel as a risk factor
Windows: Bluekeep Metasploit released in the wild
BlueKeep warning: Exploit might come soon?
How To: BlueKeep-Check for Windows


MegaCortex Ransomware Changes Windows User Password


[German]A new version of MegaCortex Ransomware is being distributed by malware such as Emotet. The new version not only encrypts the system’s files but also changes the user’s password.

The MalwareHunterTeam has been able to obtain corresponding malware samples. In the following tweet they point to the corresponding message shown to victims.

Locking the user out of the Windows user account after encrypting the files is a new quality. In addition, the blackmailers threaten to publish the data if the ransom is not paid. Bleeping Computer has taken up this case here. According to an analysis by Vitali Kremez and Bleeping Computer, the behavior of the MegaCortex ransomware has changed as follows:

  • In the new version of the Ransomware, the files are provided with the file name extension .m3g4c0rtx after encryption. 
  • The Ransomware changes the Windows password of the logged-in user so that the user can no longer log in.
  • A message “Locked by MegaCortex” is now displayed on the login page, together with an e-mail address, stating that the computer has been locked by the malware.

MegaCortex lock message
(MegaCortex notification, Source: Bleeping Computer)

In addition, the attackers claim to have uploaded the victim’s data to a secure location. The following text appears in the ransom note.

“We have also downloaded your data to a secure location. In the unfortunate event of us not coming to an agreement we will have no choice but to make this data public.
Once the transaction is finalized all of copies of data we have downloaded will be erased.”

The text contains the threat to publish the data in case of non-payment. So far it has not been confirmed whether the attackers have actually uploaded victims’ files to their own servers. If data exfiltration can be confirmed, those affected are not only victims of a ransomware attack; depending on the information copied, it may also be a data protection breach that must be reported under EU law.

When the MegaCortex main launcher is executed, it extracts two DLL files and three CMD scripts to C:\Windows\Temp, and these then carry out the ransomware’s actions. The launcher currently carries a Sectigo certificate issued to an Australian company called MURSA PTY LTD; Sectigo has since revoked the certificate. Further details on the course of the attack can be found in the Bleeping Computer article.
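The indicators named above (the .m3g4c0rtx extension, DLL and CMD files dropped into C:\Windows\Temp, the signing certificate subject, and a changed user password) can be turned into a local triage script. The following PowerShell is an example added here; it is not from the blog post or from the Bleeping Computer analysis. It assumes the Security log audits account management (event IDs 4723, password change attempt, and 4724, password reset attempt, are the standard Windows IDs; the article does not mention them), and the function name is made up.

```powershell
# Added example: look for the MegaCortex indicators described in the article on one host.
# Run elevated; reading the Security log and C:\Windows\Temp requires administrator rights.

function Find-MegaCortexIndicators {
    param(
        [string[]]$ScanRoots = @("$env:SystemDrive\Users"),   # where encrypted user files would be
        [int]$Hours = 24                                        # look-back window for drops and events
    )
    $since  = (Get-Date).AddHours(-$Hours)
    $result = [ordered]@{}

    # 1. Encrypted files receive the extension .m3g4c0rtx (from the article).
    $result.EncryptedFiles = @(foreach ($root in $ScanRoots) {
        Get-ChildItem -Path $root -Recurse -Filter '*.m3g4c0rtx' -File -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty FullName
    })

    # 2. The launcher drops two DLLs and three CMD scripts into C:\Windows\Temp.
    #    Each recent drop is listed with its Authenticode signer; the subject string is the
    #    one the article names for the (since revoked) Sectigo certificate.
    $temp = Join-Path $env:SystemRoot 'Temp'
    $result.TempDrops = @(Get-ChildItem -Path $temp -Recurse -Include '*.dll', '*.cmd' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            [pscustomobject]@{
                Path                = $_.FullName
                Created             = $_.CreationTime
                Signer              = $subject
                SignatureStatus     = $sig.Status
                MatchesKnownSubject = ($subject -match 'MURSA PTY LTD')
            }
        })

    # 3. MegaCortex changes the logged-in user's password. 4723 = change attempt,
    #    4724 = reset attempt; field order follows the standard event schema
    #    (TargetUserName first, SubjectUserName fifth).
    $result.PasswordEvents = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4723, 4724; StartTime = $since } `
                                   -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Target  = $_.Properties[0].Value
                Subject = $_.Properties[4].Value
            }
        })

    $result.Suspicious = ($result.EncryptedFiles.Count -gt 0) -or
                         (($result.TempDrops | Where-Object MatchesKnownSubject).Count -gt 0) -or
                         ($result.PasswordEvents.Count -gt 0)
    [pscustomobject]$result
}

Find-MegaCortexIndicators | Format-List
```

Password-change events on their own are normal administrative noise; the value of the check is the combination with fresh drops in C:\Windows\Temp or encrypted files, which is why the script reports all three and a combined flag rather than any single indicator.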

New BlueKeep warnings from Microsoft & Australian Government


[German]After the first malware attacks using the BlueKeep vulnerability have been found in the wild (see Windows: first BlueKeep Metasploit in the wild), Microsoft and the Australian government are intensifying their warnings.

Short review of BlueKeep

The BlueKeep vulnerability in the Windows RDP service threatens unpatched systems from Windows XP to Windows 7 and their server counterparts. I had been warning about the BlueKeep vulnerability for months (see BlueKeep warning: Exploit might come soon?). It seems, however, that the BlueKeep vulnerability is difficult to exploit in practice. That is the only explanation for why things have stayed quiet so far, even though a Metasploit module is publicly available (see Windows: Bluekeep Metasploit released in the wild). But that could change now.

Last week the picture changed. Following the discovery of the BlueKeep vulnerability and the availability of the first exploits, security researcher Kevin Beaumont had set up a worldwide network of honeypots for the RDP vulnerability. On Saturday Beaumont reported that his EternalBlue RDP honeypot suddenly showed BlueScreens.

When security researchers looked at the BlueScreen crash dump, it became clear that someone was trying to exploit the BlueKeep vulnerability. MalwareTech security researchers confirmed that the kernel dump contained traces of a metasploit to exploit the BlueKeep vulnerability (or at least something based on it). It is probably an attempt to install a crypto-miner on Windows machines via the vulnerability. I had collected details in the blog post Windows: first BlueKeep Metasploit in the wild.

Warning from the Australian authorities

An article at Bleeping Computer reveals that the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate, together with partners from the states, is warning companies and individuals about threats from the Emotet malware and from exploitation of the BlueKeep vulnerability. Both threats are active in the wild.

The ACSC apparently took up the above-mentioned findings and calls on users to be vigilant. Attackers have begun to exploit the Windows BlueKeep vulnerability to attack unpatched systems and infect them with coin miners.

Regarding the Emotet campaigns, the ACSC writes that activity last week slowly decreased compared to the end of October. However, Emotet still poses a significant threat to businesses and the general public. More details can be found at Bleeping Computer.

Microsoft also warns again against BlueKeep

The above-mentioned discovery of malware infecting honeypots with a crypto-miner via the BlueKeep vulnerability is also an occasion for Microsoft to urge users once more to finally patch their systems.

In the tweet above, Microsoft security specialists point to MalwareTech’s analysis of the BlueKeep attack and recall that patches are available for the RDP vulnerability. Microsoft has summarized its findings in this blog post (Bleeping Computer picked it up here). The following chart shows the increase in attacks on BlueKeep honeypots.

(Figure 1. Increase in RDP-related service crashes when the Metasploit module was released. Source: Microsoft)

Background: BlueKeep vulnerability

I had reported about the BlueKeep vulnerability CVE-2019-0708 in several blog posts. An explanation of the vulnerabilities can be found in the blog post Security Critical update for Windows XP up to Windows 7 (May 2019).

There is a patch, but it has not been installed on all systems (see Windows: What about the BlueKeep vulnerability in July 2019? ). In my blog post How To: BlueKeep-Check for Windows, I explained how a system can be scanned both locally for installed patches and in a network for vulnerabilities.

Similar articles
A threat actor scans Windows systems for BlueKeep vulnerability
BlueKeep: Windows Remote Desktop Services vulnerability exploits status
Critical update for Windows XP up to Windows 7 (May 2019)
Nearly 1 million Windows machines with BlueKeep vulnerability
BlueKeep vulnerability: Microsoft warns about a wormable malware epidemic
BlueKeep: Patch for pirated copies; SSL tunnel as a risk factor
Windows: Bluekeep Metasploit released in the wild
BlueKeep warning: Exploit might come soon?
How To: BlueKeep-Check for Windows
Windows: first BlueKeep Metasploit in the wild

Microsoft deletes old KB articles


[German]Occasionally Microsoft cleans up its web site and deletes older support articles. In recent weeks, a number of KB articles have fallen victim to this cleaning action.

I came across a tweet by Woody Leonhard, who put the topic back on the table this weekend.

Woody Leonhard’s article is about Internet Explorer (versions 8 and 9) and says that old support articles are being deleted. I notice, however, that this affects much more content at Microsoft than just Internet Explorer.

Background: My blogs use a plug-in that cyclically checks all links for validity. Invalid links are shown to readers as crossed-out text. I receive a list of broken links and, where possible, redirect them to archived copies in the Wayback Machine. During the last months I have been getting ‘bursts’ of many broken links to Microsoft, meaning that Microsoft has deleted the downloads for patches or hotfixes, but also KB articles.

For some deleted content this makes sense, for example hotfixes or updates that are contained in update rollups or cumulative updates. The problem I see: deleting KB articles is of course a nuisance for people looking for the old content. But that does not seem to bother Microsoft.

Microsoft Security Update Summary (November 12, 2019)


[German] As of November 12, 2019, Microsoft has released security updates for Windows clients and servers, Office, and more. Here is a compact overview of these updates.

A list of the updates can be found on this Microsoft page. Details about the update packages for Windows, Office etc. can be found in separate blog posts.

Servicing Stack Updates

Microsoft now publishes an overview of all current Servicing Stack Updates (SSUs). The list of SSUs can be found at ADV990001 (but is not always up to date).

Notes on updates

All Windows 10 updates are cumulative. The monthly Patchday update includes all security fixes for Windows 10 and all non-security fixes up to Patchday. In addition to the security patches for the vulnerabilities, the updates contain defense-in-depth updates to improve security.

The updates can also be downloaded from the Microsoft Update Catalog. Updates for Windows RT 8.1 and Microsoft Office RT are only available via Windows Update.

On November 12, 2019, the Home and Pro editions of Windows 10 Version 1803 receive security updates for the last time. Information about the support period for Windows 10 can be found in the Windows Lifecycle Fact Sheet.

Internet Explorer 11 has been available on Windows Server 2012 since May 2019. This configuration is available only through the Cumulative Update for IE.

For Windows 7 SP1 and Windows Server 2008/R2, an updated SHA-2 Code Signing Update KB4474419 was released on October 8, 2019 (see this comment at askwoody.com).

The November 2019 security updates cover 75 vulnerabilities (including one 0-day vulnerability in IE), of which 13 are rated critical and 61 moderate. A list can be found on the Google Zero Day Initiative blog; Talos has also published a summary here. Martin Brinkmann has published a compact list of updates (I will discuss more details in separate blog posts).

Critical Security Updates

Internet Explorer 11
ChakraCore
Microsoft Edge (EdgeHTML-based)
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1709 for 32-bit Systems
Windows 10 Version 1709 for ARM64-based Systems
Windows 10 Version 1709 for x64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1803 (Server Core Installation)
Windows Server, version 1903 (Server Core installation)
Microsoft Exchange Server 2013 Cumulative Update 23
Microsoft Exchange Server 2016 Cumulative Update 13
Microsoft Exchange Server 2016 Cumulative Update 14
Microsoft Exchange Server 2019 Cumulative Update 2
Microsoft Exchange Server 2019 Cumulative Update 3

Important Security Updates

Excel Services
Microsoft Excel 2010 Service Pack 2 (32-bit editions)
Microsoft Excel 2010 Service Pack 2 (64-bit editions)
Microsoft Excel 2013 RT Service Pack 1
Microsoft Excel 2013 Service Pack 1 (32-bit editions)
Microsoft Excel 2013 Service Pack 1 (64-bit editions)
Microsoft Excel 2016 (32-bit edition)
Microsoft Excel 2016 (64-bit edition)
Microsoft Excel 2016 for Mac
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013 RT Service Pack 1
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
Microsoft Office 2016 for Mac
Microsoft Office 2019 for 32-bit editions
Microsoft Office 2019 for 64-bit editions
Microsoft Office 2019 for Mac
Microsoft Office Online Server
Microsoft SharePoint Enterprise Server 2013 Service Pack 1
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Foundation 2010 Service Pack 2
Microsoft SharePoint Foundation 2013 Service Pack 1
Microsoft SharePoint Server 2019
Office 365 ProPlus for 32-bit Systems
Office 365 ProPlus for 64-bit Systems
Office Online Server
Microsoft Visual Studio 2017 version 15.9
Microsoft Visual Studio 2017 version 16.0
Open Enclave SDK
Azure Stack

Moderate Security Updates

Internet Explorer 9
Internet Explorer 10

Similar Articles:
Microsoft Office Patchday (November 5, 2019)
Microsoft Security Update Summary (November 12, 2019)

Patchday: Updates for Windows 7/8.1/Server (Nov. 12, 2019)


[German] On November 12, 2019, Microsoft released several (security) updates for Windows 7 SP1 and further updates for Windows 8.1 as well as the corresponding server versions. Here is an overview of these updates.

Updates for Windows 7/Windows Server 2008 R2

For Windows 7 SP1 and Windows Server 2008 R2 SP1, a rollup and a security-only update have been released. The update history for Windows 7 can be found on this Microsoft page. SHA-2 support must already be installed for the security updates to install successfully.

KB4525235 (Monthly Rollup) for Windows 7/Windows Server 2008 R2

Update KB4525235 (Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1) contains (besides the security fixes of October 2019) improvements and bug fixes and addresses the following:

  • Addresses an issue that prevents a 16-bit Visual Basic 3 (VB3) application or other VB3 applications from running.
  • Provides protections against the Intel® Processor Machine Check Error vulnerability (CVE-2018-12207). Use the registry setting as described in the Guidance KB article. (This registry setting is disabled by default.)
  • Provides protections against the Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135). Use the registry settings as described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions, but disabled by default for Windows Server OS editions.)
  • Addresses an issue with temporary user profiles in an environment in which user profile disks (UPD) are deployed and cached roaming profiles are not deleted when the “Delete cached copies of roaming profiles” policy is enabled.
  • Security updates to Microsoft Scripting Engine, Windows Input and Composition, Microsoft Graphics Component, Windows Cryptography, Windows Virtualization, Windows Kernel, Windows Datacenter Networking, and the Microsoft JET Database Engine.

This update is automatically downloaded and installed via Windows Update. The package is also available in the Microsoft Update Catalog and is distributed via WSUS. Installation requires that the SSU KB4490628 of March 2019 and the SHA-2 update KB4474419 of September 10, 2019 are already installed; when installing via Windows Update, these are installed automatically. After the update installation, Microsoft recommends installing the SSU KB4523206 (if not already installed).

Since August 2019, the SHA-2 update (KB4474419) must be installed before this security update. The update is delivered only with SHA-2 code signing via Windows Update and WSUS. Microsoft released a revised version of the SHA-2 update on October 8, 2019; it should be installed automatically.

Microsoft does not list a known problem for this update.

KB4525233 (Security Only) for Windows 7/Windows Server 2008 R2

Update KB4525233 (Security-only update) is available for Windows 7 SP1 and Windows Server 2008 R2 SP1. The update addresses the following issues.

  • Provides protections against the Intel® Processor Machine Check Error vulnerability (CVE-2018-12207). Use the registry setting as described in the Guidance KB article. (This registry setting is disabled by default.)
  • Provides protections against the Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135). Use the registry settings as described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions, but disabled by default for Windows Server OS editions.)
  • Security updates to Windows Input and Composition, Microsoft Graphics Component, Windows Cryptography, Windows Virtualization, Windows Kernel, Windows Datacenter Networking, and the Microsoft JET Database Engine.

The update is available via WSUS or in the Microsoft Update Catalog. To install the update, you must meet the prerequisites listed in the KB article and above in the Rollup Update.

When deploying via WSUS, make sure that the SSU and SHA-2 updates mentioned above are installed, since in that case they are not installed automatically via Windows Update. After installing them, Windows must be restarted before the security-only update is installed. You should also install the security update KB4525106 for IE, as it closes a 0-day vulnerability. Microsoft does not list any known issues with this update. Whether telemetry functions are included this time is currently unknown.
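The install order described above (SSU, then SHA-2 support, then the rollup or the security-only update plus the IE update, then the newer SSU) is easy to get wrong on machines that are not on Windows Update. The following PowerShell is an example added here, not from the blog post or from Microsoft; it uses `Get-HotFix` to report which of the KB numbers named in this article are present and which prerequisite is still missing. Only the KB numbers from the article are used; the function name is made up.

```powershell
# Added example: prerequisite and patch-state check for Windows 7 SP1 / Server 2008 R2 SP1
# using the KB numbers from the November 2019 Patchday article.

function Test-November2019PatchState {
    $os = [System.Environment]::OSVersion.Version
    # Windows 7 / Server 2008 R2 report kernel version 6.1.
    $isWin7Family = ($os.Major -eq 6 -and $os.Minor -eq 1)

    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)

    $steps = @(
        @{ Stage = '1. Servicing Stack Update (March 2019)'; KB = 'KB4490628'; Prerequisite = $true  }
        @{ Stage = '2. SHA-2 code signing support';          KB = 'KB4474419'; Prerequisite = $true  }
        @{ Stage = '3a. Monthly Rollup (November 2019)';      KB = 'KB4525235'; Prerequisite = $false }
        @{ Stage = '3b. Security-only update (November 2019)'; KB = 'KB4525233'; Prerequisite = $false }
        @{ Stage = '3c. IE cumulative update (0-day fix)';    KB = 'KB4525106'; Prerequisite = $false }
        @{ Stage = '4. SSU recommended afterwards';           KB = 'KB4523206'; Prerequisite = $false }
    )

    $report = foreach ($s in $steps) {
        [pscustomobject]@{
            Stage        = $s.Stage
            KB           = $s.KB
            Installed    = ($installed -contains $s.KB)
            Prerequisite = $s.Prerequisite
        }
    }

    $missingPrereqs = @($report | Where-Object { $_.Prerequisite -and -not $_.Installed } |
                        Select-Object -ExpandProperty KB)
    $rollup   = ($report | Where-Object KB -eq 'KB4525235').Installed
    $secOnly  = ($report | Where-Object KB -eq 'KB4525233').Installed
    $ieUpdate = ($report | Where-Object KB -eq 'KB4525106').Installed

    $advice = if (-not $isWin7Family) {
        'Not a Windows 7 / Server 2008 R2 system; these KB numbers do not apply.'
    } elseif ($missingPrereqs.Count -gt 0) {
        "Install prerequisite(s) first and reboot: $($missingPrereqs -join ', ')"
    } elseif (-not ($rollup -or $secOnly)) {
        'Prerequisites present; November 2019 rollup or security-only update still missing.'
    } elseif ($secOnly -and -not $rollup -and -not $ieUpdate) {
        'Security-only update present; install KB4525106 for IE as well.'
    } else {
        'November 2019 updates present.'
    }

    [pscustomobject]@{
        Win7Family       = $isWin7Family
        PrerequisitesMet = ($missingPrereqs.Count -eq 0)
        NovemberPatched  = ($rollup -or $secOnly)
        IEPatched        = $ieUpdate
        Report           = $report
        Advice           = $advice
    }
}

$state = Test-November2019PatchState
$state.Report | Format-Table -AutoSize
$state.Advice
```

`Get-HotFix` reads the same data as `wmic qfe`, so it only sees packages that registered as hotfixes; a rollup that failed mid-install with an error in Windows Update will correctly show as not installed here.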

Updates for Windows 8.1/Windows Server 2012 R2

For Windows 8.1 and Windows Server 2012 R2 a rollup and a security-only update have been released. The update history for Windows 8.1 can be found on this Microsoft page.

KB4525243 (Monthly Rollup) for Windows 8.1/Server 2012 R2

Update KB4525243 (Monthly Rollup for Windows 8.1 and Windows Server 2012 R2) contains improvements and fixes, and addresses the following items.

  • Addresses an issue that prevents a 16-bit Visual Basic 3 (VB3) application or other VB3 applications from running.
  • Addresses an issue that causes only one Bluetooth Basic Rate device to function properly on some Bluetooth controllers after installing the August 13, 2019 update.
  • Addresses an issue that causes error 0x7E when you connect Bluetooth devices after installing the June 11, 2019 update.
  • Provides protections against the Intel® Processor Machine Check Error vulnerability (CVE-2018-12207). Use the registry setting as described in the Guidance KB article. (This registry setting is disabled by default.)
  • Provides protections against the Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135). Use the registry settings as described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions, but disabled by default for Windows Server OS editions.)
  • Addresses an issue with temporary user profiles in an environment in which user profile disks (UPD) are deployed and cached roaming profiles are not deleted when the “Delete cached copies of roaming profiles” policy is enabled.
  • Security updates to Microsoft Scripting Engine, Internet Explorer, Microsoft Graphics Component, Windows Input and Composition, Windows Cryptography, Windows Virtualization, Windows Kernel, Windows Datacenter Networking, and the Microsoft JET Database Engine.

This update is automatically downloaded and installed by Windows Update, but is also available in the Microsoft Update Catalog and via WSUS. For manual installation, the latest Servicing Stack Update (SSU) must be installed first.

The update has a known problem: Certain operations, such as renaming files or folders located on a cluster shared volume (CSV), may fail with the error “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the action on a CSV owner node from a process that does not have administrator privileges. See the KB article for details.

KB4525250 (Security-only update) for Windows 8.1/Server 2012 R2

Update KB4525250 (Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2) addresses the following items.

  • Provides protections against the Intel® Processor Machine Check Error vulnerability (CVE-2018-12207). Use the registry setting as described in the Guidance KB article. (This registry setting is disabled by default.)
  • Provides protections against the Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135). Use the registry settings as described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions, but disabled by default for Windows Server OS editions.)
  • Security updates to Microsoft Graphics Component, Windows Input and Composition, Windows Cryptography, Windows Virtualization, Windows Kernel, Windows Datacenter Networking, and the Microsoft JET Database Engine.

The update is available via WSUS or in the Microsoft Update Catalog. For a manual installation, the latest Servicing Stack Update (SSU) must be installed first. In addition, you should also install the KB4525106 security update for IE, as it fixes a 0-day vulnerability. Microsoft lists the same known issue for this update as for the rollup update KB4525243; it is described in the KB article.

Similar articles:
Microsoft Office Patchday (November 5, 2019)
Microsoft Security Update Summary (November 12, 2019)
Patchday: Updates for Windows 7/8.1/Server (Nov. 12, 2019)
Patchday Windows 10 Updates (November 12, 2019)

Office November 2019 Updates are causing Access Error 3340

Windows driver WinBtrfs v1.5 for Linux file system released


[German] Short information for people who want to access Linux Btrfs disks under Windows. The Windows driver WinBtrfs v1.5 has just been released. Blog reader Gero S. pointed this out to me (thanks for that).

WinBtrfs is a Windows driver for the next generation Linux file system Btrfs. The new release is a reimplementation from scratch. The driver does not contain any code from the Linux kernel and should work with any Windows version from Windows XP. It is also included as part of the free operating system ReactOS. The features of the driver:

  • Reading and writing of Btrfs filesystems
  • Basic RAID: RAID0, RAID1, and RAID10
  • Advanced RAID: RAID5 and RAID6
  • Caching
  • Discovery of Btrfs partitions, even if Windows would normally ignore them
  • Getting and setting of Access Control Lists (ACLs), using the xattr security.NTACL
  • Alternate Data Streams (e.g. :Zone.Identifier is stored as the xattr user.Zone.Identifier)
  • Mappings from Linux users to Windows ones (see below)
  • Symlinks and other reparse points
  • Shell extension to identify and create subvolumes, including snapshots
  • Hard links
  • Sparse files
  • Free-space cache
  • Preallocation
  • Asynchronous reading and writing
  • Partition-less Btrfs volumes
  • Per-volume registry mount options (see below)
  • zlib compression
  • LZO compression
  • LXSS (“Ubuntu on Windows”) support
  • Balancing (including resuming balances started on Linux)
  • Device addition and removal
  • Creation of new filesystems with mkbtrfs.exe and ubtrfs.dll
  • Scrubbing
  • TRIM/DISCARD
  • Reflink copy
  • Subvol send and receive
  • Degraded mounts
  • Free space tree (compat_ro flag free_space_cache)
  • Shrinking and expanding
  • Passthrough of permissions etc. for LXSS
  • Zstd compression
  • Windows 10 case-sensitive directory flag
  • Oplocks

Defragmentation, support for Btrfs quotas and Windows 10 reserved storage have not yet been implemented. If a Btrfs file system resides on an MD software RAID device created by Linux, WinMD is also required to display it under Windows.

The new version should be suitable for daily use, but making backups is recommended. The developers also point out that the use of this software is at your own risk. Details can be found on GitHub – download may be found here.

Windows: App ‘G’ blocks shutdown


[German]Some users are annoyed by a strange behavior. The shutdown is blocked by a strange app ‘G’ – which makes many suspect a malware infection. It is simply a Windows bug that will soon be fixed.

The error in detail

If you search the Internet for the term ‘App G prevents shutting down’, there are hundreds of hits. The error occurs across operating system versions from Windows 7 to Windows 10. On reddit.com there is this post, for example:

App called “g” is preventing shutdown or restart

Every once in a while there’s this app called “g” that prevents my PC from shutting down, but I have no idea what it is. Does anyone have any idea what this could be?

A user complains that an app named G interferes with the shutdown process. Another user confirms this in the same thread. This reddit.com post describes the same thing.

App G blocks shutdown

The screenshot above shows this display during shutdown. The whole thing is also described at superuser.com in this article.

App is preventing shutdown or restart

After updating my Windows 10 to the Creators Update (build 15063.138), when I restart or shut down the PC a screen appears and shows a ‘G’ app which is preventing the operation.

Is there a way to determine which application it is, or find out more details about it?

I do not see any “g” running process or installed application in my system.

The problem is also reported in the Steam Community and in the Microsoft Answers forum (here and here) without a solution being found. There is also a German reddit.com thread on the topic. As a rule, those affected are advised to check the system for malware. At Bleeping Computer, for example, you can find this forum thread with such hints.

A Bug in Windows

The error has passed me by so far, but Woody Leonhard found the cause and described it in this Computer World article. Woody also noticed that there are hundreds of hits on the internet where the problem is described. People are sent off to search for malware, but without result.

The reason: The whole thing is simply a bug in Windows that has been running for years through various versions. Raymond Chen of Microsoft described the background in the Microsoft developer blog in the article The program “G” is preventing you from shutting down.

Microsoft’s developers noticed some time ago that treating a UTF-16LE Unicode string as an 8-bit (ANSI) string generally yields only its first character. For most Western European characters the high byte of the UTF-16LE code unit is zero, and an 8-bit string reader interprets that zero byte as the end of the string.

Let’s get back to the mysterious “G” program, which blocks the shutdown. When the GDI+ library was created, it had to support Windows 98. However, Windows 98 had very limited support for Unicode. So everything was compiled as ANSI and used the ANSI versions of functions like RegisterClass, CreateWindow and DefWindowProc to create and manage help windows. The lack of Unicode support in the helper window didn’t cause any problems since the window never displayed a user interface and never processed text. The window was there to do things like listen to WM_SETTINGSCHANGE messages so it knew when to invalidate its caches.

Later, most of the GDI+ library was recompiled simply as a Unicode component, not as an ANSI component. However, the notification window procedure contained an explicit call to DefWindowProcA. Most character set mismatches are detected by the compiler due to a type mismatch. However, the font dependency in DefWindowProc is not encoded in the parameter types. Therefore, this discrepancy was not detected by the compiler.

This discrepancy was also not detected during testing, since the notification window does not output any text. The title of the window “GDI+ Hook Window” was simply truncated to “G”. But since this title is not used for anything, it didn’t matter, the window title is never displayed to the user. Only if the program hangs at shutdown, the truncated string G is used. The error described above is noticed.
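The truncation Raymond Chen describes can be reproduced outside Windows. The following Python snippet is an added example, not code from the article, from Raymond Chen’s post or from GDI+: it builds the UTF-16LE bytes of the title “GDI+ Hook Window” named above and walks them the way an 8-bit (“A”) string routine would, stopping at the first zero byte, next to the matching “W” walk for comparison. The function names are mine. It also goes one step beyond the text by showing what happens when the first character is not a Western European one, where the high byte is not zero and the result is no longer a clean single character.

```python
# Added example (not code from the article, Raymond Chen's post or GDI+):
# why a UTF-16LE string read by an 8-bit ("ANSI") routine collapses to "G".
# Function names are my own; the title string is the one named in the article.

def utf16le_bytes(text: str) -> bytes:
    """In-memory form a Unicode ("W") Windows API expects: 2 bytes per code unit."""
    return text.encode("utf-16-le")

def read_as_ansi(buffer: bytes) -> bytes:
    """Walk the buffer like an 8-bit ("A") routine such as lstrlenA: one byte
    at a time, stopping at the first 0x00 byte."""
    end = buffer.find(b"\x00")
    return buffer if end == -1 else buffer[:end]

def read_as_wide(buffer: bytes) -> str:
    """Walk the same buffer like a "W" routine: two bytes per unit, stopping at
    the 2-byte 0x0000 terminator (the mismatch-free path, for comparison)."""
    units = []
    for i in range(0, len(buffer) - 1, 2):
        unit = buffer[i:i + 2]
        if unit == b"\x00\x00":
            break
        units.append(unit)
    return b"".join(units).decode("utf-16-le")

def truncated_title(title: str) -> str:
    """What DefWindowProcA "sees" when handed the UTF-16LE title. For ASCII text
    the high byte of the first code unit is 0x00, so only the first character
    survives; for a first character outside Latin-1 the high byte is non-zero
    and the ANSI routine reads on into the next code unit."""
    return read_as_ansi(utf16le_bytes(title) + b"\x00\x00").decode("latin-1")

def ansi_view(title: str) -> list:
    """Per character: the (low byte, high byte) pair an ANSI routine walks over."""
    raw = utf16le_bytes(title)
    return [(ch, raw[2 * i], raw[2 * i + 1]) for i, ch in enumerate(title)]

if __name__ == "__main__":
    print(truncated_title("GDI+ Hook Window"))                       # G
    print(read_as_wide(utf16le_bytes("GDI+ Hook Window") + b"\x00\x00"))
    print(ansi_view("GDI"))   # [('G', 71, 0), ('D', 68, 0), ('I', 73, 0)]
```

The point of `ansi_view` is the zero high byte after every Latin character: that byte is what the 8-bit routine mistakes for the terminator, which is exactly why the compiler cannot see the problem and why a test that never renders the title cannot either.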

A fix is coming with Windows 10 20H1

Microsoft’s developers have included a fix for the problem in Windows 10 Insider Preview Build 19013, as the build announcement states. Jen Gentleman pointed this out in this tweet at the end of October:

The change log for the insider build 19013 already contains this reference to the correction of the bug:

Some of you have reached out about when trying to shutdown, seeing a message saying that an app named “G” was preventing shutdown. We investigated and found an issue where windows related to GDI+ were only referenced as “G.” We’ve fixed this, so going forward, these will now have the name “GDI+ Window (<exe name>)”, where <exe name> will show the .exe name of the app using GDI+.

So this fixes exactly the error mentioned above, so that from the Windows 10 release in spring 2020 on, the application that hangs on shutdown will also be named correctly.


Microsoft: Dexphot Malware infects more than 80,000 Systems


[German]Security researchers from Microsoft have found that more than 80,000 computers have been infected by malware called Dexphot. The malware is currently being used for crypto mining.

It has been running since 2018, with a peak of 80,000 infections in June. I came across the information via the following tweet.

First noticed in October 2018

Microsoft has published the details in this blog post. The malware was noticed in October 2018, when Microsoft’s polymorphic outbreak monitoring system recorded a large increase in reports. This suggested that a large-scale malware campaign was developing.

Microsoft’s security team then watched the new malware attempting to plant files that changed every 20-30 minutes on thousands of devices. Microsoft named the malware “Dexphot”.

Tricky infection methods

The Dexphot attack used a variety of sophisticated methods to bypass security solutions: several layers of code obfuscation, encryption, and random file names to hide the installation process.

Dexphot uses fileless techniques to execute malicious code in memory, leaving only few traces for forensics. The malicious code hijacks legitimate system processes to camouflage its activity. If Dexphot is not stopped during the infection phase, a crypto-miner eventually runs on the device. Monitoring services and scheduled tasks set up by the malware trigger a re-infection as soon as an attempt is made to remove it.

Microsoft Defender ATP blocks Dexphot 

In most cases, Microsoft Defender Advanced Threat Protection detection modules blocked Dexphot before execution. If that failed, behavior-based machine learning models provided protection. Given the persistence mechanisms of the threat, the polymorphism, and the use of file-less techniques, behavioral detection, according to Microsoft, was an important part of the comprehensive protection against this malware and other threats that exhibit similar malicious behavior.

According to this Microsoft page, Windows Defender under Windows 8.1 and Windows 10 also detects this malware as Trojan:Win32/Dexphot. Due to the detection capabilities, the infection rate is now greatly reduced. Details can be found in this Microsoft article.

Desktop Browser/Operating System Market Share 11.2019


[German]November is over, and it’s time to have another look at the operating system and browser shares on the desktop. How is Windows 7 doing on the desktop two months before the end of support? And what about Windows 10?

Looking at the latest figures from netmarketshare.com (until November 2019), Windows still runs on 86.06% (Oct. 2019: 86.82%) of desktop systems. Mac OS comes to 11.60% (Oct. 10.97%), while Linux runs on 1.65% (Oct. 1.55%) of the systems. So virtually no real change in market share, Windows dominates the desktop.

(netmarketshare.com OS market share 11.2019, click to zoom)

Analyzing the shares by individual operating system version, NetMarketShare reports the following figures for desktop operating systems at the end of November 2019:

  • Windows 10 comes to 53.33% (previous month 54.32%),
  • Windows 7 is at 26.86% (previous month 26.90%),
  • Windows 8.1 still comes in at 3.32% (previous month 3.59%),
  • and macOS 10.14 comes to 4.15% (previous month 5.16%).

Contrary to expectations, Windows 10 was unable to grow in November 2019 and even shows a small dip (which, however, may be a statistical effect). Windows 7 lost minimal market share (within the range of statistical fluctuations) and still runs on every fourth desktop system.

(netmarketshare.com Windows market share 11.2019, click to zoom)

It will be exciting to see what happens in December, because support for Windows 7 expires in January 2020 (only companies can book Extended Security Update support for a yearly fee). It is interesting to note that there is no movement towards Windows 8.1 or macOS 10.x. On the desktop, Windows will remain the standard operating system, and Windows 10 the most used OS on the desktop.

Among browsers on desktop systems, Google Chrome is the undisputed leader with 67.15%, followed by Firefox (8.15%). Both browsers have lost some share. Internet Explorer still comes in at 6.81% (previous month 6.31%) and Edge is bobbing around at 5.97% (previous month 6.09%).

(netmarketshare.com browser market share 11.2019, click to zoom)

Microsoft Defender ATP: credential theft detection bypassed?


[German]Just a short security note. Security researchers have found an approach to trick and evade the protection against, or the detection of, attacks that steal credentials.

Microsoft Defender ATP provides advanced breach detection sensors (see also here). Windows Defender Credential Guard also provides virtualization-based security in Windows 10. Any attempt to read logon credentials from memory with Mimikatz and Co. should therefore be detected and reported as a threat.

Defender ATP Credential-Theft

I just came across the following tweet, which deals with an approach to bypass the protection mechanisms of Microsoft Defender ATP to detect and warn against the theft of credentials.

The linked article shows how credentials can be stolen. It also suggests monitoring LSASS with Sysmon and checking every Event ID 10 for attempts to steal credentials. If you are interested in the topic, you will find the relevant details in the article. At the moment I cannot judge how practical the whole thing is.
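The Sysmon check mentioned above, as an added example that is not taken from the linked article or from Microsoft: Sysmon Event ID 10 is the ProcessAccess event, which records one process opening a handle to another together with the access mask it was granted. The Python script below parses such events from the XML shape in which Windows exports them and flags handles to lsass.exe that include PROCESS_VM_READ and come from a source outside a baseline. The event records are constructed for this demonstration, and the baseline set KNOWN_LSASS_CLIENTS is an assumption that has to be tuned per environment.

```python
# Added example (not from the linked article or from Microsoft): scanning Sysmon
# Event ID 10 (ProcessAccess) records for handles to lsass.exe that can read memory.
# The events below are constructed; KNOWN_LSASS_CLIENTS is an assumed baseline.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Access-right bits (winnt.h) relevant for reading another process's memory
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Assumption: processes that legitimately open LSASS on a typical host. Tune per environment.
KNOWN_LSASS_CLIENTS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten one exported Sysmon event into {field name: value} plus EventID."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "")
              for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    return fields

def suspicious_lsass_access(ev: dict, allowlist=KNOWN_LSASS_CLIENTS):
    """Return an alert reason for a ProcessAccess event on lsass.exe, else None."""
    if ev.get("EventID") != 10:
        return None
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    if not granted & PROCESS_VM_READ:
        return None                          # this handle cannot read LSASS memory
    source = ev.get("SourceImage", "").lower()
    if source in allowlist:
        return None                          # baselined client, no alert
    return (f"{source} opened lsass.exe with GrantedAccess=0x{granted:04x} "
            f"(includes PROCESS_VM_READ)")

def scan(xml_events):
    """Return [(UtcTime, reason)] for every event worth an alert."""
    hits = []
    for xml_text in xml_events:
        ev = parse_sysmon_event(xml_text)
        reason = suspicious_lsass_access(ev)
        if reason:
            hits.append((ev.get("UtcTime", ""), reason))
    return hits

def _event(event_id: int, **fields) -> str:
    """Build a constructed Sysmon event in the XML shape wevtutil/Get-WinEvent export."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

LSASS = r"C:\Windows\system32\lsass.exe"
SAMPLE_EVENTS = [   # constructed sample telemetry
    _event(10, UtcTime="2019-12-02 10:00:01.000", GrantedAccess="0x1010",
           SourceImage=r"C:\Program Files\Windows Defender\MsMpEng.exe", TargetImage=LSASS),
    _event(10, UtcTime="2019-12-02 10:00:02.000", GrantedAccess="0x1000",
           SourceImage=r"C:\Windows\system32\svchost.exe", TargetImage=LSASS),
    _event(10, UtcTime="2019-12-02 10:00:03.000", GrantedAccess="0x1010",
           SourceImage=r"C:\Users\alice\AppData\Local\Temp\updater.exe", TargetImage=LSASS),
    _event(10, UtcTime="2019-12-02 10:00:04.000", GrantedAccess="0x1fffff",
           SourceImage=r"C:\Users\alice\AppData\Local\Temp\updater.exe",
           TargetImage=r"C:\Windows\explorer.exe"),
    _event(1, UtcTime="2019-12-02 10:00:05.000", Image=r"C:\Windows\system32\notepad.exe"),
]

if __name__ == "__main__":
    for when, reason in scan(SAMPLE_EVENTS):
        print(when, reason)
```

Sysmon only writes ProcessAccess events where its configuration asks for them, so the practical counterpart to this script is a Sysmon rule that includes events with TargetImage lsass.exe rather than every process access on the host. The allow-list keeps the alert volume down on hosts where Defender or system services open LSASS routinely; the access mask check keeps handles that cannot read memory (the svchost example above) out of the results.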

The current status: the vulnerability was reported to the Microsoft Security Response Center (MSRC) on November 2, 2019. On November 12, 2019 MSRC announced that the issue does not fall under a bug bounty program, and that it would analyze it and then get back to the security researchers. Despite two reminders this did not happen, so the discoverers published the vulnerability on December 2, 2019, after the 30-day period of silence had expired.

Flaw in Active Directory password length policy with 15 characters


[German]There is an annoying flaw in the Group Policy for Active Directory. It prevents an administrator from setting a password policy that requires passwords of at least 15 characters. If an administrator tries to enforce a password length of 15 characters, an internal length of only 7 to 14 characters is used instead. But there are workarounds.

I came across the topic via a Facebook post from German (ex)MVP colleague Mark Heitbrink and thought it might be of interest to some administrators.

Active Directory policy problem (Facebook post from Mark Heitbrink)

Mark described the details on his German website gruppenrichtlinien.de in a post. In short: he intended to set 15 characters as the minimum length for Active Directory passwords via group policy (the editor allows up to 20 characters). But Microsoft’s Security Baseline simply states 14 characters as the maximum (due to a bug).

That is the longest password length that can be specified without side effects. Mark describes what happens when an administrator attempts to set the minimum password length to 15 characters via the default domain password policy. The previous length of x characters (set to 7 during his test) is retained after a gpupdate and passed on as the default policy in AD. This can be recognized by warnings of type SceCli 1202 in the Event Viewer: “The security policies were propagated with warnings. 0x57 : Incorrect parameter”.

Mark writes: the administrator assumes that the minimum of 15 characters applies, but the default policy, which suddenly takes effect, also allows passwords with 7 characters.

Mark describes the solutions to this dilemma. You can set the minimum password length for the minPwdLength AD attribute using PowerShell. However, this has the disadvantage that the warnings keep arriving in the Event Viewer. Mark instead suggests setting the default domain policy to a password length of 14 characters. Details can be found in his German article.

Microsoft Security Update Summary (December 10, 2019)


[German]As of December 10, 2019, Microsoft released security updates for Windows clients and servers, for Office and more. Here is a compact overview of these updates.

A list of the updates can be found on this Microsoft page. Details about the update packages for Windows, Office etc. can be found in separate blog posts.

Servicing Stack Updates

Microsoft now publishes an overview of all current Servicing Stack Updates (SSUs). The list of SSUs can be found at ADV990001 (but is not always up to date).

Notes on updates

All Windows 10 updates are cumulative. The monthly Patchday update includes all security fixes for Windows 10 and all non-security fixes up to Patchday. In addition to the security patches for the vulnerabilities, the updates contain defense-in-depth updates to improve security.

The updates can also be downloaded from the Microsoft Update Catalog. Updates for Windows RT 8.1 and Microsoft Office RT are only available via Windows Update.

For information about the support period for Windows 10, see the Windows Lifecycle Fact Sheet. Since May 2019, Internet Explorer 11 is available on Windows Server 2012; this configuration is serviced only through the cumulative update for IE.

For Windows 7 SP1 and Windows Server 2008/R2, an updated SHA-2 Code Signing Update KB4474419 was released on October 8, 2019 (see this comment at askwoody.com).

The December 2019 security updates cover 36 CVE vulnerabilities (including a 0-day vulnerability in IE), 7 of which are rated “critical” and 28 “important”. A list can be found in the Zero Day Initiative blog – Talos has also published a summary here (details will be covered separately in blog posts).

Critical Security Updates

Internet Explorer 11
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1709 for 32-bit Systems
Windows 10 Version 1709 for ARM64-based Systems
Windows 10 Version 1709 for x64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1803 (Server Core installation)
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Microsoft Visual Studio 2017 version 15.0
Microsoft Visual Studio 2017 version 15.9 (includes 15.1 – 15.8)
Microsoft Visual Studio 2019 version 16.0
Microsoft Visual Studio 2019 version 16.4 (includes 16.0 – 16.3)
Microsoft Visual Studio Live Share extension

Important Security Updates

Microsoft Excel 2010 Service Pack 2 (32-bit editions)
Microsoft Excel 2010 Service Pack 2 (64-bit editions)
Microsoft Excel 2013 RT Service Pack 1
Microsoft Excel 2013 Service Pack 1 (32-bit editions)
Microsoft Excel 2013 Service Pack 1 (64-bit editions)
Microsoft Excel 2016 (32-bit edition)
Microsoft Excel 2016 (64-bit edition)
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013 RT Service Pack 1
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
Microsoft Office 2016 for Mac
Microsoft Office 2019 for 32-bit editions
Microsoft Office 2019 for 64-bit editions
Microsoft Office 2019 for Mac
Microsoft PowerPoint 2010 Service Pack 2 (32-bit editions)
Microsoft PowerPoint 2010 Service Pack 2 (64-bit editions)
Microsoft PowerPoint 2013 RT Service Pack 1
Microsoft PowerPoint 2013 Service Pack 1 (32-bit editions)
Microsoft PowerPoint 2013 Service Pack 1 (64-bit editions)
Microsoft PowerPoint 2016 (32-bit edition)
Microsoft PowerPoint 2016 (64-bit edition)
Microsoft Word 2010 Service Pack 2 (32-bit editions)
Microsoft Word 2010 Service Pack 2 (64-bit editions)
Microsoft Word 2013 RT Service Pack 1
Microsoft Word 2013 Service Pack 1 (32-bit editions)
Microsoft Word 2013 Service Pack 1 (64-bit editions)
Microsoft Word 2016 (32-bit edition)
Microsoft Word 2016 (64-bit edition)
Office 365 ProPlus for 32-bit Systems
Office 365 ProPlus for 64-bit Systems
SQL Server 2017 Reporting Services
SQL Server 2019 Reporting Services
Power BI Report Server
Microsoft Authentication Library (MSAL) for Android
Skype for Business Server 2019 CU2

Low Security Updates

Internet Explorer 9
Internet Explorer 10

Similar articles:
Microsoft Office Patchday (December 3, 2019)
Microsoft Security Update Summary (December 10, 2019)
Patchday: Updates for Windows 7/8.1/Server (Dec. 10, 2019)
Patchday Windows 10-Updates (December 10, 2019)

Microsoft Patchday Review (Dec. 10, 2019)


[German]As of December 10, 2019, Microsoft has released a collection of security updates for its products. This article is a Patchday review that collects information about issues with these updates.

Issues with Windows 7 Updates

The updates KB4530734 (Monthly Rollup Update) and KB4530692 (Security-only Update) showed at least some unusual behavior on Windows 7 clients.

Very long installation time under Windows 7

In the German article Patchday: Updates für Windows 7/8.1/Server (10. Dez. 2019) several blog readers reported (here and here) a very long installation time for the Windows 7 updates. One user wrote:

For me, the update just paralyzed the PC completely. For an hour it has been saying “Updates are being configured”. And that with an i5 processor, 8 GB RAM and a 500 GB SSD. So far, at least in the last years, the Win7 update was always a matter of a few minutes, and hours of downtime for updates I know only from my Win10 computer. Should this “adaptation” of Win7 make me migrate my favorite PC (so far) to Win10?

In the comments readers point out that the update installation takes an unusually long time (especially when configuring the updates).

If the machine does not get out of the update configuration loop, use my tip from this article and boot into safe mode via F8. Have the updates installed there.

KB4530734 ends with black screen

At reddit.com there is this thread, in which a user complains about a black screen after installing the monthly rollup update KB4530734. The problem is confirmed by some users.

It is suspected that the Servicing Stack Update (SSU) KB4523206 not being installed is responsible for this boot problem. Woody Leonhard has posted a corresponding article (see also the tweet above).

Trouble with TrueCrypt

In connection with TrueCrypt (which is outdated anyway) there seem to be boot problems with encrypted drives, as I read here.

Install issues with Windows Server

I have received feedback about boot problems on Windows Server 2008 R2 as well as on Windows Server 2012.

Windows Server 2008 R2 boot issues

The comment here about the Windows 7/Server 2008 R2 updates KB4530734 (Monthly Rollup Update) and KB4530692 (Security-only Update) describes boot issues: in a VM, Windows Server 2008 R2 goes to the Recovery Console and no longer starts. The host is VMware. And this comment mentions that Windows Server 2008 R2 ran into problems after the update was installed.

This patch caused our Server 2008 R2 server to have problems – RDP connection failed, DFS Namespace server would not start – the dependent Server service did not start.

Removed the patch and all is working again.

Could be an isolated case, though. In addition, it was not specified which update caused the error.

Windows Server 2012 boot loop

If Windows Server 2012 falls into a boot loop during the installation of the December 2019 updates, the .NET Framework update KB4533096 could be the cause, as Woody Leonhard suggests in the following tweet.

Here, too, it helps to boot Windows Server 2012 in safe mode. Then the installation should be finished.

Windows 10: Problem with Drive Mapping

Woody Leonhard points out a problem with drive mapping (mapping of network shares) in connection with the cumulative update KB4530684 for Windows 10 Version 1903/1909:

After installing the update, the network drives had disappeared and the AD management tools could no longer find the domain. A rollback of the update fixed the problem. But it seems to have been an isolated case.

Office 365 Updates pulled

I didn’t discuss the updates for Office 365 here in the blog. However, the Microsoft Update Catalog contains certain updates. At Bleeping Computer, this post reports that Office 365 updates have been withdrawn. Reason: the updates caused error 0x800b0004 (a certificate error, TRUST_E_SUBJECT_NOT_TRUSTED) when distributed via SCCM.

Similar articles:
Microsoft Office Patchday (December 3, 2019)
Microsoft Security Update Summary (December 10, 2019)
Patchday: Updates for Windows 7/8.1/Server (Dec. 10, 2019)
Patchday Windows 10-Updates (December 10, 2019)
Patchday Microsoft Office Updates (December 10, 2019)

Issues with Lenovo USB-C Dock and Windows 10 V1903


[German]Do Lenovo Yoga X370 and X380 series ThinkPads have connection issues with the USB-C dock under Windows 10 version 1903? And if it occurs with version 1903, it should also apply to version 1909 (November 2019 Update).

The topic was already sent to me in mid-October 2019 by blog reader Michael H. by mail (thanks for that). I confess it slipped through the stack of many messages, but it didn’t get lost. So I’ll cover it here in the blog; maybe it helps other blog readers, or there is even a solution, in which case you can post comments.

The problem description

German blog reader Michael H. wrote the following in his mail about the trouble that Windows 10 and the hardware are causing:

We are lucky to always be at the forefront of IT technology. Unfortunately, we are also facing various issues with Windows 10 or the hardware we use.

Currently, the problem of Lenovo Yoga Thinkpads of the X370 and X380 series having connection problems with the USB-C dock is becoming more and more common.

Since it doesn’t seem to be a direct hardware problem, it’s always difficult to bag something like this from the manufacturers.

The problem is that the notebooks hang as soon as a monitor with display port is connected and switched on.

Sometimes the display on the notebook turns black, sometimes the mouse is gone and touch cannot be operated anymore.

If the monitors are switched off, the notebook works again.

Drivers, firmware (NB and Dock) and also Windows 10 1903 are up to date. We also had this problem with 1809.

This immediately rang a bell, as I had published the article Surface Pro 7: Firmware update for Battery and USB Dock at the beginning of December 2019 because of a similar error.

Other mentions within the internet

German blog reader Michael H. pointed out in his mail that there are numerous users on the Internet who are complaining about the dock problem with USB-C. Here are a few links to German and English forum posts about that issue.

In the last linked article the user also has firmware upgrade problems. In none of these forum posts did I find a solution, but other users confirm the problem. Can anyone confirm the problems? Is there a known solution?


Vulnerability in NVIDIA GeForce Experience App closed


[German]Vendor NVIDIA has closed a security hole (denial of service or privilege escalation) in its NVIDIA GeForce Experience app with an update.

The NVIDIA GFE App

The NVIDIA GeForce Experience is software that lets you capture and share videos, screenshots, and live streams with friends. The app is also designed to keep drivers up to date and optimize game settings. The application can be downloaded here. Details can be found in this FAQ.

NVIDIA GeForce Experience App

The vulnerability

However, the application had a vulnerability, CVE-2019-5702, which, when GameStream was enabled, allowed an attacker with local system access to corrupt a system file. This could lead to a denial of service that renders the Windows machine unusable, or to privilege escalation. The vulnerability was rated severe with a base score of 8.4.

There is a security update

As of December 23, 2019, NVIDIA has updated the Security Bulletin: NVIDIA GeForce Experience – December 2019. NVIDIA has released a software security update for NVIDIA® GeForce Experience™. This update fixes an issue that could cause a denial of service or escalation of privileges.

The CVE-2019-5702 vulnerability affects all Windows program versions of the GeForce Experience prior to 3.20.2. The CVE-2019-5702 vulnerability was closed when the application was updated to version 3.20.2.

To protect a Windows system, users should download and install this software update from the GeForce Experience Downloads page. Open the NVIDIA GeForce Experience client to apply the security update. Earlier versions of the software that support this product are also affected. If you are using an earlier branch of the software, upgrade to the latest version. (via Bleeping Computer)

Operating system/Windows Market Share (December 2019)


[German]It’s early January 2020, and Windows 7 support expires this month. Time to take a look at the current market share of desktop operating systems as of the end of December 2019.

Windows dominates the desktop

Looking at the latest figures from netmarketshare.com (until December 2019), Windows still runs on 86.84% (Nov. 2019: 86.06%) of desktop systems. Mac OS runs on 11.9% (Oct. 11.0%) of systems, while Linux runs on 1.61% (Oct. 1.65%) of systems. So in fact no real change in market share: Windows dominates the desktop.

(Operating system shares, desktop 12-2019, source: netmarketshare.com)

Desktop versions at a glance

In the analysis of the distribution by operating system version, the NetMarketShare website for desktop operating systems reports the following figures for the end of December 2019:

  • Windows 10 comes to 54.62% (previous month 53.33%),
  • Windows 7 is at 26.64% (previous month 26.86%),
  • Windows 8.1 still comes to 3.63% (previous month 3.32%),
  • and macOS 10.14 comes to 3.50% (previous month 4.15%).

So Windows 10 could not really gain in December 2019, even though support for Windows 7 expires this month. Windows 7 lost minimal market share (within the range of statistical fluctuations) and still runs on every fourth desktop system.

(Operating system shares, desktop 12-2019, source: netmarketshare.com)

This is not what I had imagined

I was a bit surprised by the decrease in the macOS share, but this may be due to statistical fluctuations. Linux with 1.41% (average over the 12 months of 2019; the value for December 2019 is 1.20%) does not appear in the chart above. But one can also state: the switch from Windows 7 to Windows 10 did not take place at the turn of the year 2019/2020. People stay with the operating systems they currently use.

If, 14 days before the end of support, more than every fourth desktop computer is still running Windows 7, that is a huge slap in the face for Microsoft. Although the free upgrade from Windows 7 to Windows 10 is still possible, one in four Windows users doesn’t even want this operating system as a gift. If someone had told me this 5 years ago, I would have classified the person as crazy. The information from an ex-Microsoft employee from Greece comes to mind, who wrote me two years ago that Microsoft in Redmond was on fire because Windows 10 does not run as successfully as expected. Obviously nothing has changed.

Among the browsers on desktop systems, Google Chrome is the undisputed leader with 66.59%, followed by Firefox (8.22%). Internet Explorer still comes in at 5.77% and the Edge is bobbing around at 6.47%. There are hardly any changes to the previous month. 

End of Support for Microsoft Products in January 2020


[German]In a few days Windows 7 SP1 receives security updates for the last time (at least for the broad mass of users). Then support for this operating system ends. But in January 2020, support for a number of other Microsoft products ends as well.

A complete overview of all products that reach the end of support in 2020 can be found on this Microsoft website. Here is some selected information about products that reach the end of support in January 2020.

January 14, 2020: Windows 7 SP1

On January 14, 2020, Windows 7 SP1, Windows Server 2008 and Windows Server 2008 R2 reach the end of support, which means they receive security updates for the last time.

For Windows 7 SP1 (except the Basic and Home Premium editions), you can purchase Extended Security Update (ESU) support for a fee. These Extended Security Updates are also available as single licenses for the respective clients, an option for small businesses or freelancers without a software maintenance contract. Then there are security updates until January 2023. I have published some information on this topic in the following blog posts.

Wow! Windows 7 get extended support until January 2023
Windows 7 Extended Security Updates buyable from April 2019
Microsoft offers Windows 7 Extended Update Support to SMBs
Prices for Windows 7 Extended Security Updates till 2023
Windows 7: Free Extended Update Support and usage
Windows 7: Office 365 ProPlus Updates till 2023
Windows 7 Extended Security Updates (ESU) requirements
Windows 7 Extended Security Update (ESU) program available
Windows 7 Extended Security Updates (ESU) program, price and source for SMEs
Windows 7: Buy and manage ESU licenses – Part 1
Windows 7: Preparing for ESU and license activation – Part 2

For organizations that virtualize everything, Microsoft Windows Virtual Desktop (available on Azure) offers the ability to provide free extended security updates to a Windows 7 installation through January 2023.

January 14, 2020: Windows Server 2008 / R2

The two server variants will also drop out of support on January 14, 2020 and will no longer receive regular updates. There is also an Extended Security Updates program for these server operating systems. However, it will be difficult for a single Windows Server 2008 / R2 system without a volume license contract including Software Assurance. From what I know, Microsoft will not offer ESU single licenses for Server 2008/R2 through CSP partners.

Microsoft advises companies that still need to stay on Windows Server 2008 / R2 to migrate to Azure. By running Windows Server 2008 and 2008 R2 in the cloud, organizations will continue to receive free security updates for Windows Server 2008 / 2008 R2 for at least three more years after January 14, 2020. If you want to upgrade from Windows Server 2008 / R2 to a successor version, you will find information about migration paths in the article Windows Server 2008/R2: In-place upgrade description updated (01/06/2020). Information on migrating from Windows Server 2008 to Azure is available here.

Hyper-V Server 2008 and Hyper-V Server 2008 R2 also reach end of life on January 14, 2020.

January 14, 2020: WSUS 3.0

Windows Server Update Services (WSUS) 3.0 SP2 will also be dropped from support on January 14, 2020. Actually, the end of support would have been on July 11, 2017. But this end date for extended support for Windows Server Update Services (WSUS) 3.0 SP2 has been moved from July 11, 2017, to January 14, 2020, bringing it into line with the support expiration dates for Windows Server 2008 SP2 and Windows Server 2008 R2.

Microsoft WSUS 4.0 will be available for subsequent Windows Server versions (Windows Server 2012/ R2 and later). Instructions for migrating from WSUS 3.0 to WSUS 4.0 can be found in this Microsoft article.  

January 14, 2020: Watch the Office 365 support

Via the patch management list I became aware of information from blog reader Karl about the support of Microsoft Office 365. Microsoft Office 365 ProPlus will be dropped from support as of January 14, 2020 for the following operating systems:

  • All Windows 10 LTSC/LTSB versions
  • Windows Server 2012 and Windows Server 2012 R2

However, Microsoft will continue to support Office 365 ProPlus on Windows 8.1 until that system's support ends in January 2023, and on Windows Server 2016 until October 2025. This can be read in this Microsoft document.

Several System Center products also reach end of support on January 24, 2020, and on January 31, 2020 updates for Internet Explorer 10 end.

Windows: Is a critical cryptography patch coming today?


[German]If the rumors are true, a critical patch for the CryptoAPI of some Windows versions arrives today. The vulnerability puts certificate validation, and with it signed code and encrypted connections, at risk. The US military is said to have received the fix in advance. Addendum: Details of the spoofing vulnerability CVE-2020-0601 are now known. Not all Windows versions are affected, as originally suspected, but only Windows 10, Windows Server 2016 and 2019.

First patchday in 2020

January 14, 2020 is Microsoft's first regular patchday this year. Windows 7 will then receive its last planned security updates. Other Windows versions and other Microsoft products will probably be patched as well. So far, so normal.

Security expert rumor

I had already seen it mentioned as a nebulous hint in that night's askwoody.com newsletter. Woody Leonhard refers to a tweet from Will Dormann (security analyst at CERT/CC):

But then I came across a little more detail at Brian Krebs. Sources tell KrebsOnSecurity that Microsoft will release a critical security update today, Tuesday, to fix an extremely serious security hole in a central cryptographic component that, according to these sources, is present in all versions of Windows.

The sources quoted by Krebs say that Microsoft has quietly provided a patch for the bug to the US military and other high-value customers/targets that manage critical Internet infrastructure. However, these organizations were asked to sign a Non-Disclosure Agreement (NDA), which prevents them from publishing details of the bug before January 14, 2020.

Vulnerability in crypt32.dll

According to Krebs' sources, the vulnerability is located in the Windows library crypt32.dll. According to Microsoft, this library handles the “certificate and cryptographic message functions in the CryptoAPI”. The Microsoft CryptoAPI lets developers secure Windows applications cryptographically; for this purpose it provides functions for encrypting and decrypting data with the help of digital certificates.

A critical vulnerability in this Windows component could have far-reaching effects on the security of a number of important Windows functions. These range from authentication on Windows desktops and servers to the protection of sensitive data encrypted by browsers or applications using the API.

Krebs speculates that a flaw in crypt32.dll could also be used to bypass or forge the digital signature on software packages. Attackers could exploit such a flaw to make malware look like a benign program that was produced and signed by a legitimate software company. The CryptoAPI DLL was introduced more than 20 years ago, so this old code is also present in the ultramodern "Windows as a service". Let's see what arrives within a few hours.

Addendum: Details of the spoofing vulnerability CVE-2020-0601 are now known.

A spoofing vulnerability exists in the way the Windows CryptoAPI (Crypt32.dll) validates elliptic curve cryptography (ECC) certificates.

An attacker could exploit this vulnerability by using a spoofed code-signing certificate to sign a malicious executable file, thereby implying that the file came from a trusted, legitimate source. The user would have no way to recognize the file as malicious, because the digital signature appears to come from a trusted provider.

A successful exploit could also allow the attacker to perform man-in-the-middle attacks and decrypt confidential information through user connections to the affected software.

This security update addresses the vulnerability by ensuring that the Windows CryptoAPI ECC certificates are fully validated.

Affected are Windows 10, Windows Server 2016 and 2019, i.e. only Microsoft's current operating systems. The vulnerability is closed by the cumulative updates of January 14, 2020 (see CVE-2020-0601 and my blog post Patchday Windows 10-Updates (January 14, 2020)).
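To make the advisory's phrase "fully validated" concrete, here is an added illustration of my own (not Microsoft's code and not taken from the advisory). An X.509 certificate can carry its elliptic-curve domain parameters explicitly instead of naming the curve. If a validator identifies the trusted root by its public key Q alone and then verifies signatures with the base point taken from the certificate, an attacker can pick any private key d' and publish G' = d'^-1 · Q, because then d' · G' = Q. The toy P-256 implementation below (pure Python, not constant-time, for illustration only; the root key, the payload standing in for a leaf certificate, and the two validator functions are all constructed for the demo) shows the forged chain passing a key-only check and failing a check that also compares the curve parameters.

```python
# Added example for CVE-2020-0601, not Microsoft's code: a toy P-256 validator
# that matches a CA to a trusted root by public key alone, next to one that also
# checks the curve parameters. Pure Python, not constant-time, illustration only.
import hashlib
import secrets

# NIST P-256 domain parameters (real values).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
NAMED_P256 = {"p": P, "a": A, "b": B, "n": N, "G": G}

def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + Ax + B over GF(P); None is infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # Q + (-Q) = infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def ecdsa_sign(d, base, msg):
    """ECDSA over SHA-256 using base point `base` (which a forged cert controls)."""
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, base)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s:
            return (r, s)

def ecdsa_verify(pub, base, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(z * w % N, base), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def forge_params(trusted_pub):
    """Attacker step: choose any d', publish G' = d'^-1 * Q, so that d' * G' == Q.
    The forged CA certificate carries Q as its key and G' as an explicit parameter."""
    d_evil = secrets.randbelow(N - 2) + 2
    g_evil = ec_mul(pow(d_evil, -1, N), trusted_pub)
    return d_evil, dict(NAMED_P256, G=g_evil)

def vulnerable_root_match(cert, trusted_roots):
    """Pre-patch behaviour as the advisory describes it: the key alone identifies the root."""
    return any(cert["pub"] == root["pub"] for root in trusted_roots)

def hardened_root_match(cert, trusted_roots):
    """Post-patch behaviour: the key and every curve parameter must match the root."""
    return any(cert["pub"] == root["pub"] and cert["params"] == root["params"]
               for root in trusted_roots)

def chain_verifies(msg, sig, issuer_cert, trusted_roots, root_match):
    """Accept msg if issuer_cert maps to a trusted root and its signature verifies
    using the parameters taken from issuer_cert itself, as the vulnerable code did."""
    if not root_match(issuer_cert, trusted_roots):
        return False
    return ecdsa_verify(issuer_cert["pub"], issuer_cert["params"]["G"], msg, sig)

def demo():
    """Constructed scenario: random 'trusted root', forged intermediate, signed payload."""
    d_root = secrets.randbelow(N - 1) + 1        # real CA key; the attacker never learns it
    root = {"params": NAMED_P256, "pub": ec_mul(d_root, G)}
    d_evil, evil_params = forge_params(root["pub"])
    evil_ca = {"params": evil_params, "pub": root["pub"]}   # same Q, different G
    payload = b"constructed stand-in for a code-signing leaf certificate"
    sig = ecdsa_sign(d_evil, evil_params["G"], payload)
    return {
        "key_relation_holds": ec_mul(d_evil, evil_params["G"]) == root["pub"],
        "vulnerable_accepts": chain_verifies(payload, sig, evil_ca, [root], vulnerable_root_match),
        "hardened_accepts": chain_verifies(payload, sig, evil_ca, [root], hardened_root_match),
    }

if __name__ == "__main__":
    print(demo())
```

Running it prints `vulnerable_accepts` as True and `hardened_accepts` as False. Two practical caveats for defenders: the fix has to be on the machine that performs the validation, and software that ships its own certificate parser instead of calling CryptoAPI is neither affected nor protected by this update. The patched crypt32.dll also writes an event to the Application log (source Microsoft-Windows-Audit-CVE, event ID 1) when it rejects a certificate of this kind, which makes a cheap detection rule for exploitation attempts.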

Microsoft Security Update Summary (January 14, 2020)


[German]On January 14, 2020, Microsoft released security updates for Windows clients and servers, for Office, and more. Here is a compact overview of these updates.

A list of the updates can be found on this Microsoft page. Details about the update packages for Windows, Office etc. are available in separate blog posts.

Servicing Stack Updates

Microsoft now publishes an overview of all current Servicing Stack Updates (SSUs). The list of SSUs can be found at ADV990001  (but is not always up to date).

Notes on updates

All Windows 10 updates are cumulative. The monthly patchday update contains all security fixes for Windows 10 as well as all non-security fixes released up to that patchday. Besides the patches for the listed vulnerabilities, the updates contain defense-in-depth changes to improve security.

The updates can also be downloaded from the Microsoft Update Catalog. The updates for Windows RT 8.1 and Microsoft Office RT are only available via Windows Update.

Information on the support period for Windows 10 can be found in the Windows Lifecycle Fact Sheet. Internet Explorer 11 has been available on Windows Server 2012 since May 2019; this configuration is only served through the Cumulative Update for IE.

For Windows 7 SP1 and Windows Server 2008/R2, an updated SHA-2 code signing update KB4474419 was released on October 8, 2019 (see this comment at askwoody.com). Extended Support for these operating systems ends on 01/14/2020, after which further updates will only be available to ESU program participants.

The January 2020 security updates cover 49 CVE vulnerabilities in Microsoft Windows, Internet Explorer (IE), Office and Office Services and Web Apps, ASP.NET, .NET Core, .NET Framework, Modern Apps, and Microsoft Dynamics. Eight of these vulnerabilities are rated Critical and 41 Important. According to Microsoft, none of them were publicly known or under active attack at the time of release. However, there have been reports of an IE bug that is being actively exploited but is not yet fixed by an update. A list can be found in the blog of the Zero Day Initiative; Talos has also published a summary here (details will be covered separately in blog posts).

Critical Security Updates

Internet Explorer 11
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1709 for 32-bit Systems
Windows 10 Version 1709 for ARM64-based Systems
Windows 10 Version 1709 for x64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1803  (Server Core Installation)
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
.NET Core 3.0
.NET Core 3.1
ASP.NET Core 2.1
ASP.NET Core 3.0
ASP.NET Core 3.1
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2
Microsoft .NET Framework 3.5 AND 4.7.1/4.7.2
Microsoft .NET Framework 3.5 AND 4.7.2
Microsoft .NET Framework 3.5 AND 4.8
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2
Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2
Microsoft .NET Framework 4.8

Important Security Updates

Dynamics 365 Field Service (on-premises) v7 series
Microsoft Excel 2010 Service Pack 2 (32-bit editions)
Microsoft Excel 2010 Service Pack 2 (64-bit editions)
Microsoft Excel 2013 RT Service Pack 1
Microsoft Excel 2013 Service Pack 1 (32-bit editions)
Microsoft Excel 2013 Service Pack 1 (64-bit editions)
Microsoft Excel 2016 (32-bit edition)
Microsoft Excel 2016 (64-bit edition)
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013 RT Service Pack 1
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
Microsoft Office 2016 for Mac
Microsoft Office 2019 for 32-bit editions
Microsoft Office 2019 for 64-bit editions
Microsoft Office 2019 for Mac
Office 365 ProPlus for 32-bit Systems
Office 365 ProPlus for 64-bit Systems
Office Online Server
OneDrive for Android

Low Security Updates

Internet Explorer 9
Internet Explorer 10

Similar articles:
Microsoft Office Patchday (January 7, 2020)
Microsoft Security Update Summary (January 14, 2020)
Patchday: Updates for Windows 7/8.1/Server (Jan. 14, 2020)
