
Windows: PoC for CryptoAPI Bug CVE-2020-0601 are out


[German]Several proof-of-concept exploits for the CryptoAPI vulnerability CVE-2020-0601 in Windows are now public, and the bug is likely to be actively attacked soon. Chrome has introduced a check in the browser, and there is a test page for this vulnerability.

What is CVE-2020-0601

As a reminder, there is a spoofing vulnerability CVE-2020-0601 in the Crypt32.dll library (CryptoAPI) that could be exploited by an attacker. An attacker could use a spoofed code-signing certificate to sign a malicious executable file, and Windows would accept the signature without noticing the forgery.

A successful exploit could also allow the attacker to perform man-in-the-middle attacks and decrypt confidential information about user connections to the affected software. I had a blog post Windows: Is a critical cryptography patch coming today? about that. Microsoft also published this blog post on 1-14-2020.

Microsoft states that Windows 10, Windows Server 2016 and 2019 are affected and has provided cumulative updates to close the vulnerability (see CVE-2020-0601 and my blog post Patchday Windows 10-Updates (December 10, 2019)).

Proof of Concept Exploits are public

The recently discovered vulnerability in Windows, CVE-2020-0601, is of course a natural target for cyber criminals. They could break encrypted HTTPS connections through man-in-the-middle attacks and read the information. In the meantime, security researchers have developed and partially published proof of concept (PoC) code examples that exploit this vulnerability.

  • Security expert Saleem Rashid has created proof-of-concept code to spoof TLS certificates. This makes it possible to set up a fake website that appears to be secured by a legitimate certificate. Rashid has not released the exploit code, to prevent attackers from using it in the wild.
  • Swiss cyber security company Kudelski Security has released a working exploit for the vulnerability on GitHub.
  • Danish security researcher Ollypwn also released an exploit for the CurveBall vulnerability.

The site securityaffairs.co reports on these researchers' exploits in this article, and Bleeping Computer has also covered the issue in this article. Administrators are advised to patch Windows systems immediately.

A test page for the crypto vulnerability

Through a tweet from security researcher Kevin Beaumont I came across an interesting website. 

If you visit the website chainoffools.wouaib.ch, you should receive the certificate error shown in the tweet or below as a warning.

(Certificate error shown by the chainoffools.wouaib.ch crypto test page)

If the warning above does not appear, the system needs to be patched, because the test page's forged certificate is evidently not being rejected. With Firefox, however, the test is useless, because the browser performs its own certificate validation internally; the certificate warning therefore appears even if the CryptoAPI bug is unpatched.

I have tested it on Windows 10 in Edge. There the warning is displayed, but the system was also patched. However, the warning also appeared when the system was unpatched, so I'm not sure how accurate the test really is. You may want to try it and report back here.

Chrome gets check for CryptoAPI errors

In the responses to the above tweet, Kevin Beaumont points out that the Chrome browser may get a check for the Crypto API vulnerability.

Then I came across the above tweet from Bleeping Computer. Google has just released Chrome 79.0.3945.130, which now detects certificates attempting to exploit the CVE-2020-0601 CryptoAPI Windows vulnerability discovered by the NSA.
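A defender-side check in the spirit of the Chrome detection described above, as an added example that is not code from the original post, from Microsoft or from Chrome: the spoofed certificates behind CVE-2020-0601 carry an ECC key with explicit curve parameters (including a custom generator) instead of a named-curve OID, so the script parses a DER SubjectPublicKeyInfo and reports any EC key whose parameters are explicit. The helper names, the allowed-curve policy and the sample key blobs (built inline with placeholder values, not real keys) are all assumptions for this example.

```python
"""Flag EC public keys that use explicit curve parameters (a CVE-2020-0601 indicator).

Added example, not code from the original post or from Chrome. The check works on
the DER SubjectPublicKeyInfo of a certificate: if the AlgorithmIdentifier for
id-ecPublicKey carries a SEQUENCE (explicit ECParameters) instead of a named-curve
OBJECT IDENTIFIER, the key is reported. The sample blobs at the bottom are
constructed for the test and contain placeholder values only.
"""

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"

# Assumed policy: named curves that are accepted; anything else is reported.
ALLOWED_CURVES = {
    "1.2.840.10045.3.1.7": "prime256v1",
    "1.3.132.0.34": "secp384r1",
    "1.3.132.0.35": "secp521r1",
}


def read_tlv(buf, pos):
    """Decode one DER TLV starting at buf[pos]; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Turn DER OBJECT IDENTIFIER content octets into dotted-decimal text."""
    parts = [content[0] // 40, content[0] % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(str(p) for p in parts)


def classify_spki(spki):
    """Classify a DER SubjectPublicKeyInfo.

    'not-ec'              algorithm is not id-ecPublicKey (out of scope here)
    'named:<curve>'       EC key on an allowed named curve
    'named-unknown:<oid>' EC key on a named curve outside ALLOWED_CURVES
    'explicit-params'     EC key with explicit ECParameters: CurveBall indicator
    'no-params'           id-ecPublicKey with NULL/absent parameters
    """
    tag, body, _ = read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, _ = read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, alg_oid, nxt = read_tlv(alg, 0)
    if tag != 0x06 or decode_oid(alg_oid) != ID_EC_PUBLIC_KEY:
        return "not-ec"
    if nxt >= len(alg):
        return "no-params"
    ptag, pval, _ = read_tlv(alg, nxt)
    if ptag == 0x06:  # namedCurve OBJECT IDENTIFIER: the expected, safe form
        curve_oid = decode_oid(pval)
        if curve_oid in ALLOWED_CURVES:
            return "named:" + ALLOWED_CURVES[curve_oid]
        return "named-unknown:" + curve_oid
    if ptag == 0x30:  # explicit ECParameters SEQUENCE: what the spoofed certs use
        return "explicit-params"
    return "no-params"


# --- constructed sample data: minimal DER encoder used only to build test blobs ---

def tlv(tag, content):
    """Encode one DER TLV with a short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def oid(dotted):
    """Encode a dotted-decimal OID as a DER OBJECT IDENTIFIER."""
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))


DUMMY_POINT = b"\x00\x04" + b"\x11" * 64  # 0 unused bits + fake uncompressed point


def build_ec_spki(params_der):
    """Wrap id-ecPublicKey, the given parameters and a dummy point into an SPKI."""
    alg = tlv(0x30, oid(ID_EC_PUBLIC_KEY) + params_der)
    return tlv(0x30, alg + tlv(0x03, DUMMY_POINT))


NAMED_SPKI = build_ec_spki(oid("1.2.840.10045.3.1.7"))  # normal P-256 key

# Explicit ECParameters ::= SEQUENCE { version, fieldID, curve, base, order }.
# Only the outer shape matters for the check; all numbers are placeholders.
EXPLICIT_PARAMS = tlv(0x30,
    tlv(0x02, b"\x01")                                          # version 1
    + tlv(0x30, oid("1.2.840.10045.1.1") + tlv(0x02, b"\x7f"))  # fieldID: prime-field, placeholder p
    + tlv(0x30, tlv(0x04, b"\x01") + tlv(0x04, b"\x02"))        # curve: a, b placeholders
    + tlv(0x04, b"\x04" + b"\x22" * 64)                         # base point G (self-chosen in the spoofed certs)
    + tlv(0x02, b"\x7d"))                                       # order n placeholder
EXPLICIT_SPKI = build_ec_spki(EXPLICIT_PARAMS)

RSA_SPKI = tlv(0x30, tlv(0x30, oid("1.2.840.113549.1.1.1") + tlv(0x05, b"")) + tlv(0x03, b"\x00\x30"))

if __name__ == "__main__":
    for name, blob in (("named", NAMED_SPKI), ("explicit", EXPLICIT_SPKI), ("rsa", RSA_SPKI)):
        print(name, "->", classify_spki(blob))
```

In practice you would run classify_spki over the SPKI of every certificate in a chain presented by a server or attached to a signed binary, and treat 'explicit-params' as an alert.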


Warning: 0-Day vulnerability in Internet Explorer (01/17/2020)


[German]Microsoft has issued a security advisory for a 0-day vulnerability in Internet Explorer as of January 17, 2020, which affects virtually all versions of Windows (because Internet Explorer is the browser that is present in those versions). There is an issue in the JScript part that could be exploited to remotely execute code. Here is some information, including how to work around it.

Internet Explorer 0-Day vulnerability

On January 17, 2020, Microsoft issued a security warning about a zero-day vulnerability in Internet Explorer for which no patch is available. According to Catalin Cimpanu, the Chinese security provider Qihoo 360 had briefly tweeted about it last week, but deleted the tweet again. Here is the security notification from Microsoft:

**************************************************************
Title: Microsoft Security Advisory Notification
Issued: January 17, 2020
**************************************************************
Security Advisories Released or Updated on January 17, 2020
=================================================

* Microsoft Security Advisory ADV200001

ADV200001 | Microsoft Guidance on Scripting Engine Memory Corruption Vulnerability
– Reason for Revision: Information published.
– Originally posted: January 17, 2020
– Updated: N/A
– Version: 1.0

There is a memory corruption vulnerability in the scripting engine that is also used by Internet Explorer.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

When objects are executed by the Scripting Engine in Internet Explorer, a memory corruption may occur.

Remote code execution (RCE) possible

The vulnerability could cause memory corruption that could allow an attacker to execute arbitrary code in the context of the current user. This vulnerability could allow remote code execution (RCE).

An attacker who successfully exploited the vulnerability would gain only the same user rights as the current user. If the current user is logged on with administrative rights, however, the attacker could take control of the affected system and then install programs; view, change, or delete data; or create new accounts with full user rights.

The issue is that in a Web-based attack scenario, an attacker could host a specially crafted Web site that exploits the vulnerability by using Internet Explorer. The attacker could then try to trick a user into viewing the Web site (for example, by sending an e-mail that contains a link to the Web site).

Critical, but manageable

Microsoft classifies the vulnerability, which exists in all supported Windows systems, as critical. However, on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019, Internet Explorer runs by default in a restricted mode called Enhanced Security Configuration.

This security configuration uses a set of preconfigured settings in Internet Explorer that can reduce the likelihood that a user or administrator will download and run specially crafted Web content on a server. This is a mitigating factor for websites that you have not added to the Trusted Sites zone in Internet Explorer.

Workaround: disable JScript.dll if necessary

As a workaround, Microsoft suggests disabling access to the JScript.dll. For 32-bit systems, run the following commands in an administrative prompt.

    takeown /f %windir%\system32\jscript.dll
    cacls %windir%\system32\jscript.dll /E /P everyone:N

For 64-bit systems, execute the following commands in an administrative prompt.

    takeown /f %windir%\syswow64\jscript.dll
    cacls %windir%\syswow64\jscript.dll /E /P everyone:N
    takeown /f %windir%\system32\jscript.dll
    cacls %windir%\system32\jscript.dll /E /P everyone:N

Note: The commands shown above are for an English Windows. In localized Windows editions you need to replace ‘everyone’ with the localized group name; in my German Windows I have to replace it with ‘jeder’. Create a backup before applying Microsoft's workaround, and read the remarks below about collateral damage.

As a result, access to the jscript.dll is blocked for every user and the vulnerability can no longer be exploited. The implementation of these steps results in reduced functionality for components or features that rely on jscript.dll. If you encounter problems that cause applications to stop running, the article contains instructions for releasing the DLL.

By default IE11, IE10 and IE9 use the Jscript9.dll file, which is not affected by this vulnerability. This vulnerability affects only certain Web sites that use Jscript as their script engine. For more details, see Microsoft’s ADV200001 article.

Addendum: at your own risk

The above workaround from Microsoft causes a fair amount of collateral damage: everything that depends on JScript (the jscript.dll library) will no longer work. For example, a blog reader reports that the login to Microsoft online accounts in IE no longer works. And the following tweet indicates that BitLocker Recovery is causing issues.


I now have issues with Firefox (portable version on Windows 7). The browser launches, but can't display any web page; even the settings page won't open anymore. I don't know if it's related to the workaround (using other profiles, omitting add-ins etc. doesn't help, but FF works in the Tor bundle).

Prognosis: Mass migration from Windows to macOS


[German]An interesting forecast has just landed on my desk. Dean Hager, CEO of the software provider Jamf, has made some predictions about developments in 2020. One of them is that we will see a mass migration from Windows to macOS. I found this so interesting that I wrote a short blog post about it.

The “next big thing” is already waiting around the next corner. That’s nowhere more true than in the tech industry, where a look at the recent past is often enough to predict the future, says Dean Hager, CEO of software provider Jamf. In this news release (German), he looks at four developments in 2020, one of which I’ll pick out.

Windows 7 end of life forces users to macOS?

I have discussed it several times in articles here in the blog: on January 14, 2020, Microsoft ended support of Windows 7 for the general public. Home users have recently been shown this nag screen and an end-of-life notification.

(Windows 7 EOL nag screen, Source: Bleeping Computer)

There are no more security updates for the masses – only companies can still book the ESU program. Microsoft does offer extended security updates (ESU) until January 2023. But even with ESU there is no helpdesk support and no more regular bugfixes or patches. The price for the ESU program starts at about 70 Euro and doubles every year (see links at the end of this article).

Still millions of Windows 7 devices in use

Currently, however, there are still millions of devices running Windows 7. In the article Operating system/Windows Market Share (December 2019) I discussed the latest figures from netmarketshare.com. Windows dominates the desktop systems market with 86.84%, while macOS comes to 11.9%.

(Operating system shares Desktop 12-2019, source: netmarketshare.com)

But Windows 7 still has a ‘market share’ of 26.64% on the desktop, while Windows 10 – chosen by Microsoft as its ‘natural successor’ – has 54.62%. Despite the end of support for Windows 7, one hardly sees a massive change of users from Windows 7 to Windows 10 in the above graph.

At the beginning of January 2020, the magazine Computerworld examined the topic and wrote that 417 million Windows 7 devices are currently still in use. They assume a 29.7% share of Windows 7 PCs on January 31, 2020. That differs somewhat from the figures above, but the order of magnitude is right.

A trend towards the Mac

According to this announcement, many companies have reduced their Windows PCs in response to the end of support and have already switched to Mac, and many more will follow in 2020. At the insurance company Aegon, the number of Macs has increased by 104 percent in the last two years, as employees have chosen to migrate to macOS rather than upgrade to Windows 10. Let me remind you of my German article IBM: Macs sind über ihre Lebenszeit 543 $ günstiger als Windows-PCs from 2016. At IBM, employees were free to choose between Windows PCs and Macs, and IT there calculated a cost advantage for the Mac side.

Currently, according to this report, the proportion of Apple computers in companies around the world is growing rapidly due to employee choice programs. In fact, 72 percent of employees choose a Mac when given the choice between a Mac and a PC. This is very good news for companies, the Jamf CEO said.

Recent studies by Jamf show that users who can work with their preferred device are more productive, creative and cooperative. In addition, companies save between $243 and $543 per Mac compared to a PC in the long run (someone has evidently read the IBM article I quoted above). Furthermore, 77 percent of employees say they are more likely to choose an employer, or stay with a company, if the employer lets them choose their workstation. These are serious savings simply from offering a choice, all the more so if you also take into account things like the cost of employee turnover and the loss of company knowledge.

Companies that want to save money and retain top talent will continue to move to Mac in 2020 and beyond. That’s the forecast IDC is making. According to a recent study, corporate IT decision makers expect 13 percent of their current Windows 7 inventory to be replaced by MacBooks.  

At this point it is important to note that Jamf is a company rooted in the Apple ecosystem: with Jamf Pro it offers an Apple device management solution that system administrators use to configure and automate IT administration tasks for macOS, iOS and tvOS devices. The product includes server and client software (“Agent”) that runs on iOS, macOS and tvOS devices. An outsider might therefore read the above statements differently. Anyway, I find it exciting and thought I'd put the information in my blog. Let's see how things look in 2023.

Similar articles
Wow! Windows 7 get extended support until January 2023
Windows 7 Extended Security Updates buyable from April 2019
Microsoft offers Windows 7 Extended Update Support to SMBs
Prices for Windows 7 Extended Security Updates till 2023
Windows 7: Free Extended Update Support and usage
Windows 7: Office 365 ProPlus Updates till 2023
Windows 7 Extended Security Updates (ESU) requirements
Windows 7 Extended Security Update (ESU) program available
Windows 7 Extended Security Updates (ESU) program, price and source for SMEs
Windows 7: Buy and manage ESU licenses – Part 1
Windows 7: Preparing for ESU and license activation – Part 2

Patchday: Issues with SCCM, McAfee & Crypt32.dll (Jan 2020)?


[German]Are there issues caused by the updates from the last patchday (January 2020), in which the file Crypt32.dll was patched? A reader sent me a question on this topic. He uses McAfee and SCCM in an enterprise environment, and currently McAfee seems to block the SCCM agent smsexec.exe from accessing an RSA key.

Background: The NSA vulnerability CVE-2020-0601

On the January 2020 patchday, the vulnerability CVE-2020-0601 discovered by the NSA and reported to Microsoft became public. As a reminder, there is a spoofing vulnerability CVE-2020-0601  in the Crypt32.dll library (CryptoAPI) that could be exploited by attackers. An attacker could use a spoofed code-signing certificate to sign a malicious executable file.

A successful exploit could also allow the attacker to perform man-in-the-middle attacks and decrypt confidential information about user connections to the affected software. I had reported on this issue in the blog post Windows: Is a critical cryptography patch coming today? as well as in the article Windows: PoC for CryptoAPI Bug CVE-2020-0601 are out. Microsoft also published this blog post on Jan 14, 2020. 

Microsoft states that Windows 10, Windows Server 2016 and 2019 are affected and has provided cumulative updates to close the vulnerability (see CVE-2020-0601 and my blog post Patchday Windows 10-Updates (December 10, 2019)).

A reader reported an issue

Today I received a mail from German blog reader Patrik D. asking whether I know about issues with the patched Crypt32.dll. I am posting his information here in the blog; maybe someone else is affected and can confirm this. Patrik wrote:

After the patchday this morning, I noticed the following [event log entries] in interaction with SCCM and McAfee.

McAfee Endpoint Security raised EventID=18060. Event description:

NT AUTHORITY\SYSTEM ran smsexec.exe, which tried to access C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\b173a4ca6eeb3a8529b5390fef6b81be_abb57870-155d-4625-9eb2-c73c0e888e7d, violating the rule “Malware Behavior : Windows EFS abuse”, and was blocked. For information about how to respond to this event, see KB85494.

If I look at the file, it is a Self Signed “SMS User Service” certificate. Since the Crypt32.dll has just been patched, this could be the reason. The cert itself is still valid.

Furthermore the same happens with another software. Have you already had any user notification? Anyway, we will escalate it to Premier-Support & McAfee.

I myself have not heard of anything like this, and the web does not know anything about it yet either. But it looks like the agent smsexec.exe (the SCCM Microsoft SMS Agent Host service) is being prevented by McAfee from accessing a certificate. Can anyone who runs the combination of SCCM and patched Windows 10/Server systems with McAfee enterprise solutions verify this?

0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674


[German]0patch has today released a fix for the 0-day vulnerability CVE-2020-0674 in Internet Explorer's JScript library, which was published a few days ago. Here is some information about what I have found so far; the article will be updated as new findings come in.

What is CVE-2020-0674 about?

Microsoft issued advisory ADV200001 for a 0-day vulnerability in Internet Explorer (CVE-2020-0674 is reserved for this vulnerability) on January 17, 2020. The vulnerability affects IE 9, 10 and 11 and thus virtually all versions of Windows (since Internet Explorer is included as a browser in those versions).

There is a memory corruption vulnerability in the scripting engine that is also used by Internet Explorer. When objects are executed by the Scripting Engine in Internet Explorer, memory overflows or corruption may occur. As a result, attackers can use prepared Web pages to corrupt IE’s memory in such a way that remote code can be infiltrated and executed.

An attacker who successfully exploited the vulnerability would only be granted the same user rights as the current user. If the current user is logged on with administrative rights, however, the attacker has the opportunity to take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This is the worst-case scenario, which I reported on in the blog post Warning: 0-Day vulnerability in Internet Explorer (01/17/2020). There I also described the workaround Microsoft suggests, but it causes some collateral damage:

  • Windows Media Player can’t play MP4 files.
  • The system file checker sfc (Resource Checker) will choke on the jscript.dll file if its access rights are changed.
  • Printing with “Microsoft Print to PDF” is broken.
  • Automatic proxy configuration scripts (PAC scripts) may not work.

Quite a burden, but Microsoft does not intend to close this vulnerability promptly with an out-of-band patch. The plan is rather to deliver an update for the supported Windows versions on the February 2020 patchday. Whether Windows 7 SP1 and Windows Server 2008 R2 will receive a patch outside the ESU program is completely open.

0patch provides a fix

It was a ‘litmus test’ for me to see how long it takes until 0patch releases something. I'm in contact with Mitja Kolsek, CEO of ACROS Security and co-founder of 0patch, because I'm also planning something about 0patch solutions for Windows 7 SP. Mitja Kolsek has just informed me via private Twitter message about the 0patch solution developed by his company.

In the blog post Micropatching a Workaround for CVE-2020-0674, Mitja Kolsek describes the kill switch for the jscript.dll vulnerability. His team took a test case for loading jscript.dll described by Google's Project Zero and used it to test this DLL for the vulnerability. It was then possible to develop a micropatch for the vulnerability. The 0patch developers have ported this micropatch to the following platforms, for 32-bit and 64-bit:

  • Windows 7
  • Windows 10 v1709
  • Windows 10 v1803
  • Windows 10 v1809
  • Windows Server 2008 R2
  • Windows Server 2019

According to the provider, 0patch users have already downloaded this micropatch with the 0patch agent to all Windows systems that can go online and – depending on the settings – have already automatically applied it to all processes that use the Internet Explorer 11 engine to render content. This includes (of course) Internet Explorer, Microsoft Word, Microsoft Outlook and a variety of other applications. The YouTube video linked in the above tweet shows the application.

0patch agent and account required

To use the micropatch you need the 0patch agent, which can be downloaded free of charge from the 0patch website and then installed on Windows. The installer and the agent require administrator rights to run.

(0patch agent installation)

The agent is operated via the 0patch console, which can be opened from the Windows start menu. To retrieve micropatches in the 0patch console you need a user account with the provider 0patch. For private use a free account is offered, which I created with an e-mail address for testing purposes; at this level the free micropatches are applied. For companies requiring more patches there are also business and enterprise account variants, which can be bought on a subscription basis.

(0patch console)

However, the JScript DLL patch listed here in the free account refers to a memory corruption vulnerability CVE-2019-1429 from November 2019 (I haven’t patched it on the test system yet because IE11 is not used). So the 0patch agent shows if unfixed vulnerabilities are present. 

(0patch: installed patches)

I found the micropatch for the current vulnerability CVE-2020-0674 (after a hint from Mitja Kolsek) under ‘Installed Patches’ under the numbers 402-404 for the mshtml.dll. Cool thing.

Similar articles
Warning: 0-Day vulnerability in Internet Explorer (01/17/2020)
Windows 7: Internet Explorer 11 reaches end of support

Detect insecure LDAP bindings before March 2020


[German]A short tip for Windows administrators. By March 2020 you have to make sure that access to domain controllers is only possible via secure LDAP bindings. Four commands can help identify affected systems.

I had already mentioned this at Christmas 2019 here in the blog, in the article Microsoft enforces secure connections to the Domain Controller from January 2020. But maybe not every administrator has noticed that. In addition, Microsoft threw a spanner in the works: the ink on that post was barely dry when Microsoft postponed the date from January to March 2020.

Microsoft has pointed this out in ADV190023 (Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing; see my blog post Microsoft Security Advisories Dec. 17, 2019).

In case somebody is still struggling with this, Thorsten Enderlein points in the above tweet to an article that promises four commands to help detect systems with insecure LDAP bindings. Maybe it helps someone.

Operating-System/Browser share (January 2020)


[German]It’s early February 2020, and Windows 7 has reached end of support. Time to take a look at the current market shares of desktop operating systems as of the end of January 2020.

Windows dominates the desktop

Looking at the latest figures from netmarketshare.com (for January 2020), Windows still runs on 88.14% (Dec. 2019: 86.84%) of desktop systems. macOS runs on 9.74% (Dec. 2019: 11.9%), while Linux runs on 1.4% (Dec. 2019: 1.61%) of the systems. So there is virtually no real change in market share: Windows dominates the desktop and even managed to gain slightly.

(Operating system shares Desktop 1-2020, source: netmarketshare.com)

Desktop versions at a glance

Broken down by operating system version, the NetMarketShare page for desktop operating systems shows the following distribution for the end of January 2020:

  • Windows 10 has 57.08% (previous month 54.62%),
  • Windows 7 is at 25.56% (previous month 26.64%),
  • Windows 8.1 still comes to 3.38% (previous month 3.63%),
  • and macOS 10.14 comes to 3.12 % (previous month 3.50 %)

So Windows 10 gained slightly compared with December 2019; the end of support for Windows 7 in January 2020 has had some effect. Although Windows 7 has lost just over one percentage point of market share, it still runs on every fourth desktop system.

(Operating system shares Windows 1-2020, source: netmarketshare.com)

I was a bit surprised by the decrease in macOS, but this may be due to statistical fluctuations. With 1.36% (average over 12 months) Linux does not appear in the above chart. But one thing can also be stated: the switch from Windows 7 to Windows 10 did not take place, at least not in January 2020. People stay with the operating systems they currently use.

Browser distribution on the desktop

This time I would also like to take a look at the browser distribution on the desktop, because in January 2020 the Chromium Edge was introduced as an innovation. In terms of browsers on desktop systems, Google Chrome is the undisputed leader with 66.93%, followed by Firefox (8.12%). The new Chromium Edge jumps to 7.02% (previous month 6.47%) and Internet Explorer comes in at 6.24% (previous month 5.77%). There are hardly any changes to the previous month.

Edge is probably causing a 2 finger touchpad scroll issue


[German]Just a brief note: it concerns Windows 10 notebooks on which 2-finger scrolling on the trackpad was recognized as a mouse click. The cause seems to be the Chromium-based Edge.

The whole thing probably occurs on HP computers with Synaptics trackpads (Lenovos are said to cause problems as well). Blog reader Alexander J. sent me a text from a discussion in the Microsoft Tech Community (thanks for that). I’m just now getting around to posting this here. The problem is that 2-finger scrolling is recognized as a mouse click.

Re: Two finger scrolling is getting detected as a click – Discussion

Hey everyone!

We wanted to give an update on this issue as we’ve made some progress but before we do that we have a slight update to the original statement: We no longer believe Lenovo is impacted at all by this issue and instead believe it’s exclusive to a subset of HP devices with Synaptics trackpads. Now on to the update!

We’ve finally reproduced the exact issue on a device and were able to determine the cause; we no longer believe this is due to the scroll delta issue. To get into specifics, the driver was detecting the new Microsoft Edge as the old Microsoft Edge and sending touch input to the browser. Chromium’s gesture recognizer handled the touch input differently from the old Microsoft Edge browser, and this resulted in the context menu opening after a two-finger scroll. The reason this wasn’t happening in other Chromium-based browsers was that the driver specifically targets Microsoft Edge; other browsers instead receive mouse wheel events when scrolling using the trackpad.

Between two separate fixes we’ve made, we now believe we’ve mitigated this such that the new Microsoft Edge will receive the same mouse wheel input as other Chromium-based browsers. This means that touch-based gestures will no longer work on these trackpads, but we believe overall this is the right direction for compatibility as we will behave similarly to other Chromium-based browsers. These changes are in today’s Canary build (81.0.406.0). The first change specifically ignores the exact set of inputs we were receiving from the driver, while the second change, made for unrelated reasons, changes the window title to no longer include “Microsoft Edge”; the latter also broke the driver’s recognition. We’re already in the process of implementing the fixes in the Beta channel so that when Stable updates to 80 it will also have this fix.

Longer term we do plan to remove the mitigation that specifically ignores the bad set of inputs as we do know this creates another issue where you can’t open the context menu on the first two-finger tap after a two-finger scroll on impacted devices. We instead are working on either a shim in-product or in Windows 10 to fix the issue while we also work longer-term to get the drivers updated. We know that Windows updates and driver updates aren’t the perfect fix as any user who doesn’t receive them would be stuck with this issue, so we’re trying to find a good way to work around this in the product but know that may not be possible.

If you’re experiencing other issues related to scrolling please continue to file feedback as we use that feedback to analyze and resolve issues.

Anyone affected by this?


Windows 10: Issues with Defender/Ransomware protection


[German]Windows 10 ships with Defender, which has an option to protect against ransomware. German blog readers Dekre and Markus contacted me by email in the last few days to point out inconsistencies.

Defender ransomware protection blocks Outlook

Blog reader Dekre contacted me by email because he made an unusual observation. He wrote:

I have moved to Win10 for using my office software. I use MS Defender and wanted to activate the so-called ransomware protection. This is not a good idea. Activating it causes Defender to block Outlook.exe from Office 2013, and then I can't get e-mails. That happened right after activation.

I have now switched it off (the ransomware protection) and it works again (Outlook).

Dekre asks: Can this be understood?

Problem: Defender signatures after domain join

And there is a second observation by blog reader Markus K. which I received by email a few days ago. It’s about the Defender signature updates for Windows clients that are members of a domain. Markus writes about it:

I noticed that updating the signatures of the Defender after a domain join does not always work well.

The only thing that catches your eye is the yellow triangle with an exclamation mark on the security center icon in the tray. Or if you do the whole thing in a try-catch block and then see that it doesn't always work :).

If you look, the “tamper protection” is not active.

Attached are the things I queried via PowerShell.
Worth mentioning:

Get-MPComputerStatus
– AntispywareSignatureLastUpdated
– AntivirusSignatureLastUpdated
– NISSignatureLastUpdated
Get-ComputerInfo
– WindowsInstallDateFromRegistry
– OsLocalDateTime
– OsLastBootUpTime

I have removed domains, user names etc. (hope I haven’t forgotten anything).

It’s also funny that with 1909 “usoclient startscan” doesn’t seem to do anything anymore. Also checked with Sysinternals strings… the switches still exist.

Something is rotten in the area of updates (Defender + Windows Update), because normally the computers get both, and the Defender signatures several times a day.

Here is the data that Markus sent along:

Get-MPComputerStatus
AMEngineVersion                 : 1.1.16600.7
AMProductVersion                : 4.18.1911.3
AMServiceEnabled                : True
AMServiceVersion                : 4.18.1911.3
AntispywareEnabled              : True
AntispywareSignatureAge         : 7
AntispywareSignatureLastUpdated : 14.01.2020 16:29:44
AntispywareSignatureVersion     : 1.307.2344.0
AntivirusEnabled                : True
AntivirusSignatureAge           : 7
AntivirusSignatureLastUpdated   : 14.01.2020 16:29:45
AntivirusSignatureVersion       : 1.307.2344.0
BehaviorMonitorEnabled          : True
ComputerID                      : C6D530CA-1F25-40C8-B961-D3BC9E11D735
ComputerState                   : 0
FullScanAge                     : 4294967295
FullScanEndTime                 :
FullScanStartTime               :
IoavProtectionEnabled           : True
IsTamperProtected               : False
IsVirtualMachine                : False
LastFullScanSource              : 0
LastQuickScanSource             : 2
NISEnabled                      : True
NISEngineVersion                : 1.1.16600.7
NISSignatureAge                 : 7
NISSignatureLastUpdated         : 14.01.2020 16:29:45
NISSignatureVersion             : 1.307.2344.0
OnAccessProtectionEnabled       : True
QuickScanAge                    : 0
QuickScanEndTime                : 21.01.2020 15:39:54
QuickScanStartTime              : 21.01.2020 15:26:50
RealTimeProtectionEnabled       : True
RealTimeScanDirection           : 0
PSComputerName                  :


Get-Date
Mittwoch, 22. Januar 2020 11:31:18

Get-ComputerInfo

WindowsBuildLabEx                                       : 18362.1.amd64fre.19h1_release.190318-1202
WindowsCurrentVersion                                   : 6.3
WindowsEditionId                                        : Enterprise
WindowsInstallationType                                 : Client
WindowsInstallDateFromRegistry                          : 15.01.2020 10:30:19
WindowsProductId                                        : 00329-10181-55688-####
WindowsProductName                                      : Windows 10 Enterprise
WindowsRegisteredOrganization                           :
WindowsSystemRoot                                       : C:\Windows
WindowsVersion                                          : 1909
BiosCharacteristics                                     : {7, 11, 12, 15…}
BiosBIOSVersion                                         : {LENOVO – 12C0, M1AKT2CA, American Megatrends – 5000C}
BiosBuildNumber                                         :
BiosCaption                                             : M1AKT2CA
BiosCodeSet                                             :
BiosCurrentLanguage                                     : en|US|iso8859-1
BiosDescription                                         : M1AKT2CA
BiosEmbeddedControllerMajorVersion                      : 1
BiosEmbeddedControllerMinorVersion                      : 9
BiosFirmwareType                                        : Uefi
BiosIdentificationCode                                  :
BiosInstallableLanguages                                : 3
BiosInstallDate                                         :
BiosLanguageEdition                                     :
BiosListOfLanguages                                     : {en|US|iso8859-1, fr|FR|iso8859-1, zh|CN|unicode}
BiosManufacturer                                        : LENOVO
BiosName                                                : M1AKT2CA
BiosOtherTargetOS                                       :
BiosPrimaryBIOS                                         : True
BiosReleaseDate                                         : 22.11.2017 01:00:00
BiosSeralNumber                                         : S4DZ8393
BiosSMBIOSBIOSVersion                                   : M1AKT2CA
BiosSMBIOSMajorVersion                                  : 3
BiosSMBIOSMinorVersion                                  : 0
BiosSMBIOSPresent                                       : True
BiosSoftwareElementState                                : Running
BiosStatus                                              : OK
BiosSystemBiosMajorVersion                              : 1
BiosSystemBiosMinorVersion                              : 32
BiosTargetOperatingSystem                               : 0
BiosVersion                                             : LENOVO – 12C0
CsAdminPasswordStatus                                   : Disabled
CsAutomaticManagedPagefile                              : True
CsAutomaticResetBootOption                              : True
CsAutomaticResetCapability                              : True
CsBootOptionOnLimit                                     :
CsBootOptionOnWatchDog                                  :
CsBootROMSupported                                      : True
CsBootStatus                                            : {0, 0, 0, 0…}
CsBootupState                                           : Normal boot
CsChassisBootupState                                    : Safe
CsChassisSKUNumber                                      : Default string
CsCurrentTimeZone                                       : 60
CsDaylightInEffect                                      : False
CsDescription                                           : AT/AT COMPATIBLE
CsDomainRole                                            : MemberWorkstation
CsEnableDaylightSavingsTime                             : True
CsFrontPanelResetStatus                                 : NotImplemented
CsHypervisorPresent                                     : False
CsInfraredSupported                                     : False
CsInitialLoadInfo                                       :
CsInstallDate                                           :
CsKeyboardPasswordStatus                                : Enabled
CsLastLoadInfo                                          :
CsManufacturer                                          : LENOVO
CsModel                                                 : 10MUS3KM00
CsNetworkAdapters                                       : {Ethernet, VirtualBox Host-Only Network}
CsNetworkServerModeEnabled                              : True
CsNumberOfLogicalProcessors                             : 4
CsNumberOfProcessors                                    : 1
CsProcessors                                            : {Intel(R) Core(TM) i5-7500T CPU @ 2.70GHz}
CsOEMStringArray                                        : {LENOVO ThinkCentre Embedded Controller -[M1ACT09A-1.09]-,
                                                          LENOVO ThinkCentre BIOS Boot Block Revision 1.2C, Lenovo
                                                          Service Engine Not Supported, INVALID…}
CsPartOfDomain                                          : True
CsPauseAfterReset                                       : -1
CsPCSystemType                                          : Desktop
CsPCSystemTypeEx                                        : Desktop
CsPowerManagementCapabilities                           :
CsPowerManagementSupported                              :
CsPowerOnPasswordStatus                                 : Disabled
CsPowerState                                            : Unknown
CsPowerSupplyState                                      : Safe
CsPrimaryOwnerContact                                   :
CsResetCapability                                       : Other
CsResetCount                                            : -1
CsResetLimit                                            : -1
CsRoles                                                 : {LM_Workstation, LM_Server, NT, Potential_Browser…}
CsStatus                                                : OK
CsSupportContactDescription                             :
CsSystemFamily                                          : ThinkCentre M910q
CsSystemSKUNumber                                       : LENOVO_MT_10MU_BU_LENOVO_FM_ThinkCentre M910q
CsSystemType                                            : x64-based PC
CsThermalState                                          : Safe
CsTotalPhysicalMemory                                   : 17062850560
CsPhyicallyInstalledMemory                              : 16777216
CsWakeUpType                                            : PowerSwitch
CsWorkgroup                                             :
OsName                                                  : Microsoft Windows 10 Enterprise
OsType                                                  : WINNT
OsOperatingSystemSKU                                    : EnterpriseEdition
OsVersion                                               : 10.0.18363
OsCSDVersion                                            :
OsBuildNumber                                           : 18363
OsHotFixes                                              : {KB4532938, KB4513661, KB4516115, KB4517245…}
OsBootDevice                                            : \Device\HarddiskVolume2
OsSystemDevice                                          : \Device\HarddiskVolume4
OsSystemDirectory                                       : C:\Windows\system32
OsSystemDrive                                           : C:
OsWindowsDirectory                                      : C:\Windows
OsCountryCode                                           : 49
OsCurrentTimeZone                                       : 60
OsLocaleID                                              : 0407
OsLocale                                                : de-DE
OsLocalDateTime                                         : 22.01.2020 11:34:56
OsLastBootUpTime                                        : 21.01.2020 13:26:38
OsUptime                                                : 22:08:18.3972062
OsBuildType                                             : Multiprocessor Free
OsCodeSet                                               : 1252
OsDataExecutionPreventionAvailable                      : True
OsDataExecutionPrevention32BitApplications              : True
OsDataExecutionPreventionDrivers                        : True
OsDataExecutionPreventionSupportPolicy                  : OptIn
OsDebug                                                 : False
OsDistributed                                           : False
OsEncryptionLevel                                       : 256
OsForegroundApplicationBoost                            : Maximum
OsTotalVisibleMemorySize                                : 16662940
OsFreePhysicalMemory                                    : 12305504
OsTotalVirtualMemorySize                                : 19153308
OsFreeVirtualMemory                                     : 15262712
OsInUseVirtualMemory                                    : 3890596
OsTotalSwapSpaceSize                                    :
OsSizeStoredInPagingFiles                               : 2490368
OsFreeSpaceInPagingFiles                                : 2490368
OsPagingFiles                                           : {C:\pagefile.sys}
OsHardwareAbstractionLayer                              : 10.0.18362.387
OsInstallDate                                           : 15.01.2020 11:30:19
OsManufacturer                                          : Microsoft Corporation
OsMaxNumberOfProcesses                                  : 4294967295
OsMaxProcessMemorySize                                  : 137438953344
OsMuiLanguages                                          : {de-DE}
OsNumberOfLicensedUsers                                 : 0
OsNumberOfProcesses                                     : 152
OsNumberOfUsers                                         : 7
OsOrganization                                          :
OsArchitecture                                          : 64-Bit
OsLanguage                                              : de-DE
OsProductSuites                                         : {TerminalServicesSingleSession}
OsOtherTypeDescription                                  :
OsPAEEnabled                                            :
OsPortableOperatingSystem                               : False
OsPrimary                                               : True
OsProductType                                           : WorkStation
OsSerialNumber                                          : 00329-10181-55688-AA019
OsServicePackMajorVersion                               : 0
OsServicePackMinorVersion                               : 0
OsStatus                                                : OK
OsSuites                                                : {TerminalServices, TerminalServicesSingleSession}
OsServerLevel                                           :
KeyboardLayout                                          : de-DE
TimeZone                                                : (UTC+01:00) Amsterdam, Berlin, Bern, Rom, Stockholm, Wien
LogonServer                                             : \\AD2T
PowerPlatformRole                                       : Desktop
HyperVisorPresent                                       : False
HyperVRequirementDataExecutionPreventionAvailable       : True
HyperVRequirementSecondLevelAddressTranslation          : True
HyperVRequirementVirtualizationFirmwareEnabled          : False
HyperVRequirementVMMonitorModeExtensions                : True
DeviceGuardSmartStatus                                  : Off
DeviceGuardRequiredSecurityProperties                   :
DeviceGuardAvailableSecurityProperties                  :
DeviceGuardSecurityServicesConfigured                   :
DeviceGuardSecurityServicesRunning                      :
DeviceGuardCodeIntegrityPolicyEnforcementStatus         :
DeviceGuardUserModeCodeIntegrityPolicyEnforcementStatus :
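
The data above shows signatures seven days old on a client installed a week earlier and no tamper protection. The following is an added example, not Markus' script and not Microsoft code, that reproduces the properties he looked at in one report, declares signatures stale above a threshold (assumption: one day, since Defender normally updates several times a day), shows where the client tries to fetch definitions from, and attempts a manual update. It assumes an elevated PowerShell session on the domain-joined Windows 10 client.

```powershell
# Added example, not from the blog post. Run elevated on the domain-joined client.
# Tamper protection itself cannot be switched on from PowerShell; by design it is
# set in the Security Center UI or via management tooling.

function Get-DefenderSignatureReport {
    param([int]$MaxAgeDays = 1)   # assumption: anything older than a day is "stale"
    $s = Get-MpComputerStatus
    $c = Get-ComputerInfo -Property CsPartOfDomain, WindowsInstallDateFromRegistry,
                                    OsLocalDateTime, OsLastBootUpTime
    [pscustomobject]@{
        PartOfDomain        = $c.CsPartOfDomain
        InstalledOn         = $c.WindowsInstallDateFromRegistry
        LastBoot            = $c.OsLastBootUpTime
        Now                 = $c.OsLocalDateTime
        AvSignature         = $s.AntivirusSignatureVersion
        AvSignatureUpdated  = $s.AntivirusSignatureLastUpdated
        AvSignatureAgeDays  = $s.AntivirusSignatureAge
        NisSignatureAgeDays = $s.NISSignatureAge
        TamperProtected     = $s.IsTamperProtected
        Stale               = ($s.AntivirusSignatureAge   -gt $MaxAgeDays) -or
                              ($s.AntispywareSignatureAge -gt $MaxAgeDays) -or
                              ($s.NISSignatureAge         -gt $MaxAgeDays)
    }
}

function Get-DefenderUpdateSources {
    # Where does this client try to fetch definitions from? A domain join often
    # brings a GPO that points Windows Update at a WSUS server; if definition
    # updates are not approved there, the client depends on the fallback sources.
    $pref = Get-MpPreference
    $wu   = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'    -ErrorAction SilentlyContinue
    $au   = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FallbackOrder = $pref.SignatureFallbackOrder
        FileShares    = $pref.SignatureDefinitionUpdateFileSharesSources
        WsusServer    = $wu.WUServer
        UseWsus       = $au.UseWUServer
    }
}

function Repair-DefenderSignatures {
    $before = Get-DefenderSignatureReport
    if (-not $before.Stale) { return $before }
    try {
        # Ask Microsoft Update directly instead of the configured (WSUS/share) source
        Update-MpSignature -UpdateSource MicrosoftUpdateServer -ErrorAction Stop
    } catch {
        Write-Warning "Update-MpSignature failed: $($_.Exception.Message)"
    }
    Get-DefenderSignatureReport   # report again so before/after can be compared
}

Get-DefenderUpdateSources
Repair-DefenderSignatures
```

If the manual update from Microsoft Update succeeds while the automatic one does not, the configured update path (WSUS approval, file share, or the fallback order) is the place to look; if it fails too, the client has no working route to any definition source.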

LDAP Channel Binding: Change is coming 2nd half of 2020

[German]Brief information for administrators in the Windows environment. The changes Microsoft planned for 2020 for secure LDAP bindings when accessing domain controllers are now expected in the ‘2nd half of 2020’. Here is a sorted overview once more.

LDAP Channel Binding: What are we talking about?

I had already mentioned this at Christmas 2019 here in the blog in the article Microsoft enforces secure connections to the Domain Controller from January 2020. Microsoft had already published ADV190023 (Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing) in August 2019.

LDAP channel binding and LDAP signing provide ways to increase the security of communication between LDAP clients and Active Directory domain controllers. Active Directory domain controllers ship with insecure default configurations for LDAP channel binding and LDAP signing that allow LDAP clients to communicate with them without channel binding or signing being enforced. This exposes Active Directory domain controllers to elevation of privilege vulnerabilities.

Therefore, Microsoft wanted to address this issue by providing a new set of secure default configurations for LDAP channel binding and LDAP signing on Active Directory domain controllers, replacing the original insecure configuration.

The timetable is changing

I had pointed this out – see my blog post Microsoft Security Advisories Dez. 17, 2019. German blog readers pointed out to me around Christmas 2019 that the first changes would take effect in January 2020. I mentioned this in my blog post Microsoft enforces secure connections to the Domain Controller from January 2020.

However, Microsoft has changed that plan and moved the date from January to March 2020. And from the feedback on the German edition of my blog post Detect insecure LDAP bindings before March 2020 I learned that there were a number of misunderstandings, and that Microsoft would not really change anything on this date. The relevant passage in ADV190023 reads like this:

Windows Updates in March 2020 add new audit events, additional logging, and a remapping of Group Policy values that will enable hardening LDAP Channel Binding and LDAP Signing. The March 2020 updates do not make changes to LDAP signing or channel binding policies or their registry equivalent on new or existing domain controllers.

So the updates in March 2020 will provide new audit events and logging capabilities in preparation for hardening LDAP channel binding and LDAP signing. But the March 2020 updates will not change the channel binding or signing policies themselves.

Changes in 2nd half of 2020

That night I saw the following tweet from Woody Leonhard, in which he points out a ‘further shift’ in the LDAP channel binding and LDAP signing story.

I never kept a copy of the ADV190023 article. But according to Woody Leonhard, Microsoft did not add the clarification quoted above, that the March 2020 update does not change LDAP channel binding and LDAP signing itself, to the advisory until February 4, 2020.

What is relevant for you is that with the March 2020 update, you can start checking the settings for LDAP Channel Binding and LDAP Signing and change them if necessary (see also my blog post Detect insecure LDAP bindings before March 2020). And keep the following sentence from Microsoft in mind.

A further future monthly update, anticipated for release the second half of calendar year 2020, will enable LDAP signing and channel binding on domain controllers configured with default values for those settings.

Sometime in the 2nd half of 2020 there will be an update that enables LDAP channel binding and LDAP signing on domain controllers that are still configured with the default values for these settings. By then administrators should have adjusted their configuration.
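
What "checking the settings" looks like in practice, as an added example that is not Microsoft's script and not code from my earlier blog post: run on a domain controller in an elevated session, it reads the two registry values ADV190023 is about and summarizes the Directory Service events that reveal clients still using simple or unsigned binds, so the clients can be fixed before the second-half-2020 update flips the defaults. The registry value meanings and event IDs are Microsoft's; the regex that strips the source port from the client address is an assumption about the event's insertion strings.

```powershell
# Added example, not from ADV190023. Run elevated on a domain controller.

function Get-LdapHardeningState {
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # LDAPServerIntegrity: 1 = None (the insecure default), 2 = Require signing
        LDAPServerIntegrity       = if ($null -ne $p.LDAPServerIntegrity) { $p.LDAPServerIntegrity } else { 'not set (default 1 = None)' }
        # LdapEnforceChannelBinding: 0 = Never (default), 1 = When supported, 2 = Always
        LdapEnforceChannelBinding = if ($null -ne $p.LdapEnforceChannelBinding) { $p.LdapEnforceChannelBinding } else { 'not set (default 0 = Never)' }
    }
}

function Enable-LdapInterfaceEventLogging {
    # Event 2887 (24h summary of insecure binds) is always logged; the per-client
    # event 2889 only appears once this diagnostics level is raised to 2.
    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
        -Name '16 LDAP Interface Events' -Value 2
}

function Get-InsecureLdapBindClients {
    param([int]$Days = 7)
    # 2889: one event per client that did a simple bind without TLS or an unsigned
    #       SASL bind; insertion strings are client IP:port, identity, bind type.
    # 2887: daily count of such binds.
    # 3039/3040: the channel-binding counterparts added by the March 2020 updates.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2887, 2889, 3039, 3040
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    $perClient = $events | Where-Object { $_.Id -eq 2889 } | ForEach-Object {
        [pscustomobject]@{
            Client   = $_.Properties[0].Value -replace ':\d+$', ''   # drop source port (IPv4 and IPv6)
            Identity = $_.Properties[1].Value
            BindType = $_.Properties[2].Value                        # 0 = simple bind, 1 = unsigned SASL
            Time     = $_.TimeCreated
        }
    }
    [pscustomobject]@{
        Summaries = $events | Where-Object { $_.Id -ne 2889 } | Select-Object TimeCreated, Id, Message
        Clients   = $perClient | Group-Object Client, Identity, BindType |
                    Select-Object @{n='Client';   e={ $_.Group[0].Client }},
                                  @{n='Identity'; e={ $_.Group[0].Identity }},
                                  @{n='BindType'; e={ $_.Group[0].BindType }},
                                  Count
    }
}

Get-LdapHardeningState
Enable-LdapInterfaceEventLogging
(Get-InsecureLdapBindClients).Clients | Sort-Object Count -Descending
```

The client list is the actual to-do list: every entry is an application or service account that would stop authenticating the moment signing and channel binding become mandatory, so it should be switched to LDAPS or a signed SASL bind first. Run it on each domain controller, since the events are local to the DC that served the bind.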

Similar articles:
Microsoft Security Advisories Dez. 17, 2019
Microsoft enforces secure connections to the Domain Controller from January 2020
Detect insecure LDAP bindings before March 2020

Windows reorg at Microsoft

At Microsoft there is once again a reorganization in the Windows division. The head of Surface development is now also the head of Windows development. Joe Belfiore, in turn, becomes head of the Office division.

A bigger round of chair shuffling has apparently been set in motion at Microsoft, as Mary Foley reports at ZDNet:

  • Panos Panay will now lead the Windows Experiences group along with the Hardware group. The new group is called Devices + Windows Group. Until now, the Windows Experiences group was under Joe Belfiore.
  • Panos Panay will continue to report to Rajesh Jha, Executive Vice President of Microsoft’s Experiences and Devices Group.
  • Joe Belfiore and Ales Holecek will lead the Office Experience Group (OXO) team as the product/engineering team. Joe Belfiore will continue to lead Microsoft News and other mobile applications on iOS and Android.
  • Eran Megiddo, Corporate Vice President of Windows Product & Education, will lead the Modern Life Experiences (MLX) and Education group. Brian Macdonald, who currently leads the teams, will retire from Microsoft.
  • Jeff Teper will now lead Microsoft Teams along with SharePoint and OneDrive.
  • Kirk Koenigsbauer, CVP of Microsoft 365, becomes COO under Rajesh Jha.

By the way, Jeff Weiner is stepping down as head of LinkedIn; his successor will be Ryan Roslansky. Here is an excerpt from an e-mail from Panos Panay to his employees:

“Personally I’m very excited to lead the Windows Client for Microsoft, which will help us streamline our decision-making processes, be clear on our priorities, and deliver the best end user experiences from silicon through operating systems across all Microsoft apps and service connected devices (OEMs and Surface). We believe this will make the Windows Client experience better for the entire PC ecosystem. Designing hardware and software together will enable us to do a better job on our long term Windows bets (dual screen, silicon diversity, connectivity, app platform, etc.) and having a single point of Windows Client Experience leadership driving consistent priorities and resourcing across all of Windows client will help all of us accelerate innovation and improve execution. This is such an amazing time and opportunity to bring more energy to Windows and our customers using Windows. It won’t be easy, but extending our growth will be key for our company strategy.”

Mary Foley reports the rumor that Panos Panay was looking for a new role inside or outside Microsoft at the end of last year. Her sources said that he was also considering taking a leave of absence or toying with the idea of moving to Apple. But these are unconfirmed rumors. How OEMs will behave now that Surface and Windows development are in one hand remains to be seen.

Realtek closes a DLL Hijacking Vulnerability in HD Audio driver

[German]Vendor Realtek has closed a DLL hijacking vulnerability in its HD Audio driver package. Here is some information about this issue.

Vulnerability in Realtek audio driver package

I came across the subject through Bleeping Computer. Peleg Hadar found the DLL hijacking vulnerability and points out the problem in this tweet.

In this article Hadar describes the vulnerability CVE-2019-19705, which SafeBreach Labs found using its own guard DLLs: the MFC application RAVBg64.exe (owned by Realtek) loads DLLs without specifying their full path. As a result, a missing (system) DLL is searched for by Windows in the current working directory, among other locations, and loaded from there.

Specifically, the HD Audio background process, which runs as NT AUTHORITY\SYSTEM, tries to load RAVBg64ENU.dll and RAVBg64LOC.dll from the working directory

C:\Program Files\Realtek\Audio\HDA\

even though the DLLs do not exist there. An attacker with appropriate permissions could therefore place his own files with these names in this folder. These would be loaded by the HD Audio background process and would allow malware to be persistently anchored in the system.

Vulnerability fixed, old driver packages as problem

The vulnerability was reported to Realtek on July 10, 2019 and closed with a patch on December 13, 2019. The fix is included in Realtek HD Audio driver package ver. 8857 or later. Driver versions prior to 8855 that were built with Microsoft Visual Studio 2005 (VS2005) are still vulnerable to attacks.
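
As an added example (not from SafeBreach, Realtek or this post), the following PowerShell checks a machine for the preconditions described above from the defender's side: the installed RAVBg64.exe build, whether files with the two DLL names already sit in the folder, and whether the folder's ACL lets ordinary users create files there (under Program Files the default says no, which is why the post speaks of "appropriate permissions"). It assumes an elevated session; the folder, DLL names and the 8857 threshold are the ones the post names, and reading the build number as the largest numeric segment of the file version is a heuristic assumption, because Realtek package versions are written differently in different releases.

```powershell
# Added example, not from the blog post. Run elevated on a PC with the Realtek HD Audio package.

function Test-RealtekDllHijackExposure {
    param(
        [string]   $Folder     = 'C:\Program Files\Realtek\Audio\HDA',
        [string[]] $DllNames   = @('RAVBg64ENU.dll', 'RAVBg64LOC.dll'),
        [int]      $FixedBuild = 8857     # package version that carries the fix (from the post)
    )
    $exe   = Join-Path $Folder 'RAVBg64.exe'
    $build = $null
    if (Test-Path $exe) {
        $ver   = (Get-Item $exe).VersionInfo.FileVersion
        # heuristic assumption: the 4-digit build is the largest numeric segment
        $build = ([regex]::Matches($ver, '\d+') | ForEach-Object { [int]$_.Value } |
                  Measure-Object -Maximum).Maximum
    }
    # 1. Files with the DLL names present? The driver does not ship them in this
    #    folder, so their presence deserves a closer look (hash, signature, timestamp).
    $present = $DllNames | Where-Object { Test-Path (Join-Path $Folder $_) }
    # 2. Can non-administrators create files here? Any Allow ACE granting write-type
    #    rights to a broad group means the default Program Files ACL was weakened.
    $weakAces = @()
    if (Test-Path $Folder) {
        $weakAces = @((Get-Acl $Folder).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match 'Everyone|Authenticated Users|BUILTIN\\Users|INTERACTIVE' -and
            ($_.FileSystemRights.ToString() -match 'Write|CreateFiles|Modify|FullControl')
        })
    }
    [pscustomobject]@{
        DriverBuild     = $build
        BuildIsFixed    = if ($build) { $build -ge $FixedBuild } else { $null }
        ProcessRunning  = [bool](Get-Process -Name RAVBg64 -ErrorAction SilentlyContinue)
        UnexpectedDlls  = @($present)
        WritableByUsers = ($weakAces.Count -gt 0)
        WeakAces        = $weakAces | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }
    }
}

Test-RealtekDllHijackExposure
```

A result with BuildIsFixed false and WritableByUsers true is the combination that matters; on a stock installation the second value is false, so the practical risk comes from installers or admins that loosened the ACL, or from an attacker who already holds write access to the folder.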

While writing this post, I saw this German comment from blog reader 1ST1, which points out a serious problem:

The stupid thing is, on http://www.realtek.com and realtek-downloads.com you can only find HD Audio drivers from 2017 and 2018, but nothing from December 2019. And they have different version numbers: 2.xx, and nothing like 88xx…

People also complain about this here https://www.tenforums.com/sound-audio/135259-latest-realtek-hd-audio-driver-version-2-a-145.html

and even offer newer drivers, the latest being 8888.1, via download links in the Magenta cloud. But I don’t find this trustworthy…

Maybe you can find these newer versions on websites of mainboard manufacturers (ASUS, MSI, Gigabyte, …), but you’d have to kick Realtek’s butt for that.

That’s a good description of the situation. Maybe this is helpful for one or the other reader.

Sophos SafeGuard Enterprise and LDAP Channel Binding

[German]Brief information for administrators of Windows systems running Sophos SafeGuard Enterprise. Sophos has published an article that addresses issues related to Microsoft’s planned LDAP channel binding and LDAP signing requirement.

The update that actually changes LDAP channel binding and LDAP signing will not be released until the second half of 2020 (see LDAP Channel Binding: Change is coming 2nd half of 2020). But first changes are already supposed to arrive via update in March 2020 (see ADV190023, Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing).

I just came across the information from Sophos on Twitter. They have published a community post about the impact of LDAP channel binding and LDAP signing on SafeGuard Enterprise.

Surface Pro 7/Laptop 3: Fix for 640 x 480 Mode update issue

Here is a workaround for the issue, caused by a driver update, that left some users with a 640 x 480 display mode.

The problem

A graphics driver update for the Microsoft Surface Pro 7 and the Surface Laptop 3, dated January 30, 2020, leaves some users with a graphics resolution of only 640 x 480 pixels on the DisplayPort output. I’ve addressed this in my blog post Surface Pro 7/Laptop 3: Update causes 640 x 480 Mode issue. The Intel® Iris® Plus Graphics driver is to blame.

(Screenshot: Driver rollback blocked)

Unfortunately it’s not possible to do a driver rollback, as you can see in the screenshot above. This has been discussed here in the Microsoft Answers forum.

Some Workarounds

While the Surface support team didn’t provide a solution, some users mentioned that uninstalling the driver and installing the older driver helped. User JWB1911 wrote:

I was able to find an old msi package for the surface drivers that included 25.20.100.7101 version. After completely deleting the device from device manager and uninstalling drivers.. rebooting, then installing the 25.20.100.7101, my external monitors are working as expected.

The drivers are downloadable from the following links:

After downloading, the files within the .msi package have to be extracted using a command like:

msiexec /a c:\testfile.msi /qb TARGETDIR=c:\temp\test

Afterwards it should be possible to install the graphics driver manually via the Update driver button in Device Manager.
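
The same procedure scripted, as an added example that is neither Microsoft's instructions nor the forum users' steps: it records the active display driver, unpacks the downloaded .msi with the administrative install shown above, locates the INF carrying the wanted DriverVer and stages it with pnputil instead of clicking through Device Manager. It assumes an elevated PowerShell on the Surface; the .msi file name and extraction folder are placeholders, and the version is the one JWB1911 named.

```powershell
# Added example, not from the blog post or the Microsoft Answers thread.
param(
    [string]  $Msi           = 'C:\temp\SurfaceDriverPackage-placeholder.msi',   # placeholder
    [string]  $ExtractTo     = 'C:\temp\surface-drivers',                         # placeholder
    [version] $WantedVersion = [version]'25.20.100.7101'
)

function Get-ActiveDisplayDriver {
    # What is installed right now (to compare before and after)?
    Get-CimInstance Win32_PnPSignedDriver |
        Where-Object { $_.DeviceClass -eq 'DISPLAY' } |
        Select-Object DeviceName, DriverVersion, DriverDate, InfName
}

function Expand-DriverMsi {
    param([string]$Path, [string]$Target)
    # An "administrative install" (/a) unpacks the package without installing it;
    # this is the msiexec call from the post.
    $p = Start-Process msiexec.exe -ArgumentList "/a `"$Path`" /qb TARGETDIR=`"$Target`"" -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "msiexec failed with exit code $($p.ExitCode)" }
    $Target
}

function Find-InfByDriverVersion {
    param([string]$Root, [version]$Version)
    # INF files carry a line like:  DriverVer=12/05/2019,26.20.100.7584
    Get-ChildItem -Path $Root -Recurse -Filter *.inf | Where-Object {
        $m = Select-String -Path $_.FullName -Pattern '^\s*DriverVer\s*=\s*[^,]+,\s*([0-9.]+)' |
             Select-Object -First 1
        $m -and ([version]$m.Matches[0].Groups[1].Value -eq $Version)
    }
}

Get-ActiveDisplayDriver
Expand-DriverMsi -Path $Msi -Target $ExtractTo
$inf = @(Find-InfByDriverVersion -Root $ExtractTo -Version $WantedVersion)
if ($inf.Count -eq 0) { throw "No INF with DriverVer $WantedVersion found under $ExtractTo" }
foreach ($f in $inf) {
    # /add-driver stages the package in the driver store; /install also applies it
    # to matching devices, which is the manual "Update driver" step in the post.
    pnputil.exe /add-driver "$($f.FullName)" /install
}
Get-ActiveDisplayDriver
```

Because Windows Update delivered the faulty driver in the first place, it may offer it again; check Get-ActiveDisplayDriver after the next update cycle to see whether the version has changed back.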

A German blog reader left a similar comment: He downloaded the Intel Iris Plus Graphics driver version 26.20.100.6999. He wrote:

Since the Surface devices do not allow installation using, for example, the installation medium of the normal Intel drivers from the website, the installation must be performed using the Snappy Driver Installer tool (https://sdi-tool.org/).

In the tool itself, select “Alternate Displays” under the Intel Iris Plus Graphics driver and search for and install the driver with the version mentioned above.

The blog reader tested it with a Surface Pro 7. He needed to undock the device once, shut it down, disconnect the power supply and restart it completely. Afterwards, all connected displays were correctly recognized again.

Windows 12: A Linux Light with Windows 10 Theme

[German]A Windows that just lets people work without the need to upgrade? Runs alongside Windows 7 or 10 and doesn’t even cost anything. That’s a hot promise for Windows 7 switchers who don’t like Windows 10. So the successor is called ‘Windows 12 Lite’.

I stumbled upon that idea last night when I saw Bogdan Popa’s Softpedia tweet shown below.

A reddit.com user spotted some DVDs branded ‘Windows 12 Lite’ and promising a neat Windows experience.

Windows 12 Lite

Of course it is not Windows. Rather, someone has added a Windows 10 theme to a Linux to make it easier for people to switch. Windows 12 Lite is a Linux distribution based on a slimmed-down Ubuntu, offered as Linux Lite. The theme gives people the impression of Windows 10, without the disadvantages.

(Screenshot: Super Lite-Desktop, Source: webhouses.co.uk/lite/)

Target group: Windows 7 switchers

The whole thing is advertised on this British website to the group of Windows 7 switchers who don’t want Windows 10 but do want a Windows 10 interface. The creators of the media write:

Lite’s 4.8 desktop is designed for those who migrate from Windows 7 with the Lite background. You just add it to your pictures then select it as background using System settings.

All the problems of the poor operating system are solved with Windows 12 Lite 4.8 a really great operating system.

It can also be a replacement for Windows 10. You can dual boot with Windows 10 and you will have a far better operating system; this is one of the world’s fastest and best. If you just have Windows you can install on the whole disk or choose to boot alongside your Windows. You choose which to switch on at the start with this screen.

So the perfect way to migrate to the Lite 4.8 desktop and the solution to all problems with this ‘poor operating system’ [i.e. Windows 10]. Windows 12 Lite can supposedly be installed in parallel to a Windows system. Nice stunt, which shows how much Microsoft is now being taken for a ride because of the dissatisfaction of many users with Windows 10.

Let’s see how long Microsoft tolerates these goings-on, because the Windows brand is protected. But I found the idea funny, so I picked up the info snippet here in the blog. Somewhat more serious is the approach of Canonical, see my blog post Windows 7 End of Life: Ubuntu promotes a switch to Linux.


Critical Vulnerability in Dell SupportAssist (Feb. 2020)

[German]Dell SupportAssist, which ships on Dell’s Windows systems, contains a serious vulnerability in older versions that allows the execution of arbitrary code with administrative privileges.

German blog reader Ralf Lindemann already pointed out the warning about the Dell SupportAssist vulnerability yesterday in this comment (thanks for that).

There is (once again) a serious vulnerability in Dell SupportAssist, which “allows the execution of arbitrary program code with administrator rights”.

Dell has issued security advisory DSA-2020-005: Dell SupportAssist Client Uncontrolled Search Path Vulnerability CVE-2020-5316, which affects the following products:

  • Dell SupportAssist for business PCs, Version 2.1.3 or earlier
  • Dell SupportAssist for home PCs, Version 3.4 or earlier

It appears to be a DLL hijacking vulnerability that could allow a locally authenticated, low privileged user to attack a system. The vulnerability could be exploited to cause the SupportAssist binaries to load arbitrary DLLs. Since Dell SupportAssist runs with administrative privileges, this would allow an attacker to execute arbitrary code with those privileges.

Dell writes that Dell SupportAssist for Business PCs and Dell SupportAssist for Home PCs have been updated to address an uncontrolled search path vulnerability.

All versions of SupportAssist are automatically upgraded to the latest available version if automatic upgrades are enabled. Customers can check which version they are running and upgrade to a newer version of SupportAssist if available.

To perform a manual update, open SupportAssist. In the upper right corner of the SupportAssist window, click the “Settings” icon and then click “About SupportAssist”. SupportAssist automatically checks if a newer version of SupportAssist is available.

It is strongly recommended to upgrade to version 2.1.4 or 3.4.1. Unfortunately, this case once again reveals what crapware OEMs install on their PCs, allegedly for the benefit of their customers, only to open up vulnerabilities.
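
Checking the installed version through the SupportAssist UI is fine for one PC; for a fleet the version is better read from the registry. The following is an added example, not Dell's code, that compares the installed SupportAssist version(s) against the fixed versions named in the advisory (2.1.4 for the business edition, 3.4.1 for the home edition). It assumes that the edition can be told apart by the major version (2.x = business, 3.x = home, which matches the advisory's numbers) and that the product registers in the usual Uninstall keys with "Dell SupportAssist" in its display name.

```powershell
# Added example, not from Dell or the blog post. Works without elevation (HKLM is readable).

function Test-SupportAssistVersionFixed {
    param([Parameter(Mandatory)][string]$Version)
    $v = [version]$Version
    switch ($v.Major) {
        2       { return $v -ge [version]'2.1.4' }   # SupportAssist for business PCs
        3       { return $v -ge [version]'3.4.1' }   # SupportAssist for home PCs
        default { return $v.Major -gt 3 }            # assumption: later majors postdate the fix
    }
}

function Get-DellSupportAssistStatus {
    # Both native and WOW6432Node Uninstall keys, since the installer bitness varies.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Dell SupportAssist*' -and $_.DisplayVersion } |
        ForEach-Object {
            [pscustomobject]@{
                Product  = $_.DisplayName
                Version  = $_.DisplayVersion
                Fixed    = Test-SupportAssistVersionFixed -Version $_.DisplayVersion
                Location = $_.InstallLocation
            }
        }
}

# Constructed sample values to exercise the comparison, then the real inventory:
Test-SupportAssistVersionFixed -Version '2.1.3'
Test-SupportAssistVersionFixed -Version '3.4.1'
Get-DellSupportAssistStatus
```

An empty result from Get-DellSupportAssistStatus means no SupportAssist entry was found under that name, not that the PC is clean; in that case look at the installed programs list for the exact display name Dell uses on that model and adjust the filter.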

Similar articles:
Dell devices: RCE vulnerabilities in SupportAssist Client
Lenovo ships Superfish adware preinstalled on systems
ShadowHammer: ASUS Live Update infected with backdoor

WinBtrfs Version 1.6 released

Bye Windows: Korea is on the move toward Linux

[German]In South Korea, the government is moving to get rid of its dependence on Windows, at least to some extent. Three large organizations have decided to move away from Windows and plan to switch to Linux.

I had already reported in May 2019 in the article South Korea’s government migrates from Windows 7 to Linux about the plans of the South Korean government to switch to Linux. The following tweet from Bogdan Popa (Softpedia) brought new information to my attention.

The background is probably new articles in the South Korean media reporting that, after the end of support for Windows 7, the government wants to migrate away from Microsoft and towards Linux. I have worked through one article (in Korean) as well as I could, because it offers interesting insights. The article on ajunews.com asks whether the South Korean government’s goal of migrating from Windows to Linux within six years at the latest can work.

Government relies on Open-OS and has a plan

The South Korean government plans to use an open desktop operating system called Open-OS. It is to be based on Linux and built by Korean software developers. The long-term goal is to use Open-OS at all workplaces in public administration. Currently, the following roadmap exists:

  • First, the Open-OS introduction strategy was defined in February of this year.
  • In October, the Ministry of Public Administration and Security will introduce Open-OS on some external network PCs.
  • After that, the government plans to introduce an open operating system instead of Windows in 2026.

The main reason for the South Korean government’s call for an open operating system is to reduce excessive reliance on Windows. In South Korea, 92% of systems run on Windows and the government is forced to follow Microsoft’s guidelines, which are perceived as one-sided.

Support end of Windows 7 and saving costs

One reason explicitly mentioned is the end of support for Windows 7. The government has estimated what the end of security updates for Windows 7 will cost it: replacing the Windows 7 PCs in government agencies with Windows 10 is expected to cost 780 billion won (about 602 million euros, 658 million US $).

The government expects to save (license) costs of 70 billion won (approx. 54 million euros, 59 million US $) per year by introducing an open operating system. The South Korean government also expects this transition to bring South Korean companies into the OS market, which is currently monopolized by foreign companies, and to let it work closely with domestic companies to solve security problems.

Migration has already begun

Furthermore, the South Korean Post will change from Windows 7 to TMaxOS. This is a Linux-based operating system developed by the South Korean company TmaxSoft. I already reported on TMax some time ago (see my German article Koreanisches TmaxOS: kann Windows, iOS und Android-Apps from 2016).

Other ministries have already switched a part of their workstations to Linux and are working on plans to extend the introduction to other devices. For example, the Ministry of National Defense and the National Police Agency are currently using Harmonica OS 3.0, which is being adapted with a number of Korean applications, while the Ministry of Public Administration and Security has installed the locally developed Gooroom cloud OS based on Debian.

Three variants of Open-OS

I find it interesting that South Korea intends to use three types of open operating systems:

  • Inveium ‘Harmonica OS’,
  • Gooroom ‘Cloud OS’ and
  • Tmax A & C ‘Tmax OS’.

All three variants are based on Debian, and have been adapted accordingly. Since the kernel, the core of the operating system, is compatible, you can install and use more than 90% of the thousands of Debian Linux apps.

Discussions, positive and negative examples

Of course, the approach is not without controversy. For example, some people are worried about the government’s policy because they are aware of negative examples. Among other things, the Korean outlet writes that governments have rarely succeeded in replacing Windows workstation PCs with an open operating system.

Interestingly, the Korean article lists LiMux as a negative example. In 2003 the city administration of Munich decided to use Linux instead of Windows. But in the meantime Munich is returning to Windows, as I have reported on this blog. Quote from the Korean article: German civil servants accustomed to Windows did not adapt to Linux, and the city had to spend operating and administration costs of about 60 million euros on the operating system, although savings of 11 million euros had been expected.

But a positive example is also mentioned: Last year the Chinese government decided to introduce “Kirin OS”, an open operating system based on Linux, at state workplaces. However, it is not intended to roll out Kirin OS on all PCs at once; the plan is to test it in some selected institutions and then extend it to all public institutions.

The government of South Korea plans to analyze the cases abroad of switching from Windows to Linux and to carry out its own migration without repeating their mistakes. The hope is to minimize the negative effects of introducing an open operating system.

Not all desktops will be Linux-driven

Windows will not disappear from South Korea’s public institutions after 2026 either. The government’s plan is to reduce the current Windows market share from 99% to 50%. And there is another interesting piece of information in the article: Currently, the employees of the South Korean central government use two physical PCs at work: an external network PC (for the Internet) to access external Internet services, and an internal network PC (for official business) for internal tasks. This concept of separate PCs is a response to external security threats such as hacking.

Therefore, the government of South Korea only wants to convert the Internet PCs to Open-OS (i.e. Linux). Internal network PCs, on which government employees perform important tasks, will continue to use Windows as the operating system, among other things to maintain productivity. This is also the reason not to introduce an open operating system on every public sector PC: only half of the desktop systems need to be converted.

Interesting solution until 2026

By 2026, most employees will be working on a single laptop running Windows instead of two desktop PCs. The laptop itself can only perform internal tasks. The open OS for external tasks is delivered as a virtual desktop (VDI) from a cloud server.

To access external services, employees must run a terminal program on their laptop and then access the open operating system installed on a cloud server. This environment, which runs in the cloud without installing an operating system locally, is delivered as a desktop service (DaaS).

The reason the government is pushing the adoption of open operating systems with such confidence is that there are already successful cases. In December last year, Korea Post (Ubon) introduced an open operating system as a VDI solution for external network PCs.

Korea Post (Ubon) secured 11,000 licenses for Windows 10, Tmax OS and Cloud OS. Employees can now access the external Internet network via VDI using an open operating system (Tmax OS9). There are some services that cannot be accessed, e.g. some websites that do not yet work. However, the evaluation within Ubon showed that handling most external tasks is not a major obstacle.

The government plans to adapt the services that cannot be run on an open operating system in cooperation with the companies concerned. When an open operating system is introduced for government external network PCs, it is also expected that frequently used website plug-ins will disappear. Such plug-ins are Windows-dependent and are not available on open operating systems.

Microsoft Security Update Summary (February 11, 2020)


[German]On February 11, 2020, Microsoft released security updates for Windows clients and servers, for Office, Flash, etc. Here is a compact overview of these updates.

A list of the updates can be found on this Microsoft page. Details about the update packages for Windows, Office etc. are available in separate blog posts.

Servicing Stack Updates

Microsoft now publishes an overview of all current Servicing Stack Updates (SSUs). The list of SSUs can be found at ADV990001 (but is not always up to date).

Notes on the updates

All Windows 10 updates are cumulative. The monthly patchday update includes all security fixes for Windows 10 and all non-security related fixes up to the patchday. In addition to the security patches for the vulnerabilities, the updates contain defense-in-depth updates to improve security.

The updates can also be downloaded from the Microsoft Update Catalog. The updates for Windows RT 8.1 and Microsoft Office RT are only available through Windows Update.

Information about the support period for Windows 10 can be found in the Windows Lifecycle Fact Sheet. Internet Explorer 11 will be available on Windows Server 2012 in May 2019. This configuration is only available through the Cumulative Update for IE. This is the last time Internet Explorer 10 receives a security update.

Windows 7 Updates only for ESU customers

Microsoft warns in the following tweet that updates for Windows 7 SP1, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2 are available for customers who have booked Extended Security Updates (ESU).

I have been emailed by blog readers, and there is this comment, that the updates for Windows 7 etc. are provided in the Microsoft Update Catalog. I haven’t tried it yet because I don’t have a Windows 7 system without ESU running ad hoc. But I assume, as in this German comment, that the updates cannot be installed without ESU.

Security fixes in February 2020

Microsoft has announced the security updates for February 2020 in the following tweet and links to the page where they are listed.

The February 2020 security updates cover 99 vulnerabilities in Microsoft products. Ten fixes are listed as critical, 87 as important and two as moderate. There is also a fix for the 0-day vulnerability CVE-2020-0674 in Internet Explorer. Bleeping Computer gives an overview in this article.

A list of all security updates for February 2020 (including Adobe) can be found on the Zero Day Initiative blog. Talos has also published a summary here (details will be covered separately in blog posts). Details about the Use-after-Free vulnerability in Windows 10 can be found here. And the vulnerability in Microsoft Media Foundation is covered here.

Critical Security Updates

Internet Explorer 11
ChakraCore
Microsoft Edge (EdgeHTML-based)
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1709 for 32-bit Systems
Windows 10 Version 1709 for ARM64-based Systems
Windows 10 Version 1709 for x64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1803 (Server Core installation)
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)

Important Security Updates

Microsoft Excel 2010 Service Pack 2 (32-bit editions)
Microsoft Excel 2010 Service Pack 2 (64-bit editions)
Microsoft Excel 2013 RT Service Pack 1
Microsoft Excel 2013 Service Pack 1 (32-bit editions)
Microsoft Excel 2013 Service Pack 1 (64-bit editions)
Microsoft Excel 2016 (32-bit edition)
Microsoft Excel 2016 (64-bit edition)
Microsoft Office 2016 for Mac
Microsoft Office 2019 for 32-bit editions
Microsoft Office 2019 for 64-bit editions
Microsoft Office 2019 for Mac
Microsoft Outlook 2010 Service Pack 2 (32-bit editions)
Microsoft Outlook 2010 Service Pack 2 (64-bit editions)
Microsoft Outlook 2013 RT Service Pack 1
Microsoft Outlook 2013 Service Pack 1 (32-bit editions)
Microsoft Outlook 2013 Service Pack 1 (64-bit editions)
Microsoft Outlook 2016 (32-bit edition)
Microsoft Outlook 2016 (64-bit edition)
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Server 2013 Service Pack 1
Microsoft SharePoint Server 2019
Office 365 ProPlus for 32-bit Systems
Office 365 ProPlus for 64-bit Systems
Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30
Microsoft Exchange Server 2013 Cumulative Update 23
Microsoft Exchange Server 2016 Cumulative Update 14
Microsoft Exchange Server 2016 Cumulative Update 15
Microsoft Exchange Server 2019 Cumulative Update 3
Microsoft Exchange Server 2019 Cumulative Update 4
Microsoft SQL Server 2012 for 32-bit Systems Service Pack 4 (QFE)
Microsoft SQL Server 2012 for x64-based Systems Service Pack 4 (QFE)
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (CU)
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (GDR)
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (CU)
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (GDR)
Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (CU)
Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (GDR)
Windows Malicious Software Removal Tool 32-bit
Windows Malicious Software Removal Tool 64-bit
Adobe Flash Player
Microsoft Surface Hub

Low Security Updates

Internet Explorer 10

Similar articles:
Adobe Flash Player 32.0.0.330 released
Microsoft Office Patchday (February 4, 2020)
Microsoft Security Update Summary (February 11, 2020)
Patchday Windows 10-Updates (February 11, 2020)
Patchday: Updates for Windows 7/8.1/Server (Feb. 11, 2020)

Docker for Windows collides with Razer Synapse driver tool


[German]A short note for Windows users who intend to experiment with Docker for Windows: there are conflicts with the Razer Synapse driver tool. The reason why the two programs fail to work together is funny.

The manufacturer Razer offers, under the name Synapse 3, software that allows users to configure the company’s peripherals. Razer has this website with download options for the Windows software. The Razer support site for Synapse 3 can be found here. Docker for Windows is a platform for running Docker containers under Windows – this website has some information about it.

Collision due to programming errors

The following tweet has brought to my attention the problem that Docker for Windows does not work with the Razer Synapse driver management tool.

The problem: Both software products try to ensure that only one copy is running at the same time. To do this, they try to find out the GUID of the .NET assembly they are currently running as. In theory, this would prevent a second start, because the most recently started copy would detect the running one and stop itself.

The programming flaw

Good in theory; in practice the developers have shot themselves in the foot. The functions they use to determine the GUID return the GUID of the assembly’s type rather than the GUID of the assembly itself, as @Foone explains on Twitter. The end of the story: Once Docker for Windows is started or the Razer Synapse driver management tool is running, the other software can’t be used anymore. It is simply blocked by the other program.

A wrong stackoverflow forum post and the consequences

The hilarious part of the story: In 2009, a user “Nathan” asked on the Stack Overflow platform how to determine the GUID of a running assembly. After 12 minutes an answer came from a user named “Cerberus”. But the ‘hellhound’ gave a wrong solution.

After 13 months, a user with the alias “Yoopergeek” pointed out that a wrong GUID was returned. Three years later, Cerberus tried to update the answer on Stack Overflow. But because an error occurred during editing and the accepted answer cannot be deleted, the wrong solution still meanders through the web and has been used in many a project. In many tweets @Foone outlines the history of the problem and the above collision as a consequence of it. It’s just as well that I no longer do any .NET programming. My last exercises were probably done in 2008, when writing a VB book.
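To make the flaw concrete, here is an added example (not code from Docker, Razer or the Stack Overflow thread) that puts the flawed lookup beside the correct one and shows the single-instance check that depends on it. It assumes the copied pattern was `Assembly.GetType().GUID`, which matches the page’s description of returning the type’s GUID; the assembly GUID is a constructed placeholder.

```csharp
using System;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Threading;

// Constructed placeholder GUID for this example assembly; a real project
// carries its own unique value here.
[assembly: Guid("3f2504e0-4f89-11d3-9a0c-0305e82c3301")]

static class SingleInstanceDemo
{
    // The flawed pattern: GetType() on the Assembly object yields
    // System.Reflection.RuntimeAssembly, so .GUID is the GUID of that runtime
    // type, and it is identical for every .NET application on the machine.
    static string FlawedAppId() =>
        Assembly.GetExecutingAssembly().GetType().GUID.ToString();

    // What the authors wanted: the [assembly: Guid(...)] attribute value,
    // which is specific to this assembly.
    static string CorrectAppId()
    {
        var attr = Assembly.GetExecutingAssembly().GetCustomAttribute<GuidAttribute>();
        if (attr == null)
            throw new InvalidOperationException("assembly has no [assembly: Guid] attribute");
        return attr.Value;
    }

    // Typical single-instance guard: a named mutex derived from the app id.
    // With FlawedAppId() two unrelated programs compute the same mutex name
    // and block each other, which is the Docker/Synapse collision.
    static bool TryBecomeFirstInstance(string appId, out Mutex guard)
    {
        guard = new Mutex(initiallyOwned: true, name: @"Global\" + appId, createdNew: out bool createdNew);
        return createdNew;
    }

    static void Main()
    {
        Console.WriteLine($"flawed id : {FlawedAppId()}");   // same value in every .NET app
        Console.WriteLine($"correct id: {CorrectAppId()}");  // the placeholder declared above

        if (!TryBecomeFirstInstance(CorrectAppId(), out Mutex guard))
        {
            Console.WriteLine("another copy of THIS program is running; exiting");
            return;
        }
        using (guard)
        {
            Console.WriteLine("first instance, running");
        }
    }
}
```

Running two different programs built from this template with different placeholder GUIDs shows the difference: their FlawedAppId() values match, their CorrectAppId() values do not.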
