Category Archives: Security

Backup/Restore, Insider stuff, Recent Activity, Security, Troubleshooting, WED Blog

Windows Resiliency Initiative Includes Quick Machine Recovery

November 20, 2024 Ed Tittel Leave a comment

It’s that time of year again, when MS meetings and conferences — Ignite 2024, in this case — heat things up with future promises and new idea campaigns. Yesterday’s Windows Experience Blog from David Weston (MS VP Enterprise & OS Security) is a case in point. Entitled Windows security and resiliency: Protecting your business, it asserts that a new Windows Resiliency Initiative includes Quick Machine Recovery as a key capability. Very interesting!

Explaining Windows Resiliency Initiative Includes Quick Machine Recovery

This new initiative “takes four areas of focus” as its goal — namely (all bullet points quoted verbatim from the afore-linked blog post, except for my [bracketed] commentary):

Strengthen reliability based on learnings from the incident we saw in July. [Crowdstrike kernel mode error took down 8.5M Windows PCs.]

Enabling more apps and users to run without admin privileges.

Stronger controls for what apps and drivers are allowed to run.

Improved identity protection to prevent phishing attacks.

The first and arguably most impactful preceding item is what led MS to its announcement of Quick Machine Recovery. Here’s how Weston explains it:

This feature will enable IT administrators to execute targeted fixes from Windows Update on PCs, even when machines are unable to boot, without needing physical access to the PC. This remote recovery will unblock your employees from broad issues much faster than what has been possible in the past. Quick Machine Recovery will be available to the Windows Insider Program community in early 2025.

In other words, this new feature should enable what savvy administrators had to do using OOB access to affected machine via KVMs smart enough to bootstrap machines otherwise unable to boot.

Great Addition: How’s the Execution?

IMO this is something MS should’ve built into Windows long ago. I’m curious to see how (and how well) it works. I’m also curious to see if it will be available for Windows 10 as well as 11. Only time will tell, but I’ll be all over this when it hits Insider Builds early next year. Good stuff — I hope!!

Backup/Restore, Insider stuff, Security, WED Blog

CVE-2024-6768 Exposes Scary Windows Vulnerability

August 14, 2024 Ed Tittel Leave a comment

In reading through my usual Windows news and info sources this morning I came across a scary notification at MS Power User. The named item is from the national vulnerability database. CVE-2024-6738 — which makes it item 6,738 for 2024 — comes with scary implications. It’s been reported in some form since last February. It attacks by altering meta-data for Windows base log files (BLFs) and can cause doom loops like those recently experienced from a Crowdstrike update last month. Thus, CVE-2024-6768 exposes scary Windows vulnerability that is hard to fend off and tricky to repair.

BLF Alteration in CVE-2024-6768 Exposes Scary Windows Vulnerability

A base log file (BLF) sits at the heart of the Windows Common Log File System (aka CLFS). As MS Learn’s “Creating a Log File” article begins, it says:

Before you can use CLFS, you must create a log file using the CreateLogFile function. A log file is made up of a base log file that contains metadata, and a number of containers that hold the actual data. On any local file system, containers can be in one or more separate files; on NTFS, containers can be in one or more streams within a file.

The BLF contains key information that describes the associated containers for log data. If the BLF is wrong, the log won’t make sense and cannot be read. This doesn’t sound like a big deal, but it is. Let me explain further…

Several Interesting Copilot Responses…

When asked to describe BLF files, Copilot notes how they’re used:

Usage: These files are crucial for maintaining system stability and integrity. They help manage user-level registry information and other system-level data. For example, the Windows component that writes user-level registry information to the NTUSER.DAT file uses CLFS logging, which involves BLF files ¹.

Indeed it seems that CVE-2024-6768 wreaks havoc by breaking the base log handler with a bogus “size of data field” value. This kind of error triggers a BugCheck error, and in turn provokes a BSOD.

Further investigation shows that any time a registry change occurs BLF files get updated. They are also essential to system boot-up, application installation and update, as well as system update. To get more details ask Copilot: “When do Windows base log files get written, and when do they get read?” You’ll see what I mean right away.

What Does the Future Hold?

The Fortra release note for this vulnerability shows its history, while a companion research note shows more details. So far, MS has yet to respond. Other than research work, I see no evidence of successful exploits in the wild. That said, this kind of attack is nearly impossible to fix without knowing the exact details of the registry values changed to mung some (or more) specific .BLF file(s).

IMO, this means the only real protection is a recent image backup that will replace the altered Windows image with a known, good working copy. Stuff like this is why I keep such things handy, and make one at least daily. This could get interesting…stay tuned!

Cool Tools, Device drivers, Insider stuff, Remote Desktop (RDP), Security, Thoughts & concerns, WED Blog

Getting Past Crowdstruck Requires Access

July 24, 2024 Ed Tittel 3 Comments

Last Friday (July 19), cybersecurity firm Crowdstrike pushed an update to its threat sensors. Ultimately, that ended up with over 8 million Windows PC unable to boot, stuck on a BSOD for invalid references in a kernel-mode driver. Behind the scenes, all kinds of companies from hospitals, to government agencies, to airlines, and more, found themselves unable to use updates machines after a post-update reboot. What really caused the heartburn? Getting past Crowdstruck requires access to affected machines on a one-at-a-time basis.

If you look at the BSOD screencap at the head of this blog post, you’ll see a driver named csagent.sys. This is the CrowdStrike Agent driver which runs at kernel mode by design. That ensures it can’t be easily accessed or tampered with by hackers. But when something runs as a kernel mode driver it must be rigorously and thoroughly tested and vetted, or it can crash any PC on which it runs. Errors, in short, cannot be tolerated. Oops!

Why Getting Past Crowdstruck Requires Access

Part of the Crowdstrike software run as a Windows kernel-mode driver. That means it has the same level of access as privileged parts of the OS itself. If any of this code throws an error — as Crowdstrike has publicly admitted its update did — Windows crashes itself. That’s by design, out of an abundance of caution to avoid loss of data or other damage to affected systems.

Here’s where things get interesting. Windows can’t boot and run until the offending driver is removed. In turn, the affected PCs must boot into safe mode or a recovery image. Either can operate on the damaged Windows image, remove the bad driver, and stand Windows back up again. This is easy when admins or IT pros have physical access to affected PCs. Indeed, Copilot recommends using the “three strikes” method to get into Windows recovery. (Three consecutive boot failures autoomatically triggers Windows alternate boot.) Then, using WinRE (or Windows itself in safe mode, from the Advanced Boot Options), repairs can go forward.

The problem is that many, if not virtually all, of the affected machines stayed down, stuck in a “boot loop.” They remained that way because their operators DIDN’T have physical access to those PCs. I’ll bet that most of them had to be teleoperated through a KVM device that can work around PC problems that extend all the way down to the hardware level (outside the scope of normal remote access and RDP). This kind of thing doesn’t scale well, either, so it takes time to work through hundreds to thousands of remote PCs (think of the PC behind the counter at AA or Delta, where the gate or ticket agent is completely clueless about boot-level Windows repairs).

An “Interesting” Problem, Indeed!

Far too many cybersecurity and IT pros found themselves in the grip of the old Chinese curse (“May you live in interesting times”) after the *291* driver for Crowdstrike tried to run on Friday. Organizations that prepare and drill for these kinds of outages were doubtless at an advantage in already knowing how to broker and run boot repairs remotely. I can only imagine the hair-pulling that went on at other outfits less well-equipped to handle this outage.

Here’s a moral to ponder for those who run remote Windows PCs where physical access is impossible, difficult or impractical: Can your remote management infrastructure and automation work with a Windows PC that’s not booting, and won’t boot until it’s restarted in some special way? If your answer is “yes,” you’re probably over the Crowdstruck hump already. If your answer is “no,” you’ll probably make that a top priority as soon as you can kick-start and repair all remaining affected Windows nodes. In the meantime, my deepest sympathies…

Insider stuff, Recent Activity, Security, WED Blog

Defender Threat-Flags MTPW

June 19, 2024 Ed Tittel Leave a comment

MTPW is the intialism for MiniTool Partition Wizard, a long-time mainstay in my stable of free and capable Windows tools. I’m not sure exactly why MS/Defender decided it’s a “potentially unwanted app.” That said you can see the message from Microsoft Defender Beta as the lead-in graphic, which also labels it as a threat, albeit an abandoned one. To repeat: I don’t know why Defender threat-flags MTPW download, but there it most assuredly is.

Digging into Defender Threat-Flags MTPW

Turns out that pw12-free.exe is an old, outdated name for MiniTool Partition Wizard (note the 2020 date, if you’re not convinced). The current version is named pw-free-online.exe. It throws no Defender Beta alerts, nor does VirusTotal find it at all objectionable. I guess that makes this one of those WTF moments that Windows can occasionally throw this way.

Given a security alert, I’d much rather have it turn out to be a false positive as is apparently the case here. Indeed, Everything can’t even find a copy of the offending file on my test PC (a 2018-vintage Lenovo Yoga 380X). Another bullet dodged, apparently, or less-than-vicious threat averted. I can’t make up my mind: you decide.

The Good Thing About False Positives…

Is, of course, that you can cheerfully ignore them. Indeed, because the offending file can’t even be found, it’s no longer a concern — if ever it was one. I checked the current download (pw-free-online.exe) just to make doubly-darned sure. But there’s no threat there that I can see. Good enough for me!

Insider stuff, Security, Thoughts & concerns, WED Blog

WordPress Link Access API Hack

June 6, 2024 Ed Tittel Leave a comment

Whoa! I just got messages from a colleague on LinkedIn, and have confirmed for both that social media platform and Facebook, that something wicked this way comes. That is, it seems there’s a WordPress link access API hack that enables malicious redirection whenever a link compaction program calls my site for link info. You can see what this looks like in the lead-in graphic. To mangle Talking Heads my reaction is “That’s not my beautiful site! Those aren’t my URLs.” Ai-yi-yi!

Fixing WordPress Link Access API Hack

Scan, remove bad references. remove any suspect WordPress elements. Put a security scan service in place to prevent recurrences. That’s what my Web guy is working on right now. For whatever odd and obviously invalid reason, I thought my WP service already covered all these bases. Now that I know that’s untrue, it will get fixed as soon as that work gets done.

Wow! What an astonishing PITA for something so modest and focused. It seems that several configuration files got modified through a vulnerable plug-in and included references to malicious URLs as of 5/21. We’re changing all the passwords, fixing what’s wrong, and cleaning up the mess. I’m hopeful things will be back to normal by tomorrow.

Going forward, we’ve added explicit ongoing security scans, and regular reviews of software selections, patch levels, and protective software to the mix. Hopefully, this won’t happen again. But if you see something odd any time you access one of my posts or Web pages, do like MS MVP Simon Allison did, and let me know right away that something seems funny or broken. Every little bit of insight and info helps!

Note Added 6/5 2:40 PM

The URL/API portion of the site has been replaced, and no more malicious or suspect URLs get generated. The issue is apparently fixed, but we’re still scanning all files in the entire site to make sure no other unwanted content/malicious payloads are lurking anywhere. All’s well that ends well, but the road goes on forever and the party never ends…

Insider stuff, PowerShell, Recent Activity, Security, WED Blog

MS Defender Update Targets Deployment Images

June 7, 2023 Ed Tittel Leave a comment

If you can trust the header data in this MS Support note (I do) it was updated on June 5, 2023. The item is entitled “Windows Defender update for Windows Operating system installation. It describes how to imbue offline Windows images with the latest and greatest Defender capabilities. In fact, that article includes a warning not to apply them to live images. Thus, it’s clear that this MS Defender update targets deployment images.

I got my date information about the article from its HTML meta-data:

<meta name="lastPublishedDate" content="2023-06-05">
<meta name="firstPublishedDate" content="2020-12-04">

How MS Defender Update Targets Deployment Images

Pre-requisites to run the updates — for WIM and VHD files — include:

Works on OS install images for 64-bit Windows 10 and 11, and Windows Server 2016 and 2019
OS environment must include PowerShell version 5.1 or newer (current production version is 7.3.4 as I write this)
Microsoft.Powershell.Security and DISM modules installed
The PowerShell session for the script <code>DefenderUpdateWinImage.ps1</code> runs with admin privileges. (“Run as administrator” or equivalent.)

The script provides switches to apply, remove or roll back, and list details for the installed update. Useful for those who maintain Windows images and want their security levels up to current snuff.

Find all the details in the MS Support article previously named. Do this before your next scheduled update window, for sure. Of course, this means you’re using Windows Defender as part of your security infrastructure.

MS Is BIG in Security

I just worked on a promotional piece for a joint Rubrik and MIcrosoft security webinar (YouTube video). Amazingly, MS describes itself as “the biggest cyber security company in the world” and did over US$20B in such business in 2022. I guess they do have some legs to stand on in this arena. And indeed, they’re doing all kinds of fascinating stuff with AI and ML to improve their security posture and incident response capabilities. Great stuff!

Cool Tools, Insider stuff, Recent Activity, Security, WED Blog

Zoom Restores Unpaid Update Capability

May 26, 2023 Ed Tittel Leave a comment

Let me first confess: I don’t know exactly when the change I report here actually occurred. What I do know is that I reported last October (2022) that the free version of Zoom no longer offered a “Check for Updates” option in its free version’s user menu. It’s highlighted in the red box in the lead-in graphic at right. Because my son is back home from college, I accidentally logged into Zoom on his (free) account yesterday, and saw that the same update item was present. Good-oh!

Glad Zoom Restores Unpaid Update Capability

If you read my earlier post, you’ll see I dinged the Zoom developers for making update a paid-only capability. Why? Because that approach fosters the possibility of security exposures for the class of users that stick to the free version. I took it as a deliberate strategy to force that class to trade security against cost. That’s not good.

Given what I discovered yesterday, I take it all back. Zoom is now doing the right thing. It may have been doing so for some time without my knowledge. That IS good, and I thank them for reversing the earlier development decisions that made users choose between more cost, better security and lower cost, lower security (or more work, to get around that limitation).

Indeed, as I mentioned in my October 2022 post, users could always uninstall an outdated version, then install the current one. This would bring them back to par, and let them benefit from any security patches or fixes in the newer version. Now, thanks to Zoom’s decision to reinstate the “Check for Updates” menu item — and its supported auto-download and -install capabilities — such contortions are unnecessary. Once again: good! And thanks again to Zoom for taking the right path, regardless of exactly when that occurred.

Insider stuff, Recent Activity, Security, WED Blog, Windows 11

P16 Manifests LSASS Bug

May 18, 2023 Ed Tittel Leave a comment

The Windows Local Security Authority Subsystem Service, aka LSASS, handles security policy enforcement for that OS. With KB5023706 (installed on 3/14) on my mainstream Windows 11 PC, some have shown interesting side-effects. My P16 manifests LSASS bug shown in the lead-in graphic.

Basically, it falsely asserts that LSASS protection is turned off (see text in red box). How do I know it’s actually running? As I searched the System log in Event Viewer, I found a message indicating the “LSASS.exe (process) was started…” as part of that system’s last boot-up. According to this discussion of that very issue at BleepingComputer.com, this indicates that LSASS protection is enabled and working as it should be.

The Event Viewer (System Log) reports a successful start of LSASS.exe as part of the OS boot-up process. It’s working!

What To Do If Your P16 Manifests LSASS Bug

Of course, this applies to all Windows PCs of all kinds. That said, the afore-linked BleepingComputer story explains a couple of Registry hacks that will fix such spurious notifications. MS will probably get around to fixing this sooner or later. Meanwhile, I’m not concerned about false security flags. Indeed, I’m content to wait until it’s corrected in some future update.

It sounds like a serious error. And it would be a major security hole, if the notification were true. But since it’s simply a false positive, and I’ve proved to myself that things are working as they should be, I’ll live with it.

This problem has been in play for some while now (BleepingComputer reports it goes back to January 2023). If I search for “Local security authority protection is off” at ElevenForum.com, I see hits as far back as March 1, 2023, on this topic. All are unanimous in flagging this as a false positive not worth corrective action.

But that’s the way things sometimes go here in Windows-World. Take it under advisement if you see the “Yellow bang!” in Windows Security on your Windows 11 PC. Cheers!

Insider stuff, Networking, Recent Activity, Security, WED Blog, Windows 11

Build 25158 Gains DNS Over TLS Support

July 14, 2022 Ed Tittel Leave a comment

Earlier this week, MS released Build 25158 into the Dev Channel. Among the many notes in this build’s announcements, you’ll find an item that starts off “DNS over TLS testing is now available for Windows DNS client query protection.” Thus, when Build 25158 gains DNS over TLS support, that means improved security for DNS traffic on networks everywhere. Given that DNS is a constant focus for direct and indirect attack, this is a good thing. So, how can you try this new feature out?

Putting Build 25158 Gains DNS Over TLS Support to Work

For brevity and convenience, DNS over TLS is usually abbreviated as DoT. Two ingredients are needed to take DoT for a spin:

1. You need to point your IP stack at a DoT DNS server. You’ll find a list of same at the DNS Privacy Project. It provided the lead-in graphic for this story, in fact. For the nonce, I’m using Google’s 8.8.8.8 and 8.8.4.4 addresses (and associated domain names for certificate authentication). There are several other options available.

2. A series of configuration tweaks, including Settings changes, and netsh and ipconfig commands, are required to set this up and make it work. Fortunately, all those details are covered in an MS Networking Blog post entitled “DNS over TLS available to Windows Insiders.” Therein, Tommy Jensen provides nicely illustrated step-by-step instructions to get you through the process.

More to Follow After Additional Try-Outs

I have two (2) test machines running Build 25158. I’ll try DoT on both of them, and let you know what happens. Mr. Jensen’s post on setting things up includes a potentially scary phrase. That is “This may result in a small performance improvement depending on the network environment at the cost of the flexibility HTTPS-based protocols can provide” (italic emphasis mine).

I’m afraid I know what this means. Indeed, I’ll be curious to see what’s still working — and what’s not — after experimenting with these changes. Given an upcoming out of office adventure, I might wait until week after next to put this to a real test. Stay tuned! In the meantime, you might find this Wikipedia article about DoT worth a quick read-through (good discussion and lots of good additional references there).

Insider stuff, Recent Activity, Security, WED Blog, Windows 10, Windows 11

MS 365 Brings New Defender Aboard

June 17, 2022 Ed Tittel Leave a comment

OK, then. Now I finally understand what’s up with the Store-based version of Windows Defender. It’s been “out there” for while now for Insiders. Called “Microsoft Defender for individuals,” it’s available to anyone with an active Microsoft 365 subscription. (Either Personal or Family subscriptions qualify.) That’s why I say “MS 365 brings new Defender aboard” in today’s title. The lead-in graphic shows the dashboard (in part) from my production Windows 10 desktop. Both “other devices” run Windows 11.

When MS 365 Brings New Defender Aboard, Then What?

According to MSPowerUser.com the tool is built on Microsoft Defender Endpoint technology. Thus, it brings the same cloud-based security to end users already available to Enterprise customers. A June 16 Microsoft Security blog post confirms this assertion. It describes this new Defender version as “an exciting step in our journey to bring security to all.” The tool works on Windows, iOS, Android, and macOS devices to provide family-wide protection across whole households.

MS explains Microsoft Defender for individuals as enabling the following capabilities (also including “continuous antivirus and anti-phishing protection for your data and devices”):

Manage your security protections and view security protections for everyone in your family, from a single easy-to-use, centralized dashboard.

View your existing antivirus protection (such as Norton or McAfee). Defender recognizes these protections within the dashboard.

Extend Windows device protections to iOS, Android, and macOS devices for cross-platform malware protection on the devices you and your family use the most.

Receive instant security alerts, resolution strategies, and expert tips to help keep your data and devices secure.

I’m giving it a try on my production PC which still runs Norton 360, along with a couple of my Defender-only test machines running Windows 11. Should be interesting to see how it all turns out! If you’d like to check it out for yourself and your devices (and your family’s, if applicable) visit the Microsoft 365 Defender page for a download link.