More problems with Windows patches

And the “hits” continue. Three new bugs from the January 8th batch of updates.

After installing the Windows 7 SP1 cumulative update or its security-only version, those running the Professional or Enterprise version of Windows 7 SP1 with KMS may receive a message stating that their copy of Windows is not activated, is a “counterfeit copy” or is “not genuine”. See here for further information.

Windows 8.1 has a bug where, after installing the cumulative security update, third-party applications may have difficulty authenticating hotspots. This applies only to the cumulative update. An update is expected later this month.

Windows 10 has the same hotspot bug but only for v1809 and v1709 – not v1803. An update is expected later this month.

There is another bug with the Windows 7 SP1 update [but not confirmed by Microsoft], related to both the cumulative update and its security-only version: once it is installed on the host, SMBv2 shares become inaccessible.

There is a further bug with an Office 2010 security update but it only affects Windows XP users. Seriously?  As Windows XP is not supported, don’t expect Microsoft to fix the issue unless it gets fixed in a future update.

 


Issues already with this week’s Windows updates

That didn’t take long… Again. [A broken record it seems.]

Microsoft has blocked this week’s Windows OS updates for all supported operating systems – at least for those on a domain – for two issues [one for clients].

“Some devices running network monitoring workloads may receive the 0xD1 Stop error because of a race condition.” This applies to all versions.

“After installing this update on a DHCP Failover Server, Enterprise clients may receive an invalid configuration when requesting a new IP address. This may result in loss of connectivity as systems fail to renew their leases.” This applies only to servers with DHCP Failover Server enabled.

Microsoft is expected to release an update in “mid-July” to fix the issues.

You can still manually download and install the update.

 

Intel to release updated microcode going back at least 5 years

To fix the problems associated with the Spectre and Meltdown vulnerabilities, Intel will be releasing microcode [i.e. BIOS] updates going back quite far. How far? Initially they said going back to the 4th generation Core processors but now they are planning to go even farther. At least back as far as Core 2 Duo days. Updates will be available from OEMs and not Windows Update.

You can find the announcement here.

[Update 2018/03/05:] Microsoft will slowly be offering microcode updates through the Windows Update Catalog. One update will cover them all. If your CPU is not supported at the time, it will notify you.

The catch is that the update will not be through Windows Update but through the Windows Update Catalog. So you will have to manually download the update.

[Update 2018/03/16:] Microsoft added more CPUs (6th through 8th generation) now to the update. Updated 8th generation as well as the upcoming 9th generation CPUs will have the fix in addition to other protections, so Intel says.

 

Some directions for Windows computers and the CPU flaw

As you probably know by now, Intel [and to a lesser extent other CPU developers] were hit with a vulnerability that in some cases goes back over 20 years.

Most operating system developers have released updates or will shortly.

For example, Apple has released updates for their supported hardware. Google will release updates for Android [harder to exploit – surprisingly]. Microsoft has released updates for their operating systems but with a caveat – anti-virus developers must correct their own software first if it uses some programming code it shouldn’t have.

According to current information at this time, here are the most common anti-virus products and their status:

Avast: Fixed if using version 8 or later.

ESET: Fixed if you check for updates.

Kaspersky: Fix previously released.

McAfee: Expected to use the registry fix found here.

Microsoft: Windows Defender is fixed.

Norton: Fixed.

Panda: Expected to use the registry fix found here.

Symantec: Fixed when checking for updates.

Trend Micro: Can use the registry fix found here.

WebRoot: Expected to use the registry fix found here.

Once the fix is in place, Windows Update should list the January 2018 update.

If your computer is still supported, check for a recent BIOS update as well.

Please note that the information given is as is. I am not responsible for any issues that may arise. Check with the anti-virus vendor first. Failure could result in a BSOD or other issues. If your vendor isn’t listed, go to the vendor’s web site.

[Update 2018/01/11:] If you have VMware Workstation Player or Pro [recent supported versions or any business line versions], you may want to check for updates. If you are receiving updates with your AMD CPU, either you were unaffected or the issue has been fixed.

Some older AMD processors have had the recent OS updates suspended by Microsoft following some blue screens of death. Athlon 64 X2 processors seem to be affected.

 

Miscellaneous computer tips – Volume 9

Where to find pinned links

Ever wonder where you can find your pinned links at the top of the Start menu or in the Task Bar? In their infinite wisdom, Microsoft placed them both under Internet Explorer and not [say] Windows Explorer. Even worse, if you drill down to “User Pinned” in one of the two paths below, “User Pinned” is a hidden folder. Why?

Below, replace your_user_name with the account you log in with.

C:\Users\your_user_name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu

C:\Users\your_user_name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar

Note: You can only have valid shortcut links in the folder.

Firefox Send

Mozilla has released a new web tool called Firefox Send. Nothing to install.

You upload a file and it gets encrypted. You then provide the link to someone.

Once they download it or 24 hours after uploading, it automatically gets deleted. You can download a file more than once.

Works with Firefox [not surprised] and Chrome. Not with Internet Explorer or Edge.

Winmail.dat in Outlook

When you see a WINMAIL.DAT attachment, it is caused by TNEF. TNEF is the Transport Neutral Encapsulation Format, which is used by Outlook for Windows and Exchange Server for Exchange-specific features such as voting buttons.
When you are using Outlook with a POP/IMAP/EAS account, you can use the registry settings below to disable TNEF.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\xx.0\Outlook\Preferences]
"DisableTNEF"=dword:00000001

Notes:

  • xx.0 in this registry path corresponds to the Outlook version (16.0 = Outlook 2016, 15.0 = Outlook 2013, 14.0 = Outlook 2010).
  • This is a per user setting. So it has to be done for each user on a shared computer.
  • If you upgrade your version of Office [or Outlook] you need to reapply with the correct version.

By disabling TNEF, the following features will not work:

  • Task Request message will be replaced by a normal message.
  • Custom forms can’t be used and scripts and properties will be removed.
  • Embedded OLE (Object Linking and Embedding) objects in a message won’t be used. Instead, these are replaced by pictures.
  • Voting buttons may be used but recipients may not see any buttons.

As usual, use at your own risk. See the Notes page regarding making changes to your system.

How to disable SMB v1

If you have been reading about WannaCry and Petya, most of the systems could have been protected in two ways.

First is to make sure systems were up to date on security updates and other patching.

Second would be to disable SMB v1.

[A third way would be up to date anti-virus/security software but for those in the initial batches that were hit, this probably wouldn’t have been available.]

Server Message Block [SMB] is the file protocol that is most commonly used by Windows operating systems. It is an old protocol, over 10 years old. Communication is digitally signed, which enables the recipient of the packets to confirm their point of origination and their authenticity.

Note: Test before applying changes. You still may have some lesser known applications that still need SMB v1.

This link details how to disable SMB v1 for stand-alone computers as well as those on a domain for various operating systems.

If you are using a stand-alone computer [not on a domain], the registry “fix” below will disable SMB v1 and will take effect after rebooting:

Windows Registry Editor Version 5.00

; Disables SMB v1

; To enable, set to 1 or delete entry

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]

"SMB1"=dword:00000000

With the release of Windows 10 Fall Creator Update [a.k.a. v1709] and the server equivalent, SMB v1 will be disabled by default when you buy a new system or do a clean/fresh installation [i.e. not an upgrade].

Microsoft has a web page that lists Microsoft and third-party products that require SMB v1 and links with further information.

Note: A reminder that if you modify the registry, back up the registry before proceeding.
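To confirm the setting on a computer after the reboot, the following read-only PowerShell check is an added example, not part of the original post. The function names are made up for illustration, and it looks only at the server-side SMB v1 setting that the registry file above controls.

```powershell
# Added example, not from the original post. Read-only: it changes nothing.
# It checks only the server-side SMB v1 setting that the .reg file above controls.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1RegistryState {
    param([string]$Path)
    $p = Get-ItemProperty -Path $Path -Name 'SMB1' -ErrorAction SilentlyContinue
    if ($null -eq $p)  { return 'NotSet' }    # entry absent: same as "delete entry" above
    if ($p.SMB1 -eq 0) { return 'Disabled' }  # matches "SMB1"=dword:00000000
    return 'Enabled'                          # any non-zero value
}

function Get-Smb1ServerConfigState {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later
    # and needs an elevated prompt; older systems only have the registry value.
    if (-not (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue)) {
        return 'Unavailable'
    }
    try {
        $cfg = Get-SmbServerConfiguration -ErrorAction Stop
        if ($cfg.EnableSMB1Protocol) { return 'Enabled' } else { return 'Disabled' }
    } catch {
        return 'Unavailable'
    }
}

$registry = Get-Smb1RegistryState -Path $key
$config   = Get-Smb1ServerConfigState

New-Object PSObject -Property @{
    Computer     = $env:COMPUTERNAME
    RegistrySMB1 = $registry
    ServerConfig = $config
}

# Flag the machine unless at least one source positively says "Disabled".
if ($registry -ne 'Disabled' -and $config -ne 'Disabled') {
    Write-Warning "SMB v1 server is not confirmed disabled on $env:COMPUTERNAME."
}
```

A result of NotSet on an older system means the entry is missing, which the comment in the registry file above treats the same as enabled.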

Blocking the latest Microsoft .net Framework in Windows

Occasionally you may want to block Windows from upgrading to the latest .net Framework from Microsoft. As of this time, the latest version is version 4.7. The following can disable the installation:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\WU]

"BlockNetFramework47"=dword:00000001

.net Framework 4.7 incorporates all the updates and updates backwards to 4.0 [i.e. 4.0, 4.5, 4.5.1, 4.6, 4.6.1 and 4.6.2]. From the above, you can replace the version in the registry settings with the version number without the decimal [for example, BlockNetFramework462 for version 4.6.2]. The .net Framework 4.x series does not replace the .net Framework 3.5 series.

Microsoft Exchange, for example, is at this time not compatible with .net framework 4.7.

To allow the installation again, replace the “1” above in the registry settings with a “0”. Note that you can still manually install .net Framework.

Now what is .net Framework? Unless you’re a developer, you really don’t need a lot of knowledge to make use of .net Framework. You just need to know it is working. The .net Framework contains thousands of pieces of shared code, which makes things much easier for developers because they don’t have to rewrite common functions. They can instead re-use the shared code in other applications. In earlier days, when high speed internet wasn’t as common, it was easier for developers to ship only their application, as the shared code was already installed.

Note: As usual, when modifying the registry, back it up first. And use at your own risk.

To query the version of .net Framework on your computer, run [on one line]:

reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4" /s
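The reg query output shows a Release number rather than a version name. The following PowerShell is an added example, not part of the original post: it translates that number and lists any BlockNetFramework values set under the WU key shown earlier. The Release thresholds come from Microsoft's documentation rather than from this page, and the function name is made up for illustration.

```powershell
# Added example, not from the original post. Read-only.
$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'

function ConvertTo-NetFx4Version {
    param([int]$Release)
    # Minimum "Release" values Microsoft documents for each 4.x version.
    if     ($Release -ge 460798) { '4.7 or later' }
    elseif ($Release -ge 394802) { '4.6.2' }
    elseif ($Release -ge 394254) { '4.6.1' }
    elseif ($Release -ge 393295) { '4.6' }
    elseif ($Release -ge 379893) { '4.5.2' }
    elseif ($Release -ge 378675) { '4.5.1' }
    elseif ($Release -ge 378389) { '4.5' }
    else                         { 'older than 4.5' }
}

$full = Get-ItemProperty -Path "$ndp\v4\Full" -ErrorAction SilentlyContinue
if ($full -and $null -ne $full.Release) {
    "Installed: .NET Framework $(ConvertTo-NetFx4Version $full.Release) (Release=$($full.Release))"
} else {
    'No Release value under v4\Full: 4.5 or later is not installed.'
}

# List any BlockNetFramework* values under the WU key from the .reg file above.
$wu = Get-ItemProperty -Path "$ndp\WU" -ErrorAction SilentlyContinue
$blocks = @()
if ($wu) {
    $blocks = @($wu.PSObject.Properties | Where-Object { $_.Name -like 'BlockNetFramework*' })
}
if ($blocks.Count -eq 0) { 'No BlockNetFramework* values are set.' }
foreach ($b in $blocks) {
    $state = if ($b.Value -eq 1) { 'blocked' } else { 'allowed' }
    "$($b.Name) = $($b.Value) ($state via Windows Update)"
}
```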