MS update Tuesday: to fix an extraordinarily serious security risk

Monkey34

Supreme [H]ardness
Joined
Apr 11, 2003
Messages
5,128
Don't skip or block this one folks......

"It appears that there could be what one leading investigative reporter has called "an extraordinarily serious security vulnerability" in a core cryptographic component that is present in Windows 10. Before you take a deep breath and relax because you're still using Windows 8, 7 or XP, that same crypto component is present in all versions of Windows."

https://www.forbes.com/sites/daveyw...y-warning-for-900-million-users/#1dd4faf6690c
 

MrCaffeineX

[H]ard|Gawd
Joined
Aug 22, 2011
Messages
1,472
"This shows why automatic updates are so important."

I understand the point that they are trying to make, but having worked in Systems Administration and experienced first-hand Windows updates that cause blue screens when installed on a number of occasions, there is a reason why so many organizations do not deploy updates immediately upon release. When Microsoft is trying to fix one thing, something else can easily get broken and rolling out updates to a small pool of sacrificial guinea pigs has saved a lot of hours of remediation, in my experience.
 
Joined
Apr 11, 2017
Messages
758
"This shows why automatic updates are so important."

I understand the point that they are trying to make, but having worked in Systems Administration and experienced first-hand Windows updates that cause blue screens when installed on a number of occasions, there is a reason why so many organizations do not deploy updates immediately upon release. When Microsoft is trying to fix one thing, something else can easily get broken and rolling out updates to a small pool of sacrificial guinea pigs has saved a lot of hours of remediation, in my experience.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ x9000
Source: Sys Admin
 

GhostCow

Limp Gawd
Joined
Feb 13, 2005
Messages
368
"This shows why automatic updates are so important."

I understand the point that they are trying to make, but having worked in Systems Administration and experienced first-hand Windows updates that cause blue screens when installed on a number of occasions, there is a reason why so many organizations do not deploy updates immediately upon release. When Microsoft is trying to fix one thing, something else can easily get broken and rolling out updates to a small pool of sacrificial guinea pigs has saved a lot of hours of remediation, in my experience.


Maybe not so great for a business environment but it's practically necessary for the millions of idiots who never update, never reboot, never turn their computer off. Automatic updates wouldn't be a thing if not for them.
 

erek

Supreme [H]ardness
Joined
Dec 19, 2005
Messages
6,947
nothing pulled down for me :(

sigh, where is it?


upload_2020-1-14_10-41-14.png
 

Attachments

  • upload_2020-1-14_10-41-2.png
    upload_2020-1-14_10-41-2.png
    623.8 KB · Views: 0

Dead Parrot

2[H]4U
Joined
Mar 4, 2013
Messages
2,831
Gee, give the patch person a break. It isn't even the start of Redmond's business day yet! Some poor Admin Tech 1 has to get their coffee/tea/soda/etc and donut before worrying about something like uploading critical patches to the official patch server.
 

erek

Supreme [H]ardness
Joined
Dec 19, 2005
Messages
6,947
Gee, give the patch person a break. It isn't even the start of Redmond's business day yet! Some poor Admin Tech 1 has to get their coffee/tea/soda/etc and donut before worrying about something like uploading critical patches to the official patch server.
do you like donuts? just curious
 

erek

Supreme [H]ardness
Joined
Dec 19, 2005
Messages
6,947
Chill erek, it will show up here if you want to confirm.
[11:18 AM]
FUGGLE HOPS | McAFEE 2020:
I got 7 emails from various parts of my federal agency employer telling me that ALL MUST PERFORM UPDATES tomorrow.
The NSA’s Neuberger said in a media call this morning that the agency did indeed report this vulnerability to Microsoft, and that this was the first time Microsoft will have credited NSA for reporting a security flaw. Neuberger said NSA researchers discovered the bug in their own research, and that Microsoft’s advisory later today will state that Microsoft has seen no active exploitation of it yet.
 

Mega6

2[H]4U
Joined
Aug 13, 2017
Messages
3,025
[11:18 AM]
FUGGLE HOPS | McAFEE 2020:
this was the first time Microsoft will have credited NSA for reporting a security flaw. Neuberger said NSA researchers discovered the bug in their own research, and that Microsoft’s advisory later today will state that Microsoft has seen no active exploitation of it yet.

The NSA never reports 0-day exploits because they save 0-days for themselves to use. It must be in the wild if the NSA reported it to MS.
 

erek

Supreme [H]ardness
Joined
Dec 19, 2005
Messages
6,947
anyone else spamming this button out of nervousness? :(

upload_2020-1-14_11-27-17.png
 

pendragon1

Fully [H]
Joined
Oct 7, 2000
Messages
23,435
"At this point, it has to be reiterated that this remains conjecture, no disclosure has been made and neither Microsoft nor the NSA is saying anything beyond confirming that details of any vulnerability will not be discussed before an update has been made available."

lets wait and see...
 

erek

Supreme [H]ardness
Joined
Dec 19, 2005
Messages
6,947
Krispy Kreme is very popular in the Southeast US. They are the shortest path to diabetes, heart disease, and hypertension, just like everything else on the menu around here.

you like them though? or what
 

Ur_Mom

Fully [H]
Joined
May 15, 2006
Messages
20,334
"This shows why automatic updates are so important."

I understand the point that they are trying to make, but having worked in Systems Administration and experienced first-hand Windows updates that cause blue screens when installed on a number of occasions, there is a reason why so many organizations do not deploy updates immediately upon release. When Microsoft is trying to fix one thing, something else can easily get broken and rolling out updates to a small pool of sacrificial guinea pigs has saved a lot of hours of remediation, in my experience.

Why not have a pilot group (IT group) for the first couple days, then a week later roll the update to the rest of the company? Most org's I know don't just throw out updates to everyone without doing some kind of pilot testing. Or at least they don't more than once... :)
 

pendragon1

Fully [H]
Joined
Oct 7, 2000
Messages
23,435
Why not have a pilot group (IT group) for the first couple days, then a week later roll the update to the rest of the company? Most org's I know don't just throw out updates to everyone without doing some kind of pilot testing. Or at least they don't more than once... :)
hahahha ahahahahahh ever dealt with a school division.
 

Mega6

2[H]4U
Joined
Aug 13, 2017
Messages
3,025
its up

upload_2020-1-14_13-4-10.png
 

Attachments

  • upload_2020-1-14_13-3-49.png
    upload_2020-1-14_13-3-49.png
    59.8 KB · Views: 0
  • Like
Reactions: erek
like this

bman212121

[H]ard|Gawd
Joined
Aug 18, 2011
Messages
1,715
This month we addressed the vulnerability CVE-2020-0601 in the usermode cryptographic library, CRYPT32.DLL, that affects Windows 10 systems. This vulnerability is classed Important and we have not seen it used in active attacks.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601


A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.

An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.

A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601


I would say this is a fairly important fix to patch asap.
 

Zarathustra[H]

Fully [H]
Joined
Oct 29, 2000
Messages
31,202
No. The question is, what kind of sites have you been visiting to be this nervous?

In this day and age it doesn't matter what you visit.

I have found exploits on legitimate sites, inside banner ads distributed by Google AdWords.

This stuff can be anywhere.

Just being knowledgeable and careful is no longer enough. (Honestly, I don't think it ever was)
 

Zarathustra[H]

Fully [H]
Joined
Oct 29, 2000
Messages
31,202
"This shows why automatic updates are so important."

I understand the point that they are trying to make, but having worked in Systems Administration and experienced first-hand Windows updates that cause blue screens when installed on a number of occasions, there is a reason why so many organizations do not deploy updates immediately upon release. When Microsoft is trying to fix one thing, something else can easily get broken and rolling out updates to a small pool of sacrificial guinea pigs has saved a lot of hours of remediation, in my experience.

The counter argument is that no matter what you do, no matter how mission critical, it is ALWAYS better to be down than to be pwned.

I encourage religiously installing every single security (not feature) update on every single system without ever testing first. Any time you waste testing, is time you could be getting pwned.

I think it is atrocious and irresponsible of enterprise IT departments to test security patches before going live.

If you or your organization honestly feel like avoiding downtime is more important than exposing your customers, business or employees to data theft, or worse, then you are on serious need of a priority readjustment.
 

dragon69

[H]ard|Gawd
Joined
Sep 1, 2008
Messages
1,755
In this day and age it doesn't matter what you visit.

I have found exploits on legitimate sites, inside banner ads distributed by Google AdWords.

This stuff can be anywhere.

Just being knowledgeable and careful is no longer enough. (Honestly, I don't think it ever was)

True, but if you have to be that nervous waiting for an update, should you be online in the first place?
 

Furious_Styles

[H]ard|Gawd
Joined
Jan 16, 2013
Messages
1,948
In this day and age it doesn't matter what you visit.

I have found exploits on legitimate sites, inside banner ads distributed by Google AdWords.

This stuff can be anywhere.

Just being knowledgeable and careful is no longer enough. (Honestly, I don't think it ever was)

I think it is honestly, unless you are in a business where your job depends on it. You also give another reason to block those ads like the plague.
 

thecold

Limp Gawd
Joined
Nov 12, 2017
Messages
419
It isn't just a windows problem, can hit similar issues with Linux or any software.

The amount of times I've been crushed by people not testing software installs before they deploy them.

*rage*
 
  • Like
Reactions: mikeo
like this

Zarathustra[H]

Fully [H]
Joined
Oct 29, 2000
Messages
31,202
Soo...you're saying you're not or haven't been a sys admin?

That is accurate.

This may be a standard industry practice, and if that is the case I think every IT professional is wrong.

Downtime >>> exposure to vulnerabities.

This only becomes more true the more critical the system is.

I don't care how many millions in sales you lose because a system is down. It's still better than losing data to a breach.
 
Last edited:

Axman

Supreme [H]ardness
Joined
Jul 13, 2005
Messages
6,358
Downtime >>> exposure to vilberabities

That is understandable, commendable, and incorrect.

The IT group that a company uses is skeletal compared to the rest of the organization. If a software update breaks computers used by the company or organization, it's not going to down machines at random, it's going to knock out a significant percentage of the computers in use, since they're more or less all the same. And then you've got a tiny number of people who can fix it. And they're going to have to work the weekend plus overtime.

The organization I was the sys admin for had about 80 machines for staff and students, plus about 15 machines for administration, plus another half-dozen for servers and hosting, plus firewalls and networking hardware. ETA: and two people to maintain it all. (And to clarify, anything that was low-voltage was my problem. Anything on mains was his. So if there was a computer problem, I'd work my ass off while he pointed and laughed, and if there was an AC problem, he'd work his ass of and I'd point and laugh. We were a team.)

If an update caused the 80 user machines to go down, the whole school would shut down. If the administration's machines went down, then the whole school may as well also go down. If the servers or the networking hardware goes down, the whole school would shut down. So you can be sure that we sandboxed all of the updates and pushed them out when we knew they would work. Anything else is too expensive and like it or not, it makes the IT guys look worse than if an exploit is exploited.

Because the big risk that an exploit gets exploited is that one machine goes down. 30 minute fix after hours, clone the machine back to factory. That includes getting coffee and going to the bathroom.

These machines should not have the permissions or the network access to cause harm, even if they're totally filthy with malware and completely unpatched. If there is personal data on the company machine, that's not IT's problem, it's the user's.

The servers and oddball machines for administration you do on a one-by-one basis or something approaching that. If you don't have a physical replacement machine handy, you need a solid backup first. Then you test the update, hopefully off hours if you can.

The security should not come from patches and updates. The security should be baked into the infrastructure. Permissions, firewalls, all that.

And ultimately, if an exploit takes out a ton of machines all at once, that's unfortunate, but it can happen, that's a cost of business. But if your IT people take down a ton of machines at once, it's on them and them only.
 
Last edited:

clockdogg

[H]ard|Gawd
Joined
Dec 12, 2007
Messages
1,079
...

I don't care how many millions in sales you lose because a system is down. It's still better than losing data to a breach.

The Presidents/CEOs of 2019's Top 20 List:

Capital One
Wyze
Wawa
Facebook
LifeLabs
OnePlus
T-Mobile
Elasticsearch
UniCredit
7-Eleven
Web.com
Malindo Air
Noaestrat
Hostinger
CafePress
Poshmark
QuickBit
Emuparadise
Labcorp
Quest Diagnostics
Flipboard
Canva
First American Financial Corp

Are giggling at your boy scoutism.

List of big 2019 Hacks (that we know of): https://selfkey.org/data-breaches-in-2019/

I agree with your sentiments. However, SillyCon Valley is so pumped up on their billions scraped from the data mines, they've devalued personal privacy to the point of mockery.
 

Zarathustra[H]

Fully [H]
Joined
Oct 29, 2000
Messages
31,202
That is understandable, commendable, and incorrect.

The IT group that a company uses is skeletal compared to the rest of the organization. If a software update breaks computers used by the company or organization, it's not going to down machines at random, it's going to knock out a significant percentage of the computers in use, since they're more or less all the same. And then you've got a tiny number of people who can fix it. And they're going to have to work the weekend plus overtime.

The organization I was the sys admin for had about 80 machines for staff and students, plus about 15 machines for administration, plus another half-dozen for servers and hosting, plus firewalls and networking hardware.

If an update caused the 80 user machines to go down, the whole school would shut down. If the administration's machines went down, then the whole school may as well also go down. If the servers or the networking hardware goes down, the whole school would shut down. So you can be sure that we sandboxed all of the updates and pushed them out when we knew they would work. Anything else is too expensive and like it or not, it makes the IT guys look worse than if an exploit is exploited.

Because the big risk that an exploit gets exploited is that one machine goes down. 30 minute fix after hours, clone the machine back to factory. That includes getting coffee and going to the bathroom.

These machines should not have the permissions or the network access to cause harm, even if they're totally filthy with malware and completely unpatched. If there is personal data on the company machine, that's not IT's problem, it's the user's.

The servers and oddball machines for administration you do on a one-by-one basis or something approaching that. If you don't have a physical replacement machine handy, you need a solid backup first. Then you test the update, hopefully off hours if you can.

The security should not come from patches and updates. The security should be baked into the infrastructure. Permissions, firewalls, all that.

And ultimately, if an exploit takes out a ton of machines all at once, that's unfortunate, but it can happen, that's a cost of business. But if your IT people take down a ton of machines at once, it's on them and them only.

I feel like you have miscategorized the risk.

Sure, most client machines won't have personal data, but what about HR? Or benefits coordinators? Or managers machines?

Then there is sensitive corporate financial data that can be accessible from any number of machines in finance, operations, etc

Proprietary IP? Id you have engineers working on pretty much anything, that's a real risk as well.

IMHO, any organization should prevent risking a week of downtime vs. losing data.
 
Top