MS update Tuesday: to fix an extraordinarily serious security risk

Discussion in 'HardForum Tech News' started by Monkey34, Jan 14, 2020 at 7:32 AM.

  1. Monkey34

    Monkey34 [H]ardness Supreme

    Messages:
    5,081
    Joined:
    Apr 11, 2003
    Don't skip or block this one, folks...

    "It appears that there could be what one leading investigative reporter has called "an extraordinarily serious security vulnerability" in a core cryptographic component that is present in Windows 10. Before you take a deep breath and relax because you're still using Windows 8, 7 or XP, that same crypto component is present in all versions of Windows."

    https://www.forbes.com/sites/daveyw...y-warning-for-900-million-users/#1dd4faf6690c
     
  2. MrCaffeineX

    MrCaffeineX [H]ard|Gawd

    Messages:
    1,443
    Joined:
    Aug 22, 2011
    "This shows why automatic updates are so important."

    I understand the point that they are trying to make, but having worked in Systems Administration and experienced first-hand Windows updates that cause blue screens when installed on a number of occasions, there is a reason why so many organizations do not deploy updates immediately upon release. When Microsoft is trying to fix one thing, something else can easily get broken and rolling out updates to a small pool of sacrificial guinea pigs has saved a lot of hours of remediation, in my experience.
     
  3. Rockenrooster

    Rockenrooster Limp Gawd

    Messages:
    440
    Joined:
    Apr 11, 2017
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ x9000
    Source: Sys Admin
     
  4. Armenius

    Armenius I Drive Myself to the [H]ospital

    Messages:
    19,979
    Joined:
    Jan 28, 2014
    Forbes want to install a Crypto Wallet, WTF?
     
  5. GhostCow

    GhostCow Limp Gawd

    Messages:
    268
    Joined:
    Feb 13, 2005

    Maybe not so great for a business environment but it's practically necessary for the millions of idiots who never update, never reboot, never turn their computer off. Automatic updates wouldn't be a thing if not for them.
     
    Jon855 likes this.
  6. Krazy925

    Krazy925 2[H]4U

    Messages:
    3,889
    Joined:
    Sep 29, 2012
    Announced on the day that w7 goes EOL. Am I wearing my tinfoil hat too tight?
     
    jfreund, Revdarian, the901 and 6 others like this.
  7. erek

    erek [H]ardness Supreme

    Messages:
    4,147
    Joined:
    Dec 19, 2005
    nothing pulled down for me :(

    sigh, where is it?



    d3athf1sh likes this.
  8. Dead Parrot

    Dead Parrot 2[H]4U

    Messages:
    2,645
    Joined:
    Mar 4, 2013
    Gee, give the patch person a break. It isn't even the start of Redmond's business day yet! Some poor Admin Tech 1 has to get their coffee/tea/soda/etc and donut before worrying about something like uploading critical patches to the official patch server.
     
    Revdarian, 1_rick, AlphaQup and 2 others like this.
  9. erek

    erek [H]ardness Supreme

    Messages:
    4,147
    Joined:
    Dec 19, 2005
    do you like donuts? just curious
     
  10. Mega6

    Mega6 2[H]4U

    Messages:
    2,619
    Joined:
    Aug 13, 2017
    Chill erek, it will show up here if you want to confirm.
     
    erek likes this.
  11. erek

    erek [H]ardness Supreme

    Messages:
    4,147
    Joined:
    Dec 19, 2005
    [11:18 AM]
    FUGGLE HOPS | McAFEE 2020:
    I got 7 emails from various parts of my federal agency employer telling me that ALL MUST PERFORM UPDATES tomorrow.
    The NSA’s Neuberger said in a media call this morning that the agency did indeed report this vulnerability to Microsoft, and that this was the first time Microsoft will have credited NSA for reporting a security flaw. Neuberger said NSA researchers discovered the bug in their own research, and that Microsoft’s advisory later today will state that Microsoft has seen no active exploitation of it yet.
     
  12. Mega6

    Mega6 2[H]4U

    Messages:
    2,619
    Joined:
    Aug 13, 2017
    The NSA never reports 0-day exploits because they save 0-days for themselves to use. It must be in the wild if the NSA reported it to MS.
     
    Red Falcon, Denjoy, jfreund and 8 others like this.
  13. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    29,232
    Joined:
    Oct 29, 2000
    I wonder if Win7 is getting this update, seeing how today is Win 7 EOL day
     
    d3athf1sh and Krazy925 like this.
  14. erek

    erek [H]ardness Supreme

    Messages:
    4,147
    Joined:
    Dec 19, 2005
    anyone else spamming this button out of nervousness? :(

     
    HAL_404 likes this.
  15. bman212121

    bman212121 [H]ard|Gawd

    Messages:
    1,545
    Joined:
    Aug 18, 2011

    For reference, Microsoft releases updates at 1PM Eastern time. I believe that would be 10AM PST.

    So in a bit over an hour from now they will show up in Windows update.
     
  16. dragon69

    dragon69 69's Dragons

    Messages:
    1,338
    Joined:
    Sep 1, 2008

    No. The question is, what kind of sites have you been visiting to be this nervous?
     
    blandead, Travolta, 1_rick and 2 others like this.
  17. Sulphademus

    Sulphademus Limp Gawd

    Messages:
    375
    Joined:
    Mar 18, 2010
    Will be throwing into my Testing environment right away. Will wait a hair on prod. Unless, you know you wanna be a real man.
     


  18. Dead Parrot

    Dead Parrot 2[H]4U

    Messages:
    2,645
    Joined:
    Mar 4, 2013
    Yes. But not Krispy Kreme. Those aren't donuts. Not sure what they are, but they don't count as donuts.
     
    Tactlesss likes this.
  19. pendragon1

    pendragon1 [H]ardForum Junkie

    Messages:
    15,242
    Joined:
    Oct 7, 2000
    "At this point, it has to be reiterated that this remains conjecture, no disclosure has been made and neither Microsoft nor the NSA is saying anything beyond confirming that details of any vulnerability will not be discussed before an update has been made available."

    let's wait and see...
     
    dragon69 likes this.
  20. MrCaffeineX

    MrCaffeineX [H]ard|Gawd

    Messages:
    1,443
    Joined:
    Aug 22, 2011
    Krispy Kreme is very popular in the Southeast US. They are the shortest path to diabetes, heart disease, and hypertension, just like everything else on the menu around here.
     
    jfreund, Furious_Styles and DWolvin like this.
  21. erek

    erek [H]ardness Supreme

    Messages:
    4,147
    Joined:
    Dec 19, 2005
    you like them though? or what
     
  22. Ur_Mom

    Ur_Mom I'm Not Serious

    Messages:
    19,988
    Joined:
    May 15, 2006
    Why not have a pilot group (IT group) for the first couple of days, then a week later roll the update to the rest of the company? Most orgs I know don't just throw out updates to everyone without doing some kind of pilot testing. Or at least they don't more than once... :)
     
    Sulphademus and mikeo like this.
  23. Rockenrooster

    Rockenrooster Limp Gawd

    Messages:
    440
    Joined:
    Apr 11, 2017
    can confirm. krispy kreme is like crack in the south.
    source: i live in the south
     
  24. GoodBoy

    GoodBoy [H]ard|Gawd

    Messages:
    1,658
    Joined:
    Nov 29, 2004
    It's a Forbes post... take it with a grain of salt until Microsoft actually says something. The source is a tweet.
     
  25. pendragon1

    pendragon1 [H]ardForum Junkie

    Messages:
    15,242
    Joined:
    Oct 7, 2000
    hahahha ahahahahahh ever dealt with a school division.
     
    jimbob200521, Armenius and Ur_Mom like this.
  26. bman212121

    bman212121 [H]ard|Gawd

    Messages:
    1,545
    Joined:
    Aug 18, 2011
    They are live now.
     
    erek likes this.
  27. Mega6

    Mega6 2[H]4U

    Messages:
    2,619
    Joined:
    Aug 13, 2017
    it's up


    erek likes this.
  28. bman212121

    bman212121 [H]ard|Gawd

    Messages:
    1,545
    Joined:
    Aug 18, 2011
    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601


    I would say this is a fairly important fix to patch asap.
     
    Monkey34 and Armenius like this.
  29. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    29,232
    Joined:
    Oct 29, 2000
    In this day and age it doesn't matter what you visit.

    I have found exploits on legitimate sites, inside banner ads distributed by Google AdWords.

    This stuff can be anywhere.

    Just being knowledgeable and careful is no longer enough. (Honestly, I don't think it ever was)
     
    GoodBoy and d3athf1sh like this.
  30. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    29,232
    Joined:
    Oct 29, 2000
    The counter argument is that no matter what you do, no matter how mission critical, it is ALWAYS better to be down than to be pwned.

    I encourage religiously installing every single security (not feature) update on every single system without ever testing first. Any time you waste testing, is time you could be getting pwned.

    I think it is atrocious and irresponsible of enterprise IT departments to test security patches before going live.

    If you or your organization honestly feel like avoiding downtime is more important than exposing your customers, business or employees to data theft, or worse, then you are in serious need of a priority readjustment.
     
    carlbme likes this.
  31. dragon69

    dragon69 69's Dragons

    Messages:
    1,338
    Joined:
    Sep 1, 2008
    True, but if you have to be that nervous waiting for an update, should you be online in the first place?
     
  32. Furious_Styles

    Furious_Styles [H]ard|Gawd

    Messages:
    1,513
    Joined:
    Jan 16, 2013
    I think it is honestly, unless you are in a business where your job depends on it. You also give another reason to block those ads like the plague.
     
  33. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    29,232
    Joined:
    Oct 29, 2000

    Good point!
     
    dragon69 likes this.
  34. mikeo

    mikeo Gawd

    Messages:
    617
    Joined:
    May 17, 2006
    It isn't just a windows problem, can hit similar issues with Linux or any software.
     
    the901 and pendragon1 like this.
  35. thecold

    thecold Limp Gawd

    Messages:
    362
    Joined:
    Nov 12, 2017
    The amount of times I've been crushed by people not testing software installs before they deploy them.

    *rage*
     
    mikeo likes this.
  36. Axman

    Axman 2[H]4U

    Messages:
    2,466
    Joined:
    Jul 13, 2005
    Soo...you're saying you're not or haven't been a sys admin?
     
    Sulphademus likes this.
  37. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    29,232
    Joined:
    Oct 29, 2000
    That is accurate.

    This may be a standard industry practice, and if that is the case I think every IT professional is wrong.

    Downtime >>> exposure to vulnerabilities.

    This only becomes more true the more critical the system is.

    I don't care how many millions in sales you lose because a system is down. It's still better than losing data to a breach.
     
    Last edited: Jan 14, 2020 at 5:22 PM
  38. Axman

    Axman 2[H]4U

    Messages:
    2,466
    Joined:
    Jul 13, 2005
    That is understandable, commendable, and incorrect.

    The IT group that a company uses is skeletal compared to the rest of the organization. If a software update breaks computers used by the company or organization, it's not going to down machines at random, it's going to knock out a significant percentage of the computers in use, since they're more or less all the same. And then you've got a tiny number of people who can fix it. And they're going to have to work the weekend plus overtime.

    The organization I was the sys admin for had about 80 machines for staff and students, plus about 15 machines for administration, plus another half-dozen for servers and hosting, plus firewalls and networking hardware. ETA: and two people to maintain it all. (And to clarify, anything that was low-voltage was my problem. Anything on mains was his. So if there was a computer problem, I'd work my ass off while he pointed and laughed, and if there was an AC problem, he'd work his ass off and I'd point and laugh. We were a team.)

    If an update caused the 80 user machines to go down, the whole school would shut down. If the administration's machines went down, then the whole school may as well also go down. If the servers or the networking hardware goes down, the whole school would shut down. So you can be sure that we sandboxed all of the updates and pushed them out when we knew they would work. Anything else is too expensive and like it or not, it makes the IT guys look worse than if an exploit is exploited.

    Because the big risk that an exploit gets exploited is that one machine goes down. 30 minute fix after hours, clone the machine back to factory. That includes getting coffee and going to the bathroom.

    These machines should not have the permissions or the network access to cause harm, even if they're totally filthy with malware and completely unpatched. If there is personal data on the company machine, that's not IT's problem, it's the user's.

    The servers and oddball machines for administration you do on a one-by-one basis or something approaching that. If you don't have a physical replacement machine handy, you need a solid backup first. Then you test the update, hopefully off hours if you can.

    The security should not come from patches and updates. The security should be baked into the infrastructure. Permissions, firewalls, all that.

    And ultimately, if an exploit takes out a ton of machines all at once, that's unfortunate, but it can happen, that's a cost of business. But if your IT people take down a ton of machines at once, it's on them and them only.
     
    Last edited: Jan 14, 2020 at 11:37 PM
    Red Falcon, Algrim, Dark12 and 5 others like this.
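    A model of the staged rollout Ur_Mom and Axman describe above (a small pilot ring first, broader rings after a delay, and a halt if the pilot ring fails), written as an added Python example for this thread rather than code from any poster or from Microsoft. The ring names, host counts and the 5% failure gate are constructed assumptions.

```python
from dataclasses import dataclass

# Added example: a patch-ring planner for the staged rollout discussed in the thread
# (pilot group first, the rest a week later). Ring names, host counts and the 5%
# failure threshold are constructed for illustration, not taken from any real fleet.

@dataclass
class Ring:
    name: str
    hosts: int         # machines in this ring; per Axman, they all share one image
    delay_days: int    # days after the patch release before this ring may be patched
    failures: int = 0  # machines that failed the post-install check (blue screen, no boot)

@dataclass
class RolloutPlan:
    rings: list                     # ordered from the smallest pilot ring to the broadest
    max_failure_rate: float = 0.05  # gate: stop widening if any earlier ring exceeds this

    def rings_due(self, days_since_release: int) -> list:
        """Rings cleared for the patch this many days after release.

        A ring is due once its delay has elapsed AND every earlier ring is under the
        failure threshold, so a pilot that blue-screens never propagates fleet-wide."""
        due = []
        for i, ring in enumerate(self.rings):
            if days_since_release < ring.delay_days:
                break  # rings are ordered by delay, so nothing later is due either
            if any(r.failures / max(r.hosts, 1) > self.max_failure_rate
                   for r in self.rings[:i]):
                break  # an earlier ring failed its gate: hold here and remediate first
            due.append(ring.name)
        return due

    def exposure_days(self) -> int:
        """Longest any ring stays unpatched: the cost Zarathustra[H] weighs against downtime."""
        return max(r.delay_days for r in self.rings)

    def blast_radius(self, days_since_release: int) -> float:
        """Fraction of the fleet a bad patch could take down at this point in the rollout."""
        due = set(self.rings_due(days_since_release))
        total = sum(r.hosts for r in self.rings)
        return sum(r.hosts for r in self.rings if r.name in due) / total

def example_plan() -> RolloutPlan:
    """Constructed fleet: a small IT pilot ring, the staff machines, then the servers."""
    return RolloutPlan([
        Ring("pilot", hosts=5, delay_days=0),
        Ring("staff", hosts=80, delay_days=7),
        Ring("servers", hosts=6, delay_days=14),
    ])
```

    Setting `failures` on the pilot ring after a bad install shows the gate in action: later rings stay held until the pilot is under the threshold again, which is the trade-off between exposure days and blast radius the two sides of the thread are arguing over.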
  39. clockdogg

    clockdogg Gawd

    Messages:
    982
    Joined:
    Dec 12, 2007
    The Presidents/CEOs of 2019's Top 20 List:

    Capital One
    Wyze
    Wawa
    Facebook
    LifeLabs
    OnePlus
    T-Mobile
    Elasticsearch
    UniCredit
    7-Eleven
    Web.com
    Malindo Air
    Noaestrat
    Hostinger
    CafePress
    Poshmark
    QuickBit
    Emuparadise
    Labcorp
    Quest Diagnostics
    Flipboard
    Canva
    First American Financial Corp

    Are giggling at your boy scoutism.

    List of big 2019 Hacks (that we know of): https://selfkey.org/data-breaches-in-2019/

    I agree with your sentiments. However, SillyCon Valley is so pumped up on their billions scraped from the data mines, they've devalued personal privacy to the point of mockery.
     
    Sulphademus likes this.
  40. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    29,232
    Joined:
    Oct 29, 2000
    I feel like you have miscategorized the risk.

    Sure, most client machines won't have personal data, but what about HR? Or benefits coordinators? Or managers machines?

    Then there is sensitive corporate financial data that can be accessible from any number of machines in finance, operations, etc

    Proprietary IP? If you have engineers working on pretty much anything, that's a real risk as well.

    IMHO, any organization should prevent risking a week of downtime vs. losing data.