Category Archives: News

October patch status report – 10 days past release

Issues we are still tracking:

**** KB3000061 is a kernel update:
KB3000061 fails to install on Server 2012; also impacting Windows 8.
https://social.technet.microsoft.com/Forums/windowsserver/en-US/f77691d8-a9d0-4714-98ad-71665cfa8965/kb3000061-fails-to-install-on-server-2012?forum=winserver8gen   Cases opened: 114101711916740 and 114101711915623

Status:  See that thread: a Microsoft engineer in the forum is asking for cbs.log files from impacted machines.  Some recommendations have been made; no solution at this time.

****
Two issues with KB2984972 – this is a patch to update the RDP restricted admin mode

“Heads up, KB2984972 on Server 2008R2 RD server caused issues with our Wyse thin clients – it caused them all to span desktops across multiple monitors rather than presenting multiple monitors to the host OS. After uninstalling & rebooting, clients are presented with multiple monitors again.”  <<<< will impact MultiPoint Server as well <<<<<

Another thread on the issue here: http://forums.mydigitallife.info/threads/57448-KB2984972-breaks-concurrent-RDP-patch?p=960999#post960999

Status:  Unknown if this is being investigated by Microsoft.  I have seen some updates from the thin client vendors, so I am unsure whether this will be patched from the vendor side or from the Microsoft side. https://serverfault.com/questions/637251/what-would-cause-wyse-c10le-thin-clients-to-suddenly-be-unable-to-use-dual-displ/637429#637429?newreg=ab71e335f34e48c2b161992751a39282    If someone has a serverfault reputation of greater than 50, can you post in there and ask them to email me at susan-at-msmvps.com (change the -at- to @) to set up a support case?  I really am unsure if there are cases being worked on regarding the thin client impact and I’d love to make sure they are.
****
App v and KB2984972 impact:
https://social.technet.microsoft.com/Forums/en-US/c90212b0-b32c-4488-9753-fb952112828c/warning-kb2984972-and-autodeskrelated-46-appv-packages?forum=mdopappv   << case opened on this issue SRX 114101611907865.

  Status:  Known issue, now documented in the update’s known issues section:

Known issues with this security update

  • Symptoms: After you install this security update, virtualized applications in Microsoft Application Virtualization (App-V) versions 4.5, 4.6, and 5.0 may experience problems loading. When the problem occurs, you may receive an error message that resembles the following:
    Launching MyApp 100%
    Note: In this error message, MyApp represents the name of the App-V application. Depending on the scenario, the virtualized app may stop responding after it starts, or the app may not start at all.
    Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see the following article in the Microsoft Knowledge Base:
    322756 How to back up and restore the registry in Windows
  • Resolution: To resolve this known issue, configure the TermSrvReadyEvent registry entry on the computer where the Microsoft Application Virtualization Client is installed.
    For Microsoft Application Virtualization 5.0
    • Registry Key: HKLM\Software\Microsoft\AppV\Subsystem\ObjExclusions
      Value name: 93 (or any unique value)
      Type: REG_SZ
      Data: TermSrvReadyEvent
      Example: type the following command at an elevated command prompt to add the entry to a system running Application Virtualization 5.0:
      reg add HKLM\Software\Microsoft\AppV\Subsystem\ObjExclusions /v 93 /t REG_SZ /d TermSrvReadyEvent
    For Microsoft Application Virtualization 4.6
    • For all supported x86-based systems
      Registry Key: HKLM\SOFTWARE\Microsoft\SoftGrid\4.5\SystemGuard\ObjExclusions
      Value name: 95 (or any unique value)
      Type: REG_SZ
      Data: TermSrvReadyEvent
      Example: type the following command at an elevated command prompt to add the entry to an x86-based system running Application Virtualization 4.6:
      reg add HKLM\SOFTWARE\Microsoft\SoftGrid\4.5\SystemGuard\ObjExclusions /v 95 /t REG_SZ /d TermSrvReadyEvent
    • For all supported x64-based systems
      Registry Key: HKLM\SOFTWARE\Wow6432Node\Microsoft\SoftGrid\4.5\SystemGuard\ObjExclusions
      Value name: 95 (or any unique value)
      Type: REG_SZ
      Data: TermSrvReadyEvent
      Example: type the following command at an elevated command prompt to add the entry to an x64-based system running Application Virtualization 4.6:
      reg add HKLM\SOFTWARE\Wow6432Node\Microsoft\SoftGrid\4.5\SystemGuard\ObjExclusions /v 95 /t REG_SZ /d TermSrvReadyEvent
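The three reg add commands above can be checked and applied in one pass across the App-V 5.0 and 4.6 locations. The PowerShell script below is an added example, not part of the KB article or of this post; it assumes the registry paths, value names and data quoted above, must be run from an elevated prompt, and only reports unless you pass -Apply.

```powershell
# Added example (not from the KB article): audit, and optionally apply, the
# TermSrvReadyEvent object exclusion for App-V 5.0 and 4.6 after KB2984972.
# Run from an elevated PowerShell prompt; without -Apply it only reports.
param([switch]$Apply)

$exclusion = 'TermSrvReadyEvent'

# Paths and suggested value names exactly as given in the KB text; the KB says
# any unique value name will do, so 93/95 are only defaults.
$targets = @(
    @{ Product = 'App-V 5.0'
       Path    = 'HKLM:\Software\Microsoft\AppV\Subsystem\ObjExclusions'
       Name    = '93' },
    @{ Product = 'App-V 4.6 (x86 system)'
       Path    = 'HKLM:\SOFTWARE\Microsoft\SoftGrid\4.5\SystemGuard\ObjExclusions'
       Name    = '95' },
    @{ Product = 'App-V 4.6 (x64 system)'
       Path    = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\SoftGrid\4.5\SystemGuard\ObjExclusions'
       Name    = '95' }
)

foreach ($t in $targets) {
    if (-not (Test-Path -Path $t.Path)) {
        # No ObjExclusions key means that client version is not installed here.
        Write-Output ("{0}: key not present, skipping" -f $t.Product)
        continue
    }

    $key = Get-Item -Path $t.Path
    # The exclusion counts as present if ANY value holds TermSrvReadyEvent,
    # whatever name it was given (a previous admin may not have used 93/95).
    $existing = @($key.GetValueNames() | Where-Object { $key.GetValue($_) -eq $exclusion })
    if ($existing.Count -gt 0) {
        Write-Output ("{0}: exclusion already present (value name '{1}')" -f $t.Product, $existing[0])
        continue
    }

    if (-not $Apply) {
        Write-Output ("{0}: exclusion MISSING, rerun with -Apply to add it" -f $t.Product)
        continue
    }

    # Keep the value name unique: if 93/95 is already used for something else,
    # move to the next free number rather than overwriting it.
    $name = $t.Name
    while ($key.GetValueNames() -contains $name) { $name = [string]([int]$name + 1) }

    New-ItemProperty -Path $t.Path -Name $name -PropertyType String -Value $exclusion | Out-Null
    Write-Output ("{0}: added value {1} = {2}" -f $t.Product, $name, $exclusion)
}
```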

******
KB2949927 – the SHA-2 update: Also seeing issues with KB2949927 getting installed:  https://social.technet.microsoft.com/Forums/en-US/bc191121-94ab-483f-ae9f-d5056ca3aae5/kb2949927-fails-to-install-if-bitlocker-fvevol-service-is-disabled?forum=w7itproinstall  and http://www.bobistheoilguy.com/forums/ubbthreads.php/topics/3511807/KB2949927_failing_to_install

STATUS:  KB2949927 was pulled from Microsoft Update on 10/17/2014.

****
KB2995388, the Windows 8.1 cumulative update, is causing issues with VMware Workstation:

Workstation 10 issue with recent Microsoft Windows 8.1 Update | VMware Workstation Zealot – VMware Blogs:
http://blogs.vmware.com/workstation/2014/10/workstation-10-issue-recent-microsoft-windows-8-1-update.html
We noticed that a recent Windows 8.1 Update (KB2995388) may cause issues when running VMware Workstation on a Windows 8.1 host with this update installed. Users will see an error message “not enough physical memory” when booting up a virtual machine.

STATUS:  Per the thread, reinstalling VMware Workstation 10 fixes the issue.  Unsure whether this patch will be redone or whether the recommendation will simply be to reinstall VMware.

***
2990942 – the ASP.NET MVC security update (MS14-059)
Microsoft Asp.Net MVC Security Update MS14-059 broke my build! – .NET Web Development and Tools Blog – Site Home – MSDN Blogs:
http://blogs.msdn.com/b/webdev/archive/2014/10/16/microsoft-asp-net-mvc-security-update-broke-my-build.aspx

Windows Azure Pack: Cannot create Plans.:
https://social.technet.microsoft.com/Forums/en-US/b60f7840-7da9-41f1-a896-b6875c6a925f/windows-azure-pack-cannot-create-plans?forum=windowsazuremanagement

Status:  Lots of upset developers.

***
Driver patch released by vendor bricks users’ chips

http://www.zdnet.com/ftdi-admits-to-bricking-innocent-users-chips-in-silent-update-7000035019/

FTDI appears to have used a recent Windows update to deliver the driver update to brick all cloned FTDI FT232s.

FTDI’s surprise new driver reprograms the USB PID to 0, killing the chips instantly.

The hardware hackers at Hack A Day first reported that a recent driver update deployed over Windows Update is bricking cloned versions of the very common FTDI FT232 [USB to UART] chip.

Status:  A driver update delivered through Windows Update, supplied by the vendor, was designed to nuke non-genuine chips.  If your clients/customers suddenly start complaining that their USB devices are missing or won’t work, it may be due to this.  The vendor used the MU driver update channel to nuke unlicensed chips.  (Susan note:  despite what the Microsoft folks say, I use the driver updates offered to me via MU as indicators that I need to look for vendor drivers; I do not install them on production machines, after too many years of being burnt by them.)


***

Adobe update 11.0.9 causes problems with opening files across network shares.  Error message received is
“There was an error opening this document. The network path was not found.”

https://forums.adobe.com/message/6860536#6860536

Status:  Workaround – disable Protected Mode (which is not acceptable); otherwise use Foxit or CutePDF Reader as an alternative.
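As an added example, not part of this post: a PowerShell snippet that reports which of the updates tracked in this status report are installed on a machine, and when, so a reported problem can be tied to a specific KB. It relies on Get-HotFix, which only lists Windows updates (not Office, Exchange, App-V or driver updates); the KB numbers and descriptions are taken from the report above.

```powershell
# Added example (not from the post): which of the October 2014 updates tracked
# in this status report are installed on a machine, and when. Get-HotFix reads
# Win32_QuickFixEngineering, which covers Windows updates only, so Office,
# Exchange, App-V and driver updates will not appear here.
param([string]$ComputerName = $env:COMPUTERNAME)

# KB numbers and one-line descriptions taken from the status report above.
$tracked = @{
    'KB3000061' = 'kernel update; install failures on Server 2012 / Windows 8'
    'KB2984972' = 'RDP restricted admin mode; Wyse thin client and App-V issues'
    'KB2949927' = 'SHA-2 update; install failures, pulled from Microsoft Update 10/17/2014'
    'KB2995388' = 'Windows 8.1 cumulative update; VMware Workstation "not enough physical memory"'
    'KB2919355' = 'Windows 8.1 Update'
}

# Pull only the hotfixes we care about; HotFixID is the KB number as a string.
$installed = Get-HotFix -ComputerName $ComputerName |
    Where-Object { $tracked.ContainsKey($_.HotFixID) }

foreach ($kb in ($tracked.Keys | Sort-Object)) {
    $hit = $installed | Where-Object { $_.HotFixID -eq $kb } | Select-Object -First 1
    if ($hit) {
        # InstalledOn can be empty on some systems, so do not assume a date.
        $when = if ($hit.InstalledOn) { $hit.InstalledOn.ToShortDateString() } else { 'date unknown' }
        '{0,-10} INSTALLED {1,-14} {2}' -f $kb, $when, $tracked[$kb]
    } else {
        '{0,-10} absent    {1,-14} {2}' -f $kb, '', $tracked[$kb]
    }
}
```

Run it against a remote host with -ComputerName to check a machine a client is reporting trouble from.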

Got a few hours to watch some videos?

Lots of great videos here on this page:

Derbycon 2014 Videos (Hacking Illustrated Series InfoSec Tutorial Videos):
http://www.irongeek.com/i.php?page=videos/derbycon4/mainlist

I highly recommend spending a few hours looking around the videos here!


Real patch pain metrics

Humor me please?

If you can recall a patch directly causing impact to your systems, please email me directly at susan-at-msmvps.com (change the -at- to @) with the KB number and what it impacted.  I would love to put together a list of real patch pain, and not just perceived patch pain.

Fact:  There have been a lot of non security updates that are impacting our patching views.

(I’m looking at you Exchange)

Case in point:
8/26/2014    CU 6 for Exchange 2013        http://support.microsoft.com/kb/2997209        http://blogs.technet.com/b/exchange/archive/2014/08/26/released-cumulative-update-6-for-exchange-server-2013.aspx

Fact:  There have been a lot of click to run issues impacting our patching views:

6/13/2014    Click to run        Uninstall/reinstall        http://blogs.technet.com/b/office_sustained_engineering/archive/2014/06/13/june-public-update-issue-affecting-click-to-run-users.aspx
5/22/2014    Click to run        Activation issues        http://blogs.technet.com/b/office_sustained_engineering/archive/2014/05/22/c2r-update-may-2014.aspx

Fact:  There have been hiccups in Office releases – especially in regards to Outlook:
8/13/2014    Outlook 2013    KB2881011    Replaced with KB2889859        http://blogs.technet.com/b/office_sustained_engineering/archive/2014/08/13/august-2014-office-update-release.aspx

Lord knows KB2919355 has impacted my view of this year.

Off the top of my head these are recent pulled patches:
MS14-045 pulled and rereleased.
KB2949927 pulled

Anytime you see a kernel update, expect slight turbulence, especially on the consumer side.  Kernel updates interact badly with malware-infected machines, pirated machines, and antivirus vendors whose protection efforts get a little too aggressive.

I see the problem as a bit like the Ebola scare in the USA.  We’re scared because of a lack of communication.

There’s a lack of post release follow up and communication as I see it.  We have no idea how many machines are impacted, we just see the social echo of headlines and twitter feeds.

I am concerned that it seems like it’s taking longer to get investigations done.

We’re a week after release date and I still haven’t a clue why KB3000061 is failing, if the RDP patch is going to get a fix or if the fix should be expected from the vendors or what.

While security patches have a known issue section, other patches need a “we’re investigating” section with follow up.

So?  Can you help me out with a feel on REAL patch pain versus perceived patch pain?  I don’t want to know “I heard about an issue on a random blog/twitter account that someone was impacted”… I want to know exactly what patch gave you pain.

Getting ready for a test run

Getting ready for a migration at the office from the 2008 R2 era Hyper-V to a 2012 R2 era Hyper-V.


And as the server sounds like a jet engine taking off…

It always makes me laugh how small the drives are, and how big the unit is.


Makes ya wanna buy more hard drives and fill that sucker up.

So one of the things I’m doing this time is, rather than putting a router in front of the server to separate it from the production network, I’m trying a virtual router.

Fastvue Sophos Reporter How to Deploy Sophos UTM on Hyper-V in 7 Simple Steps:
http://fastvue.co/sophos/blog/how-to-deploy-sophos-utm-on-hyper-v-in-7-simple-steps/

So far it’s not as simple as that leads one to think it is.  I obviously have networking/binding to the nics mucked up because it won’t find the web console address.

I’ll try again tomorrow and let you know how I get along with a virtual router.


Patches to keep an eye on:

KB3000061 is a kernel update:
KB3000061 fails to install on Server 2012; also impacting Windows 8.
https://social.technet.microsoft.com/Forums/windowsserver/en-US/f77691d8-a9d0-4714-98ad-71665cfa8965/kb3000061-fails-to-install-on-server-2012?forum=winserver8gen EDIT:  Cases opened: 114101711916740 and 114101711915623


Two issues with KB2984972 – this is a patch to update the RDP restricted admin mode

“Heads up, KB2984972 on Server 2008R2 RD server caused issues with our Wyse thin clients – it caused them all to span desktops across multiple monitors rather than presenting multiple monitors to the host OS. After uninstalling & rebooting, clients are presented with multiple monitors again.”  <<<< will impact MultiPoint Server as well <<<<<

Another thread on the issue here: http://forums.mydigitallife.info/threads/57448-KB2984972-breaks-concurrent-RDP-patch?p=960999#post960999

App v and KB2984972 impact:
https://social.technet.microsoft.com/Forums/en-US/c90212b0-b32c-4488-9753-fb952112828c/warning-kb2984972-and-autodeskrelated-46-appv-packages?forum=mdopappv   << case opened on this issue SRX 114101611907865.


KB2949927 – the SHA-2 update: Also seeing issues with KB2949927 getting installed:  https://social.technet.microsoft.com/Forums/en-US/bc191121-94ab-483f-ae9f-d5056ca3aae5/kb2949927-fails-to-install-if-bitlocker-fvevol-service-is-disabled?forum=w7itproinstall  and http://www.bobistheoilguy.com/forums/ubbthreads.php/topics/3511807/KB2949927_failing_to_install
EDIT:  KB2949927 was pulled from Microsoft Update on 10/17/2014.


KB2995388, the Windows 8.1 cumulative update, is causing issues with VMware Workstation:

Workstation 10 issue with recent Microsoft Windows 8.1 Update | VMware Workstation Zealot – VMware Blogs:
http://blogs.vmware.com/workstation/2014/10/workstation-10-issue-recent-microsoft-windows-8-1-update.html
We noticed that a recent Windows 8.1 Update (KB2995388) may cause issues when running VMware Workstation on a Windows 8.1 host with this update installed. Users will see an error message “not enough physical memory” when booting up a virtual machine.

Exchange updates

I install Exchange update rollups all by themselves, and on 9/24 Exchange put the 2007 and 2010 update rollups on MU and WSUS.  Normally they don’t kick off a reboot, but this time they did.

While I have seen issues reported with the 2013 update especially in a mixed Exchange deployment with 2010, I have not seen issues with 2007 nor 2010.



We hold a moment of silence…


For those of you youngsters who don’t know what that is, that’s a vintage Compaq luggable – that’s a laptop back in the 80’s – that has Lotus 1-2-3 burned into the green screen of the computer after years of running that software.  Two floppy drives, one for the OS and Lotus, the second for the data.

Now THAT’s vintage computing folks.

That was the program that revolutionized computers for businesses.  It meant we didn’t spend DAYS doing manual calculations of depreciation on green paper ledger sheets, by hand, with calculators.  (You think I’m kidding, I’m not).  It freed up office workers to do more complicated calculations and brought the mainframe into any sized business office.

So farewell then Lotus 1-2-3, spreadsheet extraordinaire | ZDNet:
http://www.zdnet.com/so-farewell-then-lotus-1-2-3-spreadsheet-extraordinaire-7000034288/


October is cyber security month

And on the ransomware front we’re losing the battle. CryptoWall gets onto a machine not by wiggling in via the temp install locations, but through an unpatched cocktail of Java, Silverlight, and Flash that we should have patched or ripped out of the machine years ago.

http://threatpost.com/rig-exploit-kit-pushing-cryptowall-ransomware

So on Day one of this 31 days of Cyber Security awareness month I challenge you to find a Silverlight installation and uninstall it.

Windows 10 betas now out

Announcing availability of Windows Server Technical Preview and System Center Technical Preview – Microsoft Server and Cloud Platform Blog – Site Home – TechNet Blogs:
http://blogs.technet.com/b/server-cloud/archive/2014/10/01/announcing-availability-of-windows-server-technical-preview-and-system-center-technical-preview.aspx

and

http://windows.microsoft.com/en-us/windows/preview

Windows 10 beta releases are now out so you can take it for a spin.

Right now the Windows update section is grayed out and you must install all updates.

But in a cryptic section in the blog post….

http://blogs.windows.com/business/2014/09/30/introducing-windows-10-for-business/


Windows 10 helps keep customers secure and up to date


Windows 10 will be delivered in a way that gives more choice and flexibility to businesses. As a result, a business can pick the speed of innovation that is right for each group of its users, rather than apply a one size fits all solution.

Businesses will be able to opt-in to the fast-moving consumer pace, or lock-down mission critical environments to receive only security and critical updates to their systems. And businesses will have an in-between option for systems that aren’t mission critical, but need to keep pace with the latest innovations without disrupting the flow of business. And the choice isn’t one or the other for businesses; we expect that most will require a mixed approach where a number of scenarios can be accommodated.

Consumers, and opt-in businesses, will be able to take advantage of the latest updates as soon as they are available, delivered via Windows Update. Business customers can segment their own user groups, and choose the model and pace that works for them. They will have more choice in how they consume updates, whether through Windows Update or in a managed environment. And for all scenarios, security and critical updates will be delivered on a monthly basis.


What exactly does THAT mean?

Looking for resources to check urls

I was wanting to check a URL for nasty stuff… thanks to several folks, here’s a list of places to submit a link to see whether it is phishing or has other issues:
Virustotal (Submit a URL)
https://www.virustotal.com/#url
URL Query
http://urlquery.net/index.php
Anubis – Malware Analysis
https://anubis.iseclab.org/?action=home
Dr.Web Check URL Scan
http://online.us.drweb.com/?url=1
AVG Threat Labs
http://www.avgthreatlabs.com/sitereports/
Norton Safe Web
http://safeweb.norton.com/
Trend Micro Site Safety URL Query
http://global.sitesafety.trendmicro.com/
Online Link Scan
http://onlinelinkscan.com/
Websense CSI: ACE Insight
http://csi.websense.com/
Website Security Check – Unmask Parasites
http://www.unmaskparasites.com/
Anubis
http://anubis.iseclab.org/
Wepawet
http://wepawet.iseclab.org/  << currently under maintenance
LongURL to de-obfuscate shortened URLs
http://longurl.org/

Also

http://www.brightcloud.com/tools/url-ip-lookup.php

and

http://www.brightcloud.com/platform/webroot-intelligence-network.php