Patch Tuesday, November 2019 Edition

Microsoft today released updates to plug security holes in its software, including patches to fix at least 74 weaknesses in various flavors of Windows and programs that run on top of it. The November updates include patches for a zero-day flaw in Internet Explorer that is currently being exploited in the wild, as well as a sneaky bug in certain versions of Office for Mac that bypasses security protections and was detailed publicly prior to today’s patches.

More than a dozen of the flaws tackled in this month’s release are rated “critical,” meaning they involve weaknesses that could be exploited to install malware without any action on the part of the user, except for perhaps browsing to a hacked or malicious Web site or opening a booby-trapped file attachment.

Perhaps the most concerning of those critical holes is a zero-day flaw in Internet Explorer (CVE-2019-1429) that has already seen active exploitation. It is a memory corruption bug in the browser’s scripting engine, and today’s updates also address two other critical vulnerabilities in that same Windows component, which handles the scripting languages IE runs.

Microsoft also fixed a flaw in Microsoft Office for Mac (CVE-2019-1457) that could allow attackers to bypass security protections in some versions of the program.

Macros are bits of computer code that can be embedded into Office files, and malicious macros are frequently used by malware purveyors to compromise Windows systems. Usually, this takes the form of a prompt urging the user to “enable macros” once they’ve opened a booby-trapped Office document delivered via email. Thus, Office has a feature called “disable all macros without notification.”

But Microsoft says all versions of Office still support an older type of macros, XLM (Excel 4.0) macros, that do not respect this setting and can be used as a vector for pushing malware. Will Dormann of the CERT/CC has reported that Office 2016 and 2019 for Mac will fail to prompt the user before executing these older macro types if the “Disable all macros without notification” setting is used.
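One place XLM macros travel that the CERT/CC note concerned is the SYLK (.slk) text format, which Excel opens as a spreadsheet. Because SYLK is plain text, a mail gateway or triage script can look for macro indicators before Excel ever sees the file. The checker below is an added example written for this page, not code from KrebsOnSecurity, Microsoft or the CERT/CC; the list of dangerous XLM functions, the record layout it relies on (`O;E` marking a macro sheet, `NN` name records, `C` cell records whose `E` field holds a formula) and the two sample files are all constructed for the example.

```python
"""Static check for XLM (Excel 4.0) macro indicators in SYLK (.slk) text files."""
import re

# XLM functions a macro needs to do damage (run a program, call a DLL export,
# touch the file system). Constructed starting list for this example; not exhaustive.
SUSPICIOUS_FUNCS = ("EXEC", "CALL", "REGISTER", "RUN", "FOPEN", "FWRITE", "FORMULA")
# Defined names Excel runs automatically when the workbook opens or closes.
AUTO_RUN_NAMES = ("auto_open", "auto_close", "auto_activate", "auto_deactivate")


def split_sylk_fields(record):
    """Split one SYLK record on ';'. A literal semicolon inside a field is
    written as ';;', so that pair is folded back into a single ';'."""
    fields, buf, i = [], [], 0
    while i < len(record):
        ch = record[i]
        if ch == ";":
            if record[i + 1:i + 2] == ";":
                buf.append(";")
                i += 2
                continue
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    fields.append("".join(buf))
    return fields


def analyze_sylk(text):
    """Return a dict describing macro-related records found in SYLK text."""
    lines = text.splitlines()
    result = {"is_sylk": False, "macro_sheet": False, "findings": []}
    if not lines or not lines[0].startswith("ID;"):
        return result  # not SYLK at all; nothing to say about it
    result["is_sylk"] = True
    pattern = re.compile(r"\b(" + "|".join(SUSPICIOUS_FUNCS) + r")\s*\(", re.IGNORECASE)
    for lineno, line in enumerate(lines, 1):
        fields = split_sylk_fields(line)
        rtype, body = fields[0], fields[1:]
        if rtype == "O" and "E" in body:
            # Options record with the E flag: Excel treats the sheet as a macro sheet.
            result["macro_sheet"] = True
            result["findings"].append((lineno, "O;E options record marks a macro sheet"))
        elif rtype == "NN":
            # Name definition; field 'N<name>' is the name, 'E<ref>' the cell it points at.
            for f in body:
                if f.startswith("N") and f[1:].lower() in AUTO_RUN_NAMES:
                    result["findings"].append((lineno, f"auto-run name defined: {f[1:]}"))
        elif rtype == "C":
            # Cell record; field 'E<expr>' holds a formula, 'K<val>' a plain value.
            for f in body:
                if f.startswith("E"):
                    m = pattern.search(f[1:])
                    if m:
                        result["findings"].append(
                            (lineno, f"{m.group(1).upper()}() in formula: {f[1:]}"))
    return result


def is_suspicious(text):
    """True when the text is SYLK and carries at least one XLM macro indicator."""
    return bool(analyze_sylk(text)["findings"])


# Constructed samples for this example; not files from the advisory.
MALICIOUS_SLK = "\n".join([
    "ID;PWXL;N;E",
    "O;E",
    "NN;NAuto_open;ER1C1;KOut;F",
    'C;X1;Y1;EEXEC("calc.exe")',
    "C;X1;Y2;EHALT()",
    "E",
])
BENIGN_SLK = "\n".join([
    "ID;PWXL;N;E",
    'C;X1;Y1;K"quarterly totals;; note"',
    "C;X2;Y1;K42",
    "C;X3;Y1;ESUM(R1C2:R1C2)",
    "E",
])

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_SLK), ("benign", BENIGN_SLK)):
        report = analyze_sylk(sample)
        print(f"{name}: suspicious={is_suspicious(sample)}")
        for lineno, msg in report["findings"]:
            print(f"  line {lineno}: {msg}")
```

Two caveats for anyone putting this in front of a mail gateway: it is a static check, so a macro that assembles its payload with FORMULA() or CHAR() calls from innocuous-looking pieces will slip past the function list, and XLM macro sheets can also live inside binary .xls workbooks, which this text parser does not open at all. It is a cheap first filter, not a substitute for the macro setting actually being enforced by Office.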

Other Windows applications or components receiving patches for critical flaws today include Microsoft Exchange and Windows Media Player. In addition, Microsoft patched nine vulnerabilities (five of them critical) in Windows Hyper-V, the hypervisor role built into Windows Server (and available as an optional feature in Windows 10 Pro) that lets users create and run virtual machines, or “guest” operating systems, from within Windows.

Although Adobe typically issues patches for its Flash Player browser component on Patch Tuesday, this is the second month in a row that Adobe has not released any security updates for Flash. However, Adobe today did push security fixes for a variety of its creative software suites, including Animate, Illustrator, Media Encoder and Bridge. Also, I neglected to note last month that Adobe released a critical update for Acrobat/Reader that addressed at least 67 bugs, so if you’ve got either of these products installed, please be sure they’re patched and up to date.

Finally, Google recently fixed a zero-day flaw in its Chrome Web browser (CVE-2019-13720). If you use Chrome and see an upward-facing arrow to the right of the address bar, you have an update pending; fully closing and restarting the browser should install any available updates.

Now seems like a good time to remind all you Windows 7 end users that Microsoft will stop shipping security updates for Windows 7 after January 14, 2020 (the same end-of-life date applies to Windows Server 2008 and 2008 R2). Businesses and other volume-license customers will be able to pay for Extended Security Updates after that point; everyone else who wants to stay on Windows should plan a migration to Windows 10 soon.

Standard heads-up: Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. To get there, click the Windows key on your keyboard and type “windows update” into the box that pops up.

Keep in mind that while staying up to date on Windows patches is a good idea, it’s important to install them only after you’ve backed up your important data and files. A reliable backup means you’re probably not freaking out when the odd buggy patch causes problems booting the system. So do yourself a favor and back up your files before installing any patches.

As ever, if you experience glitches or problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a decent chance other readers have experienced the same and may even chime in here with some helpful tips.

Update, Nov. 13, 11:34 a.m.: An earlier version of this story misstated some of the findings from CERT/CC, and misspelled the name of the researcher. The above post has been corrected.

Microsoft OneDrive gets a more secure Personal Vault, plus additional storage options

Microsoft is launching a new layer of security for users of its OneDrive cloud storage service. OneDrive Personal Vault is a new section of your storage that’s accessed through two-step verification, or a “strong authentication method,” although Microsoft didn’t define the latter term.

Microsoft lists fingerprint, face recognition, a PIN, and one-time codes delivered by email, SMS, or an authenticator app as acceptable second factors, and the vault automatically locks again after a period of inactivity, which is the core of Microsoft’s security argument for it. Codes sent by SMS or email are weaker than the other options; face or fingerprint verification requires suitable hardware, such as a device with Windows Hello.

It also has options for transferring physical documents to the OneDrive mobile app. You can scan documents or take photos directly into the Personal Vault section without needing to store the file in a less secure part of your device first.

Users will have to be patient about this update, because Personal Vault will be getting a gradual rollout. The company said in its press release that Australia, New Zealand, and Canada will be getting the service “soon,” and all users will have it by the end of 2019. Personal Vault is coming to OneDrive on the Web, the OneDrive mobile app, and on Windows 10 PCs.

OneDrive does have standard security in place for all users even without the extra oomph of Personal Vault, such as file encryption both in Microsoft Cloud servers and in transit to your device. The tighter security option seems intended to give Microsoft customers more peace of mind for backing up very sensitive or important personal information.

The debut of Personal Vault is the big development, but Microsoft has minor items from its storage team that are also welcome news. The OneDrive standalone storage plan is being increased from 50GB to 100GB without any change in cost. This change will be happening soon and won’t require any action from users.

For those of you accessing OneDrive as an Office 365 subscriber, you’ll also have the option to add more storage to the 1TB you already have. Additional storage can be added in chunks of 200GB starting at $1.99 per month. If you’re managing a truly massive file situation, you can buy 1TB of extra storage for $9.99 a month. Additional storage can be increased and decreased at any time. Microsoft said it will be making this update in the coming months.

Windows 10 May 2019 Update now rolling out to everyone… slowly

To avoid a replay of the problems faced by the Windows 10 October 2018 Update, version 1809, Microsoft has taken a very measured approach to the release of the May 2019 Update, version 1903, with both a long spell as release candidate and a much less aggressive rollout to Windows Update.

That rollout starts today. While you previously needed to be in the Insider Program (or have a source such as an MSDN subscription) to download and install version 1903, it’s now open to everyone through Windows Update.

However, Windows users are unlikely to see the update automatically installed for many months. Initially, only those who explicitly visit Windows Update and click “Check for Updates” will be offered version 1903, and even then, they’ll have to explicitly choose to download and install the update. This is part of Microsoft’s attempt to make Windows Update less surprising: feature updates are offered separately from regular updates because feature updates take a long time to install and regular updates don’t (or at least, they shouldn’t). This installation experience requires the use of version 1803 or 1809, and it also requires the most recent monthly patch, which is also released today.

The update is also available to those who download either the update tool or media creation tool from Microsoft.

Starting from June, the update will be pushed to users currently on Windows 10 version 1803, as that version will cease receiving updates this November. And corporations using patch management systems can schedule deployments in whatever way they choose. Beyond that, however, Microsoft says that, for now at least, the update won’t be automatically installed. This marks a great change from previous Windows 10 feature updates and means that uptake of the May update is likely to be severely impeded.

Notable features of version 1903 include better Kaomoji support, Windows Sandbox (a disposable, isolated desktop for running untrusted applications), and the separation of Cortana from search.

Password1, Password2, Password3 no more: Microsoft drops password expiration rec

For many years, Microsoft has published a security baseline configuration: a set of system policies that are a reasonable default for a typical organization. This configuration may be sufficient for some companies, and it represents a good starting point for those corporations that need something stricter. While most of the settings have been unproblematic, one particular decision has long drawn the ire of end-users and helpdesks alike: a 60-day password expiration policy that forces a password change every two months. That reality is no longer: the latest draft for the baseline configuration for Windows 10 version 1903 and Windows Server version 1903 drops this tedious requirement.

The rationale for the previous policy is that it limits the impact a stolen password can have—a stolen password will automatically become invalid after, at most, 60 days. In reality, however, password expiration tends to make systems less safe, not more, because computer users don’t like picking or remembering new passwords. Instead, they’ll do something like pick a simple password and then increment a number on the end of the password, making it easy to “generate” a new password whenever they’re forced to.

In the early days of computing, this might have been a sensible trade-off, because cracking passwords was relatively slow. But these days, with rainbow tables, GPU acceleration, and the massive computational power of the cloud, that’s no longer the case—short passwords are a liability, so any policy that makes people favor short passwords is a bad policy. It’s better instead to choose a long password and, ideally, multifactor authentication, supplementing the password with a time-based code or something similar.

The baseline configs are often used by auditors, with companies dinged for each baseline policy they don’t follow. Accordingly, Microsoft is making a few other changes to the baseline in an effort to ensure that audits only pick up security configurations that are truly important. Previously, the baseline required BitLocker’s strongest cipher setting (256-bit AES); it no longer does so. Some devices show a meaningful performance difference between 128- and 256-bit encryption, making 256-bit undesirable. Others, like the Surface, ship with 128-bit encryption rather than 256-bit, and abiding by the policy means decrypting the disk and then re-encrypting it. Microsoft believes that 128-bit full-disk encryption is sufficient for most situations, so demanding 256-bit does little to improve security while hurting performance and requiring tedious re-encryption.

In the new baseline, Microsoft is also considering dropping the long-standing requirement to disable the Guest account and the default Administrator account. Windows 10 disables the Guest account by default already, meaning that if it’s enabled, it’s probably for a good reason and shouldn’t be picked up in an audit.

The built-in Administrator account is also disabled by default in Windows 10, with the operating system creating a separate Administrator-privileged account during installation. However, the built-in account has certain properties that make it better—it isn’t subject to account lockout policies, and it can’t be removed from the Administrators group. As such, the decision to use the built-in Administrator account or a different one is more a matter of taste than security.

McAfee joins Sophos, Avira, Avast—the latest Windows update breaks them all

The most recent Windows patch, released April 9, seems to have done something (still to be determined) that’s causing problems with anti-malware software. Over the last few days, Microsoft has been adding more and more antivirus scanners to its list of known issues. As of publication time, client-side antivirus software from Sophos, Avira, ArcaBit, Avast, and most recently McAfee are all showing problems with the patch.

Affected machines seem to be fine until an attempt is made to log in, at which point the system grinds to a halt. It’s not immediately clear if systems are freezing altogether or just going extraordinarily slowly. Some users have reported that they can log in, but the process takes ten or more hours. Logging in to Windows 7, 8.1, Server 2008 R2, Server 2012, and Server 2012 R2 are all affected.

Booting into safe mode is unaffected, and the current advice is to use this method to disable the antivirus applications and allow the machines to boot normally. Sophos additionally reports that adding the antivirus software’s own directory to the list of excluded locations also serves as a fix, which is a little strange.

Microsoft is currently blocking the update for Sophos, Avira, and ArcaBit users, with McAfee still under investigation. ArcaBit and Avast have published updates that address the problem. Avast recommends leaving systems at the login screen for about 15 minutes and then rebooting; the antivirus software should then update itself automatically in the background.

Avast and McAfee also provide a hint at the root cause: it appears that Microsoft has made a change to CSRSS (“client/server runtime subsystem”), a core component of Windows that coordinates and manages Win32 applications. This is reportedly making the antivirus software deadlock. The antivirus applications are trying to get access to some resource, but they’re blocked from doing so because they have already taken exclusive access to the resource.

Given that patches have appeared from antivirus vendors rather than an update from Microsoft, it suggests (though does not guarantee) that whatever change Microsoft made to CSRSS is revealing latent bugs in the antivirus software. On the other hand, it’s possible that CSRSS is now doing something that Microsoft previously promised wouldn’t happen.

Hackers could read non-corporate Outlook.com, Hotmail for six months

Late on Friday, some users of Outlook.com/Hotmail/MSN Mail received an email from Microsoft stating that an unauthorized third party had gained limited access to their accounts and was able to read, among other things, the subject lines of emails (but not their bodies or attachments, nor their account passwords), between January 1 and March 28 of this year. Microsoft confirmed this to TechCrunch on Saturday.

The hackers, however, dispute this characterization. They told Motherboard that they can indeed access email contents and have shown that publication screenshots to prove their point. They also claim that the hack lasted at least six months, doubling the period of vulnerability that Microsoft has claimed. After this pushback, Microsoft responded that around 6 percent of customers affected by the hack had suffered unauthorized access to their emails and that these customers received different breach notifications to make this clear. However, the company is still sticking to its claim that the hack only lasted three months.

Not in dispute is the broad character of the attack. Both hackers and Microsoft’s breach notifications say that access to customer accounts came through compromise of a support agent’s credentials. With these credentials, the hackers could use Microsoft’s internal customer support portal, which offers support agents some level of access to Outlook.com accounts. The hackers speculated to Motherboard that the compromised account belonged to a highly privileged user and that this may have been what granted them the ability to read mail bodies. The compromised account has subsequently been locked to prevent any further abuse.

The support account would also have only had access to free Outlook.com/Hotmail/MSN-branded accounts and not to paid Office 365 email.

Motherboard’s source also gave a motive for the hack. iPhones are tied to their owner’s iCloud account through Activation Lock, which prevents a thief from wiping the phone and setting it up again as a new device. This makes stolen iPhones less valuable; they can still be salvaged for parts, but they can’t be resold as complete working handsets while they remain tied to their original owner. With access to the owner’s email account, however, an attacker can receive the account reset messages, dissociate the phone from the iCloud account, and then reset the handset. In other words, the hackers weren’t much interested in the email accounts per se; they wanted those reset-request emails so they could boost the resale value of their stolen phones.