Steve the IT Tech Guy

From Security Now Episode 771

Security NewsPatch TuesdayMicrosoft continues its record-break streak. Or as Sophos put it:“Whoosh. You hear that? It’s the sound of Microsoft’s security fire hose spraying out a river ofCVE fixes. That’s right – Patch Tuesday was last [this] week and the software giant releasedpatches to fix 129 CVEs.”In other words, it has once again broken its all-time record for the most patches released in onemonth.While most of those are regarded as and rated “important”, 11 of those 129 CVE are CRITICALremote code execution vulnerabilities which Windows 10, since last Tuesday, no longer has.There’s CVE-2020-1286, a Windows shell RCE triggered by improper file path validation.And 1299, an RCE bug that an attacker could exploit using a malicious .LNK file and associatedbinary. Note that either we still haven’t got .LNK link files working right, or we keep breakingthem, since Windows has been having security problems with link files from the start. In thiscase Microsoft warns us that if a malicious link file was placed onto a removable drive or networkshare, clicking on the .LNK file would run the attacker’s malicious code in the file.The there’s 1281, a vulnerability in the Windows Object Linking and Embedding (OLE) codestemming from poor input validation and it’s exploitable via a malicious website, file, or emailmessage.1248 is a memory object handling bug in GDI, Windows Graphics Device Interface, which isdeliverable by a website, instant message, or document file.Those all affected Win10, of course, since Windows 7 is no longer being maintained, and many ofthese also affected the latest 2004 build of Windows 10 since, of course, most of the code neverchanges.Not to be forgotten, IE had its own batch of critical vulnerability bungles. Both IE 9 and 11 weresusceptible to RCE via bug CVE-2020-1213, 1216 and 1260, all memory handling errorsaffecting VBScript.The original Edge browser (isn’t that history, yet?) had a critical vulnerability, 1073, a memoryhandling bug in its ChakraCore JavaScript engine. And CVE-2020-1219 affects both IE andEdgeHTML with more memory-handling issues.1181 is a bug in the SharePoint Server. It can be exploited by unsafe ASP.Net controls that don’tfilter properly. Attackers able to upload a malicious page to the server (not clear how they woulddo that, but perhaps through remote website authoring) could achieve pwnage. As aconsequence, admins of SharePoint Enterprise Server 2016, Foundation 2010 SP2 and 2013SP1, or SharePoint Server 2019 should all patch now.Security Now! #7712
There’s also 1300, a long standing bug in Windows’ handling of cabinet files. It affects mostversions of Windows, Win7 through Win10 2004, and also Windows Server.And, believe it or not, those were just the 11 ?critical? bugs. If I were to attempt to detail theother one hundred and eighteen “important” flaws, this entire podcast would have to be retitled:“Patch Tuesday.” I’ll spare us that, since we have plenty more to talk about. In the meantime,Microsoft, ?BIG? congrats on achieving another lifetime milestone.And speaking of milestones, we also have…The case of the disappearing printer portMicrosoft’s disclosure of this oddball Win10 delight is titled: “USB printer port missing afterdisconnecting printer while Windows 10 (version 1903 or later) is shut down” and it is stated asapplying to: Windows 10, version 1903, all editions. Windows 10, version 1909, all editions. AndWindows 10, version 2004, all editions.https://support.microsoft.com/en-us/help/4566779/usb-printer-port-missing-after-disconnecting-printer-while-windows-10What happens? Microsoft explains:“If you connect a USB printer to Windows 10 version 1903 or later, then shut down Windows anddisconnect or shut off the printer, when you start Windows again the USB printer port will not beavailable in the list of printer ports. Windows will not be able to complete any task that requiresthat port.”Resolution:You can avoid the issue by connecting a powered-on USB printer before starting Windows.“Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the”Applies to” section. We are working to fix the issue in a future version of the operating system.”According to reporting of this in the tech press, if you need to print something to yourUSB-connected printer and you didn’t have it on ?before? you started Windows, no problem. Justshut down your computer, turn the printer on and wait for it to finish initializing and settle down,then you can fire up Windows and the printer port should reappear and you’ll be able to print.Because this is a state-of-the art modern operating system.And, believe it or not, in a related but separate matter…Last week;s Patch Tuesday broke ALL PRINTING (even to PDFs) for many users:Windows 10 users are reporting that they are unable to print to printers from several vendorsafter installing last week’s updates for Windows 10 versions 1903, 1909, and 2004 OS’s.The two specific patches causing the trouble have been determined to be cumulative updatesKB4560960 and KB4557957. Although Microsoft hasn’t yet gone official, a Microsoft AnswersIndependent Community Advisor has stated that Microsoft engineers are “already aware of thisSecurity Now! #7713

issue and working a patch to be deployed in the next update.” Oh, joy. No printing for a month.So after updating their machines last Tuesday, users started flooding both Microsoft Answersforums and Reddit with reports of printing issues affecting various models of HP, Canon,Panasonic, Brother, and Ricoh devices. Typical posted included:?“Unable to print after installing update KB4560960 and/or KB4561608. Uninstalling updatesfixes problem. This is happening to every Windows 10 computer in our organization asupdates install.”?Another says that right after installing the KB4560960 on multiple systems, users startedreporting “Windows cannot print due to a problem with the current printer setup” errors thatwent away after uninstalling the update.?Someone wrote: “Found this problem today where all clients at a customer site had the sameproblem,” others complained. “They have Ricoh, but a few other brands too. Even the virtualPDF printers do not work anymore. Explorer.exe crashes completely when doing atest-print…”?A network technician posted: “HPs seem to be hit or miss with this issue. Ricoh / Canon /Brother / KM / Kyocera all seem to be experiencing problems. As everyone else is saying,backing out update KB4560960 and postponing updates seems to be our only salvation atthis point.”?“Hopefully Microsoft will produce a patch for this quickly, call volume is picking up witheverybody returning to work, this is going to make things awfully hectic!”Affected users have found that the printer’s native driver ?can? be replaced with PCL6 driverswhich reportedly work, or by uninstalling last week’s cumulative updates to restore printing, andalso to restore those 11 critical remote code execution bugs. You’ll be fine. It’s been determinedthat attempting to uninstall and reinstall the printer, or updating its drivers, does not help. PCL6printer drivers do work… either vendor-specific PCL6 drivers or the universal Windows 10 PCL6drivers for Canon, HP, Ricoh, Kyocera, and Brother.Windows 10 2004 is messing up SSDs and non-SSDs.Just a quick note for those running Windows 10 who have moved to 2004 with SSDs: The 2004feature update has broken Windows awareness that it has ever previously defragmented thesystem’s drive. As a result, rather than only defragging occasionally, like once a month bydesign to improve the performance of Windows “volume shadow copy on write” performance,Win10 is defragging every time the system is started.This isn’t a huge problem since SSDs should have strong write endurance, but it’s still not whatwe want. Microsoft has acknowledged the problem but hasn’t indicated when it will be resolved.The release notes for the Insider Preview build 19551 states: “Thank you for reporting that theOptimize Drives Control Panel was incorrectly showing that optimization hadn’t run on somedevices. We’ve fixed it in this build.”Security Now! #7714
And in another oddity,? Win10 2004 is also attempting to use the TRIM command on non SSDdrives. That fails and logs an error into the Windows error log. But it should not be trying.Our longtime listeners will recall that SSDs have a TRIM command to allow the operating systemto inform the drive of the drive regions that are not in use by the OS. Normally, drives treat allsectors alike and only the OS has any awareness of which regions are in use by its file system,and which are free. Hard drives write data by simply overwriting what was there before. ButSSDs are only able to set bits that have been previously reset by an erase cycle. And erasecycles erase large blocks of the SSD all at once. This means that to write a small region of alarger block, the previous contents of the larger block must first be read and held in RAM whilethe underlying block is all reset. Then the cached data must be rewritten into the block. But IFthe SSD has an awareness of which sectors are not in use, it can leave them reset rather thanneeding to rewrite them with unneeded data. AND those reset and unwritten blocks can later bewritten to directly without needing any pre-erase since they were left erased.But although doing this clearly makes no sense for hard drives, some new bug introduced into2004 is causing Windows to issue these superfluous TRIM commands to spinning hard drivesnonetheless.There were also reports that many programs would no longer run at all after last Tuesday’supdates, but it turned out that the problem was caused by an interaction with a recent updatefor Avast and AVG anti-malware software. They hook into a feature that allows them to interceptthe running of other programs and that didn’t go as expected.Overall, much as Win10 2004 is promising some new features, it does feel as though perhapsholding back a bit and waiting for things to settle down might be prudent.