I get the feeling this is additional to the 9 May update that Nick_ADSL has posted about, as in his summary I don't see it mentioned. I assume that was all packaged up and ready to go.
As I don't use Defender I have nothing to check, and don't think my auto-update has kicked in anyway. However, does it imply any AV product could trigger it?
Microsoft has released an urgent update to stop hackers taking control of computers with a single email.
The unusual bug, in Microsoft anti-malware software such as Windows Defender, could be exploited without the recipient even opening the message.
Researchers working for Google's Project Zero cyber-security outfit discovered the flaw at the weekend.
The fix has been specially pushed out hours before the software giant's weekly Tuesday security update.
Hackers could exploit the flaw simply by sending an infected email, instant message or getting the user to click on a web browser link.
Windows 8, 8.1, 10 and Windows Server operating systems are affected by the bug.
Anti-virus software such as Windows Defender would merely have to scan the malicious content for the exploit to be triggered.
On some computers, scans are set up to occur almost instantly - "real-time protection" - or to take place at a scheduled time.
Windows users can check that they are running the latest Windows Defender version (1.1.13704.0), which should download automatically, to make sure they are not at risk - or hit the update button. Link.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 63086/13719Kbps @ 600m. BQMs - IPv4 & IPv6
Edited by RobertoS (Tue 09-May-17 23:42:57)
More information is in Microsoft Security Advisory 4022344.
The most likely scenario is that if you are using an affected Microsoft security product you should automatically pick up the fixed Microsoft Malware Protection Engine within 48 hours of its release, assuming you are using an Internet-connected system. This Engine is updated frequently and on a much faster release cycle than the monthly cumulative patches for Windows.
As Microsoft say "no action is necessary" as a result of this advisory for the majority of users. Admins who apply updates via a local server may need to take some action, but they should know what they are doing.
==================================
Sovereignty really does mean sovereignty
So glad I do not use Windows' own security system.
Adrian
Desktop machine now powered by Windows 8.1 Pro 64-bit, no dreaded Metro, laptop by Linux
Plusnet FTTC
Thanks for the link David.
48 hours is a long time once hackers know there is such a vulnerability however. That is why manual updating is suggested.
There is also the possibility that some proprietary IS systems are vulnerable to similar exploits, and not all end users are meticulous in applying updates. I expect most readers here are.
"That is why manual updating is suggested." It's not suggested by Microsoft.
Re: "Windows users can check that they are running the latest Windows Defender version (1.1.13704.0), which should download automatically, to make sure they are not at risk - or hit the update button." Mine has been updated to this version automatically.
I don't run it. There are loads of bits of it visible via File Explorer but I can't find an exe to try to establish its version, and last night couldn't be bothered to enable it in Services to find out or force it. Pointless except for interest.
It will no doubt be updated soon on my main laptop, and Kaspersky and Norton some time today if not already. On the other laptop within minutes of turning on, whenever that is.
Edited by RobertoS (Wed 10-May-17 09:30:27)
To be fair most AV software has had issues, and it's choosing the best of a bad bunch at times. I've used a few over the years and had issues with them flagging boot files as a false positive, causing the PC to not boot as it deleted the file, and one even had a false positive which made it think the AV program itself was a virus.
Don't most email clients (certainly the likes of Outlook web) block any executable code by default on incoming mail?
Still quite concerning, as most viruses need some kind of user interaction/stupidity to execute, whether it be visiting a dodgy site, clicking a dodgy link in an email, etc.
It's not quite that simple. The exploit works by using a flaw in the virus scanner to execute the code.
These sort of exploits will always exist but the heartening thing is how quickly Microsoft has reacted and pushed out a patch. Most users will never be aware that the exploit existed and will have been automatically patched. It really is impressive that it has been fixed so quickly.
+1
And that it was discovered in a lab not active in the field.
It was impressive how quickly it was fixed, but I don't think they had a choice given the circumstances around it.
"I can't find an exe to try to establish its version." The .EXE is at "%ProgramFiles%\Windows Defender\MSASCui.exe".
Mine seems to be Antimalware Client Version: 4.10.14393.1066 on Win 10 Anniversary Edition.
EDIT: Duh! That's just the version of Windows itself!
1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
Edited by XRaySpeX (Thu 11-May-17 03:03:14)
Is this a problem for the Anniversary Edition, as Defender is totally different in the Creators Edition? My exe is saying 4.11.15063; is this version affected? The BBC article is not very clear.
See this Microsoft Advisory. This link posted earlier in the thread by David_W.
Given the products it is stated that have the vulnerability, and the very deep inside sort of bug it is, it would be strange if the Creators Edition version doesn't also have it. Even though the serial number seems much higher. It can't be that much up the development path surely, and even if it is, how "completely different" is it from the mainstream one? An entirely different source starting from scratch at some point in the past?
How often do you update for security patches?
I have checked Windows Update several times today and had several definition updates, and yesterday I had the updates that Nick has posted, but looking in WU history I can't see anything about an engine update, nor can I find the engine serial number mentioned.
Edited by Banger (Thu 11-May-17 00:09:22)
I seem to have Windows Defender Security Center, with advanced network scanner. So I don't know if it is up to date or not. The exe seems to be the one with Creators Update as it is v4.11.15063.
Edit: It is up to date, found the Engine Version from an Article after googling the vulnerability and learning how to access the Security Centre about page. Phew.
Edited by Banger (Thu 11-May-17 00:34:12)
Great.
I thought there had to be an update for it, just not mentioned in the main advisory.
I expect that is because it isn't on full roll-out yet, is it? Available to anyone, but only manually by user download. Also doesn't preserve user settings, whereas the automatic upgrade should.
I downloaded the ISO, and did an Upgrade install. Auto roll out started 11th April, but you can get it now by getting the Windows Upgrade Assistant and that will download it straight away.
I have done several Upgrade installs and they always preserve settings so does the Upgrade Assistant.
The file in question is actually mpengine.dll not any .EXE. My vers. is only at 1.1.12805.0 on Win 10 Anniversary Edition but Win Defender is disabled.
Edited by XRaySpeX (Thu 11-May-17 03:05:26)
It's the version number of the engine, not the executable, that you need. It is listed on the "About" menu in the application.
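A scripted version of the check David_W describes, added here and not taken from the thread or from Microsoft: it reads the engine version (not the executable or Windows build) with the built-in Defender PowerShell module, compares it with the fixed build 1.1.13704.0 named earlier in the thread, and, if it is older, triggers the same update the Defender UI's Update button does. It assumes Defender is enabled and that the Defender cmdlets are present (Windows 8.1/10; third-party AV machines will simply report that the cmdlets are unavailable).

```powershell
# Added example (not from the thread). Checks the Microsoft Malware Protection
# Engine version on this machine against the fixed build named in the thread.
$fixedEngine = [version]'1.1.13704.0'

try {
    $status = Get-MpComputerStatus -ErrorAction Stop
} catch {
    Write-Warning "Defender cmdlets unavailable (Defender disabled or third-party AV in use): $_"
    return
}

# AMEngineVersion is the mpengine.dll build; AMProductVersion is the client/platform.
$engine = [version]$status.AMEngineVersion
Write-Host ("Engine {0}  Platform {1}  Signatures {2}  Last signature update {3}" -f
    $engine, $status.AMProductVersion, $status.AntivirusSignatureVersion,
    $status.AntivirusSignatureLastUpdated)

if ($engine -ge $fixedEngine) {
    Write-Host "Engine $engine is at or above $fixedEngine - fix for Advisory 4022344 is in place."
} else {
    Write-Warning "Engine $engine is older than $fixedEngine - requesting an update now."
    # Equivalent to pressing Update in the Defender UI; run from an elevated prompt.
    Update-MpSignature -ErrorAction Stop
    $engine = [version](Get-MpComputerStatus).AMEngineVersion
    Write-Host "Engine is now $engine"
}
```

Run it as Administrator so that `Update-MpSignature` is allowed to fetch the engine; on a machine where `Get-MpComputerStatus` is missing, check the About page of the third-party product instead.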
I'm having a mental blackout. I have always found it difficult since upgrading from 8.1 to 10 to find the actual update version of it that I'm on, and right now failing miserably. I suspect from when I clicked for a new tab in IE11 that I got the Creators update last night, as instead of getting my usual "new tab" screen that I have set to the one that holds an array of frequently used I got a Microsoft Advertising one with loads of junk and a warning that continuing without changing settings would authorise an avalanche of MS ads from thereon in.
So I followed the link and turned them off, then went to settings and reset that, then restarted as instructed.
History:
Last night the machine had been running dreadfully slow for hours for no apparent reason. When I went to turn it off it offered the common Update and restart or Update and turn off, which I took. It went to the "Preparing to update" screen as usual.
About 5 minutes later I came back and it had shut down. I was surprised as I thought it may be this upgrade which I would expect to take longer.
Started it up this morning and as I normally do waited till I could log on, then left it to complete the start-up procedures which don't start till then. Probably 20 minutes later all seemed normal till I clicked this New Tab.
I suspect the slow running and constant fan running was a background installation of Creators.
So I want to see if I'm on 1607 as before or 1703.
Edited by RobertoS (Thu 11-May-17 11:59:03)
Run 'winver' from a command prompt to see which version you are on.
Thanks Ian. 1607, and much easier than what I have always done. D'oh!
In which case you may have concerns about the behaviour that your computer exhibited. Time for a thorough malware scan?
You could be right, except it isn't doing it now, and did stop last night. It does it fairly often for reasons I have always easily traced, which is why I wasn't too worried last night. Though it was rather persistent.
So yes. Time to have some lunch. I shall start a full system Kaspersky scan after posting this, and following that run Malwarebytes as well.
Thanks.
No problems from Kaspersky. Sixty-nine from Malwarebytes all registry, folder or file stuff to do with PUP.Optional.Amazon1Button.AppFlsh, commented as possibly not required or some such. Not labelled as threats.
So I let it quarantine them. If Amazon needs them no doubt it will reinstate them without my knowledge or complain and I can take it from there.
Edited by RobertoS (Thu 11-May-17 17:55:28)
No need to use a command prompt, just type winver from the Start button.
Tony
Happily running Windows 10 Pro on both desktop and laptop
We have more and more laws, and less and less enforcement
Yesterday I started up my older, still Win 10, laptop for a specific reason but forgot all about it for hours. When I came back it had clearly done a Windows update and rebooted, which is what it sometimes does with a count-down warning.
Anyway, I checked the version which was still 1607, but when I went to a new tab in IE11 that too had the grotty MS advertising and links page. As on the other I disabled MS advertising and in Internet Options changed the setting to my usual one.
This MS page is clearly part of the latest update. It calls itself a news feed. I've never seen it before, at least in this format, and it is now the top of the drop down list of options for what happens when you click for a new tab, (defaulting to it after installation as on my main laptop). It used not to be in that list at all.
I could also have said press Win+R and enter the command 'winver' amongst many other ways of achieving the same result...
Customer Guidance for WannaCrypt attacks
Microsoft solution available to protect additional products
https://docs.microsoft.com/en-us/msrc/customer-guida...
Wilders Security Admin
Microsoft MVP - Windows Insider
For the latest in virus software signatures
From the Security specialists
Wilders security
Keep Your Security /Software Current
Upgrades, Updates & Definitions
Major Geeks
Microsoft Security Advisories
Twitter