Channel: Windows – Born's Tech and Windows World

Internet Explorer 11 Update KB3008923 (May 2017) is back


[German] A strange thing happened today: Windows 7 machines are receiving Internet Explorer 11 security update KB3008923 via Windows Update, an update dated December 2014. Here are a few details and observations.

I received the first notification this morning, when blog reader Leon wrote: ‘Hello Mr. Born, this night an Internet Explorer 11 update KB 3008923 has been offered’. After searching the web, I came to the conclusion that it was a false alarm, because all I could find were articles from 2014.

But then a comment from @Webmasta within my old German blog post Patch-Flicken: Internet Explorer-Update KB 3025390 verfügbar, published in December 2014, also mentioned update KB 3008923. Webmasta wrote: KB (3008923) has been offered on my fully patched Win7 Pro 64 machine. Has somebody else received this update?

Checking Windows Update on my Windows 7 machine

I currently run a Windows 7 SP1 machine (for productive work), so while writing this blog post I opened Windows Update and let it search for new updates. Here is what I got (click the screenshot to enlarge).

(Screenshot: Windows Update offering KB 3008923)

Windows Update offers a ‘Cumulative security update for Internet Explorer 11 for Windows 7 for x64 systems (KB3008923)’ with a download size of 52.7 MB. The update is dated 12/09/2014 and is rated as important. The description says:

This security update resolves several reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage in Internet Explorer. This security update helps protect Internet Explorer from being attacked.
Additionally, this security update includes several non-security-related fixes for Internet Explorer.

But the KB article for this update was published on December 9, 2014.

Update KB3008923 is from 2014

I searched the web, but all I could find related to this update were articles dated December 2014. Then I searched the Microsoft Update Catalog.

(Screenshot: Microsoft Update Catalog search results for KB 3008923)

All I could find were updates from December 2014 – and some versions from January 2014 for Windows Embedded 7 Standard and Windows Server 2003 (this software has reached end of life). The English KB article 3008923 says:

The update that this article describes has been replaced by a newer update. We recommend that you install the most current cumulative security update for Internet Explorer.

But there is no note about the date of this remark. So overall I conclude: Windows Update says there is an important IE 11 security update, but all information I found was dated 2014. There is another remark within the KB article:

KB3022827 redirects you to this article because KB3022827 contains the same security updates from this KB that apply to Windows 10 Technical Preview.

Really odd are the notes given under known issues in KB3008923. Microsoft says:

We are aware of some reports of functional issues on sites that use nested modal dialog boxes on Internet Explorer 11 that occur after you install this security update.

We are aware of some limited reports of Internet Explorer 9 crashing after you apply this security update.

Well, IE 9 seems to be history in Windows 7 SP1, but the modal dialog box issue doesn’t sound good. Update KB3008923 was also mentioned in 2014 as the root cause of several other issues (see here, here, here). askwoody.com also has a short article and a discussion about this patch. Currently I recommend hiding this update.

Final thoughts

Let’s nail it down:

  • Maybe something went wrong on Microsoft’s update servers and they are offering an old patch.
  • Or Microsoft has changed something, but forgot to change the description within the KB article, the Update Catalog and the Windows Update metadata.

Independent of the answer, this is obscure, and it won’t help raise Microsoft’s reputation. I still have in my head the interview The Register made with Microsoft’s Brad Anderson, Corporate Vice President of Enterprise Client and Mobility, during Ignite 2016. Anderson stated:

Our long term vision on Windows 10 management is that organizations should rely on Microsoft to do more for them on their behalf. Let us worry about your images. Let us keep your devices updated through Windows Update for Business. Rather than you approving which patches you want, we are saying let them all flow because the way organizations get the most secure, the most compliant, the most reliable and most performance devices is to stay updated with all of our updates …

There is years of experience that IT pros have, sometimes we release updates that break something. As we build confidence with IT pros around the world that our updates are solid they will get more comfortable with just letting the patches go through, in Windows Update for Business you have the ability to say, I want to delay these updates, so you have some level of control. You don’t have the degree where you can say I want to deploy these three but not these 10.

Well, Windows 7 is old stuff – and Microsoft is heavily promoting Windows 10. But I can’t believe that actions like the one we have seen again today build trust in Microsoft’s ability to handle updates properly. I would say that the update thing is terribly broken. Or do you have a different opinion?

Addendum: An explanation

An explanation may be found at askwoody.com from @abbodi86 within this comment: they expired most of IE11 cumulative updates (around 14 updates)
however, the supersedence chain for KB3008923 is now broken, the update that supersede it is expired – therefore and by metadata rules, KB3008923 is not superseded now.

So, just hide update KB3008923 – and probably the other updates (KB3003057 and KB2987107) within the broken supersedence chain.
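To make the metadata rule from the addendum concrete, here is an added toy model (not code from the blog post, askwoody.com or Microsoft) of how a supersedence chain behaves when the superseding update is expired. The KB numbers are the ones named above, but the chain itself and the expired superseder KB-PLACEHOLDER-NEWER are constructed for illustration, not Microsoft's real catalog data.

```powershell
# Added example: a constructed supersedence chain. Each entry names the update
# that supersedes it (if any) and whether the entry has been expired (pulled).
$Catalog = @{
    'KB2987107'            = @{ SupersededBy = 'KB3003057';            Expired = $false }
    'KB3003057'            = @{ SupersededBy = 'KB3008923';            Expired = $false }
    'KB3008923'            = @{ SupersededBy = 'KB-PLACEHOLDER-NEWER'; Expired = $false }
    # Hypothetical newer IE11 cumulative update that Microsoft later expired.
    'KB-PLACEHOLDER-NEWER' = @{ SupersededBy = $null;                  Expired = $true  }
}

function Test-IsSuperseded {
    # Metadata rule modelled here: an update counts as superseded only if the
    # update that supersedes it is still live. An expired superseder breaks the chain.
    param([string]$Kb, [hashtable]$Catalog)
    $next = $Catalog[$Kb].SupersededBy
    if (-not $next) { return $false }               # nothing supersedes it
    if ($Catalog[$next].Expired) { return $false }  # superseder expired: not superseded any more
    return $true
}

function Get-OfferableUpdates {
    # Updates the metadata rules leave offerable: live (not expired) and not superseded.
    param([hashtable]$Catalog)
    $Catalog.Keys | Where-Object {
        -not $Catalog[$_].Expired -and -not (Test-IsSuperseded -Kb $_ -Catalog $Catalog)
    } | Sort-Object
}

"While the newer update is live, only it is offerable:"
$Catalog['KB-PLACEHOLDER-NEWER'].Expired = $false
Get-OfferableUpdates -Catalog $Catalog

"After expiring the newer update (the situation described in the addendum):"
$Catalog['KB-PLACEHOLDER-NEWER'].Expired = $true
Get-OfferableUpdates -Catalog $Catalog
```

In the second run KB3008923 is offerable again because nothing live supersedes it, while KB3003057 and KB2987107 stay superseded as long as KB3008923 itself is not expired.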


Windows 10 Version 1703: Fix for network printer install issue


[German] Users of Windows 10 Creators Update are probably facing a strange issue: in some scenarios network printers can’t be installed. The printer setup won’t find the device. Here are a few details and a workaround.

What’s the problem?

Windows 10 provides a printer install wizard to search for devices and add the appropriate drivers. In Windows 10 Creators Update (Version 1703) the wizard fails on machines with less than 4 GB RAM. Setup for a network printer (a WSD device) doesn’t find the device, and the installation fails.

WSD stands for Web Services for Devices, a Microsoft API to access devices (printers, scanners) within a network (see).

In previous Windows 10 versions this issue doesn’t exist. Microsoft has confirmed the issue:

When connecting a network printer (a WSD device) to a network with a PC that contains less than 4 GB of memory and is running Windows 10 Creators Update (version 1703), if I run the printer’s setup software on the PC, the setup software fails to discover and install the printer. This problem did not exist prior to installing the Creators Update.

They are investigating this issue and offer a workaround. Because the solution is a bit ‘short’, here are a few additional details.

How to fix this network printer install issue

Microsoft wrote within the MS Answers forum post: Microsoft has confirmed a known issue that may prevent network printer software from discovering and installing the network printer on systems with low memory (< 4GB). This is due to firewall hardening rules added in Windows 10 Version 1703. To fix this, they suggest running the required service within its own process. Here are the steps:

1. Enter cmd into the task bar’s search box and wait until the Command Prompt search result is shown within the start menu.

2. Right-click the Command Prompt search result and select the context menu command Run as administrator. Confirm the UAC prompt.

3. Enter the command sc config fdphost type=own into the administrative command prompt window and press the Enter key.

4. Restart Windows and try to install the network printer again.

At this point a bit of background information. fdphost is a service (Function Discovery Provider Host) that detects network devices. Obviously this service has trouble executing in Windows 10 Version 1703 when memory runs low. The command above uses sc to tell Windows to run the fdphost service within its own process (see also this Technet article and this discussion). It seems that isolating fdphost within its own process solves the issue – the network printer will be found via WSD and the installation should run successfully.
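The same workaround as a script that first checks whether a machine matches the conditions from the forum post before changing anything. This is an added example, not Microsoft's or the blog's own script; it assumes an elevated PowerShell on Windows 10 and uses build 15063 (Version 1703) and the 4 GB threshold named above as the match criteria.

```powershell
# Added example: check the conditions for the fdphost workaround, then apply it.
function Get-FdphostStatus {
    # Win32_Service.ServiceType is "Share Process" while fdphost lives in a shared
    # svchost.exe and "Own Process" once it has been moved into its own process.
    $svc   = Get-CimInstance Win32_Service -Filter "Name='fdphost'"
    $os    = Get-CimInstance Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $ramGB = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)   # WMI reports KB
    [pscustomobject]@{
        Build       = $build
        RamGB       = $ramGB
        ServiceType = $svc.ServiceType
        StartMode   = $svc.StartMode
        # 15063 = Windows 10 Version 1703; the issue hits machines below 4 GB RAM.
        NeedsFix    = ($build -eq 15063) -and ($ramGB -lt 4) -and ($svc.ServiceType -ne 'Own Process')
    }
}

function Enable-FdphostOwnProcess {
    # Same change as step 3 above. sc.exe's documented syntax has a space after
    # "type="; the new service type only takes effect after a reboot (step 4).
    $out = & sc.exe config fdphost type= own
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed: $out" }
    $out
}

$status = Get-FdphostStatus
$status
if ($status.NeedsFix) {
    Enable-FdphostOwnProcess
    "fdphost is now configured to run in its own process; reboot, then retry the printer setup."
} else {
    "No change made: the workaround is not needed here or is already applied."
}
```

Running Get-FdphostStatus again after the reboot should show ServiceType "Own Process", which is the quickest way to confirm the change stuck.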


Windows 10 V1709: new release terminology planned


Microsoft plans to replace the old Windows 10 terminology ‘Current Branch’ and ‘Current Branch for Business’ with new terms like ‘Semi-Annual Channel (Pilot)’ and ‘Semi-Annual Channel (Broad)’.

Microsoft has announced that the company will release two feature updates a year for Windows 10 and also for Office 365 ProPlus (see Windows 10: Redstone 3 is coming September 2017). In an effort to streamline the release terminology of Windows 10 and Office 365, Microsoft plans to change some terms. This was revealed during Microsoft’s AMA session last week. Michael Niehaus explained the planned change after a user asked:

  • New Windows 10 releases are initially considered “Current Branch” releases, to be used for piloting.  After a period of about four months, we’ll declare the release as a “Current Branch for Business” release, ready for broad deployment.
  • New Windows 10 releases in the Semi-Annual Channel are initially to be used for pilot deployments.  After about four months, we’ll declare that the release is ready for broad deployment.

Regardless of the terms, the 18 months is for the release, e.g. Windows 10 1703, and those 18 months start from the date it was released. Another user detailed things:

  • 1709 is released in September 2017. It’s dubbed “Semi Annual (Pilot)”, and the 18 month clock starts ticking immediately.
  • A few months later (January 2018, if we’re matching the Office Pro Plus timeline), 1709 is declared ready for Semi Annual (Broad). The 18 month clock is now at 15 months.
  • 15 months later (March 2019), 1709 is no longer supported. There is no 60-day “grace period”, as that was removed with implementation of this new servicing schedule.

Martin Brinkmann from ghacks.net gives further explanations in his article here.


Windows 10 V1703: Using a touch optimized Explorer app


Microsoft delivers Windows Explorer (explorer.exe) in Windows 10 Creators Update as the file manager. But there is an undocumented, touch-optimized file manager app on board. Here are a few details on how to use it.

Windows Explorer is well known; this file manager can be accessed via a task bar icon or via the desktop icon This PC.

But on touch screens this file manager isn’t the best choice. While Microsoft shipped a file manager app in Windows 8, similar apps for Windows 10 are offered by third-party developers. But Windows 10 Version 1703 contains a touch-optimized file manager app within the path:

C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy

Here is how this app currently looks (screenshot):

The app has a hamburger menu and some buttons in the footer to handle basic file operations. A context menu to copy, move, rename or delete files is also supported.

How to use this app?

Double-clicking C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy to launch this app doesn’t work. Martin Brinkmann from ghacks.com found this SemperVideo and published the details for using the new file manager. We need a desktop shortcut with the following command:

explorer shell:AppsFolder\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy!App

to invoke the new app. Right-click a free part of your Windows 10 desktop and select the context menu commands New/Shortcut. Then add the command given above for this shortcut and set a name for your desktop shortcut. A double-touch on this desktop icon then invokes the new file explorer app.

Windows has a critical wormable vulnerability


[German] It’s a bit cryptic what Google security experts Natalie Silvanovich and Tavis Ormandy from Project Zero just revealed. They claim they have discovered the ‘worst Windows remote code exec in recent memory’. Update: Microsoft has issued a fix for this vulnerability in the Malware Protection Engine.

Last Saturday Tavis Ormandy posted a tweet mentioning this security hole in standard Windows installs.

Currently no details about the affected Windows component have been released. Tavis wrote that the attacker doesn’t need to be in the same network as the victim (so I guess remote access via the Internet will be possible). The exploit works on a standard Windows install – no further software is required. The attack is wormable (can self-replicate). Let’s hope Microsoft releases a fix tomorrow (May 9, 2017) on patch day. (via)

Microsoft has issued a fix for this vulnerability in the Malware Protection Engine. Further details may be found within my blog post Microsoft fixes critical Malware Protection Engine vulnerability.

Windows 10: What are dynamic updates?


[German] Sometimes Microsoft offers Windows updates that are labelled ‘dynamic updates’. Here are a few details about what dynamic updates are for.

I came across this term with updates KB4020001 and KB4020002 released recently for Windows 10 (see my blog post Windows 10 V1703: Updates KB4020001 and KB4020002). Both updates have been labelled ‘dynamic’ in Microsoft’s KB articles – but I was wondering why neither of those updates has been offered via Windows Update. One of my German blog readers pointed me in the right direction when he mentioned that these are ‘dynamic updates’ for upgrading Windows.

Dynamic Updates – for Windows Upgrade installation only

Microsoft has introduced dynamic updates to support an upgrade from a Windows install to a new operating system version. During setup it’s possible to download dynamic updates and integrate them into the install process. According to this document, critical drivers and other improvements for the upgrade may be released via dynamic updates.

In the Media Creation Tool and during upgrades, the install wizard offers to download updates from Microsoft’s servers and integrates them into the install process. This Technet article contains some details about ‘Dynamic Updates’ for Windows 8.x.

Microsoft fixes critical Malware Protection Engine vulnerability


[German] Microsoft has acted quickly on a critical vulnerability in Windows reported yesterday (see Windows has a critical wormable vulnerability). Tonight a security advisory was released; patches will be available.

Yesterday Google security experts Natalie Silvanovich and Tavis Ormandy from Project Zero revealed a security hole in standard Windows installs. An attacker can use a remote code execution vulnerability, but Tavis did not reveal details. Tonight things became clearer.

Microsoft released Microsoft Security Advisory 4022344 on May 8, 2017 with more details. It addresses a security update for the Microsoft Malware Protection Engine. The Microsoft Malware Protection Engine ships with several Microsoft antimalware products (like Microsoft Security Essentials and Windows Defender). Microsoft wrote:

Microsoft is releasing this security advisory to inform customers that an update to the Microsoft Malware Protection Engine addresses a security vulnerability that was reported to Microsoft.

The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.

Details about CVE-2017-0290

A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file leading to memory corruption.

To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine. There are many ways that an attacker could place a specially crafted file in a location that is scanned by the Microsoft Malware Protection Engine.

  • For example, an attacker could use a website to deliver a specially crafted file to the victim’s system that is scanned when the website is viewed by the user.
  • An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened.
  • In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server.

If the affected antimalware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file is scanned. If real-time scanning is not enabled, the attacker would need to wait until a scheduled scan occurs in order for the vulnerability to be exploited. All systems running an affected version of antimalware software are primarily at risk.

An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by correcting the manner in which the Microsoft Malware Protection Engine scans specially crafted files. Currently it seems that this vulnerability has not been publicly used to attack customers.

Affected versions and products

Microsoft says Microsoft Malware Protection Engine version 1.1.13701.0 is affected; in version 1.1.13704.0 and higher the issue has been addressed. They note, ‘if your version of the Microsoft Malware Protection Engine is equal to or greater than this version [1.1.13704.0], then you are not affected by this vulnerability and do not need to take any further action’. I interpret this sentence to mean that an automatic update will be shipped. The Microsoft Malware Protection Engine is included in the following products.

Antimalware Software                                                                                      Microsoft Malware Protection Engine Remote Code Execution Vulnerability – CVE-2017-0290
--------------------------------------------------------------------------------------------------------  ---------------------------------------------------------------------------------------
Microsoft Forefront Endpoint Protection 2010                                                              Critical – Remote Code Execution
Microsoft Endpoint Protection                                                                             Critical – Remote Code Execution
Microsoft Forefront Security for SharePoint Service Pack 3                                                Critical – Remote Code Execution
Microsoft System Center Endpoint Protection                                                               Critical – Remote Code Execution
Microsoft Security Essentials                                                                             Critical – Remote Code Execution
Windows Defender for Windows 7                                                                            Critical – Remote Code Execution
Windows Defender for Windows 8.1                                                                          Critical – Remote Code Execution
Windows Defender for Windows RT 8.1                                                                       Critical – Remote Code Execution
Windows Defender for Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016, Windows 10 1703   Critical – Remote Code Execution
Windows Intune Endpoint Protection                                                                        Critical – Remote Code Execution

Typically, no action is required of enterprise administrators or end users to install updates for the Microsoft Malware Protection Engine, because the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release. The exact time frame depends on the software used, Internet connection, and infrastructure configuration.
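Because the engine update arrives silently with definition updates, the practical check is to read the installed engine version and compare it with the 1.1.13704.0 threshold from the advisory. The script below is an added example (not from the advisory or this blog); it assumes a Windows 8.1/10 or Windows Server 2016 machine where the Defender PowerShell cmdlets Get-MpComputerStatus and Update-MpSignature are available (they are not present on Windows 7 or with Microsoft Security Essentials).

```powershell
# Added example: verify the Malware Protection Engine is at or above the fixed build.
$FixedEngine = [version]'1.1.13704.0'   # first engine build with the CVE-2017-0290 fix, per Advisory 4022344

function Test-MpEngineFixed {
    # Returns $true when the installed engine is at or above the fixed build.
    param([version]$Installed)
    $Installed -ge $FixedEngine
}

function Get-MpEngineReport {
    $mp     = Get-MpComputerStatus
    $engine = [version]$mp.AMEngineVersion
    [pscustomobject]@{
        EngineVersion      = $engine
        SignatureVersion   = $mp.AntivirusSignatureVersion
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        # Engine updates ship with definition updates, so stale definitions are
        # the usual reason a machine is still on the old engine.
        DefinitionsAgeDays = $mp.AntivirusSignatureAge
        Fixed              = Test-MpEngineFixed -Installed $engine
    }
}

$report = Get-MpEngineReport
$report
if (-not $report.Fixed) {
    "Engine $($report.EngineVersion) is below $FixedEngine; pulling definitions now and re-checking."
    Update-MpSignature
    Get-MpEngineReport
}
```

If the engine is still below 1.1.13704.0 after a definition update, the machine's update source (WSUS, a proxy, or an offline configuration) is where to look next.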

BTW: Details about the vulnerability discovered by Tavis Ormandy may be found here. Tavis Ormandy tweeted tonight.

Addendum: Bleeping Computer also addresses this topic – but focused on Windows Defender in Windows 10.

Microsoft May 2017 patch day short overview


On May 9, 2017 support for Windows 10 version 1507 (RTM version from 2015) ends with the last patches offered. Microsoft has also released a couple of security updates.

Here is a short overview of what has been updated. A list of all updates may be found in the Security Portal. More details are released in separate blog posts.

Critical Security Updates
============================

Critical    Adobe Flash Player
Critical    Internet Explorer 10
Critical    Internet Explorer 11
Critical    Internet Explorer 9
Critical    Microsoft Edge
Critical    Microsoft Business Productivity Servers 2010
Critical    Microsoft Office 2007 Service Pack 3
Critical    Microsoft Office 2010 Service Pack 2 (32-bit editions)
Critical    Microsoft Office 2010 Service Pack 2 (64-bit editions)
Critical    Microsoft Office 2013 RT Service Pack 1
Critical    Microsoft Office 2013 Service Pack 1 (32-bit editions)
Critical    Microsoft Office 2013 Service Pack 1 (64-bit editions)
Critical    Microsoft Office 2016 (32-bit edition)
Critical    Microsoft Office 2016 (64-bit edition)
Critical    Microsoft Office 2016 for Mac
Critical    Microsoft Office Compatibility Pack Service Pack 3
Critical    Microsoft Office for Mac 2011
Critical    Microsoft Office Web Apps 2010 Service Pack 2
Critical    Microsoft Office Web Apps 2013 Service Pack 1
Critical    Microsoft Office Word Viewer
Critical    Microsoft Office Web Apps Server 2013
Critical    Microsoft Office Online Server
Critical    Microsoft Project Server 2013
Critical    Microsoft SharePoint Enterprise Server 2016
Critical    Microsoft SharePoint Foundation 2013 Service Pack 1
Critical    Microsoft SharePoint Server 2010
Critical    Microsoft SharePoint Foundation 2013
Critical    Microsoft SharePoint Enterprise Server 2013
Critical    Word Automation Services
Critical    Microsoft Word 2007 Service Pack 3
Critical    Microsoft Word 2010 Service Pack 2 (32-bit editions)
Critical    Microsoft Word 2010 Service Pack 2 (64-bit editions)
Critical    Microsoft Word 2013 RT Service Pack 1
Critical    Microsoft Word 2013 Service Pack 1 (32-bit editions)
Critical    Microsoft Word 2013 Service Pack 1 (64-bit editions)
Critical    Microsoft Word 2016 (32-bit edition)
Critical    Microsoft Word 2016 (64-bit edition)
Critical    Skype for Business 2016
Critical    Windows 7 for 32-bit Systems Service Pack 1
Critical    Windows 7 for x64-based Systems Service Pack 1
Critical    Windows 8.1 for 32-bit systems
Critical    Windows 8.1 for x64-based systems
Critical    Windows RT 8.1
Critical    Windows 10 for 32-bit Systems
Critical    Windows 10 for x64-based Systems
Critical    Windows 10 Version 1511 for 32-bit Systems
Critical    Windows 10 Version 1511 for x64-based Systems
Critical    Windows 10 Version 1607 for 32-bit Systems
Critical    Windows 10 Version 1607 for x64-based Systems
Critical    Windows 10 Version 1703 for 32-bit Systems
Critical    Windows 10 Version 1703 for x64-based Systems
Critical    Windows Server 2008 for 32-bit Systems Service Pack 2
Critical    Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Critical    Windows Server 2008 for Itanium-Based Systems Service Pack 2
Critical    Windows Server 2008 for x64-based Systems Service Pack 2
Critical    Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Critical    Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Critical    Windows Server 2008 R2 for x64-based Systems Service Pack 1
Critical    Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Critical    Windows Server 2012
Critical    Windows Server 2012 (Server Core installation)
Critical    Windows Server 2012 R2
Critical    Windows Server 2012 R2 (Server Core installation)
Critical    Windows Server 2016
Critical    Windows Server 2016 (Server Core installation)

Important Security Updates
============================

Important    Microsoft .NET Framework 2.0 Service Pack 2
Important    Microsoft .NET Framework 3.5
Important    Microsoft .NET Framework 3.5.1
Important    Microsoft .NET Framework 4.5.2
Important    Microsoft .NET Framework 4.6
Important    Microsoft .NET Framework 4.6.1
Important    Microsoft .NET Framework 4.6.2
Important    Microsoft .NET Framework 4.6/4.6.1



Updates May 2017 for Windows 7/8.1


[German] Microsoft has released a couple of (security) updates for Windows 7 SP1 and Windows 8.1 (and the corresponding server versions) on May 9, 2017. Here is an overview.

KB4019264 (Monthly Rollup) for Windows 7/Windows Server 2008 R2 SP1

Update KB4019264 (May 2017 Security Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1) contains the improvements and fixes already contained in the April 2017 update and addresses the following issues:

  • Addressed issue where, after installing security update KB4015549, applications that use msado15.dll stop working.
  • Updated Internet Explorer 11’s New Tab Page with an integrated newsfeed.
  • Deprecated SHA-1 Microsoft Edge and Internet Explorer 11 for SSL/TLS Server Authentication. See Advisory 4010323 for more information.
  • Security updates to Internet Explorer, Microsoft Graphics Component, Windows COM, Microsoft ActiveX, Windows Server, Windows kernel, and Microsoft Windows DNS.

The update will be offered via Windows Update and as a download in the Microsoft Update Catalog. The Monthly Rollup doesn’t contain the security fixes for Internet Explorer; those will be found in KB4018271. The patch blocks Windows Update on systems with an AMD Carrizo DDR4 processor.

KB4019263 (Security-only update) for Windows 7/Server 2008 R2 SP1

Update KB4019263 (May 9, 2017 Security Only Quality Update for Windows 7 SP1 and Windows Server 2008 R2 SP1) addresses:

  • Updated Windows Cryptography API to deprecate SHA-1 for SSL/TLS Server Authentication, including in Microsoft Edge and Internet Explorer 11. See Advisory 4010323 for more information.
  • Security updates to Microsoft Graphics Component, Windows COM, Microsoft ActiveX, Windows Server, Windows kernel, and Microsoft Windows DNS.

The update will be offered via Windows Update and as a download in the Microsoft Update Catalog. This Security-only update doesn’t contain the security fixes for Internet Explorer; those will be found in KB4018271. The patch blocks Windows Update on systems with an AMD Carrizo DDR4 processor. This package doesn’t provide telemetry features.

You may find the update history for Windows 7 on this Microsoft site.

KB4019215 (Monthly Rollup) for Windows 8.1/Windows Server 2012 R2

Update KB4019215 (May 2017 Security Monthly Quality Rollup for Windows 8.1 and Windows Server 2012 R2) contains improvements and fixes:

  • Addressed issue where applications that use msado15.dll stop working after installing security update 4015550.
  • Deprecated SHA-1 Microsoft Edge and Internet Explorer 11 for SSL/TLS Server Authentication. See Advisory 4010323 for more information.
  • Updated Internet Explorer 11’s New Tab Page with an integrated newsfeed.
  • Security updates to Microsoft Graphics Component, Microsoft Windows DNS, Windows COM, Windows Server, Windows kernel, and Internet Explorer.

The update will be offered via Windows Update and as a download in the Microsoft Update Catalog. The Monthly Rollup doesn’t contain the security fixes for Internet Explorer; those will be found in KB4018271. Details may be found within the linked KB article.

KB4019213 (Security-only update) for Windows 8.1/Windows Server 2012 R2

Update KB4019213 (May 2017 Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2) addresses:

  • Updated Windows Cryptography API to deprecate SHA-1 for SSL/TLS Server Authentication, including in Microsoft Edge and Internet Explorer 11. See Advisory 4010323 for more information.
  • Security updates to Microsoft Graphics Component, Microsoft Windows DNS, Windows COM, Windows Server and Windows kernel.

The update will be offered via Windows Update and as a download in the Microsoft Update Catalog. Details may be found within the linked KB article.

You may find the update history for Windows 8.1 on this Microsoft site.


Updates for Windows 10 (May 9, 2017)


[German] Microsoft has released a couple of cumulative updates for supported Windows 10 versions. Here is an overview.

Update KB4016871 for Windows 10 Version 1703

Update KB4016871 contains some quality improvements for Windows 10 version 1703 and changes the build number to 15063.296 for PC and to 15063.297 for Mobile. Here is the list of fixes:

  • Addressed issue with Surface Hub devices waking from sleep approximately every four minutes after the first two hours. 
  • Addressed issue where autochk.exe can randomly skip drive checks and not fix corruptions, which may lead to data loss. 
  • Addressed an issue where Microsoft Edge users in networking environments that do not fully support the TCP Fast Open standard may have problems connecting to some websites. Users can re-enable TCP Fast Open in about:flags.  
  • Addressed issues with Arc Touch mouse Bluetooth connectivity.
  • Security updates to Microsoft Edge, Internet Explorer, Microsoft Graphics Component, Windows SMB Server, Windows COM, Microsoft Scripting Engine, Windows kernel, Windows Server, and the .NET Framework.

Update KB4019472 for Windows 10 Version 1607/Server 2016

Update KB4019472 contains some quality improvements for Windows 10 version 1607 (and Windows Server 2016) and changes the build number to 14393.1198. Here is the list of fixes:

  • Addressed issue where the PC Settings pages do not display the correct options after the installation of KB3213986 and a language pack.
  • Addressed issue where fonts appear differently based on whether an app uses Graphics Device Interface (GDI) or GDI Plus.
  • Addressed issue where applications that use msado15.dll stop working after installing security update KB4015550.
  • Addressed issue that causes a device to become unresponsive when users try to enable end-user-defined characters (EUDCs). 
  • Addressed issue that causes a device to crash every time a user logs off from a remote session using a Virtual Desktop Agent (VDA). 
  • Addressed issue where changing the scaling setting of the display prevents DPI-aware tools (Notepad, MS Paint, etc.) from accepting input or drawing correctly when using the Japanese IME. 
  • Addressed issue that causes Windows Explorer’s CPU usage to be at 20% when an executable file is hosted on a file share and its Offline attribute is set. 
  • Addressed issue where Windows Event Forwarding between two 2012 R2 servers makes reports incompatible with third-party Security Information and Event Management software. 
  • Addressed issue where the BitLocker Drive Encryption wizard shows the “Choose which encryption mode to use” page even when the BitLocker GPO is enabled.
  • Addressed issue where AppLocker fails to block binaries with revoked certificates.
  • Addressed issue where a virtual machine (VM) loses network connectivity if the VM does not send Address Resolution Protocol packets for five minutes and the VM is connected to a wireless NIC. 
  • Addressed issue that causes the loss of a VPN connection when using a computer with an integrated WAN card (cellular card). 
  • Addressed issue where multipath I/O did not properly restore service after the check condition “Illegal request, LUN not available (sense codes 05/25/00)” occurs. 
  • Addressed issue where a Stop 0x27 error occurs after a user provides the domain username and password.
  • Addressed issue where users can create folders on a USB flash drive when “Deny write access” is set for Removable Storage Access.
  • Addressed an issue where crash dump generation hangs at 0% on a system with over 750 GB of physical memory and Hyper-V enabled. 
  • Addressed an issue with a paging file space leak that leads Windows to a crash, blue screen, or data loss.
  • Addressed issue that prevents access to a website when Automatic Rebind of Renewed Certificate and Directory Service Mapper are enabled. 
  • Addressed a crash in Services.exe with the error code “0xc0000374 – A heap has been corrupted,” and requires a system restart.
  • Addressed issue where Windows Defender anti-virus definitions, which are regulated by the network, prevent other updates (LCU, drivers) from being downloaded. 
  • Addressed issue where Internet Explorer 11 does not save JavaScript files when exporting to an MHT file. 
  • Addressed issue that prevents Internet Explorer 11 from following redirects when the Include-Referer-Token-Binding-ID header is set to “true.”
  • Addressed issue that causes users to get logged out from a Web-application intermittently. 
  • Updated Internet Explorer 11’s New Tab Page with an integrated newsfeed. 
  • Deprecated SHA-1 Microsoft Edge and Internet Explorer 11 for SSL/TLS Server Authentication. See Advisory 4010323 for more information.
  • Addressed additional issues with the Windows Shell, enterprise security, Datacenter Networking, storage networking, Internet Information Services, Active Directory, clustering, Windows Server, the client platform, and Internet Explorer.
  • Security updates to Windows COM, Windows SMB Server, Windows server, Internet Explorer, and Microsoft Edge.

Update KB4019473 for Windows 10 Version 1511

Update KB4019473 contains some quality improvements for Windows 10 version 1511 and changes the build number to 10586.839. Here is the list of fixes:

  • Addressed issue that causes the OS to become unresponsive when migrating users from a cloud-based solution to an on-premise desktop running Microsoft Virtual Desktop Infrastructure. 
  • Addressed issue with high CPU and RAM usage when accessing .mp4 files larger than 60 GB using Windows Explorer.
  • Addressed issue where Windows Event Forwarding between two 2012 R2 servers makes reports incompatible with third-party Security Information and Event Management software. 
  • Addressed an issue related to establishing a secure connection to a server using the TLS protocol. The application may hang when the server certificate specifies a secure URL (HTTPS) for the Certificate Revocation List (CRL) or for the Authority Information Access (AIA) values within the certificate.
  • Addressed issue where applications that use msado15.dll stop working after installing security update KB4015550.
  • Addressed issue where the BitLocker Drive Encryption wizard shows the “Choose which encryption mode to use” page even when the BitLocker GPO is enabled. 
  • Addressed an issue where changing your password while not directly connected to the enterprise network, such as with a VPN, will cause your private keys to become inaccessible. Symptoms vary including the inability to encrypt/decrypt or sign documents. 
  • Updated Internet Explorer 11’s New Tab Page with an integrated newsfeed. 
  • Deprecated SHA-1 Microsoft Edge and Internet Explorer 11 for SSL/TLS Server Authentication. See Advisory 4010323 for more information.
  • Addressed additional issues with enterprise security, Internet Explorer, and Microsoft Edge.
  • Security updates to Microsoft Edge, Microsoft Scripting Engine, Windows COM, Microsoft Graphics Component, .NET Framework, Windows kernel, Windows SMB Server, Windows Server, and Internet Explorer.

Update KB4019474 for Windows 10 Version 1507 (RTM)

Update KB4019474 contains some quality improvements for Windows 10 version 1507 and changes the build number to 10240.17394. Here is the list of fixes:

  • Addressed issue where Windows Event Forwarding between two 2012 R2 servers makes reports incompatible with third-party Security Information and Event Management software. 
  • Addressed an issue related to establishing a secure connection to a server using the TLS protocol. The application may hang when the server certificate specifies a secure URL (HTTPS) for the Certificate Revocation List (CRL) or for the Authority Information Access (AIA) values within the certificate.
  • Addressed an issue where changing your password while not directly connected to the enterprise network, such as with a VPN, will cause your private keys to become inaccessible. Symptoms vary including the inability to encrypt/decrypt or sign documents.
  • Addressed issue where applications that use msado15.dll stop working after installing security update KB4015550.
  • Addressed issue that prevents Internet Explorer 11 from following redirects when the Include-Referer-Token-Binding-ID header is set to “true.”
  • Addressed issue with Microsoft Edge where a memory leak occurs every time you refresh a webpage.
  • Updated Internet Explorer 11’s New Tab Page with an integrated newsfeed.
  • Deprecated SHA-1 Microsoft Edge and Internet Explorer 11 for SSL/TLS Server Authentication. See Advisory 4010323 for more information.
  • Addressed additional issues with storage file system, Internet Explorer, and the .NET Framework.
  • Security updates to the Microsoft Scripting Engine, Microsoft Edge, Windows COM, Microsoft Graphics Component, .NET Framework, Windows kernel, Windows SMB Server, Windows Server, and Internet Explorer.

The Windows 10 update history may be obtained from this Microsoft site.

Further Windows 10 Updates

Microsoft has also released dynamic update KB4020007 (Compatibility update for upgrading to Windows 10 Version 1703: May 9, 2017) which changes the upgrade experience to Windows 10 Version 1703.

And there is update KB4020008 (OOBE update for Windows 10 Version 1703: May 9, 2017) that improves the Windows 10 Version 1703 out-of-box experience (OOBE). This update applies only to the Windows 10 Version 1703 OOBE process and will be available only at the time that OOBE updates are installed.

Similar articles:
Microsoft May 2017 patch day short over view
Updates May 2017 for Windows 7/8.1
Updates for Windows 10 (May 9, 2017)
Office Patchday May 2, 2017
Windows 10: What are dynamic updates?

Windows 10: 500 million activations

How many times has Windows 10 been activated so far? During Build 2017 Microsoft published new numbers. Here are a few details and thoughts.

1 billion Windows 10 systems by 2018 …

Do you still remember Build 2015, where Terry Myerson announced one billion Windows 10 devices by 2018? Well, we are close …

(Source: Microsoft)

At Build 2017 Microsoft announced that it is reaching 500 million Windows 10 activations. Sources close to Microsoft told The Verge that Microsoft is targeting 550 million monthly active Windows 10 devices by the end of June, and 575 million by the end of September 2017. The other 625 million will be activated by December 2017 (I guess).

OK, wait: the 500 million Windows 10 activations include Windows 10 PCs, notebooks, tablet PCs, Xboxes, HoloLens and also mobile devices. And a few days ago we noticed that Microsoft told us only 300 million active users are working with Windows 10 (see How many users are working with Windows 10 every day?).

I think the Windows 10 ecosystem is broken

A few days ago AdDuplex published the Windows 10 desktop OS version chart shown below. 1.8% of Windows 10 users are still hanging on to the RTM version from 2015.


(Source: AdDuplex)

Most users are running Windows 10 Anniversary Update (Version 1607) – 82.1%. But 6.0% are still using Windows 10 Version 1511, and 9.8% are using Windows 10 Creators Update (Windows 10 Version 1703). And in September 2017 we will receive Windows 10 Version 1709. I would say: pretty fragmented, this Windows 10 world – isn’t it?

I don’t think Microsoft is on the right track with Windows 10. No, I don’t want a new Windows 10 system every 6 months, and I also don’t like telemetry, auto updates and so on. What’s your opinion?

HP Notebooks: Keylogger in Conexant’s audio driver

[German]It’s a nasty surprise that Thorsten Schröder from Swiss modzero AG discovered in Conexant’s audio drivers shipped with some HP notebooks. The driver logs all keystrokes and writes them into a world-readable log file – a security nightmare.

A key logger is software that records all keystrokes on a keyboard – so passwords may be logged too. Finding such a key logger within an audio driver isn’t something you would expect.

A bad surprise during a device security check

Security expert Thorsten Schröder was hired by a customer to check the security of HP notebooks. Analyzing the audio driver showed that this package logs all keyboard input into a file. The audio driver was developed and digitally signed by audio chip manufacturer Conexant. Schröder has documented the issue in this modzero.ch post. Schröder wrote:

Security reviews of modern Windows Active Domain infrastructures are – from our point of view – quite sobering. Therefore, we often look left and right, when, for example, examining the hardening of protection mechanisms of a workstation. Here, we often find all sorts of dangerous and ill-conceived stuff. We want to present one of these casually identified cases now, as it’s quite an interesting one: We have discovered a keylogger in an audio driver package by Hewlett-Packard.

And he asks:

So what’s the point of a keylogger in an audio driver? Does HP deliver pre-installed spyware? Is HP itself a victim of a backdoored software that third-party vendors have developed on behalf of HP? The responsibility in this case is uncertain, because the software is offered by HP as a driver package for their own devices on their website. On the other hand, the software was developed and digitally signed by the audio chip manufacturer Conexant.

In some cases audio drivers are used to detect a keystroke combination that activates or deactivates a microphone.

A full-blown key logger

Schröder found out that the developers have added a full-featured key logger to the audio driver. In version 1.0.0.46 the driver logs all keystrokes into the public file:

C:\Users\Public\MicTray.log

It seems that the driver has had this ‘feature’ since December 2015. The driver ships with one of the following file names:

C:\Windows\System32\MicTray64.exe

or

C:\Windows\System32\MicTray.exe

depending on the Windows architecture.
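A defender’s first question after reading this is whether a given machine carries the driver and whether the public log already holds keystrokes. The following check is an added example (not code from modzero, HP or Conexant): it looks for the three paths named above beneath a root directory, so it can be pointed at a live system or at a mounted offline image. The root parameter, the report format, the risk classification and the sample tree builder are this example’s own.

```python
"""Check a Windows drive (live or an offline copy) for the Conexant MicTray
components and the public log file named in the article.

Added example, not code from modzero, HP or Conexant. The indicator paths are
the ones the article names; everything else here is this example's own.
"""
import os
import tempfile
from datetime import datetime, timezone

# Indicators from the article: the two driver binaries and the public log.
MICTRAY_BINARIES = (
    os.path.join("Windows", "System32", "MicTray64.exe"),
    os.path.join("Windows", "System32", "MicTray.exe"),
)
MICTRAY_LOG = os.path.join("Users", "Public", "MicTray.log")


def check_mictray(root):
    """Return a dict describing which indicators exist under `root`.

    `root` is "C:\\" on a live system, or the mount point of an offline
    image. A log file with size > 0 means keystrokes have already been
    written to a world-readable location.
    """
    report = {"binaries": [], "log": None}
    for rel in MICTRAY_BINARIES:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            report["binaries"].append(path)
    log_path = os.path.join(root, MICTRAY_LOG)
    if os.path.isfile(log_path):
        st = os.stat(log_path)
        report["log"] = {
            "path": log_path,
            "size": st.st_size,
            "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        }
    return report


def risk_level(report):
    """Classify a report: 'clean', 'driver present' (the logging component is
    installed but the log is absent or empty) or 'keystrokes logged' (the
    public log exists and is non-empty)."""
    if report["log"] and report["log"]["size"] > 0:
        return "keystrokes logged"
    if report["binaries"] or report["log"]:
        return "driver present"
    return "clean"


def make_sample_tree(with_binary=True, with_log=True, log_bytes=b""):
    """Constructed sample input: a throw-away directory tree mimicking an
    affected drive, so the check can be exercised offline. Returns its root."""
    root = tempfile.mkdtemp(prefix="mictray_demo_")
    if with_binary:
        exe = os.path.join(root, MICTRAY_BINARIES[0])
        os.makedirs(os.path.dirname(exe), exist_ok=True)
        open(exe, "wb").close()  # empty placeholder, not the real driver
    if with_log:
        log = os.path.join(root, MICTRAY_LOG)
        os.makedirs(os.path.dirname(log), exist_ok=True)
        with open(log, "wb") as fh:
            fh.write(log_bytes)
    return root


if __name__ == "__main__":
    # On a real machine: check_mictray("C:\\"); here the constructed tree.
    sample = make_sample_tree(log_bytes=b"constructed keystrokes")
    rep = check_mictray(sample)
    print(risk_level(rep), rep)
```

Run it against "C:\\" on the notebook itself, or against the mount point of a forensic image; a non-empty MicTray.log is the finding that matters, because its contents were readable by every local account.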

No spyware – no responsibility

Schröder writes that he didn’t find signs that this is an intended backdoor or key logger. Neither HP nor Conexant claim they are responsible for this feature. Therefore Schröder published a security advisory. (via 4chan.org, via heise.de)

Ransomware WannaCry infected worldwide thousands of Windows systems

[German]A massive ransomware campaign that started on May 12, 2017 has infected thousands of Windows systems worldwide. Hospitals, banks and companies are out of order because their systems are affected and critical data is encrypted. Here is a short overview of what is known so far.

I received an e-mail a few days ago containing a zip attachment claiming to be a scanned bill. Well, the sender name was known to me – but I didn’t expect a bill from this person. Inspecting the source code of the e-mail showed clearly that it was a phishing attempt, so I deleted this mail. I don’t know whether it’s related to the current ransomware campaign – currently I’m fighting with cold viruses, which caused a kind of ‘shutdown’ yesterday and probably also today.

WannaCry, WanaCrypt0r, Wanna Cryptor ….

The name of this ransomware isn’t settled; I’ve seen the several names given in the title above in articles. Malwarebytes has told me some first details about the ransomware campaign.

Two campaigns

The new ransomware has spread worldwide into Windows-based networks and is causing critical infrastructures to shut down. According to Bleeping Computer, there have been two versions of this ransomware.

  • Version 1.0: This variant was detected by Malwarebytes on February 10, 2017 – and Karsten Hahn, GData, found a short campaign on March 25, 2017.
  • Version 2.0: This variant was detected on May 12, 2017 by MalwareHunter. This version is responsible for the massive infection during the last hours.

The reason why this ransomware is spreading like wildfire seems to be clear. Security analysts from Malwarebytes told me:

There is strong circumstantial evidence that the ransomware is using known vulnerabilities [in Windows] to intrude into networks and may be spreading as a worm. The vulnerability has been part of the NSA hacking tools (code name „ETERNALBLUE“) leaked by „The Shadow Brokers“. The NSA tool enables the attackers remote access via an exploit of the SMB & NBT protocols used in Windows systems. Malwarebytes users are protected against this exploit.

In this blog post security analysts from Malwarebytes discuss how the worm spreads. The ransomware uses a vulnerability already patched by Microsoft on March 14, 2017 (MS17-010 Security Update for Microsoft Windows SMB Server (4013389)). It seems that a lot of unpatched systems are out there (probably also some Windows XP and Windows Server 2003 systems).

It isn’t clear yet how the initial attack was carried out – maybe a spear phishing attack or a vulnerability in Microsoft’s Windows systems was used. Malwarebytes recommends shutting down old Windows XP systems and patching the other supported Windows computers. A good documentation of the history of this attack and more details may be found at talosintelligence.com.

Thousands of systems infected

Within a few hours thousands of Windows systems have been infected with this ransomware. Victims see the following message after their files have been encrypted.


(Source: MalwareBytes)

Currently hospitals (NHS in Great Britain) and the telecommunications company Telefonica in Spain are heavily affected. Other articles mention that Spanish firms like KPMG, BBVA and Santander bank, the electricity provider Iberdrola and also Vodafone are affected. In Germany, the railway Bundesbahn is affected (see this tweet).

It seems that an unpatched Windows 7 is running there. Malwarebytes supposes that Russia, Ukraine and Taiwan are also victims of this ransomware, as this tweet suggests.

The New York Times has published a map showing infections worldwide.

Has the campaign been stopped?

A person tweeting as @MalwareTechBlog found a ‘kill switch’ to shut down the massive malware campaign. He registered a domain hard-coded within the malware – this was the ‘kill switch’ the author of the malware had included.

The British newspaper The Guardian has an article with more details. The kill switch helps until a new variant of this ransomware is released. And the kill switch doesn’t help if the files on an infected system are already encrypted.

Microsoft patches Windows XP, Windows Server 2003, Windows 8

Microsoft has released patches for Windows XP, Windows Server 2003 and Windows 8 to stop WannaCrypt (and similar) infections. Further details may be found in the MSRC blog. (via)

Final thoughts

This ransomware campaign shows how weak the critical infrastructure we are using is. I just remember the show Microsoft’s management presented at BUILD 2017. Cloud, cloud, cloud everywhere – and we all shall be heading to big data, Internet of Things and big brother. Also the ‘sirens’ are trying to lure companies into total networking, called Industry 4.0. I’m not confident that the current attack is the last one – and I fear the damage will be greater in future.

Just a last thought: it’s time now to hold IT managers responsible for the decisions they made. It’s negligent to use Windows within critical infrastructure projects like hospitals or railway information systems.

Update KB3150513: May Re-re-release for Windows 10 V1607

[German]Microsoft has released update KB3150513 for Windows 10 Anniversary Update multiple times in May 2017. The latest re-release was scheduled on May 11, 2017.

Update KB3150513 is released (nearly) each month and is available for Windows 7 up to Windows 10. Microsoft chooses which Windows version receives this update on each release date. In most cases I mentioned a new version in my blog. This time, update KB3150513 is for Windows 10 Version 1607.

What is update KB3150513 for?

Update KB3150513 carries the ‘Latest compatibility definition update for Windows’. According to Microsoft, it provides the latest set of definitions for compatibility diagnostics that are performed on the system. The updated definitions help Microsoft and its partners ensure compatibility for all customers who want to install the latest Windows operating system. Installing this update also makes sure that the latest Windows operating system version is correctly offered through Windows Update, based on compatibility results.

This update may not be offered concurrently to all platforms. It will be available only to platforms for which new definitions are available. Windows 10 users will see it frequently during the rollout wave of a new feature update. Microsoft has re-released update KB3150513 on May 1, May 5, and then May 11, 2017.

What’s changing?

Each update ships new versions of the files Appraiser.sdb, Appraiser_data.ini and Appraiser_telemetryrunlist.xml. This enables Microsoft to gain detailed compatibility data on distinct systems. The fact that Microsoft has re-released this update multiple times in May 2017 indicates to me that they detected upgrade issues from Windows 10 Version 1607 to Windows 10 Creators Update. If you need it and the machine did not receive the package via Windows Update, download it from the Microsoft Update Catalog and install the package manually.

Similar articles:
Windows compatibility update KB3150513
Windows 10 Version 1607: Update KB3150513 re-released
Windows 10: Updates KB3150513 and KB4015219 are back
Update KB3150513 for Windows 8/8.1/10 (08/31/2016)

Windows 7/8.1/Server: Updates KB4019217, KB4019218, KB4019265 and .NET Framework-Update KB4019290 etc.

[German]Microsoft has released on May 16, 2017 a couple of ‘Preview of Monthly Rollup’ updates for Windows 7, Windows 8.1 and Windows Server variants. Packages for the .NET Framework are also available.

All updates are optional and are available via Windows Update and the Microsoft Update Catalog. On the June 2017 patch day the updates will be offered as regular updates.

KB4019265 Windows 7 SP1 and Windows Server 2008 R2 SP1

Update KB4019265 (Preview of Monthly Rollup from May 16, 2017 for Windows 7 SP1 and Windows Server 2008 R2 SP1) contains the fixes from Monthly Rollup KB4019264 (May 9, 2017). It also addresses an issue by updating the d3dcompiler_47.dll file to improve application compatibility.

If the PC uses an AMD Carrizo DDR4 processor, installing this update will block downloading and installing future Windows updates. Microsoft has been saying for months that they are working on a resolution and promises to provide an update in an upcoming release…

KB4019217 Windows 8.1 and Windows Server 2012 R2

Update KB4019217 (Preview of Monthly Rollup from May 16, 2017 for Windows 8.1 and Windows Server 2012 R2) contains fixes from Monthly Rollup KB4019215 (May 9, 2017). Addresses the following preview fixes:

  • Addressed issue related to establishing a secure connection to a server using the TLS protocol. The application may hang when the server certificate specifies a secure URL (HTTPS) for the Certificate Revocation List (CRL) or for the Authority Information Access (AIA) values within the certificate.
  • Addressed issue where changing your password while not directly connected to the enterprise network, such as with a VPN, will cause your private keys to become inaccessible. Symptoms vary including the inability to encrypt/decrypt or sign documents.
  • Addressed issue where performing a factory reset fails because a new authenticated variable that was added to the firmware cannot be deleted during factory reset. When the factory reset encounters this variable, it gets an error and does not complete the reset.
  • Addressed issue where users may experience slow logons when logging on to Windows Server 2012 R2 servers that have a high amount of open connections. The issue is caused by the collection of bandwidth statistics on the open connections for the processing of group policy.
  • Addressed issue where the Server Message Block 3.0’s Continuous Availability feature degrades software performance when the FindFirstFileEx() function receives a path that ends with “..” or “.”.
  • Addressed issue where the Common Log File System references an invalid parameter when users create new folders and new tasks using Task Scheduler, which generates Stop Error 0x24.
  • Addressed issue where removable devices do not work as expected after applying KB3179574 and when auditing of removable devices is enabled.
  • Addressed issue where a Virtual Machine sporadically loses its network connection completely.
  • Addressed issue where Windows Event Forwarding between two 2012 R2 servers makes reports incompatible with third-party Security Information and Event Management software.
  • Addressed an issue where LSASS consumes large amounts of memory on 2012 R2 Domain Controllers during a security descriptor propagation operation. This issue occurs when a security descriptor change is made on a root object with lots of descendants. Additionally, Applies To is set to “This object and all descendant objects.”
  • Addressed issue where Work Folders clients using token broker do not work (“Access denied” error) when using an Active Directory Federation Services Server 2012 R2.

If the PC uses an AMD Carrizo DDR4 processor, installing this update will block downloading and installing future Windows updates.

KB4019218 Windows Server 2012

Update KB4019218 (Preview of Monthly Rollup from May 16, 2017 for Windows Server 2012) contains fixes from Monthly Rollup KB4019216 (May 9, 2017). Addresses the following preview fixes:

  • Addressed issue by updating the d3dcompiler_47.dll file to improve application compatibility.
  • Addressed issue where the WinRM service and subscriptions stop working and events are dropped when monitoring events and using event forwarding for large deployments.
  • Addressed issue where the Server Message Block 3.0’s Continuous Availability feature degrades software performance when the FindFirstFileEx() function receives a path that ends with “..” or “.”.

No issues are known.

.NET Framework Preview Updates

Microsoft published the following .NET Framework preview updates (details may be read in the linked articles).

  • Update KB4019288 (May 2017 Preview of the Quality Rollup for the .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, and 4.6.2 for Windows 7 and Windows Server 2008 R2, May 16, 2017).
  • Update KB4019289 (May 2017 Preview of the Quality Rollup for the .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, and 4.6.2 for Windows Server 2012, May 16, 2017).
  • Update KB4019290 (May 2017 Preview of the Quality Rollup for the .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, and 4.6.2 updates for Windows 8.1 and Windows Server 2012 R2, May 16, 2017).
  • Update KB4019291 (May 2017 Preview of the Quality Rollups for the .NET Framework 2.0 Service Pack 2, 4.5.2, and 4.6 for Windows Server 2008 Service Pack 2, May 16, 2017)

Windows 10 Build 16199 for PC, Mobile Build 15215

Microsoft has released a new Insider Preview, Windows 10 Build 16199 for PCs, in the Fast Ring. Windows 10 Mobile is available as Build 15215. The announcement was made in the Windows Blog, where details may be read.

Wannacry: first WCry-Decryptor for Windows XP

[German]Good news with a grain of salt for users with systems affected by the #WannaCry ransomware. A first decryptor has been developed, but it works only under Windows XP and only if some conditions are met.

WCry: it works for Windows XP, if …

The tool, called WCry, was developed by French security researcher Adrien Guinet from Quarkslab and is available at GitHub. The tool tries to find the prime numbers used to calculate the private RSA key used by WannaCry to encrypt all files.

The software has only been tested and is known to work under Windows XP. In order to work, the Windows XP computer must not have been rebooted after being infected – more details below. Please also note that you need some luck for this to work (see below), so it might not work in every case!

How does it work?

This software allows recovering the prime numbers of the RSA private key used by WannaCry by searching the memory of the wcry.exe process. This is the process that generates the RSA private key. This is possible because the API calls CryptDestroyKey and CryptReleaseContext do not erase the prime numbers from memory before freeing the associated memory.

This is not really a mistake by the ransomware authors, as Adrien Guinet wrote. He assumes that the ransomware authors are using the Windows Crypto API properly. Guinet tested under Windows 10: there CryptReleaseContext does clean up the memory (and so this recovery technique won’t work).

It can work under Windows XP because, in this version, CryptReleaseContext does not do the cleanup. Moreover, MSDN states this for this function: “After this function is called, the released CSP handle is no longer valid. This function does not destroy key containers or key pairs.” So Guinet assumes that there is no clean and cross-platform way under Windows to clean this memory.

So his approach of searching the associated memory for prime numbers works in Windows XP if the memory hasn’t been reallocated and overwritten, or erased during a reboot.

How is it used?

Go to the bin folder of the GitHub repository and download the file. Then you need to find the PID of the wcry.exe process using Task Manager. Afterwards locate the 00000000.pky file on your Windows drive (it’s the WannaCry private key folder).

Once you’ve got this, launch cmd.exe and execute the following command:

search_primes.exe PID path\to\00000000.pky

If a valid prime is found in memory, the priv.key file will be generated in the current directory. You can then use https://github.com/odzhan/wanafork/ to decrypt your files!

WARNING: wanafork does not work directly under Windows XP for now. This should be fixed soon (hopefully)! (via)

Malwarebytes: Real time protection keeps turning off

[German]It seems that users of Malwarebytes security software were hit by a strange issue. The real-time protection keeps turning off. An update shipped today seems to fix the issue (until the next case).

I’ve been pinged by a German user at Google+ – he noticed that Malwarebytes is suddenly causing serious trouble – the real-time protection keeps turning off.

Update ends with null-byte database

It seems, see this forum post, that a Malwarebytes update ended with MBDB databases with a size of 0 bytes.

(Source: Malwarebytes forum)

Users affected worldwide

According to Malwarebytes’ support forum (see this forum thread), many users have been affected. Malwarebytes software reports that the Real-Time Protection Layers are deactivated.

(Source: Malwarebytes forum)

Not only version 3.1.2 was affected; other users are reporting the same with 3.0.6 (there is a support article Malwarebytes 3.0 Real-time protection layer turning off? addressing this old issue).

(Source: Malwarebytes)

Users updating to version 3.1.2 can’t activate real-time protection. Malwarebytes has released an update (see Malwarebytes forum) which seems to fix the issue.

WannaCry: Decrypting with WanaKiwi also for Windows 7

Partially good news for Windows 7 users hit by the WannaCrypt ransomware. A decryptor for encrypted files that can obtain the required key is available for Windows XP and Windows 7.

I introduced a first decryptor for Windows XP this morning (see Wannacry: first WCry-Decryptor for Windows XP). Then Matt Suiche, hacker, security specialist and MVP colleague, published a blog post WannaCry — Decrypting files with WanaKiwi + Demos.

WanaKiwi also for Windows 7

The tool WanaKiwi uses the same technique as wannakey from Adrien Guinet to extract the prime numbers left behind by the ransomware in memory.

The tool is available at GitHub and runs from Windows XP up to Windows 7 (also Vista and Server 2003/2008 and R2). It’s sufficient to download wanakiwi to an infected machine and launch wanakiwi.exe. The program automatically looks for the 00000000.pky file and extracts the prime number. Wanakiwi also recreates the .dky files the ransomware expects from the attackers, which makes it compatible with the ransomware itself too. This also prevents WannaCry from encrypting further files. Further details may be read in Matt’s blog post.
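Both the WCry tool from the previous article (the “How it works?” section) and WanaKiwi rest on the same idea: a prime of the RSA private key survives in the wcry.exe process memory, and one prime plus the public key is enough to rebuild the private exponent. The following is an added example illustrating that reconstruction on a toy-sized key; it is not code from wannakey, wanakiwi or this page. The key, the simulated memory image and its layout (each prime stored little-endian at a fixed width, an assumption modelled on CryptoAPI key blobs) are constructed for the example. Real keys are far larger, and the real tools read the modulus from the 00000000.pky file rather than from a constant.

```python
"""Recover an RSA private key from a prime left behind in process memory.

Added example, not code from wannakey, wanakiwi or the page. It mirrors the
technique the articles describe: scan a memory image for a value that divides
the public modulus, then rebuild the private exponent from that factor.
The key, the "memory" and its byte layout are constructed toy data.
"""
import random
from math import gcd

# Constructed toy key: two known primes, far smaller than a real RSA key.
P = 18446744073709551557  # largest prime below 2**64
Q = 9223372036854775783   # largest prime below 2**63
E = 65537
N = P * Q
PRIME_WIDTH = 8  # bytes per prime in the assumed in-memory layout


def build_memory_image(prime, seed=1, size=4096, offset=1000):
    """Constructed stand-in for a wcry.exe memory dump: deterministic filler
    bytes with one prime embedded little-endian at a fixed offset."""
    rng = random.Random(seed)
    mem = bytearray(rng.getrandbits(8) for _ in range(size))
    mem[offset:offset + PRIME_WIDTH] = prime.to_bytes(PRIME_WIDTH, "little")
    return bytes(mem)


def search_primes(mem, n, width=PRIME_WIDTH):
    """Slide a window over the image. Only p and q divide n, so a window
    whose value is a non-trivial divisor of n is unambiguously a factor.
    Returns (offset, factor) or None if nothing survived in memory."""
    for off in range(len(mem) - width + 1):
        cand = int.from_bytes(mem[off:off + width], "little")
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None


def rebuild_private_key(n, e, p):
    """Given the modulus, public exponent and one prime, derive the other
    prime and the private exponent d."""
    q, r = divmod(n, p)
    if r != 0:
        raise ValueError("p does not divide n")
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    d = pow(e, -1, phi)
    return {"p": p, "q": q, "d": d}


def rsa_encrypt(m, n, e):
    return pow(m, e, n)


def rsa_decrypt(c, n, d):
    return pow(c, d, n)


def recover_and_decrypt(mem, n, e, ciphertext):
    """End-to-end: find a prime in memory, rebuild d, decrypt one value.
    Returns None when no factor is found (memory reused or machine rebooted,
    the failure condition the articles describe)."""
    hit = search_primes(mem, n)
    if hit is None:
        return None
    _, p = hit
    key = rebuild_private_key(n, e, p)
    return rsa_decrypt(ciphertext, n, key["d"])


if __name__ == "__main__":
    file_key = 0x0123456789ABCDEF  # stands in for a per-file symmetric key
    c = rsa_encrypt(file_key, N, E)
    mem = build_memory_image(P)
    print(hex(recover_and_decrypt(mem, N, E, c)))
```

The divisibility test is what makes the scan reliable: random bytes almost never form a divisor of the modulus, so a hit needs no separate primality check, and a miss means the memory has already been reused, which is exactly why the articles stress not rebooting the infected machine.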

WikiLeaks reveals CIA Windows Spyware Framework Athena

[German]WikiLeaks has leaked new documents in the Vault 7 series. These documents detail a new CIA spyware framework called Athena.

WikiLeaks claims it received the material from hackers and CIA insiders. The new material (user manual, demo, overview) shows that the spyware framework addresses Windows from XP up to Windows 10. As ibtimes.co.uk reported, the documents are dated between September 2015 and February 2016 (after the release of Windows 10).

According to WikiLeaks’ documents, the spyware was created by the CIA with help from a private New Hampshire-based cybersecurity firm called Siege Technologies. The tools allow attackers to completely hijack computers, steal data and send it to CIA servers, delete data and upload malicious software. Further details may be read here and here.
