Channel: Windows – Born's Tech and Windows World

Windows 10 V1709: Bug prevents renaming in Explorer

It seems that the newly released Windows 10 Fall Creators Update (V1709) is plagued by bugs. Even Explorer contains a bug that prevents renaming files or folders.

I couldn’t believe it when I read this German forum post, where a user claims that renaming files and folders doesn’t work in Explorer. Here is a screenshot of my German Windows Explorer, where I set the View mode to small icons.

This mode completely disables the rename function in Windows Explorer. Pressing the function key F2, which normally invokes a rename operation for the selected item, produces no reaction. The context menu command Rename and the Rename button in the ribbon don’t perform the rename either.

The only workaround is to change the View mode to Details or another mode and then try the rename operation. I don’t know if it’s only related to the German Windows 10 Fall Creators Update (V1709), or if it also affects other languages. But the bug is also in Windows 10 Insider Preview Build 17017 (Redstone 4).


#BadRabbit #Ransomware outbreak in Eastern Europe

Urgent warning to all administrators in corporate environments: Eastern Europe has been hit by an outbreak of the BadRabbit ransomware. Windows systems and networks in corporate environments are affected. The campaign is similar to the NotPetya infection in early summer this year. A kill switch may have been found.

In summer 2017 we had a NotPetya ransomware infection spreading from Ukraine (see News about (Not)Petya ransomware – Killswitch/vaccine found?WannaCry Clone). A few days ago I warned about a possible new infection with a NotPetya-like ransomware (the blog post is only in German: Warnung vor neuem NotPetya-ähnlichem Cyber-Angriff). Now it seems that this scenario is happening.

BadRabbit ransomware outbreak

Bleeping Computer reported on the BadRabbit ransomware, which has been spreading for a few hours in several Eastern European countries. Both government agencies and private companies are affected. Currently, the infection is probably spreading in countries such as Russia, Ukraine, Bulgaria and Turkey.

Confirmed victims include Odessa airport in Ukraine, the metro system of Kiev in Ukraine, the Ukrainian Ministry of Infrastructure and three Russian news agencies, including Interfax and Fontanka. The Ukrainian CERT team has issued a warning message and warns Ukrainian companies of this new outbreak.

Distribution via fake Flash update

An antivirus vendor wrote in a tweet that the initial distribution was made via a fake Flash update.

A security researcher from Proofpoint confirms this finding, tweeting that BadRabbit was initially distributed via a fake Flash update.

Proofpoint wrote that the ransomware comes with ‘tools’ to infect other computers via the network.

A few details

Based on first analyses by ESET, Emsisoft and Fox-IT, BadRabbit uses Mimikatz to extract credentials from the system’s local memory, but also carries hard-coded credentials. The ransomware tries to spread to additional servers and workstations via the network.

The ransomware probably uses DiskCryptor (an open source encryption software) to encrypt the files (it was used in the attack on the San Francisco suburban transport system, see ÖPNV-Hack in San Franzisko). As soon as Bad Rabbit has finished the infection, it restarts the user’s PC. The modified Master Boot Record (MBR) contains code that displays the ransom demand.

The victim is required to access a page in the Tor network, where a ransom of 0.05 Bitcoin (approx. $280) is demanded. Victims have a little more than 40 hours until the ransom goes up. The ransom demand is almost identical to the one used by NotPetya in the June outbreak. Nevertheless, there is little resemblance to NotPetya. Security researcher Intezer claims that there is only a 13% code match between Bad Rabbit and NotPetya.

More details

Malwarebytes has published this blog post with further details. Here is the message shown after the infection.

(Screenshot: Bad Rabbit message)

And this is the website in the Tor network, where victims can find more information. The counter with the time remaining before the ransom price rises appears there.

(Screenshot: Bad Rabbit Tor page)

The infection starts with a PE file (the fake Flash Player update). Then a file named infpub.dat comes into play (similar to NotPetya); it is a DLL that exports two functions. The first one contains the dropper that distributes the malware (infector) to other computers in the LAN. Among other things, WMIC is used to deploy the modules on remote computers. The responsible code is similar to elements of Petya/NotPetya.

Then, an attempt is made to obtain logon data (credentials) for other machines from memory using a Mimikatz module. In addition, this module has a hard-coded list of generic logon data, which is also tried in order to access other network shares.

(Screenshot: logon data)

No EternalBlue exploit is required to spread to other machines (SMB and WMIC are sufficient if the credentials are known). After successful infection, files are encrypted via a DLL using the Windows Crypto API. The following directories are omitted.

\\Windows
\\Program Files
\\ProgramData
\\AppData

A document on Pastebin lists the file names of encrypted files. ESET writes at welivesecurity.com that there is another infection method, a drive-by download via watering holes. Some frequently visited web sites seem to be infected and contain JavaScript in the HTML body or injected into .js files. Update: Here is a list of affected media sites:

ESET wrote that the malware, named Win32/Diskcoder.D, spreads via SMB, but without using the EternalBlue exploit. ESET has published the following infection statistics:

  • Russia: 65%
  • Ukraine: 12.2%
  • Bulgaria: 10.2%
  • Turkey: 6.4%
  • Japan: 3.8%
  • Other: 2.4%

The infection is still limited to Eastern Europe and Japan. US-CERT now offers this warning.

Possible kill switch found

In the meantime, security researchers have allegedly also found ways to prevent the spread of the malware on Windows computers. Some solutions are proposed in this tweet.

Just create the following files and withdraw access rights:

c:\windows\infpub.dat
c:\windows\cscc.dat

This means that the malware can no longer access its export DLL and the control file. The information can be found in this blog post, where detailed instructions are given. Another user specifies the following files to stop an infection.

%windir%\infpub.dat
%windir%\dispci.exe

But I haven’t tested these methods.
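
The file-creation steps described above, as a PowerShell sketch for an elevated session (an added example, not taken from the post, the tweet or the linked instructions). The function name Set-BadRabbitMarker and the report columns are hypothetical; the file names are the ones quoted above, and the second user's list can be passed through -Path.

```powershell
#Requires -RunAsAdministrator
# Added example. Creates the marker files named in the post and removes all
# access rights from them. Set-BadRabbitMarker is a hypothetical name.

function Set-BadRabbitMarker {
    param(
        # Default: the first pair of files quoted in the post.
        [string[]]$Path = @("$env:windir\infpub.dat", "$env:windir\cscc.dat")
    )

    foreach ($p in $Path) {
        $status = 'created'

        if (Test-Path -LiteralPath $p) {
            $item = Get-Item -LiteralPath $p -Force
            if ($item.Length -gt 0) {
                # A non-empty file with this name is not an empty marker.
                # Leave it untouched so it can be examined, and only report it.
                [pscustomobject]@{
                    Path     = $p
                    Status   = 'exists with content, not modified'
                    AceCount = $null
                }
                continue
            }
            $status = 'empty file already present'
        }
        else {
            New-Item -ItemType File -Path $p | Out-Null
        }

        # /inheritance:r removes every inherited ACE. A freshly created file
        # has no explicit ACEs, so its DACL ends up empty: no account is
        # granted read, write or execute access.
        & icacls.exe $p /inheritance:r | Out-Null
        if ($LASTEXITCODE -ne 0) {
            $status = "icacls failed with exit code $LASTEXITCODE"
        }

        # Verification: count the ACEs that remain. 0 means nothing is granted.
        $aceCount = @((Get-Acl -LiteralPath $p).Access).Count

        [pscustomobject]@{
            Path     = $p
            Status   = $status
            AceCount = $aceCount
        }
    }
}

Set-BadRabbitMarker | Format-Table -AutoSize
```

An AceCount above 0 on a file that already existed means explicit entries survived and need to be removed separately. The file's owner can always reset the permissions, so an empty DACL blocks ordinary access, not an administrator who takes the file back.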

Windows 10: Free upgrade offer for users with assistive technology ends at 12/31/2017

Just a short note for Windows users: Microsoft is ending the free upgrade offer to Windows 10 ‘for customers who use assistive technologies’.

After the free Windows 10 upgrade offer expired on July 29, 2016, Microsoft created a special solution. Users who depend on systems with assistive technologies are still eligible to upgrade to Windows 10 for free.

(Screenshot: Windows 10 free upgrade page)

Now Microsoft has updated the English web page for customers who use assistive technologies. The web site now says that the offer for a free upgrade ends on December 31, 2017. (via)

Windows 10 V1709: Fix for ‘sign-in twice’ bug

Some users of Windows 10 Fall Creators Update (version 1709) are reporting login issues. They have to log in twice to access the user desktop. But there’s a fix for that.

What’s the problem?

Users who have upgraded their system to Windows 10 Fall Creators Update (version 1709) may run into a problem: the login to the user account must be done twice, by PIN or password.

(Screenshot: Windows 10 sign-in)

After entering the login information the first time, the login page shown above re-appears and the user has to enter the PIN or password a second time to reach the desktop. A user at reddit.com wrote:

I use a PIN number to log on to my PC and since the Fall Creators Update, I need to enter the number twice. After the first PIN entry, I’m back at the lock/login screen. Any ideas?

Some posts in the Microsoft Answers forum also mention this behavior. According to this MS Answers forum thread, this is a known issue in Windows 10 Fall Creators Update. Some people propose an autologon. However, this is not the best solution if somebody wants to secure the user accounts by password or PIN.

A fix for the logon issue

Curiously, the problem does not occur for every user, but there is a workaround that prevents the double logon.

1. Open the Start menu and select the Settings app icon.

2. On the Settings app start page, click Accounts to go to the Accounts page.

3. In the left-hand column of the next page, select Sign-in options.

4. Turn off “Use my sign in info to automatically finish setting up my device after an update or restart” within the Privacy setting.

Repeat these steps under each user account. Afterward the user logon should work as usual by entering a password or a PIN only once.

I interpret the workaround in such a way that something went wrong with the device setup or an update installation for affected user accounts. Therefore, Windows 10 V1709 requires the second logon process. I assume that Microsoft will fix this bug with an update at some point.

Nvidia GeForce 388.13 WHQL graphics driver

Nvidia has released version 388.13 of its WHQL-certified GeForce graphics driver for Windows. This update contains optimizations for Call of Duty WW2 and Need for Speed Payback.

The driver can be downloaded from this web page, where drivers for Windows 7, Windows 8.1 and Windows 10 are provided. The release notes mention a few new features and bug fixes.

The WHQL-certified driver is optimized for the recently released shooter game Wolfenstein II The New Colossus. In addition, the driver already contains optimizations for Call of Duty WWII (release planned for 3rd November) and Need for Speed Payback, whose release is expected in a few days. The new driver also contains all optimizations of previous drivers.

The new driver now also supports the GeForce GTX 1070 Ti graphics card and fixes the problem where the second screen shows only a black display. Problems can occur with Adobe Photoshop CC 2017 on Windows 7 if the path blur function is called directly after application start. In Windows 10, some DisplayPort configurations (DP+2×Dual-Link-DVI) cause trouble, because the monitor remains black. In Windows 10 V1709, the color settings set in the Nvidia Control Panel are lost during restart. (via)

Oops, Microsoft’s presentation needs help from Google Chrome

An embarrassing or funny incident at Microsoft’s Ignite conference: because the Edge browser crashed, a Microsoft employee had to quickly install the Google Chrome browser during a presentation in order to complete his demo.

At this year’s Ignite 2017 conference there was also a presentation on Microsoft’s Azure cloud solution (video of the session Migrating your applications, data, and workloads to Microsoft Azure – BRK2233). A Microsoft speaker intended to demonstrate how easy it is to move data into the cloud on Microsoft Azure (see video from 37:20). Unfortunately, he hadn’t reckoned with the Edge browser, as you can see in the video. It simply crashed or hung.

(Source: YouTube)

But the guy wasn’t fazed – he probably already had practice. He quickly downloaded the Google Chrome browser, installed it and was able to finish his presentation. He commented ironically that ‘it won’t help to make Google better’, and the audience’s laughter was assured. The bottom line: thumbs up for how confidently he mastered the situation ‘with a little help from Chrome’. (via)

Windows Flash Player 27.0.0.183 Update KB4051613

Microsoft released Flash Player update KB4051613 for Windows on November 1, 2017. This update changes Flash to version 27.0.0.183.

Update KB4051613 (Update for Adobe Flash Player: November 1, 2017) resolves issues in Adobe Flash Player – according to the linked Microsoft page. Details are not given. Adobe has published a changelog for the Flash Player update from October 25, 2017.

October 25, 2017

In today’s release, we’ve updated Flash Player with an important functional fix impacting Flex content and recommend those users impacted update.

This update also fixes a Flash Player crash in VMware vSphere Web Client (see this forum post). This update is available on all supported editions of Windows Server Version 1709, Windows Server 2016, Windows 10 Version 1709 (Fall Creators Update), Windows 10 Version 1703 (Creators Update), Windows 10 Version 1607 (Anniversary Update), Windows 10 Version 1511, Windows 10 RTM, Windows 8.1, or Windows RT 8.1. Note the following:

  • All security and nonsecurity updates for Windows Server 2012 R2, Windows 8.1, and Windows RT 8.1 require the installation of update KB2919355. Microsoft recommends that you install update KB2919355 on your Windows Server 2012 R2-based, Windows 8.1-based, or Windows RT 8.1-based computer so that you receive future updates.
  • If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.

This update is available via Windows Update, but may also be downloaded and installed from Microsoft Update Catalog. For Windows 7 no Flash Player is shipped. If you have installed Adobe Flash, use the player’s auto-update or download the new Flash version from Adobe (see Adobe Flash Player Version 27.0.0.183).

Update Rollups for Windows 7/8.1 (November 2, 2017)

Microsoft released rollup update KB4052234 for Windows 7 SP1 and KB4052233 for Windows 8.1 on November 2, 2017 (both packages are also available for the Windows Server counterparts).

Update KB4052234 for Windows 7 SP1

Update KB4052234 is a non-security patch for Windows 7 SP1 and Windows Server 2008, delivered as a rollup. It fixes the Microsoft JET Database Engine bug:

Addressed issue where applications based on the Microsoft JET Database Engine (Microsoft Access 2007 and older or non-Microsoft applications) fail when creating or opening Microsoft Excel .xls files. The error message is, “Unexpected error from external database driver (1). (Microsoft JET Database Engine)“.

But this rollup is causing issues. After installing the update, users may receive an error dialog box indicating that an application exception has occurred when closing some applications. This can affect applications that use MShtml.dll to load web content. The error only occurs, if a process is already in shut down mode and does not affect the application functionality. Microsoft has been working on this problem since October and promises to fix it in one of the upcoming updates. The package can be downloaded via Microsoft Update Catalog.

Update KB4052233 for Windows 8.1

Update KB4052233 is a non-security patch for Windows 8.1 and Windows Server 2012 R2, delivered as a rollup. It fixes the Microsoft JET Database Engine bug:

Addressed issue where applications based on the Microsoft JET Database Engine (Microsoft Access 2007 and older or non-Microsoft applications) fail when creating or opening Microsoft Excel .xls files. The error message is, “Unexpected error from external database driver (1). (Microsoft JET Database Engine)“.

But this rollup is causing several known issues. Microsoft lists the following issues for KB4052233:

  • After installing KB4041693, package users may see an error dialog that indicates that an application exception has occurred when closing some applications. This can affect applications that use mshtml.dll to load web content. The failure only occurs when a process is already shutting down, and doesn’t impact application functionality. Microsoft is working on a resolution (since a while) and will provide an update in an upcoming release.
  • Some users who have the text size for icons set to a larger size (using Display Settings in Control Panel) may have issues launching Internet Explorer. Reducing the text size for icons to a smaller value or using the Change the size of all items setting should lessen this issue. I’ve seen this workaround since October, and Microsoft promises to fix this issue within one of the upcoming patches.

The package may be downloaded via Microsoft Update Catalog and may be installed manually.

Similar articles:
Windows Flash Player 27.0.0.183 Update KB4051613
Windows 10 Updates November 2, 2017


Windows 10 Updates November 2, 2017

Microsoft released some updates (KB4049370, KB4052231, KB4052232) for various Windows 10 builds (one for the Surface Laptop) on Thursday, November 2, 2017. Some updates fix the Microsoft JET Database Engine bug for various Windows 10 builds.

Update KB4049370 for Windows 10 Version 1703

Cumulative update KB4049370 is for Windows 10 Creators Update (Version 1703) and changes the build number to 15063.675. This version is only for the Microsoft Surface Laptop and contains quality improvements according to Microsoft. No new operating system features are introduced in this update.

This update addresses an issue where, after installing KB4038788, some Microsoft Surface Laptops boot to a black screen and the power button must be pressed for a long time to recover. This update may be downloaded from Microsoft Update Catalog. Further details, including known issues with this package, may be obtained from KB4049370.

Update KB4052231 for Windows 10 Version 1607

Cumulative update KB4052231 is for Windows 10 Anniversary Update (Version 1607) and changes the build number to 14393.1797. This update fixes the Microsoft JET Database Engine-Bug:

Addressed issue where applications based on the Microsoft JET Database Engine (Microsoft Access 2007 and older or non-Microsoft applications) fail when creating or opening Microsoft Excel .xls files. The error message is, “Unexpected error from external database driver (1). (Microsoft JET Database Engine)”.

Details about known issues may be read in KB4052231. Microsoft will also release an update directly to the Windows Update Client to improve Windows Update reliability. It will only be offered to devices that have not installed the most recent updates and are not currently managed (e.g., domain joined). The package is available via Microsoft Update Catalog for direct download and manual install.

Update KB4052232 for Windows 10 Version 1511

Cumulative update KB4052232 is for Windows 10 Version 1511 and changes the build number to 10586.1177. This update fixes the Microsoft JET Database Engine bug (same as cumulative update KB4052231). The package is available via Microsoft Update Catalog for direct download and manual install.

Similar articles:
Microsoft Office Patchday (October 3, 2017)
Adobe Flash Update 27.0.0.159 (October 2017)
Microsoft Security Updates Summary October 2017
Windows 10 Updates (October 10, 2017)
Microsoft Office Security Updates (October 10, 2017)
Windows 10: Updates KB4041688, KB4043961 (10/17/2017)
Windows 7/8.1 Preview Rollups October 2017
Windows 10 V1703: Update KB4041676 install issues
Windows Flash Player 27.0.0.183 Update KB4051613

Microsoft tries to fix the JET Database Engine bug

Microsoft released a fix for the Microsoft JET Database Engine bug on November 2, 2017. This update fixes the problem with the Access or Excel database connection, but not in all versions of Windows. Here are some details about the topic.

The Background

There was a buffer overflow vulnerability in the Microsoft JET Database Engine that allowed a remote code execution attack. The attacker was able to install programs, view, modify or delete data, and create new accounts with full user privileges. However, users whose user accounts are configured to work with default permissions were less likely to be affected than users with administrator privileges.

Microsoft has detailed this vulnerability in Security Advisory CVE-2017-0250 (last revision October 10, 2017). In August 2017 Microsoft released security updates for some Windows versions to close this vulnerability (see Patchday August 2017: Updates for Windows 7/8.1).

Issues since October 2017 patchday

On October 10, 2017 Microsoft released another patch that causes issues. I received this comment, which mentions trouble accessing Excel files from Access.

Since the last Windows update 10.10.2017, it is no longer possible to link Excel files to Access 2000, or to open linked Excel files.

Other comments within my blog confirmed an Excel database access error. Microsoft was aware of this issue, as the following text indicates:

Issue where applications based on the Microsoft JET Database Engine (Microsoft Access 2007 and older or non-Microsoft applications) fail when creating or opening Microsoft Excel .xls files. The error message is, “Unexpected error from external database driver (1). (Microsoft JET Database Engine)“.

Microsoft patches only some Windows builds

On November 2, 2017 Microsoft released a couple of extraordinary updates, some of which address the Microsoft JET Database Engine bug. Here are the updates:

  • Update KB4052234 for Windows 7 SP1 and Windows Server 2008
  • Update KB4052233 for Windows 8.1 and Windows Server 2012 R2
  • Update KB4052231 for Windows 10 Anniversary Update (Version 1607)
  • Update KB4052232 for Windows 10 Version 1511

For Windows 10 Fall Creators Update (V1709) Microsoft had released cumulative update KB4043961 on 10/17/2017. It also addresses the Microsoft JET Database Engine issue. For all other Windows 10 builds (Windows 10 RTM and Windows 10 Creators Update, version 1703) no update is available.

Issues and a workaround

Installing the updates mentioned above is a bittersweet pill. They fix the Microsoft JET Database Engine issue, but cause other issues. For instance:

After installing KB4041681, package users may see an error dialog that indicates that an application exception has occurred when closing some applications. This can affect applications that use mshtml.dll to load web content. The failure only occurs when a process is already shutting down, and doesn’t impact application functionality.

Details may be found in the KB articles linked above. Microsoft is working on a resolution and will provide an update in an upcoming release. I guess not everybody will install the updates mentioned above, due to the side effects. But there is a workaround for the Microsoft JET Database Engine error.

Instead of using the Microsoft.Jet.OLEDB.4.0 provider, use the Microsoft Access Database Engine (ACE) provider. Download and install the Microsoft Access Database Engine 2010 Redistributable. Then change the DB connection string in Microsoft Excel (or in other apps) to the ACE provider. The string

Provider=Microsoft.Jet.OLEDB.4.0

needs to be changed to:

Provider=Microsoft.ACE.OLEDB.12.0

Microsoft Excel is then able to read Access databases.
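
The provider switch described above, as an added PowerShell example (not from the original post) for Windows PowerShell 5.1: it checks that the ACE provider is registered for the current process bitness before rewriting a connection string. The function names and the sample connection string are constructed for illustration.

```powershell
# Added example for Windows PowerShell 5.1. Function names are hypothetical.
Add-Type -AssemblyName System.Data

$JetProvider = 'Microsoft.Jet.OLEDB.4.0'
$AceProvider = 'Microsoft.ACE.OLEDB.12.0'

function Test-OleDbProvider {
    param([Parameter(Mandatory)][string]$Name)
    # Lists the OLE DB providers registered for this process. A 32-bit ACE
    # installation is not visible to a 64-bit process, and vice versa.
    $providers = (New-Object System.Data.OleDb.OleDbEnumerator).GetElements()
    [bool]($providers.Rows | Where-Object { $_.SOURCES_NAME -eq $Name })
}

function Convert-JetToAceConnectionString {
    param([Parameter(Mandatory)][string]$ConnectionString)

    # The builder parses the string, so keys such as Data Source and
    # Extended Properties are carried over unchanged.
    $builder = New-Object System.Data.OleDb.OleDbConnectionStringBuilder -ArgumentList $ConnectionString

    # Index by key: PowerShell treats the builder as a dictionary.
    if ($builder['Provider'] -ne $JetProvider) {
        return $ConnectionString      # not a JET connection, leave as is
    }
    if (-not (Test-OleDbProvider -Name $AceProvider)) {
        throw "$AceProvider is not registered for this process; install the redistributable first."
    }
    $builder['Provider'] = $AceProvider
    $builder.ToString()
}

# Constructed sample: an .xls file opened through the JET provider.
$sample = 'Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\data\report.xls;Extended Properties="Excel 8.0;HDR=YES"'
Convert-JetToAceConnectionString -ConnectionString $sample
```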

Similar articles
Patchday August 2017: Updates for Windows 7/8.1
Update Rollups for Windows 7/8.1 (November 2, 2017)
Windows 10 Updates November 2, 2017
Windows Flash Player 27.0.0.183 Update KB4051613

Windows 10: What is REMSH.exe for?

Recently I stumbled over a question in a German forum asking what the file REMSH.exe is for. Here is some information I found after investigating this question.

The first case I’ve seen

I first stumbled upon the program file REMSH.exe, and the question of what this file is for, in this German forum discussion. A user wrote:

Firewall reports since a few weeks ago that REMSH.exe wants to connect to MS

For some time I’ve been receiving firewall alerts that the file remsh.exe wants to use the path C:\Program Files\rempl\ to establish a connection to an IP which, according to the IP address of the server query, belongs to Microsoft Corporation, or more precisely to Microsoft Azure.

Can someone tell me what this file wants to do and where it comes from? All affected computers are Windows 10 Pro with Comodo Firewall 10.

Browsing the Internet doesn’t seem to help at first glance. The first MS Answers forum entry I found claimed (wrongly) that it was malware.

What is remsh.exe?

remsh.exe (C:\Program Files\rempl\remsh.exe) tries to access the Internet these days

remsh.exe is signed by Microsoft. It also has high CPU usage and disk writing sometimes.

What is remsh.exe? What is it for?

This Microsoft Answers forum thread also points in the same direction – note the answer of the Microsoft employee. And here we have a discussion saying that Rempl triggers a daily task.

Could REMSH.exe be malware?

The first question to check would be: Is remsh.exe malware or something from Microsoft? Checking several forum entries, I found out that the file is located in the path:

C:\Program Files\rempl\

as mentioned above. And the user cited above wrote that the program tries to connect to a Microsoft Azure server. So it seems that the program is legit. But checking some test machines with Windows 10, I wasn’t able to find this file. This triggers ‘worse fears’ that it could be malware.

(Screenshot: REMSH.exe)

The best you can do in such a case: Right-click the file, select Properties and check the Digital Signatures property page. Here I found a user who has posted the screen shown above. The file has been digitally signed by Microsoft, so it’s not malware.

What you should also do: Upload the file to VirusTotal and let it check for malware.
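
The same check done from PowerShell instead of the Properties dialog (an added example, not from the original post): it validates the Authenticode signature rather than only reading the signer name, and computes the SHA-256 hash, which can be searched on VirusTotal without uploading the file. Test-MicrosoftSignedFile is a hypothetical name, and the subject-name match is a heuristic.

```powershell
# Added example. Test-MicrosoftSignedFile is a hypothetical helper name.
function Test-MicrosoftSignedFile {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate

    # Status 'Valid' means the file hash matches the signature and the
    # certificate chain is trusted on this machine. 'NotSigned',
    # 'HashMismatch' or 'NotTrusted' all fail the check.
    $validSignature = ($sig.Status -eq 'Valid')

    # Heuristic: the signer's subject names Microsoft Corporation. On its own
    # this proves nothing; it only counts together with a valid chain.
    $subjectIsMicrosoft = ($null -ne $cert) -and
                          ($cert.Subject -match 'O=Microsoft Corporation')

    [pscustomobject]@{
        Path            = $Path
        Present         = $true
        SignatureStatus = $sig.Status
        Signer          = if ($cert) { $cert.Subject } else { $null }
        Issuer          = if ($cert) { $cert.Issuer } else { $null }
        Thumbprint      = if ($cert) { $cert.Thumbprint } else { $null }
        FileVersion     = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
        Sha256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        MicrosoftSigned = $validSignature -and $subjectIsMicrosoft
    }
}

# Path as reported in the forum posts quoted above.
Test-MicrosoftSignedFile -Path 'C:\Program Files\rempl\remsh.exe' | Format-List
```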

But what is REMSH.exe?

The remaining question is: Why is REMSH.exe available only on some machines, and is there an explanation of what the file is for? Searching the web for the file name brought me to Microsoft’s KB article 4023057, which gives us some clues. At the time this blog post was written, KB4023057 was titled Update to Windows 10 Versions 1507, 1511, and 1607 for update reliability: November 2, 2017. Microsoft says:

This update includes reliability improvements that affect the update components in Windows 10 Versions 1507, 1511, and 1607.

This update includes files and resources that address issues that affect the update processes in Windows 10. These improvements ensure that quality updates are installed seamlessly to improve the reliability and security of Windows 10.

Only certain builds of Windows 10 Versions 1507, 1511, and 1607 require this update. Devices that are running those builds will automatically get the update downloaded and installed through Windows Update.

And there I found a mention of Remsh.exe:

File name    File version       File size   Date          Time
Remsh.exe    10.0.14393.1273    707,064     29-Sep-2017   03:28

The file version given in the table above may vary. But we have a firm explanation for our questions. First of all, the file may be found on ‘certain builds of Windows 10 Versions 1507, 1511, and 1607 [that] require this update’. And it addresses issues that affect the update processes in Windows 10. I hope this has shed some light on this topic.

Windows 7/8.1: KB4052234 & KB4052233 has been pulled

Microsoft has pulled both November 2017 rollup updates, KB4052234 for Windows 7 SP1 and KB4052233 for Windows 8.1 (and the Server counterparts). Both updates were supposed to fix the Microsoft JET Database Engine bug, but are causing issues.

Some Background details

On November 2, 2017 Microsoft released the rollup updates KB4052234 for Windows 7 SP1 and KB4052233 for Windows 8.1 (also for the corresponding servers). I’ve reported this within my blog posts Microsoft tries to fix the JET Database Engine bug and Update Rollups for Windows 7/8.1 (November 2, 2017). Both rollup updates are intended to fix the Microsoft JET Database Engine bug:

Addressed issue where applications based on the Microsoft JET Database Engine (Microsoft Access 2007 and older or non-Microsoft applications) fail when creating or opening Microsoft Excel .xls files. The error message is, “Unexpected error from external database driver (1). (Microsoft JET Database Engine)“.

But I mentioned in my blog posts that both update packages come with serious known issues.

Issues caused by both updates

One of the collateral damages admitted by Microsoft is that when users close some applications, they see an error dialog box indicating that an application exception has occurred. This can affect applications that use MShtml.dll to load web content. The error only occurs if a process is already shutting down and does not affect the application functionality.

With Windows 8.1, there may also be problems starting Internet Explorer if the display settings are not correct (see my details in the linked blog post). A German blog reader also posted a comment that after installing the update under Windows 8.1, a total of 23 important updates were offered, but with release dates from 2015/2016. It seems that packages KB4052234 and KB4052233 confuse the Microsoft Update Component Store, so that old updates are requested.

Microsoft quietly pulled both updates

To cut a long story short: I didn’t even install the updates because of the collateral damage that Microsoft indicates. Now the German blog reader has left a comment that both updates have been withdrawn by Microsoft. Some colleagues at winfuture.de have noticed this. And the colleagues from deskmodder.de pointed out that they could have been withdrawn because of the ‘older updates’, as I mentioned above. It seems that we once again had a quick shot from Redmond, which only lasted a few days.

Similar Articles
Update Rollups for Windows 7/8.1 (November 2, 2017)
Microsoft tries to fix the JET Database Engine bug 
Windows Flash Player 27.0.0.183 Update KB4051613
Windows 10 Updates November 2, 2017

Windows 10: Store error 0x80080204 explained

Some users of Microsoft Windows 10 are receiving error 0x80080204 while downloading apps from the Microsoft Store. Here is some background information and an explanation for a case in Windows 10 Fall Creators Update.

What are we talking about?

Trying to download an app from the Microsoft Store ends in some cases with error code 0x80080204. Then the app can’t be installed.

(Screenshot: Error code 0x80080204)

Searching the web for error code 0x80080204 results in many hits for distinct Windows (10) versions (here, here, here etc.). Here the Audible app is causing this issue. Some hits mention Windows 10 Mobile, others refer to Windows 10 for PCs. And I also found hits from 2012, referring to Windows 8.

What does error code 0x80080204 mean?

Somewhere I read that a user had identified a bad SD card in his Lumia under Windows 10 Mobile as the reason for the error code. However, since most users don’t use an SD card on desktop systems to store apps, it can’t be the general root cause. Therefore it would be helpful to have more details on what the error code 0x80080204 stands for.

Searching my error code lists did not yield an explanation; the error code wasn’t found in the usual error lists. You have to go into the files with the error definitions of the Windows SDK to find hints if necessary. I still haven’t installed an SDK on my computer, but when searching the internet I found this forum post on Windows 8 from 2012, where André Ziegler (who also posts within my German blog) mentioned the details.

//
// MessageId: APPX_E_INVALID_MANIFEST
//
// MessageText:
//
// The Appx package's manifest is invalid.
//
#define APPX_E_INVALID_MANIFEST          _HRESULT_TYPEDEF_(0x80080204L)

The manifest used within the appx package is damaged. André linked to this MSDN article explaining some details of an app. The solution can be (in some cases) to uninstall and reinstall the app from Microsoft Store.

I’ve addressed the manifest issue recently within my blog post Windows 10 V1709: Store broken (wrong manifest layout).

Error 0x80080204 in Windows 10 Fall Creators Update

After the release of the Windows 10 Fall Creators Update, it seems that some apps are affected by this error. For Windows 10 Mobile V1709 there is a thread in the Dropbox forum, where a user mentions this issue.

The installed DropBox version worked properly

Trying to update from the Microsoft Store under Win10 Mobile 1709 Fall Creators update results in error 0x80080204.

I then uninstalled DropBox.
A new install now results in the same error 0x80080204.

This is a case where reinstalling an app won’t fix the issue. MVP Rudy Huyn, who is a developer, posted his findings for this special case. He received feedback and one-star reviews for one of his apps, where users claimed that the app could not be downloaded from Microsoft Store, as he wrote within his blog. Rudy Huyn found the reason for this behavior. It’s a combination of Visual Studio 2017 and the Windows 10 Fall Creators Update SDK. His explanation:

If your application contains a background audio agent, each time you edit your AppxManifest via the App Manifest Designer (the default viewer of this type of file) when you change the version number of your app (when you create a package for example), the appxmanifest becomes corrupted.

This also explains why a re-install didn’t fix the issue (the app itself is broken in the Store). I can’t help it, but my impression is that since Microsoft is forcing Store apps, the number of errors (compared to Win32 applications) is rising. (via Windows Latest, via)

Similar articles
Windows 10 V1709: Store broken (wrong manifest layout)
Fix: Microsoft Edge doesn’t work anymore or crashes
Windows 10: Store login shows only a grey box
Windows 10: App download ends with error 0x803FB107

OneDrive traps: Account blocked; no logoff in browser


[German]Microsoft’s OneDrive online storage system has some rather stupid pitfalls: If a Microsoft account is not used for a long time, Microsoft freezes the account. And if you want to access another OneDrive account via browser, this doesn’t seem to work. There is simply no logoff feature within the web client (it seems to be a bug – or more drastically: the browser client for OneDrive is broken and a big mess). Here is some information and a workaround on how to get out of this mess.

Users who do not use their Microsoft account frequently risk that Microsoft locks or freezes services such as OneDrive. Then a user isn’t able to access his OneDrive files for 24 hours. I accidentally ran into this problem yesterday under Windows 7. And I was suddenly facing a second problem, a missing OneDrive logoff option in the browser. Maybe it’s all well known and I was the only one who didn’t know it. But I will publish the info here, in case someone else is confronted with the problem.

Trap 1: Microsoft account unused

I have set up several Microsoft accounts for my test machines running Windows 8.1/10 and for accessing Microsoft services. One of these Microsoft accounts is the one I use frequently for Microsoft forums, MSDN, the Insider Preview program etc. In addition, there are less frequently used Microsoft accounts.

Yesterday I wanted to register for a test of an online service from a third-party provider. I planned to use the e-mail address of one of my Microsoft accounts to register for the service. Because I was unsure whether the third-party provider would send a confirmation email to the specified email account, I used a browser to quickly log in to the Outlook account and left the window open. Because no confirmation mail was ever received, I closed the browser window after a while, without logging out of the Microsoft account.

A couple of hours later, I needed to upload a couple of files to my OneDrive storage. So I opened a browser window and typed onedrive.com into the address bar. The browser redirects me either to live[dot].com for login, or to the OneDrive window of the current Microsoft account.

OneDrive frozen …

Suddenly I got a message within the browser that my OneDrive account had been ‘frozen’ by Microsoft. My first thought was that I might have been redirected to a phishing or malware site. So I checked the URL, but the message was from Microsoft and told me that my Microsoft OneDrive account had been frozen and OneDrive refused access (I had had access to the mailbox associated with the same Microsoft account hours earlier).

Background: If an account for OneDrive isn’t used for a year, Microsoft will freeze that account (see this Microsoft page). 

Well, it’s not a problem, I thought. I clicked the logo in the browser window to ‘unfreeze’ my OneDrive account. Then I received the following notification.

OneDrive account frozen

It could take 24 hours to unfreeze my account – seriously, Microsoft? Hey, they spend hours designing the logo for the notification, but I have to wait 24 hours to unlock my account. But that should not be a real issue, because my intention was to use another Microsoft account for my OneDrive upload.

Trap 2: Nailed to your OneDrive account?

I failed badly at quickly logging off from the frozen account and logging in to the account planned for the upload. The OneDrive browser page didn’t show that damn logoff feature (the upper bar within the browser window shown in the above screenshot is empty and black).

There is no logo for the user account, and the logo that Microsoft services such as Outlook Mail show in the upper left corner (see following screenshot) for accessing the services (OneDrive, Outlook etc.) of the account was also missing on the OneDrive page.

Microsoft account options

A logout from the OneDrive account seemed impossible for me. I have tested it explicitly with IE 11 in addition to Google Chrome.

A workaround …

My first idea was to use another browser to log in to the second Microsoft account and upload the files. Then I decided to try another workaround. I shortened the URL onedrive.live.com/?id=xxx to live.com/?id=xxx. The Outlook Mail window appeared within the browser and I was able to log out again.

While writing this blog article, I searched the web and found many users who have been asking for years how to log off from a OneDrive account.

A bug

Discussing this behavior with a buddy led to another finding. We found the entry PCs within the left pane.

OneDrive options

Clicking this command forced the browser to open another tab (see below).

OneDrive page

And the header of the new page contains the user’s logo and other options. So I was able to log off. To switch back to the OneDrive view, go to the still open tab, or click the nine squares shown in the upper left corner and select OneDrive. Pretty broken, that thing.

Windows 10: Store error 0x87AF000B


[German]Occasionally, when users try to download apps from the Microsoft Store on Windows 10, error code 0x87AF000B is displayed. Then no more app downloads are possible.

The error detailed

Under Windows 10, users are suddenly no longer able to load apps from the Microsoft Store. Each attempt ends with error code 0x87AF000B. The message shown below is not really helpful. It just says that something unexpected has occurred.

Error 0x87AF000B

Searching the web reveals many hits in Microsoft Answers (see here). The proposed fixes, like resetting the store using wsreset.exe or resetting Windows Update (see here), won’t help. Restarting Windows 10, as proposed within the error notification shown above, isn’t a fix either, as you can read here.

What exactly does the error code stand for?

The first question I ask in this case is what error code 0x87AF000B stands for. According to this web page, 0x87AF000B stands for an SQLite error SQLITE_E_CORRUPT, ‘The database disk image is malformed’.

The error must be interpreted in such a way that Windows uses SQLite to write and read app data into a database. If this database is damaged, the operations no longer work and the error occurs. The error can occur if an operation on the database is not properly completed, for example, due to the crash of an app.

It is possible to repair the SQLite database with suitable tools. The approaches are described in this article, as well as here, and here you will find additional information. However, this approach is likely to fail in practice because neither the database repair tool nor the location of the database is known.

Trick: Create a new DB if the old one is broken

How can you, as a normal user, create a new SQLite database for the store? Since this database is administered on a user-specific basis under Windows 10, there is a solution. What you can try is to create a new local user profile and log in under this profile. Then start the Windows Store as an app and connect the app to the Microsoft account. These steps force Windows to create a new SQLite database for the account.

If the store download works again, it’s clear that the old database in the user profile is corrupted. In this case, I would delete the old user account via the settings app or the control panel and create a new one. This resets the local profile. This approach was mentioned as successful within this forum thread.


Windows 10 Update error 0x800B0100


[German]Does Windows throw an update error 0x800b0100 and abort the download and installation of updates? Here is some information about this bug, which I have encountered from Windows 7 to Windows 10.

Recently I stumbled upon this German message reporting update error 0x800b0100 for Windows 10. Windows 10 displayed a plain-text error message saying that some update files are not signed properly.

Error 0x800b0100

But I’ve also seen this error in Windows 7, and within my German blog post Windows 7 Service Pack 1 Troubleshooting-Tipps I’ve posted some details. The error code 0x800B0100 stands for TRUST_E_NOSIGNATURE and means that the update package’s digital signature is missing or wrong.
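The three error codes covered in these posts (0x80080204, 0x87AF000B and 0x800B0100) are all HRESULT values, and splitting them into their bit fields shows which Windows component each one comes from. The Python sketch below is an added example, not code from the blog or from Microsoft; the function names are made up for illustration, the facility numbers are the ones defined in the Windows SDK header winerror.h, and 11 is SQLite's own SQLITE_CORRUPT result code.

```python
# Added example: split an HRESULT into its fields
# (bit 31 = failure, bit 29 = customer-defined, 11-bit facility, 16-bit code).

# Subset of the facility numbers defined in winerror.h.
FACILITIES = {
    0: "FACILITY_NULL",
    7: "FACILITY_WIN32",
    8: "FACILITY_WINDOWS",
    11: "FACILITY_CERT",
}

# Symbolic names exactly as quoted in the articles on this page.
PAGE_CODES = {
    0x80080204: "APPX_E_INVALID_MANIFEST",
    0x87AF000B: "SQLITE_E_CORRUPT",
    0x800B0100: "TRUST_E_NOSIGNATURE",
}

SQLITE_CORRUPT = 11  # SQLite result code: "database disk image is malformed"


def parse_hresult(value):
    """Normalise an int or a string such as '0x80080204L' or '-2146762496'
    (logs often print the signed 32-bit form) to an unsigned 32-bit int."""
    if isinstance(value, str):
        text = value.strip().rstrip("Ll")  # header files append an 'L' suffix
        value = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    if not -(1 << 31) <= value < (1 << 32):
        raise ValueError("not a 32-bit value: %r" % value)
    return value & 0xFFFFFFFF


def decode_hresult(value):
    """Return the bit fields of an HRESULT as a dictionary."""
    hr = parse_hresult(value)
    facility = (hr >> 16) & 0x7FF
    return {
        "hex": "0x%08X" % hr,
        "failure": bool(hr >> 31),
        "customer_defined": bool((hr >> 29) & 1),
        "facility": facility,
        "facility_name": FACILITIES.get(facility, "unknown (0x%03X)" % facility),
        "code": hr & 0xFFFF,
        "name": PAGE_CODES.get(hr, "not discussed on this page"),
    }


if __name__ == "__main__":
    for sample in ("0x80080204L", "0x87AF000B", "-2146762496"):
        fields = decode_hresult(sample)
        print(fields)
        if fields["code"] == SQLITE_CORRUPT and fields["name"] == "SQLITE_E_CORRUPT":
            # The low word of the Store error is SQLite's own result code.
            print("  low 16 bits equal SQLITE_CORRUPT (11)")
```

The signature error belongs to the certificate facility and the manifest error to the Windows facility, while the low word of 0x87AF000B is SQLite's native code for a malformed database image.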

Possible fixes

The first thing I suggest in Windows 10 is to restart the operating system. If necessary, this restart can be carried out with the Shift key pressed.

If the restart does not help, it is recommended that you check the system for corrupted files. The steps are described in more detail in the article Check and repair Windows system files and component store. Dism is also used to inspect and repair the component store, if necessary.

For Windows 7, 8, 8.1 and older versions, Microsoft has described in this KB article that DLL files are no longer properly registered. Microsoft describes in principle the repair approach that I discussed in the article Check and repair Windows system files and component store. Because Windows 7 doesn’t support dism, the tool checksur is needed to repair the system. And this Microsoft blog post discusses a similar case.

If third-party Internet security tools (virus scanners, etc.) are installed, they should be uninstalled and a clean tool from the manufacturer should be used. This is to ensure that these programs do not damage the downloads.

If these measures do not work, you can still try to reset the Update Store manually. How this works is described in the blog entry Windows 10: Update error 0x80240437.

Microsoft offers broken updates

At the end of the day, however, it may also be that Microsoft has provided update packages with incorrect signatures on the update servers. The case quoted above, in which two machines are affected at the same time, indicates this (I know the person affected, and he is able to carry out the above methods).

Similar articles:
Windows 10 Wiki
Check and repair Windows system files and component store
Windows 10: Update error 0x80240437
Windows 10 V1709: Store broken (wrong manifest layout)

Warning about a Fake Movie Maker


[German]Fraudsters offer a fake version of Microsoft Windows Movie Maker for download. The link has made it to the first (or second) place, depending on the search term, in the search results thanks to optimizations of the crooks.

Windows Movie Maker is a video editor offered for free by Microsoft. But Windows Live Essentials 2012, which included Movie Maker, has been withdrawn from download for a while. Microsoft only offers Movie Maker as a Windows 10 App in Microsoft Store. Fraudsters take advantage of this and offer a fake version of Movie Maker for download on a website. The criminals have succeeded in pushing the website windows-movie-maker[.dot]org to the top of search engine results.

Fake Movie Maker in Google search

If you search for ‘Movie Maker’ in Google or other search engines, the fake page is listed in first place in the hits. When searching for ‘Windows Movie Maker’, the scammers’ page appears as the second hit (see screenshot above). The link leads to the following page where the Movie Maker is offered for free download.

Fake Movie Maker site

The counterfeit software then tries to get money from the users (although Movie Maker was always free). If users install the software offered on the above-mentioned website, they will receive a working Windows Movie Maker. In contrast to the official and free Windows Movie Maker from Microsoft, however, the downloaded version claims that it is a trial version, which needs to be upgraded to a full version in order to offer all the features. That’s supposed to cost $29.95.

ESET security researchers have published this blog post about this topic. ESET classifies the website as Win32/Hoax.MovieMaker. On November 5, 2017, Win32/Hoax.MovieMaker was the third most detected threat worldwide and the biggest threat in Israel. Since November 6, ESET telemetry has recorded many downloads in the Philippines, Israel, Finland and Denmark.

#AVGater: Design flaw in Anti-Virus products set users at risk


[German]A design flaw in various antivirus products allows malware or local attackers to exploit the “Restore Quarantine” feature. Malware that has already been quarantined can be moved to sensitive areas of the operating system in order to survive restarts and escalate privileges.

Florian Bogner, a security auditor of the Austrian cyber-security company Kapsch, discovered the flaw, which he tracks under the code name AVGater. Bogner has informed the affected antivirus vendors, and some have already updated their security solutions. Bogner published the findings in this blog post.

Some basics

The following illustration shows the inner workings of a typical antivirus product from the perspective of an unprivileged user. There are three different access domains: kernel mode, privileged user mode (SYSTEM) and unprivileged user mode. As the following figure shows, the various components have very different tasks:

AV modules and privileges
(Source: Bogner)

In the context of the unprivileged user, there is only the AV user interface. It alone has no real power because it is executed within a limited user session. However, by communicating with the Windows service of the AV program, the user interface can do many things that a normal user is denied in terms of permissions. For example, it may be allowed to recover files from the virus quarantine.

AVGater exploits this

The question is whether an attack scenario is conceivable that exploits the quarantined files to infiltrate the system with malware, even though the user has no privileges. Bogner has published the following video.

 (Source: YouTube)

As shown in the video above, #AVGater can be used to restore a previously quarantined file to any location on the file system. This is possible because the restore process is usually performed by the privileged AV Windows user mode service.

This privileged file write vulnerability can be used to place a malicious DLL anywhere on the system. The goal is to side-load this library into a legitimate Windows service by abusing the DLL search order, as Bogner wrote. If this succeeds, arbitrary code can be executed via the DLLMain entry point.

The unanswered question: How can the quarantine file restore be used without system privileges? The answer is NTFS directory junctions, which can be created by anyone with the help of mklink. Misusing NTFS directory junctions allows quarantined files to be restored to any location within a system. This makes the following scenario possible.

  • First a malicious library is moved to the AV quarantine. Then the original source path is redirected to another destination through the misuse of NTFS directory junctions (probably a folder in C:\Program Files or C:\Windows).
  • By restoring the previously isolated file, the SYSTEM privileges of the Windows user mode service are abused and the malicious library is placed in a folder that the currently logged-on user cannot write to under normal conditions.
  • Because of the way the DLL search order works, the library is eventually loaded by another privileged Windows process. The code is executed within the DLLMain of the malware library.

A local non-administrator thus gains full control over the affected endpoint. Bogner has summarized the whole process in the following picture.

#AVGater infection path
(Source: Bogner)

AV vendors Trend Micro, Kaspersky, Malwarebytes, EMSISoft, ZoneAlarm and IKARUS have fixed this vulnerability with updates. Further details may be read here.
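The post does not say how the vendors changed their restore logic. As an added example (not Bogner's or any vendor's code), the following Python sketch shows one check a restore routine could make before writing a file back: walk the recorded original path and refuse the restore if any directory on the way has become a junction or symbolic link. The function names and the directory layout in `demo()` are made up for illustration, and the demo uses a symbolic link in a temporary folder as a stand-in for an NTFS junction.

```python
# Added example: refuse a quarantine restore when a directory on the way to
# the recorded original location has been turned into a junction or symlink.
import os
import stat
import tempfile


def is_reparse_point(path):
    """True for symbolic links and, on Windows, any NTFS reparse point
    (directory junctions created with mklink are reparse points)."""
    try:
        st = os.lstat(path)  # lstat inspects the link itself, not its target
    except (FileNotFoundError, NotADirectoryError):
        return False
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)  # only present on Windows
    return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)


def redirected_dirs(trusted_root, restore_path):
    """List every directory between trusted_root and restore_path that is a
    link or junction. trusted_root is a directory the caller has verified."""
    root = os.path.abspath(trusted_root)
    target = os.path.abspath(restore_path)
    if target == root or os.path.commonpath([root, target]) != root:
        raise ValueError("restore path must lie below the trusted root")
    hits, current = [], root
    rel_dir = os.path.relpath(os.path.dirname(target), root)
    for part in rel_dir.split(os.sep):
        if part in ("", "."):
            continue
        current = os.path.join(current, part)
        if is_reparse_point(current):
            hits.append(current)
    return hits


def may_restore(trusted_root, restore_path):
    """Allow the restore only if no directory on the path is redirected."""
    return not redirected_dirs(trusted_root, restore_path)


def demo():
    """Constructed scenario in a temporary folder."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        docs = os.path.join(root, "user", "docs")
        protected = os.path.join(root, "protected")
        os.makedirs(docs)
        os.makedirs(protected)
        recorded = os.path.join(docs, "sample.dll")  # path stored at quarantine time
        before = may_restore(root, recorded)
        # The user-writable folder is replaced by a link to the protected one.
        os.rmdir(docs)
        os.symlink(protected, docs, target_is_directory=True)
        after = may_restore(root, recorded)
        return before, after


if __name__ == "__main__":
    print(demo())
```

The check and the later write are two separate steps, so a service relying on it would also have to make sure the path cannot be swapped in between.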

Microsoft Patchday Summary (November 14, 2017)


[German]Microsoft has released a couple of security updates for Windows, Office etc. on November 14, 2017. Here is a short overview of those updates.

Details about those security updates may be found within Microsoft’s Security Tech Center. I will also document the updates in separate blog posts.

Critical Security Updates

Adobe Flash Player
ChakraCore
Microsoft Edge
Internet Explorer 9
Internet Explorer 11

Important Security Updates

Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1511 for 32-bit Systems
Windows 10 Version 1511 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1703 for 32-bit Systems
Windows 10 Version 1703 for x64-based Systems
Windows 10 Version 1709 for 32-bit Systems
Windows 10 Version 1709 for x64-based Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server, version 1709
Microsoft Excel 2007 Service Pack 3
Microsoft Excel 2010 Service Pack 2 (32-bit editions)
Microsoft Excel 2010 Service Pack 2 (64-bit editions)
Microsoft Excel 2013 RT Service Pack 1
Microsoft Excel 2013 Service Pack 1 (32-bit editions)
Microsoft Excel 2013 Service Pack 1 (64-bit editions)
Microsoft Excel 2016 (32-bit edition)
Microsoft Excel 2016 (64-bit edition)
Microsoft Excel 2016 Click-to-Run (C2R) for 32-bit editions
Microsoft Excel 2016 Click-to-Run (C2R) for 64-bit editions
Microsoft Excel Viewer 2007 Service Pack 3
Microsoft Office 2007 Service Pack 3
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
Microsoft Office Compatibility Pack Service Pack 3
Microsoft Office Web Apps 2010 Service Pack 2
Microsoft Office Web Apps Server 2013 Service Pack 1
Microsoft Office Word Viewer
Microsoft Project Server 2013 Service Pack 1
Microsoft SharePoint Enterprise Server 2016
Microsoft Word 2007 Service Pack 3
Microsoft Word 2010 Service Pack 2 (32-bit editions)
Microsoft Word 2010 Service Pack 2 (64-bit editions)
Microsoft Word 2013 RT Service Pack 1
Microsoft Word 2013 Service Pack 1 (32-bit editions)
Microsoft Word 2013 Service Pack 1 (64-bit editions)
Microsoft Word 2016 (32-bit edition)
Microsoft Word 2016 (64-bit edition)
Microsoft Office 2016 for Mac
Word Automation Services
.NET Core 1.0
.NET Core 1.1
.NET Core 2.0
ASP.NET Core 1.0
ASP.NET Core 1.1
ASP.NET Core 2.0

Moderate Security Updates

Internet Explorer 10

Similar articles:
Windows 10 Updates November 2, 2017
Update Rollups for Windows 7/8.1 (November 2, 2017)
Microsoft Office Patchday (November 7, 2017)

Microsoft extends Windows 10 V1511 support for 6 months


[German]Interesting information for owners of Windows 10 version 1511. Actually, the support of this version should have ended last month.

Windows as a service – after 18+n months it’s over

Microsoft’s Windows as a service approach means that Windows 10 builds stop receiving updates somewhere between 18 months and 2 1/2 years after release. The only exception is Windows 10 Enterprise LTSC (Long-Term Servicing Channel), which will be supported for 10 years.

This approach wobbles …

In my view, the Windows as a service approach with end of support 18 months to 2.5 years after release doesn’t seem to work. Well, in some rare cases, there could be an exception. But now it seems the exception is becoming the norm.

Ok, ok, Windows 10 V1511 is missing, and the end of life has been set to October 2017? Wait, not yet.

Windows 10 V1511 support prolonged

Michael Niehaus from Microsoft announced that the support of Windows 10 V1511 has been extended for an additional 6 months. He wrote:

Windows 10 continues to be adopted rapidly by all types of organizations, and with that adoption Microsoft is working with customers who are adapting existing processes to support a modern servicing methodology which we refer to as Windows as a service.…

Then he ‘let the cat out of the bag’, as he wrote:

Many customers have already made significant progress implementing these changes, including MARS, Kimberly-Clark, and Accenture. To help some early enterprise adopters that are still finishing their transition to Windows as a service, we will be providing a supplemental servicing package for Windows 10, version 1511 for an additional six months, until April 2018, providing updates to address critical and important security issues that arise during that time.

These updates will be available to anyone using Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511. Updates will be offered via all normal channels, including Windows Update, WSUS, Configuration Manager, and the Windows Update catalog.

Oops, my reading between the lines: There have been a few customers foolish enough to migrate early to Windows 10 and Windows as a service, who are now stuck and unable to upgrade to newer builds. Whilst consumers are dumb enough to be sent to the next shop to buy a new Windows 10 machine, in business this ‘Windows as a service’ seems to be a bit of an issue. Or, frankly spoken, I would interpret it this way: the customers’ pressure on Microsoft was huge enough to force its management and marketing folks to prolong the support period for Windows 10 V1511 for another 6 months.

At the end of the day, Microsoft is reliable: They announce something, they discontinue that thing and they extend support a few days later – that’s how it works. A prankster who tries to read between the lines could probably get the impression that the ‘Windows as a service’ thing doesn’t work. You know that, I know that, only Microsoft still seems to be dreaming about that development scheme. Now I’m curious to see what happens in January 2020, when support of Windows 7 and Windows Server 2008 R2 is supposed to end. What do you think?
