WildByDesign (Member, joined 2014-09-05, Canada), 3 recommendations
Reply to bluepoint

Re: MS014-45 Fix?

Followed DSLReports/BroadbandReports Security forums for 5+ years, thoroughly and often. Yet finally made an account now. Anyways...

Running Windows 7 SP1 64-bit here. I had absolutely zero issues after installing KB2982791 back when it first came to WU and was fine for the week(s) until KB2993651 came out. I did everything accurately by uninstalling KB2982791 first, rebooting and the usual. Upon installing KB2993651 successfully, during the reboot process that followed, it showed that message "Creating your desktop..." (don't recall the exact wording), you know, when you install Windows for the first time and create your user account. No BSODs or anything. Surely I was thinking "WTF?" because I understood the severity of what was happening. Yet it still went into my user account, showed my correct account name, although nothing was there. Absolutely no shortcuts at all in the Start menu, no wallpaper, no desktop shortcuts or files or anything. Rebooting did not fix anything. So needless to say, thank goodness for thorough and regular backups and disk images. I was able to restore, but wasn't pleased with the amount of work that went into the trouble of this one single update from WU.

Being adventurous and free of fear, I decided to try to install KB2993651 again, knowing that if it messed up my user account I could simply restore from disk image again. Just curious if it was a one-off situation. I ensured that KB2982791 was still removed and didn't show in the list of installed updates. Sure enough, KB2993651 destroyed my system again. No BSODs still, but a thoroughly corrupt user profile again.

Anyways, I just wanted to post my experience with this update. I am no longer free of fear for Windows Updates. I admittedly DO fear Windows Updates now and I am without a doubt hiding KB2993651 for the time being until Microsoft gets their stuff together. With these reported BSODs and other random badness like my experience, plus the documented known issues in the bulletin from Microsoft, I am going to wait until they fix it properly.

Cheers, guys and gals. And thank you for the wealth of security information that I have enjoyed here over the years. Now that I am finally a member here I can finally contribute back whenever possible.
Mele20 (Premium Member, joined 2001-06-05, Hilo, HI)
Reply to redwolfe_98

Re: MS014-45 Fix?

I not only do not have KB2993651 installed but I am preparing to REMOVE earlier updates of win32k.sys that ALSO have the z-order bug. These are KB2965768, KB2970228, KB2973201, KB2975719, KB2982791 and KB2993651. I don't have all of them installed but I do have KB2973201 installed. I plan to uninstall it so that my Windows 8 Pro system will then revert to the LAST KNOWN GOOD VERSION of win32k.sys, 6.1.7601.22665.

I have no idea why you think Microsoft should insist that anyone install KB2993651 which has a KNOWN SERIOUS BUG. Rather you and Microsoft should be instructing everyone to remove any of the above six patches that they have so that their win32k.sys file reverts to the last known good version without the z-order bug.
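The procedure the posters describe by hand (check which of the six win32k.sys updates are installed, compare the on-disk win32k.sys version with the one Mele20 calls last known good, remove the offending package, then hide KB2993651 so Windows Update stops re-offering it, as WildByDesign does above) can be scripted. This is an added example, not code from the thread or from Microsoft. It assumes Windows 7 SP1 or Windows 8 with PowerShell 2 or later, an elevated session (hiding an update through the Windows Update Agent COM API and running wusa.exe both need it), and it takes the version string 6.1.7601.22665 from Mele20's post without verifying that it is the right baseline for any other build. The uninstall commands are printed, not executed.

```powershell
# Added example (not from the thread). Audits the six win32k.sys updates named
# above, reports the installed win32k.sys file version against the thread's
# "last known good" version, prints the wusa command that would remove each
# installed package, and optionally hides a pending update via the WUA COM API.
# Assumptions: Windows 7 SP1 / Windows 8, elevated PowerShell; the baseline
# version below is Mele20's figure and is not verified for other builds.
param(
    [string[]]$KbList = @('KB2965768','KB2970228','KB2973201','KB2975719','KB2982791','KB2993651'),
    [version]$LastKnownGood = '6.1.7601.22665',   # from the post above; adjust for your build
    [string[]]$HideKb = @()                        # e.g. -HideKb KB2993651
)

function Get-Win32kVersion {
    $file = Join-Path $env:SystemRoot 'System32\win32k.sys'
    # FileVersion reads like "6.1.7601.22665 (win7sp1_ldr.140830-1711)"; keep the numeric part
    $raw = (Get-Item $file).VersionInfo.FileVersion
    [version]($raw -replace '\s.*$', '')
}

function Get-InstalledWin32kPatches([string[]]$Kbs) {
    # Get-HotFix reads the same data as Control Panel's "View installed updates"
    Get-HotFix | Where-Object { $Kbs -contains $_.HotFixID } |
        Sort-Object InstalledOn | Select-Object HotFixID, InstalledOn
}

function Hide-WindowsUpdate([string]$Kb) {
    # Same mechanism as right-click "Hide update" in the Windows Update UI
    $kbNum    = $Kb -replace '^KB', ''
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
    $hidden   = $false
    foreach ($u in $pending) {
        foreach ($id in $u.KBArticleIDs) {
            if ($id -eq $kbNum) { $u.IsHidden = $true; $hidden = $true }
        }
    }
    if ($hidden) { "Hidden: $Kb" }
    else { "$Kb is not currently offered (already installed, already hidden, or not applicable)" }
}

$current = Get-Win32kVersion
"win32k.sys version: $current (last known good per thread: $LastKnownGood)"
if ($current -gt $LastKnownGood) {
    "  newer than the baseline: one of the listed updates has replaced win32k.sys"
}

$present = @(Get-InstalledWin32kPatches $KbList)
if ($present.Count -eq 0) {
    "None of the listed updates is installed."
} else {
    "Installed (oldest first):"
    $present | ForEach-Object { "  {0}  installed {1}" -f $_.HotFixID, $_.InstalledOn }
    "To remove, run as administrator, newest first, rebooting between packages:"
    $present | Sort-Object InstalledOn -Descending | ForEach-Object {
        "  wusa.exe /uninstall /kb:{0} /norestart" -f ($_.HotFixID -replace '^KB', '')
    }
}

foreach ($kb in $HideKb) { Hide-WindowsUpdate $kb }
```

Run it once to see the current state, then with `-HideKb KB2993651` after deciding to sit on the update. Two caveats a practitioner should keep in mind: wusa removes the package and the servicing stack puts back whichever earlier win32k.sys is still in the component store, so the version you land on is whatever the previous installed package shipped, not necessarily the number in the post; and because KB2982791 has expired, Windows Update will keep offering KB2993651 after any removal until it is hidden.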
LaRRY_PEpPeR (Member, joined 2010-03-19, Wentzville, MO)
Reply to Frodo
HEY, why in the world did my replies get hidden for "personal attacks?!" That makes no sense at all. I've hardly ever posted here, but have to help people when I see blatantly FALSE information posted as fact to harm someone else. Why are lies and misinformation allowed to be spread by people that can't understand (basic) stuff? Absolutely insane.
said by Frodo:

Going to the article that describes the vulnerabilities addressed by this update, I see:

quote:
An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities.
For most home users, remotely exploitable vulnerabilities are the chief concerns. People logging on locally are not a concern; not the enemy.

So, I uninstalled the updates reported to be defective, and didn't install the replacements, since they are not completely devoid of defects.

According to the bulletin, the attacker must ... be able to log on locally.

WRONG. »blogs.technet.com/b/srd/ ··· tes.aspx
quote:
Attacker running code at low privilege runs exploit binary to elevate to SYSTEM.
Anyone that doesn't understand the long-standing MS Security Bulletin speak can see the light, as seen before: »www.wilderssecurity.com/ ··· 9/page-3

(Although anyone that doesn't probably shouldn't be reading them. One needs to be very sure to understand every detail, as I generally have. Otherwise stick to "Auto Updates.")

I'm testing shutting these groups off from my browser now. I'm a big believer in "least privilege". If the attacker somehow had local login credentials, I don't want my browsers to be a conduit to log on locally. So far, I'm not seeing any degradation.

Anyone that believes in least privilege (e.g. dropped rights/UAC, not full blown admin) should definitely believe in installing Elevation of Privilege ("logon credentials") updates, otherwise the whole system (of least privilege) is compromised.

To become a bigger believer, one needs to become a scholar of the "MS bible." I'm a Sunday School teacher of sorts.

BTW, has there ever been a case of an attacker acquiring "logon credentials" in the way you're thinking of...? I don't think that's really possible (e.g. there's nowhere to get it?).
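The least-privilege argument above turns on one question: what does code running as the logged-on user already have? If the token is already an unrestricted administrator at high integrity, an elevation-of-privilege bug adds nothing; if it is a medium-integrity, UAC-filtered token or a low-integrity sandboxed browser, the EoP bug is exactly the step that undoes the setup. This added example, not code from the thread, reports that posture for the current token. It assumes Windows 7 or 8 with PowerShell 2 or later and uses whoami.exe for the integrity label, since .NET's WindowsIdentity.Groups does not reliably expose the mandatory label SID.

```powershell
# Added example (not from the thread): report what the current token already
# holds, so it is clear whether a local EoP would gain anything for code
# running as this user. Assumes whoami.exe is present (it is on Windows 7/8).
function Get-TokenPosture {
    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $prin = New-Object Security.Principal.WindowsPrincipal($id)

    # Mandatory integrity label SIDs (S-1-16-x) as documented in the Windows SDK
    $labels = @{
        'S-1-16-4096'  = 'Low'      # sandboxed renderers, Protected Mode IE
        'S-1-16-8192'  = 'Medium'   # normal user, or an admin's UAC-filtered token
        'S-1-16-12288' = 'High'     # elevated ("Run as administrator")
        'S-1-16-16384' = 'System'
    }

    # whoami /groups /fo csv columns: "Group Name","Type","SID","Attributes"
    $rows  = whoami /groups /fo csv | ConvertFrom-Csv
    $label = ($rows | Where-Object { $_.Type -eq 'Label' } | Select-Object -First 1).SID
    $adminRow = $rows | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators

    $level = if ($labels.ContainsKey($label)) { $labels[$label] } else { $label }

    New-Object PSObject -Property @{
        User               = $id.Name
        IntegrityLevel     = $level
        ElevatedAdmin      = $prin.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        # True while ElevatedAdmin is False means the admin SID is present
        # "for deny only": the UAC-filtered token an EoP bug would bypass
        AdminGroupInToken  = [bool]$adminRow
        AdminGroupAttrs    = if ($adminRow) { $adminRow.Attributes } else { '' }
    }
}

Get-TokenPosture | Format-List User, IntegrityLevel, ElevatedAdmin, AdminGroupInToken, AdminGroupAttrs
```

Run it from a normal prompt and again from one started with "Run as administrator". Medium integrity with the Administrators group marked "Group used for deny only" is the case Larry describes: the user is an admin but the running code is not, and a win32k.sys EoP is what turns the former into the latter. High integrity with the group enabled is the old unrestricted-admin setup where skipping EoP fixes cost nothing further, because there was nothing left to escalate to.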
LaRRY_PEpPeR (Member)
Reply to Frodo
said by Frodo:

"An attacker must have valid logon credentials and be able to log on locally..."
I guess the context can be different, logon credentials are ID and password in most contexts.

For example, in a page discussing saving your logon credentials Microsoft says:

quote:
Saving your credentials shortens connection time

Not needing to type your credentials each time you connect to a remote computer makes connecting a little faster.
The item typed is ID and password.

In what way is this related to exploits?

Insofar as "log on locally" Microsoft says:

quote:
When you limit physical access to a server, you limit who can log on locally to the server ...
So, reading literally what Microsoft says, the attacker must have physical access and know an ID and password.

In what way is this related to exploits?
quote:
If that is not the case, then the exploit is remotely exploitable.
THAT is correct (in any case).

Now, whether we can rely on what Microsoft said, well that's a different story.

Sort of. All about understanding MS speak like I said. Although they have always been consistent with the same vague language where, taking one instance literally at face value, you can't quite be sure what's meant. But you're able to learn to discern the real meaning fairly quickly after reading a few (there's still just one from a few years ago that I'm not fully clear on, no matter what; missing specific technical details). And they've been the same for 10+ years...

The correct (more "human readable") info is always on the SRD blog assessment (which I generally never look at; I had to find the link somewhere to post). It's up to people to understand the MS meaning (if they're going to "outsmart" MS, or pick-and-choose updates (I do the latter, not the former, generally)).

I didn't use to install the Elevation of Privilege fixes years ago because everything was running as unrestricted admin (e.g. no need to elevate when an initial exploit would already have total control). I understood that, though maybe I should have installed anyway. As soon as I started using dropped rights (and later, Sandboxie), I immediately went back and applied the skipped EoP updates, because they became critical for maintaining the integrity of that/this setup.

BTW, the ONLY updates I can recall that need physical access are the couple USB driver vulnerabilities from last year (classified as EoP I believe), since a USB drive needs to be connected. I've skipped those since that is never happening here.
Frodo (Member, joined 2006-05-05)
said by LaRRY_PEpPeR:

Anyone that believes in least privilege (e.g. dropped rights/UAC, not full blown admin) should definitely believe in installing Elevation of Privilege ("logon credentials") updates

Absolutely, so long as the cure is not worse than the disease. Right now, insofar as trashing my system is concerned, the score is Microsoft 1, Attacker 0. I don't want Microsoft building a further lead. This particular update is identified as containing bugs. So, I don't see any harm in waiting a little bit and seeing if they improve on this update.
said by LaRRY_PEpPeR:

In what way is this related to exploits?

Microsoft said "credentials", which is how one authenticates. Once authenticated, a process may pick up a token or membership in a group or so forth. Microsoft said "log on locally". Using Microsoft's own definition, that requires physical access.

This sounds very much like an exploit for an ordinary user using a corporate-administered workstation to gain admin rights, such as me at work. And by the way, "exploit binary" suggests a separate file (not necessarily an exe) to gain admin.

So, in assessing the totality of the situation, this is an important but not a critical update, and it contains bugs. Presumably, since it contains bugs, a better update will come along eventually. So, on my systems, this one can wait. However, I'm not hiding it, just sitting on it.

And I'm not updating next Tuesday either. I waited two days last time and Microsoft started pulling updates out 3 days later. So, I'm going to try a week delay this time, again, taking into account the totality of the situation. Sounds to me like IE is the only critical next week.
LaRRY_PEpPeR (Member, joined 2010-03-19, Wentzville, MO)

Oh yes, in no way did I mean to imply that you or anyone else should install these problem updates at this point in time! I was only talking about the Elevation of Privilege ones in general and the MS descriptions.

But definitely don't blame anyone for staying away from these for now. Although I haven't had or heard of any problems on XP (Embedded updates), I'm even still "waiting" (though I've installed) to see when they get it sorted out, hopefully soon.

altermatt (Premium Member, joined 2004-01-22, White Plains, NY), 1 recommendation
Reply to WildByDesign

WildByDesign, thank you for posting your experience. I, too, had no issues with KB2982791 but was going to dutifully uninstall it and install KB2993651, but have decided to just let everything sit as is for now...no issues, no KB2993651.
Frodo (Member, joined 2006-05-05)
Reply to LaRRY_PEpPeR
said by LaRRY_PEpPeR:

I see blatantly FALSE information posted as fact to harm someone else. Why are lies and misinformation allowed to be spread by people that can't understand (basic) stuff?

Well, lets see if I have some company.
According to Microsoft:
quote:
Should I apply the August 27, 2014 rereleased update (2993651)?
Yes. To be protected from CVE-2014-0318 and CVE-2014-1819, all customers should apply the rereleased update (2993651), which replaces the expired 2982791 update.
So, it is a simple matter of googling CVE-2014-0318 and CVE-2014-1819.

According to Symantec on CVE-2014-0318:
quote:
Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells. To exploit this vulnerability, an attacker requires local access to an affected computer.
They say the same thing for CVE-2014-1819.

So, while Symantec and I reviewed the Microsoft advisories independently, we reached the same conclusion. And for the home user, if a stranger is sitting in front of their computer, they have a bigger problem than privilege escalation. Businesses should install the update if they have restricted users.

I said I "didn't install the replacements, since they are not completely devoid of defects." I never said I wouldn't install it or its successor once the defects are resolved. And Microsoft says right in their advisory, that they are working to resolve the defects.

So, I'm not seeing the error in my advice. Now redwolfe_98 did helpfully point out that future updates may have a dependency on this update. And lately, the quality of Microsoft updates has decreased, so WU might not check for a dependency. So, I'll have to make a decision on how to proceed, prior to dealing with any other updates.

For me, that is a week out, absent some zero day. Maybe in that interim, Microsoft will push out a replacement that clears the defects.
LaRRY_PEpPeR (Member, joined 2010-03-19, Wentzville, MO)

I don't care about company, just facts. n wrong people don't make something any more right than 1...

I just ignored your post yesterday with, "So what?," "Who cares?" (It's Symantec; no relevance to me.)

Besides, I was talking about the usual EoP updates wording in general, like I said. Although there's NO special circumstances needed for these exploits, AFAIK (but maybe I was wrong without looking; I never do much, just use my senses).

But glad I came back here and checked! They're the same as Microsoft bulletins! (Poor language more than stupidity, I guess (MS is not stupid about the vulnerabilities).) e.g. Same useless language for everything that provides ZERO real information.

Same for all EoP (Privilege Escalation in Symantec language), random:
CVE-2013-1300
CVE-2014-1767
CVE-2014-1807

Viewing tons more is left as an exercise.

"Local," "local," "local." *yawn* "Successful exploits will result in the complete compromise of affected computers."

That last one (2014-1807) is especially hilarious! "An attacker requires local interactive access." What kind of nonsense is that?

Google it?

»www.cert.be/advisories/m ··· rability

"Reportedly, this vulnerability is actively exploited in the wild in limited attacks."

I certainly don't see, "exploited by strangers sitting in front of computers" (ya know, being all "interactive").

But why waste time "googling" when you could just get the right info from MS (as I do from Bulletins since I know what I'm doing; and never check "Assessing ..." posts)?

»blogs.technet.com/b/srd/ ··· tes.aspx

Wow, look at the names of all those strangers. (No, not sarcastic, look at the list!)

You can't seriously claim that any "local" exploit needs a "stranger?" (Those would be physical access ones like the USB drivers, which I haven't installed.)

No, local simply means ANY code running of any and all sorts, on every running computer at every moment. That's it. Simple. In the sense of something "bad," that obviously needs some initial exploit to then exploit the secondary LOCAL vulnerability.

Ya know, as opposed to remote access (e.g. Remote Code Execution) that requires nothing else. Hypothetical question: Can remote vulnerabilities be exploited locally? (Your interpretation of "local.") I don't think MetaSploit will get shocking news from anyone, like Symantec, any time soon (or ever)...

If you're talking about these updates and waiting, there's no error in your advice. I never saw that in the post I first replied to, where you were talking about the wording used in EVERY EoP Bulletin.

Waiting in general to see what happens with new updates, or after known bad ones, whatever, is fine of course. Thinking you don't need them because you think "such-and-such," is definitely a massive error! The ones I have skipped over the years have been because I truly don't need them, and can explain exactly why as well. If one can't, then better install them [eventually].

Pentangle (Premium Member, joined 2006-06-01, Vancouver BC)
Signature: With our thoughts we make the world.
Reply to altermatt

said by altermatt:

WildByDesign, thank you for posting your experience. I, too, had no issues with KB2982791 but was going to dutifully uninstall it and install KB2993651, but have decided to just let everything sit as is for now...no issues, no KB2993651.

An article from WindowsITPro.

»windowsitpro.com/securit ··· lling-it

And one from InfoWorld.

»www.infoworld.com/t/micr ··· s-249342

altermatt (Premium Member, joined 2004-01-22, White Plains, NY)

Thanks for those links Pentangle; I'd seen one but not the other. Both confirm that there are some bad problems with the new update. The font thing never applied to me (no shortcuts, etc.) and since uninstalling the old KB2982791 before installing the new one breaks Windows Update for many, and causes black screens for some, and that hidden windows problem for many, again, I'll pass. By the time I return from Europe in a week and a half, I'm hoping this is resolved!

Exidor (Premium Member, joined 2001-05-04)
Reply to WildByDesign
I had some spare time today so decided to again try installing KB2993651.

Running Windows 7 SP1 64-bit here as well.

I also "had absolutely zero issues after installing KB2982791 back when it first came to WU and was fine for the week(s) until KB2993651 came out. I did everything accurately by uninstalling KB2982791 first, rebooting and the usual."

On my system the patch appears to install properly through Windows Update until reaching the Log on screen. After entering my password there is an immediate BSOD and the system restarts to the screen for Windows Repair / Safe Mode options.

Downloading/installing the patch separately from »www.microsoft.com/en-sg/ ··· id=44038 resulted in the same BSOD issue.

It was necessary to uninstall KB2993651 in Safe Mode in order to get my system up and running again.

There are other reports along the same line:

"Windows 7 Users Getting BSODs After Installing KB2993651 Update"

»news.softpedia.com/news/ ··· 60.shtml

"Bluescreen still happen after install KB2993651"

»answers.microsoft.com/en ··· 95494a04

So the KB2993651 "patch" is now once again hidden on my system.

On the plus side, I was able to revert to my ISP DNS (after having to switch to Google DNS last week in order for Windows Update to function at all).