Heads up: A free, working exploit for BlueKeep just hit

There’s been a lot of discussion about BlueKeep, its ramifications and various strategies for blocking it. In a nutshell, it’s a security hole in the Windows Remote Desktop Protocol that allows a malicious program to enter your machine – if you have Remote Desktop turned on, it’s accessible directly from the internet, and you haven’t installed the May patches.

Two weeks ago, Susan Bradley posted a CSO article that details ways admins can avoid using RDP. I’ve seen reams of advice about blocking ports, disabling services, setting authentication levels, deploying voodoo dolls, reading chicken entrails… but the simplest way for almost everybody to avoid the problem is to install the May (or later) Windows patches.

Earlier today, Kevin Beaumont – who I consider to be a world-class authority on the subject – posted this warning:

The first public, free #BlueKeep exploit is out in Metasploit now.

He, in turn, points to this article by Brent Cook on the Rapid7 site:

By default, Metasploit’s BlueKeep exploit only identifies the target operating system version and whether the target is likely to be vulnerable. The exploit does not currently support automatic targeting; it requires the user to manually specify target details before it will attempt further exploitation. If the module is interrupted during exploitation, or if the incorrect target is specified, the target will crash with a bluescreen. Users should also note that some elements of the exploit require knowledge of how Windows kernel memory is laid out, which varies depending on both OS version and the underlying host platform (virtual or physical); the user currently needs to specify this correctly to run the exploit successfully. Server versions of Windows also require a non-default configuration for successful exploitation—namely, changing a registry setting to enable audio sharing. This limitation may be removed in the future.

So the next worm isn’t yet a massive threat – but you can bet that it will be. Soon.

Get the May (or later) Windows patches applied. Now.
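A read-only PowerShell audit, added here as an example (it is not from the original post), that reports the conditions the paragraphs above tie together: whether Remote Desktop is switched on, whether it is actually listening, whether Network Level Authentication (one of the "authentication level" settings) is required, and the current build and revision to compare against the May cumulative update for your build. Whether the port is reachable from the internet cannot be judged from the host itself.

```powershell
# Added example (not from the original post): read-only audit of the
# conditions that leave a host exposed to BlueKeep. Run in an elevated prompt.
function Get-RdpExposure {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"

    # fDenyTSConnections = 0 means Remote Desktop is switched on.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($deny -eq 0)

    # UserAuthentication = 1 means Network Level Authentication is required
    # (one of the "authentication level" mitigations mentioned above).
    $nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $nlaRequired = ($nla -eq 1)

    # Port RDP is configured on (default 3389) and whether anything listens there.
    $port = (Get-ItemProperty -Path $rdpKey -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }
    $listening = $null   # stays $null on Win7, which lacks Get-NetTCPConnection
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listening = [bool](Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)
    }

    # Build and revision (UBR); compare the revision against the May 2019
    # cumulative update for your build (those revision numbers are not listed above).
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = if ($cv.UBR) { "$($cv.CurrentBuild).$($cv.UBR)" } else { [string]$cv.CurrentBuild }

    # Likely exposed = RDP on, listening (or unknown), and no NLA requirement.
    # Reachability from the internet must be checked from outside the host.
    $exposed = $rdpEnabled -and ($listening -ne $false) -and (-not $nlaRequired)

    [pscustomobject]@{
        RdpEnabled    = $rdpEnabled
        RdpPort       = $port
        Listening     = $listening
        NlaRequired   = $nlaRequired
        Build         = $build
        LikelyExposed = $exposed
    }
}

Get-RdpExposure | Format-List
```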

It’s time to squirrel away a clean copy of Win10 version 1903

With the release of Windows 10 version 1909 imminent, you should take a moment now and squirrel away a clean copy of version 1903. Since we don’t know exactly how version 1909 will hit the fan, and whether it’ll introduce any bugs, it’s well worth your time and effort to stash away a free, Microsoft-certified-clean copy.

It’s easy. Even your Sainted Aunt Martha can do it.

1. Make sure you aren’t running Win10 version 1903

If there’s no Search box to the right of the Start button, you’re running Windows 7, 8.1, or some other older version of Windows (unless you intentionally moved the Search box!). Go to Step 3 below.

If there’s a Search box to the right of the Start button, click in it and type About. Choose About Your PC. On the right, under Windows Specifications, you can see your version number. If you’re already running version 1903, you have my condolences, but you still might want to consider storing away a clean copy of 1903, just in case Armageddon arrives with version 1909.

2. If you’re running Win10, use the Media Creation Tool

If you have a license for Windows 10, the easiest way to get version 1903 involves Microsoft’s Media Creation Tool. Go to the Download Windows 10 site and click the link marked “Using the tool to create installation media (USB flash drive, DVD, or ISO file)” to install Windows 10 on a different PC. Follow the instructions, and when asked “What do you want to do?” opt for Create installation media.

When you get to the point where you choose a place to put the file, give it a name that you’ll be able to identify in the future – say, Win10_1903_x64_English.ISO or something similar. When you’re asked to Burn to a DVD, say “meh” and click Finish.

3. If you aren’t running Windows 10, grab a different machine

If you go to the Download Windows 10 site using anything other than a fully ordained Windows machine, you’ll see something like this screenshot, which was taken on my Android phone.


4. If you have to use a Windows machine, but Microsoft won’t give you the file, punt

Microsoft reserves a special place in ISO download hell for those who have the temerity to look for a copy of Windows 10 while running a version of Windows that hasn’t been blessed. It’s a throwback to the old “my way or the highway” Microsoft, which you’d think would be gone by now. But… Microsoft, eh?

If you absolutely can’t get another machine, or can’t convince a friend to download the file, you need to monkey with something called a browser user agent. It’s complicated and not for the faint of heart, but Brady Gavin has full step-by-step instructions on How-To Geek.

5. Make like a squirrel

No matter which path you choose, you’ll end up with a copy of the official Win10 version 1903 ISO file, which can be easily used to install 1903 – at least, “easily” in a Windows kind of way. If you download right now, you’ll get the Sept. 10 flavor, known as build 18362.356. It’s good enough.

Stow it away someplace handy. You may need it some day.
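Two PowerShell helpers, added here as an example (not from the original post), that cover Step 1 and Step 5 from the command line: the first reports the running version and build the way the About page does, the second mounts a stashed ISO, reads the version out of its install image, and records the file’s SHA-256 so you can tell later that the copy is the 1903 (build 18362) media you put away. The ISO path at the bottom is a placeholder; Get-WindowsImage needs an elevated prompt.

```powershell
# Added example (not from the original post): report the running version and
# verify that a stashed ISO really contains Windows 10 version 1903 (build 18362).
# Run elevated; Mount-DiskImage and Get-WindowsImage are built into Windows.
function Get-RunningWindowsVersion {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Product   = $cv.ProductName
        ReleaseId = $cv.ReleaseId                       # e.g. 1903; absent on Win7/8.1
        Build     = "$($cv.CurrentBuild).$($cv.UBR)"    # e.g. 18362.356
    }
}

function Test-StashedIso {
    param(
        [Parameter(Mandatory)][string]$IsoPath,
        [string]$ExpectedBuild = '18362'    # Win10 version 1903
    )
    $img = Mount-DiskImage -ImagePath $IsoPath -PassThru
    try {
        $drive = (Get-Volume -DiskImage $img).DriveLetter
        # Media Creation Tool ISOs ship install.esd; other media carry install.wim.
        $wim = Get-ChildItem "${drive}:\sources" -Filter 'install.*' |
               Where-Object { $_.Extension -in '.esd', '.wim' } | Select-Object -First 1
        if (-not $wim) { throw "No install.wim/install.esd found in $IsoPath" }

        $info  = Get-WindowsImage -ImagePath $wim.FullName -Index 1
        $build = $info.Version.Split('.')[-1]           # "10.0.18362" -> "18362"
        [pscustomobject]@{
            Iso     = $IsoPath
            Edition = $info.ImageName
            Build   = "$build.$($info.SPBuild)"         # e.g. 18362.356
            Is1903  = ($build -eq $ExpectedBuild)
            # Keep this hash next to the ISO so a damaged or swapped copy shows up later.
            Sha256  = (Get-FileHash -Path $IsoPath -Algorithm SHA256).Hash
        }
    }
    finally {
        Dismount-DiskImage -ImagePath $IsoPath | Out-Null
    }
}

Get-RunningWindowsVersion
Test-StashedIso -IsoPath 'D:\Stash\Win10_1903_x64_English.ISO'   # placeholder path
```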

Microsoft delivers emergency security update for antiquated IE

Microsoft on Monday released an emergency security update to patch a vulnerability in Internet Explorer (IE), the legacy browser predominantly used by commercial customers.

The flaw, which was reported to Microsoft by Clement Lecigne, a security engineer with Google’s Threat Analysis Group (TAG), has already been exploited by attackers, making it a classic “zero-day,” a vulnerability actively in use before a patch is in place.

In the security bulletin that accompanied the release of the IE patch, Microsoft labeled the bug a remote code vulnerability, meaning that a hacker could, by exploiting the bug, introduce malicious code into the browser. Remote code vulnerabilities, also called remote code execution, or RCE, flaws, are among the most serious. That seriousness, as well as the fact that criminals are already leveraging the vulnerability, was reflected in Microsoft’s decision to go “out of band,” or off the usual patching cycle, to plug the hole.

Traditionally, Microsoft delivers its security updates on the second Tuesday of each month, the so-called “Patch Tuesday.” The next such date will be Oct. 8, or in two weeks.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email,” Microsoft wrote in the bulletin.

The bug is in IE’s scripting engine, Microsoft said, but did not elaborate.

Microsoft posted security updates for Windows 10, Windows 8.1, Windows 7, Windows Server 2019, Windows Server 2016, Windows Server 2012 and 2012 R2, and Windows 2008 and 2008 R2. All still-supported versions of IE were patched, including IE9, IE10 and the dominant IE11.

IE was demoted to second-citizen status with the introduction of Windows 10, but Microsoft has been adamant that it will continue to support the browser. IE, particularly IE11, remains necessary in many enterprises and organizations for running aged web apps and internal websites. The browser may retreat to a “mode” within a vastly reworked Microsoft Edge – and the stand-alone abandoned – but IE will live on in some form.

Still, it’s no longer the most popular kid on the block: According to the latest data from web analytics vendor Net Applications, IE accounted for just 9% of all Windows-based browsing activity. For comparison, Edge’s share of all Windows-based browsing was around 7%.

According to information in the description of the update package, the emergency IE fix is available only through the Microsoft Update Catalog. Users would have to steer a browser to that website, then download and install the update. The easiest way to locate the IE update is by using the link in the OS-appropriate KB (for knowledge base) gleaned from the security bulletin. (No one said Microsoft makes it easy.)

Automated servicing feeds, including Windows Update and Windows Server Update Services (WSUS), are to begin offering the out-of-band update today.

This isn’t the first time that Microsoft has had to patch Internet Explorer on the fly for a scripting vulnerability being exploited by hackers. In December 2018, the Redmond, Wash. developer shipped an emergency security update to deal with how IE’s “scripting engine handles objects in memory,” the exact language used in Monday’s bulletin.

Microsoft releases emergency IE patches inside ‘optional, non-security’ cumulative updates

I’ve seen a lot of confusion about the security hole known as CVE-2019-1367 and what normal Windows customers should do about it. Part of the reason for the confusion is the way the fix was distributed – the patching files were released on Monday, Sept. 23, but only via manual download from the Microsoft Update Catalog.

On a Monday.

In the past few hours, Microsoft released a hodge-podge of patches that seem to tackle the problem. They’re “optional non-security” and “Monthly Rollup preview” patches, so you won’t get them unless you specifically go looking for them.

As a bit o’ lagniappe, if you use Windows Update to install the sky-is-falling IE patch, you’ll get a bunch of additional marginally-tested patches along for the ride.

Here are the most important Win10 patches that appear to contain the IE/CVE-2019-1367 fix:

  • Win10 1809 and Server 2019 – KB 4516077 – build 17763.774.
  • Win10 1803 – KB 4516045 – build 17134.1039.
  • Server 2016 – KB 4516061 – build 14393.3242.

I say “appear to contain” the fix because, as best I can tell, none of the documentation mentions CVE-2019-1367, the security hole that was fixed yesterday in an odd single-purpose cumulative update. These, too, are cumulative updates, but they’re specifically identified as “non-security updates.”

Which is disingenuous, at best.

Those patches are only available if you click “Check for updates.” Microsoft would traditionally call them “optional, non-security” patches, but with the likely (if undocumented) presence of a separately identified out-of-band security patch, it’s hard to say what to call them.

We don’t have a cumulative update for Win10 1903 just yet. We do, however, have a manually downloadable out-of-band patch for the IE problem in 1903, KB 4522016.

Over on the Windows 7/8.1 side of the fence, it appears as if the CVE-2019-1367 fix is part and parcel of the two Monthly Rollup Previews just released:

  • Win7 – KB 4516048 – “Addresses an issue that may cause an error when opening or using the Toshiba Qosmio AV Center. You may also receive an error in the Event Log related to cryptnet.dll.”
  • Win8.1 – KB 4516041 – Fixes the bug that prevented IE 11 from running on RT devices.

There’s no indication in the KB articles that either of these Previews fix the IE hole, but an independent check by AskWoody’s @EP shows that the Previews contain the latest IE file. That likely means the security hole has been plugged in the Previews.
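A PowerShell check, added here as an example (not from the original post), that looks up the running build in the list of KBs and builds given above and reports whether the matching update is installed. It goes one step beyond the text: for the Win10 entries it also accepts a revision (UBR) at or above the listed one, since a later cumulative update supersedes the one named.

```powershell
# Added example (not from the original post): is one of the updates listed
# above present on this machine? Builds and KB numbers come from the text;
# revision numbers are only known for the three Win10/Server 2016 entries.
$ieFixByBuild = @{
    '17763' = @{ KB = 'KB4516077'; Ubr = 774  }   # Win10 1809 / Server 2019 (17763.774)
    '17134' = @{ KB = 'KB4516045'; Ubr = 1039 }   # Win10 1803 (17134.1039)
    '14393' = @{ KB = 'KB4516061'; Ubr = 3242 }   # Server 2016 (14393.3242)
    '18362' = @{ KB = 'KB4522016'; Ubr = $null }  # Win10 1903 out-of-band IE patch
    '7601'  = @{ KB = 'KB4516048'; Ubr = $null }  # Win7 SP1 Monthly Rollup Preview
    '9600'  = @{ KB = 'KB4516041'; Ubr = $null }  # Win8.1 Monthly Rollup Preview
}

function Get-IeFixStatus {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuild
    $entry = $ieFixByBuild[$build]
    if (-not $entry) {
        return [pscustomobject]@{ Build = $build; Status = 'Build not in the list above' }
    }

    # Get-HotFix lists installed updates by KB id on every version in the table.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $kbPresent = $installed -contains $entry.KB

    # UBR is the revision part of the build; Win7/8.1 have no such value (-> 0).
    $ubr        = [int]$cv.UBR
    $revisionOk = ($null -ne $entry.Ubr) -and ($ubr -ge $entry.Ubr)

    [pscustomobject]@{
        Build       = if ($cv.UBR) { "$build.$ubr" } else { $build }
        ExpectedKB  = $entry.KB
        KBInstalled = $kbPresent
        RevisionOk  = $revisionOk      # only meaningful where a revision is listed
        Status      = if ($kbPresent -or $revisionOk) { 'IE fix present (or superseded)' }
                      else { 'IE fix not found; see Windows Update or the Update Catalog' }
    }
}

Get-IeFixStatus | Format-List
```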

At this point, I don’t see why the Windows blogosphere has tied itself in knots warning about the IE/CVE-2019-1367 security hole. Yes, Microsoft has said that it’s been exploited in the wild. No, we don’t have any more information. The folks who know aren’t talking. The most credible story I’ve seen involves a very targeted attack from the (reputedly) Korean group known as DarkHotel.

At any rate, for almost everybody, this appears to be yet another tempest in a teapot. My advice is to sit tight, don’t update anything, and stop using Internet Explorer.

Unless you’ve done something to make DarkHotel angry, of course.

How to protect your privacy in Windows 10

There has been some concern that Windows 10 gathers too much private information from users. Whether you think Microsoft’s operating system crosses the privacy line or just want to make sure you protect as much of your personal life as possible, we’re here to help. Here’s how to protect your privacy in just a few minutes.

Note: This story has been updated for the Windows 10 October 2018 Update, a.k.a. version 1809. If you have an earlier release of Windows 10, some things may be different.

Turn off ad tracking

At the top of many people’s privacy concerns is what data is being gathered about them as they browse the web. That information creates a profile of a person’s interests that is used by a variety of companies to target ads. Windows 10 does this with the use of an advertising ID. The ID doesn’t just gather information about you when you browse the web, but also when you use Windows 10 apps.

You can turn that advertising ID off if you want. Launch the Windows 10 Settings app (by clicking on the Start button at the lower left corner of your screen and then clicking the Settings icon, which looks like a gear) and go to Privacy > General. There you’ll see a list of choices under the title “Change privacy options”; the first controls the advertising ID. Move the slider from On to Off. You’ll still get ads delivered to you, but they’ll be generic ones rather than targeted ones, and your interests won’t be tracked.

You can turn off Windows 10’s advertising ID if you want. You’ll still get ads, but they’ll be generic ones.

To make absolutely sure you’re not tracked online when you use Windows 10, and to turn off any other ways Microsoft will use information about you to target ads, head to the Ad Settings section of Microsoft’s Privacy Dashboard. Sign into your Microsoft account at the top of the page.  Then go to the “See ads that interest you” section at the top of the page and move the slider from On to Off. After that, scroll down to the “See personalized ads in your browser” section and move the slider from On to Off. Note that you need to go to every browser you use and make sure the slider for “See personalized ads in your browser” is set to Off.

Turn off location tracking

Wherever you go, Windows 10 knows you’re there. Some people don’t mind this, because it helps the operating system give you relevant information, such as your local weather, what restaurants are nearby and so on. But if you don’t want Windows 10 to track your location, you can tell it to stop.

Launch the Settings app and go to Privacy > Location. Underneath “Allow access to location on this device,” click Change and, on the screen that appears, move the slider from On to Off. Doing that turns off all location tracking for every user on the PC.


This doesn’t have to be an all-or-nothing affair — you can turn off location tracking on an app-by-app basis. If you want your location to be used only for some apps and not others, make sure location tracking is turned on, then scroll down to the “Choose apps that can use your precise location” section. You’ll see a list of every app that can use your location. Move the slider to On for the apps you want to allow to use your location — for example, Weather or News — and to Off for the apps you don’t.

When you turn off location tracking, Windows 10 will still keep a record of your past location history. To clear your location history, scroll to “Location History” and click Clear. Even if you use location tracking, you might want to clear your history regularly; there’s no automated way to have it cleared.

Turn off Timeline

The Windows 10 April 2018 Update introduced a new feature called Timeline that lets you review and then resume activities and open files you’ve started on your Windows 10 PC, as well as any other Windows PCs and devices you have. So, for example, you’ll be able to switch between a desktop and laptop and from each machine resume activities you’ve started on either PC.

In order to do that, Windows needs to gather information about all your activities on each of your machines. If that worries you, it’s easy to turn Timeline off. To do it, go to Settings > Privacy > Activity History and uncheck the boxes next to “Store my activity history on this device” and “Send my activity history to Microsoft.”


At that point, Windows 10 no longer gathers information about your activities. However, it still keeps information about your old activities and shows them in your Timeline on all your PCs. To get rid of that old information, in the “Clear activity history” section of the screen, click “Manage my Microsoft account activity data.” You’ll be sent to Microsoft’s Privacy Dashboard, where you can clear your data. See the section later in this article on how to use the privacy dashboard to do that.

Note that you’ll have to take these steps on all of your PCs to turn off the tracking of your activities.
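A read-only PowerShell audit, added here as an example (not from the original article), that reports the state of the settings covered in the three sections above: the advertising ID, location access (device-wide and for the current user), and the two Timeline toggles. The registry locations are my assumption of where the Settings app stores these toggles; confirm the result against the Settings pages described above, and run it once per PC since, as the text notes, the settings are per machine.

```powershell
# Added example (not from the original article): read-only audit of the
# advertising ID, location and activity history (Timeline) settings.
# Registry paths are assumed to be where the Settings toggles are stored.
$privacyChecks = @(
    @{ Name  = 'Advertising ID'
       Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo'
       Value = 'Enabled';  OffValue = 0 }
    @{ Name  = 'Location access (this device)'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location'
       Value = 'Value';    OffValue = 'Deny' }
    @{ Name  = 'Location access (this user)'
       Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location'
       Value = 'Value';    OffValue = 'Deny' }
    @{ Name  = 'Timeline: store my activity history on this device'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Value = 'PublishUserActivities'; OffValue = 0 }
    @{ Name  = 'Timeline: send my activity history to Microsoft'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Value = 'UploadUserActivities';  OffValue = 0 }
)

function Get-PrivacySettingStatus {
    foreach ($c in $privacyChecks) {
        # Missing key or value means the toggle has never been changed from its default.
        $current = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty $c.Value -ErrorAction SilentlyContinue
        $state = if ($null -eq $current)          { 'Not set (defaults apply)' }
                 elseif ($current -eq $c.OffValue) { 'Off' }
                 else                              { 'On' }
        [pscustomobject]@{ Setting = $c.Name; Current = $current; State = $state }
    }
}

Get-PrivacySettingStatus | Format-Table -AutoSize
```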

Curb Cortana

Cortana is a very useful digital assistant, but there’s a tradeoff in using it: To do its job well, it needs to know things about you such as your home location, place of work and the times and route you take to commute there. If you’re worried it will invade your privacy by doing that, there are a number of things you can do to limit the information Cortana gathers about you.

Start by opening Cortana settings: place your cursor in the Windows search box and click the Cortana settings icon (it looks like a gear) that appears in the left pane. On the screen that appears, select Permissions & History. Click “Manage the information Cortana can access from this device,” and on the screen that appears, turn off Location so that Cortana won’t track and store your location.

Then turn off “Contacts, email, calendar & communication history.” That will stop the assistant from gathering information about your meetings, travel plans, contacts and more. But it will also turn off Cortana’s ability to do things such as remind you about meetings and upcoming flights. Towards the bottom of the screen, turn off “Browsing history” so that Cortana won’t keep your browsing history.

To stop Cortana from gathering other types of information, head to the Cortana’s Notebook section of Microsoft’s Privacy Dashboard. You’ll see a variety of personal content, ranging from finance to flights, news, sports, and much more. Click the content you want Cortana to stop tracking, then follow the instructions for deleting it.

If you want to delete all the data Cortana has gathered about you, click “Clear Cortana data” on the right side of the screen.