MS-DEFCON 4: A “sort of” quiet February

by Susan Bradley

The February updates have generally been well behaved, with one major exception: gamers.

Otherwise, things have been mostly quiet. That’s why I feel comfortable lowering the MS-DEFCON level to 4. Patches are unlikely to cause most users any problems.

Gamers using a controller on their Windows PCs may find that Windows Explorer fails to load the task bar after the installation of Windows 11 KB5034765 or Windows 10 KB5034763. Some users have reported that the issue clears up if they uninstall and reinstall the offending updates. This typically happens because the files that the system needs to properly work go back to their needed defaults.

We have yet to see any resolution to the issues triggered by KB5034441, the Windows Recovery Environment update. Keep in mind that the failure of KB5034441 to install will not cause damage to your system, other than making Windows update sluggish as it repeatedly attempts to install the update. It will not trigger other side effects.

The Microsoft community post Serial and continuous problems after (KB5034441) Error (0x80070643) hints that the failure of the update to install could be the root cause of other problems. I disagree. The WinRE update patches a specific, hidden partition in your computer — or rather attempts to. It won’t install its code in other areas of the computer. Its failure to install on a Consumer Windows 10 PC is cosmetic, albeit annoying.

It’s infuriating that Microsoft has still not fixed the issue, but this is not a trigger of other core issues in Windows. The Patch Tuesday Megathread (2024-02-13) post at Reddit includes a buried comment from user bdam55, who reports that his contacts in the Windows Servicing organization say there will be no near-term fix for this. Instead they have, in effect, stopped pushing the update. If you’ve hidden it, keep it like that.

If you wondered where your “show desktop” sliver went after installing the February updates, lots of other folks on social media were wondering as well. You can go through the GUI process to turn it back on, but I’ve put up registry keys to make it a bit easier. Simply click on the file, approve the UAC prompt, and install it on your system. The little sliver will immediately come back with no need for a reboot.

The other day, someone asked what I meant when I urged everyone to install all updates in their Web Browsers immediately. Was there a specific setting they were missing?

No. The best way to update your browser to the latest version is to literally just launch the browser, find its update mechanism, and launch it. For many browsers, it’s there under Help | About. When the browser checks its version so it can be displayed, it also checks for updates. The browser handles any updates quietly, after which closing and relaunching the browser will result in a fully updated program. It’s the same process on Macs.

My mantra — to have multiple browsers and keep one for specific uses, such as banking — is also true for devices. Don’t rely just on the browser that ships with the device. These days, you can install many browsers on many devices.

The news about Mozilla reprioritizing its work on Firefox includes a note about the addition of AI features. That makes me want to scold Mozilla, “Not you, too!” The nonprofit has lost market share and still relies heavily on Google to fund its business model. Maybe the race to include AI in everything means that we’ll start to see advertisements touting the absence of AI in some products. It’s still early days for this technology, and we still need to vet the results and let the bugs emerge.

If you have a Windows 11 computer that won’t install KB5034765, the solution is to delete a folder called $WinREAgent, located in your C:\Drive. A thread on Reddit pointed this out as a fix for the issue, noting that the folder is hidden. Viewing hidden files is easy, as described in Microsoft’s support post View hidden files and folders in Windows. My theory is that this is connected to the BitLocker update because — as you may recall — Windows 11 has its WinRE updates included in the monthly cumulative update and not as a separate patch.

This month, Microsoft released .NET updates. They do not contain any new security content and are just regular bug fixes. Once upon a time, I would look in horror at .NET releases, but now they are even better behaved than Windows updates. They are not mandatory, and I am not tracking any side effects if you do install them. I flag them for installation.

Support for PQ3 will start to roll out with the public releases of iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4. It is already contained in the corresponding developer preview and beta releases. Although it’s not yet in general release, there is already chatter about PQ3, which promises end-to-end encryption in the iMessage system. According to Apple, this update is intended to guard against hacking threats driven by quantum computing.

Security updates for Microsoft’s on-premises Exchange email server address two known issues:

You’ll want to refer to the Exchange Team blog for more details and workarounds.

SQL is another one of those beasts of code to patch. If you are in the unenviable position of being a database patcher, my recommendation is to bookmark the Microsoft Learn post Latest updates and version history for SQL Server and always have a recovery plan or failover database handy. Compare your version of installed SQL to the supported levels and, as always, check with your vendors before updating.

The remaining February updates have been relatively quiet for Server admins. If you have a Server 2022 that does not have a WinRE partition, KB5034439 will continue to fail.

Last week, ConnectWise, released a security advisory regarding its product ScreenConnect, a program used by many managed service providers to provide remote access and support to clients. Huntress also provided details. Anyone with an on-premises version of ScreenConnect should update immediately.

As the alert from Huntress researchers notse, the exploit is a simple authentication bypass:

Once you have administrative access to a compromised instance, it is trivial to create and upload a malicious ScreenConnect extension to gain Remote Code Execution (RCE). This is not a vulnerability, but a feature of ScreenConnect, which allows an administrator to create extensions that execute .Net code as SYSTEM on the ScreenConnect server.

If you use a consulting firm to assist with your technology, ask them what remote tools they use — and ensure they are patched. If you are a consulting firm, always be aware of vulnerabilities in remote-control tools; add two-factor authentication to all such installations. The bad guys know we connect remotely, and they look for easy ways to piggyback on our access.

Resources

Source