MS-DEFCON 4: Consumers get a break

By Susan Bradley

We’re halfway through the patching year!

It’s time to install the June updates, which is why I’m lowering the MS-DEFCON level to 4. I’m not seeing any widespread issues or major impacts. Most side effects seem to be with Win11 Insider versions and 24H2.

It appears that new technology allowing you to sync your phone with your computer is causing a bit of a CPU hit in the 24H2 release. Microsoft is trying to fix this issue before it gets released to the rest of us. That’s good news.

In the very good news category is the delay in releasing Microsoft Recall, the much-hyped “reminder” software. The company pulled back at the last minute, due to concerns from security researchers and businesses.

Highlights

Be aware that Microsoft is rolling out a File Explorer fix for what many consider to be a step backward in functionality. Prior to this fix, as noted in an April Insider post, you could not drag and drop files to the breadcrumb trail in the Explorer address bar. This shortcut allowed a file to be moved up the directory tree to a different folder. Many also complained about the loss of the ability to click the icon to the left of the path; this turned the breadcrumb trail into a text version of the path to the current folder, which could be copied for other uses.

Microsoft is changing directions and restoring the old behavior. But even if the update is installed, you may not see this change right away, because it’s being enabled slowly on machines.

This month will be a very quick install, because no .NET updates were released. If you still have some deferred .NET updates because you missed my approval window back in May, go ahead and install the deferred .NET updates along with the June updates.

For all supported versions of Windows, the June updates include fixes for the Wi-Fi driver vulnerability (CVE-2024-30078). An attacker trying to gain access to your machine must be on the same network as you. I’ve seen reports that a threat actor has put an exploit up for sale for $5,000, but I’ve not seen reports that attacks are in active use at this time. I still think it’s easier to use a phishing attack than it is to use this exploit. Nonetheless, once you install the June updates, you’ll be protected.

Even though I regularly recommend not installing Windows updates right away, the same is not true for Apple updates. Back in mid-June 2023, Apple released fixes for two zero days that related to targeted attacks against Kaspersky employees and Russian diplomats. CVE-2023-38606 affected a particularly unusual hardware feature that was not actually used by iOS firmware — it’s been theorized that it was used in debugging. The attackers enabled this debugging mode in order to spy on or monitor transmissions.

Now we’re learning that Apple refused to pay a bug bounty to Kaspersky for reporting the flaw. That’s a concern because it removes an incentive for third parties to do the work to discover such security problems — and thus increases the risk that some problems will not see the light of day.

Most of the AskWoody readership would not be subject to these targeted attacks, but knowing about the situation showcases that even Apple’s secure platforms are not bulletproof. Make sure your phone is supported, and patch aggressively.

KB5039217 is causing some issues not only for Cloud servers but also for — perhaps — on-premises SQL databases running on Windows Server 2022. As Microsoft noted in its most recent “Windows Release Health” email:

Following the installation of the Windows security update released June 11, 2024 (the Originating KBs listed above), you might see an issue on cloud-based SQL servers where Azure Synapse SQL serverless Pool databases go on “Recovery pending” state. This issue is more likely to affect environments utilizing Customer-Managed Key (CMK) and Azure Synapse dedicated SQL pool. We have received reports that this issue might also affect SQL Server 2019 and SQL Server 2022 on-premises when running on Windows Server 2022 with the Originating KBs listed above installed. We are investigating these reports to confirm if on-premises scenarios are also affected.

So while Microsoft is rolling out the fix on the Cloud servers, it continues to investigate the impact on on-premises servers.

Businesses must be aware of beneficial tools that are, in turn, used for malicious purposes. One example is AADInternals, which can be used by attackers to pivot from on-premises to cloud. As Mandiant posts::

AADInternals, which can allow an attacker to vertically move from on-premises to Azure AD, establish backdoors, steal passwords, generate user security tokens, and bypass MFA protections. This PowerShell module has allowed attackers to maintain persistence in the tenant even after initial eradication efforts were conducted.

The risks to both Active Directory Federation Services and Cloud assets should be reviewed. You should ensure that Cloud admins log in only to Cloud properties and (as Microsoft suggests in its Learn post Protecting Microsoft 365 from on-premises attacks) that isolated systems are used to log in to cloud assets for management purposes.

For those of you who love any sort of tool that Mark Russinovich and his team have created, Microsoft released Process Monitor 4.0 and Sysmon 1.3.3 for Linux. Process Monitor includes “Process Start,” a new column that can be used to sort start times.

Resources

Source