Channel: Windows 10 – Born's Tech and Windows World

Windows 10 V1607, V1703, V1709 Updates (10/18/2018)

Microsoft has released the updates KB4462932 (Windows 10 V1709), KB4462939 (Windows 10 Version 1703) and KB4462928 (Windows 10 Version 1607) as well as some dynamic updates as of October 18, 2018.

A list of updates can be found on this Microsoft website. I have extracted the most important information below.

Updates for Windows 10 Version 1709

The following updates are available for Windows 10 Fall Creators Update (version 1709). 

Update KB4462932 for Windows 10 Version 1709

Cumulative Update KB4462932 for Windows 10 Version 1709 (Fall Creators Update) raises the OS build to 16299.755 and includes quality improvements and fixes:

  • Addresses the redenomination of local currency that the Central Bank of Venezuela implemented to enter the Bolivar Soberano into circulation. 
  • Addresses an issue in which searching using Microsoft Outlook’s Social Connector returns nothing, which causes the People’s pane results to always be empty. 
  • Addresses additional issues with updated time zone information. 
  • Addresses an issue that prevents the clock and date flyout from appearing when the region format is Spanish (Spain) and the sorting method is Traditional. 
  • Addresses an issue with navigation from the Decade view in the Japanese calendar. When the user tries to go from the Current era to the next era, navigation does not work properly. 
  • Addresses an issue to support Microsoft Office events in the “Limit Enhanced” Group Policy setting list. 
  • Addresses an issue in which applications on systems with more than 4 GB of memory receive Access Denied error code “0x5” when calling CreateProcessWithLogonW().
  • Addresses an issue that makes it impossible to disable TLS 1.0 and TLS 1.1 when the Federal Information Processing Standard (FIPS) mode is enabled. 
  • Addresses an issue in which the AccountName in the Event Log entry for the Microsoft-Windows-Kerberos-Key-Distribution-Center source and Event ID 7 sometimes appears corrupted. 
  • Addresses an issue in which applications have handle leaks when using client authentication certificates with the TLS protocol. This issue occurs when the FreeCredentialsHandle call occurs before the DeleteSecurityContext call in application code. 
  • Addresses an issue that might cause TCP connections opened for an application running on Windows Container to fail sporadically. This occurs when the container runs on a Network Address Translation (NAT) Network provided by Windows Network Address Translation (WinNAT). A SYN timeout occurs after reaching the maximum SYN Retransmit count. 
  • Addresses an issue that prevents the deletion of Immediate Tasks when their deletion timer occurs, such as when you configure Group Policy preferences for Immediate Task actions. 
  • Addresses an issue that can cause App-V packages to fail because of a missing file or DLL error. 
  • Addresses an issue that may cause certain applications to stop responding after installation.
  • Addresses an issue that fails to mount a volume when running Mount-SRDestination to bring a destination volume online as part of the Test Failover feature.
  • Addresses an issue in which the System.Security.Cryptography.Algorithms reference was not correctly loaded on .NET Framework 4.7.1 after the July 10, 2018 and August 14, 2018 patches.
  • Addresses an issue that may cause the system to stop working during the shutdown of some Windows Presentation Foundation (WPF) apps because of TaskCanceledException. Apps that are vulnerable to this issue perform work involving weak events or data binding after the Application.Run() function returns values.
  • Addresses a race condition in temporary files and some antivirus scanners that causes .NET Framework applications to stop working. The error message is, “The process cannot access the file <name of temp file>”.
  • Updates the .NET Framework’s support for the formatting of Japanese dates for the first year in the eras. When the format pattern is “y年”, the year format will use the symbol 元 and not use year number 1. Additionally, the .NET Framework will support dates that include 元.
  • Updates Venezuela currency information. This will affect the culture of “es-VE” as follows:
    • The currency symbol is “Bs.S”.
    • The English currency name is “Bolívar Soberano”.
    • The local currency name is “bolívar soberano”.
    • The International Currency Code is “VES”.
  • Addresses an issue with a dialog box that may appear with a non-applicable message beginning with the words, “Hosted by…” when first starting Microsoft Edge. The dialog box only appears if you have turned on “Block only third-party cookies” in Microsoft Edge and applied certain language packs after installing the October 9, 2018 update.
  • Addresses an issue that may cause an application that has a child window to stop processing mouse inputs. This issue occurs when a precision touchpad triggers a WM_MOUSEWHEEL event.

The latest Servicing Stack Update (SSU) must be installed before this update can be installed (Windows Update does this automatically). The update is distributed via Windows Update, but can also be downloaded from the Microsoft Update Catalog. No problems are known.

Updates for Windows 10 Version 1703

The following updates are available for Windows 10 Creators Update (version 1703). 

Update KB4462939 for Windows 10 Version 1703

Cumulative Update KB4462939 for Windows 10 Version 1703 (Creators Update) raises the OS build to 15063.1418 and includes quality improvements. It addresses the following vulnerabilities and issues:

  • Addresses the redenomination of local currency that the Central Bank of Venezuela implemented to enter the Bolivar Soberano into circulation. 
  • Addresses additional issues with updated time zone information.
  • Addresses an issue that may cause the operating system to stop responding when transitioning from Sleep to Hibernation. 
  • Addresses an issue with navigation from the Decade view in the Japanese calendar. When the user tries to go from the Current era to the next era, navigation does not work properly. 
  • Addresses an issue with cloud authentication performance for accounts that create logon sessions very quickly. 
  • Addresses an issue that makes it impossible to disable TLS 1.0 and TLS 1.1 when the Federal Information Processing Standard (FIPS) mode is enabled. 
  • Addresses an issue in which applications on systems with more than 4 GB of memory receive Access Denied error code “0x5” when calling CreateProcessWithLogonW().
  • Addresses an issue in which applications have handle leaks when using client authentication certificates with the TLS protocol. This issue occurs when the FreeCredentialsHandle call occurs before the DeleteSecurityContext call in application code. 
  • Addresses an issue that can cause App-V packages to fail because of a missing file or DLL error.
  • Addresses an issue in which the System.Security.Cryptography.Algorithms reference was not correctly loaded on .NET Framework 4.7.1 after the July 10, 2018 and August 14, 2018 patches.
  • Addresses an issue that may cause the system to stop working during the shutdown of some Windows Presentation Foundation (WPF) apps because of TaskCanceledException. Apps that are vulnerable to this issue perform work involving weak events or data binding after the Application.Run() function returns values.
  • Addresses a race condition in temporary files and some antivirus scanners that causes .NET Framework applications to stop working. The error message is, “The process cannot access the file <name of temp file>”.
  • Updates the .NET Framework’s support for the formatting of Japanese dates for the first year in the eras. When the format pattern is “y年”, the year format will use the symbol 元 and not use year number 1. Additionally, the .NET Framework will support dates that include 元.
  • Updates Venezuela currency information. This will affect the culture of “es-VE” as follows:
    • The currency symbol is “Bs.S”.
    • The English currency name is “Bolívar Soberano”.
    • The local currency name is “bolívar soberano”.
    • The International Currency Code is “VES”.
  • Addresses an issue with a dialog box that may appear with a non-applicable message beginning with the words, “Hosted by…” when first starting Microsoft Edge. The dialog box only appears if you have turned on “Block only third-party cookies” in Microsoft Edge and applied certain language packs after installing the October 9, 2018 update.

The latest Servicing Stack Update (SSU) must be installed before this update can be installed (Windows Update does this automatically). The update is distributed via Windows Update, but can also be downloaded from the Microsoft Update Catalog. No problems are known.

Improvements in Windows Update

Microsoft has also released an update directly to the Windows Update Client to improve its reliability. Any device running Windows 10 that is configured to automatically receive updates from Windows Update will be updated. This does not apply to long-term service editions of Windows 10.

Updates for Windows 10 Version 1607

The following updates are available for Windows 10 Anniversary Update (version 1607) and Windows Server 2016. 

Update KB4462928 for Windows 10 Version 1607

Cumulative Update KB4462928 for Windows 10 Version 1607 (Anniversary Update) raises the OS build to 14393.2580 and includes quality improvements. The update is only available for Windows 10 Enterprise and Windows 10 Education (and the LTSC variant). It addresses the following vulnerabilities and issues: 

  • Addresses the redenomination of local currency that the Central Bank of Venezuela implemented to enter the Bolivar Soberano into circulation. 
  • Addresses additional issues with updated time zone information.
  • Addresses an issue in which no error message appears when a blocked app is invoked from the Start menu. 
  • Addresses an issue in which the AccountName in the Event Log entry for the Microsoft-Windows-Kerberos-Key-Distribution-Center source and Event ID 7 sometimes appears corrupted. 
  • Addresses an issue with cloud authentication performance for accounts that create logon sessions very quickly. 
  • Addresses an issue that makes it impossible to disable TLS 1.0 and TLS 1.1 when the Federal Information Processing Standard (FIPS) mode is enabled. 
  • Addresses an issue that maps two or more certificates for authentication to the same user. The user receives the message, “Duplicates found” and receives the error, “STATUS_CERTIFICATE_MAPPING_NOT_UNIQUE”. 
  • Addresses an issue in which applications have handle leaks when using client authentication certificates with the TLS protocol. This issue occurs when the FreeCredentialsHandle call occurs before the DeleteSecurityContext call in application code. 
  • Addresses memory leak issues on svchost.exe (netsvcs and IP Helper Service). 
  • Addresses an issue that depletes the storage space on a cluster-shared volume (CSV) because of a Hyper-V virtual hard disk (VHDX) expansion. As a result, a Virtual Machine (VM) might continue writing data to its disk until it becomes corrupted or stops working. The VM might also restart and then resume writing data until a corruption occurs. 
  • Addresses an issue that causes the promotion of a read-only domain controller (RODC) to fail. This might occur if application partitions are defined, but the DNS name resolution failed with the “Name error”. The errors are “While promoting Read-only Domain Controller, the expected state objects could not be found” and “More data is available” (error code 234).
  • Addresses interoperation issues between Active Directory Federation Services (ADFS) Extranet Smart Lockout (ESL) and Alternate Login ID. When Alternate Login ID is enabled, calls to AD FS Powershell cmdlets, Get-AdfsAccountActivity and Reset-AdfsAccountLockout, return “Account not found” errors. When Set-AdfsAccountActivity is called, a new entry is added instead of editing an existing one. 
  • Addresses an issue with navigation from the Decade view in the Japanese calendar. When the user tries to go from the Current era to the next era, navigation does not work properly.
  • Addresses an issue that causes the Remote Desktop Services Gateway to stop working effectively in a load balanced scenario after 12 to 24 hours of uptime. 
  • Addresses an issue that occurs when using multiple Windows Server 2016 Hyper-V clusters. The following event appears in the log:

    “Cluster Shared Volume ‘CSVName’ (‘CSVName’) has entered a paused state because of ‘STATUS_USER_SESSION_DELETED(c0000203)’. All I/O will temporarily be queued until a path to the volume is reestablished.”

  • Addresses an issue that may cause the creation of a single node cluster or the addition of more nodes to a cluster to fail intermittently.

  • Addresses an issue that occurs when restarting a node after draining the node. Event ID 5120 appears in the log with a “STATUS_IO_TIMEOUT c00000b5” message. This may slow or stop input and output (I/O) to the VMs, and sometimes the nodes may drop out of cluster membership.

  • Addresses an issue in which the System.Security.Cryptography.Algorithms reference was not correctly loaded on .NET Framework 4.7.1 after the July 10, 2018 and August 14, 2018 patches.

  • Addresses an issue that may cause the system to stop working during the shutdown of some Windows Presentation Foundation (WPF) apps because of TaskCanceledException. Apps that are vulnerable to this issue perform work involving weak events or data binding after the Application.Run() function returns values.
  • Addresses a race condition in temporary files and some antivirus scanners that causes .NET Framework applications to stop working. The error message is, “The process cannot access the file <name of temp file>”.
  • Updates the .NET Framework’s support for the formatting of Japanese dates for the first year in the eras. When the format pattern is “y年”, the year format will use the symbol 元 and not use year number 1. Additionally, the .NET Framework will support dates that include 元.
  • Updates Venezuela currency information. This will affect the culture of “es-VE” as follows:
    • The currency symbol is “Bs.S”.
    • The English currency name is “Bolívar Soberano”.
    • The local currency name is “bolívar soberano”.
    • The International Currency Code is “VES”.
  • Addresses an issue that may cause the addition of nodes to fail intermittently after creating a single node in a Windows Server 2016 Cluster. The error code is, “0x0000001e”.
  • Addresses an issue that may cause an application that has a child window to stop processing mouse inputs. This issue occurs when a precision touchpad triggers a WM_MOUSEWHEEL event.

The latest Servicing Stack Update (SSU) must be installed before this update can be installed (Windows Update does this automatically). The update is distributed via Windows Update, but can also be downloaded from the Microsoft Update Catalog.

After installing this update, installing Windows Server 2019 Key Management Service (KMS) Host Keys (CSVLK) on Windows Server 2016 KMS hosts does not work as expected.

Windows Update improvements

Microsoft has also released an update directly to the Windows Update Client to improve its reliability. Any device running Windows 10 that is configured to automatically receive updates from Windows Update will be updated. This does not apply to long-term service editions of Windows 10.

Updates for Windows 10 V1803

There have also been some updates for Windows 10 V1803.

Dynamic Update KB4460108 for Windows 10 V1803

Microsoft has also released Update KB4460108 for Windows 10 V1803, to improve the upgrade experience to this release. The German site deskmodder.de has the direct download links here.

Critical Update KB4463318 for Windows 10 V1803

Microsoft also released a critical Update KB4463318 for Windows 10 V1803. This update makes improvements to ease the upgrade experience to Windows 10 Version 1803 (it’s for the integration of indexes in an install.wim).


Windows 10 19H1 with Retpoline Spectre V2 Mitigation

Surprise in Windows 10 Insider Preview 19H1: The kernel contains the Retpoline technology to protect it from Spectre V2 attacks. This is intended to minimize the performance loss caused by this protection.

Background information about Retpoline

At the beginning of the year, the attack methods Spectre and Meltdown, which work at the CPU level, became publicly known. As a result, Intel and Microsoft released a number of Meltdown and Spectre Microcode patches. An unwelcome side effect: Some patches caused massive performance losses in the systems.

On the other hand, Google software developers had the idea to mitigate speculative side channel attacks for Spectre (and Meltdown) using special code constructs. The technique is called Retpoline and was described in this Google document. Google used the Retpoline technique to patch its own servers for the cloud.

Microsoft is using Retpoline

Now security researcher Alex Ionescu noticed while testing the current Insider Preview for Windows 10 19H1 that Retpoline is activated in the kernel. He reported this in a tweet, answered by Mehmet Iyigun.

In his tests, he observed greatly improved performance of the new kernel in file system benchmarks on a Surface Pro 4. Mehmet Iyigun (@mamyun) from the Windows/Azure Kernel Team then confirmed on Twitter that Retpoline had been enabled by default in the Windows 10 development branch 19H1 (to be the spring update in 2019).

At Microsoft, this is combined with a technique called ‘Import Optimization’. The developers aim to minimize the performance losses caused by indirect calls to kernel mode functions. The combination of these techniques reduces the performance losses caused by Spectre V2 protection to noise level.

Windows 10: Information on deadlines for downgrade rights

Some brief information for users who want or need to downgrade from Windows 10 to a previous version of Windows. I have received a newsletter from a Swiss OEM with various information that might be of interest to administrators.

At this point I would like to thank blog reader Uwe K., who sent me a note about the bluechip-TECHnews newsletter. In the newsletter (German) bluechip discusses the Windows 10 support extension. I had discussed this in the blog post Windows 10 Support extended to 30 months (sometimes).

Costs for Windows 7 Extended Security Updates

I also mentioned the offer of extended support for Windows 7 to 2023 in the blog post Wow! Windows 7 get extended support until January 2023. What’s new for me is the cost statement. Here’s what the Swiss OEM wrote:

For Windows 7 users, there are … security updates available until January 2023. The Extended Security Updates (ESU) fee is 75% of the original license price and is available only to customers who have purchased Pro or Enterprise Edition through a volume program.

This information may be of interest to administrators who must run Windows 7 SP1 in an enterprise environment from January 2020 onward.

Windows 10 downgrade right

The second piece of information from the newsletter, which may be of interest to some blog readers, addresses the right to downgrade a machine with a Windows 10 license to an earlier version of Windows. Microsoft’s downgrade right allows customers to use an older version of Windows instead of the current operating system on a machine with a Windows 10 license. This makes it possible to avoid compatibility problems. The newsletter says:

This applies not only to corporate customers, but also to private customers.

However, the prerequisite is that the Windows 10 license also includes this downgrade right, which is not the case for Windows 10 Home (this SKU is not downgradeable). Windows 10 Pro, on the other hand, is downgradeable to Windows 7 Professional or Windows 8.1 Pro.

Windows 10 Downgrade Right Deadlines

Swiss OEM bluechip points out in its newsletter that this downgrade right is limited in time according to the Microsoft license conditions. It expires at the end of Extended Support for the Windows version used.

  • For Windows 7 Professional, the downgrade right ends on 01/14/2020.
  • However, a downgrade to Windows 8.1 Pro is possible until 01/14/2023.

bluechip also writes that OEMs are only entitled to preload Windows 7 Professional on delivered machines until October 31, 2018.

However, a customer may still downgrade to an earlier version of Windows after this date under licensing law. This requires both installation media and a key, which are provided by the respective OEMs. Further details can be read directly in the (German) bluechip newsletter.


Windows as a service: pretty broken by design?

Microsoft failed to release Windows 10 April 2018 Update free of accidents, and Microsoft failed to release Windows 10 October 2018 Update without an accident. I would say: This ‘Windows as a thing’ is broken by design.

Microsoft’s Windows 10 developers are on a rocky road. There is no cumulative update that doesn’t cause issues on many machines. The Windows 10 April 2018 Update released this spring was halted due to issues. Microsoft also had to withdraw the Windows 10 October 2018 Update and pause the rollout because of major file deletion issues.

Bugs, bugs, how to defend against bugs

And once a feature update has been released, users and administrators fight with bugs that have been introduced with feature updates and cumulative updates. Windows veteran Susan Bradley, known as Patch Lady, has obtained a survey about Windows 10 user confidence and has written an open letter to Microsoft’s Satya Nadella (see Windows (10) Update Survey and an open letter to Microsoft, and Microsoft’s answers at Windows Update quality issues: Microsoft’s answer). That didn’t trigger a noticeable reaction at Microsoft.

Michael Horowitz recently wrote the article Defending against Windows 10 bug fixes, outlining what plagues administrators and users of Windows 10. The title says it all: Normally, users are eager to receive bug fixes for their software. But in the case of Windows 10, many users think about ‘how to defend against Microsoft Windows 10 bug fixes’ that break more than they fix.

And at Ars Technica, Peter Bright has analyzed why Microsoft’s Windows development process has been failing for years. In his lengthy article Microsoft’s problem isn’t how often it updates Windows—it’s how it develops it, Peter analyzed what is going wrong within this process. His conclusion: Microsoft’s process of developing its operating system was flawed from the get-go, all the way back to even Windows 7. The developers were allowed to integrate code without any testing in Windows 10 feature updates. And he noted that Microsoft’s developers actually write code for new features for only a few weeks during a release cycle. The rest of the cycle is spent removing bugs from the code.

What we as users get is poor-quality, unreliable software called Windows 10, which comes with many issues that are not found during Insider testing, or that have been known (and ignored by Microsoft) for many Windows versions.

Windows 10 V1809 is ‘recommended’, but is pulled

It seems that Microsoft’s staff is really nervous at the moment. Maybe that explains what has been outlined in the following tweet from Tero Alhonen.

Windows 10 V1809 has been pulled due to major bugs (and is being tested again within the Windows Insider process). But Microsoft recommends that version here. Unbelievable!

Windows 10 V1809: ZIP bug confirmed

Microsoft has confirmed the bug when unpacking ZIP files (existing files are not overwritten, but nothing is reported either) in Windows 10 V1809. The bug was known to Microsoft and is even fixed in the Windows 10 19H1 (Insider Preview) branch, but users of Windows 10 V1809 need to wait until a patch comes in November 2018 and the rollout is released again. I’ve added details in my blog post Windows 10 V1809: Write bug in ZIP feature.

Windows 10: 0-Day-Exploit in Microsoft Data Sharing

Twitter user @SandboxEscaper has once again disclosed a zero-day exploit in Windows 10 (and the server editions) and published a proof of concept (PoC) on GitHub. It concerns the Microsoft Data Sharing library dssvc.dll, which allows privilege escalation.

Twitter user @SandboxEscaper had already made a name for himself two months ago with a zero-day exploit in the task scheduler – but then deactivated his Twitter account (see Windows 0-day ALPC vulnerability in task scheduler).

Vulnerability in Microsoft Data Sharing library

Now @SandboxEscaper has disclosed a new vulnerability in Windows via Twitter and also delivered a proof of concept (PoC).

The tweet is a bit cryptic: SandboxEscaper writes something about a still unpatched ‘low quality bug’ that can be exploited. He has published a Proof of Concept (PoC) on GitHub, with which the bug can be exploited. But the GitHub RAR archive file is immediately blocked as harmful by Chrome on my system. So I didn’t test anything.

The tweet above shows that @SandboxEscaper probably wants to withdraw from the whole thing – he’s done, he writes. And he probably indicates that he is broke (he had tried to sell the previous vulnerability to the highest bidder, possibly he was ‘burned’ in this respect). This may emerge from this tweet, where he suggests that he has to get drugs on the grey market because health care in Belgium is crap. According to the hints, he is likely to suffer from depression and therefore seems to be unemployed/not able to work. But that is speculation on my part.

A few details about the vulnerability

The Hacker News has addressed the issue in this article. The vulnerability (0-day exploit) is located in the Microsoft Data Sharing library dssvc.dll. The DLL is responsible for the Data Sharing Service, a local service that runs under the LocalSystem account with extensive privileges and provides data brokering between applications.

The Proof of Concept (PoC) published on a GitHub page exploits what appears to be a privilege escalation vulnerability in the Microsoft Data Sharing library (dssvc.dll). The vulnerability could allow a low-privileged attacker to increase his privileges on a target system. However, the PoC exploit code (deletebug.exe) shared by @SandboxEscaper only allows a low-privilege user to delete critical system files that would otherwise only be accessible with administrator privileges. According to The Hacker News, @SandboxEscaper writes:

“Not the same bug I posted a while back, this doesn’t write garbage to files but actually deletes them.. meaning you can delete application dll’s and hope they go look for them in user write-able locations. Or delete stuff used by system services c:\windows\temp and hijack them.”

So the bug allows DLLs and other files to be deleted, which opens another attack vector. If a DLL is deleted, an attacker can hope that the applications or services that need it then search for the missing DLL in places (via the search path) that are writable with user rights. If an attacker then places his own DLLs in these directories, successful DLL hijacking is possible (I have addressed this scenario several times in my blog).
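A hardening check for the scenario above, as an added example that is not from the original post: it lists directories on the machine-wide PATH in which broad low-privileged groups may create files. The function name and the default SID list are assumptions made for this illustration; Deny ACEs and individual group memberships are not evaluated.

```powershell
# Added example (not from the original post). Lists machine-wide PATH
# directories where low-privileged groups are allowed to create files.
function Get-UserWritableSearchPathDirectory {
    [CmdletBinding()]
    param(
        # Default: the machine-wide PATH, which services running as LocalSystem also use.
        [string[]]$Directory = ([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';'),
        # Assumption: Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE.
        [string[]]$LowPrivSid = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')
    )

    $sidType      = [System.Security.Principal.SecurityIdentifier]
    $inheritOnly  = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    # FILE_ADD_FILE (create files in a directory) plus the generic rights that imply it.
    $createFiles  = 0x2
    $genericWrite = 0x40000000
    $genericAll   = 0x10000000
    $writeBits    = $createFiles -bor $genericWrite -bor $genericAll

    foreach ($entry in $Directory) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }
        $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))

        # A stale PATH entry is worth reporting: whoever can create it controls it.
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            [pscustomobject]@{
                Directory = $dir; Principal = $null; Rights = $null
                Finding   = 'PATH entry does not exist'
            }
            continue
        }

        $acl = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
        if (-not $acl) { continue }

        # Ask for the rules with SIDs so the comparison is language independent.
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            # Inherit-only ACEs apply to children, not to the directory itself.
            if (([int]$rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }
            if ($LowPrivSid -notcontains $rule.IdentityReference.Value) { continue }
            if (([int]$rule.FileSystemRights -band $writeBits) -eq 0) { continue }

            # Resolve the SID to a readable name where possible.
            $name = $rule.IdentityReference.Value
            try {
                $name = $rule.IdentityReference.Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { }

            [pscustomobject]@{
                Directory = $dir
                Principal = $name
                Rights    = $rule.FileSystemRights
                Finding   = 'Low-privileged group can create files'
            }
        }
    }
}

# Run from an elevated prompt so every ACL can be read:
# Get-UserWritableSearchPathDirectory | Format-Table -AutoSize
```

Every directory this reports is a place where a planted DLL would be found by a process that searches the PATH, so it should either be removed from the machine PATH or have its ACL tightened.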

Windows 10 and server editions at risk

The Hacker News writes that the Microsoft Data Sharing service was introduced in Windows 10 and later versions of Windows Server editions. In other words: Users of Windows 7 SP1 and Windows 8.1 and their server counterparts are not affected by this vulnerability. 

The PoC exploit was successfully run by Will Dormann against a “fully patched Windows 10 system” (V1803) with the latest security updates from October 2018, as well as against Server 2016 and Server 2019, as he writes on Twitter.

At this point I’d like to point out: I don’t recommend that any blog reader run the PoC. Nobody knows what’s in the file – and the code can crash the operating system.

Micropatch from 0patch available

Hours after the PoC was published by @SandboxEscaper, Mitja Kolsek from 0patch announced a micropatch for this vulnerability via Twitter.

Another tweet from 0patch confirms that the vulnerability is no longer exploitable.

I have already published some articles about 0patch and its micropatches here in my blog. 0patch always intends to patch zero-day exploits before Microsoft releases a regular security update.


Windows 10 Insider Preview Build 18267

Microsoft has released the Windows 10 Insider Preview Build 18267 in the Fast and Skip Ahead Ring. This is the 19H1 development branch, which will be released as a product in spring 2019. The announcement and description of the new features can be found in the Windows Blog.

Windows Defender in a sandbox

Microsoft has added an additional security feature to the Windows Defender included in Windows 10. Defender can be run in a protected sandbox environment from Windows 10 V1703 onwards.

Some Background: Virus scanners like Windows Defender run with system rights. If there are vulnerabilities in these modules, malware can exploit them and do virtually anything with system rights. Microsoft regularly patches vulnerabilities found in Defender or in the Antimalware Engine. But isolating these components in a sandbox is helpful.

According to Microsoft, a new milestone has been reached with Windows Defender Antivirus. The integrated antivirus functions of Windows 10 can now be executed as the first complete antivirus solution in a sandbox. Microsoft introduced the new feature and more details on October 26, 2018 in the blog post Windows Defender Antivirus can now run in a sandbox.


Bing/Edge directed Chrome-Fans to Phishing sites

A worrying thing that may have happened in the USA. Users looking for a Google Chrome download in Microsoft Edge on Windows 10 were occasionally redirected to a page offering unwanted software (PUP).

There is always the danger that users searching on Google, Bing and Co. are redirected via sponsored ads to pages offering malware or unwanted software (PUP). The search engine providers naturally try to avoid this.

Phisher tricked Bing

From time to time, cyber criminals are able to trick Bing into showing an ad that redirects users to phishing sites. I became aware of this topic through a tweet by Tero Alhonen.

The case was noticed by Gabriel Landau, who got a new Windows 10 notebook. While setting the machine up, he wanted to quickly search in Microsoft’s Edge browser for the Google Chrome browser download and install this alternative browser. But he noticed that he was offered googleonline2018[.]com as the target page. So he recorded this in a video and published it in a tweet.

Redirected to a Phishing site distributing PUPs

The target page is a phishing site that is also blocked with a warning in the Google Chrome browser. Here is the warning, which is displayed to me in Chrome under Windows 7.

Phishing-Site googleonline2018[.]com

It seems that an installer for potentially unwanted programs (PUPs) is offered for download on this site together with the Chrome browser package. How To Geek addressed the case within this article (Forbes also has a report). Bleeping Computer had a similar article in April 2018. And the How To Geek article mentions further sources.

Strange behaviour in Edge/IE 11

My attempt to open the web page in the Edge browser ended with a strange display (see screenshot below), which I can’t make sense of at the moment.

Phishing-Site googleonline2018[.]com in Edge

It says the web site could not be reached. The link shown to search for the page on Bing produces the same result. IE 11 also shows a similar message (under Windows 7 and Windows 10), but no indication of a phishing page. Something is now blocked at Microsoft.

Microsoft has posted the above tweet stating that the ads have been removed from Bing. What I recommend: keep your eyes open when you search for software via search engines. If known, make sure that the manufacturer’s download page is shown in the browser’s address bar (in the current case it would be something with google.com). If you want to be absolutely sure, you can inspect the downloaded installer file and check it for digital signatures as well as upload it to VirusTotal.
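The signature check recommended above can be scripted. The following PowerShell function is an added example, not part of the original article; the function name, the sample path and the publisher string are assumptions. It reports the Authenticode status, the signer and the SHA-256 hash, which can be looked up on VirusTotal without uploading the file.

```powershell
# Added example: inspect a downloaded installer before running it.
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: the organisation name you expect in the signing
        # certificate. Pass the full, exact name; a short substring would
        # also match look-alike publishers.
        [Parameter(Mandatory)][string]$ExpectedPublisher
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # 'Valid' means: signed, not modified since signing, and the certificate
    # chains to a root trusted on this machine. Other values include
    # NotSigned, HashMismatch and NotTrusted.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # The hash identifies the exact file, e.g. for a VirusTotal search.
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    $subject = $null
    $publisherMatches = $false
    if ($null -ne $sig.SignerCertificate) {
        $subject = $sig.SignerCertificate.Subject
        $publisherMatches = $subject.IndexOf(
            $ExpectedPublisher,
            [System.StringComparison]::OrdinalIgnoreCase) -ge 0
    }

    [pscustomobject]@{
        Path             = (Resolve-Path -LiteralPath $Path).Path
        SHA256           = $sha256
        SignatureStatus  = $sig.Status
        StatusMessage    = $sig.StatusMessage
        Signer           = $subject
        Timestamped      = ($null -ne $sig.TimeStamperCertificate)
        PublisherMatches = $publisherMatches
        # A valid signature alone is not enough: PUP installers are often
        # validly signed, just by a different publisher.
        Trusted          = ($sig.Status -eq 'Valid') -and $publisherMatches
    }
}

# Usage (hypothetical path and publisher name):
# Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\ChromeSetup.exe" `
#     -ExpectedPublisher 'Google LLC'
```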

Botched Windows 10 V1809 upgrade reached Million PCs


[German]Windows 10 October 2018 Update (V1809), released to the public by Microsoft on October 2, 2018 and withdrawn a short time later, may have been installed on millions of PCs.

It was a failure foretold: although the Insider Preview users had reported numerous bugs, they were not fixed. Instead, Microsoft pushed the V1809 to the release channel. Anyone looking for updates on October 2 was offered this Windows build.

Due to numerous bugs, including the threat of data loss, Microsoft stopped the distribution of Windows 10 V1809 a short time later. In the meantime some patches have been released for insiders. Apart from the reader’s note that some users received the feature upgrade automatically, many users seem to have switched to build V1809.

Windows 10 distribution Oct. 2018
(Source: AdDuplex)

MSPowerUser noticed that AdDuplex has published the newest figures on Windows 10 distribution for October 2018. Windows 10 V1809 is listed with a share of 2.3%. This value is determined by apps in which the AdDuplex tracker is integrated. With 700 million Windows 10 installations, this means that 16.1 million Windows 10 V1809 installations are active.

Windows 10 Insider Preview Build 18272 released


[German]Microsoft has released Windows 10 Insider Preview Build 18272 in the Fast Ring. This is the 19H1 development branch, which will be released in spring 2019 as a product. This build is also available as an ISO file. In addition, new code names for Windows 10 Insider Previews have become known.

Windows 10 Insider Preview Build 18272

The announcement of the Windows 10 Insider Preview Build 18272 was made by Dona Sarkar on Twitter; the description of new features and known bugs can be found within the Windows Blog.

Showing sign-in Settings with Windows Hello PIN area selected and expanded.
(Source: Microsoft)

  • The Windows Hello login settings have been revised (see figure above). 
  • The SwiftKey keyboard now supports several additional languages (Swiss-German). 
  • Some enhancements have been made to the accessibility features. 
  • Apps like Snip & Sketch (screenshot tool) and Sticky Notes have been improved.

Details and a list of other improvements can be found within the Microsoft blog post. Within this article you can also find a long list of known problems. When installing the build, some users may experience an installation loop with the error 0x8024200d, for instance.

ISO download of Windows 10 Build 18272

For the first time, Microsoft has made an Insider Preview build in the 19H1 branch available for download as an ISO file. The downloads are available for Windows Insider Preview participants via this Microsoft site after logging in with the Microsoft account. German site deskmodder.de has the direct download links.

New code names: Vanadium & Co.

For the previous Windows Insider Preview development branches, Microsoft developers used code names like Threshold and Redstone. It has been announced that from 2019 onwards a naming scheme 19H1, 19H2 etc. will be used.

Tero Alhonen has discovered in the above tweet that the developers in the Azure environment use code names for metals such as titanium, vibranium and manganese for the individual versions. Titanium is the code name for the Azure development branch 19H1.

Mary Jo Foley has taken this up and points within the above tweet to a ZDNet article with further details. The Windows team has not yet adopted the Azure developers’ code name Titanium for the 19H1 branch. But in autumn 2019 the development branch 19H2 might be ready for a fantasy name again.

Windows Performance Analyzer in Microsoft Store


[German]Microsoft has released the Windows Performance Analyzer as an app in the Microsoft Store. This tool comes in handy during some diagnostic tasks. Here is some information about the topic.

Windows Performance Analyzer

Windows Performance Analyzer has been a part of Microsoft’s Windows Assessment and Deployment Kit (Windows ADK). It’s a tool that creates graphs and data tables of Event Tracing for Windows (ETW) events that are recorded by Windows Performance Recorder (WPR), Xperf, or an assessment that is run in the Assessment Platform.

Windows Performance Analyzer

WPA can open any event trace log (ETL) file for analysis (see here). This Microsoft document is a step-by-step guide to use this tool.

Windows Performance Analyzer in Store

WalkingCat noticed that Microsoft has put Windows Performance Analyzer as an App into Microsoft Store. 

The app can be downloaded here from Microsoft Store. The tool has been available in Microsoft Store since May 2018 and has a size of 63.23 MB. This package also includes WPAExporter & XPerf.

Windows Performance Analyzer in Store

(via)

Windows 10: App History without Microsoft account?


[German]Microsoft is probably able to track the Microsoft store app history, i.e. what you have loaded as an app in the store, even without a Microsoft account. This may be shown within the store’s app history.

Windows 10 Pro: Store access with local account

It has been known for a while that Windows 10 supports access to the Microsoft Store, at least in the Pro version, even without a Microsoft account. I found first hints in 2015 here. In November 2016 German magazine heise.de took up the topic and described that you can still select and download free apps in the Microsoft store with local accounts (as long as they are not for adults). But the heise.de article describes some issues with this approach (for instance, if an account has temporarily been a Microsoft account and is then changed to a local account, it’s not possible to access the store from this local account).

I checked the local account

I just checked it on my Windows 10 Pro test machine and logged in to my local administrator account. If I go to the Store app, I can view the app history (also without MS account) under (see screenshot below).

App history in Microsoft Store

The gray icon in the upper right corner of the store flags the missing Microsoft account. Within the screenshot you can see which apps I used within this account. The list shows some apps that have been updated in the last months on the machine.

But what surprised me at this point was the last two lines. Apparently I installed Windows 10 Home on July 16, 2015 – which is probably true (I had the RTM a few days earlier and tested it). On August 21, 2015 I tested the upgrade to Windows 10 Pro (V1507), which was also noted. In addition, the VLC app and some of Microsoft’s stuff are bobbing around on the machine and are assigned to the local account.

Unpleasant implications

So far I hadn’t thought about this topic (naively). I don’t use any apps (except that I might test something) and therefore never needed to check the app history of a local account.

Within this German article, news site heise.de reports that the machine knows the app history even without a Microsoft account. The article also shows a screenshot of the store apps, which lists some ‘downloaded’ apps with a local account. Apparently the Microsoft servers remember which apps were bought by using the machine ID of an activated Windows 10.

This history is probably not stored on the client, but is registered for the machine in Microsoft’s cloud. heise.de now points out an unpleasant implication in the article, which I didn’t have on my radar. Since the Microsoft servers remember when a machine visits the Microsoft Store and downloads apps, the app history also survives a new installation of the operating system.

That’s no problem, because Windows 10 was activated by a unique ID – and can be activated again. But it’s stupid if a buyer of a used Windows 10 machine can see which apps the previous owner obtained from the store under a local account.

This can only be avoided by logging in with a Microsoft account when using the store. Then the apps will be assigned to this account and won’t show up if you downgrade the account to a local account. To my knowledge, deleting the app history is not possible – or did I miss something?

Windows 10 V1803: Issues with Update KB4462933


[German]Microsoft released cumulative update KB4462933 for Windows 10 V1803 in October 2018. This update caused the Edge Developer Tools to stop working. There may also be problems with SQL connections.

We are talking about cumulative update KB4462933 of October 24, 2018, which raised Windows 10 V1803 (April 2018 update) to build 17134.376. I mentioned the update within the blog post Windows 10 V1803: Update KB4462933 (10/24/2018).

Issues with Edge Developers Tools

The update should actually fix, among others, a number of bugs in Edge Developers Tools. Microsoft wrote:

  • Addresses an issue that sometimes prevents documents from appearing in the Microsoft Edge DevTools debugger.
  • Addresses an issue that sometimes prevents Microsoft Edge extension scripts from appearing in Microsoft Edge DevTools.

Via WindowsLatest it has now become apparent that Microsoft has added a Known Issue to the KB article KB4462933:

Developer Tools (F12) may fail to start in Microsoft Edge.

If someone really uses the Edge DevTools, Microsoft suggests deleting the following files with administrative permissions as a workaround.

Using Administrator permissions, delete the following files and restart Developer Tools:

On an x64 machine: C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64

On an x86 machine: C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_32

Microsoft is working on a resolution and will provide an update in an upcoming release.

SqlConnection can throw an exception

Microsoft describes a second SQL Connection error that may occur in conjunction with a .NET framework update. Microsoft describes the error as follows:

After you install the August Preview of Quality Rollup or September 11, 2018 .NET Framework update, instantiation of SqlConnection can throw an exception. For more information about this issue, see the following article in the Microsoft Knowledge Base:

4470809 SqlConnection instantiation exception on .NET 4.6 and later after August-September 2018 .NET Framework updates

Microsoft is working on a resolution and will provide an update in an upcoming release.

Similar articles:
Windows 10 V1803: Update KB4462933 (10/24/2018)
Microsoft Security Update Summary October 9, 2018
Patchday Windows 10-Updates (October 9, 2018)

Windows 10 Insider Preview Build 18277 released


Microsoft has released the Windows 10 Insider Preview Build 18277 in the Fast Ring. It is the 19H1 development branch, which will be released in spring 2019. Windows 10 Insider Preview Build 18272 has been announced within the Windows Blog, where you may read further details.


Windows 10 Activation issue fixed


[German]It seems Microsoft has fixed its Windows 10 activation problem, which has been affecting numerous Windows 10 users around the world. I reported that incident yesterday.

Within my article Windows activation server currently down? (11/8/2018) I reported several cases where affected users contacted me. Some users at reddit.com and on Twitter also claimed a lost Windows 10 activation.

German blog reader Fabian G. (thanks for that) sent me the following additional information:

just read your article and other articles about this problem and wanted to make sure what it looks like for me to downgrade from Pro to Home because I didn’t get a message. So I looked into the system and it said “Pro” (didn’t look at the activation). But when I closed the system window, I got the message: “Windows is not activated”. It’s funny how long an activation lasts – not at all. When calling “System” the status of the activation is tested – for whatever reason – but a system that has been activated for years is probably not activated as soon as the servers fail. So much for ” … the activation will be stored in the Microsoft account in order to …” That was a sentence with X … Digital Life … Digital Disaster …

Most of the time it was noticed that an installed Windows 10 Pro was suddenly downgraded to a Windows 10 Home – and the activation troubleshooter no longer went through. Blog reader Fabian G. told me the following in a second mail:

there is probably another kind of “downgrading” … Windows 10 Pro is made into a Pro N for once. Looks to me somehow after a hack of the data base … there probably someone has donated chaos. Only to hope that Windows does not stop its service.

Windows 10 N reported

The above screenshot also indicates that the troubleshooting to solve the lost activation was not successful. Microsoft ‘recommends’ to buy an ‘original copy of Windows’ in the store – also a (costly) solution. 

The error was confirmed by Microsoft

After the error was reported here in the blog and on numerous websites, Microsoft confirmed the error in the Answers forum:

Contacted Live Agent Chat, and here is the response given

Thank you for sharing, Daniel. Microsoft has just released an Emerging issue announcement about current activation issue related to Pro edition recently. This happens in Japan, Korea, American and many other countries. I am very sorry to inform you that there is a temporary issue with Microsoft’s activation server at the moment and some customers might experience this issue where Windows is displayed as not activated.

Our engineers are working tirelessly to resolve this issue and it is expected to be corrected within one to two business days, Daniel.

Hopefully it’ll get fix soonest possible

And a Microsoft employee PaulSey… (the forum owner) then pushed a more detailed explanation after:

We are aware of reports that some customers’ Windows 10 Pro and Windows 10 Enterprise machines are not recognizing their licenses as activated. Users may receive the following notification: “Error: you are running Windows 10 Pro, but you have valid digital license for Windows 10 Home,” or one of the following error codes 0X803F8001, 0xC004C003.

We are actively working to resolve this within 24 hours. You can still use your PC; however, the watermark will appear until activation is restored. Thank you for your patience.

We will update this post with additional information as needed and once activations are restored.

Paul…

The announcement that it would take up to 24 hours to fix the whole thing points to a bigger problem. However, Windows 10 users can usually continue to work. The only stupid thing is when a Windows 10 Pro is downgraded to Home or the N version, because then some functions are lost. 

The activation issue seems to be fixed

I have now received some comments that the activation error was fixed a few minutes ago – and the systems are activated again. The following tweet of a Windows 10 user also confirms this.

If the activation does not recover automatically, simply go to the settings page, then switch to Update & Security and select the Activation category. There you will find options to start the activation troubleshooter manually.

I have not yet read an official confirmation from Microsoft that the problem has been fixed. In the MS Answers forum thread, however, confirmations now appear that Windows is reactivated. Many websites, such as askwoody.com, also confirm that Windows 10 can be reactivated. Question to users whose activation has disappeared: Can Windows 10 be reactivated?

Windows 10 V1809: Re-release on Nov. 13/14, 2018?


[German]At the moment there are rumors and hints that Microsoft is preparing the renewed release of the Windows 10 October 2018 Update (Version 1809) for the coming days. 

After Microsoft stopped the October 2018 update (Windows 10 V1809) following the first release on October 2, 2018, everyone waited the whole of October for the new release. As is known, this did not take place – and now the expectations of the media focus on a release of the October 2018 update in November. 

Will Windows 10 V1809 arrive at patchday?

Next Tuesday we have Patchday (2nd Tuesday of the month). But Patchday falls on November 13th, which might be a bad omen for devout administrators. Therefore, November 14, 2018 could be the release date. 

The operators of the Russian site adguard report in the above tweet that Microsoft is preparing a new release of Windows 10 V1803. A release date of November 13, 2018 is expected. Until November 13, it is possible that the file “mediacreationtool1809oct.exe” (download here) will be replaced by a newer version.

(Windows 10 V1809 download from Adguard)

At least the Adguard website is already prepared for Windows 10 V1809. If you select “Windows (Final)” as the type in the form fields, version 1809, but with an old build, is already listed.

Patchday Windows 10-Updates (November 13, 2018)


[German]As of November 13 (second Tuesday of the month, Patchday at Microsoft), several cumulative updates have been released for the supported Windows 10 builds.

For a list of updates, visit this Microsoft Web page, which should also be consulted in case of doubt. Note that all cumulative updates require the newest Servicing Stack Update (SSU) to be installed first.

Updates for Windows 10 Version 1809

The following updates are available for Windows 10 October 2018 Update (version 1809) (for the Windows 10 October 2018 Update that was released again yesterday).

  • Cumulative update KB4464455 for Windows 10 Version 1809 raises the OS build to 17763.107 and contains quality improvements and fixes.
  • Cumulative update KB4467708 for Windows 10 Version 1809 raises the OS build to 17763.134 and contains more quality improvements and fixes.
  • Update KB4465664 (SSU) for Windows 10 Version 1809

Updates for Windows 10 Version 1803

The following updates are available for Windows 10 April Update (version 1803).

  • Cumulative update KB4467702 for Windows 10 Version 1803 raises the OS build to 17134.407 and contains quality improvements and fixes. It’s also available for Microsoft HoloLens (OS Build 17134.407).
  • Update KB4465663 (SSU) for Windows 10 Version 1803

Updates for Windows 10 Version 1709

The following updates are available for Windows 10 Fall Creators Update (version 1709).

  • Cumulative update KB44467686 for Windows 10 Version 1709 raises the OS build to 16299.785 and contains quality improvements and fixes. It’s also available for Microsoft HoloLens (OS Build 17134.407).
  • Update KB4465661 (SSU) for Windows 10 Version 1709

Updates for Windows 10 Version 1703

Windows 10, version 1703, has reached the end of support on October 8, 2018. Devices running Windows 10 Home, Pro, Pro for Workstation and IoT Core will no longer receive monthly security and quality updates. Only Windows 10 Enterprise and Windows 10 Education will receive additional updates for one year. The following updates are available for these editions of the Windows 10 Creators Update (version 1703).

  • Cumulative update KB4467696 for Windows 10 Version 1703 raises the OS build to 15063.1446 and contains quality improvements and fixes. It’s also available for Microsoft HoloLens (OS Build 17134.407).
  • Update KB4465660 (SSU) for Windows 10 Version 1703

Updates for Windows 10 Version 1507 to 1607

Various updates are available for Windows 10 RTM and Windows 10 Anniversary Update (version 1607). Here is a short overview.

  • Windows 10 Version 1607: Update KB4467691 is only available for Enterprise and Education and Windows Server 2016. The update raises the OS build to 14393.2608. The fixes mentioned in the KB article are included.
  • Windows 10 Version 1507: Update KB4467680 is available for the RTM version (LTSC). The update raises the OS build to 10240.18036.

There was no update for Windows 10 V1511, because this version was dropped from support. Details about the above updates can be found in the respective Microsoft KB articles in case of doubt.

Similar articles:
Adobe Flash Player: Update Version 31.0.0.148
Microsoft Security Update Summary for November 13, 2018
Patchday: Updates for Windows 7/8.1/Server Nov. 13, 2018
Patchday Windows 10-Updates (November 13, 2018)

Windows 10 V1807: Media Feature Pack re-released


Short info for users of Windows 10 October 2018 Update N variants. Now that Microsoft has released Windows 10 V1809 again, the Media Feature Pack for this version is also available again. Details can be found in the blog post Media Feature Pack for Windows 10 N Version 1809.

Windows 10 Insider Preview Build 18282 released


[German]Microsoft has released the Windows 10 Insider Preview Build 18282 in Fast Ring. This is the 19H1 development branch, which will be released in spring 2019.

The announcement of the Windows 10 Insider Preview Build 18272 was made by Dona Sarkar on Twitter and within the Windows Blog.

What Microsoft highlights is a Light Theme for Windows – as shown in the following screenshot.

Windows 10 Light Theme
(Source: Microsoft)

Let’s say it’s nice that a few young designers may experiment with such features. But the Dark mode doesn’t work properly in Windows 10 V1809 (Control Panel just shows a black title bar, for instance). With that in view, we should ask: ‘Is that a first-priority thing we need for business use?’

Update may be paused for 7 days

It took a lot of pressure from the users and the disaster with the Windows 10 V1809 until Redmond moved a bit. In the new build there is now an option in the settings page for updates to suspend updates for 7 days. 

Showing the updated Windows Update Settings page. The subpage links are now buttons instead of hyperlinks, and have icons next to them.
(Source: Microsoft)

Richard Hayes writes on Twitter that this option should also be available for Windows 10 Home – I don’t believe it until the build is rolled out as a final. 

Otherwise, there are a number of smaller improvements such as in the brightness control when switching between battery and mains operation. Details can be found in the Microsoft blog post.
