Microsoft

Microsoft-specific workarounds and fixes

Microsoft report on the cause of recent cyberattacks

- Posted in Microsoft by

Microsoft has published its findings on the cause of the email-system breach by the Storm-0558 actor, which we covered in our prior post. The report states that the signing key was exfiltrated through a compromised Microsoft engineer's corporate account. That engineer had access to an improperly handled crash dump from a signing server, dated to 2021. The key should never have been in the dump, but a race condition caused the key material to be included in it. At some point between 2021 and the initial attack, the dump was moved from Microsoft's reportedly isolated production network to its internet-connected debugging environment, which is where it was when the compromised account accessed it.

This report should be a wake-up call that the businesses referred to as "Big Tech" are not as secure as they would have us believe. We have heard for years that Microsoft's cloud-based products are completely secure, but we now find that Microsoft is careless with potentially sensitive data. Why would a debugging environment not also be isolated? Why was the source dump not already archived offline? How many other attacks this year, like the Anonymous Sudan attacks in June and July, occurred because of this same kind of oversight? Microsoft has said that the token-validation flaw that allowed the stolen key to be used to forge access tokens has been fixed, but how long until the next oversight occurs?

Our Thoughts

Our assessment of this whole situation is that something needs to change at "Big Tech" firms. Company standard operating procedures appear to be failing because marketers and accountants are running tech firms, where policies and procedures can be, and are, changed so that a task takes less time or costs less money, without taking into account the repercussions of doing so. We have historically loved Microsoft products, but must be mindful before recommending Big Tech cloud products at present because of issues like those described in this article. If Microsoft can clean up its act, we would be first in line to validate the change and start using its cloud products again.

Microsoft update to Defender causes havoc on some applications

- Posted in Microsoft by

Microsoft's recent patch has caused a number of issues with write permissions and file ownership on the OS. In the latest round of updates Microsoft (MS) rightly hardened the OS access permissions and added security features to MS Defender. These features add a second range of options that allows greater control and protection against exploits and vulnerabilities. In addition, MS Remote Desktop has been hardened with the Defender controls to prevent execution of many OS management features: a blessing for the untrained, and a nightmare for the IT professional who had not yet understood the changes, was locked out of all system controls, and had to make a manual visit to the data centre to add the appropriate exclusions.

However, an unintended consequence is that some authorized software, including some MS applications, is no longer allowed to access its own files. In testing we found the following:

  1. Changes to MS desktop files were reverted on reboot
  2. PRTG cannot be updated or uninstalled, as the change reverts on reboot even on the latest PRTG patch
  3. Manual registry edits and folder deletions appear to take effect at the time, but revert on reboot from an MS backup
  4. Driver updates installed from the manufacturer are reverted on reboot
  5. Windows Update breaks on some machines and cannot be fixed

These are just some of the issues encountered, and they appear random per machine and per user. While the computer remains running the changes hold, but they revert on restart. That would suggest a cache is not being updated, but this is not the case: the changes are written at the time of execution and are then reverted from a cached copy.

Tests have been done on 20H2 and earlier, and each user reported different but similar issues that appear to depend on what is being done. Some report that their icons fail; for others, games will not update or install; for others, uninstalls are refused; and others still get Defender execution refusals with the message "your organization has denied the chosen action", despite being the administrator and with no way to change it, because there is no indication of where that authority lies.
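The "your organization has denied the chosen action" message has a traceable source: Defender's attack surface reduction (ASR) rules and controlled folder access both write a block event to the Defender Operational log that names the rule ID, the protected folder and the process involved, which is where the "authority" lies. The script below is an added example, not something from the original post or from Microsoft; it inventories which of those protections are enforced, pulls the recent block events so you can see what denied the action, and, only when run with the assumed -Fix switch, allows the blocked executable and moves the specific ASR rules that fired into audit mode rather than switching the protection off. The PRTG path is an assumed example; run it from an elevated PowerShell session. One caveat: neither ASR nor controlled folder access explains changes that revert on reboot, so if no 1121/1123 events turn up, the cause is elsewhere (AppLocker, WDAC or Group Policy are the next places to look).

```powershell
# Added example (not from the original post): find out which Defender control
# is producing "your organization has denied the chosen action" and add a
# targeted exclusion in audit mode. Run elevated. $BlockedPath is an assumption.
[CmdletBinding()]
param(
    # Full path of the executable being refused (assumed example: PRTG server)
    [string]$BlockedPath = 'C:\Program Files (x86)\PRTG Network Monitor\PRTG Server.exe',
    # Report-only unless -Fix is given
    [switch]$Fix
)

$asrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$cfaStateNames  = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'AuditMode' }

# 1. What is currently enforced on this machine?
$pref = Get-MpPreference
Write-Host "Controlled folder access: $($cfaStateNames[[int]$pref.EnableControlledFolderAccess])"
Write-Host "Protected folders       : $($pref.ControlledFolderAccessProtectedFolders -join ', ')"
Write-Host "Allowed applications    : $($pref.ControlledFolderAccessAllowedApplications -join ', ')"
Write-Host "Path exclusions         : $($pref.ExclusionPath -join ', ')"
Write-Host "`nAttack surface reduction rules:"
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $action = $asrActionNames[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
    Write-Host ("  {0}  {1}" -f $pref.AttackSurfaceReductionRules_Ids[$i], $action)
}

# 2. Which rule or protected folder actually denied the action?
# Defender logs ASR block/audit as events 1121/1122 and controlled folder
# access block/audit as 1123/1124 in its Operational log.
$blockEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122, 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue

$guidPattern = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
$firedRules  = @()
if ($blockEvents) {
    Write-Host "`nRecent Defender block/audit events (newest first):"
    foreach ($ev in $blockEvents) {
        $kind = switch ($ev.Id) { 1121 {'ASR block'} 1122 {'ASR audit'} 1123 {'CFA block'} 1124 {'CFA audit'} }
        # Keep only the lines that identify the rule, process and target
        $summary = ($ev.Message -split "`r?`n" |
                    Where-Object { $_ -match '^\s*(ID|Path|Process Name|Target Commandline):' }) -join ' | '
        Write-Host ("  {0:u}  {1}  {2}" -f $ev.TimeCreated, $kind, $summary)
        # Collect the ASR rule IDs that blocked something
        if ($ev.Id -eq 1121 -and $ev.Message -match $guidPattern) { $firedRules += $Matches[0].ToLower() }
    }
    $firedRules = $firedRules | Select-Object -Unique
} else {
    Write-Host "`nNo ASR/CFA events found; the denial is coming from something other than these Defender controls."
}

# 3. Targeted remediation: allow the one executable and audit (not disable) the
# rules that fired. Nothing is changed unless -Fix is supplied.
if ($Fix) {
    if ([int]$pref.EnableControlledFolderAccess -eq 1) {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $BlockedPath
        Write-Host "Allowed $BlockedPath through controlled folder access."
    }
    foreach ($rule in $firedRules) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $rule -AttackSurfaceReductionRules_Actions AuditMode
        Write-Host "ASR rule $rule set to audit mode; watch for event 1122 to see what it would have blocked."
    }
}
```

Run it once without -Fix to read the report, confirm the event log names the process you expect, then rerun with -Fix. Audit mode keeps the rule reporting (event 1122) while it no longer blocks, which is the safer way to find the right exclusion than turning a rule off outright; once the exclusion is confirmed, switch the rule back to block.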

Currently we are testing the 21H2 update, set to launch in October for everyone, to see if the problem resolves. We will update this post when testing is complete. If you are experiencing issues, you may want to install the update now and see if the problems resolve.

21H2 MS update helper

Update 23 September 2021

The patch release for 21H2 resolves most problems; however, if computers are running services exposed to the internet, some applications need to be reinstalled to resolve the remaining conflicts. As patches are completed, the problems are slowly resolving, so make sure you update your software as soon as the patches are available.