Blog

A report of two new vulnerabilities named Meltdown and Spectre was published last Wednesday, January 3, 2018. It is a big deal because they are hardware vulnerabilities affecting pretty much everything with a silicon chip. Yes, this means microprocessors on workstations and servers, mobile phones, tablets, cloud services, and other platforms.

Currently, mitigation and recommended processes are in flux. New information, articles, and white papers have emerged daily over the last week. As you research these concerns, be sure you are referencing reputable sources and the information is up-to-date.

For now, the tricky part is that some of the early updates aimed at mitigating the vulnerabilities have yielded incompatibilities which might leave systems inoperable. (The fix might break things.) Please be cautious. Verify and test updates before installation.

The Vulnerabilities

Both are classified as speculative execution vulnerabilities. If exploited, they allow unauthorized reads of protected areas of memory, which could let an attacker collect sensitive information such as passwords and nonpublic customer information.

  • Meltdown - allows unauthorized access to memory, including protected kernel memory. Affects almost all Intel processors manufactured since 1995 and some ARM processors.
  • Spectre - allows unauthorized access to memory used by other computer processes. Affects almost all processors. It has been verified on Intel, AMD, and ARM processors.

Mitigation

As the IT industry moves to mitigate these vulnerabilities, incompatibilities that can render systems unusable have occurred. It is of utmost importance to verify and test updates before installation. Ensure the following security processes are working effectively within your organization (these are already standard elements of a strong security culture):

  • Installation of security software updates - antivirus software, endpoint security software, etc.
  • Installation of operating system (OS) updates - Microsoft Windows, Linux, macOS, iOS, Android, etc.
  • Installation of web browser updates - Microsoft Edge/Internet Explorer, Google Chrome, Mozilla Firefox, etc.
  • Installation of processor microcode updates - delivered as BIOS/UEFI firmware updates issued by computer system manufacturers - Dell, Lenovo, HP, Apple, etc.
  • Prevention of malicious code execution - website blocking, website ad-blocking, phishing detection, security awareness training for users (how to spot malicious emails, not to click on links in emails), etc.

Exploits of these vulnerabilities are likely to evolve over time, and the controls issued by hardware and software manufacturers will change with them. It will therefore be important to keep installing updates regularly.
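The list above says to verify updates, so here is the check a Windows administrator would run afterwards. This is an added example, not code from the original alert: it reads Microsoft's documented registry locations and then asks the SpeculationControl module (installed separately from the PowerShell Gallery with Install-Module SpeculationControl) what the kernel actually has in effect. The antivirus compatibility flag under QualityCompat is the one Microsoft required before the January 2018 updates were offered; the FeatureSettingsOverride pair is the documented switch for turning the mitigations off.

```powershell
# Added example (not from the original post): report Meltdown/Spectre mitigation
# state on a patched Windows host. Run as Administrator. Assumes the
# SpeculationControl module from the PowerShell Gallery is installed.
#Requires -RunAsAdministrator

$mm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$qc   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$qcId = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # AV-compatibility flag Microsoft required in Jan 2018

# 1. Has an antivirus product (or an admin) set the compatibility flag? Without it,
#    Windows Update withheld the January 2018 security updates.
$compat = (Get-ItemProperty -Path $qc -Name $qcId -ErrorAction SilentlyContinue).$qcId
if ($null -eq $compat) {
    Write-Warning "QualityCompat flag absent: the January 2018 update may not be offered yet."
} else {
    "QualityCompat flag present (value $compat)"
}

# 2. Have the mitigations been explicitly disabled via the override keys?
#    Override = 3 with Mask = 3 turns both the Meltdown and Spectre v2 mitigations off.
$ov = Get-ItemProperty -Path $mm -ErrorAction SilentlyContinue
"FeatureSettingsOverride     = $($ov.FeatureSettingsOverride)"
"FeatureSettingsOverrideMask = $($ov.FeatureSettingsOverrideMask)"
if ($ov.FeatureSettingsOverride -eq 3 -and $ov.FeatureSettingsOverrideMask -eq 3) {
    Write-Warning "Mitigations are disabled by registry override."
}

# 3. Ask the OS what is actually in effect. The module prints its own summary and
#    returns an object; the three fields below are the ones worth alerting on.
Import-Module SpeculationControl -ErrorAction Stop
$s = Get-SpeculationControlSettings
[pscustomobject]@{
    'Spectre v2 (BTI) mitigation enabled'  = $s.BTIWindowsSupportEnabled
    'Meltdown (KVA shadow) required'       = $s.KVAShadowRequired
    'Meltdown (KVA shadow) enabled'        = $s.KVAShadowWindowsSupportEnabled
}
```

A host where KVAShadowRequired is true but KVAShadowWindowsSupportEnabled is false still has the OS update to install or the override to clear; a false BTIWindowsSupportEnabled on Intel hardware usually means the microcode (BIOS) update in the list above is still missing.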

 

Additional information provided by the researchers who discovered both vulnerabilities can be found at https://meltdownattack.com/.

Tags: IT Security Alerts, Alert, Vulnerability

 

I was working with a customer who uses QuickBooks, and they stopped being able to view PDFs saved in QuickBooks. I tried a few things and even got QuickBooks support on the line to help troubleshoot. They were unable to resolve the issue, but the rep did give me a link to a KB. The link stated that Adobe Reader DC was not supported by QuickBooks and recommended going to Adobe Reader 11.

When QuickBooks does not find a compatible PDF reader, it defaults to IE, and IE sees the \\ as a URL and tries to open a nonexistent site. So the solution is to downgrade to Adobe Reader 11. Then you have to make sure that the file you open in QuickBooks is not still pulling the UNC name. You can check this by pressing F2 and looking at the "Location"; it should not start with \\. If it does, close out of QuickBooks and map a network drive to the shared folder where the QuickBooks files reside (e.g. \\DC1\QBData). Reopen QuickBooks and open the file from the mapped drive you just created. When you press F2 now, the "Location" should say N:\DC1\QBData (or whatever your mapped drive is).

Here is a link to a KB providing a step by step - https://community.intuit.com/articles/1437250

 

 

Tags: Networking, QuickBooks, Adobe Reader

 

I was investigating a problem with Windows Updates on a laptop with a lot of software on it from a previous user. The updates having problems were the Windows 7 Monthly Cumulative Security patches.

Windows Update would download the patch, install the patch, and then ask to reboot Windows to complete the install. Once the PC rebooted, the screen would show that Windows was installing updates and sit there at 32%. The system would eventually reboot itself and change the status to "Failure Configuring Windows Updates. Reverting Changes. Do Not Turn Off Your Computer." This whole process would take anywhere between 60 and 90 minutes before changes were reverted and I could get back into the system.

Through a remote console, I connected to the system and wrote down what I observed, including the time. What I saw were 3 reboots 15 minutes apart with the screen sitting at 32%. The 15-minute interval seemed to be consistent. I also observed that the TrustedInstaller process had high CPU utilization.

From this information, I searched more specifically for the CBS log error "Startup: A possible hang was detected on the last boot. [HRESULT = 0x800705b4 - ERROR_TIMEOUT]". I figured that the 15 minutes might be a timeout period, since it was so consistent.

I came across a single article where someone saw something similar with a Windows 2008 R2 domain controller getting stuck at 42% and had opened a premier case with Microsoft: https://social.technet.microsoft.com/Forums/office/en-US/f8fe7d4c-af64-4e65-a007-1f557518628e/windows-2008-r2-sp1-fails-to-install-on-domain-controller-errortimeout-at-42?forum=winservergen

As a solution, they modified the BlockTimeIncrement registry value in the TrustedInstaller service key, HKLM\System\CurrentControlSet\Services\TrustedInstaller. This appears to be a timeout used for driver enumeration, and by default it is set to 15 minutes. Increasing this value from 0x384 (900 seconds, 15 minutes) to 0x2a30 (10800 seconds, 3 hours) gave it enough time to wait for whichever component was taking longer than 15 minutes, and eventually the update installed successfully.
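The procedure above in script form, as an added example rather than anything from the original post or the forum thread it cites. It confirms the CBS.log signature first, records the current value so it can be restored, and then writes the 3-hour value the post used. That BlockTimeIncrement is a driver-enumeration timeout is the post's reading, not a documented fact, so treat the change as a workaround and revert it once the update is in.

```powershell
# Added example (not part of the original post). Confirm the CBS.log hang/timeout
# signature, then raise the TrustedInstaller BlockTimeIncrement timeout.
# Run as Administrator. Revert to the recorded original once the update installs.
#Requires -RunAsAdministrator

$cbs  = "$env:windir\Logs\CBS\CBS.log"
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\TrustedInstaller'
$name = 'BlockTimeIncrement'

# 1. Does the log show the hang / ERROR_TIMEOUT entries the post describes?
#    Only the last few hits are shown; CBS.log can run to hundreds of megabytes.
Select-String -Path $cbs -Pattern '0x800705b4|ERROR_TIMEOUT|A possible hang was detected' |
    Select-Object -Last 5 |
    ForEach-Object { $_.Line }

# 2. Record the current timeout before touching it. The value is in seconds:
#    0x384 = 900 s = 15 min, which matches the 15-minute reboot interval observed.
$cur = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $cur) {
    "$name is not set (built-in default in effect)"
} else {
    "$name = 0x{0:X} ({0} seconds, {1} minutes)" -f $cur, ($cur / 60)
}

# 3. Raise it to 0x2a30 = 10800 s = 3 hours, then retry the cumulative update.
$new = 0x2a30
Set-ItemProperty -Path $key -Name $name -Value $new -Type DWord
"Set $name to 0x{0:X} ({1} minutes). Original value to restore later: {2}" -f $new, ($new / 60), $cur
```

Restoring is the same Set-ItemProperty call with the recorded original, or Remove-ItemProperty if the value did not exist before.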

 

Tags: Networking, Windows Update

 

I was working with a customer who reported that his Outlook searches for emails from one user only went back about a month. We did some testing and found that when he searched for emails from another person, the results only went back one week. In both searches, I noticed that the number of items found was 250.

250 seemed like a very round number, and it would have been a huge coincidence for searches on two different people to return the same number of results. I did some investigating and found that there is a “feature” in Outlook that limits the search results to increase the speed of searches. Microsoft documentation: https://support.microsoft.com/en-us/help/2185146

The option that limits search results is “Improve search speed by limiting the number of results shown”, and it is enabled by default. In Outlook 2013 and 2016, it limits results to 250 items; in Outlook 2007 and 2010, to 200 items. When the option is unchecked, all items found are returned. Also, if you click “More” at the end of the search results, this setting is ignored, as the “More” button searches on the server and will only return the limited result set.

Tags: Networking, Outlook

 

I was working with a customer for whom SEP (Symantec Endpoint Protection) flagged malware on a week-old PC. Upon investigation, I found that the malware was named MicTray64. A quick bit of research showed this to be a keylogger. So we took care of it and changed her passwords. The customer inquired where the malware had come from.

I investigated a little further, and that's when I discovered that HP has been shipping PCs with a keylogger preinstalled in their Conexant audio drivers. The keylogger is part of a service called MicTray64 that is meant to watch for keyboard shortcuts controlling the microphone. It launches at logon, records every keystroke, and saves them to the log C:\Users\Public\MicTray.log, so anyone on that PC has access to the log.

Supposedly the log is deleted when the user logs off, but while it exists it can be easily accessed, and it stores everything typed, including credentials, in plain text.

The issue originated because a debugging feature used for testing should have been disabled prior to deployment, but that obviously didn't happen. The issue has been found to go back as far as 2015.

To resolve this, the user needs the most up-to-date driver, which HP released on May 24, 2017. Any driver version prior to this (8.65.186.53 Rev.A) may contain the keylogging feature.
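For anyone with a fleet of HP machines, the question is not just whether the driver is current but whether the log ever existed and who could read it. The following is an added example, not HP's code or the original post's: it checks the artifacts named above (the Public log file and the MicTray64 process) and the autostart entries. The Run-key locations are an assumption about how the service was launched; the file and process names are the ones the post gives.

```powershell
# Added example (not HP's or the original post's code): look for Conexant MicTray
# keylogger artifacts on a Windows PC. Read-only apart from the commented-out
# log removal at the end. Run as Administrator so process modules are readable.

$log      = 'C:\Users\Public\MicTray.log'   # path named in the post
$findings = @()

# 1. Is the log present, and how big is it? Anything non-empty has captured keystrokes.
if (Test-Path -LiteralPath $log) {
    $f = Get-Item -LiteralPath $log
    $findings += "Log present: $($f.FullName), $($f.Length) bytes, last written $($f.LastWriteTime)"
    # Who can read it? C:\Users\Public is readable by every local user by default,
    # which is why a plaintext keystroke log there is the whole problem.
    foreach ($ace in (Get-Acl -LiteralPath $log).Access) {
        $findings += "  ACL: $($ace.IdentityReference) -> $($ace.FileSystemRights)"
    }
}

# 2. Is MicTray64 (or the 32-bit MicTray) running, and from which driver build?
Get-Process -Name MicTray64, MicTray -ErrorAction SilentlyContinue | ForEach-Object {
    $ver = $_.MainModule.FileVersionInfo.FileVersion
    $findings += "Running: $($_.Path) (file version $ver)"
}

# 3. Autostart entries that reference MicTray (assumed locations).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($p) {
        $p.PSObject.Properties |
            Where-Object { $_.Value -like '*MicTray*' } |
            ForEach-Object { $findings += "Autostart: $k\$($_.Name) = $($_.Value)" }
    }
}

if ($findings) { $findings } else { 'No MicTray artifacts found.' }

# 4. After the patched driver is installed, remove any leftover log:
# Remove-Item -LiteralPath $log -Force
```

If the log is found, treat every credential typed on that machine since its LastWriteTime window as exposed, as the post did, and reset them.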

 

Tags: Networking, keylogger, HP

 

There were intermittent scan-to-e-mail issues occurring with an HP Color LaserJet CM4540 MFP. Initially, scan jobs of all sizes were having trouble going through. An article suggested updating the firmware on the device. After the firmware was updated, the issues with smaller scan jobs seemed to be corrected, but larger ones were still failing.

When the scan jobs finished scanning the pages, the device would show “SMTP Protocol Error” on the display, and the e-mails would fail to go out. During troubleshooting, the device could scan a 10-page document to e-mail (3 times successfully), but not a 46-page color document (failed 3 times in a row).

I tested raising the Exchange server’s hub transport message size limit from 10 MB to 40 MB. E-mail for the 46-page color scan was sent successfully 4 times with no problems. This proved that the message size was larger than the e-mail size limit configured in Exchange.

If you see the “SMTP Protocol Error” message when trying to scan large documents, chances are the e-mail is over the size limit.
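The Exchange side of the fix, as an added example rather than the original post's commands. It is typed into the Exchange Management Shell and shows the three places a size limit can bite: the organization-wide transport config (the "hub transport settings" of the post), the Receive/Send connectors the scanner's mail passes through, and any per-mailbox limit on the sending account. The 40 MB figure is the one the post used; the mailbox address is a placeholder.

```powershell
# Added example (not from the original post): inspect and raise the Exchange size
# limits that produce "SMTP Protocol Error" on large scan-to-email jobs.
# Run in the Exchange Management Shell. 'scanner@contoso.com' is a placeholder.

# 1. Organization-wide limits (Exchange 2007/2010 default to 10 MB).
Get-TransportConfig | Format-List MaxSendSize, MaxReceiveSize

# 2. Connector limits apply as well; the MFP's mail enters through a Receive connector.
Get-ReceiveConnector | Format-Table Identity, MaxMessageSize -AutoSize
Get-SendConnector    | Format-Table Identity, MaxMessageSize -AutoSize

# 3. Raise the limits consistently. A scanned PDF grows by roughly a third when
#    base64-encoded in the message, so a 30 MB scan needs about a 40 MB limit.
Set-TransportConfig -MaxSendSize 40MB -MaxReceiveSize 40MB
Get-ReceiveConnector | Set-ReceiveConnector -MaxMessageSize 40MB
Get-SendConnector    | Set-SendConnector    -MaxMessageSize 40MB

# 4. If the scanner authenticates as a mailbox-enabled account, a per-mailbox
#    limit (when set) overrides the org limit; "unlimited" here means inherit.
Get-Mailbox -Identity 'scanner@contoso.com' | Format-List MaxSendSize, MaxReceiveSize
```

The most restrictive of these values wins, so after the change re-run the Get- cmdlets and confirm none of them is still at the old 10 MB before re-testing the 46-page scan.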

Tags: Networking, multifunction, HP, SMTP

 
 

Recently, I deployed a new vCenter appliance (VCSA), version 6.5, with an external Platform Services Controller (PSC) appliance. VMware has made the deployment considerably simpler than it was with their first few appliance releases. Instead of having to import an OVA/OVF and do a lot of the configuring yourself, VMware has made an EXE available that handles most of those steps automatically. Simply step through the wizard, providing information such as “what host to deploy the appliance to” and “what deployment model would you like” (external or internal PSC), and the wizard will deploy and configure the appropriate OVA templates.

Unfortunately, the first time that I ran through this wizard, it hung around two-thirds the way through indefinitely. I even left it running overnight and it never completed. Looking through the deployment logs, it turns out that the deployment failed due to licensing issues.

debug: initiateFileTransferFromGuest error: ServerFaultCode: Current license or ESXi version prohibits execution of the requested operation.
debug: Failed to get fileTransferInfo:ServerFaultCode: Current license or ESXi version prohibits execution of the requested operation.
debug: Failed to get url of file in guest vm:ServerFaultCode: Current license or ESXi version prohibits execution of the requested operation. 

Granted, these hosts hadn’t been licensed yet; I had just upgraded them from 6.0 and had assumed the evaluation license was in effect. Apparently not. I installed the full license and tried the deployment once more. Sure enough, that did it.

Moral of the story: if you don’t license your hosts for vCenter (i.e., if you are using the free Hypervisor license), you will not be able to deploy the vCenter appliance.

Tags: Networking, VMware, vCenter

 

I have had the issue of Windows Explorer crashing several times a day. All Explorer windows, the desktop, and the taskbar disappear, then the desktop and taskbar reappear after a few seconds.

I did not nail down the specific culprit, but I used ShellExView (www.nirsoft.net/utils/shexview.html) to disable all non-Microsoft shell extensions. That made a significant difference, and I haven't had Explorer crash in the last few days. Of course, it could be a combination of shell extensions, which would make it harder to identify. In the meantime, I will re-enable an extension as I miss it and see if it destabilizes Windows Explorer again.

Tags: Networking, Windows

 

There are power management settings that should be checked when running ESX on HP ProLiant G6 and above or Dell PowerEdge 11th and 12th Generation servers. See the VMware article for details: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1018206

The ProLiant G8 I examined, which was having performance issues, was set in the BIOS to use "HP Dynamic Power Savings Mode" instead of "HP Static High Performance Mode". This can have an impact on virtual machines' ability to utilize the CPU of the host. The setting can be changed through iLO without the need to get into the BIOS directly. Changing it this way does not require a reboot of the ESX host, which is even better.
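Since the iLO change takes effect without a reboot, it is worth confirming from the hypervisor side that it did. This is an added PowerCLI example, not from the original post or the VMware article: it reads the CPU power management information ESXi reports for the host (what the firmware exposes and which policy is current) and lists the ESXi-side power policies, so the BIOS mode and the ESXi policy can be checked together. Host and vCenter names are placeholders; the policy key numbers are the vSphere API's.

```powershell
# Added example (not part of the original post): show the CPU power management
# state ESXi sees for a host, to confirm a BIOS/iLO power-profile change took effect.
# Requires VMware PowerCLI. Server and host names are placeholders.

Connect-VIServer -Server 'vcenter.example.com' | Out-Null

foreach ($vmhost in Get-VMHost -Name 'esx01.example.com') {
    $hv = $vmhost | Get-View
    $pm = $hv.Hardware.CpuPowerManagementInfo

    # HardwareSupport describes what the firmware lets the hypervisor control;
    # with a static high-performance BIOS profile the BIOS keeps the clocks pinned
    # and ESXi has little or nothing to manage.
    [pscustomobject]@{
        Host            = $vmhost.Name
        Vendor          = $hv.Hardware.SystemInfo.Vendor
        Model           = $hv.Hardware.SystemInfo.Model
        HardwareSupport = $pm.HardwareSupport
        CurrentPolicy   = $pm.CurrentPolicy
    }

    # The ESXi-side policy (Balanced by default). API keys: 1 = High performance,
    # 2 = Balanced, 3 = Low power, 4 = Custom.
    $ps = Get-View -Id $hv.ConfigManager.PowerSystem
    "Current ESXi power policy: $($ps.Info.CurrentPolicy.ShortName)"
    $ps.Capability.AvailablePolicy | Format-Table Key, ShortName, Name -AutoSize

    # Uncomment to set the ESXi policy to High performance as well:
    # $ps.ConfigurePowerPolicy(1)
}
```

Re-run the read-only part after making the iLO change; if HardwareSupport and CurrentPolicy do not move, the BIOS profile is still controlling the CPU and the VMs will keep seeing the throttled clocks.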

Tags: Networking, HP, VMware, ProLiant