Category: Technical

Microsoft urges customers to uninstall ‘Blue Screen of Death’ update

Posted on by Mark Pace

One of last week’s security updates has bricked an unknown number of PCs

Microsoft on Friday quietly recommended that customers uninstall one of last week’s security updates after users reported that it crippled their computers with the infamous “Blue Screen of Death” (BSOD).

The update, identified as MS14-045 in Microsoft’s numbering, was one of nine released on “Patch Tuesday,” Aug. 12, was designed to fix three separate flaws, including one related to a font vulnerability and another in the Windows kernel, the heart of the operating system.

Within hours of its release, however, users reported that MS14-045 had generated a Stop 0x50 error on some systems, mostly on Windows 7 PCs running the 64-bit version of the OS.

“Installation went smoothly. After rebooting everything worked fine. But when I shut down my notebook and switched it on a little later it came up with a blue screen with a Stop 0x50 in Win32k.sys. I could not even boot into safe mode as Windows failed to start no matter which mode chose,” wrote a user identified as “xformer” to start a now-long thread on Microsoft’s support discussion forum.

As of Sunday, the thread contained nearly 380 messages and had been viewed almost 50,000 times. The latter is a large number even for Microsoft’s support forum, and hints at the scope of the problem.

Others on that same discussion thread pointed to different updates issued the same day that caused identical problems, including one meant to support the Russian ruble symbol.

Some customers were able to regain control of their PCs by using System Restore to return the machine to a previous date, but only after they’d booted the computer using original install media.

In the updated MS14-045 and other supporting documents, Microsoft said it had removed the patches from its Download Center. As of Saturday, however, the flawed update was still being pushed by Windows Update, Microsoft’s service for delivering patches to PCs.

“Microsoft is investigating behavior associated with the installation of this update, and will update this bulletin when more information becomes available,” the company said in the revised MS14-045’s Update FAQ. “Microsoft recommends that customers uninstall this update. As an added precaution, Microsoft has removed the download links to the 2982791 security update.”

Microsoft’s advice, however, may not be of any help to those already afflicted. It told users, for example, to boot using Safe Mode, which many on the support thread said didn’t work.

Not every PC that installed MS14-045 or the other suspect patches reported problems. Several IT administrators posted messages on Patchmanagement.org, a mailing list dedicated to the subject, that said they had successfully updated hundreds of client systems and servers.

Last week’s patch problem was not Microsoft’s first by any means.

In April 2013, Microsoft urged Windows 7 users to uninstall an update that had generated BSOD screens. And last August and September Microsoft had such a run of problems with updates for its Office suite that experts called it a “worrisome” sign of declining update quality.

In October 2013, Microsoft yanked a Windows 8.1 RT update from the Windows Store after some tablet owners reported their devices had been crippled.

VSS Warnings in the Application Event Log of SBS 2011 Standard – Event ID 8230

Posted on by Mark Pace

Collapse imageSYMPTOMS

On Small Business Server 2011 Standard, you may see warnings in the application event log similar to the following:

Log Name:      Application
Source:        VSS
Date:          4/11/2011 9:48:48 AM
Event ID:      8230
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      CONTOSOSERVER.contoso.local
Description:
Volume Shadow Copy Service error: Failed resolving account spsearch with status 1376. Check connection to domain controller and VssAccessControl registry key.

The warnings may also reference the spfarm account.

Collapse imageCAUSE

SBS 2011 Standard Edition installs Sharepoint 2010 Foundation in SharePoint farm mode. The accounts SPfarm and SPsearch are used as service accounts for some of the Sharepoint services. In order to be able to utilize the VSS writers, the accounts must be granted access to VSS. The accounts are added by SBS to the vssaccesscontrol registry key but the VSS service fails to locate the accounts. As Microsoft knowledge base article 2483007 suggests you can ignore the warnings. The warnings don’t affect the operation of VSS. If you wish to remove the warnings, you can use the steps in the resolution section.

Collapse imageRESOLUTION

You can use the following steps to workaround the issue.

1. In Active Directory Users and Computers, create a Domain Local Security Group named VSSRegistryGroup

2. Add SPFARM and SPSEARCH accounts to the VSSRegistryGroup Group

3. Run regedit

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

4. Go to hklm\system\currentcontrolset\services\vss\vssaccesscontrol

5. Add Dword value of DOMAIN\vssregistrygroup where domain is the netbios domainname (example: CONTOSO\vssregistrygroup Note: The Domain name must be in all caps) set the value to 1

6. Remove values for domain\spsearch and domain\spfarm

7. Go to hklm\system\currentcontrolset\services\vss\diag

8. Right click on diag and go permissions, click advanced and add VSSRegistrygroup group with Full Control.

9.  Remove spsearch and spfarm accounts from the list of permissions

10. Reboot the server

How to decrypt, unlock and restore Cryptolocker malware for free

Posted on by Mark Pace

Cryptolocker is a particularly nasty type of ransomware that criminals have used to encrypt files on a victim’s computer before demanding a ransom for the encryption key to unlock the files.  Without the key, the encryption renders the victim’s files useless so many people lost files or paid the ransom.

Two security firms, Fireeye and Fox IT have partnered to provide a solution which may help many people. The website Decrypt Cryptolocker can now be used to try and unlock files encrypted by the Cryptolocker malware.

Use of the Decrypt Cryptolocker service is free and simply requires you to upload a sample encrypted file to the website.  If the website is able to decrypt your files, you can then download its recovery program and receive the unlocking master key by email.

Please note that this tool may not be able to decrypt some affected files.

Synology® Continues to Encourage Users to Update – Synolocker attack on NAS

Posted on by Mark Pace

We’d like to provide a brief update regarding the recent ransomware called “SynoLocker,” which is currently affecting certain Synology NAS servers.

We are fully dedicated to investigating this issue and possible solutions. Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. Furthermore, to prevent spread of the issue we have only enabled QuickConnect and Synology DDNS service to secure versions of DSM. At present, we have not observed this vulnerability in DSM 5.0.

For Synology NAS servers running DSM 4.3-3810 or earlier, and if users encounter any of the below symptoms, we recommend they shutdown their system and contact our technical support team here: https://myds.synology.com/support/support_form.php

When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.

  • A process called “synosync” is running in Resource Monitor.
  • DSM 4.3-3810 or earlier is installed, but the system says the latest version is installed at Control Panel > DSM Update.

For users who have not encountered any of the symptoms stated above, we highly recommend downloading and installing DSM 5.0, or any version below:

  • For DSM 4.3, please install DSM 4.3-3827 or later
  • For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later
  • For DSM 4.0, please install DSM 4.0-2259 or later
  • DSM can be updated by going to Control Panel > DSM Update. Users can also manually download and install the latest version from our Download Center here: https://www.synology.com/support/download.
  • If users notice any strange behavior or suspect their Synology NAS server has been affected by the above issue, we encourage them to contact us at security@synology.com.
  • We sincerely apologize for any problems or inconvenience this issue has caused our users. We will keep you updated with the latest information as we address this issue.

eBay confirms security breach, password change recommended: Alert Priority High

Posted on by Mark Pace

eBay has confirmed that an attack on its systems earlier this year compromised a database containing encrypted passwords, customer names, email addresses, physical addresses, phone numbers and date of birth information.

It has stated that the database did not contain any financial information and that it has undertaken testing, finding no evidence of unauthorised activity for eBay users. It added that data stored with PayPal (owned by eBay) such as your credit card information, is encrypted and stored separately on a secure network.

eBay has advised it will begin contacting users to change their passwords.

Regardless of whether you receive notification from eBay, if you use eBay, you should change your password immediately.

If you use the same password to log in on any other website, you should change those as well, choosing something unique and strong.

SBS 2011 Devices or Users cannot relay even after setting anonymous to the connector in Exchange Management

Posted on by Mark Pace

After spending hours trying to rectify our send connector to allow our accounting program to send invoices out, we stumble across an article from Mark Berry at https://www.mcbsys.com.

We had run the Fix My Network Wizard in SBS 2011 and after that Exchange 2010 would not accept email from non authenticated users even if the anonymous was selected.

Can’t Anonymously Send External Email

Once I had made those changes, the accounting system wouldn’t send email external, only internally to our domain/network.

When the application tried to send an email to a recipient outside the network, it failed with a 5.7.1 error:

sterling-it-mail-relay

 

 

 

 

The Persits knowledge base has a helpful article identifying the problem:  it means that “the SMTP server you are using is configured to reject messages sent to outside email addresses and originating from unauthorized IP addresses or users.”

So it’s a separate setting to be able to send mail outside the organization?

Yup, and for some reason it can only be enabled from the Exchange Management Shell, not from the Console. Once I found and executed the command at the bottom of this Petri article, sending mail to external recipients worked as well:

Get-ReceiveConnector "Default SBS" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

Never in a million years would I have figured that one out. Thanks Mr. Petri! (no, thank you Mark Berry for reposting in a clean easy format)

NOTE:  If you need to re-run the Internet connection wizard, it will overwrite most of the above settings, and my mail wasn’t going out. So either don’t run that wizard, or make a note of your Exchange Hub Transport settings first.