system files

Winsage
November 8, 2024
Microsoft released the Windows 11 24H2 update on October 1, 2023, which includes enhancements like an upgraded Copilot AI and a refreshed File Explorer. However, the update has several bugs, leading Microsoft to temporarily halt its rollout for certain problematic PCs. Key issues include:
1. The System File Checker (SFC) is caught in a loop of false positives, misidentifying WebView2-related files as corrupted.
2. An 8.63GB update cache cannot be deleted through standard methods, but can be removed using "Windows Update Cleanup."
3. The update conflicts with Easy Anti-Cheat software, causing blue screens for users with Intel's Alder Lake+ processors.
4. Blue screens can also occur due to driver incompatibilities with Intel Smart Sound Technology, certain Western Digital SSDs, and MSI Z890 motherboards.
5. The mouse pointer may disappear in Chromium-based applications when interacting with text input fields.
6. Users have reported erratic internet connectivity, with some unable to receive a valid IP address.
7. Fingerprint sensors may become unresponsive on some devices.
8. The clipboard history feature may malfunction, showing as empty despite copied items.
9. Devices may fail to appear in the network list, affecting file and printer sharing.
10. Users of Copilot+ PCs face difficulties with printer setup and usage, particularly with HP, Canon, and Brother printers.
Due to these issues, users are advised to delay installation of the update until fixes are implemented.
Winsage
November 3, 2024
Cyfirma Research has identified a security vulnerability in iTunes for Windows, designated as CVE-2024-44193, which allows attackers to escalate privileges on systems running versions 12.13.2.3 and earlier. This local privilege escalation vulnerability arises from improper permission management related to the AppleMobileDeviceService.exe, enabling attackers to manipulate files in the C:\ProgramData\Apple\Lockdown directory. The exploitation is straightforward, involving tools like NTFS junctions and opportunistic locks to gain elevated access. Organizations are advised to update iTunes to version 12.13.3 or later to mitigate this risk. Although there is no current evidence of active exploitation, the vulnerability poses a significant threat, particularly to sectors reliant on Windows-based systems, such as media, education, government, and corporate environments.
Winsage
November 3, 2024
Users of Windows 11 may experience performance issues that indicate a need for reinstallation. Key indicators include:
1. Significant performance drops due to accumulated applications, storage issues, or malware.
2. Frequent crashes and freezes that persist despite troubleshooting.
3. Regular system errors suggesting instability.
4. Corrupted system files identified by tools like System File Checker (SFC) or DISM.
5. New hardware installations that require a clean installation for optimal compatibility.
6. Startup issues that do not improve with disabling startup programs.
7. Malware infections that may necessitate a complete reinstallation.
8. System instability after major changes like new drivers or modifications.
9. Failed troubleshooting attempts that consume more time than productive use of the system.
Reinstallation methods include:
- Using Windows Update to reinstall while preserving files, settings, and applications.
- Resetting the PC to keep files while removing apps and settings.
- Removing everything for a clean installation, requiring restoration of files and reinstallation of applications.
For severe issues, creating a bootable USB may be necessary.
Winsage
October 28, 2024
Recent findings have identified a vulnerability in fully patched Windows 11 systems that allows attackers to install custom rootkits, which can bypass endpoint security and maintain persistence on compromised systems. This vulnerability is linked to a downgrade attack technique demonstrated by SafeBreach researcher Alon Leviev at Black Hat USA 2024, using an exploit tool called Windows Downdate. This tool enables an attacker with administrative access to manipulate the Windows Update process, reverting patched components to vulnerable states. Leviev's demonstration showed that even systems using virtualization-based security (VBS) are at risk, as he could downgrade VBS features and expose previously fixed privilege escalation vulnerabilities. Microsoft has patched two vulnerabilities (CVE-2024-21302 and CVE-2024-38202) but has not addressed the core issue of the downgrade capability. Microsoft maintains that the ability for an admin-level user to gain kernel code execution does not cross a security boundary. Leviev released details of a new downgrade attack on October 26, using the Windows Downdate tool to revive a driver signature enforcement bypass attack. He categorized this flaw as False File Immutability (FFI), exploiting incorrect assumptions about file immutability. He noted that downgrading specific OS modules, like CI.dll, allows exploitation even with VBS enabled. Tim Peck from Securonix highlighted that the attacks exploit Windows' failure to validate DLL version numbers properly, enabling the use of outdated, vulnerable files. Microsoft is actively developing mitigations against these risks, including a security update to revoke outdated VBS system files, although specific measures and timelines are not yet disclosed.
Winsage
October 28, 2024
Microsoft's approach to security vulnerabilities has been criticized for not classifying scenarios where an attacker with administrative privileges can execute kernel-level code as critical vulnerabilities. SafeBreach researchers highlighted that this narrow definition leaves systems vulnerable to custom rootkits that can bypass essential security controls. They identified CVE-2024-21302, a privilege escalation vulnerability affecting the Windows virtualization stack, and CVE-2024-38202, which allows attackers to exploit the Windows Update process to disable security features like Driver Signature Enforcement and virtualization-based security. Microsoft is actively developing mitigations for these vulnerabilities and has released a security update for CVE-2024-38202 on October 15, with further updates planned for CVE-2024-21302.
Winsage
October 28, 2024
Cybersecurity experts have discovered a method that allows cybercriminals to bypass Windows security features, specifically Driver Signature Enforcement (DSE), enabling the installation of rootkits on fully updated systems. Alon Leviev from SafeBreach reported that the exploit involves downgrading specific Windows kernel components, making Windows 11 devices particularly vulnerable. Despite notifying Microsoft, no fix has been implemented, as the company stated the vulnerability does not breach a “security boundary” since administrator access is required for exploitation. Leviev presented this vulnerability at the Black Hat and DEF CON 2024 conferences, introducing a tool called Windows Downdate that can reactivate previously patched vulnerabilities. He demonstrated downgrading components on Windows 11 to bypass DSE and install rootkits that disable security software. A key part of his attack involved replacing the ci.dll file with an unpatched version, which requires a system restart and disguises the action as a routine update. Leviev also showed methods to disable Virtualization-Based Security (VBS) by modifying settings and files. Microsoft is working on a solution to block outdated system files and prevent downgrade attacks, but the timeline for this fix is uncertain due to the need for thorough testing. Leviev advises organizations to remain vigilant against downgrade attacks until a resolution is available.
Winsage
October 18, 2024
On May 18, 2024, Kaspersky’s Global Research & Analysis Team conducted the qualifying round of the SAS Capture the Flag (CTF) competition, which involved over 800 teams addressing cybersecurity challenges. One significant challenge highlighted a security vulnerability in Windows 7 and Windows Server 2008 R2 systems, allowing kernel shellcode to be concealed in the system registry and executed during boot. This vulnerability is linked to an incomplete fix for CVE-2010-4398. Despite the end of security updates for Windows 7 in early 2020, the flaw was known to be only partially addressed, with exploitation evidence dating back to 2018. The vulnerability affects Windows operating systems from NT 4.0 through Windows 7, allowing kernel shellcode to persist and execute at boot. Attackers exploit it through stack buffer overflows in the "dxgmms1.sys" and "dxgkrnl.sys" drivers using the RtlQueryRegistryValues function. In the CTF challenge, participants analyzed registry hives to identify a crash source, set up debugging for blue screen events, and examined a keylogger payload. The final competition of the SAS CTF will take place in Bali from October 22-25, 2024.
Winsage
October 17, 2024
Microsoft has released the 2024 update for Windows 11, known as Windows 11 24H2, which includes enhancements to Copilot AI, a refreshed File Explorer, and performance improvements. Users can access the update through Windows Update or Microsoft's Download Windows 11 page. However, the update has several bugs, including:
1. System File Checker Bug: The SFC tool shows false positives for corrupted files related to WebView2.
2. Cache File Deletion Glitch: An 8.63GB update cache is resistant to deletion, but can be removed using "Windows Update Cleanup" in Disk Cleanup.
3. Conflict with Easy Anti-Cheat: Users may experience blue screens with the Easy Anti-Cheat software, especially on Intel Alder Lake+ devices.
4. Blue Screens from Driver Compatibility: Compatibility issues with Intel Smart Sound Technology drivers and certain Western Digital SSDs can cause blue screens.
5. Disappearing Mouse Pointer: The mouse cursor may vanish in Chromium-based applications when interacting with text fields.
6. Internet Connection Issues: Users may face problems obtaining a valid IP address, despite seemingly functional Ethernet or Wi-Fi connections.
7. Fingerprint Sensor Glitch: Fingerprint sensors may become unresponsive after the update.
8. Broken Clipboard History: The clipboard history feature may appear empty despite items being copied.
Microsoft has acknowledged these and other issues on its Known Issues and Notifications page. Users are advised to consider delaying the update due to these challenges.
Winsage
October 17, 2024
Microsoft has released the 2024 update for Windows 11, known as Windows 11 24H2, which includes enhancements to Copilot AI, a new File Explorer, improved performance, and increased stability. The update is available through Windows Update and Microsoft's Download Windows 11 page. However, it has been reported to contain several bugs, including:
1. The System File Checker (SFC) tool is producing false positives for corrupted files.
2. An 8.63GB update cache is not deletable by standard methods, though it can be removed via "Windows Update Cleanup."
3. A conflict with the Easy Anti-Cheat application may cause blue screens for users with Intel Alder Lake+ processors.
4. Blue screens may also occur due to driver incompatibilities with Intel Smart Sound Technology and specific Western Digital SSDs.
5. A glitch in Chromium-based applications causes the mouse pointer to disappear in text input fields.
6. Users are experiencing erratic internet connections, with the system failing to assign valid IP addresses.
7. Some devices have unresponsive fingerprint sensors after the update.
Microsoft has acknowledged these issues, and users may want to delay the update until these problems are resolved.