lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 20 Oct 2016 14:27:53 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Subject: Defense in depth -- the Microsoft way (part 44): complete failure of Windows Update

Hi @ll,

since more than a year now, Windows Update fails (not only, but most
notably) on FRESH installations of Windows 7/8/8.1 (especially their
32-bit editions), which then get NO security updates at all [°]!

One of the many possible causes: Windows Update Client runs out of
(virtual) memory during the search for updates and yields 0x8007000E
alias E_OUTOFMEMORY ['].

According to <https://support.microsoft.com/en-us/kb/3050265>

| This update addresses an issue in which Windows Update scans can
| fail and generate a 0x8007000E error.

and <https://support.microsoft.com/en-us/kb/3161647>

| Fix for a Windows Update error 0x8007000E on some computers while
| they are updating.

this has been fixed in recent versions of the Windows Update Client.

BUT: Windows Update does NOT get/fetch this updated Windows Update
     Client and is stuck!

The first action Windows Update Client performs when it contacts the
update servers (which happens as soon as an internet connection is
available, see <https://support.microsoft.com/en-us/kb/931275>) is to
update itself ... on Windows 7 to version 7.6.7600.320, which is but
COMPLETELY outdated [²]!

Despite the completely outdated version distributed for self-update via
Windows Update, the Windows Update Client makes no further attempts to
update itself; see the following lines from C:\Windows\WindowsUpdate.log:

| 2016-10-06 22:23:01:815  860 dec Agent *************
| 2016-10-06 22:23:01:815  860 dec Agent ** START **  Agent: Finding updates [CallerId = AutomaticUpdates]
| 2016-10-06 22:23:01:815  860 dec Agent *********
| 2016-10-06 22:23:01:815  860 dec Agent   * Online = Yes; Ignore download priority = No
| 2016-10-06 22:23:01:815  860 dec Agent   * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and
DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and
DeploymentAction='Uninstallation' and RebootRequired=1"
| 2016-10-06 22:23:01:815  860 dec Agent   * ServiceID = {9482F4B4-E343-43B6-B170-9A65BC822C77} Windows Update
| 2016-10-06 22:23:01:815  860 dec Agent   * Search Scope = {Machine}
| 2016-10-06 22:23:01:815  860 dec Setup Checking for agent SelfUpdate
| 2016-10-06 22:23:01:815  860 dec Setup Client version: Core: 7.6.7600.320  Aux: 7.6.7600.320
...
| 2016-10-06 22:23:05:184  860 dec Setup SelfUpdate handler update NOT required: Current version: 7.6.7600.320, required version:
7.6.7600.320


See <http://home.arcor.de/skanthak/slipstream.html> for instructions
for a fix and some more information!


stay tuned
Stefan Kanthak


[°] since this happens during the search for updates these searches
    NEVER finish. As result, Windows Update doesn't notify the user
    that Windows is not up-to-date and misses critical/important
    security updates!

['] when this happens on FRESH installations of Windows 7, manual
    installation of KB3124275 alias MS16-001 (the latest update
    for Internet Explorer 8, which is part of Windows 7) helps.
    This prunes the search tree sufficiently to avoid this error.

[²] the same holds for <https://support.microsoft.com/en-us/kb/949104>,
    titled "How to update the Windows Update Agent to the latest version",
    which too offers version 7.6.7600.320 for Windows 7.
    ARE YOU SERIOUS, MICROSOFT?
    There are at least 10 later versions of the Windows Update Client
    for Windows 7: KB3050265, KB3065987, KB3075851, KB3083324, KB3083710,
    KB3102810, KB3112343, KB3135445, KB3138612 and KB3161647 (and even
    more for Windows 8/8.1)!

Powered by blists - more mailing lists