Category Archives: Internet Explorer

Patch Tuesday for May 2021

Still waiting for the vaccine? Trying to avoid going outside? Well, luckily for you, there are plenty of indoor tasks you can work on, like Netflix binge-watching, exercise, and installing software updates on your Windows computers.

For May 2021, Microsoft is handing us yet another pile of updates, addressing eighty-eight vulnerabilities (by my count) in .NET, Internet Explorer, Office, Edge, Exchange Server, SharePoint, Visual Studio, Skype, and Windows. My analysis is based on data exported from Microsoft’s Security Update Guide.

As usual, Windows 10 users can delay updates but not indefinitely. Windows 8.1 users who don’t have automatic updates enabled need to go to Windows Update to get the updates. Windows 7 users are mostly out of luck, but should check Windows Update anyway, because Microsoft sometimes makes critical update available for all users, not just business and educational users with deep pockets. If you’re still using Windows XP, there are no more updates, and I hope you know what you’re doing.

Patch Tuesday for March 2021

It’s another Patch Tuesday, usually referred to by Microsoft as ‘Update Tuesday’. Terminology aside, what it means is a big pile of updates that will be foisted upon most Windows users over the next few days.

Those of us sticking with Windows 8.1 can still review the available updates and install them at our leisure, which can be very satisfying when an update that we defer turns out to cause problems. But Microsoft seems to reserve its major screwups to Windows 10 updates these days (incuding this month’s printing crashes, and the fix for those crashes).

If you’re running Windows 10, you can defer updates for as long as a month… unless you’re running any of the Home versions, in which case the updates are as inevitable as taxes.

This month’s updates address several extremely serious security vulnerabilities in Exchange, Microsoft’s email server software, which ordinary folks are very unlikely to be running.

But the parade also includes updates for the usual offenders: Internet Explorer, Microsoft Edge (both the Chromium-based and original versions), Office (Excel, PowerPoint, SharePoint, Visio), Visual Studio, Visual Studio Code, and of course Windows. One hundred and thirty-one vulnerabilities* are addressed in all.

Microsoft’s Security Update Guide is currently the official source for this information. The SUG has undergone some improvements lately, and it’s gradually getting easier to navigate, which is a relief.

If you’re still running Windows 7, today’s festivities are largely meaningless, though Microsoft does occasionally toss a bone in your direction, in the form of a Windows 7 update normally reserved for those deep of pocket. Microsoft will presumably continue to do this when a flaw is serious enough that witholding the fix would create a public relations problem for the company.

The release notes for today’s updates provide additional details, though they are still sadly somewhat incomplete.

* The vulnerability count varies depending on who’s looking. According to the SANS Internet Storm Center, “This month we got patches for 122 vulnerabilities. Of these, 14 are critical, 5 are being exploited and 2 were previously disclosed.” Brian Krebs says “from Microsoft today…the company released software updates to plug more than 82 security flaws in Windows and other supported software. Ten of these earned Microsoft’s “critical” rating”. Clearly Microsoft’s Security Update Guide still needs work.

Patch Tuesday for January 2021

There’s no stopping the juggernaut of monthly updates coming from our pals in Redmond.

This month’s load of updates, based on analysis of the new, ‘improved’ Security Update Guide, shows that we have updates for Edge, Office (2010, 2013, 2016, and 2019), Sharepoint, SQL Server, Visual Studio, Windows (7, 8.1, and 10), and Windows Server (2008, 2012, 2016, and 2019), addressing eighty-three security vulnerabilities in all.

There’s a summary of this month’s updates linked from the SUG, but as usual, it’s bafflingly incomplete.

Windows 8.1 computers can get this month’s updates via Windows Update in the Control Panel. Windows 10 computers will get the updates over the next few days, unless they’ve been configured to delay updates temporarily. Windows 7 users are still basically out of luck.

Flash is DEAD

Adobe’s kill switch for Flash went into effect as scheduled yesterday. Any Flash media you try to view from now on will show a placeholder image, which links to the End Of Life announcement for Flash.

That includes any Flash media you have lying around on your computer. For example, I found the Flash test animation on my main computer and uploaded it to my web server, where until January 12, it worked perfectly. That same Flash animation used to show on the main Flash help page, but of course that page now shows the placeholder as well.

And so ends the long, exasperating, security nightmare that was Flash. Good riddance.

Patch Tuesday for September 2020

This month’s pile from Microsoft includes fixes for vulnerabilities in Internet Explorer (9 and 11), both variants of Edge (Chromium and EdgeHTML), Office (2010, 2013, 2016, and 2019), SharePoint, Visual Studio, Windows (7, 8.1, and 10), and Windows Server (2008, 2012, 2016, 2019).

There are fifty-three security bulletins in all, and fifty-three associated updates. The updates includes fixes for one hundred and twenty vulnerabilities, twenty-one of which have been flagged as having critical severity. All of the critical vulnerabilities involve potential remote code execution.

As usual, the details are available in Microsoft’s Security Update Guide.

You can still get the Windows 7 updates legitimately, but only if you subscribe to Microsoft’s rather expensive Extended Security Updates program.

Windows 10 systems will update themselves automatically, although with newer versions, you have some control over when that happens. With Windows 10, most updates are going to get installed at some point. But delaying them can allow you to avoid updates that cause problems, since Microsoft usually issues fixes for the updates shortly after problems are discovered. But doing that potentially leaves your computer vulnerable in the interim. It’s your call. Adjust the update settings by going to Settings > Update & Security > Advanced options.

For Windows 8.1 users, it’s all about Windows Update. If you’ve configured it to install updates automatically, you’re basically in the same boat as Windows 10 users. Otherwise, locate Windows Update in the Control Panel, and click the Check for updates button.

Don’t bother trying to uninstall Microsoft Edge

If you’re old enough to remember the browser wars of the 1990s, you probably remember that Microsoft got into trouble for pushing their web browser, Internet Explorer, using tactics tied to the dominance of Windows.

Competitors were less than thrilled with Microsoft’s tactics. In 1998, an anti-trust suit was launched by the US Department of Justice against Microsoft, alleging that Microsoft was using unfair tactics, in particular by embedding Internet Explorer into Windows, making it difficult to remove.

Microsoft argued that Internet Explorer was a core part of the operating system, and could not be easily excised from Windows. This didn’t help their case much, as you can imagine.

The court agreed with the DOJ, recommending that Microsoft be broken into two organizations, one for Windows and the other for applications like Internet Explorer. After appeals, the final settlement required Microsoft to share its API (Application Programming Interface) documentation with third party companies. The idea was to remove any head start Microsoft would have in developing changes to its web browser based on technology advancements.

The DOJ did not require Microsoft to change any of its code or prevent Microsoft from tying other software with Windows in the future.

Microsoft’s tactics this time around

Fast forward to today, and Microsoft is again using questionable tactics in its fight for web browser dominance. This time around, with Internet Explorer soon to be discontinued, the browser in question is Edge (the newer, Chromium-based version).

Microsoft recently published a small support article about the new version of Edge, presumably in response to user questions. In part, it states: “The new version of Microsoft Edge is included in a Windows system update, so the option to uninstall it or use the legacy version of Microsoft Edge will no longer be available.”

So, once again, Microsoft is apparently trying to use its dominance in the desktop operating system market to push its web browser on people.

It’s hard to predict whether this tactic will actually help Edge, or whether anyone will care enough to claim antitrust activity again. I like to think people are generally somewhat better informed, and recognize that there are other, better web browsers than Edge.

UPDATE 2020Sep12: Microsoft has revised the wording of the support article about this, but the new version sounds like more of the same weak arguments they used in the 1990s:

Because Windows supports applications that rely on the web platform, our default web browser is an essential component of our operating system and can’t be uninstalled.

Windows users can download and install other browsers and change their default browser at any time.

Giant corporations trying to sound innocent when caught in their shenanigans is just embarassing.

Patch Tuesday for August 2020

If you run Windows 10 and are curious about the updates Microsoft will be jamming down your throat in the next few days; if you run Windows 7 and want to know what you’re missing out on by not being rich enough to afford Microsoft’s Extended Security Updates program; or if you’re running Windows 8.1 and want to know a bit more about the updates you’re about to install, read on.

Analysis of Microsoft’s comprehensive — yet still oddly difficult to navigate — Security Update Guide for this month reveals that there are sixty-five distinct updates and associated bulletins. Actually, since Microsoft is now calling these things ‘articles’, I’ll do the same. So there are sixty-five articles with associated updates, many of which are packaged into bundles: one with all the month’s updates, and one with only security-related updates.

The updates address a total of one hundred and twenty vulnerabilities in the usual lineup of Microsoft software: Windows (10, 8.1, and 7), Office (2010, 2013, 2016, and 2019), Internet Explorer 9 and 11, Edge (the one built on Chromium), .NET, SharePoint, and Visual Studio.

As is usual these days, Windows 10 updates are installed at Microsoft’s whim, Windows 7 updates are out of reach for most folks, and Windows 8.1 updates are installed via Windows Update in the Control Panel.

Patch Tuesday for July 2020

Another month, another load of patches from Microsoft.

This month we have seventy-one bulletins and corresponding updates. One hundred and twenty-six vulnerabilities are addressed in all, affecting .NET, Internet Explorer 9 and 11, Edge, Office, SharePoint, Visual Studio, OneDrive, Skype, Windows, and Windows Defender. Nineteen of the vulnerabilities are flagged as having Critical severity.

As usual, you can find all the details in Microsoft’s Security Update Guide.

Those of you running Windows 10 know the drill: depending on which version of Windows 10 you’re running, you can delay installation of updates for a while, but not indefinitely. On Windows 8.1 computers, Windows Update is still the best way to install updates. Windows 7 users don’t have an official way to obtain updates for that O/S, despite the fact that Microsoft continues to develop them.

Update 2020Jul17: Again with this crap, Microsoft? One of the updates from this batch caused Outlook 2016 to crash on starting for users worldwide. This affected one of my clients, and affected critical business operations. A fix posted by someone other than Microsoft allowed Outlook to run, but killed the ability to print. Linux never looked so good.

You will now use Microsoft Edge!

On a related note, you may have noticed that Microsoft is pushing its new Chromium-based Edge browser to all Windows computers. This is happening not only on Windows 10 computers, but also those running Windows 8.1 and even 7. The new Edge cannot be removed in the usual way once it’s installed. This is causing consternation for many users, as Edge seems to take over once installed, forcing the user to make certain choices before the desktop can even be accessed. Isn’t this the kind of behaviour that got Microsoft in trouble in the 1990s?

The Verge has additional details. In case you were thinking about switching to Edge, you should be aware that a recent study by Yandex ranked Edge last in terms of privacy.

Patch Tuesday for June 2020

It’s another Patch Day, and this month from Microsoft we’ve got thirty-two update bulletins and associated patches. Twenty-one of the bulletins are flagged as having Critical severity. One hundred and twenty-four security vulnerabilities are addressed, affecting Internet Explorer 9 and 11, Adobe Flash embedded in Microsoft browsers, Office applications, Edge (both the original version and the new version based on the Chromium engine), Sharepoint, Visual Studio, Windows 7, 8.1, and 10, and Windows Defender, the anti-malware program included with Windows 10.

You can find all the relevant details by perusing Microsoft’s Security Update Guide.

Although Microsoft produced Windows 7 updates this month, you won’t be able to obtain them through Windows Update unless you’ve subscribed to Microsoft’s Extended Security Updates (ESU) program. Still, you should check Windows Update because occasionally Microsoft makes new Windows 7 updates available to everyone.

Windows 8.1 is still getting updates, and that will continue until January 10, 2023. Windows Update is still the easiest way to check for and install updates for Windows 8.1.

As usual, Windows 10 computers will be force-fed these updates over the next few days. You can delay the inevitable for as much as a year for feature updates (changes other than bug fixes), or a month for bug fixes, but eventually they’ll be installed whether you want them or not. Which still seems crazy, given how many problems Windows 10 updates have caused.

Patch Tuesday for May 2020

We’re in the middle of a pandemic, but that’s no excuse to leave software unpatched. There’s certainly been no reduction in the rate at which vulnerabilities and exploits are being discovered.

This month’s contribution from Microsoft, as documented in the Security Update Guide, consists of thirty-eight updates, with corresponding bulletins, addressing one hundred and eleven vulnerabilities in .NET, Internet Explorer, Edge, Office, Visual Studio, and Windows. Eighteen of the updates are flagged as having Critical severity.

If you’re still using Windows 7, and you haven’t shelled out for Microsoft’s Extended Security Updates, you won’t find any of this month’s Windows 7 updates via Windows Update. You do have at least one other option: an organization called 0patch. These folks provide what they call ‘micropatches’ for known vulnerabilities in no-longer-officially-supported versions of Windows, including Windows 7 and Windows Server 2008. I haven’t tried these myself, but they seem legitimate. Well, presumably not in the view of Microsoft.

Windows 10 users will get the latest updates whether they’re wanted or not, although there are settings that allow you to delay them, for a while. That leaves Windows 8.1, for which Windows Update is still the appropriate tool.

Adobe logoAdobe once again tags along this month, with new versions of Reader and Acrobat. Most people use the free version of Reader, officially known as Acrobat Reader DC. The new version, 2020.009.20063, includes fixes for twenty-four security vulnerabilites in earlier versions.

Patch Tuesday for March 2020

Happy Patch Tuesday! Today’s gifts from the always-generous folks at Microsoft include forty-two updates, addressing one hundred and fifteen security bugs in Internet Explorer (9 and 11), Edge (the original version, not the one built on Chromium), Office (2010, 2016, and 2019), Windows (7, 8.1, and 10), and Windows Server.

You can dig into all the gory details over at the Microsoft Security Update Guide.

Computers running Windows 10 will update themselves at Microsoft’s whim over the coming days.

Windows 8.1 users can still exercise some freedom of choice in deciding when to install updates, but I encourage everyone to install them as soon as possible. Even with Microsoft’s recent bungling, you’re arguably better off with security fixes than without, even if those updates sometimes cause other problems.

To install updates on your Windows 8.1 computer, go to the Windows Control Panel and open Windows Update.

If you’re running Windows 7, you may be surprised to note that some of this month’s updates are available for that no-longer-officially-supported version. That’s because while those updates definitely exist, they’re not technically available to the general public.

To get access to the Windows 7 updates, you need to sign up for Extended Security Updates for Windows 7. This is typically only done by Enterprise users (businesses and educational institutions) who need more time to migrate computers to newer versions of Windows. For regular folks, the cost of ESU seems likely to be prohibitive.

The more adventurous among you might want to experiment with hacks to get around this limitation for Windows 7 updates. Apparently people are finding some success doing this.