Earlier today, Microsoft released forty-two updates to address fifty-four vulnerabilities in Windows, Internet Explorer, Edge, Flash, and Office software. Fourteen of the vulnerabilities are flagged as critical, and have the potential to be used for remote code execution.
This information was extracted from Microsoft’s Security Update Guide, the rather opaque reservoir into which Microsoft now dumps its update information. Of course Microsoft would be happier if we all just enabled auto-updates, and in fact the monthly patch bulletins are now little more than a link to the SUG and a recommendation to enable auto-updates.
This month’s pile of Microsoft patches includes some that help to mitigate the recently-discovered Spectre and Meltdown vulnerabilities in Windows 7 and 8. Windows 10 machines received these updates last week, as soon as they were made available by Microsoft, because of course there’s no way to stop that from happening. Unfortunately for folks running some older AMD processors, the Spectre/Meltdown updates are causing Windows to crash, and Microsoft has now disabled those updates for affected computers.
It gets worse. Many antivirus products use sketchy techniques for blocking, detecting, and removing malware. Some of those activities are incompatible with this month’s Spectre/Meltdown updates for Windows. Microsoft is currently blocking those updates on computers that are missing a special registry setting: the idea is that anti-malware software will set this flag to indicate that the updates are compatible, and safe to install. On my Windows 8.1 computer, Windows Update initially did not show this month’s security-only (KB4056898) or security rollup (KB4056895) updates. That’s because (gasp) I wasn’t running any anti-malware software. To get the update, I re-enabled Windows Defender, which created the missing registry entry, and re-ran Windows Update.
There’s also a special security advisory in this month’s updates, in which Microsoft lays out the Spectre/Meltdown issue, its effect on Microsoft software, and ways to mitigate the associated vulnerabilities.
Back to our regularly-scheduled Patch Tuesday…
The January 2018 update announcement as usual contains zero useful information, serving only as a pointer to the Security Update Guide. Analysis of this month’s guide data shows that there are seventy-two updates, addressing fifty-six vulnerabilities in .NET, Internet Explorer, Edge, Office, Windows, Flash Player, Sharepoint, and SQL Server.
Today, Microsoft published twenty-four updates, addressing thirty-three vulnerabilities in Flash player (for Microsoft browsers), Office, Internet Explorer, Edge, and Windows.
As usual, Microsoft’s announcement is little more than a pointer to the Security Update Guide (SUG). If you’re looking for details about any of these updates, that’s your only official option. The SUG’s user interface is somewhat headache-inducing, but there’s useful information to be had there.
Windows 10 gets these updates whether you want them or not; Windows 7 and 8.1 can be configured for automatic or manual updates. I personally don’t like the idea of updates being installed on my computers at Microsoft’s whim, so I’m sticking with manual updates. And avoiding Windows 10 completely. And gradually switching to Linux.
Yesterday, Adobe announced updates for several of its main products, including Flash, Acrobat Reader, and Shockwave.
Flash 18.104.22.168 addresses five critical vulnerabilities in earlier versions. You can download the new desktop version from the main Flash download page. That page usually offers to install additional software, which you should avoid. Chrome will as usual update itself with the new version, and both Internet Explorer and Edge will get their own updates via Windows Update.
Acrobat Reader 11.0.23 includes fixes for a whopping sixty-two vulnerabilities, all flagged as critical, in earlier versions. Download the full installer from the Acrobat Reader Download Center.
Shockwave Player 22.214.171.124 addresses a single critical security issue in earlier versions. Download the new version from the Adobe Shockwave Player Download Center.
If you use Flash, Reader or Shockwave to view content from untrusted sources, or if you use a web browser with add-ons enabled for any of these technologies, you should update affected systems immediately.
According to Microsoft’s announcement, the November updates include patches for Internet Explorer, Edge, Windows, Office, and .NET. As usual, you have to dig into the rather awkward Security Update Guide to find additional details.
My analysis of the SUG reveals that there are fifty-three bulletins, addressing fifty-four vulnerabilities across the usual range of products. Sixteen of the vulnerabilities are flagged Critical.
If you’re interested in performing your own analysis, I strongly suggest avoiding the cumbersome SUG interface. Instead, locate the almost hidden ‘Download’ link at the top right of the updates grid and click that to open the data in Excel. From there you can use Excel’s filtering tools to wrestle the update information into more manageable lists.
Imagine a world in which there were no software updates; no security vulnerabilities; no bugs at all. The idea of such a place makes me happy. This utopia is destined to remain a fantasy, sadly. All software has bugs, and that will never change.
Inspection of Microsoft’s Security Update Guide (SUG) as of 10am today shows the usual massive list of updates, only some of which will affect most of us. You can wade into that if you have some time and access to painkillers, or you can download the list and open it in Excel, which is a lot easier to work with, and is what I do.
Analysis of the update data shows that there are fifty updates this month. Sixteen of those updates are flagged as Critical. A total of sixty-seven vulnerabilities in Windows, Office, Internet Explorer, and Edge are addressed.
As usual, the announcement of this month’s updates does little more than tell us what we already knew: that there are updates today, and where to find them.
Time to patch those computers!
Update 2017Oct11: The Register points out that while vulnerabilities affecting Windows 10 are being patched by Microsoft as soon as they are identified, Windows 7 and 8 systems don’t get those updates until the next Patch Tuesday. This creates an opportunity for malicious persons to analyze the Windows 10 updates and create exploits that work on Windows 7 and 8.
This month’s updates from Microsoft include a patch for a nasty zero-day vulnerability in the .NET framework.
The announcement for this batch of updates is of course just a link to the Security Update Guide, where it’s up to the user to wade through piles of information and determine what’s relevant.
Here’s what I’ve been able to glean from my explorations: there are ninety-four updates, affecting Internet Explorer, Edge, Windows, Office, Adobe Flash Player, Skype, and the .NET Framework. A total of eighty-five vulnerabilities are addressed, twenty-nine of which are flagged as Critical.
As you may have guessed, this month we also have yet another new version of Flash. Microsoft included the new version in updates for Edge and Internet Explorer, and Chrome will get the new version via its internal auto-updater. Desktop Flash users should visit the main Flash page to get the new version. Flash 126.96.36.199 addresses two critical vulnerabilities in previous versions.
It’s once again time for the monthly headache otherwise known as Patch Tuesday.
As you’re no doubt aware from my previous whining, Microsoft no longer publishes a bulletin for each update, and finding useful information in the Security Update Guide is awkward at best. It feels like Microsoft is trying to get everyone to just give up and enable auto-update. Of course with Windows 10 you no longer have a choice: you get updates when Microsoft wants you to have them. Which is one of the reasons I don’t use that particular O/S.
From my analysis of the Security Update Guide‘s entries for August 2017, it appears that we have thirty-nine updates, addressing fifty-three vulnerabilities in Internet Explorer, Edge, Windows, SharePoint, Adobe Flash Player, and SQL Server. Eighteen of the updates are flagged as Critical. Time to fire up Windows Update on all your Windows 8.1 and Windows 7 computers.
Adobe released updates for Flash and Reader today. The Reader update (Reader DC/Continuous: 2017.012.20093; Reader 2017: 2017.011.30059; Reader DC/Classic: 2015.006.30352) addresses sixty-seven vulnerabilities. The Flash update (version 188.8.131.52) addresses two vulnerabilities. Anyone still using Flash or Reader, especially as web browser plugins, should install the new versions as soon as possible.
A bizarre bug in Microsoft’s Edge web browser is baffling users. Depending on the selected printer and other factors, attempting to print a PDF file, or use Edge’s ‘Print to PDF’ function, will cause random changes in the output. The changes are difficult to detect: we’re not talking about the usual kind of printer garbage. For example, users are reporting shifted cell numbers, added words and symbols, and substitution of words and characters.
If you’re printing invitations to a neighbourhood barbecue, this issue is unlikely to cause any serious problems, but what if you’re printing legal, medical, or architectural documents?
Microsoft hasn’t said much about this yet, but according to at least one bug report, they are at least aware of the problem. Which is good, because Microsoft just announced that Windows 10 is running on 500 million devices; Edge is the default browser on all those devices, and Print to PDF is the default printer on many.
My advice? If you use Windows 10, don’t use Edge at all if you can avoid it: try Firefox or Chrome. If you must use Edge, use a different PDF reader to view and print PDF files. Adobe’s Reader is free and actually works as expected.
Adobe’s software updates for April include Flash 184.108.40.206, which fixes seven security issues in previous versions. If Flash is enabled in your web browser, you should visit the official Flash About page to check its version and update if it’s not current.
As usual, Chrome will update itself with the latest Flash, and Internet Explorer and Edge get their new Flash via Windows Update.