Category Archives: Edge

Patch Tuesday for June 2016

It’s that time again, folks. This month Microsoft has sixteen updates, which address forty-four vulnerabilities in the usual culprits: Windows, Internet Explorer, Office, and Edge. Five of the updates are flagged as Critical.

Adobe issued an alert earlier today, saying that they have identified a vulnerability in Flash that is being actively exploited. There’s no update as yet, but they expect to have one ready by June 16. I imagine that Adobe was planning to release a Flash update today to coincide with Microsoft’s updates, but this new threat messed up their timing.

April security roundup

People who store Slack credentials in Github code repositories learned that this a bad idea, as researchers demonstrated the ease with which this information can be gathered without any explicit permissions.

Scary news: computers at a German nuclear reactor facility were found to be loaded with malware. The only thing that prevented miscreants from playing with real nuclear reactors was the fact that these computers are not connected to the Internet.

Crappy security practices led to the theft of user account information (email addresses and poorly-encrypted passwords) from Minecraft community site Lifeboat.

The notorious hacking group known as Hacking Team made the news again, this time with reports of active drive-by exploits affecting Android devices.

The Nuclear exploit kit is still operating, despite recent, partially-successful, efforts to shut it down. Researchers showed that the kit is still being used, and may be involved in recent ransomware infections.

Good news: the two men responsible for the notorious SpyEye banking trojan, recently extradited to the US to face federal prosecution, will be spending nine and fifteen years in prison.

Zero-day exploits are on the rise, doubling from 24 in 2014 to 54 in 2015. A zero-day exploit is a hack that takes advantage of software vulnerabilities before the software’s maintainers have had a chance to develop a fix.

Cisco security researchers identified vulnerabilities in several enterprise software systems, including Red Hat’s JBoss. As many as three million web-facing servers running this software are at risk of being infected with ransomware, and in fact as many as 2100 infected servers were identified.

More good news: the Petya ransomware was found to contain a flaw that allows its victims to decrypt their data without paying any ransom.

The Mumblehard botnet was taken down by ESet researchers, after it infected at least 4000 computers and sent out countless spam emails.

Microsoft announced plans to prevent Flash content from playing automatically in the Windows 10 web browser Edge. All the major browsers appear to be heading in this direction, if they don’t already have the feature, as does Chrome.

April’s issue of the SANS ‘Ouch!’ newsletter is titled “I’m Hacked, Now What?” (PDF) and provides helpful information for the recently-hacked. The newsletter is aimed at regular users, so it may not be particularly useful for IT professionals, except as a means to educate users.

The wildly popular WhatsApp – a messaging application for mobile devices – now has end-to-end encryption. This will make life more difficult for spy agencies who want to know what users are saying to each other. But WhatsApp users should be aware that this does not make their communications invulnerable, since techniques exist to get around full encryption, such as keystroke loggers.

Bad idea: someone at CNBC thought it would be a good idea to ask users to submit their passwords to a web-based system that would test the passwords and report on their relative strength. The service itself was vulnerable, and exposed submitted passwords to network sniffing. The service was taken offline soon after the vulnerability was identified.

The web site for toy maker Maisto International was hacked and serving up ransomware for an unknown amount of time, probably several days or even weeks. The hack was made possible because the site was using outdated Joomla software.

Cortana no longer works with Google

In a recent blog post, Microsoft announced that it is no longer possible to make Cortana work with any search engine other than Bing, or any browser other than Edge.

This announcement confirms two things: first, even Microsoft considers Cortana’s main function to be a voice interface for web searching. Second, despite its claims, Microsoft cares more about selling eyeballs to advertisers than giving users options.

To be fair, advertising is the business model of the web. Should we criticize Microsoft for trying to emulate Google? Yes. Yes we should. We (grudgingly) accept web advertising, because the vast majority of what we consume on the web is otherwise free.

On the other hand, stuffing ads into an operating system I paid for is not acceptable. Why not offer a free version of Windows that includes ads? One could argue that this is what Microsoft did, in offering Windows 10 as a free upgrade. But if that’s the case, where’s the paid version that doesn’t include ads?

Patch Tuesday for April 2016

Microsoft offers up thirteen patches this month, addressing thirty security issues in the usual culprits: Windows, Internet Explorer, Edge, .NET, and Office. There are thirteen updates in all, six of them flagged as Critical.

The folks at SANS now provide useful summaries of Microsoft patch days, showing which vulnerabilities are addressed in each update, with multiple risk assessments.

Windows 10 Insider Preview Build 14295

Late last week, preview build 14295 started making its way to computers enrolled in the ‘Fast track’ Windows 10 Insider Preview program. Yesterday, the build was made available to computers on the ‘Slow track’.

This latest build actually includes some interesting features. Or it will when the accompanying developer tools become available. With this build, Microsoft is expanding support for Linux tools on Windows 10, including the BASH scripting language.

While not of much interest to regular users, adding Linux tools to Windows 10 shows that Microsoft is actually listening to developers and other power users.

Build 14295 also fixes some minor problems affecting XBox compatibility, the Edge browser, and Kaspersky security software.

Emergency update for Flash

If you use a web browser with Flash enabled, you should stop what you’re doing and update Flash.

According to the associated Adobe security bulletin, Flash fixes twenty-three security vulnerabilities, including one (CVE-2016-1010) that is being actively exploited on the web.

The release notes for Flash provide additional details. The new version fixes several bugs that are unrelated to security, and adds some new features.

As usual, Chrome will update itself with the new version of Flash, and Internet Explorer and Edge on newer versions of Windows will be updated via Windows Update.

Patch Tuesday for March 2016

It’s time once again to roll up the sleeves and get patching. This month we have thirteen security bulletins and associated updates from Microsoft. The updates address at least forty-four security vulnerabilities in Windows, Internet Explorer, Edge, Office, Windows Server, and .NET. Five of the updates are flagged as Critical.

Adobe’s contribution this month is new versions of Acrobat/Reader. You may have noticed that Adobe has confused things by splitting Acrobat/Reader into several variations: classic, continuous, and desktop. According to Adobe, the continuous variant always has all the most recent updates, fixes, and new features. I think it’s safe to assume that’s the variant most people should be using. The new continuous version of Reader is 15.010.20060. All of the new versions include fixes for three security vulnerabilities.

Windows 10 Insider Preview Build 14267

For those of you interested in the Windows 10 Insider Preview builds, the latest is build 14267, which was announced on February 18.

Build 14267 finally fixes the WSClient.dll error dialogs that were popping up in previous builds. Problems with certain front-facing cameras have been fixed. The ‘Reset this PC’ function is once again working properly with this build.

It’s now easier to use Cortana to identify playing music. There are several improvements to Edge, including Favorites management, an option to clear browsing data on exit, and better download management.

End in sight for Java browser plugin

Oracle is finally throwing in the towel for Java browser plugins. A never-ending source of security problems, the Java plugin will be phased out in the near future. Browser software developers like Mozilla and Google made this move inevitable when they started removing plugin functionality in recent months.

This will cause headaches for organizations that use a lot of browser-based Java. They’ll be faced with a decision. Many will presumably stall for time, and continue to use existing Java applets in increasingly-outdated browsers. Others may decide to switch to another platform entirely, which is likely to be very costly. The best alternative is to – where possible – change browser-based Java applets to use the Java Web Start technology. According to a white paper from Oracle (PDF): “The conversion of an applet to a Java Web Start application provides the ability to launch and update the resulting application without relying on a web browser… Desktop shortcuts can also launch the application, providing the user with the same experience as that of a native application.”

Regular users will only notice the loss of the Java browser plugin if they happen to use one or more Java applets. Site operators have been aware that this change is coming for a while, and have been scaling back their use of Java applets, but they may still be found on some banking and financial sites, web site builders, and so on. One Java applet-based service that I find extremely useful is Berkley’s ICSI Netalyzer, which analyzes your network connection and reports on any issues it finds. I’m hoping that Netalyzer’s developers will convert it to use Java Web Start, or do something else to keep the service online.

Duo Security has additional related information.

Two more Windows 10 Insider Preview builds

When Windows 10 updates itself, in the final stages, we’re treated to a series of screen-filling messages, like “We’ve updated your computer”, and “All your files are right where you left them.” I can understand why Microsoft is showing messages like this: to reassure users who would otherwise be wondering what’s going on as their hard drive thrashes away. As a more technically-minded person, I would prefer an indication of exactly what’s happening, and how long it’s going to take, but I can live with these messages instead.

On the other hand, sometimes these messages are misleading. Take this one: “We’ve got some new features to get excited about.” Apart from the grammatical issues, this message simply isn’t usually true. The most recent Preview builds, for example.

Windows 10 Insider Preview Build 11102

Build 11102, released on January 21, includes only one new feature of note, and it’s hardly exciting: you can now “right-click on the back and forward buttons in Microsoft Edge for quick access to your recently visited websites in the current tab.” Woo hoo.

Note that this build still has the problem with WSClient.dll error dialogs popping up at inconvenient times. At least the build announcement describes a workaround.

Windows Insider Preview Build 14251

Build 14251, released on January 27, has the distinction of generating a lot of discussion regarding the large jump in build number. It turns out that the big jump is the result of Microsoft trying to synchronize builds across platforms, which is actually a good thing.

Meanwhile, the announcement for build 14251 actually says “This build doesn’t have notable new features in it”. And sure enough, it’s mostly bug fixes.