Category Archives: Edge

Patch Tuesday for September 2016

Microsoft’s contribution to our monthly headache is fourteen updates for their flagship software (Windows, Office, Edge, and Internet Explorer). Seven of the updates are classified as Critical. Over sixty separate vulnerabilities are addressed by these updates. One of the updates is for the version of Adobe Flash embedded in Internet Explorer 10 and 11, and Edge.

Not wanting to be left out, Adobe once again brings its own pile of patches to the table. Flash 23.0.0.162 includes fixes for at least twenty-six vulnerabilities. Google Chrome will update itself with the new Flash, and Internet Explorer 10 and 11, and Edge, get the new Flash via the update mentioned above. For all other browsers, simply visit the main Flash page to check your Flash version and update it as needed.

Patch Tuesday for August 2016

It’s update time again. This month Microsoft is making available nine updates, affecting Windows, Internet Explorer, Edge, and Office. Five of the updates are flagged as Critical. A total of 38 vulnerabilities are addressed with these updates.

The associated bulletin from Microsoft has additional details.

There’s also one new security advisory: Update for Kernel Mode Blacklist.

Windows 10 Insider Preview Builds 14352, 14361, 14366, and 14367

I was starting to wonder why my Windows 10 test computer wasn’t getting new preview builds. It was seemingly stuck on build 14342, as new build announcements paraded past in my RSS feed reader.

As much as possible, I’ve attempted to evaluate Windows 10 as a regular user, so I held off trying to fix this, assuming it would fix itself. A couple of days ago, I finally relented, and started to investigate.

Looking at All Settings > Update and Security > Windows Update, I was confronted with this message: “We couldn’t connect to the update service. We’ll try again later, or you can check now. If it still doesn’t work, make sure you’re connected to the Internet.” I clicked the Check for Updates button and initially it seemed to be working. It showed a new available build, and actually installed a minor update, but then when it started to download the new build, the message reappeared.

I found plenty of reports on the web of other people having similar difficulties, but mostly for earlier builds. None of the suggested solutions had any effect, including disabling the option Updates from more than one place, and running the Windows Update troubleshooter. The troubleshooter found nothing untoward.

I use a special DNS service for privacy reasons, so on a hunch, I switched to my ISP’s DNS and again checked for updates. Preview Build 14366 started downloading, and eventually installed.

Is Microsoft somehow preventing Windows 10 preview builds from being downloaded when certain DNS services are being used? I find that difficult to believe, but it’s certainly possible.

What’s new in builds 14352, 14361, and 14366?

Build 14352

Release announcement (May 26, 2016).

  • Cortana improvements
  • Windows Ink improvements
  • Feedback Hub now shows Microsoft’s responses
  • A load of bug fixes

Build 14361

Release announcement (June 8, 2016).

  • LastPass extension for Microsoft Edge
  • Windows Ink improvements
  • Settings – visual improvements
  • Start screen – visual improvements
  • the usual pile of bug fixes, many related to Edge

Build 14366

Release announcement (June 14, 2016).

  • Windows Store app – resource usage improvements
  • a bunch more bug fixes, including several for user interface glitches

Build 14367

Release announcement (June 16, 2016).

  • New tool to clean-install the latest Windows 10 release
  • the usual pile of bug fixes

Patch Tuesday for June 2016

It’s that time again, folks. This month Microsoft has sixteen updates, which address forty-four vulnerabilities in the usual culprits: Windows, Internet Explorer, Office, and Edge. Five of the updates are flagged as Critical.

Adobe issued an alert earlier today, saying that they have identified a vulnerability in Flash that is being actively exploited. There’s no update as yet, but they expect to have one ready by June 16. I imagine that Adobe was planning to release a Flash update today to coincide with Microsoft’s updates, but this new threat messed up their timing.

April security roundup

People who store Slack credentials in GitHub code repositories learned that this is a bad idea, as researchers demonstrated the ease with which this information can be gathered without any explicit permissions.

Scary news: computers at a German nuclear reactor facility were found to be loaded with malware. The only thing that prevented miscreants from playing with real nuclear reactors was the fact that these computers are not connected to the Internet.

Crappy security practices led to the theft of user account information (email addresses and poorly-encrypted passwords) from Minecraft community site Lifeboat.

The notorious hacking group known as Hacking Team made the news again, this time with reports of active drive-by exploits affecting Android devices.

The Nuclear exploit kit is still operating, despite recent, partially-successful, efforts to shut it down. Researchers showed that the kit is still being used, and may be involved in recent ransomware infections.

Good news: the two men responsible for the notorious SpyEye banking trojan, recently extradited to the US to face federal prosecution, will be spending nine and fifteen years in prison.

Zero-day exploits are on the rise, doubling from 24 in 2014 to 54 in 2015. A zero-day exploit is a hack that takes advantage of software vulnerabilities before the software’s maintainers have had a chance to develop a fix.

Cisco security researchers identified vulnerabilities in several enterprise software systems, including Red Hat’s JBoss. As many as three million web-facing servers running this software are at risk of being infected with ransomware, and in fact as many as 2100 infected servers were identified.

More good news: the Petya ransomware was found to contain a flaw that allows its victims to decrypt their data without paying any ransom.

The Mumblehard botnet was taken down by ESET researchers, after it infected at least 4000 computers and sent out countless spam emails.

Microsoft announced plans to prevent Flash content from playing automatically in the Windows 10 web browser Edge. All the major browsers appear to be heading in this direction, if they don’t already have the feature, as Chrome does.

April’s issue of the SANS ‘Ouch!’ newsletter is titled “I’m Hacked, Now What?” (PDF) and provides helpful information for the recently-hacked. The newsletter is aimed at regular users, so it may not be particularly useful for IT professionals, except as a means to educate users.

The wildly popular WhatsApp – a messaging application for mobile devices – now has end-to-end encryption. This will make life more difficult for spy agencies who want to know what users are saying to each other. But WhatsApp users should be aware that this does not make their communications invulnerable, since techniques exist to get around full encryption, such as keystroke loggers.

Bad idea: someone at CNBC thought it would be a good idea to ask users to submit their passwords to a web-based system that would test the passwords and report on their relative strength. The service itself was vulnerable, and exposed submitted passwords to network sniffing. The service was taken offline soon after the vulnerability was identified.

The web site for toy maker Maisto International was hacked and was serving up ransomware for an unknown amount of time, probably several days or even weeks. The hack was made possible because the site was using outdated Joomla software.

Cortana no longer works with Google

In a recent blog post, Microsoft announced that it is no longer possible to make Cortana work with any search engine other than Bing, or any browser other than Edge.

This announcement confirms two things: first, even Microsoft considers Cortana’s main function to be a voice interface for web searching. Second, despite its claims, Microsoft cares more about selling eyeballs to advertisers than giving users options.

To be fair, advertising is the business model of the web. Should we criticize Microsoft for trying to emulate Google? Yes. Yes we should. We (grudgingly) accept web advertising, because the vast majority of what we consume on the web is otherwise free.

On the other hand, stuffing ads into an operating system I paid for is not acceptable. Why not offer a free version of Windows that includes ads? One could argue that this is what Microsoft did, in offering Windows 10 as a free upgrade. But if that’s the case, where’s the paid version that doesn’t include ads?

Patch Tuesday for April 2016

Microsoft offers up thirteen patches this month, addressing thirty security issues in the usual culprits: Windows, Internet Explorer, Edge, .NET, and Office. Six of the updates are flagged as Critical.

The folks at SANS now provide useful summaries of Microsoft patch days, showing which vulnerabilities are addressed in each update, with multiple risk assessments.

Windows 10 Insider Preview Build 14295

Late last week, preview build 14295 started making its way to computers enrolled in the ‘Fast track’ Windows 10 Insider Preview program. Yesterday, the build was made available to computers on the ‘Slow track’.

This latest build actually includes some interesting features. Or it will when the accompanying developer tools become available. With this build, Microsoft is expanding support for Linux tools on Windows 10, including the BASH scripting language.

While not of much interest to regular users, adding Linux tools to Windows 10 shows that Microsoft is actually listening to developers and other power users.

Build 14295 also fixes some minor problems affecting Xbox compatibility, the Edge browser, and Kaspersky security software.

Emergency update for Flash

If you use a web browser with Flash enabled, you should stop what you’re doing and update Flash.

According to the associated Adobe security bulletin, Flash 21.0.0.182 fixes twenty-three security vulnerabilities, including one (CVE-2016-1010) that is being actively exploited on the web.

The release notes for Flash 21.0.0.182 provide additional details. The new version fixes several bugs that are unrelated to security, and adds some new features.

As usual, Chrome will update itself with the new version of Flash, and Internet Explorer and Edge on newer versions of Windows will be updated via Windows Update.

Patch Tuesday for March 2016

It’s time once again to roll up the sleeves and get patching. This month we have thirteen security bulletins and associated updates from Microsoft. The updates address at least forty-four security vulnerabilities in Windows, Internet Explorer, Edge, Office, Windows Server, and .NET. Five of the updates are flagged as Critical.

Adobe’s contribution this month is new versions of Acrobat/Reader. You may have noticed that Adobe has confused things by splitting Acrobat/Reader into several variations: classic, continuous, and desktop. According to Adobe, the continuous variant always has all the most recent updates, fixes, and new features. I think it’s safe to assume that’s the variant most people should be using. The new continuous version of Reader is 15.010.20060. All of the new versions include fixes for three security vulnerabilities.