Category Archives: Edge

Flash update fixes 13 vulnerabilities

A new version of Flash, released yesterday, addresses at least thirteen vulnerabilities in previous versions.

According to the security bulletin for Flash 24.0.0.221, the new version fixes “critical vulnerabilities that could potentially allow an attacker to take control of the affected system.”

The release notes for Flash 24.0.0.221 describe some new features that are likely only of interest to developers.

As usual, Internet Explorer and Edge will get new versions of their embedded Flash via Windows Update, while Chrome’s embedded Flash will be updated automatically.

Anyone who still uses a web browser with Flash enabled should update it as soon as possible.

Microsoft is losing all of its browser market share to Google

If you used Windows in the 90’s, you probably remember the Browser War between Microsoft’s Internet Explorer and Netscape’s Navigator. That war culminated in an antitrust case against Microsoft, in which the plaintiff (the USA) claimed that Microsoft’s bundling of IE with Windows was anti-competitive.

Regardless of whether you believe Microsoft acted fairly, Internet Explorer’s market share increased steadily during the period from 1995 to 2001, getting close to 100% at its high water mark. Microsoft never charged anything for its browser, but controlling the window through which most of the world viewed the web clearly provided a huge advantage to the company.

Now, all that ‘hard won’ market share is being given away by Microsoft, mostly to Google’s Chrome. Internet Explorer’s share plummeted from 40% to 20% in 2016, and there’s no bottom in sight.

Why is this happening?

Microsoft has abandoned Internet Explorer, switching its browser development efforts to Edge, which only runs in Windows 10. Only the most recent versions of IE are still supported, and only on Windows 7, 8.1, and 10. And that support is limited to fixing security issues and other bugs. You won’t see any more new features in IE.

Clearly, Microsoft thought everyone would upgrade to Windows 10, especially given the free upgrade offer, and the company’s aggressive upgrade tactics. But that appears to have backfired; Windows 10’s growth has been less than stellar, and even though Edge is arguably a better browser than IE, Windows 10 users are mostly choosing other browsers.

Microsoft may soon own as little as 5% of the total browser market, thanks to Edge’s lackluster uptake. Edge started 2016 with a market share of about 4%, and ended it with about 5%.

I think this qualifies as a major strategic blunder on the part of Microsoft.

Numbers are courtesy of NetMarketShare.

Article on Ars Technica.

Patch Tuesday for December 2016

For 2016’s final set of updates, Microsoft has issued twelve bulletins, with associated patches, affecting the usual software, namely Windows, Internet Explorer, Edge, Office, and the .NET Framework. Forty-seven vulnerabilities in all are addressed by these updates.

Adobe issued updates for several of its products today, but the only one likely to be of interest to most people is, of course, Flash. And I mean ‘interest’ in the sense of “I am very interested in not having my computer infected with malware because I visited a malicious web site while running an out-of-date version of Flash.” The new version of Flash on all platforms is 24.0.0.186. It addresses seventeen vulnerabilities in the still-ubiquitous player. As usual, Flash in Internet Explorer and Chrome will be updated automatically.

SHA-1 deprecation coming soon

SHA-1 (Secure Hash Algorithm 1) is still used by some web sites to encrypt their traffic. Starting in early 2017, most web browsers will start displaying scary-looking warnings when anyone tries to visit sites using SHA-1.

Like this one in Edge:

After Feb 14, 2017, Microsoft Edge will show this warning when it detects SHA-1 encryption
After Feb 14, 2017, Microsoft Edge will show this warning when it detects SHA-1 encryption

SHA-1 deprecation announcements

Microsoft

(From a post on the Microsoft Edge blog.)

Starting on February 14th, 2017, Microsoft Edge and Internet Explorer 11 will prevent sites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning. Though we strongly discourage it, users will have the option to ignore the error and continue to the website.

Mozilla

From a post on the Mozilla security blog.

In early 2017, Firefox will show an overridable “Untrusted Connection” error whenever a SHA-1 certificate is encountered that chains up to a root certificate included in Mozilla’s CA Certificate Program. SHA-1 certificates that chain up to a manually-imported root certificate, as specified by the user, will continue to be supported by default; this will continue allowing certain enterprise root use cases, though we strongly encourage everyone to migrate away from SHA-1 as quickly as possible.

Google

From a post on the Google security blog.

We are planning to remove support for SHA-1 certificates in Chrome 56, which will be released to the stable channel around the end of January 2017. The removal will follow the Chrome release process, moving from Dev to Beta to Stable; there won’t be a date-based change in behaviour.

Patch Tuesday for November 2016

It’s Patch Tuesday, albeit a slightly more interesting one than usual. Patches we have, from both Microsoft and Adobe. More about that later.

Microsoft wants to simplify the way security update information is presented to the public. To that end, they’ve created a new ‘starting page’ of sorts, called the Security Updates Guide. The idea is that anyone should be able to find the information they need by starting here. Most of the links on the new page actually go to existing TechNet pages. It’s definitely worth checking out.

Among the updates from Microsoft this month is a fix for the Windows vulnerability recently reported by Google. You may recall that Microsoft was rather annoyed with Google for making the vulnerability public according to their own rules (sooner than Microsoft wanted). Microsoft did credit Neel Mehta and Billy Leonard of Google’s Threat Analysis Group for their assistance.

There are fourteen bulletins from Microsoft this month. The associated updates address seventy-five vulnerabilities in Windows, Edge, Office, and Internet Explorer.

Adobe’s monthly contribution to the festivities is a new version of Flash, 23.0.0.207. A release announcement provides an overview of the changes, while the associated security bulletin provides some background about the nine vulnerabilities addressed.

Flash 23.0.0.205

Normally Adobe releases Flash updates on Patch Tuesday, but when there’s a critical security vulnerability they will release an ‘out of cycle’ fix. That’s what happened with Flash 23.0.0.205, which was released on October 26 to address a single vulnerability: CVE-2016-7855 (details pending).

Anyone who uses Flash in a web browser should update Flash as soon as possible. If you’re not sure whether you’re running the latest Flash, go to the About Flash page on the Adobe web site.

As always, Internet Explorer and Edge will get updates to their embedded Flash via Windows Update (bulletin MS16-128), and Chrome will update itself automatically. Still, it’s a good idea to make sure by visiting the About Flash page.

Patch Tuesday: October 2016

It’s the first day of a new era in Windows updates. Windows 7 and 8 now get updates in cumulative rollups, and updates are bundled together.

This month there are ten security bulletins. Each bulletin is associated with one fix for a specific vulnerability in an application, library, or API; or with a bundle of fixes that address several vulnerabilities in Windows.

Each bulletin is associated with at least one Knowledge Base article, and sometimes with additional KB articles that apply to different versions of Windows, Office, .NET, or some other application. Each additional KB article is associated with a version-specific update. There are often two sets of KB articles: one for the security only quality update and one for the security monthly quality update.

All of the security updates this month are available via Microsoft Update. Most are also available from the Microsoft Download Center and the Microsoft Update Catalog (MUC). Downloading updates from the MUC technically requires Internet Explorer, but you can use any other browser by navigating to http://catalog.update.microsoft.com/v7/site/Rss.aspx?q=KBxxxxxxx (replacing KBxxxxxxx with the KB article number).

So far I don’t see anything in these new updates that looks particularly worrisome. Of course there’s always a risk that Microsoft will slip something in that we don’t want, but there’s a non-trivial amount of scrutiny being directed toward Microsoft right now, and I’m confident someone will quickly spot anything untoward.

I was half-expecting the updates to be as poorly documented as Windows 10 updates, but instead the Windows 10 updates are now as well documented as the others. I also thought there would be fewer bundles, and I didn’t expect them to be grouped as sensibly as they are.

The new system is simpler in some ways, and it does at least unify all versions of Windows to some extent, although Windows 10 updates are still treated somewhat differently. It all actually seems less clunky than before, which is a very nice surprise.

Questions remain. It’s unclear how bad updates will be handled. In the past, if an update broke Windows, you could uninstall it. Now, presumably, you’d have to uninstall an entire bundle. Or something. We’ll see how it goes next month when rollups start arriving with multiple months worth of updates.

Update 2016Oct12: Brian Krebs’ take on the new Windows Update system.

Patch Tuesday for September 2016

Microsoft’s contribution to our monthly headache is fourteen updates for their flagship software (Windows, Office, Edge, and Internet Explorer). Seven of the updates are classified as Critical. Over sixty separate vulnerabilities are addressed by these updates. One of the updates is for the version of Adobe Flash embedded in Internet Explorer 10 and 11, and Edge.

Not wanting to be left out, Adobe once again brings its own pile of patches to the table. Flash 23.0.0.162 includes fixes for at least twenty-six vulnerabilities. Google Chrome will update itself with the new Flash, and Internet Explorer 10 and 11, and Edge, get the new Flash via the update mentioned above. For all other browsers, simply visit the main Flash page to check your Flash version and update it as needed.

Patch Tuesday for August 2016

It’s update time again. This month Microsoft is making available nine updates, affecting Windows, Internet Explorer, Edge, and Office. Five of the updates are flagged as Critical. A total 38 vulnerabilities are addressed with these updates.

The associated bulletin from Microsoft has additional details.

There’s also one new security advisory: Update for Kernel Mode Blacklist.

Windows 10 Insider Preview Builds 14352, 14361, 14366, and 14367

I was starting to wonder why my Windows 10 test computer wasn’t getting new preview builds. It was seemingly stuck on build 14342, as new build announcements paraded past in my RSS feed reader.

As much as possible, I’ve attempted to evaluate Windows 10 as a regular user, so I held off trying to fix this, assuming it would fix itself. A couple of days ago, I finally relented, and started to investigate.

Looking at All Settings > Update and Security > Windows Update, I was confronted with this message: “We couldn’t connect to the update service. We’ll try again later, or you can check now. If it still doesn’t work, make sure you’re connected to the Internet.” I clicked the Check for Updates button and initially it seemed to be working. It showed a new available build, and actually installed a minor update, but then when it started to download the new build, the message reappeared.

I found plenty of reports on the web of other people having similar difficulties, but mostly for earlier builds. None of the suggested solutions had any effect, including disabling the option Updates from more than one place, and running the Windows Update troubleshooter. The troubleshooter found nothing untoward.

I use a special DNS service for privacy reasons, so on a hunch, I switched to my ISP’s DNS and again checked for updates. Preview Build 14366 started downloading, and eventually installed.

Is Microsoft somehow preventing Windows 10 preview builds from being downloaded when certain DNS services are being used? I find that difficult to believe, but it’s certainly possible.

What’s new in builds 14352, 14361, and 14366?

Build 14352

Release announcement (May 26, 2016).

  • Cortana improvements
  • Windows Ink improvements
  • Feedback Hub now shows Microsoft’s responses
  • A load of bug fixes

Build 14361

Release announcement (June 8, 2016).

  • LastPass extension for Microsoft Edge
  • Windows Ink improvements
  • Settings – visual improvements
  • Start screen – visual improvements
  • the usual pile of bug fixes, many related to Edge

Build 14366

Release announcement (June 14, 2016).

  • Windows Store app – resource usage improvements
  • a bunch more bug fixes, including several for user interface glitches

Build 14367

Release announcement (June 16, 2016).

  • New tool to clean-install the latest Windows 10 release
  • the usual pile of bug fixes