Category Archives: Internet Explorer

Patch Tuesday updates from Microsoft and Adobe

It looks like Microsoft fixed the technical issues that led to February’s updates being postponed until March. Today they announced eighteen updates that address security issues in Windows, Internet Explorer, Edge, Office, Silverlight, as well as Windows Server software, including Exchange.

Critical vulnerabilities for which updates were expected in February, including an SMB flaw in Windows (CVE-2017-0016), and two others that were disclosed by Google’s Project Zero that affect the Windows GDI library (CVE-2017-0038), and Internet Explorer and Edge (CVE-2017-0037), finally get fixes today.

A total of one hundred and forty vulnerabilities are addressed by today’s updates from Microsoft. That’s higher than usual, but of course this is two months’ worth of updates.

Adobe’s contribution to the patching fun this month is new versions of Flash and Shockwave. Flash 25.0.0.127 includes fixes for seven vulnerabilities in earlier versions, while Shockwave 12.2.8.198 resolves a single security issue in versions 12.2.7.197 and earlier.

Chrome will update itself with the new version of Flash in the next day or so, but you can usually trigger the update process by navigating to its About page. Flash updates for Internet Explorer and Edge are included in this month’s updates from Microsoft.

If you’re still using a web browser with a Flash plugin, you should make sure it’s up to date as soon as possible.

Update 2017Mar17: Ars Technica points out — quite rightly — that Microsoft still owes us all an explanation for why the February updates were cancelled. My favourite quote from the Ars article: “when marketers drive communications concerning a reported zero-day exploit, customers lose.” I’d argue that when marketing folk are the only ones talking about technical issues of any kind, we should all be very worried.

Microsoft releases update for Flash

Normally, Microsoft releases updates for Flash in Edge and Internet Explorer along with everything else on the second Tuesday of each month.

This month, something went wrong with the Windows Update system, and Microsoft pushed all the February updates to March, including an expected fix for a serious SMS flaw.

Someone at Microsoft apparently realized that this decision would leave some Flash users (those using Flash in Edge and Internet Explorer) vulnerable for an extra month. Flash vulnerabilities are targeted aggressively by malicious hackers, so this is obviously a bad thing. As a result, Microsoft has released a Flash update, one week later than originally planned.

Anyone who uses Flash in Internet Explorer or Edge should visit Windows Update and install the Flash update as soon as possible.

So we do get a Microsoft Security Bulletin Summary for February 2017 after all, but it only includes a single bulletin.

Flash update fixes 13 vulnerabilities

A new version of Flash, released yesterday, addresses at least thirteen vulnerabilities in previous versions.

According to the security bulletin for Flash 24.0.0.221, the new version fixes “critical vulnerabilities that could potentially allow an attacker to take control of the affected system.”

The release notes for Flash 24.0.0.221 describe some new features that are likely only of interest to developers.

As usual, Internet Explorer and Edge will get new versions of their embedded Flash via Windows Update, while Chrome’s embedded Flash will be updated automatically.

Anyone who still uses a web browser with Flash enabled should update it as soon as possible.

Patch Tuesday for January 2017

Another Patch Tuesday rolls around, bringing updates for Internet Explorer, Edge, Windows, and Office from Microsoft, and new versions of Flash and Reader from Adobe.

According to the Microsoft’s January 2017 bulletin summary,

“There are no security fixes or quality improvements for Windows 8.1 … on Update Tuesday for January 2017. As such, there is no Security Only Quality Update or Security Monthly Quality Rollup release for [Windows 8.1] this month.”

And in fact there are only four bulletins (with associated updates), addressing vulnerabilities in Windows, Edge, Office, and the Flash player built into Edge and Internet Explorer 11. Not including Flash, these updates address three security vulnerabilities.

Adobe’s contributions this month start with Flash 24.0.0.194, which addresses thirteen vulnerabilities in previous versions, adds some new features that are not particularly interesting, and improves support for high resolution displays in Firefox on Windows: Flash content will now scale properly in that context. As usual, Flash updates for Edge and Internet Explorer are handled by Microsoft, and Google Chrome will update itself automatically.

New versions of Adobe Reader address twenty-nine vulnerabilities. Reader XI is up to version 11.0.19, while its confusingly-named sister products Acrobat Reader DC (Continuous) and Acrobat Reader DC (Classic) are at versions 15.023.20053 and 15.006.30279, respectively.

So it’s an enjoyably light month. Visit Windows Update, update Adobe Reader, and if you use a web browser with Flash enabled, make sure to update that as well.

Microsoft is losing all of its browser market share to Google

If you used Windows in the 90’s, you probably remember the Browser War between Microsoft’s Internet Explorer and Netscape’s Navigator. That war culminated in an antitrust case against Microsoft, in which the plaintiff (the USA) claimed that Microsoft’s bundling of IE with Windows was anti-competitive.

Regardless of whether you believe Microsoft acted fairly, Internet Explorer’s market share increased steadily during the period from 1995 to 2001, getting close to 100% at its high water mark. Microsoft never charged anything for its browser, but controlling the window through which most of the world viewed the web clearly provided a huge advantage to the company.

Now, all that ‘hard won’ market share is being given away by Microsoft, mostly to Google’s Chrome. Internet Explorer’s share plummeted from 40% to 20% in 2016, and there’s no bottom in sight.

Why is this happening?

Microsoft has abandoned Internet Explorer, switching its browser development efforts to Edge, which only runs in Windows 10. Only the most recent versions of IE are still supported, and only on Windows 7, 8.1, and 10. And that support is limited to fixing security issues and other bugs. You won’t see any more new features in IE.

Clearly, Microsoft thought everyone would upgrade to Windows 10, especially given the free upgrade offer, and the company’s aggressive upgrade tactics. But that appears to have backfired; Windows 10’s growth has been less than stellar, and even though Edge is arguably a better browser than IE, Windows 10 users are mostly choosing other browsers.

Microsoft may soon own as little as 5% of the total browser market, thanks to Edge’s lackluster uptake. Edge started 2016 with a market share of about 4%, and ended it with about 5%.

I think this qualifies as a major strategic blunder on the part of Microsoft.

Numbers are courtesy of NetMarketShare.

Article on Ars Technica.

Patch Tuesday for December 2016

For 2016’s final set of updates, Microsoft has issued twelve bulletins, with associated patches, affecting the usual software, namely Windows, Internet Explorer, Edge, Office, and the .NET Framework. Forty-seven vulnerabilities in all are addressed by these updates.

Adobe issued updates for several of its products today, but the only one likely to be of interest to most people is, of course, Flash. And I mean ‘interest’ in the sense of “I am very interested in not having my computer infected with malware because I visited a malicious web site while running an out-of-date version of Flash.” The new version of Flash on all platforms is 24.0.0.186. It addresses seventeen vulnerabilities in the still-ubiquitous player. As usual, Flash in Internet Explorer and Chrome will be updated automatically.

SHA-1 deprecation coming soon

SHA-1 (Secure Hash Algorithm 1) is still used by some web sites to encrypt their traffic. Starting in early 2017, most web browsers will start displaying scary-looking warnings when anyone tries to visit sites using SHA-1.

Like this one in Edge:

After Feb 14, 2017, Microsoft Edge will show this warning when it detects SHA-1 encryption
After Feb 14, 2017, Microsoft Edge will show this warning when it detects SHA-1 encryption

SHA-1 deprecation announcements

Microsoft

(From a post on the Microsoft Edge blog.)

Starting on February 14th, 2017, Microsoft Edge and Internet Explorer 11 will prevent sites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning. Though we strongly discourage it, users will have the option to ignore the error and continue to the website.

Mozilla

From a post on the Mozilla security blog.

In early 2017, Firefox will show an overridable “Untrusted Connection” error whenever a SHA-1 certificate is encountered that chains up to a root certificate included in Mozilla’s CA Certificate Program. SHA-1 certificates that chain up to a manually-imported root certificate, as specified by the user, will continue to be supported by default; this will continue allowing certain enterprise root use cases, though we strongly encourage everyone to migrate away from SHA-1 as quickly as possible.

Google

From a post on the Google security blog.

We are planning to remove support for SHA-1 certificates in Chrome 56, which will be released to the stable channel around the end of January 2017. The removal will follow the Chrome release process, moving from Dev to Beta to Stable; there won’t be a date-based change in behaviour.

Patch Tuesday for November 2016

It’s Patch Tuesday, albeit a slightly more interesting one than usual. Patches we have, from both Microsoft and Adobe. More about that later.

Microsoft wants to simplify the way security update information is presented to the public. To that end, they’ve created a new ‘starting page’ of sorts, called the Security Updates Guide. The idea is that anyone should be able to find the information they need by starting here. Most of the links on the new page actually go to existing TechNet pages. It’s definitely worth checking out.

Among the updates from Microsoft this month is a fix for the Windows vulnerability recently reported by Google. You may recall that Microsoft was rather annoyed with Google for making the vulnerability public according to their own rules (sooner than Microsoft wanted). Microsoft did credit Neel Mehta and Billy Leonard of Google’s Threat Analysis Group for their assistance.

There are fourteen bulletins from Microsoft this month. The associated updates address seventy-five vulnerabilities in Windows, Edge, Office, and Internet Explorer.

Adobe’s monthly contribution to the festivities is a new version of Flash, 23.0.0.207. A release announcement provides an overview of the changes, while the associated security bulletin provides some background about the nine vulnerabilities addressed.

Flash 23.0.0.205

Normally Adobe releases Flash updates on Patch Tuesday, but when there’s a critical security vulnerability they will release an ‘out of cycle’ fix. That’s what happened with Flash 23.0.0.205, which was released on October 26 to address a single vulnerability: CVE-2016-7855 (details pending).

Anyone who uses Flash in a web browser should update Flash as soon as possible. If you’re not sure whether you’re running the latest Flash, go to the About Flash page on the Adobe web site.

As always, Internet Explorer and Edge will get updates to their embedded Flash via Windows Update (bulletin MS16-128), and Chrome will update itself automatically. Still, it’s a good idea to make sure by visiting the About Flash page.

Patch Tuesday: October 2016

It’s the first day of a new era in Windows updates. Windows 7 and 8 now get updates in cumulative rollups, and updates are bundled together.

This month there are ten security bulletins. Each bulletin is associated with one fix for a specific vulnerability in an application, library, or API; or with a bundle of fixes that address several vulnerabilities in Windows.

Each bulletin is associated with at least one Knowledge Base article, and sometimes with additional KB articles that apply to different versions of Windows, Office, .NET, or some other application. Each additional KB article is associated with a version-specific update. There are often two sets of KB articles: one for the security only quality update and one for the security monthly quality update.

All of the security updates this month are available via Microsoft Update. Most are also available from the Microsoft Download Center and the Microsoft Update Catalog (MUC). Downloading updates from the MUC technically requires Internet Explorer, but you can use any other browser by navigating to http://catalog.update.microsoft.com/v7/site/Rss.aspx?q=KBxxxxxxx (replacing KBxxxxxxx with the KB article number).

So far I don’t see anything in these new updates that looks particularly worrisome. Of course there’s always a risk that Microsoft will slip something in that we don’t want, but there’s a non-trivial amount of scrutiny being directed toward Microsoft right now, and I’m confident someone will quickly spot anything untoward.

I was half-expecting the updates to be as poorly documented as Windows 10 updates, but instead the Windows 10 updates are now as well documented as the others. I also thought there would be fewer bundles, and I didn’t expect them to be grouped as sensibly as they are.

The new system is simpler in some ways, and it does at least unify all versions of Windows to some extent, although Windows 10 updates are still treated somewhat differently. It all actually seems less clunky than before, which is a very nice surprise.

Questions remain. It’s unclear how bad updates will be handled. In the past, if an update broke Windows, you could uninstall it. Now, presumably, you’d have to uninstall an entire bundle. Or something. We’ll see how it goes next month when rollups start arriving with multiple months worth of updates.

Update 2016Oct12: Brian Krebs’ take on the new Windows Update system.