Category Archives: Internet Explorer

Patch Tuesday for July 2020

Another month, another load of patches from Microsoft.

This month we have seventy-one bulletins and corresponding updates. One hundred and twenty-six vulnerabilities are addressed in all, affecting .NET, Internet Explorer 9 and 11, Edge, Office, SharePoint, Visual Studio, OneDrive, Skype, Windows, and Windows Defender. Nineteen of the vulnerabilities are flagged as having Critical severity.

As usual, you can find all the details in Microsoft’s Security Update Guide.

Those of you running Windows 10 know the drill: depending on which version of Windows 10 you’re running, you can delay installation of updates for a while, but not indefinitely. On Windows 8.1 computers, Windows Update is still the best way to install updates. Windows 7 users don’t have an official way to obtain updates for that O/S, despite the fact that Microsoft continues to develop them.

Update 2020Jul17: Again with this crap, Microsoft? One of the updates from this batch caused Outlook 2016 to crash on starting for users worldwide. This affected one of my clients, and affected critical business operations. A fix posted by someone other than Microsoft allowed Outlook to run, but killed the ability to print. Linux never looked so good.

You will now use Microsoft Edge!

On a related note, you may have noticed that Microsoft is pushing its new Chromium-based Edge browser to all Windows computers. This is happening not only on Windows 10 computers, but also those running Windows 8.1 and even 7. The new Edge cannot be removed in the usual way once it’s installed. This is causing consternation for many users, as Edge seems to take over once installed, forcing the user to make certain choices before the desktop can even be accessed. Isn’t this the kind of behaviour that got Microsoft in trouble in the 1990s?

The Verge has additional details. In case you were thinking about switching to Edge, you should be aware that a recent study by Yandex ranked Edge last in terms of privacy.

Patch Tuesday for June 2020

It’s another Patch Day, and this month from Microsoft we’ve got thirty-two update bulletins and associated patches. Twenty-one of the bulletins are flagged as having Critical severity. One hundred and twenty-four security vulnerabilities are addressed, affecting Internet Explorer 9 and 11, Adobe Flash embedded in Microsoft browsers, Office applications, Edge (both the original version and the new version based on the Chromium engine), Sharepoint, Visual Studio, Windows 7, 8.1, and 10, and Windows Defender, the anti-malware program included with Windows 10.

You can find all the relevant details by perusing Microsoft’s Security Update Guide.

Although Microsoft produced Windows 7 updates this month, you won’t be able to obtain them through Windows Update unless you’ve subscribed to Microsoft’s Extended Security Updates (ESU) program. Still, you should check Windows Update because occasionally Microsoft makes new Windows 7 updates available to everyone.

Windows 8.1 is still getting updates, and that will continue until January 10, 2023. Windows Update is still the easiest way to check for and install updates for Windows 8.1.

As usual, Windows 10 computers will be force-fed these updates over the next few days. You can delay the inevitable for as much as a year for feature updates (changes other than bug fixes), or a month for bug fixes, but eventually they’ll be installed whether you want them or not. Which still seems crazy, given how many problems Windows 10 updates have caused.

Patch Tuesday for May 2020

We’re in the middle of a pandemic, but that’s no excuse to leave software unpatched. There’s certainly been no reduction in the rate at which vulnerabilities and exploits are being discovered.

This month’s contribution from Microsoft, as documented in the Security Update Guide, consists of thirty-eight updates, with corresponding bulletins, addressing one hundred and eleven vulnerabilities in .NET, Internet Explorer, Edge, Office, Visual Studio, and Windows. Eighteen of the updates are flagged as having Critical severity.

If you’re still using Windows 7, and you haven’t shelled out for Microsoft’s Extended Security Updates, you won’t find any of this month’s Windows 7 updates via Windows Update. You do have at least one other option: an organization called 0patch. These folks provide what they call ‘micropatches’ for known vulnerabilities in no-longer-officially-supported versions of Windows, including Windows 7 and Windows Server 2008. I haven’t tried these myself, but they seem legitimate. Well, presumably not in the view of Microsoft.

Windows 10 users will get the latest updates whether they’re wanted or not, although there are settings that allow you to delay them, for a while. That leaves Windows 8.1, for which Windows Update is still the appropriate tool.

Adobe logoAdobe once again tags along this month, with new versions of Reader and Acrobat. Most people use the free version of Reader, officially known as Acrobat Reader DC. The new version, 2020.009.20063, includes fixes for twenty-four security vulnerabilites in earlier versions.

Patch Tuesday for March 2020

Happy Patch Tuesday! Today’s gifts from the always-generous folks at Microsoft include forty-two updates, addressing one hundred and fifteen security bugs in Internet Explorer (9 and 11), Edge (the original version, not the one built on Chromium), Office (2010, 2016, and 2019), Windows (7, 8.1, and 10), and Windows Server.

You can dig into all the gory details over at the Microsoft Security Update Guide.

Computers running Windows 10 will update themselves at Microsoft’s whim over the coming days.

Windows 8.1 users can still exercise some freedom of choice in deciding when to install updates, but I encourage everyone to install them as soon as possible. Even with Microsoft’s recent bungling, you’re arguably better off with security fixes than without, even if those updates sometimes cause other problems.

To install updates on your Windows 8.1 computer, go to the Windows Control Panel and open Windows Update.

If you’re running Windows 7, you may be surprised to note that some of this month’s updates are available for that no-longer-officially-supported version. That’s because while those updates definitely exist, they’re not technically available to the general public.

To get access to the Windows 7 updates, you need to sign up for Extended Security Updates for Windows 7. This is typically only done by Enterprise users (businesses and educational institutions) who need more time to migrate computers to newer versions of Windows. For regular folks, the cost of ESU seems likely to be prohibitive.

The more adventurous among you might want to experiment with hacks to get around this limitation for Windows 7 updates. Apparently people are finding some success doing this.

Patch Tuesday for February 2020

Yesterday’s crop of updates includes the usual pile from Microsoft, as well as a few from Adobe, for Flash and Reader.

Analysis of Microsoft’s Security Update Guide for February 2020 reveals that there are thirty-eight updates, addressing one hundred and one security issues in Internet Explorer, Edge (both the old and new versions), Flash embedded in Internet Explorer, Office, and Windows. Thirteeen of the updates have been flagged as Critical.

To install Microsoft updates, go to Windows Update in the Control Panel for older versions of Windows, and in Settings > Update & Security for Windows 10. Alternatively, for Windows 10, you can just wait for the updates to be installed automatically.

Adobe logo

The latest version of Flash, 32.0.0.330, fixes a single security vulnerability in earlier versions.

Update Flash on pre-Windows 10 computers by heading to the Windows Control Panel and running the Flash applet. On the Updates tab, check the version and click the Check Now button. Click the link to the Player Download Center. Make sure to disable any checkboxes for installing additional software, then click the big Install Now button. Follow the prompts. You may have to restart your web browser for the update to finish.

Adobe Reader 2020.006.20034, also released this Patch Tuesday, includes fixes for seventeen security vulnerabilities in earlier versions.

Recent versions of Reader typically update themselves, but you can check your version and force an update by navigating Reader’s menu to Help > Check for Updates...

Patch Tuesday for January 2020; end of support for Windows 7

The first Patch Tuesday for 2020 arrives with the long-planned but still inconvenient end of meaningful support for Windows 7.

The venerable Windows 7 still runs on about a quarter of all PCs worldwide. Sticking with Windows 7 was — and continues to be — a conscious decision for many users, made because Windows 8 and 10 were problematic for a variety of reasons.

Microsoft killed support for Windows XP on April 8, 2014, but still released updates for that O/S on a couple of occasions when a security vulnerability was so severe that it seemed likely to cause massive problems if unpatched. Microsoft will probably do the same thing for Windows 7, but it’s not a good idea to rely on the goodwill of any large corporation.

So, if you’re running Windows 7, what should you do? You can upgrade to Windows 8.1, which will buy you some time, until its support ends on January 10, 2023. Or you can stop resisting and make the move to Windows 10. Many of the initial problems with — and objections to — Windows 10 have now been addressed, making it somewhat less unpalatable. Microsoft offers additional guidance on the Windows 7 support ended on January 14, 2020 page on the Microsoft support site.

Another sensible option would be to switch to Linux. There are now Linux distributions that feel a lot like Windows, which can ease the transition. The main problem is software. But even if the software you use has no Linux version, you can still run an older version of Windows in a virtual machine on your Linux computer. That’s not too helpful for high-end games, however.

Back to our regularly scheduled updates…

There are thirty-nine updates (and associated bulletins) from Microsoft this month, addressing fifty vulnerabilities in Windows, .NET, Internet Explorer, and Office. Eight of the updates are flagged with Critical severity.

Although there are other ways to obtain the updates, by far the simplest method is to use Windows Update, which is found in the Windows 10 settings, or the Control Panel in older versions.

Update 2020Jan15: One of the vulnerabilities addressed in yesterday’s updates was reported to Microsoft by the NSA. While there’s disagreement about the seriousness of the vulnerability, this is notable in that the NSA previously wasn’t interested in sharing its discovered vulnerabilities. Lack of NSA cooperation led to the WannaCry ransomware nightmare in 2017. Brian Krebs has more.

While it’s generally a good idea to cross your fingers and install all available Microsoft updates, or at least allow them to be installed automatically, some Windows 10 users have grown wary of updates, and configured Windows Updates to be delayed. The actual risk from this vulnerability is mostly for Windows Server 2016 computers that are exposed to the Internet, and Windows 10 computers normally used by people with administrator permissions.

Update 2020Jan17: There’s more useful information about the NSA-reported vulnerability from Ars Technica, and SANS. SANS has created a web page and download that you can use to test your computers for this vulnerability.

Patch Tuesday for December 2019

This month we’ve got a new version of Reader from Adobe, along with the usual heap of updates affecting Microsoft software.

Analysis of Microsoft’s Security Update Guide for December shows that there are thirty-two updates in all, affecting Internet Explorer 9 through 11; Office 365, 2013, 2016, and 2019; Visual Studio; Windows 7, 8.1, and 10; and Windows Server 2008, 2012, 2016 and 2019. Thirty-seven vulnerabilities (CVEs) are addressed, of which seven are flagged as having Critical severity.

The easiest way to install Microsoft updates is via the Windows Update Control Panel (prior to Windows 10) or Settings > Update & Security on Windows 10.

Adobe logoAdobe released updates for several of its software products on Tuesday, but the only one likely to be installed on your computers is the ubiquitous Acrobat Reader DC, Adobe’s free PDF file viewer.

A new version of Acrobat Reader DC, 2019.021.20058, addresses at least twenty-one vulnerabilities in previous versions.

Recent versions of Reader seem to keep themselves updated, but if you use Reader to view PDF files from dubious sources, you should definitely check whether your Reader is up to date. Do that by running it, then choosing Check for Updates... from the Help menu.

About CVEs

I usually refer to security bugs as vulnerabilities. There’s another term that I sometimes use (see above): CVE. That’s an abbreviation for Common Vulnerabilities and Exposures. If you’d like to know more, there’s a helpful post about CVEs over on the SecurityTrails web site. Here’s a quote:

CVE was launched in 1999 by the MITRE Corporation, a nonprofit sponsored by the National Cyber Security Division, or NCSD. When a researcher or a company discovers a new vulnerability or an exposure, they add them to the CVE list so other organizations can leverage this data and protect their systems.

It’s a worthwhile read, even for non-technical folks.

Emergency fix for Internet Explorer

If you’ve ignored the almost continuous advice of IT experts over the last decade or so, and are still using Internet Explorer for web browsing, you should stop what you’re doing and install a new security update, just released by Microsoft.

The update fixes a critical vulnerability (CVE-2019-1367) in IE 9, 10, and 11 that could allow a remote attacker to execute code on your computer, if they are able to trick you into visiting a specially-crafted web page.

Even if you don’t actively use IE, if it’s installed on your Windows computer (and it almost always is), you may run it accidentally, or it may become the default web browser because of another Microsoft update. In other words, everyone running Windows 7, 8.1 and 10 needs to install the fix, which exists in several different versions, each for a specific combination of Windows version and IE version (as outlined in Microsoft’s related security bulletin).

For example, on my main Windows computer, on which I run 64-bit Windows 8.1 and IE 11, the relevant update is designated 4522007.

These updates are not available via Windows Update. To install the update for your computer, follow the appropriate link in the security bulletin. Eventually you’ll end up at the Microsoft Update Catalog. Locate the update you want, then click the Download button to begin.

Patch Tuesday for September 2019

It’s another Patch Tuesday, and this month we have the usual pile from Microsoft, along with a new version of Flash.

Analysis of the summary spreadsheet — helpfully provided by Microsoft on the Security Update Guide site — shows that there are forty-nine updates, addressing eighty vulnerabilities in Windows, Internet Explorer, .NET, Edge and Office. Seventeen of the vulnerabilities are critical.

Those of you running Windows 10 will get these updates automatically, unless you’ve explicitly configured Windows to delay updates. Everyone else should navigate to Windows Update in the Windows Control Panel or Windows Settings.

The new version of Flash is 32.0.0.255. It addresses two critical security bugs in earlier versions, both of which were discovered and reported by independent security researchers.

Anyone who still uses Flash, especially if it’s enabled in any web browser, should update Flash as soon as possible. Go to the Flash applet in the Windows Control Panel to check your version and install the new version.

Patch Tuesday for August 2019

It’s another day of updates, with the usual load from Microsoft, and a new version of Reader from Adobe.

Analysis of the monthly data dump from Microsoft’s Security Update Guide shows that this month we have fifty-two updates (with associated bulletins), addressing ninety-five vulnerabilities in Office applications, Windows, Internet Explorer 9 through 11, Edge, Exchange, SharePoint, and Windows Defender.

Twenty-nine of the vulnerabilities are characterised as having Critical severity, and all of the usual nightmarish potential impacts are represented, including Denial of Service, Elevation of Privilege, Information Disclosure, Remote Code Execution, Security Feature Bypass, Spoofing, and Tampering.

If you’re running Windows 10, there’s not much you can do to avoid these updates, although you can at least delay them. The risks associated with installing updates as soon as they become available are still arguably lower that the risks of delaying them as much as possible, or somehow avoiding them altogether.

In this particular case, however, you definitely should install the updates immediately. That’s because they include fixes for a set of dangerous vulnerabilities in RDS (Remote Desktop Services) in all versions of Windows, including Windows 10. Still not convinced? This month’s updates also include a fix for a terrible vulnerability in the Text Services Framework that’s existed in all versions of Windows since XP. The RDS and Text Services vulnerabilities were discovered very recently; no related exploits or attacks have been observed, but it’s a safe bet that malicious persons are working on exploits right now.

Anyway, as always, Windows Update is your friend. Your annoying, can’t-seem-to-shake-them kind of friend.

Adobe logoAdobe released updates for several of its products today, of which only Acrobat Reader presents a significant risk, because malicious hacker types enjoy embedding various kinds of nastiness in PDF files, pretty much every computer on Earth has Acrobat Reader installed, and most people with computers open PDF files without even thinking about the risk.

The latest Acrobat Reader (DC Continuous, which is the variant most likely to be installed on your computer) is version 2019.012.20036. It addresses at least seventy-six security vulnerabilities in previous versions. The release bulletin gives credit to a number of non-Adobe security researchers who discovered and reported some of the vulnerabilities.

You can check your version of Acrobat Reader by navigating its menu to Help > About Adobe Acrobat Reader DC. Also on the Help menu is the handy Check for Updates option, which is probably the easiest way to update Reader.