Category Archives: Internet Explorer

October 10, 2017: Patch Tuesday

Imagine a world in which there were no software updates; no security vulnerabilities; no bugs at all. The idea of such a place makes me happy. This utopia is destined to remain a fantasy, sadly. All software has bugs, and that will never change.

Inspection of Microsoft’s Security Update Guide (SUG) as of 10am today shows the usual massive list of updates, only some of which will affect most of us. You can wade into that if you have some time and access to painkillers, or you can download the list and open it in Excel, which is a lot easier to work with, and is what I do.

Analysis of the update data shows that there are fifty updates this month. Sixteen of those updates are flagged as Critical. A total of sixty-seven vulnerabilities in Windows, Office, Internet Explorer, and Edge are addressed.

As usual, the announcement of this month’s updates does little more than tell us what we already knew: that there are updates today, and where to find them.

Time to patch those computers!

Update 2017Oct11: The Register points out that while vulnerabilities affecting Windows 10 are being patched by Microsoft as soon as they are identified, Windows 7 and 8 systems don’t get those updates until the next Patch Tuesday. This creates an opportunity for malicious persons to analyze the Windows 10 updates and create exploits that work on Windows 7 and 8.

Patch Tuesday for September 2017

This month’s updates from Microsoft include a patch for a nasty zero-day vulnerability in the .NET framework.

The announcement for this batch of updates is of course just a link to the Security Update Guide, where it’s up to the user to wade through piles of information and determine what’s relevant.

Here’s what I’ve been able to glean from my explorations: there are ninety-four updates, affecting Internet Explorer, Edge, Windows, Office, Adobe Flash Player, Skype, and the .NET Framework. A total of eighty-five vulnerabilities are addressed, twenty-nine of which are flagged as Critical.

As you may have guessed, this month we also have yet another new version of Flash. Microsoft included the new version in updates for Edge and Internet Explorer, and Chrome will get the new version via its internal auto-updater. Desktop Flash users should visit the main Flash page to get the new version. Flash 27.0.0.130 addresses two critical vulnerabilities in previous versions.

Patch Tuesday for August 2017

It’s once again time for the monthly headache otherwise known as Patch Tuesday.

As you’re no doubt aware from my previous whining, Microsoft no longer publishes a bulletin for each update, and finding useful information in the Security Update Guide is awkward at best. It feels like Microsoft is trying to get everyone to just give up and enable auto-update. Of course with Windows 10 you no longer have a choice: you get updates when Microsoft wants you to have them. Which is one of the reasons I don’t use that particular O/S.

From my analysis of the Security Update Guide‘s entries for August 2017, it appears that we have thirty-nine updates, addressing fifty-three vulnerabilities in Internet Explorer, Edge, Windows, SharePoint, Adobe Flash Player, and SQL Server. Eighteen of the updates are flagged as Critical. Time to fire up Windows Update on all your Windows 8.1 and Windows 7 computers.

Adobe released updates for Flash and Reader today. The Reader update (Reader DC/Continuous: 2017.012.20093; Reader 2017: 2017.011.30059; Reader DC/Classic: 2015.006.30352) addresses sixty-seven vulnerabilities. The Flash update (version 26.0.0.151) addresses two vulnerabilities. Anyone still using Flash or Reader, especially as web browser plugins, should install the new versions as soon as possible.

Flash 25.0.0.171

Adobe’s software updates for April include Flash 25.0.0.171, which fixes seven security issues in previous versions. If Flash is enabled in your web browser, you should visit the official Flash About page to check its version and update if it’s not current.

As usual, Chrome will update itself with the latest Flash, and Internet Explorer and Edge get their new Flash via Windows Update.

Patch Tuesday for May 2017

Well, I was right. The announcement for May’s Patch Tuesday has almost exactly the same wording as last month’s. That’s because neither contains any useful information. No, it’s back to the new Security Update Guide, at least if you want to know what Microsoft wants to do to your computer this month.

According to my analysis of this month’s update information in the SUG, there are fifty distinct bulletins, affecting Flash, Internet Explorer, Edge, .NET, Office, and Windows. A total of fifty-six vulnerabilities are addressed. Fifteen of the vulnerabilities are categorized as Critical.

Today Microsoft also issued three advisories:

New Java version: 8 Update 131

Earlier this week Oracle posted its quarterly Critical Patch Advisory for April 2017. Most of the Oracle software affected by these updates is likely only of interest to system administrators and developers, but buried in the advisory is a list of eight security vulnerabilities in Java 8 Update 121. Although it’s not mentioned in the advisory, those Java vulnerabilities are addressed in a new version of Java: 8 Update 131.

Anyone who uses a web browser with a Java plugin enabled should install Java 8 Update 131 as soon as possible. These days, Firefox, Chrome, and other Chrome-similar browsers like Vivaldi don’t support Java at all, so that leaves Internet Explorer. You can check whether Java is enabled in Internet Explorer by pointing IE to the official Java version test page.

Even if you don’t use a browser with Java enabled, you may have a version of Java installed on your computer, in which case you should consider updating it. You can find out whether Java is installed by looking for the Java applet in the Windows Control Panel. If it’s there, Java is installed; go to the Update tab and click Update now to install the new version.

Oracle sued by the FTC

If you visit the main Java page, you may notice a large all-caps message at the very top of the page: IMPORTANT INFORMATION REGARDING THE SECURITY OF JAVA SE. The message links to a page that discusses an ongoing lawsuit:

The Federal Trade Commission, the nation’s consumer protection agency, has sued us for making allegedly deceptive security claims about Java SE. To settle the lawsuit, we agreed to contact you with instructions on how to protect the personal information on your computer by deleting older versions of Java SE from your computer.

This is a good reminder that Java installers tend to leave old versions and related junk on Windows computers, and that you should always check for and remove old versions of Java after you install a new version. Visit the Java uninstall page and the Java uninstall help page to get started.

Patch Tuesday for April 2017

As of this month, Microsoft is no longer publishing security bulletins. What we get instead is the Security Update Guide, an online database of Microsoft updates. Instead of a nice series of bulletins in my RSS reader, I get a single notification that contains almost nothing of use, aside from a link to the Security Update Guide. It also recommends enabling auto updates. Suffice to say that they won’t need to change the wording next month.

Security Update Guide

I’m sure it’s possible to create an online update database that works, but the Security Update Guide doesn’t qualify. In the hour I’ve spent so far trying to use it, what I usually see is an empty list. On the occasions when updates were shown, attempting to navigate from there also produced blank lists. Presumably this is happening because the site is overwhelmed, this being Patch Tuesday, but it’s also an excellent demonstration of why simpler systems are often better.

But even assuming that the current (as of 2017Apr11 13:00 PST) issues are transitory, information about the current set of updates that I did manage to see (in brief glimpses) was scattered among hundreds of items in the list. There is an always-visible link to a release notes page for the month’s updates, but sadly that page is far less useful than the summary bulletins previously provided. Aside from a few notes about special cases, all we get is this:

The April security release consists of security updates for the following software:
Internet Explorer
Microsoft Edge
Microsoft Windows
Microsoft Office and Microsoft Office Services and Web Apps
Visual Studio for Mac
.NET Framework
Silverlight
Adobe Flash Player

For the period between March’s Patch Tuesday and today, the guide shows 233 total items. To learn more, you have only one obvious option: go through every item in the list, looking for unique Knowledge Base article numbers in the More Info column, and clicking them to see the related KB article. I think I’ll leave that as an exercise for the reader. If Microsoft improves the guide sufficiently, I’ll go back to providing a more detailed breakdown of the monthly updates.

Update 2017Apr12: On Microsoft’s Security Update Guide, you’ll find a small Download link at the top right of the update list. You can use this to open the update list in Excel, which is a lot easier than using the flaky web-based tool. Using this method, I was able to count the number of unique updates, and it looks like there are forty-two, with forty-four vulnerabilities addressed. CERT’s count is sixty-one.

Update 2017Apr18: Ars Technica wonders if anyone likes the new Security Update Guide.

Update 2017May05: One of the updates is a new version of Silverlight (5.1.50906.0) that addresses a single security issue.

Adobe’s Contribution

As is now almost traditional, Adobe published their own set of updates today. This month we get updates for Flash (seven issues addressed) and Acrobat/Reader (47 issues addressed).

If you still use a web browser with a Flash plugin, you should update it as soon as possible. Internet Explorer and Edge will of course get their own Flash updates via Microsoft Update, while Chrome’s built-in Flash will be updated automatically on most computers.

Patch Tuesday updates from Microsoft and Adobe

It looks like Microsoft fixed the technical issues that led to February’s updates being postponed until March. Today they announced eighteen updates that address security issues in Windows, Internet Explorer, Edge, Office, Silverlight, as well as Windows Server software, including Exchange.

Critical vulnerabilities for which updates were expected in February, including an SMB flaw in Windows (CVE-2017-0016), and two others that were disclosed by Google’s Project Zero that affect the Windows GDI library (CVE-2017-0038), and Internet Explorer and Edge (CVE-2017-0037), finally get fixes today.

A total of one hundred and forty vulnerabilities are addressed by today’s updates from Microsoft. That’s higher than usual, but of course this is two months’ worth of updates.

Adobe’s contribution to the patching fun this month is new versions of Flash and Shockwave. Flash 25.0.0.127 includes fixes for seven vulnerabilities in earlier versions, while Shockwave 12.2.8.198 resolves a single security issue in versions 12.2.7.197 and earlier.

Chrome will update itself with the new version of Flash in the next day or so, but you can usually trigger the update process by navigating to its About page. Flash updates for Internet Explorer and Edge are included in this month’s updates from Microsoft.

If you’re still using a web browser with a Flash plugin, you should make sure it’s up to date as soon as possible.

Update 2017Mar17: Ars Technica points out — quite rightly — that Microsoft still owes us all an explanation for why the February updates were cancelled. My favourite quote from the Ars article: “when marketers drive communications concerning a reported zero-day exploit, customers lose.” I’d argue that when marketing folk are the only ones talking about technical issues of any kind, we should all be very worried.

Microsoft releases update for Flash

Normally, Microsoft releases updates for Flash in Edge and Internet Explorer along with everything else on the second Tuesday of each month.

This month, something went wrong with the Windows Update system, and Microsoft pushed all the February updates to March, including an expected fix for a serious SMS flaw.

Someone at Microsoft apparently realized that this decision would leave some Flash users (those using Flash in Edge and Internet Explorer) vulnerable for an extra month. Flash vulnerabilities are targeted aggressively by malicious hackers, so this is obviously a bad thing. As a result, Microsoft has released a Flash update, one week later than originally planned.

Anyone who uses Flash in Internet Explorer or Edge should visit Windows Update and install the Flash update as soon as possible.

So we do get a Microsoft Security Bulletin Summary for February 2017 after all, but it only includes a single bulletin.

Flash update fixes 13 vulnerabilities

A new version of Flash, released yesterday, addresses at least thirteen vulnerabilities in previous versions.

According to the security bulletin for Flash 24.0.0.221, the new version fixes “critical vulnerabilities that could potentially allow an attacker to take control of the affected system.”

The release notes for Flash 24.0.0.221 describe some new features that are likely only of interest to developers.

As usual, Internet Explorer and Edge will get new versions of their embedded Flash via Windows Update, while Chrome’s embedded Flash will be updated automatically.

Anyone who still uses a web browser with Flash enabled should update it as soon as possible.