Category Archives: Internet Explorer

Adobe, Flash, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for January 2017

Leave a comment

Another Patch Tuesday rolls around, bringing updates for Internet Explorer, Edge, Windows, and Office from Microsoft, and new versions of Flash and Reader from Adobe.

According to the Microsoft’s January 2017 bulletin summary,

“There are no security fixes or quality improvements for Windows 8.1 … on Update Tuesday for January 2017. As such, there is no Security Only Quality Update or Security Monthly Quality Rollup release for [Windows 8.1] this month.”

And in fact there are only four bulletins (with associated updates), addressing vulnerabilities in Windows, Edge, Office, and the Flash player built into Edge and Internet Explorer 11. Not including Flash, these updates address three security vulnerabilities.

Adobe’s contributions this month start with Flash 24.0.0.194, which addresses thirteen vulnerabilities in previous versions, adds some new features that are not particularly interesting, and improves support for high resolution displays in Firefox on Windows: Flash content will now scale properly in that context. As usual, Flash updates for Edge and Internet Explorer are handled by Microsoft, and Google Chrome will update itself automatically.

New versions of Adobe Reader address twenty-nine vulnerabilities. Reader XI is up to version 11.0.19, while its confusingly-named sister products Acrobat Reader DC (Continuous) and Acrobat Reader DC (Classic) are at versions 15.023.20053 and 15.006.30279, respectively.

So it’s an enjoyably light month. Visit Windows Update, update Adobe Reader, and if you use a web browser with Flash enabled, make sure to update that as well.

Edge, Google, Internet Explorer, Microsoft, Windows

Microsoft is losing all of its browser market share to Google

Leave a comment

If you used Windows in the 90’s, you probably remember the Browser War between Microsoft’s Internet Explorer and Netscape’s Navigator. That war culminated in an antitrust case against Microsoft, in which the plaintiff (the USA) claimed that Microsoft’s bundling of IE with Windows was anti-competitive.

Regardless of whether you believe Microsoft acted fairly, Internet Explorer’s market share increased steadily during the period from 1995 to 2001, getting close to 100% at its high water mark. Microsoft never charged anything for its browser, but controlling the window through which most of the world viewed the web clearly provided a huge advantage to the company.

Now, all that ‘hard won’ market share is being given away by Microsoft, mostly to Google’s Chrome. Internet Explorer’s share plummeted from 40% to 20% in 2016, and there’s no bottom in sight.

Why is this happening?

Microsoft has abandoned Internet Explorer, switching its browser development efforts to Edge, which only runs in Windows 10. Only the most recent versions of IE are still supported, and only on Windows 7, 8.1, and 10. And that support is limited to fixing security issues and other bugs. You won’t see any more new features in IE.

Clearly, Microsoft thought everyone would upgrade to Windows 10, especially given the free upgrade offer, and the company’s aggressive upgrade tactics. But that appears to have backfired; Windows 10’s growth has been less than stellar, and even though Edge is arguably a better browser than IE, Windows 10 users are mostly choosing other browsers.

Microsoft may soon own as little as 5% of the total browser market, thanks to Edge’s lackluster uptake. Edge started 2016 with a market share of about 4%, and ended it with about 5%.

I think this qualifies as a major strategic blunder on the part of Microsoft.

Numbers are courtesy of NetMarketShare.

Article on Ars Technica.

Adobe, Edge, Flash, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for December 2016

Leave a comment

For 2016’s final set of updates, Microsoft has issued twelve bulletins, with associated patches, affecting the usual software, namely Windows, Internet Explorer, Edge, Office, and the .NET Framework. Forty-seven vulnerabilities in all are addressed by these updates.

Adobe issued updates for several of its products today, but the only one likely to be of interest to most people is, of course, Flash. And I mean ‘interest’ in the sense of “I am very interested in not having my computer infected with malware because I visited a malicious web site while running an out-of-date version of Flash.” The new version of Flash on all platforms is 24.0.0.186. It addresses seventeen vulnerabilities in the still-ubiquitous player. As usual, Flash in Internet Explorer and Chrome will be updated automatically.

Chrome, Edge, Firefox, Google, Internet Explorer, Microsoft, Security

SHA-1 deprecation coming soon

Leave a comment

SHA-1 (Secure Hash Algorithm 1) is still used by some web sites to encrypt their traffic. Starting in early 2017, most web browsers will start displaying scary-looking warnings when anyone tries to visit sites using SHA-1.

Like this one in Edge:

After Feb 14, 2017, Microsoft Edge will show this warning when it detects SHA-1 encryption
After Feb 14, 2017, Microsoft Edge will show this warning when it detects SHA-1 encryption

SHA-1 deprecation announcements

Microsoft

(From a post on the Microsoft Edge blog.)

Starting on February 14th, 2017, Microsoft Edge and Internet Explorer 11 will prevent sites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning. Though we strongly discourage it, users will have the option to ignore the error and continue to the website.

Mozilla

From a post on the Mozilla security blog.

In early 2017, Firefox will show an overridable “Untrusted Connection” error whenever a SHA-1 certificate is encountered that chains up to a root certificate included in Mozilla’s CA Certificate Program. SHA-1 certificates that chain up to a manually-imported root certificate, as specified by the user, will continue to be supported by default; this will continue allowing certain enterprise root use cases, though we strongly encourage everyone to migrate away from SHA-1 as quickly as possible.

Google

From a post on the Google security blog.

We are planning to remove support for SHA-1 certificates in Chrome 56, which will be released to the stable channel around the end of January 2017. The removal will follow the Chrome release process, moving from Dev to Beta to Stable; there won’t be a date-based change in behaviour.

Adobe, Edge, Flash, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for November 2016

Leave a comment

It’s Patch Tuesday, albeit a slightly more interesting one than usual. Patches we have, from both Microsoft and Adobe. More about that later.

Microsoft wants to simplify the way security update information is presented to the public. To that end, they’ve created a new ‘starting page’ of sorts, called the Security Updates Guide. The idea is that anyone should be able to find the information they need by starting here. Most of the links on the new page actually go to existing TechNet pages. It’s definitely worth checking out.

Among the updates from Microsoft this month is a fix for the Windows vulnerability recently reported by Google. You may recall that Microsoft was rather annoyed with Google for making the vulnerability public according to their own rules (sooner than Microsoft wanted). Microsoft did credit Neel Mehta and Billy Leonard of Google’s Threat Analysis Group for their assistance.

There are fourteen bulletins from Microsoft this month. The associated updates address seventy-five vulnerabilities in Windows, Edge, Office, and Internet Explorer.

Adobe’s monthly contribution to the festivities is a new version of Flash, 23.0.0.207. A release announcement provides an overview of the changes, while the associated security bulletin provides some background about the nine vulnerabilities addressed.

Adobe, Chrome, Edge, Flash, Internet Explorer, Patches and updates, Security, Windows

Flash 23.0.0.205

1 Comment

Normally Adobe releases Flash updates on Patch Tuesday, but when there’s a critical security vulnerability they will release an ‘out of cycle’ fix. That’s what happened with Flash 23.0.0.205, which was released on October 26 to address a single vulnerability: CVE-2016-7855 (details pending).

Anyone who uses Flash in a web browser should update Flash as soon as possible. If you’re not sure whether you’re running the latest Flash, go to the About Flash page on the Adobe web site.

As always, Internet Explorer and Edge will get updates to their embedded Flash via Windows Update (bulletin MS16-128), and Chrome will update itself automatically. Still, it’s a good idea to make sure by visiting the About Flash page.

Adobe, Edge, Flash, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday: October 2016

Leave a comment

It’s the first day of a new era in Windows updates. Windows 7 and 8 now get updates in cumulative rollups, and updates are bundled together.

This month there are ten security bulletins. Each bulletin is associated with one fix for a specific vulnerability in an application, library, or API; or with a bundle of fixes that address several vulnerabilities in Windows.

Each bulletin is associated with at least one Knowledge Base article, and sometimes with additional KB articles that apply to different versions of Windows, Office, .NET, or some other application. Each additional KB article is associated with a version-specific update. There are often two sets of KB articles: one for the security only quality update and one for the security monthly quality update.

All of the security updates this month are available via Microsoft Update. Most are also available from the Microsoft Download Center and the Microsoft Update Catalog (MUC). Downloading updates from the MUC technically requires Internet Explorer, but you can use any other browser by navigating to http://catalog.update.microsoft.com/v7/site/Rss.aspx?q=KBxxxxxxx (replacing KBxxxxxxx with the KB article number).

So far I don’t see anything in these new updates that looks particularly worrisome. Of course there’s always a risk that Microsoft will slip something in that we don’t want, but there’s a non-trivial amount of scrutiny being directed toward Microsoft right now, and I’m confident someone will quickly spot anything untoward.

I was half-expecting the updates to be as poorly documented as Windows 10 updates, but instead the Windows 10 updates are now as well documented as the others. I also thought there would be fewer bundles, and I didn’t expect them to be grouped as sensibly as they are.

The new system is simpler in some ways, and it does at least unify all versions of Windows to some extent, although Windows 10 updates are still treated somewhat differently. It all actually seems less clunky than before, which is a very nice surprise.

Questions remain. It’s unclear how bad updates will be handled. In the past, if an update broke Windows, you could uninstall it. Now, presumably, you’d have to uninstall an entire bundle. Or something. We’ll see how it goes next month when rollups start arriving with multiple months worth of updates.

Update 2016Oct12: Brian Krebs’ take on the new Windows Update system.

Adobe, Chrome, Edge, Flash, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for September 2016

Leave a comment

Microsoft’s contribution to our monthly headache is fourteen updates for their flagship software (Windows, Office, Edge, and Internet Explorer). Seven of the updates are classified as Critical. Over sixty separate vulnerabilities are addressed by these updates. One of the updates is for the version of Adobe Flash embedded in Internet Explorer 10 and 11, and Edge.

Not wanting to be left out, Adobe once again brings its own pile of patches to the table. Flash 23.0.0.162 includes fixes for at least twenty-six vulnerabilities. Google Chrome will update itself with the new Flash, and Internet Explorer 10 and 11, and Edge, get the new Flash via the update mentioned above. For all other browsers, simply visit the main Flash page to check your Flash version and update it as needed.

Edge, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for August 2016

Leave a comment

It’s update time again. This month Microsoft is making available nine updates, affecting Windows, Internet Explorer, Edge, and Office. Five of the updates are flagged as Critical. A total 38 vulnerabilities are addressed with these updates.

The associated bulletin from Microsoft has additional details.

There’s also one new security advisory: Update for Kernel Mode Blacklist.

Adobe, Flash, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for July 2016

Leave a comment

It’s a relatively light month for Microsoft patches: only eleven this time. The updates address security issues in the usual suspects, namely Windows, Internet Explorer, Edge, Office, and the Flash code that’s embedded in IE 10, IE 11, and Edge. Six of the updates are flagged as Critical. A total of fifty vulnerabilities are addressed.

Adobe joins in the fun again this month, with updates for Flash and Reader/Acrobat. The Flash update fixes a whopping fifty-two vulnerabilities, while the Reader update fixes thirty vulnerabilities. Update: an announcement for the Flash update appeared on July 14th, despite being dated July 12th.

Update 2016Jul17: Ars Technica points out that one of the Microsoft updates addresses a critical security hole in a Windows printer driver installation mechanism that dates back to Windows 95. The vulnerability was not actually closed by the update; instead, a warning was added to the driver installation process.