Category Archives: Microsoft

Strange times for Microsoft

Microsoft’s relentless push to get everyone using Windows 10 is creating problems for the software giant. At least one class action lawsuit is underway in Illinois, where annoyed users claim that Microsoft owes more than $5 million in damages related to Windows 10 upgrades, both wanted and unwanted.

Meanwhile, Windows is no longer the most popular way to access the Internet. As recently as 2012, up to 90% of all Internet access was via Windows, but that number has been dropping steadily in recent years, and it’s now at an all-time low. For the first time ever, another operating system is in first place: the mobile O/S Android. Microsoft has bet heavily on Windows 10 and its universal touch interface, alienating traditional desktop enthusiasts and power users in the process. But if consumers are increasingly choosing Android over Windows 10 for their mobile devices, where does that leave Windows?

Microsoft’s efforts to herd users towards their advertising platform Windows 10 includes discontinuing support for newer processors on older versions of Windows. While it’s clearly Microsoft’s prerogative to decide which hardware they support, there’s no obvious technical reason for this limitation. In light of Microsoft’s historical support for older systems, this is particularly annoying news for anyone expecting to be able to use Windows 7 or 8.1 with new hardware.

The April 12 publication of a set of exploits by hacking group The Shadow Brokers included several that were widely reported as unpatched zero-day Windows vulnerabilities. It turns out that most of those vulnerabilities were already fixed by March’s Patch Tuesday updates. While this is good news for Windows users, it raises questions about when and how Microsoft learned about the Shadow Brokers exploits, why there was no mention of the source in March’s patch release notes, and whether this has anything to do with the rescheduling of February’s Patch Tuesday updates. Update: TechDirt’s analysis.

Windows 10 telemetry details revealed by Microsoft

Microsoft has finally provided some details regarding Windows 10’s telemetry: the data Windows 10 collects and sends back to the Redmond mothership.

A recent post on the Windows blog (Windows 10 privacy journey continues: more transparency and controls for you) highlights three changes related to Windows 10 privacy:

  1. With the April 11 Creators Update, Windows 10 itself will provide more useful and detailed information about privacy settings, both during initial setup and in the Settings app.
  2. The privacy statement for Windows 10 has been updated.
  3. Most importantly, you can now see exactly what data is being collected from your computer and sent to Microsoft.

Telemetry data revealed

The information Windows 10 collects at the Basic privacy/telemetry/diagnostic level is listed in great detail on a new page on the Technet site: Windows 10, version 1703 basic level Windows diagnostic events and fields. The information is moderately technical, and may not be of much use to regular users, but it’s worth skimming if you have any concerns about Windows 10 telemetry.

There’s a similar new Technet page that describes, in somewhat more general terms, the data collected at the Full privacy/telemetry/diagnostic level: Windows 10, version 1703 Diagnostic Data.

Now someone just needs to review all that information, looking for red flags. Any volunteers?

Ars Technica: Microsoft opens up on Windows telemetry, tells us most of what data it collects

The Verge: Microsoft finally reveals what data Windows 10 really collects

Windows 10 Creators Update

The next big update for Windows 10 was released on April 11, Patch Tuesday. Opinions differ as to the significance of the update: while Microsoft touts it as something amazing, others see it as something less than a major update.

Still, the new version contains incremental improvements, and a few changes that are likely to be useful. Interesting, but not particularly useful changes include Paint 3D, mixed reality support, and 4K gaming support. Visuals, Ink, Surface Dial, Bluetooth, notifications, background execution, Cortana, Skype, Windows Defender, Windows Store and app download all get modest improvements.

Enhancements to Desktop Bridge, which allows traditional desktop apps to be migrated to the new Windows UI, will make a lot of lives easier. The Windows Subsystem for Linux is also expanded with new functionality. The Edge browser gets some new features that are likely to be helpful for people who actually use Edge. A new Game Mode may make Windows 10 gaming slightly more palatable. Beam game streaming is now built into Windows 10. A new feature called Night Light allows Windows 10 to reduce blue light from a display at specific times.

Windows 10’s privacy settings are overhauled in the new version, including a new privacy dashboard, although the overall result seems to be less control rather than more. The window of time during which Windows 10 can update itself has been widened slightly, but there’s still no way to avoid Microsoft’s remote fiddling unless you’re using an Enterprise version.

All in all, there’s nothing particularly objectionable about this update, and there are enough improvements to make it worthwhile. Which is good, because you’ll get it whether you want it or not. Whenever Microsoft wants you to get it.

More information from Microsoft

Patch Tuesday for April 2017

As of this month, Microsoft is no longer publishing security bulletins. What we get instead is the Security Update Guide, an online database of Microsoft updates. Instead of a nice series of bulletins in my RSS reader, I get a single notification that contains almost nothing of use, aside from a link to the Security Update Guide. It also recommends enabling auto updates. Suffice to say that they won’t need to change the wording next month.

Security Update Guide

I’m sure it’s possible to create an online update database that works, but the Security Update Guide doesn’t qualify. In the hour I’ve spent so far trying to use it, what I usually see is an empty list. On the occasions when updates were shown, attempting to navigate from there also produced blank lists. Presumably this is happening because the site is overwhelmed, this being Patch Tuesday, but it’s also an excellent demonstration of why simpler systems are often better.

But even assuming that the current (as of 2017Apr11 13:00 PST) issues are transitory, information about the current set of updates that I did manage to see (in brief glimpses) was scattered among hundreds of items in the list. There is an always-visible link to a release notes page for the month’s updates, but sadly that page is far less useful than the summary bulletins previously provided. Aside from a few notes about special cases, all we get is this:

The April security release consists of security updates for the following software:
Internet Explorer
Microsoft Edge
Microsoft Windows
Microsoft Office and Microsoft Office Services and Web Apps
Visual Studio for Mac
.NET Framework
Silverlight
Adobe Flash Player

For the period between March’s Patch Tuesday and today, the guide shows 233 total items. To learn more, you have only one obvious option: go through every item in the list, looking for unique Knowledge Base article numbers in the More Info column, and clicking them to see the related KB article. I think I’ll leave that as an exercise for the reader. If Microsoft improves the guide sufficiently, I’ll go back to providing a more detailed breakdown of the monthly updates.

Update 2017Apr12: On Microsoft’s Security Update Guide, you’ll find a small Download link at the top right of the update list. You can use this to open the update list in Excel, which is a lot easier than using the flaky web-based tool. using this method, I was able to count the number of unique updates, and it looks like there are forty-two, with forty-four vulnerabilities addressed. CERT’s count is sixty-one.

Update 2017Apr18: Ars Technica wonders if anyone likes the new Security Update Guide.

Adobe’s Contribution

As is now almost traditional, Adobe published their own set of updates today. This month we get updates for Flash (seven issues addressed) and Acrobat/Reader (47 issues addressed).

If you still use a web browser with a Flash plugin, you should update it as soon as possible. Internet Explorer and Edge will of course get their own Flash updates via Microsoft Update, while Chrome’s built-in Flash will be updated automatically on most computers.

Windows 10 cumulative updates hopelessly botched

Recently I noticed that my Windows 10 test PC wasn’t staying logged in. Every morning, despite not having logged out the day before, I was seeing the login screen. A bit of poking around in the Windows 10 settings showed that Windows was trying to install update KB4013429, rebooting to complete the install, failing to complete the install, and rolling back the changes. Rinse and repeat daily, since March 14.

Searching online, I immediately found other people experiencing this problem. No official solution from Microsoft, but plenty from other users, including what turned out to be the only thing that worked for many: a total reinstall of Windows 10.

One user pointed to an interesting tool, available in the TechNet Script Center, called Reset Windows Update Agent. (Note: this script was created and submitted by a non-Microsoft contributor, not by Microsoft.) Since I wasn’t getting anywhere looking for an official solution, I tried the tool’s main feature, which does indeed reset all things Windows Update. After rebooting, Windows successfully installed a few updates, then started to install ‘Cumulative Update for Windows 10 Version 1607 (KB4015438)’, which Microsoft issued on March 20 to address problems with KB4013429. But that update also failed to install, and now we’re back in our daily loop.

I considered contacting Microsoft about this, but then I remembered my previous encounters with Microsoft support, shuddered, and thought better of it. After all, Microsoft already knows my PC is having trouble installing this update, because of all the telemetry in Windows 10, right? If anything, they should be contacting me with a solution. Yeah, right. Like that would ever happen.

I really don’t want Microsoft to be in a position to make my life miserable, especially now that they can do that remotely, without my explicit consent, and usually without my knowledge. At a time when Microsoft should be showing us just how much they’ve learned about managing Windows updates, they seem to be getting worse.

I sympathize with anyone who tries to do anything productive with Windows 10. I only use it for testing and media playback, but even so, this is the end of the line for my relationship with Windows 10. I’ll be installing Linux Mint MATE next.

Windows Vista to be put out of its misery on April 11

I’m sure there are a few people out there still using Vista. It may even have a few fans, and maybe they’re sad about Vista’s impending trip to the back of the woodshed. But they’re crazy: Vista was a terrible O/S.

CERT’s announcement of Vista’s coming demise.

After April 11, Vista will no longer receive any updates from Microsoft, including security updates. Beyond that point, no Vista computer should be allowed to connect to the Internet.

Patch Tuesday updates from Microsoft and Adobe

It looks like Microsoft fixed the technical issues that led to February’s updates being postponed until March. Today they announced eighteen updates that address security issues in Windows, Internet Explorer, Edge, Office, Silverlight, as well as Windows Server software, including Exchange.

Critical vulnerabilities for which updates were expected in February, including an SMB flaw in Windows (CVE-2017-0016), and two others that were disclosed by Google’s Project Zero that affect the Windows GDI library (CVE-2017-0038), and Internet Explorer and Edge (CVE-2017-0037), finally get fixes today.

A total of one hundred and forty vulnerabilities are addressed by today’s updates from Microsoft. That’s higher than usual, but of course this is two months’ worth of updates.

Adobe’s contribution to the patching fun this month is new versions of Flash and Shockwave. Flash 25.0.0.127 includes fixes for seven vulnerabilities in earlier versions, while Shockwave 12.2.8.198 resolves a single security issue in versions 12.2.7.197 and earlier.

Chrome will update itself with the new version of Flash in the next day or so, but you can usually trigger the update process by navigating to its About page. Flash updates for Internet Explorer and Edge are included in this month’s updates from Microsoft.

If you’re still using a web browser with a Flash plugin, you should make sure it’s up to date as soon as possible.

Update 2017Mar17: Ars Technica points out — quite rightly — that Microsoft still owes us all an explanation for why the February updates were cancelled. My favourite quote from the Ars article: “when marketers drive communications concerning a reported zero-day exploit, customers lose.” I’d argue that when marketing folk are the only ones talking about technical issues of any kind, we should all be very worried.

They’re here: ads in Windows 10

We called it. Microsoft denied it. Now the reality of advertising in Windows has arrived. We’re not talking about the tiny, easily-ignored ads commonly seen in Skype, either. The ads that just started appearing in Windows 10 are hard to miss, and they’re in Windows Explorer, arguably the core user interface of the system.

Of course Microsoft is calling these ads ‘tips’ and insists that they just provide helpful information to Windows 10 users. Okay, let’s take a look at what users are seeing:

You be the judge: is this an advertisement?

You may disagree, but in my opinion, that’s an ad. It might as well say “Your Advertisement Here” or “Advertise In This Space”. At this stage, I’m sure we’ll only see ads from Microsoft in Explorer, but once the anger subsides, it’s difficult to imagine Microsoft won’t start selling that space – and others like it – to the highest bidder.

That’s right, Windows 10 really is an advertising platform, just as we’ve been saying all along. It explains why Microsoft was so happy to give away the O/S to anyone who upgraded from an earlier version, why they pushed so hard and literally tricked people to upgrade from earlier versions, why they included so much user activity tracking in Windows 10, and why they retrofitted that tracking into earlier versions when people failed to upgrade in sufficient numbers.

Clearly, the underlying reason for Microsoft’s advertising-in-Windows strategy is simply the enormous amount of money being made by Google from advertising.

Linux is looking a lot better now, isn’t it?

Analysis from The Verge and Ars Technica.

Update 2017Mar17: Tom Warren over at The Verge reacts to the new ads in Windows 10. He describes it as an ‘infestation’, and I agree with his assessment.

Microsoft announces amazing new Windows 10 feature

There’s a surprisingly lengthy post on the Windows Experience blog, co-written by two senior Microsoft managers: Michael Fortin (CVP of Windows and Devices Group Core Quality) and John Cable (Director of Program Management, Windows Servicing and Delivery).

Okay, what’s so important that these two folks decided to write about it? Just this: after the upcoming Windows 10 “Creators Update”, Windows 10 will be slightly less likely to do things at inconvenient times.

I don’t know about you, but allowing users to have control over when updates are installed, and when their computer reboots, seems like a pretty basic feature. And in fact that kind of control has existed in Windows for years. Until Windows 10. But instead of fixing the problem and apologizing for it, we get senior Microsoft managers talking about this bug fix as if it was the most amazing new feature ever.

I understand that there are good reasons to force updates and restarts, the main one being that otherwise many people allow their computers to get out of date, and vulnerable. But seriously, wouldn’t it have made more sense for automatic updates and restarts to be the default behaviour, and allow for this behaviour to be overridden, when Windows 10 was released?

The Verge’s take on this. And Ars Technica’s.

Update 2017Mar22: A new ‘tip’ from Microsoft shows Windows 10 users how to change ‘Active Hours’, during which Microsoft hopefully won’t remotely restart their computer. Of course, the maximum duration for active hours is still only twelve hours. On a related note, I was wondering why my Windows 10 test PC always seemed to be logged out lately, and discovered that it’s been trying to install one particular update every night for a couple of weeks. Windows reboots to complete the install, but the installation fails, and the cycle repeats. This is exactly the kind of thing that bothers me about letting Microsoft screw around with my computer without my knowledge.

Microsoft releases update for Flash

Normally, Microsoft releases updates for Flash in Edge and Internet Explorer along with everything else on the second Tuesday of each month.

This month, something went wrong with the Windows Update system, and Microsoft pushed all the February updates to March, including an expected fix for a serious SMS flaw.

Someone at Microsoft apparently realized that this decision would leave some Flash users (those using Flash in Edge and Internet Explorer) vulnerable for an extra month. Flash vulnerabilities are targeted aggressively by malicious hackers, so this is obviously a bad thing. As a result, Microsoft has released a Flash update, one week later than originally planned.

Anyone who uses Flash in Internet Explorer or Edge should visit Windows Update and install the Flash update as soon as possible.

So we do get a Microsoft Security Bulletin Summary for February 2017 after all, but it only includes a single bulletin.