Category Archives: Microsoft

Patch Tuesday for May 2020

We’re in the middle of a pandemic, but that’s no excuse to leave software unpatched. There’s certainly been no reduction in the rate at which vulnerabilities and exploits are being discovered.

This month’s contribution from Microsoft, as documented in the Security Update Guide, consists of thirty-eight updates, with corresponding bulletins, addressing one hundred and eleven vulnerabilities in .NET, Internet Explorer, Edge, Office, Visual Studio, and Windows. Eighteen of the updates are flagged as having Critical severity.

If you’re still using Windows 7, and you haven’t shelled out for Microsoft’s Extended Security Updates, you won’t find any of this month’s Windows 7 updates via Windows Update. You do have at least one other option: an organization called 0patch. These folks provide what they call ‘micropatches’ for known vulnerabilities in no-longer-officially-supported versions of Windows, including Windows 7 and Windows Server 2008. I haven’t tried these myself, but they seem legitimate. Well, presumably not in the view of Microsoft.

Windows 10 users will get the latest updates whether they’re wanted or not, although there are settings that allow you to delay them, for a while. That leaves Windows 8.1, for which Windows Update is still the appropriate tool.

Adobe once again tags along this month, with new versions of Reader and Acrobat. Most people use the free version of Reader, officially known as Acrobat Reader DC. The new version, 2020.009.20063, includes fixes for twenty-four security vulnerabilities in earlier versions.

Patch Tuesday for April 2020

As if there wasn’t enough going on, it’s already time to patch your Windows computers again.

Of course at this point, given that Windows 7 is effectively no longer getting patches, and Windows 10 updates itself whether you want it to or not, we’re really just talking about Windows 8.1. Market share for Windows 8.x was never high, and it’s now below 5% overall. Oh well.

Somewhat confusingly, Microsoft continues to produce patches for Windows 7, and documents them along with all the others in the Security Update Guide. But if you look at the requirements for these Windows 7 updates, you’ll see that they can’t be installed unless you’ve already paid for and installed the Extended Security Updates (ESU) Licensing Preparation Package. Which most regular folks can’t afford.

This month we don’t have any interesting updates from Adobe, but there’s the usual pile from Microsoft. Analysis of the Security Update Guide reveals that a total of one hundred and fourteen security vulnerabilities are addressed in this month’s patches. The usual lineup of software products is affected, including Windows, Internet Explorer 9 and 11, Edge, Office, and Windows Defender. There are thirty-eight security bulletins in all, nineteen of which are flagged as Critical.

By now I’m sure you know the drill: find Windows Update in the Control Panel and check for updates. Whether you cross your fingers or not is entirely up to you. Windows 10 users need to keep their fingers crossed at all times I guess.

Update 2020Apr15: April’s Microsoft updates include fixes for those actively-exploited Adobe Type Library vulnerabilities recently reported.

Unpatched Windows 7 vulnerability being used in targeted attacks

A serious vulnerability in Adobe Type Manager Library, a Windows DLL file used by numerous software applications, is being actively exploited, but so far only in a very limited way.

The vulnerability technically could affect all versions of Windows, but security features in current releases of Windows 10 seem to provide sufficient protection.

So far the attacks only seem to be targeting Windows 7 computers. Given that Windows 7 is no longer supported by Microsoft, we might expect that this bug would remain unpatched forever. But Microsoft has shown that it is willing to provide certain post-support Windows 7 security updates to the general public.

In any case, if you run Windows 7, the advice for fending off attacks using this vulnerability is basically the same as always: exercise extreme caution when opening suspicious documents. Even simply previewing an infected document in the Windows Explorer preview pane can allow a Windows 7 computer to be exploited remotely.

So the old advice about disabling preview panes remains valid. Any software that shows a preview of the contents of a file or email is in effect opening that file or email, which can trigger an embedded exploit on vulnerable computers. I strongly recommend disabling all such functionality, so that files and emails are never opened unintentionally, and to see the contents of files and emails, you must explicitly open them.

The related security advisory published by Microsoft also includes some workarounds, but these involve making changes to Windows that are themselves risky.

Given the wording of Microsoft’s bulletin, it seems likely that the NSA discovered this vulnerability and developed the exploit, which they are now using in their investigations. If that’s the case, the NSA may — in the post-EternalBlue/WannaCry world — have decided to inform Microsoft for the good of all.

In other words, for now you’re safe unless you’re the target of an NSA investigation. But it won’t be long until exploits attacking this vulnerability are in the hands of malicious actors.

Patch Tuesday for March 2020

Happy Patch Tuesday! Today’s gifts from the always-generous folks at Microsoft include forty-two updates, addressing one hundred and fifteen security bugs in Internet Explorer (9 and 11), Edge (the original version, not the one built on Chromium), Office (2010, 2016, and 2019), Windows (7, 8.1, and 10), and Windows Server.

You can dig into all the gory details over at the Microsoft Security Update Guide.

Computers running Windows 10 will update themselves at Microsoft’s whim over the coming days.

Windows 8.1 users can still exercise some freedom of choice in deciding when to install updates, but I encourage everyone to install them as soon as possible. Even with Microsoft’s recent bungling, you’re arguably better off with security fixes than without, even if those updates sometimes cause other problems.

To install updates on your Windows 8.1 computer, go to the Windows Control Panel and open Windows Update.

If you’re running Windows 7, you may be surprised to note that some of this month’s updates are available for that no-longer-officially-supported version. That’s because while those updates definitely exist, they’re not technically available to the general public.

To get access to the Windows 7 updates, you need to sign up for Extended Security Updates for Windows 7. This is typically only done by Enterprise users (businesses and educational institutions) who need more time to migrate computers to newer versions of Windows. For regular folks, the cost of ESU seems likely to be prohibitive.

The more adventurous among you might want to experiment with hacks to get around this limitation for Windows 7 updates. Apparently people are finding some success doing this.

Patch Tuesday for February 2020

Yesterday’s crop of updates includes the usual pile from Microsoft, as well as a few from Adobe, for Flash and Reader.

Analysis of Microsoft’s Security Update Guide for February 2020 reveals that there are thirty-eight updates, addressing one hundred and one security issues in Internet Explorer, Edge (both the old and new versions), Flash embedded in Internet Explorer, Office, and Windows. Thirteen of the updates have been flagged as Critical.

To install Microsoft updates, go to Windows Update in the Control Panel for older versions of Windows, and in Settings > Update & Security for Windows 10. Alternatively, for Windows 10, you can just wait for the updates to be installed automatically.


The latest version of Flash, 32.0.0.330, fixes a single security vulnerability in earlier versions.

Update Flash on pre-Windows 10 computers by heading to the Windows Control Panel and running the Flash applet. On the Updates tab, check the version and click the Check Now button. Click the link to the Player Download Center. Make sure to disable any checkboxes for installing additional software, then click the big Install Now button. Follow the prompts. You may have to restart your web browser for the update to finish.

Adobe Reader 2020.006.20034, also released this Patch Tuesday, includes fixes for seventeen security vulnerabilities in earlier versions.

Recent versions of Reader typically update themselves, but you can check your version and force an update by navigating Reader’s menu to Help > Check for Updates...

Microsoft news: all bad today

The hits just keep on coming for Microsoft. I suppose it’s inevitable that a company as large as Microsoft will make mistakes, but when their products reach into our lives as thoroughly as Microsoft’s, those mistakes can lead to major disasters.

Global Windows 10 search failures

A huge proportion of Windows 10 users worldwide lost the ability to search their own computers recently. According to Microsoft, the problem stemmed from a glitch on a Microsoft server. Exactly why local search should be affected by some mysterious remote Microsoft server is yet to be explained.

In reality, search in Windows has been variously broken since Vista. I discovered a particularly horrible search bug in that garbage dump of an O/S soon after it was released, and was eventually able to convince Microsoft that it was a real problem; a fix soon followed. But even that didn’t fix all of Windows search’s problems; getting it to find all your files in all their locations was — and continues to be — a never-ending, and ultimately ineffective, exercise.

That’s why most people who need a search function that’s actually useful have long since switched to third party software, such as the excellent, fast, accurate, and free Fileseek. There’s also the blazingly fast (and also free) Everything. Both of these work perfectly out of the box, requiring no special setup to be useful, unlike Windows’ built-in search.

Still, many people assume that the Windows search feature is adequate, and never switch to anything else. Those people discovered the recent problem the hard way, when the already basically worthless search stopped working completely. Those people are understandably angry.

Implicit trust of driver software is a gaping security hole in Windows

Malicious folks have discovered yet another way to fool Windows into executing code that it shouldn’t. The new technique takes advantage of the fact that Windows implicitly trusts drivers. A driver is a small piece of software that connects Windows with hardware, allowing that hardware to be used by the O/S.

In this case, a specific driver that contains a serious security vulnerability — but is nevertheless trusted by Windows — was used by hackers to deploy ransomware to affected systems.

There’s no word from Microsoft on how they intend to deal with this glaring hole in Windows security.

A treasure trove of illicit data awaits the buyer of corp.com, thanks to Microsoft

Decisions made by Microsoft years ago are poised to create massive problems for many business and educational customers worldwide. When the person who owns the generic corp.com domain sells it, the new owner will be able to gather credentials and other supposedly private data from Windows computers that assume they are communicating with internal systems.

The problem stems from an ill-considered decision to use corp.com as a default setting and in documentation provided by Microsoft. Server administrators who didn’t change that default are now faced with a huge task that involves bringing down entire networks and possibly creating new problems.

Microsoft has known about this problem for years, and their advice to customers is basically “you shouldn’t have used the defaults”. Thanks for nothing, Microsoft.

Microsoft news: the good, the bad, and the spiteful

The Good

Windows 7 support ended earlier this month, and with it any hope of fixing newly-discovered security vulnerabilities. Or did it? Microsoft recently discovered a problem with an update, released in November 2019, that is causing problems with desktop wallpaper on Windows 7 computers. This isn’t a security issue, but it probably affects thousands of users, and Microsoft has now released a special update that fixes the wallpaper problem. You can get the update via Windows Update on Windows 7 computers.

The Bad

Microsoft’s plans for expanding advertising in Windows 10 continue, albeit very slowly. The latest change is in Windows 10’s default rich text editor, Wordpad. When you run Wordpad, you’ll see an advertisement for Microsoft Office. It’s not much, and many users will never see it, but I’m reminded of the proverbial frog in steadily-warming water.

The Spiteful

Microsoft’s shenanigans with Google show no signs of slowing down. Both companies have engaged in questionable behaviour in trying to promote their software and services. The latest shot from Microsoft is particularly annoying: when Office 365 updates itself — a process that is both frequent and difficult to control — it will look for an installation of Google’s Chrome web browser, and change its default search engine to Bing.

Microsoft has a history of inappropriately reverting settings during updates, which is annoying enough, but this is excessive and downright spiteful, in my opinion. Microsoft, please play out your differences with Google in a way that doesn’t annoy millions of users.

Update 2020Feb11: Microsoft relented, and won’t be switching Windows 10 searches to use Bing during Office 365 updates. I guess they realized that they didn’t need yet another public relations disaster.

Patch Tuesday for January 2020; end of support for Windows 7

The first Patch Tuesday for 2020 arrives with the long-planned but still inconvenient end of meaningful support for Windows 7.

The venerable Windows 7 still runs on about a quarter of all PCs worldwide. Sticking with Windows 7 was — and continues to be — a conscious decision for many users, made because Windows 8 and 10 were problematic for a variety of reasons.

Microsoft killed support for Windows XP on April 8, 2014, but still released updates for that O/S on a couple of occasions when a security vulnerability was so severe that it seemed likely to cause massive problems if unpatched. Microsoft will probably do the same thing for Windows 7, but it’s not a good idea to rely on the goodwill of any large corporation.

So, if you’re running Windows 7, what should you do? You can upgrade to Windows 8.1, which will buy you some time, until its support ends on January 10, 2023. Or you can stop resisting and make the move to Windows 10. Many of the initial problems with — and objections to — Windows 10 have now been addressed, making it somewhat less unpalatable. Microsoft offers additional guidance on the Windows 7 support ended on January 14, 2020 page on the Microsoft support site.

Another sensible option would be to switch to Linux. There are now Linux distributions that feel a lot like Windows, which can ease the transition. The main problem is software. But even if the software you use has no Linux version, you can still run an older version of Windows in a virtual machine on your Linux computer. That’s not too helpful for high-end games, however.

Back to our regularly scheduled updates…

There are thirty-nine updates (and associated bulletins) from Microsoft this month, addressing fifty vulnerabilities in Windows, .NET, Internet Explorer, and Office. Eight of the updates are flagged with Critical severity.

Although there are other ways to obtain the updates, by far the simplest method is to use Windows Update, which is found in the Windows 10 settings, or the Control Panel in older versions.

Update 2020Jan15: One of the vulnerabilities addressed in yesterday’s updates was reported to Microsoft by the NSA. While there’s disagreement about the seriousness of the vulnerability, this is notable in that the NSA previously wasn’t interested in sharing its discovered vulnerabilities. Lack of NSA cooperation led to the WannaCry ransomware nightmare in 2017. Brian Krebs has more.

While it’s generally a good idea to cross your fingers and install all available Microsoft updates, or at least allow them to be installed automatically, some Windows 10 users have grown wary of updates, and configured Windows Updates to be delayed. The actual risk from this vulnerability is mostly for Windows Server 2016 computers that are exposed to the Internet, and Windows 10 computers normally used by people with administrator permissions.

Update 2020Jan17: There’s more useful information about the NSA-reported vulnerability from Ars Technica, and SANS. SANS has created a web page and download that you can use to test your computers for this vulnerability.

Patch Tuesday for December 2019

This month we’ve got a new version of Reader from Adobe, along with the usual heap of updates affecting Microsoft software.

Analysis of Microsoft’s Security Update Guide for December shows that there are thirty-two updates in all, affecting Internet Explorer 9 through 11; Office 365, 2013, 2016, and 2019; Visual Studio; Windows 7, 8.1, and 10; and Windows Server 2008, 2012, 2016 and 2019. Thirty-seven vulnerabilities (CVEs) are addressed, of which seven are flagged as having Critical severity.

The easiest way to install Microsoft updates is via the Windows Update Control Panel (prior to Windows 10) or Settings > Update & Security on Windows 10.

Adobe released updates for several of its software products on Tuesday, but the only one likely to be installed on your computers is the ubiquitous Acrobat Reader DC, Adobe’s free PDF file viewer.

A new version of Acrobat Reader DC, 2019.021.20058, addresses at least twenty-one vulnerabilities in previous versions.

Recent versions of Reader seem to keep themselves updated, but if you use Reader to view PDF files from dubious sources, you should definitely check whether your Reader is up to date. Do that by running it, then choosing Check for Updates... from the Help menu.

About CVEs

I usually refer to security bugs as vulnerabilities. There’s another term that I sometimes use (see above): CVE. That’s an abbreviation for Common Vulnerabilities and Exposures. If you’d like to know more, there’s a helpful post about CVEs over on the SecurityTrails web site. Here’s a quote:

CVE was launched in 1999 by the MITRE Corporation, a nonprofit sponsored by the National Cyber Security Division, or NCSD. When a researcher or a company discovers a new vulnerability or an exposure, they add them to the CVE list so other organizations can leverage this data and protect their systems.

It’s a worthwhile read, even for non-technical folks.

MORE Windows 10 update problems

Today’s nightmare is brought to you by Microsoft

An open letter to Microsoft:

Dear Microsoft –

Please either allow us to disable Windows 10 updates, or stop pushing out updates that break millions of computers worldwide every few weeks.

Sincerely,
Almost a billion Windows 10 users

The problems with Windows 10 updates are getting worse, not better. The last major feature update (1903) had major issues at release, and more seem to be turning up with each new set of “quality” updates. Those quotes around the word ‘quality’ are very intentional, by the way.

I’ve just spent most of a day troubleshooting and fixing a heinous set of problems related to printing, affecting most of the computers at a retail client. Printing is a critical function for this client, as it is for most businesses.

What follows is the sequence of events leading up to the printing problem, and what finally fixed it.

All of the computers are running 64-bit Windows Professional release 1903 (build 18362.356).

SUMMARY: Update 4522016, which apparently caused these printing problems on some computers, was never installed on any of the affected PCs at this business. Update 4524147 caused the printing problems it was supposed to fix. Uninstalling update 4524147 fixed the printing problems on three otherwise up-to-date Windows 10 PCs.

  1. 2019Oct03: Update 4524147 was installed automatically on all affected PCs. This happened overnight, which is normal for these PCs.
  2. 2019Oct04: The client reported printing problems on several PCs.
  3. 2019Oct04: The usual troubleshooting for printing issues was ineffective. Research eventually showed that a recent Windows update (4522016) was causing printing problems for many users. But that update was never installed on any of the affected PCs.
  4. 2019Oct04: Since printing was working fine before 4524147 was installed, I uninstalled that update, and printing started working again. Repeating this on all affected computers resolved all the printing problems.
  5. 2019Oct05: On trying to log into one of the recently-fixed PCs, Windows 10 told me that the Start menu was broken. Research showed that update 4524147 was causing this problem (the second time an update broke the Start menu in recent weeks). I checked, and sure enough, 4524147 had been reinstalled automatically overnight. Uninstalling it fixed the Start menu.
  6. 2019Oct05: To delay recurrence of the printing problem, I used the Advanced settings on the Windows Update screen to delay updates as long as possible. On most of the PCs, I was able to delay updates for between 30 and 365 days. On one PC, these settings were inexplicably missing. I eventually had to use the Local Group Policy Editor to make the necessary changes.
  7. 2019Oct04: I reported this bizarre situation to Microsoft via its Windows 10 Feedback hub. It’s difficult to know whether anyone at Microsoft will actually see this, or take it seriously. I have doubts, which means that this problem seems likely to reappear at some point.

As predicted

This is in fact the nightmare scenario envisioned by myself and others when it became clear that Windows 10 updates would not be optional. While Microsoft has — grudgingly — made it possible to delay updates, it’s still not possible to avoid them completely, and if you’re one of the unlucky Windows 10 Home users, even that’s not an option.

Questions for Microsoft

Why did an update intended to fix printing problems actually cause those exact problems?

Why are some of the advanced Windows Update settings missing from one of several identically-configured Windows 10 PCs running the same build?

Why are you inflicting this garbage on us? Do you hate us?

WHY DON’T YOU LET US TURN OFF UPDATES? This is the simplest solution, and while I understand that you want Windows 10 installs to be secure (and that means installing fixes for security vulnerabilities), until you can produce updates that don’t cause massive problems, we don’t want them.


Update 2019Oct10: Apparently update 4517389, released on October 8 along with the rest of October’s updates, addresses this problem.