Category Archives: Microsoft

Microsoft releases update for Flash

Normally, Microsoft releases updates for Flash in Edge and Internet Explorer along with everything else on the second Tuesday of each month.

This month, something went wrong with the Windows Update system, and Microsoft pushed all the February updates to March, including an expected fix for a serious SMS flaw.

Someone at Microsoft apparently realized that this decision would leave some Flash users (those using Flash in Edge and Internet Explorer) vulnerable for an extra month. Flash vulnerabilities are targeted aggressively by malicious hackers, so this is obviously a bad thing. As a result, Microsoft has released a Flash update, one week later than originally planned.

Anyone who uses Flash in Internet Explorer or Edge should visit Windows Update and install the Flash update as soon as possible.

So we do get a Microsoft Security Bulletin Summary for February 2017 after all, but it only includes a single bulletin.

Microsoft pushes February updates to March

In an unprecedented move, Microsoft has decided to delay all February updates until next Patch Tuesday, which is March 14. It’s still not clear exactly why this is happening, but Microsoft is working on structural changes to the Windows Update system, so presumably something went horribly wrong in testing.

This is bad news for anyone who runs a server that’s vulnerable to a recently-discovered SMB flaw that was expected to be fixed with Tuesday’s updates.

Update 2017Feb23: Meanwhile, Google’s Project Zero went ahead and published the details of another vulnerability that was supposed to be fixed this month. This was done in keeping with GPZ’s own policy, but as usual Microsoft isn’t happy about it.

Microsoft will patch recently-discovered SMB flaw in February

The flaw itself is not particularly dangerous for most users: it can only be used to crash Windows computers with file shares that are exposed to the Internet. But when an exploit was published on Thursday, the vulnerability was initially assigned the highest risk rating by CERT. That rating has since been downgraded, as details of the flaw became more clear.

In any case, Microsoft’s reaction to the exploit announcement included statements that are demonstrably false, and seem to have been motivated by the company’s frantic efforts to get everyone on the planet to switch to Windows 10.

“Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible.”

This is simply false. The same work is done for Linux and MacOS. The unnamed Microsoft staffer who said this may have borrowed it from this TechNet blog post, without checking its veracity.

“We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

This is totally misleading. Windows 10 is arguably the safest version of Windows yet, but the vulnerability affects all versions of Windows. Worse, the vulnerability is completely unrelated to web browsing.

It looks like Microsoft has issued standing orders to its PR department to push Windows 10 at every opportunity, and not to worry too much about accuracy.

Microsoft is expected to issue an update for the vulnerability on February’s Patch Tuesday.

Windows 10 privacy improvements, sort of

The good news is that Microsoft is improving the state of privacy in Windows 10, albeit slowly, and grudgingly. The bad news is that the improvements are unlikely to satisfy anyone genuinely concerned about what Windows 10 is really doing.

New: Privacy Dashboard

A few days ago, Terry Myerson, Microsoft’s Executive Vice President of the Windows and Devices Group, announced a new web-based Privacy Dashboard, accessible via your Microsoft account. If you don’t have a Microsoft account, you’re out of luck. I’m still using my Microsoft account to log into my test system, because otherwise I’d have to buy a Windows 10 license. You probably already have a Microsoft account even if you don’t use Windows 10, as they are used for XBox Live, Skype, and other Microsoft services as well.

Poking around in the Privacy Dashboard, the Browsing History section is empty for me, presumably because I don’t use Cortana or Edge. The Search History section is also empty for me, because I don’t use Bing search. But if you use Cortana, Edge and Bing, you’d be able to see all that history here, and be able to remove it as well.

The Location section shows where you’ve been when you logged in on Windows 8.1 and 10 computers. Again, you can clear any or all of this. The section for Cortana’s database shows everything Cortana knows about you, based on your interactions. This is where things get interesting for me, because I only used Cortana for a couple of days when I first installed Windows 10. Cortana knows how often I eat at restaurants, and how far I go to get there. It knows my main mode of transportation. It knows what kind of news interests me. It’s not much, but it’s enough to be kind of creepy.

The Privacy Dashboard is a step in the right direction, and it’s very useful for anyone interested in seeing exactly what information Microsoft has collected. It also allows you to clear much of that information. But what if you want to prevent Microsoft from gathering this information in the first place?

Privacy improvements in Windows 10

Also revealed in Myerson’s post are upcoming changes to the privacy settings in Windows 10. The initial privacy setup has changed, and now provides a bit more information about the various privacy levels and settings. Microsoft is “simplifying Diagnostic data levels and further reducing the data collected at the Basic level.” But in fact there will be fewer privacy levels to choose from, and there’s still no real explanation of exactly what data is sent. And of course the most useful ‘Security’ level (which disables almost all telemetry) is only available to Enterprise users. Us regular folks can only throttle data collection down to the ‘Basic’ level.

According to Microsoft, the Basic level “includes data that is vital to the operation of Windows. We use this data to help keep Windows and apps secure, up-to-date, and running properly when you let Microsoft know the capabilities of your device, what is installed, and whether Windows is operating correctly. This option also includes basic error reporting back to Microsoft.” This sounds reasonable, but it’s lacking in detail and — for many users — still sounds like an intrusion.

Luckily, there are alternatives. I recently discovered a Powershell script called Reclaim Windows 10 that can disable all of the telemetry settings in Windows 10. I’ve yet to test the script, but it looks promising.

Advertisements in Windows 10?

Microsoft still insists this isn’t about advertising: “We want you to be informed about and in control of your data, which is why we’re working hard on these settings and controls. And regardless of your data collection choices, we will not use the contents of your email, chat, files, or pictures to target ads to you.” I’d like to believe that, but it seems unlikely. Microsoft is clearly taking aim at Google’s huge lead in online advertising, and the idea of having a captive audience for advertising (in the form of millions of Windows users) is obviously just too tempting to resist.

Microsoft continues to push Windows 10, now at the expense of Windows 7, which it now says “does not meet the requirements of modern systems, nor the security requirements of IT departments.”

Update 2017Jan18: Techdirt weighs in.

Patch Tuesday for January 2017

Another Patch Tuesday rolls around, bringing updates for Internet Explorer, Edge, Windows, and Office from Microsoft, and new versions of Flash and Reader from Adobe.

According to the Microsoft’s January 2017 bulletin summary,

“There are no security fixes or quality improvements for Windows 8.1 … on Update Tuesday for January 2017. As such, there is no Security Only Quality Update or Security Monthly Quality Rollup release for [Windows 8.1] this month.”

And in fact there are only four bulletins (with associated updates), addressing vulnerabilities in Windows, Edge, Office, and the Flash player built into Edge and Internet Explorer 11. Not including Flash, these updates address three security vulnerabilities.

Adobe’s contributions this month start with Flash 24.0.0.194, which addresses thirteen vulnerabilities in previous versions, adds some new features that are not particularly interesting, and improves support for high resolution displays in Firefox on Windows: Flash content will now scale properly in that context. As usual, Flash updates for Edge and Internet Explorer are handled by Microsoft, and Google Chrome will update itself automatically.

New versions of Adobe Reader address twenty-nine vulnerabilities. Reader XI is up to version 11.0.19, while its confusingly-named sister products Acrobat Reader DC (Continuous) and Acrobat Reader DC (Classic) are at versions 15.023.20053 and 15.006.30279, respectively.

So it’s an enjoyably light month. Visit Windows Update, update Adobe Reader, and if you use a web browser with Flash enabled, make sure to update that as well.

Microsoft is losing all of its browser market share to Google

If you used Windows in the 90’s, you probably remember the Browser War between Microsoft’s Internet Explorer and Netscape’s Navigator. That war culminated in an antitrust case against Microsoft, in which the plaintiff (the USA) claimed that Microsoft’s bundling of IE with Windows was anti-competitive.

Regardless of whether you believe Microsoft acted fairly, Internet Explorer’s market share increased steadily during the period from 1995 to 2001, getting close to 100% at its high water mark. Microsoft never charged anything for its browser, but controlling the window through which most of the world viewed the web clearly provided a huge advantage to the company.

Now, all that ‘hard won’ market share is being given away by Microsoft, mostly to Google’s Chrome. Internet Explorer’s share plummeted from 40% to 20% in 2016, and there’s no bottom in sight.

Why is this happening?

Microsoft has abandoned Internet Explorer, switching its browser development efforts to Edge, which only runs in Windows 10. Only the most recent versions of IE are still supported, and only on Windows 7, 8.1, and 10. And that support is limited to fixing security issues and other bugs. You won’t see any more new features in IE.

Clearly, Microsoft thought everyone would upgrade to Windows 10, especially given the free upgrade offer, and the company’s aggressive upgrade tactics. But that appears to have backfired; Windows 10’s growth has been less than stellar, and even though Edge is arguably a better browser than IE, Windows 10 users are mostly choosing other browsers.

Microsoft may soon own as little as 5% of the total browser market, thanks to Edge’s lackluster uptake. Edge started 2016 with a market share of about 4%, and ended it with about 5%.

I think this qualifies as a major strategic blunder on the part of Microsoft.

Numbers are courtesy of NetMarketShare.

Article on Ars Technica.

Microsoft admits it went too far in pushing Windows 10

In a recent Windows Weekly podcast, Microsoft’s Chief Marketing Officer Chris Capossela didn’t quite apologize for the company’s heavy-handed efforts to get people to upgrade to Windows 10.

Capossela did say that Microsoft heard the criticism, and tried to find the ‘right balance’, but he only seems to actually regret one particularly nasty ploy, in which closing an upgrade dialog caused the upgrade to start for many users.

Of course the Windows 10 push is long over, and the bad feelings it generated have started to fade. Unfortunately, even with the bad publicity, I suspect that Microsoft views the operation as a success, which means that they may be tempted to use the same tactics in the future.

When ‘Checking for updates…’ takes forever on Windows 8.1

This week I once again encountered an old nemesis, the infinite ‘Checking for updates…’ Windows Update screen. Not this again! It happened when I was attempting to install the December 2016 updates on my main Windows 8.1 machine.

Is it working? How can you tell?

I tried the usual troubleshooting steps: rebooting, stopping all non-essential processes, the Windows Update troubleshooter, and so on. Nothing helped.

What makes this problem really annoying is that even when Windows Update is working properly, there are long pauses during which nothing appears to be happening. Even looking deeply into the running processes sometimes shows a complete lack of activity. Since a hung Windows Update often looks exactly like Windows Update actually doing something, all you can do is watch helplessly, in growing frustration, until you finally can’t stand it any more and stop the Windows Update process.

After banging my head against this problem for a while, it occurred to me that since most Windows updates are now available in ‘rollup’ form (i.e. packaged together in one update), I could install the appropriate ones manually, which would at least get my computer up to date, and could conceivably also fix Windows Update.

After a bit of searching I found the July 2016 update rollup for Windows 8.1 and Windows Server 2012 R2. One of the prerequisites for this update is the Servicing stack update for Windows 8.1 and Windows Server 2012 R2: July 12, 2016, but that had already been installed in July, so I proceeded to install the rollup. It only took a few minutes.

After rebooting, I tried Windows Update, and ‘Checking for updates’ took about a minute to find December’s Patch Tuesday updates. Yay! I installed those updates and the computer is now fully patched.

It’s difficult to know for sure why this Windows Update problem happens, but it’s depressingly common, as are the sometimes wacky solutions users have proposed. The rollup solution that worked for me may work for others, but there are no guarantees. It’s Windows, after all.

Microsoft releases fix for Windows 10 Internet connectivity issues

Details are sketchy, but apparently a recent Windows 10 update caused major problems for some users. Affected users were suddenly unable to access the Internet. December’s Patch Tuesday (earlier this week) included an update that addresses this problem.

This issue once again raises the question of whether Microsoft can be trusted not to push flawed Windows updates, especially now that updates are essentially mandatory and unavoidable.

Update 2016Dec16: Many of the Knowledge Base pages on the Microsoft support site now include this message at the top: “If you are experiencing issues connecting to the internet we recommend you restart your PC by going to Start, clicking the Power button, then choosing Restart (not Shut down).” No further explanation is provided.