Category Archives: Microsoft

Advance notification for July Microsoft updates

This month’s updates will become available around 10am PST on July 8. There are expected to be six bulletins, with associated updates affecting Windows and Internet Explorer. Two are tagged as Critical.

The official advance notification bulletin has all the technical details, while as usual there’s a less technical summary over on the MSRC blog.

Windows 8 growth rate flatlines; XP still going strong

Despite its initial growth spurt, it looks like people are staying away from Windows 8.x in droves. The latest stats show little to no change in the number of Windows 8.x installs in the last month. Windows XP’s recent slide, no doubt due to the end of its support, has also leveled out. As things stand, Windows XP use is roughly double that of Windows 8.x.

Microsoft may have thrown in the towel on Windows 8.x. They recently announced that the Start menu won’t reappear in Windows 8.x, but will be included in Windows 9, which is giving those of us who advised against switching to Windows 8 an excuse to say ‘I told you so.’

Microsoft adds encryption to its email and cloud storage services

Traffic into and out of Microsoft’s Outlook.com email service will now be encrypted, as long as the other end also supports encryption. Both Outlook.com and OneDrive, Microsoft’s cloud storage service, now use random keys that are generated for each session.

That last change is a strong indication that Microsoft’s motivation in making these changes is to regain public trust in the wake of Snowden’s revelations. The NSA and other law enforcement agencies can only read encrypted communication if they obtain the encryption keys, and now those keys are temporary and disappear after use.

Ars Technica has additional details.

Microsoft gets careless in its anti-malware efforts

Up to now we’ve been happy to report on the successes of Microsoft’s work on hindering or shutting down botnets and other malware networks and sites. But their most recent actions in this area were heavy-handed, resulting in millions of legitimate domains going offline.

From Microsoft’s official blog post:

On June 19, Microsoft filed for an ex parte temporary restraining order (TRO) from the U.S. District Court for Nevada against No-IP. On June 26, the court granted our request and made Microsoft the DNS authority for the company’s 23 free No-IP domains, allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats.

Microsoft named two foreign nationals, Mohamed Benabdellah and Naser Al Mutairi, and a U.S. company, Vitalwerks Internet Solutions, LLC (doing business as No-IP.com), for their roles in creating, controlling, and assisting in infecting millions of computers with malicious software—harming Microsoft, its customers and the public at large.

We’re taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware.

That all sounds fine, except for one thing: No-IP was also being used for millions of domains with perfectly legitimate purposes. Microsoft says they knew this, and took measures to protect non-malicious domains.

Backlash against Microsoft’s actions is ramping up. Microsoft’s PR people are now saying that this is all due to a technical error, but given their characterization of No-IP (see above), it seems more likely that this is just spin, and they really did mean to kill all domains using No-IP’s services.

Brian Krebs has additional details, as does Ars Technica.

Update 2014Jul03: Microsoft has returned control of the No-IP domains to No-IP. There’s still some doubt as to whether Microsoft acted in good faith: No-IP claims they were never contacted by Microsoft prior to the domain seizure; Microsoft claims otherwise. Regardless, I imagine No-IP will quickly move to remove clients using No-IP for nefarious purposes.

Update 2014Jul13: The EFF has a useful followup of the debacle.

Windows 8.x unlikely to see return of Start menu after all

Despite earlier indications that Microsoft would finally return the Start menu to Windows 8.x, it now looks like that may not ever happen.

Microsoft is now saying that the next update for Windows 8.1 (likely to be called ‘Update 2’) will not bring back the Start menu, and will only include small user interface adjustments.

Instead, Microsoft will wait for Windows 9 to bring back the Start menu. With Windows 9, Microsoft will apparently do what they should have done with Windows 8, making the touch-centric ‘Metro’ user interface optional, defaulting to a regular desktop on keyboard/mouse PCs and to the touch interface on touch devices.

Ars Technica has more, as does The Verge.

Vulnerability in Microsoft Malware Protection Engine

A serious vulnerability in the software at the core of Microsoft’s anti-malware solutions (Microsoft Malware Protection Engine) could open the door for DDoS attacks.

An attacker could create a special file, which – when scanned by affected software – would make the anti-malware software ineffective against any and all malware. A new patch from Microsoft fixes the vulnerability.

Software that uses the Malware Protection Engine is typically configured to update itself automatically. That includes Microsoft Security Essentials, a free Windows-based anti-malware solution.

If you are using MSSE, you can determine whether the patch has been installed by opening MSSE, clicking the small arrow next to ‘Help’, then clicking ‘About’. You should see a line like this:

Engine Version: 1.1.10701.0

If your Engine Version is 1.1.10701.0 or higher, then the patch has been installed and you are protected against this vulnerability. If the version is 1.1.10600.0 or lower, go to the Update tab and click the Update button.

Microsoft Security Advisory 2974294 provides additional details.
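
For anyone checking more than one machine, the Engine Version test described above can be scripted. The following is an added example, not part of the original post or of any Microsoft tool: it assumes the 'About' text of each machine has already been collected, and the host names and sample versions are constructed. Versions are compared numerically, because a plain string comparison would rank 1.1.9901.0 above 1.1.10701.0.

```python
import re

# Thresholds taken from the post above.
PATCHED_MIN = (1, 1, 10701, 0)     # this version or higher: patch installed
VULNERABLE_MAX = (1, 1, 10600, 0)  # this version or lower: update needed

# Matches the line shown in the MSSE 'About' dialog.
LINE_RE = re.compile(r"Engine Version:\s*(\d+(?:\.\d+){3})\b")


def parse_engine_version(about_text):
    """Return the engine version as a tuple of ints, or None if not found."""
    match = LINE_RE.search(about_text)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def classify(about_text):
    """Classify one machine's 'About' text against the post's thresholds."""
    version = parse_engine_version(about_text)
    if version is None:
        return "unknown"          # no Engine Version line to judge by
    if version >= PATCHED_MIN:
        return "patched"
    if version <= VULNERABLE_MAX:
        return "vulnerable"
    return "indeterminate"        # between the two versions the post names


def audit(inventory):
    """Map host name -> status for a dict of host name -> 'About' text."""
    return {host: classify(text) for host, text in inventory.items()}


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = {
    "ws-01": "Engine Version: 1.1.10701.0\n",
    "ws-02": "Engine Version: 1.1.10600.0\n",
    "ws-03": "Engine Version: 1.1.9901.0\n",   # older, despite the leading 9
    "ws-04": "Engine Version: 1.1.10650.0\n",
    "ws-05": "About text with no version line\n",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(host, status)
```

Any machine reported as vulnerable, indeterminate or unknown should be updated from the Update tab and checked again.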

Required update for Internet Explorer 11

Microsoft is apparently trying to reduce the amount of work they face when creating software updates.

The latest wrinkle is that anyone running Internet Explorer 11 on Windows 7 must install update KB2929437 in order to continue receiving updates for Internet Explorer.

In other words, if you fail to install KB2929437, you will stop seeing updates (including critical security updates) for Internet Explorer in Windows Update and Autoupdate.

Microsoft Patch Tuesday for June 2014

This month there are seven bulletins, with related patches affecting Internet Explorer, Windows and Office. A total of sixty-six security vulnerabilities are fixed with these updates.

Note that Microsoft is recommending upgrading to the latest version of Internet Explorer. IE 11 contains security features not found in previous versions and is therefore somewhat more secure than those older versions. Anyone still using Internet Explorer would do well to follow this advice.

Note also that this is the last set of updates that will be available for Windows 8.1 installations without Update 1. In other words, if you’ve held off on installing Update 1, you won’t get any updates next month or after that.
