Category Archives: Microsoft

Microsoft, Patches and updates, Windows XP

Not recommended: tricky way to obtain Windows XP updates

Leave a comment

Someone recently discovered that it’s possible to trick Windows Update into providing updates for Windows XP.

Recall that even though Microsoft has stopped issuing updates for Windows XP to the general public, they are actually still developing updates – for paying customers.

The trick for obtaining updates for Windows XP involves changing a setting in Windows that makes Windows Update think that it’s actually running a variant of Windows XP that’s still supported, namely ‘POSReady 2009’.

There are all kinds of problems with this, starting with the likelihood that Microsoft will find a way to stop it. In short, if you’re desperate to keep running Windows XP and you want to install the available updates, and you’re willing to take the risk of totally messing up your system, it might be worth a try. But I seriously cannot recommend it.

Update 2014Jun04: For those of you who can’t resist the temptation to try this, the procedure is outlined in this betanews.com blog post.

Microsoft, Patches and updates, Security

New service from Microsoft: myBulletins

Leave a comment

On Wednesday, Microsoft announced myBulletins: a new web-based service that allows users to keep track of updates.

The service provides a centralized view of all Microsoft bulletins that can be customized to show only products in which you are interested. The resulting list can be further searched, filtered, and sorted. Once you customize myBulletins, it’s a handy way to see all Microsoft bulletins in one place without a lot of clutter.

To use myBulletins, you need a free Microsoft account.

Internet Explorer, Microsoft, Security, Windows

Internet Explorer vulnerability reported

1 Comment

Zero Day Initiative, a security vulnerability reporting initiative funded by HP, recently announced a vulnerability affecting Internet Explorer 8 (and possibly other versions).

The vulnerability was originally discovered and reported to Microsoft in October 2013, and confirmed by Microsoft in February 2014. Since Microsoft has not yet issued a patch, ZDI announced the vulnerability in keeping with their disclosure policy.

Anyone using Internet Explorer is strongly encouraged to install and use Microsoft EMET, which will help to mitigate this vulnerability.

Update 2014May25: Despite some reports to the contrary, Microsoft is planning to fix this vulnerability. The problem only seems to affect IE8, and no exploits have yet been seen in the wild.

Microsoft, Security, Silverlight

Microsoft Silverlight an increasingly popular target

Leave a comment

As the popularity of software and platforms ebbs and flows, so do the targets of malicious hackers. In the past few years, Java and Flash were the most notable targets.

More recently, Microsoft’s Silverlight media platform is increasingly being targeted. This is almost certainly due to the fact that Netflix uses that particular technology. Attackers are always drawn to platforms that are widely used by ordinary folks.

Because of this, I’m adding Silverlight to the list of software products that I track on this site’s Current Versions page.

Internet Explorer, Microsoft, Patches and updates, Security, Windows

Microsoft Patch Tuesday for May 2014

Leave a comment

This month’s crop of updates addresses thirteen vulnerabilities in Windows, Office, Internet Explorer, SharePoint and .NET.

There are eight bulletins, with two of them being flagged as Critical.

There are no updates for Windows XP this month, so it looks like Microsoft really has put the final nail in XP’s coffin.

The summary bulletin on the TechNet Security TechCenter has all the gory details. As usual, there’s a friendlier summary on the MSRC blog. The SANS Handler’s Blog has a slightly different take on this month’s updates.

Internet Explorer, Microsoft, Patches and updates, Security, Windows

Advance notification for May 2014 Patch Tuesday

Leave a comment

Next Tuesday we’ll find out whether Microsoft is going to stick to its original plan and stop providing Windows XP security updates to us ordinary folks.

According to the Advance Notification post on the MSRC blog, this month’s updates will include eight bulletins, with two of those being Critical. The updates affect the usual suspects, including Windows, Office, Internet Explorer and .NET.

The more technical Advance Notification security bulletin on the TechNet Security Tech Center blog definitely does not list Windows XP anywhere.

Internet Explorer, Microsoft, Patches and updates, Security, Windows, Windows XP

Microsoft issues special update for Internet Explorer

Leave a comment

We recently reported on a serious vulnerability affecting all versions of Internet Explorer that is being exploited on the web.

Well, it appears that Microsoft sees this vulnerability as very serious, because they are planning to release an update – later today – that addresses the problem. This is an ‘out-of-band’ update, meaning that it’s considered too important to wait for the next Patch Tuesday.

Just in case you were wondering, this vulnerability affects all versions of Internet Explorer on all versions of Windows, including Windows XP. But the patch will not be made available for Windows XP computers.

Update 2014May02: Surprisingly, Microsoft has decided to make this update available for Windows XP. I confirmed this by running Microsoft Update on my WinXP test system: security update 2964358 was offered, and I installed it without any difficulties. Reading through the associated bulletin (MS14-021) there is no explanation for this decision, but there is confirmation, in the section titled “Security Update Deployment
– Windows XP (all editions)”, and in a related post on the MSRC blog. The Verge has additional details, as does Ars Technica. The Ars Technica post includes the official explanation from Microsoft:

Even though Windows XP is no longer supported by Microsoft and is past the time we normally provide security updates, we’ve decided to provide an update for all versions of Windows XP (including embedded) today. We made this exception based on the proximity to the end of support for Windows XP. The reality is there have been a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown. Unfortunately this is a sign of the times and this is not to say we don’t take these reports seriously. We absolutely do.

Update 2014May02: Another Ars Technica post makes the argument that releasing a patch for Windows XP was a mistake. The moment of truth will be Patch Tuesday for May 2014: will Microsoft stick to its guns and leave Windows XP out of the next set of patches?

Internet Explorer, Microsoft, Security, Windows

New Internet Explorer vulnerability

1 Comment

On April 26, Microsoft released Security Advisory 2963983, which describes a newly-discovered vulnerability affecting all versions of Internet Explorer.

According to the related MSRC blog post, attacks based on this vulnerability are being seen in the wild, but so far those attacks are limited.

This IE vulnerability is apparently based on a vulnerability in Flash.

Microsoft is advising the usual caution, especially when clicking links in email and visiting unfamiliar web sites.

Presumably Microsoft will produce a patch for this vulnerability, and an interim ‘Fix-It’ workaround may be made available soon, but in the meantime, you should either stop using Internet Explorer completely, or at least install and configure EMET.

Windows XP users should not – under any circumstance – still be using Internet Explorer as their default web browser or for browsing the web. This vulnerability is only the first in what is sure to be a long series that make using Internet Explorer on Windows XP extremely risky.

Update 2014Apr28: Ars Technica, The Verge, and the SANS InfoSec handlers diary all have additional information.

Microsoft, Patches and updates, Windows 8.x

Why Windows 8.1 Update 1 is ‘required’

Leave a comment

We recently wrote about the release of Update 1 for Windows 8.1.

In that post, we noted that Microsoft was making this update mandatory for all subsequent security updates, and wondered why they would do that. Apparently we weren’t the only ones, and there was enough angry feedback that Microsoft extended the period during which Windows 8.1 systems without Update 1 could continue receiving security updates, from 30 days to 120.

But why add this kind of limitation at all?

Ars Technica may have the answer to that question. We previously wondered why Microsoft wasn’t simply labeling Update 1 as ‘Service Pack 1’, in keeping with their long-established practices. The answer is simple: Microsoft sees what Apple, Google, and other O/S developers are doing, and they want to do the same.

Anyone who owns a Mac knows that Apple’s support for previous versions of OS X is extremely limited. If you want to keep running that old version of OS X, you’re going to have problems, and you won’t have any recourse except to bite the bullet and upgrade. Often, that also means upgrading the hardware. While this is clearly a consumer-hostile stance, it’s easy to understand. Apple saves an enormous amount of money and effort that would otherwise be spent on supporting old versions, developing updates for multiple O/S versions, and so on.

It appears that Microsoft has finally started down the path away from backward-compatibility and support for old versions of Windows. This is both a good and a bad thing. Backward compatibility is why so many people still run Windows XP: why upgrade your O/S if it suits your purposes and can still be kept reasonably secure? But it’s also the source of many problems.

Moving to a more restricted update system in Windows 8.x looks like the first step in a general trend towards the less consumer-friendly model used by Apple and others. And if that’s true, we can expect more moves like this in Microsoft’s future. Which is sad, but probably inevitable.