Category Archives: Microsoft

Patch Tuesday for April 2021

While installing software updates may not be the most fun you can have, at least you can do it indoors and remotely, safe from the pandemic still raging outside.

As usual, the main source of update information from Microsoft is the Security Update Guide (SUG). The SUG is a huge database, and it’s easy to get overwhelmed by the amount of information there. I begin my analysis by downloading this month’s information as a spreadsheet, which when loaded into Excel is much easier to handle.

Estimates of the number of vulnerabilities addressed by this month’s updates vary: by my count, it’s one hundred and eighteen. Other people show the total as ‘over 110’ and 114. Microsoft seems to have embraced a ‘keep them guessing’ strategy, perhaps so that we’ll eventually give up and stop counting, and learn to simply accept what we get without trying to get a handle on it. In psychology, that’s known as learned helplessness, which sounds about right.

This month’s updates include fixes for still-supported versions of Windows, Office, Edge, SharePoint, Visual Studio, and VS Code.

Also this month there are fixes for the rather horrible Microsoft Exchange vulnerabilities that have led to even worse compromises of business, government, and education systems worldwide in recent weeks. That’s great news, but unless you work in one of those environments, you are likely not affected.

Windows 10 users are once again faced with limited options: a) give in to Microsoft and allow updates to be installed on their schedule, risking bad updates; or b) delay updates as long as possible, risking being exposed to security vulnerabilities.

Windows 8.1 users still have an actual choice, since automatic updates can be disabled entirely. In which case you’ll need to run Windows Update manually to get the latest updates.

Windows 7 still occasionally gets updates. Microsoft creates them for enterprise clients, who pay a premium for that service. Non-paying folks don’t usually have access to those updates, although sometimes Microsoft makes individual updates available to all if they are particularly dangerous. Note that Windows 7 still works just fine: you can minimize the security risk of running it by being extremely careful when using email, browsing the web, clicking links, and downloading software.

Windows XP is still being used, but it’s long past receiving any updates, and it’s increasingly unable to run new software. It’s perfectly safe to use if it’s not connected to the Internet, or if it’s only used for specific, limited tasks.

Patch Tuesday for March 2021

It’s another Patch Tuesday, usually referred to by Microsoft as ‘Update Tuesday’. Terminology aside, what it means is a big pile of updates that will be foisted upon most Windows users over the next few days.

Those of us sticking with Windows 8.1 can still review the available updates and install them at our leisure, which can be very satisfying when an update that we defer turns out to cause problems. But Microsoft seems to reserve its major screwups to Windows 10 updates these days (incuding this month’s printing crashes, and the fix for those crashes).

If you’re running Windows 10, you can defer updates for as long as a month… unless you’re running any of the Home versions, in which case the updates are as inevitable as taxes.

This month’s updates address several extremely serious security vulnerabilities in Exchange, Microsoft’s email server software, which ordinary folks are very unlikely to be running.

But the parade also includes updates for the usual offenders: Internet Explorer, Microsoft Edge (both the Chromium-based and original versions), Office (Excel, PowerPoint, SharePoint, Visio), Visual Studio, Visual Studio Code, and of course Windows. One hundred and thirty-one vulnerabilities* are addressed in all.

Microsoft’s Security Update Guide is currently the official source for this information. The SUG has undergone some improvements lately, and it’s gradually getting easier to navigate, which is a relief.

If you’re still running Windows 7, today’s festivities are largely meaningless, though Microsoft does occasionally toss a bone in your direction, in the form of a Windows 7 update normally reserved for those deep of pocket. Microsoft will presumably continue to do this when a flaw is serious enough that witholding the fix would create a public relations problem for the company.

The release notes for today’s updates provide additional details, though they are still sadly somewhat incomplete.

* The vulnerability count varies depending on who’s looking. According to the SANS Internet Storm Center, “This month we got patches for 122 vulnerabilities. Of these, 14 are critical, 5 are being exploited and 2 were previously disclosed.” Brian Krebs says “from Microsoft today…the company released software updates to plug more than 82 security flaws in Windows and other supported software. Ten of these earned Microsoft’s “critical” rating”. Clearly Microsoft’s Security Update Guide still needs work.

Patch Tuesday for February 2021

We’re gradually moving into a world where the software we use every day is maintained remotely, because it runs on or from a remote server, or because it automatically updates itself. This is widely viewed as progress, since the responsibility of protecting everyone from vulnerable software moves away from software users, to software producers. Responsible software producers no longer simply create and sell software, developing and making available updates when necessary; they are taking on the task of deploying those updates to user platforms.

There are drawbacks to this approach. Many people — including myself — are reluctant to cede control of the software we use to faceless corporate drones. We are wary of allowing corporate interests control what we see on our computers. With Windows 10, everything is in place to allow Microsoft to sell advertising space on your computer screen. We shudder to think of the nightmare scenarios resulting from bad (and unavoidable) updates.

For those of us who are resistant to these changes, there are options. Most software that automatically updates itself includes settings to disable auto-updates in favour of manual updates. Notable exceptions are Windows 10, and almost all Google and Adobe software.

There are other problems. Once, every update came with release notes and change logs. Increasingly, the details of changes in updates are not published, and users must simply trust that software producers only ever intend to make things better for us. Sadly, that is not always the case. The Windows desktop client for Spotify is a good example: it’s buggy, unstable, crash-prone, and although it is updated frequently, new versions are not documented in any way. Installing Spotify updates is a game of Russian Roulette, and it’s not optional.

Where do we go from here?

Updates should always be optional. Sure, install them by default, but provide settings to allow users to fully control whether and when updates are installed. At the very least, this would make updates much less stressful for business and educational IT staff. How about providing a free version that automatically updates itself and allows advertising, and a reasonably-priced version that allows control over updates and advertising? I’d be willing to pay a few bucks extra to have that kind of control.

Meanwhile, back to reality

Here in the real world, we’ve got more updates from Microsoft and Adobe, many of which are not optional. Some of these updates are not available for free, and are instead prohibitively expensive (e.g. all updates for Windows 7).

First up it’s Microsoft, with software updates addressing fifty-six vulnerabilities in .NET, Edge, Office, Sharepoint, Visual Studio, VS Code, Windows, and Defender.

If you try to count the number of distinct updates, your numbers will vary, depending on what you’re counting. As such, I will no longer be attempting update counts.

You can wade through the details yourself, using the new, ‘improved’ Security Update Guide. You can also find a summary on the official release notes page for this Patch Tuesday.

Several of this month’s updates address critical vulnerabilities that are being actively exploited. Which of course drives home the point that people really need to update, as soon as possible. Which in turn is a strong argument for forcing those updates. Welcome to the new update hell reality.


Adobe logoAdobe has been installing automatic update mechanisms on your computer for a few years now. As with Google software, this is accomplished using a variety of techniques that are also used by malware: to make sure they are always enabled, to reinstall themselves when removed, and to remain hidden as much as possible. While it is possible to remove or disable these update mechanisms, doing so is an exercise in frustration, because they will return, sometimes in a form that’s even more difficult to remove. The only real solution is to avoid using such software.

If you’ve ever opened a PDF file on your computer, there’s a good chance that it opened in Adobe’s free Acrobat Reader. In which case that software is updating itself automatically, using a system service called Adobe Acrobat Update Service.

Adobe released a new version of Reader on February 9: 2021.001.20135. This new version addresses at least twenty-three security vulnerabilities in earlier versions. Since it’s difficult to know exactly when automatic updates will occur, it’s a good idea to check. On Reader’s menu, navigate to Help > About Adobe Acrobat Reader DC. If your version is out of date, select Help > Check for Updates on Reader’s menu to install the new version.

Patch Tuesday for January 2021

There’s no stopping the juggernaut of monthly updates coming from our pals in Redmond.

This month’s load of updates, based on analysis of the new, ‘improved’ Security Update Guide, shows that we have updates for Edge, Office (2010, 2013, 2016, and 2019), Sharepoint, SQL Server, Visual Studio, Windows (7, 8.1, and 10), and Windows Server (2008, 2012, 2016, and 2019), addressing eighty-three security vulnerabilities in all.

There’s a summary of this month’s updates linked from the SUG, but as usual, it’s bafflingly incomplete.

Windows 8.1 computers can get this month’s updates via Windows Update in the Control Panel. Windows 10 computers will get the updates over the next few days, unless they’ve been configured to delay updates temporarily. Windows 7 users are still basically out of luck.

Flash is DEAD

Adobe’s kill switch for Flash went into effect as scheduled yesterday. Any Flash media you try to view from now on will show a placeholder image, which links to the End Of Life announcement for Flash.

That includes any Flash media you have lying around on your computer. For example, I found the Flash test animation on my main computer and uploaded it to my web server, where until January 12, it worked perfectly. That same Flash animation used to show on the main Flash help page, but of course that page now shows the placeholder as well.

And so ends the long, exasperating, security nightmare that was Flash. Good riddance.

Patch Tuesday for December 2020

Microsoft recently overhauled its Security Update Guide, the web-based resource meant to be the definitive guide to Microsoft software updates. I don’t know what they had in mind, but from the standpoint of usability, there’s little improvement.

I still recommend using the SUG’s handy Download link to save the data in spreadsheet form, which you can then open in an Excel-compatible program, and use filtering and sorting functions to extract the information you need.

The official release notes for this month’s crop of updates is somewhat useful, although it contains neither a complete list of updates nor a complete list of vulnerabilities. It does at least provide a list of the software affected by the updates: Microsoft Windows, Microsoft Edge (EdgeHTML-based), Microsoft Edge for Android, ChakraCore, Microsoft Office and Microsoft Office Services and Web Apps, Microsoft Exchange Server, Azure DevOps, Microsoft Dynamics, Visual Studio, Azure SDK, and Azure Sphere.

The Vulnerabilities tab of the SUG lists fifty-nine vulnerabilities that are addressed by the December updates. That matches the total I obtained in my analysis of the data. As for the number of actual updates, that’s increasingly difficult to determine. There are references to forty-seven help articles and twenty-one sets of release notes in the SUG data.

As usual, Windows 10 computers will get the relevant updates installed when Microsoft feels like it. Windows 8.1 computers are best updated via the Windows Update applet in the Control Panel. Users of Windows 7 and earlier versions are still pretty much out of luck, though it’s worth checking Windows Update anyway.

Patch Tuesday for November 2020

This month’s pile-o-patches from Microsoft includes updates for Flash in Microsoft browsers, .NET, Exchange Server, Office (2010, 2013, 2016, and 2019), Sharepoint, Windows (7, 8.1, and 10), Windows Server (2008, 2012, 2016, and 2019), Visual Studio, Visual Studio Code, Internet Explorer 11, Edge, and Teams.

Analysis of the new (but not improved) Security Update Guide for November shows that there are at least 102 bulletins (but as many as 118, depending on what’s counted), each with an associated set of updates. As many as one hundred and eighty-five security vulnerabilities are addressed.

Dammit, Microsoft

Microsoft has once again changed the way security bulletins and updates are documented. As a result, it’s now even more difficult to find certain details about individual updates, and more difficult to ascertain just how many updates were made available for a given Patch Tuesday. It seems like Microsoft wants us to give up trying to get a handle on these things, and just install all available updates. Some people have turned to non-Microsoft resources for update information, such as the Patch Tuesday Dashboard, which is useful, but the numbers there don’t match mine, so who knows.

Getting the updates

Most Windows 10 users will get the relevant updates installed automatically over the next couple of days, although more recent versions of Windows 10 do allow updates to be delayed.

Windows 8.1 computers that have automatic updates enabled will also get those updates soon. Otherwise, you’ll need to head to the Windows Control Panel to run Windows Update.

Windows 7 users are still pretty much out of luck.

Patch Tuesday for October 2020

It’s time for another round of updates for your Windows computers. Earlier today Microsoft published fifty-eight bulletins, with associated updates, addressing eighty vulnerabilities in Flash, .NET, Office (2010, 2013, 2016, and 2019), SharePoint, Visual Studio, and Windows (7, 8.1, 10, and Server). Ten of the vulnerabilities are flagged as having Critical severity.

Get the full details directly from the source: Microsoft’s Security Update Guide.

Interestingly, there are no updates for any version of Internet Explorer this time around. I don’t think that’s ever happened before.

What you need to do

Windows 10

Unless you’re running one of the more recent major releases of Windows 10, and you’ve configured it to delay updates, you’re going to get the new updates within the next day or so.

If your version of Windows 10 has settings that allow you to delay updates, I strongly recommend that you use them. Given Microsoft’s recent track record with updates, which includes rushing out fixes for a sadly long series of problematic updates, it seems like the smart choice.

Windows 8.1

It’s been a while since Microsoft broke Windows 8.1 with a bad update, but if you’re at all wary about these things (as am I), you should make sure Windows Update is not configured to install updates automatically, then wait a few days before installing them manually with Windows Update.

The more adventurous among you may choose to install the new updates right away via Windows Update, or even (shudder) configure Windows Update to do it all automatically.

Windows 7

If the organization you work for has paid for extended updates, your Windows 7 computer will get any applicable updates, but your IT folks probably do that for you anyway.

The rest of the world’s Windows 7 users can only wonder how much less secure their computers are without the new updates.

Patch Tuesday for September 2020

This month’s pile from Microsoft includes fixes for vulnerabilities in Internet Explorer (9 and 11), both variants of Edge (Chromium and EdgeHTML), Office (2010, 2013, 2016, and 2019), SharePoint, Visual Studio, Windows (7, 8.1, and 10), and Windows Server (2008, 2012, 2016, 2019).

There are fifty-three security bulletins in all, and fifty-three associated updates. The updates includes fixes for one hundred and twenty vulnerabilities, twenty-one of which have been flagged as having critical severity. All of the critical vulnerabilities involve potential remote code execution.

As usual, the details are available in Microsoft’s Security Update Guide.

You can still get the Windows 7 updates legitimately, but only if you subscribe to Microsoft’s rather expensive Extended Security Updates program.

Windows 10 systems will update themselves automatically, although with newer versions, you have some control over when that happens. With Windows 10, most updates are going to get installed at some point. But delaying them can allow you to avoid updates that cause problems, since Microsoft usually issues fixes for the updates shortly after problems are discovered. But doing that potentially leaves your computer vulnerable in the interim. It’s your call. Adjust the update settings by going to Settings > Update & Security > Advanced options.

For Windows 8.1 users, it’s all about Windows Update. If you’ve configured it to install updates automatically, you’re basically in the same boat as Windows 10 users. Otherwise, locate Windows Update in the Control Panel, and click the Check for updates button.

Don’t bother trying to uninstall Microsoft Edge

If you’re old enough to remember the browser wars of the 1990s, you probably remember that Microsoft got into trouble for pushing their web browser, Internet Explorer, using tactics tied to the dominance of Windows.

Competitors were less than thrilled with Microsoft’s tactics. In 1998, an anti-trust suit was launched by the US Department of Justice against Microsoft, alleging that Microsoft was using unfair tactics, in particular by embedding Internet Explorer into Windows, making it difficult to remove.

Microsoft argued that Internet Explorer was a core part of the operating system, and could not be easily excised from Windows. This didn’t help their case much, as you can imagine.

The court agreed with the DOJ, recommending that Microsoft be broken into two organizations, one for Windows and the other for applications like Internet Explorer. After appeals, the final settlement required Microsoft to share its API (Application Programming Interface) documentation with third party companies. The idea was to remove any head start Microsoft would have in developing changes to its web browser based on technology advancements.

The DOJ did not require Microsoft to change any of its code or prevent Microsoft from tying other software with Windows in the future.

Microsoft’s tactics this time around

Fast forward to today, and Microsoft is again using questionable tactics in its fight for web browser dominance. This time around, with Internet Explorer soon to be discontinued, the browser in question is Edge (the newer, Chromium-based version).

Microsoft recently published a small support article about the new version of Edge, presumably in response to user questions. In part, it states: “The new version of Microsoft Edge is included in a Windows system update, so the option to uninstall it or use the legacy version of Microsoft Edge will no longer be available.”

So, once again, Microsoft is apparently trying to use its dominance in the desktop operating system market to push its web browser on people.

It’s hard to predict whether this tactic will actually help Edge, or whether anyone will care enough to claim antitrust activity again. I like to think people are generally somewhat better informed, and recognize that there are other, better web browsers than Edge.

UPDATE 2020Sep12: Microsoft has revised the wording of the support article about this, but the new version sounds like more of the same weak arguments they used in the 1990s:

Because Windows supports applications that rely on the web platform, our default web browser is an essential component of our operating system and can’t be uninstalled.

Windows users can download and install other browsers and change their default browser at any time.

Giant corporations trying to sound innocent when caught in their shenanigans is just embarassing.

Patch Tuesday for August 2020

If you run Windows 10 and are curious about the updates Microsoft will be jamming down your throat in the next few days; if you run Windows 7 and want to know what you’re missing out on by not being rich enough to afford Microsoft’s Extended Security Updates program; or if you’re running Windows 8.1 and want to know a bit more about the updates you’re about to install, read on.

Analysis of Microsoft’s comprehensive — yet still oddly difficult to navigate — Security Update Guide for this month reveals that there are sixty-five distinct updates and associated bulletins. Actually, since Microsoft is now calling these things ‘articles’, I’ll do the same. So there are sixty-five articles with associated updates, many of which are packaged into bundles: one with all the month’s updates, and one with only security-related updates.

The updates address a total of one hundred and twenty vulnerabilities in the usual lineup of Microsoft software: Windows (10, 8.1, and 7), Office (2010, 2013, 2016, and 2019), Internet Explorer 9 and 11, Edge (the one built on Chromium), .NET, SharePoint, and Visual Studio.

As is usual these days, Windows 10 updates are installed at Microsoft’s whim, Windows 7 updates are out of reach for most folks, and Windows 8.1 updates are installed via Windows Update in the Control Panel.