Category Archives: Microsoft

Advance notification of November 2013 Patch Tuesday

Tuesday, November 12 will see a modest batch of updates from Microsoft. There will be eight bulletins in total, with five Critical updates addressing vulnerabilities in Windows and Internet Explorer, and three Important updates addressing vulnerabilities in Windows and Office.

The recently-discovered vulnerability in Office running on Vista will not get a patch on November 12, but Microsoft is working on it and will release it as soon as it’s ready.

Vulnerability in MS Office on Vista being actively exploited

Microsoft has issued a security advisory to users of Office on Windows Vista. A newly-discovered vulnerability in Microsoft Office versions 2003 through 2010, when running on Windows Vista, is already being exploited by nefarious hackers.

If you are using Office 2003 to 2010 on Windows Vista, you should take steps to protect yourself until Microsoft releases a patch for this vulnerability.

This vulnerability also affects Office 2003 through 2010 running on Windows Server 2008, but you shouldn’t be running desktop applications on server software anyway, right?

The MSRC blog has more information, as does an Ars Technica post on the subject.

Update 2013Nov09: apparently attacks based on this vulnerability are more widespread than was originally estimated.

Smartphones just became useful

I don’t have a smartphone. I’ve fiddled with them, and I use one for app development. But the mobile device I actually use for day-to-day phone communication is an ancient Nokia 2610b.

[Image: Nokia 2610b. Caption: Hey, don’t laugh – it works.]

I’ve never had any issues with call quality, or any other problems with this phone. It lets me download media from arbitrary web locations and use any sound file as a ring or other tone. It’s sturdy; I literally use it as a beer bottle opener. Of course it doesn’t have a full keyboard, and the buttons are tiny, but I’m no rapid-fire texter anyway. The display is very basic, but it works for me.

I’ve been tempted on many occasions to buy a smartphone. The coolness factor alone has almost triumphed, but so far I’ve resisted its lure. Sure, smartphones can do lots of cool stuff, and I have no doubt that if I owned one, I’d spend a lot of time playing with it. But in the end, the only features I would really use are the phone, contacts, text messages (including alerts from Google Calendar), and occasionally the timer and alarm.

Until today, I thought I might end up using the 2610b until it died (which is unlikely), the battery stopped holding a charge (original battery is still going strong), or somehow it was no longer supported by my carrier (also unlikely).

What changed my mind? Microsoft released a mobile version of Remote Desktop. That’s the software I use to remotely control the Windows PCs I administer. I use it to administer the media computer downstairs, and the server next to me. I use it to manage client computers in this and other cities. And I use it to access my main PC when I’m elsewhere. It’s indispensable. And now it runs on Android and iPhone devices.

This changes everything: now I have a valid reason to buy a smartphone. But I’ll continue to resist as long as I can.

Windows 8.1 released today

Windows 8.1 (in effect, Windows 8 Service Pack 1) is now available. If you’re not already running Windows 8, you can purchase 8.1 from the Windows Store. If you are using Windows 8, you should start seeing prompts in the Windows Store to upgrade to 8.1 (a free download).

In the past, when a Windows Service Pack became available, savvy users tended to stay away until the inevitable problems were resolved. I don’t see any particular reason to charge blindly into Windows 8.1 either. My advice is to wait for at least two weeks and monitor this and other tech blogs for reports from early adopters.

Ars Technica and The Verge have additional information.

Patch Tuesday for October 2013

Patches from Microsoft and Adobe were announced today, along with a new version of Flash.

Eight bulletins from Microsoft fix security vulnerabilities in Windows, Internet Explorer, .NET, Office, Windows Server and Silverlight.

The Microsoft Security Response Center, as usual, provides a friendlier overview of this month’s patches, while the SANS Internet Storm Center provides a wealth of technical details.

Two bulletins from Adobe fix security vulnerabilities in Adobe Reader/Acrobat and Robohelp.

Flash 11.9.900.117 includes a long list of bug fixes. Chrome will be updated silently to match the new version of Flash. An update for Internet Explorer 10 on Windows 8 is also on the way.

Advance patch notifications from Microsoft and Adobe

Next Tuesday, October 8, will see patches from Microsoft (for Internet Explorer, Windows, .NET, Office and Silverlight) and Adobe (for Reader/Acrobat).

Included in the patches from Microsoft will be a fix for the recently-discovered security flaw affecting all versions of Internet Explorer.

Microsoft updates declining in quality?

Given that the vast majority of Windows systems are configured to download and install updates automatically, it’s critical for Microsoft to ensure the quality of those updates. One seriously bad update could cripple millions of Windows computers.

Issues with several of the September 2013 updates, along with similar problems in recent months, are causing concern in the industry. ComputerWorld has an informative look at the recent problems.

Internet Explorer flaw being actively exploited

Yesterday, Microsoft announced that they are looking into reports of a security vulnerability potentially affecting all versions of Internet Explorer. Apparently an exploit for this flaw exists and has been observed in the wild, targeting IE 8 and 9.

If you are using one of the affected browsers (likely all versions of Internet Explorer) and you visit a web site that has been compromised with malicious code that targets this vulnerability, an attacker might be able to execute arbitrary code on your computer remotely.

Microsoft issued security advisory 2887505 to warn and provide guidance to users. Workarounds include installing EMET and raising the security settings related to running ActiveX within the browser.

No patch for this vulnerability has yet been published by Microsoft, although there is a temporary ‘Fix-It’ solution available from Microsoft.

Update 2013Sep21: The SANS Internet Storm Center has been monitoring this issue. They have confirmed seeing related exploits in the wild. They also confirmed that Microsoft’s ‘Fix-It’ solution prevents these exploits, but only in 32-bit versions of Internet Explorer.

Update 2013Oct03: The developers of the controversial hacking toolkit Metasploit have released a module that exploits this IE vulnerability. This is likely to spur an increase in the number of attacks based on this vulnerability. Microsoft has yet to release a proper fix. If you use Internet Explorer for anything other than Windows Update, you should consider applying the temporary Fix-It solution or installing EMET (see above).

Patch Tuesday for September 2013

Another month, another pile of patches from Microsoft. This month there are fourteen bulletins, addressing security vulnerabilities in Windows, Internet Explorer, Office, and the .NET framework. Four of the bulletins are rated Critical.

As usual, the updates will become available after 10am PST from Windows Update.

The SANS Internet Storm Center has a detailed look at the vulnerabilities addressed by this month’s patches.

The Microsoft Security Response Center has a somewhat friendlier summary of this month’s updates.