Category Archives: Patches and updates

Windows 10 cumulative updates hopelessly botched

Recently I noticed that my Windows 10 test PC wasn’t staying logged in. Every day, despite not having logged out, I was seeing the login screen. A bit of poking around in the Windows 10 settings showed that Windows was trying to install update KB4013429, rebooting to complete the install, failing to complete the install, and rolling back the changes. Rinse and repeat daily, since March 14.

Searching online, I immediately found plenty of other people experiencing this problem. No official solution from Microsoft, but plenty from other users, including what turned out to be the only thing that worked for many: a total reinstall of Windows 10.

One user pointed to an interesting tool, available in the TechNet Script Center, called Reset Windows Update Agent. This script was created and submitted by a non-Microsoft contributor, not by Microsoft. Since I wasn’t getting anywhere looking for an official solution, I tried the tool’s main feature, which does indeed reset all things Windows Update. After rebooting, Windows successfully installed a few updates, then started to install ‘Cumulative Update for Windows 10 Version 1607 (KB4015438)’, which Microsoft issued on March 20 to address problems with KB4013429. But that update also failed to install.

I admit to being tempted to contact Microsoft about this, but then I remembered my previous encounters with Microsoft support, shuddered, and thought better of it. After all, Microsoft already knows my PC is having trouble installing this update, because of all the telemetry in Windows 10, right? If anything, they should be contacting me with a solution. Yeah, right. Like that would ever happen.

I feel sorry for anyone who tries to do anything productive with Windows 10. I only use it for testing and media playback, but even so, this is the end of the line for my relationship with Windows 10. I’ll be installing Linux Mint MATE next.

Firefox 52.0.1

A single security fix is apparently the sole reason Mozilla released Firefox 52.0.1 on March 17. There was no announcement from Mozilla, but as usual, CERT picked up the slack with their own announcement. The release notes for 52.0.1 point to a related security advisory.

Firefox will offer to update itself over the next few days, but you can usually trigger an update by navigating to its About dialog (hamburger menu icon > question mark icon > About Firefox).

Patch Tuesday updates from Microsoft and Adobe

It looks like Microsoft fixed the technical issues that led to February’s updates being postponed until March. Today they announced eighteen updates that address security issues in Windows, Internet Explorer, Edge, Office, Silverlight, as well as Windows Server software, including Exchange.

Critical vulnerabilities for which updates were expected in February, including an SMB flaw in Windows (CVE-2017-0016), and two others that were disclosed by Google’s Project Zero that affect the Windows GDI library (CVE-2017-0038), and Internet Explorer and Edge (CVE-2017-0037), finally get fixes today.

A total of one hundred and forty vulnerabilities are addressed by today’s updates from Microsoft. That’s higher than usual, but of course this is two months’ worth of updates.

Adobe’s contribution to the patching fun this month is new versions of Flash and Shockwave. Flash includes fixes for seven vulnerabilities in earlier versions, while Shockwave resolves a single security issue in versions and earlier.

Chrome will update itself with the new version of Flash in the next day or so, but you can usually trigger the update process by navigating to its About page. Flash updates for Internet Explorer and Edge are included in this month’s updates from Microsoft.

If you’re still using a web browser with a Flash plugin, you should make sure it’s up to date as soon as possible.

Update 2017Mar17: Ars Technica points out — quite rightly — that Microsoft still owes us all an explanation for why the February updates were cancelled. My favourite quote from the Ars article: “when marketers drive communications concerning a reported zero-day exploit, customers lose.” I’d argue that when marketing folk are the only ones talking about technical issues of any kind, we should all be very worried.

Chrome 57.0.2987.98

The latest version of Chrome includes fixes for thirty-six security vulnerabilities.

There are numerous other changes in Chrome 57.0.2987.98. Google didn’t see fit to highlight any of them in the release announcement, so you’ll have to read the browser-annihilating change log to see if any of the changes are of interest. I’m not planning to do that myself, as it’s likely to take several hours, and unlikely to be particularly rewarding.

Chrome updates itself on its own mysterious schedule, but you can usually trigger an update by going to its ‘About’ page. Because this version includes security updates, you should try to update Chrome as soon as possible.

Update 2017Mar16: Ars Technica points out that Chrome 57 includes power saving features that should extend battery life for Chrome users on laptops.

Firefox 52 – security fixes, WebAssembly support

At this point it seems clear that Mozilla has instructed its content writers to never mention version numbers in Firefox release announcements. The reason remains a mystery. Take yesterday’s announcement, for example. It begins “Today‚Äôs release of Firefox” – which makes it sound like Firefox is a new product.

Anyway… the mystery Firefox release yesterday was in fact version 52, which fixes at least twenty-eight security vulnerabilities. The new version also adds support for WebAssembly, which can dramatically improve the performance of web-based applications. Support for those annoying WiFi ‘captive portal’ hotspot login pages is improved in Firefox 52, and there are further improvements to the warnings you’ll see when you’re presented with a login form on an unencrypted connection.

Firefox 52 also removes almost all remaining support for the NPAPI plugin technology, with the lone exception being Flash, which means Silverlight, Java, Acrobat and other plugins that depend on NPAPI will no longer work. Support for the NPAPI version of Flash will apparently be removed in the next major Firefox release.

Microsoft announces amazing new Windows 10 feature

There’s a surprisingly lengthy post on the Windows Experience blog, co-written by two senior Microsoft managers: Michael Fortin (CVP of Windows and Devices Group Core Quality) and John Cable (Director of Program Management, Windows Servicing and Delivery).

Okay, what’s so important that these two folks decided to write about it? Just this: after the upcoming Windows 10 “Creators Update”, Windows 10 will be slightly less likely to do things at inconvenient times.

I don’t know about you, but allowing users to have control over when updates are installed, and when their computer reboots, seems like a pretty basic feature. And in fact that kind of control has existed in Windows for years. Until Windows 10. But instead of fixing the problem and apologizing for it, we get senior Microsoft managers talking about this bug fix as if it was the most amazing new feature ever.

I understand that there are good reasons to force updates and restarts, the main one being that otherwise many people allow their computers to get out of date, and vulnerable. But seriously, wouldn’t it have made more sense for automatic updates and restarts to be the default behaviour, and allow for this behaviour to be overridden, when Windows 10 was released?

The Verge’s take on this. And Ars Technica’s.

Update 2017Mar22: A new ‘tip’ from Microsoft shows Windows 10 users how to change ‘Active Hours’, during which Microsoft hopefully won’t remotely restart their computer. Of course, the maximum duration for active hours is still only twelve hours. On a related note, I was wondering why my Windows 10 test PC always seemed to be logged out lately, and discovered that it’s been trying to install one particular update every night for a couple of weeks. Windows reboots to complete the install, but the installation fails, and the cycle repeats. This is exactly the kind of thing that bothers me about letting Microsoft screw around with my computer without my knowledge.