Category Archives: Patches and updates

Patch Tuesday for April 2017

As of this month, Microsoft is no longer publishing security bulletins. What we get instead is the Security Update Guide, an online database of Microsoft updates. Instead of a nice series of bulletins in my RSS reader, I get a single notification that contains almost nothing of use, aside from a link to the Security Update Guide. It also recommends enabling auto updates. Suffice to say that they won’t need to change the wording next month.

Security Update Guide

I’m sure it’s possible to create an online update database that works, but the Security Update Guide doesn’t qualify. In the hour I’ve spent so far trying to use it, what I usually see is an empty list. On the occasions when updates were shown, attempting to navigate from there also produced blank lists. Presumably this is happening because the site is overwhelmed, this being Patch Tuesday, but it’s also an excellent demonstration of why simpler systems are often better.

But even assuming that the current (as of 2017Apr11 13:00 PST) issues are transitory, information about the current set of updates that I did manage to see (in brief glimpses) was scattered among hundreds of items in the list. There is an always-visible link to a release notes page for the month’s updates, but sadly that page is far less useful than the summary bulletins previously provided. Aside from a few notes about special cases, all we get is this:

The April security release consists of security updates for the following software:
Internet Explorer
Microsoft Edge
Microsoft Windows
Microsoft Office and Microsoft Office Services and Web Apps
Visual Studio for Mac
.NET Framework
Silverlight
Adobe Flash Player

For the period between March’s Patch Tuesday and today, the guide shows 233 total items. To learn more, you have only one obvious option: go through every item in the list, looking for unique Knowledge Base article numbers in the More Info column, and clicking them to see the related KB article. I think I’ll leave that as an exercise for the reader. If Microsoft improves the guide sufficiently, I’ll go back to providing a more detailed breakdown of the monthly updates.

Update 2017Apr12: On Microsoft’s Security Update Guide, you’ll find a small Download link at the top right of the update list. You can use this to open the update list in Excel, which is a lot easier than using the flaky web-based tool. Using this method, I was able to count the number of unique updates, and it looks like there are forty-two, with forty-four vulnerabilities addressed. CERT’s count is sixty-one.
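The de-duplication described in this update can also be scripted; the following is an added example, not code from the original post or from Microsoft. It assumes the downloaded list has been saved as CSV; the `Product` and `Details` column names are assumptions about the export layout (only "More Info" is named in the post), and the KB and CVE values in the sample are constructed placeholders.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample rows. KB and CVE numbers are placeholders, and every
# column name except "More Info" is an assumption about the export layout.
SAMPLE_EXPORT = """\
Product,More Info,Details
Windows 10 Version 1607 for x64-based Systems,KB9000001,CVE-0000-0001
Windows 10 Version 1607 for 32-bit Systems,KB9000001,CVE-0000-0001
Windows 10 Version 1607 for x64-based Systems,9000001,CVE-0000-0002
Internet Explorer 11,KB9000002,CVE-0000-0002
Microsoft Office 2016 (64-bit edition),"KB9000003, KB9000004",CVE-0000-0003
Silverlight 5,,CVE-0000-0004
"""

# Accept "KB1234567" or a bare article number; a cell may hold several.
KB_RE = re.compile(r"(?<![0-9A-Za-z])(?:KB)?(\d{6,8})(?![0-9])", re.IGNORECASE)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)


def summarize(csv_text):
    """Collapse one-row-per-product listings into unique updates and CVEs."""
    kb_products = defaultdict(set)   # KB article -> products it applies to
    cves = set()
    rows_without_kb = []             # rows that need a manual look
    rows = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows += 1
        cves.update(c.upper() for c in CVE_RE.findall(row.get("Details") or ""))
        kbs = KB_RE.findall(row.get("More Info") or "")
        if not kbs:
            rows_without_kb.append(row.get("Product", ""))
        for kb in kbs:
            kb_products["KB" + kb].add(row.get("Product", ""))
    return {"rows": rows, "updates": dict(kb_products),
            "cves": cves, "rows_without_kb": rows_without_kb}


if __name__ == "__main__":
    s = summarize(SAMPLE_EXPORT)
    print(f"{s['rows']} rows, {len(s['updates'])} unique updates, "
          f"{len(s['cves'])} unique CVEs")
    for kb, products in sorted(s["updates"].items()):
        print(f"  {kb}: {len(products)} product(s)")
    print("rows with no KB number:", s["rows_without_kb"])
```

Rows with an empty "More Info" cell are reported separately rather than dropped, so an update that ships without a KB article is not silently missed from the count.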

Update 2017Apr18: Ars Technica wonders if anyone likes the new Security Update Guide.

Update 2017May05: One of the updates is a new version of Silverlight (5.1.50906.0) that addresses a single security issue.

Adobe’s Contribution

As is now almost traditional, Adobe published their own set of updates today. This month we get updates for Flash (seven issues addressed) and Acrobat/Reader (47 issues addressed).

If you still use a web browser with a Flash plugin, you should update it as soon as possible. Internet Explorer and Edge will of course get their own Flash updates via Microsoft Update, while Chrome’s built-in Flash will be updated automatically on most computers.

Vivaldi 1.8

The latest version of Vivaldi sports a reworked browsing history, and better control over audio, as well as several bug fixes. The release announcement lists all the changes. None of the changes appear to be related to security.

Vivaldi 1.8’s new history interface is a real improvement over what’s available in other browsers. Anyone who spends a lot of time reviewing their browsing history will appreciate the new calendar view.

Despite the improvements, I’d rather the Vivaldi development team spend their time fixing issues with the user interface. The sidebar bookmark editor is still weirdly difficult to use, and it’s also now apparently impossible to remove. There are still inconsistencies in the way links and bookmarks are handled, and the browser still lacks options that would allow complete control over whether links and bookmarks open in new tabs.

Update 2017Apr05: the full version number is 1.8.770.50.

Firefox 52.0.2

There’s another new Firefox release: 52.0.2. The new version fixes a few minor bugs, none related to security.

Firefox should update itself automatically to the new version, but there’s no particular urgency about this update, unless you’re affected by one of the bugs it fixes. See the release notes for details.

As usual, there was no announcement from Mozilla about Firefox 52.0.2. I learned about this one when Firefox offered to update itself.

Windows 10 cumulative updates hopelessly botched

Recently I noticed that my Windows 10 test PC wasn’t staying logged in. Every morning, despite not having logged out the day before, I was seeing the login screen. A bit of poking around in the Windows 10 settings showed that Windows was trying to install update KB4013429, rebooting to complete the install, failing to complete the install, and rolling back the changes. Rinse and repeat daily, since March 14.

Searching online, I immediately found other people experiencing this problem. No official solution from Microsoft, but plenty from other users, including what turned out to be the only thing that worked for many: a total reinstall of Windows 10.

One user pointed to an interesting tool, available in the TechNet Script Center, called Reset Windows Update Agent. (Note: this script was created and submitted by a non-Microsoft contributor, not by Microsoft.) Since I wasn’t getting anywhere looking for an official solution, I tried the tool’s main feature, which does indeed reset all things Windows Update. After rebooting, Windows successfully installed a few updates, then started to install ‘Cumulative Update for Windows 10 Version 1607 (KB4015438)’, which Microsoft issued on March 20 to address problems with KB4013429. But that update also failed to install, and now we’re back in our daily loop.

I considered contacting Microsoft about this, but then I remembered my previous encounters with Microsoft support, shuddered, and thought better of it. After all, Microsoft already knows my PC is having trouble installing this update, because of all the telemetry in Windows 10, right? If anything, they should be contacting me with a solution. Yeah, right. Like that would ever happen.

I really don’t want Microsoft to be in a position to make my life miserable, especially now that they can do that remotely, without my explicit consent, and usually without my knowledge. At a time when Microsoft should be showing us just how much they’ve learned about managing Windows updates, they seem to be getting worse.

I sympathize with anyone who tries to do anything productive with Windows 10. I only use it for testing and media playback, but even so, this is the end of the line for my relationship with Windows 10. I’ll be installing Linux Mint MATE next.

Update 2017Apr30: I decided to call Microsoft after all. I figured it was only fair to give them one last chance. The call was relatively painless; I was only on hold for a few minutes. The tier one support person I spoke with identified himself as such and was happy to escalate my problem to the next support tier once it became clear he couldn’t help. We arranged a callback from tier two support, which happened yesterday. Both support people I spoke with started by asking if they could start a remote session to the affected computer, which I declined in both cases. I understand being able to control a computer remotely makes support much easier, but I’m just not comfortable with the idea.

The tier two guy confirmed that Microsoft knows about this problem and is working on it. He also confirmed that lots of people are reporting the same problem. Unfortunately, the only fix he could provide was to hide the troublesome update, so that it stops trying to install every day. The ability to hide updates exists in the classic Windows Update, but that feature was removed from Windows 10, so a special download was required. The Microsoft support article “How to temporarily prevent a driver update from reinstalling in Windows 10” includes a link to a tool called the Show or hide updates troubleshooter package. I downloaded and ran the tool, and it listed a few pending updates, including the most recent failing cumulative update. I hid that update, and so far so good: the computer no longer tries to install the update daily.

According to the tier two support guy, when Microsoft finds a fix, they’ll include it with a subsequent cumulative update, and all will be well with the world. But in the meantime, my Windows 10 PC isn’t getting security updates. So it’s not much of a solution. Linux, here we come.

Firefox 52.0.1

A single security fix is apparently the sole reason Mozilla released Firefox 52.0.1 on March 17. There was no announcement from Mozilla, but as usual, CERT picked up the slack with their own announcement. The release notes for 52.0.1 point to a related security advisory.

Firefox will offer to update itself over the next few days, but you can usually trigger an update by navigating to its About dialog (hamburger menu icon > question mark icon > About Firefox).