Category Archives: Security

aka infosec

Patch Tuesday for June 2021

According to my count, which is based on the official Security Update Guide, Microsoft’s patch pile for June addresses forty-nine security vulnerabilities.

There are approximately thirty-two updates, affecting .NET, Office, Windows (7, 8.1, and 10), SharePoint, and Visual Studio.

Only people paying through the nose for them will get the Windows 7 updates; the rest of us are out of luck. Windows 8.1 updates can be installed via the Windows Update control panel. Windows 10 systems will receive the updates when Microsoft feels like rebooting your computer, usally at the most inopportune time.

New versions of Acrobat and Reader

Adobe logoEarlier this week, timed to coincide with Microsoft Patch Tuesday, Adobe released new versions of its PDF authoring tool Acrobat, as well as its free PDF viewer, Reader.

The new versions address ten security vulnerabilities in earlier versions. The new version of Acrobat Reader (DC) is 2021.001.20155.

If you have Adobe Reader installed on any of your computers, you should check whether it’s up to date, and install the new version if it’s not. You can do that by running Reader, and navigating its menu to Help > About Adobe Acrobat Reader DC.

You can install the latest version of Reader by navigating its menu to Help > Check for Updates.

Patch Tuesday for May 2021

Still waiting for the vaccine? Trying to avoid going outside? Well, luckily for you, there are plenty of indoor tasks you can work on, like Netflix binge-watching, exercise, and installing software updates on your Windows computers.

For May 2021, Microsoft is handing us yet another pile of updates, addressing eighty-eight vulnerabilities (by my count) in .NET, Internet Explorer, Office, Edge, Exchange Server, SharePoint, Visual Studio, Skype, and Windows. My analysis is based on data exported from Microsoft’s Security Update Guide.

As usual, Windows 10 users can delay updates but not indefinitely. Windows 8.1 users who don’t have automatic updates enabled need to go to Windows Update to get the updates. Windows 7 users are mostly out of luck, but should check Windows Update anyway, because Microsoft sometimes makes critical update available for all users, not just business and educational users with deep pockets. If you’re still using Windows XP, there are no more updates, and I hope you know what you’re doing.

Java 8 Update 291

Oracle’s quarterly bulletin for Q1 of 2021 as usual includes some Java security alerts, and a new version of Java was released to fix the associated vulnerabilities.

Java 8 Update 291 addresses two security vulnerabilities in earlier versions.

As usual, the easiest way to update Java is through its own built-in update mechanism. Head to the Windows Control Panel, open the Java applet, go to the Update tab, and click Update Now.

Patch Tuesday for April 2021

While installing software updates may not be the most fun you can have, at least you can do it indoors and remotely, safe from the pandemic still raging outside.

As usual, the main source of update information from Microsoft is the Security Update Guide (SUG). The SUG is a huge database, and it’s easy to get overwhelmed by the amount of information there. I begin my analysis by downloading this month’s information as a spreadsheet, which when loaded into Excel is much easier to handle.

Estimates of the number of vulnerabilities addressed by this month’s updates vary: by my count, it’s one hundred and eighteen. Other people show the total as ‘over 110’ and 114. Microsoft seems to have embraced a ‘keep them guessing’ strategy, perhaps so that we’ll eventually give up and stop counting, and learn to simply accept what we get without trying to get a handle on it. In psychology, that’s known as learned helplessness, which sounds about right.

This month’s updates include fixes for still-supported versions of Windows, Office, Edge, SharePoint, Visual Studio, and VS Code.

Also this month there are fixes for the rather horrible Microsoft Exchange vulnerabilities that have led to even worse compromises of business, government, and education systems worldwide in recent weeks. That’s great news, but unless you work in one of those environments, you are likely not affected.

Windows 10 users are once again faced with limited options: a) give in to Microsoft and allow updates to be installed on their schedule, risking bad updates; or b) delay updates as long as possible, risking being exposed to security vulnerabilities.

Windows 8.1 users still have an actual choice, since automatic updates can be disabled entirely. In which case you’ll need to run Windows Update manually to get the latest updates.

Windows 7 still occasionally gets updates. Microsoft creates them for enterprise clients, who pay a premium for that service. Non-paying folks don’t usually have access to those updates, although sometimes Microsoft makes individual updates available to all if they are particularly dangerous. Note that Windows 7 still works just fine: you can minimize the security risk of running it by being extremely careful when using email, browsing the web, clicking links, and downloading software.

Windows XP is still being used, but it’s long past receiving any updates, and it’s increasingly unable to run new software. It’s perfectly safe to use if it’s not connected to the Internet, or if it’s only used for specific, limited tasks.

Flagging software as dangerous for the wrong reasons is idiotic

There’s a disturbing trend in the world of malware detection: falsely labeling software as malware.

For example, there’s an entire category of software that’s being mislabeled as malware by an increasing number of anti-malware providers: torrent software.

Torrent software is widely used by people trying to get access to cultural material that is otherwise locked away by the gatekeepers of big media (by way of prohibitive pricing, overlapping services, poor or unavailable service, geo-locking, release windows, and other big media fuckery).

Torrent software is used all over the world to legally share media in an extremely efficient, and Internet-friendly way.

But big media doesn’t care about any of that, because torrent software is also used for piracy.

Currently, there are efforts underway by media organizations to discredit and cripple torrent software in any way possible. Apparently they are now leaning on anti-malware software and service providers.

Why would an otherwise reputable anti-malware organization erroneously flag software as malicious? There are a number of possibilities:

  • They are being fed false information
  • Industry/corporate threats
  • Financial incentives

Why is this a problem?

  • It’s an extremely annoying inconvenience for users. Unable to install the falsely-labeled software, or exclude it from malware scans, some users will resort to uninstalling their anti-malware software.
  • It’s increasingly difficult for users to distinguish between actual threats and bullshit.
  • If an actually malicious version of one of these programs comes along, there’s no way to distinguish it from other versions that are erroneously flagged as malicious.
  • A general loss of trust in anti-malware providers and their services.

Big media will keep playing this idiotic game of whac-a-mole in any way their lawyers dream up. Media piracy continues, despite these efforts, and the only people affected are innocent users.

Advice to anti-malware purveryors: stop doing this. It’s short-sighted, dangerous, and stupid.

Patch Tuesday for March 2021

It’s another Patch Tuesday, usually referred to by Microsoft as ‘Update Tuesday’. Terminology aside, what it means is a big pile of updates that will be foisted upon most Windows users over the next few days.

Those of us sticking with Windows 8.1 can still review the available updates and install them at our leisure, which can be very satisfying when an update that we defer turns out to cause problems. But Microsoft seems to reserve its major screwups to Windows 10 updates these days (incuding this month’s printing crashes, and the fix for those crashes).

If you’re running Windows 10, you can defer updates for as long as a month… unless you’re running any of the Home versions, in which case the updates are as inevitable as taxes.

This month’s updates address several extremely serious security vulnerabilities in Exchange, Microsoft’s email server software, which ordinary folks are very unlikely to be running.

But the parade also includes updates for the usual offenders: Internet Explorer, Microsoft Edge (both the Chromium-based and original versions), Office (Excel, PowerPoint, SharePoint, Visio), Visual Studio, Visual Studio Code, and of course Windows. One hundred and thirty-one vulnerabilities* are addressed in all.

Microsoft’s Security Update Guide is currently the official source for this information. The SUG has undergone some improvements lately, and it’s gradually getting easier to navigate, which is a relief.

If you’re still running Windows 7, today’s festivities are largely meaningless, though Microsoft does occasionally toss a bone in your direction, in the form of a Windows 7 update normally reserved for those deep of pocket. Microsoft will presumably continue to do this when a flaw is serious enough that witholding the fix would create a public relations problem for the company.

The release notes for today’s updates provide additional details, though they are still sadly somewhat incomplete.

* The vulnerability count varies depending on who’s looking. According to the SANS Internet Storm Center, “This month we got patches for 122 vulnerabilities. Of these, 14 are critical, 5 are being exploited and 2 were previously disclosed.” Brian Krebs says “from Microsoft today…the company released software updates to plug more than 82 security flaws in Windows and other supported software. Ten of these earned Microsoft’s “critical” rating”. Clearly Microsoft’s Security Update Guide still needs work.

Patch Tuesday for February 2021

We’re gradually moving into a world where the software we use every day is maintained remotely, because it runs on or from a remote server, or because it automatically updates itself. This is widely viewed as progress, since the responsibility of protecting everyone from vulnerable software moves away from software users, to software producers. Responsible software producers no longer simply create and sell software, developing and making available updates when necessary; they are taking on the task of deploying those updates to user platforms.

There are drawbacks to this approach. Many people — including myself — are reluctant to cede control of the software we use to faceless corporate drones. We are wary of allowing corporate interests control what we see on our computers. With Windows 10, everything is in place to allow Microsoft to sell advertising space on your computer screen. We shudder to think of the nightmare scenarios resulting from bad (and unavoidable) updates.

For those of us who are resistant to these changes, there are options. Most software that automatically updates itself includes settings to disable auto-updates in favour of manual updates. Notable exceptions are Windows 10, and almost all Google and Adobe software.

There are other problems. Once, every update came with release notes and change logs. Increasingly, the details of changes in updates are not published, and users must simply trust that software producers only ever intend to make things better for us. Sadly, that is not always the case. The Windows desktop client for Spotify is a good example: it’s buggy, unstable, crash-prone, and although it is updated frequently, new versions are not documented in any way. Installing Spotify updates is a game of Russian Roulette, and it’s not optional.

Where do we go from here?

Updates should always be optional. Sure, install them by default, but provide settings to allow users to fully control whether and when updates are installed. At the very least, this would make updates much less stressful for business and educational IT staff. How about providing a free version that automatically updates itself and allows advertising, and a reasonably-priced version that allows control over updates and advertising? I’d be willing to pay a few bucks extra to have that kind of control.

Meanwhile, back to reality

Here in the real world, we’ve got more updates from Microsoft and Adobe, many of which are not optional. Some of these updates are not available for free, and are instead prohibitively expensive (e.g. all updates for Windows 7).

First up it’s Microsoft, with software updates addressing fifty-six vulnerabilities in .NET, Edge, Office, Sharepoint, Visual Studio, VS Code, Windows, and Defender.

If you try to count the number of distinct updates, your numbers will vary, depending on what you’re counting. As such, I will no longer be attempting update counts.

You can wade through the details yourself, using the new, ‘improved’ Security Update Guide. You can also find a summary on the official release notes page for this Patch Tuesday.

Several of this month’s updates address critical vulnerabilities that are being actively exploited. Which of course drives home the point that people really need to update, as soon as possible. Which in turn is a strong argument for forcing those updates. Welcome to the new update hell reality.


Adobe logoAdobe has been installing automatic update mechanisms on your computer for a few years now. As with Google software, this is accomplished using a variety of techniques that are also used by malware: to make sure they are always enabled, to reinstall themselves when removed, and to remain hidden as much as possible. While it is possible to remove or disable these update mechanisms, doing so is an exercise in frustration, because they will return, sometimes in a form that’s even more difficult to remove. The only real solution is to avoid using such software.

If you’ve ever opened a PDF file on your computer, there’s a good chance that it opened in Adobe’s free Acrobat Reader. In which case that software is updating itself automatically, using a system service called Adobe Acrobat Update Service.

Adobe released a new version of Reader on February 9: 2021.001.20135. This new version addresses at least twenty-three security vulnerabilities in earlier versions. Since it’s difficult to know exactly when automatic updates will occur, it’s a good idea to check. On Reader’s menu, navigate to Help > About Adobe Acrobat Reader DC. If your version is out of date, select Help > Check for Updates on Reader’s menu to install the new version.

Java 8 Update 281

Oracle’s Critical Patch Update Advisory for January 2021 includes an entry for Java. There’s a single security vulnerability in Java 8 Update 271 and, presumably, in earlier versions as well.

The risk of using an unpatched version of Java depends on how you use it. If it’s only used to run specific, business-related software, the risk is low. By far the biggest risk is Java code that arrives on your computer by way of compromised web sites, or in email.

Java’s newer, built-in security features make it less of a risk than in years past, but risk remains. As a rule, it’s best to keep Java up to date.

If Java is installed on your Windows computer, you’ll see an entry for it in the list of installed software in the Control Panel or Settings. You should also see an applet in the Control Panel for Java, which you can use to both check which version is installed, and update it if necessary.

To get to the Control Panel in Windows 10, click the Start button, then start typing “control panel”. You should see it in the search results as you type. Click the search result to get there.

Patch Tuesday for January 2021

There’s no stopping the juggernaut of monthly updates coming from our pals in Redmond.

This month’s load of updates, based on analysis of the new, ‘improved’ Security Update Guide, shows that we have updates for Edge, Office (2010, 2013, 2016, and 2019), Sharepoint, SQL Server, Visual Studio, Windows (7, 8.1, and 10), and Windows Server (2008, 2012, 2016, and 2019), addressing eighty-three security vulnerabilities in all.

There’s a summary of this month’s updates linked from the SUG, but as usual, it’s bafflingly incomplete.

Windows 8.1 computers can get this month’s updates via Windows Update in the Control Panel. Windows 10 computers will get the updates over the next few days, unless they’ve been configured to delay updates temporarily. Windows 7 users are still basically out of luck.

Flash is DEAD

Adobe’s kill switch for Flash went into effect as scheduled yesterday. Any Flash media you try to view from now on will show a placeholder image, which links to the End Of Life announcement for Flash.

That includes any Flash media you have lying around on your computer. For example, I found the Flash test animation on my main computer and uploaded it to my web server, where until January 12, it worked perfectly. That same Flash animation used to show on the main Flash help page, but of course that page now shows the placeholder as well.

And so ends the long, exasperating, security nightmare that was Flash. Good riddance.