Category Archives: Security

aka infosec

Patch Tuesday for February 2020

Yesterday’s crop of updates includes the usual pile from Microsoft, as well as a few from Adobe, for Flash and Reader.

Analysis of Microsoft’s Security Update Guide for February 2020 reveals that there are thirty-eight updates, addressing one hundred and one security issues in Internet Explorer, Edge (both the old and new versions), Flash embedded in Internet Explorer, Office, and Windows. Thirteeen of the updates have been flagged as Critical.

To install Microsoft updates, go to Windows Update in the Control Panel for older versions of Windows, and in Settings > Update & Security for Windows 10. Alternatively, for Windows 10, you can just wait for the updates to be installed automatically.

Adobe logo

The latest version of Flash, 32.0.0.330, fixes a single security vulnerability in earlier versions.

Update Flash on pre-Windows 10 computers by heading to the Windows Control Panel and running the Flash applet. On the Updates tab, check the version and click the Check Now button. Click the link to the Player Download Center. Make sure to disable any checkboxes for installing additional software, then click the big Install Now button. Follow the prompts. You may have to restart your web browser for the update to finish.

Adobe Reader 2020.006.20034, also released this Patch Tuesday, includes fixes for seventeen security vulnerabilities in earlier versions.

Recent versions of Reader typically update themselves, but you can check your version and force an update by navigating Reader’s menu to Help > Check for Updates...

Microsoft news: all bad today

The hits just keep on coming for Microsoft. I suppose it’s inevitable that a company as large as Microsoft will make mistakes, but when their products reach into our lives as thoroughly as Microsoft’s, those mistakes can lead to major disasters.

Global Windows 10 search failures

A huge proportion of Windows 10 users worldwide lost the ability to search their own computers recently. According to Microsoft, the problem stemmed from a glitch on a Microsoft server. Exactly why local search should be affected by some mysterious remote Microsoft server is yet to be explained.

In reality, search in Windows has been variously broken since Vista. I discovered a particularly horrible search bug in that garbage dump of an O/S soon after it was released, and was eventually able to convince Microsoft that it was a real problem; a fix soon followed. But even that didn’t fix all of Windows search’s problems; getting it to find all your files in all their locations was — and continues to be — a never-ending, and ultimately ineffective, exercise.

That’s why most people who need a search function that’s actually useful have long since switched to third party software, such as the excellent, fast, accurate, and free Fileseek. There’s also the blazingly fast (and also free) Everything. Both of these work perfectly out of the box, requiring no special setup to be useful, unlike Windows’ built-in search.

Still, many people assume that the Windows search feature is adequate, and never switch to anything else. Those people discovered the recent problem the hard way, when the already basically worthless search stopped working completely. Those people are understandably angry.

Implicit trust of driver software is a gaping security hole in Windows

Malicious folks have discovered yet another way to fool Windows into executing code that it shouldn’t. The new technique takes advantage of the fact that Windows implicitly trusts drivers. A driver is a small piece of software that connects Windows with hardware, allowing that hardware to be used by the O/S.

In this case, a specific driver that contains a serious security vulnerability — but is neverthless trusted by Windows — was used by hackers to deploy ransomware to affected systems.

There’s no word from Microsoft on how they intend to deal with this glaring hole in Windows security.

A treasure trove of illicit data awaits the buyer of corp.com, thanks to Microsoft

Decisions made by Microsoft years ago are poised to create massive problems for many business and educational customers worldwide. When the person who owns the generic corp.com domain sells it, the new owner will be able to gather credentials and other supposedly private data from Windows computers that assume they are communicating with internal systems.

The problem stems from an ill-considered decision to use corp.com as a default setting and in documentation provided by Microsoft. Server administrators who didn’t change that default are now faced with a huge task that involves bringing down entire networks and possibly creating new problems.

Microsoft has known about this problem for years, and their advice to customers is basically “you shouldn’t have used the defaults”. Thanks for nothing, Microsoft.

Chrome 80.0.3987.87

The latest release of Google’s Chrome web browser, announced on February 4, includes fifty-six security fixes. As usual, details on all of the related vulnerabilities will not be released until a majority of users are updated with a fix.

The full change log for Chrome 80.0.3987.87 is a whopper, with over sixteen thousand changes in all. A little light reading for anyone with a few hours to spare. But hey, at this point if you don’t trust Google you probably shouldn’t be using Chrome. In the same way that you shouldn’t be using Windows 10 if you don’t trust Microsoft.

Chrome updates itself on its own mysterious schedule, unless you’ve taken extreme (and continuous) measures to prevent it. You can find out which version you’re running by navigating Chrome’s menu (hidden behind the three-vertical-dots menu button at the top right) to Help > About Google Chrome. If a newer version is available, you should see a button or link to install it.

Java 8 Update 241 (8u241)

Oracle’s Critical Patch Update Advisory for January 2020 documents twelve security vulnerabilities in Java 8 Update 231 and earlier versions.

Java 8 Update 241 was released to address those vulnerabilities. The release notes page for Java 8 lists notable changes in Java 8 Update 241.

These days the only mainstream web browser that still supports Java is Internet Explorer. If you use Internet Explorer with Java enabled, keeping Java up to date is critical.

But even if you don’t use IE with Java, if Java is installed on your computer, it’s a good idea to keep it up to date. If you’re not sure, look for a Java entry in the Windows Control Panel. Open it and click the About button on the General tab to check the installed version. If it’s not up to date, go to the Update tab and click the Update Now button.

Patch Tuesday for January 2020; end of support for Windows 7

The first Patch Tuesday for 2020 arrives with the long-planned but still inconvenient end of meaningful support for Windows 7.

The venerable Windows 7 still runs on about a quarter of all PCs worldwide. Sticking with Windows 7 was — and continues to be — a conscious decision for many users, made because Windows 8 and 10 were problematic for a variety of reasons.

Microsoft killed support for Windows XP on April 8, 2014, but still released updates for that O/S on a couple of occasions when a security vulnerability was so severe that it seemed likely to cause massive problems if unpatched. Microsoft will probably do the same thing for Windows 7, but it’s not a good idea to rely on the goodwill of any large corporation.

So, if you’re running Windows 7, what should you do? You can upgrade to Windows 8.1, which will buy you some time, until its support ends on January 10, 2023. Or you can stop resisting and make the move to Windows 10. Many of the initial problems with — and objections to — Windows 10 have now been addressed, making it somewhat less unpalatable. Microsoft offers additional guidance on the Windows 7 support ended on January 14, 2020 page on the Microsoft support site.

Another sensible option would be to switch to Linux. There are now Linux distributions that feel a lot like Windows, which can ease the transition. The main problem is software. But even if the software you use has no Linux version, you can still run an older version of Windows in a virtual machine on your Linux computer. That’s not too helpful for high-end games, however.

Back to our regularly scheduled updates…

There are thirty-nine updates (and associated bulletins) from Microsoft this month, addressing fifty vulnerabilities in Windows, .NET, Internet Explorer, and Office. Eight of the updates are flagged with Critical severity.

Although there are other ways to obtain the updates, by far the simplest method is to use Windows Update, which is found in the Windows 10 settings, or the Control Panel in older versions.

Update 2020Jan15: One of the vulnerabilities addressed in yesterday’s updates was reported to Microsoft by the NSA. While there’s disagreement about the seriousness of the vulnerability, this is notable in that the NSA previously wasn’t interested in sharing its discovered vulnerabilities. Lack of NSA cooperation led to the WannaCry ransomware nightmare in 2017. Brian Krebs has more.

While it’s generally a good idea to cross your fingers and install all available Microsoft updates, or at least allow them to be installed automatically, some Windows 10 users have grown wary of updates, and configured Windows Updates to be delayed. The actual risk from this vulnerability is mostly for Windows Server 2016 computers that are exposed to the Internet, and Windows 10 computers normally used by people with administrator permissions.

Update 2020Jan17: There’s more useful information about the NSA-reported vulnerability from Ars Technica, and SANS. SANS has created a web page and download that you can use to test your computers for this vulnerability.

Firefox 72.0 and 72.0.1

Security fixes and some welcome changes to notifications and tracking protection were released in the form of Firefox 72.0 on January 7. Firefox 72.0.1 followed the next day, adding one more security fix.

Site notifications are those annoying messages that pop up when you’re browsing web sites, asking — somewhat ironically — whether you want to see notifications for that site. You can still choose to see those, but now Firefox lets you suppress them. To control notifications, navigate Firefox’s Settings to Privacy & Security > Permissions, then click on the Settings button next to Notifications.

Firefox’s already helpful tracking protections were enhanced in version 72 with the addition of fingerprint script blocking. Fingerprinting is a technique used by many companies to better understand you and your online behaviour. While arguably harmless (it’s mostly about providing better ad targeting) fingerprinting is also creepy and a privacy concern. By default, Firefox now blocks scripts that are known to be involved.

Current versions of Firefox default to updating themselves automatically, but you can check for available updates by navigating Firefox’s menu to Help > About Firefox.

Security improvements in Chrome

Google is rolling out some changes to the Chrome web browser that will improve security in several ways. The changes are being spread out across several updates, and exactly when they will arrive on your devices depends on some security-related settings.

Warnings about compromised passwords

When you enter a user ID and password on any web site using Chrome, the browser can check whether that combination is on a list of known-compromised IDs and passwords. Chrome started doing this earlier in 2019, but you had to install the Password Checkup extension to use it. A couple of months ago, Google added this feature to passwords stored in Google accounts, protecting anyone who logs into their Google account in Chrome.

What’s new is that this password protection is now built into Chrome itself, and will now protect all Chrome users by default, regardless of whether they are logged into their Google account.

According to Google, “You can control this feature in the Sync and Google Services section of Chrome Settings.” In my installation of Chrome (version 79.0.3945.88), there’s a new option: Warn you if passwords are exposed in a data breach.

Real-time protection against unsafe sites

Google’s Safe Browsing service provides a continuously-updated list of unsafe sites. When you visit a web site or download a file, Chrome checks the address (URL) against the Safe Browsing list. The file it checks is on your computer, and updated every 30 minutes.

Previously, only a local copy of the unsafe URLs list (updated every 30 minutes by Google) was checked. What’s changed is that a new safe URLs list (stored on your computer and updated by Google) is checked, and if the site you’re visiting isn’t listed as safe, Chrome then checks an unsafe URLs list hosted by Google.

This change allows Chrome to use the most up to date information when deciding whether to warn you about potentially unsafe sites.

You can control this behaviour in Chrome’s settings: Sync and Google Services > Make searches and browsing better.

Expanding predictive phishing protection

When you enter a username and password on a web site, Chrome can check whether you are on a suspected phishing site.

Previously, Chrome only performed this check when you entered Google Account credentials on a web site, and only with the Sync feature enabed. What’s new is that Chrome now checks all passwords stored in Chrome’s password manager, and it does so as long as you’re signed into Chrome, even if Sync is not enabled.

It’s not clear whether there are specific Chrome settings that control this behaviour.

Safe to use

In the blog post announcing these changes, Google is careful to explain that the process of checking your passwords is itself completely secure, and even Google can’t determine your password as part of the process. The other checks that involve sending information to Google’s systems are also secure and private. In other words, you don’t need to worry about any of your information or activity being intercepted or misused, even by Google.

Patch Tuesday for December 2019

This month we’ve got a new version of Reader from Adobe, along with the usual heap of updates affecting Microsoft software.

Analysis of Microsoft’s Security Update Guide for December shows that there are thirty-two updates in all, affecting Internet Explorer 9 through 11; Office 365, 2013, 2016, and 2019; Visual Studio; Windows 7, 8.1, and 10; and Windows Server 2008, 2012, 2016 and 2019. Thirty-seven vulnerabilities (CVEs) are addressed, of which seven are flagged as having Critical severity.

The easiest way to install Microsoft updates is via the Windows Update Control Panel (prior to Windows 10) or Settings > Update & Security on Windows 10.

Adobe logoAdobe released updates for several of its software products on Tuesday, but the only one likely to be installed on your computers is the ubiquitous Acrobat Reader DC, Adobe’s free PDF file viewer.

A new version of Acrobat Reader DC, 2019.021.20058, addresses at least twenty-one vulnerabilities in previous versions.

Recent versions of Reader seem to keep themselves updated, but if you use Reader to view PDF files from dubious sources, you should definitely check whether your Reader is up to date. Do that by running it, then choosing Check for Updates... from the Help menu.

About CVEs

I usually refer to security bugs as vulnerabilities. There’s another term that I sometimes use (see above): CVE. That’s an abbreviation for Common Vulnerabilities and Exposures. If you’d like to know more, there’s a helpful post about CVEs over on the SecurityTrails web site. Here’s a quote:

CVE was launched in 1999 by the MITRE Corporation, a nonprofit sponsored by the National Cyber Security Division, or NCSD. When a researcher or a company discovers a new vulnerability or an exposure, they add them to the CVE list so other organizations can leverage this data and protect their systems.

It’s a worthwhile read, even for non-technical folks.

Firefox 71.0

Firefox is my current web browser of choice. I use Google Chrome sparingly, because it’s gotten so bloated and resource-intensive that I can’t leave it running. Perhaps that will change; it wasn’t that long ago that Chrome seemed like the best choice.

I still use Opera and Vivaldi for certain specific activities. And while there’s still no way I can stop using Internet Explorer altogether, I only do so when absolutely necessary. I avoid Edge completely, as it seems hopelessly buggy. There are other alternatives, but for now, Firefox is my main browser.

The latest version of Firefox is 71.0. The new version improves some existing features and adds a few more. Several bugs are fixed, including some security vulnerabilities.

New in Firefox 71.0

  • The integrated password manager, which Mozilla calls Lockwise, now differentiates between logins for different subdomains. If you have one login for subdomain1.domain.com and another for subdomain2.domain.com, they will no longer be conflated.
  • Lockwise will also now display a warning if it finds one of your passwords in a list of potentially compromised passwords.
  • The Enhanced Tracking Protection feature will now show a notification when Firefox blocks cryptomining code. You can see what Firefox is blocking by clicking the small shield icon at the far left of the address bar.
  • You can now view video in a floating window using the Picture-in-picture feature. Look for a small blue button () along the right edge of a video and click it to pop out the PiP window.

Security fixes

Eleven security vulnerabilities are addressed in Firefox 71.0. None of them are ranked as critical, and there doesn’t seem to be any evidence that any have been used in actual attacks. Still, it’s best to close those holes before they can be exploited.

How to update Firefox

Check which version of Firefox you’re running by navigating its ‘hamburger’ menu (at the top right) to Help > About Firefox. If you’re not running the latest version, you should see a button that will allow you to upgrade.

MORE Windows 10 update problems

Today’s nightmare is brought to you by Microsoft

An open letter to Microsoft:

Dear Microsoft –

Please either allow us to disable Windows 10 updates, or stop pushing out updates that break millions of computers worldwide every few weeks.

Sincerely,
Almost a billion Windows 10 users

The problems with Windows 10 updates are getting worse, not better. The last major feature update (1903) had major issues at release, and more seem to be turning up with each new set of “quality” updates. Those quotes around the word ‘quality’ are very intentional, by the way.

I’ve just spent most of a day troubleshooting and fixing a heinous set of problems related to printing, affecting most of the computers at a retail client. Printing is a critical function for this client, as it is for most businesses.

What follows is the sequence of events leading up to the printing problem, and what finally fixed it.

All of the computers are running 64-bit Windows Professional release 1903 (build 18362.356).

SUMMARY: Update 4522016, which apparently caused these printing problems on some computers, was never installed on any of the affected PCs at this business. Update 4524147 caused the printing problems it was supposed to fix. Uninstalling update 4524147 fixed the printing problems on three otherwise up-to-date Windows 10 PCs.

  1. 2019Oct03: Update 4524147 was installed automatically on all affected PCs. This happened overnight, which is normal for these PCs.
  2. 2019Oct04: The client reported printing problems on several PCs.
  3. 2019Oct04: The usual troubleshooting for printing issues was ineffective. Research eventually showed that a recent Windows update (4522016) was causing printing problems for many users. But that update was never installed on any of the affected PCs.
  4. 2019Oct04: Since printing was working fine before 4524147 was installed, I uninstalled that update, and printing started working again. Repeating this on all affected computers resolved all the printing problems.
  5. 2019Oct05: On trying to log into one of the recently-fixed PCs, Windows 10 told me that the Start menu was broken. Research showed that update 4524147 was causing this problem (the second time an update broke the Start menu in recent weeks). I checked, and sure enough, 4524147 had been reinstalled automatically overnight. Uninstalling it fixed the Start menu.
  6. 2019Oct05: To delay recurrence of the printing problem, I used the Advanced settings on the Windows Update screen to delay updates as long as possible. On most of the PCs, I was able to delay updates for between 30 and 365 days. On one PC, these settings were inexplicably missing. I eventually had to use the Local Group Policy Editor to make the necessary changes.
  7. 2019Oct04: I reported this bizarre situation to Microsoft via its Windows 10 Feedback hub. It’s difficult to know whether anyone at Microsoft will actually see this, or take it seriously. I have doubts, which means that this problem seems likely to reappear at some point.

As predicted

This is in fact the nightmare scenario envisioned by myself and others when it became clear that Windows 10 updates would not be optional. While Microsoft has — grudgingly — made it possible to delay updates, it’s still not possible to avoid them completely, and if you’re one of the unlucky Windows 10 Home users, even that’s not an option.

Questions for Microsoft

Why did an update intended to fix printing problems actually cause those exact problems?

Why are some of the advanced Windows Update settings missing from one of several identically-configured Windows 10 PCs running the same build?

Why are you inflicting this garbage on us? Do you hate us?

WHY DON’T YOU LET US TURN OFF UPDATES? This is the simplest solution, and while I understand that you want Windows 10 installs to be secure (and that means installing fixes for security vulnerabilities), until you can produce updates that don’t cause massive problems, we don’t want them.

Related links

Update 2019Oct10: Apparently update 4517389, released on October 8 along with the rest of October’s updates, addresses this problem.