Category Archives: Windows

Patch Tuesday for June 2019

It’s update time once again, and along with the updates from Microsoft and Adobe, I’m going to annoy you with yet another reminder that Only You Can Prevent Internet Worms. That sounds kind of gross, actually.

Analysis of the Security Update Guide spreadsheet, so thoughtfully provided by Microsoft each month, shows that this month there are thirty-three updates, addressing eighty-eight security vulnerabilities in Windows (7, 8.1, 10, and Server); Flash in Internet Explorer and Edge; Internet Explorer 9 through 11; Edge; and Office 2010, 2016, and 2019. At least twenty-one of the vulnerabilities are categorized as Critical.

If you missed last month’s update festivities, you may not be aware that there’s a very dangerous vulnerability (CVE-2019-0708) in Microsoft’s Remote Desktop feature in Windows XP, Windows 7, and Server 2008. Updates for Windows 7 and Windows Server 2008 computers are available in the usual way, via Windows Update. An update for Windows XP is also available, but you’ll have to download and install it manually, from the Microsoft Update Catalog.

I’m pestering you about this because the last time a vulnerability like this appeared, we got the global WannaCry worm mess. Patch those systems and prevent a similar worm from giving the world another major headache. Here’s Microsoft on the subject, as well as Ars Technica.

As usual, Adobe has released software updates to coincide with Microsoft’s Patch Tuesday, which makes things nice and tidy with Flash being integrated into IE and Edge. Flash 32.0.0.207 fixes a single security vulnerability.

There are a few ways to update Flash on Windows, but starting with the Flash Player Control Panel works for me. On the Flash CP’s Updates tab, you’ll find a Check Now button, which will take you to the Get Adobe Flash page. That will tell you which version you’re running. If you need an update, click the Player Download Center link on that page.

Patch Tuesday for May 2019

From Microsoft this month, we get forty-six updates, addressing seventy-nine distinct vulnerabilities in the usual gang of idiots, namely Windows, Office, Internet Explorer, Edge, .NET, Flash in Internet Explorer, and Visual Studio. Nineteen of the updates have been flagged with Critical severity. Head over to Microsoft’s Security Update Guide for more details.

Those of you running Windows 10 may actually be satisfied with its automatic updates, despite the problems. Either that or you’ve given up fighting Microsoft. And of course there are plenty of folks running Windows 7 and 8 with automatic updates enabled, in response to which I can only tip my hat and tell you that you’re braver than I. The rest of us will (or should) be making the trudge over to Windows Update today.

Microsoft dons a white hat

One of the updates made available by Microsoft today fixes a serious vulnerability (CVE-2019-0708) in older versions of Windows, including Windows 7, XP, and Server 2008. Despite the fact that official support for these versions has ended, Microsoft decided to make the world a slightly better place, taking the time to develop, test, and publish these updates. Which is good, because the hole being fixed is a bad one, in that it could provide a handy new conduit for malicious software worms to propagate… just like WannaCry did in 2017.

So, two things: first of all, thanks Microsoft! Second, if you run Windows 7 or Windows Server 2008 computers, please check Windows Update and install the May 2019 monthly security rollup as described on this Microsoft page. For any computers running Windows XP, you’ll have to download the appropriate update from the Microsoft Update Catalog, as decribed on this Microsoft page.

More about Microsoft’s unusual move

Adobe

Adobe logoAdobe’s contribution this month consists of new versions of Flash and Acrobat Reader. Flash 32.0.0.192 addresses a single security vulnerability, while Acrobat Reader DC 2019.012.20034 addresses a whopping eighty-four vulnerabilities in earlier versions.

Reader will generally update itself, but you can make sure by navigating its menu to Help > Check for Updates.... The easiest way to update Flash is to look for it in the Windows Control Panel. Go to the Updates tab of the Flash control panel widget and click Check Now. This will take you indirectly to the download page for Flash. Make sure you opt out of any additional software offered for install on that page.

Microsoft relents; cedes more Windows 10 update control to users

Microsoft is finally waking up to what we’ve all been saying since before Windows 10 was released: forcing operating system updates on users is not a good idea. Amusingly, they are presenting their findings and announcing related changes as if these things were previously unknown to the world of computing.

Microsoft refers to the process of installing Windows updates as an ‘experience’, and uses adjectives like ‘great’ when describing what they want the experience to be like for users. I don’t know about you, but I’ve never thought about installing updates as a ‘great experience’. Nightmarish, never-ending, endurable, and dreaded are more familiar ways to describe my update experiences. The word I’d most like to use in connection with updates is ‘uneventful’.

Note: phrases like ‘great update experience’ were no doubt vetted by some Microsoft committee. Microsoft writers are presumably encouraged to use these phrases — and avoid negative terminology — when discussing Windows updates.

Microsoft still seems unable to understand what people actually want to ‘experience’ from a Windows update:

  1. We don’t want updates at all, really. We want software to not be full of security holes in the first place. But that’s a fantasy, and will never happen (sigh).
  2. We want updates to not cause problems. Ever.
  3. Updates should install quickly, and with minimal fuss. Giant downloads, massive storage requirements, lengthy update durations, and high CPU usage are unacceptable.
  4. It should be possible to easily, quickly, and effectively revert updates.
  5. Automatic updates are a nice option, but only if we have full control over when they occur.

Upcoming Windows Update changes

  • Download and install now option: a new option on the Windows Update page that installs ‘feature updates’, which provide new or improved functionality. Using this option effectively updates Windows 10 to the latest version in terms of features, without installing any bug or security fixes. According to Microsoft, it’s a way to get the latest features without installing anything potentially risky.
  • Extended ability to pause updates. This further extends your ability to delay installation of updates, although it’s still limited: you can delay an update up to 35 days (seven days at a time, up to five times). This one is important for Windows 10 Home users, because the feature was previously unavailable on that version.
  • Intelligent active hours. The ‘active hours’ setting, which was added in the Anniversary Update, allows you to specify a window of time during which updates should never occur. This will now adjust itself automatically, based on when it thinks the computer is actually being used. This sounds good, but in practise, it may cause more problems than it solves. We’ll see.
  • Improved update orchestration. This new feature will detect device usage, and attempt to install updates when utilization is low, such as when there is no user activity.

For additional details on the upcoming changes, see Microsoft’s recent Windows blog post, titled “Improving the Windows 10 update experience with control, quality and transparency“.

Other Windows Update changes are being tested and may appear in upcoming releases of Windows 10, such as the ability to automatically roll back a problematic update.

These are all welcome changes, but I’m hoping Microsoft goes even further. If the Windows 10 update process improves enough, I may even consider installing it again. For now, there are still too many problems, such as Windows Update’s excessive use of disk space.

At least Microsoft is listening to the complaints about update dialogs popping up over important presentations, and worse. And they’re being surprisingly transparent during this current round of Windows improvements. Several recent Windows update problems (like this one in March and the known issues with this April update and this one) were probably the main impetus behind the changes, though.

Update 2019Jun03: The May update has arrived, and Windows 10 Home users are not impressed with the minor improvements to Windows Update.

Patch Tuesday for March 2019

You know, it’s theoretically possible that we could get a Patch Tuesday with no updates to install. We’ve had months like that for Adobe products. Not for Microsoft, though, at least not in my memory.

Anyway… this month from Microsoft we have thirty-four updates, addressing seventy-five security vulnerabilities in Internet Explorer, Edge, Flash in Microsoft browsers, Office, and Windows. At least that’s what my analysis shows. The source of this information, Microsoft’s Security Update Guide, is a complex beast.

Reminder: these updates are only for versions that are still supported. Windows XP is no longer supported, and Windows 7 won’t be for much longer. Versions of Office older than 2010 are no longer supported, and Office 2010 support will end later in 2019.

It was a busy month for Adobe, with updates to Flash, Reader, and Shockwave.

Flash 32.0.0.171 includes fixes for two vulnerabilities in earlier versions.

Acrobat Reader DC, the variant of Adobe’s Acrobat/Reader product line you probably use, is up to version 2019.010.20099. The new version addresses twenty-one vulnerabilities in earlier versions.

Shockwave Player 12.3.5.205 addresses seven security bugs in earlier versions. You’re slightly less likely to have this software installed on your computer, but it’s worth checking if you’re not sure.

There are links to download the new versions on all the release announcement pages linked to above.

Patch Tuesday for March, 2019

According to Microsoft’s Security Update Guide, March’s updates, twenty-eight in all, include fixes for at least sixty-five security vulnerabilities in .NET, Flash Player (in IE and Edge), Internet Explorer, Edge, Office, Visual Studio, and Windows.

Even if you have automatic updates enabled on Windows 7 and 8 computers, it’s a good idea to check for and install the new updates. If you’re running Windows 10, auto-updates can’t be disabled, but you can still check for updates, and get them sooner that way.

There are no updates for Flash or Reader from Adobe so far in March.

Patch Tuesday for February 2019

Analysis of Microsoft’s Security Update Guide for February 2019 reveals that there are sixty-one distinct updates and corresponding articles in Microsoft’s support knowledge base.

At least seventy-seven vulnerabilities in Windows, Office, .NET, Internet Explorer, Edge, and Visual Studio are addressed by the updates. Twenty of the updates are flagged as Critical. Included in the updates is a new version of Flash for Internet Explorer and Edge.

As always, the easiest way to update Microsoft software is to use Windows Update, found in the Control Panel or System settings of your version of Windows.


Adobe once again adds to the patching load with new versions of Flash and Reader. Flash 32.0.0.142 addresses a single security vulnerability in earlier versions. The easiest way to check your Flash version and grab an update is to visit the Flash Help page.

Adobe Reader DC 2019.010.20091 includes fixes for at least seventy security bugs in earlier versions. Newer versions of Reader support auto-updates, but you can check for new versions by running Reader, and selecting Help > Check for Updates from its menu. If there’s a new version available, you’ll be prompted to install it.

Problems with Windows 7 shares

Do you still run a Windows 7 computer that has shared folders? If you do, and those shares are set up so that they require user authentication, and the user involved is a member of the Administrators group on the Windows 7 computer, then you may find that those shares stopped working recently.

This problem was triggered by one of the Windows 7 updates from January 2019. Uninstalling that update fixes the problem, but doing that also rolls back some important security updates. So that’s not really a viable option.

Thankfully, Microsoft issued a fix for the problem. I’ve tested this fix and confirmed that it does work. To install it on your affected Windows 7 computer, locate the appropriate update (KB4487345 for 32-bit computers; KB4487345 for 64-bit computers) on this Windows Update Catalog page, click to download it, run the download and respond to the prompts. You’ll probably need to restart the computer.

Born’s Tech and Windows World has additional details.

Patch Tuesday for January 2019

Patch Tuesday: the gift that keeps on giving. Imagine a world where the second Tuesday in a month came and went, with no updates to install. Something to celebrate. Meanwhile, back in the real world, there’s an apparently infinite supply of software bugs out there, most as-yet undiscovered.

But back to the matter at hand. Microsoft’s Security Update Guide is still annoying to use on the web, so I recommend downloading this month’s patch details in the form of a spreadsheet. Navigate to the SUG, which by default will show the updates for this month. You should see a ‘Download’ link to the far right of the Security Updates heading. Click that link and open the spreadsheet in Excel or something compatible. In Excel, depending on the version, you should be able to enable the Filter feature, which makes each column heading a drop-down control, allowing you to filter and sort on any column. Very handy.

This month Microsoft is issuing seventy-three bulletins, each corresponding to an update for one or more security vulnerabilities. Forty-eight vulnerabilities are addressed by the updates, which affect the usual targets, namely Windows, Internet Explorer, Edge, Office, .NET, Flash (in IE and Edge), Visual Studio, and Exchange Server.

Windows 10 users will get relevant updates whether they want them or not, as will anyone using older versions of Windows with automatic updates enabled. The rest of us will need to head to Windows Update and click the Check for Updates button.

Adobe logoFrom Adobe, we get a new version of Flash, to go along with last week’s new version of Reader.

The latest Flash is version 32.0.0.114, and it includes fixes for feature and performance bugs, but — surprisingly — none for security bugs.

As usual, the Flash embedded in Chrome will update itself along with the browser, while IE and Edge updates are provided via Windows Update. Your Flash installation may be configured to install updates automatically, but if not, head to the main Flash Player page, which will let you know if you need an update, and provide links.

The new version of Reader (Acrobat Reader DC), made available by Adobe on January 3, is A2019.010.20069. Flash 2019.010.20069 includes fixes for two Critical security issues.

Newer installations of Reader seem to keep themselves up to date, but you can grab the latest version at the Get Reader page. Remember to disable the optional applications, or you’ll get what is likely unwanted software such as McAfee antivirus products.

Patch Tuesday for December 2018

It’s the second Tuesday of the month, so it’s once again time to play Patch Or Else, brought to you by Microsoft and Adobe.

It’s easy to get complacent about updating software: diligently installing updates as soon as they become available is an essential part of a good security strategy, and it means you’re less likely to fall afoul of malicious activity. But it also means that after a while you can lose sight of the risk of not staying up to date, and gradually become lax about installing updates. History is filled with stories of lost lessons; it’s apparently in our nature to forget what’s important when we aren’t reminded of the reasons for that importance.

Analysis of Microsoft’s Security Update Guide for the December 2018 updates reveals that this month we have sixty-seven distinct updates, half of which are flagged as having Critical severity. The updates address security issues in Adobe Flash (embedded in Internet Explorer and Edge), Internet Explorer, Edge, .NET, Office, Visual Studio, and Windows.

Update Windows and your other Microsoft software via Windows Update. In Windows 10, open the Start Menu and click on Settings > Update & Security settings > Windows Update. In older versions of Windows, you can find Windows Update in the Control Panel.

Presumably as part of the ongoing push for transparency in response to Windows 10 update problems earlier this year, Microsoft Corporate VP Michael Fortin posted an article, coinciding with this month’s updates, that explains some of the planning that goes into the monthly updates. Fortin points out that “During peak times, we update over 1,000 devices per second”.

Adobe’s contribution to the patch pile this month is a new version of Adobe Reader. The new Reader includes fixes for at least eighty-seven vulnerabilities, many having Critical severity. The release notes for Adobe Reader DC 2019.010.20064 provide additional details. Update Reader by pointing your browser to the Acrobat Reader Download Center.

Microsoft resumes rollout of Windows 10 October Update

Last month, after users reported file deletion issues, Microsoft took the Windows 10 October Update offline. Yesterday, the (now fixed) update was again made available. Microsoft has slowed their rollout this time, and for now, you can only get the update by manually checking for updates in Windows Update. If there are no new problems, Microsoft will gradually push the update out to all Windows 10 computers over the coming weeks.

In the month since the October update was pulled, Microsoft did a lot of soul-searching (aka process review), and the results of that work, detailed in a November 13 blog post, make for interesting reading. Here are the highlights:

  • Microsoft is trying to be more transparent about how it tests new versions of Windows before they are released. This is a good thing.
  • Adequate testing is difficult because there are so many possible combinations of hardware and software being used on Windows 10.
  • Base functional testing is the responsibility of the development teams. Presumably dedicated testing staff did this previously.
  • Data and user feedback are being used to gauge quality.
  • According to Microsoft, October update issues aside, overall quality and user satisfaction are increasing with each new Windows 10 update.
  • Employees working on Windows 10 have to ‘eat their own dog food’, meaning that they are required to use Windows 10 themselves.
  • As many as 15,000 new device drivers are added to Windows each month.
  • “The first principle of a feature update rollout is to only update devices that our data shows will have a good experience.” I find this wording amusing: in this case a ‘good experience’ means one where you’re less likely to throw yourself off a building after trying to update your O/S.

Update 2018Dec19: “Rollout Status as of December 17, 2018: Windows 10, version 1809, is now fully available for advanced users who manually select “Check for updates” via Windows Update.” See Windows 10 Update History.