Category Archives: Windows

Patch Tuesday for June 2018

The June 2018 Security Update Release bulletin on Microsoft’s TechNet blog is almost devoid of useful information, but if you click the link to the Security Update Guide, then click the big Go To Security Update Guide button, you’ll see a link to the release notes for this month’s updates.

According to the release notes, this month’s updates affect Internet Explorer, Edge, Windows, Office, Office Services and Web Apps, Flash embedded in IE and Edge, and ChakraCore. Analysis of the information in the SUG reveals that there are forty updates, fixing fifty-one separate vulnerabilities. Eleven of the vulnerabilties are flagged as Critical.

Patch Tuesday for May 2018

Spring has sprung, and with it, a load of updates from Microsoft and Adobe.

This month from Microsoft: sixty-seven updates, fixing sixty-nine security vulnerabilities in Windows, Internet Explorer, Office, Edge, .NET, Flash, and various development tools. Seventeen of the vulnerabilities addressed are flagged as Critical and can lead to remote code execution.

The details are as usual buried in Microsoft’s Security Update Guide. You may find it easier to examine that information in spreadsheet form, which you can obtain by clicking little Download link partway down the page on the right. Just above that there’s a link to the release notes for this month’s updates, but don’t expect much useful information there.

Update 2018May11: If you were looking for something to motivate your patching endeavours, consider this: two of the vulnerabilities addressed in this month’s updates are being actively exploited on the web.

Adobe logoAs you might have guessed from Microsoft’s Flash updates, Adobe released a new version of Flash today. Flash 29.0.0.171 addresses a single critical vulnerability in previous versions. You can find release notes for Flash 29 on the Adobe web site.

You can get Flash from Windows Update if you run a Microsoft browser, via Chrome’s internal updater, or from the official Flash download page. If you use the Flash download page, make sure to disable any optional installs, as they are generally not useful.

Windows 10 April 2018 Update

Another big update for Windows 10 is scheduled to start rolling out to all Windows 10 computers on May 8. Microsoft is calling this one the Windows 10 April 2018 Update.

As with all Windows 10 updates, there’s no way to avoid it, and the only way to control when the update lands on your computer is to manually check for updates using Windows Update. Doing that any time after April 30 should show the April update and let you install it.

What’s new in the April 2018 update

Timeline is a new feature that allows you to see what you were doing on your computer on a specific date.

Nearby Sharing provides a new mechanism for quickly and easily sharing documents with nearby users. It uses Bluetooth and WiFi, depending on what’s available.

Focus Assist allows for easier control over Windows features that are potentially distracting, such as sounds, visual notifications and other alerts.

Improvements to Edge include several we’ve seen in other browsers for a while: tab audio muting, form autofill, clutter-free printing, full-screen reading mode, grammar tools, colour/theme improvements, and better compatibility with mobile platforms.

Windows Ink gets a few enhancements with this update, as do Windows Mixed Reality, Windows Hello, Microsoft Photos, Mixed Reality Viewer, Paint 3D, Cortana, Dictation, My People, and the Game Bar.

The once-discarded, then revived Start menu sees some improvement in the way pinning works.

HDR video support in Windows HD Color is expanded, as is support for the Touch Keyboard and Handwriting.

The April 2018 update also includes changes to:

  • Windows accessibility features
  • Windows Store
  • Security

Update 2018May07: Microsoft continues to have quality issues with Windows 10 updates. The April 2018 Update was postponed earlier in April when a serious Blue Screen of Death (BSoD) problem was discovered. Now, Google Chrome users are reporting problems using the browser after installing the Windows 10 April 2018 update. Microsoft is working on a fix that should become available with other Patch Tuesday updates on May 8.

Java 8 Update 171 (8u171)

The only major browser that still officially supports Java is Internet Explorer, although there are workarounds for some of the other browsers. For example, you can switch to Firefox ESR (Extended Support Release), but even that support is likely to disappear before long. Google Chrome, and other browsers that use the same engine, can only be made to show Java content by installing an extension that runs Internet Explorer in a tab.

Java’s impact on security is diminishing, but it’s still being used on older systems where upgrading to newer O/S versions is not possible. There are still a lot of Windows XP systems out there, and most of them are either running older versions of Internet Explorer or Firefox ESR.

If you’re still using Java, you should install the latest version, Java 8 Update 171 (8u171), as soon as possible. The easiest way to check which version you’re running and install any available updates is to visit Oracle’s ‘Verify Java’ page. You’ll need to do that with a Java-enabled browser. Another option is to visit the third-party Java Tester site. Again, this site won’t work unless Java is enabled.

Java 8 Update 171 includes fixes for fourteen security vulnerabilities. Other changes are documented in the Java 8 release notes and the Java 8u171 bug fixes page.

Microsoft updates for March

I count forty-seven separate bulletins in this month’s batch of updates, which means there are roughly that same number of updates. Over seventy security vulnerabilities in Windows, Internet Explorer, Edge, Office, and .NET are addressed in the updates. There’s a Flash update in there as well, for Edge and recent versions of Internet Explorer.

This month we also get more fixes for Spectre and Meltdown, including firmware updates for somewhat older processors (Skylake, Kaby Lake, and Coffee Lake). There’s still not much available for processors that are more than a few years old.

While Microsoft continues to push people to enable automatic updates, the more cautious among us (including myself) prefer to control what is updated and when. Windows 10 users still have effectively no control over Windows updates.

You can extract additional details for this month’s updates from Microsoft’s Security Update Guide.

February updates from Microsoft

Earlier today, Microsoft released forty-two updates to address fifty-four vulnerabilities in Windows, Internet Explorer, Edge, Flash, and Office software. Fourteen of the vulnerabilities are flagged as critical, and have the potential to be used for remote code execution.

This information was extracted from Microsoft’s Security Update Guide, the rather opaque reservoir into which Microsoft now dumps its update information. Of course Microsoft would be happier if we all just enabled auto-updates, and in fact the monthly patch bulletins are now little more than a link to the SUG and a recommendation to enable auto-updates.

Patch Tuesday for January 2018

This month’s pile of Microsoft patches includes some that help to mitigate the recently-discovered Spectre and Meltdown vulnerabilities in Windows 7 and 8. Windows 10 machines received these updates last week, as soon as they were made available by Microsoft, because of course there’s no way to stop that from happening. Unfortunately for folks running some older AMD processors, the Spectre/Meltdown updates are causing Windows to crash, and Microsoft has now disabled those updates for affected computers.

It gets worse. Many antivirus products use sketchy techniques for blocking, detecting, and removing malware. Some of those activities are incompatible with this month’s Spectre/Meltdown updates for Windows. Microsoft is currently blocking those updates on computers that are missing a special registry setting: the idea is that anti-malware software will set this flag to indicate that the updates are compatible, and safe to install. On my Windows 8.1 computer, Windows Update initially did not show this month’s security-only (KB4056898) or security rollup (KB4056895) updates. That’s because (gasp) I wasn’t running any anti-malware software. To get the update, I re-enabled Windows Defender, which created the missing registry entry, and re-ran Windows Update.

There’s also a special security advisory in this month’s updates, in which Microsoft lays out the Spectre/Meltdown issue, its effect on Microsoft software, and ways to mitigate the associated vulnerabilities.

Back to our regularly-scheduled Patch Tuesday…

The January 2018 update announcement as usual contains zero useful information, serving only as a pointer to the Security Update Guide. Analysis of this month’s guide data shows that there are seventy-two updates, addressing fifty-six vulnerabilities in .NET, Internet Explorer, Edge, Office, Windows, Flash Player, Sharepoint, and SQL Server.

Major slowdowns headed for almost all computers

Major patches are coming, for most operating systems and devices running modern (made in the last 10 years or so) processors. Changes to Windows, Linux, macOS, and most other systems will modify the way memory is used, ameliorating critical CPU security flaws, and slowing them down significantly in the process.

There’s been a lot of secrecy around this issue, with details of the flaws — discovered several months ago — only now coming to light as O/S vendors scramble to prepare patches. The flaws (commonly referred to as Spectre and Meltdown) involve potential leaking of information, as described in a recent post on The Register:

At best, the vulnerability could be leveraged by malware and hackers to more easily exploit other security bugs.

At worst, the hole could be abused by programs and logged-in users to read the contents of the kernel’s memory. Suffice to say, this is not great. The kernel’s memory space is hidden from user processes and programs because it may contain all sorts of secrets, such as passwords, login keys, files cached from disk, and so on.

Much of this is still speculation, but the reality may be even worse, so hang onto your socks, since this is going to get ugly. It’s easy to imagine class action lawsuits arising out of the mess.

Those of you running light operating systems on older hardware may have the last laugh: while many of the world’s computers will soon be noticeably — and unavoidably — slower, yours will keep chugging along unaffected… at least until they’re used to access any of the millions of computers that power web sites and services. Major providers may have no choice but to install the updates, significantly reducing the processing power of their systems.

For computers running Windows 10, system updates are literally unavoidable, and the slowdown inevitable. The rest of us will need to decide whether to risk leaving the vulnerabilities exposed, or patch them and deal with the resulting performance hit. Exploiting the vulnerabilities is not straightforward, and it should be possible to stay safe by avoiding risky behaviour, such as indiscriminately running unknown software, visiting dubious web sites, and opening links in email. However, the full extent of the risks involved is not yet known.

Related articles

The Verge: Intel’s processors have a security bug and the fix could slow down PCs
The Verge: Microsoft issues emergency Windows update for processor security bugs
The Verge: Intel says processor bug isn’t unique to its chips and performance issues are ‘workload-dependent’
The Verge: Processor flaw exposes 20 years of devices to new attack
The Verge: How to protect your PC against the major ‘Meltdown’ CPU security flaw
Google Security Blog: Today’s CPU vulnerability: what you need to know
Bruce Schneier: Spectre and Meltdown Attacks
SANS InfoSec: Spectre and Meltdown: What You Need to Know Right Now
Techdirt: A Major Security Vulnerability Has Plagued ‘Nearly All’ Intel CPUs For Years

Update 2018Jan04: Corrected title and content to show that the problem affects all modern processors, not just those made by Intel, and that there are multiple vulnerabilities. Also added more related articles.

Patch Tuesday for December

Today, Microsoft published twenty-four updates, addressing thirty-three vulnerabilities in Flash player (for Microsoft browsers), Office, Internet Explorer, Edge, and Windows.

As usual, Microsoft’s announcement is little more than a pointer to the Security Update Guide (SUG). If you’re looking for details about any of these updates, that’s your only official option. The SUG’s user interface is somewhat headache-inducing, but there’s useful information to be had there.

Windows 10 gets these updates whether you want them or not; Windows 7 and 8.1 can be configured for automatic or manual updates. I personally don’t like the idea of updates being installed on my computers at Microsoft’s whim, so I’m sticking with manual updates. And avoiding Windows 10 completely. And gradually switching to Linux.

Patch Tuesday for November 2017

According to Microsoft’s announcement, the November updates include patches for Internet Explorer, Edge, Windows, Office, and .NET. As usual, you have to dig into the rather awkward Security Update Guide to find additional details.

My analysis of the SUG reveals that there are fifty-three bulletins, addressing fifty-four vulnerabilities across the usual range of products. Sixteen of the vulnerabilities are flagged Critical.

If you’re interested in performing your own analysis, I strongly suggest avoiding the cumbersome SUG interface. Instead, locate the almost hidden ‘Download’ link at the top right of the updates grid and click that to open the data in Excel. From there you can use Excel’s filtering tools to wrestle the update information into more manageable lists.