On October 9th, Microsoft released a new batch of updates for its software. My analysis of the Security Update Guide shows that there are forty distinct updates, addressing fifty security vulnerabilities in .NET, Internet Explorer, Edge, Office applications, and Windows. Twelve of the updates are flagged as Critical.
As you may be aware, there’s no longer any practical way to avoid installing Windows 10 updates. Once Microsoft pushes them out, they’re going to end up on your computer whether you want them or not. But maybe you trust Microsoft to make changes to your computer while you sleep (for the record, I’m definitely not). On the other hand, when an update ends up causing problems, it makes these forced updates look downright irresponsible.
According to numerous reports, the recently-announced October Update for Windows 10 is causing user files to be silently deleted. Now, before you go into panic mode, keep in mind that the October Update is not yet being pushed out to all Windows 10 computers: the only way to install it is to manually check for available Windows Updates. For now, the only people affected are those eager types who like to install shiny new things before looking closely at them.
Microsoft is aware of the problem, and they are looking into it, although it’s not at all clear when it might be resolved. Hopefully Microsoft will either pull the update, or at least delay pushing it out to all Windows 10 computers.
If you’re worried about losing files, I strongly suggest backing up all your documents, images, music, video, and other data files. Which you really should be doing anyway. I back up all my data nightly to an external hard drive, using the freeware Cobian Backup.
Update 2018Oct07: Microsoft put a halt to the planned rollout of the October update. The update is still available via Windows Update, so don’t think seeing it listed there means the problem has been fixed. All it means is that the update won’t be pushed out until the issue has been resolved.
Update 2018Oct08: When you shift testing away from professionals and to your user base, quality will suffer. Things are going to slip through. That’s why formal software testing is so important, especially for operating systems and other critical software. Microsoft seems to have made an erroneous assumption: that if you have a (nearly) infinite number of
monkeys people using your software, they will find (and reliably reproduce) every bug. In fact, the people doing this unpaid “testing” are mostly power users who are just hoping that their own specific needs will be better served by the latest version. They aren’t testing every scenario, just the same one they tested for the last version. Power users are also much less likely to make the kinds of obvious mistakes that regular folks make, which can lead to surprises even after an update is pushed out to the general public. This situation seems likely to get worse, sadly. The Verge weighs in.
Update 2018Oct16: On October 9, Microsoft made a new (fixed) version of the October update available to users subscribed to the Windows Insider program. Microsoft also seems to understand that the current user-focused testing process is less than ideal: the Windows Insider Feedback Hub now allows users to provide an indication of impact and severity when filing User Initiated Feedback.
Analysis of Microsoft’s Security Update Guide shows that this month’s updates address sixty-two security vulnerabilities, ranging from Low to Critical in severity, in the usual suspects, namely Edge, .NET, Internet Explorer, Office, and Windows. There are forty-five updates in all.
If you’re looking for a new way to evaluate Microsoft’s monthly patch offerings, I recommend Microsoft Patch Tuesday by security firm Morpheus Labs. It’s a lot less oppressive — and easier to use — than Microsoft’s Security Update Guide.
Adobe’s providing us with a new version of Flash this month. Flash version 18.104.22.168 fixes a single security vulnerability. As usual, the Flash code embedded in Chrome and Microsoft browsers will update itself through Google’s automatic update process and Windows Update, respectively.
It’s update time again.
Analysis of Microsoft’s Security Update Guide shows that this month there are seventy updates for Windows, Office, Internet Explorer, .NET, Edge, Excel, Outlook, PowerPoint, and Visual Studio. A total of sixty security bugs are addressed, twenty of which are categorized as Critical.
Adobe, meanhwile, has released new versions of Flash and Acrobat Reader. Flash 22.214.171.124 includes fixes for five security issues, all of which are ranked as Important. Acrobat Reader 2018.011.20058 addresses two Critical security vulnerabilities.
Remember, folks: although updating software is perhaps not the most exciting thing you’ll do today, it’s entirely worthwhile, as it limits the damage that can be done by any stray malware that may find itself on your computer… from that attachment you opened without thinking, or that web site you visited when you accidentally clicked that link.
One of Windows 10’s most frustrating features is the way it installs updates. Unless you’re using an enterprise version, updates are almost completely out of your control. You can’t prevent them from installing, and there’s very little you can do to control when they install, or when your computer restarts to complate installation.
While developing Windows 10, Microsoft somehow failed to understand that downloading, installing, and rebooting for updates automatically at potentially inconvenient times might be annoying to users.
The good news is that Microsoft is finally going to do something about this. What did it take to get Microsoft to look at the problem? A steady stream of customer complaints, starting immediately after Windows 10 was released.
The bad news is that you still won’t have any real control over when updates happen. Instead, Microsoft is planning to improve Windows 10’s ability to detect that a computer is in use before it automatically reboots. This is from the recent post Announcing Windows 10 Insider Preview Build 17723 and Build 18204:
“We trained a predictive model that can accurately predict when the right time to restart the device is. Meaning, that we will not only check if you are currently using your device before we restart, but we will also try to predict if you had just left the device to grab a cup of coffee and return shortly after.”
It’s too early to know how well this will work in practise, but at least it’s a (small) step in the right direction.
Adobe and Microsoft have issued their monthly updates for July, so even if you’d rather be doing anything else, you should be patching your computers.
We’ll start with Microsoft. As usual, this month’s Security Update Release bulletin serves as little more than a link to the Security Update Guide (SUG), Microsoft’s labyrinthine replacement for the individual bulletins we used to get.
In my experience, the SUG is much easier to digest in the form of a spreadsheet, so the first thing I do there is click the small
Download link at the right edge of the page, to the right of the Security Updates heading. If you have Excel — or something compatible — installed, you should be able to open it directly.
Once the spreadsheet is loaded, I recommend enabling the Filter option. In Excel 2007, that setting is in the Sort & Filter section of the Data ribbon (toolbar). This makes every column heading a drop-down list, which allow you to select a particular product or platform, and hide everything else.
Analysis of this month’s updates from the SUG spreadsheet shows that there are sixty-two distinct updates, addressing fifty-three security vulnerabilities in Flash, Internet Explorer, SharePoint, Visual Studio, Edge, Office applications, .NET, and all supported versions of Windows. Seventeen of the updates are flagged as Critical.
As for Adobe, there are updates for Flash (version 126.96.36.199) and Acrobat Reader DC (version 2018.011.20055). The Flash update fixes two vulnerabilities, one of which is Critical. The Acrobat Reader DC update includes fixes for over one hundred security bugs.
The June 2018 Security Update Release bulletin on Microsoft’s TechNet blog is almost devoid of useful information, but if you click the link to the Security Update Guide, then click the big Go To Security Update Guide button, you’ll see a link to the release notes for this month’s updates.
According to the release notes, this month’s updates affect Internet Explorer, Edge, Windows, Office, Office Services and Web Apps, Flash embedded in IE and Edge, and ChakraCore. Analysis of the information in the SUG reveals that there are forty updates, fixing fifty-one separate vulnerabilities. Eleven of the vulnerabilties are flagged as Critical.
Spring has sprung, and with it, a load of updates from Microsoft and Adobe.
This month from Microsoft: sixty-seven updates, fixing sixty-nine security vulnerabilities in Windows, Internet Explorer, Office, Edge, .NET, Flash, and various development tools. Seventeen of the vulnerabilities addressed are flagged as Critical and can lead to remote code execution.
The details are as usual buried in Microsoft’s Security Update Guide. You may find it easier to examine that information in spreadsheet form, which you can obtain by clicking little Download link partway down the page on the right. Just above that there’s a link to the release notes for this month’s updates, but don’t expect much useful information there.
Update 2018May11: If you were looking for something to motivate your patching endeavours, consider this: two of the vulnerabilities addressed in this month’s updates are being actively exploited on the web.
As you might have guessed from Microsoft’s Flash updates, Adobe released a new version of Flash today. Flash 188.8.131.52 addresses a single critical vulnerability in previous versions. You can find release notes for Flash 29 on the Adobe web site.
You can get Flash from Windows Update if you run a Microsoft browser, via Chrome’s internal updater, or from the official Flash download page. If you use the Flash download page, make sure to disable any optional installs, as they are generally not useful.
Another big update for Windows 10 is scheduled to start rolling out to all Windows 10 computers on May 8. Microsoft is calling this one the Windows 10 April 2018 Update.
As with all Windows 10 updates, there’s no way to avoid it, and the only way to control when the update lands on your computer is to manually check for updates using Windows Update. Doing that any time after April 30 should show the April update and let you install it.
What’s new in the April 2018 update
Timeline is a new feature that allows you to see what you were doing on your computer on a specific date.
Nearby Sharing provides a new mechanism for quickly and easily sharing documents with nearby users. It uses Bluetooth and WiFi, depending on what’s available.
Focus Assist allows for easier control over Windows features that are potentially distracting, such as sounds, visual notifications and other alerts.
Improvements to Edge include several we’ve seen in other browsers for a while: tab audio muting, form autofill, clutter-free printing, full-screen reading mode, grammar tools, colour/theme improvements, and better compatibility with mobile platforms.
Windows Ink gets a few enhancements with this update, as do Windows Mixed Reality, Windows Hello, Microsoft Photos, Mixed Reality Viewer, Paint 3D, Cortana, Dictation, My People, and the Game Bar.
The once-discarded, then revived Start menu sees some improvement in the way pinning works.
HDR video support in Windows HD Color is expanded, as is support for the Touch Keyboard and Handwriting.
The April 2018 update also includes changes to:
- Windows accessibility features
- Windows Store
Update 2018May07: Microsoft continues to have quality issues with Windows 10 updates. The April 2018 Update was postponed earlier in April when a serious Blue Screen of Death (BSoD) problem was discovered. Now, Google Chrome users are reporting problems using the browser after installing the Windows 10 April 2018 update. Microsoft is working on a fix that should become available with other Patch Tuesday updates on May 8.
The only major browser that still officially supports Java is Internet Explorer, although there are workarounds for some of the other browsers. For example, you can switch to Firefox ESR (Extended Support Release), but even that support is likely to disappear before long. Google Chrome, and other browsers that use the same engine, can only be made to show Java content by installing an extension that runs Internet Explorer in a tab.
Java’s impact on security is diminishing, but it’s still being used on older systems where upgrading to newer O/S versions is not possible. There are still a lot of Windows XP systems out there, and most of them are either running older versions of Internet Explorer or Firefox ESR.
If you’re still using Java, you should install the latest version, Java 8 Update 171 (8u171), as soon as possible. The easiest way to check which version you’re running and install any available updates is to visit Oracle’s ‘Verify Java’ page. You’ll need to do that with a Java-enabled browser. Another option is to visit the third-party Java Tester site. Again, this site won’t work unless Java is enabled.