Category Archives: Windows

Barely-documented updates for Windows 10

Anyone running the release version of Windows 10 (build 10240) may have noticed a few updates being installed in the last day or two. Clearly Microsoft is moving ahead with its plans to eschew the monthly Patch Tuesday update cycle for Windows 10. Unfortunately, there’s also not much information available about these updates.

Here’s what Microsoft is giving us:

  • KB3081449 – OOBE Update for Windows 10
  • KB3081452 – compatibility update for upgrading to Windows 10
  • KB3081448 – Cumulative Update for Windows 10

As you can see, these Knowledge Base articles are rather light on details. So that’s how it’s going to be, Microsoft?

WinBeta has a bit more information.

Security updates for QuickTime on Windows 7 and Vista

I don’t usually post about Apple software, but the QuickTime Player is installed on many Windows computers, so it falls into a kind of grey area.

Apple recently released an update for QuickTime to address at least nine vulnerabilities it exposes on Windows 7 and Vista computers. Anyone who uses QuickTime on Windows 7 or Vista should install the new version of QuickTime as soon as possible.

I no longer have QuickTime installed on my main computer. Downloaded QuickTime media files play in a combination of VLC and Windows Media Player. There’s no QuickTime player plugin in my main web browser, either, but I don’t really mind not being able to see QuickTime media embedded in web pages. If I really need to see that content, I can always download it.

If you’re not sure whether you have QuickTime installed, or want to find out how QuickTime media is played on your computer, you can try playing these QuickTime sample media files.

Emergency patch for Internet Explorer

Earlier today, Microsoft issued a special update (MS15-093) to address a critical vulnerability in all versions of Internet Explorer. The new Edge browser is not affected.

Normally, security updates for IE are provided on monthly Patch Tuesdays. Since Microsoft is making this update available outside the regular update cycle, we can assume that exploits for the vulnerability have been observed in the wild.

The vulnerability is a bad one. Merely visiting a specially-crafted web page with Internet Explorer can cause malicious code to execute, leading to the possibility of an attacker installing just about any kind of software or accessing any information on the affected Windows computer.

If you use Internet Explorer, please use Windows Update to install this patch as soon as possible.

Patch Tuesday for August

Ah, Patch Tuesday. Of all the tasks we have to perform, there’s nothing quite like it: it’s both tedious and critically important. I’m starting to consider enabling automatic updates, but given Murphy’s Law, no doubt the moment I do that, Microsoft will issue a catastrophic update.

This month we have fourteen updates from Microsoft, affecting the usual culprits (Windows, Internet Explorer, Office, Silverlight, .NET), plus a few new ones: Lync and Edge, the new web browser in Windows 10. Four of the updates are flagged as critical. The updates address a total of 58 vulnerabilities. The update for Silverlight brings its version to 5.1.40728.0. Several of the updates apply to Windows 10. One of the updates addresses a nasty bug that could allow an attacker to execute malicious code from a USB thumb drive.

Adobe is once again tagging along this month, releasing a new version of Flash (18.0.0.232) that addresses a whopping thirty-four vulnerabilities. Needless to say, you should install the new version as soon as possible if you still use Flash in any web browser. Internet Explorer 10 and 11 in Windows 8.x will receive the Flash update via Windows Update, as will the new Edge browser in Windows 10. Chrome will update itself to use the new version.

Critical vulnerability in Firefox’s PDF viewer

Firefox has had its own internal PDF viewer for a while now, and it’s enabled by default. When you click on a PDF file link in Firefox, it will do one of the following: a) open with Firefox’s internal viewer; b) open with a PDF viewer plugin such as Adobe’s Reader plugin; or c) download and open with an external viewer. Unfortunately, PDF files can also be embedded on web pages, in which case there’s no need to click on anything to view them; merely visiting a web site with an embedded PDF will show the file’s contents. Worse still, some advertising platforms serve ads in the form of PDF files.

Now comes news that a newly-discovered vulnerability in Firefox’s internal PDF viewer is being actively exploited on at least one advertising network, and that malware-containing PDF ads were recently observed on a Russian news site.

Mozilla confirmed the bug and quickly released Firefox 39.0.3 to address it. All users are strongly encouraged to update Firefox as soon as possible.

But there’s more bad news. There’s no way to know whether this vulnerability has been exploited elsewhere on the web. There’s no reason to assume that only one Russian news site was affected, or that infected ads haven’t already appeared on other ad networks and web sites. If you use Firefox with the internal PDF viewer enabled, there’s a chance your computer ran a malicious script at some point. If you run a script blocker like Noscript, and you haven’t altered its default behaviour, you were probably protected.

The only known instance of a malicious script that exploits this vulnerability looks for configuration files related to Subversion, Pidgin, Filezilla, and other FTP applications on Windows systems. If you have any passwords stored in these configuration files, you should consider changing those passwords.

You might also want to consider disabling Firefox’s built-in PDF viewer. To do that, enter ‘about:config’ in the address bar. You’ll see a warning; confirm that you want to proceed by clicking the “I’ll be careful” button. In the Search box, enter ‘pdfjs.disabled’. One setting should appear in the list below. If the setting is currently ‘false’, double-click it to change it to ‘true’. This will prevent embedded PDFs from being shown on web pages.
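To confirm the setting on every Firefox profile on a machine rather than checking about:config one profile at a time, here is an added example (not part of the original post) that reads each profile's prefs.js and user.js and reports whether pdfjs.disabled is true. It assumes the standard Windows profile location under %APPDATA% and that user.js overrides prefs.js; the sample prefs content is constructed.

```python
import os
import re
from pathlib import Path

# Matches lines such as: user_pref("pdfjs.disabled", true);
# Commented-out lines (starting with //) are deliberately not matched.
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"pdfjs\.disabled"\s*,\s*(true|false)\s*\)\s*;', re.M)


def read_pref(text):
    """Return the last pdfjs.disabled value set in a prefs file, or None."""
    values = PREF_RE.findall(text)
    return values[-1] == "true" if values else None


def viewer_disabled(prefs_js, user_js=""):
    """Effective setting: user.js wins over prefs.js; an unset pref means
    the default the post describes (viewer enabled, so disabled is False)."""
    for text in (user_js, prefs_js):
        value = read_pref(text)
        if value is not None:
            return value
    return False


def audit_profiles(profiles_dir):
    """Map each profile directory name to True if the PDF viewer is disabled."""
    results = {}
    for profile in sorted(Path(profiles_dir).iterdir()):
        if not profile.is_dir():
            continue
        texts = []
        for name in ("prefs.js", "user.js"):
            f = profile / name
            texts.append(f.read_text(encoding="utf-8", errors="replace")
                         if f.is_file() else "")
        results[profile.name] = viewer_disabled(*texts)
    return results


# Constructed sample prefs.js content (not taken from a real profile).
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("pdfjs.disabled", true);
'''

if __name__ == "__main__":
    appdata = os.environ.get("APPDATA")
    root = Path(appdata, "Mozilla", "Firefox", "Profiles") if appdata else None
    if root and root.is_dir():
        for name, disabled in audit_profiles(root).items():
            print(f"{name}: PDF viewer {'disabled' if disabled else 'ENABLED'}")
    else:
        print("sample prefs, viewer disabled:", viewer_disabled(SAMPLE_PREFS))
```

Any profile reported as ENABLED still renders embedded PDFs with the internal viewer and needs the about:config change described above.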

Windows 10 DVD player is $15

There’s no ‘Media Center’ edition of Windows 10, and there’s no DVD player software included with Windows 10. Now comes word that you can purchase the Windows 10 DVD player from the Windows Store for $14.99. If you’re considering doing this, please don’t. Instead, download and install the excellent, freeware VLC Player, which aside from being able to play just about any media you can throw at it, can also play DVDs.

Update 2015Aug11: Apparently, if you upgrade from a Media Center version of Windows to Windows 10, you are warned about the features you’re about to lose. Better still, you will apparently be credited with a free copy of the Windows 10 DVD player, so you should be able to install it from the Windows Store for free.

Windows 10 lands

You can now download the release version of Windows 10 directly from Microsoft. The tools on that page allow you to upgrade the computer you’re using, or to create bootable disc or thumb drive images, which can then be used to install Windows 10 from scratch on another computer. Both the Home and Pro versions are available, in 32-bit and 64-bit form.

If you’re running Windows 7 or 8.x, and you choose to perform an upgrade from the site linked above, you’ll get the Home version if you’re currently running one of the Home variants, and Pro otherwise.

It’s still not completely clear what happens when you don’t have a legitimate Windows 7 or 8.x license. At some point, you’ll be asked to enter a license key, and without one, presumably Windows 10 will stop functioning or suffer from reduced functionality. The same goes for in-place upgrades; as Microsoft has said, if you have a non-valid install of Windows 7 or 8.x and upgrade it to Windows 10, it will continue to be non-valid, with all that entails.

Update: My Windows 10 test computer is running whatever version is being provided via the Windows Insider program. It looks like the final release version, and has the build number Microsoft planned to use for the release: 10240. Because I joined the Windows Insider program (which involved having updates pushed to the computer regularly, and being asked to provide ratings and feedback), I’m now running Windows 10 Pro on a computer that previously ran Windows XP, and it didn’t cost anything, and it’s completely legit. Of course, if I ever want to stop logging in to Windows 10 with my Microsoft ID, I’ll have to purchase a Windows 10 license.

Deciding whether to upgrade to Windows 10

Windows 10 is scheduled for release on July 29. Microsoft really wants people to upgrade, offering the new O/S for free to anyone running legitimate installs of Windows 7 and 8.x, at least until July 28, 2016. Anyone who’s been running the Windows Insider Preview version of Windows 10 will also be able to install the release version for free. It sounds enticing, but is it right for you?

Questions remain

Unfortunately, there are still some unanswered questions regarding the free Windows 10 upgrades. How long will a ‘free’ install of Windows 10 remain free? If I try to reinstall it from scratch a few years from now, will I be forced to pay for it? What if my computer’s hard drive fails and I have to replace it and reinstall Windows 10? Microsoft has yet to produce definitive answers to these questions.

But the biggest unknown is the issue of forced updates. Windows 10 updates will be installed on ‘Home’ versions without allowing the user any choice whatsoever. That includes security updates and other bug fixes, but also new and changed features. ‘Pro’ users will be able to delay updates for several weeks, but have no way to prevent them indefinitely. While forced updates are arguably a good thing for most (especially non-technical) users, many power users find this prospect alarming. I don’t want Microsoft messing with my computer when I’m asleep. I want to be the only person who installs updates. I don’t want to see mysterious WAN bandwidth spikes that turn out to be huge, unwanted Windows 10 updates. Note: there may be a way to block certain updates indefinitely, according to Ed Bott, but the details are sketchy.

How to decide?

Is Windows 10 right for you? If you want the latest version of Windows, with the most up to date technologies and support for current hardware, and you don’t mind that the user interface is a hodgepodge of old and new (touch/tablet/mobile) style elements, you don’t mind forced updates, and your hardware supports it, then by all means upgrade to Windows 10.

If you’re running Windows 8.x, there’s no reason to hold back, since Windows 10 is basically Windows 8.2, and it addresses many Windows 8.x problems, including the lack of a Start menu.

The decision is not so easy for Windows 7 users. Windows 7 support (mostly in the form of security updates) will continue until January 14, 2020, so there’s no urgency. If you don’t like the new user interface, with its focus on touch and mobile devices, stay away. If you want to be able to use newer apps – the ones designed for the new UI – then you’ll have to upgrade. Support for Windows 7 by software and hardware makers is sure to decline over the next few years, which may force your hand.

I’ve been using the Windows 10 Insider Preview on a test machine, and so far, I like it. That machine was previously running Windows XP, which of course is no longer getting security updates and is increasingly risky to use. Upgrading to Windows 10 resolved a long-standing display issue on that computer, and I’ve had no new problems, aside from a few glitches and Explorer crashes that seem to have been resolved in later builds. I expect the computer to update automatically to the release version of Windows 10 at some point soon after July 29, but I’m ready to switch back to XP if Microsoft’s answers to the above questions prove unsatisfactory.

Microsoft issues special update for critical Windows vulnerability

An update for a vulnerability in the Microsoft Font Driver – present in all supported versions of Windows – was released yesterday by Microsoft. Normally, updates like this are released as part of the monthly Patch Tuesday process, but Microsoft evidently decided that this vulnerability was serious enough to warrant this ‘out of band’ update.

Windows systems with Automatic Updates enabled will receive this update automatically. All other systems should be updated via Windows Update as soon as possible.

Patch Tuesday for July 2015

This month there are fourteen bulletins from Microsoft, with associated updates affecting Windows, Internet Explorer, Office and SQL Server. Four of the updates are flagged as Critical. The updates address at least fifty-nine vulnerabilities.

From Adobe, there are updates for Flash (see previous post), Reader/Acrobat (version 2015.008.20082) and Shockwave (version 12.1.9.159).

So, although installing updates on computers is probably not anyone’s idea of summer fun, let’s all try to keep our sense of humour as we once again work through the monthly update grind. Enjoy!

Update 2015Jul16: This month’s Microsoft updates address three vulnerabilities (two in Internet Explorer) exposed in the recent Hacker Team leak.