Category Archives: Windows

Microsoft update 3033929 causing problems

One of the updates made available by Microsoft earlier this week is apparently causing problems on some Windows 7 computers. Details are sketchy at this point, but some users are reporting that their Windows 7 computers get into an infinite reboot loop after installing the KB3033929 update.

Microsoft is expected to release another update or pull the existing update soon. For now, anyone running Windows 7 should avoid this update.

Patch Tuesday for March 2015

Today Microsoft announced fourteen updates for security vulnerabilities in Windows, Office, Exchange, and Internet Explorer. Five of the updates are flagged as Critical.

The bulletin summary gets into all the technical details. All you really need to know is that you should install these updates as soon as possible, especially if you use Internet Explorer.

One of the updates provides what is hoped will be a complete fix for a vulnerability that allowed the Stuxnet worm to spread. Microsoft published a fix for this vulnerability in 2010, but the fix was incomplete and the vulnerability remained largely intact.

SANS provides a breakdown of the new updates every month. The information is presented in a way that may be more appealing/useful to some readers.

If you needed another reason to stop using iTunes on a PC…

Even diehard Mac users are increasingly frustrated with the bloated mess that is Apple’s iTunes. If ever a piece of software needed a total rewrite, it’s iTunes.

The Windows version of iTunes is even worse. My own early evaluation left me wondering whether Apple had intentionally made the software buggy and unstable, as a ploy to get people to ditch their PCs in favour of Macs. Suffice to say that I haven’t let it anywhere near any of my PCs since then.

Now, security researchers have discovered that iTunes for Windows includes ancient software libraries that contain numerous security vulnerabilities.

Recommendation: do not use iTunes on any Windows PC. Doing so is just asking for trouble.

Patch Tuesday for February 2015

Microsoft has announced this month’s updates. There are nine bulletins and associated patches, addressing 56 vulnerabilities in Windows, Office and Internet Explorer. Three are flagged as Critical.

Recommendation: install these updates as soon as possible. At least one of them fixes a bug that’s currently being exploited in the wild.

The official bulletin summary has all the technical details.

VLC has two unpatched vulnerabilities

VLC is one of the most popular media players; it’s cross-platform, and has a reputation for being able to play almost any kind of media. Given its popularity, unpatched vulnerabilities in VLC are likely to make attractive targets to malicious hackers.

Two vulnerabilities in VLC, CVE-2014-9597 and CVE-2014-9598, have yet to be acknowledged by VLC’s developers. Both are memory corruption bugs that can allow attackers to execute arbitrary commands on target systems.

Note that these vulnerabilities only affect VLC running on Windows XP, and only FLV and M2V files.

If you use VLC, you should exercise extreme caution when playing media from sources not known to be safe.

Windows 7 supported until January 14, 2020

You may have noticed that Microsoft’s support for Windows 7 changed yesterday: ‘mainstream’ support ended. However, ‘extended’ support continues until January 14, 2020.

In Microsoft parlance, ‘mainstream’ support includes requests for feature changes, certain free support options (eg. phone support), and non-security updates. Now that Windows 7 is in the ‘extended’ support phase, Microsoft will no longer be changing the O/S, except to fix security issues.

In other words, there’s no need to panic. Windows 7 will continue to get security updates until 2020.

Patch Tuesday for January 2015

This month we have eight updates from Microsoft, affecting most versions of Windows, with one being flagged as Critical.

Anyone using a Windows computer is encouraged to use Windows Update to install available updates as soon as possible.

For complete technical details on the updates, see the official bulletin on the Microsoft Security TechCenter site.

There’s a related post on the MSRC blog.

Update 2015Jan13: One of the updates in this batch is the source of some ill-will between Microsoft and Google. Google reported a Windows 8.1 vulnerability to Microsoft on October 13, and in keeping with its disclosure policies, made the vulnerability public 90 days later. By the time Microsoft got around to developing a fix, it was too late to make the patch available before the 90 day delay would end. Microsoft apparently asked Google to wait for the patch to be released on January 13, but Google stuck to its policy. Now Microsoft has publicly expressed its displeasure with Google. Information Week has additional details.

CryptoWall update

Despite the demise of CryptoLocker, ransomware is still prevalent, mostly in the form of CryptoWall, now in its ‘improved’ 2.0 version.

Security researchers recently deconstructed CryptoWall 2.0 and shared their findings in a post on a Cisco security blog.

The researchers discovered that the malware uses a variety of techniques to obfuscate itself on target systems. It’s also able to infect both 32 and 64 bit Windows systems. And it can detect whether it’s running on a virtual machine, making it more difficult to analyze. The command and control servers are apparently in Russia.

A Windows computer can become infected with CryptoWall in a variety of ways, including as part of an e-mail ‘phishing’ attack, through a malicious website, via malicious PDF files, or in a spam e-mail disguised as an ‘Incoming Fax Report’.

Ars Technica has additional details.

Another bad patch from Microsoft

One of the updates from last week’s Patch Tuesday apparently caused problems for numerous Windows 7 and Windows Server 2008 users.

The update, KB3004394, was issued to increase the frequency of root certificate updates from weekly to daily, thereby improving overall system security.

Unfortunately, once the update was installed on affected computers, some software and driver installation programs no longer worked as expected.

Microsoft initially recommended uninstalling the problematic update, but has now released another update (KB3024777) that fixes the problem.

Ars Technica has additional details.

Patch Tuesday for December 2014

It’s patch time again.

As expected, Adobe released updates for Reader/Acrobat, but they also issued updates for Flash. The new version of Reader/Acrobat is 11.0.10, and it addresses at least twenty vulnerabilities.

The latest version of Flash is 16.0.0.235 (on most platforms), and it fixes six vulnerabilities in previous versions. As usual, Google Chrome will update its own internal Flash, and Microsoft will offer Flash updates for Internet Explorer on Windows 8.x via Microsoft Update. Note that Adobe also released Flash 15.0.0.246, which apparently fixes the same issues in earlier versions of Flash 15.

Meanwhile, Microsoft today released seven bulletins and associated patches. The patches address vulnerabilities in Windows, Internet Explorer, and Office. There’s a useful summary on the MSRC blog.

Brian Krebs has additional details.