Category Archives: Windows

Edge, Flash, Internet Explorer, Microsoft, Patches and updates, Security, Windows

February updates from Microsoft

Leave a comment

Earlier today, Microsoft released forty-two updates to address fifty-four vulnerabilities in Windows, Internet Explorer, Edge, Flash, and Office software. Fourteen of the vulnerabilities are flagged as critical, and have the potential to be used for remote code execution.

This information was extracted from Microsoft’s Security Update Guide, the rather opaque reservoir into which Microsoft now dumps its update information. Of course Microsoft would be happier if we all just enabled auto-updates, and in fact the monthly patch bulletins are now little more than a link to the SUG and a recommendation to enable auto-updates.

Edge, Flash, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for January 2018

Leave a comment

This month’s pile of Microsoft patches includes some that help to mitigate the recently-discovered Spectre and Meltdown vulnerabilities in Windows 7 and 8. Windows 10 machines received these updates last week, as soon as they were made available by Microsoft, because of course there’s no way to stop that from happening. Unfortunately for folks running some older AMD processors, the Spectre/Meltdown updates are causing Windows to crash, and Microsoft has now disabled those updates for affected computers.

It gets worse. Many antivirus products use sketchy techniques for blocking, detecting, and removing malware. Some of those activities are incompatible with this month’s Spectre/Meltdown updates for Windows. Microsoft is currently blocking those updates on computers that are missing a special registry setting: the idea is that anti-malware software will set this flag to indicate that the updates are compatible, and safe to install. On my Windows 8.1 computer, Windows Update initially did not show this month’s security-only (KB4056898) or security rollup (KB4056895) updates. That’s because (gasp) I wasn’t running any anti-malware software. To get the update, I re-enabled Windows Defender, which created the missing registry entry, and re-ran Windows Update.

There’s also a special security advisory in this month’s updates, in which Microsoft lays out the Spectre/Meltdown issue, its effect on Microsoft software, and ways to mitigate the associated vulnerabilities.

Back to our regularly-scheduled Patch Tuesday…

The January 2018 update announcement as usual contains zero useful information, serving only as a pointer to the Security Update Guide. Analysis of this month’s guide data shows that there are seventy-two updates, addressing fifty-six vulnerabilities in .NET, Internet Explorer, Edge, Office, Windows, Flash Player, Sharepoint, and SQL Server.

*nix, Hardware, Linux, Mac, Patches and updates, Security, Things that are bad, Windows

Major slowdowns headed for almost all computers

2 Comments

Major patches are coming, for most operating systems and devices running modern (made in the last 10 years or so) processors. Changes to Windows, Linux, macOS, and most other systems will modify the way memory is used, ameliorating critical CPU security flaws, and slowing them down significantly in the process.

There’s been a lot of secrecy around this issue, with details of the flaws — discovered several months ago — only now coming to light as O/S vendors scramble to prepare patches. The flaws (commonly referred to as Spectre and Meltdown) involve potential leaking of information, as described in a recent post on The Register:

At best, the vulnerability could be leveraged by malware and hackers to more easily exploit other security bugs.

At worst, the hole could be abused by programs and logged-in users to read the contents of the kernel’s memory. Suffice to say, this is not great. The kernel’s memory space is hidden from user processes and programs because it may contain all sorts of secrets, such as passwords, login keys, files cached from disk, and so on.

Much of this is still speculation, but the reality may be even worse, so hang onto your socks, since this is going to get ugly. It’s easy to imagine class action lawsuits arising out of the mess.

Those of you running light operating systems on older hardware may have the last laugh: while many of the world’s computers will soon be noticeably — and unavoidably — slower, yours will keep chugging along unaffected… at least until they’re used to access any of the millions of computers that power web sites and services. Major providers may have no choice but to install the updates, significantly reducing the processing power of their systems.

For computers running Windows 10, system updates are literally unavoidable, and the slowdown inevitable. The rest of us will need to decide whether to risk leaving the vulnerabilities exposed, or patch them and deal with the resulting performance hit. Exploiting the vulnerabilities is not straightforward, and it should be possible to stay safe by avoiding risky behaviour, such as indiscriminately running unknown software, visiting dubious web sites, and opening links in email. However, the full extent of the risks involved is not yet known.

Related articles

The Verge: Intel’s processors have a security bug and the fix could slow down PCs
The Verge: Microsoft issues emergency Windows update for processor security bugs
The Verge: Intel says processor bug isn’t unique to its chips and performance issues are ‘workload-dependent’
The Verge: Processor flaw exposes 20 years of devices to new attack
The Verge: How to protect your PC against the major ‘Meltdown’ CPU security flaw
Google Security Blog: Today’s CPU vulnerability: what you need to know
Bruce Schneier: Spectre and Meltdown Attacks
SANS InfoSec: Spectre and Meltdown: What You Need to Know Right Now
Techdirt: A Major Security Vulnerability Has Plagued ‘Nearly All’ Intel CPUs For Years

Update 2018Jan04: Corrected title and content to show that the problem affects all modern processors, not just those made by Intel, and that there are multiple vulnerabilities. Also added more related articles.

Edge, Flash, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for December

Leave a comment

Today, Microsoft published twenty-four updates, addressing thirty-three vulnerabilities in Flash player (for Microsoft browsers), Office, Internet Explorer, Edge, and Windows.

As usual, Microsoft’s announcement is little more than a pointer to the Security Update Guide (SUG). If you’re looking for details about any of these updates, that’s your only official option. The SUG’s user interface is somewhat headache-inducing, but there’s useful information to be had there.

Windows 10 gets these updates whether you want them or not; Windows 7 and 8.1 can be configured for automatic or manual updates. I personally don’t like the idea of updates being installed on my computers at Microsoft’s whim, so I’m sticking with manual updates. And avoiding Windows 10 completely. And gradually switching to Linux.

Edge, Flash, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for November 2017

Leave a comment

According to Microsoft’s announcement, the November updates include patches for Internet Explorer, Edge, Windows, Office, and .NET. As usual, you have to dig into the rather awkward Security Update Guide to find additional details.

My analysis of the SUG reveals that there are fifty-three bulletins, addressing fifty-four vulnerabilities across the usual range of products. Sixteen of the vulnerabilities are flagged Critical.

If you’re interested in performing your own analysis, I strongly suggest avoiding the cumbersome SUG interface. Instead, locate the almost hidden ‘Download’ link at the top right of the updates grid and click that to open the data in Excel. From there you can use Excel’s filtering tools to wrestle the update information into more manageable lists.

Android, Apple, Google, IoT, Linux, Mac, Microsoft, Mobile, Security, Things that are bad, Windows

KRACK Wi-Fi vulnerability: what you need to know

Leave a comment

Last week, security researchers identified a series of vulnerabilities affecting almost all Wi-Fi devices, from computers to refrigerators. The vulnerability could allow attackers to intercept wireless communications and potentially steal credentials and other sensitive information. The vulnerabilities are collectively referred to as KRACK.

The good news is that computers running Windows and Linux already have patches available. Microsoft included fixes in the October 2017 Patch Tuesday updates.

Apple says that fixes are ready for MacOS, but there’s no word on exactly when they will actually be made available.

The bad news is that mobile devices, particularly those that run Google’s Android operating system, are vulnerable, and in some cases, might stay that way indefinitely. That’s because even though Google has prepared fixes for Android, those fixes won’t get to devices made by other vendors until those vendors make them available. Some vendors are better than others at pushing updates to their devices. Worse, some devices running older O/S versions may never get updates at all, rendering them permanently insecure.

There are mitigating factors. First, because of the responsible way in which these vulnerabilities were reported, Microsoft and other major players have had time to develop fixes, while details of the vulnerabilities were kept relatively secret until recently. That means we have a head start on the bad guys this time.

Second, exploiting these vulnerabilities requires close proximity. Attacks based on these vulnerabilities can’t be executed over the Internet.

Use caution with unpatched devices

If you use a public Wi-Fi access point with an unpatched device, you’re exposed. So until patches for your device become available, you might want to disable its Wi-Fi when you’re not at home. Most devices have settings that prevent automatically connecting to Wi-Fi networks it finds in the vicinity.

IoT devices may remain vulnerable forever

‘Internet of Things’ (IoT) devices, including thermostats, cars, appliances, and basically anything that can have a computer stuffed into it, often connect to the Internet using Wi-Fi. There are no security standards for IoT devices yet, and many are extremely unlikely to ever be patched.

Recommendation: identify all of your IoT devices that have the ability to connect to the Internet. For each, make sure that you’re using a wired connection, or disable networking completely, if possible. As for devices that connect to the Internet via Wi-Fi and cannot or won’t be patched or disabled, consider taking them to the nearest landfill.

References

Edge, Internet Explorer, Microsoft, Patches and updates, Security, Windows

October 10, 2017: Patch Tuesday

Leave a comment

Imagine a world in which there were no software updates; no security vulnerabilities; no bugs at all. The idea of such a place makes me happy. This utopia is destined to remain a fantasy, sadly. All software has bugs, and that will never change.

Inspection of Microsoft’s Security Update Guide (SUG) as of 10am today shows the usual massive list of updates, only some of which will affect most of us. You can wade into that if you have some time and access to painkillers, or you can download the list and open it in Excel, which is a lot easier to work with, and is what I do.

Analysis of the update data shows that there are fifty updates this month. Sixteen of those updates are flagged as Critical. A total of sixty-seven vulnerabilities in Windows, Office, Internet Explorer, and Edge are addressed.

As usual, the announcement of this month’s updates does little more than tell us what we already knew: that there are updates today, and where to find them.

Time to patch those computers!

Update 2017Oct11: The Register points out that while vulnerabilities affecting Windows 10 are being patched by Microsoft as soon as they are identified, Windows 7 and 8 systems don’t get those updates until the next Patch Tuesday. This creates an opportunity for malicious persons to analyze the Windows 10 updates and create exploits that work on Windows 7 and 8.

Malware, Patches and updates, Security, Things that are bad, Windows

CCleaner malware incident

Leave a comment

A recent version of the popular Windows cleanup tool CCleaner contains malware, apparently added by malicious persons who gained access to a server used by the software developer, Piriform.

The malware was found only in the 32-bit version of CCleaner 5.33.6162. No other versions were affected.

Piriform reacted quickly to the discovery, and yesterday released a new version: CCleaner 5.34.

If you have CCleaner installed on any Windows computers, you should make sure you’re running version 5.34, and if not, install it as soon as possible.

Update 2017Sep23: The server that was breached is actually managed by Avast, which purchased CCleaner software developer Piriform in July.

Ongoing analysis of the hack revealed that this may have been a state-sponsored attack, and that it specifically targeted high profile technology companies. Apparently the malware in the compromised version of CCleaner contained a second payload that was only installed on about twenty computers at eight tech companies.

Adobe, Edge, Flash, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for September 2017

Leave a comment

This month’s updates from Microsoft include a patch for a nasty zero-day vulnerability in the .NET framework.

The announcement for this batch of updates is of course just a link to the Security Update Guide, where it’s up to the user to wade through piles of information and determine what’s relevant.

Here’s what I’ve been able to glean from my explorations: there are ninety-four updates, affecting Internet Explorer, Edge, Windows, Office, Adobe Flash Player, Skype, and the .NET Framework. A total of eighty-five vulnerabilities are addressed, twenty-nine of which are flagged as Critical.

As you may have guessed, this month we also have yet another new version of Flash. Microsoft included the new version in updates for Edge and Internet Explorer, and Chrome will get the new version via its internal auto-updater. Desktop Flash users should visit the main Flash page to get the new version. Flash 27.0.0.130 addresses two critical vulnerabilities in previous versions.

Microsoft, Windows 10

Windows 10 Pro for Workstations

Leave a comment

Microsoft WindowsSince the release of Windows 10, Microsoft has received feedback from certain users, to the effect that the O/S doesn’t meet the “demanding needs of mission critical and compute intensive workloads.” It either doesn’t detect, or simply doesn’t use the capabilities of some types of high-performance hardware.

Microsoft’s answer to that feedback is Windows 10 Pro for Workstations, which will become available for testing soon, via the Insider Preview program.

The new version of Windows 10 includes the ReFS filesystem, which is supposed to be much more resilient than the NTFS filesystem used by standard Windows. It also includes support for non-volatile NVDIMM-N memory modules, which provide high-speed access to files. SMB Direct provides a faster file sharing mechanism. There’s also more support for high performance hardware, including server-grade Intel Xeon and AMD Opteron processors, up to four CPUs (regular Windows is limited to two) and memory up to 6TB (regular Windows is limited to 2TB).

High-end system builders, and people running high-performance niche applications may find these features useful, but I suspect that most people won’t be interested, especially as the new version is likely to be rather expensive, as is the related hardware.

There’s no word yet on whether privacy-related instrumentation will be any easier to disable in Windows 10 Pro for Workstations, or whether system administrators will be able to control which updates are installed, or disable auto-update completely.