Another month, another load of patches from Microsoft.
This month we have seventy-one bulletins and corresponding updates. One hundred and twenty-six vulnerabilities are addressed in all, affecting .NET, Internet Explorer 9 and 11, Edge, Office, SharePoint, Visual Studio, OneDrive, Skype, Windows, and Windows Defender. Nineteen of the vulnerabilities are flagged as having Critical severity.
Those of you running Windows 10 know the drill: depending on which version of Windows 10 you’re running, you can delay installation of updates for a while, but not indefinitely. On Windows 8.1 computers, Windows Update is still the best way to install updates. Windows 7 users don’t have an official way to obtain updates for that O/S, despite the fact that Microsoft continues to develop them.
On a related note, you may have noticed that Microsoft is pushing its new Chromium-based Edge browser to all Windows computers. This is happening not only on Windows 10 computers, but also those running Windows 8.1 and even 7. The new Edge cannot be removed in the usual way once it’s installed. This is causing consternation for many users, as Edge seems to take over once installed, forcing the user to make certain choices before the desktop can even be accessed. Isn’t this the kind of behaviour that got Microsoft in trouble in the 1990s?
The vulnerability technically could affect all versions of Windows, but security features in current releases of Windows 10 seem to provide sufficient protection.
So far the attacks only seem to be targeting Windows 7 computers. Given that Windows 7 is no longer supported by Microsoft, we might expect that this bug would remain unpatched forever. But Microsoft has shown that it is willing to provide certain post-support Windows 7 security updates to the general public.
In any case, if you run Windows 7, the advice for fending off attacks using this vulnerability are basically the same as always: exercise extreme caution when opening suspicious documents. Even simply previewing an infected document in the Windows Explorer preview pane can allow a Windows 7 computer to be exploited remotely.
So the old advice about disabling preview panes remains valid. Any software that shows a preview of the contents of a file or email is in effect opening that file or email, which can trigger an embedded exploit on vulnerable computers. I strongly recommend disabling all such functionality, so that files and emails are never opened unintentionally, and to see the contents of files and emails, you must explicitly open them.
The related security advisory published by Microsoft also includes some workarounds, but these involve making changes to Windows that are themselves risky.
Given the wording of Microsoft’s bulletin, it seems likely that the NSA discovered this vulnerability and developed the exploit, which they are now using in their investigations. If that’s the case, the NSA may — in the post-EternalBlue/WannaCry world — have decided to inform Microsoft for the good of all.
In other words, for now you’re safe unless you’re the target of an NSA investigation. But it won’t be long until exploits attacking this vulnerability are in the hands of malicious actors.
Do you still run a Windows 7 computer that has shared folders? If you do, and those shares are set up so that they require user authentication, and the user involved is a member of the Administrators group on the Windows 7 computer, then you may find that those shares stopped working recently.
This problem was triggered by one of the Windows 7 updates from January 2019. Uninstalling that update fixes the problem, but doing that also rolls back some important security updates. So that’s not really a viable option.
Thankfully, Microsoft issued a fix for the problem. I’ve tested this fix and confirmed that it does work. To install it on your affected Windows 7 computer, locate the appropriate update (KB4487345 for 32-bit computers; KB4487345 for 64-bit computers) on this Windows Update Catalog page, click to download it, run the download and respond to the prompts. You’ll probably need to restart the computer.
Microsoft’s relentless push to get everyone using Windows 10 is creating problems for the software giant. At least one class action lawsuit is underway in Illinois, where annoyed users claim that Microsoft owes more than $5 million in damages related to Windows 10 upgrades, both wanted and unwanted.
Meanwhile, Windows is no longer the most popular way to access the Internet. As recently as 2012, up to 90% of all Internet access was via Windows, but that number has been dropping steadily in recent years, and it’s now at an all-time low. For the first time ever, another operating system is in first place: the mobile O/S Android. Microsoft has bet heavily on Windows 10 and its universal touch interface, alienating traditional desktop enthusiasts and power users in the process. But if consumers are increasingly choosing Android over Windows 10 for their mobile devices, where does that leave Windows?
Microsoft’s efforts to herd users towards their advertising platform Windows 10 includes discontinuing support for newer processors on older versions of Windows. While it’s clearly Microsoft’s prerogative to decide which hardware they support, there’s no obvious technical reason for this limitation. In light of Microsoft’s historical support for older systems, this is particularly annoying news for anyone expecting to be able to use Windows 7 or 8.1 with new hardware.
If you plan to risk a migraine and read Microsoft’s blog post, keep in mind that the intended audience is Enterprise users, not us lowly consumers (aka Windows 7/8 Home/Pro users). Parts of the post need to be interpreted differently for non-enterprise users. For instance, references to WSUS and ConfigMgr only apply to Enterprise users.
The changes will take effect on October 11, next week’s Patch Tuesday. The bottom line is that updates will no longer be delivered separately, but in large update packages. Each month, three of these packages will be produced:
security-only quality update – a single update containing this month’s security updates; not available through Windows Update!
security monthly quality rollup – a single update containing this month’s security updates, as well as non-security updates from the previous month, and the contents of all previous rollups.
preview of the monthly quality rollup – perhaps weirdest of all, this update will contain next month’s non-security updates. In other words, this month’s non-security updates, which are otherwise not available in the regular monthly rollup. Microsoft seems to be saying “For those of you who want this month’s non-security updates but would prefer not to wait until next month to get them, here’s a preview of those updates.” Even weirder, this update will become available the week after the regular Patch Tuesday. The preview rollups will also include fixes from all previous monthly rollups, and older updates will be gradually added as well.
Why will the monthly rollups contain non-security updates from the previous month? For example, according to Microsoft, the first (October 2016) rollup will include non-security updates from September. But why delay October’s non-security fixes for another month? This makes no sense.
What happens if an update causes problems? In the past, you could just uninstall the problematic update. That won’t be an option with this new system. Microsoft’s response to this question makes it clear that this is your fault: “Every Windows update is extensively tested with our OEMs [customers] and ISVs [customers], and by customers – all before these updates are released to the general population. Your organization may also be interested in validating updates before they are publicly released, by participating in the Security Update Validation Program (SUVP).” In other words, our updates are thoroughly tested by you, and if you’re not testing them, you should be.
Why is Microsoft doing this?
According to Microsoft, these changes will “simplify your updating of Windows 7 SP1, Windows 8.1, … while also improving scanning and installation times and providing flexibility depending on how you typically manage Windows updates today.”
There may actually be some good reasons for bundling updates. But Microsoft is being so vague that it’s hard to believe they aren’t trying to foist something unwanted on us. Maybe the new system will make Windows Update faster and more reliable. Maybe it will simplify updates, an appealing notion for many users. Maybe it will make us all safer. It’s difficult to predict.
But there’s no question that these changes will make it difficult to avoid unwanted updates, and therein lies the problem. We already know for sure that Microsoft desperately wants us to either upgrade to Windows 10, or install updates that make Windows 7 and 8 more like Windows 10. Clearly these changes are beneficial to Microsoft, and we have a pretty good idea why (it’s advertising infrastructure). And, despite Microsoft’s assurances, we can be fairly certain that these changes don’t actually benefit the user, unless the user enjoys targeted advertising.
Given Microsoft’s recent actions, and suspicions concerning their actual motivation, these new updates are going to be examined closely. Are all the ‘security’ updates actually necessary? Are they even related to security? Microsoft can slap a ‘security’ label on anything they want and force it down our throats.
What can we do about this?
If you use Windows 7 or 8.x Home or Professional, there’s not much you can do. As I explained in an earlier post, you can trust that Microsoft will act in your best interest and let them install what they want on your computer (yikes), you can stop using Windows Update completely (also yikes), or you can switch to Linux.
It’s also still possible that – with enough pressure from users – Microsoft could make these changes more palatable. The Electronic Freedom Foundation says (and I totally agree) that “Microsoft should come clean with its user community. The company needs to acknowledge its missteps and offer real, meaningful opt-outs to the users who want them, preferably in a single unified screen. It also needs to be straightforward in separating security updates from operating system upgrades going forward, and not try to bypass user choice and privacy expectations.” I would add that Microsoft should describe in detail exactly what each update really does, and how it affects the collection and transmission of user activity and other information.
Now that Microsoft’s offer of free Windows 10 upgrades for Windows 7 and 8.x users is over, it makes sense that we should stop seeing those annoying reminders everywhere. Sure enough, an update for Windows 7 and 8.x became available last Patch Tuesday (September 13) that removes the ‘Get Windows 10’ feature. The update is identified as KB3184143, and has the (surprisingly meaningful) title “Remove software related to the Windows 10 free upgrade offer”.
If you’ve been using the third-party software GWX Control Panel to keep those annoying Windows 10 upgrade messages away, and you’ve installed KB3184143 on your Windows 7/8.x system, you might be tempted to remove GWX Control Panel. Unfortunately, there’s no reason to assume that Microsoft won’t re-enable the ‘Get Windows 10’ feature again in the future. I plan to leave it running on my Windows 7 and 8.x computers.
Of course, knowing Microsoft, if they decide to start pushing Windows 10 on us again, they’ll probably develop something completely new, in which case GWX Control Panel probably won’t help.
Let’s review, shall we? Microsoft really wants you to use Windows 10. Their official explanation for this includes vague language about reliability, security, productivity, and a consistent interface across platforms. Their claims may be true, but they hide the real reason, which is that Microsoft saw how much money Google makes from advertising, realized that they had a captive audience in Windows users, and added advertising infrastructure to Windows 10 to capitalize on that. The privacy-annihiliating features are easily explained: the more Microsoft knows about its users, the higher the value of the advertising platform, since ads can be better targeted.
A short history of Microsoft’s sneakiest Windows 10 moves
Move #5: Microsoft realizes that the Group Policy tweaks provided for bus/edu customers can also be applied to Pro versions of Windows, Microsoft disables those settings in the Pro version. Windows 10 Home users never had access to those settings. Angry users are running out of options.
We know business and education customers won’t be affected by this latest change. The rest of us will have to suffer – or switch.
Assuming Microsoft doesn’t back way from this decision, I imagine my future computing setup to consist primarily of my existing Linux server, and one or two Linux machines for everyday use, development, blogging, media, etc. I’ll keep a single Windows XP machine for running older games and nothing else. In this scenario, I won’t run newer games if they don’t have a console version. Aside: if I’m not the only person doing this, we might see a distinct decline in PC gaming.
Dear Microsoft: I only kind of disliked you before. Now…
Now that their free Windows 10 upgrade offer is almost over, Microsoft thought this would be a good time to reduce some of the more devious tricks they’ve employed to fool users into upgrading from Windows 7 and 8.1 to Windows 10.
One incredibly annoying behaviour of at least one of the previous upgrade dialogs was that closing the dialog by clicking the ‘X’ button at the top right corner was actually interpreted by Microsoft as approval to proceed with the upgrade.
But it’s too little, too late for some users, many of whom encountered serious problems after their computers were upgraded to Windows 10 without their approval.
Update 2016Jul04: Apparently Microsoft is making one final big push to get people to upgrade. The Verge reports on new, screen-filling upgrade prompts that are starting to appear on Windows 7 and 8.1 computers.
The new package will install all post-SP1 updates up to April 2016. After you install Windows 7 with Service Pack 1, you need only install the April 2015 servicing stack update for Windows 7 (KB3020369), a prerequisite for the rollup, then install the rollup, then install any updates published after April 2016.
I haven’t yet tried the new rollup, but it’s difficult to imagine how it could fail to be an improvement.
Microsoft also plans to provide monthly non-security update rollups for Windows 7 and 8.1.
First, the bad news. The free Windows 10 upgrade offered to Windows 7 and 8.1 users for the past year or so is probably going to conclude at the end of July. If Microsoft sticks with this plan, upgrading to Windows 10 after that will cost about $120 US.