Microsoft, Patches and updates, Things that are bad, Windows 10

Windows 10 update problems continue

June 1, 2020 jrivett Leave a comment

With Windows 10, Microsoft shifted a lot of their testing to users, through the Windows Insider program. Anyone can join the Insider program, and what you get is early access to new versions of Windows 10.

In return, you are expected to provide feedback to Microsoft when you encounter problems, primarily via the Windows 10 Feedback Hub app. I’ve used the Feedback Hub, and Microsoft does indeed seem to look at — and act on — user feedback.

While I do appreciate having the option of contributing to the quality of Windows 10, it seems clear that relying on users for testing is woefully inadequate, and hardly a substitute for systematic, formal software testing. Each new set of Windows 10 updates, and especially new versions, seem to cause more problems than they solve.

Windows 10 version 2004, released on May 27, is no exception. Microsoft has identified at least ten separate problems with the new version, mostly related to device drivers. Users unlucky enough to have the affected devices are reporting application crashes and good old Blue Screens of Death (BSODs). In some cases the new version renders affected computers unusable.

At least updates can now be delayed. Earlier versions of Windows 10 forced new updates on all computers. Without the ability to to put off updates, these unwanted and problematic changes would cause worldwide carnage at least every Patch Tuesday.

Hey, Microsoft. Thanks for giving us the option to help out with Windows testing. But please go back to doing more formal testing. Nobody needs these headaches. We’ve got enough problems without you piling on.

Update 2020Jun02: Microsoft has put a ‘compatibility hold’ on the recent problematic updates. If Microsoft decides that your device may have problems with an update, it won’t get installed until the hold is released. Of course that doesn’t help people who installed those updates before they were held.

Internet, Tools

Deciding whether to install a web ad blocker

May 27, 2020 jrivett Leave a comment

I just discovered an interesting and useful web site: Should I Block Ads?

Created by Michael Howell, it’s collection of information that can be helpful in deciding whether to install an ad blocker in your web browser. It also provides ad-blocker recommendations for various platforms and browsers.

Michael’s analysis addresses all of the concerns I’ve had with web-based advertising, and confirms my choice to install and use uBlock Origin in Firefox, my primary web browser.

If you’re considering installing an ad blocker in your web browser, keep in mind that there can be a bit of a learning curve, and that blocking ads can cause some web sites to stop working. Blocking web ads usually ends up being an ongoing process; don’t expect it to be a magic bullet.

There are of course arguments against ad-blocking. Just keep in mind that a site owner always has the option of placing hand-crafted advertisements on their site; as long as they don’t use Javascript and are not associated with known advertising networks, they will not be blocked.

Adobe, Edge, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for May 2020

May 12, 2020 jrivett Leave a comment

We’re in the middle of a pandemic, but that’s no excuse to leave software unpatched. There’s certainly been no reduction in the rate at which vulnerabilities and exploits are being discovered.

This month’s contribution from Microsoft, as documented in the Security Update Guide, consists of thirty-eight updates, with corresponding bulletins, addressing one hundred and eleven vulnerabilities in .NET, Internet Explorer, Edge, Office, Visual Studio, and Windows. Eighteen of the updates are flagged as having Critical severity.

If you’re still using Windows 7, and you haven’t shelled out for Microsoft’s Extended Security Updates, you won’t find any of this month’s Windows 7 updates via Windows Update. You do have at least one other option: an organization called 0patch. These folks provide what they call ‘micropatches’ for known vulnerabilities in no-longer-officially-supported versions of Windows, including Windows 7 and Windows Server 2008. I haven’t tried these myself, but they seem legitimate. Well, presumably not in the view of Microsoft.

Windows 10 users will get the latest updates whether they’re wanted or not, although there are settings that allow you to delay them, for a while. That leaves Windows 8.1, for which Windows Update is still the appropriate tool.

Adobe once again tags along this month, with new versions of Reader and Acrobat. Most people use the free version of Reader, officially known as Acrobat Reader DC. The new version, 2020.009.20063, includes fixes for twenty-four security vulnerabilites in earlier versions.

Firefox, Mozilla, Patches and updates, Security

Firefox 76 and 76.0.1

May 9, 2020 jrivett Leave a comment

Announced on May 5, Firefox 76 tightens up password management and related security in several ways:

Lockwise, the password manager built into Firefox, now prompts for your Lockwise master password when you try to show or copy a password. If you’re not using a master password, Lockwise will prompt for your device’s password. Previously, Lockwise only prompted for the master password once, on Firefox startup.
Firefox now checks all your saved passwords against records from known breaches. Any password known to have been revealed in any breach will show in your Logins & Passwords list with a special icon. A different icon is shown if the associated site was breached since you last changed your password for that site.
Firefox can now generate secure, complex passwords for you.

Other changes in Firefox 76 include improvements to the Picture-In-Picture feature, and native support for more complex audio applications, including Zoom. There are also some minor cosmetic tweaks to the address bar and bookmarks bar.

There are eleven security fixes in Firefox 76 as well.

Default installations of Firefox keep themselves up to date, but you can hurry the process along by navigating its ‘hamburger’ menu to Help > About Firefox.

Firefox 76.0.1

The release of Firefox 76 was followed up quickly by Firefox 76.0.1, which fixes two bugs, neither of which are security-related.

Java, Patches and updates, Security

Java 8 Update 251

April 17, 2020 jrivett Leave a comment

At this point, most folks probably don’t need Java. Which is good, because it’s still a target for malicious hackers. If you don’t actually need Java, it’s a good idea to remove it completely from your computers.

You can check whether Java is installed by opening the Windows Control Panel and looking for a Java entry. On my Windows 8.1 computer, it looks like this: . If you can’t see a Java entry in the Control Panel, try changing View by to Small icons. If you still can’t see it, Java probably isn’t installed. To find the Control Panel on Windows 10, press the Windows key, then type ‘control’. You should see Control Panel in the search results.

You can also double-check by opening Programs and Features in the Control Panel. Search the Programs and Features list for ‘java’.

If you’re not sure whether you still need Java, uninstall it, then if something stops working, you can always reinstall it.

If you do need to keep Java around, to run old Java applications and games, access ancient Java-enabled web sites, or use work-related resources you have no control over, it’s best to keep it up to date.

The Java Control Panel will let you see the currently installed version, and provides a link to download and install the newest version.

Java 8 Update 251 includes fixes for fifteen security vulnerabilities in earlier versions.

Edge, Microsoft, Patches and updates, Security, Windows, Windows 8.x

Patch Tuesday for April 2020

April 14, 2020 jrivett Leave a comment

As if there wasn’t enough going on, it’s already time to patch your Windows computers again.

Of course at this point, given that Windows 7 is effectively no longer getting patches, and Windows 10 updates itself whether you want it to or not, we’re really just talking about Windows 8.1. Market share for Windows 8.x was never high, and it’s now below 5% overall. Oh well.

Somewhat confusingly, Microsoft continues to produce patches for Windows 7, and documents them along with all the others in the Security Update Guide. But if you look at the requirements for these Windows 7 updates, you’ll see that they can’t be installed unless you’ve already paid for and installed the Extended Security Updates (ESU) Licensing Preparation Package. Which most regular folks can’t afford.

This month we don’t have any interesting updates from Adobe, but there’s the usual pile from Microsoft. Analysis of the Security Update Guide reveals that a total of one hundred and fourteen security vulnerabilities are addressed in this month’s patches. The usual lineup of software products are affected, including Windows, Internet Explorer 9 and 11, Edge, Office, and Windows Defender. There are thirty-eight security bulletins in all, nineteen of which are flagged as Critical.

By now I’m sure you know the drill: find Windows Update in the Control Panel and check for updates. Whether you cross your fingers or not is entirely up to you. Windows 10 users need to keep their fingers crossed at all times I guess.

Update 2020Apr15: April’s Microsoft updates include fixes for those actively-exploited Adobe Type Library vulnerabilities recently reported.

Chrome, Google, Patches and updates, Security

Chrome 81.0.4044.92

April 13, 2020 jrivett Leave a comment

A new version of Chrome addresses thirty-two security issues in previous versions.

Details of the vulnerabilities fixed in Chrome 81.0.4044.92 are sketchy, which is normal for newly-discovered and mostly unpatched security bugs. Google has published vulnerability identifiers (CVE numbers), along with links to Google’s internal bug tracking system, and credited the researchers who discovered them.

The links are mostly non-functional, and will remain so until Google decides that it’s safe to publish the vulnerability details. Even the CVE numbers aren’t that helpful: if you search the CVE list at Mitre.org for one of these recent vulnerabilities, you’ll see a placeholder page with no details — for now.

In a perfect world, it would be easy to discover exactly what a software update would change, before it’s installed. Sadly, opportunistic assholes have made this impractical and even dangerous for security-related updates. So, regardless of how one feels about the developer, at some level we have no choice but to trust them with security updates.

Chrome’s ‘three vertical dots’ menu is the place to start if you want to check which version you’re running and install an update. Drill down to Help > About Google Chrome. If an update is available, it will be installed automatically, after which you’ll see a Relaunch button.

Firefox, Mozilla, Patches and updates, Security

Firefox 75.0

April 11, 2020 jrivett Leave a comment

April 7’s announcement of Firefox 75.0 came just a few days after the release of Firefox 74.0.1, a special version that addresses two critical security vulnerabilities.

Firefox 75.0 features a reworked address bar, and includes fixes for another six security bugs.

The new address bar functionality may trip up some users initially, but it does appear to be an overall improvement. The changes are as follows:

Searching using the address bar on smaller screens is now optimized, and should be less confusing.
Clicking the empty address bar, or clicking on an address in the address bar, will now show a list of ‘top sites’. These are the sites you visit most often.
The address bar is now slightly larger, and expands slightly when clicked. The font is also larger, and suggested URLs are shortened to provide more useful context.
When entering search terms, Firefox will now suggest additional terms it thinks may be relevant.
If you start entering a URL that is already open in another tab, Firefox will show a ‘Switch to Tab’ entry in the suggestions.

Depending on your configuration, Firefox will typically update itself in the days following a new release. If you prefer to do this yourself, or you’re not sure which version you have, navigate Firefox’s ‘hamburger’ menu (at the top right) to Help > About Firefox. If a newver version is available, you’ll be given the opportunity to install it.

Chrome, Google, Patches and updates, Security

Chrome 80.0.3987.162 and 80.0.3987.163

April 4, 2020 jrivett Leave a comment

Two Chrome releases this week address at least eight security vulnerabilities and other bugs.

The release notes for Chrome 80.0.3987.162 provide details for some of the security vulnerabilities. A usual, Google holds off publishing vulnerability details until most installs have been updated.

Chrome 80.0.3987.163 appears to roll back a bug fix that was addressed in an earlier version.

You can trust Google to update your installation of Chrome, or do it youself, by navigating its three-vertical-dots menu to Help > About Google Chrome. This will trigger a check for updates, and if a newer version is available, you should see an Update button or link.

Microsoft, Security, Windows 7

Unpatched Windows 7 vulnerability being used in targeted attacks

March 26, 2020 jrivett Leave a comment

A serious vulnerability in Adobe Type Manager Library, a Windows DLL file used by numerous software applications, is being actively exploited, but so far only in a very limited way.

The vulnerability technically could affect all versions of Windows, but security features in current releases of Windows 10 seem to provide sufficient protection.

So far the attacks only seem to be targeting Windows 7 computers. Given that Windows 7 is no longer supported by Microsoft, we might expect that this bug would remain unpatched forever. But Microsoft has shown that it is willing to provide certain post-support Windows 7 security updates to the general public.

In any case, if you run Windows 7, the advice for fending off attacks using this vulnerability are basically the same as always: exercise extreme caution when opening suspicious documents. Even simply previewing an infected document in the Windows Explorer preview pane can allow a Windows 7 computer to be exploited remotely.

So the old advice about disabling preview panes remains valid. Any software that shows a preview of the contents of a file or email is in effect opening that file or email, which can trigger an embedded exploit on vulnerable computers. I strongly recommend disabling all such functionality, so that files and emails are never opened unintentionally, and to see the contents of files and emails, you must explicitly open them.

The related security advisory published by Microsoft also includes some workarounds, but these involve making changes to Windows that are themselves risky.

Given the wording of Microsoft’s bulletin, it seems likely that the NSA discovered this vulnerability and developed the exploit, which they are now using in their investigations. If that’s the case, the NSA may — in the post-EternalBlue/WannaCry world — have decided to inform Microsoft for the good of all.

In other words, for now you’re safe unless you’re the target of an NSA investigation. But it won’t be long until exploits attacking this vulnerability are in the hands of malicious actors.

boot13