Patch Tuesday for April 2017

As of this month, Microsoft is no longer publishing security bulletins. What we get instead is the Security Update Guide, an online database of Microsoft updates. Instead of a nice series of bulletins in my RSS reader, I get a single notification that contains almost nothing of use, aside from a link to the Security Update Guide. It also recommends enabling auto updates. Suffice to say that they won’t need to change the wording next month.

Security Update Guide

I’m sure it’s possible to create an online update database that works, but the Security Update Guide doesn’t qualify. In the hour I’ve spent so far trying to use it, what I usually see is an empty list. On the occasions when updates were shown, attempting to navigate from there also produced blank lists. Presumably this is happening because the site is overwhelmed, this being Patch Tuesday, but it’s also an excellent demonstration of why simpler systems are often better.

But even assuming that the current (as of 2017Apr11 13:00 PST) issues are transitory, information about the current set of updates that I did manage to see (in brief glimpses) was scattered among hundreds of items in the list. There is an always-visible link to a release notes page for the month’s updates, but sadly that page is far less useful than the summary bulletins previously provided. Aside from a few notes about special cases, all we get is this:

The April security release consists of security updates for the following software:
Internet Explorer
Microsoft Edge
Microsoft Windows
Microsoft Office and Microsoft Office Services and Web Apps
Visual Studio for Mac
.NET Framework
Silverlight
Adobe Flash Player

For the period between March’s Patch Tuesday and today, the guide shows 233 total items. To learn more, you have only one obvious option: go through every item in the list, looking for unique Knowledge Base article numbers in the More Info column, and clicking them to see the related KB article. I think I’ll leave that as an exercise for the reader. If Microsoft improves the guide sufficiently, I’ll go back to providing a more detailed breakdown of the monthly updates.

Update 2017Apr12: On Microsoft’s Security Update Guide, you’ll find a small Download link at the top right of the update list. You can use this to open the update list in Excel, which is a lot easier than using the flaky web-based tool. using this method, I was able to count the number of unique updates, and it looks like there are forty-two, with forty-four vulnerabilities addressed. CERT’s count is sixty-one.

Update 2017Apr18: Ars Technica wonders if anyone likes the new Security Update Guide.

Adobe’s Contribution

As is now almost traditional, Adobe published their own set of updates today. This month we get updates for Flash (seven issues addressed) and Acrobat/Reader (47 issues addressed).

If you still use a web browser with a Flash plugin, you should update it as soon as possible. Internet Explorer and Edge will of course get their own Flash updates via Microsoft Update, while Chrome’s built-in Flash will be updated automatically on most computers.

Vivaldi 1.8

The latest version of Vivaldi sports a reworked browsing history, and better control over audio, as well as several bug fixes. The release announcement lists all the changes. None of the changes appear to be related to security.

Vivaldi 1.8’s new history interface is a real improvement over what’s available in other browsers. Anyone who spends a lot of time reviewing their browsing history will appreciate the new calendar view.

Despite the improvements, I’d rather the Vivaldi development team spend their time fixing issues with the user interface. The sidebar bookmark editor is still weirdly difficult to use, and it’s also now apparently impossible to remove. There are still inconsistencies in the way links and bookmarks are handled, and the browser still lacks options that would allow complete control over whether links and bookmarks open in new tabs.

Update 2017Apr05: the full version number is 1.8.770.50.

It’s probably a good idea to stop using LastPass right now

Password management tools are generally a good thing. Most of us have so many passwords now that remembering them all is difficult. While it’s tempting to use one or two passwords everywhere, this is generally viewed as a bad idea. Same goes for short or easy-to-guess passwords: bad idea.

I recommend using password management software that runs natively, on your computer. I personally use Password Corral, and have used Bruce Schneier’s Password Safe. Both store your password data on your computer, not on someone else’s computer (aka ‘the cloud’). Both are relatively basic in terms of functionality: they allow you to store all of your passwords securely; password data is encrypted and protected by a master password. They can also generate new, random passwords.

There are plenty of other password management solutions out there. Some of the most popular ones, like LastPass, provide more features and are easier to use, but there’s typically a cost. For instance, it would definitely be convenient if I could access my passwords from any computer. But if that means my password data is stored on the cloud somewhere, well, no thanks. The same goes for browser extensions that enter passwords automatically.

Which brings us to yesterday, when a Google Project Zero security researcher reported a serious vulnerability in the LastPass browser extension. With the extension enabled in your browser, a malicious web site could steal all of your passwords from the LastPass data files. Yikes. But wait, there’s more! If you’re also running the main LastPass software on your computer, a malicious web site could execute arbitrary code on your computer.

LastPass issued a response to this report, confirming the problem. Their advice to users is vague, but that’s actually a good thing: if they said too much, it could provide clues about the vulnerability to malicious hackers. But the message is clear: if you have to use LastPass, disable the Lastpass browser plugin:

Use the LastPass Vault as a launch pad – Launch sites directly from the LastPass vault. This is the safest way to access your credentials and sites until this vulnerability is resolved.

Interestingly, of the three recommendations provided, two are standard advice for anyone who uses the web: enable and use Two-Factor Authentication for sites and services that offer it; and be wary of phishing attempts.

Firefox 52.0.2

There’s another new Firefox release: 52.0.2. The new version fixes a few minor bugs, none related to security.

Firefox should update itself automatically to the new version, but there’s no particular urgency about this update, unless you’re affected by one of the bugs it fixes. See the release notes for details.

As usual, there was no announcement from Mozilla about Firefox 52.0.2. I learned about this one when Firefox offered to update itself.

Windows 10 cumulative updates hopelessly botched

Recently I noticed that my Windows 10 test PC wasn’t staying logged in. Every morning, despite not having logged out the day before, I was seeing the login screen. A bit of poking around in the Windows 10 settings showed that Windows was trying to install update KB4013429, rebooting to complete the install, failing to complete the install, and rolling back the changes. Rinse and repeat daily, since March 14.

Searching online, I immediately found other people experiencing this problem. No official solution from Microsoft, but plenty from other users, including what turned out to be the only thing that worked for many: a total reinstall of Windows 10.

One user pointed to an interesting tool, available in the TechNet Script Center, called Reset Windows Update Agent. (Note: this script was created and submitted by a non-Microsoft contributor, not by Microsoft.) Since I wasn’t getting anywhere looking for an official solution, I tried the tool’s main feature, which does indeed reset all things Windows Update. After rebooting, Windows successfully installed a few updates, then started to install ‘Cumulative Update for Windows 10 Version 1607 (KB4015438)’, which Microsoft issued on March 20 to address problems with KB4013429. But that update also failed to install, and now we’re back in our daily loop.

I considered contacting Microsoft about this, but then I remembered my previous encounters with Microsoft support, shuddered, and thought better of it. After all, Microsoft already knows my PC is having trouble installing this update, because of all the telemetry in Windows 10, right? If anything, they should be contacting me with a solution. Yeah, right. Like that would ever happen.

I really don’t want Microsoft to be in a position to make my life miserable, especially now that they can do that remotely, without my explicit consent, and usually without my knowledge. At a time when Microsoft should be showing us just how much they’ve learned about managing Windows updates, they seem to be getting worse.

I sympathize with anyone who tries to do anything productive with Windows 10. I only use it for testing and media playback, but even so, this is the end of the line for my relationship with Windows 10. I’ll be installing Linux Mint MATE next.

Windows Vista to be put out of its misery on April 11

I’m sure there are a few people out there still using Vista. It may even have a few fans, and maybe they’re sad about Vista’s impending trip to the back of the woodshed. But they’re crazy: Vista was a terrible O/S.

CERT’s announcement of Vista’s coming demise.

After April 11, Vista will no longer receive any updates from Microsoft, including security updates. Beyond that point, no Vista computer should be allowed to connect to the Internet.

News for me, stuff that matters… to me. Windows, Linux, security, tools & miscellany.