Microsoft, Patches and updates, Windows 7

Update MS15-115 re-released to fix crashing issues

Leave a comment

One of the updates released by Microsoft on Tuesday apparently caused serious crashing problems on Windows 7 and Windows Server 2008 computers. Microsoft has re-issued the update to resolve these problems. Anyone who already installed MS15-115 on affected Windows systems should run Windows Update again to get the new version.

The MS15-115 bulletin has been updated to show the change.

From the associated knowledge base article:

This security update was rereleased on November 11, 2015, for Windows 7 and Windows Server 2008 R2 to resolve the following issues:

* Resolves crashing that occurred in all supported versions of Microsoft Outlook when users were reading certain email messages.
* Resolves problems that occurred while users were logging on to the system. For example, after a user restarted the computer and then pressed Ctrl+Alt+Delete at the logon screen, the screen flashed and then went black. The user was then unable to continue. There may be other, similar logon issues that are related to this issue.

Internet, Privacy, Security

Latest Ouch! newsletters from SANS

Leave a comment

It’s been a while since I posted a link to the SANS Ouch! Security Awareness (“Securing The Human”) Newsletter. It’s a monthly PDF publication that’s aimed at ordinary users, and each issue covers a topic that is – or should be – of interest to everyone.

The most recent issues are Two Step Verification, Password Managers, and Shopping Online Securely. Note: these are all PDF documents.

Note: because they are written for ordinary users, more knowledgeable users may not learn anything new from Ouch! newsletters. Still, they’re worth reading and passing on to anyone who may benefit.

Adobe, Chrome, Flash, Google, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for November 2015

Leave a comment

It’s that time again. This month’s crop of updates from Microsoft addresses security problems in the usual suspects, namely Windows, Office, .NET and Internet Explorer. Adobe joins the fun with yet another batch of fixes for Flash, and Google releases another version of Chrome with the latest Flash.

The Microsoft security summary bulletin for November 2015 gets into all the technical details. There are twelve separate bulletins with associated updates. Four of the updates are flagged as Critical. One of the updates affects the Windows 10 web browser Edge. A total of 53 vulnerabilities are addressed.

Flash 19.0.0.245 includes fixes for at least seventeen vulnerabilities. As usual, Internet Explorer in recent versions of Windows will be updated via Windows Update. Chrome gets the new Flash via its internal updater. Anyone still using a web browser with Flash enabled should install the new Flash as soon as possible.

Chrome 46.0.2490.86 includes the latest Flash (see above) and fixes a security issue in its embedded PDF viewer.

Hardware, Microsoft, Windows 10, Windows 7, Windows 8.x

Only Windows 10 on new PCs after October 2016

Leave a comment

Microsoft has confirmed that OEMs will no longer be allowed to sell new computers with Windows 7 or 8.x after October 31, 2016. If you buy a new PC after that date, you won’t have any options besides Windows 10.

Support for Windows 7 – including security updates – will continue to 2020, so it’s still a perfectly viable operating system. But it’s unclear whether you will still be able to purchase Windows 7 OEM separately, from Microsoft or any other seller, after October 31, 2016. I certainly hope so, although it seems unlikely. So if you’re planning to build any new Windows 7 computers between October 2016 and 2020, you should stock up on Windows 7 OEM licenses now.

Microsoft, Patches and updates, Windows 10

Windows 10 build 10586

Leave a comment

Microsoft is happy with the latest Windows 10 Insider Preview build, designated 10586. That means it will find its way to your Windows 10 computer over the next week or so as the Windows 10 Fall Update. This will roughly coincide with next week’s Patch Tuesday.

My Insider Preview test machine is configured to get the latest updates, so I’ve been using 10586, and the builds that were available in the interim since the last public release (10240) for a while. Now that the test computer is running the new release version, the ‘Insider Preview build’ message is once again gone from the desktop. That will change when Microsoft pushes out the next preview version.

There’s not a lot to talk about here. Most of the changes are fairly minor, including coloured title bars, tab previews in Edge, general cleanup in user interface elements, and improvements to the Start menu. Skype will get several enhancements. Several bugs have also been fixed.

Update 2015Nov15: Ars Technica has a list of changes in the new release, and really, there’s not much of interest.

With this release, Microsoft has also changed the way it identifies Windows 10 versions. The previous release was “Version 10.0 (Build 10240).” The new release is “Version 1511 (OS Build 10586.3)” where “1511” refers to the 11th month of 2015. They like to keep us confused, don’t they?

Microsoft, Privacy, Windows 10

Windows 10 privacy concerns are legitimate

Leave a comment

Microsoft Corporate Vice President Joe Belfiore has finally admitted what we’ve known all along: Windows 10 talks to Microsoft servers even if you’ve disabled every available privacy-related setting.

Of course, Belfiore says that this is nothing to worry about, since it’s being done to make Windows 10 work better for everyone. He’s probably not lying about Microsoft’s intentions, but all the same, I don’t want my O/S to do this kind of thing. And I don’t care if blocking this unwanted communication makes Microsoft’s work more difficult.

Unless Microsoft relents and provides a method for disabling all of this anti-privacy communication, your choices are: a) give up and stop worrying about it; b) avoid Windows 10 completely; or c) use one of the available third-party methods, such as Spybot Anti-Beacon, to block all of this ‘phone home’ behaviour.

Normally, I’d go for option C. But I’m running Windows 10 as part of the Insider Preview program, and blocking all communication to Microsoft would almost certainly result in my being kicked from the program. So it’s option A for me.

Firefox, Patches and updates, Privacy, Security

Firefox 42 improves private browsing, fixes numerous bugs

Leave a comment

Mozilla seems determined to keep us guessing with new versions of Firefox. New versions that are not assigned a major new version number (e.g. 41, 42) are not announced in any way. When a new version is (apparently arbitrarily) assigned a major new version number, Mozilla publishes a post on the Mozilla blog. This post never includes any mention of the new version identifier, and typically doesn’t even say that there’s a new version.

For example, the post associated with Firefox 42 says this: “We’re releasing a powerful new feature in Firefox Private Browsing called Tracking Protection” and “We hope you enjoy the new Firefox!” What new version? When will it be released? We’re left guessing the answers to these rather obvious questions.

According to the release notes for Firefox 42, it was released on November 3. The Mozilla blog post describes changes to Firefox’s Private Browsing mode, including the new Tracking Protection, which “actively blocks content like ads, analytics trackers and social share buttons that may record your behavior without your knowledge across sites.”

Firefox 42 adds a small speaker icon that appears next to the caption for any tab that’s currently playing audio. You can mute a tab’s audio by clicking the speaker icon. The Login Manager has been improved in several ways. Performance has also been beefed up for sites that perform a lot of restyling. HTML5 support was improved.

Firefox 42 includes fixes for at least eighteen security bugs, according to the Security Advisories page. Recommendation: update Firefox to version 42 as soon as possible.

Adobe, Adware, Android, Apple, Firefox, Flash, Google, Internet crime, Java, Malware, Mobile, Security, Silverlight, WordPress and other CMS

October Security Roundup

Leave a comment

You probably shouldn’t rely on the security of your encrypted email. Even if you’re using current encryption technologies, certain conditions may arise during transit that cause your message to be transmitted in plain text.

There’s a well-reasoned response to a common question about the responsibility of Certificate Authorities over on the Let’s Encrypt blog. These fine folks will soon be providing free HTTPS certificates to the world, so they’ve been answering a lot of questions about how their service will work.

There’s going to be a minor apocalypse, starting January 1, 2016. On that date, Certificate Authorities will stop issuing certificates that use SHA1 encryption. SHA1 is now considered too weak for use, and is being phased out in favour of SHA2, which is much stronger. Just one problem: people stuck using older browser software and devices will lose their ability to access secure web sites and use those devices. There’s more technical nitty-gritty over at Ars Technica.

Symantec hasn’t done enough to clean up its Certificate Authority activities, according to Google. This follows the discovery that Symantec employees were issuing unauthorized certificates. Google has warned Symantec to provide a proper accounting of its CA activities or face the consequences.

A critical vulnerability in the blogging platform Joomla was discovered in October. The bug exists in all versions of Joomla from 3.2 onward. A patch was developed and made available, and anyone who manages a Joomla 3.x -based site is strongly advised to install the patched version (3.4.5) as soon as possible.

It’s increasingly dangerous to be a computer security researcher. New agreements could even make the work illegal in some regions.

Flaws in many self-encrypting external hard drives from Western Digital mean their encryption can be bypassed, according to researchers.

Google made it easier to determine why a site is flagged as unsafe, adding a Safe Browsing Site Status feature to their Transparency Report tools.

Mozilla is following the lead of Google and Microsoft, and plans to all but eliminate support for binary plugins in Firefox by the end of 2016. Binary browser plugins for Java, Flash, and Silverlight provide convenience but are a never-ending security headache. There’s one exception: Mozilla will continue to support Flash as a Firefox plugin for the foreseeable future.

The FBI teamed up with security vendors to take down another botnet in October. The Dridex botnet mainly targeted banking and corporate institutions, gathering private data and uploading it to control servers.

Cisco researchers, working with Limestone Networks, disrupted a lucrative ransomware operation in October.

A stash of thirteen million user names and plain text passwords was recently obtained by a security researcher. The records were traced to 000Webhost, an Internet services provider.

The Patreon funding web site was breached, and private information about subscribers, including encrypted passwords and donation records, was published online. Source code was also stolen, which may make decrypting the passwords much easier.

Researchers discovered numerous iPhone applications that collect and transmit private user information, in violation of Apple’s privacy policies. These apps apparently made it into the App Store because of a loophole in the validation process.

87% of Android-based devices are vulnerable to security exploits. Google develops Android updates quickly enough, but phone makers are typically very slow to make updates available to users.

New Android vulnerabilities, dubbed ‘Stagefright 2.0’ by researchers, were announced in early October. As many as a billion Android devices are vulnerable, and although patches were made available by Google, they may take weeks or months to find their way to individual devices.

A malicious Android adware campaign tricks unwary users into installing apps that appear to be from trusted vendors. These apps use slightly-modified icons of legitimate apps to fool users.

Microsoft, Patches and updates, Windows 10, Windows 7, Windows 8.x

If you don’t want Windows 10, disable Automatic Updates

Leave a comment

Microsoft is really ramping up the annoyance factor lately. The latest is that some time in 2016, Windows 7 and 8.x computers will start seeing Windows 10 as a ‘Recommended’ update in Windows Update. If you have Windows Automatic Updates enabled, your computer will be upgraded to Windows 10 on some arbitrary night in early 2016, while you’re asleep.

This is bad for several reasons. Here are a few:

  • For anyone not interested in upgrading to Windows 10, this renders Automatic Updates unusable. Yes, there are people who want to use Automatic Updates, but don’t want to upgrade to Windows 10. Lots of them. Including a lot of grandparents.
  • There have already been reports of problems with Windows 10 being installed when it wasn’t wanted. If Microsoft messes this up somehow, a lot of people are going to be mighty annoyed when they wake up to Windows 10 on their computer.
  • There are loads of reasons not to upgrade to Windows 10, including incompatible software and hardware. An unwanted Windows 10 upgrade could mean a lot of time wasted downgrading or looking for alternatives.
  • Microsoft has started talking about Windows 10 in business and education settings, saying they’ll provide workarounds for these types of problems. But it can’t be very encouraging to business IT folks to hear announcements like this.

The Verge has more.

Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.

Close

Ad-blocker not detected

Consider installing a browser extension that blocks ads and other malicious scripts in your browser to protect your privacy and security. Learn more.