Vulnerabilities everywhere

Topic

New Reply

ISSUE 20.33 • 2023-08-14 PATCH WATCH By Susan Bradley Another month, another series of updates for seemingly everything on the Windows platform. But t
[See the full post at: Vulnerabilities everywhere]

Susan Bradley Patch Lady/Prudent patcher

8 users thanked author for this post.

fisher75, rc primak, windbg, abbodi86, DLivesInTexas, lmacri, Alex5723, TechTango

Reply | Quote

Replies

For Teams, also see Teams update process

Reply | Quote

The change to opening links with Edge was also snuck into the Outlook standalone client, possibly in the latest update. The setting to change is well buried, but you do have the choice of selecting your default browser if it is not Edge.

1 user thanked author for this post.

Cybertooth

Reply | Quote

Susan Bradley wrote:

… browser links from the Outlook app will open in Microsoft Edge by default, right alongside the email they’re from in the Microsoft Edge sidebar pane.
…
If this annoys you, go to the Microsoft Edge Settings page, click on Sidebar, and then turn off Automatically open Outlook email context in the side pane.

In Edge Settings, after Sidebar you need to click Outlook under App and notification settings to reach that option:

How can I stop my email from auto-opening in the Microsoft Edge sidebar pane?

(I tried with the option on, but even as an avid Outlook and Edge user I didn’t find it useful as I don’t need the email “context” to be on display for most links.)

Reply | Quote

Susan Bradley wrote:

… browser links from the Outlook app will open in Microsoft Edge by default, right alongside the email they’re from in the Microsoft Edge sidebar pane.———I’m hoping that it will be an obvious thing that you can stop — not one of those jarring events  where you notice that something did change, but you have no idea why.

For me they open in Firefox—I have Edge completely uninstalled/removed from my PC, so nothing can open in Edge.

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.

We were all once "Average Users".

Computer Specs

Reply | Quote

Ubuntu Security Alert: GameOver(lay) Vulnerabilities in the Kernel
https://www.cyberkendra.com/2023/07/ubuntu-security-alert-gameoverlay.html

A few more details…

Notice the date was in late-July, and the kernel updates have rolled out from July 27, 2023 until this week. (I just got new kernels for some of my Ubuntu installs today.) Note also that this is one of many security issues Canonical has created for themselves by messing wround with the Linux kernel and making proprietary changes for their own distro (and by extension for most of its derivatives or forks).

Some words about CLI vs. GUI updating in Ubuntu…

Note: The GUI update manager in the illustration is from Mint, not from Ubuntu. Much of what follows is equally true in Mint and Ubuntu’s various flavors.

BTW, the CLI apt updating commands often show updates not available (yet) through the Ubuntu Updater. The Gnome Software Center shows that there are unspecified “OS Updates” available, but does not tell you that these are held packages, and must be manually upgraded through the CLI. I would be careful about upgrading held packages, as they can break stuff. Eventually, most package updates make it into normal update channels. There is no reason to upgrade to the subscription service for Ubuntu, called Ubuntu Pro or Ubuntu Advantage. You will get no additional overall security improvements. Just a lot more update nags.

Kernel updates can be delayed and will show up for some users before they show up for others. But by this time, everyone should have seen the relevant kernel updates. I have not seen a patch for Ubuntu kernel version 6.x.

Getting back to our story…

The vulnerabilities have since been patched by Ubuntu following responsible disclosure, with fixes issued on July 24, 2023.

The discovery of these vulnerabilities underscores the unpredictable effects of subtle changes to the Linux kernel made by Ubuntu. Wiz CTO and co-founder Ami Luttwak commented, “Both vulnerabilities are unique to Ubuntu kernels since they stemmed from Ubuntu’s individual changes to the OverlayFS module.”

Old news. Now, regarding the Mint upgrade…

Linux Mint Cinnamon “Victoria” was released July 24.

This does not mean this upgrade is ready for Prime Time. I’d give it awhile longer to settle down, given the history of Mint upgrades.

My own system will be upgraded sometime in September, when I’m not patching Windows or Ubuntu Unity.

In Linux Mint, the built-in backup software is called TimeShift, and it allows you to take a system snapshot before the upgrade.

Advanced Linux users may also prefer to use Clonezilla Live from a bootable USB Flash Drive. (My bootable media for Linux are now inside of Ventoy Flash Drives. This is to conserve Windows 11 TPM-2 Secure Boot Security Keys. This issue only applies to dual- and multiboot systems.) If using cloning in Linux, it’s wise to also make an uncompressed, unencrypted copy of the USer’s /Home Directory and archive that as Linux User Data.

Timeshift is nice, but it uses a compressed format which depends on getting Timeshift (hence, the OS base image) up and running to perform any restore operations. Also, Synaptic can back up a lot of the Linux software markings, making reinstalling, upgrading and rebuilding much quicker. This backup is a series of small files which can be exported, archived and later imported back into Synaptic.

-- rc primak

Reply | Quote

I don’t think you need the “–id”, but that you can bypass certificate pinning to avoid that error code:

Fix 0x8a15005e: The server certificate did not match any of the expected values

Reply | Quote

Did a reply get lost from this thread? I thought someone had posted regarding having trouble using Powershell to update the HEVC Video Codecs from the Microsoft Store (It’s a Store App) using Powershell. An error happened during the Winget process.

That post is no longer showing when I view this thread.

-- rc primak

Reply | Quote

RC,

That was me. I had read incorrectly Susan’s original post and I had the updated version already so there was nothing to update. I deleted the post. Sorry!

May the Forces of good computing be with you!

RG

PowerShell & VBA Rule!
Computer Specs

Reply | Quote

I enjoy Ubuntu Pro.  It doesn’t nag me.  It installs the updates automatically.

I now have Linux kernel 6.2.0-26 on Ubuntu 22.04.3 which was upgraded automatically.
I wish that Windows 11 was as trouble free as Ubuntu.  Last night I tried to print on Windows 11, and could not.  I eventually resolved the problem, but it is annoying to  encounter these problems for simple tasks.

Sorry if I am off-topic here.

Mark

 

 

 

Reply | Quote

Printers are evil in general.

Susan Bradley Patch Lady/Prudent patcher

2 users thanked author for this post.

WSbobby-p, cyberSAR

Reply | Quote

Printers are evil in general.

Spoken like a true IT tech 🙂

Reply | Quote

So, it looks like even the English language versions of Microsoft Exchange Server 2019 Cumulative Update 13 SU2, 2019 Cumulative Update 12 SU9, and 2016 Cumulative Update 23 SU9 have all been pulled from the Download Center.

 

 

1 user thanked author for this post.

IT Manager Geek

Reply | Quote

Yes.  They’ve really blown this release.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

And stay away from ASRock products.  Their support is awful.

My mobo from them was bought in 2015 but I think was new in 2014 (Z97 Extreme 6).  It’s still going strong.  However, they stopped updating the BIOS in 2018 except for issuing a small update in 2021 for some apparently serious zero day.  Their tuning app A-Tuning crashes all the time.  The version for my mobo hasn’t been updated in years and emails referencing the problems to their support function go unresponded to.

Reply | Quote

Blog post updates:

• 8/15: Added a link to the process of installing updates on management tools machine when there are no Exchange servers running
• 8/15: Temporarily removed all download links

 

https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2023-exchange-server-security-updates/ba-p/3892811

What a disaster!

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Any idea if Intel has or will release a patch for the downfall vulnerability in this month’s updates. Also, how in danger is someone who doesn’t let anyone else use their computer nor uses app store apps?

Reply | Quote

I honestly don’t see this is a huge threat.  To actually pop this would take a lot of effort.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

Cybertooth

Reply | Quote

Thank you Susan. Keep up the excellent work, Woody would be proud of all the work you do helping us.

Reply | Quote

Is this a known and confirmed thing: Patches (major in my case) that vanish on you if you keep deferring them 2, 3, 4 times in succession ?  I’m running Win 10 Pro x64, 22H2.  The last major features update for 22H2 itself here was — according to Update History — last November.  When I’ve taken these deferments, the ones for Net Framework and Win Defender Security Updates always seem to return for another chance.  But ones that I thought I noticed being offered for 22H2 itself, not so much.  Or maybe not offered again for quite some time ?  It’s almost as though if you wanted to accept it, you had to do so on that first go-’round.  How good is their system at keeping an up-to-date track of what you may be missing ?  Also at knowing which updates needed to be taken in what order ?  Finally, if I did in fact miss a major 22H2 update, is there a KB download where I can acquire it, separately / manually ?

Reply | Quote

Windows 10 Security updates (Patch Tuesday patches) are Cumulative Updates (CUs). That means, the current one supersedes/contains the previous ones. For example, if you hide/defer the July update until after the August update is released, you will no longer be offered the July update because it’s fixes are contained in the August update.

The components of the Feature updates (ex: 21H2 -> 22H2) are already contained in the CUs. They are implemented by an “Experience Pack” which just “turns them on.” So doing a Feature Update is a minimal thing.

The .NET Security updates (Patch Tuesday) are also cumulative.

Microsoft releases Optional non-Security Previews later in the month for both Windows and .NET. They are mostly for businesses to test fixes. They are rolled into the Security updates (CUs) on Patch Tuesday and we do not recommend installing them unless you have a specific need for the fixes they contain.

1 user thanked author for this post.

TechTango

Reply | Quote