ISSUE 16.34.0 • 2019-09-23
The AskWoody Plus Newsletter
In this issue

WOODY’S WINDOWS WATCH: Has MS cleaned up its Win10-update mess? (Spoiler: No!)
BEST OF THE LOUNGE: Bitten by the Defender bug?
LANGALIST: How to stop two Windows Defender annoyances
PRODUCTIVITY: How to fill out a PDF form with Adobe Acrobat Reader
DROLL TALES LABS: Ian’s email account — Part 1
SECURITY: Changing my mind about Facebook

WOODY’S WINDOWS WATCH
Has MS cleaned up its Win10-update mess? (Spoiler: No!)
By Woody Leonhard

Give Microsoft some credit: it keeps trying to improve patch quality. But in spite of two significant improvements to the patching infrastructure, it looks to me as though the process is getting worse, not better.

Last week, ZDNet’s Ed Bott wrote a provocative article titled “Windows 10: Has Microsoft cleaned up its update mess? (Spoiler: Maybe).” If you haven’t read it, I suggest you do so. Ed’s theme: “After its botched release of the Version 1809 update for Windows 10 last year, Microsoft instituted a sweeping series of changes to Windows Update. Don’t be fooled by the headlines: A close look at recent issues with Version 1903 suggests those changes are paying off.”

Ed then turns to the well-publicized and acknowledged bugs in Win10 1903 that appeared in the past few weeks:
To me, that laundry list of patch failures doesn’t justify the conclusion that Win10 updating is getting better. To the contrary, actually. Before I get deep into the weeds, let me state categorically that Microsoft has rolled out two significant improvements to the updating process in the past few months.
Those enhancements mark sea changes in the way Microsoft’s been handling patches since Win10 hit the ground four years ago. That said, several severe problems remain:
Most important, the attempt to improve the quality of Win10 1903 cumulative updates hasn’t gone well. These patches have their own Windows Insider ring, so they should, in theory, be thoroughly tested before they’re released. But in some cases, though Microsoft has delayed issuing the second monthly cumulative (“optional”) update until the end of the month, the patch still has bugs galore. If you’re curious about patching history, Computerworld keeps an ongoing series of articles on patch problems, updated monthly and going back more than two years. So no … I don’t see any real improvement in Windows patch quality. Am I missing something? What’s our best solution for patching problems? That’s easy. Wait! Delay upgrading to the next release of Win10 for six, eight, or even ten months. Those initial days of unpaid beta testing will make all the difference. You’ll have a much more stable Windows 10. Right now, my production machines run Win10 version 1809. (If you need help holding off Microsoft’s Version 1903 advances, see my Computerworld article.) Microsoft will support Win10 1809 until May 2020 — by that time I hope Version 1903 (or even 1909) is fully stable. We’ll see. It’s been a long and hard battle, but we’re close to a usable solution for Win10 updating. It’s unlikely that patching Win10 will ever be as straightforward as Win7 or Win8.1, but we’re moving in the right direction.
Eponymous factotum Woody Leonhard writes lots of books about Windows and Office, creates the Woody on Windows columns for Computerworld, and raises copious red flags in sporadic AskWoody Plus Alerts.

Best of the Lounge
Bitten by the Defender bug?
After a recent anti-malware definition update, AskWoody Plus member DrBonzo reported that his MS Security Essentials stopped scanning after just 29 files. Other members ran into similar problems. We now know the reason — one bug fix launches another bug.

Troubleshooting
Lounger IreneLinda’s HP All-in-One wireless printer stopped scanning — but the printing function still works. How can she regain full use of her device?

Windows 1903
MVP joep517’s post includes a link to Ed Bott’s review of the latest Windows-update bugs. Bott’s article paints a relatively positive view of recent updating issues. Can you get past your frustrations with Microsoft and agree?

Windows 8.1
After discovering that a recent update added new system telemetry, Lounger krism took steps to disable it. But can all telemetry be blocked? Fellow Loungers chime in.

Windows history
When Susan Bradley took in a movie — at a theater — she was surprised to see an ancient Windows error message boldly displayed on the screen. Can a business still be running Windows 95?

Security
AskWoody Lounger mixer questions the validity of backing up to a hard drive. Can an unplugged backup drive still hide ransomware?

Windows 7
Member pinwheel.galaxy acquired a used but super-clean notebook with Windows 8.1 installed. His dilemma: Is the OS difficult to update, and is it a suitable step up from the soon-to-expire Win7?

If you’re not already a Lounge member, use the quick registration form to sign up for free.

LANGALIST
How to stop two Windows Defender annoyances
By Fred Langa

Win10’s built-in Windows Defender has matured into a top-ranked anti-malware tool. But several of its default behaviors can be downright irritating. Here’s how to tweak Windows Defender with a few buried settings and a Task Scheduler change.

Plus: Does Adobe Flash Player really need as many updates as it claims?

A pair of improvements for Windows Defender
Windows 10’s free, built-in Windows Defender is part of the Win10 Virus & threat protection suite (Microsoft support info). That, in turn, is part of Win10’s truly comprehensive Windows Security suite (MS info), comprising a whole array of useful and effective security tools.

As a whole, Win10’s security suite is excellent, and Defender has evolved into a top-ranked antivirus tool, based on independent testing (AV-test.org info). It’s fully on a par with third-party offerings.

Still, Defender has a few flaws. Two of the most annoying are erratic scans and too many notifications.

Note — A new (and temporary) Defender flaw: As this article was being finished, Microsoft released a Windows Defender update that caused scan failures on some PCs — reportedly Win7 systems for the most part but also on Win8.1 and Win10. The problematic update is Defender Version 4.18.1908.7. (None of my three physical Windows 10 PCs, nor any of five Win10 VPCs, exhibits the bug.) To see whether your Windows Defender is working properly, run the “Quick scan” option under Virus & threat protection/Current threats (MS info). If the scan completes normally, you’re good to go. On the other hand, if the scan stops after processing only a few dozen files, you have the bug. It’s likely Microsoft will have a fix shortly — possibly by the time you read this. Check askwoody.com for updated info. Whether you have the bug or don’t, you can still make the adjustments below — they’re unaffected. – Fred

How to fix Windows Defender’s erratic scanning. By default, Windows Defender is always on, working in the background, checking each file as it’s accessed. But during idle times, Defender is also supposed to perform separate verification scans of at least some files.
If your PC is busy, those verification scans will be delayed — and if delayed long enough to worry Windows, the OS will nag you via a little yellow exclamation mark placed on the Windows Security shield icon (see Figure 1), located down in the notification area. That little warning icon won’t go away until you manually trigger a scan or until there’s enough idle time for a scan to run on its own.
Windows’ built-in Task Scheduler can help ensure that no future scans are missed. Making a relatively simple change will both enhance your PC’s security and prevent that annoying “missed-scan” warning flag from appearing! Here’s how to make the adjustment:
Need further help or refinements? See the Microsoft support page “Schedule a scan in Windows Defender Antivirus.”

How to reduce the number of Windows Defender notifications:
With Windows Defender reliably performing a daily scan, and with its excessive notifications reined in, you’ll have a well-protected PC without needless annoyance!

Everyone’s tired of Adobe Flash updates!
Neil Kuchinsky’s note was plaintive:
Yes … you really should. First, Adobe Flash (Wikipedia article) is generally like any other software: if it’s installed on your PC, it needs to be kept up to date in order to plug security holes and correct incompatibilities with evolving standards. But Adobe Flash deserves more than casual care because it (and its various components and installers) has for years been a target and vector for an astonishing amount of malware and other security issues. For example, a current Google Search for adobe flash malware yields over 8 million hits! Not to put too fine a point on it, Flash has been a security pox on the computing community for over two decades. Second, Adobe Flash is based on 23-year-old technology, and it’s now mostly obsolete. Adobe and every major browser vendor will stop supporting Flash in a little over a year (at the end of 2020; Adobe info). The end of Flash is truly and finally nigh. Few major websites still require Flash; HTML5 is now, and has been for years, the preferred method for delivering native Web-based multimedia and graphics. Unless you regularly play very old games, visit websites that are well out of date, or otherwise make use of sites and software that are built on very old tech, you might not need Flash on your PC at all. You can find out by disabling or uninstalling Flash, then using your PC normally. Odds are you won’t notice anything different — except that your PC setup will be a little simpler and more secure! Uninstalling Flash should be easy but sometimes isn’t — there is a host of variables such as whether Flash is baked in or added on to your browser or OS. (See? Flash maintenance really is a mess!) Adobe’s “Uninstall Flash Player” support pages provide some help for pre-Win8.1 systems — or check out the related How-To Geek article and other sources on the Web. If some essential app or site breaks with Flash disabled or removed, you can temporarily restore it. But you’ll also want to look for a better alternative. 
Ready or not, Flash Player reaches end of life in a little over a year. Do it now or do it later — either way, Flash has got to go. Good riddance!
Fred Langa has been writing about tech — and, specifically, about personal computing — for as long as there have been PCs. And he is one of the founding members of the original Windows Secrets newsletter. Check out Langa.com for all Fred’s current projects.

PRODUCTIVITY
How to fill out a PDF form with Adobe Acrobat Reader
Entering information into PDF-based forms can be an exercise in frustration — especially if it’s something you don’t do often. Let’s say, for example, that you have a PDF tax form that needs to be filled out. You could use Adobe Acrobat to complete the task (and also do lots of other tricks with PDF files), but that’s a pricey proposition — around U.S. $180 per year — especially if you rarely need to edit or annotate PDFs.

Fortunately, the still-free Acrobat Reader lets you add text and symbols, highlight specific areas, write sticky notes, and insert your signature into typical PDF documents.

For the most part, PDF forms come in two formats. Some are set up with interactive fields, making adding text and inserting your signature a relatively simple process of clicking a box and making changes. But other PDF-based forms are plain, non-interactive pages. Even with those simpler forms, Adobe Acrobat Reader DC’s tools make adding the required information relatively easy.

If you’ve had an old version of Reader installed for a while, head over to Adobe’s website and download/install the latest version. Note: Before hitting the “Install now” download button, be sure to uncheck all optional software offers (typically Google Chrome and McAfee anti-malware).

Acrobat Reader tools for filling out PDF forms
Start by opening the PDF you need to fill out. Let’s say you need to add basic information such as your name, your address, and/or a date. In the Reader toolbar (top of the window), click the Pen icon, which is labeled “Sign document by typing or drawing a signature” when you hover your cursor over it. (If you don’t see it, click the Tools tab.) The Fill & Sign toolbar will appear, and the cursor turns into an insertion point with an “Ab” label. Click in the field where you want to enter your text and type away (see Figure 1).
You can increase or decrease the size of the text by clicking the smaller or larger “A” in the blue bar above your text. You can also move the text by dragging the surrounding box; simply move the cursor to the side of the box until the four-way arrow icon appears. Made a mistake? Either place the cursor within the text and make changes or delete the entire text box by clicking the trash-can icon. When you’re finished entering text, click anywhere outside the box. Forms are often full of checkboxes. Let’s assume you need to insert a checkmark, “X,” or other symbol. The Fill & Sign toolbar includes icons for symbols that you can place where needed. For example, to add a checkmark, select its toolbar icon (see Figure 2) and the cursor changes to a checkmark. Place it where it’s needed and click your mouse. The blue box will appear, giving you the option of making the mark larger or smaller — or trashing it. Click the three-dot icon in the blue box, and you can switch to another symbol, such as an X, a box, a bullet point, or a dash. Again, when you’re done, click anywhere outside the box.
Note the small blue dot in the lower-right corner of the entry box. Grab it with your cursor, and you can enlarge or reduce the chosen symbol (or text). You can also reshape the “box” option (shown in the toolbar as an oval).

Perhaps you want to draw attention to specific text or other areas in the PDF by using highlights. Close Fill & Sign to return to the main window. At the top toolbar, click the highlighter icon (Highlight text). Next, glide your cursor (or finger on touchscreens and tablets) over the text you want to feature. By default, the highlighting color is yellow, but you can change that by right-clicking the marked area and selecting Properties from the popup menu. Click OK to close the Properties window.

Next, you can add a note that points to your highlighted text. Right-click the highlighted area, again, and select Open Pop-up Note — when the blank note appears, simply enter your text (see Figure 3). Right-clicking on the text opens another menu for managing, spell-checking, and formatting the note’s content. When you’re done, click the Post button. You can resize your note and move it around the screen to a position that works best for your task.
You can add other miscellaneous notes to the document via the toolbar’s sticky-note icon (Add sticky note). Place your cursor where you want the note, click your mouse, add text, and click Post to finish. Again, you can spell-check and format the text, plus resize and reposition the note. Click outside the note area and the entry box disappears, leaving behind a small “sticky” icon. To quickly read the note’s text, simply hover your cursor over the icon — or click the icon and have the full text box reappear (see Figure 4).
Now that you’ve filled in and marked up your form/document, it’s time to sign it. Click the pen icon on the main toolbar to open the Fill & Sign screen. Next, click this window’s Sign icon and select either Add Signature or Add Initials. An entry box will open and give you three ways to add a signature: type it (Reader uses a cursive text to simulate script), use your finger or a stylus to “draw” your signature on a touch screen or tablet, or insert it from an image file (which requires scanning your physical signature and saving it as a JPG, PNG, or other graphic format). When you’re done, click the Apply button (see Figure 5).
Your “signature” now appears on the screen in place of your standard cursor. Move it to the right spot with your mouse and click (see Figure 6). Select Close to return to the main Reader screen.
You can save your work under the original filename, but it’s usually better to save it with a new name, so you have a copy of the original, unrevised version.
Lance Whitney is a freelance technology reporter and former IT professional. He’s written for CNET, TechRepublic, PC Magazine, and other publications. He’s authored a book on Windows and another about LinkedIn.

DROLL TALES LABS: Ian’s email account — Part 1
By Aaron Uglum

SECURITY
Changing my mind about Facebook
By Amy Babinchak

Undoubtedly, you’ve seen the invitation to sign in to a website with your Facebook account. And you ask yourself: “How can that be safe?” Using one account sign-in for everything goes against a basic tenet of password security. And you’re trusting Facebook to keep your credentials secure — and not share them. (Sharing is core to Facebook.) And yet you watch as all your friends get hacked and cloned while using conventional sign-ins.

At a time when virtually every site we visit asks us to create an account, using your Facebook username and password seems like a practical solution to the daunting alternative of remembering passwords. Sure, we’re supposed to use a unique and complex password for each account we create, but how often do we actually do that? For most people, it’s rarely.

Nearly everyone has that throwaway password that they casually use in a bunch of places, sites they believe are of no great importance and they may never visit again. They’re wrong, of course — that password will be the one that comes back to bite them.

Equally risky are the passwords needed on a regular basis. For most users, those passwords must be easy to remember and quick to enter — which, as we know, makes them easy to hack. So we then add two-factor authentication. That means taking an additional step: responding to a text message or security app whenever we sign in.

And we need somewhere to store all our passwords and usernames, don’t we? So we put them in an Excel file or a password-manager app that itself requires a password to access.

In short, it’s become really tough to manage our credentials on our myriad online accounts. And that’s why using Facebook as our “master sign-in” is so attractive. But is it safe? I used to say no … but I’ve recently changed my mind.

The ultimate goal: Making passwords obsolete
There’s a growing movement whose objective is nothing less than the elimination of passwords for authentication. Is it possible? No, not entirely with current technology. But that’s no reason not to try. This movement is, I think, akin to the paperless office — we’re making great strides, but we’re still striving. It’s a long road … we’ll get there eventually.

Toward this noble end, I’ve begun to use Face ID in my iPhone. Once I’ve entered my username and password for an app, all subsequent sign-ins use my face. It’s extremely practical and effective: I don’t need to remember my face, I don’t have to type it in, and it’s always with me.

But, again, is it safe? At this time, let’s just say it’s not unsafe. I’m not a security expert, but I know enough to know that every security measure will eventually be cracked. For now, I’m comfortable with the knowledge that my phone remembers usernames and passwords for me, and the key to my secure apps and online kingdom is simply facial recognition. I can only assume it will be a while before my face gets hacked.

Phone-based facial recognition isn’t a true single-sign-in solution, but it moves us a step in that direction. While Face ID might be a great solution on my phone, it doesn’t easily extend to my computer. Sure, Windows 10 also lets me sign in with facial recognition — but it still requires a special camera.

I’ve improved my PC’s security with the addition of a special USB key. I now have a type of highly secure, three-step, two-factor sign-in: I insert the key, type in a short PIN, and then touch the key. That third step adds a very long string to my sign-in PIN.

The USB key is tied to just my system — I can’t use it to sign in to someone else’s device. But I can use it to enter my credentials for sites such as Facebook — and this is the reason I changed my mind about using the near-universal Facebook sign-in option for other various websites.

The case for Facebook sign-ins
Now, you might argue that Facebook accounts get hacked all the time — and they do. But that’s primarily because most people don’t use a long password, two-factor authentication, security keys, or even allow Facebook to send alerts about their account. Over time, Facebook has added a lot of security settings to protect your credentials — and I use all of them. For example, Facebook lets me know when my account has been accessed from a new location or device (see Figure 1).
Facebook also offers two-factor authentication. It can, for example, use codes provided by Microsoft’s phone-based Authenticator app.
And the site even uses my USB security key. FIDO U2F security keys are inexpensive and work with a variety of browsers, cloud storage, and operating systems (more info).
Taken together, Facebook security options make the site one of the most hardened accounts I have. It’s going to allow access only if the sign-in is from a computer I usually use and from a known location. If accessing my account falls out of that realm, Facebook is going to send me an email notification and ask for two-factor authentication. That’s about as secure as we can make things on the Internet these days.

But what if Facebook is compromised? In 2018, there was a well-publicized hack of Facebook that may have exposed user credentials. But that was a problem only if a password was your only form of authentication. If you’re combining two-factor, location-factor, and security-key authentication, then the underlying password is much less significant.

What about using a Facebook account to sign in to other websites and applications? The technology that applications use to authenticate themselves relies on a third-party service called OAuth2.0. This lets the site/application communicate with the source (i.e., Facebook) for credentials. So the site or app isn’t storing your Facebook credentials. OAuth2.0 (more info) is the de facto standard applications use to authenticate across many companies, not just Facebook. It’s the same for Microsoft, Google, and others.

Some websites use an alternative authentication service called Security Assertion Markup Language (or Liberty Identity Federation Framework). In that case, the website doesn’t use its own account authentication process: it uses Facebook’s.

The bottom line: With either OAuth2.0 or SAML, your other accounts are protected just like your Facebook account. Most websites and apps don’t match Facebook’s level of security, so using a Facebook sign-in extends enhanced protection well beyond Facebook. There are many valid reasons to dislike Facebook — privacy, for example — but sign-in security isn’t one of them. I’m now signing in with Facebook wherever I can get the chance.
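The OAuth2.0 redirect exchange described above, sketched from the relying website's side as an added example (not code from this article or from Facebook): the site sends the browser to the identity provider with a one-time `state` value and a PKCE challenge, then checks the callback before redeeming the code, and never handles the user's password. The endpoint, client ID, redirect URI and scope are constructed placeholders, and the use of PKCE is an assumption about the deployment.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders: not Facebook's real endpoint or a real client ID.
AUTHORIZE_ENDPOINT = "https://idp.example/oauth2/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://shop.example/callback"


def pkce_challenge(verifier: str) -> str:
    """RFC 7636 S256: base64url(SHA-256(verifier)) with '=' padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def begin_login(session: dict) -> str:
    """Store per-session secrets and return the URL to redirect the browser to."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    session["pkce_verifier"] = secrets.token_urlsafe(64)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "email",  # assumed scope name
        "state": session["oauth_state"],
        "code_challenge": pkce_challenge(session["pkce_verifier"]),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback(session: dict, callback_url: str) -> dict:
    """Validate the provider's redirect, then build the token-request body."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("provider returned error: " + query["error"][0])
    # Both secrets are single use: remove them whether or not the check passes.
    expected = session.pop("oauth_state", None)
    verifier = session.pop("pkce_verifier", None)
    returned = query.get("state", [""])[0]
    if expected is None or not hmac.compare_digest(
        expected.encode(), returned.encode()
    ):
        raise ValueError("state mismatch: callback was not started by this session")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    # The site redeems this short-lived code for a token; no password is involved.
    return {
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }


if __name__ == "__main__":
    session = {}  # stands in for server-side session storage
    print(begin_login(session))
    # Constructed callback, shaped like the provider's redirect to the site.
    cb = REDIRECT_URI + "?code=SAMPLE_CODE&state=" + session["oauth_state"]
    print(handle_callback(session, cb))
```

A callback that arrives with a missing, reused or mismatched `state` is rejected, which is what stops another site from completing a sign-in the user never started.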
As a final note, Google and Microsoft offer security options on a par with Facebook’s. So if you secure those accounts thoroughly, go ahead and take advantage of their extended sign-in offers. You’ll have a far better handle on your security than most users do.
Amy Babinchak is the owner of three IT-related businesses: Harbor Computer Services, Third Tier, and Sell My MSP. She has been working in the IT field with small and medium businesses for more than 20 years. She’s also a Microsoft MVP and has received numerous leadership awards.

Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.

Copyright © 2019 AskWoody LLC, All rights reserved.