• New beta version of Win10 — build 17063 — now available

    Want to read about it?

    Start with the ponderous tome nominally published by Dona Sarkar.

    My big takeaway — they finally killed HomeGroups.

  • Microsoft releases KB 4057291 to fix a buggy Radeon video driver that it automatically installed last month

    If you are running Windows 10 and have Automatic Update turned on, and you have an older Radeon video card, you probably got hit. The new patch reverses the ills caused by the driver “Advanced Micro Devices, Inc. – Display – 7/25/2017 12:00:00 AM – 22.19.128.0,” which was automatically installed in late November.

    Computerworld Woody on Windows

  • Project Zero: Watch out for Web Proxy Auto-Discovery

    What is WPAD? Easy question, long answer. Google’s Project Zero just posted a scary evaluation:

    (With WPAD) every Windows machine will ask the local network: “Hey, where can I find a Javascript file to execute?”… WPAD allows the computer to query the local network to determine the server from which to load the PAC file… The browser connects to a pre-configured server, downloads the PAC file, and executes a particular Javascript function to determine proper proxy configuration.

    And… you guessed it… the PAC file can contain all sorts of compromising programs.

    Windows is certainly not the only piece of software that implements WPAD. Other operating systems and applications do as well. For example Google Chrome also has a WPAD implementation, but in Chrome’s case, evaluating the JavaScript code from the PAC file happens inside a sandbox. And other operating systems that support WPAD don’t enable it by default. This is why Windows is currently the most interesting target for this sort of attack.

    The Project Zero people proceed to discuss many different nightmare scenarios. Oh boy.

  • Win10 Fall Creators Update cumulative update KB 4054517 refusing to install

    UPDATES: See my Computerworld Woody on Windows article.

    I saw the first heads up here on AskWoody, from @jwhiz56. He says:

    This KB installed on my MS Surface Pro 3, my HP HPDV8T laptop but refuses to install on my 2017 Surface Pro (purchased just before Thanksgiving). I’ve reset it multiple ways (the OS) and the update either sits at 99% downloaded, or it fails on installation. My C:\windows\logs\CBS directory eats up ALL of my disk free space. I’ve tried all hints/suggestions on the Microsoft forums related to this KB. When I downloaded the standalone version for my computer x86/windows 10, it says it’s not applicable to my computer.

    Now I’m seeing similar complaints all over the web. There’s this massive complaint thread on the Microsoft Answers forum, for example. Microsoft’s only suggestion (forgive me if you’ve heard this one) is a clean install. And even that doesn’t seem to work all of the time.

    Following @Bob99’s suggestion, I Googled “KB 4054517 problems” and found several possible solutions.

    The Sihmar site says that there are similar problems with KB 4053580 (this month’s cumulative update for Win10 Creators Update, version 1703). Pramod Singh breaks it down to three known symptoms:

    Currently, there are three different kinds of update problems users are facing. First, while downloading the update (fail to download or update stuck). Second, update installation issues and finally, blue screen (BSOD) error after reboot.

    He gives a series of possible fixes.

    Has anybody encountered the problem? Have you tried Singh’s solutions?

  • Win10 FCU version 1709 out of band update KB 4058043

    Patch Tuesday was, well, Tuesday.

    On Friday, Microsoft released a “bonus” patch for Win10 version 1709, the Fall Creators Update. It is NOT a cumulative update.

    Microsoft Store reliability improvements for Windows 10 Version 1709: December 15, 2017

    Microsoft says:

    This update makes reliability improvements to Microsoft Store and fixes an issue that could cause app update failures and cause Microsoft Store to generate unnecessary network requests.

    I don’t see it in the Microsoft Catalog. It isn’t in the Windows Update list.  As best I can tell, you can only get it through Windows Update.

    Thx Günter Born.

  • JR Raphael’s 20 Android tips and tricks you shouldn’t miss from 2017

    My main phone is a Pixel XL (the original version, sniff), and I found this list of more than a hundred tips most useful.

    JR Raphael, Android Intelligence, Computerworld.

  • AIM ( = AOL Instant Messenger) shuts down today

    Remember when all of the messaging programs were trying sooooo hard to be AIM compatible?

    As AOL announced last October, today is the final day for AIM.

    Catalin Cimpanu at Bleepingcomputer has the details.

    Data associated with AIM, such as files and past conversation logs, will also be deleted. AOL has advised users to save any files before the cut-off date.

  • Remember the HP Synaptics keylogger that was pulled last week? HP says it wasn’t a keylogger

    You can make up your own mind, of course, but last week I posted a reference to Catalin Cimpanu’s report of a massive replacement of HP Synaptics drivers.

    HP now says:

    Synaptics is aware of articles that were published where it was purported that there was a “keylogger” in our touchpad drivers. This is inaccurate. Our debug tool was mischaracterized in the articles as “keylogger”…

    Using a standardized risk scoring system, the Common Vulnerability Scoring System (CVSS), this debug tool scores approximately 2 out of 10, and is classified as a low risk. In today’s heightened sensitivity to security and privacy, Synaptics will take the precautionary steps of defeaturing the debug tool for production drivers to further prevent the tool from being used in an unintended and malicious way.

    I’m of the opinion (in my usual snarky way) that anything that walks like a duck and quacks like a duck certainly has ducklike qualities.

  • Windows 7 Monthly Rollups are getting bigger – here’s why

    Some interesting observations about express installation files in Win7 from Gregg Keizer at Computerworld.

    Anybody care to comment on this?

    only some Windows 7 machines are eligible for the smaller security-only updates: Those serviced by WSUS (Windows Server Update Services), or tools, whether third-party or Microsoft’s own System Center Configuration Manager (SCCM), that rely on WSUS for content. All other Windows 7 devices, including ones run by consumers and small companies, that connect via Windows Update or Windows Update for Business, are handed rollups. They do not get a choice.

    One big contributor to Win7 Monthly Rollup size: the rollups are now reaching back, before the patchocalypse in October 2016. Anybody have a handle on how much the old patches are contributing to the Monthly Rollup size — or how far along Microsoft is in folding them all into the Rollup?

  • Brinkmann: Disqus commenting platform sold to big data and analytics firm Zeta Global

    Big news for folks who post comments using Disqus. Says Brinkmann on ghacks:

    Big data and analytics company Zeta Global announced that it has acquired the commenting platform Disqus. The company suffered two major security breaches, one in 2013 and another in October 2017. A snapshot of a database containing 17.5 million user email addresses, login dates and sign-up dates was copied according to Disqus in the latest breach.

    Wow. 4 million web sites. 2 billion monthly unique users. And now it’s part of a data harvesting company.

    Our little home-grown and hand-operated commenting system here on AskWoody may not have all the bells and whistles, but I’d put it up against Disqus any day.

  • December Patch Tuesday is out

    Full coverage in Computerworld Woody on Windows.

    As usual, Martin Brinkmann has an excellent detailed list on ghacks.net:

    • Windows 7: 2 vulnerabilities, all rated important (which means that they aren’t, really)
    • Windows 8.1: 2 vulnerabilities, all rated important
    • Windows 10 version 1607: 3 vulnerabilities, all rated important
    • Windows 10 version 1703: 3 vulnerabilities, all rated important
    • Windows 10 version 1709: 3 vulnerabilities, all rated important

    Yes, that means there are no “critical” updates for Windows.

    IE and Edge aren’t so lucky — 9 and 12 critical updates, respectively – but then again, you don’t use IE or Edge, do you?

    Office patches are listed in KB article 4055454. One for Office 2007, three for Office 2010, and the usual bunch for Office 2013 and 2016. Looks like they have changed the format on that page.

    Reminder: We’re at MS-DEFCON 2. Wait for the cannon fodder to fod. Or do they fud? At any rate, there’s absolutely NO REASON to install any of the updates right now.

    I’ll keep you posted, of course.

    UPDATES:

    PKCano reports that the MSRT is checked on a Win7 machine today. I can confirm on my “Group A” VM.

    Big update: All of the Office security patches apparently disable DDE. https://www.askwoody.com/forums/topic/december-patch-tuesday-is-out/#post-151624

  • Hanukkah Sameach!

    Want to know more about Hanukkah? See chabad.org.