Surface firmware/driver updates galore

I see new firmware/driver updates for:

Surface Pro 6

Surface Pro without a version number (which is to say, 5)

Surface Laptop (version 1)

Surface Laptop 2

Surface Book

Surface Book 2

There doesn’t appear to be any specific theme, just a big bunch of fixes.

Do you know a MailChimp/Woocommerce expert?

We’re starting the next round of expansion here at AskWoody by beefing up the Plus Newsletter subscription plumbing, and launching a new product. At the same time, we’re fixing a lot of loose ends here on the site. Swallowing a whale has its consequences.

If you know someone with MailChimp experience (we use MailChimp for the Plus Newsletter) and particularly the interface between WordPress’s Woocommerce package (which we use for subscriptions) and MailChimp, I’d sure like to talk to them. Have them email me (Woody@AskWoody.com) with a pointer to their best MailChimp/Woocommerce work.

Juggling three databases (WordPress/bbPress, Woocommerce and MailChimp) is a, uh, daunting experience.

Patch Lady – VBscript gets disabled

Stumbled across this tonight and I’m not sure if it’s been discussed.

https://blogs.windows.com/msedgedev/2019/08/02/update-disabling-vbscript-internet-explorer-windows-7-8/#bSQSyBD0gVXsef89.97

The change to disable VBScript will take effect in the upcoming cumulative updates for Windows 7, 8, and 8.1 on August 13^th, 2019. VBScript will be disabled by default for Internet Explorer 11 and WebOCs for Internet and Untrusted zones on all platforms running Internet Explorer 11. This change is effective for Internet Explorer 11 on Windows 10 as of the July 9^th, 2019 cumulative updates.

For older platforms the next IE update coming out in August will disable VBscript.

The settings to enable or disable for VBScript execution in Internet Explorer 11 will remain configurable per site security zone, via Registry, or via Group Policy, should you still need to utilize this legacy scripting language.

MS-DEFCON 4: Time to get the July 2019 patches installed

There’s some important new information for those of you installing Security-only patches for Win7 and Server 2008R2, and there’s an unconfirmed report of conflicts with McAfee Endpoint Protection (again), but for the most part “normal” users should be OK to install this month’s patches.

Details and step-by-step instructions in Computerworld. Woody on Windows.

UPDATE:

Anybody who sees KB 4023057 should follow the discussion and advice here:

https://www.askwoody.com/2019/microsoft-re-re-re-releases-kb-4023057-the-update-to-win10-1507-1511-1607-1703-1709-and-1803-for-update-reliability/

It’s now being pushed to 1809 as well.

In short, you probably don’t want it.

Google Project Zero: 90-day disclosure is working, with 97.5% of reported vulns being fixed within 90 days

The details are a little more complicated, but not much. Google’s Project Zero has turned up 1,434 security vulnerabilities in the past four and a half years:

Of these, 1224 were fixed within 90 days, and a further 174 issues were fixed within the 14-day grace period [granted when it looks like the manufacturer is going to release a patch shortly]. That leaves 36 vulnerabilities that were disclosed without a patch being available to users, or in other words 97.5% of our issues are fixed under deadline.

Realize that Google has a vested interest in saying that their disclosure policy is good for all of us — debatable, but I strongly agree — and they come to the conclusion:

If most bugs are fixed in a reasonable timeframe (i.e. less than 90 days), then we are only enforcing the deadline on a very small number of unfixed cases. And if disclosing a handful of unfixed vulnerabilities doesn’t substantially help attackers in the short-term, but does lead to the demonstrated long term benefits of shortened patch timelines and more frequent patching cycles, then it would follow that a deadline based disclosure policy is good for user security overall.

Interesting report. Thank to Catalin Cimpanu, who has additional observations on ZDNet.

Patch Lady – for those keeping track

My infamous Acer 32 gig max hard drive got 1903 offered up to it.  I did not attach an external USB hard drive, rather I left the internal drive and the SSD drive in it.  It gave me the “I don’t have enough room” and after I cleaned up the C drive a bit it saw both the C drive and the SSD drive and was supposedly going to use that for it’s needs to install the operating system.

So I let it go for it… and….. and…. and…

Once again once it kicked a reboot it gave the message that it couldn’t find the mounted drive and would not finish the upgrade to 1903.

Dear Microsoft:  You should have never let OEMs sell this configuration.  You should never let OEMs sell a computer that can’t get feature updates without extreme actions on the part of the user.

Win10 usage share surges

Win7’s taking it on the chin.

Source: Netmarketshare

It only took ’em four years. </snark off>

The BlueKeep situation gets murkier

There have been rumors for the past two weeks that there’s a working BlueKeep exploit on the darkweb. We’ve been fielding (and blocking) many posts on AskWoody claiming that the BlueKeep exploit is real and living in the ooze.

Catalin Cimpanu (who, along with Kevin Beaumont, are my guiding lights on the topic) just posted a response to an inquiry from Kirsty:

https://twitter.com/campuscodi/status/1156883469131288579

This is coming to a head because @zerosum0x0 now claims to have cracked the problem and handed all of his info over to Metasploit. If that’s true, and Metasploit publishes it (by no means a done deal, on either count), it could mean that we’re closer to a real, live BlueKeep worm.