-
Outlook 2007 and 2010 security patches scramble languages, break printing on custom forms
Both Outlook 2007 and 2010 security patches for September have been implicated in switching languages — Swedish menus in the Hungarian version, for example. Outlook 2010’s patch has the additional distinction of breaking the print function on custom forms.
Computerworld Woody on Windows
-
Comments are back, but the Lounge is still down
The AskWoody devs got the commenting system back up and working. For those of you who were around early this year, the site’s now working the same way it did before the AskWoody Lounge appeared in February.
In technical terms, we’re back to stock WordPress, but haven’t yet been able to get bbPress working.
There’s a clone of the Lounge running on a test server, but every attempt to migrate over to the “real” server has met with more redlining. I still have no idea why.
For now, hey, it’s the best we got. For the future, I hope to get back to full use of the Lounge by the weekend. We’ll see.
-
Microsoft’s BlueBorne fix for CVE-2017-8628 arrived in both July and September
I read the news about the BlueBorne Bluetooth attack vector with a sigh of relief. Microsoft fixed the security hole back in July, yes?
Well, maybe no.
Dan Goodin at Ars Technica says:
Microsoft patched the vulnerabilities in July during the company’s regularly scheduled Patch Tuesday. Company officials, however, didn’t disclose the patch or the underlying vulnerabilities at the time.
Now I’m hearing from @MrBrian and other sources that may not be the case. Says @MrBrian:
The fixes for “CVE-2017-8628 | Microsoft Bluetooth Driver Spoofing Vulnerability” for some operating systems were apparently first delivered in July 2017, and for other operating systems in September 2017. Evidence: Look at when file bthpan.sys (https://support.microsoft.com/en-us/help/4034786/bluetooth-driver-spoofing-vulnerability) that was updated by Microsoft July 2017 or later was first made available for a given operating system.
Sure enough, if you go to that page and click the link “For all supported x-64 based systems,” you see that bthpan.sys was updated on July 14. But Microsoft’s official CVE-2017-8628 page lists dozens of patches, all of which were released on September 12.
Can anybody shed some light? If you click on the heading in this post and put something in the Comments box, it’ll appear! We just don’t have the Lounge (and bbPress) back.
Still no definitive word on when the Lounge will be back up. Argh.
-
A warning about this month’s security patches
If you can’t avoid Word’s “Enable Editing” button, you’re better off installing this month’s .NET patches right now. If you’re running Win10, yes, that means you need to install the cumulative updates – bugs and all.
Of course, the smarter alternative is to just cut off your clicking finger.
It’s a damned-if-you-do situation, but in this case – if you can’t keep from clicking “Enable Editing” – you’re better off installing the patch(es) and dealing with the bugs later.
Computerworld Woody on Windows
-
HP firmware update blocks the use of non-HP cartridges
Günter Born reports that there’s a new HP Officejet driver making the rounds today that produces a bogus front panel message:
One or more cartridges appear to be damaged. Remove them and replace with new cartridges
HP’s new firmware update seems to force HP’s Dynamic Security Feature to block non-HP cartridges. Fortunately, there is a manual workaround.
-
Patch Alert update
Computerworld Patch Alert.
Hit any bugs in this month’s patches? Until the commenting system is working (which should happen tonight), don’t hesitate to send me email: woody@askwoody.com.
Includes notes about the newly reported language mix-ups caused by this month’s Outlook 2007 security patch.
UPDATE: Got this note about KB 4038777, the Win7 Monthly Rollup:
I installed this update yesterday. It broke Internet Explorer. I restored the pc to the state it was before this update. Reinstalled the update again. Same result. All the icons on the task bar were unusable. Restored the pc a second time.
Can anybody confirm?
ANOTHER ONE:
On both 1607 and 1703 slipstreamed with September cumulative updates and clean installed, Internet Explorer remains absolutely blank whatever URL I type. The only fix I could find so far was to disable protected mode.
ANOTHER:
After Win 7 KB4038777 – IE11 has the Search box on next to the URL box with no option to hide it and set tabs to new line. If you uncheck the “Tabs on new line” they are put in the same line as the URL hiding the Search box. No option so far to have both tabs in new line and search box off. The same is supposed to happen with the equivalent Win8.1 and Win10 patches.
-
Bloated Patch Tuesday brings fix for nasty Word/RTF/Net vulnerability
For you folks guarding Russian-language espionage-worthy secrets, there’s a hundred or so patches I need to tell you about.
For the rest of you, hang tight. We’re still at MS-DEFCON 2. Let’s wait and see what problems flush out of this month’s huge round of Patch Tuesday patches.
Computerworld Woody on Windows.
UPDATE: Ars Technica’s Dan Goodin just tweeted that there is now public exploit code for CVE-2017-8759 making the rounds. That steps up the pressure to patch, considerably.
ANOTHER UPDATE: Good question from an anonymous commenter:
does this same vuln still apply if RTF file is opened instead in Wordpad?
Answer: No. It requires Word, and Word cannot be running in Preview Mode. If you open RTF files with Wordpad, the Word Viewer, or any of a gazillion RTF readers (including OpenOffice), the .NET bug is NOT triggered.
-
New beta version of Win10 Fall Creators Update doesn’t have a watermark
That’s not a sure sign of an impending “RTM” release of the next version of Windows 10, but it certainly points in that direction. In spite of what Microsoft says officially:
On Build 16288, you will notice that the watermark at the lower right-hand corner of the desktop has disappeared. You will also see that the OS now reports as “Version 1709” which is the official version number for the Windows 10 Fall Creators Update release. However, this is NOT the final build as we’re not done yet. We’re just now beginning the phase of checking in final code to prepare for the final release. So we will have more builds to release to Windows Insiders between now and then. And the desktop watermark may re-appear in these builds.
Remember that, in the past, Insiders in the Fast ring got the “RTM” version of Win10, and there was a big cumulative update released at the same time the RTM version went into General Availability.
I have two bare-metal PCs running Win10 betas, and both of them are currently reporting “An update is being prepared for your device, but it’s not quite ready yet. We’ll keep trying or you can try again now.”
Perhaps somebody found a last-minute glitch and they’re trying to fix it before suffering the slings and arrows of outraged testers?
UPDATE: This tweet from JenMsft:
If you aren’t able to download 16288, we’re looking into it and will have more info in a bit
By the way… for those who have asked… Microsoft patched the BlueBorne security hole in its Bluetooth-enabled devices back in July. If you’ve applied July or August patches, you’re fine. Details from Dan Goodin at Ars Technica.
Yes, you have to update sooner or later…
-
September Security patches for Windows and Office are out
I’ll keep this post updated (as I furtively watch the Apple announcement – there’s a reliable one on YouTube).
Overall list here. I see 259 individual security patches.
Martin Brinkmann just posted his overview on the Ghacks site.
- Windows 7: 22 vulnerabilities of which 3 are rated critical, 19 important
- Windows 8.1: 26 vulnerabilities of which 4 are rated critical, 22 important
- Windows 10 version 1703: 25 vulnerabilities of which 2 are rated critical, 23 important
I swear, I don’t know how Martin gets his list out so quickly.
The release notes still refer to the 1507 LTSB edition (now known as the Win10 2015 LTSC).
Win10 1703 (Creators Update) cumulative update announced, build 15063.608. It’s huge – many dozens of bug fixes, in addition to multiple security patches. Watch out for this one!
Win10 1607 (Anniversary Update) cumulative update announced, build 14393.1715. A half dozen bug fixes and all those security updates.
September Office Updates for all versions are available here. Considering the recent track record, you may want to wait on these.
The Windows Update release list now has the Sept. 12 entries.
For those of you who only want to install “Group B” security patches (NOTE: I strongly recommend against it; much too early!) PKCano advises:
- Win 7 KB 4038779 – Download 32-bit or 64-bit
- IE11 KB 4036586 – Download 32-bit or 64-bit
- Win8.1 Security-only KB 4038793 – Download 32-bit or 64-bit
- IE11 KB 4036586 – Download 32-bit or 64-bit
While this site is broken, if you want to retrieve an old version of the list of “Group B” patches, start with the Internet Archive.
Microsoft posted an advisory about a specific security hole in Word, CVE-2017-8759, that involves opening an RTF file, then changing from Protected View to enable edits. If you’re opening RTF files in Word, then switching them to enable edits, and fear an infection from the Russian-linked NEODYMIUM group, you need to get a bunch of Windows and .NET patches installed. Yes, all versions of Windows are susceptible, including all the Win10 variants, as well as all versions of .NET, including the very new .NET Framework 4.6. Full list of patches here.
Two critical security holes in Adobe Flash Player, security update APSB17-28.
-
Why I ordered a Galaxy Note 8
I don’t usually talk about phones here, but many of you have asked about the phone I’m using – and whether I’m going to consider getting a new iPhone X (when it’s announced in a couple of hours).
Short answer: I’ve been using a Nexus 6P for about a year and a half. The main draw is its use of the Google Fi network. I’ve had very good experiences with Google Fi while traveling.
But times change, and in this case the battery’s on its last legs. Like most modern phones, you can’t change the battery in the 6P, so I’m in the process of changing phones – and carriers.
By all appearances, and judging by a quick hands-on at the local phone shop, the Galaxy Note 8 is a wondrous phone, although it’s ridiculously expensive. I signed up for T-Mobile and, using their 2-for-1 sale, bought two Note 8’s for more-or-less the price of one.
I switched my Nexus over to T-Mobile last week, and so far haven’t seen any negative side effects. The Note 8 should be here in the next few days, and I’m waiting with bated breath.
My wife still uses and loves her iPhone, so we’re going to be a multiple-OS family for the foreseeable future – Android phone and tablets, iOS phones and tablets, Chromebook, even a Raspberry Pi.
Diversity is good, eh?
UPDATE: Reuters reports that the Galaxy Note 8 “Pre-orders reached about 650,000 Note 8 handsets over five days from about 40 countries.” It’ll be interesting to see if Apple announces its pre-order levels.
-
We’re back – but the comment links still don’t work
Not sure how long we’ll be up this time, but we ARE back.
AskWoody started redlining the server around 1:30 on Sunday afternoon, Pacific time. It’s been up one time since then, but only briefly.
Please accept my apologies. Rest assured we’re working furiously to get things back together – and figure out what the %$#@! happened.
-
MS-DEFCON 2: Time to make sure Windows Automatic Update is turned off
Unfortunately the comments on this site aren’t working right, but as soon as they’re up again, you’re most welcome to post about your experiences.
Computerworld Woody on Windows