• All I want for Christmas is a patching process that works

    Instead, I figure it’ll be a lump of cumulative coal.

    Details on this month’s patches and their early foibles in Computerworld Woody on Windows.

  • December 2018 Patch Tuesday is under way

    December Updates are rolling out. There are 194 updates listed in the Update Catalog.

    Martin Brinkmann at ghacks.com has his usual thorough summary.

    Operating System Distribution

    • Windows 7: 9 vulnerabilities of which 9 are rated important.
    • Windows 8.1: 8 vulnerabilities of which 8 are rated important.
    • Windows 10 version 1607: 12 vulnerabilities of which 2 are critical and 10 are important
    • Windows 10 version 1703: 11 vulnerabilities of which 1 is critical and 10 are important
    • Windows 10 version 1709: 12 vulnerabilities of which 2 are critical and 10 are important
    • Windows 10 version 1803: 12 vulnerabilities of which 2 are critical and 10 are important
    • Windows 10 version 1809: 19 vulnerabilities of which 2 are critical and 17 are important

    Windows Server products

    • Windows Server 2008 R2: 9 vulnerabilities of which 9 are important.
    • Windows Server 2012 R2: 9 vulnerabilities of which 1 is critical and 8 are important.
    • Windows Server 2016: 11 vulnerabilities of which 2 are critical and 9 are important.
    • Windows Server 2019: 13 vulnerabilities of which 2 are critical and 11 are important.

    Other Microsoft Products

    • Internet Explorer 11: 4 vulnerabilities, 1 critical, 3 important
    • Microsoft Edge: 5 vulnerabilities, 5 critical

    Microsoft Office Security Updates are available. There are updates for Office 2016, Office 2013, Office 2010, the Office Viewers and the SharePoint Servers.

    The .NET updates include Security-only updates this month, as well as the usual .NET Rollups.

    For those of you with Windows 10, there are new Servicing Stack updates:
    Win10 1709 Build 16229.846 KB 4477136
    Win10 1803 Build 17134.471 KB 4477137

    Interesting note from Senior Solutions Architect Allan Liska at Recorded Future:

    Microsoft Edge has multiple critical vulnerabilities in its Chakra Core scripting engine. This is now the 15th straight month that Microsoft has disclosed a vulnerability in the Chakra scripting engine, the last Patch Tuesday without a Chakra disclosure was September of 2017. This month’s vulnerability (CVE-2018-8583 and CVE-2018-8629) is a memory corruption vulnerability that, if exploited, would allow an attacker to execute arbitrary code on the victim’s machine.

    Note Microsoftie liminzhu’s post on GitHub:

    We’ve seen your questions for ChakraCore and we want to be transparent and honest with the open-source community that has given us so much support. To be compatible with the rest of the platform and reduce interoperability risks, Microsoft Edge will use the V8 engine as part of this change. There is much to build and learn, but we’re excited to take part in the V8 community and start contributing to the project.

    ChakraCore is currently being used in various projects outside the browser. So, despite the change of direction for Microsoft Edge, our team will continue supporting ChakraCore.

    You have to wonder if ChakraCore’s holiness is a contributing factor in Microsoft’s switch to the Chromium rendering engine.

    Dustin Childs has his usual report up on the Zero Day Initiative site. He lists one vulnerability as exploited, but not publicly known, and one as known but not yet actively exploited. All the rest are less serious.

    The exploited vulnerability — the 0day — has a familiar pedigree:

    For the third month in a row, December has a Win32K (kernel-mode drivers) elevation of privilege vulnerability listed as currently under active attack. And, as was the case in previous months, this bug was reported by researchers at Kaspersky Labs, indicating this bug is being used in malware. Again, this is likely being used in targeted attacks in combination with other bugs.

    Translation: Unless you’re protecting enormous state secrets (probably in a language other than English), you’re undoubtedly in the clear. Expect an explanation from Kaspersky shortly.

    Chris Hoffman at How-To Geek has a seeker warning:

    Microsoft hasn’t learned its lesson. If you click the “Check for Updates” button in the Settings app, Microsoft still considers you a “seeker” and will give you “preview” updates that haven’t gone through the normal testing process.

    Of course, to be completely clear, I don’t recommend that you install ANY updates. It’s much too early to know what evil lurks in the hearts of man…

  • Fred Langa answers: “Do I risk damage to my hard disk if, when I travel, I keep it in my bag?”

    More down-to-earth advice from the LangaList legend.

  • Here’s how to hide KB 4023057 – and any other Win10 updates you don’t want

    From @PKCano –

    I hid the updates using wushowhide, but they installed anyway.

    If you have ever experienced this, here is an explanation and a way to avoid it in the future.

    My method for hiding/avoiding KB 4023057 (and any other updates you do not want):

    Be sure your Network connections are set to metered connections each time before shutting down the computer. That way, you are on Metered connections when you boot up.

    + Boot computer with metered connections on.
    Immediately run wushowhide. (Advanced\uncheck auto fix)
    Hide KB 4023057 (and whatever other updates you do not want).
    + Open Services – highlight Windows Update Service, Disable, Apply, Stop the service (upper left)
    Restart the computer (not shutdown/bootup)
    + Open Services – highlight Windows Update Service, set to Manual, Apply, DO NOT start the service. Close Services.
    Immediately run wushowhide and verify the update(s) are hidden, then verify they are not available to be hidden.
    Disconnect from the Internet (Use one of these methods and be SURE you have no connection: remove the Ethernet cable, disable wifi, or disable the NIC(s))
    + Go to Settings\Update & Security\Windows Update and click “Check for Updates.” This should give you an error or “Retry.” Close Settings.
    Reconnect the Internet.
    + Restart the computer. This should allow Windows Update to search for updates without clicking on “Check for Updates” again and refresh the Windows Update queue.
    + Now you should be able to open Settings\Updates and Security and update without getting the hidden updates. Once you see that only the ones you want are there, turn off Metered connections and allow download.
    + Reset connections to Metered BEFORE the Restart.

    If you do not follow the above procedure, the updates you have supposedly hidden may not be cleared from the Settings\Updates and Security\Windows update queue and will thus be downloaded and installed in spite of the fact you THINK you have hidden them.
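
    The two Services steps of the procedure above (Disable and Stop before the Restart, then Manual without starting afterwards) can be scripted. This is an added example, not part of @PKCano's post; the script name wu-service.ps1 and the -Phase parameter are hypothetical, and wuauserv is the service name of Windows Update.

```powershell
# Added example: scripts the two Services steps of the procedure above.
# Run from an elevated Windows PowerShell prompt (script name is hypothetical):
#   .\wu-service.ps1 -Phase BeforeRestart   # after hiding updates in wushowhide
#   .\wu-service.ps1 -Phase AfterRestart    # after the Restart, before re-running wushowhide
param(
    [Parameter(Mandatory)]
    [ValidateSet('BeforeRestart', 'AfterRestart')]
    [string]$Phase
)

$ServiceName = 'wuauserv'   # service name behind "Windows Update" in Services

function Get-WuState {
    # Read start mode and state from CIM so the check works on older PowerShell too.
    $cim = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    [pscustomobject]@{ StartMode = $cim.StartMode; State = $cim.State }
}

switch ($Phase) {
    'BeforeRestart' {
        # "Disable, Apply, Stop the service"
        Set-Service -Name $ServiceName -StartupType Disabled
        Stop-Service -Name $ServiceName -Force
        $s = Get-WuState
        if ($s.StartMode -ne 'Disabled' -or $s.State -ne 'Stopped') {
            throw "Windows Update is $($s.StartMode)/$($s.State); expected Disabled/Stopped."
        }
        'Windows Update disabled and stopped. Restart now (Restart, not shutdown/bootup).'
    }
    'AfterRestart' {
        # "set to Manual, Apply, DO NOT start the service"
        Set-Service -Name $ServiceName -StartupType Manual
        $s = Get-WuState
        if ($s.State -ne 'Stopped') {
            Write-Warning "Service is $($s.State); the procedure expects it not to be started here."
        }
        "Windows Update is $($s.StartMode)/$($s.State). Run wushowhide and verify the hidden list."
    }
}
```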

  • MS-DEFCON 2: December Patch Tuesday arrives tomorrow; get your machine locked down

    My usual monthly admonition applies: Make sure your computer is locked down, to avoid surprises on Patch Tuesday.

    I don’t expect a very big Patch Tuesday, frankly, except for those of you on Win10 1809 (who will get to absorb the contents of last week’s non-security cumulative update). Still, even if it’s a rather uneventful Patch Tuesday, you’d be well advised to turn auto updates off.

    Computerworld Woody on Windows.

  • Patch Lady – Office 365 prioritization

    Recently Office 365/Outlook on click to run has made a change in behavior… as noted on Office uservoice

    After the release of 16.0.6741.2017, the Click 2 Run (C2R) version of the Outlook client for the PC is prioritising O365 for Autodiscover queries above all other Autodiscover methods (SCP, HTTPS root domain etc).

    This causes problems for customers who aren’t using O365 for mail service, especially if either of these conditions are true:

    1. The user has a mailbox in the O365 service which is not being used. This can occur if the user has inadvertently had an Exchange license assigned.
    2. The user has a personal Office subscription but has used their business email address to configure it.

    Outlook prompts the user to login, but logging in will fail as it’s effectively requesting credentials against the O365 service.

    This behaviour also breaks the experience for existing profiles, not just newly created ones.

    The “workaround” we have is to add a registry change to end users' PC to bypass the O365 endpoints. From this article: https://support.microsoft.com/en-gb/help/2212902/unexpected-autodiscover-behavior-when-you-have-registry-settings-under

    This property needs to be set to a DWORD value of 1: ExcludeExplicitO365Endpoint

    This workaround is hard to manage, client specific, and will need to be reverted if the customer ever does in fact move to O365 so that the Direct Connect method can work again.

    My suggestion would be to re-consider this change and how Autodiscover may work more intelligently going forwards.

     

    The request was made to put the behavior back to what it was.

    The response:

    We cannot fulfil this request as we will continue to optimize for the Office 365 experience. The supported implementation of Autodiscover is documented here, https://support.microsoft.com/en-us/help/3211279. Any ongoing changes and improvements will be documented in the article. We appreciate your feedback and take every request with consideration, whether we can move forward with it or not.
    -Outlook Team

     

    If you are running Office 365 they assume that you are using Exchange in the cloud even if you aren’t.  And if you are, and don’t like the new behavior… tough cookies.
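
    An added example, not from the uservoice post or from Microsoft: a PowerShell script that audits, sets, or reverts ExcludeExplicitO365Endpoint for the current user, since the post notes the workaround must be undone if the customer later moves to O365. The key paths are the ones documented in the linked KB 2212902 for Office 16.0 and are an assumption here, as are the script's parameter names.

```powershell
# Added example: audit, set, or revert the Autodiscover workaround for the current user.
# Assumption: key paths as documented in KB 2212902 for Office 16.0 (Click-to-Run Outlook).
param(
    [ValidateSet('Audit', 'Enable', 'Revert')]
    [string]$Action = 'Audit'
)

$ValueName = 'ExcludeExplicitO365Endpoint'
$Keys = @(
    'HKCU:\Software\Microsoft\Office\16.0\Outlook\AutoDiscover',
    'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\AutoDiscover'   # Group Policy location
)
$UserKey = $Keys[0]

function Get-ExcludeO365State {
    # Report the value in both locations so a policy-set value is not missed.
    foreach ($key in $Keys) {
        $value = $null
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        }
        [pscustomobject]@{ Key = $key; Value = $value; Bypassed = ($value -eq 1) }
    }
}

switch ($Action) {
    'Enable' {
        # DWORD value of 1 makes Outlook skip the O365 endpoint during Autodiscover.
        if (-not (Test-Path $UserKey)) { New-Item -Path $UserKey -Force | Out-Null }
        New-ItemProperty -Path $UserKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
    'Revert' {
        # Needed if the mailbox later moves to O365, so Direct Connect can work again.
        if (Test-Path $UserKey) {
            Remove-ItemProperty -Path $UserKey -Name $ValueName -ErrorAction SilentlyContinue
        }
    }
}

# Always finish with the current state, whatever the action was.
Get-ExcludeO365State
```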

  • Any advice on restoring a Macrium Reflect Free image?

    Considering how frequently the folks on this site need – and recommend – full-image backups, it’d be good to have a definitive guide.

    Anybody interested in giving it a whirl?

    Thx @cesmart

  • Microsoft adopting Chromium for Edge rendering is a big deal — let me count the ways

    If you’ve been following the “Edge is dead (but it isn’t)” story, you know that Microsoft announced a couple of days ago that they’ll stop developing the EdgeHTML rendering engine, and switch the Edge browser over to using Google’s open-source Chromium under the covers.

    There have been many knowledgeable folks tossing out ideas and opinions, but some of them seem completely unfounded. As you know, I’m more of a “I’m from Missouri show me” kind of guy.

    I come from a state that raises corn and cotton, cockleburs and Democrats, and frothy eloquence neither convinces nor satisfies me. I’m from Missouri, and you have got to show me.

    — Willard Vandiver, 1899

    I’m not really from Missouri, but you get the idea.

    Yesterday there was an interesting “Ask me anything” session on Reddit where Edge Project Manager Kyle Alden makes some startling commitments:

    Existing UWP apps (including PWAs in the Store) will continue to use EdgeHTML/Chakra without interruption. We don’t plan to shim under those with a different engine. We do expect to offer a new WebView that apps can choose to use based on the new rendering engine.

    We expect to provide support for PWAs to be installed directly from the browser (much like with Chrome) in addition to the current Store approach. We’re not ready to go into all the details yet but PWAs behaving like native apps is still an important principle for us so we’ll be looking into the right system integrations to get that right.

    It’s our intention to support existing Chrome extensions.

    To me, that says two important things, which Windows users of every stripe need to understand:

    • UWP apps (formerly “Metro,” and many other names) aren’t going to last much longer. If you had visions of UWP-based Edge, or Office, or just about any app, you need to re-think. Put a fork in Windows anything “in S Mode.” [UPDATE: I’m overstating things here. See @warrenrumak’s comment. We just learned that Edge will become a standard Win32 desktop app, not a UWP app. Microsoft has already said that Office won’t become a UWP app any time soon. You can draw your own line from there.]
    • Even Microsoft now openly believes that Progressive Web Apps — a concept originally developed and pioneered by Google — are the way of the future.

    ’Tis a brave new world.