• Patch Lady – Not enough space to install 1709

    Susan Patch Lady here – writing an online letter to Microsoft:

    To whom it may concern at Microsoft:

    I am concerned that in your zeal to make your vendors happy you are “vista-fying” Windows 10. 

    Let me explain:

    Recently I purchased a cheap laptop because I needed another one since I am lately using a computer connected to my TV to watch online videos. Because I still needed a laptop to look up items, remote into computers and various other tasks, I needed a computer – not a tablet or an iPad – and I needed a Windows-based computer. I reviewed my options for a cheap small laptop and I saw one online for a low price and purchased it. Knowing in advance it had a small SSD drive I figured that I would have fun keeping it updated and keeping the drive cleaned out. But I’m a cheap geek, and knew I had options so I purchased it. The computer came shipped with 1703 Windows Home and soon after I turned it on it started attempting to update.

    The first thing I noticed after the system started checking into Windows Update was how sluggish the machine had become. In reviewing the task manager both the CPU and the drive were pegged at 100% utilization, causing the device to respond slowly. Please ensure that when a machine is first turned on and checking in for updates that sucking up 100% CPU and disk drive isn’t the norm. I’m seeing more and more people complain about this. Please make sure that when either Windows Update or Windows Defender is operational they aren’t taking all of the resources of the system.

    Then you need to make sure that a 32 gig hard drive is really suitable to handle Windows 10 semi-annual feature releases. In my case it’s not and demanded that I have some sort of external storage available to have enough room to handle the update.

    Yes, Microsoft, I know that I got what I paid for, but my point is like Vista you are causing undue harm to a platform by letting vendors install it on price points and platforms it shouldn’t. When you shipped Vista, the driver ecosystem wasn’t ready and you had vendors install it on hardware that couldn’t handle the operating system. If one installed Vista on the RIGHT hardware it actually worked just fine.

    I’m seeing in the consumer space of Windows 10 that multiple vendors have selections in this 32 gig space that will have issues getting any feature update installed.  After I get this laptop upgraded to 1709, there’s an HP Envy tablet that a friend of mine has that I have to help it up to 1709 as well.

    I’ll be filing a bug on this, but please don’t “vista” any more vendor offerings. Any Windows device should be able to handle a feature update without any external storage – at least in my opinion. And I’ll bet many of your frustrated customers think that way too.

    To anyone else suffering from this issue, evaluate your options. In my case I’m ordering a MicroSD card to add a bit more space. For the Envy tablet I’ll be recommending we purchase that as well to give it breathing space to get this 1709 feature update installed. Remember you can evaluate the files and storage on the machine and even turn off hibernation temporarily to gain a bit more space as noted in this blog post. Microsoft does make it obvious during the upgrade to 1709 that it needs additional storage space and gives a very obvious GUI interface indicating that it needs more storage space. After the install remember you have 10 days before it automatically deletes the prior version, so check your applications to make sure there are no issues. 1709 is now the most broadly released version, but if you are stuck back on 1703, I would recommend going to the Software download site and trying to install from the update now link at the top of the page and have a MicroSD card on hand should you get stuck.

  • Keizer: Windows 10 shows sign of enterprise upgrading

    Keizer’s Computerworld take relies on the numbers reported by Net Applications:

    Windows 10 actually slipped two-tenths of a percentage point in user share… during February, ending the month powering 34.1% of the world’s PC…

    Using the 12-month average of Windows 7’s user share decline, Computerworld forecasts that the aging OS will still account for about 35% of all active Windows editions in January 2020

    It’s clear which way the wind is blowing — but I wonder how many will abandon Win7 in 23 months?

  • Is it time to give up on 7-Zip?

    I’ve been a 7-Zip fan for, like, forever. That’s why it pains me to report that several people — people who know what they’re doing — are taking 7-Zip to task for failing to keep up with key security features.

    On Jan. 28, I posted an article on Computerworld titled “Multiple vulnerabilities in 7-Zip. Get it updated now!”

    I thought that Igor Pavlov’s new release, version 18.01, took care of the major security problems. I was wrong.

    The core of the problem: Pavlov refuses to add ASLR (Address Space Layout Randomization) to the product, and won’t compile 7-Zip with the /GS Buffer Security Check flag. (Good overview of both technologies on the ISV Software Security page.)

    This was part of landave’s original complaint:

    I have discussed this issue with Igor Pavlov and tried to convince him to enable all three flags. However, he refused to enable /DYNAMICBASE [the ASLR flag] because he prefers to ship the binaries without relocation table to achieve a minimal binary size. Moreover, he doesn’t want to enable /GS, because it could affect the runtime as well as the binary size.

    So how bad is it? Microsoft Security Response Center engineer (not speaking in an official capacity!) Joseph Bialek says:

    What year is it @7zip ?? You guys still running on 90’s hardware??

    Stefan Kanthak, whom I quoted in the Computerworld article “Microsoft is distributing security patches through insecure HTTP links,” says in a private message:

    [7-Zip’s] INSECURE shell extension is loaded into explorer.exe, and allows an attacker to leverage its MULTIPLE shortcomings. For example Sun/Oracle made such a blunder when they deployed an outdated MSVCRT71.dll with their Java Runtime Environment, which allowed attackers to take advantage of its flaws.

    I’m not so concerned about individual, manual use, but the incorporation of 7-Zip binaries into other packages. An anonymous poster here on AskWoody came up with a long list of other packages that rely on 7-Zip, including WinRAR, Flash, and some .NET applications.

    I’m not yet ready to throw my copy of 7-Zip in the bit bucket. But I wonder if that’s just inertia.
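    For anyone who wants to check which link-time mitigations a given binary actually carries, the sketch below reads the relevant PE header fields. It is an added example, not code from this post or from the 7-Zip project; the flag values come from the PE/COFF specification, while the names `audit_pe` and `build_sample` and the constructed sample headers are illustrative assumptions. It also reports /NXCOMPAT, which the post does not discuss.

```python
import struct

# Flag values from the PE/COFF specification.
RELOCS_STRIPPED = 0x0001   # COFF Characteristics: relocation table removed
DYNAMIC_BASE = 0x0040      # DllCharacteristics: set by /DYNAMICBASE (ASLR opt-in)
NX_COMPAT = 0x0100         # DllCharacteristics: set by /NXCOMPAT (DEP opt-in)
BASERELOC_DIR = 5          # index of the base relocation data directory

def audit_pe(data: bytes) -> dict:
    """Report link-time mitigation flags from a PE header.
    /GS is compiler instrumentation, not a header flag, so it is not checked."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    characteristics = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    dirs = opt + (96 if magic == 0x10B else 112)          # data directory array
    num_dirs = struct.unpack_from("<I", data, dirs - 4)[0]
    reloc_size = 0
    if num_dirs > BASERELOC_DIR:
        reloc_size = struct.unpack_from("<II", data, dirs + 8 * BASERELOC_DIR)[1]
    report = {
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "relocs_stripped": bool(characteristics & RELOCS_STRIPPED),
        "has_reloc_table": reloc_size > 0,
    }
    # The loader can only move an image that opted in AND kept its relocations.
    report["aslr_effective"] = (report["dynamic_base"] and report["has_reloc_table"]
                                and not report["relocs_stripped"])
    return report

def build_sample(characteristics: int, dll_chars: int, reloc_size: int) -> bytes:
    """Constructed PE32 header for the demo (headers only, not a loadable image)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * BASERELOC_DIR, 0x2000, reloc_size)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

    On a real file, pass the bytes of the binary (for example `audit_pe(open(path, "rb").read())`); a binary shipped without a relocation table reports `aslr_effective` as false even if the opt-in bit is set.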

  • Keizer: Microsoft’s browsers are dying

    Er, dieing. Sorry.

    Gregg Keizer has a good look at the rapid decline of the IE (+ Edge) hegemony.

    Even though IE showed an uptick in usage last month, per Net Applications, the prognosis for Microsoft browsers is dismal:

    By the time Microsoft retires Windows 7, and for effective purposes, IE as well, Windows 10 should have reached a user share (of all Windows) of around 63.6%, assuming its climb continues on the past year’s trend line. If Edge hasn’t, well, edged up as a share of all Windows 10 by that time – and all evidence is that it will not – then Microsoft’s active browser share will be in the single digits, perhaps as low as 6%.

    Hard to imagine IE + Edge at 6%, but then again Windows Phone took a hard, fast fall, too.

  • How frequently is Microsoft Security Essentials getting updates?

    While I wasn’t watching, it looks like the frequency of MSE updates has increased.

    GL just wrote to me:

    Microsoft Security Essentials used to have one update a day. Recently I’ve been getting 2 a day. Now today it looks like I’ll be getting morning, afternoon and evening. What’s up with that?

    Have you seen any odd behavior?

  • Microsoft “helps” Intel by releasing KB 4090007, a Spectre 2 microcode update for Win10 1709, Skylake processors only

    UPDATE: Correcting myself (thanks to the anonymous poster) — this is a microcode update, which is kind of a transient firmware override, for lack of a better description. There’s a more thorough description on the Debian wiki, “Processor microcode is akin to processor firmware. The kernel is able to update the processor’s firmware without the need to update it via a BIOS update. A microcode update is kept in volatile memory, thus the BIOS/UEFI or kernel updates the microcode during every boot.”

    I can’t recall ever seeing Microsoft issue a firmware update (other than a Surface firmware update) as a security patch. This one comes with its own KB, no less.

    The announcement is very specific. KB 4090007 only deals with the Spectre Variant 2 / CVE-2017-5715 (“Branch Target Injection”) mitigation, and only on 6th generation Skylake H/S, U/Y and U23e processors. It’s only for Win10 1709. It’s not a cumulative update.

    And — importantly — it’s an Intel microcode update. Not a Windows patch.

    Says Microsoft:

    We will offer additional microcode updates from Intel as they become available to Microsoft. We will continue to work with chipset and device makers as they offer more vulnerability mitigations.

    which is a noble goal, at least to my way of thinking.

    You won’t get the patch via Automatic Update. If you really, really want to test it on your Win10 1709 / Skylake machine, you can download it from the Microsoft Update Catalog and manually install.

    Spectre v2 is a vulnerability in just about everything — Intel, AMD, ARM. As I’m fond of repeating, neither Meltdown nor Spectre (either variant) has been found in the wild.

    As you might imagine, I’m highly skeptical. I mean… what could possibly go wrong?

  • Microsoft releases KB 4091290, a fix for the Win7/Server 2008R2 SCARD_E_NO_SERVICE bug

    Coming soon to Windows Update.

    KB 4091290

    This update addresses a known issue previously called out in KB4075211 where the LSM.EXE process and applications that call SCardEstablishContext or SCardReleaseContext may experience a handle leak. Once the leaked handle count reaches a certain threshold, smart card based operations fail with error SCARD_E_NO_SERVICE.

    See Susan Bradley’s explainer from yesterday.

    Looks like this is the first Windows Update release for the month. No doubt many more are to follow.

  • Android Outlook app scrambling Contacts?

    I’m hearing reports all over that the Android Outlook app is running roughshod over (Outlook) Contacts lists.

    As I understand it, linking the Android Outlook app to your (Exchange-based?) email account reaches into your Contacts and scrambles things like:

    • Email 1 turns into Email 2, Email 2 turns into Email 3, and Email 3 goes back around to Email 1. It’s particularly frustrating because “The display still looks correct so it appears that I am sending it to the correct email address.  I can see it correctly when I look in the sent items but that is too late.”
    • Fax numbers turn into “Other” numbers.
    • Website, Spouse, Title removed
    • “Almost all Notes were removed but for ones not erased”
    • <mailto:…> was added to each email address and periods replaced apostrophes
    • Some physical addresses were removed, and “United States of America” was added to physical addresses

    The gripes I’ve seen come from a private forum — and I won’t reproduce the posts here. (I would welcome — encourage! — the original posters to chime in here.) But the problems are very real for some people at least.

    Can you confirm? I don’t use Outlook Contacts – switched over to Google Contacts years ago.

    Thx @sb