Newsletter Archives

  • MS-DEFCON 4: Time to get December patches installed

    It looks like the “emergency” Internet Explorer patch is working. As for the Outlook patches for the “operation failed” Rules & Alerts bug, your guess is as good as mine — and Microsoft sure isn’t saying anything.

    All in all, it’s time to take your medicine, and get your machine caught up. If you’re helping hapless friends or relatives, and they’re using Win10 Pro or Education, get them going with a 15-day cumulative update lag on the Semi-Annual Channel (explained in the article).

    Then, if you have a sec, could you explain to my Sainted Aunt Martha — who paid good money for her Win10 machine — exactly what that last sentence means? Windows is sooooooo user-friendly.

    Details in Computerworld Woody on Windows. Yes, even on the day before Christmas.

  • Where we stand with the December patches

    Things were looking pretty good for This Month in Patches — until two days ago.

    Now, it’s anybody’s guess whether there’s a real emergency, or whether the IE patch is just a flash in the pan. But I continue to recommend that you hold off on patching — in spite of “The Sky is Falling — Patch Now” warnings from the usual suspects.

    If the sky really does start falling, we’ll let you know here first.

    Details in Computerworld Woody on Windows.

  • All I want for Christmas is a patching process that works

    Instead, I figure it’ll be a lump of cumulative coal.

    Details on this month’s patches and their early foibles in Computerworld Woody on Windows.

  • December 2018 Patch Tuesday is under way

    December Updates are rolling out. There are 194 updates listed in the Update Catalog.

    Martin Brinkmann at ghacks.com has his usual thorough summary.

    Operating System Distribution

    • Windows 7: 9 vulnerabilities of which 9 are rated important.
    • Windows 8.1: 8 vulnerabilities of which 8 are rated important.
    • Windows 10 version 1607: 12 vulnerabilities of which 2 are critical and 10 are important
    • Windows 10 version 1703: 11 vulnerabilities of which 1 is critical and 10 are important
    • Windows 10 version 1709: 12 vulnerabilities of which 2 are critical and 10 are important
    • Windows 10 version 1803: 12 vulnerabilities of which 2 are critical and 10 are important
    • Windows 10 version 1809: 19 vulnerabilities of which 2 are critical and 17 are important

    Windows Server products

    • Windows Server 2008 R2: 9 vulnerabilities of which 9 are important.
    • Windows Server 2012 R2: 9 vulnerabilities of which 1 is critical and 8 are important.
    • Windows Server 2016: 11 vulnerabilities of which 2 are critical and 9 are important.
    • Windows Server 2019: 13 vulnerabilities of which 2 are critical and 11 are important.

    Other Microsoft Products

    • Internet Explorer 11: 4 vulnerabilities, 1 critical, 3 important
    • Microsoft Edge: 5 vulnerabilities, 5 critical

    Microsoft Office Security Updates are available. There are updates for Office 2016, Office 2013, Office 2010, the Office Viewers and the SharePoint Servers.

    The .NET updates include Security-only updates this month, as well as the usual .NET Rollups.

    For those of you with Windows 10, there are new Servicing Stack updates:
    Win10 1709 Build 16229.846 KB 4477136
    Win10 1803 Build 17134.471 KB 4477137

    Interesting note from Senior Solutions Architect Allan Liska at Recorded Future:

    Microsoft Edge has multiple critical vulnerabilities in its Chakra Core scripting engine. This is now the 15th straight month that Microsoft has disclosed a vulnerability in the Chakra scripting engine, the last Patch Tuesday without a Chakra disclosure was September of 2017. This month’s vulnerability (CVE-2018-8583 and CVE-2018-8629) is a memory corruption vulnerability that, if exploited, would allow an attacker to execute arbitrary code on the victim’s machine.

    Note Microsoftie liminzhu’s post on GitHub:

    We’ve seen your questions for ChakraCore and we want to be transparent and honest with the open-source community that has given us so much support. To be compatible with the rest of the platform and reduce interoperability risks, Microsoft Edge will use the V8 engine as part of this change. There is much to build and learn, but we’re excited to take part in the V8 community and start contributing to the project.

    ChakraCore is currently being used in various projects outside the browser. So, despite the change of direction for Microsoft Edge, our team will continue supporting ChakraCore.

    You have to wonder if ChakraCore’s holiness is a contributing factor in Microsoft’s switch to the Chromium rendering engine.

    Dustin Childs has his usual report up on the Zero Day Initiative site. He lists one vulnerability as exploited, but not publicly known, and one as known but not yet actively exploited. All the rest are less serious.

    The exploited vulnerability — the 0day — has a familiar pedigree:

    For the third month in a row, December has a Win32K (kernel-mode drivers) elevation of privilege vulnerability listed as currently under active attack. And, as was the case in previous months, this bug was reported by researchers at Kaspersky Labs, indicating this bug is being used in malware. Again, this is likely being used in targeted attacks in combination with other bugs.

    Translation: Unless you’re protecting enormous state secrets (probably in a language other than English), you’re undoubtedly in the clear. Expect an explanation from Kaspersky shortly.

    Chris Hoffman at How-To Geek has a seeker warning:

    Microsoft hasn’t learned its lesson. If you click the “Check for Updates” button in the Settings app, Microsoft still considers you a “seeker” and will give you “preview” updates that haven’t gone through the normal testing process.

    Of course, to be completely clear, I don’t recommend that you install ANY updates. It’s much too early to know what evil lurks in the hearts of man…

  • MS-DEFCON 2: December Patch Tuesday arrives tomorrow; get your machine locked down

    My usual monthly admonition applies: Make sure your computer is locked down, to avoid surprises on Patch Tuesday.

    I don’t expect a very big Patch Tuesday, frankly, except for those of you on Win10 1809 (who will get to absorb the contents of last week’s non-security cumulative update). Still, even if it’s a rather uneventful Patch Tuesday, you’d be well advised to turn auto updates off.

    Computerworld Woody on Windows.

  • December 2018 non-Security Office Updates have been released

    These are December 2018 Office updates. They will not be included in the DEFCON approval for the November patches. Unless you have a specific need to install them, you should wait until Susan Bradley (Patch Lady) approves them and any problems have been reported.

    Office 2010

    Update for Microsoft Office 2010 (KB4227172)
    Update for Microsoft Office 2010 (KB4461579)

    Office 2013

    Update for Microsoft InfoPath 2013 (KB4022181)

    Office 2016

    Update for Skype for Business 2016 (KB4461545)
    Update for Microsoft Project 2016 (KB4461540)

    There were no non-security listings for Office 2007 (which is out of support).
    Office 365 and C2R are not included.
    Security updates for all supported versions of Microsoft Office are released on the second Tuesday of the month (Patch Tuesday).