|
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it. |
Newsletter Archives
-
February missing security patch toll: Two zero-days and counting
Good report from Dan Goodin at Ars Technica.
Google’s Project Zero sticks to its 90-day notification policy, and a second 0day has been revealed, this time apparently involving CSS tokens.
The details are important. For example, there’s no exploit code available for this second 0day. But the first 0day, involving a gdi32.dll heap boundary, is still at large.
So is the SMBv3 bug that causes crashes, and may lead to deeper exploits.
Security patches are scheduled to resume on March 14.
-
Another Windows 0day appears – gdi32.dll heap boundary error
As 0day bugs go, this isn’t an earth-shattering development. But it’s still enough to cause concern.
Mateusz Jurczyk at Google Project Zero discovered a memory disclosure vulnerability and notified Microsoft on Nov. 17. Project Zero has an automatic 90-day disclosure deadline: If the vendor (in this case Microsoft) doesn’t fix the hole that’s discovered, it will be automatically disclosed 90 days later.
Sure enough, 90 days passed and, on Feb. 14, the timer rang and the full disclosure popped out, including exploit code.
This isn’t a huge bug. The bad guy has to get access to your computer before it can be exploited. Once logged on to your machine, the interloper can open a bad EMF file and use it to sneak a peek at system memory that isn’t theirs.
It seems that security bulletin MS16-074 didn’t fix the problem entirely.
Yuhong Bao (whom I’ve mentioned before, many times) sent a provocative message to the Project Zero folks. He said:
I wonder if this was supposed to be part of the cancelled February Patch Tuesday.
Something to ponder over the upcoming three-day US holiday.
Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Get Plus!
Recent Topics
-
Registry Patches for Windows 10
by 55 minutes ago
-
Cannot get line length to NOT wrap in Outlining in Word 365
by 1 hour, 7 minutes ago
-
DDU (Display Driver Uninstaller) updates
by 4 hours, 43 minutes ago
-
Align objects on a OneNote page
by 6 hours, 23 minutes ago
-
OneNote Send To button?
by 7 hours, 6 minutes ago
-
WU help needed with “Some settings are managed by your organization”
by 15 hours, 39 minutes ago
-
No Newsletters since 27 January
by 11 hours, 36 minutes ago
-
Linux Mint Debian Edition 7 gets OEM support, death of Ubuntu-based Mint ?
by 20 hours, 9 minutes ago
-
Windows Update “Areca Technology Corporation – System – 6.20.0.41”
by 4 hours, 11 minutes ago
-
Google One Storage Questions
by 54 minutes ago
-
Button Missing for Automatic Apps Updates
by 1 hour, 58 minutes ago
-
Ancient SSD thinks it’s new
by 14 hours, 44 minutes ago
-
Washington State lab testing provider exposed health data of 1.6 million people
by 1 day, 6 hours ago
-
WinRE KB5057589 fake out
by 23 hours, 47 minutes ago
-
The April 2025 Windows RE update might show as unsuccessful in Windows Update
by 14 hours, 26 minutes ago
-
Firefox 137
by 10 hours, 45 minutes ago
-
Whisky, a popular Wine frontend for Mac gamers, is no more
by 1 day, 18 hours ago
-
Windows 11 Insider Preview build 26120.3863 (24H2) released to BETA
by 1 day, 19 hours ago
-
Windows 11 Insider Preview build 26200.5551 released to DEV
by 1 day, 19 hours ago
-
New Windows 11 PC setup — can I start over in the middle to set up a local id?
by 14 hours, 55 minutes ago
-
Windows 11 Insider Preview Build 26100.3902 (24H2) released to Release Preview
by 1 day, 22 hours ago
-
Oracle kinda-sorta tells customers it was pwned
by 2 days, 4 hours ago
-
Global data centers (AI) are driving a big increase in electricity demand
by 2 days, 14 hours ago
-
Office apps read-only for family members
by 2 days, 17 hours ago
-
Defunct domain for Microsoft account
by 2 days, 14 hours ago
-
24H2??
by 14 hours, 48 minutes ago
-
W11 23H2 April Updates threw ‘class not registered’
by 10 hours, 42 minutes ago
-
Master patch listing for April 8th, 2025
by 14 hours, 38 minutes ago
-
TotalAV safety warning popup
by 1 day, 13 hours ago
-
two pages side by side land scape
by 4 days, 15 hours ago
Remembering Woody
