Windows 10

The Microsoft Update Catalog uses insecure HTTP links – not HTTPS links – on the download buttons, so patches you download from the Update Catalog are subject to all of the security problems that dog HTTP links, including man-in-the-middle attacks.

Security researcher Stefan Kanthak, writing on Seclist’s Bugtraq mailing list, elaborates:

Even if you browse the “Microsoft Update Catalog” via the HTTPS link,  ALL download links published there use HTTP, not HTTPS!

That’s trustworthy computing … the Microsoft way!

Despite numerous mails sent to <secure () microsoft com> in the last years, and numerous replies “we’ll forward this to the product groups,” nothing happens at all.

To read this article in full, please click here

The very early reports are in, and it looks like this month’s monstrous panoply of patches isn’t as destructive as last month’s – so far, at least. Aside from a few reported incompatibilities, the big news involves two Outlook security holes that kick in when you download email, or preview a message. There are no known exploits, but if you use Outlook, you need to understand the dangers – and should seriously consider patching sooner rather than later.

First, the blast. Yesterday, Microsoft released its usual Patch Tuesday security updates, which include 50 separately identified security holes (CVEs). Those 50 are in addition to the one Adobe Flash Player security hole, CVE 4074595, that was plugged on Feb. 6. Of the 50, 14 are rated Critical, 34 rated Important (which means they aren’t) and two are Moderate.

To read this article in full, please click here

January 2018 will go down in history as one of the worst patching months in Microsoft’s very checkered history. That isn’t an isolated muck-up. It’s a harbinger. We had a couple of really bad months in 2017 — February and November come immediately to mind — but an unconscionable number of patches left bricked machines and busted programs in their wake.

To read this article in full, please click here

January 2018 was a month that will go down in patching infamy. Looking back on my notes, we had patches released, yanked, re-released and/or re-re-released on 15 different days in January. Untold thousands of machines were bricked by Microsoft patches. Millions of hours were lost chasing down bad patches and bad advice.

Although there were a couple of real bugs fixed in the January patches — the Equation Editor vulnerability being suspect #1 — most of the angst was completely superfluous. The Meltdown/Spectre patches at the heart of the drama attacked a problem that wasn’t — and isn’t — there. We still have no known Meltdown or Spectre exploits in the wild. None.

To read this article in full, please click here

Microsoft told us three weeks ago that Win10 Fall Creators Update, version 1709, was ready for enterprise deployment. Since then, we’ve seen the early January patch yanked because it tanked AMD machines. Then, after the first patch was reinstated, we got two more cumulative updates. In the past three weeks.

I guess that’s what Microsoft now means by “Current Branch for Business” and/or “Semi-Annual Channel.”

To read this article in full, please click here