New non-security patches arrive for Win10 1607 and 1703; 1709 update likely soon

Credit to Author: Woody Leonhard| Date: Fri, 23 Feb 2018 04:26:00 -0800

Microsoft last night released a flood of unexpected patches. Yes, that’s a Thursday night dump. No, there weren’t any pressing security fixes – at least, none that were advertised. I have no idea why Microsoft’s pushing this offal out the Automatic Update chute.

In addition to a scattering of Preview patches for Win7, 8.1 and Server 2002 – which are usually posted on the third “Week C” Tuesday of the month – and the Surface Pro 3 firmware patch that was announced, but not delivered, Wednesday, we have two new cumulative updates: one for Win10 Anniversary Update (version 1607) and one for Win10 Creators Update (version 1703). Susan Bradley has a full list with links on the AskWoody site.

Clever, redefined

Credit to Author: Sharky| Date: Fri, 23 Feb 2018 03:00:00 -0800

It’s the 1990s, and this pilot fish is hired at a big international company to maintain a group of Linux servers — and they definitely need help.

“My initial survey of the systems uncovered some serious security problems,” says fish. “Everything had been set up and users added with no regard to security.

“As a temporary holding action, I set all the users’ login shells to a custom restricted shell that allowed each user access to only the directories and commands necessary for their work while I analyzed all the systems, planned a decent security configuration for each, got approvals, did testing and, finally, implemented the new security.”

Throwback Thursday: Now he's feeling even LESS secure

Credit to Author: Sharky| Date: Thu, 22 Feb 2018 03:00:00 -0800

This organization’s IT security officer leaves and isn’t replaced. “A year and a half goes by and the organization suffers a web page defacement,” says a pilot fish on the scene. “During the course of the remediation, another server that has a couple of Trojans on it is found.”

That’s not really a big surprise. Since the infosec guy’s departure, the CIO has repeatedly demanded that ports be opened in the firewall, external connections be made to servers bypassing the firewall and servers in the DMZ be connected to internal servers.

The support manager objects every time — and is always overruled.

“Worse, support isn’t part of the process of selection or meetings with potential vendors for the new web services,” fish says. “Support only finds out about the requirements when they are directed to create the holes.”

Intel releases more Meltdown/Spectre firmware fixes, Microsoft feints an SP3 patch

Credit to Author: Woody Leonhard| Date: Wed, 21 Feb 2018 07:56:00 -0800

One month ago today, Intel told the world that their Meltdown/Spectre patches were a mess. Their advice read something like, “Ooopsie. Those extremely important BIOS/UEFI firmware updates we released a coupla weeks ago are causing Intel machines to drop like bungee cows. In spite of what we told you then, stop installing them now. And if you installed a bad BIOS/UEFI patch, well golly, contact your PC manufacturer to see if they know how to get you out of the mess.”

5 ways blockchain is the new business collaboration tool

Credit to Author: Lucas Mearian| Date: Tue, 20 Feb 2018 13:06:00 -0800

While blockchain may have cut its teeth on the cryptocurrency Bitcoin, the distributed electronic ledger technology is quickly making inroads across a variety of industries.

That’s mainly because of its innate security and its potential for improving systems operations, all while reducing costs and creating new revenue streams.

David Schatsky, a managing director at consultancy Deloitte LLP, believes blockchain’s diversity speaks to its versatility in addressing business needs, but “the impact that blockchain will have on businesses in various industries is not yet fully understood.”

Time for a wake-up call…

Credit to Author: Sharky| Date: Tue, 20 Feb 2018 03:00:00 -0800

This pilot fish supervises the IT help desk, so he’s on the scene when one of his support techs takes a call that’s very ordinary — mostly.

“It was some normal problem like ‘install this printer’ or ‘the computer forgot my password, please reset it,’” says fish.

“But at the end of the call, when they were discussing various things, the user happened to mention, very proudly, that she always turns off her computer at the end of the day every Friday, so it can get its updates over the weekend.

“The tech didn’t have the heart to break the bad news to her. He just told her that was a good idea and to have a nice day.”

Microsoft is distributing security patches through insecure HTTP links

Credit to Author: Woody Leonhard| Date: Fri, 16 Feb 2018 09:12:00 -0800

The Microsoft Update Catalog uses insecure HTTP links – not HTTPS links – on the download buttons, so patches you download from the Update Catalog are subject to all of the security problems that dog HTTP links, including man-in-the-middle attacks.

Security researcher Stefan Kanthak, writing on Seclist’s Bugtraq mailing list, elaborates:

Even if you browse the “Microsoft Update Catalog” via the HTTPS link, ALL download links published there use HTTP, not HTTPS!

That’s trustworthy computing … the Microsoft way!

Despite numerous mails sent to <secure () microsoft com> in the last years, and numerous replies “we’ll forward this to the product groups,” nothing happens at all.

Microsoft's free analytics service sniffs out Meltdown, Spectre patch status

Credit to Author: Gregg Keizer| Date: Thu, 15 Feb 2018 12:11:00 -0800

Microsoft’s free Windows Analytics service now scans enterprise Windows 7, Windows 8.1 and Windows 10 PCs, and reports whether they’ve been updated to defend against potential attacks exploiting the Meltdown and Spectre processor vulnerabilities.

The new capabilities of Windows Analytics’ “Upgrade Readiness” were announced Tuesday by Terry Myerson, the top Windows executive at the company. Myerson called the vulnerabilities – found by Google security researchers and reported to vendors in mid-2017 – “a new challenge for all of us” because they were in the silicon, not in software.

“We have added new capabilities to our free Windows Analytics service to report the status for all the Windows devices that [IT professionals] manage,” Myerson wrote in a post to a company blog.

February patches bring ominous Outlook fixes and a rebirth of KB 2952664

Credit to Author: Woody Leonhard| Date: Wed, 14 Feb 2018 10:44:00 -0800

The very early reports are in, and it looks like this month’s monstrous panoply of patches isn’t as destructive as last month’s – so far, at least. Aside from a few reported incompatibilities, the big news involves two Outlook security holes that kick in when you download email, or preview a message. There are no known exploits, but if you use Outlook, you need to understand the dangers – and should seriously consider patching sooner rather than later.

First, the blast. Yesterday, Microsoft released its usual Patch Tuesday security updates, which include 50 separately identified security holes (CVEs). Those 50 are in addition to the one Adobe Flash Player security hole, CVE 4074595, that was plugged on Feb. 6. Of the 50, 14 are rated Critical, 34 rated Important (which means they aren’t) and two are Moderate.

Mac: What does 'System Scan is Recommended' mean?

Credit to Author: Jonny Evans| Date: Wed, 14 Feb 2018 09:03:00 -0800

Many Mac users may have come across a small window that appears on top of their browser when surfing the Web that warns them, ‘System Scan is Recommended’. So, what is this message, and what should you do if you see it?

TL;DR: Don’t panic

The first thing to learn is that this is not a Mac system message. If you ever come across this message you can be utterly certain that it is a scam. Whoever is behind the message (and it may not be the website owner, but some poorly policed ads network) wants you to agree to something that will probably cost you money, leave your data at risk, or otherwise cause you unwanted problems. While scams like these are nowhere near as widespread on Macs as they are on other platforms, they do appear sometimes.
