Patching meltdown: Windows fixes, sloppy .NET, warnings about Word and Outlook

Credit to Author: Woody Leonhard| Date: Fri, 19 Jan 2018 09:28:00 -0800

On the heels of the Jan. 17 release of 14 Windows and .NET patches, we now have a huge crop of new patches, revised older patches, warnings about bugs, and a bewildered ecosystem of Microsoft customers who can’t figure out what in the blue blazes is going on.

Let’s step through the, uh, offerings on Jan. 18.

Windows 10 patches

Win10 Fall Creators Update version 1709 — Cumulative update KB 4073291 brings the Meltdown/Spectre patches to 32-bit machines. What, you thought 32-bit machines already had Meltdown/Spectre patches? Silly mortal. Microsoft’s Security Advisory ADV180002 has the dirty details in the fine print, point 7:

To read this article in full, please click here

Read more

TippingPoint Threat Intelligence and Zero-Day Coverage – Week of January 15, 2018

Credit to Author: Elisa Lippincott (TippingPoint Global Product Marketing)| Date: Fri, 19 Jan 2018 14:36:46 +0000

It’s been just over 14 years since I almost left this crazy world due to a bad car accident. I have a number of scars and daily pains that serve as reminders of that day. While some may think scars and pain are a burden and a nuisance, I think of them as reminders of…

Read more

Mozilla mandates that new Firefox features rely on encrypted connections

Credit to Author: Gregg Keizer| Date: Thu, 18 Jan 2018 10:37:00 -0800

Mozilla this week decreed that future web-facing features of Firefox must meet an under-development standard that requires all browser-to-server-and-back traffic be encrypted.

“Effective immediately, all new features that are web-exposed are to be restricted to secure contexts,” wrote Mozilla engineer Anne van Kesteren in a post to a company blog. “A feature can be anything from an extension of an existing IDL-defined object, a new CSS property, a new HTTP response header, to bigger features such as WebVR.”

Secure contexts, dubbed a “minimum security level,” is a pending standard of the W3 (World Wide Web Consortium), the primary standards body for the web. Secure contexts’ main purpose, according to its documentation: “Application code with access to sensitive or private data be delivered confidentially over authenticated channels that guarantee data integrity.”

To read this article in full, please click here

Read more

More Windows patches, primarily previews, point to escalating problems this month

Credit to Author: Woody Leonhard| Date: Thu, 18 Jan 2018 06:39:00 -0800

Never give a sucker an even break. Yesterday, on a very out-of-band Wednesday, Microsoft released preview patches for Windows 8.1 (but not 7!), Server 2012, and Windows 10 1709 (for bricked AMD machines only), with preview cumulative updates for Win10 1703 and 1607. There are also nine different .NET preview patches.

What should you do? Nothing. More accurately, make sure you DON’T install any of them. Fortunately, all of these patches require that you download and install them — and you’d have to be crazy (or an admin trying to shore up some critical servers) to dive into the cesspool.

It’s the same advice I’ve been giving all month. There’s nothing here that you need right now — there are no known exploits for Meltdown or Spectre in the wild, in particular — and machines are dropping like flies.

To read this article in full, please click here

Read more

Throwback Thursday: What are the odds?

Credit to Author: Sharky| Date: Thu, 18 Jan 2018 03:00:00 -0800

Internet filter is installed at this site, and in the beginning, there are complaints from users who can’t get to their favorite non-business sites, says an IT pilot fish working there.

But after six months and lots of explanations to users, the complaints have stopped. “Then one Saturday evening, a user called me,” fish says.

“He called to report that something must be wrong, because he could get to his lottery numbers tonight.

“I told him thanks, and that I would inform the individual in charge of the filter on Monday morning, as it wasn’t stopping anything production-critical during the weekend hours.

“I still can’t decide which is funnier: the fact that apparently every day for nearly six months this user tried to get to his lottery numbers even though the page should have never loaded again — or that, when he actually was able to, he reported it as a problem.”

To read this article in full, please click here

Read more