It's [insert month] of 2016, and your Windows PC can still be owned by [insert document type] Critical fixes for Office, Internet Explorer, and Windows DNS Server highlight this month's edition of Patch Update Tuesday. The Redmond Windows slinger has kicked out 16 bulletins this month, five rated as "critical" and the remaining 11 considered "important" risks. MS16-063 addresses 10 CVE-listed vulnerabilities in …
Bless him, still going after these years and providing useful stuff.
https://www.grc.com/never10.htm
Tried it, used it. It works by creating/setting two keys in your registry.
All credit to Mr Gibson, the following is paraphrased from his site.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Gwx
Under this key, the 32-bit DWORD value “DisableGwx” is set to 1.
When DisableGwx is set to 1, the upgrade offer icon is suppressed.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
Under this key, the 32-bit DWORD value “DisableOSUpgrade” is set to 1.
When DisableOSUpgrade is set to 1, any previously downloaded Windows 10 files are deleted and Windows will never attempt to upgrade the current operating system.
Just the two usual suspects showed up here... KB3035583 and KB2952664 It took 3 hours to gather all the updates. Hopefully there's no hidden time bomb but I'm testing on a sacrificial PC.
I am running GWX Control Panel so we'll see what blows up when it's done.
It strikes me as weird (the 3 hour gathering) since supposedly this was the month they were rolling everything into one massive update to speed things up... but then, MS is known for shoveling manure.
Add-on to my previous post. I did notice that those two evil KB's were checked and not in the "optional" update area in spite of the GWX Control Panel running. But after unchecking and running the updates, all appears well and I'm seeing no sign of Win10 on that machine.
Just be forewarned that the updates WERE checked by the Updater.
Where is my OS redesign?
How many of the binaries on my system does Word need access to? Why does the installer (rather than Word) not designate a data scratch area for each application instance and why doesn't the OS check with me if the application wants to read/write outside of this area?
Applications should not have free-run of user-space data. Any programs not installed officially should get severely sandboxed. Data can be copied in but not out. This is the OS responsibility, not Norton's nor VMware's. Or how about having properly installed applications register their mime types? The OS then checks the mime types of files being accessed outside of the application-allocated area and kills access to non-relevant files outside of the app's designated data area. Pwnd word can't crypto locker excel files. Flash in a browser gets flv files in its cache area- big whoop.
I get that this is different from using things like sort, grep and wc, but those are kicked off from shell. Who gives shell access to a browser or spreadsheet? If software installation has a security manifest, you should be able to add either containers with different rights, or add a filtered, virtualised FS to the application installation.
How about an auto versioning FS (hello vms) with purging only by elevated privilege. It helps crypto locker be less profitable.
OS vendors need to get their act together, especially those with high exposure.
Kill the value in pwning applications and the attacks go away.
I might even pay for that kind of thing.
For me the updates had become magically 'unhidden', but they were unchecked and in the optional updates group. So a mere check of their Knowledge Base descriptions and they were promptly re-hidden again.
For what it's worth, I haven't needed any other tools than simply not allowing or installing the pesky Win10 related updates every month.
One way to make IE and Edge safer is to disable their internet access (I do it by using the program control feature of the firewall component of Norton). Firefox with Noscript and Adblock Plus (and no Flash) makes for a far safer Internet Browsing experience. Foxit Reader also seems to be more secure than Adobe Reader for handling PDF's. Finally use LibreOffice instead of Microsoft Office to get round even more problems.
"One way to make IE and Edge safer is to disable their internet access (I do it by using the program control feature of the firewall component of Norton). Firefox with Noscript and Adblock Plus (and no Flash) makes for a far safer Internet Browsing experience. Foxit Reader also seems to be more secure than Adobe Reader for handling PDF's. Finally use LibreOffice instead of Microsoft Office to get round even more problems."
Having come this far, Linux seems to be a viable option for you now...
>>One way to make IE and Edge safer is to disable their internet access<<
(McEnroe voice) You cannot be serious?? If you aren't, then that's quite amusing.
Utterly preposterous that their 'new' browser can suffer these kinds of vulns.
I've had the misfortune to touch about 4 Win 10 boxes and i think in every case Edge seemed to be fundamentally broken.
"Utterly preposterous that their 'new' browser can suffer these kinds of vulns."
Indeed, quite funny to read the following :
http://windowsreport.com/microsoft-edge-most-secure-browser/
and
"MS16-068 is a fix for eight CVE-listed flaws in Edge. Like the IE flaws, the Edge vulnerabilities would allow remote code execution simply by viewing a web page on the Edge browser."
It has been almost a year, yet there is STILL no fix for "flaws in Windows that allow information disclosure or remote code execution by installing a malicious OS upgrade. The flaw can be targeted when an attacker tricks the user into installing a specially-crafted application that is disguised as an Important or Security update. This allows the attacker to perform a denial-of-privacy attack on a targeted user."
Oh, you mean the monthly Patch Tuesday files that MS dish out? Aren't these 'specially crafted'. Crafted to get you to install W10 that is. According to many in these parts W10 is nothing more than malware anyway.
I passed close to Area 51 yesterday hence the Icon.
It's [insert month] of 2016, and your Windows PC can still be owned by [insert document type]
Another month, another patching cycle...
Like the Sun rising in the East, it is a part of every Windows user's life.
Unlike sunshine, it brings no warmth, and no enlightenment.
No longer news, or even newsworthy, it will continue long after every one of us has died. I would rant and rave, but my anger has been replaced by ennui. Cretinous clowns creating code is all I can muster.
Remember that they tend to massage statistics in more aggressively than the NRA after yet another massacre to make their OS appear safer than it really is?
Why not create one CVE that reads "Microsoft Windows installed"?
It would allow them to proclaim statistical victory over any other OS out there, without having to be creative with the truth about it. Win win!
I haven't patched my personal machine since November 2015. Updates are turned off. Anyone wants to hack me, my IP is ::1. :-)
First week in August I will be blowing away this install and building a clean one with Windows 7. If MS still tries to force Win10 onto MY machine against my will then it too shall be blown away and Linux gets the nod once and for all.
If they rolled them all up they couldn't take any longer than they do now, but update services has been staring up the last couple of days and going right to 100% cpu utilization (well, until i force restart the service) and then it behaves "normally".
I hate you MS.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
