2016: Bad USB sticks, evil webpages, booby-trapped font files still menace Windows PCs

Microsoft has published the March edition of its monthly security updates, addressing security flaws in Internet Explorer, Edge and Windows, while Adobe has issued updates for Digital Editions, Acrobat and Reader. Microsoft released 13 sets of patches for you to install as soon as possible: MS16-023 A cumulative update for …

Silver badge

Dem Bones, dem dry Bones!

THE RIDE NEVER ENDS!

5
2

Re: Dem Bones, dem dry Bones!

Can a can of worms have a can of worms?

6
1

Re: Dem Bones, dem dry Bones!

Yes..

And furthermore, the worms in the can that's in the can of worms are likely to each be holding a can of whup-a$$ which you should NOT open - Peter Griffin did so and look what happened to him..

https://www.youtube.com/watch?v=aG59WqrAN3M

6
0
Silver badge

Re: Dem Bones, dem dry Bones!

Yes. It's worms all the way down!

1
1
Silver badge

A quick perusal of the issues and they all (except for a few) seem to be for all the Win and Office versions. Like did they use the same code chunks in all versions? The BS PR from MS tries to tell us that Win8 and up are "new"... but under the hood, it's still a 1929 Buick.

10
8
Anonymous Coward

Hmmm..

.. it appears I'm avoiding a lot of risk by using LibreOffice

If I could just find a way to do without Flash - too many sites still rely on it :(. Adobe Reader I've removed when they wanted me to agree to frankly ridiculous new conditions with their DC reader, so that's no longer an issue.

In conclusion, it appears attempting to try it on with unacceptable conditions and overcharging for something that doesn't actually bring *anything* new has made me safer. Yay :)

4
1
Anonymous Coward

Just like LibreSSL looks to borrow a lot of code from OpenSSL (as a recent El Reg article shows), even if it is "new"? Because rewriting it fully from scratch would have taken years?

Are you a software developer? Do you throw away all the previous code when you develop a new version? Some parts are rewritten from scratch, others are updated, others may be brought in as they are. If a font or document format doesn't change, there's a good chance their parsers don't as well, even across different releases.

Moreover, design issues may propagate to later releases. Look at how the flaws in SSLv2 exist in any release.

5
2
Gold badge

Re: Hmmm..

"If I could just find a way to do without Flash - too many sites still rely on it :(. "

Just tell the site owner that they've lost your business because friends don't ask friends to drop their trousers and bend over.

3
1
Megaphone

Ohh FFS.

If you had to write brand new code every OS release, we'd still be stuck using mainframes in a lab.

Grow up.

All operating systems have issues, otherwise I presume all the security flaws for Linux, BSD, Unix and so on are just made up are they?

Patch and move on.

10
2

Re: Ohh FFS.

I'd buy that except

When we moved from Windows 3.11 to Windows 95 we were told it was a complete rewrite.

When we moved from 98SE (because nobody is damn fool enough to admit using 98ME) to Windows 2000 we were told they did a complete rewrite.

When we moved from XP SP1 to SP2 we were told they did a serious deep dive, patched a boatload of serious holes and from now on, Security would be job #1.

When MS tried to convince everybody to move from XP SP3 to Vista we were told they did a complete rewrite of the code, all the way down to the HAL. At that point it was obvious they had because nothing worked right anymore. When they came out with the version we all adopted we were told they'd just fleshed out the driver set. Now it looks like they back ported the bad code into the system.

When they moved from Windows 7 to Windows 8 we were told ...

1
2
Anonymous Coward

Same old

On my W7 the KB2952664 W10 update nagware is back from the dead yet again - pre-ticked ready to install.

KB3138612 looks suspicious too.

"This article describes an update that contains some improvements to Windows Update Client in Windows 7 [...]"

12
0
Anonymous Coward

Re: Same old

>On my W7 the KB2952664 W10 update nagware is back from the dead yet again - pre-ticked ready to install.

>KB3138612 looks suspicious too.

>"This article describes an update that contains some improvements to Windows Update Client in Windows 7 [...]"

If so, I wonder who you should report this to because that strikes me as an attempt to install software explicitly against your will. If enough people invoke the Computer Misuse Act 1990 it may be possible to get this stopped, or earn at least for the time you waste on fighting this virus upgrade. You should not have to battle to keep a computer clean from something that is not a patch but an upgrade, that's a straightforward abuse of trust.

10
3

Re: Same old

Yep, I've got that as well. Optional, unticked though. KB3035583 and KB3123862 look nasty too.

4
1
Silver badge

Re: Same old

Attempting to gain an advantage by misleading?

These guys - http://www.actionfraud.police.uk/types_of_fraud

1
0

Re: Same old

Agreed, but a more pragmatic solution for me has been to ditch my final Windows machine, so it's now all Mint Linux and OSX, with a Windows 7 VM for when nothing else will do. No regrets.

1
0
Anonymous Coward

Re: Same old

>Agreed, but a more pragmatic solution for me has been to ditch my final Windows machine, so it's now all Mint Linux and OSX, with a Windows 7 VM for when nothing else will do. No regrets.

Well, yes, you and I are in the lucky position of being able to do that (and mandate that in new businesses), but not everyone has that good fortune. As a matter of fact, having just struck up discussions with a vendor of a very good product we may have to accept a policy exception for running a few Windows VMs - the product's value to the business offsets the costs of managing the extra risks we incur by having to maintain a Windows install.

Thankfully we can run it from the DMZ and only give it a firewall pinhole.

0
0

Re: Same old

Oops installed 'em by accident.

Here's the command line to uninstall:

wusa /uninstall /kb:3123862 /norestart

0
0
Silver badge
Pint

Life is good!

Win 7 SP1 on the laptop, set for only Important Windows updates installed manually, as no MS Office and never use IE. Only update offered today was for Defender. FF is up to 45, which did get installed today, though I only keep it for sentimental reasons since they buggered the search function. MS tries to slip through Win 10 stuff via Optional updates, but I laugh as I hide them. Nothing that claims to update Windows Update gets over the moat.

3
3
Silver badge

Re: Life is good!

Three down votes? Really? Well, MS is offering me 8 IMPORTANT updates today (Wednesday), including one that fixes a "problem" with Windows Update. Uh-huh. Guess which one isn't getting installed? Nor are the Optional updates. Time to start the madness and go to lunch.

0
0

@Same old/Life is good

To take control of your Win 7 updates I'd recommend the following:

Turn off automatic updates.

Install WSUS Offline updates and (if you feel paranoid) GWX Control Panel.

http://download.wsusoffline.net/

http://ultimateoutsider.com/downloads/

Huzzah! No more Win 10 nags.

0
0
Silver badge
FAIL

Re: @Same old/Life is good

Huh! It's 2016 and Windows users still have to download random stuff from the web to make their boxes work.

9
4
FAIL

Re: @Same old/Life is good

Huh! It's 2016 and Linux / Android / OSX / iOS users still have to download random stuff from the web to make their boxes work.

Just for balance.

7
5
Anonymous Coward

Re: @Same old/Life is good

>Huh! It's 2016 and Linux / Android / OSX / iOS users still have to download random stuff from the web to make their boxes work.

So there's an app store for Windows now? Cool. Not that I would use it, but it's nice for them to catch up. Oh, wait, the Android one isn't that good either, it is in a way Microsoft compatible..

0
2
Silver badge
Boffin

Re: @Same old/Life is good

>Huh! It's 2016 and Linux / Android / OSX / iOS users still have to download random stuff from the web to make their boxes work.

>Just for balance.

I do not have to install some third party crap off the interwebs that nobody can authenticate to ensure my Linux does not update without my consent. Actually, I am always kindly asked if I want to update, and I can select/postpone as I see fit. I can get diffs of the patches from the interwebs to see EXACTLY which lines of source code were changed.

Windows update attempts to trick you each time, with ever increasing sophistication. They use deception techniques, canned statements, "describing" the fixes, which often turn out to be way off.

Installing stuff from a repository IS NOT THE SAME as hunting down GWX ControlPanel (or whatever it's called) on some random website hoping nobody has injected the Ask toolbar or other malware into the exe. I am not saying a repository is 100% safe, nothing is, but it is much safer than a random website, don't you think?

So, you did not get the point.

4
4
Anonymous Coward

Re: @Same old/Life is good

"Installing stuff from a repository IS NOT THE SAME as hunting down GWX ControlPanel (or whatever it's called)"

Have you downloaded a Mint Linux ISO recently (from the official source)??? Well, that was secure and safe, wasn't it! http://www.theregister.co.uk/2016/02/21/linux_mint_hacked_malwareinfected_isos_linked_from_official_site/

FLAME ON!

1
2

Re: @Same old/Life is good

I've completely disabled Windows Update on both my Windows 7 machines. Both are used for 3D modelling and rendering, video work, graphic design, gaming and testing my websites to make sure they work on Windows.

Neither one has internet access any longer. Neither one will ever be updated again.

The only machines on my network that see the internet are Linux Mint boxes - one of which is being used to post this comment.

0
0
Silver badge

Given the most common attack vectors of malware - what can we do to update the wetware?

4
0
Gold badge

what can we do to update the wetware?

To paraphrase a meme, I'd say we remove all the warning labels..

0
0

Whack a bug

We are doomed to forever be involved somehow in the war on malware.

1
0
Gold badge

Re: Whack a bug

Yup. The only choice you make is just how much effort you're willing to spend on keeping up to date.

0
0
GW7
Devil

Re: Whack a bug

I consider KB3035583 and KB2952664 to be malware. And there's a "bug" in Windows Update, because every time I hide these two miscreants, they reappear the following month in the list of optional updates.

At this rate, Microsoft will soon resort to bundling the pre-ticked Win 10 installer with "freeware" like Java and Flash and the sort of dodgy programs that try to install unwanted browser toolbars and adware. Please stop this madness now Microsoft, stop nagging, and *respect* the user's choice.

6
0
Windows

Windows 10 Patches

Here is my complete list of Windows 10 nagware patches to avoid/hide on Windows Update. Please let me know if I've missed any:

KB2952664

KB2976978

KB3035583

KB3112343

KB3123862

1
0
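A report-only check for the five KB numbers listed in the comment above, added here as an example and not part of the thread. It shows which of them are already installed (with the matching `wusa` command line quoted earlier in the thread) and which are currently on offer from Windows Update. The function names are hypothetical; `Get-HotFix` and the `Microsoft.Update.Session` COM object are the standard Windows interfaces.

```powershell
# Added example, not from the thread. Report-only: nothing is uninstalled or hidden.
# KB numbers are the five from the comment above.
$watchList = @('KB2952664', 'KB2976978', 'KB3035583', 'KB3112343', 'KB3123862')

function Get-WatchedHotFix {
    param([string[]]$KbList)
    # Query the installed hotfix list once and filter locally, so a KB that
    # is not installed does not raise an error.
    Get-HotFix | Where-Object { $KbList -contains $_.HotFixID }
}

function Get-WatchedPendingUpdate {
    param([string[]]$KbList)
    # Windows Update Agent COM API: updates that are offered but not installed.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0')
    foreach ($update in $result.Updates) {
        foreach ($id in $update.KBArticleIDs) {
            if ($KbList -contains "KB$id") {
                New-Object PSObject -Property @{
                    KB         = "KB$id"
                    Hidden     = $update.IsHidden              # hidden by the user
                    AutoSelect = $update.AutoSelectOnWebSites  # agent's auto-select flag
                    Title      = $update.Title
                }
            }
        }
    }
}

# Installed: print the uninstall command instead of running it.
Get-WatchedHotFix -KbList $watchList | ForEach-Object {
    'installed: {0}  ->  wusa /uninstall /kb:{1} /norestart' -f `
        $_.HotFixID, $_.HotFixID.Substring(2)
}

# On offer: show whether each one is hidden or flagged for automatic selection.
Get-WatchedPendingUpdate -KbList $watchList |
    Format-Table KB, Hidden, AutoSelect, Title -AutoSize
```

Run it again after each monthly update cycle to see whether an update that was hidden has come back on offer.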
Coat

Re: Windows 10 Patches

Here is my list of all possible dodgy patches, some quite recent.

Check them out for yourself in case of error- in which case apologies in advance.

WIN 7 and 8.1 spyware list.

KB2592687

KB2660075

KB2726535

KB2882822

KB2902907 MS Security Essentials/Windows Defender related update

KB2922324 (reportedly pulled, uninstall it anyway if already installed)

KB2923545 Remote desktop protocol

KB2952664 RS "Compatibility update for upgrading Windows 7" prepares system for upgrade to Windows 10, sends a bunch of telemetry data to M$, nagware patch that touts the Windows 10 upgrade, !reported to corrupt system files

KB2977759 "Compatibility update for Windows 7 RTM", prepares system for upgrade to Windows 10, installs telemetry (SPYWARE)

KB2990214 "Update that enables you to upgrade from Windows 7 to a later version of Windows" prepares system for upgrade to Windows 10/telemetry (SPYWARE)

KB2994023

KB2999226

KB3015249 "Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7" Telemetry, reports UAC prompt choices when making changes to the system (SPYWARE)

KB3021917 "Update to Windows 7 SP1 for performance improvements" prepares system for upgrade to Windows 10

KB3022345 "Update for customer experience and diagnostic telemetry" installs diagnostic/usage tracking service (SPYWARE) !reported to corrupt system files

KB3035583 "Update installs Get Windows 10 app in Windows 8.1 and Windows 7 SP1"

Gives you the windows 10 invite pitch

KB3046480 Update helps to determine whether to migrate the .NET Framework 1.1 when you upgrade Windows 8.1 or Windows 7

KB3050265 "Windows Update Client for Windows 7: June 2015" supposedly fixes an issue with windows update, but also changes system files to support upgrade to Windows 10

KB3065987 "Windows Update Client for Windows 7 and Windows Server 2008 R2: July 2015" makes "improvements" to the windows update client (really just more Win10 garbage)

KB3068707 Customer experience telemetry.

KB3068708 "Update for customer experience and diagnostic telemetry", installs telemetry service (SPYWARE), prepares system for upgrade to Windows 10 (replaces KB3022345)

KB3075249 "Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7" Telemetry, reports UAC prompts to Microsoft (SPYWARE)

KB3075851 "Windows Update Client for Windows 7 and Windows Server 2008 R2: August 2015" makes "improvements" to the windows update client (really just more Win10 garbage)

KB3080149 "Update for customer experience and diagnostic telemetry" Update for customer experience and diagnostic telemetry, CEIP (SPYWARE)

KB3083324

KB3083710

KB3097877

KB3104460

KB3112343 More spyware

KB3123862

KB3135445

KB3138612

KB971033 Description of the update for Windows Activation Technologies

****Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2 ONLY****

KB2976978 "Compatibility update for Windows 8.1 and Windows 8" prepares system for upgrade to Windows 10 - once installed cannot be removed.

KB2999226

KB3044374 "Update that enables you to upgrade from Windows 8.1 to Windows 10", prepares system for upgrade to Windows 10. Nagware.

KB3050267 "Windows Update Client for Windows 8.1: June 2015" supposedly fixes an issue with windows update, but also changes system files to support upgrade to Windows 10

KB3065988

KB3075853

KB3083325

KB3083711

KB3112336 More spyware

KB3133865

KB3135449

KB3138615

Any comments welcome.

Mine's the one with the Nostradamus guide to windows updates in the pocket.

4
0
Anonymous Coward

Re: Whack a bug

"[...] they reappear the following month in the list of optional updates."

You are lucky. They usually reappear in my updates as pre-ticked "important". So they have to be unticked and hidden again, and again, and .....

2
0
GW7
Windows

Re: Whack a bug

Change update settings to: "check for updates but let me choose whether to download and install them" and be sure to untick "give me recommended updates the same way I receive important updates".

KB3050267 (on 8.1/2012R2) or KB3050265 (on Win7/2008R2) is an update to Windows Update (July 2015) that installs a new Group Policy object that enables you to block upgrades to the latest version of Windows through Windows Update. Helpful instructions (rare these days!) on methods for setting the policy are provided in these KB articles.

After all that palaver, the optional updates are not pre-ticked, but it hasn't stopped the dreaded 3035583 update from coming out of hiding every month, presumably in the hope that user error will unleash the evil.

0
0
Silver badge

Compare and contrast...

... the CVEs for IE and Edge.

I haven't done it but I bet they're the same again this month.

2
0
Gold badge

Re: Compare and contrast...

And yet, oddly enough, Edge still seems to have *fewer* features than IE and more rough edges (bugs). It's almost as though it was the *newer* code in IE (which they kept) that was most flaky, and the older stuff (the dropping of which was the official reason to bring Edge in to being) was actually (eventually?) fairly reliable.

2
0
Silver badge
Happy

Re: Compare and contrast...

>[....] and the older stuff (the dropping of which was the official reason to bring Edge in to being) was actually (eventually?) fairly reliable.

After a decade of patches, you would expect it to be, right?

1
0
Silver badge
Linux

Re: Compare and contrast...

@Hans 1: "After a decade of patches, you would expect it to be, right?"

The patching process itself introduces its own vulnerabilities. As in you could take a particular hardware and software combination and have it certified to EAL7. Any addition, deletion or alteration to the system renders the cert void.

0
0
