back to article In 2015, your Windows PC can be owned by opening a spreadsheet

Microsoft and Adobe have pushed out their scheduled monthly security updates, with familiar names like IE and Flash once again getting critical fixes. For Redmond, the October update brings fixes for 33 CVE-listed security vulnerabilities. The updates include a cumulative fix for Internet Explorer and patches to address …

  1. elDog

    Yet Another Window Nuggie (YAWN) And most of us are doing that

    Hello, what's new?

    Oh, you got an infection and had to reformat your hard disk? Did you backup everything at least once in the last 5 years (NO).

    It would be comical except I do have some friends and business acquaintances who LIE about doing backups. "Oh, yes we do them frequently, well perhaps 6 months ago".

    1. Fatman Silver badge
      Pint

      Re: Yet Another Window Nuggie (YAWN) And most of us are doing that

      The thing I have always HATED about MS updates is that they sometimes took a lot of time to install, and at a former workplace, the manglement didn't want to suffer the downtime, so no patching. And slowly, over time they were more and more exposed.

      After i left, they didn't bother getting anyone with ANY IT experience to replace me, and in about 8 months they were pwned. And, due to the circumstances surrounding my departure, I refused to assist them. It made me so very warm and fuzzy inside when I heard that every one of their PC's were infected, and remediation service were going to cost them serious $$$$.

      Today, I oversee a company using Linux systems, and we have so few problems, I have time to do stuff that, if we were stuck with Windows and its accompanying niggles; I would never have to time to accomplish.

      Life is good, see icon-------------------------------------------------------------------->

  2. John Tserkezis

    "For Flash we recommend patching immediately,"

    "For Flash we recommend deleting immediately,"

    There, fixed it for them.

  3. Syntax Error

    Software

    Just proves that Windows is an insecure platform. Software programmers make lots of mistakes. After all these years you would of thought Microsoft would know how to program their OS safely and securely. Their office suite is just as bad. For example you should NEVER be able to take control of a PC via a web browser. If you can there is something fundamentally wrong in the design of the OS. Sandboxing doesn't work!!

    I like the way IT people blame users, but seriously software programming and OS's are not up to scratch for consumers to use safely and securely. To have to download gigabytes of patches every month just to "fix" the OS and Office is proof of their failure.

    Furthermore TCP/IP needs to be replaced as it is not really secure. Network devices relying on plain text MAC addresses to communicate is pretty backward.

    1. hypernovasoftware

      Re: Software

      This is Windows' legacy - security updates ad nauseum.

      That's why I stopped using Windows years ago.

    2. Mikel

      Re: Software

      Legacy software support is the reason for Windows, and will be the death of it.

      >After all these years you would of thought Microsoft would know how to program their OS safely and securely.

      They know how, but the answer is to not allow code to run that isn't well sourced, signed and validated. That means trusted repositories *required*, not included as an option. And that is a paradox because Windows has always been software from random strangers installed by any means necessary.

    3. Christian Berger Silver badge

      Re: Software

      "Furthermore TCP/IP needs to be replaced as it is not really secure. Network devices relying on plain text MAC addresses to communicate is pretty backward."

      a) TCP/IP does not rely on MAC addresses, those are part of Ethernet.

      b) Networks cannot provide security in a sense of integrity or secrecy, this has to be done on different levels.

    4. sabroni Silver badge

      Re: Just proves that Windows is an insecure platform. Software programmers make lots of mistakes.

      So you use an OS that isn't written by Software programmers and is therefore secure?

    5. Stuart 22

      The elephant in the room is ... XP!

      "Just proves that Windows is an insecure platform."

      It could be better but its real problem is its market domination makes it the most targeted platform. Nothing will be totally secure, hackers will always find a way if the returns are good enough. People with Linux desktops don't have to worry much but those with Linux servers know the pain.

      All we can do is patch fast and then patch the patches and accept (or not) the delicate issues raised by automatic updates. The real problem is the great unpatched. And the biggest most festering bunch are the XP laggards - probably still running IE8 or earlier. This is yet another set of nails gifted to hackers to nail 'em.

      We really need an XP-killer. I'm hoping the Lets Encrypt initiative will soon lead to most of their useful websites being encrypted and the IPv4 shortage make them rely on SNA which IE/XP does not support. Losing access to websites may be an incentive to move on. Whether to Win10, MacOS, Linux or whatever is a secondary consideration.

      And I'm really worried about Android (current version - 3) being the next elephant .

      1. SecretSonOfHG

        Re: The elephant in the room is ... XP!

        "And I'm really worried about Android (current version - 3) being the next elephant"

        Said that a while ago, Android is the next Windows.

    6. LionelB

      Re: Software

      "... would of thought ..."

      would have thought (or would've thought)

      Syntax Error by name, ...

    7. P. Lee Silver badge

      Re: Software

      Actually, sandboxing is the answer and signed code is not.

      It is often quite hard to differentiate between code and data. That vb code is just data to the vb interpreter.

      The problem is that the os doesn't sandbox apps and there is no rights hierarchy. Why would you allow excel to access system settings? Why would you allow excel to execute binaries outside of /office/excel/bin? Why wouldn't the os by default restrict executable's ability to run further executables to the subtree of the initial executable? Why can't I tell the os not to allow excel access to anything but "My Documents"? Does it want to load and run vbscript? Sure, but that vbscript inherits excel's rights and can only access files in My Documents too.

      Why not have a read-only $binpath and $docpath inherited and set automatically on execution? Then that browser flaw allows ransomware to encrypt your browser app and your Downloads directory. Meh.

      How about a flag to allow network access or it gets none? How about a flag which allows raw sockets or uri's which are logged/submitted to os security for approval? A built in local proxy service. Admin-installed packaged apps get to declare resource requests, but everything else is sandboxed by the os.

      These may not be appropriate for high throughput servers, but for desktops and exposed systems? I thInk so!

  4. Anonymous Coward
    Anonymous Coward

    Hidden W10 upgrade updates are back again!!!!!

    They are forcing the KB3035583 through again. Re-published 5 October 2015 as a pre-ticked "important recommended". You have to follow the links to find out that it is that W10 upgrade nag.

    Damn thing is like a zombie... ..haven't checked what other W10 spyware patches are being sneaked through again. That will have to wait until tomorrow. Way past my bedtime.

    I'm hopping mad - that is at least three times I've hidden it. MS really know how to piss people off to Linux mint.

    Damn!! KB 3083710 is back again too - apparently a W10 snooping patch. Although MS don't say what it does. Had to Google.

    1. Mark 85 Silver badge

      Re: Hidden W10 upgrade updates are back again!!!!!

      I've got those killed and buried and yes, they keep coming back. Also one that started popping up last week in Updates.... "Install Windows 10 NOW!!!"

    2. Mikel

      Re: Hidden W10 upgrade updates are back again!!!!!

      You *will* take Windows 10 whether you want it or not. They *need* to crow about those billion users now to prove they are still relevant. Never mind that by the time they get there with system updates that don't involve equipment sales Android will have sold five billion new *devices*.

      1. Dan 55 Silver badge

        Re: Hidden W10 upgrade updates are back again!!!!!

        It might be easier to change three registry entries to keep GWX at bay than fight Windows Update...

        [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GWX]

        "DisableGwx"=dword:00000001

        [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]

        "DisableOSUpgrade"=dword:00000001

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade]

        "ReservationsAllowed"=dword:00000000

        Of course you've still got to stop the telemetry updates yourself.

    3. Anonymous Coward
      Anonymous Coward

      Re: Hidden W10 upgrade updates are back again!!!!!

      KB2952664 also popped up here as well.

    4. paulf Silver badge
      Mushroom

      Re: Hidden W10 upgrade updates are back again!!!!!

      "For users running Windows Update, the October updates should download and install automatically."

      No they bloody well won't be - for this very reason. That auto install option was one of the first things I turned off along with the "Give me recommended updates the same way I receive important updates" option.

      Microsoft can shove their creepy stealthy Lets-Out-Google-Google telemetry customer experience grenade up their backsides and rotate on it. Pic - they can pull the pin out before they shove it up.

    5. Anonymous Coward
      Gimp

      Re: Hidden W10 upgrade updates are back again!!!!!

      Someone helpful soul is maintaining a set of scripts to help with these problems:

      https://github.com/WindowsLies/BlockWindows

      Apparently he's having problems with MSFT using fraudulent DMCA proclamations to bully sites which link to his project: So he must be doing something right... If you find it helpful (as I do) then...

      ;)

      1. Roland6 Silver badge

        Re: Hidden W10 upgrade updates are back again!!!!!

        >Apparently he's having problems with MSFT using fraudulent DMCA proclamations to bully sites which link to his project

        Remember MS on all their KB articles provide a feedback box in which you are invited to explain how the KB article can be improved; I recommend using this facility that MS provide especially for the GWX related updates to give them your opinions...

  5. Anonymous Coward
    Anonymous Coward

    Windows PosReady (XP) update fails this month

    Selecting "Windows Update" in Explorer gave a 404 error this month...

    You have to re-register a System32 module. I followed the instructions here

    .. ccm dot net/faq/255-no-windows-update-with-windows-xp-sp3

    and everything sprang to life again

    1. Uncle Slacky Silver badge
      Windows

      Re: Windows PosReady (XP) update fails this month

      Also, for anyone who wants to do a "fresh" XP (re)install, Windows Fundamentals for Legacy PCs* appears to be built on the same base as the POS version - at least, I'm still getting updates on my FLP installs...

      * available at your friendly local torrent site, natch

  6. Anonymous Coward
    Anonymous Coward

    Blessing in disguise

    Suddenly, my decision to stick with Windows Vista (machine was bought/assembled in early 2008) seems to be a brilliant one. At least Vista has been exempted of the mandatory telemetry spyware patch forced upon users of Windows 7 and 10.

    IE vulnerabilities are irrelevant unless you somehow still uses IE for web browsing (I doubt most home users do that these days).

    Excel's vulnerability is bad if you work with spreadsheets frequently, but CEO SatNad's all about the CLOUD now. Once the older offline versions of Office have reached end of life he'll coerce everyone to subscribe for Office 365. Alternatively, a new boxed retail version of Office which requires a paid subscription to unlock the additional CLOUD features and 'enhance your Office productivity experience'. Think of Freemium games or DLC content. Or the Solitaire game on the Windows 10 app store. Think also of the data mining opportunities for SatNad's CLOUD.

    I'm still using Office 2007 Pro. The enterprise version which you don't have to activate. Obtained legally from my workplace.

    I quite frankly don't need Windows now, except maybe to play some legacy games (mid 1990s to mid 2000s). For my very minuscule CLOUD computing needs, I choose Google over Microsoft any time of the day.

  7. Feldagast

    That picture looks like MS Multiplan

  8. alain williams Silver badge

    Get the basics right!

    I would have thought that MS would have had the money to be able to do security audits - the money that it makes is more than enough to pay for it. But, as it has done though out its history, it has been more interested in adding new features demanded by marketing than making a solid product.

    Download and use LibreOffice - this has fewer vulnerabilities in spite of having a development budget that is less than a rounding errors in Microsoft's accounts.

  9. Anonymous Coward
    Anonymous Coward

    Office 2016 - Mac updates

    Only a cool 3Gb in size.

    OneNote 15.15.0 345Mb

    Word 15.15.0 871.4Mb

    Excel 15.15.0 767.8Mb

    PowerPoint 15.15.0 720.5Mb

    Outlook 15.15.0 532.7Mb

    WTF are you playing at MS?

    1. Richard 12 Silver badge

      Re: Office 2016 - Mac updates

      They're Full installers. Whole thing as on the original (maybe) DVDs.

      Patching an existing install on a Mac is apparently "ungodly difficult"*, so all updates have to be a complete, full reinstall of the whole thing.

      * At least, I cannot find any way to do it. If you, the reader know how, please tell! I really want to do it but it seems impossible.

      1. Dan 55 Silver badge
        Facepalm

        Re: Office 2016 - Mac updates

        Well any application using the Sparkle framework manages it if the developer programs it, and that's open source.

        No comment about MS not being able to manage it... apart from the icon.

        1. Richard 12 Silver badge

          Re: Office 2016 - Mac updates

          Not heard of that before - interesting, thanks!

          (Apple don't seem to think it exists.)

          1. Richard 12 Silver badge

            Re: Office 2016 - Mac updates

            Ah yes - the usual behaviour of Sparkle is also to download the whole thing.

            Just automatically.

            It does however appear to be possible to do patch updates using it, which would be nice.

  10. Anonymous Coward
    Anonymous Coward

    Remove all Adobe products

    Flash and Acrobat reader are guaranteed to get your PC hacked. Get rid!

    1. hplasm Silver badge
      Coat

      Re: Remove all Adobe products

      Windows and Office are guaranteed to get your PC hacked. Get rid!

      /oblig

      1. Anonymous Coward
        Anonymous Coward

        Re: Remove all Adobe products

        Especially as Office for Mac always asks 'do you want to accept incoming connections?'

        after an upgrade.

        Well Duh No. Can't you keep track of what I said last time?

        sloppy, very sloppy.

  11. Michael Habel Silver badge

    So no new tricksy updates then?

    At this point I'm losing what little faith I might have had in Redmond's Chocolate Factory. That said I'm surprised that they haven't continued to push their Spyware further.

    1. Michael Habel Silver badge

      Re: So no new tricksy updates then?

      *Note my remark was reflective of the Article, and not the comments made above. For given that info. it's clear that MicroSoft haven't learnt Jack yet. If I went as tied to my leaky Android Phablet with its flakky autocorrect. I'd be so off Windows 7, thing is I hardly ever fire up my beige box these days. Save for security updates. Problem is who's watching the Watchmen?

      And this this latest decision from that lot will go down in history as; How to destroy a mega-corp in as many Months. This crap was kinda cute a few Months ago. Now its just turning tragic, and a move to Linux. Like (The learning curve), or not is increasingly now in order. Thankfully Distros like Mint have made this "Curve" a lot less painful then some Shills would have you believe.

      So its not so much a question of want, or need. at the root of it all is One of the largest reasons why the PC is a dying beast, that only the very loud MUSTARDRACE refuse to see. TBF though if I were inclined to drop Thousands into such a Rig, I'd to would probably go incandescent at the thoughts of others on the impending death of the beige box. Which is why my next PC will be one of those Ultra low-power jobs from China with an Atom CPU, with Ubuntu pre-installed.

      'cause there will always be a market for beige boxes. But the PC fad of the 90s/00s is now over.

  12. Zog_but_not_the_first Silver badge
    Black Helicopters

    Stopping the Windows 10 upgrade terminator

    The last straw came when my check for Win 7 updates last week gave me the "offer" of upgrading to Windows 10 AND NO ALTERNATIVE. I guess many people gave in at that point and joined the collective.

    Reading around for ways to kill the persistent critter I came across GWX Control Panel that automates the process very nicely.

    1. Zog_but_not_the_first Silver badge
      Trollface

      Re: Stopping the Windows 10 upgrade terminator

      A downvote! Who knew Nadella was an El Reg commentard?

  13. illiad

    another good one..

    http://www.ghacks.net/2015/06/10/i-dont-want-windows-10-removes-upgrade-notifications-from-windows-7-and-8/

    everyone knows the XL one, maybe why we are talking win10???

  14. Geoffrey Madden

    Many thanks for the advice. I checked a PC with Windows 7 for x64-based Systems, and discovered the following:

    Important: KB3083710 "Install this update to resolve issues in Windows." The box had been ticked. Does this mean that issues with Windows 7 will be resolved by swapping to Windows 10?

    Optional: KB3035583 "Recommended Update Install this update to resolve issues in Windows."

    Are these really as dishonest as they appear to be? Like others, I have been trying to move over to Linux for years, for the last few using Mint.

  15. mike acker

    whac-whac-whac that same old mole

    we've been whacking that same old mole for 10 years

    time to throw that game out the back and down the alley

  16. Bladeforce

    I really do feel sorry for you..

    ..windows users.

    Battling against security holes, virus scanners....and now the biggest malware company on the internet...MICROSOFT.

    Get control of YOUR PC back for your own sake and sanity. Microsoft just aren't worth the effort anymore

  17. Alan J. Wylie

    TLSv1.2, RC4 disabled

    https://support.microsoft.com/en-us/kb/2978675

    https://technet.microsoft.com/library/security/2960358

    | On May 13, 2014, Microsoft announced the availability of an update

    | for Microsoft .NET Framework that disables RC4 in Transport Layer

    | Security (TLS) through the modification of the system registry. Use

    | of RC4 in TLS could allow an attacker to perform man-in-the-middle

    | attacks and recover plaintext from encrypted sessions.

    | As of October 13, 2015, Microsoft is broadening the affected software

    | list to include Windows 10 systems that are running .NET Framework

    | 3.5 applications and systems with .NET Framework 4.6 installed that

    | are running .NET Framework 4.5/4.5.1/4.5.2 applications.

    TLS has been updated from 1.0 to 1.2

  18. Captain Mainwaring

    Just Saying

    Don't seem to get any of these problems on my Chromebook. Updates happen in the background and are applied in seconds on start up. I know most apps are cloud-based, but there are hundreds available and the choice is growing all the time. I'm not saying Chrome OS is for everyone at the moment, but as more professional business apps go online, perhaps its fast, lightweight nature and low overhead maintenance will make it an attractive choice in the future?

  19. Captain Badmouth
    Big Brother

    In 2015,

    Your windows 7 or 8 or 8.1 box can be pwned by Microshaft. I thought I had gotten rid of all the win10 shit on my daughters laptop until she complained that when she went to update it win10 tried to download. It seems there's a new update for 8.1 -KB2976978 which does this, and the win10 update is in the optional updates section which Microsoft had helpfully ticked for her! Sorry, but these people are getting totally out of hand, it needs a class action against them from people who have automatic updates and whose computer(s) have been subsequently bricked.

    1. Captain Badmouth
      Flame

      Re: In 2015,

      The optional win 10 upgrade returns "ticked by microshaft" after every restart so GWX control panel as mentioned above finally does the trick. Microshaft, what a bunch of bastards.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019