Dem Bones, dem dry Bones!
THE RIDE NEVER ENDS!
Microsoft has published the March edition of its monthly security updates, addressing security flaws in Internet Explorer, Edge and Windows, while Adobe has issued updates for Digital Editions, Acrobat and Reader. Microsoft released 13 sets of patches for you to install as soon as possible: MS16-023 A cumulative update for …
... it appears I'm avoiding a lot of risk by using LibreOffice
If I could just find a way to do without Flash - too many sites still rely on it :(. Adobe Reader I've removed when they wanted me to agree to frankly ridiculous new conditions with their DC reader, so that's no longer an issue.
In conclusion, it appears attempting to try it on with unacceptable conditions and overcharging for something that doesn't actually bring *anything* new has made me safer. Yay :)
Just like LibreSSL looks to borrow a lot of code from OpenSSL (as a recent El Reg article shows), even if it is "new"? Because rewriting it fully from scratch would have taken years?
Are you a software developer? Do you throw away all the previous code when you develop a new version? Some parts are rewritten from scratch, others are updated, others may be brought in as they are. If a font or document format doesn't change, there's a good chance their parsers don't either, even across different releases.
Moreover, design issues may propagate to later releases. Look at how the flaws in SSLv2 exist in any release.
I'd buy that except
When we moved from Windows 3.11 to Windows 95 we were told it was a complete rewrite.
When we moved from 98SE (because nobody is damn fool enough to admit using 98ME) to Windows 2000 we were told they did a complete rewrite.
When we moved from XP SP1 to SP2 we were told they did a serious deep dive, patched a boatload of serious holes and from now on, Security would be job #1.
When MS tried to convince everybody to move from XP SP3 to Vista we were told they did a complete rewrite of the code, all the way down to the HAL. At that point it was obvious they had because nothing worked right anymore. When they came out with the version we all adopted we were told they'd just fleshed out the driver set. Now it looks like they back ported the bad code into the system.
When they moved from Windows 7 to Windows 8 we were told ...
On my W7 the KB2952664 W10 update nagware is back from the dead yet again - pre-ticked ready to install.
KB3138612 looks suspicious too.
"This article describes an update that contains some improvements to Windows Update Client in Windows 7 [...]"
If so, I wonder who you should report this to because that strikes me as an attempt to install software explicitly against your will. If enough people invoke the Computer Misuse Act 1990 it may be possible to get this stopped, or at least earn something for the time you waste fighting this virus upgrade. You should not have to battle to keep a computer clean from something that is not a patch but an upgrade, that's a straightforward abuse of trust.
Agreed, but a more pragmatic solution for me has been to ditch my final Windows machine, so it's now all Mint Linux and OSX, with a Windows 7 VM for when nothing else will do. No regrets.
Well, yes, you and I are in the lucky position of being able to do that (and mandate that in new businesses), but not everyone has that good fortune. As a matter of fact, having just struck up discussions with a vendor of a very good product we may have to accept a policy exception for running a few Windows VMs - the product's value to the business offsets the costs of managing the extra risks we incur by having to maintain a Windows install.
Thankfully we can run it from the DMZ and only give it a firewall pinhole.
Win 7 SP1 on the laptop, set for only Important Windows updates installed manually, as no MS Office and never use IE. Only update offered today was for Defender. FF is up to 45, which did get installed today, though I only keep it for sentimental reasons since they buggered the search function. MS tries to slip through Win 10 stuff via Optional updates, but I laugh as I hide them. Nothing that claims to update Windows Update gets over the moat.
To take control of your Win 7 updates I'd recommend the following:
Turn off automatic updates.
Install WSUS Offline updates and (if you feel paranoid) GWX Control Panel.
Huzzah! No more Win 10 nags.
Huh! It's 2016 and Linux / Android / OSX / iOS users still have to download random stuff from the web to make their boxes work.
So there's an app store for Windows now? Cool. Not that I would use it, but it's nice for them to catch up. Oh, wait, the Android one isn't that good either, it is in a way Microsoft compatible..
>Huh! It's 2016 and Linux / Android / OSX / iOS users still have to download random stuff from the web to make their boxes work.
>Just for balance.
I do not have to install some third party crap off the interwebs that nobody can authenticate to ensure my Linux does not update without my consent. Actually, I am always kindly asked if I want to update, and I can select/postpone as I see fit. I can get diffs of the patches from the interwebs to see EXACTLY which lines of source code were changed.
Windows update attempts to trick you each time, with ever increasing sophistication. They use deception techniques, canned statements, "describing" the fixes, which often turn out to be way off.
Installing stuff from a repository IS NOT THE SAME as hunting down GWX ControlPanel (or whatever it's called) on some random website hoping nobody has injected the Ask toolbar or other malware into the exe. I am not saying a repository is 100% safe, nothing is, but it is much safer than a random website, don't you think?
So, you did not get the point.
"Installing stuff from a repository IS NOT THE SAME as hunting down GWX ControlPanel (or whatever it's called)"
Have you downloaded a Mint Linux ISO recently (from the official source)? Well, that was secure and safe, wasn't it! http://www.theregister.co.uk/2016/02/21/linux_mint_hacked_malwareinfected_isos_linked_from_official_site/
I've completely disabled Windows Update on both my Windows 7 machines. Both are used for 3D modelling and rendering, video work, graphic design, gaming and testing my websites to make sure they work on Windows.
Neither one has internet access any longer. Neither one will ever be updated again.
The only machines on my network that see the internet are Linux Mint boxes - one of which is being used to post this comment.
I consider KB3035583 and KB2952664 to be malware. And there's a "bug" in Windows Update, because every time I hide these two miscreants, they reappear the following month in the list of optional updates.
At this rate, Microsoft will soon resort to bundling the pre-ticked Win 10 installer with "freeware" like Java and Flash and the sort of dodgy programs that try to install unwanted browser toolbars and adware. Please stop this madness now Microsoft, stop nagging, and *respect* the user's choice.
Here is my list of all possible dodgy patches, some quite recent.
Check them out for yourself in case of error - in which case apologies in advance.
WIN 7 and 8.1 spyware list.
KB2902907 MS Security Essentials/Windows Defender related update
KB2922324 (reportedly pulled, uninstall it anyway if already installed)
KB2923545 Remote desktop protocol
KB2952664 RS "Compatibility update for upgrading Windows 7" prepares system for upgrade to Windows 10, sends a bunch of telemetry data to M$, nagware patch that touts the Windows 10 upgrade, !reported to corrupt system files
KB2977759 "Compatibility update for Windows 7 RTM", prepares system for upgrade to Windows 10, installs telemetry (SPYWARE)
KB2990214 "Update that enables you to upgrade from Windows 7 to a later version of Windows" prepares system for upgrade to Windows 10/telemetry (SPYWARE)
KB3015249 "Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7" Telemetry, reports UAC prompt choices when making changes to the system (SPYWARE)
KB3021917 "Update to Windows 7 SP1 for performance improvements" prepares system for upgrade to Windows 10
KB3022345 "Update for customer experience and diagnostic telemetry" installs diagnostic/usage tracking service (SPYWARE) !reported to corrupt system files
KB3035583 "Update installs Get Windows 10 app in Windows 8.1 and Windows 7 SP1" Gives you the Windows 10 invite pitch
KB3046480 Update helps to determine whether to migrate the .NET Framework 1.1 when you upgrade Windows 8.1 or Windows 7
KB3050265 "Windows Update Client for Windows 7: June 2015" supposedly fixes an issue with windows update, but also changes system files to support upgrade to Windows 10
KB3065987 "Windows Update Client for Windows 7 and Windows Server 2008 R2: July 2015" makes "improvements" to the windows update client (really just more Win10 garbage)
KB3068707 Customer experience telemetry.
KB3068708 "Update for customer experience and diagnostic telemetry", installs telemetry service (SPYWARE), prepares system for upgrade to Windows 10 (replaces KB3022345)
KB3075249 "Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7" Telemetry, reports UAC prompts to Microsoft (SPYWARE)
KB3075851 "Windows Update Client for Windows 7 and Windows Server 2008 R2: August 2015" makes "improvements" to the windows update client (really just more Win10 garbage)
KB3080149 "Update for customer experience and diagnostic telemetry" Update for customer experience and diagnostic telemetry, CEIP (SPYWARE)
KB3112343 More spyware
KB971033 Description of the update for Windows Activation Technologies
****Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2 ONLY****
KB2976978 "Compatibility update for Windows 8.1 and Windows 8" prepares system for upgrade to Windows 10 - once installed cannot be removed.
KB3044374 "Update that enables you to upgrade from Windows 8.1 to Windows 10", prepares system for upgrade to Windows 10. Nagware.
KB3050267 "Windows Update Client for Windows 8.1: June 2015" supposedly fixes an issue with windows update, but also changes system files to support upgrade to Windows 10
KB3112336 More spyware
Any comments welcome.
Mine's the one with the Nostradamus guide to windows updates in the pocket.
Change update settings to: "check for updates but let me choose whether to download and install them" and be sure to untick "give me recommended updates the same way I receive important updates".
KB3050267 (on 8.1/2012R2) or KB3050265 (on Win7/2008R2) is an update to Windows Update (July 2015) that installs a new Group Policy object that enables you to block upgrades to the latest version of Windows through Windows Update. Helpful instructions (rare these days!) on methods for setting the policy are provided in these KB articles.
After all that palaver, the optional updates are not pre-ticked, but it hasn't stopped the dreaded 3035583 update from coming out of hiding every month, presumably in the hope that user error will unleash the evil.
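The three steps in the post above (find which of the listed KBs are on a box, hide the ones Windows Update keeps re-offering, and set the upgrade-blocking policy that the July 2015 client supports) can be scripted. This is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell session on Windows 7/8.1, uses the Windows Update Agent COM API and the DisableOSUpgrade/DisableGwx policy values documented by Microsoft in KB3080351, and its $WatchList is constructed from the list posted earlier in the thread.

```powershell
# Added example (not from the thread or Microsoft): audit, hide and block, per the post above.
# Assumes an elevated PowerShell session; $WatchList is constructed from the earlier post.
$WatchList = @('KB2952664','KB2977759','KB2990214','KB3015249','KB3021917','KB3022345',
               'KB3035583','KB3046480','KB3050265','KB3065987','KB3068707','KB3068708',
               'KB3075249','KB3075851','KB3080149','KB3112343','KB2976978','KB3044374',
               'KB3050267','KB3112336')

# 1. Which watched KBs are already installed? Get-HotFix reads the same data as
#    "View installed updates", so check here before uninstalling anything by hand.
function Get-WatchedHotFix {
    param([string[]]$Ids = $WatchList)
    Get-HotFix | Where-Object { $Ids -contains $_.HotFixID } |
        Select-Object HotFixID, Description, InstalledOn
}

# 2. Hide watched KBs that Windows Update is currently offering, using the Windows
#    Update Agent COM API (same effect as right-click > "Hide update" in the GUI).
function Hide-WatchedUpdate {
    param([string[]]$Ids = $WatchList)
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
    foreach ($u in $pending) {
        # KBArticleIDs holds bare numbers ("3035583"), so re-add the prefix to compare
        $kbs = @($u.KBArticleIDs | ForEach-Object { "KB$_" })
        if ($kbs | Where-Object { $Ids -contains $_ }) {
            $u.IsHidden = $true
            Write-Output ("Hidden: {0} ({1})" -f $u.Title, ($kbs -join ','))
        }
    }
}

# 3. Policy values from KB3080351: DisableOSUpgrade stops the Windows 10 upgrade being
#    offered through Windows Update; DisableGwx suppresses the "Get Windows 10" tray app.
function Set-OsUpgradeBlock {
    $wu  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $gwx = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Gwx'
    foreach ($k in $wu, $gwx) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    Set-ItemProperty -Path $wu  -Name DisableOSUpgrade -Value 1 -Type DWord
    Set-ItemProperty -Path $gwx -Name DisableGwx       -Value 1 -Type DWord
    # Read the values back so the script's output shows the policy actually took effect
    Get-ItemProperty -Path $wu  -Name DisableOSUpgrade
    Get-ItemProperty -Path $gwx -Name DisableGwx
}

Get-WatchedHotFix
Hide-WatchedUpdate
Set-OsUpgradeBlock
```

Hidden updates can still be unhidden from the Windows Update GUI, so re-running the audit after each Patch Tuesday is the practical check that nothing on the list has crept back.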
And yet, oddly enough, Edge still seems to have *fewer* features than IE and more rough edges (bugs). It's almost as though it was the *newer* code in IE (which they kept) that was most flaky, and the older stuff (the dropping of which was the official reason to bring Edge in to being) was actually (eventually?) fairly reliable.
@Hans 1: After a decade of patches, you would expect it to be, right?
The patching process itself introduces its own vulnerabilities. As in you could take a particular hardware and software combination and have it certified to EAL7. Any addition, deletion or alteration to the system renders the cert void.
Biting the hand that feeds IT © 1998–2019