2016: Bad USB sticks, evil webpages, booby-trapped font files still menace Windows PCs

Microsoft has published the March edition of its monthly security updates, addressing security flaws in Internet Explorer, Edge and Windows, while Adobe has issued updates for Digital Editions, Acrobat and Reader. Microsoft released 13 sets of patches for you to install as soon as possible: MS16-023 A cumulative update for …

  1. Destroy All Monsters Silver badge

    Dem Bones, dem dry Bones!

    THE RIDE NEVER ENDS!

    1. Anonymous Coward

      Re: Dem Bones, dem dry Bones!

      Can a can of worms have a can of worms?

      1. I sound like Peter Griffin!!

        Re: Dem Bones, dem dry Bones!

        Yes..

        And furthermore, the worms in the can that's in the can of worms are likely to each be holding a can of whup-a$$ which you should NOT open - Peter Griffin did so and look what happened to him..

        https://www.youtube.com/watch?v=aG59WqrAN3M

      2. John Brown (no body) Silver badge

        Re: Dem Bones, dem dry Bones!

        Yes. It's worms all the way down!

  2. Mark 85

    A quick perusal of the issues and they all (except for a few) seem to be for all the Win and Office versions. Like did they use the same code chunks in all versions? The BS PR from MS tries to tell us that Win8 and up are "new"... but under the hood, it's still a 1929 Buick.

    1. Anonymous Coward

      Hmmm..

      .. it appears I'm avoiding a lot of risk by using LibreOffice

      If I could just find a way to do without Flash - too many sites still rely on it :(. Adobe Reader I've removed when they wanted me to agree to frankly ridiculous new conditions with their DC reader, so that's no longer an issue.

      In conclusion, it appears attempting to try it on with unacceptable conditions and overcharging for something that doesn't actually bring *anything* new has made me safer. Yay :)

      1. Ken Hagan Gold badge

        Re: Hmmm..

        "If I could just find a way to do without Flash - too many sites still rely on it :(. "

        Just tell the site owner that they've lost your business because friends don't ask friends to drop their trousers and bend over.

    2. Anonymous Coward

      Just like LibreSSL looks to borrow a lot of code from OpenSSL (as a recent El Reg article shows), even if it is "new"? Because rewriting it fully from scratch would have taken years?

      Are you a software developer? Do you throw away all the previous code when you develop a new version? Some parts are rewritten from scratch, others are updated, others may be brought in as they are. If a font or document format doesn't change, there's a good chance their parsers don't as well, even across different releases.

      Moreover, design issues may propagate to later releases. Look at how the flaws in SSLv2 exist in any release.

    3. Anonymous Coward
      Megaphone

      Ohh FFS.

      If you had to write brand new code every OS release, we'd still be stuck using mainframes in a lab.

      Grow up.

      All operating systems have issues, otherwise I presume all the security flaws for Linux, BSD, Unix and so on are just made up are they?

      Patch and move on.

      1. Tom 13

        Re: Ohh FFS.

        I'd buy that except

        When we moved from Windows 3.11 to Windows 95 we were told it was a complete rewrite.

        When we moved from 98SE (because nobody is damn fool enough to admit using 98ME) to Windows 2000 we were told they did a complete rewrite.

        When we moved from XP SP1 to SP2 we were told they did a serious deep dive, patched a boatload of serious holes and from now on, Security would be job #1.

        When MS tried to convince everybody to move from XP SP3 to Vista we were told they did a complete rewrite of the code, all the way down to the HAL. At that point it was obvious they had because nothing worked right anymore. When they came out with the version we all adopted we were told they'd just fleshed out the driver set. Now it looks like they back ported the bad code into the system.

        When they moved from Windows 7 to Windows 8 we were told ...

  3. Anonymous Coward

    Same old

    On my W7 the KB2952664 W10 update nagware is back from the dead yet again - pre-ticked ready to install.

    KB3138612 looks suspicious too.

    "This article describes an update that contains some improvements to Windows Update Client in Windows 7 [...]"

    1. Anonymous Coward

      Re: Same old

      >On my W7 the KB2952664 W10 update nagware is back from the dead yet again - pre-ticked ready to install.

      >KB3138612 looks suspicious too.

      >"This article describes an update that contains some improvements to Windows Update Client in Windows 7 [...]"

      If so, I wonder who you should report this to because that strikes me as an attempt to install software explicitly against your will. If enough people invoke the Computer Misuse Act 1990 it may be possible to get this stopped, or earn at least for the time you waste on fighting this virus upgrade. You should not have to battle to keep a computer clean from something that is not a patch but an upgrade, that's a straightforward abuse of trust.

      1. Adam 52 Silver badge

        Re: Same old

        Attempting to gain an advantage by misleading?

        These guys - http://www.actionfraud.police.uk/types_of_fraud

      2. Chris Parsons

        Re: Same old

        Agreed, but a more pragmatic solution for me has to ditch my final Windows machine, so it's now all Mint Linux and OSX, with a Windows 7 VM for when nothing else will do. No regrets.

        1. Anonymous Coward

          Re: Same old

          >Agreed, but a more pragmatic solution for me has to ditch my final Windows machine, so it's now all Mint Linux and OSX, with a Windows 7 VM for when nothing else will do. No regrets.

          Well, yes, you and I are in the lucky position of being able to do that (and mandate that in new businesses), but not everyone has that good fortune. As a matter of fact, having just struck up discussions with a vendor of a very good product we may have to accept a policy exception for running a few Windows VMs - the product's value to the business offsets the costs of managing the extra risks we incur by having to maintain a Windows install.

          Thankfully we can run it from the DMZ and only give it a firewall pinhole.

    2. Martin Cable

      Re: Same old

      Yep, I've got that as well. Optional, unticked though. KB3035583 and KB3123862 look nasty too.

      1. TReko

        Re: Same old

        Oops installed 'em by accident.

        Here's the command line to uninstall: wusa /uninstall /kb:3123862 /norestart

  4. Florida1920
    Pint

    Life is good!

    Win 7 SP1 on the laptop, set for only Important Windows updates installed manually, as no MS Office and never use IE. Only update offered today was for Defender. FF is up to 45, which did get installed today, though I only keep it for sentimental reasons since they buggered the search function. MS tries to slip through Win 10 stuff via Optional updates, but I laugh as I hide them. Nothing that claims to update Windows Update gets over the moat.

    1. Florida1920

      Re: Life is good!

      Three down votes? Really? Well, MS is offering me 8 IMPORTANT updates today (Wednesday), including one that fixes a "problem" with Windows Update. Uh-huh. Guess which one isn't getting installed? Nor are the Optional updates. Time to start the madness and go to lunch.

  5. ashdav

    @Same old/Life is good

    To take control of your Win 7 updates I'd recommend the following:

    Turn off automatic updates.

    Install WSUS Offline updates and (if you feel paranoid) GWX Control Panel.

    http://download.wsusoffline.net/

    http://ultimateoutsider.com/downloads/

    Huzzah! No more Win 10 nags.

    1. Mystic Megabyte
      FAIL

      Re: @Same old/Life is good

      Huh! It's 2016 and Windows users still have to download random stuff from the web to make their boxes work.

      1. Anonymous Coward
        FAIL

        Re: @Same old/Life is good

        Huh! It's 2016 and Linux / Android / OSX / iOS users still have to download random stuff from the web to make their boxes work.

        Just for balance.

        1. Anonymous Coward

          Re: @Same old/Life is good

          >Huh! It's 2016 and Linux / Android / OSX / iOS users still have to download random stuff from the web to make their boxes work.

          So there's an app store for Windows now? Cool. Not that I would use it, but it's nice for them to catch up. Oh, wait, the Android one isn't that good either, it is in a way Microsoft compatible..

        2. Hans 1
          Boffin

          Re: @Same old/Life is good

          >Huh! It's 2016 and Linux / Android / OSX / iOS users still have to download random stuff from the web to make their boxes work.

          >Just for balance.

          I do not have to install some third party crap off the interwebs that nobody can authenticate to ensure my Linux does not update without my consent. Actually, I am always kindly asked if I want to update, and I can select/postpone as I see fit. I can get diff's of the patches from the interwebs to see EXACTLY which lines of source code were changed.

          Windows update attempts to trick you each time, with ever increasing sophistication. They use deception techniques, canned statements, "describing" the fixes, which often turn out to be way off.

          Installing stuff from a repository IS NOT THE SAME as hunting down GWX ControlPanel (or whatever it's called) on some random website hoping nobody has injected the Ask toolbar or other malware into the exe. I am not saying a repository is 100% safe, nothing is, but it is much safer than a random website, don't you think?

          So, you did not get the point.

          1. Anonymous Coward

            Re: @Same old/Life is good

            "Installing stuff from a repository IS NOT THE SAME as hunting down GWX ControlPanel (or whatever it's called)"

            have you downloaded a Mint Linux ISO recently (from the official source) ??? well that was secure and safe wasn't it! http://www.theregister.co.uk/2016/02/21/linux_mint_hacked_malwareinfected_isos_linked_from_official_site/

            FLAME ON!

    2. Steven Roper

      Re: @Same old/Life is good

      I've completely disabled Windows Update on both my Windows 7 machines. Both are used for 3D modelling and rendering, video work, graphic design, gaming and testing my websites to make sure they work on Windows.

      Neither one has internet access any longer. Neither one will ever be updated again.

      The only machines on my network that see the internet are Linux Mint boxes - one of which is being used to post this comment.

  6. allthecoolshortnamesweretaken

    Given the most common attack vectors of malware - what can we do to update the wetware?

    1. Fred Flintstone Gold badge

      what can we do to update the wetware?

      To paraphrase a meme, I'd say we remove all the warning labels..

  7. gnufrontier

    Whack a bug

    We are doomed to forever be involved somehow in the war on malware.

    1. Fred Flintstone Gold badge

      Re: Whack a bug

      Yup. The only choice you make is just how much effort you're willing to spend on keeping up to date.

    2. GW7
      Devil

      Re: Whack a bug

      I consider KB3035583 and KB2952664 to be malware. And there's a "bug" in Windows Update, because every time I hide these two miscreants, they reappear the following month in the list of optional updates.

      At this rate, Microsoft will soon resort to bundling the pre-ticked Win 10 installer with "freeware" like Java and Flash and the sort of dodgy programs that try to install unwanted browser toolbars and adware. Please stop this madness now Microsoft, stop nagging, and *respect* the user's choice.

      1. Dale 3
        Windows

        Windows 10 Patches

        Here is my complete list of Windows 10 nagware patches to avoid/hide on Windows Update. Please let me know if I've missed any:

        KB2952664

        KB2976978

        KB3035583

        KB3112343

        KB3123862

        1. Captain Badmouth
          Coat

          Re: Windows 10 Patches

          Here is my list of all possible dodgy patches, some quite recent.

          Check them out for yourself in case of error- in which case apologies in advance.

          WIN 7 and 8.1 spyware list.

          KB2592687

          KB2660075

          KB2726535

          KB2882822

          KB2902907 MS Security Essentials/Windows Defender related update

          KB2922324 (reportedly pulled, uninstall it anyway if already installed)

          KB2923545 Remote desktop protocol

          KB2952664 RS "Compatibility update for upgrading Windows 7" prepares system for upgrade to Windows 10, sends a bunch of telemetry data to M$, nagware patch that touts the Windows 10 upgrade, !reported to corrupt system files

          KB2977759 "Compatibility update for Windows 7 RTM", prepares system for upgrade to Windows 10, installs telemetry (SPYWARE)

          KB2990214 "Update that enables you to upgrade from Windows 7 to a later version of Windows" prepares system for upgrade to Windows 10/telemetry (SPYWARE)

          KB2994023

          KB2999226

          KB3015249 "Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7" Telemetry, reports UAC prompt choices when making changes to the system (SPYWARE)

          KB3021917 "Update to Windows 7 SP1 for performance improvements" prepares system for upgrade to Windows 10

          KB3022345 "Update for customer experience and diagnostic telemetry" installs diagnostic/usage tracking service (SPYWARE) !reported to corrupt system files

          KB3035583 "Update installs Get Windows 10 app in Windows 8.1 and Windows 7 SP1"

          Gives you the windows 10 invite pitch

          KB3046480 Update helps to determine whether to migrate the .NET Framework 1.1 when you upgrade Windows 8.1 or Windows 7

          KB3050265 "Windows Update Client for Windows 7: June 2015" supposedly fixes an issue with windows update, but also changes system files to support upgrade to Windows 10

          KB3065987 "Windows Update Client for Windows 7 and Windows Server 2008 R2: July 2015" makes "improvements" to the windows update client (really just more Win10 garbage)

          KB3068707 Customer experience telemetry.

          KB3068708 "Update for customer experience and diagnostic telemetry", installs telemetry service (SPYWARE), prepares system for upgrade to Windows 10 (replaces KB3022345)

          KB3075249 "Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7" Telemetry, reports UAC prompts to Microsoft (SPYWARE)

          KB3075851 "Windows Update Client for Windows 7 and Windows Server 2008 R2: August 2015" makes "improvements" to the windows update client (really just more Win10 garbage)

          KB3080149 "Update for customer experience and diagnostic telemetry" Update for customer experience and diagnostic telemetry, CEIP (SPYWARE)

          KB3083324

          KB3083710

          KB3097877

          KB3104460

          KB3112343 More spyware

          KB3123862

          KB3135445

          KB3138612

          KB971033 Description of the update for Windows Activation Technologies

          ****Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2 ONLY****

          KB2976978 "Compatibility update for Windows 8.1 and Windows 8" prepares system for upgrade to Windows 10 - once installed cannot be removed.

          KB2999226

          KB3044374 "Update that enables you to upgrade from Windows 8.1 to Windows 10", prepares system for upgrade to Windows 10. Nagware.

          KB3050267 "Windows Update Client for Windows 8.1: June 2015" supposedly fixes an issue with windows update, but also changes system files to support upgrade to Windows 10

          KB3065988

          KB3075853

          KB3083325

          KB3083711

          KB3112336 More spyware

          KB3133865

          KB3135449

          KB3138615

          Any comments welcome.

          Mine's the one with the Nostradamus guide to windows updates in the pocket.

      2. Anonymous Coward

        Re: Whack a bug

        "[...] they reappear the following month in the list of optional updates."

        You are lucky. They usually reappear in my updates as pre-ticked "important". So they have to be unticked and hidden again, and again, and .....

        1. GW7
          Windows

          Re: Whack a bug

          Change update settings to: "check for updates but let me choose whether to download and install them" and be sure to untick "give me recommended updates the same way I receive important updates".

          KB3050267 (on 8.1/2012R2) or KB3050265 (on Win7/2008R2) is an update to Windows Update (July 2015) that installs a new Group Policy object that enables you to block upgrades to the latest version of Windows through Windows Update. Helpful instructions (rare these days!) on methods for setting the policy are provided in these KB articles.

          After all that palaver, the optional updates are not pre-ticked, but it hasn't stopped the dreaded 3035583 update from coming out of hiding every month, presumably in the hope that user error will unleash the evil.
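
The audit-and-hide routine the comments in this thread describe doing by hand, as an added example that is not part of any poster's comment: it checks which of the five KBs from the "Windows 10 Patches" list are installed, and hides any that Windows Update is currently offering. It assumes an elevated PowerShell prompt on Windows 7/8.1 and uses `Get-HotFix` plus the Windows Update Agent COM object; the function names are hypothetical.

```powershell
# Added example; not from the thread. Function names are hypothetical.
# KB numbers are the five listed in the "Windows 10 Patches" comment above.
$NagKbs = '2952664', '2976978', '3035583', '3112343', '3123862'

function Get-InstalledNagKb {
    param([string[]]$KbIds)
    # Get-HotFix reports HotFixID in the form "KB<number>"
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    foreach ($id in $KbIds) {
        if ($installed -contains "KB$id") {
            New-Object PSObject -Property @{
                KB        = "KB$id"
                # Same command line quoted earlier in the thread; printed, not run
                Uninstall = "wusa /uninstall /kb:$id /norestart"
            }
        }
    }
}

function Hide-PendingNagKb {
    param([string[]]$KbIds)
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Only updates that are offered, not installed and not already hidden
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($update in $result.Updates) {
        # KBArticleIDs holds bare numbers, without the "KB" prefix
        $hit = @($update.KBArticleIDs | Where-Object { $KbIds -contains $_ })
        if ($hit.Count -gt 0) {
            $update.IsHidden = $true   # fails unless the session is elevated
            New-Object PSObject -Property @{
                KB     = "KB$($hit[0])"
                Title  = $update.Title
                Hidden = $update.IsHidden
            }
        }
    }
}

# Report what is already on the box, then hide whatever is being offered again
Get-InstalledNagKb -KbIds $NagKbs | Format-Table -AutoSize
Hide-PendingNagKb  -KbIds $NagKbs | Format-Table -AutoSize
```

Because the thread reports hidden updates reappearing each month, the output of the second function after each Patch Tuesday scan shows which ones came back.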

  8. Dan 55 Silver badge

    Compare and contrast...

    ... the CVEs for IE and Edge.

    I haven't done it but I bet they're the same again this month.

    1. Ken Hagan Gold badge

      Re: Compare and contrast...

      And yet, oddly enough, Edge still seems to have *fewer* features than IE and more rough edges (bugs). It's almost as though it was the *newer* code in IE (which they kept) that was most flaky, and the older stuff (the dropping of which was the official reason to bring Edge in to being) was actually (eventually?) fairly reliable.

      1. Hans 1
        Happy

        Re: Compare and contrast...

        >[....] and the older stuff (the dropping of which was the official reason to bring Edge in to being) was actually (eventually?) fairly reliable.

        After a decade of patches, you would expect it to be, right?

        1. Anonymous Coward
          Linux

          Re: Compare and contrast...

          @Hans 1: "After a decade of patches, you would expect it to be, right?"

          The patching process itself introduces its own vulnerabilities. As in you could take a particular hardware and software combination and have it certified to EAL7. Any addition, deletion or alteration to the system renders the cert void.
