A small percentage of Windows users have opted into the “Insiders” program which grants them early access to new features, bug fixes and content updates for Windows 10, which as I’m sure all of you are painfully familiar with now, updates very frequently. The object of the Insiders program is to “beta test” new updates to the operating system before they are pushed out to the rest of the world, presumably to catch bugs before they can affect the more than 700 million devices that use Windows 10. Well, they caught a bug, but not before it erased data on an undisclosed number of Insider machines.
What this means for you – Get backed up!
If you aren’t an Insider – you have to opt into the program – you only have to worry about fully tested updates destroying your data. I’m only being somewhat sarcastic here, as many of you have experienced some form of loss (data, time, monetary) recovering from the forced death march that is Windows 10’s update cycle, and at least one of my clients experienced a complete wipe of all of his installed applications, necessitating hours of reinstallation work. It’s important to understand that Microsoft, just like any company powered by humans, can and will make mistakes, and those mistakes will cause problems for you. Fortunately, you can counteract this uncertainty with a simple practice: back up your data. There are many options to choose from in this area – some of my clients only work on and store important data on a central server that is backed up, or, if that option isn’t available to them, they use some form of cloud backup, either self-managed or provided to them by C2. Just the other day I had a client suffer a complete data wipe (rare, but it does happen) due to a crashed Windows profile (possibly caused by a Windows update) but they were backed up right until the crash and were able to recover their data, albeit slowly. The backup paid for itself in spades that day, and saved my client from catastrophic loss.
Last week, the majority of US Windows 10 users received a big update from Microsoft nicknamed the “Anniversary Update”, primarily because it was initially released on Aug 2, approximately one year after the official launch of Microsoft’s latest operating system. Amongst a host of improvements to core features like Edge and Cortana and presumably numerous bug fixes, the update also managed to render millions of webcams inoperable. Depending on what you use your computer (and webcam) for, and even what generation you hail from, the impact of this could have been non-existant to a complete showstopper. In the ongoing videochat fight, Apple and Google just scored a TKO without even stepping into the ring.
What this means for you:
Obviously if you don’t use Windows 10 and a webcam, feel free to point and laugh or shake your head in sympathy. What might make this very aggravating for the average Windows 10 user is that they may not even know their computer was updated last week. All they know is their Skype or favorite videochat app is now locking up after a minute with no visible explanation. Even more exasperating is Microsoft’s new rollback policy for Windows 10. Previous versions of Windows allowed the user to uninstall any MS update applied to their system at any time. Now, with Windows 10, you have ten days to rollback your OS to a previous version, otherwise you are just out of luck. In the grand scheme of things, ten days is a very short time to figure out the root cause of an obscure problem like this, so you can imagine that many folks are discovering the root cause of this problem too late to easily solve it.
Though Microsoft has finally acknowledged the problem (WARNING: technical jargon galore!), a patch is unlikely to be released until September. Until that day arrives, the only fix is to rollback the Anniversary update (if you catch it within 10 days) or manually edit your computer’s registry. Buying another webcam won’t necessarily fix this problem unless you know for a fact it can process video through a codec known as YUY2, as Microsoft intentionally removed support for the more common MJPEG and H.264 protocols. According to them, these two older codecs have significant performance issues and support was removed to improve Windows 10. So now instead of degrading performance, your webcam will have zero impact on your computers performance. Working as intended?
In case you are new here, let me catch you up on the primary purpose of this blog. My objective is to scare you into being more secure with technology. It doesn’t always work – one person’s phobia is another’s fetish, but this one ought to give you pause. A white hat security hacker has uncovered a bug in Symantec Antivirus that would allow for an almost trivial exploitation of its scanning engine to actually compromise the computer its supposed to be protecting. And this bug exists across all three major operating systems – Windows, OSX and Linux – something that is very rare in any type of software. Not worried yet? A victim doesn’t even need to open an infected file because Symantec will do it for them when it scans the file in your email, or scans a link in your web browser. Just touching a file designed to exploit this bug will cause a memory buffer overflow, which is tech-speak for “OK malware, I’m puckering up so you can plant a big haymaker right in my kisser.”
What this means for you:
If you don’t use Symantec or Norton products for malware protection, carry on and enjoy that feeling of schadenfreude most technology users rarely experience. If you do use either of those products, Symantec has already patched this bug, and if your software is set to update automatically, it should no longer be a problem. There in lies the rub: do you know if your antivirus is up to date? How many of you have been ignoring the little warning flags your AV has been waving at you from the corner of your screen, “Hey, I need to update but I can’t for some reason!” Do you know how to make sure your antivirus is updating regularly? By the way, “regularly” means daily, if not multiple times a day. Zero-day exploits are sometimes seen within hours of an vulnerability being published. Security companies like Symantec stake their reputation on reacting quickly, but they can only lead your computer to the update river. You need to make sure it’s drinking deep, daily. Not a software update wrangler by trade? Well it just so happens I know someone who is, pardner.
You wouldn’t let your business be run by amateurs, why would you leave your technology to anyone less that an experienced professional?
Most of us have seen the persistent little icon in the system tray, and clicked the many variations of “Not now!” to Microsoft’s constant reminders to upgrade to Windows 10. Some of you even caved in and upgraded your computer to Winodws 10, and an even smaller percentage of you have come out on the other side mostly intact and productive. I still continue to recommend against upgrading existing Windows 7 and 8 computers without considerable caution, planning and the watchful supervision of a trained technology professional. “Cleanly” installed (either on a blank hard drive or from the factory new), Windows 10 is a good operating system that performs well but still has many rough edges, and I have seen way too many upgrade installations go south faster than geese in winter. For reliabililty and performance, Windows 7 is still very hard to beat, and is still considered the standard in enterprise/corporate technology. Despite all of this, Microsoft continues to advance its agenda of “Upgrade all the things”, and has now made the Windows 10 upgrade installer a “recommended update”.
What this means for you:
By default, Windows 7 and 8 are set to automatically check for, download and install critical security updates. There is also another option rug “Recommended updates” which is also checked, and that is where Microsoft gets its virtual hooks into your precious Windows 7 (or 8, I’m not here to judge) operating system and plants the seeds of an upgrade. If your machine is still set to download recommended updates (as it will be if you’ve never changed these settings), you will soon be (if you aren’t already) the proud recipient of a 6GB hidden folder that, if you continue to deny Microsoft the satisfaction of upgrading you to Windows 10, will reside happily on its little 6GB plot of hard drive. Forever. Removing it doesn’t help – Windows Update will cheerfully re-download it for you, to make sure your Windows 10 upgrade experience isn’t slowed down by having to download it when you finally give in to their relentless nagging.
If you have a large hard drive and “all-you-can-eat” internet bandwidth, this isn’t a problem, but for those of you with smaller hard drives (like earlier model laptops with SSD drives) or metered bandwidth, 6GB is a lot of space AND bandwidth. There are ways to combat Microsoft’s insidious peer pressure, but to truly banish the upgrade nagging, you’ll need to fiddle with registry settings or install a third-party utility. If neither sounds like an activity for which you are qualified (either in patience or technical proficiency), why not have a friendly chat with your local tech professional to discuss a more moderate, considered approach to upgrading to Windows 10? If you are a business professional that uses Windows-based computers, its a bridge you will have to cross at some point, but you should do it on your own schedule and on your own terms.
Back in 2014 Microsoft announced that in 18 months it would cease to support older versions of Internet Explorer on currently supported operating system platforms. As of January 12th, Microsoft is making good on that promise and will only support the latest version of its web browser on supported OS’es. You might think that this will mean less zero-day exploits of older versions of IE (one of the biggest security risks to date) because people will be forced to abandon the older browsers, but not so fast! Microsoft is trapped within their own doublespeak, and the catch is “lastest version of IE released on a particular supported platform”.
What on earth does that mean?
If you happened to only skim (instead of read) their 2014 announcement or the news stories released this week about this new policy, you might have come away with the impression that Microsoft was finally dropping support for older versions of IE, namely 6, 7, 8, 9 and 10. Depending on your business need, this may have been cause for celebration or hair pulling, but a slightly deeper dive on this tells a less draconian tale. In a nutshell, depending on the operating system, some older versions will still be getting patched and updated, but only because the newer versions of IE were never officially released on a particular OS. Still confused? That’s OK, it’s Microsoft, so just shrug and take away the following:
- Microsoft will still be patching older versions of Internet Explorer as far back as version 7, but…
- Patches for versions 7-9 are likely to be hard to get, if not near impossible for normal consumers.
- Don’t use older versions of IE unless you have a compelling business restriction that prevents the use of IE 11.
- Businesses relying on websites that require the use of older versions of IE should be upgraded ASAP. You are putting your employees/clients/customers in danger.
- Remember #3? If you have to use Internet Explorer, you should be using version 11. It has competent backwards-compatibility capabilities that should work with websites that require older versions of IE to function.
The first Tuesday of every month is commonly known as “Patch Tuesday” in the IT industry, and is called thus because Microsoft issues its monthly batch of patches and security fixes to its operating systems and applications, most notably Internet Explorer. February’s selection features a whopping 31 CVEs (common vulnerabilities and exposures) that have been fixed in 4 “critical” updates and 3 “important” updates. Chief among the fixes are patches to all versions of Internet Explorer 6 through 11 to fill holes in the web browser that Microsoft anticipates being exploited in the next 30 days. Adobe also issued a fix for its Shockwave Media Player (a legacy multimedia player that may be installed on older PCs), not to be confused with Adobe Flash, which was also patched last week to combat a security hole that was actively being exploited on the internet.
What this means for you:
Depending on whether your technology is managed by an IT department, 3rd-part provider like C2, or just by you, your Windows computers may update in the next day or two, or further out if your IT department tests MS updates before patching your company’s fleet. The ones that really need to pay attention are those that manage the software updates personally, as it’s easy to forget about or ignore the Windows Update process.
Not sure if your computer’s OS needs an update? Go to Control Panels -> Windows Update and read the information presented there. It will tell you if there are any updates waiting to be applied, when your computer was last updated, and you can even see a full history of what was updated previously. You can also double-check to see how your computer is set to check and apply updates. The best choice for most non-managed computers is the default setting for Windows Update, which is to download and apply all “important” and “critical” updates automatically on a regular schedule.
If you need to check whether Adobe Flash is properly patched, you can visit http://helpx.adobe.com/flash-player.html to check what version you have installed and whether it is working properly.
If you thought you were the only one still using Windows XP, you are still in good company despite Microsoft’s widely publicized plan to end official support for the operating system in April of this year. NetMarketShare.com’s January 2014 report on installed desktop operating systems shows that an estimated 30% of the world’s computers are still using Windows XP, an operating system that is now approaching 13 years of age. NetMarketShare bases its statistics from metadata gathered by 40K websites around the world, so its also likely that this percentage may actually be slightly higher, as many XP machines are likely being used in legacy systems that do not require internet access to function.
In case you were wondering what that 30% equates to in actual numbers, there is an estimated 1.5 billion computers in use today. Based upon that number, it’s possible that several hundred million computers may continue to run an OS that will no longer get security updates from Microsoft, a number that has security analysts everywhere hyperventilating. Even though most anti-malware vendors will continue to provide support for XP, it will become increasingly difficult for them to remain effective on an OS for which Microsoft itself is abandoning.
What this means for you:
If you were thinking, “Well, this doesn’t impact me, I’m on Windows 7/8,” think again. Many cyberattacks are driven by zombified PC’s that have been gathered together into “Botnets” that can focus an incredible amount of processing power on anything they are rented to do, including sending out millions of phishing emails, spam and other nefarious activities. In the current state of desktop security, it’s commonly held wisdom that being targeted by a cyberattack is not a question of “if”, but of “when”. Cybercriminals rely on compromised resources to much of their dirty work, and their arsenal could become radically reinforced by the millions of computers still running XP, especially now that it will no longer be patched by Microsoft after April. If you are still operating PC’s with Windows XP, you should seriously consider upgrading those systems to a more modern OS if possible, and if an upgrade isn’t possible, replace them ASAP, as they will become an increasing liability for your organization.
Windows users will probably be unsurprised to note that Adobe’s ubiquitous Flash plug-in requires yet another patch. This time, unfortunately, Adobe is scrambling to release version 11.6 to rectify 2 serious security holes that are already being exploited in the wild, and not just on Windows machines; Macs and even Linux is affected by the latest flaws.
What this means for you:
The flaws fixed by the above release may allow malicious websites to install malware either from just visiting a compromised website, or by redirecting your browser to open infected Microsoft Word documents or Adobe PDFs. There are malware websites being found on the web right now that can take advantage of unpatched Flash plugins and they will wreak havoc on your computer.
Patch Flash now. Here’s how:
- Go to Adobe’s website: http://get.adobe.com/flashplayer/ (works for any platform)
- Windows: Go to your Control Panel and look for the “Flash Player” control panel icon. Click the “Advanced” tab and then the “Check Now” button.
If you want to verify you’ve updated to the correct version, you can check it by visiting this link after patching: http://www.adobe.com/software/flash/about/
Microsoft seems to be taking Fat Tuesday to heart: this month’s package of software updates includes a whopping 57 fixes for security flaws across most of its current product line. Microsoft isn’t the only one patching: Adobe also has a handful of security fixes for its products – the most commonly installed are Flash and Acrobat. The security exploits patched are just as potentially dangerous as the vulnerabilities patched in Internet Explorer.
What this means for you:
Ideally, you either have an IT department watching out for you and making sure your software is being updated in a timely fashion, or you have Automatic Updating turned on and will automatically download and apply all critical and important patches released by Microsoft and Adobe. In the case of the former, it may actually be a week or two before the actual patches are applied, as many IT departments routinely test all MS patches before distributing them through the enterprise, mostly to ensure Microsoft doesn’t break something proprietary to your company’s platforms. And in the case of this month’s Patch Tuesday, they will have much more to test and deploy.
If your computer is relying on automatic updates received via the internet, make sure you pay attention to the little message popups in the lower right corner of your screen. Windows Update will let you know when its doing its thing, and will also notify you when it has finished applying the necessary patches. Not sure whether your machine has been patched? For most versions of Windows (XP, Vista, 7) you can click the Start Menu and select “All Programs” and scroll until you find “Windows Update”. Review the information on the screen, and if you have any questions, don’t hesitate to call us for a second opinion!