By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy

Windows 10 updates continue a pretty embarrassing run for Microsoft and almost every new monthly or feature updates appear to break more things than they fix. In recent times, Windows 10 has been plagued by an alarming amount of bugs. Windows Update mess kicked off with the October 2018 Update, which introduced a bug that deleted documents, pictures and other files of the consumers. After the October Update debacle, Microsoft adopted a very careful approach with the May 2019, which was rolled out slowly to avoid a repeat of the disastrous rollout. While the May 2019 Update itself wasn’t a mess, Microsoft shipped cumulative updates to fix some long-standing minor bugs, but the monthly updates introduced a new bug which caused high levels of CPU usage. Then another cumulative update was shipped to fix Cortana but it broke the Start menu and even Taskbar. It also broke internet connectivity on some configurations and another hotfix caused audio issues. All these issues were documented and resolved by Microsoft by the end of the year. After the rollout of the major update, Microsoft launched November 2019 Update, a minor release with only a few changes and many of us hoped that this would offer a bug-free experience. However, users have complained that the update breaks down File Explorer and Microsoft has not acknowledged the issue on its official website yet. Microsoft has also run into trouble with this year’s first cumulative update. Windows 10’s January 2020 important update has been failing to install and displaying unhelpful error messages. According to former employees, Microsoft has changed its Windows Update testing process and it could be one of the reasons for the mess. As the ex-Microsoft senior software engineer noted, Microsoft had an entire team dedicated to testing Windows updates in the old days. The software giant’s testing group had different subgroups for drivers or interface, and all the members discussed glitches in daily meetings. Microsoft engineers tested Windows updates using automated testing and as well as manually on real-world configurations rather than the virtual machines. In 2014, Microsoft laid off the Windows testing team and the company stopped testing updates on real-world configurations for the most part. In addition to the virtual machines, Microsoft now relies on Windows Insiders, a group of testers mostly consisting of enthusiasts and fans. For more visit OUR FORUM.

A micropatch implementing Microsoft's workaround for the actively exploited zero-day remote code execution (RCE) vulnerability impacting Internet Explorer is now available via the 0patch platform until an official fix will be released. Microsoft's advisory says that the company is aware of "limited targeted attacks" targeting the flaw tracked as CVE-2020-0674. The vulnerability, reported by Clément Lecigne of Google’s Threat Analysis Group and Ella Yu from Qihoo 360, "could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user" according to Microsoft. If the user is logged on with administrative permissions on a compromised device, attackers can take full control of the system allowing for program installation and data manipulation, or the possibility to create accounts with full user rights. While no patch for this security issue has been provided so far, Redmond is working on a fix that could be pushed out as an out-of-band security update before next month's Patch Tuesday, just as it happened when a very similar Internet Explorer RCE zero-day was fixed in September 2019. As 0patch found, the mitigation provided by Redmond also comes with several other negative side effects. 0patch created and released a micropatch for Internet Explorer 11, the latest version of the web browser, ready to be applied on fully-patched devices running of Windows 7, Windows 10 v1709/v1803/v1809, Windows Server 2008 R2, and Windows Server 2019. Applying it on these systems will also protect Windows 7 and Windows Server 2008 R2 users that haven't enrolled in the Extended Security Updates program in the event that Microsoft won't be releasing security fixes for their platform. "Our micropatch works like a switch that disables or enables the use of vulnerable jscript.dll by Internet Explorer's browser component in various applications (IE, Outlook, Word,...)," 0patch co-founder Mitja Kolsek explained. "If you're a 0patch user, you already have this micropatch downloaded to all your online computers with 0patch Agent, and - depending on your settings - already automatically applied to all processes using the Internet Explorer 11 engine for rendering content. For more in-depth reading visit OUR FORUM.

Two proofs-of-concept (PoC) exploits have been publicly released for the recently-patched crypto-spoofing vulnerability found by the National Security Agency and reported to Microsoft. The vulnerability (CVE-2020-0601) could enable an attacker to spoof a code-signing certificate (necessary for validating executable programs in Windows) in order to make it appear like an application was from a trusted source. The flaw made headlines when it was disclosed earlier this week as part of Microsoft’s January Patch Tuesday security bulletin. It marked the first time the NSA had ever publicly reported a bug to Microsoft. The two PoC exploits were published to GitHub on Thursday. Either could potentially allow an attacker to launch MitM (man-in-the-middle) attacks – allowing an adversary to spoof signatures for files and emails and fake signed-executable code inside programs that are launched inside Windows. One PoC exploit was released by Kudelski Security and the other by a security researcher under the alias “Ollypwn”. According to Microsoft’s advisory, the spoofing vulnerability exists in the way Windows CryptoAPI (Microsoft’s API that enables developers to secure Windows-based applications using cryptography) validates Elliptic Curve Cryptography (ECC) certificates. Kudelski Security in a blog post said they launched the PoC using a “curve P384” certificate, which uses ECC (specifically, the USERTrust ECC Certificate Authority). Researchers were able to craft a key used to sign the “curve P384” certificate with an arbitrary domain name. This certificate would subsequently be recognized by Windows’ CryptoAPI as trusted. Another similar PoC exploit was publicly released by Denmark-based security expert “Ollypwn.” “When Windows checks whether the certificate is trusted, it’ll see that it has been signed by our spoofed CA,” said “Ollypwn” in a write up of his PoC exploit. “It then looks at the spoofed CA’s public key to check against trusted CA’s. Then it simply verifies the signature of our spoofed CA with the spoofed CA’s generator – this is the issue.” A third PoC exploit was developed by security expert Saleem Rashid; who said on Twitter, Wednesday, that the PoC allowed him to fake TLS certificates and set up sites that look like legitimate ones. However, Rashid did not make his PoC exploit code public. To read the warnings, and more please visit OUR FORUM.

Microsoft has ended official support for Windows 7 on January 14 — 11 years after it first launched to rave reviews. Although Windows 10 eventually managed to overtake Windows 7's market share, many businesses and even home users continue to use Windows 7 despite Microsoft constantly urging them to upgrade. After January 14, Windows 7 users won't be getting any free support including any security updates. While your PC won't automagically stop working after January 14, not having timely security updates can comprise your online life. As we have seen with Windows XP, businesses reluctant to upgrade are used to paying hefty support fees to Microsoft after the official support period. A similar process is likely to be seen with Windows 7 as well. Enterprises have to enroll for Extended Security Updates (ESUs) in order to receive patches for vulnerabilities that may allow the spread of malware such as ransomware. If for some reason you wish to cling onto Windows 7, here's a neat hack developed by My Digital Life (MDL) forums veteran abbodi1406 to trick Microsoft into bypassing eligibility checks for Extended Security Updates. Then, register yourself on the MDL forums. Download the tool and install it. After installing the tool, fire-up Windows Update and see if it downloads the KB4528069 test update. If it does, your PC is now eligible to receive Microsoft's ESU that are otherwise only available to business users. The author notes that unlike conventional updates, ESUs have to be installed live via Windows Update only and cannot be installed offline or integrated into your Windows image via DISM. Eligibility for ESU is checked only once during the first ESU download. Therefore, you can remove the tool once eligibility is confirmed and you are able to download the aforementioned test update. However, do remember that the tool is still a prototype and any change in Microsoft's policies towards servicing ESUs may break the hack so, you will have to keep an eye on the thread for any updates to the tool. Follow this thread on OUR FORUM.

'The consequences of not patching the vulnerability are severe and widespread,' says National Security Agency, which found the bug. Windows 10 users have been urged to update their PCs or risk having private messages read. The huge vulnerability has been patched in an update but any computer that has not received the latest version of the operating system is at risk. The bug was discovered by the National Security Agency which alerted Microsoft, rather than using it to spy on citizens. The company then fixed the bug for all of its users through the latest free update, part of its "Patch Tuesday" program of regular fixes, which seals up the exploit and stops hackers from intercepting communications. There is no indication that the exploit has been used by hackers, Microsoft said, in a note that gave credit to the NSA for finding it. Amit Yoran, CEO of security firm Tenable, said it is "exceptionally rare if not unprecedented" for the U.S. government to share its discovery of such a critical vulnerability with a company. Yoran, who was a founding director of the Department of Homeland Security's computer emergency readiness team, urged all organizations to prioritize patching their systems quickly. An advisory sent by the NSA on Tuesday said: "the consequences of not patching the vulnerability are severe and widespread." Microsoft said an attacker could exploit the vulnerability by spoofing a code-signing certificate so it looked like a file came from a trusted source. "The user would have no way of knowing the file was malicious because the digital signature would appear to be from a trusted provider," the company said. If successfully exploited, an attacker would have been able to conduct "man-in-the-middle attacks" and decrypt confidential information on user connections, the company said. Some computers will get the fix automatically if they have the automatic update option turned on. Others can get it manually by going to Windows Update in the computer's settings. Further details can be found on OUR FORUM.

Today is a really historic day for the Microsoft family. Almost 11 years after the launch of Windows 7, Microsoft has decided its time to pull the plug on support for one of their most popular Operating Systems ever. For younger people more familiar with Windows 10, it’s hard to explain just how good Windows 7 was at the time. It felt like the first really STABLE and really aesthetically pleasing Operating System that Microsoft offered. Though it’s hard to believe, for millions of people, logging in daily and seeing this image below brought a sense of real comfort to the day. Windows 7 was awesome. It was seen as a marked improvement over its predecessor Window Vista, adding new “fancy” features like the taskbar, Aero window management, file libraries, and much more. Even with all the warnings and the heads up, Windows 7 remains popular, even today. It runs on 26 percent of all PC’s which is a staggering number considering that Windows 10 has been out for 4+ years AND Microsoft offered (and still offers) Windows 10 as a FREE upgrade to customers. Microsoft has been notifying users about this day for a full year and they plan to step up the notifications. A full-screen notification will appear for Windows 7 users on Wednesday, warning users that their systems are now out of support. If you are a business or an academic institution, your users will be able to pay for extended security updates but, it’s going to be expensive. Obviously some discounts will be available with volume licensing but when you start to think about how the costs will add up, the question is naturally – why stay with Windows 7? As you can see from the prices above, a company with 100 or more employees will start to pay REAL money going forward but there are a lot of smaller companies that will stay on Windows 7 until the lights are turned off. The reason is, they have made the decision that it’s a business-critical tool for their business. It would shock you if you knew how many small hotels and businesses run proprietary Windows 7 software. For more facts and figures, please visit OUR FORUM.

 

Translate