The fourth Tuesday of the month has come and gone, and it now looks reasonably safe to patch Windows and Office. I was expecting two big releases yesterday — one to fix numerous bugs in Win10 Creators Update, version 1703; the other to plug the bugs introduced by June’s Office security patches — but neither trove appeared. Given Microsoft’s past patterns, it’s unlikely that we’ll see any more serious patches until next month’s Patch Tuesday, on Aug. 8.
There’s also a bit of additional impetus right now. On July 17, security researcher Haifei published a proof of concept for running malware scripts directly in Office apps. I haven’t seen any exploits in the wild as yet, but it would be a good idea to install KB 3213640 (Office 2007), KB 3213624 (Office 2010), KB 3213555 (Office 2013) and/or KB 3213545 (Office 2016) in the short term. (Thx to @LeaningTowardsLinux.) Note that none of these patches, as best as I can tell, correct the Office bugs introduced in June.
IT pilot fish is moving on with his career, but before he changes employers, he comes up with an easier way for users to get on the company intranet.
"I wanted to relieve the staff of the need to memorize yet another username/password combination -- or write it on a sticky note to be posted on the wall," says fish.
"So I set up an interface that used Windows Active Directory for access authorization, with appropriate fallback in case the domain controller couldn't be accessed. The whole thing worked like a dream."
Fast-forward a couple of years: fish is brought back in to add more capabilities to the intranet that's been faithfully chugging along since he left. But as fish starts on the new project, the IT director casually mentions that intranet logins have been running a lot slower. Could fish perhaps check into that too?
Have you heard the news? Your Android device is in the midst of being updated to include Google's comprehensive new security suite, Google Play Protect.
Play Protect, as you may recall, was one of the biggest bullet points to come out of this year's Google I/O keynote address. It's a "doubled-down" effort around Android security, as Google explains it, and it's designed to ensure every Android device is always protected from any form of harm.
International border crossings are often legal gray areas where government agents can, and sometimes do, ask travelers for access to their laptops, phones and other mobile devices. Complying with the request allows them to freely search, read or copy documents, emails, passwords, contacts and social media account information.
Here's how to safeguard corporate and personal data when traveling with recent Android-based phones and tablets, using the Chrome browser. (Part 1 of this series, which focuses on the legal background of border searches, and traveling tips for Apple devices, is available here.)
On June 13—five and a half weeks ago—Microsoft released a series of buggy patches for Outlook. We know they’re buggy because Microsoft acknowledged seven bugs (including one primarily caused by bugs in Windows patches) in those four original June 13 security patches. As of this morning, we still don’t have fixes for those seven bugs.
Here are the known buggy original security patches:
- KB 3191898 – Security update for Outlook 2007, released June 13, 2017
- KB 3203467 – Security update for Outlook 2010, released June 13, 2017
- KB 3191938 – Security update for Outlook 2013, released June 13, 2017
- KB 3191932 – Security update for Outlook 2016, released June 13, 2017
If you have Automatic Update turned on, you were treated not only to those patches, but also to all three of the later, interim fixes for the bugs in the security patches. Don't get too excited about them. In fact, they didn't fix the bugs:
The premiere episode of Tech Talk covered a lot of ground as our four-member panel weighed in on everything from Microsoft's just-announced Azure Stack to the trials of IT security pros buffeted by ongoing cyberattacks to the fate of Touch ID in the upcoming iPhone 8.
More June security patch bugs: You can patch an IE flaw, CVE-2017-8529, or print inside iFrames -- but not both
Strap on your hip waders. This particular “scare” article should have you thinking yet again about the advisability of installing Windows updates as soon as they’re available. As you’ll see, Microsoft itself has flip-flopped on the resolution and those who subscribe to Windows Update have been taken along for the ride.
Buggy June patches to Windows, Internet Explorer and Edge left customers on the horns of a dilemma:
- You can plug a security hole known as CVE-2017-8529, in which IE or Edge reveals the presence of a specific file on your computer when you simply surf to a compromised web site, OR
- You can print content on web pages that are inside an HTML construct known as an iFrame, using IE 9, 10 or 11.
Microsoft’s up against a hard bug that makes this an either-or proposition: Until Microsoft figures out how to fix both problems at the same time, either you patch the security hole, or you can print inside iFrames with IE, but not both.
TLS is the protocol invoked under the covers when viewing secure websites (those loaded with HTTPS rather than HTTP). There are multiple versions of the TLS protocol, and the most recent version, 1.2, is the most secure. Last time, I discussed tweaking Firefox so that it only supports TLS version 1.2 and not the older versions (1.0 and 1.1) of the protocol.
But that begs the question: what happens when a security-reinforced copy of Firefox encounters a website that does not support TLS 1.2? The answer is shown below.
I just received word from Gunter Born that Microsoft has pulled three of its Outlook patches:
- KB 4011042 - July 5, 2017, update for Outlook 2010
- KB 3191849 - June 27, 2017, update for Outlook 2013
- KB 3213654 - June 30, 2017, update for Outlook 2016
As I mentioned last week, Microsoft still hasn't fixed any of the Office 2007 bugs it introduced in the June security patches.
Although it's common to think of a secure website as the opposite of an insecure one, the choice is not, in fact, binary. For a website to be truly secure, there are about a dozen or so ducks that all need to be lined up in a row.
Seeing HTTPS does not mean that the security is well done; secure websites exist in many shades of gray. Since web browsers don't offer a dozen visual indicators, many sites that are not particularly secure appear, to all but the most techie nerds, to be secure nonetheless. Browser vendors have dumbed things down for non-techies.
Last September, I took Apple to task for not having all their ducks in a row, writing that some of their security oversights allowed Apple websites to leak passwords.
Sometimes, how you say something can be as important as what you say -- especially when there's been a cyberattack and law enforcement officials are trying to figure out who you are.
That's what CSO senior writer Fahmida Rashid found when she looked into how cybersecurity firms go about tracking down the bad actors behind malware campaigns. While linguistics may not be the first thing companies worry about when trying to protect -- or retrieve access to -- their data, it can help pinpoint an attack's origin, Rashid told Computerworld Executive Editor Ken Mingis.
Apple still has not patched the hole allowing you to bypass the iPhone lock screen. As of iOS 10.3.2 (and the 10.3.3 beta), you can still trick Siri into getting into a person’s iPhone.
It works like this:
- Press the home button using a finger not associated with your fingerprint authentication, prompting Siri to wake up.
- Say to Siri: Cellular data.
Siri will then open the cellular data settings where you can turn off cellular data.
Anyone can do this—it doesn’t have to be the person who “trained” Siri.
By also turning off Wi-Fi, you cut off her connectivity access. You will get an error saying, “Siri not available. You are not connected to the internet.” But you don’t care about that error because you have already bypassed the iPhone lock screen.
The Linux Foundation's Hyperledger project announced today the availability of Fabric 1.0, a collaboration tool for building blockchain distributed ledger business networks such as smart contract technology.
The Hyperledger project, a collaborative cross-industry effort created to advance blockchain technology, said the Hyperledger Fabric framework can be a foundation for developing blockchain applications, products or customized business solutions.
The headline — “HMS Queen Elizabeth is ‘running outdated Windows XP’, raising cyber attack fears” — was startling, but wrong. The United Kingdom’s newest aircraft carrier wasn’t running Windows XP. But some of the contractors that built the warship were.
The U.S. Navy, meanwhile, has been purchasing Windows XP support, at least through this year, so odds are our military still has XP systems running to this very day.
In case you hadn’t noticed, Microsoft has had a tough time with patches this year. From a total lack of patches in February (except for a late IE patch), to yanked and reissued botched patches that followed, to a jumble of problems with Windows and Office patches — including seven admitted bugs in last month’s Office patches — Microsoft has proved itself adept at Jack-in-the-box patching. You don't have to join the legions of unpaid patch beta testers.