Woody Leonhard's no-bull news, tips and help for Windows and Office
RSS icon Email icon Home icon
  • MS-DEFCON 2: Another huge crop of patches

    Posted on May 15th, 2013 at 06:52 woody 17 comments

    The Black Tuesday patches are out and, as usual, there’s no reason to install any of them immediately…

    … with one exception: if you’re still using Internet Explorer 8, you should stop using it, as I explained in January. Get Firefox or Chrome (my current favorite) and stop using IE 8. If you absolutely must continue using IE 8, install MS13-038 / KB 2847204 (one of today’s patches) immediately. The hole covered by this patch was well documented weeks ago, and is now widely available.

    Let’s see how this month’s patches fare. We’ve had two bad patches so far this year, and a couple that were a bit dicey.

    I’m moving us up to MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

  • Google is ending support for IE 8

    Posted on November 30th, 2012 at 20:43 woody 7 comments

    … and if you have Windows XP, IE 8 is the latest version that’ll run.

    EP dropped this note:

    It looks like Google will be ending support for IE8 for some of their stuff.  read the following articles:

    http://www.zdnet.com/google-apps-pulls-plug-on-ie-8-windows-xp-left-out-in-the-cold-7000004305/

    http://www.computerworld.com/s/article/9231316/Google_to_drop_support_for_IE8_on_Nov._15

    http://googleappsupdates.blogspot.com/2012/09/supporting-modern-browsers-internet.html

    http://techcrunch.com/2012/09/14/google-apps-says-goodbye-to-internet-explorer-pulls-support-for-the-browser/

    http://www.geek.com/articles/news/gmail-google-docs-and-more-dropping-support-for-ie8-this-year-20120918/

    http://support.google.com/a/bin/answer.py?hl=en&answer=33864

    even a close friend who has a GMail account, is seeing a warning message when he signs in to his Gmail account through Internet Explorer 8 under Windows XP that he is using an “unsupported” browser and that he should upgrade his web browser.  ouch.

    I should tell my friend to either upgrade to Windows 7 and install IE9 or IE10 OR use the latest version of either Mozilla Firefox or Google Chrome on his XP computer

    Good advice.

     

  • IE 8 and IE 9 now getting pushed

    Posted on January 26th, 2012 at 10:40 woody 7 comments

    Ready or not, you’re getting IE 8 or IE 9, if you have automatic updates turned on.

    Susan Bradley’s Top Story for Windows Secrets Newsletter.

    I certainly hope all of you folks upgraded to IE 8 (for XP) or IE 9 (for Vista, Win7,) or IE 10 (Win8) months ago.

    I, personally, use Chrome most of the time, Firefox to get to secure sites, and IE on occasion. They’re all excellent. Really.

  • MS-DEFCON 4: Get patched, but avoid these stinkers

    Posted on June 5th, 2009 at 06:09 woody 16 comments

    With ten patches on the way next Tuesday, and many of the problems with older patches fixed, it’s time to get patched up. Unfortunately, there’s a long list of  problematic patches that you should studiously avoid.

    Here are the ones I suggest you pass by:

    Windows Vista Service Pack 2/KB 948645 is causing problems. Dennis O’Reilly talks about some of them in the latest Windows Secrets Newsletter. There’s no pressing need to install Vista SP2, and the PC you toast may be your own. Hold off for now. If you really want to install SP2 and it isn’t offered by Automatic Update, check out KB 948343 for a list of potential problems. Worth noting: that KB article is up to version 14.0. And you trust this stuff?

    Office 2007 Service Pack 2 / KB 953195 has a few problems – just look at the “Known Issues” list at the end of the KB article. Again, there isn’t enough new stuff to justify putting your computer at risk. Patience.

    KB 951847 is a mess of a patch of a patch of a patch of the .NET Framework in Windows XP. The Knowledge Base article is up to version 5.0. This is the one that includes the drive-by installation of a difficult-to-remove add-on for Firefox. I’m beginning to think that it’ll never get fixed – you’re better off waiting until you upgrade to Vista or (better) Windows 7, which have .NET baked in, or wait until Microsoft releases a new version of .NET.

    KB 960715, the ActiveX killbit update, still breaks many programs. I don’t think the cure is any better than the disease. Of course, you’re using Firefox (or Chrome) – or any Web browser that doesn’t directly expose your machine to ActiveX infections, right?

    KB 967715, the Conficker-killer that doesn’t work, is worth installing, but make sure you understand its limitations, as I posted in mid-March.

    I’m still ambivalent about Windows XP Service Pack 3, KB 936929. If you’ve been keeping up on all of your patches, it’s a toss-up. If you decide to install it, and you have problems, be sure to check out Microsoft’s Knowledge Base article KB 950718.

    I’m also ambivalent about Internet Explorer 8. Mark Edwards has a good analysis of the situation on the Windows Secrets web site.

    Sorry to leave you with such a patchwork quilt of good and problematic patches, but I think you’d be well advised to apply all outstanding patches except the ones listed above.

  • MS-DEFCON 2: Office 2007 Pack 2 is up – avoid all patches for now

    Posted on April 30th, 2009 at 09:22 woody 4 comments

    I’m raising us to MS-DEFCON 2:

    Hot on the heels of Office 2007 Service Pack 2 / KB 953195, Microsoft has just released Windows Vista Service Pack 2 [* to manufacturing - expect to see it widely available at some indeterminate point in the not-too-distant future].

    About a week ago, Microsoft started “pushing” Internet Explorer 8 via Automatic Update.

    I strongly recommend that you HOLD OFF on all three. IE 8 has been through the wringer, and I remain ambivalent about installing it, but the other two patches haven’t been out in the wild long enough to see what problems crop up.

    Because of the two new patches and the third that’s long in the tooth but still unproven, we’re at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

    UPDATE: *Man, am I embarrassed. I’ve been knee-deep in Windows 7 stuff, and erroneously reported that Vista SP2 is out in the wild. It isn’t. Microsoft announced that Vista SP2 is complete – it’s been “released to manufacturing” (precisely what is being “manufactured” isn’t at all clear, but I digress). “We expect Windows Vista and Windows Server 2008 SP2 to be publicly available in Q2 2009.”

    … as I go slinking back to my Windows 7 hovel, tail firmly between legs…

    I feel that the pushing of Office 2007 Service Pack 2 and Internet Explorer 8, though, warrant staying at MS-DEFCON 2.

  • MS-DEFCON 4: Watch out, but go ahead and install April patches

    Posted on April 24th, 2009 at 08:52 woody 5 comments

    The crop of April Black Tuesday patches looks reasonably stable. The SANS Internet Storm Center reports that Symantec has raised an alert about possible MS09-013 / KB 960803 based infections – “but it could also be old vulnerabilities from 2002 (both Apache and IIS).” MS09-013 and MS09-014 are the (now expectable) monthly humongous Internet Explorer patches.

    There are known problems with all of the following:

    MS09-010 / KB 960477 Wordpad and Office converter patches may refuse to install, and they change the way Wordpad handles Word 6 and Write files. When you install this patch, go ahead and install the new Office Compatibility Pack immediately after. I haven’t seen any advice as to whether the new Compatibility Pack eliminates the need to install MS09-010 or not, so to be safe, install the patch, then the new converters.

    MS09-014 / KB 963027, the massive Internet Explorer patch, may trigger a bogus “Connection Denied” message which requires a Registry change to eliminate. Of course, you’re using Firefox, so you aren’t overly concerned. Go ahead and patch.

    MS09-015 / KB 959426 has an interesting problem: if you install the patch on a Windows 2000 computer, you have to dig into the Registry to make the patch work. Kinda makes me feel warm and fuzzy about the testing that goes into these patches…

    At any rate, I’m moving us to MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and if things look OK, go ahead and patch.

    I still recommend that you HOLD OFF on these patches:

    KB 951847 is a mess of a patch of a patch of a patch of the .NET Framework in Windows XP. I’m beginning to think that it’ll never get fixed – you’re better off waiting until you upgrade to Vista or (better) Windows 7, which have .NET baked in, or wait until Microsoft releases a new version of .NET.

    KB 960715, the ActiveX killbit update, still breaks many programs. I don’t think the cure is any better than the disease. Of course, you’re using Firefox (or Chrome) – or any Web browser that doesn’t directly expose your machine to ActiveX infections, right?

    KB 967715, the Conficker-killer that doesn’t work, is worth installing, but make sure you understand its limitations, as I posted in mid-March.

    I’m still ambivalent about Windows XP Service Pack 3, KB 936929. If you’ve been keeping up on all of your patches, it’s a toss-up. If you decide to install it, and you have problems, be sure to check out Microsoft’s Knowledge Base article KB 950718.

    I’m also ambivalent about Internet Explorer 8. Mark Edwards has a good analysis of the situation on the Windows Secrets web site.

  • IE 6, or 7, or 8?

    Posted on April 11th, 2009 at 15:41 woody 5 comments

    Reader CG wrote:

    Your advice yesterday was very clear:

    “If you´re still using Internet Explorer 6, run to the Internet Explorer 8 download site and get it installed, like, right now. IE 6 is the single largest source of PC infections ever invented.”

    But later in the day your advice is rather different:

    “I´m still ambivalent about Windows XP Service Pack 3 and Internet Explorer 8, if you have IE 7 installed and patched, and you use Firefox.”

    You may wish to comfirm your thoughts.

    I ask, because, following your initial advice, I did install IE8. However, it seemed to slow down several processes, and I have gone back to IE6.

    I use Firefox for all normal browsing. I only used the IE Tab Add-in for Microsoft sites that won’t allow Firefox, and the increasingly few other sites which don’t work well with Firefox. But in addition, I effectively use IE for batch upload purposes (with AutoIt) and also of course Secunia uses the IE engine. Plus some programs Help-About links seem to point to IE.

    Am I therefore at risk? Do not the IE6 security updates protect me?

    I’d appreciate your thoughts on this.

    I was afraid that’d be a bit convoluted. Let me try to put it all together.

    IE 6 is a festering boil on the posterior of Windows. Even if it’s all patched up, it’s still a mess.

    IE 7 is much, much better, from a security point of view. If you have it, and it’s all patched up, and you don’t use it, you’re fine.

    IE 8 is a decent browser. I’m not overly impressed with some of the touted features (for example, InPrivate Blocking doesn’t do much at all), but it’s significantly better than IE 7. I wouldn’t rush out to install it because IE 7 is good enough – particularly if you don’t use it. But if you have IE 6 and you need to lance the boil, IE 8 is a decent choice.

    All of this presupposes that you actually use Firefox, of course. I’ve been using the 3.1 beta for quite some time now, and haven’t hit any problems.

    I haven’t hit any performance problems with any of the browsers – can’t even perceive the difference (or more accurately the mood swings on my broadband connection dwarf any performance difference between browsers). You may be more sensitive to time delays than I, though.

  • Pwn2Own conclusion

    Posted on March 22nd, 2009 at 11:56 woody No comments

    The annual pwn2own (I pronounce it “pone to own”) contest just wrapped, with interesting results. DVLabs reports:

    The contest uncovered 4 new and unique critical vulnerabilities affecting the latest and greatest versions of IE, Safari and FireFox. The Chrome browser gets a small nod for being impacted by one of the flaws, although exploit is not possible using any current known techniques.

    You’ve probably seen the headlines about Internet Explorer 8 – the version that just came out – getting hacked, and how Microsoft swears it has a patch, less than 12 hours after the original “pwn” but just hasn’t delivered it yet.

    Interestingly, none of the mobile operating systems – Blackberry, Android, iPhone, Nokia/Symbian, or Windows Mobile – got hacked. I betcha bucks to buckaroos that’ll change next year.