AskWoody

Is Microsoft replacing defective Surface Pro 4 machines with good (but used) ones?

Leonard Klint on German-language site WindowsUnited reports that Microsoft has finally, finally fessed up to screen defects in Surface Pro 4 tablets and (Google auto translate):

When I bothered the support with my problem, they knew directly. I did not need to refer to any threads, just to mention briefly that the problem was caused by the firmware update in July and the error code. In Device Manager , the following items are displayed with the error code 10 :

Surface ME (code 10)
Surface Embedded Controller Firmware (Code 10)
Surface UEFI (code 10)

Jez Corden at Windows Central goes on to say:

If you were impacted by the firmware problem, Microsoft is reportedly allowing users to get a replacement via the Surface Support website by talking to a member of staff and describing the above driver issues, although further details about exactly what caused the error are still elusive.

Poster ArrunBairu on the original Microsoft Answers forum gripe thread said on Dec. 11:

If true, this is a major breakthrough in an ongoing problem that’s been stonewalled for years.

Win10 “Activity History” — misnomer or snoop?

Another important story where I’m slow on the uptake. (Sorry, been very busy. You’ll see why shortly.)

Chris Hoffman at How-To Geek broke this on Monday:

Windows 10 collects an “Activity History” of applications you launch on your PC and sends it to Microsoft. Even if you disable or clear this, Microsoft’s Privacy Dashboard still shows an “Activity History” of applications you’ve launched on your PCs.

Chris goes through details on how your “activity history” gets snooped  — Microsoft collects and stores a list of which programs you use and when. The list gets collected even when you turn Activity History off: Click Start > Settings > Privacy. On the left choose Activity History and uncheck “Send my activity history to Microsoft.”

In Win10 version 1809 I don’t see a button to clear my Activity history (see screenshot). Apparently Chris is working with 1803 or an earlier version, where the Clear activity history option is at the bottom of the Activity History Settings pane.

Even after you’ve stopped collecting Activity History and blasted it away by clicking on Clear Activity History (which, again, doesn’t appear on my 1809 test machine), your history still appears in Microsoft’s coffers, which you can see by signing into the cutesy web site called Privacy Dashboard and clicking the tab at the top marked Activity History. You can see how my Activity history is still being collected, even after turning off “Send my activity history to Microsoft.”

Microsoft says it’s a case of mixed definitions — “Activity history” in the Windows Settings app is different from “Activity history” on the Privacy Dashboard Activity History tab. According to Microsoft, the only way to avoid sending your entire app history to their big data collection agency is by turning off “Send my activity history to Microsoft” and setting Diagnostic data collection (Start > Settings > Privacy, on the left choose Diagnostics & feedback) to “Basic,” instead of “Full.”

As Microsoft says, per Chris:

Windows 10 Activity History data is only a subset of the data displayed in the Microsoft Privacy Dashboard. We are working to address this naming issue in a future update.

I’m sure there are some folks on the EU GDPR compliance team who’d be interested in that little, uh, misnomer.

Any of you running Win10 1809… I’d sure be curious to know if you can find the Clear Activity History button.

And… tell me again how Chromebooks are collecting so much more data than Windows machines?

Microsoft 365 Consumer may actually be good for us

On Wednesday, Mary Jo Foley described her dumpster diving through Microsoft’s help-wanted ads, which turned up a couple of hints:

Microsoft is working on a new subscription bundle aimed at consumers, which looks to be named “Microsoft 365 Consumer.” The coming bundle will be the consumer-focused complement to Microsoft’s existing Microsoft 365 subscription bundle for business users.

A couple of recent Microsoft job postings mention the consumer subscription bundle, which Microsoft has yet to announce publicly.

Gregg Keizer speculates about what might make MS 365 Consumer compelling:

It’s possible that Microsoft will take a very measured approach with M365-C and simply include a license for Windows 10 Pro – the OEM-installable SKU that’s more feature-rich than the standard Windows 10 Home – with the subscription. The rationale for subbing to M365-C, then, would rest on Windows 10 Pro’s qualities. To boost Pro’s perceived value as part of M365-C, Microsoft could, say, discontinue sold-at-retail copies of Windows 10 Pro and the for-purchase licensing keys that transform Home into Pro. The only way to migrate from Home to Pro, without buying a new system, would be through M365-C.

That’s a fascinating possibility. Who knows if it’ll happen, but if you need to subscribe to (and pay for) MS 365 Consumer in order to block forced updates on your machine… yeah, that’s a compelling reason to fork out some money.

Patch Lady – twelve days of Christmas

Please note:  I’m starting a series of twelve “gifts” that I think are worthy of paranoia and protection.  I will say up front that many of these gifts involve protecting children and while I am personally not a Mother, I know a lot of friends and family members with children.

On the first day of Christmas I would recommend the following gift:

A router, firewall or Internet service that allows you to turn off the internet for certain times of the day. 

My Xfinity wifi does this, also the Disney Circle device (which is now embedded into several routers also do this).

Bottom line in this day and age of always on Internet, we need to take a break and get OFF the Internet, especially in the Holiday season.

How many times have you walked into restaurants, and even homes and found every face down in a phone looking at the screen and not talking to each other.  Recently I watched the host of NPR’s “Wait Wait don’t tell me” talk about how we need to “escape our “digital dystopia” of electronic screens and constant notifications by running outside”.  Now I’m not going to suggest that we all take up running immediately (for one it’s too cold and snowy for some of you to attempt to go running), but we definitely need to get off of our devices and stop rewiring our brains attention spans.

So on this first blog post of Christmas gifts… my recommendation if you have children and grandchildren… and even yourself… make sure you build in time OFF of technology and review your options to have the ability to set such times in your firewall or routers.

Do you run a DNS server?

If you aren’t sure, believe me, you aren’t running a DNS server.

If you are running a DNS server, @SimonZerafa wrote to me and suggested I nudge you about CVE-2018-8626. It’s a bug that lets bad programs bring DNS servers to a crawl.

How to disable Win10 driver updates

I’m seeing even more reports of zapped drivers — people who install the latest cumulative updates, and end up with new driver versions that mess with their video, audio and/or peripherals.

There’s an interesting post on Reddit, from thesereneknight:

All I want for Christmas is a patching process that works

Instead, I figure it’ll be a lump of cumulative coal.

Details on this month’s patches and their early foibles in Computerworld Woody on Windows.

December 2018 Patch Tuesday is under way

December Updates are rolling out. There are 194 updates listed in the Update Catalog.

Martin Brinkman at ghacks.com has his usual thorough summary.

Operating System Distribution

• Windows 7: 9 vulnerabilities of which 9 are rated important.
• Windows 8.1: 8 vulnerabilities of which 8 are rated important.
• Windows 10 version 1607:  12 vulnerabilities of which 2 are critical and 10 are important
• Windows 10 version 1703:  11 vulnerabilities of which 1 is critical and 10 are important
• Windows 10 version 1709: 12 vulnerabilities of which 2 are critical and 10 are important
• Windows 10 version 1803: 12 vulnerabilities of which 2 are critical and 10 are important
• Windows 10 version 1809: 19 vulnerabilities of which 2 are critical and 17 are important

Windows Server products

• Windows Server 2008 R2: 9 vulnerabilities of which 9 are important.
• Windows Server 2012 R2: 9 vulnerabilities of which 1 is critical and 8 are important.
• Windows Server 2016: 11 vulnerabilities of which 2 are critical and 9 are important.
• Windows Server 2019: 13 vulnerabilities of which 2 are critical and 11 are important.

Other Microsoft Products

• Internet Explorer 11: 4 vulnerability, 1 critical, 3 important
• Microsoft Edge: 5 vulnerabilities, 5 critical

Microsoft Office Security Updates are available. There are updates for Office 2016, Office 2013, Office 2010, the Office Viewers and the SharePoint Servers.

The .NET updates include Security-only updates this month, as well as the usual .NET Rollups.

For those of you with Windows 10, there are new Servicing Stack updates:
Win10 1709 Build 16229.846 KB 4477136
Win10 1803 Build 17134.471 KB 4477137

Interesting note from Senior Solutions Architect Allan Liska at Recorded Future:

Microsoft Edge has multiple critical vulnerabilities in its Chakra Core scripting engine. This is the now the 15th straight month that Microsoft has disclosed a vulnerability in the Chakra scripting engine, the last Patch Tuesday without a Chakra disclosure was September of 2017. This month’s vulnerability (CVE-2018-8583 and CVE-2018-8629) is a memory corruption vulnerability that, if exploited, would allow an attacker to execute arbitrary code on the victim’s machine.

Note Microsoftie liminzhu’s post on GitHub:

We’ve seen your questions for ChakraCore and we want to be transparent and honest with the open-source community that has given us so much support. To be compatible with the rest of the platform and reduce interoperability risks, Microsoft Edge will use the V8 engine as part of this change. There is much to build and learn, but we’re excited to take part in the V8 community and start contributing to the project.

ChakraCore is currently being used in various projects outside the browser. So, despite the change of direction for Microsoft Edge, our team will continue supporting ChakraCore.

You have to wonder if ChakraCore’s holiness is a contributing factor in Microsoft’s switch to the Chromium rendering engine.

Dustin Childs has his usual report up on the Zero Day Initiative site. He lists one vulnerability as exploited, but not publicly known, and one as known but not yet actively exploited. All the rest are less serious.

The exploited vulnerability — the 0day — has a familiar pedigree:

For the third month in a row, December has a Win32K (kernel-mode drivers) elevation of privilege vulnerability listed as currently under active attack. And, as was the case in previous months, this bug was reported by researchers at Kaspersky Labs, indicating this bug is being used in malware. Again, this is likely being used in targeted attacks in combination with other bugs.

Translation: Unless you’re protecting enormous state secrets (probably in a language other than English), you’re undoubtedly in the clear. Expect an explanation from Kaspersky shortly.

Chris Hoffman at How-To Geek has a seeker warning:

Microsoft hasn’t learned its lesson. If you click the “Check for Updates” button in the Settings app, Microsoft still considers you a “seeker” and will give you “preview” updates that haven’t gone through the normal testing process.

Of course, to be completely clear, I don’t recommend that you install ANY updates. It’s much too early to know what evil lurks in the hearts of man…