  • Intel says its new Spectre-busting Skylake firmware patch is ready

    Oh boy. I love the smell of fresh bricked PCs in the morning.

    Yesterday, Intel said it has released new firmware that — this time, really, for sure, honest — plugs the Meltdown/Spectre security hole. Says honcho Navin Shenoy:

    Earlier this week, we released production microcode updates for several Skylake-based platforms to our OEM customers and industry partners, and we expect to do the same for more platforms in the coming days.

    What he’s actually saying is something like, “Hey, we spent six months coming up with new firmware to fix Spectre, released it, and bricked a bunch of machines. We went back to the drawing board and, two weeks later, came up with new firmware that won’t brick your machines. Have at it.”

    According to the freshly updated Microcode Revision Guidance, Intel has released updates for Skylake U-, Y-, U23e-, H-, and S- chips.

    Shenoy goes on to say:

    Ultimately, these updates will be made available in most cases through OEM firmware updates. I can’t emphasize enough how critical it is for everyone to always keep their systems up-to-date. Research tells us there is frequently a substantial lag between when people receive updates and when they actually implement them. In today’s environment, that must change.

    To which I say:

    Fool me once, shame on me. Fool me twice… well, you know.

    Folks, you’d have to be absolutely batbox crazy to install these new BIOS/UEFI patches as they’re being rolled out. Give them time to break other people’s machines — or to prove their worth in open combat. I’m sure the folks who made the new firmware are quite competent and tested the living daylights out of everything. But they did that the last time, too.

    Again, I repeat, for emphasis, there is exactly NO known Meltdown or Spectre-based malware out in the wild.

  • Adobe Flash patch KB 4074595 pushed out the Windows Update chute

    Doncha just love Flash?

    A few hours ago, Microsoft pushed the first round of February 2018 patches. The KB 4074595 patch fixes two security holes in Adobe Flash Player, CVE-2018-4877 and CVE-2018-4878.

    Microsoft has a few details in Security Advisory ADV180004.

    Adobe’s Security Bulletin APSB18-03 says:

    Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users.  These attacks leverage Office documents with embedded malicious Flash content distributed via email.

    Adobe goes on to say it’s a remote code execution hole. Critical Priority 1. Impacts 28.0.0.137 and earlier versions (February 6, 2018). New version is 28.0.0.161.

    Adobe’s version checker is here.

    Microsoft’s patches are for Windows 8.1 and Win10, all versions. All of those versions need to have Internet Explorer (and, in the case of Win10, Edge) fixed to plug the holes in the embedded versions of Flash.

    Adobe’s patches cover everything other than IE 11 and Edge. Chrome is fixed automatically, by default, when you re-start Chrome.

    Liam Tung at ZDNet reports:

    Researchers at Cisco Talos said hackers known as Group 123 were using the zero-day Flash flaw and Excel sheets to deliver the ROKRAT remote-administration tool.

    Cisco researchers found Group 123’s Excel sheets contained an ActiveX object that was a malicious Flash file that downloaded ROKRAT from a compromised web server. Notably, it was the first time this group has been seen using a zero-day exploit, suggesting the targets were carefully selected and high value.

    FireEye, which calls Group 123 TEMP.Reaper, said it had observed the group interacting with their command-and-control infrastructure from North Korean IP addresses. Most of the group’s targets were South Korean government, military and defense industry organizations, it said.

    If you haven’t yet disabled Flash, now would be a very good time to do so. Chris Hoffman at How-to-Geek has detailed instructions. If you absolutely have to have Flash, restrict it to one browser — I use Chrome to do the dirty deed — and only use it manually, under duress.

    If you can’t or won’t throttle Flash, get the update applied. Yet another Patch Wednesday.

    Thx CAR, Günter Born.

  • Even more problems with Surface Pro 4 batteries and Surface TypeCovers

    I’ve been covering “flickergate” since last April, and there’s still no resolution from Microsoft — in spite of a recent flare-up in tech blog coverage.

    Now, even more complaints are circulating about dead batteries and bricked TypeCovers.

    Computerworld Woody on Windows.

  • Outlook 2016 bug “No results when searching All Mailboxes” fixed

    Got a note last night from reader KY saying that the old “Search All Mailboxes” bug has been fixed.

    Microsoft says that the latest click-to-run version of Office 365 has the fix:

    ISSUE

    After updating Outlook or Office to version 16.0.8827.2062, searching using the All Mailboxes option shows no results.

    STATUS: FIXED

    The issue is fixed in Monthly Channel Version 1712 (Build 8827.2179). To get the latest update immediately, open Outlook and choose File > Office Account > Update Options > Update Now.

    I wonder if one of the non-security Office 2016 patches this month also provides the fix. (There were three patches specifically for Office 2016 this month.) Darned if I can find any documentation about it, though.

    KY confirms that his fix came through Click-to-Run.

  • Microsoft offering free OneDrive for Business to current Dropbox, Box and Google Drive customers

    If you have more than 500 users, and you aren’t currently paying for OneDrive, it’s a very inviting offer.

    Microsoft says:

    We are making it easier for new customers to make the switch by offering free OneDrive for Business for the remaining term of their existing contract with Box, Dropbox, or Google. This offer is valid starting February 6, 2018 through June 30, 2018 for organizations that are not currently OneDrive for Business or Office 365 customers and who make a minimum 500 user commitment.

    Microsoft will pay off your existing contract for up to three years.

    Of course, MS would like to sell you an Office 365 contract (if you don’t already have one) along with the bargain, but on the face of it, a whole lot of Box, Dropbox and Google Drive customers must be running the numbers.

  • Mind boggling: SpaceX Falcon Heavy

    Unbeleeeeeeeevable.

    Look here starting about 35 minutes

    And a live view of Starman:

    To hear about the center booster (which, I fear, may not have landed on its drone ship), follow The Guardian’s coverage.

  • February 2018 Office Non-Security patches have been released

    In the middle of all the January patching chaos we have MORE patches. But you don’t want to install these February Office patches yet, unless you want more upheaval in your life. WAIT a while!!

    Office 2010

    Update for Microsoft PowerPoint 2010 (KB4011187)
    Update for Microsoft PowerPoint Viewer 2010 (KB4011191)

    Office 2013

    Update for Microsoft Excel 2013 (KB4011700)
    Update for Microsoft Office 2013 (KB4011646)
    Update for Microsoft PowerPoint 2013 (KB4011676)
    Update for Microsoft Project 2013 (KB4011679)
    Update for Skype for Business 2015 (KB4011678)

    Office 2016

    Update for Microsoft Excel 2016 (KB4011684)
    Update for Microsoft Office 2016 (KB4011664)
    Update for Microsoft Office 2016 (KB4011668)
    Update for Microsoft Office 2016 (KB4011685)
    Update for Microsoft Office 2016 Language Interface Pack (KB4011566)
    Update for Microsoft OneNote 2016 (KB4011571)
    Update for Microsoft PowerPoint 2016 (KB4011663)
    Update for Microsoft Project 2016 (KB4011672)
    Update for Microsoft Word 2016 (KB4011681)
    Update for Skype for Business 2016 (KB4011662)

    There were no non-security updates for Office 2007, which is out of support.
    Security patches for all supported versions of Office are released on Patch Tues. (2nd Tues. of the month).

  • Universal Windows Programs (“Metro apps”) aren’t dead yet, but there’s a better alternative on the horizon

    Microsoft just announced that it’s going to start building Progressive Web App support into Edge and Win10.

    Progressive Web Apps aren’t so much Google’s much-better alternative to Win10-only Universal Windows Programs (formerly known as “Metro apps” or “Universal apps” or “Windows Store Apps” or any of a half-dozen other monikers) as they are a genuine attempt to make browser-based applications look and feel more like regular ol’ apps.

    Chances are very good you’ve never seen a PWA in action. But they’re definitely coming. At some point.

    The theoretical benefits of PWAs over UWPs are enormous. Just for starters, UWPs can only run in the stripped-down Win10 environment. PWAs, on the other hand, should be able to run on just about anything that supports a browser — particularly Chrome, or ChromeOS. Yeah, that includes Chromebooks, at least at some point.

    The browser requirement has vanished in the past couple of years, banking on a concept called service worker. Horrible name, but web folks are good at horrible names. Paul Thurrott described service workers months ago:

    Google’s initial take on PWAs wasn’t that compelling: The full resources of Chrome needed to load each time a PWA ran, and there was no minimal user interface or runtime. But when Google introduced the notion of service worker, the technological core of what we now know as PWAs, it was a big differentiator. With service workers, PWAs could work like native apps, offering features like offline support, background processing, and more.

    It now looks to me as if there’s going to be a headlong dash into developing PWAs — and that UWP’s days are numbered. Time will tell.

    UPDATE: Mary Jo Foley has a calendar for future developments in Microsoft’s side of the PWA wars, in her ZDNet blog.

  • I just turned off threading in the replies

    The server’s way overloaded. In a (possibly vain) attempt to reduce overhead, I eliminated threaded replies in the comments, and switched to paged replies. You can now see 10 replies per page – and you can change pages in the upper right corner.

    I apologize for the abrupt change. Just hope that, after a little bit of settling-down, we’ll be able to get the site responding again.

    For those of you keeping score, last month we were running 9,000 to 15,000 “visits” per day (using AWstats). This month, we started around 15,000 visits per day and we’re headed upward quickly. If we can keep the site going, I’m sure we’ll hit a new record before the afternoon’s in full swing.

    Sure wish the advertising revenues were keeping pace. Sigh.

  • Report of a bug in January’s Outlook 2010 patch

    From @mazzinia

    Possible bug report post patches installation:
    Outlook 2010 went unresponsive once when trying to open an email with inside let’s say ads (official from my phone provider), killed the process after letting it stay at 25% for 10 minutes.

    It tried to lock up a 2nd time (on a different, simple email), subsequently, but it resumed after 30/40 seconds.

    I’m going out on a limb and assuming this is in reference to KB 4011273. There’s no reference to which operating system is involved.

    @mazzinia, please enlighten us!

  • A quick overview of January patching recommendations for Windows

    This web site is getting hammered. Sorry about that, but there’s a reason why the main discussion thread for installing January 2018 takes a long time to load – lots of comments, lots of people. We’re redlining the server again, folks, and it’s the beefiest one currently available from our host.

    For those of you looking for the bottom line on patching Win7 and 8.1, I’d like to repeat the posts from @PKCano and @MrBrian.

    Starting with @MrBrian:

    For any manually-installed Windows update from January 2018 and later: If you use antivirus, you must ensure that the antivirus-related registry item was set by your antivirus before proceeding with manual installation. If you don’t use antivirus, set the antivirus-related registry item, so that Windows Update won’t blacklist relevant updates.

    Windows 7 Monthly Rollup (“Group A”) – recommended:

    If Windows Update offers KB4056894 then install it. If Windows Update doesn’t offer KB4056894, then if Windows Update offers KB4057400 then install it. If neither update is offered, then wait for the February 2018 Windows updates.

    Windows 7 Security-only patch (“Group B”) – for those who only want the security update, and none of the additional patches:

    Manually install KB4073578. Manually install KB4056568.

    Windows 8.1 Monthly Rollup (“Group A”) – recommended:

    If Windows Update offers KB4056895 then install it. If Windows Update doesn’t offer KB4056895, then if Windows Update offers KB4057401 then install it. If neither update is offered, then wait for the February 2018 Windows updates.

    Windows 8.1 Security-only patch (“Group B”) – for those who only want the security update, and none of the additional patches:

    Manually install KB4077561. Manually install KB4056568.

    @PKCano has a slightly different approach – with observations for Windows 10.

    As a prelim:
    1. Update your Anti-virus to the latest version of the PROGRAM. Check to be sure the ALLOW Regkey is set.
    2. Verify whether your CPU is Intel or AMD.
    3. Backup your computer!!!!!
    4. Rule: DO NOT CHECK ANYTHING THAT IS NOT CHECKED BY DEFAULT

    The following are only my choices. Make the choices as applies to your case.

    Windows 7 Monthly Rollup (“Group A”):
    I installed KB4056894 Monthly Rollup. If you have AMD and you feel unsure, download KB4073578 and install it manually first then the Rollup. See AKB2000003. EDIT: See @abbodi86’s comment at #165285. Normally it is not recommended to install unchecked Preview patches, but in this case KB4057400 Preview probably contains the AMD fixes found in KB4073578.
    I installed MSRT
    I installed all the Office 2010 updates
    I have .NET 4.7 on all machines. I did not install .NET 4.7.1 (unchecked).
    My choice for .NET has always been the Rollups offered by WU.

    Windows 8.1 Monthly Rollup (“Group A”):
    I installed KB4056895 Monthly Rollup. If you have AMD and you feel unsure, download KB4073576 and install it manually first then the Rollup. I suspect the PIC/APIC problem will be fixed in the Feb Rollup. See AKB2000003. EDIT: See @abbodi86’s comment at #165285. Normally it is not recommended to install unchecked Preview patches, but in this case KB4057401 Preview probably contains the fixes found in KB4073576 and KB4077561.
    I installed the IE Flash update
    I installed MSRT
    I installed all the Office 2010 updates
    I have .NET 4.7 on all machines. I did not install .NET 4.7.1 (unchecked).
    My choice for .NET has always been the Rollups offered by WU.

    Win10 1703
    Using wushowhide I hid KB4023057, KB4073543, and KB4056254
    I installed CU KB4057144 Build 15063.877
    I installed all the other non-driver patches.

    Win10 1709
    I have KB4056892 Build 16299.192 installed.
    I was not offered KB4058258 Build 16299.214 through WU and I did not try to manually install it. It seems to have an installation problem as noted here.

    @PKCano’s approach to Win7 and 8.1 patching is slightly more aggressive than @MrBrian’s. Both ways are valid (and better than the directions I gave in the Computerworld article). You should choose @MrBrian’s approach if you aren’t overly concerned about a looming Meltdown/Spectre attack. But if you’re worried about an imminent attack (which is to say, one that happens before the February patches have time to stew), go with @PKCano’s approach.
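
    A read-only pre-flight check for the Win7/8.1 steps above, added here as an example (it is not from @MrBrian, @PKCano or Microsoft). The function names `Test-AvAllowKey` and `Get-JanuaryPatchState` are hypothetical, and the registry path and value name are assumed from Microsoft's published antivirus-compatibility guidance, since the posts only refer to the "ALLOW Regkey"; the KB numbers are the ones listed above.

    ```powershell
    # Added example (not from the original post). Read-only pre-flight check
    # before manually installing a January 2018 update on Win7 or Win8.1.
    # Assumption: registry path/value name are Microsoft's published antivirus
    # compatibility flag; the post only calls it the "ALLOW Regkey".
    $QualityCompatKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $AllowValueName   = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

    # KB numbers exactly as listed in the post above.
    $PatchTable = @{
        'Win7'   = @{ Rollup = 'KB4056894'; Preview = 'KB4057400'
                      SecurityOnly = @('KB4073578', 'KB4056568') }
        'Win8.1' = @{ Rollup = 'KB4056895'; Preview = 'KB4057401'
                      SecurityOnly = @('KB4077561', 'KB4056568') }
    }

    function Test-AvAllowKey {
        # True only if the value exists and is 0 (a missing key means Windows
        # Update withholds the January 2018 and later security updates).
        $item = Get-ItemProperty -Path $QualityCompatKey -Name $AllowValueName `
                                 -ErrorAction SilentlyContinue
        return ($null -ne $item) -and ($item.$AllowValueName -eq 0)
    }

    function Get-JanuaryPatchState {
        param(
            [Parameter(Mandatory = $true)]
            [ValidateSet('Win7', 'Win8.1')]
            [string]$Os
        )
        $kb = $PatchTable[$Os]
        # Get-HotFix lists updates registered with Win32_QuickFixEngineering.
        $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
                       ForEach-Object { $_.HotFixID })
        $missingB = @($kb.SecurityOnly | Where-Object { $installed -notcontains $_ })

        New-Object PSObject -Property @{
            Os                  = $Os
            AvAllowKeySet       = (Test-AvAllowKey)
            RollupInstalled     = ($installed -contains $kb.Rollup)
            PreviewInstalled    = ($installed -contains $kb.Preview)
            SecurityOnlyMissing = ($missingB -join ', ')
        }
    }

    # Example: Get-JanuaryPatchState -Os 'Win7' | Format-List
    ```

    If `AvAllowKeySet` is False, sort out the antivirus step first, as both posts advise, before installing anything by hand.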

  • MS-DEFCON 3: Lots of caveats, but it’s time to get patched

    The January 2018 patches are now history. Thank heavens.

    I hesitate to say it, but it’s time to take proper precautions, and get the January patches installed.

    Just make sure you don’t do anything stupid, OK?

    Extended definition of “stupid” in Computerworld Woody on Windows.