On August 18, I blogged about the withdrawal of a series of updates originally released on August 12 — most notably, KB2982791. At that time, MS recommended that IT admins at least consider uninstalling any or all of KB2982791, KB2970228, KB2975719, and KB2975331, especially those who might experience a 0x50 Stop error (aka “Blue Screen of Death” or BSOD).
Out with the old, in with the new: KB2982791 gives way to KB2993651.
Here’s what MS is now saying in its more detailed TechNet discussion of MS14-045 from the “Update FAQ” section about a replacement update KB2993651 pushed out of band, or OOB, on August 27 (emphasis via light-gray background in the following quote is mine, to highlight the discussion that follows it):
Why was this bulletin revised on August 27, 2014? What happened to the original 2982791 security update?
To address known issues with security update 2982791, Microsoft rereleased MS14-045 to replace the 2982791 update with the 2993651 update for all supported releases of Microsoft Windows. Microsoft expired update 2982791 on August 15, 2014. All customers should apply the 2993651 update, which replaces the expired 2982791 update. Microsoft strongly recommends that customers who have not uninstalled the 2982791 update do so prior to applying the 2993651 update.
I already successfully installed the original 2982791 security update and am not experiencing any difficulties. Should I apply the replacement update (2993651) released on August 27, 2014?
Yes. All customers should apply the 2993651 update, which replaces the expired 2982791 update. Customers do not need to uninstall the expired 2982791 update before applying the 2993651 update; however, Microsoft strongly recommends it. Customers who do not remove the expired update will retain a listing for 2982791 under installed updates in Control Panel.
I uninstalled the original 2982791 security update. Should I apply the August 27, 2014 rereleased update (2993651)?
Yes. To be protected from CVE-2014-0318 and CVE-2014-1819, all customers should apply the rereleased update (2993651), which replaces the expired 2982791 update.
Here are the important takeaways from this out-of-band update that should be of particular interest to Windows administrators, particularly those charged with maintaining Windows images for users in an enterprise setting:
- If you haven’t yet deployed (or tested) KB2982791, don’t bother. It is completely supplanted by KB2993651.
- Users whose PCs have KB2982791 already installed will be best served by first uninstalling that update, then installing KB2993651 instead.
- In environments where users may have BYOD notebooks, tablets, laptops, and so forth running Windows, they may need to be informed about proper handling of KB2993651 and KB2982791. Such information should include brief instructions on how to uninstall the obsolete update prior to installing its replacement.
One of the sites I scan regularly for fodder for this very blog is MajorGeeks.com (MG), a well-curated site of mostly free (some shareware) Windows tools and utilities. I’ve been a devoted and enthusiastic user of Piriform’s CCleaner for many years now, so I was more than curious to see a story at MG entitled “Has Piriform pulled the ‘Slim’ version of CCleaner?” dated 8/26/2014 this morning. It explains the following chronology observed at the Piriform website of late:
1. Until about a month ago, Piriform made a free version of its CCleaner utility available with some minor hoops to jump through to get it (you had to know where to look for it, click through some “calls to buy” a fee-based version, and so forth)
2. Over the past month, Piriform added bundleware to its free CCleaner version, but allowed users to wait 5 days to obtain a link to download a non-encumbered version of the program. According to the author of the MG article (see comments following article text) that bundleware is a notorious advertising software module known as OpenCandy (see also Malwaretips.com “How to remove PUP.Optional.OpenCandy”).
3. According to MG, the non-encumbered (“Bundleware free Slim”) version of CCleaner is no longer available, so users have no choice but to download the encumbered version.
AdwCleaner turns up some unwanted registry keys, and a few sneaky browser extensions.
Nothing loath, I used the AdwCleaner tool to inspect my system and, sure enough, it found some minor traces of OpenCandy on my system (and I double-checked to make sure that CCleaner provides no opportunities for users to opt out of its installation, nor does it even inform them that this “bundleware” is being installed). I’m appalled and distraught, primarily because I’ve recommended CCleaner to many of my readers without knowing that the program has started to include questionable payloads along with its advertised/documented capabilities. Sigh.
MG goes on to recommend Wise Disk Cleaner as an alternative disk cleaner, noting that it finds and cleans more files than CCleaner does (and sure enough, it located about 712 MB more stuff on my system to get rid of, even after running the latest CCleaner version on that PC: 4.17.4808). I hesitate to unstintingly recommend this tool without spending more time with it myself, though I am comfortable with passing MG’s own recommendation on to readers, having observed them to be very careful about choosing and recommending software themselves over the 10 years or so I’ve been paying attention to the site. As for myself, I need to clean up after OpenCandy on my system(s) with CCleaner, and then get to know Wise Disk Cleaner a bit better. Stay tuned!
[Note added 8/28/2014: The "Slim" (adware-free) version of CCleaner has returned to the Piriform.com website. Timothy Tibbetts (author of the MG article that spawned this blog post) says this about its appearance as of 9:52 AM (CDT) this morning:
Within 24 hours, they have put the new version of Slim up for download. For those who commented below and didn’t understand why this was written, here’s why; We have been listing CCleaner for as long as I remember. 10+ years maybe? There’s a system: Standard and Portable get released and the Slim version remains available one version back for exactly 5 days. This time the Slim version was not available for download at all and that has never happened. Ever. Oddly enough another first, the download for Slim re-appeared with the new version the next day. Again, this has never happened. Was it a response to this article? I’ll never know. Only time we ever heard from the guy (I mean Piriform) was for a cease and desist.
As long as users know they should only grab and use the Slim version going forward, I guess there's no reason not to stay with that version. I don't recommend the standard version any more, though. If you want to do that, you must visit the CCleaner - Download Builds page to grab the Slim version of the program: you can't find it on the regular download page. 'Nuff said.]
Only the “Slim” versions of CCleaner omit OpenCandy
The news sites are abuzz with word from the official Chinese Xinhua News Agency yesterday (August 24) that Chinese engineers are crafting their own home-grown operating system for desktop PCs and mobile devices. The Xinhua English newsfeed prominently features a piece entitled “Chinese OS expected to debut in October,” that includes language to the effect that “… the OS will be first seen on desktop devices and later expanded to smartphones and other mobile device” according to Ni Guangnan of the Chinese Academy of Engineering.
Could an “official state OS” be in the offing in China?
In recent months, China has announced it would not adopt Windows 8 for any of its computers, citing nonspecific concerns about security and confidentiality that many industry observers believe speak to the Chinese government’s fears that MS may otherwise enable eavesdropping for a variety of clandestine US interests and agencies. Microsoft is also the focus of an anti-trust investigation currently underway in China. Further, it turns out that Mr. Guangnan is none other than a co-founder of Lenovo, himself a man who remains active on the Chinese technology scene, and still enjoys close ties to the regime, which he believes “should lead the project going forward” (this is a quote attributed to him in a CNN story “China develops Windows and Android killer” 8/25/2014).
This story is getting lots of airplay, and while details are scarce and sometimes contradictory, it’s hard not to perceive this news as something of a pre-emptive strike of sorts, both against Microsoft and the US Government. Paul Thurrott, at WindowsITPro, reports that though an October release date has been mentioned, the initial planned OS won’t be complete by that time, and that delivery of the mobile version of this presumptive OS might not be ready for another three to five years. It should be interesting to see what emerges from development efforts now underway, and how they are received in China and elsewhere. One thing’s for sure: life in Redmond just got a lot more interesting for the operating systems team.
OK, I confess: I don’t always look at the Windows Reliability Monitor as often as I should. But when I did recently, I discovered an issue on my primary production Windows 8.1 desktop that further research showed me is pretty widespread. If you try a Google search on “SkyDrive appcrash” or “SkyDrive crashes daily” you’ll get a quick sense that what I’m asserting here — namely, that SkyDrive (formerly known as OneDrive) experiences frequent and regular stability problems on some Windows 8.1 (and other Windows versions’) installations — is more than just an isolated phenomenon. Here’s a weekly summary snapshot for the last week of July from the Reliability Monitor that illustrates what this PC has been experiencing over the past 5 weeks, during which time my stability index has wavered between a low of 2.2 and a high of 3.8:
For the week of 7/27, 12 critical events, of which 7 came from OneDrive.
Aside from establishing a new and unwelcome low-water mark for the reliability metric on any Windows OS I’ve operated, my research indicates that hundreds of users have been experiencing the same kinds of problems on some PCs, going back to the release of Update 1 in April 2014 (though there are some similar reports that predate this update, the volume increases markedly after April 9 when Windows 8.1 Update 1 was pushed out). Numerous causes are suggested that range from a corrupt or broken SkyDrive runtime environment, to issues with access to the OneDrive cloud (http://onedrive.live.com) related to SSH certificates and/or Trusted Web site status, to problems with OneDrive synchronization between local file copies and copies in the cloud.
None of the easy fixes suggested on social.microsoft.com or elsewhere appeared to work for me, until I took the tried-and-true approach to fixing broken applications/services. After uninstalling OneDrive via the “Programs and Features” applet in Control Panel, then downloading and reinstalling the current version from the PC|Mac download page — even though this resulted in a warning that I was replacing a newer version of the application with an older one (the download is designed for Windows 7 and 8, not 8.1, because OneDrive is pre-installed in the Windows 8.1 Update 1 image) — my problems appear to have abated.
This does not seem to be a universal issue for all PCs running Windows 8.1 Update 1, but it clearly afflicts some non-zero subset of such machines. Of the four tablets and notebooks I’ve got running that Windows version, and the four desktops likewise, Murphy’s Law apparently dictates that only my production PC be the one that’s thus afflicted. Go figure. As for myself, I’m keeping my fingers crossed that the fix just finally applied will fix my issues for once and for all. We’ll see!
When MS pushed the August updates just over a week ago, they clearly did not expect the kinds of problems that have emerged in the wake of their release.
In a revised version of security bulletin (MS14-045), in fact, MS now recommends that anyone who’s installed any of the following updates as identified by specific Knowledge Base (KB) articles, go ahead and uninstall them (this is easily accomplished in the Windows Update utility by right-clicking on an update on the “Installed Updates” pane, then selecting “Uninstall” from the resulting pop-up menu):
- 2982791 MS14-045: Description of the security update for kernel-mode drivers: August 12, 2014
- 2970228 Update to support the new currency symbol for the Russian ruble in Windows
- 2975719 August 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2
- 2975331 August 2014 update rollup for Windows RT, Windows 8, and Windows Server 2012
Apparently, the issue is somehow related to font handling, and may result in mis-rendering of fonts on-screen, or in some cases, the 0x50 Stop error message and a modern-day equivalent of the “Blue Screen of Death,” which while not as scary as the older memory dump screen just prior to system shutdown, nevertheless results in a complete system hang. In some reported cases, too, the affected PC will not boot properly following a restart or cold boot-up sequence, and can only be restored to operation from a restore point or image replacement that predates the update’s (or updates’) application. Ouch!
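For admins who need to find affected machines rather than click through Windows Update on each one, here is an added example (not from Microsoft or the original post) that checks a host for the four withdrawn updates listed above and for the KB2993651 replacement described in the August 27 re-release at the top of this page, then optionally removes the withdrawn ones with `wusa.exe`. The function names and the shape of the report object are assumptions made for illustration; run it from an elevated Windows PowerShell prompt.

```powershell
# Added example: audit a host for the withdrawn August 2014 updates.
# KB numbers are the ones named on this page; function names and the
# report layout are hypothetical.

$Withdrawn   = 'KB2982791', 'KB2970228', 'KB2975719', 'KB2975331'
$Replacement = 'KB2993651'

function Get-AugustUpdateStatus {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Get-HotFix reads Win32_QuickFixEngineering. Fetch the list once and
    # filter locally, so a missing KB is a clean "not installed" result
    # instead of a per-ID lookup error.
    $installed = @(Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
                   ForEach-Object { $_.HotFixID })

    $present = @($Withdrawn | Where-Object { $installed -contains $_ })
    $hasNew  = $installed -contains $Replacement

    # Mirror the guidance quoted on this page: remove the expired update
    # first (strongly recommended), then apply the replacement.
    if ($present.Count -gt 0) {
        $action = 'Uninstall withdrawn updates, then apply ' + $Replacement
    } elseif (-not $hasNew) {
        $action = 'Apply ' + $Replacement
    } else {
        $action = 'None'
    }

    New-Object PSObject -Property @{
        ComputerName       = $ComputerName
        WithdrawnInstalled = $present
        ReplacementPresent = $hasNew
        Action             = $action
    }
}

function Remove-WithdrawnUpdate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string[]]$HotFixId)

    foreach ($id in $HotFixId) {
        # Only ever touch the KBs on the withdrawn list.
        if ($Withdrawn -notcontains $id) {
            Write-Warning "$id is not one of the withdrawn updates; skipping."
            continue
        }
        $kb = $id -replace '^KB', ''
        if ($PSCmdlet.ShouldProcess($id, 'Uninstall with wusa.exe')) {
            $proc = Start-Process -FilePath 'wusa.exe' `
                -ArgumentList "/uninstall /kb:$kb /quiet /norestart" `
                -Wait -PassThru
            switch ($proc.ExitCode) {
                0       { Write-Output "$id removed." }
                3010    { Write-Output "$id removed; restart required." }
                default { Write-Warning "$id: wusa.exe exit code $($proc.ExitCode)" }
            }
        }
    }
}

# Report first; -WhatIf shows what would be removed without changing anything.
$status = Get-AugustUpdateStatus
$status | Format-List ComputerName, WithdrawnInstalled, ReplacementPresent, Action
if ($status.WithdrawnInstalled.Count -gt 0) {
    Remove-WithdrawnUpdate -HotFixId $status.WithdrawnInstalled -WhatIf
}
```

Drop `-WhatIf` once the report looks right, and plan for a restart before installing KB2993651.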
In a terrific diatribe entitled “Patch Tuesday Tripped Up by Rapid Release Era,” Windows maven Paul Thurrott waxes both eloquent and profane on this situation, and the inevitable fear and loathing it can’t help but evoke in most corporate Windows IT operations, where they’ve been “mildly hesitant” (to be as positive about the prevailing situation as possible) to jump on the rapid update cadence that Windows 8 has now adopted. Here’s a lengthy quote from that article that lays out his thoughts — which I both share and endorse, for what that’s worth — in unapologetic fashion:
The firm is recommending that users uninstall the offending updates and is urging them in some cases to uninstall those patches. This isn’t just unprecedented, folks, it’s catastrophic. And it casts a pall over Microsoft’s rapid release strategy.
You may recall that I’ve been worried about this very problem, though even I didn’t imagine that Microsoft would somehow screw up so many updates in a single month. (See, I’m not that negative.) But in a world in which IT departments were already leery about just trusting the updates that Microsoft released each month, I was curious what would happen when the firm started updating its core products even more rapidly. All it would take, I conjectured, was a single bad month.
Unfortunately, August 2014 is that month.
The moral of the story is that a rapid update cadence is all well and good, but the updates must themselves work well and be good to IT administrators before the corporate/enterprise IT world will jump on that bandwagon. Alas, I have to agree that MS has just shot itself in the foot quite neatly and convincingly. Now we’ll have to see how well their damage control works with the IT audience!
I didn’t actually experience any problems myself — at least, not that I noticed — after last week’s Update Tuesday brought a round of security updates for all current versions of the Internet Explorer (7 through 11, that is) for Windows. But when my colleague and co-worker Kim came to work in my office last Thursday, I couldn’t help but notice her ongoing observations that IE 11/Win 8.1 had slowed to a crawl on her Lenovo T530 desktop. I also witnessed excessively long page load times on sites that popped up more or less immediately on my production desktop — we test to compare experiences — and had to wonder if the latest round of updates might not be imposing some untoward and unwanted side effects.
And wouldn’t you know it, what should I discover over the weekend but a Windows Support note entitled “Internet Explorer may become slow or unresponsive when web applications implement consecutive modal dialog boxes” (KB 2991509). As the lengthy list to the left also illustrates, you’ll find versions of this hotfix for every current version of IE still in circulation, including 32- and 64-bit versions from 7 through 11, and Windows OSes from Vista to Windows 8.1 on the desktop side, and for Server versions 2008 R2 and 2012 R2. That list, BTW, comes straight from KB 2991509, and if accessed online, provides a download link to the hotfix associated with each such version of Internet Explorer as may be of interest to those who might be suffering from the symptoms described in the KB article’s title.
Aside from an error message when she tried to access the afore-linked KB article that required multiple attempts before she could grab and install the hotfix, Kim reports no further problems, hangs, or excessive download times since she installed the IE 11 hotfixes for both the 32- and 64-bit versions on her 8.1 notebook PC. She writes about and edits Windows 8 training materials and texts, so she uses both 32- and 64-bit versions of IE, and gives them a pretty rigorous workout in conducting her everyday work assignments. Her overall assessment of the situation is also worth reporting, with tongue inserted firmly in cheek: “I installed the patch recently, and it’s been 8 hours since I’ve had any further trouble with IE. Looks like this takes care of the problem — at least until MS pushes another set of security patches for Internet Explorer!” I’m happy to quote her, since I couldn’t have said it better myself.
Needless to say if you, or your users, experience IE hangs or slowdowns after installing (or while testing) the Critical grade security updates released on 8/12/2014, you’ll want to grab and install the corresponding hotfixes linked in KB 2991509 as well. Happy patching!
I read with interest in the previews of coming attractions for last Tuesday’s Windows updates that “Precision touchpad improvements” were on their way into Windows 8.1 as part of the limited set of functionality enhancements included in their number (which varied from a low of 18 KB items on machines without Office installed, and over 30 KB items on those with Office resident). Silly me: I understood the word precision to have been used in that context as an adjective, when in fact it turns out to be a specific brand or type of touchpad that represents a technology collaboration between Microsoft and Synaptics. Where I’d hoped that MS was going to extend those controls to all Windows 8.1 users as depicted on Ed Bott’s recent ZDnet blog post entitled “This month’s update rollup for Windows 8.1 delivers more than just bug fixes,” I quickly realized the import of the terminology when the same display failed to show up on any of my Windows 8 touchpad-equipped systems: except for the Surface Pro 3, I’m not aware of any other Win81 PCs that can take advantage of this update. Sigh.
This image shows some very nice touchpad functionality available from the Modern or Metro UI PC Settings/PCs and Devices/Mouse and Touchpad menu that I’d like to be able to exploit on all of my touchpad-equipped Windows 8.1 notebooks, laptops, and (docked) tablets. The ability to turn the touchpad off when a mouse is connected is worth the price of admission all by itself, if you ask me (as it is my habit to switch over to a mouse when working on a desk or conference room table as I most often do when working away from my home office, except when flying or working in an airport). Yes, I know: I can go into Device Manager and enable or disable the touchpad as my current situation dictates, but it’s a lot more convenient to have a software setting handle this for me automatically, don’t you think? And FWIW, the other touchpad controls enabled here aren’t bad, either!
I guess I’ll just have to keep hoping that other touchpad drivers and software might be enhanced to bring this functionality to other types of similar devices, or that some enterprising software developer might take it upon him- or herself(ves?) to make this a more widespread phenomenon. We’ll see!
After installing yesterday’s “Update Tuesday” security and functionality updates on my Fujitsu Q704, I ran the Intel Driver Update Utility on that machine to see what might be new on that front, and discovered a new driver for the N-7620 Dual Band Wireless interface on that machine. I promptly downloaded and installed same, only to have the machine crash during the install. Imagine my surprise when it wouldn’t start upon reboot, and my further dismay when ordinary repair operations (using the Recovery partition on the machine’s SSD) also failed. Couple that with my outright disbelief when I couldn’t get the unit to recognize a Windows 8.1 ISO-based (and later, a Windows 8.1 Update 1 ISO-based) bootable USB Flash drive that I created (and re-created a couple of times) using Rufus 1.4.9, my hitherto infallible bootable UFD tool.
To my surprise and dismay, a bootable UFD built using Rufus went unrecognized on my Q704 (“Boot failed” error).
Even more interesting, my Rufus-generated bootable UFDs worked fine on my desktop test machine, so something was clearly wonky with the Q704 that made it unable to handle the install/repair images I was trying to get it to see. When I hooked up the external drive that I use to capture backups and system images for my laptops (it plays host to a capacious Toshiba 3TB hard disk, which gives it plenty of room for all three laptops currently in my stable), I noticed that it could see (and run) the Dell backup and repair/recovery tool that I purchased to support my Dell XPS12 convertible. But the Dell tool wouldn’t let me access the image for FujQ704, which is the machine name for the unit I was trying to recover, so I couldn’t boot from that drive, and also access the system image available there.
I was finally able to solve my problem by using the online installer that MS makes available to those wishing to upgrade Windows using a product key (see “Upgrade Windows with only a product key“), and choosing the Install Windows 8.1 button available there. This let me get the system booted, then elect the repair option in the second screen of the Windows 8.1 installer program. After that, I was able to target the most recent image backup for the Q704, and use that data to reformat and rebuild the primary drive. Next, I had to catch back up on the Windows updates I’d just installed yesterday, because my image pre-dated that installation. Guess what I’m doing now, having just restored and updated the system to where it’s supposed to be? I’m writing a new image backup of the updated system, so I won’t have to backtrack yet again, the next time this happens. Sigh.
While on this adventure, I did learn some interesting things:
1. As robust and reliable as Rufus seems to be, it apparently doesn’t work in all situations.
2. The Microsoft downloadable Win8.1 installer came through for me, even when Rufus failed.
3. I learned that MS offers a downloadable ISO file for Windows 8.1 Update 1, and used Rufus to turn it into a bootable UFD.
[Note added 4:10 PM CDT 8/13/2014:
I have now confirmed that the Intel Wireless driver file named Wireless_17.0.5_De164.exe is indeed responsible for the crash. I also switched to a different external backup drive, which fixed my earlier issues with access to a system image for restore purposes. Apparently, my trusty 5-year-old Antec USB/eSATA external file enclosure is failing, and occasionally presenting with "unknown device type" USB device errors. This complicated my first restore attempts, since that was the drive that held the most recent image but wasn't readily talking to the WinRE image that stands behind the installer/repair utility. With a newer OS image on a new -- and completely functional -- Vantec file enclosure, I was able to restore that image straight from the on-disk repair/recovery image instead.]
When MS published its Advance Notification for the first-ever “Update Tuesday” coming August 12, it listed 9 security bulletins therein. Of these 9, 6 affect modern Windows Desktops (Windows 7, 8, and 8.1). Of the remaining 3, Bulletin 3 applies to MS Office (OneNote 2007 SP3 only), 4 to SQL Server (2008 & R2, 2012, and 2014), and 7 to MS Windows Server (2003, Server 2008 & R2, Server 2012 & R2). SharePoint Server (2013 & SP1) is also subject to Bulletin 7, and Media Center TV Pack for Vista goes ditto for Bulletin 2. We’ll get more details tomorrow when the updates actually get released.
9 Security Bulletin Items for August: 2 Critical, involving IE versions 6-11 (Bulletin 1) and Windows graphics (Bulletin 2).
The big items in this mix include Bulletin 1, which applies to every modern version of Internet Explorer (6 through 11), is rated Critical (Remote Code Execution), requires a restart, and is getting some play on various rumor and security sites (most notably, Qualys), all of which admonish admins to apply this particular fix sooner rather than later because it allows malicious Web pages to engineer system takeovers. Ditto for Bulletin 2, which permits remote code execution by exploiting bugs in the graphics execution pipeline (and explains why the little-used Media Center TV pack for Vista falls within its purview), and is also rated Critical (Remote Code Execution).
The remaining bulletins (3-9) are rated Important (four of those 6 present “Elevation of Privilege” vulnerability impacts, and the other two present “Security Feature Bypass”). Of the 9 bulletins, 4 absolutely require a restart, and the remainder are all labeled “May require restart,” so it looks like post-application restarts are a virtual certainty. Other updates to be part of the August 12 release — at least according to WinBeta.org — include touchpad improvements designed to increase tracking precision, support for the Wi-Fi Alliance’s Miracast Receive technology (which supports wireless connections between playback devices and TV screens, projectors, and so forth), and various “other minor fixes” still TBD.
EMET is Microsoft’s Enhanced Mitigation Experience Toolkit, a free security software add-in designed to detect and counter zero-day attacks on Windows systems. More specifically, the software can detect and foil “exploitation techniques that are commonly used to exploit memory corruption vulnerabilities…by diverting, terminating, blocking and invalidating … the most common activities and techniques adversaries might use in compromising a computer” (to quote somewhat out of order from the EMET page in Microsoft’s Security TechCenter). I’ve been covering (and using) EMET myself since the version 3.x days, and was running version 4.1 until 5.0 came along on July 31, 2014 (here’s a link to a description of EMET I wrote back in September 2012).
The banner from the EMET page enjoins readers to “deploy today” — good advice!
You can download EMET 5.0 from the MS Download Center, where you’ll also find more information about the software, run-time requirements, installation instructions, and more. Be sure to check it out, and at least give it a try on some test machines or in a hurry-up pilot. I think most admins will find it a valuable (and not terribly resource intensive) addition to their existing software security solutions.