I didn’t actually experience any problems myself — at least, not that I noticed — after last week’s Update Tuesday brought a round of security updates for all current versions of the Internet Explorer (7 through 11, that is) for Windows. But when my colleague and co-worker Kim came to work in my office last Thursday, I couldn’t help but notice her ongoing observations that IE 11/Win 8.1 had slowed to a crawl on her Lenovo T530 desktop. I also witnessed excessively long page load times on sites that popped up more or less immediately on my production desktop — we test to compare experiences — and had to wonder if the latest round of updates might not be imposing some untoward and unwanted side effects.
And wouldn’t you know it, what should I discover over the weekend but a Windows Support note entitled “Internet Explorer may become slow or unresponsive when web applications implement consecutive modal dialog boxes” (KB 2991509). As the lengthy list to the left also illustrates, you’ll find versions of this hotfix for every current version of IE still in circulation, including 32- and 64-bit versions from 7 through 11, and Windows OSes from Vista to Windows 8.1 on the desktop side, and for Server versions 2008 R2 and 2012 R2. That list, BTW, comes straight from KB 2991509, and if accessed online, provides a download link to the hotfix associated with each such version of Internet Explorer as may be of interest to those who might be suffering from the symptoms described in the KB article’s title.
Aside from an error message when she tried to access the afore-linked KB article that required multiple attempts before she could grab and install the hotfix, Kim reports no further problems, hangs, or excessive download times since she installed the IE 11 hotfixes for both the 32- and 64-bit versions on her 8.1 notebook PC. She writes about and edits Windows 8 training materials and texts, so she uses both 32- and 64-bit versions of IE, and gives them a pretty rigorous workout in conducting her everyday work assignments. Her overall assessment of the situation is also worth reporting, with tongue inserted firmly in cheek: “I installed the patch recently, and it’s been 8 hours since I’ve had any further trouble with IE. Looks like this takes care of the problem — at least until MS pushes another set of security patches for Internet Explorer!” I’m happy to quote her, since I couldn’t have said it better myself.
Needless to say if you, or your users, experience IE hangs or slowdowns after installing (or while testing) the Critical grade security updates released on 8/12/2014, you’ll want to grab and install the corresponding hotfixes linked in KB 2991509 as well. Happy patching!
I read with interest in the previews of coming attractions for last Tuesday’s Windows updates that “Precision touchpad improvements” were on their way into Windows 8.1 as part of the limited set of functionality enhancements included in their number (which varied from a low of 18 KB items on machines without Office installed, and over 30 KB items on those with Office resident). Silly me: I understood the word precision to have been used in that context as an adjective, when in fact it turns out to be a specific brand or type of touchpad that represents a technology collaboration between Microsoft and Synaptics. Where I’d hoped that MS was going to extend those controls to all Windows 8.1 users as depicted on Ed Bott’s recent ZDnet blog post entitled “This month’s update rollup for Windows 8.1 delivers more than just bug fixes,” I quickly realized the import of the terminology when the same display failed to show up on any of my Windows 8 touchpad-equipped systems): except for the Surface Pro 3, I’m not aware of any other Win81 PCs that can take advantage of this update. Sigh.
This image shows some very nice touchpad functionality available from the Modern or Metro UI PC Settings/PCs and Devices/Mouse and Touchpad menu that I’d like to be able to exploit on all of my touchpad-equipped Windows 8.1 notebooks, laptops, and (docked) tablets. The ability to turn the touchpad off when a mouse is connected is worth the price of admission all by itself, if you ask me (as it is my habit to switch over to a mouse when working on a desk or conference room table as I most often do when working away from my home office, except when flying or working in an airport). Yes, I know: I can go into Device Manager and enable or disable the touchpad as my current situation dictates, but it’s a lot more convenient to have a software setting handle this for me automatically, don’t you think? And FWIW, the other touchpad controls enabled here aren’t bad, either!
I guess I’ll just have to keep hoping that other touchpad drivers and software might be enhanced to bring this functionality to other types of similar devices, or that some enterprising software developer might take it upon him- or herself(ves?) to make this a more widespread phenomenon. We’ll see!
After installing yesterday’s “Update Tuesday” security and functionality updates on my Fujitsu Q704, I ran the Intel Driver Update Utility on that machine to see what might be new on that front, and discovered a new driver for the N-7620 Dual Band Wireless interface on that machine. I promptly downloaded and installed same, only to have the machine crash during the install. Imagine my surprise when it wouldn’t start upon reboot, and my further dismay when ordinary repair operations (using the Recovery partition on the machines SSD) also failed. Couple in my outright disbelief when I couldn’t get the unit to recognize a Windows 8.1 ISO-based (and later, a Windows 8.1 Update 1 ISO-based) bootable USB Flash drive that I created (and re-created a couple of times) using Rufus 1.4.9, my hitherto infallible bootable UFD tool.
To my surprise and dismay, a bootable UFD built using Rufus went unrecognized on my Q704 (“Boot failed” error).
Even more interesting, my Rufus-generated bootable UFDs worked fine on my desktop test machine, so something was clearly wonky with the Q704 that made it unable to handle the install/repair images I was trying to get it to see. When I hooked up the external drive that I use to capture backups and system images for my laptops (it plays host to a capacious Toshiba 3TB hard disk, which gives it plenty of room for all three laptops currently in my stable), I noticed that it could see (and run) the Dell backup and repair/recovery tool that I purchased to support my Dell XPS12 convertible. But the Dell tool wouldn’t let me access the image for FujQ704, which is the machine name for the unit I was trying to recover, so I couldn’t boot from that drive, and also access the system image available there.
I was finally able to solve my problem by using the online installer that MS makes available to those wishing to upgrade Windows using a product key (see “Upgrade Windows with only a product key“), and choosing the Install Windows 8.1 button available there. This let me get the system booted, then elect the repair option in the second screen of the Windows 8.1 installer program. After that, I was able to target the most recent image backup for the Q704, and use that data to reformat and rebuild the primary drive. Next, I had to catch back up on the Windows updates I’d just installed yesterday, because my image pre-dated that installation. Guess what I’m doing now, having just restored and updated the system to where it’s supposed to be? I’m writing a new image backup of the updated system, so I won’t have to backtrack yet again, the next time this happens. Sigh.
While on this adventure, I did learn some interesting things:
1. As robust and reliable as Rufus seems to be, it apparently doesn’t work in all situations.
2. The Microsoft downloadable Win8.1 installer came through for me, even when Rufus failed.
3. I learned that MS offers a downloadable ISO file for Windows 8.1 Update 1, and used Rufus to turn it into a bootable UFD.
[Note added 4:10 PM CDT 8/13/2014:
I have now confirmed that the Intel Wireless driver file named Wireless_17.0.5_De164.exe is indeed responsible for the crash. I also switched to a different external backup drive, which fixed my earlier issues with access to a system image for restore purposes. Apparently, my trusty 5-year-old Antec USB/eSATA external file enclosure is failing, and occasionally presenting with “unknown device type” USB device errors. This complicated my first restore attempts, since that was the drive that held the most recent image but wasn’t readily talking to the WinRE image that stands behind the installer/repair utility. With a newer OS image on a new — and completely functional — Vantec file enclosure, I was able to restore that image straight from the on-disk repair/recovery image instead.]
When MS published its Advance Notification for the first-ever “Update Tuesday” coming August 12, it listed 9 security bulletins therein. Of these 9, 6 affect modern Windows Desktops (Window 7, 8, and 8.1). Of the remaining 3, Bulletin 3 applies to MS Office (OneNote 2007 SP3 only), 4 to SQL Server (2008 & R2, 2012, and 2014), and 7 to MS Windows Server (2003, Server 2008 & R2, Sever 2012 & R2). SharePoint Server (2013 & SP1) is also subject to Bulletin 7, and Media Center TV Pack for Vista goes ditto for Bulletin 2. We’ll get more details tomorrow when the updates actually get released.
9 Security Bulletin Items for August: 2 Critical, involving IE versions 6-11 (Bulletin 1) and Windows graphics (Bulletin 2).
The big items in this mix include Bulletin 1, which applies to every modern version of Internet Explorer (6 through 11), is rated Critical (Remote Code Execution), requires a restart, and is getting some play on various rumor and security sites (most notably, Qualys), all of which admonish admins to apply to particular fix sooner rather than later because it allows malicious Web pages to engineer system takeovers. Ditto for Bulletin 2, which permits remote code execution by exploiting bugs in the graphics execution pipeline (and explains why the little-used Media Center TV pack for Vista falls within its purview), and is also rated Critical (Remote Code Execution).
The remaining bulletins (3-9) are rated Important (four of those 6 present “Elevation of “Privilege” vulnerability impacts, and the other two present “Security Feature Bypass”). Of the 9 bulletins, 4 absolutely require a restart, and the remainder are all labeled “May require restart,” so it looks like post-applications restarts are a virtual certainty. Other updates to be part of the August 12 release — at least according to WinBeta.org — include touchpad improvements designed to increase tracking precision, support for the Wi-Fi Alliance’s Miracast Receive technology (which supports wireless connections between playback devices and TV screens, projectors, and so forth), and various “other minor fixes” still TBD.
EMET is Microsoft’s Enhanced Mitigation Experience Toolkit, a free security software add-in designed to detect and counter zero-day attacks on Windows systems. More specifically, the software can detect and foil “exploitation techniques that are commonly used to exploit memory corruption vulnerabilities…by diverting, terminating, blocking and invalidating … the most common activities and techniques adversaries might use in compromising a computer” (to quote somewhat out of order from the EMET page in Microsoft’s Security TechCenter). I’ve been covering (and using) EMET myself since the version 3.x days, and was running version 4.1 until 5.0 came along on July 31, 2014 (here’s a link to a description of EMET I wrote back in September 2012).
The banner from the EMET page enjoins readers to “deploy today” — good advice!
You can download EMET 5.0 from the MS Download Center, where you’ll also find more information about the software, run-time requirements, installation instructions, and more. Be sure to check it out, and at least give it a try on some test machines or in a hurry-up pilot. I think most admins will find it a valuable (and not terribly resource intensive) addition to their existing software security solutions.
Yesterday, MS Senior MarComm Manager Brandon LeBlanc posted some interesting info about the upcoming updates to Windows 8.1 and Windows Server 2012 R2 scheduled for August 12 (next week) over on Blogging Windows. In a post entitled “August updates for Windows 8.1 and Windows Server 2012 R2” he revealed a new approach to making functionality and UI changes to the latest Windows versions — namely, exchanging the practice of “waiting for months and bundling together a bunch of improvements into a larger update” (a la Service Packs for older Windows versions, or Windows 8.1 Update 1 released in April 2014) for a practice of “us[ing] our already existing monthly update process to deliver more frequent improvements along with the security updates normally provided as part of ‘Update Tuesday.’ …despite rumors and speculation, we are not planning to deliver a Windows 8.1 ‘Update 2′” [emphasis mine, because I plan to write further about both bolded elements in the paragraphs that follow].
Lots of interesting tidbits about future Windows updates in this recent Blogging Windows post.
Here’s what’s interesting to me about this post, to my way of observing and thinking:
- Looks like there’s a change of terminology regarding the regular “second Tuesday of the month” for pushing Microsoft updates: the traditional term for this until now has been “Patch Tuesday,” but now it looks like MS is seeking to use the more all-embracing term “Update Tuesday” instead.
- Also looks like functionality and UI updates will start flowing out on a more-or-less constant basis henceforth. This helps to get those changes into user’s hands faster, to be sure, but I can see it creating headaches on several fronts: it means constant compatibility testing for enterprises that seek to avoid being (unpleasantly) surprised by changes of any kind, and it also means that documenting, teaching, and testing individuals who work with the Windows UI and its tools and utilities (I’m thinking certifications here as well as books, how-tos, help files, and more) gets even more tricky than it already is.
- If indeed there is some bundling of functionality updates emerging next Tuesday, to reflect changes and additions since April 2014, MS is choosing not to acknowledge this, and is opting instead to simply identify it as one of an upcoming and regular series of such changes and additions to Windows going forward on an as-they-come basis from now on.
All in all, it looks like we’re moving to a constant update cadence for Windows now, for good and/or for ill. This should be an interesting situation to watch, learn from, and get used to. I’m sure nobody understands all the implications just yet, but we’ll be figuring it out as it moves along in the months and years ahead. Get ready!
IT pros who need to upgrade end users with the latest version of Windows 8.1 have a few days left to install Windows 8.1 Update before August 12.
Microsoft next week will update Windows 8.1 again with some minor improvements as part of its monthly Patch Tuesday upgrade release.
The new update will include enhancements such as providing the touchpad with three new end user settings, the ability to leave the touchpad on when a mouse is connected and enable right clicks on the touchpad. The update will also enable end users to double tap and drag content using the touchpad.
The company will also update Miracast to enable a Windows 8.1 computer to become a Miracast receiver. Miracast is a wireless technology that enables a PC to project the contents of the screen to a TV, projector or streaming media player.
Other improvements include reducing the number of login prompts for SharePoint Online.
For IT pros who intend to update their systems, they must complete the Windows 8.1 Update by August 12. In April, Microsoft granted IT pros a reprieve due to a bug in the original Windows 8.1 Update.
The company said it will deliver the Windows 8.1 update automatically through the existing Windows Update and through the Windows Server Update Services channels. Enterprise IT pros can update their Windows 8.1 computers and tablets on August 12.
Microsoft continues its fight to gain market share for the Windows 8 operating system but it remains a slow proposition Windows 8 and 8.1 hold only 12.4% of the operating system market, according to Net Market Share’s July desktop operating system survey. Windows 7 market share continues to rise and is now 51.2% market share, significantly more than Windows 8 and 8.1 Windows XP, which has slowly declined as organizations invest in new PCs and upgrade the ancient operating system is now at 24.8%. Mac OSX 10.9 is 4.1% while the remainder is 7.5%.
Over the weekend, a new version of the PowerShell App Deployment Toolkit appeared online at CodePlex. Labeled Version 3.1.5, this latest iteration to a substantial collection of PowerShell scripts designed to help sysadmins deploy Windows applications in an enterprise setting includes numerous useful facilities worth investigating. These scripts integrate nicely with System Center, but can also function independently (or with other .NET-based management consoles and suites). And best of all, they’re free (Open Source, actually) for commercial use. Here’s the page header info from the project’s home page at CodePlex:
This latest update at CodePlex is worth checking out, and should be helpful for most sysadmins charged with application deployment on Windows networks.
New features in this latest update include a handy “Send-Keys” function that permits PowerShell scripts to send keystroke sequences to an application Window to help automate in-app post-install configuration and customization, and several improvements to the “Execute-Process” script designed to implement recently promulgated MS best practice recommendations. Numerous bug fixes are also included as indicated on the afore-linked project home page as well. The project includes a reasonably detailed 61-page MS-Word file that serves as a user manual, and also presents a handful of readable and informative “Example Projects” that explore deployment of Adobe Reader in a variety of runtime situations (including SCCM 2007 and 2012, as well as standalone PowerShell-only).
Worth checking out!
With the upcoming release of Windows 8.1 Update 2 reportedly immanent, expected to fall on Patch Tuesday in August (8/12/2014), there’s certainly been a lot of fuss and bother lately about what’s coming (or not) for upcoming Windows releases including that particular one. With a variety of Russian and Chinese leakers posting sometimes irreconcilable (or incorrect) suppositions, separating the fruit from the nuts can sometimes be challenging. That’s why I was relieved and delighted to find a rumor roundup story from Windowsmaster Woody Leonhard over at Infoworld entitled “What we know about the next versions of Windows” to lay things out in workmanlike fashion.
1. Windows 8.1 Update 2
Woody confirms that what we know about the upcoming update — scheduled less than a week from today — is best summarized as “not much.” Nobody’s leaked credible details or particulars, and most rumors have agreed that there won’t be much new visible functionality making it onto the scene with that update. Russian-speaking readers may be pleased to learn that Windows 8.1 Update 2 is highly likely to include support for the Ruble currency character, which isn’t even available as a Unicode character at this point in time to my great surprise and astonishment.
A character layout map for the rouble symbol, probably headed for Unicode representation no later than year’s end.
2. Windows 8.1 Update 3?
Woody has some interesting things to say about a possible Windows 8.1 Update 3, which is represented as a “fallback patch in case work on the next big version of Windows falls behind.” In such an event, it would probably include the recently promised and much-ballyhooed return of the Start Window, along with “Modern UI app in a desktop window” (a la Stardock ModernMix), both of which MS has promised to deliver in some form or fashion sometime sooner or later (this is where things get muddier still, in case you hadn’t noticed).
3. Threshold versus Windows 9 versus Plan 9 from Outer Space…
The second page of Woody’s roundup is where things get really wonky, bizarre, and interesting. My favorite sentence: “Perhaps there are updates and there are Updates, if you know what I mean” (capitalization his, and worth noting). He notes that the next big version may not even be called Windows 9, however popular that terminology may be outside Microsoft right now. He also notes that the number of versions — which he labels as Metro, desktop, consumer, and corporate — isn’t completely clear, and then tosses in the OEM version Windows 365 which is currently tied to Bing but upgradeable online. How many versions does this mean? Nobody knows right now.
He also points out that a Brandon Paddock tweet via @BrandonLive on 6/27 equates the next update (3, not 2) of Windows 8.1 with Threshold, and that Chinese leaker Faikee opined in a Neowin discussion on July 16 that it’s really a “Plan B” (or “Plan 9” if you prefer) in case the next major release of Windows gets delayed (which puts it in the same hopper as other rumors already reported under the Windows 8.1 Update 3 heading). From there, Woody goes on to point out some inconsistencies he spotted in various purported screenshots of leaked future Windows versions to emphasize the indisputable fact that nobody seems to have a definitive handle on future Windows versions right now. His summary of circumstances is both apt and a little scary: “There are no legitimate leaked screenshots of any future version of Windows, no leaked builds. We have unattributed reports of planned features, many of which contradict each other.”
If there’s one limited ray of sunshine amidst this morass of muddy madness, I would guess that the situation demonstrates the apparent success of Microsoft’s attempts to shut down leaks, and to make things more difficult for would-be leakers. Though we know less now than is typical for this stage in various Windows development cycles, maybe that’s a good thing? Woody demurs, and closes his article with “It’s almost like living under the Sinofsky lock-down, all over again. We need a Myerson glasnost.” I’d settle for a clearer sense of future plans, features, and directions.
The Bromium Labs Research Brief entitled “Endpoint Exploitation Trends H1 2014” released on July 22 shows Microsoft’s Internet Explorer in the lead for a crown it probably doesn’t want — namely, “the historic high number of security patches in over a decade” (press release). Here’s a graph snipped from that documents that counts publicly reported vulnerabilities for a number of browsers and popular related tools and technologies (2013 in light blue; 2014 in salmon).
MSIE overtakes Firefox, Chrome and Java (ahead in 2013) to take the lead for reported vulnerabilities in the first half of 2014.
[Report: Pg3; data originates from the US NIST National Vulnerability Database, aka NVD]
The report states further: “The notable aspect for this year thus far in 2014 is that Internet Explorer was the most patched and also one of the most exploited products, surpassing Oracle Java, Adobe Flash, and others in the fray. Bromium Labs believes that the browser will likely continue to be the sweet spot for attackers” (page 3). Furthermore, Bromium’s analysis shows that attackers have been able to bypass Microsoft’s Address Space Layout Randomization (ASLR) technology using a technique called Action Script Spray to dynamically create return-oriented programming (ROP) chains, and reports that two such exploits have already been identified in 2014. Likewise, data execution prevention (DEP) blocks seem less effective than initial descriptions (and tests) of the technology promised.
One potentially positive trend documented in the report is a shortened time frame between the day an exploit is reported to the day a patch becomes available. A figure on page 4 of the report shows that lag times (in days) have decreased dramatically for IE9 (over 90 days), to IE10 (over 10 days), to IE11 (under 5 days). But on page 7 of the report, Bromium muddies the waters a bit with this remark: “Web browser release cycles are compressing and the interval between the general availability of a new release and the appearance of the first security patches has been decreasing recently. This may represent greater efforts on the part of software manufacturers to secure their products, or it may represent products being released to market with less security testing than earlier versions received.” To buttress the second possibility, Bromium’s researchers point to the increasing popularity of “use-after-free” vulnerabilities in zero-day exploits — a point worth learning more about, and pondering carefully (see this Mitre CWE definition for more info).
What does this portend for Windows system and security administrators? Alas, it means the common perception that IE remains a source of security vulnerability remains as true (or truer) today than it has been in the past, and that erecting defense in depth around (or avoiding or banning) its use is a top priority. And I thought newer generations of IE were supposed to be more secure than older ones? Go figure!