  1. #1
    5 Star Lounger

    Adieu XP; bonjour Windows 8.1 Update




    PATCH WATCH

    By Susan Bradley

    For April's Patch Tuesday, we're waving goodbye to official XP patches and hello to the Windows 8.1 Update. Plus: Critical updates for MS Word and Adobe Flash, a threat from malicious Publisher files, and a massive batch of nonsecurity Office fixes.

    The full text of this column is posted at windowssecrets.com/patch-watch/adieu-xp-bonjour-windows-8-1-update/.

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

  2. #2
    New Lounger
    On 64-bit Windows 7 Professional with IE 11, there are two IE 11 updates: Security Update for IE 11 - KB2936068 (MS14-018) as mentioned in the article and Cumulative Security Update for IE 11 - KB2929437. The fact that the latter is not selected by default in Windows Update and Microsoft's description mentions "hotfixes" suggests to me that I should not install this yet. Any thoughts?

  3. #3
    New Lounger
    Same here on my Win7 x64 with IE11. I assume Susan missed it or did not get it before the article was written. Be nice to have an update/comment/advice ASAP as it may be needed despite its 'enhancements included' parts.

  4. #4
    New Lounger
    In an earlier column (12/19/13) Susan suggested changing the proxy server settings for PCs still running XP. What is interesting is that while it does block me from browsing the internet with any browser, it did connect to Windows Update for this last group of patches. Norton Live Update also connected. Anyone know what exactly is still open to the outside (and therefore trouble) when you use her recommendation?
    Last edited by jaman57; 2014-04-10 at 10:17. Reason: add info

  5. #5
    New Lounger
    @jrp2706: It was not mentioned in the Patch Tuesday pre-announcement from Microsoft so I guess that people did not expect it. It doesn't have a MS14-nnn designation either which suggests that it was added at the last minute. It is very naughty of Microsoft to bundle in a lot of new functionality with a so-called security fix though!

  7. #6
    Super Moderator CLiNT
    Direct download links to KB2919442, KB2932046, KB2919355, KB2938439, & KB2937592.
    KB2919355 (update to W8.1) should be installed last.

    Windows 8.1 Update 1: How to Download it Now
    By Kevin Parrish, April 8, 2014 2:50 PM - Source: TechRadar

    They also include the 4 other updates on offer that day prior to the actual W8.1 update.

  8. #7
    3 Star Lounger
    Win7 and I got the cumulative IE11 update too.

  9. #8
    3 Star Lounger
    Bleary eyed and missed it is what happened. One is a cumulative update, the other includes the enterprise IE features. http://support.microsoft.com/kb/2929437

    I meant to talk about it and talk about how outside of a domain or in home versions I'm not sure how well it would work and then forgot to include it.

    The Enterprise IE allows firms to build lists of sites that need IE8 and then the browser will use an emulator mode. But you need group policy to enable it, which is not in home PCs.

    Installing it won't hurt anything, but on Home SKUs you don't get the ability to use Enterprise mode.

    I'll bring it up next PW. Apologies for forgetting to include it.

  11. #9
    3 Star Lounger
    WU doesn't need a browser.

  13. #10
    Lounge VIP bobprimak
    The filippo.io site's tool does not run in my Firefox Browser under Ubuntu Linux 13.10, returning errors like "broken pipe" for nearly any URL I tested. I patch my Linux daily.

    Mozilla Products and Ubuntu Linux itself use different SSL implementations. Not OpenSSL in most cases. GNU-TLS which has been patched and Mozilla's own SSL implementation which may never have been vulnerable, do not suffer from the Heartbleed vulnerability currently. Mozilla means Firefox and Thunderbird primarily.

    Due to these and other differences, if you've been using Linux on the Web, you may have been less vulnerable. But your websites have remained just as vulnerable.

    You should change your passwords for this reason, not because your own desktop Linux system may have been leaking through your own SSL connections. The websites themselves probably used internal SSL which was vulnerable.

    Same outcome, but different implications for transmission of personal information.

    Fastmail, one of my email providers, did post a recommendation to change passwords. Yahoo and GMail have not done so. So go figure -- or change passwords every 30 days as countless security experts have been nagging us all to do. If you want to only remember one strong password, consider using the free KeepassX (https://www.keepassx.org/) password manager, which is fully portable and fully cross-platform, even for tablets. This is not the same program as Keepass for Windows only.
    -- Bob Primak --

  14. #11
    Super Moderator
    Originally posted by bobprimak:
    > The filippo.io site's tool does not run in my Firefox Browser under Ubuntu Linux 13.10, returning errors like "broken pipe" for nearly any URL I tested. I patch my Linux daily.

    That means that the Linux/Unix server of the URL has been fixed by blocking heartbeats and is therefore no longer vulnerable to Heartbleed.

    Or it was never vulnerable in the first place because it's a Microsoft Windows server:

    Heartbleed FAQ at filippo.io


    Originally posted by bobprimak:
    > Mozilla Products and Ubuntu Linux itself use different SSL implementations. Not OpenSSL in most cases.

    It’s important to note that multiple versions of Ubuntu are affected, including Ubuntu 12.04 LTS, Ubuntu 12.10, Ubuntu 13.10, so it’s imperative that you ensure that the version you're running is safe, and that you update to one that is if it’s exposed to the flaw. Here’s how,

    How to update Ubuntu to plug the Heartbleed OpenSSL flaw


    Originally posted by bobprimak:
    > GNU-TLS which has been patched and Mozilla's own SSL implementation which may never have been vulnerable, do not suffer from the Heartbleed vulnerability currently.

    GnuTLS was never vulnerable to Heartbleed:

    After Heartbleed: 4 OpenSSL alternatives that work


    Bruce
    Last edited by BruceR; 2014-04-13 at 14:50.

  16. #12
    Lounge VIP bobprimak
    Originally posted by BruceR:
    > That means that the Linux/Unix server of the URL has been fixed by blocking heartbeats and is therefore no longer vulnerable to Heartbleed.
    >
    > Or it was never vulnerable in the first place because it's a Microsoft Windows server:
    >
    > Heartbleed FAQ at filippo.io
    >
    > It’s important to note that multiple versions of Ubuntu are affected, including Ubuntu 12.04 LTS, Ubuntu 12.10, Ubuntu 13.10, so it’s imperative that you ensure that the version you're running is safe, and that you update to one that is if it’s exposed to the flaw. Here’s how,
    >
    > How to update Ubuntu to plug the Heartbleed OpenSSL flaw
    >
    > GnuTLS was never vulnerable to Heartbleed:
    >
    > After Heartbleed: 4 OpenSSL alternatives that work
    >
    > Bruce

    These are very important distinctions for Linux users. Thank you for assembling the relevant information.

    Yes, the Linux ways of handling secure communications can be different from the Windows ways. So different results occur when testing for vulnerabilities. And, if we test a URL after it has been patched, the test will no longer show the vulnerability. Which tells us nothing of whether the site was ever vulnerable in the past. These are important points which I feel were largely lost in the uproar over Heartbleed in the tech press, including here in Windows Secrets Newsletter.

    The inability to gather historical data about a site's past vulnerability to Heartbleed makes a site like filippo.io of very limited use now. Using the site to decide where one needs to change passwords now, is almost as effective as closing the barn doors after the horses have run away. But if a URL is still vulnerable, this should show up in the tests. So if a URL still tests as vulnerable, changing a password for that site would still be premature. And the site operator(s) should get busy patching their servers!

    I do patch my Ubuntu daily or every few days, as these patches never result in instabilities and seldom require a system restart. So if Ubuntu was ever vulnerable, I got patched as soon as patches were available. My email client, Claws Mail for Linux, may have been a bit slower to upgrade. The rapid availability of security patches in Linux is another point often overlooked by the tech press.

    GNU-TLS had a separate long-standing security flaw, which was patched earlier this year.

    Just to be safe, I think everyone, including Linux users, should assume at least some of our secure communications over the Web have at some point been vulnerable to exploits like Heartbleed. We should change all important passwords and consider using a good, cross-platform password manager like KeepassX. Thus allowing us to use unique, strong passwords at each site, and to change our passwords every 30 days. That's what security experts have been telling us for years, no matter what OS or software we use.

    My guess is that by the third week of April 2014, most if not all sites which are going to patch will be patched. Am I assuming too much?
    Last edited by bobprimak; 2014-04-14 at 12:34.
    -- Bob Primak --

  17. #13
    2 Star Lounger
    Thanks Susan but what are Home SKUs and why is the check box not ticked in the Microsoft update panel for this cumulative critical, according to Belarc Advisor, patch KB2929437?
