Skip to main content
Please wait...

Microsoft Patch Alert: March 2020 brings two ‘sky-is-falling’ warnings, with no problems in sight

3 months 2 weeks ago

It’s been another strange patching month. The usual Patch Tuesday crop appeared. Two days later, we got a second cumulative update for Win10 1903 and 1909, KB 4551762, that’s had all sorts of documented problems. Two weeks later, on Monday, Microsoft posted a warning about (another) security hole related to jimmied Adobe fonts.

Predictably, much of the security press has gone P.T. Barnum.

The big, nasty, scary SMBv3 vulnerability

Patch Tuesday rolled out with a jump-the-gun-early warning from various antivirus manufacturers about a mysterious and initially undocumented security hole in the networking protocol SMBv3.

To read this article in full, please click here

Woody Leonhard

Microsoft adds 6 months support for Windows 10 1709 to account for pandemic disruption

3 months 3 weeks ago

Microsoft today extended the support lifespan of Windows 10 Enterprise 1709 and Windows 10 Education 1709 by six months, pushing their retirements to Oct. 13. The original end-of-support date had been fixed as April 14.

Microsoft cited the COVID-19 pandemic's impact, which in just the U.S. has ranged from massive business closings and even statewide lockdowns to a broad movement of companies telling white-collar employees to work from home. By midday March 19, 171 deaths in the U.S. had been attributed to the virus. Globally, deaths approached 10,000.

"We have been evaluating the public health situation, and we understand the impact this is having on you," wrote John Cable, director of program management, in a March 19 post to a company blog. "To ease one of the many burdens you are currently facing, and based on customer feedback, we have decided to delay the scheduled end of service date for the Enterprise, Education, and IoT Enterprise editions of Windows 10, version 1709."

To read this article in full, please click here

Gregg Keizer

12 security tips for the ‘work from home’ enterprise

4 months ago

If you or your employees are working from home while our governments lurch awkwardly through the current crisis, then there are several security considerations that must be explored.

Your enterprise outside the wall

Enterprises must consider the consequences of working from home in terms of systems access, access to internal IT infrastructure, bandwidth costs and data repatriation.

What this means, basically, is that when your worker accesses your data and/or databases remotely, then the risk to that data grows.

While at normal times the risk is only between the server, internal network and end user machine, external working adds public internet, local networks and consumer-grade security systems to the risk mix.

To read this article in full, please click here

Jonny Evans

Take your time, get it right for March Patch Tuesday

4 months ago

This is a big update to the Windows platform for the Microsoft March Patch Tuesday release cycle. Consisting of 115 patches, mostly to the Windows desktop, with almost all of the critical issues relating to browser-based scripting engine memory issues, this will be a difficult set of updates to release and manage.

The testing profile for the Windows desktop platform is very large, with a lower than usual exploitability/risk rating. For this month, we do not have any reports of publicly exploited or disclosed vulnerabilities (zero-days), so my recommendation is to take your time, test the changes to each platform, create a staged rollout plan and wait for future (potentially) imminent changes from Microsoft.

To read this article in full, please click here

Greg Lambert

Come on, Microsoft! Is it really that hard to update Windows 10 right?

4 months ago

Yesterday, on Patch Tuesday, as I was finishing up the column that follows lamenting the sorry state of Windows 10 patches and providing copious examples of things gone very wrong, a big, fat example landed in my lap (but happily not in my laptop). Word emerged that Microsoft had accidentally leaked news about a new Server Message Block (SMB) bug with a maximum severity rating, a.k.a. SMBGhost. The leak also said that this bug wasn’t patched in that day’s releases.

To read this article in full, please click here

Steven J. Vaughan-Nichols

Patch Tuesday’s tomorrow. We're in uncharted territory. Get Automatic Updates paused.

4 months ago

It’s always a good idea to pause Windows updates just before they hit the rollout chute. This month, we’re facing two extraordinary issues that you need to take into account. Wouldn’t hurt if you told your friends and family, too.

Take last month’s Windows patches. Please. We had one patch, KB 4524244, that slid out on Patch Tuesday, clobbered an unknown number of machines (HP PCs with Ryzen processors got hit hard), then remained in “automatic download” status until it was finally pulled on Friday. We had another patch, KB 4532693, that gobbled desktop icons and moved files while performing a nifty trick with temporary user profiles. Microsoft never did fix that one.

To read this article in full, please click here

Woody Leonhard

Enterprise resilience: Backup and management tips for iOS, Mac

4 months 1 week ago

Apple’s solutions are seeing increasing use across the enterprise, but do you have a business resilience strategy in place in case things go wrong?

If you’re one of the estimated 73% of SMBs that have not yet made such preparation, now might be a good time to start.

Your data is your business

It’s challenging enough when a consumer user suffers data loss as precious memories and valuable information go up in the digital smoke. Natural disasters, technology and infrastructure problems or human-made problems such as burglary, cyberattacks or civil unrest can all impact the sanctity of your systems, whatever platform you use. It matters because in today’s connected world, your data is your business.

To read this article in full, please click here

Jonny Evans

Apple, the FIDO Alliance and the future of passwords

4 months 1 week ago
Apple is the latest firm to join the FIDO Alliance, an industry standards group developing more secure ways to log in to online accounts and apps using multi-factor authentication (MFA), biometric authentication and physical security keys. Computerworld's Lucas Mearian joins Ken Mingis and Juliet Beauchamp to discuss the Apple move, how different forms of authentication work and how far away we are from a password-less world.

FIDO Alliance and the future of passwords

4 months 1 week ago

Apple is the latest company to join the FIDO Alliance, an industry standards group committed to finding more secure ways to log in to online accounts and apps. The FIDO Alliance pushes for multi-factor authentication (MFA) deployment, from biometric authentication to physical security keys. Computerworld's Lucas Mearian joins Ken and Juliet to discuss why Apple joined the FIDO Alliance, how different forms of authentication work and how far away we are from a password-less world.

To read this article in full, please click here

Ken Mingis,

Juliet Beauchamp,

Lucas Mearian

Mitigate your risk of getting hacked with help from with this online academy

4 months 1 week ago

Cyber crime rates are on the rise. In fact, according to this 2019 Juniper Research paper, the financial burden of this global nuisance is expected to surpass $2 trillion in 2020 alone. But don't panic. It turns out that education plays a major role in mitigating the risks, which is why grabbing a lifetime subscription to the CyberTraining 365 Online Academy is money well spent.

To read this article in full, please click here

DealPost Team

Will pay by palm be a thing? Should it be?

4 months 1 week ago

Amazon is experimenting with a way to allow shoppers to use a palm-print biometric to authenticate payments and to do so in physical stores far beyond Amazon-owned brick-and-mortars, (Whole Foods, AmazonGo, AmazonBooks, Amazon 4-Star and Amazon Pop-Up). Amazon is reportedly looking at QSRs (quick-service restaurants), especially coffee shops.

Palm prints have several advantages over more popular mobile biometric methods, such as fingerprint (prescription drugs, cleaning chemicals, burns and various other things can interfere with fingerprint readings) and facial recognition (finicky method that requires the face to be a precise distance from the scanner — not an inch too close or too far — and can suffer from hair growth, lighting, cosmetic changes, some sunglasses, as well as giving false positives to close relatives). And unlike my favorite biometric for security (retina scan), it's far less invasive. It's fairly accurate, convenient and (other than forcing customers to remove gloves, which could be a problem with outdoor shops in the winter) should be well-received.

To read this article in full, please click here

Evan Schuman

Verizon: Companies will sacrifice mobile security for profitability, convenience

4 months 1 week ago

Despite an increase in the number of companies hit by mobile attacks that led to compromises, four in 10 businesses sacrificed security to meet profit goals or avoid “cumbersome” security processes, according to Verizon’s third annual Mobile Security Index 2020.

It showed that 43% of organizations sacrificed security. More typical reasons for companies exposing themselves to risk, such as lack of budget and IT expertise, trailed “way behind” things such as expediency (62%), convenience (52%) and  profitability targets (46%). Lack of budget and IT expertise were only cited by 27% and 26% of respondents, respectively.

To read this article in full, please click here

Lucas Mearian

Memory-Lane Monday: The cruelest password

4 months 1 week ago

After a network manager unexpectedly tightens up the rules for passwords and forces the expiration of all user passwords on the main application system, calls flood into the help desk, reports a pilot fish on the scene. They’re having trouble because of the new complexity rules.

One of the calls:

User: I can’t seem to change my password.

Help desk tech: Your new password needs to contain letters, numbers and punctuation. Do not use any words such as you’d find in a dictionary.

User: OK. (Pause.) No, it still won’t let me change it.

Tech: What is the password you are trying to use?

User: April.

Tech: “April” is a word.

To read this article in full, please click here

Sharky

How and why you need HomeKit-secured smart homes

4 months 2 weeks ago

Once upon a time, the Internet was amazing, enabling niche interests and connecting people. Apple’s iMac was the epitome of the era, while the iPhone became the prophet of change.

Now, the home is the next connected frontier, and one that should be as secure – as much as possible – as the office. That's especially true given recent trends toward more remote work from home, where corporate data can be endangered by weak security.

What is HomeKit-secured and why should you use it?

These days hackers break into home networks using our routers and smart home devices, which is why everyone must learn how to use HomeKit-secured routers to keep their connected homes safe.

To read this article in full, please click here

Jonny Evans

Firefox starts switching on DNS-over-HTTPS to encrypt lookups, stymie tracking

4 months 2 weeks ago

Mozilla has started to turn on DNS-over-HTTPS, or DoH, as part of its overall strategy of stressing user privacy.

"We know that unencrypted DNS is not only vulnerable to spying but is being exploited," wrote Selena Deckelmann, Mozilla's new vice president of desktop Firefox, in a Feb. 25 post to a company blog. "We are helping...to make the shift to more secure alternatives [and] do this by performing DNS lookups in an encrypted HTTPS connection. This helps hide your browsing history from attackers on the network, helps prevent data collection by third parties on the network that ties your computer to websites you visit."

To read this article in full, please click here

Gregg Keizer

Microsoft Patch Alert: February 2020 patches bring fire and ice but seem to have settled – finally.

4 months 2 weeks ago

The real stinker this month, KB 4524244, rolled out the automatic update chute for four full days until Microsoft yanked it – leaving a trail of wounded PCs, primarily HP machines, in its wake. The other big-time bug in this month’s patches, a race condition in the KB 4532693 Win10 version 1903 and 1909 cumulative update installer, hasn’t been officially acknowledged by Microsoft outside of a blog post. But at least it’s well known and understood.

Folks running SQL Server and Exchange Server networks need to get patched right away.

Win10 UEFI update KB 4524244 blockages

Patch Tuesday brought KB 4524244 for Windows 10 owners, a bizarre single-purpose patch apparently directed at one specific UEFI bootloader. I talked about it last week.

To read this article in full, please click here

Woody Leonhard
Checked
1 month ago
Computer World Security
Subscribe to Computer World Security feed

About SecurityFeeds

SecurityFeeds Logo

Tim Weil is a Security Architect/IT Security Manager with over twenty five years of IT management, consulting and engineering experience in the U.S. Government and Communications Industry.  Mr. Weil's technical areas of expertise include IT Security Management, Enterprise Security Architecture, FISMA Compliance, Identity Management, and Network Engineering. Mr. Weil is a Senior Member of the IEEE and has served in several IEEE positions.