August brought loads of drama to the Windows and Office patching scene. Microsoft’s first round of patches killed Visual Basic, Visual Basic for Applications and VBScript in certain situations — on all versions of Windows. Fixes for the bugs dribbled out three, four, six and 17 days after the original infection.
Those Microsoft-introduced bugs were all the more daunting because the August patches are the ones intended to protect us from DejaBlue — the recently announced “wormable” malware infection vector that (thankfully!) has yet to be exploited. The mainstream press picked up the Chicken Little cry to install August patches right away. Then the buggy offal hit the impeller, and the press fell silent.
Apple is expected to introduce its own Tile-competing tracking device(s), perhaps as soon as fall. So, what are the advantages of the device, what can we expect, and what happens next?

Freedom from networks
There are hundreds of tracking devices available today. These cost anything from tens to hundreds of dollars and in most cases require you sign-up to a network provider for SIM card-based network access.
What happens when Microsoft releases eight – count ‘em, eight – concurrent beta test versions of Win10 version 1909 without fixing bugs introduced into 1903 on Patch Tuesday?
Pan. De. Moaaan. Ium.

The VB/VBA/VBScript debacle
No doubt, you recall the first wave of pain inflicted by the August 2019 patching regimen. Microsoft somehow managed to mess up Visual Basic (an old custom programming language), Visual Basic for Applications (for Office macros) and VBScript (a largely forgotten language primarily used inside Internet Explorer). Folks running applications in any of those languages would, on occasion, receive “invalid procedure call error” messages when using apps that had been working for decades.
Hedera Hashgraph, an electronic public ledger developed for corporate use, launched its mainnet beta today, allowing developers to create an account and build decentralized applications (dApps) for it.
The distributed ledger technology (DLT) is a direct competitor to blockchain distributed ledgers such as Ethereum and Hyperledger, and claims it can outperform traditional financial and business networks.
"There is no direct equivalent to Hedera Hashgraph today," said Martha Bennett, a principal analyst at Forrester Research. Hedera is potentially competing with public networks and all the enterprise DLT frameworks (such as Hyperledger Fabric and Sawtooth, R3 Corda, and others) and their commercial providers, which include AWS, IBM, Microsoft and Oracle.
It’s many years ago, and this pilot fish regularly travels to company offices around the country, dealing with IT-related problems and running user training sessions.
The big current project is implementing internet filtering after complaints that some workers are viewing inappropriate websites. So fish has to head to a meeting with many directors and managers to demonstrate.
Upon arriving at the meeting site, fish sets up a laptop and projector and connects it to the internal network. Then he tests to make sure the filtering is working, calling up a blocked site that, if it does display, only shows a silhouette of a bunny with a bow tie.
But not to worry: The site is blocked, so everything is ready.
If you’re using Symantec Endpoint Protection or any Norton Antivirus product on a Windows 7 or Server 2008 R2 machine, you didn’t get the August patches. Shortly after the August Monthly Rollup and Security-only patches were released, Microsoft put a freeze on systems running Symantec or Norton antivirus products.
The conflict stemmed from a long-anticipated change in the way Microsoft signed the August patches: Starting in August, all patches are code-signed using SHA-2. Somehow, Symantec didn’t get the message back in November that the shift was underway, and missed the deadline.
Microsoft is giving away one year of post-retirement support for Windows 7 to customers with active Windows 10 subscriptions.
"Enterprise Agreement and Enterprise Agreement Subscription (EA and EAS) customers with active subscription licenses to Windows 10 Enterprise E5, Microsoft 365 E5, or Microsoft 365 E5 Security will get Windows 7 Extended Security Updates for Year 1 as a benefit," Microsoft said in a FAQ about the end of support for Windows 7 and Office 2010.
Windows 10 Enterprise E5 and Microsoft 365 E5 are the top-tier subscriptions of the OS or packages that include the operating system. They are the highest-priced plans in their specific lines.
Programmer pilot fish goes online to a message board for a development system that’s used for one of his company’s applications.
But he gets a message that the site is blocked. He can either forget about it, click a link to continue, or click a link to see the company’s access policy.
He clicks to continue, gets what he needs, and then, just out of curiosity, he clicks to see the access policy to get an idea of why this site is being blocked.
But instead of seeing the access policy, fish sees this message: Content blocked. Click here to access our internet resource policy.
Sputters baffled fish, “It actually blocked the policy!”
The WebKit project - the open-source initiative that generates code for Apple's Safari browser - quietly announced last week that it would follow in Mozilla's footsteps and quash tracking technologies designed to follow users across the web.
In a short message on Aug. 14, the WebKit team pointed to its new Tracking Prevention Policy, a document that spells out its plans in detail, including what types of tracking it will block and how it will deal with any side effects.
"We have implemented or intend to implement technical protections in WebKit to prevent all tracking practices included in this policy," the document read. "If we discover additional tracking techniques, we may expand this policy to include the new techniques and we may implement technical measures to prevent those techniques."
No doubt you recall the warning back in February that Windows 7, Server 2008 and Server 2008 R2 patches starting in July would be signed using SHA-2. If you want to install Win7 patches issued after July, you have to get the SHA-2 translator installed.
A few days ago, Microsoft tossed a zinger into the FAQs down at the bottom of its SHA-2 post, 2019 SHA-2 Code Signing Support requirement for Windows and WSUS. That post now says that you have to install a seemingly unrelated patch, KB 3133977, entitled, BitLocker can't encrypt drives because of service crashes in svchost.exe process in Windows 7 or Windows Server 2008 R2.
August is going to be a perilous patching month.
We’re tracking down credible reports of the Server 2012 R2 Monthly rollup breaking RDP logins, a conflict between the Win10 1903 cumulative update and last month’s version of Outlook 365, confusion about Win7 patches being branded as “IA64 only,” dealing with the lack of telemetry (!) in the August Win7 Security Only patch, much mayhem trying to install SHA-2 signed patches (including the Win7 Monthly Rollup) on systems using Symantec Endpoint Protection, even more confusion over the difference between Symantec Endpoint Protection and Norton Security Suite, and lots of the usual installation failures and rollbacks.
Alternative search engines such as DuckDuckGo are attracting growing numbers of privacy-focused users, but there’s no doubt that Google dominates the industry, even on Apple products. Fortunately, there are several ways to make your Google activity more private.

Do you have a Google account? (You probably do)
Do you use Gmail? Did you once use Google+? Perhaps you employ Google Drive, Google Docs or any of the company’s other products. If so, you have a Google account.
Google and Mozilla have decided to eliminate visual signals in their Chrome and Firefox desktop browsers of special digital certificates meant to assure users that they landed at a legitimate site, not a malicious copycat.
The certificates, dubbed "Extended Validation" (EV) certificates, were a subset of the usual certificates used to encrypt browser-to-server-and-back communications. Unlike run-of-the-mill certificates, EVs can be issued only by a select group of certificate authorities (CAs); to acquire one, a company must go through a complicated process that validates its legal identity as the site owner. They're also more expensive.
The idea behind EVs was to give web users confidence that they were at their intended destination, that the site computerworld.com, for instance, was owned by its legal proprietor, IDG, and not a fishy - and phishy - URL run by It's Crooks All the Way Down LLC and chockablock with malware. Browsers quickly took to the concept, rewarding EV-secured sites with in-your-face visual cues, notably the verified legal identity in front of the domain in the address bar. The identity was often shaded in green as an additional tip-off. (Chrome dismissed the green in September 2018 as of Chrome 69.)
Public tests of blockchain-based mobile voting are growing.
Even as there's been an uptick in pilot projects, security experts warn that blockchain-based mobile voting technology is innately insecure and potentially a danger to democracy through "wholesale fraud" or "manipulation tactics."
The topic of election security has been in the spotlight recently after Congress held classified briefings on U.S. cyber infrastructure to identify and defend against threats to the election system, especially after Russian interference was uncovered in the 2016 Presidential election.
Tim Weil is a Security Architect/IT Security Manager with over twenty-five years of IT management, consulting and engineering experience in the U.S. Government and Communications Industry. Mr. Weil's technical areas of expertise include IT Security Management, Enterprise Security Architecture, FISMA Compliance, Identity Management, and Network Engineering. Mr. Weil is a Senior Member of the IEEE and has served in several IEEE positions.