back to article It's [insert month] of 2016, and your Windows PC can still be owned by [insert document type]

Critical fixes for Office, Internet Explorer, and Windows DNS Server highlight this month's edition of Patch Update Tuesday. The Redmond Windows slinger has kicked out 16 bulletins this month, five rated as "critical" and the remaining 11 considered "important" risks. MS16-063 addresses 10 CVE-listed vulnerabilities in …

  1. arctic_haze
    Black Helicopters

    The obligatory question

    Which one of them will make my life happier by shoving Windows 10 up my ass?

    1. Christopher Lane

      Re: The obligatory question

      Bless him, still going after these years and providing useful stuff.

      https://www.grc.com/never10.htm

      Tried it, used it. It works by creating/setting two keys in your registry.

      All credit to Mr Gibson, the following is paraphrased from his site.

      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Gwx

      Under this key, the 32-bit DWORD value “DisableGwx” is set to 1.

      When DisableGwx is set to 1, the upgrade offer icon is suppressed.

      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

      Under this key, the 32-bit DWORD value “DisableOSUpgrade” is set to 1.

      When DisableOSUpgrade is set to 1, any previously downloaded Windows 10 files are deleted and Windows will never attempt to upgrade the current operating system.

      1. Gene Cash Silver badge

        Re: The obligatory question

        See also https://en.wikipedia.org/wiki/Rhetorical_question

        1. arctic_haze

          Re: The obligatory question

          It's not rhetorical. For now I wait with installing any of them. I expect more foul play from Microsoft as the deadline approaches (and possibly a delay in the deadline... for our good).

          1. a_yank_lurker Silver badge

            Re: The obligatory question

            @artic-fox - Saddly one has to wait for a few days/weeks to learn which patch includes this month's autointall of Winbloat 10..

            1. Mark 85 Silver badge

              Re: The obligatory question

              Just the two usual suspects showed up here... KB3035583 and KB2952664 It took 3 hours to gather all the updates. Hopefully there's no hidden time bomb but I'm testing on a sacrificial PC.

              I am running GWX Control Panel so we'll see what blows up when it's done.

              It strikes me as weird (the 3 hour gathering) since supposedly this was the month they were rolling everything into one massive update to speed things up... but then, MS is known for shoveling manure.

              1. Mark 85 Silver badge

                Re: The obligatory question

                Add-on to my previous post. I did notice that those two evil KB's were checked and not in the "optional" update area in spite of the GWX Control Panel running. But after unchecking and running the updates, all appears well and I'm seeing no sign of Win10 on that machine.

                Just be forewarned that the updates WERE checked by the Updater.

                1. Mark 85 Silver badge

                  Re: The obligatory question

                  The patch for IE11 seems to have bogged it down when starting and opening a new tab. Odd... Thank heavens for Firefox.

            2. Arctic fox
              Angel

              @a_yank_lurker Your reply is to arctic_haze

              I am Arctic Fox

              1. a_yank_lurker Silver badge

                Re: @a_yank_lurker Your reply is to arctic_haze

                Oops, had recent eye surgery so the vision is a bit blurry.

      2. PhilipN

        "Bless him ...

        ...... still going after these years and providing useful stuff.

        https://www.grc.com"

        Amen to that.

        His early indispensable work may not even register (sic) as fossils to many here though.

      3. P. Lee

        Re: The obligatory question

        Where is my OS redesign?

        How many of the binaries on my system does Word need access to? Why does the installer (rather than Word) not designate a data scratch area for each application instance and why doesn't the OS check with me if the application wants to read/write outside of this area?

        Applications should not have free-run of user-space data. Any programs not installed officially should get severely sandboxed. Data can be copied in but not out. This is the OS responsibility, not Norton's nor VMware's. Or how about having properly installed applications register their mime types? The OS then checks the mime types of files being accessed outside of the application-allocated area and kills access to non-relevant files outside of the app's designated data area. Pwnd word can't crypto locker excel files. Flash in a browser gets flv files in its cache area- big whoop.

        I get that this is different from using things like sort, grep and wc, but those are kicked off from shell. Who gives shell access to a browser or spreadsheet? If software installation has a security manifest, you should be able to add either containers with different rights, or add a filtered, virtualised FS to the application installation.

        How about an auto versioning FS (hello vms) with purging only by elevated privilege. It helps crypto locker be less profitable.

        OS vendors need to get their act together, especially those with high exposure.

        Kill the value in pwning applications and the attacks go away.

        I might even pay for that kind of thing.

    2. Don Dumb

      Re: The obligatory question

      For me the updates had become magically 'unhidden', but they were unchecked and in the optional updates group. So a mere check of their Knowledge Base descriptions and they were promptly re-hidden again.

      For what it's worth, I haven't needed any other tools than simply not allowing or installing the pesky Win10 related updates every month.

  2. Mikel

    (June) (GWX)

  3. Duncan Macdonald Silver badge

    Firewall and different programs

    One way to make IE and Edge safer is to disable their internet access (I do it by using the program control feature of the firewall component of Norton). Firefox with Noscript and Adblock Plus (and no Flash) makes for a far safer Internet Browsing experience. Foxit Reader also seems to be more secure than Adobe Reader for handling PDF's. Finally use LibreOffice instead of Microsoft Office to get round even more problems.

    1. Anonymous Coward
      Anonymous Coward

      Re: Firewall and different programs

      "One way to make IE and Edge safer is to disable their internet access (I do it by using the program control feature of the firewall component of Norton). Firefox with Noscript and Adblock Plus (and no Flash) makes for a far safer Internet Browsing experience. Foxit Reader also seems to be more secure than Adobe Reader for handling PDF's. Finally use LibreOffice instead of Microsoft Office to get round even more problems."

      Having come this far, Linux seems to be a viable option for you now...

    2. g00se
      Linux

      Re: Firewall and different programs

      >>One way to make IE and Edge safer is to disable their internet access<<

      (McEnroe voice) You cannot be serious?? If you aren't, then that's quite amusing.

      Utterly preposterous that their 'new' browser can suffer these kinds of vulns.

      I've had the misfortune to touch about 4 Win 10 boxes and i think in every case Edge seemed to be fundamentally broken.

      1. Captain Badmouth
        Happy

        Re: Firewall and different programs

        "Utterly preposterous that their 'new' browser can suffer these kinds of vulns."

        Indeed, quite funny to read the following :

        http://windowsreport.com/microsoft-edge-most-secure-browser/

        and

        "MS16-068 is a fix for eight CVE-listed flaws in Edge. Like the IE flaws, the Edge vulnerabilities would allow remote code execution simply by viewing a web page on the Edge browser."

      2. a_yank_lurker Silver badge

        Re: Firewall and different programs

        Flaws in Edge do not surprise me. Not because Edge is new but that all software beyond trivial will have various bugs, flaws, and compromises.

        And I detest Slurp.

  4. fidodogbreath Silver badge
    Big Brother

    Our long nightmare is not over

    It has been almost a year, yet there is STILL no fix for "flaws in Windows that allow information disclosure or remote code execution by installing a malicious OS upgrade. The flaw can be targeted when an attacker tricks the user into installing a specially-crafted application that is disguised as an Important or Security update. This allows the attacker to perform a denial-of-privacy attack on a targeted user."

    1. Steve Davies 3 Silver badge
      Alien

      Re: Our long nightmare is not over

      Oh, you mean the monthly Patch Tuesday files that MS dish out? Aren't these 'specially crafted'. Crafted to get you to install W10 that is. According to many in these parts W10 is nothing more than malware anyway.

      I passed close to Area 51 yesterday hence the Icon.

  5. channel extended

    Noticed Flash updates....

    Wonder just how long after nobody uses Flash will Adobe still issue updates?

    1. Mark 85 Silver badge

      Re: Noticed Flash updates....

      Who will tell them that no one is using it? The last person out will probably not turn off the lights and they'll continue to think it business as usual.

      1. Danny 14 Silver badge

        Re: Noticed Flash updates....

        We have run without java for 8 months now. Flash will be next.

        1. g00se
          Linux

          Re: Noticed Flash updates....

          ... then without Windows!

    2. captain veg Silver badge

      Re: Noticed Flash updates....

      I would happily become an ex-user of Flash, just as soon as iPlayer and 4OD stop needing it.

      -A.

  6. Kurt Meyer

    Death, Taxes, and...

    It's [insert month] of 2016, and your Windows PC can still be owned by [insert document type]

    Another month, another patching cycle...

    Like the Sun rising in the East, it is a part of every Windows user's life.

    Unlike sunshine, it brings no warmth, and no enlightenment.

    No longer news, or even newsworthy, it will continue long after every one of us has died. I would rant and rave, but my anger has been replaced by ennui. Cretinous clowns creating code is all I can muster.

  7. Anonymous Coward
    Anonymous Coward

    I have some help for Microsoft..

    Remember that they tend to massage statistics in more aggressively than the NRA after yet another massacre to make their OS appear safer than it really is?

    Why not create one CVE that reads "Microsoft Windows installed"?

    It would allow them to proclaim statistical victory over any other OS out there, without having to be creative with the truth about it. Win win!

  8. JJKing

    I haven't patched my personal machine since November 2015. Updates are turned off. Anyone wants to hack me, my IP is ::1. :-)

    First week in August I will be blowing away this install and building a clean one with Windows 7. If MS still tries to force Win10 onto MY machine against my will then it too shall be blown away and Linux gets the nod once and for all.

    1. a_yank_lurker Silver badge

      Skip the Winbloat 7 and go straight to Linux, it will be easier on you.

      1. Anonymous Coward
        Anonymous Coward

        @a_yank_lurker

        Thanks for that constructive and helpful comment. I will get right onto it as soon as all the myriad business applications we need to run are available for Linux.

  9. Pirate Peter

    kb3519398 / MS16-072 breaks group policy on a domain

    Just found this one while onsite today

    http://windowsitpro.com/patch-tuesday/patch-tuesday-security-update-group-policy-breaks-group-policy

    group policies fail to apply with “unknown reason” if you do a gpresult /v

    peter

  10. Anonymous Coward
    Anonymous Coward

    KB3159398

    We had an issue with KB3159398. It prevented group policies being applied to computers in OUs where security had been modifed.

  11. earl grey
    Flame

    why is update sucking 100% cpu

    If they rolled them all up they couldn't take any longer than they do now, but update services has been staring up the last couple of days and going right to 100% cpu utilization (well, until i force restart the service) and then it behaves "normally".

    I hate you MS.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022