Now it’s Office’s turn to have a load of patches pulled

Two patches pulled altogether; another is known to cause crashes but should be used anyway.

Now it’s Office’s turn to have a load of patches pulled

Enlarge (credit: Benjamin)

After endless difficulties with the Windows 10 October 2018 update—finally re-released this month with the data-loss bug fixed—it seems that now it's the Office team's turn to release some updates that need to be un-released.

On November's Patch Tuesday two weeks ago, Microsoft released a bunch of updates for Office to update its Japanese calendars. In December 2017, Emperor Akihito announced that he would abdicate and that his son Naruhito would take his role as emperor. Each emperor has a corresponding era name, and calendars must be updated to reflect that new name. The Office patches offer updates to handle this event.

Two of these updates, KB2863821 and KB4461522, both for Office 2010, are apparently very broken, causing application crashes. The company has suspended delivery of the patches, but the problem is so severe that Microsoft is recommending that anyone who has installed the updates already should uninstall them pronto (see instructions for KB2863821 here and for KB4461522 here).

Read 2 remaining paragraphs | Comments

Microsoft offers extended support for Windows, SQL 2008—but with a catch

(credit: Marcus W / Flickr)
Windows Server 2008 and 2008 R2, as well as SQL Server 2008 and 2008 R2, are due to move out of extended support over the next few years—SQL Server in July 2019 and Windows Server in January 2020. For organizations still …

(credit: Marcus W / Flickr)

Windows Server 2008 and 2008 R2, as well as SQL Server 2008 and 2008 R2, are due to move out of extended support over the next few years—SQL Server in July 2019 and Windows Server in January 2020. For organizations still using that software, this offers a few options: keep using the software and accept that it won't receive any more security updates, migrate to newer equivalents that are still supported, or pay Microsoft for a custom support contract to continue to receive security updates beyond the cutoff dates.

Today, Microsoft added a fourth option: migrate to Azure. Microsoft is extending the support window by three years (until July 2022 for SQL Server, January 2023 for Windows Server) for workloads hosted on Azure in the cloud. This extended support means that customers that make the switch to the cloud will receive another three years of security fixes. After those three years are up, customers will be back to the original set of choices: be insecure, upgrade, or pay for a custom support contract.

Microsoft isn't requiring customers to demonstrate that they have any kind of migration plan in place, and this support scheme incurs no additional costs beyond those already imposed by running software on Azure in the first place.

Read 2 remaining paragraphs | Comments

AMD systems gain Spectre protection with latest Windows fixes

Enlarge / An AMD Ryzen. (credit: Fritzchens Fritz)
The latest Windows 10 fixes, released as part of yesterday’s Patch Tuesday, enable protection against the Spectre variant 2 attacks on systems with AMD processors.
Earlier this year, attacks that ex…

Enlarge / An AMD Ryzen. (credit: Fritzchens Fritz)

The latest Windows 10 fixes, released as part of yesterday's Patch Tuesday, enable protection against the Spectre variant 2 attacks on systems with AMD processors.

Earlier this year, attacks that exploit the processor's speculative execution were published with the names Meltdown and Spectre, prompting a reaction from hardware and software companies. AMD chips are immune to Meltdown but have some vulnerability to the two Spectre variants. Spectre variant 1 requires application-level fixes; variant 2 requires operating system-level alterations.

Both Intel and AMD have released microcode updates to alter their processor behavior to give operating systems the control necessary to protect against Spectre variant 2. Microsoft has been shipping the Intel microcode, along with the operating system changes necessary to use the microcode's new features, for several weeks now; with yesterday's patch, similar protections are now enabled on AMD machines.

Read 2 remaining paragraphs | Comments

Patch Tuesday drops the mandatory antivirus requirement after all

(credit: amalthya / Flickr)
In the immediate aftermath of the Spectre and Meltdown attacks, Microsoft created an unusual stipulation for Windows patches: systems would only receive the fixes if they had antivirus software installed and if that antiv…

(credit: amalthya / Flickr)

In the immediate aftermath of the Spectre and Meltdown attacks, Microsoft created an unusual stipulation for Windows patches: systems would only receive the fixes if they had antivirus software installed and if that antivirus software created a special entry in the registry to indicate that it's compatible with the Windows fixes.

This was due to the particularly invasive nature of the Meltdown fix: Microsoft found that certain antivirus products manipulated Windows' kernel memory in unsupported ways that would crash systems with the Meltdown fix applied. The registry entry was a way for antivirus software to positively affirm that it was compatible with the Meltdown fix; if that entry was absent, Windows assumed that incompatible antivirus software was installed and hence did not apply the security fix.

This put systems without any antivirus software at all in a strange position: they too lack the registry entries, so they'd be passed over for fixes, even though they don't, in fact, have any incompatible antivirus software.

Read 5 remaining paragraphs | Comments