Microsoft Issues Windows 10 Preview Build, Patches Critical Flaws
With less than a month to go until the release of the Windows 10 Anniversary Update, Microsoft this week put out a new build that fixes a number of bugs in Windows, Office, Edge and other applications. In addition, Microsoft's Patch Tuesday release featured 11 updates for vulnerabilities, including six rated as "critical."
One of those vulnerabilities opens up Microsoft Windows -- Vista and later versions -- to possible man-in-the-middle attacks via printers or workstations. The problem can effectively turn printers into drive-by exploit kits that could let hackers access laptops or desktops connected to the affected printers.
Meanwhile, the Windows 10 Insider Preview Build 14388 released Tuesday includes 44 fixes to address everything from inconsistent keyboard displays in the mobile version of the Microsoft Edge browser to reliability and battery life issues. The build arrives just three weeks ahead of the scheduled August 2 release date for the Windows 10 Anniversary Update.
'Almost Too Good To Be True' for Hackers
Described as a "watering hole" attack, the 20-year-old printer vulnerability was identified and analyzed by security researcher Nick Beauchesne. Noting that Microsoft worked with the cybersecurity firm Vectra Networks to investigate the vulnerability, Beauchesne posted an analysis of his findings on Vectra's Web site Tuesday.
"This attack results in having 'system' rights on any workstation that connect[s] to your printer," Beauchesne wrote. "We are effectively transforming a printer in[to] an internal drive-by exploit kit, where we can just wait for people to come get infected without any warning."
Beauchesne said the vulnerability opened up a number of ways for attackers to use printers for remote code execution on laptops or PCs. The problem stemmed from an exception that Microsoft created to avoid account controls and make it easier for users to install printer drivers.
"So in the end, we have a mechanism that allows downloading executables from a shared drive, and run them as system on a workstation without generating any warning on the user side," Beauchesne said. "From an attacker perspective, this is almost too good to be true, and of course we had to give it a try."
Anniversary Update 'Getting Down to the Wire'
Among the other critical vulnerabilities Microsoft patched this week were bugs that could allow remote code execution via the Internet Explorer and Microsoft Edge browsers, along with similar flaws involving Microsoft Office, Adobe Flash Player and the Windows JScript and VBScript scripting engines.
"In addition to the critical updates, there are two important updates this month that warrant special mention," Chris Goettl, product manager for the Microsoft-focused security firm Shavlik, wrote in a blog post this week. Those two bugs "both include Public Disclosures, meaning they have a vulnerability included that has already leaked enough information to the public to allow an attacker to gain a head start on developing an exploit. As a result, this puts these vulnerabilities at higher risk of being exploited."
The scheduled August 2 Anniversary Update will be Microsoft's first significant update to Windows 10 since the operating system was released late last July. To date, the operating system has been downloaded onto more than 300 million devices worldwide, according to Microsoft.
With August fast approaching, Microsoft is now getting down to the wire with its planned operating system update, Windows and Devices Group software engineer Dona Sarkar said Tuesday in a post on the Windows blog.
Image credit: Product shot by Microsoft.
David Scott Young:
Posted: 2016-07-30 @ 4:01am PT
Something is fishy. Although I volunteered to be part of the windows-10 insider preview program since its inception, I've suddenly encountered a "fix me" box that doesn't fix anything each time I check for rebuilds. Build no. 14388, considered critical, was released Tuesday, and my current build number is 14366. Why am I being blocked from getting the final fixes to this program before paid release sales begin tomorrow.
Anyone that has experienced the same may have to pay to get the ultimate Windows-10 release, even though your input helped make it what is is. I'm interested in joining a class action lawsuit. Since we helped Microsoft windows fine tune its product before they begin charging for it, why are we being denied the completed beta product. This is disgusting, and unethical. If you know of, or start a class action lawsuit, please contact me... D Young - email@example.com
H.S. Ganesh Keerthi:
Posted: 2016-07-18 @ 5:25am PT
I use windows from 3.1 ages. I do not have any doubt or complaint. It is a very good version. Let Microsoft keep up their pace. Thanks
Posted: 2016-07-17 @ 5:13pm PT
Very interesting read, but the computer I'm on is still running Windows 7 pro. Going to look at my other 2 computers running Windows 10 for upgrades. Thanks
Posted: 2016-07-16 @ 3:49pm PT
I am pleased with Win10 and since my installation, the ability to reinstall it, when something does not work properly, after trying recommendations to correct the errors has truly been a plus.
No complaints on my end. I have used this operating system from the start and various versions afterwards.
Keep up the good work.
Posted: 2016-07-16 @ 2:06pm PT
Is this why I perpetually have a little blue ball running all over my emails, and why I have to pound the keys to move forward.... which doesn't always work and why I have trouble using my copy machine?
Posted: 2016-07-16 @ 1:01pm PT
As time passes with 10 overhauling much of their old code, they will find more security holes. The sooner they strip more of the 20 year old code out the better!
Posted: 2016-07-16 @ 10:45am PT
Wish I had never switched. No longer can use my calendar.
Posted: 2016-07-16 @ 9:48am PT
Why can't we add folders?
Posted: 2016-07-14 @ 2:32pm PT
So is this the reason my keyboard doesn't work most of the time on my new laptop? I have had for only 4 weeks.
Posted: 2016-07-14 @ 10:17am PT
Windows 10 is just crap.