Microsoft postpones TLS 1.0 and 1.1 deprecation to second half of 2020

Microsoft announced yesterday that its plan to disable the security protocols TLS 1.0 and TLS 1.1 in the company’s browsers has been postponed. The company wanted to disable the security protocols in the first half of 2020 initially but decided to postpone this in light of current global events.

All major browser makers pledged to disable the aging security protocols TLS 1.0 and 1.1 in the first half of 2020. Some, like Mozilla, went ahead with the change but reverted it when it became clear that some government sites still relied on these protocols. Users of Firefox could not access these sites anymore because of the disabled protocols. Mozilla re-enabled the protocols to make sure that Firefox users worldwide are able to access important sites in a time of crisis.

Microsoft’s updated plan for discontinuing support for TLS 1.0 and 1.1 is as follows:

  • New Chromium-based Microsoft Edge: TLS 1.0 and 1.1 will be disabled by default “no sooner than Microsoft Edge version 84”. The browser is scheduled for a July 2020 release.
  • Classic Microsoft Edge browser: TLS 1.0 and 1.1 will be disabled by default on September 8, 2020.
  • Microsoft Internet Explorer 11: TLS 1.0 and 1.1 will be disabled by default on September 8, 2020.

Options are provided to enable TLS 1.0 and 1.1 if required. Users find the settings to enable TLS 1.0 and TLS 1.1 in the Internet Options under Advanced.

Administrators may also change the settings in the Windows Registry. Here is how that is done:

  1. Open the Windows Registry Editor, e.g. by using Windows-R to open the run box, typing regedit.exe, and hitting the Enter-key.
  2. Confirm the UAC prompt that is spawned.
  3. Go to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
  4. For TLS 1.0, do the following:
    1. If you don’t see a TLS 1.0 entry, create one by right-clicking on Protocols and selecting New > Key. Name the key TLS 1.0.
    2. Right-click on TLS 1.0 and select New > Key. Name it Client.
    3. Right-click on the newly created Client key and select New > Dword (32-bit) Value. Name it Enabled.
    4. The default value is 0 which means that TLS 1.0 is disabled. To enable it, set the value to 1 instead.
  5. For TLS 1.1, do the following:
    1. If you don’t see a TLS 1.1 entry, create one by right-clicking on Protocols and selecting New > Key. Name the key TLS 1.1.
    2. Right-click on TLS 1.1 and select New > Key. Name it Client.
    3. Right-click on the newly created Client key and select New > Dword (32-bit) Value. Name it Enabled.
    4. The default value is 0 which means that TLS 1.1 is disabled. To enable it, set the value to 1 instead.
  6. Exit the Registry Editor and restart Windows.
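
The same Registry steps as a script, which also reports the current state so that machines with the legacy protocols re-enabled can be found and switched back later. This is an added example, not part of the original article; the function and variable names are hypothetical, and "not set" means that no Enabled value exists under the Client key.

```powershell
# Added example: audit and set the SCHANNEL client switches for TLS 1.0 / 1.1.
# Run from an elevated PowerShell prompt; changes apply after a restart.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-LegacyTlsClientState {
    # Hypothetical helper: one row per legacy protocol with the current Enabled value.
    foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
        $key = "$SchannelProtocols\$proto\Client"
        $value = $null
        if (Test-Path -LiteralPath $key) {
            $value = (Get-ItemProperty -LiteralPath $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        }
        [pscustomobject]@{
            Protocol = $proto
            Enabled  = if ($null -eq $value) { 'not set' } else { $value }
            Key      = $key
        }
    }
}

function Set-LegacyTlsClientState {
    # Hypothetical helper: writes the same Enabled DWORD as the manual steps.
    param(
        [Parameter(Mandatory)][ValidateSet('TLS 1.0', 'TLS 1.1')][string]$Protocol,
        [Parameter(Mandatory)][ValidateSet(0, 1)][int]$Enabled
    )
    $key = "$SchannelProtocols\$Protocol\Client"
    # Create "TLS 1.x" and "Client" only if missing, so existing values are kept.
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    New-ItemProperty -LiteralPath $key -Name Enabled -PropertyType DWord -Value $Enabled -Force | Out-Null
}

Get-LegacyTlsClientState | Format-Table -AutoSize
# To switch a protocol off again once the legacy site is no longer needed:
# Set-LegacyTlsClientState -Protocol 'TLS 1.0' -Enabled 0
```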

You can use a service such as the SSL/TLS Client Test by Browserleaks to list the supported protocols of the browser.

Now You: Have you visited sites recently that rely on these older protocols?

Thank you for being a Ghacks reader. The post Microsoft postpones TLS 1.0 and 1.1 deprecation to second half of 2020 appeared first on gHacks Technology News.

0Patch releases patch for Internet Explorer vulnerability (also for Windows 7)

Microsoft ended support for the company’s Windows 7 operating system on January 14, 2020 and revealed a day later that it would no longer support Internet Explorer 11 on Windows 7 either. The timing was as bad as it could be, considering that a vulnerability affecting Internet Explorer, which Microsoft rated critical (the highest severity rating), was discovered after support ended.

Microsoft confirmed that it was aware of limited attacks targeting the vulnerability and that administrators should expect a patch to arrive on the second Tuesday of February, the company’s monthly Patch Tuesday.

Administrators may apply a workaround on systems to protect against attacks.

Microsoft will provide the patch for Enterprise customers and businesses that are subscribed to the Extended Security Updates program. Home users on the other hand cannot join the program to extend support for Windows 7 by up to three years.

While it is still up for debate whether Microsoft will release a patch for Internet Explorer 11 on Windows 7, security company 0Patch stepped in as promised and released a micropatch that fixes the vulnerability based on a workaround that Microsoft suggested.

The company announced in late 2019 that it would create and release security updates for Windows 7 and Windows Server 2008 R2 after the official support end of both products in January 2020.

A blog post on the official 0Patch website provides details on the micropatch and how it can be applied to affected systems. According to the information, the patch is available for Windows 7, Windows 10 version 1709, 1803 and 1809, Windows Server 2008 R2, and Windows Server 2019.

Administrators who want to install the micropatch on supported devices need to download the 0Patch Agent from the company’s website to get started. It is a free program that can be installed on Windows devices.

Note that it is necessary to register a free account as you need to sign in to the application. Once you are signed in, data is synced between the local system and the server to determine the patch state of the system. The program lists patches that are available for free and for purchase in the interface; all it takes is to get the Internet Explorer 11 patch installed for the system to protect it against attacks that target the vulnerability.

0Patch states that its patch does not cause the side-effects that Microsoft’s workaround is causing (web applications that make use of jscript.dll will not work anymore).

Administrators who run the 0Patch Agent software on their devices may toggle patches on or off in the interface.

Closing Words

It will be interesting to see if Microsoft will release the patch for unsupported versions of Windows 7 or Windows Server 2008 R2. If you still use Windows 7 or Windows Server 2008 R2, you may want to consider using the micropatch instead to protect systems against attacks.

Now You: do you think that Microsoft will release a patch for unsupported versions of Windows?

Internet Explorer 11 on Windows 7 is no longer supported

Microsoft ended its support for the company’s Windows 7 operating system last week officially. While Enterprise and business customers may extend support by up to three years, it is no longer supported for Home users and customers who don’t purchase support extensions.

The new Microsoft Edge web browser that is based on Chromium has been released for Windows 7 at a surprising time; it was released one day after Microsoft ended support for Windows 7 and the company revealed already that it will continue to support the browser for the foreseeable future on Windows 7.

Windows 7 users who prefer Internet Explorer 11 (is there anyone that does?) may download the latest version of the web browser from the Microsoft website. A visit to the download page brings a surprising revelation: Internet Explorer 11 is no longer supported, unlike Edge, which continues to be supported.

Microsoft modified the download page on January 15, 2020, the day the Chromium-based Microsoft Edge browser was released and one day after support of Windows 7 ended officially.

The company states on the download page:

If you’re running Windows 7, the latest version of Internet Explorer that you can install is Internet Explorer 11. However, Internet Explorer 11 is no longer supported on Windows 7. Instead, we recommend you install the new Microsoft Edge. The new Microsoft Edge was built to bring you the best of the web, with more control and more privacy as you browse.

While it is still possible to download 32-bit and 64-bit versions of Internet Explorer 11, Microsoft does not fail to highlight a second time that Internet Explorer 11 is no longer supported.

The end of support notification leads to an interesting question: will Microsoft fix the recently discovered security vulnerability in Internet Explorer 11 for systems running Windows 7?

Considering that Internet Explorer 11 is still used, especially in corporate environments, and that Microsoft extended support for paying Enterprise and business customers, it is fairly certain that the vulnerability will be fixed. The big question is whether the patch will be available for unsupported versions of Windows 7 or if it will be reserved for systems subscribed to the Extended Security Updates program.

Now You: do you still run Internet Explorer? (via Deskmodder)

Microsoft releases emergency Internet Explorer security update

Microsoft released an out-of-band emergency security update for Internet Explorer on September 23, 2019 for all supported versions of Windows.

The emergency update is only available on the Microsoft Update Catalog website at the time of writing and not through Windows Update or WSUS.

Some support articles provide little information. The Windows 10 update description simply states “Updates to improve security when using Internet Explorer” without going into further detail. The page links to the Security Update Guide which, after some digging, leads to the CVE of the vulnerability.

The support page for the cumulative update for Internet Explorer offers more information and a direct link to the CVE.

It states:

This security update resolves a vulnerability in Internet Explorer. A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could run arbitrary code in the context of the current user. The security update addresses the vulnerability by changing how the scripting engine handles objects in memory.

The same information is provided on the CVE page as well. Microsoft notes that an attacker could take control of the attacked system if the attack succeeds which would allow the attacker to install or remove programs, view, change or delete files, or create new user accounts.

The security issue is exploited actively according to Microsoft; an attacker could create a specifically prepared website to exploit the issue in Internet Explorer.

Microsoft published a workaround to protect systems if the released updates cannot be installed at this point. The workaround may reduce functionality “for components or features that rely on jscript.dll”.

The commands need to be run from an elevated command prompt.

Workaround for 32-bit systems:

  • takeown /f %windir%\system32\jscript.dll
  • cacls %windir%\system32\jscript.dll /E /P everyone:N

Workaround for 64-bit systems:

  • takeown /f %windir%\syswow64\jscript.dll
  • cacls %windir%\syswow64\jscript.dll /E /P everyone:N
  • takeown /f %windir%\system32\jscript.dll
  • cacls %windir%\system32\jscript.dll /E /P everyone:N

The workaround can be undone by running the following commands from an elevated command prompt:

Undo 32-bit:

  • cacls %windir%\system32\jscript.dll /E /R everyone

Undo 64-bit:

  • cacls %windir%\system32\jscript.dll /E /R everyone
  • cacls %windir%\syswow64\jscript.dll /E /R everyone
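
To confirm which state a machine is in before applying or after undoing the workaround, the ACL of each jscript.dll copy can be checked for a deny entry for Everyone. This is an added example, not part of Microsoft's advisory or the original article; the function name is hypothetical, and it assumes that the everyone:N permission appears as a deny entry in the file's ACL.

```powershell
# Added example: report whether the Everyone deny entry from the workaround is present.
# Run from an elevated 64-bit PowerShell prompt so system32 is not redirected to syswow64.
function Get-JscriptWorkaroundState {
    $paths = @("$env:windir\system32\jscript.dll")
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += "$env:windir\syswow64\jscript.dll"
    }
    foreach ($path in $paths) {
        try {
            $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
            # Resolve identities to SIDs so the check works on non-English Windows;
            # S-1-1-0 is the well-known SID of the Everyone group.
            $deny = @($acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
                Where-Object { $_.IdentityReference.Value -eq 'S-1-1-0' -and $_.AccessControlType -eq 'Deny' })
            [pscustomobject]@{
                Path           = $path
                Owner          = $acl.Owner
                EveryoneDenied = $deny.Count -gt 0
                DeniedRights   = ($deny | ForEach-Object { $_.FileSystemRights }) -join ', '
            }
        }
        catch {
            # Reading the ACL can fail when the current account is not the file owner.
            [pscustomobject]@{
                Path           = $path
                Owner          = $null
                EveryoneDenied = $null
                DeniedRights   = "error: $($_.Exception.Message)"
            }
        }
    }
}

Get-JscriptWorkaroundState | Format-List
```

Note that the undo commands remove the Everyone entry but leave the file owner as set by takeown, which the Owner column makes visible.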

List of updates that fix the vulnerability:

What about Windows Updates?

Microsoft has not released the update via Windows Update or WSUS. Susan Bradley notes that the company could release the update on September 24, 2019 via Windows Update and WSUS but that has not been confirmed by Microsoft.

It is a bit puzzling that Microsoft releases an out-of-band security update that addresses an issue that is exploited in the wild but chooses to release it as an update that needs to be downloaded and installed manually only.

Closing Words

Should you install the update right away or not? It is a security update, but it is only available via the Microsoft Update Catalog website at the time of writing.

I would still recommend installing it, but you should create a system backup first, e.g. using Macrium Reflect or Paragon Backup & Recover Free, as one never knows these days whether updates introduce unwanted side effects or issues of their own.

Now You: install or wait, what is your position?

How to use multiple Microsoft Accounts in the new Microsoft Edge browser

The Chromium-based Microsoft Edge web browser that Microsoft is working on currently supports a number of features that the classic Edge browser does not support.

One of these is the ability to add multiple Microsoft Accounts and non-Microsoft accounts to the browser to switch between them.

Each profile comes with its own set of personal data and saved data, e.g. passwords or browsing data, and if a Microsoft Account is used, may use synchronization to sync the data between devices.

Using multiple profiles in Microsoft Edge

Microsoft Edge displays a profile icon in the top toolbar; a click on the icon displays information about the current profile. If you did not sign in to a Microsoft Account previously, you will find that a local profile is used.

The core difference between local and Microsoft Accounts in Edge is that the former don’t support syncing while the latter do.

The option to sign in to a Microsoft Account is provided in the popup that opens when you click on the profile icon.

All existing profiles are listed in the popup as well as options to start a guest browsing session, add a new profile, or open the profile settings.

A click on “add profile” displays options to create a new user profile in Microsoft Edge right then and there. You may pick a different profile icon and select a name for the profile. Options to sign in using a Microsoft Account are not provided in the menu; this needs to be done in the settings or when you switch to the profile.

The best way to manage profiles is to either click on the “manage profile settings” link or load edge://settings/people directly in Microsoft Edge.

All profiles that exist on the local machine are displayed on the page that opens. One is expanded and you get options to edit or remove it, and to sign in to a Microsoft account or sign out.

Options to manage passwords, payment information, addresses, and to import browser data are provided regardless of account type. Sync is only activated for Microsoft Accounts.

Synchronization

A click on Sync displays the syncing preferences. You may use these to select the types of data that you want to synchronize. Note that syncing means that the data is stored in the cloud.

The following information may be synced using Microsoft Accounts in the new Microsoft Edge:

  • Favorites — The browser bookmarks.
  • Extensions — Browser extensions.
  • History — The browsing history, e.g. visited pages.
  • Settings — The preferences.
  • Open tabs — All open webpages.
  • Addresses, phone numbers, and more — form data.
  • Passwords — Saved passwords for online services.

Using multiple profiles in Edge

The main benefit of running multiple profiles in a browser is that you may use it to separate data. You could create a work and home account and use them accordingly. Doing so would isolate work-related data, e.g. favorites, browsing history, or passwords, when the home account is used and vice versa. This means, among other things, that you won’t get work-related suggestions when you type in the address bar.

Local and Microsoft accounts can be mixed. You could use one Microsoft Account and a local account in Edge on a system, and two Microsoft Accounts on another.

Now You: do you use multiple profiles in your browser of choice?
