To provide best-in-class encryption, and to ensure the service is more secure by default, Microsoft is moving all of its online services to Transport Layer Security (TLS) 1.2+

Office 365 will be retiring TLS 1.0 and 1.1 starting June 1, 2020. This means that all connections to Office 365 using the protocols TLS 1.0 and TLS 1.1 will not work so prior to June 1, 2020.

Plan to replace clients and devices that rely on TLS 1.0 and 1.1 to connect to Office 365.

The TLS protocol aims primarily to provide privacy and data integrity between two or more communicating computer applications. It is an IETF standard intended to prevent eavesdropping, tampering and message forgery. Transport Layer Security (TLS), and the deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communications security over a computer network and the protocols find are uses in applications such as: web browsing, email, instant messaging, and voice over IP (VoIP). Websites use TLS to secure all communications between their servers and web browsers. The latest version – TLS 1.3 – is an overhaul that strengthens and streamlines the crypto protocol.

The work on TLS1.3 started in April 2014, and it took four years and 28 drafts before it was approved in March of 2018. Version 1.3 makes the handshake process faster by speeding up the encryption process. This has a security benefit, and will also improve performance of secure web applications. With TLS 1.2, the handshake process involved several round trips, whereas with 1.3 only one round is required, and all the information is passed at that time. In addition to security improvements, TLS 1.3 eliminated a number of older algorithms that did nothing other than create vulnerabilities.The updated protocol added a function called “0-RTT resumption” that enables the client and server to remember if they have communicated before.

The PCI compliance standards require that any site accepting credit card payments uses TLS 1.2 after June 30, 2018 Services such as PayPal, Authorize.net, Stripe, UPS, FedEx, and many others already support TLS1.2, and have announced that they will eventually refuse TLS 1.0 connections. This means your safest action is to upgrade to TLS 1.2+/3 sooner than later to avoid disruption. It also likely to be a consideration for GDPR compliance in the event of a breach if using an older protocol.

Microsoft’s latest SSU helps fix a bug in Secure Boot that interferes with Windows’ BitLocker encryption system. The updates are available from the Microsoft Update Catalog or through Windows Server Update Services (WSUS).

Microsoft said it “strongly recommends” that users and admins install this latest SSU before installing the latest cumulative update, which was released along with this month’s Patch Tuesday updates. This month’s updates brings a fix for a Win32k zero-day, marked as CVE-2019-1132, which was part of an attack used by Kremlin-backed hackers. The researcher at ESET, Anton Cherepanov, found the exploit for the flaw which doesn’t affect Windows 10 or Windows 8 but it does impact older versions including Windows 7 SP1, Windows Server 2008 SP2, and Windows Server R2 SP1. Cherepanov noted that the technique used in the current exploit is “very similar” to one used before 2017 by the advanced hacking group called Sednit, aka Fancy Bear, APT28, STRONTIUM, and Sofacy. Windows 8 and later block a key component of the exploit chain, which is why the flaw only affects earlier versions of supported Windows versions. He notes that Microsoft back-ported the Windows 8 mitigation to Windows 7 for x64-based systems.

Bugs like this are one reason Windows 7 users should follow Microsoft’s advice to upgrade. Those who still use Windows 7 for 32-bit systems Service Pack 1 should update to newer operating systems, since extended support of Windows 7 Service Pack 1 ends on January 14, 2020. Which means that Windows 7 users will then no longer receive critical security updates. Thus, vulnerabilities like this one will stay unpatched forever.

This is not the only fix – the Microsoft patches address 77 security flaws, including 15 rated “critical.”
In May this year patches were also released for BlueKeep’s – the ability to automatically spread from one vulnerable machine to another – could be exploited in an attack on the same global scale as WannaCry, whose worm capabilities were enabled by EternalBlue, the leaked NSA exploit for the SMBv1 file-sharing protocol. The NSA urged admins to patch the flaw and change configurations to prevent potential attacks. Its warning followed research that found that at least one million Windows computers were still vulnerable to BlueKeep. The NSA said it was “likely only a matter of time” before attacks emerged.

Last week there were Windows Updateof security and reliability fixes for Windows 7 as part of the normal Patch Tuesday delivery cycle for every version of Windows. icrosoft split its monthly update packages for Windows 7 and Windows 8.1 into two distinct offerings: a monthly rollup of updates and fixes and, for those who are want only those patches that are absolutely essential, a Security-only update package. Under Microsoft’s rules, what it calls “Security-only updates” are supposed to include,only security updates, not quality fixes or diagnostic tools. However, this month’s Security-only update, the “July 9, 2019—KB4507456 (Security-only update),” bundled in the Compatibility Appraiser, KB2952664, which is designed to identify issues that could prevent a Windows 7 PC from updating to Windows 10.

The concern is that these components are being used to prepare either for another round of forced updates or to spy on individual PCs. The word telemetry appears in at least one file, and for some it seems to be a short step from innocuous data collection to spyware. Microsoft appeared to be surreptitiously adding telemetry functionality to most of its solutions. Microsoft has slipped this functionality into a security-only patch without any warning, thus adding the “Compatibility Appraiser” and its scheduled tasks (telemetry) to the update. The package details for KB4507456 say it replaces KB2952664 (among other updates). So this is not a security-only update.

The Appraiser tool was offered via Windows Update, both separately and as part of a monthly rollup update two years ago; as a result, most of the declining population of Windows 7 PCs already has it installed. Given the headaches users faced over unwanted upgrades back in Windows 10’s first year why is Microsoft reluctant to talk about security issues except in formal settings like release notes and support bulletins.

This has already been an exhausting week thanks to a pair of Windows 10 zero-day exploits being used in the wild, by Kremlin-backed hackers.

The 19H2 release of Windows 10, which will probably be called the Windows 10 October 2019 Update, will not include a list of new user-facing features. Instead, it will deliver “select performance improvements, enterprise features and quality enhancements.”

This update “will install like a monthly update” on PCs that are running the latest Windows 10 release, version 1903. In other words its what we would call a service pack even if Microsoft no longer does. Devices on any currently supported version of Windows 10 will only need to reboot once to update them to 19H2. The 19H2 release will be fully supported for 30 months. While still n aggressive update schedule for some IT departments that is a lot easier to live with than 6 monthly updates. (The update is the last Windows 10 release before the end of free support for Windows 7 on January 14, 2020. )

For OEM and retail Windows editions, even Windows 10 Home, feature updates are no longer immediately mandatory. The twice-yearly feature updates are offered on PCs that Microsoft’s algorithms deem suitable; but the feature update is to be offered as an optional update that the PC’s owner has to approve manually. You’re can ignore that prompt for as long as the current version is supported, or a maximum of 18 months.

For businesses with PCs running Windows 10 Pro, the updates are delivered with the same 18-month support cycle. The difference is that administrators can defer monthly cumulative updates by up to 30 days and can defer feature updates by up to 365 days. On a PC with Windows 10 Settings app or applied Group Policy to defer feature updates, the option to update to the next release doesn’t appear at all until the deferral period ends or the current version reaches its end-of-support. Companies that run Windows 10 Pro should plan for an annual Windows 10 feature update – any .than 12 months, but and you may hit an end-of-support date and a forced feature update.

Customers running Windows 10 Enterprise and Education get the longest support calendar, \. The March updates will have an 18-month support cycle for all editions, whereas the September release will get the longer, 3 install version 1903 late in 2019 and plan to install the 19H2 release as a lightweight update when it’s ready. With that “service pack” in place, they can leave those PCs alone for two full years, until the second half of 2021.0-month support cycle for Enterprise and Education editions. (All Windows 10 Pro releases are supported for 18 months.)

To ensure updates don’t happen at the wrong time see this post:
https://www.techrepublic.com/article/how-to-control-updates-in-windows-10/?ftag=CMG-01-10aaa1b

P.S. Dark mode to reduce eye strain MacOS got dark mode last year in Mojave, . Android also got a dark mode setting last year, and the upcoming Android Q will make it easy to turn on. You can similarly dim the lights in Windows 10 = Go to Settings, tap Personalization, tap Colors and then under Choose your default app mode, choose Dark.