A small update to Firefox 69 was released last week: 69.0.1. The new version addresses a single security vulnerability, fixes a rather annoying new bug that caused processes launched from Firefox to be hidden by Firefox, and fixes a few other minor issues.
Check your version of Firefox by clicking its ‘hamburger’ menu button at the top right, then navigating to Help > About Firefox. If a newer version is available, you’ll see an Update button.
If you’ve ignored the almost continuous advice of IT experts over the last decade or so, and are still using Internet Explorer for web browsing, you should stop what you’re doing and install a new security update, just released by Microsoft.
The update fixes a critical vulnerability (CVE-2019-1367) in IE 9, 10, and 11 that could allow a remote attacker to execute code on your computer, if they are able to trick you into visiting a specially-crafted web page.
Even if you don’t actively use IE, if it’s installed on your Windows computer (and it almost always is), you may run it accidentally, or it may become the default web browser because of another Microsoft update. In other words, everyone running Windows 7, 8.1 and 10 needs to install the fix, which exists in several different versions, each for a specific combination of Windows version and IE version (as outlined in Microsoft’s related security bulletin).
For example, on my main Windows computer, on which I run 64-bit Windows 8.1 and IE 11, the relevant update is designated 4522007.
These updates are not available via Windows Update. To install the update for your computer, follow the appropriate link in the security bulletin. Eventually you’ll end up at the Microsoft Update Catalog. Locate the update you want, then click the Download button to begin.
Like it or not, Chrome is the web browser that’s taking over the world. I use Chrome sparingly these days, mainly because recent versions have problems playing streaming video reliably, and because it seems to drain system resources more than other browsers — especially on mobile devices.
Still, Chrome has a lot going for it, and it remains a solid alternative to Firefox and the numerous browsers that, like Chrome, are based on the Chromium engine. Google welcomes — and indeed, rewards — vulnerability reports, and they act quickly to fix and release updates for Chrome.
Chrome 77.0.3865.90 includes fixes for four security vulnerabilities, all of which were reported by researchers not employed by Google. The full change log lists a few minor tweaks and obscure bug fixes.
Check your Chrome version and update it to the latest version by clicking the browser’s ‘three vertical dots’ menu button and navigating to Help > About Google Chrome.
Two new versions of Opera were released recently. The first, Opera 63.0.3368.88, includes security fixes and crash fixes. The release announcement doesn’t mention the vulnerabilities addressed in 63.0.3368.88, and neither does the change log, which is annoying. Presumably it’s left as an exercise for the user to research vulnerabilities in Opera, as documented on sites like Mitre.
The second new version, Opera 63.0.3368.94, sports a new version of the Chromium engine and more crash fixes. Again, there’s not much to learn from the release announcement or change log.
To check the version of Opera you’re running and install any available new version, click Opera’s menu button (the big ‘O’ at the top left usually) and navigate to Update & Recovery…
On September 10, Google released a new version of Chrome that includes fifty-two fixes for security vulnerabilities. The full change log lists almost seventeen thousand changes in all, so I’m going to assume that there’s nothing in there worth mentioning, aside from the security fixes. Presumably, if Google wanted to highlight any of the changes, they’d be outlined in the official release notes for Chrome 77.0.3865.75.
As is often the case with Chrome security vulnerabilities, many of those addressed in Chrome 77.0.3865.75 were discovered and reported by independent security researchers. There’s a list of those fine folks in the release notes, along with the rewards they earned from Google for their work.
To update Chrome, click its ‘three dots’ menu and navigate to Help > About Google Chrome. If there’s a newer version than the one you’re running, you should see an update link.
It’s another Patch Tuesday, and this month we have the usual pile from Microsoft, along with a new version of Flash.
Analysis of the summary spreadsheet — helpfully provided by Microsoft on the Security Update Guide site — shows that there are forty-nine updates, addressing eighty vulnerabilities in Windows, Internet Explorer, .NET, Edge and Office. Seventeen of the vulnerabilities are critical.
Those of you running Windows 10 will get these updates automatically, unless you’ve explicitly configured Windows to delay updates. Everyone else should navigate to Windows Update in the Windows Control Panel or Windows Settings.
The new version of Flash is 32.0.0.255. It addresses two critical security bugs in earlier versions, both of which were discovered and reported by independent security researchers.
Anyone who still uses Flash, especially if it’s enabled in any web browser, should update Flash as soon as possible. Go to the Flash applet in the Windows Control Panel to check your version and install the new version.
The latest Firefox includes fixes for at least twenty security vulnerabilities, and improves overall privacy and security by enabling Enhanced Tracking Protection by default.
When enabled, Firefox’s Enhanced Tracking Protection reduces your exposure to the information-gathering efforts that otherwise silently occur when you browse. It also provides protection against cryptominers, which surrepticiously use a portion of your computer’s resources to make money for someone else.
New in Firefox 69.0 is a feature that allows you to block any video you encounter, not just those with autoplayed audio: Block Autoplay.
The ‘Always Activate’ option for Flash content has been removed. Firefox now asks for permission before it will play any Flash content.
Default installations of Firefox will usually update themselves, but if you’re not sure what version you’re running, click the browser’s ‘hamburger’ menu button at the top right, then navigate to Help > About Firefox.
The latest version of Chrome (Google’s browser, not the open source Chromium project upon which it is based) is 76.0.3809.132. The new version provides fixes for three security vulnerabilities, some of which were discovered and reported by independent researchers.
If you love digging into dry technical details, the Chrome change log is for you. The new version’s log is at least brief. A cursory scan shows nothing particularly interesting.
Chrome usually updates itself, albeit somewhat mysteriously, since Google’s update schedule is unclear and possibly varies widely from update to update. Google’s update mechanisms also occasionally stop working — silently. It’s a good idea to check which version you’re running and install a new version if it’s offered on the Help > About Google Chrome dialog (click the ‘three dot’ menu button at the top right of Chrome’s user interface).
One security fix and a handful of other bug fixes were released in the form of Firefox 68.0.2 on August 14.
The lone security fix closes a hole in the way Firefox handles saved passwords. Before Firefox 68.0.2, it was possible to extract password information from the browser’s encrypted password database — even when it was protected by a master password — without entering the master password. That’s a rather large and (at least to anyone who uses Firefox’s password store with a master password) disturbing security hole.
As always, you can wait for Firefox to update itself, or expedite things by navigating the browser’s ‘hamburger’ menu to Help > About Firefox.
It’s another day of updates, with the usual load from Microsoft, and a new version of Reader from Adobe.
Analysis of the monthly data dump from Microsoft’s Security Update Guide shows that this month we have fifty-two updates (with associated bulletins), addressing ninety-five vulnerabilities in Office applications, Windows, Internet Explorer 9 through 11, Edge, Exchange, SharePoint, and Windows Defender.
Twenty-nine of the vulnerabilities are characterised as having Critical severity, and all of the usual nightmarish potential impacts are represented, including Denial of Service, Elevation of Privilege, Information Disclosure, Remote Code Execution, Security Feature Bypass, Spoofing, and Tampering.
If you’re running Windows 10, there’s not much you can do to avoid these updates, although you can at least delay them. The risks associated with installing updates as soon as they become available are still arguably lower that the risks of delaying them as much as possible, or somehow avoiding them altogether.
In this particular case, however, you definitely should install the updates immediately. That’s because they include fixes for a set of dangerous vulnerabilities in RDS (Remote Desktop Services) in all versions of Windows, including Windows 10. Still not convinced? This month’s updates also include a fix for a terrible vulnerability in the Text Services Framework that’s existed in all versions of Windows since XP. The RDS and Text Services vulnerabilities were discovered very recently; no related exploits or attacks have been observed, but it’s a safe bet that malicious persons are working on exploits right now.
Anyway, as always, Windows Update is your friend. Your annoying, can’t-seem-to-shake-them kind of friend.
Adobe released updates for several of its products today, of which only Acrobat Reader presents a significant risk, because malicious hacker types enjoy embedding various kinds of nastiness in PDF files, pretty much every computer on Earth has Acrobat Reader installed, and most people with computers open PDF files without even thinking about the risk.
The latest Acrobat Reader (DC Continuous, which is the variant most likely to be installed on your computer) is version 2019.012.20036. It addresses at least seventy-six security vulnerabilities in previous versions. The release bulletin gives credit to a number of non-Adobe security researchers who discovered and reported some of the vulnerabilities.
You can check your version of Acrobat Reader by navigating its menu to Help > About Adobe Acrobat Reader DC. Also on the Help menu is the handy Check for Updates option, which is probably the easiest way to update Reader.
boot13