A memory leak is fixed, the Chromium browser engine updated, and a couple of Mac-specific issues addressed in the latest release of Opera, 43.0.2442.991. No security fixes are mentioned in the change log.
Another new Shockwave version was released this week by Adobe. Once again, the official release notes page for Shockwave 12 only shows 184.108.40.206 as the current version, and provides no details. There was no announcement.
A couple of years ago, Adobe changed the way Flash functionality is built into Shockwave, presumably to beef up Shockwave’s security, which up to that point included older, vulnerable versions of Flash. So it’s possible that these barely-documented Shockwave updates exist primarily to synchronize Shockwave’s security with the current version of Flash.
As usual, if you use a web browser with Shockwave enabled, you should install the new version as soon as possible.
Normally, Microsoft releases updates for Flash in Edge and Internet Explorer along with everything else on the second Tuesday of each month.
This month, something went wrong with the Windows Update system, and Microsoft pushed all the February updates to March, including an expected fix for a serious SMS flaw.
Someone at Microsoft apparently realized that this decision would leave some Flash users (those using Flash in Edge and Internet Explorer) vulnerable for an extra month. Flash vulnerabilities are targeted aggressively by malicious hackers, so this is obviously a bad thing. As a result, Microsoft has released a Flash update, one week later than originally planned.
Anyone who uses Flash in Internet Explorer or Edge should visit Windows Update and install the Flash update as soon as possible.
So we do get a Microsoft Security Bulletin Summary for February 2017 after all, but it only includes a single bulletin.
A new version of Shockwave appeared at some point in recent weeks. There was nothing like an announcement, and version 220.127.116.11 is barely mentioned on the official Shockwave release notes page. In fact, all we get is this: “Current Runtime Release Version: 18.104.22.168”.
Somewhere at Adobe, there’s at least one person who knows why Shockwave 22.214.171.124 was released. It would sure be handy if they said something about it.
If you use a web browser with Shockwave enabled, you should probably install the new version, because it may contain a security fix that Adobe just didn’t bother to mention.
In an unprecedented move, Microsoft has decided to delay all February updates until next Patch Tuesday, which is March 14. It’s still not clear exactly why this is happening, but Microsoft is working on structural changes to the Windows Update system, so presumably something went horribly wrong in testing.
This is bad news for anyone who runs a server that’s vulnerable to a recently-discovered SMB flaw that was expected to be fixed with Tuesday’s updates.
Update 2017Feb23: Meanwhile, Google’s Project Zero went ahead and published the details of another vulnerability that was supposed to be fixed this month. This was done in keeping with GPZ’s own policy, but as usual Microsoft isn’t happy about it.
A new version of Flash, released yesterday, addresses at least thirteen vulnerabilities in previous versions.
According to the security bulletin for Flash 126.96.36.199, the new version fixes “critical vulnerabilities that could potentially allow an attacker to take control of the affected system.”
The release notes for Flash 188.8.131.52 describe some new features that are likely only of interest to developers.
As usual, Internet Explorer and Edge will get new versions of their embedded Flash via Windows Update, while Chrome’s embedded Flash will be updated automatically.
Anyone who still uses a web browser with Flash enabled should update it as soon as possible.
According to this MSRC TechNet post from yesterday, Microsoft “discovered a last minute issue that could impact some customers and was not resolved in time for our planned updates today.” There’s no word on when this month’s updates will be made available.
Apparently the people who develop Vivaldi believe that adding a screen capture feature to the browser is a good use of their time. Perhaps if you don’t use any other web browsers, and you only ever need to capture screenshots of web sites, and never of anything outside the browser, this would be a useful feature. The rest of us will use the much more powerful features of general-purpose screen capture tools like ShareX.
Aside from the arguably pointless addition of screen capture, Vivaldi 1.7 further improves audio handling, and includes tweaks for domain expansion in the address bar. More importantly, Vivaldi now warns users when they navigate to a non-encrypted page that prompts for a password.
You can see the complete list of changes for Vivaldi 1.7 in the official release announcement.
The folks who develop the alternative web browser Opera are working on improving page loading time, and if their own benchmarks are any indication, those efforts have paid off.
Opera 43 shows significant speed gains over Opera 42, due mainly to the introduction of two new technologies: ‘instant page loading’, which predicts the site you’re looking for as you’re typing in the address bar, and PGO, which optimizes the browser code to make it run faster when it’s most important.
The new version also includes improvements to URL highlighting/selecting. Previously, there was no way to highlight linked text. With Opera 43, highlighting linked text works as expected if you use a horizontal motion, and if you use a vertical motion, the entire link is copied, as before.
There are loads of other changes in Opera 43, as you can see from the lengthy change log. However, none of the changes seem to be related to security vulnerabilities.