Category Archives: Patches and updates

Java 8 Update 151: twenty-two security fixes

Although it’s rapidly losing its relevance, Java still poses a security risk for any computer on which it’s installed. Java’s dangers are significantly lower now than in the past because, of all the major browsers, only Internet Explorer still runs Java code. All the others have stopped supporting Java completely.

Those of you still using Java, especially in Internet Explorer, should install Java 8 Update 151, because it includes fixes for twenty-two security vulnerabilities.

The easiest way to update Java is to visit the official Verify Java Version page, which will provide an update link if you’re running an out-of-date version.

Chrome 62.0.3202.62: thirty-five security fixes

If you want to test your web browser’s performance and memory management, just point it to the full change log for Chrome 62.0.3202.62. It’s a behemoth, documenting over ten thousand distinct changes.

Given the number of changes in Chrome 62.0.3202.62, I decided to skip reading the log and trust that Google would point out anything interesting in the release announcement.

The announcement for Chrome 62.0.3202.62 documents thirty-five fixes for security vulnerabilities, so clearly this is an important update. As for the other changes, Google says only this:

Chrome 62.0.3202.62 contains a number of fixes and improvements — a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 62.

Chrome usually updates itself within a few days of a new release. You can trigger an update by navigating to the About page: click the three-vertical-dots menu button, then Help > About Google Chrome.

Firefox 56.0.1: 64 bits for the rest of us

On October 9, Mozilla released Firefox 56.0.1, which is notable in that it’s the first version that will automatically upgrade 32-bit Firefox to 64-bit Firefox. The 64-bit version has been available for a while, but Mozilla chose to hold off automatically upgrading 32-bit installs to 64-bit until now.

As usual, there was no announcement for Firefox 56.0.1 from Mozilla. Not even CERT helped here, since the new version doesn’t contain any security fixes. I learned about the new version when Firefox itself prompted me to upgrade on October 18, more than a week after the release.

On the positive side, the upgrade from 32- to 64-bit Firefox on my Windows 8.1 computer worked flawlessly. Somewhat oddly, the 64-bit version installed in the same directory as the 32-bit version: C:\Program Files (x86)\Mozilla Firefox. On 64-bit versions of Windows, 64-bit applications usually get installed in C:\Program Files. Regardless, I haven’t experienced any new problems or strange behaviour, and my old Firefox shortcuts still work. According to Mozilla, the 64-bit version of Firefox is demonstrably more stable and secure.

Firefox 56.0.1 includes a single bug fix, unrelated to security.

Flash 27.0.0.170 fixes one security issue

And just like that, we get another version of Flash, this one addressing a single security vulnerability. From the security bulletin: “Adobe is aware of a report that an exploit for CVE-2017-11292 exists in the wild, and is being used in limited, targeted attacks against users running Windows.”

Anyone still using Flash in their web browser should install the new version as soon as possible. You can check which version you’re running and download the new one at the Flash version checker and download page.

As usual, Chrome will get the new Flash via its own internal update system, and Microsoft browsers will be updated via Windows Update.

No security fixes in latest Flash: 27.0.0.159

A new version of Flash includes a few bug fixes and other functionality changes, but no security fixes. Still, you’ll most likely need to update Flash in your browser to view Flash content.

As usual, Chrome will get the new Flash via its own internal update system, and Microsoft browsers will be updated via Windows Update.

October 10, 2017: Patch Tuesday

Imagine a world in which there were no software updates; no security vulnerabilities; no bugs at all. The idea of such a place makes me happy. This utopia is destined to remain a fantasy, sadly. All software has bugs, and that will never change.

Inspection of Microsoft’s Security Update Guide (SUG) as of 10am today shows the usual massive list of updates, only some of which will affect most of us. You can wade into that if you have some time and access to painkillers, or you can download the list and open it in Excel, which is a lot easier to work with, and is what I do.

Analysis of the update data shows that there are fifty updates this month. Sixteen of those updates are flagged as Critical. A total of sixty-seven vulnerabilities in Windows, Office, Internet Explorer, and Edge are addressed.

As usual, the announcement of this month’s updates does little more than tell us what we already knew: that there are updates today, and where to find them.

Time to patch those computers!

Update 2017Oct11: The Register points out that while vulnerabilities affecting Windows 10 are being patched by Microsoft as soon as they are identified, Windows 7 and 8 systems don’t get those updates until the next Patch Tuesday. This creates an opportunity for malicious persons to analyze the Windows 10 updates and create exploits that work on Windows 7 and 8.

Firefox 56.0 released

It’s a major new version number, but there’s not much to get excited about in Firefox 56.0, unless the ability to take screenshots in your browser was on your wish list.

Also new in Firefox 56.0 is the Send Tabs feature, which allows you to send web page links to your other devices. Right click on any web page and select Send Page To Device to try it. I suppose it’s easier than sending yourself email.

Starting with version 56.0, Firefox’s web form autofill feature can fill in address fields. I didn’t even know this was missing in previous versions. In any case, this feature is currently only available for users in the USA; it will be made available in other countries in the coming weeks.

Firefox’s preferences (Options) pages have been reorganized and cleaned up significantly. There’s now a search box on the Options page, which should make finding that elusive setting a bit easier. The explanatory text associated with many options has been improved for clarity. The privacy options and data collection choices have been reworked so they are better aligned with the updated Privacy Notice and data collection strategy.

Finally, media on background tabs will no longer play automatically; it will only start playing once the associated tab is selected.

The release notes for Firefox 56.0 have additional details.

Chrome 61.0.3163.100

There are exactly fifty-seven items in the change log for Chrome 61.0.3163.100. Some of those changes are version increments and other housekeeping; about forty are actual changes to functionality. Most of those changes are fixes for minor issues. Three of the fixes are for security issues.

If you’ve stopped trying to prevent Chrome from updating itself, it will no doubt proceed with this update automatically. But since the new version includes security fixes, it’s a good idea to make sure. Click the main menu button (three vertical dots at the top right of Chrome’s window), then Help > About Google Chrome.

Vivaldi 1.12: bug fixes and some useful improvements

In response to frequent requests from users, the folks who make Vivaldi have finally added an Image Properties feature to the browser. Right-click an image on a web page and select ‘Image Properties’ to display a dialog showing the image’s URL, dimensions, binary size, and more.

Download management is somewhat easier in Vivaldi 1.12: the list of downloaded files can now be sorted by type, name, size, date added, date finished, and address. There’s a new panel at the bottom of the download sidebar that shows the details for a selected download.

Vivaldi’s Accent Color feature changes the browser’s colour scheme to match the web site currently being viewed. I personally find this kind of thing distracting, but there’s no accounting for taste. If you use this feature, you’ll be happy to know that Vivaldi now has a setting that determines the intensity of the accent color effect.

Vivaldi 1.12 includes fixes for about fifty bugs from earlier versions. None of the changes appear to be related to security. You can see all the details in the release announcement.

CCleaner malware incident

A recent version of the popular Windows cleanup tool CCleaner contains malware, apparently added by malicious persons who gained access to a server used by the software developer, Piriform.

The malware was found only in the 32-bit version of CCleaner 5.33.6162. No other versions were affected.

Piriform reacted quickly to the discovery, and yesterday released a new version: CCleaner 5.34.

If you have CCleaner installed on any Windows computers, you should make sure you’re running version 5.34, and if not, install it as soon as possible.

Update 2017Sep23: The server that was breached is actually managed by Avast, which purchased CCleaner software developer Piriform in July.

Ongoing analysis of the hack revealed that this may have been a state-sponsored attack, and that it specifically targeted high profile technology companies. Apparently the malware in the compromised version of CCleaner contained a second payload that was only installed on about twenty computers at eight tech companies.