Category Archives: Patches and updates

Chrome 74.0.3729.157

A new version of Chrome fixes a single security bug. Chrome 74.0.3729.157 was announced and made available on May 14, so it may have already found its way to your computer by way of Google’s rather insistent update mechanisms.

If you’re not sure which version of Chrome you’re running, click that little ‘three vertical dots’ menu button at the top right, and navigate to Help > About Google Chrome. Besides showing you the version of your current installation, this will usually prompt Chrome to check for available updates and offer to install a new version.

Patch Tuesday for May 2019

From Microsoft this month, we get forty-six updates, addressing seventy-nine distinct vulnerabilities in the usual gang of idiots, namely Windows, Office, Internet Explorer, Edge, .NET, Flash in Internet Explorer, and Visual Studio. Nineteen of the updates have been flagged with Critical severity. Head over to Microsoft’s Security Update Guide for more details.

Those of you running Windows 10 may actually be satisfied with its automatic updates, despite the problems. Either that or you’ve given up fighting Microsoft. And of course there are plenty of folks running Windows 7 and 8 with automatic updates enabled, in response to which I can only tip my hat and tell you that you’re braver than I. The rest of us will (or should) be making the trudge over to Windows Update today.

Microsoft dons a white hat

One of the updates made available by Microsoft today fixes a serious vulnerability (CVE-2019-0708) in older versions of Windows, including Windows 7, XP, and Server 2008. Despite the fact that official support for these versions has ended, Microsoft decided to make the world a slightly better place, taking the time to develop, test, and publish these updates. Which is good, because the hole being fixed is a bad one, in that it could provide a handy new conduit for malicious software worms to propagate… just like WannaCry did in 2017.

So, two things: first of all, thanks Microsoft! Second, if you run Windows 7 or Windows Server 2008 computers, please check Windows Update and install the May 2019 monthly security rollup as described on this Microsoft page. For any computers running Windows XP, you’ll have to download the appropriate update from the Microsoft Update Catalog, as decribed on this Microsoft page.

More about Microsoft’s unusual move

Adobe

Adobe logoAdobe’s contribution this month consists of new versions of Flash and Acrobat Reader. Flash 32.0.0.192 addresses a single security vulnerability, while Acrobat Reader DC 2019.012.20034 addresses a whopping eighty-four vulnerabilities in earlier versions.

Reader will generally update itself, but you can make sure by navigating its menu to Help > Check for Updates.... The easiest way to update Flash is to look for it in the Windows Control Panel. Go to the Updates tab of the Flash control panel widget and click Check Now. This will take you indirectly to the download page for Flash. Make sure you opt out of any additional software offered for install on that page.

Firefox 66.0.4 fixes major add-on problem

On May 3, Firefox users all over the world noticed that the browser’s add-ons suddenly stopped working and disappeared from the toolbar. This caused major consternation, as you might imagine. Mozilla has previously made changes to Firefox which disabled some add-ons, so there was initially some concern that this was intentional. However, it turns out that someone at Mozilla failed to renew a critical security certificate, which then expired on May 3rd.

Mozilla added certificate checking to Firefox’s add-ons (extensions, themes, search engines, language packs) some time ago to weed out malicious add-ons and prevent them from being used. When the main certificate expired, Firefox suddenly identified all add-ons as invalid, and disabled them.

Many people use Firefox without add-ons, and those people were unaffected by this problem. Some people, including myself, use add-ons to provide functionality without which Firefox is almost unusable. For example, I use uBlock Origin to prevent Javascript from running on all web pages by default, and Dark Reader to make dark-themed web pages readable.

Once people started noticing the problem, they naturally tried to find workarounds, some of which did more harm than good. Mozilla scrambled to solve the problem, and on May 4 pushed out an official, temporary workaround using a little-known Firefox feature called Studies. Once installed, this fix did re-enable add-ons for many users, but didn’t help if the Studies feature was disabled, and was only effective for desktop versions of the browser.

On May 5 a new version of Firefox was released by Mozilla. Firefox 66.0.4 includes a single change that fixes the certificate expiry problem. There are a few caveats: some add-ons may need to be re-enabled manually. Certain add-ons will remain disabled. Other add-ons may need to be reconfigured.

This was a major (and embarassing) blunder, but Mozilla handled it reasonably well, although the information they published was occasionally somewhat misleading. There’s a useful record of what happened on this Mozilla blog post.

Update 2019May10: Yesterday, Mozilla published a followup/apology post.

Chrome 74.0.3729.131

The latest Chrome browser, version 74.0.3729.131, includes fixes for a pair of security vulnerabilities. Fifty-four changes are listed in the full change log, of which about half are actual changes and not just bookkeeping.

As usual, you can let Chrome update itself on its own mysterious schedule, or trigger an update by navigating its ‘three dots’ menu to Help > About Google Chrome. There are other ways to obtain the latest version, but that’s the most straightforward.

Chrome 74.0.3729.108

According to the release announcement, Chrome 74.0.3729.108 fixes thirty-nine security vulnerabilities. The full change log lists almost fourteen thousand changes in all. Good luck absorbing all that information.

Chrome generally keeps itself up to date whether you want it to or not, which is arguably a good thing, given that a lot of malware makes its way onto computers via unpatched security holes in web browsers. You can check which version you’re currently running, and — if an update is available — trigger the update process by navigating Chrome’s ‘three dot’ menu to Help > About Google Chrome.

Java 8 Update 211

Oracle’s quarterly Critical Patch Update for Q2 2019 documents vulnerabilities and updates for its entire product line. As usual, it’s the updates to Java that are important to most users.

The Patch Update details five distinct security vulnerablities in Java 8 Update 202 and earlier versions. A new release, Java 8 Update 211, addresses these vulnerabilities. The new version includes numerous other changes, most of which are of little interest to anyone aside from developers.

Keeping Java up to date is less urgent than in the past, since most of the major web browsers stopped supporting it in recent years.

If you do use a web browser with Java enabled, which is still possible with Internet Explorer and older, unsupported versions of many other browsers, you should make sure to install the new version as soon as possible.

The simplest way to update Java is to head to the Windows Control Panel, look for the Java icon, and — if you see one — open it, then go to the Update tab and click the Update Now button. Follow the prompts to complete the process.

Microsoft relents; cedes more Windows 10 update control to users

Microsoft is finally waking up to what we’ve all been saying since before Windows 10 was released: forcing operating system updates on users is not a good idea. Amusingly, they are presenting their findings and announcing related changes as if these things were previously unknown to the world of computing.

Microsoft refers to the process of installing Windows updates as an ‘experience’, and uses adjectives like ‘great’ when describing what they want the experience to be like for users. I don’t know about you, but I’ve never thought about installing updates as a ‘great experience’. Nightmarish, never-ending, endurable, and dreaded are more familiar ways to describe my update experiences. The word I’d most like to use in connection with updates is ‘uneventful’.

Note: phrases like ‘great update experience’ were no doubt vetted by some Microsoft committee. Microsoft writers are presumably encouraged to use these phrases — and avoid negative terminology — when discussing Windows updates.

Microsoft still seems unable to understand what people actually want to ‘experience’ from a Windows update:

  1. We don’t want updates at all, really. We want software to not be full of security holes in the first place. But that’s a fantasy, and will never happen (sigh).
  2. We want updates to not cause problems. Ever.
  3. Updates should install quickly, and with minimal fuss. Giant downloads, massive storage requirements, lengthy update durations, and high CPU usage are unacceptable.
  4. It should be possible to easily, quickly, and effectively revert updates.
  5. Automatic updates are a nice option, but only if we have full control over when they occur.

Upcoming Windows Update changes

  • Download and install now option: a new option on the Windows Update page that installs ‘feature updates’, which provide new or improved functionality. Using this option effectively updates Windows 10 to the latest version in terms of features, without installing any bug or security fixes. According to Microsoft, it’s a way to get the latest features without installing anything potentially risky.
  • Extended ability to pause updates. This further extends your ability to delay installation of updates, although it’s still limited: you can delay an update up to 35 days (seven days at a time, up to five times). This one is important for Windows 10 Home users, because the feature was previously unavailable on that version.
  • Intelligent active hours. The ‘active hours’ setting, which was added in the Anniversary Update, allows you to specify a window of time during which updates should never occur. This will now adjust itself automatically, based on when it thinks the computer is actually being used. This sounds good, but in practise, it may cause more problems than it solves. We’ll see.
  • Improved update orchestration. This new feature will detect device usage, and attempt to install updates when utilization is low, such as when there is no user activity.

For additional details on the upcoming changes, see Microsoft’s recent Windows blog post, titled “Improving the Windows 10 update experience with control, quality and transparency“.

Other Windows Update changes are being tested and may appear in upcoming releases of Windows 10, such as the ability to automatically roll back a problematic update.

These are all welcome changes, but I’m hoping Microsoft goes even further. If the Windows 10 update process improves enough, I may even consider installing it again. For now, there are still too many problems, such as Windows Update’s excessive use of disk space.

At least Microsoft is listening to the complaints about update dialogs popping up over important presentations, and worse. And they’re being surprisingly transparent during this current round of Windows improvements. Several recent Windows update problems (like this one in March and the known issues with this April update and this one) were probably the main impetus behind the changes, though.

Patch Tuesday for March 2019

You know, it’s theoretically possible that we could get a Patch Tuesday with no updates to install. We’ve had months like that for Adobe products. Not for Microsoft, though, at least not in my memory.

Anyway… this month from Microsoft we have thirty-four updates, addressing seventy-five security vulnerabilities in Internet Explorer, Edge, Flash in Microsoft browsers, Office, and Windows. At least that’s what my analysis shows. The source of this information, Microsoft’s Security Update Guide, is a complex beast.

Reminder: these updates are only for versions that are still supported. Windows XP is no longer supported, and Windows 7 won’t be for much longer. Versions of Office older than 2010 are no longer supported, and Office 2010 support will end later in 2019.

It was a busy month for Adobe, with updates to Flash, Reader, and Shockwave.

Flash 32.0.0.171 includes fixes for two vulnerabilities in earlier versions.

Acrobat Reader DC, the variant of Adobe’s Acrobat/Reader product line you probably use, is up to version 2019.010.20099. The new version addresses twenty-one vulnerabilities in earlier versions.

Shockwave Player 12.3.5.205 addresses seven security bugs in earlier versions. You’re slightly less likely to have this software installed on your computer, but it’s worth checking if you’re not sure.

There are links to download the new versions on all the release announcement pages linked to above.

Thunderbird 60.6.1

Mozilla released a new version of their email client Thunderbird recently: 60.6.1. The new version includes fixes for two security vulnerabilities.

The fixed vulnerabilities are unlikely to pose a threat to Thunderbird users. According to the related security advisory:

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

In other words, since Thunderbird does not allow scripts embedded in email to execute, users are generally much safer than if the same email is displayed in a web browser.

Firefox 66.0 and 66.0.1

The latest major release of Firefox is version 66, which was announced on March 19th. The new version includes some welcome improvements and twenty-one security fixes.

What’s new in Firefox 66?

  • Audio is now prevented from playing by default. You can override this behaviour with a global setting, or add specific web sites to an exclusion list.
  • When you have a lot of tabs open, Firefox now shows a down-arrow button at the end of the tab bar. Clicking this button shows a list of all open tabs, and provides a special search function, allowing you to search your open tabs.
  • Scroll Anchoring tries to keep your content in place even as advertising and other images try to push what you’re reading off the page.
  • Extensions get a slight speed boost.
  • It’s now a bit easier to configure keyboard shortcuts for extensions.
  • HTTPS certificate error pages are easier to understand.
  • Additional performance and stability improvements, especially during page loading.
  • AV1 video support was added to the 32-bit version of Firefox.

Firefox 66.0.1 addresses two security issues in earlier versions, and was released on March 22nd.

You can check which version you’re running by clicking Firefox’s ‘hamburger’ menu, and navigating to Help > About Firefox. If you’re not yet up to date, you should see an Update button that allows you to install the latest version.