This month we’ve got a new version of Reader from Adobe, along with the usual heap of updates affecting Microsoft software.
Analysis of Microsoft’s Security Update Guide for December shows that there are thirty-two updates in all, affecting Internet Explorer 9 through 11; Office 365, 2013, 2016, and 2019; Visual Studio; Windows 7, 8.1, and 10; and Windows Server 2008, 2012, 2016 and 2019. Thirty-seven vulnerabilities (CVEs) are addressed, of which seven are flagged as having Critical severity.
The easiest way to install Microsoft updates is via the Windows Update Control Panel (prior to Windows 10) or Settings > Update & Security on Windows 10.
Adobe released updates for several of its software products on Tuesday, but the only one likely to be installed on your computers is the ubiquitous Acrobat Reader DC, Adobe’s free PDF file viewer.
A new version of Acrobat Reader DC, 2019.021.20058, addresses at least twenty-one vulnerabilities in previous versions.
Recent versions of Reader seem to keep themselves updated, but if you use Reader to view PDF files from dubious sources, you should definitely check whether your Reader is up to date. Do that by running it, then choosing Check for Updates... from the Help menu.
I usually refer to security bugs as vulnerabilities. There’s another term that I sometimes use (see above): CVE. That’s an abbreviation for Common Vulnerabilities and Exposures. If you’d like to know more, there’s a helpful post about CVEs over on the SecurityTrails web site. Here’s a quote:
CVE was launched in 1999 by the MITRE Corporation, a nonprofit sponsored by the National Cyber Security Division, or NCSD. When a researcher or a company discovers a new vulnerability or an exposure, they add them to the CVE list so other organizations can leverage this data and protect their systems.
It’s a worthwhile read, even for non-technical folks.
Firefox is my current web browser of choice. I use Google Chrome sparingly, because it’s gotten so bloated and resource-intensive that I can’t leave it running. Perhaps that will change; it wasn’t that long ago that Chrome seemed like the best choice.
I still use Opera and Vivaldi for certain specific activities. And while there’s still no way I can stop using Internet Explorer altogether, I only do so when absolutely necessary. I avoid Edge completely, as it seems hopelessly buggy. There are other alternatives, but for now, Firefox is my main browser.
The integrated password manager, which Mozilla calls Lockwise, now differentiates between logins for different subdomains. If you have one login for subdomain1.domain.com and another for subdomain2.domain.com, they will no longer be conflated.
Lockwise will also now display a warning if it finds one of your passwords in a list of potentially compromised passwords.
The Enhanced Tracking Protection feature will now show a notification when Firefox blocks cryptomining code. You can see what Firefox is blocking by clicking the small shield icon at the far left of the address bar.
You can now view video in a floating window using the Picture-in-picture feature. Look for a small blue button along the right edge of a video and click it to pop out the PiP window.
Eleven security vulnerabilities are addressed in Firefox 71.0. None of them are ranked as critical, and there doesn’t seem to be any evidence that any have been used in actual attacks. Still, it’s best to close those holes before they can be exploited.
How to update Firefox
Check which version of Firefox you’re running by navigating its ‘hamburger’ menu (at the top right) to Help > About Firefox. If you’re not running the latest version, you should see a button that will allow you to upgrade.
Please either allow us to disable Windows 10 updates, or stop pushing out updates that break millions of computers worldwide every few weeks.
Almost a billion Windows 10 users
The problems with Windows 10 updates are getting worse, not better. The last major feature update (1903) had major issues at release, and more seem to be turning up with each new set of “quality” updates. Those quotes around the word ‘quality’ are very intentional, by the way.
I’ve just spent most of a day troubleshooting and fixing a heinous set of problems related to printing, affecting most of the computers at a retail client. Printing is a critical function for this client, as it is for most businesses.
What follows is the sequence of events leading up to the printing problem, and what finally fixed it.
All of the computers are running 64-bit Windows Professional release 1903 (build 18362.356).
SUMMARY: Update 4522016, which apparently caused these printing problems on some computers, was never installed on any of the affected PCs at this business. Update 4524147 caused the printing problems it was supposed to fix. Uninstalling update 4524147 fixed the printing problems on three otherwise up-to-date Windows 10 PCs.
2019Oct03: Update 4524147 was installed automatically on all affected PCs. This happened overnight, which is normal for these PCs.
2019Oct04: The client reported printing problems on several PCs.
2019Oct04: The usual troubleshooting for printing issues was ineffective. Research eventually showed that a recent Windows update (4522016) was causing printing problems for many users. But that update was never installed on any of the affected PCs.
2019Oct04: Since printing was working fine before 4524147 was installed, I uninstalled that update, and printing started working again. Repeating this on all affected computers resolved all the printing problems.
2019Oct05: On trying to log into one of the recently-fixed PCs, Windows 10 told me that the Start menu was broken. Research showed that update 4524147 was causing this problem (the second time an update broke the Start menu in recent weeks). I checked, and sure enough, 4524147 had been reinstalled automatically overnight. Uninstalling it fixed the Start menu.
2019Oct05: To delay recurrence of the printing problem, I used the Advanced settings on the Windows Update screen to delay updates as long as possible. On most of the PCs, I was able to delay updates for between 30 and 365 days. On one PC, these settings were inexplicably missing. I eventually had to use the Local Group Policy Editor to make the necessary changes.
2019Oct04: I reported this bizarre situation to Microsoft via its Windows 10 Feedback hub. It’s difficult to know whether anyone at Microsoft will actually see this, or take it seriously. I have doubts, which means that this problem seems likely to reappear at some point.
This is in fact the nightmare scenario envisioned by myself and others when it became clear that Windows 10 updates would not be optional. While Microsoft has — grudgingly — made it possible to delay updates, it’s still not possible to avoid them completely, and if you’re one of the unlucky Windows 10 Home users, even that’s not an option.
Questions for Microsoft
Why did an update intended to fix printing problems actually cause those exact problems?
Why are some of the advanced Windows Update settings missing from one of several identically-configured Windows 10 PCs running the same build?
Why are you inflicting this garbage on us? Do you hate us?
WHY DON’T YOU LET US TURN OFF UPDATES? This is the simplest solution, and while I understand that you want Windows 10 installs to be secure (and that means installing fixes for security vulnerabilities), until you can produce updates that don’t cause massive problems, we don’t want them.
A small update to Firefox 69 was released last week: 69.0.1. The new version addresses a single security vulnerability, fixes a rather annoying new bug that caused processes launched from Firefox to be hidden by Firefox, and fixes a few other minor issues.
Check your version of Firefox by clicking its ‘hamburger’ menu button at the top right, then navigating to Help > About Firefox. If a newer version is available, you’ll see an Update button.
If you’ve ignored the almost continuous advice of IT experts over the last decade or so, and are still using Internet Explorer for web browsing, you should stop what you’re doing and install a new security update, just released by Microsoft.
The update fixes a critical vulnerability (CVE-2019-1367) in IE 9, 10, and 11 that could allow a remote attacker to execute code on your computer, if they are able to trick you into visiting a specially-crafted web page.
Even if you don’t actively use IE, if it’s installed on your Windows computer (and it almost always is), you may run it accidentally, or it may become the default web browser because of another Microsoft update. In other words, everyone running Windows 7, 8.1 and 10 needs to install the fix, which exists in several different versions, each for a specific combination of Windows version and IE version (as outlined in Microsoft’s related security bulletin).
For example, on my main Windows computer, on which I run 64-bit Windows 8.1 and IE 11, the relevant update is designated 4522007.
These updates are not available via Windows Update. To install the update for your computer, follow the appropriate link in the security bulletin. Eventually you’ll end up at the Microsoft Update Catalog. Locate the update you want, then click the Download button to begin.
Like it or not, Chrome is the web browser that’s taking over the world. I use Chrome sparingly these days, mainly because recent versions have problems playing streaming video reliably, and because it seems to drain system resources more than other browsers — especially on mobile devices.
Still, Chrome has a lot going for it, and it remains a solid alternative to Firefox and the numerous browsers that, like Chrome, are based on the Chromium engine. Google welcomes — and indeed, rewards — vulnerability reports, and they act quickly to fix and release updates for Chrome.
Chrome 77.0.3865.90 includes fixes for four security vulnerabilities, all of which were reported by researchers not employed by Google. The full change log lists a few minor tweaks and obscure bug fixes.
Check your Chrome version and update it to the latest version by clicking the browser’s ‘three vertical dots’ menu button and navigating to Help > About Google Chrome.
Two new versions of Opera were released recently. The first, Opera 63.0.3368.88, includes security fixes and crash fixes. The release announcement doesn’t mention the vulnerabilities addressed in 63.0.3368.88, and neither does the change log, which is annoying. Presumably it’s left as an exercise for the user to research vulnerabilities in Opera, as documented on sites like MITRE.
The second new version, Opera 63.0.3368.94, sports a new version of the Chromium engine and more crash fixes. Again, there’s not much to learn from the release announcement or change log.
To check the version of Opera you’re running and install any available new version, click Opera’s menu button (the big ‘O’ at the top left usually) and navigate to Update & Recovery…
On September 10, Google released a new version of Chrome that includes fifty-two fixes for security vulnerabilities. The full change log lists almost seventeen thousand changes in all, so I’m going to assume that there’s nothing in there worth mentioning, aside from the security fixes. Presumably, if Google wanted to highlight any of the changes, they’d be outlined in the official release notes for Chrome 77.0.3865.75.
As is often the case with Chrome security vulnerabilities, many of those addressed in Chrome 77.0.3865.75 were discovered and reported by independent security researchers. There’s a list of those fine folks in the release notes, along with the rewards they earned from Google for their work.
To update Chrome, click its ‘three dots’ menu and navigate to Help > About Google Chrome. If there’s a newer version than the one you’re running, you should see an update link.
It’s another Patch Tuesday, and this month we have the usual pile from Microsoft, along with a new version of Flash.
Analysis of the summary spreadsheet — helpfully provided by Microsoft on the Security Update Guide site — shows that there are forty-nine updates, addressing eighty vulnerabilities in Windows, Internet Explorer, .NET, Edge and Office. Seventeen of the vulnerabilities are critical.
Those of you running Windows 10 will get these updates automatically, unless you’ve explicitly configured Windows to delay updates. Everyone else should navigate to Windows Update in the Windows Control Panel or Windows Settings.
The new version of Flash is 184.108.40.206. It addresses two critical security bugs in earlier versions, both of which were discovered and reported by independent security researchers.
Anyone who still uses Flash, especially if it’s enabled in any web browser, should update Flash as soon as possible. Go to the Flash applet in the Windows Control Panel to check your version and install the new version.
When enabled, Firefox’s Enhanced Tracking Protection reduces your exposure to the information-gathering efforts that otherwise silently occur when you browse. It also provides protection against cryptominers, which surreptitiously use a portion of your computer’s resources to make money for someone else.
New in Firefox 69.0 is a feature that allows you to block any video you encounter, not just those with autoplayed audio: Block Autoplay.
The ‘Always Activate’ option for Flash content has been removed. Firefox now asks for permission before it will play any Flash content.
Default installations of Firefox will usually update themselves, but if you’re not sure what version you’re running, click the browser’s ‘hamburger’ menu button at the top right, then navigate to Help > About Firefox.