Category Archives: Patches and updates

Patch Tuesday for November 2018

This month, we have fifty-six updates from Microsoft. The updates fix security issues in .NET, Office, Internet Explorer, Edge, Microsoft Project, SharePoint, PowerShell, Skype, and Windows. Analysis of the Security Update Guide for this month shows that a total of sixty-three vulnerabilities are addressed by the updates. Twelve of the vulnerabilities are flagged as Critical.

Windows 10 computers will have relevant updates installed automatically over the next few days. Those of you running older versions of Windows that don’t have automatic updates enabled will need to use Windows Update (in the Windows Control Panel) to check for new updates.

Adobe logoMeanwhile, Adobe released new versions of Flash and Reader. Flash 31.0.0.148 addresses a single security vulnerability in earlier versions. Reader DC 2019.008.20081 fixes a single security bug in earlier versions. Adobe software will usually update itself, unless you’ve explicitly disabled its automatic update features.

Chrome 70.0.3538.102

Three security issues are fixed in the latest Chrome, released by Google on October 9. The Chrome 70.0.3538.102 change log is relatively brief, and the announcement doesn’t highlight any of the changes.

For most users, Chrome will update itself on its own mysterious schedule. You can regain some control by clicking Chrome’s ‘hamburger’ menu button and navigating to Help > About Google Chrome. This will show the version you’re currently runing and — usually — offer an update if it’s out of date.

Thunderbird 60.3

Released on October 31, Thunderbird 60.3 fixes a handful of bugs — some of which are security-related — affecting multiple versions and platforms.

From the security advisory: In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. What they seem to be saying is that these vulnerabilities cannot be exploited through the act of opening and reading email in Thunderbird. As for the part about browser-like contexts, well, that’s not at all clear. What contexts?

You can update your install of Thunderbird by clicking its hamburger menu button at the top right. Click the small arrow to the right of Help, then click About Mozilla Thunderbird. The About dialog should show your current version and offer an update if one is available.

Thunderbird 60.2.1

There aren’t as many desktop email applications around as there used to be. Sure, some of the old classics are still available (hello Eudora), but they typically don’t provide support for the latest technologies.

I’ve never been comfortable using a web-based application for my email. I do use GMail, but mostly for client support. I just prefer to have more control over my email archive than is possible with a web-based solution. Email is a critical component of my business and personal communications, and leaving it at the mercy of Google or some other company is not acceptable.

That said, there are still a few good options for desktop email on Windows. I still use Outlook, because it’s always been rock solid for me, handling dozens of accounts efficiently and reliably. But Outlook is only available as part of Microsoft Office, and only the more expensive Professional or Business versions at that. And Office is not cheap, costing upwards of $300 USD.

So I’m always on the lookout for alternatives to Outlook. And sitting at the top of that list is Thunderbird, Mozilla’s email client. Thunderbird’s three-pane user interface should be familiar to anyone who has used Outlook, Outlook Express, or just about any other Windows email application. It supports all current email-related technologies.

Mozilla issued a major update for Thunderbird in early October: version 60.0. This update provides numerous improvements to the user interface, including a much-needed revamp for the way attachments are handled.

More recently, Thunderbird 60.2.1 was released to fix seven security issues in earlier versions, as well as a few non-security bugs.

As with Firefox, you can check the current version of Thunderbird by navigating its ‘hamburger’ menu (top right) to Help > About Mozilla Thunderbird. Doing this will usually trigger an update, if one is available.

Firefox 63.0

Released last week, Firefox 63.0 provides fixes for at least fourteen security issues.

Firefox 63 also includes performance improvements, content blocking functionality, some user interface improvements, and a few other bug fixes.

In keeping with the trend towards wresting control of updates away from users, the option to Never check for updates was removed from the Preferences page (about:preferences). Sigh.

Firefox can be updated by navigating its ‘hamburger’ menu (button at top right) to Help > About Firefox.

Chrome 70.0.3538.67/77

Two new versions of Google’s web browser were released recently. Chrome 70.0.3538.67 includes twenty-three security fixes, as outlined in the release announcement. The log for that version lists over twelve thousand changes.

The release announcement for Chrome 70.0.3538.77 doesn’t highlight any of the thirty-eight changes found in its change log, so presumably none of them are significant, and none are related to security.

By now, most people who like having control over what happens on their computers have probably given up on trying to prevent Google software from updating itself. Still, if you use Chrome, it’s a good idea to make sure it’s up to date, which you can do by clicking its ‘three dots’ menu button at the top right and navigating to Help > About Google Chrome. If a new version is available, this will usually trigger an update.

Java Version 8 Update 191

Earlier this week, Oracle released its quarterly Critical Patch Update Advisory for October 2018. As usual, there’s a new version of the Java runtime Engine (JRE): Version 8, Update 191 (Java 8u191).

The new version of Java fixes at least twelve security issues affecting earlier versions.

If you use Java, I encourage you to update it as soon as it’s convenient. Java is not the target it once was, but it’s still a good idea to reduce your exposure to Java-based threats by keeping it up to date. The only web browser that officially still supports Java is Internet Explorer. If you use Internet Explorer with Java enabled, you should update Java immediately.

The easiest way to check your Java version and download the latest is to go to the Windows Control Panel, open the Java applet, click the Update tab, then click the Update Now button. If you’re already up to date, you’ll see a message to that effect.

Windows 10 October Update is deleting user files

As you may be aware, there’s no longer any practical way to avoid installing Windows 10 updates. Once Microsoft pushes them out, they’re going to end up on your computer whether you want them or not. But maybe you trust Microsoft to make changes to your computer while you sleep (for the record, I’m definitely not). On the other hand, when an update ends up causing problems, it makes these forced updates look downright irresponsible.

According to numerous reports, the recently-announced October Update for Windows 10 is causing user files to be silently deleted. Now, before you go into panic mode, keep in mind that the October Update is not yet being pushed out to all Windows 10 computers: the only way to install it is to manually check for available Windows Updates. For now, the only people affected are those eager types who like to install shiny new things before looking closely at them.

Microsoft is aware of the problem, and they are looking into it, although it’s not at all clear when it might be resolved. Hopefully Microsoft will either pull the update, or at least delay pushing it out to all Windows 10 computers.

If you’re worried about losing files, I strongly suggest backing up all your documents, images, music, video, and other data files. Which you really should be doing anyway. I back up all my data nightly to an external hard drive, using the freeware Cobian Backup.

Update 2018Oct07: Microsoft put a halt to the planned rollout of the October update. The update is still available via Windows Update, so don’t think seeing it listed there means the problem has been fixed. All it means is that the update won’t be pushed out until the issue has been resolved.

Update 2018Oct08: When you shift testing away from professionals and to your user base, quality will suffer. Things are going to slip through. That’s why formal software testing is so important, especially for operating systems and other critical software. Microsoft seems to have made an erroneous assumption: that if you have a (nearly) infinite number of monkeys people using your software, they will find (and reliably reproduce) every bug. In fact, the people doing this unpaid “testing” are mostly power users who are just hoping that their own specific needs will be better served by the latest version. They aren’t testing every scenario, just the same one they tested for the last version. Power users are also much less likely to make the kinds of obvious mistakes that regular folks make, which can lead to surprises even after an update is pushed out to the general public. This situation seems likely to get worse, sadly. The Verge weighs in.

Update 2018Oct16: On October 9, Microsoft made a new (fixed) version of the October update available to users subscribed to the Windows Insider program. Microsoft also seems to understand that the current user-focused testing process is less than ideal: the Windows Insider Feedback Hub now allows users to provide an indication of impact and severity when filing User Initiated Feedback.

Firefox 62.0.3: two critical security fixes

Yesterday, Mozilla released Firefox 62.0.3, which includes fixes for two critical security vulnerabilities in previous versions of the popular web browser.

The two vulnerabilities addressed in Firefox 62.0.3 are described in some detail on the associated security advisory page.

Depending on how your Firefox is configured, it may display a small update dialog, or it may simply update itself. To control what happens with new versions, navigate Firefox’s ‘hamburger’ menu (at the top right) to Options > General > Firefox Updates. While there, you can click the Check for updates button to trigger an update if one is available.