Category Archives: Patches and updates

Chrome 69.0.3497.81: forty security fixes

The release announcement for Chrome 69.0.3497.81 says the new version “contains a number of fixes and improvements.” Google hasn’t bothered to highlight any of those, which means it’s up to us users to figure out what has changed by reading the change log. Oh well, sounds easy enough. Until you notice that the change log has 15890 entries. Yeesh.

Google does provide useful information about the forty security fixes in Chrome 69.0.3497.81. They range from Low to High in terms of Severity.

As with most Google desktop software, Chrome will silently update itself in the background when it gets around to it. It’s possible to disable Google’s automatic update software, but doing that can cause other problems, so it’s not recommended. If you want to encourage Chrome to update itself — not a bad idea considering the security fixes — you can point the browser to chrome://settings/help.

Update 2018Sep07: If you’re using Chrome 69.0.3497.81, you may have noticed something different in the address bar: some common subdomains — particularly www. — are no longer displayed. It looks like this change was not particularly well tested, and it’s causing problems for some users and sites. Here’s the associated bug report.

Patch Tuesday for August 2018

It’s update time again.

Analysis of Microsoft’s Security Update Guide shows that this month there are seventy updates for Windows, Office, Internet Explorer, .NET, Edge, Excel, Outlook, PowerPoint, and Visual Studio. A total of sixty security bugs are addressed, twenty of which are categorized as Critical.

Adobe, meanhwile, has released new versions of Flash and Acrobat Reader. Flash 30.0.0.154 includes fixes for five security issues, all of which are ranked as Important. Acrobat Reader 2018.011.20058 addresses two Critical security vulnerabilities.

Remember, folks: although updating software is perhaps not the most exciting thing you’ll do today, it’s entirely worthwhile, as it limits the damage that can be done by any stray malware that may find itself on your computer… from that attachment you opened without thinking, or that web site you visited when you accidentally clicked that link.

Vivaldi 1.15.1147.64: security fixes

Vivaldi is based on the open source Chromium browser engine. When Chromium gets security updates, Vivaldi’s developers have to ‘backport’ those changes to Vivaldi, or leave Vivaldi users exposed to known security threats.

The Vivaldi developers do a good job of staying on top of this, and sometimes release a new version of Vivaldi in which the only changes are security fixes backported from Chromium. Vivaldi 1.15.1147.64 is the most recent example of this.

You can check your verison of Vivaldi by clicking the menu button at the top left of the browser, then selecting Help > About. If you’re not running the latest version, Vivaldi should offer to update itself.

Chrome 68.0.3440.75: security fixes, address bar changes

The latest version of Chrome includes fixes for forty-two security vulnerabilities. It’s also the first version that will display Not Secure in the address bar for all non-encrypted web pages. When that indicator appears, traffic to and from the viewed page is not being encrypted.

Viewing a non-encrypted web page is not particularly risky, as long as no private information is being transmitted. That means user names, passwords, email addresses, credit card numbers, and so on. However, as discussed here previously, unencrypted sites open up a world of possibilities for intercepting and modifying web traffic.

The release announcement for Chrome 68.0.3440.75 provides additional details regarding the security issues addressed.

The simplest way to update Chrome is also the best way to determine which version you’re running: click the three-vertical-dots icon at the top right, then select Help > About Google Chrome. If your browser isn’t already up to date, this will usually trigger an update.

Java 8 Update 181

Oracle’s latest Critical Patch Update (CPU) Advisory — for July 2018 — as usual includes a section about Java.

A new version of Java (8 Update 181) addresses eight security vulnerabilities in earlier versions. The Release Highlights page for Java 8 provides additional details on changes in Update 181, most of which are likely only of interest to developers.

If you use Java, and in particular if you use a web browser that has Java enabled, you should install Java 8 Update 181 as soon as possible. Note that the only modern browser that still runs Java applications is Internet Explorer. The easiest way to update Java is to run the Java applet in the Windows Control Panel: on the Update tab, click the Update Now button.

Patch Tuesday for July 2018

Adobe and Microsoft have issued their monthly updates for July, so even if you’d rather be doing anything else, you should be patching your computers.

We’ll start with Microsoft. As usual, this month’s Security Update Release bulletin serves as little more than a link to the Security Update Guide (SUG), Microsoft’s labyrinthine replacement for the individual bulletins we used to get.

In my experience, the SUG is much easier to digest in the form of a spreadsheet, so the first thing I do there is click the small Download link at the right edge of the page, to the right of the Security Updates heading. If you have Excel — or something compatible — installed, you should be able to open it directly.

Once the spreadsheet is loaded, I recommend enabling the Filter option. In Excel 2007, that setting is in the Sort & Filter section of the Data ribbon (toolbar). This makes every column heading a drop-down list, which allow you to select a particular product or platform, and hide everything else.

Analysis of this month’s updates from the SUG spreadsheet shows that there are sixty-two distinct updates, addressing fifty-three security vulnerabilities in Flash, Internet Explorer, SharePoint, Visual Studio, Edge, Office applications, .NET, and all supported versions of Windows. Seventeen of the updates are flagged as Critical.

As for Adobe, there are updates for Flash (version 30.0.0.134) and Acrobat Reader DC (version 2018.011.20055). The Flash update fixes two vulnerabilities, one of which is Critical. The Acrobat Reader DC update includes fixes for over one hundred security bugs.

Firefox 61.0 – security and performance improvements

The latest Firefox release features faster page load times and tab switching, improvements to search provider setup, an improved dark theme, better bookmark syncing, and at least eighteen security fixes.

Settings related to the home page and ‘new tab’ page are now in their own section on Firefox’s Options pages. You can access the new section directly using this URL: about:preferences#home.

The Firefox 61.0 release notes provide additional details.

On most computers, Firefox will update itself. You can encourage it by visiting the About page: click the hamburger button, then select Help > About Firefox.

Patch Tuesday for June 2018

The June 2018 Security Update Release bulletin on Microsoft’s TechNet blog is almost devoid of useful information, but if you click the link to the Security Update Guide, then click the big Go To Security Update Guide button, you’ll see a link to the release notes for this month’s updates.

According to the release notes, this month’s updates affect Internet Explorer, Edge, Windows, Office, Office Services and Web Apps, Flash embedded in IE and Edge, and ChakraCore. Analysis of the information in the SUG reveals that there are forty updates, fixing fifty-one separate vulnerabilities. Eleven of the vulnerabilties are flagged as Critical.

Firefox 60.0.2

When first published on June 6, the release notes for Firefox 60.0.2 didn’t mention anything about security, but they’ve since been updated to include a reference to a single vulnerability that is fixed in the new version.

The vulnerability fixed in Firefox 60.0.2 is flagged as having both Critical and High impact by Mozilla, and since there are as yet no details in the official vulnerability database for CVE-2018-6126, it’s difficult to know which is correct.

Regardless, if you use Firefox, you should update it as soon as possible. Depending on how it’s configured, Firefox will usually at least let you know that a new version is available within a few hours after it’s published. If not, you can usually trigger an update by clicking the ‘hamburger’ menu icon at the top right, then selecting Help > About.