We’re in the middle of a pandemic, but that’s no excuse to leave software unpatched. There’s certainly been no reduction in the rate at which vulnerabilities and exploits are being discovered.
This month’s contribution from Microsoft, as documented in the Security Update Guide, consists of thirty-eight updates, with corresponding bulletins, addressing one hundred and eleven vulnerabilities in .NET, Internet Explorer, Edge, Office, Visual Studio, and Windows. Eighteen of the updates are flagged as having Critical severity.
If you’re still using Windows 7, and you haven’t shelled out for Microsoft’s Extended Security Updates, you won’t find any of this month’s Windows 7 updates via Windows Update. You do have at least one other option: an organization called 0patch. These folks provide what they call ‘micropatches’ for known vulnerabilities in no-longer-officially-supported versions of Windows, including Windows 7 and Windows Server 2008. I haven’t tried these myself, but they seem legitimate. Well, presumably not in the view of Microsoft.
Windows 10 users will get the latest updates whether they’re wanted or not, although there are settings that allow you to delay them, for a while. That leaves Windows 8.1, for which Windows Update is still the appropriate tool.
Adobe once again tags along this month, with new versions of Reader and Acrobat. Most people use the free version of Reader, officially known as Acrobat Reader DC. The new version, 2020.009.20063, includes fixes for twenty-four security vulnerabilites in earlier versions.
Announced on May 5, Firefox 76 tightens up password management and related security in several ways:
- Lockwise, the password manager built into Firefox, now prompts for your Lockwise master password when you try to show or copy a password. If you’re not using a master password, Lockwise will prompt for your device’s password. Previously, Lockwise only prompted for the master password once, on Firefox startup.
- Firefox now checks all your saved passwords against records from known breaches. Any password known to have been revealed in any breach will show in your Logins & Passwords list with a special icon. A different icon is shown if the associated site was breached since you last changed your password for that site.
- Firefox can now generate secure, complex passwords for you.
Other changes in Firefox 76 include improvements to the Picture-In-Picture feature, and native support for more complex audio applications, including Zoom. There are also some minor cosmetic tweaks to the address bar and bookmarks bar.
There are eleven security fixes in Firefox 76 as well.
Default installations of Firefox keep themselves up to date, but you can hurry the process along by navigating its ‘hamburger’ menu to
The release of Firefox 76 was followed up quickly by Firefox 76.0.1, which fixes two bugs, neither of which are security-related.
At this point, most folks probably don’t need Java. Which is good, because it’s still a target for malicious hackers. If you don’t actually need Java, it’s a good idea to remove it completely from your computers.
You can check whether Java is installed by opening the Windows Control Panel and looking for a Java entry. On my Windows 8.1 computer, it looks like this: . If you can’t see a Java entry in the Control Panel, try changing
View by to
Small icons. If you still can’t see it, Java probably isn’t installed. To find the Control Panel on Windows 10, press the Windows key, then type ‘control’. You should see
Control Panel in the search results.
You can also double-check by opening
Programs and Features in the Control Panel. Search the Programs and Features list for ‘java’.
If you’re not sure whether you still need Java, uninstall it, then if something stops working, you can always reinstall it.
If you do need to keep Java around, to run old Java applications and games, access ancient Java-enabled web sites, or use work-related resources you have no control over, it’s best to keep it up to date.
The Java Control Panel will let you see the currently installed version, and provides a link to download and install the newest version.
Java 8 Update 251 includes fixes for fifteen security vulnerabilities in earlier versions.
As if there wasn’t enough going on, it’s already time to patch your Windows computers again.
Of course at this point, given that Windows 7 is effectively no longer getting patches, and Windows 10 updates itself whether you want it to or not, we’re really just talking about Windows 8.1. Market share for Windows 8.x was never high, and it’s now below 5% overall. Oh well.
Somewhat confusingly, Microsoft continues to produce patches for Windows 7, and documents them along with all the others in the Security Update Guide. But if you look at the requirements for these Windows 7 updates, you’ll see that they can’t be installed unless you’ve already paid for and installed the Extended Security Updates (ESU) Licensing Preparation Package. Which most regular folks can’t afford.
This month we don’t have any interesting updates from Adobe, but there’s the usual pile from Microsoft. Analysis of the Security Update Guide reveals that a total of one hundred and fourteen security vulnerabilities are addressed in this month’s patches. The usual lineup of software products are affected, including Windows, Internet Explorer 9 and 11, Edge, Office, and Windows Defender. There are thirty-eight security bulletins in all, nineteen of which are flagged as Critical.
By now I’m sure you know the drill: find Windows Update in the Control Panel and check for updates. Whether you cross your fingers or not is entirely up to you. Windows 10 users need to keep their fingers crossed at all times I guess.
Update 2020Apr15: April’s Microsoft updates include fixes for those actively-exploited Adobe Type Library vulnerabilities recently reported.
A new version of Chrome addresses thirty-two security issues in previous versions.
Details of the vulnerabilities fixed in Chrome 81.0.4044.92 are sketchy, which is normal for newly-discovered and mostly unpatched security bugs. Google has published vulnerability identifiers (CVE numbers), along with links to Google’s internal bug tracking system, and credited the researchers who discovered them.
The links are mostly non-functional, and will remain so until Google decides that it’s safe to publish the vulnerability details. Even the CVE numbers aren’t that helpful: if you search the CVE list at Mitre.org for one of these recent vulnerabilities, you’ll see a placeholder page with no details — for now.
In a perfect world, it would be easy to discover exactly what a software update would change, before it’s installed. Sadly, opportunistic assholes have made this impractical and even dangerous for security-related updates. So, regardless of how one feels about the developer, at some level we have no choice but to trust them with security updates.
Chrome’s ‘three vertical dots’ menu is the place to start if you want to check which version you’re running and install an update. Drill down to
About Google Chrome. If an update is available, it will be installed automatically, after which you’ll see a
April 7’s announcement of Firefox 75.0 came just a few days after the release of Firefox 74.0.1, a special version that addresses two critical security vulnerabilities.
Firefox 75.0 features a reworked address bar, and includes fixes for another six security bugs.
The new address bar functionality may trip up some users initially, but it does appear to be an overall improvement. The changes are as follows:
- Searching using the address bar on smaller screens is now optimized, and should be less confusing.
- Clicking the empty address bar, or clicking on an address in the address bar, will now show a list of ‘top sites’. These are the sites you visit most often.
- The address bar is now slightly larger, and expands slightly when clicked. The font is also larger, and suggested URLs are shortened to provide more useful context.
- When entering search terms, Firefox will now suggest additional terms it thinks may be relevant.
- If you start entering a URL that is already open in another tab, Firefox will show a ‘Switch to Tab’ entry in the suggestions.
Depending on your configuration, Firefox will typically update itself in the days following a new release. If you prefer to do this yourself, or you’re not sure which version you have, navigate Firefox’s ‘hamburger’ menu (at the top right) to
About Firefox. If a newver version is available, you’ll be given the opportunity to install it.
Two Chrome releases this week address at least eight security vulnerabilities and other bugs.
The release notes for Chrome 80.0.3987.162 provide details for some of the security vulnerabilities. A usual, Google holds off publishing vulnerability details until most installs have been updated.
Chrome 80.0.3987.163 appears to roll back a bug fix that was addressed in an earlier version.
You can trust Google to update your installation of Chrome, or do it youself, by navigating its three-vertical-dots menu to
About Google Chrome. This will trigger a check for updates, and if a newer version is available, you should see an Update button or link.
Version 80.0.3987.149 of Google’s Chrome web browser is a security release. It includes fixes for at least thirteen security vulnerabilities.
Like most modern browsers, and many of Google’s software products, Chrome updates itself reliably, if somewhat unpredictably. This is arguably a good thing, as long as updates don’t break things and do improve security.
Regardless of your viewpoint on automatic updates, keeping your web browser up to date is critical if you use it to do any actual web browsing. Otherwise the risk of a drive-by malware infection is significantly higher.
To check the version of your Chrome browser, navigate its three-vertical-dots menu to
About Google Chrome. If there’s a newer version, you’ll see a button or link for installing it.
A new version of Adobe’s free PDF document viewer, Acrobat Reader DC, was released on March 17.
According to the release announcement, Reader 20.006.20042 addresses thirteen security vulnerabilities in earlier versions. Many of these bugs were detected and reported by third-party researchers, who are credited in the announcement.
If you use Reader, and particularly if you use it to open PDF files you obtain from email and the web, you should make sure it’s up to date.
Newer versions of Reader typically update themselves when they detect new versions, but since it’s not clear what triggers these updates, you might want to check your version and update it yourself.
Check the version of your Reader by navigating its menu to
About Adobe Acrobat Reader DC... If you’re not running the latest version, update it via
Check for Updates...
A new version of Firefox fixes some annoying problems with pinned tabs, improves password management, adds the ability to import bookmarks from the new Chromium-based Edge, resolves some long-standing issues with add-on management, introduces Facebook Container, and addresses several bugs, including twelve security vulnerabilities.
The release notes for Firefox 74.0 provide the details.
Starting with Firefox 74.0, it is no longer possible for add-ons to be installed programmatically. In other words, add-ons cannot be added by software; it can only be done manually by the user. Add-ons that were added by software in previous versions of Firefox can now be removed via the Add-ons manager, something that was previously not possible.
Facebook Container is a new Firefox add-on that “works by isolating your Facebook identity into a separate container that makes it harder for Facebook to track your visits to other websites with third-party cookies.” People who are concerned about Facebook’s ability to track their activity across browser sessions and tabs can use this add-on to limit that tracking, without having to access Facebook in a separate browser.
You can wait for Firefox to update itself, which — assuming that option is enabled — may take a day or so, or you can trigger an update by navigating Firefox’s ‘hamburger’ menu to
About Firefox. You’ll see an
Update button if a newer version is available.