Category Archives: Patches and updates

Microsoft pushes February updates to March

In an unprecedented move, Microsoft has decided to delay all February updates until next Patch Tuesday, which is March 14. It’s still not clear exactly why this is happening, but Microsoft is working on structural changes to the Windows Update system, so presumably something went horribly wrong in testing.

This is bad news for anyone who runs a server that’s vulnerable to a recently discovered SMB flaw that was expected to be fixed with Tuesday’s updates.

Update 2017Feb23: Meanwhile, Google’s Project Zero went ahead and published the details of another vulnerability (in the GDI graphics library) that was supposed to be fixed this month. This was done in keeping with GPZ’s own policy, but as usual Microsoft isn’t happy about it.

Update 2017Feb28: Yet another vulnerability that was expected to be fixed in the February updates from Microsoft was just revealed by GPZ. This one affects Internet Explorer and Edge, and it’s ranked highly severe.

Flash update fixes 13 vulnerabilities

A new version of Flash, released yesterday, addresses at least thirteen vulnerabilities in previous versions.

According to the security bulletin for Flash 24.0.0.221, the new version fixes “critical vulnerabilities that could potentially allow an attacker to take control of the affected system.”

The release notes for Flash 24.0.0.221 describe some new features that are likely only of interest to developers.

As usual, Internet Explorer and Edge will get new versions of their embedded Flash via Windows Update, while Chrome’s embedded Flash will be updated automatically.

Anyone who still uses a web browser with Flash enabled should update it as soon as possible.

Vivaldi 1.7

Apparently the people who develop Vivaldi believe that adding a screen capture feature to the browser is a good use of their time. Perhaps if you don’t use any other web browsers, and you only ever need to capture screenshots of web sites, and never of anything outside the browser, this would be a useful feature. The rest of us will use the much more powerful features of general-purpose screen capture tools like ShareX.

Aside from the arguably pointless addition of screen capture, Vivaldi 1.7 further improves audio handling, and includes tweaks for domain expansion in the address bar. More importantly, Vivaldi now warns users when they navigate to a non-encrypted page that prompts for a password.

You can see the complete list of changes for Vivaldi 1.7 in the official release announcement.

Opera 43

The folks who develop the alternative web browser Opera are working on improving page loading time, and if their own benchmarks are any indication, those efforts have paid off.

Opera 43 shows significant speed gains over Opera 42, due mainly to the introduction of two new technologies: ‘instant page loading’, which predicts the site you’re looking for as you’re typing in the address bar, and PGO, which optimizes the browser code to make it run faster when it’s most important.

The new version also includes improvements to URL highlighting/selecting. Previously, there was no way to highlight linked text. With Opera 43, highlighting linked text works as expected if you use a horizontal motion, and if you use a vertical motion, the entire link is copied, as before.

There are loads of other changes in Opera 43, as you can see from the lengthy change log. However, none of the changes seem to be related to security vulnerabilities.

WordPress 4.7.2 – security update

Most WordPress sites are configured to automatically update themselves when a new version becomes available. Still, anyone who manages any WordPress sites should make sure they are up to date with version 4.7.2, released yesterday.

WordPress 4.7.2 addresses three serious security vulnerabilities. You can find all the details in the release announcement.

Update 2017Feb02: Apparently WordPress 4.7.2 included a fix for a fourth security vulnerability, which wasn’t announced until February 2. The vulnerability is so severe that the WordPress developers didn’t want to risk anyone knowing about it until the majority of WordPress sites were updated.

Firefox 51.0.1

There were a couple of problems with Firefox 51 that prompted Mozilla to push out another new version yesterday. Firefox 51.0.1 resolves the two problems, one of which was related to the new multiprocess features.

Firefox itself seems to take a few days to notice new versions. Click the ‘hamburger’ menu button at the top right, then click the question mark icon, then click ‘About Firefox’ to see the version you’re running. In my experience, Firefox will usually say ‘Firefox is up to date’ until a couple of days after a new release becomes available. This is potentially confusing, but Mozilla doesn’t seem to understand that.

If you don’t want to wait for Firefox to notice the new version, you’ll have to download it directly from Mozilla.

Chrome 56.0.2924.76

Chrome version 56.0.2924.76 includes fixes for fifty-one security vulnerabilities. But wait, that’s not all. If you want to see what happens when your web browser loads a really big web page, navigate to the change log for Chrome 56.0.2924.76. It’s a behemoth, documenting over ten thousand separate changes.

One change in particular deserves mention: starting with this version, Chrome will show ‘Secure’ at the left end of the address bar if a site is encrypted. When Chrome navigates to a web page that isn’t encrypted, but does include a password prompt, it will show ‘Not Secure’ in the address bar.

Chrome seems to update itself reliably, soon after a new version is released. Still, given the number of security fixes in this release, it’s not a bad idea to check.
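Site owners can check their own pages for the condition that triggers the ‘Not Secure’ warning described above for Chrome 56 (and the similar warning in Vivaldi 1.7). The following is an added example, not code from Chrome, Vivaldi or this blog; it also flags a password form on an encrypted page that submits to an unencrypted URL, which goes beyond what the post describes. The function names, finding labels and sample pages are constructed for illustration.

```javascript
// Added example: audits one page's HTML for password fields that are
// exposed to an unencrypted connection.
// Simplification: attributes are read with a regex, not a full HTML parser.

// Parse the attributes of a single tag (or attribute string) into an object.
function attrs(tag) {
  const out = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    out[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return out;
}

const isPasswordInput = (tag) =>
  (attrs(tag).type || '').toLowerCase() === 'password';

// Returns a list of finding labels (hypothetical names) for the page.
function auditPage(pageUrl, html) {
  const page = new URL(pageUrl);
  const findings = [];
  const inputs = html.match(/<input\b[^>]*>/gi) || [];
  if (!inputs.some(isPasswordInput)) return findings;

  // The case the browsers warn about: password prompt on a page
  // that was not loaded over HTTPS.
  if (page.protocol !== 'https:') {
    findings.push('password-field-on-unencrypted-page');
    return findings;
  }

  // Related case: the page is encrypted, but the form that holds the
  // password field submits to an unencrypted URL.
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const inner = m[2].match(/<input\b[^>]*>/gi) || [];
    if (!inner.some(isPasswordInput)) continue;
    // A missing action means the form posts back to the page itself.
    const target = new URL(attrs(m[1]).action || '', page);
    if (target.protocol !== 'https:') {
      findings.push('password-form-posts-to-unencrypted-url');
    }
  }
  return findings;
}
```
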

Opera 42.0.2393.351 and 42.0.2393.517

Opera 42.0.2393.351 fixes a handful of bugs, several related to the 64-bit version of the browser. See the change log for details.

Opera 42.0.2393.517 fixes four more issues, some of which first appeared in 42.0.2393.351. See the change log for details.

None of the changes in either new version seem to be related to security. Opera will usually update itself shortly after a new version becomes available.