Category Archives: Patches and updates

Firefox 51 fixes 24 security issues

The latest version of Firefox addresses at least twenty-four security vulnerabilities and changes the way non-encrypted sites appear in the address bar.

As usual, there’s nothing like a proper announcement for Firefox 51. What we get from Mozilla instead is a blog post that discusses some new features in Firefox, and mentions the new version number almost accidentally in the third paragraph. Once again, CERT does a better job of announcing the new version than Mozilla.

Starting with version 51, Firefox will flag sites that are not secured with HTTPS if they prompt for user passwords. Secure sites will show a green lock at the left end of the address bar as before, but sites that are not secure will show a grey lock with a red line through it. Previously, non-encrypted sites showed no lock icon at all. The idea is to draw the user’s attention to the fact that they are browsing without the security of encryption, which is risky when sensitive information (passwords, credit card numbers) is entered by the user.

Java 8 Update 121 released, and a mystery solved

On January 17, Oracle published a Critical Patch Update Advisory for January 2017. The advisory lists Java 8 Update 111 as an ‘affected product’ but says nothing at all about a new version or what has changed. For that information, you have to dig around on the Oracle site: a good starting point is the main page for Java SE. There you’ll find links to news, release notes, and downloads for new Java versions.

The new version — Java 8 Update 121 — includes fixes for seventeen security vulnerabilities and eleven other bugs in previous versions. If you use a web browser with an enabled Java add-on, you should install the new version as soon as possible.

Mystery solved

On a related note: I missed the previous Java update (October 18, 2016) because the Oracle Security Advisory RSS feed stopped working in my RSS reader, Feedly. In Feedly, the last post shown from that feed is from July 2016.

To rule out a problem with the feed itself, I checked it in another RSS reader, The Old Reader, where it worked perfectly.

Feedly provides support via Uservoice, so I headed over there and looked for anyone reporting similar issues. And found someone with the exact same problem, which he reported in the form of a suggestion. Rather than create my own report, I added a comment with my observations, and applied as many upvotes as I could to the existing suggestion.

Hopefully the Feedly folks will see this and do something about it. I depend on RSS feeds to stay on top of technology news, and if my RSS reader is unreliable, I can’t use it.

Meanwhile, I’ll continue to rely on other sources for Java update news, including the CERT feed, which is how I learned of the January 2017 Oracle advisory.

Update 2017Jan20: I reported the feed problem to Feedly, and they immediately responded, saying that Oracle appears to be blocking Feedly for some reason. They are working on the problem.

Java 8 Update 111

Well, this is embarrassing. Way back in October, Oracle released another version of Java. Somehow I contrived to miss the announcement, if there was one.

Oracle’s quarterly Critical Patch Update for October 2016 includes information about Java, but doesn’t mention the new version. It only lists affected versions. The release notes for Java 8 Update 111 make it clear that the new version includes fixes for several security issues.

Anyone who still runs a web browser in which Java is enabled should make sure they’re running version 8 Update 111 (or 112, which is basically the same thing but with some new features). Default Java runtime installations are configured to update themselves automatically, but it’s a good idea to check.

I’ve noticed that the pace of Java security fixes seems to have slowed somewhat, which is a relief. There’s also slightly less urgency about Java updates because many popular Java-based software packages (e.g. Minecraft) now include their own embedded version instead of using any available system-wide version.

Patch Tuesday for January 2017

Another Patch Tuesday rolls around, bringing updates for Internet Explorer, Edge, Windows, and Office from Microsoft, and new versions of Flash and Reader from Adobe.

According to Microsoft’s January 2017 bulletin summary,

“There are no security fixes or quality improvements for Windows 8.1 … on Update Tuesday for January 2017. As such, there is no Security Only Quality Update or Security Monthly Quality Rollup release for [Windows 8.1] this month.”

And in fact there are only four bulletins (with associated updates), addressing vulnerabilities in Windows, Edge, Office, and the Flash player built into Edge and Internet Explorer 11. Not including Flash, these updates address three security vulnerabilities.

Adobe’s contributions this month start with Flash 24.0.0.194, which addresses thirteen vulnerabilities in previous versions, adds some new features that are not particularly interesting, and improves support for high resolution displays in Firefox on Windows: Flash content will now scale properly in that context. As usual, Flash updates for Edge and Internet Explorer are handled by Microsoft, and Google Chrome will update itself automatically.

New versions of Adobe Reader address twenty-nine vulnerabilities. Reader XI is up to version 11.0.19, while its confusingly-named sister products Acrobat Reader DC (Continuous) and Acrobat Reader DC (Classic) are at versions 15.023.20053 and 15.006.30279, respectively.

So it’s an enjoyably light month. Visit Windows Update, update Adobe Reader, and if you use a web browser with Flash enabled, make sure to update that as well.

When ‘Checking for updates…’ takes forever on Windows 8.1

This week I once again encountered an old nemesis, the infinite ‘Checking for updates…’ Windows Update screen. Not this again! It happened when I was attempting to install the December 2016 updates on my main Windows 8.1 machine.

Is it working? How can you tell?

I tried the usual troubleshooting steps: rebooting, stopping all non-essential processes, the Windows Update troubleshooter, and so on. Nothing helped.

What makes this problem really annoying is that even when Windows Update is working properly, there are long pauses during which nothing appears to be happening. Even looking deeply into the running processes sometimes shows a complete lack of activity. Since a hung Windows Update often looks exactly like Windows Update actually doing something, all you can do is watch helplessly, in growing frustration, until you finally can’t stand it any more and stop the Windows Update process.

After banging my head against this problem for a while, it occurred to me that since most Windows updates are now available in ‘rollup’ form (i.e. packaged together in one update), I could install the appropriate ones manually, which would at least get my computer up to date, and could conceivably also fix Windows Update.

After a bit of searching I found the July 2016 update rollup for Windows 8.1 and Windows Server 2012 R2. One of the prerequisites for this update is the Servicing stack update for Windows 8.1 and Windows Server 2012 R2: July 12, 2016, but that had already been installed in July, so I proceeded to install the rollup. It only took a few minutes.

After rebooting, I tried Windows Update, and ‘Checking for updates’ took about a minute to find December’s Patch Tuesday updates. Yay! I installed those updates and the computer is now fully patched.
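The manual-rollup procedure above (confirm the servicing stack prerequisite is present, install the rollup, reboot, then retry Windows Update) can be scripted so the prerequisite check is not left to memory. The following PowerShell is an added example, not code from the original post: the KB numbers, the `.msu` paths and the function names are placeholders and assumptions; the real KB ids and packages come from the Microsoft Update Catalog pages the post links to.

```powershell
# Added example (not from the original post): check for and manually install a
# Windows 8.1 update rollup together with its servicing-stack prerequisite.
# KB numbers and .msu paths are PLACEHOLDERS; substitute the real ones from the
# Microsoft Update Catalog entries named in the post.
#Requires -RunAsAdministrator

$ServicingStackKb  = 'KBnnnnnnn'                         # placeholder: servicing stack update, July 12, 2016
$RollupKb          = 'KBnnnnnnn'                         # placeholder: July 2016 update rollup
$ServicingStackMsu = 'C:\Updates\servicing-stack.msu'    # placeholder path to the downloaded package
$RollupMsu         = 'C:\Updates\rollup.msu'             # placeholder path to the downloaded package

function Test-KbInstalled {
    param([string]$Kb)
    # Get-HotFix enumerates installed updates by KB id. This is the check the
    # post recommends before assuming the prerequisite is already on the box.
    $null -ne (Get-HotFix | Where-Object { $_.HotFixID -eq $Kb })
}

function Install-Msu {
    param([string]$Kb, [string]$Path)
    if (Test-KbInstalled $Kb) {
        Write-Host "$Kb is already installed; skipping."
        return $true
    }
    if (-not (Test-Path $Path)) { throw "Update package not found: $Path" }

    # wusa.exe installs a standalone .msu. /norestart defers the reboot so
    # both packages can go on before a single restart.
    $proc = Start-Process -FilePath 'wusa.exe' `
        -ArgumentList "`"$Path`" /quiet /norestart" -Wait -PassThru

    switch ($proc.ExitCode) {
        0       { Write-Host "$Kb installed."; return $true }
        3010    { Write-Host "$Kb installed; reboot required."; return $true }    # ERROR_SUCCESS_REBOOT_REQUIRED
        2359302 { Write-Host "$Kb reported as already installed."; return $true } # WU_S_ALREADY_INSTALLED (0x240006)
        default { Write-Warning "$Kb failed, wusa exit code $($proc.ExitCode)"; return $false }
    }
}

# Order matters: the servicing stack update is a prerequisite of the rollup,
# so it is installed (or confirmed present) first.
if ((Install-Msu $ServicingStackKb $ServicingStackMsu) -and (Install-Msu $RollupKb $RollupMsu)) {
    Write-Host 'Done. Reboot, then run Windows Update again.'
}
```

Run it from an elevated PowerShell prompt after downloading both packages. Because the check goes through `Get-HotFix`, a package that was installed in an earlier month (as the servicing stack update was in the post) is skipped rather than reinstalled, and the script stops at the first package that fails instead of attempting the rollup without its prerequisite.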

It’s difficult to know for sure why this Windows Update problem happens, but it’s depressingly common, as are the sometimes wacky solutions users have proposed. The rollup solution that worked for me may work for others, but there are no guarantees. It’s Windows, after all.