Category Archives: Patches and updates

Java 8 Update 77

A single major security bug fix appears to be the reason for the newest version of Java 8: Update 77.

The release notes don’t provide much useful information, and neither does the security alert for the bug addressed in the new version.

If you’re still using a web browser with Java enabled, you should consider disabling it. At least configure it as ‘click to play’, so that Java content doesn’t load and play automatically on any web page you visit. If you’re not sure whether Java is enabled in your browser, find out by visiting Check-and-Secure.

Flash 21.0.0.197

According to the announcement, the latest version of Flash – released on March 23 – fixes a specific bug that was causing problems for some Flash games.

A review of the release notes seems to show that Flash 21.0.0.197 doesn’t contain any security fixes, so this isn’t an urgent update. Unless of course you’re having trouble running Flash games in your browser.

The announcement for 21.0.0.197 contains at least one error: it shows the new PPAPI version of Flash, used in Chrome, Opera, and other Chromium-based browsers, as 21.0.0.286. My own tests, as well as the official release notes, shows that the new PPAPI version is actually 21.0.0.197. I reported the discrepancy to the author.

There is no new version of Flash for Internet Explorer and Edge on Windows 8.x and 10; the latest is Flash 21.0.0.182.

As usual, Chrome will update itself with the new version of Flash.

Windows 10 Insider Preview Build 14291

There’s another preview build for Windows 10. According to the accompanying announcement, build 14291 includes improvements to Edge and the Feedback Hub, Microsoft’s mechanism for reporting Windows 10 issues.

The changes to Edge show that Microsoft is still playing catchup, adding features that have existed in the other major browsers for a while. So there’s nothing particularly revolutionary, but if you’re forcing yourself to use Edge, being able to use extensions and pin tabs will be helpful.

Several of the Windows 10 apps have also been improved, including Maps, and Alarms & Clock.

Old Java vulnerability still not fixed

A serious security vulnerability affecting current versions of Java, originally reported in 2012 (PDF), remains only partially fixed, according to Adam Gowdiak of Security Explorations.

When Oracle released Java 7 Update 40 in October 2013, the original issue appeared to have been fixed. Subsequent testing showed that while the fix addressed the original Proof of Concept code provided by Mr. Gowdiak, changing the PoC code slightly revealed that the fix was incomplete.

Until recently, Gowdiak was reluctant to announce his discovery of the partial fix, because of his own organization’s disclosure policies. On March 7, 2016, those policies were updated: “A recent change to those policies means that if an instance of a broken fix for a vulnerability we already reported to the vendor is encountered, it gets disclosed by us without any prior notice.”

Mr. Gowdiak revealed his findings (PDF) at the recent Javaland conference, and on the Full Disclosure security email list. The original PoC code was altered slightly to demonstrate the vulnerability and provided to Oracle.

Whether we will ever see a complete fix for this issue remains to be seen. Meanwhile, our advice about Java is unchanged: if you don’t need it, uninstall it. If you need it to run a specific application, remove Java from your web browsers, or leave it enabled in a browser you only use for specific applications. At the very least, make sure your browsers are configured so that Java content does not run automatically (i.e. enable click-to-play).

You can read more about the history of this and other Java security vulnerability research conducted by Adam Gowdiak at his Security Explorations web site.

Other references: Ars Technica.

Opera 36

Take a look at this post on the Opera blog. Go ahead, I’ll wait here until you get back.

Now, did that look like an announcement for a new version of Opera? It does mention an Opera version (36), but it doesn’t say whether version 36 has been released, or if so, when. Maybe it means they’re still working on it. Maybe it was released two weeks ago and they’re just now talking about it. There are also no links to release notes or change logs.

I don’t keep current version numbers in my head. So I ran Opera and checked its About page. Sure enough, it was version 35, and it started downloading Opera 36 right away. Great!

To find out what changed in Opera 36, I started with the current software versions page (that I formerly maintained) on this site. That page had links to the Opera change logs and release notes (current, previous, and history).

According to the change log for Opera 36, the new version fixes numerous bugs, including some related to crashing and performance issues. None of the bugs addressed seem to be related to security.

The sort-of announcement for Opera 36 doesn’t provide much additional information. Mostly it’s about improvements related to Windows 10.

There’s also a ‘unified change log‘ for Opera 36, that lists what Opera considers to be the most important changes in Opera 36: better Windows 10 compatibility, minor improvements to the Start page, and stability and performance improvements.

Privacy-related updates to avoid on Windows 7 & 8.1

If you use Windows 7 or 8.1, by now you’ve no doubt noticed that Microsoft is trying to push you to upgrade to Windows 10. In my opinion, Microsoft is doing this because Windows 10 includes a lot of features that track your activities, and the information gathered is extremely valuable for the purposes of advertising. Windows 10 doesn’t have a lot of advertising yet, and Microsoft denies that this is what they’re planning, but it seems clear that Microsoft is jealous of Google’s enormously lucrative ad-supported empire.

But what about all those people staying with Windows 7 and 8.1? Microsoft’s solution is to retrofit those versions, via Windows Update, with some of the privacy-invading features from Windows 10. And of course, because we’re talking about Microsoft, they’re trying to hide what they’re doing by obfuscating the true purpose of these updates. The language used to describe these updates tends to include phrases like “This service provides benefits from the latest version of Windows to systems that have not yet upgraded.”

We’ve discussed the KB3035583 update (and how to remove it) before. That’s the update that adds all those annoying upgrade prompts to Windows 7 and 8.1. But you should be aware of (and watch for) a few other sneaky updates. These have been generally categorized as ‘telemetry’ updates; a reference to the way they monitor what’s happening on your computer.

Telemetry Updates

If you want to avoid these telemetry updates, check to see if they are already installed. If they are, uninstall them, and use the ‘hide’ feature of Windows Update to prevent them from reappearing. If you see these updates listed in Windows Update, make sure to de-select them, then hide them.

Varying interpretations

Woody Leonhard is getting a bit of a reputation as a Microsoft apologist. You may recall that he refused to believe that Microsoft would push Windows 10 onto Windows 7 users, and later had to admit he’d been wrong. Woody’s analysis of the telemetry updates is predictably pro-Microsoft.

At the other end of the spectrum, there’s a project on Github that consists of a batch script that automatically removes all of the telemetry updates from Windows 7 and 8.1. It actually removes twenty-one updates, many of which are shady for other reasons besides privacy.

A more balanced analysis is provided by the GHacks site. This article identifies the most problematic (telemetry) updates and explains how to get rid of them.

Emergency update for Flash

If you use a web browser with Flash enabled, you should stop what you’re doing and update Flash.

According to the associated Adobe security bulletin, Flash 21.0.0.182 fixes twenty-three security vulnerabilities, including one (CVE-2016-1010) that is being actively exploited on the web.

The release notes for Flash 21.0.0.182 provide additional details. The new version fixes several bugs that are unrelated to security, and adds some new features.

As usual, Chrome will update itself with the new version of Flash, and Internet Explorer and Edge on newer versions of Windows will be updated via Windows Update.

Firefox 45 released

The good people at CERT once again alerted me to a new version of Firefox, 45.0. Apparently Mozilla still can’t manage to announce new versions consistently.

According to the official release notes for Firefox 45.0, the new version includes minor improvements to syncing, searching, and HTML5 support. It also fixes several bugs, including at least twenty-two related to security vulnerabilities. On my main computer, Firefox’s About screen already offers to install the new version, but if yours doesn’t, you should grab it from the main Firefox download page ASAP.