Category Archives: Patches and updates

Patch Tuesday for April 2020

As if there wasn’t enough going on, it’s already time to patch your Windows computers again.

Of course at this point, given that Windows 7 is effectively no longer getting patches, and Windows 10 updates itself whether you want it to or not, we’re really just talking about Windows 8.1. Market share for Windows 8.x was never high, and it’s now below 5% overall. Oh well.

Somewhat confusingly, Microsoft continues to produce patches for Windows 7, and documents them along with all the others in the Security Update Guide. But if you look at the requirements for these Windows 7 updates, you’ll see that they can’t be installed unless you’ve already paid for and installed the Extended Security Updates (ESU) Licensing Preparation Package. Which most regular folks can’t afford.

This month we don’t have any interesting updates from Adobe, but there’s the usual pile from Microsoft. Analysis of the Security Update Guide reveals that a total of one hundred and fourteen security vulnerabilities are addressed in this month’s patches. The usual lineup of software products is affected, including Windows, Internet Explorer 9 and 11, Edge, Office, and Windows Defender. There are thirty-eight security bulletins in all, nineteen of which are flagged as Critical.

By now I’m sure you know the drill: find Windows Update in the Control Panel and check for updates. Whether you cross your fingers or not is entirely up to you. Windows 10 users need to keep their fingers crossed at all times I guess.

Update 2020Apr15: April’s Microsoft updates include fixes for those actively-exploited Adobe Type Library vulnerabilities recently reported.

Chrome 81.0.4044.92

A new version of Chrome addresses thirty-two security issues in previous versions.

Details of the vulnerabilities fixed in Chrome 81.0.4044.92 are sketchy, which is normal for newly-discovered and mostly unpatched security bugs. Google has published vulnerability identifiers (CVE numbers), along with links to Google’s internal bug tracking system, and credited the researchers who discovered them.

The links are mostly non-functional, and will remain so until Google decides that it’s safe to publish the vulnerability details. Even the CVE numbers aren’t that helpful: if you search the CVE list at Mitre.org for one of these recent vulnerabilities, you’ll see a placeholder page with no details — for now.

In a perfect world, it would be easy to discover exactly what a software update would change, before it’s installed. Sadly, opportunistic assholes have made this impractical and even dangerous for security-related updates. So, regardless of how one feels about the developer, at some level we have no choice but to trust them with security updates.

Chrome’s ‘three vertical dots’ menu is the place to start if you want to check which version you’re running and install an update. Drill down to Help > About Google Chrome. If an update is available, it will be installed automatically, after which you’ll see a Relaunch button.

Firefox 75.0

April 7’s announcement of Firefox 75.0 came just a few days after the release of Firefox 74.0.1, a special version that addresses two critical security vulnerabilities.

Firefox 75.0 features a reworked address bar, and includes fixes for another six security bugs.

The new address bar functionality may trip up some users initially, but it does appear to be an overall improvement. The changes are as follows:

  • Searching using the address bar on smaller screens is now optimized, and should be less confusing.
  • Clicking the empty address bar, or clicking on an address in the address bar, will now show a list of ‘top sites’. These are the sites you visit most often.
  • The address bar is now slightly larger, and expands slightly when clicked. The font is also larger, and suggested URLs are shortened to provide more useful context.
  • When entering search terms, Firefox will now suggest additional terms it thinks may be relevant.
  • If you start entering a URL that is already open in another tab, Firefox will show a ‘Switch to Tab’ entry in the suggestions.

Depending on your configuration, Firefox will typically update itself in the days following a new release. If you prefer to do this yourself, or you’re not sure which version you have, navigate Firefox’s ‘hamburger’ menu (at the top right) to Help > About Firefox. If a newer version is available, you’ll be given the opportunity to install it.

Chrome 80.0.3987.162 and 80.0.3987.163

Two Chrome releases this week address at least eight security vulnerabilities and other bugs.

The release notes for Chrome 80.0.3987.162 provide details for some of the security vulnerabilities. As usual, Google holds off publishing vulnerability details until most installs have been updated.

Chrome 80.0.3987.163 appears to roll back a bug fix that was addressed in an earlier version.

You can trust Google to update your installation of Chrome, or do it yourself, by navigating its three-vertical-dots menu to Help > About Google Chrome. This will trigger a check for updates, and if a newer version is available, you should see an Update button or link.

Chrome 80.0.3987.149

Version 80.0.3987.149 of Google’s Chrome web browser is a security release. It includes fixes for at least thirteen security vulnerabilities.

Like most modern browsers, and many of Google’s software products, Chrome updates itself reliably, if somewhat unpredictably. This is arguably a good thing, as long as updates don’t break things and do improve security.

Regardless of your viewpoint on automatic updates, keeping your web browser up to date is critical if you use it to do any actual web browsing. Otherwise the risk of a drive-by malware infection is significantly higher.

To check the version of your Chrome browser, navigate its three-vertical-dots menu to Help > About Google Chrome. If there’s a newer version, you’ll see a button or link for installing it.

Adobe Acrobat Reader DC 20.006.20042

A new version of Adobe’s free PDF document viewer, Acrobat Reader DC, was released on March 17.

According to the release announcement, Reader 20.006.20042 addresses thirteen security vulnerabilities in earlier versions. Many of these bugs were detected and reported by third-party researchers, who are credited in the announcement.

If you use Reader, and particularly if you use it to open PDF files you obtain from email and the web, you should make sure it’s up to date.

Newer versions of Reader typically update themselves when they detect new versions, but since it’s not clear what triggers these updates, you might want to check your version and update it yourself.

Check the version of your Reader by navigating its menu to Help > About Adobe Acrobat Reader DC... If you’re not running the latest version, update it via Help > Check for Updates...

Firefox 74.0

A new version of Firefox fixes some annoying problems with pinned tabs, improves password management, adds the ability to import bookmarks from the new Chromium-based Edge, resolves some long-standing issues with add-on management, introduces Facebook Container, and addresses several bugs, including twelve security vulnerabilities.

The release notes for Firefox 74.0 provide the details.

Starting with Firefox 74.0, it is no longer possible for add-ons to be installed programmatically. In other words, add-ons cannot be added by software; it can only be done manually by the user. Add-ons that were added by software in previous versions of Firefox can now be removed via the Add-ons manager, something that was previously not possible.

Facebook Container is a new Firefox add-on that “works by isolating your Facebook identity into a separate container that makes it harder for Facebook to track your visits to other websites with third-party cookies.” People who are concerned about Facebook’s ability to track their activity across browser sessions and tabs can use this add-on to limit that tracking, without having to access Facebook in a separate browser.

You can wait for Firefox to update itself, which — assuming that option is enabled — may take a day or so, or you can trigger an update by navigating Firefox’s ‘hamburger’ menu to Help > About Firefox. You’ll see an Update button if a newer version is available.

Patch Tuesday for March 2020

Happy Patch Tuesday! Today’s gifts from the always-generous folks at Microsoft include forty-two updates, addressing one hundred and fifteen security bugs in Internet Explorer (9 and 11), Edge (the original version, not the one built on Chromium), Office (2010, 2016, and 2019), Windows (7, 8.1, and 10), and Windows Server.

You can dig into all the gory details over at the Microsoft Security Update Guide.

Computers running Windows 10 will update themselves at Microsoft’s whim over the coming days.

Windows 8.1 users can still exercise some freedom of choice in deciding when to install updates, but I encourage everyone to install them as soon as possible. Even with Microsoft’s recent bungling, you’re arguably better off with security fixes than without, even if those updates sometimes cause other problems.

To install updates on your Windows 8.1 computer, go to the Windows Control Panel and open Windows Update.

If you’re running Windows 7, you may be surprised to note that some of this month’s updates are available for that no-longer-officially-supported version. That’s because while those updates definitely exist, they’re not technically available to the general public.

To get access to the Windows 7 updates, you need to sign up for Extended Security Updates for Windows 7. This is typically only done by Enterprise users (businesses and educational institutions) who need more time to migrate computers to newer versions of Windows. For regular folks, the cost of ESU seems likely to be prohibitive.

The more adventurous among you might want to experiment with hacks to get around this limitation for Windows 7 updates. Apparently people are finding some success doing this.

Chrome 80.0.3987.122

Three more security vulnerabilities are fixed in the latest Chrome, version 80.0.3987.122.

According to the release notes, one of the vulnerabilities fixed in Chrome 80.0.3987.122 is already being exploited ‘in the wild’ so anyone using Chrome should check their version and update immediately.

To determine whether you need to install the new version, navigate Chrome’s menu button to Help > About Google Chrome. You’ll see the current version, and if a newer one is available, there should be a button that allows you to install it.