The latest release of Thunderbird, Mozilla’s email client, is version 60.7.1. The new version addresses four security vulnerabilities.
Check your Thunderbird version by clicking its ‘hamburger’ menu icon at the top right, and navigating to Help > About Mozilla Thunderbird. If you’re not running the latest version, you’ll be prompted to update.
The latest Chrome release features a fix for one security vulnerability. There are about forty-five actual changes listed in the full change log, none of which are particularly noteworthy.
There’s not much of interest in the release announcement for Chrome 75.0.3770.90, although it does point out that the vulnerability was discovered and reported by a non-Google researcher.
Unless you’ve gone to the trouble of disabling Google’s persistent automatic update processes, your installation of Chrome will likely update itself over the next few days.
You can check your version and trigger any pending updates by navigating Chrome’s menu (the ‘three-vertical-dots’ button at the top right) to Help > About Google Chrome.
It’s update time once again, and along with the updates from Microsoft and Adobe, I’m going to annoy you with yet another reminder that Only You Can Prevent Internet Worms. That sounds kind of gross, actually.
Analysis of the Security Update Guide spreadsheet, so thoughtfully provided by Microsoft each month, shows that this month there are thirty-three updates, addressing eighty-eight security vulnerabilities in Windows (7, 8.1, 10, and Server); Flash in Internet Explorer and Edge; Internet Explorer 9 through 11; Edge; and Office 2010, 2016, and 2019. At least twenty-one of the vulnerabilities are categorized as Critical.
If you missed last month’s update festivities, you may not be aware that there’s a very dangerous vulnerability (CVE-2019-0708) in Microsoft’s Remote Desktop feature in Windows XP, Windows 7, and Server 2008. Updates for Windows 7 and Windows Server 2008 computers are available in the usual way, via Windows Update. An update for Windows XP is also available, but you’ll have to download and install it manually, from the Microsoft Update Catalog.
I’m pestering you about this because the last time a vulnerability like this appeared, we got the global WannaCry worm mess. Patch those systems and prevent a similar worm from giving the world another major headache. Here’s Microsoft on the subject, as well as Ars Technica.
As usual, Adobe has released software updates to coincide with Microsoft’s Patch Tuesday, which makes things nice and tidy with Flash being integrated into IE and Edge. Flash 32.0.0.207 fixes a single security vulnerability.
There are a few ways to update Flash on Windows, but starting with the Flash Player Control Panel works for me. On the Flash CP’s Updates tab, you’ll find a Check Now button, which will take you to the Get Adobe Flash page. That will tell you which version you’re running. If you need an update, click the Player Download Center link on that page.
A new version of Chrome includes fixes for forty-two security vulnerabilities.
The full log for Chrome 75.0.3770.80 lists over fourteen thousand changes, so good luck reading all that.
Google did not highlight any of the changes in the announcement for Chrome 75.0.3770.80, which only provides this somewhat cryptic message: “Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 75.”
Check your Chrome version by navigating its ‘three vertical dots’ menu icon (at the top right) to Help > About Google Chrome. If an update is available, it will be offered to you.
A new version of Mozilla’s email client Thunderbird was released last week. Thunderbird 60.7 is primarily a security update, fixing at least sixteen security vulnerabilities in earlier versions.
You can check your version of Thunderbird and trigger an update by navigating its ‘hamburger’ menu to Help > About Mozilla Thunderbird.
Firefox 67.0, released on May 21, improves the browser’s privacy, security, accessibility, performance, and compatibility. There are also twenty-one security fixes in the new version.
You can find all the details on the release notes page, and a related Mozilla blog post.
A couple of the changes are worth highlighting:
You can check your current version and trigger an update check by navigating Firefox’s ‘hamburger’ menu to Help > About Firefox.
A new version of Chrome fixes a single security bug. Chrome 74.0.3729.157 was announced and made available on May 14, so it may have already found its way to your computer by way of Google’s rather insistent update mechanisms.
If you’re not sure which version of Chrome you’re running, click that little ‘three vertical dots’ menu button at the top right, and navigate to Help > About Google Chrome. Besides showing you the version of your current installation, this will usually prompt Chrome to check for available updates and offer to install a new version.
From Microsoft this month, we get forty-six updates, addressing seventy-nine distinct vulnerabilities in the usual gang of idiots, namely Windows, Office, Internet Explorer, Edge, .NET, Flash in Internet Explorer, and Visual Studio. Nineteen of the updates have been flagged with Critical severity. Head over to Microsoft’s Security Update Guide for more details.
Those of you running Windows 10 may actually be satisfied with its automatic updates, despite the problems. Either that or you’ve given up fighting Microsoft. And of course there are plenty of folks running Windows 7 and 8 with automatic updates enabled, in response to which I can only tip my hat and tell you that you’re braver than I. The rest of us will (or should) be making the trudge over to Windows Update today.
One of the updates made available by Microsoft today fixes a serious vulnerability (CVE-2019-0708) in older versions of Windows, including Windows 7, XP, and Server 2008. Despite the fact that official support for these versions has ended, Microsoft decided to make the world a slightly better place, taking the time to develop, test, and publish these updates. Which is good, because the hole being fixed is a bad one, in that it could provide a handy new conduit for malicious software worms to propagate… just like WannaCry did in 2017.
So, two things: first of all, thanks Microsoft! Second, if you run Windows 7 or Windows Server 2008 computers, please check Windows Update and install the May 2019 monthly security rollup as described on this Microsoft page. For any computers running Windows XP, you’ll have to download the appropriate update from the Microsoft Update Catalog, as decribed on this Microsoft page.
Adobe’s contribution this month consists of new versions of Flash and Acrobat Reader. Flash 32.0.0.192 addresses a single security vulnerability, while Acrobat Reader DC 2019.012.20034 addresses a whopping eighty-four vulnerabilities in earlier versions.
Reader will generally update itself, but you can make sure by navigating its menu to Help > Check for Updates.... The easiest way to update Flash is to look for it in the Windows Control Panel. Go to the Updates tab of the Flash control panel widget and click Check Now. This will take you indirectly to the download page for Flash. Make sure you opt out of any additional software offered for install on that page.
On May 3, Firefox users all over the world noticed that the browser’s add-ons suddenly stopped working and disappeared from the toolbar. This caused major consternation, as you might imagine. Mozilla has previously made changes to Firefox which disabled some add-ons, so there was initially some concern that this was intentional. However, it turns out that someone at Mozilla failed to renew a critical security certificate, which then expired on May 3rd.
Mozilla added certificate checking to Firefox’s add-ons (extensions, themes, search engines, language packs) some time ago to weed out malicious add-ons and prevent them from being used. When the main certificate expired, Firefox suddenly identified all add-ons as invalid, and disabled them.
Many people use Firefox without add-ons, and those people were unaffected by this problem. Some people, including myself, use add-ons to provide functionality without which Firefox is almost unusable. For example, I use uBlock Origin to prevent Javascript from running on all web pages by default, and Dark Reader to make dark-themed web pages readable.
Once people started noticing the problem, they naturally tried to find workarounds, some of which did more harm than good. Mozilla scrambled to solve the problem, and on May 4 pushed out an official, temporary workaround using a little-known Firefox feature called Studies. Once installed, this fix did re-enable add-ons for many users, but didn’t help if the Studies feature was disabled, and was only effective for desktop versions of the browser.
On May 5 a new version of Firefox was released by Mozilla. Firefox 66.0.4 includes a single change that fixes the certificate expiry problem. There are a few caveats: some add-ons may need to be re-enabled manually. Certain add-ons will remain disabled. Other add-ons may need to be reconfigured.
This was a major (and embarassing) blunder, but Mozilla handled it reasonably well, although the information they published was occasionally somewhat misleading. There’s a useful record of what happened on this Mozilla blog post.
Update 2019May10: Yesterday, Mozilla published a followup/apology post.
The latest Chrome browser, version 74.0.3729.131, includes fixes for a pair of security vulnerabilities. Fifty-four changes are listed in the full change log, of which about half are actual changes and not just bookkeeping.
As usual, you can let Chrome update itself on its own mysterious schedule, or trigger an update by navigating its ‘three dots’ menu to Help > About Google Chrome. There are other ways to obtain the latest version, but that’s the most straightforward.
boot13