Category Archives: Security

aka infosec

Chrome 77.0.3865.75

On September 10, Google released a new version of Chrome that includes fifty-two fixes for security vulnerabilities. The full change log lists almost seventeen thousand changes in all, so I’m going to assume that there’s nothing in there worth mentioning, aside from the security fixes. Presumably, if Google wanted to highlight any of the changes, they’d be outlined in the official release notes for Chrome 77.0.3865.75.

As is often the case with Chrome security vulnerabilities, many of those addressed in Chrome 77.0.3865.75 were discovered and reported by independent security researchers. There’s a list of those fine folks in the release notes, along with the rewards they earned from Google for their work.

To update Chrome, click its ‘three dots’ menu and navigate to Help > About Google Chrome. If there’s a newer version than the one you’re running, you should see an update link.

Patch Tuesday for September 2019

It’s another Patch Tuesday, and this month we have the usual pile from Microsoft, along with a new version of Flash.

Analysis of the summary spreadsheet — helpfully provided by Microsoft on the Security Update Guide site — shows that there are forty-nine updates, addressing eighty vulnerabilities in Windows, Internet Explorer, .NET, Edge and Office. Seventeen of the vulnerabilities are critical.

Those of you running Windows 10 will get these updates automatically, unless you’ve explicitly configured Windows to delay updates. Everyone else should navigate to Windows Update in the Windows Control Panel or Windows Settings.

The new version of Flash is 32.0.0.255. It addresses two critical security bugs in earlier versions, both of which were discovered and reported by independent security researchers.

Anyone who still uses Flash, especially if it’s enabled in any web browser, should update Flash as soon as possible. Go to the Flash applet in the Windows Control Panel to check your version and install the new version.

Firefox 69.0: security improvements

The latest Firefox includes fixes for at least twenty security vulnerabilities, and improves overall privacy and security by enabling Enhanced Tracking Protection by default.

When enabled, Firefox’s Enhanced Tracking Protection reduces your exposure to the information-gathering efforts that otherwise silently occur when you browse. It also provides protection against cryptominers, which surreptitiously use a portion of your computer’s resources to make money for someone else.

New in Firefox 69.0 is a feature that allows you to block any video you encounter, not just those with autoplayed audio: Block Autoplay.

The ‘Always Activate’ option for Flash content has been removed. Firefox now asks for permission before it will play any Flash content.

Default installations of Firefox will usually update themselves, but if you’re not sure what version you’re running, click the browser’s ‘hamburger’ menu button at the top right, then navigate to Help > About Firefox.

Chrome 76.0.3809.132

The latest version of Chrome (Google’s browser, not the open source Chromium project upon which it is based) is 76.0.3809.132. The new version provides fixes for three security vulnerabilities, some of which were discovered and reported by independent researchers.

If you love digging into dry technical details, the Chrome change log is for you. The new version’s log is at least brief. A cursory scan shows nothing particularly interesting.

Chrome usually updates itself, albeit somewhat mysteriously, since Google’s update schedule is unclear and possibly varies widely from update to update. Google’s update mechanisms also occasionally stop working — silently. It’s a good idea to check which version you’re running and install a new version if it’s offered on the Help > About Google Chrome dialog (click the ‘three dot’ menu button at the top right of Chrome’s user interface).

Firefox 68.0.2

One security fix and a handful of other bug fixes were released in the form of Firefox 68.0.2 on August 14.

The lone security fix closes a hole in the way Firefox handles saved passwords. Before Firefox 68.0.2, it was possible to extract password information from the browser’s encrypted password database — even when it was protected by a master password — without entering the master password. That’s a rather large and (at least to anyone who uses Firefox’s password store with a master password) disturbing security hole.

As always, you can wait for Firefox to update itself, or expedite things by navigating the browser’s ‘hamburger’ menu to Help > About Firefox.

Patch Tuesday for August 2019

It’s another day of updates, with the usual load from Microsoft, and a new version of Reader from Adobe.

Analysis of the monthly data dump from Microsoft’s Security Update Guide shows that this month we have fifty-two updates (with associated bulletins), addressing ninety-five vulnerabilities in Office applications, Windows, Internet Explorer 9 through 11, Edge, Exchange, SharePoint, and Windows Defender.

Twenty-nine of the vulnerabilities are characterised as having Critical severity, and all of the usual nightmarish potential impacts are represented, including Denial of Service, Elevation of Privilege, Information Disclosure, Remote Code Execution, Security Feature Bypass, Spoofing, and Tampering.

If you’re running Windows 10, there’s not much you can do to avoid these updates, although you can at least delay them. The risks associated with installing updates as soon as they become available are still arguably lower than the risks of delaying them as much as possible, or somehow avoiding them altogether.

In this particular case, however, you definitely should install the updates immediately. That’s because they include fixes for a set of dangerous vulnerabilities in RDS (Remote Desktop Services) in all versions of Windows, including Windows 10. Still not convinced? This month’s updates also include a fix for a terrible vulnerability in the Text Services Framework that’s existed in all versions of Windows since XP. The RDS and Text Services vulnerabilities were discovered very recently; no related exploits or attacks have been observed, but it’s a safe bet that malicious persons are working on exploits right now.

Anyway, as always, Windows Update is your friend. Your annoying, can’t-seem-to-shake-them kind of friend.

Adobe released updates for several of its products today, of which only Acrobat Reader presents a significant risk, because malicious hacker types enjoy embedding various kinds of nastiness in PDF files, pretty much every computer on Earth has Acrobat Reader installed, and most people with computers open PDF files without even thinking about the risk.

The latest Acrobat Reader (DC Continuous, which is the variant most likely to be installed on your computer) is version 2019.012.20036. It addresses at least seventy-six security vulnerabilities in previous versions. The release bulletin gives credit to a number of non-Adobe security researchers who discovered and reported some of the vulnerabilities.

You can check your version of Acrobat Reader by navigating its menu to Help > About Adobe Acrobat Reader DC. Also on the Help menu is the handy Check for Updates option, which is probably the easiest way to update Reader.

Chrome 76.0.3809.100

Google released another version of Chrome a few days ago, and it includes fixes for four security vulnerabilities. The change log is mercifully brief, but there’s also not much there of interest. The announcement for Chrome 76.0.3809.100 gives credit to non-Google security researchers for discovering two of the vulnerabilities.

Check your version of Chrome by navigating its ‘three dot’ menu to Help > About Google Chrome. If an update is available, you can install it from there.

Chrome 76.0.3809.87 – 43 security fixes

On Tuesday, Google released another new version of Chrome: 76.0.3809.87. The announcement highlights sixteen vulnerabilities, discovered by security researchers not employed by Google, that are addressed in the new version. There are forty-three security fixes in all.

Google has chosen not to highlight any other changes in Chrome 76.0.3809.87, so if you want to know whether anything important changed, your only option is to read the thirteen thousand, five hundred and forty-three entries in the full change log. Good luck with that.

Chrome, uh, finds a way to keep itself updated, and fighting against that is a never-ending and ultimately pointless exercise. What you can do is check your version and thereby trigger an immediate update, by navigating Chrome’s ‘three vertical dots’ menu (at the top right) to Help > About Google Chrome. That way you don’t have to wait for Chrome to update itself, which happens “over the coming days/weeks” according to Google.

Thunderbird 60.8: ten security fixes

Earlier this month Mozilla released a new version of its (still free, and still pretty good) email client, Thunderbird. The new version (60.8) includes fixes for ten security issues in earlier versions.

If you use Thunderbird, you can check which version you’re running by clicking its (‘hamburger’) menu button and navigating to Help > About Mozilla Thunderbird. If a newer version is available, you should see a prompt to install it.

Java 8u221 – ten security fixes

If you still use Java, and particularly if Java is enabled in Internet Explorer, it’s important to keep it up to date. Security vulnerabilities in Java are still a somewhat popular target for malicious hackers and malware purveyors.

If you’re not sure whether Java is even installed on your computer, look for a Java entry in the Windows Control Panel. If you see one, Java is installed. The Java Control Panel has an Update tab that allows you to check for pending updates and install the latest version.

You can check whether Java is enabled in Internet Explorer by using that browser to visit Oracle’s Verify Java Version page.

This is what you should see on the Verify Java Version page if you are using IE and Java is up to date.

Oracle issues quarterly updates for a wide range of software products, and that includes Java. The July 2019 update describes ten security vulnerabilities that are addressed in the latest version of Java, 8 update 221.