Category Archives: Security

aka infosec

Flash 32.0.0.101 fixes two security bugs

Released on December 5th, the latest Flash addresses two security vulnerabilities in earlier versions. The security bulletin for Flash 32.0.0.101 provides additional details.

If you’re still using Flash, you should install the new version as soon as possible. If you use a web browser with a Flash plugin enabled, don’t wait: update now. If you’re not sure whether your browser has Flash enabled, visit the Flash Player Help page with that browser. The Help page will detect Flash in your browser, tell you which version is installed, and provide a download link for the latest version.

Web browsers that include their own embedded Flash will be updated via their usual channels: for Microsoft browsers, that means Windows Update. Chrome usually updates itself automatically, but you can trigger an update by navigating its menu to Help > About Google Chrome.

Chrome 71.0.3578.80: lots of security fixes

According to the release announcement, Chrome 71.0.3578.80 addresses forty-three distinct security vulnerabilities in earlier versions of the browser.

The full change log for the new version has over twelve thousand entries, none of which are mentioned in the announcement. Many of the changes appear to be fixes for minor bugs.

To check your version of Chrome, click its menu button and navigate to Help > About Google Chrome. If you’re not running the latest version, you’ll be able to update it from there.

Flash 31.0.0.153: security fix

There’s another new version of Flash: 31.0.0.153. A single Critical security vulnerability is addressed in this version. The vulnerability, when exploited, can allow for arbitrary code execution.

If you’re using a web browser with Flash enabled, you should update it as soon as possible. If you’re not sure whether your browser is enabled for Flash content, head over to the Flash Player Help page. If Flash is installed and enabled in your browser, your Flash version will be shown.

You can install Flash by visiting the main Flash installer page. Make sure to disable all the optional installation checkboxes on that page, or you’ll get unwanted software along with Flash.

As usual, Google Chrome and Microsoft’s browsers, which have their own embedded Flash viewers, are updated separately. Chrome will update itself; Edge and Internet Explorer are updated via the Windows Update service.

Chrome 70.0.3538.110

According to the release announcement for Chrome 70.0.3538.110, the new version fixes a single, High-severity security vulnerability. The change log lists a few additional bug fixes but nothing particularly interesting.

Chrome will update itself automatically on most computers, over the next few days or weeks. If that’s not soon enough for you, click the browser’s menu button at the top right (three vertical dots) and drill down to Help > About Google Chrome. This will show your current version and — usually — offer to install the latest version.

Encouraging developments in the IoT security mess

By now you’re probably aware that the push to connect everything to the Internet has been at the cost of security. Many IoT (Internet of Things) devices are poorly secured and can expose users to significant threats. I always encourage people to consider whether they really need their toaster to be connected to the Internet, and disable that feature if the answer is no.

Until recently, the IoT landscape was like the wild west, with little or no regulation of the security aspects of these devices.

But there’s reason for optimism, as reported by Bruce Schneier. Consumer Reports, the venerable consumer protection organization, is now testing the security of IoT devices, starting with home security cameras. Hopefully CR’s focus on security will be extended to other types of IoT devices soon.

Goverments are also waking up to the threat. California’s new SB 327 law, which will come into effect in 2020, will require that all network-connected devices meet basic security requirements. Other governing bodies are sure to follow, hopefully soon. Ultimately, we should have security standards for connected devices everywhere.

These efforts seem likely to get the attention of IoT device manufacturers, and encourage them to improve the security of their products. In particular, IoT devices need better security out of the box, with risky features disabled by default instead of enabled. Many devices are still shipped with well-known default passwords, and remote administration access enabled by default.

Patch Tuesday for November 2018

This month, we have fifty-six updates from Microsoft. The updates fix security issues in .NET, Office, Internet Explorer, Edge, Microsoft Project, SharePoint, PowerShell, Skype, and Windows. Analysis of the Security Update Guide for this month shows that a total of sixty-three vulnerabilities are addressed by the updates. Twelve of the vulnerabilities are flagged as Critical.

Windows 10 computers will have relevant updates installed automatically over the next few days. Those of you running older versions of Windows that don’t have automatic updates enabled will need to use Windows Update (in the Windows Control Panel) to check for new updates.

Adobe logoMeanwhile, Adobe released new versions of Flash and Reader. Flash 31.0.0.148 addresses a single security vulnerability in earlier versions. Reader DC 2019.008.20081 fixes a single security bug in earlier versions. Adobe software will usually update itself, unless you’ve explicitly disabled its automatic update features.

Chrome 70.0.3538.102

Three security issues are fixed in the latest Chrome, released by Google on October 9. The Chrome 70.0.3538.102 change log is relatively brief, and the announcement doesn’t highlight any of the changes.

For most users, Chrome will update itself on its own mysterious schedule. You can regain some control by clicking Chrome’s ‘hamburger’ menu button and navigating to Help > About Google Chrome. This will show the version you’re currently runing and — usually — offer an update if it’s out of date.

Thunderbird 60.3

Released on October 31, Thunderbird 60.3 fixes a handful of bugs — some of which are security-related — affecting multiple versions and platforms.

From the security advisory: In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. What they seem to be saying is that these vulnerabilities cannot be exploited through the act of opening and reading email in Thunderbird. As for the part about browser-like contexts, well, that’s not at all clear. What contexts?

You can update your install of Thunderbird by clicking its hamburger menu button at the top right. Click the small arrow to the right of Help, then click About Mozilla Thunderbird. The About dialog should show your current version and offer an update if one is available.

Thunderbird 60.2.1

There aren’t as many desktop email applications around as there used to be. Sure, some of the old classics are still available (hello Eudora), but they typically don’t provide support for the latest technologies.

I’ve never been comfortable using a web-based application for my email. I do use GMail, but mostly for client support. I just prefer to have more control over my email archive than is possible with a web-based solution. Email is a critical component of my business and personal communications, and leaving it at the mercy of Google or some other company is not acceptable.

That said, there are still a few good options for desktop email on Windows. I still use Outlook, because it’s always been rock solid for me, handling dozens of accounts efficiently and reliably. But Outlook is only available as part of Microsoft Office, and only the more expensive Professional or Business versions at that. And Office is not cheap, costing upwards of $300 USD.

So I’m always on the lookout for alternatives to Outlook. And sitting at the top of that list is Thunderbird, Mozilla’s email client. Thunderbird’s three-pane user interface should be familiar to anyone who has used Outlook, Outlook Express, or just about any other Windows email application. It supports all current email-related technologies.

Mozilla issued a major update for Thunderbird in early October: version 60.0. This update provides numerous improvements to the user interface, including a much-needed revamp for the way attachments are handled.

More recently, Thunderbird 60.2.1 was released to fix seven security issues in earlier versions, as well as a few non-security bugs.

As with Firefox, you can check the current version of Thunderbird by navigating its ‘hamburger’ menu (top right) to Help > About Mozilla Thunderbird. Doing this will usually trigger an update, if one is available.

Firefox 63.0

Released last week, Firefox 63.0 provides fixes for at least fourteen security issues.

Firefox 63 also includes performance improvements, content blocking functionality, some user interface improvements, and a few other bug fixes.

In keeping with the trend towards wresting control of updates away from users, the option to Never check for updates was removed from the Preferences page (about:preferences). Sigh.

Firefox can be updated by navigating its ‘hamburger’ menu (button at top right) to Help > About Firefox.