Category Archives: Security

aka infosec

Thunderbird 78.0

Earlier this month, Mozilla released a new version of its free — and still excellent — email client: Thunderbird 78.0.

Notable changes in Thunderbird 78.0

A total of fourteen security vulnerabilities are addressed in Thunderbird 78.0. That means it’s a good idea to install the new version as soon as possible; email clients are a popular attack vector for malware.

  • The compose window has been reworked subtly, to improve usability.
  • The recipient address fields (To, Cc, and Bcc) have been changed so that addresses are parsed into ‘pills’, and take less space.
  • The account setup screens have been changed to make them easier to understand.
  • The mail folder icons have been updated and can now be assigned custom colours.
  • On Windows, Thunderbird can now be minimized to the tray (aka the notification area) at the end of the taskbar.
  • There’s now a global search box on the main window’s title bar. The display of global search results has been improved.

The release notes and What’s New page for Thunderbird 78.0 describe all the changes in the new version.

Getting Thunderbird 78.0

The new version is not yet available through the built-in updater, but it can be freely downloaded and installed from its main download page. If you’re already using Thunderbird and want to upgrade to 78.0, you can install it from the main download page and it will update your current version, leaving all your settings intact.

Mozilla released Thunderbird 78.0.1 a few days after 78.0. The new version addresses a few problems introduced by 78.0. That’s the version you’ll get if you go to the main Thunderbird download page.

Java 8 Update 261

Oracle recently released its Critical Patch Update Advisory for July 2020. The advisory includes a list of vulnerabilities in Java 8 Update 251 and earlier versions. The fix is to install the latest version, Java 8 Update 261.

There are eleven Java vulnerabilities listed in the advisory, all of which may be remotely exploitable without authentication (exploited over a network without requiring user credentials).

This is a good time to check whether your Windows computers have Java installed, and either update it, or remove it completely if it’s no longer required.

If you’re not sure whether you need Java, you might as well remove it. If you subsequently encounter an application or web site that doesn’t run properly without Java, it’s easy enough to simply reinstall Java from the main Java download page.

The simplest way to check whether Java is installed is to open up the Windows Control Panel and look for a Java (or Java 32-bit) entry. If you see one, open that and navigate to the About tab.

To update Java, you can use the Update tab of the Java Control Panel applet, or just head to the main Java download page.

Patch Tuesday for July 2020

Another month, another load of patches from Microsoft.

This month we have seventy-one bulletins and corresponding updates. One hundred and twenty-six vulnerabilities are addressed in all, affecting .NET, Internet Explorer 9 and 11, Edge, Office, SharePoint, Visual Studio, OneDrive, Skype, Windows, and Windows Defender. Nineteen of the vulnerabilities are flagged as having Critical severity.

As usual, you can find all the details in Microsoft’s Security Update Guide.

Those of you running Windows 10 know the drill: depending on which version of Windows 10 you’re running, you can delay installation of updates for a while, but not indefinitely. On Windows 8.1 computers, Windows Update is still the best way to install updates. Windows 7 users don’t have an official way to obtain updates for that OS, despite the fact that Microsoft continues to develop them.

Update 2020Jul17: Again with this crap, Microsoft? One of the updates from this batch caused Outlook 2016 to crash on starting for users worldwide. This affected one of my clients, and affected critical business operations. A fix posted by someone other than Microsoft allowed Outlook to run, but killed the ability to print. Linux never looked so good.

You will now use Microsoft Edge!

On a related note, you may have noticed that Microsoft is pushing its new Chromium-based Edge browser to all Windows computers. This is happening not only on Windows 10 computers, but also those running Windows 8.1 and even 7. The new Edge cannot be removed in the usual way once it’s installed. This is causing consternation for many users, as Edge seems to take over once installed, forcing the user to make certain choices before the desktop can even be accessed. Isn’t this the kind of behaviour that got Microsoft in trouble in the 1990s?

The Verge has additional details. In case you were thinking about switching to Edge, you should be aware that a recent study by Yandex ranked Edge last in terms of privacy.

Firefox 78

Mozilla released Firefox 78.0 on June 30th, and followed up with Firefox 78.0.1 the next day, to fix a specific issue which “could cause installed search engines to not be visible when upgrading from a previous release.”

Changes in Firefox 78

The new Protections Dashboard, accessible from the Firefox menu or by browsing to about:protections, provides a summary of various protections provided by the browser. If Enhanced Tracking Protection is enabled, you’ll see the number of times Firefox has blocked social media trackers, cross-site tracking cookies, fingerprinters, and crypto-miners. If you’re using Firefox’s password manager, Lockwise, and you’ve signed up for breach alerts, those alerts will be shown here, along with references to exposed passwords.

The Firefox uninstaller will now offer an alternative to uninstalling Firefox when it’s not working properly: a Refresh button. “Refreshing Firefox can fix many issues by restoring Firefox to its default state, while saving your essential information like bookmarks, and passwords.”

The new version also includes improvements to video calls and videoconferencing, as well as graphics performance.

Firefox 78 addresses thirteen security vulnerabilities in earlier versions.

Firefox updates itself automatically by default. If you’ve disabled that option, or just want to get the new version right away, navigate the browser’s ‘hamburger’ menu at the top right to Help > About Firefox. You’ll see an update button if a newer version is available.

Adobe Flash 32.0.0.387

A new version of Flash was released by Adobe earlier this week.

Flash 32.0.0.387 fixes a single security vulnerability in earlier versions.

If you use Flash, and in particular if you use a web browser with Flash enabled, you should make sure you’re running the latest version.

The easiest way to determine whether you’re running Flash is to visit the Flash Player Help page on the Adobe web site. Click the Check Now button to see the version your browser is running. Further down the page, there’s a small Flash demo that you can use to verify that Flash is installed and running in your browser. Your browser may also block Flash or prompt you to allow Flash to run.

Also on that page there’s a link to Download the latest version of Flash Player.

Adobe will stop supporting and updating Flash after December 31, 2020. At that point we’ll be recommending that everyone completely disable and/or remove Flash from all their computers, unless there’s some specific reason it’s still needed. And the world will be a much better place.

Patch Tuesday for June 2020

It’s another Patch Day, and this month from Microsoft we’ve got thirty-two update bulletins and associated patches. Twenty-one of the bulletins are flagged as having Critical severity. One hundred and twenty-four security vulnerabilities are addressed, affecting Internet Explorer 9 and 11, Adobe Flash embedded in Microsoft browsers, Office applications, Edge (both the original version and the new version based on the Chromium engine), SharePoint, Visual Studio, Windows 7, 8.1, and 10, and Windows Defender, the anti-malware program included with Windows 10.

You can find all the relevant details by perusing Microsoft’s Security Update Guide.

Although Microsoft produced Windows 7 updates this month, you won’t be able to obtain them through Windows Update unless you’ve subscribed to Microsoft’s Extended Security Updates (ESU) program. Still, you should check Windows Update because occasionally Microsoft makes new Windows 7 updates available to everyone.

Windows 8.1 is still getting updates, and that will continue until January 10, 2023. Windows Update is still the easiest way to check for and install updates for Windows 8.1.

As usual, Windows 10 computers will be force-fed these updates over the next few days. You can delay the inevitable for as much as a year for feature updates (changes other than bug fixes), or a month for bug fixes, but eventually they’ll be installed whether you want them or not. Which still seems crazy, given how many problems Windows 10 updates have caused.

Patch Tuesday for May 2020

We’re in the middle of a pandemic, but that’s no excuse to leave software unpatched. There’s certainly been no reduction in the rate at which vulnerabilities and exploits are being discovered.

This month’s contribution from Microsoft, as documented in the Security Update Guide, consists of thirty-eight updates, with corresponding bulletins, addressing one hundred and eleven vulnerabilities in .NET, Internet Explorer, Edge, Office, Visual Studio, and Windows. Eighteen of the updates are flagged as having Critical severity.

If you’re still using Windows 7, and you haven’t shelled out for Microsoft’s Extended Security Updates, you won’t find any of this month’s Windows 7 updates via Windows Update. You do have at least one other option: an organization called 0patch. These folks provide what they call ‘micropatches’ for known vulnerabilities in no-longer-officially-supported versions of Windows, including Windows 7 and Windows Server 2008. I haven’t tried these myself, but they seem legitimate. Well, presumably not in the view of Microsoft.

Windows 10 users will get the latest updates whether they’re wanted or not, although there are settings that allow you to delay them, for a while. That leaves Windows 8.1, for which Windows Update is still the appropriate tool.

Adobe once again tags along this month, with new versions of Reader and Acrobat. Most people use the free version of Reader, officially known as Acrobat Reader DC. The new version, 2020.009.20063, includes fixes for twenty-four security vulnerabilities in earlier versions.

Firefox 76 and 76.0.1

Announced on May 5, Firefox 76 tightens up password management and related security in several ways:

  • Lockwise, the password manager built into Firefox, now prompts for your Lockwise master password when you try to show or copy a password. If you’re not using a master password, Lockwise will prompt for your device’s password. Previously, Lockwise only prompted for the master password once, on Firefox startup.
  • Firefox now checks all your saved passwords against records from known breaches. Any password known to have been revealed in any breach will show in your Logins & Passwords list with a special icon. A different icon is shown if the associated site was breached since you last changed your password for that site.
  • Firefox can now generate secure, complex passwords for you.

Other changes in Firefox 76 include improvements to the Picture-In-Picture feature, and native support for more complex audio applications, including Zoom. There are also some minor cosmetic tweaks to the address bar and bookmarks bar.

There are eleven security fixes in Firefox 76 as well.

Default installations of Firefox keep themselves up to date, but you can hurry the process along by navigating its ‘hamburger’ menu to Help > About Firefox.

Firefox 76.0.1

The release of Firefox 76 was followed up quickly by Firefox 76.0.1, which fixes two bugs, neither of which are security-related.

Java 8 Update 251

At this point, most folks probably don’t need Java. Which is good, because it’s still a target for malicious hackers. If you don’t actually need Java, it’s a good idea to remove it completely from your computers.

You can check whether Java is installed by opening the Windows Control Panel and looking for a Java entry. On my Windows 8.1 computer, it looks like this: [screenshot not included]. If you can’t see a Java entry in the Control Panel, try changing View by to Small icons. If you still can’t see it, Java probably isn’t installed. To find the Control Panel on Windows 10, press the Windows key, then type ‘control’. You should see Control Panel in the search results.

You can also double-check by opening Programs and Features in the Control Panel. Search the Programs and Features list for ‘java’.

If you’re not sure whether you still need Java, uninstall it, then if something stops working, you can always reinstall it.

If you do need to keep Java around, to run old Java applications and games, access ancient Java-enabled web sites, or use work-related resources you have no control over, it’s best to keep it up to date.

The Java Control Panel will let you see the currently installed version, and provides a link to download and install the newest version.

Java 8 Update 251 includes fixes for fifteen security vulnerabilities in earlier versions.
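The Control Panel check described in this post and in the Java 8 Update 261 post above can also be done from PowerShell, which is handy when you have several Windows machines to inventory. This is an added example, not code from the original posts: it reads the standard Windows uninstall registry keys (both the 64-bit and WOW6432Node views), lists any Java entries, and compares each against a baseline version. The baseline value is an assumption: Oracle’s Java 8 installers pad the update number, so Update 261 is assumed to register as 8.0.2610.x; adjust it to match what your installer reports.

```powershell
# Added example (not from the original posts): inventory installed Java packages
# from the Windows uninstall registry keys and flag any below a chosen baseline.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledJava {
    # Every installed program registers a subkey here; the DisplayName is what
    # Programs and Features shows, so matching 'Java*' mirrors the manual search.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java*' } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

# Assumed baseline: Java 8 Update 261 is expected to register as 8.0.2610.x
# (the update number is padded with a trailing zero). Change if yours differs.
$baseline = [version]'8.0.2610.0'

$found = Get-InstalledJava
if (-not $found) {
    Write-Output 'No Java entry found in the uninstall registry keys.'
} else {
    foreach ($j in $found) {
        $ver = $null
        $status = if ([version]::TryParse($j.DisplayVersion, [ref]$ver)) {
            if ($ver -lt $baseline) { 'OUTDATED' } else { 'current' }
        } else {
            'unrecognised version format'
        }
        Write-Output ("{0}`t{1}`t{2}" -f $j.DisplayName, $j.DisplayVersion, $status)
    }
}
```

Any entry reported as OUTDATED should either be updated from the Java download page or, if nothing on the machine still needs it, removed via the listed UninstallString.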

Patch Tuesday for April 2020

As if there wasn’t enough going on, it’s already time to patch your Windows computers again.

Of course at this point, given that Windows 7 is effectively no longer getting patches, and Windows 10 updates itself whether you want it to or not, we’re really just talking about Windows 8.1. Market share for Windows 8.x was never high, and it’s now below 5% overall. Oh well.

Somewhat confusingly, Microsoft continues to produce patches for Windows 7, and documents them along with all the others in the Security Update Guide. But if you look at the requirements for these Windows 7 updates, you’ll see that they can’t be installed unless you’ve already paid for and installed the Extended Security Updates (ESU) Licensing Preparation Package. Which most regular folks can’t afford.

This month we don’t have any interesting updates from Adobe, but there’s the usual pile from Microsoft. Analysis of the Security Update Guide reveals that a total of one hundred and fourteen security vulnerabilities are addressed in this month’s patches. The usual lineup of software products are affected, including Windows, Internet Explorer 9 and 11, Edge, Office, and Windows Defender. There are thirty-eight security bulletins in all, nineteen of which are flagged as Critical.

By now I’m sure you know the drill: find Windows Update in the Control Panel and check for updates. Whether you cross your fingers or not is entirely up to you. Windows 10 users need to keep their fingers crossed at all times I guess.

Update 2020Apr15: April’s Microsoft updates include fixes for those actively-exploited Adobe Type Library vulnerabilities recently reported.