Category Archives: Security

aka infosec

Unpatched Windows 7 vulnerability being used in targeted attacks

A serious vulnerability in Adobe Type Manager Library, a Windows DLL file used by numerous software applications, is being actively exploited, but so far only in a very limited way.

The vulnerability technically could affect all versions of Windows, but security features in current releases of Windows 10 seem to provide sufficient protection.

So far the attacks only seem to be targeting Windows 7 computers. Given that Windows 7 is no longer supported by Microsoft, we might expect that this bug would remain unpatched forever. But Microsoft has shown that it is willing to provide certain post-support Windows 7 security updates to the general public.

In any case, if you run Windows 7, the advice for fending off attacks using this vulnerability are basically the same as always: exercise extreme caution when opening suspicious documents. Even simply previewing an infected document in the Windows Explorer preview pane can allow a Windows 7 computer to be exploited remotely.

So the old advice about disabling preview panes remains valid. Any software that shows a preview of the contents of a file or email is in effect opening that file or email, which can trigger an embedded exploit on vulnerable computers. I strongly recommend disabling all such functionality, so that files and emails are never opened unintentionally, and to see the contents of files and emails, you must explicitly open them.

The related security advisory published by Microsoft also includes some workarounds, but these involve making changes to Windows that are themselves risky.

Given the wording of Microsoft’s bulletin, it seems likely that the NSA discovered this vulnerability and developed the exploit, which they are now using in their investigations. If that’s the case, the NSA may — in the post-EternalBlue/WannaCry world — have decided to inform Microsoft for the good of all.

In other words, for now you’re safe unless you’re the target of an NSA investigation. But it won’t be long until exploits attacking this vulnerability are in the hands of malicious actors.

Chrome 80.0.3987.149

Version 80.0.3987.149 of Google’s Chrome web browser is a security release. It includes fixes for at least thirteen security vulnerabilities.

Like most modern browsers, and many of Google’s software products, Chrome updates itself reliably, if somewhat unpredictably. This is arguably a good thing, as long as updates don’t break things and do improve security.

Regardless of your viewpoint on automatic updates, keeping your web browser up to date is critical if you use it to do any actual web browsing. Otherwise the risk of a drive-by malware infection is significantly higher.

To check the version of your Chrome browser, navigate its three-vertical-dots menu to Help > About Google Chrome. If there’s a newer version, you’ll see a button or link for installing it.

Adobe Acrobat Reader DC 20.006.20042

Adobe logoA new version of Adobe’s free PDF document viewer, Acrobat Reader DC, was released on March 17.

According to the release announcement, Reader 20.006.20042 addresses thirteen security vulnerabilities in earlier versions. Many of these bugs were detected and reported by third-party researchers, who are credited in the announcement.

If you use Reader, and particularly if you use it to open PDF files you obtain from email and the web, you should make sure it’s up to date.

Newer versions of Reader typically update themselves when they detect new versions, but since it’s not clear what triggers these updates, you might want to check your version and update it yourself.

Check the version of your Reader by navigating its menu to Help > About Adobe Acrobat Reader DC... If you’re not running the latest version, update it via Help > Check for Updates...

Firefox 74.0

A new version of Firefox fixes some annoying problems with pinned tabs, improves password management, adds the ability to import bookmarks from the new Chromium-based Edge, resolves some long-standing issues with add-on management, introduces Facebook Container, and addresses several bugs, including twelve security vulnerabilities.

The release notes for Firefox 74.0 provide the details.

Starting with Firefox 74.0, it is no longer possible for add-ons to be installed programmatically. In other words, add-ons cannot be added by software; it can only be done manually by the user. Add-ons that were added by software in previous versions of Firefox can now be removed via the Add-ons manager, something that was previously not possible.

Facebook Container is a new Firefox add-on that “works by isolating your Facebook identity into a separate container that makes it harder for Facebook to track your visits to other websites with third-party cookies.” People who are concerned about Facebook’s ability to track their activity across browser sessions and tabs can use this add-on to limit that tracking, without having to access Facebook in a separate browser.

You can wait for Firefox to update itself, which — assuming that option is enabled — may take a day or so, or you can trigger an update by navigating Firefox’s ‘hamburger’ menu to Help > About Firefox. You’ll see an Update button if a newer version is available.

Patch Tuesday for March 2020

Happy Patch Tuesday! Today’s gifts from the always-generous folks at Microsoft include forty-two updates, addressing one hundred and fifteen security bugs in Internet Explorer (9 and 11), Edge (the original version, not the one built on Chromium), Office (2010, 2016, and 2019), Windows (7, 8.1, and 10), and Windows Server.

You can dig into all the gory details over at the Microsoft Security Update Guide.

Computers running Windows 10 will update themselves at Microsoft’s whim over the coming days.

Windows 8.1 users can still exercise some freedom of choice in deciding when to install updates, but I encourage everyone to install them as soon as possible. Even with Microsoft’s recent bungling, you’re arguably better off with security fixes than without, even if those updates sometimes cause other problems.

To install updates on your Windows 8.1 computer, go to the Windows Control Panel and open Windows Update.

If you’re running Windows 7, you may be surprised to note that some of this month’s updates are available for that no-longer-officially-supported version. That’s because while those updates definitely exist, they’re not technically available to the general public.

To get access to the Windows 7 updates, you need to sign up for Extended Security Updates for Windows 7. This is typically only done by Enterprise users (businesses and educational institutions) who need more time to migrate computers to newer versions of Windows. For regular folks, the cost of ESU seems likely to be prohibitive.

The more adventurous among you might want to experiment with hacks to get around this limitation for Windows 7 updates. Apparently people are finding some success doing this.

Chrome 80.0.3987.122

Three more security vulnerabilities are fixed in the latest Chrome, version 80.0.3987.122.

According to the release notes, one of the vulnerabilities fixed in Chrome 80.0.3987.122 is already being exploited ‘in the wild’ so anyone using Chrome should check their version and update immediately.

To determine whether you need to install the new version, navigate Chrome’s menu button () to Help > About Google Chrome. You’ll see the current version, and if a newer one is available, there should be a button that allows you to install it.

Chrome 80.0.3987.116

Sometimes when Google releases a new version of Chrome, the release announcement doesn’t mention any security fixes. That’s intentional:

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

Chrome 80.0.3987.116 was announced on February 18, but the initial announcement didn’t include any mention of five security vulnerabilities that were fixed in that version. Those details were added a few days later.

Three of the vulnerabilities addressed in Chrome 80.0.3987.116 were reported to Google by third party security researchers.

To check your current version of Chrome, click its menu button (three vertical dots) and navigate to Help > About Google Chrome. If a newer version is available, you should see a button or link that allows you to install it.

Firefox 73.0

There’s another new version of Firefox: 73.0. Despite the major version bump, there are no big changes. However, it’s an important update, because it addresses several security vulnerabilities. There are also fixes for a few long-standing annoyances.

According to the security advisory for Firefox 73.0, six security bugs are addressed in the new version. None of them are flagged as having Critical impact, but they all look nasty.

Firefox’s page zoom feature is very handy for viewing web sites with unfortunate font size choices. It’s not new: Firefox has had this feature for years. What is new is that you can now set a global zoom level, which seems likely to be useful for folks with impaired vision.

To zoom the page you’re looking at, hold down the Ctrl key and move your mouse’s scroll wheel up and down. To change the global zoom level, click Firefox’s menu button, and select Options. In the General section, change the Default Zoom setting.

Firefox now shows web page background images with a border when Windows is configured to use high contrast mode. Previously, background images were disabled in high contrast mode.

Firefox will now only prompt to save login credentials if at least one form element has been changed.

To see which version of Firefox you’re using, navigate its menu to Help > About Firefox. If a newer version is available, you should see a button or link to install the update.