Category Archives: Security

aka infosec

Thunderbird 60.5: four security fixes

Mozilla remains committed to Thunderbird, the company’s full-featured yet free email client for Windows, Mac, and Linux. Which is good news, because it’s getting increasingly difficult to find good email client software.

I’ve never been a fan of web-based email. It’s handy in certain situations, but leaves much to be desired for long-term use. I’ve been using Outlook for years, but it’s more than most people need; for them, there’s Thunderbird.

Thunderbird 60.5 plugs at least four security holes in previous versions.

To update Thunderbird, click its ‘hamburger’ menu icon at the top right, hover your mouse over Help, and click About Mozilla Thunderbird. If an update is available, you’ll be prompted to install it.

Chrome 72.0.3626.81: loads of security fixes

There are at least fifty-eight security fixes in the latest Chrome browser, version 72.0.3626.81. Released on January 29, the new version contains more than fourteen thousand changes in all. If you have a few days to kill, you can read the full change log.

Chrome will generally update itself whether you want it to or not, but if you’re not sure, navigate its menu (three dot icon) to Help > About Google Chrome to see which version you have installed, and trigger an update if one is available.

I’m not sure why Google didn’t see fit to mention any of the changes in this version on the announcement page, but it’s hard to imagine that none of them were at all interesting. Besides listing about thirty of the security fixes, all they’ve done is point to the Chrome blog, which currently doesn’t show any posts related to this new version.

Firefox 65.0: security improvements and bug fixes

The latest Firefox version, released by Mozilla on January 29, is 65.0. The new version includes fixes for seven security vulnerabilities, as well as some security-related improvements and new features.

Firefox 65 makes it even easier to detect and control the tracking a web site is doing. At the far left end of the address bar, click the small ‘i’ with a circle around it. This will show the site information window. The new Content Blocking section in this window allows you to see the cookies and trackers being used by a site. There’s also a shortcut to the Content Blocking settings, where you can set global preferences for blocking: Strict, Standard, or Custom.

Firefox 65.0 adds support for a video compression technology called AV1, which is expected to provide improvements in video streaming performance for 64-bit Firefox users.

Depending on how you’ve configured Firefox’s update settings, it may prompt you to install the new version. If it doesn’t, try navigating Firefox’s menu (that ‘hamburger’ icon) to Help > About Firefox. You’ll be able to see the current version and update it from there if a new version is available.

Java 8 Update 201 fixes five security bugs

Oracle just released their first quarterly Critical Patch Update Advisory for 2019.

These advisories cover a lot of Oracle software, most of which is likely of very little interest for ordinary users. But buried in each of these reports you’ll usually find a reference to a new version of Java.

It’s increasingly unlikely that you have a shared Java installation on your Windows computer. You may run Java applications, such as Minecraft and some network and Internet tools, but these often include their own, separate installs of Java now.

The easiest way to see whether you have a shared install of Java on your Windows 7 or 8.x computer is to go to the Control Panel and look for a Java entry. If you see one, open it up and go to the Update tab, then click the Update Now button. If there’s an update available, you’ll be able to install it from there.

You can also visit the Verify Java Version page, but unless you’re using Internet Explorer, it won’t be able to tell you if you’re even running Java. If you’re on Windows 10, that’s also the easiest way to check your version.

Java 8 Update 201 addresses five security vulnerabilities in earlier versions. The details are listed in the quarterly advisory.

Patch Tuesday for January 2019

Patch Tuesday: the gift that keeps on giving. Imagine a world where the second Tuesday in a month came and went, with no updates to install. Something to celebrate. Meanwhile, back in the real world, there’s an apparently infinite supply of software bugs out there, most as-yet undiscovered.

But back to the matter at hand. Microsoft’s Security Update Guide is still annoying to use on the web, so I recommend downloading this month’s patch details in the form of a spreadsheet. Navigate to the SUG, which by default will show the updates for this month. You should see a ‘Download’ link to the far right of the Security Updates heading. Click that link and open the spreadsheet in Excel or something compatible. In Excel, depending on the version, you should be able to enable the Filter feature, which makes each column heading a drop-down control, allowing you to filter and sort on any column. Very handy.

This month Microsoft is issuing seventy-three bulletins, each corresponding to an update for one or more security vulnerabilities. Forty-eight vulnerabilities are addressed by the updates, which affect the usual targets, namely Windows, Internet Explorer, Edge, Office, .NET, Flash (in IE and Edge), Visual Studio, and Exchange Server.

Windows 10 users will get relevant updates whether they want them or not, as will anyone using older versions of Windows with automatic updates enabled. The rest of us will need to head to Windows Update and click the Check for Updates button.

From Adobe, we get a new version of Flash, to go along with last week’s new version of Reader.

The latest Flash is version 32.0.0.114, and it includes fixes for feature and performance bugs, but — surprisingly — none for security bugs.

As usual, the Flash embedded in Chrome will update itself along with the browser, while IE and Edge updates are provided via Windows Update. Your Flash installation may be configured to install updates automatically, but if not, head to the main Flash Player page, which will let you know if you need an update, and provide links.

The new version of Reader (Acrobat Reader DC), made available by Adobe on January 3, is A2019.010.20069. Reader 2019.010.20069 includes fixes for two Critical security issues.

Newer installations of Reader seem to keep themselves up to date, but you can grab the latest version at the Get Reader page. Remember to disable the optional applications, or you’ll get what is likely unwanted software such as McAfee antivirus products.

Special security update for Internet Explorer

Last week Microsoft issued an unscheduled security update that fixes a serious security vulnerability in Internet Explorer 9, 10, and 11.

According to Microsoft, this vulnerability is currently being exploited on the web, which means that malicious activity that takes advantage of the security hole has been observed.

Details of the vulnerability can be found in Microsoft’s Security Update Guide.

Anyone who still uses Internet Explorer for web browsing should install this update by running Windows Update in the Windows Control Panel or system settings.

Chrome 71.0.3578.98 fixes one security bug

A lone security vulnerability is addressed in the latest Chrome, version 71.0.3578.98. The full change log documents about twenty changes in all.

Chrome keeps itself up to date, mostly whether you want it to or not. I’ve long since stopped fighting Google’s automatic updates on my own computers, partly because those updates never seem to cause problems, which is refreshingly different from Microsoft’s sad history.

On the other hand, Chrome may not get around to updating itself for a while; Chrome release announcements usually include boilerplate text saying that the new version “will roll out over the coming days/weeks.” You can get it up to date right now by clicking its menu button and choosing Help > About Google Chrome.

Firefox 64.0 fixes eleven security bugs

The latest Firefox fixes a handful of bugs, eleven of them security vulnerabilities, ranging in impact from low to critical.

New in Firefox 64.0 is the ability to select and manipulate multiple tabs. Hold the Ctrl or Shift key while clicking to select several tabs, then right-click one of the tabs to see some new actions in the context menu. Unfortunately, there’s no visual indication of which tabs have been selected, making this otherwise helpful feature somewhat awkward to use. You can at least see how many tabs you have selected in the context menu, in the Send n Tabs To Device entry.

Firefox’s Task Manager, which you can show by navigating to about:performance, now shows the amount of power being used by each tab and Add-On. This should be very handy for mobile device users.

Starting with Firefox 64.0, TLS certificates issued by Symantec are no longer trusted. You’ll only notice this if you visit a web site that still uses a certificate from Symantec.

The special page about:crashes is improved in Firefox 64.0: it’s now clear when a crash is being submitted to Mozilla, and that removing crashes locally does not remove them from the Mozilla crash stats page.

The release notes for Firefox 64.0 have more details.

Patch Tuesday for December 2018

It’s the second Tuesday of the month, so it’s once again time to play Patch Or Else, brought to you by Microsoft and Adobe.

It’s easy to get complacent about updating software: diligently installing updates as soon as they become available is an essential part of a good security strategy, and it means you’re less likely to fall afoul of malicious activity. But it also means that after a while you can lose sight of the risk of not staying up to date, and gradually become lax about installing updates. History is filled with stories of lost lessons; it’s apparently in our nature to forget what’s important when we aren’t reminded of the reasons for that importance.

Analysis of Microsoft’s Security Update Guide for the December 2018 updates reveals that this month we have sixty-seven distinct updates, half of which are flagged as having Critical severity. The updates address security issues in Adobe Flash (embedded in Internet Explorer and Edge), Internet Explorer, Edge, .NET, Office, Visual Studio, and Windows.

Update Windows and your other Microsoft software via Windows Update. In Windows 10, open the Start Menu and click on Settings > Update & Security settings > Windows Update. In older versions of Windows, you can find Windows Update in the Control Panel.

Presumably as part of the ongoing push for transparency in response to Windows 10 update problems earlier this year, Microsoft Corporate VP Michael Fortin posted an article, coinciding with this month’s updates, that explains some of the planning that goes into the monthly updates. Fortin points out that “During peak times, we update over 1,000 devices per second”.

Adobe’s contribution to the patch pile this month is a new version of Adobe Reader. The new Reader includes fixes for at least eighty-seven vulnerabilities, many having Critical severity. The release notes for Adobe Reader DC 2019.010.20064 provide additional details. Update Reader by pointing your browser to the Acrobat Reader Download Center.

Flash 32.0.0.101 fixes two security bugs

Released on December 5th, the latest Flash addresses two security vulnerabilities in earlier versions. The security bulletin for Flash 32.0.0.101 provides additional details.

If you’re still using Flash, you should install the new version as soon as possible. If you use a web browser with a Flash plugin enabled, don’t wait: update now. If you’re not sure whether your browser has Flash enabled, visit the Flash Player Help page with that browser. The Help page will detect Flash in your browser, tell you which version is installed, and provide a download link for the latest version.

Web browsers that include their own embedded Flash will be updated via their usual channels: for Microsoft browsers, that means Windows Update. Chrome usually updates itself automatically, but you can trigger an update by navigating its menu to Help > About Google Chrome.