Category Archives: Security

aka infosec

Internet Explorer, Java, Patches and updates, Security

Java Version 8 Update 191

Leave a comment

Earlier this week, Oracle released its quarterly Critical Patch Update Advisory for October 2018. As usual, there’s a new version of the Java runtime Engine (JRE): Version 8, Update 191 (Java 8u191).

The new version of Java fixes at least twelve security issues affecting earlier versions.

If you use Java, I encourage you to update it as soon as it’s convenient. Java is not the target it once was, but it’s still a good idea to reduce your exposure to Java-based threats by keeping it up to date. The only web browser that officially still supports Java is Internet Explorer. If you use Internet Explorer with Java enabled, you should update Java immediately.

The easiest way to check your Java version and download the latest is to go to the Windows Control Panel, open the Java applet, click the Update tab, then click the Update Now button. If you’re already up to date, you’ll see a message to that effect.

Firefox, Mozilla, Patches and updates, Security

Firefox 62.0.3: two critical security fixes

Leave a comment

Yesterday, Mozilla released Firefox 62.0.3, which includes fixes for two critical security vulnerabilities in previous versions of the popular web browser.

The two vulnerabilities addressed in Firefox 62.0.3 are described in some detail on the associated security advisory page.

Depending on how your Firefox is configured, it may display a small update dialog, or it may simply update itself. To control what happens with new versions, navigate Firefox’s ‘hamburger’ menu (at the top right) to Options > General > Firefox Updates. While there, you can click the Check for updates button to trigger an update if one is available.

Adobe, Patches and updates, Security

New Adobe Acrobat Reader fixes 80+ vulnerabilities

Leave a comment

Adobe logoSecurity researchers from around the world apparently turned their attention to Adobe’s Acrobat and Acrobat Reader recently, and their efforts revealed a big pile of new vulnerabilities. Adobe responded yesterday, releasing new versions of its Acrobat-related products that address eighty-six of those vulnerabilities.

Although Acrobat and Reader exist in several different forms, the one most people actually use these days is Adobe Acrobat Reader DC (Continuous), and the latest version of that variant is 2019.008.20071.

If you use any paid version of Acrobat, or any of its free Reader variants, you should update it as soon as possible. This is particularly important if you open PDF files with uncertain provenance on the web or received in email. If you use Reader as a browser plug-in or extension, you should drop everything and update immediately.

Recent versions of Acrobat and Reader include an automatic update system, so your install may already be up to date. The easiest way to find out is to run it, then navigate its menu to Help > Check for Updates... If an update is available, you’ll be able to install it from there.

Firefox, Mozilla, Patches and updates, Security

Firefox 62.0.2: one security fix

Leave a comment

The latest Firefox includes fixes for a handful of bugs, including one security vulnerability: CVE-2018-12385 (Crash in TransportSecurityInfo due to cached data).

If your installation of Firefox is configured to update itself, it will probably get around to doing that in the next few days, if it hasn’t already. You can expedite the process by starting the browser and navigating to Help > About Firefox in its ‘hamburger’ menu at the top right of the browser window.

The release notes for Firefox 62.0.2 provide additional details.

Adobe, Patches and updates, Security

Adobe Acrobat Reader DC 2018.011.20063

Leave a comment

Adobe logoAdobe usually releases security updates for its software on Patch Tuesday, but they apparently decided that the seven vulnerabilities addressed in Acrobat Reader DC 2018.011.20063 shouldn’t be delayed.

The release annoucement for Adobe Reader 2018.011.20063 provides some details about the vulnerabilities. One of them, CVE-2018-12848, can lead to Arbitrary Code Execution, and is flagged as Critical.

It’s important to keep Acrobat Reader DC up to date, because it’s still being used to deliver malware, embedded in PDF documents. It’s especially important if you’ve enabled Reader in your web browser.

If you use Acrobat Reader DC, you can check whether it’s up to date by navigating its menu to Help > About Adobe Acrobat Reader DC. There’s also a Check for Updates function in the Help menu. On my Windows 8.1 computer, a Windows Task Scheduler task (added by Adobe) updated the software within a few hours of the new version’s release.

Chrome, Google, Patches and updates, Security

Chrome 69.0.3497.100: one security fix

Leave a comment

Another new version of Chrome was released earlier this week: 69.0.3497.100. Although the change log lists twenty-eight total changes, none of them appear to be particularly interesting. Google highlights a single security fix in the release announcement.

You can check whether your install of Chrome is up to date by navigating its menu (click the three-vertical-dots button at the top right) to Help > About Google Chrome. If it’s not current, doing this will usually prompt Chrome to update itself.

Chrome, Google, Patches and updates, Security

Chrome 69.0.3497.92: two security fixes

Leave a comment

The latest Chrome, released on September 11, fixes a pair of security vulnerabilities in the browser. The release announcement for Chrome 69.0.3497.92 does not mention any other changes. There’s a mercifully brief change log, and all the changes appear to be relatively minor.

If Google’s planned “roll out over the coming days/weeks” isn’t fast enough for you, click Chrome’s ‘three dots’ menu button, and select Help > About Google Chrome. If you’re not already up to date, this will usually prompt Chrome to update itself.

Adobe, Edge, Flash, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for September 2018

Leave a comment

Analysis of Microsoft’s Security Update Guide shows that this month’s updates address sixty-two security vulnerabilities, ranging from Low to Critical in severity, in the usual suspects, namely Edge, .NET, Internet Explorer, Office, and Windows. There are forty-five updates in all.

If you’re looking for a new way to evaluate Microsoft’s monthly patch offerings, I recommend Microsoft Patch Tuesday by security firm Morpheus Labs. It’s a lot less oppressive — and easier to use — than Microsoft’s Security Update Guide.

Adobe’s providing us with a new version of Flash this month. Flash version 31.0.0.108 fixes a single security vulnerability. As usual, the Flash code embedded in Chrome and Microsoft browsers will update itself through Google’s automatic update process and Windows Update, respectively.

Happy patching!

Firefox, Mozilla, Patches and updates, Security

Firefox 62.0: nine security updates

Leave a comment

Despite the major version increment, Firefox 62.0 doesn’t really have any new features worth mentioning. However, it’s an important update, because it addresses at least nine security vulnerabilities that range from Low to Critical in severity.

One change in Firefox 62.0 is worth pointing out: the Description field for bookmarks has been removed. Any Description information you previously added to your bookmarks can still be exported from Firefox. From the release notes: “Users who have stored descriptions using the field may wish to export these descriptions as html or json files, as they will be removed in a future release.”

You can usually encourage Firefox to update itself by navigating its ‘hamburger’ menu to Help > About Firefox.