Category Archives: Security

aka infosec

Adobe, Chrome, Edge, Flash, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for May 2018

May 8, 2018 jrivett Leave a comment

Spring has sprung, and with it, a load of updates from Microsoft and Adobe.

This month from Microsoft: sixty-seven updates, fixing sixty-nine security vulnerabilities in Windows, Internet Explorer, Office, Edge, .NET, Flash, and various development tools. Seventeen of the vulnerabilities addressed are flagged as Critical and can lead to remote code execution.

The details are as usual buried in Microsoft’s Security Update Guide. You may find it easier to examine that information in spreadsheet form, which you can obtain by clicking little Download link partway down the page on the right. Just above that there’s a link to the release notes for this month’s updates, but don’t expect much useful information there.

Update 2018May11: If you were looking for something to motivate your patching endeavours, consider this: two of the vulnerabilities addressed in this month’s updates are being actively exploited on the web.

As you might have guessed from Microsoft’s Flash updates, Adobe released a new version of Flash today. Flash 29.0.0.171 addresses a single critical vulnerability in previous versions. You can find release notes for Flash 29 on the Adobe web site.

You can get Flash from Windows Update if you run a Microsoft browser, via Chrome’s internal updater, or from the official Flash download page. If you use the Flash download page, make sure to disable any optional installs, as they are generally not useful.

Chrome, Google, Patches and updates, Security

Chrome 66.0.3359.139

April 29, 2018 jrivett Leave a comment

Say what you will about Google, they do a great job of fixing security issues in their flagship browser software, Chrome.

Google recently released Chrome 66.0.3359.139, which includes fixes for three security vulnerabilities. The complete list of changes can be found in the change log.

As usual, Google says the new version “will roll out over the coming days/weeks”. Unless you’ve disabled all of Google’s automatic updating mechanisms, Chrome will update itself, but it’s difficult to predict exactly when that will happen. However, you can usually trigger an update by running Chrome, clicking its menu button (the three dot icon at the top right), and selecting Help > About Google Chrome.

Firefox, Internet Explorer, Java, Patches and updates, Security, Windows XP

Java 8 Update 171 (8u171)

April 20, 2018 jrivett Leave a comment

The only major browser that still officially supports Java is Internet Explorer, although there are workarounds for some of the other browsers. For example, you can switch to Firefox ESR (Extended Support Release), but even that support is likely to disappear before long. Google Chrome, and other browsers that use the same engine, can only be made to show Java content by installing an extension that runs Internet Explorer in a tab.

Java’s impact on security is diminishing, but it’s still being used on older systems where upgrading to newer O/S versions is not possible. There are still a lot of Windows XP systems out there, and most of them are either running older versions of Internet Explorer or Firefox ESR.

If you’re still using Java, you should install the latest version, Java 8 Update 171 (8u171), as soon as possible. The easiest way to check which version you’re running and install any available updates is to visit Oracle’s ‘Verify Java’ page. You’ll need to do that with a Java-enabled browser. Another option is to visit the third-party Java Tester site. Again, this site won’t work unless Java is enabled.

Java 8 Update 171 includes fixes for fourteen security vulnerabilities. Other changes are documented in the Java 8 release notes and the Java 8u171 bug fixes page.

Chrome, Google, Patches and updates, Security

Chrome 66.0.3359.117 released

April 19, 2018 jrivett Leave a comment

The latest version of Google Chrome includes sixty-two security fixes, and a limited trial of a new feature called Site Isolation that should help to reduce the risk from Spectre-related vulnerabilities.

The change log for Chrome 66.0.3359.117 is another whopper, listing over ten thousand changes in total.

Check your version of Chrome by clicking the three-vertical-dots menu button at the top right, and selecting Help > About Google Chrome. Doing that will usually trigger an update if one is pending.

Adobe, Chrome, Edge, Flash, Internet Explorer, Microsoft, Patches and updates, Security

Patch Tuesday for April 2018

April 11, 2018 jrivett Leave a comment

Microsoft’s contribution to our monthly headache starts with a post on the TechNet MSRC blog: April 2018 security update release. This brief page consists of the same boilerplate we get every month, and provides no details at all. We’re informed that “information about this month’s security updates can be found in the Security Update Guide” but there isn’t even a link to the SUG.

Analysis of the SUG for this month’s Microsoft updates shows that there are sixty updates, addressing sixty-eight vulnerabilities in Flash, Excel, Word, and other Office components, Internet Explorer, Edge, Windows, and Defender. Twenty-three of the vulnerabilities are flagged as Critical.

If your Windows computer is not configured for automatic updates, you’ll need to use Windows Update in the Control Panel to install them.

Adobe’s offering for this month’s patching fun is a new version of Flash Player: 29.0.0.140 (APSB18-08). Six security vulnerabilities — three flagged as Critical — are fixed in the new version.

If you’re using a web browser with Flash enabled, you should install Flash 29.0.0.140 as soon as possible. The embedded Flash used in Internet Explorer 11 and Edge on newer versions of Windows will get the new version via Windows Update. Chrome’s embedded Flash will be updated via Chrome’s automatic update system. To update the desktop version of Flash, visit the About Flash page.

Firefox, Mozilla, Patches and updates, Security

Firefox 59.0.2 released

March 27, 2018 jrivett Leave a comment

A single high-impact security bug is addressed in a new version of Firefox, released yesterday by Mozilla.

Firefox 59.0.2 includes several other bug fixes, some of which were causing crashes and performance issues on certain platforms.

For further details, see the release notes for Firefox 59.0.2.

Chrome, Google, Patches and updates, Security

Chrome 65.0.3325.181: one security fix

March 23, 2018 jrivett Leave a comment

A single security issue prompted the release of Chrome 65.0.3325.181 earlier this week.

Since this is a security update, it’s a good idea to check what version of Chrome you’re running, and update it if necessary.

Chrome usually updates itself automatically, but you can encourage it to update by selecting Help > About Google Chrome from its menu ( at the top right).

Firefox, Mozilla, Patches and updates, Security

Firefox 59 released

March 16, 2018 jrivett Leave a comment

Firefox 59 features performance and user interface improvements, as well as numerous other minor changes. At least eighteen security issues are fixed in the new version.

Particularly welcome are new Privacy and Security settings (Menu > Options > Privacy & Security) that will stop websites from asking to send notifications.

Note: Windows 7 users may have trouble using certain Windows accessibility features, such as the on-screen keyboard, when Firefox 59 is installed. Mozilla is working on a fix for this issue.

Update: Firefox 59.0.1 is also now available. It fixes a single security bug.

Adobe, Flash, Patches and updates, Security

Flash 29.0.0.113

March 14, 2018 jrivett Leave a comment

A new version of Flash, released on March 13 by Adobe, fixes two security vulnerabilities as well as a few other bugs.

If you use a browser with Flash enabled, you should update it as soon as possible. Most browsers no longer play Flash content automatically, or at least have options to make Flash content play only when explicitly allowed. Still, it’s best to be up to date if you use Flash at all.

Internet Explorer and Edge will get their Flash updates via Windows Update, and Google Chrome will update itself on its own mysterious schedule. You can force the issue by visiting the main Flash download page, or the About Flash page, which will prompt you to update if you’re not running the latest version. Don’t forget to disable installation of any additional software, including McAfee security products.

You can find more details in the release announcement, release notes, and the associated security bulletin.

Edge, Flash, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Microsoft updates for March

March 13, 2018 jrivett Leave a comment

I count forty-seven separate bulletins in this month’s batch of updates, which means there are roughly that same number of updates. Over seventy security vulnerabilities in Windows, Internet Explorer, Edge, Office, and .NET are addressed in the updates. There’s a Flash update in there as well, for Edge and recent versions of Internet Explorer.

This month we also get more fixes for Spectre and Meltdown, including firmware updates for somewhat older processors (Skylake, Kaby Lake, and Coffee Lake). There’s still not much available for processors that are more than a few years old.

While Microsoft continues to push people to enable automatic updates, the more cautious among us (including myself) prefer to control what is updated and when. Windows 10 users still have effectively no control over Windows updates.

You can extract additional details for this month’s updates from Microsoft’s Security Update Guide.

boot13

Category Archives: Security

Patch Tuesday for May 2018

Chrome 66.0.3359.139

Java 8 Update 171 (8u171)

Chrome 66.0.3359.117 released

Patch Tuesday for April 2018

Firefox 59.0.2 released

Chrome 65.0.3325.181: one security fix

Firefox 59 released

Flash 29.0.0.113

Microsoft updates for March

Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.