Category Archives: Security

aka infosec

Chrome 80.0.3987.149

Version 80.0.3987.149 of Google’s Chrome web browser is a security release. It includes fixes for at least thirteen security vulnerabilities.

Like most modern browsers, and many of Google’s software products, Chrome updates itself reliably, if somewhat unpredictably. This is arguably a good thing, as long as updates don’t break things and do improve security.

Regardless of your viewpoint on automatic updates, keeping your web browser up to date is critical if you use it to do any actual web browsing. Otherwise the risk of a drive-by malware infection is significantly higher.

To check the version of your Chrome browser, navigate its three-vertical-dots menu to Help > About Google Chrome. If there’s a newer version, you’ll see a button or link for installing it.

Adobe Acrobat Reader DC 20.006.20042

Adobe logoA new version of Adobe’s free PDF document viewer, Acrobat Reader DC, was released on March 17.

According to the release announcement, Reader 20.006.20042 addresses thirteen security vulnerabilities in earlier versions. Many of these bugs were detected and reported by third-party researchers, who are credited in the announcement.

If you use Reader, and particularly if you use it to open PDF files you obtain from email and the web, you should make sure it’s up to date.

Newer versions of Reader typically update themselves when they detect new versions, but since it’s not clear what triggers these updates, you might want to check your version and update it yourself.

Check the version of your Reader by navigating its menu to Help > About Adobe Acrobat Reader DC... If you’re not running the latest version, update it via Help > Check for Updates...

Firefox 74.0

A new version of Firefox fixes some annoying problems with pinned tabs, improves password management, adds the ability to import bookmarks from the new Chromium-based Edge, resolves some long-standing issues with add-on management, introduces Facebook Container, and addresses several bugs, including twelve security vulnerabilities.

The release notes for Firefox 74.0 provide the details.

Starting with Firefox 74.0, it is no longer possible for add-ons to be installed programmatically. In other words, add-ons cannot be added by software; it can only be done manually by the user. Add-ons that were added by software in previous versions of Firefox can now be removed via the Add-ons manager, something that was previously not possible.

Facebook Container is a new Firefox add-on that “works by isolating your Facebook identity into a separate container that makes it harder for Facebook to track your visits to other websites with third-party cookies.” People who are concerned about Facebook’s ability to track their activity across browser sessions and tabs can use this add-on to limit that tracking, without having to access Facebook in a separate browser.

You can wait for Firefox to update itself, which — assuming that option is enabled — may take a day or so, or you can trigger an update by navigating Firefox’s ‘hamburger’ menu to Help > About Firefox. You’ll see an Update button if a newer version is available.

Patch Tuesday for March 2020

Happy Patch Tuesday! Today’s gifts from the always-generous folks at Microsoft include forty-two updates, addressing one hundred and fifteen security bugs in Internet Explorer (9 and 11), Edge (the original version, not the one built on Chromium), Office (2010, 2016, and 2019), Windows (7, 8.1, and 10), and Windows Server.

You can dig into all the gory details over at the Microsoft Security Update Guide.

Computers running Windows 10 will update themselves at Microsoft’s whim over the coming days.

Windows 8.1 users can still exercise some freedom of choice in deciding when to install updates, but I encourage everyone to install them as soon as possible. Even with Microsoft’s recent bungling, you’re arguably better off with security fixes than without, even if those updates sometimes cause other problems.

To install updates on your Windows 8.1 computer, go to the Windows Control Panel and open Windows Update.

If you’re running Windows 7, you may be surprised to note that some of this month’s updates are available for that no-longer-officially-supported version. That’s because while those updates definitely exist, they’re not technically available to the general public.

To get access to the Windows 7 updates, you need to sign up for Extended Security Updates for Windows 7. This is typically only done by Enterprise users (businesses and educational institutions) who need more time to migrate computers to newer versions of Windows. For regular folks, the cost of ESU seems likely to be prohibitive.

The more adventurous among you might want to experiment with hacks to get around this limitation for Windows 7 updates. Apparently people are finding some success doing this.

Chrome 80.0.3987.122

Three more security vulnerabilities are fixed in the latest Chrome, version 80.0.3987.122.

According to the release notes, one of the vulnerabilities fixed in Chrome 80.0.3987.122 is already being exploited ‘in the wild’ so anyone using Chrome should check their version and update immediately.

To determine whether you need to install the new version, navigate Chrome’s menu button () to Help > About Google Chrome. You’ll see the current version, and if a newer one is available, there should be a button that allows you to install it.

Chrome 80.0.3987.116

Sometimes when Google releases a new version of Chrome, the release announcement doesn’t mention any security fixes. That’s intentional:

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

Chrome 80.0.3987.116 was announced on February 18, but the initial announcement didn’t include any mention of five security vulnerabilities that were fixed in that version. Those details were added a few days later.

Three of the vulnerabilities addressed in Chrome 80.0.3987.116 were reported to Google by third party security researchers.

To check your current version of Chrome, click its menu button (three vertical dots) and navigate to Help > About Google Chrome. If a newer version is available, you should see a button or link that allows you to install it.

Firefox 73.0

There’s another new version of Firefox: 73.0. Despite the major version bump, there are no big changes. However, it’s an important update, because it addresses several security vulnerabilities. There are also fixes for a few long-standing annoyances.

According to the security advisory for Firefox 73.0, six security bugs are addressed in the new version. None of them are flagged as having Critical impact, but they all look nasty.

Firefox’s page zoom feature is very handy for viewing web sites with unfortunate font size choices. It’s not new: Firefox has had this feature for years. What is new is that you can now set a global zoom level, which seems likely to be useful for folks with impaired vision.

To zoom the page you’re looking at, hold down the Ctrl key and move your mouse’s scroll wheel up and down. To change the global zoom level, click Firefox’s menu button, and select Options. In the General section, change the Default Zoom setting.

Firefox now shows web page background images with a border when Windows is configured to use high contrast mode. Previously, background images were disabled in high contrast mode.

Firefox will now only prompt to save login credentials if at least one form element has been changed.

To see which version of Firefox you’re using, navigate its menu to Help > About Firefox. If a newer version is available, you should see a button or link to install the update.

Patch Tuesday for February 2020

Yesterday’s crop of updates includes the usual pile from Microsoft, as well as a few from Adobe, for Flash and Reader.

Analysis of Microsoft’s Security Update Guide for February 2020 reveals that there are thirty-eight updates, addressing one hundred and one security issues in Internet Explorer, Edge (both the old and new versions), Flash embedded in Internet Explorer, Office, and Windows. Thirteeen of the updates have been flagged as Critical.

To install Microsoft updates, go to Windows Update in the Control Panel for older versions of Windows, and in Settings > Update & Security for Windows 10. Alternatively, for Windows 10, you can just wait for the updates to be installed automatically.

Adobe logo

The latest version of Flash, 32.0.0.330, fixes a single security vulnerability in earlier versions.

Update Flash on pre-Windows 10 computers by heading to the Windows Control Panel and running the Flash applet. On the Updates tab, check the version and click the Check Now button. Click the link to the Player Download Center. Make sure to disable any checkboxes for installing additional software, then click the big Install Now button. Follow the prompts. You may have to restart your web browser for the update to finish.

Adobe Reader 2020.006.20034, also released this Patch Tuesday, includes fixes for seventeen security vulnerabilities in earlier versions.

Recent versions of Reader typically update themselves, but you can check your version and force an update by navigating Reader’s menu to Help > Check for Updates...