Category Archives: Security

aka infosec

Chrome 67.0.3396.62: security fixes

Yesterday’s release of Google Chrome brings its current version number to 67.0.3396.62. The new version is mostly about security fixes: there are thirty-four in all, none of which are flagged with Critical severity.

The change log for Chrome 67.0.3396.62 is a monster, listing 10855 changes in all. Don’t try viewing that page with an older computer or browser.

Google hasn’t seen fit to highlight any of the changes in Chrome 67.0.3396.62 in the release announcement, other than mentioning that Site Isolation may or may not be enabled. Site Isolation is a new security feature that’s being rolled out in stages.

As usual, the new Chrome version “will roll out over the coming days/weeks.” If that’s too vague for you (it is for me), an update can usually be triggered by navigating Chrome’s menu (the vertical ellipses icon at the top right) to Help > About Google Chrome.

More CPU flaws discovered

Microsoft and Google just announced a new CPU speculative execution flaw that’s similar to Spectre and Meltdown: Speculative Store Bypass.

As with Spectre and Meltdown, almost all CPU chips made in the last ten years are affected by this issue.

The Verge: Google and Microsoft disclose new CPU flaw, and the fix can slow machines down.

Bruce Schneier thinks there are more speculative execution flaws coming. And he’s probably right.

Spectre update

Intel has decided not to produce Spectre microcode updates for some of the oldest of their affected CPUs, leaving most Core 2 chips without any hope of a Spectre fix. As for first generation CPUs, some will get updates, and some will not. Microcode updates for all CPUs from generation 2 through generation 8 have already been released.

Not sure whether your computer is affected by Spectre? If you’re running Windows, Gibson Research’s free InSpectre tool will tell you what you need to know. Looking for a Spectre BIOS update for your computer? PCWorld’s guide is a good starting point.

Intel has produced new microcode for most Spectre-affected CPUs, but some manufacturers have yet to provide corresponding BIOS updates for all affected motherboards. They may have decided not to bother developing updates for older motherboards. That’s a potential problem for millions of computers running older CPUs that are new enough to be vulnerable to Spectre. If the manufacturer hasn’t released a BIOS update with Spectre fixes for your motherboard, consider contacting them to find out when that’s going to happen.

Update 2018May24: I contacted Asus about a particular desktop PC I happen to own, and was told that “details on whether or not there will be a Spectre BIOS update for the <model> is [sic] currently not available.” That doesn’t sound very encouraging. It feels like they’re waiting to see how many complaints they get before committing resources to developing patches.

Acrobat Reader security update

Adobe logoForty-seven security vulnerabilities in Acrobat Reader — many of them flagged as Critical — prompted Adobe to release a fixed version on May 14.

Acrobat Reader comes in a few different flavours, but the one targeted at regular users is Acrobat Reader DC, which is also sometimes refererred to as Acrobat Reader DC (Continuous Track). See the post Adobe Acrobat Reader updates from 2018Feb16 for more information about Acrobat/Reader variants.

Acrobat Reader DC version 2018.011.20040 contains fixes for all forty-seven vulnerabilities documented on the associated security bulletin.

You can install the latest Reader by visiting the Get Acrobat Reader page on Adobe’s web site. Don’t forget to disable any checkboxes for installing optional software. When I installed Acrobat Reader DC 2018.011.20040 from that page earlier, there were three such options, all enabled by default:

  • Install the Acrobat Reader Chrome Extension
  • … install the free McAfee Security Scan Plus utility …
  • … install McAfee Safe Connect …

Unless you know for sure you want to use those products, it’s best to avoid them.

Chrome 66.0.3359.170

The latest version of Chrome fixes four security bugs. The Chrome 66.0.3359.170 release notes and change log have additional details.

Check your version of Chrome by clicking that three-dot (vertical ellipses?) icon at the top right, and selecting Help > About Google Chrome from the menu.

Of course, while keeping Chrome up to date is a good way to protect yourself from browser-based malware, you should also be careful when using extensions. Even Google-approved extensions obtained from the Chrome Web Store may contain malware. Recently, as many as 100,000 computers running Chrome were infected with malware hidden in seven different extensions from the Chrome Web Store.

Firefox 60

Mozilla is making things easier for IT folks with Firefox 60. A new policy engine allows Firefox to be deployed with custom configurations appropriate for business and education environments. This seems likely to increase Firefox’s presense on enterprise desktops.

The New Tab (aka Firefox Home) page gets a bit of an overhaul in Firefox 60, with a responsive layout that should work better with wide screens, saved Pocket pages in the Highlights section, and more reordering options.

The Cookies and Site Data section of Firefox’s Preferences page is now a lot easier to understand: the amount of disk space involved is shown, as are the implications of each option.

Twenty-six security vulnerabilities are fixed in Firefox 60.

Patch Tuesday for May 2018

Spring has sprung, and with it, a load of updates from Microsoft and Adobe.

This month from Microsoft: sixty-seven updates, fixing sixty-nine security vulnerabilities in Windows, Internet Explorer, Office, Edge, .NET, Flash, and various development tools. Seventeen of the vulnerabilities addressed are flagged as Critical and can lead to remote code execution.

The details are as usual buried in Microsoft’s Security Update Guide. You may find it easier to examine that information in spreadsheet form, which you can obtain by clicking little Download link partway down the page on the right. Just above that there’s a link to the release notes for this month’s updates, but don’t expect much useful information there.

Update 2018May11: If you were looking for something to motivate your patching endeavours, consider this: two of the vulnerabilities addressed in this month’s updates are being actively exploited on the web.

Adobe logoAs you might have guessed from Microsoft’s Flash updates, Adobe released a new version of Flash today. Flash 29.0.0.171 addresses a single critical vulnerability in previous versions. You can find release notes for Flash 29 on the Adobe web site.

You can get Flash from Windows Update if you run a Microsoft browser, via Chrome’s internal updater, or from the official Flash download page. If you use the Flash download page, make sure to disable any optional installs, as they are generally not useful.

Chrome 66.0.3359.139

Say what you will about Google, they do a great job of fixing security issues in their flagship browser software, Chrome.

Google recently released Chrome 66.0.3359.139, which includes fixes for three security vulnerabilities. The complete list of changes can be found in the change log.

As usual, Google says the new version “will roll out over the coming days/weeks”. Unless you’ve disabled all of Google’s automatic updating mechanisms, Chrome will update itself, but it’s difficult to predict exactly when that will happen. However, you can usually trigger an update by running Chrome, clicking its menu button (the three dot icon at the top right), and selecting Help > About Google Chrome.

Java 8 Update 171 (8u171)

The only major browser that still officially supports Java is Internet Explorer, although there are workarounds for some of the other browsers. For example, you can switch to Firefox ESR (Extended Support Release), but even that support is likely to disappear before long. Google Chrome, and other browsers that use the same engine, can only be made to show Java content by installing an extension that runs Internet Explorer in a tab.

Java’s impact on security is diminishing, but it’s still being used on older systems where upgrading to newer O/S versions is not possible. There are still a lot of Windows XP systems out there, and most of them are either running older versions of Internet Explorer or Firefox ESR.

If you’re still using Java, you should install the latest version, Java 8 Update 171 (8u171), as soon as possible. The easiest way to check which version you’re running and install any available updates is to visit Oracle’s ‘Verify Java’ page. You’ll need to do that with a Java-enabled browser. Another option is to visit the third-party Java Tester site. Again, this site won’t work unless Java is enabled.

Java 8 Update 171 includes fixes for fourteen security vulnerabilities. Other changes are documented in the Java 8 release notes and the Java 8u171 bug fixes page.

Chrome 66.0.3359.117 released

The latest version of Google Chrome includes sixty-two security fixes, and a limited trial of a new feature called Site Isolation that should help to reduce the risk from Spectre-related vulnerabilities.

The change log for Chrome 66.0.3359.117 is another whopper, listing over ten thousand changes in total.

Check your version of Chrome by clicking the three-vertical-dots menu button at the top right, and selecting Help > About Google Chrome. Doing that will usually trigger an update if one is pending.

Patch Tuesday for April 2018

Microsoft’s contribution to our monthly headache starts with a post on the TechNet MSRC blog: April 2018 security update release. This brief page consists of the same boilerplate we get every month, and provides no details at all. We’re informed that “information about this month’s security updates can be found in the Security Update Guide” but there isn’t even a link to the SUG.

Analysis of the SUG for this month’s Microsoft updates shows that there are sixty updates, addressing sixty-eight vulnerabilities in Flash, Excel, Word, and other Office components, Internet Explorer, Edge, Windows, and Defender. Twenty-three of the vulnerabilities are flagged as Critical.

If your Windows computer is not configured for automatic updates, you’ll need to use Windows Update in the Control Panel to install them.


Adobe’s offering for this month’s patching fun is a new version of Flash Player: 29.0.0.140 (APSB18-08). Six security vulnerabilities — three flagged as Critical — are fixed in the new version.

If you’re using a web browser with Flash enabled, you should install Flash 29.0.0.140 as soon as possible. The embedded Flash used in Internet Explorer 11 and Edge on newer versions of Windows will get the new version via Windows Update. Chrome’s embedded Flash will be updated via Chrome’s automatic update system. To update the desktop version of Flash, visit the About Flash page.