Canadians: if you’ve tried to access your CRA accounts recently, you probably noticed that you can no longer log in. That’s because normal access has been disabled while the CRA works to undo the damage caused by two recent attacks on their services.
The CRA systems were penetrated by persons unknown over the past two weeks. According to the CRA, the breaches have been contained, but the My Account, My Business Account and Represent a Client services have been disabled as a precaution.
Several thousand user accounts have been compromised. Starting in early August, unusual and unauthorized access to accounts was noticed by the account holders and reported to the CRA. In some cases, email, banking, and other account details were changed by the attackers. Fraudulent CERB payments were also issued.
Access to the compromised accounts was apparently gained via ‘credential stuffing’, which is based on the sadly-still-true fact that many people continue to use specific passwords on multiple systems. To be clear: if nobody ever did that, this type of attack would never be successful.
“Of the roughly 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were acquired fraudulently and used to try and access government services, a third of which accessed such services and are being further examined for suspicious activity,” according to a statement from the CRA.
The CRA is in the process of alerting people whose accounts were compromised.
Earlier this week Adobe released new versions of its Acrobat/Reader product line, to fix a series of security vulnerabilities in earlier versions.
There are at least eight variants of Adobe Acrobat and its free counterpart, Reader, which can be confusing. Mitigating this potential confusion is the fact that the huge majority of people who have one of these products installed are using the free Acrobat Reader DC.
The release notes associated with this set of updates reveals that the new versions address at least twenty-six security vulnerabilities in earlier versions. Many of the vulnerabilities are flagged as Critical. The updated version of Acrobat Reader DC is 2020.012.20041.
With default settings, recent versions of Reader will update themselves, on a schedule determined by Adobe, within a few days of a new version’s release. Although it’s possible to override this default behaviour, doing so requires installation of an additional tool or editing the Windows registry directly.
If you’d like to check the version of Reader you’re using, navigate Reader’s menu to
About Adobe Acrobat Reader DC. To check for updates and install the latest version, go to
Check For Updates...
If you run Windows 10 and are curious about the updates Microsoft will be jamming down your throat in the next few days; if you run Windows 7 and want to know what you’re missing out on by not being rich enough to afford Microsoft’s Extended Security Updates program; or if you’re running Windows 8.1 and want to know a bit more about the updates you’re about to install, read on.
Analysis of Microsoft’s comprehensive — yet still oddly difficult to navigate — Security Update Guide for this month reveals that there are sixty-five distinct updates and associated bulletins. Actually, since Microsoft is now calling these things ‘articles’, I’ll do the same. So there are sixty-five articles with associated updates, many of which are packaged into bundles: one with all the month’s updates, and one with only security-related updates.
The updates address a total of one hundred and twenty vulnerabilities in the usual lineup of Microsoft software: Windows (10, 8.1, and 7), Office (2010, 2013, 2016, and 2019), Internet Explorer 9 and 11, Edge (the one built on Chromium), .NET, SharePoint, and Visual Studio.
As is usual these days, Windows 10 updates are installed at Microsoft’s whim, Windows 7 updates are out of reach for most folks, and Windows 8.1 updates are installed via Windows Update in the Control Panel.
Earlier this month, Mozilla released a new version of its free — and still excellent — email client: Thunderbird 78.0.
Notable changes in Thunderbird 78.0
A total of fourteen security vulnerabilities are addressed in Thunderbird 78.0. That means it’s a good idea to install the new version as soon as possible; email clients are a popular attack vector for malware.
- The compose window has been reworked subtly, to improve usability.
- The recipient address fields (To, Cc, and Bcc) have been changed so that addresses are parsed into ‘pills’, and take less space.
- The account setup screens have been changed to make them easier to understand.
- The mail folder icons have been updated and can now be assigned custom colours.
- On Windows, Thunderbird can now be minimized to the tray (aka the notification area) at the end of the task bar.
- There’s now a global search box on the main window’s title bar. The display of global search results has been improved.
The release notes and What’s New page for Thunderbird 78.0 describe all the changes in the new version.
Getting Thunderbird 78.0
The new version is not yet available through the built-in updater, but it can be freely downloaded and installed from its main download page. If you’re already using Thunderbird and want to upgrade to 78.0, you can install it from the main download page and it will update your current version, leaving all your settings intact.
Mozilla released Thunderbird 78.0.1 a few days after 78.0. The new version addresses a few problems introduced by 78.0. That’s the version you’ll get if you go to the main Thunderbird download page.
Oracle recently released its Critical Patch Update Advisory for July 2020. The advisory includes a list of vulnerabilities in Java 8 Update 251 and earlier versions. The fix is to install the latest version, Java 8 Update 261.
There are eleven Java vulnerabilities listed in the advisory, all of which may be remotely exploitable without authentication (exploited over a network without requiring user credentials).
This is a good time to check whether your Windows computers have Java installed, and either update it, or remove it completely if it’s no longer required.
If you’re not sure whether you need Java, you might as well remove it. If you subsequently encounter an application or web site that doesn’t run properly without Java, it’s easy enough to simply reinstall Java from the main Java download page.
The simplest way to check whether Java is installed is to open up the Windows Control Panel and look for a
Java 32-bit) entry. If you see one, open that and navigate to the
To update Java, you can use the Update tab of the Java Control Panel applet, or just head to the main Java download page.
Another month, another load of patches from Microsoft.
This month we have seventy-one bulletins and corresponding updates. One hundred and twenty-six vulnerabilities are addressed in all, affecting .NET, Internet Explorer 9 and 11, Edge, Office, SharePoint, Visual Studio, OneDrive, Skype, Windows, and Windows Defender. Nineteen of the vulnerabilities are flagged as having Critical severity.
As usual, you can find all the details in Microsoft’s Security Update Guide.
Those of you running Windows 10 know the drill: depending on which version of Windows 10 you’re running, you can delay installation of updates for a while, but not indefinitely. On Windows 8.1 computers, Windows Update is still the best way to install updates. Windows 7 users don’t have an official way to obtain updates for that O/S, despite the fact that Microsoft continues to develop them.
Update 2020Jul17: Again with this crap, Microsoft? One of the updates from this batch caused Outlook 2016 to crash on starting for users worldwide. This affected one of my clients, and affected critical business operations. A fix posted by someone other than Microsoft allowed Outlook to run, but killed the ability to print. Linux never looked so good.
You will now use Microsoft Edge!
On a related note, you may have noticed that Microsoft is pushing its new Chromium-based Edge browser to all Windows computers. This is happening not only on Windows 10 computers, but also those running Windows 8.1 and even 7. The new Edge cannot be removed in the usual way once it’s installed. This is causing consternation for many users, as Edge seems to take over once installed, forcing the user to make certain choices before the desktop can even be accessed. Isn’t this the kind of behaviour that got Microsoft in trouble in the 1990s?
The Verge has additional details. In case you were thinking about switching to Edge, you should be aware that a recent study by Yandex ranked Edge last in terms of privacy.
Mozilla released Firefox 78.0 on June 30th, and followed up with Firefox 78.0.1 the next day, to fix a specific issue which “could cause installed search engines to not be visible when upgrading from a previous release.”
Changes in Firefox 78
The new Protections Dashboard, accessible from the Firefox menu or by browsing to about:protections, provides a summary of various protections provided by the browser. If Enhanced Tracking Protection is enabled, you’ll see the number of times Firefox has blocked social media trackers, cross-site tracking cookies, fingerprinters, and crypto-miners. If you’re using Firefox’s password manager, Lockwise, and you’ve signed up for breach alerts, those alerts will be shown here, along with references to exposed passwords.
The Firefox uninstaller will now offer an alternative to uninstalling Firefox when it’s not working properly: a Refresh button. “Refreshing Firefox can fix many issues by restoring Firefox to its default state, while saving your essential information like bookmarks, and passwords.”
The new version also includes improvements to video calls and videoconferencing, as well as graphics performance.
Firefox 78 addresses thirteen security vulnerabilities in earlier versions.
Firefox updates itself automatically by default. If you’ve disabled that option, or just want to get the new version right away, navigate the browser’s ‘hamburger’ menu at the top right to
About Firefox. You’ll see an update button if a newer version is available.
A new version of Flash was released by Adobe earlier this week.
Flash 188.8.131.527 fixes a single security vulnerability in earlier versions.
If you use Flash, and in particular if you use a web browser with Flash enabled, you should make sure you’re running the latest version.
The easiest way to determine whether you’re running Flash is to visit the Flash Player Help page on the Adobe web site. Click the
Check Now button to see the version your browser is running. Further down the page, there’s a small Flash demo that you can use to verify that Flash is installed and running in your browser. Your browser may also block Flash or prompt you to allow Flash to run.
Also on that page there’s a link to Download the latest version of Flash Player.
Adobe will stop supporting and updating Flash after December 31, 2020. At that point we’ll be recommending that everyone completely disable and/or remove Flash from all their computers, unless there’s some specific reason it’s still needed. And the world will be a much better place.
It’s another Patch Day, and this month from Microsoft we’ve got thirty-two update bulletins and associated patches. Twenty-one of the bulletins are flagged as having Critical severity. One hundred and twenty-four security vulnerabilities are addressed, affecting Internet Explorer 9 and 11, Adobe Flash embedded in Microsoft browsers, Office applications, Edge (both the original version and the new version based on the Chromium engine), Sharepoint, Visual Studio, Windows 7, 8.1, and 10, and Windows Defender, the anti-malware program included with Windows 10.
You can find all the relevant details by perusing Microsoft’s Security Update Guide.
Although Microsoft produced Windows 7 updates this month, you won’t be able to obtain them through Windows Update unless you’ve subscribed to Microsoft’s Extended Security Updates (ESU) program. Still, you should check Windows Update because occasionally Microsoft makes new Windows 7 updates available to everyone.
Windows 8.1 is still getting updates, and that will continue until January 10, 2023. Windows Update is still the easiest way to check for and install updates for Windows 8.1.
As usual, Windows 10 computers will be force-fed these updates over the next few days. You can delay the inevitable for as much as a year for feature updates (changes other than bug fixes), or a month for bug fixes, but eventually they’ll be installed whether you want them or not. Which still seems crazy, given how many problems Windows 10 updates have caused.
We’re in the middle of a pandemic, but that’s no excuse to leave software unpatched. There’s certainly been no reduction in the rate at which vulnerabilities and exploits are being discovered.
This month’s contribution from Microsoft, as documented in the Security Update Guide, consists of thirty-eight updates, with corresponding bulletins, addressing one hundred and eleven vulnerabilities in .NET, Internet Explorer, Edge, Office, Visual Studio, and Windows. Eighteen of the updates are flagged as having Critical severity.
If you’re still using Windows 7, and you haven’t shelled out for Microsoft’s Extended Security Updates, you won’t find any of this month’s Windows 7 updates via Windows Update. You do have at least one other option: an organization called 0patch. These folks provide what they call ‘micropatches’ for known vulnerabilities in no-longer-officially-supported versions of Windows, including Windows 7 and Windows Server 2008. I haven’t tried these myself, but they seem legitimate. Well, presumably not in the view of Microsoft.
Windows 10 users will get the latest updates whether they’re wanted or not, although there are settings that allow you to delay them, for a while. That leaves Windows 8.1, for which Windows Update is still the appropriate tool.
Adobe once again tags along this month, with new versions of Reader and Acrobat. Most people use the free version of Reader, officially known as Acrobat Reader DC. The new version, 2020.009.20063, includes fixes for twenty-four security vulnerabilites in earlier versions.