A single security bug was fixed in Chrome 64.0.3282.167, released by Google on February 13.
The new version will find its way to your desktop automatically, unless you’re diligent about killing Google’s pesky auto-update processes. If that describes you, or you just don’t want to wait, you can usually encourage Chrome to update itself by navigating to About Google Chrome in the browser menu.
There’s additional information in the full change log for Chrome 64.0.3282.167.
Earlier today, Microsoft released forty-two updates to address fifty-four vulnerabilities in Windows, Internet Explorer, Edge, Flash, and Office software. Fourteen of the vulnerabilities are flagged as critical, and have the potential to be used for remote code execution.
This information was extracted from Microsoft’s Security Update Guide, the rather opaque reservoir into which Microsoft now dumps its update information. Of course Microsoft would be happier if we all just enabled auto-updates, and in fact the monthly patch bulletins are now little more than a link to the SUG and a recommendation to enable auto-updates.
As expected, Adobe has released a new version of Flash that addresses CVE-2018-4878 and another critical vulnerability, CVE-2018-4877. A new security bulletin (APSB18-03) provides additional details.
The new version was made available on February 6. The release notes show that at least one other bug was fixed in Flash 184.108.40.206.
Anyone still using a web browser with Flash enabled should make sure that it’s up to date. CVE-2018-4877 is already being actively exploited.
As usual, Chrome will update itself automatically, and Internet Explorer and Edge will get the new Flash via Windows Update.
There are about twenty changes in Chrome 64.0.3282.140. One of the changes is a fix for a security issue, and the rest are minor tweaks and other bug fixes.
As usual, the release announcement says that the new version “will roll out over the coming days/weeks”. Since this release includes a security fix, it’s a good idea to check what version you’re running by navigating to the About Chrome page (About Google Chrome in the browser menu).
On February 1, Adobe published a security advisory about a critical vulnerability (CVE-2018-4878) in Flash Player 220.127.116.11 and earlier versions. Successful exploitation could allow an attacker to take control of an affected system.
An exploit for CVE-2018-4878 already exists, and is being used in targeted attacks against Windows users. So far, attacks based on this vulnerability have been delivered via Office documents with malicious Flash content as email attachments.
Adobe plans to address this vulnerability next week. Meanwhile, use extreme caution when deciding whether to open email attachments, especially if they appear to be Office documents.
Flash is gradually disappearing from use, but it’s still used enough to make it a tempting target for malicious hackers.
Duo Security: No Patch Yet: Flash Vulnerability Exploited in the Wild
Released on January 29, the latest version of Firefox addresses one security vulnerability and a bug related to Windows security policies.
Release notes for Firefox 58.0.1.
Microsoft has just released ‘out of band’ (outside the usual Patch Tuesday) updates that disable or reverse earlier updates that mitigate Spectre V2. These updates for updates are happening because Intel’s firmware fixes are causing a lot of problems for some folks.
If you were diligent and installed firmware updates on your Windows computers, you should install the new Microsoft updates as soon as possible. Of course doing that will leave your computer exposed to Spectre V2. There’s no solution, other than to be vigilant and extremely careful about visiting shady web sites, installing downloaded software, and clicking links in email.
I guess I’m lucky that no firmware updates are even available for my computers. If they were available and I had installed them, I might be suffering random reboots and even data loss.
Black-hat hackers who are working on malware that exploits the Spectre and Meltdown vulnerabilities are no doubt enjoying this mess, and I have no doubt that we’ll start seeing real-world examples of their handiwork before long.
The latest version of Chrome is 64.0.3282.119. The new version, released earlier this week, fixes fifty-three security issues, and includes additional mitigations for the Spectre/Meltdown vulnerabilities.
The full change log lists ten thousand changes in the new version. There might be some interesting stuff in there, but I’m going to assume that if there was anything worth pointing out, Google would have done that in the release announcement.
At least thirty-two security vulnerabilities are addressed in Firefox 58.0. The release notes for Firefox 58.0 provide additional details.
Note that Firefox 58.0 user profiles are not compatible with earlier versions of Firefox, so if you don’t like 58.0 and decide to downgrade, you’ll have to create a new profile.
Several Windows-specific issues were also addressed in Opera 50.0.2762.67. The change log for Opera 50 provides details.