Category Archives: Security

aka infosec

Patch Tuesday for October 2020

It’s time for another round of updates for your Windows computers. Earlier today Microsoft published fifty-eight bulletins, with associated updates, addressing eighty vulnerabilities in Flash, .NET, Office (2010, 2013, 2016, and 2019), SharePoint, Visual Studio, and Windows (7, 8.1, 10, and Server). Ten of the vulnerabilities are flagged as having Critical severity.

Get the full details directly from the source: Microsoft’s Security Update Guide.

Interestingly, there are no updates for any version of Internet Explorer this time around. I don’t think that’s ever happened before.

What you need to do

Windows 10

Unless you’re running one of the more recent major releases of Windows 10, and you’ve configured it to delay updates, you’re going to get the new updates within the next day or so.

If your version of Windows 10 has settings that allow you to delay updates, I strongly recommend that you use them. Given Microsoft’s recent track record with updates, which includes rushing out fixes for a sadly long series of problematic updates, it seems like the smart choice.

Windows 8.1

It’s been a while since Microsoft broke Windows 8.1 with a bad update, but if you’re at all wary about these things (as am I), you should make sure Windows Update is not configured to install updates automatically, then wait a few days before installing them manually with Windows Update.

The more adventurous among you may choose to install the new updates right away via Windows Update, or even (shudder) configure Windows Update to do it all automatically.

Windows 7

If the organization you work for has paid for extended updates, your Windows 7 computer will get any applicable updates, but your IT folks probably do that for you anyway.

The rest of the world’s Windows 7 users can only wonder how much less secure their computers are without the new updates.

Patch Tuesday for September 2020

This month’s pile from Microsoft includes fixes for vulnerabilities in Internet Explorer (9 and 11), both variants of Edge (Chromium and EdgeHTML), Office (2010, 2013, 2016, and 2019), SharePoint, Visual Studio, Windows (7, 8.1, and 10), and Windows Server (2008, 2012, 2016, 2019).

There are fifty-three security bulletins in all, and fifty-three associated updates. The updates include fixes for one hundred and twenty vulnerabilities, twenty-one of which have been flagged as having critical severity. All of the critical vulnerabilities involve potential remote code execution.

As usual, the details are available in Microsoft’s Security Update Guide.

You can still get the Windows 7 updates legitimately, but only if you subscribe to Microsoft’s rather expensive Extended Security Updates program.

Windows 10 systems will update themselves automatically, although with newer versions, you have some control over when that happens. With Windows 10, most updates are going to get installed at some point. Delaying them can allow you to avoid updates that cause problems, since Microsoft usually issues fixes for the updates shortly after problems are discovered, but doing that potentially leaves your computer vulnerable in the interim. It’s your call. Adjust the update settings by going to Settings > Update & Security > Advanced options.

For Windows 8.1 users, it’s all about Windows Update. If you’ve configured it to install updates automatically, you’re basically in the same boat as Windows 10 users. Otherwise, locate Windows Update in the Control Panel, and click the Check for updates button.

Canada Revenue Agency hacked; shuts down online services

Canadians: if you’ve tried to access your CRA accounts recently, you probably noticed that you can no longer log in. That’s because normal access has been disabled while the CRA works to undo the damage caused by two recent attacks on their services.

The CRA systems were penetrated by persons unknown over the past two weeks. According to the CRA, the breaches have been contained, but the My Account, My Business Account and Represent a Client services have been disabled as a precaution.

Several thousand user accounts have been compromised. Starting in early August, unusual and unauthorized access to accounts was noticed by the account holders and reported to the CRA. In some cases, email, banking, and other account details were changed by the attackers. Fraudulent CERB payments were also issued.

Access to the compromised accounts was apparently gained via ‘credential stuffing’, which is based on the sadly-still-true fact that many people continue to use the same passwords on multiple systems. To be clear: if nobody ever did that, this type of attack would never be successful.

“Of the roughly 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were acquired fraudulently and used to try and access government services, a third of which accessed such services and are being further examined for suspicious activity,” according to a statement from the CRA.

The CRA is in the process of alerting people whose accounts were compromised.
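From the defending side, credential stuffing tends to show up in login logs as one source trying many different usernames in a short period, with most attempts failing and a few succeeding. The sketch below is an added example, not code from the CRA or from the original post; the event format, addresses, usernames and thresholds are all constructed assumptions.

```python
from collections import defaultdict

def make_sample_events():
    """Constructed login events: (unix_seconds, source_ip, username, success)."""
    events = []
    # One source tries 30 different accounts once each; 1 in 10 gets in.
    for i in range(30):
        events.append((1000 + i * 2, "203.0.113.7", f"user{i:03d}", i % 10 == 0))
    # An ordinary user mistypes a password twice, then logs in.
    events += [(1005, "198.51.100.20", "alice", False),
               (1012, "198.51.100.20", "alice", False),
               (1020, "198.51.100.20", "alice", True)]
    # A shared office address: several users, all successful.
    for i, name in enumerate(["bob", "carol", "dave", "erin", "frank"]):
        events.append((1030 + i, "192.0.2.50", name, True))
    return events

def find_stuffing_sources(events, window_s=300, min_users=20,
                          max_success_ratio=0.5):
    """Flag sources that try many distinct usernames inside one sliding
    time window while most of those attempts fail (assumed thresholds)."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the window until it spans at most window_s seconds.
            while rows[end][0] - rows[start][0] > window_s:
                start += 1
            window = rows[start:end + 1]
            users = {u for _, u, _ in window}
            hits = sorted({u for _, u, ok in window if ok})
            ratio = sum(1 for _, _, ok in window if ok) / len(window)
            if len(users) >= min_users and ratio <= max_success_ratio:
                # Successful logins from a flagged source are the accounts
                # to lock and review; keep the widest matching window.
                flagged[ip] = {"distinct_users": len(users),
                               "attempts": len(window),
                               "accounts_to_review": hits}
    return flagged

if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(make_sample_events()).items():
        print(ip, stats)
```

The repeated-typo user and the shared office address are not flagged, because neither combines a large number of distinct usernames with a low success ratio.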

Adobe Reader security fixes

Earlier this week Adobe released new versions of its Acrobat/Reader product line, to fix a series of security vulnerabilities in earlier versions.

There are at least eight variants of Adobe Acrobat and its free counterpart, Reader, which can be confusing. Mitigating this potential confusion is the fact that the huge majority of people who have one of these products installed are using the free Acrobat Reader DC.

The release notes associated with this set of updates reveal that the new versions address at least twenty-six security vulnerabilities in earlier versions. Many of the vulnerabilities are flagged as Critical. The updated version of Acrobat Reader DC is 2020.012.20041.

With default settings, recent versions of Reader will update themselves, on a schedule determined by Adobe, within a few days of a new version’s release. Although it’s possible to override this default behaviour, doing so requires installation of an additional tool or editing the Windows registry directly.

If you’d like to check the version of Reader you’re using, navigate Reader’s menu to Help > About Adobe Acrobat Reader DC. To check for updates and install the latest version, go to Help > Check For Updates...

Patch Tuesday for August 2020

If you run Windows 10 and are curious about the updates Microsoft will be jamming down your throat in the next few days; if you run Windows 7 and want to know what you’re missing out on by not being rich enough to afford Microsoft’s Extended Security Updates program; or if you’re running Windows 8.1 and want to know a bit more about the updates you’re about to install, read on.

Analysis of Microsoft’s comprehensive — yet still oddly difficult to navigate — Security Update Guide for this month reveals that there are sixty-five distinct updates and associated bulletins. Actually, since Microsoft is now calling these things ‘articles’, I’ll do the same. So there are sixty-five articles with associated updates, many of which are packaged into bundles: one with all the month’s updates, and one with only security-related updates.

The updates address a total of one hundred and twenty vulnerabilities in the usual lineup of Microsoft software: Windows (10, 8.1, and 7), Office (2010, 2013, 2016, and 2019), Internet Explorer 9 and 11, Edge (the one built on Chromium), .NET, SharePoint, and Visual Studio.

As is usual these days, Windows 10 updates are installed at Microsoft’s whim, Windows 7 updates are out of reach for most folks, and Windows 8.1 updates are installed via Windows Update in the Control Panel.

Thunderbird 78.0

Earlier this month, Mozilla released a new version of its free — and still excellent — email client: Thunderbird 78.0.

Notable changes in Thunderbird 78.0

A total of fourteen security vulnerabilities are addressed in Thunderbird 78.0. That means it’s a good idea to install the new version as soon as possible; email clients are a popular attack vector for malware.

  • The compose window has been reworked subtly, to improve usability.
  • The recipient address fields (To, Cc, and Bcc) have been changed so that addresses are parsed into ‘pills’, and take less space.
  • The account setup screens have been changed to make them easier to understand.
  • The mail folder icons have been updated and can now be assigned custom colours.
  • On Windows, Thunderbird can now be minimized to the tray (aka the notification area) at the end of the task bar.
  • There’s now a global search box on the main window’s title bar. The display of global search results has been improved.

The release notes and What’s New page for Thunderbird 78.0 describe all the changes in the new version.

Getting Thunderbird 78.0

The new version is not yet available through the built-in updater, but it can be freely downloaded and installed from its main download page. If you’re already using Thunderbird and want to upgrade to 78.0, you can install it from the main download page and it will update your current version, leaving all your settings intact.

Mozilla released Thunderbird 78.0.1 a few days after 78.0. The new version addresses a few problems introduced by 78.0. That’s the version you’ll get if you go to the main Thunderbird download page.

Java 8 Update 261

Oracle recently released its Critical Patch Update Advisory for July 2020. The advisory includes a list of vulnerabilities in Java 8 Update 251 and earlier versions. The fix is to install the latest version, Java 8 Update 261.

There are eleven Java vulnerabilities listed in the advisory, all of which may be remotely exploitable without authentication (exploited over a network without requiring user credentials).

This is a good time to check whether your Windows computers have Java installed, and either update it, or remove it completely if it’s no longer required.

If you’re not sure whether you need Java, you might as well remove it. If you subsequently encounter an application or web site that doesn’t run properly without Java, it’s easy enough to simply reinstall Java from the main Java download page.

The simplest way to check whether Java is installed is to open up the Windows Control Panel and look for a Java (or Java 32-bit) entry. If you see one, open that and navigate to the About tab.

To update Java, you can use the Update tab of the Java Control Panel applet, or just head to the main Java download page.

Patch Tuesday for July 2020

Another month, another load of patches from Microsoft.

This month we have seventy-one bulletins and corresponding updates. One hundred and twenty-six vulnerabilities are addressed in all, affecting .NET, Internet Explorer 9 and 11, Edge, Office, SharePoint, Visual Studio, OneDrive, Skype, Windows, and Windows Defender. Nineteen of the vulnerabilities are flagged as having Critical severity.

As usual, you can find all the details in Microsoft’s Security Update Guide.

Those of you running Windows 10 know the drill: depending on which version of Windows 10 you’re running, you can delay installation of updates for a while, but not indefinitely. On Windows 8.1 computers, Windows Update is still the best way to install updates. Windows 7 users don’t have an official way to obtain updates for that O/S, despite the fact that Microsoft continues to develop them.

Update 2020Jul17: Again with this crap, Microsoft? One of the updates from this batch caused Outlook 2016 to crash on starting for users worldwide. This affected one of my clients, and affected critical business operations. A fix posted by someone other than Microsoft allowed Outlook to run, but killed the ability to print. Linux never looked so good.

You will now use Microsoft Edge!

On a related note, you may have noticed that Microsoft is pushing its new Chromium-based Edge browser to all Windows computers. This is happening not only on Windows 10 computers, but also those running Windows 8.1 and even 7. The new Edge cannot be removed in the usual way once it’s installed. This is causing consternation for many users, as Edge seems to take over once installed, forcing the user to make certain choices before the desktop can even be accessed. Isn’t this the kind of behaviour that got Microsoft in trouble in the 1990s?

The Verge has additional details. In case you were thinking about switching to Edge, you should be aware that a recent study by Yandex ranked Edge last in terms of privacy.

Firefox 78

Mozilla released Firefox 78.0 on June 30th, and followed up with Firefox 78.0.1 the next day, to fix a specific issue which “could cause installed search engines to not be visible when upgrading from a previous release.”

Changes in Firefox 78

The new Protections Dashboard, accessible from the Firefox menu or by browsing to about:protections, provides a summary of various protections provided by the browser. If Enhanced Tracking Protection is enabled, you’ll see the number of times Firefox has blocked social media trackers, cross-site tracking cookies, fingerprinters, and crypto-miners. If you’re using Firefox’s password manager, Lockwise, and you’ve signed up for breach alerts, those alerts will be shown here, along with references to exposed passwords.

The Firefox uninstaller will now offer an alternative to uninstalling Firefox when it’s not working properly: a Refresh button. “Refreshing Firefox can fix many issues by restoring Firefox to its default state, while saving your essential information like bookmarks, and passwords.”

The new version also includes improvements to video calls and videoconferencing, as well as graphics performance.

Firefox 78 addresses thirteen security vulnerabilities in earlier versions.

Firefox updates itself automatically by default. If you’ve disabled that option, or just want to get the new version right away, navigate the browser’s ‘hamburger’ menu at the top right to Help > About Firefox. You’ll see an update button if a newer version is available.

Adobe Flash 32.0.0.387

A new version of Flash was released by Adobe earlier this week.

Flash 32.0.0.387 fixes a single security vulnerability in earlier versions.

If you use Flash, and in particular if you use a web browser with Flash enabled, you should make sure you’re running the latest version.

The easiest way to determine whether you’re running Flash is to visit the Flash Player Help page on the Adobe web site. Click the Check Now button to see the version your browser is running. Further down the page, there’s a small Flash demo that you can use to verify that Flash is installed and running in your browser. Your browser may also block Flash or prompt you to allow Flash to run.

Also on that page there’s a link to Download the latest version of Flash Player.

Adobe will stop supporting and updating Flash after December 31, 2020. At that point we’ll be recommending that everyone completely disable and/or remove Flash from all their computers, unless there’s some specific reason it’s still needed. And the world will be a much better place.