Category Archives: Security

aka infosec

Edge, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for June 2020

Leave a comment

It’s another Patch Day, and this month from Microsoft we’ve got thirty-two update bulletins and associated patches. Twenty-one of the bulletins are flagged as having Critical severity. One hundred and twenty-four security vulnerabilities are addressed, affecting Internet Explorer 9 and 11, Adobe Flash embedded in Microsoft browsers, Office applications, Edge (both the original version and the new version based on the Chromium engine), Sharepoint, Visual Studio, Windows 7, 8.1, and 10, and Windows Defender, the anti-malware program included with Windows 10.

You can find all the relevant details by perusing Microsoft’s Security Update Guide.

Although Microsoft produced Windows 7 updates this month, you won’t be able to obtain them through Windows Update unless you’ve subscribed to Microsoft’s Extended Security Updates (ESU) program. Still, you should check Windows Update because occasionally Microsoft makes new Windows 7 updates available to everyone.

Windows 8.1 is still getting updates, and that will continue until January 10, 2023. Windows Update is still the easiest way to check for and install updates for Windows 8.1.

As usual, Windows 10 computers will be force-fed these updates over the next few days. You can delay the inevitable for as much as a year for feature updates (changes other than bug fixes), or a month for bug fixes, but eventually they’ll be installed whether you want them or not. Which still seems crazy, given how many problems Windows 10 updates have caused.

Adobe, Edge, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for May 2020

Leave a comment

We’re in the middle of a pandemic, but that’s no excuse to leave software unpatched. There’s certainly been no reduction in the rate at which vulnerabilities and exploits are being discovered.

This month’s contribution from Microsoft, as documented in the Security Update Guide, consists of thirty-eight updates, with corresponding bulletins, addressing one hundred and eleven vulnerabilities in .NET, Internet Explorer, Edge, Office, Visual Studio, and Windows. Eighteen of the updates are flagged as having Critical severity.

If you’re still using Windows 7, and you haven’t shelled out for Microsoft’s Extended Security Updates, you won’t find any of this month’s Windows 7 updates via Windows Update. You do have at least one other option: an organization called 0patch. These folks provide what they call ‘micropatches’ for known vulnerabilities in no-longer-officially-supported versions of Windows, including Windows 7 and Windows Server 2008. I haven’t tried these myself, but they seem legitimate. Well, presumably not in the view of Microsoft.

Windows 10 users will get the latest updates whether they’re wanted or not, although there are settings that allow you to delay them, for a while. That leaves Windows 8.1, for which Windows Update is still the appropriate tool.

Adobe logoAdobe once again tags along this month, with new versions of Reader and Acrobat. Most people use the free version of Reader, officially known as Acrobat Reader DC. The new version, 2020.009.20063, includes fixes for twenty-four security vulnerabilites in earlier versions.

Firefox, Mozilla, Patches and updates, Security

Firefox 76 and 76.0.1

Leave a comment

Announced on May 5, Firefox 76 tightens up password management and related security in several ways:

  • Lockwise, the password manager built into Firefox, now prompts for your Lockwise master password when you try to show or copy a password. If you’re not using a master password, Lockwise will prompt for your device’s password. Previously, Lockwise only prompted for the master password once, on Firefox startup.
  • Firefox now checks all your saved passwords against records from known breaches. Any password known to have been revealed in any breach will show in your Logins & Passwords list with a special icon. A different icon is shown if the associated site was breached since you last changed your password for that site.
  • Firefox can now generate secure, complex passwords for you.

Other changes in Firefox 76 include improvements to the Picture-In-Picture feature, and native support for more complex audio applications, including Zoom. There are also some minor cosmetic tweaks to the address bar and bookmarks bar.

There are eleven security fixes in Firefox 76 as well.

Default installations of Firefox keep themselves up to date, but you can hurry the process along by navigating its ‘hamburger’ menu to Help > About Firefox.

Firefox 76.0.1

The release of Firefox 76 was followed up quickly by Firefox 76.0.1, which fixes two bugs, neither of which are security-related.

Java, Patches and updates, Security

Java 8 Update 251

Leave a comment

At this point, most folks probably don’t need Java. Which is good, because it’s still a target for malicious hackers. If you don’t actually need Java, it’s a good idea to remove it completely from your computers.

You can check whether Java is installed by opening the Windows Control Panel and looking for a Java entry. On my Windows 8.1 computer, it looks like this: . If you can’t see a Java entry in the Control Panel, try changing View by to Small icons. If you still can’t see it, Java probably isn’t installed. To find the Control Panel on Windows 10, press the Windows key, then type ‘control’. You should see Control Panel in the search results.

You can also double-check by opening Programs and Features in the Control Panel. Search the Programs and Features list for ‘java’.

If you’re not sure whether you still need Java, uninstall it, then if something stops working, you can always reinstall it.

If you do need to keep Java around, to run old Java applications and games, access ancient Java-enabled web sites, or use work-related resources you have no control over, it’s best to keep it up to date.

The Java Control Panel will let you see the currently installed version, and provides a link to download and install the newest version.

Java 8 Update 251 includes fixes for fifteen security vulnerabilities in earlier versions.

Edge, Microsoft, Patches and updates, Security, Windows, Windows 8.x

Patch Tuesday for April 2020

Leave a comment

As if there wasn’t enough going on, it’s already time to patch your Windows computers again.

Of course at this point, given that Windows 7 is effectively no longer getting patches, and Windows 10 updates itself whether you want it to or not, we’re really just talking about Windows 8.1. Market share for Windows 8.x was never high, and it’s now below 5% overall. Oh well.

Somewhat confusingly, Microsoft continues to produce patches for Windows 7, and documents them along with all the others in the Security Update Guide. But if you look at the requirements for these Windows 7 updates, you’ll see that they can’t be installed unless you’ve already paid for and installed the Extended Security Updates (ESU) Licensing Preparation Package. Which most regular folks can’t afford.

This month we don’t have any interesting updates from Adobe, but there’s the usual pile from Microsoft. Analysis of the Security Update Guide reveals that a total of one hundred and fourteen security vulnerabilities are addressed in this month’s patches. The usual lineup of software products are affected, including Windows, Internet Explorer 9 and 11, Edge, Office, and Windows Defender. There are thirty-eight security bulletins in all, nineteen of which are flagged as Critical.

By now I’m sure you know the drill: find Windows Update in the Control Panel and check for updates. Whether you cross your fingers or not is entirely up to you. Windows 10 users need to keep their fingers crossed at all times I guess.

Update 2020Apr15: April’s Microsoft updates include fixes for those actively-exploited Adobe Type Library vulnerabilities recently reported.

Chrome, Google, Patches and updates, Security

Chrome 81.0.4044.92

Leave a comment

A new version of Chrome addresses thirty-two security issues in previous versions.

Details of the vulnerabilities fixed in Chrome 81.0.4044.92 are sketchy, which is normal for newly-discovered and mostly unpatched security bugs. Google has published vulnerability identifiers (CVE numbers), along with links to Google’s internal bug tracking system, and credited the researchers who discovered them.

The links are mostly non-functional, and will remain so until Google decides that it’s safe to publish the vulnerability details. Even the CVE numbers aren’t that helpful: if you search the CVE list at Mitre.org for one of these recent vulnerabilities, you’ll see a placeholder page with no details — for now.

In a perfect world, it would be easy to discover exactly what a software update would change, before it’s installed. Sadly, opportunistic assholes have made this impractical and even dangerous for security-related updates. So, regardless of how one feels about the developer, at some level we have no choice but to trust them with security updates.

Chrome’s ‘three vertical dots’ menu is the place to start if you want to check which version you’re running and install an update. Drill down to Help > About Google Chrome. If an update is available, it will be installed automatically, after which you’ll see a Relaunch button.

Firefox, Mozilla, Patches and updates, Security

Firefox 75.0

Leave a comment

April 7’s announcement of Firefox 75.0 came just a few days after the release of Firefox 74.0.1, a special version that addresses two critical security vulnerabilities.

Firefox 75.0 features a reworked address bar, and includes fixes for another six security bugs.

The new address bar functionality may trip up some users initially, but it does appear to be an overall improvement. The changes are as follows:

  • Searching using the address bar on smaller screens is now optimized, and should be less confusing.
  • Clicking the empty address bar, or clicking on an address in the address bar, will now show a list of ‘top sites’. These are the sites you visit most often.
  • The address bar is now slightly larger, and expands slightly when clicked. The font is also larger, and suggested URLs are shortened to provide more useful context.
  • When entering search terms, Firefox will now suggest additional terms it thinks may be relevant.
  • If you start entering a URL that is already open in another tab, Firefox will show a ‘Switch to Tab’ entry in the suggestions.

Depending on your configuration, Firefox will typically update itself in the days following a new release. If you prefer to do this yourself, or you’re not sure which version you have, navigate Firefox’s ‘hamburger’ menu (at the top right) to Help > About Firefox. If a newver version is available, you’ll be given the opportunity to install it.

Chrome, Google, Patches and updates, Security

Chrome 80.0.3987.162 and 80.0.3987.163

Leave a comment

Two Chrome releases this week address at least eight security vulnerabilities and other bugs.

The release notes for Chrome 80.0.3987.162 provide details for some of the security vulnerabilities. A usual, Google holds off publishing vulnerability details until most installs have been updated.

Chrome 80.0.3987.163 appears to roll back a bug fix that was addressed in an earlier version.

You can trust Google to update your installation of Chrome, or do it youself, by navigating its three-vertical-dots menu to Help > About Google Chrome. This will trigger a check for updates, and if a newer version is available, you should see an Update button or link.

Microsoft, Security, Windows 7

Unpatched Windows 7 vulnerability being used in targeted attacks

Leave a comment

A serious vulnerability in Adobe Type Manager Library, a Windows DLL file used by numerous software applications, is being actively exploited, but so far only in a very limited way.

The vulnerability technically could affect all versions of Windows, but security features in current releases of Windows 10 seem to provide sufficient protection.

So far the attacks only seem to be targeting Windows 7 computers. Given that Windows 7 is no longer supported by Microsoft, we might expect that this bug would remain unpatched forever. But Microsoft has shown that it is willing to provide certain post-support Windows 7 security updates to the general public.

In any case, if you run Windows 7, the advice for fending off attacks using this vulnerability are basically the same as always: exercise extreme caution when opening suspicious documents. Even simply previewing an infected document in the Windows Explorer preview pane can allow a Windows 7 computer to be exploited remotely.

So the old advice about disabling preview panes remains valid. Any software that shows a preview of the contents of a file or email is in effect opening that file or email, which can trigger an embedded exploit on vulnerable computers. I strongly recommend disabling all such functionality, so that files and emails are never opened unintentionally, and to see the contents of files and emails, you must explicitly open them.

The related security advisory published by Microsoft also includes some workarounds, but these involve making changes to Windows that are themselves risky.

Given the wording of Microsoft’s bulletin, it seems likely that the NSA discovered this vulnerability and developed the exploit, which they are now using in their investigations. If that’s the case, the NSA may — in the post-EternalBlue/WannaCry world — have decided to inform Microsoft for the good of all.

In other words, for now you’re safe unless you’re the target of an NSA investigation. But it won’t be long until exploits attacking this vulnerability are in the hands of malicious actors.

Chrome, Google, Patches and updates, Security

Chrome 80.0.3987.149

Leave a comment

Version 80.0.3987.149 of Google’s Chrome web browser is a security release. It includes fixes for at least thirteen security vulnerabilities.

Like most modern browsers, and many of Google’s software products, Chrome updates itself reliably, if somewhat unpredictably. This is arguably a good thing, as long as updates don’t break things and do improve security.

Regardless of your viewpoint on automatic updates, keeping your web browser up to date is critical if you use it to do any actual web browsing. Otherwise the risk of a drive-by malware infection is significantly higher.

To check the version of your Chrome browser, navigate its three-vertical-dots menu to Help > About Google Chrome. If there’s a newer version, you’ll see a button or link for installing it.