It’s another Patch Day, and this month from Microsoft we’ve got thirty-two update bulletins and associated patches. Twenty-one of the bulletins are flagged as having Critical severity. One hundred and twenty-four security vulnerabilities are addressed, affecting Internet Explorer 9 and 11, Adobe Flash embedded in Microsoft browsers, Office applications, Edge (both the original version and the new version based on the Chromium engine), Sharepoint, Visual Studio, Windows 7, 8.1, and 10, and Windows Defender, the anti-malware program included with Windows 10.
You can find all the relevant details by perusing Microsoft’s Security Update Guide.
Although Microsoft produced Windows 7 updates this month, you won’t be able to obtain them through Windows Update unless you’ve subscribed to Microsoft’s Extended Security Updates (ESU) program. Still, you should check Windows Update because occasionally Microsoft makes new Windows 7 updates available to everyone.
Windows 8.1 is still getting updates, and that will continue until January 10, 2023. Windows Update is still the easiest way to check for and install updates for Windows 8.1.
As usual, Windows 10 computers will be force-fed these updates over the next few days. You can delay the inevitable for as much as a year for feature updates (changes other than bug fixes), or a month for bug fixes, but eventually they’ll be installed whether you want them or not. Which still seems crazy, given how many problems Windows 10 updates have caused.
With Windows 10, Microsoft shifted a lot of their testing to users, through the Windows Insider program. Anyone can join the Insider program, and what you get is early access to new versions of Windows 10.
In return, you are expected to provide feedback to Microsoft when you encounter problems, primarily via the Windows 10 Feedback Hub app. I’ve used the Feedback Hub, and Microsoft does indeed seem to look at — and act on — user feedback.
While I do appreciate having the option of contributing to the quality of Windows 10, it seems clear that relying on users for testing is woefully inadequate, and hardly a substitute for systematic, formal software testing. Each new set of Windows 10 updates, and especially new versions, seem to cause more problems than they solve.
Windows 10 version 2004, released on May 27, is no exception. Microsoft has identified at least ten separate problems with the new version, mostly related to device drivers. Users unlucky enough to have the affected devices are reporting application crashes and good old Blue Screens of Death (BSODs). In some cases the new version renders affected computers unusable.
At least updates can now be delayed. Earlier versions of Windows 10 forced new updates on all computers. Without the ability to to put off updates, these unwanted and problematic changes would cause worldwide carnage at least every Patch Tuesday.
Hey, Microsoft. Thanks for giving us the option to help out with Windows testing. But please go back to doing more formal testing. Nobody needs these headaches. We’ve got enough problems without you piling on.
Update 2020Jun02: Microsoft has put a ‘compatibility hold’ on the recent problematic updates. If Microsoft decides that your device may have problems with an update, it won’t get installed until the hold is released. Of course that doesn’t help people who installed those updates before they were held.
I just discovered an interesting and useful web site: Should I Block Ads?
Created by Michael Howell, it’s collection of information that can be helpful in deciding whether to install an ad blocker in your web browser. It also provides ad-blocker recommendations for various platforms and browsers.
Michael’s analysis addresses all of the concerns I’ve had with web-based advertising, and confirms my choice to install and use uBlock Origin in Firefox, my primary web browser.
If you’re considering installing an ad blocker in your web browser, keep in mind that there can be a bit of a learning curve, and that blocking ads can cause some web sites to stop working. Blocking web ads usually ends up being an ongoing process; don’t expect it to be a magic bullet.
We’re in the middle of a pandemic, but that’s no excuse to leave software unpatched. There’s certainly been no reduction in the rate at which vulnerabilities and exploits are being discovered.
This month’s contribution from Microsoft, as documented in the Security Update Guide, consists of thirty-eight updates, with corresponding bulletins, addressing one hundred and eleven vulnerabilities in .NET, Internet Explorer, Edge, Office, Visual Studio, and Windows. Eighteen of the updates are flagged as having Critical severity.
If you’re still using Windows 7, and you haven’t shelled out for Microsoft’s Extended Security Updates, you won’t find any of this month’s Windows 7 updates via Windows Update. You do have at least one other option: an organization called 0patch. These folks provide what they call ‘micropatches’ for known vulnerabilities in no-longer-officially-supported versions of Windows, including Windows 7 and Windows Server 2008. I haven’t tried these myself, but they seem legitimate. Well, presumably not in the view of Microsoft.
Windows 10 users will get the latest updates whether they’re wanted or not, although there are settings that allow you to delay them, for a while. That leaves Windows 8.1, for which Windows Update is still the appropriate tool.
Adobe once again tags along this month, with new versions of Reader and Acrobat. Most people use the free version of Reader, officially known as Acrobat Reader DC. The new version, 2020.009.20063, includes fixes for twenty-four security vulnerabilites in earlier versions.
Announced on May 5, Firefox 76 tightens up password management and related security in several ways:
- Lockwise, the password manager built into Firefox, now prompts for your Lockwise master password when you try to show or copy a password. If you’re not using a master password, Lockwise will prompt for your device’s password. Previously, Lockwise only prompted for the master password once, on Firefox startup.
- Firefox now checks all your saved passwords against records from known breaches. Any password known to have been revealed in any breach will show in your Logins & Passwords list with a special icon. A different icon is shown if the associated site was breached since you last changed your password for that site.
- Firefox can now generate secure, complex passwords for you.
Other changes in Firefox 76 include improvements to the Picture-In-Picture feature, and native support for more complex audio applications, including Zoom. There are also some minor cosmetic tweaks to the address bar and bookmarks bar.
There are eleven security fixes in Firefox 76 as well.
Default installations of Firefox keep themselves up to date, but you can hurry the process along by navigating its ‘hamburger’ menu to
The release of Firefox 76 was followed up quickly by Firefox 76.0.1, which fixes two bugs, neither of which are security-related.
At this point, most folks probably don’t need Java. Which is good, because it’s still a target for malicious hackers. If you don’t actually need Java, it’s a good idea to remove it completely from your computers.
You can check whether Java is installed by opening the Windows Control Panel and looking for a Java entry. On my Windows 8.1 computer, it looks like this: . If you can’t see a Java entry in the Control Panel, try changing
View by to
Small icons. If you still can’t see it, Java probably isn’t installed. To find the Control Panel on Windows 10, press the Windows key, then type ‘control’. You should see
Control Panel in the search results.
You can also double-check by opening
Programs and Features in the Control Panel. Search the Programs and Features list for ‘java’.
If you’re not sure whether you still need Java, uninstall it, then if something stops working, you can always reinstall it.
If you do need to keep Java around, to run old Java applications and games, access ancient Java-enabled web sites, or use work-related resources you have no control over, it’s best to keep it up to date.
The Java Control Panel will let you see the currently installed version, and provides a link to download and install the newest version.
Java 8 Update 251 includes fixes for fifteen security vulnerabilities in earlier versions.
As if there wasn’t enough going on, it’s already time to patch your Windows computers again.
Of course at this point, given that Windows 7 is effectively no longer getting patches, and Windows 10 updates itself whether you want it to or not, we’re really just talking about Windows 8.1. Market share for Windows 8.x was never high, and it’s now below 5% overall. Oh well.
Somewhat confusingly, Microsoft continues to produce patches for Windows 7, and documents them along with all the others in the Security Update Guide. But if you look at the requirements for these Windows 7 updates, you’ll see that they can’t be installed unless you’ve already paid for and installed the Extended Security Updates (ESU) Licensing Preparation Package. Which most regular folks can’t afford.
This month we don’t have any interesting updates from Adobe, but there’s the usual pile from Microsoft. Analysis of the Security Update Guide reveals that a total of one hundred and fourteen security vulnerabilities are addressed in this month’s patches. The usual lineup of software products are affected, including Windows, Internet Explorer 9 and 11, Edge, Office, and Windows Defender. There are thirty-eight security bulletins in all, nineteen of which are flagged as Critical.
By now I’m sure you know the drill: find Windows Update in the Control Panel and check for updates. Whether you cross your fingers or not is entirely up to you. Windows 10 users need to keep their fingers crossed at all times I guess.
Update 2020Apr15: April’s Microsoft updates include fixes for those actively-exploited Adobe Type Library vulnerabilities recently reported.
A new version of Chrome addresses thirty-two security issues in previous versions.
Details of the vulnerabilities fixed in Chrome 81.0.4044.92 are sketchy, which is normal for newly-discovered and mostly unpatched security bugs. Google has published vulnerability identifiers (CVE numbers), along with links to Google’s internal bug tracking system, and credited the researchers who discovered them.
The links are mostly non-functional, and will remain so until Google decides that it’s safe to publish the vulnerability details. Even the CVE numbers aren’t that helpful: if you search the CVE list at Mitre.org for one of these recent vulnerabilities, you’ll see a placeholder page with no details — for now.
In a perfect world, it would be easy to discover exactly what a software update would change, before it’s installed. Sadly, opportunistic assholes have made this impractical and even dangerous for security-related updates. So, regardless of how one feels about the developer, at some level we have no choice but to trust them with security updates.
Chrome’s ‘three vertical dots’ menu is the place to start if you want to check which version you’re running and install an update. Drill down to
About Google Chrome. If an update is available, it will be installed automatically, after which you’ll see a
April 7’s announcement of Firefox 75.0 came just a few days after the release of Firefox 74.0.1, a special version that addresses two critical security vulnerabilities.
Firefox 75.0 features a reworked address bar, and includes fixes for another six security bugs.
The new address bar functionality may trip up some users initially, but it does appear to be an overall improvement. The changes are as follows:
- Searching using the address bar on smaller screens is now optimized, and should be less confusing.
- Clicking the empty address bar, or clicking on an address in the address bar, will now show a list of ‘top sites’. These are the sites you visit most often.
- The address bar is now slightly larger, and expands slightly when clicked. The font is also larger, and suggested URLs are shortened to provide more useful context.
- When entering search terms, Firefox will now suggest additional terms it thinks may be relevant.
- If you start entering a URL that is already open in another tab, Firefox will show a ‘Switch to Tab’ entry in the suggestions.
Depending on your configuration, Firefox will typically update itself in the days following a new release. If you prefer to do this yourself, or you’re not sure which version you have, navigate Firefox’s ‘hamburger’ menu (at the top right) to
About Firefox. If a newver version is available, you’ll be given the opportunity to install it.
Two Chrome releases this week address at least eight security vulnerabilities and other bugs.
The release notes for Chrome 80.0.3987.162 provide details for some of the security vulnerabilities. A usual, Google holds off publishing vulnerability details until most installs have been updated.
Chrome 80.0.3987.163 appears to roll back a bug fix that was addressed in an earlier version.
You can trust Google to update your installation of Chrome, or do it youself, by navigating its three-vertical-dots menu to
About Google Chrome. This will trigger a check for updates, and if a newer version is available, you should see an Update button or link.