Firefox 60

Mozilla is making things easier for IT folks with Firefox 60. A new policy engine allows Firefox to be deployed with custom configurations appropriate for business and education environments. This seems likely to increase Firefox’s presense on enterprise desktops.

The New Tab (aka Firefox Home) page gets a bit of an overhaul in Firefox 60, with a responsive layout that should work better with wide screens, saved Pocket pages in the Highlights section, and more reordering options.

The Cookies and Site Data section of Firefox’s Preferences page is now a lot easier to understand: the amount of disk space involved is shown, as are the implications of each option.

Twenty-six security vulnerabilities are fixed in Firefox 60.

Patch Tuesday for May 2018

Spring has sprung, and with it, a load of updates from Microsoft and Adobe.

This month from Microsoft: sixty-seven updates, fixing sixty-nine security vulnerabilities in Windows, Internet Explorer, Office, Edge, .NET, Flash, and various development tools. Seventeen of the vulnerabilities addressed are flagged as Critical and can lead to remote code execution.

The details are as usual buried in Microsoft’s Security Update Guide. You may find it easier to examine that information in spreadsheet form, which you can obtain by clicking little Download link partway down the page on the right. Just above that there’s a link to the release notes for this month’s updates, but don’t expect much useful information there.

Update 2018May11: If you were looking for something to motivate your patching endeavours, consider this: two of the vulnerabilities addressed in this month’s updates are being actively exploited on the web.

Adobe logoAs you might have guessed from Microsoft’s Flash updates, Adobe released a new version of Flash today. Flash 29.0.0.171 addresses a single critical vulnerability in previous versions. You can find release notes for Flash 29 on the Adobe web site.

You can get Flash from Windows Update if you run a Microsoft browser, via Chrome’s internal updater, or from the official Flash download page. If you use the Flash download page, make sure to disable any optional installs, as they are generally not useful.

Windows 10 April 2018 Update

Another big update for Windows 10 is scheduled to start rolling out to all Windows 10 computers on May 8. Microsoft is calling this one the Windows 10 April 2018 Update.

As with all Windows 10 updates, there’s no way to avoid it, and the only way to control when the update lands on your computer is to manually check for updates using Windows Update. Doing that any time after April 30 should show the April update and let you install it.

What’s new in the April 2018 update

Timeline is a new feature that allows you to see what you were doing on your computer on a specific date.

Nearby Sharing provides a new mechanism for quickly and easily sharing documents with nearby users. It uses Bluetooth and WiFi, depending on what’s available.

Focus Assist allows for easier control over Windows features that are potentially distracting, such as sounds, visual notifications and other alerts.

Improvements to Edge include several we’ve seen in other browsers for a while: tab audio muting, form autofill, clutter-free printing, full-screen reading mode, grammar tools, colour/theme improvements, and better compatibility with mobile platforms.

Windows Ink gets a few enhancements with this update, as do Windows Mixed Reality, Windows Hello, Microsoft Photos, Mixed Reality Viewer, Paint 3D, Cortana, Dictation, My People, and the Game Bar.

The once-discarded, then revived Start menu sees some improvement in the way pinning works.

HDR video support in Windows HD Color is expanded, as is support for the Touch Keyboard and Handwriting.

The April 2018 update also includes changes to:

  • Windows accessibility features
  • Windows Store
  • Security

Update 2018May07: Microsoft continues to have quality issues with Windows 10 updates. The April 2018 Update was postponed earlier in April when a serious Blue Screen of Death (BSoD) problem was discovered. Now, Google Chrome users are reporting problems using the browser after installing the Windows 10 April 2018 update. Microsoft is working on a fix that should become available with other Patch Tuesday updates on May 8.

Chrome 66.0.3359.139

Say what you will about Google, they do a great job of fixing security issues in their flagship browser software, Chrome.

Google recently released Chrome 66.0.3359.139, which includes fixes for three security vulnerabilities. The complete list of changes can be found in the change log.

As usual, Google says the new version “will roll out over the coming days/weeks”. Unless you’ve disabled all of Google’s automatic updating mechanisms, Chrome will update itself, but it’s difficult to predict exactly when that will happen. However, you can usually trigger an update by running Chrome, clicking its menu button (the three dot icon at the top right), and selecting Help > About Google Chrome.

Latest Google rug-pulling is a victory for censorship

Normally when Google cancels a service, it’s annoying and baffling, but we grumble and find an alternative. Google’s latest rug-pull is much worse: it effectively hands a massive win to those who wish to prevent access to things they don’t like.

Until the feature was disabled recently by Google, it was possible to use Google’s App Engine to make web sites and other online resources available to users who would normally be blocked due to state- and corporate-sponsored censorship. The method used was referred to as domain fronting.

Google says they never meant for domain fronting to be possible with App Engine, but they also allowed it to happen for years, without any indication that it was a problem or would be stopped. So people started to rely on the service to get around censorship.

There’s a lot of hate directed towards Google these days, and a lot of it is misguided. From my perspective, enticing users with new services, only to kill those services once they are widely used, is their most infuriating habit.

Java 8 Update 171 (8u171)

The only major browser that still officially supports Java is Internet Explorer, although there are workarounds for some of the other browsers. For example, you can switch to Firefox ESR (Extended Support Release), but even that support is likely to disappear before long. Google Chrome, and other browsers that use the same engine, can only be made to show Java content by installing an extension that runs Internet Explorer in a tab.

Java’s impact on security is diminishing, but it’s still being used on older systems where upgrading to newer O/S versions is not possible. There are still a lot of Windows XP systems out there, and most of them are either running older versions of Internet Explorer or Firefox ESR.

If you’re still using Java, you should install the latest version, Java 8 Update 171 (8u171), as soon as possible. The easiest way to check which version you’re running and install any available updates is to visit Oracle’s ‘Verify Java’ page. You’ll need to do that with a Java-enabled browser. Another option is to visit the third-party Java Tester site. Again, this site won’t work unless Java is enabled.

Java 8 Update 171 includes fixes for fourteen security vulnerabilities. Other changes are documented in the Java 8 release notes and the Java 8u171 bug fixes page.

Chrome 66.0.3359.117 released

The latest version of Google Chrome includes sixty-two security fixes, and a limited trial of a new feature called Site Isolation that should help to reduce the risk from Spectre-related vulnerabilities.

The change log for Chrome 66.0.3359.117 is another whopper, listing over ten thousand changes in total.

Check your version of Chrome by clicking the three-vertical-dots menu button at the top right, and selecting Help > About Google Chrome. Doing that will usually trigger an update if one is pending.

Patch Tuesday for April 2018

Microsoft’s contribution to our monthly headache starts with a post on the TechNet MSRC blog: April 2018 security update release. This brief page consists of the same boilerplate we get every month, and provides no details at all. We’re informed that “information about this month’s security updates can be found in the Security Update Guide” but there isn’t even a link to the SUG.

Analysis of the SUG for this month’s Microsoft updates shows that there are sixty updates, addressing sixty-eight vulnerabilities in Flash, Excel, Word, and other Office components, Internet Explorer, Edge, Windows, and Defender. Twenty-three of the vulnerabilities are flagged as Critical.

If your Windows computer is not configured for automatic updates, you’ll need to use Windows Update in the Control Panel to install them.


Adobe’s offering for this month’s patching fun is a new version of Flash Player: 29.0.0.140 (APSB18-08). Six security vulnerabilities — three flagged as Critical — are fixed in the new version.

If you’re using a web browser with Flash enabled, you should install Flash 29.0.0.140 as soon as possible. The embedded Flash used in Internet Explorer 11 and Edge on newer versions of Windows will get the new version via Windows Update. Chrome’s embedded Flash will be updated via Chrome’s automatic update system. To update the desktop version of Flash, visit the About Flash page.

Opera 52 released

The latest version of Opera, which is still a useful alternative to Firefox and Chrome, sports an improved (and faster) ad blocker.

The new ad blocker now provides protection against cryptojacking, where a web site will attempt to use your browser (and your computer) for mining cryptocurrency.

With Opera 52, you can now select multiple tabs, and perform various operations on all of the selected tabs, including copying the related URLs to the clipboard with a single command.

The release notes and change log for Opera 52 provide additional details.

News for me, stuff that matters… to me. Windows, Linux, security, tools & miscellany.