Firefox 62.0: nine security updates

Despite the major version increment, Firefox 62.0 doesn’t really have any new features worth mentioning. However, it’s an important update, because it addresses at least nine security vulnerabilities that range from Low to Critical in severity.

One change in Firefox 62.0 is worth pointing out: the Description field for bookmarks has been removed. Any Description information you previously added to your bookmarks can still be exported from Firefox. From the release notes: “Users who have stored descriptions using the field may wish to export these descriptions as html or json files, as they will be removed in a future release.”

You can usually encourage Firefox to update itself by navigating its ‘hamburger’ menu to Help > About Firefox.

Chrome 69.0.3497.81: forty security fixes

The release announcement for Chrome 69.0.3497.81 says the new version “contains a number of fixes and improvements.” Google hasn’t bothered to highlight any of those, which means it’s up to us users to figure out what has changed by reading the change log. Oh well, sounds easy enough. Until you notice that the change log has 15890 entries. Yeesh.

Google does provide useful information about the forty security fixes in Chrome 69.0.3497.81. They range from Low to High in terms of Severity.

As with most Google desktop software, Chrome will silently update itself in the background when it gets around to it. It’s possible to disable Google’s automatic update software, but doing that can cause other problems, so it’s not recommended. If you want to encourage Chrome to update itself — not a bad idea considering the security fixes — you can point the browser to chrome://settings/help.

Update 2018Sep07: If you’re using Chrome 69.0.3497.81, you may have noticed something different in the address bar: some common subdomains — particularly www. — are no longer displayed. It looks like this change was not particularly well tested, and it’s causing problems for some users and sites. Here’s the associated bug report.

Patch Tuesday for August 2018

It’s update time again.

Analysis of Microsoft’s Security Update Guide shows that this month there are seventy updates for Windows, Office, Internet Explorer, .NET, Edge, Excel, Outlook, PowerPoint, and Visual Studio. A total of sixty security bugs are addressed, twenty of which are categorized as Critical.

Adobe, meanhwile, has released new versions of Flash and Acrobat Reader. Flash 30.0.0.154 includes fixes for five security issues, all of which are ranked as Important. Acrobat Reader 2018.011.20058 addresses two Critical security vulnerabilities.

Remember, folks: although updating software is perhaps not the most exciting thing you’ll do today, it’s entirely worthwhile, as it limits the damage that can be done by any stray malware that may find itself on your computer… from that attachment you opened without thinking, or that web site you visited when you accidentally clicked that link.

Vivaldi 1.15.1147.64: security fixes

Vivaldi is based on the open source Chromium browser engine. When Chromium gets security updates, Vivaldi’s developers have to ‘backport’ those changes to Vivaldi, or leave Vivaldi users exposed to known security threats.

The Vivaldi developers do a good job of staying on top of this, and sometimes release a new version of Vivaldi in which the only changes are security fixes backported from Chromium. Vivaldi 1.15.1147.64 is the most recent example of this.

You can check your verison of Vivaldi by clicking the menu button at the top left of the browser, then selecting Help > About. If you’re not running the latest version, Vivaldi should offer to update itself.

Microsoft finally making Windows 10 updates less disruptive

One of Windows 10’s most frustrating features is the way it installs updates. Unless you’re using an enterprise version, updates are almost completely out of your control. You can’t prevent them from installing, and there’s very little you can do to control when they install, or when your computer restarts to complate installation.

While developing Windows 10, Microsoft somehow failed to understand that downloading, installing, and rebooting for updates automatically at potentially inconvenient times might be annoying to users.

The good news is that Microsoft is finally going to do something about this. What did it take to get Microsoft to look at the problem? A steady stream of customer complaints, starting immediately after Windows 10 was released.

The bad news is that you still won’t have any real control over when updates happen. Instead, Microsoft is planning to improve Windows 10’s ability to detect that a computer is in use before it automatically reboots. This is from the recent post Announcing Windows 10 Insider Preview Build 17723 and Build 18204:

“We trained a predictive model that can accurately predict when the right time to restart the device is. Meaning, that we will not only check if you are currently using your device before we restart, but we will also try to predict if you had just left the device to grab a cup of coffee and return shortly after.”

It’s too early to know how well this will work in practise, but at least it’s a (small) step in the right direction.

Chrome 68.0.3440.75: security fixes, address bar changes

The latest version of Chrome includes fixes for forty-two security vulnerabilities. It’s also the first version that will display Not Secure in the address bar for all non-encrypted web pages. When that indicator appears, traffic to and from the viewed page is not being encrypted.

Viewing a non-encrypted web page is not particularly risky, as long as no private information is being transmitted. That means user names, passwords, email addresses, credit card numbers, and so on. However, as discussed here previously, unencrypted sites open up a world of possibilities for intercepting and modifying web traffic.

The release announcement for Chrome 68.0.3440.75 provides additional details regarding the security issues addressed.

The simplest way to update Chrome is also the best way to determine which version you’re running: click the three-vertical-dots icon at the top right, then select Help > About Google Chrome. If your browser isn’t already up to date, this will usually trigger an update.

Java 8 Update 181

Oracle’s latest Critical Patch Update (CPU) Advisory — for July 2018 — as usual includes a section about Java.

A new version of Java (8 Update 181) addresses eight security vulnerabilities in earlier versions. The Release Highlights page for Java 8 provides additional details on changes in Update 181, most of which are likely only of interest to developers.

If you use Java, and in particular if you use a web browser that has Java enabled, you should install Java 8 Update 181 as soon as possible. Note that the only modern browser that still runs Java applications is Internet Explorer. The easiest way to update Java is to run the Java applet in the Windows Control Panel: on the Update tab, click the Update Now button.

A strong case for encrypting all web sites – even simple ones

Troy Hunt has put together a video that demonstrates various ways that traffic coming from an unencrypted web site can be dicked around with, for various nefarious purposes, using a technique called a Man In The Middle (MITM) attack.

You can usually tell if a web site is encrypted by looking at your web browser’s address bar. For example, URLs for this web site (boot13.com) should appear in the address bar with a lock, followed by https:// rather than the unencrypted http://. If you try to access any part of this site using http://, you’ll be redirected to the equivalent https:// address.

Although the video does get a bit technical, it’s worth watching all 24+ minutes. You should understand enough of it to see the danger.

Perhaps the most interesting of Troy’s observations is that encrypting a web site doesn’t really provide any direct benefit to the site’s owner. This is not about protecting your web site; it’s about protecting its visitors. In other words, encrypting your web site is an act of altruism.

After watching Troy’s video, I immediately started an evaluation of all my own web sites, as well as those of clients, to make sure that all traffic coming from them is encrypted. Most are already using HTTPS, but some don’t force the use of HTTPS.

Troy Hunt’s video

If you run a web site, you should realize by now that there’s no good reason to avoid turning on encryption. It’s also easier than ever, and — thanks to Let’s Encrypt — no longer has to cost anything. The HTTPS Is Easy video series is a good starting point if you’re not sure how to proceed.

Update 2018Aug08: Sadly, people in remote and underserved locations are having a lot of trouble accessing sites via HTTPS. While that certainly sucks for them, I’m confident that solutions to the specific technical issues involved will be found.

Patch Tuesday for July 2018

Adobe and Microsoft have issued their monthly updates for July, so even if you’d rather be doing anything else, you should be patching your computers.

We’ll start with Microsoft. As usual, this month’s Security Update Release bulletin serves as little more than a link to the Security Update Guide (SUG), Microsoft’s labyrinthine replacement for the individual bulletins we used to get.

In my experience, the SUG is much easier to digest in the form of a spreadsheet, so the first thing I do there is click the small Download link at the right edge of the page, to the right of the Security Updates heading. If you have Excel — or something compatible — installed, you should be able to open it directly.

Once the spreadsheet is loaded, I recommend enabling the Filter option. In Excel 2007, that setting is in the Sort & Filter section of the Data ribbon (toolbar). This makes every column heading a drop-down list, which allow you to select a particular product or platform, and hide everything else.

Analysis of this month’s updates from the SUG spreadsheet shows that there are sixty-two distinct updates, addressing fifty-three security vulnerabilities in Flash, Internet Explorer, SharePoint, Visual Studio, Edge, Office applications, .NET, and all supported versions of Windows. Seventeen of the updates are flagged as Critical.

As for Adobe, there are updates for Flash (version 30.0.0.134) and Acrobat Reader DC (version 2018.011.20055). The Flash update fixes two vulnerabilities, one of which is Critical. The Acrobat Reader DC update includes fixes for over one hundred security bugs.

How to spot phone call scams

Have you been getting a lot of scam phone calls lately? I sure have. On both the land line and my business cell phone. Some callers claim that I’m being sued by the government or that I’m under investigation. Others want me to think there’s something wrong with my computer and that they have the only fix.

I’m pretty good at spotting these scams, and for me, they’re sometimes entertaining, but usually just annoying. For some people, especially elderly folks with little technical knowledge, these calls can be a horrible trap.

The latest edition of the SANS OUCH! Newsletter is all about phone scams: how to spot them, and what to do when you receive them.

News for me, stuff that matters… to me. Windows, Linux, security, tools & miscellany.