boot13
On October 9th, Microsoft released a new batch of updates for its software. My analysis of the Security Update Guide shows that there are forty distinct updates, addressing fifty security vulnerabilities in .NET, Internet Explorer, Edge, Office applications, and Windows. Twelve of the updates are flagged as Critical.
Latest Google rug-pull: Google+
Google will terminate Google+ for individuals in the near future. The service will continue to exist for organizations, which presumably includes what Google calls ‘brand accounts’. But for anyone who bought into Google’s hype about the social media service, this is a major disappointment.
Just ask Mike Elgan, one of the more prolific Google+ contributors. In two recent posts, Mike expresses his profound disappointment with Google’s tendency to create new services, coerce people into using them, and then kill those services. I know all about this, having been a victim of Google’s rug-pulling shenanigans myself.
The rationale for Google’s decision to kill Google+ is the discovery of a huge hole in one of its programming interfaces (APIs). Apparently any developer using this API had access to Google+ user data beyond what was supposedly allowed. Lucky for Google+ users, hardly anyone was using this API, just as hardly anyone was using Google+. Anyway, Google fixed the hole back in March but didn’t tell anyone about it.
Okay, Google. This one doesn’t hurt me very much, as my use of Google+ is limited to parroting posts from my blogs to associated brand accounts. I’ll keep the brand accounts around, but I won’t be expanding my use of them. Fool me once… actually, I’ve lost track of how many times this has happened.
Windows 10 October Update is deleting user files
As you may be aware, there’s no longer any practical way to avoid installing Windows 10 updates. Once Microsoft pushes them out, they’re going to end up on your computer whether you want them or not. But maybe you trust Microsoft to make changes to your computer while you sleep (for the record, I’m definitely not). On the other hand, when an update ends up causing problems, it makes these forced updates look downright irresponsible.
According to numerous reports, the recently-announced October Update for Windows 10 is causing user files to be silently deleted. Now, before you go into panic mode, keep in mind that the October Update is not yet being pushed out to all Windows 10 computers: the only way to install it is to manually check for available Windows Updates. For now, the only people affected are those eager types who like to install shiny new things before looking closely at them.
Microsoft is aware of the problem, and they are looking into it, although it’s not at all clear when it might be resolved. Hopefully Microsoft will either pull the update, or at least delay pushing it out to all Windows 10 computers.
If you’re worried about losing files, I strongly suggest backing up all your documents, images, music, video, and other data files. Which you really should be doing anyway. I back up all my data nightly to an external hard drive, using the freeware Cobian Backup.
Update 2018Oct07: Microsoft put a halt to the planned rollout of the October update. The update is still available via Windows Update, so don’t think seeing it listed there means the problem has been fixed. All it means is that the update won’t be pushed out until the issue has been resolved.
Update 2018Oct08: When you shift testing away from professionals and to your user base, quality will suffer. Things are going to slip through. That’s why formal software testing is so important, especially for operating systems and other critical software. Microsoft seems to have made an erroneous assumption: that if you have a (nearly) infinite number of monkeys people using your software, they will find (and reliably reproduce) every bug. In fact, the people doing this unpaid “testing” are mostly power users who are just hoping that their own specific needs will be better served by the latest version. They aren’t testing every scenario, just the same one they tested for the last version. Power users are also much less likely to make the kinds of obvious mistakes that regular folks make, which can lead to surprises even after an update is pushed out to the general public. This situation seems likely to get worse, sadly. The Verge weighs in.
Update 2018Oct16: On October 9, Microsoft made a new (fixed) version of the October update available to users subscribed to the Windows Insider program. Microsoft also seems to understand that the current user-focused testing process is less than ideal: the Windows Insider Feedback Hub now allows users to provide an indication of impact and severity when filing User Initiated Feedback.
Firefox 62.0.3: two critical security fixes
Yesterday, Mozilla released Firefox 62.0.3, which includes fixes for two critical security vulnerabilities in previous versions of the popular web browser.
The two vulnerabilities addressed in Firefox 62.0.3 are described in some detail on the associated security advisory page.
Depending on how your Firefox is configured, it may display a small update dialog, or it may simply update itself. To control what happens with new versions, navigate Firefox’s ‘hamburger’ menu (at the top right) to Options > General > Firefox Updates. While there, you can click the Check for updates button to trigger an update if one is available.
New Adobe Acrobat Reader fixes 80+ vulnerabilities
Security researchers from around the world apparently turned their attention to Adobe’s Acrobat and Acrobat Reader recently, and their efforts revealed a big pile of new vulnerabilities. Adobe responded yesterday, releasing new versions of its Acrobat-related products that address eighty-six of those vulnerabilities.
Although Acrobat and Reader exist in several different forms, the one most people actually use these days is Adobe Acrobat Reader DC (Continuous), and the latest version of that variant is 2019.008.20071.
If you use any paid version of Acrobat, or any of its free Reader variants, you should update it as soon as possible. This is particularly important if you open PDF files with uncertain provenance on the web or received in email. If you use Reader as a browser plug-in or extension, you should drop everything and update immediately.
Recent versions of Acrobat and Reader include an automatic update system, so your install may already be up to date. The easiest way to find out is to run it, then navigate its menu to Help > Check for Updates... If an update is available, you’ll be able to install it from there.
Firefox 62.0.2: one security fix
The latest Firefox includes fixes for a handful of bugs, including one security vulnerability: CVE-2018-12385 (Crash in TransportSecurityInfo due to cached data).
If your installation of Firefox is configured to update itself, it will probably get around to doing that in the next few days, if it hasn’t already. You can expedite the process by starting the browser and navigating to Help > About Firefox in its ‘hamburger’ menu at the top right of the browser window.
The release notes for Firefox 62.0.2 provide additional details.
Adobe Acrobat Reader DC 2018.011.20063
Adobe usually releases security updates for its software on Patch Tuesday, but they apparently decided that the seven vulnerabilities addressed in Acrobat Reader DC 2018.011.20063 shouldn’t be delayed.
The release annoucement for Adobe Reader 2018.011.20063 provides some details about the vulnerabilities. One of them, CVE-2018-12848, can lead to Arbitrary Code Execution, and is flagged as Critical.
It’s important to keep Acrobat Reader DC up to date, because it’s still being used to deliver malware, embedded in PDF documents. It’s especially important if you’ve enabled Reader in your web browser.
If you use Acrobat Reader DC, you can check whether it’s up to date by navigating its menu to Help > About Adobe Acrobat Reader DC. There’s also a Check for Updates function in the Help menu. On my Windows 8.1 computer, a Windows Task Scheduler task (added by Adobe) updated the software within a few hours of the new version’s release.
Chrome 69.0.3497.100: one security fix
Another new version of Chrome was released earlier this week: 69.0.3497.100. Although the change log lists twenty-eight total changes, none of them appear to be particularly interesting. Google highlights a single security fix in the release announcement.
You can check whether your install of Chrome is up to date by navigating its menu (click the three-vertical-dots button at the top right) to Help > About Google Chrome. If it’s not current, doing this will usually prompt Chrome to update itself.
Chrome 69.0.3497.92: two security fixes
The latest Chrome, released on September 11, fixes a pair of security vulnerabilities in the browser. The release announcement for Chrome 69.0.3497.92 does not mention any other changes. There’s a mercifully brief change log, and all the changes appear to be relatively minor.
If Google’s planned “roll out over the coming days/weeks” isn’t fast enough for you, click Chrome’s ‘three dots’ menu button, and select Help > About Google Chrome. If you’re not already up to date, this will usually prompt Chrome to update itself.
Patch Tuesday for September 2018
Analysis of Microsoft’s Security Update Guide shows that this month’s updates address sixty-two security vulnerabilities, ranging from Low to Critical in severity, in the usual suspects, namely Edge, .NET, Internet Explorer, Office, and Windows. There are forty-five updates in all.
If you’re looking for a new way to evaluate Microsoft’s monthly patch offerings, I recommend Microsoft Patch Tuesday by security firm Morpheus Labs. It’s a lot less oppressive — and easier to use — than Microsoft’s Security Update Guide.
Adobe’s providing us with a new version of Flash this month. Flash version 31.0.0.108 fixes a single security vulnerability. As usual, the Flash code embedded in Chrome and Microsoft browsers will update itself through Google’s automatic update process and Windows Update, respectively.
Happy patching!