Chrome 68.0.3440.75: security fixes, address bar changes

The latest version of Chrome includes fixes for forty-two security vulnerabilities. It’s also the first version that will display Not Secure in the address bar for all non-encrypted web pages. When that indicator appears, traffic to and from the viewed page is not being encrypted.

Viewing a non-encrypted web page is not particularly risky, as long as no private information is being transmitted. That means user names, passwords, email addresses, credit card numbers, and so on. However, as discussed here previously, unencrypted sites open up a world of possibilities for intercepting and modifying web traffic.

The release announcement for Chrome 68.0.3440.75 provides additional details regarding the security issues addressed.

The simplest way to update Chrome is also the best way to determine which version you’re running: click the three-vertical-dots icon at the top right, then select Help > About Google Chrome. If your browser isn’t already up to date, this will usually trigger an update.

Java 8 Update 181

Oracle’s latest Critical Patch Update (CPU) Advisory — for July 2018 — as usual includes a section about Java.

A new version of Java (8 Update 181) addresses eight security vulnerabilities in earlier versions. The Release Highlights page for Java 8 provides additional details on changes in Update 181, most of which are likely only of interest to developers.

If you use Java, and in particular if you use a web browser that has Java enabled, you should install Java 8 Update 181 as soon as possible. Note that the only modern browser that still runs Java applications is Internet Explorer. The easiest way to update Java is to run the Java applet in the Windows Control Panel: on the Update tab, click the Update Now button.

A strong case for encrypting all web sites – even simple ones

Troy Hunt has put together a video that demonstrates various ways that traffic coming from an unencrypted web site can be dicked around with, for various nefarious purposes, using a technique called a Man In The Middle (MITM) attack.

You can usually tell if a web site is encrypted by looking at your web browser’s address bar. For example, URLs for this web site (boot13.com) should appear in the address bar with a lock, followed by https:// rather than the unencrypted http://. If you try to access any part of this site using http://, you’ll be redirected to the equivalent https:// address.

Although the video does get a bit technical, it’s worth watching all 24+ minutes. You should understand enough of it to see the danger.

Perhaps the most interesting of Troy’s observations is that encrypting a web site doesn’t really provide any direct benefit to the site’s owner. This is not about protecting your web site; it’s about protecting its visitors. In other words, encrypting your web site is an act of altruism.

After watching Troy’s video, I immediately started an evaluation of all my own web sites, as well as those of clients, to make sure that all traffic coming from them is encrypted. Most are already using HTTPS, but some don’t force the use of HTTPS.

Troy Hunt’s video

If you run a web site, you should realize by now that there’s no good reason to avoid turning on encryption. It’s also easier than ever, and — thanks to Let’s Encrypt — no longer has to cost anything. The HTTPS Is Easy video series is a good starting point if you’re not sure how to proceed.

Update 2018Aug08: Sadly, people in remote and underserved locations are having a lot of trouble accessing sites via HTTPS. While that certainly sucks for them, I’m confident that solutions to the specific technical issues involved will be found.
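The check behind "some don't force the use of HTTPS", as an added example that is not part of the original post: it classifies the reply a server gives to a plain http:// request, separating a redirect to the equivalent https:// address from sites that still serve or redirect over HTTP. The function names, verdict labels, and sample replies are constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit, urljoin

REDIRECTS = {301, 302, 303, 307, 308}

def classify(requested_url, status, location):
    """Judge the reply a server gave to a plain http:// request.

    Returns 'forced', 'forced-elsewhere', 'http-redirect' or 'not-forced'.
    """
    if status not in REDIRECTS or not location:
        return "not-forced"          # content (or an error) served over HTTP
    src = urlsplit(requested_url)
    dst = urlsplit(urljoin(requested_url, location))  # Location may be relative
    if dst.scheme != "https":
        return "http-redirect"       # still unencrypted after the hop
    same_host = (dst.hostname or "").lower() == (src.hostname or "").lower()
    same_path = (dst.path or "/") == (src.path or "/") and dst.query == src.query
    # A different host or path (e.g. a www. hop) needs a manual look.
    return "forced" if same_host and same_path else "forced-elsewhere"

def fetch(url, timeout=10):
    """Send one GET over plain HTTP without following redirects (live network)."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("GET", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

# Constructed sample replies (not captured from real sites): url, status, Location
SAMPLES = [
    ("http://site-a.example/about", 301, "https://site-a.example/about"),
    ("http://site-b.example/about", 200, None),
    ("http://site-c.example/about", 302, "https://www.site-c.example/"),
    ("http://site-d.example/about", 301, "http://www.site-d.example/about"),
    ("http://site-e.example/about", 301, "/about/"),
]

def audit_samples():
    return {url: classify(url, status, loc) for url, status, loc in SAMPLES}

if __name__ == "__main__":
    for url, verdict in audit_samples().items():
        print(f"{verdict:17} {url}")
```

To audit a real site you run, pass the result of `fetch("http://your-site/")` to `classify` along with the same URL.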

Patch Tuesday for July 2018

Adobe and Microsoft have issued their monthly updates for July, so even if you’d rather be doing anything else, you should be patching your computers.

We’ll start with Microsoft. As usual, this month’s Security Update Release bulletin serves as little more than a link to the Security Update Guide (SUG), Microsoft’s labyrinthine replacement for the individual bulletins we used to get.

In my experience, the SUG is much easier to digest in the form of a spreadsheet, so the first thing I do there is click the small Download link at the right edge of the page, to the right of the Security Updates heading. If you have Excel — or something compatible — installed, you should be able to open it directly.

Once the spreadsheet is loaded, I recommend enabling the Filter option. In Excel 2007, that setting is in the Sort & Filter section of the Data ribbon (toolbar). This makes every column heading a drop-down list, which allows you to select a particular product or platform, and hide everything else.

Analysis of this month’s updates from the SUG spreadsheet shows that there are sixty-two distinct updates, addressing fifty-three security vulnerabilities in Flash, Internet Explorer, SharePoint, Visual Studio, Edge, Office applications, .NET, and all supported versions of Windows. Seventeen of the updates are flagged as Critical.

As for Adobe, there are updates for Flash (version 30.0.0.134) and Acrobat Reader DC (version 2018.011.20055). The Flash update fixes two vulnerabilities, one of which is Critical. The Acrobat Reader DC update includes fixes for over one hundred security bugs.

How to spot phone call scams

Have you been getting a lot of scam phone calls lately? I sure have. On both the land line and my business cell phone. Some callers claim that I’m being sued by the government or that I’m under investigation. Others want me to think there’s something wrong with my computer and that they have the only fix.

I’m pretty good at spotting these scams, and for me, they’re sometimes entertaining, but usually just annoying. For some people, especially elderly folks with little technical knowledge, these calls can be a horrible trap.

The latest edition of the SANS OUCH! Newsletter is all about phone scams: how to spot them, and what to do when you receive them.

Firefox 61.0 – security and performance improvements

The latest Firefox release features faster page load times and tab switching, improvements to search provider setup, an improved dark theme, better bookmark syncing, and at least eighteen security fixes.

Settings related to the home page and ‘new tab’ page are now in their own section on Firefox’s Options pages. You can access the new section directly using this URL: about:preferences#home.

The Firefox 61.0 release notes provide additional details.

On most computers, Firefox will update itself. You can encourage it by visiting the About page: click the hamburger button, then select Help > About Firefox.

Patch Tuesday for June 2018

The June 2018 Security Update Release bulletin on Microsoft’s TechNet blog is almost devoid of useful information, but if you click the link to the Security Update Guide, then click the big Go To Security Update Guide button, you’ll see a link to the release notes for this month’s updates.

According to the release notes, this month’s updates affect Internet Explorer, Edge, Windows, Office, Office Services and Web Apps, Flash embedded in IE and Edge, and ChakraCore. Analysis of the information in the SUG reveals that there are forty updates, fixing fifty-one separate vulnerabilities. Eleven of the vulnerabilities are flagged as Critical.

Firefox 60.0.2

When first published on June 6, the release notes for Firefox 60.0.2 didn’t mention anything about security, but they’ve since been updated to include a reference to a single vulnerability that is fixed in the new version.

The vulnerability fixed in Firefox 60.0.2 is flagged as having both Critical and High impact by Mozilla, and since there are as yet no details in the official vulnerability database for CVE-2018-6126, it’s difficult to know which is correct.

Regardless, if you use Firefox, you should update it as soon as possible. Depending on how it’s configured, Firefox will usually at least let you know that a new version is available within a few hours after it’s published. If not, you can usually trigger an update by clicking the ‘hamburger’ menu icon at the top right, then selecting Help > About.

Chrome 67.0.3396.79 fixes a single security bug

The latest version of Chrome includes a fix for a single security vulnerability with High severity.

The change log for Chrome 67.0.3396.79 includes a few dozen changes, but none that Google considered worth highlighting in the release announcement, aside from the single vulnerability.

To check your Chrome version, click the vertical-ellipses icon at the top right of its window, then select Help > About Google Chrome. If an update is available, it will usually start downloading automatically.
