Updates 2020-06-09

Welcome back, Folks!

Today is Patch Tuesday for June 2020.

Windows 10 v2004 has been released. Don’t be the guinea pig! Make sure you’ve installed v1909 recently so you won’t be forced into the new build before they work out the bugs. I don’t see a lot of differences between v2004 and v1909 that most people would benefit from, anyway, but these releases tend to take a couple months to work out most of the bugs. For example, many Windows policies are erased during the upgrade which can result in local accounts being forced into using inescapable Microsoft accounts for users that don’t understand that “skip for now” is an option.

If you’re running any commercial version of Windows 10 prior to v1809 (build 17763) then it’s no longer supported and you will not receive operating system security updates. Upgrade to v1909 ASAP to maintain security updates for your device. Don’t install v2004 yet, since it’s now in what most people would call the “public beta.” Download v1909 for your system using the ISO Downloader, mount the ISO, then use the setup.exe file to install. Change the option on the first page of the installer to DISABLE checking for updates until after the installation is completed.

This Month in Technology

You could have probably used an egg timer to measure the time between the Orwellian release of GACT – Google/Apple Contact Tracing, which we were assured time and time again would never be used for anything other than COVID-19 tracking – and when it was used to track and arrest protesters. The current version of GACT can be disabled by turning off Location and Bluetooth on your devices. This will not be the case in the next iteration due within the next month.

The number of security vulnerabilities discovered in popular open source projects more than doubled in 2019. The horror! The fear! Well, this is actually a good thing. Vulnerabilities aren’t created by evil third-parties or hackers. They’re created by the original developers. They’re baked into the programs and libraries that the developer created – generally through failure of imagination or insufficient testing. The hackers and other third-parties only discover them and report them to the developers. Think of it like someone testing all the car doors in a parking lot to see if a car is unlocked. The “discovered” (read “reported”) vulnerabilities are what happens when the guy checking doors tells the car owner that he left the doors unlocked, so they can lock their doors. Unfortunately, whether they’re discovered or not the vulnerabilities do exist. Bad people may have already checked those doors and stolen everything out of your car long before the vulnerabilities were reported to the developers. Seeing these numbers go up makes me smile – the whole world is better for it. 🙂

The recent attacks on Microsoft logins using Google and Amazon URL redirection to steal authentication keys are not the only phishing methods currently being widely deployed. Attackers are also sending fake VPN configurations to users, which would allow direct man-in-the-middle attacks to proceed against all sites and services the victim used with their device.

My position on most services and features in any operating system or device is “default deny.” Turning off unused and unwanted features ensures that they can’t be abused and effect greater control over your device or your network. The #CallStranger UPnP protocol vulnerability allows malicious scripts from any website to hijack your internal network and perform network scans, DDoS attacks, or foothold attacks against your internal devices, including the vulnerable router that has UPnP enabled. Disabling UPnP and using manual network assignment would prevent this and any future UPnP vulnerabilities from having any effect.

The IAB has released a framework to aid in compliance with the CCPA.

The Free Thought Project provides several alternatives to the current law enforcement crisis that can help prevent the riots and protests we’re seeing now in many major metropolitan areas.

REAL science for the win. I wonder if the MSM outlets that have been vilifying Hydroxychloroquine will ever retract their statements? Sorry, that’s facetious since we all know that the MSM never acknowledges their failings. Will the arbiters of “truth” at Twitter and Facebook concede that their censorship was actually in the name of bad science? Of course not.

A major attack against Ajit Pai’s elimination of Net Neutrality comes in the form of AT&T paying itself for zero-rating HBO Max data on their networks. This will likely spring back up the Net Neutrality battle in the FCC.

The next Y2K is coming. CA Certificates are the parent certificates of the ones that provide TLS/SSL security for websites. The first of several to expire within the next year expired a few days ago causing service disruption for automated processes that depended upon the expiring authority certificates. Roku, Stripe, Sectigo, Fortinet and many, many more. Four separate root certificates expire within the next year and a dozen in the next 5 years. Be prepared for this to happen several more times in the near future.

Now for the good news:

Linux LTS Kernel 4.19 and 5.4 will be supported for 6 years. This will have a huge impact on the effective life of IoT devices.

Let’s Get Busy

Now back to our regularly scheduled program.

Thanks to the unstopping barrage of updates pushed during “weekly update quarantine”, Patch Tuesday this month is very light. The typical computer should see roughly 1 GB in updates today. Let’s get started.

Microsoft released updates for Windows, Edge, .NET, Internet Explorer, Office, Servicing Stack, Microsoft Store, hardware security, and MSRT (~800 MB). This includes security updates. A reboot is required.

Adobe Flash Player is a security update.
Win: https://12pd.com/click?flash
Win: https://12pd.com/click?flashie
Mac: https://12pd.com/click?flashmac

Google Chrome OS 83.0.4103.97 is a security update. Use Menu, Help, About to install the most current version. A reboot is required.

Don’t forget to check your mobile devices, too! Many updates will also apply to your tablet, phone, kindle or television – so check your device-appropriate App Store and install updates.

Important Notes

Everything above this section should be checked by everyone on every computer. Chances are good that close to every single computer you touch will be affected by those updates. This is not the case with the items below, though you should still check each line item below to see if it applies to software you have installed.

The release of macOS Catalina (10.15) means that macOS Sierra (10.12) and older are no longer supported. If you can not install at least macOS High Sierra (10.13) on your Mac then you should immediately remove it from the Internet and use it offline only. It will no longer receive patches or updates and can now no longer be secured.

The now-current release of the Windows 10 (2004) is a huge (about 25% larger than any prior build) so will take a long time to download on slower connections. Windows 10 pushes you to get the latest Windows 10 release every 6 months. If you don’t let it finish and you’re on a slow connection, this process kill your Internet performance forever. If you don’t have the bandwidth to download the bits, I’m happy to provide loaner USB drives to our local clients, or, if you prefer to have me mail it to you please contact me for information.

Please remember that while I list many different applications within these updates, most people should ONLY install updates for a program if they already have a previous version of that program installed.

It is essential to maintain all the applications you have installed on your computer, but often you can minimize the time investment and the potential for exploitation simply by uninstalling software you do not need or use, reducing the attack surface.

Also note that using the applications own “check for updates” function, when available, will best preserve your current settings, and often avoid any crapware that might come with a fresh installer. Use this option if it’s available to you.

Finally, if you’re sick of doing this all yourself, let me! Call or email me any time, and we can set you up with subscription SaferPC updates which will be installed each month whenever necessary. Click, call or email for more details:

Browser Updates

One or more of these are likely to be of interest to everyone.

Brave 1.9.80 is a security update. This version removes the “accidental” hijacking of affiliate links. Use Menu, Help, About to install the most current version.

Microsoft Edge 83.0.478.45 is a security update. Use Menu, Help, About to install the most current version.

Email Updates

One or more of these are likely to be of interest to everyone.

Thunderbird 68.9.0 is a security update. Use Menu, Help, About to install the most current version.

Internet Updates

One or more of these are likely to be of interest to everyone.

Npcap 0.9993 resolves several bugs. This is not a security update.

Game Updates

These are unlikely to be of interest to most people.

Steam 2020.06.05 resolves several bugs. This is not a security update.

Office Updates

One or more of these are likely to be of interest to most people.

Notepad++ 7.8.7 resolves several bugs. This is not a security update.

Adobe Framemaker 2019.0.6 is a security update.

Adobe Experience Manager 6.4 and 6.5 are security updates.

Capture Updates

These are unlikely to be of interest to most people.

ScreenToGif 2.25 resolves several bugs, adds APNG support, adds option to disable tasks, and adds new URL metadata field. This is not a security update.

Converter Updates

These are unlikely to be of interest to most people.

DVDFab adds support for new encodings, improves default bit-rate and ripper modules, and resolves a SRT export bug. This is not a security update.

Utility Updates

These are unlikely to be of interest to most people.

Etcher 1.5.97 resolves several bugs. This is not a security update.

PowerToys 0.18.2 resolves an elevation bug and several other bugs. This should be treated as a security update.

RoboForm 8.9.0 improves data synchronization, and resolves bugs in import. This is not a security update.

USB Oblivion adds support for unknown USB devices and resolves a bug related to old hardware. This is not a security update.

WinScan2PDF 5.55 resolves a language selection bug and improves the scan integration. This is not a security update.

Developer Updates

These are unlikely to be of interest to most people.

SQLite 3.32.2 improves VFS and PostgreSQL compatibility, adds IIF() support, improves the import command, and several other improvements. This is a security update.

Virtual Machine Updates

These are unlikely to be of interest to most people.

VirtualBox 6.1.10-138449 adds support for Linux kernel 5.7, resolves several bugs, and improves Wayland compatibility. This is not a security update.

Web Package Updates

These are likely to be of interest only to web developers.

Docker Desktop upgrades the Linux kernel and resolves several bugs. This is a security update.

Akismet 4.1.6 resolves a race condition. This is not a security update.

Postie 1.9.53 adds a filter for postie_subject. This is not a security update.

WP Mail SMTP 2.1.1 adds a filter to set global reply-to address and improves documentation. This is not a security update.

That’s all for now folks. Keep it clean out there. 😉


Shawn K. Hall

Leave a Reply

Your email address will not be published. Required fields are marked *