Welcome back, Folks!
Today is Patch Tuesday for March, 2021.
This Month in Technology
Gab has been hacked at least a couple more times. (Would you trust the security of a Gab-owned bank?)
A new form of “supply-chain” attack demonstrating dependency vulnerabilities has been used against many major vendors, including Microsoft, Apple, Tesla, and dozens more.
32red, Accellion, Allergy Partners, Apple, Bombardier, CA DMV, Clubhouse Chats, Covenant HealthCare, CSX, D-Link devices, Ecuador’s Ministry of Finance and Banco Pichincha, the European Banking Authority, EXMO, Experian (again), France’s Ministry of Health, Georgetown County (SC), Hipcam (and other baby monitors), Humana, IBM, over a hundred Italian banks, KeepChange, Kia, Kroger, Lakehead University, Malaysia Airlines, Ness Digital Engineering, Ninja Forms, Ngrok, NurseryCam, Oxford University, RealPage, RIPE NCC accounts, Rockwell Automation PLCs, Maza, a Russian Cybercrime forum, Singtel, SITA (an airline service provider), SolarCity, PayPal, Qualys, Sendgrid accounts (to send spam – how could anyone tell the difference?!), Sequoia Capital, Signal, T-Mobile, TMS, 15 UK schools, Underwriters Laboratories, Universal Health Services, VMWare vCenter Server, Washington State Unemployment Department, Wawa, Apple’s WebKit, and Yandex have been hacked.
According to a study by Bridewell Consulting, 86% of UK critical national infrastructure organizations have experienced cyber-attacks. I think it would be more accurate to present these numbers as, “14% of UKs critical national infrastructure doesn’t have the technology in place to know they were hacked.”
Even more malware related to the SolarWinds hack has been discovered. Since AWS was used for the SolarWinds hack, shouldn’t Amazon shut AWS down, too?
Microsoft is now admitting that Azure and Exchange source code has been compromised by the SolarWinds attackers.
The big news this month is that a vulnerability in Microsoft Exchange (coincidence?) has resulted in over thirty thousand servers being hacked. This is huge. So what did Microsoft do? Microsoft has announced it has changed their policy to crack down on hosted email accounts that receive a lot of email. Sigh.
Another interesting new tactic, bitsquatting, has proved far more effective than one would think. The demonstration allowed them to hijack thousands of requests intended for Microsoft. Used maliciously, this method will cause serious damage.
Censorship has finally made it before the Supreme Court, but Dr. Suess is only the latest target, while Facebook allowed actual genocide, but forbade discussion about news articles, Google acknowledges their efforts to perform censorship “better,” and Firefox has released a new extension to aid in censorship, while Streamlabs waited for the payment to clear before censoring one paid user. The Beverly Hills Police Department is using the novel approach of playing copyrighted music to prevent their actions from being observed, and Congress is now violating federal law by demanding censorship of media.
It amazes me that people actually trust “fact checkers.” Censorship doesn’t work!
Poland isn’t taking it anymore. Italy is fining Facebook, too.
Tor was hacked years ago, but new implementations (like that in Brave) are still popping up with their own problems.
Another 21 million VPN users were taught the lesson about the difference between customers and products. If you’re not the customer, you’re the product.
Instagram (like parent Facebook) is sharing everything you do with law enforcement. So is Apple’s iCloud.
The Windows 10 implementation of web fonts can be used to hack you. Apple M1 chips (less than 6 months old) have been targeted with several pieces of malware, but we should trust the MORPHEUS chip, right? BTW, M1 Macs are eating their (soldered in) SSDs, too.
It’s not just Google. Apple can disable all of your accounts and services on a whim, too. Or for your name.
Amazon has been caught duplicating products, can they be trusted to sell your products or host your content?
Is half a billion dollars enough to get you to rethink a bad user interface?
The whole point of unified interfaces and consistent logins is to ensure a familiar experience so you know whether you’re visiting the real site. Attackers take advantage of this to build their own imagekits and forms, even using their own fake security measures to convince you you’re on the “real” site since they are forced to validate that *you* are really you.
The malicious Gootkit Trojan can help the SEO of your websites. Just not for you.
Never reuse passwords. Or hard-code them. And don’t use obvious passwords either. But if you do, don’t blame a fabricated intern.
Apple claims that a new (available since 2019, but only recently launched on iOS) application execution technique will make it more difficult for iPhones to be hacked,
while yet another iPhone bug has demonstrated to successfully jailbreak every active iOS/iPhone line.
North Dakota and Arizona may save the Internet by forbidding the ability for vendors to force the use of their own app stores.
While many treat Google’s lockdown of their data APIs in Chromium as a bad thing, I see it as getting Google further out of Chromium – which can only be a net positive.
AT&T and Frontier have consistently abandoned phone networks in California, but we knew that: AT&T said they were going to do this when Title II passed. Sometimes the only thing to make a company following through is enough bad press.
Deepfakes for everyone! While most focus on Deepfakes are about their potential for evil, they can be used for good.
On patents: Intel owes $2.2 billion for saving power, and Apple has violated several biometric patents.
Dr. Fauci has known all along that the PCR test was useless. The WHO has launched their own COVID-specific version of “we investigated ourselves and found we did nothing wrong.” The dystopian concept of vaccine passports has been struck down by the Council of Europe. Unfortunately their power is mostly cosmetic.
The CDC inflated “COVID deaths” over 1600% in violation of multiple federal laws. CDS is real though. COVID has been “really good for CNN ratings,” though. Thousands of people have died in the US from the experimental COVID “vaccines,” (and elsewhere) or suffered from other harm. Many more internationally. Quarantine internment camps are a real thing. People are being harmed from the tests (or forcefully vaccinated), too. You can do something about it. (They sure won’t.) BTW, the CDC has had to remove their claim that vaccines don’t cause Autism.
Pennsylvania, New Mexico, and Texas have joined in on efforts to end lockdown insanity.
Don’t be selfish! Masks still don’t work, but masks can kill you. (At least they won’t rape you.)
Keep the pedophile, but ban the words.
Green Energy killed Texas. It shouldn’t have been allowed to happen.
Governors Cuomo and Whitmer are finally being taken to task on their “accidental” murder of thousands of nursing home residents. Don’t expect the President to get involved. Genocide is just “different norms” to him. Instead of those in “National Security” investigating this, they’re convinced their time is better used calling half the population terrorists.
Facebook has had more than 20 million child sex abuse incidents, more than 20x greater than any other website, including Google. Nevertheless, the masses aren’t calling for cancelling Facebook. It’s tolerance when “they” do it.
Speaker Pelosi (who is responsible for security at the House) refused National Guard assistance, supposedly over “optics“, before the staged January 6 “riot“. Chris Wray lied to Congress about Antifa dressing as Trump supporters. So did former Deputy Attorney General Rod Rosenstein. They’ve knowingly falsified FISA warrants. So is it really any surprise there are calls to shut down the FBI?
Some states are finally allowing election audits, with evidence of 6% discrepancies in every single race, others as much as 78%, and other serious math problems, while others refuse to release ballots for inspection, purge election data, or allow the FBI to shred ballots without oversight or inspection. Then they poison the people they are forcing to guard them.
Is it any surprise that their Section 230 “reforms” are designed to completely silence online discourse? After all, the President doesn’t understand what “clandestine” means. (Quick tip: If you announce your intentions on the MSM, it’s not clandestine!)
The Babylon Bee is probably the best news site on the Internet, not because they actually have any news, but because they shine a light on the fraud that passes for news today.
Now for the good news:
California has finally been allowed to implement their own brand of Net Neutrality. I strongly oppose Net Neutrality, as getting government involved in something (even under the auspices of protection) always results in unintended consequences. This is, fortunately, no exception. CA Net Neutrality can now be used by myself and others to target Big Tech to penalize them for their continuous acts of censorship.
Let’s Get Busy
Now back to our regularly scheduled program.
Patch Tuesday this month is huge. The typical computer should see roughly 3 GB in updates today. Let’s get started.
Microsoft released updates for Windows, Edge, .NET, Servicing Stack, Internet Explorer, and MSRT (~2 GB). This includes security updates. A reboot is required.
Apple released updates for macOS Big Sur 11.2.3, watchOS 7.3.2, Safari 14.0.3, iOS 14.4.1 and iPadOS 14.4.1. This includes security updates. Use Apple Software Update to install these updates. A reboot is required.
iOS 14.4.1 is a security update. Use Settings, General, Software Update to install the most current update.
iPadOS 14.4.1 is a security update. Use Settings, General, Software Update to install the most current update.
watchOS 7.3.2 is a security update. Use the Watch app on your iPhone to install the most current version.
Google Chrome OS 88.0.4324.186 is a security update. Use Menu, Help, About to install the most current version. A reboot is required.
Don’t forget to check your mobile devices, too! Many updates will also apply to your tablet, phone, kindle or television – so check your device-appropriate App Store and install updates.
Important Notes
Everything above this section should be checked by everyone on every computer. Chances are good that close to every single computer you touch will be affected by those updates. This is not the case with the items below, though you should still check each line item below to see if it applies to software you have installed.
The release of macOS Big Sur (11.0) means that macOS High Sierra (10.13) and older are no longer supported. If you can not install at least macOS Mojave (10.14) on your Mac then you should immediately remove it from the Internet and use it offline only. It will no longer receive patches or updates and can now no longer be secured.
The now-current release of the Windows 10 (v2009) is huge (about 18% larger than v2004, which was 25% larger than any prior build) so will take a long time to download on slower connections. Windows 10 pushes you to get the latest Windows 10 release every 6 months and only supports any consumer builds for 18 months. If you don’t let it finish and you’re on a slow connection, this process kill your Internet performance forever. If you don’t have the bandwidth to download the bits, I’m happy to provide loaner USB drives to our local clients, or, if you prefer to have me mail it to you please contact me for information.
Please remember that while I list many different applications within these updates, most people should ONLY install updates for a program if they already have a previous version of that program installed.
It is essential to maintain all the applications you have installed on your computer, but often you can minimize the time investment and the potential for exploitation simply by uninstalling software you do not need or use, reducing the attack surface. This includes “free” applications like Avast, OpenOffice, and games you do not actually play.
Also note that using the applications own “check for updates” function, when available, will best preserve your current settings, and often avoid any crapware that might come with a fresh installer. Use this option if it’s available to you.
Finally, if you’re sick of doing this all yourself, let me! Call or email me any time, and we can set you up with subscription SaferPC updates which will be installed each month whenever necessary. Click, call or email for more details:
https://saferpc.info/updates/
209-565-12PD
shawn@12pointdesign.com
Driver Updates
If you’re using this hardware – these updates are for you.
BullZip PDF Printer 12.2.0.2902 resolves several bugs. This is not a security update.
https://www.bullzip.com/products/pdf/info.php#download
Display Driver Uninstaller 18.0.3.7 improves cleanup and adds network path support. This is not a security update.
https://www.wagnardsoft.com/display-driver-uninstaller-ddu
DirectX 9.29.1974.1 doesn’t provide a changelog, so should be treated as a security update.
nVidia 461.72 adds support for newer hardware and resolves several bugs. This is not a security update.
https://www.nvidia.com/Download/index.aspx?lang=en-us
Browser Updates
One or more of these are likely to be of interest to everyone.
Brave 1.21.74 resolved several bugs. This is a security update.
https://brave.com/
Google Chrome 89.0.4389.82 is a security update.
https://www.google.com/chrome/
Microsoft Edge 89.0.774.48 is a security update.
https://www.microsoft.com/en-us/edge/business/download
Firefox 86.0 is a security update.
https://www.mozilla.org/en-US/firefox/new/
Firefox ESR 78.8.0 is a security update.
https://www.mozilla.org/en-US/firefox/organizations/all/
Vivaldi 3.6.2165.40 is a security update.
https://vivaldi.com/
Email Updates
One or more of these are likely to be of interest to everyone.
Thunderbird 78.8.0 is a security update.
https://www.thunderbird.net/en-US/
Internet Updates
One or more of these are likely to be of interest to everyone.
Mumble 1.2.19 is a security update.
http://wiki.mumble.info/wiki/Main_Page
Prosody 0.11.8 is a security update.
https://prosody.im/download/start
Trillian 6.4.0.5 resolves a settings bug. This is not a security update.
https://www.trillian.im/
Dropbox 117.4.378 does not provide a changelog so should be treated like a security update.
https://www.dropbox.com/
FreeFileSync 11.8 resolves several bugs. This is not a security update.
https://www.freefilesync.org/download.php
Zoom 5.5.13142.0301 resolves several bugs, improves grid view, and better indicates when content is being shared. This is a security update.
https://zoom.us/
Media Updates
These are unlikely to be of interest to most people.
3tene 2.0.12 adds 3 new types of motion, show/hide shortcut, and resolves several bugs. This is not a security update.
https://en.3tene.com/
Flickr Downloadr 3.3.4.1 updates the Docker image. This is not a security update.
https://flickrdownloadr.com/downloads/
Office Updates
One or more of these are likely to be of interest to most people.
Atom 1.55.0 allows git configuration without a repository. This is not a security update.
https://atom.io/
IcoFX 3.5.1 resolves several bugs. This is not a security update.
https://icofx.ro/
LibreOffice Fresh 7.1.1 resolves almost a hundred bugs. Remember that this is beta software, so should be avoided for the stable version whenever possible. This should be treated as a security update.
https://www.libreoffice.org/
Nextcloud Desktop 3.1.3 is a security update.
https://nextcloud.com/
Notepad++ 7.9.3 adds new folder features that now prevent it working on Windows XP. If you are still running XP you should really consider switching to Linux, but if you must continue to use XP then use Notepad++ 7.9.2. This is not a security update.
https://12pd.com/click?npp32
VideoCleaner 5.8 improves Matrix, Sharpening and Mask features. This is not a security update.
https://videocleaner.com/download.html
Adobe Connect 11.2 is a security update.
https://helpx.adobe.com/security/products/connect/apsb21-19.html
Adobe Creative Cloud Desktop Application 5.4 is a security update.
https://helpx.adobe.com/security/products/creative-cloud/apsb21-18.html
Adobe Framemaker 2020.0.2 is a security update.
https://helpx.adobe.com/security/products/framemaker/apsb21-14.html
Security Software Updates
One or more of these is likely to be of interest to most people.
Tails 4.16 is a security update.
https://tails.boum.org/install/dvd-download/index.en.html
OpenSSL 1.1.1j is a security update.
https://www.openssl.org/source/
RogueKiller 14.8.5 updates core and resolves several bugs. This is not a security update.
https://www.adlice.com/download/roguekiller/
Wireless Network Watcher 2.25 improved compatibility with high-DPI. This is not a security update.
https://www.nirsoft.net/utils/wireless_network_watcher.html
Capture Updates
These are unlikely to be of interest to most people.
VideoCacheView 3.06 adds support for the new cache partitioning structure in chromium-based browsers. This is not a security update.
https://www.nirsoft.net/utils/video_cache_view.html
Converter Updates
These are unlikely to be of interest to most people.
MakeMKV 1.16.1 resolves several bugs and adds ARM support. This is not a security update.
https://12pd.com/click?makemkv
Utility Updates
These are unlikely to be of interest to most people.
1Password for Mac 7.8 adds native M1 support and resolves dozens of bugs. This is a security update.
https://1password.com/downloads/mac/
1Password for Windows 7.6.793 improves performance and resolves several bugs. This is not a security update.
https://1password.com/downloads/windows/
CCleaner 5.77.8521 improves cleaning and resolves several bugs. This is a security update.
https://www.ccleaner.com/
ControlMyMonitor 1.28 improves compatibility with high DPI. This is not a security update.
https://www.nirsoft.net/utils/control_my_monitor.html
Coreinfo 3.52 adds reporting for CET (shadow stack). This is not a security update.
https://docs.microsoft.com/en-us/sysinternals/downloads/coreinfo
Cygwin 3.1.7 resolves several bugs. This is not a security update.
https://cygwin.com/
Dell Command Update 4.1 is a security update.
https://www.dell.com/support/article/us/en/04/sln311129/dell-command-update?lang=en
DesktopOK 8.66 resolves several bugs. This is not a security update.
https://www.softwareok.com/?seite=Freeware/DesktopOK
Eraser 6.2.0.2992 doesn’t provide a changelog so should be treated as a security update.
https://eraser.heidi.ie/download/
Everything Toolbar 0.6.2 adds an installer, drag & drop support, elevation support, and more. This is not a security update.
https://github.com/stnkl/EverythingToolbar/
Homedale 1.93 adds an option to set the gps baud rate from the command line. This is not a security update.
https://www.the-sz.com/products/homedale/
IsMyHdOK 3.01 resolves a bug in screenshot generation. This is not a security update.
https://www.softwareok.com/?seite=Microsoft/IsMyHdOK
NTLite 2.0.0.7820 resolves several bugs. This is not a security update.
https://www.ntlite.com/download/
OSFMount 3.1.1000 updates drivers and improves CLI support. This is not a security update.
https://www.osforensics.com/tools/mount-disk-images.html
PointerStick 5.05 updates language files. This is not a security update.
https://www.softwareok.com/?seite=Freeware/PointerStick
QuickSetDNS 1.31 adds option to start hidden. This is not a security update.
https://www.nirsoft.net/utils/quick_set_dns.html
TeamViewer 15.15.5 was released. The TeamViewer release notes have been unavailable for months now, so while it might be a security update, it would be safer to remove TeamViewer until these issues are resolved.
https://www.teamviewer.com/en/download/windows/
TraceRouteOK 2.42 updates language files. This is not a security update.
https://www.softwareok.com/?seite=Microsoft/TraceRouteOK
WinScan2PDF 6.91 adds support for multi-page TIF and resolves several bugs. This is not a security update.
https://www.softwareok.com/?seite=Microsoft/WinScan2PDF
WizTree 3.37 improves compatibility, refresh behavior, and resolves several bugs. This is not a security update.
https://wiztreefree.com/
Developer Updates
These are unlikely to be of interest to most people.
AutoHotkey 1.1.33.05 resolves several bugs and improves compatibility. This is not a security update.
https://www.autohotkey.com/download/
Node.js 12.21.0 is a security update.
https://nodejs.org/en/
Node.js 14.16.0 is a security update.
https://nodejs.org/en/
Node.js 15.11.0 resolves dozens of bugs. This is a security update.
https://nodejs.org/en/
TortoiseSVN 1.14.1 resolves several bugs. This is not a security update.
https://tortoisesvn.net/downloads.html
Visual Studio Code 1.54 resolves an extension dependency bug. This is not a security update.
https://code.visualstudio.com/
Virtual Machine Updates
These are unlikely to be of interest to most people.
PPSSPP 1.11.3 resolves several bugs. This is not a security update.
https://ppsspp.org/downloads.html
Web Package Updates
These are likely to be of interest only to web developers.
Adminer 4.8.0 adds several new features and improves compatibility. This is not a security update.
https://www.adminer.org/en/
Docker Desktop 3.2.1 updates the Docker Engine. This is not a security update.
https://www.docker.com/products/docker-desktop
Drupal 9.1.5 resolves dozens of bugs. This is not a security update.
https://drupal.org/download
HumHub 1.8.0 adds a bunch of new features, improves permissions, brute force delays, style and administration improvements, and resolves several bugs. This is not a security update.
https://www.humhub.com/en/download
Joomla 3.9.25 is a security update.
https://www.joomla.org/
MailEnable 10.32 resolves several bugs and adds LDAP support. This is not a security update.
https://www.mailenable.com/
Nextcloud Server 21.0.0 improves performance (up to 10x!), collaboration, groupware and more. This is not a security update.
https://nextcloud.com/
OpenPetra 2021.02 adds several new features, improvements, and resolves bugs. This is not a security update.
https://www.openpetra.org/
phpList 3.6.1 improves short URLs, PHP8 support, and security improvements. This is a security update.
https://www.phplist.org/
phpMyAdmin 5.1.0 resolves several bugs, improves compatibility, and adds several new options. This is not a security update.
https://www.phpmyadmin.net/
ScreenConnect 21.3.2160.7699 resolves several bugs, renamed End to Delete, and improves compatibility. This is not a security update.
https://www.connectwise.com/software/control/download
YOURLS 1.8.1 improves IDN, UTF8, time zone, and PHP8 support, removes support for PHP 7.2, and resolves several bugs. This is not a security update.
https://yourls.org/
WordPress 5.7 resolves several bugs and adds a few new features, improving accessibility, and (finally) adding a feature to update HTTP to HTTPS links throughout your site when you switch to HTTPS. This is not a security update.
https://wordpress.org/
Akismet 4.1.9 improves handling of pingbacks in XML-RPC calls. This is not a security update.
BuddyPress 7.2.0 resolves several bugs. This is not a security update.
Conditional Widgets 3 improves translation support. This is not a security update.
Contact Form 7 5.4 adds Sendinblue support, updates libraries and improves reliability and compatibility. This is not a security update.
Social Post Feed 2.19 improves error handling and reporting, cleanup, resolves several bugs and updates libraries. This is not a security update.
myStickymenu 2.5.1 improves instructions and compatibility. This is not a security update.
Postie 1.9.55 improves compatibility and removes legacy image sizing feature. This is not a security update.
Really Simple CAPTCHA 2.1 improves hash comparison. This is not a security update.
W3 Total Cache 2.1.1 resolves several bugs and adds information links and ogg caching support. This is not a security update.
WooCommerce 5.1.0 is a major update. This version improves compatibility, localization, and resolves dozens of bugs. This is not a security update.
WordPress Zero Spam 5.0.9 resolves several bugs and improves spam detection. This is not a security update.
That’s all for now folks. Keep it clean out there. 😉
Regards,
Shawn K. Hall
https://SaferPC.info/
https://12PointDesign.com/