Updates 2020-03-10

Welcome back, Folks!

Today is Patch Tuesday for March 2020.

The next build of Windows 10 is just around the corner. If you don’t want to be the guinea pig I strongly suggest you update to v1909 within the next month. This will grant you a reprieve from the new version for a couple months. Let everyone else beta test and you can upgrade when they’ve worked out the bugs.

Windows 7 is still end-of-life (EOL). If you’re still running it, shame on you, and if you are running a licensed version of Windows 7 or 8 you can still upgrade to Windows 10 and have a supported version of Windows for the foreseeable future. Don’t want to do it yourself? Call me!
https://saferpc.info/contact/

This Month Week in Technology

In 2019, Android reportedly had the most vulnerabilities of any OS, but in its defense, there are literally dozens of manufacturers that build on Android and many of the issues stem from these third-parties. Also, if you’re running Android, you really should also be using SnoopSnitch which can identify whether security updates have been applied to your device or if it’s been abandoned by the vendor.

Movies like Eagle Eye demonstrated how easy it was for a malicious actor to observe your mobile remotely, but if you have a smart assistant enabled (such as Alexa, Siri, Google Assistant, Cortana) then it is possible to remotely control it using audio signals that are beyond the range of human hearing.

There’s more evidence than ever that selling your Intellectual Property to a third party puts your users at risk. It’s very common in browser extensions and website plugins. It doesn’t matter how secure the core engine is if the user installs a malicious or defective extension/plugin. There’s always a line, though, right? Facebook is actually suing an SDK maker for harvesting the data that…Facebook collected.

Netgear has issued security patches for almost 50 router models. If you use Wi-Fi then, by it’s very nature, you’re susceptible to being tracked. The protocol itself is your enemy since it requires that it transmit all your “known” networks on a regular basis during a heartbeat connection status report. Even if you disable Wi-Fi everywhere except trusted locations, those trusted locations can be still be compromised due to weak security in the on-device encryption key. Intel and AMD CPUs for nearly a decade have had significant flaws that allow data exfiltration by unprivileged users.

More than a million enterprise Microsoft accounts have been compromised, primarily through password reuse. Guys, NEVER reuse passwords! Defense contractors getting hacked isn’t really anything new, but you’d think they had better backups so they wouldn’t have to pay half-million dollar ransoms.

Malware authors evade detection in many ways. One of the most common diagnostic tests for malicious software is to run it within a virtual machine. As expected, developers can detect and disable their malware within these environments. The Malware Evasion Encyclopedia provides advice to educate researchers to keep one step ahead of the malware.

.NET Core 3.0 is dead. Long live .NET Core! Oh, and switching to 3.1 is easy.

I’ll end my soapbox on a happy note:

A new Wi-Fi chip design for IoT devices consumes only 1/5000th of the energy of current models. Wow!

Let’s Get Busy

Now back to our regularly scheduled program. Thanks to the monster of updates pushed during “weekly update February”, Patch Tuesday this month is pretty light. The typical computer should see roughly 1.1 GB in updates today. Let’s get started.

Microsoft released updates for Windows, Internet Explorer, Servicing Stack, and MSRT (~600 MB). This includes security updates. A reboot is required.

Google Chrome OS 80.0.3987.137 is a security update. Use Menu, Help, About to install the most current version. A reboot is required.

Don’t forget to check your mobile devices, too! Many updates will also apply to your tablet, phone, kindle or television – so check your device-appropriate App Store and install updates.

Important Notes

Everything above this section should be checked by everyone on every computer. Chances are good that close to every single computer you touch will be affected by those updates. This is not the case with the items below, though you should still check each line item below to see if it applies to software you have installed.

The release of macOS Catalina (10.15) means that macOS Sierra (10.12) and older are no longer supported. If you can not install at least macOS High Sierra (10.13) on your Mac then you should immediately remove it from the Internet and use it offline only. It will no longer receive patches or updates and can now no longer be secured.

The now-current release of the Windows 10 (1909) is a pretty small update so will install quickly. Windows 10 pushes you to get the latest Windows 10 release every 6 months. If you don’t let it finish and you’re on a slow connection, this process kill your Internet performance forever. If you don’t have the bandwidth to download the bits, I’m happy to provide loaner USB drives to our local clients, or, if you prefer to have me mail it to you please contact me for information.

Please remember that while I list many different applications within these updates, most people should ONLY install updates for a program if they already have a previous version of that program installed.

It is essential to maintain all the applications you have installed on your computer, but often you can minimize the time investment and the potential for exploitation simply by uninstalling software you do not need or use, reducing the attack surface.

Also note that using the applications own “check for updates” function, when available, will best preserve your current settings, and often avoid any crapware that might come with a fresh installer. Use this option if it’s available to you.

Finally, if you’re sick of doing this all yourself, let me! Call or email me any time, and we can set you up with subscription SaferPC updates which will be installed each month whenever necessary. Click, call or email for more details:
https://saferpc.info/updates/
209-565-12PD
shawn@12pointdesign.com

Driver Updates

If you’re using this hardware – these updates are for you.

BullZip PDF Printer 11.13.0.2823 resolves an SFTP bug. This is not a security update.
https://www.bullzip.com/products/pdf/info.php#download

Intel Driver and Support Assistant 20.2.9 resolves several bugs. This is not a security update.
https://www.intel.com/p/en_US/support/detect

nVidia 442.59 adds support for new hardware and resolves several bugs. This is not a security update.
https://www.nvidia.com/Download/index.aspx?lang=en-us

Logitech Options 8.10.154 adds support for newer hardware and resolves several bugs. This is not a security update.
https://www.logitech.com/en-us/product/options

Browser Updates

One or more of these are likely to be of interest to everyone.

Google Chrome 80.0.3987.132 is a security update. Use Menu, Help, About to install the most current version.

Firefox 74.0 is a security update. Use Menu, Help, About to install the most current version.

Firefox ESR 68.6.0 is a security update. Use Menu, Help, About to install the most current version.

Vivaldi 2.11.1811.47 is a security update. Use Menu, Help, About to install the most current version.
https://vivaldi.com/

Internet Updates

One or more of these are likely to be of interest to everyone.

WinSCP 5.17.2 resolves several bugs and disables TLS 1.3 by default. This is not a security update.
https://winscp.net/eng/index.php

Npcap 0.9988 resolves several bugs. This is not a security update.
https://nmap.org/npcap/

Office Updates

One or more of these are likely to be of interest to most people.

Notepad++ 7.8.5 resolves several bugs. This is not a security update.
https://notepad-plus-plus.org/

Nextcloud Desktop 2.6.4 resolves several bugs. This is not a security update.
https://nextcloud.com/

Security Software Updates

One or more of these is likely to be of interest to most people.

NSudo 8.0 resolves several bugs, improves reliability, and reduces file size. This is not a security update.
https://github.com/M2Team/NSudo/releases/latest

TinyWall 2.1.15 now offers the upgrade to 3.0.0 on 64-bit systems. 3.0.0 is in beta and provides user interface, performance, stability and reliability improvements. It is, however, beta software, so should be avoided until it is stable.
https://tinywall.pados.hu/

uBlock Origin 1.25.2 resolves several bugs and improves GUI. This is not a security update.
https://github.com/gorhill/uBlock/releases/latest

Capture Updates

These are unlikely to be of interest to most people.

ScreenToGif 2.22 resolves several bugs and improves automatic update. This is not a security update.
https://github.com/NickeManarin/ScreenToGif/releases/latest

SnagIt 2020.1.1 adds SharePoint sharing, and resolves several bugs. This is a security update.
https://download.techsmith.com/snagit/enu/snagit.exe

Converter Updates

These are unlikely to be of interest to most people.

MakeMKV 1.15.0 updates the user interface, adds new preferences for LibMMBD integration, and improves reliability. This is not a security update.
https://www.makemkv.com/download/

MKVToolnix 44.0.0 adds attachment drag and drop, improves reliability, and resolves several bugs. This is not a security update.
https://www.fosshub.com/MKVToolNix.html

DVDFab 11.0.7.7 adds support for new encodings, new profiles, and adds BluPath feature. This is not a security update.
https://www.dvdfab.cn/download.htm

Utility Updates

These are unlikely to be of interest to most people.

1Password for Windows 7.4.750 adds several new features, including Windows Hello support, rewritten interface engine, improved display support, and over 80 fixes and improvements. This is not a security update.
https://1password.com/downloads/windows/

Beyond Compare 4.3.4.24657 updates libraries, resolves several bugs, and improves compatibility. This is not a security update.
https://www.scootersoftware.com/download.php?zz=dl4

Bitcoin 0.19.1 resolves several bugs. This is not a security update.
https://bitcoin.org/en/download

DesktopOK 6.88 updates the language file. This is not a security update.
https://www.softwareok.com/?seite=Freeware/DesktopOK

DMDE 3.6.1.773 adds support for 64-bit macOS. This is not a security update.
https://dmde.com/

Everything 1.4.1.965 resolves several bugs. This is not a security update.
https://www.voidtools.com/

Fing 8.9.0 resolves several bugs and integrates a database of supported devices (Fingpedia), this is not a security update.
https://community.fing.com/

GoodSync 10.10.26 improves compatibility and status reporting. This is not a security update.
https://12pd.com/click?goodsync

Rufus 3.9 resolves several bugs and improves compatibility. This is not a security update.
https://rufus.ie/en_IE.html

TeamViewer 15.3.8497 resolves compatibility bug with hash authentication, but disables hash auth for settings. This is not a security update.
https://www.teamviewer.com/en/download/windows/

WSUS Offline 11.9 is the last version to support Windows 7, updates supersedence URLs, and resolves several bugs. This is not a security update.
https://download.wsusoffline.net/

Developer Updates

These are unlikely to be of interest to most people.

Android Studio 3.6.1.0 resolves several bugs. This is not a security update.
https://developer.android.com/studio/index.html

Godot 3.2.1 resolves several bugs. This is not a security update.
https://godotengine.org/

Node.js 13.10.1 resolves several bugs. This is not a security update.
https://nodejs.org/en/

TortoiseGit 2.10.0 updates libraries and resolves several bugs. This is not a security update.
https://tortoisegit.org/

Visual Studio Code 1.43 adds a search editor, shangle controls, minimap improvements, column selection, and more. This is not a security update.
https://code.visualstudio.com/

Web Package Updates

These are likely to be of interest only to web developers.

Joomla 3.9.16 is a security update.
https://www.joomla.org/

Drupal 8.8.3 resolves over 50 bugs and updates libraries. This is not a security update.
https://drupal.org/download

HumHub 1.4.3 resolves several bugs. This is not a security update.
https://www.humhub.com/en/download

ScreenConnect 20.1.27036.7360 resolves several bugs. This is not a security update.
https://www.connectwise.com/software/control/download

Contact Form 7 5.1.7 adds LTR support and adds a cosmetic change to warning. This is not a security update.

Email Log 2.3.2 improves compatibility, user interface, and resolves a couple bugs. This is not a security update.

Simple Lightbox 2.8.1 improves compatibility. This is not a security update.

NextScripts Social Networks Auto-Poster 4.3.13 resolves several bugs and improves compatibility. This is not a security update.

WooCommerce 4.0.0 is a major update adding over 70 changes and fixes, updated libraries, and feature improvements. This is not a security update.

That’s all for now folks. Keep it clean out there. 😉

Regards,

Shawn K. Hall
https://SaferPC.info/
https://12PointDesign.com/

Updates 2010-02-24

Hey folks!

Microsoft has released out-of-cycle updates: between four and six of them depending on your version of Windows: one for native scripting for a newly released standard, one for time-zone compatability, service packs for .NET Frameworks 2 and 3, and reliability changes to Windows Activation core files. On Windows 7 platforms, the last of these is UNCHECKED by default, but very necessary: the current spate of rogueware does corrupt the Windows and Office licensing files, which is directly responsible for some machines not booting correctly after this months’ Patch Tuesday series. A reboot is required. You should visit Microsoft Update immediately to install them.
  http://update.microsoft.com/


Important Notes

Everything above this section should be checked by everyone on every computer. Chances are good that close to every single computer you touch will be affected by those updates. This is not the case with the items below, though you should still check each line item below to see if it applies to software you have installed.

Please remember that while I list many different applications within these updates, most people should ONLY install updates for a program if they already have a previous version of that program installed.

It is essential to maintain all the applications you have installed on your computer, but often you can minimize the time investment and the potential for exploitation simply by uninstalling software you do not need.


Internet Updates
One or more of these are likely to be of interest to everyone.

Firefox 3.5.8 was released this week to address several security and stability issues. If you haven’t yet upgraded to 3.6, you need to either install this update, or go all the way to 3.6 ASAP. This is a security update.
  http://mozilla.com/firefox/

FileZilla 3.3.2 adds speed limits, performance improvements, and better mouse controls, as well as fixing a number of other bugs. This is not a security update.
  http://filezilla-project.org/

SeaMonkey 2.0.3 uses the Firefox codebase, so includes the same security and stability fixes you see in this week’s Firefox release, as well as a large number of additional fixes for crash bugs and other issues. This is a security update. ONLY if you have SeaMonkey installed, get the update with “Help, Check for Updates” or here:
  http://www.seamonkey-project.org/

Pidgin 2.6.6 corrects a wide array of bugs across multiple services, including some remotely exploitable vulnerabilities. If you use Pidgen, you should upgrade immediately. This is a security update.
  http://www.pidgin.im/

ICQ 7.0.1211 integrates into Facebook and Twitter, as well as a number of bug fixes. Since this is closed source and no incremental changelog is available, this should be treated as a security update. IF YOU ALREADY have ICQ installed, update it now.
  http://www.icq.com/download/


Office Updates
One or more of these are likely to be of interest to most people.

Notepad++ 5.6.7 fixes a crash bug, and a couple cosmetic issues. This is not a security update.
  http://sourceforge.net/projects/notepad-plus/files/


Security Software Updates
One or more of these is likely to be of interest to most people.

SuperAntiSpyware 4.34.1000 includes performance and user rights changes, and adds native 64bit support (though this functionality is still beta). This is a security update.
  http://www.superantispyware.com/

Ad-Aware 8.2.0.0 adds email scanning, network monitoring, and rootkit removal to it’s list of features provided in all versions, including Ad-Aware Free. This should be considered a security update.
  http://www.lavasoft.com/products/ad_aware_free.php


Media Updates
These are unlikely to be of interest to most people.

ATI Catalyst Drivers 10.2 fixes dozens of non-security bugs, and adds various additional features and new hardware support. This is not a security update. If you use an ATI video card, check for updates here:
  http://support.amd.com/us/gpudownload/Pages/index.aspx

Vista Codec Package 5.5.9 corrects an interface bug and updates to several codecs. This is not a security update.
  http://shark007.net/vistacodecpackage.html

GPU-Z 0.3.9 adds various additional hardware. This is not a security update.
  http://www.techpowerup.com/downloads/SysInfo/GPU-Z/


Utility Updates
These are unlikely to be of interest to most people.

VMware Player 3.0.1 corrects a multi-core bug that would seriously limit performance on newer hardware, as well as several other bugs. This is not a security update.
  http://www.vmware.com/products/player/

WinSCP 4.2.6 corrects several bugs, including a memory leak and multiple reliability issues. This is not a security update.
  http://winscp.net/eng/index.php


Developer updates:
These are unlikely to be of interest to most people.

Inno Setup 5.3.8 adds various updates and settings changes, including new default settings that will aid in Windows Logo certification for your application releases. This is not a security update.
  http://www.jrsoftware.org/isdl.php

MySQL 5.1.44 is a reliability and bug fix release, correcting a number of minor bugs, and a couple bugs that could cause data loss during certain commands. This is not a security update.
  http://www.mysql.com/downloads/mysql/

That’s all for now folks. Keep it clean out there. 😉

Regards,

Shawn K. Hall
https://SaferPC.info/
https://12PointDesign.com/

Updates 2009-07-07

Hey folks!

Microsoft has released an out of cycle security patch for the .NET Framework. This is a critical update, and corrects a remotely exploitable vulnerability that can be exploited through webpages visited in Internet Explorer **or** Firefox. It is very important that you install this update if you use Windows, even if Internet Explorer is not your default browser.
  http://update.microsoft.com/
While you’re there, make sure you’re getting the other important “optional” updates and drivers, which will only be listed if you select “custom” or select the option to “view all available updates” within the Vista update dialog.

Speaking of Vista…every single computer running Vista that I’ve seen in the last month had yet to install the Vista SP2 package! Folks, this is a big deal, and should not be avoided or dismissed lightly. It’s been out just shy of two months now, and is the only method for obtaining some of the security fixes within the (300mb+ for 32bit or 550mb+ for 64bit) package. Either use the Windows Update tool or download the package for your processor type from here:
  http://technet.microsoft.com/en-us/windows/dd262148.aspx

These last couple weeks Apple has released several security, stability and performance updates for Mac OSX, including firmware updates for a number of devices, Time Capsule, iPhoto, MacBook, Final Cut Pro, and other updates. Most importantly, Apple has finally taken it upon themselves to update the Mac Java environment to resolve a number of security issues that have been used for *over a year* to exploit OSX in the wild. Use the system updater, or visit:
  http://support.apple.com/downloads/

Mozilla has released an update to Firefox, to version 3.5. This update includes security and stability fixes, including remote exploits. It is now also the first browser to include certain advanced new aspects of the HTML5 spec that, unfortunately, are almost non-existent in the real-world Internet. If you have Firefox installed, you are advised to update ASAP.
  Mozilla Firefox: Help > Check for Updates
  http://www.mozilla.com/en-US/firefox/

Nullsoft has released another security patch for Winamp Media Player, to version 5.56. Notable among the fixes is better support for external devices including the iPod, and better support for accessing your iTunes library. If you use WinAMP, get the update here:
  http://www.winamp.com/player

This last week must have been a full moon or something, because *three* very popular freeware applications released updates that *all* had serious flaws. Two of those have since been patched and re-released, and we’re in a holding pattern for the third.

FileZilla Client 3.2.6.1 quickly followed the release of 3.2.6 a few days ago. This is a reliability
update, but adds a couple nifty security features as well. If you don’t know what FTP is, you don’t need it.
  http://filezilla-project.org/download.php?type=client

CD Burner XP 4.2.4.1420 was released and re-released this week, first breaking pretty much any ISO features, then correcting the issues with a timely patch. This version also includes several user interface enhancements, safer command parsing and a couple edge bugs that most people would probably not have noticed. While not a security update, the new ability to set a user-defined temp folder for caching can increase stability quite a bit, especially for older or slower computers.
  http://cdburnerxp.se/en/download

Notepad++ 5.4.4 was released a few days ago, correcting a dozen outstanding issues, butt adding a couple significant bugs. Most importantly, keyboard shortcuts are broken, so I suspect a number of the core users have reverted back to the “safe” 5.4.3 version. While you could update to the 5.4.4 release, it’s probably safer to wait another week or so to resolve the new bugs.
  http://sourceforge.net/projects/notepad-plus/files/

Security- and maintenance-conscious individuals will find that Syncaid is written “just for them.” I released version 1.0.40 last week, which adds several features to the engine, including the ability (as options) to queue decompression or execute downloaded files automatically. I wrote this engine specifically to aid in troubleshooting and repair of systems that are either infected or woefully neglected in maintenance. Having used it privately to synchronize updates for things like AVG and Stinger for over a year, I finally decided to publish it online several months ago, and have posted a number of “Sync” files for use with it as well. Learn more, and get it here:
  https://saferpc.info/syncaid/

For servers & websites:

phpMyAdmin 3.2.0.1 came out last week, fixing a bug that could be used to inject code from one user into anothers session. It requires MySQL 5+ and PHP 5.2+. Get it here:
  http://www.phpmyadmin.net/home_page/downloads.php

One other note about scripts like this…you should read the README files. Quite often people hosting with us simply upload the entire package without checking to see what is actually required, and what is not. In the case of phpMyAdmin, several of the folders (“scripts”, “setup” and “contrib”) have no use for most users, or any user after the package is successfully configured. The same is true for services like LimeSurvey, phpBB and others, including anything that has a “samples” directory. This is especially significant this week, following the recent automated defacements targeting vulnerable “sample” scripts released with FCKeditor – one of the most popular WYSIWYG editors used on the web. Dump the samples, folks!

MySQL Server 5.1.36 was released late last month, correcting a large number of bugs, including some crash, corruption and security issues. Get it here:
  http://dev.mysql.com/downloads/mysql/5.1.html

In new web packages, bbPress has *finally* been officially released in a 1.0 series! Most significantly, this forum package integrates directly into the WordPress/WPMU authentication system, so it can easily be used in conjunction with WPMU to immediately extend the capabilities of your online community site.
  http://bbpress.org/download/

That’s all for now folks. Keep it clean out there. 😉

Regards,

Shawn K. Hall
https://SaferPC.info/
https://12PointDesign.com/