A new version of Firefox was released by Mozilla yesterday. Version 35.0.1 includes fixes for various crashing and security issues.
There was no announcement from Mozilla for Firefox 35.0.1. As usual, I learned of the new release from non-Mozilla web sites. The struggle continues.
Although there have been some improvements to the release notes for Firefox, it’s still often difficult to determine whether the items listed changed in the version being discussed, or in a previous version. For instance, while all the items at the top of the list marked as ‘Fixed’ also refer to version 35.0.1, nothing else on the list refers to a specific version. Many of those items do in fact look like they are related to Firefox 35.0. There’s a link to ‘various security issues‘, but again it’s not clear what on that list is specific to version 35.0.1.
Another new version of Google’s web browser was released yesterday. The announcement contains very few details. It’s unclear whether any of the changes are related to security.
Update 2015Jan28: This version includes the recent Flash update (16.0.0.296), making it a critical update.
Initially, the new version was not available from the main Flash download page, although computers with Flash’s automatic update feature enabled did download and install it. As of January 27, the new version is available on the Flash download page.
Anyone using a web browser with Flash enabled should install the new version as soon as possible.
SANS Internet Storm Centre has upgraded their Infocon threat rating from green to yellow, in response to the recent zero-day vulnerabilities in Flash. From the associated post:
“Our reasoning is that the Adobe Flash Player is very widely installed, the vulnerability affects multiple platforms, remote code execution gives the attacker complete control of the system, the patch is not yet available, it affects both organizational IT systems as well as home or soho users, a crimeware kit is actively exploiting the vulnerabilities, people might mistakenly believe that the patch from yesterday fixes all of the issues, and last but not least mitigation through the use of EMET or other tools/means is not normally feasible for home users or quick deployment in enterprise environments without testing. In short, the high impact of these vulnerabilities being exploited warrants raising the Infocon from now until Monday.”
The Infocon rating is displayed in the left sidebar of this web site.
Microsoft needs to understand that it’s on the wrong side of this battle. Vulnerabilities must be patched quickly, and absent any incentive, big companies like Microsoft, Oracle and Adobe will take increasingly long periods of time to produce patches. Ninety days is plenty of time.
VLC is one of the most popular media players; it’s cross-platform, and has a reputation for being able to play almost any kind of media. Given its popularity, unpatched vulnerabilities in VLC are likely to make attractive targets to malicious hackers.
Two vulnerabilities in VLC, CVE-2014-9597 and CVE-2014-9598, have yet to be acknowledged by VLC’s developers. Both are memory corruption bugs that can allow attackers to execute arbitrary commands on target systems.
Note that these vulnerabilities only affect VLC running on Windows XP, and only FLV and M2V files.
If you use VLC, you should exercise extreme caution when playing media from sources not known to be safe.
On Thursday, Adobe announced an update that addresses a recently-discovered vulnerability in Flash. According to Adobe, the vulnerability addressed by Flash 16.0.0.287 is CVE-2015-0310.
Anyone using a web browser with Flash enabled should install the new Flash as soon as possible.
Apparently there is at least one additional vulnerability in Flash that affects even the most current version (16.0.0.287) and is currently being exploited in the wild. This zero-day vulnerability is identified as CVE-2015-0311. According to Adobe, they are working on a patch, which should be available in the next few days.
SANS has a useful summary of the recent updates and vulnerabilities related to Flash.
The latest version of Google’s web browser includes fixes for a whopping 62 security issues. Chrome should update itself to version 40.0.2214.91 automatically.
Users are being encouraged to upgrade from Java 7 to Java 8. The download page now offers Java 8 instead of Java 7. Computers configured for Java auto-updates will be automatically upgraded from 7 to 8. And according to Oracle, Java 7 will see its final updates in April 2015.
Even up to date installations of Flash are currently vulnerable to a new zero-day exploit that’s showing up in the wild. The exploit has already been added to at least one exploitation kit, which means attacks using this exploit are likely to increase rapidly. The exploit can be used to gain unauthorized access to affected computers.
Anyone using a web browser with Flash enabled should be extremely cautious when browsing web sites not known to be safe. The safest course of action is to disable Flash in your browser.
I personally use Firefox with Flash enabled, but I have the Flash add-on configured to always ‘Ask to activate’. That way any time I visit a web site that wants to display Flash content, I can avoid any danger by leaving Flash disabled for that site.
Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.
boot13