Flash 14.0.0.145 fixes more security vulnerabilities

These days ‘Patch Tuesday’ means Adobe updates as well as Microsoft updates. This month was no different: Adobe released a new version of Flash that addresses at least three vulnerabilities, including the JSONP callback API problem that made several popular sites potentially vulnerable.

The Flash runtime announcement for the new version outlines a few new features, most of which are likely only of interest to developers. The associated security bulletin gets into the details of the included security fixes.

As usual, Google Chrome will update itself, but this time via its internal ‘component updater’ rather than with a new version of the browser. Warning: the component updater sometimes takes a few days to do its work; unfortunately, there doesn’t seem to be any way to force the update.

Updates for the Flash component in Internet Explorer running on Windows 8.x will be made available through Windows Update.

Canada’s new anti-spam law

There’s a lot of confusion and panic about CASL, the new Canadian Anti-Spam Law, which went into effect on July 1. Like many of you, I’ve been receiving slightly panicky email from businesses, asking me to consent to receive bulk email from those businesses. In fact, asking to confirm consent is not necessary in most cases.

The rules

If you ever send email with multiple recipients in Canada, then the new law may apply to you. That said, there are numerous exceptions. For instance: personal, family, and other non-commercial email is excluded, as is most inter-business and intra-business email.

If you were already following the rules (PIPEDA), you are almost certainly fine to continue what you were doing before. The basic rules of CASL are the same, namely:

  • To send commercial email, you must have consent from all recipients;
  • email must include contact information for the sender;
  • email must include a method for unsubscribing; and
  • email must not be deceptive in any way.

Consent

Most of the confusion about CASL is related to the issue of consent. Two forms of consent come into play: explicit and implicit. The Canadian Government’s information about consent is helpful in understanding the difference. If you obtain recipient addresses by asking customers if they would like to receive business-related email from you, and only record addresses of those who agree, then you already have explicit consent; there is no need to re-obtain consent.

The deadline

Some of the panic about CASL stems from the apparent deadline of July 1, 2014. In fact, although the law came into effect on that date, you have until July 2017 to comply.

What about Twitter?

Another source of confusion is that the new law seems to cover any Internet-based service that sends messages to multiple recipients, including web forums and Twitter. While technically true, most web-based messaging services make it very easy for a recipient to identify the source of a message and to unsubscribe.

An example of what NOT to do

Microsoft recently informed recipients of its security-related emails that it would stop sending those emails. It turned out that this was an ill-informed overreaction to CASL. CASL does not apply to email containing safety or security information. Even if CASL did apply, it would only have applied to Canadian recipients.

Additional information

Java no longer supported on Windows XP

As of April 8, 2014, Oracle is no longer supporting the use of Java on Windows XP. Java 7 can still be installed on Windows XP, and Java 7 updates installed on Windows XP will probably work as expected, but Oracle says you’re on your own if bad things happen. Java 8 will refuse to install on Windows XP.

Recommendation: if you still have computers running Windows XP, stop using Java on those computers.

Update 2014Jul18: Oracle recently posted a clarification, saying that Java issues affecting only Windows XP will not be addressed with updates. Java issues affecting Windows XP as well as other versions of Windows will get updates, and those updates will work as expected on Windows XP.

Edit 2014Jul18: fixed two typos in the first paragraph.

Advance notification for July Microsoft updates

This month’s updates will become available around 10am PST on July 8. There are expected to be six bulletins, with associated updates affecting Windows and Internet Explorer. Two are tagged as Critical.

The official advance notification bulletin has all the technical details, while as usual there’s a less technical summary over on the MSRC blog.

Windows 8 growth rate flatlines; XP still going strong

Despite its initial growth spurt, it looks like people are staying away from Windows 8.x in droves. The latest stats show little to no change in the number of Windows 8.x installs in the last month. Windows XP’s recent slide, no doubt due to the end of its support, has also leveled out. As things stand, Windows XP use is roughly double that of Windows 8.x.

Microsoft may have thrown in the towel on Windows 8.x. They recently announced that the Start menu won’t reappear in Windows 8.x, but will be included in Windows 9, which is giving those of us who advised against switching to Windows 8 an excuse to say ‘I told you so.’

Microsoft adds encryption to its email and cloud storage services

Traffic into and out of Microsoft’s Outlook.com email service will now be encrypted, as long as the other end also supports encryption. Both Outlook.com and OneDrive, Microsoft’s cloud storage service, now use random keys that are generated for each session.

That last change is a strong indication that Microsoft’s motivation in making these changes is to regain public trust in the wake of Snowden’s revelations. The NSA and other law enforcement agencies can only read encrypted communication if they obtain the encryption keys, and now those keys are temporary and disappear after use.

Ars Technica has additional details.
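A check a mail administrator can run against their own server to confirm the two properties described above: that the server offers encryption to peers that support it (STARTTLS) and that the negotiated cipher suite uses per-session ephemeral keys rather than the server’s long-term key. This is an added example, not code from the post or from Microsoft; the host name is a placeholder and the EHLO reply is a constructed sample.

```python
import smtplib
import ssl
import sys

# Cipher suites whose key exchange is ephemeral (ECDHE/DHE) give forward
# secrecy: the session key is never derived from the server's long-term key,
# so it cannot be recovered afterwards even if that key is obtained.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "TLS_ECDHE_", "TLS_DHE_")

def is_forward_secret(cipher_name, tls_version):
    """True if the negotiated suite used per-session (ephemeral) keys."""
    if tls_version == "TLSv1.3":
        return True  # every TLS 1.3 suite uses an (EC)DHE handshake
    return cipher_name.upper().startswith(EPHEMERAL_PREFIXES)

def parse_ehlo_extensions(ehlo_msg):
    """Keywords advertised in an EHLO reply as smtplib returns it
    (greeting on the first line, one extension per following line)."""
    lines = ehlo_msg.decode("ascii", "replace").splitlines()
    return {line.split()[0].upper() for line in lines[1:] if line.split()}

# Constructed sample of an EHLO reply (not any real server's output).
SAMPLE_EHLO = (b"mail.example.com Hello [203.0.113.7]\n"
               b"SIZE 35882577\nSTARTTLS\nENHANCEDSTATUSCODES")

def check_smtp_starttls(host, port=25, timeout=10):
    """Live probe: require STARTTLS, then report the negotiated cipher."""
    ctx = ssl.create_default_context()  # verifies chain and host name
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, msg = smtp.ehlo()
        if "STARTTLS" not in parse_ehlo_extensions(msg):
            return {"starttls": False}
        smtp.starttls(context=ctx)
        smtp.ehlo()  # EHLO must be repeated over the encrypted channel
        name, version, bits = smtp.sock.cipher()
        return {"starttls": True, "cipher": name, "version": version,
                "bits": bits, "forward_secret": is_forward_secret(name, version)}

if __name__ == "__main__":
    # Host name is a placeholder; pass your own server on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    print(check_smtp_starttls(target))
```

A result with `"starttls": False` or `"forward_secret": False` means the server still falls back to cleartext or to a suite whose session key could be recovered later with the server’s private key.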

Vulnerability in WordPress plugin MailPoet

A newly identified bug in the popular WordPress plugin MailPoet exposes any site using the plugin to hijacking.

WordPress site admins who manage sites using MailPoet should upgrade to version 2.6.7 as soon as possible to avoid problems. WordPress sites are an extremely tempting target for nefarious hackers and news of this vulnerability has undoubtedly spread rapidly among them.

Update 2014Jul24: According to Sucuri, once a web server has been compromised via this MailPoet vulnerability, all sites on the server are vulnerable, including sites not even running WordPress or MailPoet. Ars Technica has more.

Microsoft gets careless in its anti-malware efforts

Up to now we’ve been happy to report on the successes of Microsoft’s work on hindering or shutting down botnets and other malware networks and sites. But their most recent actions in this area were heavy-handed, resulting in millions of legitimate domains going offline.

From Microsoft’s official blog post:

On June 19, Microsoft filed for an ex parte temporary restraining order (TRO) from the U.S. District Court for Nevada against No-IP. On June 26, the court granted our request and made Microsoft the DNS authority for the company’s 23 free No-IP domains, allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats.

Microsoft named two foreign nationals, Mohamed Benabdellah and Naser Al Mutairi, and a U.S. company, Vitalwerks Internet Solutions, LLC (doing business as No-IP.com), for their roles in creating, controlling, and assisting in infecting millions of computers with malicious software—harming Microsoft, its customers and the public at large.

We’re taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware.

That all sounds fine, except for one thing: No-IP was also being used for millions of domains with perfectly legitimate purposes. Microsoft says they knew this, and took measures to protect non-malicious domains.

Backlash against Microsoft’s actions is ramping up. Microsoft’s PR people are now saying that this is all due to a technical error, but given their characterization of No-IP (see above), it seems more likely that this is just spin, and they really did mean to kill all domains using No-IP’s services.

Brian Krebs has additional details, as does Ars Technica.

Update 2014Jul03: Microsoft has returned control of the No-IP domains to No-IP. There’s still some doubt as to whether Microsoft acted in good faith: No-IP claims they were never contacted by Microsoft prior to the domain seizure; Microsoft claims otherwise. Regardless, I imagine No-IP will quickly move to remove clients using No-IP for nefarious purposes.

Update 2014Jul13: The EFF has a useful followup of the debacle.