Patch Tuesday for September 2014

This month’s crop of updates from Microsoft includes four security bulletins, addressing 42 CVEs in Microsoft Windows, Internet Explorer, .NET Framework, and Lync Server. The update for Internet Explorer is Critical, and should be installed ASAP.

From Adobe, we get another new version of Flash, 15.0.0.152. The new version addresses memory leakage vulnerabilities that could be used to bypass memory address randomization (CVE-2014-0557), a security bypass vulnerability (CVE-2014-0554), a use-after-free vulnerability that could lead to code execution (CVE-2014-0553), memory corruption vulnerabilities that could lead to code execution (CVE-2014-0547, CVE-2014-0549, CVE-2014-0550, CVE-2014-0551, CVE-2014-0552, CVE-2014-0555), a vulnerability that could be used to bypass the same origin policy (CVE-2014-0548), and a heap buffer overflow vulnerability that could lead to code execution (CVE-2014-0556, CVE-2014-0559). Anyone still using Flash, especially within a web browser, should update immediately.

Google Chrome and Internet Explorer on Windows 8.x will be updated automatically to include the new version of Flash.

WordPress 4.0 released

A new version of WordPress was announced on September 4.

WordPress 4.0 has some new features, but nothing groundbreaking. Mostly this version is about tweaking existing features to make them more useful: for example, media embedding is now slightly easier. The official change log has the complete list of changes.

WordPress 4.0 doesn’t include any security fixes, so there’s no need to rush your site updates.

Firefox 32.0 released

A new version of Firefox was released yesterday, with the usual complete lack of any kind of proper announcement. The only thing posted on the Mozilla blog (“the official source for Mozilla-related news, opinions, events and more”) yesterday was this post about Firefox for Android.

On a more positive note, the release notes for Firefox are looking better. It looks like my insistent prodding has led to some action, because the Firefox 32.0 release notes page now has a page title that includes the version, and the topmost heading also includes the version.

Firefox 32 includes fixes for at least six security vulnerabilities, so anyone using Firefox should update it as soon as possible. Version 32 also improves performance, and adds some minor features, including changes to the page context (right-click) menu.

Home Depot: massive security breach

Brian Krebs reports on the most recent security breach at a major retailer. According to some reports, the breach started as far back as April 2014. There’s no direct evidence of a breach, but it looks like it’s only a matter of time before that changes, given the suspicious activity related to Home Depot being reported by financial institutions.

Update 2014Sep04: Details are starting to appear, and it looks like almost all Home Depot stores in the USA are affected.

Update 2014Sep19: Brian Krebs has additional details on the scale of the breach. According to Home Depot, as many as 56 million debit and credit card numbers were stolen.

Update 2014Nov08: As if this breach wasn’t already bad enough, apparently the attackers also stole as many as 53 million email addresses from Home Depot systems. Maybe this explains the recent uptick in spam email I’ve noticed.

Targeted iCloud accounts compromised

By now you’ve likely heard that dozens of celebrity accounts on Apple’s iCloud service were recently accessed by unscrupulous persons, and embarrassing photos from those accounts posted on various web sites.

This should serve as a reminder to everyone who uses web-based storage like iCloud that such services are extremely tempting targets for nefarious hackers.

In this case, the invader discovered that the ‘Find my Phone’ app had no protection against brute force (rapid, automated) login attempts. This was used, along with a list of common passwords, to learn the passwords of some targeted iCloud accounts, at which point all data stored on those accounts became available.

If you use cloud storage, make sure to use strong passwords; otherwise, you might as well assume everything you store there is publicly accessible.
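The two controls the paragraphs above point at, a login endpoint that throttles repeated failures and a registration step that refuses common passwords, as an added example. This is illustrative code written for this post, not code from Apple or from any real iCloud service; the denylist, the attempt thresholds and the lockout duration are constructed assumptions, and the fake clock exists only so the run is deterministic.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# Constructed denylist; a real deployment would load a large list of
# breach-derived passwords rather than this handful.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}
MIN_PASSWORD_LENGTH = 12

MAX_FAILURES = 5        # failures allowed inside the window (assumed)
WINDOW_SECONDS = 60     # sliding window for counting failures (assumed)
LOCKOUT_SECONDS = 900   # how long an account stays locked (assumed)
PBKDF2_ITERATIONS = 100_000


class FakeClock:
    """Controllable clock so the demonstration below is repeatable."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginThrottle:
    """Per-account sliding-window failure counter with a temporary lockout."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(deque)  # account -> recent failure times
        self.locked_until = {}              # account -> unlock time

    def is_locked(self, account):
        now = self.clock()
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now >= until:                    # lockout expired: reset state
            del self.locked_until[account]
            self.failures[account].clear()
            return False
        return True

    def record_failure(self, account):
        now = self.clock()
        window = self.failures[account]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                # drop failures outside the window
        window.append(now)
        if len(window) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS

    def record_success(self, account):
        self.failures[account].clear()


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class AuthService:
    """Minimal credential store: salted PBKDF2 hashes plus the throttle above."""
    def __init__(self, clock=time.monotonic):
        self.users = {}                     # account -> (salt, derived key)
        self.throttle = LoginThrottle(clock)
        self._dummy_salt = os.urandom(16)   # keeps unknown-account work constant

    def register(self, account, password):
        # Refuse passwords that a guessing campaign would try first.
        if len(password) < MIN_PASSWORD_LENGTH or password.lower() in COMMON_PASSWORDS:
            return False
        salt = os.urandom(16)
        self.users[account] = (salt, _derive(password, salt))
        return True

    def login(self, account, password):
        if self.throttle.is_locked(account):
            return "locked"                 # refused before any password check
        salt, expected = self.users.get(account, (self._dummy_salt, b""))
        if hmac.compare_digest(_derive(password, salt), expected):
            self.throttle.record_success(account)
            return "ok"
        self.throttle.record_failure(account)
        return "denied"


def demonstrate_lockout():
    """Show that a burst of wrong guesses locks the account, even for the right password."""
    clock = FakeClock()
    svc = AuthService(clock)
    weak_ok = svc.register("alice", "password")            # rejected: on the denylist
    strong_ok = svc.register("alice", "correct horse battery")
    responses = [svc.login("alice", f"wrong-guess-{i}") for i in range(MAX_FAILURES)]
    responses.append(svc.login("alice", "correct horse battery"))  # locked out now
    clock.advance(LOCKOUT_SECONDS + 1)
    responses.append(svc.login("alice", "correct horse battery"))  # lockout expired
    return {"weak_password_accepted": weak_ok,
            "strong_password_accepted": strong_ok,
            "responses": responses}


if __name__ == "__main__":
    print(demonstrate_lockout())
```

The throttle is keyed on the account rather than the client address, because the failure mode described above is many guesses against one account; the lockout check runs before the password is verified so that a locked account costs the caller nothing to learn.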

The SANS InfoSec Handler’s Diary has more.

Update 2014Sep07: Ars Technica has a followup, in which Apple CEO Tim Cook admits Apple could have done more to prevent the incident, and talks about upcoming iCloud security changes. Over on his blog, Bruce Schneier reminds everyone that strong passwords would have protected the victims’ accounts, and recommends using an offline password manager.