Patch Tuesday for October 2014

Yesterday saw eight security bulletins and associated patches from Microsoft, as well as two new versions of Java from Oracle, and a new version of Adobe Flash.

The Microsoft updates include three flagged Critical. The updates address twenty-four CVEs in Windows, Office, .NET Framework, ASP.NET, and Internet Explorer. A post on the MSRC blog provides a good overview.

Two new versions of Java from Oracle address as many as 25 security vulnerabilities in Java 7 and 8. If you’re using a web browser with Java enabled, you should install Java SE 8 Update 25 and/or Java SE 7 Update 72 as soon as possible. Unfortunately, Oracle has made things a bit confusing by saying that you should install SE 7 Update 72 only if you are being affected by the issues fixed in that version, and otherwise to install Update 71. Our recommendation is to install Update 72.

The new version of Flash is 15.0.0.189, and it includes fixes for at least three security vulnerabilities. If you’re like most people and use a browser with Flash enabled, you should update to the new version as soon as possible.

Microsoft once again realizes that there are different kinds of users

A lot of the criticism of Windows 8 focused on its lack of support for enterprise users. Most notably, the new user interface was spectacularly unsuited to business use. Enterprises stayed away from Windows 8, preferring to upgrade to – or stay with – Windows 7.

Microsoft seems to have given up on Windows 8. Although the Start menu was scheduled to reappear in Windows 8, plans for that change were later scrapped. Microsoft’s efforts are now firmly centered on Windows 10, where the Start menu will once again appear.

There’s more good news for enterprise users in Windows 10. According to a recent report from Ars Technica, the update process will have some new options that allow system administrators to control which updates are distributed to enterprise computers. This is already possible with Windows Server Update Services, but the new options promise to simplify things greatly.

USB firmware hacks published

We recently reported a new potential security threat in the form of hacked USB device firmware.

The details of the original hack were not reported by its discoverers, since it seemed likely that the vulnerability was widespread and difficult to fix.

Now a second team of researchers has published working code for a similar hack. Reactions have been mixed, with some categorizing this move as irresponsible.

This is probably going to get a lot worse before it gets better. There’s currently no way to detect whether a USB device has been hacked. Traditional anti-malware software is useless for this purpose.

Hopefully you were already exercising caution when using thumb drives, viewing drives from unknown sources with suspicion. With this new vulnerability, there’s probably no way to be perfectly safe unless you stop using thumb drives completely. Since that’s not practical for many users, you can stay relatively safe by making sure that your thumb drives are always on your person or stored in a secure location when not in use. So much for convenience.

Windows 10 Technical Preview

Anyone interested in looking at an early version of Windows 10 can sign up to the ‘Windows Insider Program’ at preview.windows.com. Signing up is free, but you are encouraged to think of this software in terms of short-term testing only.

The accompanying preview document (ed: no longer available) describes some important features of the upcoming O/S, including the new Start menu, window snapping and multiple desktops. Interestingly, it also steers clear of calling the next version ‘Windows 10’.

Windows 8 fading, XP and 7 still going strong

Microsoft’s recent announcements about Windows 10 may have been the death knell for Windows 8. It seems people are happy to wait for the next Windows or switch to Windows 7 rather than take on the task of learning a user interface better suited to mobile phones than desktop computers.

According to the latest stats posted by Ars Technica, Windows 8 sales slipped slightly in the last month, while Windows 7 sales increased and Windows XP held steady.

Windows 9 is Windows 10

Microsoft has a long history of naming things strangely, and they’re showing no signs of stopping. Despite it being a) logical; and b) already announced, “Windows 9” will not be the name of the next version of Windows. No, it will be “Windows 10”, because 10 is better than 9.

That aside, Windows 10 is apparently going to be a lot like Windows 7, at least according to some early prototype reviewers.

On a positive note, it looks like Microsoft is finally starting to realize that they can make users really happy by fixing things that should have worked properly in Windows 95. A good example of this is the file copy/move dialog in Windows 8.x, which is vastly better than in any previous version of Windows. And now the creaky old command window is finally going to be improved in Windows 10.

Update 2014Oct02: According to some sources, the reason ‘10’ was chosen over ‘9’ is that a lot of software currently includes code that determines whether a computer is running Windows 95 or 98 by looking at the Windows version and comparing it to “Windows 9”. However, while such code does exist, this is not the recommended method for determining Windows version. If Microsoft is going to make decisions like this based on sloppy, ancient coding practices, we’re in serious trouble.
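
To make the difference concrete, here is an added example (not taken from any of the software in question) that runs the name-prefix check next to a check on the platform family and numeric version. The OsInfo records are constructed sample data, the function names are hypothetical, and the version number given to the never-released "Windows 9" is an assumption.

```python
from dataclasses import dataclass

# Platform IDs as reported in the Win32 OSVERSIONINFO structure.
VER_PLATFORM_WIN32_WINDOWS = 1  # Windows 95 / 98 / Me family
VER_PLATFORM_WIN32_NT = 2       # NT family (XP, 7, 8, ...)


@dataclass(frozen=True)
class OsInfo:
    name: str         # marketing name, as an OS-name string would report it
    platform_id: int
    major: int
    minor: int


def is_win9x_by_name(info: OsInfo) -> bool:
    """The fragile check: compare the product name to "Windows 9"."""
    return info.name.startswith("Windows 9")


def is_win9x_by_version(info: OsInfo) -> bool:
    """Check the platform family and numeric version, not the name."""
    return info.platform_id == VER_PLATFORM_WIN32_WINDOWS and info.major == 4


# Constructed sample records. The "Windows 9" entry is hypothetical:
# no such product shipped, and its 6.4 version number is an assumption.
SAMPLES = [
    OsInfo("Windows 95", VER_PLATFORM_WIN32_WINDOWS, 4, 0),
    OsInfo("Windows 98", VER_PLATFORM_WIN32_WINDOWS, 4, 10),
    OsInfo("Windows Me", VER_PLATFORM_WIN32_WINDOWS, 4, 90),
    OsInfo("Windows XP", VER_PLATFORM_WIN32_NT, 5, 1),
    OsInfo("Windows 7", VER_PLATFORM_WIN32_NT, 6, 1),
    OsInfo("Windows 8.1", VER_PLATFORM_WIN32_NT, 6, 3),
    OsInfo("Windows 9", VER_PLATFORM_WIN32_NT, 6, 4),
    OsInfo("Windows 10", VER_PLATFORM_WIN32_NT, 10, 0),
]


def disagreements(samples=SAMPLES):
    """Names of the systems on which the two checks give different answers."""
    return [s.name for s in samples
            if is_win9x_by_name(s) != is_win9x_by_version(s)]


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s.name:12} by name: {is_win9x_by_name(s)!s:5} "
              f"by version: {is_win9x_by_version(s)}")
    print("checks disagree on:", disagreements())
```

The name check goes wrong in both directions: it would treat an NT-based "Windows 9" as Windows 95/98, and it misses Windows Me, which belongs to the same family.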