Monthly Archives: March 2016

Java, Patches and updates, Security

Old Java vulnerability still not fixed

Leave a comment

A serious security vulnerability affecting current versions of Java, originally reported in 2012 (PDF), remains only partially fixed, according to Adam Gowdiak of Security Explorations.

When Oracle released Java 7 Update 40 in October 2013, the original issue appeared to have been fixed. Subsequent testing showed that while the fix addressed the original Proof of Concept code provided by Mr. Gowdiak, changing the PoC code slightly revealed that the fix was incomplete.

Until recently, Gowdiak was reluctant to announce his discovery of the partial fix, because of his own organization’s disclosure policies. On March 7, 2016, those policies were updated: “A recent change to those policies means that if an instance of a broken fix for a vulnerability we already reported to the vendor is encountered, it gets disclosed by us without any prior notice.”

Mr. Gowdiak revealed his findings (PDF) at the recent Javaland conference, and on the Full Disclosure security email list. The original PoC code was altered slightly to demonstrate the vulnerability and provided to Oracle.

Whether we will ever see a complete fix for this issue remains to be seen. Meanwhile, our advice about Java is unchanged: if you don’t need it, uninstall it. If you need it to run a specific application, remove Java from your web browsers, or leave it enabled in a browser you only use for specific applications. At the very least, make sure your browsers are configured so that Java content does not run automatically (i.e. enable click-to-play).

You can read more about the history of this and other Java security vulnerability research conducted by Adam Gowdiak at his Security Explorations web site.

Other references: Ars Technica.

Opera, Patches and updates

Opera 36

Leave a comment

Take a look at this post on the Opera blog. Go ahead, I’ll wait here until you get back.

Now, did that look like an announcement for a new version of Opera? It does mention an Opera version (36), but it doesn’t say whether version 36 has been released, or if so, when. Maybe it means they’re still working on it. Maybe it was released two weeks ago and they’re just now talking about it. There are also no links to release notes or change logs.

I don’t keep current version numbers in my head. So I ran Opera and checked its About page. Sure enough, it was version 35, and it started downloading Opera 36 right away. Great!

To find out what changed in Opera 36, I started with the current software versions page (that I formerly maintained) on this site. That page had links to the Opera change logs and release notes (current, previous, and history).

According to the change log for Opera 36, the new version fixes numerous bugs, including some related to crashing and performance issues. None of the bugs addressed seem to be related to security.

The sort-of announcement for Opera 36 doesn’t provide much additional information. Mostly it’s about improvements related to Windows 10.

There’s also a ‘unified change log‘ for Opera 36, that lists what Opera considers to be the most important changes in Opera 36: better Windows 10 compatibility, minor improvements to the Start page, and stability and performance improvements.

Microsoft, Patches and updates, Privacy, Windows 10, Windows 7, Windows 8.x

Privacy-related updates to avoid on Windows 7 & 8.1

1 Comment

If you use Windows 7 or 8.1, by now you’ve no doubt noticed that Microsoft is trying to push you to upgrade to Windows 10. In my opinion, Microsoft is doing this because Windows 10 includes a lot of features that track your activities, and the information gathered is extremely valuable for the purposes of advertising. Windows 10 doesn’t have a lot of advertising yet, and Microsoft denies that this is what they’re planning, but it seems clear that Microsoft is jealous of Google’s enormously lucrative ad-supported empire.

But what about all those people staying with Windows 7 and 8.1? Microsoft’s solution is to retrofit those versions, via Windows Update, with some of the privacy-invading features from Windows 10. And of course, because we’re talking about Microsoft, they’re trying to hide what they’re doing by obfuscating the true purpose of these updates. The language used to describe these updates tends to include phrases like “This service provides benefits from the latest version of Windows to systems that have not yet upgraded.”

We’ve discussed the KB3035583 update (and how to remove it) before. That’s the update that adds all those annoying upgrade prompts to Windows 7 and 8.1. But you should be aware of (and watch for) a few other sneaky updates. These have been generally categorized as ‘telemetry’ updates; a reference to the way they monitor what’s happening on your computer.

Telemetry Updates

If you want to avoid these telemetry updates, check to see if they are already installed. If they are, uninstall them, and use the ‘hide’ feature of Windows Update to prevent them from reappearing. If you see these updates listed in Windows Update, make sure to de-select them, then hide them.

Varying interpretations

Woody Leonhard is getting a bit of a reputation as a Microsoft apologist. You may recall that he refused to believe that Microsoft would push Windows 10 onto Windows 7 users, and later had to admit he’d been wrong. Woody’s analysis of the telemetry updates is predictably pro-Microsoft.

At the other end of the spectrum, there’s a project on Github that consists of a batch script that automatically removes all of the telemetry updates from Windows 7 and 8.1. It actually removes twenty-one updates, many of which are shady for other reasons besides privacy.

A more balanced analysis is provided by the GHacks site. This article identifies the most problematic (telemetry) updates and explains how to get rid of them.

Adobe, Edge, Flash, Internet Explorer, Patches and updates, Security

Emergency update for Flash

Leave a comment

If you use a web browser with Flash enabled, you should stop what you’re doing and update Flash.

According to the associated Adobe security bulletin, Flash 21.0.0.182 fixes twenty-three security vulnerabilities, including one (CVE-2016-1010) that is being actively exploited on the web.

The release notes for Flash 21.0.0.182 provide additional details. The new version fixes several bugs that are unrelated to security, and adds some new features.

As usual, Chrome will update itself with the new version of Flash, and Internet Explorer and Edge on newer versions of Windows will be updated via Windows Update.

Firefox, Patches and updates, Security

Firefox 45 released

Leave a comment

The good people at CERT once again alerted me to a new version of Firefox, 45.0. Apparently Mozilla still can’t manage to announce new versions consistently.

According to the official release notes for Firefox 45.0, the new version includes minor improvements to syncing, searching, and HTML5 support. It also fixes several bugs, including at least twenty-two related to security vulnerabilities. On my main computer, Firefox’s About screen already offers to install the new version, but if yours doesn’t, you should grab it from the main Firefox download page ASAP.

Adobe, Edge, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for March 2016

Leave a comment

It’s time once again to roll up the sleeves and get patching. This month we have thirteen security bulletins and associated updates from Microsoft. The updates address at least forty-four security vulnerabilities in Windows, Internet Explorer, Edge, Office, Windows Server, and .NET. Five of the updates are flagged as Critical.

Adobe’s contribution this month is new versions of Acrobat/Reader. You may have noticed that Adobe has confused things by splitting Acrobat/Reader into several variations: classic, continuous, and desktop. According to Adobe, the continuous variant always has all the most recent updates, fixes, and new features. I think it’s safe to assume that’s the variant most people should be using. The new continuous version of Reader is 15.010.20060. All of the new versions include fixes for three security vulnerabilities.

Internet, Security, Tools

Test your browser’s security

Leave a comment

A new, free, web-based service from cyscon GmbH tests your web browser and reports any security issues it finds.

Check-and-secure starts by checking your computer for open ports, then compares your IP address against a list of addresses associated with botnet activity.

Next, you have the option of checking your browser version and looking for out of date plugins like Java, Flash, and Silverlight. This is arguably the most useful part of the service, and you can get to it directly, which is handy.

The remainder of the service consists of offers to install various local security software packages. I haven’t yet tried the Cyscon Vaccination software, so can’t comment on its efficacy.

Hardware, Internet, Microsoft, Patches and updates, Security, Silverlight

February security roundup

Leave a comment

In February, a security researcher discovered that a Silverlight exploit – patched by Microsoft in January – is now being distributed through the Angler hacking kit. The researcher also found web sites using the exploit to infect site visitors who have not yet installed the Silverlight patch.

Comodo Internet Security, a highly-rated security package, was found to include features that actually make the host computer less secure. Most notably, that included a VNC server running without a password. VNC is a remote desktop application. The problems were resolved in subsequent updates from Comodo.

Brian Krebs wrote about serious security issues found in some Internet-connected Trane thermostats, and warns buyers to use caution when purchasing ‘smart’ devices.