Flash update incoming

Maybe the Flash developers didn’t make the deadline for Patch Tuesday, so they felt left out. Anyway, according to a security advisory published today, Adobe is working on an emergency update for Flash, to address one specific vulnerability, CVE-2016-4117.

That vulnerability is so new, it doesn’t appear in the vulnerability databases. Adobe refers to it as critical, and indeed, exploits have already been observed in the wild (which makes this a good example of a zero-day vulnerability). Adobe expects to publish a new version of Flash that addresses this vulnerability as early as May 12.

Interestingly, the advisory states that the vulnerability exists in Adobe Flash Player 21.0.0.226 and earlier, while the most recent published versions are 21.0.0.213 and 21.0.0.216. Now I’m thinking that Adobe delayed the Flash update scheduled for Patch Tuesday (which presumably would have been version 21.0.0.226) to give them time to fix CVE-2016-4117.

Patch Tuesday for May 2016

This month, besides the usual pile o’ patches from Microsoft, we have updates for Adobe Reader/Acrobat, but (big surprise) not for Flash.

There are sixteen Microsoft updates, addressing thirty-seven vulnerabilities in Windows, Internet Explorer, Office, Edge, and .NET. There’s also Microsoft Security Advisory 3155527. At least one of the vulnerabilities (CVE-2016-0189) is being actively exploited. This flaw could allow an attacker to execute malicious code if an unpatched computer visits a malicious or compromised web site.

The Adobe Reader update addresses over ninety vulnerabilities, which must set some kind of record. And not the good kind. If you use Reader in any context, you should update it to address these critical security issues.

Opera 37 released

A major new revision of Opera was announced yesterday: 37.0.2178.32.

Opera 37 includes some significant changes:

  • The minimum Windows system requirement is Windows 7. Anyone using Opera on Windows XP or Vista will have to stick with earlier versions.
  • Opera now has a native (built-in) ad blocker.
  • Videos can now be popped out into their own window for viewing convenience.

The new version also includes a variety of bug fixes and performance improvements. You can see a list of all the changes on the official Opera 37 change log. Note: somewhat confusingly, that log shows changes in beta and developer versions going back to February 2016. Opera routinely makes major new versions available to developers and beta testers, and Opera 37 has been available in those forms for a few months.

Firefox 46.0.1

I’m beginning to detect a weird kind of consistency to the way Mozilla assigns version numbers to Firefox.

If Mozilla staffers don’t want to formally announce a new version, they give it a minor revision number, like 46.0.1, which was released on Tuesday. If, on the other hand, Mozilla decides to announce a new version of Firefox, they give it a major revision number, like last week’s Firefox 46.0.

This sounds silly, but it seems to fit what we know. For example, despite the major difference in revision numbers between 46.0 and 46.0.1, both versions consist of a few bug fixes.

The release notes for Firefox 46.0.1 list six changes, all bug fixes for minor issues that aren’t particularly interesting. None of the fixes seem related to security.

April security roundup

People who store Slack credentials in GitHub code repositories learned that this is a bad idea, as researchers demonstrated the ease with which this information can be gathered without any explicit permissions.

Scary news: computers at a German nuclear reactor facility were found to be loaded with malware. The only thing that prevented miscreants from playing with real nuclear reactors was the fact that these computers are not connected to the Internet.

Crappy security practices led to the theft of user account information (email addresses and poorly-encrypted passwords) from Minecraft community site Lifeboat.

The notorious hacking group known as Hacking Team made the news again, this time with reports of active drive-by exploits affecting Android devices.

The Nuclear exploit kit is still operating, despite recent, partially-successful, efforts to shut it down. Researchers showed that the kit is still being used, and may be involved in recent ransomware infections.

Good news: the two men responsible for the notorious SpyEye banking trojan, recently extradited to the US to face federal prosecution, will be spending nine and fifteen years in prison.

Zero-day exploits are on the rise, doubling from 24 in 2014 to 54 in 2015. A zero-day exploit is a hack that takes advantage of software vulnerabilities before the software’s maintainers have had a chance to develop a fix.

Cisco security researchers identified vulnerabilities in several enterprise software systems, including Red Hat’s JBoss. As many as three million web-facing servers running this software are at risk of being infected with ransomware, and in fact as many as 2100 infected servers were identified.

More good news: the Petya ransomware was found to contain a flaw that allows its victims to decrypt their data without paying any ransom.

The Mumblehard botnet was taken down by ESET researchers, after it infected at least 4000 computers and sent out countless spam emails.

Microsoft announced plans to prevent Flash content from playing automatically in the Windows 10 web browser Edge. All the major browsers appear to be heading in this direction, if they don’t already have the feature, as Chrome does.

April’s issue of the SANS ‘Ouch!’ newsletter is titled “I’m Hacked, Now What?” (PDF) and provides helpful information for the recently-hacked. The newsletter is aimed at regular users, so it may not be particularly useful for IT professionals, except as a means to educate users.

The wildly popular WhatsApp – a messaging application for mobile devices – now has end-to-end encryption. This will make life more difficult for spy agencies who want to know what users are saying to each other. But WhatsApp users should be aware that this does not make their communications invulnerable, since techniques exist to get around full encryption, such as keystroke loggers.

Bad idea: someone at CNBC thought it would be a good idea to ask users to submit their passwords to a web-based system that would test the passwords and report on their relative strength. The service itself was vulnerable, and exposed submitted passwords to network sniffing. The service was taken offline soon after the vulnerability was identified.

The web site for toy maker Maisto International was hacked and serving up ransomware for an unknown amount of time, probably several days or even weeks. The hack was made possible because the site was using outdated Joomla software.

Vivaldi 1.1.453.52

Now that it’s officially released, Vivaldi is seeing frequent updates. The developers appear to be listening to user feedback and are fixing reported issues and enhancing functionality at a steady pace.

Another new version of Vivaldi was released earlier today: 1.1.453.52. This new version updates the Chromium browser engine, which includes several security fixes. Some Linux installation issues were resolved, and the developer tools improved.

Wrangling updates on a new Windows 7 install

I recently installed Windows 7 on a computer that was previously running Windows XP, and encountered a few issues. The biggest problem was Windows Update, which has trouble with new Windows 7 installs because of the huge number of post-Service Pack 1 updates. If you’re looking for a solution to that problem, you may want to skip to the Windows Update discussion, or jump directly to the fix that worked for me.

Install Now!

Booting from a Windows 7 install disc, the first thing I saw was a lone button in the center of the screen: Install Now. I found this disconcerting, because I was expecting to be able to choose a drive and partition on which to install Windows 7.

Not wanting the installer to choose the wrong partition, I powered down and disconnected all non-essential hard drives. Rebooting from the Windows 7 disc again, I clicked the Install Now button and was eventually allowed to choose the install destination. With a mixture of annoyance and relief, I carried on…

You should upgrade! (not)

I was planning a clean install, since as far as I was aware, it isn’t possible to upgrade from XP to 7.

Proceeding with the install, I assumed there would be no upgrade option. But the installer found the old Windows XP installation (which made sense), and suggested that I should perform an upgrade instead (which was unexpected).

So I followed the instructions: I rebooted the computer, this time from the old boot hard drive, which started Windows XP. Then I inserted the Windows 7 disc, and was told that upgrading from Windows XP to 7 was not possible. Thanks a lot for wasting my time, Microsoft.

Disconnect external drives

Proceeding with a clean install, past the message encouraging me to perform an upgrade install, past a warning about the old Windows directory being renamed windows.old, I was next informed that the installer was “unable to create a new system partition or locate an existing system partition.” There was no way to get past this message.

Turning to Google, I discovered that this message can occur when an external drive is connected to the computer. Remember when I said I disconnected all the other drives? Well, I forgot the external. I unplugged it, rebooted from the Windows 7 disc, and this time, the error did not appear.

Checking for updates…

Once the installer started actually installing, it didn’t take long to finish. At this point I allowed myself to see the light at the end of the tunnel. But that light was a train, and that train was called Windows Update.

In the good old days, Microsoft produced service packs for Windows. These were essentially giant collections of all previous updates, and were a big time saver for IT folks. Install Windows, download and run the most recent service pack, then install a few newer updates, and you’re done. Microsoft even provided Windows media with current service packs pre-installed, to save even more time.

Windows 7 Service Pack 1 was the last service pack ever, as Microsoft declined to produce SP2. It’s been a while since SP1, and Windows 7 is still supported, so the pile of post-SP1 patches is getting big. Well over 200, anyway. And this is a problem.

Aside: some people claim that the best way to install updates on a new Windows 7 install is to leave Automatic Updates enabled and walk away from the computer. This isn’t a viable option if you’re billing by the hour or have other clients waiting. Also, the idea of leaving everything in the hands of Microsoft makes me uneasy.

On my first attempt to run Windows Update, it displayed this error code: 8007000E. Microsoft provides a ‘help with this error’ link, which I clicked. This popped up a help dialog with a list of Windows Update error codes, but 8007000E was not listed. Not very helpful.

I tried running the Windows Update Troubleshooter, which claimed to find problems and fix them. After rebooting, I tried again to run Windows Update.

At this point, Windows Update said it was checking for updates, and it stayed like that for about an hour before I finally gave up and rebooted. Which brings up an interesting question: how long are we supposed to wait for Windows Update to check for updates? There’s no way for a user to determine whether Windows Update is actually doing something, or just frozen/hung. The progress indicator keeps whizzing by regardless. Yes, there are a lot of updates. But there’s no way it should take hours just to determine which updates are available.

After rebooting, I activated Windows 7, on the off chance that this would help. Running Windows Update again, I was presented with another, different error code: 80244019. And once again, the code wasn’t listed in the ‘help with this error code’ dialog.

Turning again to Google, I found a Microsoft knowledge base article about error code 80244019. This suggested that the computer had a virus. Really? A clean install onto a computer that’s behind a router isn’t going to magically become infected with a virus. However, I installed anti-malware software and ran a scan, which of course found nothing of interest.

Eventually, I decided to look for help elsewhere on the web. In other words, anywhere but Microsoft. And I found it on superuser, an extremely useful site where you can ask questions and get answers from other users. Full disclosure: I’m an active contributor to the site.

Superuser to the rescue

The superuser question that provided the solution is titled “Windows 7 SP1 Windows Update stuck checking for updates”, and there are several answers.

The answer with the highest number of votes recommends installing Microsoft update KB3102810. I installed that update, rebooted, and tried Windows Update again. Almost immediately, it found 161 updates. Success? Only partly. After about an hour of thrashing, Windows Update reported that 93 updates had installed successfully, while 68 updates failed to install. It also mentioned two more error codes, 8024200D and 8007000E. Yeesh.

After rebooting, I tried to install the magical KB3102810 update again, but was informed that it was already installed.

Referring again to that helpful superuser question, I decided to try the recommendations in the second highest ranking answer, which I have modified slightly:

  1. Make sure automatic updates are completely disabled: Control Panel > Windows Update > Change settings > Important updates > Never check for updates.
  2. Download the KB3138612 update, saving it somewhere you’ll remember.
  3. Download the Windows 7 System Update Readiness Tool (SUR), saving it somewhere you’ll remember.
  4. Restart the computer.
  5. Install the KB3138612 update, running it from where you downloaded it earlier.
  6. If you’re prompted to restart, do so.
  7. Install the SUR Tool, running it from where you downloaded it earlier. This is a large set of updates and can take a while to install.
  8. If you’re prompted to restart, do so.
  9. Run Windows Update and check for updates. It may take a few minutes to finish checking.
  10. Install any remaining updates.

Following this procedure resolved all remaining problems. At the final Windows Update check, there were sixty-two important updates and sixty-three optional updates. All 62 of the important updates installed successfully.
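For anyone repeating this on several machines, here is one way to script steps 1 and 5 through 8 from an elevated PowerShell prompt. This is an added example, not part of the superuser answer; the two package paths are hypothetical placeholders for wherever you saved the downloads, and it assumes both are .msu packages.

```powershell
# Added example. Package paths are hypothetical placeholders: point them at
# the files you downloaded in steps 2 and 3. Run from an elevated prompt.
param(
    [string]$ClientUpdate = 'C:\Updates\KB3138612.msu',
    [string]$SurTool      = 'C:\Updates\SUR-tool.msu'
)

function Test-AutoUpdateDisabled {
    # Step 1: AUOptions = 1 corresponds to "Never check for updates".
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $au = Get-ItemProperty -Path $key -Name AUOptions -ErrorAction SilentlyContinue
    return ($au -ne $null -and $au.AUOptions -eq 1)
}

function Test-KbInstalled([string]$Kb) {
    # Get-HotFix lists installed updates; match on the KB identifier.
    return [bool](Get-HotFix | Where-Object { $_.HotFixID -eq $Kb })
}

function Install-Msu([string]$Path) {
    if (-not (Test-Path $Path)) { throw "Package not found: $Path" }
    # wusa.exe is the Windows Update Standalone Installer.
    $wusa = Join-Path $env:SystemRoot 'System32\wusa.exe'
    $p = Start-Process -FilePath $wusa -ArgumentList "`"$Path`" /quiet /norestart" -Wait -PassThru
    switch ($p.ExitCode) {
        0       { return 'installed' }
        3010    { return 'installed, restart required' }
        2359302 { return 'already installed' }
        default { return ('failed, exit code 0x{0:X8}' -f $p.ExitCode) }
    }
}

if (-not (Test-AutoUpdateDisabled)) {
    Write-Warning 'Automatic updates are not set to "Never check for updates" (step 1).'
}

# Steps 5-6: install KB3138612 first and stop if it wants a restart.
if (-not (Test-KbInstalled 'KB3138612')) {
    $result = Install-Msu $ClientUpdate
    "KB3138612: $result"
    if ($result -like '*restart*') { 'Restart, then run this script again.'; return }
    if ($result -like 'failed*')   { return }
}

# Steps 7-8: the SUR tool can take a while; restart afterwards if asked.
"SUR tool: $(Install-Msu $SurTool)"
```

Because the script checks for KB3138612 before installing, running it a second time after the restart goes straight to the SUR tool. Steps 9 and 10 are still done through Windows Update itself.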

Conclusions

Microsoft’s help for Windows Update problems like these is useless:

  • error codes are not listed in the popup help for those codes;
  • the many Knowledge Base articles on this subject are not helpful; and
  • various troubleshooters and FixIts are rarely effective (note that the third answer on that superuser question suggested running one of these, and although it was the accepted answer, it got far fewer votes).