The full change log lists forty changes in Chrome 54.0.2840.71. None of them seem to be related to security, but at least one is a fix for a crashing issue. The release announcement doesn’t get into any specifics.
Firefox 49.0.2
Version 49.0.2 of Firefox fixes at least one security vulnerability, along with a few other minor bugs. There’s also a performance improvement for sites that use Flash.
If you’re still running an earlier version, you can usually trigger an update by going to the About page: click the ‘hamburger’ icon at the top right, click the question mark icon, then click About Firefox.
Serious Linux kernel vulnerability patched
As amusing as it may sound, the recently-patched ‘Dirty Cow’ Linux kernel vulnerability (CVE-2016-5195) highlights a couple of important points:
- vulnerabilities – even known ones – can remain unpatched in critical software for years; and
- a misconfigured server that allows uploaded files to be executed is easily hacked.
At first glance, the Dirty Cow vulnerability may not seem particularly noteworthy. It doesn’t directly allow for arbitrary code execution. But it does allow an attacker who already has the ability to run arbitrary code on a target system to gain full access to that system via privilege escalation.
A Linux server that allows user uploads of any kind is normally configured so that uploaded files cannot be executed. However, it’s very easy to get this wrong, especially for web servers. Still, in most cases, being able to run an uploaded file remotely isn’t enough to provide the kind of access attackers want. Dirty Cow provides that access.
Anyone running a Linux server is strongly advised to install the available kernel updates for Dirty Cow immediately.
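The second point above is a configuration problem rather than a kernel bug, so it can be audited independently of the patch. The following POSIX shell functions are an added example, not code from the original post: they report whether an upload directory sits on a filesystem mounted noexec, list any regular files under it that carry an execute bit, and strip those bits as a remediation step. The directory path is an assumption, and upload_dir_noexec assumes the util-linux findmnt utility is installed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a web upload directory
# for the misconfiguration the post describes, i.e. uploaded files that the
# server could execute. /var/www/uploads below is a hypothetical path.

# Return 0 if the filesystem holding $1 is mounted with noexec, 1 otherwise.
# Relies on findmnt from util-linux (assumed available).
upload_dir_noexec() {
    dir="$1"
    opts=$(findmnt -n -o OPTIONS --target "$dir" 2>/dev/null) || return 1
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every regular file under $1 that has any execute bit set.
# Returns 0 when none are found, 1 when at least one is.
upload_dir_exec_files() {
    dir="$1"
    found=$(find "$dir" -type f -perm /111 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Remediation: clear execute bits on all regular files under $1.
upload_dir_strip_exec() {
    find "$1" -type f -exec chmod a-x {} +
}

# Combine both checks; returns non-zero if either one flags a problem.
audit_upload_dir() {
    dir="$1"
    status=0
    if upload_dir_noexec "$dir"; then
        echo "ok: $dir is on a noexec mount"
    else
        echo "warn: $dir is not on a noexec mount"
        status=1
    fi
    if upload_dir_exec_files "$dir"; then
        echo "ok: no executable files under $dir"
    else
        echo "warn: executable files found under $dir (listed above)"
        status=1
    fi
    return $status
}

# Usage (hypothetical path): audit_upload_dir /var/www/uploads
```

Mounting the upload location noexec is the stronger of the two controls, since it holds even if a future upload handler forgets to clear file modes; the chmod pass is a quick fix for files already present.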
Silverlight 5.1.50901.0
These days, new Silverlight versions are typically released by Microsoft in connection with monthly Patch Tuesdays. That’s what happened with the latest version, 5.1.50901.0, which should have been installed with the other updates on Windows systems on October 11.
The new version fixes a single vulnerability, as documented in the associated security bulletin (MS16-120) and Knowledge Base article (KB3192884).
You can verify that you’re running the latest version of Silverlight by visiting the Get Microsoft Silverlight page.
Opera 40.0.2308.90
A few minor bug fixes and an update to the browser engine (Chromium) are what’s new for Opera 40.0.2308.90. The new version doesn’t include any security fixes.
Chrome 54.0.2840.59
A new version of Google’s Chrome web browser includes fixes for at least twenty-one security issues.
According to the announcement, Chrome 54 “contains a number of fixes and improvements”, but it doesn’t mention any specifics. If you want to know exactly what’s different, you’ll have to risk crashing your web browser and look at the full change log, which lists at least 10,000 changes.
For most users, Chrome will update itself over the next few days. You can usually trigger an update by running Chrome and navigating to the Help > About page (click the ‘three dots’ icon at the top right).
Adobe software updates: October 2016
Adobe announced new versions of Flash and Reader/Acrobat yesterday.
Flash 23.0.0.185 fixes twelve vulnerabilities in previous versions. The new version also adds some new features, but these are likely only of interest to developers. If you still have Flash enabled in any web browser, you should either update it immediately, or disable Flash in the browser. As usual, Chrome will update itself with the latest version, and Internet Explorer and Edge on Windows will get the new Flash version via Windows Update.
New versions of Reader/Acrobat (XI, DC Classic and DC Continuous) address a whopping seventy-one vulnerabilities in previous versions. If you use a web browser with an Adobe Reader add-on, you should either update it as soon as possible or disable that add-on.
Patch Tuesday: October 2016
It’s the first day of a new era in Windows updates. Windows 7 and 8 now receive their updates bundled together in cumulative rollups.
This month there are ten security bulletins. Each bulletin is associated with one fix for a specific vulnerability in an application, library, or API; or with a bundle of fixes that address several vulnerabilities in Windows.
Each bulletin is associated with at least one Knowledge Base article, and sometimes with additional KB articles that apply to different versions of Windows, Office, .NET, or some other application. Each additional KB article is associated with a version-specific update. There are often two sets of KB articles: one for the security-only quality update and one for the security monthly quality rollup.
All of the security updates this month are available via Microsoft Update. Most are also available from the Microsoft Download Center and the Microsoft Update Catalog (MUC). Downloading updates from the MUC technically requires Internet Explorer, but you can use any other browser by navigating to http://catalog.update.microsoft.com/v7/site/Rss.aspx?q=KBxxxxxxx (replacing KBxxxxxxx with the KB article number).
- MS16-118 Cumulative Security Update for Internet Explorer (KB3192887) – a set of security updates for Internet Explorer that address eleven separate vulnerabilities of six distinct types
- MS16-119 Cumulative Security Update for Microsoft Edge (KB3192890) – a set of security updates for Edge on Windows 10 that address thirteen separate vulnerabilities of seven distinct types
- MS16-120 Security Update for Microsoft Graphics Component (KB3192884) – a set of security updates for graphics components that are used in Windows, .NET, Office, Skype, and Lync; seven separate vulnerabilities of four distinct types are fixed
- MS16-121 Security Update for Microsoft Office (KB3194063) – a security update for Microsoft Office that addresses a single vulnerability
- MS16-122 Security Update for Microsoft Video Control (KB3195360) – a security update that addresses a single vulnerability in video control software on Windows
- MS16-123 Security Update for Windows Kernel-Mode Drivers (KB3192892) – a set of security updates for Windows kernel-mode drivers; five separate vulnerabilities of two distinct types are addressed
- MS16-124 Security Update for Windows Registry (KB3193227) – a set of security updates affecting the Windows registry; four separate elevation of privilege vulnerabilities are addressed
- MS16-125 Security Update for Diagnostics Hub (KB3193229) – a security update for the Windows Diagnostics Hub; a single vulnerability is fixed
- MS16-126 Security Update for Microsoft Internet Messaging API (KB3196067) – a security update for the Windows Messaging API; a single information disclosure vulnerability is fixed
- MS16-127 Security Update for Adobe Flash Player (KB3194343) – a set of security updates for Flash in Internet Explorer and Edge; thirteen separate vulnerabilities are fixed
So far I don’t see anything in these new updates that looks particularly worrisome. Of course there’s always a risk that Microsoft will slip something in that we don’t want, but there’s a non-trivial amount of scrutiny being directed toward Microsoft right now, and I’m confident someone will quickly spot anything untoward.
I was half-expecting the updates to be as poorly documented as Windows 10 updates, but instead the Windows 10 updates are now as well documented as the others. I also thought there would be fewer bundles, and I didn’t expect them to be grouped as sensibly as they are.
The new system is simpler in some ways, and it does at least unify all versions of Windows to some extent, although Windows 10 updates are still treated somewhat differently. It all actually seems less clunky than before, which is a very nice surprise.
Questions remain. It’s unclear how bad updates will be handled. In the past, if an update broke Windows, you could uninstall it. Now, presumably, you’d have to uninstall an entire bundle. Or something. We’ll see how it goes next month when rollups start arriving with multiple months worth of updates.
Update 2016Oct12: Brian Krebs’ take on the new Windows Update system.
Regulating Internet connected (IoT) devices
At this point it’s clear that thousands of poorly-secured IoT devices were used in the recent large-scale DDoS attacks against krebsonsecurity.com and OVH. Ongoing analysis points to devices manufactured by a Chinese company called XiongMai Technologies, which makes generic Digital Video Recorder (DVR) and Internet camera devices that are sold to vendors who use them in their own products.
Chinese vendor Dahua sells products that use these vulnerable devices. Dahua products appear several times in the list of affected devices published by Brian Krebs, and Flashpoint Intel also identifies Dahua devices as being involved.
Companies like XiongMai Technologies and Dahua share the blame for flooding the Internet with these easily-co-opted devices. XiongMai Technologies created devices that are inherently insecure and unsuitable for direct connection to the Internet. Dahua either failed to comprehend the danger, or chose to ignore it, producing deeply flawed consumer devices and – as Brian Krebs puts it – dumping toxic waste onto the Internet. These devices are spread around the globe, most to be plugged in and forgotten for years, ready to be abused by whoever can find them. Some of these devices can’t actually be fixed, since their vulnerabilities exist in firmware that can’t be updated.
Dahua’s response to all this isn’t likely to reduce concerns, since it tries to shift the blame onto users who failed to change default passwords, while ignoring the fact that these passwords cannot be changed in some cases.
What can be done about this? Beyond locating and removing the current crop of vulnerable devices – a difficult task in itself – how can we avoid this situation in the future? Preventing poor quality products from entering the market is ultimately the responsibility of governments. Until authorities get involved, this is likely to keep happening. If they fail to act now, the attacks will continue to get worse until commerce is affected, at which point it will no longer be possible for governments to ignore the problem. Bruce Schneier shares this view.
The good news is that the European Union is already taking action. The EU is planning to upgrade its telecommunications laws, which are now expected to include requirements for labeling IoT devices that are secure and approved for Internet connection. This kind of labeling already works well for showing the energy usage of electrical appliances.
Kudos to the European Commission for recognizing that the ongoing flood of crappy IoT devices is a major contributor to Internet-related problems, including the recent, massive DDoS attacks. Let’s hope that other governing bodies wake up soon.
Microsoft ‘clarifies’ upcoming Windows Update changes
Yesterday, in a blog post aimed at people who support Windows in organizations, Microsoft responded to some of the questions that arose in the wake of their announcement of upcoming changes to the way Windows 7 and 8.x are updated.
If you plan to risk a migraine and read Microsoft’s blog post, keep in mind that the intended audience is Enterprise users, not us lowly consumers (aka Windows 7/8 Home/Pro users). Parts of the post need to be interpreted differently for non-enterprise users. For instance, references to WSUS and ConfigMgr only apply to Enterprise users.
The changes will take effect on October 11, next week’s Patch Tuesday. The bottom line is that updates will no longer be delivered separately, but in large update packages. Each month, three of these packages will be produced:
- security-only quality update – a single update containing this month’s security updates; not available through Windows Update!
- security monthly quality rollup – a single update containing this month’s security updates, as well as non-security updates from the previous month, and the contents of all previous rollups.
- preview of the monthly quality rollup – perhaps weirdest of all, this update will contain next month’s non-security updates. In other words, this month’s non-security updates, which are otherwise not available in the regular monthly rollup. Microsoft seems to be saying “For those of you who want this month’s non-security updates but would prefer not to wait until next month to get them, here’s a preview of those updates.” Even weirder, this update will become available the week after the regular Patch Tuesday. The preview rollups will also include fixes from all previous monthly rollups, and older updates will be gradually added as well.
Questions
Why will the monthly rollups contain non-security updates from the previous month? For example, according to Microsoft, the first (October 2016) rollup will include non-security updates from September. But why delay October’s non-security fixes for another month? This makes no sense.
What happens if an update causes problems? In the past, you could just uninstall the problematic update. That won’t be an option with this new system. Microsoft’s response to this question makes it clear that this is your fault: “Every Windows update is extensively tested with our OEMs [customers] and ISVs [customers], and by customers – all before these updates are released to the general population. Your organization may also be interested in validating updates before they are publicly released, by participating in the Security Update Validation Program (SUVP).” In other words, our updates are thoroughly tested by you, and if you’re not testing them, you should be.
Why is Microsoft doing this?
According to Microsoft, these changes will “simplify your updating of Windows 7 SP1, Windows 8.1, … while also improving scanning and installation times and providing flexibility depending on how you typically manage Windows updates today.”
There may actually be some good reasons for bundling updates. But Microsoft is being so vague that it’s hard to believe they aren’t trying to foist something unwanted on us. Maybe the new system will make Windows Update faster and more reliable. Maybe it will simplify updates, an appealing notion for many users. Maybe it will make us all safer. It’s difficult to predict.
But there’s no question that these changes will make it difficult to avoid unwanted updates, and therein lies the problem. We already know for sure that Microsoft desperately wants us to either upgrade to Windows 10, or install updates that make Windows 7 and 8 more like Windows 10. Clearly these changes are beneficial to Microsoft, and we have a pretty good idea why (it’s advertising infrastructure). And, despite Microsoft’s assurances, we can be fairly certain that these changes don’t actually benefit the user, unless the user enjoys targeted advertising.
Given Microsoft’s recent actions, and suspicions concerning their actual motivation, these new updates are going to be examined closely. Are all the ‘security’ updates actually necessary? Are they even related to security? Microsoft can slap a ‘security’ label on anything they want and force it down our throats.
What can we do about this?
If you use Windows 7 or 8.x Home or Professional, there’s not much you can do. As I explained in an earlier post, you can trust that Microsoft will act in your best interest and let them install what they want on your computer (yikes), you can stop using Windows Update completely (also yikes), or you can switch to Linux.
It’s also still possible that – with enough pressure from users – Microsoft could make these changes more palatable. The Electronic Frontier Foundation says (and I totally agree) that “Microsoft should come clean with its user community. The company needs to acknowledge its missteps and offer real, meaningful opt-outs to the users who want them, preferably in a single unified screen. It also needs to be straightforward in separating security updates from operating system upgrades going forward, and not try to bypass user choice and privacy expectations.” I would add that Microsoft should describe in detail exactly what each update really does, and how it affects the collection and transmission of user activity and other information.
Related news
Woody Leonhard reports that Microsoft recently reactivated one of the Windows 7/8 updates associated with the ‘Get Windows 10’ nightmare. In response to the predictable uproar, Microsoft simply repeated their claims that this update is nothing to worry about, while saying nothing about what the update actually does.