On October 15th, Mozilla slipped another Firefox version into production. Firefox 41.0.2 was released to address a single security issue, CVE-2015-7184. The bug is described in a post on the Mozilla security advisories site. The release notes for Firefox 41.0.2 don’t provide any additional detail. There was no new version announcement.
All posts by jrivett
Adobe releases fix for new zero-day exploit
Yesterday, Adobe released an update for the recently-discovered Flash security vulnerability CVE-2015-7645. Kudos to Adobe for acting quickly to fix this bug, which is being actively exploited on the web.
The new version of Flash (19.0.0.226) addresses the CVE-2015-7645 vulnerability and two others. Additional details are available in the associated security bulletin. Other changes in this version of Flash are described in a post on the Flash runtime announcement site.
As usual, Internet Explorer on newer versions of Windows will get the new version of Flash via Windows Update, and Chrome will update itself via its own auto-updater.
If you’re still using Flash in a web browser, you need to install this update as soon as possible.
Microsoft breaking Windows 7 & 8 so you’ll upgrade to Windows 10
In the couple of months since the release of Windows 10, there have been plenty of reports of strange, unexpected, and unwanted behaviour on Windows 7 and 8.x computers. At least one high profile writer dismissed these reports, but recanted after witnessing the behaviour themselves.
I ran into one such problem yesterday when I tried to install October’s Patch Tuesday updates on my Windows 7 computer. Although auto updates are disabled on that computer, I had previously decided to install all updates flagged as ‘Important’. The idea was to see what happened if I allowed Microsoft to push whatever they wanted to that computer, putting myself into the same situation as most typical users.
The first thing I noticed was the ‘Get Windows 10’ icon that started appearing in the notification area. At the time, I provided instructions for uninstalling the update that caused this icon to appear, and did that myself as well. But the icon – and the update that enables it – kept appearing. Even ‘hiding’ the update (KB3035583) in Windows Update could not prevent the damned thing from reappearing.
Fast forward to yesterday, and when I tried to install updates on that Windows 7 PC, I was able to check for updates, and see the pending updates, but there was no way to install them! Instead, all I could see was a panel urging me to upgrade to Windows 10 and a ‘Get Started’ button.
I eventually discovered a rather amusing article on The Inquirer’s site, which provided some useful insight into the problem. Besides singling out the writer who had previously pooh-poohed claims of this unwanted behaviour, the article pointed to a Microsoft Knowledge Base article that provides instructions for getting rid of all the Windows 10 upgrade prompts.
I followed the procedures in that KB article, and sure enough all the upgrade prompts vanished, the KB3035583 update stopped reappearing, and Windows Update once again allowed me to install updates.
Anyone using Windows 7 or 8.x who is seeing any of this unwanted and unwelcome behaviour is urged to follow the instructions in the KB3080351 article. If you’re unwilling or unable to do so yourself, ask your friendly local support person to do it.
Meanwhile, a message to Microsoft: are you serious? Are you so eager to push everyone to Windows 10 that you are now literally trying to trick or even force users to upgrade? This is not acceptable. You need to step down from this or the backlash is going to get serious. There is already discussion around the idea of a class action lawsuit.
Update 2015Oct18: I’m not the only person seeing this kind of thing. Some Windows 7 and 8.x users have reported the Windows 10 upgrade installing without any confirmation at all.
Nasty new zero-day exploit affects even most recent Flash
Security researchers at Trend Micro have identified a new Flash exploit being used in targeted attacks against various government agencies. The exploit takes advantage of a previously unknown vulnerability in all versions of Flash, including the most recent, 19.0.0.207. It seems likely that the exploit will be used more widely in the near future.
Adobe quickly confirmed the vulnerability and announced in a security bulletin that a patch will be made available some time next week.
At this point one wonders whether there’s any code left in Flash that hasn’t been afflicted with security vulnerabilities at some point.
As always, if you can possibly live without Flash enabled in your browser, just disable it. If you need to use it, your best option is to configure your browser to always ask before displaying Flash content.
24 security fixes in latest version of Chrome
Chrome 46.0.2490.71 includes fixes for a variety of issues, including at least 24 security vulnerabilities.
As usual, the details are buried in the rather technical change log. Go ahead and take a look, but set aside several hours, because that log is 245,986 lines long. That’s not a typo. I started reading the log, and after scrolling down about 20 pages, I noticed that my browser’s scrollbar hadn’t even moved. There may be some interesting stuff in there, but life’s too short to read that monstrosity.
Patch Tuesday for October 2015
It’s a relatively light month for Microsoft, with only six bulletins, and associated updates affecting Windows, Windows Server, Internet Explorer, Office, and the new Windows 10 browser Edge. Three of the bulletins are flagged as Critical. The bulletin summary has all the details, and it includes a link to Microsoft’s Security Advisories page for 2015, which may be of some interest.
Meanwhile, Adobe’s contribution to this month’s patch pile is more updates for Flash and Reader/Acrobat. The new version of Flash is 19.0.0.207, and it addresses thirteen vulnerabilities. The release notes get into the details of what was changed, which includes a few bug fixes unrelated to security. As always, Chrome will update itself and Internet Explorer on newer versions of Windows will get the new Flash via Windows Update.
The newest versions of Adobe Reader are 11.0.13 for Reader XI, and 2015.009.20069 for Acrobat Reader DC. At least fifty-six vulnerabilities are addressed in these updates. Check out the related security bulletin for additional information.
Security & privacy roundup for September 2015
Android made security news in September for a lockscreen bypass hack and a ransomware app designated Android/Lockerpin.A.
Passwords in the leaked Ashley Madison user database became much easier to crack, once again reminding us to avoid re-using passwords.
A rogue version of the iPhone development tool Xcode was found to have added malicious code to almost 500 legitimate apps. Those apps were published on the Apple App Store, and were subsequently installed by millions of iPhone and iPad users.
In other Apple-related news, a simple bypass was discovered for Gatekeeper, the process that protects Mac OS X users from malicious software.
This month’s Flash updates prompted Brian Krebs to take another look at Adobe Shockwave. He found that even the most recent versions of Shockwave still contain very out of date versions of Flash, and strongly recommends that you remove Shockwave from all your computers.
A series of exploits against the Imgur and 8chan sites caused little damage, despite their enormous potential. The true goals of the hack are still in question, and the associated vulnerabilities on the affected sites have been fixed.
A researcher discovered several serious vulnerabilities in popular security software from Kaspersky Lab. While there’s no evidence of exploits in the wild, this is rather alarming. Anti-malware software typically has access to core system functionality, making working exploits very valuable to attackers. Kaspersky Lab acted quickly to fix the bugs, but this isn’t the first time security software has been found vulnerable, and likely won’t be the last.
A new botnet called Xor.DDoS is using compromised Linux computers to perform DDoS attacks against a variety of web sites, probably at the request of paying customers. The Linux computers hosting the botnet appear to have been compromised via weak root passwords. So far, most of the targets are in Asia. This marks a shift in platform for botnet developers, which previously focused almost exclusively on Windows.
Microsoft responds to Windows 10 privacy concerns
Microsoft has finally broken the silence, responding to Windows 10 privacy concerns in a post on the Windows Experience blog.
Unfortunately, the post does little to address actual concerns, instead making a lot of vague promises about not using your data to target ads “Unlike some other platforms” (a clear reference to Google reading your Gmail communication to target ads).
For example, there’s nothing about Windows 10’s persistent and frequent communication with Microsoft servers, even when privacy-compromising settings are disabled.
Techdirt, Ars Technica and The Verge have additional analysis.
Suspicious update from Microsoft
A strange – and possibly harmful – update started being delivered to Windows computers yesterday. Early speculation ranged from problems with the Windows Update infrastructure to the service being compromised by attackers.
Microsoft eventually weighed in, saying that the update was part of a test, and that it was never intended to end up on user computers.
Apparently the update was installed on some Windows 7 computers, at least one of which was rendered nearly inoperable, according to the user.
Presumably there will be additional followup from Microsoft. This is the kind of problem that makes people (including myself) justifiably nervous about the forced automatic updates in Windows 10.
Ars Technica has additional details.
Firefox 41.0.1 released
The latest Firefox fixes a few bugs that caused crashes and hangs in relation to Flash, bookmarks, and Facebook. There are no security-related changes in this release.
The version 41.0.1 release notes provide additional detail.
It looks like Mozilla finally decided to stop putting all previous release notes for the associated major version on every release notes page. Instead, they’re adding a link to the major version’s release notes at the top of the What’s New list. Unfortunately, they managed to mess that up with this release, because the Reference: Release notes for Firefox 41.0 link actually points to the notes for Firefox 40.0. Here’s a link to the Firefox 41 notes.