Another new version of Chrome was announced yesterday by Google. The release announcement for version 44.0.2403.130 is again very light on details.
Reviewing the headache-inducing change log shows some minor changes related to Windows 10 shortcuts, mousewheel operation, character composition, and touchscreen operation. It doesn’t appear that this is a security release.
The latest WordPress release resolves several security issues, including an SQL injection that could be used to compromise a site.
The WordPress 4.2.4 release notes have additional details.
WordPress sites with the auto-update mechanism enabled should be updated automatically in the next day or so, but if you don’t want to wait, you can install the update manually from the site’s dashboard.
Adobe is trying desperately to keep Flash viable. In July, they announced structural changes that are expected to strengthen Flash’s overall security. The changes are so far only available in the most recent versions of Chrome, but they are expected to find their way into the other major browsers in August.
There’s an interesting (though technical) overview of recent changes in the behaviour of the Asprox botnet over on the SANS Handler’s Diary. Apparently the botnet is no longer sending malware attachments, and is instead sending pornography and diet-related spam. Comparing my inbox contents with the samples in the linked article, it looks like most of the spam I currently receive is thanks to Asprox. Hopefully Asprox will be targeted by the anti-botnet heavy hitters in the near future.
BIND is one of the most common pieces of software on Internet-facing servers. It translates human-readable addresses like ‘boot13.com’ into IP addresses. A bug in version 9 of BIND causes it to crash when a specially-crafted packet is sent to it. Attackers could exploit this bug to execute an effective Denial of Service (DoS) attack against a server running BIND9. Patches have been created and distributed, but any remaining unpatched servers are likely to be identified and attacked in the coming months. Update 2015Aug05: As expected, this bug is now being actively exploited.
Current, patched versions of Internet Explorer running on mobile devices were recently reported to have four flaws that could allow attackers to run code remotely. Exploits were published, although none have yet been seen in the wild. The vulnerabilities were disclosed by the HP/TippingPoint researchers who discovered them, six months after they privately reported them to Microsoft. Microsoft has yet to patch these vulnerabilities; they apparently feel that vulnerabilities are too difficult to exploit for them to be dangerous.
A flaw in Stagefright, a core Android software library that processes certain types of media, makes almost all Android phones and tablets vulnerable. The flaw can be exploited as easily as sending a specially-crafted text (MMS) message to a phone, but also by tricking the user into visiting a specific web site. Successful attackers can then access user data and execute code remotely. Unfortunately for users, it’s up to individual manufacturers to develop and provide patches, and this process may take months in some cases. There’s not much users can do to mitigate this problem until patches arrive. Update 2015Aug05: Google is working with its partners to push updates to affected mobile devices.
More bad news for Android users: the mediaserver service apparently has difficulty processing MKV media files, and can render a device unusable when it encounters one on a malicious web site. In most cases, the device can be brought back to life by powering it down and back up again.
And the hits just keep on coming for Android devices. Among the information revealed in the recent Hacking Team breach was the source code for an advanced Android spyware toolkit called RCSAndroid. Like everything else taken from Hacking Team’s systems, this has now been published, and no doubt malicious persons are working on ways to use the toolkit. There’s no easy way to protect yourself from this toolkit, aside from keeping your device up to date with patches. From Trend Micro: “Mobile users are called on to be on top of this news and be on guard for signs of monitoring. Some indicators may come in the form of peculiar behavior such as unexpected rebooting, finding unfamiliar apps installed, or instant messaging apps suddenly freezing.”
Another update for Chrome, with details again rather sparse. Presumably minor bug fixes, but you can’t tell from the release announcement.
You can now download the release version of Windows 10 directly from Microsoft. The tools on that page allow you to upgrade the computer you’re using, or to create bootable disc or thumb drive images, which can then be used to install Windows 10 from scratch on another computer. Both the Home and Pro versions are available, in 32 and 64 bit form.
If you’re running Windows 7 or 8.x, and you choose to perform an upgrade from the site linked above, you’ll get the Home version if you’re currently running one of the Home variants, and Pro otherwise.
It’s still not completely clear what happens when you don’t have a legitimate Windows 7 or 8.x license. At some point, you’ll be asked to enter a license key, and without one, presumably Windows 10 will stop functioning or suffer from reduced functionality. The same goes for in-place upgrades; as Microsoft has said, if you have a non-valid install of Windows 7 or 8.x and upgrade it to Windows 10, it will continue to be non-valid, with all that entails.
Update: My Windows 10 test computer is running whatever version is being provided via the Windows Insider program. It looks like the final release version, and has the build number Microsoft planned to use for the release: 10240. Because I joined the Windows Insider program (which involved having updates pushed to the computer regularly, and being asked to provide ratings and feedback), I’m now running Windows 10 Pro on a computer that previously ran Windows XP, and it didn’t cost anything, and it’s completely legit. Of course, if I ever want to stop logging in to Windows 10 with my Microsoft ID, I’ll have to purchase a Windows 10 license.
Some of you may remember dire predictions, years ago, that the Internet would soon run out of IP addresses. These predictions turned out to be somewhat early. A variety of factors combined to decrease the rate at which new address blocks were required. Still, it was clear that the limit would be reached, so the Internet Engineering Task Force (IETF) got to work designing a new IP address scheme. The new scheme is called IPv6, and supports a virtually unlimited number of addresses. The current IPv4 address system supports up to 4,294,967,296 unique addresses.
A typical IPv4 address: 96.49.181.168
A typical IPv6 address: 2001:db8:85a3::8a2e:370:7334
Now, according to American Registry for Internet Numbers (ARIN), the organization that doles out IP address blocks, we’re about to run out of IP addresses at last.
Before you start to panic, you should know that reaching this limit only really affects Internet Service Providers (ISPs). These organizations are the ones who buy IP blocks, then provide them to regular users. New ISPs, and ISPs that need to expand, are going to find it increasingly difficult to obtain the addresses they need.
There’s more good news: since we’ve seen this problem coming for a while now, most network hardware and operating systems are fully compatible with IPv6, including Windows XP and newer. When it’s time to make the switch, it will happen gradually, and will involve enabling IPv6 on devices and in operating systems where it’s currently disabled. Of course, there are likely to be glitches during the transition, but given the amount of testing already done, these should be resolved quickly. In most countries, the transition to IPv6 has already begun, with adoption as high as 35% in Belgium.
Windows 10 is scheduled for release on July 29. Microsoft really wants people to upgrade, offering the new O/S for free to anyone running legitimate installs of Windows 7 and 8.x, at least until July 28, 2016. Anyone who’s been running the Windows Insider Preview version of Windows 10 will also be able to install the release version for free. It sounds enticing, but is it right for you?
Unfortunately, there are still some unanswered questions regarding the free Windows 10 upgrades. How long will a ‘free’ install of Windows 10 remain free? If I try to reinstall it from scratch a few years from now, will I be forced to pay for it? What if my computer’s hard drive fails and I have to replace it and reinstall Windows 10? Microsoft has yet to produce definitive answers to these questions.
But the biggest unknown is the issue of forced updates. Windows 10 updates will be installed on ‘Home’ versions without allowing the user any choice whatsoever. That includes security updates and other bug fixes, but also new and changed features. ‘Pro’ users will be able to delay updates for several weeks, but have no way to prevent them indefinitely. While forced updates are arguably a good thing for most (especially non-technical) users, many power users find this prospect alarming. I don’t want Microsoft messing with my computer when I’m asleep. I want to be the only person who installs updates. I don’t want to see mysterious WAN bandwidth spikes that turn out to be huge, unwanted Windows 10 updates. Note: there may be a way to block certain updates indefinitely, according to Ed Bott, but the details are sketchy.
Is Windows 10 right for you? If you want the latest version of Windows, with the most up to date technologies and support for current hardware, and you don’t mind that the user interface is a hodgepodge of old and new (touch/tablet/mobile) style elements, you don’t mind forced updates, and your hardware supports it, then by all means upgrade to Windows 10.
If you’re running Windows 8.x, there’s no reason to hold back, since Windows 10 is basically Windows 8.2, and it addresses many Windows 8.x problems, including the lack of a Start menu.
The decision is not so easy for Windows 7 users. Windows 7 support (mostly in the form of security updates) will continue until January 14, 2020, so there’s no urgency. If you don’t like the new user interface, with its focus on touch and mobile devices, stay away. If you want to be able to use newer apps – the ones designed for the new UI – then you’ll have to upgrade. Support for Windows 7 by software and hardware makers is sure to decline over the next few years, which may force your hand.
I’ve been using the Windows 10 Insider Preview on a test machine, and so far, I like it. That machine was previously running Windows XP, which of course is no longer getting security updates and is increasingly risky to use. Upgrading to Windows 10 resolved a long-standing display issue on that computer, and I’ve had no new problems, aside from a few glitches and Explorer crashes that seem to have been resolved in later builds. I expect the computer to update automatically to the release version of Windows 10 at some point soon after July 29, but I’m ready to switch back to XP if Microsoft’s answers to the above questions prove unsatisfactory.
Chrome 44.0.2403.107 was made available yesterday. There’s not a lot of information in the release announcement, and the detailed change log is, as usual, not particularly illuminating. Presumably the new version is mostly about minor bug fixes.
Update: Apparently the previous update caused some web sites to render improperly or not at all.
A new version of WordPress was announced yesterday. Version 4.2.3 includes fixes for two security vulnerabilities, as well as about 20 other bug fixes. Sites configured for automatic updates should be updated within the next day or so. If you’d rather not wait for an auto-update, you can install it manually via the site’s dashboard.
A new version of Google’s web browser includes 43 fixes for security issues. Anyone who uses Chrome should make sure it updates itself, or install the new version manually as soon as possible.
The release notes for Chrome 44.0.2403.89 provide additional details.
boot13