boot13Another new version of Google’s web browser was announced on Friday. The release notes for version 40.0.2214.94 don’t provide any useful information on what’s different. There is only a link to the version control log entries for version 40.0.2214.94. And unfortunately, that log is both difficult to interpret (especially for non-technical folks) and extremely light on details. It looks like the new version fixes two minor issues, neither related to security.
All posts by jrivett
Firefox 35.0.1 fixes several bugs
A new version of Firefox was released by Mozilla yesterday. Version 35.0.1 includes fixes for various crashing and security issues.
There was no announcement from Mozilla for Firefox 35.0.1. As usual, I learned of the new release from non-Mozilla web sites. The struggle continues.
Although there have been some improvements to the release notes for Firefox, it’s still often difficult to determine whether the items listed changed in the version being discussed, or in a previous version. For instance, while all the items at the top of the list marked as ‘Fixed’ also refer to version 35.0.1, nothing else on the list refers to a specific version. Many of those items do in fact look like they are related to Firefox 35.0. There’s a link to ‘various security issues‘, but again it’s not clear what on that list is specific to version 35.0.1.
The ‘complete list of changes‘ link to Bugzilla is still not much help.
Chrome 40.0.2214.93 released
Another new version of Google’s web browser was released yesterday. The announcement contains very few details. It’s unclear whether any of the changes are related to security.
Update 2015Jan28: This version includes the recent Flash update (16.0.0.296), making it a critical update.
Adobe releases another Flash zero-day fix
Adobe has updated the bulletin related to the CVE-2015-311 vulnerability in Flash. Apparently a new version of Flash (16.0.0.296) has been released to address the bug.
Initially, the new version was not available from the main Flash download page, although computers with Flash’s automatic update feature enabled did download and install it. As of January 27, the new version is available on the Flash download page.
Anyone using a web browser with Flash enabled should install the new version as soon as possible.
Ars Technica has additional details.
Update 2015Jan28: Adobe has issued another security bulletin for this update.
Update 2015Jan30: Flash 16.0.0.296 also addresses the vulnerability CVE-2015-312.
SANS upgrades Infocon threat rating to yellow
SANS Internet Storm Centre has upgraded their Infocon threat rating from green to yellow, in response to the recent zero-day vulnerabilities in Flash. From the associated post:
“Our reasoning is that the Adobe Flash Player is very widely installed, the vulnerability affects multiple platforms, remote code execution gives the attacker complete control of the system, the patch is not yet available, it affects both organizational IT systems as well as home or soho users, a crimeware kit is actively exploiting the vulnerabilities, people might mistakenly believe that the patch from yesterday fixes all of the issues, and last but not least mitigation through the use of EMET or other tools/means is not normally feasible for home users or quick deployment in enterprise environments without testing. In short, the high impact of these vulnerabilities being exploited warrants raising the Infocon from now until Monday.”
The Infocon rating is displayed in the left sidebar of this web site.
Google vs. Microsoft disclosure debate continues
You may recall Microsoft’s recent statements of displeasure at Google’s disclosure of unpatched security vulnerabilities in Windows 8.1.
This argument shows no signs of abating, because Google has disclosed more unpatched vulnerabilities in Windows.
Microsoft needs to understand that it’s on the wrong side of this battle. Vulnerabilities must be patched quickly, and absent any incentive, big companies like Microsoft, Oracle and Adobe will take increasingly long periods of time to produce patches. Ninety days is plenty of time.
VLC has two unpatched vulnerabilities
VLC is one of the most popular media players; it’s cross-platform, and has a reputation for being able to play almost any kind of media. Given its popularity, unpatched vulnerabilities in VLC are likely to make attractive targets to malicious hackers.
Two vulnerabilities in VLC, CVE-2014-9597 and CVE-2014-9598, have yet to be acknowledged by VLC’s developers. Both are memory corruption bugs that can allow attackers to execute arbitrary commands on target systems.
Note that these vulnerabilities only affect VLC running on Windows XP, and only FLV and M2V files.
If you use VLC, you should exercise extreme caution when playing media from sources not known to be safe.
Adobe issues special update for Flash, while another 0-day rears its head
On Thursday, Adobe announced an update that addresses a recently-discovered vulnerability in Flash. According to Adobe, the vulnerability addressed by Flash 16.0.0.287 is CVE-2015-0310.
Anyone using a web browser with Flash enabled should install the new Flash as soon as possible.
Apparently there is at least one additional vulnerability in Flash that affects even the most current version (16.0.0.287) and is currently being exploited in the wild. This zero-day vulnerability is identified as CVE-2015-0311. According to Adobe, they are working on a patch, which should be available in the next few days.
SANS has a useful summary of the recent updates and vulnerabilities related to Flash.
Chrome 40.0.2214.91 fixes 62 vulnerabilities
The latest version of Google’s web browser includes fixes for a whopping 62 security issues. Chrome should update itself to version 40.0.2214.91 automatically.
Java 8u31 fixes 19 security issues
New versions of Java were announced by Oracle yesterday. Java 8 update 31 and Java 7 update 76 can be obtained from the main Java download site.
Users are being encouraged to upgrade from Java 7 to Java 8. The download page now offers Java 8 instead of Java 7. Computers configured for Java auto-updates will be automatically upgraded from 7 to 8. And according to Oracle, Java 7 will see its final updates in April 2015.
Brian Krebs has additional details.