Another new version of Flash was released today. Version 14.0.0.125 closes six security vulnerabilities found in previous versions.
If Flash is enabled in your web browser, you should update it as soon as possible.
As usual, the embedded Flash in Internet Explorer on Windows 8.x is updated via Windows Update, while the embedded Flash in Chrome will update itself automatically.
This month there are seven bulletins, with related patches affecting Internet Explorer, Windows and Office. A total of sixty-six security vulnerabilities are fixed with these updates.
Note that Microsoft is recommending upgrading to the latest version of Internet Explorer. IE 11 contains security features not found in previous versions and is therefore somewhat more secure than those older versions. Anyone still using Internet Explorer would do well to follow this advice.
Note also that this is the last set of updates that will be available for Windows 8.1 installations without Update 1. In other words, if you’ve held off on installing Update 1, you won’t get any updates next month or after that.
This month there will be seven bulletins and associated updates for Windows, Office and Internet Explorer. Two are rated Critical.
One of the updates will fix the recently-discovered vulnerability in Internet Explorer 8.
The official advance warning bulletin has all the technical details.
Two new vulnerabilities were recently discovered in widely-used security software OpenSSL and GnuTLS.
The OpenSSL vulnerability is not as dangerous as the infamous Heartbleed bug, but can allow attackers to pull private information from communications between unpatched systems, including passwords.
The GnuTLS vulnerability can be used by malicious persons to execute arbitrary code on devices accessing specially-crafted web pages.
As with Heartbleed, these vulnerabilites mainly affect servers, although client software and operating systems that use the GnuTLS and OpenSSL libraries are also at risk. Patches are expected to be made available soon.
In an effort to reduce the problems caused by buggy, incompatible, and malicious Chrome add-ons, Google now only allows add-ons from its Chrome Web Store to be installed. In addition, add-ons based on the old NPAPI technology will no longer install in Chrome.
While this is generally seen as a good idea, many users who were running older or unofficial add-ons are annoyed at this change.
Chrome, Firefox and Internet Explorer can be tricked into revealing your browsing history by unscrupulous web site owners.
The new vulnerability is similar to one that was discovered, then patched, in the major browsers several years ago. The new technique uses a different approach to accomplish the same thing.
Browser developers are working on fixes for this vulnerability, but in the meantime, anyone concerned about their browser history potentially being revealed should get into the habit of clearing their history frequently. Alternatively, you could switch to a privacy-oriented browsing solution such as the Tor Browser Bundle.
Anyone using the All in One SEO Pack plugin on their WordPress site should update the plugin to the most recent version (2.1.6) as soon as possible.
Security researchers recently discovered a flaw in the plugin that can make sites using it vulnerable to hijacking.
An international law enforcement project to disrupt the Gameover botnet is underway.
Gameover, aka Gameover Zeus or GOZ, is currently installed on up to a million computers worldwide. The botnet is rented out for malicious purposes, including harvesting private information, sending spam email, denial of service (DoS) attacks, extortion, and distribution of various kinds of malware, including the awful CryptoLocker [1,2] ransomware.
This effort to disrupt GOZ has already been very successful: the botnet’s owners are no longer able to control clients. As for Cryptolocker, newly-infected machines can no longer communicate with their controlling servers, which means they are safe, at least for now. Infected machines that are already encrypted are not affected and must still pay the decryption ransom or lose all encrypted information.
Brian Krebs provides additional details on his Krebs on Security blog.
Update 2014Jun09: Brian Krebs has a behind-the-scenes look at what went into this takeover. To this point, the takeover seems to have been 100% effective, but the botnet developers may have more moves left.
Yesterday another new version of the Webkit-based Opera browser was announced.
Opera 22.0.1471.50 introduces a new update process (on Windows computers) that is apparently completely silent: it updates Opera without any interaction from the user. A variety of stability and other issues were also fixed in the new version. For a complete list of what’s changed since version 21, see the official change log.
Sadly, there’s still no sidebar in Opera 22.
Someone recently discovered that it’s possible to trick Windows Update into providing updates for Windows XP.
Recall that even though Microsoft has stopped issuing updates for Windows XP to the general public, they are actually still developing updates – for paying customers.
The trick for obtaining updates for Windows XP involves changing a setting in Windows that makes Windows Update think that it’s actually running a variant of Windows XP that’s still supported, namely ‘POSReady 2009’.
There are all kinds of problems with this, starting with the likelihood that Microsoft will find a way to stop it. In short, if you’re desperate to keep running Windows XP and you want to install the available updates, and you’re willing to take the risk of totally messing up your system, it might be worth a try. But I seriously cannot recommend it.
Update 2014Jun04: For those of you who can’t resist the temptation to try this, the procedure is outlined in this betanews.com blog post.
boot13