Another new version of Google’s web browser was released yesterday. Version 34.0.1847.131 includes the latest version of (embedded) Flash, as well as several stability improvements. Nine security flaws were also fixed in this version.
All posts by jrivett
A special Ouch! newsletter about Heartbleed
SANS just published a special issue (warning: PDF) of their monthly, user-focused security newsletter, Ouch!
This issue is titled ‘Heartbleed – Why Do I Care?’ Its goal is to help regular users understand Heartbleed and how it does – and does not – affect them. Highly recommended, since there seems to be a lot of confusion on this subject.
Start Menu for Windows 8.x getting closer
According to Ars Technica, Microsoft is planning to release another update for Windows 8.1 in August 2014. That update is expected to finally bring an actual Start menu to the troubled O/S.
Opera 12.17 fixes Heartbleed vulnerabilities
It looks like the Opera team is planning to keep the classic version of Opera (version 12.x) alive and secure – at least for now.
An update to the pre-WebKit version of Opera was announced yesterday. The new version addresses two Heartbleed vulnerabilities in the update software.
Note that this update is for Windows only. Mac and Linux versions are unaffected.
There doesn’t seem to be a release notes page for this version. The main change log page doesn’t even list version 12.17.
More Heartbleed fallout
The full extent of the damage caused by the Heartbleed vulnerability may not be known for months. New reports of compromised systems are appearing daily.
Ars Technica reports on a very unfortunate compromise of an OpenVPN installation. It’s particularly bad, because thousands of companies worldwide use VPN solutions to provide supposedly completely secure access to corporate networks from off-site. The potential for damage is enormous.
Also in Heartbleed news: apparently the recently-reported Heartbleed-based intrusion of the Canada Revenue Agency was the work of a teenaged computer science student. He’s been arrested. It seems clear that his motivation was curiosity rather than something more sinister, since he did absolutely nothing to conceal his identity.
Why Windows 8.1 Update 1 is ‘required’
We recently wrote about the release of Update 1 for Windows 8.1.
In that post, we noted that Microsoft was making this update mandatory for all subsequent security updates, and wondered why they would do that. Apparently we weren’t the only ones, and there was enough angry feedback that Microsoft extended the period during which Windows 8.1 systems without Update 1 could continue receiving security updates, from 30 days to 120.
But why add this kind of limitation at all?
Ars Technica may have the answer to that question. We previously wondered why Microsoft wasn’t simply labeling Update 1 as ‘Service Pack 1’, in keeping with their long-established practices. The answer is simple: Microsoft sees what Apple, Google, and other O/S developers are doing, and they want to do the same.
Anyone who owns a Mac knows that Apple’s support for previous versions of OS X is extremely limited. If you want to keep running that old version of OS X, you’re going to have problems, and you won’t have any recourse except to bite the bullet and upgrade. Often, that also means upgrading the hardware. While this is clearly a consumer-hostile stance, it’s easy to understand. Apple saves an enormous amount of money and effort that would otherwise be spent on supporting old versions, developing updates for multiple O/S versions, and so on.
It appears that Microsoft has finally started down the path away from backward-compatibility and support for old versions of Windows. This is both a good and a bad thing. Backward compatibility is why so many people still run Windows XP: why upgrade your O/S if it suits your purposes and can still be kept reasonably secure? But it’s also the source of many problems.
Moving to a more restricted update system in Windows 8.x looks like the first step in a general trend towards the less consumer-friendly model used by Apple and others. And if that’s true, we can expect more moves like this in Microsoft’s future. Which is sad, but probably inevitable.
WordPress updates
WordPress 3.8.3 was released on April 14, and WordPress sites with Auto Updates enabled should have been silently updated. In some cases, the 3.8.3 update may not have had time to auto-update before WordPress 3.9 became available yesterday.
WordPress 3.8.3 fixes a minor bug that was introduced in the previous release, 3.8.2.
WordPress 3.9 makes several significant changes to the handling of media files, and makes it a bit easier for developers to experiment with widgets.
Apparently, neither release includes any security fixes.
Oracle Critical Patch Update fixes 37 issues in Java
Oracle just announced a huge batch of Critical Patch Updates, including 37 updates for Java.
The updates affect all supported versions of Java, including Java 7 (7u55) and the recently-released Java 8 (8u5).
Oracle has clarified their position on the adoption of Java 8 in a special FAQ for version 8. According to that page, “The new release of Java is first made available to developers to ensure no major problems are found before we make it available on the java.com website for end users to download.”
So until Oracle decides that Java 8 is ready for general use, the main Java download page will still offer Java 7 as the ‘most recent’ version. Java 8 can be downloaded from the Oracle Java SE downloads page.
We recommend installing the latest version of Java 7 (7u55) unless you’re interested in testing your Java applications with Java 8, in which case you should install Java 8 Update 5.
Canada Revenue Agency hit by Heartbleed, recommends changing passwords
Anyone who has filed a business or personal tax return online using the Canada Revenue Agency’s web-based tools should change their CRA passwords.
According to the RCMP, about 900 Social Insurance Numbers were obtained from CRA systems by unknown persons over a six-hour period around April 8. The affected account holders will be contacted by the CRA via registered mail.
The CRA systems’ vulnerability has now been patched, but the CRA is advising all account holders to change their passwords.
Heartbleed followup
Fallout from the Heartbleed vulnerability continues.
The list of major web sites affected by this issue (and in most cases advising their users to change their passwords) is expanding rapidly. It includes Instagram, Tumblr, DropBox, and many others.
The list of affected software is also growing.
Ars Technica’s ongoing coverage includes the disturbing news that the Heartbleed vulnerability ‘may have been exploited months before patch’, and the report ‘Researchers find thousands of potential targets for Heartbleed OpenSSL bug’.
Security researchers at the University of Michigan scanned the Internet looking for vulnerable web sites, and found plenty, which they list in their Heartbleed Bug Health Report.
Numerous tools for detecting Heartbleed vulnerability have appeared on the web, including this one at filippo.io. Use these tools with caution, since some will almost certainly turn out to be scams of some kind.
The XKCD web comic has joined in the fun: