Category Archives: Chrome

Flash update fixes 13 vulnerabilities

A new version of Flash, released yesterday, addresses at least thirteen vulnerabilities in previous versions.

According to the security bulletin for Flash 24.0.0.221, the new version fixes “critical vulnerabilities that could potentially allow an attacker to take control of the affected system.”

The release notes for Flash 24.0.0.221 describe some new features that are likely only of interest to developers.

As usual, Internet Explorer and Edge will get new versions of their embedded Flash via Windows Update, while Chrome’s embedded Flash will be updated automatically.

Anyone who still uses a web browser with Flash enabled should update it as soon as possible.

Chrome 56.0.2924.76

Chrome version 56.0.2924.76 includes fixes for fifty-one security vulnerabilities. But wait, that’s not all. If you want to see what happens when your web browser loads a really big web page, navigate to the change log for Chrome 56.0.2924.76. It’s a behemoth, documenting over ten thousand separate changes.

One change in particular deserves mention: starting with this version, Chrome will show ‘Secure’ at the left end of the address bar if a site is encrypted. When Chrome navigates to a web page that isn’t encrypted, but does include a password prompt, it will show ‘Not Secure’ in the address bar.

Chrome seems to update itself reliably, soon after a new version is released. Still, given the number of security fixes in this release, it’s not a bad idea to check.

Chrome 55.0.2883.75

A new version of Chrome fixes at least thirty-six security issues in the browser. Aside from listing the vulnerabilities addressed, the release announcement says only that Chrome 55.0.2883.75 “contains a number of fixes and improvements”. You’ll have to read the change log to figure out what else is different. Sadly, the full change log is another one of those browser-killing monstrosities, with almost 10,000 changes listed. Don’t click that link if you have an older computer.

SHA-1 deprecation coming soon

SHA-1 (Secure Hash Algorithm 1) is still used by some web sites to encrypt their traffic. Starting in early 2017, most web browsers will start displaying scary-looking warnings when anyone tries to visit sites using SHA-1.

Like this one in Edge:

After Feb 14, 2017, Microsoft Edge will show this warning when it detects SHA-1 encryption
After Feb 14, 2017, Microsoft Edge will show this warning when it detects SHA-1 encryption

SHA-1 deprecation announcements

Microsoft

(From a post on the Microsoft Edge blog.)

Starting on February 14th, 2017, Microsoft Edge and Internet Explorer 11 will prevent sites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning. Though we strongly discourage it, users will have the option to ignore the error and continue to the website.

Mozilla

From a post on the Mozilla security blog.

In early 2017, Firefox will show an overridable “Untrusted Connection” error whenever a SHA-1 certificate is encountered that chains up to a root certificate included in Mozilla’s CA Certificate Program. SHA-1 certificates that chain up to a manually-imported root certificate, as specified by the user, will continue to be supported by default; this will continue allowing certain enterprise root use cases, though we strongly encourage everyone to migrate away from SHA-1 as quickly as possible.

Google

From a post on the Google security blog.

We are planning to remove support for SHA-1 certificates in Chrome 56, which will be released to the stable channel around the end of January 2017. The removal will follow the Chrome release process, moving from Dev to Beta to Stable; there won’t be a date-based change in behaviour.

Flash 23.0.0.205

Normally Adobe releases Flash updates on Patch Tuesday, but when there’s a critical security vulnerability they will release an ‘out of cycle’ fix. That’s what happened with Flash 23.0.0.205, which was released on October 26 to address a single vulnerability: CVE-2016-7855 (details pending).

Anyone who uses Flash in a web browser should update Flash as soon as possible. If you’re not sure whether you’re running the latest Flash, go to the About Flash page on the Adobe web site.

As always, Internet Explorer and Edge will get updates to their embedded Flash via Windows Update (bulletin MS16-128), and Chrome will update itself automatically. Still, it’s a good idea to make sure by visiting the About Flash page.