
Chrome 45.0.2454.85 fixes 29 security bugs

The newest version of Chrome is 45.0.2454.85. At least 29 security vulnerabilities were fixed in this release, and the associated announcement hints at bigger changes to come in later releases of version 45.

The change log for this version is enormous. The first reader who wants to risk a migraine to review the whole thing, and reports back to me everything that changed in this version, will win a six-pack of their favourite beer (offer expires with the next release of Chrome).

Update 2015Sep04: We now have at least a partial answer to the question. Yesterday Google published a post on the Chrome blog that explains some of the changes in Chrome 45. It’s all about performance. If you have Chrome configured to load open pages from its last session, it will now start more quickly. Chrome will now use idle time to free up memory it’s no longer using. And the expected change that prevents Flash content from auto-playing is now in effect.

Security roundup for August 2015

Last month in security and privacy news…

A weakness was discovered in the open BitTorrent protocol, rendering torrent software vulnerable to being used to initiate DDoS attacks. The protocol was quickly updated to address the flaw, and patches for affected software were developed and distributed.

Malvertising continued to spread, most recently affecting popular sites like weather.com, drudgereport.com, wunderground.com, and eBay. Anyone visiting those sites with an unpatched browser may have inadvertently caused their computer to be compromised. Needless to say, the malicious ads were built with Flash.

It was a bad month for Android, as one of the updates released by Google that were intended to fix the Stagefright flaw turned out to be faulty, leaving some devices still vulnerable, and forcing Google back to the drawing board. Security researchers also discovered a flaw in Android’s Admin program that allows apps to break out of the security ‘sandbox’ and access data that should be inaccessible. Two flaws in fingerprint handling were also found in many Android devices, leaving both stored fingerprints and the fingerprint scanner itself vulnerable. And finally, new research exposed the predictability of Android lock patterns, making this particular form of security much less effective.

Lenovo’s hapless blundering continued, with the discovery that many of their PCs were using a little-known BIOS technology to ensure that their flawed, insecure crapware gets installed even when the operating system is reinstalled from scratch. Will these bozos ever learn?

Jeff Atwood reported on a new danger: compromised routers. If an attacker gains control of your router, there’s almost no limit to the damage they can inflict. Worse, there are no tools for detecting infected routers. If your router is compromised, no amount of malware scanning on your network’s computers will help. You’re vulnerable until you realize that the router is the problem and replace it or re-flash its firmware.

Mozilla offered more details on planned changes to Firefox that are expected to improve the browser’s security, stability, and performance. These changes are likely to benefit Firefox users, but will come at a cost: many existing browser add-ons will become obsolete. Add-on developers will be forced to make big changes or retire their software. Certain types of add-ons may not even be possible with the changes Mozilla plans.

In privacy news, the Electronic Frontier Foundation (EFF) released version 1.0 of Privacy Badger, a Chrome and Firefox add-on that blocks tracking mechanisms used on the web. The add-on initially doesn’t block anything, but learns as you browse, detecting cookies that are used on more than one site and blocking them.

And in other EFF news, a new malware campaign uses spearphishing techniques to get targets to visit what is supposed to be an EFF web site but is in fact a source of virulent malware.

Google announced upcoming changes to Chrome that will prevent extension developers from using deceptive practices to trick users into installing their software. Specifically, the ‘inline installation’ process will no longer work for extensions that are associated with these deceptive techniques. This is a good example of a software maker (Google) backing away from a feature that improved usability at the cost of security.

Google also firmed up plans to prevent most Flash media from being displayed by default in Chrome. Flash media won’t be blocked, but users will be required to click on each embedded video before it will play. Google’s official reason for doing this is to improve Chrome’s performance, but the change should reduce the spread of malvertising as well. Of course, Google’s own advertising network still allows Flash-based ads, and those ads will still auto-play. Google’s advice to advertisers is to switch from Flash-based ads to HTML5-based ads, or move to Google’s ad network.

And finally, Ars Technica posted a useful overview and instructions for encrypting your desktop, laptop and mobile devices. Be warned, total device encryption is not for the faint-hearted and comes with certain risks. For example, if you forget to tell your IT person that your hard drive is encrypted and they try to recover your computer from a failure, you may lose everything, even if your data is backed up.

Chrome 44.0.2403.155 released

Chrome updates now happen so frequently, and they so rarely cause problems, that I no longer have any qualms about the browser’s auto-update mechanism. Of course, if a Chrome update makes the browser unusable, I can use another browser for however long it takes Google to fix it, which would not be the case for a bad Windows update.

The release announcement for Chrome 44.0.2403.155 doesn’t provide any details, which is starting to become the norm, sadly. And Google was doing so well with this…

Parsing the change log reveals that the new version contains fixes for a few minor issues, including at least one related to stability.

July security roundup

Flash improvements

Adobe is trying desperately to keep Flash viable. In July, they announced structural changes that are expected to strengthen Flash’s overall security. The changes are so far only available in the most recent versions of Chrome, but they are expected to find their way into the other major browsers in August.

Asprox botnet status

There’s an interesting (though technical) overview of recent changes in the behaviour of the Asprox botnet over on the SANS Handler’s Diary. Apparently the botnet is no longer sending malware attachments, and is instead sending pornography and diet-related spam. Comparing my inbox contents with the samples in the linked article, it looks like most of the spam I currently receive is thanks to Asprox. Hopefully Asprox will be targeted by the anti-botnet heavy hitters in the near future.

Flaw in BIND could cause widespread issues

BIND is one of the most common pieces of software on Internet-facing servers. It translates human-readable addresses like ‘boot13.com’ into IP addresses. A bug in version 9 of BIND causes it to crash when a specially-crafted packet is sent to it. Attackers could exploit this bug to execute an effective Denial of Service (DoS) attack against a server running BIND9. Patches have been created and distributed, but any remaining unpatched servers are likely to be identified and attacked in the coming months. Update 2015Aug05: As expected, this bug is now being actively exploited.

Mobile versions of IE are vulnerable

Current, patched versions of Internet Explorer running on mobile devices were recently reported to have four flaws that could allow attackers to run code remotely. Exploits were published, although none have yet been seen in the wild. The vulnerabilities were disclosed by the HP/TippingPoint researchers who discovered them, six months after they privately reported them to Microsoft. Microsoft has yet to patch these vulnerabilities; they apparently feel that the vulnerabilities are too difficult to exploit for them to be dangerous.

Stagefright vulnerability on Android devices

A flaw in Stagefright, a core Android software library that processes certain types of media, makes almost all Android phones and tablets vulnerable. The flaw can be exploited as easily as sending a specially-crafted text (MMS) message to a phone, but also by tricking the user into visiting a specific web site. Successful attackers can then access user data and execute code remotely. Unfortunately for users, it’s up to individual manufacturers to develop and provide patches, and this process may take months in some cases. There’s not much users can do to mitigate this problem until patches arrive. Update 2015Aug05: Google is working with its partners to push updates to affected mobile devices.

Mediaserver vulnerability on Android devices

More bad news for Android users: the mediaserver service apparently has difficulty processing MKV media files, and can render a device unusable when it encounters one on a malicious web site. In most cases, the device can be brought back to life by powering it down and back up again.

Android spyware toolkit widely available

And the hits just keep on coming for Android devices. Among the information revealed in the recent Hacking Team breach was the source code for an advanced Android spyware toolkit called RCSAndroid. Like everything else taken from Hacking Team’s systems, this has now been published, and no doubt malicious persons are working on ways to use the toolkit. There’s no easy way to protect yourself from this toolkit, aside from keeping your device up to date with patches. From Trend Micro: “Mobile users are called on to be on top of this news and be on guard for signs of monitoring. Some indicators may come in the form of peculiar behavior such as unexpected rebooting, finding unfamiliar apps installed, or instant messaging apps suddenly freezing.”