boot13Version 51.0.2704.84 of Google’s web browser was released on June 6. The announcement doesn’t list any changes, but points to the full change log. The log lists about sixteen changes, mostly minor bug fixes. Although it’s not explicitly stated, some of the changes appear to be related to security, so we recommend updating Chrome as soon as possible.
Category Archives: Google
Chrome 51.0.2704.79
Another batch of security fixes highlights the release of Chrome 51.0.2704.79. At least fifteen security issues are addressed in the new version, so if you use the browser, you should make sure it’s up to date. The full change log (only about three dozen entries this time) provides additional details.
Chrome 51.0.2704.63
It’s a new version of Chrome, and there are at least 42 good reasons to install it, namely the 42 security issues Chrome 51.0.2704.63 addresses.
The release announcement doesn’t mention any new features, so although the full change log is another massive, browser-killing abomination, I’m going to leave parsing it as an exercise for readers.
Chrome 50.0.2661.102
50.0.2661.102 is the latest version of Chrome, and it includes fixes for five security issues, as well as about thirty other minor changes. See the full change log for details.
April security roundup
People who store Slack credentials in Github code repositories learned that this a bad idea, as researchers demonstrated the ease with which this information can be gathered without any explicit permissions.
Scary news: computers at a German nuclear reactor facility were found to be loaded with malware. The only thing that prevented miscreants from playing with real nuclear reactors was the fact that these computers are not connected to the Internet.
Crappy security practices led to the theft of user account information (email addresses and poorly-encrypted passwords) from Minecraft community site Lifeboat.
The notorious hacking group known as Hacking Team made the news again, this time with reports of active drive-by exploits affecting Android devices.
The Nuclear exploit kit is still operating, despite recent, partially-successful, efforts to shut it down. Researchers showed that the kit is still being used, and may be involved in recent ransomware infections.
Good news: the two men responsible for the notorious SpyEye banking trojan, recently extradited to the US to face federal prosecution, will be spending nine and fifteen years in prison.
Zero-day exploits are on the rise, doubling from 24 in 2014 to 54 in 2015. A zero-day exploit is a hack that takes advantage of software vulnerabilities before the software’s maintainers have had a chance to develop a fix.
Cisco security researchers identified vulnerabilities in several enterprise software systems, including Red Hat’s JBoss. As many as three million web-facing servers running this software are at risk of being infected with ransomware, and in fact as many as 2100 infected servers were identified.
More good news: the Petya ransomware was found to contain a flaw that allows its victims to decrypt their data without paying any ransom.
The Mumblehard botnet was taken down by ESet researchers, after it infected at least 4000 computers and sent out countless spam emails.
Microsoft announced plans to prevent Flash content from playing automatically in the Windows 10 web browser Edge. All the major browsers appear to be heading in this direction, if they don’t already have the feature, as does Chrome.
April’s issue of the SANS ‘Ouch!’ newsletter is titled “I’m Hacked, Now What?” (PDF) and provides helpful information for the recently-hacked. The newsletter is aimed at regular users, so it may not be particularly useful for IT professionals, except as a means to educate users.
The wildly popular WhatsApp – a messaging application for mobile devices – now has end-to-end encryption. This will make life more difficult for spy agencies who want to know what users are saying to each other. But WhatsApp users should be aware that this does not make their communications invulnerable, since techniques exist to get around full encryption, such as keystroke loggers.
Bad idea: someone at CNBC thought it would be a good idea to ask users to submit their passwords to a web-based system that would test the passwords and report on their relative strength. The service itself was vulnerable, and exposed submitted passwords to network sniffing. The service was taken offline soon after the vulnerability was identified.
The web site for toy maker Maisto International was hacked and serving up ransomware for an unknown amount of time, probably several days or even weeks. The hack was made possible because the site was using outdated Joomla software.
Chrome 50.0.2661.94
A total of thirty-one changes are listed in the log for Chrome 50.0.2661.94. Nine of the changes address security vulnerabilities.
If you use Chrome, make sure it’s up to date. Click the hamburger menu icon at the top right, then choose Help > About. If Chrome isn’t already the latest version, this should trigger an update.
Chrome 50.0.2661.87
The change log for Chrome 50.0.2661.87 lists just over forty differences from the previous version. None of them seem particularly interesting, and none are related to security. So this is not an urgent update.
Chrome 50 released
According to the full change log, 8748 changes were made to Chrome for version 50.0.2661.75. At least twenty of those changes are related to security, so this is an important update.
With this many changes, it seems reasonable to expect that one or two of them might be worth pointing out, but the release notes only say that there are a number of fixes and improvements, and to “Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 50.”
Rather than spend several days reading the details of all 8748 changes, I’ll wait for further announcements from Google. If I discover anything interesting, I’ll add it here.
Chrome 49.0.2623.112
Version 49.0.2623.112 of Google’s web browser is now available. For most users, the browser will update itself automatically.
The new version doesn’t seem to include any security fixes, but it does address a few other, minor bugs. Additional details are available in the full change log.
Security roundup for March 2016
Ransomware made news frequently in March. Two more healthcare networks in the USA were hit with ransomware. A new variety of ransomware called Petya took things to a new level, encrypting the core data structures of hard drives. TeslaCrypt continued its destructive march across Europe and into the USA. A surge in malware-laden advertising (aka malvertising) on several popular web sites, including the Certified Ethical Hacker site, led to numerous ransomware infections.
Smartphones and tablets running Google’s Android operating system remain a popular target for malware. A newly-discovered vulnerability can allow malware to permanently take over a device at the root level. Malware that exploits the still largely unpatched Stagefright vulnerability was identified.
Security researchers discovered malware that can infect computers that are not connected to networks, using external USB devices like thumb drives. The malware, dubbed USB Thief, steals large quantities of data and leaves very little evidence of its presence.
A hacking group known as Suckfly is using stolen security certificates to bypass code signing mechanisms, allowing them to distribute malware-laden apps more effectively.
The folks at Duo Security published an interesting post that aims to demystify malware attacks, describing malware infrastructure and explaining how malware spreads.
Ars Technica reported on the surprising resurgence of Office macro malware. Macros embedded in Office (Word, Excel) documents were a major problem in the 1990s but subsequent security improvements by Microsoft reduced their prevalence until recently. Getting around those improvements only requires tricking the document’s recipient into enabling macros, and it turns out that this is surprisingly easy.
Millions of customer records were made available in the wake of yet another major security breach, this time at Verizon.
Google continued to improve the security of its products, with more encryption, better user notifications and other enhancements to GMail.
Brian Krebs reported on spammers taking advantage of the trust users have in ‘.gov’ domains to redirect unsuspecting users to their spammy offerings.
Opera announced that their web browser will now include ad-blocking features that are enabled by default.