Category Archives: Google

Chrome, Google, Patches and updates, Security

Chrome 47 released

Leave a comment

Google just announced another new version of Chrome. Version 47.0.2526.73 includes fixes for at least 41 security vulnerabilities.

Alas, the only complete list of changes is the change log (warning: clicking may crash your browser), which as usual includes so much detail that it’s a headache to parse. It’s thousands of lines long. I started reading it, and ten minutes later, my browser scrollbar still hadn’t moved. Presumably if this version included any noteworthy changes, Google would mention them in the release announcement.

Meanwhile, if you use Chrome, you should install the new version, because of the security fixes it contains.

Chrome, Google, Security, Windows XP

Google to discontinue support for Chrome on Windows XP

Leave a comment

Google recently announced that they will no longer support Chrome running on Windows XP after April, 2016. Chrome will still run on Windows XP, but Google won’t address any new security issues in Chrome that don’t affect newer versions of Windows.

Standard advice to anyone still running Windows XP has included avoiding Internet Explorer in favour of a browser that’s still being updated, like Chrome. After next April, Chrome will be potentially as risky to use on XP as Internet Explorer.

Adobe, Chrome, Flash, Google, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for November 2015

Leave a comment

It’s that time again. This month’s crop of updates from Microsoft addresses security problems in the usual suspects, namely Windows, Office, .NET and Internet Explorer. Adobe joins the fun with yet another batch of fixes for Flash, and Google releases another version of Chrome with the latest Flash.

The Microsoft security summary bulletin for November 2015 gets into all the technical details. There are twelve separate bulletins with associated updates. Four of the updates are flagged as Critical. One of the updates affects the Windows 10 web browser Edge. A total of 53 vulnerabilities are addressed.

Flash 19.0.0.245 includes fixes for at least seventeen vulnerabilities. As usual, Internet Explorer in recent versions of Windows will be updated via Windows Update. Chrome gets the new Flash via its internal updater. Anyone still using a web browser with Flash enabled should install the new Flash as soon as possible.

Chrome 46.0.2490.86 includes the latest Flash (see above) and fixes a security issue in its embedded PDF viewer.

Adobe, Adware, Android, Apple, Firefox, Flash, Google, Internet crime, Java, Malware, Mobile, Security, Silverlight, WordPress and other CMS

October Security Roundup

Leave a comment

You probably shouldn’t rely on the security of your encrypted email. Even if you’re using current encryption technologies, certain conditions may arise during transit that cause your message to be transmitted in plain text.

There’s a well-reasoned response to a common question about the responsibility of Certificate Authorities over on the Let’s Encrypt blog. These fine folks will soon be providing free HTTPS certificates to the world, so they’ve been answering a lot of questions about how their service will work.

There’s going to be a minor apocalypse, starting January 1, 2016. On that date, Certificate Authorities will stop issuing certificates that use SHA1 encryption. SHA1 is now considered too weak for use, and is being phased out in favour of SHA2, which is much stronger. Just one problem: people stuck using older browser software and devices will lose their ability to access secure web sites and use those devices. There’s more technical nitty-gritty over at Ars Technica.

Symantec hasn’t done enough to clean up its Certificate Authority activities, according to Google. This follows the discovery that Symantec employees were issuing unauthorized certificates. Google has warned Symantec to provide a proper accounting of its CA activities or face the consequences.

A critical vulnerability in the blogging platform Joomla was discovered in October. The bug exists in all versions of Joomla from 3.2 onward. A patch was developed and made available, and anyone who manages a Joomla 3.x -based site is strongly advised to install the patched version (3.4.5) as soon as possible.

It’s increasingly dangerous to be a computer security researcher. New agreements could even make the work illegal in some regions.

Flaws in many self-encrypting external hard drives from Western Digital mean their encryption can be bypassed, according to researchers.

Google made it easier to determine why a site is flagged as unsafe, adding a Safe Browsing Site Status feature to their Transparency Report tools.

Mozilla is following the lead of Google and Microsoft, and plans to all but eliminate support for binary plugins in Firefox by the end of 2016. Binary browser plugins for Java, Flash, and Silverlight provide convenience but are a never-ending security headache. There’s one exception: Mozilla will continue to support Flash as a Firefox plugin for the foreseeable future.

The FBI teamed up with security vendors to take down another botnet in October. The Dridex botnet mainly targeted banking and corporate institutions, gathering private data and uploading it to control servers.

Cisco researchers, working with Limestone Networks, disrupted a lucrative ransomware operation in October.

A stash of thirteen million user names and plain text passwords was recently obtained by a security researcher. The records were traced to 000Webhost, an Internet services provider.

The Patreon funding web site was breached, and private information about subscribers, including encrypted passwords and donation records, was published online. Source code was also stolen, which may make decrypting the passwords much easier.

Researchers discovered numerous iPhone applications that collect and transmit private user information, in violation of Apple’s privacy policies. These apps apparently made it into the App Store because of a loophole in the validation process.

87% of Android-based devices are vulnerable to security exploits. Google develops Android updates quickly enough, but phone makers are typically very slow to make updates available to users.

New Android vulnerabilities, dubbed ‘Stagefright 2.0’ by researchers, were announced in early October. As many as a billion Android devices are vulnerable, and although patches were made available by Google, they may take weeks or months to find their way to individual devices.

A malicious Android adware campaign tricks unwary users into installing apps that appear to be from trusted vendors. These apps use slightly-modified icons of legitimate apps to fool users.

Adobe, Chrome, Flash, Google, Patches and updates, Security

Flash update for Chrome

Leave a comment

Chrome has been updated to include the latest Flash, itself recently updated (outside the normal monthly update cycle) to fix a critical vulnerability. Luckily, if you use Chrome with Flash enabled, you don’t have to do anything; it will update itself.

Version 46.0.2490.80’s release notes don’t add much to the conversation, but predictably, the full change log is loaded with useless details. Nothing much of interest there, anyway.

Chrome, Google, Patches and updates, Security

24 security fixes in latest version of Chrome

Leave a comment

Chrome 46.0.2490.71 includes fixes for a variety of issues, including at least 24 security vulnerabilities.

As usual, the details are buried in the rather technical change log. Go ahead and take a look, but set aside several hours, because that log is 245,986 lines long. That’s not a typo. I started reading the log, and after scrolling down about 20 pages, I noticed that my browser’s scrollbar hadn’t even moved. There may some interesting stuff in there, but life’s too short to read that monstrosity.

Adobe, Android, Apple, Flash, Google, Hardware, Internet crime, Linux, Mac, Malware, Mobile, Privacy, Security, Shockwave

Security & privacy roundup for September 2015

Leave a comment

Android made security news in September for a lockscreen bypass hack and a ransomware app designated Android/Lockerpin.A.

Passwords in the leaked Ashley Madison user database became much easier to decrypt, once again reminding us to avoid re-using passwords.

A rogue version of the iPhone development tool XCode was found to have added malicious code to almost 500 legitimate apps. Those apps were published on the Apple App Store, and were subsequently installed by millions of iPhone and iPad users.

In other Apple-related news, a simple bypass for the Gatekeeper process, that protects Mac OS X users from malicious software, was discovered.

This month’s Flash updates prompted Brian Krebs to take another look at Adobe Shockwave. He found that even the most recent versions of Shockwave still contain very out of date versions of Flash, and strongly recommends that you remove Shockwave from all your computers.

A series of exploits against the Imgur and 8chan sites caused little damage, despite their enormous potential. The true goals of the hack are still in question, and the associated vulnerabilities on the affected sites have been fixed.

A researcher discovered several serious vulnerabilities in popular security software from Kaspersky Labs. While there’s no evidence of exploits in the wild, this is rather alarming. Anti-malware software typically has access to core system functionality, making working exploits very valuable to attackers. Kaspersky Labs acted quickly to fix the bugs, but this isn’t the first time security software has been found vulnerable, and likely won’t be the last.

A new botnet called Xor.DDoS is using compromised Linux computers to perform DDoS attacks against a variety of web sites, probably at the request of paying customers. The Linux computers hosting the botnet appear to have been compromised via weak root passwords. So far, most of the targets are in Asia. This marks a shift in platform for botnet developers, which previously focused almost exclusively on Windows.