Category Archives: Google

Chrome, Google, Patches and updates, Security

Chrome 45.0.2454.85 fixes 29 security bugs

Leave a comment

The newest version of Chrome is 45.0.2454.85. At least 29 security vulnerabilities were fixed in this release, and there are hints of bigger changes to come in later releases of version 45 in the associated announcement.

The change log for this version is enormous. The first reader who wants to risk a migraine to review the whole thing, and reports back to me everything that changed in this version, will win a six-pack of their favourite beer (offer expires with the next release of Chrome).

Update 2015Sep04: We now have at least a partial answer to the question. Yesterday Google published a post on the Chrome blog that explains some of the changes in Chrome 45. It’s all about performance. If you have Chrome configured to load open pages from its last session, it will now start more quickly. Chrome will now use idle time to free up memory it’s no longer using. And the expected change that prevents Flash content from auto-playing is now in effect.

Adware, Android, Chrome, Firefox, Flash, Google, Hardware, Malware, Mobile, Patches and updates, Privacy, Security

Security roundup for August 2015

Leave a comment

Last month in security and privacy news…

A weakness was discovered in the open BitTorrent protocol, rendering torrent software vulnerable to being used to initiate DDoS attacks. The BitTorrent protocol flaw was quickly updated, and patches for affected software were developed and distributed.

Malvertising continued to spread, most recently affecting popular sites like weather.com, drudgereport.com, wunderground.com, and eBay. Anyone visiting those sites with an unpatched browser may have inadvertently caused their computer to be compromised. Needless to say, the malicious ads were built with Flash.

It was a bad month for Android, as one of the updates released by Google that were intended to fix the Stagefright flaw turned out to be faulty, leaving some devices still vulnerable, and forcing Google back to the drawing board. Security researchers also discovered a flaw in Android’s Admin program that allows apps to break out of the security ‘sandbox’ and access data that should be inaccessible. Two flaws in fingerprint handling were also found in many Android devices, leaving both stored fingerprints and the fingerprint scanner itself vulnerable. And finally, new research exposed the predictability of Android lock patterns, making this particular form of security much less effective.

Lenovo’s hapless blundering continued, with the discovery that many of their PCs were using a little-known BIOS technology to ensure that their flawed, insecure crapware gets installed even when the operating system is reinstalled from scratch. Will these bozos ever learn?

Jeff Atwood reported on a new danger: compromised routers. If an attacker gains control of your router, there’s almost no limit to the damage they can inflict. Worse, there are no tools for detecting infected routers. If your router is compromised, no amount of malware scanning on your network’s computers will help. You’re vulnerable until you realize that the router is the problem and replace it or re-flash its firmware.

Mozilla offered more details on planned changes to Firefox that are expected to improve the browser’s security, stability, and performance. These changes are likely to benefit Firefox users, but will come at a cost: many existing browser add-ons will become obsolete. Add-on developers will be forced to make big changes or retire their software. Certain types of add-ons may not even be possible with the changes Mozilla plans.

In privacy news, the Electronic Freedom Foundation (EFF) released version 1.0 of Privacy Badger, a Chrome and Firefox add-on that blocks tracking mechanisms used on the web. The add-on initially doesn’t block anything, but learns as you browse, detecting cookies that are used on more than one site and blocking them.

And in other EFF news, a new malware campaign uses spearphishing techniques to get targets to visit what is supposed to be an EFF web site but is in fact a source of virulent malware.

Google announced upcoming changes to Chrome that will prevent extension developers from using deceptive practices to trick users into installing their software. Specifically, the ‘inline installation’ process will no longer work for extensions that are associated with these deceptive techniques. This is a good example of a software maker (Google) backing away from a feature that improved usability at the cost of security.

Google also firmed up plans to prevent most Flash media from being displayed by default in Chrome. Flash media won’t be blocked, but users will be required to click on each embedded video before it will play. Google’s official reason for doing this is to improve Chrome’s performance, but the change should reduce the spread of malvertising as well. Of course, Google’s own advertising network still allows Flash-based ads, and those ads will still auto-play. Google’s advice to advertisers is to switch from Flash-based ads to HTML5-based ads, or move to Google’s ad network.

And finally, Ars Technica posted a useful overview and instructions for encrypting your desktop, laptop and mobile devices. Be warned, total device encryption is not for the faint-hearted and comes with certain risks. For example, if you forget to tell your IT person that your hard drive is encrypted and they try to recover your computer from a failure, you may lose everything, even if your data is backed up.

Chrome, Google, Patches and updates

Chrome 44.0.2403.155 released

Leave a comment

Chrome updates now happen so frequently, and they so rarely cause problems, that I no longer have any qualms about the browser’s auto-update mechanism. Of course, if a Chrome update makes the browser unusable, I can use another browser for however long it takes Google to fix it, which would not be the case for a bad Windows update.

The release announcement for Chrome 44.0.2403.155 doesn’t provide any details, which is starting to become the norm, sadly. And Google was doing so well with this…

Parsing the change log reveals that the new version contains fixes for a few minor issues, including at least one related to stability.

Adobe, Chrome, Firefox, Flash, Google, Internet Explorer, Patches and updates, Security

Flash 18.0.0.209 fixes latest vulnerabilities

1 Comment

Earlier today, Adobe released yet another version of Flash to address the most recent vulnerabilities revealed in the Hacker Team leak (CVE-2015-5122 and CVE-2015-5123).

According to the release notes for version 18.0.0.209: “These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly.

If you still need to use a web browser with Flash enabled, you should install the new Flash version immediately. As usual, Internet Explorer 10/11 in Windows 8.x will receive the Flash update via Windows Update. A new version of Google Chrome (43.0.2357.134) includes the most recent Flash version.

Ars Technica has more about the latest updates and efforts to minimize Flash-related vulnerabilities by Mozilla and Google.

Adobe, Firefox, Flash, Google, Security

Yet another Flash exploit revealed

Leave a comment

At this point, the Hacking Team leak appears to be a never-ending source for Flash exploits. A third vulnerability was just discovered among the leaked materials. As always, we recommend disabling Flash completely in your browser, or setting up one browser with Flash, to be used only when you have no other choice.

To reduce potential damage, Mozilla has configured Firefox to block all versions of Flash up to version 18.0.0.203. Of course, that won’t help for as-yet unpatched vulnerabilities such as the last two from the Hacking Team leak.

Meanwhile, there’s renewed interest in eliminating Flash from the web completely. YouTube abandoned Flash for an HTML5-based video player recently, and organized campaigns like Occupy Flash are trying to keep the ball rolling by encouraging both users and service providers to stop using Flash. Facebook’s Chief Security Officer wants Adobe to announce the end of Flash.

We’re hoping that Google is working to remove Flash from their advertising infrastructure, since for many users, Flash-based advertisements are their biggest remaining exposure to Flash.