Category Archives: Internet Explorer

Patch Tuesday for September 2013

Another month, another pile of patches from Microsoft. This month there are fourteen bulletins, addressing security vulnerabilities in Windows, Internet Explorer, Office, and the .NET framework. Four of the bulletins are rated Critical.

As usual, the updates will become available after 10am PST from Windows Update.

The SANS Internet Storm Center has a detailed look at the vulnerabilities addressed by this month’s patches.

The Microsoft Security Response Center has a somewhat friendlier summary of this month’s updates.

Flash 11.8.800.168 fixes several security vulnerabilities

A new version of Flash was announced by Adobe today. Version 11.8.800.168 fixes four critical vulnerabilities. The official release announcement from Adobe provides details on all of the changes in this new version.

Anyone who uses a Flash-enabled web browser should install the new version as soon as possible. That includes anyone who uses YouTube.

The changes in this version will be ported to the Chrome web browser as embedded Flash version 11.8.800.170. Flash updates for Chrome tend to happen silently in the background. You can see what version of Flash Chrome is currently running by browsing to the chrome://flash/ page. Recently, the version of Flash in Chrome mysteriously rolled back to 11.8.800.97, so it will be interesting to see what happens with 11.8.800.170. (Chrome finally updated itself with Flash 11.8.800.170 on 2013Sep18, a delay of one week, which is somewhat alarming. The version of Chrome itself also changed at the same time, to 29.0.1547.76.)

Internet Explorer 10 on Windows 8 also uses embedded Flash code. Microsoft Security Advisory 2755801, now available from Windows Update, patches IE10 on Windows 8 to use the new Flash version 11.8.800.168.
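
A version check for the builds named above, as an added example that is not part of the original post: it compares versions numerically (a plain string comparison would rank 11.8.800.97 above 11.8.800.168) and flags a rollback between observations. The channel names and the sample observation histories are constructed for illustration.

```python
# Fixed Flash builds named in the post, keyed by hypothetical channel names.
FIXED = {
    "plugin": "11.8.800.168",     # standalone Flash Player
    "ie10-win8": "11.8.800.168",  # embedded in IE10 on Windows 8
    "chrome": "11.8.800.170",     # embedded in Chrome
}


def parse(version):
    """Turn '11.8.800.97' into (11, 8, 800, 97); reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Flash version: {version!r}")
    return tuple(int(p) for p in parts)


def audit(channel, history):
    """history: version strings in the order they were observed.

    Returns a list of findings: 'outdated' when the latest observation is
    below the fixed build, 'rollback' when any observation is lower than
    the one before it.
    """
    seen = [parse(v) for v in history]
    if not seen:
        raise ValueError("no observations for this channel")
    findings = []
    if seen[-1] < parse(FIXED[channel]):
        findings.append("outdated")
    if any(newer < older for older, newer in zip(seen, seen[1:])):
        findings.append("rollback")
    return findings


# Constructed observation histories (not real telemetry).
SAMPLE = {
    "chrome": ["11.8.800.170", "11.8.800.97"],  # regressed after updating
    "plugin": ["11.8.800.168"],                  # at the fixed build
    "ie10-win8": ["11.8.800.97"],                # advisory not yet applied
}


def audit_all(sample=SAMPLE):
    return {channel: audit(channel, hist) for channel, hist in sample.items()}


if __name__ == "__main__":
    for channel, findings in audit_all().items():
        print(channel, findings or ["ok"])
```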

Today is Patch Tuesday for August 2013

It’s that time again. This month Microsoft has issued eight bulletins, with three of them flagged as Critical. The associated patches affect Windows and Internet Explorer. The August 2013 security bulletin has all the technical details. A post on the Microsoft Security Response Center has a somewhat friendlier summary. For a slightly different view of this month’s updates, check out this post on the SANS Internet Storm Center.

The perils of saving passwords in your web browser

Web browsers want to make your life easier, which is why they all offer to store web site userids and passwords. But if you thought this was a safe way to store passwords, you’d be wrong. Still, some browsers handle this better than others.

Lock Your Computer

First of all, regardless of which web browser you use, if a person has access to your computer while you are logged in, and you allow your browser to store passwords, you should assume that the person now knows all your web site passwords. Simple techniques can be used to trick any web browser into displaying otherwise obfuscated (e.g. ‘*****’) passwords as plain text. This is yet another reason – as if you needed one – to always lock your computer when you walk away from it. Most operating systems have a setting that locks your computer for you after a period of inactivity. This is the only way to be at all secure; access to your logged-in computer potentially gives intruders access not only to your passwords, but also to all of your documents.

Password saving features in web browsers

Given the above, does it even make sense to worry about how your web browser handles saved passwords? There are arguments for both points of view. From my perspective, security should be layered: getting past one security hurdle shouldn’t open up everything. So if you allow your browser to save passwords, you should consider using the browser’s settings to secure those passwords. The four browsers I use handle passwords with varying degrees of security:

  • Firefox: Prompts to store passwords. By default, shows your saved passwords to anyone who looks in the settings. You can set up a master password to control access to the stored passwords; you will be prompted for the master password once per session, and when you try to show your passwords.
  • Opera: Prompts to store passwords. Doesn’t show passwords anywhere. You can set up a master password to control access to the stored passwords, which you will be prompted for once per session and at set intervals.
  • Internet Explorer: Prompts to store passwords. Doesn’t show passwords anywhere. No master password.
  • Google Chrome: Prompts to store passwords. Shows passwords to anyone who looks in the settings. No master password.

Google Chrome stands out in this list, since it both shows your passwords, and has no master password feature. Elliot Kember recently wrote about this, describing Chrome’s password handling as ‘insane’. I’m not sure I would go that far, but Chrome clearly needs a master password feature.

I’d like to see all web browsers show a prominent warning to any user who uses a password saving feature: “WARNING: saved passwords can be retrieved extremely/relatively easily. Always lock your computer when you leave it unattended.”

Update 2013Aug11: Here’s Google’s response.

Update 2013Aug25: Tim Berners-Lee (the person who invented the World Wide Web) weighs in. tl;dr – he agrees that Chrome should at least have a master password.

Patch Tuesday for June 2013

This month there are five bulletins, addressing 23 vulnerabilities in Windows, Office and Internet Explorer. Only one (MS13-047, affecting Internet Explorer) is marked as Critical.

The bulletin summary has all the technical details.

Related links:
Improved cryptography infrastructure and the June 2013 bulletins
SANS: Microsoft June 2013 Black Tuesday Overview