Category Archives: Internet Explorer

Adobe, Chrome, Flash, Google, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for November 2015

Leave a comment

It’s that time again. This month’s crop of updates from Microsoft addresses security problems in the usual suspects, namely Windows, Office, .NET and Internet Explorer. Adobe joins the fun with yet another batch of fixes for Flash, and Google releases another version of Chrome with the latest Flash.

The Microsoft security summary bulletin for November 2015 gets into all the technical details. There are twelve separate bulletins with associated updates. Four of the updates are flagged as Critical. One of the updates affects the Windows 10 web browser Edge. A total of 53 vulnerabilities are addressed.

Flash 19.0.0.245 includes fixes for at least seventeen vulnerabilities. As usual, Internet Explorer in recent versions of Windows will be updated via Windows Update. Chrome gets the new Flash via its internal updater. Anyone still using a web browser with Flash enabled should install the new Flash as soon as possible.

Chrome 46.0.2490.86 includes the latest Flash (see above) and fixes a security issue in its embedded PDF viewer.

Adobe, Chrome, Flash, Internet Explorer, Patches and updates, Security

Adobe releases fix for new zero-day exploit

Leave a comment

Yesterday, Adobe released an update for the recently-discovered Flash security vulnerability CVE-2015-7645. Kudos to Adobe for acting quickly to fix this bug, which is being actively exploited on the web.

The new version of Flash (19.0.0.226) addresses the CVE-2015-7645 vulnerability and two others. Additional details are available in the associated security bulletin. Other changes in this version of Flash are described in a post on the Flash runtime announcement site.

As usual, Internet Explorer on newer versions of Windows will get the new version of Flash via Windows Update, and Chrome will update itself via its own auto-updater.

If you’re still using Flash in a web browser, you need to install this update as soon as possible.

Adobe, Chrome, Flash, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for October 2015

Leave a comment

It’s a relatively light month for Microsoft, with only six bulletins, and associated updates affecting Windows, Windows Server, Internet Explorer, Office, and the new Windows 10 browser Edge. Three of the bulletins are flagged as Critical. The bulletin summary has all the details, and it includes a link to Microsoft’s Security Advisories page for 2015, which may be of some interest.

Meanwhile, Adobe’s contribution to this month’s patch pile is more updates for Flash and Reader/Acrobat. The new version of Flash is 19.0.0.207, and it addresses thirteen vulnerabilities. The release notes get into the details of what was changed, which includes a few bug fixes unrelated to security. As always, Chrome will update itself and Internet Explorer on newer versions of Windows will get the new Flash via Windows Update.

The newest versions of Adobe Reader are 11.0.13 for Reader XI, and 2015.009.20069 for Acrobat Reader DC. At least fifty-six vulnerabilities are addressed in these updates. Check out the related security bulletin for additional information.

Internet Explorer, Patches and updates, Security, Windows

Emergency patch for Internet Explorer

Leave a comment

Earlier today, Microsoft issued a special update (MS15-093) to address a critical vulnerability in all versions of Internet Explorer. The new Edge browser is not affected.

Normally, security updates for IE are provided on monthly Patch Tuesdays. Since Microsoft is making this update available outside the regular update cycle, we can assume that exploits for the vulnerability have been observed in the wild.

The vulnerability is a bad one. Merely visiting a specially-crafted web page with Internet Explorer can cause malicious code to execute, leading to the possibility of an attacker installing just about any kind of software or accessing any information on the affected Windows computer.

If you use Internet Explorer, please use Windows Update to install this patch as soon as possible.

Adobe, Flash, Internet Explorer, Microsoft, Patches and updates, Security, Silverlight, Windows

Patch Tuesday for August

Leave a comment

Ah, Patch Tuesday. Of all the tasks we have to perform, there’s nothing quite like it: it’s both tedious and critically important. I’m starting to consider enabling automatic updates, but given Murphy’s Law, no doubt the moment I do that, Microsoft will issue a catastrophic update.

This month we have fourteen updates from Microsoft, affecting the usual culprits (Windows, Internet Explorer, Office, Silverlight, .NET), plus a few new ones: Lync and Edge, the new web browser in Windows 10. Four of the updates are flagged as critical. The updates address a total of 58 vulnerabilities. The update for Silverlight brings its version to 5.1.40728.0. Several of the updates apply to Windows 10. One of the updates addresses a nasty bug that could allow an attacker to execute malicious code from a USB thumb drive.

Adobe is once again tagging along this month, releasing a new version of Flash (18.0.0.232) that addresses a whopping thirty-four vulnerabilities. Needless to say, you should install the new version as soon as possible if you still use Flash in any web browser. Internet Explorer 10 and 11 in Windows 8.x will receive the Flash update via Windows Update, as will the new Edge browser in Windows 10. Chrome will update itself to use the new version.

*nix, Adobe, Chrome, Flash, Internet, Internet Explorer, Malware, Mobile, Security, Spam and scams

July security roundup

Leave a comment

Flash improvements

Adobe is trying desperately to keep Flash viable. In July, they announced structural changes that are expected to strengthen Flash’s overall security. The changes are so far only available in the most recent versions of Chrome, but they are expected to find their way into the other major browsers in August.

Asprox botnet status

There’s an interesting (though technical) overview of recent changes in the behaviour of the Asprox botnet over on the SANS Handler’s Diary. Apparently the botnet is no longer sending malware attachments, and is instead sending pornography and diet-related spam. Comparing my inbox contents with the samples in the linked article, it looks like most of the spam I currently receive is thanks to Asprox. Hopefully Asprox will be targeted by the anti-botnet heavy hitters in the near future.

Flaw in BIND could cause widespread issues

BIND is one of the most common pieces of software on Internet-facing servers. It translates human-readable addresses like ‘boot13.com’ into IP addresses. A bug in version 9 of BIND causes it to crash when a specially-crafted packet is sent to it. Attackers could exploit this bug to execute an effective Denial of Service (DoS) attack against a server running BIND9. Patches have been created and distributed, but any remaining unpatched servers are likely to be identified and attacked in the coming months. Update 2015Aug05: As expected, this bug is now being actively exploited.

Mobile versions of IE are vulnerable

Current, patched versions of Internet Explorer running on mobile devices were recently reported to have four flaws that could allow attackers to run code remotely. Exploits were published, although none have yet been seen in the wild. The vulnerabilities were disclosed by the HP/TippingPoint researchers who discovered them, six months after they privately reported them to Microsoft. Microsoft has yet to patch these vulnerabilities; they apparently feel that vulnerabilities are too difficult to exploit for them to be dangerous.

Stagefright vulnerability on Android devices

A flaw in Stagefright, a core Android software library that processes certain types of media, makes almost all Android phones and tablets vulnerable. The flaw can be exploited as easily as sending a specially-crafted text (MMS) message to a phone, but also by tricking the user into visiting a specific web site. Successful attackers can then access user data and execute code remotely. Unfortunately for users, it’s up to individual manufacturers to develop and provide patches, and this process may take months in some cases. There’s not much users can do to mitigate this problem until patches arrive. Update 2015Aug05: Google is working with its partners to push updates to affected mobile devices.

Mediaserver vulnerability on Android devices

More bad news for Android users: the mediaserver service apparently has difficulty processing MKV media files, and can render a device unusable when it encounters one on a malicious web site. In most cases, the device can be brought back to life by powering it down and back up again.

Android spyware toolkit widely available

And the hits just keep on coming for Android devices. Among the information revealed in the recent Hacking Team breach was the source code for an advanced Android spyware toolkit called RCSAndroid. Like everything else taken from Hacking Team’s systems, this has now been published, and no doubt malicious persons are working on ways to use the toolkit. There’s no easy way to protect yourself from this toolkit, aside from keeping your device up to date with patches. From Trend Micro: “Mobile users are called on to be on top of this news and be on guard for signs of monitoring. Some indicators may come in the form of peculiar behavior such as unexpected rebooting, finding unfamiliar apps installed, or instant messaging apps suddenly freezing.

Adobe, Internet Explorer, Microsoft, Patches and updates, Security, Shockwave, Windows

Patch Tuesday for July 2015

Leave a comment

This month there are fourteen bulletins from Microsoft, with associated updates affecting Windows, Internet Explorer, Office and SQL Server. Four of the updates are flagged as Critical. The updates address at least fifty-nine vulnerabilities.

From Adobe, there are updates for Flash (see previous post), Reader/Acrobat (version 2015.008.20082) and Shockwave (version 12.1.9.159).

So, although installing updates on computers is probably not anyone’s idea of summer fun, let’s all try to keep our sense of humour as we once again work through the monthly update grind. Enjoy!

Update 2015Jul16: This month’s Microsoft updates address three vulnerabilities (two in Internet Explorer) exposed in the recent Hacker Team leak.

Adobe, Chrome, Firefox, Flash, Google, Internet Explorer, Patches and updates, Security

Flash 18.0.0.209 fixes latest vulnerabilities

1 Comment

Earlier today, Adobe released yet another version of Flash to address the most recent vulnerabilities revealed in the Hacker Team leak (CVE-2015-5122 and CVE-2015-5123).

According to the release notes for version 18.0.0.209: “These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly.

If you still need to use a web browser with Flash enabled, you should install the new Flash version immediately. As usual, Internet Explorer 10/11 in Windows 8.x will receive the Flash update via Windows Update. A new version of Google Chrome (43.0.2357.134) includes the most recent Flash version.

Ars Technica has more about the latest updates and efforts to minimize Flash-related vulnerabilities by Mozilla and Google.

Flash, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Microsoft updates for May 2015

Leave a comment

It’s the second Tuesday of the month, so Microsoft is pushing out another set of updates. This month there are thirteen updates, addressing about 50 vulnerabilities in Windows, Internet Explorer, .NET, Office, and Silverlight. Three are flagged as Critical.

As always with security updates affecting Windows, you should install these as soon as possible.

Two of the updates (MS15-044 and MS15-049) affect Silverlight. Once you install these updates, your version of Silverlight should be 5.1.40416.0, which you can confirm on the Get Silverlight page. Installing from that page will also update Silverlight to version 5.1.40416.0. That’s also the only way you can get the latest version if you’re using Windows XP.