Category Archives: Patches and updates

Critical security update for Joomla

Joomla 3.6.4, released on October 25, addresses two critical security vulnerabilities that could allow an attacker to gain control of a Joomla-based web site.

Like WordPress, Joomla forms the basis of numerous web sites, because it’s easy to set up and manage. Its popularity and ease of use have of course also made Joomla a target for malicious hackers, who know that many Joomla sites are not kept up to date by their inexperienced owners.

If you manage a Joomla 3+ web site, please install this update as soon as possible. It’s very likely that attackers are already searching the web for vulnerable sites. Unless of course you want your site to be part of a botnet (which may sound cool, but really isn’t).

Opera 41

Faster startup times when re-opening multiple tabs, better use of available hardware acceleration for video, and improvements to the news reader are featured in Opera 41.0.2353.46, released on October 25.

The release notes and history for Opera are no longer being updated, so aside from announcement blog posts, finding the details for a new version involves reviewing the major version change logs. These logs include beta and developer releases, and only sometimes include the main ‘Stable’ releases. The log for Opera 41 was last updated for the version 41.0.2353.30 beta on October 19.

Serious Linux kernel vulnerability patched

As amusing as it may sound, the recently-patched ‘Dirty Cow’ Linux kernel vulnerability (CVE-2016-5195) highlights a couple of important points:

  • vulnerabilities – even known ones – can remain unpatched in critical software for years; and
  • a misconfigured server that allows uploaded files to be executed is easily hacked.

At first glance, the Dirty Cow vulnerability may not seem particularly noteworthy. It doesn’t directly allow for arbitrary code execution. But it does allow an attacker who already has the ability to run arbitrary code on a target system to gain full access to that system via privilege escalation.

A Linux server that allows user uploads of any kind is normally configured so that uploaded files cannot be executed. However, it’s very easy to get this wrong, especially for web servers. Still, in most cases, being able to run an uploaded file remotely isn’t enough to provide the kind of access attackers want. Dirty Cow provides that access.
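As an added illustration of the upload-directory point above (my own check, not code from the post or from the Linux kernel project): a POSIX shell audit that lists files under an upload directory carrying an execute bit and reports whether the filesystem holding it is mounted `noexec`. It assumes GNU or BSD `find` (for `-perm /111`) and util-linux `findmnt`; it covers filesystem permissions only, so a web server that passes uploads to a script handler by file extension still needs its handler configuration reviewed separately.

```shell
#!/bin/sh
# Audit an upload directory for two misconfigurations the post describes:
# uploaded files that are executable, and an upload filesystem that is not
# mounted noexec. Paths below are placeholders, not from the original post.

# Print every regular file under $1 that has any execute bit set
# (GNU/BSD find: -perm /111 matches if any of u/g/o exec bits is on).
list_executable_uploads() {
    find "$1" -type f -perm /111 2>/dev/null
}

# Return 0 if the mount hosting $1 carries the noexec option, 1 otherwise.
# Without findmnt (util-linux) we cannot tell, so treat it as not noexec.
mount_is_noexec() {
    command -v findmnt >/dev/null 2>&1 || return 1
    opts=$(findmnt -n -o OPTIONS --target "$1" 2>/dev/null) || return 1
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Summarise both checks for $1. Returns 0 only when no uploaded file is
# executable AND the mount is noexec; anything else is a finding.
audit_upload_dir() {
    dir=$1
    count=$(list_executable_uploads "$dir" | wc -l | tr -d ' ')
    if mount_is_noexec "$dir"; then
        mount_state="noexec"
    else
        mount_state="exec-allowed"
    fi
    echo "$dir: $count executable file(s); mount is $mount_state"
    [ "$count" -eq 0 ] && [ "$mount_state" = "noexec" ]
}

# Run against the directory named on the command line, e.g. a constructed
# path such as /var/www/html/uploads; no argument means nothing is audited.
if [ $# -gt 0 ]; then
    audit_upload_dir "$1"
fi
```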

Anyone running a Linux server is strongly advised to install the available kernel updates for Dirty Cow immediately.

Silverlight 5.1.50901.0

These days, new Silverlight versions are typically released by Microsoft in connection with monthly Patch Tuesdays. That’s what happened with the latest version, 5.1.50901.0, which should have been installed with the other updates on Windows systems on October 11.

The new version fixes a single vulnerability, as documented in the associated security bulletin (MS16-120) and Knowledge Base article (KB3192884).

You can verify that you’re running the latest version of Silverlight by visiting the Get Microsoft Silverlight page.

Chrome 54.0.2840.59

A new version of Google’s Chrome web browser includes fixes for at least twenty-one security issues.

According to the announcement, Chrome 54 “contains a number of fixes and improvements”, but it doesn’t mention any specifics. If you want to know exactly what’s different, you’ll have to risk crashing your web browser and look at the full change log, which lists at least 10,000 changes.

For most users, Chrome will update itself over the next few days. You can usually trigger an update by running Chrome and navigating to the Help > About page (click the ‘three dots’ icon at the top right).

Adobe software updates: October 2016

Adobe announced new versions of Flash and Reader/Acrobat yesterday.

Flash 23.0.0.185 fixes twelve vulnerabilities in previous versions. The new version also adds some new features, but these are likely only of interest to developers. If you still have Flash enabled in any web browser, you should either update it immediately, or disable Flash in the browser. As usual, Chrome will update itself with the latest version, and Internet Explorer and Edge on Windows will get the new Flash version via Windows Update.

New versions of Reader/Acrobat (XI, DC Classic and DC Continuous) address a whopping seventy-one vulnerabilities in previous versions. If you use a web browser with an Adobe Reader add-on, you should either update it as soon as possible or disable that add-on.

Patch Tuesday: October 2016

It’s the first day of a new era in Windows updates. Windows 7 and 8 now get their updates as cumulative rollups, with individual fixes bundled together.

This month there are ten security bulletins. Each bulletin is associated with one fix for a specific vulnerability in an application, library, or API; or with a bundle of fixes that address several vulnerabilities in Windows.

Each bulletin is associated with at least one Knowledge Base article, and sometimes with additional KB articles that apply to different versions of Windows, Office, .NET, or some other application. Each additional KB article is associated with a version-specific update. There are often two sets of KB articles: one for the security-only quality update and one for the security monthly quality update.

All of the security updates this month are available via Microsoft Update. Most are also available from the Microsoft Download Center and the Microsoft Update Catalog (MUC). Downloading updates from the MUC technically requires Internet Explorer, but you can use any other browser by navigating to http://catalog.update.microsoft.com/v7/site/Rss.aspx?q=KBxxxxxxx (replacing KBxxxxxxx with the KB article number).

So far I don’t see anything in these new updates that looks particularly worrisome. Of course there’s always a risk that Microsoft will slip something in that we don’t want, but there’s a non-trivial amount of scrutiny being directed toward Microsoft right now, and I’m confident someone will quickly spot anything untoward.

I was half-expecting the updates to be as poorly documented as Windows 10 updates, but instead the Windows 10 updates are now as well documented as the others. I also thought there would be fewer bundles, and I didn’t expect them to be grouped as sensibly as they are.

The new system is simpler in some ways, and it does at least unify all versions of Windows to some extent, although Windows 10 updates are still treated somewhat differently. It all actually seems less clunky than before, which is a very nice surprise.

Questions remain. It’s unclear how bad updates will be handled. In the past, if an update broke Windows, you could uninstall it. Now, presumably, you’d have to uninstall an entire bundle. Or something. We’ll see how it goes next month when rollups start arriving with multiple months’ worth of updates.

Update 2016Oct12: Brian Krebs’ take on the new Windows Update system.