Category Archives: Patches and updates

Critical security flaw affects millions of systems

Here we go again. Researchers have discovered (actually more like rediscovered) a very bad flaw in the commonly-used GNU C Library, also known as glibc.

The flaw has existed, undiscovered, since 2008. It was discovered and reported to the glibc maintainers in July of 2015 (CVE-2015-7547), but nothing was done about it until Google researchers re-discovered the flaw and reported it on a public security blog.

The glibc maintainers reacted to the Google revelations by developing and publishing a patch. It’s not clear why such a serious vulnerability was not fixed sooner.

But that’s not the end of the story. Any computer or device that runs some flavour of Linux, including most of the world’s web servers and many routers, is potentially vulnerable. Individual software applications that are compiled with glibc are also potentially vulnerable.

Although it’s safe to assume that diligent sysadmins will update their Linux computers, tracking down all the affected software will take time. The Linux firmware running on routers and other network devices will be updated much more slowly, if at all. All of this opens up many exploitation possibilities for the foreseeable future.

The good news is that there are several mitigating factors. Many routers don’t use glibc. In some cases, default settings will prevent exploits from working. Android devices are not vulnerable. Still, this problem is likely to get worse before it gets better.

Update 2016Feb20: Dan Kaminsky just posted his analysis of the glibc vulnerability. It’s very technical, but if you’re looking for a deeper dive into this subject, it’s a great place to start. Dan helpfully explains why it’s difficult to predict just how bad things will get.
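The post notes that patching the library is only part of the job: any process that loaded the old glibc before the update keeps running the vulnerable code until it is restarted. The script below is an added example, not code from this post or from the glibc project. It reports the installed glibc version and, as a defender's check, lists processes whose mapped libc file the kernel now marks as deleted (replaced on disk). It assumes a Linux host with /proc, POSIX sh and awk, and uses 2.23 as the first upstream glibc release that contains the CVE-2015-7547 fix; distributions backported the fix to older branches, so a lower number is a prompt to check your distribution's advisory, not proof of vulnerability. The sample maps content near the bottom is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the original post. Reports the installed glibc
# version and lists processes that still map a libc file that was replaced on
# disk after an update, i.e. processes that need a restart before the patched
# library takes effect. Assumes a Linux host with /proc and POSIX sh/awk.
# The parsers take their input as arguments or stdin so they can also be
# exercised on the constructed sample at the bottom.

# Extract "major.minor" from the first line of `ldd --version`, whose last
# field is the version on glibc-based systems, e.g.
# "ldd (Ubuntu GLIBC 2.31-0ubuntu9) 2.31" -> "2.31".
glibc_version_from_ldd() {
    printf '%s\n' "$1" | head -n 1 | awk '{ print $NF }'
}

# Succeed (exit 0) when version $1 is at or above version $2, comparing the
# numeric major and minor fields; anything beyond minor is ignored.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        if (x[1] + 0 != y[1] + 0) exit ((x[1] + 0 > y[1] + 0) ? 0 : 1)
        exit ((x[2] + 0 >= y[2] + 0) ? 0 : 1)
    }'
}

# Read one /proc/<pid>/maps file on stdin and print each distinct libc path
# that the kernel marks "(deleted)": the file was replaced on disk (the update
# installed a new libc) but this process is still running the old copy.
stale_libc_in_maps() {
    awk '/libc(-[0-9.]+\.so|\.so\.6)/ && $NF == "(deleted)" { print $6 }' | sort -u
}

# Walk every readable process map and report the ones still using a stale
# libc. Maps of other users' processes are only readable as root.
report_stale_libc_processes() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        stale=$(stale_libc_in_maps < "$maps")
        if [ -n "$stale" ]; then
            printf 'pid %s still maps replaced libc: %s\n' "$pid" "$stale"
        fi
    done
}

# Constructed sample maps content (not captured from a real host): a process
# whose libc-2.22.so was replaced after it started, plus unrelated mappings.
SAMPLE_MAPS='00400000-0040b000 r-xp 00000000 08:01 131 /usr/sbin/sshd
7f3a00000000-7f3a001c0000 r-xp 00000000 08:01 918 /lib/x86_64-linux-gnu/libc-2.22.so (deleted)
7f3a001c0000-7f3a003c0000 r--p 001c0000 08:01 918 /lib/x86_64-linux-gnu/libc-2.22.so (deleted)
7f3a00400000-7f3a00420000 r-xp 00000000 08:01 771 /lib/x86_64-linux-gnu/libpthread-2.22.so
7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0 [stack]'

# Run the stale-libc parser over the constructed sample.
demo_stale_libc() {
    printf '%s\n' "$SAMPLE_MAPS" | stale_libc_in_maps
}

main() {
    if command -v ldd >/dev/null 2>&1; then
        ver=$(glibc_version_from_ldd "$(ldd --version 2>/dev/null)")
        printf 'installed glibc: %s\n' "${ver:-unknown}"
        # 2.23 is the first upstream release that contains the CVE-2015-7547
        # fix; distributions backported it to older branches, so a lower number
        # means "confirm against your distribution's advisory", not "vulnerable".
        if [ -n "$ver" ] && version_ge "$ver" 2.23; then
            echo 'glibc >= 2.23: upstream fix present'
        else
            echo 'glibc < 2.23 (or not glibc): check that your distribution backported the fix'
        fi
    else
        echo 'ldd not found: cannot determine the C library version'
    fi
    echo 'sample maps parse:'
    demo_stale_libc
    echo 'scanning /proc for processes still using a replaced libc:'
    report_stale_libc_processes
}

main
```

Run it as root after applying the update so that every process's maps are readable; each reported pid is a service that still has the pre-patch library in memory and should be restarted (or the host rebooted). Statically linked binaries do not show up here at all, which is the "individual software applications compiled with glibc" case the post warns about: those need a rebuild or a vendor update.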

Opera 12 isn’t dead yet

It’s been ages since Opera updated the classic (pre-Webkit) version of their browser. Although still available for download and still technically supported, the old version is obviously not Opera’s focus. Before yesterday, the latest version of classic Opera was 12.17, and hadn’t changed since April 2014.

Yesterday, in response to recent web-wide changes affecting security, Opera released a new version of the 12-series browser: 12.18. The associated announcement explains why this was done. Sadly, the new version isn’t even mentioned on the change logs page. There is a link to the 12.17 change log, but that link is broken.

In related news, Opera (the company that develops the Opera browser) is expected to be sold to a Chinese consortium in the near future. It’s difficult to predict how the new owners will influence the browser, but I’m not optimistic. I had begun switching from Firefox to Opera as my main browser, but that’s on hold for now.

Meanwhile, I’m looking at Vivaldi, an alternative browser developed by former Opera employees. So far it looks promising.

Windows 10 Insider Preview Build 14257

My Windows 10 testing computer is still on the Windows Insider Preview ‘Fast Ring’, which means it gets the very latest Windows 10 preview builds as soon as they become available.

The test machine was just updated to preview build 14257. This build includes a lot of bug fixes, including one for a nasty app-crashing problem related to memory management. The WSClient.dll error dialog box problem has not yet been resolved.

Firefox 44.0.1 and 44.0.2

Two stealth releases this week for Firefox. Version 44.0.1 was released on February 8 to fix a handful of minor bugs. Version 44.0.2 was released yesterday to fix a startup hanging problem and to address one security issue.

Most installations of Firefox will offer to update themselves automatically, but since 44.0.2 includes a security fix, you should check your version and trigger an update if you’re still running an older version.

If you’re wondering where Mozilla hid the ‘About’ box:

  1. Click the ‘hamburger’ button (three stacked horizontal lines) at the top right.
  2. Click the question mark button at the bottom of the menu.
  3. Click ‘About Firefox’.

Microsoft finally providing Windows 10 update history

Responding to a steady stream of complaints since the launch of Windows 10, Microsoft has finally relented and will now provide useful notes to accompany changes to the operating system.

The Windows 10 update history page shows changes to release versions, starting with the initial release (build 10240.16683) in July, and ending with the most recent release version, 10586.104.

The notes for release 10586.104 show that a serious security flaw related to InPrivate browsing in the Edge browser has now been fixed.

Patch Tuesday for February 2016

Thirteen security updates from Microsoft this month address over forty issues in Windows, Internet Explorer, Edge, Office, server software and .NET. Six are flagged as Critical.

In keeping with their recent practice of tagging along with Microsoft, Adobe also just released several updates, most notably for Flash. The latest version of Flash is now 20.0.0.306. As usual, Internet Explorer on Windows 8.1 and 10 and Edge on Windows 10 will get their new Flash via Windows Update, and Chrome will update itself with the latest Flash. The associated security bulletin gets into all the technical details. A total of 22 vulnerabilities are addressed in the new version.

New Java versions address installation vulnerability

Java 8 Update 73, Java 7 Update 97, and Java 6 Update 113 were announced yesterday by Oracle. The new versions fix a serious vulnerability in the Windows installer for all previous versions of Java.

Although technically you don’t need to install the latest versions of Java if you were already up to date, you should at least make sure that you have uninstalled any older versions of Java on your Windows computers. Also, if you have any previously-downloaded Java installers, you should remove those as well.

And finally, be very careful about where you obtain Java. Always make sure that you’re getting it from Oracle, via the main Java download page or using the Windows Java Control Panel.

A security alert for the new Java versions provides additional information.

EMET 5.5 now available

Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) version 5.5 was released on February 2.

EMET is not a substitute for anti-malware software, but it does provide an additional layer of security against typical malware activity. If malware finds its way onto your Windows computer, EMET can prevent it from causing actual damage; by default, it kills the affected process.

EMET is free, and recommended. Unfortunately, when you use EMET, there’s a chance that it will cause problems for legitimate software. A few weeks ago – before EMET 5.5 was released – EMET started reporting problems with my main computer’s Office software, including Outlook and Excel. I was forced to disable some of EMET’s detection settings for those programs. I had hoped that EMET 5.5 would resolve these issues, but it did not.

Still, EMET can be a useful addition to your security toolkit, if you’re willing to put up with the occasional glitch.