Category Archives: Patches and updates

Emergency patch for Internet Explorer

Earlier today, Microsoft issued a special update (MS15-093) to address a critical vulnerability in all versions of Internet Explorer. The new Edge browser is not affected.

Normally, security updates for IE are provided on monthly Patch Tuesdays. Since Microsoft is making this update available outside the regular update cycle, we can assume that exploits for the vulnerability have been observed in the wild.

The vulnerability is a bad one. Merely visiting a specially-crafted web page with Internet Explorer can cause malicious code to execute, leading to the possibility of an attacker installing just about any kind of software or accessing any information on the affected Windows computer.

If you use Internet Explorer, please use Windows Update to install this patch as soon as possible.

WordPress 4.3 released

There are big improvements to password handling in the newest version of WordPress:

You start out with a strong password by default and are given the option to keep it or choose your own. A password strength meter is available, as is the option to hide your password from prying eyes. WordPress will no longer send passwords via e-mail, and password reset links will expire after 24 hours. E-mail notifications will be sent whenever an account’s e-mail address or password is changed.

The release notes for WordPress 4.3 list other changes. There are no security vulnerability fixes in this version, so updating is not urgent, but the password-related changes alone are worth the trouble.

Chrome 44.0.2403.155 released

Chrome updates now happen so frequently, and they so rarely cause problems, that I no longer have any qualms about the browser’s auto-update mechanism. Of course, if a Chrome update makes the browser unusable, I can use another browser for however long it takes Google to fix it, which would not be the case for a bad Windows update.

The release announcement for Chrome 44.0.2403.155 doesn’t provide any details, which is starting to become the norm, sadly. And Google was doing so well with this…

Parsing the change log reveals that the new version contains fixes for a few minor issues, including at least one related to stability.

Firefox 40 improves add-on security

The newest Firefox is version 40, and as usual there was no proper announcement. There’s a post on the Mozilla blog that gets into the details of version 40’s security improvements, but it never mentions the version. The release notes provide additional details. Here are some of the more notable changes:

  • Improvements to Windows 10 support, including workarounds for the way Microsoft messes up default browser settings
  • Add-on certification: non-certified add-ons will be disabled by default
  • Improvements to visual style: for example, the ‘close’ button on tabs is now larger
  • Expanded malware protection, which warns users who are about to visit sites flagged by Google’s Safe Browsing service
  • Smoother animation and scrolling for Windows
  • Improvements to JPEG image handling
  • At least fourteen security fixes

Patch Tuesday for August

Ah, Patch Tuesday. Of all the tasks we have to perform, there’s nothing quite like it: it’s both tedious and critically important. I’m starting to consider enabling automatic updates, but given Murphy’s Law, no doubt the moment I do that, Microsoft will issue a catastrophic update.

This month we have fourteen updates from Microsoft, affecting the usual culprits (Windows, Internet Explorer, Office, Silverlight, .NET), plus a few new ones: Lync and Edge, the new web browser in Windows 10. Four of the updates are flagged as critical. The updates address a total of 58 vulnerabilities. The update for Silverlight brings its version to 5.1.40728.0. Several of the updates apply to Windows 10. One of the updates addresses a nasty bug that could allow an attacker to execute malicious code from a USB thumb drive.

Adobe is once again tagging along this month, releasing a new version of Flash (18.0.0.232) that addresses a whopping thirty-four vulnerabilities. Needless to say, you should install the new version as soon as possible if you still use Flash in any web browser. Internet Explorer 10 and 11 in Windows 8.x will receive the Flash update via Windows Update, as will the new Edge browser in Windows 10. Chrome will update itself to use the new version.

Critical vulnerability in Firefox’s PDF viewer

Firefox has had its own internal PDF viewer for a while now, and it’s enabled by default. When you click on a PDF file link in Firefox, it will do one of the following: a) open with Firefox’s internal viewer; b) open with a PDF viewer plugin such as Adobe’s Reader plugin; or c) download and open with an external viewer. Unfortunately, PDF files can also be embedded on web pages, in which case there’s no need to click on anything to view them; merely visiting a web site with an embedded PDF will show the file’s contents. Worse still, some advertising platforms serve ads in the form of PDF files.

Now comes news that a newly-discovered vulnerability in Firefox’s internal PDF viewer is being actively exploited on at least one advertising network, and that malware-containing PDF ads were recently observed on a Russian news site.

Mozilla confirmed the bug and quickly released Firefox 39.0.3 to address it. All users are strongly encouraged to update Firefox as soon as possible.

But there’s more bad news. There’s no way to know whether this vulnerability has been exploited elsewhere on the web. There’s no reason to assume that only one Russian news site was affected, or that infected ads haven’t already appeared on other ad networks and web sites. If you use Firefox with the internal PDF viewer enabled, there’s a chance your computer ran a malicious script at some point. If you run a script blocker like NoScript and you haven’t altered its default behaviour, you were probably protected.

The only known instance of a malicious script that exploits this vulnerability looks for configuration files related to Subversion, Pidgin, FileZilla, and other FTP applications on Windows systems. If you have any passwords stored in these configuration files, you should consider changing those passwords.

You might also want to consider disabling Firefox’s built-in PDF viewer. To do that, enter ‘about:config’ in the address bar. You’ll see a warning; confirm that you want to proceed by clicking the “I’ll be careful” button. In the Search box, enter ‘pdfjs.disabled’. One setting should appear in the list below. If the setting is currently ‘false’, double-click it to change it to ‘true’. This will prevent embedded PDFs from being shown on web pages.
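If you look after more than one machine, clicking through about:config on each of them gets old fast. Firefox writes any preference you change in about:config to the profile’s prefs.js as a line of the form `user_pref("pdfjs.disabled", true);`, so the setting can be audited from that file. The script below is an added example written for this post, not something from Mozilla or from the original article; the prefs.js line format is real, but the two sample profiles it checks are constructed inline, and the function names are my own.

```python
"""Audit Firefox profiles for the pdfjs.disabled preference.

Firefox records every preference changed in about:config in the profile's
prefs.js (and honours a hand-written user.js) as lines shaped like:

    user_pref("pdfjs.disabled", true);

Everything else in the file (the "# Mozilla User Preferences" header, blank
lines, comments) is ignored by the parser below.
"""
import re
import sys
from pathlib import Path

# One user_pref(...) line: the key in double quotes, then the raw value.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')

# Constructed sample profiles (not real files): one with Firefox defaults,
# one where pdfjs.disabled was flipped to true as described above.
SAMPLE_DEFAULT = """# Mozilla User Preferences

user_pref("app.update.lastUpdateTime.background-update-timer", 1439000000);
user_pref("browser.startup.homepage", "about:home");
"""
SAMPLE_HARDENED = SAMPLE_DEFAULT + 'user_pref("pdfjs.disabled", true);\n'


def parse_prefs(text):
    """Return a dict of preference name -> Python value for a prefs.js body."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_RE.match(line)
        if not match:
            continue  # header, blank line or comment
        key, raw = match.groups()
        if raw == "true":
            value = True
        elif raw == "false":
            value = False
        elif raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]  # quoted string; escapes are left as-is
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # unknown literal: keep the raw text
        prefs[key] = value
    return prefs


def pdf_viewer_disabled(prefs):
    """True only when pdfjs.disabled is explicitly set to true.

    An absent key means Firefox is using its default, and the default is
    false: the built-in viewer is enabled.
    """
    return prefs.get("pdfjs.disabled") is True


def audit_profile_dir(profile_dir):
    """Check a real profile directory: user.js overrides prefs.js at startup."""
    merged = {}
    for name in ("prefs.js", "user.js"):
        path = Path(profile_dir) / name
        if path.is_file():
            merged.update(parse_prefs(path.read_text(encoding="utf-8")))
    return pdf_viewer_disabled(merged)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for profile in sys.argv[1:]:
            state = "disabled" if audit_profile_dir(profile) else "ENABLED"
            print(f"{profile}: built-in PDF viewer {state}")
    else:
        for label, body in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
            state = "disabled" if pdf_viewer_disabled(parse_prefs(body)) else "ENABLED"
            print(f"sample profile '{label}': built-in PDF viewer {state}")
```

Run it with one or more profile directories as arguments (on Windows they live under %APPDATA%\Mozilla\Firefox\Profiles), or with no arguments to see the two constructed samples. One caveat when interpreting the result: Firefox writes prefs.js when it shuts down, so a change made in about:config on a browser that is still running may not be in the file yet.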

WordPress 4.2.4 security release

The latest WordPress release resolves several security issues, including an SQL injection that could be used to compromise a site.

The WordPress 4.2.4 release notes have additional details.

WordPress sites with the auto-update mechanism enabled should be updated automatically in the next day or so, but if you don’t want to wait, you can install the update manually from the site’s dashboard.