Category Archives: Patches and updates

WordPress 4.2 and 4.1.3

WordPress 4.2 was released yesterday. This version adds some new features and improves others. This is not a security-related update.

Updating to version 4.2 also seems to trigger several theme updates. On one of my sites, which uses a Twenty Eleven child theme, an update to the parent Twenty Eleven theme caused the site to stop working completely. I was able to resurrect the site by installing the Twenty Eleven theme again manually. Update: apparently one of the download servers had an incomplete copy of the theme. This problem has been resolved.

Confusingly, WordPress 4.1.3 was also released yesterday. Because it follows so closely on the 4.1.2 security release you might expect it to contain more security fixes, but details are sketchy at this point: there was no formal announcement, and the only documented change, per the WordPress Codex entry for version 4.1.3, is ‘Fix database writes for esoteric character sets, broken in the WordPress 4.1.2 security release.’ In other words, it appears to be a regression fix for 4.1.2 rather than a new batch of security fixes, which is all the more reason to apply it without delay.

WordPress sites configured for auto-updates will update themselves to version 4.1.3 over the next few days. By default, core auto-updates only apply minor (point) releases, so most sites will go from 4.1.2 to 4.1.3; only sites that have opted into major-version auto-updates (WP_AUTO_UPDATE_CORE set to true in wp-config.php) will jump straight to 4.2, bypassing 4.1.3. This shouldn’t be a problem, since it’s safe to assume that any fixes in 4.1.3 are also in 4.2.

Your best bet at this point is to update your WordPress sites manually to version 4.1.3. Then start testing version 4.2; once you’re sure it’s not going to break anything, upgrade your production sites.

Critical security updates for WordPress and plugins

WordPress 4.1.2 was released on Tuesday to address a critical security vulnerability. Sites configured for auto updates will be updated over the next day or so, but you might want to consider installing the update via the dashboard right now.

In related news, security researchers at Sucuri just published a list of popular WordPress plugins that contain serious XSS vulnerabilities; the common root cause is that the plugins echo the return value of WordPress’s add_query_arg() and remove_query_arg() functions into pages without escaping it. Most of these plugins already have updates addressing the issue. Check your WordPress sites for these plugins, and either update or disable them.
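A script that covers both the ‘pin production to 4.1.3 before testing 4.2’ advice in the WordPress 4.2 and 4.1.3 post above and the plugin check here, as an added example that is not part of the original posts or of WordPress/WP-CLI itself. It assumes WP-CLI is installed as `wp`; the site paths in SITES and the plugin names in the embedded sample are hypothetical, and the sample CSV is constructed to mimic `wp plugin list --format=csv` output so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original posts. Uses WP-CLI (`wp`) to survey a
# set of WordPress installs: report core versions older than a required
# release, optionally pin them to exactly that release (so a site lands on
# 4.1.3 rather than jumping to 4.2), and list plugins with pending updates.
# SITES (document roots) and the plugin names in the sample data are
# hypothetical.
set -eu

REQUIRED_CORE="${REQUIRED_CORE:-4.1.3}"
SITES="${SITES:-/var/www/site1 /var/www/site2}"   # hypothetical paths
APPLY="${APPLY:-0}"                                # APPLY=1 actually updates

# version_lt A B: succeed when dotted version A is older than B.
# Pure awk, so it does not depend on GNU `sort -V`.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1            # equal versions are not "less than"
    }'
}

# plugins_needing_update CSV: given the output of
#   wp plugin list --fields=name,version,update_version --format=csv
# print "name current -> available" for every plugin with an update pending.
plugins_needing_update() {
    printf '%s\n' "$1" |
        awk -F, 'NR > 1 && $3 != "" && $3 != $2 { print $1, $2, "->", $3 }'
}

# Constructed sample of that CSV output (hypothetical plugin names) so the
# parser can be exercised without a live site.
SAMPLE_PLUGIN_CSV='name,version,update_version
example-gallery,1.0.0,1.0.1
sample-forms,2.3.0,
demo-seo,4.5.0,4.6.0'

survey_site() {
    site="$1"
    current="$(wp core version --path="$site")"
    if version_lt "$current" "$REQUIRED_CORE"; then
        echo "$site: core $current is older than $REQUIRED_CORE"
        # --version pins the target; without it, `wp core update` would move
        # the site to the newest release (4.2 at the time of the post).
        if [ "$APPLY" = 1 ]; then
            wp core update --version="$REQUIRED_CORE" --path="$site"
        fi
    else
        echo "$site: core $current is current"
    fi

    csv="$(wp plugin list --fields=name,version,update_version --format=csv --path="$site")"
    plugins_needing_update "$csv" | while read -r name cur arrow new; do
        echo "$site: plugin $name $cur $arrow $new"
        if [ "$APPLY" = 1 ]; then
            wp plugin update "$name" --path="$site"
        fi
    done
}

# Only touch real sites when invoked as `./wp-survey.sh run`.
if [ "${1:-}" = "run" ]; then
    for s in $SITES; do survey_site "$s"; done
else
    echo "dry parse of sample data:"
    plugins_needing_update "$SAMPLE_PLUGIN_CSV"
fi
```

Run it with no arguments to exercise the parser against the sample data; `./wp-survey.sh run` queries the sites in SITES, and `APPLY=1 ./wp-survey.sh run` applies the updates. Note the asymmetry: `wp plugin update` takes a plugin to its newest release, which is what you want for an XSS fix, while core is deliberately pinned with `--version` so a production site does not get 4.2 before you have tested it.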

45 security issues fixed in Chrome 42.0.2311.90

The latest version of Chrome includes fixes for forty-five security vulnerabilities. According to the announcement, version 42.0.2311.90 also has improvements in stability and performance.

Starting with this version of Chrome, the old NPAPI technology used for plugins (including Java and Silverlight) is disabled by default. If any of your Chrome plugins still use this technology, you’ll need to re-enable NPAPI support via chrome://flags/#enable-npapi and then allow the plugin when the browser warns you. Treat this as a stopgap: Google has said NPAPI support will be removed from Chrome entirely in a later release, so plan to retire anything that still depends on it.

Java 8u45 released

Oracle has released Update 45 for Java 8. Anyone using Java should install the update as soon as possible, since it contains fixes for at least fourteen security vulnerabilities.

NOTE: Java 7 is no longer receiving public updates from Oracle, so if you’re still using it, you should upgrade to Java 8 as soon as possible. If Java is configured to auto-update itself, it will upgrade Java 7 to Java 8 automatically.

Update 2015May14: The final update for Java 7 was 7u79/7u80, released on April 14, 2015.

Patch Tuesday for April 2015

It’s that time again. This month there are eleven updates from Microsoft, with four of them flagged as Critical, affecting Windows, Internet Explorer, Office and .NET.

Adobe has once again come along for the monthly festivities, today releasing a new version of Flash. Version 17.0.0.169 fixes at least fourteen vulnerabilities in Flash, including one for which exploits have been observed in the wild.

So, time to get busy updating your systems… especially where you’re using Flash in a web browser.

Update 2015Apr19: One of this month’s Windows updates is causing problems for people running Oracle VirtualBox, a popular virtualization product. The problematic update is KB3045999, also referred to as MS15-038. There’s no word yet from Oracle or Microsoft regarding a fix. Uninstalling the update appears to work, but MS15-038 is a security update, so removing it leaves the vulnerabilities it fixes open; this is obviously a temporary solution.

Firefox 37.0.1 fixes crashing and security issues in 37.0

Some of us never really had a chance to try Firefox 37.0, and that’s probably a good thing. Version 37.0 tends to crash when started, and it includes at least one new security vulnerability.

Mozilla pulled Firefox 37.0 from the auto-update queue after learning of these issues, and yesterday released 37.0.1 to resolve them.

Unfortunately, despite the fact that this would have been a really good time for some kind of announcement of what was going on, Mozilla has said exactly nothing about this. The release notes for Firefox 37.0.1 don’t provide any insight, and although the security advisories page has been updated for 37.0.1, it still doesn’t say much.

It does appear that Mozilla’s attempt to enable Opportunistic Encryption in Firefox 37.0 didn’t work out as expected: the HTTP Alternative Services (Alt-Svc) feature it depends on is disabled in Firefox 37.0.1, and the advisory added for 37.0.1 (MFSA 2015-44) describes a certificate verification bypass through the HTTP/2 Alt-Svc header.

Firefox 37 released

A new version of Firefox was announced yesterday by Mozilla. Yes, you read that correctly: a post on the Mozilla blog announced new versions of Firefox for all platforms. Of course, the announcement doesn’t mention the new version number, and it doesn’t provide any details, it just points to the release notes. Still, it’s progress!

According to the release notes for Firefox 37.0, the new version includes several changes related to security, including ‘improved protection against site impersonation’ via centralized certificate revocation (OneCRL), and several fixes related to recently-discovered TLS vulnerabilities. WebGL rendering performance on Windows was improved. HTML5 support was also enhanced.

According to the Firefox Security Advisories page, at least 13 security vulnerabilities were fixed in Firefox 37.0.

Update: As of April 1 at 6:53am PST, the version of Firefox I’m currently using (36.0.4) is telling me that ‘Firefox is up to date’. It looks like someone may have forgotten a step when publishing version 37.0. Presumably this will be resolved shortly. If I visit the main Firefox download page, it tells me I’m using an older version of Firefox, and the download link definitely goes to Firefox 37.0.

Update 2015Apr02: According to sources on the official Firefox IRC channel, auto-updates for version 37 have been suspended while the developers look into a crashing problem being reported by some Windows 8 users.