Category Archives: Patches and updates

Chrome 41.0.2272.101 released

On March 19, Google announced version 41.0.2272.101 of its Chrome web browser. The announcement doesn’t describe any changes, and only says that a ‘partial list of changes is available in the log’. The log is derived from the Git version control system used by Google to manage Chrome’s source code. As such, it’s difficult to parse for significant changes. It appears that only minor changes were made in Chrome 41.0.2272.101.

Firefox 36.0.3 fixes two security bugs

Two security vulnerabilities, discovered at the HP Zero Day Initiative Pwn2Own contest, have been fixed in Firefox 36.0.3.

As usual, there was no proper announcement for the new version. The release notes for 36.0.3 include changes made in previous versions, as you can see by comparing them to the release notes for 36.0.1. At least the changes specific to 36.0.3 are flagged as such.

The Security Advisories (aka Known Vulnerabilities) page now has a section for each version; the most recent changes are listed under the heading ‘Fixed in Firefox 36.0.3’.

FREAK vulnerability affects Windows, Mac, mobiles

It’s been about two weeks since the FREAK vulnerability was first reported. The flaw itself has existed for at least ten years, and we now know that it affects mobile devices, Mac OS X, and Windows.

From the related US-CERT alert:

FREAK (Factoring Attack on RSA-EXPORT Keys CVE-2015-0204) is a weakness in some implementations of SSL/TLS that may allow an attacker to decrypt secure communications between vulnerable clients and servers.

Google has released an updated version of its Android OS and Chrome browser for OS X to mitigate the vulnerability. Microsoft has released a Security Advisory that includes a workaround for supported Windows systems.

It’s now clear that this is a teaching moment for the Internet. The FREAK flaw exists because of the ridiculous (and short-lived) insistence by the US government that encryption software designated for export be made deliberately weak. The imposed restrictions ended, but the code involved in switching between strong and weak encryption remained. This intentional weakening of encryption is similar to the kind of ‘golden key’ (back door) for which intelligence organizations are currently clamouring. The lesson: Encryption Backdoors Will Always Turn Around And Bite You In The Ass. Bruce Schneier calls this a ‘security rollback’. The Economist puts it succinctly, “…mathematics applies to just and unjust alike; a flaw that can be exploited by Western governments is vulnerable to anyone who finds it.”

Update 2015Mar19: Researchers determine that exploiting the remaining vulnerable systems is much easier than originally estimated. Thousands of iOS and Android apps are vulnerable.

EMET 5.2 released by Microsoft

A new version of the Enhanced Mitigation Experience Toolkit (EMET) was announced by Microsoft on March 12. EMET is an application that provides an additional level of security for Windows systems by detecting and blocking specific types of application behaviour that are associated with malware.

Version 5.2 of EMET adds new features for Windows 8.1 (and up), and for Internet Explorer.

EMET is highly recommended for Windows computers. You can obtain it from the main EMET page.

Update 2015Mar17: If you downloaded EMET 5.2 before March 16, you may have noticed that Internet Explorer on Windows 8.1 stopped working. Microsoft has re-released EMET 5.2 to address this problem.

Flash 17.0.0.134 fixes eleven security bugs

A new version of Flash was announced by Adobe yesterday. Flash 17.0.0.134 addresses at least eleven critical security vulnerabilities.

Anyone who uses a web browser with Flash enabled should install this update as soon as possible. That includes anyone who ever looks at any videos on YouTube.

Internet Explorer 10 and up will receive this Flash update via Windows Update, and Google Chrome will update itself.

Update 2015Mar27: That didn’t take long. At least one popular exploit kit (aka ‘set of hacking tools’) now includes a pre-packaged attack that targets one of the vulnerabilities fixed in Flash 17.0.0.134. If you use Flash, and you’re not in the habit of updating it, you should either stop using Flash or keep it up to date.

Microsoft update 3033929 causing problems

One of the updates made available by Microsoft earlier this week is apparently causing problems on some Windows 7 computers. Details are sketchy at this point, but some users are reporting that their Windows 7 computers get into an infinite reboot loop after installing the KB3033929 update.

Microsoft is expected to release another update or pull the existing update soon. For now, anyone running Windows 7 should avoid this update.

Patch Tuesday for March 2015

Today Microsoft announced fourteen updates for security vulnerabilities in Windows, Office, Exchange, and Internet Explorer. Five of the updates are flagged as Critical.

The bulletin summary gets into all the technical details. All you really need to know is that you should install these updates as soon as possible, especially if you use Internet Explorer.

One of the updates provides what is hoped will be a complete fix for a vulnerability that allowed the Stuxnet worm to spread. Microsoft published a fix for this vulnerability in 2010, but the fix was incomplete and the vulnerability remained largely intact.

SANS provides a breakdown of the new updates every month. The information is presented in a way that may be more appealing/useful to some readers.

Firefox 36.0.1 fixes numerous bugs

Another new version of Firefox was made available by Mozilla on Thursday. This one seems to consist mostly of bug fixes, although some new functionality was added, including full support for HTTP/2. Compatibility with HTML5 was improved. The release notes claim there were also ‘various security fixes’ but the Security Advisories (aka Known Vulnerabilities) page doesn’t bear that out.

As usual, I learned about the new version from a source other than Mozilla, which is an ongoing source of frustration.