As expected, Google just announced a new version of Chrome with the latest embedded Flash. Version 39.0.2171.95 also includes fixes for a few minor issues. Aside from the Flash update, none of the changes appear to be related to security.
Category Archives: Patches and updates
Patch Tuesday for December 2014
It’s patch time again.
As expected, Adobe released updates for Reader/Acrobat, but they also issued updates for Flash. The new version of Reader/Acrobat is 11.0.10, and it addresses at least twenty vulnerabilities.
The latest version of Flash is 16.0.0.235 (on most platforms), and it fixes six vulnerabilities in previous versions. As usual, Google Chrome will update its own internal Flash, and Microsoft will offer Flash updates for Internet Explorer on Windows 8.x via Microsoft Update. Note that Adobe also released Flash 15.0.0.246, which apparently fixes the same issues in earlier versions of Flash 15.
Meanwhile, Microsoft today released seven bulletins and associated patches. The patches address vulnerabilities in Windows, Internet Explorer, and Office. There’s a useful summary on the MSRC blog.
Brian Krebs has additional details.
Advance notification for December’s Patch Tuesday
Microsoft and Adobe have announced updates that are scheduled to drop next Tuesday, December 9. Microsoft is expected to issue seven bulletins and associated patches, affecting Windows, Internet Explorer, Office and Exchange. The updates from Adobe will address security issues in Reader/Acrobat.
Firefox 34/34.0.5 stealth release
Firefox 34.0 was released on December 1. The new version includes some security fixes, improves the search bar, and makes switching between profiles a bit easier.
As usual, there was no announcement for this version, despite Mozilla staffers telling me that major releases always get proper announcements on the Mozilla blog.
Further confusing things is a release notes page for version 34.0.5, linked from the main release notes page, that looks almost identical to the page for 34.0. Worse still, Firefox itself won’t update to 34.0.5, and the Firefox download page assures me that I’m running the latest version (that version being 34.0).
Is it just me, or is Mozilla getting worse at this stuff?
Update 2014Dec05: Apparently version 34.0.5 is somehow seen as optional. For whatever reason, the automatic updater and the download page see 34.0 and 34.0.5 as equivalent. The only way to upgrade from 34.0 to 34.0.5 is to download 34.0.5 from the ‘Download a fresh copy’ page and install it on top of version 34.0.
Update 2014Dec08: Since the only difference between 34.0 and 34.0.5 is the default search provider, and that change only affects users in the US, it seems reasonable to assume that the Firefox download page (as well as Firefox’s self-updater) will only suggest 34.0.5 if you are in the US. My own tests were inconclusive.
Chrome updated with Flash 15.0.0.239
The latest version of Chrome includes a few minor fixes and a very important security update for the embedded Flash player. The official announcement for version 39.0.2171.71 has additional details.
Flash 15.0.0.239 strengthens protection against CVE-2014-8439
Security vulnerability CVE-2014-8439 was addressed in the October updates for Flash, but recent attacks made it clear that more work was required. Flash 15.0.0.239 provides additional protection against attacks based on CVE-2014-8439.
Anyone who uses Flash is advised to install the new version as soon as possible. Google Chrome and Internet Explorer 10/11 in Windows 8.x will be updated automatically.
Note that if you use Flash in Internet Explorer as well as in other web browsers, you may need to install the new version twice: once using IE and once using another browser.
WordPress 4.0.1 fixes security and other bugs
A critical vulnerability in WordPress 3.9.2 and earlier has been addressed with the release of versions 3.9.3, 3.8.5, and 3.7.5. The vulnerability does not exist in WordPress 4.0. Anyone running WordPress 3.9.2 or earlier should apply the appropriate update as soon as possible.
Several less critical – but still important – security issues have also been addressed in WordPress 4.0.1. WordPress sites that are configured for auto-update should be automatically updated in the next day or so.
Chrome 39.0.2171.65 released
The latest version of Google’s web browser is 39.0.2171.65. The new version of Chrome fixes forty-two security issues and includes a few other fixes and improvements. If you use Chrome, you should allow it to update itself as soon as possible.
Microsoft issues special update MS14-068
Two of the updates originally scheduled for release last week for Patch Tuesday were held back. Yesterday one of those updates was released. MS14-068 addresses security vulnerabilities in all versions of Windows. We recommend installing the update as soon as possible.
Brian Krebs has additional details, as does Ars Technica. A post on Microsoft’s Security Research and Defense Blog provides technical details of the vulnerability.
Chrome 38.0.2125.122 released
A new version of Google’s web browser was announced yesterday. Version 38.0.2125.122 fixes some bugs, and updates the embedded Flash to the latest version. Apparently there are no security fixes in this version, although the updated Flash does include security fixes.