Category Archives: Patches and updates

Adobe, Flash, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for December 2014

December 9, 2014 jrivett Leave a comment

It’s patch time again.

As expected, Adobe released updates for Reader/Acrobat, but they also issued updates for Flash. The new version of Reader/Acrobat is 11.0.10, and it addresses at least twenty vulnerabilities.

The latest version of Flash is 16.0.0.235 (on most platforms), and it fixes six vulnerabilities in previous versions. As usual, Google Chrome will update its own internal Flash, and Microsoft will offer Flash updates for Internet Explorer on Windows 8.x via Microsoft Update. Note that Adobe also released Flash 15.0.0.246, which apparently fixes the same issues in earlier versions of Flash 15.

Meanwhile, Microsoft today released seven bulletins and associated patches. The patches address vulnerabilities in Windows, Internet Explorer, and Office. There’s a useful summary on the MSRC blog.

Brian Krebs has additional details.

Adobe, Microsoft, Patches and updates, Security

Advance notification for December’s Patch Tuesday

December 5, 2014 jrivett Leave a comment

Microsoft and Adobe have announced updates that are scheduled to drop next Tuesday, December 9. Microsoft is expected to issue ~~nine~~ seven bulletins and associated patches, affecting Windows, Internet Explorer, Office and Exchange. The updates from Adobe will address security issues in Reader/Acrobat.

Firefox, Patches and updates, Security

Firefox 34/34.0.5 stealth release

December 3, 2014 jrivett Leave a comment

Firefox 34.0 was released on December 1. The new version includes some security fixes, improves the search bar, and makes switching between profiles a bit easier.

As usual, there was no announcement for this version, despite Mozilla staffers telling me that major releases always get proper announcements on the Mozilla blog.

Further confusing things is a release notes page for version 34.0.5, linked from the main release notes page, that looks almost identical to the page for 34.0. Worse still, Firefox itself won’t update to 34.0.5, and the Firefox download page assures me that I’m running the latest version (that version being 34.0).

Is it just me, or is Mozilla getting worse at this stuff?

Update 2014Dec05: Apparently version 34.0.5 is somehow seen as optional. For whatever reason, the automatic updater and the download page see 34.0 and 34.0.5 as equivalent. The only way to upgrade from 34.0 to 34.0.5 is to download 34.0.5 from the ‘Download a fresh copy‘ page and install it on top of version 34.0.

Update 2014Dec08: Since the only difference between 34.0 and 34.0.5 is the default search provider, and that change only affects users in the US, it seems reasonable to assume that the Firefox download page (as well as Firefox’s self-updater) will only suggest 34.0.5 if you are in the US. My own tests were inconclusive.

Chrome, Flash, Google, Patches and updates, Security

Chrome updated with Flash 15.0.0.239

November 26, 2014 jrivett Leave a comment

The latest version of Chrome includes a few minor fixes and a very important security update for the embedded Flash player. The official announcement for version 39.0.2171.71 has additional details.

Adobe, Flash, Patches and updates, Security

Flash 15.0.0.239 strengthens protection against CVE-2014-8439

November 26, 2014 jrivett Leave a comment

Security vulnerability CVE-2014-8439 was addressed in the October updates for Flash, but recent attacks made it clear that more work was required. Flash 15.0.0.239 provides additional protection against attacks based on CVE-2014-8439.

Anyone who uses Flash is advised to install the new version as soon as possible. Google Chrome and Internet Explorer 10/11 in Windows 8.x will be updated automatically.

Note that if you use Flash in Internet Explorer as well as in other web browsers, you may need to install the new version twice: once using IE and once using another browser.

Patches and updates, Security, WordPress and other CMS

WordPress 4.0.1 fixes security and other bugs

November 21, 2014 jrivett Leave a comment

A critical vulnerability in WordPress 3.9.2 and earlier has been addressed with the release of versions 3.9.3, 3.8.5, and 3.7.5. The vulnerability does not exist in WordPress 4.0. Anyone running WordPress 3.9.2 or earlier should apply the appropriate update as soon as possible.

Several less critical – but still important – security issues have also been addressed in WordPress 4.0.1. WordPress sites that are configured for auto-update should be automatically updated in the next day or so.

Chrome, Google, Patches and updates, Security

Chrome 39.0.2171.65 released

November 19, 2014 jrivett Leave a comment

The latest version of Google’s web browser is 39.0.2171.65. The new version of Chrome fixes forty-two security issues and includes a few other fixes and improvements. If you use Chrome, you should allow it to update itself as soon as possible.

Microsoft, Patches and updates, Security, Windows

Microsoft issues special update MS14-068

November 19, 2014 jrivett 1 Comment

Two of the updates originally scheduled for release last week for Patch Tuesday were held back. Yesterday one of those updates was released. MS14-068 addresses security vulnerabilities in all versions of Windows. We recommend installing the update as soon as possible.

Brian Krebs has additional details, as does Ars Technica. A post on Microsoft’s Security Research and Defense Blog provides technical details of the vulnerability.

Chrome, Flash, Google, Patches and updates

Chrome 38.0.2125.122 released

November 12, 2014 jrivett Leave a comment

A new version of Google’s web browser was announced yesterday. Version 38.0.2125.122 fixes some bugs, and updates the embedded Flash to the latest version. Apparently there are no security fixes in this version, although the updated Flash does include security fixes.

Adobe, Flash, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for November 2014

November 12, 2014 jrivett Leave a comment

Yesterday Microsoft released fourteen updates, addressing 33 CVEs in Windows, Internet Explorer, Office, .NET, Internet Information Services, Remote Desktop Protocol, Active Directory Federation Services, Input Method Editor, and Kernel Mode Driver. Four of the updates are flagged as Critical. You can find all the details in the main bulletin.

Two of the expected sixteen updates (MS14-068 and MS14-075) were held back by Microsoft, with release dates for those updates now being shown as ‘Release date to be determined’.

In keeping with its new monthly update policy, Adobe released a new version of Flash yesterday. Flash 15.0.0.223 addresses several security vulnerabilities in previous versions.

Brian Krebs has additional analysis of these updates.

Update 2014Nov15: One of the updates in this batch addresses a serious vulnerability that exists on all versions of Windows. MS14-066 fixes a bug in the way secure connections are handled by the Microsoft secure channel (schannel) security component. Most of the focus has been on Windows servers, especially those running Microsoft’s web server software, Internet Information Services (IIS). However, according to some sources, any Windows computer that is configured to accept secure network connections is potentially vulnerable. Recommendation: if you’re running any Internet-facing service on a Windows computer, install this patch ASAP. Ars Technica has additional details.

Update 2014Nov15: Another of this month’s patches (MS14-064) addresses problems with a previous patch (MS14-060). McAfee has a detailed breakdown of the problems with MS14-060.

Update 2014Nov19: MS14-068 was released.

Update 2014Nov26: Apparently the MS14-066 update caused problems for some Windows servers. Microsoft added a workaround to the update bulletin that should resolve one of the problems, but has yet to acknowledge the performance problems reported in SQL Server and IIS. InfoWorld has additional details.

boot13