Category Archives: Patches and updates

Firefox 33.1 adds ‘Forget’ button

Another new version of Firefox was released yesterday: 33.1.

According to the release notes, new features in version 33.1 include a ‘forget’ button, and the ability to use DuckDuckGo as the default search engine. These changes are in keeping with Mozilla’s push to improve privacy in the browser: the Forget button allows the user to remove cookies and history related to recent browsing, and DuckDuckGo’s search engine does not remember searches.

As usual, there was no formal announcement. There was an associated post on the main Mozilla blog, but that post makes no reference to the new version.

On a more positive note, the What’s New section of the release notes for this version has been pruned to show only the changes in this version, although the link to ‘all changes’ still lists about 3500 Bugzilla items, which makes it essentially useless.

Advance notification for November Patch Tuesday

Next Tuesday Microsoft plans to publish 16 Security Bulletins, five of which are flagged as Critical. The updates affect Windows, Internet Explorer, Office, Exchange, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).

Firefox 33.0.3 released

The latest version of Firefox apparently fixes two more bugs related to hardware incompatibility. According to the release notes, version 33.0.3 was released on November 6. There was as usual no formal announcement of the new version. I discovered it only because Firefox popped up a message about it.

Firefox 33.0.3 doesn’t appear to include any fixes related to security, so this is not an urgent update.

Despite some improvements, the release notes for Firefox are still a hopeless jumble of old and new changes. The link to the ‘complete list of changes in this release’ displays a list of over 3400 issues, most of which are not specifically related to version 33.0.3.

Serious vulnerability in WordPress e-commerce plugin

One of the more popular WordPress e-commerce plugins is WP eCommerce.

Recently, security researchers discovered a vulnerability that could allow attackers to obtain private data from WordPress sites that use the plugin.

The plugin’s developers released a new version that fixes the vulnerability. Anyone who manages a WordPress site that uses this plugin should install the new version (3.8.14.4) immediately.

Extremely critical Drupal vulnerability

Drupal is a Content Management System, similar to WordPress and Joomla. On October 15th, a very dangerous SQL injection vulnerability in Drupal 7 core (SA-CORE-2014-005) was announced. Within hours, exploits attacking this vulnerability started to appear on the web.

Yesterday, a special follow-up Public Service Announcement was posted on the Drupal web site. From the Drupal PSA:

Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement. Simply updating to Drupal 7.32 will not remove backdoors.

Anyone who runs a Drupal site should deal with this issue immediately. Because updating to 7.32 does not remove backdoors, the PSA’s advice for a site that was not patched within that window is not just to update but to restore it from a backup taken before October 15th (or rebuild it), apply the update, and then audit it.
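The PSA above says only that the flaw is SQL injection in Drupal core. The following is an added example, not Drupal’s own code: a simplified Python model of the placeholder-expansion step in a database layer, written in the style of the Drupal 7 routine that SA-CORE-2014-005 patched, with the vulnerable behaviour and the corrected behaviour side by side. The query text, the table and column names and the attacker’s form input are all constructed for illustration.

```python
import re

# Constructed example (not Drupal's own code): a simplified model of the
# placeholder-expansion step in a database abstraction layer, in the style of
# the Drupal 7 routine that SA-CORE-2014-005 patched. Query text, table and
# column names and the attacker input below are all made up for illustration.

QUERY = "SELECT * FROM users WHERE name = :name AND status = 1"


def expand_arguments(query, args, fixed):
    """Expand an array-valued placeholder (:name -> [...]) into :name_0, :name_1, ...

    fixed=False reproduces the vulnerable logic: the new placeholder names are
    derived from the caller-supplied array *keys*, and those names are spliced
    straight into the SQL text. When the array comes from a web form (PHP turns
    name[x]=y into an array keyed by x), the attacker chooses what lands in the
    query.
    fixed=True numbers the values itself, so array keys never reach the query.
    """
    args = dict(args)
    for key in list(args):
        data = args[key]
        if not isinstance(data, dict):
            continue
        items = enumerate(data.values()) if fixed else data.items()
        new_keys = {f"{key}_{i}": value for i, value in items}
        # Replace the single placeholder with the comma-separated expansion.
        placeholder_list = ", ".join(new_keys)
        query = re.sub(re.escape(key) + r"\b", lambda _m: placeholder_list, query)
        del args[key]
        args.update(new_keys)
    return query, args


def build_login_queries():
    """Run the same attacker-controlled 'name' field through both variants."""
    # Constructed malicious form input, i.e. a login POST of
    #   name[0 ;update users set name='owned' where uid=1;#]=x&name[0]=test
    # parsed the way PHP parses bracketed field names. The '#' starts a MySQL
    # line comment so that whatever follows the injected statement is ignored.
    attacker_name = {
        "0 ;update users set name='owned' where uid=1;#": "x",
        "0": "test",
    }
    vulnerable_query, vulnerable_args = expand_arguments(
        QUERY, {":name": attacker_name}, fixed=False)
    fixed_query, fixed_args = expand_arguments(
        QUERY, {":name": attacker_name}, fixed=True)
    return vulnerable_query, vulnerable_args, fixed_query, fixed_args


def injected(query):
    """True if a second statement has been spliced into the SQL text itself."""
    return ";update " in query.lower()


if __name__ == "__main__":
    vq, va, fq, fa = build_login_queries()
    print("vulnerable query:", vq)
    print("fixed query:     ", fq)
    print("fixed bindings:  ", fa)
```

In the vulnerable variant the attacker’s array key becomes part of the SQL string, so a single login form submission runs an extra UPDATE; in the fixed variant the same input only ever appears as a bound value, and the worst outcome is a malformed query. This is also why the PSA stresses that the injection needed no authentication: the login form is reachable by anyone.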

New versions of Firefox fix hardware-related problems

Two new Firefox releases in the past few days fix crashing and black screen problems experienced by some users in Firefox 33.0.

Firefox 33.0.1 fixes a black screen at start-up with certain graphics drivers.

Firefox 33.0.2 fixes a startup crash with some combinations of hardware and drivers.

As usual, there were no proper announcements for the new versions. The release notes have improved, but they still list changes from previous versions, and the link to the complete list of changes shows a list so long that Bugzilla can’t even display it properly. Clearly the vast majority of issues shown there were addressed in much earlier versions.

Chrome 38.0.2125.111 released

Another new version of Chrome was announced yesterday.

The announcement unfortunately contains no details about what was changed. There is a link to the full change log, but that page is rather technical and likely difficult to read for typical users. However, it appears that the new version fixes several minor bugs, none of which are related to security.

Reviewing the change log reveals this:

Flip 32-bit warning string to let users know it’s the end of the line. The string is changing to “This computer will no longer receive Google Chrome updates because its hardware is no longer supported.” Previously, the message began with “This computer will soon stop receiving”.

Since my main computer currently runs a 32-bit O/S, I became somewhat alarmed at this. Digging into the related material, I was able to determine that the message in question is only for Mac systems. 32-bit versions of Windows will continue to receive Chrome updates.

Windows vulnerable to document-based attack

According to Microsoft, all versions of Windows except Windows Server 2003 are vulnerable to attacks based on a bug in OLE (Object Linking and Embedding).

The attacks observed so far use a specially crafted PowerPoint document, but the advisory covers any Microsoft Office file that contains a malicious OLE object, so other Office document types could be used in the same way.

Microsoft has released a Fix It solution that can be used to close this hole until a proper patch is released. If you commonly receive PowerPoint or other Office documents from unknown sources, you are strongly encouraged to apply this fix or refrain from opening those documents. Microsoft also notes that in the observed attacks a User Account Control (UAC) consent or elevation prompt appears before the malicious file executes, so an unexpected UAC prompt after opening a document should be treated as a warning sign rather than clicked through.
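Since the attack rides on an embedded OLE object, a useful triage step is to inventory the embedded objects in a document before anyone opens it. The script below is an added example, not Microsoft’s tooling and not part of the advisory: it lists the OLE objects inside an Office Open XML package (.pptx, .ppsx, .docx, .xlsx) using three independent signals, and the sample package it scans is constructed in memory. It does not inspect the legacy binary formats (.ppt, .doc, .xls), which store objects differently.

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

# Added example, not from Microsoft or the advisory: inventory the OLE objects
# embedded in an Office Open XML package. Sample files are constructed below.

OLE_CONTENT_TYPE = "application/vnd.openxmlformats-officedocument.oleObject"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def find_ole_objects(data):
    """Return a sorted list of package parts that hold embedded OLE objects.

    Three independent signals are checked, because a crafted file may try to
    hide an object from any one of them:
      1. parts stored under an 'embeddings/' folder (where Office puts them),
      2. [Content_Types].xml overrides declaring the oleObject content type,
      3. relationship parts (*.rels) whose Type is the oleObject relationship.
    Unparseable XML parts are reported too, since a triage tool should not
    silently skip what it cannot read.
    """
    hits = set()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        for name in names:
            if "/embeddings/" in name:
                hits.add(name)
        if "[Content_Types].xml" in names:
            try:
                root = ET.fromstring(z.read("[Content_Types].xml"))
            except ET.ParseError:
                hits.add("[Content_Types].xml (unparseable XML)")
            else:
                for override in root.iter(CT_NS + "Override"):
                    if override.get("ContentType") == OLE_CONTENT_TYPE:
                        hits.add(override.get("PartName", "").lstrip("/"))
        for name in names:
            if not name.endswith(".rels"):
                continue
            base = name.rsplit("_rels/", 1)[0]  # folder the .rels belongs to
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                hits.add(name + " (unparseable XML)")
                continue
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                target = rel.get("Target", "")
                if target.startswith("/"):
                    hits.add(target.lstrip("/"))
                else:
                    hits.add(posixpath.normpath(base + target))
    return sorted(hits)


def build_sample_pptx(with_ole):
    """Constructed minimal package, optionally with one OLE object on slide 1."""
    ole_override = ('<Override PartName="/ppt/embeddings/oleObject1.bin" '
                    'ContentType="%s"/>' % OLE_CONTENT_TYPE) if with_ole else ""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        + ole_override + '</Types>')
    ole_rel = ('<Relationship Id="rId2" Type="%s" '
               'Target="../embeddings/oleObject1.bin"/>' % OLE_REL_TYPE) if with_ole else ""
    slide_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        + ole_rel + '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("ppt/slides/slide1.xml", "<sld/>")  # stub slide body
        z.writestr("ppt/slides/_rels/slide1.xml.rels", slide_rels)
        if with_ole:
            # Stub object: the compound-file magic followed by padding.
            z.writestr("ppt/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\0" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pptx(True)
    for part in find_ole_objects(data):
        print("embedded object:", part)
```

Run it with a path to scan a real file, or with no arguments to scan the constructed sample. A non-empty result does not prove a file is malicious (many legitimate decks embed spreadsheets), but a document from an unknown sender that carries an OLE object is exactly the case the advisory describes, and it is safer to treat it as hostile until the patch is installed.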

References:

  1. MSRC post about Security Advisory 3010060
  2. Security Advisory 3010060
  3. Fix It solution for Advisory 3010060