Category Archives: Patches and updates

Windows 8 Internet Explorer shipping with vulnerable Flash

Update 2012Sep22: A Security Advisory published yesterday by Microsoft announced the availability of a patch for Flash in Internet Explorer 10. A related post on the Microsoft Security Response Center blog explains how security updates for Flash in Internet Explorer will be handled in the future. Anyone using Internet Explorer 10 or Windows 8 should install the Flash update as soon as possible.

Update 2012Sep11: Given the negative reaction to Microsoft’s previous announcement that recent Flash vulnerabilities would not be fixed in Internet Explorer 10 until after Windows 8 is released, today’s announcement is perhaps not much of a surprise. Microsoft is now saying that the Flash holes in IE10 will be plugged much sooner than originally announced. However, there will still be an easily-exploited delay between the launch of Windows 8 and the point at which all Windows 8 systems are patched.

Recently, Google switched to an integrated version of Flash in the Chrome web browser. They did this to simplify the update process: Chrome users no longer have to worry about keeping their browser’s Flash plugin up to date.

Microsoft has apparently done something similar with Internet Explorer 10, which is included with Windows 8. Unfortunately, the recent Flash vulnerabilities were not addressed in Internet Explorer 10 when Windows 8 was finalized recently. Which means Windows 8 has at least two very serious security holes in its integrated web browser, out of the box.

Microsoft says that the Flash vulnerabilities in Windows 8’s IE10 will be fixed during the regular patch cycle, but it’s not known exactly when the updates will appear.

Nefarious hackers are no doubt preparing for a surge of new Windows 8 systems to appear on the Internet, all with these rather large holes, ready to exploit.

If you are using Windows 8 or plan to start using it soon, your options are:

  • Stop using Internet Explorer. This isn’t really a viable option, since the browser is integrated into the O/S.
  • Disable Flash in Internet Explorer 10, assuming this is even possible.
  • Avoid all Flash content while using Internet Explorer 10. This is increasingly difficult to accomplish, given the prevalence of Flash content on the web.

That was fast… vulnerability found in latest Java

Researchers have already found a vulnerability in Java 7 Update 7, which was only released yesterday. So far all we know is that a report, along with code demonstrating the security hole, have been submitted to Oracle, Java’s developer.

Details on the new Java hole show that it could be used to take over a vulnerable computer. So, once again, users are being urged to disable Java, especially in web browser software.

Your move, Oracle.

UPDATE 2012Sep01: SANS reports that a new email phishing attack exploiting this new Java hole is showing up in the wild. The email appears to be from Microsoft, and is patterned on a recent, legitimate Microsoft email message. The mail contains an URL that – once clicked – sends web browsers to a site that has been infected with the published Java exploit code. Advice to users is the same as usual: be very careful about clicking on any link you don’t know for sure is safe, and consider disabling Java in your web browser.

New patch for Java plugs recently-discovered security hole

Much to their credit, Oracle has released a patch for Java that fixes a recently-discovered security hole in Java.

CERT confirms that the new patch does indeed resolve the problem. All Java users – and that’s you, unless you’re absolutely certain Java is disabled – should apply this update as soon as possible. This affects Windows, Linux and MacOS users.

This is a welcome reaction from Oracle. Until this patch was released, it was assumed that the hole would not be fixed until the next regular patch cycle in October 2012.

Opera 12.02 released

A new version of the Opera web browser was announced today. Version 12.02 includes some security fixes, as well as some other minor changes.

The Opera blog post announcing version 12.02 also describes a way to avoid potential problems with the recently-announced Java security hole. It involves changing an Opera setting that forces the user to ‘click to play’ for any content provided by a plugin (including Java). With this setting enabled, if you visit a site infected with a Java exploit, the exploit code won’t run unless you specifically allow it. While possibly overkill, this is as good a workaround as we can expect, at least until Oracle issues a fix for the Java hole.

Firefox 15 released

Another new version of Firefox was announced today. Version 15 includes some new features, like silent updates (which I will immediately disable), and some fixes for long-standing plugin memory use issues.

The Firefox release notes for version 15 have all the changes.

Interestingly, there doesn’t seem to be a list of previous Firefox versions or the corresponding release notes anywhere on the site. But you can find the release notes for a version by replacing ‘15.0’ with any other version number in this URL:
http://www.mozilla.org/en-US/firefox/15.0/releasenotes/.