Category Archives: Patches and updates

Reminder: latest Java still vulnerable

The most up to date version of Java (7 Update 25) is vulnerable to an exploit reported to Oracle on 2013Jul18 by Adam Gowdiak of Security Explorations.

This is just the latest version-specific vulnerability in a long series of related vulnerabilities that are all based on a fundamental weakness of Java that has existed for over ten years and has yet to be properly addressed.

Oracle has assured Mr. Gowdiak that this vulnerability will be eliminated in Java 7 Update 40, to be released in September 2013. The good news is that no active exploits for this vulnerability have yet been discovered.

As always, we recommend that you use Java with caution. Disabling Java in your web browser can decrease your exposure to Java-based attacks.

Update 2013Sep11: Java 7 update 40 was released yesterday, but there do not appear to be any specific fixes for this or any other security vulnerability. Some security-related changes were made in 7u40, and those changes may mitigate the vulnerability reported by Mr. Gowdiak. We will await an update from Mr. Gowdiak for confirmation either way.

Update 2013Oct16: Mr. Gowdiak has confirmed that this issue was resolved in Java 7 Update 40.

Opera version 16 released

The new WebKit-based Opera browser has been updated to version 16. The browser still looks and acts almost exactly like Google Chrome, and as such there’s not much to recommend it. Many features that worked well in the non-WebKit version of the browser – still available as version 12 – are missing from version 16. That includes the auto-update feature. In fact, there isn’t even a link on the About page or in the browser’s menus that points to a download page. My advice is to give this browser a pass. If you still like and use the old Opera 12 browser, keep your fingers crossed that it will continue to receive updates.

Firefox 23.0.1

A new version of Firefox was released yesterday. Version 23.0.1 apparently fixes three minor bugs, none related to security.

There was no official release announcement for this new version. The release notes are exactly the same as for version 23, with the three fixed bugs just added the top of the list of changes. The ‘complete list of changes’ link still points to an enormous list of bugs that appear to all be related to version 23.

I won’t bother rehashing everything that’s wrong with the way new Firefox versions are being documented by Mozilla. For that, see my post about Firefox 23.

When Windows XP support ends…

After April 2014, it will no longer be possible to obtain security updates for Windows XP – unless you’re paying Microsoft a ton of money. This has some interesting ramifications.

Clearly, there will be renewed interest in the aging O/S as an attack target. New vulnerabilities will continue to appear, but will remain unpatched on most Windows XP computers. Tools that exploit these vulnerabilities will increase in value, resulting in a boom for anyone developing them.

Depending on how many XP systems remain after April 2014, and the number and seriousness of vulnerabilities discovered after that date, there may be some backlash against Microsoft. There may be calls to extend support for XP even further. It’s possible that as many as one third of all computers and devices will still be running XP after support expires.

If Microsoft declines to extent support, you can bet that any new patches they develop for XP will find their way into the hands of regular users through unauthorized torrents and underground web sites.

On the other hand, while keeping Windows XP patched is obviously an important part of an overall security plan, there are other ways to protect yourself. Most users these days connect to the Internet through a router/firewall, which – if configured correctly – makes it almost impossible for an attacker outside the router to identify or even detect a computer inside the router. So, while I’m not recommending that you ignore this problem (you should really upgrade to Windows 7), there may not be a reason to panic if you’re still running Windows XP next year.

Update 2013Aug21: Another ComputerWorld post on this subject, and a post from ZDNet.

Today is Patch Tueday for August 2013

It’s that time again. This month Microsoft has issued eight bulletins, with three of them flagged as Critical. The associated patches affect Windows and Internet Explorer. The August 2013 security bulletin has all the technical details. A post on the Microsoft Security Response Center has a somewhat friendlier summary. For a slightly different view of this month’s updates, check out this post on the SANS Internet Storm Center.

Windows 8.1 update coming in October

Windows 8 Service Pack 1 8.1 will be made available starting some time in October 2013, according to various sources.

Included in the free update will be several tutorials on the new user interface. The exclusion of such tutorials in Windows 8 was a strange decision by Microsoft, since they were in every previous version of Windows.

The update will also include a variety of changes related to user interaction, affecting the use of touch, mouse and keyboard input. Context menus will be improved for better usability.

Related:

Update: Microsoft has set a firm date for availability of Windows 8.1: October 18, 2013.

Firefox 23 released

Another new version of Firefox was made available yesterday. Along with the usual crop of security bug fixes, version 23 sports a few changes worthy of mention:

  • A shiny new logo.
  • A Network panel was added to the Web Developer Tools. This panel shows the network activity associated with web browsing, including load times.
  • The HTML text ‘blink’ attribute has been removed. Blinking text has fallen out of fashion, and it’s generally seen as not user-friendly and non-accessible.
  • The ‘Disable Javascript’ setting has been removed from the Options dialog. The developers feel that since disabling Javascript causes many web sites to fail, the option should be hidden. The Javascript options are still accessible via about:config.
  • The ‘Load images automatically’ setting was removed from the Options dialog. Again, the developers decided that this option was too dangerous for most users. You can still find the setting in about:config.
  • The ‘Always show the tab bar’ setting was removed from the Options dialog. Like the other removed settings, somehow this option was felt to be too dangerous for most users. You can still find the setting in about:config.

Firefox version announcements still lacking

Update 2016Jan06: The release notes page for Firefox 23.0 no longer exists. It was moved to an archive site by Mozilla, but must have been lost in the process. There’s a broken link to the missing page on the Releases/Old/2013 page.

As always, there was no proper announcement for this release. I discovered the new version when I was reading Hacker News. I’ve outlined the problems with Firefox’s online resources in several previous posts, so I’ll just provide a brief list here. Suffice to say that nothing has improved since Firefox 22.

  • According to Mozilla, the Mozilla Blog is where new versions of Firefox are announced. The blog has an RSS feed, which is good, and whenever a new version of Firefox becomes available, there is usually at least one post on the blog that describes some of the new version’s features. But these posts do not qualify as release announcements, because they never mention the new version number, or even that there is a new version! Here’s the ‘announcement’ for Firefox 23: Firefox Makes it Easy to Share Your Favorite Content with Friends & Family.
  • The main release notes page has several problems, all of which would result in a failing grade in any ‘Web Pages 101’ course:
    • the page’s title makes no mention of the version;
    • the version isn’t mentioned in any of the page’s headings;
    • the first text on the page reads "Firefox Notes (First offered to release channel users on…", which makes it sound as though some ‘notes’ are being offered, not a specific version of Firefox;
    • the version is only visible in the page’s URL, which is barely human readable, and in an aside that thanks contributors.
  • A link on the release notes page titled ‘complete list of changes‘ points to a list of bugs in Mozilla’s bug tracking system. The list is huge, and the information is highly technical and not really intended for regular users.
  • The main download page never mentions the version, although all of the download links point to the most recent version.
  • The hidden ‘security advisories‘ page lists Firefox security vulnerabilities by the date on which they were first reported by Mozilla, with no indication of which vulnerabilities have been fixed, or when they were fixed. This is somewhat mitigated by the also hidden ‘known vulnerabilities‘ page, which lists security vulnerabilities and the versions of Firefox in which they were fixed.