Category Archives: Patches and updates

Firefox 22 now available

Version 22 of Mozilla’s web browser was released yesterday, with the usual utter lack of anything approaching a proper announcement. The closest we got was a post on the Mozilla blog entitled “Firefox Delivers 3D Gaming, Video Calls and File Sharing to the Web“. That post discusses some of the new features of Firefox 22, but never actually mentions the new version number. I understand that Mozilla is trying to place less importance on version numbers, but in my opinion this is going too far.

Making things even more confusing, the main download page for Firefox never mentions the current version, although all the download links point to version 22 URLs, which you can see by hovering your mouse over them.

The release notes page is still a confusing mess. The first text you read on that page is “Firefox Notes (First offered to release channel users on June 25, 2013)”. It sounds like they’re saying that Firefox was released on June 25, 2013. What they really mean is that Firefox version 22 was released on June 25, 2013, but the version isn’t mentioned in the title. In fact, the only reference to the version is in a contributor “thank you” note below the title. Below that, the “What’s New” section lists changes made to Firefox, which we can only assume are specific to version 22 because the page’s URL includes the text “22.0”.

A link on the release notes page for version 22 titled “complete list of changes” now points to a list of bugs in Mozilla’s bug tracking system, Bugzilla. The list of bugs shown is huge, and although each of the 510 entries supposedly represents a bug fixed in version 22, the information is highly technical and not really intended for regular users. A proper change list is nowhere to be found.

Somewhat more useful are the confusingly named and well-hidden “known vulnerabilities” and “security advisories” pages for Firefox. The first of those pages lists security vulnerabilities and the versions of Firefox in which they were fixed, including version 22. The second page lists Firefox security vulnerabilities by the date on which they were first reported by Mozilla, with no indication of which vulnerabilities have been fixed, or when they were fixed.

I’ve been pointing out the lack of proper version announcement resources for Firefox here and in other online forums for a while now, but have yet to see any significant progress.

WordPress 3.5.2 released

WordPress 3.5.2 fixes several security vulnerabilities. Given the recent worldwide attacks against WordPress-based web sites, all WordPress sites should be upgraded to the new version as soon as possible.

One of the vulnerabilities fixed in version 3.5.2 is CVE-2013-2173, a Denial-of-Service (DoS) vulnerability recently disclosed on the VND blog: a remote attacker can tie up the server's CPU by submitting an over-long password that WordPress then hashes in full. The vulnerability and a proof of concept were disclosed on that site one week after the author reported the issue to the WordPress security team. Concerned that a single email might have been caught in a spam filter, I posted a link to the report in two of the WordPress IRC channels (#wordpress and #wordpress-dev), and soon after that I was told that the security team had been notified. It was later disclosed that the original report had indeed been caught by a spam filter, even though the reporter had received a ‘we received your report’ auto-response. The lessons here are: 1) security email inboxes should not have spam filters; 2) don’t use an auto-responder on security email inboxes, since it gives the reporter false confidence that a human has seen the report; and 3) don’t stop reporting a security issue until you’ve heard back from a human being, confirming receipt of your report.
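To show the class of bug behind CVE-2013-2173, here is an added example (my own Python, not WordPress's code) of a phpass-style "portable" password hash beside the two shapes of password check. It assumes the vulnerable path works like phpass: one MD5 over salt+password, then 2**8 further MD5 rounds that each re-hash the entire password, so the work grows with the product of the round count and the password length. The 4096-byte cap and the names below are my choices for the illustration, not WordPress constants.

```python
"""Added example: CPU-exhaustion DoS via over-long password hashing (not WordPress code).

Assumption: the check uses a phpass-style portable hash in which every one of the
2**count rounds re-hashes the whole attacker-supplied password, so cost is roughly
(2**count) * len(password). The fix is to bound the input length *before* hashing.
"""
import hashlib
import os

PHPASS_COUNT_LOG2 = 8      # assumed round count: 2**8 = 256 rounds, as in phpass portable hashes
MAX_PASSWORD_BYTES = 4096  # cap chosen for this illustration; not a WordPress constant


def portable_hash(password: bytes, salt: bytes, count_log2: int = PHPASS_COUNT_LOG2) -> bytes:
    """phpass-style portable hash: each round feeds the *entire* password back into MD5."""
    h = hashlib.md5(salt + password).digest()
    for _ in range(1 << count_log2):
        h = hashlib.md5(h + password).digest()
    return h


def bytes_hashed(password_len: int, salt_len: int = 8, count_log2: int = PHPASS_COUNT_LOG2) -> int:
    """Deterministic cost model: how many bytes go through MD5 for one password check."""
    first_round = salt_len + password_len
    later_rounds = (1 << count_log2) * (16 + password_len)  # 16 = MD5 digest length
    return first_round + later_rounds


def check_password_vulnerable(candidate: bytes, salt: bytes, stored: bytes) -> bool:
    """Vulnerable shape: hashes whatever length the client sends, then compares."""
    return portable_hash(candidate, salt) == stored


def check_password_hardened(candidate: bytes, salt: bytes, stored: bytes) -> bool:
    """Hardened shape: reject over-long input before spending any hashing work."""
    if len(candidate) > MAX_PASSWORD_BYTES:
        return False
    return portable_hash(candidate, salt) == stored


if __name__ == "__main__":
    # Constructed demo values; a real store would keep a random per-user salt.
    salt = os.urandom(8)
    stored = portable_hash(b"correct horse battery staple", salt)
    print("16-byte password hashes", bytes_hashed(16), "bytes")
    print("1 MiB password hashes", bytes_hashed(1 << 20), "bytes")
    print("hardened check on 1 MiB input:", check_password_hardened(b"A" * (1 << 20), salt, stored))
```

The cost model makes the asymmetry concrete: a 16-byte password pushes a few kilobytes through MD5, while a 1 MiB password pushes roughly 256 MiB through it per request, so a handful of unauthenticated POSTs can saturate a core. The hardened check returns False for over-long input without ever touching the hash, which is the same idea as the length bound that fixed this class of bug.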

Java 6 end-of-life

Oracle has quietly stopped updating Java 6, sort of. A page on the Java download FAQ site states that updates for Java 6 will no longer be publicly posted, and recommends upgrading to Java 7. Updates for Java 6 will still be available to customers who have support contracts from Oracle.

Switching from Java 6 to Java 7 is going to be a problem for anyone who uses Java-based software that is not yet compatible with Java 7. Large organizations with such Java 6 dependencies will either start paying for support (if they aren’t already), or deal with the consequences of allowing their Java 6 based software to become increasingly vulnerable. Smaller organizations and individuals with Java 6 dependencies who cannot afford to pay for Oracle support may want to consider switching to alternative software.

There’s likely to be a certain amount of backlash against this move. At the very least, if Oracle doesn’t back down from this stance, expect a ‘black market’ in Java 6 updates to start up fairly soon: people with access to the official Java 6 patches will make them available to the public. The main problem with this, besides annoying Oracle, is that nefarious persons are likely to use the need for Java 6 patches as a way to spread malware.

I predict that Oracle will relent; as long as they are still developing updates for Java 6, those updates will end up being publicly available.

Update for Adobe Flash

Adobe has just announced another Flash update. The new version is 11.7.700.224. As always, this update addresses “vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.”

The official bulletin has all the technical details. The runtime announcement has additional details.

An equivalent patch for Internet Explorer 10 on Windows 8 will be available from Microsoft Update. The new version of Flash in IE10 will be 11.7.700.224.

Google Chrome has also been updated to include a new version of Flash: 11.7.700.225. Chrome normally updates its own version of Flash automatically.

Update 2013Jun14: The Internet Explorer 10 Flash update is now available.
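Because the fixed version appears three times above with slightly different values (11.7.700.224 for the standalone and IE10 builds, 11.7.700.225 for Chrome's bundled copy), here is an added example (my own Python, not Adobe's or Microsoft's tooling) of the check an administrator would script to decide whether an installed Flash build is at least the patched one. It compares the four dotted fields numerically, because comparing the strings lexicographically goes wrong as soon as a field reaches two digits. The function names and the required-version constant are my choices for the illustration.

```python
"""Added example: numeric comparison of dotted version strings for a patch-level check.
Not Adobe's or Microsoft's code; the version numbers are the ones quoted in the post."""

# Minimum patched build for the standalone/IE10 Flash plugin, per the post above.
REQUIRED_FLASH_VERSION = "11.7.700.224"


def parse_version(version: str) -> tuple:
    """Turn "11.7.700.224" into (11, 7, 700, 224); every field must be an integer."""
    return tuple(int(field) for field in version.strip().split("."))


def version_at_least(installed: str, required: str) -> bool:
    """True when installed >= required, comparing field by field as integers.
    Shorter versions are padded with zeros so "11.7" == "11.7.0.0"."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def needs_update(installed: str, required: str = REQUIRED_FLASH_VERSION) -> bool:
    """The actual patch decision: anything below the required build must be updated."""
    return not version_at_least(installed, required)


def string_compare_is_wrong(installed: str, required: str) -> bool:
    """Demonstrates the pitfall: lexicographic order disagrees with numeric order
    whenever a field crosses a digit boundary (e.g. "7" vs "10")."""
    return (installed >= required) != version_at_least(installed, required)


if __name__ == "__main__":
    for v in ("11.7.700.169", "11.7.700.224", "11.7.700.225", "11.8.800.94"):
        print(v, "needs update" if needs_update(v) else "ok")
    # "11.7.700.224" >= "11.10.0.0" is True as strings but False numerically.
    print("string compare wrong for 11.7.700.224 vs 11.10.0.0:",
          string_compare_is_wrong("11.7.700.224", "11.10.0.0"))
```

Chrome's 11.7.700.225 passes the check against 11.7.700.224, which matches the post: it is a newer build of the same fix, not a different patch level to track separately.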

Patch Tuesday for June 2013

This month there are five bulletins, addressing 23 vulnerabilities in Windows, Office and Internet Explorer. Only one (MS13-047, affecting Internet Explorer) is marked as Critical.

The bulletin summary has all the technical details.

Related links:
Improved cryptography infrastructure and the June 2013 bulletins
SANS: Microsoft June 2013 Black Tuesday Overview