aka infosec
Fixes for three serious security vulnerabilities make Chrome 49.0.2623.87 an important update. Check your version to make sure it’s up to date, by navigating to chrome://help/. Chrome will offer to update itself if you’re running an older version.
The full change log provides additional details.
The good people at CERT once again alerted me to a new version of Firefox, 45.0. Apparently Mozilla still can’t manage to announce new versions consistently.
According to the official release notes for Firefox 45.0, the new version includes minor improvements to syncing, searching, and HTML5 support. It also fixes several bugs, including at least twenty-two related to security vulnerabilities. On my main computer, Firefox’s About screen already offers to install the new version, but if yours doesn’t, you should grab it from the main Firefox download page ASAP.
It’s time once again to roll up the sleeves and get patching. This month we have thirteen security bulletins and associated updates from Microsoft. The updates address at least forty-four security vulnerabilities in Windows, Internet Explorer, Edge, Office, Windows Server, and .NET. Five of the updates are flagged as Critical.
Adobe’s contribution this month is new versions of Acrobat/Reader. You may have noticed that Adobe has confused things by splitting Acrobat/Reader into several variations: classic, continuous, and desktop. According to Adobe, the continuous variant always has all the most recent updates, fixes, and new features. I think it’s safe to assume that’s the variant most people should be using. The new continuous version of Reader is 15.010.20060. All of the new versions include fixes for three security vulnerabilities.
A new, free, web-based service from cyscon GmbH tests your web browser and reports any security issues it finds.
Check-and-secure starts by checking your computer for open ports, then compares your IP address against a list of addresses associated with botnet activity.
Next, you have the option of checking your browser version and looking for out of date plugins like Java, Flash, and Silverlight. This is arguably the most useful part of the service, and you can get to it directly, which is handy.
The remainder of the service consists of offers to install various local security software packages. I haven’t yet tried the Cyscon Vaccination software, so can’t comment on its efficacy.
In February, a security researcher discovered that a Silverlight exploit – patched by Microsoft in January – is now being distributed through the Angler hacking kit. The researcher also found web sites using the exploit to infect site visitors who have not yet installed the Silverlight patch.
Comodo Internet Security, a highly-rated security package, was found to include features that actually make the host computer less secure. Most notably, that included a VNC server running without a password. VNC is a remote desktop application. The problems were resolved in subsequent updates from Comodo.
Brian Krebs wrote about serious security issues found in some Internet-connected Trane thermostats, and warns buyers to use caution when purchasing ‘smart’ devices.
There are fixes for at least twenty-six security issues in the latest version of Chrome, 49.0.2623.75.
The release announcement lists the most important security fixes, while making it clear that the full details may not be made available until the majority of users have had a chance to update.
The full change log for Chrome 49 seems to go on forever. I tried to find the end of it, but gave up after a few pages. At least it doesn’t try to load in one page, since that would probably crash most browsers. Presumably if Google had made any really interesting changes in Chrome 49, they would have been mentioned in the announcement.
The Opera web browser is based on Google’s Chromium ‘engine’ – the same core software that powers the Chrome browser. Aside: the Chromium browser engine is not to be confused with the other ‘Chromium’ – Google’s operating system, ChromiumOS. What is it with big corporations and confusing names?
Anyway… when Chrome gets a security fix, an Opera release with the same fix will soon follow. Opera 35.0.2066.82, announced on February 23, contains the same updated version of Chromium as Chrome 48.0.2564.116, which was released on February 18.
The Chromium security issue addressed in the latest versions of Opera and Chrome is CVE-2016-1629. The bug potentially allows attackers to bypass Same Origin Policy (SOP) measures that normally prevent scripts on other hosts from running.
If you use Chrome or Opera, or any other web browser based on the Chromium engine, you should update it as soon as possible. Chrome and Opera have self-updating features which can be triggered by navigating to their respective ‘About’ pages.
The newest version of Chrome includes a fix for one security issue and a few other minor bug fixes. The version 48.0.2564.116 announcement provides additional details, as does the full change log.
Here we go again. Researchers have discovered (actually more like rediscovered) a very bad flaw in the commonly-used GNU C Library, also known as glibc.
The flaw has existed, undiscovered, since 2008. It was discovered and reported to the glibc maintainers in July of 2015 (CVE-2015-7547), but nothing was done about it until Google researchers re-discovered the flaw and reported it on a public security blog.
The glibc maintainers reacted to the Google revelations by developing and publishing a patch. It’s not clear why such a serious vulnerability was not fixed sooner.
But that’s not the end of the story. Any computer or device that runs some flavour of Linux, including most of the world’s web servers and many routers, is potentially vulnerable. Individual software applications that are compiled with glibc are also potentially vulnerable.
Although it’s safe to assume that diligent sysadmins will update their Linux computers, tracking down all the affected software will take time. The Linux firmware running on routers and other network devices will be updated much more slowly, if at all. All of this opens up many exploitation possibilities for the foreseeable future.
The good news is that there are several mitigating factors. Many routers don’t use glibc. In some cases, default settings will prevent exploits from working. Android devices are not vulnerable. Still, this problem is likely to get worse before it gets better.
Update 2016Feb20: Dan Kaminsky just posted his analysis of the glibc vulnerability. It’s very technical, but if you’re looking for a deeper dive into this subject, it’s a great place to start. Dan helpfully explains why it’s difficult to predict just how bad things will get.
It’s been ages since Opera updated the classic (pre-Webkit) version of their browser. Although still available for download and still technically supported, the old version is obviously not Opera’s focus. Before yesterday, the latest version of classic Opera was 12.17, and hadn’t changed since April 2014.
Yesterday, in response to recent web-wide changes affecting security, Opera released a new version of the 12-series browser: 12.18. The associated announcement explains why this was done. Sadly, the new version isn’t even mentioned on the change logs page. There is still a link to the 12.17 change log, but that link is still broken.
In related news, Opera (the company that develops the Opera browser) is expected to be sold to a Chinese consortium in the near future. It’s difficult to predict how the new owners will influence the browser, but I’m not optimistic. I had begun switching from Firefox to Opera as my main browser, but that’s on hold for now.
Meanwhile, I’m looking at Vivaldi, an alternative browser developed by former Opera employees. So far it looks promising.
boot13