Category Archives: Security
aka infosec
According to the announcement, Chrome 48.0.2564.82 includes 37 security fixes, as well as an unstated number of other fixes and improvements. Looking at the full log (basic list view), I count 8044 separate changes.
Java 8 Update 71 released
Oracle seems to be jealous of Microsoft’s ability to confuse the heck out of users. Of late, Java releases seem to come in two distinct versions, with the later version typically unavailable to most users.
The latest update is a good example: the release announcement talks about Java 8u71 and 8u72, and says that 8u71 contains security fixes. It goes on to say that 8u72 contains the same bug fixes plus ‘additional features’.
If you use the Windows Java Control Panel to update Java on your computer, you’ll end up with Java 8u71. If you go to the main Java download page and choose one of the versions for Windows, again you’ll end up with 8u71. So what’s 8u72 for?
The release notes page for Java 8u71 describes a few non-security bug fixes. Oracle’s Critical Patch Update Advisory for January 2016 shows about eight security vulnerabilities that are addressed in Java 8u71. So if you use Java, you should install 8u71 as soon as possible.
More Flash updates
The latest version of Flash is 20.0.0.286, for most browsers. Microsoft Edge and Internet Explorer on newer versions of Windows are apparently still stuck at Flash 20.0.0.272.
Sadly, the information on the Adobe site related to these updates is inconsistent, confusing, or just missing.
The About Flash page doesn’t seem to agree with the announcement page. The former shows “Internet Explorer (embedded – Windows 8.x) – ActiveX 20.0.0.286”, while the latter shows “Flash Player 20 for Internet Explorer on Windows 8.1: 20.0.0.272”.
The Flash runtime announcement says “Security update details can be found here: Security Bulletin (APSB16-01)”. But the APSB16-01 bulletin is for the previous Flash updates. The linked URL is also wrong; it points to an even older bulletin: APSB15-32. And to top it off, the security bulletin that should exist (APSB16-02) for this update currently generates an error.
Hopefully Adobe will fix this mess ASAP.
Meanwhile, although the announcement doesn’t mention any security fixes in the new versions, it’s safe to assume they exist, so you should update Flash in any browser where it’s enabled.
As usual, Internet Explorer on new versions of Windows will receive these updates via Windows Update, and Chrome will get its new Flash automatically.
Update 2016Feb02: I reported the announcement and bulletin problems (noted above) to the author of the announcement. He replied that the About page would be fixed, and that he had fixed the link to the bulletin on the announcement page. Unfortunately, that link now goes to the bulletin for the previous Flash release. The author claims that bulletin still applies, but it really doesn’t, since it recommends the previous version of Flash.
Update 2016Feb04: According to the author of the announcement, there were effectively no changes in this Flash update. Certainly there were no security fixes. A link to the previous security bulletin was included simply because it was the most recent bulletin. The link text will be changed to make this more clear.
Shockwave 12.2.3.183 released
A new version of the Shockwave player is available from Adobe. The official download page correctly shows the new version as 12.2.3.183, and that’s what you’ll get if you install Shockwave Player from there.
Unfortunately, Adobe still lags behind in updating other web resources related to Shockwave. The Shockwave Player help page, which detects the version you’re running, correctly identifies the installed version, but claims that the newest version is 12.1.9.159. The release notes page for Shockwave 12.x lists the latest version as 12.2.1.171.
If you use a web browser with Shockwave enabled, you should install version 12.2.3.183 as soon as possible, because there are almost certainly security fixes in the new version.
Patch Tuesday for January 2016
This month’s Microsoft updates are more interesting than usual, in that they are the last for versions of Internet Explorer earlier than 11. No more patches for older IE versions means you should avoid using them if at all possible, since they are likely to become a major target for malicious persons intent on spreading malware and increasing the size of their botnets.
It’s interesting to speculate on how much of a hit Microsoft will take in terms of browser share once people move away from IE 8, 9, and 10. Estimates vary, but I’ve seen recent numbers that show IE 8 at 9%, IE 9 at 7%, and IE 10 at 4%. If everyone does the right thing and switches browsers, Microsoft could lose as much as 20% of their browser market share.
There are ten updates from Microsoft this month, affecting Windows, Internet Explorer, Edge, MS Office, Visual Basic, Silverlight, and Exchange Server. Six of the updates are flagged as Critical. A total of twenty-five vulnerabilities are addressed.
When installed, the Silverlight update will bump the software’s version up to Build 5.1.41212.0. Silverlight’s release notes page has been updated to show what’s changed.
Three security advisories were also published by Microsoft today, the most interesting of which is titled Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program.
Adobe joins the fun once again this month, but this time we only get an update for Reader that addresses fifteen vulnerabilities. Surprisingly, there are no updates for Flash.
Update: Support for Windows 8 has also ended. Anyone still using Windows 8 should upgrade to Windows 8.1 to continue receiving updates.
Clarification: Microsoft will still develop security updates for Internet Explorer 7, 8, 9, and 10, as well as Windows XP, Vista, and Windows 8, because they are still supported for some business clients, and for some Windows Server versions. The updates just won’t be available to regular folks.
WordPress 4.4.1 security release
A critical cross-site scripting (XSS) vulnerability in WordPress 4.4 and earlier versions has been addressed in a new WordPress version: 4.4.1.
Since this is a security release, anyone who administers a WordPress site is strongly encouraged to install the update as soon as possible. If your WordPress site is configured for auto-updates, it may have been updated already, but you should check it to be sure.
WordPress 4.4.1 also fixes a few minor non-security bugs. In all, 52 bugs were addressed in the new version. The release notes provide additional details.
You can also see what’s changed in 4.4.1 on the WordPress bug tracking site. Happily, the page on the other end of that link shows only what’s changed in WordPress 4.4.1, which is a lot more useful than Mozilla’s approach for Firefox, which is to list all changes since the last major version. The WordPress change list is also a lot easier to navigate (and understand) than the equivalent list for Google Chrome.
Firefox 43.0.4 re-enables SHA1 certificates
Well, that didn’t last long. Firefox 43.0.3 disabled SHA1 security certificates, but that caused a lot of problems for some users, and Mozilla has rolled back the change in the new Firefox 43.0.4. Most users won’t notice the difference, but if you started having problems browsing secure web sites after installing 43.0.3, that issue should be resolved with 43.0.4.
Firefox 43.0.4 also fixes a crashing bug affecting some users, and at least one other change is documented in the release notes.
Incidentally, there wasn’t a proper announcement for the new version. The closest we got was a post on the Mozilla security blog about the SHA1 reversal, which doesn’t mention Firefox version identifiers at all.
December security and privacy roundup
Security and privacy stories making the rounds in December…
Aethra modem botnet
In February I wrote about hack attempts on several of my WordPress sites. Most of those attacks originated in Italy, from Aethra modems provided by Italian service provider Albacom. At the time, I tried to contact Albacom and its new owner, BT Italy, with no success. Apparently I wasn’t the only person who noticed. The people who make Wordfence, an extremely useful security plugin for WordPress, recently reported on the efforts of a Voidsec security researcher to track down and report the problem.
Nemesis malware worse than ever
A particularly nasty piece of malware called Nemesis now has the ability to insert part of itself in the boot process of a PC, making it even more difficult to detect and remove. Luckily for regular folks, Nemesis mostly seems to be targeting financial institutions. On second thought, there’s nothing lucky about that.
Linux computers increasingly targeted – and vulnerable
It’s becoming clear that Linux computers can be just as vulnerable as computers running Windows: a single, unpatched application vulnerability can be all that’s required for attackers to gain complete control. Hacking groups are acting quickly when new vulnerabilities are revealed, and have been adding exposed Linux servers to their botnets at an alarming rate.
Mysterious attack on root DNS servers
In early December, most of the Internet’s core name servers were briefly flooded with requests from all over the net; the requests were all related to two specific (and undisclosed) domain names. It’s still not clear who perpetrated the attack, and no real damage was done, since the servers involved absorbed the traffic relatively easily.
Help for securing routers
The US-CERT security organization posted a useful guide for securing home routers. The guide necessarily gets into technical details, but anyone who is interested in keeping their home network secure – and has access to their router’s configuration – should give it a look.
Oracle spanked by the US FTC for its deceptive practices
Oracle has done a terrible job of informing Java users of the dangers of leaving old versions of Java installed. Worse, Java installation software is traditionally not very good at detecting and removing older Java installs. The FTC finally noticed, calling Oracle’s practices a “deceptive act or process” in violation of the Federal Trade Commission Act. In response, Oracle has posted a Java uninstall tool on its web site. To be fair, the newer Java runtime installers now also look for older versions and offer to uninstall them, so they are making progress.
A rational response to claims that encryption is somehow bad
You’ve no doubt noticed elected officials in various countries claiming that smartphone encryption is making police work more difficult. They often use the catchphrase ‘going dark’ and invoke ‘terrorism’ to scare people into believing their BS. There’s a post over on Techdirt that exposes the lunacy of these ‘going dark’ claims.
Panopticlick – is your browser keeping your activity private?
The Electronic Freedom Foundation (EFF) created a web-based tool that analyzes your web browser and lets you know how well it protects you against online tracking technologies. It’s a handy way to make sure that the browser you’re using is keeping your activity as private as you think it is. Keep in mind that a lot of web sites (including this one) use tracking technologies for legitimate reasons, such as counting the number of visits. To learn more, check out this helpful post over on the PixelPrivacy site that explains browser fingerprinting.
Security practices of some service providers still terrible
Brian Krebs recently reported that his PayPal account was hacked. During his subsequent investigation, he discovered that PayPal handed his credentials to someone impersonating him on the phone. PayPal’s responses to Krebs’ criticisms don’t exactly inspire confidence. Krebs says “the successful takeover of the account speaks volumes about why most organizations — including many financial institutions — remain woefully behind the times in authenticating their customers and staying ahead of identity thieves.”
Flash 20.0.0.267 fixes numerous security issues
There’s a holiday present from Adobe in the form of yet another new version of Flash. This one fixes at least nineteen security vulnerabilities – including one that is currently being exploited on the web – as well as a few other bugs. There are additional details in the release notes.
As usual, Chrome and Internet Explorer will get the new version via their own update mechanisms.
If you use Flash in a web browser, push that plate of turkey leftovers to the side and install the new Flash ASAP.
Update 2016Jan02: On January 1, Adobe released another version of Flash, this time just for the ActiveX version used in older versions of Internet Explorer on Windows 7 and earlier. According to the updated release notes, Flash 20.0.0.270 includes one change: “Fixed loading problem with Flash Player in embedded applications”.
Firefox 43.0.2
Firefox 43.0.2 was released on December 22, with no announcement at all. I learned about the new version when my copy of Firefox offered to update itself. The release notes say only that the new version includes a new security certificate for Windows. The notes also mention “Various stability and security fixes”, but the linked Security Advisories page lists security fixes for all of Firefox 43. Presumably at least one security issue was fixed in 43.0.2, but it’s not clear.