boot13A new version of Opera’s Webkit-based browser was released yesterday. Version 33.0.1990.115 includes fixes for several security and stability issues. The official announcement has details.
Category Archives: Security
aka infosec
Google to discontinue support for Chrome on Windows XP
Google recently announced that they will no longer support Chrome running on Windows XP after April, 2016. Chrome will still run on Windows XP, but Google won’t address any new security issues in Chrome that don’t affect newer versions of Windows.
Standard advice to anyone still running Windows XP has included avoiding Internet Explorer in favour of a browser that’s still being updated, like Chrome. After next April, Chrome will be potentially as risky to use on XP as Internet Explorer.
Latest Ouch! newsletters from SANS
It’s been a while since I posted a link to the SANS Ouch! Security Awareness (“Securing The Human”) Newsletter. It’s a monthly PDF publication that’s aimed at ordinary users, and each issue covers a topic that is – or should be – of interest to everyone.
The most recent issues are Two Step Verification, Password Managers, and Shopping Online Securely. Note: these are all PDF documents.
Note: because they are written for ordinary users, more knowledgeable users may not learn anything new from Ouch! newsletters. Still, they’re worth reading and passing on to anyone who may benefit.
Patch Tuesday for November 2015
It’s that time again. This month’s crop of updates from Microsoft addresses security problems in the usual suspects, namely Windows, Office, .NET and Internet Explorer. Adobe joins the fun with yet another batch of fixes for Flash, and Google releases another version of Chrome with the latest Flash.
The Microsoft security summary bulletin for November 2015 gets into all the technical details. There are twelve separate bulletins with associated updates. Four of the updates are flagged as Critical. One of the updates affects the Windows 10 web browser Edge. A total of 53 vulnerabilities are addressed.
Flash 19.0.0.245 includes fixes for at least seventeen vulnerabilities. As usual, Internet Explorer in recent versions of Windows will be updated via Windows Update. Chrome gets the new Flash via its internal updater. Anyone still using a web browser with Flash enabled should install the new Flash as soon as possible.
Chrome 46.0.2490.86 includes the latest Flash (see above) and fixes a security issue in its embedded PDF viewer.
Firefox 42 improves private browsing, fixes numerous bugs
Mozilla seems determined to keep us guessing with new versions of Firefox. New versions that are not assigned a major new version number (e.g. 41, 42) are not announced in any way. When a new version is (apparently arbitrarily) assigned a major new version number, Mozilla publishes a post on the Mozilla blog. This post never includes any mention of the new version identifier, and typically doesn’t even say that there’s a new version.
For example, the post associated with Firefox 42 says this: “We’re releasing a powerful new feature in Firefox Private Browsing called Tracking Protection” and “We hope you enjoy the new Firefox!” What new version? When will it be released? We’re left guessing the answers to these rather obvious questions.
According to the release notes for Firefox 42, it was released on November 3. The Mozilla blog post describes changes to Firefox’s Private Browsing mode, including the new Tracking Protection, which “actively blocks content like ads, analytics trackers and social share buttons that may record your behavior without your knowledge across sites.”
Firefox 42 adds a small speaker icon that appears next to the caption for any tab that’s currently playing audio. You can mute a tab’s audio by clicking the speaker icon. The Login Manager has been improved in several ways. Performance has also been beefed up for sites that perform a lot of restyling. HTML5 support was improved.
Firefox 42 includes fixes for at least eighteen security bugs, according to the Security Advisories page. Recommendation: update Firefox to version 42 as soon as possible.
October Security Roundup
You probably shouldn’t rely on the security of your encrypted email. Even if you’re using current encryption technologies, certain conditions may arise during transit that cause your message to be transmitted in plain text.
There’s a well-reasoned response to a common question about the responsibility of Certificate Authorities over on the Let’s Encrypt blog. These fine folks will soon be providing free HTTPS certificates to the world, so they’ve been answering a lot of questions about how their service will work.
There’s going to be a minor apocalypse, starting January 1, 2016. On that date, Certificate Authorities will stop issuing certificates that use SHA1 encryption. SHA1 is now considered too weak for use, and is being phased out in favour of SHA2, which is much stronger. Just one problem: people stuck using older browser software and devices will lose their ability to access secure web sites and use those devices. There’s more technical nitty-gritty over at Ars Technica.
Symantec hasn’t done enough to clean up its Certificate Authority activities, according to Google. This follows the discovery that Symantec employees were issuing unauthorized certificates. Google has warned Symantec to provide a proper accounting of its CA activities or face the consequences.
A critical vulnerability in the blogging platform Joomla was discovered in October. The bug exists in all versions of Joomla from 3.2 onward. A patch was developed and made available, and anyone who manages a Joomla 3.x -based site is strongly advised to install the patched version (3.4.5) as soon as possible.
It’s increasingly dangerous to be a computer security researcher. New agreements could even make the work illegal in some regions.
Flaws in many self-encrypting external hard drives from Western Digital mean their encryption can be bypassed, according to researchers.
Google made it easier to determine why a site is flagged as unsafe, adding a Safe Browsing Site Status feature to their Transparency Report tools.
Mozilla is following the lead of Google and Microsoft, and plans to all but eliminate support for binary plugins in Firefox by the end of 2016. Binary browser plugins for Java, Flash, and Silverlight provide convenience but are a never-ending security headache. There’s one exception: Mozilla will continue to support Flash as a Firefox plugin for the foreseeable future.
The FBI teamed up with security vendors to take down another botnet in October. The Dridex botnet mainly targeted banking and corporate institutions, gathering private data and uploading it to control servers.
Cisco researchers, working with Limestone Networks, disrupted a lucrative ransomware operation in October.
A stash of thirteen million user names and plain text passwords was recently obtained by a security researcher. The records were traced to 000Webhost, an Internet services provider.
The Patreon funding web site was breached, and private information about subscribers, including encrypted passwords and donation records, was published online. Source code was also stolen, which may make decrypting the passwords much easier.
Researchers discovered numerous iPhone applications that collect and transmit private user information, in violation of Apple’s privacy policies. These apps apparently made it into the App Store because of a loophole in the validation process.
87% of Android-based devices are vulnerable to security exploits. Google develops Android updates quickly enough, but phone makers are typically very slow to make updates available to users.
New Android vulnerabilities, dubbed ‘Stagefright 2.0’ by researchers, were announced in early October. As many as a billion Android devices are vulnerable, and although patches were made available by Google, they may take weeks or months to find their way to individual devices.
A malicious Android adware campaign tricks unwary users into installing apps that appear to be from trusted vendors. These apps use slightly-modified icons of legitimate apps to fool users.
Shockwave update adds latest Flash
Adobe finally noticed all the warnings about Shockwave using an old, less-secure version of Flash. The latest new version of Shockwave (12.2.1.171) fixes one specific security issue, while also adding support for the latest Flash using a new feature called ‘Flash Asset Xtra’.
The release notes for Shockwave 12.2.1.171 and the corresponding security bulletin have additional details.
If you use a web browser with a Shockwave plugin, you should install Shockwave 12.2.1.171 as soon as possible. You should also configure the plugin to prompt you before displaying any content, as long as your browser supports doing so.
Flash update for Chrome
Chrome has been updated to include the latest Flash, itself recently updated (outside the normal monthly update cycle) to fix a critical vulnerability. Luckily, if you use Chrome with Flash enabled, you don’t have to do anything; it will update itself.
Version 46.0.2490.80’s release notes don’t add much to the conversation, but predictably, the full change log is loaded with useless details. Nothing much of interest there, anyway.
Updates for Java
On October 20, Oracle released Java 8 Update 65. Hours later, they apparently released Java 8 Update 66.
It looks like there may have been some kind of screwup at Oracle, because the two versions seem to address many of the same issues. When I use the Java control panel to update to the most recent version, I end up with 8u65, and I’m never prompted to install 8u66. Presumably this confusion will be cleared up by Oracle in the next day or so.
Meanwhile, if you’re still using a web browser with Java enabled, you should install Java 8u65 as soon as you can. Java 8 Update 65 fixes a few bugs, including some related to security.
References:
- Oracle Critical Patch Update for October 2015
- Java 8 Update 65 release notes
- Java 8 Update 65 bug fixes
- Java 8 Update 66 release notes
- Java 8 Update 66 bug fixes
Update 2015Nov05: According to a post on The Java Source, a Java blog maintained by Oracle, “Java SE 8u66 is a patch-set update, including all of 8u65 plus additional features.” If you want the new features, you’ll have to download and install 8u66 manually, because Java’s own internal updater won’t do it.
Another stealth release of Firefox
On October 15th, Mozilla slipped another Firefox version into production. Firefox 41.0.2 was released to address a single security issue, CVE-2015-7184. The bug is described in a post on the Mozilla security advisories site. The release notes for Firefox 41.0.2 don’t provide any additional detail. There was no new version announcement.