WordPress 4.1.2 was released on Tuesday to address a critical security vulnerability. Sites configured for auto updates will be updated over the next day or so, but you might want to consider installing the update via the dashboard right now.
In related news, security researchers at Sucuri just published a list of popular WordPress plugins that contain serious XSS vulnerabilities. Most of these plugins already have updates addressing the issue. Check your WordPress sites for these plugins, and either update or disable them.
The latest version of Firefox includes a fix for at least one security vulnerability. Stability issues affecting specific display hardware were also resolved, as was an issue involving the display of Google Maps.
There was no announcement for Firefox 37.0.2 on the Mozilla blog. The release notes for version 37.0.2 provide additional details.
Recognizing that millions of people are still using Windows XP, Google has extended support for that O/S in their web browser. That means they will continue to develop fixes for security issues in Chrome running on Windows XP. Anyone still using Windows XP is strongly encouraged to stop using Internet Explorer, which is no longer supported by Microsoft, and use Google Chrome instead.
Thousands of users were exposed earlier this week to nasty malware hidden inside a phony ad that appeared on the Huffington Post web site. The Flash-based ad was delivered via Google’s DoubleClick advertising network. And this wasn’t even the largest malvertising exposure this week.
Law enforcement and security organizations have once again combined their efforts in taking down another large botnet: Simda. The takedown involved seizing fourteen command and control computers in various locations around the world. At its peak, Simda affected over 700,000 computers worldwide.
The latest version of Chrome includes fixes for forty-five security vulnerabilities. According to the announcement, version 42.0.2311.90 also has improvements in stability and performance.
Starting with this version of Chrome, the old NPAPI technology used for plugins (including Java and Silverlight) is disabled by default. If any of your Chrome plugins still use this technology, you’ll need to enable them when the browser warns you.
NOTE: Java 7 is no longer being updated, so if you’re still using it, you should upgrade to Java 8 as soon as possible. If Java is configured to auto-update itself, it will upgrade Java 7 to Java 8 automatically.
Update 2015May14: The final update for Java 7 was 7u79/7u80, released on April 14, 2015.
It’s that time again. This month there are eleven updates from Microsoft, with four of them flagged as Critical, affecting Windows, Internet Explorer, Office and .NET.
Adobe has once again come along for the monthly festivities, today releasing a new version of Flash. Version 17.0.0.169 fixes at least fourteen vulnerabilities in Flash, including one for which exploits have been observed in the wild.
So, time to get busy updating your systems… especially where you’re using Flash in a web browser.
Update 2015Apr19: One of this month’s Windows updates is causing problems for people running Oracle VirtualBox, a popular emulator. The problematic update is KB3045999, also referred to as MS15-038. There’s no word yet from Oracle or Microsoft regarding a fix. Uninstalling the update appears to work, but this is obviously a temporary solution.
What’s a passphrase? It’s a phrase or sentence that you use as a password. Phrases tend to be easier to remember than ordinary passwords, and they are much more difficult to crack.
This month’s Ouch! newsletter (PDF) provides a useful overview of passphrases and their use. Note that while passphrases can be very strong, you should still make sure to use a different one for each site or service. And of course you should use a good, offline password manager like Bruce Schneier’s Password Safe to keep track of them.
If you use Google’s web browser Chrome, and you’ve noticed that some extensions are causing problems, take heart. Google recently discovered that about 200 Chrome extensions are injecting ads in deceptive ways, often leading users to malware. These extensions have been killed by Google, and measures have been taken to prevent this type of abuse in the future. Note that Google doesn’t explicitly bar ad-injection extensions; however, such extensions are subject to certain limitations.
If you suspect that your installation of Chrome is running one or more of these rogue extensions, your best bet is to uninstall Chrome completely and reinstall it.
Update 2015Apr09: Google’s efforts to identify and remove problematic extensions are ongoing. More announcements of this type are expected. For example: the extension ‘Webpage Screenshot’ was found to be collecting user data inappropriately, and was also killed.