Category Archives: Security

aka infosec

August Patch Tuesday for Adobe software

Adobe’s monthly updates continue to coincide with Microsoft’s. This month there are updates for Adobe Acrobat/Reader and Flash.

The new version of Flash is 14.0.0.176, unless you’re using Flash in a browser other than Internet Explorer, in which case it’s 14.0.0.179. Regardless, the new version includes several bug and security fixes, and adds some new features that are mainly of interest to developers.

The latest version of Adobe Reader is 11.0.0.8. This version fixes a specific vulnerability that allows attackers to circumvent security protections. According to Adobe, attacks based on this vulnerability have been seen in the wild.

August Patch Tuesday for Microsoft software

Time once again to crank up Windows Update and patch your Windows computers. As expected, this month’s batch includes nine bulletins with associated updates for SQL Server, OneNote, SharePoint, .NET, Windows and Internet Explorer. Two Critical updates affect Windows and Internet Explorer.

Related information from Microsoft:

Another WordPress plugin with critical security issues

WordPress is still an extremely attractive target for malicious hackers. One of the ways they can gain access to WordPress sites is to examine third-party WordPress plugins, looking for security vulnerabilities. Plugins aren’t subject to any kind of approval or auditing process; anyone can develop and publish them.

Many of the most famous WordPress hacks were actually hacks of plugins, not the WordPress core software. The TimThumb graphics library is a good example.

Now there’s news that the popular Custom Contacts Form plugin is vulnerable, and sites running unpatched versions are exposed to complete takeover by nefarious persons.

Anyone who runs a WordPress site that uses Custom Contacts Form should immediately update the plugin to version 5.1.0.4 or higher.

What we know about the recent theft of 1.2 billion passwords

On August 5, the New York Times ran a story calculated to cause panic among Internet users. According to the story, a Russian gang had obtained up to 1.2 billion (yes, billion) login credentials.

The source of the story was Alex Holden, of Hold Security. Unfortunately, Holden didn’t provide much in the way of details, which has given rise to a lot of speculation about the facts, and about Holden’s motives.

Hold Security followed up the story by announcing that they planned to offer a fee-based service that would allow anyone to check whether an email address or user id was in the database of stolen credentials. Many took this as a sign that Hold Security was involved in some kind of scam, but well-known security blogger Brian Krebs came to Holden’s defense in a recent post.

Bruce Schneier, another famous security analyst, isn’t sure. He says – and we agree – that there’s something squirrely about this story.

In any case, it’s simply too soon to know for sure what’s going on. Until someone starts using the purloined information for something other than spam, all we can do is wait. Hopefully Hold Security will either create a free tool for checking credentials, or they’ll hand the database over to someone else who will.

In the meantime, our advice remains the same: use complex, unique passwords, especially for critical accounts like online banking.

Advance notification: Microsoft updates for August

Another month, another pile of patches from Microsoft. This month the updates will become available starting about 10am PST on August 12. According to the official advance notification, there will be nine security bulletins, with associated updates for Windows, Internet Explorer, .NET, SharePoint, OneNote and SQL Server. Two are rated critical.

CryptoLocker defanged at last

Security researchers have cracked the encryption used by the horrible CryptoLocker ransomware.

Recall that once CryptoLocker infects a computer, it encrypts all documents it can find, making them inaccessible until you pay the perpetrators $300 for a key to unlock them. Thousands of users have been hit, with some paying the ransom, while many others lost their data forever.

The researchers have set up a free web site (2016Jan09: the site has been decommissioned) that allows anyone hit by CryptoLocker to decrypt their files. You must upload one encrypted file, after which you are sent the required key. After decrypting your files, you can then use a CryptoLocker removal tool to get rid of the infection.

Brian Krebs has more.

WordPress 3.9.2 fixes several security issues

A new version of the popular WordPress CMS was released yesterday. Version 3.9.2 includes a fix for a serious potential Denial-of-Service bug, and a few other changes that improve overall security.

Anyone who operates a WordPress site is strongly encouraged to update the software as soon as possible. Sites that are configured to allow auto-updates should be automatically updated in the next day or so.