Category Archives: Security

aka infosec

Opera 12.17 fixes Heartbleed vulnerabilities

It looks like the Opera team is planning to keep the classic version of Opera (version 12.x) alive and secure – at least for now.

An update to the pre-Webkit version of Opera was announced yesterday. The new version addresses two Heartbleed vulnerabilities in the update software.

Note that this update is for Windows only. Mac and Linux versions are unaffected.

There doesn’t seem to be a release notes page for this version. The main change log page doesn’t even list version 12.17.

More Heartbleed fallout

The full extent of the damage caused by the Heartbleed vulnerability may not be known for months. New reports of compromised systems are appearing daily.

Ars Technica reports on a very unfortunate compromise of an OpenVPN installation. It’s particularly bad, because thousands of companies worldwide use VPN solutions to provide supposedly completely secure access to corporate networks from off-site. The potential for damage is enormous.

Also in Heartbleed news: apparently the recently-reported Heartbleed-based intrusion of the Canada Revenue Agency was the work of a teenaged computer science student. He’s been arrested. It seems clear that his motivation was curiosity rather than something more sinister, since he did absolutely nothing to conceal his identity.

Oracle Critical Patch Update fixes 37 issues in Java

Oracle just announced a huge batch of Critical Patch Updates, including 37 updates for Java.

The updates affect all supported versions of Java, including Java 7 (7u55) and the recently-released Java 8 (8u5).

Oracle has clarified their position on the adoption of Java 8 in a special FAQ for version 8. According to that page, “The new release of Java is first made available to developers to ensure no major problems are found before we make it available on the java.com website for end users to download.”

So until Oracle decides that Java 8 is ready for general use, the main Java download page will still offer Java 7 as the ‘most recent’ version. Java 8 can be downloaded from the Oracle Java SE downloads page.

We recommend installing the latest version of Java 7 (7u55) unless you’re interested in testing your Java applications with Java 8, in which case you should install Java 8 Update 5.

Canada Revenue Agency hit by Heartbleed, recommends changing passwords

Anyone who has filed a business or personal tax return online using the Canada Revenue Agency’s web-based tools should change their CRA passwords.

According to the RCMP, about 900 Social Insurance numbers were obtained from CRA systems by unknown persons over a six hour period around April 8. The affected account holders will be contacted by the CRA via registered mail.

The CRA systems’ vulnerability has now been patched, but the CRA is advising all account holders to change their passwords.

Heartbleed followup

Fallout from the Heartbleed vulnerability continues.

The list of major web sites affected by this issue (and in most cases advising their users to change their passwords) is expanding rapidly. It includes Instagram, Tumblr, DropBox, and many others.

The list of affected software is also growing.

Ars Technica’s ongoing coverage includes the disturbing news that the Heartbleed vulnerability ‘may have been exploited months before patch’ and that ‘Researchers find thousands of potential targets for Heartbleed OpenSSL bug’.

Security researchers at the University of Michigan scanned the Internet looking for vulnerable web sites, and found plenty, which they list in their Heartbleed Bug Health Report.

Numerous tools for detecting Heartbleed vulnerability have appeared on the web, including this one at filippo.io. Use these tools with caution, since some will almost certainly turn out to be scams of some kind.

The XKCD web comic has joined in the fun:

XKCD’s take on the Heartbleed problem.

No more updates for Windows XP – what now?

RIP Windows XP. At least from Microsoft’s point of view. In fact, use of the O/S continues, and will probably do so for years.

First, let’s get one thing out of the way: it’s not a good idea to keep running Windows XP. If your XP computer is never connected to the Internet, then you have much less to worry about, but continuing to use XP on a computer that is connected to the Internet is risky, especially if you’re also still using Internet Explorer, in which case you will almost certainly end up with malware of some kind in the very near future.

Anyone who can’t or won’t upgrade from Windows XP should take certain precautions. Check out the Windows XP page on this site for some useful tips.

If you want to do the responsible thing and move away from Windows XP, what are your choices? The best option at this point is Windows 7. You can still buy Windows 7, but Microsoft says that they will stop selling it in February 2015. I’ll be updating the Windows 7 resources on this site to provide XP -> 7 migration tips in the near future.

Other possibilities – for the more adventurous – include Linux and Chrome OS. Linux comes in many flavours, but one in particular is designed to make Windows users feel at home: Zorin OS (free). Chromium OS from Google was designed to be used with its inexpensive and simple Chromebook computers, but it can be installed on regular PC hardware. It’s free, but probably only useful for users with basic requirements. It runs on top of Linux.

There are loads of articles on the web about the ‘XPocalypse’ – as it’s come to be known. Ars Technica has this: ‘The XPocalypse is upon us: Windows XP support has ended’.

Extremely critical security bug affects most of the Internet

A bug in the OpenSSL cryptography software running on most of the world’s servers has opened a window into random server data that was never meant to be exposed.

This newly-discovered vulnerability – now known as ‘Heartbleed’ – has apparently existed for at least two years. It’s unclear whether the bug was known to (and used by) nefarious persons to gather supposedly secure information during that time.
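The post describes Heartbleed as a window into server data; the root cause, as documented in the public OpenSSL fix, was a TLS heartbeat handler that trusted the peer-supplied payload length. The following is an added example, not OpenSSL’s own code, showing that missing check beside the corrected one (the sample records are constructed, not captured traffic):

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not OpenSSL's own code: a minimal TLS heartbeat
 * (RFC 6520) request handler that shows the missing bounds check behind
 * Heartbleed and the corrected check. Message layout:
 *   byte 0     type (1 = request, 2 = response)
 *   bytes 1-2  payload_length, big-endian, chosen by the peer
 *   payload_length bytes of payload, then at least 16 bytes of padding
 * rec_len is how many bytes actually arrived in the record. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Vulnerable shape (OpenSSL before 1.0.1g), shown as a comment only:
 *   payload = peer-supplied length;  memcpy(bp, pl, payload);
 * Nothing compares payload against rec_len, so a short record with a
 * large length field makes memcpy read past the record into whatever
 * heap memory follows it, and that memory is echoed back to the peer. */

/* Hardened handler: writes the response to out and returns the echoed
 * payload length, or -1 if the record is malformed and must be dropped. */
int hb_build_response(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* The fix: declared payload + header + padding must fit in rec_len. */
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return -1;
    if (out_cap < 1 + 2 + payload + HB_PADDING)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);         /* now bounded by rec_len */
    memset(out + 3 + payload, 0, HB_PADDING);  /* RFC wants random padding */
    return (int)payload;
}

/* Constructed sample records (not captured traffic); trailing zeros pad. */
static const uint8_t good_rec[24] = {
    HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' /* then 16 zero bytes */
};
static const uint8_t short_rec[24] = {
    HB_REQUEST, 0x40, 0x00, 'h', 'e', 'l', 'l', 'o' /* claims 16384 bytes */
};
```

With the check in place the second record, which declares 16384 payload bytes but carries only 5, is rejected instead of being answered with 16 KB of adjacent memory.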

Patches for affected operating systems and other software that uses OpenSSL were made available almost immediately after the bug was discovered by researchers. Anyone running a Linux server is strongly advised to update the OpenSSL library ASAP.

Services that use OpenSSL to provide security are separately assessing the risk to their customers and issuing their own advisories and recommendations. For instance, Yahoo Mail is known to be vulnerable. Mojang, makers of the popular game Minecraft, advise all players to change their passwords. Ars Technica is also advising all its users to change their passwords.

This bug is so important that it has its own web page, which provides an overview of the issue and makes general recommendations.

Update 2014Apr10: The LastPass web site has some helpful information about major sites that have been affected by Heartbleed and recommends changing your passwords for those sites. They also provide a site check that allows you to determine whether a particular site was affected by Heartbleed.

Flash Player 13 released

Yesterday, Adobe announced a new version of Flash, 13.0.0.182. The new version includes fixes for several security vulnerabilities (including one of the two found at Pwn2Own), as well as numerous other bug fixes and enhancements. There are also some new features, but these are mostly of interest to developers. The official release notes page has all the details.

As usual, the integrated versions of Flash in Internet Explorer 10 and 11 will be updated via Windows Update, and Chrome’s integrated Flash will be updated automatically by the browser itself.