There was yet another stealth release of Firefox yesterday. Version 28 was not announced on any of the myriad Mozilla blogs. I only discovered it because of release announcements on CERT and SANS blogs.
According to SANS, at least some of the security fixes in Firefox 28 are the result of successful hacks at the recent Pwn2Own contest. There’s a full list of the security fixes in this version at the top of the ‘Known Vulnerabilities‘ (aka ‘Security Advisories for Firefox’) page for Firefox.
The official release notes page for version 28 shows no improvement over previous release notes pages. But it does list the changes in the latest version, none of which are worthy of note.
Aside: I recently submitted two bugs to the Mozilla bug tracking system for Firefox. Bug #973330 is about the lack of proper announcements for new Firefox versions. Bug #973335 covers the many issues with the release notes pages for Firefox. So far the responses from Mozilla workers have not been encouraging.
The recent Pwn2Own contest revealed security vulnerabilities in several software products, including Google Chrome.
Within hours, Google corrected the flaws in Chrome and released new versions. The new Windows version is 33.0.1750.154. The official announcement provides additional details.
Adobe announced a new version of Flash yesterday. Version 12.0.0.77 fixes two security vulnerabilities flagged by Adobe as Important.
As usual, Google Chrome will update itself with the latest version of Flash, while Internet Explorer 10 and 11 on Windows 8 and 8.1 will receive the latest Flash updates via Windows Update.
You can check the version of Flash currently installed on your computer (or more accurately, in your browser), by visiting the About Adobe Flash page, and you can download the new version from the Player Download Center (warning: this page will install additional software by default; make sure to uncheck any optional software checkboxes).
Yesterday was Patch Tuesday, and Microsoft released five updates for Windows, Internet Explorer, and Silverlight. Two of the updates are flagged as Critical. The official summary bulletin has all the technical details, and a post on the MSRC blog has a less technical breakdown of the updates.
This month’s Ouch! (PDF) provides a useful overview of what you need to know if you’re still using Windows XP.
The SANS Ouch! newsletter is aimed at users, so it may not be useful for IT professionals. On the other hand, it’s a great place to send users looking for information adapted to their level of understanding.
Patch Tuesday for March 2014 happens on March 11. Microsoft currently plans to publish five new bulletins and associated patches starting at 10am PST on that date. The patches will address vulnerabilities in Windows, Internet Explorer, and Silverlight. Two of the patches are flagged as Critical.
Adobe will no longer test Flash on Windows XP after the next quarterly update. You can continue to use Flash on Windows XP after that, but it will become increasingly risky, especially if it’s enabled in your web browser. This is yet another nail in the coffin for Windows XP.
When a new Windows vulnerability is discovered, and particularly when exploits for that vulnerability are discovered in the wild, a common refrain from Microsoft is “use EMET”. EMET is security software that protects Windows systems from certain types of behaviour common to vulnerability-based attacks.
Installing and configuring EMET properly provides a level of protection beyond that of regular anti-malware software. Well, that was the idea, anyway.
Now it appears that attackers have found a way past EMET. The EMET bypass was discovered by security researchers at Bromium Labs and the details published in a whitepaper.
Malicious hackers are likely to start using this new information soon. Microsoft is working with Bromium Labs, but it may not be possible to prevent the bypass by improving EMET, in which case EMET will be reduced to a minor speed bump for attackers.
Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.
Close
Ad-blocker not detected
Consider installing a browser extension that blocks ads and other malicious scripts in your browser to protect your privacy and security. Learn more.
boot13