Category Archives: Security

aka infosec

Flash 12.0.0.77 released

Adobe announced a new version of Flash yesterday. Version 12.0.0.77 fixes two security vulnerabilities flagged by Adobe as Important.

As usual, Google Chrome will update itself with the latest version of Flash, while Internet Explorer 10 and 11 on Windows 8 and 8.1 will receive the latest Flash updates via Windows Update.

You can check the version of Flash currently installed on your computer (or more accurately, in your browser), by visiting the About Adobe Flash page, and you can download the new version from the Player Download Center (warning: this page will install additional software by default; make sure to uncheck any optional software checkboxes).

Microsoft updates for March 2014

Yesterday was Patch Tuesday, and Microsoft released five updates for Windows, Internet Explorer, and Silverlight. Two of the updates are flagged as Critical. The official summary bulletin has all the technical details, and a post on the MSRC blog has a less technical breakdown of the updates.

As expected, one of this month’s updates fixes the recently-reported zero-day vulnerability in Internet Explorer.

Advance notification of March updates from Microsoft

Patch Tuesday for March 2014 happens on March 11. Microsoft currently plans to publish five new bulletins and associated patches starting at 10am PST on that date. The patches will address vulnerabilities in Windows, Internet Explorer, and Silverlight. Two of the patches are flagged as Critical.

One of the patches will fix the Internet Explorer vulnerability recently reported here.

Microsoft EMET protection software bypassed

When a new Windows vulnerability is discovered, and particularly when exploits for that vulnerability are discovered in the wild, a common refrain from Microsoft is “use EMET”. EMET is security software that protects Windows systems from certain types of behaviour common to vulnerability-based attacks.

Installing and configuring EMET properly provides a level of protection beyond that of regular anti-malware software. Well, that was the idea, anyway.

Now it appears that attackers have found a way past EMET. The EMET bypass was discovered by security researchers at Bromium Labs and the details published in a whitepaper.

Malicious hackers are likely to start using this new information soon. Microsoft is working with Bromium Labs, but it may not be possible to prevent the bypass by improving EMET, in which case EMET will be reduced to a minor speed bump for attackers.

Extremely critical security flaw may affect Macs

Apple recently patched a critical vulnerability in iOS, the operating system that runs all iPhones. Now it appears that the same flaw may affect all Macs running OS X as well. So far there is no official confirmation from Apple, but security experts are warning Mac users to avoid using public networks until we know more.

Update 2014Feb24: Apple released a patch for iOS that fixes this flaw on iPhones. Meanwhile, it looks like the flaw does affect Macs (OS X). A security researcher at ImperialViolet has created a proof-of-concept test page (no longer functional). Steer your Mac web browser to that page; if you get an error message, your browser is not affected by the flaw. Vulnerable Mac browsers will see a message to that effect. Tests on my own Mac show Safari as vulnerable, while Firefox is not.

Update 2014Feb25: TechDirt has an amusing article on the surprising lack of information coming from Apple. There’s a general sense of dissatisfaction with Apple, and increasing clamour for information – any information – on how this issue affects Macs.

Update 2014Feb26: Apple has released an update for OS X that addresses this issue. OS X 10.9.2 includes several other security fixes and bug fixes.