On Tuesday, Mozilla released another new version of Firefox, version 20.
The new version includes several security fixes, as well as private browsing, changes to the download system, performance improvements, and several other bug fixes and enhancements.
As usual, the release notes and complete list of changes for this release are a jumbled mess of old and new information, making the job of figuring out what has actually changed needlessly difficult. Will they ever fix this?
Yesterday, Google announced version 26.0.1410.43 of their web browser, Chrome. The new version includes several fixes for security vulnerabilities, as well as improvements to the integrated spelling checker.
This month’s Ouch! newsletter (PDF) from SANS explains the security risks involved in using various kinds of social media, and provides tips for staying safe.
A new version of Flash was announced today. Version 11.6.602.180 fixes several security (and other) bugs and adds a few new features. The security issues are described in the associated security bulletin: APSB13-09. The rest of the changes are covered in the release notes for 11.6.602.180.
Like the “__ days since the last accident” signs that are common in workplaces, the Java Zero-day Countdown web site provides a quick check on Java’s current security issues.
Recall that a zero-day exploit/attack/threat is “an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on ‘day zero’ of awareness of the vulnerability.” [from Wikipedia]
Java has been hit by a stream of such attacks in recent months, and despite new security-tightening features added by Oracle (Java’s developer), there’s no end in sight. Java’s ubiquity makes it a prime target for the perpetrators of malicious hacks.
Maybe some day Oracle will tighten Java’s security to the point where sites like the Java Zero-day Countdown aren’t necessary. Until that happens, it’s a good way to get a quick overview of current threats to Java.
March 12th will see a new batch of updates for Windows, Office, Internet Explorer and other Microsoft software. This month there will be seven bulletins, four flagged as Critical.
Patches will become available at around 10am PDT on March 12. PCs configured for auto-updates will see the patches during the following day or so.
Mozilla released a new version of Firefox today. Version 19.0.2 fixes one security vulnerability.
As usual, the release notes and complete list of changes for this release are a mixture of old and new information, making the job of figuring out what has actually changed needlessly difficult.
As you’re no doubt well aware, Oracle has been churning out a lot of security updates for Java lately. They’ve also been adding security features, such as the new security settings options. And that’s a good thing.
Except that the security settings don’t actually work the way they’re supposed to. There’s an implicit assumption that ‘trusted’ Java applications – those with valid certificates – should be allowed to do whatever they want. Which would be fine, if certificate status were always reliable. But it’s not. A new vulnerability discovered by security researchers at Avast grants valid status to clearly invalid certificates.
So, the usual advice still applies: disable Java in your web browser unless you absolutely need it. If you need it, consider setting aside one browser just for use with Java, and limit your use of that browser.
Is Oracle losing ground in this battle? Sure feels like it.