Category Archives: Security

aka infosec

Java Zero-day exploit status

Like the “__ days since the last accident” signs that are common in workplaces, the Java Zero-day Countdown web site provides a quick check on Java’s current security issues.

Recall that a zero-day exploit/attack/threat is “an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on ‘day zero’ of awareness of the vulnerability.” [from Wikipedia]

Java has been hit by a stream of such attacks in recent months, and despite new security-tightening features added by Oracle (Java’s developer), there’s no end in sight. Java’s ubiquity makes it a prime target for the perpetrators of malicious hacks.

Maybe some day Oracle will tighten Java’s security to the point where sites like the Java Zero-day Countdown aren’t necessary. Until that happens, it’s a good way to get a quick overview on current threats to Java.

Advance notification of March Patch Tuesday from Microsoft

March 12th will see a new batch of updates for Windows, Office, Internet Explorer and other Microsoft software. This month there will be seven bulletins, four flagged as Critical.

Patches will become available at around 10am PDT on March 12. PCs configured for auto-updates will see the patches during the following day or so.

Technical details are available in the complete bulletin at TechNet.

More holes in Java’s latest security enhancements

As you’re no doubt well aware, Oracle has been churning out a lot of security updates for Java lately. They’ve also been adding security features, such as the new security settings options. And that’s a good thing.

Except that the security settings don’t actually work the way they’re supposed to. There’s an implicit assumption that ‘trusted’ Java applications – those with valid certificates – should be allowed to do whatever they want. Which would be fine, if certificate status were always reliable. But it’s not. A new vulnerability discovered by security researchers at Avast grants valid status to clearly invalid certificates.

So, the usual advice still applies: disable Java in your web browser unless you absolutely need it. If you need it, consider setting aside one browser just for use with Java, and limit your use of that browser.

Is Oracle losing ground in this battle? Sure feels like it.

Java 7 update 17 released

And just like that, another new version of Java. Version 7 update 17 (what happened to update 16?) includes fixes for some serious security vulnerabilities, as outlined in the associated security alert.

You’ll forgive me for not trusting Oracle’s word on whether any particular vulnerability has truly been fixed. I’ll defer to Adam Gowdiak and other security researchers for the final judgment. Certainly 7u17 is the latest version of Java, and it presumably fixes some of the holes in 7u15, so anyone using Java – especially in their browser – should install it ASAP. But I’m going to leave Java 7u17 flagged as possibly vulnerable.