New Internet Explorer vulnerability

On April 26, Microsoft released Security Advisory 2963983, which describes a newly-discovered vulnerability affecting all versions of Internet Explorer.

According to the related MSRC blog post, attacks based on this vulnerability are being seen in the wild, but so far those attacks are limited.

This IE vulnerability is apparently based on a vulnerability in Flash.

Microsoft is advising the usual caution, especially when clicking links in email and visiting unfamiliar web sites.

Presumably Microsoft will produce a patch for this vulnerability, and an interim ‘Fix-It’ workaround may be made available soon, but in the meantime, you should either stop using Internet Explorer completely, or at least install and configure EMET.

Windows XP users should not – under any circumstance – still be using Internet Explorer as their default web browser or for browsing the web. This vulnerability is only the first in what is sure to be a long series that make using Internet Explorer on Windows XP extremely risky.

Update 2014Apr28: Ars Technica, The Verge, and the SANS InfoSec handlers diary all have additional information.

Opera 12.17 fixes Heartbleed vulnerabilites

It looks like the Opera team is planning to keep the classic version of Opera (version 12.x) alive and secure – at least for now.

An update to the pre-Webkit version of Opera was announced yesterday. The new version addresses two Heartbleed vulnerabilities in the update software.

Note that this update is for Windows only. Mac and Linux versions are unaffected.

There doesn’t seem to be a release notes page for this version. The main change log page doesn’t even list version 12.17.

More Heartbleed fallout

The full extent of the damage caused by the Heartbleed vulnerability may not be known for months. New reports of compromised systems are appearing daily.

Ars Technica reports on a very unfortunate compromise of an OpenVPN installation. It’s particularly bad, because thousands of companies worldwide use VPN solutions to provide supposedly completely secure access to corporate networks from off-site. The potential for damage is enormous.

Also in Heartbleed news: apparently the recently-reported Heartbleed-based intrusion of the Canada Revenue Agency was the work of a teenaged computer science student. He’s been arrested. It seems clear that his motivation was curiosity rather than something more sinister, since he did absolutely nothing to conceal his identity.

Why Windows 8.1 Update 1 is ‘required’

We recently wrote about the release of Update 1 for Windows 8.1.

In that post, we noted that Microsoft was making this update mandatory for all subsequent security updates, and wondered why they would do that. Apparently we weren’t the only ones, and there was enough angry feedback that Microsoft extended the period during which Windows 8.1 systems without Update 1 could continue receiving security updates, from 30 days to 120.

But why add this kind of limitation at all?

Ars Technica may have the answer to that question. We previously wondered why Microsoft wasn’t simply labeling Update 1 as ‘Service Pack 1’, in keeping with their long-established practices. The answer is simple: Microsoft sees what Apple, Google, and other O/S developers are doing, and they want to do the same.

Anyone who owns a Mac knows that Apple’s support for previous versions of OS X is extremely limited. If you want to keep running that old version of OS X, you’re going to have problems, and you won’t have any recourse except to bite the bullet and upgrade. Often, that also means upgrading the hardware. While this is clearly a consumer-hostile stance, it’s easy to understand. Apple saves an enormous amount of money and effort that would otherwise be spent on supporting old versions, developing updates for multiple O/S versions, and so on.

It appears that Microsoft has finally started down the path away from backward-compatibility and support for old versions of Windows. This is both a good and a bad thing. Backward compatibility is why so many people still run Windows XP: why upgrade your O/S if it suits your purposes and can still be kept reasonably secure? But it’s also the source of many problems.

Moving to a more restricted update system in Windows 8.x looks like the first step in a general trend towards the less consumer-friendly model used by Apple and others. And if that’s true, we can expect more moves like this in Microsoft’s future. Which is sad, but probably inevitable.

WordPress updates

WordPress 3.8.3 was released on April 14, and WordPress sites with Auto Updates enabled should have been silently updated. In some cases, the 3.8.3 update may not have had time to auto-update before WordPress became available yesterday.

WordPress 3.8.3 fixes a minor bug that was introduced in the previous release, 3.8.2.

WordPress 3.9 makes several significant changes to the handling of media files, and makes it a bit easier for developers to experiment with widgets.

Neither release apparently includes any security fixes.

Oracle Critical Patch Update fixes 37 issues in Java

Oracle just announced a huge batch of Critical Patch Updates, including 37 updates for Java.

The updates affect all supported versions of Java, including Java 7 (7u55) and the recently-released Java 8 (8u5).

Oracle has clarified their position on the adoption of Java 8 in a special FAQ for version 8. According to that page, “The new release of Java is first made available to developers to ensure no major problems are found before we make it available on the java.com website for end users to download.”

So until Oracle decides that Java 8 is ready for general use, the main Java download page will still offer Java 7 as the ‘most recent’ version. Java 8 can be downloaded from the Oracle Java SE downloads page.

We recommend installing the latest version of Java 7 (7u55) unless you’re interested in testing your Java applications with Java 8, in which case you should install Java 8 Update 5.

Canada Revenue Agency hit by Heartbleed, recommends changing passwords

Anyone who has filed a business or personal tax return online using the Canada Revenue Agency’s web-based tools should change their CRA passwords.

According to the RCMP, about 900 Social Insurance numbers were obtained from CRA systems by unknown persons over a six hour period around April 8. The affected account holders will be contacted by the CRA via registered mail.

The CRA systems’ vulnerability has now been patched, but the CRA is advising all account holders to change their passwords.

Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.