boot13Version 33.0.1750.117 of Google’s web browser contains a whopping 28 fixes for security vulnerabilities. Anyone using Chrome should make sure that it has updated itself to the new version.
Emergency update for Flash
On February 20, Adobe announced a new version of Flash that addresses critical security vulnerabilities. Security bulletin apsb14-07 describes the vulnerabilities.
We strongly recommend upgrading to this new version of Flash (12.0.0.70) as soon as possible, especially if you have Flash enabled in a web browser and you use that web browser for web surfing.
As usual, Google Chrome will update itself to the latest version of Chrome, and Internet Explorer 10 and 11 will be updated to the latest Flash by way of Windows Update.
Firefox 27.0.1 released
There was another stealth release of Firefox on February 13. It’s not clear from the release notes exactly what’s different in version 27.0.1, aside from two minor Javascript fixes. No security vulnerabilities are listed as fixed in this version.
Internet Explorer vulnerable to new attack
Update 2014Feb19: Microsoft has released a ‘Fix-It’ patch that apparently removes this vulnerability in Internet Explorer 9 and 10. They are expected to release a regular update at some point, but for now, if you have to use IE9/10, you should apply this Fix-It.
Ars Technica reports on a new vulnerability affecting Internet Explorer 10 and 9. Visitors to the American Veterans of Foreign Wars (VFW) web site who are using Internet Explorer will become infected with malware.
The VFW site was recently compromised, and altered to include code that loads the malware from another site. Presumably the VFW site will be cleaned up very soon, but the vulnerability in IE remains, so we can expect to see this malware being served up by other compromised web sites very soon.
Microsoft said that they are aware of the problem but there’s no word yet on a possible fix.
For now, since there’s no way to know which web sites to avoid, we recommend not using Internet Explorer at all for general web surfing.
Opera 19.0.1326.63 released
A new version of the WebKit-based Opera web browser was announced today. Apparently the only change is some improvement to stability.
Patch Tuesday, February 2014
It’s the second Tuesday in February 2014, so it’s time to patch your Windows computers. Originally there were only going to be five bulletins this month, but two more were added late. The updates fix security vulnerabilities in Internet Explorer, Windows and .NET. Four of the updates are flagged as Critical.
The summary bulletin has all the technical details, and Dustin Childs has posted a friendlier summary over at the MSRC blog.
As usual, a SANS ISC Diary post provides a security-focused interpretation of the month’s updates, with its own recommendations, as well as useful references (CVE identifiers) to the specific vulnerabilities addressed.
Windows 8.1 update 1 news
Assorted rumours and leaks about the upcoming ‘Patch 1’ for Windows 8.1 are starting to coalesce into a solid picture of the update:
- It’s likely to be released in April 2014.
- This will be a free update.
- It may be available via Windows Update.
- The update is focused on improving the user interface for keyboard/mouse users:
- ‘Metro’ window title bars with context menus
- optional boot to traditional desktop
- the return of the Start menu
- search and shutdown options are easier to find
- ‘Metro’ apps optionally shown in taskbar
- show taskbar within ‘Metro’ apps
Followup 2014Mar17: Peter Bright over at Ars Technica looked at a leaked version of the upcoming Windows 8.1 update, and posted his observations. Although Microsoft seems to have made progress in reducing the memory requirements of Windows 8.x (allowing it to actually run on many mobile devices), he’s unconvinced that the user interface changes will placate desktop users. Case in point: there’s still no Start menu.
Advance notification of February 2014 Patch Tuesday
Tuesday, February 11 will see five bulletins and associated patches from Microsoft. According to the advance notification, the patches will affect Windows, .NET and security software.
As usual, Dustin Childs posted an overview of this month’s patches over at the MSRC blog.
Ouch newsletter: What is Malware?
This month’s Ouch! newsletter (warning: PDF) from SANS provides a basic overview of malware: what it is, where it comes from, who creates it, and how it infects your computer. A good read for anyone who has wondered what malware is and why it’s a problem.
Ballmer gone, Gates back at Microsoft
Steve Ballmer’s replacement as CEO of Microsoft is Satya Nadella, formerly in charge of the company’s enterprise and cloud products. Perhaps more interestingly, Nadella asked Bill Gates to get more involved in the company, and Gates agreed: he is stepping down as Chairman of the Board, and is expected to provide guidance for the company’s technology development.