A new version of Google Chrome was released on December 4. Version 31.0.1650.63 includes fifteen security fixes.
Holiday season warnings from CERT
Christmas is coming, and along with it, holiday-themed scams, spam and malware. It’s a time for families to come together and celebrate, but it’s also a time to be wary and vigilant.
CERT has provided a handy set of guidelines and tools you can use to avoid being the recipient of one of these unwanted ‘gifts’.
Opera 18 released
Version 18.0.1284.49 of the WebKit-based (and sadly deficient) Opera web browser improves stability and adds a few new features, including camera/microphone support, the ability to move tabs between windows, custom themes, and custom search engines.
The official announcement and release notes pages have additional details.
Firefox 25.0.1 released
Another stealth release of Firefox happened on November 15. Version 25.0.1 apparently fixes some security vulnerabilities and other bugs. With the total lack of any kind of announcement for this release, and the way the release notes include changes in previous releases, it’s difficult to be certain what’s new in this version. For instance, the version 25.0.1 release notes point to the ‘Known vulnerabilities’ page, but there’s nothing listed there that’s specific to version 25.0.1. The release notes for 25.0.1 also point to Bugzilla (‘complete list of changes’), but the list of fixed bugs shows everything for version 25, and nothing specific to version 25.0.1. What a mess.
Update 2013Nov23: EWeek has more information about the security vulnerabilities fixed in Firefox 25.0.1 (even if Mozilla doesn’t).
Chrome 31.0.1650.57 released
Hot on the heels of version 31.0.1650.48, the latest version of Google’s web browser fixes multiple memory corruption issues as demonstrated by an exploit privately reported to Google.
Flash 11.9.900.152 released
The latest version of Flash includes several fixes for bugs and security vulnerabilities. The official announcement lists the bug fixes and other improvements, while the associated security bulletin provides additional technical details.
As usual, Flash in Google Chrome is updated automatically through Chrome’s built-in updater, while Flash in Internet Explorer on Windows 8 is updated via Windows Update.
Chrome 31.0.1650.48 released
The latest version of Google’s web browser includes an update to the embedded Flash player (to version 11.9.900.152), and 25 security fixes. The official announcement has the technical details.
Patch Tuesday for November 2013
It’s the second Tuesday of November, which means it’s time to update all your Windows computers. This month’s announcement lists eight bulletins, affecting Windows, Office, and Internet Explorer.
A patch for the recently-reported vulnerability in Internet Explorer will also be made available later today, according to Microsoft. It will appear in the November 2013 Patch Tuesday announcement as bulletin #3 (MS13-090).
For the full technical details on this month’s updates, see the related post on the Microsoft Security Response Center blog.
New Internet Explorer vulnerability being actively exploited
Another new exploit has been discovered by security researchers, this one affecting Internet Explorer. The exploit uses two as-yet unpatched vulnerabilities in IE 7 through 10.
This is not to be confused with the recently-announced exploit affecting Microsoft Office.
Recommendations:
- Avoid using Internet Explorer. If that’s not practicable, exercise extreme caution when browsing the web.
- Install and use Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).
Ars Technica has more details.
Update 2013Nov12: a patch for this vulnerability will be included with this month’s Patch Tuesday updates, later today.
Ouch! newsletter: How to shop online securely
The latest installment of the Ouch! newsletter (PDF) from SANS provides tips for safely and securely shopping on the web. Learn how to identify shady web stores and avoid them, how to keep your credit card information secure, and what to do if you suspect fraud.
The Ouch! newsletter is aimed at regular users and the security challenges they face daily. Highly recommended, but if you’re a computing professional, you may not find much there you didn’t already know.