boot13Hot on the heels of version 31.0.1650.48, the latest version of Google’s web browser fixes multiple memory corruption issues as demonstrated by an exploit privately reported to Google.
Flash 11.9.900.152 released
The latest version of Flash includes several fixes for bugs and security vulnerabilities. The official announcement lists the bug fixes and other improvements, while the associated security bulletin provides additional technical details.
As usual, Flash in Google Chrome is updated automatically through Chrome’s built-in updater, while Flash in Internet Explorer on Windows 8 is updated via Windows Update.
Chrome 31.0.1650.48 released
The latest version of Google’s web browser includes an update to the embedded Flash player (to version 11.9.900.152), and 25 security fixes. The official announcement has the technical details.
Patch Tuesday for November 2013
It’s the second Tuesday of November, which means it’s time to update all your Windows computers. This month’s announcement lists eight bulletins, affecting Windows, Office, and Internet Explorer.
A patch for the recently-reported vulnerability in Internet Explorer will also be made available later today, according to Microsoft. It will appear in the November 2013 Patch Tuesday announcement as bulletin #3 (MS13-090).
For the full technical details on this month’s updates, see the related post on the Microsoft Security Response Center blog.
New Internet Explorer vulnerability being actively exploited
Another new exploit has been discovered by security researchers, this one affecting Internet Explorer. The exploit uses two as-yet unpatched vulnerabilities in IE 7 through 10.
This is not to be confused with the recently-announced exploit affecting Microsoft Office.
Recommendations:
- Avoid using Internet Explorer. If that’s not practicable, exercise extreme caution when browsing the web.
- Install and use Microsoft’s Enhanced Mitigation Experience Toolkit (EMET)
Ars Technica has more details.
Update 2013Nov12: a patch for this vulnerability will be included with this month’s Patch Tuesday updates, later today.
Ouch! newsletter: How to shop online securely
The latest installment of the Ouch! newsletter (PDF) from SANS provides tips for safely and securely shopping on the web. Learn how to identify shady web stores and avoid them, how to keep your credit card information secure, and what to do if you suspect fraud.
The Ouch! newsletter is aimed at regular users and the security challenges they face daily. Highly recommended, but if you’re a computing professional, you may not find much there you didn’t already know.
Internet Explorer 11 now available for Windows 7
Microsoft is obviously concentrating its development efforts on Windows 8, but they haven’t totally forgotten that much of the world still runs Windows 7. Windows XP users are out of luck, but Windows 7 users can now install Internet Explorer 11, which was previously only available for Windows 8.
Advance notification of November 2013 Patch Tuesday
Tuesday, November 12 will see a modest batch of updates from Microsoft. There will be eight bulletins in total, with five Critical updates addressing vulnerabilities in Windows and Internet Explorer, and three Important updates addressing vulnerabilities in Windows and Office.
The recently-discovered vulnerability in Office running on Vista will not get a patch on November 12, but Microsoft is working on it and will release it as soon as it’s ready.
Vulnerability in MS Office on Vista being actively exploited
Microsoft has issued a security advisory to users of Office on Windows Vista. A newly-discovered vulnerability in Microsoft Office versions 2003 through 2010, when running on Windows Vista, is already being exploited by nefarious hackers.
If you are using Office 2003 to 2010 on Windows Vista, you should take steps to protect yourself until Microsoft releases a patch for this vulnerability:
- Install and use Microsoft’s Enhanced Mitigation Experience Toolkit (EMET)
- Install the related Microsoft ‘Fix-It’ (see Microsoft Knowledge Base Article 2896666).
This vulnerability also affects Office 2003 through 2010 running on Windows Server 2008, but you shouldn’t be running desktop applications on server software anyway, right?
The MSRC blog has more information, as does an Ars Technica post on the subject.
Update 2013Nov09: apparently attacks based on this vulnerability are more widespread than was originally estimated.
Secunia’s Online Security Inspector is no more
The formerly excellent free OSI service provided by Secunia has been discontinued. I used the OSI service because it was an easy way to check for vulnerable software on any Windows computer.
Recently, OSI stopped working, and Secunia chose to retire the service rather than fix it. There’s probably more to their decision, but they’re not saying, at least not publicly. The OSI web site says only “We have discontinued the Secunia Online Software Inspector (OSI).” and recommends alternatives.
The primary alternative to OSI offered by Secunia is the “Personal Software Inspector”. As with OSI, PSI was developed in Java and requires Java to run. Unlike OSI, however, PSI runs as an application outside the context of your web browser. This has at least one advantage, in that there’s now one less reason to leave Java enabled in your web browser.
Unlike OSI, which was a strictly on-demand service, PSI by default sets itself up to start with Windows, checking for vulnerable software and updating it automatically. I’m not a fan of automatic updates: I want to be in control of what gets updated and when. Fortunately, PSI can be configured to only notify you of software that can be updated. You can also configure it NOT to start with Windows, but there are some additional steps you’ll need to take if you want to use PSI strictly on-demand.
PSI installs two services: Secunia PSI Agent and Secunia Update Agent. These services are configured to start automatically with Windows. If you want to run PSI on-demand only, you’ll need to change the Startup Type for both of these services from Automatic to Manual. When you run PSI, it will start both of these services. When you close PSI, it will stop the Secunia PSI Agent service, but leave the Secunia Update Agent running (it appears as sua.exe in the Windows process list). You’ll have to stop it manually.
Once PSI is running, it presents a list of installed software, along with status and options for each. We recommend changing the display to ‘Detailed View’ – click ‘Settings’ at the bottom of the PSI screen and enable that setting. While you’re there, you can also disable ‘Start on boot’ and select ‘Update handling: Notify’. For each application listed, the Status column shows the most obvious options, including ‘Download’ and ‘Update’. Right-clicking the entry for an application will show a context menu that allows you to see additional details about available updates, or choose to ignore updates for that application.
Warning: PSI seems to start scanning your computer before it presents any part of its user interface. That means you have to act quickly the first time you run it, if you want to configure it for on-demand scans only. Hopefully now that OSI users are migrating to PSI, Secunia will listen to their requests and make PSI more friendly to people who prefer the on-demand approach.
Additional information on setting up and using Secunia’s PSI can be found on this site’s ‘Scan for vulnerable software‘ page.