Update for Adobe Flash

Adobe has just announced another Flash update. The new version is 11.7.700.224. As always, this update addresses “vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.”

The official bulletin has all the technical details. The runtime announcement has additional details.

An equivalent patch for Internet Explorer 10 on Windows 8 will be available from Microsoft Update. The new version of Flash in IE10 will be 11.7.700.224.

Google Chrome has also been updated to include a new version of Flash: 11.7.700.225. Chrome normally updates its own version of Flash automatically.

Update 2013Jun14: The Internet Explorer 10 Flash update is now available.

Patch Tuesday for June 2013

This month there are five bulletins, addressing 23 vulnerabilities in Windows, Office and Internet Explorer. Only one (MS13-047, affecting Internet Explorer) is marked as Critical.

The bulletin summary has all the technical details.

Related links:
Improved cryptography infrastructure and the June 2013 bulletins
SANS: Microsoft June 2013 Black Tuesday Overview

How your login credentials can be stolen

An excellent post over at Duo Security reviews the seven methods used to steal your user IDs and passwords.

Unfortunately, aside from using strong, unique passwords, running anti-malware software, and being generally careful in one’s online activities, there’s not much an individual can do to protect oneself from these techniques. Most of the responsibility for protecting users is in the hands of the people who run the web sites that use your credentials. When they make mistakes, we all lose.

Actually, there is one sure-fire way to avoid these problems: just don’t use any online service that requires a password. Not too practical, but still better than getting rid of all your computers.

Oracle’s response to Java’s ongoing security woes

A May 30 post on Oracle’s Software Security Assurance blog reviews Oracle’s plans to improve Java’s security.

Step 1 was apparently making sure that Java conforms to Oracle’s software security policies. Without knowing the details, I can only wonder whether the new policies are better or worse than whatever policies were already in place for Java, and whether they are even a good fit for a project like Java. Is it possible that this transition contributed to the recent spate of problems?

Step 2 is to throw more money at Java. Oracle describes this as “increasing investments in Java overall by Oracle”.

Oracle has been working on improving their response time to critical vulnerabilities, which is commendable. They are gradually coming to realize that scheduled releases just don’t cut it for security issues. These days, vulnerability and exploit details propagate almost instantly, and waiting weeks or months for fixes is unacceptable.

Apparently the use of automated security testing tools has been expanded. Presumably from ‘not used consistently or even at all’ to ‘used on a sensible schedule’.

The article goes into a lot of detail about the general security improvements made in recent Java updates. Good stuff, but not news.

On a positive (and actually news-worthy) note, Oracle is working on further separating Java as it runs in web browsers from Java used in server environments. This and other changes will make distribution and administration a lot easier for IT folks. Server Java will also be hardened in ways that are not practical for web-based Java.

So, not much to see here, although it seems clear that Oracle knows that Java security is a serious problem and is at least making an effort to fix it.

InfoWorld proposes a design for the next version of Windows

It seems clear that Microsoft isn’t going to fix Windows 8 with Windows 8.1. The changes in 8.1 are trivial and do not address the major concerns about Windows 8.

InfoWorld has a solution: a new design for the next version of Windows, code-named Windows Red. This is a serious re-thinking of the design choices made by Microsoft and an attempt to rectify Windows 8’s problems.

All of InfoWorld’s changes make sense to me. It would be wonderful if Microsoft paid attention to this design and actually used some or all of it. But knowing Microsoft, they’ll ignore it completely.

InfoWorld also posted a useful followup with additional details on Windows Red.