Mozilla released a new version of Firefox today. Version 19.0.2 fixes one security vulnerability.
As usual, the release notes and complete list of changes for this release are a mixture of old and new information, making the job of figuring out what has actually changed needlessly difficult.
Yesterday, Google announced a new version of its web browser, Chrome. The new version fixes one security vulnerability.
As you’re no doubt well aware, Oracle has been churning out a lot of security updates for Java lately. They’ve also been adding security features, such as the new security settings options. And that’s a good thing.
Except that the security settings don’t actually work the way they’re supposed to. There’s an implicit assumption that ‘trusted’ Java applications – those with valid certificates – should be allowed to do whatever they want. Which would be fine, if certificate status was always reliable. But it’s not. A new vulnerability discovered by security researchers at Avast grants valid status to clearly invalid certificates.
So, the usual advice still applies: disable Java in your web browser unless you absolutely need it. If you need it, consider setting aside one browser just for use with Java, and limit your use of that browser.
Is Oracle losing ground in this battle? Sure feels like it.
Even before Windows 8 was released, you could find third party tools for resurrecting the missing Start menu. New software from Stardock goes even further in eliminating inexplicable Windows 8 behavior.
It’s called ModernMix, and its most notable feature brings back the ability to show applications in multiple windows concurrently. Apparently much of the underlying functionality was there in Windows 8 all along, and ModernMix just makes it possible to access the hidden goodies.
I knew eventually the world would hammer the Windows 8 mess into something usable. Attaboy, Stardock. ModernMix is currently priced at $4.99.
A few days ago, I reported Microsoft’s new policy of limiting Office installs to one computer forever. Apparently Microsoft heard the angry noise coming from the Internet, since they have now relented. You’re now allowed to transfer your Office license to another PC, although only every 90 days (except, apparently, in emergencies). No word on where they pulled that 90 from, but you can guess.
And just like that, another new version of Java. Version 7 update 17 (what happened to update 16?) includes fixes for some serious security vulnerabilities, as outlined in the associated security alert.
You’ll forgive me for not trusting Oracle’s word on whether any particular vulnerability has truly been fixed. I’ll defer to Adam Gowdiak and other security researchers for the final judgment. Certainly 7u17 is the latest version of Java, and it presumably fixes some of the holes in 7u15, so anyone using Java – especially in their browser – should install it ASAP. But I’m going to leave Java 7u17 flagged as possibly vulnerable.
Another new version of Google’s web browser was announced today. Version 25.0.1364.152 includes fixes for several security vulnerabilities.
Since Flash isn’t mentioned in the release notes, presumably the version of Flash included in the new version is still 11.6.602.171. Let’s see… okay, I just updated Chrome to 25.0.1364.152, and the integrated Flash is definitely still 11.6.602.171.
A few days ago, Adam Gowdiak of Security Explorations discovered vulnerabilities in the most recent version of Java, 7u15.
Oracle’s response was to deny that the problem existed. So Adam got to work, testing Java 7u15 in more detail, and checking his results against the published Java documentation. He was able to confirm that his original report was legitimate, and he also found five more new vulnerabilities along the way. All of this information has been passed on to Oracle. Will they believe him this time? I’m betting yes.
The hits just keep on coming for Java. As fast as Oracle/Sun plugs (or tries, but fails to plug) one hole, another is discovered by independent security researchers.
This time, it’s the security research team at FireEye that have found vulnerabilities in the latest Java, version 7u15, as well as the most recent 6-series version (6u41).
Making matters worse, the new vulnerability is being actively exploited in the wild: a remote access trojan is being installed on affected computers.
In other words, even if you have the latest version of Java, you can be hit by this exploit. As always, if you don’t actually need Java enabled in your browser, disable it. If that’s not an option, be extremely wary of browsing web sites that you don’t know for sure are safe.
A few days ago, I posed a series of questions about Flash in Chrome. Since then, I’ve done some digging, and I’m now able to answer most of those questions.
boot13