Patch Tuesday for May 2017

Well, I was right. The announcement for May’s Patch Tuesday has almost exactly the same wording as last month’s. That’s because neither contains any useful information. No, it’s back to the new Security Update Guide, at least if you want to know what Microsoft wants to do to your computer this month.

According to my analysis of this month’s update information in the SUG, there are fifty distinct bulletins, affecting Flash, Internet Explorer, Edge, .NET, Office, and Windows. A total of fifty-six vulnerabilities are addressed. Fifteen of the vulnerabilities are categorized as Critical.

Today Microsoft also issued three advisories:

Vulnerability in Microsoft’s anti-malware software

All of Microsoft’s anti-malware software is based on a common core: MsMpEng, the Malware Protection service. That includes Microsoft Security Essentials, System Center Endpoint Protection, and Windows Defender. If your PC is running Windows, there’s a good chance that MsMpEng is running as well.

Which is bad, because Google’s Project Zero just discovered a vulnerability in Microsoft’s anti-malware engine that has the potential to provide almost unlimited access to any computer running MsMpEng. The vulnerability can be exploited in various ways, including via specially-crafted email that can do its damage without even being opened.

Project Zero’s analysis includes a proof of concept, and shows that the vulnerable component of MsMpEng is nscript, which analyzes any file or activity that appears to be JavaScript.

I just checked my Windows 8.1 test PC, and although Windows Defender is disabled, MsMpEng is running, describing itself as ‘Antimalware Service Executable’. On my Windows 7 test PC, I’ve installed Avast, which was supposed to have disabled Microsoft’s software; but again I see that MsMpEng is running.

If Windows Defender is disabled, why is MsMpEng running? If it’s disabled, is the computer still vulnerable to this exploit? I’d like to think that even though MsMpEng is running, it’s not actively analyzing file and network activity, in which case the vulnerability would be mitigated. But it’s difficult to know for sure.

In any case, Microsoft has issued an update, and since all of their various anti-malware offerings update themselves automatically, most Windows systems may already have the necessary fix in place. You can find out by checking your software’s ‘About’ information. For example, if you’re running Windows Defender for Windows 8.1, double-click the blue shield icon to open its interface, then click the small triangle next to Help and select About. In the About dialog, look for Engine Version; if it’s 1.1.13704.0 or later, it’s up to date.

Report from Ars Technica.

Firefox 53.0.2

Mozilla released Firefox 53.0.2 on May 5. The new version includes three bug fixes, one of them for a security vulnerability.

As usual, Mozilla did a lousy job of announcing the new version: in fact, they didn’t bother at all, apparently preferring to leave that job to others like the far more dependable CERT.

If you use Firefox, and you’re not sure which version you’re running, open its menu (click the ‘three horizontal lines’ icon at the top right), then click the question mark icon, then About Firefox. If an update is available, this should trigger it.

Chrome 58.0.3029.96

A single security fix is the only change mentioned in the release announcement for the latest version of Chrome.

The change log contains forty-one changes, of which about twenty-five are minor bug fixes.

Chrome is pretty good about updating itself, but since this version includes a security fix, you should probably make sure by checking: three-dot-menu > Help > About Google Chrome. This will usually trigger an update if one is required.

Support for original Windows 10 release ending on May 9

When Windows 10 was first released in July 2015, the version number assigned to it was 1507. (In case you haven’t noticed, those four digit version numbers Microsoft is using correspond to the year and month of the release.)

In keeping with Microsoft’s new policies, support for Windows 10 version 1507 will end on May 9, 2017. That means no more security updates, and an ever-increasing risk from security threats.

If you’re still running the initial release version of Windows 10, you might want to think about upgrading, or perhaps reverting to a less problematic O/S, like Windows 7 or Linux.

Chrome set to flag more sites as ‘Not Secure’

Google’s efforts to make the web a safer place include the recent addition of a Not Secure indicator in Chrome’s address bar for sites that are not using HTTPS encryption.

Up to this point, that indicator only appears when a web page includes boxes for entering passwords or credit card information. In the near future, Chrome will expand the conditions in which sites are flagged as Not Secure. In October, Chrome 62 will start flagging as Not Secure any unencrypted web page that includes any data entry boxes, and all unencrypted pages accessed while Chrome is in Incognito mode. Eventually, Chrome will flag all unencrypted pages as Not Secure.

If you use Chrome, you’ve probably noticed that it also flags encrypted sites as Secure. This is misleading, since all it means is that the site is using HTTPS encryption. It doesn’t imply that the site is safe to use, only that it is using an encrypted connection. A site flagged as Secure can still be dangerous to visit, for example if it contains malware. Wordfence’s Mark Maunder recently wrote about the danger of assuming Chrome’s Secure flag means ‘safe’.

Vivaldi 1.9

Vivaldi’s selection of search engine choices has a new member: Ecosia, which bills itself as “the search engine that plants trees with its ad revenue.” Sadly, it appears that Ecosia is very easy to manipulate, since searching for a nonsense word will show at least two ads trying to sell it to you.

Vivaldi 1.9 also fixes a few bugs, including several related to security. The release announcement provides additional details.

Joomla 3.7

WordPress is the current king of Content Management Systems, but there are others, including Joomla. Web sites built on popular CMS software are enticing targets for malicious hackers, because the people who manage such sites often lack the skills to keep them secure. Keeping a CMS-based site secure mainly involves keeping the CMS software up to date.

Joomla 3.7 — released yesterday — includes over 700 improvements, eight of which are related to security. Several of the security vulnerabilities addressed affect versions of Joomla going back to 1.5 and 2.5.

Joomla 1.0 through 2.5 are no longer supported. If you’re running a site that uses those older versions of Joomla, you should upgrade to 3.7 as soon as possible, as the site is otherwise likely to be hacked.

If you run a Joomla 3.x site, you should update it to 3.7 as soon as possible. If your site currently runs Joomla 3.6.x, it’s a single click update, so there’s no excuse not to do it.

Opera 44.0.2510.1449

Opera’s developers were quick to respond to the recent discovery that many of the major web browsers (including Firefox and Chrome) allow site addresses to be obfuscated using special Unicode characters. Opera 44.0.2510.1449 now shows any Unicode characters in the address bar using the corresponding two digit hexadecimal code, rather than the character itself. The obfuscation technique was being used in phishing schemes.

Opera 44.0.2510.1449 also includes fixes for a few more minor issues. The change log has all the details.
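
The same defence can be applied outside the browser, for example when screening links in mail or logs. The following is an added example, not code from Opera or from the original post: it converts a hostname to its ASCII `xn--` Punycode form (the standard ASCII encoding for internationalized names, assumed here to be the encoded display described above) and reports labels that mix scripts or read as Latin look-alikes. The look-alike table, the function names and the sample hostnames are constructed for illustration.

```python
import unicodedata

# Constructed, deliberately small map of Cyrillic letters that render like
# Latin ones; a production check would use the Unicode confusables data.
LOOKALIKES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0455": "s", "\u0458": "j", "\u04cf": "l",
})
NEUTRAL = {"DIGIT", "HYPHEN-MINUS"}  # characters shared by all scripts

def scripts_in(label):
    """Approximate the scripts in a label from Unicode character names."""
    names = (unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label)
    return {n for n in names if n not in NEUTRAL}

def to_ascii(label):
    """Return the ASCII (Punycode) form of one hostname label."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def analyze_host(host):
    """Return (ascii_host, findings) for a possibly internationalized host."""
    labels = host.lower().rstrip(".").split(".")
    findings = []
    for label in labels:
        if label.isascii():
            continue  # plain ASCII labels cannot hide foreign characters
        scripts = scripts_in(label)
        skeleton = label.translate(LOOKALIKES)
        if len(scripts) > 1:
            findings.append((label, "mixed scripts: " + "+".join(sorted(scripts))))
        elif skeleton.isascii():
            # Every character has a Latin twin: the whole label is a look-alike.
            findings.append((label, "reads as Latin '%s'" % skeleton))
    return ".".join(to_ascii(l) for l in labels), findings

# Constructed samples: a plain name, a legitimate IDN, an all-Cyrillic
# look-alike of "scope", and a Latin name containing one Cyrillic letter.
SAMPLES = ["example.com", "b\u00fccher.example",
           "\u0455\u0441\u043e\u0440\u0435.example", "ex\u0430mple.com"]

if __name__ == "__main__":
    for host in SAMPLES:
        print(host.encode("unicode_escape").decode(), *analyze_host(host))
```

A legitimate internationalized name such as the second sample is encoded but not flagged; only the last two samples produce findings.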
