Chrome 54.0.2840.99 fixes about ten bugs, including four related to security. If you use Chrome, make sure it’s up to date: click the ‘three vertical dots’ menu button at the top right, then click Help > About to check. This will also trigger an update if it hasn’t happened already.
The full change log has additional details.
A new version of Opera fixes a few minor bugs and includes an upgrade to the Chromium browser engine. No new security fixes are included, so there’s no rush to install it.
It’s Patch Tuesday, albeit a slightly more interesting one than usual. Patches we have, from both Microsoft and Adobe. More about that later.
Microsoft wants to simplify the way security update information is presented to the public. To that end, they’ve created a new ‘starting page’ of sorts, called the Security Updates Guide. The idea is that anyone should be able to find the information they need by starting here. Most of the links on the new page actually go to existing TechNet pages. It’s definitely worth checking out.
Among the updates from Microsoft this month is a fix for the Windows vulnerability recently reported by Google. You may recall that Microsoft was rather annoyed with Google for making the vulnerability public according to their own rules (sooner than Microsoft wanted). Microsoft did credit Neel Mehta and Billy Leonard of Google’s Threat Analysis Group for their assistance.
There are fourteen bulletins from Microsoft this month. The associated updates address seventy-five vulnerabilities in Windows, Edge, Office, and Internet Explorer.
Adobe’s monthly contribution to the festivities is a new version of Flash, 23.0.0.207. A release announcement provides an overview of the changes, while the associated security bulletin provides some background about the nine vulnerabilities addressed.
When Microsoft releases a new version of Windows 10, it’s delivered in the form of a bandwidth-annihilating all-inclusive package. Windows 10 basically downloads a new copy of itself. Most Windows 10 users also don’t have much control over whether and when these massive updates occur.
Earlier this week, Microsoft publicly admitted that this arrangement is perhaps not ideal, and announced upcoming changes that will make the Windows 10 upgrade system less awful. Users will be given slightly more choice for scheduling upgrades, and the updates will only include what’s actually changed in the O/S, making them significantly smaller.
What’s really weird is the way that Microsoft is portraying these changes, as if they’ve discovered something new. Sorry, Microsoft. The rest of the world already knew that limiting update packages to what’s actually changed is a good idea.
Microsoft’s big Windows 10 giveaway is over, and with it, interest in the new operating system. The latest numbers from netmarketshare.com show that growth in the number of Windows 10 devices has slowed to a crawl. Windows 7 growth in the last month or so is actually higher than for Windows 10.
To see the numbers on netmarketshare.com, select Operating Systems > Desktop Share by Version from the drop-down lists under Market Share Reports.
Thanks to Microsoft’s rules, it’s no longer possible to buy a new PC with any version of Windows other than 10. But Windows 7 and 8.1 are still available, so if you don’t mind installing Windows from scratch, you still have options.
Windows 7 will continue to receive support – and security updates – from Microsoft until January 14, 2020. Windows 8 will be supported until January 10, 2023. See the official Windows lifecycle fact sheet for details.
Google’s Threat Analysis Group recently discovered critical flaws in Flash and Windows that could allow an attacker to bypass Windows security mechanisms. Attacks based on these flaws have already been observed in the wild.
The flaw in Flash was fixed immediately by Oracle; hence the out-of-cycle Flash update on October 26. But Microsoft decided to delay the corresponding Windows fix until next Patch Tuesday (November 8), and is now rather annoyed with Google for reporting the vulnerability publicly. Google was following its own rules for vulnerability disclosure, but such rules differ widely between organizations. In any case, Microsoft would have been happier if Google had waited a bit longer before spilling the beans.
According to Google’s announcement, Chrome 54.0.2840.87 fixes at least one security issue. The change log lists forty-seven changes, none of which look particularly interesting or important. Still, this is a security fix, so you should make sure that Chrome has updated itself – if you use it.
Normally Adobe releases Flash updates on Patch Tuesday, but when there’s a critical security vulnerability they will release an ‘out of cycle’ fix. That’s what happened with Flash 23.0.0.205, which was released on October 26 to address a single vulnerability: CVE-2016-7855 (details pending).
Anyone who uses Flash in a web browser should update Flash as soon as possible. If you’re not sure whether you’re running the latest Flash, go to the About Flash page on the Adobe web site.
As always, Internet Explorer and Edge will get updates to their embedded Flash via Windows Update (bulletin MS16-128), and Chrome will update itself automatically. Still, it’s a good idea to make sure by visiting the About Flash page.
A litany of abuse and incompetence has prompted Mozilla to completely distrust security certificates from Certificate Authority (CA) WoSign in Firefox.
Starting with Firefox 51, the browser will no longer trust WoSign or StartCom certificates. According to Mozilla: “If you receive a certificate from one of these two CAs after October 21, 2016, your certificate will not validate in Mozilla products such as Firefox 51 and later, until these CAs provide new root certificates with different Subject Distinguished Names, and you manually import the root certificate that your certificate chains up to. Consumers of your website will also have to manually import the new root certificate until it is included by default in Mozilla’s root store.”
WoSign/StartCom can dig themselves out of this hole by applying for inclusion of new (replacement) root certificates, and there’s little doubt that they will pursue this course. But should anyone really trust their security and privacy to this company? I sure won’t, especially when there are excellent free alternatives like Let’s Encrypt.
Mozilla has been tracking WoSign’s failures since the beginning of 2015, recording their observations on their corporate wiki site.
The most recent example of WoSign’s failings stems from their acquisition of CA StartCom in November of 2015. WoSign failed to disclose the acquisition, then lied about it.
On a related note, Mozilla will also no longer accept audits performed by the consulting firm Ernst and Young (Hong Kong). That’s the company that failed to catch several of WoSign’s worst abuses. This is personally amusing to me, since I’ve had dealings with Ernst and Young that were somewhat less than positive.
Update 2016Nov01: Google is following Mozilla’s lead and removing trust for WoSign and StartCom certificates in Chrome, starting with Chrome 56.
Joomla 3.6.4, released on October 25, addresses two critical security vulnerabilities that could allow an attacker to gain control of a Joomla-based web site.
Like WordPress, Joomla forms the basis of numerous web sites, because it’s easy to set up and manage. Its popularity and ease of use have of course also made Joomla a target for malicious hackers, who know that many Joomla sites are not kept up to date by their inexperienced owners.
If you manage a Joomla 3+ web site, please install this update as soon as possible. It’s very likely that attackers are already searching the web for vulnerable sites. Unless of course you want your site to be part of a botnet (which may sound cool, but really isn’t).
boot13