On October 20, Oracle released Java 8 Update 65. Hours later, they apparently released Java 8 Update 66.
It looks like there may have been some kind of screw-up at Oracle, because the two versions seem to address many of the same issues. When I use the Java control panel to update to the most recent version, I end up with 8u65, and I’m never prompted to install 8u66. Presumably this confusion will be cleared up by Oracle in the next day or so.
Meanwhile, if you’re still using a web browser with Java enabled, you should install Java 8u65 as soon as you can. Java 8 Update 65 is Oracle’s October Critical Patch Update release for Java 8; it fixes a number of bugs, including security vulnerabilities.
Update 2015Nov05: According to a post on The Java Source, a Java blog maintained by Oracle, “Java SE 8u66 is a patch-set update, including all of 8u65 plus additional features.” If you want the new features, you’ll have to download and install 8u66 manually, because Java’s own internal updater won’t do it.
On October 15th, Mozilla slipped another Firefox version into production. Firefox 41.0.2 was released to address a single security issue, CVE-2015-7184. The bug is described in a post on the Mozilla security advisories site. The release notes for Firefox 41.0.2 don’t provide any additional detail. There was no new version announcement.
Yesterday, Adobe released an update for the recently-discovered Flash security vulnerability CVE-2015-7645. Kudos to Adobe for acting quickly to fix this bug, which is being actively exploited on the web.
The new version of Flash (19.0.0.226) addresses the CVE-2015-7645 vulnerability and two others. Additional details are available in the associated security bulletin. Other changes in this version of Flash are described in a post on the Flash runtime announcement site.
As usual, Internet Explorer on newer versions of Windows will get the new version of Flash via Windows Update, and Chrome will update itself via its own auto-updater.
If you’re still using Flash in a web browser, you need to install this update as soon as possible.
In the couple of months since the release of Windows 10, there have been plenty of reports of strange, unexpected, and unwanted behaviour on Windows 7 and 8.x computers. At least one high-profile writer dismissed these reports, but recanted after witnessing the behaviour themselves.
I ran into one such problem yesterday when I tried to install October’s Patch Tuesday updates on my Windows 7 computer. Although auto updates are disabled on that computer, I had previously decided to install all updates flagged as ‘Important’. The idea was to see what happened if I allowed Microsoft to push whatever they wanted to that computer, putting myself into the same situation as most typical users.
The first thing I noticed was the ‘Get Windows 10’ icon that started appearing in the notification area. At the time, I provided instructions for uninstalling the update that caused this icon to appear, and did that myself as well. But the icon – and the update that enables it – kept appearing. Even ‘hiding’ the update (KB3035583) in Windows Update could not prevent the damned thing from reappearing.
Fast forward to yesterday, and when I tried to install updates on that Windows 7 PC, I was able to check for updates, and see the pending updates, but there was no way to install them! Instead, all I could see was a panel urging me to upgrade to Windows 10 and a ‘Get Started’ button.
I followed the procedures in the KB3080351 article, and sure enough all the upgrade prompts vanished, the KB3035583 update stopped reappearing, and Windows Update once again allowed me to install updates.
Anyone using Windows 7 or 8.x who is seeing any of this unwanted and unwelcome behaviour is urged to follow the instructions in the KB3080351 article. If you’re unwilling or unable to do so yourself, ask your friendly local support person to do it.
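For anyone who would rather script the fix than click through it, here is an added example (not from the original post, and not Microsoft’s own script) that applies the two policy values KB3080351 documented at the time (DisableGwx and DisableOSUpgrade), uninstalls KB3035583 if it is present, and hides it in Windows Update so it is not offered again. It assumes a Windows 7 or 8.1 machine, an elevated PowerShell prompt, and that the KB article still lists the same values; check the article before running it.

```powershell
# Added example, not from the original post or from Microsoft.
# Stops the 'Get Windows 10' prompts on Windows 7/8.1 by applying the registry
# policies documented in KB3080351, then removes and hides KB3035583 (the
# update that installs the GWX notification app). Run from an elevated prompt.

$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell prompt.'
}

# 1. Policy values from KB3080351 (assumed current; verify against the article).
#    DisableGwx hides the notification app; DisableOSUpgrade blocks the upgrade
#    offer in Windows Update itself.
$settings = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Gwx';           Name = 'DisableGwx';       Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'; Name = 'DisableOSUpgrade'; Value = 1 }
)
foreach ($s in $settings) {
    if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
    New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -PropertyType DWord -Force | Out-Null
}

# 2. Uninstall KB3035583 if it is installed. wusa.exe exits 0 on success;
#    any other code is reported so it can be investigated rather than ignored.
if (Get-HotFix -Id 'KB3035583' -ErrorAction SilentlyContinue) {
    $proc = Start-Process -FilePath 'wusa.exe' `
        -ArgumentList '/uninstall', '/kb:3035583', '/quiet', '/norestart' -Wait -PassThru
    Write-Output ("wusa exit code for KB3035583 uninstall: {0}" -f $proc.ExitCode)
}

# 3. Hide KB3035583 through the Windows Update Agent COM API so Windows Update
#    stops re-offering it. The search string uses the WUA search syntax.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
foreach ($update in $result.Updates) {
    foreach ($kb in $update.KBArticleIDs) {
        if ($kb -eq '3035583') {
            $update.IsHidden = $true
            Write-Output ("Hidden in Windows Update: {0}" -f $update.Title)
        }
    }
}

# 4. Read the policy values back so the change can be audited.
foreach ($s in $settings) {
    $v = (Get-ItemProperty -Path $s.Path -Name $s.Name).$($s.Name)
    Write-Output ("{0}\{1} = {2}" -f $s.Path, $s.Name, $v)
}
```

Step 3 is the part the ‘hide’ checkbox in the Windows Update UI does not reliably achieve on its own, as the post describes; setting the policy values first is what keeps the update from being re-published to the machine.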
Meanwhile, a message to Microsoft: are you serious? Are you so eager to push everyone to Windows 10 that you are now literally trying to trick or even force users to upgrade? This is not acceptable. You need to back off from this or the backlash is going to get serious. There is already discussion around the idea of a class action lawsuit.
Security researchers at Trend Micro have identified a new Flash exploit being used in targeted attacks against various government agencies. The exploit takes advantage of a previously unknown vulnerability in all versions of Flash, including the most recent, 19.0.0.207. It seems likely that the exploit will be used more widely in the near future.
Adobe quickly confirmed the vulnerability and announced in a security bulletin that a patch will be made available sometime next week.
At this point one wonders whether there’s any code left in Flash that hasn’t been afflicted with security vulnerabilities at some point.
As always, if you can possibly live without Flash enabled in your browser, just disable it. If you need to use it, your best option is to configure your browser to always ask before displaying Flash content.
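The ‘always ask before displaying Flash content’ setting is click-to-play. The following is an added example (not from the original post, and not from Adobe, Google or Mozilla) that turns it on for Chrome and Firefox on Windows: Chrome through its DefaultPluginsSetting policy, Firefox through a user.js in each profile. It assumes default profile locations and an elevated prompt for the HKLM policy key; Internet Explorer has no single equivalent setting and is not covered.

```powershell
# Added example, not from the original post.
# Makes Flash click-to-play (ask before running) in Chrome and Firefox, so an
# exploit page cannot auto-run Flash content. Run from an elevated prompt
# because the Chrome policy lives under HKLM.

$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell prompt.'
}

# --- Chrome: DefaultPluginsSetting policy. 1 = allow, 2 = block, 3 = click to play.
$chromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
if (-not (Test-Path $chromePolicy)) { New-Item -Path $chromePolicy -Force | Out-Null }
New-ItemProperty -Path $chromePolicy -Name 'DefaultPluginsSetting' -Value 3 -PropertyType DWord -Force | Out-Null
Write-Output ("Chrome DefaultPluginsSetting = {0}" -f (Get-ItemProperty -Path $chromePolicy).DefaultPluginsSetting)

# --- Firefox: plugin.state.flash pref. 0 = never activate, 1 = ask to activate, 2 = always.
# user.js is applied at every startup and overrides prefs.js, so the setting
# survives Firefox updates and accidental changes in the Add-ons manager.
$flashPref   = 'user_pref("plugin.state.flash", 1);'
$profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'   # assumed default location
$profiles    = Get-ChildItem -Path $profileRoot -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer }
foreach ($p in $profiles) {
    $userJs = Join-Path $p.FullName 'user.js'
    if ((Test-Path $userJs) -and (Select-String -Path $userJs -Pattern 'plugin\.state\.flash' -Quiet)) {
        # Replace an existing line rather than appending a duplicate that would win on the last-read basis.
        (Get-Content $userJs) -replace 'user_pref\("plugin\.state\.flash",\s*\d\);', $flashPref | Set-Content $userJs
    } else {
        Add-Content -Path $userJs -Value $flashPref
    }
    Write-Output ("Firefox profile {0}: plugin.state.flash = 1 (ask to activate)" -f $p.Name)
}
```

After running it, Chrome shows a grey placeholder that must be clicked before Flash runs, and Firefox shows its ‘Activate Adobe Flash’ prompt; neither runs Flash content silently, which is exactly the behaviour that blunts a drive-by exploit such as the one described above.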
Chrome 46.0.2490.71 includes fixes for a variety of issues, including at least 24 security vulnerabilities.
As usual, the details are buried in the rather technical change log. Go ahead and take a look, but set aside several hours, because that log is 245,986 lines long. That’s not a typo. I started reading the log, and after scrolling down about 20 pages, I noticed that my browser’s scrollbar hadn’t even moved. There may be some interesting stuff in there, but life’s too short to read that monstrosity.
It’s a relatively light month for Microsoft, with only six bulletins, and associated updates affecting Windows, Windows Server, Internet Explorer, Office, and the new Windows 10 browser Edge. Three of the bulletins are flagged as Critical. The bulletin summary has all the details, and it includes a link to Microsoft’s Security Advisories page for 2015, which may be of some interest.
Meanwhile, Adobe’s contribution to this month’s patch pile is more updates for Flash and Reader/Acrobat. The new version of Flash is 19.0.0.207, and it addresses thirteen vulnerabilities. The release notes get into the details of what was changed, which includes a few bug fixes unrelated to security. As always, Chrome will update itself and Internet Explorer on newer versions of Windows will get the new Flash via Windows Update.
The newest versions of Adobe Reader are 11.0.13 for Reader XI, and 2015.009.20069 for Acrobat Reader DC. At least fifty-six vulnerabilities are addressed in these updates. Check out the related security bulletin for additional information.
This month’s Flash updates prompted Brian Krebs to take another look at Adobe Shockwave. He found that even the most recent versions of Shockwave still contain very out of date versions of Flash, and strongly recommends that you remove Shockwave from all your computers.
A series of exploits against the Imgur and 8chan sites caused little damage, despite their enormous potential. The true goals of the hack are still in question, and the associated vulnerabilities on the affected sites have been fixed.
A researcher discovered several serious vulnerabilities in popular security software from Kaspersky Labs. While there’s no evidence of exploits in the wild, this is rather alarming. Anti-malware software typically has access to core system functionality, making working exploits very valuable to attackers. Kaspersky Labs acted quickly to fix the bugs, but this isn’t the first time security software has been found vulnerable, and likely won’t be the last.
A new botnet called Xor.DDoS is using compromised Linux computers to perform DDoS attacks against a variety of web sites, probably at the request of paying customers. The Linux computers hosting the botnet appear to have been compromised via weak root passwords. So far, most of the targets are in Asia. This marks a shift in platform for botnet developers, who have historically focused mostly on Windows.
Unfortunately, the post does little to address actual concerns, instead making a lot of vague promises about not using your data to target ads “Unlike some other platforms” (a clear reference to Google reading your GMail communication to target ads).
For example, there’s nothing about Windows 10’s persistent and frequent communication with Microsoft servers, even when privacy-compromising settings are disabled.
A strange – and possibly harmful – update started being delivered to Windows computers yesterday. Early speculation ranged from problems with the Windows Update infrastructure to the service being compromised by attackers.
Microsoft eventually weighed in, saying that the update was part of a test, and that it was never intended to end up on user computers.
Apparently the update was installed on some Windows 7 computers, at least one of which was rendered nearly inoperable, according to the user.
Presumably there will be additional follow-up from Microsoft. This is the kind of problem that makes people (including myself) justifiably nervous about the forced automatic updates in Windows 10.