Security updates for QuickTime on Windows 7 and Vista

I don’t usually post about Apple software, but the QuickTime Player is installed on many Windows computers, so it falls into a kind of grey area.

Apple recently released an update for QuickTime to address at least nine vulnerabilities it exposes on Windows 7 and Vista computers. Anyone who uses QuickTime on Windows 7 or Vista should install the new version of QuickTime as soon as possible.

I no longer have QuickTime installed on my main computer. Downloaded QuickTime media files play in a combination of VLC and Windows Media Player. There’s no QuickTime player plugin in my main web browser, either, but I don’t really mind not being able to see QuickTime media embedded in web pages. If I really need to see that content, I can always download it.

If you’re not sure whether you have QuickTime installed, or want to find out how QuickTime media is played on your computer, you can try playing these QuickTime sample media files.

Shockwave 12.1.9.160 released

There’s a new version of Adobe’s Shockwave Player. It’s not clear when the new version appeared, since there was no official announcement. There’s nothing at all on the release notes page, other than the fact that the most recent version of Shockwave is 12.1.9.160.

You can download the new version from the main Shockwave page, which also shows the most recent version as 12.1.9.160. You can check what version of Shockwave is installed (if any) on your computer at the Shockwave Help page.

Emergency patch for Internet Explorer

Earlier today, Microsoft issued a special update (MS15-093) to address a critical vulnerability in all versions of Internet Explorer. The new Edge browser is not affected.

Normally, security updates for IE are provided on monthly Patch Tuesdays. Since Microsoft is making this update available outside the regular update cycle, we can assume that exploits for the vulnerability have been observed in the wild.

The vulnerability is a bad one. Merely visiting a specially-crafted web page with Internet Explorer can cause malicious code to execute, leading to the possibility of an attacker installing just about any kind of software or accessing any information on the affected Windows computer.

If you use Internet Explorer, please use Windows Update to install this patch as soon as possible.

WordPress 4.3 released

There are big improvements to password handling in the newest version of WordPress:

You start out with a strong password by default and you are given the option to keep it or choose your own. A password strength meter is available as well as the option to hide your password from prying eyes. WordPress will no longer send passwords via email and the password reset links will expire in 24 hours. E-mail notifications will be sent out in the event that an e-mail or password is changed.

The release notes for WordPress 4.3 list other changes. There are no security vulnerability fixes in this version, so updating is not urgent, but the password-related changes alone are worth the trouble.

Chrome 44.0.2403.155 released

Chrome updates now happen so frequently, and they so rarely cause problems, that I no longer have any qualms about the browser’s auto-update mechanism. Of course, if a Chrome update makes the browser unusable, I can use another browser for however long it takes Google to fix it, which would not be the case for a bad Windows update.

The release announcement for Chrome 44.0.2403.155 doesn’t provide any details, which is starting to become the norm, sadly. And Google was doing so well with this…

Parsing the change log reveals that the new version contains fixes for a few minor issues, including at least one related to stability.

Firefox 40 improves add-on security

The newest Firefox is version 40, and as usual there was no proper announcement. There’s a post on the Mozilla blog that gets into the details of version 40’s security improvements, but it never mentions the version. The release notes provide additional details. Here are some of the more notable changes:

  • Improvements to Windows 10 support, including workarounds for the way Microsoft messes up default browser settings
  • Add-on certification: non-certified add-ons will be disabled by default
  • Improvements to visual style: for example, the ‘close’ button on tabs is now larger
  • Expanded malware protection, which warns users about to visit sites that are flagged by Google’s Safe Browsing Service
  • Smoother animation and scrolling for Windows
  • Improvements to JPEG image handling
  • At least fourteen security fixes

Patch Tuesday for August

Ah, Patch Tuesday. Of all the tasks we have to perform, there’s nothing quite like it: it’s both tedious and critically important. I’m starting to consider enabling automatic updates, but given Murphy’s Law, no doubt the moment I do that, Microsoft will issue a catastrophic update.

This month we have fourteen updates from Microsoft, affecting the usual culprits (Windows, Internet Explorer, Office, Silverlight, .NET), plus a few new ones: Lync and Edge, the new web browser in Windows 10. Four of the updates are flagged as critical. The updates address a total of 58 vulnerabilities. The update for Silverlight brings its version to 5.1.40728.0. Several of the updates apply to Windows 10. One of the updates addresses a nasty bug that could allow an attacker to execute malicious code from a USB thumb drive.

Adobe is once again tagging along this month, releasing a new version of Flash (18.0.0.232) that addresses a whopping thirty-four vulnerabilities. Needless to say, you should install the new version as soon as possible if you still use Flash in any web browser. Internet Explorer 10 and 11 in Windows 8.x will receive the Flash update via Windows Update, as will the new Edge browser in Windows 10. Chrome will update itself to use the new version.
