Firefox 40 improves add-on security

The newest Firefox is version 40, and as usual there was no proper announcement. There’s a post on the Mozilla blog that gets into the details of version 40’s security improvements, but it never mentions the version. The release notes provide additional details. Here are some of the more notable changes:

  • Improvements to Windows 10 support, including workarounds for the way Microsoft messes up default browser settings
  • Add-on certification: non-certified add-ons will be disabled by default
  • Improvements to visual style: for example, the ‘close’ button on tabs is now larger
  • Expanded malware protection, which warns users about to visit sites that are flagged by Google’s Safe Browsing Service
  • Smoother animation and scrolling for Windows
  • Improvements to JPEG image handling
  • At least fourteen security fixes

Patch Tuesday for August

Ah, Patch Tuesday. Of all the tasks we have to perform, there’s nothing quite like it: it’s both tedious and critically important. I’m starting to consider enabling automatic updates, but given Murphy’s Law, no doubt the moment I do that, Microsoft will issue a catastrophic update.

This month we have fourteen updates from Microsoft, affecting the usual culprits (Windows, Internet Explorer, Office, Silverlight, .NET), plus a few new ones: Lync and Edge, the new web browser in Windows 10. Four of the updates are flagged as critical. The updates address a total of 58 vulnerabilities. The update for Silverlight brings its version to 5.1.40728.0. Several of the updates apply to Windows 10. One of the updates addresses a nasty bug that could allow an attacker to execute malicious code from a USB thumb drive.

Adobe is once again tagging along this month, releasing a new version of Flash (18.0.0.232) that addresses a whopping thirty-four vulnerabilities. Needless to say, you should install the new version as soon as possible if you still use Flash in any web browser. Internet Explorer 10 and 11 in Windows 8.x will receive the Flash update via Windows Update, as will the new Edge browser in Windows 10. Chrome will update itself to use the new version.

Critical vulnerability in Firefox’s PDF viewer

Firefox has had its own internal PDF viewer for a while now, and it’s enabled by default. When you click on a PDF file link in Firefox, it will do one of the following: a) open with Firefox’s internal viewer; b) open with a PDF viewer plugin such as Adobe’s Reader plugin; or c) download and open with an external viewer. Unfortunately, PDF files can also be embedded on web pages, in which case there’s no need to click on anything to view them; merely visiting a web site with an embedded PDF will show the file’s contents. Worse still, some advertising platforms serve ads in the form of PDF files.

Now comes news that a newly-discovered vulnerability in Firefox’s internal PDF viewer is being actively exploited on at least one advertising network, and that malware-containing PDF ads were recently observed on a Russian news site.

Mozilla confirmed the bug and quickly released Firefox 39.0.3 to address it. All users are strongly encouraged to update Firefox as soon as possible.

But there’s more bad news. There’s no way to know whether this vulnerability has been exploited elsewhere on the web. There’s no reason to assume that only one Russian news site was affected, or that infected ads haven’t already appeared on other ad networks and web sites. If you use Firefox with the internal PDF viewer enabled, there’s a chance your computer ran a malicious script at some point. If you run a script blocker like NoScript, and you haven’t altered its default behaviour, you were probably protected.

The only known instance of a malicious script that exploits this vulnerability looks for configuration files related to Subversion, Pidgin, FileZilla, and other FTP applications on Windows systems. If you have any passwords stored in these configuration files, you should consider changing those passwords.

You might also want to consider disabling Firefox’s built-in PDF viewer. To do that, enter ‘about:config’ in the address bar. You’ll see a warning; confirm that you want to proceed by clicking the “I’ll be careful” button. In the Search box, enter ‘pdfjs.disabled’. One setting should appear in the list below. If the setting is currently ‘false’, double-click it to change it to ‘true’. This will prevent embedded PDFs from being shown on web pages.
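The about:config steps above change one preference, ‘pdfjs.disabled’, which Firefox records in the profile’s prefs.js (and which can be pinned in user.js, since Firefox re-applies user.js on every startup and its values override prefs.js). The following script is an added example, not part of the original post or of Mozilla’s code: it parses those files and reports whether the built-in viewer is disabled, so you can check every profile on a machine without opening each one in the browser. The profile directory path is assumed to be passed on the command line; the sample prefs.js text is constructed for illustration.

```python
import re
import sys
from pathlib import Path

# A preference line in prefs.js / user.js looks like:
#   user_pref("pdfjs.disabled", true);
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# The exact line to append to user.js to keep the viewer disabled across restarts.
USER_JS_LINE = 'user_pref("pdfjs.disabled", true);'


def _coerce(raw):
    """Turn the JavaScript literal Firefox writes into a Python value."""
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw  # leave anything unusual as text rather than guessing


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref() line; comments are skipped."""
    prefs = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("//", "/*", "*")):
            continue
        match = _PREF_RE.match(stripped)
        if match:
            prefs[match.group(1)] = _coerce(match.group(2))
    return prefs


def pdf_viewer_disabled(prefs):
    """Firefox ships with pdfjs.disabled = false, so a missing pref means the viewer is ON."""
    return prefs.get("pdfjs.disabled") is True


def merge_pref_texts(prefs_js_text, user_js_text):
    """Combine both files the way Firefox does at startup: user.js wins over prefs.js."""
    merged = parse_prefs(prefs_js_text)
    merged.update(parse_prefs(user_js_text))
    return merged


def audit_profile(profile_dir):
    """True if the built-in PDF viewer is disabled for the given Firefox profile directory."""
    texts = []
    for name in ("prefs.js", "user.js"):
        path = Path(profile_dir) / name
        texts.append(path.read_text(encoding="utf-8", errors="replace") if path.is_file() else "")
    return pdf_viewer_disabled(merge_pref_texts(*texts))


# Constructed sample of a prefs.js file (not taken from any real profile).
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
// DO NOT EDIT THIS FILE.
user_pref("app.update.lastUpdateTime.background-update-timer", 1439312000);
user_pref("browser.startup.homepage", "https://example.com/");
user_pref("pdfjs.disabled", false);
"""


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: check_pdfjs.py <firefox-profile-directory>")
        sys.exit(2)
    disabled = audit_profile(sys.argv[1])
    print("built-in PDF viewer is", "DISABLED" if disabled else "ENABLED")
    if not disabled:
        print("to pin it off, append this line to user.js in the profile:", USER_JS_LINE)
```

Run it once per profile directory (on Windows these live under %APPDATA%\Mozilla\Firefox\Profiles). The check treats an absent preference as ‘viewer enabled’, which matches Firefox’s shipped default.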

Windows 10 DVD player is $15

There’s no ‘Media Center’ edition of Windows 10, and there’s no DVD player software included with Windows 10. Now comes word that you can purchase the Windows 10 DVD player from the Windows Store for $14.99. If you’re considering doing this, please don’t. Instead, download and install the excellent, freeware VLC Player, which aside from being able to play just about any media you can throw at it, can also play DVDs.

Update 2015Aug11: Apparently, if you upgrade from a Media Center version of Windows to Windows 10, you are warned about the features you’re about to lose. Better still, you will apparently be credited with a free copy of the Windows 10 DVD player, so you should be able to install it from the Windows Store for free.

WordPress 4.2.4 security release

The latest WordPress release resolves several security issues, including an SQL injection that could be used to compromise a site.

The WordPress 4.2.4 release notes have additional details.

WordPress sites with the auto-update mechanism enabled should be updated automatically in the next day or so, but if you don’t want to wait, you can install the update manually from the site’s dashboard.

July security roundup

Flash improvements

Adobe is trying desperately to keep Flash viable. In July, they announced structural changes that are expected to strengthen Flash’s overall security. The changes are so far only available in the most recent versions of Chrome, but they are expected to find their way into the other major browsers in August.

Asprox botnet status

There’s an interesting (though technical) overview of recent changes in the behaviour of the Asprox botnet over on the SANS Handler’s Diary. Apparently the botnet is no longer sending malware attachments, and is instead sending pornography and diet-related spam. Comparing my inbox contents with the samples in the linked article, it looks like most of the spam I currently receive is thanks to Asprox. Hopefully Asprox will be targeted by the anti-botnet heavy hitters in the near future.

Flaw in BIND could cause widespread issues

BIND is one of the most common pieces of software on Internet-facing servers. It translates human-readable addresses like ‘boot13.com’ into IP addresses. A bug in version 9 of BIND causes it to crash when a specially-crafted packet is sent to it. Attackers could exploit this bug to execute an effective Denial of Service (DoS) attack against a server running BIND9. Patches have been created and distributed, but any remaining unpatched servers are likely to be identified and attacked in the coming months. Update 2015Aug05: As expected, this bug is now being actively exploited.

Mobile versions of IE are vulnerable

Current, patched versions of Internet Explorer running on mobile devices were recently reported to have four flaws that could allow attackers to run code remotely. Exploits were published, although none have yet been seen in the wild. The vulnerabilities were disclosed by the HP/TippingPoint researchers who discovered them, six months after they privately reported them to Microsoft. Microsoft has yet to patch these vulnerabilities; they apparently feel that the vulnerabilities are too difficult to exploit to be dangerous.

Stagefright vulnerability on Android devices

A flaw in Stagefright, a core Android software library that processes certain types of media, makes almost all Android phones and tablets vulnerable. The flaw can be exploited as easily as sending a specially-crafted text (MMS) message to a phone, but also by tricking the user into visiting a specific web site. Successful attackers can then access user data and execute code remotely. Unfortunately for users, it’s up to individual manufacturers to develop and provide patches, and this process may take months in some cases. There’s not much users can do to mitigate this problem until patches arrive. Update 2015Aug05: Google is working with its partners to push updates to affected mobile devices.

Mediaserver vulnerability on Android devices

More bad news for Android users: the mediaserver service apparently has difficulty processing MKV media files, and can render a device unusable when it encounters one on a malicious web site. In most cases, the device can be brought back to life by powering it down and back up again.

Android spyware toolkit widely available

And the hits just keep on coming for Android devices. Among the information revealed in the recent Hacking Team breach was the source code for an advanced Android spyware toolkit called RCSAndroid. Like everything else taken from Hacking Team’s systems, this has now been published, and no doubt malicious persons are working on ways to use the toolkit. There’s no easy way to protect yourself from this toolkit, aside from keeping your device up to date with patches. From Trend Micro: “Mobile users are called on to be on top of this news and be on guard for signs of monitoring. Some indicators may come in the form of peculiar behavior such as unexpected rebooting, finding unfamiliar apps installed, or instant messaging apps suddenly freezing.”

Windows 10 lands

You can now download the release version of Windows 10 directly from Microsoft. The tools on that page allow you to upgrade the computer you’re using, or to create bootable disc or thumb drive images, which can then be used to install Windows 10 from scratch on another computer. Both the Home and Pro versions are available, in 32 and 64 bit form.

If you’re running Windows 7 or 8.x, and you choose to perform an upgrade from the site linked above, you’ll get the Home version if you’re currently running one of the Home variants, and Pro otherwise.

It’s still not completely clear what happens when you don’t have a legitimate Windows 7 or 8.x license. At some point, you’ll be asked to enter a license key, and without one, presumably Windows 10 will stop functioning or suffer from reduced functionality. The same goes for in-place upgrades; as Microsoft has said, if you have a non-valid install of Windows 7 or 8.x and upgrade it to Windows 10, it will continue to be non-valid, with all that entails.

Update: My Windows 10 test computer is running whatever version is being provided via the Windows Insider program. It looks like the final release version, and has the build number Microsoft planned to use for the release: 10240. Because I joined the Windows Insider program (which involved having updates pushed to the computer regularly, and being asked to provide ratings and feedback), I’m now running Windows 10 Pro on a computer that previously ran Windows XP, and it didn’t cost anything, and it’s completely legit. Of course, if I ever want to stop logging in to Windows 10 with my Microsoft ID, I’ll have to purchase a Windows 10 license.

We’re finally running out of IP addresses

Some of you may remember dire predictions, years ago, that the Internet would soon run out of IP addresses. These predictions turned out to be somewhat early. A variety of factors combined to decrease the rate at which new address blocks were required. Still, it was clear that the limit would be reached, so the Internet Engineering Task Force (IETF) got to work designing a new IP address scheme. The new scheme is called IPv6, and supports a virtually unlimited number of addresses. The current IPv4 address system supports up to 4,294,967,296 unique addresses.

A typical IPv4 address: 96.49.181.168
A typical IPv6 address: 2001:db8:85a3::8a2e:370:7334

Now, according to the American Registry for Internet Numbers (ARIN), the organization that doles out IP address blocks, we’re about to run out of IP addresses at last.

Before you start to panic, you should know that reaching this limit only really affects Internet Service Providers (ISPs). These organizations are the ones who buy IP blocks, then provide them to regular users. New ISPs, and ISPs that need to expand, are going to find it increasingly difficult to obtain the addresses they need.

There’s more good news: since we’ve seen this problem coming for a while now, most network hardware and operating systems are fully compatible with IPv6, including Windows XP and newer. When it’s time to make the switch, it will happen gradually, and will involve enabling IPv6 on devices and in operating systems where it’s currently disabled. Of course, there are likely to be glitches during the transition, but given the amount of testing already done, these should be resolved quickly. In most countries, the transition to IPv6 has already begun, with adoption as high as 35% in Belgium.
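To put the two address formats and the size difference into concrete terms, here is an added example (not part of the original post) using Python’s standard ipaddress module. It takes the two sample addresses quoted above, shows the compressed and fully expanded forms of the IPv6 one, computes both address spaces, and goes one step beyond the text by decoding an IPv4-mapped IPv6 address (the ::ffff:a.b.c.d form used during the transition). The final check only tests whether the local OS can open an IPv6 socket at all; it says nothing about whether your ISP actually routes IPv6.

```python
import ipaddress
import socket

# The two addresses quoted in the post above.
IPV4_EXAMPLE = "96.49.181.168"
IPV6_EXAMPLE = "2001:db8:85a3::8a2e:370:7334"


def address_space_size(version):
    """Number of distinct addresses: 32-bit for IPv4, 128-bit for IPv6."""
    if version == 4:
        return 2 ** 32
    if version == 6:
        return 2 ** 128
    raise ValueError("version must be 4 or 6")


def describe(text):
    """Parse an address string; return None if it is not a valid IPv4 or IPv6 address."""
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:
        return None
    info = {
        "version": addr.version,
        "compressed": addr.compressed,   # shortest textual form (:: collapses zero groups)
        "exploded": addr.exploded,       # every group written out in full
        "integer": int(addr),
        "space": address_space_size(addr.version),
    }
    if addr.version == 6:
        # ::ffff:a.b.c.d carries an IPv4 address inside an IPv6 one; used by dual-stack hosts.
        mapped = addr.ipv4_mapped
        info["ipv4_mapped"] = str(mapped) if mapped is not None else None
    return info


def ipv6_socket_available():
    """True if this host's OS and Python build can open an IPv6 socket (support, not connectivity)."""
    if not socket.has_ipv6:
        return False
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for sample in (IPV4_EXAMPLE, IPV6_EXAMPLE, "::ffff:" + IPV4_EXAMPLE):
        info = describe(sample)
        print(f"{sample}: IPv{info['version']}, expanded = {info['exploded']}, "
              f"address space = {info['space']:,}")
        if info.get("ipv4_mapped"):
            print("   embeds IPv4 address", info["ipv4_mapped"])
    ratio = address_space_size(6) // address_space_size(4)
    print(f"IPv6 has 2**96 ({ratio:,}) times as many addresses as IPv4")
    print("IPv6 sockets available on this host:", ipv6_socket_available())
```

The 4,294,967,296 figure in the text is exactly address_space_size(4); the IPv6 space is that number multiplied by 2**96, which is why the post can call it virtually unlimited.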
