Microsoft issues special update for critical Windows vulnerability

An update for a vulnerability in the Microsoft Font Driver – present in all supported versions of Windows – was released yesterday by Microsoft. Normally, updates like this are released as part of the monthly Patch Tuesday process, but Microsoft evidently decided that this vulnerability was serious enough to warrant this ‘out of band’ update.

Windows systems with Automatic Updates enabled will receive this update automatically. All other systems should be updated via Windows Update as soon as possible.

Mozilla’s plans to make Firefox better

For years, Firefox has been the go-to browser for tech-savvy users, who mainly want to avoid using Internet Explorer. More recently, Firefox has been losing users to Chrome, albeit slowly. Fast-forward to today, and it’s increasingly common to hear people complain about Firefox’s bloat, and its performance issues.

I still use Firefox, but I’d switch to Chrome in a heartbeat if that browser had a bookmark sidebar. And I’m not the only one: the comments in this Chrome Help Forum thread clearly show users’ frustration with Google’s foot-dragging.

Apparently Mozilla can see the writing on the wall. A new effort is underway to improve Firefox’s quality. Part of this will involve identifying and removing features that are incomplete or ineffective, which should help to reduce bloat and improve performance. It’s way too soon to know if this will be enough for Firefox to hold on to notoriously fickle browser users, but at least Firefox may now have a chance.

Meanwhile, Microsoft’s new web browser (Edge) is going to complicate things if it really is as fast as claimed.

Java 8 Update 51 fixes 25 vulnerabilities

Yesterday, Oracle released a huge set of updates for all its products, in the July installment of their quarterly Critical Patch Update.

Included in the updates is a new version of Java, version 8 update 51. The new Java includes fixes for at least 25 security vulnerabilities. Anyone who uses a web browser with Java enabled should install the new version as soon as possible. According to Oracle, exploits for at least one of the Java vulnerabilities have been seen in the wild.

Patch Tuesday for July 2015

This month there are fourteen bulletins from Microsoft, with associated updates affecting Windows, Internet Explorer, Office and SQL Server. Four of the updates are flagged as Critical. The updates address at least fifty-nine vulnerabilities.

From Adobe, there are updates for Flash (see previous post), Reader/Acrobat (version 2015.008.20082) and Shockwave (version 12.1.9.159).

So, although installing updates on computers is probably not anyone’s idea of summer fun, let’s all try to keep our sense of humour as we once again work through the monthly update grind. Enjoy!

Update 2015Jul16: This month’s Microsoft updates address three vulnerabilities (two in Internet Explorer) exposed in the recent Hacking Team leak.

Flash 18.0.0.209 fixes latest vulnerabilities

Earlier today, Adobe released yet another version of Flash to address the most recent vulnerabilities revealed in the Hacking Team leak (CVE-2015-5122 and CVE-2015-5123).

According to the release notes for version 18.0.0.209: “These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly.”

If you still need to use a web browser with Flash enabled, you should install the new Flash version immediately. As usual, Internet Explorer 10/11 in Windows 8.x will receive the Flash update via Windows Update. A new version of Google Chrome (43.0.2357.134) includes the most recent Flash version.

Ars Technica has more about the latest updates and efforts to minimize Flash-related vulnerabilities by Mozilla and Google.

Yet another Flash exploit revealed

At this point, the Hacking Team leak appears to be a never-ending source for Flash exploits. A third vulnerability was just discovered among the leaked materials. As always, we recommend disabling Flash completely in your browser, or setting up one browser with Flash, to be used only when you have no other choice.

To reduce potential damage, Mozilla has configured Firefox to block all versions of Flash up to version 18.0.0.203. Of course, that won’t help for as-yet unpatched vulnerabilities such as the last two from the Hacking Team leak.

Meanwhile, there’s renewed interest in eliminating Flash from the web completely. YouTube abandoned Flash for an HTML5-based video player recently, and organized campaigns like Occupy Flash are trying to keep the ball rolling by encouraging both users and service providers to stop using Flash. Facebook’s Chief Security Officer wants Adobe to announce the end of Flash.

We’re hoping that Google is working to remove Flash from their advertising infrastructure, since for many users, Flash-based advertisements are their biggest remaining exposure to Flash.

Flash update fixes Hacking Team vulnerability

As much as I would like to see Flash disappear completely, I have to commend Adobe’s quick response to the recent discovery of a critical Flash exploit.

Flash 18.0.0.203 was released earlier today. The new version fixes the vulnerability associated with the Hacking Team leak (CVE-2015-5119), but it also addresses thirty-five other security vulnerabilities in Flash.

As usual, Google Chrome will update itself with the new Flash code, and Internet Explorer 10 and 11 on Windows 8.x will get the Flash changes via Windows Update.

Recommendation: if you use a web browser with Flash enabled, install the new Flash as soon as possible. Keep in mind that the standard Flash installer also installs McAfee security software by default: look for a checkbox for this option in the installer and disable it.

Ars Technica has additional details.
