Microsoft issues special update for critical Windows vulnerability

An update for a vulnerability in the Microsoft Font Driver – present in all supported versions of Windows – was released yesterday by Microsoft. Normally, updates like this are released as part of the monthly Patch Tuesday process, but Microsoft evidently decided that this vulnerability was serious enough to warrant this ‘out of band’ update.

Windows systems with Automatic Updates enabled will receive this update automatically. All other systems should be updated via Windows Update as soon as possible.

Mozilla’s plans to make Firefox better

For years, Firefox has been the go-to browser for tech-savvy users, who mainly want to avoid using Internet Explorer. More recently, Firefox has been losing users to Chrome, albeit slowly. Fast-forward to today, and it’s increasingly common to hear people complain about Firefox’s bloat, and its performance issues.

I still use Firefox, but I’d switch to Chrome in a heartbeat if that browser had a bookmark sidebar. And I’m not the only one: the comments in this Chrome Help Forum thread clearly show users’ frustration with Google’s foot-dragging.

Apparently Mozilla can see the writing on the wall. A new effort is underway to improve Firefox’s quality. Part of this will involve identifying and removing features that are incomplete or ineffective, which should help to reduce bloat and improve performance. It’s way too soon to know if this will be enough for Firefox to hold on to notoriously fickle browser users, but at least Firefox may now have a chance.

Meanwhile, Microsoft’s new web browser (Edge) is going to complicate things if it really is as fast as claimed.

Java 8 Update 51 fixes 25 vulnerabilities

Yesterday, Oracle released a huge set of updates for all its products, in the July installment of their quarterly Critical Patch Update.

Included in the updates is a new version of Java, version 8 update 51. The new Java includes fixes for at least 25 security vulnerabilities. Anyone who uses a web browser with Java enabled should install the new version as soon as possible. According to Oracle, exploits for at least one of the Java vulnerabilities have been seen in the wild.

Patch Tuesday for July 2015

This month there are fourteen bulletins from Microsoft, with associated updates affecting Windows, Internet Explorer, Office and SQL Server. Four of the updates are flagged as Critical. The updates address at least fifty-nine vulnerabilities.

From Adobe, there are updates for Flash (see previous post), Reader/Acrobat (version 2015.008.20082) and Shockwave (version 12.1.9.159).

So, although installing updates on computers is probably not anyone’s idea of summer fun, let’s all try to keep our sense of humour as we once again work through the monthly update grind. Enjoy!

Update 2015Jul16: This month’s Microsoft updates address three vulnerabilities (two in Internet Explorer) exposed in the recent Hacker Team leak.

Flash 18.0.0.209 fixes latest vulnerabilities

Earlier today, Adobe released yet another version of Flash to address the most recent vulnerabilities revealed in the Hacker Team leak (CVE-2015-5122 and CVE-2015-5123).

According to the release notes for version 18.0.0.209: “These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly.

If you still need to use a web browser with Flash enabled, you should install the new Flash version immediately. As usual, Internet Explorer 10/11 in Windows 8.x will receive the Flash update via Windows Update. A new version of Google Chrome (43.0.2357.134) includes the most recent Flash version.

Ars Technica has more about the latest updates and efforts to minimize Flash-related vulnerabilities by Mozilla and Google.

Yet another Flash exploit revealed

At this point, the Hacking Team leak appears to be a never-ending source for Flash exploits. A third vulnerability was just discovered among the leaked materials. As always, we recommend disabling Flash completely in your browser, or setting up one browser with Flash, to be used only when you have no other choice.

To reduce potential damage, Mozilla has configured Firefox to block all versions of Flash up to version 18.0.0.203. Of course, that won’t help for as-yet unpatched vulnerabilities such as the last two from the Hacking Team leak.

Meanwhile, there’s renewed interest in eliminating Flash from the web completely. YouTube abandoned Flash for an HTML5-based video player recently, and organized campaigns like Occupy Flash are trying to keep the ball rolling by encouraging both users and service providers to stop using Flash. Facebook’s Chief Security Officer wants Adobe to announce the end of Flash.

We’re hoping that Google is working to remove Flash from their advertising infrastructure, since for many users, Flash-based advertisements are their biggest remaining exposure to Flash.

Flash update fixes Hacking Team vulnerability

As much as I would like to see Flash disappear completely, I have to commend Adobe’s quick response to the recent discovery of a critical Flash exploit.

Flash 18.0.0.203 was released earlier today. The new version fixes the vulnerability associated with the Hacking Team leak (CVE-2015-5119), but it also addresses thirty-five other security vulnerabilities in Flash.

As usual, Google Chrome will update itself with the new Flash code, and Internet Explorer 10 and 11 on Windows 8.x will get the Flash changes via Windows Update.

Recommendation: if you use a web browser with Flash enabled, install the new Flash as soon as possible. Keep in mind that the standard Flash installer also installs McAfee security software by default: look for a checkbox for this option in the installer and disable it.

Ars Technica has additional details.

Recent changes to Firefox prevent access to network resources

By now you’re no doubt familiar with the warnings displayed by web browsers when you navigate to sites that use out of date or incomplete security. Typically, a browser will allow you to continue to the site in question, regardless of the security issue. While it can be argued that allowing the user to ignore security warnings is a bad idea, in many cases this is the only way for users to access some sites.

The classic example of this is when a business creates a self-signed SSL certificate for a web resource that is only accessible internally. Typically this is done when non-secure access to the resource is simply not supported. Creating a self-signed certificate gets around this limitation and costs nothing. Users accessing the resource will see a warning about the self-signed certificate, but can tell their browser to proceed anyway, knowing that there’s no actual danger.

Unfortunately, Mozilla seems to have eliminated the ability for users to bypass these warnings. I recently encountered this when using the current version of Firefox (39.0) to access a router on a local network. I received a cryptic warning:

SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

In earlier versions of Firefox, I would then be allowed to continue regardless of the security issue. But that’s no longer the case. To access the router, I switched to Google Chrome, which showed the same warning, but allowed me to proceed.

I understand that Mozilla is trying to tighten security, and limit the ways in which uninformed users expose themselves to security risks, but I believe that this is going too far. It’s yet another example of how Mozilla is pushing users away from Firefox, to other web browsers.

Update 2015Jul09: I’m seeing workarounds for this problem, but they typically involve ignoring the security check completely. I only want to be able to bypass the check for specific sites.

Update 2015Aug07: Only certain types of SSL keys are being handled this way in Firefox now. Specifically, Diffie-Hellman keys that are 1024 bits long or shorter. Other self-signed keys still allow for exceptions to be added.

Update 2015Oct16: Chrome also no longer allows access to sites, services, or devices using Diffie-Hellman keys.

Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.