45 security issues fixed in Chrome 42.0.2311.90

The latest version of Chrome includes fixes for forty-five security vulnerabilities. According to the announcement, version 42.0.2311.90 also has improvements in stability and performance.

Starting with this version of Chrome, the old NPAPI technology used for plugins (including Java and Silverlight) is disabled by default. If any of your Chrome plugins still use this technology, you’ll need to enable them when the browser warns you.

Java 8u45 released

Oracle has released Update 45 for Java 8. Anyone using Java should install the update as soon as possible, since it contains fixes for at least fourteen security vulnerabilities.

NOTE: Java 7 is no longer being updated, so if you’re still using it, you should upgrade to Java 8 as soon as possible. If Java is configured to auto-update itself, it will upgrade Java 7 to Java 8 automatically.

Update 2015May14: The final update for Java 7 was 7u79/7u80, released on April 14, 2015.

Patch Tuesday for April 2015

It’s that time again. This month there are eleven updates from Microsoft, with four of them flagged as Critical, affecting Windows, Internet Explorer, Office and .NET.

Adobe has once again come along for the monthly festivities, today releasing a new version of Flash. Version 17.0.0.169 fixes at least fourteen vulnerabilities in Flash, including one for which exploits have been observed in the wild.

So, time to get busy updating your systems… especially where you’re using Flash in a web browser.

Update 2015Apr19: One of this month’s Windows updates is causing problems for people running Oracle VirtualBox, a popular emulator. The problematic update is KB3045999, also referred to as MS15-038. There’s no word yet from Oracle or Microsoft regarding a fix. Uninstalling the update appears to work, but this is obviously a temporary solution.

This month’s Ouch! newsletter: passphrases

What’s a passphrase? It’s a phrase or sentence that you use as a password. Phrases tend to be easier to remember than ordinary passwords, and they are much more difficult to crack.

This month’s Ouch! newsletter (PDF) provides a useful overview of passphrases and their use. Note that while passphrases can be very strong, you should still make sure to use a different one for each site or service. And of course you should use a good, offline password manager like Bruce Schneier’s Password Safe to keep track of them.

CRTC follows through on its efforts to curb spam

The Canadian Radio-television and Telecommunications Commission (CRTC) has handed out steep penalties to three organizations for failing to comply with Canada’s new anti-spam regulations.

Up to this point, there has been some doubt as to whether the CRTC and the Competition Bureau would follow through on the promise of the new law. Doubt no more: the worst offender was a Quebec company called Compu-Finder, which received a whopping 1.1 million dollar fine.

It’s not often that I find a reason to praise the CRTC, but this is one of those times. Nice work, folks! Keep it up.

Google clamping down on malicious Chrome extensions

If you use Google’s web browser Chrome, and you’ve noticed that some extensions are causing problems, take heart. Google recently discovered that about 200 Chrome extensions are injecting ads in deceptive ways, often leading users to malware. These extensions have been killed by Google, and measures taken to prevent this type of abuse in the future. Note that Google doesn’t explicitly bar ad-injection extensions; however, such extensions are subject to certain limitations.

If you suspect that your installation of Chrome is running one or more of these rogue extensions, your best bet is to uninstall Chrome completely and reinstall it.

Update 2015Apr09: Google’s efforts to identify and remove problematic extensions are ongoing. More announcements of this type are expected. For example: the extension ‘Webpage Screenshot’ was found to be collecting user data inappropriately, and was also killed.

WordPress sites targeted by pro-ISIL hacks

An active campaign pushing the agenda of ISIL is being perpetrated mainly via hacked WordPress sites. The FBI has issued a related warning.

Anyone who runs a WordPress site should immediately ensure that it is up to date with all WordPress and plugin updates. Of course this won’t help if your site has already been hacked, so if you have any doubt, please scan your site with one (or preferably all) of the following web-based site scanners:

Meanwhile, yet another popular WordPress plugin has been found to contain a serious vulnerability. The site caching plugin WP-Super-Cache has a nasty cross-site scripting bug. Anyone using this plugin on a WordPress site needs to update it to the fixed version (1.4.4) immediately.

Firefox 37.0.1 fixes crashing and security issues in 37.0

Some of us never really had a chance to try Firefox 37.0, and that’s probably a good thing. Version 37.0 tends to crash when started, and it includes at least one new security vulnerability.

Mozilla pulled Firefox 37.0 from the auto-update queue after learning of these issues, and yesterday released 37.0.1 to resolve them.

Unfortunately, despite the fact that this would have been a really good time for some kind of announcement of what was going on, Mozilla has said exactly nothing about this. The release notes for Firefox 37.0.1 don’t provide any insight, and although the security advisories page has been updated for 37.0.1, it still doesn’t say much.

It does appear that Mozilla’s attempt to enable Opportunistic Encryption in Firefox 37.0 didn’t work out as expected, because the HTTP Alternative Services feature is disabled in Firefox 37.0.1.

Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.