boot13The latest version of Google’s web browser is 41.0.2272.118. Four security issues, including at least one (CVE-2015-1233) flagged as critical, were addressed in this version. At least one of the vulnerabilities (CVE-2015-1234) came to light during the recent Pwn2Own contest.
Firefox 37 released
A new version of Firefox was announced yesterday by Mozilla. Yes, you read that correctly: a post on the Mozilla blog announced new versions of Firefox for all platforms. Of course, the announcement doesn’t mention the new version number, and it doesn’t provide any details, it just points to the release notes. Still, it’s progress!
According to the release notes for Firefox 37.0, the new version includes several changes related to security, including ‘improved protection against site impersonation’, and several fixes related to recently-discovered TLS vulnerabilities. WebGL rendering performance on Windows was improved. HTML5 support was also enhanced.
According to the Firefox Security Advisories page, at least 13 security vulnerabilities were fixed in Firefox 37.0.
Update: As of April 1 at 6:53am PST, the version of Firefox I’m currently using (36.0.4) is telling me that ‘Firefox is up to date’. It looks like someone may have forgotten a step when publishing version 37.0. Presumably this will be resolved shortly. If I visit the main Firefox download page, it tells me I’m using an older version of Firefox, and the download link definitely goes to Firefox 37.0.
Update 2015Apr02: According to sources on the official Firefox IRC channel, auto-updates for version 37 have been suspended while the developers look into a crashing problem being reported by some Windows 8 users.
More fun with names from Microsoft
Microsoft sure likes to keep people confused, don’t they? Most recently, they decided to designate the next version of Windows ’10’ instead of the otherwise completely sensible ‘9’ (being as it comes after 8).
Now, there’s a new chapter in the saga of ‘what the heck should we call applications that use the goofy new Start screen in Windows?’ Originally these applications were called ‘Metro apps’, to match the name of the new UI, Metro. Then they started calling them ‘Windows 8-style apps’. Then ‘Modern apps’. Then ‘Windows Store apps’. And then ‘Universal apps’. As of today, Microsoft has changed their collective minds once again, and now these Windows applications will be known as: ‘Windows apps’.
It would be fun to tally up what is has cost Microsoft to come up with the idea of calling Windows applications ‘Windows apps’.
Malvertising is a growing threat
If you’re not familiar with the term, you should be. ‘Malvertising‘ refers to the increasingly common tactic whereby malicious persons include exploit code within what otherwise appears to be legitimate, web-based advertising.
Over on eWEEK, a recent post (Why ‘Malvertising’ Has Become a Pervasive Security Risk) explains why Malvertising is a real and growing threat.
Organizations that provide advertising platforms – including Google – need to deal with this threat quickly. If they don’t, there’s likely to be a surge in users installing ad-blocking software in their browsers. I personally use and recommend NoScript, a browser plugin that blocks all Javascript (and Malvertising) by default.
Firefox 36.0.4 addresses Pwn2Own vulnerabilities
The latest version of Firefox is 36.0.4. It was released on March 21 in response to a successful hack against the browser at the recent Pwn2Own contest. The Security Advisories page describes the vulnerability as Privilege escalation through SVG navigation.
In related news, all four of the major web browsers were successfully hacked at Pwn2Own.
Chrome 41.0.2272.101 released
On March 19, Google announced version 41.0.2272.101 of its Chrome web browser. The announcement doesn’t describe any changes, and only says that a ‘partial list of changes is available in the log’. The log is derived from the Git version control system used by Google to manage Chrome’s source code. As such, it’s difficult to parse for significant changes. It appears that only minor changes were made in Chrome 41.0.2272.101.
Firefox 36.0.3 fixes two security bugs
Two security vulnerabilities, discovered at the HP Zero Day Initiative Pwn2Own contest, have been fixed in Firefox 36.0.3.
As usual, there was no proper announcement for the new version. The release notes for 36.0.3 include changes made in previous versions, as you can see by comparing them to the release notes for 36.0.1. At least the changes specific to 36.0.3 are flagged as such.
The Security Advisories (aka Known Vulnerabilities) page now has a section for each version; the most recent changes are listed under the heading ‘Fixed in Firefox 36.0.3’.
Vulnerabilities in two popular WordPress plugins
If you manage a WordPress web site that uses the plugins WordPress SEO by Yoast or WooCommerce, you should update those plugins as soon as possible. Serious vulnerabilities were recently discovered in both plugins. Updates addressing those vulnerabilities are now available.
FREAK vulnerability affects Windows, Mac, mobiles
It’s been about two weeks since the FREAK vulnerability was first reported. The flaw itself has existed for at least ten years, and we now know that it affects mobile devices, Mac OS X, and Windows.
From the related US-CERT alert:
FREAK (Factoring Attack on RSA-EXPORT Keys CVE-2015-0204) is a weakness in some implementations of SSL/TLS that may allow an attacker to decrypt secure communications between vulnerable clients and servers.
Google has released an updated version of its Android OS and Chrome browser for OS X to mitigate the vulnerability. Microsoft has released a Security Advisory that includes a workaround for supported Windows systems.
It’s now clear that this is a teaching moment for the Internet. The FREAK flaw exists because of the ridiculous (and short-lived) insistence by the US government that encryption software designated for export be made deliberately weak. The imposed restrictions ended, but the code involved in switching between strong and weak encryption remained. This intentional weakening of encryption is similar to the kind of ‘golden key’ (back door) for which intelligence organizations are currently clamouring. The lesson: Encryption Backdoors Will Always Turn Around And Bite You In The Ass. Bruce Schneier calls this a ‘security rollback‘. The Economist puts it succinctly, “…mathematics applies to just and unjust alike; a flaw that can be exploited by Western governments is vulnerable to anyone who finds it.”
Update 2015Mar19: Researchers determine that exploiting the remaining vulnerable systems is much easier than originally estimated. Thousands of iOS and Android apps are vulnerable.
Domain registration information leaked by Google
If you’ve registered domains using the Google Apps for Work service, there’s a good chance your registration (WHOIS) information is now available to unscrupulous persons.
Apparently a software defect in Google Apps started leaking the registration info (names, phone numbers, physical addresses, e-mail addresses, etc.) in mid-2013. The defect was recently discovered by a security researcher. Google acted quickly to stop the leaking, but for many, the damage has already been done.
If your information was leaked, you’ll likely start seeing an increase in spam to associated email addresses. The information may also be used in spear phishing attacks.
Note that while domain registration information is public, most domain registrars (including Google Apps) allow for this information to be hidden or only accessible indirectly. This likely encouraged many registrants to use accurate information, making the leak that much worse.