A warning to Lenovo PC users

PC manufacturer Lenovo has been shipping PCs with an extraordinarily nasty piece of adware called Superfish.

The basic concept is bad enough: Superfish watches your Internet activity and injects advertisements into web pages. But Superfish is much worse than that, since in the process of hijacking your web sessions, it opens your PC to ‘man in the middle’ attacks.

Lenovo has been downplaying the risks involved, while analysts continue to demonstrate just how bad this situation really is.

Affected models include:

  • G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
  • U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
  • Y Series: Y430P, Y40-70, Y50-70
  • Z Series: Z40-75, Z50-75, Z40-70, Z50-70
  • S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
  • Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
  • MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
  • YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
  • E Series: E10-30

You can confirm that your computer is affected using the Superfish CA test (offline as of 2016Jan06).

Anyone who owns or uses one of these models should follow the Superfish removal instructions or ask their IT/support person to look into it.
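The Superfish CA test linked above is offline, but the same check can be run locally: the adware installs its own root certificate into the Windows trusted root store, and that certificate is what makes the man-in-the-middle attack possible. The following script is an added example, not part of this post and not Lenovo's or Superfish's code. It uses only the Python standard library: `ssl.enum_certificates("ROOT")` (available on Windows builds of Python) returns the system root store as DER-encoded blobs, and the script looks for the printable string "Superfish" inside each blob. The assumption is that the certificate's subject name still contains that string; a renamed certificate would not be caught, so treat a clean result as "nothing obvious found" rather than proof of a clean machine.

```python
"""Look for the Superfish root CA in the local trusted root store (added example).

Standard library only. On Windows, ssl.enum_certificates() returns the
contents of the named system store as (cert_bytes, encoding, trust) tuples.
The Superfish certificate's subject carries the printable string "Superfish",
so a byte search over the DER blob flags it without a full X.509 parser.
Assumption: the subject really does contain that string (it did for the
certificate shipped with the adware). On non-Windows platforms the store
cannot be enumerated and the check reports nothing.
"""
import ssl
import sys
from typing import Iterable, List, Tuple

# Substrings to look for inside the DER-encoded certificate. Only the marker
# the post is about is listed here.
SUSPECT_SUBJECT_MARKERS: Tuple[bytes, ...] = (b"Superfish",)


def find_suspect_roots(der_certs: Iterable[bytes],
                       markers: Tuple[bytes, ...] = SUSPECT_SUBJECT_MARKERS) -> List[bytes]:
    """Return every DER blob whose bytes contain any of the marker strings."""
    hits: List[bytes] = []
    for der in der_certs:
        if any(marker in der for marker in markers):
            hits.append(der)
    return hits


def load_windows_root_store() -> List[bytes]:
    """Enumerate the ROOT store as seen by the current user; [] off Windows."""
    if not hasattr(ssl, "enum_certificates"):  # Windows-only API
        return []
    return [cert for cert, encoding, _trust in ssl.enum_certificates("ROOT")
            if encoding == "x509_asn"]  # skip PKCS#7 bundles


def superfish_present() -> bool:
    """True if at least one root certificate in the store matches the marker."""
    return bool(find_suspect_roots(load_windows_root_store()))


if __name__ == "__main__":
    hits = find_suspect_roots(load_windows_root_store())
    if hits:
        print(f"WARNING: {len(hits)} root certificate(s) matching Superfish found; "
              "follow the removal instructions.")
        sys.exit(1)
    print("No Superfish root certificate found (or not running on Windows).")
```

Run it from a normal (non-elevated) prompt on the affected machine; removing the adware and its certificate is a separate step, covered by the removal instructions linked above.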

Update 2015Feb21-1: Lenovo may be starting to recognize and admit their mistake. Meanwhile, Superfish (developers of the adware) remains defiant, and Komodia (who develop spyware that is apparently at the heart of this issue) is saying nothing at all.

Update 2015Feb21-2: Microsoft has added Superfish detection and automatic removal to Windows Defender.

Update 2015Feb21-3: Lenovo’s CTO is still in denial, saying the vulnerability is ‘theoretical’.

Update 2015Feb21-4: Ars Technica takes a closer look at the Komodia software and the risks related to the way it was used by Superfish.

Update 2015Feb21-5: Superfish (the company) has a history of annoying people with their intrusive technologies. That hasn’t stopped them from making a ton of money, however. The company’s CEO is insisting that they did nothing wrong, but doesn’t address the specific technical concerns.

WordPress 4.1.1 released

A new version of WordPress, described as a maintenance release by the developers, was announced yesterday.

The new version includes fixes for several minor bugs, none of which are related to security. The announcement page includes a link to the list of tickets corresponding to the changes in this release.

WordPress sites that are configured for automatic updates should have the new version installed automatically over the next couple of days.

Netgear routers vulnerable to attack

Several popular wireless routers made by Netgear are susceptible to attacks using a recently-discovered vulnerability in their firmware.

From the original report, posted by Peter Adkins on the Full Disclosure mailing list:

Platforms / Firmware confirmed affected:
----
NetGear WNDR3700v4 – V1.0.0.4SH
NetGear WNDR3700v4 – V1.0.1.52
NetGear WNR2200 – V1.0.1.88
NetGear WNR2500 – V1.0.0.24

Additional platforms believed to be affected:
----
NetGear WNDR3800
NetGear WNDRMAC
NetGear WPN824N
NetGear WNDR4700

Anyone using one of these routers should immediately confirm that its web interface is NOT enabled for access from the WAN/Internet. If possible, it should also be configured to restrict access to the admin interface to specific IP addresses on the LAN.

A CVE number has not yet been assigned to this vulnerability. Hopefully Netgear will release firmware updates to address this flaw in the near future.

Patch Tuesday for February 2015

Microsoft has announced this month’s updates. There are nine bulletins and associated patches, addressing 56 vulnerabilities in Windows, Office and Internet Explorer. Three are flagged as Critical.

Recommendation: install these updates as soon as possible. At least one of them fixes a bug that’s currently being exploited in the wild.

The official bulletin summary has all the technical details.

Tax-related scam emails appearing

I just received email purporting to be from Revenue Canada, telling me that I have overpaid my taxes in recent years, and urging me to claim my refund by clicking on a link.

The link actually goes to a Cloudflare-hosted web site, epathchina(.com). The site has nothing to do with Revenue Canada, and exists to trick unsuspecting people into divulging private/financial information to the site’s operators.

Currently, the site shows nothing untoward in Sucuri site check: it’s not on any blacklists and malware scans show nothing. But that’s likely to change.

With tax time nearing, we should expect email like this to appear in our inboxes. As a general rule, it’s a bad idea to click links in email. Of course, if you’re certain the source is legitimate, the risk is far less, but it’s still possible that the ‘legitimate’ source has been compromised. In this particular case, a much safer approach is to simply go to the Canada Revenue web site and log in.

Clues that this was a scam email:

  • The Return-Path address (refund AT server.whitetails.com) is unrelated to Revenue Canada.
  • The From address uses a domain that appears to be related to Revenue Canada (craarc.gc.ca), but the domain doesn’t actually exist, as confirmed by any IP checking service like WhatMyIP.
  • Like most effective cons, it offers money for nothing.
  • The recipient is urged to act quickly.
  • The message is poorly formatted.
  • The recipient is instructed not to contact Revenue Canada by telephone.

Recommendations: configure your email client to display email in plain text format and display all headers. This will make your inbox less entertaining, but a lot safer, since it will be much easier to spot suspicious links and headers.

Here’s the body of the email:

Dear Applicant:

Following an upgrade of our computer systems and review of our records we
have investigated your payments and latest tax returns over the last seven
years our calculations show you have made over payments of 226.99 CAD

Due to the high volume of refunds due you must complete the on line application,
the telephone help line is unable to assist with this application.

To access the form for your tax refund,please click here
Your refund may take up to 3 weeks to process please make sure you complete the form correctly.
As we are upgrading our records we require the completed form showing your full current details by 10 February 2015
Please complete the form to confirm the refund.
A. B. Marions
Senior Manager
Canada Revenue Agency

————————————————————–
© Copyright 2015, Canada Revenue Agency All rights reserved.
TAX REFUND ID: XXXXXXXXXXXXX
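The clues listed above can be checked mechanically. The script below is an added example, not part of this post, and runs the header and content checks against a constructed message modelled on the scam email: it compares the Return-Path domain with the From domain, asks whether the From domain resolves at all, lists where the links actually point, and looks for the urgency and "don't phone us" wording. The only page-specific values reused are the three domains named in the post (server.whitetails.com, craarc.gc.ca and epathchina.com); the sample headers, body and the keyword lists are my own construction. The DNS lookup is injectable so the analysis can run offline or in a test.

```python
"""Header and content checks for a suspected refund scam (added example).

Applies the clues from the post to a raw message: Return-Path/From domain
mismatch, a From domain that does not resolve, links pointing somewhere other
than the sender's domain, and urgency / "don't phone us" wording.
The resolver is injectable; the default uses socket.gethostbyname.
"""
import re
import socket
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Callable, Dict, List
from urllib.parse import urlparse

# Constructed sample modelled on the message quoted in the post. Not the real
# raw email; only the domains named in the post are reused.
SAMPLE_EMAIL = """\
Return-Path: <refund@server.whitetails.com>
From: "Canada Revenue Agency" <refund@craarc.gc.ca>
To: victim@example.net
Subject: Tax refund notification
Content-Type: text/html; charset=utf-8

<p>Dear Applicant: our calculations show you have made over payments of 226.99 CAD.</p>
<p>Due to the high volume of refunds due you must complete the on line application,
the telephone help line is unable to assist with this application.</p>
<p>To access the form for your tax refund, please <a href="http://epathchina.com/refund">click here</a></p>
"""

# Constructed keyword lists; extend them for your own mail stream.
URGENCY_PATTERNS = [r"\bmust complete\b", r"\burgent(ly)?\b", r"\bimmediately\b",
                    r"\bwithin \d+ (hours|days)\b"]
NO_PHONE_PATTERNS = [r"telephone.*unable to assist", r"do not (call|contact)"]
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def domain_of(header_value: str) -> str:
    """Lower-cased domain part of an address header, '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def registrable_tail(host: str, labels: int = 2) -> str:
    """Crude last-N-labels comparison (enough to tell gc.ca from whitetails.com)."""
    return ".".join(host.split(".")[-labels:])


def default_resolver(host: str) -> bool:
    """True if the hostname resolves; network access required."""
    try:
        socket.gethostbyname(host)
        return True
    except OSError:
        return False


def analyse(raw: str, resolves: Callable[[str], bool] = default_resolver) -> Dict[str, object]:
    """Return the extracted sender facts plus a list of human-readable findings."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"])
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = re.sub(r"<[^>]+>", " ", body).lower()  # strip tags before keyword search
    link_hosts: List[str] = [urlparse(h).hostname or "" for h in HREF_RE.findall(body)]

    findings: List[str] = []
    if return_path_domain and registrable_tail(return_path_domain) != registrable_tail(from_domain):
        findings.append(f"Return-Path domain {return_path_domain} does not match From domain {from_domain}")
    if from_domain and not resolves(from_domain):
        findings.append(f"From domain {from_domain} does not resolve")
    for host in link_hosts:
        if host and registrable_tail(host) != registrable_tail(from_domain):
            findings.append(f"link points to {host}, not the sender's domain")
    if any(re.search(p, text) for p in URGENCY_PATTERNS):
        findings.append("urgency wording")
    if any(re.search(p, text) for p in NO_PHONE_PATTERNS):
        findings.append("recipient discouraged from phoning")
    return {"from_domain": from_domain, "return_path_domain": return_path_domain,
            "link_hosts": link_hosts, "findings": findings}


if __name__ == "__main__":
    for line in analyse(SAMPLE_EMAIL)["findings"]:
        print("-", line)
```

Feed it a real message by reading the raw source (headers included) that your mail client exports; the findings are indicators to weigh, not a verdict, and the domain comparison is deliberately crude, so a link to a legitimate third-party host will also be reported.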

Brian Krebs recently reported on another tax-related scam affecting Americans, in which stolen credentials are used to post fraudulent tax returns.

Chrome 40.0.2214.111 fixes several vulnerabilities

The latest version of Chrome fixes eleven security issues. Version 40.0.2214.111 also includes the latest embedded version of Flash (16.0.0.305).

The release notes for Chrome 40.0.2214.111 describe some of the changes in the new version. There’s a link to the ‘full list of changes’, but since the linked page is an automated change log from the version management software Git, it’s aimed at developers and not much use for regular users. A link to ’11 security fixes’ currently displays an empty page.

In any case, since the new Chrome contains security fixes and the new Flash, anyone using the browser is strongly encouraged to allow Chrome to update itself before using it for web browsing.

Flash 16.0.0.305 fixes latest zero-day

To their credit, Adobe is reacting swiftly to the recent outbreak of critical vulnerabilities in Flash. They just released another new version (16.0.0.305) to address vulnerability CVE-2015-0313, which is being actively exploited on the Internet.

Anyone using Flash, especially in a web browser, should install the new version as soon as possible.

Internet Explorer for Windows 8.x and Google Chrome will see related updates in the very near future.

Update 2015Feb07: Ars Technica: As Flash 0day exploits reach new level of meanness, what are users to do?

Another critical Flash vulnerability

Adobe has posted an alert about yet another critical vulnerability in Flash. This issue (CVE-2015-0313) affects all versions of Flash, including the most recent (16.0.0.296).

So far there is no patch from Adobe, although one is expected this week. As always, disable Flash in your browser if you don’t need it, exercise great care in web browsing if you do need Flash, and configure Flash browser plugins as ‘Ask to activate’ where possible.
