Adobe releases another Flash zero-day fix

Adobe has updated the bulletin related to the CVE-2015-0311 vulnerability in Flash. Apparently a new version of Flash (16.0.0.296) has been released to address the bug.

Initially, the new version was not available from the main Flash download page, although computers with Flash’s automatic update feature enabled did download and install it. As of January 27, the new version is available on the Flash download page.

Anyone using a web browser with Flash enabled should install the new version as soon as possible.

Ars Technica has additional details.

Update 2015Jan28: Adobe has issued another security bulletin for this update.

Update 2015Jan30: Flash 16.0.0.296 also addresses the vulnerability CVE-2015-0312.

SANS upgrades Infocon threat rating to yellow

SANS Internet Storm Centre has upgraded their Infocon threat rating from green to yellow, in response to the recent zero-day vulnerabilities in Flash. From the associated post:

“Our reasoning is that the Adobe Flash Player is very widely installed, the vulnerability affects multiple platforms, remote code execution gives the attacker complete control of the system, the patch is not yet available, it affects both organizational IT systems as well as home or soho users, a crimeware kit is actively exploiting the vulnerabilities, people might mistakenly believe that the patch from yesterday fixes all of the issues, and last but not least mitigation through the use of EMET or other tools/means is not normally feasible for home users or quick deployment in enterprise environments without testing. In short, the high impact of these vulnerabilities being exploited warrants raising the Infocon from now until Monday.”

The Infocon rating is displayed in the left sidebar of this web site.

Google vs. Microsoft disclosure debate continues

You may recall Microsoft’s recent statements of displeasure at Google’s disclosure of unpatched security vulnerabilities in Windows 8.1.

This argument shows no signs of abating, because Google has disclosed more unpatched vulnerabilities in Windows.

Microsoft needs to understand that it’s on the wrong side of this battle. Vulnerabilities must be patched quickly, and absent any incentive, big companies like Microsoft, Oracle and Adobe will take increasingly long periods of time to produce patches. Ninety days is plenty of time.

VLC has two unpatched vulnerabilities

VLC is one of the most popular media players; it’s cross-platform, and has a reputation for being able to play almost any kind of media. Given its popularity, unpatched vulnerabilities in VLC are likely to make attractive targets to malicious hackers.

Two vulnerabilities in VLC, CVE-2014-9597 and CVE-2014-9598, have yet to be acknowledged by VLC’s developers. Both are memory corruption bugs that can allow attackers to execute arbitrary commands on target systems.

Note that these vulnerabilities only affect VLC running on Windows XP, and only FLV and M2V files.

If you use VLC, you should exercise extreme caution when playing media from sources not known to be safe.

Adobe issues special update for Flash, while another 0-day rears its head

On Thursday, Adobe announced an update that addresses a recently-discovered vulnerability in Flash. According to Adobe, the vulnerability addressed by Flash 16.0.0.287 is CVE-2015-0310.

Anyone using a web browser with Flash enabled should install the new Flash as soon as possible.

Apparently there is at least one additional vulnerability in Flash that affects even the most current version (16.0.0.287) and is currently being exploited in the wild. This zero-day vulnerability is identified as CVE-2015-0311. According to Adobe, they are working on a patch, which should be available in the next few days.

SANS has a useful summary of the recent updates and vulnerabilities related to Flash.

Java 8u31 fixes 19 security issues

New versions of Java were announced by Oracle yesterday. Java 8 update 31 and Java 7 update 76 can be obtained from the main Java download site.

Users are being encouraged to upgrade from Java 7 to Java 8. The download page now offers Java 8 instead of Java 7. Computers configured for Java auto-updates will be automatically upgraded from 7 to 8. And according to Oracle, Java 7 will see its final updates in April 2015.

Brian Krebs has additional details.

Dangerous new Flash 0-day

Even up-to-date installations of Flash are currently vulnerable to a new zero-day exploit that’s showing up in the wild. The exploit has already been added to at least one exploit kit, which means attacks using this exploit are likely to increase rapidly. The exploit can be used to gain unauthorized access to affected computers.

Anyone using a web browser with Flash enabled should be extremely cautious when browsing web sites not known to be safe. The safest course of action is to disable Flash in your browser.

I personally use Firefox with Flash enabled, but I have the Flash add-on configured to always ‘Ask to activate’. That way any time I visit a web site that wants to display Flash content, I can avoid any danger by leaving Flash disabled for that site.

Testing a WordPress URL problem

In monitoring the logs for this web site, I’ve noticed a lot of weird URLs with invalid parameters like ‘loginid’ and ‘commentid’. At first I ignored them, because those parameters don’t do anything and are essentially ignored by WordPress.

But the volume of these strange requests grew to the point where I started to wonder what was going on. It turns out that although WordPress ignores invalid URL parameters, it also – in some cases – returns those invalid parameters in page content. If you go to the home page of boot13.com, and add ‘/?blahblah’ to the end of the URL, then hover your mouse over the ‘Older posts’ link at the bottom of the resulting page, it will show ‘/?blahblah’.

The fact that WordPress echoes arbitrary parameters isn’t in itself a huge problem. Most web crawlers are smart enough to recognize that the spurious parameters don’t correspond to unique pages on the site, so they are ignored automatically. That includes Googlebot. But some crawlers, in particular Bing’s crawler and the MJ12bot crawler, see every URL that includes any arbitrary parameters as a unique URL, and index them accordingly.

This produces a lot of clutter in Bing’s search results for boot13, and the information provided by Bing Webmaster Tools is filled with these bogus URLs. And that’s annoying.

I’ve taken several steps to try to reduce this clutter. I used robots.txt to tell crawlers to ignore any URL with ‘loginid’ or ‘commentid’. Using Bing Webmaster Tools, I told bingbot to ignore those parameters. As a result, Bing’s search results and site data are looking a lot better. But while most crawlers honour robots.txt, some don’t. In particular, some MJ12bot nodes clearly ignore robots.txt. These may be rogue MJ12bot nodes, or those nodes may be misconfigured in some way.
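As an added illustration (not code from this post), here is a small Python script that does the log check described above: it parses combined-format access log lines, picks out requests whose query string carries the spurious ‘loginid’ or ‘commentid’ parameters, and counts them per user agent, so any crawler still fetching such URLs after robots.txt disallows them stands out. The log lines, the bot user-agent strings and the function names are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Query parameters the robots.txt rule in the post tells crawlers to ignore.
SPURIOUS_PARAMS = {"loginid", "commentid"}

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real log data): two bots and one browser.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Jan/2015:10:01:02 +0000] "GET /?loginid=42 HTTP/1.1" 200 5120 "-" "MJ12bot/v1.4 (constructed sample)"
198.51.100.7 - - [28/Jan/2015:10:01:09 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "bingbot/2.0 (constructed sample)"
198.51.100.7 - - [28/Jan/2015:10:01:15 +0000] "GET /page/2/ HTTP/1.1" 200 6000 "-" "bingbot/2.0 (constructed sample)"
203.0.113.5 - - [28/Jan/2015:10:02:30 +0000] "GET /page/2/?commentid=7&loginid=9 HTTP/1.1" 200 6100 "-" "MJ12bot/v1.4 (constructed sample)"
192.0.2.9 - - [28/Jan/2015:10:03:00 +0000] "GET /?blahblah HTTP/1.1" 200 5100 "-" "Mozilla/5.0 Firefox/35.0 (constructed sample)"
"""


def spurious_params(path: str) -> set:
    """Return the spurious parameter names present in a request path's query string."""
    query = urlsplit(path).query
    return SPURIOUS_PARAMS & set(parse_qs(query, keep_blank_values=True))


def crawlers_ignoring_rule(log_text: str) -> dict:
    """Count, per user agent, requests for URLs that robots.txt disallows.

    A user agent with a non-zero count is requesting URLs it was told to skip,
    which is the behaviour the post attributes to some MJ12bot nodes.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess at its fields
        if spurious_params(m["path"]):
            hits[m["ua"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for ua, n in crawlers_ignoring_rule(SAMPLE_LOG).items():
        print(f"{n:3d} disallowed-URL request(s) from {ua}")
```

The check mirrors the robots.txt rule directly instead of parsing the file, because a prefix-only robots.txt matcher (such as Python’s urllib.robotparser) cannot express “any URL containing loginid”.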

Now I’m trying to determine just how much of a problem this really is. I decided to see if I could introduce some arbitrary text into the search results and related data for another WordPress site (one not owned or managed by me).

Here’s a link to the UPS blog. That site runs on WordPress, and it exhibits the same behaviour I’ve been seeing on boot13. The URL in the first sentence of this paragraph contains a special, unique parameter. The idea is to see what happens when the URL is crawled by Bingbot. Will my special parameter show up in the search results for the UPS blog? I’ll update this post as I learn more.

Update 2015Jan30: The parameter is now appearing in Google site search results for the UPS blog! There are at least 79 entries, most of which are actually duplicates, as I write this. Still nothing in Bing’s search results.

Update 2015Jan31: I checked the WordPress bug tracking system to see if anyone had reported this previously. They had. I ended up re-opening an existing ticket and adding my observations. Hopefully this will lead to a fix!
