A new version of Google’s web browser fixes one minor font rendering bug on Windows. See the official announcement for details.
Home Depot: massive security breach
Brian Krebs reports on the most recent security breach at a major retailer. According to some reports, the breach started as far back as April 2014. There’s no direct evidence of a breach, but it looks like it’s only a matter of time before that changes, given the suspicious activity related to Home Depot being reported by financial institutions.
Update 2014Sep04: Details are starting to appear, and it looks like almost all Home Depot stores in the USA are affected.
Update 2014Sep19: Brian Krebs has additional details on the scale of the breach. According to Home Depot, as many as 56 million debit and credit card numbers were stolen.
Update 2014Nov08: As if this breach wasn’t already bad enough, apparently the attackers also stole as many as 53 million email addresses from Home Depot systems. Maybe this explains the recent uptick in spam email I’ve noticed.
Targeted iCloud accounts compromised
By now you’ve likely heard that dozens of celebrity accounts on Apple’s iCloud service were recently accessed by unscrupulous persons, and embarrassing photos from those accounts posted on various web sites.
This should serve as a reminder to everyone who uses web-based storage like iCloud that such services are extremely tempting targets for nefarious hackers.
In this case, the invader discovered that the ‘Find my Phone’ app had no protection against brute force (rapid, automated) login attempts. This was used, along with a list of common passwords, to learn the passwords of some targeted iCloud accounts, at which point all data stored on those accounts became available.
If you use cloud storage, make sure to use strong passwords; otherwise, you might as well assume everything you store there is publicly accessible.
The SANS InfoSec Handler’s Diary has more.
Update 2014Sep07: Ars Technica has a followup, in which Apple CEO Tim Cook admits Apple could have done more to prevent the incident, and talks about upcoming iCloud security changes. On his blog, Bruce Schneier reminds everyone that strong passwords would have protected the victims’ accounts, and advises using an offline password manager.
Chrome 37.0.2062.102 released
Another new version of Google’s web browser was announced yesterday. Version 37.0.2062.102 fixes a lone bug that was causing font rendering problems in some situations. There are no security fixes in the new version, so there’s no urgency about updating.
Windows Store cleanup underway
If you’re using Windows 8.x, you’re familiar with the Windows Store, because it’s the main source for Windows 8 applications. Unfortunately the store hasn’t been at all well curated, and it’s filled with scammy and misleading apps.
After a series of complaints, Microsoft is finally doing something about it. At least 1500 scammy apps have been removed from the store. Apps must now (and retroactively) comply with stricter rules on app naming and icon use.
Microsoft re-releases buggy MS14-045 update
As recently reported here, Microsoft’s August updates included some that caused big problems for many Windows users. The updates were quickly removed from Microsoft’s update servers.
Yesterday, Microsoft re-released one of the problematic updates, MS14-045.
If you’re not using Windows Auto-update, you should install the new update as soon as possible.
64-bit Chrome released
Yesterday Google announced the availability of a 64-bit version of the Chrome web browser.
PC hardware has been 64-bit capable for several years now, and new PCs have been shipping with 64-bit operating systems for almost as long. The main difference between 32-bit and 64-bit PCs is that the latter can use more memory (RAM). More memory means faster operation.
We’ve been slow to move to 64-bit systems, mainly because the advantage of having access to more memory hasn’t been important to typical users. I’m writing this on a PC which has hardware capable of running a 64-bit operating system, but is in fact running 32-bit Windows 7. For the most part, this hasn’t been a problem, since even though I do run a lot of software, I typically haven’t needed more than the 3.25 gigabytes to which I’m currently limited. But that’s changing, and I’m about to make the switch to a 64-bit O/S.
Software developers have similarly been slow to embrace the new 64-bit world, and for the same reason: if running a 64-bit version of your software is indistinguishable from running the 32-bit version, why bother developing and maintaining a 64-bit version at all? There are of course exceptions; applications that use large amounts of memory, such as video editors, clearly benefit enormously from the availability of more RAM. Along with operating systems, that type of software has been available in 64-bit form for years.
Other software developers are slowly joining the 64-bit party, and the latest to do so is Google, for its web browser, Chrome. Although web browsers traditionally haven’t needed a lot of RAM to operate, that is starting to change, with ever more massive, media-rich pages appearing on the web. Mozilla has been struggling to develop a stable 64-bit version of Firefox for Windows; they recently announced that they were giving up, only to reverse that decision in the face of criticism.
Ars Technica has more, including a breakdown of the pros and cons of the new 64-bit Chrome.
Chrome 37.0.2062.94 fixes 50 security issues
Google released another new version of its web browser today. Chrome 37.0.2062.94 includes fixes for fifty security vulnerabilities, as well as other improvements to stability and performance. The official announcement has all the details.
Problems with recent updates from Microsoft
Microsoft has removed the download links for several Windows updates that were released on August 12 for Patch Tuesday. Users have been reporting BSOD (Blue Screen Of Death) errors after installing the updates. Not all Windows computers received these updates, and not all computers where the updates were installed are affected negatively.
The updates in question are all related to the MS14-045 bulletin, which refers to a set of security updates for the Windows kernel. Microsoft is advising users to avoid installing the related updates and to uninstall them if already installed. The KB2982791 update notes have been amended to include information about the problem and how to remove the affected updates.
The affected updates are:
- KB2982791 MS14-045: Description of the security update for kernel-mode drivers: August 12, 2014
- KB2970228 Update to support the new currency symbol for the Russian ruble in Windows
- KB2975719 August 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2
- KB2975331 August 2014 update rollup for Windows RT, Windows 8, and Windows Server 2012
You can discover whether any of these updates exist on your Windows 7 or 8 computer by opening the Programs and Features item in the Control Panel, and clicking View installed updates. Enter a KB number in the search box at the top right to search for it.
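The same check can be done from a PowerShell prompt. The script below is an added example, not from Microsoft or the original post. It looks up the four KB numbers listed above with the built-in Get-HotFix cmdlet and, for any that are present, prints the matching wusa.exe removal command without running it.

```powershell
# KB numbers copied from the list of affected updates above.
$affected = 'KB2982791', 'KB2970228', 'KB2975719', 'KB2975331'

# Get-HotFix reads the Win32_QuickFixEngineering WMI class. Query it once
# and index the results by KB number (hashtable keys are case-insensitive).
$installed = @{}
Get-HotFix | Where-Object { $_.HotFixID } |
    ForEach-Object { $installed[$_.HotFixID] = $_ }

# Build one row per affected update, whether or not it is installed.
$report = foreach ($kb in $affected) {
    $hit = $installed[$kb]
    New-Object PSObject -Property @{
        KB          = $kb
        Installed   = ($hit -ne $null)
        InstalledOn = $(if ($hit) { $hit.InstalledOn })
    }
}
$report | Select-Object KB, Installed, InstalledOn | Format-Table -AutoSize

# Print (do not run) the removal command for each affected update found.
$report | Where-Object { $_.Installed } | ForEach-Object {
    'wusa.exe /uninstall /kb:{0} /norestart' -f $_.KB.Substring(2)
}
```

The script avoids PowerShell 3.0-only syntax so that it also runs on the PowerShell 2.0 that ships with Windows 7.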
Chrome 36.0.1985.143: security fixes and new Flash
Another new version of Chrome was released on August 12. Version 36.0.1985.143 closes twelve security holes and includes a new version of Flash.