Another new version of Chrome was released on August 12. Version 36.0.1985.143 closes twelve security holes and includes a new version of Flash.
August Patch Tuesday for Adobe software
Adobe’s monthly updates continue to coincide with Microsoft’s. This month there are updates for Adobe Acrobat/Reader and Flash.
The new version of Flash is 14.0.0.176, unless you’re using Flash in a browser other than Internet Explorer, in which case it’s 14.0.0.179. Regardless, the new version includes several bug and security fixes, and adds some new features that are mainly of interest to developers.
The latest version of Adobe Reader is 11.0.0.8. This version fixes a specific vulnerability that allows attackers to circumvent security protections. According to Adobe, attacks based on this vulnerability have been seen in the wild.
August Patch Tuesday for Microsoft software
Time once again to crank up Windows Update and patch your Windows computers. As expected, this month’s batch includes nine bulletins with associated updates for SQL Server, OneNote, SharePoint, .NET, Windows and Internet Explorer. Two Critical updates affect Windows and Internet Explorer.
Related information from Microsoft:
Java 7 Update 67 fixes problems caused by previous release
Apparently Java 7 Update 65 created problems for some Java installations, preventing certain applications from launching.
On August 4, Oracle released Update 67 for Java 7. The new version fixes the problems introduced in Update 65. Anyone experiencing problems with their Java 7 installation should install Update 67. This is not a security update.
Latest Ouch! newsletter: all about encryption
This month’s Ouch! newsletter (PDF) from SANS provides a useful overview of encryption, and what it means in the context of the web. Recommended reading for anyone hazy on the subject.
Microsoft will only support most recent Internet Explorer after January 2016
If you want to keep receiving security and bug fixes for Internet Explorer after January 12, 2016, you’ll have to upgrade to the most recent version first. For now, that means IE 11. But if IE 12 is ready before January 12, you’ll be forced to update to that version.
Microsoft is doing this mainly to reduce support costs. But this is also the approach used by Google for its Chrome browser, and Mozilla is moving in that direction for Firefox.
Additional reading:
Another WordPress plugin with critical security issues
WordPress is still an extremely attractive target for malicious hackers. One of the ways they can gain access to WordPress sites is to examine third-party WordPress plugins, looking for security vulnerabilities. Plugins aren’t subject to any kind of approval or auditing process; anyone can develop and publish them.
Many of the most famous WordPress hacks were actually hacks of plugins, not the WordPress core software. The TimThumb graphics library is a good example.
Now there’s news that the popular Custom Contacts Form plugin is vulnerable, and sites running unpatched versions are exposed to complete takeover by nefarious persons.
Anyone who runs a WordPress site that uses Custom Contacts Form should immediately update the plugin to version 5.1.0.4 or higher.
What we know about the recent theft of 1.2 billion passwords
On August 5, the New York Times ran a story calculated to cause panic among Internet users. According to the story, a Russian gang had obtained up to 1.2 billion (yes, billion) login credentials.
The source of the story was Alex Holden, of Hold Security. Unfortunately, Holden didn’t provide much in the way of details, which has given rise to a lot of speculation about the facts, and of Holden’s motives.
Hold Security followed up the story by announcing that they planned to offer a fee-based service that would allow anyone to check whether an email address or user id was in the database of stolen credentials. Many took this as a sign that Hold Security was involved in some kind of scam, but well-known security blogger Brian Krebs came to Holden’s defense in a recent post.
Bruce Schneier, another famous security analyst, isn’t sure. He says – and we agree – that there’s something squirrely about this story.
In any case, it’s simply too soon to know for sure what’s going on. Until someone starts using the purloined information for something other than spam, all we can do is wait. Hopefully Hold Security will either create a free tool for checking credentials, or they’ll hand the database over to someone else who will.
In the meantime, our advice remains the same: use complex, unique passwords, especially for critical accounts like online banking.
Advance notification: Microsoft updates for August
Another month, another pile of patches from Microsoft. This month the updates will become available starting about 10am PST on August 12. According to the official advance notification, there will be nine security bulletins, with associated updates for Windows, Internet Explorer, .NET, SharePoint, OneNote and SQL Server. Two are rated critical.
CryptoLocker defanged at last
Security researchers have cracked the encryption used by the horrible CryptoLocker ransomware.
Recall that once CryptoLocker infects a computer, it encrypts all documents it can find, making them inaccessible until you pay the perpetrators $300 for a key to unlock them. Thousands of users have been hit, with some paying the ransom, while many others lost their data forever.
The researchers have set up a free web site (2016Jan09: the site has been decommissioned) that allows anyone hit by CryptoLocker to decrypt their files. You must upload one encrypted file, after which you are sent the required key. After decrypting your files, you can then use a CryptoLocker removal tool to get rid of the infection.
boot13