A whopping 26 security vulnerabilities are addressed in the latest version of Google’s web browser. The new version also includes fixes related to stability and performance, and adds some minor features. The official announcement has all the details.
Web-based password managers found to be insecure
Researchers at the University of California, Berkeley tested several popular web-based password managers and found serious vulnerabilities.
Although it’s a good idea to use password management software, any web-based service is going to be a tempting target for nefarious persons, since discovering one password will typically open a treasure trove of additional passwords.
We recommend using an offline password manager like Bruce Schneier’s Password Safe or Password Corral.
New Java updates fix 20 vulnerabilities
Oracle published its most recent quarterly Critical Patch Update bulletin on Wednesday. The bulletin describes updates to most of Oracle’s products, including its flagship database software, but the updates of interest to most people are those related to Java.
New versions of Java include fixes for twenty security vulnerabilities, many of which could be exploited by attackers to gain control of affected computers. The Java SE 8 Update 11 and Java SE 7 Update 65 release announcement outlines some new features, while the full release notes for Java 7 Update 65 and Java 8 Update 11 provide additional details.
As usual, given the severity of the vulnerabilities fixed by these new versions, you are strongly encouraged to update as soon as possible, particularly if you are using a Java-enabled web browser. Brian Krebs has more.
Microsoft issues emergency update of Certificate Trust List
A set of fraudulent security certificates was identified by security researchers at Google on July 8. The certificates were issued by an authority in India, and trusted by the Microsoft Root Store. That means the bogus certificates potentially impact anyone using certain Windows applications, and especially Internet Explorer.
Microsoft was quick to react, issuing an update of their Certificate Trust List on July 10. Anyone using Internet Explorer should install the update as soon as possible.
Flash 14.0.0.145 fixes more security vulnerabilities
These days ‘Patch Tuesday’ means Adobe updates as well as Microsoft updates. This month was no different: Adobe released a new version of Flash that addresses at least three vulnerabilities, including the JSONP callback API problem that made several popular sites potentially vulnerable.
The Flash runtime announcement for the new version outlines a few new features, most of which are likely only of interest to developers. The associated security bulletin gets into the details of the included security fixes.
As usual, Google Chrome will update itself, but this time via its internal ‘component updater’ rather than with a new version of the browser. Warning: the component updater sometimes takes a few days to do its work; unfortunately, there doesn’t seem to be any way to force the update.
Updates for the Flash component in Internet Explorer running on Windows 8.x will be made available through Windows Update.
July Patch Tuesday for Microsoft software
As expected, there are six bulletins and associated patches this month. The updates affect Windows and Internet Explorer. Two are rated Critical. A total of 29 CVEs (Common Vulnerabilities and Exposures) are addressed. The MSRC post for this month’s updates has additional information.
Canada’s new anti-spam law
There’s a lot of confusion and panic about CASL, the new Canadian Anti-Spam Law, which went into effect on July 1. Like many of you, I’ve been receiving slightly panicky email from businesses, asking me to consent to receive bulk email from those businesses. In fact, asking to confirm consent is not necessary in most cases.
The rules
If you ever send email with multiple recipients in Canada, then the new law may apply to you. That said, there are numerous exceptions. For instance: personal, family, and other non-commercial email is excluded, as is most inter-business and intra-business email.
If you were already following the rules (PIPEDA), you are almost certainly fine to continue what you were doing before. The basic rules of CASL are the same, namely:
- To send commercial email, you must have consent from all recipients;
- email must include contact information for the sender;
- email must include a method for unsubscribing; and
- email must not be deceptive in any way.
Consent
Most of the confusion about CASL is related to the issue of consent. Two forms of consent come into play: explicit and implicit. The Canadian Government’s information about consent is helpful in understanding the difference. If you obtain recipient addresses by asking customers if they would like to receive business-related email from you, and only record addresses of those who agree, then you already have explicit consent; there is no need to re-obtain consent.
The deadline
Some of the panic about CASL stems from the apparent deadline of July 1, 2014. In fact, although the law came into effect on that date, you have until July 2017 to comply.
What about Twitter?
Another source of confusion is that the new law seems to cover any Internet-based service that sends messages to multiple recipients, including web forums and Twitter. While technically true, most web-based messaging services make it very easy for a recipient to identify the source of a message and to unsubscribe.
An example of what NOT to do
Microsoft recently informed recipients of its security-related emails that it would stop sending those emails. It turned out that this was an ill-informed overreaction to CASL. CASL does not apply to email containing safety or security information. Even if CASL did apply, it would only have applied to Canadian recipients.
Additional information
- The Canadian government’s main CASL page
- Michael Geist: The Fear-Free Guide to Canada’s Anti-Spam Legislation: Answers to Ten Common Questions
- Michael Geist: The Canadian Anti-Spam Law Panic: Same As It Ever Was
- Michael Geist: Keep Calm and Get Consent: Canada’s Anti-Spam Law Takes Effect This Week
- Michael Geist: The Benefits of Consent
- Michael Geist: Enforcing CASL: How To Report Spam Violations
- Michael Geist: In Defence of Canada’s Anti-Spam Law, Part One: Why Spam is Still a Problem and the New Law Will Help
- Michael Geist: In Defence of Canada’s Anti-Spam Law, Part Two: Why the Legislation Is Really a Consumer Protection and Privacy Law in Disguise
Java no longer supported on Windows XP
As of April 8, 2014, Oracle is no longer supporting the use of Java on Windows XP. Java 7 can still be installed on Windows XP, and Java 7 updates installed on Windows XP will probably work as expected, but Oracle says you’re on your own if bad things happen. Java 8 will refuse to install on Windows XP.
Recommendation: if you still have computers running Windows XP, stop using Java on those computers.
Update 2014Jul18: Oracle recently posted a clarification, saying that Java issues affecting only Windows XP will not be addressed with updates. Java issues affecting Windows XP as well as other versions of Windows will get updates, and those updates will work as expected on Windows XP.
Edit 2014Jul18: fixed two typos in the first paragraph.
Advance notification for July Microsoft updates
This month’s updates will become available around 10am PST on July 8. There are expected to be six bulletins, with associated updates affecting Windows and Internet Explorer. Two are tagged as Critical.
The official advance notification bulletin has all the technical details, while as usual there’s a less technical summary over on the MSRC blog.
This month’s Ouch! newsletter: Email etiquette
The SANS Ouch! newsletter for July (PDF) outlines what you should know about email, particularly things you should avoid doing. It’s worth reviewing for anyone who uses email.