Microsoft issues emergency update of Certificate Trust List

A set of fraudulent security certificates was identified by security researchers at Google on July 8. The certificates were issued by an authority in India, and trusted by the Microsoft Root Store. That means the bogus certificates potentially impact anyone using certain Windows applications, and especially Internet Explorer.

Microsoft was quick to react, issuing an update of their Certificate Trust List on July 10. Anyone using Internet Explorer should install the update as soon as possible.

Flash 14.0.0.145 fixes more security vulnerabilities

These days ‘Patch Tuesday’ means Adobe updates as well as Microsoft updates. This month was no different: Adobe released a new version of Flash that addresses at least three vulnerabilities, including the JSONP callback API problem that made several popular sites potentially vulnerable.

The Flash runtime announcement for the new version outlines a few new features, most of which are likely only of interest to developers. The associated security bulletin gets into the details of the included security fixes.

As usual, Google Chrome will update itself, but this time via its internal ‘component updater’ rather than with a new version of the browser. Warning: the component updater sometimes takes a few days to do its work; unfortunately, there doesn’t seem to be any way to force the update.

Updates for the Flash component in Internet Explorer running on Windows 8.x will be made available through Windows Update.

Canada’s new anti-spam law

There’s a lot of confusion and panic about CASL, the new Canadian Anti Spam Law, which went into effect on July 1. Like many of you, I’ve been receiving slightly panicky email from businesses, asking me to consent to receive bulk email from those businesses. In fact, asking to confirm consent is not necessary in most cases.

The rules

If you ever send email with multiple recipients in Canada, then the new law may apply to you. That said, there are numerous exceptions. For instance: personal, family, and other non-commercial email is excluded, as is most inter-business and intra-business email.

If you were already following the rules (PIPEDA), you are almost certainly fine to continue what you were doing before. The basic rules of CASL are the same, namely:

  • To send commercial email, you must have consent from all recipients;
  • email must include contact information for the sender;
  • email must include a method for unsubscribing; and
  • email must not be deceptive in any way.

Consent

Most of the confusion about CASL is related to the issue of consent. Two forms of consent come into play: explicit and implicit. The Canadian Government’s information about consent is helpful in understanding the difference. If you obtain recipient addresses by asking customers if they would like to receive business-related email from you, and only record addresses of those who agree, then you already have explicit consent; there is no need to re-obtain consent.

The deadline

Some of the panic about CASL stems from the apparent deadline of July 1, 2014. In fact, although the law came into effect on that date, you have until July 2017 to comply.

What about Twitter?

Another source of confusion is that the new law seems to cover any Internet-based service that sends messages to multiple recipients, including web forums and Twitter. While technically true, most web-based messaging services make it very easy for a recipient to identify the source of a message and to unsubscribe.

An example of what NOT to do

Microsoft recently informed recipients of its security-related emails that it would stop sending those emails. It turned out that this was an ill-informed overreaction to CASL. CASL does not apply to email containing safety or security information. Even if CASL did apply, it would only have applied to Canadian recipients.

Additional information

Java no longer supported on Windows XP

As of April 8, 2014, Oracle is no longer supporting the use of Java on Windows XP. Java 7 can still be installed on Windows XP, and Java 7 updates installed on Windows XP will probably work as expected, but Oracle says you’re on your own if bad things happen. Java 8 will refuse to install on Windows XP.

Recommendation: if you still have computers running Windows XP, stop using Java on those computers.

Update 2014Jul18: Oracle recently posted a clarification, saying that Java issues affecting only Windows XP will not be addressed with updates. Java issues affecting Windows XP as well as other versions of Windows will get updates, and those updates will work as expected on Windows XP.

Edit 2014Jul18: fixed two typos in the first paragraph.

Advance notification for July Microsoft updates

This month’s updates will become available around 10am PST on July 8. There are expected to be six bulletins, with associated updates affecting Windows and Internet Explorer. Two are tagged as Critical.

The official advance notification bulletin has all the technical details, while as usual there’s a less technical summary over on the MSRC blog.

Windows 8 growth rate flatlines; XP still going strong

Despite its initial growth spurt, it looks like people are staying away from Windows 8.x in droves. The latest stats show little to no change in the number of Windows 8.x installs in the last month. Windows XP’s recent slide, no doubt due to the end of its support, has also leveled out. As things stand, Windows XP use is roughly double that of Windows 8.x.

Microsoft may have thrown in the towel on Windows 8.x. They recently announced that the Start menu won’t reappear in Windows 8.x, but will be included in Windows 9, which is giving those of us who advised against switching to Windows 8 an excuse to say ‘I told you so.’

Microsoft adds encryption to its email and cloud storage services

Traffic into and out of Microsoft’s Outlook.com email service will now be encrypted, as long as the other end also supports encryption. Both Outlook.com and OneDrive, Microsoft’s cloud storage service, now use random keys that are generated for each session.

That last change is a strong indication that Microsoft’s motivation in making these changes is to regain public trust in the wake of Snowden’s revelations. The NSA and other law enforcement agencies can only read encrypted communication if they obtain the encryption keys, and now those keys are temporary and disappear after use.

Ars Technica has additional details.

Vulnerability in WordPress plugin MailPoet

A newly-identified bug in the popular WordPress plugin MailPoet exposes any site using the plugin to hijacking.

WordPress site admins who manage sites using MailPoet should upgrade to version 2.6.7 as soon as possible to avoid problems. WordPress sites are an extremely tempting target for nefarious hackers and news of this vulnerability has undoubtedly spread rapidly among them.

Update 2014Jul24: According to Sucuri, once a web server has been compromised via this MailPoet vulnerability, all sites on the server are vulnerable, including sites not even running WordPress or MailPoet. Ars Technica has more.
