This month there will be seven bulletins and associated updates for Windows, Office and Internet Explorer. Two are rated Critical.
One of the updates will fix the recently-discovered vulnerability in Internet Explorer 8.
The official advance warning bulletin has all the technical details.
Two new vulnerabilities were recently discovered in widely-used security software OpenSSL and GnuTLS.
The OpenSSL vulnerability is not as dangerous as the infamous Heartbleed bug, but can allow attackers to pull private information from communications between unpatched systems, including passwords.
The GnuTLS vulnerability can be used by malicious persons to execute arbitrary code on devices accessing specially-crafted web pages.
As with Heartbleed, these vulnerabilites mainly affect servers, although client software and operating systems that use the GnuTLS and OpenSSL libraries are also at risk. Patches are expected to be made available soon.
In an effort to reduce the problems caused by buggy, incompatible, and malicious Chrome add-ons, Google now only allows add-ons from its Chrome Web Store to be installed. In addition, add-ons based on the old NPAPI technology will no longer install in Chrome.
While this is generally seen as a good idea, many users who were running older or unofficial add-ons are annoyed at this change.
Chrome, Firefox and Internet Explorer can be tricked into revealing your browsing history by unscrupulous web site owners.
The new vulnerability is similar to one that was discovered, then patched, in the major browsers several years ago. The new technique uses a different approach to accomplish the same thing.
Browser developers are working on fixes for this vulnerability, but in the meantime, anyone concerned about their browser history potentially being revealed should get into the habit of clearing their history frequently. Alternatively, you could switch to a privacy-oriented browsing solution such as the Tor Browser Bundle.
Anyone using the All in One SEO Pack plugin on their WordPress site should update the plugin to the most recent version (2.1.6) as soon as possible.
Security researchers recently discovered a flaw in the plugin that can make sites using it vulnerable to hijacking.
An international law enforcement project to disrupt the Gameover botnet is underway.
Gameover, aka Gameover Zeus or GOZ, is currently installed on up to a million computers worldwide. The botnet is rented out for malicious purposes, including harvesting private information, sending spam email, denial of service (DoS) attacks, extortion, and distribution of various kinds of malware, including the awful CryptoLocker [1,2] ransomware.
This effort to disrupt GOZ has already been very successful: the botnet’s owners are no longer able to control clients. As for Cryptolocker, newly-infected machines can no longer communicate with their controlling servers, which means they are safe, at least for now. Infected machines that are already encrypted are not affected and must still pay the decryption ransom or lose all encrypted information.
Brian Krebs provides additional details on his Krebs on Security blog.
Update 2014Jun09: Brian Krebs has a behind-the-scenes look at what went into this takeover. To this point, the takeover seems to have been 100% effective, but the botnet developers may have more moves left.
Yesterday another new version of the Webkit-based Opera browser was announced.
Opera 22.0.1471.50 introduces a new update process (on Windows computers) that is apparently completely silent: it updates Opera without any interaction from the user. A variety of stability and other issues were also fixed in the new version. For a complete list of what’s changed since version 21, see the official change log.
Sadly, there’s still no sidebar in Opera 22.
Someone recently discovered that it’s possible to trick Windows Update into providing updates for Windows XP.
Recall that even though Microsoft has stopped issuing updates for Windows XP to the general public, they are actually still developing updates – for paying customers.
The trick for obtaining updates for Windows XP involves changing a setting in Windows that makes Windows Update think that it’s actually running a variant of Windows XP that’s still supported, namely ‘POSReady 2009’.
There are all kinds of problems with this, starting with the likelihood that Microsoft will find a way to stop it. In short, if you’re desperate to keep running Windows XP and you want to install the available updates, and you’re willing to take the risk of totally messing up your system, it might be worth a try. But I seriously cannot recommend it.
Update 2014Jun04: For those of you who can’t resist the temptation to try this, the procedure is outlined in this betanews.com blog post.
The search engine DuckDuckGo has received a lot of attention because of its attitude towards user privacy. Unlike Google, DuckDuckGo doesn’t store your search queries. Their motto is ‘The search engine that doesn’t track you.’
Not everyone cares whether their online activities are tracked. But for those who do, DuckDuckGo’s Fix Tracking! page is an excellent source of information. Once you’ve selected your web browser, you’ll be presented with a list of tools and techniques that can help to reduce the amount of tracking that is done when you use that browser.
The Fix Tracking! page also contains a section describing Common Tracking Methods. Recommended reading.
Brian Krebs runs an excellent security blog called Krebs on Security.
One particularly useful post on Brian’s blog is Tools for a Safer PC, in which he presents his recommendations for securing your PC against various threats. There are numerous similar lists on the web, but this is one of the best, and I have no qualms at all in recommending it.
boot13