Internet Explorer vulnerability reported

Zero Day Initiative, a security vulnerability reporting initiative funded by HP, recently announced a vulnerability affecting Internet Explorer 8 (and possibly other versions).

The vulnerability was originally discovered and reported to Microsoft in October 2013, and confirmed by Microsoft in February 2014. Since Microsoft has not yet issued a patch, ZDI announced the vulnerability in keeping with their disclosure policy.

Anyone using Internet Explorer is strongly encouraged to install and use Microsoft EMET, which will help to mitigate this vulnerability.

Update 2014May25: Despite some reports to the contrary, Microsoft is planning to fix this vulnerability. The problem only seems to affect IE8, and no exploits have yet been seen in the wild.

Blackshades users being investigated

Krebs on Security reports that anyone who purchased the hacking toolkit known as ‘Blackshades’ should be prepared for the authorities to kick in their door and confiscate their computers.

Blackshades is “a password-stealing Trojan horse program designed to infect computers throughout the world to spy on victims through their web cameras, steal files and account information, and log victims’ key strokes.”

eBay systems hacked, users should change passwords

eBay just revealed that their systems were hacked earlier this year. Encrypted passwords and other non-financial data were stolen.

Anyone with an eBay account is strongly encouraged to change their password as soon as possible.

Oddly, when I logged into my eBay account to change my password a few hours ago, there was no mention of this breach or any warning about changing passwords. The only announcement of the breach from eBay seems to be this blog post on ebayinc.com. Ars Technica has more information about this unfortunate lapse on the part of eBay.

Update 2014May23: All the recent attention to their passwords is leading to some criticism of eBay’s password-handling procedures. Hopefully eBay will be quick to improve in this area.

Update 2014May25: Lost in all the concern about password changes is the fact that even if none of the stolen encrypted passwords are cracked, the other – unencrypted – information stolen (including eBay customer names, email addresses, physical addresses, phone numbers and dates of birth) will be very useful for anyone involved in credit card fraud and phishing efforts. And there’s not much you can do about that.

Adobe Shockwave is also a target

Another increasingly popular target for malicious hackers is Adobe Shockwave. But what is Shockwave, and how does it relate to Adobe Flash?

Like Flash, Shockwave is a media platform, and Shockwave media is most commonly found on the web. The two platforms do many of the same things, but the software for creating Shockwave media is both more powerful and more expensive. Flash media is much more common.

In any case, since Shockwave is a target, and since the Shockwave player is commonly installed on the computers of regular users (usually in the form of a browser plugin), I’m adding it to the Software Versions page on this web site.

Update 2014May22: Now comes word that Shockwave contains a version of the Flash player that is over a year out of date. None of the security updates and features added to Flash in the past fifteen months are present in Shockwave’s bundled Flash. Because of this, we recommend disabling Shockwave in your web browser immediately.

Microsoft Silverlight an increasingly popular target

As the popularity of software and platforms ebbs and flows, so do the targets of malicious hackers. In the past few years, Java and Flash were the most notable targets.

More recently, Microsoft’s Silverlight media platform is increasingly being targeted. This is almost certainly due to the fact that Netflix uses that particular technology. Attackers are always drawn to platforms that are widely used by ordinary folks.

Because of this, I’m adding Silverlight to the list of software products that I track on this site’s Current Versions page.

Adobe Patch Tuesday for May 2014

Adobe has settled into a routine of publishing updates for its software on the second Tuesday of each month, in line with Microsoft’s practices. Today Adobe announced updates for Flash and Reader/Acrobat.

Both the Flash bulletin and the Reader/Acrobat bulletin are a bit light on details, saying only that the updates address critical vulnerabilities in the software.

The release notes for the new version (13.0.0.214) of Flash go into more detail, although most of the information is about new features.

As usual, the Flash player built into Google Chrome and into Internet Explorer on Windows 8.x will be updated automatically and via Windows Update, respectively.
