Google Releases Chrome 27

May 21, 2013

Google today announced the release of a new version, 27.0.1453.93, of its Chrome browser for all platforms: Mac OS X, Linux, Windows, and Chrome Frame. The new version incorporates some capability improvements:

  • Web pages should, on average, load a bit faster (about 5%)
  • The chrome.SyncFilesystem API for access to Google Drive is available
  • Better spell checking and input prediction

The new release incorporates the latest version of the bundled Flash Player, as well as fixes for 14 identified security vulnerabilities, 10 of which Google rates as High severity. Further information is available in the Release Announcement.

Because of the security content of this release, I recommend that you update your systems as soon as you conveniently can.   Windows and Mac users can get the new version via the built-in update mechanism; Linux users should check their distribution’s repositories for the new version.  If you need to get a complete installation package, you can download it here.


Mozilla Releases Firefox 21, Updates Thunderbird

May 14, 2013

Not wishing, apparently, to be left out of the Patch Tuesday festivities, Mozilla today released the next major version, 21.0,  of its Firefox browser for Mac OS X, Windows, and Linux.  This version fixes eight security vulnerabilities, three of which Mozilla rates as critical.  The new version also incorporates some new features, including:

  • Enhanced “Do Not Track” interface
  • Support for multiple providers in the Social API
  • Suggestions on how to improve application start-up time, if needed

Further information on the new version is available in the Release Notes.  You can download installation packages, in a variety of (human) languages.

Mozilla also released a new version, 17.0.6, of its Thunderbird E-mail client, for all platforms. The new version provides an update to the Twitter API it uses, and also fixes six security vulnerabilities, three of which Mozilla rates as serious. Further information is available in the Release Notes. You can download installation packages for all languages and platforms.

Because of the security content of these releases, I suggest updating your systems as soon as it’s convenient.


Microsoft Patch Tuesday, May 2013

May 14, 2013

As expected, Microsoft today released its regular monthly batch of security bulletins and associated patches.  This month there are ten bulletins, addressing 32 identified vulnerabilities.    Two bulletins have a Critical severity rating, and the remaining eight are rated Important.   Five of the bulletins are for Windows and its components; every supported version of Windows is affected, and all desktop versions have one or more Critical vulnerabilities.

The remaining five bulletins, all of which are rated Important, apply to other Microsoft software products.   There are three bulletins for Microsoft Office and its components (including Word Viewer).  Microsoft Lync has one bulletin, and there is one for Windows Essentials.

Microsoft says that three of the Windows bulletins will definitely require a system reboot, and the others may require one, depending on the configuration of your system.

For more detailed information, and download links, please see the Microsoft Security Bulletin Summary for May 2013.

As usual, I recommend applying these patches to your systems as soon as you conveniently can.

The handlers at the SANS Internet Storm Center have posted their usual summary and evaluation of this month’s patches.

Update Tuesday, May 14, 14:40 EDT

According to the folks at the SANS Internet Storm Center, one of these bulletins, MS13-038, which applies to Internet Explorer 8, fixes a vulnerability that is being exploited currently.


Critical Updates for Adobe Reader, Acrobat — and Flash

May 14, 2013

As expected, Adobe has released new versions of its Acrobat and Reader software, incorporating critical security updates.  There is also a critical update for Flash Player, though this was not included in the preview announcement.

The updates for Reader and Acrobat address a total of 27 identified vulnerabilities. According to the Security Bulletin [APSB 13-15], the vulnerable versions of Acrobat and Reader are:

  • Adobe Reader XI (11.0.02) and earlier 11.x versions for Windows and Macintosh
  • Adobe Reader X (10.1.6) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.5.4 and earlier 9.x versions for Windows, Macintosh and Linux
  • Adobe Acrobat XI (11.0.02) and earlier 11.x versions for Windows and Macintosh
  • Adobe Acrobat X (10.1.6) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat 9.5.4 and earlier 9.x versions for Windows and Macintosh

The Security Bulletin lists the appropriate new versions for these. Users of Reader or Acrobat on Windows or Mac OS X can get the new version via the update mechanism built into the software, which is set to check for updates automatically by default; to initiate a check manually, choose Help / Check for Updates from the product menu. Alternatively, you can download appropriate Reader updates from these links:

Please see the Security Bulletin for Acrobat update downloads, and for further details.

As noted above, Adobe has also released Critical updates for Flash Player; according to the Security Bulletin [APSB 13-14], these fixes address 13 identified vulnerabilities. Affected versions of the software are:

  • Adobe Flash Player 11.7.700.169 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.280 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.54 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.50 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.7.0.1530 and earlier versions for Windows and Macintosh
  • Adobe AIR 3.7.0.1660 and earlier versions for Android
  • Adobe AIR 3.7.0.1530 SDK & Compiler and earlier versions

Users on Windows or Mac OS X systems should receive the update automatically, if they have enabled the option “Allow Adobe to install updates”. Otherwise, they can obtain the new version from the Flash Player Download Center, as can Linux users. Please see the Security Bulletin for Android updates. Google Chrome ships with its own version of Flash Player, and I would expect a new version of Chrome, incorporating these updates, to appear “real soon now”. I’ll update this post when it’s available.

Because they are so widely installed across platforms, Reader and Flash Player have been tempting targets for the Bad Guys. I suggest that you update your systems as soon as you conveniently can.

Update Tuesday, 14 May, 13:05 EDT

According to a post on the Chrome Releases blog, Google is now pushing Flash Player updates for the Windows and Mac versions of Chrome. (Mea culpa: I had forgotten that they had added the capability to update things like Flash without doing a whole new version.)


OUCH on Passwords

May 13, 2013

One of the “Useful Links” in the sidebar here is to the SANS Internet Storm Center [ISC].  The site, staffed by volunteer “handlers”, a group of highly skilled and experienced security professionals and systems/network administrators,  is a very valuable source of the latest security news.  It is, however, a site aimed at IT professionals, and tends, understandably, to be fairly technical, and to assume a fair amount of basic IT knowledge for starters.

However, to their credit, the folks at ISC have not neglected the ordinary user.  It has had, for a couple of years now, an initiative called Securing the Human, which attempts to address security policy issues considering the users’ perspective.  (In the interests of honesty, from personal experience, I am bound to say that this is probably not entirely from altruistic motives — better educated users are, on the whole, less likely to make terminally stupid mistakes.)    The Securing the Human initiative has also involved publishing a newsletter called OUCH!, which is oriented toward end users.

The latest issue of OUCH! has a short (three-page) article on good password practice [PDF].  It has some good, common sense advice that will help you use passwords securely.  If you are a systems admin person, you might want to consider giving copies to your users.

I’d just make one final suggestion: using a password manager, such as Bruce Schneier’s PasswordSafe, can be a big help in managing your passwords, and using them well.


Microsoft Patch Tuesday Preview, May 2013

May 12, 2013

In keeping with its usual schedule, Microsoft on Thursday  released the Security Bulletin Advanced Notification for May 2013, previewing the security bulletins and associated patches it intends to release next Tuesday, May 14, 2013.  This month there are ten bulletins in all; two of these have a maximum security rating of Critical; the rest are rated Important.   Five of the bulletins, including both the Critical ones, are for Windows and its components.  All supported desktop versions of Windows have at least one Critical bulletin.  The table below shows a breakdown of the Windows bulletins by severity and Windows version.

Windows Version Critical Important Moderate
Windows XP+SP3 2 2
Windows Vista 2 2
Windows Server 2003 1 2
Windows Server 2008 1 2
Windows 7 2 2
Windows Server 2008 R2 2 2
Windows 8 1 3
Windows RT 1 2 1
Windows Server 2012 3 1
Windows Server Core 3

Microsoft says that four of the Windows bulletins will definitely require a restart, and the other bulletins may require one, depending on your system’s configuration.

The remaining five bulletins, all of which are rated Important, apply to other Microsoft software products.   There will be three bulletins that apply to Microsoft Office, one for Lync, and one for Windows Essentials.

As always, this information is subject to change between now and the actual release of the bulletins next Tuesday.  I will post a note here once the actual updates are available.

