Google Updates Chrome, “Pinkie Pie” Makes $60K

October 10, 2012

Only a couple of days after the last update of Google’s Chrome browser, another new version, 22.0.1229.94, has been released for Windows, Linux, and Mac OS X. This release fixes security flaws that make Chrome vulnerable to a specific exploit involving the rendering process for Scalable Vector Graphics [SVG] and Chrome’s inter-process communications. More details are available in the Release Announcement.

The exploit was discovered by a hacker who goes by the name “Pinkie Pie”, as part of Google’s second Pwnium contest. Google offers cash prizes to those who can demonstrate security vulnerabilities in its software; because this exploit attacked only code that is part of Chrome itself, Pinkie Pie was eligible for the top award of $60,000 and a Chromebook computer. Google software engineer Chris Evans has a blog post describing the exploit in more detail. Ars Technica also has an article on the exploit.

I think Google is to be commended for taking an active approach to improving the security of its software, through the Pwnium contests and through its regular “bug bounty” program. They also deserve credit for developing a fix for this exploit in a matter of hours.

Mozilla Releases Thunderbird 16.0

October 10, 2012

Following on yesterday’s release of Firefox 16.0, Mozilla has released version 16.0 of the Thunderbird e-mail client for Windows, Linux, and Mac OS X. The new release contains a number of bug fixes; it also has fixes for 13 security vulnerabilities, 10 of which Mozilla rates as Critical. The new version adds to the services that can be used with FileLink (an alternative to mailing large attachments); it also adds the capability to do silent background software updates, if the user wishes. More information is available in the Release Notes.

Because of its security content, I recommend that you update your systems as soon as you conveniently can. You can get the new version using the built-in update mechanism (Help / About Thunderbird / Check for Updates); alternatively, you can download a complete installation package from Mozilla’s site.

Microsoft Patch Tuesday, October 2012

October 10, 2012

In keeping with its usual schedule, Microsoft yesterday released its monthly bundle of security patches for October. This month there are seven patches, which address 21 identified vulnerabilities (13 of these are covered by one server bulletin, MS12-067). Two of the patches are for Windows and its components, three affect Microsoft Office, and the others are for other Microsoft software products. (A quick breakdown is given in this month’s preview post.) Microsoft rates one of the Office patches as Critical; the others are rated Important. According to Microsoft, the two Windows patches will definitely require a system restart; the other patches may require one, depending on your system’s configuration. All the details are available in the Security Bulletin Summary for October, 2012.

As always, the good folks at the SANS Internet Storm Center have published their own summary of this month’s patches, including their severity ratings.

I recommend that you patch your systems as soon as you conveniently can.