Posts Tagged ‘Mac’
Thursday, April 16, 2015 @ 03:04 PM gHale
Chrome 42 for Windows, Mac and Linux is now up and running and this latest release fixes 45 security issues and removes NPAPI support, said Google officials.
The most serious vulnerability fixed in Chrome 42 is a cross-origin bypass flaw in the HTML parser (CVE-2015-1235). The discovery of this high severity bug earned an anonymous researcher $7,500.
The list of high severity vulnerabilities also includes a type confusion in V8 (CVE-2015-1242) reported by Cole Forrester of Onshape, a use-after-free in IPC (CVE-2015-1237) reported by Khalil Zhani, and an out-of-bounds write bug in the Skia graphics engine (CVE-2015-1238) identified by cloudfuzzer.
The medium severity security issues reported by external researchers are a cross-origin-bypass in the Blink web browser engine, an out-of-bounds read in WebGL, a use-after-free in PDFium, a tap-jacking flaw, an HSTS bypass in WebSockets, an out-of-bounds read in Blink, scheme issues in OpenSearch, and a SafeBrowsing bypass.
The researchers who contributed to making Chrome more secure gained $21,500, according to a Google blog post.
“We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel,” said Alex Mineer of the Google Chrome team.
In September 2013, Google said it would phase out support for the Netscape Plugin API (NPAPI). The company noted at the time the API’s 90s-era architecture was causing crashes, security issues and other problems.
In January 2014, Google blocked web page-instantiated NPAPI plugins by default, but whitelisted some of the most popular applications, such as Silverlight, Unity, Google Earth, Google Talk, and Facebook Video. Java was also on the list of most popular plugins using NPAPI, but it ended up disabled earlier for security reasons.
Now, NPAPI support is off by default in Chrome, and extensions requiring NPAPI plugins will be removed from the Chrome Web Store. Advanced users and enterprises can temporarily re-enable NPAPI until the plugins they use transition to alternative technologies.
Starting with Chrome 45, scheduled to release in September, this override will be removed and NPAPI support will go away forever.
Wednesday, September 3, 2014 @ 03:09 PM gHale
Mozilla launched Firefox 32 for Windows, Mac, Linux, and Android which includes a new HTTP cache for improved performance, public key pinning support, and easy language switching on Android.
Firefox 32 is out on Firefox.com, and all existing users should be able to upgrade to it automatically. The Android version is trickling out slowly on Google Play.
Here is how Mozilla described the new HTTP cache back-end:
“The new HTTP cache back end has many improvements like request prioritization optimized for first-paint time, ahead of read data preloading to speed up large content load, delayed writes to not block first paint time, pool of most recently used response headers to allow 0ms decisions on reuse or re-validation of a cached payload, 0ms miss-time look-up via an index, smarter eviction policies using frecency algorithm, resilience to crashes and zero main thread hangs or jank. Also it eats less memory, but this may be subject to change based on my manual measurements with my favorite microSD card which shows that keeping at least data of html, css and js files critical for rendering in memory may be wise.”
The biggest addition for the desktop platforms is public key pinning, a security feature that helps ensure people are connecting to the sites they intend. Pinning allows webmasters to specify which certificate authorities (CAs) issue valid certificates for their sites, rather than accepting any one of the hundreds of built-in root certificates that ship with Firefox.
This means pinning can protect Firefox users from man-in-the-middle attacks and rogue certificate authorities. Whether a CA mis-issues a certificate or the root cert for a pinned site does not match one of the known good CAs, Firefox will reject the connection.
Pinned domains include addons.mozilla.org and Twitter in Firefox 32. Google domains will be added in Firefox 33, with more domains to come.
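The pin check described above, sketched as an added example (not code from Firefox or from the original post): a chain that passes ordinary validation is still rejected when none of its keys is in the site's pin set. The CA key bytes, the pin list contents, the example.org host and the rule that any pinned key in the chain is enough are assumptions made for illustration.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """Pin value: base64 of the SHA-256 digest of a certificate's public key info."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

# Constructed stand-ins for the DER-encoded public keys found in certificates.
GOOD_ROOT = b"constructed-spki: known good root CA"
GOOD_BACKUP = b"constructed-spki: known good backup CA"
OTHER_ROOT = b"constructed-spki: trusted but unpinned root CA"
REAL_LEAF = b"constructed-spki: site leaf key"
ROGUE_LEAF = b"constructed-spki: mis-issued leaf key"

# Hypothetical pin list: host -> pins of the CAs allowed to issue for it.
PINSET = {"addons.mozilla.org": {spki_pin(GOOD_ROOT), spki_pin(GOOD_BACKUP)}}

def check_pins(host, chain_spkis, pinset=PINSET):
    """Pin check, run only after ordinary chain validation has succeeded.

    chain_spkis: public key info of each certificate in the validated chain,
    leaf first, root last. Returns "unpinned", "ok" or "pin-failure".
    """
    pins = pinset.get(host.lower().rstrip("."))
    if pins is None:
        return "unpinned"  # no pins for this host: any trusted root is accepted
    # Assumption of this model: one pinned key anywhere in the chain suffices.
    if any(spki_pin(spki) in pins for spki in chain_spkis):
        return "ok"
    return "pin-failure"  # chain is valid but anchored in a CA that is not pinned

def demo():
    return {
        "pinned CA": check_pins("addons.mozilla.org", [REAL_LEAF, GOOD_ROOT]),
        "mis-issued": check_pins("addons.mozilla.org", [ROGUE_LEAF, OTHER_ROOT]),
        "case/dot": check_pins("Addons.Mozilla.Org.", [REAL_LEAF, GOOD_BACKUP]),
        "other site": check_pins("example.org", [ROGUE_LEAF, OTHER_ROOT]),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:12} -> {verdict}")
```

The "other site" case shows the limit of a built-in pin list: hosts without an entry get no protection beyond ordinary CA validation.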
Cache and pinning aside, the new desktop version has a sizeable list of changes. Here are some of the new offerings in Firefox 32:
• New: New HTTP cache provides improved performance including crash recovery.
• New: Integration of generational garbage collection.
• New: Public key pinning support enabled.
• Changed: Removed and turned off trust bit for some 1024-bit root certificates.
• Changed: Performance improvements to Password Manager and Add-on Manager.
• HTML5: drawFocusIfNeeded enabled by default.
• HTML5: CSS position:sticky enabled by default.
• Developer: HiDPI support in Developer Tools UI.
• Developer: Inspector button moved to the top left.
• Developer: Hidden nodes displayed differently in the markup-view.
• Fixed: Mac OS X: cmd-L does not open a new window when no window is available.
• Fixed: Text Rendering Issues on Windows 7 with Platform Update KB2670838 (MSIE 10 Prerequisite) or on Windows 8.1.
There are quite a few HTML5 additions in this release. If you’re a Web developer, you should probably check out Firefox 32 for developers.
New versions of Firefox release every six weeks. Firefox 33 will be out in mid-October.
Friday, August 15, 2014 @ 03:08 PM gHale
Google rolled out version 36 of the Chrome browser for Windows, Mac and Linux, including a set of security fixes, along with the latest revision of Flash Player.
Twelve vulnerabilities ended up fixed in this release, with some found by external security researchers, who earned cash for their efforts through Google’s bug bounty program.
For a use-after-free security flaw (CVE-2014-3165) in web sockets, Google paid $2,000 to researcher Collin Payne; additional information about this flaw is not available right now.
From another external researcher, the Google team received details about a security glitch that could lead to information disclosure in SPDY. Identified as CVE-2014-3166, the flaw is credited to Antoine Delignat-Lavaud, a second-year PhD student in team Prosecco at Inria Paris.
In order to prevent the information leakage, Chrome developers decided to disable SPDY and QUIC session pooling in the latest revision of the web browser.
SPDY is a network protocol designed to increase page load speed and security, by manipulating HTTP traffic.
For the user, disabling it translates into slower page loads on websites using this protocol, but the latency is not significant enough to affect browsing at all.
Additional input came from the internal security team, who discovered an undisclosed number of glitches through internal audits or code fuzzing operations.
Build 36.0.1985.143 of the web browser also updates the Adobe Flash Player plug-in to the recently released version 18.104.22.168.
Adobe patched seven critical vulnerabilities, most of them memory leaks that attackers could use to bypass memory protection mechanisms (address randomization).
Wednesday, April 30, 2014 @ 04:04 PM gHale
Adobe created an update for its Flash Player for Windows, Mac and Linux, as a newly discovered Zero Day vulnerability affecting the software is under active attack.
In the security bulletin the company published to warn users and urge them to update, Kaspersky Lab researcher Alexander Polyakov gained credit for discovering the attacks.
The researchers discovered two separate SWF exploits that took advantage of the vulnerability, located in the Pixel Bender component, designed for video and image processing.
The exploits are in two .swf files, and both sit in an innocuous-looking folder on a compromised site.
“The site was launched back in 2011 by the Syrian Ministry of Justice and was designed as an online forum for citizens to complain about law and order violations. We believe the attack was designed to target Syrian dissidents complaining about the government,” said Kaspersky Lab researcher Vyacheslav Zakorzhevsky.
The victims end up redirected to the exploits using a frame or a script located at the site and, according to the company’s products’ detections, seven unique users located in Syria ended up affected.
“It’s likely that the attack was carefully planned and that professionals of a pretty high caliber were behind it,” Zakorzhevsky said. The exploits are well-written, and the fact a vulnerability in the no longer supported Pixel Bender component was the target seems to imply they didn’t want the exploit seen for a long time.
“We are sure that all these tricks were used in order to carry out malicious activity against a very specific group of users without attracting the attention of security solutions. We believe that the Cisco add-in may be used to download/implement the payload as well as to spy directly on the infected computer,” Zakorzhevsky said.
Thursday, April 10, 2014 @ 06:04 PM gHale
Adobe updated Flash Player to address four security holes.
Windows and Mac users should update their installations to version 22.214.171.124, while Linux users should update to 126.96.36.1990.
Google Chrome, Internet Explorer 10 and Internet Explorer 11 installations automatically update.
The first vulnerability addressed with the release of Adobe Flash Player 188.8.131.52 is a use-after-free bug that could be exploited for arbitrary code execution.
This vulnerability came to Adobe via VUPEN at the Pwn2Own competition that took place alongside the CanSecWest security conference.
The second flaw is a buffer overflow that could also result in code execution. This issue, also disclosed at Pwn2Own 2014, came via Zeguang Zhao and Liang Chen.
According to the description on NIST’s National Vulnerability Database, the bug “allows remote attackers to execute arbitrary code and bypass a sandbox protection mechanism via unspecified vectors.”
The updates also address a security bypass vulnerability that could lead to information disclosure, Adobe said.
Finally, a cross-site scripting (XSS) vulnerability also received a patch. Masato Kinugawa disclosed the XSS vulnerability.
Some of the vulnerabilities are critical because an attacker could exploit them to take control of the impacted system.
There’s no evidence that these security holes are under attack, but users should apply the updates as soon as possible.
Thursday, March 13, 2014 @ 06:03 PM gHale
Adobe released updates for Flash Player 184.108.40.206 for Windows and Mac, and Flash Player 220.127.116.111 for Linux to address security holes.
The company advises all users of Adobe Flash Player 18.104.22.168 and earlier versions for Windows and Mac to update their installations to version 22.214.171.124. Linux users who still utilize version 126.96.36.1991 and earlier should update to Flash Player 188.8.131.526.
The updates address two vulnerabilities. The first one has the CVE identifier CVE-2014-0503 and it refers to a flaw that could end up exploited to bypass the same origin policy. The second issue, CVE-2014-0504, could allow attackers to read the contents of the clipboard.
The same origin policy bypass vulnerability was discovered by Masato Kinugawa. The other security hole was discovered by Jordan Milne.
Adobe said Flash Player 184.108.40.206 installed with Chrome, Internet Explorer 10 and Internet Explorer 11 will update automatically to the latest version.
Flash Player vulnerabilities often end up leveraged by bad guys in their operations. Last month, Adobe released an emergency update to fix a Zero Day exploit.
Monday, February 17, 2014 @ 11:02 AM gHale
Adobe Systems released fixes for Shockwave addressing two vulnerabilities that could allow attackers to remotely take control of affected systems.
The new Shockwave Player version released last week is 220.127.116.11 and is available for Windows and Mac.
The update fixes two memory corruption vulnerabilities identified as CVE-2014-0500 and CVE-2014-0501 that could lead to code execution, Adobe said in a security advisory. The vulnerabilities ended up reported to the company by researcher Liangliang Song of Fortinet’s FortiGuard Labs.
The Shockwave Player update comes one week after Adobe broke out of its regular patching cycle to release an emergency update for Flash Player that addressed an actively exploited vulnerability. Unlike the Flash Player flaw, there are no reports that the Shockwave Player vulnerabilities are suffering from active exploitation.
Shockwave Player displays online content like games, product demonstrations, e-learning courses and simulations created with Adobe’s Director software. It’s not as widespread as Flash Player, but it is on over 450 million desktop computers according to Adobe, which makes it a potential target for hackers.
Shockwave Player installs a plug-in in Web browsers which means it can suffer attack with drive-by download exploits loaded from maliciously crafted or infected websites.
Thursday, January 16, 2014 @ 05:01 PM gHale
In a move to hike its browser security, Google pushed out a new stable version of Chrome for Windows, Mac, and Linux Tuesday.
The company rewarded the contributors for uncovering two use-after-free vulnerabilities, one in web workers and the other related to forms.
In addition, the developer eliminated a security issue that could cause address bar spoofing in the Android version of the web browser.
As Google rewards researchers that find vulnerabilities, the largest payment ($3,000) went to Joao Lucas Melo Brasio, an information security researcher and specialist from Brazil, for revealing a flaw that caused an unprompted synchronization of data with the Google account of an attacker.
Internal security work also added to improved security of the browser and other fixes have come into play because of audits, fuzz testing (brute force vulnerability discovery), and other initiatives.
Monday, November 18, 2013 @ 07:11 PM gHale
Adobe has been under fire this year for vulnerabilities, and the most recent fix to Flash Player is no different as it fixes security holes that could lead to compromise of the targeted system.
The new Flash Player 11.9.900.152 eliminates two memory corruption vulnerabilities (CVE-2013-5329 and CVE-2013-5330) that would allow an attacker to execute malicious native code on the targeted machine surreptitiously.
Adobe labeled both security updates as critical, and they have the highest priority rating (1) on Windows and Mac. This means administrators should install the latest version in the shortest time possible.
The company did not provide any information about possible exploitation of the vulnerabilities.
Adobe released a security hotfix for ColdFusion as well, for versions 10, 9.0.2, 9.0.1, and 9.0 for Windows, Macintosh, and Linux.
The patch addresses a flaw (reflected cross site scripting – CVE-2013-5326) that an attacker could leverage remotely when the CFIDE directory ends up exposed (in ColdFusion 10 and earlier).
Another security hole plugged by the ColdFusion hotfix would allow unauthorized remote read access.