Google updates all Chrome editions

h-online: Google has updated the Stable, Beta and Developer Channels of the desktop version of its Chrome browser with a number of bug fixes and improvements. The Stable Channel update closes seven security vulnerabilities, three of them rated High, and includes bug fixes. New stable Chrome versions for iOS and Android have also been released and include minor improvements. The iOS version of the browser now supports Apple’s Passbook application.

The update to the Stable version of Chrome for Windows, Mac OS X, Linux and Chrome Frame (for running Chrome inside of Internet Explorer) brings it to version 23.0.1271.91. The update closes a security vulnerability in the Mac OS X version of the browser that is caused by a severe rendering bug with the operating system’s driver for Intel graphics cards. This problem was rated by Google as High priority, as was a buffer underflow problem in libxml and a use-after-free bug in the browser’s SVG filters, which have also been fixed.

The Beta Channel of Chrome for Windows, Mac OS X, Linux and Chrome Frame has been updated to version 24.0.1312.25, which includes a number of bug fixes for running applications within the browser, fixes stability issues, and solves two problems with the taskbar in Windows 8. The Beta version of Chrome for Chrome OS is now 23.0.1271.94; the update improves network stability and updates the included Pepper Flash plugin.

In the Developer Channel, Chrome for Windows, Mac OS X and Chrome Frame has been updated to version 25.0.1337.0 which includes a number of fixes and improvements, most noticeably improvements to the Live Tiles functionality for Windows 8 and bug fixes for Flash on Mac OS X. Chrome for the Chrome OS Developer Channel is now at version 25.0.1324.1, which includes a firmware update.

Chrome for iOS has been updated to version 23.0.1271.91 which has introduced the ability to open PDFs in other applications and enables users to save their airline boarding passes and tickets in Apple’s Passbook. The update also brings some security and stability improvements. Chrome for Android is now at version 18.0.1025469 on ARM and version 18.0.1026322 on x86 devices; both updates fix stability issues.

An overview of the different desktop Chrome release channels and platforms is available from the Chromium Project, the open source upstream of Chrome. The listing includes download links for the different versions of the browser. All versions of Chrome should update themselves automatically; on some mobile platforms the user will be prompted to perform the update.

Mozilla closes numerous critical holes in Firefox 16 [Update]

The h-online: Following the recent Firefox 16 release, Mozilla has now detailed all of the security fixes in the new version of its open source web browser as well as in the Thunderbird news and email client. Version 2.13 of the SeaMonkey “all-in-one internet application suite” has also received fixes. In addition to adding new features, version 16.0 of Firefox closes a total of 14 security holes, 11 of which are rated as “Critical” by the project.

These critical vulnerabilities include several memory handling and corruption issues, buffer overflows and the possibility of arbitrary code execution through bypassing security checks for the cross-origin properties. Another vulnerability could lead to JavaScript crashing the browser when using an invalid cast with the instanceof operator.

According to Mozilla, many of these vulnerabilities could be exploited remotely by an attacker to, for example, execute malicious code on a victim’s system.

Additionally, the desktop Firefox update corrects three high-risk vulnerabilities including a spoofing and script injection bug, and cross-site scripting (XSS) problems. The majority of these same vulnerabilities have been addressed in version 10.0.8 of Mozilla’s “enterprise” Extended Support Releases (ESR) of Firefox ESR and Thunderbird ESR. The developers have also fixed a critical issue in Reader Mode on Firefox for Android.

As they are all based on the same Gecko platform as Firefox, Thunderbird 16 (which has not been released yet) and the 2.13 release of SeaMonkey also close a number of the same security holes. However, Mozilla notes that many of the flaws “cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products”.

Further information about the security holes closed by these updates, including a full list of fixes, can be found in Mozilla’s security advisories. Firefox 16.0 (release notes), Firefox ESR 10.0.8 (release notes), Thunderbird 10.0.8 ESR (release notes) and SeaMonkey 2.13 (release notes) can be downloaded for Windows, Mac OS X and Linux from the project’s site – at the time of writing, Mozilla has yet to release Thunderbird 16. Existing users can upgrade to the new versions, either by waiting for the automated update notification or by manually checking for updates.

Update 12-10-12: Following the discovery of a privacy-related security hole, Mozilla has released version 16.0.1 of both Firefox and Thunderbird to address the problem along with other critical vulnerabilities discovered after the 16.0 releases. The organization advises all users to upgrade as soon as possible. Updates for the ESR versions of Thunderbird and Firefox are currently undergoing quality assurance testing and should be available soon. An update to SeaMonkey, version 2.13.1, is also expected, but has yet to be released at the time of writing.

http://h-online.com/-1726884

Symantec releases Norton 2013 security suites

BetaNews: Symantec has released brand new versions of its Norton security packages for Windows, Norton Anti-Virus 2013, Norton Internet Security 2013 and Norton 360 2013. It’s the first time all three packages have been updated simultaneously, while the branding has also been amended to remove all references to a date, simply naming each Norton Anti-Virus, Norton Internet Security and Norton 360, respectively.

The 2013 versions come with what Symantec describes as “five layers of patented protection”, which include stronger social networking and anti-scam protection. There’s also full, certified support for Windows 8 and the promise of better performance on multi-core CPUs.

Symantec has focused its efforts on two related areas of protection for the 2013 releases, providing stronger protection for those using social networking sites. One in ten social network users has, according to the current annual Norton CyberCrime Report, fallen prey to fake links or scams, and so a new Scam Insight tool provides warnings against potentially risky websites along with an improved Norton Safe Web for Facebook app, providing users with the ability to quickly scan their timeline for potential scams and fake links.

Other improvements to existing protection include more rapid updates for the Insight file reputation database, which now also tracks IP addresses to help determine where threats are originating from.

Norton’s 2013 products are also fully certified with Windows 8. This includes integration with Windows 8’s Early Launch of Anti-Malware (ELAM) technology that permits security software to be up and running much earlier in the boot process than was the case with Windows 7, and which helps nullify certain rootkits. Also implemented is a new memory heap manager for helping to block and minimize the dangers from memory exploits.

The user interface has also been tweaked to be more Windows 8-friendly, with touch support and tile-based buttons. Staying up to date has been made simpler too, with all product updates now delivered automatically, and reboots eliminated from the install and update process.

The 2013 product line comes with a Network Cost Awareness feature – choose Settings > Network Security Settings > Network Cost Awareness and click Configure – that allows specific network connections to be set to Economy, to prevent unnecessary updates from being downloaded on bandwidth-limited connections such as 3G.

Finally, all three Norton 2013 products are engineered to take advantage of newer multi-core processors and inbuilt technologies in Windows 8 to deliver faster startup and shutdown times over its immediate predecessor. Sadly, boot times remain a little long in Windows 7, although the apps’ overall effect on system performance is light. Other performance tweaks include better support for digital media, plus reduced power consumption to help extend battery life.

Norton AntiVirus 2013 FINAL, Norton Internet Security 2013 FINAL and Norton 360 2013 are all available now as free 30-day trial downloads for PCs running Windows XP SP2 or later. Prices start from $49.99 for a single-user, 12-month license of Norton AntiVirus 2013 FINAL, with three-user licenses for Norton Internet Security 2013 and Norton 360 2013 costing $79.99 and $89.99 respectively.

Oracle rushes out patch for critical 0-day Java exploit

TheRegister: In an uncommon break with its thrice-annual security update schedule, Oracle has released a patch for three Java 7 security flaws that have recently been targeted by web-based exploits.

“Due to the high severity of these vulnerabilities, Oracle recommends that customers apply this Security Alert as soon as possible,” Eric Maurice, the company’s director of software security assurance, said in a blog post published on Thursday.

Maurice said that the vulnerabilities patched only affect Java running in browsers, and not standalone desktop Java applications or Java running on servers. According to Oracle’s official advisory on the flaws:

These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user’s system.

That certainly matches the description of the vulnerabilities first spotted on a rogue website by security firm FireEye on Sunday. Exploits for the flaws have since been incorporated into the notorious Blackhole malware toolkit and the Metasploit penetration testing tool.

On Wednesday, Adam Gowdiak of Polish startup Security Explorations revealed that his company had disclosed details of the vulnerabilities in question – along with 29 others – to Oracle in April of this year, but that the database giant still had not fixed the flaws as of its June Critical Patch Update (CPU).

Oracle told Security Explorations that it had developed fixes for most of the other vulnerabilities it had submitted and that they would be ready for the next Java CPU. Unfortunately, however, that patch kit wasn’t scheduled to be released until October 16.

Now, in an apparent capitulation to growing public concern over the exploits, Oracle has issued a rare out-of-band update for Java 7 that it says should ameliorate the threat.

According to Maurice, Java users who run Windows can use the Java Automatic Update feature to get the latest, patched version, which is officially dubbed Java SE 7 Update 7. Users on other platforms can visit the official Java website to download and install it.

Download Firefox 15 and Thunderbird 15!

Cross-copied from BetaNews:

Mozilla has quietly placed major new versions of its open-source, cross-platform web browser and email client onto its download servers ahead of an official release.

Firefox 15 FINAL benefits largely from behind-the-scenes performance tweaks, while Thunderbird 15 FINAL introduces a few new features, including a new curvy user interface.

Firefox 15 FINAL’s most notable changes are performance-based. There’s faster startup on Windows PCs, plus incremental garbage collection and better management of plugins to prevent memory leaks. Other performance improvements surround WebGL enhancements.

Version 15 also introduces a new Maintenance Service for Windows users that’s installed by default, and which ensures all future Firefox updates are delivered promptly. This feature can be toggled on and off via the Options dialog — select Advanced and switch to the Updates tab.

Developers get a new JavaScript debugger and new Responsive Design View option that allows them to toggle between mobile and desktop views of websites. An additional layout view providing details about the size and shape of an element is now accessible from the Inspector; click the Style button to see the dimensions of the currently selected element, then click the up arrow to reveal more details.

One feature that didn’t make it through to the final release is the inline PDF browser — although present in Firefox 15 Beta, it appears its appearance has slipped back to version 16. Neither can we confirm the existence of Mac accessibility improvements — one thing is certain, however, VoiceOver support is not yet available outside of the Nightly builds.

Those users willing to delve into the about:config portion of Firefox will find they can now toggle between showing Firefox’s options in a separate dialog box (the default) and in its own tab in the main Firefox window. Search for browser.preferences.inContent and double-click it to set it to true to enable the feature.

Similarly, the option for setting plugin content on websites to “click to play” still hasn’t been implemented by default; instead users should search for plugins.click_to_play and double-click it to switch it on.

Thunderbird Updates

Thunderbird 15 FINAL meanwhile has three major changes of note. The most obvious is the implementation of a new user interface called Australis. This introduces itself immediately with the rounded tabs at the top of the screen, but extends to redesigned lines, a repositioned toolbar and categorized filters.

The unified global search now covers the chat module, which supports Facebook, Twitter and Google Talk among others, while the “Do not track” option introduced in Firefox has been added to Thunderbird too. This option, accessible from the Web Content tab in the Security section of Thunderbird’s Options screen, is of less relevance to email users, but may stop some emails from tracking the user if they’ve signed up for the voluntary code of practice.

From November 12, Thunderbird’s code base will be split into two separate editions: Thunderbird and Thunderbird ESR. See here for details.

Both Firefox 15 FINAL and Thunderbird 15 FINAL are free, open-source downloads for Windows, Mac and Linux.

IE 9.0.9 Available via Windows Update

MSDN:

The August 2012 Cumulative Security Update for Internet Explorer is now available via Windows Update. This security update resolves four privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9 on Windows clients and Moderate for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9 on Windows servers. For more information, see the full bulletin.

Most customers have enabled automatic updating and do not need to take any action. We recommend that customers, who have not enabled automatic updating, enable it (Start Menu, type “Windows Update”). We recommend that administrators, enterprise installations, and end users who want to install this security update manually, apply the update immediately using update management software or by checking for updates using the Microsoft Update service.

—Tyson Storey, Program Manager, Internet Explorer

Adobe Flash Player 11.3.300.270 for Windows released to address a crash

Adobe wrote:

Today, Flash Player 11.3.300.270 for Windows was released to address a crash that was occurring in the Adobe Flash Player Update Service (FlashPlayerUpdateService.exe). There are no other fixes or changes provided with this build. This release is available for Windows only, and affects the Active X and Plug-in installers, uninstaller, and msi’s (available on the distribution page.) No other platforms are affected.

Please be aware that this release is not available from the Product Download Center (http://get.adobe.com/flashplayer) which will continue to provide 11.3.300.268.  We realize that this might cause confusion for some users.  Due to the severity of this issue, we decided to make this build available immediately to help customers affected by this bug.  Due to logistical issues and time constraints, we were unable to update the release on the Product Download Center.  The next release of Flash Player will correct this disparity.  Please note that unless you have been affected by the FlashPlayerUpdateService.exe crash, both 11.3.300.270 and 11.3.300.268 will be functionally identical.

This release will be distributed using the following methods:

For full details on the 11.3 release, please see our release notes.

For those encountering problems with Flash Player, please see this tech note for suggestions and instructions on reporting Flash Player bugs

Report a Flash Player Crash

Firefox users crashing with Flash Player 11.3 who are willing to assist us in determining the cause of the crashes, please download and install the Firefox 15 beta release and submit all crash reports when they occur.  Crash logs created and submitted with Firefox 15 will allow us to gather critical details that are missing from the current crash reports that are being generated with Firefox 13 and 14 and earlier versions.

Chrome 21 arrives with new API for video and audio communication

h-online: With the release of Chrome 21, web applications can now directly access the local system’s built-in camera and microphone. Instead of requiring a special plugin, the major stable update to the WebKit-based web browser includes a new HTML5 getUserMedia API – currently a W3C Editor’s Draft – to provide web apps with access to the camera and microphone. For security purposes, users will be prompted to grant apps permission to access the hardware.

Google Software Engineer Shijing Xian says that the new release is Chrome’s “first step” towards implementing the Web Real Time Communication (WebRTC) standard, which enables browsers to use JavaScript to control real-time communications. The addition of the getUserMedia API support also enables functionality such as motion detection and real-time video effects – one demo, from StinkDigital, lets users play a xylophone by waving their hands, while another web app called HTML5 Webcam Toy uses WebGL fragment shaders (GLSL) to apply real-time special effects to a live camera video feed.

Before accessing a user’s built-in camera and microphone in Chrome, web apps must first get the user’s permission

Other changes include the addition of a Gamepad JavaScript API that enables game controllers to be used with web-based games, and improvements to Google’s Cloud Print technology, which lets users print over the web from PCs, smartphones and tablets. On Mac OS X systems, Chrome 21 now supports the new Retina display (HiDPI) in Apple’s latest MacBook Pro laptop.

Version 21 of Chrome also closes a total of 26 security holes in the browser. These include integer overflows, use-after-free errors and out-of-bounds writes in the PDF viewer, as well as a use-after-free problem in CSS DOM, and a buffer overflow in the WebP image format decoder, all of which are rated as “high severity” by the company. A critical vulnerability in tab handling and a medium-severity cross-process interference problem in renderers that affect Linux systems have also been corrected.

A full list of security fixes can be found in a post on the Google Chrome Releases blog. Chrome 21 is available to download from google.com/chrome for Windows, Mac OS X and Linux; existing users can upgrade using the built-in update function. Chrome is built from Chromium, the open source browser project run by Google.

http://h-online.com/-1657169

Urgent security update for TeamViewer

h-online: The TeamViewer developers have released updates for a potential security vulnerability discovered in the remote access tool. The company recommends that users install the security updates immediately. Versions 5 to 7 of the Windows, Mac OS X and Linux editions of TeamViewer Full and TeamViewer QuickSupport are affected. The flaw does not appear to have been discovered in TeamViewer Host.

The company has not offered any details of the vulnerability, but updated editions of the software can be obtained from the TeamViewer Download page. The new version can simply be installed over the previous installation.

http://h-online.com/-1648586

Chrome 20 update fixes high-risk security vulnerabilities

Google has published a new update to the stable 20.x branch of Chrome to close a number of security holes in the WebKit-based web browser. Version 20.0.1132.57 of Chrome addresses a total of three vulnerabilities, all of which are rated as “high severity” by the company.

These include two use-after-free errors in counter handling and in layout height tracking that were discovered by a security researcher by the name of “miaubiz”. As part of its Chromium Security Vulnerability Rewards program, Google paid the researcher, who is number three in the company’s Security Hall of Fame, $1,000 for discovering and reporting each of the holes. A third high-risk problem related to object access with JavaScript in PDFs has also been corrected. As usual, further details about the vulnerabilities are being withheld until “a majority of users are up-to-date with the fix”. Other changes include stability improvements, and updates to the V8 JavaScript engine and the built-in Flash player plug-in.

Google also updated the Stable Channel of its ChromeOS operating system, currently available only on Samsung and Acer’s Chromebook notebooks, to version 20, just over two weeks after Google released the Chrome 20 browser on 26 June. ChromeOS 20.0.1322.54, based on the open source Chromium OS project, includes the security and stability improvements from Chrome, while also adding support for Google Drive, using Google Docs offline and other enhancements.

Chrome 20.0.1132.57 is available to download for Windows, Mac OS X and Linux from google.com/chrome; existing users can upgrade via the built-in update function. Chrome is built from Chromium, the open source browser project run by Google.