Updates

The stable channel has been updated to 4.0.249.78 for Windows, and includes the following features and security fixes (since 3.0): Extensions Bookmark sync Enhanced developer tools HTML5: Notifications, Web Database, Local Storage, WebSockets, Ruby support v8 performance improvements Skia performance improvements Full ACID3 pass, due to re-enabled remote font support (with added defense against bugs in operating system font libraries) HTTP byte range support New security feature: “Strict Transport Security” support Experimental new anti-reflected-XSS feature called “XSS Auditor” Security Fixes: ...

But don’t. Please don’t!… just…. don’t!… Instead, why don’t you apply the out-of-band patch ( MS10-002 ) that Microsoft has just released…?!!! Patching remote-code-execution vulnerabilities is usually “a good idea” to say the least. But, considering that: Microsoft rushed to get this patch out…… ( Thank you Microsoft! ) And that, this patch addresses several Internet Explorer vulnerabilities – of which includes CVE-2010-0249 – the infamous “Aurora attacks” related vulnerability that’s well known to be making the rounds in the wild. ...

Early this afternoon Microsoft released an out-of-band security bulletin patching the vulnerabilities in Internet Explorer. The fix has been at the top of the news since the vulnerabilities it treats are believed to have led to the compromise of Google and about 30 other companies last week in what has been called the “Aurora” attack. The governments of France and Germany suggested that Internet users switch to a different browser until the vulnerability was fixed. ...

Microsoft has said it will issue an out-of-band patch today for critical vulnerabilities in Internet Explorer that allow remote execution of code. The company said yesterday it would not wait until the February “Patch Tuesday” to fix the vulnerabilities. The much discussed “Aurora” vulnerabilities in IE have been held at least partially responsible for cyber attacks on Google and more then two dozen other major companies. The attacks on Google were aimed at Gmail accounts of dissidents and Google’s source code. The attacks on the other companies were aimed at stealing intellectual property. ...

This Black Tuesday was different as anticipated – Microsoft releases only one security bulletin, but other companies “jumped in” and deliver updates now as well. For the windows operating systems, only one Security Bulletin was released. MS10-001 deals with a vulnerability in the decompression routines of the Embeded OpenType Font Engine. This means that especially in Windows 2000, programs like Internet Explorer, Word or PowerPoint for example which render EOT fonts can put the system at risk when viewing manipulated contents. In newer operating systems the flawed code is used differently so that Microsoft assumes that it isn’t exploitable there. ...

Earlier this evening, Microsoft formally announced a new search app for iPhone on the Bing Community blog. The Bing app is available now from the App Store, complete with voice search. I emphasize the now because the app has a December 16 release date on the 15th. Based on a very quick, cursory look, Bing is a competent iPhone app, tapping into the kind of capabilities expected from the platform. Bing fits nicely into the App Store repertoire. I wouldn’t call the features revolutionary — Apple and Google are there already with advanced mapping and GPS — but the packaging appeals, and Microsoft manages to offer a user experience that is fairly consistent with Bing Web search. ...

It’s the second Tuesday of the month and there are important updates being released. From Microsoft, of course, but also from Adobe. There’s a critical security issue in Adobe Flash Player 10.0.32.18 and earlier. It’s important that organizations deploy these updates before the Christmas holiday reduces IT staffing. Fortunately, this patch cycle is as early as can be landing on the 8th so there’s still time to test and deploy. ...