Google Chrome to abandon older versions of Windows and Mac OS X April 2016

Back in November of 2015, Google made an unwelcome announcement which was some very bad news for older Windows and older Mac OS X users.

On their Google Chrome Blog posting at that time, Google announced that it will stop providing updates to Google Chrome for the following Windows and Mac OS X versions;

• Windows XP
• Windows Vista
• Mac OS X 10.6 (Snow Leopard)
• Mac OS X 10.7 (Lion)
• Mac OS X 10.8 (Mountain Lion)

NOTE: Linux 32-bit Distribution users see the end of this article for your sad news too, but most of you are already aware of this since it happens this month!

This does not mean Google Chrome will stop working in these OS versions — which would almost be better security wise. Instead, Google has decided to simply stop providing updates to the installed versions of Google Chrome for these OS versions.

This is very bad news since Google Chrome has Flash built in (which is updated as needed with Google Chrome). These older versions of Windows and Mac OS X will be doubly vulnerable. Over the years, these users have gotten used to not having to update Flash separately like you need to do in other browsers like Firefox, Safari, Opera, earlier versions of Internet Explorer, Pale Moon, etc.
Because Flash is built in to Google Chrome, these abandoned users will not be getting the Flash updates either.

This will make these older versions of non updated Google Chrome extremely vulnerable to browser attacks from infected websites. Malware purveyors will quickly begin to adjust their attacks (if they have not already in anticipation of this change) to look for these older vulnerable systems using outdated/vulnerable versions of Google Chrome as new attack vectors for these abandoned Windows and Mac users.

Those thinking that being a Mac user will make you impervious to attack, think again. Browser attacks are one thing that every operating system including Windows, Macs and Linux have been subject to these days. Sure Windows users get hit more often but that is because they are the biggest user base and they have the largest target on their back, but Mac users and Linux users can still get hit at times if they have outdated operating systems, Flash, Java, etc. Even Android has been hit by a banking trojan these days – reported March 9, 2016 by ESET’s We Live Security Blog.

With other browsers, you could simply remove Flash from the system and be done with it if you were concerned about it and didn’t mind losing the ability to see YouTube videos and other Flash supported content on other websites. Although, with HTML5 support coming right along, that could be moot.

Some might be quick to blame Adobe Flash, but apparently this is not the case as Adobe is quick to point out in at least two places that they support these OSes:

• Adobe Flash – Archived Flash versions
• Adobe Flash Player – Tech Specs

Plus other browsers such as Firefox clearly still support these OSes and Flash on these OSes. However, they will have to update their supported browsers to NOT include Google Chrome after April 2016 unless Google rethinks all this for at least a couple of the newer, of the older, OS versions. 😉

If Google does not give a reprieve/stay of execution, once Adobe makes their final update to Adobe Flash in April 2016 and Google updates Google Chrome the final time for these OS version users that includes that last Flash version, it will apparently be the last Google Chrome AND thereby Flash update that these Google abandoned OSes will see Google based on the Google Chrome blog article posted November 2015.

Google has been very quiet on the subject since that date so no reprieve or stay of execution even for the newer OS versions to be abandoned; Windows Vista and Mac OS X 10.8 (Mountain Lion).

It seems quite harsh to drop support for these two OS versions (Vista and Mac OS X 10.8 (Mountain Lion)) since Google supported the earlier noted OS versions like Windows XP and Mac OS X 10.6 (Snow Leopard) for so many years! But there it is.

If you are using one of these older OS versions of Windows or Mac OS X, read it and weep for the loss of a great browser like Google Chrome, and make be wise to make the move to Mozilla Firefox newest version to-date 44.0.2 (STILL supports Mac OS X 10.6 Mountain Lion), or Opera (however NO support for Mac OS X 10.6 Mountain Lion, but does support Lion and Mountain Lion), which have not, so far, abandoned these users. But they are not the only players still in the game…

There is also another browser project that has gained a lot of popularity among Windows users — the Pale Moon browser. There are versions for Windows: Pale Moon, Pale Moon 64, Portable. There are also versions for:  Atom/XP, Linux and Android on the Download tab on the website.

There is also a Mac OS X version of Pale Moon 26.1.1 Unofficial available as of February 2016. As noted on their forum page:

Important note:
The Mac OSX version of Pale Moon is still very much in development. Your assistance in bringing this build to fruition is greatly appreciated, but you can expect there to be bugs and problems for a while yet!
Any specific bugs you find that don’t have their own topic yet: please make a new topic; one bug per topic please to keep things organized.
Please also note that these builds are currently created by BitVapor and Moonchild will likely not be able to provide insight or assistance due to lack of Mac hardware and OS/build knowledge for Mac.

Windows XP Vista already shows No Support Yellow Info band in Google Chrome

Those using these older versions of Windows (See image to the right), and Mac are already getting an annoying yellow warning info band across the top of their Google Chrome browsers.It is advising them to move to a more modern operating system. Wise move on Google’s part and it also servers to show that they  do not appear to be backing down from their November 2015 announcement.

That means Google Chrome users will need to do something to address the issues by either upgrading to a more modern operating system where possible, getting a newer computer with a more modern operating system since all of these operating systems are older and most have been abandoned by their creators anyway except Vista which is coming next April 2017 (preferable security wise), or barring all that, changing to a supported browser, or using an extension to address the old version of Flash issue (see end of article posting).

If you move to another browser, it will be very important to keep Adobe Flash updated since only Google Chrome in Windows 7, 8.1 and Windows 10, or on Mac OS X: Mavericks, Yosemite and El Capitan! will include Flash updates automatically with browser updates after April 2016.
NOTE: In addition, in Windows 8.1, the latest versions of Internet Explorer (IE10, IE11), and of course the new Edge browser on Windows 10 include Flash built in and updated for you like Google Chrome does.

Older versions of Windows and Mac are not the only users to be abandoned/axed by Google Chrome in early 2016. ALL 32-bit Linux distribution versions are also being abandoned — this month — March 2016 as noted in BetaNews, Slash Dot, and PCWorld and other news outlets back in November and December 2015.

Even though many and maybe even most computers these days are 64-bit, there are still a lot of 32-bit computers and 32-bit operating systems in use around the world today so this may be a move forward for 64-bit, but it is also a sad day for all the 32-bit hardware/operating systems worldwide.

Of course, there are still several browsers like Firefox, Opera and Pale Moon available for Linux 32-bit computers —  just as there are for Windows and Mac users. There are also some alternative browsers based on Firefox available (Pale Moon noted earlier here is included), and distro-specific versions of Firefox like Iceweasel in Debian Linux, etc.)

For all users of Google Chrome, there are some Flash blocking or control Extension possibilities that can protect everyone, but particularly these older users from having Flash run all the time if they choose to continue to use Google Chrome:

• uBlock Origin
• Flash Control

IE Zero-Day Vulnerability

Microsoft Security Advisory 2963983 – Vulnerability in Internet Explorer Could Allow Remote Code Execution – TechNet

General Information

Executive Summary

Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. For information about protections released by MAPP partners, see MAPP Partners with Updated Protections.

Microsoft continues to encourage customers to follow the guidance in the Microsoft Safety & Security Center of enabling a firewall, applying all software updates, and installing antimalware software.

Mitigating Factors:

• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.

• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.

• An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

• In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.

More information in the full article. There is no patch. But Microsoft has given some recommendations which are easier to understand at Security Garden’s posting:

Recommendations

As illustrated in the “Security Research and Defense Blog” reference below, users of IE 10 and 11 should ensure they haven’t disabled Enhanced Protection Mode.

Another option is to install the Enhanced Mitigation Experience Toolkit (EMET). The recommended setting for EMET 4.1, available from KB Article 2458544, is automatically configured to help protect Internet Explorer. No additional steps are required.

See the Tech Net Advisory for instructions on changing the following settings to help protect against exploitation of this vulnerability:

• Change your settings for the Internet security zone to high to block ActiveX controls and Active Scripting

• Change your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.

 

Those still using Windows XP on the Internet, please be aware:

VERY IMPORTANT FOR ANY HOLD OUT WINDOWS XP USERS

This is the first of the security vulnerabilities that DOES NOT include workarounds  for Windows XP. The oldest Windows noted as being affected are: Windows Server 2003 SP2 and Vista SP2.

IMPORTANT NOTE: Once a Microsoft product’s support has expired — as is true now about Windows XP SP3 since April 8, 2014 — Microsoft no longer lists it as affected by the vulnerabilities being patched. Microsoft only list Windows versions which are still under Mainstream Support or Extended Support. This has always been the case.

If anyone is still using Windows XP on the Internet (UNWISE!!), it would be strongly recommended to disallow IE (Internet Explorer) access to the Internet through your software firewall*, and use another browser like Firefox and Google Chrome which will still be getting updates for a time.

* Any Windows XP users still on the Internet should at least have:

• a hardware router with Stateful Packet Firewall
• should be using a ‘real’ software firewall as well as a good AV program. Just one good choice that will continue to support Windows XP is ESET’s Smart Security which is a very good antivirus and firewall. It is the one I use. It is not free. There are several free antivirus programs but not many free security suites.
• block Internet Explorer through the ESET or other software firewall.
• should be using a 3rd party browser like Mozilla Firefox with NoScript, Adblock Plus and WOT to help sort out safer search results on search engines, or Google Chrome with ScriptSafe, Adblock Plus and WOT Extension.
• uninstall Java entirely, keep Adobe Flash religiously updated for Firefox as long as Adobe continues to provide them. Google Chrome updates Flash within itself. Might want to switch from Adobe Reader to Sumatra PDF reader which is a simple PDF viewer.
• need to be even more careful than ever before about where you go. The bad guys will be looking with great anticipation for computers with expired Windows XP.
• no risky behavior
• no banking … note very soon banks will be disallowing expired Windows XP entirely anyway.

IMPORTANT: You can not block a program from getting out to the Internet with the Windows XP Firewall. It is only a one way firewall. It only monitors incoming Internet requests, instead of both ways as any real firewall including Windows 7 and Windows 8 built-in software firewalls do.

Here’s a quote from a ZDNet article:

To those planning to stick resolutely with the aged Windows XP operating system even after Microsoft ends support next year, the advice from experts is simple: Don’t do it.

Again: I would strongly suggest you get a new computer, upgrade your computer if it can be upgraded to a modern/still supported Windows such as Windows 7 or Windows 8, or get a Mac, or you could  convert/upgrade the computer to Linux or use a Linux LiveCD to visit the Internet and still use Windows XP as a standalone NOT CONNECTED TO THE INTERNET computer.

If you need help with any of this, please contact your computer guru, join a forums like Scot’s Newsletter Forums – BATL (Bruno’s All Things Linux) to ask questions, or you can use the contact info on my website  to contact me for some help.

Critical Java SE update due Tuesday fixes 40 flaws

Critical Java SE update due Tuesday fixes 40 flaws – The Reg

And yes, most are remotely exploitable

According to Oracle’s security announcement, the patch pack addresses 40 different vulnerabilities. All update levels of Java SE 5, 6, and 7 are affected by the flaws, as are all versions of JavaFX.

Of the 40 bugs, all but three are remotely exploitable over a network without the need for a username or password.

Oracle plans to release its latest Java SE Critical Patch Update on June 18, 2013.

Watch for it and install it if you have Java installed on your system. If you are sure you don’t need Java for anything, it would be best to uninstall it or disable it until the update, or at least disable Java in your browsers.

IE10 is now available for Windows 7 – Finally

IE10 is now available for Windows 7 – Finally!!

It is great news that the most modern Internet Explorer browser will now be available for Windows 7.

Before today, IE10 was only available for Windows 8 and that only since about October 2012.

In SecurityGarden’s posting about this:

Key Improvements

Key improvements in IE9 include improved performance, security, and privacy.  Of major significance are the results of the independent testing conducted by NSS Labs, referenced below, in which IE10 with App Rep had a mean malware block rate of 99.1%.

More about CPU, Windows 7 32/64 bit requirements, check to see if your computer is 32-bit or 64-bit by clicking a link on the article,  and of course the download links, and more, all on SecurityGarden’s posting.

Oh, another cool feature of IE10, is one that is already built into Google Chrome. Flash is incorporated within IE10 and updated within the browser. Hopefully that will work out well over time for both browsers. And hopefully they will not fall down on their vigilance in being very fast in getting the Flash updates incorporated as they are released.

Microsoft Security Advisory (2798897)

Microsoft Security Advisory (2798897)

This is a security advisory about fraudulent certificates that need to be revoked!

As Security Garden wrote here:

Microsoft released Security Advisory 2798897 to provide notification regarding a a fraudulent digital certificate issued by TURKTRUST Inc.

TURKTRUST Inc. incorrectly created two subsidiary Certificate Authorities: (*.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org). The *.EGO.GOV.TR subsidiary CA was used to issue a fraudulent digital certificate to *.google.com.

The Certificate Trust list update is available through Windows Updates.

Be sure to apply any Windows Updates that are waiting (showing in the lower right corner in the system tray) to be installed and/or check for Windows Updates manually to be sure you have the update!

This is an important update since fraudulent digital certificates can make spoofing attacks possible.

More information at KrebsOnSecurity here:

Google and Microsoft today began warning users about active phishing attacks against Google’s online properties. The two companies said the attacks resulted from a fraudulent digital certificate that was mistakenly issued by a Turkish domain registrar.

In a blog post published today, Google said that on Dec. 24, 2012, its Chrome Web browser detected and blocked an unauthorized digital certificate for the “*.google.com” domain.

More info from WOT and Firefox and Chrome:

Google blocked both certificates in Chrome on December 26. It now plans to no longer display “Extended Validation” status in Chrome for any certificate issued by TurkTrust. It’s debating whether to also block any connection to HTTPS sites validated by the CA.

Mozilla announced that it too was revoking trust for the two problem certificates in a Firefox update landing next Tuesday. TurkTrust’s root certificate is also being excluded from Firefox for the time being. Microsoft is doing the same, as are other browser vendors.

I would imagine that Apple will be also releasing an update to their Digital Certificate list if this is a universal issue.

Java flaws already included in Blackhole exploit kit within 12 hours

Java flaws already included in Blackhole exploit kit, Oracle was informed of vulnerabilities in April – Sophos Naked Security

It took less than 12 hours from the time the proof of concept for the latest Java zero-day vulnerabilities went public for exploits of those vulnerabilities to be included in a commercial crimeware kit.

Brian Krebs was first to mention having heard that CVE 2012-4681 was being added to the Blackhole exploit kit, and SophosLabs confirmed seeing it in the wild a few hours later.

And this about Macs in particular:

Some have asked if Mac users are at risk from the CVE 2012-4681 exploit and the answer is “Maybe.” The version officially distributed by Apple is Java 6, which is not vulnerable.

Interesting that an older version is not vulnerable to this particular zero day exploit. But if users of Lion and Mountain Lion have installed Java 7 directly from  Oracle’s Java.com site (which is the only way to even get Java on Lion and Mountain Lion), then they are vulnerable.

And of course, Windows and Linux/UNIX/BSD are all vulnerable as well if Java 7 has been installed.

Soon Twitter users were tweeting that Mac users were being attacked, but that the malware apparently on the blackhole server is serving Windows malware. Gives Mac users a reprieve to get their Java updated … if they installed it at all.

What is really sad is that Oracle was made aware of this vulnerability back in April and didn’t fix it in a timely manner.

Thankfully Firefox and Google Chrome will disable or at least not automatically run Java if it’s outdated. Other browsers (Internet Explorer, Opera, etc.) should be doing the same thing.

Java 7 ‘super dangerous’ vulnerability

There is a recently discovered ‘super dangerous’ vulnerability in Java 7.

This vulnerability affects all Java 7 users; whether they run a version of Windows, or using a Mac, or an Opensource Linux operating system:

Macs at risk from ‘super dangerous’ Java zero-day – Computerworld:

Hackers are exploiting a zero-day vulnerability in Java 7, security experts said today.

The unpatched bug can be exploited through any browser running on any operating system, from Windows and Linux to OS X, that has Java installed, said Tod Beardsley, the engineering manager for Metasploit, the open-source penetration testing framework used by both legitimate researchers and criminal hackers.

I think the reason they have singled out Mac users in the article is that most Windows users if they have a recent version of Java installed will get upgrade notifications from Oracle’s Java. Where many Mac users until Lion had Java being updated (albeit late) by Apple. Now they are responsible to keep it updated on Lion IF they decide to install Java manually themselves. Lion and Mountain Lion do not come with Java installed by default. But if you do have it installed on your Mac:

Maynor said he was able to trigger the vulnerability with the Metasploit code in both Firefox 14 and Safari 6 on OS X 10.8, better known as Mountain Lion.

These exploits are mainly aimed at Windows users, but Macs are becoming more and more popular because overall they have less issues than Windows for viruses, etc.

But browser exploits are a bain for all computer users. And we have to keep our plugins updated to stay one step ahead.

If you are using Firefox, there is a page you can go to where you can check to see if your plugins can be checked to make sure you are up to date:

Firefox Check Plugins page

Interestingly that Check Plugins page also seems to work pretty well on Google Chrome’s browser as well. Just remember that if it tells you Flash is outdated, Google Chrome will be updating that for you on their next update.

Looks like I am off for a new Flash update… see ya next time.

Flash Player Update Causes Firefox Crashes

[tweetmeme source=”franscomputerservices” only_single=false]Flash Player Update Causes Firefox Crashes
SecurityGarden and GHacks

Due to the severity of the vulnerabilities, it is still recommended to upgrade but either disable the Flash Plugin (as noted in the Security Garden posting) or edit the mms.cfg file to change protected mode to 0 as noted in the GHacks article.

There is a third alternative, remove the Flash Player entirely or disable it in Firefox, then install and use Google Chrome which has a pretty good Adobe Flash sandboxing mode already — at least until Adobe gets this issue corrected for Firefox users.

There is more information at the Adobe page about this: Inside Flash Player Protected Mode for Firefox – Adobe

New Flash Player Zero Day

[tweetmeme source=”franscomputerservices” only_single=false]ZDNet reports, Adobe warns of new Flash Player zero-day attack:

Hackers are embedding malicious Flash Player files in Microsoft Word documents to launch targeted attacks against select businesses, according to a warning from Adobe.

These are being used to steal secrets from corporations, likely through downloaded and emailed MS Word documents such as Excel.

Adobe is working on patches for Flash 10.2.x and for earlier versions as well, for just about every OS out there.

Adobe Reader X protected mode will “prevent an exploit of this kind from executing.” The actual fix won’t come till their normal patch cycle in June for Adobe Reader. So be sure to get the latest version (Adobe Reader X)!

Much more in the article including information and links to Adobe’s security release.

Internet Explorer Search Bar Malware Hijack

[tweetmeme source=”franscomputerservices” only_single=false]Recently, the Google Gala malware has been hijacking the Google Search engine in Internet Explorer’s Search Bar. In addition, Fast Browser Searching apparently has been being installed through some means and stealing the Google Homepage of other users.

Google Gala and Fast Search hijacks is nothing new, but they are making a serious comeback. I am not sure how they are injecting themselves into the Google Search on IE8 Search Bar, but they definitely are corrupting the Google Search engine in the IE8 Search Bar. This has been known to happen in Firefox in the past as well. And who knows how long it will be till Google Chrome and other browsers will be hit the same way, if not already.

Browser makers need to harden their Search Bar against this type of attack, but until they do, we have to take matters into our own hands.

If you feel the need to use Internet Explorer, I would strongly suggest hiding or removing the IE8 Search Box and going directly to Google website instead.

As shown at w7forums link above, to hide/remove the IE8 Search Box:

Start -> run -> gpedit.msc

Or better yet, change to an alternative browser, like Google Chrome or Mozilla Firefox.

The advantages of Google Chrome with built-in Flash player that is updated automatically through Google Chrome’s update mechanism is quite attractive. In addition, Google Chrome is fast to load and now has extensions such as Adblock Plus, WOT, FlashBlock and others, like Mozilla Firefox has had for a long time. In addition, Google Chrome has a built-in ‘sandbox’ feature which can save a world of hurt while browsing the web. Although it is not perfect, it is a great feature.

I have to say for years now, I have not used any built-in browser search bar. I go directly to the Google website, or other favorite search engine websites directly. I would suggest that, until browser developers harden their search bars, it would be wise to not make use of search bars for searching.

In addition, I would strongly suggest you install and run, CCleaner frequently. Close your browser after every use and right click on the Recycle Bin and choose Run CCleaner after every use of the browser.

If you do get hit with malware like Security Shield for any reason, but especially in this case, due to the redirection/hijack of search results in the IE8 Search Bar, you will need to use rkill or the Task Manager (if available) to find/kill the Security Shield oddball named process and then update and run Malwarebytes Antimalware to get rid of related registry entries, hidden files, etc., as shown at BleepingComputers Forum Security Shield (Uninstall Guide).

Or call your computer expert to help you with removal of the malware.

The most important thing is not to continue to use the computer on the Internet until it is removed to keep from getting hit with more malware. Redirection to malware sites posing as legitimate websites and searches is a strong possibility while infected with malware.

EDIT: I started writing this post yesterday morning and got it published at 12:06PM. Within hours, there was a security advisory by Microsoft and articles about:

Microsoft Security Advisory (2501696)
Vulnerability in MHTML Could Allow Information Disclosure

Frequently Asked Questions

What is the scope of the advisory?
Microsoft is investigating new public reports of a vulnerability in MHTML on all supported editions of Microsoft Windows. This vulnerability manifests itself in Internet Explorer.

Is this a security vulnerability that requires Microsoft to issue a security update?
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process, or providing an out-of-cycle security update, depending on our customer needs.

What is MHTML?
MHTML (MIME Encapsulation of Aggregate HTML) is an Internet standard that defines the MIME structure that is used to wrap HTML content. The MHTML protocol handler in Windows provides a pluggable protocol (MHTML:) that permits MHTML encoded documents to be rendered in applications.

What causes this threat?
The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible for this vulnerability to allow an attacker to run script in the wrong security context.

What might an attacker use this vulnerability to do?
An attacker who successfully exploited this vulnerability could inject a client-side script in the user’s Internet Explorer instance. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user.

How could an attacker exploit the vulnerability?
In a Web-based attack scenario, an attacker could convince a user to click a specially crafted link that would inject a malicious script in the response of the Web request.

Sure sounds like this may be the problem I was writing about in this posting.