Security Garden

Tuesday, October 21, 2014

Microsoft Security Advisory 3010060 with Fixit Solution

Microsoft has released Security Advisory 3010060, which describes a vulnerability affecting all supported releases of Microsoft Windows except Windows Server 2003.

The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file that contains an OLE object. Microsoft is aware of limited, targeted attacks that attempt to exploit it.
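Before a suspicious Office attachment is opened at all, it helps to know whether it carries an OLE object and of what sort. The following added example (not Microsoft's Fix it and not part of the advisory) does that triage offline: it treats a .docx/.pptx/.xlsx as the zip package it is, walks the relationship parts for the standard oleObject relationship type, checks whether each embedded object starts with the OLE2 compound-file signature, and flags the OLE Packager progId, which marks an arbitrary embedded file rather than a chart or spreadsheet. The sample package it scans is constructed in memory and contains one such object; the finding names and the review heuristic are this example's own choices.

```python
"""Triage helper: list OLE objects embedded in an Office Open XML package.

Added example (not Microsoft's Fix it and not from the advisory): it only
inspects the zip container of a .docx/.pptx/.xlsx, it never opens the file
in Office, and the sample package below is constructed in memory.
"""
import io
import posixpath
import re
import zipfile
from typing import List
from xml.etree import ElementTree as ET

# Relationship type that links a part to an embedded or linked OLE object (ECMA-376).
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Signature of an OLE2 / Compound File Binary stream, the on-disk form of an OLE object.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# progId="Package" (PresentationML) / ProgID="Package" (VML) marks the OLE Packager,
# i.e. an arbitrary file embedded as an object rather than a chart or spreadsheet.
PACKAGER_RE = re.compile(rb'progid\s*=\s*"Package"', re.IGNORECASE)


def _resolve_target(rels_part: str, target: str) -> str:
    """Turn a relationship Target into a zip entry name.

    A .rels part lives in <dir>/_rels/<part>.rels and its relative targets
    are resolved against <dir>.
    """
    base_dir = posixpath.dirname(posixpath.dirname(rels_part))
    return posixpath.normpath(posixpath.join(base_dir, target)).lstrip("/")


def scan_office_package(data: bytes) -> List[dict]:
    """Return one finding per OLE relationship or Packager progId in the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        present = set(names)
        for name in names:
            if name.endswith(".rels"):
                root = ET.fromstring(zf.read(name))
                for rel in root.iter(REL_NS + "Relationship"):
                    if rel.get("Type") != OLE_REL_TYPE:
                        continue
                    target = rel.get("Target", "")
                    if rel.get("TargetMode") == "External":
                        # Linked (not embedded) object: the target is a path or URL
                        # outside the document and deserves a look on its own.
                        findings.append({"part": name, "kind": "external-ole-target",
                                         "target": target})
                        continue
                    entry = _resolve_target(name, target)
                    blob = zf.read(entry) if entry in present else b""
                    findings.append({"part": name, "kind": "embedded-ole", "target": entry,
                                     "is_cfb": blob.startswith(CFB_MAGIC), "size": len(blob)})
            elif name.endswith(".xml") and PACKAGER_RE.search(zf.read(name)):
                findings.append({"part": name, "kind": "ole-packager-progid"})
    return findings


def needs_analyst_review(findings: List[dict]) -> bool:
    """Embedded charts are routine; Packager objects and external targets are not."""
    return any(f["kind"] in ("ole-packager-progid", "external-ole-target") for f in findings)


def build_sample_pptx() -> bytes:
    """Constructed sample: a minimal PresentationML package with one OLE Package object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("ppt/slides/slide1.xml",
                    '<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" '
                    'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                    '<p:oleObj progId="Package" r:id="rId2"/></p:sld>')
        zf.writestr("ppt/slides/_rels/slide1.xml.rels",
                    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                    '<Relationship Id="rId2" Type="' + OLE_REL_TYPE + '" '
                    'Target="../embeddings/oleObject1.bin"/></Relationships>')
        # One 512-byte CFB header sector; the rest of a real object stream is omitted.
        zf.writestr("ppt/embeddings/oleObject1.bin", CFB_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    results = scan_office_package(build_sample_pptx())
    for finding in results:
        print(finding)
    print("needs review:", needs_analyst_review(results))
```

Run it against a real attachment by passing the file's bytes to scan_office_package(). A Packager progId or an external target is a reason to hold the file for analysis; an embedded object without either is usually an ordinary chart or worksheet, but the is_cfb flag tells you whether the blob is at least a well-formed OLE2 stream.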

Recommendations

Microsoft has made available a Fix it solution, "OLE packager shim workaround", which blocks exploitation of the vulnerability. Direct links to enable and to disable the Fix it solution are given below.

Note: The Fix it solution is not available for 64-bit editions of PowerPoint on x64-based editions of Windows 8 and Windows 8.1.

Enable Fix it | Disable Fix it


Another option is to install the Enhanced Mitigation Experience Toolkit (EMET), as described in the "Workarounds" section of the TechNet advisory.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Wednesday, October 15, 2014

Pale Moon 25.0.1 Released with Critical Security Update

Pale Moon has released version 25.0.1 to address an important Jetpack extension compatibility issue.

The update also includes several security fixes.

Security fixes:

  • Fix for VP9 decoder vulnerability
  • Fix for direct access to raw connection sockets in HTTP
  • Fix for unsafe conversion to JSON of data through the Alarm DOM element
  • Update of NSS to 3.16.2.2-RTM

Other changes:

  • Update of the add-on SDK to add missing "PaleMoon" engine entries to lists in some modules. This should fix extension compatibility issues for things like Self-Destructing Cookies, Privacy Badger and other Jetpack add-ons that should otherwise already work with the new GUID.
  • About box release notes link corrected

Minimum system requirements (Windows):

  • Windows Vista/Windows 7/Windows 8/Server 2008 or later
  • A processor with SSE2 support
  • 256 MB of free RAM (512 MB or more recommended)
  • At least 150 MB of free (uncompressed) disk space

Pale Moon is available in both 32-bit and 64-bit versions.

Update

To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window, then select About Pale Moon > Check for Updates.




Tuesday, October 14, 2014

Oracle Java Critical Security Update

Oracle has released the scheduled Critical Patch Update for its Java SE Runtime Environment software.

This Critical Patch Update affects Oracle Java SE versions 5.0u71, 6u81, 7u67 and 8u20. From The Assurance Blog:
"Out of the 154 vulnerabilities fixed with today’s Critical Patch Update release, 31 are for the Oracle Database. All but 3 of these database vulnerabilities are related to features implemented using Java in the Database, and a number of these vulnerabilities have received a CVSS Base Score of 9.0."

Unwanted "Extras"

Oracle has long bundled pre-checked sponsor offers (toolbars and other software) with its updates. Although most people do not need Java on their computer, some programs and games require it. If you need to keep Java, How-To Geek found a little-known and unpublicized option in the Java Control Panel that suppresses the pre-checked offers:

1. Launch the Windows Start menu
2. Click on Programs
3. Find the Java program listing
4. Click Configure Java to launch the Java Control Panel
5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
6. Check the box by the "Suppress sponsor offers when installing or updating Java" option and click OK.

[Image: Java Control Panel, Advanced tab, "Suppress sponsor offers when installing or updating Java" option]

Windows XP

There has been considerable recent controversy about Java updates for Windows XP. Although Windows XP has reached end of life, Java 7 will continue to receive updates until April 2015.

Organizations and individuals who must keep using Windows XP with Java installed can therefore continue to receive Java 7 updates. Note, however, that if an issue arises that is specific to Windows XP, Oracle is not obliged to produce a patch and may not be able to. For more information, see the Oracle blog post The future of Java on Windows XP (Henrik on Java).

Update

If Java is still installed on your computer, apply this update as soon as possible, given the threat posed by a successful attack.

Download Information

Download link:  Java SE 8u25

Verify your version:  http://www.java.com/en/download/testjava.jsp

Notes:
• UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.
• Starting with Java SE 7 Update 21 in April 2013, all Java Applets and Web Start Applications should be signed with a trusted certificate. Running unsigned applets, or applets signed with an untrusted certificate, is not recommended. See How to protect your computer against dangerous Java Applets

Critical Patch Updates

For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
• 20 January 2015
• 14 April 2015
• 14 July 2015
• 20 October 2015

Java Security Recommendations

For those who have desktop applications that require Java and cannot uninstall it, Java can now be disabled in Internet Explorer. See Microsoft Fix it to Disable Java in Internet Explorer.

1)  In the Java Control Panel, set the security level to High at minimum.
2)  Keep Java disabled in the browser until it is needed: uncheck the box "Enable Java content in the browser" in the Java Control Panel.

[Image: Java Control Panel, Security tab (via Sophos Naked Security Blog)]

3)  If you use Firefox, install NoScript and only allow Java on those sites where it is required.

Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml
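Clicking through the Control Panel works for one PC, but the same three choices (the security slider, the "Enable Java content in the browser" box from the recommendations above, and the "Suppress sponsor offers" box from the Unwanted "Extras" section) are stored as plain keys in the Java deployment.properties file, which is what you audit or push out when there are many machines. The following added example (not Oracle's code and not the Control Panel) reads such a file, reports which of the three settings are missing or weaker than required, and writes a hardened copy. The key names and accepted values are taken from my reading of Oracle's deployment documentation and should be confirmed against the documentation for the Java release in use; the weak sample file is constructed here, and the .locked lines it adds are only honoured when the file is the system-level one named in deployment.config.

```python
"""Audit and harden a Java deployment.properties file.

Added example, not Oracle's code and not the Java Control Panel. It encodes the
Control Panel choices from the post as the keys the Java plug-in reads from
deployment.properties. Key names and accepted values come from my reading of
Oracle's deployment documentation (an assumption to confirm for your release);
the sample file is constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# key -> (values that pass the audit, compared case-insensitively; value harden() writes)
REQUIRED: Dict[str, Tuple[Set[str], str]] = {
    # Control Panel > Security slider: High or Very High
    "deployment.security.level": ({"HIGH", "VERY_HIGH"}, "HIGH"),
    # Control Panel > Security > "Enable Java content in the browser" unchecked
    "deployment.webjava.enabled": ({"FALSE"}, "false"),
    # Control Panel > Advanced > "Suppress sponsor offers when installing or updating Java"
    "install.disable.sponsor.offers": ({"TRUE"}, "true"),
}

# Constructed sample: what a default user-level install typically ends up with.
WEAK_SAMPLE = """\
#deployment.properties
deployment.version=8.25
deployment.security.level=MEDIUM
deployment.webjava.enabled=true
"""

_KV_RE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties reader: key=value, key:value or a bare key (used for *.locked)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _KV_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(text: str) -> List[str]:
    """Return one message per required setting that is missing or weaker than required."""
    props = parse_properties(text)
    issues = []
    for key, (accepted, _) in REQUIRED.items():
        value = props.get(key)
        if value is None:
            issues.append(f"{key} is not set")
        elif value.upper() not in accepted:
            issues.append(f"{key}={value} (expected one of {sorted(accepted)})")
    return issues


def harden(text: str, lock: bool = True) -> str:
    """Rewrite the file with the required values, keeping any value that already passes.

    With lock=True a bare '<key>.locked' line is added for each setting; the plug-in
    honours these only in the system-level file named in deployment.config, where they
    stop the Control Panel from weakening the setting again.
    """
    props = parse_properties(text)
    for key, (accepted, wanted) in REQUIRED.items():
        if props.get(key, "").upper() not in accepted:
            props[key] = wanted
        if lock:
            props[key + ".locked"] = ""
    lines = [k if v == "" else f"{k}={v}" for k, v in sorted(props.items())]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("issues:", audit(WEAK_SAMPLE))
    print(harden(WEAK_SAMPLE))
```

Point audit() at the contents of a real deployment.properties (under %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment for a user-level install) to see what the Control Panel has actually saved; a Very High setting is left alone by harden(), which only raises settings that fail the audit.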
