Wednesday, October 18, 2017

Oracle Java Critical Security Updates Released

Oracle released the scheduled critical security updates for its Java SE Runtime Environment software.  The update contains 22 new security fixes for Oracle Java SE.  Twenty-two (22) of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  

Update

If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

Download Information

Java SE 8u151/ 8u152
Java™ SE Development Kit 8, Update 151 Release Notes
Java™ SE Development Kit 8, Update 152 Release Notes
Java SE Runtime Environment 8 - Downloads

Java SE 9.0.1  (x64-bit only)
Java™ SE Development Kit 9.0.1 Release Notes
Java SE Runtime Environment 9 - Downloads
Notes:
  • Uncheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.  Preferably, see the instructions below on how to handle "Unwanted Extras".  
  • Oracle does not plan to migrate desktops from Java 8 to Java 9 through the auto update feature.  Therefore, it is strongly recommended that you uninstall JRE 8 prior to updating.
  • Verify your version at http://www.java.com/en/download/testjava.jsp.   Note:  The Java version verification page will only work if your browser has NPAPI support.  If it does not, open a cmd window and enter the following to check the version (note the space following java):  java -version
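
To check the output of java -version against the releases named in this post, the following added example (not part of the original post or of any Oracle tool) parses both the Java 8 style string (1.8.0_151) and the Java 9 style string (9.0.1). The function names and sample banner lines are constructed for illustration.

```python
import re

# Patched baselines named in this post: Java SE 8u151 and Java SE 9.0.1.
BASELINES = {8: (8, 0, 151), 9: (9, 0, 1)}

def parse_java_version(banner):
    """Return (major, minor, update) from `java -version` output, or None."""
    quoted = re.search(r'version "([^"]+)"', banner)
    if not quoted:
        return None
    raw = quoted.group(1)
    # Java 8 and earlier report 1.<major>.<minor>_<update>, e.g. 1.8.0_151.
    legacy = re.match(r'1\.(\d+)\.(\d+)(?:_(\d+))?', raw)
    if legacy:
        major, minor, update = legacy.groups()
        return (int(major), int(minor), int(update or 0))
    # Java 9 and later report <major>[.<minor>[.<security>]], e.g. 9.0.1.
    modern = re.match(r'(\d+)(?:\.(\d+))?(?:\.(\d+))?', raw)
    if not modern:
        return None
    return tuple(int(part or 0) for part in modern.groups())

def is_patched(banner):
    """True/False against the post's baseline; None if no baseline applies."""
    version = parse_java_version(banner)
    if version is None or version[0] not in BASELINES:
        return None
    return version >= BASELINES[version[0]]

# Constructed sample banners (first line of `java -version`, which the
# launcher writes to stderr); they are not captured from a real machine.
SAMPLES = [
    'java version "1.8.0_144"',
    'java version "1.8.0_151"',
    'java version "9"',
    'java version "9.0.1"',
    'java version "1.7.0_80"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", parse_java_version(line), is_patched(line))
```

A result of None means the post gives no baseline for that Java family, so the installation needs a separate check rather than being treated as up to date.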

Critical Patch Updates

For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
  • 16 January 2018
  • 17 April 2018
  • 17 July 2018
  • 16 October 2018

Unwanted "Extras"

Although most people do not need Java on their computer, there are some programs and games that require Java.  In the event you need to continue using Java, How-to Geek discovered a little-known and unpublicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates.  Although the Ask Toolbar has been removed, that does not preclude the pre-checked option for some other unnecessary add-on.

Do the following to suppress the sponsor offers:
  1. Launch the Windows Start menu
  2. Click on Programs
  3. Find the Java program listing
  4. Click Configure Java to launch the Java Control Panel
  5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
  6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.

Java Security Recommendations

1)  In the Java Control Panel, at minimum, set the security to high.
2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

3)  Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...




Monday, October 16, 2017

Adobe Flash Player Out-of-Band Critical Security Update

Adobe has released Version 27.0.0.170 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

The critical update addresses a report that an exploit for CVE-2017-11292 exists in the wild, and is being used in limited, targeted attacks against users running Windows.

Release date:  October 16, 2017
Vulnerability identifier: APSB17-32
CVE Numbers:   CVE-2017-11292
Platform: Windows, Macintosh, Linux and Chrome OS

Update:

*Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

    Verify Installation

    To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

    Do this for each browser installed on your computer.

    To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

    Tuesday, October 10, 2017

    Microsoft Security Updates for October, 2017



    The October security release consists of 62 security updates for the following software, of which 27 are listed as Critical and 35 are rated Important. In particular, note that one CVE in Microsoft Office is listed as under active attack, and two other CVEs are listed as publicly known prior to release.
    • Internet Explorer
    • Microsoft Edge
    • Microsoft Windows
    • Microsoft Office and Microsoft Office Services and Web Apps
    • Skype for Business and Lync
    • Chakra Core

      Known Issues
      The updates address Remote Code Execution, Information Disclosure, "Defense in Depth", Security Feature Bypass and Elevation of Privilege. Note:  "Defense-in-Depth" is a fix that does not apply to an actively exploitable vulnerability but prevents future vulnerabilities caused by the same code when surrounding code changes expose the problem.  In addition, Windows 10 1511 support ends today.

      For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

      CVEs addressed by Microsoft this month that deserve extra attention are discussed in Zero Day Initiative — The October 2017 Security Update Review by Dustin Childs.

        Additional Update Notes

        • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
        • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 
          Note:  Users who are paranoid about the remote possibility of a FP can opt to run this tool from a Command Prompt, appending a   /N   parameter [for "detect only" mode].
        • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.

          Adobe Flash Player Updates

          Adobe has released Version 27.0.0.159 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

          These updates address functionality bugs.

          Release date:  October 10, 2017
          Vulnerability identifier: APSB17-31
          CVE Numbers:   None
          Platform: Windows, Macintosh, Linux and Chrome OS

          Update:

          *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

            Verify Installation

            To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

            Do this for each browser installed on your computer.

            To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

            Pale Moon 27.5.1 Released


            Pale Moon has been updated to Version 27.5.1. This is a security and stability update.

            The security updates include DiD ("Defense-in-Depth") fixes.  This means that it is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.

            Details from the Release Notes:

            Changes/fixes:
            • Changed the default Windows 10 styling when no accent color is applied to black-on-white.
            • Changed the theme styling on Windows 10 when the system window frame is used (menu bar enabled) to use the window manager background directly, preventing visual lag updating the window color when it changes.
            • Updated user agent overrides for DropBox, YouTube and Yahoo to work around user agent sniffing issues.
            • Fixed a crash in the media subsystem.
            • Fixed a regression where video playback hardware acceleration was disabled incorrectly on some systems.
             Security fixes:
            • Updated libhyphen to the latest upstream code to fix a security issue.
            • Updated NSPR to 4.16-RTM with a patch to un-bust building on win64.
            • Updated NSS to 3.32.1-RTM.
            • Worked around some more issues with Mac fonts (CVE-2017-7825).
            • Fixed a potential rooting hazard in NPAPI plugin code. DiD
            • Fixed a potential reference issue in JavaScript arrays. DiD
            Minimum system Requirements (Windows):
            • Windows Vista/Windows 7/8/10/Server 2008 or later
            • Windows Platform Update (Vista/7) strongly recommended
            • A processor with SSE2 instruction support
            • 256 MB of free RAM (512 MB or more recommended)
            • At least 150 MB of free (uncompressed) disk space
            Pale Moon includes both 32- and 64-bit versions for Windows:

            Update

            To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.





            Monday, October 09, 2017

            Mozilla Firefox Version 56.0.1 Released


            Mozilla sent Firefox Version 56.0.1 to the release channel today.  The update includes one fix and the migration to 64-bit Firefox for users of the 32-bit version.  Note the unresolved issues! 

            Firefox ESR remains at version 52.4.0.

            Fixed

            • Block D3D11 when using Intel drivers on Windows 7 systems with partial AVX support (bug 1403353)

            Changed

            • Users of 32-bit Firefox on 64-bit Windows are migrated to 64-bit Firefox for increased stability and security.

            Unresolved

            • Due to a bug in Mac OS X High Sierra, fullscreen mode has some issues
            • Startup crash with RelevantKnowledge adware installed. Firefox Support has helpful instructions to remove it.
            • Startup crashes with 64-bit Firefox on Windows 7, for users of Lenovo's "OneKey Theater" software for IdeaPad laptops. To fix this crash, please re-install 32-bit Firefox.
            • Users running Firefox for Windows over a Remote Desktop Connection (RDP) may find that audio playback is disabled due to increased security restrictions. Learn how to mitigate this issue until it is corrected in an upcoming release

            Update:

            To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


            Tuesday, October 03, 2017

            Cyber Security Awareness Month


            October is National Cyber Security Awareness Month (NCSAM).  The 2017 Cyber Security Awareness Month marks the seventh anniversary of the campaign.  It is also European Cyber Security Awareness Month (ECSM) https://cybersecuritymonth.eu/  and in Canada, https://www.getcybersafe.gc.ca/index-eng.aspx 

              Stop | Think | Connect

            With that in mind, consider the following suggestions not only during Cyber Security Awareness month but every day:

                Stop:  Before you click that formatted link in your email, search results or social media account, mouse over the link to ensure the URL matches the description.

                Think:  Whether it is email, Facebook, Twitter, an online forum or other online media, instead of spouting off the first reply that comes to mind when you disagree, think before you click the send button.  Remember that your online reputation can follow you in "real life".

                Connect:  When you connect to the Internet, ensure your device software as well as any apps or third-party software are up to date.

            Each week, Malwarebytes Labs will focus on a theme and provide helpful articles, useful tips, and valuable analysis so that you can increase awareness and spread the word. This week’s theme: simple steps to online safety. The first:  National cybersecurity awareness month: simple steps to online safety | Malwarebytes Labs

