Thursday, October 29, 2009

Advance Notice: Security Updates for Java SE

The Sun Security Blog published the following update announcement:
"On November 3, 2009, Sun will release the following security updates:
  • JDK and JRE 6 Update 17
  • JDK and JRE 5.0 Update 22
  • SDK and JRE 1.4.2_24
  • SDK and JRE 1.3.1_27
The following Sun Alerts corresponding to these updates will be released following the availability of these updates.
  • 269868
  • 269869
  • 269870
  • 270474
  • 270475
  • 270476"
Sun Security Blog



Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Wednesday, October 28, 2009

Firefox and Opera Browser Updates

Browser updates were released yesterday for Mozilla Firefox and today for Opera. Details and download links for both browsers follow:

Firefox 3.5.4

In addition to the security fixes listed below, the update to Firefox fixed several stability issues, added the ability to re-submit crash reports and addressed the issue where after using Clear Recent History some SSL sites would not load all images and styles without pressing reload.

To get the update, click Help -> check for updates.

Security Issues:
  • MFSA 2009-64 Crashes with evidence of memory corruption (rv:1.9.1.4/ 1.9.0.15)
  • MFSA 2009-63 Upgrade media libraries to fix memory safety bugs
  • MFSA 2009-62 Download filename spoofing with RTL override
  • MFSA 2009-61 Cross-origin data theft through document.getSelection()
  • MFSA 2009-59 Heap buffer overflow in string to number conversion
  • MFSA 2009-57 Chrome privilege escalation in XPCVariant::VariantDataToJS()
  • MFSA 2009-56 Heap buffer overflow in GIF color map parser
  • MFSA 2009-55 Crash in proxy auto-configuration regexp parsing
  • MFSA 2009-54 Crash with recursive web-worker calls
  • MFSA 2009-53 Local downloaded file tampering
  • MFSA 2009-52 Form history vulnerable to stealing
Release Notes and Download: http://en-us.www.mozilla.com/en-US/firefox/3.5.4/releasenotes/


Opera 10.01

Opera users can obtain the update to version 10.01 by clicking "Help -> check for updates" and following the prompts.

New users can download Opera from http://www.opera.com/browser/download/
Features: http://www.opera.com/browser/features/





Thursday, October 22, 2009

Windows 7 Launch = Success!

Hello, Windows 7!

Windows 7 Default Desktop, designed by Chuck Anderson

Although the Windows 7 launch events were scaled down from the Windows Vista launch, there was no less enthusiasm on the part of Microsoft employees, partners and Windows fans. If you missed the launch event, it is available at Microsoft PressPass.

The full video is 54:02 in length, but worth the time. I particularly enjoyed the demonstration by Brad Brooks, corporate vice president, located around the 29-minute mark. Of course, Kylie, the little girl who won hearts around the world, made everyone smile when she introduced Steve Ballmer.

Kylie, from the Windows commercials, introduces
Microsoft CEO Steve Ballmer at the launch event
in New York City on Oct. 22.
(Silverlight Required)

If you are in the market for a new PC, check what is available in Brandon’s Guide to Awesome New Windows 7 PCs. From there, move on to the refreshed Windows 7 web site, being sure not to miss the 7 days of Windows 7 savings.

Edit Note: As pointed out in the comments, if available in your country, the URL link for the "7 days of Windows 7 savings" offers will vary. The above link is to the U.S. site.

Clubhouse Tags: Clubhouse, Windows 7, Microsoft, News, Tips, Information



Wednesday, October 21, 2009

How Would YOU Change the World?

To celebrate the launch of Windows 7, Microsoft wants to discover creative ways that a PC running Windows can help an organization make an even greater impact in the community.

Do you have an idea how you could use Windows 7 to help your local community? Submit a short video explaining or illustrating how you would use Windows to help a community organization. Why? Because the 7 people with the best submissions (selected by Microsoft judges) will each win a new PC running Windows 7. In addition, each winner's chosen (eligible) community organization will receive a $7,000 grant.

Find the rules, get additional information and submit your video at 7 Ways to Change the World. The deadline for submission is November 11, 2009.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

OK, I can hear the groans from here. You have a great idea and a worthwhile community organization that could really benefit from that grant, but you have never created a video before. Take my word for it, even an amateur can create a video with Windows Live Movie Maker.

For simple instructions check out the videos the Windows Live Team created and soon you will be on your way. Don’t take too long though, the deadline for submitting your video to 7 Ways to Change the World is November 11, 2009.

Windows Live Movie Maker Videos:

Windows Live Movie Maker References:



Windows 7 Launch Events and Deals!

Windows 7 Launch Events

Finally, the event that people from around the globe have been waiting for – the official launch of Windows 7! Live streaming video, event photos, video highlights and more will be available starting at 8 AM Pacific (11 AM Eastern) at PressPass where you can “Watch the New York City Windows 7 Launch Party LIVE”.

Live coverage will also be provided by WinPatrol developer and fellow Microsoft MVP, Bill Pytlovany. He will be joined by the PC Pitstop Pit Crew. Join them tomorrow at: “Live Coverage – Windows 7 Launch Event in NYC”.

Watch for Windows 7 Launch Party invites in your area or host your own Windows 7 Meetup! Brandon LeBlanc provided additional details in the Windows 7 Team Blog: Windows 7’s Big Day Tomorrow + New Offers Announced!

7 Days of Windows 7

Microsoft worked with their partners to introduce a series of limited-time offers that will include deals on hardware, software, upgrades, support, and other options. Brandon reported at the Windows 7 Team Blog that new offers will be released daily. The deals will be available for the next 7 days on Windows.com (site live tomorrow). The limited-time offers will also be available through participating retail and OEM partner sites.

Following are the Day 1 offers posted on the Windows Team Blog:

  • Best Buy Bundle: HP Laptop, Desktop PC with monitor, Netbook, wireless router and set-up by Geek Squad for $1,199.
  • Dell: Save more than $100 on a Dell Studio XPS13
  • Gateway: All-in-one Acer Gateway ZX6800 23" for $880

Buy a PC - Get a Discounted Upgrade for another PC:

Buy a PC with Windows 7 Home Premium, Professional or Ultimate and purchase a discounted copy of Windows 7 Home Premium, Professional, or Ultimate to upgrade an existing Windows PC.

This offer will run through January 2nd, 2010 and be available in Germany, UK, Czech Republic, Greece, Slovakia, Poland, Latvia, Hungary, U.S., Canada, Denmark, France, New Zealand, Australia.

Windows 7 Family Pack:

The Windows 7 Family Pack is also available today while supplies last. Customers can buy 3 licenses of Windows 7 Home Premium for one low price – for the U.S. it’s available for $149.99.

The Windows 7 Family Pack is available in the U.S., Japan, Canada, Germany, UK, France, Netherlands, Switzerland, Austria, Ireland, Luxembourg, Sweden.

Windows 7 Student Offer:
If you are a student (an .edu email address is required), you can upgrade to Windows 7 at the LOWEST PRICE offered, $29.99 in the U.S.

This offer runs through January 3rd, 2010 for US, Canada, France, Germany, Korea, Mexico and UK and March 31st, 2010 for Australia.

See Microsoft Student for details.

Clubhouse Tags: Clubhouse, Windows 7, Microsoft, News, Tips, Information



Saturday, October 17, 2009

Firefox Add-ons Blocklist

Yesterday I told you about MS09-054: IE and Firefox Attack Surface and included recommendations for protecting your computer. Before posting that article, I made the changes to both Firefox and Internet Explorer on my computers.

Today, when I returned from running errands, I discovered the following Firefox pop-up message, "Add-ons may be causing problems"

FF_NetFramework

Following the "More information" link illustrated at the bottom of the above image led me to a Mozilla page which lists blocklisted add-ons that should no longer be used with Mozilla products.

Take a couple minutes to confirm that you do not have the following add-ons active on your computer:
  • Internet Download Manager, v2.1-3.3 for Firefox 3.0a1 and newer. Reason: caused startup crashes (see bug 382356).
  • Free Download Manager, v1.0-1.3.1 for Firefox 3.0a1 and newer. Reason: high crash volume (see bug 408445).
  • Yahoo Application State Plugin, v1.0.0.5 and older for Firefox 3.0a1 and newer. Reason: high crash volume (see bug 419127).
  • Vietnamese Language Pack, v2.0 for all applications. Reason: corrupted files (see bug 432406).
  • Apple QuickTime Plugin, v7.1.*, for all Firefox 3 versions on Windows. Reason: remote code execution in multiple versions (see bug 430826).
  • Crawler Toolbar, for Firefox 3.0a1 and newer. Reason: high crash volume (see bug 441649).
  • Daemon Tools Toolbar, versions older than 1.0.0.5, for all applications. Reason: high crash volume (see bug 459850).
  • AVG SafeSearch, versions older than 8.0, for Firefox 3.1a1 and newer. Reason: breaks a core navigation method (see bug 479095).
  • Microsoft .NET Framework Assistant and Windows Presentation Foundation, all versions, for all applications. Reason: remote code execution vulnerability (see bug 522777).

Compliments to the Mozilla developers for providing this service.


Clubhouse Tags: Clubhouse, Firefox, Tips, Security, Windows Vista, Windows 7, Information, How-To





Friday, October 16, 2009

MS09-054: IE and Firefox Attack Surface

The Security Research & Defense blog provided additional information on the attack surface for the IE Security Bulletin MS09-059, Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (975467). As explained:

“A browse-and-get-owned attack vector exists. All that is needed is for a user to be lured to a malicious website. Triggering this vulnerability involves the use of a malicious XBAP (XAML Browser Application). Please note that while this attack vector matches one of the attack vectors for MS09-061, the underlying vulnerability is different. Here, the affected process is the Windows Presentation Foundation (WPF) hosting process, PresentationHost.exe.

While the vulnerability is in an IE component, there is an attack vector for Firefox users as well. The reason is that .NET Framework 3.5 SP1 installs a “Windows Presentation Foundation” plug-in in Firefox”

In other words, if you happen upon a malicious website, with the Windows Presentation Foundation (WPF) plug-in enabled in Firefox, your computer is vulnerable.

Recommendations:

Internet Explorer

Although XBAP is disabled in IE8 on Win2k8 and Win2k3, that is not the case for IE7 or other operating systems. To disable this setting, edit the security settings in the Internet Zone as follows:

Launch Internet Explorer --> Click Tools --> Security Tab --> in Internet, click Custom level. Under .NET Framework --> XAML browser applications, Change the setting to Disable:

IE_NetFramework
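The same Internet zone setting can be checked from PowerShell. This is an added example, not part of the original post; it assumes PowerShell 3.0 or later and relies on Microsoft's documented zone registry layout (zone 3 is Internet, value 2400 is "XAML browser applications", data 3 is Disable). The function names are made up for this example.

```powershell
# Added example: audit, and optionally set, the "XAML browser applications"
# setting for the Internet zone that the GUI steps above change.
# Documented IE zone registry layout:
#   zone 3     = Internet
#   value 2400 = .NET Framework: XAML browser applications
#   data       = 0 Enable, 1 Prompt, 3 Disable

$ZoneKeySuffix = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$XbapAction    = '2400'
$Meaning       = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Policy keys are listed first: a value set there by Group Policy
# overrides the preference the user sets in the Security tab.
$Locations = [ordered]@{
    'Machine policy'     = "HKLM:\SOFTWARE\Policies\$ZoneKeySuffix"
    'User policy'        = "HKCU:\Software\Policies\$ZoneKeySuffix"
    'User preference'    = "HKCU:\Software\$ZoneKeySuffix"
    'Machine preference' = "HKLM:\SOFTWARE\$ZoneKeySuffix"
}

# Hypothetical helper: report the XBAP setting found in each location.
function Get-XbapZoneSetting {
    foreach ($name in $Locations.Keys) {
        $path  = $Locations[$name]
        $value = $null
        if (Test-Path -LiteralPath $path) {
            $item = Get-ItemProperty -LiteralPath $path -Name $XbapAction `
                        -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.$XbapAction }
        }

        if ($null -eq $value) {
            $setting = '(not set)'
        } elseif ($Meaning.ContainsKey([int]$value)) {
            $setting = $Meaning[[int]$value]
        } else {
            $setting = "Unknown ($value)"
        }

        [pscustomobject]@{
            Location = $name
            Value    = $value
            Setting  = $setting
            Path     = $path
        }
    }
}

# Hypothetical helper: write the per-user preference, which is what the
# Custom level dialog normally changes. Supports -WhatIf and -Confirm.
function Disable-XbapInInternetZone {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $path = $Locations['User preference']
    if ($PSCmdlet.ShouldProcess($path, "Set $XbapAction to 3 (Disable)")) {
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -Path $path -Force | Out-Null
        }
        Set-ItemProperty -LiteralPath $path -Name $XbapAction -Value 3 -Type DWord
    }
}

# Audit only; nothing is modified by this call.
Get-XbapZoneSetting | Format-Table -AutoSize

# Preview the change first, then run without -WhatIf to apply it:
# Disable-XbapInInternetZone -WhatIf
```

Any location that reports Enable or Prompt leaves XBAP content reachable from the Internet zone, and a policy entry has to be changed in Group Policy rather than per user.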


Firefox:

The WPF plug-in was installed in Firefox with .NET Framework 3.5. To disable the plug-in, do the following:

Click Tools --> Add-ons --> Click the Plugins Tab.
Select “Windows Presentation Foundation”, and click “Disable”.

FF_DisableWPF

To uninstall the “Windows Presentation Foundation” plug-in from Firefox, see Microsoft KB Article 963707, How to remove the .NET Framework Assistant for Firefox.





Tuesday, October 13, 2009

Adobe Reader and Acrobat Critical Update

Adobe has released a security bulletin addressing 28 vulnerabilities in Adobe Reader and Acrobat. The updates are identified as critical. Details are available in Adobe Security Bulletin apsb09-15.

Should you wish to switch to an alternate PDF reader, there are a number of open source readers available from http://pdfreaders.org/.

Warning: Hat tip from my friend Randy. The Google Toolbar is not required as part of the installation. If you do not want the toolbar, uncheck that option when installing the update.

Affected software versions

  • Adobe Reader 9.1.3 and earlier versions for Windows, Macintosh, and UNIX
  • Adobe Acrobat 9.1.3 and earlier versions for Windows and Macintosh
Adobe Reader Update Locations:

Acrobat Update Locations:

Reference: Adobe Security Bulletin apsb09-15





Microsoft Security Bulletin: 13 October 2009


Microsoft released 13 new bulletins which address 34 vulnerabilities in Windows, Internet Explorer and Microsoft Office.

Microsoft is also re-releasing MS08-069, Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (955218), to add detection for Windows 7 and Windows Server 2008 R2. Although this component does not ship with these platforms, many applications install it in order to use its functionality.

There was a change in the severity rating since the advance notification for several versions of Windows in the .NET bulletin (MS09-061). Microsoft elevated the severity from Important to Critical. This is not a regular practice; however, it was determined that this was the appropriate rating for these products when certain versions of the .NET Framework are installed on them.

The Malicious Software Removal Tool (MSRT) adds one new family this month: Win32/FakeScanti.

Critical

Important

References



Thursday, October 08, 2009

Advance Notice: October 2009 Microsoft Security Bulletin Release

On October 13, 2009, Microsoft is planning to release 13 bulletins (eight critical and five important), addressing 34 vulnerabilities. The affected products include Windows, Internet Explorer, Office, Silverlight, Forefront, Developer Tools, and SQL Server. Most of these updates require a restart.

According to the Advance Notification, of the 13 bulletins only one is designated Critical for Internet Explorer 8 on Windows 7. Four bulletins are designated Important for Windows 7. The full version of the Microsoft Security Bulletin Advance Notification for this month can be found at the TechNet link below.

Critical, Windows 7 (32 and 64 Bit):

  • Bulletin 5, an update for Windows Internet Explorer 8.
Important, Windows 7 (32 and 64 Bit):
  • Bulletins 6, 7, 10 and 12 are updates for Windows
Microsoft is additionally closing out two current security advisories:

References:

Clubhouse Tags: Clubhouse, Security, Updates, Microsoft, Information





Wednesday, October 07, 2009

European Commission to Market Test Browser Option in Windows 7

At a Press Conference today in Brussels, the European Commission announced (finally):
"I am pleased to announce that the Commission will formally market test proposals made by Microsoft to address the Commission's concerns regarding the tying of Internet Explorer to the Windows PC operating system."
Brad Smith, General Counsel, Microsoft Corporation, welcomed the European Commission announcement to move forward with formal market testing of Microsoft’s web browser proposal in Europe. An example of what to expect in the Web browser ballot is shown in the image below.


http://securitygarden.googlepages.com/EU_sm_BrowserBallot.GIF


Ideally, Europeans will be given the opportunity to select multiple browsers. This compromise is a major improvement over the prior option necessitating the separate downloading of a browser. The video and statement by Mr. Smith are available at Microsoft PressPass.

Clubhouse Tags: Clubhouse, Information, News, IE8






Monday, October 05, 2009

Windows Live Hotmail Phishing Scheme

Earlier today, Neowin reported that thousands of Windows Live Hotmail account details were publicly exposed:

“An anonymous user posted details of the accounts on October 1 at pastebin.com, a site commonly used by developers to share code snippets. The details have since been removed but Neowin has seen part of the list posted and can confirm the accounts are genuine and most appear to be based in Europe. The list details over 10,000 accounts starting from A through to B, suggesting there could be additional lists. Currently it appears only accounts used to access Microsoft's Windows Live Hotmail have been posted, this includes @hotmail.com, @msn.com and @live.com accounts.”

The Windows Live Team confirmed that the logon account information of several thousand Windows Live Hotmail accounts was exposed on a third-party site. It is believed that this was likely due to a phishing scheme.

Edit to add Windows Live Team Update:

"As of 3pm PT: We want to provide a quick update, that as a result of our investigation we are taking measures to block access to all of the accounts that were exposed and have resources in place to help those users reclaim their accounts.

If you believe your information was documented on the illegal list, please fill out the following form to reclaim access to your account."

If your account was compromised, please see “What to do if you think your account has been stolen”.

The Windows Live Team provided the following steps to take if you are a victim of this or any phishing scam:

Q: What should you do if you fall victim to a phishing scam? How should you respond? What steps should you take?

A: If you think that you may have responded to a phishing scam with personal or financial information or entered this information into a fake website, you should take four key steps: (1) report the incident to the proper authorities, (2) change the passwords on all your online accounts, (3) review your credit reports and your bank and credit card statements, and (4) make sure you are using the latest technologies to help protect yourself from future scams.

  1. For the first step:
    • If you have given out your credit card information, contact your credit company right away. The sooner a company knows your account may have been compromised, the easier it will be for them to help protect you.
    • Next, contact the company that you believe was forged. Remember to contact the organization directly, not through the e-mail message you received. Or call the organization's toll-free number and speak to a customer service representative. For Microsoft, call the PC Safety hotline at:
      1-866-PCSAFETY.
    • Then, report the incident to the proper authorities. Send an e-mail to spam@uce.gov to report it to the Federal Trade Commission and to reportphishing@antiphishing.org to report it to the Anti-Phishing Working Group.
  2. The second step is to change the passwords on all your online accounts. The reason for this is that a lot of people use the same password for multiple accounts. Start with passwords that are related to financial institutions or personal information. If you think someone has accessed your e-mail account, change your password immediately. If you’re using Hotmail, go to: http://account.live.com.
  3. The third step is to review your bank and credit card statements and your credit report monthly for unexplained charges, inquiries or activity that you didn’t initiate.
  4. Finally, make sure you use the latest products, such as anti-spam and anti-phishing capabilities in e-mail services, phishing filters in Web browsers and other services to help warn and protect you from online scams.”

As a precautionary step, it is advised that Windows Live Hotmail passwords be changed every 90 days. Instructions for changing your password as well as getting a refresh reminder are available in “Let Hotmail Remind You To Refresh Your Passwords Every 72 Days”.

With the end of the year Holidays approaching, phishing scams will be on the rise. Learn how to Create strong passwords, Protect your Windows Live ID and much more at the Microsoft Online Safety Fraud Prevention web page.

Clubhouse Tags: Security, Password, Windows Live, How-to, Hotmail, Clubhouse, Safety, Phishing, Information





Sunday, October 04, 2009

October is Cyber Security Awareness Month


Canada and the United States have set aside the month of October as Cyber Security Awareness Month. Wherever you may live, the tips provided by supporters of this endeavor are appropriate for all computer users.

To support the Cyber Security Awareness theme last year to "Protect Yourself Before You Connect Yourself", I scheduled a new "tip of the day" at Security Garden each day during October (Available in the Cyber Security label). Although it was a lot of fun, the theme this year is "Our Shared Responsibility".

With that in mind, wherever you may be, I challenge everyone who reads this to join in the endeavor – share the responsibility! As a home computer user or tech enthusiast, take responsibility for keeping yourself and your family safe online.

A starting point is ensuring that your family computer(s) have basic protection. Some months ago, I wrote a popular tutorial, Basic Computer Security for the Home User. If you are a “beginner”, that is a good place to start.

After your computer is protected with the basics, it is time to consider that the Internet is a virtual world with potential dangers and . . .

PROTECT YOUR FAMILY

As part of "Our Shared Responsibility", teach your children, grandchildren, cousins, nieces and nephews that “stranger danger” applies to the internet as well as on the street. This is especially important today with the wide usage of social networking sites by young adults. Be sure your children understand the importance of maintaining their privacy. If you are uncertain where or how to begin, Microsoft has published a number of articles, available from the Microsoft Family Safety webpage:


For those members of your family who are mature enough to participate in social networking sites, additional guidance is available from the Microsoft Family Safety webpage:

Particularly for younger children, I suggest child care-givers use Windows Live Family Safety or Windows Vista Parental Controls to create age-appropriate filters for internet usage of the children in your care.

Additional information on Cyber Security Awareness Month is available at the following locations:





