Mozilla Firefox 7.0.1 Released to Fix Missing Add-On Problem

The rapid release path for Firefox version updates did not run all that smoothly for Version 7.  After updating to Version 7, there were instances in which users discovered one or more of their add-ons were hidden.  As a result, the release of the new updates to Firefox Version 7 was paused in order to minimize the impact.

An update fixing the issue has been released.  To get the update now, select Help, About Firefox, Check for Updates.

Also available now is the list of vulnerabilities that were fixed in Version 7.

Fixed in Firefox 7

MFSA 2011-45 Inferring Keystrokes from motion data
MFSA 2011-44 Use after free reading OGG headers
MFSA 2011-43 loadSubScript unwraps XPCNativeWrapper scope parameter
MFSA 2011-42 Potentially exploitable crash in the YARR regular expression library
MFSA 2011-41 Potentially exploitable WebGL crashes
MFSA 2011-40 Code installation through holding down Enter
MFSA 2011-39 Defense against multiple Location headers due to CRLF Injection
MFSA 2011-36 Miscellaneous memory safety hazards (rv:7.0 / rv:1.9.2.23)

References

• Issue discovered with Firefox add-on upgrades | Mozilla Add-ons Blog
• Security Advisories for Firefox

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Mozilla Firefox 7 Released, Includes Security Updates

In keeping with the rapid release schedule, Mozilla released Firefox 7 today.

As expected when a version update is released, you may find that many of your favorite add-ons are not compatible with the new release.  Use Add-on Compatibility Reporter to test and report on your favorite add-ons in version 7.

The Release Notes listed the following new features in version 7,  At this point the indicated security updates are not listed in the Security Advisories.  There is, however, a very lengthy list of Bug Fixes for version 7.

What's New

• Drastically improved memory handling for certain use cases
• Added a new rendering backend to speed up Canvas operations on Windows systems
• Bookmark and password changes now sync almost instantly when using Firefox Sync
• The 'http://' URL prefix is now hidden by default
• Added support for text-overflow: ellipsis
• Added support for the Web Timing specification
• Enhanced support for MathML
• The WebSocket protocol has been updated from version 7 to version 8
• Added an opt-in system for users to send performance data back to Mozilla to improve future versions of Firefox
• Fixed several stability issues
• Fixed several security issues

The upgrade to Firefox 7 will be offered through the browser update mechanism.  However, as the upgrade includes critical security updates, it is recommended that the update be applied as soon as possible.  To get the update now, select Help, About Firefox, Check for Updates.

References

• Common questions after updating Firefox
• Mozilla Firefox Release Notes

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Microsoft Removes Gold Certified Partner Over Telephone Scam Claims

As illustrated in this topic on the Microsoft Answers forum, the issue of fake tech support telephone calls has been a problem for over two years.  The scams appeared to have originated in the U.K., spread to Australia, followed by Canada and the United States.

Although reports in various forum topics have pointed fingers at other vendors, in the instant case, the finger was pointing at "Comantra" who was a Microsoft Gold Certified Partner. 

Comantra, like other vendors, was said to have cold-called people, implying that they represent Microsoft.  After convincing the call recipients that the errors seen in Event Viewer on Windows are dangerous, the technicians would attempt to convince the people to allow the technicians to have remote access to their computer.  Repairs, of course, required a credit card charge.

About Microsoft Gold Certified and Certified Partners

It is important to understand that being a Microsoft Partner, in any shape, whether Certified or Gold Certified, does not mean that the company represents Microsoft.  Rather, it merely means that the company has met the requisite requirements, has paid the requisite fee and has earned the appropriate Partner Points for the Partner level.  The requirements for both Microsoft Gold Certified and Microsoft Certified Partners are fully described at the eHow.com references below.

In addition to the above, Microsoft Gold Certified Partners must employ a minimum number of Microsoft certified professionals, meet the certification and sales requirements and submit competency-specific customer referrals.

Microsoft Certified Partners additionally complete one of three requirements (i.e. employ or employ by contract at least two Microsoft Certified Professionals, with three customer references approved by Microsoft or product software that Microsoft has tested and approved or hardware that a Microsoft authorized testing vendor has approved.)

How to handle telephone scams

If you receive a call from someone claiming to be representing Microsoft or Microsoft tech support, just hang up!  Microsoft does not make unsolicited calls.

In the event you have been taken in by one of the fake tech support calls, it is strongly recommended that you take the following steps:

• Change the passwords or PINs on your computer and your online accounts.
• Place a fraud alert on your credit reports.
• If you know of any accounts that were accessed or opened fraudulently, close those accounts.
• Routinely review your bank and credit card statements monthly for unexplained charges or inquiries that were not initiated by you.

People in Australia, Canada, U.K. and U.S. appear to have been hardest hit by telephone tech support scams.  The links below have additional information and resources.

• AU:  SCAM Watch
• CA:  Canadian Anti-Fraud Centre
• UK:  National Fraud Authority.
• US:  Consumer Fraud Reporting

References

• Microsoft dumps Gold partner accused of scamming customers
• Microsoft dumps partner over telephonescam claims | Naked Security
• Microsoft dumps partner over support call scam | News | PC Pro
• What is a Microsoft Gold Certified Partner? | eHow.com
• Microsoft Certified Partner Requirements | eHow.com

Microsoft References

• Avoid scams that use the Microsoft name fraudulently | Microsoft Security
• 08Mar2010 Don’t fall for phony phone tech support - Security Tips & Talk - Site Home - MSDN Blogs
• 26Aug2010 Microsoft issues warning on phone scam, Security and Privacy, News Centre | Microsoft Australia
• 16May2011 Local news says, “Those calls are not coming from Microsoft” - Security Tips & Talk - Site Home - MSDN Blogs

History

Articles illustrative of the on-going telephone scam problem:

• Bogus Support Organizations use Live Operators to Install Malware
• Police close in on PC support fraudsters
• Sunbelt Blog: Help desk phone scams are alive and well
• Virus phone scam being run from call centres in India | Technology | The Guardian
• Canadians increasingly defrauded by fake tech support phone calls | Naked Security
• ISC Diary | Microsoft Support Scam (again)

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Critical Adobe Flash Update

Adobe Flash Player was updated to address critical security issues as well as what is described as an important universal cross-site scripting issue that is reportedly being exploited in the wild in targeted attacks. The exploit could cause a crash and potentially allow an attacker to take control of the affected system.

The newest version for Windows, Macintosh, Linux and Solaris is 10.3.183.10 and the update for Android is 10.3.186.7.

Release date: September 21, 2011
Vulnerability identifier: APSB11-26
CVE number:  CVE-2011-2426, CVE-2011-2427, CVE-2011-2428, CVE-2011-2429, CVE-2011-2430, CVE-2011-2444
Platform: All platforms

Adobe Flash Player for Android 10.3.186.7 by downloading it from the Android Marketplace by browsing to it on a mobile phone.

Browser Update Instructions

Although Adobe suggests downloading the update from the Adobe Flash Player Download Center or by using the auto-update mechanism within the product when prompted, if you prefer, the direct download links are as follows:

• IE: http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
• Non-IE (Opera, Firefox etc) http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe

If you use the Adobe Flash Player Download Center, be careful to UNCHECK the box shown below. It is not needed for the Flash Player update.  In addition, any toolbar offered with Adobe products can be unchecked if not wanted.

Free McAfee® Security Scan Plus (optional) 

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu.

Do this for each browser installed on your computer.

References

• Adobe Security Advisory: Security update available for Adobe Flash Player
• Adobe PSIRT Blog: Security Update for Adobe Flash Player (APSB11-26)

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Critical Updates for Adobe Reader/Acrobat

Adobe released a Security Bulletin (APSB11-24) which contains the quarterly security updates for Adobe Reader and Acrobat. The updates address critical security issues in the products. Adobe recommends that users apply the updates for their product installations.

Details

• Release date: September 13, 2011
• Vulnerability identifier: APSB11-24
• CVE numbers: CVE-2011-1353, CVE-2011-2431,  CVE-2011-2432, CVE-2011-2433, CVE-2011-2434, CVE-2011-2435, CVE-2011-2436, CVE-2011-2437, CVE-2011-2438, CVE-2011-2439, CVE-2011-2440, CVE-2011-2441, CVE-2011-2442
• Platform: All

Acrobat and Reader users can update to the latest version using the built-in updater, by clicking “Help” and then “Check for Updates.” The Adobe Reader update for Windows is available from http://www.adobe.com/products/reader/. 

The next quarterly security updates for Adobe Reader and Acrobat are currently scheduled for December 13, 2011. 

Alternatively, you could switch to an alternate PDF reader.  There are a number of open source readers available from http://pdfreaders.org/.  I have been using Sumatra PDF for around three years.  Nitro Reader is also a viable substitute.

References

• Security Bulletin: Adobe-Security Bulletins: APSB11-08
• PSIRT Blog: Security updates available for Adobe Reader and Acrobat (APSB11-08)

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Microsoft September 2011 Security Bulletin Release

Microsoft released five (5) bulletins addressing vulnerabilities in Microsoft Windows and Office  All five bulletins are rated Important.

• MS11-070 Vulnerability in WINS Could Allow Elevation of Privilege (2571621)
• MS11-071 Vulnerability in Windows Components Could Allow Remote Code Execution (2570947)
• MS11-072 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2587505)
• MS11-073  Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2587634)
• MS11-074  Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2451858)

Although the Executive Summaries indicate that the updates "may" require a restart, regardless of the recommendation, it is always best to restart your computer after applying updates. 

Support

The following additional information is provided in the Security Bulletin:

• The affected software listed have been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your software version, visit Microsoft Support Lifecycle.
  
• Customers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.
• International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit International Help and Support.

References

• MSRC: More on DigiNotar Certificates, and September Bulletins
• TechNet: Microsoft Security Bulletin Summary for September 2011

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Mouse without Borders

Mouse without Borders is a program created in The Garage at Microsoft by Truong Do, a developer for Microsoft Dynamics.  The software allows you to use one keyboard and mouse across your PC's as if they were one desktop.  You can control up to four computers with a single mouse and keyboard with Mouse without Borders.

Features

• Control up to four (4) computers
• Move or copy files between computers by dragging from one desktop to another
• Lock or log in to all PCs from one PC
• Personalize Logon Screen
• Get/Send Screen Capture

Installation

Install Mouse Without Borders on the first PC:

At this screen, click No:

 

You will be presented with a Security Code:

 

Now follow the same installation instructions on the second PC, but this time click Yes to acknowledge installation on another computer and fill in the Security Code information from the first computer.

The two computers will be linked!

Uninstalling Mouse Without Borders

This update is to add information should you wish to uninstall Mouse Without Borders.  You can uninstall Mouse Without Borders as you would any other program through Control Panel.  However, if you cannot locate it, that is because you are looking in the wrong place!  Scroll further down further and you will find it under Windows Garage.

In the event you are still having problems removing it, run the following command as an Admin:

msiexec /uninstall {D3BC954F-D661-474C-B367-30EB6E56542E}

I recommend exiting the program prior to uninstalling.  

References

• Download Link: Download Now [1.1mb]
• Source: Microsoft download from The Garage: Mouse without Borders
• Privacy Information: Microsoft Office Labs Application Prototypes Privacy Statement
• Unofficial community-powered support for Mouse without Borders on Get Satisfaction

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Diagnose and Fix Program Installing/Uninstalling Problems

There are occasions when a program will not completely uninstall.  Other times, there are issues preventing a new program to be installed.

A recently released Microsoft Fix it solution is available to assist in diagnosing and fixing program installing and uninstalling problems automatically.

What it fixes...

• Removes bad registry key on 64 bit operating systems.
• Windows registry keys that control the upgrade (patching) data that become corrupted.
• Resolves problems that prevent new programs from being installed.
• Resolves problems that prevent programs from being completely uninstalled and blocking new installations and updates.
• Use this troubleshooter for an uninstall only if the program fails to uninstall using the windows add/remove programs feature.

Download Link

Diagnose and fix program installing and uninstalling problems automatically

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Adobe News: Released Updates, Advance Notice and DigiNotar

Critical security updates were issued by Adobe earlier this week for Adobe Flash Player, Shockwave Player, Photoshop and more.  Details are available in the Released Updates linked below.

On Tuesday, September 13, 2011, Adobe is planning to release updates for Adobe Reader X (10.1) and Adobe Acrobat X (10.1) and earlier versions for Windows and Macintosh to resolve critical security issues.

Adobe additionally announced that they are in the process of removing the DigiNotar Qualified CA certificate from the Adobe Approved Trust List, indicating a further update is forthcoming.

In the meantime, the instructions below were provided by PSIRT for manually removing the DigiNotar certificates from Adobe Reader and Acrobat:

Adobe Reader Version 9
1)   Open Adobe Reader.
2)   Open the Document Menu and choose Manage Trusted Identities.
3)   Drop down the ‘Display’ box that reads ‘Contacts’ and choose ‘Certificates.’
4)   Select the DigiNotar Qualified CA. If you do not see this certificate in the list, no further action is required.
5)   Click Delete, and then confirm the deletion by clicking OK.

Adobe Acrobat Version 9
1)   Open Adobe Acrobat.
2)   Open the Advanced Menu and choose Manage Trusted Identities.
3)   Drop down the ‘Display’ box that reads ‘Contacts’ and choose ‘Certificates.’
4)   Select the DigiNotar Qualified CA. If you do not see this certificate in the list, no further action is required.
5)   Click Delete, and then confirm the deletion by clicking OK.

Adobe Reader and Acrobat X
1)   Open Adobe Reader or Acrobat.
2)   Open the Edit Menu->Protection->Manage Trusted Identities.
3)   Drop down the ‘Display’ box that reads ‘Contacts’ and choose ‘Certificates.’
4)   Select the DigiNotar Qualified CA. If you do not see this certificate in the list, no further action is required.
5)   Click Delete, and then confirm the deletion by clicking OK.

 Adobe Product Released Updates

• APSB11-19 – Security update available for Adobe Shockwave Player (Critical Severity)
• APSB11-20 – Security update available for Adobe Flash Media Server (Critical Severity)
• APSB11-21 – Security update available for Adobe Flash Player (Critical Severity)
• APSB11-22 – Security update available for Adobe Photoshop CS5 (Critical Severity)
• APSB11-23 – Security updates available for RoboHelp (Important Severity)

References

• Adobe Product Security Updates
• PSIRT Blog: Prenotification: Quarterly Security Updates for Adobe Reader and Acrobat
• PSIRT Blog: Update on DigiNotar and the Adobe Approved Trust List (AATL)
• Security Bulletin APSB11-24: Prenotification Security Advisory for Adobe Reader and Acrobat

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Security Bulletin Advance Notification for September, 2011

On Tuesday, September 14, 2011, Microsoft is planning to release five (5) Security Bulletins, addressing 15 vulnerabilities. The bulletins are rated Important and address vulnerabilities in Microsoft Windows and Office.

The bulletins address Elevation of Privilege and Remote Code Execution, with at least one requiring a restart. Whether required or not, it is advised to restart your computer after installing updates.

References

• MSRC Blog: Advanced Notification for the September 2011 Bulletin Release
• TechNet: Microsoft Security Bulletin Advance Notification for September 2011

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Mozilla Firefox 6.0.2 Update Released

To complete the process of providing protection against fraudulent DigiNotar certificates, Firefox 6.0.2 was released to the update channel today.  (It has been available via FTP downloads since Sunday.)

From the Release Notes:

• Removed trust exceptions for certificates issued by Staat der Nederlanden (see bug 683449 and the security advisory)
• Resolved an issue with gov.uk websites (see bug 669792)

The update to Firefox 6.0.2 is being offered through the browser update mechanism.  To get the update now, select Help, About Firefox, Check for Updates.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Microsoft Security Update for DigiNotar Certificates

Microsoft Security Advisory 2607712 has been updated to revoke the trust of the DigiNotar root certificates by placing them into the Microsoft Untrusted Certificate Store.

The update is available via Automatic Update and applies to all supported releases of Microsoft Windows, including Windows XP, Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2.

Copied below are the known issues from Microsoft KB Article 2607712, Microsoft Security Advisory: Fraudulent digital certificates could allow spoofing for this update. 

Known issues

• A restart is required for all editions of Windows XP and of Windows Server 2003.
  
  
• A restart is not required for all editions of Windows Vista, of Windows 7, of Windows Server 2008, and of Windows Server 2008 R2. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, you receive a message that advises you to restart.
  
  
• At the explicit request of the Dutch government, the release of this update on Windows Update will be delayed for the Netherlands.
  
  This update will become available to the Netherlands on Windows Update and on all Automatic Update channels at a later date. Customers who want to manually install this update should click the appropriate platform download in the "Download information" section. On the next page, users will be able to select the language to install and can continue with the download and the installation.
  

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...