Friday, September 30, 2011

Mozilla Firefox 7.0.1 Released to Fix Missing Add-On Problem

The rapid release path for Firefox version updates did not run all that smoothly for Version 7.  After updating to Version 7, there were instances in which users discovered one or more of their add-ons were hidden.  As a result, the release of the new updates to Firefox Version 7 was paused in order to minimize the impact.

An update fixing the issue has been released.  To get the update now, select Help, About Firefox, Check for Updates.

Also available now is the list of vulnerabilities that were fixed in Version 7.

Fixed in Firefox 7

MFSA 2011-45 Inferring Keystrokes from motion data
MFSA 2011-44 Use after free reading OGG headers
MFSA 2011-43 loadSubScript unwraps XPCNativeWrapper scope parameter
MFSA 2011-42 Potentially exploitable crash in the YARR regular expression library
MFSA 2011-41 Potentially exploitable WebGL crashes
MFSA 2011-40 Code installation through holding down Enter
MFSA 2011-39 Defense against multiple Location headers due to CRLF Injection
MFSA 2011-36 Miscellaneous memory safety hazards (rv:7.0 / rv:1.9.2.23)

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Tuesday, September 27, 2011

Mozilla Firefox 7 Released, Includes Security Updates


In keeping with the rapid release schedule, Mozilla released Firefox 7 today.

As expected when a version update is released, you may find that many of your favorite add-ons are not compatible with the new release.  Use Add-on Compatibility Reporter to test and report on your favorite add-ons in version 7.

The Release Notes listed the following new features in version 7.  At this point, the indicated security updates are not listed in the Security Advisories.  There is, however, a very lengthy list of Bug Fixes for version 7.

What's New

  • Drastically improved memory handling for certain use cases
  • Added a new rendering backend to speed up Canvas operations on Windows systems
  • Bookmark and password changes now sync almost instantly when using Firefox Sync
  • The 'http://' URL prefix is now hidden by default
  • Added support for text-overflow: ellipsis
  • Added support for the Web Timing specification
  • Enhanced support for MathML
  • The WebSocket protocol has been updated from version 7 to version 8
  • Added an opt-in system for users to send performance data back to Mozilla to improve future versions of Firefox
  • Fixed several stability issues
  • Fixed several security issues

The upgrade to Firefox 7 will be offered through the browser update mechanism.  However, as the upgrade includes critical security updates, it is recommended that the update be applied as soon as possible.  To get the update now, select Help, About Firefox, Check for Updates.



Wednesday, September 21, 2011

Microsoft Removes Gold Certified Partner Over Telephone Scam Claims

As illustrated in this topic on the Microsoft Answers forum, the issue of fake tech support telephone calls has been a problem for over two years.  The scams appeared to have originated in the U.K., spread to Australia, followed by Canada and the United States.

Although reports in various forum topics have pointed fingers at other vendors, in the instant case, the finger was pointing at "Comantra", which was a Microsoft Gold Certified Partner.

Comantra, like other vendors, was said to have cold-called people, implying that they represent Microsoft.  After convincing the call recipients that the errors seen in Event Viewer on Windows are dangerous, the technicians would attempt to convince the people to allow the technicians to have remote access to their computer.  Repairs, of course, required a credit card charge.

About Microsoft Gold Certified and Certified Partners

It is important to understand that being a Microsoft Partner, in any shape, whether Certified or Gold Certified, does not mean that the company represents Microsoft.  Rather, it merely means that the company has met the requisite requirements, has paid the requisite fee and has earned the appropriate Partner Points for the Partner level.  The requirements for both Microsoft Gold Certified and Microsoft Certified Partners are fully described at the eHow.com references below.

In addition to the above, Microsoft Gold Certified Partners must employ a minimum number of Microsoft certified professionals, meet the certification and sales requirements and submit competency-specific customer referrals.

Microsoft Certified Partners additionally complete one of three requirements (i.e. employ or employ by contract at least two Microsoft Certified Professionals, with three customer references approved by Microsoft or product software that Microsoft has tested and approved or hardware that a Microsoft authorized testing vendor has approved.)

How to handle telephone scams

If you receive a call from someone claiming to be representing Microsoft or Microsoft tech support, just hang up!  Microsoft does not make unsolicited calls.

In the event you have been taken in by one of the fake tech support calls, it is strongly recommended that you take the following steps:
  • Change the passwords or PINs on your computer and your online accounts.
  • Place a fraud alert on your credit reports.
  • If you know of any accounts that were accessed or opened fraudulently, close those accounts.
  • Routinely review your bank and credit card statements monthly for unexplained charges or inquiries that were not initiated by you.

People in Australia, Canada, U.K. and U.S. appear to have been hardest hit by telephone tech support scams.  The links below have additional information and resources.

References


Microsoft References


History


Articles illustrative of the on-going telephone scam problem:






Critical Adobe Flash Update


Adobe Flash Player was updated to address critical security issues as well as what is described as an important universal cross-site scripting issue that is reportedly being exploited in the wild in targeted attacks. The exploit could cause a crash and potentially allow an attacker to take control of the affected system.

The newest version for Windows, Macintosh, Linux and Solaris is 10.3.183.10 and the update for Android is 10.3.186.7.

  • Release date: September 21, 2011
  • Vulnerability identifier: APSB11-26
  • CVE numbers: CVE-2011-2426, CVE-2011-2427, CVE-2011-2428, CVE-2011-2429, CVE-2011-2430, CVE-2011-2444
  • Platform: All platforms

Adobe Flash Player for Android 10.3.186.7 is available from the Android Marketplace by browsing to it on a mobile phone.

Browser Update Instructions

Although Adobe suggests downloading the update from the Adobe Flash Player Download Center or by using the auto-update mechanism within the product when prompted, if you prefer, the direct download links are as follows:
If you use the Adobe Flash Player Download Center, be careful to UNCHECK the box shown below. It is not needed for the Flash Player update.  In addition, any toolbar offered with Adobe products can be unchecked if not wanted.





Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu.

Do this for each browser installed on your computer.




Tuesday, September 13, 2011

Critical Updates for Adobe Reader/Acrobat



Adobe released a Security Bulletin (APSB11-24) which contains the quarterly security updates for Adobe Reader and Acrobat. The updates address critical security issues in the products. Adobe recommends that users apply the updates for their product installations.

Details

  • Release date: September 13, 2011
  • Vulnerability identifier: APSB11-24
  • CVE numbers: CVE-2011-1353, CVE-2011-2431, CVE-2011-2432, CVE-2011-2433, CVE-2011-2434, CVE-2011-2435, CVE-2011-2436, CVE-2011-2437, CVE-2011-2438, CVE-2011-2439, CVE-2011-2440, CVE-2011-2441, CVE-2011-2442
  • Platform: All

Acrobat and Reader users can update to the latest version using the built-in updater, by clicking “Help” and then “Check for Updates.” The Adobe Reader update for Windows is available from http://www.adobe.com/products/reader/

The next quarterly security updates for Adobe Reader and Acrobat are currently scheduled for December 13, 2011. 

Alternatively, you could switch to an alternate PDF reader.  There are a number of open source readers available from http://pdfreaders.org/.  I have been using Sumatra PDF for around three years.  Nitro Reader is also a viable substitute.




Microsoft September 2011 Security Bulletin Release


Microsoft released five (5) bulletins addressing vulnerabilities in Microsoft Windows and Office.  All five bulletins are rated Important.

  • MS11-070 Vulnerability in WINS Could Allow Elevation of Privilege (2571621)
  • MS11-071 Vulnerability in Windows Components Could Allow Remote Code Execution (2570947)
  • MS11-072 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2587505)
  • MS11-073 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2587634)
  • MS11-074 Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2451858)

Although the Executive Summaries indicate that the updates "may" require a restart, regardless of the recommendation, it is always best to restart your computer after applying updates. 

Support

The following additional information is provided in the Security Bulletin:
  • The affected software listed have been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your software version, visit Microsoft Support Lifecycle.
  • Customers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.
  • International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit International Help and Support.



Sunday, September 11, 2011

Mouse without Borders

Mouse without Borders is a program created in The Garage at Microsoft by Truong Do, a developer for Microsoft Dynamics.  The software allows you to use one keyboard and mouse across your PCs as if they were one desktop.  You can control up to four computers with a single mouse and keyboard with Mouse without Borders.

Features

  • Control up to four (4) computers
  • Move or copy files between computers by dragging from one desktop to another
  • Lock or log in to all PCs from one PC
  • Personalize Logon Screen
  • Get/Send Screen Capture



Installation

Install Mouse Without Borders on the first PC:



At this screen, click No:

 

You will be presented with a Security Code:


Now follow the same installation instructions on the second PC, but this time click Yes to acknowledge installation on another computer and fill in the Security Code information from the first computer.


The two computers will be linked!


Uninstalling Mouse Without Borders

This update is to add information should you wish to uninstall Mouse Without Borders.  You can uninstall Mouse Without Borders as you would any other program through Control Panel.  However, if you cannot locate it, that is because you are looking in the wrong place!  Scroll further down and you will find it under Windows Garage.

In the event you are still having problems removing it, run the following command as an Admin:

msiexec /uninstall {D3BC954F-D661-474C-B367-30EB6E56542E}

I recommend exiting the program prior to uninstalling.  



Saturday, September 10, 2011

Diagnose and Fix Program Installing/Uninstalling Problems


There are occasions when a program will not completely uninstall.  Other times, there are issues preventing a new program from being installed.

A recently released Microsoft Fix it solution is available to assist in diagnosing and fixing program installing and uninstalling problems automatically.

What it fixes...

  • Removes bad registry key on 64 bit operating systems.
  • Windows registry keys that control the upgrade (patching) data that become corrupted.
  • Resolves problems that prevent new programs from being installed.
  • Resolves problems that prevent programs from being completely uninstalled and blocking new installations and updates.
  • Use this troubleshooter for an uninstall only if the program fails to uninstall using the windows add/remove programs feature.

Download Link

Diagnose and fix program installing and uninstalling problems automatically




Friday, September 09, 2011

Adobe News: Released Updates, Advance Notice and DigiNotar


Critical security updates were issued by Adobe earlier this week for Adobe Flash Player, Shockwave Player, Photoshop and more.  Details are available in the Released Updates linked below.

On Tuesday, September 13, 2011, Adobe is planning to release updates for Adobe Reader X (10.1) and Adobe Acrobat X (10.1) and earlier versions for Windows and Macintosh to resolve critical security issues.

Adobe additionally announced that they are in the process of removing the DigiNotar Qualified CA certificate from the Adobe Approved Trust List, indicating a further update is forthcoming.

In the meantime, the instructions below were provided by PSIRT for manually removing the DigiNotar certificates from Adobe Reader and Acrobat:

Adobe Reader Version 9
1)   Open Adobe Reader.
2)   Open the Document Menu and choose Manage Trusted Identities.
3)   Drop down the ‘Display’ box that reads ‘Contacts’ and choose ‘Certificates.’
4)   Select the DigiNotar Qualified CA. If you do not see this certificate in the list, no further action is required.
5)   Click Delete, and then confirm the deletion by clicking OK.

Adobe Acrobat Version 9
1)   Open Adobe Acrobat.
2)   Open the Advanced Menu and choose Manage Trusted Identities.
3)   Drop down the ‘Display’ box that reads ‘Contacts’ and choose ‘Certificates.’
4)   Select the DigiNotar Qualified CA. If you do not see this certificate in the list, no further action is required.
5)   Click Delete, and then confirm the deletion by clicking OK.

Adobe Reader and Acrobat X
1)   Open Adobe Reader or Acrobat.
2)   Open the Edit Menu->Protection->Manage Trusted Identities.
3)   Drop down the ‘Display’ box that reads ‘Contacts’ and choose ‘Certificates.’
4)   Select the DigiNotar Qualified CA. If you do not see this certificate in the list, no further action is required.
5)   Click Delete, and then confirm the deletion by clicking OK.

 Adobe Product Released Updates



Thursday, September 08, 2011

Security Bulletin Advance Notification for September, 2011


On Tuesday, September 14, 2011, Microsoft is planning to release five (5) Security Bulletins, addressing 15 vulnerabilities. The bulletins are rated Important and address vulnerabilities in Microsoft Windows and Office.

The bulletins address Elevation of Privilege and Remote Code Execution, with at least one requiring a restart. Whether required or not, it is advised to restart your computer after installing updates.



Wednesday, September 07, 2011

Mozilla Firefox 6.0.2 Update Released


To complete the process of providing protection against fraudulent DigiNotar certificates, Firefox 6.0.2 was released to the update channel today.  (It has been available via FTP downloads since Sunday.)

From the Release Notes:

The update to Firefox 6.0.2 is being offered through the browser update mechanism.  To get the update now, select Help, About Firefox, Check for Updates.





Tuesday, September 06, 2011

Microsoft Security Update for DigiNotar Certificates

Microsoft Security Advisory 2607712 has been updated to revoke the trust of the DigiNotar root certificates by placing them into the Microsoft Untrusted Certificate Store.

The update is available via Automatic Update and applies to all supported releases of Microsoft Windows, including Windows XP, Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2.

Copied below are the known issues for this update from Microsoft KB Article 2607712, "Microsoft Security Advisory: Fraudulent digital certificates could allow spoofing."

Known issues

  • A restart is required for all editions of Windows XP and of Windows Server 2003.

  • A restart is not required for all editions of Windows Vista, of Windows 7, of Windows Server 2008, and of Windows Server 2008 R2. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, you receive a message that advises you to restart.

  • At the explicit request of the Dutch government, the release of this update on Windows Update will be delayed for the Netherlands.

    This update will become available to the Netherlands on Windows Update and on all Automatic Update channels at a later date. Customers who want to manually install this update should click the appropriate platform download in the "Download information" section. On the next page, users will be able to select the language to install and can continue with the download and the installation.
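
One way to confirm the result on a given machine, as an added PowerShell example that is not from Microsoft or the original post: it lists certificates naming DigiNotar in the local machine's trust stores and in the Untrusted Certificates store (Disallowed), then reports any that are still trusted. Matching on the name "DigiNotar" rather than on published thumbprints, and the function name, are assumptions of this example.

```powershell
# Added example: audit the local machine certificate stores for DigiNotar entries.
# Assumption: certificates are matched by the text "DigiNotar" in Subject or
# Issuer; no thumbprint list is used because the page does not provide one.
function Get-DigiNotarCertificate {
    param(
        # Root/AuthRoot = trusted roots, CA = intermediates,
        # Disallowed = the Untrusted Certificates store.
        [string[]]$Store = @('Root', 'AuthRoot', 'CA', 'Disallowed')
    )
    foreach ($name in $Store) {
        $path = "Cert:\LocalMachine\$name"
        if (-not (Test-Path $path)) { continue }   # store absent on this system
        Get-ChildItem $path |
            Where-Object { $_.Subject -match 'DigiNotar' -or $_.Issuer -match 'DigiNotar' } |
            Select-Object @{ n = 'Store'; e = { $name } },
                          Subject, Issuer, Thumbprint, NotAfter
    }
}

$found   = @(Get-DigiNotarCertificate)

# Thumbprints explicitly distrusted on this machine.
$blocked = @($found |
    Where-Object { $_.Store -eq 'Disallowed' } |
    ForEach-Object { $_.Thumbprint })

# Entries sitting in a trust store whose thumbprint is NOT in Disallowed.
$stillTrusted = @($found | Where-Object {
    $_.Store -ne 'Disallowed' -and $blocked -notcontains $_.Thumbprint
})

"DigiNotar certificates in Disallowed: $($blocked.Count)"
if ($stillTrusted.Count -gt 0) {
    "Still trusted (review and confirm the update is installed):"
    $stillTrusted | Format-Table Store, Subject, Thumbprint -AutoSize
} else {
    "No DigiNotar certificate remains trusted in Root, AuthRoot or CA."
}
```

Run it from an elevated PowerShell prompt after the update has been installed and any required restart is complete.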



