Thursday, December 29, 2011

Out-of-Band Critical Security Update MS11-100


Microsoft ended the year with a critical security update.  Security Update MS11-100 was released to address the issue described in Security Advisory 2659883.

The update resolves a publicly disclosed remote unauthenticated Denial of Service issue in ASP.NET versions 1.1 and above on all supported versions of .NET Framework.

Update: December 2011 Out-Of-Band Security Bulletin Webcast Q&A

Known Issues

See KB Article 2638420, MS11-100: Vulnerability in the .NET Framework could allow elevation of privilege: December 29, 2011.

Reminder

When updating .NET Framework, always install the update separately from other updates and follow with a shutdown/restart.

Support

The following additional information is provided in the Security Bulletin:
  • The affected software listed have been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your software version, visit Microsoft Support Lifecycle.
  • Customers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.
  • International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit International Help and Support.


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Saturday, December 24, 2011

Merry Christmas, Ukrainian Style

Merry Christmas to all my family, friends and Security Garden readers.

Sending warmest wishes to you and your family. May you enjoy the spirit of Christmas every day of the coming year.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~


Our family celebrates Christmas Eve in the Ukrainian tradition.  The video below includes examples of some of the traditional foods that are part of the Christmas Eve celebration.






Tuesday, December 20, 2011

Mozilla Firefox 9 Released, Includes Critical Security Fixes


Mozilla released Firefox 9 today, in keeping with the rapid release schedule.

As expected when a version update is released, you may find that many of your favorite add-ons are not compatible with the new release.  Use Add-on Compatibility Reporter to test and report on your favorite add-ons in version 9.

Security Updates

The following security updates are included in the release of Firefox 9, in which MFSA 2011-58, MFSA 2011-55, MFSA 2011-54 and MFSA 2011-53 are rated Critical, with MFSA 2011-57 rated High and MFSA 2011-56 rated Low.

MFSA 2011-58 Crash scaling to extreme sizes
MFSA 2011-57 Crash when plugin removes itself on Mac OS X
MFSA 2011-56 Key detection without JavaScript via SVG animation
MFSA 2011-55 nsSVGValue out-of-bounds access
MFSA 2011-54 Potentially exploitable crash in the YARR regular expression library
MFSA 2011-53 Miscellaneous memory safety hazards (rv:9.0)

What's New

The Release Notes listed the following new features in version 9:

The upgrade to Firefox 9 will be offered through the browser update mechanism.  However, as the upgrade includes critical security updates, it is recommended that the update be applied as soon as possible.  To get the update now, select Help, About Firefox, Check for Updates.

If you do not use the English language version, Fully Localized Versions are available for download.



Friday, December 16, 2011

Critical Security Update for Adobe Reader/Acrobat



Adobe released a critical security update addressing vulnerabilities being actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on Windows.

The update addresses memory corruption vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Acrobat and Reader users can update to the latest version using the built-in updater, by clicking "Help" and then "Check for Updates."  The Adobe Reader update for Windows is available from http://www.adobe.com/products/reader/

Adobe plans on updating all other versions as part of the next quarterly update scheduled for January 10, 2011.  According to Adobe, Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of this kind from executing.

Release Details

• Release date: December 16, 2011
• Vulnerability identifier: APSB11-30
• CVE number: CVE-2011-2462, CVE-2011-4369
• Platform: Windows

Alternatives

Several years ago, I tired of Adobe Reader and switched to Sumatra PDF, an alternate PDF reader.  After I got past the bright yellow GUI, I found Sumatra PDF to be a nice, light-weight option with no unnecessary add-ons or toolbars.  There are a number of open source readers available from http://pdfreaders.org/.



Tuesday, December 13, 2011

Microsoft December 2011 Security Bulletin Release


Microsoft released thirteen (13) bulletins addressing 19 vulnerabilities in Microsoft Windows, Microsoft Office (including Microsoft Office for Mac) and Internet Explorer.

Three bulletins are rated Critical with the remaining ten rated as Important.  Most updates will require a restart to complete the installation.

Originally, 14 bulletins were planned; one was withdrawn after Microsoft discovered a compatibility issue between the bulletin candidate addressing Security Advisory 2588513 and a major third-party vendor.  Microsoft is working with that vendor to address the issue on their platform.  Microsoft has been monitoring the issue in Security Advisory 2588513 and has not seen active attacks in the wild.

Disable Microsoft Fix it

MS11-087 was issued to address Security Advisory 2639658.  If you installed Microsoft Fix it 50792 before installing the updates released today, I recommend disabling the Fix it.

Direct download link: Microsoft Fix it 50793


Support

The following additional information is provided in the Security Bulletin:
• The affected software listed have been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your software version, visit Microsoft Support Lifecycle.
• Customers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.
• International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit International Help and Support.



Thursday, December 08, 2011

Security Bulletin Advance Notification for December, 2011


On Tuesday, December 13, 2011, Microsoft is planning to release fourteen (14) Security Bulletins, of which three bulletins are identified as Critical with the remaining as Important.

The bulletins address vulnerabilities in Microsoft Windows, Microsoft Office (including Microsoft Office for Mac) and Internet Explorer.  Most updates will require a restart to complete the installation.



Tuesday, December 06, 2011

Windows Defender Offline Beta, formerly Standalone System Sweeper

Although the Microsoft Standalone System Sweeper is currently still available at Connect, it can now also be found as Windows Defender Offline Beta on the Microsoft Help & How-to web pages.

Windows Defender Offline Beta Information




Security Advisory for Adobe Reader and Acrobat (APSA11-04)



Adobe released a Security Advisory (APSA11-04) which references a critical vulnerability in Adobe Reader X and Adobe Acrobat X (10.1.1) and earlier versions on all platforms.

The vulnerability relates to a memory corruption vulnerability which could cause a crash and potentially allow an attacker to take control of the affected system.  Adobe indicates that there are reports that the vulnerability is being actively exploited in the wild in limited, targeted attacks against Adobe Reader 9.x on Windows.

An update for Adobe Reader and Acrobat 9.x, for Windows only, is expected no later than the week of December 12, 2011.  Adobe plans on updating all other versions as part of the next quarterly update scheduled for January 10, 2011.  According to Adobe, Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of this kind from executing.

Alternatives

Several years ago, I tired of Adobe Reader and switched to Sumatra PDF, an alternate PDF reader.  After I got past the bright yellow GUI, I found Sumatra PDF to be a nice, light-weight option with no unnecessary add-ons or toolbars.  There are a number of open source readers available from http://pdfreaders.org/.

Advisory Details

• Release date: December 6, 2011
• Vulnerability identifier: APSA11-04
• CVE number: CVE-2011-2462
• Platform: All
