Monday, February 27, 2012

avast! Users Frustrated With Unwanted Chrome Browser

Reports of the inclusion of Google Chrome with the latest avast! upgrade began trickling in several days ago when Version 7 was released. 

As illustrated below, the issue is complicated by differing reports of the upgrade process.
  • Some avast! users report that they were not presented with the pre-checked option to install Google Chrome.
  • There are reports that the avast! window presented after reboot does not remain active long enough to uncheck the pre-checked options.  (Note:  it was also reported that the window was presented after the first hard restart rather than the initial restart installing the upgrade.)
  • People with Google Chrome installed have reported that even unchecking the installation option resulted in a second install of Chrome! In addition, that second install wreaked havoc with the existing Chrome installation, resetting the current user's profile to default and leaving extensions missing.
  • Others reported problems with Hostman Server and Sandboxie, necessitating an uninstall/reinstall of avast!.
Granted, the Google Chrome browser is not scareware, adware or spyware.  When a vendor includes an add-on such as a toolbar or, in this case, the Google Browser, the point is "pay per install", thus the reason for the pre-checked option. 

As the sampling of comments below from the avast! forum shows, when the option to uncheck the install either does not stay on screen long enough for the user to reach it or the user's choice is ignored, trust in the vendor's product is lost:
"I used to recommend Avast.  I won't be doing that anymore.  I just don't trust it after this happened and I see all the issues others had."

"One more dissatisfied user here!  Avast notified me that it wanted to install Version 7.  NOTHING ABOUT CHROME!!  Then after it installed 7 a screen pops up asking if I wanted to install Chrome.  I responded NO and then the 7 installation wanted me to click "Finish."  When the screen cleared there was a Chrome icon on the desktop."


"The install welcome screen launched and before I had time to read the screen the install started never a chance to opt-out or configure the install."

"I didn't have Chrome on my pc before I updated avas6. On rebooting the pc I found to my absolute horror that the developers at avast think they know better than me about what software I need and had installed chrome. At no time did ANY warning appear, or my consent was sought to install anything other than the update. I consider this action to be one of MALWARE."

    Recommendations

    1. When upgrading to avast! Version 7, select "Custom" install and select the options you want to use.
    2. After the installation is complete, watch for the following window to appear:

    3. According to your preferences, leave checked or uncheck the option to "Participate in the avast! community".
    4. If you already have Google Chrome installed or do not want Google Chrome installed, uncheck the boxes in the following order:

      a)  First, uncheck "Make Google Chrome my default browser". 
      b)  Next, uncheck "No, do not install the Google Chrome web browser".
      c)  Click Finish.






    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...


    Thursday, February 16, 2012

    Critical Updates to Adobe Flash and Shockwave Players

    Adobe released updates to both Adobe Flash and Shockwave Players. The updates address critical vulnerabilities in both products.  Vulnerability and update details for both products are included below.



    As described in the Security Bulletin for Adobe Flash Player, the critical vulnerabilities addressed in the update could cause a crash and potentially allow an attacker to take control of the affected system. 

    It is also noted that the update addresses a cross-site scripting vulnerability in Internet Explorer on Windows systems that is being exploited in the wild.

    Release date: February 15, 2012
    Vulnerability identifier: APSB12-03
    CVE number: CVE-2012-0751, CVE-2012-0752, CVE-2012-0753, CVE-2012-0754, CVE-2012-0755, CVE-2012-0756, CVE-2012-0767
    Platform: All Platforms

    Flash Player Update Instructions

    Adobe Flash Player for Android

    The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.

    Flash Player for Windows, Macintosh, Linux and Solaris

    Although Adobe suggests downloading the update from the Adobe Flash Player Download Center or by using the auto-update mechanism within the product when prompted, if you prefer, direct download links are available.

    Notes:
    • If you use the Adobe Flash Player Download Center, be careful to uncheck the optional McAfee Security Plus box.  It is not needed for the Flash Player update.
    • Uncheck any toolbar offered with Adobe products if not wanted.
    • If you use alternate browsers, it is necessary to install both the update for Internet Explorer and the update for alternate browsers.

    Flash Player 11 (32-Bit)
    Flash Player 11 (64-Bit)

    Verify Installation

    To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu.

    Do this for each browser installed on your computer.



    The update to Adobe Shockwave Player for both Windows and Macintosh systems addresses vulnerabilities that could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. The vulnerabilities include a heap overflow vulnerability and multiple memory corruption vulnerabilities.

    Release date: February 14, 2012
    Vulnerability identifier: APSB12-02
    CVE number: CVE-2012-0757, CVE-2012-0758, CVE-2012-0759, CVE-2012-0760, CVE-2012-0761, CVE-2012-0762, CVE-2012-0763, CVE-2012-0764, CVE-2012-0766
    Platform: Windows and Macintosh

    Update Information

    The newest version of Shockwave Player, 11.6.4.634, is available here:  http://get.adobe.com/shockwave/.

    Notes:
    • Please remember to uncheck any unwanted 3rd party toolbars or other programs during installation. 
    • For information on how to disable the auto-update setting in Shockwave Player, see http://kb2.adobe.com/cps/166/tn_16683.html.  (This must be set every time Shockwave Player is updated if you do not want auto-updating.)

    Verify Installation

    To test the Adobe Shockwave Player installation on your computer, go to the Test Authorware Web Player page.



    Wednesday, February 15, 2012

    Oracle Java SE Critical Security Update


    Oracle released a critical security update to Java.  This Critical Patch Update contains fourteen (14) new security fixes across Java SE products.

    For Java SE 6, the full internal version number for this update release is 1.6.0_31-b04 (b05 in Windows, where "b" means "build"). The external version number is 6u31.

    It appears that Java SE 7 is no longer in "developer preview".  In the event you update to that version, check installed programs because it does not appear that upgrading removes Java SE 6.  The full internal version number for the update to the Java SE 7 release is 1.7.0_03-b04 (b05 in Windows, where "b" means "build"). The external version number is 7u3.

    Although Java is not required (See Do You Need Java?), if you do have Java installed on your computer, it is advisable to install the latest update.  It is also advised that all prior (and vulnerable) versions of Java SE be uninstalled from your computer.
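
The version-number scheme and the advice to remove older releases, as an added example that is not part of the original post: a small Python audit that maps internal version strings to external names and compares them with the 6u31 and 7u3 baselines given above. The sample inventory, the build suffixes in it, and all function names are constructed for illustration.

```python
import re

# Patched baselines stated in the post: Java SE 6 -> 6u31, Java SE 7 -> 7u3.
PATCHED_UPDATE = {6: 31, 7: 3}

# Internal version strings look like 1.6.0_31-b04 ("b" means build).
VERSION_RE = re.compile(r"^1\.(\d+)\.0(?:_(\d+))?(?:-b(\d+))?$")

# Constructed sample inventory, e.g. copied from the installed-programs list.
SAMPLE_INVENTORY = ["1.6.0_29-b11", "1.6.0_31-b05", "1.7.0_03-b05", "1.5.0_22-b03"]


def parse_internal(version):
    """Return (family, update, build) from an internal version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised Java version string: %r" % version)
    family = int(m.group(1))
    update = int(m.group(2) or 0)          # "1.7.0" with no suffix is update 0
    build = int(m.group(3)) if m.group(3) else None
    return family, update, build


def external_name(version):
    """Map an internal string such as 1.6.0_31-b04 to the external 6u31."""
    family, update, _ = parse_internal(version)
    return "%du%d" % (family, update) if update else str(family)


def audit(installed):
    """Map each installed version to 'patched', 'outdated' or 'unknown-family'."""
    report = {}
    for raw in installed:
        family, update, _ = parse_internal(raw)
        baseline = PATCHED_UPDATE.get(family)
        if baseline is None:
            report[raw] = "unknown-family"  # no baseline in the post: review by hand
        elif update < baseline:
            report[raw] = "outdated"
        else:
            report[raw] = "patched"
    return report


def side_by_side_families(installed):
    """Families present together; upgrading to 7 may leave 6 installed."""
    return sorted({parse_internal(v)[0] for v in installed})


if __name__ == "__main__":
    for raw, status in audit(SAMPLE_INVENTORY).items():
        print("%-14s %-5s %s" % (raw, external_name(raw), status))
    print("families installed:", side_by_side_families(SAMPLE_INVENTORY))
```

More than one family in the output of `side_by_side_families` is the cue to check the installed-programs list for a leftover Java SE 6.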

    Download Update



    Verify your version:  http://www.java.com/en/download/testjava.jsp

    Note: UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.

    The next scheduled Oracle Java SE Critical Patch Update is 12 June 2012.


      Tuesday, February 14, 2012

      Microsoft February 2012 Security Bulletin Release


      Microsoft released nine (9) bulletins, of which four bulletins are identified as Critical with the remaining five as Important.

      The bulletins address vulnerabilities in Microsoft Windows and Microsoft Developer Tools And Software.  Most updates will require a restart to complete the installation.

      A number of people have a problem with .NET Framework updates.  As MS12-016 updates .NET Framework, it is recommended that this update be installed separately, followed by a shutdown/restart.

      The Security Research and Defense blog published several articles, located at the links below, regarding the updates:


      Security Bulletins

      Bulletin Number   Bulletin Title                                      Bulletin KB
      MS12-008          Vulnerabilities in Microsoft Windows                2660465
      MS12-009          Vulnerabilities in Microsoft Windows                2645640
      MS12-010          Vulnerabilities in Internet Explorer                2647516
      MS12-011          Vulnerabilities in Microsoft SharePoint             2663841
      MS12-012          Vulnerability in Microsoft Windows                  2643719
      MS12-013          Vulnerability in Microsoft Windows                  2654428
      MS12-014          Vulnerability in Microsoft Windows                  2661637
      MS12-015          Vulnerabilities in Microsoft Office                 2663510
      MS12-016          Vulnerabilities in .NET Framework and Silverlight   2651026

      Support

      The following additional information is provided in the Security Bulletin:
      • The affected software listed have been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your software version, visit Microsoft Support Lifecycle.
      • Customers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.
      • International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit International Help and Support.



      Saturday, February 11, 2012

      Mozilla Firefox 10.0.1 Critical Security Update


      Mozilla quickly released Firefox 10.0.1, which includes a critical security update as well as a bug fix for a Java-related issue that causes text input to become unresponsive (Bug 718939).

      Security Update

      MFSA 2012-10 use after free in nsXBLDocumentInfo::ReadPrototypeBindings
      Impact: Critical
      Announced: February 10, 2012
      Reporter: Andrew McCreight, Olli Pettay
      Products: Firefox, Thunderbird, SeaMonkey

      Fixed in: Firefox 10.0.1
        Firefox ESR 10.0.1
        Thunderbird 10.0.1
        Thunderbird ESR 10.0.1
        SeaMonkey 2.7.1

          Known Issues

          The following items remain as known issues with this version release:
          • Two-digit browser version numbers may cause a small number of website incompatibilities (see 690287)
          • If you try to start Firefox using a locked profile, it will crash (see 573369)
          • For some users, scrolling in the main GMail window will be slower than usual (see 579260)
          • Some synaptic touch pads are unable to vertical scroll (see 622410)
          • Firefox notifications may not work properly with Growl 1.3 or later (see 691662)
            Unresolved on v10 Resolved in v11
          • Under certain conditions, scrolling and text input may be jerky (see 711900)

          Update

          The update to Firefox 10.0.1 will be offered through the browser update mechanism.  However, as the upgrade includes a critical security update, it is recommended that the update be applied as soon as possible.  To get the update now, select Help, About Firefox, Check for Updates.

          If you do not use the English language version, Fully Localized Versions are available for download.



          Thursday, February 09, 2012

          Security Bulletin Advance Notification for February, 2012


          On Tuesday, February 14, 2012, Microsoft is planning to release nine (9) bulletins, of which four bulletins are identified as Critical with the remaining five as Important.

          The bulletins address twenty-one (21) vulnerabilities in Microsoft Windows, Office, Internet Explorer, and .NET/Silverlight.  Most updates will require a restart to complete the installation.

          As happens each month, Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.
