Thursday, August 30, 2012

Critical Java Security Update

java


Oracle released an out-of-band security update for Java SE.  Security Alert CVE-2012-4681 addresses three distinct but related critical vulnerabilities and one security-in-depth issue affecting Java running in desktop browsers. 

These vulnerabilities may be remotely exploitable without authentication.  In other words, the vulnerabilities may be exploited over a network without the need for a username and password merely by visiting a malicious web page with an unpatched version of Java.

Affected versions:
  • JDK and JRE 7 Update 7 and earlier
  • JDK and JRE 6 Update 34 and earlier
It is strongly recommended that the update be applied as soon as possible due to the threat posed by a successful attack.


Although Java is not required (See Do You Need Java?), if you do have Java installed on your computer, it is advisable to install the latest update.  It is also advised that all prior (and vulnerable) versions of Java SE be uninstalled from your computer.

Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml

Download Information

Now that Java SE 7 has been officially released, it is recommended that users of Java SE 6 upgrade to the latest version.  When you upgrade from Java SE 6 to Java SE7 please check installed program files and remove all versions of Java SE 6.

As of this posting, Java SE 7u7 is only available from this link:  http://java.com/en/download/index.jsp


Verify your version:  http://www.java.com/en/download/testjava.jsp

Note: UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.

Critical Patch Updates

For Oracle Java SE Critical Patch Updates, the next scheduled dates are:
  • 16 October 2012
  • 19 February 2013

    References






    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...

    Tuesday, August 28, 2012

    Firefox 15 Release Includes Critical Security Updates


    Firefox 15 was sent to the release channel today by Mozilla.  Included in the update are seven (7) critical, six (6) high, and three (3) moderate security updates.

    Based on the extensive list of security updates, it is recommended that the update be applied as soon as possible.

    Please also note that the release of Firefox 15 includes the completion of the inclusion of silent updates.

    Security Updates Fixed in Firefox 15

        MFSA 2012-72 Web console eval capable of executing chrome-privileged code
        MFSA 2012-71 Insecure use of __android_log_print
        MFSA 2012-70 Location object security checks bypassed by chrome code
        MFSA 2012-69 Incorrect site SSL certificate data display
        MFSA 2012-68 DOMParser loads linked resources in extensions when parsing text/html
        MFSA 2012-67 Installer will launch incorrect executable following new installation
        MFSA 2012-66 HTTPMonitor extension allows for remote debugging without explicit activation
        MFSA 2012-65 Out-of-bounds read in format-number in XSLT
        MFSA 2012-64 Graphite 2 memory corruption
        MFSA 2012-63 SVG buffer overflow and use-after-free issues
        MFSA 2012-62 WebGL use-after-free and memory corruption
        MFSA 2012-61 Memory corruption with bitmap format images with negative height
        MFSA 2012-60 Escalation of privilege through about:newtab
        MFSA 2012-59 Location object can be shadowed using Object.defineProperty
        MFSA 2012-58 Use-after-free issues found using Address Sanitizer
        MFSA 2012-57 Miscellaneous memory safety hazards (rv:15.0/ rv:10.0.7)

            What's New


            The Release Notes include new and fixed features in version 15.  The huge list of Bug Fixes are in the link available in the References below.
            • NEW -- Silent, background updates
            • NEW -- Support for SPDY networking protocol v3
            • NEW -- WebGL enhancements, including compressed textures for better performance
            • NEW -- Localization in Maithili (see all available locales)
            • CHANGED -- Optimized memory usage for add-ons
            • DEVELOPER -- JavaScript debugger integrated into developer tools
            • DEVELOPER -- New layout view added to Inspector
            • DEVELOPER -- High precision event timer implemented
            • DEVELOPER -- The CSS word-break property has been implemented.
            • DEVELOPER -- New responsive design tool allows web developers to switch between desktop and mobile views of sites
            • HTML5 -- Native support for the Opus audio codec added
            • HTML5 -- The audio and video eleents now support the played attribute
            • HTML5 -- The element now supports the media attribute
            • FIXED -- Focus rings keep growing when repeatedly tabbing through elements (720987)

             Known Issues

              • Unresolved -- Debugger breakpoints do not catch on page reload (see 783393) Note, in Resolved in v16
              • Unresolved -- If you try to start Firefox using a locked profile, it will crash (see 573369)
              • Unresolved -- For some users, scrolling in the main GMail window will be slower than usual (see 579260)
              • Unresolved -- Windows: The use of Microsoft's System Restore functionality shortly after updating Firefox may prevent future updates (see 730285)

                Update

                To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu.

                If you do not use the English language version, Fully Localized Versions are available for download.

                References




                Remember - "A day without laughter is a day wasted."
                May the wind sing to you and the sun rise in your heart...


                Tuesday, August 21, 2012

                Adobe Flash Player Security Update (again!)


                Only a week has passed since the last Adobe Flash Player security update and another has been released.

                Adobe Flash Player was updated to address security vulnerabilities.  These updates address a vulnerability that could cause the application to crash and potentially allow an attacker to take control of the affected system.

                Update Information

                The newest version for Windows and Macintosh is 11.4.402.265.  For Linux, the newest version is 11.2.202.238.

                Release date: August 21, 2012
                Vulnerability identifier: APSB12-19
                Priority:  Critical for Windows, Important for Macintosh.
                CVE number: CVE-2012-4163, CVE-2012-4164, CVE-2012-4165, CVE-2012-4166, CVE-2012-4167, CVE-2012-4168
                Platform: All Platforms

                Flash Player Update Instructions


                Flash Player for Windows, Macintosh, Linux and Solaris

                Although Adobe suggests downloading the update from the Adobe Flash Player Download Center or by using the auto-update mechanism within the product when prompted, if you prefer, direct download links are available.


                Notes:
                • Users of Adobe AIR 3.3.0.3670 for Windows and Macintosh should update to Adobe AIR 3.4.0.2540.
                • Beginning with Adobe Flash Version 11.3, the universal 32-bit installer will include the 32-bit and 64-bit versions of the Flash Player.  
                • If you use the Adobe Flash Player Download Center, be careful to uncheck the optional McAfee Security Plus box.  It is not needed for the Flash Player update.
                • Uncheck any toolbar offered with Adobe products if not wanted.
                • If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
                • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.
                Adobe Flash Player for Android

                The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.

                Verify Installation

                To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

                Do this for each browser installed on your computer.

                To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

                References







                Remember - "A day without laughter is a day wasted."
                May the wind sing to you and the sun rise in your heart...


                Sunday, August 19, 2012

                WinPatrol PLUS or Family Pack 30% Discount Coupon

                WinPatrol
                Friends and Security Garden readers know that WinPatrol is my favorite program.  The list of WinPatrol features below illustrate why I wouldn't surf without Scotty watching my back. 

                My friend and fellow Microsoft MVP and WinPatrol developer, Bill Pytlovany, has created a special coupon for use by readers of my blog, Twitter followers, Facebook and forum friends.  The coupon provides a 30% discount on either the regularly priced single $29.95 WinPatrol PLUS license or the $49.95 Family Pack.

                If you are new to WinPatrol or have been putting off investing in a WinPatrol PLUS license, the SecurityGarden 30% discount coupon will be good through the end of August.

                For those not interested in the PLUS version, new users can download the free version of WinPatrol from http://www.winpatrol.com/download.html.

                To take advantage of the SecurityGarden 30% discount coupon, follow the links below.

                Credit Card OrdersClick Here and select the link for WinPatrol PLUS or the WinPatrol PLUS Super Family Pack.

                PayPal OrdersClick Here and complete the portion for WinPatrol PLUS or the WinPatrol PLUS Super Family Pack.

                Coupon Code:  SecurityGarden


                WinPatrol Features

                WinPatrol Free and WinPatrol PLUS:
                • Detect and Review New Auto-Startup Programs
                • Alerted to New Browser Add-Ons like BHO's and Tool Bars
                • Alerts to newly installed Window Services
                • Alerts to creation of Scheduled Tasks
                • Alerts and Locks Changes to File Type Associations
                • Alerts to newly registered ActiveX components
                • Alerts to changes in IE Home and Search pages
                • Alerts you to changes in the Windows HOST File
                • Lets you know if your Auto Update or UAC settings change
                • Add/Remove and Review Auto-Start up Programs
                • Automatically Disable Reoccurring Start up Programs
                • Delay Auto-Start up programs for quick boot up
                • Review and Remove unwanted Scheduled Tasks
                • Remove Unwanted Browser Add-Ons like BHO's and Tool Bars
                • Review, Display and Kill Multiple Running Tasks with a single click
                • Review, Stop and Control Window Services
                • Manage and Automatically Remove Unwanted Cookies
                • Review and Edit your Windows HOST File
                • Review and Remove Hidden Files
                • Track Date/Time when programs are first detected on your system
                • Multiple System Report Options
                • Advanced Examination of HIDDEN Registry Start up Keys
                • Start Program Removed Detection

                WinPatrol PLUS:
                • Access to WinPatrol PLUS Knowledgebase (24/7)
                • Real-time Infiltration Detection
                • Increased PLUS Performance
                • Automatically respond and/hide specific alerts.
                • Review and Remove ActiveX components
                • Custom Registry Monitoring and Reg Locking
                • Access to WinPatrol Cloud results
                • Uninstall Detection

                WinPatrol PLUS includes:
                • One Time fee includes free upgrade for ALL future WinPatrol versions.
                • No Hidden or Reoccurring Subscription Fees.
                • Single License valid on all your personal desktops and laptops!
                • No Toolbars or other unwanted software
                • WinPatrol PLUS is quicker and faster.



                Home
                Remember - "A day without laughter is a day wasted."
                May the wind sing to you and the sun rise in your heart...


                Tuesday, August 14, 2012

                Critical Security Update for Adobe Flash Player


                Adobe Flash Player was updated to address critical security vulnerabilities.  These updates address a vulnerability that could cause the application to crash and potentially allow an attacker to take control of the affected system.


                There are reports that the vulnerability is being exploited in the wild in limited targeted attacks, distributed through a malicious Word document. The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows.

                Update Information

                The newest version for Windows, Macintosh and Linux is 11.3.300.271.

                Release date: August 14, 2012
                Vulnerability identifier: APSB12-18
                Priority: Critical
                CVE number: CVE-2012-1535
                Platform: Windows, Macintosh and Linux

                Flash Player Update Instructions


                Flash Player for Windows, Macintosh, Linux and Solaris

                Although Adobe suggests downloading the update from the Adobe Flash Player Download Center or by using the auto-update mechanism within the product when prompted, if you prefer, direct download links are available.


                Notes:
                • Beginning with Adobe Flash Version 11.3, the universal 32-bit installer will include the 32-bit and 64-bit versions of the Flash Player.  
                • If you use the Adobe Flash Player Download Center, be careful to uncheck the optional McAfee Security Plus box.  It is not needed for the Flash Player update.
                • Uncheck any toolbar offered with Adobe products if not wanted.
                • If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
                • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.
                Adobe Flash Player for Android

                Adobe Flash Player for Android is not affected by the vulnerability addressed in this update.

                The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.

                Verify Installation

                To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

                Do this for each browser installed on your computer.

                To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.


                References







                Remember - "A day without laughter is a day wasted."
                May the wind sing to you and the sun rise in your heart...


                Adobe Reader and Acrobat Critical Security Upates

                Adobe
                Adobe released critical security updates addressing vulnerabilities in Adobe Reader and Adobe Acrobat.

                The updates address vulnerabilities in the software that could cause the application to crash and potentially allow an attacker to take control of the affected system.


                Acrobat and Reader users can update to the latest version using the built-in updater, by clicking “Help” and then “Check for Updates.” The Adobe Reader update for Windows is available from http://www.adobe.com/products/reader/.  Even better to use is the FTP download site:  ftp://ftp.adobe.com/pub/adobe/reader/win/10.x/10.1.4/ with no risk of add-ons.


                Release Details

                • Release date: August 14, 2012
                • Vulnerability identifier: APSB12-16
                • Priority rating:  Critical
                • CVE numbers: CVE-2012-1525, CVE-2012-2049, CVE-2012-2050, CVE-2012-2051, CVE-2012-4147, CVE-2012-4148, CVE-2012-4149, CVE-2012-4150, CVE-2012-4151, CVE-2012-4152, CVE-2012-4153, CVE-2012-4154, CVE-2012-4155, CVE-2012-4156, CVE-2012-4157, CVE-2012-4158, CVE-2012-4159, CVE-2012-4160, CVE-2012-4161, CVE-2012-4162
                • Platform: Windows and Macintosh

                Affected software versions

                • Adobe Reader X (10.1.3) and earlier 10.x versions for Windows and Macintosh
                • Adobe Reader 9.5.1 and earlier 9.x versions for Windows and Macintosh
                • Adobe Acrobat X (10.1.3) and earlier 10.x versions for Windows and Macintosh
                • Adobe Acrobat 9.5.1 and earlier 9.x versions for Windows and Macintosh

                References




                Home
                Remember - "A day without laughter is a day wasted."
                May the wind sing to you and the sun rise in your heart...


                Microsoft August 2012 Security Bulletin Release


                Microsoft released nine (9) bulletins, of which five bulletins are identified as Critical and the remaining four as Important.  All but one bulletin are related to Remote Code Execution and will require a restart.

                The bulletins address twenty-six vulnerabilities in Microsoft Windows, Internet Explorer, Exchange Server, SQL Server, Server Software, Developer Tools, and Office.

                NoteMS12-043 (Microsoft XML Core Services) was re-released again this month with additional updates for Microsoft XML Core Services 5.0. The re-release does not affect the previous updates for versions 3.0, 4.0, and 6.0.

                Security Bulletins

                Bulletin NumberBulletin TitleBulletin KB
                MS12-052Cumulative Security Update for Internet Explorer 2722913
                MS12-053Vulnerability in Microsoft Windows 2723135
                MS12-054Vulnerabilities in Microsoft Windows 2733594
                MS12-055Vulnerability in Microsoft Windows 2731847
                MS12-056Vulnerability in Microsoft Windows 2706045
                MS12-057Vulnerability in Microsoft Office 2731879
                MS12-058Vulnerabilities in Microsoft Windows 2733829
                MS12-059Vulnerability in Microsoft Office 2733918
                MS12-060Vulnerabilities in Microsoft Windows 2720573

                Support

                The following additional information is provided in the Security Bulletin:

                References





                Remember - "A day without laughter is a day wasted."
                May the wind sing to you and the sun rise in your heart...


                Friday, August 10, 2012

                Gauss: Kaspersky Discovery, Analysis and Removal Tool

                First came Stuxnet, Duqu and then Flame.  The latest is Gauss.  Although Gauss is less sophisticated than Flame, it is a data-stealing banking trojan having already obtained data from the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. Citibank and PayPal users are also reported as being targeted.


                As described on Securelist in  Gauss: Nation-state cyber-surveillance meets banking Trojan:
                "In 140 chars or less, “Gauss is a nation state sponsored banking Trojan which carries a warhead of unknown designation”. Besides stealing various kinds of data from infected Windows machines, it also includes an unknown, encrypted payload which is activated on certain specific system configurations "

                The majority of Kaspersky customers who have been found to be infected with Gauss are located in Lebanon. Others are in Israel and Palestine with a few in the U.S., UAE, Qatar, Jordan, Germany and Egypt.

                A quick check to determine if your computer is infected with Gauss is available from CrySyS at http://gauss.crysys.hu. The free Kaspersky Virus Removal Tool can be used to remove Dauss from your computer.  


                Home
                Remember - "A day without laughter is a day wasted."
                May the wind sing to you and the sun rise in your heart...


                Thursday, August 09, 2012

                Security Bulletin Advance Notice for August 2012

                Security Bulletin
                On Tuesday, August 14, 2012, Microsoft is planning to release nine (9) bulletins, of which five bulletins are identified as Critical and the remaining four as Important.  All but one bulletin are related to Remote Code Execution and will require a restart.

                The Critical security bulletins address ten vulnerabilities in Microsoft Windows, Internet Explorer, Exchange, SQL Server, Server Software, and Developer Tools. The bulletin for Exchange will address the issue first described in Security Advisory 2737111. The four bulletins that have been rated as Important will address vulnerabilities in Windows and Microsoft Office.

                As happens each month, Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

                References



                Home
                Remember - "A day without laughter is a day wasted."
                May the wind sing to you and the sun rise in your heart...


                Tuesday, August 07, 2012

                Windows Essentials 2012

                Microsoft has released Windows Essentials 2012 which includes new versions of Movie Maker and Photo Gallery for Windows 7 and Windows 8. Details about the new features in Movie Maker and Photo Gallery are available in the Windows Experience Blog, Introducing the New Windows Photo Gallery and Movie Maker.

                Windows Essentials 2012 includes the new SkyDrive for Windows app as well as Windows Live Mail, Windows Live Family Safety, Windows Live Writer, Windows Live Messenger, Outlook Connector Pack and Windows Photo Gallery and Windows Movie Maker.

                Windows Live Mesh and SkyDrive

                If you install Windows Essentials 2012, it is important to note that if you have Windows Live Mesh installed, it will automatically be removed if you install the new Movie Maker or Photo Gallery. In its place Microsoft SkyDrive will be installed. Microsoft has specified that if the new Movie Maker and/or Photo Gallery in Windows Essentials 2012 are installed, you can not have Windows Live Mesh on the same PC.

                In order to sync folders from the cloud to all of your PCs, it will then be necessary to install SkyDrive on all of your PCs or Macs. (Windows Live Mesh continues to be available from the Download Center: Windows Live Essentials.)

                Know the Difference

                The important thing to keep in mind is the one major difference between Windows Live Mesh and SkyDrive. With SkyDrive, all files are "in the cloud". Unless you update to Windows Essentials 2012 and install the new Movie Maker and/or Photo Gallery, with Windows Live Mesh, you can also have files in the cloud but you can also avoid the cloud and just sync files across PCs/Mac.


                Microsoft  has provided excellent step-by-step instructions for both Windows Live Mesh and SkyDrive in the articles linked below.

                References


                Windows Live Mesh

                Sky Drive

                Download: Windows Essentials 2012 (Web install)



                Home
                Remember - "A day without laughter is a day wasted."
                May the wind sing to you and the sun rise in your heart...