Minor Firefox Update to Version 17.0.1

Mozilla released what appears to be a minor update to version 17.0.1.  There are no updates listed for version 17.0.1 on the Security Advisories page.

From the Release Notes:

• 17.0.1: Font rendering issue in Firefox 17.0 (bug 814101)
• 17.0.1: Reverted user agent change causing some website incompatibilities
• 17.0.1: Leaving Private Browsing with Social API enabled should reset social components (814554)
• Pointer lock doesn't work in web apps (769150)
• Page scrolling on sites with fixed headers (780345)
  
  New:
• First revision of the Social API and support for Facebook Messenger
• Click-to-play blocklisting implemented to prevent vulnerable plugin versions from running without the user's permission (see blog post)
•  

To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu.

If you do not use the English language version, Fully Localized Versions are available for download.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Mozilla Firefox 17 Released, Includes Security Updates

Firefox 17 was sent to the release channel today by Mozilla.  Included in the update are six (6) critical, nine (9) high and one (1) Moderate security update.

Based on the extensive list of security updates, it is recommended that the update be applied as soon as possible.

Security Updates Fixed in Firefox 17

MFSA 2012-106 Use-after-free, buffer overflow, and memory corruption issues found using Address Sanitizer
MFSA 2012-105 Use-after-free and buffer overflow issues found using Address Sanitizer
MFSA 2012-104 CSS and HTML injection through Style Inspector
MFSA 2012-103 Frames can shadow top.location
MFSA 2012-102 Script entered into Developer Toolbar runs with chrome privileges
MFSA 2012-101 Improper character decoding in HZ-GB-2312 charset
MFSA 2012-100 Improper security filtering for cross-origin wrappers
MFSA 2012-99 XrayWrappers exposes chrome-only properties when not in chrome compartment
MFSA 2012-98 Firefox installer DLL hijacking
MFSA 2012-97 XMLHttpRequest inherits incorrect principal within sandbox
MFSA 2012-96 Memory corruption in str_unescape
MFSA 2012-95 Javascript: URLs run in privileged context on New Tab page
MFSA 2012-94 Crash when combining SVG text on path with CSS
MFSA 2012-93 evalInSanbox location context incorrectly applied
MFSA 2012-92 Buffer overflow while rendering GIF images
MFSA 2012-91 Miscellaneous memory safety hazards (rv:17.0/ rv:10.0.11)

What's New

• NEW -- First revision of the Social API and support for Facebook Messenger
• NEW -- Click-to-play blocklisting implemented to prevent vulnerable plugin versions from running without the user's permission (see blog post)

The Release Notes include additional changes and fixed features in version 17.  As with previous versions 15, the update includes a long list of Bug Fixes, referenced below.

Update

To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu.

If you do not use the English language version, Fully Localized Versions are available for download.

References

• Common questions after updating Firefox
• Security Updates
• Mozilla Firefox Release Notes
• Bug Fixes 

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Microsoft Security Bulletin Release for November 2012

Microsoft released six (6) bulletins addressing 19 vulnerabilities in Microsoft Windows Shell, Windows Kernel, Internet Explorer, Internet Information Services (IIS), .NET Framework, and Excel.

Three bulletins are identified as Critical, one as Important and one as Moderate.

Bulletin Number	Bulletin Title	Bulletin KB
MS12-071	Cumulative Security Update for Internet Explorer	2761451
MS12-072	Vulnerabilities in Microsoft Windows	2727528
MS12-073	Vulnerabilities in Microsoft Windows	2733829
MS12-074	Vulnerabilities in Vulnerabilities in Microsoft Windows .NET Framework	2745030*
MS12-075	Vulnerabilities in Microsoft Windows	2761226
MS12-076	Vulnerabilities in Microsoft Office	2720184

*In the event you have had problems in the past with .NET Framework updates, it is suggested that you install MS12-074 (KB2745030) separately, including a shutdown/restart.

Support

The following additional information is provided in the Security Bulletin:

• The affected software listed have been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your software version, visit Microsoft Support Lifecycle.
• Security solutions for IT professionals: TechNet Security Troubleshooting and Support
• Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center
• Local support according to your country: International Support

References

• MSRC: November Security Bulletin Release
• TechNet: Microsoft Security Bulletin Summary for November 2012
• Security and Safety Center:  Microsoft security updates for November 2012 
• Security Research and Defense:  Assessing risk for the November 2012 security updates 
• Security Research and Defense:  MS12-074: Addressing a vulnerability in WPAD’s PAC file handling 

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Security Bulletin Advance Notice for November 2012

On Tuesday, November 13, 2012, Microsoft is planning to release six (6) bulletins.

Four bulletins are identified as Critical and address thirteen vulnerabilities in Microsoft Windows, Internet Explorer and the .NET Framework.  Four vulnerabilities in Microsoft Office will be addressed in one bulletin rated Important.  The remaining bulletin rated Moderate will address two issues in Microsoft Windows.

As I have advised in the past, if you have problems with .NET Framework updates, please install that update separately with a shutdown/restart following the update.

As happens each month, Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

References

• MSRC Blog:  Advance Notification Service for November 2012 Security Bulletin Release
• TechNet: Microsoft Security Bulletin Advance Notification for November 2012

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Adobe Flash Player Critical Security Update

Adobe Flash Player was updated to address security vulnerabilities.  These updates address a vulnerability that could cause the application to crash and potentially allow an attacker to take control of the affected system.

Update Information

The newest version for Windows and Macintosh is 11.5.502.110.  For Linux, the newest version is 11.2.202.251.

Release date: November 6, 2012
Vulnerability identifier: APSB12-24
Priority: See table below
CVE number: CVE-2012-5274, CVE-2012-5275, CVE-2012-5276, CVE-2012-5277, CVE-2012-5278, CVE-2012-5279, CVE-2012-5280
Platform: All Platforms

Flash Player Update Instructions

Flash Player for Windows, Macintosh and Linux

Although Adobe suggests downloading the update from the Adobe Flash Player Download Center or by using the auto-update mechanism within the product when prompted, if you prefer, direct download links are available.

• Flash Player For Internet Explorer 7, 8 & 9:  http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_active_x.exe
  
  Flash Player for Internet Explorer 10: Microsoft updated Security Advisory 2755801.  If you do not have Automatic Updates enabled, the Flash Player update can be downloaded from the Download Center at Update for Internet Explorer Flash Player for Windows 8 Release Preview (KB2758994).
  
  See MSRC Blog post Security Advisory 2755801 revised to address Adobe Flash Player issues.
  
  
• Non-IE (Opera, Firefox, Etc.):  http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_plugin.exe
  
  
• Flash Player Uninstaller:  http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe

Notes:

• Users of Adobe AIR  3.5.0.600 for Windows and Macintosh should update to Adobe AIR 3.5.
• Beginning with Adobe Flash Version 11.3, the universal 32-bit installer will include the 32-bit and 64-bit versions of the Flash Player.  
• If you use the Adobe Flash Player Download Center, be careful to uncheck the optional McAfee Security Plus box.  It is not needed for the Flash Player update.
• Uncheck any toolbar offered with Adobe products if not wanted.
• If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
• The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.

Adobe Flash Player for Android

The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

References

• Adobe Priority Ratings
• Adobe Security Advisory: Security updates available for Adobe Flash Player
• Release Notes:  Flash Player® 11.5 AIR® 3.5

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Report: Top Ten Vulnerabilities Exclude Microsoft Products

Yes, you read the title correctly.  Kaspersky released their 2012 third quarter report of the top ten vulnerabilities and no Microsoft product is on the list.  The data in the report is based on vulnerable programs and files detected on the computers of KSN users.  There was an average of eight different vulnerabilities on each affected computer.

Topping the list is Oracle Java, followed by Adobe products, particularly Adobe Flash Player.  Also included in the list are two Apple products, Quick Time and iTunes.  The list of vulnerabilities can be found on the Securelist, "IT Threat Evolution: Q3 2012", here.

The takeaway?

• Continue installing Microsoft Security Updates:  Windows Update - Keep your PC up to date
  
• Use a software firewall:  Firewall: frequently asked questions
  
• Keep your antivirus software updated:  Microsoft Security Essentials - Microsoft Windows
  
• Consider uninstalling Oracle Java:  Do You Need Java?
  
• Allow Adobe Flash Player to Autoupdate: Adobe - Flash Player : Help - About Updating Adobe Flash Player.
  -- With Firefox, use NoScript or Flashblock which also blocks Macromedia Shockware.
  -- AdobeBlockIE has not been updated recently but works with Internet Explorer.
  
• Consider an alternative to Adobe Reader, such as Sumatra PDF.  

Don't be a statistic.  Stay safe and keep your computer updated.

If your computer does get infected or you need assistance determining if it is up to date, post the requested logs for review in the Analysis and Malware Removal forum at LandzDown or in the Security Arena at Sysnative.com.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...