Fix it for Security Advisory 2794220 Available

Microsoft  Security Advisory 2794220 has been updated to provide a Fix it solution.  Applying this Fix it solution will prevent the vulnerability in the referenced Security Advisory from being used for code execution without affecting your ability to browse the Web. 

Microsoft Fix it

A Microsoft Fix it solution is available now for applying to protect your computer. The update will not require a restart.

Enable	Disable
Fix this problem Microsoft Fix it 50971	Fix this problem       Microsoft Fix it 50972

References

• MSRC Blog:  Fix it for Security Advisory 2794220 now available
• Microsoft Security Advisory: Vulnerability in Internet Explorer could allow information disclosure

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Microsoft Security Advisory 2794220

Microsoft released Security Advisory 2794220 to address an issue that affects Internet Explorer versions 6, 7 and 8.  Internet Explorer versions 9 and 10 are not affected.

At this time, Microsoft is aware of a very small number of targeted attacks.  This issue allows remote code execution if users browse to a malicious website with an affected browser.  Generally, this is a result of an attacker convincing someone to click a link in an email or instant message.

Recommendations:

Microsoft is actively working to develop a security update to address the issue.  In the meantime, please consider the following suggestions:

1.  Update Internet Explorer -- If your operating system is Windows Vista or Windows 7, update to Internet Explorer 9.  For Windows XP, your system will be more secure if you update to Internet Explorer 8.

2.  Update or Uninstall Java -- Current exploits of this type of vulnerability in Internet Explorer use third-party software, including Oracle’s Java, to help obtain reliable exploitation.

Most home computer users no longer need Java.  Following are reasons why someone may need Oracle Sun Java installed on their computer:

• Playing on-line games generally requires Java.
• With OpenOffice, Java is needed for the items listed here. 
• It used to be that Java was needed for websites to be properly displayed. However, that is generally not the case now with Flash having taken over.
• There may be commercial programs that depend on Java. If Java is needed for a software installed on your computer, there should be a prompt for it.

If you need Java, be sure you have uninstalled all old, vulnerable versions and have only the most recent release installed on your computer.  The current version of Java is Version 7 Update 10.
 

3.  Install and configure EMET -- The Enhanced Mitigation Experience Toolkit was designed to help prevent hackers from gaining access to your system. It prevents exploitation by applying in-box mitigations to help protect against this and other issues and should not affect usability of websites.

An easy guide for EMET installation and configuration is available in KB2458544.  Additional information about configuring EMET is available in the EMET User's Guide, in the following locations:

• 32-bit systems -- C:\Program Files\EMET\EMET User's Guide.pdf
• 64-bit systems -- C:\Program Files (x86)\EMET\EMET User's Guide.pdf

Additional suggestions are available in the MSRC Blog post and the Security Advisory, referenced below.

References:

• MSRC: Microsoft Releases Security Advisory 2794220
• Tech Net Advisory: Microsoft Security Advisory (2794220) Vulnerability in Internet Explorer Could Allow Remote Code Execution
• Download:  EMET (Enhanced Mitigation Toolkit v3.0)

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Critical Update MS12-078 Re-released

Microsoft re-released security update KB2753842 to resolve an issue with OpenType fonts not properly rendering after the original update was installed.

MS12-078 is a Critical update.  Thus, even if you have already installed the December security updates, the re-released KB2753842 update needs to be installed.

Note:  The update requires a restart to complete installation.

More Information:

Bulletin Number	Bulletin Title	Bulletin KB
MS12-078	Vulnerabilities in Microsoft Windows	2783534

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Adobe Flash Player Critical Security Updates

Adobe Flash Player was updated to address critical security vulnerabilities.  These updates address a vulnerability that could cause the application to crash and potentially allow an attacker to take control of the affected system.

Update Information

The newest versions are as follows:

Windows XP, Windows Vista, Windows 7:  11.5.502.135
Windows 8:  11.3.377.15
Macintosh:  11.5.502.136
Linux: 11.2.202.258.

Release date: December 11, 2012
Vulnerability identifier: APSB12-27
Priority: 1
CVE number: CVE-2012-5676, CVE-2012-5677, CVE-2012-5678
Platform: All Platforms

Flash Player Update Instructions

Flash Player for Windows, Macintosh and Linux

Although Adobe suggests downloading the update from the Adobe Flash Player Download Center or by using the auto-update mechanism within the product when prompted, if you prefer, direct download links are available.

• Flash Player For Internet Explorer 7, 8 & 9:  http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_active_x.exe
  
  Flash Player for Internet Explorer 10: Microsoft updated Security Advisory 2755801.  If you do not have Automatic Updates enabled, the Flash Player update can be downloaded from the Download Center at Update for Internet Explorer Flash Player for Windows 8 Release Preview (KB2758994).
  
  
• Non-IE (Opera, Firefox, Etc.):  http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_plugin.exe
• Flash Player Uninstaller:  http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe

Notes:

• Users of Adobe AIR for Windows should update to 3.5.0.880 and Macintosh users to 3.5.0.890.  See Determine version | Adobe AIR runtime. 
• Beginning with Adobe Flash Version 11.3, the universal 32-bit installer will include the 32-bit and 64-bit versions of the Flash Player.  
• If you use the Adobe Flash Player Download Center, be careful to uncheck the optional McAfee Security Plus box.  It is not needed for the Flash Player update.
• Uncheck any toolbar offered with Adobe products if not wanted.
• If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
• The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.

Adobe Flash Player for Android

The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

References

• Adobe Priority Ratings
• Adobe Security Advisory: Security updates available for Adobe Flash Player
• Release Notes:  Flash Player® 11.5 AIR® 3.5

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Microsoft Security Bulletin Release for December 2012

Microsoft released seven (7) bulletins addressing 17 vulnerabilities in Microsoft Windows, Internet Explorer (IE), Word and Windows Server.

Five bulletins are identified as Critical and two as Important.

Bulletin Number	Bulletin Title	Bulletin KB
MS12-077	Cumulative Security Update for Internet Explorer	2761465
MS12-078	Vulnerabilities in Microsoft Windows	2783534
MS12-079	Vulnerability in Microsoft Office	2780642
MS12-080	Vulnerabilities in Microsoft Exchange Server	2784126
MS12-081	Vulnerability in Microsoft Windows	2758857
MS12-082	Vulnerability in Microsoft Windows	2770660
MS12-083	Vulnerability in Microsoft Windows	2765809

Support

The following additional information is provided in the Security Bulletin:

• The affected software listed have been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your software version, visit Microsoft Support Lifecycle.
• Security solutions for IT professionals: TechNet Security Troubleshooting and Support
• Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center
• Local support according to your country: International Support

References

• MSRC: It’s That Time of Year, For the December 2012 Bulletin Release
• TechNet: Microsoft Security Bulletin Summary for December 2012
• Security and Safety Center:  Microsoft security updates for December 2012 

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Introducing WinPatrol 2013, Enhanced for Windows 8

No question about it, Bill Pytylovany has done it again!  Officially released is WinPatrol 2013, version 26.0.2013, which Bill has enhanced for Windows 8.  It works with either Windows 8 or Windows 8 Professional.  However, there (currently at least) is not an App for Windows RT so it will not work on Windows RT.

Although additional features specific to Windows 8 will be added to WinPatrol in the future, for people using Windows 8 who want to go directly to the desktop, you can use WinPatrol to easily make that happen.  With File Explorer (explorer.exe) as a Start up Program will cause Windows 8 to switch to the desktop mode.  To add explorer.exe (or other programs) to Start up is easy with WinPatrol:

Adding Programs to Start up

• Right-click Scotty in the system tray and click "Display Startup Info..."  Accept the UAC prompt.
• At the bottom of the Start up Programs tab, click the Add button 
• Navigate to the location of the program to be added, locate and highlight the .exe file and click Open (explorer.exe is located in the C:\Windows directory).

See Bits from Bill: WinPatrol 2013 Enhanced for Windows 8 for additional information.

For anyone wondering, although the latest version update addresses Windows 8 features, WinPatrol runs on Windows XP, Vista and Windows 7, Windows 8 including x64 versions.

Download WinPatrol 26.0.2013 

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Security Bulletin Advance Notice for December 2012

On Tuesday, December 11, 2012, Microsoft is planning to release seven (7) bulletins addressing eleven (11) vulnerabilities.

Five bulletins are identified as Critical and address vulnerabilities in Microsoft Windows, Word, Windows Server and Internet Explorer.  The two remaining bulletins are rated Important and will address issues in Microsoft Windows.


As happens each month, Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

References

• MSRC Blog:  Advance Notification Service for December 2012 Security Bulletin Release
• TechNet: Microsoft Security Bulletin Advance Notification for December 2012

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...