Tuesday, June 25, 2013

Mozilla Firefox 22.0 Released with Critical Security Updates



Mozilla sent Firefox Version 22.0 to the release channel.  This update includes fourteen security advisories, of which four are rated critical, six high, three moderate and one low.

Note:  According to members at DSLReports, the update appears to have broken the Roboform toolbar.  (H/T, siljaline)

Notable Changes

Social Services:  New to version 22.0 is the ability to disable social media services that may be included with installed add-ons.  To disable social services, open the add-ons manager and select Services to disable or remove any service that you have installed in the browser.

Plain text files:  Word-wrap is a welcome change to viewing plain text files in this version of Firefox.

Fixed in Firefox 22

  • MFSA 2013-62 Inaccessible updater can lead to local privilege escalation
  • MFSA 2013-61 Homograph domain spoofing in .com, .net and .name
  • MFSA 2013-60 getUserMedia permission dialog incorrectly displays location
  • MFSA 2013-59 XrayWrappers can be bypassed to run user defined methods in a privileged context
  • MFSA 2013-58 X-Frame-Options ignored when using server push with multi-part responses
  • MFSA 2013-57 Sandbox restrictions not applied to nested frame elements
  • MFSA 2013-56 PreserveWrapper has inconsistent behavior
  • MFSA 2013-55 SVG filters can lead to information disclosure
  • MFSA 2013-54 Data in the body of XHR HEAD requests leads to CSRF attacks
  • MFSA 2013-53 Execution of unmapped memory through onreadystatechange event
  • MFSA 2013-52 Arbitrary code execution within Profiler
  • MFSA 2013-51 Privileged content access and execution via XBL
  • MFSA 2013-50 Memory corruption found using Address Sanitizer
  • MFSA 2013-49 Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7)


What’s New

  • NEW -- WebRTC is now enabled by default!
  • NEW -- Windows: Firefox now follows display scaling options to render text larger on high-res displays
  • NEW -- Mac OS X: Download progress in Dock application icon
  • NEW -- HTML5 audio/video playback rate can now be changed
  • NEW -- Social services management implemented in Add-ons Manager
  • NEW -- asm.js optimizations (OdinMonkey) enabled for major performance improvements
  • CHANGED -- Improved WebGL rendering performance through asynchronous canvas updates
  • CHANGED -- Plain text files displayed within Firefox will now word-wrap
  • CHANGED -- For user security, the |Components| object is no longer accessible from web content
  • CHANGED -- Improved memory usage and display time when rendering images
  • CHANGED -- Pointer Lock API can now be used outside of fullscreen
  • HTML5 -- New HTML5 and  elements
  • FIXED -- Scrolling using some high-resolution-scroll aware touchpads feels slow (829952)



Known Issues

  • Unresolved -- If you try to start Firefox using a locked profile, it will crash (see 573369)

Update

To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu.

If you do not use the English language version, Fully Localized Versions are available for download.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Tuesday, June 18, 2013

Critical Oracle Java Security Update



Oracle released the scheduled critical security updates for its Java SE Runtime Environment software.

This is a Critical Patch Update that contains 40 new security fixes for Oracle Java SE.  Oracle indicated that thirty-seven (37) of the vulnerabilities may be remotely exploitable without authentication.  This was described as the possibility of being exploited over a network without the need for a username and password.

Additional details about the update are available in the Oracle Quality Assurance Blog post, June 2013 Critical Patch Update for Java SE Released.  If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

For those people who have desktop applications that require Java and cannot uninstall it, Java can now be disabled in Internet Explorer.  See Microsoft Fix it to Disable Java in Internet Explorer.

Java Security Recommendations

1)  In the Java Control Panel, at minimum, set the security to high.
2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

Java ControlPanel
(Image via Sophos Naked Security Blog)

3)  If you use Firefox, install NoScript and only allow Java on those sites where it is required.
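As an added example (not from the original post or from Oracle), the following Python script checks the two Java Control Panel settings recommended in steps 1 and 2 by reading the deployment.properties file that the Control Panel writes. It assumes the Java 7 configuration keys `deployment.security.level` (the Security slider) and `deployment.webjava.enabled` (the "Enable Java content in the browser" checkbox); the file contents in `SAMPLE` are constructed, and `audit_file()` can be pointed at the real file under the user's Java deployment directory.

```python
"""Check a Java deployment.properties file for the two settings recommended above.

Added example, not from the original post or from Oracle.  Assumes the Java 7
deployment configuration keys `deployment.security.level` (the Security slider;
HIGH or VERY_HIGH satisfy "at minimum high") and `deployment.webjava.enabled`
(the "Enable Java content in the browser" checkbox; false when unchecked).
"""
from pathlib import Path

# Recommended state, expressed as key -> set of acceptable values.
EXPECTED = {
    "deployment.security.level": {"HIGH", "VERY_HIGH"},
    "deployment.webjava.enabled": {"false"},
}

_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}


def _unescape(s):
    """Resolve Java .properties backslash escapes (\\: \\= \\\\ \\n ...)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(_ESCAPES.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_properties(text):
    """Parse Java .properties text into a dict.

    Handles '#'/'!' comment lines, 'key=value', 'key:value' and 'key value'
    forms, and backslash escapes; deployment.properties stores Windows paths
    as C\\:\\\\Program Files.  Trailing-backslash line continuations are not
    handled, as the deployment file does not use them.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # The key runs up to the first unescaped separator.
        key_chars, i = [], 0
        while i < len(line):
            c = line[i]
            if c == "\\" and i + 1 < len(line):
                key_chars.append(line[i:i + 2])
                i += 2
                continue
            if c in "=: \t":
                break
            key_chars.append(c)
            i += 1
        rest = line[i:].lstrip(" \t")
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip(" \t")
        props[_unescape("".join(key_chars))] = _unescape(rest)
    return props


def audit_java_config(props):
    """Return {key: (current value or None, ok)} for each recommended setting.

    A missing key means the Java default applies, which is reported as not ok:
    the default leaves Java enabled in the browser.
    """
    return {
        key: (props.get(key), props.get(key) in allowed)
        for key, allowed in EXPECTED.items()
    }


def audit_file(path):
    """Audit a real deployment.properties file on disk."""
    return audit_java_config(parse_properties(Path(path).read_text(encoding="utf-8")))


# Constructed sample: security was raised to High (step 1) but the browser
# checkbox was left on, so step 2 is still outstanding.
SAMPLE = """\
#deployment.properties
#Tue Jun 18 20:01:33 EDT 2013
deployment.version=7.25
deployment.security.level=HIGH
deployment.webjava.enabled=true
deployment.javaws.jre.0.path=C\\:\\\\Program Files\\\\Java\\\\jre7\\\\bin\\\\javaw.exe
"""

if __name__ == "__main__":
    for key, (value, ok) in audit_java_config(parse_properties(SAMPLE)).items():
        print(f"{'OK ' if ok else 'FIX'}  {key} = {value}")
```

The parser resolves the `\:` and `\\` escapes Java writes into the file, so a path value comes back as the operating system would see it; a key that is absent is treated as a failure rather than a pass, because Java's default for the browser checkbox is enabled.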

Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml

Download Information

Download link:  Java Version 7 Update 25

Verify your version:  http://www.java.com/en/download/testjava.jsp

Notes:
  • UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.
  • Starting with Java SE 7 Update 21 in April 2013, all Java Applets and Web Start Applications should be signed with a trusted certificate.  Running applets that are unsigned or signed with an untrusted certificate is not recommended.  See How to protect your computer against dangerous Java Applets

Critical Patch Updates

For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
  • 15 October 2013
  • 14 January 2014
  • 15 April 2014 


Monday, June 17, 2013

Linked Accounts Being Eliminated from Outlook

Starting in late July, Microsoft will be eliminating the "linked accounts" feature from Outlook.com.  While this feature has been used for many reasons, particularly where you don't want to provide your primary email address, security is the primary reason Microsoft is giving for this change.

According to the announcement by Eric Doerr in the Outlook Blog, it has been increasingly found that linked accounts are less secure than using aliases, particularly because it is possible to sign in to Outlook.com on the web and then switch to any other linked account without entering a password.

Options

With the elimination of linked accounts, the remaining options currently available are to use mail forwarding from the previously linked account or create an alias. 

Microsoft is reportedly working on setting up the ability to move an email address and the accompanying email from one account to another.

Important Notes: 
  1. Mail Forwarding:  You must sign in to your forwarded account at least once every 365 days.  If you don't, the system will close the account.
  2. Reply to Forwarded Mail:  In order to reply directly to email forwarded to your primary account, it is necessary to configure Outlook.com to send email on behalf of a secondary email account.
  3. Aliases:  There is a limit of up to ten new aliases per year and an overall maximum of ten aliases.  Deleting an alias removes it from the overall count but still counts against the ten-per-year limit.
Information on how to create an Outlook.com alias and set up mail forwarding is available from Microsoft in the help documents linked below.

~   ~   ~   ~   ~   ~

I am an Outlook.com Insider.  If you have a question about this post or Outlook.com, please leave a comment and I'll do my best to assist.  Learn more about the Outlook.com Insiders program here.



Sunday, June 16, 2013

Microsoft Fix it to Disable Java in Internet Explorer


Java, how we love to hate you!  Many people have uninstalled Java and do not miss it.  That is most likely because they do not have desktop applications that require Java. Unfortunately, that is not the situation for those people who use Java-dependent software programs. 

Until recently, Internet Explorer was the only major browser that did not provide a way to disable Java.  The only way to completely disable Java in IE was to disable Java through the Java Control Panel, which meant re-enabling Java when using Java-dependent programs.  That is no longer true!

Microsoft released a Microsoft Fix it solution designed to block all Java web-attack vectors through Internet Explorer.  As explained by Cristian Craioveanu in the below-linked Security Research & Defense Blog article, the Fix it solution is made up of two parts. 
  1. The Fix It uses the Windows Application Compatibility Toolkit to change the behavior of Internet Explorer at runtime to prevent Oracle’s Java Web plugins from loading.  As a result, the Java ActiveX dlls are not loaded.
  2. The second part of the Fix it clears the access control list (ACL) in the registry for the Java Network Loading Protocol (JNLP) handler which prevents Internet Explorer from automatically opening  files.  

Instructions

Before installing the Fix it solution, please follow these suggestions:

1.  Create a restore point
2.  Back up the Registry
3.  Apply the Fix it.  Two Fix it packages are offered:
      Disable the Java web-plugin -- Apply Fix it
      Restore the Java web-plugin -- Uninstall Fix it
4.  Restart Internet Explorer.  For the changes to take effect, restart IE.

To undo the changes, run Microsoft Fix it 50995 and restart IE.

The Fix it solution has been tested by Microsoft and will work for all versions of Java from versions 5 and above.  It also works on all supported versions of Internet Explorer, whether 32- or 64-bit.




Tuesday, June 11, 2013

Adobe Flash Player and AIR Security Update


Adobe has released security updates for Adobe Flash Player and Adobe AIR for Windows, Macintosh, Linux and Android.  These updates address critical vulnerabilities.
With today's Windows Update, Internet Explorer 10 in Windows 8 and Windows RT is also updated.

Update Information

The newest versions are as follows:
Windows:  11.7.700.224
Macintosh:  11.7.700.225
Linux: 11.2.202.291
Android 4x:  11.1.115.63
Android 3x and 2x:  11.1.111.59
Adobe AIR for Windows:  3.7.0.2090
Adobe AIR for Macintosh:  3.7.0.2100

Release date: June 11, 2013
Vulnerability identifier: APSB13-16

CVE number: CVE-2013-3343
Platform: All Platforms

Flash Player Update Instructions

Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install Google Drive.

It is recommended that you either use the auto-update mechanism within the product when prompted, or my preference, the direct download links.

Notes:
  • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
  • Uncheck any toolbar offered with Adobe products if not wanted.
  • If you use browsers other than Internet Explorer, you need to install both the update for Internet Explorer and the update for the other browsers.
  • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.
Adobe Flash Player for Android

The latest version of Adobe Flash Player for Android is available from the Android Marketplace; browse to it on the mobile phone and download it there.

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.
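As an added example, not part of the post or of Adobe's tooling, here is a small Python check that compares a version string read from the About Flash Player page (or the plugin's "About Adobe Flash Player" dialog) against the fixed versions listed above for APSB13-16. The platform-to-version table is taken from the post's Update Information list; the installed versions in `SAMPLE` are constructed. The point it demonstrates is that dotted versions must be compared component by component as numbers, not as strings.

```python
"""Compare an installed Flash Player / AIR version against the APSB13-16 fixed
versions listed above.  Added example, not Adobe's code; the installed version
strings in SAMPLE are constructed."""

# Fixed builds as listed in the post (release date June 11, 2013, APSB13-16).
FIXED_VERSIONS = {
    "flash-windows": "11.7.700.224",
    "flash-macintosh": "11.7.700.225",
    "flash-linux": "11.2.202.291",
    "flash-android-4x": "11.1.115.63",
    "flash-android-3x-2x": "11.1.111.59",
    "air-windows": "3.7.0.2090",
    "air-macintosh": "3.7.0.2100",
}


def parse_version(s):
    """'11.7.700.224' -> (11, 7, 700, 224).

    Raises ValueError on anything that is not purely dotted digits so that a
    mangled or truncated string is never silently treated as current.
    """
    parts = s.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {s!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed, platform):
    """True when installed >= the fixed build for that platform.

    Components are compared as integers; comparing the raw strings would rank
    '11.7.700.9' above '11.7.700.224' and report a stale build as patched.
    """
    return parse_version(installed) >= parse_version(FIXED_VERSIONS[platform])


def needs_update(installs):
    """installs: {platform: installed version}.  Returns the platforms whose
    build is older than the fixed one, in the order given."""
    return [p for p, v in installs.items() if not is_patched(v, p)]


# Constructed sample: what the About Flash Player page might report on three
# machines plus an AIR runtime; only Linux and AIR are behind.
SAMPLE = {
    "flash-windows": "11.7.700.224",
    "flash-macintosh": "11.7.700.225",
    "flash-linux": "11.2.202.285",
    "air-windows": "3.7.0.1860",
}

if __name__ == "__main__":
    for p in needs_update(SAMPLE):
        print(f"{p}: {SAMPLE[p]} installed, {FIXED_VERSIONS[p]} required")
```

Run the check once per browser, as the post's Verify Installation section says, since the Internet Explorer update and the update for other browsers are installed separately and can be at different versions on the same machine.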



Microsoft Security Updates for June 2013


Microsoft released five (5) bulletins.  One bulletin is identified as Critical with the remaining four bulletins rated Important.

The bulletins address 23 vulnerabilities in Internet Explorer, Microsoft Windows and Microsoft Office.  The updates to IE and Windows require a restart.


Users of Windows XP are reminded that support ends for Windows XP on April 8, 2014.  See Tim Rains article, The Countdown Begins: Support for Windows XP Ends on April 8, 2014.

Bulletin No.   Bulletin Title                                      Bulletin KB
MS13-047       Cumulative Security Update for Internet Explorer    2838727
MS13-048       Vulnerability in Microsoft Windows                  2839229
MS13-049       Vulnerability in Microsoft Windows                  2845690
MS13-050       Vulnerability in Microsoft Windows                  2839894
MS13-051       Vulnerability in Microsoft Office                   2839571


Support

The following additional information is provided in the Security Bulletin:



Monday, June 10, 2013

Transition to Outlook from Hotmail

Having used Hotmail for a very long time, when Outlook.com was first introduced, I wasn't all that certain that I liked the changes.  However, it did not take long to appreciate the different features and I have put behind me any skepticism I had about the change.

Even though the migration of your Hotmail account to Outlook.com was completed a number of weeks ago, you may still be struggling to discover how to complete tasks that were second nature before the migration.

First a few quick tips and then a closer look at attachments and the Actions link.  

Quick Tips

Following is a selection of quick tips that will help you navigate the new design for Outlook.com:
  • To see the Menu bar, click any e-mail.
  • Click "New" to start a new e-mail.
  • To add additional recipient(s) to an e-mail, click To or the box below To.
  • To reply all or forward an e-mail, click the down arrow next to Reply or click Actions, shown below.

Attachments

Sending and replying to e-mail is, of course, the primary function of your account.  Often times that includes an attachment to accompany the message.

The familiar paperclip icon has been relocated from the e-mail creation area to a more logical location, the Menu bar.  This change makes complete sense due to the ability to not only attach a file but also embed a picture inline or share a file or picture from SkyDrive.

Hotmail Before:

Hotmail Create email


Outlook.com After:

The change to Outlook.com still includes the familiar paperclip icon.  It is the wording and location that have changed.  Insert is a better description because the option to insert pictures inline or share a link to a file from SkyDrive can also be added to your e-mail.

Outlook.com Attachments

  • Selecting "Files as attachments" is the familiar option for attaching a file or picture that can be downloaded by the recipient.
     
  • When you select "Pictures inline", you can navigate to an image to embed the picture right in the e-mail. Repeat the action to add additional pictures.
     
  • I love SkyDrive and believe that "Share from SkyDrive" is the ideal way to send large files rather than weighing down family and friends' inboxes with large files. 

    Sharing from SkyDrive is also much easier than selecting multiple pictures with the "Pictures inline" option since it is a one-step process to select multiple files at one time.  Place a check in each picture or document to be shared by clicking the image or file name.

    Share from SkyDrive


    There will be a note at the bottom of the e-mail with instructions to the recipient to click the link to access the file(s).

Actions

It is not uncommon that there is more than one way to accomplish a task.  For example, one way to print an e-mail is to click the ellipsis (...) from the Menu bar and select Print.  With keyboard shortcuts set, the keyboard shortcut Shift +P will also provide the print option.  


There is a third way to print e-mails as well as access other useful functions.  With the e-mail open, clicking the familiar Actions link, carried forward from a Windows Live Hotmail update, provides not only the link to print but other immediate actions such as Forward, Delete or identifying the e-mail as Junk.  

Outlook.com Actions

Although the Outlook.com Junk e-mail filters are excellent, the information contained in the message source, often referred to as the "Full Header", is useful when questioning whether an e-mail that slips through is a phishing attempt or a spoofed address.  

~   ~   ~   ~   ~   ~

I am an Outlook.com and SkyDrive Insider.  If you have a question about this article, please leave a comment and I'll do my best to assist.

Learn more about the Outlook.com Insiders program here or the SkyDrive Insiders program from here.



Thursday, June 06, 2013

Security Bulletin Advance Notice for June 2013

On Tuesday, June 11, 2013, Microsoft is planning to release five (5) bulletins.  One bulletin is identified as Critical with the remaining four bulletins rated Important.

The critical bulletin will address vulnerabilities in Microsoft Windows and Internet Explorer.  The bulletins rated Important will address issues in Microsoft Windows and Microsoft Office. 


As happens each month, Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.
