Thursday, September 26, 2013

Sensationalist Press Got it WRONG! Microsoft Does Not Recommend Two Antivirus Programs!


A recent article published by PC Pro has taken wings and is being quoted in numerous stories implying that a second antivirus program is needed when using Microsoft Security Essentials.  The article states,
"Now, Microsoft has said it sees Security Essentials as merely the first layer of protection, advising customers to use additional, third-party antivirus - although the company stressed that wasn't because the product wasn't good enough to stand on its own." (bold added)

The above statement by PC Pro is an obvious misinterpretation of Holly Stewart's comment (bold added), 
"It’s not as efficient to have one kind of weapon," she said. "Like anything you must have that diversity. It’s a weakness to just have one."

Why PC Pro is Wrong

Starting with the obvious, Microsoft Security Essentials on Windows 7, or earlier and Windows Defender on Windows 8 are disabled when a third-party antivirus software is installed.  Thus, an active second antivirus program cannot be run along side Microsoft Security Essentials or Windows Defender.

As clearly stated in this Microsoft Malware Protection Center help topic,
"It’s not a good idea to run other antivirus or antispyware products at the same time as Microsoft Security Essentials or Windows Defender.

Using more than one real-time security product can affect your PC performance. You might also get an error code when you try to update or install, such as 0x80070643."

The use of the word "weapon" by Holly Stewart in the above quote does not mean a second antivirus software, rather, as has long been recommended by the security community, a layered approach of another weapon is needed.

In addition to one up-to-date antivirus software, it is also critical to maintain updated third-party applications such as Adobe products and Oracle Java and install Microsoft security updates.

Along with "safe surfing", having one or two secondary security applications, such as my favorite Malwarebytes Antimalware and WinPatrol to supplement the work of your antivirus software program is generally recommended.

Microsoft Strategy Works!  

As illustrated in the Microsoft Malware Protection Center report, Evaluating our protection performance and capabilities, 99.9% of computers using Microsoft real-time protection reported no infections on the average day of August, 2013.  With results like that, it is clear that the change in focus by Microsoft to prevalent threats is obviously working.

Thus, PC Pro, Microsoft Security Essentials is not designed to be at the bottom of the antivirus rankings.  It is designed to target prevalent threats to consumer's computers, as illustrated in the change log for 1.159.819.0, released today.

Update:  Microsoft published a response to the "misinterpretation" by PC Pro and the other authors who added to it.  The Microsoft article is referenced below as is an article by Leo Notenboom, who contacted Holly Stewart.  

Home
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Tuesday, September 17, 2013

Security Advisory 2887505 and Microsoft Fix it

Security Advisory
Microsoft released Security Advisory 2887505 which relates to an issue with Internet Explorer.

It is important to note that there are a limited number of targeted attacks which are specifically directed at Internet Explorer 8 and 9. The issue, however, could potentially affect all supported versions of IE.

As described by Dustin Childs in the below-referenced MSRC Blog post,
"This issue could allow remote code execution if an affected system browses to a website containing malicious content directed towards the specific browser type. This would typically occur when an attacker compromises the security of trusted websites regularly frequented, or convinces someone to click on a link in an email or instant message."

Mitigations

Microsoft has made available a Fix it solution for users of Internet Explorer.  Additional mitigations include the following advice, also from the MSRC Blog post:

  • Set Internet and local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
    This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones
    This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
Below are the links to both apply and uninstall the Fix it solution.  Note:  The Fix it solution applies only 32-bit versions of Internet Explorer.
 
Apply Fix itUninstall Fix it


Another option is to install the Enhanced Mitigation Experience Toolkit (EMET), described in the "workarounds" section of the Tech Net Advisory.

If you have Windows Vista or Windows 7 installed, you should have updated to IE9 or IE10.  In the event you haven't, it is strongly advised that you update!

References:




Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Firefox 24.0 Released With Critical Security Updates



Firefox

Mozilla sent Firefox Version 24.0 to the release channel.  At the the time of this posting, there is no indication of security fixes included.  An update will be made if or when that information has been provided.

Update:  The security fixes included in version 24.0 have finally been posted.  It is advised that this update be installed ASAP.

Version 24.0 includes seventeen security updates of which seven are critical, four high, and six moderate.
 

Fixed in Firefox 24

MFSA 2013-92 GC hazard with default compartments and frame chain restoration
MFSA 2013-91 User-defined properties on DOM proxies get the wrong "this" object
MFSA 2013-90 Memory corruption involving scrolling
MFSA 2013-89 Buffer overflow with multi-column, lists, and floats
MFSA 2013-88 compartment mismatch re-attaching XBL-backed nodes
MFSA 2013-87 Shared object library loading from writable location
MFSA 2013-86 WebGL Information disclosure through OS X NVIDIA graphic drivers
MFSA 2013-85 Uninitialized data in IonMonkey
MFSA 2013-84 Same-origin bypass through symbolic links
MFSA 2013-83 Mozilla Updater does not lock MAR file after signature verification
MFSA 2013-82 Calling scope for new Javascript objects can lead to memory corruption
MFSA 2013-81 Use-after-free with select element
MFSA 2013-80 NativeKey continues handling key messages after widget is destroyed
MFSA 2013-79 Use-after-free in Animation Manager during stylesheet cloning
MFSA 2013-78 Integer overflow in ANGLE library
MFSA 2013-77 Improper state in HTML5 Tree Builder with templates
MFSA 2013-76 Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9)

What’s New

  • NEW -- Support for new scrollbar style in Mac OS X 10.7 and newer
  • NEW -- Implemented Close tabs to the right
  • NEW -- Social: Ability to tear-off chat windows to view separately by simply dragging them out
  • CHANGED -- Accessibility related improvements on using pinned tabs (see 577727)
  • CHANGED -- Removed support for Revocation Lists feature (see 867465)
  • CHANGED -- Performance improvements on New Tab Page loads (see 791670)
  • FIXED -- Replace fixed-ratio audio resampler in webrtc.org capture code with Speex resampler and eliminate pseudo-44000Hz rate ( see 886886)
  • FIXED -- 24.0: Security fixes can be found here

Update

To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu.

If you do not use the English language version, Fully Localized Versions are available for download.

References




Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Tuesday, September 10, 2013

Oracle Java Update

java


Oracle released the Java SE 7u40 today.  In addition to bug fixes and enhancements, the update includes the following:
  • advanced monitoring and diagnostic capabilities that enable developers to gather detailed runtime information and perform efficient data analysis without impacting system performance; 
  • a new security policy that gives system administrators greater control over Java running on desktops; 
  • improved performance and efficiencies for Java on ARM servers and support for Mac OS X retina displays.

If Java is still installed on your computer, it is recommended that this update be installed.

For those people who have desktop applications that require Java and cannot uninstall it, Java can now be disabled in Internet Explorer.  See Microsoft Fix it to Disable Java in Internet Explorer.

Java Security Recommendations

1)  In the Java Control Panel, at minimum, set the security to high.
2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

Java ControlPanel
(Image via Sophos Naked Security Blog)

3)  If you use Firefox, install NoScript and only allow Java on those sites where it is required.

Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml

Download Information

Download link:   Java SE 7 Update 40

Verify your version:  http://www.java.com/en/download/testjava.jsp

Notes:
  • UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.
  • Starting with Java SE 7 Update 21 in April 2013, all Java Applets and Web Start Applications should be signed with a trusted certificate.  It is not recommended to run untrusted/unsigned Certificates.  See How to protect your computer against dangerous Java Applets

Critical Patch Updates

Starting with the October 2013 Critical Patch Update, security fixes for Java SE will be released under the normal Critical Patch Update schedule. A pre-release announcement will be published on the Thursday preceding each Critical Patch Update release.


For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
  • 15 October 2013
  • 14 January 2014
  • 15 April 2014
  • 15 July 2014

References





Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Microsoft Security Updates for September 2013


Microsoft released thirteen (13) bulletins.  Four of the bulletins are identified as Critical with the remaining nine bulletins rated Important.

The updates address 47 unique CVEs in Microsoft Windows, Office, Internet Explorer and SharePoint. The updates to Windows require a restart.



Critical:
  • MS13-067 -- Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2834052)
  • MS13-068 -- Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (2756473)
  • MS13-069 -- Cumulative Security Update for Internet Explorer (2870699)
  • MS13-070 -- Vulnerability in OLE Could Allow Remote Code Execution (2876217)

Important:
  • MS13-071 -- Vulnerability in Windows Theme File Could Allow Remote Code Execution (2864063)
  • MS13-072 -- Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2845537)
  • MS13-073 -- Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2858300)  
  • MS13-074 -- Vulnerabilities in Microsoft Access Could Allow Remote Code Execution (2848637) 
  • MS13-075 -- Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2878687) 
  • MS13-076 -- Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege (2876315) 
  • MS13-077 -- Vulnerability in Windows Service Control Manager Could Allow Elevation of Privilege (2872339) 
  • MS13-078 -- Vulnerability in FrontPage Could Allow Information Disclosure (2825621) 
  • MS13-079 -- Vulnerability in Active Directory Could Allow Denial of Service (2853587)  
Users of Windows XP are reminded that support ends for Windows XP on April 8, 2014.  See Tim Rains article, The Countdown Begins: Support for Windows XP Ends on April 8, 2014.

Support

The following additional information is provided in the Security Bulletin:

References




Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Critical Adobe Flash Player, AIR and Shockwave Player Updates

Adobe Flashplayer

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux.  These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
With today's Windows Update, Internet Explorer 10 and 11 in Windows 8 and Windows 8.1 Preview are also updated.  Windows RT must obtain the update from Windows Update.

Update Information

The newest versions are as follows:
Windows and Macintosh:  11.8.800.168
Linux: 11.2.202.310
Android 4x: 11.1.115.81
Android 3x:  11.1.111.73

Adobe AIR:  3.8.1430

Release date: September 10, 2013
Vulnerability identifier: APSB13-21
CVE number: CVE-2013-3361, CVE-2013-3362, CVE-2013-3363, CVE-2013-5324
Platform: All Platforms

Flash Player Update Instructions

Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install Google Drive.

It is recommended that you either use the auto-update mechanism within the product when prompted, or my preference, the direct download links.

Notes:
  • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
  • Uncheck any toolbar offered with Adobe products if not wanted.
  • If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
  • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.
Adobe Flash Player for Android

The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.   

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

Adobe Shockwave Player

Shockwave Player
Adobe has released a security update for Adobe Shockwave Player 12.0.3.133 and earlier versions on the Windows and Macintosh operating systems.

This update addresses vulnerabilities that could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.

Although I have yet to need Shockwave Player on this computer, there are still many people who use it.  If you have Shockwave Player installed, please update to the latest version.

Release date: September 10, 2013
Vulnerability identifier: APSB13-23

CVE number: CVE-2013-3359 and CVE-2013-3360
Platform: Windows and Macintosh

The newest version  12.0.4.144 is available here: http://get.adobe.com/shockwave/.  As usual, watch for any pre-checked add-ons not needed for the update.

References







Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Adobe Reader Security Updates

Adobe
Adobe has released security updates for Adobe Reader and Acrobat XI (11.0.03) and earlier versions for Windows and Macintosh.

Adobe identifies this update as a regular quarterly update that provides security mitigations, feature enhancements, and bug fixes.  Note, however that the updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.


Release date: September 10, 2013
Vulnerability identifier: APSB13-22
CVE numbers: CVE-2013-3351, CVE-2013-3352, CVE-2013-3353, CVE-2013-3354, CVE-2013-3355, CVE-2013-3356, CVE-2013-3357, CVE-2013-3358
Platform: Windows and Macintosh

Update or Complete Download

Update checks can be manually activated by choosing Help > Check for Updates.
    Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

    Enable "Protected View"

    Due to frequent vulnerabilities, it is recommended that Windows users of Adobe Reader and Acrobat ensure that Protected View is enabled.  Neither the Protected Mode or Protected View option is available for Macintosh users.

    To enable this setting, do the following:
    • Click Edit > Preferences > Security (Enhanced) menu. 
    • Change the "Off" setting to "All Files".
    • Ensure the "Enable Enhanced Security" box is checked. 

    Adobe Protected View
    Image via Sophos Naked Security Blog
    If you are looking for a replacement for Adobe Reader, consider Replacing Adobe Reader with Sumatra PDF.

    References




    Home
    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...


    Thursday, September 05, 2013

    Security Bulletin Advance Notice for September, 2013

    Security Bulletin
    On Tuesday, September 10, 2013, Microsoft is planning to release fourteen (14) bulletins.  Four of the bulletins are identified as Critical with the remaining ten bulletins rated Important.

    The Critical updates will address issues in Internet Explorer, Outlook, SharePoint and Windows. The updates to Windows will require a restart.

    Users of Windows XP are reminded that support ends for Windows XP on April 8, 2014.  See Tim Rains article, The Risk of Running Windows XP After Support Ends April 2014.

    As happens each month, Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

    References




    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...