Tuesday, December 24, 2013

Merry Christmas -- Khristos Razhdayetsya


We celebrate Christmas Eve following Ukrainian traditions.
In whatever traditions you and your family celebrate,
I extend warmest wishes to each of you and your family.

Merry Christmas!


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Tuesday, December 10, 2013

Microsoft Security Updates for December 2013


Microsoft released eleven (11) bulletins.  Five of the bulletins are identified as Critical with the remaining six bulletins rated Important.

The security updates address twenty-four (24) unique CVEs in Microsoft Windows, Internet Explorer, Office and Exchange.

Critical:
  • MS13-096 -- Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution (2908005)
  • MS13-097 -- Cumulative Security Update for Internet Explorer (2898785) 
  • MS13-098 -- Vulnerability in Windows Could Allow Remote Code Execution (2893294)
  • MS13-099 -- Vulnerability in Microsoft Scripting Runtime Object Library Could Allow Remote Code Execution (2909158)
  • MS13-105 -- Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2915705)
     
Important: 
  • MS13-100 -- Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2904244)
  • MS13-101 -- Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) 
  • MS13-102 -- Vulnerability in LRPC Client Could Allow Elevation of Privilege (2898715) 
  • MS13-103 -- Vulnerability in ASP.NET SignalR Could Allow Elevation of Privilege (2905244)
  • MS13-104 -- Vulnerability in Microsoft Office Could Allow Information Disclosure (2909976)
  • MS13-106 -- Vulnerability in a Microsoft Office Shared Component Could Allow Security Feature Bypass (2905238)

December Security Advisories

MSRT

Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

Support

Users of Windows XP are reminded that support for Windows XP ends on April 8, 2014.  See Tim Rains' article, The Countdown Begins: Support for Windows XP Ends on April 8, 2014.


The following additional information is provided in the Security Bulletin:



Adobe Flash Player, AIR and Shockwave Player Security Updates


Adobe has released bug and security updates for Adobe Flash Player, Adobe AIR and Shockwave Player for Windows, Macintosh and Linux. 
With today's Windows Update, Internet Explorer 10 and 11 in Windows 8 and Windows 8.1 are also updated.  Windows RT must obtain the update from Windows Update.  Google Chrome will be automatically updated.


Release date: December 10, 2013
Vulnerability identifier: APSB13-28
CVE number: CVE-2013-5331, CVE-2013-5332
Platform: All Platforms

Update Information

The newest versions are as follows:
Windows and Macintosh:  11.9.900.170
Linux: 11.2.202.332

Adobe AIR:  3.9.0.1380

Flash Player Update Instructions

Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras.

It is recommended that you use either the auto-update mechanism within the product when prompted or, my preference, the direct download links.

Notes:
  • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
  • Uncheck any toolbar offered with Adobe products if not wanted.
  • If you use alternate browsers, it is necessary to install both the update for Internet Explorer and the update for alternate browsers.
  • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.

Adobe Flash Player for Android

The latest version of Adobe Flash Player for Android is available from the Android Marketplace; browse to it on a mobile phone to download it.

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

Adobe Shockwave Player

Adobe has released a security update for Adobe Shockwave Player 12.0.2.122 and earlier versions on the Windows and Macintosh operating systems.

This update addresses vulnerabilities that could allow an attacker who successfully exploits them to run malicious code on the affected system.

Although I have yet to need Shockwave Player on this computer, there are still many people who use it.  If you have Shockwave Player installed, please update to the latest version.


Release date: December 10, 2013
Vulnerability identifier: APSB13-29
CVE number: CVE-2013-5333, CVE-2013-5334
Platform: Windows and Macintosh

The newest version 12.0.7.148 is available here: http://get.adobe.com/shockwave/.  As usual, watch for any pre-checked add-ons not needed for the update.



Mozilla Firefox Version 26.0 Released




Mozilla sent Firefox Version 26.0 to the release channel.  At the time of this posting, no security fixes for this version have been listed on the Security Advisories page.  However, defaulting Java plug-ins to "click to play" is a welcome change, as is password manager support for script-generated password fields.

Update:  The security updates have now been posted.  Version 26.0 includes five (5) critical, three (3) high, three (3) moderate, and three (3) low security updates.

Fixed in Firefox 26

  • MFSA 2013-117 Mis-issued ANSSI/DCSSI certificate
  • MFSA 2013-116 JPEG information leak
  • MFSA 2013-115 GetElementIC typed array stubs can be generated outside observed typesets
  • MFSA 2013-114 Use-after-free in synthetic mouse movement
  • MFSA 2013-113 Trust settings for built-in roots ignored during EV certificate validation
  • MFSA 2013-112 Linux clipboard information disclosure though selection paste
  • MFSA 2013-111 Segmentation violation when replacing ordered list elements
  • MFSA 2013-110 Potential overflow in JavaScript binary search algorithms
  • MFSA 2013-109 Use-after-free during Table Editing
  • MFSA 2013-108 Use-after-free in event listeners
  • MFSA 2013-107 Sandbox restrictions not applied to nested object elements
  • MFSA 2013-106 Character encoding cross-origin XSS attack
  • MFSA 2013-105 Application Installation doorhanger persists on navigation
  • MFSA 2013-104 Miscellaneous memory safety hazards (rv:26.0 / rv:24.2)

What’s New

  • NEW -- All Java plug-ins are defaulted to 'click to play'
  • NEW -- Password manager now supports script-generated password fields
  • NEW -- Updates can now be performed by Windows users without write permissions to Firefox install directory (requires Mozilla Maintenance Service)
  • NEW -- Support for H.264 on Linux if the appropriate gstreamer plug-ins are installed
  • CHANGED -- Support for MP3 decoding on Windows XP, completing MP3 support across Windows OS versions
  • CHANGED -- CSP implementation now supports multiple policies, including the case of both an enforced and Report-Only policy, per the spec


Known Issues

  • Unresolved -- Moving Firefox to background while playing a flash video in full screen mode and bring it back to view will freeze the app (see 809055)

Update

To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu.

If you do not use the English language version, Fully Localized Versions are available for download.



Friday, December 06, 2013

Security Bulletin Advance Notice for December 2013

On Tuesday, December 10, 2013, Microsoft is planning to release eleven (11) bulletins.  Five of the bulletins are identified as Critical with the remaining six bulletins rated Important.

The Critical updates address vulnerabilities in Internet Explorer, Windows, Microsoft Exchange and GDI+. The Important updates will be directed to issues in Microsoft Office, Microsoft Server Software, Microsoft Windows and Microsoft Developer Tools.

The Critical update for GDI+ fully addresses the publicly disclosed issue described in Security Advisory 2896666. Microsoft is still working to develop a security update for Security Advisory 2914486 and will release it when ready.

Reminder

Users of Windows XP are reminded that support for Windows XP ends on April 8, 2014.  See Tim Rains' article, The Risk of Running Windows XP After Support Ends April 2014.

As happens each month, Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.
