Wednesday, March 23, 2016

Another Oracle Java Out-of-Band Critical Security Update



Oracle has released yet another out-of-band Security Alert, this one for CVE-2016-0636 in Java SE. The vulnerability is remotely exploitable without authentication and affects client-side deployments that run sandboxed Java applets or Java Web Start applications, so visiting a web page that serves a malicious applet is enough to trigger it.

If Java is still installed on your computer, install this update as soon as possible. If you do not actually need Java in the browser, uninstalling it (or at least disabling the browser plug-in) removes the exposure altogether.

Download Information

Download link: Java SE 8u77

Verify your version: http://www.java.com/en/download/testjava.jsp

Notes:
  • UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the security update and are completely optional.
  • Uninstall all previous versions of Java. Old releases left on the system are still vulnerable, so remove them rather than leaving them alongside the new one.
  • Starting with Java SE 7 Update 21 in April 2013, all Java applets and Web Start applications should be signed with a trusted certificate. Do not run unsigned applets or applets signed with an untrusted certificate. See How to protect your computer against dangerous Java Applets.
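As an added example (not part of the original post, and not an Oracle tool), the following PowerShell script performs the "uninstall all previous versions" audit from the Windows uninstall registry: it lists every Java runtime or JDK registered there and flags anything older than Java 8 Update 77, the build that fixes CVE-2016-0636. The registry paths are the standard Windows uninstall keys; the DisplayName pattern ("Java 8 Update 77", "Java 7 Update 97", "Java(TM) 6 Update 45") is an assumption about how Oracle's installers name themselves.

```powershell
# Added example, not from the original post: audit installed Java runtimes on Windows.
# Reads the standard uninstall registry keys (32- and 64-bit views) and flags any
# Java release older than 8 Update 77, the build that fixes CVE-2016-0636.
$MinimumMajor  = 8
$MinimumUpdate = 77

# Assumption: Oracle's installers register names such as "Java 8 Update 77",
# "Java 8 Update 77 (64-bit)", "Java 7 Update 97", "Java(TM) 6 Update 45" and
# "Java SE Development Kit 8 Update 77".
$Pattern = '^Java(?:\(TM\))?(?: SE Development Kit)? (\d+) Update (\d+)'

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $Pattern } |
    ForEach-Object {
        $null   = $_.DisplayName -match $Pattern   # repopulate $Matches for this entry
        $major  = [int]$Matches[1]
        $update = [int]$Matches[2]
        $outdated = ($major -lt $MinimumMajor) -or ($major -eq $MinimumMajor -and $update -lt $MinimumUpdate)
        [pscustomobject]@{
            DisplayName     = $_.DisplayName
            Major           = $major
            Update          = $update
            Status          = $(if ($outdated) { 'OUTDATED - uninstall' } else { 'current' })
            UninstallString = $_.UninstallString   # handy when scripting the removal
        }
    }

if (-not $Installed) {
    Write-Output 'No Java runtime is registered in the uninstall registry.'
    exit 0
}

$Installed | Format-Table DisplayName, Major, Update, Status -AutoSize

# A non-zero exit code makes the script usable as a fleet-wide compliance check.
if (@($Installed | Where-Object Status -ne 'current').Count -gt 0) { exit 1 }
```

Run it in an elevated PowerShell prompt so both registry views are readable. Any row marked OUTDATED is a runtime the new installer did not remove; the UninstallString column gives the command to remove it.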

Critical Patch Updates

The next scheduled dates of Oracle Java SE Critical Patch Updates are as follows:
  • 19 April 2016
  • 19 July 2016
  • 18 October 2016
  • 17 January 2017

References





Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...





Adobe Flash Player Bug Fix


Adobe has released Version 21.0.0.197 of Adobe Flash Player for Microsoft Windows and Macintosh. Linux and the Extended Support Release for Windows and Macintosh were not updated and remain at Version 11.2.202.577 for Linux and Version 18.0.0.333 for the ESR. Adobe AIR also remains unchanged at Version 21.0.0.176.

This is a functional release rather than a security one: it provides an important bug fix for a subset of Flash gaming content. See the Adobe release notes for further information.

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu.

Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

References





Thursday, March 10, 2016

Adobe Flash Player and AIR Critical Security Update


Adobe has released Version 21.0.0.182 of Adobe Flash Player for Microsoft Windows and Macintosh and Version 11.2.202.577 for Linux. The Extended Support Release for Windows and Macintosh was updated to Version 18.0.0.333. Adobe AIR has been updated to Version 21.0.0.176.

The updates address critical vulnerabilities that could allow an attacker to take control of the affected system.

See the Adobe Security Bulletin for additional information.

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu.

Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.
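The per-browser check described here (and again in the March 23 Flash bug-fix post above) can be done from the registry on Windows. The following PowerShell script is an added example, not from the original posts and not an Adobe tool: it reads the version each Flash Player plug-in type has registered (ActiveX for Internet Explorer, NPAPI for Firefox, PPAPI for Chromium-based browsers) and compares it with the baseline for that branch (21.0.0.182 for the release branch, 18.0.0.333 for the ESR). The Macromedia registry key names are those Adobe's Windows installers write; treat them as an assumption and fall back to the About Flash Player page if a key is missing.

```powershell
# Added example, not from the original post: check registered Flash Player versions
# per plug-in type on Windows and compare them against the APSB16-08 baselines.
$Baseline = @{
    Release = [version]'21.0.0.182'   # Windows/Mac release branch (21.0.0.197 or later also passes)
    ESR     = [version]'18.0.0.333'   # Extended Support Release branch
}

# Assumption: Adobe's installers record the version under these keys.
$Plugins = [ordered]@{
    'ActiveX (Internet Explorer)'     = 'HKLM:\SOFTWARE\Macromedia\FlashPlayerActiveX'
    'NPAPI (Firefox and others)'      = 'HKLM:\SOFTWARE\Macromedia\FlashPlayerPlugin'
    'PPAPI (Chromium-based browsers)' = 'HKLM:\SOFTWARE\Macromedia\FlashPlayerPepper'
}

$Results = foreach ($name in $Plugins.Keys) {
    $raw = (Get-ItemProperty -Path $Plugins[$name] -Name Version -ErrorAction SilentlyContinue).Version
    if (-not $raw) {
        [pscustomobject]@{ Plugin = $name; Installed = $null; Baseline = $null; Status = 'not installed' }
        continue
    }
    # Some Flash installers write "21,0,0,182" rather than "21.0.0.182".
    $ver = [version]($raw -replace ',', '.')
    # Choose the baseline for the branch actually present: 18.x is the ESR, anything else the release branch.
    $expected = if ($ver.Major -eq 18) { $Baseline.ESR } else { $Baseline.Release }
    [pscustomobject]@{
        Plugin    = $name
        Installed = $ver
        Baseline  = $expected
        Status    = $(if ($ver -ge $expected) { 'current' } else { 'OUTDATED' })
    }
}

$Results | Format-Table -AutoSize

# Exit non-zero if any installed plug-in is behind its baseline.
if (@($Results | Where-Object Status -eq 'OUTDATED').Count -gt 0) { exit 1 }
```

Two caveats: Flash bundled with Google Chrome, or shipped with Internet Explorer and Edge on Windows 8.1 and Windows 10 through Windows Update, is updated by the browser or the OS and may not appear under these keys, so for those browsers the About Flash Player page remains the check that counts. And a version string that is missing or unparsable is reported, not silently treated as current.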

References





Tuesday, March 08, 2016

Microsoft Security Bulletin Release for March, 2016


Microsoft released thirteen (13) bulletins.  Five (5) bulletins are identified as Critical and the remaining eight (8) are rated Important in severity.

The updates address vulnerabilities in Microsoft Windows, Microsoft Edge, Internet Explorer, Microsoft Office, Microsoft Office Services and Web Apps, Microsoft Server Software and Microsoft .NET Framework.


Critical:
  • MS16-023 Cumulative Security Update for Internet Explorer (3142015)
  • MS16-024 Cumulative Security Update for Microsoft Edge (3142019)
  • MS16-026 Security Update for Graphic Fonts to Address Remote Code Execution (3143148)
  • MS16-027 Security Update for Windows Media to Address Remote Code Execution (3143146)
  • MS16-028 Security Update for Microsoft Windows PDF Library to Address Remote Code Execution (3143081)

Important:
  • MS16-025 Security Update for Windows Library Loading to Address Remote Code Execution (3140709)
  • MS16-029 Security Update for Microsoft Office to Address Remote Code Execution (3141806)
  • MS16-030 Security Update for Windows OLE to Address Remote Code Execution (3143136)
  • MS16-031 Security Update for Microsoft Windows to Address Elevation of Privilege (3140410)
  • MS16-032 Security Update for Secondary Logon to Address Elevation of Privilege (3143141)
  • MS16-033 Security Update for Windows USB Mass Storage Class Driver to Address Elevation of Privilege (3143142)
  • MS16-034 Security Update for Windows Kernel-Mode Drivers to Address Elevation of Privilege (3143145)
  • MS16-035 Security Update for .NET Framework to Address Security Feature Bypass (3141780)

Additional Update Notes

  • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows 10 Version 1511, Adobe Flash Player is now handled as a security bulletin rather than a security advisory and is included with the updates.
  • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.
  • Windows 8.x and Windows 10 -- Non-security new features and improvements for Windows 8.1 and Windows 10 are included with the updates.
  • Windows 10 -- A summary of important product developments included in each update, with links to more details, is available at Windows 10 Update History. The page is refreshed as new updates are released.

References



Mozilla Firefox Version 45.0 Released with Critical Security Updates

Mozilla sent Firefox Version 45.0 to the release channel. The release carries 22 security advisories: eight (8) rated critical, seven (7) high, six (6) moderate and one (1) low.

Firefox ESR was updated to version 38.7.0.

The next scheduled release is April 19, 2016.

Fixed in Firefox 45

  • 2016-37 Font vulnerabilities in the Graphite 2 library
  • 2016-36 Use-after-free during processing of DER encoded keys in NSS
  • 2016-35 Buffer overflow during ASN.1 decoding in NSS
  • 2016-34 Out-of-bounds read in HTML parser following a failed allocation
  • 2016-33 Use-after-free in GetStaticInstance in WebRTC
  • 2016-32 WebRTC and LibVPX vulnerabilities found through code inspection
  • 2016-31 Memory corruption with malicious NPAPI plugin
  • 2016-30 Buffer overflow in Brotli decompression
  • 2016-29 Same-origin policy violation using performance.getEntries and history navigation with session restore
  • 2016-28 Addressbar spoofing through history navigation and Location protocol property
  • 2016-27 Use-after-free during XML transformations
  • 2016-26 Memory corruption when modifying a file being read by FileReader
  • 2016-25 Use-after-free when using multiple WebRTC data channels
  • 2016-24 Use-after-free in SetBody
  • 2016-23 Use-after-free in HTML5 string parser
  • 2016-22 Service Worker Manager out-of-bounds read in Service Worker Manager
  • 2016-21 Displayed page address can be overridden
  • 2016-20 Memory leak in libstagefright when deleting an array during MP4 processing
  • 2016-19 Linux video memory DOS with Intel drivers
  • 2016-18 CSP reports fail to strip location information for embedded iframe pages
  • 2016-17 Local file overwriting and potential privilege escalation through CSP reports
  • 2016-16 Miscellaneous memory safety hazards (rv:45.0 / rv:38.7)

New

  • Instant browser tab sharing through Hello
  • Tabs synced via Firefox Accounts from other devices are now shown in the dropdown area of the Awesome Bar when searching
  • Synced Tabs button in button bar
  • Introduce a new preference (network.dns.blockDotOnion) to allow blocking .onion at the DNS level
  • Guarani [gn] locale added

Fixed

  • URLs containing a Unicode-format Internationalized Domain Name (IDN) are now properly redirected
  • Various security fixes

Changed

HTML5

Unresolved

  • On-screen keyboard support was temporarily turned off for Windows 8 and Windows 8.1

Update

To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox." Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

References



Adobe Reader and Acrobat Out-of-Band Security Update

Adobe has released out-of-band security updates for Adobe Reader and Acrobat XI for Windows and Macintosh. The update addresses three critical vulnerabilities and should be installed as soon as possible.

Release date: March 8, 2016
Vulnerability identifier: APSB16-09
CVE numbers: CVE-2016-1007, CVE-2016-1008, CVE-2016-1009
Platform: Windows and Macintosh

Update or Complete Download

Update checks can be started manually by choosing Help > Check for Updates.
  Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

End of Support: Adobe Acrobat X and Adobe Reader X

Adobe Acrobat X and Adobe Reader X are no longer supported (see here). Adobe recommends Adobe Acrobat DC (FAQ) and Adobe Acrobat Reader DC (FAQ). Other PDF readers can also replace Adobe Reader. Personally, I like Sumatra PDF. It isn't a target and doesn't include unwanted extras with the install or updates.

Enable "Protected View"

Because Reader and Acrobat are patched so frequently, Windows users should make sure Protected View is enabled. It opens PDFs read-only inside the Protected Mode sandbox, so the next Reader exploit has far less to work with. Neither Protected Mode nor Protected View is available to Macintosh users.

To enable this setting, do the following:
  • Click Edit > Preferences > Security (Enhanced).
  • Under Protected View, change the "Off" setting to "All Files".
  • Ensure the "Enable Enhanced Security" box is checked.
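The three GUI settings above correspond to per-user registry values, which is how you audit or enforce them across many machines instead of clicking through Preferences on each. The PowerShell below is an added example, not from the original post and not an Adobe tool. The key and value names (TrustManager\iProtectedView, bEnhancedSecurityStandalone, bEnhancedSecurityInBrowser and Privileged\bProtectedMode) are assumptions based on Adobe's preference reference for Reader 11.0; confirm them against a machine where the settings were changed through the GUI before rolling the script out.

```powershell
# Added example, not from the original post: audit (and with -Enforce, set) the
# Adobe Reader XI Protected View / Enhanced Security preferences for the current user.
# Assumption: value names and locations follow Adobe's Reader 11.0 preference reference.
# Reader DC keeps the same values under ...\Acrobat Reader\DC\... instead of 11.0.
param([switch]$Enforce)

$TrustManager = 'HKCU:\Software\Adobe\Acrobat Reader\11.0\TrustManager'
$Privileged   = 'HKCU:\Software\Adobe\Acrobat Reader\11.0\Privileged'

# Desired state, mirroring the GUI steps: Protected View = All Files (2),
# Enhanced Security on (1) for standalone and in-browser use, Protected Mode on (1).
$Desired = @(
    [pscustomobject]@{ Key = $TrustManager; Name = 'iProtectedView';              Value = 2 }
    [pscustomobject]@{ Key = $TrustManager; Name = 'bEnhancedSecurityStandalone'; Value = 1 }
    [pscustomobject]@{ Key = $TrustManager; Name = 'bEnhancedSecurityInBrowser';  Value = 1 }
    [pscustomobject]@{ Key = $Privileged;   Name = 'bProtectedMode';              Value = 1 }
)

$Report = foreach ($s in $Desired) {
    # A missing key or value comes back as $null rather than an error.
    $current = (Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    $ok = ($null -ne $current) -and ([int]$current -eq $s.Value)

    if (-not $ok -and $Enforce) {
        if (-not (Test-Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
        Set-ItemProperty -Path $s.Key -Name $s.Name -Value $s.Value -Type DWord
        $current = $s.Value
        $ok = $true
    }

    [pscustomobject]@{
        Setting = $s.Name
        Current = $(if ($null -eq $current) { 'unset' } else { $current })
        Wanted  = $s.Value
        Status  = $(if ($ok) { 'OK' } else { 'MISMATCH' })
    }
}

$Report | Format-Table -AutoSize
if (@($Report | Where-Object Status -eq 'MISMATCH').Count -gt 0) { exit 1 }
```

Run it without -Enforce to report, with -Enforce to set the values for the current user. HKCU values can be changed back by the user in the Preferences dialog; to lock them, the same value names under HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown are the place (again an assumption from Adobe's reference, so verify before deploying). As the post notes, Protected View is Windows-only, so this check is meaningless on a Mac.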

[Image: Adobe Reader Protected View preferences, via Sophos Naked Security Blog]

References


