Security Bulletin Advance Notice for October 2013

On Tuesday, October 8, 2013, Microsoft is planning to release eight (8) bulletins.  Four of the bulletins are identified as Critical with the remaining four bulletins rated Important.

The Critical updates address vulnerabilities in Internet Explorer, .NET Framework and Windows. The Critical update for Internet Explorer will be a cumulative update which will address the publicly disclosed issue described in Security Advisory 2887505. 

The updates to Internet Explorer and Windows will require a restart.  For those people who run into problems with .NET Framework updates, it is recommended that the update be installed separately with a restart between other updates.

Users of Windows XP are reminded that support ends for Windows XP on April 8, 2014.  See Tim Rains article, The Risk of Running Windows XP After Support Ends April 2014.

As happens each month, Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

References

• MSRC: Advance Notification Service for October 2013 Security Bulletin Release
• TechNet: Microsoft Security Bulletin Summary for October 2013

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Read More

2013 U.S. and Canadian Cyber Security Awareness Month #NCSAM

Cyber Security Awareness Month is observed in the United States and Canada.  The purpose is to increase public awareness of cyber security.  The theme for the 2013 National Cyber Security Awareness Month (NCSAM) is Our Shared Responsibility.

There are many areas to consider when discussing cyber security.  The area I consider most dangerous is Identity Theft.  Identity Theft occurs when someone uses your personal information without your knowledge.  With your personal information, thieves are able to open credit cards and bank accounts, set up mobile service, make online purchases and more, destroying your credit in the process.

Let's examine what we can do to protect ourselves from Identity Theft.

Prevent Identity Theft

A few items to consider to protect your personal information include:

• Only provide your Social Security Number when absolutely necessary.  
• Never publicly post your address, phone number, driver’s license number, social security number (SSN) or student ID number.
• Shred documents that contain personal information.
• Use a strong password to protect your banking, credit card as well as accounts where you make online purchases or make payments.
• Use a unique password at each site.
• Don’t give out personal information on the phone, through the mail or over the Internet unless you initiated the contact.
• Keep your computer updated with both Microsoft Security Updates as well as third-party software such as Adobe and Oracle Java products.

What cyber security tips do you have?  Share your favorites in the comments and be sure to check the additional resources provided below.

Resources:

• Canadian Twitter Accounts:
  -- Public Safety Canada, @Safety_Canada
  -- Get Cyber Safe, @getcybersafe   
• Get Cyber Safe
• Microsoft Safety and Security Center
• Stay Safe on Line:  National Cyber Security Awareness Month
• Stop | Think | Connect
• U.S. Department of Homeland Security: National Cyber Security Awareness Month 
• U.S. Twitter Accounts:
  -- NatlCyberSecAlliance @StaySafeOnline
  -- Identity Theft Resource Center, @ITRCSD
  -- STOP THINK CONNECT, @STOPTHINKCONNECT

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Read More

Sensationalist Press Got it WRONG! Microsoft Does Not Recommend Two Antivirus Programs!

A recent article published by PC Pro has taken wings and is being quoted in numerous stories implying that a second antivirus program is needed when using Microsoft Security Essentials.  The article states,

"Now, Microsoft has said it sees Security Essentials as merely the first layer of protection, advising customers to use additional, third-party antivirus - although the company stressed that wasn't because the product wasn't good enough to stand on its own." (bold added)

The above statement by PC Pro is an obvious misinterpretation of Holly Stewart's comment (bold added), 

"It’s not as efficient to have one kind of weapon," she said. "Like anything you must have that diversity. It’s a weakness to just have one."

Why PC Pro is Wrong

Starting with the obvious, Microsoft Security Essentials on Windows 7, or earlier and Windows Defender on Windows 8 are disabled when a third-party antivirus software is installed.  Thus, an active second antivirus program cannot be run along side Microsoft Security Essentials or Windows Defender.

As clearly stated in this Microsoft Malware Protection Center help topic,

"It’s not a good idea to run other antivirus or antispyware products at the same time as Microsoft Security Essentials or Windows Defender.

Using more than one real-time security product can affect your PC performance. You might also get an error code when you try to update or install, such as 0x80070643."

The use of the word "weapon" by Holly Stewart in the above quote does not mean a second antivirus software, rather, as has long been recommended by the security community, a layered approach of another weapon is needed. 

In addition to one up-to-date antivirus software, it is also critical to maintain updated third-party applications such as Adobe products and Oracle Java and install Microsoft security updates. 

Along with "safe surfing", having one or two secondary security applications, such as my favorite Malwarebytes Antimalware and WinPatrol to supplement the work of your antivirus software program is generally recommended.

Microsoft Strategy Works!  

As illustrated in the Microsoft Malware Protection Center report, Evaluating our protection performance and capabilities, 99.9% of computers using Microsoft real-time protection reported no infections on the average day of August, 2013.  With results like that, it is clear that the change in focus by Microsoft to prevalent threats is obviously working.

Thus, PC Pro, Microsoft Security Essentials is not designed to be at the bottom of the antivirus rankings.  It is designed to target prevalent threats to consumer's computers, as illustrated in the change log for 1.159.819.0, released today.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Read More

Security Advisory 2887505 and Microsoft Fix it

Microsoft released Security Advisory 2887505 which relates to an issue with Internet Explorer.

It is important to note that there are a limited number of targeted attacks which are specifically directed at Internet Explorer 8 and 9. The issue, however, could potentially affect all supported versions of IE.

As described by Dustin Childs in the below-referenced MSRC Blog post,

"This issue could allow remote code execution if an affected system browses to a website containing malicious content directed towards the specific browser type. This would typically occur when an attacker compromises the security of trusted websites regularly frequented, or convinces someone to click on a link in an email or instant message."

Mitigations

Microsoft has made available a Fix it solution for users of Internet Explorer.  Additional mitigations include the following advice, also from the MSRC Blog post:

• Set Internet and local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
  This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
• Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones
  This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.

Below are the links to both apply and uninstall the Fix it solution.  Note:  The Fix it solution applies only 32-bit versions of Internet Explorer.
 

Apply Fix it	Uninstall Fix it
Microsoft Fix it 51001	Microsoft Fix it 51002

Another option is to install the Enhanced Mitigation Experience Toolkit (EMET), described in the "workarounds" section of the Tech Net Advisory.

If you have Windows Vista or Windows 7 installed, you should have updated to IE9 or IE10.  In the event you haven't, it is strongly advised that you update!

References:

• Microsoft KB Article 2887505: Microsoft Security Advisory: Vulnerability in Internet Explorer could allow remote code execution
• MSRC: Microsoft Releases Security Advisory 2887505
• Security Research & Defense: CVE-2013-3893: Fix it workaround available
• Tech Net Advisory: Microsoft Security Advisory (2887505): Vulnerability in Internet Explorer Could Allow Remote Code Execution

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Read More

Firefox 24.0 Released With Critical Security Updates

Mozilla sent Firefox Version 24.0 to the release channel.  At the the time of this posting, there is no indication of security fixes included.  An update will be made if or when that information has been provided.

Update:  The security fixes included in version 24.0 have finally been posted.  It is advised that this update be installed ASAP.

Version 24.0 includes seventeen security updates of which seven are critical, four high, and six moderate.
 

Fixed in Firefox 24

MFSA 2013-92 GC hazard with default compartments and frame chain restoration
MFSA 2013-91 User-defined properties on DOM proxies get the wrong "this" object
MFSA 2013-90 Memory corruption involving scrolling
MFSA 2013-89 Buffer overflow with multi-column, lists, and floats
MFSA 2013-88 compartment mismatch re-attaching XBL-backed nodes
MFSA 2013-87 Shared object library loading from writable location
MFSA 2013-86 WebGL Information disclosure through OS X NVIDIA graphic drivers
MFSA 2013-85 Uninitialized data in IonMonkey
MFSA 2013-84 Same-origin bypass through symbolic links
MFSA 2013-83 Mozilla Updater does not lock MAR file after signature verification
MFSA 2013-82 Calling scope for new Javascript objects can lead to memory corruption
MFSA 2013-81 Use-after-free with select element
MFSA 2013-80 NativeKey continues handling key messages after widget is destroyed
MFSA 2013-79 Use-after-free in Animation Manager during stylesheet cloning
MFSA 2013-78 Integer overflow in ANGLE library
MFSA 2013-77 Improper state in HTML5 Tree Builder with templates
MFSA 2013-76 Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9)

What’s New

• NEW -- Support for new scrollbar style in Mac OS X 10.7 and newer
• NEW -- Implemented Close tabs to the right
• NEW -- Social: Ability to tear-off chat windows to view separately by simply dragging them out
• CHANGED -- Accessibility related improvements on using pinned tabs (see 577727)
• CHANGED -- Removed support for Revocation Lists feature (see 867465)
• CHANGED -- Performance improvements on New Tab Page loads (see 791670)
• FIXED -- Replace fixed-ratio audio resampler in webrtc.org capture code with Speex resampler and eliminate pseudo-44000Hz rate ( see 886886)
• FIXED -- 24.0: Security fixes can be found here

Update

To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu.

If you do not use the English language version, Fully Localized Versions are available for download.

References

• Common questions after updating Firefox
• Security Updates
• Mozilla Firefox Release Notes
• Bug Fixes 

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Read More

Oracle Java Update

Oracle released the Java SE 7u40 today.  In addition to bug fixes and enhancements, the update includes the following:

• advanced monitoring and diagnostic capabilities that enable developers to gather detailed runtime information and perform efficient data analysis without impacting system performance; 
• a new security policy that gives system administrators greater control over Java running on desktops; 
• improved performance and efficiencies for Java on ARM servers and support for Mac OS X retina displays.

If Java is still installed on your computer, it is recommended that this update be installed.

For those people who have desktop applications that require Java and cannot uninstall it, Java can now be disabled in Internet Explorer.  See Microsoft Fix it to Disable Java in Internet Explorer.

Java Security Recommendations

1)  In the Java Control Panel, at minimum, set the security to high.
2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

(Image via Sophos Naked Security Blog)

3)  If you use Firefox, install NoScript and only allow Java on those sites where it is required.

Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml

Download Information

Download link:   Java SE 7 Update 40

Verify your version:  http://www.java.com/en/download/testjava.jsp

Notes:

• UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.
• Starting with Java SE 7 Update 21 in April 2013, all Java Applets and Web Start Applications should be signed with a trusted certificate.  It is not recommended to run untrusted/unsigned Certificates.  See How to protect your computer against dangerous Java Applets

Critical Patch Updates

Starting with the October 2013 Critical Patch Update, security fixes for Java SE will be released under the normal Critical Patch Update schedule. A pre-release announcement will be published on the Thursday preceding each Critical Patch Update release.


For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:

• 15 October 2013
• 14 January 2014
• 15 April 2014
• 15 July 2014

References

• Critical Patch Updates, Security Alerts and Third Party Bulletin
• Oracle Blog
• Release Notes
• Java, The Never-Ending Saga  

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Read More

Microsoft Security Updates for September 2013

Microsoft released thirteen (13) bulletins.  Four of the bulletins are identified as Critical with the remaining nine bulletins rated Important.

The updates address 47 unique CVEs in Microsoft Windows, Office, Internet Explorer and SharePoint. The updates to Windows require a restart.



Critical:

• MS13-067 -- Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2834052)
• MS13-068 -- Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (2756473)
• MS13-069 -- Cumulative Security Update for Internet Explorer (2870699)
• MS13-070 -- Vulnerability in OLE Could Allow Remote Code Execution (2876217)

Important:

• MS13-071 -- Vulnerability in Windows Theme File Could Allow Remote Code Execution (2864063)
• MS13-072 -- Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2845537)
• MS13-073 -- Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2858300)  
• MS13-074 -- Vulnerabilities in Microsoft Access Could Allow Remote Code Execution (2848637) 
• MS13-075 -- Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2878687) 
• MS13-076 -- Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege (2876315) 
• MS13-077 -- Vulnerability in Windows Service Control Manager Could Allow Elevation of Privilege (2872339) 
• MS13-078 -- Vulnerability in FrontPage Could Allow Information Disclosure (2825621) 
• MS13-079 -- Vulnerability in Active Directory Could Allow Denial of Service (2853587)  

Users of Windows XP are reminded that support ends for Windows XP on April 8, 2014.  See Tim Rains article, The Countdown Begins: Support for Windows XP Ends on April 8, 2014.

Support

The following additional information is provided in the Security Bulletin:

• The affected software listed have been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your software version, visit Microsoft Support Lifecycle.
• Security solutions for IT professionals: TechNet Security Troubleshooting and Support
• Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center
• Local support according to your country: International Support

References

• MSRC: Lovely tokens and the September 2013 security updates
• TechNet: Microsoft Security Bulletin Summary for September 2013

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Read More