SecurityGarden


Tuesday, March 30, 2010

Security Update: Java Runtime Environment (JRE) 6

Posted on 4:58 PM by Unknown

Oracle released update 19 for Java SE JDK 6 and Java SE JRE 6. The update addresses the CVE-2009-3555 vulnerability. In simple terms, this relates to improper “handshakes” with an existing connection, allowing a “man-in-the-middle” attacker to essentially intercept and insert data into HTTPS sessions.

The official description is provided in CVE-2009-3555 as follows:

“The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.”

Download Update: Java SE Runtime Environment 6u19

Please check Add/Remove Programs to ensure that you have uninstalled all prior (and vulnerable) versions of Sun Java.

Note: Uncheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.

References:

  • Release Notes
  • Critical Patch Updates and Security Alerts
  • Map to Public Vulnerability to Advisory/Alert

Clubhouse Tags: Clubhouse, Security, Vulnerabilities, Updates, Java


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...
Posted in Java, Security, Updates, Vulnerabilities, Windows | No comments

Security Bulletin MS10-018 Released Out of Band

Posted on 10:10 AM by Unknown
Microsoft released MS10-018 out-of-band due to increases in attacks against Internet Explorer 6 and Internet Explorer 7 using the vulnerability discussed in Security Advisory 981374.

Although Internet Explorer 8 is not affected by Security Advisory 981374, MS10-018 is a cumulative update for IE and is directed to all versions. There are nine additional vulnerabilities addressed in the cumulative update. Detailed information is available in the MSRC Blog, Security Bulletin MS10-018 Released, including a video presentation.

References:
  • MSRC Blog: Security Bulletin MS10-018 Released
  • TechNet: MS10-018
  • TechNet: Security Advisory 981374

Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Updates, Vulnerabilities, Information, Internet Explorer


Posted in Browser, IE6, IE7, IE8, Microsoft, Security, Updates, Vulnerabilities, Windows | No comments

Monday, March 29, 2010

Out-of-Band Cumulative Update for IE Scheduled

Posted on 10:29 AM by Unknown

Microsoft is releasing security update MS10-018 tomorrow, March 30, 2010, at approximately 10:00 a.m. PDT (UTC-8). MS10-018 resolves Security Advisory 981374, addressing a publicly disclosed vulnerability in both IE6 and IE7. It is important to note that IE8 is not affected by the vulnerability addressed in the advisory.

If you have yet to update to IE8, it is strongly recommended that the update be installed as soon as it is available. As stated by Jerry Bryant in Internet Explorer Cumulative Update Releasing Out-of-Band:
"Once applied, customers are protected against the known attacks related to Security Advisory 981374. We have been monitoring this issue and have determined an out-of-band release is needed to protect customers. For customers using automatic updates, this update will automatically be applied once it is released. Additionally, because Security Bulletin MS10-18 is a cumulative update, it will also address nine other vulnerabilities in Internet Explorer that were planned for release on April 13."
References:

MSRC Blog: Internet Explorer Cumulative Update Releasing Out-of-Band
TechNet: Security Advisory 981374

Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Updates, Vulnerabilities, Information, Internet Explorer


Posted in Browser, IE6, IE7, IE8, Microsoft, Security, Updates, Vulnerabilities, Windows | No comments

Tuesday, March 23, 2010

Mozilla Firefox 3.6.2 Security Update

Posted on 9:58 AM by Unknown
Mozilla released Firefox version 3.6.2 which fixes the following critical issue found in previous versions of Firefox 3.6:
  • Fixed a critical security issue that could potentially allow remote code execution (see bug 552216).
In addition, the update addressed the following:
  • Fixed several additional security issues.
  • Fixed several stability issues.

Please see the complete list of changes in this version. You may also be interested in the Firefox 3.6 release notes for a list of changes in the previous version.


References:
  • Firefox 3.6 release notes
  • Security Advisories for Firefox 3.6

Clubhouse Tags: Clubhouse, Security, Vulnerabilities, Updates, Information


Posted in Browser, Firefox, Security, Updates, Vulnerabilities, Windows | No comments

Wednesday, March 10, 2010

It's Income Tax Time – Avoid Tax Fraud

Posted on 11:10 AM by Unknown


The deadline for filing income tax returns in the U.S. is April 15. As that date approaches, taxpayers are anxiously searching references and online tax preparation services. Caution is advised because fraudsters and phishers thrive during this time of year.

The best authority for tax questions is the official IRS website, located at irs.gov. Just as Microsoft does not contact an individual directly about security updates, neither will the IRS use e-mail to communicate any personal information. (Telephone 1-800-829-1040 to determine if an IRS contact is legitimate.)

The same goes for unsolicited e-mails from a supposed tax-preparation company. Always expect that such e-mails are phishing attempts. To better understand phishing attempts, see How to recognize phishing e-mails or links.

Not everyone is in a position to afford the latest computer operating system. In the event you are still using Windows XP, you will want to ensure that your computer is as secure as possible prior to using an online tax preparation service. A computer infected with a backdoor trojan or keylogger is an invitation to identity theft. To determine if your computer is infected, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, the Windows Live OneCare safety scanner or ESET Online Scanner.

If you are filing your taxes online, it is important that you use as secure a browser as possible. I recommend either Internet Explorer 8 or Mozilla Firefox 3.6. Also make sure that the Web address begins with https.

Safe and happy returns!

References:

  • Avoid Online Tax Fraud
  • How to recognize phishing e-mails or links
  • Internal Revenue (IRS)
Clubhouse Tags: Clubhouse, Security, IE8, Internet Explorer, How-to, Firefox, Safety, Phishing, Fraud


Posted in email, Phishing, safety, Security, Windows | No comments

Tuesday, March 9, 2010

March 2010 Security Bulletin Release

Posted on 11:16 AM by Unknown
Microsoft released two Important security bulletins addressing eight vulnerabilities in Windows and Microsoft Office. Both bulletins have an aggregate Exploitability Index rating of “1” so it is recommended that the updates be installed as soon as possible.
Microsoft Security Bulletin MS10-016: Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (975561). From the MSRC Blog:

"MS10-016 addresses one vulnerability in Windows Movie Maker. Both Windows XP and Windows Vista ship with affected versions (2.1 and 6.0 respectively). Version 2.6 is also vulnerable and can be freely downloaded and installed from the web. Customers who install 2.6 on any supported platform, including Windows 7, will be offered the update. In order to take advantage of the vulnerability, a user would need to open a specially crafted Movie Maker project file. These are files with the .mswmm file extension.

The MS10-016 bulletin also calls out Microsoft Producer 2003 in the affected products list. Producer 2003 is a free download with limited distribution. At this time, we are not offering an update for Producer 2003. Our standard approach is to produce updates that can be deployed automatically for all affected products at the same time but Producer 2003 does not offer a means for automatic update. Based on our investigation, we determined that the best way to protect the vast majority of customers was to release an update addressing the components that shipped with Windows. While we continue to investigate Producer 2003, we recommend that customers either uninstall the application or apply an available Microsoft Fix It to disassociate the project file type from the application to add an extra layer of security."

Microsoft Security Bulletin MS10-017: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (980150). As described in the MSRC Blog:
"MS10-017 affects all currently supported versions of Microsoft Office Excel. It also affects Office 2004 and Office 2008 for Mac, the Open XML File Format Converter for Mac, supported versions of Excel viewer and SharePoint 2007. As with most Office vulnerabilities, a user would have to open a specially crafted file in order to be exploited."
References:
  • MSRC: March 2010 Security Bulletin Release
  • TechNet: Microsoft Security bulletin summary for March 2010


Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Updates, Vulnerabilities, Information


Posted in Microsoft, Security, Updates, Vulnerabilities, Windows | No comments