SecurityGarden


Thursday, December 29, 2011

Out-of-Band Critical Security Update MS11-100

Posted on 12:05 PM by Unknown

Microsoft ended the year with a critical security update.  Security Update MS11-100 was released to address the issue described in Security Advisory 2659883.

The update resolves a publicly disclosed remote unauthenticated Denial of Service issue in ASP.NET versions 1.1 and above on all supported versions of .NET Framework.

Update:   December 2011 Out-Of-Band Security Bulletin Webcast Q&A

Known Issues

See KB Article 2638420, MS11-100: Vulnerability in the .NET Framework could allow elevation of privilege: December 29, 2011.

Reminder

When updating .NET Framework, always install the update separately from other updates and follow with a shutdown/restart.

Support

The following additional information is provided in the Security Bulletin:
  • The affected software listed have been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your software version, visit Microsoft Support Lifecycle.
  • Customers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.
  • International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit International Help and Support.

References

  • MSRC: Microsoft releases MS11-100 for Security Advisory 2659883
  • TechNet: Microsoft Security Bulletin MS11-100 - Critical 
  • Microsoft Security Advisory (2659883): Vulnerability in ASP.NET Could Allow Denial of Service
  • ASP.NET security update is live!




    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...


    Posted in Microsoft, Security, Updates, Vulnerabilities | No comments

    Saturday, December 24, 2011

    Merry Christmas, Ukrainian Style

    Posted on 1:24 PM by Unknown
    Merry Christmas to all my family, friends and Security Garden readers.

    Sending warmest wishes to you and your family. May you enjoy the spirit of Christmas every day of the coming year.

    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~


    Our family celebrates Christmas Eve in the Ukrainian tradition.  The video below includes examples of some of the traditional foods that are part of the Christmas Eve celebration. 




    References:
    • Christmas Traditions in Ukraine
    • Ukrainian Christmas


    Posted in General | No comments

    Tuesday, December 20, 2011

    Mozilla Firefox 9 Released, Includes Critical Security Fixes

    Posted on 6:15 PM by Unknown

    Mozilla released Firefox 9 today, in keeping with the rapid release schedule.

    As expected when a version update is released, you may find that many of your favorite add-ons are not compatible with the new release.  Use Add-on Compatibility Reporter to test and report on your favorite add-ons in version 9.

    Security Updates

    The following security updates are included in the release of Firefox 9. MFSA 2011-58, MFSA 2011-55, MFSA 2011-54 and MFSA 2011-53 are rated Critical, MFSA 2011-57 is rated High and MFSA 2011-56 is rated Low.

    MFSA 2011-58 Crash scaling to extreme sizes
    MFSA 2011-57 Crash when plugin removes itself on Mac OS X
    MFSA 2011-56 Key detection without JavaScript via SVG animation
    MFSA 2011-55 nsSVGValue out-of-bounds access
    MFSA 2011-54 Potentially exploitable crash in the YARR regular expression library
    MFSA 2011-53 Miscellaneous memory safety hazards (rv:9.0)

    What's New

    The Release Notes listed the following new features in version 9:
    • Added Type Inference, significantly improving JavaScript performance
    • Improved theme integration for Mac OS X Lion
    • Added two finger swipe navigation for Mac OS X Lion
    • Added support for querying Do Not Track status via JavaScript
    • Added support for font-stretch
    • Improved support for text-overflow
    • Improved standards support for HTML5, MathML, and CSS
    • Fixed several stability issues
    • Fixed several security issues

    The upgrade to Firefox 9 will be offered through the browser update mechanism.  However, as the upgrade includes critical security updates, it is recommended that the update be applied as soon as possible.  To get the update now, select Help, About Firefox, Check for Updates.

    If you do not use the English language version, Fully Localized Versions are available for download.

    References

    • Common questions after updating Firefox
    • Mozilla Firefox Release Notes
    • Security Advisories



    Posted in Firefox, Mozilla, Security, Updates, Vulnerabilities | No comments

    Friday, December 16, 2011

    Critical Security Update for Adobe Reader/Acrobat

    Posted on 11:09 AM by Unknown


    Adobe released a critical security update addressing vulnerabilities being actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on Windows.

    The update addresses memory corruption vulnerabilities which could cause a crash and potentially allow an attacker to take control of the affected system.

    Acrobat and Reader users can update to the latest version using the built-in updater, by clicking “Help” and then “Check for Updates.” The Adobe Reader update for Windows is available from http://www.adobe.com/products/reader/. 

    Adobe plans on updating all other versions as part of the next quarterly update scheduled for January 10, 2011.  According to Adobe, Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of this kind from executing.

    Release Details

    • Release date: December 16, 2011
    • Vulnerability identifier: APSB11-30
    • CVE number: CVE-2011-2462, CVE-2011-4369
    • Platform: Windows

    Alternatives

    Several years ago, I tired of Adobe Reader and switched to Sumatra PDF, an alternate PDF reader.  After I got past the bright yellow GUI, I found Sumatra PDF to be a nice, light-weight option with no unnecessary add-ons or toolbars.  There are a number of open source readers available from http://pdfreaders.org/.

      References

      • Security Advisory: Security updates available for Adobe Reader and Acrobat 9.x for Windows
      • PSIRT Blog: Security updates released for Adobe Reader and Acrobat 9.x for Windows (APSB11-30)




      Posted in Adobe, Security, Updates, Vulnerabilities | No comments

      Tuesday, December 13, 2011

      Microsoft December 2011 Security Bulletin Release

      Posted on 3:10 PM by Unknown

      Microsoft released thirteen (13) bulletins addressing 19 vulnerabilities in Microsoft Windows, Microsoft Office (including Microsoft Office for Mac) and Internet Explorer.

      Three bulletins are rated Critical with the remaining ten rated as Important.  Most updates will require a restart to complete the installation.

      Originally, 14 bulletins were planned; one was withdrawn after Microsoft discovered a compatibility issue between the bulletin-candidate addressing Security Advisory 2588513 and a major third-party vendor.  Microsoft is working with that vendor to address the issue on their platform.  Microsoft has been monitoring the issue in Security Advisory 2588513 and has not seen active attacks in the wild.

      Disable Microsoft Fix it

      MS11-087 was issued to address Security Advisory 2639658.  If you installed Microsoft Fix it 50792, before installing the updates released today, I recommend disabling the Fix it.

      Direct download link:  Microsoft Fix it 50793


      Support

      The following additional information is provided in the Security Bulletin:
      • The affected software listed have been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your software version, visit Microsoft Support Lifecycle.
      • Customers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.
      • International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit International Help and Support.

      References

      • MSRC: The December Bulletins are Released
      • TechNet: Microsoft Security Bulletin Summary for December 2011




      Posted in FixIt, Microsoft, Security, Updates, Vulnerabilities | No comments

      Thursday, December 8, 2011

      Security Bulletin Advance Notification for December, 2011

      Posted on 3:12 PM by Unknown

      On Tuesday, December 13, 2011, Microsoft is planning to release fourteen (14) Security Bulletins, of which three bulletins are identified as Critical with the remaining as Important.

      The bulletins address vulnerabilities in Microsoft Windows, Microsoft Office (including Microsoft Office for Mac) and Internet Explorer.  Most updates will require a restart to complete the installation.

      References

      • MSRC Blog:  News from MAPP, and Advance Notification Service for the December 2011 Bulletin Release
      • TechNet: Microsoft Security Bulletin Advance Notification for December 2011



      Posted in Microsoft, Security, Updates, Vulnerabilities | No comments

      Tuesday, December 6, 2011

      Windows Defender Offline Beta, formerly Standalone System Sweeper

      Posted on 5:58 PM by Unknown
      Although the Microsoft Standalone System Sweeper is currently still available at Connect, it can now also be found as Windows Defender Offline Beta on the Microsoft Help & How-to web pages.

      Windows Defender Offline Beta Information

      • What is Windows Defender Offline Beta?
      • Windows Defender Beta:  frequently asked questions

      Related Articles

      • Setting Up the Microsoft Standalone System Sweeper Beta, Now Windows Defender Offline
      • Solve Microsoft Standalone System Sweeper Errors
      • How to Use the New Microsoft Safety Scanner
      • Understanding Microsoft Anti-Malware Software 2012




      Posted in AntiVirus, malware, Microsoft, Security, tutorial | No comments

      Security Advisory for Adobe Reader and Acrobat (APSA11-04)

      Posted on 2:37 PM by Unknown


      Adobe released a Security Advisory (APSA11-04) which references a critical vulnerability in Adobe Reader X and Adobe Acrobat X (10.1.1) and earlier versions for all platforms.

      The advisory concerns a memory corruption vulnerability which could cause a crash and potentially allow an attacker to take control of the affected system.  Adobe indicates that there are reports that the vulnerability is being actively exploited in the wild in limited, targeted attacks against Adobe Reader 9.x on Windows.

      An update for Adobe Reader and Acrobat 9.x only for Windows is expected no later than the week of December 12, 2011.  Adobe plans on updating all other versions as part of the next quarterly update scheduled for January 10, 2011.  According to Adobe, Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of this kind from executing.

      Alternatives

      Several years ago, I tired of Adobe Reader and switched to Sumatra PDF, an alternate PDF reader.  After I got past the bright yellow GUI, I found Sumatra PDF to be a nice, light-weight option with no unnecessary add-ons or toolbars.  There are a number of open source readers available from http://pdfreaders.org/.

      Advisory Details

      • Release date: December 6, 2011
      • Vulnerability identifier: APSA11-04
      • CVE number: CVE-2011-2462
      • Platform: All

      References

      • Security Advisory: Security Advisory for Adobe Reader and Acrobat
      • PSIRT Blog: Security Advisory for Adobe Reader and Acrobat (APSA11-04)




      Posted in Adobe, Advisory, Security, Vulnerabilities | No comments