SecurityGarden


Tuesday, January 31, 2012

Mozilla Firefox 10 Released, Includes Security Update

Posted on 3:17 PM by Unknown

Mozilla released Firefox 10 today, including a major update that will make both developers and Firefox users happy -- default compatibility of almost all add-ons.

Although default compatibility of add-ons will make a lot of people happy, this change is "prioritized as a P1 and part of achieving 'silent update'" as indicated in the "Add-ons Default to Compatible" feature tracking entry in the Mozilla Wiki.

Security Update

"Title: Frame scripts calling into untrusted objects bypass security checks
Impact: Critical
Announced: January 31, 2012

Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 10.0, Thunderbird 10.0, SeaMonkey 2.7

Description:  Mozilla security researcher moz_bug_r_a4 reported that frame scripts bypass XPConnect security checks when calling untrusted objects. This allows for cross-site scripting (XSS) attacks through web pages and Firefox extensions. The fix enables the Script Security Manager (SSM) to force security checks on all frame scripts."

What's New

The Release Notes list the new and fixed features in version 10.  The numerous bug fixes are listed at the Bug Fixes link in References.
  • NEW -- The forward button is now hidden until you navigate back
  • NEW -- Most add-ons are now compatible with new versions of Firefox by default
  • NEW -- Anti-Aliasing for WebGL is now implemented (see bug 615976)
  • NEW -- CSS3 3D-Transforms are now supported (see bug 505115)
  • HTML5 -- New element for bi-directional text isolation, along with supporting CSS properties (see bugs 613149 and 662288)
  • HTML5 -- Full Screen APIs allow you to build a web application that runs full screen (see the feature page)
  • DEVELOPER -- We've added IndexedDB APIs to more closely match the specification
  • DEVELOPER -- Inspect tool with content highlighting, includes new CSS Style Inspector
  • FIXED -- Mac OS X only - after installing the latest Java release from Apple, Firefox may crash when closing a tab with a Java applet installed (700835)
  • FIXED -- Some users may experience a crash when moving bookmarks (681795)

    Known Issues

    • Two-digit browser version numbers may cause a small number of website incompatibilities (see 690287)
    • If you try to start Firefox using a locked profile, it will crash (see 573369)
    • For some users, scrolling in the main GMail window will be slower than usual (see 579260)
    • Some synaptic touch pads are unable to vertical scroll (see 622410)
    • Firefox notifications may not work properly with Growl 1.3 or later (see 691662)
    • Under certain conditions, scrolling and text input may be jerky (see 711900)
    • Silverlight video may not play on some Macintosh hardware (see 715396)

    The upgrade to Firefox 10 will be offered through the browser update mechanism.  However, as the upgrade includes a critical security update as well as many bug fixes, it is recommended that the update be applied as soon as possible.  To get the update now, select Help, About Firefox, Check for Updates.

    If you do not use the English language version, Fully Localized Versions are available for download.

    References

    • Common questions after updating Firefox
    • Mozilla Firefox Release Notes
    • Security Advisory MFSA 2012-05
    • Bug Fixes 



    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...


    Posted in Browser, Firefox, Security, Updates | No comments

    Monday, January 30, 2012

    When imitation isn’t a form of flattery

    Posted on 3:12 PM by Unknown
    Rogues (fake antivirus programs) have been around for many years.  Members of the security community and people who have been on the Internet for a number of years will recall the various "SpyAxe", "SpyTrooper" and associated rogues in 2005, for whose removal we relied so heavily on the smitRem tool developed by "noahdfear".

    Over the years, the rogues have evolved, many with rootkit components.  Just like clever phishing e-mails, the rogues are also very convincing with legitimate-looking windows as they attempt to convince people to fork over hard-earned money in order to "clean" the infected computer.

    Today, we are faced with not only rogues imitating Microsoft security software but also scammers telephoning unsuspecting people, attempting to obtain remote access to their computer.  These scammers misrepresent themselves as calling on behalf of Microsoft or as Microsoft technicians.

    As illustrated in When imitation isn’t a form of flattery, by Jasmine Sesso, MMPC Melbourne, Microsoft is not only adding the rogues to detection but also warning customers that Microsoft will NEVER call anyone to tell them that their computer is infected.  As clarified in the article:
    • "Our consumer products, namely Microsoft Security Essentials, Safety Scanner and Windows Defender are available to all genuine Windows users for free. That's right – we offer these products at no cost! So please, do not enter your credit card details into a program that looks like one of ours, as this is most likely a rogue.
    • We do not pop up on your screen every 30 seconds, minute, 90 seconds, etc. Rogues, however, will pester you and pester you until you either a) click OK and concede to buy their malicious program, or b) remove them once and for all with a reputable antivirus.
    • Microsoft will never cold-call a user. Ever. If you receive one of these phone calls, hang up."
    Note:  Never click on the rogue pop-up window.  Even attempting to close the window by clicking the "X" will result in giving permission to continue with the installation.  Instead, use the keyboard command Alt + F4 to close the window.  Follow with an updated scan with your onboard antivirus software.

    Please also note this excellent advice included in the article:

    "We will continue to fight the good fight, and do what we can to prevent the spread of malicious programs; but in the meantime, stay safe online, and think twice before handing over your credit card details to a third party you cannot verify – like one displaying pop-ups, or on the end of an unsolicited phone call."
    Read the full article on the MMPC Blog: When imitation isn’t a form of flattery.



    Posted in Microsoft, safety, Security | No comments

    Wednesday, January 25, 2012

    Data Privacy Day 2012

    Posted on 5:19 PM by Unknown
    Data Privacy Day is an annual international celebration designed to promote awareness about privacy and education about best privacy practices.

    The 2012 international celebration of Data Privacy Day is scheduled for January 28. 


    Why the concern about privacy?


    What may begin as a casual Facebook update or an innocuous tweet could easily come back to haunt you down the road.  Unlike writing something on the bathroom wall, which can be easily painted over, what we do online is permanent.  This includes status updates or comments on a friend's wall in Facebook, tweets, e-mail and online chats.

    All of these online activities contribute to your online reputation -- a reputation that can impact being accepted to the college or university of your choice or a future employment opportunity.

    Disclosing too much information online can also lead to identity theft, resulting in the loss of personal data, such as passwords, user names, banking information, or credit card numbers.

    Protect Your Privacy

    Take steps now to protect your privacy.  

    Don't share too much personal information online.  Having your date of birth, address, where you went to school, mother's maiden name, and other personal information available to the public is the first step to identity theft.

    The public does not need to know every location you "check-in" to via your smart phone and neither do the burglars! 

    Take advantage of the enhanced security and privacy features available in the browser you use.  (See my article, Internet Explorer 9, Privacy and Security Enhancements, for tips on protecting your privacy and security.) 

    Use caution accepting friend requests in social media venues such as Facebook.  Just because someone sends a friend request, it is not necessary to accept it.  Be certain the person is someone known to you.

    Parents need to monitor the online activities of their children.

    Resources

    Take advantage of the helpful resources below which include information on privacy settings for Microsoft products and excellent advice from Sophos on Facebook privacy.
    • Microsoft Press Pass: Microsoft Provides Tips to Help Protect Your Online Image
    • Microsoft Privacy: Privacy Settings and Technology
    • Sophos: Facebook Security - Best Practices For Protecting Yourself On Facebook
    • Sophos, Naked Security: Facebook’s ticker privacy scare, and what you should do about it
    • Stay Safe Online: Data Privacy Day
    • The Washington Post: Google tracks consumers’ online activities across products, and users can’t opt out

    Related:  Data Privacy



    Posted in Privacy, Security | No comments

    Thursday, January 19, 2012

    To My "Other" Girl

    Posted on 9:01 PM by Unknown




    Happy Birthday,
         Nickerbee!

    A special person in my life is officially a teenager!

    Happy Birthday, Sweetheart!






    (It seems like yesterday I sent the same wishes to my other girl.  Time certainly flies!)





    Posted in General | No comments

    Tuesday, January 10, 2012

    Adobe Reader and Acrobat Critical Security Updates

    Posted on 2:55 PM by Unknown

    Adobe released critical security updates addressing vulnerabilities in Adobe Reader and Adobe Acrobat.  These are memory and heap corruption vulnerabilities which could cause a crash and potentially allow an attacker to take control of the affected system.

    Acrobat and Reader users can update to the latest version using the built-in updater, by clicking “Help” and then “Check for Updates.” The Adobe Reader update for Windows is available from http://www.adobe.com/products/reader/.  Even better is the FTP download site:  ftp://ftp.adobe.com/pub/adobe/reader/win/10.x/10.1.2/ with no risk of add-ons.

    The next quarterly security updates for Adobe Reader and Acrobat are currently scheduled for April 10, 2012.

    Release Details

    • Release date: January 10, 2012
    • Vulnerability identifier: APSB12-01
    • CVE numbers: CVE-2011-2462, CVE-2011-4369, CVE-2011-4370, CVE-2011-4371, CVE-2011-4372, CVE-2011-4373
    • Platform: Windows and Macintosh

      Affected Software Versions

      • Adobe Reader X (10.1.1) and earlier 10.x versions for Windows and Macintosh
      • Adobe Reader 9.4.7 and earlier 9.x versions for Windows
      • Adobe Reader 9.4.6 and earlier 9.x versions for Macintosh
      • Adobe Acrobat X (10.1.1) and earlier 10.x versions for Windows and Macintosh
      • Adobe Acrobat 9.4.7 and earlier 9.x versions for Windows
      • Adobe Acrobat 9.4.6 and earlier 9.x versions for Macintosh


      References

      • Security Advisory: Security updates available for Adobe Reader and Acrobat
      • PSIRT Blog: Security updates released for Adobe Reader and Acrobat (APSB12-01)




      Posted in Adobe, Security, Updates, Vulnerabilities | No comments

      Microsoft January 2012 Security Bulletin Release

      Posted on 12:51 PM by Unknown

      Microsoft released seven (7) security bulletins, one of which is rated Critical in severity, with the remaining six classified as Important.

      The bulletins address vulnerabilities in Microsoft Windows and Microsoft Developer Tools And Software.  Most updates will require a restart to complete the installation.


      The security bulletin withdrawn last month after Microsoft discovered a compatibility issue between the bulletin-candidate addressing Security Advisory 2588513 and a major third-party vendor has been included in the release as MS12-006, "Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584)". 

      Security Bulletins

      Bulletin Number   Bulletin Title                          Bulletin KB
      MS12-001          Vulnerability in Microsoft Windows      2644615
      MS12-002          Vulnerability in Microsoft Windows      2603381
      MS12-003          Vulnerability in Microsoft Windows      2646524
      MS12-004          Vulnerabilities in Microsoft Windows    2636391
      MS12-005          Vulnerability in Microsoft Windows      2584146
      MS12-006          Vulnerability in Microsoft Windows      2643584
      MS12-007          Vulnerability in Microsoft ASP.NET      2607664


      Support

      The following additional information is provided in the Security Bulletin:
      • The affected software listed have been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your software version, visit Microsoft Support Lifecycle.
      • Customers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.
      • International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit International Help and Support.

      References

      • MSRC: January 2012 Security Bulletins Released
      • TechNet: Microsoft Security Bulletin Summary for January 2012
      • Security Research and Defense:  More information on MS12-004
      • Security and Safety Center:  Microsoft security updates for January 2012 




      Posted in Microsoft, Security, Updates, Vulnerabilities | No comments

      Thursday, January 5, 2012

      Security Bulletin Advance Notification for January, 2012

      Posted on 11:09 AM by Unknown

      On Tuesday, January 10, 2012, Microsoft is planning to release seven (7) Security Bulletins, of which one bulletin is identified as Critical with the remaining as Important.

      The bulletins address vulnerabilities in Microsoft Windows and Microsoft Developer Tools And Software.  Most updates will require a restart to complete the installation.

      Note from the Advance Notification that Bulletin 2, identified as Important, addresses a "Security Feature Bypass" in Microsoft Windows.  As indicated by the MSRC Blog, Security Feature Bypass (SFB) class issues cannot be leveraged by an attacker in themselves; rather, a would-be attacker would use such issues to facilitate use of another exploit.  Further information is expected to be available in the SRD blog following the release of the update.

      References

      • MSRC Blog:  January 2012 ANS is released
      • TechNet: Microsoft Security Bulletin Advance Notification for January 2012



      Posted in Microsoft, Security, Updates, Vulnerabilities | No comments

      Sunday, January 1, 2012

      2012 Microsoft® MVP Award

      Posted on 4:05 PM by Unknown








      Dear Corrine Chorney,

      Congratulations! We are pleased to present you with the 2012 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Consumer Security technical communities during the past year.

      ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

      Starting off the New Year with notice of being re-awarded as Microsoft® MVP is certainly a great way to begin the year! 

      Wishing family, friends and Security Garden readers a happy and healthy 2012!


      Posted in General, MVP | No comments