August 2012 ~ SecurityGarden

Thursday, August 30, 2012

Critical Java Security Update

Posted on 2:14 PM by Unknown

Oracle released an out-of-band security update for Java SE. Security Alert CVE-2012-4681 addresses three distinct but related critical vulnerabilities and one security-in-depth issue affecting Java running in desktop browsers.

These vulnerabilities may be remotely exploitable without authentication. In other words, the vulnerabilities may be exploited over a network without the need for a username and password merely by visiting a malicious web page with an unpatched version of Java.

Affected versions:

JDK and JRE 7 Update 7 and earlier
JDK and JRE 6 Update 34 and earlier

It is strongly recommended that the update be applied as soon as possible due to the threat posed by a successful attack.

Although Java is not required (See Do You Need Java?), if you do have Java installed on your computer, it is advisable to install the latest update. It is also advised that all prior (and vulnerable) versions of Java SE be uninstalled from your computer.

Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml

Download Information

Now that Java SE 7 has been officially released, it is recommended that users of Java SE 6 upgrade to the latest version. When you upgrade from Java SE 6 to Java SE7 please check installed program files and remove all versions of Java SE 6.

As of this posting, Java SE 7u7 is only available from this link: http://java.com/en/download/index.jsp

Verify your version: http://www.java.com/en/download/testjava.jsp

Note: UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.

Critical Patch Updates

For Oracle Java SE Critical Patch Updates, the next scheduled dates are:

16 October 2012
19 February 2013

References

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Java, Security, Updates, Vulnerabilities | No comments

Tuesday, August 28, 2012

Firefox 15 Release Includes Critical Security Updates

Posted on 4:37 PM by Unknown

Firefox 15 was sent to the release channel today by Mozilla. Included in the update are seven (7) critical, six (6) high, and three (3) moderate security updates.

Based on the extensive list of security updates, it is recommended that the update be applied as soon as possible.

Please also note that the release of Firefox 15 includes the completion of the inclusion of silent updates.

Security Updates Fixed in Firefox 15

MFSA 2012-72 Web console eval capable of executing chrome-privileged code
MFSA 2012-71 Insecure use of __android_log_print
MFSA 2012-70 Location object security checks bypassed by chrome code
MFSA 2012-69 Incorrect site SSL certificate data display
MFSA 2012-68 DOMParser loads linked resources in extensions when parsing text/html
MFSA 2012-67 Installer will launch incorrect executable following new installation
MFSA 2012-66 HTTPMonitor extension allows for remote debugging without explicit activation
MFSA 2012-65 Out-of-bounds read in format-number in XSLT
MFSA 2012-64 Graphite 2 memory corruption
MFSA 2012-63 SVG buffer overflow and use-after-free issues
MFSA 2012-62 WebGL use-after-free and memory corruption
MFSA 2012-61 Memory corruption with bitmap format images with negative height
MFSA 2012-60 Escalation of privilege through about:newtab
MFSA 2012-59 Location object can be shadowed using Object.defineProperty
MFSA 2012-58 Use-after-free issues found using Address Sanitizer
MFSA 2012-57 Miscellaneous memory safety hazards (rv:15.0/ rv:10.0.7)

What's New

The Release Notes include new and fixed features in version 15. The huge list of Bug Fixes are in the link available in the References below.

NEW -- Silent, background updates
NEW -- Support for SPDY networking protocol v3
NEW -- WebGL enhancements, including compressed textures for better performance
NEW -- Localization in Maithili (see all available locales)
CHANGED -- Optimized memory usage for add-ons
DEVELOPER -- JavaScript debugger integrated into developer tools
DEVELOPER -- New layout view added to Inspector
DEVELOPER -- High precision event timer implemented
DEVELOPER -- The CSS word-break property has been implemented.
DEVELOPER -- New responsive design tool allows web developers to switch between desktop and mobile views of sites
HTML5 -- Native support for the Opus audio codec added
HTML5 -- The audio and video eleents now support the played attribute
HTML5 -- The element now supports the media attribute
FIXED -- Focus rings keep growing when repeatedly tabbing through elements (720987)

Known Issues

Unresolved -- Debugger breakpoints do not catch on page reload (see 783393) Note, in Resolved in v16
Unresolved -- If you try to start Firefox using a locked profile, it will crash (see 573369)
Unresolved -- For some users, scrolling in the main GMail window will be slower than usual (see 579260)
Unresolved -- Windows: The use of Microsoft's System Restore functionality shortly after updating Firefox may prevent future updates (see 730285)

Update

To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox." Mac users need to select "About Firefox" from the Firefox menu.

If you do not use the English language version, Fully Localized Versions are available for download.

References

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Firefox, Security, Updates, Vulnerabilities | No comments

Tuesday, August 21, 2012

Adobe Flash Player Security Update (again!)

Posted on 1:40 PM by Unknown

Only a week has passed since the last Adobe Flash Player security update and another has been released.

Adobe Flash Player was updated to address security vulnerabilities. These updates address a vulnerability that could cause the application to crash and potentially allow an attacker to take control of the affected system.

Update Information

The newest version for Windows and Macintosh is 11.4.402.265. For Linux, the newest version is 11.2.202.238.

Release date: August 21, 2012
Vulnerability identifier: APSB12-19
Priority: Critical for Windows, Important for Macintosh.
CVE number: CVE-2012-4163, CVE-2012-4164, CVE-2012-4165, CVE-2012-4166, CVE-2012-4167, CVE-2012-4168
Platform: All Platforms

Flash Player Update Instructions

Flash Player for Windows, Macintosh, Linux and Solaris

Although Adobe suggests downloading the update from the Adobe Flash Player Download Center or by using the auto-update mechanism within the product when prompted, if you prefer, direct download links are available.

Flash Player For Internet Explorer: http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_active_x.exe
Non-IE (Opera, Firefox, Etc.): http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_plugin.exe
Flash Player Uninstaller: http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe

Notes:

Users of Adobe AIR 3.3.0.3670 for Windows and Macintosh should update to Adobe AIR 3.4.0.2540.
Beginning with Adobe Flash Version 11.3, the universal 32-bit installer will include the 32-bit and 64-bit versions of the Flash Player.
If you use the Adobe Flash Player Download Center, be careful to uncheck the optional McAfee Security Plus box. It is not needed for the Flash Player update.
Uncheck any toolbar offered with Adobe products if not wanted.
If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.

Adobe Flash Player for Android

The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu.

Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

References

Adobe Priority Ratings
Adobe Security Advisory: Security update available for Adobe Flash Player
Release Notes: Flash Player® 11.4 AIR® 3.4

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Adobe, Security, Updates, Vulnerabilities | No comments

Sunday, August 19, 2012

WinPatrol PLUS or Family Pack 30% Discount Coupon

Posted on 5:30 PM by Unknown

Friends and Security Garden readers know that WinPatrol is my favorite program. The list of WinPatrol features below illustrate why I wouldn't surf without Scotty watching my back.

My friend and fellow Microsoft MVP and WinPatrol developer, Bill Pytlovany, has created a special coupon for use by readers of my blog, Twitter followers, Facebook and forum friends. The coupon provides a 30% discount on either the regularly priced single $29.95 WinPatrol PLUS license or the $49.95 Family Pack.

If you are new to WinPatrol or have been putting off investing in a WinPatrol PLUS license, the SecurityGarden 30% discount coupon will be good through the end of August.

For those not interested in the PLUS version, new users can download the free version of WinPatrol from http://www.winpatrol.com/download.html.

To take advantage of the SecurityGarden 30% discount coupon, follow the links below.

Credit Card Orders: Click Here and select the link for WinPatrol PLUS or the WinPatrol PLUS Super Family Pack.

PayPal Orders: Click Here and complete the portion for WinPatrol PLUS or the WinPatrol PLUS Super Family Pack.

Coupon Code: SecurityGarden

WinPatrol Features

WinPatrol Free and WinPatrol PLUS:
• Detect and Review New Auto-Startup Programs
• Alerted to New Browser Add-Ons like BHO's and Tool Bars
• Alerts to newly installed Window Services
• Alerts to creation of Scheduled Tasks
• Alerts and Locks Changes to File Type Associations
• Alerts to newly registered ActiveX components
• Alerts to changes in IE Home and Search pages
• Alerts you to changes in the Windows HOST File
• Lets you know if your Auto Update or UAC settings change
• Add/Remove and Review Auto-Start up Programs
• Automatically Disable Reoccurring Start up Programs
• Delay Auto-Start up programs for quick boot up
• Review and Remove unwanted Scheduled Tasks
• Remove Unwanted Browser Add-Ons like BHO's and Tool Bars
• Review, Display and Kill Multiple Running Tasks with a single click
• Review, Stop and Control Window Services
• Manage and Automatically Remove Unwanted Cookies
• Review and Edit your Windows HOST File
• Review and Remove Hidden Files
• Track Date/Time when programs are first detected on your system
• Multiple System Report Options
• Advanced Examination of HIDDEN Registry Start up Keys
• Start Program Removed Detection

WinPatrol PLUS:
• Access to WinPatrol PLUS Knowledgebase (24/7)
• Real-time Infiltration Detection
• Increased PLUS Performance
• Automatically respond and/hide specific alerts.
• Review and Remove ActiveX components
• Custom Registry Monitoring and Reg Locking
• Access to WinPatrol Cloud results
• Uninstall Detection

WinPatrol PLUS includes:
• One Time fee includes free upgrade for ALL future WinPatrol versions.
• No Hidden or Reoccurring Subscription Fees.
• Single License valid on all your personal desktops and laptops!
• No Toolbars or other unwanted software
• WinPatrol PLUS is quicker and faster.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in WinPatrol | No comments

Tuesday, August 14, 2012

Critical Security Update for Adobe Flash Player

Posted on 11:40 AM by Unknown

Adobe Flash Player was updated to address critical security vulnerabilities. These updates address a vulnerability that could cause the application to crash and potentially allow an attacker to take control of the affected system.

There are reports that the vulnerability is being exploited in the wild in limited targeted attacks, distributed through a malicious Word document. The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows.

Update Information

The newest version for Windows, Macintosh and Linux is 11.3.300.271.

Release date: August 14, 2012
Vulnerability identifier: APSB12-18
Priority: Critical
CVE number: CVE-2012-1535
Platform: Windows, Macintosh and Linux

Flash Player Update Instructions

Flash Player For Internet Explorer: http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_active_x.exe
Non-IE (Opera, Firefox, Etc.): http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_plugin.exe
Flash Player Uninstaller: http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe

Notes:

Beginning with Adobe Flash Version 11.3, the universal 32-bit installer will include the 32-bit and 64-bit versions of the Flash Player.
If you use the Adobe Flash Player Download Center, be careful to uncheck the optional McAfee Security Plus box. It is not needed for the Flash Player update.
Uncheck any toolbar offered with Adobe products if not wanted.
If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.

Adobe Flash Player for Android

Adobe Flash Player for Android is not affected by the vulnerability addressed in this update.

The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.

Verify Installation

References

Adobe Priority Ratings
Adobe Security Advisory: Security update available for Adobe Flash Player
Adobe PSIRT Blog: Adobe Security Bulletins Posted
Release Notes | Flash Player 11.3 AIR 3.3

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Adobe, Security, Updates, Vulnerabilities | No comments

Adobe Reader and Acrobat Critical Security Upates

Posted on 11:25 AM by Unknown

Adobe released critical security updates addressing vulnerabilities in Adobe Reader and Adobe Acrobat.

The updates address vulnerabilities in the software that could cause the application to crash and potentially allow an attacker to take control of the affected system.

Acrobat and Reader users can update to the latest version using the built-in updater, by clicking “Help” and then “Check for Updates.” The Adobe Reader update for Windows is available from http://www.adobe.com/products/reader/. Even better to use is the FTP download site: ftp://ftp.adobe.com/pub/adobe/reader/win/10.x/10.1.4/ with no risk of add-ons.

Release Details

Release date: August 14, 2012
Vulnerability identifier: APSB12-16
Priority rating: Critical
CVE numbers: CVE-2012-1525, CVE-2012-2049, CVE-2012-2050, CVE-2012-2051, CVE-2012-4147, CVE-2012-4148, CVE-2012-4149, CVE-2012-4150, CVE-2012-4151, CVE-2012-4152, CVE-2012-4153, CVE-2012-4154, CVE-2012-4155, CVE-2012-4156, CVE-2012-4157, CVE-2012-4158, CVE-2012-4159, CVE-2012-4160, CVE-2012-4161, CVE-2012-4162
Platform: Windows and Macintosh

Affected software versions

Adobe Reader X (10.1.3) and earlier 10.x versions for Windows and Macintosh
Adobe Reader 9.5.1 and earlier 9.x versions for Windows and Macintosh
Adobe Acrobat X (10.1.3) and earlier 10.x versions for Windows and Macintosh
Adobe Acrobat 9.5.1 and earlier 9.x versions for Windows and Macintosh

References

Security Advisory: Security updates available for Adobe Reader and Acrobat
PSIRT Blog: Adobe Security Bulletins Posted

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Adobe, Security, Updates, Vulnerabilities | No comments

Microsoft August 2012 Security Bulletin Release

Posted on 10:43 AM by Unknown

Microsoft released nine (9) bulletins, of which five bulletins are identified as Critical and the remaining four as Important. All but one bulletin are related to Remote Code Execution and will require a restart.

The bulletins address twenty-six vulnerabilities in Microsoft Windows, Internet Explorer, Exchange Server, SQL Server, Server Software, Developer Tools, and Office.

Note: MS12-043 (Microsoft XML Core Services) was re-released again this month with additional updates for Microsoft XML Core Services 5.0. The re-release does not affect the previous updates for versions 3.0, 4.0, and 6.0.

Security Bulletins

Bulletin Number	Bulletin Title	Bulletin KB
MS12-052	Cumulative Security Update for Internet Explorer	2722913
MS12-053	Vulnerability in Microsoft Windows	2723135
MS12-054	Vulnerabilities in Microsoft Windows	2733594
MS12-055	Vulnerability in Microsoft Windows	2731847
MS12-056	Vulnerability in Microsoft Windows	2706045
MS12-057	Vulnerability in Microsoft Office	2731879
MS12-058	Vulnerabilities in Microsoft Windows	2733829
MS12-059	Vulnerability in Microsoft Office	2733918
MS12-060	Vulnerabilities in Microsoft Windows	2720573

Support

The following additional information is provided in the Security Bulletin:

The affected software listed have been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your software version, visit Microsoft Support Lifecycle.
Security solutions for IT professionals: TechNet Security Troubleshooting and Support
Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center
Local support according to your country: International Support

References

MSRC: August 2012 Bulletin Release
TechNet: Microsoft Security Bulletin Summary for August 2012
Security and Safety Center: Microsoft security updates for Augsut 2012

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Microsoft, Security, Updates, Vulnerabilities | No comments

Friday, August 10, 2012

Gauss: Kaspersky Discovery, Analysis and Removal Tool

Posted on 3:42 PM by Unknown

First came Stuxnet, Duqu and then Flame. The latest is Gauss. Although Gauss is less sophisticated than Flame, it is a data-stealing banking trojan having already obtained data from the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. Citibank and PayPal users are also reported as being targeted.

As described on Securelist in Gauss: Nation-state cyber-surveillance meets banking Trojan:

"In 140 chars or less, “Gauss is a nation state sponsored banking Trojan which carries a warhead of unknown designation”. Besides stealing various kinds of data from infected Windows machines, it also includes an unknown, encrypted payload which is activated on certain specific system configurations "

The majority of Kaspersky customers who have been found to be infected with Gauss are located in Lebanon. Others are in Israel and Palestine with a few in the U.S., UAE, Qatar, Jordan, Germany and Egypt.

A quick check to determine if your computer is infected with Gauss is available from CrySyS at http://gauss.crysys.hu. The free Kaspersky Virus Removal Tool can be used to remove Dauss from your computer.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in malware, Security | No comments

Thursday, August 9, 2012

Security Bulletin Advance Notice for August 2012

Posted on 10:25 AM by Unknown

On Tuesday, August 14, 2012, Microsoft is planning to release nine (9) bulletins, of which five bulletins are identified as Critical and the remaining four as Important. All but one bulletin are related to Remote Code Execution and will require a restart.

The Critical security bulletins address ten vulnerabilities in Microsoft Windows, Internet Explorer, Exchange, SQL Server, Server Software, and Developer Tools. The bulletin for Exchange will address the issue first described in Security Advisory 2737111. The four bulletins that have been rated as Important will address vulnerabilities in Windows and Microsoft Office.

As happens each month, Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

References

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Microsoft, Security, Updates, Vulnerabilities | No comments

Tuesday, August 7, 2012

Windows Essentials 2012

Posted on 7:18 PM by Unknown

Microsoft has released Windows Essentials 2012 which includes new versions of Movie Maker and Photo Gallery for Windows 7 and Windows 8. Details about the new features in Movie Maker and Photo Gallery are available in the Windows Experience Blog, Introducing the New Windows Photo Gallery and Movie Maker.

Windows Essentials 2012 includes the new SkyDrive for Windows app as well as Windows Live Mail, Windows Live Family Safety, Windows Live Writer, Windows Live Messenger, Outlook Connector Pack and Windows Photo Gallery and Windows Movie Maker.

Windows Live Mesh and SkyDrive

If you install Windows Essentials 2012, it is important to note that if you have Windows Live Mesh installed, it will automatically be removed if you install the new Movie Maker or Photo Gallery. In its place Microsoft SkyDrive will be installed. Microsoft has specified that if the new Movie Maker and/or Photo Gallery in Windows Essentials 2012 are installed, you can not have Windows Live Mesh on the same PC.

In order to sync folders from the cloud to all of your PCs, it will then be necessary to install SkyDrive on all of your PCs or Macs. (Windows Live Mesh continues to be available from the Download Center: Windows Live Essentials.)

Know the Difference

The important thing to keep in mind is the one major difference between Windows Live Mesh and SkyDrive. With SkyDrive, all files are "in the cloud". Unless you update to Windows Essentials 2012 and install the new Movie Maker and/or Photo Gallery, with Windows Live Mesh, you can also have files in the cloud but you can also avoid the cloud and just sync files across PCs/Mac.

Microsoft has provided excellent step-by-step instructions for both Windows Live Mesh and SkyDrive in the articles linked below.

References:

Windows Live Mesh

Sky Drive

Download: Windows Essentials 2012 (Web install)

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Microsoft, Microsoft Apps, SkyDrive, Windows 7, Windows 8, Windows Live | No comments