October 2012 ~ SecurityGarden

Friday, October 26, 2012

Firefox 16.0.2 Released to Fix Critical Security Issue

Posted on 3:54 PM by Unknown

Mozilla released version 16.0.2 to address a critical security issue which, if unfixed, could be combined with some plugins to perform a cross-site scripting (XSS) attack on users.

Security Update Fixed in Firefox 16.0.2

MFSA 2012-90 Fixes for Location object issues

Update

To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox." Mac users need to select "About Firefox" from the Firefox menu.

If you do not use the English language version, Fully Localized Versions are available for download.

References

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Firefox, Security, Updates, Vulnerabilities | No comments

Thursday, October 25, 2012

WinPatrol PLUS for 99 Cents (Limited Time)

Posted on 10:30 AM by Unknown

If you missed other opportunities to purchase a WinPatrol PLUS license for 99 cents, this may be your last chance. Although Bill Pytlovany is once again providing this wonderful opportunity, he expects it will be the last.

The special is available now through Friday, ~~October 25, 2012.~~ October 26, 2012 (thanks, Kosh!). Each 99 cent license is good for a single machine, although you can indeed order multiple licenses. A single activation code will be created per order. The name/code combination can be used on each machine.

NOTE: Bill told me that many people are not waiting or clicking continue to get their PLUS code after making the purchase. Although Bill can get it for you, there will be a delay while he processes the e-mail and tracks down the code. So, please wait for the code!!!

If you already have the free version of WinPatrol installed, all you need do is launch WinPatrol and click the About/PLUS tab. Just enter your new PLUS code and the PLUS features will automatically be activated!!!

If you do not have WinPatrol installed, you can download it at the time of purchasing the PLUS code or just go to WinPatrol.com and download it. You'll download the "free" version and then add your PLUS code after installing it.

Its that simple!

As always with your WinPatrol PLUS license, the 99 cent license is transferable if you get a new computer.

If you are new to WinPatrol or a long-time supporter of this great software program, we're happy to help with WinPatrol questions at LandzDown in our WinPatrol Help & Information forum.

See Bill's post for additional information: WinPatrol® PLUS for 99 cents Best October News or head right to BillP Studios to place your order. Click on the link that looks like the copy below at http://www.billp.com/store.html:

PayPal Upgrade Option
Experimental Special

WinPatrol PLUS Only $0.99

One license per computer
One code for each order

Be sure to wait after payment for code creation page.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in WinPatrol | No comments

Wednesday, October 17, 2012

Oracle Java Quartely Security and Patch Update

Posted on 11:16 AM by Unknown

Oracle released security updates for its Java SE Runtime Environment software.

Oracle Java SE Critical Patch Update Advisory - October 2012 identifies the following affected product releases and versions:

Affected product releases and versions:

Java SE	Patch Availability
JDK and JRE 7 Update 7 and earlier	Java SE
JDK and JRE 6 Update 35 and earlier	Java SE
JDK and JRE 5.0 Update 36 and earlier	Java SE
SDK and JRE 1.4.2_38 and earlier	Java SE
JavaFX 2.2 and earlier	JavaFX

It is strongly recommended that the update be applied as soon as possible.

Although Java is not required (See Do You Need Java?), if you do have Java installed on your computer, it is advisable to install the latest update. It is also advised that all prior (and vulnerable) versions of Java SE be uninstalled from your computer.

Download Information

Now that Java SE 7 has been officially released, it is recommended that users of Java SE 6 upgrade to the latest version. When you upgrade from Java SE 6 to Java SE 7, please check installed program files and remove all versions of Java SE 6. The "end of life" date for Java SE 6 has been extended from July 2012 to February 2013, to allow additional time for businesses to transition to JDK 7.

Select Java SE 7u9 from http://java.com/en/download/inc/windows_new_xpi.jsp?locale=en

or Java SE 6 Update 37 from http://java.com/en/download/manual_v6.jsp

Verify your version: http://www.java.com/en/download/testjava.jsp

Note: UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.

Critical Patch Updates

For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:

19 February 2013
18 June 2013
15 October 2013

References

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Java, Security, Updates, Vulnerabilities | No comments

Monday, October 15, 2012

Adobe Reader and Acrobat Version XI Released

Posted on 11:41 AM by Unknown

Adobe released Version XI of both Adobe Reader and Adobe Acrobat which include new cloud services. This version of Adobe products is compatible with Windows 8.

System Requirements

1.3GHz or faster processor
Microsoft® Windows® XP with Service Pack 3 for 32 bit or Service Pack 2 for 64 bit; Windows Server® 2003 R2 (32 bit and 64 bit); Windows Server 2008 or 2008 R2 (32 bit and 64 bit); Windows 7 (32 bit and 64 bit); Windows 8 (32 bit and 64 bit)
256MB of RAM (512MB recommended)
320MB of available hard-disk space
1024x768 screen resolution
Internet Explorer 7, 8, 9, or 10; Firefox Extended Support Release; Chrome

Note: For 64-bit versions of Windows Server 2003 R2 and Windows XP (with Service Pack 2), Microsoft Update KB930627 is required.

Security Enhancements

Enhanced Protected Mode now includes data theft prevention capabilities
New Protected View implements a separate desktop and winstation for the UI, which provides an additional layer of defense
PDF Whitelisting Framework allows selective enablement of JavaScript for both Windows and Mac OS
Elliptic Curve Cryptography support for digital signatures

Download Adobe Reader

References

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Adobe, Security, Updates | No comments

Thursday, October 11, 2012

Mozilla Firefox Updated to 16.0.1 Due to Security Vulnerability

Posted on 4:46 PM by Unknown

Due to a critical security vulnerability, Firefox 16 was pulled from the release channel shortly after its release yesterday. The vulnerability has been addressed in the release of version 16.0.1. Also addressed were two bugs resulting in crashes.

For additional information, see the Mozilla Security Blog, Security Vulnerability in Firefox 16.

Security Updates Fixed in Firefox 16.0.1

MFSA 2012-89 default Value security checks not applied
MFSA 2012-88 Miscellaneous memory safety hazards (rv:16.0.1)

Update

References

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Firefox, Mozilla, Security, Updates, Vulnerabilities | No comments

Tuesday, October 9, 2012

Mozilla Firefox 16 Released, Includes Critical Security Updates

Posted on 3:36 PM by Unknown

UPDATE: Firefox 16 was pulled from the update channel. See the Mozilla Security Blog: Security Vulnerability in Firefox 16. Until the problems with version 16 are fixed, the previous version 15.0.1 can be downloaded from this direct link: Firefox 15.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Firefox 16 was sent to the release channel today by Mozilla. Included in the update are eleven (11) critical and three (3) high security updates.

Based on the extensive list of security updates, it is recommended that the update be applied as soon as possible.

Security Updates Fixed in Firefox 16

MFSA 2012-87 Use-after-free in the IME State Manager
MFSA 2012-86 Heap memory corruption issues found using Address Sanitizer
MFSA 2012-85 Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer
MFSA 2012-84 Spoofing and script injection through location.hash
MFSA 2012-83 Chrome Object Wrapper (COW) does not disallow acces to privileged functions or properties
MFSA 2012-82 top object and location property accessible by plugins
MFSA 2012-81 GetProperty function can bypass security checks
MFSA 2012-80 Crash with invalid cast when using instanceof operator
MFSA 2012-79 DOS and crash with full screen and history navigation
MFSA 2012-78 Reader Mode pages have chrome privileges
MFSA 2012-77 Some DOMWindowUtils methods bypass security checks
MFSA 2012-76 Continued access to initial origin after setting document.domain
MFSA 2012-75 select element persistance allows for attacks
MFSA 2012-74 Miscellaneous memory safety hazards (rv:16.0/ rv:10.0.8)

What's New

NEW -- Firefox on Mac OS X now has preliminary VoiceOver support turned on by default
NEW -- Initial web app support (Windows/Mac/Linux
NEW -- Acholi and Kazakh localizations added

The Release Notes include additional changes and fixed features in version 16. As with version 15, there the update includes a long list of Bug Fixes, referenced below.

Update

References

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Firefox, Mozilla, Security, Updates, Vulnerabilities | No comments

Microsoft Security Bulletin Release for October 2012

Posted on 12:33 PM by Unknown

Microsoft released seven (7) bulletins addressing 20 issues in Microsoft Windows, SQL Server, and Office including SharePoint, Lync, Microsoft Works and InfoPath. One bulletin is identified as Critical with the remaining six bulletins rated Important.

As indicated in the Advance Notice, the issues in FAST Search Server are addressed in the MS12-067, Security Advisory 2737111.

Also released today are the following Security Advisories:

Users of Microsoft Works are advised that this product reaches the end of its support lifecycle this week.

Support

The following additional information is provided in the Security Bulletin:

The affected software listed have been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your software version, visit Microsoft Support Lifecycle.
Security solutions for IT professionals: TechNet Security Troubleshooting and Support
Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center
Local support according to your country: International Support

References

MSRC: Welcome to the 1024-bit world and the October security updates
TechNet: Microsoft Security Bulletin Summary for October 2012
Security and Safety Center: Microsoft security updates for October 2012

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Microsoft, Security, Updates, Vulnerabilities | No comments

Monday, October 8, 2012

Critical Adobe Flash Player Update Released

Posted on 11:10 AM by Unknown

Adobe Flash Player was updated to address security vulnerabilities. These updates address a vulnerability that could cause the application to crash and potentially allow an attacker to take control of the affected system.

Note: For users of Internet Explorer 10, Microsoft updated Security Advisory 2755801. If you do not have Automatic Updates enabled, the Flash Player update can be downloaded from the Download Center at Update for Internet Explorer Flash Player for Windows 8 Release Preview (KB2758994).

See the MSRC Blog post at Security Advisory 2755801 addresses Adobe Flash Player issues for additional information regarding Adobe Flash Player updates to IE10.

November 6, 2012 Update: Security Advisory 2755801 revised to address Adobe Flash Player issues.

Update Information

The newest version for Windows and Macintosh is 11.4.402.287. For Linux, the newest version is 11.2.202.243.

Release date: October 8, 2012
Vulnerability identifier: APSB12-22
Priority: Critical
CVE numbers: CVE-2012-5248, CVE-2012-5249, CVE-2012-5250, CVE-2012-5251, CVE-2012-5252, CVE-2012-5253, CVE-2012-5254, CVE-2012-5255, CVE-2012-5256, CVE-2012-5257, CVE-2012-5258, CVE-2012-5259, CVE-2012-5260, CVE-2012-5261, CVE-2012-5262, CVE-2012-5263, CVE-2012-5264, CVE-2012-5265, CVE-2012-5266, CVE-2012-5267, CVE-2012-5268, CVE-2012-5269, CVE-2012-5270, CVE-2012-5271, CVE-2012-5272
Platform: All Platforms

Flash Player Update Instructions

Flash Player for Windows, Macintosh, Linux and Solaris

Although Adobe suggests downloading the update from the Adobe Flash Player Download Center or by using the auto-update mechanism within the product when prompted, if you prefer, direct download links are available.

Flash Player For Internet Explorer: http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_active_x.exe
Non-IE (Opera, Firefox, Etc.): http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_plugin.exe
Flash Player Uninstaller: http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe

Notes:

Users of Adobe AIR 3.3.0.3670 for Windows and Macintosh should update to Adobe AIR 3.4.0.2710.
Beginning with Adobe Flash Version 11.3, the universal 32-bit installer will include the 32-bit and 64-bit versions of the Flash Player.
If you use the Adobe Flash Player Download Center, be careful to uncheck the optional McAfee Security Plus box. It is not needed for the Flash Player update.
Uncheck any toolbar offered with Adobe products if not wanted.
If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.

Adobe Flash Player for Android

The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu.

Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

References

Adobe Priority Ratings
Adobe Security Advisory: Security updates available for Adobe Flash Player
Release Notes: Flash Player® 11.4 AIR® 3.4

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Adobe, IE10, Security, Updates, Vulnerabilities | No comments

Thursday, October 4, 2012

FTC Action Against Fake Tech Support Scams

Posted on 5:26 PM by Unknown

Since early in 2009, people have been harassed by telephone scams by telemarketers claiming to represent Microsoft and other vendors such as Dell, McAfee and Norton. The telemarketing scammers attempt to convince the call recipient that malware has been detected on their computer which they can, of course, remove for a hefty fee.

The attempted "proof of infection" is normal and generally harmless error messages in the Event Log, completely unrelated to any indication of infection.

With October being National Cyber Security Awareness Month, the timing of the announcement by the Federal Trade Commission (FTC) yesterday that, at FTC request, a U.S. District Court Judge ordered a halt to six alleged tech support scams pending further hearings and has frozen their assets (see October 3, 2012 List of Commission Actions) was ideal.

The United States has not been alone in being harassed by fake tech support scammers. Australian, Canadian and U.K. citizens have also been targets as has New Zealand and Ireland It was through the combined efforts of the Australian Communications Authority, Canadian Radio-television and Telecommunications Commission and United Kingdom’s Serious Organised Crime Agency that the FCC was able to take this action.

Knowledge is Key

Although the action by the FCC will most certainly help, the problem is not eliminated. Should you receive an unsolicited telephone all from someone purporting to be from Microsoft (or any other vendor), the best advice is to just hang up! Microsoft does not make this type telephone call.

In the event you have been tricked by one of these fake tech support scammers and logged on to a third-party website so they could remotely access your computer, malware may have been installed on your computer to allow remote access. This could have provided the scammers with access to steal personal and financial details from your computer. Update your antivirus software and complete a full system scan.

If you supplied credit card information, in addition to contacting your credit card company, notify the appropriate government agency:

Australia: scamwatch.gov.au
Canada: http://www.crtc.gc.ca/eng/info_sht/g9.htm
New Zealand: http://www.theorb.org.nz/
U.K.: http://www.actionfraud.police.uk/
U.S.: ftc.gov/complaint

Not only during National Cyber Security Awareness Month, but every day Stop | Think | Connect.

References

Australian Communications Authority (ACMA): ACMA media release 71/2012 – 4 October
Canadian Radio-television and Telecommunications Commission (CRTC): The CRTC takes action against telemarketers offering anti-virus software
FTC Halts Massive Tech Support Scams
FTC Combats Tech Support Scams | OnGuard Online
Microsoft Imposter Scam
Microsoft Security: Fraudulent Emails and Credit Card Scam Tips
Microsoft Security: Avoid Phone Scams | Cybercriminal Tech Support Scam | Security Threats
Tech Support Scams | OnGuard Online
United Kingdom’s Serious Organised Crime Agency (SOCA): SOCA
Microsoft Community: Who are my tech gurus? Are they bone fide Microsoft support

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Fraud, Microsoft, NCSAM, Security | No comments

Security Bulletin Advance Report for October 2012

Posted on 10:58 AM by Unknown

On Tuesday, October 9, 2012, Microsoft is planning to release seven (7) bulletins.

One bulletin is identified as Critical and addresses vulnerabilities in Microsoft Word. The remaining six bulletins are rated Important and will address issues in Windows, Microsoft Office, and SQL Server. The release will also address the issue in FAST Search Server (see Security Advisory 2737111.

As indicated last month, Security Advisory 2661254 (Update For Minimum Certificate Key Length) will be added to Automatic Updates. This update requires that RSA key lengths be a minimum of 1024 bits.

As happens each month, Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

References

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Microsoft, Security, Updates, Vulnerabilities | No comments

Monday, October 1, 2012

2012 National Cyber Security Awareness Month

Posted on 2:00 AM by Unknown

Once again October is dedicated as National Cyber Security Awareness Month in both the United States and Canada. Although the National Cyber Security Alliance is celebrating its 10th anniversary, 2012 marks the ninth year of the National Cyber Security Awareness Month.

The most important message home computer users can get from National Security Awareness Month is Stop | Think | Connect:

"STOP: Before you use the Internet, take time to understand the risks and learn how to spot potential problems.

THINK: Take a moment to be certain the path ahead is clear. Watch for warning signs and consider how your actions online could impact your safety, or your family’s.

CONNECT: Enjoy the Internet with greater confidence, knowing you’ve taken the right steps to safeguard yourself and your computer.

Protect yourself and help keep the web a safer place for everyone."

Identity theft is a serious issue and is a major reason why it is important to Stop | Think | Connect. With the popularity of social networking sites (i.e., Facebook and Twitter), it is all the more important to be cautious about the personal information shared in those and other venues.

If you shop online, conduct online banking, use public computers or a mobile phone, please take some time to review the recommendations on the Microsoft Online Safety & Privacy pages.

Although not particularly sophisticated, the information and tips provided with the Online Identity Risk Calculator are spot on. All it takes to calculate your personal identity risk score, is to answer 10 questions about your online activity and how it can make you more vulnerable to identity theft as well as fraud.

I took the test and am pleased that my risk level is low.

See how you do with the Online Identity Risk Calculator.

Additional Resources:

Microsoft Safety and Security Center
Stay Safe on Line: National Cyber Security Awareness Month
Stop | Think | Connect
Trustworthy Computing: TwC and NCSA - 10 Years of Online Safety & Security

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in NCSAM, safety, Security | No comments