February 2013 ~ SecurityGarden

Tuesday, February 26, 2013

Critical Security Update for Adobe Flash Player

Posted on 12:19 PM by Unknown

Adobe Flash Player was updated again today to address critical security vulnerabilities. These updates address vulnerabilities currently being exploited in the wild.

CVE-2013-0643 and CVE-2013-0648 are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content.

CVE-2013-0643 and CVE-2013-0648 are designed to target Flash Player in Firefox.

Update Information

The newest versions are as follows:

Windows and Macintosh: 11.6.602.171
Linux: 11.2.202.273

Release date: February 26, 2013
Vulnerability identifier: APSB13-08
CVE number: CVE-2013-0504, CVE-2013-0643, CVE-2013-0648
Platform: All platforms

Flash Player Update Instructions

Flash Player for Windows, Macintosh and Linux

Although Adobe suggests downloading the update from the Adobe Flash Player Download Center or by using the auto-update mechanism within the product when prompted, if you prefer, direct download links are available.

Non-IE (Opera, Firefox, Etc.): http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_plugin.exe
Flash Player For Internet Explorer 7, 8 & 9: http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_active_x.exe

Flash Player for Internet Explorer 10: Microsoft updated Security Advisory 2755801. If you do not have Automatic Updates enabled, the Flash Player update can be downloaded from the Download Center at Update for Internet Explorer Flash Player for Windows 8 Release Preview (KB2758994).
Flash Player Uninstaller: http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe

Notes:

If you use the Adobe Flash Player Download Center, be careful to uncheck the optional McAfee Security Plus box. It is not needed for the Flash Player update.
Uncheck any toolbar offered with Adobe products if not wanted.
If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.

Adobe Flash Player for Android

The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu.

Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

References

Adobe Priority Ratings
Adobe Security Advisory: Security updates available for Adobe Flash Player
PSIRT Blog: Security updates available for Adobe Flash Player (APSB13-08)
Release Notes: Flash Player® 11.5 AIR® 3.5

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Adobe, Security, Updates, Vulnerabilities | No comments

IE10 for Windows 7 Released

Posted on 11:28 AM by Unknown

Internet Explorer 10 has been released globally for Windows 7. It is available in 95 languages.

Initially, the update will be available via Windows Update for those running the IE10 release preview, followed in stages for the remaining Windows 7 users. If you would rather not wait to be offered the update, IE10 is available via the links shown below.

Note that IE10 is not compatible with Windows Vista.

Key Improvements

Key improvements in IE9 include improved performance, security, and privacy. Of major significance are the results of the independent testing conducted by NSS Labs, referenced below, in which IE10 with App Rep had a mean malware block rate of 99.1%.

System Requirements

Processor

Computer with a 1 gigahertz (GHz) 32-bit (x86) or 64-bit (x64) processor.

Operating system

Windows 7 32-bit with Service Pack 1 (SP1) or higher
Windows 7 64-bit with Service Pack 1 (SP1) or higher
Windows Server 2008 R2 with Service Pack 1 (SP1) 64-bit

Memory

Windows 7 32-bit—512 MB
Windows 7 64-bit—512 MB
Windows Server 2008 R2 64-bit—512 MB

Hard drive space

Windows 7 32-bit—70 MB
Windows 7 64-bit—120 MB
Windows Server 2008 R2 64-bit—200 MB

Display

Super VGA (800 x 600) or higher-resolution monitor with 256 colors

Download Link

Go here to determine if your PC is running the 32-bit or 64-bit version of Windows.

Worldwide: http://windows.microsoft.com/en-us/internet-explorer/downloads/ie-10/worldwide-languages

References

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in IE10, Windows 7 | No comments

Wednesday, February 20, 2013

Moving to SkyDrive

Posted on 5:08 PM by Unknown

I hope Security Garden readers haven't missed the message from the Windows Live Mesh and SkyDrive Teams announcing the retirement of Mesh earlier this month.

With the retirement of Mesh the following changes are taking place:

Remote desktop and peer-to-peer sync are no longer be available.
Any data on the Mesh cloud (Mesh synced storage or SkyDrive synced storage) will be permanently deleted on August 13, 2013. (Mesh users go here to access your Mesh online storage.)
Synced folders have stopped syncing.
You are no longer able to connect to your PCs remotely using Mesh.

Get SkyDrive

Whether you are a former Windows Live Mesh user or just never tried SkyDrive, you will discover that it is very easy to set up. SkyDrive works on Windows 8, Windows 7, or Vista, and Mac OS X Lion computers.

Setting up SkyDrive couldn't be easier.

Download SkyDrive Desktop App for Windows
Double-click SkyDriveSetup to start the installation.
Click the Getting Started link on the Wizard that launches after installation.
Sign in with your Microsoft Account. If you don't have a Microsoft Account yet, just click the link to sign up.
Click Next and you have the option to change the location of the Skydrive folder, although you may want to stay with the default.
As appropriate, check the box to "Make files on this PC available to me on my other devices" and then click Done.
All you need to do to get started is drag the files and folders to your new SkyDrive folder and the application does the rest!

It is that easy!

Now you can easily access your files from another computer or device. With 7 GB of free storage, you have enough space for 20,000 Office documents or 7,000 photos.

SkyDrive Desktop for Windows System Requirements

Operating system: One of the following:
- 32- or 64-bit version of either Windows 8, Windows 7, or Windows Vista with Service Pack 2 and the Platform Update for Windows Vista. (This app can't be installed on PCs running Windows RT.)
- Windows Server 2008 R2 or Windows Server 2008 with Service Pack 2 and the Platform Update for Windows Server 2008
Processor: 1.6 GHz or higher, Pentium IV or higher
Memory: 1 GB of RAM or higher
Internet connection: High-speed Internet access is recommended.

~ ~ ~ ~ ~ ~

As a SkyDrive Insider, I am excited to share information about SkyDrive. If you have a question about this post, please leave a comment and I'll do my best to assist.

Learn more about the SkyDrive Insiders program here.

References

Download SkyDrive Desktop App for Windows
Download SkyDrive Apps
SkyDrive Help & How-to

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in SkyDrive, Windows 7, Windows 8, Windows Vista | No comments

Happy 1st Anniversary, Sysnative.com!

Posted on 12:05 PM by Unknown

It was one year ago today that hosting and vBulletin 4 software license were purchased by site owner and fellow Microsoft MVP John Griffith, for the express purpose of BSOD App development at Sysnative.com.

A year later and not only was the goal of further development of the Sysnative BSOD App achieved (and ongoing), but also Sysnative has grown into a full-fledged support forum. A wonderful and talented group of people have contributed to making Sysnative a wonderful place to both provide and obtain help.

If you need help, would like to learn more about analyzing BSOD's or see the amazing work being done solving Windows Update and other computer problems, join us at Sysnative.com! Membership and help are free. Only registration is required.

To get a taste for the wide range of areas covered, see Lots of help here...this tells you where to find it.

Additional information: Sysnative - What is it?

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Microsoft, Security, Windows 7, Windows 8, Windows Vista, Windows XP | No comments

Adobe Reader and Acrobat Critical Security Update

Posted on 9:55 AM by Unknown

Following the release of Security Advisory (APSA13-02) related to critical security vulnerabilities in Adobe Reader and Acrobat XI (11.0.01 and earlier), X (10.1.5 and earlier) and 9.5.3 and earlier for Windows and Macintosh, Adobe released an update to those versions today.

Because the vulnerabilities are being exploited in the wild in targeted attacks, it is recommended that users of Adobe Reader and Acrobat apply the update as soon as possible. These updates address critical vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system.

Release Details

Release date: February 20, 2013
Vulnerability identifier: APSB13-07
CVE number: CVE-2013-0640, CVE-2013-0641
Platform: All Platforms

Update or Complete Download

Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

Enable "Protected View"

Due to frequent vulnerabilities, it is recommended that Windows users of Adobe Reader and Acrobat ensure that Protected View is enabled. Neither the Protected Mode or Protected View option is available for Macintosh users.

To enable this setting, do the following:

Click Edit > Preferences > Security (Enhanced) menu.
Change the "Off" setting to "All Files".
Ensure the "Enable Enhanced Security" box is checked.

Image via Sophos Naked Security Blog

If you are looking for a replacement for Adobe Reader, consider Replacing Adobe Reader with Sumatra PDF.

References

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Adobe, Security, Updates, Vulnerabilities | No comments

Tuesday, February 19, 2013

Critical Oracle Java Security Update

Posted on 2:47 PM by Unknown

When Oracle released an out-of-band security update for Java SE, additional updates that had been planned were not included. As a result, this critical security update was released to add the additional five fixes omitted earlier this month.

In an surprising move, Oracle has added two additional dates to the update schedule in order to further accelerate Java security fixes.

If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

Java Security Recommendations

1) In the Java Control Panel, set the security to high.
2) Keep Java disabled until needed. Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

(Image via Sophos Naked Security Blog)

3) If you use Firefox, install NoScript and only allow Java on those sites where it is required.

Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml

Download Information

Download link: Java Version 7 Update 15

Verify your version: http://www.java.com/en/download/testjava.jsp

Note: UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.

Critical Patch Updates

For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:

16 April 2013
18 June 2013
15 October 2013
14 January 2014

References

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Java, Security, Updates, Vulnerabilities | No comments

Mozilla Firefox 19.0 Released with Built-in PDF Viewer

Posted on 9:52 AM by Unknown

Firefox 19.0.0 was sent to the release channel today by Mozilla. Although the release includes the usual long list of bug fixes, the release does not include security updates. Firefox 19 does include a new addition, a built-in PDF viewer.

Using Firefox PDF Viewer

It is important to note that the addition is just that, a viewer. It is not possible, for example, to use it for completing fill-in forms. However, when using the viewer, the option is available in the right-hand corner of the viewed file to "Open with a Different Viewer".

As illustrated below, the built-in .PDF reader can be enabled or disabled via the Tools > Options > Applications tab.

With a default PDF program set on the computer, the first option is presented when clicking a PDF file:

To select Firefox for viewing the file, navigate to where you have Firefox installed on your computer; i.e., C:\Program Files (x86)\Mozilla Firefox\Firefox.exe and select it. The PDF will then be viewable in Firefox.

When the PDF is opened in the built-in PDF viewer there may be a warning in the message bar reading, "This PDF document might not be displaying properly". It is at this point where you can elect to openthe file with a different viewer.

The Release Notes include additional changes and fixed features in version 19.0. For a complete note of all fixes, see the Bug Fixes in the link below in References.

Update

To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox." Mac users need to select "About Firefox" from the Firefox menu.

If you do not use the English language version, Fully Localized Versions are available for download.

References

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Firefox, Updates | No comments

Friday, February 15, 2013

Replacing Adobe Reader with Sumatra PDF

Posted on 7:33 PM by Unknown

Following the recent critical security advisory for Adobe Reader, questions have been raised in forums about an alternate PDF software program.

Although I provide security update information about Adobe Reader, I uninstalled it several years ago. I switched to the open source software program SumatraPDF.

SumatraPDF is a free PDF, eBook (ePub, Mobi), XPS, DjVu, CHM, Comic Book (CBZ and CBR) reader for Windows, created by Krzysztof Kowalczyk. The most recent update added support for FictionBook e-book format as well as support for PDF documents encrypted with Acrobat X.

I selected SumatraPDF because it has a small footprint, has no added toolbars and is not a target of malware writers. Although I indicated that SumatraPDF is not a target of malware writers like we have seen lately with Adobe Reader, that does not mean that the normal cautions should be thrown away.

A SumatraPDF feature I particularly like is that you can select text or an image and copy it. I have not had any problems opening PDF files at sites that specify "Adobe Reader Required". Someone mentioned that they heard there is a problem printing from SumatraPDF. My five year old printer has no problems printing from PDF files from Sumatra PDF.

How to Change the SumatraPDF Background Color

One comment about SumatraPDF is that many people do not care for the bright yellow background. If you don't like the yellow background, it can be changed to the color of your choice.

The first thing you need to do is to select the color you want to use to replace the yellow. There is a simple chart to select a color on this color chart or this list of color codes. Another source for selecting colors is available here.

This can be done either via the shortcut or a Command Prompt, both illustrated below:

Locate the SumatraPDF shortcut in Windows' Start menu.
Right-click it and select Properties
Select the Shortcut tab:
Append the line line below the Target line, substituting the hex code for the color you choose following the # symbol. (Note the space before -bg and also before #)
-bg-color #EEEEEE

The target line will read something like the following:

"C:\Program Files\SumatraPDF\SumatraPDF.exe" -bg-color #DDDDDD

or, on 64-bit systems,

"C:\Program Files (86)\SumatraPDF\SumatraPDF.exe" -bg-color #DDDDDD
Click Apply and launch SumatraPDF to see the change from yellow to the color you select, in my case gray:

If you prefer, this can be done via Command Prompt.

Click Start, type cmd
Right-click cmd.exe and select "Run as Administrator".
Change the path to Sumatra and add the change as shown below.
Note the space between SumatraPDF and .exe

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd C:\Program Files (x86)\SumatraPDF

C:\Program Files (x86)\SumatraPDF>SumatraPDF .exe -bg-color #DDDDDD

C:\Program Files (x86)\SumatraPDF>

SumatraPDF does not support Windows 8, which has a built in PDF reader. The currently supported operating systems are Windows 7, Windows Vista, and Windows XP.

References

Download Sumatra PDF -- Select the installer or the portable version
Manual -- Includes Keyboard Shortcuts, Command Line
Project Home

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Adobe, Sumatra, tutorial | No comments

Thursday, February 14, 2013

Critical Security Advisory for Adobe Reader and Acrobat (APSA13-02)

Posted on 3:21 PM by Unknown

Adobe released Security Advisory (APSA13-02) related to critical security vulnerabilities in Adobe Reader and Acrobat XI (11.0.01 and earlier), X (10.1.5 and earlier) and 9.5.3 and earlier for Windows and Macintosh.

Release date: February 13, 2012
Last updated: February 14, 2012
Vulnerability identifier: APSA13-02
CVE number: CVE-2013-0640, CVE-2013-0641
Platform: All Platforms

Adobe reported that the vulnerabilities are being exploited in the wild in targeted attacks designed to trick Windows users into clicking on a malicious PDF file delivered in an email message. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system.

Both Windows and Macintosh operating systems are vulnerable, however mitigation is only provided for users of Adobe Reader XI and Acrobat XI for Windows.

Enable "Protected View"

In order to minimize vulnerability it is recommended Windows users of Adobe Reader and Acrobat ensure that Protected View is enabled. Unfortunately, neither the Protected Mode or Protected View option is available for Macintosh users.

To enable this setting, do the following:

Click Edit > Preferences > Security (Enhanced) menu.
Change the "Off" setting to "All Files".
Ensure the "Enable Enhanced Security" box is checked.

Image via Sophos Naked Security Blog

If you haven't updated to the latest version of Adobe Reader it is strongly advised that you do so and enable the settings as illustrated above. On other hand, if you are looking for a replacement for Adobe Reader, consider Replacing Adobe Reader with Sumatra PDF.

References

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Adobe, Advisory, Security, Vulnerabilities | No comments

Tuesday, February 12, 2013

Another Critical Adobe Update, Includes Flash Player, AIR and Shockwave

Posted on 11:30 AM by Unknown

Although a critical security update was released for Adobe Flash Player just last week, yet another critical security update has been released today.

The updates released are for Adobe Flash Player, Adobe AIR and Adobe Shockwave Player. Details and update instructions are included below.

Adobe Flash Player was again updated to address critical security vulnerabilities. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Update Information

The newest versions are as follows:

Product Updated version Platform Priority rating
Adobe Flash Player 11.6.602.168 Windows 1

11.6.602.167 Macintosh 2

11.2.202.270 Linux 3

11.1.115.37 Android 4.x 3

11.1.111.32 Android 3.x and 2.x 3
Adobe AIR 3.6.0.597 Windows, Macintosh and Android 3
Adobe AIR SDK 3.6.0.599 Windows, Macintosh and Android 3

Product	Updated version	Platform	Priority rating
Adobe Flash Player	11.6.602.168	Windows	1
	11.6.602.167	Macintosh	2
	11.2.202.270	Linux	3
	11.1.115.37	Android 4.x	3
	11.1.111.32	Android 3.x and 2.x	3
Adobe AIR	3.6.0.597	Windows, Macintosh and Android	3
Adobe AIR SDK	3.6.0.599	Windows, Macintosh and Android	3

Release date: February 12, 2013
Vulnerability identifier: APSB13-05
Priority: Critical
CVE number: CVE-2013-1372, CVE-2013-0645, CVE-2013-1373, CVE-2013-1369, CVE-2013-1370, CVE-2013-1366, CVE-2013-0649, CVE-2013-1365, CVE-2013-1374, CVE-2013-1368, CVE-2013-0642, CVE-2013-0644, CVE-2013-0647, CVE-2013-1367, CVE-2013-0639, CVE-2013-0638, CVE-2013-0637
Platform: All Platforms

Flash Player Update Instructions

Non-IE (Opera, Firefox, Etc.): http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_plugin.exe
Flash Player For Internet Explorer 7, 8 & 9: http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_active_x.exe

Flash Player for Internet Explorer 10: Microsoft updated Security Advisory 2755801. If you do not have Automatic Updates enabled, the Flash Player update can be downloaded from the Download Center at Update for Internet Explorer Flash Player for Windows 8 Release Preview (KB2758994).
Flash Player Uninstaller: http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe

Notes:

For Adobe AIR see Determine version | Adobe AIR runtime.
Beginning with Adobe Flash Version 11.3, the universal 32-bit installer will include the 32-bit and 64-bit versions of the Flash Player.
If you use the Adobe Flash Player Download Center, be careful to uncheck the optional McAfee Security Plus box. It is not needed for the Flash Player update.
Uncheck any toolbar offered with Adobe products if not wanted.
If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.

Adobe Flash Player for Android

The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.

Verify Installation

The update to Adobe Shockwave Player for both Windows and Macintosh systems addresses vulnerabilities that could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.

Release date: February 12, 2013
Vulnerability identifier: APSB13-06
Priority: Critical
CVE number: CVE-2013-0635, CVE-2013-0636
Platform: Windows and Macintosh

Update Information

The newest version of Shockwave Player 12.0.0.112 is available here: http://get.adobe.com/shockwave/.

Notes:

Please remember to uncheck any unwanted 3rd party toolbars or other programs during installation.
For information on how to disable the auto-update setting in Shockwave Player, see http://kb2.adobe.com/cps/166/tn_16683.html. (This must be set every time Shockwave Player is updated if you do not want auto-updating.)

Verify Installation

To test the Adobe Shockwave Player installation on your computer, go to the Test Authorware Web Player page.

References

Adobe Priority Ratings
Adobe Security Advisory: Security updates available for Adobe Flash Player
Security updates available for Adobe Shockwave Player
Release Notes: Flash Player® 11.5 AIR® 3.5

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Adobe, Security, Updates, Vulnerabilities | No comments

Microsoft Security Bulletin Release for February 2013

Posted on 10:53 AM by Unknown

Microsoft released twelve (12) bulletins addressing 57 vulnerabilities in Microsoft Windows, Office, Internet Explorer, Exchange and .NET Framework*. Five bulletins are identified as Critical and seven as Important.

Bulletin Number	Bulletin Title	Bulletin KB
MS13-009	Cumulative Security Update for Internet Explorer	2792100
MS13-010	Vulnerability in Internet Explorer	2797052
MS13-011	Vulnerability in Microsoft Windows	2780091
MS13-012	Vulnerabilities in Microsoft Exchange	2809279
MS13-013	Vulnerabilities in Microsoft Office	2784242
MS13-014	Vulnerability in Microsoft Windows	2790978
MS13-015	*Vulnerability in .NET Framework	2800277
MS13-016	Vulnerabilities in Microsoft Windows	2778344
MS13-017	Vulnerabilities in Microsoft Windows	2799494
MS13-018	Vulnerability in Microsoft Windows	2790113
MS13-019	Vulnerability in Microsoft Windows	2790113
MS13-020	Vulnerability in Microsoft Windows	2802968

*Note: If you have problems with .NET Framework updates, it is recommended that you install this update separately with an shutdown/restart.

Support

The following additional information is provided in the Security Bulletin:

The affected software listed have been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your software version, visit Microsoft Support Lifecycle.
Security solutions for IT professionals: TechNet Security Troubleshooting and Support
Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center
Local support according to your country: International Support

References

MSRC: Baseball, Bulletins and the February 2013 Release
TechNet: Microsoft Security Bulletin Summary for February 2013
Security and Safety Center: Microsoft security updates for February 2013

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Microsoft, Security, Updates, Vulnerabilities | No comments

Thursday, February 7, 2013

Critical Adobe Flash Player Security Update

Posted on 1:49 PM by Unknown

Adobe Flash Player was updated to address critical security vulnerabilities. These updates address vulnerabilities currently being exploited in the wild.

The vulnerability described by CVE-2013-0633 is designed to trick the user into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content. The exploit targets the ActiveX version of Flash Player on Windows.

CVE-2013-0634 relates to a buffer overflow vulnerability that could lead to code execution. Attacks are delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform. Attacks are also designed to trick Windows users into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content.

Update Information

The newest versions are as follows:

Windows and Macintosh: 11.5.502.149
Linux: 11.2.202.262
Android 4.x: 11.1.115.37
Android 3.x and 2.x: 11.1.111.32

Release date: February 7, 2013
Vulnerability identifier: APSB13-04
CVE number: CVE-2013-0633, CVE-2013-0634
Platform: All Platforms

Flash Player Update Instructions

Non-IE (Opera, Firefox, Etc.): http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_plugin.exe
Flash Player For Internet Explorer 7, 8 & 9: http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_active_x.exe

Flash Player for Internet Explorer 10: Microsoft updated Security Advisory 2755801. If you do not have Automatic Updates enabled, the Flash Player update can be downloaded from the Download Center at Update for Internet Explorer Flash Player for Windows 8 Release Preview (KB2758994).
Flash Player Uninstaller: http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe

Notes:

Adobe AIR 3.5.0.880 and earlier versions for Windows, Adobe AIR 3.5.0.890 and earlier versions for Macintosh and Adobe AIR 3.5.0.880 for Android. See Determine version | Adobe AIR runtime.
Beginning with Adobe Flash Version 11.3, the universal 32-bit installer will include the 32-bit and 64-bit versions of the Flash Player.
If you use the Adobe Flash Player Download Center, be careful to uncheck the optional McAfee Security Plus box. It is not needed for the Flash Player update.
Uncheck any toolbar offered with Adobe products if not wanted.
If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.

Adobe Flash Player for Android

The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.

Verify Installation

References

Adobe Priority Ratings
Adobe Security Advisory: Security updates available for Adobe Flash Player
Release Notes: Flash Player® 11.5 AIR® 3.5

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Adobe, Security, Updates, Vulnerabilities | No comments

Security Bulletin Advance Notice for February 2013

Posted on 11:03 AM by Unknown

On Tuesday, February 12, 2013, Microsoft is planning to release twelve (12) bulletins addressing twelve (57) vulnerabilities.

Five bulletins are identified as Critical and address vulnerabilities in Microsoft Windows, Internet Explorer and Exchange Software. The seven remaining bulletins are rated Important and will address issues in Microsoft Windows, Office, .NET Framework, and Microsoft Server Software.

In the event you have had problems installing .NET Framework updates in the past, please consider installing those updates separately with a shutdown/restart included, regardless of whether or not it is required.

As happens each month, Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

References

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Microsoft, Security, Updates, Vulnerabilities | No comments

Tuesday, February 5, 2013

Mozilla Firefox 18.0.2 Release Includes Massive Bug Fixes

Posted on 4:19 PM by Unknown

Firefox 18.0.2 was sent to the release channel today by Mozilla. Although this update does not include any security updates, the massive list of bug fixes suggests that it is advisable to install this update sooner rather than later.

Update: Thanks to a tip from a friend, I discovered that the update to version 18.0.2 added a check to the option to allow 3rd party cookies. If you, like me, do not want to accept 3rd party cookies, you can reverse the change at Firefox > Options > Privacy.

What's New

FIXED --18.0.2: Fix JavaScript related stability issues
FIXED --18.0.1: Problems involving HTTP Proxy Transactions (Associated bugs)
FIXED --18.0.1: Unity player crashes on Mac OS X (bug 828954)
FIXED --18.0.1: Disabled HIDPI support when using external monitors to avoid rendering glitches (bug 814434)
NEW --Faster JavaScript performance via IonMonkey compiler
NEW --Support for Retina Display on OS X 10.7 and up
NEW --Preliminary support for WebRTC
CHANGED --Experience better image quality with our new HTML scaling algorithm
CHANGED --Performance improvements around tab switching
DEVELOPER --Support for new DOM property window.devicePixelRatio
DEVELOPER --Improvement in startup time through smart handling of signed extension certificates
HTML5 --Support for W3C touch events implemented, taking the place of MozTouch events
FIXED --Disable insecure content loading on HTTPS pages (62178)
FIXED --Improved responsiveness for users on proxies (769764)

View the incredibly long list of Bug Fixes for version 18.0.2 in the link listed below.

Update

References

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in | No comments

Monday, February 4, 2013

Safer Internet Day, Connect With Respect #SID2013

Posted on 5:28 PM by Unknown

Safer Internet Day is marking its tenth year in promoting safer and more responsible use of online technology and mobile phones, especially among children and young people across the world.

The annual February event is organized by Insafe and co-sponsored by the European Union. The theme for the event this year is "Online rights and responsibilities", with the goal to encourage everyone to Connect With Respect.

Children and Teens Online

It is important for parents to ensure that your children understand that after information is made public on the Internet, it cannot be taken back. Be sure they understand the dangers that lurk not only in the form of computer viruses but also child predators.

Review the information at How to help your kids use social websites more safely and ensure that household rules are established and followed.

Cyber Bullying

As reported by Microsoft, 37% of children indicated in a survey that they have been bullied online. Another 24% admitted that they have bullied someone online.

Take a couple of minutes to go through the following quiz which includes five online-bullying scenarios. Follow the "learn more" links for helpful tips on correcting negative and reinforcing positive behaviors.

Safer Online Teen Challenge

With cyber bullying a continuing problem, parents of youths between the ages of 13-18 are encouraged to point those teenagers to the Microsoft-sponsored Safer Online Teen Challenge.

The Teen Challenge is designed to enable teens to learn about online safety issues. It’s a fun way to get creative and talk with others about important digital topics.

Take the challenge to make every day a Safer Internet Day for you and your family to Connect With Respect.

Additional information about Safer Internet Day is available in the references below.

References

Insafe: Safer Internet Day
Microsoft: Safer Internet Day
Safer Internet Day

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Child Safety, safety, Security | No comments

Friday, February 1, 2013

Accelerated Java Critical Update

Posted on 1:34 PM by Unknown

The scheduled February Java critical patch update was accelerated due to active exploitation “in the wild” of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers.

The new Java release is Java™ SE Development Kit 7, Update 13 (JDK 7u13), with the full version string for this update release being 1.7.0_13-b20 (where "b" means "build") and the version number is 7u13.

If you have uninstalled Java due to recent critical vulnerabilities and have not missed it, my suggestion is to bypass re-installing it until or unless it is needed. See Java, The Never-Ending Saga for additional information on removing or disabling Java.

Should there be software programs you use or websites that you visit that require Java, it is strongly advised that the update be applied as soon as possible.

Java Security Recommendations

1) In the Java Control Panel, set the security to high.
2) Keep Java disabled until needed. Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

(Image via Sophos Naked Security Blog)

Download Information

Download link: Java Version 7 Update 13

Verify your version: http://www.java.com/en/download/testjava.jsp

Note: UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.

Critical Patch Updates

For Oracle Java SE Critical Patch Updates, the next scheduled dates are:

18 June 2013
15 October 2013
14 January 2014

References

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Posted in Java, Security, Updates, Vulnerabilities | No comments