SecurityGarden


Tuesday, June 25, 2013

Mozilla Firefox 22.0 Released with Critical Security Updates

Posted on 10:15 AM by Unknown


Mozilla has sent Firefox 22.0 to the release channel.  The update carries fourteen security advisories (MFSA 2013-49 through MFSA 2013-62, listed below), of which four are rated critical, six high, three moderate and one low.

Note:  According to members at DSLReports, the update appears to have broken the Roboform toolbar.  (H/T, siljaline)

Notable Changes

Social Services:  New in version 22.0 is the ability to disable social media services that may be bundled with installed add-ons.  To do so, open the Add-ons Manager and select Services, then disable or remove any service you have installed in the browser.

Plain text files:  Word-wrap is a welcome change to viewing plain text files in this version of Firefox.

Fixed in Firefox 22

  • MFSA 2013-62 Inaccessible updater can lead to local privilege escalation
  • MFSA 2013-61 Homograph domain spoofing in .com, .net and .name
  • MFSA 2013-60 getUserMedia permission dialog incorrectly displays location
  • MFSA 2013-59 XrayWrappers can be bypassed to run user defined methods in a privileged context
  • MFSA 2013-58 X-Frame-Options ignored when using server push with multi-part responses
  • MFSA 2013-57 Sandbox restrictions not applied to nested frame elements
  • MFSA 2013-56 PreserveWrapper has inconsistent behavior
  • MFSA 2013-55 SVG filters can lead to information disclosure
  • MFSA 2013-54 Data in the body of XHR HEAD requests leads to CSRF attacks
  • MFSA 2013-53 Execution of unmapped memory through onreadystatechange event
  • MFSA 2013-52 Arbitrary code execution within Profiler
  • MFSA 2013-51 Privileged content access and execution via XBL
  • MFSA 2013-50 Memory corruption found using Address Sanitizer
  • MFSA 2013-49 Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7)


What’s New

  • NEW -- WebRTC is now enabled by default!
  • NEW -- Windows: Firefox now follows display scaling options to render text larger on high-res displays
  • NEW -- Mac OS X: Download progress in Dock application icon
  • NEW -- HTML5 audio/video playback rate can now be changed
  • NEW -- Social services management implemented in Add-ons Manager
  • NEW -- asm.js optimizations (OdinMonkey) enabled for major performance improvements
  • CHANGED -- Improved WebGL rendering performance through asynchronous canvas updates
  • CHANGED -- Plain text files displayed within Firefox will now word-wrap
  • CHANGED -- For user security, the |Components| object is no longer accessible from web content
  • CHANGED -- Improved memory usage and display time when rendering images
  • CHANGED -- Pointer Lock API can now be used outside of fullscreen
  • HTML5 -- New HTML5 and  elements
  • FIXED -- Scrolling using some high-resolution-scroll aware touchpads feels slow (829952)



Known Issues

  • Unresolved-- If you try to start Firefox using a locked profile, it will crash (see 573369)

Update

To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu.

If you do not use the English language version, Fully Localized Versions are available for download.

References

  • Common questions after updating Firefox
  • Security Updates
  • Mozilla Firefox Release Notes
  • Bug Fixes 



Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Posted in Firefox, Mozilla, Updates

Tuesday, June 18, 2013

Critical Oracle Java Security Update

Posted on 4:28 PM by Unknown


Oracle has released the scheduled Critical Patch Update for its Java SE Runtime Environment software.

This Critical Patch Update contains 40 new security fixes for Oracle Java SE.  Oracle indicated that thirty-seven (37) of the vulnerabilities may be remotely exploitable without authentication, that is, exploitable over a network without the need for a username and password.

Additional details about the update are available in the Oracle Quality Assurance Blog post, June 2013 Critical Patch Update for Java SE Released.  If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

For those people who have desktop applications that require Java and cannot uninstall it, Java can now be disabled in Internet Explorer.  See Microsoft Fix it to Disable Java in Internet Explorer.

Java Security Recommendations

1)  In the Java Control Panel, on the Security tab, set the security level to at least High.
2)  Keep Java disabled in the browser until it is needed:  uncheck the box "Enable Java content in the browser" in the Java Control Panel.

Java ControlPanel
(Image via Sophos Naked Security Blog)

3)  If you use Firefox, install NoScript and only allow Java on those sites where it is required.

Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml

Download Information

Download link:  Java Version 7 Update 25

Verify your version:  http://www.java.com/en/download/testjava.jsp

Notes:
  • UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.
  • Starting with Java SE 7 Update 21 in April 2013, all Java applets and Web Start applications should be signed with a trusted certificate.  Running untrusted or unsigned applets is not recommended.  See How to protect your computer against dangerous Java Applets
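The recommendations above (security level, browser plug-in switch) and the "verify your version" step can be checked from a script rather than by clicking through the Control Panel. The following Python script is an added example written for this post; it is not Oracle's tooling. It assumes two things from my own knowledge of the JRE rather than from the post: that the Java Control Panel persists its settings in the per-user deployment.properties file (on Windows under %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\) using the keys deployment.security.level and deployment.webjava.enabled, and that `java -version` reports Java SE 7 Update 25 as "1.7.0_25". The properties file contents and the version output embedded below are constructed samples.

```python
import re

# Constructed sample of a per-user deployment.properties file, the file the Java
# Control Panel writes its settings to (assumption: on Windows it lives under
# %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\). The values are made up
# to show a machine that has NOT applied the recommendations in the post.
SAMPLE_PROPERTIES = """\
#deployment.properties
#Tue Jun 18 16:28:00 EDT 2013
deployment.security.level=MEDIUM
deployment.webjava.enabled=true
deployment.expiration.check.enabled=true
"""

# Constructed sample of what `java -version` prints for Java SE 7 Update 21.
SAMPLE_JAVA_VERSION = ('java version "1.7.0_21"\n'
                       'Java(TM) SE Runtime Environment (build 1.7.0_21-b11)\n')

# Release that ships the June 2013 Critical Patch Update: Java SE 7 Update 25.
BASELINE = (7, 25)

# Control Panel security levels that satisfy recommendation 1) in the post.
ACCEPTABLE_LEVELS = {"HIGH", "VERY_HIGH"}


def parse_properties(text):
    """Parse java.util.Properties syntax (key=value, key:value, key value) into a dict.

    Comment lines start with '#' or '!'. Backslash line continuations are not
    needed for deployment.properties and are not handled here.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def parse_java_version(output):
    """Map `java -version` output to (family, update), e.g. 1.7.0_25 -> (7, 25)."""
    m = re.search(r'java version "1\.(\d+)\.0_(\d+)"', output)
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit(props, version_output, baseline=BASELINE):
    """Return the list of findings; an empty list means the recommendations are met."""
    findings = []
    version = parse_java_version(version_output)
    if version is None:
        findings.append("could not determine the installed Java version")
    elif version < baseline:
        # tuple order: an older family (6uXX) and an older 7 update both count as outdated
        findings.append("Java %du%d is older than %du%d; apply the Critical Patch Update"
                        % (version + baseline))
    level = props.get("deployment.security.level", "").upper()
    if level not in ACCEPTABLE_LEVELS:
        findings.append("security level is %s; set it to High or Very High in the Java Control Panel"
                        % (level or "not set (Java's default)"))
    if props.get("deployment.webjava.enabled", "true").lower() != "false":
        findings.append('"Enable Java content in the browser" is still checked; uncheck it until needed')
    return findings


if __name__ == "__main__":
    for finding in audit(parse_properties(SAMPLE_PROPERTIES), SAMPLE_JAVA_VERSION):
        print("FINDING:", finding)
```

Run against the constructed sample, the script reports three findings: an outdated runtime (7u21), a security level below High, and the browser plug-in still enabled. Feed it the real deployment.properties and the real `java -version` output (which goes to stderr) to audit a machine; an empty list is the state the post recommends.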

Critical Patch Updates

For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
  • 15 October 2013
  • 14 January 2014
  • 15 April 2014 

References

  •  June 2013 Critical Patch Update for Java SE Released
  • Java SE 7 Update Release Notes
  • Critical Patch Updates, Security Alerts and Third Party Bulletin 
  • Java, The Never-Ending Saga  





Posted in Java, Security, Updates, Vulnerabilities

Monday, June 17, 2013

Linked Accounts Being Eliminated from Outlook

Posted on 11:40 AM by Unknown
Starting in late July, Microsoft will be eliminating the "linked accounts" feature from Outlook.com.  While this feature has been used for many reasons, particularly where you don't want to provide your primary email address, security is the primary reason Microsoft is giving for this change.

According to the announcement by Eric Doerr in the Outlook Blog, it has been increasingly found that linked accounts are less secure than using aliases, particularly because it is possible to sign in to Outlook.com on the web and then switch to any other linked account without entering a password.

Options

With the elimination of linked accounts, the remaining options currently available are to use mail forwarding from the previously linked account or create an alias. 

Microsoft is reportedly working on setting up the ability to move an email address and the accompanying email from one account to another.

Important Notes: 
  1. Mail Forwarding:  You must sign in to the account that forwards to your primary account at least once every 365 days.  If you don't, the system will close that account.
  2. Reply to Forwarded Mail:  To reply directly to email forwarded to your primary account, configure Outlook.com to send email on behalf of the secondary email account.
  3. Aliases:  You can add up to ten new aliases per year, with an overall maximum of ten aliases.  Deleting an alias frees a slot in the overall maximum but does not reset the ten-per-year limit.
Information on how to create an Outlook.com alias and set up mail forwarding is available from Microsoft in the help documents linked below.

~   ~   ~   ~   ~   ~

I am an Outlook.com Insider.  If you have a question about this post or Outlook.com, please leave a comment and I'll do my best to assist.  Learn more about the Outlook.com Insiders program here.

References

  • Outlook Blog: An update to linked accounts
  • Add an Outlook.com alias to your account
  • Set up your Gmail, Yahoo! Plus, or Microsoft email accounts in Outlook.com



Posted in Microsoft, Outlook.com

Sunday, June 16, 2013

Microsoft Fix it to Disable Java in Internet Explorer

Posted on 5:30 PM by Unknown

Java, how we love to hate you!  Many people have uninstalled Java and do not miss it.  That is most likely because they do not have desktop applications that require Java. Unfortunately, that is not the situation for those people who use Java-dependent software programs. 

Until recently, Internet Explorer was the only major browser that did not provide a way to disable Java.  The only way to completely disable Java in IE was to disable Java through the Java Control Panel, which meant re-enabling Java when using Java-dependent programs.  That is no longer true!

Microsoft has released a Microsoft Fix it solution designed to block all Java web-attack vectors through Internet Explorer.  As explained by Cristian Craioveanu in the below-linked Security Research & Defense Blog article, the Fix it solution is made up of two parts.
  1. The Fix it uses the Windows Application Compatibility Toolkit to change the behavior of Internet Explorer at runtime so that Oracle's Java web plug-ins are prevented from loading.  As a result, the Java ActiveX DLLs are never loaded into the browser.
  2. The second part of the Fix it clears the access control list (ACL) in the registry for the Java Network Launch Protocol (JNLP) handler, which prevents Internet Explorer from automatically opening JNLP files.

Instructions

Before installing the Fix it solution, take the following precautions:

1.  Create a restore point
  • Windows XP: How to set a system restore point in Windows XP
  • Windows Vista, Windows 7, Windows 8: Create a restore point
  • (Note:  For Windows 8, open the Windows Charms Bar by pressing Windows key + Q.  In the Apps search Bar, type Restore Point, Create Restore Point.)

2.  Back up the Registry
  • Windows XP: How to back up and restore the registry in Windows XP
  • Windows Vista, Windows 7, Windows 8: Back up the registry (Note: For Windows 8, open the Windows Charms Bar by pressing Windows key + Q.  In the Apps search Bar, type regedit and press Enter to open Registry Editor.)
3.  Apply the Fix it

Disable the Java web plug-in (Apply Fix it):  Microsoft Fix it 50994
Restore the Java web plug-in (Uninstall Fix it):  Microsoft Fix it 50995

4.  Restart Internet Explorer
For the changes to take effect, restart IE.

To undo the changes, run Microsoft Fix it 50995 and restart IE.

The Fix it solution has been tested by Microsoft and works for all versions of Java from version 5 upward.  It also works on all supported versions of Internet Explorer, whether 32- or 64-bit.


References

  • Security Research & Defense Blog: Java: A Fix it for when you cannot let go 
  • Microsoft KB 2751647: How to disable the Java web plug-in in Internet Explorer



Posted in FixIt, IE10, IE6, IE7, IE8, IE9, Java, Security, tutorial

Tuesday, June 11, 2013

Adobe Flash Player and AIR Security Update

Posted on 11:52 AM by Unknown

Adobe has released security updates for Adobe Flash Player and Adobe AIR for Windows, Macintosh, Linux and Android.  These updates address critical vulnerabilities.
With today's Windows Update, the Flash Player built into Internet Explorer 10 on Windows 8 and Windows RT is also updated.

Update Information

The newest versions are as follows:
Windows:  11.7.700.224
Macintosh:  11.7.700.225
Linux: 11.2.202.291
Android 4x:  11.1.115.63
Android 3x and 2x:  11.1.111.59
Adobe AIR for Windows:  3.7.0.2090
Adobe AIR for Macintosh:  3.7.0.2100

Release date: June 11, 2013
Vulnerability identifier: APSB13-16

CVE number: CVE-2013-3343
Platform: All Platforms

Flash Player Update Instructions

Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install Google Drive.

It is recommended that you either use the auto-update mechanism within the product when prompted, or my preference, the direct download links.
  • Non-IE (Opera, Firefox, Etc.):  http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_plugin.exe
     
  • Windows XP, Vista and 7:
    Flash Player For Internet Explorer 7, 8, 9, 10:  http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_active_x.exe

    Windows 8:
    Flash Player for Internet Explorer 10: Microsoft updated Security Advisory 2755801.  If you do not have Automatic Updates enabled, the Flash Player update can be downloaded from the Download Center at Update for Internet Explorer Flash Player for Windows 8 Release Preview (KB2758994).

  • Flash Player Uninstaller:  http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe

Notes:
  • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
  • Uncheck any toolbar offered with Adobe products if not wanted.
  • If you use alternate browsers, it is necessary to install both the update for Internet Explorer (the ActiveX control) and the update for the other browsers (the plug-in).
  • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.

Adobe Flash Player for Android

The latest version of Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu.

Do this for each browser installed on your computer, since Internet Explorer and the other browsers each carry their own copy of the player.

To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.
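The version you read off a browser is not always the full four-part build, which matters when checking it against the table above. The following Python script is an added example written for this post, not Adobe's code; the version table repeats the numbers given above, while the platform keys and the Android branch labels are my own. It assumes, from my knowledge of the player rather than from this post, three forms in which Flash reports its version: "WIN 11,7,700,224" as the control's own $version string, "Shockwave Flash 11.7 r700" as the description shown in a browser's plug-in list (which omits the build number), and dotted "11.7.700.224" as printed on the About page. All sample readings are constructed.

```python
import re

# Fixed builds listed in bulletin APSB13-16 (the version table in this post), by platform.
# The keys are my own labels: "and4" is Android 4.x, "and2" is Android 3.x/2.x.
FIXED = {
    "win":  (11, 7, 700, 224),
    "mac":  (11, 7, 700, 225),
    "lnx":  (11, 2, 202, 291),
    "and4": (11, 1, 115, 63),
    "and2": (11, 1, 111, 59),
}

# Matches "11,7,700,224", "11.7.700.224" and the plug-in description form "11.7 r700".
# The fourth (build) component is optional because the description form omits it.
_VERSION_RE = re.compile(r"(\d+)[.,](\d+)(?:[.,]| r)(\d+)(?:[.,](\d+))?")


def parse_flash_version(text):
    """Return the reported version as a tuple of ints, or None if none is present.

    Assumed input forms (from my knowledge of the player, not from the post):
      "WIN 11,7,700,224"           - the $version string the control reports
      "Shockwave Flash 11.7 r700"  - browser plug-in description (no build number)
      "11.7.700.224"               - as printed on the About Flash Player page
    The tuple has three elements when the build number was not reported.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups() if g is not None)


def status(platform, reported):
    """Classify a reported version against the fixed build for that platform.

    Returns "patched", "vulnerable" or "unknown". "unknown" means the reading
    did not carry enough components to decide: the plug-in description says
    only "11.7 r700", and both 11.7.700.169 (old) and 11.7.700.224 (fixed)
    match that, so the About page or $version must be consulted instead.
    """
    fixed = FIXED[platform]
    version = parse_flash_version(reported)
    if version is None:
        return "unknown"
    prefix = fixed[:len(version)]
    if version > prefix:
        return "patched"      # newer on a leading component, so newer overall
    if version < prefix:
        return "vulnerable"   # older on a leading component: pre-APSB13-16
    # equal on every component we have; conclusive only if we have all of them
    return "patched" if len(version) == len(fixed) else "unknown"


if __name__ == "__main__":
    # constructed sample readings, one per reporting form
    for platform, reading in [("win", "WIN 11,7,700,224"),
                              ("win", "11.7.700.169"),
                              ("lnx", "Shockwave Flash 11.2 r202"),
                              ("mac", "Shockwave Flash 11.6 r602")]:
        print(platform, repr(reading), "->", status(platform, reading))
```

The point of the three-way result is the "unknown" case: a plug-in list that says "11.7 r700" tells you the branch but not whether the build is the patched one, so only the About page or the $version string settles it, and the script refuses to guess.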

References

  • Adobe Priority Ratings
  • Adobe Security Advisory: Security updates available for Adobe Flash Player
  • AIR Download Center
  • PSIRT Blog: Security updates available for Adobe Flash Player (APSB13-16)
  • Release Notes:  Flash Player® 11.7 AIR® 3.7





Posted in Adobe, Security, Updates, Vulnerabilities

Microsoft Security Updates for June 2013

Posted on 10:17 AM by Unknown

Microsoft released five (5) bulletins.  One bulletin is identified as Critical, with the remaining four bulletins rated Important.

The bulletins address 23 vulnerabilities in Internet Explorer, Microsoft Windows and Microsoft Office.  The updates to IE and Windows require a restart.

Users of Windows XP are reminded that support for Windows XP ends on April 8, 2014.  See Tim Rains' article, The Countdown Begins: Support for Windows XP Ends on April 8, 2014.

Bulletin No.   Bulletin Title                                     Bulletin KB
MS13-047       Cumulative Security Update for Internet Explorer   2838727
MS13-048       Vulnerability in Microsoft Windows                 2839229
MS13-049       Vulnerability in Microsoft Windows                 2845690
MS13-050       Vulnerability in Microsoft Windows                 2839894
MS13-051       Vulnerability in Microsoft Office                  2839571


Support

The following additional information is provided in the Security Bulletin:
  • The affected software listed has been tested to determine which versions are affected.  Other versions are past their support life cycle.  To determine the support life cycle for your software version, visit Microsoft Support Lifecycle.
  • Security solutions for IT professionals: TechNet Security Troubleshooting and Support
  • Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center
  • Local support according to your country: International Support

References

  • MSRC: Improved cryptography infrastructure and the June 2013 bulletins
  • TechNet: Microsoft Security Bulletin Summary for June 2013
  • Security and Safety Center:  Microsoft security updates for June 2013



Posted in Microsoft, Security, Updates, Vulnerabilities

Monday, June 10, 2013

Transition to Outlook from Hotmail

Posted on 5:36 PM by Unknown

Having used Hotmail for a very long time, when Outlook.com was first introduced I wasn't at all certain that I liked the changes.  However, it did not take long to appreciate the different features, and I have put behind me any skepticism I had about the change.

Even though the migration of your Hotmail account to Outlook.com was completed a number of weeks ago, you may still be struggling to discover how to complete tasks that were second nature before the migration.

First a few quick tips, and then a closer look at attachments and the Actions link.

Quick Tips

Following is a selection of quick tips that will help you navigate the new design for Outlook.com:
  • To see the Menu bar, click any e-mail.
  • Click "New" to start a new e-mail.
  • To add additional recipient(s) to an e-mail, click To or the box below To.
  • To reply all or forward an e-mail, click the down arrow next to Reply or click Actions, shown below.

Attachments

Sending and replying to e-mail is, of course, the primary function of your account.  Often that includes an attachment to accompany the message.

The familiar paperclip icon has been relocated from the e-mail creation area to a more logical location, the Menu bar.  This change makes complete sense because you can not only attach a file but also embed a picture inline or share a file or picture from SkyDrive.

Hotmail Before:

Hotmail Create email

Outlook.com After:

The change to Outlook.com still includes the familiar paperclip icon.  It is the wording and location that have changed.  Insert is a better description because the options to insert pictures inline or share a link to a file from SkyDrive can also be added to your e-mail.

Outlook.com Attachments

  • Selecting "Files as attachments" is the familiar option for attaching a file or picture that can be downloaded by the recipient.
  • When you select "Pictures inline", you can navigate to an image to embed the picture right in the e-mail.  Repeat the action to add additional pictures.
  • I love SkyDrive and believe that "Share from SkyDrive" is the ideal way to send large files rather than weighing down family and friends' inboxes with large attachments.

    Sharing from SkyDrive is also much easier than selecting multiple pictures with the "Pictures inline" option, since it is a one-step process to select multiple files at one time.  Place a check in each picture or document to be shared by clicking the image or file name.

    Share from SkyDrive

    There will be a note at the bottom of the e-mail with instructions to the recipient to click the link to access the file(s).

Actions

It is not uncommon that there is more than one way to accomplish a task.  For example, one way to print an e-mail is to click the ellipsis (...) on the Menu bar and select Print.  With keyboard shortcuts enabled, the shortcut Shift+P will also provide the print option.

There is a third way to print e-mails as well as access other useful functions.  With the e-mail open, clicking the familiar Actions link, carried forward from a Windows Live Hotmail update, provides not only the link to print but other immediate actions such as Forward, Delete or identifying the e-mail as Junk.

Outlook.com Actions

Although the Outlook.com junk e-mail filters are excellent, the information contained in the message source, often referred to as the "full header", is useful when deciding whether an e-mail that slips through is a phishing attempt or uses a spoofed address.  The Return-Path, Received and Authentication-Results headers in particular record where the message actually came from and whether it passed the provider's sender checks, regardless of what the From line displays.

~   ~   ~   ~   ~   ~

I am an Outlook.com and SkyDrive Insider.  If you have a question about this article, please leave a comment and I'll do my best to assist.

Learn more about the Outlook.com Insiders program here or the SkyDrive Insiders program here.

Posted in Outlook.com, SkyDrive, tutorial

Thursday, June 6, 2013

Security Bulletin Advance Notice for June 2013

Posted on 10:14 AM by Unknown

On Tuesday, June 11, 2013, Microsoft is planning to release five (5) bulletins.  One bulletin is identified as Critical, with the remaining four bulletins rated Important.

The Critical bulletin will address vulnerabilities in Microsoft Windows and Internet Explorer.  The bulletins rated Important will address issues in Microsoft Windows and Microsoft Office.

As happens each month, Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

References

  • MSRC Blog:  Advance Notification Service for June 2013 Security Bulletin Release
  • TechNet: Microsoft Security Bulletin Advance Notification for June 2013


Posted in Microsoft, Security, Updates, Vulnerabilities