Sensationalist Press Got it WRONG! Microsoft Does Not Recommend Two Antivirus Programs!

A recent article published by PC Pro has taken wings and is being quoted in numerous stories implying that a second antivirus program is needed when using Microsoft Security Essentials.  The article states,

"Now, Microsoft has said it sees Security Essentials as merely the first layer of protection, advising customers to use additional, third-party antivirus - although the company stressed that wasn't because the product wasn't good enough to stand on its own." (bold added)

The above statement by PC Pro is an obvious misinterpretation of Holly Stewart's comment (bold added), 

"It’s not as efficient to have one kind of weapon," she said. "Like anything you must have that diversity. It’s a weakness to just have one."

Why PC Pro is Wrong

Starting with the obvious, Microsoft Security Essentials on Windows 7, or earlier and Windows Defender on Windows 8 are disabled when a third-party antivirus software is installed.  Thus, an active second antivirus program cannot be run along side Microsoft Security Essentials or Windows Defender.

As clearly stated in this Microsoft Malware Protection Center help topic,

"It’s not a good idea to run other antivirus or antispyware products at the same time as Microsoft Security Essentials or Windows Defender.

Using more than one real-time security product can affect your PC performance. You might also get an error code when you try to update or install, such as 0x80070643."

The use of the word "weapon" by Holly Stewart in the above quote does not mean a second antivirus software, rather, as has long been recommended by the security community, a layered approach of another weapon is needed. 

In addition to one up-to-date antivirus software, it is also critical to maintain updated third-party applications such as Adobe products and Oracle Java and install Microsoft security updates. 

Along with "safe surfing", having one or two secondary security applications, such as my favorite Malwarebytes Antimalware and WinPatrol to supplement the work of your antivirus software program is generally recommended.

Microsoft Strategy Works!  

As illustrated in the Microsoft Malware Protection Center report, Evaluating our protection performance and capabilities, 99.9% of computers using Microsoft real-time protection reported no infections on the average day of August, 2013.  With results like that, it is clear that the change in focus by Microsoft to prevalent threats is obviously working.

Thus, PC Pro, Microsoft Security Essentials is not designed to be at the bottom of the antivirus rankings.  It is designed to target prevalent threats to consumer's computers, as illustrated in the change log for 1.159.819.0, released today.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Read More

Security Advisory 2887505 and Microsoft Fix it

Microsoft released Security Advisory 2887505 which relates to an issue with Internet Explorer.

It is important to note that there are a limited number of targeted attacks which are specifically directed at Internet Explorer 8 and 9. The issue, however, could potentially affect all supported versions of IE.

As described by Dustin Childs in the below-referenced MSRC Blog post,

"This issue could allow remote code execution if an affected system browses to a website containing malicious content directed towards the specific browser type. This would typically occur when an attacker compromises the security of trusted websites regularly frequented, or convinces someone to click on a link in an email or instant message."

Mitigations

Microsoft has made available a Fix it solution for users of Internet Explorer.  Additional mitigations include the following advice, also from the MSRC Blog post:

• Set Internet and local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
  This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
• Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones
  This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.

Below are the links to both apply and uninstall the Fix it solution.  Note:  The Fix it solution applies only 32-bit versions of Internet Explorer.
 

Apply Fix it	Uninstall Fix it
Microsoft Fix it 51001	Microsoft Fix it 51002

Another option is to install the Enhanced Mitigation Experience Toolkit (EMET), described in the "workarounds" section of the Tech Net Advisory.

If you have Windows Vista or Windows 7 installed, you should have updated to IE9 or IE10.  In the event you haven't, it is strongly advised that you update!

References:

• Microsoft KB Article 2887505: Microsoft Security Advisory: Vulnerability in Internet Explorer could allow remote code execution
• MSRC: Microsoft Releases Security Advisory 2887505
• Security Research & Defense: CVE-2013-3893: Fix it workaround available
• Tech Net Advisory: Microsoft Security Advisory (2887505): Vulnerability in Internet Explorer Could Allow Remote Code Execution

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Read More

Firefox 24.0 Released With Critical Security Updates

Mozilla sent Firefox Version 24.0 to the release channel.  At the the time of this posting, there is no indication of security fixes included.  An update will be made if or when that information has been provided.

Update:  The security fixes included in version 24.0 have finally been posted.  It is advised that this update be installed ASAP.

Version 24.0 includes seventeen security updates of which seven are critical, four high, and six moderate.
 

Fixed in Firefox 24

MFSA 2013-92 GC hazard with default compartments and frame chain restoration
MFSA 2013-91 User-defined properties on DOM proxies get the wrong "this" object
MFSA 2013-90 Memory corruption involving scrolling
MFSA 2013-89 Buffer overflow with multi-column, lists, and floats
MFSA 2013-88 compartment mismatch re-attaching XBL-backed nodes
MFSA 2013-87 Shared object library loading from writable location
MFSA 2013-86 WebGL Information disclosure through OS X NVIDIA graphic drivers
MFSA 2013-85 Uninitialized data in IonMonkey
MFSA 2013-84 Same-origin bypass through symbolic links
MFSA 2013-83 Mozilla Updater does not lock MAR file after signature verification
MFSA 2013-82 Calling scope for new Javascript objects can lead to memory corruption
MFSA 2013-81 Use-after-free with select element
MFSA 2013-80 NativeKey continues handling key messages after widget is destroyed
MFSA 2013-79 Use-after-free in Animation Manager during stylesheet cloning
MFSA 2013-78 Integer overflow in ANGLE library
MFSA 2013-77 Improper state in HTML5 Tree Builder with templates
MFSA 2013-76 Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9)

What’s New

• NEW -- Support for new scrollbar style in Mac OS X 10.7 and newer
• NEW -- Implemented Close tabs to the right
• NEW -- Social: Ability to tear-off chat windows to view separately by simply dragging them out
• CHANGED -- Accessibility related improvements on using pinned tabs (see 577727)
• CHANGED -- Removed support for Revocation Lists feature (see 867465)
• CHANGED -- Performance improvements on New Tab Page loads (see 791670)
• FIXED -- Replace fixed-ratio audio resampler in webrtc.org capture code with Speex resampler and eliminate pseudo-44000Hz rate ( see 886886)
• FIXED -- 24.0: Security fixes can be found here

Update

To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu.

If you do not use the English language version, Fully Localized Versions are available for download.

References

• Common questions after updating Firefox
• Security Updates
• Mozilla Firefox Release Notes
• Bug Fixes 

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Read More

Oracle Java Update

Oracle released the Java SE 7u40 today.  In addition to bug fixes and enhancements, the update includes the following:

• advanced monitoring and diagnostic capabilities that enable developers to gather detailed runtime information and perform efficient data analysis without impacting system performance; 
• a new security policy that gives system administrators greater control over Java running on desktops; 
• improved performance and efficiencies for Java on ARM servers and support for Mac OS X retina displays.

If Java is still installed on your computer, it is recommended that this update be installed.

For those people who have desktop applications that require Java and cannot uninstall it, Java can now be disabled in Internet Explorer.  See Microsoft Fix it to Disable Java in Internet Explorer.

Java Security Recommendations

1)  In the Java Control Panel, at minimum, set the security to high.
2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

(Image via Sophos Naked Security Blog)

3)  If you use Firefox, install NoScript and only allow Java on those sites where it is required.

Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml

Download Information

Download link:   Java SE 7 Update 40

Verify your version:  http://www.java.com/en/download/testjava.jsp

Notes:

• UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.
• Starting with Java SE 7 Update 21 in April 2013, all Java Applets and Web Start Applications should be signed with a trusted certificate.  It is not recommended to run untrusted/unsigned Certificates.  See How to protect your computer against dangerous Java Applets

Critical Patch Updates

Starting with the October 2013 Critical Patch Update, security fixes for Java SE will be released under the normal Critical Patch Update schedule. A pre-release announcement will be published on the Thursday preceding each Critical Patch Update release.


For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:

• 15 October 2013
• 14 January 2014
• 15 April 2014
• 15 July 2014

References

• Critical Patch Updates, Security Alerts and Third Party Bulletin
• Oracle Blog
• Release Notes
• Java, The Never-Ending Saga  

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Read More

Microsoft Security Updates for September 2013

Microsoft released thirteen (13) bulletins.  Four of the bulletins are identified as Critical with the remaining nine bulletins rated Important.

The updates address 47 unique CVEs in Microsoft Windows, Office, Internet Explorer and SharePoint. The updates to Windows require a restart.



Critical:

• MS13-067 -- Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2834052)
• MS13-068 -- Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (2756473)
• MS13-069 -- Cumulative Security Update for Internet Explorer (2870699)
• MS13-070 -- Vulnerability in OLE Could Allow Remote Code Execution (2876217)

Important:

• MS13-071 -- Vulnerability in Windows Theme File Could Allow Remote Code Execution (2864063)
• MS13-072 -- Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2845537)
• MS13-073 -- Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2858300)  
• MS13-074 -- Vulnerabilities in Microsoft Access Could Allow Remote Code Execution (2848637) 
• MS13-075 -- Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2878687) 
• MS13-076 -- Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege (2876315) 
• MS13-077 -- Vulnerability in Windows Service Control Manager Could Allow Elevation of Privilege (2872339) 
• MS13-078 -- Vulnerability in FrontPage Could Allow Information Disclosure (2825621) 
• MS13-079 -- Vulnerability in Active Directory Could Allow Denial of Service (2853587)  

Users of Windows XP are reminded that support ends for Windows XP on April 8, 2014.  See Tim Rains article, The Countdown Begins: Support for Windows XP Ends on April 8, 2014.

Support

The following additional information is provided in the Security Bulletin:

• The affected software listed have been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your software version, visit Microsoft Support Lifecycle.
• Security solutions for IT professionals: TechNet Security Troubleshooting and Support
• Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center
• Local support according to your country: International Support

References

• MSRC: Lovely tokens and the September 2013 security updates
• TechNet: Microsoft Security Bulletin Summary for September 2013

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Read More

Critical Adobe Flash Player, AIR and Shockwave Player Updates

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux.  These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

With today's Windows Update, Internet Explorer 10 and 11 in Windows 8 and Windows 8.1 Preview are also updated.  Windows RT must obtain the update from Windows Update.

Update Information

The newest versions are as follows:

Windows and Macintosh:  11.8.800.168
Linux: 11.2.202.310
Android 4x: 11.1.115.81
Android 3x:  11.1.111.73

Adobe AIR:  3.8.1430

Release date: September 10, 2013
Vulnerability identifier: APSB13-21
CVE number: CVE-2013-3361, CVE-2013-3362, CVE-2013-3363, CVE-2013-5324
Platform: All Platforms

Flash Player Update Instructions

Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install Google Drive.

It is recommended that you either use the auto-update mechanism within the product when prompted, or my preference, the direct download links.

• Non-IE (Opera, Firefox, Etc.):  http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_plugin.exe
   
• Windows XP, Vista and 7:
  Flash Player For Internet Explorer 7, 8, 9, 10:  http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_active_x.exe
  
  Windows 8 and 8.1:
  Flash Player for Internet Explorer 10 and 11: Microsoft updated Security Advisory 2755801.  If you do not have Automatic Updates enabled, the Flash Player update can be downloaded from Microsoft Security Advisory: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10: July 9, 2013.
  
  
• Flash Player Uninstaller:  http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe

Notes:

• If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
• Uncheck any toolbar offered with Adobe products if not wanted.
• If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
• The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.

Adobe Flash Player for Android

The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.   

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

Adobe Shockwave Player

Adobe has released a security update for Adobe Shockwave Player 12.0.3.133 and earlier versions on the Windows and Macintosh operating systems.

This update addresses vulnerabilities that could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.

Although I have yet to need Shockwave Player on this computer, there are still many people who use it.  If you have Shockwave Player installed, please update to the latest version.

Release date: September 10, 2013
Vulnerability identifier: APSB13-23

CVE number: CVE-2013-3359 and CVE-2013-3360
Platform: Windows and Macintosh

The newest version  12.0.4.144 is available here: http://get.adobe.com/shockwave/.  As usual, watch for any pre-checked add-ons not needed for the update.

References

• Adobe Priority Ratings
• Adobe Security Advisory: Security updates available for Adobe Flash Player
• AIR Download Center
• PSIRT Blog
• Release Notes:  Flash Player® 11.8 AIR® 3.8

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Read More

Adobe Reader Security Updates

Adobe has released security updates for Adobe Reader and Acrobat XI (11.0.03) and earlier versions for Windows and Macintosh.

Adobe identifies this update as a regular quarterly update that provides security mitigations, feature enhancements, and bug fixes.  Note, however that the updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.


Release date: September 10, 2013
Vulnerability identifier: APSB13-22
CVE numbers: CVE-2013-3351, CVE-2013-3352, CVE-2013-3353, CVE-2013-3354, CVE-2013-3355, CVE-2013-3356, CVE-2013-3357, CVE-2013-3358
Platform: Windows and Macintosh

Update or Complete Download

Update checks can be manually activated by choosing Help > Check for Updates.

• Adobe Reader XI (11.0.04) for Windows is available here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.
• Adobe Reader XI (11.0.04) for Macintosh is available here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh.
• Adobe Reader for Linux is not updated. 

Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

Enable "Protected View"

Due to frequent vulnerabilities, it is recommended that Windows users of Adobe Reader and Acrobat ensure that Protected View is enabled.  Neither the Protected Mode or Protected View option is available for Macintosh users.

To enable this setting, do the following:

• Click Edit > Preferences > Security (Enhanced) menu. 
• Change the "Off" setting to "All Files".
• Ensure the "Enable Enhanced Security" box is checked. 

Image via Sophos Naked Security Blog

If you are looking for a replacement for Adobe Reader, consider Replacing Adobe Reader with Sumatra PDF.

References

• PSIRT Blog
• Release Notes | Acrobat, Reader
• Security Bulletin
• System Requirements

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Read More

Security Bulletin Advance Notice for September, 2013

On Tuesday, September 10, 2013, Microsoft is planning to release fourteen (14) bulletins.  Four of the bulletins are identified as Critical with the remaining ten bulletins rated Important.

The Critical updates will address issues in Internet Explorer, Outlook, SharePoint and Windows. The updates to Windows will require a restart.

Users of Windows XP are reminded that support ends for Windows XP on April 8, 2014.  See Tim Rains article, The Risk of Running Windows XP After Support Ends April 2014.

As happens each month, Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

References

• MSRC: Advance Notification Service for September 2013 Security Bulletin Release
• TechNet: Microsoft Security Bulletin Summary for September 2013

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Read More