Friday, September 7, 2012

Uninstall or downgrade Java, update Flash Player and your PDF Reader

After a couple of busy months which kept me from updating this blog I am back. I will try to update this at least weekly from now on.

1. Uninstall Java or go back to version 6. If you have Java installed on your computer and don't need it, UNINSTALL IT. There is an unpatched flaw in all releases of version 7 which can be used in drive-by downloads to infect your computer just by visiting a hacked or malicious website. Check your version number here: Verify Java Version. If you must use Java for any reason, I recommend uninstalling version 7 and installing version 6u35, which does not have the same flaws. If you have to keep it, disable it in your browser except when needed. More below, and please feel free to email me (with your browser version) if you need help disabling Java.

2. Update Flash Player (or uninstall it). Flash Player, required for YouTube and other videos, is now at version 11.4.x for Windows (different version numbers for Mac, Linux, and Android). If you have it and are not at the current version, update it ASAP. Check your version number here: Adobe Flash Player.

3. Update your PDF Reader. My current PDF Reader is Sumatra PDF (v2.1.1), but I also have the latest Foxit Reader (v5.4) installed. Both were updated this summer. If you still have Adobe Reader, you should be at version 9.5.2 or 10.1.4, as earlier versions have known "in the wild" exploits against them.

4. Do Windows Updates.  If you do not have Windows Update set to automatic, you need to update Windows. Several critical issues were fixed in the August and September Patch-Tuesday events. See these ISC pages (July and August) for more technical details or these ZDNet pages (July and August) and Krebs on Security pages (July and August) for user-friendly discussions.

5. Update Apple Remote Desktop.  Apple Remote Desktop, which many Mac users use to connect to their home or office computer while on the road, would connect insecurely without informing the remote user.
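Checking an inventory of installed versions against the minimum versions the five steps above call for, as an added example that is not part of the original post (the sample inventory is constructed for illustration; branch rules are taken from the versions named in this post):

```python
"""Version check for the products in this post's update checklist.
Added example, not code from the original post. The installed-version
inventory under __main__ is constructed sample data, not read from a machine."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Minimum patched version per product and major-version branch, as stated in
# the post. None marks a branch the post treats as unsafe in every release
# (Java 7 had an unpatched flaw when this was written).
MINIMUM_PATCHED: Dict[str, Dict[int, Optional[Version]]] = {
    "Java": {6: (6, 0, 35), 7: None},
    "Flash Player": {11: (11, 4)},
    "Sumatra PDF": {2: (2, 1, 1)},
    "Foxit Reader": {5: (5, 4)},
    "Adobe Reader": {9: (9, 5, 2), 10: (10, 1, 4)},
}

def parse_version(text: str) -> Version:
    """Normalise vendor version strings to comparable int tuples: Java's
    '6u35' and '1.6.0_35' both become (6, 0, 35); dotted strings such as
    '11.3.300.271' or '5.4.2.0901' are split on '.' and '_'."""
    m = re.fullmatch(r"(\d+)u(\d+)", text) or re.fullmatch(r"1\.(\d+)\.0_(\d+)", text)
    if m:
        return (int(m.group(1)), 0, int(m.group(2)))
    return tuple(int(part) for part in re.split(r"[._]", text))

def assess(product: str, installed: str) -> str:
    """Return 'ok', 'update', 'uninstall or downgrade' or 'unknown branch'."""
    version = parse_version(installed)
    branches = MINIMUM_PATCHED.get(product, {})
    if version[0] not in branches:
        return "unknown branch"
    minimum = branches[version[0]]
    if minimum is None:
        return "uninstall or downgrade"
    # Tuple comparison treats a longer tuple with an equal prefix as newer,
    # so 11.4.402.265 satisfies a minimum of (11, 4).
    return "ok" if version >= minimum else "update"

def check_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    return {product: assess(product, v) for product, v in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory for demonstration only.
    sample = {"Java": "1.7.0_7", "Flash Player": "11.3.300.271",
              "Adobe Reader": "10.1.3", "Foxit Reader": "5.4.2.0901"}
    for product, verdict in check_inventory(sample).items():
        print(f"{product}: {sample[product]} -> {verdict}")
```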



Java Runtime Engine
30 August 2012 (5 September 2012 for Apple)

More info here:
Pages about the unpatched new vulnerability reported after 7u7 was released are here:
NOTE 1: download the OFFLINE installer, not the ONLINE installer. The "online installer" often comes with additional installed-by-default crapware like "McAfee Security Scanner" or the "Ask toolbar", while the "offline installer" does not.
NOTE 2: after you update Java, home users should go to the Control Panel and change the "Check for updates" frequency from the default (once a month) to "Daily".
NOTE 3: Even Microsoft says "Update Java or kill it" (an article on ZDNet).



Adobe Flash Player
21 August 2012
Adobe - Security Bulletins: APSB12-19 - Security updates available for Adobe Flash Player
Adobe has released security updates for Adobe Flash Player 11.3.300.271 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.236 and earlier versions for Linux, Adobe Flash Player 11.1.115.11 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.10 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
Even though Adobe has abandoned Linux, a security update is available.
For more info, see these pages:


Firefox 15.0.1
7 September 2012

Mozilla has released Version 15.0.1 of the Firefox browser. This version fixes a bug with Private Browsing mode.



Your PDF reader should be one of these (more below):
  • SumatraPDF 2.1.1
  • Foxit Reader 5.4
  • Adobe Reader 9.5.2 or 10.1.4
I have both SumatraPDF (for daily use) and Foxit Reader (for advanced use) installed on my primary systems. I do NOT have Adobe Reader installed anywhere at this time.
Sumatra PDF v2.1.1
Sumatra PDF is a very lightweight PDF reader which is my current preferred reader. Get it here:
Foxit Reader 5.4.2
7 September 2012

The free Foxit PDF Reader has been updated to Version 5.4.2.0901. This update adds support for DocuSign and Microsoft SharePoint Server, as well as a range of bug fixes.

See: Foxit Reader Security Bulletin
SUMMARY
Foxit Reader 5.4 fixed an issue where Foxit Reader may call and run malicious code in the Dynamic Link Library (DLL) file. Attackers could place the infected DLL file, whose name is the same as the system DLL in the Windows prior search path, and then enable Foxit Reader to call the malicious file.

Affected Versions
  • Foxit Reader 5.3.1.0606 and earlier.
Fixed in Version
  • Foxit Reader 5.4

Note that the Enterprise Foxit Reader has not been updated since version 5.1 and should be removed from your system. Replace it with SumatraPDF or the home-user version of Foxit Reader.

Adobe Reader 9.5.2 or 10.1.4
14 August 2012
See:
Adobe - Security Bulletins: APSB12-16 - Security update available for Adobe Reader and Acrobat
Adobe has released security updates for Adobe Reader and Acrobat X (10.1.3) and earlier versions for Windows and Macintosh. These updates address vulnerabilities in the software that could cause the application to crash and potentially allow an attacker to take control of the affected system.

Adobe recommends users update their product installations to the latest versions:
  • Users of Adobe Reader X (10.1.3) and earlier versions for Windows and Macintosh should update to Adobe Reader X (10.1.4).
  • For users of Adobe Reader 9.5.1 and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader X (10.1.4), Adobe has made available the update Adobe Reader 9.5.2.
Get Adobe Reader installers and patches here: Adobe - Adobe Reader : For Windows


Apple Remote Desktop
20 August 2012
Apple Remote Desktop, which many Mac users use to connect to their home or office computer while on the road, would connect insecurely even when told to connect securely.

Apple Remote Desktop 3.6.1
When connecting to a third-party VNC server with "Encrypt all network data" set, data is not encrypted and no warning is produced. This issue is addressed by creating an SSH tunnel for the VNC connection in this configuration, and preventing the connection if the SSH tunnel cannot be created.