After a couple of busy months which kept me from updating this blog I am back. I will try to update this at least weekly from now on.
1. Uninstall Java or go back to version 6. If you have Java installed on your computer and don't need it, UNINSTALL IT. There is an unpatched flaw in all releases of version 7 which can be used in drive-by downloads to infect your computer just by visiting a hacked or malicious website. Check your version number here: Verify Java Version. If you must use Java for any reason, I recommend uninstalling version 7 and getting version 6u35, which does not have the same flaws. If you have to have it for some reason, disable it in your browser except when needed. More below, and please feel free to email me (with your browser version) if you need help disabling Java.
2. Update Flash Player (or uninstall it). Flash Player, required for Youtube and other videos, is now at version 11.4.x for Windows (different version numbers for Mac, Linux, and Android). If you have it and are not at the current version, update it ASAP. Check your version number here: Adobe Flash Player.
3. Update your PDF Reader. My current PDF Reader is Sumatra PDF (v2.1.1), but I also have the latest Foxit Reader (v5.4) installed. Both were updated this summer. If you still have Adobe Reader, you should be at version 9.5.2 or 10.1.4 as earlier versions have known "in the wild" exploits against them.
4. Do Windows Updates. If you do not have Windows Update set to automatic, you need to update Windows. Several critical issues were fixed in the August and September Patch-Tuesday events. See these ISC pages (July and August) for more technical details or these ZDNet pages (July and August) and Krebs on Security pages (July and August) for user-friendly discussions.
5. Update Apple Remote Desktop. Apple Remote Desktop, which many Mac users use to connect to their home or office computer while on the road, would connect insecurely without informing the remote user.
Java Runtime Engine
30 August 2012 (5 September 2012 for Apple)
- Oracle Security Alert for CVE-2012-4681
- Oracle Java Runtime Environment 6u35 Downloads
- Oracle Java Runtime Environment 7u7 Downloads
More info here:
- ISC Diary | Quick Bits about Today's Java 0-Day
- ISC Diary | Oracle Releases Java Security Updates
- Oracle issues emergency fix for Java security vulnerabilities - SC Magazine
- Security Fix for Critical Java Flaw Released — Krebs on Security
- Apple Releases Fix for Critical Java Flaw — Krebs on Security
NOTE 1: download the OFFLINE installer, not the ONLINE installer. The "online installer" often comes with additional installed-by-default crapware like "McAfee Security Scanner" or the Ask toolbar, while the "offline installer" does not.
Pages about the unpatched new vulnerability reported after 7u7 was released are here:
- Java Users Still Not Safe, Experts Report New Vulnerability to Oracle (Exclusive) - Softpedia
- Disable Java NOW, users told, as 0-day exploit hits web * The Register
- Warning on critical Java hole - The H Security: News and Features
- Java zero day vulnerability actively used in targeted attacks | ZDNet
Security researchers from FireEye, AlienVault, and DeependResearch have intercepted targeted malware attacks utilizing the latest Java zero day exploit. The vulnerability affects Java 7 (1.7) Update 0 to 6. It does not affect Java 6 and below.
NOTE 2: after you update Java, home users should go to the Control Panel and change the "Check for updates" frequency from the default (once a month) to "Daily".
NOTE 3: Even Microsoft says Update Java or kill it (an article on ZDNet).
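As an added example (not from the original post), here is a small Python check that parses the banner printed by `java -version` and classifies the installed runtime by the rules above: 7u0 to 7u6 exposed to CVE-2012-4681, 7u7 patched for that flaw but affected by the newer unpatched one, 6u35 the recommended release. The status labels and the sample version strings are my own construction.

```python
import re
import subprocess

# `java -version` prints its banner on stderr, e.g.: java version "1.7.0_07"
# Oracle numbering is 1.<family>.0_<update>, so 1.7.0_07 is "Java 7 Update 7" (7u7).
_VERSION_RE = re.compile(r'version "1\.(\d+)\.0(?:_(\d+))?')


def parse_java_version(banner):
    """Return (family, update) from a `java -version` banner, e.g. (7, 7) for 1.7.0_07."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("unrecognised java -version output: %r" % banner)
    return int(m.group(1)), int(m.group(2) or 0)


def assess_java(banner):
    """Classify an installed JRE by the advice in this post (labels are assumed, not Oracle's)."""
    family, update = parse_java_version(banner)
    if family == 7 and update <= 6:
        return "vulnerable"        # 7u0-7u6: CVE-2012-4681, exploited in the wild
    if family == 7:
        return "unpatched-7-flaw"  # 7u7 fixes CVE-2012-4681, but a newer Java 7 flaw is unpatched
    if family == 6 and update >= 35:
        return "current"           # 6u35 is the recommended release
    if family == 6:
        return "outdated"          # older 6.x: update to 6u35
    return "unsupported"           # Java 5 and earlier: uninstall


def installed_java_status():
    """Run the local `java -version` and classify it; 'not-installed' if no java is on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "not-installed"
    return assess_java(proc.stderr + proc.stdout)


if __name__ == "__main__":
    print(installed_java_status())
```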
Adobe Flash Player
21 August 2012
Adobe - Security Bulletins: APSB12-19 - Security updates available for Adobe Flash Player
Adobe has released security updates for Adobe Flash Player 11.3.300.271 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.236 and earlier versions for Linux, Adobe Flash Player 11.1.115.11 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.10 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
Even though Adobe has abandoned Linux, a security update is available.
For more info, see these pages:
Firefox 15.0.1
7 September 2012
Mozilla has released Version 15.0.1 of the Firefox browser. This version fixes a bug with Private Browsing mode.
Your PDF reader should be one of these (more below):
- SumatraPDF 2.1.1
- Foxit Reader 5.4
- Adobe Reader 9.5.2 or 10.1.4
Sumatra PDF v2.1.1
Sumatra PDF is a very lightweight PDF reader which is my current preferred reader. Get it here:
- Download page
- Direct link to Installer
- Direct link to Portable version (a single executable that can be run e.g. from USB drive and doesn't write to registry)
Foxit Reader 5.4.2
7 September 2012
The free Foxit PDF Reader has been updated to Version 5.4.2.0901. This update adds support for DocuSign and Microsoft SharePoint Server, as well as a range of bug fixes.
See: Foxit Reader Security Bulletin
SUMMARY
Foxit Reader 5.4 fixed an issue where Foxit Reader may call and run malicious code in the Dynamic Link Library (DLL) file. Attackers could place the infected DLL file, whose name is the same as the system DLL in the Windows prior search path, and then enable Foxit Reader to call the malicious file.
Affected Versions: Foxit Reader 5.3.1.0606 and earlier.
Fixed in Version: Foxit Reader 5.4
Note that the Enterprise Foxit Reader has not been updated since version 5.1 and should be removed from your system. Replace it with SumatraPDF or the home-user version of Foxit Reader.
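The Foxit bulletin above describes DLL planting: a file carrying a system DLL's name, placed in a directory Windows searches before System32, gets loaded instead of the real library. As an added example (my own code, not Foxit's), this Python check lists files in such directories whose names collide with system DLL names; the demo builds a constructed fixture with a placeholder DLL name, while on Windows `system_dll_names()` reads the real System32 listing.

```python
import os
import tempfile


def system_dll_names():
    """Basenames of DLLs in System32 on Windows; empty elsewhere (the demo supplies its own)."""
    root = os.environ.get("SystemRoot")
    sys32 = os.path.join(root, "System32") if root else ""
    if not sys32 or not os.path.isdir(sys32):
        return set()
    return {n.lower() for n in os.listdir(sys32) if n.lower().endswith(".dll")}


def find_shadowing_dlls(search_dirs, sys_dlls):
    """Return (directory, filename) for each file in search_dirs named like a system DLL.
    search_dirs are directories Windows consults before System32 (the application
    directory, and the current directory under the legacy search order), so a same-named
    file there would be loaded in place of the real library."""
    wanted = {n.lower() for n in sys_dlls}
    hits = []
    for d in search_dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.lower() in wanted and os.path.isfile(os.path.join(d, name)):
                hits.append((d, name))
    return hits


def demo():
    """Constructed fixture: a clean app directory and a downloads folder holding a PDF
    next to a file named like a system DLL (EXAMPLE_SYS.DLL is a placeholder name)."""
    root = tempfile.mkdtemp()
    app_dir = os.path.join(root, "app")
    doc_dir = os.path.join(root, "downloads")
    os.makedirs(app_dir)
    os.makedirs(doc_dir)
    for fname in ("report.pdf", "EXAMPLE_SYS.DLL"):
        open(os.path.join(doc_dir, fname), "wb").close()
    return find_shadowing_dlls([app_dir, doc_dir], {"example_sys.dll", "other_sys.dll"})


if __name__ == "__main__":
    for d, name in demo():
        print("possible DLL planting: %s in %s" % (name, d))
```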
Adobe Reader 9.5.2 or 10.1.4
14 August 2012
See:
Adobe - Security Bulletins: APSB12-16 - Security update available for Adobe Reader and Acrobat
Adobe has released security updates for Adobe Reader and Acrobat X (10.1.3) and earlier versions for Windows and Macintosh. These updates address vulnerabilities in the software that could cause the application to crash and potentially allow an attacker to take control of the affected system.
Get Adobe Reader installers and patches here: Adobe - Adobe Reader : For Windows
Adobe recommends users update their product installations to the latest versions:
- Users of Adobe Reader X (10.1.3) and earlier versions for Windows and Macintosh should update to Adobe Reader X (10.1.4).
- For users of Adobe Reader 9.5.1 and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader X (10.1.4), Adobe has made available the update Adobe Reader 9.5.2.
Apple Remote Desktop
20 August 2012
Apple Remote Desktop, which many Mac users use to connect to their home or office computer while on the road, would connect insecurely even when told to connect securely.
Apple Remote Desktop 3.6.1
When connecting to a third-party VNC server with "Encrypt all network data" set, data is not encrypted and no warning is produced. This issue is addressed by creating an SSH tunnel for the VNC connection in this configuration, and preventing the connection if the SSH tunnel cannot be created.