Oracle has released a new version of Java that addresses a large number of vulnerabilities. This is a scheduled “Critical Patch Update” (CPU) for June 2013.
This moves Java 7 from Update 21 to Update 25 (1.7.0_21 to 1.7.0_25).
Anyone using Java in a web browser should install this update immediately.
Yesterday, Google announced another new version of their web browser, Chrome.
The new version is 27.0.1453.116, and it includes a few security fixes, as well as the latest integrated version of Flash (11.7.700.225).
A Flash vulnerability supposedly already fixed by Adobe is still a problem in some browser/platform combinations. This clickjacking exploit works by hiding a Flash security dialog under other page content, enticing the user into unintentionally clicking the dialog and allowing remote access to the user’s camera and microphone. Be careful what you click!
Oracle has announced an update for Java that is scheduled for release later today. The new version will fix a whopping 40 security vulnerabilities in current versions of Java, with 37 of those being remotely exploitable without authentication.
Google has announced a new version of Chrome with the latest updates to Flash. The new version of Chrome will contain Flash version 11.7.700.225.
At this time, the update has not yet become available for download.
Adobe has just announced another Flash update. The new version is 11.7.700.224. As always, this update addresses “vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.”
The official bulletin has all the technical details. The runtime announcement has additional details.
An equivalent patch for Internet Explorer 10 on Windows 8 will be available from Microsoft Update. The new version of Flash in IE10 will be 11.7.700.224.
Google Chrome has also been updated to include a new version of Flash: 11.7.700.225. Chrome normally updates its own version of Flash automatically.
Update 2013Jun14: The Internet Explorer 10 Flash update is now available.
This month there are five bulletins, addressing 23 vulnerabilities in Windows, Office and Internet Explorer. Only one (MS13-047, affecting Internet Explorer) is marked as Critical.
The bulletin summary has all the technical details.
Related links:
– Improved cryptography infrastructure and the June 2013 bulletins
– SANS: Microsoft June 2013 Black Tuesday Overview
An excellent post over at Duo Security reviews the seven methods used to steal your user IDs and passwords.
Unfortunately, aside from using strong, unique passwords, running anti-malware software, and being generally careful in one’s online activities, there’s not much an individual can do to protect oneself from these techniques. Most of the responsibility for protecting users is in the hands of the people who run the web sites that use your credentials. When they make mistakes, we all lose.
Actually, there is one sure-fire way to avoid these problems: just don’t use any online service that requires a password. Not too practical, but still better than getting rid of all your computers.
This month’s Patch Tuesday arrives on June 11. Updates should become available from about 10am PST on that date.
The bulletins: there are five this month, including one for Internet Explorer that’s marked Critical. More technical details are available on the official announcement page.
Microsoft and its partners have successfully disrupted another botnet. This time the target was Citadel, which was being used to harvest banking information.
boot13