Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) is free software that improves the overall security of Windows computers. EMET isn’t a replacement for anti-malware software; rather, it provides additional protections that complement anti-malware software.
There’s little downside to using EMET, so we recommend installing it on all Windows computers. By default, it provides specific protections for Microsoft software, including Office and Internet Explorer.
Apparently a new version of Adobe Shockwave was released on July 1, 2014. The new version is 12.1.3.153.
The main welcome/download page for Shockwave shows the latest version and provides a test that shows the version you’re currently running. If you’re not running the latest version, you can download and install it from that page. The Shockwave Player Help page does much the same thing.
Adobe’s web resources for Shockwave are appallingly bad. The list of security updates is over a year out of date. The most recent update listed is for version 12.1.0.150. The official Shockwave version history is even worse, as it hasn’t been updated since 2007! There doesn’t seem to be any kind of update alert mechanism, such as an RSS feed, although with the information so out of date, that wouldn’t really help.
Thanks once again to organizations like CERT and SANS, this morning I was alerted to a new version of Firefox.
Version 31 includes fixes for security vulnerabilities and other bugs, and adds several features, none of which is likely to be of much interest to anyone except developers.
A whopping 26 security vulnerabilities are addressed in the latest version of Google’s web browser. The new version also includes fixes related to stability and performance, and adds some minor features. The official announcement has all the details.
Oracle published its most recent quarterly Critical Patch Update bulletin on Wednesday. The bulletin describes updates to most of Oracle’s products, including its flagship database software, but the updates of interest to most people are those related to Java.
As usual, given the severity of the vulnerabilities fixed by these new versions, you are strongly encouraged to update as soon as possible, particularly if you are using a Java-enabled web browser. Brian Krebs has more.
A set of fraudulent security certificates was identified by security researchers at Google on July 8. The certificates were issued by an authority in India, and trusted by the Microsoft Root Store. That means the bogus certificates potentially impact anyone using certain Windows applications, and especially Internet Explorer.
These days ‘Patch Tuesday’ means Adobe updates as well as Microsoft updates. This month was no different: Adobe released a new version of Flash that addresses at least three vulnerabilities, including the JSONP callback API problem that made several popular sites potentially vulnerable.
The Flash runtime announcement for the new version outlines a few new features, most of which are likely only of interest to developers. The associated security bulletin gets into the details of the included security fixes.
As usual, Google Chrome will update itself, but this time via its internal ‘component updater’ rather than with a new version of the browser. Warning: the component updater sometimes takes a few days to do its work; unfortunately, there doesn’t seem to be any way to force the update.
Updates for the Flash component in Internet Explorer running on Windows 8.x will be made available through Windows Update.
As expected, there are six bulletins and associated patches this month. The updates affect Windows and Internet Explorer. Two are rated Critical. A total of 29 CVEs (Common Vulnerabilities and Exposures) are addressed. The MSRC post for this month’s updates has additional information.
This month’s updates will become available around 10am PST on July 8. There are expected to be six bulletins, with associated updates affecting Windows and Internet Explorer. Two are tagged as Critical.
One of the updates made available by Microsoft for June’s Patch Tuesday makes Internet Explorer much more resistant to attacks based on a particular form of security flaw known as ‘use after free’.