Category Archives: Patches and updates

Vulnerability in Microsoft Malware Protection Engine

A serious vulnerability in the software at the core of Microsoft’s anti-malware solutions (Microsoft Malware Protection Engine) could open the door for DDoS attacks.

An attacker could create a special file, which – when scanned by affected software – would make the anti-malware software ineffective against any and all malware. A new patch from Microsoft fixes the vulnerability.

Software that uses the Malware Protection Engine is typically configured to update itself automatically. That includes Microsoft Security Essentials, a free Windows-based anti-malware solution.

If you are using MSSE, you can determine whether the patch has been installed by opening MSSE, clicking the small arrow next to ‘Help’, then clicking ‘About’. You should see a line like this:

Engine Version: 1.1.10701.0

If your Engine Version is 1.1.10701.0 or higher, then the patch has been installed and you are protected against this vulnerability. If the version is 1.1.10600.0 or lower, go to the Update tab and click the Update button.
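For anyone checking more than one machine, the same version test can be scripted, as long as the versions are compared numerically: a plain string comparison would rank 1.1.9901.0 above 1.1.10701.0. This is an added example, not part of the original post or any Microsoft tool; the host names, the sample inventory and the function names are constructed for illustration.

```python
import re

PATCHED_MIN = (1, 1, 10701, 0)     # from the post: this version or higher is patched
VULNERABLE_MAX = (1, 1, 10600, 0)  # from the post: this version or lower needs updating

# Constructed sample inventory: (host, "Engine Version" string as shown under About).
SAMPLE_INVENTORY = [
    ("ws-01", "1.1.10701.0"),
    ("ws-02", "1.1.10600.0"),
    ("ws-03", "1.1.9901.0"),
    ("ws-04", "1.1.10802.0"),
    ("ws-05", "1.1.10650.0"),
    ("ws-06", "unknown"),
]


def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not four dotted numbers."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text):
        return None
    return tuple(int(part) for part in text.split("."))


def classify(text):
    """Classify an engine version string against the two versions named in the post."""
    version = parse_version(text)
    if version is None:
        return "unparseable"
    if version >= PATCHED_MIN:
        return "patched"
    if version <= VULNERABLE_MAX:
        return "update-needed"
    # The post does not say anything about versions between the two it names.
    return "unspecified"


def hosts_needing_attention(inventory):
    """Return (host, status) for every host that is not confirmed patched."""
    results = [(host, classify(version)) for host, version in inventory]
    return [(host, status) for host, status in results if status != "patched"]


if __name__ == "__main__":
    for host, status in hosts_needing_attention(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```
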

Microsoft Security Advisory 2974294 provides additional details.

Required update for Internet Explorer 11

Microsoft is apparently trying to reduce the amount of work they face when creating software updates.

The latest wrinkle is that anyone running Internet Explorer 11 on Windows 7 must install update KB2929437 in order to continue receiving updates for Internet Explorer.

In other words, if you fail to install KB2929437, you will stop seeing updates (including critical security updates) for Internet Explorer in Windows Update and Autoupdate.

Shockwave 12.1.2.152

The latest version of Adobe Shockwave Player is 12.1.2.152.

Unfortunately, the release notes for Shockwave on the Adobe site haven’t been updated since 2007, so it’s difficult to know for sure what’s different about this version. However, given Adobe’s reputation, it’s safe to assume that running an older version of Shockwave will make your computer less secure.

Then again, since Shockwave apparently includes an old, insecure version of Flash, you might want to consider removing Shockwave from your computer completely, unless you absolutely require it. Another alternative is to configure your browser to prompt for activation whenever Shockwave media is encountered. See the instructions for doing this in Firefox elsewhere on this site.

Firefox 30.0 released

At least seven security issues were fixed in Firefox version 30.0, released yesterday.

The release notes for version 30.0 show several other changes in this release, but only one is worth mentioning. A new ‘Sidebars’ toolbar button was added, presumably based on complaints that version 29 made it more difficult to toggle the bookmark sidebar on and off. But toggling the sidebar still requires two clicks as opposed to the single click that was required before version 29. So that’s not exactly progress.

For those of you keeping score, the release notes pages for Firefox are still a mess.

Flash 14.0.0.125 fixes security issues

Another new version of Flash was released today. Version 14.0.0.125 closes six security vulnerabilities found in previous versions.

If Flash is enabled in your web browser, you should update it as soon as possible.

As usual, the embedded Flash in Internet Explorer on Windows 8.x is updated via Windows Update, while the embedded Flash in Chrome will update itself automatically.

Microsoft Patch Tuesday for June 2014

This month there are seven bulletins, with related patches affecting Internet Explorer, Windows and Office. A total of sixty-six security vulnerabilities are fixed with these updates.

Note that Microsoft is recommending upgrading to the latest version of Internet Explorer. IE 11 contains security features not found in previous versions and is therefore somewhat more secure than those older versions. Anyone still using Internet Explorer would do well to follow this advice.

Note also that this is the last set of updates that will be available for Windows 8.1 installations without Update 1. In other words, if you’ve held off on installing Update 1, you won’t get any updates next month or after that.

More flaws found in critical security software

Two new vulnerabilities were recently discovered in widely-used security software OpenSSL and GnuTLS.

The OpenSSL vulnerability is not as dangerous as the infamous Heartbleed bug, but can allow attackers to pull private information from communications between unpatched systems, including passwords.

The GnuTLS vulnerability can be used by malicious persons to execute arbitrary code on devices accessing specially-crafted web pages.

As with Heartbleed, these vulnerabilities mainly affect servers, although client software and operating systems that use the GnuTLS and OpenSSL libraries are also at risk. Patches are expected to be made available soon.

Opera 22 released

Yesterday another new version of the WebKit-based Opera browser was announced.

Opera 22.0.1471.50 introduces a new update process (on Windows computers) that is apparently completely silent: it updates Opera without any interaction from the user. A variety of stability and other issues were also fixed in the new version. For a complete list of what’s changed since version 21, see the official change log.

Sadly, there’s still no sidebar in Opera 22.