It looks to be a light month for Windows updates. The September 2012 Patch Tuesday advance warning bulletin lists only two bulletins, affecting Visual FoxPro and System Center Configuration Manager for Windows Server.
This month’s updates will become available on September 11.
Researchers have already found a vulnerability in Java 7 Update 7, which was only released yesterday. So far all we know is that a report, along with code demonstrating the security hole, has been submitted to Oracle, Java’s developer.
Details on the new Java hole show that it could be used to take over a vulnerable computer. So, once again, users are being urged to disable Java, especially in web browser software.
Your move, Oracle.
UPDATE 2012Sep01: SANS reports that a new email phishing attack exploiting this new Java hole is showing up in the wild. The email appears to be from Microsoft, and is patterned on a recent, legitimate Microsoft email message. The mail contains a URL that – once clicked – sends web browsers to a site that has been infected with the published Java exploit code. Advice to users is the same as usual: be very careful about clicking on any link you don’t know for sure is safe, and consider disabling Java in your web browser.
Another day, another new version of Chrome. Version 21.0.1180.89 includes security fixes as well as some other minor bug fixes.
Much to their credit, Oracle has released a patch for Java that fixes a recently-discovered security hole in Java.
CERT confirms that the new patch does indeed resolve the problem. All Java users – and that’s you, unless you’re absolutely certain Java is disabled – should apply this update as soon as possible. This affects Windows, Linux and MacOS users.
This is a welcome reaction from Oracle. Until this patch was released, it was assumed that the hole would not be fixed until the next regular patch cycle in October 2012.
A new version of the Opera web browser was announced today. Version 12.02 includes some security fixes, as well as some other minor changes.
The Opera blog post announcing version 12.02 also describes a way to avoid potential problems with the recently-announced Java security hole. It involves changing an Opera setting that forces the user to ‘click to play’ for any content provided by a plugin (including Java). With this setting enabled, if you visit a site infected with a Java exploit, the exploit code won’t run unless you specifically allow it. While possibly overkill, this is as good a workaround as we can expect, at least until Oracle issues a fix for the Java hole.
Another new version of Firefox was announced today. Version 15 includes some new features, like silent updates (which I will immediately disable), and some fixes for long-standing plugin memory use issues.
The Firefox release notes for version 15 have all the changes.
Interestingly, there doesn’t seem to be a list of previous Firefox versions or the corresponding release notes anywhere on the site. But you can find the release notes for a version by replacing ‘15.0’ with any other version number in this URL:
Yesterday, in yet another attempt to finally get it right, Adobe announced a new minor release of its ubiquitous (and problematic) Flash player for all platforms. The new release takes us from the 10.3 series to 10.4.
Additional details are available in the related Security Bulletin.
As usual, the new version addresses security issues that could lead to attacks on systems running older versions. It also includes a few new features; the release notes cover all the changes.
Windows and Mac users should update to the new version (11.4.402.265) as soon as possible. Attacks based on this vulnerability are spreading fast on the Internet.
New versions of Google’s web browser were announced yesterday.
There are several platform-specific versions of Chrome, and they are currently out of sync: 21.0.1180.81 for Linux, 21.0.1180.83 for Windows and 21.0.1180.82 for Mac.
The new versions include several security fixes and bug fixes, among them a fix for the print-preview-takes-forever problem in Windows XP.
Adobe issued several new bulletins today.
First up is Adobe Acrobat and Acrobat Reader. Adobe security bulletin APSB12-16 announces Reader and Acrobat versions 10.1.4 and 9.5.2, which address a specific crashing problem that could allow an attacker to gain control of affected computers.
Next is Adobe security bulletin APSB12-17. This bulletin announces version 188.8.131.526 of Shockwave. Once again, the new version addresses a security issue.
Finally, a new version of the Flash player is announced in Adobe security bulletin APSB12-18. The new version is 11.3.300.271, and it addresses yet another crash-leading-to-possible-exploit security problem. As mentioned previously here, Google Chrome users will receive the new version of Flash for Chrome with the latest version of that browser. It remains to be seen whether this latest fix will resolve the long-standing crashing problems with the Flash player on Windows 7 systems.
Google really pushes out a lot of updates for Chrome, don’t they? The latest update takes the browser to version 21.0.1180.79. The only change is a security fix for Adobe Flash, with the modified code being provided by Adobe. New versions of the Flash plugin for browsers were also released by Adobe today.