Category Archives: Security

aka infosec

Critical Patch Update fixes 30 Java security issues

Oracle has released updates for all of its Java packages. The updates include a variety of bug and security fixes across all the affected Java products.

You can download the Java Runtime Environment (JRE) or Java Developer Kit (JDK) appropriate for your computing environment from the Java downloads page.

Java browser plugins that are not updated as part of a JRE update will require separate updates, in some cases from the web browser developer (Chrome, Internet Explorer).

It is unclear whether these updates include fixes for the vulnerabilities reported in late September 2012. Update 2012-Oct-25: Apparently they do not, according to security researcher Adam Gowdiak.

Firefox 16.0 pulled due to vulnerability

Update 2012Oct12: Version 16.0.1 of Firefox has just been released. The new version fixes the vulnerability that caused version 16.0 to be pulled from the Firefox download site yesterday. All users are encouraged to upgrade to 16.0.1 as soon as possible.

Firefox 16.0 has been removed from the Mozilla web site due to a new vulnerability. Users who have already upgraded to the new version should either downgrade to version 15.0.1 or exercise extreme caution before visiting any unfamiliar or suspicious web site. The new vulnerability makes it possible for web sites to access information that is normally protected by the browser.

Update 2012Oct12: No exploits using this vulnerability have yet been seen in the wild, but a proof of concept has been published. The POC demonstrates the vulnerability with a few lines of Javascript code that could be embedded on a web site. Now that this POC has been made public, it’s reasonable to assume that similar code will start appearing on hacked and malicious web sites in the very near future.

More security fixes for Adobe Flash

Released yesterday, version 11.4.402.287 addresses security, performance and stability issues in the previous versions of Flash. Users are encouraged to install the new Flash as soon as possible.

Note that at the time of this post, the Flash Player Update Announcement on Adobe’s site shows the wrong version in the first paragraph. It should show the new version as 11.4.402.287 but instead shows it as 11.4.402.278.

Updates for Internet Explorer 10 and Google Chrome, containing associated fixes for Adobe Flash, were also released yesterday.

October 2012 Patch Tuesday Advance Notice

Another month, another batch of updates from Microsoft. On October 9, starting at about 10 am PDT, Microsoft will release patches that address a total of twenty vulnerabilities in Windows and Office. Seven security bulletins will cover the defects being patched, one of which is a critical vulnerability in Word.

Also included in the upcoming updates will be Microsoft Security Advisory (2661254): Update For Minimum Certificate Key Length. This update is the final step in a series of actions taken by Microsoft to improve Internet-based security for its products. This update will force RSA-encrypted communications in Internet Explorer and Outlook to use keys that are 1024 bits in length or greater. If you access secure web sites with Internet Explorer or use encrypted email with Outlook, this update may cause those services to stop working. For further details, see:

Another Java vulnerability revealed

As if things weren’t bad enough for Java on the web, security researcher Adam Gowdiak of Security Explorations yesterday announced yet another critical security flaw.

The new flaw apparently affects all versions of Java, including the most recent updates of Java 5, 6 and 7.

How does this affect users? Nothing has really changed: users are strongly urged to disable Java in their web browsers, since web sites are the most likely vector for attacks based on Java vulnerabilities. If that isn’t possible or practical for you, then your best course of action is to be extremely cautious when deciding whether to click any kind of link, in email or anywhere else. Simply visiting a web site can be enough to infect your computer.

Oracle has not responded to this latest report, and they have yet to respond to the previous Java vulnerability reports.

Active attacks targeting Internet Explorer

Update 2012Sep22: As promised by Microsoft, patches for Internet Explorer versions 9 and earlier were made available yesterday. The patches are available through regular update channels, including Windows Update and Microsoft Update. Security Bulletin MS12-063 has all the details, including links for downloading the updates separately.

Update 2012Sep21: A fix for this issue, promised earlier this week by Microsoft, was announced yesterday. Anyone using Internet Explorer for web browsing is strongly encouraged to install the fix immediately. A proper (i.e. fully tested) patch will be available from Microsoft later today.

Update 2012Sep19: Another bulletin from Microsoft promises an ‘out of cycle’ fix for this issue in the next few days. Meanwhile, the list of sites known to contain the exploit code is growing.

Update 2012Sep18: Microsoft has issued a security bulletin that goes into some detail about this issue and suggests workarounds. Apparently you can install the ‘Enhanced Mitigation Experience Toolkit’, or configure Internet Explorer to either prompt before running ActiveX scripts or prevent them from running altogether.

A newly-discovered vulnerability in most versions of Internet Explorer is being exploited in current, ongoing attacks.

Anyone using IE 6, 7, 8 or 9 on Windows XP, Vista or 7 is potentially at risk. To become infected, a user need only visit a web site that contains the exploit code. Typically, trojan malware is then installed silently on the user’s computer. The computer is then open to further attacks as well as remote control by the perpetrators.

Internet Explorer 10 is not affected.

The exploit code may be placed on a web site without the knowledge of the site owner, if the site is not secure.

This vulnerability and the associated attacks are serious enough to warrant extreme caution when using Internet Explorer. Some experts are recommending discontinuing the use of Internet Explorer until a fix becomes available.

Microsoft has issued a bulletin that provides additional details.