Patch Tuesday for May 2013

The month’s updates include fixes for vulnerabilities in Windows, Internet Explorer, .NET and Office. The main bulletin has all the technical details, and the Microsoft Security Response Center has a more reader-friendly summary, entitled “Microsoft Customer Protections for May 2013”.

The expected patch for recently-discovered vulnerabilities in Internet Explorer 8 is included in this month’s patches as MS13-038. According to Microsoft, you can install this patch whether or not you previously installed the emergency “Fix-It” released by Microsoft.

Advance notification for May 2013 Patch Tuesday

As usual, Microsoft has issued an advance notification for this month’s Patch Tuesday. The updates will become available on Tuesday, May 14 at about 10am PST.

There are ten bulletins this month, two of them flagged Critical. In total, 34 vulnerabilities in Windows, Office, Internet Explorer, .NET and server software will be addressed.

Update 2013May11: The upcoming patches will include a fix for the Internet Explorer 8 vulnerability recently discovered.

Internet Explorer 8 vulnerable to new web-based attack

Update 2013May09: Microsoft has issued a ‘Fix-It’ for this problem. This is a temporary, band-aid solution; it will be superseded by an actual patch at some point. The original bulletin about this issue has been updated to include information about the ‘Fix-It’.

Microsoft recently announced that a new attack targeting a specific version of Internet Explorer is being exploited in the wild. More details are provided in the associated security advisory from Microsoft.

Only Internet Explorer version 8 is vulnerable to this attack, which begins when someone using IE8 is tricked into visiting a compromised web site. Once infected, the user’s computer can be remotely controlled by the attacker.

Anyone using Internet Explorer 8 is strongly urged to upgrade to IE9, or – if using Windows 7 or 8 – to IE10. If upgrading Internet Explorer is not an option, you can reduce the risk of infection by increasing the level of protection provided by the browser, as follows:

  • Set Internet and local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones. This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones. This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
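As an added example (not from the original post or from Microsoft’s advisory), here is a PowerShell script that audits the Internet and Local intranet zones for the two settings above and can apply them. It assumes the standard per-user zone layout in the registry and the documented IE URL action IDs 1200 (ActiveX controls) and 1400 (Active scripting); the function names are my own.

```powershell
# Added example, not part of the original post: audit and optionally apply the two
# Internet Explorer workarounds described above, using the per-user zone settings in
# the registry. Zone 1 = Local intranet, Zone 3 = Internet (2 = Trusted sites).
# Value names are IE's URL action IDs: 1200 = Run ActiveX controls and plug-ins,
# 1400 = Active scripting. Action values: 0 = Enable, 1 = Prompt, 3 = Disable.
# CurrentLevel 0x12000 is the "High" zone template.
$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones    = @{ '1' = 'Local intranet'; '3' = 'Internet' }
$Actions  = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$Labels   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IEZoneHardening {
    # One row per zone/setting; Hardened is true when the action is Prompt or Disable.
    foreach ($z in $Zones.Keys) {
        $key = Join-Path $ZoneRoot $z
        foreach ($a in $Actions.Keys) {
            $val = (Get-ItemProperty -Path $key -Name $a -ErrorAction SilentlyContinue).$a
            $label = 'unset'
            if ($null -ne $val) {
                $label = $Labels[[int]$val]
                if (-not $label) { $label = '0x{0:X}' -f $val }
            }
            [pscustomobject]@{
                Zone     = $Zones[$z]
                Setting  = $Actions[$a]
                Value    = $label
                Hardened = ($val -eq 1 -or $val -eq 3)
            }
        }
    }
}

function Set-IEZoneHardening {
    # Disable ActiveX, set Active Scripting to Prompt or Disable, and record the High
    # template. Takes effect for new IE windows; if Group Policy manages zone settings
    # (HKLM or the Policies hive), those values take precedence over HKCU.
    param([ValidateSet('Prompt', 'Disable')][string]$Scripting = 'Disable')
    $scriptValue = 3
    if ($Scripting -eq 'Prompt') { $scriptValue = 1 }
    foreach ($z in $Zones.Keys) {
        $key = Join-Path $ZoneRoot $z
        Set-ItemProperty -Path $key -Name '1200' -Value 3 -Type DWord
        Set-ItemProperty -Path $key -Name '1400' -Value $scriptValue -Type DWord
        Set-ItemProperty -Path $key -Name 'CurrentLevel' -Value 0x12000 -Type DWord
    }
    # Sites that must keep scripting belong in Trusted sites (zone 2) instead.
}

# Audit first; apply with: Set-IEZoneHardening -Scripting Prompt
Get-IEZoneHardening | Format-Table -AutoSize
```

Re-run Get-IEZoneHardening after applying to confirm every row shows Hardened = True.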

Ars Technica has additional details.

I talked to Google Support! (but didn’t like what I heard)

One of the most common complaints about Google has always been that it’s almost impossible to get real live in-person support from them. Sure, they have support forums and feedback links, and occasionally you’ll even hear back from them when you report a problem. Clearly they do have support staff. But actually talking to Google support on the phone? No way.

Don’t get me wrong – I understand why Google has chosen not to have a general support call center: it’s expensive. Just ask Microsoft. When most of the services you offer are free, providing live support is going to kill your bottom line. As long as Google’s services are both excellent and free, and there are useful alternatives to live support, I’m happy to let Google slide on this.

So imagine my surprise, this morning, at being offered an option to have Google support staff call me on my phone and provide live, in-person assistance!

Here’s what happened: if you run a business and you care about your online presence, you are almost certainly familiar with Google Places. It’s a Google service that allows business owners to create listings that then appear on Google Maps and elsewhere. Recently, Google moved the public side of these listings to Google+, calling it Google+ Local. This is where your business listing now appears. Okay, I can live with that.

Or not. I recently discovered that not all of the details entered on a Google Places page end up on the public Google+ Local page. Missing items for me include images (in particular, the company logo), payment types accepted, email address, and additional details (free wireless, parking, etc.). What’s going on?

I poked around in the Google Places help for a while, but didn’t find anything about this problem. What I did see surprised me: an offer to speak with Google support staff about a problem with my Places listing. Recognizing that this was a rare opportunity (akin to sighting an extinct animal), I jumped at the offer. Within seconds, my cell rang, and I was talking to an actual Google support person.

I quickly explained the problem. I was told the following:

  • Some elements of the Places listing don’t appear in Google+ Local; apparently a mysterious Google algorithm decides what is relevant and shows only that.
  • Suggested workarounds:
    • Submit changes using the public page (Google+ Local).
    • Just wait to see what happens.
    • Stuff all the details into the business description.

Really? None of that makes any sense. If not all the Places information gets to the public listing, shouldn’t that be obvious when you’re filling it out? And what’s the point of entering something if it never appears anywhere? What criteria are used to decide what appears in my listing, and why should that decision be anyone’s but mine? If it’s easier (and much faster, apparently) for a random Internet user to update my business listing than it is for me to do it myself, something is seriously broken. If I stuff the missing information into the description and it then magically appears later on where it should have been in the first place, the information will be redundant. Worse still, the description is limited to 200 characters.

So my first ever conversation with Google Support left me with mixed emotions: happy to talk to a real live Googler, but dismayed at the mess that Google Places has now officially become.

Problematic update re-issued by Microsoft

Microsoft today released a new version of the update that caused so many problems this past Patch Tuesday, MS13-036.

The new version is KB2840149, and it replaces the update originally associated with MS13-036, KB2823324.

The new update will be installed automatically on computers with auto-update enabled. Anyone using manual updates should install the new version by visiting the Windows Update site or the KB2840149 page.

Latest Java still vulnerable

According to Adam Gowdiak of Security Explorations, many of the Java vulnerabilities he reported to Oracle in recent months were fixed in the April update (Java 7, Update 21).

However, several of the reported vulnerabilities remain, and Oracle has confirmed that they are working on fixes for those issues.

On April 22, Mr. Gowdiak reported another new Java vulnerability to Oracle:

The new flaw was verified to affect all versions of Java SE 7 (including the recently released 1.7.0_21-b11). It can be used to achieve a complete Java security sandbox bypass on a target system. Successful exploitation in a web browser scenario requires proper user interaction (a user needs to accept the risk of executing a potentially malicious Java application when a security warning window is displayed).

Current Java status: vulnerable.

Details are on the Security Explorations web site (scroll to the end).

Update 2013Apr27: Ars Technica reports that exploits for the just-patched Java vulnerabilities are showing up in attack kits and being seen in the wild. If you use Java, patch it ASAP!

Java 7 Update 21 fixes 42 security issues

As expected, Oracle yesterday released a new update for the series 7 Java Runtime Environment (JRE). Java 7 Update 21 includes fixes for a whopping forty-two security vulnerabilities.

Adam Gowdiak of Security Explorations reports that several of the issues previously reported by him have apparently been fixed in Java 7u21. He points out that one issue in particular took six weeks to fix, and that this delay was unwarranted.

Update 21 also includes some general security improvements. Java will now pop up security warnings whenever unsigned Java code starts to run. Requiring Java code to be signed is going to annoy some users, but given the number of Java security issues in recent months, this is definitely a good idea. The Internet Storm Center has additional details.

Given that most of the fixed vulnerabilities can allow remote attackers to gain control of unprotected computers, we recommend installing the update as soon as possible on any computer running Java, especially those with Java enabled in web browsers.

Unfortunately, as with most Java updates, the announcement from Oracle leaves much to be desired. The date of the announcement is buried toward the bottom of the document. The version of the update is never mentioned. Instructions to users are needlessly complex.

Windows 8.1 will bring back the desktop – sort of

The Verge reports on rumours that Microsoft will make the new (formerly ‘Metro’) interface skippable in the next version of Windows 8. That next version is being referred to as ‘Windows 8.1’ and ‘Windows Blue’, and Microsoft may or may not make it a paid upgrade.

The details are sketchy, but it sounds like users will have a new option to boot straight to the desktop, bypassing the new UI. It’s unclear whether the Start menu will reappear; if it doesn’t, then the usefulness of this new option will be limited. The new UI will probably still rear its ugly head in many circumstances as well.

Big Java security update expected today

Yesterday, Oracle announced that it will soon issue a significant update for Java. The update will include fixes for forty-two known security vulnerabilities, including thirty-nine that may be remotely exploitable without authentication. Apparently the update will also introduce some new general security improvements.

Ars Technica has additional details.

The update is scheduled for release later today (April 16, 2013).

Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.