A new version of Flash was announced today. Version 11.6.602.180 fixes several security (and other) bugs and adds a few new features. The security issues are described in the associated security bulletin: APSB13-09. The rest of the changes are covered in the release notes for 11.6.602.180.
Patch Tuesday for March, 2013
Yes, it’s that time again. Time to update all your Windows computers, or at any rate helplessly watch as auto-update randomly siphons away your computer’s resources at the most inopportune times.
This month’s crop of updates includes a total of seven bulletins, which address vulnerabilities in Internet Explorer, Outlook, Visio, Silverlight, SharePoint, OneNote and Windows driver technologies.
This month’s bulletins:
- MS13-021 – Critical : Cumulative Security Update for Internet Explorer (2809289)
- MS13-022 – Critical : Vulnerability in Silverlight Could Allow Remote Code Execution (2814124)
- MS13-023 – Critical : Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution (2801261)
- MS13-024 – Critical : Vulnerabilities in SharePoint Could Allow Elevation of Privilege (2780176)
- MS13-025 – Important : Vulnerability in Microsoft OneNote Could Allow Information Disclosure (2816264)
- MS13-026 – Important : Vulnerability in Office Outlook for Mac Could Allow Information Disclosure (2813682)
- MS13-027 – Important : Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege (2807986)
If you can’t get enough about these patches, there’s more technical stuff over at the MSRC blog.
Java Zero-day exploit status
Like the “__ days since the last accident” signs that are common in workplaces, the Java Zero-day Countdown web site provides a quick check on Java’s current security issues.
Recall that a zero-day exploit/attack/threat is “an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on ‘day zero’ of awareness of the vulnerability.” [from Wikipedia]
Java has been hit by a stream of such attacks in recent months, and despite new security-tightening features added by Oracle (Java’s developer), there’s no end in sight. Java’s ubiquity makes it a prime target for the perpetrators of malicious hacks.
Maybe some day Oracle will tighten Java’s security to the point where sites like the Java Zero-day Countdown aren’t necessary. Until that happens, it’s a good way to get a quick overview on current threats to Java.
New Linux PC, running 64-bit Ubuntu 12.04
When my main game server died recently – a row of capacitors went bad on the motherboard – I took it as a sign that it’s time to build a powerful new server. But instead of running Windows, I decided it was time to take the next step in switching my systems over to Linux.
I’ve been running an Ubuntu Linux server for a while, mainly to help educate myself in Linux administration. It’s at least partially a production server: it runs the centralized syslog logging service for the local network, and it runs the email services for my self-hosted web sites. But it’s nowhere close to being able to run a Linux client GUI: a 688 MHz Celeron CPU and a paltry 384 MB of RAM.
The new PC is running an Intel Core i7-3770K on an ASUS P8Z77-V LGA 1155 Intel Z77 Intel Motherboard, with 8 GB of DDR3 SDRAM. The case is a real beauty, a Corsair Obsidian Series 550D Black Aluminum / Steel ATX Mid Tower: big, quiet fans; detachable vent covers; removable filters on all intakes; no-tool installation of drives; hidden cable routing; foam insulation; silicone fan, power supply and drive mounts; one-touch removal side panels; and removable drive bays. Highly recommended.
I had some trouble installing Ubuntu from my USB thumb drive, so I finally gave up and installed a $5 DVD drive and installed from there without any trouble.
By default, Ubuntu 12.04 runs the Unity desktop GUI. It’s probably a good choice for novice computer users, since it hides a lot of technical details and is fairly simple. It’s too simple for my taste, however. So now I’m installing KDE. I’ll post more as the work continues.
Advance notification of March Patch Tuesday from Microsoft
March 12th will see a new batch of updates for Windows, Office, Internet Explorer and other Microsoft software. This month there will be seven bulletins, four flagged as Critical.
Patches will become available at around 10am PDT on March 12. PCs configured for auto-updates will see the patches during the following day or so.
Technical details are available in the complete bulletin at TechNet.
Firefox 19.0.2 fixes one security issue
Mozilla released a new version of Firefox today. Version 19.0.2 fixes one security vulnerability.
As usual, the release notes and complete list of changes for this release are a mixture of old and new information, making the job of figuring out what has actually changed needlessly difficult.
Chrome 25.0.1364.160 fixes one security issue
Yesterday, Google announced a new version of its web browser, Chrome. The new version fixes one security vulnerability.
More holes in Java’s latest security enhancements
As you’re no doubt well aware, Oracle has been churning out a lot of security updates for Java lately. They’ve also been adding security features, such as the new security settings options. And that’s a good thing.
Except that the security settings don’t actually work the way they’re supposed to. There’s an implicit assumption that ‘trusted’ Java applications – those with valid certificates – should be allowed to do whatever they want. Which would be fine, if certificate status were always reliable. But it’s not. A new vulnerability discovered by security researchers at Avast grants valid status to clearly invalid certificates.
So, the usual advice still applies: disable Java in your web browser unless you absolutely need it. If you need it, consider setting aside one browser just for use with Java, and limit your use of that browser.
Is Oracle losing ground in this battle? Sure feels like it.
More improvements to Windows 8’s dumb UI
Even before Windows 8 was released, you could find third party tools for resurrecting the missing Start menu. New software from Stardock goes even further in eliminating inexplicable Windows 8 behavior.
It’s called ModernMix, and its most notable feature brings back the ability to show applications in multiple windows concurrently. Apparently much of the underlying functionality was there in Windows 8 all along, and ModernMix just makes it possible to access the hidden goodies.
I knew eventually the world would hammer the Windows 8 mess into something usable. Attaboy, Stardock. ModernMix is currently priced at $4.99.
Microsoft relents on tighter Office licensing restrictions
A few days ago, I reported Microsoft’s new policy of limiting Office installs to one computer forever. Apparently Microsoft heard the angry noise coming from the Internet, since they have now relented. You’re now allowed to transfer your Office license to another PC, although only every 90 days (except, apparently, in emergencies). No word on where they pulled that 90 from, but you can guess.