Patch Tuesday for March, 2013

Yes, it’s that time again. Time to update all your Windows computers, or at any rate helplessly watch as auto-update randomly siphons away your computer’s resources at the most inopportune times.

This month’s crop of updates includes a total of seven bulletins, which address vulnerabilities in Internet Explorer, Outlook, Visio, Silverlight, SharePoint, OneNote and Windows driver technologies.

This month’s bulletins:

  • MS13-021 – Critical : Cumulative Security Update for Internet Explorer (2809289)
  • MS13-022 – Critical : Vulnerability in Silverlight Could Allow Remote Code Execution (2814124)
  • MS13-023 – Critical : Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution (2801261)
  • MS13-024 – Critical : Vulnerabilities in SharePoint Could Allow Elevation of Privilege (2780176)
  • MS13-025 – Important : Vulnerability in Microsoft OneNote Could Allow Information Disclosure (2816264)
  • MS13-026 – Important : Vulnerability in Office Outlook for Mac Could Allow Information Disclosure (2813682)
  • MS13-027 – Important : Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege (2807986)
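A quick way to confirm the Windows-component bulletins actually landed, added here as an example and not part of the original post: the PowerShell below queries the installed-hotfix list for the KB numbers from the bulletins above. It relies on the standard `Get-HotFix` cmdlet, which reads `Win32_QuickFixEngineering` and therefore only records updates to Windows itself (the IE cumulative update and the kernel-mode driver fix). The Office, Visio Viewer, OneNote, SharePoint and Silverlight updates are not recorded there and have to be verified through those products' own update mechanisms; the `$windowsKbs` table and its labels are this example's own construction.

```powershell
# Added example: verify the March 2013 Windows-component bulletins on this PC.
# Only updates to Windows itself appear in Get-HotFix output; Office, Visio Viewer,
# OneNote, SharePoint and Silverlight fixes must be checked through those products.
$windowsKbs = @{
    'KB2809289' = 'MS13-021 Cumulative Security Update for Internet Explorer'
    'KB2807986' = 'MS13-027 Vulnerabilities in Kernel-Mode Drivers'
}

# Collect the IDs of every recorded hotfix once, then compare against the table.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

foreach ($kb in $windowsKbs.Keys) {
    $status = if ($installed -contains $kb) { 'installed' } else { 'MISSING' }
    '{0,-10} {1,-10} {2}' -f $kb, $status, $windowsKbs[$kb]
}
```

Run it in an elevated PowerShell prompt after Windows Update reports it has finished; a line reading `MISSING` means the bulletin has not been applied yet (or has not been recorded, which can happen when a reboot is still pending). `Get-HotFix` also accepts `-ComputerName`, so the same check can be pointed at other machines on the network.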

If you can’t get enough about these patches, there’s more technical stuff over at the MSRC blog.

Java Zero-day exploit status

Like the “__ days since the last accident” signs that are common in workplaces, the Java Zero-day Countdown web site provides a quick check on Java’s current security issues.

Recall that a zero-day exploit/attack/threat is “an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on ‘day zero’ of awareness of the vulnerability.” [from Wikipedia]

Java has been hit by a stream of such attacks in recent months, and despite new security-tightening features added by Oracle (Java’s developer), there’s no end in sight. Java’s ubiquity makes it a prime target for the perpetrators of malicious hacks.

Maybe some day Oracle will tighten Java’s security to the point where sites like the Java Zero-day Countdown aren’t necessary. Until that happens, it’s a good way to get a quick overview on current threats to Java.

New Linux PC, running 64-bit Ubuntu 12.04

When my main game server died recently – a row of capacitors went bad on the motherboard – I took it as a sign that it’s time to build a powerful new server. But instead of running Windows, I decided it was time to take the next step in switching my systems over to Linux.

I’ve been running an Ubuntu Linux server for a while, mainly to help educate myself in Linux administration. It’s at least partially a production server: it runs the centralized syslog logging service for the local network, and it runs the email services for my self-hosted web sites. But it’s nowhere close to being able to run a Linux client GUI: a 688 MHz Celeron CPU and a paltry 384 MB of RAM.

The new PC is running an Intel Core i7-3770K on an ASUS P8Z77-V LGA 1155 Intel Z77 Intel Motherboard, with 8GB of DDR3 SDRAM. The case is a real beauty, a Corsair Obsidian Series 550D Black Aluminum / Steel ATX Mid Tower: big, quiet fans; detachable vent covers; removable filters on all intakes; no-tool installation of drives; hidden cable routing; foam insulation; silicone fan, power supply and drive mounts; one-touch removal side panels; and removable drive bays. Highly recommended.

I had some trouble installing Ubuntu from my USB thumb drive, so I finally gave up, installed a $5 DVD drive, and installed from that without any trouble.

By default, Ubuntu 12.04 runs the Unity desktop GUI. It’s probably a good choice for novice computer users, since it hides a lot of technical details and is fairly simple. It’s too simple for my taste, however. So now I’m installing KDE. I’ll post more as the work continues.

Advance notification of March Patch Tuesday from Microsoft

March 12th will see a new batch of updates for Windows, Office, Internet Explorer and other Microsoft software. This month there will be seven bulletins, four flagged as Critical.

Patches will become available at around 10am PDT on March 12. PCs configured for auto-updates will see the patches during the following day or so.

Technical details are available in the complete bulletin at TechNet.

More holes in Java’s latest security enhancements

As you’re no doubt well aware, Oracle has been churning out a lot of security updates for Java lately. They’ve also been adding security features, such as the new security settings options. And that’s a good thing.

Except that the security settings don’t actually work the way they’re supposed to. There’s an implicit assumption that ‘trusted’ Java applications – those with valid certificates – should be allowed to do whatever they want. Which would be fine, if certificate status were always reliable. But it’s not. A new vulnerability discovered by security researchers at Avast grants valid status to clearly invalid certificates.

So, the usual advice still applies: disable Java in your web browser unless you absolutely need it. If you need it, consider setting aside one browser just for use with Java, and limit your use of that browser.

Is Oracle losing ground in this battle? Sure feels like it.

More improvements to Windows 8’s dumb UI

Even before Windows 8 was released, you could find third party tools for resurrecting the missing Start menu. New software from Stardock goes even further in eliminating inexplicable Windows 8 behavior.

It’s called ModernMix, and its most notable feature brings back the ability to show applications in multiple windows concurrently. Apparently much of the underlying functionality was there in Windows 8 all along, and ModernMix just makes it possible to access the hidden goodies.

I knew eventually the world would hammer the Windows 8 mess into something usable. Attaboy, Stardock. ModernMix is currently priced at $4.99.

Microsoft relents on tighter Office licensing restrictions

A few days ago, I reported Microsoft’s new policy of limiting Office installs to one computer forever. Apparently Microsoft heard the angry noise coming from the Internet, since they have now relented. You’re now allowed to transfer your Office license to another PC, although only every 90 days (except, apparently, in emergencies). No word on where they pulled that 90 from, but you can guess.

Java 7 update 17 released

And just like that, another new version of Java. Version 7 update 17 (what happened to update 16?) includes fixes for some serious security vulnerabilities, as outlined in the associated security alert.

You’ll forgive me for not trusting Oracle’s word on whether any particular vulnerability has truly been fixed. I’ll defer to Adam Gowdiak and other security researchers for the final judgment. Certainly 7u17 is the latest version of Java, and it presumably fixes some of the holes in 7u15, so anyone using Java – especially in their browser – should install it ASAP. But I’m going to leave Java 7u17 flagged as possibly vulnerable.
