As expected, more critical Java updates

Oracle/Sun has released Java version 7, update 15. What happened to update 14? Anyway, the new version includes a batch of security and other bugfixes they wanted to release with the last batch, and which were originally scheduled for release today. Confused yet?

Since the new version is all about fixing the rather horrible Java security vulnerabilities that have been revealed in recent weeks, you should go ahead and install the update, if you use Java. If you don’t use it, pat yourself on the back and count yourself lucky.

If you read the announcement linked above, you’ll notice that once again, determining the version being discussed is left as an exercise for the reader, since the version (7u15) is not mentioned anywhere on the page. There are plenty of references to the versions being replaced, which only adds to the confusion. Annoying.

Firefox version 19 released

Firefox 19 was released today, with the usual lack of a proper announcement, and a confusing jumble of change information from Mozilla.

Instead of a proper announcement for the new version, all we get is this post announcing a new, built-in PDF viewer.

As usual, the release notes for version 19 are confusing, but at least the new version is mentioned, albeit in an unusual congratulatory note to ‘new Mozillians’ – whatever they are. And, as always, the complete list of changes for version 19 actually includes every bugfix in recent history. When are they going to clean this stuff up, one wonders.

Still, a built-in PDF viewer will allow users to steer clear of at least one buggy piece of Adobe software in the form of a Reader plugin. It remains to be seen whether the new viewer has as many security issues as what it’s replacing.

Windows 7 users: install Service Pack 1

If you’re running Windows 7, and you haven’t already installed Service Pack 1, you should do so before April 9, 2013. After that date, Microsoft will no longer provide patches for Windows 7 without SP1. That includes security patches.

Microsoft will continue to supply patches for Windows 7 with SP1 until January 14, 2020.

The details are laid out in a related post on Microsoft’s Springboard blog.

Adobe Reader software currently being exploited

There’s a brief announcement on the Adobe Product Security Incident Response Team (PSIRT) Blog stating that Adobe is looking into reports of a new exploit for their Reader software. No further details are provided. Since this exploit is apparently being seen in the wild, we recommend extreme caution when opening PDF documents from unknown or untrusted sources. Better yet, switch to a different PDF reader like Foxit, thereby avoiding the dangers inherent in using Adobe Reader.

Update: Ars Technica has the details. Apparently the vulnerability was reported by the security company FireEye, and attacks based on the vulnerability have been seen in the wild. Further, the vulnerability is important because security in version 11 of the Reader software was supposedly much more difficult to circumvent.

Update 2: There’s a new post on the Security Advisory blog for Adobe Reader and Acrobat that covers this issue.

Update 3: Ars Technica points out that Adobe Reader 11 would protect users from this vulnerability, if its security settings were actually enabled by default (which they aren’t). On learning this, I immediately made the required changes to my installation of Reader, enabling Protected View. Check the bottom of this post for the procedure.

Update 4: Adobe announced that updates for the vulnerabilities in Reader will be made available some time during the coming week.

Enabling Protected View in Adobe Reader 11

  1. Start Adobe Reader.
  2. From the menu, select Edit > Preferences.
  3. Select Security (Enhanced) from the list on the left.
  4. In the Sandbox Protections section at the top, make sure that the setting for Protected View is All files.
  5. Click OK.

And here’s a screenshot (image: AdobeReaderSecurity).
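The same check can be scripted for a fleet instead of clicking through the Preferences dialog on each machine; this is an added example, not part of the original post. It assumes Reader XI keeps the per-user setting as a DWORD named iProtectedView under HKCU:\Software\Adobe\Acrobat Reader\11.0\TrustManager, with 0 = off, 1 = files from unsafe locations only, 2 = all files (the value the procedure above selects).

```powershell
# Added example (not from the original post): audit and optionally enforce Adobe Reader XI
# Protected View from PowerShell. Assumption: Reader XI stores the per-user setting as the
# DWORD iProtectedView under HKCU:\Software\Adobe\Acrobat Reader\11.0\TrustManager,
# with 0 = Off, 1 = Files from potentially unsafe locations, 2 = All files.
param(
    [switch]$Enforce   # set the value to 2 (All files) if it is not already
)

$KeyPath   = 'HKCU:\Software\Adobe\Acrobat Reader\11.0\TrustManager'
$ValueName = 'iProtectedView'
$AllFiles  = 2

$labels = @{ 0 = 'Off'; 1 = 'Files from potentially unsafe locations'; 2 = 'All files' }

function Get-ProtectedViewSetting {
    if (-not (Test-Path $KeyPath)) { return $null }   # Reader XI not installed or never run
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }                 # value absent: the post says the default is Off
    return [int]$item.$ValueName
}

$current = Get-ProtectedViewSetting
if ($null -eq $current) {
    Write-Output "Adobe Reader XI preferences not found under $KeyPath"
    return
}

$label = if ($labels.ContainsKey($current)) { $labels[$current] } else { "unknown ($current)" }
Write-Output "Protected View is currently: $label"

if ($current -ne $AllFiles) {
    if ($Enforce) {
        # Write the value the Preferences dialog would write for 'All files'
        New-ItemProperty -Path $KeyPath -Name $ValueName -Value $AllFiles -PropertyType DWord -Force | Out-Null
        Write-Output "Protected View set to All files; restart Reader for the change to take effect."
    } else {
        Write-Output "Protected View is NOT set to All files; re-run with -Enforce or change it in Edit > Preferences > Security (Enhanced)."
    }
}
```

Run it without arguments to report the current setting; add -Enforce to switch it to All files for the current user.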

New version of Chrome

Version 24.0.1312.70 of Google’s web browser contains the latest version of Adobe Flash.

Update: Something funny going on here. The announcement linked above states that version 24.0.1312.70 is actually for the Linux platform. It goes on to say: “This release contains an update to Flash (11.6.602.167). This Flash update has been pushed to Windows, Mac, and Chrome Frame platforms through component updater.” But what is the ‘component updater’, and how will it affect the version number of Chrome in Windows? There’s nothing on the Chrome support site about it. My own Chrome installation reports itself as being up to date at version 24.0.1312.57. Has Flash been updated in my installation or not? How can I determine what version of Flash is running in Chrome? Comments below the announcement linked above show other users similarly confused. Meanwhile, another new version was announced on Feb 14: “The Stable channel has been updated to 24.0.1312.71 for Windows Standalone Enterprise. This build contains an updated Flash (11.6.602.167).” That version at least seems to be targeted at Windows, but what is “Windows Standalone Enterprise”? It contains the same version of Flash as 24.0.1312.70, but again my version of Chrome reports that it is up to date at 24.0.1312.57. Not much we can do at this point except wait for Google to sort out this mess.

Patch Tuesday for February 2013

It’s that time again: time to patch your Windows systems. This month there are twelve bulletins, addressing a total of 57 vulnerabilities in Windows, Internet Explorer and other Microsoft software.

The Microsoft Security Response Center’s post has all the technical details.

Here are the individual bulletins:

Microsoft teams up with Symantec to take down another botnet

Microsoft and Symantec, working with law enforcement authorities in the US and Spain, have disabled another botnet. The Bamital botnet first appeared in 2009, and at its height, included as many as 1.8 million computers.

User computers became infected with the Bamital malware through drive-by web-based infections (often from porn sites) and corrupted software downloads.

Infected computers were used to generate revenue for the perpetrators by generating or redirecting traffic to specific web sites.
