Microsoft has apparently fixed the recently reported vulnerability in Internet Explorer versions 6 through 8. The previous ‘Fix-It’ – a temporary solution at best – was rendered ineffective almost immediately. The fix will be available from Windows Update starting at 10am PST today.
Java Update (hopefully) fixes recent 0-day vulnerability
A new update for Java (Version 7, Update 11) was released today. This update is supposed to fix the serious 0-day vulnerability discovered last week. Anyone using Java 7 in a web browser should install this update immediately. Given the recent track record of Oracle/Sun (Java’s developer), it remains to be seen whether this update actually fixes the vulnerability. I will wait for Adam Gowdiak to weigh in before I’m certain one way or the other.
Technical details:
Update 2013Jan17: An interesting post over at NetworkWorld reviews what’s being said about the state of Java’s vulnerability.
Latest Java still vulnerable, new exploits in the wild
A new vulnerability in all the most recent versions of Java is already being exploited in the wild. It’s being called a critical zero-day bug, meaning that the vulnerability can be exploited right now, before the developers have had a chance to fix it, and that it allows for serious security breaches.
The Ars Technica article linked above points out that several hacking toolkits have already been updated to include exploits specific to this vulnerability.
Our advice on using Java remains the same: if you require Java to be enabled in your web browser, use the available security features to prevent Java from running in any context where it’s not actually necessary. If you only require Java to be available outside of a web browser, disable Java in your web browser. If you don’t need Java at all, disable or remove it completely.
For additional details, see the CERT post. Mozilla has a helpful post about protecting users from this vulnerability.
Update 2013Jan12: Adam Gowdiak has weighed in on this issue. According to Mr. Gowdiak, this new vulnerability is the result of a previous vulnerability being improperly fixed by an earlier patch.
And now, an apology: somehow I missed the release of Java Version 7 Update 10, which apparently became available on December 12, 2012. That version addressed a variety of vulnerabilities and other bugs, and enhanced security in general with new features like the ability to prevent any Java application from running in a web browser.
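The advice above boils down to two checks a defender can automate: is the installed Java older than 7 Update 11, and does the browser still need it at all? The following script is an added example, not code from the original post or from Oracle; it parses the version string that `java -version` prints (Java 7 reports itself as `1.7.0_<update>`) and flags anything older than 7u11. The sample output lines are constructed, and the minimum version is taken from the post itself.

```python
"""Flag Java installations older than 7 Update 11 from `java -version` output.
Added example (not from the original post). Sample outputs below are constructed."""
import re
import subprocess
from typing import Dict, Optional, Tuple

# Java 7 prints e.g.: java version "1.7.0_11"   (major.minor.patch_update)
_VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

# The release the post says fixes the zero-day: Java 7 Update 11 -> 1.7.0_11
MIN_SAFE_JAVA7: Tuple[int, int, int, int] = (1, 7, 0, 11)

# Constructed sample outputs (first line of `java -version` on each machine).
SAMPLE_OUTPUTS: Dict[str, str] = {
    "laptop-vulnerable": 'java version "1.7.0_10"\n',
    "laptop-fixed": 'java version "1.7.0_11"\n',
    "legacy-java6": 'java version "1.6.0_38"\n',
    "no-java": "",
}


def parse_java_version(version_output: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, update) parsed from `java -version` text, or None."""
    m = _VERSION_RE.search(version_output)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def java_needs_update(version_output: str,
                      minimum: Tuple[int, int, int, int] = MIN_SAFE_JAVA7) -> bool:
    """True when the reported Java is older than `minimum` (default 7u11).

    Anything older than the fixed release, including Java 6 lines, is flagged;
    output that cannot be parsed is also flagged so it gets a human look.
    """
    version = parse_java_version(version_output)
    if version is None:
        return True
    return version < minimum


def audit(outputs: Dict[str, str]) -> Dict[str, bool]:
    """Map each host name to whether its Java needs attention."""
    return {host: java_needs_update(text) for host, text in outputs.items()}


def local_java_version() -> Optional[str]:
    """Run `java -version` on this machine; it prints to stderr. None if no java."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    for host, flagged in audit(SAMPLE_OUTPUTS).items():
        print(f"{host}: {'UPDATE or DISABLE' if flagged else 'ok'}")
    local = local_java_version()
    if local is not None:
        print("this machine:", "UPDATE or DISABLE" if java_needs_update(local) else "ok")
```

Unparseable output is deliberately treated as a finding rather than silently ignored: a missing `java` binary is fine, but garbled output usually means a non-standard build that deserves a manual check.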
Chrome updated to version 24.0.1312.52
A new version of Google’s Chrome web browser was announced today. Version 24.0.1312.52 fixes a number of security vulnerabilities, and improves speed and stability. It also includes the security fixes for Flash recently announced by Adobe. The version of Flash embedded in this new version of Chrome is 11.5.31.137.
Latest SANS Ouch! newsletter: What is Java?
This month’s Ouch! newsletter from SANS explains what Java is, why you may or may not need it, why it’s a security concern and how to reduce your exposure to Java-based threats. Highly recommended for anyone who doesn’t already know the answers to these questions.
Downgrade from Windows 8 to Windows 7
Lifehacker has an interesting post that points to information from Microsoft on downgrading Windows 8 to Windows 7.
The downgrade option is not available for all new PCs and license types. The Microsoft page linked above goes over the details.
There are a lot of legitimate reasons one might want to downgrade.
It’s no longer possible to purchase a PC with Windows 7, so anyone buying a new PC will get Windows 8 by default. Being forced to switch operating systems by a big corporation is annoying for many people. You know, people who prefer to have a choice.
If you’re not interested in learning the new O/S, or you’re setting the computer up for someone who is comfortable in Windows 7 (say your grandmother) and doesn’t want to change, this is a useful option.
I’ve personally downgraded a set of Windows computers like this, when software required for a business just didn’t run with the delivered O/S. Sure, it’s the developers’ fault, but waiting for a fix wasn’t an option.
You may use hardware and/or drivers that don’t work on the new O/S, in which case, again, you don’t have much choice until you buy new hardware or (if you’re very lucky), the hardware maker produces new drivers.
Corporate IT providers use the downgrade option more than anyone. There’s a constant need to replace aging PC hardware, but upgrading operating systems involves an enormous amount of re-training that most companies would prefer to do on their own schedule, instead of Microsoft’s.
And so on.
Surprisingly, a lot of the comments on the Lifehacker story are negative. “Just learn the new O/S” is a common refrain. Unpaid (or possibly paid) marketing drones, all of them.
Firefox 18 released
Firefox 18 fixes several security vulnerabilities, as well as a truly massive number of bugs.
The release notes for Firefox 18.0 cover the highlights. Notable changes include faster JavaScript and better image quality, as well as performance improvements related to tabs and startup.
Adobe announces patches for Reader and Flash
As expected, Adobe has released new versions of its Acrobat/Reader software to coincide with Microsoft’s Patch Tuesday for January 2013. Adobe also announced new versions of Flash today.
An Adobe Reader bulletin identifies new versions for the 9, 10 and 11 series of Reader software as 9.5.3, 10.1.5, and 11.0.1 respectively. Anyone who uses Adobe Acrobat/Reader software is strongly encouraged to install the appropriate new version. As usual, the new versions address security and crashing issues.
A Flash bulletin identifies the new version of Flash as 11.5.502.146. This version is for all web browsers except Chrome and Internet Explorer 10, which now use embedded Flash code. The most recent version of Flash in Google Chrome at this time is 11.5.31.137. The most recent version in Internet Explorer 10 is 11.3.378.5. As usual, the new versions address security and crashing issues.
Patch Tuesday for January 2013
Patch Tuesday comes early this month, since January started on a Tuesday. There are seven bulletins, addressing twelve issues in Windows, admin software and developer tools.
January 2013 bulletins
- MS13-001 (Windows – Critical)
- MS13-002 (Windows – Critical)
- MS13-003
- MS13-004 (.NET Framework)
- MS13-005 (Windows)
- MS13-006 (Windows)
- MS13-007 (Windows)
Advance warning of updates for Adobe Acrobat and Reader
Adobe is planning to release security updates for its PDF reader and authoring software on January 8, 2013. Security advisory APSB13-02 has all the details.