Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) is free software that improves the overall security of Windows computers. EMET isn’t a replacement for anti-malware software; rather, it provides additional protections that complement anti-malware software.
There’s little downside to using EMET, so we recommend installing it on all Windows computers. By default, it provides specific protections for Microsoft software, including Office and Internet Explorer.
Apparently a new version of Adobe Shockwave was released on July 1, 2014. The new version is 12.1.3.153.
The main welcome/download page for Shockwave shows the latest version and provides a test that shows the version you’re currently running. If you’re not running the latest version, you can download and install it from that page. The Shockwave Player Help page does much the same thing.
Adobe’s web resources for Shockwave are appallingly bad. The list of security updates is over a year out of date. The most recent update listed is for version 12.1.0.150. The official Shockwave version history is even worse, as it hasn’t been updated since 2007! There doesn’t seem to be any kind of an update alert mechanism such as an RSS feed, although with the information so out of date, that wouldn’t really help.
Numerous versions of this library are available for Windows, and any or all of them can be installed at the same time on Windows PCs. Some versions are no longer supported by Microsoft, and updates for those older versions won’t appear in Windows Update.
Because of this, many Windows PCs contain versions of this library that have security vulnerabilities.
Microsoft’s documentation on the XML library is confusing and incomplete. For what it’s worth, here are a couple of links to said documentation:
We recommend installing and running Secunia’s PSI, which scans for out of date software, including Microsoft’s XML libraries. PSI also helpfully provides links to download any missing updates.
Update 2014Jul30: A reader pointed out that getting MSXML4 up to date is not a simple task. Here’s what you need to know:
The most up to date MSXML4 is a patched version of MSXML4 SP3, specifically 4.30.2117.0.
Windows Update won’t offer newer updates for MSXML4 if the version on your computer is SP2. This is the basic problem pointed out by Secunia.
To get the most recent MSXML4 on your computer, you have to manually download and install MSXML4 SP3, then run Windows Update, which should show this update: Security Update for Microsoft XML Core Services 4.0 Service Pack 3 (KB2758694). Once you install that update, you should be running MSXML4 SP3 version 4.30.2117.0.
Even after you’re running the most recent version of MSXML4, Secunia PSI will tell you it needs to be updated. That’s because Secunia has decided to report MSXML4 as ‘end-of-life’ (which it is) and direct users to MSXML6 instead. There are two problems with this: first, installing MSXML6 will not remove any earlier versions, including MSXML4; second, Microsoft recommends leaving MSXML4 in place as long as it’s up to date. The upshot is that unless you manually remove all remnants of MSXML4, PSI will keep telling you to install MSXML6, even if it’s already installed.
It looks like Microsoft really won’t be bringing the Start menu back to Windows 8, and will instead try to win users back with the next version of Windows. One wonders whether Microsoft should just skip every other Windows release, given their track record.
The Verge has leaked screenshots of Windows 9’s Start menu, and it appears to be an amalgamation of features from Windows 8 and Windows 7, with the right half of the menu showing pinned ‘Metro’ style apps.
By now you’re probably sick of hearing the password mantras “use long, complex passwords”, and “don’t reuse specific passwords for multiple accounts”. Sick or not, that advice is still valid, and anyone who signs in to online services should be following it.
But you can make your online life a bit easier if you give some thought to the risk associated with each account you’re trying to protect. A password used to access an obscure web forum doesn’t need to be as complex (and difficult to remember) as the password for your online bank account.
Researchers from Microsoft and Carleton University have done the math, and conclude that this risk-based approach is sound.
We still strongly recommend the use of an offline password manager such as Password Corral or Password Safe. But at least now you can consider using easier-to-remember passwords for some accounts.
Thanks once again to organizations like CERT and SANS, this morning I was alerted to a new version of Firefox.
Version 31 includes fixes for security vulnerabilities and other bugs, and adds several features, none of which is likely to be of much interest to anyone except developers.
The upshot? That even the mighty Google can be shamed into fixing things. Okay, folks, let’s all start screaming about the ridiculous lack of a bookmark sidebar in Chrome. Maybe if we make enough noise, that long-requested feature will finally appear.
A whopping 26 security vulnerabilities are addressed in the latest version of Google’s web browser. The new version also includes fixes related to stability and performance, and adds some minor features. The official announcement has all the details.
Researchers at the University of California, Berkeley tested several popular web-based password managers and found serious vulnerabilities.
Although it’s a good idea to use password management software, any web-based service is going to be a tempting target for nefarious persons, since discovering one password will typically open a treasure trove of additional passwords.
Oracle published its most recent quarterly Critical Patch Update bulletin on Wednesday. The bulletin describes updates to most of Oracle’s products, including its flagship database software, but the updates of interest to most people are those related to Java.
As usual, given the severity of the vulnerabilities fixed by these new versions, you are strongly encouraged to update as soon as possible, particularly if you are using a Java-enabled web browser. Brian Krebs has more.
Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.
Close
Ad-blocker not detected
Consider installing a browser extension that blocks ads and other malicious scripts in your browser to protect your privacy and security. Learn more.
boot13