Tuesday, October 18, 2011

Oracle Java SE Critical Security Update


Oracle released a critical security update to the Java Runtime Environment (JRE).  The full internal version number for this update release is 1.6.0_29-b11 (where "b" means "build"). The external version number is 6u29.

The critical update is a collection of patches for multiple security vulnerabilities in Oracle Java SE.  The update includes twenty (20) new security vulnerability fixes, of which six (6) are applicable to JRockit.

The update to Java SE 6u29 follows Java SE 6u27. Java SE 6u28 was used as an internal build and bypassed in favor of the current release of Java SE 6u29.

Although Java is not required (See Do You Need Java?), if you do have Java installed on your computer, it is advisable to install the latest update.  It is also advised that all prior (and vulnerable) versions of Java SE be uninstalled from your computer.

Download Update: Java SE Runtime Environment 6u29

Note: UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.

Affected Java SE Products and Components

  • JDK and JRE 7
  • JDK and JRE 6 Update 27 and earlier
  • JDK and JRE 5.0 Update 31 and earlier
  • SDK and JRE 1.4.2_33 and earlier
  • JavaFX 2.0
  • JRockit R28.1.4 and earlier (JDK and JRE 6 and 5.0)

The next scheduled Oracle Java SE Critical Patch Update is 14 February 2012.
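
To check an installed runtime against the affected list above, the following added example (not part of the original post or any Oracle tool) parses the internal version string, maps it to the external name, and reports whether it falls in an affected range. The banner text is a constructed sample, the function names are hypothetical, and treating only the initial 1.7.0 release as the affected "JDK and JRE 7" is an assumption.

```python
import re

# Highest affected update per release family, from the list above.
# The page lists "JDK and JRE 7" with no update number; treating only the
# initial 1.7.0 release (update 0) as affected is an assumption made here.
AFFECTED_MAX_UPDATE = {"1.7.0": 0, "1.6.0": 27, "1.5.0": 31, "1.4.2": 33}

VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)(?:_(\d+))?(?:-b(\d+))?")
BANNER_RE = re.compile(r"\(build (\d+\.\d+\.\d+(?:_\d+)?(?:-b\d+)?)\)")

# Constructed sample of `java -version` output, not captured from a real machine.
SAMPLE_BANNER = (
    'java version "1.6.0_27"\n'
    "Java(TM) SE Runtime Environment (build 1.6.0_27-b07)\n"
)

def parse_internal(version):
    """Split an internal version such as 1.6.0_29-b11 into (family, update, build)."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {version!r}")
    family, update, build = m.groups()
    return family, int(update or 0), int(build) if build else None

def external_name(version):
    """Map an internal version to its external name, e.g. 1.6.0_29-b11 -> 6u29."""
    family, update, _ = parse_internal(version)
    if family.endswith(".0"):
        major = family.split(".")[1]
        return f"{major}u{update}" if update else major
    # Older families (1.4.2) are written in the internal style on the page.
    return f"{family}_{update:02d}"

def is_affected(version):
    """True/False for a listed family, None when the family is not on the list."""
    family, update, _ = parse_internal(version)
    ceiling = AFFECTED_MAX_UPDATE.get(family)
    return None if ceiling is None else update <= ceiling

def check_banner(banner):
    """Return (internal version, external name, affected?) for a version banner."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError("no build string found in banner")
    version = m.group(1)
    return version, external_name(version), is_affected(version)

if __name__ == "__main__":
    print(check_banner(SAMPLE_BANNER))
```
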


    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...

    SUPERAntiSpyware Adds Opt-in Toolbar

    Personally, I prefer not to use toolbars.  However, there are many people who like add-on toolbars on their browser of choice.

    Something that has been a point of contention, particularly within the security community, is the inclusion of pre-checked toolbars with security software.  This practice has resulted in discontinuing recommendations for those programs, even though the software is offered free for personal use.

    SUPERAntiSpyware has apparently found it necessary to supplement the support of the free version of SUPERAntiSpyware by the inclusion of the Ask Toolbar.  The difference between the inclusion of the toolbar by SUPERAntiSpyware and other vendors is that it is opt-in rather than opt-out (pre-checked).

    Nick Skrepetos*, developer of SUPERAntiSpyware, provided the statement below at Wilders Security Forums:
    "It's not bundled, but rather an optional install that, if elected, enables a Professional feature - scheduled scanning at no charge. A "bundle" means it's included and installed as part of the package - we have an optional install. Nothing is disabled or features lost if the user elects not to install - it's still the great free SUPERAntiSpyware we have always produced!"


    If SUPERAntiSpyware is your anti-malware software program of choice, consider purchasing a license for the software.  However, if your preference is to continue using the free version, the built-in Windows Scheduler is an option for scheduling scans.

    *SUPERAntiSpyware was acquired by Support.com in June, 2011. Press Release: Support.com Expands Software Offerings With Acquisition of SUPERAntiSpyware


    Tuesday, October 11, 2011

    Microsoft October 2011 Security Bulletin Release

    Microsoft released eight (8) bulletins addressing vulnerabilities in Internet Explorer, .NET Framework & Silverlight, Microsoft Windows, Microsoft Forefront UAG, and Microsoft Host Integration Server.  Two of the bulletins are rated Critical and six are rated Important.

    Note:  With the inclusion of .NET Framework updates, it is recommended that those updates be installed separately from the remaining updates.  This is due to issues many people experience when installing .NET Framework updates.  Shutdown/restart the computer to complete the installation.

    Below are the Bulletins identified as Critical.  As noted above, it is recommended that MS11-078 be installed separately.

    • MS11-081 (Internet Explorer): This security update resolves eight privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.
    • MS11-078 (.NET Framework & Silverlight): This security update resolves a privately reported vulnerability in Microsoft .NET Framework and Microsoft Silverlight. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications. The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page. The vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.

    Although the Executive Summaries indicate that some of the updates "may" require a restart, regardless of the recommendation, it is always best to restart your computer after applying updates.


    The following additional information is provided in the Security Bulletin:
    • The affected software listed has been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your software version, visit Microsoft Support Lifecycle.
    • Customers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.
    • International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit International Help and Support.



    Sunday, October 09, 2011

    How Windows PCs Get Infected with Malware

    CSIS Security Group in Denmark conducted a study of almost three months where they collected real-time data from various so-called exploit kits that Danish users were exposed to.  As described by Peter Kruse, Partner and Security Specialist at CSIS:
    "An exploit kit is a commercial hacker toolbox that is actively exploited by computer criminals who take advantage of vulnerabilities in popular software. Up to 85 % of all virus infections occur as a result of drive-by attacks automated via commercial exploit kits."

    How PCs Get Infected

    The CSIS study revealed that as much as 99.8 % of all virus/malware infections were a direct result of not updating five specific software packages.  Aside from missing Microsoft security updates, the study revealed the following out of date programs as being the most used by malware:  Java JRE (37%), Adobe Reader and Adobe Acrobat (32%), Adobe Flash (16%) and Microsoft Internet Explorer (10%).

    Third-Party Software

    Setting aside browser and operating system for the moment, what is notable from the CSIS study is the impact of third-party software, notably Java JRE, Adobe Reader and Adobe Acrobat and Adobe Flash.

    Oracle Java JRE
    When it comes to Oracle Java JRE, you may have it installed on your computer but might not even need it.  Following are reasons why someone may need Oracle Sun Java installed on their computer:
    • Playing on-line games generally requires Java.
    • With OpenOffice, Java is needed for the items listed here.
    • It used to be that Java was needed for websites to be properly displayed. However, that is generally not the case now with Flash having taken over.
    • There may be commercial programs that depend on Java. If Java is needed for software installed on your computer, there should be a prompt for it.
    If the above does not apply to you, consider uninstalling Java.  In the event you discover that it is needed, you can always download the most recent version.

    Adobe Products
    Regular readers of this blog are familiar with my postings of critical updates for Adobe products.  You may not realize, however, that there have been over a dozen critical updates of Adobe products just this year between February and September.  Combined, outdated Adobe products were directly responsible for 48% of the infections in the analysis.

    Although I will continue providing updates for these products, it is advisable that you check that you have the most recent versions of Adobe products.  Personally, I switched to an alternate PDF reader some time ago.  There are a number of open source readers available from http://pdfreaders.org/.  Others include Nitro Reader and Sumatra PDF.

    Internet Explorer

    Although the CSIS analysis shows Internet Explorer as the most affected browser, the report falls short in not breaking down the statistics by browser version.  According to the IE6 Countdown, at the end of September, 2011, 9% of the world is still using IE6.

    It is not very likely that 66% of the reported thousands of users in the analysis who had been exposed to drive-by attacks were using IE9.  Nonetheless, Denmark should be commended with only 0.7% of the users still on IE6.  The percentage still using IE7 is unknown.  Considering the high percentage of affected Windows XP computers, it would not be surprising to learn that the majority have not updated to IE8.


    CSIS: This is how Windows get infected with malware
    IE6 Countdown
    Microsoft Download Center - Windows Internet Explorer 8 for Windows XP


    Thursday, October 06, 2011

    Security Bulletin Advance Notification for October, 2011

    On Tuesday, October 11, 2011, Microsoft is planning to release eight (8) Security Bulletins, addressing 23 vulnerabilities. Two of the bulletins are rated Critical and six are rated Important, addressing vulnerabilities in Internet Explorer, .NET Framework & Silverlight, Microsoft Windows, Microsoft Forefront UAG, and Microsoft Host Integration Server.

    The bulletins address Remote Code Execution, Elevation of Privilege and Denial of Service, several requiring a restart. Whether required or not, it is advised to restart your computer after installing updates.  In addition, due to issues many people experience when installing .NET Framework updates, it is advised that those updates be installed separately.



    Wednesday, October 05, 2011

    To Mozilla: Update Fatigue, Yes, Silent Updates, No!

    Mozilla, what is the matter with your thinking?  Being stuck with a slow dial-up connection, I switched to Phoenix because it was faster than other browsers I tried.  I stayed with Firebird and then the final product name, Firefox.  That is a lot of years history, which I can envision coming to an end.

    It has almost reached the point that the only thing that is keeping me from uninstalling Firefox is the extensions that I use throughout the day.

    Update Fatigue

    First came the rush out the door every six weeks with the "rapid-release process".  This nonsense put unnecessary stress and strain on both devoted Firefox users as well as developers of users' favorite extensions.  The process has not been error free, particularly as evidenced by the problems users encountered with the update to version 7, resulting in "hidden add-ons". 

    There would be no "update fatigue" if the silly rapid-release process is put to rest, where it belongs.  New features are important for maintaining excitement and interest in the product.  Prompt security updates are critical.  However, what value is there in introducing new features every six weeks when the users have not fully appreciated or become accustomed to the previous changes?

    Silent Updates

    Now, brought back from the dark channels is the ill-planned silent update currently in development for version 10.  Back up, Mozilla.  You have no right to override UAC in order to achieve your silent update plans.  Only the computer owner has the right to make any changes to UAC, not a third-party software program.  It is my computer and I will decide what I install on it and when it will be installed.

    Can anyone hear the world-wide uproar if Microsoft switched to silent updates? 


    Monday, October 03, 2011

    Cyber Security Awareness Month 2011

    For the eighth consecutive year, October has been declared Cyber Security Awareness Month. 

    The purpose of Cyber Security Awareness Month is to provide both awareness and education for all digital citizens, whether using a desktop PC, laptop, tablet, smart phone, or multiple devices.

    The official declaration was made in the United States in an official proclamation by The President. Again this year, the theme is "Our Shared Responsibility", with Stay Safe Online continuing as the official sponsor site. 

    The United States is not alone in declaring October as Cyber Security Awareness Month.  Canada’s Minister of Public Safety kicked off Cyber Security Awareness Month in Canada with the launch of Get Cyber Safe.
