Tuesday, January 31, 2012

Mozilla Firefox 10 Released, Includes Security Update

Mozilla released Firefox 10 today, including a major change that will please developers and Firefox users alike: almost all add-ons are now treated as compatible by default.

Beyond pleasing users, the change matters to Mozilla's release process. The feature tracking entry for "Add-ons Default to Compatible" in the Mozilla Wiki notes that it is "prioritized as a P1 and part of achieving 'silent update'."

Security Update

"Title: Frame scripts calling into untrusted objects bypass security checks
Impact: Critical
Announced: January 31, 2012

Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 10.0, Thunderbird 10.0, SeaMonkey 2.7

Description:  Mozilla security researcher moz_bug_r_a4 reported that frame scripts bypass XPConnect security checks when calling untrusted objects. This allows for cross-site scripting (XSS) attacks through web pages and Firefox extensions. The fix enables the Script Security Manager (SSM) to force security checks on all frame scripts."

What's New

The Release Notes list the new features and fixes in version 10.  The numerous bug fixes are in the link available in References.
  • NEW -- The forward button is now hidden until you navigate back
  • NEW -- Most add-ons are now compatible with new versions of Firefox by default
  • NEW -- Anti-Aliasing for WebGL is now implemented (see bug 615976)
  • NEW -- CSS3 3D-Transforms are now supported (see bug 505115)
  • HTML5 -- New element for bi-directional text isolation, along with supporting CSS properties (see bugs 613149 and 662288)
  • HTML5 -- Full Screen APIs allow you to build a web application that runs full screen (see the feature page)
  • DEVELOPER -- We've added IndexedDB APIs to more closely match the specification
  • DEVELOPER -- Inspect tool with content highlighting, includes new CSS Style Inspector
  • FIXED -- Mac OS X only - after installing the latest Java release from Apple, Firefox may crash when closing a tab with a Java applet installed (700835)
  • FIXED -- Some users may experience a crash when moving bookmarks (681795)

    Known Issues

    • Two-digit browser version numbers may cause a small number of website incompatibilities (see 690287)
    • If you try to start Firefox using a locked profile, it will crash (see 573369)
    • For some users, scrolling in the main GMail window will be slower than usual (see 579260)
    • Some synaptic touch pads are unable to vertical scroll (see 622410)
    • Firefox notifications may not work properly with Growl 1.3 or later (see 691662) (unresolved in v10; resolved in v11)
    • Under certain conditions, scrolling and text input may be jerky (see 711900)
    • Silverlight video may not play on some Macintosh hardware (see 715396)

    The upgrade to Firefox 10 will be offered through the browser update mechanism.  However, as the upgrade includes a critical security update as well as many bug fixes, it is recommended that the update be applied as soon as possible.  To get the update now, select Help, About Firefox, Check for Updates.

    If you do not use the English language version, Fully Localized Versions are available for download.


    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...

    Monday, January 30, 2012

    When imitation isn’t a form of flattery

    Rogues (fake antivirus programs) have been around for many years.  Members of the security community and people who have been on the Internet for a number of years will recall the various "SpyAxe", "SpyTrooper" and associated rogues of 2005, which we relied so heavily on the smitRem tool developed by "noahdfear" to remove. 

    Over the years, the rogues have evolved, many with rootkit components.  Just like clever phishing e-mails, the rogues are also very convincing with legitimate-looking windows as they attempt to convince people to fork over hard-earned money in order to "clean" the infected computer.

    Today, we are faced with not only rogues imitating Microsoft security software but also scammers telephoning unsuspecting people, attempting to obtain remote access to their computer.  These scammers misrepresent themselves as calling on behalf of Microsoft or as Microsoft technicians.

    As illustrated in When imitation isn’t a form of flattery, by Jasmine Sesso, MMPC Melbourne, Microsoft is not only adding the rogues to detection but also warning customers that Microsoft will NEVER call anyone to tell them that their computer is infected.  As clarified in the article:
    • "Our consumer products, namely Microsoft Security Essentials, Safety Scanner and Windows Defender are available to all genuine Windows users for free. That's right – we offer these products at no cost! So please, do not enter your credit card details into a program that looks like one of ours, as this is most likely a rogue.
    • We do not pop up on your screen every 30 seconds, minute, 90 seconds, etc. Rogues, however, will pester you and pester you until you either a) click OK and concede to buy their malicious program, or b) remove them once and for all with a reputable antivirus.
    • Microsoft will never cold-call a user. Ever. If you receive one of these phone calls, hang up."
    Note:  Never click inside a rogue pop-up window.  Even the "X" that appears to close the window may be drawn by the rogue's own page, so clicking it can grant permission to continue the installation.  Instead, close the window with the keyboard command Alt + F4, then run an updated scan with your installed antivirus software.

    Please also note this excellent advice included in the article:

    "We will continue to fight the good fight, and do what we can to prevent the spread of malicious programs; but in the meantime, stay safe online, and think twice before handing over your credit card details to a third party you cannot verify – like one displaying pop-ups, or on the end of an unsolicited phone call."
    Read the full article on the MMPC Blog: When imitation isn’t a form of flattery.


    Wednesday, January 25, 2012

    Data Privacy Day 2012

    Data Privacy Day is an annual international celebration designed to promote awareness about privacy and education about best privacy practices.

    The 2012 international celebration of Data Privacy Day is scheduled for January 28. 

    Why the concern about privacy?

    What may begin as a casual Facebook update or an innocuous tweet could easily come back to haunt you down the road.  Unlike writing something on the bathroom wall, which can easily be painted over, what we do online is effectively permanent: copies can persist long after the original is deleted.  This includes status updates or comments on a friend's wall in Facebook, tweets, e-mail and online chats.

    All of these on-line activities contribute to your online reputation -- a reputation that can impact being accepted to the college or university of your choice or a future employment opportunity.

    Disclosing too much information online can also lead to identity theft, resulting in the loss of personal data, such as passwords, user names, banking information, or credit card numbers.

    Protect Your Privacy

    Take steps now to protect your privacy.  

    Don't share too much personal information online.  Having your date of birth, address, where you went to school, mother's maiden name, and other personal information available to the public is the first step to identity theft.

    The public does not need to know every location you "check-in" to via your smart phone and neither do the burglars! 

    Take advantage of the enhanced security and privacy features available in the browser you use.  (See my article, Internet Explorer 9, Privacy and Security Enhancements, for tips on protecting your privacy and security.) 

    Use caution accepting friend requests in social media venues such as Facebook.  Just because someone sends a friend request, it is not necessary to accept it.  Be certain the person is someone known to you.

    Parents need to monitor the online activities of their children.


    Take advantage of the helpful resources below which include information on privacy settings for Microsoft products and excellent advice from Sophos on Facebook privacy.

    Related:  Data Privacy


    Friday, January 20, 2012

    To My "Other" Girl

    Happy Birthday,

    A special person in my life is officially a teenager!

    Happy Birthday, Sweetheart!

    (It seems like yesterday I sent the same wishes to my other girl.  Time certainly flies!)


    Tuesday, January 10, 2012

    Adobe Reader and Acrobat Critical Security Updates

    Adobe released critical security updates addressing vulnerabilities in Adobe Reader and Adobe Acrobat.  The flaws are memory and heap corruption vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

    Acrobat and Reader users can update to the latest version using the built-in updater, by clicking "Help" and then "Check for Updates."  The Adobe Reader update for Windows is also available from http://www.adobe.com/products/reader/.  Better still is the FTP download site, ftp://ftp.adobe.com/pub/adobe/reader/win/10.x/10.1.2/, which provides the plain installer without the optional bundled add-ons offered on the web download page.

    The next quarterly security updates for Adobe Reader and Acrobat are currently scheduled for April 10, 2012.

    Release Details

    • Release date: January 10, 2012
    • Vulnerability identifier: APSB12-01
    • CVE numbers: CVE-2011-2462, CVE-2011-4369, CVE-2011-4370, CVE-2011-4371, CVE-2011-4372, CVE-2011-4373
    • Platform: Windows and Macintosh

      Affected Software Versions

      • Adobe Reader X (10.1.1) and earlier 10.x versions for Windows and Macintosh
      • Adobe Reader 9.4.7 and earlier 9.x versions for Windows
      • Adobe Reader 9.4.6 and earlier 9.x versions for Macintosh
      • Adobe Acrobat X (10.1.1) and earlier 10.x versions for Windows and Macintosh
      • Adobe Acrobat 9.4.7 and earlier 9.x versions for Windows
      • Adobe Acrobat 9.4.6 and earlier 9.x versions for Macintosh
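The affected-version list above is easy to misread when checking an inventory by hand, and a plain string comparison of version numbers gets it wrong (for instance, "10.1.10" sorts below "10.1.2" as text).  The following is an added example, not Adobe's code, that encodes the bulletin's thresholds as numeric tuples and flags the hosts that still need the update; the inventory rows, host names and the `triage` helper are constructed for illustration.

```python
"""Flag Adobe Reader / Acrobat installs that fall inside the affected ranges
listed in APSB12-01 (added example; only the thresholds come from the bulletin,
the inventory format and host names are assumptions)."""

from typing import Iterable, List, Tuple

# Highest affected build per (major version, platform), from the bulletin:
#   10.x: 10.1.1 and earlier on Windows and Macintosh
#    9.x:  9.4.7 and earlier on Windows, 9.4.6 and earlier on Macintosh
LAST_AFFECTED = {
    (10, "windows"): (10, 1, 1),
    (10, "mac"): (10, 1, 1),
    (9, "windows"): (9, 4, 7),
    (9, "mac"): (9, 4, 6),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.1.1' into (10, 1, 1).  Numeric tuples compare correctly,
    whereas the raw strings would rank '10.1.10' below '10.1.2'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, platform: str) -> bool:
    """True if this Reader/Acrobat build is in an affected range.
    A major version the bulletin does not list (8.x, 11.x) is reported as
    not affected by *this* bulletin, which is not the same as being safe."""
    v = parse_version(version)
    key = (v[0], platform.lower())
    if key not in LAST_AFFECTED:
        return False
    return v <= LAST_AFFECTED[key]


def triage(inventory: Iterable[Tuple[str, str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, product, version) for every row that needs the update.
    Each inventory row is (host, product, platform, version); the row layout
    is an assumption of this example, not an Adobe format."""
    return [
        (host, product, version)
        for host, product, platform, version in inventory
        if product.lower() in ("reader", "acrobat") and is_affected(version, platform)
    ]


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    ("ws01", "Reader", "Windows", "10.1.1"),   # 10.1.1 and earlier: affected
    ("ws02", "Reader", "Windows", "10.1.2"),   # the build on the FTP site: not affected
    ("ws03", "Acrobat", "Mac", "9.4.6"),       # 9.4.6 and earlier on Mac: affected
    ("ws04", "Acrobat", "Windows", "9.4.7"),   # 9.4.7 and earlier on Windows: affected
    ("ws05", "Reader", "Windows", "10.1.10"),  # newer than 10.1.2; a string compare would flag it
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"needs APSB12-01 update: {host} {product} {version}")
```

Feed `triage` rows from whatever inventory tool you use; the only requirement is a dotted numeric version string and a platform of "Windows" or "Mac".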



      Microsoft January 2012 Security Bulletin Release

      Microsoft released seven (7) security bulletins, one of which is rated Critical in severity, with the remaining six classified as Important.

      The bulletins address vulnerabilities in Microsoft Windows and Microsoft Developer Tools and Software.  Most updates will require a restart to complete the installation.

      The bulletin withdrawn last month, after Microsoft discovered a compatibility issue between the candidate update for Security Advisory 2588513 and a major third-party vendor's software, is included in this release as MS12-006, "Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584)". 

      Security Bulletins

      Bulletin Number   Bulletin Title                          Bulletin KB
      MS12-001          Vulnerability in Microsoft Windows      2644615
      MS12-002          Vulnerability in Microsoft Windows      2603381
      MS12-003          Vulnerability in Microsoft Windows      2646524
      MS12-004          Vulnerabilities in Microsoft Windows    2636391
      MS12-005          Vulnerability in Microsoft Windows      2584146
      MS12-006          Vulnerability in Microsoft Windows      2643584
      MS12-007          Vulnerability in Microsoft ASP.NET      2607664


      The following additional information is provided in the Security Bulletin:
      • The affected software listed have been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your software version, visit Microsoft Support Lifecycle.
      • Customers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.
      • International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit International Help and Support.



      Thursday, January 05, 2012

      Security Bulletin Advance Notification for January, 2012

      On Tuesday, January 10, 2012, Microsoft is planning to release seven (7) Security Bulletins, of which one bulletin is identified as Critical with the remaining as Important.

      The bulletins address vulnerabilities in Microsoft Windows and Microsoft Developer Tools and Software.  Most updates will require a restart to complete the installation.

      Note from the Advance Notification that Bulletin 2, identified as Important, addresses a "Security Feature Bypass" in Microsoft Windows.  As the MSRC Blog explains, Security Feature Bypass (SFB) class issues cannot on their own be leveraged by an attacker to compromise a system; a would-be attacker would instead use such an issue to make another exploit more effective.  Further information is expected to be available in the SRD blog following the release of the update.



      Sunday, January 01, 2012

      2012 Microsoft® MVP Award

      Dear Corrine Chorney,

      Congratulations! We are pleased to present you with the 2012 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Consumer Security technical communities during the past year.

      ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

      Starting off the New Year with notice of being re-awarded as Microsoft® MVP is certainly a great way to begin the year! 

      Wishing family, friends and Security Garden readers a happy and healthy 2012!
