Tuesday, June 26, 2012

Microsoft .NET Framework Repair Tool

Anyone who has ever had a problem with .NET Framework, particularly a repeatedly offered security update, knows how difficult it can be to fix. Without a specific error code, it is more difficult to research the source of the problem.

Until recently, the primary go-to source for help was Aaron Stebner's WebLog on MSDN Blogs at Unified .NET Framework Troubleshooting Guide. I have also provided the recommendation to install .NET Framework security updates, with a shutdown/restart and separately from other security updates.

Troubleshooting .NET Framework problems may be near an end with the release by Microsoft of the Microsoft .NET Framework Repair Tool. As described in Microsoft KB Article 2698555,

"The tool may make one or more of several possible changes to the installed product. For example, it may correct the state of Windows Installer on the computer, reset the DACLs on certain folders, or resolve some issues that are related to invalid or corrupted update registration.

The tool follows a four-step process:
  1. Try to troubleshoot the issue.
  2. Apply the fixes (with user consent).
  3. Try to repair the .NET Framework 4.
  4. Collect logs (with user consent)."






Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Friday, June 22, 2012

Firefox 'New Tab' Feature Exposes Secure Information


A report at The Register indicates that the "New Tab" thumbnail feature in Firefox 13 is "taking snapshots of the user's HTTPS session content".

The reader of The Register indicated that when he opened a new tab, he was presented with his earlier online banking and webmail sessions, complete with account number information, balance, etc.
 
On the computer where I generally have 16-20 tabs open, the new tab did indeed include thumbnails of cached pages of sites I had logged on to. On a second computer that generally has only four tabs open, my email page was prominently displayed.

Although the display of the cached pages is highly undesirable, since my Firefox profile is associated with my computer logon, I can see that the thumbnail is displaying the past page visited and, in some cases, the page currently displayed on another tab! 

Recommendations

If you use a shared or public computer, use the Private Browsing feature:
At the top of the Firefox window, click the Firefox button (Tools menu in Windows XP) and select "Start Private Browsing" (Keyboard shortcut = Ctrl+Shift+P).

Although it will not help for an existing session, use the setting to clear history when Firefox closes.
At the top of the Firefox window, click the Firefox button (Tools menu in Windows XP).  Select Options > Privacy > Clear history when Firefox closes.  When you relaunch Firefox and click the "New Tab" button, empty thumbnails with just the site name are presented.

According to Mozilla, the new tab appears when you click the “+” at the end of your tab strip. Strangely, although I have the latest version installed, some customizations or an installed add-on apparently result in no "+" at the end of the tab strip. For standard installations, apparently there is a small button, in the upper right corner that hides the site tiles, leaving only the small button visible.  Perhaps a Security Garden reader can confirm that and provide a link to a screen capture.


Mozilla Statement

Following is the statement provided by Mozilla when presented with the issue by The Register:


"We are aware of the concern and have a fix that will be released in a future version of Firefox. Mozilla remains resolute in its commitment to privacy and user control. The new tab thumbnail feature within Firefox does not transmit nor store personal information outside the user's direct control.

The new tab thumbnails are based on users' browsing history. All information is contained within the browser and can be deleted at any time. Users can also switch back to using blank new tab screens by clicking the square icon in the top right corner of the browser. That will change the default preference to show a blank page, rather than the most visited websites when a new tab is opened.
Users who share their computer or use Firefox on a public computer should follow best practices for protecting their privacy by utilizing the built-in privacy tools in Firefox, such as Private Browsing Mode."



Thursday, June 21, 2012

Adobe Flash Player "Plug-in Version" Updated


As indicated by the comments in Mozilla Firefox 13.0.1 Addresses Adobe Flash Crashes, the Firefox update did not solve all of the problems people who use the "Plug-in Version" (non-IE) have been having with Adobe Flash Player since the update to include Protected Mode ("sandboxing").
Thanks to ky331 who reported:
1) Flash Player plug-in version only (for browsers other than IE) has been updated to 11.3.300.262
[Flash ActiveX for IE remains at 11.3.300.257]

2) Users of Sandboxie experiencing problems with Flash 11.3 should update Sandboxie to version 3.72
http://www.sandboxie.com/index.php?VersionChanges#v_3_72

I recommend the direct download link for the update since it does not include the unnecessary, pre-checked optional McAfee Security Scan Plus scan.  Alternatively, the update is available at the Adobe Flash Player Download Center.


Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 





Saturday, June 16, 2012

Mozilla Firefox 13.0.1 Addresses Adobe Flash Crashes


Firefox 13.0.1 was released to address problems encountered after the Adobe Flash Player update caused Firefox to freeze or crash (see Flash Player Update Causes Firefox Crashes).

The Flash Player update included Protected Mode for users of Firefox 4.0 and greater on Windows Vista and higher.  The purpose of Protected Mode is to limit the impact of attacks launched from malicious Flash content (SWF files).

Edit Note:  Also see Adobe Flash Player "Plug-in Version" Updated


What's New


The Release Notes include fixed features in version 13.0.1.
  • FIXED -- Windows Messenger did not load in Hotmail, and the Hotmail inbox did not auto-update (764546, fixed in 13.0.1)
  • FIXED -- Hebrew text sometimes rendered incorrectly (756850, fixed in 13.0.1)
  • FIXED -- Flash 11.3 sometimes caused a crash on quit (747683, fixed in 13.0.1)

Update

The update to Firefox 13.0.1 will be offered through the browser update mechanism after any impacts related to the Microsoft Security Updates are analyzed.  To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu.

If you do not use the English language version, Fully Localized Versions are available for download.


Tuesday, June 12, 2012

Microsoft Security Advisory 2719615 + Fix it Solution


Microsoft released Security Advisory 2719615 which relates to a Remote Code Execution issue involving MSXML Core Services 3.0, 4.0, 5.0, and 6.0. The vulnerability affects all supported releases of Microsoft Windows, and all supported editions of Microsoft Office 2003 and Microsoft Office 2007.

As described in the Security Advisory:
"The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website."


Microsoft Fix it

As an interim work-around, Microsoft has provided a Microsoft Fix it solution that blocks the attack vector for this vulnerability.

The Fix it solution is available from Microsoft KB Article 2719615, with direct links to the download files to enable and disable the solution below.  I suggest that you save both files so that you can disable the solution prior to installing the update when it is released.

• Enable: "Fix this problem" -- Microsoft Fix it 50897
• Disable: "Fix this problem" -- Microsoft Fix it 50898

HatTip:  ky331

Oracle Java SE Critical Security Update

Oracle released security updates for its Java SE Runtime Environment software.  The updates include fourteen (14) new security fixes affecting the following product versions:
• JDK and JRE 7 Update 4 and earlier
• JDK and JRE 6 Update 32 and earlier
• JDK and JRE 5.0 Update 35 and earlier
• SDK and JRE 1.4.2_37 and earlier
• JavaFX 2.1 and earlier
It is strongly recommended that the update be applied as soon as possible due to the threat posed by a successful attack.


Although Java is not required (See Do You Need Java?), if you do have Java installed on your computer, it is advisable to install the latest update.  It is also advised that all prior (and vulnerable) versions of Java SE be uninstalled from your computer.

Download Information

Now that Java SE 7 has been officially released, it is recommended that users of Java SE 6 upgrade to the latest version.  When you upgrade from Java SE 6 to Java SE 7, please check installed program files and remove all versions of Java SE 6. The "end of life" date for Java SE 6 has been extended from July 2012 to November 2012, to allow some more time for the transition to JDK 7.


Select Java SE 7u5 from http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1637588.html

or Java SE 6 Update 33 from http://java.com/en/download/manual_v6.jsp


Verify your version:  http://www.java.com/en/download/testjava.jsp

Note: UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.

Critical Patch Updates

For Oracle Java SE Critical Patch Updates, the next scheduled dates are:
• 16 October 2012
• 19 February 2013

Microsoft June 2012 Security Bulletin Release


Microsoft released seven (7) bulletins, of which three (3) bulletins are identified as Critical and four (4) as Important.

The bulletins address twenty-six (26) vulnerabilities in Microsoft Windows, Internet Explorer, Visual Basic for Applications, Dynamics AX, and the .NET Framework.

In addition to the security bulletins identified below, an automatic updater feature for Windows Vista and Windows 7 untrusted certificates is being released.  As described in the MSRC Blog:
"This new automatic updater feature provides a mechanism that allows Windows to specifically flag certificates as untrusted. With this new feature, Windows will check daily for updated information about certificates that are no longer trustworthy. In the past, movement of certificates to the untrusted store required a manual update. This new automatic update mechanism, which relies on a list of untrusted certificates known as a Disallowed Certificate Trust List (CTL), is detailed on the PKI blog. We encourage all customers to install this new feature immediately."

If you have had difficulties with .NET Framework in the past, it is strongly advised that the MS12-038 .NET update be installed separately, including a shutdown/restart.

Security Bulletins

• MS12-036 -- Vulnerability in Remote Desktop Could Allow Remote Code Execution (2685939)
• MS12-037 -- Cumulative Security Update for Internet Explorer (2699988)
• MS12-038 -- Vulnerability in .NET Framework Could Allow Remote Code Execution (2706726)
• MS12-039 -- Vulnerabilities in Lync Could Allow Remote Code Execution (2707956)
• MS12-040 -- Vulnerability in Microsoft Dynamics AX Enterprise Portal Could Allow Elevation of Privilege (2709100)
• MS12-041 -- Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2709162)
• MS12-042 -- Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2711167)

Support

The following additional information is provided in the Security Bulletin:


Sunday, June 10, 2012

Flash Player Update Causes Firefox Crashes


Update: See Mozilla Firefox 13.0.1 Addresses Adobe Flash Crashes and Adobe Flash Player "Plug-in Version" Updated.

From reports at Ghacks, it appears that the Adobe Flash Player update including Flash Player Protected Mode for Firefox is causing Firefox to freeze or crash.
The addition of Protected Mode is for users of Firefox 4.0 and greater on Windows Vista and higher.  (Protected Mode for Firefox is not available on Windows XP.)  The purpose of Protected Mode is to limit the impact of attacks launched from malicious Flash content (SWF files).

If you experience crashes or freezing of Firefox after installing the latest Adobe Flash Player update, the following workarounds are available:

Solutions


1. The easiest solution is to disable the Flash Player Plugin.  Select Add-ons > Plugins.  Scroll through the list of plugins to "Shockwave Flash" and click "Disable".
2. Follow the instructions provided by Adobe:  How do I disable Flash Player's protected mode for Firefox?
3. As some of the reports indicate the crashes occur if multiple pages with Flash content are opened at the same time in Firefox, consider NoScript, which provides the ability to selectively allow Flash content.
Edit Note:  Adobe provides instructions for doing a "clean install" of Flash Player at How do I do a clean install of Flash Player?.

Due to the critical nature of the Adobe Flash Player security updates, it is recommended that the update be installed.  Adobe claims that the feature is fully tested and reliable.


Friday, June 08, 2012

Adobe Flash Player Security Update


Adobe Flash Player was updated to address critical security vulnerabilities.
Note that beginning with Adobe Flash Version 11.3, the universal 32-bit installer includes the 32-bit and 64-bit versions of the Flash Player.  Additionally, the separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.
Three security improvements were included in the release of Flash Player 11.3.  From the ASSET Blog, linked below:
• Flash Player Protected Mode ("sandboxing") is now available for Firefox users on Windows.  (Note:  As explained in the ASSET Blog, Protected Mode for Firefox is not available on Windows XP.)
• For Mac users, this release will include the background updater for Mac OS X.
• This release and all future Flash Player releases for Mac OS X will be signed with an Apple Developer ID, so that Flash Player can work with the new Gatekeeper technology for Mac OS X Mountain Lion (10.8).

Update Information

The newest version for Windows, Macintosh, Linux and Solaris is 11.3.300.257. (Edit Note:  Solaris was not included in this update.)

Release date: June 8, 2012
Vulnerability identifier: APSB12-14
Priority: See table below
CVE number: CVE-2012-2034, CVE-2012-2035, CVE-2012-2036, CVE-2012-2037, CVE-2012-2038, CVE-2012-2039, CVE-2012-2040
Platform: All Platforms

Priority and Severity ratings

Adobe categorizes these updates with the following priority ratings and recommends users update their installations to the newest versions:
• Adobe Flash Player 11.3.300.257 for Windows and Macintosh: Priority 2
• Adobe Flash Player 11.2.202.236 for Linux: Priority 3
• Adobe Flash Player 11.1.115.9 for Android 4.x: Priority 3
• Adobe Flash Player 11.1.111.10 for Android 3.x and 2.x: Priority 3
• Adobe AIR 3.3.0.3610 for Windows, Macintosh, and Android: Priority 3

These updates will address critical vulnerabilities in the software.

Flash Player Update Instructions


Flash Player for Windows, Macintosh, Linux and Solaris

Although Adobe suggests downloading the update from the Adobe Flash Player Download Center or by using the auto-update mechanism within the product when prompted, if you prefer, direct download links are available.
(H/T ky331 for the correct Uninstaller link!)

Notes:
• Beginning with Adobe Flash Version 11.3, the universal 32-bit installer will include the 32-bit and 64-bit versions of the Flash Player.
• If you use the Adobe Flash Player Download Center, be careful to uncheck the optional McAfee Security Plus box.  It is not needed for the Flash Player update.
• Uncheck any toolbar offered with Adobe products if not wanted.
• If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
• The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.

Adobe Flash Player for Android

The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu.

Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

When Adobe Flash Player is updated, it is recommended that Adobe AIR version be checked as well.  Go to Adobe AIR Help to determine the version of Adobe AIR runtime installed.  The current version of Adobe AIR is 3.3.0.3610.
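Checking each browser's Flash component one at a time through the About page is tedious on a machine with several browsers. The following PowerShell script is an added example (not from the original posts, Adobe, or Security Garden) that verifies both the ActiveX (Internet Explorer) and plug-in (other browsers) files on a Windows machine against the versions named in the posts above (plug-in 11.3.300.262, ActiveX 11.3.300.257). It assumes Flash installs into <windir>\System32\Macromedia\Flash (and SysWOW64 on 64-bit Windows) as NPSWF*.dll for the plug-in and Flash*.ocx for the ActiveX control.

```powershell
# Added example, not part of the original post: compare the Flash Player
# browser components installed on this Windows machine with the versions
# named in the posts (plug-in 11.3.300.262, ActiveX 11.3.300.257).
# Assumption: Flash installs into <windir>\System32\Macromedia\Flash
# (and SysWOW64 on 64-bit Windows) as NPSWF*.dll (plug-in) and
# Flash*.ocx (ActiveX); adjust the paths if your installation differs.

$ExpectedVersions = @{
    Plugin  = [version]'11.3.300.262'   # non-IE browsers (Firefox, etc.)
    ActiveX = [version]'11.3.300.257'   # Internet Explorer
}

function Get-FlashPlayerStatus {
    # On 64-bit Windows the 32-bit files live in SysWOW64 and any 64-bit
    # files in System32; on 32-bit Windows only System32 exists.
    $dirs = @("$env:windir\System32\Macromedia\Flash",
              "$env:windir\SysWOW64\Macromedia\Flash") | Where-Object { Test-Path $_ }

    $results = @()
    foreach ($dir in $dirs) {
        foreach ($file in Get-ChildItem -Path "$dir\*" -Include 'NPSWF*.dll', 'Flash*.ocx') {
            $vi = $file.VersionInfo
            # Build a comparable version from the numeric parts; the
            # FileVersion string uses commas and cannot be compared directly.
            $actual = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                                   $vi.FileBuildPart, $vi.FilePrivatePart)
            $kind = if ($file.Extension -eq '.ocx') { 'ActiveX' } else { 'Plugin' }
            $expected = $ExpectedVersions[$kind]
            $status = if ($actual -lt $expected) { 'OUT OF DATE - update needed' }
                      elseif ($actual -eq $expected) { 'current' }
                      else { 'newer than the version in this post' }
            $results += New-Object PSObject -Property @{
                Component = $kind
                File      = $file.FullName
                Installed = $actual
                Expected  = $expected
                Status    = $status
            }
        }
    }
    if ($results.Count -eq 0) {
        Write-Warning 'No Flash Player browser components found in the standard folders.'
    }
    return $results
}

# Report on both components, since the post recommends verifying each
# browser installed on the computer.
Get-FlashPlayerStatus | Format-Table Component, Installed, Expected, Status -AutoSize
```

Both the ActiveX control and the plug-in DLL are checked, so a machine where only Internet Explorer was updated shows the plug-in line as out of date.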



Thursday, June 07, 2012

Security Bulletin Advance Notice for June


On Tuesday, June 12, 2012, Microsoft is planning to release seven (7) bulletins, of which three bulletins are identified as Critical and the remaining four as Important.  Most of the updates will require a restart.

The bulletins address twenty-five (25) vulnerabilities in Microsoft Windows, Internet Explorer, Visual Basic for Applications, Dynamics AX, and the .NET Framework.  If you have had difficulties with .NET Framework in the past, it is strongly advised that the .NET update be installed separately.

As happens each month, Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.


Tuesday, June 05, 2012

Mozilla Firefox 13 Released With Critical Security Updates


Firefox 13 was sent to the release channel today by Mozilla.  Included in the update are five (5) critical, two (2) high, and one (1) moderate security updates.  Of greatest concern is MFSA 2012-35, introduced with the first step toward silent updates included in the Firefox 12 update:

"Security researcher James Forshaw of Context Information Security found two issues with the Mozilla updater and the Mozilla updater service introduced in Firefox 12 for Windows. The first issue allows Mozilla's updater to load a local DLL file in a privileged context. The updater can be called by the Updater Service or independently on systems that do not use the service. The second of these issues allows for the updater service to load an arbitrary local DLL file, which can then be run with the same system privileges used by the service. Both of these issues require local file system access to be exploitable."


Security Updates Fixed in Firefox 13

• MFSA 2012-40 Buffer overflow and use-after-free issues found using Address Sanitizer
• MFSA 2012-39 NSS parsing errors with zero length items
• MFSA 2012-38 Use-after-free while replacing/inserting a node in a document
• MFSA 2012-37 Information disclosure through Windows file shares and shortcut files
• MFSA 2012-36 Content Security Policy inline-script bypass
• MFSA 2012-35 Privilege escalation through Mozilla Updater and Windows Updater Service
• MFSA 2012-34 Miscellaneous memory safety hazards

What's New

An interesting new feature is the change when opening a new tab.  Where it was previously a blank space, the new tab now has a feature like Internet Explorer 9 and the other major browsers.  Where IE9, for example, includes links to "Your most popular sites", Firefox 13 now displays tab views and links to "most visited pages".

The Release Notes include new and fixed features in version 13.  The numerous Bug Fixes are in the link available in References.
• NEW -- When opening a new tab, users are now presented with their most visited pages
• NEW -- General performance improvements through incremental JavaScript garbage collection
• NEW -- The default home page now has quicker access to bookmarks, history, settings, and more
• CHANGED -- SPDY protocol now enabled by default for faster browsing on supported sites
• CHANGED -- Restored background tabs are not loaded by default for faster startup
• CHANGED -- Smooth scrolling is now enabled by default

Known Issues

• If you try to start Firefox using a locked profile, it will crash (see 573369)
• For some users, scrolling in the main GMail window will be slower than usual (see 579260)
• Windows: The use of Microsoft's System Restore functionality shortly after updating Firefox may prevent future updates (see 730285)
• OS X: nsCocoaWindow::ConstrainPosition uses wrong screen in multi-display setup (see 752149)
• CSS :hover regression when an element's class name is set by Javascript (see 758885)

Update

The upgrade to Firefox 13 will be offered through the browser update mechanism after any impacts related to the Microsoft Security Updates are analyzed.  To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu.

If you do not use the English language version, Fully Localized Versions are available for download.

References


Monday, June 04, 2012

Security Advisory & Update Related to Flame

Microsoft discovered that some components of the Flame malware have been signed by certificates that allow software to appear as if it were produced by Microsoft.  Apparently there is an older cryptography algorithm that could be exploited and used to sign code to make it appear that it originated from Microsoft.

As a result, Microsoft released Security Advisory 2718704, Unauthorized Digital Certificates Could Allow Spoofing, and a security update.  The security update revokes the trust of the following intermediate CA certificates:
• Microsoft Enforced Licensing Intermediate PCA (2 certificates)
• Microsoft Enforced Licensing Registration Authority CA (SHA1)

If you do not have automatic updating enabled, the update is available by checking for updates or can be downloaded from Microsoft KB Article 2718704.
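The update places the revoked certificates in the local machine's "Untrusted Certificates" (Disallowed) store. The following PowerShell script is an added example (not from Microsoft or the original post) that confirms the certificates named above are present there, so an administrator can verify the update on a machine without opening the Certificates console. It assumes all three entries (two Intermediate PCA plus one Registration Authority CA, per the list above) carry "Microsoft Enforced Licensing" in their subject name.

```powershell
# Added example, not part of the original post: verify that the
# certificates listed in Security Advisory 2718704 have been moved into
# the local machine's Disallowed ("Untrusted Certificates") store, which
# is what the KB2718704 update does.
# Assumption: the three entries (2 Intermediate PCA + 1 Registration
# Authority CA) all contain "Microsoft Enforced Licensing" in the subject.

function Test-EnforcedLicensingRevocation {
    param(
        # Minimum number of matching entries expected once the update is applied.
        [int]$ExpectedCount = 3
    )
    $store = 'Cert:\LocalMachine\Disallowed'
    # @() keeps .Count meaningful when zero or one certificate matches.
    $found = @(Get-ChildItem -Path $store |
               Where-Object { $_.Subject -like '*Microsoft Enforced Licensing*' })

    # Show enough to identify each entry without dumping the whole certificate;
    # Out-Host prints the table so it is not mixed into the return value.
    $found | Select-Object Subject, Thumbprint, NotBefore, NotAfter |
        Format-Table -AutoSize | Out-Host

    if ($found.Count -ge $ExpectedCount) {
        Write-Host "OK: $($found.Count) Microsoft Enforced Licensing certificate(s) are untrusted on this machine."
        return $true
    }
    Write-Warning ("Only $($found.Count) of $ExpectedCount expected entries found in $store; " +
                   'install the KB2718704 update via Windows Update and re-run this check.')
    return $false
}

Test-EnforcedLicensingRevocation
```

Reading the LocalMachine store does not require elevation, so the check can be run from a standard user session; the function returns $true or $false for use in a larger compliance script.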

