Tuesday, December 09, 2014

Microsoft Security Bulletin Release for December, 2014


Microsoft released seven (7) bulletins.  Three (3) bulletins are identified as Critical and four (4) are rated Moderate in severity.

The updates address 24 unique Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Internet Explorer (IE), Office and Exchange.

For those testing Windows 10 Technical Preview, please see the important information below.

Critical:
    • MS14-080 -- Cumulative Security Update for Internet Explorer (3008923)
    • MS14-081 -- Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (3017301)
    • MS14-084 -- Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711)

Important:
    • MS14-075 -- Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3009712)
    • MS14-082 -- Vulnerability in Microsoft Office Could Allow Remote Code Execution (3017349)
    • MS14-083 -- Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (3017347)
    • MS14-085 -- Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3013126)

    The following two Security Bulletins were re-released:
    Information on non-security updates can be found in KB 894199.

    Windows 10 Technical Preview

    Updates to Windows 10 Technical Preview include three updates for build 9879.  Two of the updates address security vulnerabilities and one update is for an HDD failure affecting some people.

    Microsoft Office on Windows 10 Technical Preview:
    Via https://twitter.com/GabeAul:  For those running Microsoft Office on the Windows 10 Technical Preview, the installer fails on build 9879 if Office is installed.  The decision was made to publish the update as is rather than roll a new fix, which would have delayed the release by several days.  Unfortunately, the workaround is painful: uninstall Office, install the hotfix, reinstall Office.

    Before attempting the workaround to uninstall Office, try to install KB3022827 first. It will work for many, no harm if not.

    Additional Update Notes

    • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.  The updated version does not include new families but includes updates to several prevalent malware families.  Additional details are available in the MMPC blog post.

    • Internet Explorer -- For additional information about the blocking of out-of-date ActiveX controls see the TechNet article, Out-of-date ActiveX control blocking.  Additional changes introduced this month include the blocking of outdated Silverlight.  Additional information is available in the IE Blog.

    • Windows 8.x -- Non-security new features and improvements for Windows 8.1 are now included with the second-Tuesday-of-the-month updates.  Additional information is available at August updates for Windows 8.1 and Windows Server 2012 R2.

    • Windows XP -- Although Microsoft has stopped providing Microsoft Security Essentials for Windows XP, definitions will be available until July 15, 2015.  See Microsoft antimalware support for Windows XP.  The MSRT still works on Windows XP.


    The following additional information is provided in the Security Bulletin:

      Remember - "A day without laughter is a day wasted."
      May the wind sing to you and the sun rise in your heart...


      Adobe Reader and Acrobat Quarterly Security Update

      Adobe has released security updates for Adobe Reader and Acrobat XI (11.0.09) and earlier versions for Windows and Macintosh.  The updates address vulnerabilities that could potentially allow an attacker to take over the affected system. 

      Release date: December 9, 2014
      Vulnerability identifier: APSB14-28
      CVE numbers: CVE-2014-9165, CVE-2014-8445, CVE-2014-9150, CVE-2014-8446, CVE-2014-8447, CVE-2014-8448, CVE-2014-8449, CVE-2014-8451, CVE-2014-8452, CVE-2014-8453, CVE-2014-8454, CVE-2014-8455, CVE-2014-8456, CVE-2014-8457, CVE-2014-8458, CVE-2014-8459, CVE-2014-8460, CVE-2014-8461, CVE-2014-9158, CVE-2014-9159
      Platform: Windows and Macintosh

      Update or Complete Download

      Update checks can be manually activated by choosing Help > Check for Updates.
        Note: Uncheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

        Windows XP

        If you are still using Windows XP and have Adobe Reader installed, please note that there will be no additional security updates for it.  I suggest uninstalling it and installing an alternate reader.  Personally, I like Sumatra PDF.  It isn't a target and doesn't include unwanted extras with the install or updates.  (See Replacing Adobe Reader with Sumatra PDF.)  Adobe Reference:  End of support | Acrobat and Reader for Windows XP

        Enable "Protected View"

        Due to frequent vulnerabilities, it is recommended that Windows users of Adobe Reader and Acrobat ensure that Protected View is enabled.  Neither the Protected Mode nor the Protected View option is available for Macintosh users.

        To enable this setting, do the following:
        • Click Edit > Preferences > Security (Enhanced) menu. 
        • Change the "Off" setting to "All Files".
        • Ensure the "Enable Enhanced Security" box is checked. 

        [Image: Adobe Protected View settings, via Sophos Naked Security Blog]
        If you are looking for a replacement for Adobe Reader, consider Replacing Adobe Reader with Sumatra PDF.


        Adobe Flash Player Security Update


        Adobe has released security updates for Adobe Flash Player 15.0.0.242 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.424 and earlier versions for Linux.

        These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system.  Adobe is aware of reports that an exploit for CVE-2014-9163 exists in the wild. The updates to Flash Player are rated Critical. 

        Note: Users who have been updated to version 15.0.0.246 are not affected by CVE-2014-9163.

        Update Information

        Release date: December 9, 2014
        Vulnerability identifier: APSB14-27
        CVE numbers: CVE-2014-0580, CVE-2014-0587, CVE-2014-8443, CVE-2014-9162, CVE-2014-9163, CVE-2014-9164
        Platform: All Platforms
        • Users of the Adobe Flash Player desktop runtime for Windows and Macintosh should update to Adobe Flash Player 16.0.0.235.
        • Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.259.
        • Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.425.
        • Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, will automatically update to the current version.

        Flash Player Update Instructions

        Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras.

        It is recommended that you either use the auto-update mechanism within the product when prompted or, my preference, use the direct download links.

          Notes:
          • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
          • Uncheck any toolbar offered with Adobe products if not wanted.
          • If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
          • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.
          • Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.259.

          Adobe Flash Player for Android

          The latest version of Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.

          Verify Installation

          To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

          Do this for each browser installed on your computer.

          To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.


          Thursday, December 04, 2014

          Microsoft Security Bulletin Advance Notice for December 2014

          On Tuesday, December 9, 2014, Microsoft is planning to release seven (7) bulletins.  Three bulletins are identified as Critical and four as Important in severity.

          These updates will address vulnerabilities in Microsoft Windows, Internet Explorer (IE), Office and Exchange.

          As happens each month, Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.


            Tuesday, December 02, 2014

            Mozilla Firefox Version 34 Released with Critical Security Updates

            Mozilla sent Firefox Version 34.0.5 to the release channel.  The update includes eight (8) security updates, three (3) of which are Critical, three (3) High and two (2) Moderate.

            Default Search Engine Changes

            Mozilla is including major changes to the default search engines in the release of version 34, reportedly "Promoting Choice and Innovation".  Looking deeper, perhaps the real reason is the flat revenue from the Google-Firefox search deal.

            Regardless of the reason behind the change, the default search engine in North America has been changed to Yahoo!  According to the agreement, Yahoo! will support "do not track".  Google, Bing, DuckDuckGo, eBay, Amazon, Twitter and Wikipedia continue to be built-in as alternate search options.  After updating, there was no change to Bing as my choice for search engine.

            For search engine changes in other countries, see New Search Strategy for Firefox: Promoting Choice & Innovation.

            Fixed in Firefox 34

            • 2014-90 -- Apple CoreGraphics framework on OS X 10.10 logging input data to /tmp directory
            • 2014-89 -- Bad casting from the BasicThebesLayer to BasicContainerLayer
            • 2014-88 -- Buffer overflow while parsing media content
            • 2014-87 -- Use-after-free during HTML5 parsing
            • 2014-86 -- CSP leaks redirect data via violation reports
            • 2014-85 -- XMLHttpRequest crashes with some input streams
            • 2014-84 -- XBL bindings accessible via improper CSS declarations
            • 2014-83 -- Miscellaneous memory safety hazards (rv:34.0 / rv:31.3)

            What’s New

            • New -- Default search engine changed to Yahoo! for North America
            • New -- Default search engine changed to Yandex for Belarusian, Kazakh, and Russian locales
            • New -- Improved search bar (en-US only)
            • New -- Firefox Hello real-time communication client
            • New -- Easily switch themes/personas directly in the Customizing mode
            • New -- Wikipedia search now uses HTTPS for secure searching (en-US only)
            • New -- Implementation of HTTP/2 (draft14) and ALPN
            • New -- Recover from a locked Firefox process in the "Firefox is already running" dialog on Windows
            • Changed -- Disabled SSLv3
            • Changed -- Proprietary window.crypto properties/functions re-enabled (to be removed in Firefox 35)
            • Changed -- Firefox signed by Apple OS X version 2 signature
            • Fixed -- CSS transitions start correctly when started at the same time as changes to display, position, overflow, and similar properties

            Update

            To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu.

            If you do not use the English language version, Fully Localized Versions are available for download.
