Wednesday, October 19, 2011

Java Update

Yesterday Oracle released Java 6 update 29 (skipping update 28). This release fixes several security issues and should be applied as soon as possible. As usual for Java, you can update from the Java control panel utility, or directly from the site. You can also check which version you have and see if it needs to be updated.

Tuesday, October 18, 2011

October Updates and some definitions

Last Tuesday Microsoft released several updates for Windows, .NET and Office. These should be installed using Windows Update, either from the Start menu or by going to https://www.update.microsoft.com/.

Some terms you might see when looking at updates and what they mean:

  • Vulnerability - A flaw in the software that allows an attacker to bypass some kind of security.
  • Exploit - The method used to take advantage of a vulnerability.
  • Zero-Day Exploit - An exploit that is used before the vendor has published a fix for the vulnerability.
  • Remote Code Execution - This type of vulnerability means exactly what it seems to. Someone can run software of their choosing on your computer. The severity of this depends on what else is required for the exploit to work.
  • Elevation of Privileges - This type of vulnerability allows an attacker to gain extra privileges (usually full system privileges). This requires the ability to run programs on the system already. When combined with a remote code execution attack it will give the attacker full privileges from what could be an otherwise limited exploit.
  • Local/Remote Denial of Service - This type of vulnerability includes system crashes, service crashes, hangs, resource exhaustion, etc. This is usually not a high threat (unless you are a service provider or run some critical systems).
  • Data Disclosure - This type of vulnerability can be used to read data from a system (most often a file or data left in memory after a program exits) that the attacker normally wouldn't be able to read. This can include sensitive data and files stored on your system.

Friday, September 16, 2011

Update Tuesday

There were a few updates released by Microsoft last Tuesday. None of them were rated as critical, but the update for digital certificates is important to install, as there are now 200+ fraudulent certificates that were issued by DigiNotar. Adobe also released a quarterly update to Adobe Reader that fixes some critical security flaws and removes the DigiNotar certificates from the internal certificate trust in Adobe Reader.

Also in my last post I seem to have missed an update by Adobe for Flash Player that addresses some critical flaws.

Tuesday, August 9, 2011

Microsoft Update Tuesday

It's Microsoft Update Tuesday again. This time there are 8 to 14 updates (depending on the versions of software you have installed) fixing 22 security flaws, including some updates for Internet Explorer. Be sure to install these ASAP (use Microsoft Update from your Start Menu or the website link to the right).

More details about the updates can be found here: http://www.microsoft.com/security/pc-security/bulletins/201008.aspx

Wednesday, July 13, 2011

Microsoft Update Tuesday

Yesterday was update Tuesday for Microsoft. There are 4 updates and one is rated critical. More info about the updates can be found here: http://aka.ms/1107updates

As usual, updates can be started from the Start menu in Windows or by going to http://update.microsoft.com

Tuesday, July 5, 2011

More flash updates

A new Adobe Flash Player update came out last Thursday. This update moves Flash Player to version 10.3.181.34. Adobe isn't really clear on what is in this update. They say it fixes Security Bulletin APSB11-18 but that was supposed to be fixed by the last update. It's possible that the last update didn't completely fix the issue so to be safe you should install this ASAP. As usual, you should check that you have the latest version and upgrade if you don't.

Thursday, June 16, 2011

Yet Another Adobe Flash Player Update

Another out-of-band (not in the normal release cycle) security update has been released for Adobe's Flash Player. This update moves it to version 10.3.181.26. You should check that you have the latest version and upgrade if you don't.

This one is already being exploited to download and install malicious software on people's computers, so update as soon as you can.

Tuesday, June 14, 2011

Microsoft Update Tuesday and Adobe Reader Patches

Today is update Tuesday. Microsoft has released several updates that you should install as soon as possible. Just open Windows/Microsoft Update from the Start menu to get started.

Adobe also released a patch for their Adobe Reader X that updates it to 10.1.0. The Adobe updater should prompt you to install the update from the system tray by the clock or you can download and install the update directly (17.2 MB).

Wednesday, June 8, 2011

Update for Java(TM) Runtime

There is a new update for the Java(TM) 6 Runtime: 1.6.0 update 26


You can update Java by going to Control Panel -> Java -> Update -> Check now or download the latest version directly.

Tuesday, June 7, 2011

Update for Adobe Flash Player

Time to update your Adobe Flash Player again. You can go to http://www.adobe.com/go/getflash to get the latest version (10.3.181.22 or 10.3.181.23 depending on which browser you use).

If you use Google Chrome it should update automatically and just need a restart.

Wednesday, May 18, 2011

Keep your computer software up to date

I've had several family members get hit by drive-by installs of fake "anti-virus" software lately. Here are some tips on avoiding these and some links/instructions to get updates.

Tip 1: Don't install software you don't use.

Most software has vulnerabilities, and the more software you have installed, the more likely you are to have one of those vulnerabilities exploited. It is sometimes hard to know what software you use and don't use, but you can always uninstall it, and if you need it you can install it again later.

Commonly installed software that you might want to consider removing:

Java - If you don't use Java applications or Java applets. If you need it you can always re-install it from the link below.

Apple QuickTime/iTunes - If you don't have an iPod or buy things from the iTunes store. QuickTime Player may be required for some web content (but again, you can always re-install if you find that you need it).

Adobe Reader - This is used for viewing PDF content both online and stored on your computer. Most people will want a PDF reader, but if you use the Google Chrome browser there is a PDF reader built in. Adobe Reader supports more features than most other readers, so you may want to keep it; be sure to update it regularly.

Tip 2: Use the ad block plugin in Firefox/Chrome.

This removes ads, which are the primary source of most drive-by installs, from the sites that you browse.

Tip 3: Use the latest version of your web browser.

The latest versions of most web browsers have features that make it harder to exploit vulnerabilities.

Or IE 8 (Windows XP) / 9 (Windows Vista/7) via Windows Update.

Tip 4: Keep your software up-to-date.

Windows (and Microsoft Office): Go to start -> all programs -> Windows/Microsoft update. Microsoft releases updates on the second Tuesday of every month and occasional security updates at any time.

Adobe Flash Player: http://get.adobe.com/flashplayer/ (version 10.3.181.14 as of 5/18/2011)
Flash Player should also request an update when your computer reboots (usually).

Adobe Reader: http://get.adobe.com/reader/ (version 10.0.3 as of 5/18/2011)
Reader will also request updates from the system tray (by the clock) if updates are enabled. This only updates the version you have installed; it will not upgrade you to the latest version (for example, from Reader 9 to Reader X).

Java: Go to Control Panel -> Java -> Update -> Check now (version 1.6.0 update 25 as of 5/18/2011)
Java will prompt you to update from the system tray but is set to check only once a month by default and will not download the update automatically. I recommend that you change the update settings to check every day and automatically download the update (from the control panel as above).
You can also download the latest version from: http://www.java.com/en/download/index.jsp

QuickTime/iTunes: Use the Apple software updater from your start menu (version 7.6.9 for QuickTime and 10.2.2 for iTunes as of 5/18/2011).
Be sure you don't accidentally install extra software that you don't want (Apple sometimes has extra software checked by default).
You can also download the latest version from: http://www.apple.com/quicktime/download/


I hope this has been helpful for people. I'll try and post whenever there are new releases of software that need updating.