Wednesday, October 19, 2011

Java Update

Yesterday Oracle released Java 6 update 29 (skipping update 28). This release fixes several security issues and should be applied as soon as possible. As usual for Java, you can update from the Java Control Panel utility or directly from the Java site. You can also check which version you have installed and see whether it needs updating.
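One way to do that version check from a script, as an added example that is not part of the original post: it classifies the first line of `java -version` output against the Java 6 update 29 release above, and assumes the `1.x.y_NN` version format that Java 6 and 7 runtimes printed at the time.

```shell
#!/bin/sh
# Added example, not code from the original post: classify the first line of
# `java -version` output against the Java 6 update 29 release mentioned above.
# Assumes the 1.x.y_NN version format that Java 6/7 runtimes printed in 2011.

REQUIRED_UPDATE=29   # Java 6 update 29 (6u29)

# java_needs_update 'java version "1.6.0_26"'
# Prints one of:  update-needed | current | not-java6
# Exit status 2 means the line did not look like a java -version line.
java_needs_update() {
    line=$1
    case $line in
        *'"'*'"'*) ;;                # must contain a quoted version
        *) return 2 ;;
    esac
    ver=${line#*'"'}                 # drop everything up to the first quote
    ver=${ver%%'"'*}                 # drop from the closing quote onward
    base=${ver%%_*}                  # 1.6.0_26 -> 1.6.0
    update=0
    case $ver in
        *_*) update=${ver#*_} ;;     # 1.6.0_26 -> 26 ; "1.7.0" has no update
    esac
    minor=${base#*.}                 # 1.6.0 -> 6.0
    minor=${minor%%.*}               # 6.0   -> 6
    case $minor in
        ''|*[!0-9]*) return 2 ;;     # not a number: unparseable
    esac
    case $update in
        ''|*[!0-9]*) return 2 ;;
    esac
    if [ "$minor" -ne 6 ]; then
        echo not-java6
    elif [ "$update" -lt "$REQUIRED_UPDATE" ]; then
        echo update-needed
    else
        echo current
    fi
}

# Stand-alone use: query the locally installed runtime, if any.
# `java -version` writes to stderr, hence the 2>&1.
if command -v java >/dev/null 2>&1; then
    first=$(java -version 2>&1 | head -n 1)
    echo "$first -> $(java_needs_update "$first")"
fi
```

A Java 7 runtime reports `not-java6` because 6u29 does not apply to it; check Java 7 installations against their own update level separately.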

Tuesday, October 18, 2011

October Updates and some definitions

Last Tuesday Microsoft released several updates for Windows, .NET and Office. These should be installed using Windows Update, either from the Start menu or by going to https://www.update.microsoft.com/.

Some terms you might see when looking at updates, and what they mean:

  • Vulnerability - A flaw in software that allows an attacker to bypass some kind of security control.
  • Exploit - The method used to take advantage of a vulnerability.
  • Zero-Day Exploit - An exploit that is used before the vendor has published a fix for the vulnerability.
  • Remote Code Execution - This type of vulnerability means exactly what it sounds like: someone can run software of their choosing on your computer. How severe it is depends on what else is required for the exploit to work.
  • Elevation of Privileges - This type of vulnerability allows an attacker to gain extra privileges (usually full system privileges). It requires the ability to run programs on the system already. Combined with a remote code execution vulnerability, it gives the attacker full privileges from what might otherwise be a limited exploit.
  • Local/Remote Denial of Service - This type of vulnerability includes system crashes, service crashes, hangs, resource exhaustion, etc. It is usually not a high threat unless you are a service provider or run critical systems.
  • Data Disclosure - This type of vulnerability can be used to read data from a system that the attacker normally wouldn't be able to read, most often a file or data left in memory after a program exits. This can include sensitive data and files stored on your system.