As usual for Patch Tuesday, many security updates were issued. I’m here to provide all the details for these critical updates. Not only did Windows get patched, but Adobe Flash and Shockwave Players did too.
Microsoft released nine patch bundles, plugging security holes in Windows and other products. Separately, Adobe took part in Patch Tuesday as usual, with updates to Adobe Flash and Shockwave Players.
A cumulative update was made to Internet Explorer, which fixed two critical vulnerabilities present in almost all versions of Internet Explorer ever released. It should be noted that this includes IE 9 and 10.
If you have set Windows up to receive Automatic Updates, you will get these updates automatically. Otherwise, go to Start and search for Windows Update. On Windows 8, search for Windows Update on the Start screen.
Other than that, Adobe brings an update to Adobe Flash Player for Windows and Mac to v. 11.7.700.169. Linux should be updated to 184.108.40.2060. Android 4.x+: 220.127.116.11 and 2.x-3.x: 18.104.22.168.
Keep in mind that Google Chrome and Internet Explorer 10 (Windows 8) automatically update Flash Player on their own.
Shockwave Player should be updated as well to v. 22.214.171.124! For these updates, go to www.Adobe.com
You should also be able to update Adobe AIR, which will help secure your computer even further from vulnerability. Adobe AIR is required for quite a few programs that are built on its architecture (such as Tweetdeck, Pandora Internet Radio, games, etc.). If you have it installed, AIR should automatically prompt you to update.
Patch Tuesday is approaching in a few days with 57 security fixes by Microsoft. The company detailed the fixes in its latest security bulletin.
According to Microsoft, every version of Internet Explorer, 6 through 10, needs to be patched! They are all vulnerable to drive-by exploit attacks. A simple booby-trapped webpage can claim many victims with this vulnerability.
Five of the twelve updates are rated “critical”. Some of the updates are for Windows, Server, Office, and .NET Framework. These patches are set to be released on February 12th at 1:00 PM EST.
Microsoft has issued the usual Patch Tuesday round of updates, but this time – guess what? Windows 8 updates are included, as well as for RT. Isn’t that wonderful?
19 flaws have been fixed in this round of updates. All are being updated in six bulletins this month. These bulletins are listed as MS12-071 through MS12-076. Four are rated critical and two of them urgent.
Some have asked whether Internet Explorer 10 is vulnerable yet: not at this time. It is not currently vulnerable to the current set of three related flaws in Internet Explorer 9.
However, a font parsing flaw has been found, which could affect Windows 8, as noted in CVE-2012-2897.
Here is a general CVE list of the latest vulnerabilities fixed in the current round:
- Internet Explorer CRITICAL
- Windows Shell Remote Code Execution CRITICAL
- Microsoft Internet Information Systems (IIS) URGENT
- .NET Framework vulnerabilities, affecting multiple versions CRITICAL
- Kernel Mode Drivers CRITICAL
- Microsoft Office Excel Remote Code Execution CRITICAL
Say you are on the Gmail login page and the web browser, as always, has auto-filled the username and password fields for you.
This is convenient because you can sign in to your account with a click, but because you have not typed these saved passwords for a while, you don’t even remember the Gmail password anymore.
All web browsers, for security reasons, mask the password fields in login forms behind asterisk characters, making it impossible for passersby to see your secret string.
There is, however, an easy workaround that will let you convert those asterisks into the actual password, and you don’t need any external utilities or bookmarklets for this. Here’s how:
Windows 8 is apparently more secure than Windows 7. Perhaps this is true, and it is best to learn what security features the new operating system has. Some of these security features are verified to help the security of Windows 8 very well, some may not over time, and some may not work at all.
One of the most discussed security features is Secure Boot. Secure Boot is a Unified Extensible Firmware Interface (UEFI) feature that, during the boot process, checks the cryptographic signatures of kernel-mode drivers to make sure they haven’t been modified or corrupted. In other words, the boot process now checks whether the operating system has been corrupted by malware or some other issue.
This is all part of a hardware restriction process called Hardware DRM. All non-ARM devices have the option to turn Secure Boot off; ARM devices, however, must keep it on. Experts state that it will be resistant to rootkits, since the MBR and BIOS cannot be accessed unless someone working on the computer penetrates it.
Next, Windows 8 features better built-in antivirus software, with a much improved Windows Defender. The software in Windows 8 is combined with the optional tool Microsoft Security Essentials. Now that Windows Defender is super-powered with MSE, it has many more anti-malware features.
Along with better anti-malware features, Internet Explorer has been improved as well. It is much better at preventing zero-day exploits than previous versions of Internet Explorer. With the challenges of exploiting Windows 7, the issue rose up again of Java and Flash Player being used by hackers to gain control over the operating system. Those browser plugins are now easier to exploit than Internet Explorer’s own code.
A new application sandboxing environment called AppContainer provides the ability to run all apps in a controlled environment, where it controls how apps work. This prevents apps from disrupting the operating system. This is supplemented by Internet Explorer’s SmartScreen filter, which prevents the download and installation of known malicious software. Windows 8 now makes SmartScreen available for any app, allowing even more prevention. Of course, this means Microsoft employees are going to increase in numbers, if they really want to keep up. Now that hackers know their new challenges, they will be relentless.
The question remains whether Windows 8 will be a repeat of Vista or not. The reality of the situation is that if Windows 8 becomes very popular, then the security issues will also light up big time. However, many will stick to Windows 7, so the security issues for Windows users are not close to being over. Feel free to take a look at the related articles below for Symantec’s opinions, which aren’t too favorable toward the new OS.
Added October 31, 2012: Trusted Platform Module, read more
- Over Half Of Windows 8 Users Still Prefer Windows 7 (webpronews.com)
- Gates: New Windows 8 system is ‘very exciting’ (seattletimes.com)
- Windows 8 Security Is Not Good – Symantec (news.softpedia.com)
- UEFI and Secure Boot: The Hell I Went Through (prismdragon.wordpress.com)
When it comes to browser security, it is best to always keep in mind the different issues with malware exploitation. In other words, the possibility for viruses/malware to install themselves on your computer without your permission is more apparent depending on your web browser.
The problem faced in current popular web browsers is that they do not warn the user if a download is coming from a third-party domain. This is found in Google Chrome, Mozilla Firefox, and Windows Internet Explorer.
Also, a vulnerability exists in HTML5 that allows widgets, sandboxed frames, etc. to download data from a third party. If a user inadvertently browses to a malicious widget, such as one on a popular website, viruses/malware can be installed on the user’s computer. This is mainly the case if they don’t have good antivirus protection, which can block these types of incidents.
The only one that seems to be serious about it, per speculation, is Google. Microsoft may be thinking about a fix for the issues in future versions of IE. Mozilla may not be addressing the issue anytime soon!
Browser security needs to improve as soon as possible, and if the above vulnerabilities are fixed, the issues from inadvertent downloading should be resolved.
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution
An unpatched, critical security vulnerability in Microsoft XML Core Services is actively being exploited by attackers.
Simply by visiting the website on a vulnerable machine, the computer can become infected.
Here are the details of this bug:
- Web-based attack scenario, which means users have to be led to the site that exploits the vulnerability through a specially crafted link (such as in an email message, instant message, etc.)
- If the attacker successfully exploits this flaw and gets on to the victim’s machine, the attacker will obtain the same user rights as the currently logged-in user. The type of account (limited or administrator) determines what the malware is able to do.
CVE entry: CVE-2012-1889
Microsoft KB entry: KB2719615
A temporary fix is in place by Microsoft: Fix-It – Please secure your system now! The final fix is being developed by Microsoft.
- Microsoft XML vulnerability under active exploitation (googleonlinesecurity.blogspot.com)
- IE remote code execution vulnerability being actively exploited in the wild (nakedsecurity.sophos.com)
You may want to consider purchasing Malwarebytes’ Anti-Malware to protect against these types of threats.
Patch Tuesday this month (June 2012) was quite a show of vulnerability patching.
From Microsoft Updates to Oracle Updates!
Java Standard Edition needed to be patched big time, Oracle notes. 14 vulnerabilities were found recently, which prompted the update. It is recommended to patch immediately from Java.com, because six of the vulnerabilities received the highest possible Common Vulnerability Scoring System (CVSS) rating.
12 out of the 14 vulnerabilities are remotely exploitable if they stay unpatched, which means they present a HUGE security risk!
This update addresses security vulnerabilities in the Java development kit (JDK) and runtime environment (JRE) version 7 update 4 and earlier, JDK and JRE version 6 update 32 and earlier, JDK and JRE update 35 and earlier, JDK and JRE 1.4.2 update 37 and earlier, and JavaFX 2.1 and earlier.
Oracle gives credit for reporting these vulnerabilities to Adam Gowdiak of Security Explorations, Andrei Costin of Secunia, Chris Ries of TippingPoint, and Clayton Smith of Entrust.
Microsoft Windows Updates
3 critical updates + 4 important updates = 7 total bulletins that were addressed.
Here is a rundown of the critical updates:
- MS12-036 – remote desktop vulnerability: an attacker could obtain the credentials to perform attacks through the Remote Desktop Protocol (RDP).
- MS12-037 – cumulative security update for Internet Explorer, which addressed 1 public and 12 private vulnerabilities.
- MS12-038 – This is a .NET Framework issue in XAML browser applications (XBAP), where an attacker can execute remote code if credentials are right.
Overall, Patch Tuesday this time around was a huge hit.
Now, get to work on the updates: