As you’re reading this, another “Windows Patch Tuesday” has come and gone (Microsoft normally sends their updates on the second Tuesday of the month), and, as is often the case lately, there are some critical security flaws being remedied in this latest round of patches. Do you sometimes feel that this is a never ending battle? Well, in many ways, it is.
Complexity is the enemy of security, and today’s operating systems and the software we employ within them are incredibly complex… breeding grounds for programming errors, which can lead to security flaws.
What’s a poor person to do? How do you keep track of all this churn?
Keep your software up to date automatically, where possible, and check back here on Wednesdays, when I’ll be keeping a pulse on the world of software security and letting you know the straight scoop.
On today’s agenda – Windows monthly update, Snow Leopard introduction, and a summary of browser updates. Let’s start with Microsoft:
On September 8, Microsoft released five critical patches, fixing seven security holes in Windows. Users with “automatic updates” enabled should be seeing these patches come through any time now. On the slate for this month:
- MS09-045 – A “critical” vulnerability in JScript Scripting Engine can allow remote code execution. This can be exploited by visiting a malicious website, and affects Windows 2000, XP, Vista, and Server 2003 and Server 2008.
- MS09-046 – A “critical” vulnerability in the DHTML Editing Component ActiveX Control can allow remote code execution. This can be exploited by visiting a malicious website, and affects Windows 2000 and XP; it is rated “moderate” on Server 2003.
- MS09-047 – Two “critical” vulnerabilities in Windows Media Format can allow remote code execution. This can be exploited by playing a malicious mp3 or asf file, and affects Windows Media Format Runtime 9.0, Windows Media Format Runtime 9.5, Windows Media Format Runtime 11, Microsoft Media Foundation, Windows Media Services 9.1, and Windows Media Services 2008.
- MS09-048 – Three different vulnerabilities in Windows TCP/IP handling. Ratings range from “important” to “critical” depending on platform. Affects Windows 2000, Vista, and Server 2003 and Server 2008.
- MS09-049 – A “critical” vulnerability in the Wireless LAN AutoConfig Service can allow remote code execution on wireless clients or servers. Affects Windows Vista and Server 2008.
In addition, Microsoft released an update for Microsoft Silverlight, an update to the Outlook Junk Email filter, updates to Genuine Advantage for Office, and the latest version of their Malicious Software Removal Tool.
Make sure you stay up to date! Many of these flaws are already being exploited today!
By now, almost everyone with a Mac has heard about Snow Leopard, Mac OS X 10.6. If you haven’t already upgraded, I’d recommend caution… stay away until things have stabilized a bit. However, if you’ve already taken the plunge, there are some things you need to know:
- For some unknown reason, Apple shipped Snow Leopard with an older version of Adobe Flash Player. The retail version of the OS comes with version 10.0.23.1, while the current version is actually 10.0.32.18. This has the unfortunate effect of downgrading your system, even if you were completely up to date prior to installing Snow Leopard. Further, the older version is vulnerable to several flaws that are being exploited in the wild. So, the first thing you’ll want to do is head over to Adobe’s Flash Version tester and refresh your Flash Player if needed.
- Also in Snow Leopard, Apple included a malware scanner in the operating system intended to check for certain known families of malicious software. This is intended to make the system safer and is a good move for the future, but I’m not convinced it is enough reason to upgrade just yet.
Adobe software users will also be interested in Snow Leopard’s interaction with the Creative Suite, version CS3 and CS4. Several issues have bubbled to the surface, from compatibility problems to crashes to color space changes, so you might want to head over to John Nack’s blog, or Adobe’s CS4 FAQ page with Snow Leopard information, to check the latest compatibility information.
It’s time to shift gears and talk about browsers for a bit!
First up is Firefox: Mozilla recently announced that its browser will *automatically* check for Flash Player updates from now on. This is a welcome change, and means that many users who were running vulnerable versions of Flash Player will get automatically upgraded. This will be introduced in the forthcoming versions 3.5.3 and 3.0.14.
Also in browser news this past week, Opera version 10 was released, and I was quite impressed as I tried it out! It is simple, clean, elegant – and fast! Quite zippy, in fact. Some of the new features, such as Speed Dial and built-in anti-malware protection, as well as a revamped tabbed interface, are quite good. I recommend giving it a spin; you’ll be impressed!
To summarize the state of major browser revisions, here is where you should be. You should be able to check your browser version with “Help > About…”:
- Internet Explorer: 8.0.6001.18702
- Firefox: 3.5.2 or 3.0.13 (watch for a new release coming soon!)
- Opera: 10.00
- Safari: 4.0.3
- Chrome: 220.127.116.11
- Camino: 1.6.9
Check your browsers, and make sure you are up to date!
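Checking “where you should be” is easier with a small script than by eye, and it is a classic mistake to compare dotted version strings as text: as strings, “10.0.9” sorts after “10.0.32”, even though it is the older build. The Python below is an added example, not part of the original post. It encodes the browser baselines listed above, plus the Flash Player 10.0.32.18 target from the Snow Leopard section, and compares a constructed inventory against them component by component. The product names, the per-branch handling for Firefox (3.5.x versus 3.0.x), and the sample inventory are my assumptions; Chrome is left out of the baselines.

```python
import re

# Minimum acceptable versions quoted in the post (September 2009).
BASELINES = {
    "Internet Explorer": "8.0.6001.18702",
    "Firefox": "3.5.2",          # 3.5 branch; the 3.0 branch is handled below
    "Opera": "10.00",
    "Safari": "4.0.3",
    "Camino": "1.6.9",
    "Flash Player": "10.0.32.18",
}

# Firefox shipped two supported branches at the time, each with its own minimum
# (assumption: a user on 3.0.x is judged against 3.0.13, not 3.5.2).
BRANCH_BASELINES = {
    "Firefox": {"3.5": "3.5.2", "3.0": "3.0.13"},
}


def parse_version(text):
    """Split a dotted version string into a tuple of ints so each component
    is compared numerically (10.0.32 > 10.0.9), never lexically."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric components in version {text!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b.
    Missing trailing components count as zero, so 10.00 == 10.0.0."""
    va, vb = list(parse_version(a)), list(parse_version(b))
    width = max(len(va), len(vb))
    va += [0] * (width - len(va))
    vb += [0] * (width - len(vb))
    return (va > vb) - (va < vb)


def required_version(product, installed):
    """Pick the baseline for the branch the user is on, if the product has branches."""
    branches = BRANCH_BASELINES.get(product)
    if branches:
        major_minor = parse_version(installed)[:2]
        for prefix, minimum in branches.items():
            if major_minor == parse_version(prefix)[:2]:
                return minimum
    return BASELINES[product]


def is_up_to_date(product, installed):
    """True when the installed version meets or exceeds the applicable baseline."""
    return compare_versions(installed, required_version(product, installed)) >= 0


def audit(inventory):
    """Given {product: installed_version}, return (product, installed, required, ok) rows."""
    report = []
    for product, installed in inventory.items():
        req = required_version(product, installed)
        report.append((product, installed, req, compare_versions(installed, req) >= 0))
    return report


if __name__ == "__main__":
    # Constructed sample inventory (not real data): a Snow Leopard Mac that has
    # not yet refreshed Flash, plus a few browsers at various levels.
    sample = {
        "Flash Player": "10.0.23.1",   # the version Snow Leopard ships with, per the post
        "Firefox": "3.0.13",
        "Safari": "4.0.3",
        "Opera": "9.64",
    }
    for product, installed, req, ok in audit(sample):
        status = "OK" if ok else "UPDATE"
        print(f"{product:18} installed {installed:13} required {req:13} {status}")
```

Run it as-is to see the sample report; to audit your own machine, replace the `sample` dictionary with the versions from each application’s “Help > About…” dialog. The branch logic matters for Firefox in particular, since a 3.0.13 install is current on its branch and should not be flagged merely because 3.5.2 has a higher number.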
That’s all for this week (or should I say, that’s “enough” for this week?). Keep that software up to date, and check back here on Wednesdays when we’ll bring you the latest security news you can use. Have a security question? Leave a comment or drop me an email, and I’ll do my best to help you out!