Sunday, July 15, 2007

Update, Update, Update!

These past weeks have seen a number of updates issued for applications common to almost all Windows users' systems.

I highly recommend going to the Java-based Secunia Software Inspector page and running an on-line scan of your system. It is free, quick and painless; unless you have some vulnerable versions! Windows and Firefox compatible.

Adobe Flash

US-CERT Technical Cyber Security Alert TA07-192A -- Adobe Flash Player Updates for Multiple Vulnerabilities

Microsoft Windows, Apple Mac OS X, Linux and Solaris systems are primarily vulnerable if running an older version of Flash.

"Exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service on a vulnerable system."

First, go to the Adobe "Get Flash" page in each of your system's web browsers and download the most recent file. This is necessary as Firefox uses a different Flash file than Microsoft Internet Explorer.

Secondly, once done, head over to the Secunia Software Inspector and run it to find out which of the older Flash version files you need to manually delete off your system. Adobe does not provide an Add/Remove Programs uninstaller for its Flash products, so the only way I know of to identify and locate which vulnerable files you need to manually remove from your system is Secunia Software Inspector.

Thirdly, don't forget to configure your Flash player's global and website settings for best security practices. Go to this Adobe - Flash Player : Settings Manager - Global Privacy Settings Panel and make your changes as appropriate on each tab.

Which changes are appropriate? Well, it's up to you, but MSMVP Donna Buenaventura recommends you use these Flash Player Global and Website settings. Sounds good to me!

Apple Quicktime and iTunes

Apple released Quicktime 7.2 for Mac and Windows users. It fixes a number of bugs and updates a codec, but best of all it now adds full-screen playback to the free version of Quicktime, whereas previously you had to go to the paid "Pro" version for that feature.

iTunes was also updated to version 7.3.1 to fix a minor issue accessing the iTunes Library for some users.

Update Method One: Go and manually download the latest version of QuickTime and iTunes direct from Apple, then run the installers.

Update Method Two: If you have previously installed either of these, check your All Programs list in your Start Menu and see if you can find an "Apple Software Update" icon listed in there. This application utility from Apple is usually installed along with iTunes (and I highly recommend installing this optional piece of software when you do install iTunes).

Use this handy page to find all the most recent Apple software updates.

If Quicktime isn't your cup of tea, there are great (free) alternatives that can also handle and play Quicktime files: VLC, Media Player Classic, or QuickTime Alternative.

Toss Out Those Bad Java Beans

The ISC-SANS Handler's Diary carried this alert this week: Java Run Time Advisory Issued.

Then came ominous sounding doom-filled tech articles like this one: Dangerous Java flaw threatens virtually everything.

Then Sun came out and blew away the clouds of fear and terror: Sun says Java flaw has been patched.

How? ISC-SANS then reminded folks: Java SE 6.0 Update 2 Released.


Step One

Method A: If you are a Sysadmin (or just like doing things the confusingly hard way), go to this Sun Developer Network Java SE Downloads page and try to figure out which version you need to deploy, download it, and install it.

Method B: If you are a regular home-PC user, simply go to the Verify Java Installation webpage and click the big friendly green "Verify Installation" button. It should quickly tell you whether you have the most recent Java version installed on your PC. If not, go to this Download Free Java Software link, click the big friendly green "Free Java Download" button, and install it.

Step Two

You might not know it, but Java does not uninstall previous versions of Java when you install the latest version. Sun seems to recommend keeping older versions of Java around on a system, even if they have security vulnerabilities, as some Java-based applications may not work with the newer Java version releases. I personally haven't ever run into that problem at work or at home in all my years of Java updating. And as Java is a very common programming language across the Net and beyond, I feel better with the older versions off.

So if you agree with me, go to your Control Panel's Add/Remove Program list and uninstall all but the most current version of Sun's Java SE platform from your system.
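To see at a glance which Java entries Step Two is talking about, the added example below (not part of the original post, and not Sun's tooling) reads the same registry data that Add/Remove Programs displays and marks every Java runtime except the newest as a removal candidate. The function name `Get-JavaInventory`, the display-name pattern and the sample entries with their version strings are assumptions constructed for illustration; the script only lists and never uninstalls.

```powershell
# Added example: read-only inventory of installed Java runtimes.
function Get-JavaInventory {
    param([object[]]$Entries)   # objects carrying DisplayName / DisplayVersion

    # Assumed name pattern for Java runtime entries; adjust to what your list shows.
    $pattern = '^(Java\(TM\)|Java \d|J2SE Runtime Environment)'

    $java = @(foreach ($e in $Entries) {
        if ($e.DisplayName -notmatch $pattern) { continue }
        [pscustomobject]@{
            Name    = $e.DisplayName
            Version = $e.DisplayVersion -as [version]   # $null when it does not parse
        }
    })

    # The highest parseable version is the one to keep.
    $newest = $java | Where-Object { $_.Version } |
        Sort-Object Version -Descending | Select-Object -First 1

    foreach ($j in $java | Sort-Object Version -Descending) {
        if (-not $j.Version) {
            $status = 'check manually (version not parsed)'
        } elseif ($j.Version -eq $newest.Version) {
            $status = 'keep (newest)'
        } else {
            $status = 'older: removal candidate'
        }
        $j | Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru
    }
}

# Constructed sample entries (not from a real machine) so the logic can be tried anywhere.
$sample = @(
    [pscustomobject]@{ DisplayName = 'J2SE Runtime Environment 5.0 Update 11';     DisplayVersion = '1.5.0.110' }
    [pscustomobject]@{ DisplayName = 'Java(TM) SE Runtime Environment 6 Update 1'; DisplayVersion = '1.6.0.10' }
    [pscustomobject]@{ DisplayName = 'Java(TM) SE Runtime Environment 6 Update 2'; DisplayVersion = '1.6.0.20' }
    [pscustomobject]@{ DisplayName = 'Apple Software Update';                      DisplayVersion = '2.0.0.0' }
)
Get-JavaInventory -Entries $sample | Format-Table -AutoSize

# On a live system, feed it the uninstall entries from the registry instead:
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-JavaInventory -Entries (Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue) |
    Format-Table -AutoSize
```

Entries flagged as older are the ones to remove through Add/Remove Programs; anything marked "check manually" has a version string the script could not compare and should be looked at by hand.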

One Final Check

Unless you passed the Secunia Software Inspector scan the first time by, I recommend going back and doing a final scan once you think you have everything cleaned up.

Done? Passed? Fully Patched and Updated?


A "Haute" Bonus Security Tip

heiseSecurity tips us to a new beta anti-malware tool from Haute Secure for Windows Internet Explorer browsers (XP/Vista), with a Firefox Add-on promised soon. According to heiseSecurity, it uses a heuristic scanner to protect the browser, as well as both a blacklist technique to block malicious websites and web content and a process hook that sandboxes about seventy system functions. Community user feedback and contributions add to the "black-lists."

Malicious findings caught by the program are sent to the Haute Secure servers for additional reporting and analysis. It's certainly an interesting approach and might be worth looking into and keeping an eye on.

If nothing else, the warning graphics demo'ed on Haute's web-page look pretty cool and wickedly scary!

Gotta like that at least!

For even more security attitude, check out Hautness: the haute secure blog.

I'll probably load it up on one of our family laptops and give it a whirl. Check back for updates....

