Welcome to the February edition of a Watchful UI!
Microsoft has released 9 patches for this month. Four of them are rated critical while the rest are listed as important. It is interesting to note that there are more patches for Windows 7 than XP this month.
The SANS Black Tuesday overview:
There have been reports of some issues applying these updates and needing multiple reboots. Please test and plan your patching time accordingly.
Microsoft also had some issues with their AV products falsely detecting Google.com as a virus. For home users, Microsoft Security Essentials by default only updates every 24 hours, so even though Microsoft has now issued an update to fix the problem, it may linger for some users.
Oracle released their critical patch update for Java SE and JavaFX. In total there are 14 security fixes. This brings the current public versions to 6.0update31 and 7.0update3.
Note that Java vulnerabilities are high on the list of the most common exploits in the wild, making it even more important to keep Java patched, or to uninstall it if it is not needed:
Adobe has released updates for Shockwave Player, RoboHelp and Flash.
Don’t forget to make sure you have the updates they released for Reader and Acrobat in January as they patch critical vulnerabilities.
As a last minute addition, Adobe on Wednesday also updated Flash player to address a zero-day vulnerability that is being exploited in the wild. [Mitch]
Apple released a huge update for Lion with 10.7.3, and also Update 2012-001 for 10.6.8. These updates address a whopping 52 CVEs, and unfortunately have a huge download size to match. Note that Apple has not yet updated Java to the current version. Also note what is missing – updates for 10.5 have not been released. While Apple doesn’t officially declare an end of life (EOL) for their operating systems, they typically only supply patches for the last two versions. If you are not already running 10.6 or 10.7, you should be planning to update soon.
Mozilla Firefox is now up to version 10.0.1. Keep in mind that Firefox 10 will be the base version for the initial Extended Support Release. Firefox 3.6 reaches end of life on April 24th, 2012.
Google updated Chrome to version 17.0.963.46.
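As an added example (not part of the newsletter), here is a small Python audit that checks a constructed software inventory against the minimum versions listed above. It normalizes Oracle's "6.0update31" notation and the "1.6.0_31" form that java -version prints so the two compare equal; the host names and the older versions in the inventory are made up.

```python
import re

# Minimum versions taken from this newsletter:
# Java SE 6u31 / 7u3, Firefox 10.0.1, Chrome 17.0.963.46.
BASELINE = {
    "java6": "6.0update31",
    "java7": "7.0update3",
    "firefox": "10.0.1",
    "chrome": "17.0.963.46",
}

def parse_version(text):
    """Turn a vendor version string into a tuple of ints for comparison.

    Handles dotted versions ("17.0.963.46"), Oracle's 'update' notation
    ("6.0update31") and the java -version form ("1.6.0_31"); the leading
    "1." of the old Java scheme is dropped so 1.6.0_31 == 6.0update31.
    """
    t = re.sub(r"\s*update\s*", ".", text.strip().lower())  # 6.0update31 -> 6.0.31
    parts = [int(p) for p in re.findall(r"\d+", t.replace("_", "."))]
    if len(parts) >= 3 and parts[0] == 1:
        parts = parts[1:]  # legacy "1.x.y_z" Java prefix
    return tuple(parts)

def is_patched(product, installed):
    """True if the installed version meets or exceeds the baseline."""
    have, want = parse_version(installed), parse_version(BASELINE[product])
    n = max(len(have), len(want))
    have += (0,) * (n - len(have))  # pad so "10.0" compares as 10.0.0
    want += (0,) * (n - len(want))
    return have >= want

def java_track(installed):
    """Pick the Java 6 or Java 7 baseline from the installed major version."""
    return "java%d" % parse_version(installed)[0]

# Constructed sample inventory (not real hosts): host -> product -> version.
INVENTORY = {
    "lab-pc-01": {"java": "1.6.0_29", "firefox": "10.0.1", "chrome": "17.0.963.46"},
    "lab-pc-02": {"java": "1.7.0_03", "firefox": "9.0.1", "chrome": "16.0.912.77"},
}

def audit(inventory):
    """Return {host: sorted list of products behind the baseline}."""
    findings = {}
    for host, apps in inventory.items():
        behind = [p for p, v in apps.items()
                  if not is_patched(java_track(v) if p == "java" else p, v)]
        findings[host] = sorted(behind)
    return findings

if __name__ == "__main__":
    for host, behind in audit(INVENTORY).items():
        print(host, "needs patching: " + ", ".join(behind) if behind else "OK")
```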
If you use Skype, be sure to upgrade to the latest version. Nessus flags older versions of Skype as a critical vulnerability because of an as-yet unspecified flaw that could allow unauthenticated remote exploitation over Skype's listening port. If a public exploit becomes available, we may be required to remove vulnerable machines from the UI network.
And for some general advice, removing admin rights remains a good way to reduce risk when possible:
Keeping your browser plugins checked and updated regularly also helps significantly. I know some users who have set either the Mozilla plugin check page or the Qualys Browsercheck page as their home page so they remember to check it regularly:
Your comments and feedback are always appreciated, please let us know at ITS-Security@uidaho.edu
Desktop Security Analyst
Desktop Security Assistant