Archive for October, 2013

Goodbye Microsoft Security Essentials: Microsoft Now Recommends You Use a Third-Party Antivirus

October 17, 2013

Microsoft Security Essentials (Windows Defender on Windows 8) was once on top. Over the years, it’s slid in the test results, but Microsoft argued the tests weren’t meaningful. Now, Microsoft is advising Windows users to use a third-party antivirus instead.

This revelation comes to us from an interview Microsoft gave. Microsoft’s official website still bills MSE as offering “comprehensive malware protection” without any hint that they no longer recommend using it. Microsoft is not communicating well with its users.


Critical Java Update Plugs 51 Security Holes

October 16, 2013

Oracle has released a critical security update that fixes at least 51 security vulnerabilities in its Java software. Patches are available for Linux, Mac OS X, Solaris and Windows versions of the software.

This update brings Java 7 to Update 45, and addresses a whole mess of security flaws. Oracle says that all but one of the 51 vulnerabilities fixed in this update may be remotely exploitable without authentication.

Updates are available from Java.com and the Java Control Panel. Apple has issued an update to its supported version of Java, which brings Java on the Mac to 1.6.0_65 for OS X 10.6.8 or later. As CNet notes, Apple is using this update to further encourage users to switch to Oracle’s Java runtime, especially for Web-based Java services.

“When this latest update is installed, according to Apple’s documentation it will remove the Apple-supplied Java plugin, and result in a ‘Missing plug-in’ section of a Web page that tries to run a Java applet,” CNet’s Topher Kessler writes. “If you click on the missing plug-in message, the system will direct you to Oracle’s Java Web site so you can download the latest version of Java 7, which will not only support the latest features in the Java runtime, but also include the latest bug and vulnerability fixes. Apple’s last supported version of Java is Java SE 6, and since handing the reins over to Oracle, has progressively stepped back from supporting the runtime in OS X.”

Broken record alert: If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. Oracle likes to remind everyone that 3 billion devices worldwide run Java, and that 89 percent of desktops run some form of Java (that roughly matches what vulnerability management firm Secunia found last year). But that huge install base — combined with a hit parade of security bugs and a component that plugs straight into the Web browser — makes Java software a perennial favorite target of malware and malcontents alike.

If you have an affirmative use or need for Java, unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click to play). Java 7 lets users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

Otherwise, seriously consider removing Java altogether.  I’ve long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

There are a couple of ways to find out if you have Java installed and what version may be running.  Windows users can click Start, then Run, then type “cmd” without the quotes. At the command prompt, type “java -version” (again, no quotes). Users also can visit Java.com and click the “Do I have Java?” link on the homepage. Updates also should be available via the Java Control Panel or from Java.com.
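For anyone checking more than one machine, the "java -version" check above can be scripted. The following is an added example, not part of the original post: it parses the version banner and compares it with the two patched levels the post names (Java 7 Update 45 and Apple's 1.6.0_65). The function names and status labels are assumptions chosen for illustration.

```python
import re
import subprocess

# Patched update levels named in the post, keyed by major release:
# Java 7 Update 45 (Oracle) and 1.6.0_65 (Apple's Java 6 for OS X).
PATCHED_UPDATE = {7: 45, 6: 65}

# Matches banners such as: java version "1.7.0_45"
_BANNER_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, update) from `java -version` output, or None."""
    match = _BANNER_RE.search(banner or "")
    if not match:
        return None
    # A banner without an "_NN" suffix is the initial release (update 0).
    return int(match.group(1)), int(match.group(2) or 0)


def assess(banner):
    """Classify a banner against the update levels listed in the post."""
    if banner is None:
        return "not installed"
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"
    major, update = parsed
    baseline = PATCHED_UPDATE.get(major)
    if baseline is None:
        return "unlisted"  # a release line the post does not mention
    return "patched" if update >= baseline else "outdated"


def local_banner():
    """Run `java -version`; returns None when Java is not on the PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    # The JVM writes the version banner to stderr, not stdout.
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    print(assess(local_banner()))
```

The baseline table reflects only this October 2013 update, so it has to be revised each time Oracle or Apple ships a newer release.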

Microsoft releases 28 Security Updates

October 8, 2013

Microsoft today issued 28 security updates for Windows and related software, including one that patches the highly publicized MS13-080 mshtml.dll exploit in Internet Explorer. All of these updates are available for immediate installation using Windows Update. Also covered in this series of updates is another Internet Explorer exploit that was privately disclosed to Microsoft by Trustwave and the National Cyber Security Centre. More information about this exploit can be found in this Microsoft Security Research & Defense blog post.

If you are not automatically installing updates, it is strongly recommended that you run Windows Update and install them immediately. Many of these exploits are actively being used in exploit kits to install malware on your computer and issue other commands without your knowledge.