More from: Adobe

Yep Another Emergency Flash Update

From Krebs

For the third time in two weeks, Adobe has issued an emergency security update for its Flash Player software to fix a dangerous zero-day vulnerability that hackers already are exploiting to launch drive-by download attacks.

brokenflash-aThe newest update, version 16.0.0.305, addresses a critical security bug (CVE-2015-0313) present in the version of Flash that Adobe released on Jan. 27 (v. 16.0.0.296). Adobe said it is are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.

Adobe’s advisory credits both Trend Micro and Microsoft with reporting this bug. Trend Micro published a blog post three days ago warning that the flaw was being used in malvertising attacks – booby-trapped ads uploaded by criminals to online ad networks. Trend also published a more in-depth post examining this flaw’s use in the Hanjuan Exploit Kit, a crimeware package made to be stitched into hacked Web sites and foist malware on visitors via browser plug-in flaws like this one.

 


Another Critical Emergency Adobe Update

For the second time in a week, Adobe has issued an emergency update to fix a critical security flaw that crooks are actively exploiting in its Flash Player software. Updates are available for Flash Player on Windows and Mac OS X.

brokenflash-aLast week, Adobe released an out-of-band Flash Patch to fix a dangerous bug that attackers were already exploiting. In that advisory, Adobe said it was aware of yet another zero-day flaw that also was being exploited, but that last week’s patch didn’t fix that flaw.

Earlier this week, Adobe began pushing out Flash v. 16.0.0.296 to address the outstanding zero-day flaw. Adobe said users who have enabled auto-update for Flash Player will be receiving the update automatically this week. Alternatively, users can manually update by downloading the latest version from this page.

Adobe said it is working with its distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. Google Chrome version 40.0.2214.93 includes this update, and is available now. To check for updates in Chrome, click the stacked three bars to the right of the address bar in Chrome, and look for a listing near the bottom that says “Update Chrome.”

To see which version of Flash you have installed, check this link. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).


Flash Patch Targets Zero-Day Exploit


Adobe today released an important security update for its Flash Player software that fixes a vulnerability which is already being exploited in active attacks. Compounding the threat, the company said it is investigating reports that crooks may have developed a separate exploit that gets around the protections in this latest update.

brokenflash-aEarly indicators of a Flash zero-day vulnerability came this week in a blog post by Kafeine, a noted security researcher who keeps close tabs on new innovations in “exploit kits.” Often called exploit packs — exploit kits are automated software tools that help thieves booby-trap hacked sites to deploy malicious code.

Kafeine wrote that a popular crimeware package called the Angler Exploit Kit was targeting previously undocumented vulnerability in Flash that appears to work against many different combinations of the Internet Explorer browser on Microsoft Windows systems.

Attackers may be targeting Windows and IE users for now, but the vulnerability fixed by this update also exists in versions of Flash that run on Mac and Linux as well. The Flash update brings the media player to version 16.0.0.287 on Mac and Windows systems, and 11.2.202.438 on Linux.

While Flash users should definitely update as soon as possible, there are indications that this fix may not plug all of the holes in Flash for which attackers have developed exploits. In a statement released along with the Flash update today, Adobe said its patch addresses a newly discovered vulnerability that is being actively exploited, but that there appears to be another active attack this patch doesn’t address.

“Adobe is aware of reports that an exploit for CVE-2015-0310 exists in the wild, which is being used in attacks against older versions of Flash Player,” Adobe said. “Additionally, we are investigating reports that a separate exploit for Flash Player 16.0.0.287 and earlier also exists in the wild.”


Microsoft, Adobe Push Critical Fixes

If you use Microsoft products or Adobe Flash Player, please take a moment to read this post and update your software. Adobe today issued a critical update that plugs at least three security holes in the program. Separately, Microsoft released six security updates that address 29 vulnerabilities in Windows and Internet Explorer.

Most of the bugs that Microsoft addressed with today’s updates (24 of the 29 flaws) are fixed in a single patch for the company’s Internet Explorer browser. According to Microsoft, one of those 24 flaws (a weakness in the way IE checks Extended Validation SSL certificates) was already publicly disclosed prior to today’s bulletins.

The other critical patch fixes a security problem with the way that Windows handles files meant to be opened and edited by Windows Journal, a note-taking application built in to more recent versions of the operating system (including Windows Vista, 7 and 8).

More details on the rest of the updates that Microsoft released today can be found at Microsoft’s Technet blogQualys’s site, and the SANS Internet Storm Center.

Adobe’s Flash Player update brings Flash to version 14.0.0.145 on Windows, Mac and Linux systems. Adobe said it is not aware of exploits in the wild for any of the vulnerabilities fixed in this release.

To see which version of Flash you have installed, check this link. IE10/IE11 and Chrome should auto-update their versions of Flash, although my installation of Chrome says it is up-to-date and yet is still running v. 14.0.0.125.

Flash has a built-in auto-updater, but you might wait days or weeks for it to prompt you to update, regardless of its settings. The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). If you have Adobe AIR installed (required by some programs like Tweetdeck and Pandora Desktop), you’ll want to update this program. AIR ships with an auto-update function that should prompt users to update when they start an application that requires it; the newest, patched version is v. 14.0.0.137 for Windows, Mac, and Android.

kissimmee saint cloud osceola county 192 34769 34744 34772 34771 34743 34746 computer repair st cloud computer reapir kissimee lake nona narcossee virus malware virus removal


Critical Java Update Plugs 37 Security Holes

As I always say the number one way to avoid viruses is to update, update, update.

 

From Krebs:

Oracle has pushed a critical patch update for its Java SE platform that fixes at least 37 security vulnerabilities in the widely-installed program. Several of these flaws are so severe that they are likely to be exploited by malware or attackers in the days or weeks ahead. So — if you have Java installed — it is time to update (or to ditch the program once and for all).

javamessThe latest update for Java 7 (the version most users will have installed) brings the program to Java 7 Update 55. Those who’ve chosen to upgrade to the newer, “feature release” version of Java — Java 8 — will find fixes available in Java 8 Update 5 (Java 8 doesn’t work on Windows XP).

According to Oracle, at least four of the 37 security holes plugged in this release earned a Common Vulnerability Scoring System (CVSS) rating of 10.0 — the most severe possible. According to Oracle, vulnerabilities with a 10.0 CVSS score are those which can be easily exploited remotely and without authentication, and which result in the complete compromise of the host operating system.

There are a couple of ways to find out if you have Java installed and what version may be running.  Windows users can click Start, then Run, then type “cmd” without the quotes. At the command prompt, type “java -version” (again, no quotes). Users also can visit Java.com and click the “Do I have Java?” link on the homepage. Updates also should be available via the Java Control Panel or from Java.com.

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. Updates are available from Java.com or via the Java Control Panel. Keep in mind that updating via the control panel will auto-select the installation of the Ask Toolbar, so de-select that if you don’t want the added crapware.

Otherwise, seriously consider removing Java altogether.  I’ve long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an affirmative use or need for Java, unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

For Java power users — or for those who are having trouble upgrading or removing a stubborn older version — I recommend JavaRa, which can assist in repairing or removing Java when other methods fail (requires the Microsoft .NET Framework).

kissimmee saint cloud osceola county 192 34769 34744 34772 34771 34743 34746 computer repair st cloud computer reapir kissimee lake nona narcossee virus malware virus removal