Apply your monthly patches just as soon as you can

There are only six patches in this month’s edition of Patch Tuesday, and only one of them is critical, but it’s a big one.

The critical patch fixes a flaw in Remote Desktop Protocol, something typically only present in the business-oriented flavors of Windows. But if you don’t know whether you’re affected, it behooves you to let Windows update whatever it wants to update.

Yesterday was Patch Tuesday again

I’m way too tired to do the kind of Patch Tuesday writeup I did last month, so I’ll just remind you, and hope that suffices. This month we have vulnerabilities in Windows, Internet Explorer, Silverlight, and .NET, some of which can cause remote code execution, which is a holy grail for spreading malware. So apply those updates. The Silverlight update applies to Macintoshes as well.

We’re just about ready for an era of 64-bit browsers

Adobe released a new Flash player this week. As almost an afterthought, they mentioned there’s a 64-bit version included.

That means Windows users can finally have mainstream 64-bit web browsers without using any beta software. I can put one on my main machine, and Gmail and YouTube and anything else that relies on Flash works the way it’s supposed to work.

What about Firefox? Read on.

Happy Patch Tuesday, September 2011

Microsoft has five updates and Adobe has two for us on this fine Patch Tuesday, in addition to a patch Mozilla pushed out for Firefox last week.

Don’t get too complacent if you run something other than Windows. If you run Microsoft Office on a Mac, or Adobe Reader or Acrobat on a Mac, or Adobe Reader on Unix or Linux, you’re vulnerable. The vulnerabilities in those affected products are more serious than the vulnerabilities for Windows. So keep that in mind. Don’t be smug about security. It’ll bite you.


How to check your downloaded files’ integrity

On some web pages offering programs to download, you may have seen something called an MD5 near the program link, consisting of a long, weird code like 6cbfd919baa7c9e03c8471ae4d8f8bb.

You can use that code to make sure the file you downloaded is what the author intended you to get and wasn’t corrupted during the download process or, worse yet, booby-trapped by someone else. Here’s how.


Don’t use Internet Explorer this Christmas

In case you haven’t heard elsewhere, there’s a nifty unpatched vulnerability for Internet Explorer floating around. And it’s actively being exploited. Metasploit, an exploit toolkit used by penetration testers and script kiddies alike, is able to detect and utilize it.

Under these circumstances, Microsoft has been known to rush out a patch before the next scheduled Patch Tuesday, but the Christmas and New Year’s holidays will obviously slow things down.

In the meantime, installing Firefox and/or Chrome is prudent. I have and use both, since, to my knowledge, there hasn’t been a time yet when both of the two most popular alternative browsers had unpatched exploits in the wild.

Happy Patch Tuesday

Today was the first Patch Tuesday in nearly four years that I didn’t have to worry about professionally. Since Microsoft released 13 patches today and Adobe released two, my former coworkers might be wondering if I knew something. (I didn’t.)

But I still patched my machine at home, and I recommend you do too. Macintosh owners, you’re not immune, so I have some homework for you too. The Adobe patches apply to Acrobat and to the so-called Adobe Reader (which used to be called Acrobat Reader). I recommend you launch Adobe Reader, go to the Help menu, and select Check for Updates. Unless you’re reading this site on a Commodore 64, these updates apply to you.

Mac users tend to be awfully smug about security, and that myth really needs to stop. Apple hasn’t released any security fixes this month, but they did release 9 fixes last month. The biggest one fixes flaws in 16 different applications. Microsoft probably would have released 16 different patches instead of just one. I prefer the Microsoft approach–besides being a little more honest, it also results in smaller download packages if by some chance one or more of those 16 vulnerabilities happen to not apply to a particular machine.

And now, please excuse me for a moment while I recover from the shock of having used the word “honest” to describe Microsoft.

Just out of curiosity, I looked, and Apple has released security updates every month this year except for April. Unlike Microsoft, they don’t follow a set schedule, and the month isn’t over yet, so I wouldn’t be surprised to see something from them later this month.

I won’t bore you with the details, but basically, what it comes down to is this: If I really want into your computer, all I really have to do is booby-trap a file and get you to open it. It could be a PDF file, a movie, a music file, or something else. I can embed code into that file that gives me complete control of the computer. I just have to know whether your computer runs Mac OS or Windows. And how to write the code, of course. (I don’t know how to write the code and I don’t want control of your computer, so there’s no reason to be afraid of me.)

If you’ve been installing your patches, there’s little reason to be afraid of the guy who DOES know how to write the code and DOES want control of your computer.

Your computer may update automatically. If you don’t know for certain whether it does, I suggest you find out. Now. No matter whose name is stamped on the case.
