It's been over a month since I published a roundup of security news and bulletins that have a major impact on computer users. Quite a lot of vulnerabilities and fixes have been announced just in the first 11 days of this month. Links are provided to obtain patched versions of affected software. All of these are very serious and could be, or are being exploited in the wild. I will start with the newest announcements and work my way back to early January.
Oracle Releases Security Alert for Java Runtime Environment
February 10, 2011
Oracle has released a security alert to address a vulnerability in the Java Runtime Environment (JRE) component of the Oracle Java SE and Java for Business products. Exploitation of this vulnerability may allow an attacker to cause a denial-of-service condition. To cut through the geek-speak, this involves the Java "plug-in" that many computers use in the browsers to be able to use and interact with Java Applets in web pages. This plug-in, as well as the standalone version of Java need to be updated as soon as possible, if not sooner.
The new Java is coded Version 6 Update 23 - for Windows, Solaris, and Linux. Go here to download the latest Java Virtual Machine, or go here to see if you have the latest version, or an older, vulnerable version. You must make sure that older versions are uninstalled from your computers, not just left behind. Malware can still exploit older versions left on a computer by specifying the original default path to their executables and JAR files.
I want you to be aware that Java is the most frequently exploited browser plug-in for the last year. When an update is released, do not delay in applying it. Java normally is setup for automatic updates. You can verify this, or even change the frequency of checking, via Control Panel > Java > "Update" tab.
Google Releases Chrome 9.0.597.98
February 10, 2011
Google has released an updated version of their Chrome browser: Chrome 9.0.597.98, for all platforms to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition. This update also includes a recently released version of Adobe Flash Player that repairs several vulnerabilities.
If you have the Chrome browser installed, open it and click on the wrench icon to the right side of the browser, which opens the Tools menu. From there, click on "About Google Chrome" - which launches a check for updates, or tells you if it has already updated itself in the background (it does that via the Google Updater).
Adobe Releases Security Update for Flash Player
February 9, 2011
Adobe Flash Player has also been updated this week, to version 10.2.152.26, to address multiple vulnerabilities in Flash Player 10.1.102.64 and earlier versions for Windows, Macintosh, Linux, and Solaris. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition. (This leads to taking over your computer, if you operate with Administrator level privileges)
You can download the latest version of Flash Player from the Adobe Flash Player page. If you have the Windows operating system and use other browsers too, you'll need to visit the Flash Player page once with Internet Explorer, and once with Firefox, or Opera. Google Chrome maintains its own installation of Flash and updates the entire browser when Adobe updates the Flash plug-in.
Find out what version of Flash Player you have installed, for Internet Explorer and your other browsers, on the Adobe About Flash page. Only install Flash Player at Adobe.com! Criminals use fake Flash Player icons and links to fool people into installing Trojan Horse Botnet programs, from hostile web pages linked to in spam emails.
RealNetworks, Inc. Releases Security Updates for RealPlayer
February 9, 2011
RealNetworks, Inc. has released security updates to address a vulnerability affecting Windows RealPlayer 14.0.1 and earlier versions and RealPlayer Enterprise 2.1.4 and earlier versions. Exploitation of this vulnerability may allow an attacker to execute arbitrary code in the context of the browser. You can update your version of RealPlayer here.
Adobe Releases Updates for Adobe Reader and Acrobat
February 8, 2011
Adobe has released updates for Reader and Acrobat to address multiple vulnerabilities affecting the following software versions:
* Adobe Reader X (10.0) and earlier versions for Windows and Macintosh
* Adobe Reader 9.4.1 and earlier versions for Windows, Macintosh, and Unix
* Adobe Acrobat x (10.0) and earlier versions for Windows and Macintosh
Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, operate with escalated privileges, or conduct cross-site scripting attacks.
At this time, updates are available for the Windows platform. Adobe indicates that it plans to release updates for Macintosh and Unix the week of February 28, 2011. All recent versions of Adobe Reader and Acrobat are now set to automatically check for updates. I still recommend manually checking by opening Adobe Reader, clicking on Help, then "Check for Updates."
Adobe Reader updates require Administrator privileges.
Patch Tuesday Windows Updates
Microsoft released a bunch of Windows Updates on Patch Tuesday, February 8, 2011. If you operate a Windows XP (with SP3), Vista, or 7, or Server 2008, you need to make sure you have received all updates available for your computers. There is a link to do so in your Start Menu, and in Internet Explorer's Safety menu.
Webmaster Alert! WordPress Releases Version 3.0.5
February 8, 2011
WordPress has released WordPress 3.0.5 to address multiple vulnerabilities. Execution of these vulnerabilities may allow an attacker to conduct cross-site scripting attacks or obtain sensitive information.
To download WordPress 3.0.5, update automatically from the Dashboard > Updates menu in your site's admin area or visit the Wordpress.org current stable version download page.
This updated followed closely on the heels of a previous mandatory security updated for WordPress, which was version 3.0.4, which was released on January 3, 2011.
That is the roundup for January 3, through February 11, 2011. You can keep up with all of these updates by using the Secunia Online Software Inspector. It scans your computer, using Java, then displays a readout of any vulnerable software it finds, along with links to download the latest versions.
Get Norton 360 Version 6.0 - All-In-One Security.
Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.