
Thread: [Computer security] ~~ June 15th: patches for Apple's Java, Microsoft's DirectX ~~

  1. #1

    [Computer security] ~~ June 15th: patches for Apple's Java, Microsoft's DirectX ~~

    June 15th update

    If you use Mac OS X, Apple's just released an important security update for your Java. Download it here or run OS X's Software Update to get your Java updated. This fixes a high-profile vulnerability with proof-of-concept attack code publicly available. If you don't actually need Java for anything at this time, disabling it is another safeguard to consider, and that's easily done:

    Fuller recommends that Mac OS X users disable Java applets in their browsers (both Firefox and Safari) and disable ‘Open “safe” files after downloading’ in Safari.

    If you use Windows 2000, Windows XP, or Windows Server 2003, Microsoft has a temporary fix for an exploitable DirectX component. Click the Fix It button on this page, save the file, and run it from an Administrator-level account. This vulnerability is being attacked in the wild, so until a final security update is released, I'd suggest using Microsoft's temporary fix. Windows Vista, Windows 7 and Windows Server 2008 aren't affected, but Vista users might want to take this opportunity to enable a new security option called "SEHOP".


    Older content

    If you have Apple's Safari web browser, they've just released version 4.0 with security fixes and enhancements. You can get that from http://www.apple.com/safari/.

    Apple also updated QuickTime Player to fix some security vulnerabilities. The latest version is available at http://www.apple.com/quicktime/download/ for Mac and Windows.

    Tomorrow (June 9th) is Patch Tuesday for Microsoft. Security patches are planned for Windows, Internet Explorer, Office for Windows, and also the Mac versions of Office 2004 / Word / Excel. Windows users can visit http://update.microsoft.com to get the Microsoft Update engine if you don't have it already, then check for the updates.

    Statistics show that the bad guys are favoring maliciously-constructed .PDF files as an attack method lately (article at F-Secure with stats). They can be auto-launched by exploits sneaked into compromised websites, for example. So I'd suggest checking for security updates to your .PDF-reading program, whether it's Foxit, Adobe Reader, or something else. For example, in Adobe Reader, you can click Help > Check for updates.

    Speaking of Adobe, they will be doing Patch Tuesdays four times a year from now on, and tomorrow (June 9th) will be their first one. There will reportedly be updates for Adobe Reader and the full-blown Adobe Acrobat tomorrow, so if you have Reader and/or Acrobat proper, tomorrow would be a good day to check for updates.
    Last edited by mechBgon; 06-16-2009 at 11:40 AM.

  2. #2
    *Flashaholic* js
    Join Date: Aug 2003 | Location: Upstate New York | Posts: 5,791

    Re: [Computer security] Apple's Safari 4.0, Patch Tuesday and stuff

    Thanks for the info, mechBgon.

    One thing I've noticed is that most, if not all, security vulnerabilities that are patched in OS X, are vulnerabilities only to others on your local network with you. Which, in my book, is a lot different than WAN vulnerabilities.

    As for Safari 4, we've been using the public beta version of it at home for some time now, and I can say that I have indeed found it to be noticeably faster at loading web pages than either Safari 3 or FireFox. I don't like every change they've made to it, but I certainly appreciate the speed increase!
    -Jim Sexton, creator of the M6-R, the TigerLight Upgrades, Fixture-ring lamp potting, the SL60, co-designer of the B90 Upgrade, and proponent of the SF A2, the SF M6 X-LOLA, Titanium, the Haiku, and the LunaSol 20

  3. #3

    Re: [Computer security] Apple's Safari 4.0, Patch Tuesday and stuff

    Originally posted by js:
        Thanks for the info, mechBgon.

        One thing I've noticed is that most, if not all, security vulnerabilities that are patched in OS X, are vulnerabilities only to others on your local network with you. Which, in my book, is a lot different than WAN vulnerabilities.

    Taking a quick look at the list in this Apple Knowledge Base article, it looks like the last large OS X patch did fix some remote code-execution vulnerabilities. Tangentially, Apple has an OS X security guide (.PDF) for those looking to harden their system, including a section on the use of low-rights accounts, which I know one Mac security researcher (Dino Dai Zovi) definitely recommends as a security enhancement.

    In the past, some of Safari's vulnerabilities have been a liability on OS X even when the user is browsing with FireFox or another browser. So for the same reason that I recommend upgrading Windows systems to Internet Explorer 8 even if people don't use IE themselves, it would also be worthwhile to upgrade their Mac's Safari installation to the latest & greatest, even if they don't routinely use Safari for web browsing.
    Last edited by mechBgon; 06-09-2009 at 11:42 AM.

  4. #4
    *Flashaholic* js
    Join Date: Aug 2003 | Location: Upstate New York | Posts: 5,791

    Re: [Computer security] Apple's Safari 4.0, Patch Tuesday and stuff

    One thing that annoys me about the Leopard firewall, is that it comes completely open by default, and the ipfw firewall is active, but allows all traffic. I wish they had just stuck with the same setup as Tiger. For myself, I reactivated the ipfw firewall, and set the application firewall to allow some: printer sharing and local file sharing.

    Plus, I am behind a NAT router with an SPI firewall set to drop WAN requests.

    This, in my opinion, is way more security than is needed, so I'm not worried about surfing the web with an administrator account. It still needs a password for root access.
    -Jim Sexton, creator of the M6-R, the TigerLight Upgrades, Fixture-ring lamp potting, the SL60, co-designer of the B90 Upgrade, and proponent of the SF A2, the SF M6 X-LOLA, Titanium, the Haiku, and the LunaSol 20

  5. #5

    Re: [Computer security] Apple's Safari 4.0, Patch Tuesday and stuff

    Bump for another security update that came out today.

  6. #6
    Flashaholic* monkeyboy
    Join Date: Mar 2006 | Location: UK | Posts: 2,326

    Re: [Computer security] ~~ June 15th: patches for Apple's Java, Microsoft's DirectX

    I just got Safari 4.01 (updated from 3.23) with the software update today. I guess it's no longer a beta version.

    There's a whole heap of OS X updates today actually.
    Last edited by monkeyboy; 06-18-2009 at 09:39 AM.

  7. #7
    Flashaholic* LEDninja
    Join Date: Jun 2005 | Location: Hamilton Canada | Posts: 4,896

    Re: [Computer security] ~~ June 15th: patches for Apple's Java, Microsoft's DirectX

    Thanks for the heads up.

    Software update downloaded Safari 4.0 in addition to Java.
    Huh.
    How come I only got Safari 4.0 just now? (not 4.01)
    BTW they changed the default page. Took me awhile to figure out how to remove it (set new window to empty page)
    CPF came up wrong initially (wrong page width for my monitor, no scroll bars). Problem went away after I closed all windows and reopened them

    Then I clicked on the quicktime link and got a blank page.

    Sent 2 bug reports so far.
