Microsoft Patch Tuesday March 2013 – Flash and Java

Microsoft has released seven items in their Security Bulletin for March 2013. Most are for Microsoft Office, one is for Internet Explorer and two are in Windows itself.

NOTE: If you are using Windows 8, in addition to the other Microsoft Windows, Internet Explorer and Microsoft Office updates, you will also get a Flash update. Don’t forget that Flash is built into Internet Explorer in Windows 8, just like Flash is included with and updated by Google Chrome. What that means is that you do not have to keep Flash updated for those two browsers – IE 10 in Windows 8 and Google Chrome keep Flash updated for you.

More information at Security Garden blog.

You do still need to keep Flash updated for other browsers like Firefox and Opera, and Internet Explorer on earlier versions of Windows.

Also don’t forget that Oracle’s Java has had three, count them three, updates over the past month. Make sure you are at the latest version of Java: Java 7 Update 17.
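A quick way to verify the Java version on a machine is to parse the output of `java -version`. The following is an added example (not code from the original post or from Oracle); the sample output string is constructed here to look like what Java 7 Update 17 prints, and the required version is taken from the post’s “Java 7 Update 17”. The point of the tuple comparison is that update numbers must be compared numerically: as strings, “1.7.0_9” would sort after “1.7.0_17”.

```python
import re
import subprocess
from typing import Optional, Tuple

# Latest version named in this post (Java 7 Update 17): 1.7.0_17
REQUIRED = (1, 7, 0, 17)

# Constructed sample of what `java -version` prints for Java 7 Update 17.
# The real command writes these lines to stderr, not stdout.
SAMPLE_OUTPUT = '''java version "1.7.0_17"
Java(TM) SE Runtime Environment (build 1.7.0_17-b02)
Java HotSpot(TM) 64-Bit Server VM (build 23.7-b01, mixed mode)
'''

# Matches the classic Java 6/7 version string: major.minor.micro_update
_VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)_(\d+)"')


def parse_java_version(output: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract (major, minor, micro, update) from `java -version` output, or None."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_current(version, required=REQUIRED) -> bool:
    """True if the parsed version is at or above the required one.

    Comparing tuples of ints keeps 1.7.0_9 < 1.7.0_17; comparing the raw
    strings would get that wrong.
    """
    return version is not None and tuple(version) >= required


def installed_java_version() -> Optional[Tuple[int, int, int, int]]:
    """Run the real `java -version` on this machine; None if Java is not on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    # Java prints the banner on stderr; include stdout in case a wrapper redirects it.
    return parse_java_version(proc.stderr + proc.stdout)


def report(output: str) -> str:
    """Human-readable verdict for one `java -version` banner."""
    v = parse_java_version(output)
    if v is None:
        return "Java not found or version string unrecognised"
    label = "%d.%d.%d_%d" % v
    status = "current" if is_current(v) else "OUT OF DATE, update now"
    return "Java %s is %s" % (label, status)


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT))
    live = installed_java_version()
    if live is not None:
        print("installed:", "%d.%d.%d_%d" % live,
              "current" if is_current(live) else "out of date")
```

Note that this only checks the Java runtime found on PATH; a browser plugin can point at a different, older installation, so the browser-side checks mentioned later in this post (the Java test page, Secunia OSI, the Firefox plugin checker) are still worth running.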


Microsoft restores transfer rights for retail Office 2013 copies

Microsoft restores transfer rights for retail Office 2013 copies – ZDNET – Ed Bott

As part of its shift to a subscription model, Microsoft introduced a controversial “no transfer” restriction with Office 2013. Now, after an intense outcry from customers, the company has reversed course and agreed to allow users to transfer retail Office licenses between devices.

Thank you, Microsoft, for coming through after the public outcry over the changes to the retail licenses for Microsoft Office 2013!

Office 2013 now transferable – Microsoft’s Office News Blog

A couple weeks ago, I posted this blog to clarify the new Office 2013 licensing terms. Based on customer feedback we have changed the Office 2013 retail license agreement to allow customers to transfer the software from one computer to another. This means customers can transfer Office 2013 to a different computer if their device fails or they get a new one. Previously, customers could only transfer their Office 2013 software to a new device if their PC failed under warranty.

So which retail licenses are included:

Office Home and Student 2013

Office Home and Business 2013

Office Professional 2013

and the standalone Office 2013 applications.

Here’s the changed text in the license, as noted in the Office 2013 now transferable posting at the Office News blog:

Updated transferability provision to the Retail License Terms of the Software License Agreement for Microsoft Office 2013 Desktop Application Software:

Can I transfer the software to another computer or user? You may transfer the software to another computer that belongs to you, but not more than one time every 90 days (except due to hardware failure, in which case you may transfer sooner). If you transfer the software to another computer, that other computer becomes the “licensed computer.” You may also transfer the software (together with the license) to a computer owned by someone else if a) you are the first licensed user of the software and b) the new user agrees to the terms of this agreement before the transfer. Any time you transfer the software to a new computer, you must remove the software from the prior computer and you may not retain any copies.

Again, I personally thank Microsoft and the Office Team for positively responding to the public outcry regarding the license change for the retail versions. I hope they will not be changing this in future retail versions of Office any time soon!

The closing comment by Jack Fark, Office Team on the article:

At Microsoft, we strive to make Office the very best product to help busy people and families get things done. A key ingredient in our formula for success is listening to our customers, and we’re grateful for the feedback behind this change in Office licensing. Thank you.

BOLD emphasis mine.

New Twist to Online Tech Support Scam and more

This one has been going on for quite a while, but it is definitely spreading like a bad rash. To prove it, one of my clients got a call from one of these scammers while I was actually at their home for an appointment to work on their computer. What are the chances of that? It has certainly never happened before. And they are definitely using some serious social engineering to fool people into letting them into their computers to “fix” them.

Thanks to Windows Secrets and Fred Langa for the link:

Windows Secrets reader Scott Brande was recently on the receiving end of a typical tech-support con. Recognizing it for what it was, he carefully documented the attempted snow job, then sent in his notes as a service to all Windows Secrets readers.

Check out the rest of Fred Langa’s article for the fully documented story.

And from IC3.gov site:

New Twist to Online Tech Support Scam and more – IC3.gov Scam Alerts (Jan 7, 2013)

NEW TWIST TO ONLINE TECH SUPPORT SCAM

The IC3 continues to receive complaints reporting telephone calls from individuals claiming to be with Tech Support from a well-known software company. The callers have very strong accents and use common names such as “Adam” or “Bill.” Callers report the user’s computer is sending error messages, and a virus has been detected. In order to gain access to the user’s computer, the caller claims that only their company can resolve the issue.

The caller convinces the user to grant them the authority to run a program to scan their operating system. Users witness the caller going through their files as the caller claims they are showing how the virus has infected their computer.

Users are told the virus could be removed for a fee and are asked for their credit card details. Those who provide the caller remote access to their computers, whether they paid for the virus to be removed or not, report difficulties with their computer afterwards; either their computers would not turn on or certain programs/files were inaccessible.

Some report taking their computers to local technicians for repair and the technicians confirmed software had been installed. However, no other details were provided.

In a new twist to this scam, it was reported that a user’s computer screen turned blue, and eventually black, prior to receiving the call from Tech Support offering to fix their computer. At this time, it has not been determined if this is related to the telephone call or if the user had been experiencing prior computer problems.

Unbelievable! MICROSOFT DOESN’T DO THAT!

Avoid tech support phone scams

Cybercriminals don’t just send fraudulent email messages and set up fake websites. They might also call you on the telephone and claim to be from Microsoft. They might offer to help solve your computer problems or sell you a software license. Once they have access to your computer, they can do the following:

  • Trick you into installing malicious software that could capture sensitive data, such as online banking user names and passwords. They might also then charge you to remove this software.
  • Take control of your computer remotely and adjust settings to leave your computer vulnerable.
  • Request credit card information so they can bill you for phony services.
  • Direct you to fraudulent websites and ask you to enter credit card and other personal or financial information there.

Neither Microsoft nor our partners make unsolicited phone calls (also known as cold calls) to charge you for computer security or software fixes.

More here at Microsoft’s article: Avoid Phone Scams

Some more interesting things in the IC3 Scam Alerts:

You might also find the rest of the IC3 Scam Alerts interesting; including a list of the most popular passwords out there. If you are using any of them as passwords, you might just want to change it now!

Also some info on a Java exploit that is for sale for five figures:

Miscreants in the cyber underground are selling an exploit for a previously undocumented security hole in Oracle’s Java software that attackers can use to remotely seize control over systems running the program, KrebsOnSecurity has learned.

Might want to check out: How to Unplug Java from the Browser

IE10 is now available for Windows 7 – Finally

IE10 is now available for Windows 7 – Finally!!

It is great news that the most modern Internet Explorer browser will now be available for Windows 7.

Before today, IE10 was only available for Windows 8 and that only since about October 2012.

In SecurityGarden’s posting about this:

Key Improvements

Key improvements in IE9 include improved performance, security, and privacy. Of major significance are the results of the independent testing conducted by NSS Labs, referenced below, in which IE10 with App Rep had a mean malware block rate of 99.1%.

SecurityGarden’s posting also covers the CPU and Windows 7 32/64-bit requirements, has a link to check whether your computer is 32-bit or 64-bit, and of course provides the download links and more.

Oh, and another cool feature of IE10 is one that is already built into Google Chrome: Flash is incorporated within IE10 and updated within the browser. Hopefully that will work out well over time for both browsers, and hopefully they will not let up in their vigilance about getting the Flash updates incorporated quickly as they are released.

Microsoft moving Hotmail users to Outlook.com

Microsoft moving Hotmail users to Outlook.com this Summer.

Here’s some pointers from a CNET article about the move:

Microsoft announced earlier this week that it is closing Hotmail and moving the “hundreds of millions” still using it to Outlook.com by this summer.

The move isn’t unexpected, but perhaps more sudden than some anticipated. Hotmail users, once they move (or are moved) will get Outlook.com’s clean, Metro-Style interface for their mail — and ultimately, calendars. (For a walk-through of the user-interface changes Hotmail users will see, check out this Microsoft FAQ.)

One of the most important things folks will want to know is if their favorite browser will work with Outlook.com. Well, looks like it will work much better than Hotmail or MSN email did in other browsers.

Outlook.com is optimized for Internet Explorer 8, 9, and 10; Google Chrome 17 and higher; Firefox 10 and higher; Safari 5.1 on Mac. It also works relatively well on IE 7, Google Chrome 16 and 5; Firefox 9 and 5; Safari 5.1 on Windows and Safari 5 on Windows and Mac. It doesn’t work at all on IE 6 and older; Google Chrome 4 and older; Firefox 4 and older; and Safari 4.X and older.

And you won’t have to move your email address if you don’t want to:

Do I have to get a new email address?

No. You can keep using your existing @hotmail.com, @live.com, or @msn.com address. Or you can get a new @outlook.com address.

Much more in the Microsoft FAQ including a video.

MSHTML Shim Workaround – Microsoft Security Advisory 2794220

Microsoft Security Advisory (2794220) and more here.

Vulnerability in Internet Explorer Could Allow Remote Code Execution

Microsoft is investigating public reports of a vulnerability in Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8. Internet Explorer 9 and Internet Explorer 10 are not affected by the vulnerability. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability through Internet Explorer 8. Applying the Microsoft Fix it solution, “MSHTML Shim Workaround,” prevents the exploitation of this issue. See the Suggested Actions section of this advisory for more information.

Apply the Microsoft Fix it solution, “MSHTML Shim Workaround”, that prevents exploitation of this issue

See Microsoft Knowledge Base Article 2794220 to use the automated Microsoft Fix it solution to enable or disable this workaround.

Security Garden posted about this yesterday. More in the original posting:

On Monday, January 14, 2013, Microsoft is planning to release an out-of-band critical security update for the issue described in  Security Advisory 2794220.

The update is to address an issue that affects Internet Explorer versions 6, 7 and 8.  Internet Explorer versions 9 and 10 are not affected.

Although Microsoft has seen only a limited number of customers affected by the issue, the potential exists that more could be affected.  Thus, it is advised that the update be installed as soon as possible.

If you use Vista or Windows 7, you should already be at Internet Explorer 9. If Windows XP, you should already be at Internet Explorer 8. If that is not the case, please update ASAP.


IMPORTANT! NEW INFORMATION ABOUT THE FIX IT:

Note:  The Advance Notice for this update to Internet Explorer versions 6-8 indicated if the Microsoft Fix it was applied, it was not necessary to uninstall it prior to updating IE.

The advice provided now is to disable the Fix it after updating as it is no longer required.

Thanks Corrine!

Disable Java – Windows, Mac, Linux

US Department of Homeland Security advises disabling Java following fresh zero-day vulnerability – The Verge

A new Trojan horse has been discovered that exploits a flaw found in Java, leaving computers running Windows, Mac OS, and Linux vulnerable to attack. Mal/JavaJar-B allows attackers to remotely trigger code once it infects a system, potentially leading to the installation of malware, or even ransomware. Oracle hasn’t yet patched the vulnerability, which targets even the latest version of Java.

US-CERT RECOMMENDS THAT USERS DISABLE JAVA IN WEB BROWSERS

Apple has already taken care of this on the Mac by updating its blocklist to disallow the Java plugin up to and including the current version, requiring a new one that hasn’t even been released yet. Excellent move from Apple.

Firefox and Google Chrome have had you click to use Java at all for a while now. From my experience, I believe that includes the current version of Java as well. As noted above, Firefox now includes the current version of Java in its blocklist; you have to personally choose to use Java through its Click to Play feature. Thank you Mozilla!

As noted in its blog posting, Google Chrome on December 21, 2012 instituted a feature that disallows silent extension add-on installations. I believe this is something that Mozilla did some time ago when they experienced problems with it. Or maybe not.

So you will definitely want to disable Java in all browsers in Windows, Linux and on the Mac just to be safe for now.

Internet Explorer now lets you block plugins by default and allow only those you specifically approve. But if you have allowed Java in the past, you will want to disable it:

How to Disable Java – PCMag

The PCMag article gives instructions for all the main browsers. Check it out, and please, for your own sake, don’t use a browser that allows Java for general use, at least for now.

Disable it in at least one browser that you can then use for general-purpose browsing.

Whichever method you choose, visit the Java test page at http://java.com/en/download/testjava.jsp to confirm that Java is disabled. Yes, you’ll occasionally run across a website that relies on Java. If necessary, you can temporarily enable Java for those sites. But you may be surprised at how little you miss it.

More here at Security Garden, Dottech.org (How to/tutorial with images) and Venture Beat as well.

I have Java totally disallowed in my main browser, and enabled in one of my other browsers so I can still go to Secunia.com to use their OSI (Online Security Inspector) to check plugins and Internet-facing programs. I also compare that with Firefox’s plugin checker. That is on Windows. On my Mac, I have Java disabled in all but one browser and turn Java on and off as needed overall. On Linux, Java is also disabled in my main browser.

This is very important until Oracle gets this patched, and until Oracle becomes quicker at fixing these vulnerabilities.

Oracle really needs to get on the stick before they, and all the programs that make use of Java, are made obsolete! And there are millions of them!!!

EDIT: As of 1/11/2013 - Added Mozilla’s and Apple’s change to include blacklisting of the current version of Java due to the Trojan affecting even the current version of Java. See the info earlier in the posting.