News

Nov 8, 2016

Debian mysql-5.5 update


Several issues have been discovered in the MySQL database server.

For the stable distribution (jessie), these problems have been fixed in version 5.5.53-0+deb8u1.

Solution: apt-get update && apt-get -y upgrade

The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.53, which includes additional changes, such as performance improvements, bug fixes, new features, and possibly incompatible changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details:

Fixes: Bug #24679907, Bug #24695274, Bug #24707666. Note that the Oracle Bug Database is not publicly accessible.


Feb 20, 2013

More Adobe Reader and Oracle Java patches


Adobe released security patches for critical flaws in Acrobat and Reader, and Oracle released another update for Java.

This is getting tiresome. If you don't require Java - remove it. If you do require it, keep it updated but disable it except when required.

Ditto Adobe Acrobat and Reader

Feb 13, 2013

Black Tuesday (in the USA) again


Microsoft released 12 patches this month to fix 5 "critical" and 7 "important" security problems.

As usual the patches are available through Microsoft Update. It's advised that 2800277 for .NET Framework be installed last, after installing the other updates and rebooting.

Feb 13, 2013

Another Ffflash Player Critical update


Still using Flash?

Adobe has released another security update for Flash Player - this time addressing 17 as yet unexploited vulnerabilities.

Updates are available for Windows, Mac, Linux and Android systems.

Adobe wants users to grab the latest Ffflash updates from its Flash Player Download Center, but that tries to install rubbish like McAfee VirusScan. Better to download from the Flash Player Distribution page.

You can find out what version of Flash is installed through this link.

Flash Player for Google Chrome is automatically updated with the latest Google Chrome version. Internet Explorer 10 users on Windows 8 will get the update, Microsoft Security Advisory (2755801), through Windows Update.

AIR can be downloaded here

Suggestion:- avoid Internet Explorer wherever possible, likewise that steaming pile of merde called Adobe Flash. Use HTML5 for multimedia content (Firefox/Iceweasel, Chromium/Chrome, Safari, Opera, or anything but IE) - employ NoScript, FlashBlock (there are Chrome variants of both), and good judgement wherever possible and you will avoid this all too common class of problem.

Did you know YouTube has an HTML5 option?

Feb 13, 2013

Adobe Shockwave Update


Adobe today released an update for Windows and Apple to fix two vulnerabilities.

Affected versions - Adobe Shockwave Player 11.6.8.638 and earlier versions for Windows and Macintosh.

Check your current version, and if necessary upgrade to the latest release 12.0.0.112.

Feb 8, 2013

Another Ffflash Player Critical update


Adobe has released a critical security update for Flash Player. Updates are available for Windows, Mac, Linux and Android systems.

Quote:-
Adobe is aware of reports that CVE-2013-0633 is being exploited in the wild in targeted attacks designed to trick the user into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content. The exploit for CVE-2013-0633 targets the ActiveX version of Flash Player on Windows.

Adobe is also aware of reports that CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, as well as attacks designed to trick Windows users into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content.

Adobe wants users to grab the latest updates from its Flash Player Download Center, but that tries to install rubbish like McAfee VirusScan. Better to download from the Flash Player Distribution page.

You can find out what version of Flash is installed through

It appears that another unpatched critical Java exploit may be actively in use by cyber-criminals (or will be very soon).

Brian Krebs, an IT journalist I respect, reports that a new critical Java exploit has been sold for cybercrime exploits, and appears to have been sold to at least 2 customers for $5K US ea. with a third customer paying an unknown amount.

Jan 15, 2013

Out of cycle MS security patch for Internet Explorer


Microsoft today released a patch for a critical flaw in Internet Explorer

Previously Microsoft had published a shim (Fix It Tool) that proved ineffective in preventing exploits against the browser. You can install it through Microsoft Update.

Note: if you did install the MS Fix It Tool/shim MS recommend you un-install it - though it's not mandatory.

tl;dr If you must run MS Internet Explorer, do ensure you have the latest MS updates installed.

Jan 14, 2013

Oracle release an updated Java


Version 7 update 11 has been released to address two critical flaws in the previous version that were actively being exploited.

If you really must use Java then update now, and keep Java disabled except on an application by application basis.

It's great that Oracle have released a fix so quickly. But it does little to mitigate the appalling history of insecurities associated with this clunky, unnecessary, steaming pile of merde. May Java and Ffflash both die a quick death. A pox on both their houses. (yes really).

Jan 11, 2013

Foxit vulnerability


Third party PDF reader, Foxit, is currently vulnerable to a critical exploit.

Until Foxit release a fix which limits the length of URLs, your best protection is either to avoid PDF files, or to download them before opening. Do not use Adobe Acrobat Reader instead.

Sadly too many PDFs are deployed instead of the original, open, document formats eg. RTF, plain text, HTML etc. Convenience comes at a price.

Jan 11, 2013

Upgrade and unplug Java


Once again Java is not safe for general use, with at least one vulnerability being actively marketed in two major cybercrime kits, and exploits being found in the wild

As noted by Krebs, a new Java exploit has been marketed for at least the last week, and overnight DontNeedCoffee has found it actively deployed in the wild.

Java belongs in the same big round filing cabinet as Flash and PDFs. Widely deployed, popular, constantly exploited, and redundant. Much, if not all of Java's justifications for being can be fulfilled with HTML5. If you need it - make sure you are running the very latest version (v7 update 10), and unplug it except when you absolutely need to use it. You can check your version here, and download the latest version here. Instructions on how to unplug it are here.

Jan 9, 2013

Adobe pushes out more security updates


Adobe releases security patches for critical flaws in Acrobat, Reader and Flash - but won't release fixes for the Cold Fusion critical flaws for another week. Update Adobe Reader and Ffflash now.

Adobe wants users to grab the latest Ffflash updates from its Flash Player Download Center, but that tries to install rubbish like McAfee VirusScan. Better to download from the Flash Player Distribution page.

You can find out what version of Flash is installed through Microsoft’s site, or wait for the browser to auto-update the plugin.

The latest Adobe Reader can be got here, or use the built-in update function. AIR can be downloaded here

Suggestion:- avoid Internet Explorer wherever possible, likewise that steaming pile of merde called Adobe Flash. Use HTML5 for multimedia content (Firefox/Iceweasel, Chromium/Chrome, Safari, Opera, or anything but IE) - employ NoScript, FlashBlock (there are Chrome variants of both), and good judgement wherever possible and you will avoid this all too common class of problem.

Did you know YouTube has an HTML5 option?

Jan 9, 2013

Black Tuesday (in the USA) again


Microsoft monthly fix-what-we-forgot-to-ship day, still not safe to use Internet Explorer as anything other than a drinks coaster.

This month's patches include two "critical" releases and five "important".

One of the patches addresses an exploit that has made the news recently in attacks against Internet Explorer 6 - 8 at the CFR website and is now part of at least one cybercrime toolkit. Unfortunately that patch is no longer relevant as it can be got around.

tl;dr - Run the Microsoft Update Manager - but don't run Internet Explorer.

Jan 9, 2013

Yahoo gets less stupid


Yahoo now has an HTTPS option

After several years of urging, and possibly as a result of a recent, critical, 0-day XSS exploit, Yahoo is finally offering SSL.

It's disabled by default (go figure).
To enable the SSL option, users can go into the Options tab and click the box next to "Make your Yahoo Mail more secure with SSL". The option is not enabled by default, but that could happen in the future.

Dec 30, 2012

(another) Internet Explorer/Fffllash exploit in the wild


Several reports of what appear to be Chinese attacks utilising vulnerabilities in Internet Explorer 8 through Flash.

Darien Kindlund gives one report. Apparently Microsoft is "investigating the vulnerability at this time".

After writing "We have chosen not to release the technical details of this exploit", the report then goes on to do everything but a full analysis of the Flash file.

This is only one variant of the heap spray attack, and some antivirus tools will detect it.

Solution:- avoid Internet Explorer wherever possible, likewise that steaming pile of merde called Adobe Flash. Use HTML5 for multimedia content (Firefox/Iceweasel, Chromium/Chrome, Safari, Opera, or anything but IE) - employ NoScript, FlashBlock (there are Chrome variants of both), and good judgement wherever possible and you will avoid this all too common class of problem.

Dec 29, 2012

Debian elinks programming error


Vulnerability discovered by Marko Myllynen. CVE-2012-4545

Marko Myllynen discovered that ELinks, a powerful text-mode browser, incorrectly delegates user credentials during GSS-Negotiate.

Squeeze (stable), fixed in v0.12~pre5-2+squeeze1. Since the initial Squeeze release, XULRunner needed to be updated and the version currently in the archive is incompatible with ELinks. As such, JavaScript support needed to be disabled (only a small subset of typical functionality was supported anyway). It will likely be re-enabled in a later point update.

Wheezy (testing) fixed in v0.12~pre5-9

Sid (unstable) fixed in v0.12~pre5-9

tl;dr
#apt-get update;apt-get upgrade

Dec 29, 2012

Debian Icedove Vulnerability


Five vulnerabilities have been discovered in Icedove, Debian's version of the Mozilla Thunderbird mail and news client.
CVE-2012-4201, CVE-2012-4207, CVE-2012-4216, CVE-2012-5829, and CVE-2012-5842

  • CVE-2012-4201
    The evalInSandbox implementation uses an incorrect context during the handling of JavaScript code that sets the location.href property, which allows remote attackers to conduct cross-site scripting (XSS) attacks or read arbitrary files by leveraging a sandboxed add-on.
  • CVE-2012-4207
    The HZ-GB-2312 character-set implementation does not properly handle a ~ (tilde) character in proximity to a chunk delimiter, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted document.
  • CVE-2012-4216
    Use-after-free vulnerability in the gfxFont::GetFontEntry function allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors.
  • CVE-2012-5829
    Heap-based buffer overflow in the nsWindow::OnExposeEvent function could allow remote attackers to execute arbitrary code.
  • CVE-2012-5842
    Multiple unspecified vulnerabilities in the browser engine could allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code.

Fixed in Squeeze (stable) v3.0.11-1+squeeze15, and Sid (unstable) v10.0.11-1

tl;dr
#apt-get update;apt-get upgrade

Dec 13, 2012

Apple Quicktime Security Fix


Apple have released a new version of Quicktime which fixes a number of serious security problems.

Quicktime 7.7.3 is available for download - install it.

Dec 13, 2012

Unpatched Internet Explorer Security and Privacy problem


All versions of Internet Explorer affected - Microsoft doesn't plan on fixing the problem. NOTE: Microsoft say it's a "feature, not a flaw"!

This can be a serious problem if you use a virtual keyboard or keypad.

A security vulnerability in Internet Explorer, versions 6–10, allows your mouse cursor to be tracked anywhere on the screen, even if the Internet Explorer window is inactive, unfocused or minimised. The vulnerability is notable because it compromises the security of virtual keyboards and virtual keypads.

As a user of Internet Explorer, your mouse movements can be recorded by an attacker even if you are security conscious and you never install any untoward software. An attacker can get access to your mouse movements simply by buying a display ad slot on any web-page you visit.

Nick Johnson from spider.io found the flaw and notified Microsoft at the beginning of October. "Microsoft Security Research Center has acknowledged the vulnerability in Internet Explorer, they have also stated that there are no immediate plans to patch this vulnerability in existing versions of the browser."

Solution:- don't use Internet Explorer. Use Firefox/Iceweasel, or Google Chrome, or Opera, or Safari, etc.

Dec 12, 2012

Microsoft Tuesday patches plus Adobe and Google Chrome


Microsoft has released another round of patches for their products (it's Tuesday in the US), and Adobe have pushed out another Fffflash upgrade.

Google Chrome has also released a new version to close a hole.

Install the latest Microsoft security patches for IE 9 & 10 (MS12-077), Exchange Server (MSA-1280), Word, and a nasty affecting XP, Vista, and 7 (MS-081) ASAP. A reboot will be required.

Adobe has released a new version of Flash Player and AIR to address newly exposed problems.

Google's Chrome will update itself to the latest version by default.

Dec 1, 2012

Debian Apache flaws


DSA-2579-1 apache2 -- Multiple issues

Two issues have been found that need fixing

CVE-2012-4557 A flaw in mod_proxy_ajp could lead to a temporary denial of service.

CVE-2012-4929 A man-in-the-middle attack flaw has been discovered.

In both cases the fix is simple. #apt-get update;apt-get upgrade

Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be upgraded:
  apache2 apache2-doc apache2-mpm-prefork apache2-suexec-custom apache2-utils apache2.2-bin
  apache2.2-common
7 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 4,240 kB of archives.
After this operation, 139 kB of additional disk space will be used.

Nov 7, 2012

Adobe APSB12-24


Adobe has released a critical security update for Flash Player and Adobe AIR that fixes at least seven major problems. Updates are available for Windows, Mac, Linux and Android systems.

Adobe has released a critical security update for its Flash Player and Adobe AIR software that fixes at least seven dangerous vulnerabilities in these products. Updates are available for Windows, Mac, Linux and Android systems.

Today’s update, part of Adobe’s regularly scheduled patch cycle for Flash, brings Flash Player to version 11.5.502.110 on Windows and Mac systems.

Adobe wants users to grab the latest updates from its Flash Player Download Center, but that tries to install rubbish like McAfee VirusScan. Better to download from the Flash Player Distribution page.

You can find out what version of Flash is installed through Microsoft’s site, or wait for the browser to auto-update the plugin.

Adobe’s advisory is here, including links to update AIR if you have that installed.

Oct 8, 2012

Debian Icedove Vulnerability


Debian Security Advisory for Icedove

Several vulnerabilities were discovered in Icedove, Debian's version of the Mozilla Thunderbird mail and news client. This includes several instances of use-after-free and buffer overflow issues. The reported vulnerabilities could lead to the execution of arbitrary code, and additionally to the bypass of content-loading restrictions via the location object.

For the stable distribution (squeeze), this problem has been fixed in version 3.0.11-1+squeeze13.

For the testing distribution (wheezy), this problem has been fixed in version 10.0.7-1.

For the unstable distribution (sid), this problem has been fixed in version 10.0.7-1.

TL;DR The problem has been fixed - if you have recently (in the last week) run apt-get upgrade there's no need to worry.

Oct 6, 2012

Opera UXSS flaw


A default setting in Opera web browsers allows an attacker to exploit a Data URI scheme in combination with a redirection to execute JavaScript.

Here's a proof of concept with instructions for a work-around

Unlike previous examples, which require the attacker to use a compromised website, this exploit can use a URL shortener service.

NOTE: Google's URL shortener goo.gl won't allow this exploit.

The flaw seems to have been first mentioned at rdot.org

A fuller explanation can be found at Detectify.com

Sep 26, 2012

Barrier Reef now on Google Maps


Google Maps has just added panoramic underwater images of the Barrier Reef.

The Catlin Seaview Survey used a specially designed underwater camera, the SVII, to capture underwater imagery around the world, as part of their expedition to document the composition and health of coral reefs.


Sep 26, 2012

Another Critical Java SE flaw discovered


Researchers from Polish company Security Explorations have discovered another Java flaw that will affect about one billion users of Oracle Java SE software.

The bug(?) allows an attacker to violate a fundamental security constraint of a Java Virtual Machine (type safety).

The following Java SE versions were verified to be vulnerable:

  • Java SE 5 Update 22 (build 1.5.0_22-b03)
  • Java SE 6 Update 35 (build 1.6.0_35-b10)
  • Java SE 7 Update 7 (build 1.7.0_07-b10)

All tests were successfully conducted in the environment of a fully patched Windows 7 32-bit system and with the following web browser applications:

  • Firefox 15.0.1
  • Google Chrome 21.0.1180.89
  • Internet Explorer 9.0.8112.16421 (update 9.0.10)
  • Opera 12.02 (build 1578)
  • Safari 5.1.7 (7534.57.2)

Sep 25, 2012

Microsoft Secure Boot isn't (secure)


Italian security researchers have discovered flaws in Windows 8 that allow the creation of a UEFI rootkit.

NOTE: this exploit uses UEFI rather than circumventing it as some of the earlier Windows 8 rootkits do. As a bonus UEFI rootkits don't restrict malware to assembler eg. C is supported.

ITSEC analysed the UEFI platform now that Microsoft has ported old BIOS and MBR's boot loader to the new UEFI technology in Windows 8. Andrea Allievi, a senior security researcher at ITSEC, was able to use the research to cook up what's billed as the first ever UEFI bootkit designed to hit Windows 8. The proof-of-concept malware is able to defeat Windows 8's Kernel Patch Protection and Driver Signature Enforcement policy.

The UEFI boot loader developed by Allievi overwrites the legitimate Windows 8 UEFI bootloader, bypassing security defences in the process.

"Our bootloader hooked the UEFI disk I/O routines and it intercepted the loading of the Windows 8 kernel, thus our bootkit tampered the kernel by disabling the security features used by Windows to prevent the loading of unsigned drivers," said Marco Giuliani of ITSEC.

Sep 22, 2012

Microsoft Update for Internet Explorer 10


Microsoft released an Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10

From the summary:- Microsoft is announcing the availability of an update for Adobe Flash Player in Internet Explorer 10 on all supported editions of Windows 8 and Windows Server 2012. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10.

This patch addresses two vulnerabilities in Internet Explorer 10 - both of which were fixed in updates from Adobe last month.

Sep 22, 2012

Microsoft release patch for IE flaw


Microsoft announced they have released a patch through their Update program, fixing five serious flaws in various versions of Internet Explorer.

This patch (apparently) fixes the flaws mentioned here which can allow Remote Administration of Windows running Versions 6 - 9 of Internet Explorer.

TL,DR? Update Windows now!

Sep 18, 2012

Microsoft releases partial fix for IE flaw


Microsoft announced they are "investigating" "public reports of a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9". And that they are "aware" of attacks that "attempt to exploit this vulnerability". Translated from NewSpeak into English it means they won't admit to a problem yet - so you'll have to wait for a proper fix.

Brian Krebs confirms Eric Romang's initial report that the vulnerability is being actively exploited in the wild, and that it appears to be connected to the same group of Chinese hackers responsible for unleashing a pair of Java zero-day exploits late last month.

Microsoft advises users to use EMET.

My advice is don't use Internet Explorer unless it's IE 10.

Sep 16, 2012

Another Zero-Day Microsoft Exploit


A Microsoft Internet Explorer 7 and 8 zero-day attack has been found. Discovered by Eric Romang, the exploit has been added to the Metasploit toolkit...

and no, despite the .swf extension the exploit doesn't actually use Ffflash.

Yet another reason to ditch Internet Explorer - for almost any other browser (sigh).

Sep 15, 2012

Microsoft still vulnerable to RTF exploits


Attackers have been targeting vulnerabilities in Microsoft Office and other products using Rich Text Format (RTF) files to carry exploits. These Microsoft security holes have been around for 3 years now, with yet another exploit recently discovered.

First reported in 2009, more information about malicious code inside Microsoft Office documents can be read here.

How might you analyze a suspicious RTF file, perhaps delivered to you or your users as an email attachment? RTFScan, now available as part of Frank Boldewin's OfficeMalScanner toolkit, can examine RTF files and assist in extracting embedded artifacts.
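A first-pass triage of the kind described above, as an added example (this is not RTFScan or OfficeMalScanner code): it lists the object-embedding control words in an RTF file, hex-decodes each \objdata run, and reports the OLE 1.0 class name and whether an OLE2 compound file sits inside. The sample document is constructed inline and is harmless.

```python
import binascii
import re
import struct

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # compound-file signature
OBJ_WORDS = (rb"\object", rb"\objemb", rb"\objocx", rb"\objdata")
_OBJDATA = re.compile(rb"\\objdata\b([^{}\\]*)")  # hex run up to next group/control word


def _ole1_class_name(blob):
    # OLE 1.0 object header: version, format id, then a length-prefixed class name
    if len(blob) < 12:
        return None
    _version, _format_id, name_len = struct.unpack_from("<III", blob, 0)
    if name_len == 0 or 12 + name_len > len(blob):
        return None
    return blob[12:12 + name_len].rstrip(b"\x00").decode("ascii", "replace")


def triage_rtf(data):
    """Return a report of embedded-object indicators found in RTF bytes."""
    report = {
        "is_rtf": data.lstrip().startswith(b"{\\rtf"),
        "control_words": [w.decode() for w in OBJ_WORDS if w in data],
        "objects": [],
    }
    for m in _OBJDATA.finditer(data):
        hex_text = re.sub(rb"\s+", b"", m.group(1))   # hex may be line-wrapped
        hex_text = hex_text[: len(hex_text) // 2 * 2]  # drop a dangling nibble
        try:
            blob = binascii.unhexlify(hex_text)
        except binascii.Error:
            report["objects"].append({"offset": m.start(), "error": "non-hex data"})
            continue
        report["objects"].append({
            "offset": m.start(),
            "size": len(blob),
            "class_name": _ole1_class_name(blob),
            "ole2_at": blob.find(OLE2_MAGIC),  # -1 when no compound file inside
        })
    return report


def constructed_sample():
    # Constructed, harmless sample: an OLE 1.0 header wrapping only the OLE2 signature
    name = b"Word.Document.8\x00"
    ole1 = (struct.pack("<III", 0x501, 2, len(name)) + name
            + struct.pack("<III", 0, 0, 16) + OLE2_MAGIC + b"\x00" * 8)
    hexed = binascii.hexlify(ole1)
    wrapped = b"\r\n".join(hexed[i:i + 64] for i in range(0, len(hexed), 64))
    return (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Word.Document.8}"
            b"{\\*\\objdata " + wrapped + b"}}}")


if __name__ == "__main__":
    print(triage_rtf(constructed_sample()))
```

A hit means the file deserves a closer look with a dedicated tool; a clean report is not a clean bill of health, since hostile files can break up the hex run in ways this simple pattern does not follow.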

Jul 22, 2012

Domain registrations and renewals


You can now register, renew, and transfer domains through me to get the same low prices and the same high level of service and support all my clients receive.

Domain services are available for 40 Top Level Domains. Discounts are available where 5 and 10 year terms are available, ask me about volume discounts.

Choose your own nameservers or ask me about the right nameserver setup for your needs. I can also advise you on various mail and site hosting options and web site design - just ask!

Scott Ferguson