A Little Patch Housekeeping
Security Fix has been a tad sparse on patch updates lately because I've been taking some use-it-or-lose-it vacation time. The time off served as a good reminder of how quickly the programs on your machine can get outdated even in just a few weeks' time.
Last Tuesday, Mozilla released security updates for its Firefox Web browser and Thunderbird e-mail software. The Firefox updates fixed at least three separate "critical" security bugs in the browser, but people using the new 2.0 version of Firefox do not have to worry. Normally, Firefox will alert you when there are updates available; for some reason, my copy of Firefox 1.5.0.7 didn't, but I was able to download the 1.5.0.8 update by clicking on "Help" and then "Check for Updates."
Speaking of browser updates, I'm way late on blogging about an important update for Opera users. In mid-October, the company shipped a patch to fix what appears to be a very serious and easy-to-exploit flaw in the browser that bad guys could use to install software just by getting an Opera user to click on a really long hyperlink. The vulnerability is present in versions 9.0 and 9.01 on Windows and Linux (version 8.x is reportedly not affected). Opera 9.0 users should make sure they're using the latest version, v. 9.0.2.
There is also a new version of AOL's Nullsoft Winamp media player available that fixes what appear to be a pair of pretty serious security holes. The current, patched version is Winamp 5.31.
Finally, my personal favorite software application to write about -- Java -- also received more updates recently. The current version of the J2SE Runtime Environment (something most people probably don't even know is on their machine) is JRE 5.0 Update 9. There do not appear to be any security fixes in Update 9 that weren't also included in Update 8, but for some reason I never covered Update 8 when it was released so I'm mentioning it here. If you are running Update 8 already, I see no reason to go through the whole process again unless you're having problems with the program. Remember, it's important to uninstall any previous versions of Java that remain on your machine after updating.
By Brian Krebs | November 13, 2006; 11:40 AM ET
Posted by: Jim E. | November 13, 2006 2:13 PM
Jim -- You will almost certainly have to visit Microsoft Update to get patches that were released after the computer was imaged and put together. If you're getting the latest version of Office, Microsoft Update should detect and install any missing updates for Office as well.
Posted by: Bk | November 13, 2006 2:45 PM
Q: "...Will it have all of the latest patches already installed? Or will I have to visit various sites on my own to check for updated patches and the like?"
A:
> Who do you "trust"?
> How long did the hardware and software sit "on the shelf" before you received it?
.
Posted by: J. Warren | November 13, 2006 2:47 PM
Thanks for the response, Bk.
Posted by: Jim E. | November 13, 2006 3:52 PM
I hope you'll continue keeping us on top of news about the Opera browser as well as Mozilla. The dreadfully lame Internet Explorer 7 is forcing a lot of us to look at the alternatives.
Posted by: John B. | November 13, 2006 6:44 PM
I hope you'll continue keeping us on top of news about the Opera browser as well as that concerning Mozilla. The dreadfully lame Internet Explorer 7 is forcing a lot of us to look at the alternatives.
Posted by: John B. | November 13, 2006 6:46 PM
I got the JRE1.509.b03 or whatever they call it. For a "security update", it is always disconcerting when they try to foist Google Toolbar and Google Desktop when installing. And thanks for reminding me about the uninstalls. I went back and uninstalled 4 previous versions, I'm guessing 3 would have been exploitable.
Posted by: JavaHater | November 14, 2006 9:53 PM
Sun Java JRE Security Bypass - update available
- http://secunia.com/advisories/22910/
Release Date: 2006-11-15
Critical: Moderately critical
Impact: Security Bypass
Where: From remote
Solution Status: Vendor Patch
Software: Sun Java JDK 1.5.x, Sun Java JRE 1.5.x / 5.x...
...The vulnerability is caused due to an unspecified error in the Java Runtime Environment Swing library and may allow a malicious, untrusted applet to access data in other applets. The vulnerability is reported in JDK and JRE 5.0 Update 7 and earlier.
Note: SDK and JRE 1.4.2_xx and earlier, and 1.3.1_xx and earlier are not affected.
Solution: Update to JDK and JRE 5.0 Update 8 or later.
Original Advisory: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102622-1 ..."
> http://java.sun.com/javase/downloads/index.jsp
.
Posted by: J. Warren | November 15, 2006 10:09 AM
I am going to order a new computer this week from Dell. Will it have all of the latest patches already installed? Or will I have to visit various sites on my own to check for updated patches and the like?
Does Microsoft Office (which I will be getting installed) have the latest patches, or will I have to visit that website, too?