Wednesday, January 15, 2014

Lots of security patches for you

Yesterday saw a bumper crop of security patches from Microsoft, Adobe, and Oracle (Java). Since most of y'all use these, you'll want to top up your security. Remember, it's like changing the oil in your car - you can put it off, but if you put it off too long then bad things happen to you.

Windows is easiest.  Take Internet Explorer (you need it for this but shouldn't use it for anything else) to  Simples.  It's a once a month security oil change.

Adobe has important updates to Flash, which drives most video and a ton of ads.  The biggest risk you'll face is malware coming via ads, so go get the update.  Be careful with the update - Adobe packages a bunch of stuff with the patch (like McAfee's horrible Security Scan - not recommended), so pay attention and uncheck the bloatware options.  You'll probably have to install twice - once for the OS and once for your browser.

Adobe also has an update for Reader (the thing you use to read PDF files) that you want to get.  Malware has been embedded in PDFs for several years, so this is a credible threat vector.  Unfortunately, there's no good way to hotlink directly to the update, so go here and search for Reader.

Java has been a sucking chest wound of security fail for a while, and this month is no exception - there are 36 security updates (!). If you haven't disabled Java in your browser (recommended) then you'll need the update because the Bad Guys are actively exploiting this. The easiest way to get the update is via the Java Console - just remember that this will also automatically include crapware (the Ask Toolbar), so make sure you uncheck the crapware boxes.

I will leave for another day the rant about using critical security updates to fob off bloatware on an unsuspecting public ...


Comrade Misfit said...

Roger that, but do I need to install the Windows Net framework thing? The description says that it's useful for writing apps for the Windows Store (which I have no intention of ever doing).

Rev. Paul said...

As always, we appreciate the time you spend keeping us up to date. Thank you!

Borepatch said...

Rev Paul, no need to thank me. It's all part of being a full service security blog.

Comrade Misfit, no, you almost certainly do not need the .NET framework.

Old NFO said...

Thanks, looks like a busy night tonight... sigh

newrebeluniv said...

I was helping my mom with tech support one time. She was wondering why her browser windows were so small. She had 10 toolbars installed. Not much room left to actually see a website.

She didn't know she could say no.


Jim Bravo said...

Thanks for the update.

Jake (formerly Riposte3) said...

I just did the Java updates on the office computers (being the "in-house" IT geek is interesting, but I do sometimes wonder what we're paying the actual IT guy for. I should not have to be the one installing security updates).

@ Borepatch: On a slightly related note, and hitting on your theme of "they didn't even consider security" with these things, have you seen this yet?

Security researchers at Proofpoint have uncovered the very first wide-scale hack that involved television sets and at least one refrigerator.

Yes, a fridge.

This is being hailed as the first home appliance "botnet" and the first cyberattack from the Internet of Things.


In this case, hackers broke into more than 100,000 everyday consumer gadgets, such as home-networking routers, connected multi-media centers, televisions, and at least one refrigerator, Proofpoint says. They then used those objects to send more than 750,000 malicious emails to enterprises and individuals worldwide.

Borepatch said...

Jake, I can't say that I'm surprised. Who would think to change the password of their refrigerator?