Oracle rushes out patch for critical 0-day Java exploit

The Register: In an uncommon break with its thrice-annual security update schedule, Oracle has released a patch for three Java 7 security flaws that have recently been targeted by web-based exploits.

“Due to the high severity of these vulnerabilities, Oracle recommends that customers apply this Security Alert as soon as possible,” Eric Maurice, the company’s director of software security assurance, said in a blog post published on Thursday.

Maurice said that the vulnerabilities patched only affect Java running in browsers, and not standalone desktop Java applications or Java running on servers. According to Oracle’s official advisory on the flaws:

These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user’s system.

That certainly matches the description of the vulnerabilities first spotted on a rogue website by security firm FireEye on Sunday. Exploits for the flaws have since been incorporated into the notorious Blackhole malware toolkit and the Metasploit penetration testing tool.

On Wednesday, Adam Gowdiak of Polish startup Security Explorations revealed that his company had disclosed details of the vulnerabilities in question – along with 29 others – to Oracle in April of this year, but that the database giant still had not fixed the flaws as of its June Critical Patch Update (CPU).

Oracle told Security Explorations that it had developed fixes for most of the other vulnerabilities the firm had submitted and that they would be ready for the next Java CPU. Unfortunately, however, that patch kit wasn’t scheduled to be released until October 16.

Now, in an apparent capitulation to growing public concern over the exploits, Oracle has issued a rare out-of-band update for Java 7 that it says should ameliorate the threat.

According to Maurice, Java users who run Windows can use the Java Automatic Update feature to get the latest, patched version, which is officially dubbed Java SE 7 Update 7. Users on other platforms can visit the official Java website to download and install it.

Download Firefox 15 and Thunderbird 15!

Cross-copied from BetaNews:


Mozilla has quietly placed major new versions of its open-source, cross-platform web browser and email client onto its download servers ahead of an official release.

Firefox 15 FINAL benefits largely from behind-the-scenes performance tweaks, while Thunderbird 15 FINAL introduces a few new features, including a new curvy user interface.

Firefox 15 FINAL’s most notable changes are performance-based. There’s faster startup on Windows PCs, plus incremental garbage collection and better management of plugins to prevent memory leaks. Other performance improvements surround WebGL enhancements.

Version 15 also introduces a new Maintenance Service for Windows users that’s installed by default, and which ensures all future Firefox updates are delivered promptly. This feature can be toggled on and off via the Options dialog — select Advanced and switch to the Updates tab.

Developers get a new JavaScript debugger and new Responsive Design View option that allows them to toggle between mobile and desktop views of websites. An additional layout view providing details about the size and shape of an element is now accessible from the Inspector; click the Style button to see the dimensions of the currently selected element, then click the up arrow to reveal more details.

One feature that didn’t make it through to the final release is the inline PDF browser — although present in Firefox 15 Beta, it appears its appearance has slipped back to version 16. Neither can we confirm the existence of Mac accessibility improvements — one thing is certain, however, VoiceOver support is not yet available outside of the Nightly builds.

Those users willing to delve into the about:config portion of Firefox will find they can now toggle between showing Firefox’s options in a separate dialog box (the default) and in its own tab in the main Firefox window. Search for browser.preferences.inContent and double-click it to set it to true to enable the feature.

Similarly, the option for setting plugin content on websites to “click to play” still hasn’t been implemented by default; instead users should search for plugins.click_to_play and double-click it to switch it on.

Thunderbird Updates

Thunderbird 15 FINAL meanwhile has three major changes of note. The most obvious is the implementation of a new user interface called Australis. This introduces itself immediately with the rounded tabs at the top of the screen, but extends to redesigned lines, a repositioned toolbar and categorized filters.

The unified global search now covers the chat module, which supports Facebook, Twitter and Google Talk among others, while the “Do not track” option introduced in Firefox has been added to Thunderbird too. This option, accessible from the Web Content tab in the Security section of Thunderbird’s Options screen, is of less relevance to email users, but may stop some emails from tracking the user if the senders have signed up for the voluntary code of practice.

From November 12, Thunderbird’s code base will be split into two separate editions: Thunderbird and Thunderbird ESR. See here for details.

Both Firefox 15 FINAL and Thunderbird 15 FINAL are free, open-source downloads for Windows, Mac and Linux.

Java zero day vulnerability actively used in targeted attacks

ZDNet: Security researchers from FireEye, AlienVault, and DeependResearch have intercepted targeted malware attacks utilizing the latest Java zero day exploit. The vulnerability affects Java 7 (1.7) Update 0 to 6. It does not affect Java 6 and below.

Based on related reports, researchers were able to reproduce the exploit on Windows 7 SP1 with Java 7 Update 6. There’s also a Metasploit module available.

Upon successful exploitation, the campaign drops a payload with MD5 4a55bf1448262bf71707eef7fc168f7d, detected by 28 out of 42 antivirus scanners as Gen:Trojan.Heur.FU.bqW@a4uT4@bb and Backdoor:Win32/Poison.E.

Users are advised to consider browsing the Web and interacting with emails in an isolated environment, or to block Java in their Web browsers until Oracle ships a patch for the security flaw.

Although what we’ve got here is a clear indication of an ongoing malicious attack utilizing a zero day flaw, on the majority of occasions cybercriminals wouldn’t necessarily rely on a zero day flaw in order to infect as many users as possible. Instead, they would stick to using outdated and already patched vulnerabilities, given that end and corporate users aren’t patching their third-party software and browser plugins.

Dropbox tests two-factor authentication

h-online: Cloud backup provider Dropbox says it has begun a public test of two-factor authentication for its service. Dropbox had announced it would start offering the security measure after the service experienced a data leak at the beginning of the month.

Users who activate two factor authentication will have to enter a security code after logging in with their username and password. The security code can only be used once and is sent to the user’s mobile phone in a text message. To generate security codes, users can also use a variety of smartphone applications such as Google Authenticator. Details of the process are given on the two-step verification help page.

Two-factor authentication protects a user’s account even when an attacker gains access to the account password. The second factor, in this case the user’s mobile phone which receives or generates the security code, is needed to take over the account. When activating two-factor authentication on Dropbox, the user also receives a 16-character emergency code that can be used if the user loses their mobile phone or runs into problems with the code generator. The emergency code should be kept in a safe place, out of the reach of hackers. It would be prudent not to store it in the same place as the Dropbox account password. Web sites that have been using two-factor authentication for a while include Google and Facebook.

Users who want to take part in the test of two-factor authentication have to explicitly activate the security feature for their Dropbox account and install the experimental version 1.5.12 of the Dropbox client. The current versions of the Dropbox smartphone applications for Android and iOS are already usable with the experimental feature.

http://h-online.com/-1676276

Tarja Turunen Performed “Act 1” Live in Rosario

Act 1 is the first Live concert released by Tarja. It was released on CD, DVD and Blu-ray on the 24th of August, 2012.

“Act 1” is the first live album from the Finnish former Nightwish soprano, Tarja Turunen. The two concerts were recorded and filmed with 10 HD cameras at the El Círculo Theatre in Rosario, Argentina, in March 2012. The track listing consists of a mix of her three solo albums, Nightwish’s classic Nemo and covers of Andrew Lloyd Webber, Gary Moore and Whitesnake plus a variety of extras.

Watch the full concert here:

http://www.youtube.com/watch?v=6ylUmIitDC8

On the 10th of July Earmusic released the very first Official Teaser for “Act 1”.


Double DVD track listing

DVD1
No. Title Length
1. “If You Believe (Intro)” 4:00
2. “Anteroom Of Death” 4:20
3. “My Little Phoenix” 5:20
4. “Dark Star” 5:15
5. “Naiad” 7:22
6. “Falling Awake” 5:18
7. “I Walk Alone” 5:45
8. “Orpheus Hallucination / Orpheus In The Underworld” 6:35
9. “Little Lies (Band Instrumental)” 2:17
10. “Little Lies” 5:48
11. “Into The Sun” 4:38
12. “Nemo (Nightwish)” 6:05
13. “Acoustic Set: Rivers Of Lust / Minor Heaven / Montañas De Silencio / Sing For Me / I Feel Immortal” 10:40
14. “Never Enough” 5:05
15. “In For A Kill” 6:10
16. “Toccata And Fugue D-minor (BWV 565) (Johann Sebastian Bach) / The Phantom of the Opera (Andrew Lloyd Webber)” 7:05
17. “Die Alive” 5:00
18. “Until My Last Breath” 8:40
19. “Over The Hills And Far Away (Gary Moore)” 12:01
DVD2
No. Title Length
1. “Boy And The Ghost” 4:30
2. “Lost Northern Star” 5:15
3. “Ciarán’s Well” 3:45
4. “Tired of Being Alone” 6:40
5. “Where Were You Last Night / Heaven Is A Place On Earth / Livin’ On A Prayer (Medley)” 4:10
6. “Underneath” 6:05
7. “The Reign” 5:05
8. “Oasis / The Archive Of Lost Dream” 5:45
9. “Still Of The Night (Whitesnake)” 7:00
10. “Crimson Deep” 7:43

+ Bonus:

  • Interviews with Tarja & the band members
  • Videoclip: Into The Sun
  • Photogallery 1: Through the eyes of the fans
  • Photogallery 2: From our vaults: A fly on the wall

Double CD track listing

CD1
No. Title Length
1. “Anteroom Of Death” 4:20
2. “My Little Phoenix” 4:42
3. “Dark Star” 4:44
4. “Naiad” 7:34
5. “Falling Awake” 5:15
6. “I Walk Alone” 4:27
7. “Little Lies” 4:23
8. “Into The Sun” 4:31
9. “Nemo (Nightwish)” 5:03
10. “Never Enough” 4:55
11. “Still of the Night (Whitesnake)” 6:41
12. “In For A Kill” 5:07
CD2
No. Title Length
1. “Boy And The Ghost” 4:29
2. “Lost Northern Star” 4:38
3. “Ciarán’s Well” 3:40
4. “Tired Of Being Alone” 5:56
5. “Where Were You Last Night / Heaven Is a Place on Earth / Livin’ On A Prayer (Medley)” 4:05
6. “Underneath” 5:40
7. “Oasis / The Archive Of Lost Dream” 4:17
8. “Crimson Deep” 7:35
9. “The Phantom of the Opera (Andrew Lloyd Webber)” 6:48
10. “Die Alive” 4:11
11. “Until My Last Breath” 4:40
12. “Over The Hills And Far Away (Gary Moore)”

For the first time in 25 years, Microsoft is changing its logo

In advance of one of the most significant waves of product launches in Microsoft’s history, today they are unveiling a new logo for the company.


Microsoft TechNet wrote:

It’s been 25 years since we’ve updated the Microsoft logo and now is the perfect time for a change. This is an incredibly exciting year for Microsoft as we prepare to release new versions of nearly all of our products. From Windows 8 to Windows Phone 8 to Xbox services to the next version of Office, you will see a common look and feel across these products providing a familiar and seamless experience on PCs, phones, tablets and TVs. This wave of new releases is not only a reimagining of our most popular products, but also represents a new era for Microsoft, so our logo should evolve to visually accentuate this new beginning.

The Microsoft brand is about much more than logos or product names. We are lucky to play a role in the lives of more than a billion people every day. The ways people experience our products are our most important “brand impressions”. That’s why the new Microsoft logo takes its inspiration from our product design principles while drawing upon the heritage of our brand values, fonts and colors.

Microsoft unveils a new look

The logo has two components: the logotype and the symbol. For the logotype, we are using the Segoe font which is the same font we use in our products as well as our marketing communications. The symbol is important in a world of digital motion (as demonstrated in the video above.) The symbol’s squares of color are intended to express the company’s diverse portfolio of products.


Starting today, you’ll see the new Microsoft logo being used prominently. It will be used on Microsoft.com – the 10th most visited website in the world. It is in three of our Microsoft retail stores today (Boston, Seattle’s University Village and Bellevue, Wash.) and will shine brightly in all our stores over the next few months. It will sign off all of our television ads globally. And it will support our products across various forms of marketing. Fully implementing a change like this takes time, so there may be other instances where you will see the old logo being used for some time.

We’re excited about the new logo, but more importantly about this new era in which we’re reimagining how our products can help people and businesses throughout the world realize their full potential.

Crisis malware infects VMware virtual machines

v3.co.uk: The Windows version of the Crisis Trojan is far more dangerous than first thought, being capable of infecting VMware virtual machine images, Windows Mobile devices and removable USB drives, research has revealed.

Crisis was originally uncovered in July targeting businesses with social engineering attacks that trick users into running a malicious Java applet.

Symantec has since revealed that the malware has more advanced capabilities, letting it search for and copy itself onto VMware virtual machine images on compromised computers.

Once on the images the malware can reportedly steal and intercept data from virtual machines including financial information.

“We’ve discovered it getting onto VM systems not via exploits but by copying itself into the VM code,” Symantec senior security response manager Peter Coogan told V3.

“We haven’t seen this before […] they’re increasing the amount of information the spyware can gather.”

As well as its VMware capabilities, Symantec also reported discovering the malware installing rogue modules on Windows Mobile devices connected to compromised systems, though the purpose of the modules remains unknown.

Coogan went on to clarify that Crisis “is incredibly complex and likely created by an advanced group”, warning that its full capabilities remain unknown.

Despite its sophisticated nature, Crisis is believed to have infected a select number of systems. Kaspersky Lab has reported discovering the malware on 21 systems located in Italy, Mexico, Iran, Turkey, Iraq, Oman, Brazil, Kazakhstan, Kyrgyzstan and Tajikistan, said Sergey Golovanov, Kaspersky Lab malware expert.

Adobe Flash Player update patches six critical holes

h-Online: Adobe has released the second update for its Flash Player software in a week, this time for six critical vulnerabilities. Four of the issues addressed are problems with memory corruption that could lead to remote code execution; additionally, the update fixes an integer overflow vulnerability that could also lead to remote code execution. Another bug that was fixed is a cross-domain information leak. The problems exist in Flash Player 11.3.300.271 and earlier versions on Windows, Macintosh and Linux, and in the Android versions 11.1.115.11 (Android 4.0) and 11.1.111.10 (Android 3.x and 2.x) and earlier.

All six vulnerabilities were rated critical by Adobe. The company’s security bulletin does not contain any detailed information about the flaws. Users are advised to update their version of Flash as soon as possible.

Adobe has released Flash Player 11.4.402.265 for Windows and Mac OS X, version 11.2.202.238 for Linux and Flash Player 11.1.115.17 and 11.1.111.16 for Android. The Android updates are only available to devices that had Flash Player installed before 15 August when Adobe stopped making Flash for Android available. As Adobe’s AIR is based on Flash, it has also been updated to version 3.4.0.2540.

Windows, Mac OS X and Linux users can get the update appropriate for their system from the Flash Player Download Center or for a different system through another page on Adobe’s web site. The users of Google’s Chrome browser will be automatically updated to the latest version of the Flash Player component, which is included in version 21.0.1180.81 of Chrome for Linux, 21.0.1180.83 for Windows and 21.0.1180.82 for Mac OS X.

The latest Flash update comes a week after Adobe had fixed several other vulnerabilities in its Flash Player and Adobe Reader software. Several vulnerabilities in Adobe Reader remain unpatched.

http://h-online.com/-1672359

Firefox 17 to make add-ons more secure

h-Online: As suggested by some of its developers back in 2010, the Firefox browser will introduce enhanced separation between add-ons and the rest of the browser. With the change, which is planned to take effect with the release of Firefox 17, scripts on web pages will only be able to access the data belonging to add-ons if they are included in a whitelist.

The beta version of Firefox 15 already logs warning messages in the browser’s Error Console when a page that is not on the whitelist tries to access data from add-ons. This behavior has been included to make add-on developers aware of the new policy and to give them time to fix their add-on’s behavior before the release of Firefox 17.

In the current versions of Firefox, entire add-on objects can be shared by adding them to contentWindow.wrappedJSObject, which allows scripts on web sites to access all data belonging to these objects through the window.sharedObject variable. With Firefox 17, add-on developers are required to explicitly mark attributes with the __exposedProps__ property, which acts as a whitelist for objects that Firefox will share. Possible values for this property allow read-only access, write-only access, and read and write access.

Web site code will not have to be modified. The change also does not affect add-ons that are passing numbers, booleans or strings from the add-on to the web page; only actual add-on objects are affected.
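As an added illustration (not code from the h-Online article or from Mozilla), the Node.js snippet below models the two sharing styles described above: the old pattern that hands the whole add-on object to page scripts, and the Firefox 17 __exposedProps__ whitelist with its "r" (read-only), "w" (write-only) and "rw" modes. The Proxy is only a stand-in for the browser's own security wrappers, which do the real enforcement, and the add-on object with its token is constructed for the demo.

```javascript
// Added example: models Firefox 17's __exposedProps__ whitelist in Node.js.
// The Proxy stands in for Firefox's own security wrappers, which do the real
// enforcement; the add-on object below is constructed for the demo.

// A hypothetical add-on object: one secret, one write-only slot, one callable.
function makeAddonObject() {
  return {
    apiToken: "constructed-secret-token",  // privileged, deliberately not whitelisted
    lastPageMessage: null,                 // page may write here but not read it
    notify(message) { return "addon got: " + message; },
    // Whitelist: "r" = read-only, "w" = write-only, "rw" = read and write
    __exposedProps__: { notify: "r", lastPageMessage: "w" },
  };
}

// Pre-Firefox 17 pattern: the whole object is placed on
// contentWindow.wrappedJSObject, so page scripts see every property.
function makeUnsafeShared(addonObject) {
  return addonObject;
}

// Firefox 17 policy: page scripts only see whitelisted properties, and only
// in the declared mode. Unlisted reads yield undefined; forbidden writes throw.
function makeExposedView(addonObject) {
  const allowed = addonObject.__exposedProps__ || {};
  const mode = (prop) => (typeof allowed[prop] === "string" ? allowed[prop] : "");
  return new Proxy({}, {
    has(_, prop) { return mode(prop) !== ""; },
    get(_, prop) {
      if (!mode(prop).includes("r")) return undefined;
      const value = addonObject[prop];
      return typeof value === "function" ? value.bind(addonObject) : value;
    },
    set(_, prop, value) {
      if (!mode(prop).includes("w")) {
        throw new TypeError("property " + String(prop) + " is not writable from content");
      }
      addonObject[prop] = value;
      return true;
    },
  });
}

// Exercise both sharing styles and report what a page script could do.
function demo() {
  const unsafe = makeUnsafeShared(makeAddonObject());
  const addon = makeAddonObject();
  const exposed = makeExposedView(addon);
  let overwriteBlocked = false;
  try { exposed.notify = () => "hijacked"; } catch (e) { overwriteBlocked = e instanceof TypeError; }
  exposed.lastPageMessage = "hello from the page";
  return {
    unsafeTokenLeaked: unsafe.apiToken === "constructed-secret-token",
    tokenHidden: exposed.apiToken === undefined && !("apiToken" in exposed),
    notifyCallable: exposed.notify("hi") === "addon got: hi",
    writeOnlyStored: addon.lastPageMessage === "hello from the page",
    writeOnlyNotReadable: exposed.lastPageMessage === undefined,
    overwriteBlocked: overwriteBlocked && addon.notify("x") === "addon got: x",
  };
}
```

Every flag returned by demo() is true: the unsafe pattern leaks the token, while the whitelisted view hides it, keeps the write-only slot unreadable and refuses to let the page replace the add-on's function.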

Mozilla recommends that add-on developers thoroughly test their code in the Firefox 15 beta, keeping an eye out for errors in the Error Console. Afterwards, they should test with a nightly release version of Firefox 17 and see whether their add-ons break. Add-ons developed with Firefox’s Add-on SDK should be automatically compatible after updating to the latest release of the SDK, but Mozilla recommends that developers test them after updating nonetheless.

http://h-online.com/-1672626