US-CERT Technical Cyber Security Alerts provide timely information about current security issues, vulnerabilities, and exploits.
2013-02-20T14:15:02Z
Mon, 02/25/2013 - 15:09
Original release date: February 20, 2013 | Last revised: --
Systems Affected
Any system using Oracle Java including
JDK and JRE 7 Update 13 and earlier
JDK and JRE 6 Update 39 and earlier
JDK and JRE 5.0 Update 39 and earlier
SDK and JRE 1.4.2_41 and earlier
Web browsers using the Java plug-in are at high risk.
Overview
Multiple vulnerabilities in Java could allow an attacker to execute arbitrary code on a vulnerable system.
Description
The Oracle Java SE Critical Patch Update Advisory Update for February 2013 addresses multiple vulnerabilities in the Java Runtime Environment (JRE). An additional five fixes that had been previously planned for delivery are in this update. This distribution therefore completes the content for all originally planned fixes to be included in the Java SE Critical Patch Update for February 2013.
Both Java applets delivered via web browsers and stand-alone Java applications are affected; however, web browsers using the Java plug-in are at particularly high risk.
The Java plug-in, the Java Deployment Toolkit plug-in, and Java Web Start can be used as attack vectors. An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet. An attacker could also compromise a legitimate website and upload a malicious Java applet (a "drive-by download" attack).
Some vulnerabilities affect stand-alone Java applications, depending on how the Java application functions and how it processes untrusted data.
Reports indicate that at least one of these vulnerabilities is being actively exploited.
Impact
By convincing a user to load a malicious Java applet or Java Network Launching Protocol (JNLP) file, an attacker could execute arbitrary code on a vulnerable system with the privileges of the Java plug-in process.
Stand-alone Java applications may also be affected.
Solution
Update Java
The Oracle Java SE Critical Patch Update Advisory Update for February 2013 states that Java 7 Update 15 and Java 6 Update 41 address these vulnerabilities.
Disable Java in web browsers
These and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates have been installed. As with any software, unnecessary features should be disabled or removed as appropriate for your environment.
Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. From Setting the Security Level of the Java Client:
For installations where the highest level of security is required, it is possible to entirely prevent any Java apps (signed or unsigned) from running in a browser by de-selecting Enable Java content in the browser in the Java Control Panel under the Security tab.
If you are unable to update to at least Java 7 Update 10, please see the solution section of Vulnerability Note VU#636312 for instructions on how to disable Java on a per-browser basis.
Restrict access to Java applets
Network administrators unable to disable Java in web browsers may be able to help mitigate these and other Java vulnerabilities by restricting access to Java applets using a web proxy. Most web proxies have features that can be used to block or whitelist requests for .jar and .class files based on network location. Filtering requests that contain a Java User-Agent header may also be effective. For environments where Java is required on the local intranet, the proxy can be configured to allow access to Java applets hosted locally, but block access to Java applets on the internet.
References
Oracle Java SE Critical Patch Update Advisory Update - February 2013
Setting the Security Level of the Java Client
The Security Manager
How to disable the Java web plug-in in Safari
How to turn off Java applets
NoScript
Securing Your Web Browser
Vulnerability Note VU#636312
Revision History
February 20, 2013: Initial release
This product is provided subject to this Notification and this Privacy & Use policy.
Mon, 02/25/2013 - 15:09
Original release date: February 12, 2013 | Last revised: --
Systems Affected
Microsoft Windows
Microsoft Internet Explorer
Microsoft Office
Microsoft Server Software
Microsoft .NET Framework
Overview
Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.
Description
The Microsoft Security Bulletin Summary for February 2013 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address the vulnerabilities.
Impact
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Solution
Apply Updates
Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for February 2013, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.
References
Microsoft Security Bulletin Summary for February 2013
Microsoft Windows Server Update Services
Microsoft Update
Microsoft Update Overview
Turn Automatic Updating On or Off
Revision History
February 12, 2013: Initial release
Mon, 02/25/2013 - 15:09
Original release date: February 12, 2013 | Last revised: --
Systems Affected
Adobe Flash Player 11.5.502.149 and earlier versions for Windows and Macintosh
Adobe Flash Player 11.2.202.262 and earlier versions for Linux
Adobe Flash Player 11.1.115.37 and earlier versions for Android 4.x
Adobe Flash Player 11.1.111.32 and earlier versions for Android 3.x and 2.x
Adobe AIR 3.5.0.1060 and earlier versions
Adobe AIR 3.5.0.1060 SDK and earlier versions
Adobe Shockwave Player 11.6.8.638 and earlier versions for Windows and Macintosh
Overview
Select Adobe software products contain multiple vulnerabilities. Adobe has released updates to address these vulnerabilities.
Description
Adobe Security Bulletin APSB13-05 and APSB13-06 describe multiple vulnerabilities in Adobe software. Adobe has released updates to address the vulnerabilities.
Impact
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Solution
Apply Updates
Adobe has provided updates for these vulnerabilities in Adobe Security Bulletin APSB13-05 and APSB13-06.
References
APSB13-05: Security updates available for Adobe Flash Player
APSB13-06: Security updates available for Adobe Shockwave Player
Revision History
February 12, 2013: Initial release
Mon, 02/25/2013 - 15:09
Original release date: February 01, 2013 | Last revised: --
Systems Affected
Any system using Oracle Java 7 (1.7, 1.7.0) including
Java Platform Standard Edition 7 (Java SE 7)
Java SE Development Kit (JDK 7)
Java SE Runtime Environment (JRE 7)
All versions of Java 7 before Update 13 are affected. Web browsers using the Java 7 plug-in are at high risk.
Overview
Multiple vulnerabilities in Java 7 could allow an attacker to execute arbitrary code on a vulnerable system.
Description
The Oracle Java SE Critical Patch Update Advisory for February 2013 addresses multiple vulnerabilities in the Java Runtime Environment (JRE). Both Java applets delivered via web browsers and stand-alone Java applications are affected; however, web browsers using the Java 7 plug-in are at particularly high risk. Java 7 versions below Update 13 are affected.
The Java 7 plug-in, the Java Deployment Toolkit plug-in, and Java Web Start can be used as attack vectors. An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet. An attacker could also compromise a legitimate website and upload a malicious Java applet (a "drive-by download" attack).
Some vulnerabilities affect stand-alone Java applications, depending on how the Java application functions and how it processes untrusted data.
Reports indicate that at least one of these vulnerabilities is being actively exploited.
Further technical details are available in Vulnerability Note VU#858729.
Impact
By convincing a user to load a malicious Java applet or Java Network Launching Protocol (JNLP) file, an attacker could execute arbitrary code on a vulnerable system with the privileges of the Java plug-in process.
Stand-alone Java applications may also be affected.
Solution
Update Java
The Oracle Java SE Critical Patch Update Advisory for February 2013 states that Java 7 Update 13 addresses these vulnerabilities.
Disable Java in web browsers
These and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates have been installed. As with any software, unnecessary features should be disabled or removed as appropriate for your environment.
Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. From Setting the Security Level of the Java Client:
For installations where the highest level of security is required, it is possible to entirely prevent any Java apps (signed or unsigned) from running in a browser by de-selecting Enable Java content in the browser in the Java Control Panel under the Security tab.
If you are unable to update to at least Java 7 Update 10, please see the solution section of Vulnerability Note VU#636312 for instructions on how to disable Java on a per-browser basis.
Restrict access to Java applets
Network administrators unable to disable Java in web browsers may be able to help mitigate these and other Java vulnerabilities by restricting access to Java applets using a web proxy. Most web proxies have features that can be used to block or whitelist requests for .jar and .class files based on network location. Filtering requests that contain a Java User-Agent header may also be effective. For environments where Java is required on the local intranet, the proxy can be configured to allow access to Java applets hosted locally, but block access to Java applets on the internet.
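The proxy-based restriction described in this section (and in the identical "Restrict access to Java applets" section of the February 20 alert above) can be expressed as a small policy: requests that look like Java traffic, either by file extension (.jar, .class) or by a Java User-Agent header, are allowed only when the destination is on the local intranet. The following Python is an added example written for this page, not US-CERT's code or any proxy vendor's configuration; the intranet definition (the `.corp.example` suffix and the 10.0.0.0/8 and 192.168.0.0/16 ranges), the log line format and the sample log lines are all constructed for illustration. The `Java/<version>` User-Agent pattern is the form the Java HTTP client and plug-in send.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed intranet definition for this example (not from the advisory):
# hosts under these DNS suffixes or inside these address ranges are "local".
INTRANET_SUFFIXES = (".corp.example",)
INTRANET_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]

# The advisory names .jar and .class as the file types to block or whitelist.
JAVA_EXTENSIONS = (".jar", ".class")
# The Java HTTP client sends "Java/1.7.0_13"; the plug-in embeds the same
# token in a Mozilla-style User-Agent, so match the token anywhere.
JAVA_UA = re.compile(r"\bJava/\d")


def is_intranet(host: str) -> bool:
    """True if host is a local address or name under an intranet suffix."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                       # not an IP literal: a DNS name
        return host.lower().endswith(INTRANET_SUFFIXES)
    return any(addr in net for net in INTRANET_NETWORKS)


def looks_like_java(url: str, user_agent: str) -> bool:
    """Java traffic by path extension (case-insensitive, query ignored) or UA."""
    path = urlsplit(url).path.lower()
    return path.endswith(JAVA_EXTENSIONS) or bool(JAVA_UA.search(user_agent))


def decide(url: str, user_agent: str) -> str:
    """Policy: non-Java traffic is allowed; Java traffic only to the intranet."""
    if not looks_like_java(url, user_agent):
        return "allow"
    host = urlsplit(url).hostname or ""
    return "allow" if is_intranet(host) else "block"


# Constructed log format for this example: client, method, URL, quoted User-Agent.
LOG_LINE = re.compile(r'^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

# Constructed sample lines (none of these are real hosts or sessions).
SAMPLE_LOG = """\
10.1.2.3 GET http://intranet.corp.example/apps/timesheet.jar "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_13"
10.1.2.3 GET http://www.example.net/news/index.html "Mozilla/5.0 (Windows NT 6.1) Firefox/19.0"
10.1.2.3 GET http://203.0.113.5/ads/Loader.class "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_13"
10.1.2.3 GET http://www.example.org/download/update "Java/1.7.0_13"
10.1.2.3 GET http://192.168.50.9/tools/report.JAR?v=2 "Mozilla/5.0 (Windows NT 6.1) Firefox/19.0"
"""


def review_log(lines):
    """Apply the policy to each parsable log line; returns (client, url, decision)."""
    results = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                        # skip lines in an unexpected format
        results.append((m["client"], m["url"], decide(m["url"], m["ua"])))
    return results


if __name__ == "__main__":
    for client, url, verdict in review_log(SAMPLE_LOG.splitlines()):
        print(f"{verdict:5}  {client}  {url}")
```

Of the five constructed lines, the intranet .jar, the ordinary browser page and the intranet .JAR (the extension match is case-insensitive and ignores the query string) are allowed, while the .class file fetched from an internet address and the bare `Java/1.7.0_13` request to an internet host are blocked. Both signals are worth combining: an applet served from a URL without a .jar or .class extension is caught only by the User-Agent rule, and a JVM whose User-Agent has been altered is caught only by the extension rule.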
References
Vulnerability Note VU#858729
Oracle Java SE Critical Patch Update Advisory - February 2013
Setting the Security Level of the Java Client
The Security Manager
How to disable the Java web plug-in in Safari
How to turn off Java applets
NoScript
Securing Your Web Browser
Vulnerability Note VU#636312
Java SE Development Kit 7, Update 13 (JDK 7u13)
Do Devs Care About Java (In)Security? (Comment about proxy filtering)
Revision History
February 01, 2013: Initial release
Mon, 02/25/2013 - 15:09
Original release date: January 15, 2013 | Last revised: --
Systems Affected
Microsoft Internet Explorer 6
Microsoft Internet Explorer 7
Microsoft Internet Explorer 8
Overview
Microsoft has released Security Bulletin MS13-008 to address the CButton use-after-free vulnerability (CVE-2012-4792).
Description
Microsoft Internet Explorer versions 6, 7, and 8 are susceptible to a use-after-free vulnerability. This vulnerability is being actively exploited in the wild. Microsoft has released Security Bulletin MS13-008 to address this vulnerability.
Additional information is available in Vulnerability Note VU#154201.
Impact
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Solution
US-CERT recommends that Internet Explorer users run Windows Update as soon as possible to apply the MS13-008 update.
References
Revision History
January 15, 2013: Initial release
Mon, 02/25/2013 - 15:09
Original release date: January 10, 2013 | Last revised: --
Systems Affected
Any system using Oracle Java 7 (1.7, 1.7.0) including
Java Platform Standard Edition 7 (Java SE 7)
Java SE Development Kit (JDK 7)
Java SE Runtime Environment (JRE 7)
All versions of Java 7 through update 10 are affected. Web browsers using the Java 7 plug-in are at high risk.
Overview
A vulnerability in the way Java 7 restricts the permissions of Java applets could allow an attacker to execute arbitrary commands on a vulnerable system.
Description
A vulnerability in the Java Security Manager allows a Java applet to grant itself permission to execute arbitrary code. An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet. An attacker could also compromise a legitimate website and upload a malicious Java applet (a "drive-by download" attack).
Any web browser using the Java 7 plug-in is affected. The Java Deployment Toolkit plug-in and Java Web Start can also be used as attack vectors.
Reports indicate this vulnerability is being actively exploited, and exploit code is publicly available.
Further technical details are available in Vulnerability Note VU#625617.
Impact
By convincing a user to load a malicious Java applet or Java Network Launching Protocol (JNLP) file, an attacker could execute arbitrary code on a vulnerable system with the privileges of the Java plug-in process.
Solution
Disable Java in web browsers
This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, disable Java in web browsers.
Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. From Setting the Security Level of the Java Client:
For installations where the highest level of security is required, it is possible to entirely prevent any Java apps (signed or unsigned) from running in a browser by de-selecting Enable Java content in the browser in the Java Control Panel under the Security tab.
If you are unable to update to Java 7 Update 10, please see the solution section of Vulnerability Note VU#636312 for instructions on how to disable Java on a per-browser basis.
References
Vulnerability Note VU#625617
Setting the Security Level of the Java Client
The Security Manager
How to disable the Java web plug-in in Safari
How to turn off Java applets
NoScript
Securing Your Web Browser
Vulnerability Note VU#636312
Revision History
January 10, 2013: Initial release
Mon, 02/25/2013 - 15:09
Original release date: January 08, 2013 | Last revised: --
Systems Affected
Microsoft Windows
Microsoft Office
Microsoft Server Software
Microsoft .NET Framework
Microsoft Developer Tools
Overview
Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.
Description
The Microsoft Security Bulletin Summary for January 2013 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address the vulnerabilities.
Impact
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Solution
Apply Updates
Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for January 2013, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.
References
Microsoft Security Bulletin Summary for January 2013
Microsoft Windows Server Update Services
Microsoft Update
Microsoft Update Overview
Turn Automatic Updating On or Off
Revision History
January 08, 2013: Initial release
Mon, 02/25/2013 - 15:09
Original release date: December 11, 2012 | Last revised: --
Systems Affected
Microsoft Windows
Microsoft Office
Microsoft Server Software
Internet Explorer
Overview
Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.
Description
The Microsoft Security Bulletin Summary for December 2012 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address the vulnerabilities.
Impact
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Solution
Apply Updates
Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for December 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.
References
Microsoft Security Bulletin Summary for December 2012
Microsoft Windows Server Update Services
Microsoft Update
Microsoft Update Overview
Turn Automatic Updating On or Off
Revision History
December 11, 2012: Initial release
Mon, 02/25/2013 - 15:09
Original release date: November 13, 2012 | Last revised: --
Systems Affected
Microsoft Windows
Microsoft Office
Microsoft .NET Framework
Internet Explorer
Overview
Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.
Description
The Microsoft Security Bulletin Summary for November 2012 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address the vulnerabilities.
Impact
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Solution
Apply Updates
Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for November 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.
References
Microsoft Security Bulletin Summary for November 2012
Microsoft Windows Server Update Services
Microsoft Update
Microsoft Update Overview
Turn Automatic Updating On or Off
Revision History
November 13, 2012: Initial release
Mon, 02/25/2013 - 15:09
Original release date: October 09, 2012 | Last revised: --
Systems Affected
Microsoft Windows
Microsoft Office
Microsoft Server Software
Microsoft Lync
Microsoft SQL Server
Overview
Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.
Description
The Microsoft Security Bulletin Summary for October 2012 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address the vulnerabilities.
Impact
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Solution
Apply Updates
Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for October 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.
References
Microsoft Security Bulletin Summary for October 2012
Microsoft Windows Server Update Services
Microsoft Update
Microsoft Update Overview
Turn Automatic Updating On or Off
Revision History
October 09, 2012: Initial release
Mon, 02/11/2013 - 14:01
Original release date: September 21, 2012 | Last revised: --
Systems Affected
Microsoft Internet Explorer 6
Microsoft Internet Explorer 7
Microsoft Internet Explorer 8
Microsoft Internet Explorer 9
Overview
Microsoft has released Security Bulletin MS12-063 to address the use-after-free vulnerability that has been actively exploited this past week.
Description
Microsoft Internet Explorer versions 6, 7, 8, and 9 are susceptible to a use-after-free vulnerability. This vulnerability is being actively exploited in the wild. Microsoft has released Security Bulletin MS12-063 to patch this vulnerability and four others.
This vulnerability was previously mentioned in US-CERT Alert TA12-262A. Additional information is available in US-CERT Vulnerability Note VU#480095.
Impact
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Solution
US-CERT recommends that Internet Explorer users run Windows Update as soon as possible to apply the MS12-063 patch.
References
Microsoft Security Bulletin MS12-063
US-CERT Alert: Microsoft Security Advisory for Internet Explorer Exploit
Microsoft Windows Update
US-CERT Vulnerability Note VU#480095
Revision History
September 21, 2012: Initial release
Mon, 02/11/2013 - 14:01
Original release date: September 18, 2012 | Last revised: --
Systems Affected
Microsoft Internet Explorer 7
Microsoft Internet Explorer 8
Microsoft Internet Explorer 9
Overview
An unpatched use-after-free vulnerability in Microsoft Internet Explorer versions 7, 8, and 9 is being exploited in the wild. Microsoft has released Security Advisory 2757760 with mitigation techniques.
Description
Microsoft Internet Explorer versions 7, 8, and 9 are susceptible to a use-after-free vulnerability. This vulnerability is being actively exploited in the wild. At this time, there is no patch available for this vulnerability. End-users can mitigate the vulnerability by using Microsoft's Enhanced Mitigation Experience Toolkit.
Additional mitigation advice is available in the MSRC blog post: "Microsoft Releases Security Advisory 2757760" and US-CERT Vulnerability Note VU#480095.
Impact
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Solution
US-CERT recommends Internet Explorer users read Microsoft Security Advisory 2757760 and apply mitigation techniques such as using the Microsoft Enhanced Mitigation Experience Toolkit.
References
Microsoft Security Advisory (2757760)
MSRC Blog: Microsoft Releases Security Advisory 2757760
Download Microsoft EMET 3.0
US-CERT Vulnerability Note VU#480095
Revision History
September 18, 2012: Initial release
Mon, 02/11/2013 - 14:01
Original release date: September 11, 2012 | Last revised: --
Systems Affected
Microsoft Developer Tools
Microsoft Server Software
Overview
Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.
Description
The Microsoft Security Bulletin Summary for September 2012 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address the vulnerabilities.
Impact
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Solution
Apply updates
Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for September 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.
References
Microsoft Security Bulletin Summary for September 2012
Microsoft Windows Server Update Services
Microsoft Update
Microsoft Update Overview
Turn Automatic Updating On or Off
Revision History
September 11, 2012: Initial release
Mon, 01/28/2013 - 13:10
Original release date: September 07, 2012 | Last revised: --
Systems Affected
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Overview
Microsoft has announced the availability of an update to Windows that restricts the use of certificates with RSA keys that are less than 1024 bits in length. Microsoft is planning to release this update through Microsoft Update in October 2012. System administrators of Microsoft Windows platforms should assess the impact of this update on their environment before any wide-scale deployment.
Description
Microsoft's KB2661254 article states in part:
"The strength of public-key-based cryptographic algorithms is determined by the time that it takes to derive the private key by using brute-force methods. The algorithm is considered to be strong enough when the time that it takes to derive private key is prohibitive enough by using the computing power at disposal. The threat landscape continues to evolve. Therefore, Microsoft is further hardening the criteria for the RSA algorithm with key lengths that are less than 1024 bits long.
After the update is applied, only certificate chains that are built by using the CertGetCertificateChain function are affected. The CryptoAPI builds a certificate trust chain and validates that chain by using time validity, certificate revocation, and certificate policies (such as intended purposes). The update implements an additional check to make sure that no certificate in the chain has an RSA key length of less than 1024 bits."
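The check the KB article describes, rejecting a chain if any certificate in it carries an RSA key shorter than 1024 bits, comes down to measuring the bit length of each RSA modulus. The Python below is an added example for this page, not Microsoft's CryptoAPI code: it encodes and parses the PKCS#1 `RSAPublicKey` structure (`SEQUENCE { modulus INTEGER, publicExponent INTEGER }`) with a minimal DER codec and runs the length rule over a constructed three-certificate chain. The moduli are placeholders of the form `2^(n-1) + 1` chosen only for their bit length, not real RSA keys, and a real certificate carries this structure inside the BIT STRING of its SubjectPublicKeyInfo, which this example does not parse.

```python
# Added example: measuring RSA key length from DER and applying the
# "no certificate in the chain below 1024 bits" rule described above.

MIN_RSA_BITS = 1024  # the threshold introduced by the KB2661254 update


def der_encode_length(n: int) -> bytes:
    """DER length: one byte below 0x80, otherwise 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER; a leading 0x00 keeps a high-bit modulus positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_encode_length(len(body)) + body


def der_sequence(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + der_encode_length(len(body)) + body


def rsa_public_key_der(modulus: int, exponent: int = 65537) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    return der_sequence(der_integer(modulus), der_integer(exponent))


def der_length(data: bytes, i: int):
    """Decode the DER length at data[i]; return (length, index of first content byte)."""
    first = data[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n


def rsa_modulus_bits(der: bytes) -> int:
    """Bit length of the modulus in an RSAPublicKey; the 0x00 sign pad is not counted."""
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, i = der_length(der, 1)
    if der[i] != 0x02:
        raise ValueError("expected INTEGER modulus")
    n, j = der_length(der, i + 1)
    return int.from_bytes(der[j:j + n], "big").bit_length()


def chain_key_length_check(chain):
    """chain: list of (name, rsa_public_key_der). Returns the names that fail the rule.
    An empty result means the chain passes; any entry causes the whole chain to fail."""
    return [name for name, key in chain if rsa_modulus_bits(key) < MIN_RSA_BITS]


# Constructed chain: only the bit lengths matter (2048, 1024 and 512 bits).
SAMPLE_CHAIN = [
    ("root",         rsa_public_key_der((1 << 2047) | 1)),
    ("intermediate", rsa_public_key_der((1 << 1023) | 1)),
    ("leaf",         rsa_public_key_der((1 << 511) | 1)),
]

if __name__ == "__main__":
    for name, key in SAMPLE_CHAIN:
        print(f"{name:13} {rsa_modulus_bits(key)} bits")
    print("rejected:", chain_key_length_check(SAMPLE_CHAIN))
```

Two details matter when auditing a fleet before the update ships: the modulus bit length is computed after stripping the DER sign byte (a 512-bit modulus is encoded in 65 bytes, and counting the pad would overstate it), and the rule is strict, so a 1023-bit key fails while a 1024-bit key passes. The chain fails as a whole if any member fails, which is why a short key on an internal root or intermediate is as disruptive as one on a leaf.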
Impact
The private keys used in certificates with RSA keys that are less than 1024 bits in length can be derived and could allow an attacker to duplicate the certificates and use them fraudulently to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.
Solution
US-CERT recommends that system administrators of Microsoft Windows platforms read Microsoft's KB2661254 article and perform an extensive test of the update before doing any wide-scale deployment in their environment. The update will be sent to Microsoft Update for the October 2012 patch cycle. System administrators can obtain the update now from Microsoft's Download Center.
References
Microsoft Security Advisory: Update for minimum certificate key length
Microsoft Security Advisory (2661254) Update For Minimum Certificate Key Length
Windows PKI Blog: RSA keys under 1024 bits are blocked
Windows PKI Blog: Blocking RSA Keys less than 1024 bits (part 2)
Microsoft Download Center: Search results for KB2661254
Revision History
September 07, 2012: Initial release
Mon, 01/14/2013 - 10:56
Original release date: August 27, 2012 | Last revised: --
Systems Affected
Any system using Oracle Java 7 (1.7, 1.7.0) including:
Java Platform Standard Edition 7 (Java SE 7)
Java SE Development Kit (JDK 7)
Java SE Runtime Environment (JRE 7)
Web browsers using the Java 7 Plug-in are at high risk.
Overview
A vulnerability in the way Java 7 restricts the permissions of Java applets could allow an attacker to execute arbitrary commands on a vulnerable system.
Description
A vulnerability in the Java Security Manager allows a Java applet to grant itself permission to execute arbitrary operating system commands. An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious applet.
Any web browser using the Java 7 Plug-in is affected.
Reports indicate this vulnerability is being actively exploited, and exploit code is publicly available.
Impact
By convincing a user to load a malicious Java applet, an attacker could execute arbitrary operating system commands on a vulnerable system with the privileges of the Java Plug-in process.
Solution
Disable the Java Plug-in
Disabling the Java web browser plug-in will prevent Java applets from running. Here are instructions for several common web browsers:
Apple Safari: How to disable the Java web plug-in in Safari
Mozilla Firefox: How to turn off Java applets
Google Chrome: See the "Disable specific plug-ins" section of the Chrome Plug-ins documentation.
Microsoft Internet Explorer: Change the value of the UseJava2IExplorer registry key to 0. Depending on the versions of Windows and the Java plug-in, the key can be found in these locations:
HKLM\Software\JavaSoft\Java Plug-in\{version}\UseJava2IExplorer
HKLM\Software\Wow6432Node\JavaSoft\Java Plug-in\{version}\UseJava2IExplorer
The Java Control Panel (javacpl.exe) does not reliably configure the Java plug-in for Internet Explorer. Instead of editing the registry, it is possible to run javacpl.exe as Administrator, navigate to the Advanced tab, Default Java for browsers, and use the space bar to de-select the Microsoft Internet Explorer option.
Use NoScript
NoScript is a browser extension for Mozilla Firefox browsers that provides options to block Java applets.
References
Vulnerability Note VU#636312
Zero-Day Season is Not Over Yet
Let's start the week with a new Java 0-day in Metasploit
http://pastie.org/4594319
The Security Manager
Java 7 0-Day vulnerability information and mitigation.
How to disable the Java web plug-in in Safari
How to turn off Java applets
NoScript
Revision History
August 27, 2012: Initial release
Mon, 12/17/2012 - 04:00
Original release date: August 14, 2012 | Last revised: --
Systems Affected
Microsoft Windows
Microsoft Internet Explorer
Microsoft Office
Microsoft Developer Tools
Microsoft Server Software
Microsoft SQL Server
Microsoft Exchange
Overview
Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.
Description
The Microsoft Security Bulletin Summary for August 2012 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address the vulnerabilities.
Impact
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Solution
Apply updates
Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for August 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.
References
Microsoft Security Bulletin Summary for August 2012
Microsoft Windows Server Update Services
Microsoft Update
Microsoft Update Overview
Turn Automatic Updating On or Off
Revision History
August 14, 2012: Initial release
Mon, 12/17/2012 - 04:00
Original release date: July 10, 2012 | Last revised: --
Systems Affected
Microsoft Windows
Microsoft Internet Explorer
Microsoft Office
Microsoft Developer Tools
Microsoft Server Software
Overview
Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.
Description
The Microsoft Security Bulletin Summary for July 2012 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address the vulnerabilities.
Impact
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Solution
Apply updates
Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for July 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.
References
Microsoft Security Bulletin Summary for July 2012
Microsoft Windows Server Update Services
Microsoft Update
Microsoft Update Overview
Turn Automatic Updating On or Off
Revision History
July 10, 2012: Initial release
Sun, 11/18/2012 - 23:10
Original release date: June 22, 2012 | Last revised: --
Systems Affected
Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 are affected. Microsoft Internet Explorer, Microsoft Office 2003, and Microsoft Office 2007 are affected due to their use of XML Core Services.
Overview
Microsoft Security Advisory (2719615) warns of active attacks using a vulnerability in Microsoft XML Core Services. Microsoft Internet Explorer and Microsoft Office can be used as attack vectors.
Description
Microsoft Security Advisory (2719615), a Google Online Security blog post, Sophos, and other sources report active attacks exploiting a vulnerability in Microsoft XML Core Services (CVE-2012-1889). Attack scenarios involve exploits served by compromised web sites and delivered in Office documents. Reliable public exploit code is available, and attacks may become more widespread.
Impact
By convincing a victim to view a specially crafted web page or Office document, an attacker could execute arbitrary code and take any action as the victim.
Solution
As of June 22, 2012, a comprehensive update is not available. Consider the following workarounds.
Apply Fix it
Apply the Fix it solution described in Microsoft Knowledge Base Article 2719615. This solution uses the Application Compatibility Database feature to make runtime modifications to XML Core Services to patch the vulnerability.
Disable scripting
Configure Internet Explorer to disable Active Scripting in the Internet and Local intranet zones as described in Microsoft Security Advisory (2719615). See also Securing Your Web Browser.
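As an added example (not part of the US-CERT alert or Microsoft's advisory), this PowerShell script reports the Active Scripting setting for the Internet and Local intranet zones of the current user and, with -Disable, sets it to Disable. It assumes the standard per-user zone keys, where action value 1400 is Active Scripting with 0 = Enable, 1 = Prompt, 3 = Disable.

```powershell
# Added example, not from the US-CERT alert: audit (and optionally disable)
# Active Scripting in the IE Internet (3) and Local intranet (1) zones.
# Caveat: when zone settings are enforced machine-wide (Security_HKLM_only
# or Group Policy), the HKCU values shown here are ignored by IE.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Disable   # without this switch the script only reports
)

$zoneBase = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$names    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

foreach ($id in ($zones.Keys | Sort-Object)) {
    $path  = Join-Path -Path $zoneBase -ChildPath $id
    $value = (Get-ItemProperty -Path $path -Name '1400' -ErrorAction SilentlyContinue).'1400'
    $label = if ($null -eq $value) {
        'not set (zone default applies)'
    } elseif ($names.ContainsKey([int]$value)) {
        $names[[int]$value]
    } else {
        "unknown ($value)"
    }
    Write-Output ("{0} zone: Active Scripting = {1}" -f $zones[$id], $label)

    if ($Disable -and $value -ne 3) {
        if ($PSCmdlet.ShouldProcess("$path\1400", 'Set Active Scripting to Disable (3)')) {
            Set-ItemProperty -Path $path -Name '1400' -Value 3 -Type DWord
        }
    }
}
```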
Use the Enhanced Mitigation Experience Toolkit (EMET)
EMET is a utility to configure Windows runtime mitigation features such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Structured Exception Handler Overwrite Protection (SEHOP). These features, particularly the combination of system-wide DEP and ASLR, make it more difficult for an attacker to successfully exploit a vulnerability. Configure EMET for Internet Explorer as described in Microsoft Security Advisory (2719615).
References
Microsoft Security Advisory (2719615)
Microsoft Security Advisory: Vulnerability in Microsoft XML Core Services could allow remote code execution
NVD Vulnerability Summary for CVE-2012-1889
Microsoft XML vulnerability under active exploitation
European aeronautical supplier's website infected with "state-sponsored" zero-day exploit
Securing Your Web Browser
Application Compatibility Database
Revision History
June 22, 2012: Initial release