- Internet Explorer Zero Day – There was a nasty zero day vulnerability discovered in Internet Explorer this month. The vulnerability was very similar to countless other zero day vulnerabilities found in Internet Explorer in past months / years but this one seemed to seize the attention of the media, so it got a lot of press. One thing that it did that was good was it reiterated the importance of using an alternate web browser (Google Chrome, Mozila Firefox, even Apple Safari or Opera). Basically, anything but the ‘big blue e’.
- First month with no Windows XP Updates – As many / most of you know, 8 April was the last update for Microsoft Windows XP and a number of other Microsoft products. This does not mean that Windows XP (or the other discontinued products) will just magically stop working but it does mean that the discontinued products are at a significantly higher risk of being infected with viruses and the like.
- CryptoLocker still making the rounds – For those that are not aware, the CryptoLocker virus encrypts all of your files and, once the encryption is complete, displays a message that you have to pay a ransom (typically between $400 and $4,000) to get your data back. The files are encrypted with very strong encryption so, without a backup, paying the ransom or losing the data are the only two options available.
Microsoft – According to the Advanced Notification of May 2014, there are a total of 9 bulletins with 3 listed as critical and the remaining 6 listed as important. All 3 of the critical bulletins address vulnerabilities that can allow remote code execution (someone can install software onto your computer without your permission or knowledge). The important bulletins range from remote code execution to privilege escalation (allowing a user or process / program to run with administrative privileges without the administrative password) and security feature bypass (bypassing specific security features). Most of the updates require a reboot and, at least with the critical vulnerabilities, should be installed as soon as testing permits.
Microsoft releases regular updates the second Tuesday of each month, often referred to as ‘Patch Tuesday’. These updates are catagorized as Low, Moderate, Important or Critical. Details on the categories are available here. The updates can include any supported Microsoft product from Windows to Office to Internet Explorer and server products like Exchange and SQL Server. If you have one or more of these products installed, especially if the update is listed as Important or Critial, it’s important that the updates are installed.
Adobe – Adobe has released critical updates for muliple products this month. One thing to take away from this, especially in light of all of the recent “I’m going to get a Mac since Windows XP is going away, plus Macs don’t get viruses” chatter that we’re hearing lately. It’s important to note that several of the critical vulnerabilities address problems with software that affect only or affect also the Mac platform. All users are encouraged to review the udpates and apply them as soon as testing permits. All MyIT clients already have these updates installed.
Like Microsoft, Adobe now releases updates to their products on the second Tuesday of each month. Adobe will also release ‘out of band’ updates if necessary to address critical vulnerabilities in their products. Adobe products include Adobe Reader (for viewing PDF files), Adobe Flash Player (often used to watch videos, for interactive content like games, etc.), Adobe Shockwave and the Adobe Creative Suite (Photoshop, Illustrator, Acrobat, Lightroom, etc.).
Java – Java has been relatively quiet for a long time but has released Java 7 update 55 this month. Java 8 is still out and available but isn’t recommended for mainstream use yet.
Java is a tool that’s widely used by banks, online service providers and even security companies for SSL VPN connections. Java’s ‘official’ release cycle is approximately quarterly but Java updates have been ‘fast and furious’ in recent months. It’s worth noting again that, if you don’t absolutely need Java on your computer, it’s not a bad idea to remove it altogether.