Updates - 10/12/2010: "Patch Tuesday", Opera, Java

The following has been copied/pasted from http://secunia.com/advisories/41740/

Description
Multiple [highly critical] vulnerabilities have been reported in Opera, which can be exploited by malicious people to bypass certain security restrictions or conduct spoofing and cross-site scripting attacks.

1) A combination of cross-domain content inclusion being allowed and the manner in which the CSS parser is fault-tolerant when processing content can be exploited to bypass cross-domain checks and obtain sensitive information from a web page in another domain.

2) An error when altering the size of the browser window may cause the wrong part of the URL of a web page to be displayed.

3) An error in the handling of reloads and redirects combined with caching may result in scripts executing in the wrong security context. This can be exploited to spoof the address bar or conduct cross-site scripting attacks.

Successful exploitation of this vulnerability allows manipulating Opera's configuration with minimal user interaction to execute arbitrary code.

4) In certain cases the origin of video content may not be checked, which may result in videos from unrelated sites being used as HTML5 canvas content without protecting it from scripts. This can be exploited to intercept private video streams.

Successful exploitation of this vulnerability requires that the address is known and that a user is tricked into opening a specially crafted web page.

5) An error when handling invalid URLs may in certain cases be exploited to execute arbitrary script code in the context of another domain if a linked, invalid URL displayed in an error page runs script code.

Successful exploitation of this vulnerability requires that a user interacts with a specially crafted error page.

The vulnerabilities are reported in versions prior to 10.63.

Solution
Update to version 10.63.

the Opera change-log, copied/pasted from http://www.opera.com/docs/changelogs/windows/1063/

User interface

Fixed

• Crash when removing custom settings folders
• Start Bar being blanked out after opening a background tab
• Opera Unite Messenger application not loading
• Crash when saving a file while the page redirects
• Crash after leaving a page containing Flash with wmode="transparent"
• Using Opera Link, bookmarks dragged out of the Opera Mini folder are recreated when sent as added in the Opera Mini folder again
• Opera Link freezing on startup
• Fallback to a second address being very slow
• Reloading pages give multiple unclosable download dialogs

Display and scripting

Improved

• Handling of Content-Disposition extended parameters

Fixed

• Memory corruption when using SVG in an element
• Several JavaScript-related issues, including one with Yahoo! Mail Classic
• A mouse focus problem related to plug-ins
• Incorrect compilation to native code leads to wrong arithmetic results
• Crash when assigning data or src attribute on a focused and highlighted element with dirty layout
• JavaScript alerts opening shortly after a page loads close instantly

Miscellaneous

Improved

• Added search suggestions from Baidu

Fixed

• 100% CPU usage occurring when starting Opera
• Crash when opening a file with Content-Disposition: attachment directly in Opera

Security

Fixes

• Fixed an issue that allowed cross-domain checks to be bypassed, allowing limited data theft using CSS, as reported by Isaac Dawson; see our advisory.
• Fixed an issue where manipulating the window could be used to spoof the page address; see our advisory.
• Fixed an issue with reloads and redirects that could allow spoofing and cross-site scripting; see our advisory.
• Fixed an issue that allowed private video streams to be intercepted, as reported by Nirankush Panchbhai of Microsoft Vulnerability Research; see our advisory.
• Fixed an issue that caused JavaScript to run in the wrong security context after manual interaction; see our advisory.

Windows Malicious Software Removal Tool (MSRT) for October, version 3.12

32-bit version, for Win 7/Vista/Server 2003/ XP  http://www.microsoft.com/downloads/en/details.aspx?FamilyID=ad724ae0-e72d-4f54-9ab3-75b8eb148356

x64-bit version http://www.microsoft.com/downloads/en/details.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

the following updates are rated CRITICAL:

MS10-071 Cumulative Security Update for Internet Explorer (2360131)

MS10-075 Vulnerability in Media Player Network Sharing Service Could Allow Remote Code Execution (2281679)

MS10-076 Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (982132)

MS10-077  Vulnerability in .NET Framework Could Allow Remote Code Execution (2160841)

----------------

The following updates are rated IMPORTANT:

MS10-072 Vulnerabilities in SafeHTML Could Allow Information Disclosure (2412048)

MS10-073 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957)

MS10-078 Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Elevation of Privilege (2279986)

MS10-079 Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2293194)

MS10-080 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2293211)

MS10-081 Vulnerability in Windows Common Control Library Could Allow Remote Code Execution (2296011)

MS10-082 Vulnerability in Windows Media Player Could Allow Remote Code Execution (2378111)

MS10-083 Vulnerability in COM Validation in Windows Shell and WordPad Could Allow Remote Code Execution (2405882)

MS10-085 Vulnerability in SChannel Could Allow Denial of Service (2207566)

--------

the following updates are rated MODERATE:

MS10-074 Vulnerability in Microsoft Foundation Classes Could Allow Remote Code Execution (2387149)

MS10-086 Vulnerability in Windows Shared Cluster Disks Could Allow Tampering (2294255)

As should be apparent, we have a WHOPPER of an update today...

on this first PC i'm updating (XP SP3), it found 15 updates ---- totaling 47.4 MEG (including 5 updates for Office 2003/2007)

EDIT:  on a 2nd PC (also XP SP3), found 10 updates --- 24.2 MEG (without anything for Office).

This month's MSRT (cited above) adds detection/removal of Win32/Zbot ,

Sun Java (JRE) Security Update v1.6.0_22 available

v1.6.0_22 Release Notes: http://www.oracle.com/technetwork/java/javase/6u22releasenotes-176121.html

Full Updating instructions are here: http://aumha.net/viewtopic.php?f=26&t=44617

Note: I do not need or use Sun Java (JRE), nor do I recommend  it for those that don't need it, as it is a frequent target for hackers. Most people have it installed, and if you use it, should keep it up to date.

Some details from Kaspersky Lab Security News Service on the Sun Java (JRE) update:

http://threatpost.com/en_us/blogs/oracle-fixes-29-bugs-huge-java-update-101310

Note: I do not need or use Sun Java (JRE), nor do I recommend  it for those that don't need it, as it is a frequent target for hackers. Most people have it installed, and if you use it, should keep it up to date.

Sound advice, with which the experts certainly agree.  I've also uninstalled Java long ago.

Java: Should it stay or should it go?

Java: A Gift to Exploit Pack Makers

I'm also on record ---- along with Joe & Red Dawn --- as a former Java "user" who has removed it from my systems.   

That's not to say I never found a use for Java... a primary example is the Secunia OSI (ONLINE System Inspector)... which will NOT run without Java.   However, Secunia's PSI (PERSONAL Software Inspector) does everything the Online version does ---- and MORE ---- withOUT using Java.  (The PSI uses Flash, and that's another matter).

As an experiment, I first  disabled  java for a few weeks... and ultimately,  removed  it... after I realized that my routine surfing patterns did NOT access any sites that made any significant use of Java.   I typically visit secure online banking / credit-card / brokerage sites, forums (like DELL, Avast), and yes, Facebook :emotion-4:... ALL of which work just fine withOUT java.   [If memory serves me, I did ultimately stumble upon two sites that in fact used Java... but as these were "one-time" visits, and the information therein wasn't really critical to me, I saw no reason to re-install Java for these "flukes".]   In short, I have no regrets about removing Java... and have in fact "gained", in that (1) my system is no longer subject to java exploits, and (2)  I am no longer "burdened" to keep Java up-to-date every time Oracle/Sun releases a new version.

I cannot assert unequivocally that all java "users" will be as fortunate... perhaps YOUR bank site might in fact invoke java.  Some people may indeed find essential uses for Java.   For example, after following my lead for several months, my wife attempted to do something on Ebay (or maybe it was Half.com ) that wouldn't proceed until she (re-)installed Java... which she easily did at that point.   I'll also mention that certain aspects of OpenOffice ... an OFFLINE program suite (cloning Microsoft Office)... uses Java for SOME of its features (such as its "wizards").   In particular, its (data)BASE module allegedly uses java extensively.   But much of its WRITER and CALC modules can run withOUT java.

So I am glad to see Brian Krebs article (cited by Red Dawn above) suggesting people consider removing java... unless/until they have an actual need for it.

Before concluding, let me emphasize that java is completely separate/different from [the "sound-alike"] javaSCRIPT.    Virtually all websites you visit make use of javaSCRIPT.   Its omnipresence makes its use/functioning essential to do most things on the web.   javaSCRIPT will continue to work, 100%, after java is uninstalled.

-----------------

On the matter of programs people keep around but don't use, let me also mention SHOCKWAVE player.   Aside from some gamers, I don't know that anyone needs it.   I got rid of it months ago.

Note:   Do NOT confuse Shockwave PLAYER with "Shockwave FLASH" --- which is an older name for what's now referred to as Adobe Flash (or even more simply, Flash).   While Flash itself is all-too-often the target of exploits, I find its presence on the web to be so overwhelmingly common that I could not enjoy "the full web experience" without out.   So i *do* keep Flash around... and in use.

Concerning ZBOT, and this month's MSRT:

Since the release of MSRT on Tuesday we have removed Zbot 281,491 times from 274,873 computers and is the #1 family of malware removed (which is not uncommon the month a family is added). Of the 1,344,669 computers cleaned, this is about 1 in 5, a ratio that’s higher than we typically see even when accounting for the normal, first-month spike which results from adding a new family but not exceptionally so. 

To put this in greater perspective the removals of Zbot are almost as many as the removals of the #2 and #3 malware families this month combined (Win32/Vundo and Win32/Bubnix respectively). Approximately 86 million computers have run this version of MSRT as we compile this data so we should expect this number to increase as the month continues.

http://www.facebook.com/notes/microsoft-malware-protection-center/an-early-look-at-the-impact-of-msrt-on-zbot/447838758925