Got Java?
There's a new version of Java available (JRE 6 Update 4) that includes a fix for a security vulnerability.
Here's the Secunia Advisory, and here's the Advisory from Sun.
If you have Java running on your system you can go into your Control Panel and double-click on the Java entry. Then open up the Updates [tab] and check for updates to the new version. Of course if you have it set to check for updates automatically, depending on when/how often it's set to check, it may have already downloaded the update. If not, just tell it to check, and it should download the update. If you just want to go to the Sun web site and download it from there, here's that link.
There's another Advisory over at Secunia about the Yahoo! Music Jukebox labeled "Extremely Critical". If you use it, be sure to check out that Advisory. There's no patch available yet, and most people won't know how to configure the 'workaround' (setting the 'Kill-Bit'), so for those folks I'd suggest staying away from the Yahoo! Music Jukebox until Yahoo fixes it. That also means staying away from the web sites that use or could run the Jukebox.
If you go to the Yahoo Music Jukebox web site, there's no information anywhere (that I could find) referring to the security issue. If you use the Firefox browser instead of Internet Explorer you *might* be unaffected by this, but because I don't know for sure if Firefox's equivalent of ActiveX (XPCOM) could also be affected similarly, I'd stay away for now.
I wish Yahoo! (and all similar sites) would provide their own 'Advisories' for their customers! When users of their software are affected by security vulnerabilities, those users should be provided with timely advise and information on how to avoid being affected. To not provide that is irresponsible.
I wish someone would develop a utility with a simple to use interface that everyday users could use to 'set the kill bit' on their PCs (and then reverse it when the software update becomes available). People don't want to be messing around in their computer's registry if they don't know exactly what they're doing, and there are enough of these ActiveX vulnerabilities that require this temporary 'workaround' so that it would be a valuable tool to have! This would be an excellent addition to the free utility SpywareBlaster from Javacool Software.
SpywareBlaster already uses this method to protect Internet Explorer from certain threats. It would be a useful feature to have if they could adapt it so that a user could just input a CLSID/GUID and have it change the registry settings for them.
I also want to remind users (again) of older versions of Microsoft Excel, that the vulnerabilities 'are currently being exploited'. This is another Secunia vulnerability labeled "Extremely Critical".
Here is the list of affected versions:
The vulnerability is reported in the following versions:
* Microsoft Office Excel 2003 Service Pack 2
* Microsoft Office Excel Viewer 2003
* Microsoft Office Excel 2002
* Microsoft Office Excel 2000
* Microsoft Excel 2004 for Mac.
****************************************************
That's all for now, but stay tuned for a DOJ/FBI alert about fraudulent emails that look like they come from the DOJ, IRS, Social Security Administration, or the Better Business Bureau.
