Bug is a dirty word in the software world. After all, it means "mistake" and no one wants to admit they made a mistake. Instead of calling the fix for a mistake by its rightful name, a bug fix, software companies refer to "patches" or "updates". Soft words. Happy words.
The bug itself is called a "hole" or a "vulnerability". Initially, bugs were called "issues" but eventually people caught on. Did you happen to notice that Mitt Romney recently "suspended" his campaign (a soft word), as if he was taking the weekend off, rather than actually stopping (a harsh word).
But getting back to software, below I go over a slew of important bug fixes released in the last few days. I also describe the latest updates to Java and the Flash player even though they weren't released this week. As more and more Windows users get their Windows fixes automatically, the bad guys are naturally going to attack other software on your computer. Thus, it's important to install the fixes described below. This is a Defensive Computing blog after all.
Recent Bug Fixes
Firefox released version 2.0.0.12 on February 7th to fix ten bugs, three of which are considered critical. Firefox runs on Windows, Macs, Linux and more. Mozilla, the company behind Firefox, doesn't say if any of the bugs are specific to an operating system, so all Firefox users should upgrade.
The usual Help -> About displays the currently installed version. You can force Firefox to check for updates with Help -> Check for Updates.
Firefox normally checks for updates often enough that you don't need to be concerned. From what I've seen, looking at website usage statistics, the vast majority of Firefox users are using the latest version. That means most Firefox users have it configured to automatically check for updates. To see how your copy of Firefox is configured, do Tools -> Options -> Advanced -> Updates tab. When updates are found, Firefox can either apply them automatically or to ask you before applying them. All in all, the self-updating of Firefox works great.
The Adobe Acrobat Reader was updated on February 6th to fix security problems on Windows and Macs. Interestingly, Adobe says they support Mac OS X Leopard up through version 10.5.1. That was as of February 7th, but Apple updated Leopard to version 10.5.2 just four days later (see below for more on updates to OS X). Adobe hasn't yet said if this latest update to the Reader works on the latest version of Leopard.
The latest and greatest Acrobat Reader is version 8.1.2. If you are running version 7, the latest edition, 7.0.9, has known bugs but Adobe has not yet issued fixes for. They intend to. According to Adobe Reader 8.1.2 Release Notes the latest version of the Adobe Reader is available on Windows 2000, XP, Vista, 2003 Server, as well as Macs, Linux and Solaris.
In both versions 7 and 8, the usual Help -> About displays the current version and you can check for updates with Help -> Check for updates. Most likely you will find available updates. Version 7 dealt with this well, displaying the all the available updates and letting you pick and chose those to install. Version 8 has, by default, done away with displaying information about each available update. I mention this because there are updates that version 8 users may not want or need.
If you are using version 8, then after checking for updates, click on the "Show details" link before downloading anything. You may also want to click on the "preferences" link to configure self-updates. In terms of security, you don't need the update that installs dictionaries for spell checking for multiple languages. You also don't need the Photoshop Album Starter Edition.
Depending on how your copy of the Adobe Reader is configured, it may notify you of the need to update itself as soon as the program starts up.
According to Adobe, bug fixes are also needed if you are running "Adobe Acrobat Professional, 3D and Standard 8.1.1 and earlier versions". For more see Security update available for Adobe Reader and Acrobat 8 and the Secunia advisory.
Apple's QuickTime was updated on February 6th to fix a security problem. The latest version is 7.4.1. The update affects Mac OS X v10.3.9, v10.4.9, v10.5, Windows Vista and Windows XP SP2. You can download it here and see the Secunia advisory . Apple has a software update service for both Macs and Windows, but I'm not familiar with it.
Skype was updated on February 5th to fix a security problem that only affects Windows users. The new version of Skype for Windows is 3.6.0.248. You can download the latest Skype software here. For more, see the Secunia advisory or read about the problem from Skype.
Windows users can check for software that is missing bug fixes using the online Secunia Software Inspector .
Not So Recent Bug Fixes
Java was updated a few weeks ago, but there was confusion about the need for the latest version, 1.6.0_04. I wrote about this on February 8th, see Sun's Java sloppiness.
Update. February 13, 2008: Sun provides recent copies of Java for Windows, Linux and Solaris here but not for Macs. At this Java.com download page, Sun links to Apple's web site, where the available versions of Java are very old. Specifically, this page offers downloads of Java version 1.5.0_08 and 1.4.2_12. More recent was the December 13, 2007 release by Apple of Java for Mac OS X 10.4 which offers up versions 1.5.0_13 and 1.4.2_16. Despite the title, it seems as if these versions of Java are supported on Leopard (10.5). I am not a Mac user so I can't test this myself. If and when Apple will release a version of Java in the 1.6.x family is anyone's guess. For more see developer.apple.com/java/.
To see which version of Java is installed on your computer, you can use my javatester.org web site. Be sure to check in every web browser that you use.
The confusion included Secunia recommending version 1.6.0_04, while Sun recommended version 1.6.0_03. Since writing about this on the 8th, I've been in contact with Sun. I'll have more to say on this later, but suffice it to say that version 1.6.0_04 contains many updates but only one that might be considered a security update. Sun's position is that version 1.6.0_03 is secure for normal consumer usage.
If you are running version 1.6.0_03, it may not be worth the trouble to update to the latest version. If you have an earlier version of the 1.6 family however, then you should update and, if you're going to update, you might as well go for 1.6.0_04. The last version of the previous 1.5 family is 1.5.0_14. According to Secunia, this version is secure, but earlier versions of 1.5.x are not.
Before updating Java, I suggest removing older versions. Windows users can do this with the usual Add/Remove programs thingy in the Control Panel (I say "thingy" because when discussing Java, the normal term, "applet", has a specific non-Windows meaning).
The latest version of Adobe Flash player was released in mid-December. I mention it here because it fixed a number of critical security bugs, everybody has a copy and didn't get a lot of publicity.
To see which version of the Flash player is installed on your computer, go to www.adobe.com/products/flash/about/. The latest is version 9,0,115,0. As with Java, you need to check this in all web browsers on your computer as different browsers can be using different versions.
I wrote about updating the Flash player on January 28th, see A heads-up on the Adobe Flash player. For safety, old version(s) should be manually un-installed before installing a new version. Unfortunately, removing the Flash player can be problematical. My blog posting has more on this, but after removing the Flash player, check with the above web page, that each browser on your machine is, in fact, not able to access Flash. Adobe has a dedicated Flash Player un-installer, if need be.
The latest version of the Flash player is available at www.adobe.com/go/getflashplayer.
Operating Systems Too
Both Windows and the Mac OS X were also just updated.
Updates to Mac OS X were released yesterday (February 11th). The latest Leopard is now 10.5.2. For more, see this from Apple docs.info.apple.com/article.html?artnum=307109 and Apple updates Leopard, Tiger with security updates from fellow CNET blogger Robert Vamosi. I couldn't find any references to recent Tiger (10.4) bug fixes at Apple's web site.
All users of Mac OS X should read Mac OS X: Updating your software from Apple.
Update: February 13, 2008: The title says it all: Rush Limbaugh begs Steve Jobs for bug fixes.
The latest Microsoft bug fixes roll out today, February 12th, otherwise known as "Patch Tuesday". Some fixes are for Windows, some are for Microsoft Office. Specifically, there are bug fixes for Windows 2000, XP, Vista and Server 2003 as well as Office 2000 and 2003 and Office for the Mac 2004.
For the gory details see Microsoft Security Bulletin Advance Notification for February 2008 from Microsoft and Microsoft fixes 17 flaws in 11 patches; 6 are critical by CNET blogger Robert Vamosi.
I need your help here. The latter article starts with "Microsoft on Tuesday released its February 2008 security bulletin, which includes eleven bulletins, six of which are deemed Critical by Microsoft, while five are deemed Important."
The latest soft word in the bug field seems to be "bulletin". I missed the memo. What's a bulletin? Is it a bug? A bug fix? A description of the bug? How can the February bulletin include eleven bulletins?
See a summary of all my Defensive Computing postings.
In researching assorted postings on this blog I've dealt with security firm Secunia and thus ended up on their mailing list. They sent a notice yesterday warning that QuickTime has a security problem and everyone should upgrade to the newest version. A new bug in QuickTime certainly comes as no shock.
But the email was about more than just QuickTime. Secunia said this latest fix was the "...fourth major security update during the last two days required to protect private PCs against criminal attacks ... Users of Skype, Adobe Reader, and Java also run a risk of falling victim to online criminals ..."
The message is both a warning and a plug for Secunia. They offer a free online Software Inspector service for Windows that I'm a big fan of. It examines a computer and reports on software that is missing important bug fixes. It's not perfect, but any computer that passes the test is safer than one that doesn't. Highly recommended.
According to Secunia, anyone running Java version 1.6.0_03 from Sun should upgrade to version 1.6.0_04. They issued a pair of advisories about bugs in Java, one on Feb 6th and one on Feb 1st.
You can visit my website, www.javatester.org to see which version of Java you are running. I describe many ways to determine the version number, but the straight from the horse's mouth method runs a Java program (technically an applet) that reports the version number and the vendor directly from Java. This simple, reliable method works on any computer with Java installed, be it Windows, Macs, Linux or anything else. Sample output is shown below.
Be aware that if you use multiple web browsers you need to check the Java version from each browser. It is possible for two different browsers to be using different versions of Java on the same computer. Also, Sun is not the only company offering a Java runtime environment. This posting is only about Sun's versions of Java. Versions from other vendors will have their own issues. ThinkPad owners may find their Java came from IBM/Lenovo.
Note: The biggest drawback to Secunia's Software Inspector is that it requires Java. This requirement is listed as "Sun Java JRE 1.5.0_12 or later". JRE is nerd talk for the Java Runtime Environment, which is the part of Java that lives on your computer and lets you run Java programs. It is the logical equivalent of the Adobe Flash player. Like the Flash Player, the Java Runtime Environment is free.
If you run the Secunia Software Inspector on a Windows machine with Java version 1.6.0_03 you get this message: "This installation of Sun Java JRE 1.6.x / 6.x is insecure and potentially exposes your system to security threats! The detected version installed on your system is 6.0.30.5, however, the latest secure version released by the vendor, fixing one or more vulnerabilities, is 6.0.40.0." A screenshot of this is below.
Who's On First? What's On Second?
I know what you're thinking. How did we get from version 1.6.0_03 displayed by my JavaTester.org site to version 6.0.30.5 that Secunia reports? How is anyone supposed to realize that 6.0.30.5 translates to 1.6.0_03? How can it be both version 1 and version 6?
A while back I complained to Secunia that their version numbering scheme for Java was confusing. They basically said, don't shoot the messenger. Secunia looks at files and they get the version number from the Java executable itself. In this case, on a Windows XP machine, the executable is file java.exe in C:\Program Files\Java\jre1.6.0_03\bin. The version number is shown below. Sure enough, that's what Secunia reports. Don't ask me why software released in 2007 is copyright 2004.
For years Sun has referred to a single version of Java with multiple names. It's as if they just don't care.
In the Windows XP Control Panel, the Add/Remove Programs feature refers to this same version of Java with a third format "Java (TM) 6 Update 3". The Java Control Panel in the Windows Control Panel has yet another format for the version number as shown below:
Pushing Old Software
Regardless of the many names, Java version 1.6.0_03 is old, the latest version from Sun is 1.6.0_04. Here is your reward for reading this far:
Sun still offers version 1.6.0_03 for download and recommends it no less!
Go to sun.com and click on "Java for your computer" off the Java menu at the top. You end up at java.com/download/ where the latest version (see screenshot above) is said to be Version 6 Update 3. It's as if one division at Sun didn't tell another division that there's a new release of the software. If you're keeping score at home, this is naming format number three.
Clicking on the "Do I have Java?" link took me to a page with a big green "Verify Installation" button. On an XP machine running IE6 with version 1.5.0_12 installed, the verification correctly identified the version of Java and warned that it was old. But rather than offer to install the latest version, it offered to install Version 6 Update 3. A screen shot is above. Note the use of naming format number one and number three only inches apart on the same web page.
On an XP machine with version 1.6.0_03 installed, I went to the java.com home page and let the website test the installed version of Java. As shown above, it again recommended Version 6 Update 3.
There seems to be a failure to communicate at Sun, both within the company itself and to the outside world. We're left to guess whether to go with Sun's recommendation or that from Secunia. I asked Sun to comment on this a couple days ago and got no response.
What To Do?
I'd install the latest version, be it referred to as "1.6.0_04" or "Version 6 Update 4" or "6.0.40.0".
Back on January 23rd Brian Krebs wrote in his Security Fix column that version 1.6.0_04 fixed 370 bugs. As proof he linked to java.sun.com/javase/6/webnotes/ReleaseNotes.html where you can count the bug fixes for yourself.
To get the latest Java version, you can follow the link provided by the Secunia Software Inspector or you can go to java.sun.com/javase/downloads/index.jsp and look for "Java Runtime Environment (JRE) 6 Update 4" (yes, that's naming format number five).
Note: If you are running Java version 1.5.x, Secunia says version 1.5.0_12 is not secure but that version 1.5.0_14 is.
See a summary of all my Defensive Computing postings.
- prev
- 1
- next
