Wednesday, July 13, 2016

Security update available for Adobe XMP Toolkit for Java - July 2016

Adobe Security Bulletin

Release date: July 12, 2016

Vulnerability identifier: APSB16-24

Priority: 3

CVE number: CVE-2016-4216

Platform: All

Adobe has released a security update for the Adobe XMP Toolkit for Java. This update resolves an important vulnerability that could lead to information disclosure (CVE-2016-4216). Adobe recommends users update their product installation using the instructions provided in the “Solution” Section below.

Product	Affected Version	Platform
Adobe XMP Tooklit for Java	5.1.2 and earlier versions	All

Adobe categorizes this update with the following priority rating and recommends users update their installation to the newest version by following the instructions below:

Product	Updated version	Platform	Priority rating	Availability
Adobe XMP Toolkit for Java	5.1.3	All	3	Download page

Adobe XMP toolkit for Java users can download the updated version via the following download page:http://www.adobe.com/devnet/xmp.html. Adobe expects the updated version to be available during the week of July 11, 2016.

This update resolves an issue associated with the parsing of crafted XML external entities in XMPCore that could lead to information disclosure (CVE-2016-4216).

Adobe would like to thank Tim Allison of the MITRE corporation for reporting this issue (CVE-2016-4216) and for working with Adobe to help protect our customers.

- wong chee tat :)

Patch Tuesday - July 2016

Webpages, Word files, print servers menacing Windows PCs, and disk encryption bypasses – yup, it's Patch Tuesday

Plus: 52 security bugs fixed in Adobe Flash

Cthulu emerges from a printer. Image created by illustrator Andy Davies. Copyright: The Register

12 Jul 2016 at 20:53, Shaun Nichols

Microsoft will fix critical holes in Internet Explorer, Edge, Office and Windows with this month's Patch Tuesday security bundle. Meanwhile, Adobe has patched dozens of exploitable vulnerabilities in its Flash player.
Redmond's July release includes 11 sets of patches, six rated as "critical" and five classified as "important." The highlights are: a BitLocker device encryption bypass, evil print servers executing code on vulnerable machines, booby-trapped webpages and Office files injecting malware into PCs, and the usual clutch of privilege elevation flaws.
Get patching now before miscreants develop and distribute code exploiting the programming blunders. As far as we can tell, none of the bugs below are being exploited in the wild right now.

MS16-084 is a cumulative fix for Internet Explorer that addresses 15 CVE-listed vulnerabilities, including five memory corruption bugs and four scripting engine memory corruption bugs that can be exploited to execute code remotely on vulnerable machines. In other words, opening up a booby-trapped website that exploits these flaws could lead to malware infecting your PC.
"The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user," said Microsoft.
MS16-085 is also a cumulative browser fix, this time for the new Edge browser. Among the 13 CVE-listed holes in Edge are five remote code execution flaws in the Chakra JavaScript engine. Also patched are three information disclosure flaws, three spoofing vulnerabilities, and two other memory corruption flaws. Again, a malicious webpage could use these security holes to infect PCs with software nasties.
MS16-088 patches seven memory corruption vulnerabilities in Office. The flaws could allow remote code execution if opened as local documents or information disclosure if targeted at SharePoint or Office Web Apps server. Office for Mac users will receive an update as well. Basically, malicious software can be smuggled in Office documents and will infect computers when opened.
MS16-094 remedies a security bypass flaw in Windows Secure Boot. An attacker with admin or physical access – such as a thief or someone who has seized your PC – can exploit the vulnerability to install a policy that bypasses BitLocker and disk encryption.
"A security feature bypass vulnerability exists when Windows Secure Boot improperly applies an affected policy," Microsoft explained.
"An attacker who successfully exploited this vulnerability could disable code integrity checks, allowing test-signed executables and drivers to be loaded on a target device. In addition, an attacker could bypass the Secure Boot Integrity Validation for BitLocker and the Device Encryption security features.
"To exploit the vulnerability, an attacker must either gain administrative privileges or physical access to a target device to install an affected policy. The security update addresses the vulnerability by blacklisting affected policies."
MS16-093 is Microsoft's distribution of this month's Adobe Flash Player security fixes. In all, 24 CVE-listed flaws are addressed, including remote code execution vulnerabilities. Users running Windows 8.1 and later and Server 2012 will get this update automatically. Older versions will need to get the update from Adobe (more details below).
MS16-086 covers a single remote code execution flaw in the JScript and VBScript engines for Windows Vista and Server 2008. Later versions are not affected. "The vulnerability could allow remote code execution if a user visits a specially crafted website," admitted Microsoft.
MS16-090 addresses six elevation of privilege vulnerabilities in all supported versions of Windows and Windows Server. An attacker can run a specially crafted application that exploits the kernel-level flaws to increase their user permissions and take over the system.
MS16-087 is an update for flaws in the print spooler component of Windows: a man-in-the-middle attacker on a network can execute code on a remote vulnerable machine, or elevate their privileges if already running code on a system. Essentially, a rogue printer server on a network can inject malware into connected PCs. All supported versions of Windows and Windows Server are vulnerable.
"A remote code execution vulnerability exists when the Windows Print Spooler service does not properly validate print drivers while installing a printer from servers," Microsoft confessed. "An attacker who successfully exploited this vulnerability could use it to execute arbitrary code and take control of an affected system.
"An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application."
MS16-089 fixes a single information disclosure flaw triggered when the Windows 10 kernel improperly handles objects in memory.
MS16-091 is a patch for an information disclosure flaw in the .NET Framework triggered by running an XML file on a web application. The bug is found in all supported versions of Windows and Windows Server.
MS16-092 addresses two flaws in the Windows kernel, one that discloses information about the kernel and another bypassing security access checks. All supported versions of Windows and Windows Server should be updated.

Meanwhile, Adobe is applying a few more strips of duct tape to holes in the internet's screen door with the July Flash Player update.
Windows, OS X, Linux, and ChromeOS users should check to make sure they have the latest version of the software.
In total, this month's patch remedies 52 CVE-listed vulnerabilities. If targeted, 49 of those would allow remote code execution, while the other three would allow information disclosure and memory leaks.
Adobe has also released an update for Acrobat/Reader and XMP Toolkit for Java. ®

- wong chee tat :)

Security updates available for Adobe Flash Player - July 2016

Adobe Security Bulletin

Release date: July 12, 2016

Vulnerability identifier: APSB16-25

Priority: See table below

CVE number: CVE-2016-4172, CVE-2016-4173, CVE-2016-4174, CVE-2016-4175, CVE-2016-4176, CVE-2016-4177, CVE-2016-4178, CVE-2016-4179, CVE-2016-4180, CVE-2016-4181, CVE-2016-4182, CVE-2016-4183, CVE-2016-4184, CVE-2016-4185, CVE-2016-4186, CVE-2016-4187, CVE-2016-4188, CVE-2016-4189, CVE-2016-4190, CVE-2016-4217, CVE-2016-4218, CVE-2016-4219, CVE-2016-4220, CVE-2016-4221, CVE-2016-4222, CVE-2016-4223, CVE-2016-4224, CVE-2016-4225, CVE-2016-4226, CVE-2016-4227, CVE-2016-4228, CVE-2016-4229, CVE-2016-4230, CVE-2016-4231, CVE-2016-4232, CVE-2016-4233, CVE-2016-4234, CVE-2016-4235, CVE-2016-4236, CVE-2016-4237, CVE-2016-4238, CVE-2016-4239, CVE-2016-4240, CVE-2016-4241, CVE-2016-4242, CVE-2016-4243, CVE-2016-4244, CVE-2016-4245, CVE-2016-4246, CVE-2016-4247, CVE-2016-4248, CVE-2016-4249

Platform: Windows, Macintosh, Linux and ChromeOS

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

Product	Affected Versions	Platform
Adobe Flash Player Desktop Runtime	22.0.0.192 and earlier	Windows and Macintosh
Adobe Flash Player Extended Support Release	18.0.0.360 and earlier	Windows and Macintosh
Adobe Flash Player for Google Chrome	22.0.0.192 and earlier	Windows, Macintosh, Linux and ChromeOS
Adobe Flash Player for Microsoft Edge and Internet Explorer 11	22.0.0.192 and earlier	Windows 10 and 8.1
Adobe Flash Player for Linux	11.2.202.626 and earlier	Linux

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Product	Updated Versions	Platform	Priority rating	Availability
Adobe Flash Player Desktop Runtime	22.0.0.209	Windows and Macintosh	1	Flash Player Download Center Flash Player Distribution
Adobe Flash Player Extended Support Release	18.0.0.366	Windows and Macintosh	1	Extended Support
Adobe Flash Player for Google Chrome	22.0.0.209	Windows, Macintosh, Linux and ChromeOS	1	Google Chrome Releases
Adobe Flash Player for Microsoft Edge and Internet Explorer 11	22.0.0.209	Windows 10 and 8.1	1	Microsoft Security Advisory
Adobe Flash Player for Linux	11.2.202.632	Linux	3	Flash Player Download Center

Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows and Macintosh update to 22.0.0.209 via the update mechanism within the product when prompted [1], or by visiting the Adobe Flash Player Download Center.
Adobe recommends users of the Adobe Flash Player Extended Support Release should update to version 18.0.0.366 by visiting http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html.
Adobe recommends users of Adobe Flash Player for Linux update to Adobe Flash Player 11.2.202.632 by visiting the Adobe Flash Player Download Center.
Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 22.0.0.209 for Windows, Macintosh, Linux and Chrome OS.
Adobe Flash Player installed with Microsoft Edge and Internet Explorer for Windows 10 and 8.1 will be automatically updated to the latest version, which will include Adobe Flash Player 22.0.0.209.
Please visit the Flash Player Help page for assistance in installing Flash Player.

[1] Users of Flash Player 11.2.x or later for Windows, or Flash Player 11.3.x or later for Macintosh, who have selected the option to 'Allow Adobe to install updates' will receive the update automatically. Users who do not have the 'Allow Adobe to install updates' option enabled can install the update via the update mechanism within the product when prompted.

These updates resolve a race condition vulnerability that could lead to information disclosure (CVE-2016-4247).

These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-4223, CVE-2016-4224, CVE-2016-4225).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-4173, CVE-2016-4174, CVE-2016-4222, CVE-2016-4226, CVE-2016-4227, CVE-2016-4228, CVE-2016-4229, CVE-2016-4230, CVE-2016-4231, CVE-2016-4248).

These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2016-4249).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-4172, CVE-2016-4175, CVE-2016-4179, CVE-2016-4180, CVE-2016-4181, CVE-2016-4182, CVE-2016-4183, CVE-2016-4184, CVE-2016-4185, CVE-2016-4186, CVE-2016-4187, CVE-2016-4188, CVE-2016-4189, CVE-2016-4190, CVE-2016-4217, CVE-2016-4218, CVE-2016-4219, CVE-2016-4220, CVE-2016-4221, CVE-2016-4233, CVE-2016-4234, CVE-2016-4235, CVE-2016-4236, CVE-2016-4237, CVE-2016-4238, CVE-2016-4239, CVE-2016-4240, CVE-2016-4241, CVE-2016-4242, CVE-2016-4243, CVE-2016-4244, CVE-2016-4245, CVE-2016-4246).

These updates resolve a memory leak vulnerability (CVE-2016-4232).

These updates resolve stack corruption vulnerabilities that could lead to code execution (CVE-2016-4176, CVE-2016-4177).

These updates resolve a security bypass vulnerability that could lead to information disclosure (CVE-2016-4178)

Yuki Chen of Qihoo 360 Vulcan Team working with the Chromium Vulnerability Rewards Program (CVE-2016-4249)

Nicolas Joly of Microsoft Vulnerability Research (CVE-2016-4173)

Wen Guanxing from Pangu LAB (CVE-2016-4188, CVE-2016-4248)

Jaehun Jeong(@n3sk) of WINS WSEC Analysis Team working with Trend Micro's Zero Day Initiative (CVE-2016-4222)

Kai Kang (a.k.a 4B5F5F4B) working with Trend Micro's Zero Day Initiative (CVE-2016-4174)

willJ of Tencent PC Manager (CVE-2016-4172)

Natalie Silvanovich of Google Project Zero (CVE-2016-4226, CVE-2016-4227, CVE-2016-4228, CVE-2016-4229, CVE-2016-4230, CVE-2016-4231, CVE-2016-4232)

Garandou Sara working with Trend Micro's Zero Day Initiative (CVE-2016-4223)

Sébastien Morin of COSIG (CVE-2016-4175, CVE-2016-4179)

Kurutsu Karen working with Trend Micro's Zero Day Initiative (CVE-2016-4225)

Soroush Dalili from NCC Group (CVE-2016-4178)

Yuki Chen of Qihoo 360 Vulcan Team (CVE-2016-4180, CVE-2016-4181, CVE-2016-4183, CVE-2016-4184, CVE-2016-4185, CVE-2016-4186, CVE-2016-4187, CVE-2016-4233, CVE-2016-4234, CVE-2016-4235, CVE-2016-4236, CVE-2016-4237, CVE-2016-4238, CVE-2016-4239, CVE-2016-4240, CVE-2016-4241, CVE-2016-4242, CVE-2016-4243, CVE-2016-4244, CVE-2016-4245, CVE-2016-4246)

Yuki Chen of Qihoo 360 Vulcan Team and Wen Guanxing from Pangu LAB (CVE-2016-4182)

Junfeng Yang and Genwei Jiang of FireEye and Yuki Chen of Qihoo 360 Vulcan Team (CVE-2016-4185)

Ohara Rinne working with Trend Micro's Zero Day Initiative (CVE-2016-4224)

Francis Provencher of COSIG (CVE-2016-4176, CVE-2016-4177)

Jie Zeng of Tencent Zhanlu Lab (CVE-2016-4189, CVE-2016-4190, CVE-2016-4217, CVE-2016-4218, CVE-2016-4219, CVE-2016-4220, CVE-2016-4221)

Stefan Kanthak (CVE-2016-4247)

- wong chee tat :)

Homage to the 36 trillion, 119 thousand, 500 Amitabha Buddhas

Homage to the 36 trillion, 119 thousand, 500 Amitabha Buddhas

- wong chee tat :)

McAfee DAT version = 8224 (jul 12th 2016)

McAfee DAT version = 8224 (jul 12th 2016)

Link: here ( Select Yes. And it keeps getting updated daily. Region=US)

- wong chee tat :)

Cashflow and Milk

Need to improve my cashflow so that I can buy more fresh milk!

- Pic from Internet

- wong chee tat :)

Om Mani Padme Hum

Om Mani Padme Hum

- wong chee tat :)

Om Mani Padme Hum

Om Mani Padme Hum

- wong chee tat :)

Om Mani Padme Hum

Om Mani Padme Hum

- wong chee tat :)

六字真言頌怙主三寶

六字真言頌怙主三寶

虔心皈依怙主三寶，真心憐憫慈母眾生，嗡瑪尼巴美吽……

佛為導師法為正道，僧為善侶同為救主，嗡瑪尼巴美吽……
登山階梯過河船舟，驅愚慧燈險隘坦途，嗡瑪尼巴美吽……
口誦真言心中祈禱，地獄烈火從此熄滅，嗡瑪尼巴美吽……
唱頌六字胸中發願，冷獄冰雪消融變暖，嗡瑪尼巴美吽……
誦持六字威力無比，十八地獄變成樂土，嗡瑪尼巴美吽……
世間無實因緣難料，生死輪回行善為要，嗡瑪尼巴美吽……
萬物無常善惡交替，向善精進矢志不渝，嗡瑪尼巴美吽……
暇滿人身難得至寶，虛度此生實為可惜，嗡瑪尼巴美吽……
貪心無盡欲望皆空，惡趣業因棄之從善，嗡瑪尼巴美吽……
萬惡煩惱罪孽根源，時刻提防凡夫癡念，嗡瑪尼巴美吽……
強壯身軀入土荒野，驅走死神上師引路，嗡瑪尼巴美吽……
瑪尼頌詞怙主三寶，諾言活佛順口編唱，嗡瑪尼巴美吽……
虔誠頂禮觀音菩薩，消除罪孽速證佛果，嗡瑪尼巴美吽……
如來佛子慈悲引路，眾生往生極樂佛土，嗡瑪尼巴美吽……

六字斷除六道苦難頌

嗡字放光照耀天界，死苦難忍觀音救度，嗡瑪尼巴美吽……
瑪字光照阿修羅界，爭斗死傷觀音救度，嗡瑪尼巴美吽……
尼字放光照亮人間，生老病死觀音救度，嗡瑪尼巴美吽……
巴字放光照亮畜生，蠢啞痛苦觀音救度，嗡瑪尼巴美吽……
美字放光照亮惡鬼，饑餓難熬觀音救度，嗡瑪尼巴美吽……
吽字放光照亮地獄，冷熱煎熬觀音救度，嗡瑪尼巴美吽……

- wong chee tat :)

六字真言頌怙主三寶

Homage to the 36 trillion, 119 thousand, 500 Amitabha Buddhas

Homage to the 36 trillion, 119 thousand, 500 Amitabha Buddhas

Homage to the 36 trillion, 119 thousand, 500 Amitabha Buddhas

Homage to the 36 trillion, 119 thousand, 500 Amitabha Buddhas

Homage to the 36 trillion, 119 thousand, 500 Amitabha Buddhas

Homage to the 36 trillion, 119 thousand, 500 Amitabha Buddhas

Homage to the 36 trillion, 119 thousand, 500 Amitabha Buddhas

Homage to the 36 trillion, 119 thousand, 500 Amitabha Buddhas

Homage to the 36 trillion, 119 thousand, 500 Amitabha Buddhas

Homage to the 36 trillion, 119 thousand, 500 Amitabha Buddhas

- wong chee tat :)

Homage to the 36 trillion, 119 thousand, 500 Amitabha Buddhas

Medicine Master Buddha

- Pic from Internet

- wong chee tat :)

me think :)

Wednesday, July 13, 2016

Security update available for Adobe XMP Toolkit for Java - July 2016

Adobe Security Bulletin

Security update available for Adobe XMP Toolkit for Java

Summary

Affected software versions

Solution

Vulnerability Details

Acknowledgments

Patch Tuesday - July 2016

Webpages, Word files, print servers menacing Windows PCs, and disk encryption bypasses – yup, it's Patch Tuesday

Plus: 52 security bugs fixed in Adobe Flash

Security updates available for Adobe Flash Player - July 2016

Adobe Security Bulletin

Security updates available for Adobe Flash Player

Summary

Affected Versions

Solution

Vulnerability Details

Acknowledgments

Homage to the 36 trillion, 119 thousand, 500 Amitabha Buddhas

McAfee DAT version = 8224 (jul 12th 2016)

Cashflow and Milk

Om Mani Padme Hum

Om Mani Padme Hum

Om Mani Padme Hum

六字真言頌怙主三寶

六字真言頌怙主三寶

六字真言頌怙主三寶

Homage to the 36 trillion, 119 thousand, 500 Amitabha Buddhas

Homage to the 36 trillion, 119 thousand, 500 Amitabha Buddhas

Medicine Master Buddha