Archive | August 2015

Adobe issues security updates for ColdFusion v10 / v11

According to Adobe the hotfix includes an updated version of BlazeDS, which addresses a vulnerability that could result in information disclosure.  Adobe recommends users apply the hotfix available for their version.

ColdFusion 10 Update

ColdFusion 11 Update

Two Android browsers vulnerable to exploit

We are aware of multiple companies we work with where users utilize the Dolphin web browser on Android phones.  Zero-day flaws found in Dolphin and Mercury Android browsers could allow hackers to perform remote code execution. Both browsers are available on Android devices with over 100 million downloads between the two. The Dolphin remote code execution exploit allows a hacker to replace the browser’s theme package with an infected counterpart.

Firmware update available for Surface Pro 3

Microsoft has released an update to the HD Graphics Family driver update (v10.18.15.4256) improves graphics performance and stability on Windows 10. You can get the update through Updates and security:

HD Update

Security update for Internet Explorer released

Microsoft has released a security update resolves a vulnerability in Internet Explorer that could allow remote code execution if a user views a specially crafted webpage by using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less affected than those who operate with administrative user rights.

You can install the update through Windows Update or it can be downloaded Here.

Adobe Flash Player and AIR updated

Adobe released Flash Player and AIR updates that address 35 bugs, some of which could be exploited by an attacker to take control of a vulnerable system.

Windows and Macintosh users should update Flash Player to version

Microsoft: 14 security bulletins; four critical

Two of the four critical vulnerabilities are for Windows operating systems, one affects the Office. The most severely addressed vulnerability in the Office bulletin could allow Remote Code Execution if a user opens a specially crafted Microsoft office file.

“An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user,” Microsoft wrote. “Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”

The final critical update is for the Edge web browser in Windows 10, The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Windows 10: Disable updates from non Microsoft sources

By default Windows 10 will gather updates to the OS not only from Microsoft but from other machines that have the updates. This is enabled by default and automatically adds your workstation as an updater of Windows 10 machines.

We recommend disabling this entirely or at least changing the setting to “PCs on my local network”.

The settings can be changed under Settings, Updates, Windows Updates, Choose how updates are delivered:

W10 Updates

Firefox: New exploit found, update immediately

Mozilla has released a security update for a vulnerability in their Firefox web browser. The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer. Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files.

To manually update Firefox:

  1. Click the menu button New Fx Menu , click help Help-29 and select About Firefox. On the menu bar click the Firefox menu and select About Firefox.
  2. The About Firefox window will open and Firefox will begin checking for updates and downloading them automatically.
    Update Win1 Fx14
  3. When the updates are ready to be installed, click Restart to UpdateRestart Firefox to Update.
    Update Win2 Fx14 Update Win2 Fx34

New name, new features for “Outlook Web Access” (OWA)

Outlook Web App (OWA), going forward, will be called “Outlook on the Web”. New features have been added including a new action bar across Mail, Calendar, People and Task experiences; a more prominent subject line; indented reading pane messages are all part of the new “cleaner” UI, according to Microsoft.

The ability to pin messages, Sweep, Archive, Undo and optional single-line view features are all coming to Outlook on the Web, too. Users will get more mail customization options, plus new Calendar additions like weather, visual cues, and mail reminders.


Office 365 business users with Exchange Online who are part of the First Release program will have access first with other Office365 subscriptions getting the features in September. These features will all be available for on premises

Security: Tech support phone scams

Recently we have reports from clients of an increase in the number of persons calling claiming to be from Microsoft. These individuals are attempting to gain access to workstations with the assistance of users. They might offer to help solve your computer problems or sell you a software license. Once they have access to your computer, they can do the following:

  • Trick you into installing software that could capture sensitive data, such as online banking user names and passwords. They might also then charge you to remove this software.
  • Convince you to visit legitimate websites (like to download software that will allow them to take control of your computer remotely and adjust settings to leave your computer vulnerable.
  • Request credit card information so they can bill you for phony services.
  • Direct you to fraudulent websites and ask you to enter credit card and other personal or financial information there.

Neither Microsoft nor our partners make unsolicited phone calls (also known as cold calls) to charge you for computer security or software fixes.

Telephone tech support scams: What you need to know

Cybercriminals often use publicly available phone directories, so they might know your name and other personal information when they call you. They might even guess what operating system you’re using.

Once they’ve gained your trust, they might ask for your user name and password or ask you to go to a legitimate website (such as to install software that will let them access your computer to fix it. Once you do this, your computer and your personal information are vulnerable.

Do not trust unsolicited calls. Do not provide any personal information.

Here are some of the organizations that cybercriminals claim to be from:

  • Windows Helpdesk
  • Windows Service Center
  • Microsoft Tech Support
  • Microsoft Support
  • Windows Technical Department Support Group
  • Microsoft Research and Development Team (Microsoft R & D Team)