CIO

Bugs and Fixes: updates to Windows iTunes, Java, and Internet Explorer

A fix stops Java from disabling itself, and iTunes for Windows and Internet Explorer get some security tweaks.

Update, update, update: Form that habit now, if you haven't already, to keep up with security fixes. The latest include the usual tweaks to fend off malicious attacks, and a fix to Java that should prevent it from disabling itself constantly. That would be nice.

Apple updates Windows iTunes to 11.1.2

The 11.1.2 version of iTunes for Windows (10/22/2013) fixes several potential security issues. The program could be crashed if someone of sufficiently evil intent exploited memory access flaws in the handling of text tracks.

A bug related to WebKit memory corruption issues could allow nefarious beings to insert themselves between iTunes and the iTunes store. It has also been addressed with this update.

Finally, Apple has updated its usage of libxml and libxslt to 2.9.0 and 1.1.28, respectively, to ward off potential tampering that could cause unexpected program shutdowns or the running of malicious code.

Java's Slew of Fixes

If you've be tracking your browser's add-ons or extensions recently, you may have noticed that Java has been disabled with alarming regularity recently (if you've forgone the automated Java updates). Hopefully Java 7 update 45 (7u45) will lessen the onslaught of disablement with its whopping 51 fixes, all part of Oracle's latest Critical Patch Update released on 10/13/2013 (no, it wasn't a Friday). There are protections against code redistribution, and a warning if an application is started in an unexpected location, just to name two.

Apple issued its own update, but it's probably time to move to Oracle's plug-in if you're a Mac user.

Cumulative Security Update for Internet Explorer (2879017)

If you don't have automatic updates enabled for Internet Explorer, you might want to grab this one, which was made available on 10/8/2013 for every version of IE since 6. It addresses a number of security flaws, including one that "could allow remote code execution if a user views a specially crafted webpage...". Not only that, attackers could gain local administrative rights and play havoc with your PC in any way they see fit.

2879017 is a must-have, as is any security fix that's been publicized. There are always bad guys waiting to prey on laggards. If you have automatic updates enabled, you probably already have it.