Security Garden

Tuesday, July 29, 2014

Pale Moon Version 24.7.0 Released

Tweet This

Pale Moon
Pale Moon has been updated to version 24.7.0.  In addition to fixing some performance issues with the new rendering engine on Windows, there are many other updates, including the following security and privacy fixes:


  • Google SafeBrowsing, which is defunct, has been removed from the browser.
    Google SafeBrowsing no longer works in Pale Moon, and still having it in the browser and enabled caused a potential privacy issue by sending the domain check to Google. Considering the limited use of the service to begin with and defunct nature, removal was the only logical option.


  • Updated the NSS library to 3.16.2 RTM to address a few critical SSL issues. 
  • There was a possibility to lose the source frame for raster images if images had to be discarded in low-memory situations. This has been fixed. 
  • Made refcounting logic around PostTimerEvent more explicit. 
  • Prevented an invalid pointer state in docloader. 
  • Added proper refcounting of font faces. 
Detailed information about this update is available in the Announcement.


To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Tuesday, July 22, 2014

Mozilla Firefox Version 31.0 Released

Tweet This


Mozilla sent Firefox Version 31.0 to the release channel. At this time, no security updates are listed as being included in the release.

Update:  Although not included in the Release Notes, the Security Fixes page now shows that the update includes three (3) Critical, four (4) High, two (2) Moderate and one (1) Low security updates.

Fixed in Firefox 31

  • MFSA 2014-66 -- IFRAME sandbox same-origin access through redirect
  • MFSA 2014-65 -- Certificate parsing broken by non-standard character encoding
  • MFSA 2014-64 -- Crash in Skia library when scaling high quality images
  • MFSA 2014-63 -- Use-after-free while when manipulating certificates in the trusted cache
  • MFSA 2014-62 -- Exploitable WebGL crash with Cesium JavaScript library
  • MFSA 2014-61 -- Use-after-free with FireOnStateChange event
  • MFSA 2014-60 -- Toolbar dialog customization event spoofing
  • MFSA 2014-59 -- Use-after-free in DirectWrite font handling
  • MFSA 2014-58 -- Use-after-free in Web Audio due to incorrect control message ordering
  • MFSA 2014-57 -- Buffer overflow during Web Audio buffering for playback
  • MFSA 2014-56 -- Miscellaneous memory safety hazards (rv:31.0 / rv:24.7)
Highlights of the new version include a search field added to the New Tab Page and preferences to modify the browser.tabs.closeButtons was removed.  If you have modified close tabs, this update changes it to default (one close button for each tab).  To restore the setting, an add-on such as Classic Theme Restorer is suggested.

The issue introduced with version 29.1 that many users have experienced with slow shut downs resulting in the "Firefox is already running" warning continues unresolved.  In the meantime, Firefox users having this issue may want to refer to the KB article, "Firefox is already running but is not responding" error message - How to fix it.

What’s New

  • New -- Add the search field to the new tab pag  
  • New -- mozilla::pkix as default certificate verifier (learn more)
  • New -- Block malware from downloaded files (learn more)
  • New -- Partial implementation of the OpenType MATH table (section 6.3.6) see documentation about mathematical fonts and the MathML Torture Test for details
  • New -- Support of Prefer:Safe http header for parental control.
  • New -- audio/video .ogg and .pdf files handled by Firefox if no application specified (Windows only)
  • Changed -- Removal of the CAPS infrastructure for specifying site-specific permissions (via capability.policy.* preferences). Most notably, attempts to use this functionality to grant access to the clipboard will no longer work. The sole exception is the checkloaduri permission, which may still be used as before to allow sites to load file:// URIs.
  • HTML5 -- WebVTT implemented and enabled (learn more)
  • HTML5 -- CSS3 variables implemented (learn more)
  • Developer -- Numerous Developer Tools and other changes.  See Release Notes for details.
  • Fixed -- Search for partially selected link text from context menu (985824)

Known Issues

  • unresolved -- Slow shut downs lead to 'Firefox is already running' warning (see 966469 and 985655)
  • unresolved -- PDF.js: With some fonts, some characters might not be displayed. Affects a very small number of PDF (1028735)
  • unresolved -- Mac OS X and Windows: Citrix Receiver no longer works. As a workaround, mark the plugin as Always Enable in the addon manager (1025627)
  • unresolved -- GNU/Linux and Windows XP: Google Maps Street View displays a black screen (1034593)
  • unresolved -- Mac OS X: cmd-L no longer opens a new window when no window is available (1008793)


To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu.

If you do not use the English language version, Fully Localized Versions are available for download.


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Monday, July 21, 2014

WinPatrol v32 Update

Tweet This

WinPatrol Scotty

As I have said, "WinPatrol is the first program I install on my computers.  I recommend WinPatrol to my friends and to people I have helped with malware removal.  I wouldn't think of surfing without Scotty covering my back."

After the last update to WinPatrol, that statement needs to be supplemented to include that WinPatrol users are extremely dedicated to Scotty and not only quick to point out any quirks but also ready to help resolve those quirks.

Prior to the WinPatrol update to version 32, a dedicated group of WinPatrol users provided information to Bret and Bill about issues they were experiencing with Delayed Start.  Although the version 32.0.2014 update partially addressed the issues, there continued to be a bit of a problem.

Bret and Bill followed the discussion closely and Bret quickly provided a diagnostic tool so volunteers could provide the information he and Bill needed to resolve the remaining issues.  The end result was the release of WinPatrol version 32.0.2014.5. 

From WinPatrol 2014 Upgrade Version 32.0.2014.5
"Thanks to the quick reports from our dedicated fans a new release is available that resolves some errors due to a change to a new default folder. Using a new tool from Ruiware for inspecting registry data and the cooperation of folks in the Landzdown Forum we tracked down some remaining failures in the Delayed Start program list.

Other reports from the first day of downloading indicated some files from the previous BillP Studios folder we not copied to the new folder as planned. In particular, the history.txt was not copied and is useful if a startup program needed to be restored.

Quoting* Bill at LandzDown:
"It's been a long day but I need to let everyone know how grateful I am for help, patience and guidance. The posts we've read along with Bret's tool to inspect the data has been critical in finding problems with the initial release of version 32 quickly.

You'll find a new version 32.0.2014.5 which has a number of changes that will stablize the Delayed Start list.
I also thought I had considered the impact of having a new default folder but some of our thoughts were not implemented. I can't say for sure if the new version will include everything we wanted for folks who have installed 32.0.2014.5 but for new downloads, it will correctly copy any previous data in the BillP folder to the Ruiware folder.
If you still have the BillP Studios folder, you can manually copy the history.txt file to the Ruiuware folder. If you noticed any subfolders copy those as well.

Special thanks to Corine and the Landzdown folks for convincing me this was the place to have a WinPatrol Forum.

Thanks again,
You can find the WinPatrol forum at LandzDown here: WinPatrol Help & Information.

*Minor typos corrected in quote.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...