Security Garden

Tuesday, June 23, 2015

Out of Band Critical Adobe Flash Player Update

Tweet This

Adobe Flashplayer

Adobe has released Version of Adobe Flash Player for Windows and Macintosh to address a critical vulnerability that is being exploited in limited, targeted attacks. 

Version information for Linux and the Extended Release is available in the Release Notes.

Release date: June 23, 2015
Vulnerability identifier: APSB15-14
Priority: See table below
CVE number: CVE-2015-3113
Platform: Windows, Macintosh and Linux

Users of the Adobe Flash Player desktop runtime for Windows and Macintosh should update to Adobe Flash Player
  • Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player
  • Users of Adobe Flash Player for Linux should update to Adobe Flash Player
  • Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x and Windows 10 TP, will automatically update to the current version.

Flash Player Update Instructions

It is recommended that you either use the auto-update mechanism within the product when prompted or the direct download links.  The problem with the auto-update mechanism is that it can take a few days to finally provide the update and up to a week if using the "Notify me to install updates" setting.

Flash Player Auto-Update

The update settings for Flash Player versions 10.3 and above can found in the Advanced tab of the Flash Player Settings Manager.  The locations are as follows:
  • Windows: click Start > Settings > Control Panel > Flash Player
  • Macintosh: System Preferences (under Other) click Flash Player
  • Linux Gnome: System > Preferences > Adobe Flash Player
  • Linux KDE: System Settings > Adobe Flash Player
Also note that the Flash Player Settings Manager is where to manage local settings.

Flash Player Direct Download Links

Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras.

    • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
    • Uncheck any toolbar offered with Adobe products if not wanted.
    • If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
    • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.

    Verify Installation

    To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

    Do this for each browser installed on your computer.

    To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.


    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...

    Wednesday, June 10, 2015

    Pale Moon 25.5.0 Released with Security Updates

    Tweet This

    Pale Moon

    Pale Moon has been updated to version 25.5 and includes numerous fixes/changes as well as security updates.

    Security fixes:
    • Fixes for miscellaneous memory safety hazards (relevant and applicable fixes from CVE-2015-2708 and CVE-2015-2709)
    • DiD (defense-in-depth) fix to prevent potential overflows in CSS restyling
    • Fix for updater hijacking (CVE-2015-2720)
    • Fix to prevent potential disclosure of sensitive information in Android logs (CVE-2015-2714)
    • Fix for a buffer overflow in the XML parser (CVE-2015-2716)
    • Fix for a potentially exploitable crash in DNS handling

    A complete list of the fixes, changes and additions is available in the Release Notes. Some of the changes that may be of particular interest to users are as follows:
    • Logjam fix: Refuse DHE keys with less than 1024 key bits
    • Search plugin updates to re-enable Google suggestions and reduce tracking (Squarefractal)
    • Added a preference for always preferring a certain dictionary language.
      To use this, create a new preference spellchecker.dictionary.override (string) and set it to your language code.
    • Updated SQLite to version
    • Changed the after-upgrade page loaded to the release notes instead of the home page (and hoping people actually do take a moment to read them, preventing unnecessary support requests).
    • Reorganized the AppMenu (give equal ease for windowed and tabbed browsing, deprioritize Sync)

      Minimum system Requirements (Windows):
      • Windows Vista/Windows 7/Windows 8/Server 2008 or later
      • A processor with SSE2 support
      • 256 MB of free RAM (512 MB or more recommended)
      • At least 150 MB of free (uncompressed) disk space
      Pale Moon includes both 32- and 64-bit versions for Windows:
      Other versions:


        To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

        Remember - "A day without laughter is a day wasted."
        May the wind sing to you and the sun rise in your heart...

        Tuesday, June 09, 2015

        Microsoft Security Bulletin Release for June 2015

        Tweet This

        Microsoft released eight (8) bulletins.  Two (2) bulletins are identified as Critical and the remaining six (6) are rated Important in severity.

        The updates address vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer and Microsoft Exchange Server.  Details about the CVEs can be found in the below-referenced TechNet Security Bulletin.

        Also released was one new Security Advisory:
        One Security Advisory was revised for Windows 8.x:

        • MS15-056 -- Cumulative Security Update for Internet Explorer (3049563)
        • MS15-057 -- Vulnerability in Windows Media Player Could Allow Remote Code Execution (3033890)
        • MS15-059 -- Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3064949)
        • MS15-060 -- Vulnerability in Microsoft Common Controls Could Allow Remote Code Execution (3059317)
        • MS15-061 -- Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057839)
        • MS15-062 -- Vulnerability in Active Directory Federation Services Could Allow Elevation of Privilege (3062577)
        • MS15-063 -- Vulnerability in Windows Kernel Could Allow Elevation of Privilege (3063858)
        • MS15-064 -- Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3062157)

        Additional Update Notes

        • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 

        • Internet Explorer -- For additional information about the blocking of out-of-date ActiveX controls see the TechNet article, Out-of-date ActiveX control blocking.  Additional changes introduced this month include the blocking of outdated Silverlight.  Additional information is available in the IE Blog.

        • Windows 8.x -- Non-security new features and improvements for Windows 8.1 are now included with the second Tuesday of the month updates.  Additional information about this change is available here.

        • Windows XP -- Although Microsoft has stopped providing Microsoft Security Essentials for Windows XP, definitions will be available until July 15, 2015.  See Microsoft antimalware support for Windows XP.  The MSRT still works on Windows XP.


          Remember - "A day without laughter is a day wasted."
          May the wind sing to you and the sun rise in your heart...