Security Garden

Wednesday, October 15, 2014

Pale Moon 25.0.1 Released with Critical Security Update


Pale Moon has released version 25.0.1 to address an important Jetpack extension compatibility issue. 

The update also includes a number of security fixes.

Security fixes:

  • Fix for VP9 decoder vulnerability
  • Fix for direct access to raw connection sockets in http
  • Fix for unsafe conversion to JSON of data through the alarm DOM element
  • Update of NSS to 3.16.2.2-RTM

Other changes:

  • Update of the add-on SDK to add missing "PaleMoon" engine entries to lists in some modules. This should fix extension compatibility issues for things like Self-Destructing Cookies, Privacy Badger and other Jetpack add-ons that should otherwise already work with the new GUID.
  • About box release notes link corrected

Minimum system requirements (Windows):

  • Windows Vista/Windows 7/Windows 8/Server 2008 or later
  • A processor with SSE2 support
  • 256 MB of free RAM (512 MB or more recommended)
  • At least 150 MB of free (uncompressed) disk space

Pale Moon is available in both 32- and 64-bit builds.

    Update

To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window, then select About Pale Moon > Check for Updates.


    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...





    Tuesday, October 14, 2014

    Oracle Java Critical Security Update




    Oracle released the scheduled critical security updates for its Java SE Runtime Environment software. 

This is a Critical Patch Update that affects Oracle Java SE versions 5.0u71, 6u81, 7u67 and 8u20. From The Assurance Blog:
"Out of the 154 vulnerabilities fixed with today’s Critical Patch Update release, 31 are for the Oracle Database. All but 3 of these database vulnerabilities are related to features implemented using Java in the Database, and a number of these vulnerabilities have received a CVSS Base Score of 9.0."

    Unwanted "Extras"

Oracle has long bundled pre-checked "sponsor" options with its updates. Although most people do not need Java on their computer, some programs and games still require it. If you need to keep Java installed, How-To Geek found a little-known and unpublicized option in the Java Control Panel that suppresses these pre-checked offers for good:

    1. Launch the Windows Start menu
    2. Click on Programs
    3. Find the Java program listing
    4. Click Configure Java to launch the Java Control Panel
    5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
    6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.

    Windows XP

There has been a lot of recent controversy regarding Java updates for Windows XP. Although Windows XP has reached end of life, Java 7 will continue to receive updates until April 2015.

Thus, organizations and individuals who must continue using Windows XP and have Java installed can also continue receiving Java 7 updates. Note, however, that if an issue arises that is specific to Windows XP, Oracle is not obliged to produce a patch and may not be able to. For additional information, refer to the Oracle blog post, The future of Java on Windows XP (Henrik on Java).

    Update

    If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

    Download Information

    Download link:  Java SE 8u25

    Verify your version:  http://www.java.com/en/download/testjava.jsp

    Notes:
• Uncheck any pre-checked toolbar and/or software options presented with the update. They are not part of the security update and are completely optional.
• Starting with Java SE 7 Update 21 (April 2013), all Java applets and Web Start applications should be signed with a certificate from a trusted CA. Do not run applets that are unsigned or signed with an untrusted certificate. See How to protect your computer against dangerous Java Applets

    Critical Patch Updates

    For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
    • 20 January 2015
    • 14 April 2015
    • 14 July 2015
    • 20 October 2015

    Java Security Recommendations

    For those people who have desktop applications that require Java and cannot uninstall it, Java can now be disabled in Internet Explorer.  See Microsoft Fix it to Disable Java in Internet Explorer.

    1)  In the Java Control Panel, at minimum, set the security to high.
    2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

[Image: Java Control Panel, Security tab (via Sophos Naked Security Blog)]

    3)  If you use Firefox, install NoScript and only allow Java on those sites where it is required.

    Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml
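The Java Control Panel steps above (the "Suppress sponsor offers" option, the security level and the "Enable Java content in the browser" checkbox) all end up as key=value lines in the per-user deployment.properties file, so they can be audited or applied without clicking through the GUI on every machine. The following PowerShell script is an added example, not code from the original post or from Oracle; it assumes Java 7/8 on Windows Vista or later (on Windows XP the file lives under Application Data\Sun\Java\Deployment instead), and it assumes the three property names below are the ones the Control Panel writes for those options, which you should confirm by toggling each option once and reading the file. It also lists every JRE registered in the registry so that the older versions mentioned in the Oracle FAQ can be found and removed.

```powershell
# Added example (not part of the original post): audit, and optionally apply,
# the Java Control Panel settings recommended above by editing the per-user
# deployment.properties directly, then list every JRE registered in the
# registry so older versions can be removed.
#
# Assumptions: Java 7/8 on Windows Vista or later; the three property names in
# $wanted are the deployment.properties keys behind "Security level",
# "Enable Java content in the browser" and "Suppress sponsor offers when
# installing or updating Java". Confirm them on your own machine first.

$Apply = $false   # set to $true to write the hardened values back

$propsPath = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'

# Desired values, in the file's own key=value syntax.
$wanted = @{
    'deployment.security.level'      = 'HIGH'    # VERY_HIGH is stricter still
    'deployment.webjava.enabled'     = 'false'   # "Enable Java content in the browser" unchecked
    'install.disable.sponsor.offers' = 'true'    # no pre-checked sponsor "extras"
}

# Parse the file: one key=value per line; '#' and '!' start comment lines.
$current = @{}
$lines = @()
if (Test-Path $propsPath) {
    $lines = @(Get-Content $propsPath)
    foreach ($line in $lines) {
        if ($line -match '^\s*([^#!=\s][^=]*?)\s*=\s*(.*?)\s*$') {
            $current[$matches[1]] = $matches[2]
        }
    }
} else {
    Write-Warning "No deployment.properties at $propsPath (has the Java Control Panel ever been opened?)"
}

# Compare what is set against what we want.
$fixes = @()
foreach ($key in $wanted.Keys) {
    $have = if ($current.ContainsKey($key)) { $current[$key] } else { '<unset>' }
    if ($have -eq $wanted[$key]) {
        "OK      {0} = {1}" -f $key, $have
    } else {
        "CHANGE  {0} = {1}  (want {2})" -f $key, $have, $wanted[$key]
        $fixes += $key
    }
}

if ($Apply -and $fixes.Count -gt 0) {
    # Drop the lines being replaced, append the new values, write the file back.
    $kept = @($lines | Where-Object {
        -not ($_ -match '^\s*([^#!=\s][^=]*?)\s*=' -and ($fixes -contains $matches[1]))
    })
    New-Item -ItemType Directory -Force -Path (Split-Path $propsPath) | Out-Null
    $kept + @($fixes | ForEach-Object { "$_=$($wanted[$_])" }) |
        Set-Content -Path $propsPath -Encoding ASCII
    "Wrote $($fixes.Count) setting(s) to $propsPath"
}

# Installed JREs: each version registers a subkey whose JavaHome value points
# at its install directory. Anything older than the newest entry is a removal
# candidate (see the Oracle FAQ link above).
$jreKeys = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
           'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
foreach ($k in $jreKeys) {
    if (-not (Test-Path $k)) { continue }
    Get-ChildItem $k | ForEach-Object {
        $javaHome = (Get-ItemProperty $_.PSPath).JavaHome
        if ($javaHome) { "{0,-12} {1}" -f $_.PSChildName, $javaHome }
    }
}
```

Run it once with $Apply left at $false to see what would change; the per-user file only governs that user's profile, so for a fleet-wide setting the same keys belong in the system-level deployment.properties referenced from deployment.config, with the corresponding .locked entries if users must not be able to change them.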

    References







    Microsoft Security Bulletin Release for October 2014



    Microsoft released eight (8) bulletins.  Three (3) bulletins are identified as Critical and five (5) as Important.

The updates address 24 Common Vulnerabilities and Exposures (CVEs) in Windows, Office, .NET Framework, ASP.NET, and Internet Explorer (IE). Reminder for those who have had problems with .NET updates: install them separately, with a restart between them and the other updates.

    Critical:

    • MS14-056 -- Cumulative Security Update for Internet Explorer (2987107)  
    • MS14-057 -- Vulnerabilities in .NET Framework Could Allow Remote Code Execution (3000414) 
    • MS14-058 -- Vulnerability in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) 

    Important:
    • MS14-059 -- Vulnerability in ASP.NET MVC Could Allow Security Feature Bypass (2990942) 
    • MS14-060 -- Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869)
    • MS14-061 -- Vulnerability in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (3000434) 
    • MS14-062 -- Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) 
    • MS14-063 -- Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege (2998579)   
Information on non-security updates can be found in KB 894199.
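A quick way to see which of the eight bulletins above a machine is still missing is to compare their KB numbers against what Windows reports as installed. The script below is an added example and not part of the original post; it uses the bulletin KB numbers listed above and the built-in Get-HotFix cmdlet, which reads Win32_QuickFixEngineering. One caveat a practitioner will want: Get-HotFix shows the KB of each installed package, and some bulletins, MS14-057 (.NET Framework) in particular, ship several per-product packages whose KB numbers differ from the bulletin's summary KB, so a MISSING line means "verify against the bulletin", not proof that the fix is absent.

```powershell
# Added example (not part of the original post): compare the October 2014
# bulletin KB numbers listed above against what Get-HotFix reports installed.
# Caveat: Get-HotFix (Win32_QuickFixEngineering) lists installed *packages*;
# bulletins with several per-product packages (e.g. MS14-057 for .NET) use
# package KB numbers that differ from the bulletin's summary KB, so MISSING
# means "check the bulletin", not "unpatched".

$bulletins = @(
    @{ Id = 'MS14-056'; KB = 2987107; Severity = 'Critical';  Title = 'Cumulative Security Update for Internet Explorer' },
    @{ Id = 'MS14-057'; KB = 3000414; Severity = 'Critical';  Title = '.NET Framework RCE' },
    @{ Id = 'MS14-058'; KB = 3000061; Severity = 'Critical';  Title = 'Kernel-Mode Driver RCE' },
    @{ Id = 'MS14-059'; KB = 2990942; Severity = 'Important'; Title = 'ASP.NET MVC Security Feature Bypass' },
    @{ Id = 'MS14-060'; KB = 3000869; Severity = 'Important'; Title = 'Windows OLE RCE' },
    @{ Id = 'MS14-061'; KB = 3000434; Severity = 'Important'; Title = 'Word / Office Web Apps RCE' },
    @{ Id = 'MS14-062'; KB = 2993254; Severity = 'Important'; Title = 'Message Queuing Service EoP' },
    @{ Id = 'MS14-063'; KB = 2998579; Severity = 'Important'; Title = 'FAT32 Disk Partition Driver EoP' }
)

# HotFixID values look like 'KB2987107'.
$installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })

$missing = 0
$report = foreach ($b in $bulletins) {
    $present = $installed -contains ('KB{0}' -f $b.KB)
    if (-not $present) { $missing++ }
    $state = if ($present) { 'INSTALLED' } else { 'MISSING' }
    New-Object PSObject -Property @{
        Bulletin = $b.Id
        Severity = $b.Severity
        KB       = $b.KB
        State    = $state
        Title    = $b.Title
    }
}

$report | Format-Table Bulletin, Severity, KB, State, Title -AutoSize
"Missing (per Get-HotFix): $missing of $($bulletins.Count)"
```

For the .NET and Office bulletins, confirm any MISSING entry by checking the package KBs listed in the bulletin itself, or by looking at the installed-updates list in Programs and Features, before treating the machine as unpatched.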

    Security Advisories


    The following security advisories were released:
    Revised advisories:

    Notes



    The following additional information is provided in the Security Bulletin:

    References



