Security Garden

Monday, July 27, 2015

Pale Moon Version 25.6.0 Released with Security Updates and Fixes



Pale Moon has been updated to version 25.6. This update includes critical security updates as well as numerous fixes and changes.

Security fixes:
  • Fixed a memory safety bug due to a bad test in nsZipArchive.cpp (CVE-2015-2735).
  • Fixed a memory safety bug in nsZipArchive::BuildFileList (CVE-2015-2736).
  • Fixed a memory safety bug caused by an overflow in nsXMLHttpRequest::AppendToResponseText (CVE-2015-2740).
  • Fixed a Use After Free in CanonicalizeXPCOMParticipant (CVE-2015-2722).
  • Fixed off-main-thread nsIPrincipal use of various consumers in the tree (only grab the principal when needed).
  • Fixed an issue where an IPDL message was sent off the main thread.
  • Fixed a potentially exploitable TCPSocket crash due to a race condition.

A complete list of the fixes, changes and additions is available in the Release Notes. Some of the changes that may be of particular interest to users are as follows:
  • Canvas anti-fingerprinting option: Pale Moon now includes the option to make canvas fingerprinting much more difficult. By setting the about:config preference canvas.poisondata to true, any data read back from canvas surfaces will be "poisoned" with humanly-imperceptible data changes. By default this is off, because it has a large performance impact on the routines reading this data.
  • Added a feature to allow icon fonts to be used even when users disallow the use of document-specified fonts. This should retain full navigation for icon-font heavy websites (no more dreaded "boxes" with hex codes) when custom text fonts are disabled.
  • Added a feature to prevent screen savers from kicking in when playing full-screen HTML5 video. This is currently not yet operational on Linux because of stability issues we've run into on that OS, but Windows should properly benefit from this change.
  • Fixed miscellaneous crash scenarios (See Release Notes)

Minimum system requirements (Windows):
• Windows Vista/Windows 7/Windows 8/Server 2008 or later
• A processor with SSE2 support
• 256 MB of free RAM (512 MB or more recommended)
• At least 150 MB of free (uncompressed) disk space

Pale Moon includes both 32- and 64-bit versions for Windows:

Other versions:


To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window. Select About Pale Moon > Check for Updates.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Monday, July 20, 2015

Out-of-band release for Security Bulletin MS15-078


Microsoft released an out-of-band critical security update that addresses a vulnerability in the Microsoft font driver that could allow remote code execution.

The vulnerability affects all supported versions of Microsoft Windows. A restart is required in order to apply the update.


• MS15-078 - Vulnerability in Microsoft Font Driver Could Allow Remote Code Execution (3079904).
  This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts.



Tuesday, July 14, 2015

Oracle Java Quarterly Security Updates, July 2015



Oracle released the scheduled critical security updates for its Java SE Runtime Environment software.

Unwanted "Extras"

Although most people do not need Java on their computer, some programs and games require it. If you need to continue using Java, How-To Geek discovered a little-known and unpublicized option in the Java Control Panel to suppress the offers for the pre-checked, unwanted extras that Oracle has long included with its updates. Although the Ask Toolbar has been removed, that does not preclude a pre-checked option for some other unnecessary add-on.

Do the following to suppress the sponsor offers:
1. Launch the Windows Start menu
2. Click on Programs
3. Find the Java program listing
4. Click Configure Java to launch the Java Control Panel
5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
6. Check the box by the "Suppress sponsor offers when installing or updating Java" option and click OK.

Windows XP

For information on Java support for Windows XP, organizations and individuals who must continue using Windows XP and have Java installed are referred to the Oracle blog post, The future of Java on Windows XP (Henrik on Java).


If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

Download Information

Download link: Java SE 8u51

Verify your version:

• Uncheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.
• Starting with Java SE 7 Update 21 in April 2013, all Java Applets and Web Start Applications should be signed with a trusted certificate. Running applets that are untrusted or unsigned is not recommended. See How to protect your computer against dangerous Java Applets.

Critical Patch Updates

For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
• 20 October 2015
• 19 January 2016
• 19 April 2016

Java Security Recommendations

For those people who have desktop applications that require Java and cannot uninstall it, Java can now be disabled in Internet Explorer. See Microsoft Fix it to Disable Java in Internet Explorer.

1) In the Java Control Panel, at minimum, set the security to high.
2) Keep Java disabled until needed. Uncheck the box "Enable Java content in the browser" in the Java Control Panel.
3) If you use Firefox or Pale Moon, install NoScript and only allow Java on those sites where it is required.

Instructions on removing older (and less secure) versions of Java can be found at

