Monday, April 20, 2015

Mozilla Firefox Version 37.0.2 Released with Security Update


Mozilla sent Version 37.0.2 to the release channel.  The update includes one (1) High security update and includes two bug fixes.

Fixed in Firefox 37.0.2

  • 2015-45 -- Memory corruption during failed plugin initialization



What’s New

  • Fixed: Google Maps may render incorrectly in some cases
  • Fixed: Stability fixes for select graphics hardware and feature sets
  • Fixed: Various security fixes

Update

To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...





Tuesday, April 14, 2015

Oracle Java Quarterly Security Update Released



Oracle released the scheduled critical security updates for its Java SE Runtime Environment software. 

It is important to also note that this release will be the last Oracle JDK 7 publicly available update. For more information, and details on how to receive longer term support for Oracle JDK 7, please see the Oracle Java SE Support Roadmap.
 

Unwanted "Extras"

Oracle has long included pre-checked options with the updates.  Although most people do not need Java on their computer, there are some programs and games that require Java.  In the event you need to continue using Java, How-To Geek discovered a little-known and unpublicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras.

  1. Launch the Windows Start menu
  2. Click on Programs
  3. Find the Java program listing
  4. Click Configure Java to launch the Java Control Panel
  5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
  6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.
Java suppress sponsor offers

Windows XP

For information on Java support for Windows XP, organizations and individuals who must continue using Windows XP and have Java installed are referred to the Oracle blog post, The future of Java on Windows XP (Henrik on Java).

Update

If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

Download Information

Download link:  Java SE 8u45

Verify your version:  http://www.java.com/en/download/testjava.jsp

Notes:
  • Uncheck any pre-checked toolbar and/or software options presented with the update.  They are not part of the software update and are completely optional.
  • Starting with Java SE 7 Update 21 in April 2013, all Java Applets and Web Start Applications should be signed with a trusted certificate.  Running applets that are unsigned or signed with an untrusted certificate is not recommended.  See How to protect your computer against dangerous Java Applets

Critical Patch Updates

For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
  • 14 April 2015
  • 14 July 2015
  • 20 October 2015
  • 19 January 2016 

Java Security Recommendations

For those people who have desktop applications that require Java and cannot uninstall it, Java can now be disabled in Internet Explorer.  See Microsoft Fix it to Disable Java in Internet Explorer.

1)  In the Java Control Panel, at minimum, set the security to high.
2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

Java ControlPanel
(Image via Sophos Naked Security Blog)

3)  If you use Firefox or Pale Moon, install NoScript and only allow Java on those sites where it is required.

Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml




Adobe Flash Player and Adobe AIR Critical Security Update


Adobe has released Version 17.0.0.169 of Adobe Flash Player and Adobe AIR 17.0.0.144 for Windows and Macintosh.  Version 11.2.202.457 has been released for Linux.  The Extended Release Version is 13.0.0.281.

These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system.  Details of the vulnerabilities are included in the below-referenced Security Bulletin.

Update Information:

Release date: April 14, 2015
Vulnerability identifier: APSB15-06

CVE numbers: CVE-2015-0346, CVE-2015-0347, CVE-2015-0348, CVE-2015-0349, CVE-2015-0350, CVE-2015-0351, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354, CVE-2015-0355, CVE-2015-0356, CVE-2015-0357, CVE-2015-0358, CVE-2015-0359, CVE-2015-0360, CVE-2015-3038, CVE-2015-3039, CVE-2015-3040, CVE-2015-3041, CVE-2015-3042, CVE-2015-3043, CVE-2015-3044
Platform: All Platforms

Flash Player Update Instructions

It is recommended that you either use the auto-update mechanism within the product when prompted or the direct download links.  The problem with the auto-update mechanism is that it can take a few days to finally provide the update and up to a week if using the "Notify me to install updates" setting.

Flash Player Auto-Update

The update settings for Flash Player versions 10.3 and above can be found in the Advanced tab of the Flash Player Settings Manager.  The locations are as follows:
  • Windows: click Start > Settings > Control Panel > Flash Player
  • Macintosh: System Preferences (under Other) click Flash Player
  • Linux Gnome: System > Preferences > Adobe Flash Player
  • Linux KDE: System Settings > Adobe Flash Player
Also note that the Flash Player Settings Manager is where to manage local settings.

Flash Player Direct Download Links

Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras.

Notes:
  • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
  • Uncheck any toolbar offered with Adobe products if not wanted.
  • If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
  • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.

Adobe Flash Player for Android

The latest version of Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu.

Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.



Microsoft Security Bulletin Release for April, 2015


Microsoft released eleven (11) bulletins.  Four (4) bulletins are identified as Critical and the remaining seven (7) are rated Important in severity.

The updates address vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, Microsoft Server Software, Productivity Software and .NET Framework.  Details about the CVEs can be found in the below-referenced TechNet Security Bulletin.

For those who have had issues with .NET Framework updates, it is suggested that MS15-041 be installed separately, with a shutdown/restart between it and the other updates.

As part of the Internet Explorer update released today, SSL 3.0 has been disabled by default in Internet Explorer 11.



Critical:
  • MS15-032 Cumulative Security Update for Internet Explorer (3038314)
  • MS15-033 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3048019)
  • MS15-034 Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553)
  • MS15-035 Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution (3046306)
Important:
  • MS15-036 Vulnerabilities in Microsoft SharePoint Server Could Allow Elevation of Privilege (3052044)
  • MS15-037 Vulnerability in Windows Task Scheduler Could Allow Elevation of Privilege (3046269)
  • MS15-038 Vulnerabilities in Microsoft Windows Could Allow Elevation of Privilege (3049576)
  • MS15-039 Vulnerability in XML Core Services Could Allow Security Feature Bypass (3046482)
  • MS15-040 Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (3045711)
  • MS15-041 Vulnerability in .NET Framework Could Allow Information Disclosure (3048010)
  • MS15-042 Vulnerability in Windows Hyper-V Could Allow Denial of Service (3047234)

Additional Update Notes

  • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

    The updated version includes the Win32/Saluchtra, Win32/Dexter, Win32/Unskal and Win32/IeEnablerCby malware families.  Additional details are available in the MMPC blog post.

  • Internet Explorer -- For additional information about the blocking of out-of-date ActiveX controls, see the TechNet article, Out-of-date ActiveX control blocking.  Additional changes introduced this month include the blocking of outdated Silverlight.  Additional information is available in the IE Blog.

  • Windows 8.x -- Non-security new features and improvements for Windows 8.1 are now included with the second Tuesday of the month updates.  Additional information about this change is available here.

  • Windows XP -- Although Microsoft has stopped providing Microsoft Security Essentials for Windows XP, definitions will be available until July 15, 2015.  See Microsoft antimalware support for Windows XP.  The MSRT still works on Windows XP.








WinPatrol Version 33.5.2015.3 Released


WinPatrol Version 33.5.2015.3 was released with several fixes and improvements.

Fixes:
  • Fixed issue with recurring alerts
  • Fixed issue where registry monitoring did not always alert
  • Fixed sorting on Delay Time in Delayed Start tab
Improvements:
  • Enhanced background process to improve speed of detections
  • Enhanced product display and sorting on systems with large numbers of programs
  • Improved registration process

Direct Download Link: WinPatrol Version 33.5.2015.3


You can find the WinPatrol forum at LandzDown here: WinPatrol Help & Information.








Saturday, April 04, 2015

Mozilla Firefox Version (37.0) 37.0.1 Released


Update:  Version 37.0 was withdrawn from the release channel due to users experiencing start-up crashes with certain graphics hardware and third party software.  Version 37.0.1 has been released to fix that issue as well as disabling HTTP/2 AltSvc and including one (1) critical and one (1) high security update.

Fixed in Firefox 37.0.1

  • 2015-44 Certificate verification bypass through the HTTP/2 Alt-Svc header
  • 2015-43 Loading privileged content through Reader mode

Mozilla sent Firefox Version 37.0 to the release channel.  The update does not include any security fixes.

Correction:  Although not listed in the Release Notes, it appears that Version 37.0 does indeed include security fixes:  four (4) critical, two (2) high, five (5) moderate and one (1) low.

A major addition included in the browser is called Heartbeat, described as User Voice in Firefox.  Essentially, it is a user rating system.  Heartbeat will appear randomly requesting a rating:

Heartbeat

which may be followed by an "Engagement" request:

Engagement


Personally, this seems like a whole lot of nonsense to me and a wasted effort on the part of Mozilla.org to increase its following.  It is nonsense like that that convinces me further that I made the right decision to switch to Pale Moon.

If you do not wish to allow Heartbeat, it can be disabled as follows:
  1. Open about:config
  2. Click "I'll be careful, I promise!" when presented with the warning.
  3. Type selfsupport in the search box
  4. Set browser.selfsupport.url to ""

Fixed in Firefox 37


  • 2015-42 Windows can retain access to privileged content on navigation to unprivileged pages
  • 2015-40 Same-origin bypass through anchor navigation
  • 2015-39 Use-after-free due to type confusion flaws
  • 2015-38 Memory corruption crashes in Off Main Thread Compositing
  • 2015-37 CORS requests should not follow 30x redirections after preflight
  • 2015-36 Incorrect memory management for simple-type arrays in WebRTC
  • 2015-35 Cursor clickjacking with flash and images
  • 2015-34 Out of bounds read in QCMS library
  • 2015-33 resource:// documents can load privileged pages
  • 2015-32 Add-on lightweight theme installation approval bypassed through MITM attack
  • 2015-31 Use-after-free when using the Fluendo MP3 GStreamer plugin
  • 2015-30 Miscellaneous memory safety hazards (rv:37.0 / rv:31.6)

What’s New

  • New: Heartbeat user rating system - your feedback about Firefox
  • New: Yandex set as default search provider for the Turkish locale
  • New: Bing search now uses HTTPS for secure searching
  • New: Improved protection against site impersonation via OneCRL centralized certificate revocation
  • New: Opportunistically encrypt HTTP traffic where the server supports HTTP/2 AltSvc
  • Changed: Disabled insecure TLS version fallback for site security
  • Changed: Extended SSL error reporting for reporting non-certificate errors
  • Changed: TLS False Start optimization now requires a cipher suite using AEAD construction
  • Changed: Improved certificate and TLS communication security by removing support for DSA
  • Changed: Improved performance of WebGL rendering on Windows
  • HTML5: Implemented a subset of the Media Source Extensions (MSE) API to allow native HTML5 playback on YouTube
  • HTML5: Added support for CSS display:contents
  • HTML5: IndexedDB now accessible from worker threads
  • HTML5: New SDP/JSEP implementation in WebRTC

Update

To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu.  If you do not use the English language version, Fully Localized Versions are available for download.
