Wednesday, September 30, 2015

Firefox Version 41.0.1 Released with Fixes


Mozilla sent Firefox Version 41.0.1 to the release channel to add a number of bug fixes.  No security updates are included.

There were no changes to Firefox ESR, which remains at version 38.3.0.

What’s New

  • Fixed -- Startup crash in mozilla::layers::CompositorD3D11::GetTextureFactoryIdentifier()
  • Fixed -- Changing properties of a new bookmark while adding it acts on the last bookmark in the current container
  • Fixed -- Firefox hangs with flash plugins
  • Fixed -- Startup crash in nsStyleSet::GatherRuleProcessors(nsStyleSet::sheetType) possibly related to Yandex toolbar and Adblock Plus
  • Fixed -- Crash in mozilla::gl::GLBlitHelper::BlitImageToTexture

Update

To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...










Monday, September 28, 2015

Pale Moon Version 25.7.1 Released with Security Updates



Pale Moon has been updated to version 25.7.1.  This update includes critical security updates as well as stability and web-compatibility updates.

Security updates have also been made in the Android version of Pale Moon in order to keep users of the otherwise currently unmaintained OS updated regarding known security vulnerabilities.

Included in the security updates is an update described as "DiD", "Defense-in-Depth".  This fix does not apply to an actively exploitable vulnerability in Pale Moon.  Rather, it is a preventative measure against future vulnerabilities that the same code could cause when surrounding code changes.

Security fixes:
  • Changed the jemalloc poison address to something that is not a NOP-slide (DiD)
  • Fixed a memory safety hazard in ConvertDialogOptions (CVE-2015-4521)
  • Fixed a buffer overflow/crash hazard in the VertexBufferInterface::reserveVertexSpace function in libGLES in ANGLE (CVE-2015-7179)
  • Fixed an overflow/crash hazard in the XULContentSinkImpl::AddText function (CVE-2015-7175)
  • Fixed a stack buffer overread hazard in the ICC v4 profile parser (CVE-2015-4504)
  • Fixed an HTMLVideoElement Use-After-Free Remote Code Execution 0-day vulnerability (ZDI-CAN-3176) (CVE-2015-4509)
  • Fixed a potentially exploitable crash in nsXBLService::GetBinding
  • Fixed a memory safety hazard in nsAttrAndChildArray::GrowBy (CVE-2015-7174)
  • Fixed a memory safety hazard for callers of nsUnicodeToUTF8::GetMaxLength (CVE-2015-4522)
  • Fixed a heap buffer overflow/crash hazard caused by invalid WebM headers (CVE-2015-4511)
Fixes/changes:

A complete list of the fixes, changes and additions is available in the Release Notes.  Of note is additional code cleanup:
  • Removed the majority of remaining telemetry code (including the data reporting back-end and health report) to prevent a few issues with partially removed code in earlier versions.

Minimum System Requirements (Windows):
  • Windows Vista/Windows 7/Windows 8/Server 2008 or later
  • A processor with SSE2 support
  • 256 MB of free RAM (512 MB or more recommended)
  • At least 150 MB of free (uncompressed) disk space
Pale Moon includes both 32- and 64-bit versions for Windows.

Update

To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.














Tuesday, September 22, 2015

Mozilla Firefox Version 41.0 Released with Critical Security Updates


Mozilla sent Firefox Version 41.0 to the release channel.  The update includes four (4) critical, five (5) high, nine (9) moderate and one (1) minor security update.

Firefox ESR version has been updated to 38.3.0.

Fixed in Firefox 41.0

  • 2015-114 Information disclosure via the High Resolution Time API
  • 2015-113 Memory safety errors in libGLES in the ANGLE graphics library
  • 2015-112 Vulnerabilities found through code inspection
  • 2015-111 Errors in the handling of CORS preflight request headers
  • 2015-110 Dragging and dropping images exposes final URL after redirects
  • 2015-109 JavaScript immutable property enforcement can be bypassed
  • 2015-108 Scripted proxies can access inner window
  • 2015-107 Out-of-bounds read during 2D canvas display on Linux 16-bit color depth systems
  • 2015-106 Use-after-free while manipulating HTML media content
  • 2015-105 Buffer overflow while decoding WebM video
  • 2015-104 Use-after-free with shared workers and IndexedDB
  • 2015-103 URL spoofing in reader mode
  • 2015-102 Crash when using debugger with SavedStacks in JavaScript
  • 2015-101 Buffer overflow in libvpx while parsing vp9 format video
  • 2015-100 Arbitrary file manipulation by local user through Mozilla updater
  • 2015-99 Site attribute spoofing on Android by pasting URL with unknown scheme
  • 2015-98 Out of bounds read in QCMS library with ICC V4 profile attributes
  • 2015-97 Memory leak in mozTCPSocket to servers
  • 2015-96 Miscellaneous memory safety hazards (rv:41.0 / rv:38.3)

What’s New

  • New -- Enhance IME support on Windows (Vista +) using TSF (Text Services Framework)
  • New -- Ability to set a profile picture for your Firefox Account
  • New -- Firefox Hello now includes instant messaging
  • New -- SVG images can be used as favicons
  • New -- Improved box-shadow rendering performance
  • Changed -- WebRTC now requires perfect forward secrecy
  • Changed -- WARP is disabled on Windows 7
  • Changed -- Updates to image decoding process
  • Changed -- Support for running animations of 'transform' and 'opacity' on the compositor thread
  • Fixed -- Picture element does not react to resize/viewport changes

Update

To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.









Monday, September 21, 2015

Adobe Flash Player and Adobe AIR Critical Security Update


Adobe has released Version 19.0.0.185 of Adobe Flash Player for Microsoft Windows and Macintosh.  The Extended Release Version was incremented to Version 18.0.0.241 with this update.

These updates address critical vulnerabilities that are actively being exploited. It is strongly advised that the updates be applied as soon as possible. Details of the vulnerabilities are included in the below-referenced Security Bulletin.

Release date: September 21, 2015

Vulnerability identifier: APSB15-23


CVE number: CVE-2015-5567, CVE-2015-5568, CVE-2015-5570, CVE-2015-5571, CVE-2015-5572, CVE-2015-5573, CVE-2015-5574, CVE-2015-5575, CVE-2015-5576, CVE-2015-5577, CVE-2015-5578, CVE-2015-5579, CVE-2015-5580, CVE-2015-5581, CVE-2015-5582, CVE-2015-5584, CVE-2015-5587, CVE-2015-5588, CVE-2015-6676, CVE-2015-6677, CVE-2015-6678, CVE-2015-6679, CVE-2015-6682
Platform:  All Platforms
  • Users of the Adobe Flash Player desktop runtime for Windows and Macintosh should update to Adobe Flash Player 19.0.0.185. 
  • Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 18.0.0.241.
  • Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.521.
  • Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x and Windows 10, will automatically update to the current version.

Flash Player Update Instructions

It is recommended that you either use the auto-update mechanism within the product when prompted or the direct download links.  The problem with the auto-update mechanism is that it can take a few days to finally provide the update and up to a week if using the "Notify me to install updates" setting.

Flash Player Auto-Update

The update settings for Flash Player versions 10.3 and above can be found in the Advanced tab of the Flash Player Settings Manager.  The locations are as follows:
  • Windows: click Start > Settings > Control Panel > Flash Player
  • Macintosh: System Preferences (under Other) click Flash Player
  • Linux Gnome: System > Preferences > Adobe Flash Player
  • Linux KDE: System Settings > Adobe Flash Player
Also note that the Flash Player Settings Manager is where to manage local settings.

Flash Player Direct Download Links

Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras.

    Notes:
    • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
    • Uncheck any toolbar offered with Adobe products if not wanted.
    • If you use alternate browsers, it is necessary to install both the update for Internet Explorer and the update for alternate browsers.
    • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.

    Verify Installation

    To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

    Do this for each browser installed on your computer.

    To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

    References








    Tuesday, September 08, 2015

    Microsoft Security Bulletin Release for September, 2015


    Microsoft released twelve (12) bulletins.  Five (5) bulletins are identified as Critical and the remaining seven (7) are rated Important in severity.

    The updates address vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Microsoft Lync, Microsoft Silverlight, Skype for Business Server, Microsoft Lync Server, Microsoft Edge and Internet Explorer.

    Details about the CVEs can be found in the below-referenced TechNet Security Bulletin.

    Update:  You won't want to miss the new Monthly Patch Review by Dustin Childs.

    Critical:
    • MS15-094 -- Cumulative Security Update for Internet Explorer (3089548) 
    • MS15-095 -- Cumulative Security Update for Microsoft Edge (3089665) 
    • MS15-097 -- Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3089656)
    • MS15-098 -- Vulnerabilities in Windows Journal Could Allow Remote Code Execution (3089669)  
    • MS15-099 -- Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3089664)  
    Important:
    • MS15-096 -- Vulnerability in Active Directory Service Could Allow Denial of Service (3072595)
    • MS15-100 -- Vulnerability in Windows Media Center Could Allow Remote Code Execution (3087918) 
    • MS15-101 -- Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (3089662) 
    • MS15-102 -- Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege (3089657) 
    • MS15-103 -- Vulnerabilities in Microsoft Exchange Server Could Allow Information Disclosure (3089250) 
    • MS15-104 -- Vulnerabilities in Skype for Business Server and Lync Server Could Allow Elevation of Privilege (3089952) 
    • MS15-105 -- Vulnerability in Windows Hyper-V Could Allow Security Feature Bypass (3091287) 

    Additional Update Notes

    • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. The updated version includes detection for the prevalent ransomware family Win32/Teerac. Details are available in the MMPC Blog Post.
    • Windows 8.x and Windows 10 -- Non-security new features and improvements for Windows 8.1 and Windows 10 are included with the updates.

    References








      Adobe Shockwave Player Critical Security Update

      Adobe has released a critical security update for Adobe Shockwave Player which addresses vulnerabilities that could potentially allow an attacker to take control of the affected system.


      Although I have yet to need Shockwave Player on this computer, there are still many people who use it.  If you have Shockwave Player installed, please update to the latest version.

      Release date: September 8, 2015
      Vulnerability identifier: APSB15-22

      CVE number: CVE-2015-6680, CVE-2015-6681
      Platform: Windows

      The newest version 12.2.0.162 is available here: http://get.adobe.com/shockwave/.  As usual, watch for any pre-checked add-ons not needed for the update.
