Thursday, August 27, 2015

Mozilla Firefox Version 40.0.3 Released with Security Updates


Mozilla sent Firefox Version 40.0.3 to the release channel.  The update includes one (1) critical and one (1) high security update.

Firefox ESR version has been updated to 38.2.1.


Fixed in Firefox 40.0.3

  • 2015-95 Add-on notification bypass through data URLs
  • 2015-94 Use-after-free when resizing canvas element during restyling 

What’s New

  • Changed -- Disable the asynchronous plugin initialization (1198590)
  • Fixed -- Fix a segmentation fault in the GStreamer support (GNU/Linux) (1145230)
  • Fixed -- Fix a startup crash when using DisplayLink (Windows Only) (1195844)
  • Fixed -- Fix a regression with some Japanese fonts used in the field (1194055)
  • Fixed -- On some sites, the selection in a select combo box using the mouse could be broken (1194733)
  • Fixed -- Some search partner codes were missing (1195683)




Update

To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...








Wednesday, August 26, 2015

Pale Moon Version 25.7 Released with Security Updates



Pale Moon has been updated to version 25.7.  This update includes critical security updates as well as some code cleanup and fixes.

Included in the security updates is an update described as "DiD", or "Defense-in-Depth".  This fix does not apply to an actively exploitable vulnerability in Pale Moon.  Rather, it is a preventative measure against future vulnerabilities that the same code could cause when surrounding code changes.

Security fixes:
  • Added protection against potential bugs where our SVG mPositions is out of sync with the characters in the DOM. DiD
  • Fixed use-after-free vulnerability in XMLHttpRequest::Open() (CVE-2015-4492)
  • Fixed use-after-free vulnerability in the StyleAnimationValue class (CVE-2015-4488)
  • Fixed crash or memory corruption in nsTArray (CVE-2015-4489)
  • Fixed crash or memory corruption in nsTSubstring::ReplacePrep (CVE-2015-4487)
  • Fixed potential escalation of privileges or crash (out-of-bounds write) via a crafted name in MARs (x64 only) (CVE-2015-4482)
  • Fixed an issue that would allow man-in-the-middle attackers to bypass a mixed-content protection mechanism via a feed: URL in a POST request. (CVE-2015-4483)


Fixes/changes:

A complete list of the fixes, changes and additions is available in the Release Notes.

    Minimum system Requirements (Windows):
    • Windows Vista/Windows 7/Windows 8/Server 2008 or later
    • A processor with SSE2 support
    • 256 MB of free RAM (512 MB or more recommended)
    • At least 150 MB of free (uncompressed) disk space
    Pale Moon includes both 32- and 64-bit versions for Windows:
    Other versions:

      Update

      To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.












      Friday, August 21, 2015

      OEM Supported Systems for Windows 10 Upgrade


      It has been over three weeks since Windows 10 was officially released.  However, there are still inquiries in forums with people asking why they haven't received the upgrade to Windows 10 and are still getting the "Thank you" message:

      Windows 10 Thank you for reserving your free upgrade

      Granted, with an anticipated billion computers to be upgraded, many are still in the queue.  There is also another side of the coin.  Although Microsoft indicated that all qualified Windows 7 and Windows 8.1 computers could upgrade to Windows 10, it seems that for many devices the "qualification" is dependent upon the OEM.  For example, as stated by a Dell representative here,
      "As per the update from Microsoft, all Windows 7 and Windows 8.1 systems should be eligible for the Windows 10 free upgrade. But, Dell will decide which systems Dell will validate and support with Windows 10."
      Other OEMs may be following a similar procedure.  If you are still waiting to get the upgrade, it may be beneficial to check the OEM website.

      The links below may be helpful in determining whether your device has been approved by the OEM as supported for Windows 10 upgrade.

      You may also want to check the OEM website for any driver updates for your device.
           
      h/t:  Thanks, Techie, for helping to track down the references!



      Tuesday, August 18, 2015

      Critical Security Update for IE, August 18, 2015


      Microsoft released an out-of-band critical security update for all supported versions of Internet Explorer.  The update addresses a vulnerability in Internet Explorer that could allow remote code execution if a user views a specially crafted webpage by using Internet Explorer.

      In addition, the correct version of the Flash Player update for Windows 8.1 and Windows Server 2012 R2 was also released to replace the "debug version" that was included with the security updates on August 11.




        Tuesday, August 11, 2015

        Microsoft Security Bulletin Release for August, 2015


        Microsoft released fourteen (14) bulletins.  Four (4) bulletins are identified as Critical and the remaining ten (10) are rated Important in severity.

        The updates address vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Microsoft Lync, Microsoft Silverlight, Microsoft Server Software, Microsoft Edge and Internet Explorer.  Details about the CVEs can be found in the below-referenced TechNet Security Bulletin.

        Critical:
        • MS15-079 -- Cumulative Security Update for Internet Explorer (3082442)
        • MS15-080 -- Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3078662)
        • MS15-081  -- Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3080790)
        • MS15-091  -- Cumulative Security Update for Microsoft Edge (3084525)
        Important:
        • MS15-082 -- Vulnerabilities in RDP Could Allow Remote Code Execution (3080348)
        • MS15-083 --  Vulnerability in Server Message Block Could Allow Remote Code Execution (3073921)
        • MS15-084 -- Vulnerabilities in XML Core Services Could Allow Information Disclosure (3080129)
        • MS15-085 -- Vulnerability in Mount Manager Could Allow Elevation of Privilege (3082487)
        • MS15-086 -- Vulnerability in System Center Operations Manager Could Allow Elevation of Privilege (3075158)
        • MS15-087  -- Vulnerability in UDDI Services Could Allow Elevation of Privilege (3082459)
        • MS15-088  -- Unsafe Command Line Parameter Passing Could Allow Information Disclosure (3082458)
        • MS15-089 -- Vulnerability in WebDAV Could Allow Information Disclosure (3076949)
        • MS15-090 -- Vulnerabilities in Microsoft Windows Could Allow Elevation of Privilege (3060716)
        • MS15-092 -- Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (3086251)

        Additional Update Notes

        • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. The updated version includes Win32/Vawtrak, Win32/Critroni and Win32/Kasidet.  Details are available in the MMPC Blog Post.
        • Internet Explorer -- For additional information about the blocking of out-of-date ActiveX controls see the TechNet article, Out-of-date ActiveX control blocking.  Additional changes introduced this month include the blocking of outdated Silverlight.  Additional information is available in the IE Blog.
        • Windows 8.x and Windows 10 -- Non-security new features and improvements for Windows 8.1 and Windows 10 are included with the updates.




          Mozilla Firefox Version 40 Released With Critical Security Updates


          Mozilla sent Firefox Version 40.0 to the release channel.  The update includes four (4) critical, seven (7) high and two (2) moderate security updates.

          Firefox ESR version has been updated to 38.2.0.

          Fixed in Firefox 40

          • MFSA 2015-92 -- Use-after-free in XMLHttpRequest with shared workers
          • MFSA 2015-91 -- Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification
          • MFSA 2015-90 -- Vulnerabilities found through code inspection
          • MFSA 2015-89 -- Buffer overflows on Libvpx when decoding WebM video
          • MFSA 2015-88 -- Heap overflow in gdk-pixbuf when scaling bitmap images
          • MFSA 2015-87 -- Crash when using shared memory in JavaScript
          • MFSA 2015-85 -- Out-of-bounds write with Updater and malicious MAR file
          • MFSA 2015-84 -- Arbitrary file overwriting through Mozilla Maintenance Service with hard links
          • MFSA 2015-83 -- Overflow issues in libstagefright
          • MFSA 2015-82 -- Redefinition of non-configurable JavaScript object properties
          • MFSA 2015-81 -- Use-after-free in MediaStream playback
          • MFSA 2015-80 -- Out-of-bounds read with malformed MP3 file
          • MFSA 2015-79 -- Miscellaneous memory safety hazards (rv:40.0 / rv:38.2)

          What’s New

          • Support for Windows 10--Added protection against unwanted software downloads
          • Suggested Tiles show sites of interest, based on categories from your recent browsing history
          • Hello allows adding a link to conversations to provide context on what the conversation will be about
          • New style for add-on manager based on the in-content preferences style
          • Improved scrolling, graphics, and video playback performance with off main thread compositing (GNU/Linux only)
          • Graphic blocklist mechanism improved: Firefox version ranges can be specified, limiting the number of devices blocked
          • Changed -- Add-on extensions that are not signed by Mozilla will display a warning
          • Changed -- Smoother animation and scrolling with hardware vsync (Windows only)
          • Changed -- JPEG images use less memory when scaled and can be painted faster
          • Changed -- Sub-resources can no longer request HTTP authentication, thus protecting users from inadvertently disclosing login data
          • Changed -- NPAPI Plug-in performance improved via asynchronous initialization
          • HTML5 -- IndexedDB transactions are now non-durable by default
          • HTML5 -- Implemented AudioBufferSourceNode.detune to modulate playback rate in cents, a logarithmic unit of measure used for musical intervals
          • Developer -- Improved Performance tools in the developer tools: Waterfall view, Call Tree view and a Flame Chart view
          • Developer -- Console API messages from SharedWorker and ServiceWorker are now displayed in web console
          • Developer -- Inspector now searches across all content frames in a page
          • Developer -- New rules view tooltip in the Inspector to tweak CSS Filter values
          • Developer -- New page ruler highlighting tool that displays lightweight horizontal and vertical rules on a page
          • Fixed -- Kannada text does not display properly in built-in pdf viewer






          Known Issues

          • If Firefox is restarted from an add-on install notification, on-going private browsing downloads might be canceled without warning (1185294)

          Update

          To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.








          Adobe Flash Player Updated with Critical Security Updates


          Adobe has released Version 18.0.0.232 of Adobe Flash Player for Windows, Macintosh and Linux.  The Extended Release Version was incremented to Version 18.0.0.232 with this update.

          These updates address critical vulnerabilities that are actively being exploited. It is strongly advised that the updates be applied as soon as possible. Details of the vulnerabilities are included in the below-referenced Security Bulletin.

          Release date: August 11, 2015
          Vulnerability identifier: APSB15-19
          CVE number: CVE-2015-3107, CVE-2015-5124, CVE-2015-5125, CVE-2015-5127, CVE-2015-5128, CVE-2015-5129, CVE-2015-5130, CVE-2015-5131, CVE-2015-5132, CVE-2015-5133, CVE-2015-5134, CVE-2015-5539, CVE-2015-5540, CVE-2015-5541, CVE-2015-5544, CVE-2015-5545, CVE-2015-5546, CVE-2015-5547, CVE-2015-5548, CVE-2015-5549, CVE-2015-5550, CVE-2015-5551, CVE-2015-5552, CVE-2015-5553, CVE-2015-5554, CVE-2015-5555, CVE-2015-5556, CVE-2015-5557, CVE-2015-5558, CVE-2015-5559, CVE-2015-5560, CVE-2015-5561, CVE-2015-5562, CVE-2015-5563
          Platform: All Platforms
          • Users of the Adobe Flash Player desktop runtime for Windows and Macintosh should update to Adobe Flash Player 18.0.0.232. 
          • Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 18.0.0.232.
          • Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.508.
          • Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, will automatically update to the current version.

          Flash Player Update Instructions

          It is recommended that you either use the auto-update mechanism within the product when prompted or the direct download links.  The problem with the auto-update mechanism is that it can take a few days to finally provide the update and up to a week if using the "Notify me to install updates" setting.

          Flash Player Auto-Update

          The update settings for Flash Player versions 10.3 and above can be found in the Advanced tab of the Flash Player Settings Manager.  The locations are as follows:
          • Windows: click Start > Settings > Control Panel > Flash Player
          • Macintosh: System Preferences (under Other) click Flash Player
          • Linux Gnome: System > Preferences > Adobe Flash Player
          • Linux KDE: System Settings > Adobe Flash Player
          Also note that the Flash Player Settings Manager is where to manage local settings.

          Flash Player Direct Download Links

          Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras.

            Notes:
            • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
            • Uncheck any toolbar offered with Adobe products if not wanted.
            • If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
            • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.

            Verify Installation

            To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

            Do this for each browser installed on your computer.

            To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.



            Friday, August 07, 2015

            Firefox Updated to Version 39.0.3 Due to Critical Vulnerability


            Mozilla sent Version 39.0.3 to the release channel due to a critical vulnerability in Firefox's PDF Viewer that could be exploited to search for sensitive files on users' local file systems.  Additional information about the vulnerability is available in the Mozilla Security Blog.

            The update includes one (1) critical security update. Firefox ESR version has been updated to 38.1.1. 


            Fixed in Firefox 39.0.3

            • 2015-78 Same origin violation and local file stealing via PDF reader


            Known Issues

            No known issues are reported.

            Update

            To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.
