Thursday, December 28, 2017

Mozilla Firefox Version 57.0.3 Released


Mozilla sent yet another update for Firefox Version 57 to the release channel, Version 57.0.3.  Firefox ESR was updated to version 52.5.3.

Fixed

  • Fix a crash reporting issue that inadvertently sends background tab crash reports to Mozilla without user opt-in (bug 1427111)

No mention in the release notes of Catalin Cimpanu's Tweet that "lol, Firefox had a tag... they removed it now" (https://twitter.com/campuscodi/status/945859281504501761).

      Update:

      To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

      Remember - "A day without laughter is a day wasted."
      May the wind sing to you and the sun rise in your heart...

      Sunday, December 24, 2017

      Merry Christmas, Khristos Razhdayetsya

      The "Carol of the Bells" (Shchedryk) is one of my favorite Christmas songs.  Many people are unaware of its true origin.  From The Unknown Ukrainian Carol that everyone knows:
      "There’s a Ukrainian folksong that you know. Except that you don’t know that it’s Ukrainian, and a folksong. The enchanting music that from the pen of Peter J. Wilhousky became known to the world as “Carol of the Bells” was composed by Ukrainian composer Mykola Leontovych in 1904 based on a Ukrainian folk song. Peter J. Wilhousky made his arrangement following a performance of the original song by Alexander Koshetz’s Ukrainian National Chorus at Carnegie Hall on October 5, 1921."  
      A number of years ago I created the video below with the Windows Movie Maker, a part of the Windows Essentials 2012 suite which, sadly for many, reached end of support on January 10, 2017.  The video includes examples of some of the traditional foods that are part of the Ukrainian Christmas Eve celebration. 




      Merry Christmas to all my family, friends and Security Garden readers.

      Sending warmest wishes to you and your family. 
      May you enjoy the spirit of Christmas every day of the coming year.


      Tuesday, December 12, 2017

      Microsoft Security Updates for December, 2017



      The December security release consists of 32 security updates, of which 20 are listed as Critical and 12 are rated Important. The release consists of security updates for the following software:
      • Internet Explorer
      • Microsoft Edge
      • Microsoft Windows
      • Microsoft Office and Microsoft Services and Web Apps
      • Microsoft Exchange Server
      • ChakraCore
      • Microsoft Malware Protection Engine 
      The updates address Remote Code Execution, Information Disclosure, "Defense in Depth" (Note:  "Defense-in-Depth" is a fix that does not apply to an actively exploitable vulnerability but prevents future vulnerabilities caused by the same code when surrounding code changes expose the problem.), Security Feature Bypass, Spoofing and Denial of Service.

      For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

      Also see this month's Zero Day Initiative — The December 2017 Security Update Review by Dustin Childs in which he discusses several of the patches.

      Additional Update Notes

      • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
      • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.  Note:  Users who are paranoid about the remote possibility of a FP can opt to run this tool from a Command Prompt, appending a   /N   parameter [for "detect only" mode].
      • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.






      Adobe Flash Player and AIR Security Update


      Adobe has released Version 28.0.0.126 of Adobe Flash Player and Version 28.0.0.127 of Adobe AIR.  The update addresses CVE-2017-11305, a regression that could lead to the unintended reset of the global settings preference file.

      Release date:  December 12, 2017
      Vulnerability identifier: APSB17-42
      Platform:  Windows, Macintosh, Linux and Chrome OS

      Update:

      *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

        Verify Installation

        To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

        Do this for each browser installed on your computer.

        To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.










        Thursday, December 07, 2017

        Mozilla Firefox Version 57.0.2 Released


        Mozilla sent yet another update for Firefox Version 57 to the release channel, Version 57.0.2.

        Fixed

        • Block old versions of G Data Endpoint Security for crashing Firefox on start up - Windows only (bug 1421991)
        • Fix a regression with WebGL and D3D9 - Windows only

          Update:

          To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


          Thursday, November 30, 2017

          Mozilla Firefox Version 57.0.1 Released


          Mozilla sent Firefox Version 57.0.1 to the release channel.

          Update:  The version update also included one Critical and two High security updates.


          Security vulnerabilities fixed in Firefox 57.0.1
          Critical:
           High:

          Fixed

          • Fix a video color distortion issue on YouTube and other video sites with some AMD devices (bug 1417442)
          • Fix an issue with prefs.js when the profile path has non-ascii characters (bug 1420427)
          • Various security fixes
          • Google map crashes on OSX with Intel HD Graphics 3000

          Changed

          • Block injection of a client library associated with the RealPlayer Free player which is known to cause performance problems in Firefox. (Bug 1418535)
            Update:

            To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


            Tuesday, November 28, 2017

            Pale Moon Version 27.6.2 Released


            Pale Moon has been updated to Version 27.6.2. This is a security and minor bugfix update. Details from the Release Notes:

            Changes/fixes:
            • Implemented the concept of so-called "cookie-averse document objects" which is a security&privacy measure that blocks certain web content from setting cookies. This mitigates cookie-injection, which might help against "hidden" cookie tracking.
            • Mitigated some domain name spoofing through IDN by using dotless-i and dotless-j with accents. (CVE-2017-7832)
              Pale Moon will display these kinds of spoofed domains in punycode now in the actual address bar. (See Identity Panel below)*
              Please note that the identity panel will always be able to help you on secure sites when IDNs are in use to notice potential spoofing, as opposed to relying on detection algorithms in the URL itself. As such, some other issues like CVE-2017-7833 are already mitigated by us.
            • Fixed an issue with mixed-content blocking. (CVE-2017-7835)
            • Added an extra check for the correct signature data type on certificates.
            • Added missing sanitization in exporting bookmarks to HTML. (CVE-2017-7840)
            • Fixed several crashes and memory safety hazards.
            *Identity Panel

            If you are visiting a phishing site using an IDN (International-character Domain Names) to try and spoof the original domain, this identity panel, since 27.3.0, will clearly display the "raw" code of the IDN (also called "punycode", a domain starting with "xn--") instead of what the site is trying to spoof:
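
A simplified model of the two display rules described above, as an added example (not Pale Moon's own code): the address bar switches a label to punycode when a dotless i/j is followed by a combining accent, while the identity panel shows the raw "xn--" form for every IDN label. The function names and hostnames are hypothetical, constructed samples.

```python
import unicodedata

# Dotless letters named in the release note:
# U+0131 (dotless i) and U+0237 (dotless j).
DOTLESS = {"\u0131", "\u0237"}


def to_ace(label: str) -> str:
    """Return the ASCII-compatible ("xn--") form of a single label."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def has_dotless_accent(label: str) -> bool:
    """True if a dotless i/j is immediately followed by a combining mark.

    With most fonts that pair renders like the ordinary accented letter,
    which is what makes it usable for spoofing.
    """
    return any(
        base in DOTLESS and unicodedata.combining(mark) != 0
        for base, mark in zip(label, label[1:])
    )


def _labels(host: str) -> list:
    # NFC first, so an ordinary decomposed "i" + accent becomes the
    # precomposed letter; dotless i/j + accent has no precomposed form
    # and therefore stays as two code points.
    # Assumption: a real IDNA pipeline also does case mapping and
    # validation, which this sketch leaves out.
    return unicodedata.normalize("NFC", host).split(".")


def address_bar_host(host: str) -> str:
    """Address bar rule: punycode only for labels that look spoofed."""
    return ".".join(
        to_ace(label) if has_dotless_accent(label) else label
        for label in _labels(host)
    )


def identity_panel_host(host: str) -> str:
    """Identity panel rule: always show the raw punycode of an IDN."""
    return ".".join(to_ace(label) for label in _labels(host))


if __name__ == "__main__":
    # Constructed sample hostnames, not taken from any real site.
    samples = [
        "example.com",               # plain ASCII
        "b\u00fccher.example",       # legitimate IDN (u with diaeresis)
        "w\u0131\u0301ki.example",   # dotless i + combining acute
    ]
    for host in samples:
        print(repr(host))
        print("  address bar   :", address_bar_host(host))
        print("  identity panel:", identity_panel_host(host))
```
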



             Minimum system Requirements (Windows):
            • Windows Vista/Windows 7/8/10/Server 2008 or later
            • Windows Platform Update (Vista/7) strongly recommended
            • A processor with SSE2 instruction support
            • 256 MB of free RAM (512 MB or more recommended)
            • At least 150 MB of free (uncompressed) disk space
            Pale Moon includes both 32- and 64-bit versions for Windows:

            Update

            To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.






            Tuesday, November 14, 2017

            Microsoft Security Updates for November, 2017



            The November security release consists of 53 security updates, of which 20 are listed as Critical, 30 are rated Important and 3 are rated Moderate. The November security release consists of security updates for the following software:
            • Internet Explorer
            • Microsoft Edge
            • Microsoft Windows
            • Microsoft Office and Microsoft Office Services and Web Apps
            • ASP.NET Core and .NET Core
            • Chakra Core
            The updates address Remote Code Execution, Information Disclosure, "Defense in Depth" (Note:  "Defense-in-Depth" is a fix that does not apply to an actively exploitable vulnerability but prevents future vulnerabilities caused by the same code when surrounding code changes expose the problem.), Denial of Service, Security Feature Bypass, Spoofing and Elevation of Privilege.

            For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

            Also see this month's Zero Day Initiative — The November 2017 Security Update Review by Dustin Childs in which he discusses ADV170020 - Microsoft Office Defense in Depth Update, CVE-2017-11830 - Device Guard Security Feature Bypass Vulnerability and CVE-2017-11877 - Microsoft Excel Security Feature Bypass Vulnerability.

            Known Issues

              Additional Update Notes

              • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
              • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 
                Note:  Users who are paranoid about the remote possibility of a FP can opt to run this tool from a Command Prompt, appending a   /N   parameter [for "detect only" mode].
              • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.






                Adobe Shockwave Player Critical Update

                Adobe has released a security update for Adobe Shockwave Player for Windows. This update resolves a critical memory corruption vulnerability that could lead to code execution.

                Although I have yet to need Shockwave Player on this computer, there are still many people who use it.  If you have Shockwave Player installed, please update to the latest version.

                Release date: November 14, 2017
                Vulnerability identifier: APSB17-40
                CVE number: CVE-2017-11294
                Platform: Windows

                The newest version 12.3.1.201 is available here: http://get.adobe.com/shockwave/.  As usual, watch for any pre-checked add-ons not needed for the update.


                Adobe Reader DC and Adobe Acrobat DC Security Updates Released


                Adobe has released security updates for Adobe Reader DC and Adobe Acrobat DC for Windows and Macintosh.  In addition, although Adobe Reader XI reached end-of-life last month, an update has also been released.  These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.  

                Release date:  November 9, 2017
                Vulnerability identifier: APSB17-36
                Platform: Windows and Macintosh

                Update or Complete Download

                Update checks can be manually activated by choosing Help > Check for Updates.  Although Reader DC and Acrobat DC are both updated to the 2018.009.20044 version, the unexpected update for Adobe Reader remains in the incremental version 11.
                Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.









                Adobe Flash Player Critical Security Update


                Adobe has released Version 27.0.0.187 of Adobe Flash Player.  The update addresses critical vulnerabilities that could lead to code execution for Microsoft Windows, Macintosh, Chrome and Linux.  The update also includes bug fixes.

                Release date:  November 14, 2017
                Vulnerability identifier: APSB17-33
                Platform: Windows and Macintosh

                Update:

                *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

                  Verify Installation

                  To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

                  Do this for each browser installed on your computer.

                  To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.










                  Mozilla Firefox Version 57.0 Released with Security Updates


                  Mozilla sent Firefox Version 57.0 to the release channel today.  The update includes four (4) security updates, 1 Critical, 1 High, 1 Moderate and 1 Low.

                  Update:  Firefox ESR version 52.5 has been released.

                  With this release, "legacy" add-ons (XUL-based) will no longer function.  This update changes the add-ons system to the WebExtensions API. The Mozilla Add-ons portal will list only WebExtensions-compatible add-ons by default.  Legacy extensions are listed separately under Tools > Add-ons.  From there, click "Find a Replacement" and check the three pages of available extensions.

                  In addition, this update introduces the new Quantum engine (Firefox Quantum), which is replacing parts of the familiar old Gecko engine.

                  Security Updates
                  • Critical Vulnerability: Can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.
                  • High Vulnerability:  Can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.
                  • Moderate:  Vulnerabilities that would otherwise be High or Critical except they only work in uncommon non-default configurations or require the user to perform complicated and/or unlikely steps.
                  • Low:  Minor security vulnerabilities such as Denial of Service attacks, minor data leaks, or spoofs. (Undetectable spoofs of SSL indicia would have "High" impact because those are generally used to steal sensitive data intended for other sites.)

                  New

                  • A completely new browsing engine, designed to take full advantage of the processing power in modern devices
                  • A redesigned interface with a clean, modern appearance, consistent visual elements, and optimizations for touch screens
                  • A unified address and search bar. New installs will see this unified bar. Learn how to add the stand-alone search bar to the toolbar
                  • A revamped new tab page that includes top visited sites, recently visited pages, and recommendations from Pocket (in the US, Canada, and Germany)
                  • An updated product tour to orient new and returning Firefox users
                  • AMD VP9 hardware video decoder support for improved video playback with lower power consumption
                  • An expanded section in preferences to manage all website permissions

                  Changed

                  • Firefox now exclusively supports extensions built using the WebExtension API, and unsupported legacy extensions will no longer work. Learn more about our efforts to improve the performance and security of extensions
                  • The browser's autoscroll feature, as well as scrolling by keyboard input and touch-dragging of scrollbars, now use asynchronous scrolling. These scrolling methods are now similar to other input methods like mousewheel, and provide a smoother scrolling experience
                  • The content process now has a stricter security sandbox that blocks filesystem reading and writing on Linux, similar to the protections for Windows and macOS that shipped in Firefox 56
                  • Middle mouse paste in the content area no longer navigates to URLs by default on Unix systems
                  • Removed the toolbar Share button. If you relied on this feature, you can install the Share Backported extension instead.
                  • Some older versions of the ATOK IME, including ATOK 2006, 2008, 2009 and 2010, can cause crashes and are therefore disabled on the Windows 64-bit version of Firefox Quantum. To fix those incompatibility issues, please use a newer version of ATOK or one of other IMEs.
                  • The default font for Japanese text is now Meiryo

                    Update:

                    To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


                    Friday, November 10, 2017

                    Lest We Forget

                    Whether you call it Veteran's Day, Armistice Day or Remembrance Day, November 11th is a time to put aside politics and pay tribute to all who died for their country.  It is also a perfect time to thank the Veterans in whatever country you live in. 

                    As in previous years, I am republishing my friend Canuk's last tribute and, once again, adding a special thank you to my friends "Phantom Phixer" and "Ghost".

                    The comment Canuk posted provides one example of why he was a special person:
                    "I too "will remember your friends who never had a full life", while thanking you and your comrades who have served with pride, honesty and honour.

                    Despite anyone's thoughts of the current conflict in Iraq - opposition or agreement, we must always remember that these brave young men and women are fighting for a cause they also may or may not agree with. The huge difference between them and us is that they are putting their lives on the line 24/7 while we sit in our homes in comfort, using the freedom of speech previous warriors won for us, and for that they deserve our love, respect, and support."
                    LEST WE FORGET




                    We Shall Keep the Faith by Moina Michael, November 1918

                    Oh! you who sleep in Flanders Fields,
                    Sleep sweet - to rise anew!
                    We caught the torch you threw
                    And holding high, we keep the Faith
                    With All who died.

                    We cherish, too, the poppy red
                    That grows on fields where valor led;
                    It seems to signal to the skies
                    That blood of heroes never dies,
                    But lends a lustre to the red
                    Of the flower that blooms above the dead
                    In Flanders Fields.

                    And now the Torch and Poppy Red
                    We wear in honor of our dead.
                    Fear not that ye have died for naught;
                    We'll teach the lesson that ye wrought
                    In Flanders Fields.

                    Flags courtesy of 3DFlags.com












                    Tuesday, November 07, 2017

                    Pale Moon Version 27.6.0 Released With Security Updates


                    Pale Moon has been updated to Version 27.6.0. This is a major development update. Details from the Release Notes:

                    Security/privacy fixes:
                    • Added an option to clear Site Connectivity Data (delete history).
                    • Removed stale entries from the HSTS preload list, and improved generation/processing of it.
                    • Removed undesired certificate issuer organization to common name fallback (if issuer org is empty).
                    • Added pretty-printing for ECDSA-SHA224, 256, 384 and 512 hashed certificate signatures.
                    • Worked around some more issues with broken Apple fonts.
                    Changes/fixes:

                    • Dropped support for Direct2D 1.0 to avoid font rendering issues. Windows installations not capable of using Direct2D 1.1 will now fall back to software rendering. As a result, fonts may look different from this version onwards if you are on Windows Vista or Windows 7. Users on Windows 7 affected by this should install the Platform Update to re-enable Direct2D.
                    • Updated the Brotli decoder library, and enabled support for Brotli HTTP content-encoding by default.
                    • Added notifications to inform users about WebExtensions not being supported if they try to install them (as opposed to "extension is corrupt")
                    • Added a number of DOM childNode convenience functions. This should fix some lazy-loading frameworks.
                      (enjoy your LOLcats again!)
                    • Changed automatic updates over to the new infrastructure.
                    • Added extra proxy settings in Options, covering DNS lookups through SOCKS v5 and automatic proxy authentication with known credentials.
                    • Added a selectable fallback character encoding of UTF-8 and fallback to UTF-8 as a last effort. (Issue #1423)
                    • Improved timing of canplay and canplaythrough firing to work around a potential race condition locking up queued video playback.
                    • Improved upmixing of mono sound for multi-channel setups.
                    • Fixed a parallelization issue with the KISS-FFT library causing CPU-deadlocked threads (Issue #1425)
                    • Fixed "Remove from history" function from the downloads panel.
                    • Forced focus on the address bar in new windows if the content is a blank/empty document.
                    • Fixed the dropmarker in the address bar to allow the suggestions to be closed with a click.
                    • Further cleaned up the status bar code.
                    • Disabled window.showModalDialog; it's been removed from the spec 2 years ago and has potential abuse issues (modal dialogs block the UI)
                    • Fixed image decoder calls to make sure the image load event doesn't fire prematurely.
                    • Updated LibPNG to 1.6.28, and enabled faster SSE2 decoding.
                    • Updated WOFF2 code from upstream.
                    • Updated the zlib compression library.
                    • Made general improvements to internal code structure and spec adherence.
                    • Fixed an issue with certain command-line parameters being used.
                    • Updated the default theme to improve consistency and contrast of toolbar and download buttons.
                    • Increased the default duration of notification pop-ups and made them configurable.
                    • Improved handling of audio-visual media (ongoing).
                    • Fixed an issue in CSS where elements would sometimes reflow to the next line even with sufficient visual space.
                    • Aligned the implementation of for(let x=y;;) loops with the final ES6 specification.
                    • Fixed the selection system inside of a nested contenteditable element being broken.
                    • Fixed Windows 10 detection for blocklisting graphics drivers.
                    • Enabled pasting of clipboard data in documents without an editor element to improve web compatibility.
                    • Fixed the uninstallation routine of restartless add-ons.
                    • Fixed the handling of unimplemented functions in the console API.
                    • Updated the Facebook user-agent to enable otherwise vendor-restricted functionality.
                    • Updated the SVG scaling cache limit to be more lenient for larger SVG images at a small performance trade-off, working around some sites' design issues.
                     Minimum system Requirements (Windows):
                    • Windows Vista/Windows 7/8/10/Server 2008 or later
                    • Windows Platform Update (Vista/7) strongly recommended
                    • A processor with SSE2 instruction support
                    • 256 MB of free RAM (512 MB or more recommended)
                    • At least 150 MB of free (uncompressed) disk space
                    Pale Moon includes both 32- and 64-bit versions for Windows:

                    Update

                    To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.






                    Thursday, October 26, 2017

                    Mozilla Firefox Version 56.0.2 Released


                    Mozilla sent Firefox Version 56.0.2 to the release channel today.  The update includes several bug fixes.  There is no mention of the previously listed unresolved issues.

                    Firefox ESR remains at version 52.4.0.

                    Fixed

                        Previous Listed Unresolved Issues

                        • Due to a bug in Mac OS X High Sierra, fullscreen mode has some issues
                        • Startup crash with RelevantKnowledge adware installed. Firefox Support has helpful instructions to remove it.
                        • Startup crashes with 64-bit Firefox on Windows 7, for users of Lenovo's "OneKey Theater" software for IdeaPad laptops. To fix this crash, please re-install 32-bit Firefox.
                        • Users running Firefox for Windows over a Remote Desktop Connection (RDP) may find that audio playback is disabled due to increased security restrictions. Learn how to mitigate this issue until it is corrected in an upcoming release

                        Update:

                        To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


                        Wednesday, October 25, 2017

                        Another Adobe Flash Player Update


                        Adobe has released Version 27.0.0.183 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

                        The update does not include any security fixes.  Rather, it provides an important functional fix impacting Flex content.  If impacted, it is recommended that the update be installed.  For those who have the option to 'Allow Adobe to install updates', the update will be automatic.

                        Update:

                        *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

                          Verify Installation

                          To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

                          Do this for each browser installed on your computer.

                          To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

                          Saturday, October 21, 2017

                          Adobe Reader XI and Acrobat XI -- End-of-Life

                          Adobe provides product support from the general availability date of Adobe Acrobat and Adobe Reader for five years.  The five-year date was October 15, 2017, meaning Adobe Reader XI and Acrobat XI have reached end-of-life.  As a result, Adobe will no longer be providing technical support for those products.  This also includes both product and, more importantly, security updates.

                          If either or both of these programs are installed on your computer it is strongly advised that you uninstall them as soon as possible.  If you wish to stay with Adobe products, the Adobe Acrobat Reader DC can be downloaded from here.
                          Note: UNcheck any pre-checked additional options presented with the download. They are not part of the software and are completely optional.
                          If you use Windows 10, Microsoft Edge works great to read PDF documents.  In addition, new features are included in the Windows 10 Fall Creators Update.   See How Microsoft Edge will beat Chrome as the best PDF reader with the Fall Creators Update for additional information.

                          Another alternative is Sumatra PDF:
                          "Sumatra PDF is a free PDF, eBook (ePub, Mobi), XPS, DjVu, CHM, Comic Book (CBZ and CBR) reader for Windows.
                          Sumatra PDF is powerful, small, portable and starts up very fast.
                          Simplicity of the user interface has a high priority."

                          h/t ky331

                          References

                          Adobe Acrobat XI and Adobe Reader XI End of Support
                          Adobe Support Lifecycle Policy


                          Wednesday, October 18, 2017

                          Oracle Java Critical Security Updates Released

                          Oracle released the scheduled critical security updates for its Java SE Runtime Environment software.  The update contains 22 new security fixes for Oracle Java SE.  Twenty-two (22) of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  

                          Update

                          If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

                          Download Information

                          Java SE 8u151/ 8u152
                          Java™ SE Development Kit 8, Update 151 Release Notes
                          Java™ SE Development Kit 8, Update 152 Release Notes
                          Java SE Runtime Environment 8 - Downloads

                          Java SE 9.0.1  (x64-bit only)
                          Java™ SE Development Kit 9.0.1 Release Notes
                          Java SE Runtime Environment 9 - Downloads
                          Notes:
                          • UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.  Preferably, see the instructions below on how to handle "Unwanted Extras".  
                          • Oracle does not plan to migrate desktops from Java 8 to Java 9 through the auto update feature.  Therefore, it is strongly recommended that you uninstall JRE 8 prior to updating.
                          • Verify your version at http://www.java.com/en/download/testjava.jsp.   Note:  The Java version verification page will only work if your browser has NPAPI support.  If it does not, to check the version, open a cmd window and enter the following (note the space following java):  java -version
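A scripted form of the `java -version` check from the note above, as an added example (not from Oracle or the original post): it parses both the 1.8.0_151-style and the 9.0.1-style version strings and compares them with the 8u151 and 9.0.1 releases named here. The function names and the sample banners are constructed for illustration.

```python
import re
import subprocess

# Patched baselines named in the post (8u151 and 9.0.1), as (major, minor, update).
BASELINES = {8: (8, 0, 151), 9: (9, 0, 1)}

def parse_java_version(output):
    """Extract (major, minor, update) from `java -version` text, or None."""
    quoted = re.search(r'version "([^"]+)"', output)
    if not quoted:
        return None
    raw = quoted.group(1)
    # Java 8 and earlier: 1.<major>.<minor>_<update>, e.g. 1.8.0_151
    legacy = re.match(r'1\.(\d+)\.(\d+)(?:_(\d+))?', raw)
    if legacy:
        major, minor, update = legacy.groups()
        return (int(major), int(minor), int(update or 0))
    # Java 9 and later: <major>[.<minor>[.<security>]], e.g. 9.0.1 or plain 9
    modern = re.match(r'(\d+)(?:\.(\d+))?(?:\.(\d+))?', raw)
    if not modern:
        return None
    return tuple(int(part or 0) for part in modern.groups())

def patch_status(output):
    """Return 'current', 'outdated' or 'unknown' for one `java -version` output."""
    version = parse_java_version(output)
    if version is None:
        return "unknown"
    baseline = BASELINES.get(version[0])
    if baseline is None:
        # Families older than those in the post count as outdated; newer ones postdate it.
        return "outdated" if version[0] < min(BASELINES) else "unknown"
    return "current" if version >= baseline else "outdated"

def installed_java_output():
    """Run `java -version`; the banner is written to stderr, not stdout."""
    try:
        done = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None  # no java on PATH
    return done.stderr or done.stdout

if __name__ == "__main__":
    # Constructed sample banners (not captured from a real machine).
    for banner in ('java version "1.8.0_144"', 'java version "1.8.0_151"', 'java version "9"'):
        print(banner, "->", patch_status(banner))
    live = installed_java_output()
    print("this machine:", patch_status(live) if live else "java not found")
```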

                          Critical Patch Updates

                          For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
                          • 16 January 2018
                          • 17 April 2018
                          • 17 July 2018
                          • 16 October 2018

                          Unwanted "Extras"

                          Although most people do not need Java on their computer, there are some programs and games that require Java.  In the event you need to continue using Java, How-to Geek discovered a little-known and unpublicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates.  Although the Ask Toolbar has been removed, that does not preclude the pre-checked option for some other unnecessary add-on.

                          Do the following to suppress the sponsor offers:
                          1. Launch the Windows Start menu
                          2. Click on Programs
                          3. Find the Java program listing
                          4. Click Configure Java to launch the Java Control Panel
                          5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
                          6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.

                          Java Security Recommendations

                          1)  In the Java Control Panel, at minimum, set the security to high.
                          2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

                          3)  Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml

                          Monday, October 16, 2017

                          Adobe Flash Player Out-of-Band Critical Security Update

                          Adobe has released Version 27.0.0.170 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

                          The critical update addresses a report that an exploit for CVE-2017-11292 exists in the wild, and is being used in limited, targeted attacks against users running Windows.

                          Release date:  October 16, 2017
                          Vulnerability identifier: APSB17-32
                          CVE Numbers:   CVE-2017-11292
                          Platform: Windows, Macintosh, Linux and Chrome OS

                          Update:

                          *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

                            Verify Installation

                            To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

                            Do this for each browser installed on your computer.

                            To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

                            Tuesday, October 10, 2017

                            Microsoft Security Updates for October, 2017



                            The October security release consists of 62 security updates for the following software, of which 27 are listed as Critical and 35 are rated Important. In particular, note that one CVE in Microsoft Office is listed as under active attack, and two other CVEs are listed as publicly known prior to release.
                            • Internet Explorer
                            • Microsoft Edge
                            • Microsoft Windows
                            • Microsoft Office and Microsoft Office Services and Web Apps
                            • Skype for Business and Lync
                            • Chakra Core

                              Known Issues
                              The updates address Remote Code Execution, Information Disclosure, "Defense in Depth", Security Feature Bypass and Elevation of Privilege. Note:  "Defense-in-Depth" is a fix that does not apply to an actively exploitable vulnerability but prevents future vulnerabilities caused by the same code when surrounding code changes expose the problem.  In addition, Windows 10 1511 support ends today.

                              For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

                              CVEs addressed by Microsoft this month that deserve extra attention are discussed in Zero Day Initiative — The October 2017 Security Update Review by Dustin Childs.

                                Additional Update Notes

                                • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
                                • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 
                                  Note:  Users who are paranoid about the remote possibility of a false positive (FP) can opt to run this tool from a Command Prompt, appending a   /N   parameter [for "detect only" mode].
                                • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.
