Tuesday, August 22, 2017

Pale Moon Version 27.4.2 Released with Security Updates


Pale Moon
Pale Moon version 27.4.2 has been released to address some security and stability issues.  Details from the Release Notes:

Security fixes:
  • Updated NSPR to 4.15.
  • Updated NSS to 3.31.1.
  • Fixed a DoS issue using overly long Username in URL scheme (CVE-2017-7783)
  • Fixed an issue where (cross domain) iframes could break scope (CVE-2017-7787)
  • Fixed an issue in WindowsDllDetourPatcher (CVE-2017-7804)
  • Fixed an issue with elliptic curve addition in mixed Jacobian-affine coordinates (CVE-2017-7781)
  • Fixed a UAF in nsImageLoadingContent (CVE-2017-7784)
  • Fixed a UAF in WebSockets (CVE-2017-7800)
  • Fixed a heap-UAF in RelocateARIAOwnedIfNeeded (CVE-2017-7809) DiD (accessibility is disabled)
*DiD stands for "Defense-in-Depth" and is a fix that does not apply to an actively exploitable vulnerability in Pale Moon but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.

Changes/fixes:
  • Fixed a number of crashes.
  • Enabled the opt-in debugging feature to log SSL keys to a file in all builds.
  • Added a fix for TLS 1.3 handshakes causing a browser hangup.
    Handshakes should be considerably faster now and no longer stall in the wrong circumstances.
Minimum system Requirements (Windows):
  • Windows Vista/Windows 7/8/10/Server 2008 or later
  • Windows Platform Update (Vista/7) strongly recommended
  • A processor with SSE2 instruction support
  • 256 MB of free RAM (512 MB or more recommended)
  • At least 150 MB of free (uncompressed) disk space
Pale Moon includes both 32- and 64-bit versions for Windows, Pale Moon Portable, Pale Moon for Linux and Pale Moon for Android.

    Update

    To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.


    References:


    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...


    Tuesday, August 08, 2017

    Microsoft Security Updates for August, 2017




    The August security release consists of security updates for the following software:
      • Internet Explorer
      • Microsoft Edge
      • Microsoft Windows
      • Microsoft SharePoint
      • Adobe Flash Player
      • Microsoft SQL Server

        The updates address Remote Code Execution, Denial of Service, Information Disclosure and Elevation of Privilege in 48 CVE's in which 25 are Critical, 21 Important, and 2 Moderate in severity.

        For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

        For a list of the CVEs addressed in the August update requiring special attention, see the The August 2017 Security Update Review by Dustin Childs.

          Additional Update Notes

          • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
          • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 
          • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.

          References


            Remember - "A day without laughter is a day wasted."
            May the wind sing to you and the sun rise in your heart...





            Adobe Flash Player Critical Security Updates

            Adobe Flashplayer

            Adobe has released Version 26.0.0.151 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

            These updates address vulnerabilities could lead to remote code execution, information disclosure and Memory address disclosure..

            Release date:  August 8, 2017
            Vulnerability identifier: APSB17-23
            CVE Numbers:   CVE-2017-3085, CVE-2017-3106
            Platform: Windows, Macintosh, Linux and Chrome OS

            Update:

            *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

              Verify Installation

              To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

              Do this for each browser installed on your computer.

              To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

              References



              Remember - "A day without laughter is a day wasted."
              May the wind sing to you and the sun rise in your heart...









              Adobe Reader and Acrobat Critical Security Updates

              Adobe

              Adobe has released security updates for Adobe Reader and Acrobat XI for Windows. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

              Release date: August 8, 2017
              Vulnerability identifier: APSB17-24
              Platform: Windows

              Update or Complete Download

              Update checks can be manually activated by choosing Help > Check for Updates.

              Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

              Enable "Protected View"

              Due to frequent vulnerabilities, it is recommended that Windows users of Adobe Reader and Acrobat ensure that Protected View is enabled.  Neither the Protected Mode or Protected View option is available for Macintosh users.

              To enable this setting, do the following:

              • Click Edit > Preferences > Security (Enhanced) menu. 
              • Change the "Off" setting to "All Files".
              • Ensure the "Enable Enhanced Security" box is checked. 

              Adobe Protected View
              Image via Sophos Naked Security Blog

              References



              Home
              Remember - "A day without laughter is a day wasted."
              May the wind sing to you and the sun rise in your heart...







              Mozilla Firefox Version 55 Released With Significant Changes and Security Updates


              FirefoxMozilla sent Firefox Version 55.0 to the release channel today.  Firefox ESR was updated to version 52.3.  There is no mention in the Release Notes of security updates.*  However, there are major changes that will affect users:
              1. Warningvia ghacks.net, "Firefox 55.0 breaks compatibility with older versions of the browser and Firefox ESR. Users who want to downgrade are advised to back up their profiles prior to installing the update." See "Changed" below.
              2. Important Note:  Although installations of 32x will upgrade with this version, the 64x version is now default on 64x systems with 2GB RAM.  Starting with version 56, Firefox will "silently and forcibly auto-upgrade" users running the 32-bit version of Firefox on 64-bit computers with more than 2GB of RAM to the 64-bit version. The next scheduled release is September 26, 2017 (5 week cycle with release for critical fixes as needed).  
              3. Adobe Flash Player is now click-to-activate. 
              4. Also, see the following regarding add-ons starting in Firefox 57:  Firefox add-on technology is modernizing 
              *UPDATE:  At the time of publishing the Release Notes, there was no indication of security fixes included.  In the interim, however, the Release Notes have been updated and Version 55 includes five (5) critical, ten (10 high, seven (7) moderate and six (6) low security updates.
              New
              • Launched Windows support for WebVR, bringing immersive experiences to the web. See examples and try working demos at Mozilla VR.
              • Added options that let users optimize recent performance improvements
                • Setting to enable Hardware VP9 acceleration on Windows 10 Anniversary Edition for better battery life and lower CPU usage while watching videos
                • Setting to modify the number of concurrent content processes for faster page loading and more responsive tab switching
              • Simplified installation process with a streamlined Windows stub installer
                • Firefox for Windows 64-bit is now installed by default on 64-bit systems with at least 2GB of RAM
                • Full installers with advanced installation options are still available
              • Improved address bar functionality
                • Search with any installed one-click search engine directly from the address bar
                • Search suggestions appear by default
                • When entering a hostname (like pinterest.com) in the URL bar, Firefox resolves to the secure version of the site (https://www.pinterest.com) instead of the insecure version (http://www.pinterest.com) when possible
              • Updated Sidebar for bookmarks, history, and synced tabs so it can appear at the right edge of the window as well as the left
              • Added support for stereo microphones with WebRTC
              • Simplified printing from Reader Mode
              • Updated Firefox for OSX and macOS to allow users to assign custom keyboard shortcuts to Firefox menu items via System Preferences
              • Browsing sessions with a high number of tabs are now restored in an instant
              • Make screenshots of webpages, and save them locally or upload them to the cloud. This feature will undergo A/B testing and will not be visible for some users.
              • Added Belarusian (be) locale

              Changed

              • Modernized application update UI to be less intrusive and more aligned with the rest of the browser. Only users who have not restarted their browser 8 days after downloading an update or users who opted out of automatic updates will see this change.
              • Firefox does not support downgrades, even though this may have worked in past versions. Users who install Firefox 55+ and later downgrade to an earlier version may experience issues with Firefox.
              • Made the Adobe Flash plugin click-to-activate by default and allowed only on http:// and https:// URL schemes. (This change will not be visible to all users immediately. For more information see the Firefox plugin roadmap)
              Update:

              To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

              References




              Remember - "A day without laughter is a day wasted."
              May the wind sing to you and the sun rise in your heart...

              Thursday, July 27, 2017

              Out-of-Band Java SE Update

              java

              Oracle released an out-of-band update for its Java SE Runtime Environment software.  The update contains bug fixes for Oracle Java SE.  

              Update

              If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

              Download Information

              Download link:  Java SE 8u144

              Verify your version:  http://www.java.com/en/download/testjava.jsp

              Notes:
              • Minimally, UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.  Preferably, see the instructions below on how to handle "Unwanted Extras". 
              • Starting with Java SE 7 Update 21 in April 2013, all Java Applets and Web Start Applications should be signed with a trusted certificate.  It is not recommended to run untrusted/unsigned Certificates.  See How to protect your computer against dangerous Java Applets

              Critical Patch Updates

              For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
              • 17 October 2017
              • 16 January 2018
              • 17 April 2018
              • 17 July 2018

              Unwanted "Extras"

              Although most people do not need Java on their computer, there are some programs and games that require Java.  In the event you need to continue using Java, How-to Geek discovered a little-known and  unpublicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates.  Although the Ask Toolbar has been removed, tha does not preclude the pre-checked option for some other unnecessary add-on.

              Do the following to suppress the sponsor offers:
              1. Launch the Windows Start menu
              2. Click on Programs
              3. Find the Java program listing
              4. Click Configure Java to launch the Java Control Panel
              5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
              6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.
              Java suppress sponsor offers

              Java Security Recommendations


              1)  In the Java Control Panel, at minimum, set the security to high.
              2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

              3)  Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml

              References




              Remember - "A day without laughter is a day wasted."
              May the wind sing to you and the sun rise in your heart...




              Tuesday, July 18, 2017

              Java SE Critical Security Update

              java

              Oracle released the scheduled critical security updates for its Java SE Runtime Environment software.  The update contains 32 new security fixes for Oracle Java SE.  28 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

              Update

              If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

              Download Information

              Download link:  Java SE 8u141

              Verify your version:  http://www.java.com/en/download/testjava.jsp

              Notes:
              • Minimally, UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.  Preferably, see the instructions below on how to handle "Unwanted Extras". 
              • Starting with Java SE 7 Update 21 in April 2013, all Java Applets and Web Start Applications should be signed with a trusted certificate.  It is not recommended to run untrusted/unsigned Certificates.  See How to protect your computer against dangerous Java Applets

              Critical Patch Updates

              For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
              • 17 October 2017
              • 16 January 2018
              • 17 April 2018
              • 17 July 2018

              Unwanted "Extras"

              Although most people do not need Java on their computer, there are some programs and games that require Java.  In the event you need to continue using Java, How-to Geek discovered a little-known and  unpublicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates.  Although the Ask Toolbar has been removed, tha does not preclude the pre-checked option for some other unnecessary add-on.

              Do the following to suppress the sponsor offers:
              1. Launch the Windows Start menu
              2. Click on Programs
              3. Find the Java program listing
              4. Click Configure Java to launch the Java Control Panel
              5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
              6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.
              Java suppress sponsor offers

              Java Security Recommendations


              1)  In the Java Control Panel, at minimum, set the security to high.
              2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

              3)  Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml

              References




              Remember - "A day without laughter is a day wasted."
              May the wind sing to you and the sun rise in your heart...




              Wednesday, July 12, 2017

              Pale Moon Version 27.4.0 Released with Security Updates


              Pale Moon
              Pale Moon version 27.4.0 has been released with security fixes, including DiD* patches.
              *DiD stands for "Defense-in-Depth" and is a fix that does not apply to an actively exploitable vulnerability in Pale Moon but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.
              This is a major update to address most of the media streaming issues users have had.  In addition, the update includes enhancements, bug fixes and security fixes to the browser.


              Details from the Release Notes:

              Security fixes:
              • Removed preloading of HPKP hosts and enabled HPKP header enforcement.
              • Added support for TLS 1.3, the up-next secure connection protocol.
              • Fixed an issue with TLS 1.3 not supporting renegotiation by design.
              • Relaxed some restrictions for CSP to temporarily work around web compatibility issues with the CSP-3 deprecated child-src directive.
              • Updated NSS to 3.28.5.1-PM to address some security issues.
              • Updated the installer selfextractor module to address unsafe loading of libraries.
              • Changed the way certain resources are included to reduce effectiveness of some common fingerprinting techniques. (e.g. browserleaks.org)
              • Fixed a regression in the display of security information in the page info dialog for insecure content.
              • Fixed two potential issues with allocating memory for video. DiD
              • Fixed a potential issue with the network prediction algorithm. DiD
              • Restricted the use of Aspirational scripts in IDNs to prevent domain spoofing, in anticipation of the UAX#31 update making this official.
              • Prevented a Mac font specific issue that could be abused for domain spoofing (CVE-2017-7763)
              • Fixed several potentially exploitable crashes. (CVE-2017-7751) (CVE-2017-7757) and some that do not have a CVE designation.
              Changes/fixes:
              • Completely re-worked the Media Source Extensions code to make it spec compliant, and asynchronous as per specification for MSE with MP4. This should fix playback problems on YouTube, Twitch, Vimeo and other sites that previously had some issues. A massive thank you to Travis for his tireless work on making this happen!
                Please note that MSE+WebM (disabled by default) is not using this new code yet (planned for the next release), and as such there is a temporary set of things to keep in mind if you don't use default settings:
                • If you have previously enabled MSE+WebM, this setting will be reset when you update to avoid conflicting settings with the updated MSE code.
                • We've added an extra setting in Options to disable the updated MSE code (asynchronous use) in case you need to use WebM or are otherwise having issues with the updated code (please let us know in that case).
                • Once again, the MSE+WebM and Asynchronous MSE use are currently mutually exclusive. You can have one or the other, not both, until we sort out the code for WebM. To enable MSE+WebM you will first have to disable Asynchronouse MSE in settings (otherwise the WebM setting will be greyed out and disabled).
              • Added a control in options/preferences for HSTS and HPKP usage.
              • Changed HTML bookmark exports to write CRLF line endings to the file on Windows.
              • Leveraged multi-core rendering for libVPX (VP8/VP9 WebM decoding).
              • Fixed some issues accessing DeviantArt (useragent-sniffing).
              • Aligned CSS text-align with the spec.
              • Added a recovery module for browser initialization issues (e.g. when using a wrong language pack).
              • Fixed spurious console errors for XHR requests with certain http response codes.
              • Enabled v-sync aligned refresh for a smoother scrolling experience.
              • Removed support for CSS XP-theme media queries.
              • Improved console error reporting.
              • Fixed resetting toolbars and controls from the safe mode dialog.
              • Fixed bookmark recovery option from the safe mode dialog.
              • Fixed innerText getters for display:none elements.
              • Fixed a GL buffer crash that might occur with certain combinations of drivers and hardware.
              • Added some more details to about:support.
              • Fixed a potential crash when the last audio device is removed during playback.
              • Fixed a crash on about:support when windowless browsers are created.
              • Updated
              • Updated the interpretation of 2-digit years in date formats to match other browsers: 0-49 = 2000-2049, 50-99 = 1950-1999.
              • Added q units to CSS (quarter of a millimeter).
              • Added .origin property to blobs.
              • Fixed several minor layout issues.
              • Fixed disabled HTML elements not producing the proper JS events.
              • Implemented web content handler blacklist according to the spec, allowing more than feeds to be registered.
              • Fixed a spec compliance issue with execCommand() on HTML elements.
              • Fixed a problem with table borders being drawn uneven or being omitted when zooming the page.
              • Added devtools "filter URLs" option in the network panel.
              • Added visual sorting options to the Network inspector.
              • Added importing of login data from Chrome profiles on Windows (Chrome has to be closed first).
              • Added importing of tags from bookmark export files (HTML format).
              • Updated usage of SourceMap headers with the updated spec (SourceMap header, keeping X-SourceMap as a fallback).
              • Fixed several cases of wrongly-used negations in JS modules.
              • Added the auxclick mouse event.
              • Added a control to not autoplay video unless it is in view (media.block-play-until-visible).
              • Updated the Graphite font library to 1.3.10.
              • Updated how image and media elements respond to window size changes (responsive design).
              • Added parsing and use of rotation meta data in video.
              • Fixed several crashes in a number of modules.
              • Fixed performance regression for scaling large vector images (e.g. MSIE Chalkboard test)
              • Fixed some issues with notification icons.
              • Fixed some internal errors with live bookmarks.
              • Updated SQLite to 3.19.3.
              • Fixed several reported issues with devtools (cli-cookies, cli help, copying cURL, inspecting SVGs, element size calculations, etc.)
              • Fixed an issue where a server response was allowed to override add-ons' specified version ranges even for add-ons that have strict compatibility (e.g. themes, language packs).

              Minimum system Requirements (Windows):
              • Windows Vista/Windows 7/8/10/Server 2008 or later
              • Windows Platform Update (Vista/7) strongly recommended
              • A processor with SSE2 instruction support
              • 256 MB of free RAM (512 MB or more recommended)
              • At least 150 MB of free (uncompressed) disk space
              Pale Moon includes both 32- and 64-bit versions for Windows, Pale Moon Portable, Pale Moon for Linux and Pale Moon for Android.

                Update

                To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.


                References:


                Remember - "A day without laughter is a day wasted."
                May the wind sing to you and the sun rise in your heart...


                Tuesday, July 11, 2017

                Microsoft Security Updates for July, 2017




                The July security release consists of security updates for the following software:
                • Internet Explorer
                • Microsoft Edge
                • Microsoft Windows
                • Microsoft Office and Microsoft Office Services and Web Apps
                • .NET Framework
                • Adobe Flash Player
                • Microsoft Exchange Server


                The updates address Remote Code Execution, Denial of Service, Information Disclosure and Elevation of Privilege in 57 CVE's in which 19 are Critical, 35 Important, and 3 Moderate in severity.

                For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

                For a complete list of the CVEs addressed in the July update, see the The July 2017 Security Update Review by Dustin Childs.


                  Additional Update Notes

                  • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
                  • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 
                  • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.

                  References


                    Remember - "A day without laughter is a day wasted."
                    May the wind sing to you and the sun rise in your heart...





                    Adobe Flash Player Security Update Released

                    Adobe Flashplayer

                    Adobe has released Version 26.0.0.137 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

                    These updates address vulnerabilities could lead to remote code execution, information disclosure and Memory address disclosure..

                    Release date:  July 11, 2017
                    Vulnerability identifier: APSB17-21
                    CVE Numbers:   CVE-2017-3080, CVE-2017-3099, CVE-2017-3100
                    Platform: Windows, Macintosh, Linux and Chrome OS

                    Update:

                    *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

                      Verify Installation

                      To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

                      Do this for each browser installed on your computer.

                      To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

                      References



                      Remember - "A day without laughter is a day wasted."
                      May the wind sing to you and the sun rise in your heart...









                      Saturday, July 01, 2017

                      Windows Insider MVP!

                      What a great way to start the day!  🐱‍👤
                      "Congratulations! Thank you for your continued contributions to the Windows community, we are excited to re-award you as a Windows Insider MVP. This award is a token of our appreciation, your leadership and passion help make Windows the best yet. We look forward to our on-going collaboration with you and all of our Windows Insider MVPs as we continue to strengthen the Windows Insider MVP (WI MVP) Program."


                      Home
                      Remember - "A day without laughter is a day wasted."
                      May the wind sing to you and the sun rise in your heart...

                      Thursday, June 29, 2017

                      Mozilla Firefox Version 54.0.1 Released


                      FirefoxMozilla sent Firefox Version 54.0.1 to the release channel today.  Firefox ESR was updated to version 52.2.1. 

                      The update includes a number of bug fixes.

                      The next scheduled release is August 8, 2017 (5 week cycle with release for critical fixes as needed).

                      Fixes:

                      To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

                      References




                      Remember - "A day without laughter is a day wasted."
                      May the wind sing to you and the sun rise in your heart...

                      Tuesday, June 13, 2017

                      Mozilla Firefox Version 54.0


                      FirefoxMozilla sent Firefox Version 54.0 to the release channel today.  Firefox ESR was updated to version 52. The update includes 1 (one) critical, 8 (eight) high and 1 (one) moderate security update.

                      The next scheduled release is August 8, 2017 (5 week cycle with release for critical fixes as needed).

                      New
                      • Added Burmese (my) locale
                      • Added support for multiple content processes (e10s-multi)
                      • Simplified the download button and download status panel

                      Changed
                      • Moved the mobile bookmarks folder to the main bookmarks menu for easier access
                      Update:

                      To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

                      References




                      Remember - "A day without laughter is a day wasted."
                      May the wind sing to you and the sun rise in your heart...

                      Microsoft Security Updates for June, 2017



                      The June Microsoft updates address vulnerabilities in Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office and Microsoft Office Services and Web Apps, Silverlight, Skype for Business and Lync and Adobe Flash Player for Windows 8.1 and above.  Addressed in the updates are Remote Code Execution and Elevation of Privilege.  

                      Known Issues
                      4022717
                      4022726
                      4022715


                      For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Information about the update for Windows 10 is available at Windows 10 Update history.

                      To have a better understanding about the updates released today, see the Zero Day Initiative — The June 2017 Security Update Review by Dustin Childs.

                        Additional Update Notes

                        • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
                        • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 
                        • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.

                        References


                          Remember - "A day without laughter is a day wasted."
                          May the wind sing to you and the sun rise in your heart...





                          Adobe Critical Shockware Player Update

                          Shockwave Player Adobe has released a critical security update for Adobe Shockwave Player which update address a memory corruption that could potentially lead to remote code execution.

                          Although I have yet to need Shockwave Player on this computer, there are still many people who use it.  If you have Shockwave Player installed, please update to the latest version.

                          Release date: June 13, 2017
                          Vulnerability identifier: APSB17-18

                          CVE number: CVE-2017-3086
                          Platform: Windows

                          The newest version 12.2.9.199 is available here: http://get.adobe.com/shockwave/.  As usual, watch for any pre-checked add-ons not needed for the update.

                          References


                          Home
                          Remember - "A day without laughter is a day wasted."
                          May the wind sing to you and the sun rise in your heart...

                          Adobe Flash Player Critical Security Update

                          Adobe Flashplayer

                          Adobe has released Version 26.0.0.126 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

                          These updates address critical vulnerabilities including a use-after-free vulnerability that could lead to code execution and memory corruption vulnerabilities that could lead to remote code execution.

                          Release date:  June 13, 2017
                          Vulnerability identifier: APSB17-17
                          CVE Numbers:   CVE-2017-3075, CVE-2017-3081, CVE-2017-3083, CVE-2017-3084, CVE-2017-3076, CVE-2017-3077, CVE-2017-3078, CVE-2017-3079, CVE-2017-3082
                          Platform: Windows, Macintosh, Linux and Chrome OS

                          Update:

                          *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

                            Verify Installation

                            To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

                            Do this for each browser installed on your computer.

                            To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

                            References



                            Remember - "A day without laughter is a day wasted."
                            May the wind sing to you and the sun rise in your heart...









                            Sunday, May 28, 2017

                            Memorial Day: Remembering Those Who Gave Their All for Their Country

                            Vietnam Memorial Wall
                            April 30, 2005
                            Photograph by Luigi Masu

                            Memorial Day is a day set aside to remember those who have died in the service of their country.  It is also a time when I remember a very special Canadian who likely knew more about U.S. politics and history than most U.S. citizens. Memorial Day 2007 was his last blog post, reading in part:
                            "Memorial Day was officially proclaimed on 5 May 1868 by General John Logan, national commander of the Grand Army of the Republic, in his General Order No. 11, and was first observed on 30 May 1868, when flowers were placed on the graves of Union and Confederate soldiers at Arlington National Cemetery. The first state to officially recognize the holiday was New York in 1873. By 1890 it was recognized by all of the northern states. The South refused to acknowledge the day, honoring their dead on separate days until after World War I (when the holiday changed from honoring just those who died fighting in the Civil War to honoring Americans who died fighting in any war). For more history of Memorial Day visit Memorial Day History."

                            Home
                            Remember - "A day without laughter is a day wasted."
                            May the wind sing to you and the sun rise in your heart...

                            Tuesday, May 09, 2017

                            Microsoft Security Updates for May, 2017


                            After today, Windows 10 devices running version 1507 will no longer receive security and quality updates.  Instructions on how to update to the latest Windows 10 version are available in this Microsoft support article.

                            May Security Update Details:

                            The May Microsoft updates address vulnerabilities in  Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office and Microsoft Office Services and Web Apps, .NET Framework and Adobe Flash Player for Windows 8.1 and above.  Addressed in the updates are Remote Code Execution and Elevation of Privilege.  

                            For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Information about the update for Windows 10 is available at Windows 10 update history.

                            However, to actually have a better understanding about the updates released today, see Zero Day Initiative — The May 2017 Security Update Review by Dustin Childs.
                             

                              Additional Update Notes

                              • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
                              • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 
                              • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.

                              References


                                Remember - "A day without laughter is a day wasted."
                                May the wind sing to you and the sun rise in your heart...





                                Adobe Flash Player Critical Update

                                Adobe Flashplayer

                                Adobe has released Version 25.0.0.171 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

                                These updates address critical vulnerabilities including a use-after-free vulnerability that could lead to code execution and memory corruption vulnerabilities that could lead to code execution.

                                Release date:  May 9 11, 2017
                                Vulnerability identifier: APSB17-15
                                CVE number: CVE-2017-3068, CVE-2017-3069, CVE-2017-3070, CVE-2017-3071, CVE-2017-3072, CVE-2017-3073, CVE-2017-30744
                                Platform: Windows, Macintosh, Linux and Chrome OS

                                Update:

                                *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

                                  Verify Installation

                                  To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

                                  Do this for each browser installed on your computer.

                                  To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

                                  References



                                  Remember - "A day without laughter is a day wasted."
                                  May the wind sing to you and the sun rise in your heart...









                                  Monday, May 08, 2017

                                  Security Update for Microsoft Malware Protection Engine



                                  Microsoft released Security Advisory 4022344 about an update to the Microsoft Malware Protection Engine.  The update addresses a security vulnerability that was reported to Microsoft.

                                  The vulnerability addressed in the update could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. According to the Advisory,
                                  "An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system."

                                  An updated MSRT will be included with the Security Updates on May 9.  Windows Defender will automatically update or can be manually launched and checked for updates.

                                  References:




                                  Home
                                  Remember - "A day without laughter is a day wasted."
                                  May the wind sing to you and the sun rise in your heart...

                                  False/Positives of WinPatrol wpsetup.exe and Access to Website

                                  WinPatrol Scotty

                                  Since the new release of WinPatrol Version 35.5.2017.8 was announced, there have been reports of the wpsetup.exe being detected as a trojan.  I reached out to Bret Lowry who gave me permission to share information about both the false/positives as well as problems reaching WinPatrol.com.

                                  False/Positives

                                  Those are false positives; we have reported them to most of the manufacturers.
                                  Many are due to BitDefender having a false positive.
                                  Emsisoft
                                  GData
                                  eScan
                                  Ad-Aware

                                  All use BitDefender under the covers. You can tell by looking at the detection name in VirusTotal.
                                  Symantec reports ALL new binaries as a potential threat until the manufacturer contacts them, that is how they are handling the flood of new malware. They’ve been doing that for years now but no one calls them out for it out of fear of the giant.

                                  It is due to our using the InstallMate installer.
                                  The installer is not infected. {emphasis added}

                                  What would be super helpful would be a grass roots campaign demanding VirusTotal act responsibly by providing a link on their site for reporting false positives directly to the manufacturer in question.

                                  Access to WinPatrol.com

                                  There have also been reports of problems reaching the WinPatrol website.  Bret indicated that problem with the slowness is not due to problems at WinPatrol.com.  Rather the issue is due to the Internet Backbone company Level3.  As can be seen from the following link to the Level3 Outage map, the problem with Level3 connectivity is widespread:  http://downdetector.com/status/level3/map/Although I found access slow earlier today, I was able to get the update by launching WinPatrol and selecting "Check for Save Updates" from the PLUS tab.

                                  You can find the unofficial WinPatrol forum at LandzDown here

                                  Home
                                  Remember - "A day without laughter is a day wasted."
                                  May the wind sing to you and the sun rise in your heart...

                                  WinPatrol Update Released

                                  WinPatrol Scotty

                                  WinPatrol Version 35.5.2017.8 was released with several fixes to better align with Windows 10.

                                  Fixes:
                                  • Fixed addition of Startup programs to be compatible with recent changes to Windows 10.
                                  • Fixed removal of Startup programs to be compatible with recent changes to Windows 10.
                                  • Disabled and removed checkbox for “Allow PLUS info data collection” because recent changes in allowed URL length resulting in no data being returned for customers.

                                  Direct Download Link: WinPatrol Version 35.5.2017.8


                                  You can find the unofficial WinPatrol forum at LandzDown here.


                                  Home
                                  Remember - "A day without laughter is a day wasted."
                                  May the wind sing to you and the sun rise in your heart...