Saturday, October 21, 2017

Adobe Reader XI and Acrobat XI -- End-of-Life


Adobe provides product support from the general availability date of Adobe Acrobat and Adobe Reader for five years.  The five-year date was October 15, 2017, meaning Adobe Reader XI and Acrobat XI have reached end-of-life.  As a result, Adobe will no longer be providing technical support for those products.  This also includes both product and, more importantly, security updates.

If either or both of these programs are installed on your computer it is strongly advised that you uninstall them as soon as possible.  If you wish to stay with Adobe products, the Adobe Acrobat Reader DC can be downloaded from here.
Note: UNcheck any pre-checked additional options presented with the download. They are not part of the software and are completely optional.
If you use Windows 10, Microsoft Edge works great to read PDF documents.  In addition, new features are included in the Windows 10 Fall Creators Update.   See How Microsoft Edge will beat Chrome as the best PDF reader with the Fall Creators Update for additional information.

Another alternative is Sumatra PDF:
"Sumatra PDF is a free PDF, eBook (ePub, Mobi), XPS, DjVu, CHM, Comic Book (CBZ and CBR) reader for Windows.
Sumatra PDF is powerful, small, portable and starts up very fast.
Simplicity of the user interface has a high priority."

h/t ky331

References

Adobe Acrobat XI and Adobe Reader XI End of Support
Adobe Support Lifecycle Policy


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...







Wednesday, October 18, 2017

Oracle Java Critical Security Updates Released


Oracle released the scheduled critical security updates for its Java SE Runtime Environment software.  The update contains 22 new security fixes for Oracle Java SE.  Twenty-two (22) of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  

Update

If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

Download Information

Java SE 8u151/ 8u152
Java™ SE Development Kit 8, Update 151 Release Notes
Java™ SE Development Kit 8, Update 152 Release Notes
Java SE Runtime Environment 8 - Downloads

Java SE 9.0.1  (64-bit only)
Java™ SE Development Kit 9.0.1 Release Notes
Java SE Runtime Environment 9 - Downloads
Notes:
  • UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.  Preferably, see the instructions below on how to handle "Unwanted Extras".  
  • Oracle does not plan to migrate desktops from Java 8 to Java 9 through the auto update feature.  Therefore, it is strongly recommended that you uninstall JRE 8 prior to updating.
  • Verify your version: http://www.java.com/en/download/testjava.jsp.   Note:  The Java version verification page will only work if your browser has NPAPI support.  If it does not, check the version by opening a cmd window and entering the following (note the space following java):  java -version

Critical Patch Updates

For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
  • 16 January 2018
  • 17 April 2018
  • 17 July 2018
  • 16 October 2018

Unwanted "Extras"

Although most people do not need Java on their computer, there are some programs and games that require Java.  In the event you need to continue using Java, How-to Geek discovered a little-known and unpublicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates.  Although the Ask Toolbar has been removed, that does not preclude a pre-checked option for some other unnecessary add-on.

Do the following to suppress the sponsor offers:
  1. Launch the Windows Start menu
  2. Click on Programs
  3. Find the Java program listing
  4. Click Configure Java to launch the Java Control Panel
  5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
  6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.

Java Security Recommendations

1)  In the Java Control Panel, at minimum, set the security to high.
2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

3)  Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml

References








Monday, October 16, 2017

Adobe Flash Player Out-of-Band Critical Security Update


Adobe has released Version 27.0.0.170 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

The critical update addresses a report that an exploit for CVE-2017-11292 exists in the wild, and is being used in limited, targeted attacks against users running Windows.

Release date:  October 16, 2017
Vulnerability identifier: APSB17-32
CVE Numbers:   CVE-2017-11292
Platform: Windows, Macintosh, Linux and Chrome OS

Update:

*Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

    Verify Installation

    To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

    Do this for each browser installed on your computer.

    To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

    References












    Tuesday, October 10, 2017

    Microsoft Security Updates for October, 2017



    The October security release consists of 62 security updates for the following software, of which 27 are listed as Critical and 35 are rated Important. In particular, note that one CVE in Microsoft Office is listed as under active attack, and two other CVEs are listed as publicly known prior to release.
    • Internet Explorer
    • Microsoft Edge
    • Microsoft Windows
    • Microsoft Office and Microsoft Office Services and Web Apps
    • Skype for Business and Lync
    • Chakra Core

      Known Issues
      The updates address Remote Code Execution, Information Disclosure, "Defense in Depth", Security Feature Bypass and Elevation of Privilege. Note:  "Defense-in-Depth" is a fix that does not apply to an actively exploitable vulnerability but prevents future vulnerabilities caused by the same code when surrounding code changes expose the problem.  In addition, Windows 10 1511 support ends today.

      For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

      CVEs addressed by Microsoft this month that deserve extra attention are discussed in Zero Day Initiative — The October 2017 Security Update Review by Dustin Childs.

        Additional Update Notes

        • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
        • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 
          Note:  Users who are paranoid about the remote possibility of a FP can opt to run this tool from a Command Prompt, appending the /N parameter [for "detect only" mode].
        • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.

        References







          Adobe Flash Player Updates


          Adobe has released Version 27.0.0.159 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

          These updates address functionality bugs.

          Release date:  October 10, 2017
          Vulnerability identifier: APSB17-31
          CVE Numbers:   None
          Platform: Windows, Macintosh, Linux and Chrome OS

          Update:

          *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

            Verify Installation

            To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

            Do this for each browser installed on your computer.

            To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

            References












            Pale Moon 27.5.1 Released


            Pale Moon has been updated to Version 27.5.1. This is a security and stability update.

            The security updates include DiD ("Defense-in-Depth") fixes.  This means that it is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.

            Details from the Release Notes:

            Changes/fixes:
            • Changed the default Windows 10 styling when no accent color is applied to black-on-white.
            • Changed the theme styling on Windows 10 when the system window frame is used (menu bar enabled) to use the window manager background directly, preventing visual lag updating the window color when it changes.
            • Updated user agent overrides for DropBox, YouTube and Yahoo to work around user agent sniffing issues.
            • Fixed a crash in the media subsystem.
            • Fixed a regression where video playback hardware acceleration was disabled incorrectly on some systems.
            Security fixes:
            • Updated libhyphen to the latest upstream code to fix a security issue.
            • Updated NSPR to 4.16-RTM with a patch to un-bust building on win64.
            • Updated NSS to 3.32.1-RTM.
            • Worked around some more issues with Mac fonts (CVE-2017-7825).
            • Fixed a potential rooting hazard in NPAPI plugin code. DiD
            • Fixed a potential reference issue in JavaScript arrays. DiD
            Minimum System Requirements (Windows):
            • Windows Vista/Windows 7/8/10/Server 2008 or later
            • Windows Platform Update (Vista/7) strongly recommended
            • A processor with SSE2 instruction support
            • 256 MB of free RAM (512 MB or more recommended)
            • At least 150 MB of free (uncompressed) disk space
            Pale Moon includes both 32- and 64-bit versions for Windows:

            Update

            To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.






            Monday, October 09, 2017

            Mozilla Firefox Version 56.0.1 Released


            Mozilla sent Firefox Version 56.0.1 to the release channel today.  The update includes one fix and the migration to 64-bit Firefox for users of the 32-bit version.  Note the unresolved issues!

            Firefox ESR remains at version 52.4.0.

            Fixed

            • Block D3D11 when using Intel drivers on Windows 7 systems with partial AVX support (bug 1403353)

            Changed

            • Users of 32-bit Firefox on 64-bit Windows are migrated to 64-bit Firefox for increased stability and security.

            Unresolved

            • Due to a bug in Mac OS X High Sierra, fullscreen mode has some issues
            • Startup crash with RelevantKnowledge adware installed. Firefox Support has helpful instructions to remove it.
            • Startup crashes with 64-bit Firefox on Windows 7, for users of Lenovo's "OneKey Theater" software for IdeaPad laptops. To fix this crash, please re-install 32-bit Firefox.
            • Users running Firefox for Windows over a Remote Desktop Connection (RDP) may find that audio playback is disabled due to increased security restrictions. Learn how to mitigate this issue until it is corrected in an upcoming release.

            Update:

            To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

            References





            Tuesday, October 03, 2017

            Cyber Security Awareness Month


            October is National Cyber Security Awareness Month (NCSAM).  The 2017 Cyber Security Awareness Month marks the seventh anniversary of the campaign.  It is also European Cyber Security Awareness Month (ECSM), https://cybersecuritymonth.eu/, and in Canada, https://www.getcybersafe.gc.ca/index-eng.aspx.

              Stop | Think | Connect

            With that in mind, consider the following suggestions not only during Cyber Security Awareness month but every day:

                Stop:  Before you click that formatted link in your email, search results or social media account, mouse over the link to ensure the URL matches the description.

                Think:  Whether it is email, Facebook, Twitter, an online forum or other online media, instead of spouting off the first reply that comes to mind when you disagree, think before you click the send button.  Remember that your online reputation can follow you in "real life".

                Connect:  When you connect to the Internet, ensure your device software as well as any apps or third-party software are up to date.

            Each week, Malwarebytes Labs will focus on a theme and provide helpful articles, useful tips, and valuable analysis so that you can increase awareness and spread the word. This week’s theme: simple steps to online safety. The first:  National cybersecurity awareness month: simple steps to online safety | Malwarebytes Labs



            Thursday, September 28, 2017

            Mozilla Firefox Version 56.0 Released with Security Updates


            Mozilla sent Firefox Version 56.0 to the release channel today.  The update includes two (2) Critical, six (6) High, seven (7) Moderate and two (2) Low security updates.  Firefox ESR was updated to version 52.4.0.

            Important Notes:  
            1. Although version 56 is scheduled to "silently and forcibly auto-upgrade" users running the 32-bit version of Firefox on 64-bit computers with more than 2GB of RAM to the 64-bit version, it was not updated to the 64-bit version on my machine. 
            2.  Users of Lenovo's "OneKey Theater" software for IdeaPad laptops and users running Firefox for Windows over a Remote Desktop Connection (RDP) are advised to check the unresolved issues below.
            3. Version 56 makes Firefox Screenshots and Send Tabs available to all users.
            4. See the following regarding add-ons starting in Firefox 57:  Firefox add-on technology is modernizing 

            Security Fixes:

            Critical:
            High:
            Moderate:
            Low:
            New
            • Launched Firefox Screenshots, a feature that lets users take, save, and share screenshots without leaving the browser
            • Added support for address form autofill (en-US only)
            • Updated Preferences
              • Added search tool so users can find a specific setting quickly
              • Reorganized preferences so users can more easily scan settings
              • Rewrote descriptions so users can better understand choices and how they affect browsing
              • Revised data collection choices so they align with updated Privacy Notice and data collection strategy
            • Media opened in a background tab will not play until the tab is selected
            • Improved Send Tabs feature of Sync for iOS and Android, and Send Tabs can be discovered even by users without a Firefox Account

            Changed

            • Replaced character encoding converters with a new Encoding Standard-compliant implementation written in Rust
            • Added hardware acceleration for AES-GCM
            • Updated the Safe Browsing protocol to version 4
            • Reduced update download file size by approximately 20 percent
            • Improved security for verifying update downloads

            Unresolved

            • Startup crash with RelevantKnowledge adware installed. Firefox Support has helpful instructions to remove it.
            • Startup crashes with 64-bit Firefox on Windows 7, for users of Lenovo's "OneKey Theater" software for IdeaPad laptops. To fix this crash, please re-install 32-bit Firefox.
            • Users running Firefox for Windows over a Remote Desktop Connection (RDP) may find that audio playback is disabled due to increased security restrictions. Learn how to mitigate this issue until it is corrected in an upcoming release.

            Update:

            To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

            References





            Tuesday, September 26, 2017

            Pale Moon Version 27.5.0 Released


            Pale Moon has been updated to Version 27.5.0. This is a major release furthering the development of the browser.


            The changes and fixes in this release are extensive and include user interface changes including a menu option to restart the browser, media improvements and much more.

            Details from the Release Notes:

            Changes/fixes:
            • User interface:
              • Added a menu option to restart the browser.
              • Added Windows-specific CSS parameters and queries for the use of the system accent color. Added are parameters -moz-win-accentcolor and -moz-win-accentcolortext, and the media query -moz-win-accentcolor-applies to know if Windows is actively using an accent color.
              • Changed Windows' browser CSS sheet to use variables instead of hard-coding colors, simplifying its style and making it more flexible. Further cleaned up the Windows 10 specific browser style.
              • Changed the theme on Windows 10 to use the new accent colors and improve O.S. consistency.
              • Fixed some general inconsistencies in the Windows theme on all Windows operating systems.
              • Updated Windows widgets to be able to pick up Windows 10 accent colors dynamically and have the browser's look and feel respond accordingly, even with automatic color changes based on desktop wallpaper.
              • Removed the experimental FF4 prerelease status-in-addressbar feature because the already-crowded address bar needs a break. This should solve some extension interop issues, theme issues and domain highlighting issues people have reported.
              • Cleaned up some dead code for the plugin updater that no longer exists.
              • Fixed a text direction issue in preferences.
              • Fixed an issue with disabled context menu entries after using Customize...
              • Reorganized and cleaned up the status preferences.
            • Media:
              • MSE Media updates (ongoing). We are focusing on improving MP4 handling.
              • Improved MP3 metadata parsing (e.g. incorrect duration with embedded album cover)
              • Fixed a number of searching issues in MP3 files
              • Fixed a few crashes.
            • Fixed an issue with automatically exporting bookmarks to HTML on shutdown.
            • Fixed a regression re: domains allowed to/blocked from installing add-ons.
            • Fixed several internal errors thrown in the front-end.
            • Fixed several minor issues in the devtools.
            • Added a fix to prevent the home page from being loaded (and subsequently overridden) when restoring a session.
            • Added an option to control add-on blocklist behavior (Options -> Security)
            • Added DOM function isSameNode().
            • Added DOM onvisibilitychange event.
            • Added document.scrollingelement (CSSOM).
            • Added a basic implementation of Object.values and Object.entries enumerator functions (ECMA2017 draft).
            • Added "Open in new private window" to bookmarks, feeds and history entries.
            • Added HTTP request method OPTIONS.
            • Added an option to exit to a no-content page after encountering a network or security error.
              This is controlled with the preference browser.escape_to_blank -- when set to true, "Get me out of here" buttons will load a blank page instead of the browser's home page.
            • Added experimental Brotli accept-encoding (alternative to gzip/deflate compressed http data transfer). Disabled by default for now because it causes issues.
            • Improved the handling of several CSS selectors.
            • Changed session storage to remember form data for https sites by default.
            • Added (yet another) trap prevention method to onbeforeunload events.
            • Fixed privacy preferences not correctly resetting all options when choosing "Remember History"
            • Fixed not being able to deselect loading bookmarks in the sidebar.
            • Limited the display of user names and hosts in the http auth dialog to sane lengths, preventing over-sizing issues.
            • Fixed a number of potential crash points.
            • Improved the security of the Windows dll loader module.
            • Reinstated "Open all in tabs" option on folders of live bookmarks (feeds).
            • Made URL matching more liberal in selected text to make it easier to open stated addresses.
            • Fixed an issue with Graphite font rendering where automatic font collision fixing didn't always work.
            • Color Management for images is now disabled by default on Linux, due to many distributions not having a streamlined setup with sane default ICC profiles, which makes images look worse when color management is enabled.
            • Tightened the update security check to prevent acceptance of update manifests that have been intercepted/replaced through https MitM attacks.
              Please be aware that https-filtering antivirus may interfere with future application updates as a result.
            • Updated the ANGLE library to broaden WebGL support and reduce the potential of crashes (due to junk being sent to the video driver).
            • Added content-sniffing for WebP images (working around CloudFront's incorrect content-type headers).
            • Fixed a problem with some H.264 media not playing (SPS NAL).
            • Improved timer efficiency (switch back to lower precision when high precision is no longer needed, reducing CPU/power consumption).
            • Improved context search on selected text/links.
            • Updated address bar handling with Alt or Shift modifiers, so that "switch to tab" with a modifier can open copies of already-opened sites.
            • Added a fix on Linux for starting the browser from Enlightenment.
            • Privacy fix: Pale Moon will now clear QuotaManager storage (asm.js cache/IndexedDB data) as part of clearing Offline Website Data.
            Minimum System Requirements (Windows):
            • Windows Vista/Windows 7/8/10/Server 2008 or later
            • Windows Platform Update (Vista/7) strongly recommended
            • A processor with SSE2 instruction support
            • 256 MB of free RAM (512 MB or more recommended)
            • At least 150 MB of free (uncompressed) disk space
            Pale Moon includes both 32- and 64-bit versions for Windows:

            Update

            To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.






            Saturday, September 23, 2017

            Oracle Java™ Platform, Standard Edition 9 Released



            Oracle released Java™ Platform, Standard Edition 9, 64-bit only, for Windows 7, Windows 8.x, Windows 10 as well as Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016 R and Windows Server 2016 R2.  The update includes security enhancements.

            For browser support as well as Linux, Solaris and Mac OS X, see Oracle JDK 9 and JRE 9 Certified System Configurations Contents. Java Version 9 is not compatible with Windows XP or Windows Vista. 

            Oracle does not plan to migrate desktops from Java 8 to Java 9 through the auto update feature.  Therefore, it is strongly recommended that you uninstall JRE 8 prior to updating.


              Download Information



              Notes:
              • UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.  Preferably, see the instructions below on how to handle "Unwanted Extras". 
              • Verify your version: http://www.java.com/en/download/testjava.jsp.

                Note:  The Java version verification page will only work if your browser has NPAPI support.  If it does not, check the version by opening a cmd window and entering the following (note the space following java):  java -version

              Critical Patch Updates

              For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
              • 17 October 2017
              • 16 January 2018
              • 17 April 2018
              • 17 July 2018

              "Unwanted Extras"

              Although most people do not need Java on their computer, there are some programs and games that require Java.  In the event you need to continue using Java, How-to Geek discovered a little-known and unpublicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates.  Although the Ask Toolbar has been removed, that does not preclude a pre-checked option for some other unnecessary add-on.

              Do the following to suppress the sponsor offers:
              1. Launch the Windows Start menu
              2. Click on Programs
              3. Find the Java program listing
              4. Click Configure Java to launch the Java Control Panel
              5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
              6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.

              Java Security Recommendations

              1)  In the Java Control Panel, at minimum, set the security to high.
              2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

              3)  Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml
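The "Verify your version" notes in this post and in the October 18 post above both fall back to `java -version` when the browser check page cannot run. As an added example (not code from the blog or from Oracle), the script below parses that output, handling both the legacy `1.8.0_151` form and the Java 9 `9.0.1` form, and compares it against the minimum patched versions listed in the October 18 post (8u151 and 9.0.1); the version strings embedded in the comments are constructed samples.

```python
import re
import subprocess
from typing import Optional, Tuple

# Minimum versions carrying the October 2017 Critical Patch Update fixes,
# taken from the "Download Information" of the October 18 post.
MIN_JAVA8_UPDATE = 151          # 8u151 (8u152 is the parallel feature release)
MIN_JAVA9 = (9, 0, 1)           # Java SE 9.0.1

Version = Tuple[int, int, int, int]   # (major, minor, security, update)

# First line of `java -version` looks like:  java version "1.8.0_151"
VERSION_LINE_RE = re.compile(r'(?:java|openjdk) version "([^"]+)"')
LEGACY_RE = re.compile(r"1\.(\d+)\.(\d+)_(\d+)")                      # Java 8 and older: 1.8.0_151
MODERN_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.(\d+))?")  # Java 9 onward: 9.0.1


def parse_java_version(output: str) -> Optional[Version]:
    """Parse `java -version` output into (major, minor, security, update).

    Legacy strings such as 1.8.0_151 become (8, 0, 0, 151); Java 9 strings such
    as 9.0.1 become (9, 0, 1, 0).  Returns None when no version line is found.
    """
    m = VERSION_LINE_RE.search(output)
    if not m:
        return None
    text = m.group(1)
    legacy = LEGACY_RE.fullmatch(text)
    if legacy:
        major, minor, update = (int(x) for x in legacy.groups())
        return (major, minor, 0, update)
    # Strip build or pre-release suffixes such as 9.0.1+11 or 9-ea before matching.
    modern = MODERN_RE.fullmatch(text.split("+")[0].split("-")[0])
    if modern:
        major, minor, security, patch = (int(x) if x else 0 for x in modern.groups())
        return (major, minor, security, patch)
    return None


def is_patched(version: Version) -> bool:
    """True when the version is at or above the October 2017 CPU release for its line."""
    major = version[0]
    if major == 8:
        return version[3] >= MIN_JAVA8_UPDATE
    if major == 9:
        return version[:3] >= MIN_JAVA9
    # Anything older than Java 8 is not on the download list above; the post's
    # recommendation for older versions is to remove them.
    return False


def installed_java_version(java_cmd: str = "java") -> Optional[Version]:
    """Run `java -version` (note: it prints to stderr) and parse the result."""
    try:
        proc = subprocess.run([java_cmd, "-version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None  # no Java on PATH at all
    return parse_java_version(proc.stderr + proc.stdout)


if __name__ == "__main__":
    found = installed_java_version()
    if found is None:
        print("No Java runtime found on PATH.")
    else:
        status = "up to date" if is_patched(found) else "OUTDATED - update or uninstall"
        print("Java %d.%d.%d_%d: %s" % (found + (status,)))
```

On Windows the same script runs from the cmd window the post mentions, provided `java` is on the PATH; otherwise pass the full path to `java.exe` as `java_cmd`.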


              Tuesday, September 12, 2017

              Microsoft Security Updates for September, 2017



              The September security release consists of 81 security updates for the following software, of which 26 are listed as Critical, 53 are rated Important, and two are Moderate in severity.
              • Internet Explorer
              • Microsoft Edge
              • Microsoft Windows
              • Microsoft Office and Microsoft Office Services and Web Apps
              • Adobe Flash Player
              • Skype for Business and Lync
              • .NET Framework
              • Microsoft Exchange Server
                The updates address Remote Code Execution, Spoofing, "Defense in Depth", Information Disclosure and Elevation of Privilege. "Defense-in-Depth" is a fix that does not apply to an actively exploitable vulnerability but prevents future vulnerabilities caused by the same code when surrounding code changes expose the problem.

                For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

                A few of the CVEs addressed by Microsoft this month that deserve some extra attention are discussed in Zero Day Initiative — The September 2017 Security Update Review by Dustin Childs.

                  Additional Update Notes

                  • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
                  • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 
                  • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.

                  References


                    Remember - "A day without laughter is a day wasted."
                    May the wind sing to you and the sun rise in your heart...





                    Adobe Flash Player Critical Security Updates


                    Adobe has released Version 27.0.0.130 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

These updates address vulnerabilities that could lead to remote code execution.

                    Release date:  September 12, 2017
                    Vulnerability identifier: APSB17-28
                    CVE Numbers:   CVE-2017-11281, CVE-2017-3106
                    Platform: Windows, Macintosh, Linux and Chrome OS

                    Update:

                    *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

                      Verify Installation

                      To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

                      Do this for each browser installed on your computer.

                      To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

                      References












                      Wednesday, August 30, 2017

                      Adobe Acrobat and Reader Security Bulletin APSB17-24 Updated


                      Adobe Security Bulletin APSB17-24 for Adobe Acrobat and Reader has been updated to include the availability of new updates as of August 29. 

                      From the blog post:
                      "The August 29 updates resolve a functional regression with XFA forms functionality that affected some users, as well as provide a resolution to security vulnerability CVE-2017-11223.  This CVE was originally addressed in the August 8 updates (versions 2017.012.20093, 2017.011.30059 and 2015.006.30352). Due to a functional regression in those releases, optional hotfixes [0,1,2] were offered to affected customers that temporarily reverted the fix for CVE-2017-11223. The August 29 releases resolve both the functional regression and provide a fix for CVE-2017-11223.
                      At this time, Adobe is not aware of exploits in the wild for CVE-2017-11223, or any of the other issues addressed in the August 8 or August 29 releases.
                      References:
                      [0] Hotfix for 2017.012.20093
                      [1] Hotfix for 2017.011.30059
                      [2] Hotfix for 2015.006.30352"
                      Version 11.0.22 is available at 11.0.22 Out of cycle update, August 22, 2017 — Acrobat and Adobe Reader Release Notes.   

                      References












                      Tuesday, August 22, 2017

                      Pale Moon Version 27.4.2 Released with Security Updates


                      Pale Moon version 27.4.2 has been released to address some security and stability issues.  Details from the Release Notes:

                      Security fixes:
                      • Updated NSPR to 4.15.
                      • Updated NSS to 3.31.1.
                      • Fixed a DoS issue using overly long Username in URL scheme (CVE-2017-7783)
                      • Fixed an issue where (cross domain) iframes could break scope (CVE-2017-7787)
                      • Fixed an issue in WindowsDllDetourPatcher (CVE-2017-7804)
                      • Fixed an issue with elliptic curve addition in mixed Jacobian-affine coordinates (CVE-2017-7781)
                      • Fixed a UAF in nsImageLoadingContent (CVE-2017-7784)
                      • Fixed a UAF in WebSockets (CVE-2017-7800)
                      • Fixed a heap-UAF in RelocateARIAOwnedIfNeeded (CVE-2017-7809) DiD (accessibility is disabled)
                      *DiD stands for "Defense-in-Depth" and is a fix that does not apply to an actively exploitable vulnerability in Pale Moon but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.

                      Changes/fixes:
                      • Fixed a number of crashes.
                      • Enabled the opt-in debugging feature to log SSL keys to a file in all builds.
• Added a fix for TLS 1.3 handshakes causing a browser hangup. Handshakes should be considerably faster now and no longer stall in the wrong circumstances.
                      Minimum system Requirements (Windows):
                      • Windows Vista/Windows 7/8/10/Server 2008 or later
                      • Windows Platform Update (Vista/7) strongly recommended
                      • A processor with SSE2 instruction support
                      • 256 MB of free RAM (512 MB or more recommended)
                      • At least 150 MB of free (uncompressed) disk space
                      Pale Moon includes both 32- and 64-bit versions for Windows, Pale Moon Portable, Pale Moon for Linux and Pale Moon for Android.

                        Update

                        To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.


                        References:




                        Tuesday, August 08, 2017

                        Microsoft Security Updates for August, 2017




                        The August security release consists of security updates for the following software:
                          • Internet Explorer
                          • Microsoft Edge
                          • Microsoft Windows
                          • Microsoft SharePoint
                          • Adobe Flash Player
                          • Microsoft SQL Server

The updates address Remote Code Execution, Denial of Service, Information Disclosure and Elevation of Privilege in 48 CVEs, of which 25 are Critical, 21 Important, and 2 Moderate in severity.

                            For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

For a list of the CVEs addressed in the August update requiring special attention, see The August 2017 Security Update Review by Dustin Childs.

                              Additional Update Notes

                              • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
                              • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 
                              • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.

                              References







                                Adobe Flash Player Critical Security Updates


                                Adobe has released Version 26.0.0.151 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

These updates address vulnerabilities that could lead to remote code execution, information disclosure and memory address disclosure.

                                Release date:  August 8, 2017
                                Vulnerability identifier: APSB17-23
                                CVE Numbers:   CVE-2017-3085, CVE-2017-3106
                                Platform: Windows, Macintosh, Linux and Chrome OS

                                Update:

                                *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

                                  Verify Installation

                                  To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

                                  Do this for each browser installed on your computer.

                                  To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.
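The version check described in the "Verify Installation" sections of this post and of the September Flash Player post above, written out as a script. This is an added example, not code from the blog or from Adobe: it parses the version string the About Flash Player page shows into numeric components and compares each browser's installed copy against the fixed version the two posts state (27.0.0.130 for APSB17-28, 26.0.0.151 for APSB17-23). Comparing the strings as text would get this wrong ("9.0.0.1" sorts after "27.0.0.130"), which is the pitfall the numeric parse avoids. The browser inventory is constructed sample input, and `FIXED_VERSIONS`, `parse_version`, `is_patched` and `report` are names chosen here.

```python
"""Compare installed Flash Player versions against the version a bulletin ships.

Added example; not code from the blog or from Adobe.  Fixed versions are the
ones stated in the two Flash Player posts on this page; the inventory of
browsers below is constructed sample input.
"""
import re
from typing import Dict, List, Tuple

# Fixed versions as stated in the two Flash Player posts (APSB17-28 and APSB17-23).
FIXED_VERSIONS: Dict[str, str] = {
    "APSB17-28": "27.0.0.130",
    "APSB17-23": "26.0.0.151",
}

# Constructed sample inventory: one entry per browser, since the post says to
# check each browser installed on the machine.  Separators vary on purpose,
# because different tools report the same version with dots or commas.
SAMPLE_INVENTORY: Dict[str, str] = {
    "Internet Explorer (ActiveX)": "26.0.0.151",
    "Firefox (NPAPI)": "27.0.0.130",
    "Chrome (PPAPI)": "27,0,0,130",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '27.0.0.130' (or '27,0,0,130') into a tuple of ints.

    Integers compare numerically, so 27 > 9 as intended; leading zeros such
    as the '012' in Acrobat's '2017.012.20093' are harmless.
    """
    parts = re.split(r"[.,\s]+", text.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, bulletin: str) -> bool:
    """True when the installed version is at or above the bulletin's fixed version."""
    fixed = parse_version(FIXED_VERSIONS[bulletin])
    inst = parse_version(installed)
    # Pad to equal length so '27.0.0' compares like '27.0.0.0'.
    width = max(len(fixed), len(inst))
    fixed += (0,) * (width - len(fixed))
    inst += (0,) * (width - len(inst))
    return inst >= fixed


def lexical_compare_is_wrong(installed: str, bulletin: str) -> bool:
    """True when a plain string comparison would give a different answer than
    the numeric one, i.e. the text comparison is wrong for this input."""
    return (installed >= FIXED_VERSIONS[bulletin]) != is_patched(installed, bulletin)


def report(inventory: Dict[str, str], bulletin: str = "APSB17-28") -> List[str]:
    """Return the browsers whose Flash Player is still below the fixed version."""
    return sorted(name for name, ver in inventory.items() if not is_patched(ver, bulletin))


if __name__ == "__main__":
    for name in report(SAMPLE_INVENTORY):
        print(f"{name}: Flash Player {SAMPLE_INVENTORY[name]} is below "
              f"{FIXED_VERSIONS['APSB17-28']} (APSB17-28); update needed")
```

Run it as-is to see which constructed browser entry still needs the update; replace `SAMPLE_INVENTORY` with the versions read from each browser's About Flash Player page to use it on a real machine.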

                                  References












                                  Adobe Reader and Acrobat Critical Security Updates


                                  Adobe has released security updates for Adobe Reader and Acrobat XI for Windows. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

                                  Release date: August 8, 2017
                                  Vulnerability identifier: APSB17-24
                                  Platform: Windows

                                  Update or Complete Download

                                  Update checks can be manually activated by choosing Help > Check for Updates.

                                  Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

                                  Enable "Protected View"

Due to frequent vulnerabilities, it is recommended that Windows users of Adobe Reader and Acrobat ensure that Protected View is enabled.  Neither the Protected Mode nor the Protected View option is available for Macintosh users.

                                  To enable this setting, do the following:

                                  • Click Edit > Preferences > Security (Enhanced) menu. 
                                  • Change the "Off" setting to "All Files".
                                  • Ensure the "Enable Enhanced Security" box is checked. 

                                  Adobe Protected View
                                  Image via Sophos Naked Security Blog

                                  References










                                  Mozilla Firefox Version 55 Released With Significant Changes and Security Updates


Mozilla sent Firefox Version 55.0 to the release channel today.  Firefox ESR was updated to version 52.3.  There is no mention in the Release Notes of security updates.*  However, there are major changes that will affect users:
1. Via ghacks.net: "Firefox 55.0 breaks compatibility with older versions of the browser and Firefox ESR. Users who want to downgrade are advised to back up their profiles prior to installing the update." See "Changed" below.
2. Important Note:  Although 32-bit installations will upgrade with this version, the 64-bit version is now the default on 64-bit systems with 2GB RAM.  Starting with version 56, Firefox will "silently and forcibly auto-upgrade" users running the 32-bit version of Firefox on 64-bit computers with more than 2GB of RAM to the 64-bit version. The next scheduled release is September 26, 2017 (5 week cycle with release for critical fixes as needed).
3. Adobe Flash Player is now click-to-activate.
4. Also, see the following regarding add-ons starting in Firefox 57:  Firefox add-on technology is modernizing
*UPDATE:  At the time of publishing the Release Notes, there was no indication of security fixes included.  In the interim, however, the Release Notes have been updated and Version 55 includes five (5) critical, ten (10) high, seven (7) moderate and six (6) low security updates.
                                  New
                                  • Launched Windows support for WebVR, bringing immersive experiences to the web. See examples and try working demos at Mozilla VR.
                                  • Added options that let users optimize recent performance improvements
                                    • Setting to enable Hardware VP9 acceleration on Windows 10 Anniversary Edition for better battery life and lower CPU usage while watching videos
                                    • Setting to modify the number of concurrent content processes for faster page loading and more responsive tab switching
                                  • Simplified installation process with a streamlined Windows stub installer
                                    • Firefox for Windows 64-bit is now installed by default on 64-bit systems with at least 2GB of RAM
                                    • Full installers with advanced installation options are still available
                                  • Improved address bar functionality
                                    • Search with any installed one-click search engine directly from the address bar
                                    • Search suggestions appear by default
                                    • When entering a hostname (like pinterest.com) in the URL bar, Firefox resolves to the secure version of the site (https://www.pinterest.com) instead of the insecure version (http://www.pinterest.com) when possible
                                  • Updated Sidebar for bookmarks, history, and synced tabs so it can appear at the right edge of the window as well as the left
                                  • Added support for stereo microphones with WebRTC
                                  • Simplified printing from Reader Mode
                                  • Updated Firefox for OSX and macOS to allow users to assign custom keyboard shortcuts to Firefox menu items via System Preferences
                                  • Browsing sessions with a high number of tabs are now restored in an instant
                                  • Make screenshots of webpages, and save them locally or upload them to the cloud. This feature will undergo A/B testing and will not be visible for some users.
                                  • Added Belarusian (be) locale

                                  Changed

                                  • Modernized application update UI to be less intrusive and more aligned with the rest of the browser. Only users who have not restarted their browser 8 days after downloading an update or users who opted out of automatic updates will see this change.
                                  • Firefox does not support downgrades, even though this may have worked in past versions. Users who install Firefox 55+ and later downgrade to an earlier version may experience issues with Firefox.
                                  • Made the Adobe Flash plugin click-to-activate by default and allowed only on http:// and https:// URL schemes. (This change will not be visible to all users immediately. For more information see the Firefox plugin roadmap)
                                  Update:

                                  To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

                                  References



