Friday, April 28, 2017

PaleMoon Version 27.3 Released with Security Updates


Pale Moon has been updated to Version 27.3.  Included in the updates are DiD* patches.
*DiD stands for "Defense-in-Depth" and is a fix that does not apply to an actively exploitable vulnerability in Pale Moon but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.

Note that Version 27.3 is a major development update with many changes in the media back-end.  As a result, it is important to realize that some aspects are still a work in progress and some html5 video playback issues with MSE (Media Source Encryption) may be encountered.

Details from the Release Notes:

Security/privacy changes:
  • Updated NSS to 3.28.4-RTM to address a number of issues.
  • Added support for RSA-AES(-GCM)-SHA256/384 suites to broaden compatibility.
  • Reconfigured networking security: disabled static DHE suites by default, enabled all RSA-AES(-GCM)-SHA256/384 suites in their stead.
  • Fixed referrer policy keyword to align with the current spec ("cross-origin" vs "crossorigin").
  • Added an option to display punycode domain for IDN websites to combat phishing.
    This is enabled by default for domain-validated https sites.
    Preference: browser.identity.display_punycode
    0 = Display IDN name in identity panel (previous behavior)
    1 = Display punycode name for DV SSL domains (default)
    2 = Also display punycode for HTTP sites if IDN name used
  • Fixed an issue to prevent contacting remote servers when a connection might get blocked.
  • Fixed 3 public security flaws in libevent, which may affect Mozilla-based products. DiD
  • Fixed several memory- and thread-safety hazards.
  • Fixed an address bar spoofing issue. (CVE-2017-5451)
  • Fixed a potentially exploitable crash with HTTP/2. (CVE-2017-5446)
  • Fixed several security hazards in XSLT processing. (CVE-2017-5438) (CVE-2017-5439) (CVE-2017-5440)
  • Fixed several security hazards in old protocols. (CVE-2017-5444) (CVE-2017-5445)
  • Fixed out-of-bounds access in text formatting. (CVE-2017-5447)
  • Fixed a potentially exploitable issue with innerText. (CVE-2017-5442)
  • Fixed a potentially exploitable issue in graphite font shaping.
  • Fixed a potentially exploitable crash with credential-authentication.
  • Fixed out-of-bounds access with text selection in rare cases.
  • Fixed a security hazard in the ANGLE library.
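The punycode display preference above is easier to reason about with a concrete look-alike name in hand. The following Python script is an added example written for this post; it is not Pale Moon code. It converts IDN hostnames to their ASCII xn-- form with the standard library's idna codec, models the three browser.identity.display_punycode values as the release note describes them (the displayed_host function and its scheme/DV arguments are an assumption about those semantics, not the browser's implementation), and flags labels that mix scripts, which is the property that makes a homograph name deceptive. The sample hostnames are constructed.

```python
import unicodedata

# Constructed sample hostnames (not taken from the Pale Moon release notes).
# The look-alike name has a Cyrillic small "a" (U+0430) in place of the Latin
# letter, so it renders almost identically but is a different domain.
SAMPLE_HOSTS = {
    "ascii": "example.com",
    "idn": "b\u00fccher.example",
    "lookalike": "p\u0430ypal.com",
}


def is_idn(hostname: str) -> bool:
    """True when any label contains a non-ASCII character."""
    return not hostname.isascii()


def to_punycode(hostname: str) -> str:
    """Return the ASCII-compatible (xn--) form of a hostname.

    The stdlib 'idna' codec applies nameprep and punycode label by label,
    so ASCII-only labels such as 'com' pass through unchanged.
    """
    return hostname.encode("idna").decode("ascii")


def displayed_host(hostname: str, pref: int, scheme: str, dv_validated: bool) -> str:
    """Model of the three browser.identity.display_punycode values.

    Assumption: this mirrors the semantics the release note lists
    (0 = always the Unicode name, 1 = punycode for DV https sites,
    2 = also punycode for http sites); it is not Pale Moon's implementation.
    """
    if not is_idn(hostname):
        return hostname  # already ASCII, nothing to convert
    if pref == 0:
        return hostname
    if pref == 1:
        show_punycode = scheme == "https" and dv_validated
    elif pref == 2:
        show_punycode = scheme == "http" or (scheme == "https" and dv_validated)
    else:
        raise ValueError(f"unknown display_punycode value {pref!r}")
    return to_punycode(hostname) if show_punycode else hostname


def label_scripts(label: str) -> set:
    """Script names (first word of the Unicode character name) of the
    alphabetic characters in one label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {
        unicodedata.name(ch, "UNKNOWN").split()[0]
        for ch in label
        if ch.isalpha()
    }


def mixed_script_labels(hostname: str) -> list:
    """Labels whose letters come from more than one script: the classic
    homograph pattern that a punycode display is meant to expose."""
    return [label for label in hostname.split(".") if len(label_scripts(label)) > 1]


if __name__ == "__main__":
    for kind, host in SAMPLE_HOSTS.items():
        print(f"{kind:10} unicode={host!r} punycode={to_punycode(host)!r} "
              f"mixed={mixed_script_labels(host)}")
    lookalike = SAMPLE_HOSTS["lookalike"]
    for pref in (0, 1, 2):
        print(f"pref={pref} https/DV: {displayed_host(lookalike, pref, 'https', True)}"
              f"  http: {displayed_host(lookalike, pref, 'http', False)}")
```

Running it shows why the default of 1 is the pragmatic middle ground: the look-alike name is rendered as xn--pypal-4ve.com on a DV https site, while a legitimate IDN such as bücher.example is only ever shown as its xn-- form when the preference is in effect for that scheme. The mixed-script check is a useful companion but not a complete defence: a label built entirely from one non-Latin script can still resemble a Latin brand, which is exactly the case the punycode display catches and a script-mixing rule alone does not.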

Changes/fixes:
  • Fixed up, checked and enabled vertical text writing modes!
    Pale Moon will now be able to display vertical, right-to-left script.
  • Added the option to reset non-default profiles.
  • Fixed various issues in the WebP image decoder.
  • Added internally-supported document types to allowed types.
  • Fixed locale selection in ICU after update to ICU58.
    (Note: Pale Moon uses the system locale for date formatting, not the browser locale)
  • Re-implemented the previous spellchecker dictionary logic (allow user override of document/element language, improve logic and make it unambiguous).
  • Ongoing fixes for the MP4 parser and MSE.
  • Made HTML Media Elements' preload attribute MSE-spec compliant.
    The preload attribute on HTML media elements is now ignored in the case of an MSE source. This prevents an issue with sourceopen not firing when preload="none".
  • Fixed some issues with Windows WMF media playback.
  • Fixed an issue with Synced preferences sometimes overwriting stored individual preferences.
  • Fixed display of RSS folder icons.
  • Fixed issues with custom context menus.
  • Fixed an issue importing bookmarks with separators losing their extra data.
  • Changed the way numeric addresses are handled in the address bar so it doesn't perform a search when it shouldn't.
  • Added an option (browser.sessionstore.cache_behavior) to control from which source restored tabs pull their page content:
    0 = load restored tab data from cache (current behavior, default)
    1 = refresh restored tab data from the network
    2 = refresh stored tab data from the network and bypass any cached data.
  • Improved upon a v27 performance regression with SVG scaling.
  • Improved performance by being more selective about which CSS animations to process.
    As a side-effect, elements changing their display from "none" to something visible now also animate.
  • Increased memory allocation for the use of very large PAC files.
  • Added menu entries for the permissions manager and improvements to its function and display.
  • Added preferences to control "highlight all" behavior of the find bar:
    accessibility.typeaheadfind.highlightallbydefault = true/false highlight all found words by default.
    accessibility.typeaheadfind.highlightallremember = true/false remember the last-used state of Highlight All.
  • Added devtools command-line options.
  • Added remote IP and protocol to Devtools->Network entry details.
  • Added support for
    and HTML tags.
  • Fixed a regression in the MSIE profile migrator.
  • Removed migration of browser-specific settings when migrating data from IE/Safari.
  • Implemented optional parameters for permessage-deflate in preparation for RFC7692 errata making acceptance of them mandatory (and to prevent web compat issues due to the current conflicting text of it).
  • Made the image document favicon skinnable.
  • Aligned DOM selection addRange with the spec.
  • Exposed mozAnon constructor js binding to system scopes for XHR.
  • Enhanced form data handling from JavaScript.

Minimum System Requirements (Windows):
  • Windows Vista/Windows 7/8/10/Server 2008 or later
  • Windows Platform Update (Vista/7) strongly recommended
  • A processor with SSE2 instruction support
  • 256 MB of free RAM (512 MB or more recommended)
  • At least 150 MB of free (uncompressed) disk space

Pale Moon includes both 32- and 64-bit versions for Windows, Pale Moon Portable, Pale Moon for Linux and Pale Moon for Android.

Update

To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Wednesday, April 19, 2017

Mozilla Firefox Version 53.0 Released with Massive Security Updates

Mozilla sent Firefox Version 53.0 to the release channel today.  The update includes a massive 35 security updates identified as eight (8) Critical, sixteen (16) High, seven (7) Moderate updates and four (4) low security updates.  Firefox ESR was updated to version 45.9.0.

The next scheduled release is June 13, 2017 (5 week cycle with release for critical fixes as needed).

Security Fixes:

Critical

High

Moderate

Low

New

• Improved graphics stability for Windows users with the addition of compositor process separation (Quantum Compositor)
• Two new 'compact' themes available in Firefox, dark and light, based on the Firefox Developer Edition theme
• Lightweight themes are now applied in private browsing windows
• Reader Mode now displays estimated reading time for the page
• Windows 7+ users on 64-bit OS can select 32-bit or 64-bit versions in the stub installer

Changed

• Updated the design of site permission requests to make them harder to miss and easier to understand
• Windows XP and Vista are no longer supported. XP and Vista users running Firefox 52 will continue to receive security updates on Firefox ESR 52.
• 32-bit Mac OS X is no longer supported. 32-bit Mac OS X users can switch to Firefox ESR 52 to continue receiving security updates.
• Updates for Mac OS X are smaller in size compared to updates for Firefox 52
• Media playback on new tabs is blocked until the tab is visible
• The last few characters of shortened tab titles fade out instead of being replaced by ellipses to keep more of the title visible
• New visual design for audio and video controls
• Ended Firefox Linux support for processors older than Pentium 4 and AMD Opteron

Update:

To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.





Tuesday, April 18, 2017

Oracle Java Critical Security Updates Released

Oracle released the scheduled critical security updates for its Java SE Runtime Environment software.  The update contains eight (8) new security fixes for Oracle Java SE.
Details for the CVEs addressed in the update are available here.

Update

If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

Download Information

Download link:  Java SE 8u131

Verify your version:  http://www.java.com/en/download/testjava.jsp

Notes:
• Minimally, UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.  Preferably, see the instructions below on how to handle "Unwanted Extras".
• Starting with Java SE 7 Update 21 in April 2013, all Java Applets and Web Start Applications should be signed with a trusted certificate.  Running applets that are unsigned or signed with an untrusted certificate is not recommended.  See How to protect your computer against dangerous Java Applets

Critical Patch Updates

For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
• 18 July 2017
• 17 October 2017
• 16 January 2018
• 17 April 2018

Unwanted "Extras"

Although most people do not need Java on their computer, there are some programs and games that require Java.  In the event you need to continue using Java, How-to Geek discovered a little-known and unpublicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates.  Although the Ask Toolbar has been removed, that does not preclude the pre-checked option for some other unnecessary add-on.

Do the following to suppress the sponsor offers:
1. Launch the Windows Start menu
2. Click on Programs
3. Find the Java program listing
4. Click Configure Java to launch the Java Control Panel
5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
6. Check the box by the "Suppress sponsor offers when installing or updating Java" option and click OK.

Java Security Recommendations

1)  In the Java Control Panel, at minimum, set the security to high.
2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.
3)  Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml





Sunday, April 16, 2017

"Khrystos Voskres!" Happy Easter!

"Khrystos Voskres!"

(Christ is Risen!)

"Voistyno Voskres!"

(He is Truly Risen!)










Tuesday, April 11, 2017

Microsoft Security Updates for April, 2017

Today marks a red letter day for Microsoft updates.  In addition to security updates, sparking the most attention is the official release of the Windows 10 Creators Update (see the Windows Experience Blog post, What's new in the Windows 10 Creators Update).

Of lesser interest to many is the official "End of Life" for Windows Vista.

Also of note is the security guidance, Defense-in-Depth Update for Microsoft Office:
"Microsoft has released an update for Microsoft Office that turns off, by default, the Encapsulated PostScript (EPS) Filter in Office as a defense-in-depth measure. Microsoft is aware of limited targeted attacks that could leverage an unpatched vulnerability in the EPS filter and is taking this action to help reduce customer risk until the security update is released.

Microsoft strongly recommends against turning on the EPS filter at this time, however customers who need to turn on the EPS filter can reference KB Article 2479871."

April Security Update Details:

The April Microsoft updates address vulnerabilities in Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office and Microsoft Office Services and Web Apps, Visual Studio for Mac, .NET Framework, Silverlight and Adobe Flash Player for Windows 8.1 and above.  Addressed in the updates are Remote Code Execution and Elevation of Privilege.

Microsoft has completed the change replacing security bulletins with the new Security Updates Guide.  The new guide includes the ability to view and search security vulnerability information in a single online database. The guide is described as a "portal" by the MSRC Team in Furthering our commitment to security updates. For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Information about the update for Windows 10 is available at Windows 10 update history.

Additional Update Notes

• Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
• MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.
• Reminder:  Windows Vista Reaching End of Life (EoL)
• Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.






Adobe Flash Player Critical Security Update

Adobe has released Version 25.0.0.148 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

These updates address critical vulnerabilities that could lead to code execution and potentially allow an attacker to take control of the affected system.

Release date: April 11, 2017
Vulnerability identifier: APSB17-10
CVE number: CVE-2017-3058, CVE-2017-3059, CVE-2017-3060, CVE-2017-3061, CVE-2017-3062, CVE-2017-3063, CVE-2017-3064
Platform: Windows, Macintosh, Linux and Chrome OS

Update:

Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu.

Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.









Adobe Reader and Acrobat Critical Security Updates

Adobe has released security updates for Adobe Reader and Acrobat XI for Windows and Macintosh. These updates address critical vulnerabilities including code execution, heap buffer overflow, memory corruption, integer overflow and, finally, vulnerabilities in the directory search path used to find resources that could lead to code execution.

Release date: April 11, 2017
Vulnerability identifier: APSB17-11
CVE Numbers: CVE-2017-3011, CVE-2017-3012, CVE-2017-3013, CVE-2017-3014, CVE-2017-3015, CVE-2017-3017, CVE-2017-3018, CVE-2017-3019, CVE-2017-3020, CVE-2017-3021, CVE-2017-3022, CVE-2017-3023, CVE-2017-3024, CVE-2017-3025, CVE-2017-3026, CVE-2017-3027, CVE-2017-3028, CVE-2017-3029, CVE-2017-3030, CVE-2017-3031, CVE-2017-3032, CVE-2017-3033, CVE-2017-3034, CVE-2017-3035, CVE-2017-3036, CVE-2017-3037, CVE-2017-3038, CVE-2017-3039, CVE-2017-3040, CVE-2017-3041, CVE-2017-3042, CVE-2017-3043, CVE-2017-3044, CVE-2017-3045, CVE-2017-3046, CVE-2017-3047, CVE-2017-3048, CVE-2017-3049, CVE-2017-3050, CVE-2017-3051, CVE-2017-3052, CVE-2017-3053, CVE-2017-3054, CVE-2017-3055, CVE-2017-3056, CVE-2017-3057, CVE-2017-3065
Platform: Windows and Macintosh

Update or Complete Download

Update checks can be manually activated by choosing Help > Check for Updates.
Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

Enable "Protected View"

Due to frequent vulnerabilities, it is recommended that Windows users of Adobe Reader and Acrobat ensure that Protected View is enabled.  Neither the Protected Mode nor the Protected View option is available for Macintosh users.

To enable this setting, do the following:
• Click Edit > Preferences > Security (Enhanced) menu.
• Change the "Off" setting to "All Files".
• Ensure the "Enable Enhanced Security" box is checked.
