Tuesday, November 14, 2017

Microsoft Security Updates for November, 2017

The November security release consists of 53 security updates, of which 20 are rated Critical, 30 are rated Important and 3 are rated Moderate. The release includes security updates for the following software:
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • ASP.NET Core and .NET Core
  • Chakra Core
The updates address Remote Code Execution, Information Disclosure, "Defense in Depth" (Note: a "Defense-in-Depth" fix does not address an actively exploitable vulnerability; it prevents future vulnerabilities in the same code from appearing when later changes to the surrounding code expose the problem.), Denial of Service, Security Feature Bypass, Spoofing and Elevation of Privilege.

For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

Also see this month's Zero Day Initiative — The November 2017 Security Update Review by Dustin Childs in which he discusses ADV170020 - Microsoft Office Defense in Depth Update, CVE-2017-11830 - Device Guard Security Feature Bypass Vulnerability and CVE-2017-11877 - Microsoft Excel Security Feature Bypass Vulnerability.

Known Issues

    Additional Update Notes

    • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
    • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 
      Note: Users who are concerned about the remote possibility of a false positive (FP) can run this tool from a Command Prompt with the /N parameter appended (detect-only mode).
    • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.


      Remember - "A day without laughter is a day wasted."
      May the wind sing to you and the sun rise in your heart...

      Adobe Shockwave Player Critical Update

      Adobe has released a security update for Adobe Shockwave Player for Windows. This update resolves a critical memory corruption vulnerability that could lead to code execution.

      Although I have yet to need Shockwave Player on this computer, there are still many people who use it.  If you have Shockwave Player installed, please update to the latest version.

      Release date: November 14, 2017
      Vulnerability identifier: APSB17-40
      CVE number: CVE-2017-11294
      Platform: Windows

      The newest version is available here: http://get.adobe.com/shockwave/.  As usual, watch for any pre-checked add-ons not needed for the update.



      Adobe Reader DC and Adobe Acrobat DC Security Updates Released


      Adobe has released security updates for Adobe Reader DC and Adobe Acrobat DC for Windows and Macintosh.  In addition, although Adobe Reader XI reached end-of-life last month, an update has also been released.  These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.  

      Release date:  November 9, 2017
      Vulnerability identifier: APSB17-36
      Platform: Windows and Macintosh

      Update or Complete Download

      Update checks can be run manually by choosing Help > Check for Updates. Although Reader DC and Acrobat DC are both updated to version 2018.009.20044, the unexpected update for Adobe Reader XI stays within the version 11 line.
      Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.



      Adobe Flash Player Critical Security Update


      Adobe has released a new version of Adobe Flash Player. The update addresses critical vulnerabilities that could lead to code execution on Microsoft Windows, Macintosh, Chrome and Linux. The update also includes bug fixes.

      Release date:  November 14, 2017
      Vulnerability identifier: APSB17-33
      Platform: Windows and Macintosh


      *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

        Verify Installation

        To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

        Do this for each browser installed on your computer.

        To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.
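
The checks above are done by hand, one browser at a time. As an added example (not code from the original post or from Adobe, Mozilla or Pale Moon), the PowerShell script below reads the installed-program entries from the standard Windows uninstall registry keys and compares them with the versions named in this month's posts: Acrobat Reader DC 2018.009.20044, Firefox 57.0 and Pale Moon 27.6.0. The display-name patterns, the expected-version table and the assumption that Adobe records DC versions in the registry with a two-digit year (18.009.20044) are this example's own; Flash Player has no expected version because the post does not state one, so it is reported only.

```powershell
# Added example, not from the original post: compare installed program versions
# against the versions named in these posts. The registry paths are the standard
# Windows uninstall keys; the name patterns and expected versions are assumptions.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Expected versions taken from the posts; $null means "report the installed version only".
$expected = @(
    @{ Name = 'Adobe Acrobat Reader DC'; Pattern = '^Adobe Acrobat Reader DC'; Version = '2018.009.20044' },
    @{ Name = 'Mozilla Firefox';         Pattern = '^Mozilla Firefox';         Version = '57.0' },
    @{ Name = 'Pale Moon';               Pattern = '^Pale Moon';               Version = '27.6.0' },
    @{ Name = 'Adobe Flash Player';      Pattern = '^Adobe Flash Player';      Version = $null }   # not stated in the post
)

function Get-InstalledVersions {
    # Enumerate every uninstall entry that has both a name and a version.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion
}

function ConvertTo-Version {
    param([string]$Text)
    # Flash writes versions with commas (27,0,0,187); [version] wants dots.
    $parts = ($Text -replace ',', '.').Split('.')
    # Assumption: Adobe's uninstall entries store DC versions with a two-digit year
    # (18.009.20044 for 2018.009.20044), so a four-digit year is shortened to match.
    if ($parts[0] -match '^20\d\d$') { $parts[0] = $parts[0].Substring(2) }
    # [version] needs at least two components.
    if ($parts.Count -lt 2) { $parts += '0' }
    [version]($parts -join '.')
}

function Compare-InstalledVersion {
    param([string]$Installed, [string]$Expected)
    if ((ConvertTo-Version $Installed) -ge (ConvertTo-Version $Expected)) { 'OK' } else { 'OUTDATED' }
}

$installed = Get-InstalledVersions
foreach ($app in $expected) {
    $found = $installed | Where-Object { $_.DisplayName -match $app.Pattern }
    if (-not $found) {
        Write-Output ("{0,-28} not installed" -f $app.Name)
        continue
    }
    foreach ($entry in $found) {
        if ($app.Version) {
            $status = Compare-InstalledVersion -Installed $entry.DisplayVersion -Expected $app.Version
            Write-Output ("{0,-40} {1,-16} expected >= {2,-16} {3}" -f $entry.DisplayName, $entry.DisplayVersion, $app.Version, $status)
        } else {
            Write-Output ("{0,-40} {1,-16} (no expected version given; compare with the bulletin)" -f $entry.DisplayName, $entry.DisplayVersion)
        }
    }
}
```

Run it from a normal PowerShell prompt; no elevation is needed to read these keys. An application that shows OUTDATED, or that is missing from the list while still present on disk (a per-user install under HKCU, for example), is the one to update by hand using the steps in the posts.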



        Mozilla Firefox Version 57.0 Released with Security Updates

        Mozilla sent Firefox Version 57.0 to the release channel today. The update includes four (4) security fixes: 1 Critical, 1 High, 1 Moderate and 1 Low.

        Update:  Firefox ESR version 52.5 has been released.

        With this release, "legacy" add-ons (XUL-based) will no longer function. This update changes the add-ons system to the WebExtensions API. The Mozilla Add-ons portal will list only WebExtensions-compatible add-ons by default. Legacy extensions are listed separately under Tools > Add-ons. From there click "Find a Replacement" and check the three pages of available extensions.

        In addition, this update introduces the new Quantum engine (Firefox Quantum), which replaces parts of the familiar old Gecko engine.

        Security Updates
        • Critical Vulnerability: Can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.
        • High Vulnerability:  Can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.
        • Moderate:  Vulnerabilities that would otherwise be High or Critical except they only work in uncommon non-default configurations or require the user to perform complicated and/or unlikely steps.
        • Low:  Minor security vulnerabilities such as Denial of Service attacks, minor data leaks, or spoofs. (Undetectable spoofs of SSL indicia would have "High" impact because those are generally used to steal sensitive data intended for other sites.)


        • A completely new browsing engine, designed to take full advantage of the processing power in modern devices
        • A redesigned interface with a clean, modern appearance, consistent visual elements, and optimizations for touch screens
        • A unified address and search bar. New installs will see this unified bar. Learn how to add the stand-alone search bar to the toolbar
        • A revamped new tab page that includes top visited sites, recently visited pages, and recommendations from Pocket (in the US, Canada, and Germany)
        • An updated product tour to orient new and returning Firefox users
        • AMD VP9 hardware video decoder support for improved video playback with lower power consumption
        • An expanded section in preferences to manage all website permissions


        • Firefox now exclusively supports extensions built using the WebExtension API, and unsupported legacy extensions will no longer work. Learn more about our efforts to improve the performance and security of extensions
        • The browser's autoscroll feature, as well as scrolling by keyboard input and touch-dragging of scrollbars, now use asynchronous scrolling. These scrolling methods are now similar to other input methods like mousewheel, and provide a smoother scrolling experience
        • The content process now has a stricter security sandbox that blocks filesystem reading and writing on Linux, similar to the protections for Windows and macOS that shipped in Firefox 56
        • Middle mouse paste in the content area no longer navigates to URLs by default on Unix systems
        • Removed the toolbar Share button. If you relied on this feature, you can install the Share Backported extension instead.
        • Some older versions of the ATOK IME, including ATOK 2006, 2008, 2009 and 2010, can cause crashes and are therefore disabled on the Windows 64-bit version of Firefox Quantum. To fix those incompatibility issues, please use a newer version of ATOK or one of the other IMEs.
        • The default font for Japanese text is now Meiryo


          To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.



          Friday, November 10, 2017

          Lest We Forget

          Whether you call it Veteran's Day, Armistice Day or Remembrance Day, November 11th is a time to put aside politics and pay tribute to all who died for their country.  It is also a perfect time to thank the Veterans in whatever country you live in. 

          As in previous years, I am republishing my friend Canuk's last tribute and, once again, adding a special thank you to my friends "Phantom Phixer" and "Ghost".

          The comment Canuk posted provides one example of why he was a special person:
          "I too "will remember your friends who never had a full life", while thanking you and your comrades who have served with pride, honesty and honour.

          Despite anyone's thoughts of the current conflict in Iraq - opposition or agreement, we must always remember that these brave young men and women are fighting for a cause they also may or may not agree with. The huge difference between them and us is that they are putting their lives on the line 24/7 while we sit in our homes in comfort, using the freedom of speech previous warriors won for us, and for that they deserve our love, respect, and support."
          LEST WE FORGET

          We Shall Keep the Faith by Moina Michael, November 1918

          Oh! you who sleep in Flanders Fields,
          Sleep sweet - to rise anew!
          We caught the torch you threw
          And holding high, we keep the Faith
          With All who died.

          We cherish, too, the poppy red
          That grows on fields where valor led;
          It seems to signal to the skies
          That blood of heroes never dies,
          But lends a lustre to the red
          Of the flower that blooms above the dead
          In Flanders Fields.

          And now the Torch and Poppy Red
          We wear in honor of our dead.
          Fear not that ye have died for naught;
          We'll teach the lesson that ye wrought
          In Flanders Fields.


          Tuesday, November 07, 2017

          Pale Moon Version 27.6.0 Released With Security Updates

          Pale Moon has been updated to Version 27.6.0. This is a major development update. Details from the Release Notes:

          Security/privacy fixes:
          • Added an option to clear Site Connectivity Data (delete history).
          • Removed stale entries from the HSTS preload list, and improved generation/processing of it.
          • Removed undesired certificate issuer organization to common name fallback (if issuer org is empty).
          • Added pretty-printing for ECDSA-SHA224, 256, 384 and 512 hashed certificate signatures.
          • Worked around some more issues with broken Apple fonts.

          • Dropped support for Direct2D 1.0 to avoid font rendering issues. Windows installations not capable of using Direct2D 1.1 will now fall back to software rendering. As a result, fonts may look different from this version onwards if you are on Windows Vista or Windows 7. Users on Windows 7 affected by this should install the Platform Update to re-enable Direct2D.
          • Updated the Brotli decoder library, and enabled support for Brotli HTTP content-encoding by default.
          • Added notifications to inform users about WebExtensions not being supported if they try to install them (as opposed to "extension is corrupt")
          • Added a number of DOM childNode convenience functions. This should fix some lazy-loading frameworks. (enjoy your LOLcats again!)
          • Changed automatic updates over to the new infrastructure.
          • Added extra proxy settings in Options, covering DNS lookups through SOCKS v5 and automatic proxy authentication with known credentials.
          • Added a selectable fallback character encoding of UTF-8 and fallback to UTF-8 as a last effort. (Issue #1423)
          • Improved timing of canplay and canplaythrough firing to work around a potential race condition locking up queued video playback.
          • Improved upmixing of mono sound for multi-channel setups.
          • Fixed a parallelization issue with the KISS-FFT library causing CPU-deadlocked threads (Issue #1425)
          • Fixed "Remove from history" function from the downloads panel.
          • Forced focus on the address bar in new windows if the content is a blank/empty document.
          • Fixed the dropmarker in the address bar to allow the suggestions to be closed with a click.
          • Further cleaned up the status bar code.
          • Disabled window.showModalDialog; it's been removed from the spec 2 years ago and has potential abuse issues (modal dialogs block the UI)
          • Fixed image decoder calls to make sure the image load event doesn't fire prematurely.
          • Updated LibPNG to 1.6.28, and enabled faster SSE2 decoding.
          • Updated WOFF2 code from upstream.
          • Updated the zlib compression library.
          • Made general improvements to internal code structure and spec adherence.
          • Fixed an issue with certain command-line parameters being used.
          • Updated the default theme to improve consistency and contrast of toolbar and download buttons.
          • Increased the default duration of notification pop-ups and made them configurable.
          • Improved handling of audio-visual media (ongoing).
          • Fixed an issue in CSS where elements would sometimes reflow to the next line even with sufficient visual space.
          • Aligned the implementation of for(let x=y;;) loops with the final ES6 specification.
          • Fixed the selection system inside of a nested contenteditable element being broken.
          • Fixed Windows 10 detection for blocklisting graphics drivers.
          • Enabled pasting of clipboard data in documents without an editor element to improve web compatibility.
          • Fixed the uninstallation routine of restartless add-ons.
          • Fixed the handling of unimplemented functions in the console API.
          • Updated the Facebook user-agent to enable otherwise vendor-restricted functionality.
          • Updated the SVG scaling cache limit to be more lenient for larger SVG images at a small performance trade-off, working around some sites' design issues.
          Minimum System Requirements (Windows):
          • Windows Vista/Windows 7/8/10/Server 2008 or later
          • Windows Platform Update (Vista/7) strongly recommended
          • A processor with SSE2 instruction support
          • 256 MB of free RAM (512 MB or more recommended)
          • At least 150 MB of free (uncompressed) disk space
          Pale Moon includes both 32- and 64-bit versions for Windows.


          To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.
