Friday, March 24, 2017

Microsoft Released Replacement Cumulative Updates



Microsoft released three replacement cumulative updates.

There is one update each for Windows 10 version 1607 (Anniversary Update) and version 1511.  The update includes quality improvements with no new operating system features introduced.

The third update is for Windows 8.1, Windows Server 2012 R2, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1 and is applicable if experiencing the symptom described below.

  • Windows 10, 1607, OS Build 14393.970: KB4016635
    • Addressed a known issue with KB4013429 that caused form display issues with CRM 2011 on Internet Explorer 11. 
    • Addressed the issue with KB4013429 that prevents users from updating apps from Windows Store with 0x80070216 error.
    • To get the stand-alone package for this update, go to the Microsoft Update Catalog

  • Windows 10, 1511, OS Build 10586.842: KB4016636
    • Addressed a known issue with KB4013198 that caused form display issues with CRM 2011 on Internet Explorer 11.
    • To get the stand-alone package for this update, go to the Microsoft Update Catalog.

  • Windows 8.1, Windows Server 2012 R2, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1: KB4016446
    • This update is only needed if you are experiencing an issue with forms in Microsoft Dynamics CRM 2011 not displayed correctly after KB 4013073 is installed on a Windows system that is running Internet Explorer 11.
    • To get the stand-alone package for this update, go to the Microsoft Update Catalog website.
If you installed earlier updates, only the new fixes contained in the respective package will be downloaded and installed.

The updates are also available from Windows Update.




Home
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Pale Moon Version 27.2.1 Released


Pale Moon
Pale Moon has been updated to Version 27.2.1.  The update fixes some stability and usability issues.

Details from the Release Notes:

      Changes/fixes:

      • Fixed an issue with planar alpha handling (transparency) when drawing JXR images.
      • Fixed a crash related to a change JavaScript array handling introduced in 27.2.0.
        This became apparent with the pentadactyl extension, but could happen in other situations as well.
      • Fixed a crash when opening ridiculously large images with HQ scaling enabled (default).
        Pale Moon will now only apply HQ scaling for images within reasonable limits (64 Mpix or smaller). Images larger than that may not display properly when zooming in, or may not display at all, even scaled down (e.g. >256 Mpix large) and show a "broken image" placeholder instead; please use dedicated image viewer applications for those kinds of images; it is outside the scope of a web browser to handle such large images.
      • Changed the way URL hashes are handled, and will no longer %-decode anchor hash identifiers by default.
        Note that this is against RFC 3986, which states that any part of the URL scheme that isn't data should be decoded.
        This is required for web compatibility because several sites use hash links to pass actual data to web applications (Please don't do this! Hashes ar part of the URL address, should only consist of "safe" characters, and aren't suited to pass arbitrary data) and the most common browsers no longer follow the RFC in that respect.
        If you want RFC compliance, switch dom.url.getters_decode_hash to true
      • Restored 2 RSA Camellia cipher suites that were missing: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA and TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
      • Fixed an issue with custom toolbars getting deleted during upgrade from 27.0/27.1 to 27.2

        Minimum system Requirements (Windows):
        • Windows Vista/Windows 7/8/10/Server 2008 or later
        • Windows Platform Update (Vista/7) strongly recommended
        • A processor with SSE2 instruction support
        • 256 MB of free RAM (512 MB or more recommended)
        • At least 150 MB of free (uncompressed) disk space
        Pale Moon includes both 32- and 64-bit versions for Windows:

        Update

        To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.




        Remember - "A day without laughter is a day wasted."
        May the wind sing to you and the sun rise in your heart...


        Monday, March 20, 2017

        Microsoft Released Replacement Cumulative Update



        Microsoft released a new cumulative update for PCs running the "Anniversary Update, Version 1607.  KB4015438 replaces KB4013429 and is a quality improvement update and does not include any new features.

        Key changes include:
        • Addressed a known issue with KB4013429 that caused Windows DVD Player (and 3rd party apps that use Microsoft MPEG-2 handling libraries) to crash.

        • Addressed a known issue with KB4013429, that some customers using Windows Server 2016 and Windows 10 1607 Client with Switch Embedded Teaming (SET) enabled might experience a deadlock or when changing the physical adapter’s link speed property. This issue is most commonly seen as a DPC_WATCHDOG_VIOLATION or when verifier is enabled a VRF_STACKPTR_ERROR is seen in the Memory dump.
        If you installed earlier updates, only the new fixes contained in this package will be downloaded and installed.

        The update is available from Windows Update.  The standalone package is available in the Microsoft Update Catalog.




        Home
        Remember - "A day without laughter is a day wasted."
        May the wind sing to you and the sun rise in your heart...

        Saturday, March 18, 2017

        Pale Moon Version 27.2 Released with Security Updates


        Pale Moon
        Pale Moon has been updated to Version 27.2.  The update focuses on back-end improvements and security. Included in the updates are DiD* patches.
        *DiD stands for "Defense-in-Depth" and is a fix that does not apply to an actively exploitable vulnerability in Pale Moon but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.
        Details from the Release Notes:

        Security and Privacy Changes:
        • Added support for 256-bit AES-GCM encryption.
        • Added support for ChaCha20-Poly1305 encryption.
        • Removed support for Camellia-GCM since nobody seems interested in it.
          (Camellia in 128/256-bit CBC block mode is still fully supported).
        • Added support for SHA-224, SHA-256, SHA-384 and SHA-512 to Crypto utils.
        • Improved status handling of secure sites to be less sensitive to "insecure" items that are local.
        • Fixed print preview hijacking. (CVE-2017-5421)
        • Fixed a potentially exploitable crash in OnStartRequest. (CVE-2017-5416)
        • Fixed potential cross-origin content-stealing through a timing attack. (CVE-2017-5407) DiD
        • Fixed a denial-of-service problem with view-source. (CVE-2017-5422)
        • Fixed crash in directional controls. (CVE-2017-5413)
        • Fixed a perceived problem with chrome manifests. (CVE-2017-5427)
        • Fixed the use of an uninitialized value. (CVE-2017-5405)
        • Fixed a buffer overflow. (CVE-2017-5412)
        • Fixed a UAF situation. (CVE-2017-5403)
        • Fixed a potential spoofing issue with the address bar. (CVE-2017-5417)
        • Fixed a potential issue in libvpx. (CVE-2017-5402) DiD
        • Fixed a potential issue with HTTP auth. (CVE-2017-5418)
        • Fixed several memory safety hazards and potentially exploitable crashes. DiD
            Changes/fixes:
            • Updated the ICU lib to 58.2 to fix a number of issues.
            • Added proper control for the user for offline storage for web applications.
            • Added a check to prevent auto-filled URLs from copying the auto-filled selection to clipboard/primary.
            • Added the feature to pass a URL to open in a private window from the command-line.
            • Improved the display of the downloads indicator on the button in bright-text situations.
            • DOM storage now honors the "3rd party cookie" setting in that it will not allow 3rd party data to be stored if 3rd party cookies are disallowed.
            • Allowed toolbar button badges to be properly styled.
            • Updated the hunspell spellchecking library to 1.6.0 to fix a number of issues.
            • Fixed desktop notifications being off-screen if fired in rapid succession.
            • Added Element.insertAdjacentElement and Element.insertAdjacentText DOM functions.
            • Added support for JPEG-XR images.
              This makes Pale Moon have the broadest support for image formats of all web browsers.
              (enabled by default; you can disable this with media.jxr.enabled).
            • Completely removed the use of GStreamer on Linux.
            • Added support for element.innerText.
            • Custom toolbars should now properly remember their state.
            • Fixed some more playback issues with MP4/MSE videos.
              Please be aware that we are still working on further improving MSE video handling.
            • Changed media processing to reduce dangerous processing asynchronicity.
              This should also make media elements and playback more responsive.
            • Fixed a useragent string regression always displaying the minor Goanna version as .0
            • Updated NSPR to 4.13.1.
            • Updated NSS to 3.28.3-RTM.
            • Fixed unrestricted icon sizes in PMkit buttons.
            • Fixed unresponsive buttons on support page when not building the updater.
            • Fixed the use of "View image" and "Save image as" on extremely large images.
            • Changed the way "View Image" and "Save image as" work on canvas elements.
            • Made checking for dangerously large resolution PNG images smarter.
              It will now accept larger "strip"-aspect ratio images while reducing unsupported large image resolutions.
              This will e.g. fix Gmail's "emoji" window that uses a ridiculously long but very narrow single image to store all the emoticon pictures.
            • Converted several hard-coded URLs to preferences.
            • Updated the google.com override so it would not cripple services based on UA sniffing.
            • Added Inner and Outer Window ID administration.
            • Fixed the add-on discovery pane detection.
            • Added support for canvas ellipse.
            • Improved drawing of certain MathML elements at problematic zoom levels.
            • No longer building gamepad support.
            • Updated Harfbuzz font shaper to 1.4.3 to fix a number of issues.
            • Fixed a number of crashes (layout, plugins, uncommon navigation, bad URLs).
            • Aligned SVG specular filters with the spec.
            Minimum system Requirements (Windows):
            • Windows Vista/Windows 7/8/10/Server 2008 or later
            • Windows Platform Update (Vista/7) strongly recommended
            • A processor with SSE2 instruction support
            • 256 MB of free RAM (512 MB or more recommended)
            • At least 150 MB of free (uncompressed) disk space
            Pale Moon includes both 32- and 64-bit versions for Windows:

            Update

            To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.




            Remember - "A day without laughter is a day wasted."
            May the wind sing to you and the sun rise in your heart...


            Mozilla Firefox Version 52.0.1 Released with One Critical Security Update


            FirefoxMozilla sent Firefox Version 52.0.1 to the release channel. The update includes one (1) Critical security update.

            Security Fix:



            Critical

              Update

              To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

                References




                Remember - "A day without laughter is a day wasted."
                May the wind sing to you and the sun rise in your heart...




                Tuesday, March 14, 2017

                Adobe Shockware Player Security Update

                Shockwave Player Adobe has released a critical security update for Adobe Shockwave Player which update address an important vulnerability that could potentially lead to escalation of privilege.

                Although I have yet to need Shockwave Player on this computer, there are still many people who use it.  If you have Shockwave Player installed, please update to the latest version.

                Release date: March 14, 2017
                Vulnerability identifier: APSB17-08

                CVE number: CVE-2017-2983
                Platform: Windows

                The newest version 12.2.8.198 is available here: http://get.adobe.com/shockwave/.  As usual, watch for any pre-checked add-ons not needed for the update.

                References


                Remember - "A day without laughter is a day wasted."
                May the wind sing to you and the sun rise in your heart...


                Microsoft Security Updates for March, 2017


                After the last minute issue that resulted in the postponement of the February updates, security updates have been released for March.

                Although this was to be the start of replacing security bulletins with the new Security Updates Guide, security bulletins were also published this month to provide extra time to prepare for the transition. The new guide includes the ability to view and search security vulnerability information in a single online database. The guide is described as a "portal" by the MSRC Team in Furthering our commitment to security updates.

                March Security Update Details:

                Microsoft released seventeen (17) bulletins.  Nine (9) bulletins are identified as Critical and eight (8) rated Important in severity

                The updates address vulnerabilities in Microsoft Windows, Microsoft Edge, Internet Explorer, Microsoft Office, Skype for Business, Microsoft Lync, Microsoft Silverlight, Microsoft Server Software, Microsoft Communications Platforms and Software, Microsoft Exchange and Adobe Flash Player for Windows 8.1 and above. 

                Addressed in the updates are Remote Code Execution, Information Disclosure and Elevation of Privilege.

                Information about the update for Windows 10 is available at Windows 10 update history.
                 
                Critical:
                • MS17-006 -- Cumulative Security Update for Internet Explorer (4013073)
                • MS17-007 -- Cumulative Security Update for Microsoft Edge (4013071)
                • MS17-008 -- Security Update for Windows Hyper-V (4013082)
                • MS17-009 -- Security Update for Microsoft Windows PDF Library (4010319)
                • MS17-010 -- Security Update for Microsoft Windows SMB Server (4013389)
                • MS17-011 -- Security Update for Microsoft Uniscribe (4013076) 
                • MS17-012 -- Security Update for Microsoft Windows (4013078)
                • MS17-013 -- Security Update for Microsoft Graphics Component (4013075)
                • MS17-023 -- Security Update for Adobe Flash Player (4014329) 
                Important:
                • MS17-014 -- Security Update for Microsoft Office (4013241)
                • MS17-015 -- Security Update for Microsoft Exchange Server (4013242) 
                • MS17-017 -- Security Update for Windows Kernel (4013081)
                • MS17-018 -- Security Update for Windows Kernel-Mode Drivers (4013083)
                • MS17-019 -- Security Update for Active Directory Federation Services (4010320)
                • MS17-020 -- Security Update for Windows DVD Maker (3208223)
                • MS17-021 -- Security Update for Windows DirectShow (4010318)
                • MS17-022 -- Security Update for Microsoft XML Core Services (4010321)      

                  Additional Update Notes

                  • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
                  • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 
                  • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.

                  References


                    Remember - "A day without laughter is a day wasted."
                    May the wind sing to you and the sun rise in your heart...





                    Adobe Flash Player Critical Security Update

                    Adobe Flashplayer

                    Adobe has released Version 25.0.0.127 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

                    These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. 

                    Release date: March 14, 2017
                    Vulnerability identifier: APSB17-07
                    CVE number: CVE-2017-2997, CVE-2017-2998, CVE-2017-2999, CVE-2017-3000, CVE-2017-3001, CVE-2017-3002, CVE-2017-3003
                    Platform: Windows, Macintosh, Linux and Chrome OS

                    Update:

                    Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

                      Verify Installation

                      To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

                      Do this for each browser installed on your computer.

                      To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

                      References



                      Remember - "A day without laughter is a day wasted."
                      May the wind sing to you and the sun rise in your heart...








                      Tuesday, March 07, 2017

                      Mozilla Firefox Version 52.0 Released with Security Updates


                      FirefoxMozilla sent Firefox Version 52.0 to the release channel today.  The update includes six (6) Critical, four (4) High, eleven (11) Moderate updates and six (6) low security updates.  Firefox ESR was updated to version 45.8.0.

                      Note in particular the removal of support for Netscape Plugin API (NPAPI) plugins other than Flash.  Silverlight, Java, Acrobat and the like are no longer supported.  See Why do Java, Silverlight, Adobe Acrobat and other plugins no longer work? for Mozilla's explanation.

                      Additionally, Firefox users on Windows XP (EoL, End of Life, April 8, 2014) and Windows Vista (EoL April 11, 2017) have been migrated to the extended support release (ESR) version of Firefox. 

                      The next scheduled release is April 18,  2017 (5 week cycle with release for critical fixes as needed).

                      Security Fixes:

                      Critical

                      High

                      Moderate

                      Low

                      New

                      Added support for WebAssembly, an emerging standard that brings near-native performance to Web-based games, apps, and software libraries without the use of plugins.
                      • Implemented the Strict Secure Cookies specification which forbids insecure HTTP sites from setting cookies with the "secure" attribute. In some cases, this will prevent an insecure site from setting a cookie with the same name as an existing "secure" cookie from the same base domain.
                      • Added user warnings for non-secure HTTP pages with logins. Firefox now displays a “This connection is not secure” message when users click into the username and password fields on pages that don’t use HTTPS.
                      • Enabled multi-process Firefox for Windows users with touch screens
                      • Enhanced Sync to allow users to send and open tabs from one device to another.

                      Fixed

                      • Improved text input for third-party keyboard layouts on Windows. This will address some keyboard layouts that
                        • have chained dead keys
                        • input two or more characters with a non-printable key or a dead key sequence
                        • input a character even when a dead key sequence failed to compose a character

                      Changed

                      • Removed support for Netscape Plugin API (NPAPI) plugins other than Flash. Silverlight, Java, Acrobat and the like are no longer supported.
                      • Display (but allow users to override) an “Untrusted Connection” error when encountering SHA-1 certificates that chain up to a root certificate included in Mozilla’s CA Certificate Program. (Note: Firefox continues to permit SHA-1 certificates that chain to manually imported root certificates.) Read more about the Mozilla Security Team’s plans to deprecate SHA-1
                      • Improved experience for downloads:
                        • Notification in the toolbar when a download fails
                        • Quick access to five most recent downloads rather than three
                        • Larger buttons for canceling and restarting downloads
                      • Removed Battery Status API to reduce fingerprinting of users by trackers
                      • When not using Direct2D on Windows, Skia is used for content rendering
                      • Migrated Firefox users on Windows XP and Windows Vista operating systems to the extended support release (ESR) version of Firefox. 
                      Update:

                      To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

                        References




                        Remember - "A day without laughter is a day wasted."
                        May the wind sing to you and the sun rise in your heart...