Java Critical Security Updates Released

Oracle released the scheduled critical security updates for its Java SE Runtime Environment software.  This Critical Patch Update contains 5 new security fixes for Oracle Java SE, all of which may be remotely exploitable without authentication.

Update

If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

Download Information

Java SE 8u201 or 8u202

• Release Notes:
  8u201:  https://www.oracle.com/technetwork/java/javase/8u201-relnotes-5209271.html
  8u202:  https://www.oracle.com/technetwork/java/javase/8u202-relnotes-5209339.html
  
  
• Download:  https://www.oracle.com/technetwork/java/javase/downloads/index.html 

Java SE 11.0.2  (x64-bit only) 

Note:  JDK only.

• Release Notes: https://www.oracle.com/technetwork/java/javase/documentation/11u-relnotes-5093844.html 
• Download:  https://www.oracle.com/technetwork/java/javase/downloads/index.html

Notes:

• UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.  Preferably, see the instructions below on how to handle "Unwanted Extras".  
• Oracle does not plan to migrate desktops from Java 8 to Java 9 through the auto update feature.  Therefore, it is strongly recommended that you uninstall JRE 8 prior to updating.
• Verify your version:  http://www.java.com/en/download/testjava.jsp.   Note:  The Java version verification page will only work if your browser has NPAPI support.  In that case, to check the version, open a cmd window and enter the following (note the space following Java):  java -version

Critical Patch Updates

For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:

• 16 April 2019
• 16 July 2019
• 15 October 2019
• 14 January 2020

Unwanted "Extras"

Although most people do not need Java on their computer, there are some programs and games that require Java.  In the event you need to continue using Java, How-to Geek discovered a little-known and  unpublicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates.  Although the Ask Toolbar has been removed, tha does not preclude the pre-checked option for some other unnecessary add-on.

Do the following to suppress the sponsor offers:

1. Launch the Windows Start menu
2. Click on Programs
3. Find the Java program listing
4. Click Configure Java to launch the Java Control Panel
5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.

Java Security Recommendations

1)  In the Java Control Panel, at minimum, set the security to high.
2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

3)  Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml

References

• Java, The Never-Ending Saga  
• Critical Patch Updates and Security Alerts
• Oracle Java SE Risk Matrix 
• Oracle Quality Assurance Blog 

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Pale Moon Version 28.3.0 Released

Pale Moon has been updated to version 28.3.0.  This is a major development and bugfix release.

The release includes DiD ("Defense-in-Depth") changes.  This means that a fix does not apply to a (potentially)actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

The Linux versions will follow.

From the Release Notes:

Changes/fixes:

• Added AV1 support for MP4/MSE videos. Please note that this is a reference library implementation and the upstream decoding lib currently has poor performance for higher resolutions (720p+). This is disabled by default; use the about:config preference media.av1.enabled to enable this codec.
  
• Changed the API used for video playback with FFmpeg 58+. This should solve performance issues with VPx.
• Redesigned the main toolbar icons as SVG images to make them HiDPI compliant.
• Fixed the sync notification (infobar) icon.
• Fixed a potential cycle collector resource leak.
• Added icons and controls to tabs to indicate if sound is playing the tab and if so, allowing the user to mute it with a click.
  This is a native implementation of the API in use in Basilisk and performs the same function as the "expose noisy tabs" extension, although the extension may still be preferred by some for e.g. skinning capabilities. The feature may be disabled with browser.tabs.showAudioPlayingIcon.
• Removed support for VR hardware.
• Fixed out-of-bounds sizes for CSS calculation strings.
• Removed the DirectShow component since it is no longer necessary.
• Removed Firefox Accounts integration, phase 1:
  
• Changed the Sync client to the one from Tycho.
• Made Sync optional at build time.
• Stopped trying to cater to addons.mozilla.org since they no longer offer anything useful to Pale Moon after the Great XUL Extension Purge™.
• Added an option to process favicons for optimal sized display and removing animations. Enable this with browser.chrome.favicons.process
• Fixed an incorrect preference reference in feed reader.
• Fixed an issue with lazy frame construction on display:contents elements. This should solve e.g. the use of mathjax in comments on stackoverflow.
  
• Media code improvements and cleanup (ongoing).
• Updated the DropBox useragent override to solve login issues.
• Fixed potential crashes due to shutdown observers in VTT and font lists. DiD
• Enabled some mistakingly-disabled optimizations in the JS JIT compiler.
• Fixed several potential crashes in JS. DiD
• Fixed several potential crashes in WebCrypto. DiD
• Fixed a potential crash in JS Range Analysis. DiD
• Fixed a potential crash in the layout engine due to combo boxes. DiD
• Fixed a potential shutdown crash in non-standard environments related to 2D Canvas. DiD
• Fixed a potential overflow in the PNG writer. DiD
• Fixed a potential double-free in the MAR signing utility. DiD
• Fixed an issue where URLs could be extracted cross-origin (CVE-2018-18494).
• Updated NSPR to v4.20.
• Updated NSS to 3.41, providing (among other things) full compatibility with the final version of TLS 1.3 on websites.
• Updated location.protocol to the latest spec.
• Updated Intersection Observers to the latest spec and enabled them by default.
• Updated the SQLite lib to 3.26.0.
• Fixed errors about the login manager's recipeManager not being available (yet).
• Switched status bar download arrow to SVG.
• Fixed a crash in IntersectionObservers.
• Fixed initialization of the Search service from browser code to avoid synchronous init.
• Added logging of performance warnings to devtools consoles.
• Fixed favicons in taskbar tab preview listings.
• Blocked Comodo IS dll < version 6.3 to prevent startup crashes.
• Fixed issues in the HTML form submit observer module.
• Limited resolving depth of CSS variables to a sane maximum (fixes cras.sh issue).
• Removed Mozilla's proprietary constructor on WebAudio's AudioContext, aligning it with the standard specification.
• Exposed the previously hidden preference in about:config for page thumbnail generation (some people prefer this for local privacy).
• Aligned Element.ScrollIntoView with the DOM specification. This improves, among other things, compatibility with the React framework.

Download:

• Pale Moon for Windows
• Pale Moon for Linux

Update

To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Mozilla Firefox Version 64.0.2 Released

Mozilla sent Firefox Version 64.0.2 to the release channel today.  Firefox ESR remains at Version 60.4.

Fixed

• Fixed a browser crash on MacOS (bug 1510058)
  
• Updated the Japanese translation for missing strings (bug 1513259)
  
• Properly restore column sizes in developer tools inspector (bug 1503175)
  
• Fixed video stuttering on Youtube (bug 1513511)
  
• Fix updates for some lightweight themes (bug 1508777)
  

Update:  To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

References

• Common questions after updating Firefox
• Security Updates
• Mozilla Firefox Release Notes
• Rapid Release Calendar

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...