Tuesday, April 29, 2014

Mozilla Firefox 29



Firefox

Mozilla sent Firefox Version 29.0, referred to as Australis, to the release channel.

Edit: The earlier statement that no security updates were included in this release has been corrected.  Security updates have been published.  The update includes five (5) Critical, six (6) High and three (3) Moderate updates.

The update to Australis incorporates major GUI (Graphic User Interface) changes.  Some of those changes include the following:
  • Removal of the Firefox button, replaced with three diagonal lines located to the far right in the Navigation Toolbar.
  • If you used the add-on bar, it is now gone, with its content moved to the navigation bar.
  • The bookmarks icon is no longer available in the Address Bar and has been merged with the bookmarks button.
  • The ability to move some elements such as the back and forward buttons has been removed.
  • Elimination of small icons and no option to display icons and text in the interface.
After you have had an opportunity to experiment with the changes, if your experience with the updated version is similar to mine and there are some you just don't think you can live with, check out the suggestions at gHacks on How to turn the new Firefox 29 into the old Firefox.

You could also switch to the Pale Moon Browser, based on Firefox ESR.  The developer is fast to include any needed security fixes but doesn't make changes merely for the sake of change.

Personal comment:  These latest changes to Firefox have resulted in a rather ugly interface.  I'm glad I switched to Pale Moon as my go-to browser.

Fixed in Firefox 29

  • MFSA 2014-47 -- Debugger can bypass XrayWrappers with JavaScript
  • MFSA 2014-46 -- Use-after-free in nsHostResolve
  • MFSA 2014-45 -- Incorrect IDNA domain name matching for wildcard certificates
  • MFSA 2014-44 -- Use-after-free in imgLoader while resizing images
  • MFSA 2014-43 -- Cross-site scripting (XSS) using history navigations
  • MFSA 2014-42 -- Privilege escalation through Web Notification API
  • MFSA 2014-41 -- Out-of-bounds write in Cairo
  • MFSA 2014-40 -- Firefox for Android addressbar suppression
  • MFSA 2014-39 -- Use-after-free in the Text Track Manager for HTML video
  • MFSA 2014-38 -- Buffer overflow when using non-XBL object as XBL
  • MFSA 2014-37 -- Out of bounds read while decoding JPG images
  • MFSA 2014-36 -- Web Audio memory corruption issues
  • MFSA 2014-35 -- Privilege escalation through Mozilla Maintenance Service Installer
  • MFSA 2014-34 -- Miscellaneous memory safety hazards (rv:29.0 / rv:24.5)



What’s New

  • New -- Significant new customization mode makes it easy to personalize your Web experience to access the features you use the most (learn more)
  • New -- A new, easy to access menu sits in the right hand corner of Firefox and includes popular browser controls
  • New -- Sleek new tabs provide an overall smoother look and fade into the background when not active
  • New -- An interactive onboarding tour to guide users through the new Firefox changes
  • New -- The ability to set up Firefox Sync by creating a Firefox account (learn more)
  • New -- Gamepad API finalized and enabled (learn more)
  • New -- Malay [ma] locale added
  • Changed -- Clicking on a W3C Web Notification will switch to the originating tab

Known Issues

  • unresolved -- Text Rendering Issues on Windows 7 with Platform Update KB2670838 (MSIE 10 Prerequisite) or on Windows 8.1 has a workaround (see 812695)
  • unresolved -- Without affecting security, after restoring your session, Extended Validation Certificates might not display (See 995801)

Update

To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu.

If you do not use the English language version, Fully Localized Versions are available for download.





Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...




Monday, April 28, 2014

Adobe Flash Player Critical Security Updates

Adobe Flashplayer

Adobe has released security updates for Adobe Flash Player 13.0.0.182 and earlier versions for Windows, version 13.0.0.201 and earlier versions for Macintosh and Adobe Flash Player 11.2.202.350 and earlier versions for Linux.

With today's Windows Update, Internet Explorer 10 and 11 in Windows 8 and Windows 8.1 will be updated.  Windows RT must obtain the update from Windows Update.  Google Chrome will be automatically updated. 

These updates are rated as "Critical".  However, the updates do not address the zero-day vulnerability in Internet Explorer versions 6-11, which will require a Microsoft update to IE.  

Windows XP 

Since Windows XP is out of support, Microsoft will not be releasing an IE update for Windows XP.  Anyone still using Windows XP and unable to move to a new computer/operating system should first use an alternate browser.  In addition, unregister the VGX.DLL file as shown in Paul Ducklin's instructions here.

Update Information

The newest versions are as follows:
Windows and Macintosh:  13.0.0.206
Linux: 11.2.202.350

Release date: April 28, 2014
Vulnerability identifier: APSB14-13
CVE number: CVE-2014-0515
Platform: All Platforms

Flash Player Update Instructions

Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras.

It is recommended that you either use the auto-update mechanism within the product when prompted, or my preference, the direct download links.

    Notes:
    • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
    • Uncheck any toolbar offered with Adobe products if not wanted.
    • If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
    • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.
    • As requested by a Security Garden reader, the update information for the "Extended Release of Flash Player 11.7" can be found here. Note, however, that beginning May 13, 2014, Adobe Flash Player 13 for Mac and Windows will replace version 11.7 as the extended support version.
    Adobe Flash Player for Android

    The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.   

    Verify Installation

    To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

    Do this for each browser installed on your computer.

    To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.










    Sunday, April 27, 2014

    Security Advisory 2963983, IE Zero-Day Vulnerability

    Security Advisory
    Microsoft released Security Advisory 2963983 which relates to a vulnerability in Internet Explorer.

    With the vulnerability, an attacker could cause remote code execution if someone visited a malicious website with an affected browser. Generally, this would occur by an attacker convincing someone to click a link in an email or instant message.

    Although the vulnerability affects all versions of IE, at this time, Microsoft is aware of limited, targeted attacks, in which the exploit observed appears to target IE9, IE10 and IE11.


    Additional details about the exploit are available from the FireEye Blog, New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks.

    Recommendations 

    As illustrated in the "Security Research and Defense Blog" reference below, users of IE 10 and 11 should ensure they haven't disabled Enhanced Protected Mode. 

    Another option is to install the Enhanced Mitigation Experience Toolkit (EMET).  The recommended setting for EMET 4.1, available from KB Article 2458544, is automatically configured to help protect Internet Explorer. No additional steps are required.

    See the Tech Net Advisory for instructions on changing the following settings to help protect against exploitation of this vulnerability:
    • Change your settings for the Internet security zone to high to block ActiveX controls and Active Scripting
    • Change your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. 
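The two mitigations this advisory post describes (zone settings and Enhanced Protected Mode) and the VGX.DLL workaround from the April 28 Flash post's Windows XP note can all be checked from one place. The script below is an added example, not code from Security Garden, Microsoft or Sophos; it audits those settings and, only with the -Apply switch, sets them. The registry layout it relies on is an assumption drawn from Microsoft's documented IE zone settings (zone 3 = Internet, zone 1 = Local intranet, value 1200 = Run ActiveX controls and plug-ins, value 1400 = Active scripting, data 0/1/3 = Enable/Prompt/Disable) and the Isolation = "PMEM" marker for Enhanced Protected Mode; the function name is my own.

```powershell
# Added example (not from the Security Garden posts, Microsoft or Sophos): audits, and with
# -Apply sets, the Internet Explorer mitigations the posts describe for Security Advisory
# 2963983. Registry locations and meanings are assumptions based on Microsoft's documented
# IE zone layout: zone 3 = Internet, zone 1 = Local intranet, value 1200 = "Run ActiveX
# controls and plug-ins", 1400 = "Active scripting", data 0 = Enable, 1 = Prompt,
# 3 = Disable; Isolation = "PMEM" means Enhanced Protected Mode is on.
# Run from an elevated PowerShell when using -Apply (regsvr32 needs it).
function Get-IEZeroDayMitigationStatus {
    [CmdletBinding()]
    param([switch]$Apply)

    $zones   = @{ 3 = 'Internet'; 1 = 'Local intranet' }
    $actions = @{ 1200 = 'Run ActiveX controls and plug-ins'; 1400 = 'Active scripting' }
    $labels  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
    $results = @()

    # 1. Zone settings: the post asks for High (disable) in Internet, prompt or disable in intranet
    foreach ($z in $zones.Keys) {
        $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$z"
        foreach ($a in $actions.Keys) {
            $name = "$a"
            $cur  = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            $ok   = ($cur -eq 1 -or $cur -eq 3)
            if (-not $ok -and $Apply) {
                $new = if ($z -eq 3) { 3 } else { 1 }   # Internet: Disable, intranet: Prompt
                Set-ItemProperty -Path $key -Name $name -Value $new -Type DWord
                $cur = $new; $ok = $true
            }
            $label = if ($null -ne $cur -and $labels.ContainsKey([int]$cur)) { $labels[[int]$cur] } else { "unknown ($cur)" }
            $results += [pscustomobject]@{ Check = "$($zones[$z]): $($actions[$a])"; State = $label; Ok = $ok }
        }
    }

    # 2. Enhanced Protected Mode (IE10/11): honoured if set by the user or by policy
    $epm = $false
    foreach ($p in 'HKCU:\Software\Microsoft\Internet Explorer\Main',
                   'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main') {
        $iso = (Get-ItemProperty -Path $p -Name Isolation -ErrorAction SilentlyContinue).Isolation
        if ($iso -eq 'PMEM') { $epm = $true }
    }
    if (-not $epm -and $Apply) {
        Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -Name Isolation -Value 'PMEM' -Type String
        $epm = $true
    }
    $results += [pscustomobject]@{ Check = 'Enhanced Protected Mode'; State = $(if ($epm) { 'On' } else { 'Off' }); Ok = $epm }

    # 3. VGX.DLL (VML): a registered COM server is what the Windows XP note asks you to remove.
    #    Scanning InprocServer32 entries avoids hard-coding a CLSID.
    $vgx = Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path (Join-Path $_.PSPath 'InprocServer32') -ErrorAction SilentlyContinue } |
        Where-Object { $_.'(default)' -like '*\vgx.dll' }
    $registered = [bool]$vgx
    if ($registered -and $Apply) {
        foreach ($dir in @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)})) {
            if (-not $dir) { continue }
            $dll = Join-Path $dir 'Microsoft Shared\VGX\vgx.dll'
            if (Test-Path $dll) { & "$env:SystemRoot\System32\regsvr32.exe" /u /s $dll }
        }
        $registered = $false
    }
    $results += [pscustomobject]@{ Check = 'VGX.DLL (VML) registered'; State = $(if ($registered) { 'Yes' } else { 'No' }); Ok = -not $registered }

    return $results
}

# Report only; add -Apply (elevated) to set the values that are not yet in the safe state.
Get-IEZeroDayMitigationStatus | Format-Table -AutoSize
```

The report-only default is deliberate: zone changes break sites that need scripting, so review the table before applying, and re-register VGX.DLL (regsvr32 without /u) once a vendor fix is installed.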

    References:





    Thursday, April 24, 2014

    WinPatrol v30.9.2014


    WinPatrol Scotty

    The focus by WinPatrol developer Bill Pytlovany for 2014 is monthly updates to make WinPatrol both easier to use and more powerful.

    Although the default setting is unchanged, a nice inclusion in the update is Windows tooltips to provide a consistent, helpful interface.  The balloon setting is available from the Options tab.

    Other changes include an update to the newest library used for cookies by Google Chrome, Mozilla Firefox and other new browsers. 

    In addition, some Windows components have been updated with custom DPI.

    WinPatrol runs on Windows XP, Windows Vista, Windows 7 and Windows 8 systems, including x64 versions.

    Download WinPatrol 30.9.2014 now!






    Sunday, April 20, 2014

    Happy Easter! "Khrystos Voskres!"



    "Khrystos Voskres!"

    (Christ is Risen!)






    "Voistyno Voskres!"

    (He is Truly Risen!)







    Wednesday, April 16, 2014

    Import Yahoo or other IMAP Mail to Outlook

    Outlook.com
    For almost two years, I've read complaints by users of Yahoo email about a host of problems, including difficulties with password resets, problems logging in, loss of features, spam filters not working, and more.

    Tired of the problems with Yahoo email?  The Outlook Team has a simple solution.  Finally, Yahoo and many other IMAP-enabled email can be imported to your Outlook.com account. 

    The steps are really simple.  Just go to your Outlook.com Inbox and click the "gear" icon in the upper right, selecting Options.  Next, click "Import email accounts" and select the option for Yahoo.

    When the window below opens, merely choose from where you want to import your account.  Expand the Option link to select how you want to import your email.

    Import Yahoo to Outlook.com

    While the import is being completed, you can learn more about forwarding Yahoo mail from the linked Yahoo KB Article, Automatically forward emails with Yahoo Mail.

    Import Yahoo mail

    When the process is complete, you will receive an email in your Outlook.com Inbox.

    Import complete


    Now you can get all of your email in one place!  With rules, it is easy to direct mail to specific folders.





    Oracle Java Critical Security Update

    java


    Oracle released the scheduled critical security updates for its Java SE Runtime Environment software. 

    This is a Critical Patch Update that contains 37 fixes for Java, 35 of which Oracle indicated can be exploited by an attacker without the need for authentication.  Additional details about the update are available in the Java Release Notes, referenced below.


    Oracle reported that Java SE does not include OpenSSL and, therefore, is not affected by Heartbleed (CVE-2014-0160).  For Oracle products that are affected, see the reference linked below.

    If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

    For those people who have desktop applications that require Java and cannot uninstall it, Java can now be disabled in Internet Explorer.  See Microsoft Fix it to Disable Java in Internet Explorer.

    Java Security Recommendations

    1)  In the Java Control Panel, at minimum, set the security to high.
    2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

    Java ControlPanel
    (Image via Sophos Naked Security Blog)

    3)  If you use Firefox, install NoScript and only allow Java on those sites where it is required.

    Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml

    Download Information

    Download link:  Java Version 7 Update 55

    Verify your version:  http://www.java.com/en/download/testjava.jsp

    Notes:
    • UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.
    • Starting with Java SE 7 Update 21 in April 2013, all Java Applets and Web Start Applications should be signed with a trusted certificate.  Running untrusted or unsigned applets is not recommended.  See How to protect your computer against dangerous Java Applets

    Critical Patch Updates

    For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
    • 15 July 2014
    • 14 October 2014
    • 20 January 2015
    • 14 April 2015

    References







    Tuesday, April 08, 2014

    Microsoft Security Bulletin for April, 2014


    Microsoft released four (4) bulletins.  Two of the bulletins are identified as Critical with the other two as Important.

    The security update provided through MS14-017 addresses the Microsoft Word issue described in Security Advisory 2953095.  If the Fix it solution was installed on your computer, install the update first and then disable the Fix it.

    Disable Fix it


    Critical:

    • MS14-017 -- Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2949660)
    • MS14-018 -- Cumulative Security Update for Internet Explorer (2950467)
    Important:
    • MS14-019 -- Vulnerability in Windows File Handling Component Could Allow Remote Code Execution (2922229)
    • MS14-020 -- Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (2950145)

    MSRT

    Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.  Included in the update is detection for Win32/Ramdo and Win32/Kilim.


    Windows XP and Windows 8.1

    As has been widely publicized, support ends for Windows XP and Office 2003 today.  Thus, these will be the last security updates for those products.  See Tim Rains' article, The Countdown Begins: Support for Windows XP Ends on April 8, 2014.

    Also note that effective after today, technical assistance for Windows XP will no longer be available.  This includes automatic updates that help protect your PC. Microsoft will also stop providing Microsoft Security Essentials for download.  Note, however, that definitions will be available until July 15, 2015.  See Microsoft antimalware support for Windows XP.

    Windows 8.1 users, see: Windows 8.1 users: It's time to move to Windows 8.1 Update

    ____________

    The following additional information is provided in the Security Bulletin:

    References







    Adobe Flash Player and AIR Security Update

    Adobe Flashplayer

    Adobe has released security updates for Adobe Flash Player 12.0.0.77 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.346 and earlier versions for Linux.

    These updates are rated as "Critical" and resolve the following issues:
    • CVE-2014-0506:  These updates resolve a use-after-free vulnerability that could result in arbitrary code execution.
    • CVE-2014-0507:  These updates resolve a buffer overflow vulnerability that could result in arbitrary code execution.
    • CVE-2014-0508:  These updates resolve a security bypass vulnerability that could lead to information disclosure.
    • CVE-2014-0509:  These updates resolve a cross-site-scripting vulnerability.
    With today's Windows Update, Internet Explorer 10 and 11 in Windows 8 and Windows 8.1 will be updated.  Windows RT must obtain the update from Windows Update.  Google Chrome will be automatically updated.

    Update Information

    The newest versions are as follows*:
    Windows and Macintosh:  13.0.0.182
    Linux: 11.2.202.350

    Release date: April 8, 2014
    Vulnerability identifier: APSB14-09

    CVE number: CVE-2014-0506, CVE-2014-0507, CVE-2014-0508, CVE-2014-0509
    Platform: All Platforms

    Flash Player Update Instructions

    Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras.

    It is recommended that you either use the auto-update mechanism within the product when prompted, or my preference, the direct download links.

      Notes:
      • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
      • Uncheck any toolbar offered with Adobe products if not wanted.
      • If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
      • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.
      • *As requested by a Security Garden reader, the update information for the "Extended Release of Flash Player 11.7" can be found here.
      Adobe Flash Player for Android

      The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.   

      Verify Installation

      To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

      Do this for each browser installed on your computer.

      To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.
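Both Flash posts on this page (April 8 and April 28) say to verify the installed Flash Player version in each browser separately, because Internet Explorer loads the ActiveX control while Firefox and other NPAPI browsers load a separate plugin file. The script below is an added example, not code from Security Garden or Adobe, that reads the file versions of both components from the Macromed\Flash folders and compares them with a minimum fixed version; the default of 13.0.0.206 is the Windows version listed in the April 28 post (APSB14-13), and the folder layout, function name and parameter are assumptions of mine. Google Chrome bundles its own Flash and updates it itself, so it is not covered.

```powershell
# Added example (not from the Security Garden posts or Adobe): lists the Flash Player builds
# that Internet Explorer (ActiveX .ocx) and NPAPI browsers such as Firefox (NPSWF*.dll)
# load on this machine and flags any older than the fixed version. Assumes the usual
# %SystemRoot%\System32\Macromed\Flash and SysWOW64\Macromed\Flash install folders.
function Test-FlashPlayerVersion {
    param(
        # Fixed Windows version from the April 28, 2014 post (APSB14-13); raise it for later bulletins
        [version]$MinimumVersion = '13.0.0.206'
    )
    $dirs = @("$env:SystemRoot\System32\Macromed\Flash", "$env:SystemRoot\SysWOW64\Macromed\Flash")
    $found = @()
    foreach ($d in $dirs) {
        if (-not (Test-Path $d)) { continue }
        foreach ($f in Get-ChildItem -Path "$d\*" -Include '*.ocx', 'NPSWF*.dll' -File -ErrorAction SilentlyContinue) {
            # Flash historically stamps "13,0,0,206" with commas; normalise before parsing
            $raw = $f.VersionInfo.FileVersion
            $ver = $null
            if (-not ($raw -and [version]::TryParse(($raw -replace ',', '.').Trim(), [ref]$ver))) {
                $ver = $null
            }
            $component = if ($f.Extension -eq '.ocx') { 'ActiveX (Internet Explorer)' } else { 'NPAPI plugin (Firefox and others)' }
            $found += [pscustomobject]@{
                Component = $component
                File      = $f.FullName
                Version   = $ver
                UpToDate  = ($null -ne $ver -and $ver -ge $MinimumVersion)
            }
        }
    }
    if ($found.Count -eq 0) { Write-Warning 'No Flash Player ActiveX or NPAPI files found.' }
    return $found
}

# One row per component; a False in UpToDate means that browser family still runs a vulnerable build.
Test-FlashPlayerVersion | Format-Table Component, Version, UpToDate -AutoSize
```

Because the comparison uses [version] objects rather than string matching, 11.2.202.350 (the Linux line on the page) would correctly show as older than 13.0.0.206, and a future 13.0.0.214 as newer, without any special-casing.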










      Thursday, April 03, 2014

      Security Bulletin Advance Notice for April, 2014

      Security Bulletin
      On Tuesday, April 8, 2014, Microsoft is planning to release four (4) bulletins.  Two of the bulletins are identified as Critical with the other two as Important.

      The updates address vulnerabilities in Microsoft Windows, Office and Internet Explorer. 

      The update provided through MS14-017 fully addresses the Microsoft Word issue first described in Security Advisory 2953095.  If the Fix it was installed on your computer, after installing the update, it will be necessary to disable the Fix it to ensure RTF files will again render normally.  Although the update will fully address all affected versions of Microsoft Word, at this time, Microsoft is still only aware of limited, targeted attacks directed at Microsoft Word 2010.

      Reminder

      As has been widely publicized, support ends for Windows XP and Office 2003 on April 8, 2014.  Thus, these will be the last security updates for those products.  See Tim Rains' article, The Risk of Running Windows XP After Support Ends April 2014. Note also that Microsoft Security Essentials will no longer be available for download for Windows XP.

      As happens each month, Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.




