Tuesday, November 25, 2014

Adobe Flash Player Out of Band Critical Security Update

Adobe Flashplayer

Adobe has released security updates for Adobe Flash Player.  The updates address a critical bug and includes security fixes, particularly improving the security mitigation that was introduced in the October 14th release of APSB14-22.

Affected software versions


  • Adobe Flash Player 15.0.0.223 and earlier versions
  • Adobe Flash Player 13.0.0.252 and earlier 13.x versions
  • Adobe Flash Player 11.2.202.418 and earlier versions for Linux

Update Information

The newest versions are as follows:
ActiveX for IE and Macintosh version:  15.0.0.239
Plugin:  15.0.0.239
Linux: 11.2.202.424
Release date: November 25, 2014
Vulnerability identifier: APSB14-26

CVE number: CVE-2014-8439
Platform: All Platforms

Flash Player Update Instructions


Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras.

It is recommended that you either use the auto-update mechanism within the product when prompted, or my preference, the direct download links.

Note:  At the time of this posting, the direct download links have not been updated!  The direct download links are now available.

    Notes:
    • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
    • Uncheck any toolbar offered with Adobe products if not wanted.
    • If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
    • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.
    • Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.252.
    Adobe Flash Player for Android

    The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.   

    Verify Installation

    To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

    Do this for each browser installed on your computer.

    To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

    References







    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...


    Thursday, November 20, 2014

    Fake Tech Support Scams

    Fake Tech Support Scam

    Although not all of the fake tech support callers misrepresent that they are calling on behalf of Microsoft, claiming to represent Microsoft or Windows is most commonly used in such calls.  Scammers also claim to represent other vendors such as Dell, McAfee and Norton.

    Two operations working out of the state of Florida have conned tens of thousands of consumers out of more than $120 million through their deceptions.  The FTC and state of Florida obtained a federal court orders to shut down those two operations for deceptively marketing computer software and tech support services. The court orders have additionally placed a temporary freeze on the defendants’ assets and have placed the businesses under the control of a court-appointed receiver.

    As welcome as the FTC action is, fake tech support scams have been harassing people since early in 2009 and this is not the end of it.  As I recommended over two years ago:
    Should you receive an unsolicited telephone all from someone purporting to be from Microsoft (or any other vendor), the best advice is to just hang up! Microsoft does not make this type telephone call.
    There are also people who try to keep these cybercriminals on the telephone in order to not only waste their time but also to keep them tied up so they are not calling someone else who may not realize the caller is a scammer.  Microsoft recently published an online form to Report a technical support scam.  By supplying as much of the information as possible requested on the form, you will be assisting both Microsoft and law enforcement agencies in stopping these cybercriminals.  

    References:


    Home
    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...


    Tuesday, November 18, 2014

    Microsoft Out-of-Band Critical Security Update


    One of the security updates that was delayed in the regular patch cycle last week has been released.

    MS14-068 is a critical update that addresses a vulnerability in Kerbeos that could allow elevation of privilege.  Microsoft is aware of limited, targeted attacks that attempt to exploit this vulnerability.

    As described in the security bulletin:
    "An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only."

    References:


    Home
    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...


    Friday, November 14, 2014

    Pale Moon Version 25.1.0 Released with Security Updaters

    Pale Moon
    Pale Moon has released version 25.1.0 to address current incompatibilities with websites.  The version includes security updates and introduces new features.

    Security fixes:
    • Fixed several memory security hazards CVE-2014-1574 and CVE-2014-1575
    • Fixed CVE-2014-1581.
    • Fixed bug 1069584: Bail if a cairo surface is in an invalid state.
    • Made sure to initialize surfaces for draw targets.
    • Fixed bug 1074280: Use AsContainerLayer() in order to avoid a bad cast.
    • Fixed several problems in the HTML parser (multiple vulnerabilities).
    • Improved security of XHR by filtering out types of requests that can potentially be abused.

    New Features and Improvements:

    • New feature: multi-line flexbox support.
      Pale Moon now supports more advanced multi-line and multi-column flex elements. This will allow websites to use these elements for easier responsive design of web pages and ordering/layout of multiple elements. This should address layout issues on several recently-updated websites (e.g. the MSN home page).
    • New feature: added support for collapsed flex element items.
      Previously, flex elements that would be "collapsed" through CSS would be hidden, but still take up their flex space.
    • Enhanced feature: Content Security Policy (CSP)
      Pale Moon now fully supports the CSP 1.0 specification allowing websites to set restrictions on content to prevent XSS (Cross-site scripting) attacks. Previously, the implementation in Pale Moon was partial, and did not support a number of features, resulting in some websites not rendering properly because Pale Moon was being too strict in enforcing the policy. This should address issues on websites enforcing CSP (e.g. the Dropbox web interface and FaceBook galleries).
    • New feature: added support for iframes with inline content.
      This added HTML5 feature makes it possible for web designers to specify the content of iframes in-line, instead of having to link to an external source. This allows for more dynamic use of iframe elements.
    • Updated the Firefox Compatibility mode version to 31.9.
      With the improvements in rendering, HTML5 support and overall feature set in this version, the Firefox Compatibility mode (as presented in the UserAgent string) has been bumped to prevent websites from complaining about "using a too old/unsupported version of Firefox" (e.g. Google websites) while offering those sites a Firefox Compatibility version that is in line with the "expected" feature set of the browser. You may still run into some websites that don't like Pale Moon's user agent and require a manual override as outlined in the FAQ.
    • Pale Moon no longer builds the so-called "media navigator" by default.
      This module provides access to the user's webcam and microphone. Although it can be used for other purposes, in practice this is only used for WebRTC and, in fact, its support (GetUserMedia) is often mistaken for actually supporting WebRTC in a browser (causing errors since Pale Moon does not support WebRTC). No longer including these features reduces input complexity and overhead for a feature not actively used. This also circumvents privacy concerns/confusion like CVE-2014-1586.
    • Improved tab handling on lightweight themes (personas) some more to enhance contrast on certain themes and to make the tab hover effect slightly more distinct.
     Additional Fixes are documented in the Release Notes.

    Minimum system Requirements (Windows):
    • Windows Vista/Windows 7/Windows 8/Server 2008 or later
    • A processor with SSE2 support
    • 256 MB of free RAM (512 MB or more recommended)
    • At least 150 MB of free (uncompressed) disk space
    Pale Moon includes both 32- and 64-bit versions:

    Update

    To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.


    Home
    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...






    Home
    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...


    Tuesday, November 11, 2014

    Microsoft Security Bulletin Release for November 2014


    Microsoft released fourteen (14) bulletins*.  Four (4) bulletins are identified as Critical, eight (8) as Important, and two (2) are rated Moderate in severity.

    The updates address 33 Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Internet Explorer (IE), Office, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD). 

    Anyone who frequently experiences issues with .NET Framework updates should install those updates separately with a shutdown/restart between other updates.

    Critical:
    • MS14-064 -- Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443)
    • MS14-065 -- Cumulative Security Update for Internet Explorer (3003057)
    • MS14-066 -- Vulnerability in Schannel Could Allow Remote Code Execution (2992611)
    • MS14-067 --Vulnerability in XML Core Services Could Allow Remote Code Execution (2993958)

    Important:
    • MS14-069 -- Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3009710)
    • MS14-070 -- Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935)
    • MS14-071 -- Vulnerability in Windows Audio Service Could Allow Elevation of Privilege (3005607)
    • MS14-072 -- Vulnerability in .NET Framework Could Allow Elevation of Privilege (3005210)
    • MS14-073 -- Vulnerability in Microsoft SharePoint Foundation Could Allow Elevation of Privilege (3000431)
    • MS14-074 -- Vulnerability in Remote Desktop Protocol Could Allow Security Feature Bypass (3003743)
    • MS14-076 -- Vulnerability in Internet Information Services (IIS) Could Allow Security Feature Bypass (2982998)
    • MS14-077 -- Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (3003381) 

    Moderate:
    • MS14-078 -- Vulnerability in IME (Japanese) Could Allow Elevation of Privilege (3005210)
    • MS14-079 -- Vulnerability in Kernel Mode Driver Could Allow Denial of Service (3002885)

    *Note: MS14-068 and MS14-075 are shown as "Release date to be determined".

    Information on non-security update information can be found in KB 894199.

    Notes



    The following additional information is provided in the Security Bulletin:

    References




      Remember - "A day without laughter is a day wasted."
      May the wind sing to you and the sun rise in your heart...




      Adobe Flash Player Security Update

      Adobe Flashplayer

      Adobe has released security updates for Adobe Flash Player 15.0.0.223 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.418 and earlier versions for Linux.

      These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system.  The updates to Flash Player are rated Critical.

      Internet Explorer in Windows 8x systems will be updated via Windows Update.  Windows RT must obtain the update from Windows Update.  Google Chrome will be automatically updated.

      Update Information

      Release date: November 11, 2014
      Vulnerability identifier: APSB14-24

      CVE number: CVE-2014-0573, CVE-2014-0574, CVE-2014-0576, CVE-2014-0577, CVE-2014-0581, CVE-2014-0582, CVE-2014-0583, CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, CVE-2014-0588, CVE-2014-0589, CVE-2014-0590, CVE-2014-8437, CVE-2014-8438, CVE-2014-8440, CVE-2014-8441, CVE-2014-8442
      Platform: All Platforms

      Users of Adobe AIR 15.0.0.293 and earlier versions for Windows and Macintosh should update to the Adobe AIR 15.0.0.356.


      Flash Player Update Instructions

      Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras.

      It is recommended that you either use the auto-update mechanism within the product when prompted, or my preference, the direct download links.

        Notes:
        • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
        • Uncheck any toolbar offered with Adobe products if not wanted.
        • If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
        • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.
        • Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.252.
        Adobe Flash Player for Android

        The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.   

        Verify Installation

        To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

        Do this for each browser installed on your computer.

        To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

        References







        Remember - "A day without laughter is a day wasted."
        May the wind sing to you and the sun rise in your heart...


        Lest We Forget

        Whether you call it Veteran's Day, Armistice Day or Remembrance Day, November 11th is a time to put aside politics and pay tribute to all who served their country.   

        As in previous years, I am republishing my friend Canuk's last tribute and dedicating this post to my friends "Phantom Phixer" and "Ghost".  (This year, I have scheduled this to be published at 11/11/14 11:11 AM.)
        "I too "will remember your friends who never had a full life", while thanking you and your comrades who have served with pride, honesty and honour.
        LEST WE FORGET




         
         
        We Shall Keep the Faith by Moira Michael, November 1918
        Oh! you who sleep in Flanders Fields, Sleep sweet - to rise anew! We caught the torch you threw And holding high, we keep the Faith With All who died. We cherish, too, the poppy red That grows on fields where valor led; It seems to signal to the skies That blood of heroes never dies, But lends a lustre to the red Of the flower that blooms above the dead In Flanders Fields. And now the Torch and Poppy Red We wear in honor of our dead. Fear not that ye have died for naught; We'll teach the lesson that ye wrought In Flanders Fields.










        Remember - "A day without laughter is a day wasted."
        May the wind sing to you and the sun rise in your heart...

        Monday, November 10, 2014

        Updates to Internet Explorer ActiveX Blocking

        Internet Explorer 11


        Blocking of out-of-date ActiveX controls was added to Internet Explorer versions 9 through 11 in October.  
        With the update being released in November (11NOV2014), Microsoft is adding additional changes to out-of-date AxtiveX control blocking. 

        To be included will be updates to currently supported operating system and browser combinations.  This is a welcome addition for users of Windows Vista.  Another addition to ActiveX blocking will include blocking out-of-date Silverlight.

        Note:  After January 12, 2016, only the following configurations will be supported:


        Windows operating system Internet Explorer version
        Windows Vista SP2 Internet Explorer 9
        Windows Server 2008 SP2 Internet Explorer 9
        Windows 7 SP1 Internet Explorer 11
        Windows Server 2008 R2 SP1 Internet Explorer 11
        Windows 8.1 Internet Explorer 11
        Windows Server 2012 Internet Explorer 10
        Windows Server 2012 R2 Internet Explorer 11


        References:

        Home
        Remember - "A day without laughter is a day wasted."
        May the wind sing to you and the sun rise in your heart...


        Another Mozilla Firefox Update, Version 33.1 Released



        Firefox

        Mozilla sent Firefox Version 33.1 to the release channel.  The update includes a number of new items and lists several known issues.

        It appears that this update is to celebrate 10 years of Firefox.  It seems a rather artificial celebration since evolution of the name to Firefox was based on a trademark dispute and brand confusion.  (Yes, I started with Phoenix (2002), renamed Firebird (2003) and finally Firefox (2004).  Having become disenchanted with the "Rapid Release Program", I have changed to Pale Moon as my primary browser.)


        What’s New

        Known Issues

        • unresolved -- PDF.js: With some images, wrong colors could show up. Affects a very small number of PDF
        • unresolved -- Windows: Interface may be slow when typing or selecting text (1089183)
        • unresolved -- Windows: On some combination of hardware and drivers, some flickering can happen

        Update

        To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu.

        If you do not use the English language version, Fully Localized Versions are available for download.

        References




        Remember - "A day without laughter is a day wasted."
        May the wind sing to you and the sun rise in your heart...










        Friday, November 07, 2014

        Mozilla Firefox Released Another Update, Version 33.0.3



        Firefox

        Mozilla sent Firefox Version 33.0.3 to the release channel.  The update includes additional fixes for drivers and startup crashes with some hardware/driver combinations.

        Isn't it time Mozilla took a closer look at their "Rapid Release Program"?   Three updates in 24 days, all relating to hardware and driver issues caused by the updates.

        1.  Version 33.0 released:  October 13, 2014

        2.  Version 33.0.1 released:  October 24, 2014
        • 33.0.1: Firefox displays a black screen at start-up with certain graphics drivers
        3.  Version 33.0.2 released:  October 28, 2014
        • 33.0.2: Fix a startup crash with some combination of hardware and drivers
        4.  Version 33.0.3 released:  November 6, 2014
        • 33.0.3: Blacklisted graphics drivers that were causing black screens with OMTC enabled (1093863)
        • 33.0.3 Fix two startup crashes with some combination of hardware and drivers (1064107 and 1021265)

        Update

        To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu.

        If you do not use the English language version, Fully Localized Versions are available for download.

        References




        Remember - "A day without laughter is a day wasted."
        May the wind sing to you and the sun rise in your heart...









        Thursday, November 06, 2014

        Microsoft Security Bulletin Advance Notice for November 2014

        Security Bulletin
        On Tuesday, November 11, 2014, Microsoft is planning to release sixteen (16) bulletins.  Five bulletins are identified as Critical, nine as Important, and two are rated Moderate in severity.

        These updates will address vulnerabilities in Microsoft Windows, Internet Explorer, Office, Exchange, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).

        As happens each month, Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

        References




          Remember - "A day without laughter is a day wasted."
          May the wind sing to you and the sun rise in your heart...