Tuesday, January 27, 2015

Pale Moon Minor Update to Version 25.2.1

Pale Moon version 25.2.1 has been released to address cookie handling through proxies causing issues for some authenticating proxies in corporate environments.

Minimum system Requirements (Windows):
  • Windows Vista/Windows 7/Windows 8/Server 2008 or later
  • A processor with SSE2 support
  • 256 MB of free RAM (512 MB or more recommended)
  • At least 150 MB of free (uncompressed) disk space
Pale Moon includes both 32- and 64-bit versions for Windows:
Other versions:

Update

To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

Release Notes

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...







Monday, January 26, 2015

Mozilla Firefox Version 35.0.1 Released


Mozilla sent Firefox Version 35.0.1 incorporating bug fixes to the release channel. 

What’s New

  • Fixed 35.0.1 - With the Enhanced Steam extension, Firefox could crash (1123732)
  • Fixed 35.0.1 - Fix a potential startup crash (1122367)
  • Fixed 35.0.1 - Kerberos authentication did not work with alias (1108971)
  • Fixed 35.0.1 - SVG / CSS animation had a regression causing rendering issues on websites like openstreetmap.org (1083079)
  • Fixed 35.0.1 - On Godaddy webmail, Firefox could crash (1113121)
  • Fixed 35.0.1 - document.baseURI did not get updated to document.location after base tag was removed from DOM for site with a CSP (1121857)
  • Fixed 35.0.1 - With a Right-to-left (RTL) version of Firefox, the text selection could be broken (1104036)
  • Fixed 35.0.1 - CSP had a change in behavior with regard to case sensitivity resources loading (1122445)



Known Issues

  • unresolved -- Sometimes images don't display when hovered over (see bug 1083113) -- marked Resolved/Won't Fix.
  • unresolved -- WebGL games might not display some textures (see bug 1113633) -- scheduled for version 36.
  • unresolved -- Issues affecting RTL in Hello can be found here
  • unresolved -- Crashes with "Enhanced Steam" extension enabled on Steam websites (see bug 1117873)

Update

To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu.

If you do not use the English language version, Fully Localized Versions are available for download.









Saturday, January 24, 2015

Second Out-of-Band Adobe Flash Player Update


Although not expected until next week, Adobe has released the update addressing a Zero-Day being distributed through the Angler Exploit Kit in Adobe Flash Player.  The vulnerability was discovered by security researcher Kafeine (See Unpatched Vulnerability (0day) in Flash Player is being exploited by Angler EK | Malware don't need Coffee) and applies to Adobe Flash Player 16.0.0.287 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.438 and earlier versions for Linux.

Although the update has been released early, it is only available for those who have Flash Player set to auto-update.  The direct download links are not expected to be available until next week.



To set Flash Player to auto-update, do the following:
  • Windows: click Start > Settings > Control Panel > Flash Player
  • Macintosh: System Preferences (under Other) click Flash Player
  • Linux Gnome: System > Preferences > Adobe Flash Player
  • Linux KDE: System Settings > Adobe Flash Player

Edit Note:  (1/25/2015) The direct download links are now available.  See below.

Adobe is working with Google Chrome and Microsoft to provide the update for Chrome and Internet Explorer on Windows 8.x and Windows 10 Technical Preview. 

Update Information:

Release date: January 22, 2015
Last updated: January 24, 2015
Vulnerability identifier: APSA15-01
CVE number: CVE-2015-0311
Platform: All Platforms

The direct download links:
Verify Installation:

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.



Thursday, January 22, 2015

Out of Band Adobe Flash Player Critical Security Update


Adobe has released security updates for Adobe Flash Player 16.0.0.257 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.425 and earlier versions for Linux.

Correction: From Threatpost, Adobe Patches One Zero Day in Flash, Still Investigating Separate Vulnerability:

"The vulnerability that Adobe patched Thursday is under active attack, but Adobe officials said that this flaw is not the one that security researcher Kafeine said Wednesday was being used in the Angler attacks."
The Threatpost article further indicated that there is no indication from Adobe officials that an update is in the works for the Angler zero-day vulnerability.
Adobe officials did not say whether there is an update in the works for the zero-day vulnerability. - See more at: http://threatpost.com/adobe-patches-one-zero-day-in-flash-still-investigating-separate-vulnerability#sthash.l1CqIaAn.dpuf



This update addresses a Zero-Day in Adobe Flash Player discovered by security researcher Kafeine that was being distributed through the Angler Exploit Kit (See Unpatched Vulnerability (0day) in Flash Player is being exploited by Angler EK | Malware don't need Coffee).

The update below has been released by Adobe to address the vulnerability.  It is strongly advised that the update be applied as soon as possible.

Update Information:


Release date: January 22, 2015
Vulnerability identifier: APSB15-02

CVE number: CVE-2015-0310
Platform: All Platforms
  • Users of the Adobe Flash Player desktop runtime for Windows and Macintosh should update to Adobe Flash Player 16.0.0.287.
  • Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.262.
  • Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.438.
  • Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, will automatically update to the current version.

Flash Player Update Instructions

Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras.

It is recommended that you either use the auto-update mechanism within the product when prompted or, my preference, the direct download links.

    Notes:
    • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
    • Uncheck any toolbar offered with Adobe products if not wanted.
    • If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
    • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.
    • Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.259.
    Adobe Flash Player for Android

    The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.   

    Verify Installation

    To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

    Do this for each browser installed on your computer.

    To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.



    Wednesday, January 21, 2015

    Oracle Java Critical Security Update



    Oracle released the scheduled critical security updates for its Java SE Runtime Environment software. 

    This is a Critical Patch Update that has 19 new security fixes for Oracle Java SE. From The Assurance Blog:
    "The most severe of these vulnerabilities received a CVSS Base Score of 10.0. This score is reported for 4 distinct Java SE client-only vulnerabilities (CVE-2014-6601; CVE-2015-0412; CVE-2014-6549; and CVE-2015-0408). Out of these 19 vulnerabilities, 15 affect client-only installations, 2 affect client and server installations, and 2 affect JSSE installations."

    Important Changes in this Release

    With this release, the SSLv3 protocol (Secure Socket Layer) has been deactivated and is not available by default. It should be noted that SSLv3 is obsolete and should no longer be used.

    Additionally, the SSLv3 protocol is removed from the Java Control Panel advanced options, although it can be re-enabled manually, as described in the below-linked Release Notes and Assurance blog post.

    Unwanted "Extras"

    Oracle has long included pre-checked options with the updates.  Although most people do not need Java on their computer, there are some programs and games that require Java.  In the event you need to continue using Java, How-to Geek discovered a little-known and unpublicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras.

    1. Launch the Windows Start menu
    2. Click on Programs
    3. Find the Java program listing
    4. Click Configure Java to launch the Java Control Panel
    5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
    6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.

    Windows XP

    There has been a lot of recent controversy regarding Java updates for Windows XP.  While Windows XP has reached end of life, Java 7 will continue to be updated until April, 2015.

    Thus, organizations and individuals who must continue using Windows XP and have Java installed can also continue getting updates for Java 7.  It is noted, however, that if an issue arises that is specific to Windows XP, Oracle is not required to and also may not be able to create a patch.  For additional information, refer to the Oracle blog post, The future of Java on Windows XP (Henrik on Java).

    Update

    If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

    Download Information

    Download link:  Java SE 8u31

    Verify your version:  http://www.java.com/en/download/testjava.jsp

    Notes:
    • UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.
    • Starting with Java SE 7 Update 21 in April 2013, all Java Applets and Web Start Applications should be signed with a trusted certificate.  It is not recommended to run untrusted/unsigned Certificates.  See How to protect your computer against dangerous Java Applets

    Critical Patch Updates

    For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
    • 14 April 2015
    • 14 July 2015
    • 20 October 2015
    • 19 January 2016

    Java Security Recommendations

    For those people who have desktop applications that require Java and cannot uninstall it, Java can now be disabled in Internet Explorer.  See Microsoft Fix it to Disable Java in Internet Explorer.

    1)  In the Java Control Panel, at minimum, set the security to high.
    2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.


    3)  If you use Firefox or Pale Moon, install NoScript and only allow Java on those sites where it is required.

    Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml




    Thursday, January 15, 2015

    Pale Moon Version 25.2 Released with Security Updates

    Pale Moon has released version 25.2 to extend browser capabilities and implement some ES6 draft functions for web programmers.  The update includes important crash fixes, bug fixes and security updates.
      Security/privacy fixes:
      • Added a preference network.stricttransportsecurity.enabled to enable or disable the use of HSTS (HTTP Strict Transport Security), allowing users to choose between privacy and security in this matter. (hidden pref)
      • Fixed CVE-2014-1589 by whitelisting XBL bindings that may be applied to untrusted content.
        Important: extension developers should read this related thread.
      • Fixed CVE-2014-1593.
      • Mac: fixed CVE-2014-1595.
      • Fixed CVE-2014-8639 by adjusting cookie handling through proxies.
      • Fixed CVE-2014-8636.
      • Fixed several memory safety hazards that do not have CVE numbers.
        Fixes and changes are documented in the Release Notes.

        Minimum system Requirements (Windows):
        • Windows Vista/Windows 7/Windows 8/Server 2008 or later
        • A processor with SSE2 support
        • 256 MB of free RAM (512 MB or more recommended)
        • At least 150 MB of free (uncompressed) disk space
        Pale Moon includes both 32- and 64-bit versions:

        Update

        To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.





        Tuesday, January 13, 2015

        Mozilla Firefox Version 35.0 Released with Security Updates


        Mozilla sent Firefox Version 35.0 to the release channel.  The update includes nine (9) security updates, three (3) of which are Critical, one (1) High, four (4) Moderate and one (1) low.

        Fixed in Firefox 35



        What’s New

        • New -- Firefox Hello with new rooms-based conversations model
        • New -- New search UI improved and enabled for more locales
        • New -- Access the Firefox Marketplace from the Tools menu and optional toolbar button
        • New -- Built-in support for H264 (MP4) on Mac OS X Snow Leopard (10.6) and newer through native APIs
        • New -- Improved handling of dynamic styling changes to increase responsiveness
        • New -- Use tiled rendering on OS X
        • New -- Improved high quality image resizing performance
        • HTML5 -- Changed JavaScript 'let' semantics to conform better to the ES6 specification
        • HTML5 -- Resource Timing API implemented
        • HTML5 -- CSS filters enabled by default
        • HTML5 -- Added support for the CSS Font Loading API
        • Fixed -- Various security fixes
        • Fixed -- Show DOM Properties context menu item in inspector
        • Fixed -- Reduced resource usage for scaled images
        • Fixed -- PDF.js updated to version 1.0.907
        • Fixed -- Non-HTTP(S) XHR now returns correct status code

        Known Issues

        • unresolved -- WebGL games might not display some textures (see bug 1113633)
        • unresolved -- Sometimes images don't display when hovered over (see bug 1083113)
        • unresolved -- Issues affecting RTL in Hello can be found here
        • unresolved -- Crashes with "Enhanced Steam" extension enabled on Steam websites (see bug 1117873)









        Microsoft Security Bulletin Release for January, 2015


        Microsoft released eight (8) bulletins.  One (1) bulletin is identified as Critical and the remaining seven (7) are rated Important in severity.

        The updates address 8 unique Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows.  MS15-001 and MS15-003 have been publicly disclosed.  Details about the CVEs can be found in the below-referenced TechNet Security Bulletin.

        Important Note:  
        Although it was officially released in May, 2014, non-Security updates include the release of .NET Framework 4.5.2 to Automatic Updates, WSUS, and Catalog.

        Because many people have problems with .NET updates, it is strongly recommended that they be installed separately from other updates with a shutdown/restart.

        Critical:
        • MS15-002 -- Vulnerability in Windows Telnet Service Could Allow Remote Code Execution (3020393)

        Important:
        • MS15-001 -- Vulnerability in Windows Application Compatibility Cache Could Allow Elevation of Privilege (3023266)
        • MS15-003 -- Vulnerability in Windows User Profile Service Could Allow Elevation of Privilege (3021674)
        • MS15-004 -- Vulnerability in Windows Components Could Allow Elevation of Privilege (3025421)
        • MS15-005 -- Vulnerability in Network Location Awareness Service Could Allow Security Feature Bypass (3022777)
        • MS15-006 -- Vulnerability in Windows Error Reporting Could Allow Security Feature Bypass (3004365)
        • MS15-007 -- Vulnerability in Network Policy Server RADIUS Implementation Could Cause Denial of Service (3014029)
        • MS15-008 -- Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (3019215)

        Security Bulletin MS14-080 Cumulative Security Update for Internet Explorer was re-released.  Also note the following additional information:
        1. Information on non-security updates can be found in KB 894199.
        2. Outdated ActiveX control blocking will be added to Windows Vista SP2 and Windows Server 2008 SP2.  See the TechNet article, Out-of-date ActiveX control blocking and the IE Blog for information on what this entails.
        3. For those interested in determining specific updates applicable to their operating system, see myBulletin.

        Additional Update Notes

        • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 

          The updated version includes the Win32/Emotet and Win32/Dyap malware families.  Additional details are available in the MMPC blog post.

        • Internet Explorer -- For additional information about the blocking of out-of-date ActiveX controls see the TechNet article, Out-of-date ActiveX control blocking.  Additional changes introduced this month include the blocking of outdated Silverlight.  Additional information is available in the IE Blog.

        • Windows 8.x -- Non-security new features and improvements for Windows 8.1 are now included with the second Tuesday of the month updates.  Additional information about this change is available here.

        • Windows XP -- Although Microsoft has stopped providing Microsoft Security Essentials for Windows XP, definitions will be available until July 15, 2015.  See Microsoft antimalware support for Windows XP.  The MSRT still works on Windows XP.







          Adobe Flash Player and AIR Critical Security Updates


          Adobe has released security updates for Adobe Flash Player 16.0.0.235 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.425 and earlier versions for Linux.

          Version 16 of Adobe AIR has been released.

          These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system.  Details of the vulnerabilities are included in the below-referenced Security Bulletin.

          Update Information:

          Release date: January 13, 2015
          Vulnerability identifier: APSB15-01

          CVE number: CVE-2015-0301, CVE-2015-0302, CVE-2015-0303, CVE-2015-0304, CVE-2015-0305, CVE-2015-0306, CVE-2015-0307, CVE-2015-0308, CVE-2015-0309
          • Users of the Adobe Flash Player desktop runtime for Windows and Macintosh should update to Adobe Flash Player 16.0.0.257.
          • Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.260.
          • Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.429.
          • Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, will automatically update to the current version.
          • Adobe AIR version 16 has been released.  The latest version is 16.0.0.272.

          Flash Player Update Instructions

          Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras.

          It is recommended that you either use the auto-update mechanism within the product when prompted or, my preference, the direct download links.

            Notes:
            • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
            • Uncheck any toolbar offered with Adobe products if not wanted.
            • If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
            • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.
            • Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.259.
            Adobe Flash Player for Android

            The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.   

            Verify Installation

            To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

            Do this for each browser installed on your computer.

            To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.



            Thursday, January 01, 2015

            2015 - Ten Years as a Microsoft MVP



            "Dear Corrine Chorney,

            Congratulations! We are pleased to present you with the 2015 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Consumer Security technical communities during the past year."

            Each year since receiving the first award as Microsoft Most Valuable Professional ten years ago, ringing in the New Year has been a special occasion.  It became a time of reflection on the previous year as well as renewed enthusiasm for continuing to provide help in the year ahead.

            This year, rather than reflecting on the past, I extend my heartfelt thanks to family and friends for their love and support in dealing with the loss of my husband.  He will always be in my heart.

            To each of you, I wish a very happy and healthy year ahead.  May 2015 be filled with all things positive and all your dreams come true!

