Wednesday, March 25, 2015

Pale Moon Moon Update To Address pwn2own Contest Vulnerability

Pale Moon
Pale Moon has been updated to version 25.3.1 to address a critical vulnerability discovered in the HP Zero Day Initiative's Pwn2Own contest.  Only one vulnerability discovered applied to Pale Moon.

From the Release Notes:


Security fix:
  • Fixed security vulnerability CVE-2015-0818. This vulnerability would allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving SVG hash navigation.

    Additional Fix:
    • Fixed IPv6 DNS resolution regression in some less common cases.

    Minimum system Requirements (Windows):
    • Windows Vista/Windows 7/Windows 8/Server 2008 or later
    • A processor with SSE2 support
    • 256 MB of free RAM (512 MB or more recommended)
    • At least 150 MB of free (uncompressed) disk space
    Pale Moon includes both 32- and 64-bit versions for Windows:
    Other versions:

      Update

      To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.



      Home
      Remember - "A day without laughter is a day wasted."
      May the wind sing to you and the sun rise in your heart...








      Saturday, March 21, 2015

      Updated Security Fix Released in Mozilla Firefox Version 36.0.4


      Firefox
      Mozilla sent Firefox Version 36.0.4 and Firefox ESR 31.5.3 to the release channel to repair the incomplete version of this fix that was shipped in Firefox 36.0.3, resulting from the HP Zero Day Initiative's Pwn2Own contest. The update includes one (1) revised critical security update.

      Fixed in Firefox 36.0.4

      • 2015-28 Privilege escalation through SVG navigation

      Update

      To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

      References

      Home
      Remember - "A day without laughter is a day wasted."
      May the wind sing to you and the sun rise in your heart...




      Mozilla Firefox Version 36.0.3 Released with Critical Security Updates


      Firefox
      Mozilla sent Firefox Version 36.0.3 and Firefox ESR 31.5.2 to the release channel to fix security issues disclosed at the HP Zero Day Initiative's Pwn2Own contest. The update includes two (2) critical security updates.

      It appears that version 36.0.2 has been skipped in order to release the critical updates.

      Fixed in Firefox 36.0.3

      • 2015-29 Code execution through incorrect JavaScript bounds checking elimination
      • 2015-28 Privilege escalation through SVG navigation

      Update

      To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

      References

      Home
      Remember - "A day without laughter is a day wasted."
      May the wind sing to you and the sun rise in your heart...



      Friday, March 13, 2015

      PaleMoon Version 25.3.0 Released with Security Updates

      Pale Moon
      Pale Moon has been updated to version 25.3.0 with improved features and performance as well as security updates.

      From the Release Notes, it is noted that several security fixes are identified as DiD.  This means that the fix is "Defense-in-Depth":
      "It is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem."

      Security fixes:

      • Disabled all RC4-based encryption ciphers by default. [More info]
      • Fixed several miscellaneous memory safety hazards.
        (applicable bugs related to CVE-2015-0835 and CVE-2015-0836)
      • Fixed loading of locally stored DLL files through the internal updater. (CVE-2015-0833)
      • Fixed a potential crash point in IndexedDB. (CVE-2015-0831) DiD
      • Fixed a double-free situation when using non-default memory allocators and a 0-length XHR. (CVE-2015-0828)
        Note: production builds of Pale Moon were never vulnerable.
      • Fixed a crash using DrawTarget in the Cairo graphics library. (CVE-2015-0824)
      • Fixed potential reading of local files through manipulation of form autocomplete. (CVE-2015-0822)
      • Fixed a potential PNG heap-overflow crash. DiD
      • Followed up on research regarding CVE-2014-8639 (see 25.2) and made cookie handling through proxies more restrictive again.
      Fixes:
      • Fixed incorrect Sync "howto" instruction links from the Sync dialogs.
      • Fixed the color of selected tabs in Linux when personas (lightweight themes) are in use that do not match the overall tone of the OS system theme.
      • Fixed a bug where a variable in parentheses would abort Javascript parsing.
      • Fixed a bug where the address bar would incorrectly be cleared.
      • Fixed padding issues for dropdown lists.
      • Fixed DNS lookups so proper record types are requested for IPv4 and IPv6.

      Additions:
      • Added several significant performance optimizations for arrays and strings in javascript.
      • Added several code performance optimizations and bugfixes in SVG, the presentation shell, SCTP, style gradients and CSS parsing routines. (Thanks, Axiomatic!)
      • Added an "Open link in current tab" context menu entry on links for UI consistency.
      • Added a special case check for the Flash plugin version check on Linux failing due to commas instead of periods in the version string.
      • Added Windows 10 compatibility in executable manifests
      The additional improvements included in this update are available in the Release Notes.

      Minimum system Requirements (Windows):
      • Windows Vista/Windows 7/Windows 8/Server 2008 or later
      • A processor with SSE2 support
      • 256 MB of free RAM (512 MB or more recommended)
      • At least 150 MB of free (uncompressed) disk space
      Pale Moon includes both 32- and 64-bit versions for Windows:
      Other versions:

        Update

        To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.



        Home
        Remember - "A day without laughter is a day wasted."
        May the wind sing to you and the sun rise in your heart...








        Thursday, March 12, 2015

        Adobe Flash Player Version 17 Released with Security Updates

        Adobe Flashplayer

        Adobe has released Version 17.0.0.134 of Adobe Flash Player and Adobe AIR for Windows and Macintosh.  Version 11.2.202.451 has been released for Linux.  The Extended Release Version is 13.0.0.277.

        These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system.  Details of the vulnerabilities are included in the below-referenced Security Bulletin.

        Update Information:

        Release date: March 12, 2015
        Vulnerability identifier: APSB15-05

        CVE number: CVE-2015-0332, CVE-2015-0333, CVE-2015-0334, CVE-2015-0335, CVE-2015-0336, CVE-2015-0337, CVE-2015-0338, CVE-2015-0339, CVE-2015-0340, CVE-2015-0341, CVE-2015-0342

        Flash Player Update Instructions

        It is recommended that you either use the auto-update mechanism within the product when prompted or the direct download links.  The problem with the auto-update mechanism is that it can take a few days to finally provide the update.

        Flash Player Auto-Update

        The update settings for Flash Player versions 10.3 and above can found in the Advanced tab of the Flash Player Settings Manager.  The locations are as follows:

        • Windows: click Start > Settings > Control Panel > Flash Player
        • Macintosh: System Preferences (under Other) click Flash Player
        • Linux Gnome: System > Preferences > Adobe Flash Player
        • Linux KDE: System Settings > Adobe Flash Player
        Also note that the Flash Player Settings Manager is where to manage local settings.

        Flash Player Direct Download Links

        Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras.

          Notes:
          • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
          • Uncheck any toolbar offered with Adobe products if not wanted.
          • If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
          • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.
          • Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.259.
          Adobe Flash Player for Android

          The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.   

          Verify Installation

          To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

          Do this for each browser installed on your computer.

          To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

          References






          Remember - "A day without laughter is a day wasted."
          May the wind sing to you and the sun rise in your heart...


          Tuesday, March 10, 2015

          Microsoft Security Bulletin Release for March 2015


          Microsoft released fourteen (14) bulletins.  Five (5) bulletins are identified as Critical and the remaining nine (9) are rated Important in severity.

          The updates address vulnerabilities in Microsoft Windows, Microsoft Office, Microsoft Exchange and Internet Explorer.  Details about the CVEs can be found in the below-referenced TechNet Security Bulletin.

          Security Bulletin MS15-031 addresses the vulnerability in Security Advisory 3046015 which relates to the SSL/TLS issue referred being referred to as “FREAK” (Factoring attack on RSA-EXPORT Keys).


          In addition to providing information about the additional families added to the MSRT, information regarding Superfish and steps by Microsoft, Lenovo and others is available in the MMPC blog post, MSRT March: Superfish cleanup.



          Updates:

          Critical:
          • MS15-022 -- Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3038999)
          • MS15-021 -- Vulnerabilities in Adobe Font Driver Could Allow Remote Code Execution (3032323) 
          • MS15-020 -- Vulnerability in Microsoft Windows Could Allow Remote Code Execution (3041836) 
          • MS15-019 -- Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3040297) 
          • MS15-018 -- Cumulative Security Update for Internet Explorer (3032359) 

          Important:
          • MS15-031 -- Vulnerability in Schannel Could Allow Security Feature Bypass (3046049) 
          • MS15-030 -- Vulnerability in Remote Desktop Protocol Could Allow Denial of Service (3039976) 
          • MS15-029 -- Vulnerability in Windows Photo Decoder Component Could Allow Information Disclosure (3035126) 
          • MS15-028 -- Vulnerability in Windows Task Scheduler Could Allow Security Feature Bypass (3030377)
          • MS15-027 -- Vulnerability in NETLOGON Could Allow Spoofing (3002657)
          • MS15-026 -- Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3040856) 
          • MS15-025 -- Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (3038680) 
          • MS15-024 -- Vulnerability in PNG Processing Could Allow Information Disclosure (3035132) 
          • MS15-023 -- Vulnerabilities in Kernel-Mode Driver Could Allow Elevation of Privilege (3034344) 

          Additional Update Notes

          • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 

            The updated version includes the Win32/CompromisedCert and Win32/Alinaos malware families.  Additional details ave available in the MMPC blog post.

          • Internet Explorer -- For additional information about the blocking of out-of-date ActiveX controls see the TechNet article, Out-of-date ActiveX control blocking.  Additional changes introduced this month include the blocking of outdated Silverlight.  Additional information is available in the IE Blog.

          • Windows 8.x -- Non-security new features and improvements for Windows 8.1 are now included with the second Tuesday of the month updates.  Additional information about this change is available here.

          • Windows XP -- Although Microsoft has stopped providing Microsoft Security Essentials for Windows XP, definitions will be available until July 15, 2015.  See Microsoft antimalware support for Windows XP.  The MSRT still works on Windows XP.

          References




            Remember - "A day without laughter is a day wasted."
            May the wind sing to you and the sun rise in your heart...







            Thursday, March 05, 2015

            Microsoft Security Advisory 3046015 (FREAK)

            Security Advisory
            Microsoft released Security Advisory 3046015 which relates to the SSL/TLS issue referred being referred to as “FREAK” (Factoring attack on RSA-EXPORT Keys).

            Most of the publicity surrounding FREAK has been addressing the vulnerability in the Safari, Chrome and Android browsers with OS X, iOS and Android.  However, the flaw also affects many popular websites.  As described in the Security Advisory:
            "The vulnerability could allow a man-in-the-middle (MiTM) attacker to force the downgrading of the cipher used in an SSL/TLS connection on a Windows client system to weaker individual ciphers that are disabled but part of a cipher suite that is enabled."
            The problem is that it isn't only the browser that is vulnerable but websites as well.  Are you or the sites you frequent vulnerable?  To find out, do the following:
            To learn more about FREAK, see Time to FREAK out? How to tell if you're vulnerable | Computerworld by Gregg Keizer.

            References:




            Remember - "A day without laughter is a day wasted."
            May the wind sing to you and the sun rise in your heart...

            Mozilla Firefox Version 36.0.1 Released with Security Updates


            Firefox
            Mozilla sent Firefox Version 36.0.1 to the release channel. The update includes eight (9) security updates, of which four (4) are identified as high, four (4) moderate and one (1) low.

            Fixed in Firefox 36.0.1

            • 2015-27 Caja Compiler JavaScript sandbox bypass
            • 2015-26 UI Tour whitelisted sites in background tab can spoof foreground tabs
            • 2015-25 Local files or privileged URLs in pages can be opened into new tabs
            • 2015-24 Reading of local files through manipulation of form autocomplete
            • 2015-23 Us-after-free in Developer Console date with OpenType Sanitiser
            • 2015-22 Crash using DrawTarget in Cairo graphics library
            • 2015-21 Buffer underflow during MP3 playback
            • 2015-20 Buffer overflow during CSS restyling
            • 2015-19 Out-of-bounds read and write while rendering SVG content

            What’s New

            • Fixed 36.0.1 - Disable the usage of the ANY DNS query type (1093983)
            • Fixed 36.0.1 - Fixed a startup crash with EMET (1137050)
            • Fixed 36.0.1 - Hello may become inactive until restart (1137469)
            • Fixed 36.0.1 - Print preferences may not be preserved (1136855)
            • Fixed 36.0.1 - Hello contact tabs may not be visible (1137141)
            • Fixed 36.0.1 - Accept hostnames that include an underscore character ("_") (1136616)
            • Fixed 36.0.1 - WebGL may use significant memory with Canvas2d (1137251)
            • Fixed 36.0.1 - Option -remote has been restored (1080319)
            • Fixed 36.0.1 - Fix a top crash

            Known Issues

            • unresolved  Style Editor: Extra white space appearing above the editor for a sourcemapped scss file (1128747)
            • unresolved  For users who removed the Share & Hello buttons, this new version brings them back unexpectedly (1136300)
            • unresolved  Firefox Hello does not work for link generators if there is no camera installed (1106941)

            Update

            To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

            References

            Home
            Remember - "A day without laughter is a day wasted."
            May the wind sing to you and the sun rise in your heart...