Monday, July 27, 2015

Pale Moon Version 25.6.0 Released with Security Updates and Fixes

Pale Moon has been updated to version 25.6.  This update includes critical security updates as well as numerous fixes/changes.


Security fixes:
  • Fixed a memory safety bug due to a bad test in nsZipArchive.cpp (CVE-2015-2735).
  • Fixed a memory safety bug in nsZipArchive::BuildFileList (CVE-2015-2736).
  • Fixed a memory safety bug caused by an overflow in nsXMLHttpRequest::AppendToResponseText (CVE-2015-2740).
  • Fixed a Use After Free in CanonicalizeXPCOMParticipant (CVE-2015-2722).
  • Fixed off-main-thread nsIPrincipal use of various consumers in the tree (only grab the principal when needed).
  • Fixed an issue where an IPDL message was sent off the main thread.
  • Fixed a potentially exploitable TCPSocket crash due to a race condition.
Fixes/changes:

A complete list of the fixes, changes and additions is available in the Release Notes. Some of the changes that may be of particular interest to users are as follows:
  • Canvas anti-fingerprinting option: Pale Moon now includes the option to make canvas fingerprinting much more difficult. By setting the about:config preference canvas.poisondata to true, any data read back from canvas surfaces will be "poisoned" with humanly-imperceptible data changes. By default this is off, because it has a large performance impact on the routines reading this data.
  • Added a feature to allow icon fonts to be used even when users disallow the use of document-specified fonts. This should retain full navigation for icon-font heavy websites (no more dreaded "boxes" with hex codes) when custom text fonts are disabled.
  • Added a feature to prevent screen savers from kicking in when playing full-screen HTML5 video. This is currently not yet operational on Linux because of stability issues we've run into on that OS, but Windows should properly benefit from this change.
  • Fixed miscellaneous crash scenarios (See Release Notes)

    Minimum system requirements (Windows):
    • Windows Vista/Windows 7/Windows 8/Server 2008 or later
    • A processor with SSE2 support
    • 256 MB of free RAM (512 MB or more recommended)
    • At least 150 MB of free (uncompressed) disk space
    Pale Moon includes both 32- and 64-bit versions for Windows:
    Other versions:

      Update

      To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.



      Home
      Remember - "A day without laughter is a day wasted."
      May the wind sing to you and the sun rise in your heart...

      Monday, July 20, 2015

      Out-of-band release for Security Bulletin MS15-078


      Microsoft released an out-of-band critical security update that addresses a vulnerability in the Microsoft font driver that could allow remote code execution.

      The vulnerability affects all supported versions of Microsoft Windows.  A restart is required in order to apply the update.



      Critical:

        • MS15-078 -- Vulnerability in Microsoft Font Driver Could Allow Remote Code Execution (3079904).
          This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts.

        References


          Tuesday, July 14, 2015

          Oracle Java Quarterly Security Updates, July 2015

          Oracle released the scheduled critical security updates for its Java SE Runtime Environment software. 

          Unwanted "Extras"

          Although most people do not need Java on their computer, there are some programs and games that require Java.  If you need to continue using Java, How-To Geek discovered a little-known and unpublicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates.  Although the Ask Toolbar has been removed, that does not preclude a pre-checked option for some other unnecessary add-on.

          Do the following to suppress the sponsor offers:
          1. Launch the Windows Start menu
          2. Click on Programs
          3. Find the Java program listing
          4. Click Configure Java to launch the Java Control Panel
          5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
          6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.

          Windows XP

          For information on Java support for Windows XP, organizations and individuals who must continue using Windows XP and have Java installed are referred to the Oracle blog post, The future of Java on Windows XP (Henrik on Java).

          Update

          If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

          Download Information

          Download link:  Java SE 8u51

          Verify your version:  http://www.java.com/en/download/testjava.jsp

          Notes:
          • UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.
          • Starting with Java SE 7 Update 21 in April 2013, all Java Applets and Web Start Applications should be signed with a trusted certificate.  Running untrusted or unsigned applets is not recommended.  See How to protect your computer against dangerous Java Applets

          Critical Patch Updates

          For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
          • 20 October 2015
          • 19 January 2016 
          • 19 April 2016

          Java Security Recommendations

          For those people who have desktop applications that require Java and cannot uninstall it, Java can now be disabled in Internet Explorer.  See Microsoft Fix it to Disable Java in Internet Explorer.

          1)  In the Java Control Panel, at minimum, set the security level to High.
          2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.
          3)  If you use Firefox or Pale Moon, install NoScript and only allow Java on those sites where it is required.

          Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml

          References

          Microsoft Security Bulletin Release for July, 2015


          Microsoft released fourteen (14) bulletins.  Four (4) bulletins are identified as Critical and the remaining ten (10) are rated Important in severity.

          The updates address vulnerabilities in Microsoft Windows, Microsoft Office, Microsoft SQL Server, and Internet Explorer.  Details about the CVEs can be found in the below-referenced TechNet Security Bulletin.

          Two Security Advisories were also released:

          KB3057154 -- Update to Harden Use of DES Encryption
          KB3074162 -- Vulnerability in Microsoft Malicious Software Removal Tool Could Allow Elevation of Privilege

          Critical:
          • MS15-065  -- Security Update for Internet Explorer (3076321) 
          • MS15-066  -- Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3072604) 
          • MS15-067 -- Vulnerability in RDP Could Allow Remote Code Execution (3073094) 
          • MS15-068 -- Vulnerabilities in Windows Hyper-V Could Allow Remote Code Execution (3072000) 
          Important:
          • MS15-058 -- Vulnerabilities in SQL Server Could Allow Remote Code Execution (3065718) 
          • MS15-069 -- Vulnerabilities in Windows Could Allow Remote Code Execution (3072631) 
          • MS15-070 -- Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3072620) 
          • MS15-071 -- Vulnerability in Netlogon Could Allow Elevation of Privilege (3068457) 
          • MS15-072 -- Vulnerability in Windows Graphics Component Could Allow Elevation of Privilege (3069392) 
          • MS15-073 -- Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (3070102) 
          • MS15-074 -- Vulnerability in Windows Installer Service Could Allow Elevation of Privilege (3072630) 
          • MS15-075 -- Vulnerabilities in OLE Could Allow Elevation of Privilege (3072633) 
          • MS15-076 -- Vulnerability in Windows Remote Procedure Call Could Allow Elevation of Privilege (3067505) 
          • MS15-077 -- Vulnerability in ATM Font Driver Could Allow Elevation of Privilege (3077657) 

          Additional Update Notes

          • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. The updated version includes Win32/Crowti and Win32/Reveton.  Details are available in the MMPC Blog Post.
          • Internet Explorer -- For additional information about the blocking of out-of-date ActiveX controls see the TechNet article, Out-of-date ActiveX control blocking.  Additional changes introduced this month include the blocking of outdated Silverlight.  Additional information is available in the IE Blog.

          • Windows 8.x -- Non-security new features and improvements for Windows 8.1 are now included with the second Tuesday of the month updates.  Additional information about this change is available here.

          • Windows XP -- Effective today, Microsoft definition updates for Microsoft Security Essentials for Windows XP are finished!  See Microsoft antimalware support for Windows XP

          References


            Adobe Shockwave Player Critical Security Update

            Adobe has released a critical security update for Adobe Shockwave Player which resolves memory corruption vulnerabilities that could lead to code execution on the Windows and Macintosh operating systems.


            Although I have yet to need Shockwave Player on this computer, there are still many people who use it.  If you have Shockwave Player installed, please update to the latest version.

            Release date: July 14, 2015
            Vulnerability identifier: APSB15-17

            CVE number: CVE-2015-5120, CVE-2015-5121
            Platform: Windows and Macintosh

            The newest version 12.1.9.159 is available here: http://get.adobe.com/shockwave/.  As usual, watch for any pre-checked add-ons not needed for the update.

            References

            Adobe Reader Critical Quarterly Security Updates Released

            Adobe has released the quarterly security update for Adobe Reader and Acrobat XI for Windows and Macintosh. The update addresses critical vulnerabilities and should be installed as soon as possible.

            Release date: July 14, 2015
            Vulnerability identifier: APSB15-15

            CVE Numbers: CVE-2014-0566, CVE-2014-8450, CVE-2015-3095, CVE-2015-4435, CVE-2015-4438, CVE-2015-4441, CVE-2015-4443, CVE-2015-4444, CVE-2015-4445, CVE-2015-4446, CVE-2015-4447, CVE-2015-4448, CVE-2015-4449, CVE-2015-4450, CVE-2015-4451, CVE-2015-4452, CVE-2015-5085, CVE-2015-5086, CVE-2015-5087, CVE-2015-5088, CVE-2015-5089, CVE-2015-5090, CVE-2015-5091, CVE-2015-5092, CVE-2015-5093, CVE-2015-5094, CVE-2015-5095, CVE-2015-5096, CVE-2015-5097, CVE-2015-5098, CVE-2015-5099, CVE-2015-5100, CVE-2015-5101, CVE-2015-5102, CVE-2015-5103, CVE-2015-5104, CVE-2015-5105, CVE-2015-5106, CVE-2015-5107, CVE-2015-5108, CVE-2015-5109, CVE-2015-5110, CVE-2015-5111, CVE-2015-5113, CVE-2015-5114, CVE-2015-5115
            Platform: Windows and Macintosh

            Update or Complete Download

            Update checks can be manually activated by choosing Help > Check for Updates.
              Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

              Windows XP

              If you are still using Windows XP and have Adobe Reader installed, please note that there will be no additional security updates for it.  I suggest uninstalling it and installing an alternate reader.  Personally, I like Sumatra PDF.  It isn't a target and doesn't include unwanted extras with the install or updates.  (See Replacing Adobe Reader with Sumatra PDF.)  Adobe Reference:  End of support | Acrobat and Reader for Windows XP

              Enable "Protected View"

              Due to frequent vulnerabilities, it is recommended that Windows users of Adobe Reader and Acrobat ensure that Protected View is enabled.  Neither the Protected Mode nor the Protected View option is available for Macintosh users.

              To enable this setting, do the following:
              • Click Edit > Preferences > Security (Enhanced) menu. 
              • Change the "Off" setting to "All Files".
              • Ensure the "Enable Enhanced Security" box is checked. 

              Adobe Protected View
              Image via Sophos Naked Security Blog
              If you are looking for a replacement for Adobe Reader, consider Replacing Adobe Reader with Sumatra PDF.

              References

              Adobe Flash Player Critical Security Update

              Adobe has released Version 18.0.0.209 of Adobe Flash Player for Windows, Macintosh and Linux.  The Extended Release Version was updated to 13.0.0.305.

              These updates address critical vulnerabilities that are actively being exploited. It is strongly advised that the updates be applied as soon as possible. Details of the vulnerabilities are included in the below-referenced Security Bulletin.

              Release date: July 14, 2015
              Vulnerability identifier: APSB15-18
              CVE number: CVE-2015-5122, CVE-2015-5123
              Platform: Windows, Macintosh and Linux
              • Users of the Adobe Flash Player desktop runtime for Windows and Macintosh should update to Adobe Flash Player 18.0.0.209. 
              • Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.305. Note: Beginning August 11, 2015, Adobe will update the version of the "Extended Support Release" from Flash Player 13 to Flash Player 18 for Macintosh and Windows.
              • Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.481.
              • Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, will automatically update to the current version.

              Flash Player Update Instructions

              It is recommended that you either use the auto-update mechanism within the product when prompted or the direct download links.  The problem with the auto-update mechanism is that it can take a few days to finally provide the update and up to a week if using the "Notify me to install updates" setting.

              Flash Player Auto-Update

              The update settings for Flash Player versions 10.3 and above can be found in the Advanced tab of the Flash Player Settings Manager.  The locations are as follows:
              • Windows: click Start > Settings > Control Panel > Flash Player
              • Macintosh: System Preferences (under Other) click Flash Player
              • Linux Gnome: System > Preferences > Adobe Flash Player
              • Linux KDE: System Settings > Adobe Flash Player
              Also note that the Flash Player Settings Manager is where to manage local settings.

              Flash Player Direct Download Links

              Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras.

                Notes:
                • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
                • Uncheck any toolbar offered with Adobe products if not wanted.
                • If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
                • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.

                Verify Installation

                To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

                Do this for each browser installed on your computer.

                To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

                References

                Wednesday, July 08, 2015

                Out-of-Band Critical Adobe Flash Player and AIR Update

                Adobe has released Version 18.0.0.203 of Adobe Flash Player for Windows and Macintosh and Version 18.0.0.180 of Adobe AIR.  Version information for Linux and the Extended Release is available below.

                This update addresses critical vulnerabilities that could potentially allow an attacker to take control of the affected system.  Because an exploit targeting CVE-2015-5119 has been published publicly, updating to the latest version as soon as possible is advised.

                Details of the vulnerabilities are included in the below-referenced Security Bulletin.  At the time of this posting, the Release Notes have not yet been released but will be available later in the reference below.

                Release date: July 8, 2015
                Vulnerability identifier: APSB15-16
                CVE number: CVE-2014-0578, CVE-2015-3097, CVE-2015-3114, CVE-2015-3115, CVE-2015-3116, CVE-2015-3117, CVE-2015-3118, CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122, CVE-2015-3123, CVE-2015-3124, CVE-2015-3125, CVE-2015-3126, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3130, CVE-2015-3131, CVE-2015-3132, CVE-2015-3133, CVE-2015-3134, CVE-2015-3135, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4429, CVE-2015-4430, CVE-2015-4431, CVE-2015-4432, CVE-2015-4433, CVE-2015-5116, CVE-2015-5117, CVE-2015-5118, CVE-2015-5119
                Platform: All Platforms
                • Users of the Adobe Flash Player desktop runtime for Windows and Macintosh should update to Adobe Flash Player 18.0.0.203.  The current version of Adobe AIR is 18.0.0.180.
                • Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.302.
                • Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.481.
                • Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, will automatically update to the current version.
                • The latest version of Adobe AIR for Android is 18.0.0.180; it is available from the Android Marketplace by browsing to it on a mobile phone.

                Flash Player Update Instructions

                It is recommended that you either use the auto-update mechanism within the product when prompted or the direct download links.  The problem with the auto-update mechanism is that it can take a few days to finally provide the update and up to a week if using the "Notify me to install updates" setting.

                Flash Player Auto-Update

                The update settings for Flash Player versions 10.3 and above can be found in the Advanced tab of the Flash Player Settings Manager.  The locations are as follows:
                • Windows: click Start > Settings > Control Panel > Flash Player
                • Macintosh: System Preferences (under Other) click Flash Player
                • Linux Gnome: System > Preferences > Adobe Flash Player
                • Linux KDE: System Settings > Adobe Flash Player
                Also note that the Flash Player Settings Manager is where to manage local settings.

                Flash Player Direct Download Links

                Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras.

                  Notes:
                  • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
                  • Uncheck any toolbar offered with Adobe products if not wanted.
                  • If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
                  • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.

                  Verify Installation

                  To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

                  Do this for each browser installed on your computer.

                  To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

                  References

                  Thursday, July 02, 2015

                  Firefox Version 39.0 Released with Critical Security Updates


                  Mozilla sent Version 39.0 to the release channel.  The update includes four (4) critical, two (2) high, six (6) moderate and one (1) low security update. 

                  Firefox ESR version has been updated to 31.8.

                  Fixed in Firefox 39

                  • 2015-71 -- NSS incorrectly permits skipping of ServerKeyExchange
                  • 2015-70 -- NSS accepts export-length DHE keys with regular DHE cipher suites
                  • 2015-69 -- Privilege escalation in PDF.js
                  • 2015-68 -- OS X crash reports may contain entered key press information
                  • 2015-67 -- Key pinning is ignored when overridable errors are encountered
                  • 2015-66 -- Vulnerabilities found through code inspection
                  • 2015-65 -- Use-after-free in workers while using XMLHttpRequest
                  • 2015-64 -- ECDSA signature validation fails to handle some signatures correctly
                  • 2015-63 -- Use-after-free in Content Policy due to microtask execution error
                  • 2015-62 -- Out-of-bound read while computing an oscillator rendering range in Web Audio
                  • 2015-61 -- Type confusion in Indexed Database Manager
                  • 2015-60 -- Local files or privileged URLs in pages can be opened into new tabs
                  • 2015-59 -- Miscellaneous memory safety hazards (rv:39.0 / rv:31.8 / rv:38.1)

                  What’s New

                  • New -- Share Hello URLs with social networks
                  • New -- Project Silk: Smoother animation and scrolling (Mac OS X)
                  • New -- Support for 'switch' role in ARIA 1.1 (web accessibility)
                  • New -- SafeBrowsing malware detection lookups enabled for downloads (Mac OS X and Linux)
                  • New -- Support for new Unicode 8.0 skin tone emoji
                  • Changed -- Removed support for insecure SSLv3 for network communications
                  • Changed -- Disable use of RC4 except for temporarily whitelisted hosts
                  • Changed -- The malware detection service for downloads now covers common Mac file types (Bug 1138721)
                  • Changed -- Performance of displaying dashed lines is improved (Mac OS X) (Bug 1123019)
                  • HTML5 -- List-style-type now accepts a string value
                  • HTML5 -- Enable the Fetch API for network requests from dedicated, shared and service workers
                  • HTML5 -- Cascading of CSS transitions and animations now matches the current spec
                  • HTML5 -- Implement allowing anticipation of a future connection without revealing any information
                  • HTML5 -- Added support for CSS Scroll Snap Points
                  • Fixed -- Improve performance for IPv6 fallback to IPv4
                  • Fixed -- Fix incomplete downloads being marked as complete by detecting broken HTTP1.1 transfers
                  • Fixed -- The Security state indicator on a page now correctly ignores loads caused by previous pages
                  • Fixed -- Fixed an issue where a Hello conversation window would sometimes fail to open
                  • Fixed -- A regression that could lead to Flash not displaying has been fixed
                  • Fixed -- Update to NSS 3.19.2

                  Known Issues

                  No known issues are reported.

                  Update

                  To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

                  References