Tuesday, February 16, 2016

Pale Moon Version 26.1.0 Released with Security Update



Pale Moon has been updated to version 26.1.0.  In addition to the security update, the update includes web compatibility, stability and bugfix updates.

The updates as described in the Release Notes include the following:

Security fixes:
Updated the Graphite2 font library to 1.3.5+ to fix a number of vulnerabilities (and some font bugs).

Changes/fixes:

  • Disabled our ES6 Promise implementation introduced in 26.0 since there were some severe issues with its implementation that caused a lot of inexplicable failures on websites. This means that some sites that insist on using Promises without checking availability and that do not provide sufficient web client compatibility by way of server-side libraries or polyfills will currently not work as-intended. Apologies for any inconvenience this may cause; providing a perfectly-working implementation will be our top priority going forward.
  • Improved website compatibility with many sites and web applications by making our cookie gate less strict.
  • Fixed web compatibility with Google Hangouts and Yahoo Calendar.
  • Changed the memory allocator on Windows platforms to a much more modern full-library implementation of jemalloc, with miscellaneous additional fixes. This should give comparable speed to the system one and will allocate free memory more dynamically. This should fix issues like "huge animated gif choking" and inexplicable pauses when using many tabs, scrolling (extremely) long pages, or viewing media.
  • Fixed a few rare crashing issues on Windows due to the build process.
  • Reduced so-called "jank" on inner frame scrolling reflows.
  • Extension compatibility: partial implementation of Firefox 26 download js modules as shims; this should make more Firefox extensions compatible with us out-of-the-box. (Thanks, Chaoskagami!)
  • Added a "superstop" key combination (Shift+Esc) that will stop all (foreground and background) network activity, stop animated gifs, etc. even after the page itself has fully loaded (and the stop button not being available) - some web applications may not like this if you use it since it will also cancel XHR requests, etc.
  • Updated NTLM authentication, deprecating v1 and adding a proper v2 implementation (Thanks, Trava90!)
  • Updated the default theme to tweak/improve it some more (Thanks, Antonius32!)
Minimum System Requirements (Windows):
  • Windows Vista/Windows 7/Windows 8/Server 2008 or later
  • A processor with SSE2 support
  • 256 MB of free RAM (512 MB or more recommended)
  • At least 150 MB of free (uncompressed) disk space
Pale Moon includes both 32- and 64-bit versions for Windows:
Other versions:

    Update

    To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.





    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...














    Thursday, February 11, 2016

    Mozilla Firefox Version 44.0.2 Released With Critical Security Update


    Mozilla sent Firefox Version 44.0.2 to the release channel.  The update includes one (1) critical security update. Firefox ESR was updated to version 38.6.1.

    Mozilla has also announced the move to a variably scheduled six-to-eight week release cycle for Firefox.  Of course, the release schedule has already been interrupted with two updates to version 44 and one to ESR.

    2016 Firefox Release Schedule

    2016-01-26 – Firefox 44
    2016-03-08 – Firefox 45, ESR 45 (6 weeks cycle)
    2016-04-19 – Firefox 46 (6 weeks cycle)
    2016-06-07 – Firefox 47 (7 weeks cycle)
    2016-08-02 – Firefox 48 (8 weeks cycle)
    2016-09-13 – Firefox 49 (6 weeks cycle)
    2016-11-08 – Firefox 50 (8 weeks cycle)
    2016-12-13 – Firefox 50.0.1 (5 week cycle, release for critical fixes as needed)
    2017-01-24 – Firefox 51 (6 weeks from prior release)

    Note: Firefox ESR will continue to ship point releases on the same day that Firefox ships.


    Fixed in Firefox 44.0.2



      What’s New

      Fixed

      • Firefox hangs or crashes on startup (1243098)

      Update

      To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.














      Tuesday, February 09, 2016

      Adobe Flash Player and AIR Critical Security Updates


      Adobe has released Version 20.0.0.306 of Adobe Flash Player for Microsoft Windows and Macintosh and Version 11.2.202.569 for Linux.  The updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.  Adobe AIR has been updated to Version 20.0.260.


      Release date: February 9, 2016
      Vulnerability identifier: APSB16-04
      Priority: See table below
      CVE number: CVE-2016-0964, CVE-2016-0965, CVE-2016-0966, CVE-2016-0967, CVE-2016-0968, CVE-2016-0969, CVE-2016-0970, CVE-2016-0971, CVE-2016-0972, CVE-2016-0973, CVE-2016-0974, CVE-2016-0975, CVE-2016-0976, CVE-2016-0977, CVE-2016-0978, CVE-2016-0979, CVE-2016-0980, CVE-2016-0981, CVE-2016-0982, CVE-2016-0983, CVE-2016-0984, CVE-2016-0985
      Platform: Windows, Macintosh and Linux

      Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras. 

        Notes:
        • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
        • Uncheck any toolbar offered with Adobe products if not wanted.
        • If you use alternate browsers, it is necessary to install both the update for Internet Explorer and the update for alternate browsers.
        • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.

        Verify Installation

        To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

        Do this for each browser installed on your computer.

        To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.







        Microsoft Security Bulletin Release for February, 2016


        Microsoft released thirteen (13) bulletins.  Six (6) bulletins are identified as Critical and the remaining seven (7) are rated Important in severity.

        The updates address vulnerabilities in Microsoft Windows, Microsoft Edge, Internet Explorer, Microsoft .NET Framework, Microsoft Office Services and Web Apps, and Microsoft Server Software.

        For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows 10 Version 1511, Adobe Flash Player is now a security bulletin rather than a security advisory and was included with the updates.

        As a very welcome change in response to feedback, Microsoft is now providing more details about the Windows 10 updates delivered through Windows Update. A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.

        Critical:
          • MS16-009 Cumulative Security Update for Internet Explorer (3134220) 
          • MS16-011 Cumulative Security Update for Microsoft Edge (3134225)
          • MS16-012 Security Update for Microsoft Windows PDF Library to Address Remote Code Execution (3138938)
          • MS16-013 Security Update for Windows Journal to Address Remote Code Execution (3134811)
          • MS16-015 Security Update for Microsoft Office to Address Remote Code Execution (3134226)
          • MS16-022 Security Update for Adobe Flash Player (3135782)
        Important:
          • MS16-014 Security Update for Microsoft Windows to Address Remote Code Execution (3134228)
          • MS16-016 Security Update for WebDAV to Address Elevation of Privilege (3136041)
          • MS16-017 Security Update for Remote Desktop Display Driver to Address Elevation of Privilege (3134700) 
          • MS16-018 Security Update for Windows Kernel-Mode Drivers to Address Elevation of Privilege (3136082)
          • MS16-019 Security Update for .NET Framework to Address Denial of Service (3137893)
          • MS16-020 Security Update for Active Directory Federation Services to Address Denial of Service (3134222)
          • MS16-021 Security Update for NPS RADIUS Server to Address Denial of Service (3133043)


            Sunday, February 07, 2016

            Java Out-of-Band Critical Security Update



            Oracle released an out-of-band critical security update which addresses CVE-2016-0603 which can be exploited when installing Java SE 6, 7 or 8 on the Windows platform. 

            Important Note:  The exposure exists only during the installation process.  Thus, Java SE users who have downloaded any old version of Java SE prior to 6u113, 7u97 or 8u73 for later installation need to discard the old downloads and replace them with 6u113, 7u97 or 8u73 or later.

            The Java SE Advanced Enterprise installers are not affected.
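
One way to find the old downloads the note above says to discard, as an added example that is not Oracle's tooling or part of the original post. It assumes Oracle's usual Windows installer file names (`jre-8u71-windows-x64.exe` and similar); the sample names are constructed.

```python
import re
import sys
from pathlib import Path

# Lowest update per Java SE family that the note above says is safe to keep.
MIN_SAFE_UPDATE = {6: 113, 7: 97, 8: 73}

# Assumed naming of Oracle's Windows installers (jre-8u71-windows-x64.exe),
# including browser-renamed duplicates such as "jre-8u71-windows-x64 (1).exe".
INSTALLER_RE = re.compile(
    r"(?:jre|jdk)-(?P<family>\d+)u(?P<update>\d+)-windows-[\w-]+(?: \(\d+\))?\.exe",
    re.IGNORECASE,
)

# Constructed sample file names, not taken from the page.
SAMPLE_NAMES = [
    "jre-8u71-windows-x64.exe",         # older than 8u73
    "jre-8u73-windows-i586.exe",        # fixed release
    "jdk-7u80-windows-x64 (1).exe",     # older than 7u97, renamed duplicate
    "jre-6u113-windows-i586-iftw.exe",  # fixed release, online installer
    "setup.exe",                        # unrelated file
]


def classify(filename):
    """Return (family, update, verdict) for a Java SE Windows installer name, else None.

    verdict is "stale", "ok", or "unknown" (family not covered by the note).
    """
    m = INSTALLER_RE.fullmatch(filename)
    if m is None:
        return None
    family, update = int(m["family"]), int(m["update"])
    floor = MIN_SAFE_UPDATE.get(family)
    if floor is None:
        return family, update, "unknown"
    return family, update, "stale" if update < floor else "ok"


def stale_installers(directory):
    """Names of installer files directly inside `directory` that should be discarded."""
    return [
        p.name for p in sorted(Path(directory).iterdir())
        if p.is_file() and (classify(p.name) or (0, 0, ""))[2] == "stale"
    ]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else Path.home() / "Downloads"
    for name in stale_installers(target):
        print("discard:", name)
```
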

            Download Information

            Download link:  Java SE 8u73

            Java SE 8u74, which is a "patch-set" update, including all of 8u73 plus additional features can be found here.  Select the appropriate version for your operating system.

            Verify your version:  http://www.java.com/en/download/testjava.jsp

            Notes:
            • UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.
            • Starting with Java SE 7 Update 21 in April 2013, all Java Applets and Web Start Applications should be signed with a trusted certificate.  It is not recommended to run untrusted/unsigned Certificates.  See How to protect your computer against dangerous Java Applets

            Critical Patch Updates

            The next scheduled dates of Oracle Java SE Critical Patch Updates are as follows:
            • 19 April 2016
            • 19 July 2016
            • 18 October 2016
            • 17 January 2017





            Saturday, February 06, 2016

            Pale Moon Bugfix Update to Version 26.0.3



            Pale Moon has been updated to version 26.0.3.  The update is a bugfix with two small but important changes.

            The updates as described in the Release Notes include the following:

            • Changed our cookie gate to allow cookie names with spaces in them, to improve web compatibility. Restricting cookies to address CVE-2016-1939 also blacklisted a "grey" character (being 0x20, or the space character) in cookie names, causing some issues with some websites. This also affected Firefox who will be releasing a similar compatibility update soon.

              Critical note: if your site uses cookie names with spaces in them, please consider moving away from doing that so you are no longer in the "grey" area of cookie behavior.
            • Changed the configuration of our XSS filter to address some known, harmless filter hits that have been reported.
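
For site owners acting on the critical note above, a small audit of `Set-Cookie` header values, as an added example that is not Pale Moon's code. It assumes the RFC 6265 token grammar as the definition of a cookie name outside the "grey" area; the sample header values are constructed.

```python
import re

# RFC 6265 defines cookie-name as an HTTP "token": visible ASCII, no separators.
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Constructed Set-Cookie header values, not taken from the page.
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; HttpOnly",  # fine
    "user pref=dark; Path=/",        # space (0x20) inside the name
    " theme =light",                 # fine: surrounding whitespace is trimmed
    "track\x0bid=1",                 # control character inside the name
    "a,b=1",                         # separator inside the name
    "=orphan",                       # no name at all
]


def cookie_name(set_cookie_value):
    """Extract the cookie name from one Set-Cookie header value ('' if none)."""
    pair = set_cookie_value.split(";", 1)[0]
    name, sep, _ = pair.partition("=")
    # Parsers trim spaces and tabs around the name; interior ones remain.
    return name.strip(" \t") if sep else ""


def audit(set_cookie_values):
    """Return (name, reason) for every cookie whose name is not a plain token."""
    findings = []
    for value in set_cookie_values:
        name = cookie_name(value)
        if not name:
            findings.append((name, "missing name"))
        elif any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
            findings.append((name, "control character in name"))
        elif " " in name:
            findings.append((name, "space in name"))
        elif not TOKEN_RE.fullmatch(name):
            findings.append((name, "non-token character in name"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_HEADERS):
        print(f"{name!r}: {reason}")
```
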

            Minimum System Requirements (Windows):
            • Windows Vista/Windows 7/Windows 8/Server 2008 or later
            • A processor with SSE2 support
            • 256 MB of free RAM (512 MB or more recommended)
            • At least 150 MB of free (uncompressed) disk space
            Pale Moon includes both 32- and 64-bit versions for Windows:
            Other versions:

              Update

              To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.


















              Wednesday, February 03, 2016

              Pale Moon Version 26.0.2 Release With Security Updates



              Pale Moon has been updated to version 26.0.2.  The update is described as a bugfix, security and web compatibility release.

              Fixes for web compatibility issues with YouTube, Netflix and other sites were included in the changes/fixes.  For information on additionally included fixes/changes, see the Release Notes.

              Note that two of the security fixes are described as "DiD", which stands for "Defense-in-Depth".  These changes do not apply to any actively exploitable vulnerabilities in Pale Moon.  Rather, the updates are meant to prevent future vulnerabilities that the same code could cause if changes to the surrounding code expose the problem.

              Security fixes:
              • Updated NSS to 3.19.4.1-PM to fix a potential UAF and CVE-2015-7575.
              • Crash fix: Prevented queueing multiple media sources that could lead to unsafe memory access.
              • Prevented unsafe memory manipulations in zip archives. (CVE-2016-1945) DiD
              • Prevented a potential buffer overflow in WebGL. (x64 only) (CVE-2016-1935) DiD
              • Updated the way binaries are code-signed. Not only does v26.0 use a new SHA256-signed digital certificate, but starting this version will also be signed with both SHA1 and SHA256 digest algorithms to satisfy later Windows' code-signing requirements.



              Minimum System Requirements (Windows):
              • Windows Vista/Windows 7/Windows 8/Server 2008 or later
              • A processor with SSE2 support
              • 256 MB of free RAM (512 MB or more recommended)
              • At least 150 MB of free (uncompressed) disk space
              Pale Moon includes both 32- and 64-bit versions for Windows:
              Other versions:

                Update

                To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.




