Another Oracle Java Out-of-Band Critical Security Update

Oracle released yet another out-of-band critical security update which addresses CVE-2016-0636 which is remotely exploitable without authentication.

If Java is still on your computer, it is strongly advised that this update be installed as soon as possible.

Download Information

Download link:  Java SE 8u77


Verify your version:  http://www.java.com/en/download/testjava.jsp

Notes:

• UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.
• Be sure to uninstall all previous versions of Java.
• Starting with Java SE 7 Update 21 in April 2013, all Java Applets and Web Start Applications should be signed with a trusted certificate.  It is not recommended to run untrusted/unsigned Certificates.  See How to protect your computer against dangerous Java Applets

Critical Patch Updates

The next scheduled dates of Oracle Java SE Critical Patch Updates are as follows:

• 19 April 2016
• 19 July 2016
• 18 October 2016
• 17 January 2017

References

• Release Notes
• Oracle Security Alert for CVE-2016-0636 
• Java, The Never-Ending Saga  
• Oracle Quality Assurance Blog 

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Adobe Flash Player Bug Fix

Adobe has released Version 21.0.0.197 of Adobe Flash Player for Microsoft Windows and Macintosh.  Linux and the Extended Support Release for Windows and Macintosh were not updated and remain at Version 11.2.202.577 for Linux and Version 18.0.0.333 for the ESR.  Adobe AIR also remains unchanged at  Version 21.0.0.176.

The update was to provide an important bug fix that was affecting a subset of Flash gaming content. See the below-referenced release notes for further information.

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

References

• Adobe Priority Ratings
• AIR Download Center 
• Release Notes:  Flash Player® 21 AIR® 21
• PSIRT

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Adobe Flash Player and AIR Critical Security Update

Adobe has released Version 21.0.0.182 of Adobe Flash Player for Microsoft Windows and Macintosh and Version 11.2.202.577 for Linux.  The Extended Support Release for Windows and Macintosh was updated to Version 18.0.0.333.  Adobe AIR has been updated to Version 21.0.0.176.

The updates are to address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

See the Adobe Security Bulletin for additional information.

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

References

• Adobe Priority Ratings
• AIR Download Center 
• Release Notes:  Flash Player® 21 AIR® 21
• PSIRT

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Microsoft Security Bulletin Release for March, 2016

Microsoft released thirteen (13) bulletins.  Five (5) bulletins are identified as Critical and the remaining eight (8) are rated Important in severity.

The updates address vulnerabilities in Microsoft Windows, Microsoft Edge, Internet Explorer, Microsoft Office, Microsoft Office Services and Web Apps, Microsoft Server Software and Microsoft .NET Framework.


Critical:

• MS16-023 Cumulative Security Update for Internet Explorer (3142015)
• MS16-024 Cumulative Security Update for Microsoft Edge (3142019)
• MS16-026 Security Update for Graphic Fonts to Address Remote Code Execution (3143148)                  
• MS16-027 Security Update for Windows Media to Address Remote Code Execution (3143146)                  
• MS16-028 Security Update for Microsoft Windows PDF Library to Address Remote Code Execution (3143081)   

Important:

• MS16-025 Security Update for Windows Library Loading to Address Remote Code Execution (3140709)       
• MS16-029 Security Update for Microsoft Office to Address Remote Code Execution (3141806)                  
• MS16-030 Security Update for Windows OLE to Address Remote Code Execution (3143136)                  
• MS16-031 Security Update for Microsoft Windows to Address Elevation of Privilege (3140410)                  
• MS16-032 Security Update for Secondary Logon to Address Elevation of Privilege (3143141)                  
• MS16-033 Security Update for Windows USB Mass Storage Class Driver to Address Elevation of Privilege (3143142)
• MS16-034 Security Update for Windows Kernel-Mode Drivers to Address Elevation of Privilege (3143145)
• MS16-035 Security Update for .NET Framework to Address Security Feature Bypass (3141780)   

Additional Update Notes

• Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows 10 Version 1511, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates.
• MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 
• Windows 8.x and Windows 10 -- Non-security new features and improvements for Windows 8.1 and Windows 10 are included with the updates.
• Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.

References

• MSRC
• TechNet: Microsoft Security Bulletin for March 2016 
• Windows 10 Update History

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Mozilla Firefox Version 45.0 Released with Critical Security Updates

Mozilla sent Firefox Version 45.0 to the release channel.  The update includes eight (8) critical security updates, seven (7) high, six (6) moderate and one (1) low security updates.

Firefox ESR was updated to version 38.7.0.

The next scheduled release is April 19, 2016.

Fixed in Firefox 45

•     2016-37 Font vulnerabilities in the Graphite 2 library
•     2016-36 Use-after-free during processing of DER encoded keys in NSS
•     2016-35 Buffer overflow during ASN.1 decoding in NSS
•     2016-34 Out-of-bounds read in HTML parser following a failed allocation
•     2016-33 Use-after-free in GetStaticInstance in WebRTC
•     2016-32 WebRTC and LibVPX vulnerabilities found through code inspection
•     2016-31 Memory corruption with malicious NPAPI plugin
•     2016-30 Buffer overflow in Brotli decompression
•     2016-29 Same-origin policy violation using perfomance.getEntries and history navigation with session restore
•     2016-28 Addressbar spoofing though history navigation and Location protocol property
•     2016-27 Use-after-free during XML transformations
•     2016-26 Memory corruption when modifying a file being read by FileReader
•     2016-25 Use-after-free when using multiple WebRTC data channels
•     2016-24 Use-after-free in SetBody
•     2016-23 Use-after-free in HTML5 string parser
•     2016-22 Service Worker Manager out-of-bounds read in Service Worker Manager
•     2016-21 Displayed page address can be overridden
•     2016-20 Memory leak in libstagefright when deleting an array during MP4 processing
•     2016-19 Linux video memory DOS with Intel drivers
•     2016-18 CSP reports fail to strip location information for embedded iframe pages
•     2016-17 Local file overwriting and potential privilege escalation through CSP reports
•     2016-16 Miscellaneous memory safety hazards (rv:45.0 / rv:38.7)

New

• Instant browser tab sharing through Hello
  
• Tabs synced via Firefox Accounts from other devices are now shown in dropdown area of Awesome Bar when searching
  
• Synced Tabs button in button bar
  
• Introduce a new preference (network.dns.blockDotOnion) to allow blocking .onion at the DNS level
  
• Guarani [gn] locale added
  

Fixed

• URLs containing a Unicode-format Internationalized Domain Name (IDN) are now properly redirected
  
• Various security fixes
  

Changed

• Tab Groups (Panorama) feature removed
  

HTML5

• Push API support, part of Progressive Web Applications
  
• Support delivery of a Content Security Policy (CSP) via a meta tag
  
• Web Speech synthesis API
  
• ES6 Classes
  

Unresolved

• On-screen keyboard support was temporarily turned off for Windows 8 and Windows 8.1
  

Update

To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

References

• Common questions after updating Firefox
• Security Updates
• Mozilla Firefox Release Notes
• Bug Fixes 

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Adobe Reader and Acrobat Out-of-Band Security Update

Adobe has released out-of-band security updates for Adobe Reader and Acrobat XI for Windows and Macintosh. The update addresses numerous critical vulnerabilities and should be installed as soon as possible.

Release date: March 8, 2016
Vulnerability identifier: APSB16-09
CVE numbers:  CVE-2016-1007, CVE-2016-1008, CVE-2016-1009
Platform: Windows and Macintosh

Update or Complete Download

Update checks can be manually activated by choosing Help > Check for Updates.

• Adobe Reader XI (11.0.15, Pro and Standard) for Windows is available here: https://www.adobe.com/support/downloads/detail.jsp?ftpID=6011. 
• Reader DC (Document Cloud) and other Reader versions for Windows can be found here:  https://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows 
• Acrobat for Windows is available here:  http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows

Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

End of Support:  Adobe Acrobat X and Adobe Reader 

Adobe Acrobat X and Adobe Reader X are no longer supported (see here). Adobe recommends Adobe Acrobat DC (FAQ) and Adobe Acrobat Reader DC (FAQ).  However, another alternate is available to replace Adobe Reader. Personally, I like Sumatra PDF.  It isn't a target and doesn't include unwanted extras with the install or updates.  

Enable "Protected View"

Due to frequent vulnerabilities, it is recommended that Windows users of Adobe Reader and Acrobat ensure that Protected View is enabled.  Neither the Protected Mode or Protected View option is available for Macintosh users.

To enable this setting, do the following:

• Click Edit > Preferences > Security (Enhanced) menu. 
• Change the "Off" setting to "All Files".
• Ensure the "Enable Enhanced Security" box is checked. 

Image via Sophos Naked Security Blog

References

• PSIRT
• Release Notes | Acrobat, Reader
• Security Bulletin
• System Requirements

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...