Tuesday, June 21, 2016

Pale Moon Version 26.3.0 Released with Security Updates


Pale Moon has been updated to Version 26.3.0. In addition to security updates, the new version includes bug fixes and better Windows 10 theme integration.

Details from the Release Notes:

Security fixes:
  • Fixed a number of memory safety hazards and potentially exploitable crashes.
  • Fixed CVE-2016-2821 Use-after-free in the mozilla::dom::Element class
  • Fixed netaddr deserialization for AF_UNSPEC and AF_LOCAL.
  • Fixed a memory overrun error in the VP8 encoder. DiD*
  • Fixed non-threadsafe re-use of pixman images to prevent potential race conditions. DiD*
  • Fixed CVE-2016-2825 Partial Same Origin Policy violation
*DiD -- This means that the fix is "Defense-in-Depth": It is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.

 Changes/fixes:

  • Added detection for dark system themes on Windows 10 and re-worked Windows 10 specific theming to better integrate into the OS and provide more clarity.
  • HTML5 media controls have been reworked to a horizontal volume control on all media, including HTML5 audio that was previously without an element-control for volume.
  • Default HTML5 media volume preference added as media.default_volume -- fractional, default 1.0 (=100%).
  • String.prototype.match() and .replace() are now fully spec compliant.
  • NSPR and NSS now correctly no longer enforce IA32 architecture compatibility, getting the advantage of SSE2 like the rest of the code.
  • Worked around crashes in the XSS filter when navigating back in history due to document fragments.
  • Instated a hard minimum of 10,000 places entries regardless of free disk space and total memory to prevent undesired expiration of history. That is around 16MB for an average entry size, which should be sane enough even on low-memory machines.
  • Fixed a typo in networking code introduced in 26.2.2 that would cause issues on some sites due to adding extra forward slashes to the URL.
 Minimum System Requirements (Windows):
  • Windows Vista/Windows 7/Windows 8/Server 2008 or later
  • A processor with SSE2 support
  • 256 MB of free RAM (512 MB or more recommended)
  • At least 150 MB of free (uncompressed) disk space
Pale Moon includes both 32- and 64-bit versions for Windows:
Other versions:

    Update

    To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...

    Thursday, June 16, 2016

    Adobe Flash Player and AIR Critical Security Update


    Adobe has released Version 22.0.0.192 of Adobe Flash Player for Microsoft Windows and Macintosh and Version 11.2.202.626 for Linux.  The Extended Support Release for Windows and Macintosh was updated to Version 18.0.0.360.  Adobe AIR has been updated to Version 22.0.0.153.

    The updates are to address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.  In particular, an exploit for CVE-2016-4171 exists in the wild, and is being used in limited, targeted attacks.

    Flash Player:

    Release date: June 16, 2016
    Vulnerability identifier: APSB16-18
    CVE number: CVE-2016-4122, CVE-2016-4123, CVE-2016-4124, CVE-2016-4125, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129, CVE-2016-4130, CVE-2016-4131, CVE-2016-4132, CVE-2016-4133, CVE-2016-4134, CVE-2016-4135, CVE-2016-4136, CVE-2016-4137, CVE-2016-4138, CVE-2016-4139, CVE-2016-4140, CVE-2016-4141, CVE-2016-4142, CVE-2016-4143, CVE-2016-4144, CVE-2016-4145, CVE-2016-4146, CVE-2016-4147, CVE-2016-4148, CVE-2016-4149, CVE-2016-4150, CVE-2016-4151, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154, CVE-2016-4155, CVE-2016-4156, CVE-2016-4166, CVE-2016-4171
    Platform: Windows, Macintosh, Linux and Chrome OS

    Adobe AIR:

    Release date: June 16, 2016
    Vulnerability identifier: APSB16-23
    CVE number: CVE-2027
    Platform: Windows


    Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras. 


    Update
    The security update has been released for IE and Edge for Windows Server 2012,  Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and  Windows 10 Version 1511:   Microsoft Security Bulletin MS16-083 - Critical.
      Notes:
      • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
      • Uncheck any toolbar offered with Adobe products if not wanted.
      • If you use alternate browsers, it is necessary to install both the update for Internet Explorer and the separate update for the alternate browsers (each browser family loads its own copy of Flash Player).
      • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.

      Verify Installation

      To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

      Do this for each browser installed on your computer.

      To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.
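      A scripted version of the check above for Windows hosts, as an added example that is not part of the original post or of Adobe's tooling: it reads the version values the Flash installers record under HKLM\SOFTWARE\Macromedia (the FlashPlayerActiveX, FlashPlayerPlugin and FlashPlayerPepper keys, plus their WOW6432Node mirrors on 64-bit Windows; those key and value names are assumptions here) and compares each runtime against the fixed builds from APSB16-18, so every browser family's plugin is covered in one pass instead of visiting the About page in each browser.

```powershell
# Added example (not from the original post or from Adobe): enumerate the Flash Player
# runtimes registered in HKLM and compare each against the fixed builds from APSB16-18.
# Assumption: the Macromedia keys and the "Version" value named below are what the
# ActiveX (IE), NPAPI (Firefox/Pale Moon) and PPAPI (Chromium) installers write.

$Fixed = @{
    Release  = [version]'22.0.0.192'   # APSB16-18, Windows/Mac release track
    Extended = [version]'18.0.0.360'   # APSB16-18, Extended Support Release track
}

# One entry per runtime; WOW6432Node covers 32-bit installers on 64-bit Windows.
$Targets = @(
    @{ Name = 'ActiveX (IE)';              Key = 'FlashPlayerActiveX' }
    @{ Name = 'NPAPI (Firefox/Pale Moon)'; Key = 'FlashPlayerPlugin'  }
    @{ Name = 'PPAPI (Chromium/Opera)';    Key = 'FlashPlayerPepper'  }
)
$Roots = @('HKLM:\SOFTWARE\Macromedia', 'HKLM:\SOFTWARE\WOW6432Node\Macromedia')

function Test-FlashPatched {
    param([version]$Installed)
    # ESR builds stay on the 18.x track, so they are measured against the ESR baseline.
    if ($Installed.Major -eq 18) { return $Installed -ge $Fixed.Extended }
    return $Installed -ge $Fixed.Release
}

foreach ($t in $Targets) {
    $found = $false
    foreach ($root in $Roots) {
        $path = Join-Path $root $t.Key
        if (-not (Test-Path $path)) { continue }
        $raw = (Get-ItemProperty -Path $path -Name Version -ErrorAction SilentlyContinue).Version
        if (-not $raw) { continue }
        $found = $true
        # Defensive: Flash file versions are sometimes shown comma-separated ("22,0,0,192").
        $v = [version]($raw -replace ',', '.')
        $status = if (Test-FlashPatched $v) { 'OK' } else { 'OUTDATED' }
        '{0,-28} {1,-14} {2,-8} ({3})' -f $t.Name, $v, $status, $path
    }
    if (-not $found) { '{0,-28} not installed' -f $t.Name }
}
```

      Run it in an elevated PowerShell session.  A runtime marked OUTDATED needs the update for that browser family; one marked "not installed" simply means that installer was never run on the machine, which is itself worth knowing before you assume a browser is covered.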

      Tuesday, June 14, 2016

      Microsoft Security Updates for June, 2016


      Microsoft released sixteen (16) bulletins addressing 44 CVEs.  Five (5) bulletins are identified as Critical and the remaining eleven (11) are rated Important in severity.


      The updates address vulnerabilities in Microsoft Windows, Internet Explorer, Microsoft Edge, Microsoft Office, and Microsoft Office Services and Web Apps, and cover Remote Code Execution and Elevation of Privilege.  One update, for Microsoft Exchange Server, addresses Information Disclosure.

      Information about the update for Windows 10 is available at Windows 10 update history.

      Critical:
      • MS16-063  -- Cumulative Security Update for Internet Explorer (3163649)
      • MS16-068  -- Cumulative Security Update for Microsoft Edge (3163656)
      • MS16-069  -- Cumulative Security Update for JScript and VBScript (3163640)
      • MS16-070  -- Security Update for Microsoft Office (3163610)
      • MS16-071  -- Security Update for Microsoft Windows DNS Server (3164065)

      Important:
      • MS16-072  -- Security Update for Group Policy (3163622)
      • MS16-073  -- Security Update for Windows Kernel-Mode Drivers (3164028)
      • MS16-074  -- Security Update for Microsoft Graphics Component (3164036)
      • MS16-075  -- Security Update for Windows SMB Server (3164038)
      • MS16-076  -- Security Update for Netlogon (3167691)
      • MS16-077  -- Security Update for WPAD (3165191)
      • MS16-078  -- Security Update for Windows Diagnostic Hub (3165479)
      • MS16-079  -- Security Update for Microsoft Exchange Server (3160339)
      • MS16-080  -- Security Update for Microsoft Windows PDF (3164302)
      • MS16-081  -- Security Update for Active Directory (3160352)
      • MS16-082  -- Security Update for Microsoft Windows Search Component (3165270)

      Additional Update Notes

      • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows 10 Version 1511, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates.
      • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 
      • Windows 8.x and Windows 10 -- Non-security new features and improvements for Windows 8.1 and Windows 10 are included with the updates.
      • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.
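      To confirm which of these bulletins a Windows host has actually picked up, here is an added PowerShell check (not from the original post or from Microsoft) that looks up each bulletin's KB number from the list above in Get-HotFix.  Two caveats are built into it: the KB numbers above are bulletin-level numbers, and on Windows 10 the same fixes ship inside a cumulative update with its own KB, so an absent entry means "verify by other means", not "unpatched"; and the Office and Exchange updates (MS16-070, MS16-079) are not Windows QFE packages, so Get-HotFix never reports them.  The Critical set is taken from the list above.

```powershell
# Added example (not from the original post or from Microsoft): report which June 2016
# bulletin KBs Get-HotFix (Win32_QuickFixEngineering) sees on this host.
# Caveat: a bulletin KB is an umbrella number; Windows 10 installs the same fixes as a
# cumulative update under a different KB, so "Not found" means "check another way".

$Bulletins = @{
    'MS16-063' = 'KB3163649'; 'MS16-068' = 'KB3163656'; 'MS16-069' = 'KB3163640'
    'MS16-070' = 'KB3163610'; 'MS16-071' = 'KB3164065'; 'MS16-072' = 'KB3163622'
    'MS16-073' = 'KB3164028'; 'MS16-074' = 'KB3164036'; 'MS16-075' = 'KB3164038'
    'MS16-076' = 'KB3167691'; 'MS16-077' = 'KB3165191'; 'MS16-078' = 'KB3165479'
    'MS16-079' = 'KB3160339'; 'MS16-080' = 'KB3164302'; 'MS16-081' = 'KB3160352'
    'MS16-082' = 'KB3165270'
}
$Critical = 'MS16-063', 'MS16-068', 'MS16-069', 'MS16-070', 'MS16-071'
# Office and Exchange patches install as MSI patches, not QFE packages, so Get-HotFix
# cannot see them; report them as n/a rather than as missing.
$NotQfe = 'MS16-070', 'MS16-079'

# Query the QFE list once and keep it in memory rather than once per bulletin.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

$report = foreach ($id in ($Bulletins.Keys | Sort-Object)) {
    $kb = $Bulletins[$id]
    $status = if ($NotQfe -contains $id) { 'n/a (check Office/Exchange build)' }
              elseif ($installed -contains $kb) { 'Installed' }
              else { 'Not found' }
    [pscustomobject]@{
        Bulletin = $id
        Severity = if ($Critical -contains $id) { 'Critical' } else { 'Important' }
        KB       = $kb
        Status   = $status
    }
}
$report | Format-Table -AutoSize

# Exit non-zero when a Critical bulletin's KB is absent, so the script can gate a
# build image or feed a compliance job instead of only printing a table.
$missingCritical = $report | Where-Object { $_.Severity -eq 'Critical' -and $_.Status -eq 'Not found' }
if ($missingCritical) {
    Write-Warning ('Critical bulletin KBs not found: ' + ($missingCritical.Bulletin -join ', '))
    exit 1
}
```

      On a Windows 10 machine, pair this with the Windows 10 Update History page mentioned above: the cumulative update KB listed there for June 14 is the one to look for in Get-HotFix, and its presence covers every Windows-component bulletin in the table at once.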

        Tuesday, June 07, 2016

        Mozilla Firefox Version 47.0 Released with Security Updates


        Mozilla sent Firefox Version 47.0 to the release channel today.  The update is a major release and includes two (2) critical, five (5) high, four (4) moderate and two (2) low security updates.


        The next scheduled release is August 2, 2016.  Firefox ESR will continue to ship point releases on the same day that Firefox ships and can be downloaded from here.

        Fixed in Firefox 47

        • 2016-62 Network Security Services (NSS) vulnerabilities
        • 2016-60 Java applets bypass CSP protections
        • 2016-59 Information disclosure of disabled plugins through CSS pseudo-classes
        • 2016-58 Entering fullscreen and persistent pointerlock without user permission
        • 2016-57 Incorrect icon displayed on permissions notifications
        • 2016-56 Use-after-free when textures are used in WebGL operations after recycle pool destruction
        • 2016-55 File overwrite and privilege escalation through Mozilla Windows updater
        • 2016-54 Partial same-origin-policy violation through setting location.host through data URI
        • 2016-53 Out-of-bounds write with WebGL shader
        • 2016-52 Addressbar spoofing through the SELECT element
        • 2016-51 Use-after-free deleting tables from a contenteditable document
        • 2016-50 Buffer overflow parsing HTML5 fragments
        • 2016-49 Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)


        New

        • Support for Google’s Widevine CDM on Windows and Mac OS X so streaming services like Amazon Video can switch from Silverlight to encrypted HTML5 video.
        • Enable VP9 video codec for users with fast machines
        • Embedded YouTube videos now play with HTML5 video if Flash is not installed.
        • View and search open tabs from your smartphone or another computer in a sidebar
        • Allow no-cache on back/forward navigations for https resources
        • Latgalu [ltg] locale added. Wikipedia tells us there are 164,500 daily speakers.

        Changed

        HTML5

        • cuechange events are now available on TextTrack objects
        • WebCrypto: PBKDF2 supports SHA-2 hash algorithms
        • WebCrypto: RSA-PSS signature support

          Update

          To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.
