Wednesday, November 30, 2016

Mozilla Firefox Version 50.0.2 Released to Address Critical Zero-Day Vulnerability


Mozilla sent Firefox Version 50.0.2 to the release channel today to address a critical zero-day vulnerability that is being exploited in the wild.  Firefox ESR was updated to version 45.5.1.

The next scheduled release is December 13, 2016 (5 week cycle with release for critical fixes as needed).

Critical
Additional information about the vulnerability is available in Vulnerability Note VU#791496, "Mozilla Firefox SVG animation nsSMILTimeContainer use-after-free vulnerability".

Note:  As explained in the Pale Moon forum announcement, the question arose as to whether Pale Moon, although it has diverged significantly from Mozilla development, is also vulnerable.  After evaluation, it was reported that it is extremely unlikely that Pale Moon is vulnerable to this exploit.

Update via Twitter message from PaleMoon:
"Despite this, we'll still be releasing a DiD patched update on Dec 2nd that fixes the crash at the root of this."

Update

To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.





    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...




    Monday, November 28, 2016

    Mozilla Firefox Version 50.0.1 Released with Critical Security Update


    Mozilla sent Firefox Version 50.0.1 to the release channel today.  The update includes one (1) critical security update affecting Firefox versions 49 and 50.  Firefox ESR is not affected.  Also included in the update is a bugfix.

    The next scheduled release is December 13, 2016 (5 week cycle with release for critical fixes as needed).

    Critical

    Fixed

    • Firefox crashes with 3rd party Chinese IME when using IME text

    Update

    To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.





      Tuesday, November 22, 2016

      Pale Moon Version 27.0.0 Released


      Pale Moon has been updated to Version 27.0.0. This is a major release, eight months in development.

      Update:  Version 27.0.1 was released to fix some of the issues that popped up with the new milestone.

      As explained in the Release Notes, Version 27 is a full upgrade of the back-end platform.  This means that many things work differently "under the hood".  As a result, you may run into a number of extension compatibility issues and may wish to run the v27 Compatibility Checking Tool.  Also note the "Removed/support features" in the Release Notes.

      Edit Note:   If you are having problems with the upgrade, see Some known issues when upgrading to Pale Moon 27.


      Details from the Release Notes:

      Security highlights:
      • All relevant security fixes up to and including Firefox 50 have been ported across from Mozilla to continue to provide an as secure as possible browser.
      • Several libraries have been updated to their latest versions to pick up any important vulnerability fixes.
      • There's a new option and control to determine whether to save zone information (marking files as "downloaded from the Internet") on downloaded files (Windows+NTFS). You can find this in Options.
      New and updated features:
      • Support for DirectX 11 and Direct2d 1.1 on Windows. This will bring Pale Moon more in line with the capabilities for current-day operating systems and graphics hardware.
      • Update of the Goanna engine to 3.0 - with many changes to layout and rendering for the modern web.
      • Pale Moon now fully supports HTTP/2.
      • Ruby Annotations are now an integral part of the HTML parser, controllable with CSS.
      • Media Source Extensions have been implemented to solve many video playback issues.
        This can be enabled/disabled and configured in Options. It's recommended at this time to not enable MSE for WebM since there are a few issues with it on services like YouTube (e.g. losing audio when looping/skipping).
      • Support for reading and playing so-called "fragmented" MP4 files has been added, further solving media playback issues.
      • Support for SSL/TLS connections to proxy servers.
      • Support for the WOFF2 font format for downloadable fonts.
      • The JavaScript engine has been updated with support for many landmark ECMAScript6 features (chief among them promises and generators). This will solve many of the web compatibility issues that people have started to run into in the past few months (e.g. webmail interfaces, some sites coming up blank because they are script-generated).
      • The way web content is cached has been changed to be more efficient. If you want to immediately take advantage of this, clear your cache.
      Minimum system Requirements (Windows):
      • Windows Vista/Windows 7/8/10/Server 2008 or later
      • Windows Platform Update (Vista/7) strongly recommended
      • A processor with SSE2 instruction support
      • 256 MB of free RAM (512 MB or more recommended)
      • At least 150 MB of free (uncompressed) disk space
      Pale Moon includes both 32- and 64-bit versions for Windows:

      Update

      To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.






      Tuesday, November 15, 2016

      Mozilla Firefox Version 50.0 Released With an Abundance of Security Updates


      Mozilla sent Firefox Version 50.0 to the release channel today.  The update includes a very large set of security fixes, comprising three (3) Critical, twelve (12) High, ten (10) Moderate and two (2) Low security updates.  Also included in the release are new, fixed and changed items.

      The next scheduled release is December 13, 2016 (5 week cycle with release for critical fixes as needed).

      Firefox ESR will continue to ship point releases on the same day that Firefox ships and can be downloaded from here. The ESR version was updated to 45.5.0.

      Security Fixes:



      Critical


      High


      Moderate

      Low

      Firefox Version 50 New, Fixed & Changed:

      New

      • Updates to keyboard shortcuts
        • Set a preference to have Ctrl+Tab cycle through tabs in recently used order
        • View a page in Reader Mode by using Ctrl+Alt+R (command+alt+r on Mac)
      • Added option to Find in page that allows users to limit search to whole words only
      • Added Guarani (gn) locale
      • Increased availability of WebGL to more than 98 percent of users on Windows 7 and newer
      • Added download protection for a large number of executable file types on Windows, Mac and Linux
      • Improved performance for SDK extensions or extensions using the SDK module loader
      • Playback video on more sites without plugins with WebM EME Support for Widevine on Windows and Mac

      Fixed

      • Fixed rendering of dashed and dotted borders with rounded corners (border-radius)

      Changed

      • Added a built-in Emoji set for operating systems without native Emoji fonts (Windows 8.0 and lower and Linux)
      • Blocked versions of libavcodec older than 54.35.1

        Update

        To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.





          Friday, November 11, 2016

          Lest We Forget

          Whether you call it Veteran's Day, Armistice Day or Remembrance Day, November 11th is a time to put aside politics and pay tribute to all who died for their country.  It is also a perfect time to thank the Veterans in whatever country you live in. 

          As in previous years, I am republishing my friend Canuk's last tribute and, once again, adding a special thank you to my friends "Phantom Phixer" and "Ghost".

          The comment Canuk posted provides one example of why he was a special person:
          "I too "will remember your friends who never had a full life", while thanking you and your comrades who have served with pride, honesty and honour.

          Despite anyone's thoughts of the current conflict in Iraq - opposition or agreement, we must always remember that these brave young men and women are fighting for a cause they also may or may not agree with. The huge difference between them and us is that they are putting their lives on the line 24/7 while we sit in our homes in comfort, using the freedom of speech previous warriors won for us, and for that they deserve our love, respect, and support."
          LEST WE FORGET




          We Shall Keep the Faith by Moina Michael, November 1918

          Oh! you who sleep in Flanders Fields,
          Sleep sweet - to rise anew!
          We caught the torch you threw
          And holding high, we keep the Faith
          With All who died.

          We cherish, too, the poppy red
          That grows on fields where valor led;
          It seems to signal to the skies
          That blood of heroes never dies,
          But lends a lustre to the red
          Of the flower that blooms above the dead
          In Flanders Fields.

          And now the Torch and Poppy Red
          We wear in honor of our dead.
          Fear not that ye have died for naught;
          We'll teach the lesson that ye wrought
          In Flanders Fields.

          Flags courtesy of 3DFlags.com









          Tuesday, November 08, 2016

          Microsoft Security Bulletin Release for November, 2016


          As this is the second Tuesday of the month, there will be one security monthly rollup for Windows 7 and 8.1 as well as Server 2008 and 2012.  The details of the updates included are listed below.

          Another change available this month is a preview of the new Security Updates Guide. Instead of publishing bulletins to describe related vulnerabilities, the "Security Updates Guide" includes the ability to view and search security vulnerability information in a single online database.  After the January 2017 Update Tuesday release, bulletins will be eliminated and the information will only be available from the new Security Updates Guide.

          The guide, described as a "portal" by the MSRC Team in Furthering our commitment to security updates, includes the following features:
          • Sort and filter security vulnerability and update content, for example, by CVE, KB number, product, or release date.
          • Filter out products that don’t apply to you, and drill down to more detailed security update information for products that do.
          • Leverage a new RESTful API to obtain Microsoft security update information. This eliminates the need for you to employ outdated methods like screen-scraping of security bulletin web pages to assemble working databases of necessary and actionable information.

          November Security Update Details:

          Microsoft released fourteen (14) bulletins.  Six (6) bulletins are identified as Critical and eight (8) are rated Moderate in severity.

          The updates address vulnerabilities in Microsoft Windows, Internet Explorer, Microsoft Edge, Microsoft Office, Microsoft Office Services and Web Apps, Microsoft SQL Server and Adobe Flash Player for Windows 8.1 and above. 

          Addressed in the updates are Remote Code Execution, Elevation of Privilege and Security Feature Bypass.

          Information about the update for Windows 10 is available at Windows 10 update history.

          Critical:
          • MS16-129 -- Cumulative Security Update for Microsoft Edge (3199057)
          • MS16-130 -- Security Update for Microsoft Windows (3199172)
          • MS16-131 -- Security Update for Microsoft Video Control (3199151)
          • MS16-132 -- Security Update for Microsoft Graphics Component (3199120)
          • MS16-141 -- Security Update for Adobe Flash Player (3202790)
          • MS16-142 -- Cumulative Security Update for Internet Explorer (3198467)


          Important:
          • MS16-133 -- Security Update for Microsoft Office (3199168)
          • MS16-134 -- Security Update for Common Log File System Driver (3193706)
          • MS16-135 -- Security Update for Windows Kernel-Mode Drivers (3199135)
          • MS16-136 -- Security Update for SQL Server (3199641)
          • MS16-137 -- Security Update for Windows Authentication Methods (3199173)
          • MS16-138 -- Security Update to Microsoft Virtual Hard Disk Driver (3199647)
          • MS16-139 -- Security Update for Windows Kernel (3199720)
          • MS16-140 -- Security Update for Boot Manager (3193479)

            Additional Update Notes

            • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows 10 Version 1511, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates.
            • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 
            • Windows 8.x and Windows 10 -- Non-security new features and improvements for Windows 8.1 and Windows 10 are included with the updates.
            • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.






              Adobe Flash Player and AIR Critical Security Updates Released


              Adobe has released Version 23.0.0.207 of Adobe Flash Player for Microsoft Windows, Macintosh and Chrome as well as Version 11.2.202.644 for Linux. 

              The updates resolve type confusion vulnerabilities that could lead to code execution as well as use-after-free vulnerabilities that could lead to code execution.

              Release date: November 8, 2016
              Vulnerability identifier: APSB16-37
              CVE number: CVE-2016-7857, CVE-2016-7858, CVE-2016-7859, CVE-2016-7860, CVE-2016-7861, CVE-2016-7862, CVE-2016-7863, CVE-2016-7864, CVE-2016-7865
              Platform: Windows, Macintosh, Linux and Chrome OS

              Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras. 

                Notes:
                • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
                • Uncheck any toolbar offered with Adobe products if not wanted.
                • If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
                • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.

                Verify Installation

                To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

                Do this for each browser installed on your computer.

                To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.
