Friday, December 16, 2016

Pale Moon Version 27.0.3 Released with Security Updates


Pale Moon has been updated to Version 27.0.3.  The update addresses a number of bugs and regressions with the new milestone release as well as security updates.  Included in the updates are DiD* patches.
*DiD stands for "Defense-in-Depth" and is a fix that does not apply to an actively exploitable vulnerability in Pale Moon but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.
Details from the Release Notes:

Security and Crash fixes:
  • Fixed use-after-free while manipulating DOM events and removing audio elements (CVE-2016-9899).
  • Fixed CSP bypass using the marquee tag (CVE-2016-9895).
  • Fixed a vulnerability in the internal Jetpack modules (CVE-2016-9903). DiD
  • Fixed use-after-free in Editor while manipulating DOM subtrees (CVE-2016-9898).
  • Fixed an error in the buffer logic in http-chunked decoder.
  • Fixed a crash in generational GC code (not in use by default) DiD
  • Fixed a compartment mismatch bug in plug-in code
  • Fixed a crash trying to get a nonexistent property.
  • Improved MediaRecorder's observer safety.
  • Fixed a crash related to document history.
Changes/fixes:
  • Fixed certain network errors not displaying.
  • Fixed network error page styling.
  • Fixed the writing of DOM storage data to tabs (should solve the "tabs not loading their contents" issue when migrating a profile and some other situations).
  • Disabled downloadable font unicode-ranges on non-Windows platforms.
  • Added a Google Fonts user-agent override for non-Windows platforms so they don't send unicode-ranged composite fonts (Feature detection? Google apparently still doesn't know what that is).
  • Re-enabled the reporting of CSS errors to the console by default to prevent issues with some extensions who rely on this (e.g. Stylish).
  • Fixed and updated preferences for location bar suggestions.
  • Fixed several x64-specific issues in memory allocation code (regression fix).
  • Fixed timer issues when resuming a computer from stand-by (regression fix).
  • Fixed a number of branding and textual issues in the browser.
  • Fixed prompting for the saving of off-line data (previously always allowed without prompting).
  • Fixed a layout regression that would cause block elements following left floats to not wrap to the next line if there wasn't enough clearance.
  • Fixed a mismatch in Firefox extension compatibility-mode installation where Firefox extensions served by addons.mozilla.org would be marked incompatible when trying to install.
Minimum system Requirements (Windows):
  • Windows Vista/Windows 7/8/10/Server 2008 or later
  • Windows Platform Update (Vista/7) strongly recommended
  • A processor with SSE2 instruction support
  • 256 MB of free RAM (512 MB or more recommended)
  • At least 150 MB of free (uncompressed) disk space
Pale Moon includes both 32- and 64-bit versions for Windows:

      Update

      To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.




      Remember - "A day without laughter is a day wasted."
      May the wind sing to you and the sun rise in your heart...


      Tuesday, December 13, 2016

      Mozilla Firefox Version 50.1.0 Released with Critical Security Updates


      Mozilla sent Firefox Version 50.1.0 to the release channel today.  The update includes four (4) Critical, six (6) High and three (3) Moderate updates.  No additional changes are indicated in the release notes.  Firefox ESR was updated to version 45.6.0.

      The next scheduled release is January 23, 2017 (5 week cycle with release for critical fixes as needed).

      Security Fixes:


      Critical
      High

      Moderate

      Update

      To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.





        Microsoft Security Bulletin Release for December, 2016


        As this is the second Tuesday of the month, there will be one security monthly rollup for Windows 7 and 8.1 as well as Server 2008 and 2012.  The details of the updates included are listed below.

        Reminder:  After the January 2017 Update Tuesday release, bulletins will be eliminated and the information will only be available from the new Security Updates Guide which includes the ability to view and search security vulnerability information in a single online database. The guide is described as a "portal" by the MSRC Team in Furthering our commitment to security updates.

        December Security Update Details:

        Microsoft released twelve (12) bulletins.  Six (6) bulletins are identified as Critical and six (6) are rated Important in severity.

        The updates address vulnerabilities in Microsoft Windows, Internet Explorer, Microsoft Edge, Microsoft Office, Microsoft Office Services and Web Apps, .NET Framework and Adobe Flash Player for Windows 8.1 and above. 

        Addressed in the updates are Remote Code Execution, Elevation of Privilege and Information Disclosure.

        Information about the update for Windows 10 is available at Windows 10 update history with #KB3206632 for 1607, #KB3205386 for 1511 and #KB3205853 for RTM. 

        Critical:
        • MS16-144 -- Cumulative Security Update for Internet Explorer (3204059)
        • MS16-145 -- Cumulative Security Update for Microsoft Edge (3204062)
        • MS16-146 -- Security Update for Microsoft Graphics Component (3204066)
        • MS16-147 -- Security Update for Microsoft Uniscribe (3204063)
        • MS16-148 -- Security Update for Microsoft Office (3204068)
        • MS16-154 -- Security Update for Adobe Flash Player (3209498)
        Important:
        • MS16-149 -- Security Update for Microsoft Windows (3205655)
        • MS16-150 -- Security Update for Secure Kernel Mode (3205642)
        • MS16-151 -- Security Update for Windows Kernel-Mode Drivers (3205651)
        • MS16-152 -- Security Update for Windows Kernel (3199709)
        • MS16-153 -- Security Update for Common Log File System Driver (3207328)
        • MS16-155 -- Security Update for .NET Framework (3205640) 

          Additional Update Notes

          • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows 10 Version 1511, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
          • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 
          • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.






            Adobe Flash Player and AIR Critical Security Update Released


            Adobe has released Version 24.0.0.186 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

            These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.  Note in particular that an exploit for CVE-2016-7892 exists in the wild, and is being used in limited, targeted attacks against users running Internet Explorer (32-bit) on Windows.

            Release date: December 13, 2016
            Vulnerability identifier: APSB16-39
            CVE number: CVE-2016-7867, CVE-2016-7868, CVE-2016-7869, CVE-2016-7870, CVE-2016-7871, CVE-2016-7872, CVE-2016-7873, CVE-2016-7874, CVE-2016-7875, CVE-2016-7876, CVE-2016-7877, CVE-2016-7878, CVE-2016-7879, CVE-2016-7880, CVE-2016-7881, CVE-2016-7890, CVE-2016-7892
            Platform: Windows, Macintosh, Linux and Chrome OS

            Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras. 

              Notes:
              • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
              • Uncheck any toolbar offered with Adobe products if not wanted.
              • If you use alternate browsers, it is necessary to install both the update for Internet Explorer and the update for alternate browsers.
              • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.

              Verify Installation

              To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

              Do this for each browser installed on your computer.

              To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.









              Thursday, December 08, 2016

              Malwarebytes Version 3.0 Released


              Malwarebytes Version 3.0, announced as a public beta one month ago, has officially been released.

              Malwarebytes Premium subscribers will be pleased to learn that in addition to the anti-malware product, Version 3.0 of Malwarebytes also includes Malwarebytes Anti-Exploit and Malwarebytes Anti-Ransomware.  With that combination, new subscription purchases for Malwarebytes Premium will be $39.99 per computer per year, a savings of $9.91 and about 33% less than the average traditional antivirus license.

              Due to the layered defense built into Malwarebytes 3.0, Malwarebytes (MBAM) Premium subscribers have the option of keeping their traditional anti-virus software program or they can uninstall it and just run MBAM.  MBAM 3.0 is compatible with all major antivirus software, including Windows Defender and Microsoft Security Essentials. 

              Malwarebytes Anti-Malware users with a perpetual subscription are grandfathered, and users of the free versions need not worry: all three programs remain available as free stand-alone versions.

              A Few of the Changes and Improvements:

              • Although the new version retains the protective capabilities of Malwarebytes Anti-Malware v.2.x along with the efficacy of the web modules, Version 3.0 is a complete rewrite and re-architecting of the earlier Malwarebytes Anti-Malware v.2.x.
              • You'll notice a major improvement in scan time.  A threat scan on my Windows 10 Pro, Version 1607 with MBAM v2.x took 32 minutes, 45 seconds to scan 358,337 objects. On Windows 10 Pro Insider Preview Build 14971, it only took 21 minutes, 22 seconds to scan 434,652 objects.  That was ten minutes less for almost 100,000 more objects with MBAM v3.0!
              • Updates should be applied automatically according to the setting located on the Settings > Protection tab and should only alert you if there is an issue.
              • The Scan Schedule can be changed or additional scans scheduled from Scan Schedule.
              • The Reports section includes all Scan Reports and any Real-time Detection / Block events. IP blocks will be in the Reports area in the 'Website Blocked' report. Malware files blocked will be in the Reports area entitled 'Malware Blocked'.  The Protection Logs, which merely provided a list of the application and event actions for the day, have been removed.  Thus, only Scan and Block reports are included in the Reports section.

              System Requirements:  Malwarebytes Version 3.0 is supported on all versions from Windows XP to the latest Windows 10.  Note, however, that the Anti-Ransomware technology is only enabled on Windows 7 or higher.

              Update:

              Malwarebytes 3.0 can be installed over the top of your existing Malwarebytes programs.  If you do not want to wait for the upgrade to be offered, you can download and run the installer from https://www.malwarebytes.com/.  Malwarebytes 3.0 will automatically remove the old Anti-Malware, Anti-Exploit and Anti-Ransomware and upgrade them all to Malwarebytes 3.0.


              Friday, December 02, 2016

              Pale Moon Version 27.0.2 Released as DiD


              Pale Moon has been updated to Version 27.0.2, released as a DiD* patched update that fixes the crash at the root of CVE-2016-9079.  The update also includes usability fixes.
              *DiD stands for "Defense-in-Depth" and is a fix that does not apply to an actively exploitable vulnerability in Pale Moon but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.
              Details from the Release Notes:


              Security fix:
              • Fixed a crash in SVG, related to CVE-2016-9079, as a defense-in-depth measure.
              Usability Fixes:
              • Enabled Firefox Compatibility mode by default for the useragent string.
                Unfortunately too many websites (and especially the big players who should know better like Google, Apple and Microsoft) still require the "we must pretend to be Firefox if we want this site to work" status quo to be maintained, because people still insist on using useragent sniffing to determine "browser features", or even worse, discriminate against free choice of browser by flat-out refusing service (I'm looking at you, banking industry and cloud services!) when visiting websites just because companies don't want to provide assistance to any but users on the main 3.
                HTML offers plenty of ways to do proper feature detection; site owners should use them.
                Seriously people, it was a bad idea 20 years ago, and it's a worse idea in 2016.
              • The built-in devtools are back, and with a facelift!
                Thanks to some consistent community help, the built-in devtools, sorely missed by a number of our users, are back. They've received a code and style update and should be fully functional on the new platform. This was originally planned for 27.1, but it was decided to include this as soon as possible, not in the least to assist extension developers in their efforts to adapt to Pale Moon 27.
              Minimum system Requirements (Windows):
              • Windows Vista/Windows 7/8/10/Server 2008 or later
              • Windows Platform Update (Vista/7) strongly recommended
              • A processor with SSE2 instruction support
              • 256 MB of free RAM (512 MB or more recommended)
              • At least 150 MB of free (uncompressed) disk space
              Pale Moon includes both 32- and 64-bit versions for Windows:

                  Update

                  To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.



