Wednesday, August 30, 2017

Adobe Acrobat and Reader Security Bulletin APSB17-24 Updated

Adobe Security Bulletin APSB17-24 for Adobe Acrobat and Reader has been updated to include the availability of new updates as of August 29. 

From the blog post:
"The August 29 updates resolve a functional regression with XFA forms functionality that affected some users, as well as provide a resolution to security vulnerability CVE-2017-11223.  This CVE was originally addressed in the August 8 updates (versions 2017.012.20093, 2017.011.30059 and 2015.006.30352). Due to a functional regression in those releases, optional hotfixes [0,1,2] were offered to affected customers that temporarily reverted the fix for CVE-2017-11223. The August 29 releases resolve both the functional regression and provide a fix for CVE-2017-11223.
At this time, Adobe is not aware of exploits in the wild for CVE-2017-11223, or any of the other issues addressed in the August 8 or August 29 releases.
References:
[0] Hotfix for 2017.012.20093
[1] Hotfix for 2017.011.30059
[2] Hotfix for 2015.006.30352"
Version 11.0.22 is available; see the "11.0.22 Out of cycle update, August 22, 2017" entry in the Acrobat and Adobe Reader Release Notes.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Tuesday, August 22, 2017

Pale Moon Version 27.4.2 Released with Security Updates


Pale Moon version 27.4.2 has been released to address some security and stability issues. Details from the Release Notes:

Security fixes:
  • Updated NSPR to 4.15.
  • Updated NSS to 3.31.1.
  • Fixed a DoS issue using overly long Username in URL scheme (CVE-2017-7783)
  • Fixed an issue where (cross domain) iframes could break scope (CVE-2017-7787)
  • Fixed an issue in WindowsDllDetourPatcher (CVE-2017-7804)
  • Fixed an issue with elliptic curve addition in mixed Jacobian-affine coordinates (CVE-2017-7781)
  • Fixed a UAF in nsImageLoadingContent (CVE-2017-7784)
  • Fixed a UAF in WebSockets (CVE-2017-7800)
  • Fixed a heap-UAF in RelocateARIAOwnedIfNeeded (CVE-2017-7809) DiD* (accessibility is disabled)

*DiD stands for "Defense-in-Depth" and is a fix that does not apply to an actively exploitable vulnerability in Pale Moon but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.

Changes/fixes:
  • Fixed a number of crashes.
  • Enabled the opt-in debugging feature to log SSL keys to a file in all builds.
  • Added a fix for TLS 1.3 handshakes causing a browser hangup.
    Handshakes should be considerably faster now and no longer stall in the wrong circumstances.

Minimum System Requirements (Windows):
  • Windows Vista/Windows 7/8/10/Server 2008 or later
  • Windows Platform Update (Vista/7) strongly recommended
  • A processor with SSE2 instruction support
  • 256 MB of free RAM (512 MB or more recommended)
  • At least 150 MB of free (uncompressed) disk space
Pale Moon includes both 32- and 64-bit versions for Windows, Pale Moon Portable, Pale Moon for Linux and Pale Moon for Android.

Update

To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window. Select About Pale Moon > Check for Updates.

Tuesday, August 08, 2017

Microsoft Security Updates for August, 2017

The August security release consists of security updates for the following software:
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft SharePoint
  • Adobe Flash Player
  • Microsoft SQL Server

The updates address Remote Code Execution, Denial of Service, Information Disclosure and Elevation of Privilege vulnerabilities in 48 CVEs, of which 25 are Critical, 21 Important, and 2 Moderate in severity.

For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary. Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

For a list of the CVEs addressed in the August update requiring special attention, see The August 2017 Security Update Review by Dustin Childs.

Additional Update Notes

• Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
• MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.
• Windows 10 -- A summary of important product developments included in each update, with links to more details, is available at Windows 10 Update History. The page will be regularly refreshed as new updates are released.

Adobe Flash Player Critical Security Updates

Adobe has released Version 26.0.0.151 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

These updates address vulnerabilities that could lead to remote code execution, information disclosure and memory address disclosure.

Release date: August 8, 2017
Vulnerability identifier: APSB17-23
CVE Numbers: CVE-2017-3085, CVE-2017-3106
Platform: Windows, Macintosh, Linux and Chrome OS

Update:

*Important Note: Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive. If you use the download center, uncheck any unnecessary extras that you do not want. They are not needed for the Flash Player update.

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu.

Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

Adobe Reader and Acrobat Critical Security Updates

Adobe has released security updates for Adobe Reader and Acrobat XI for Windows. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

Release date: August 8, 2017
Vulnerability identifier: APSB17-24
Platform: Windows

Update or Complete Download

Update checks can be manually activated by choosing Help > Check for Updates.

Note: Uncheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.
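
The Flash Player "Verify Installation" section above and the update instructions in this post both describe checking an installed version by hand. The following Python script is an added example, not code from Adobe or from this blog, that performs the same comparison over an inventory of installed versions, using the fixed versions quoted on this page as thresholds: 2017.012.20093, 2017.011.30059 and 2015.006.30352 from the August 8 APSB17-24 release, 11.0.22 for Acrobat/Reader XI, and 26.0.0.151 for Flash Player (APSB17-23). The inventory records are constructed sample data, and the mapping from version prefix to release track is an assumption drawn from those version numbers. Versions are compared numerically component by component, which a plain string comparison gets wrong (11.0.9 would sort after 11.0.22).

```python
"""Patch-compliance check against the Adobe fixed versions quoted on this page.

Added example, not Adobe's or this blog's code. The release-track mapping
(version prefix -> track) is an assumption derived from the version numbers in
the bulletins; the inventory below is constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2017.012.20093' into (2017, 12, 20093).

    Tuples of ints compare numerically, so 11.0.22 > 11.0.9 as intended;
    comparing the raw strings would rank '11.0.9' above '11.0.22'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


# (track prefix, minimum fixed version, label) per product. Fixed versions are
# the ones quoted on this page; the prefix-to-track mapping is an assumption.
FIXED_VERSIONS: dict[str, list[tuple[str, str, str]]] = {
    "Acrobat/Reader": [
        ("2017.012", "2017.012.20093", "DC Continuous, APSB17-24 (Aug 8)"),
        ("2017.011", "2017.011.30059", "DC Classic 2017, APSB17-24 (Aug 8)"),
        ("2015.006", "2015.006.30352", "DC Classic 2015, APSB17-24 (Aug 8)"),
        ("11.0", "11.0.22", "XI, out-of-cycle update (Aug 22)"),
    ],
    "Flash Player": [
        ("26", "26.0.0.151", "APSB17-23 (Aug 8)"),
    ],
}


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    status: str  # patched | needs_update | unknown_track | bad_version
    detail: str


def find_track(product: str, installed: tuple[int, ...]) -> tuple[str, str] | None:
    """Return (fixed_version, label) for the track the installed version belongs to."""
    for prefix, fixed, label in FIXED_VERSIONS.get(product, []):
        prefix_parts = parse_version(prefix)
        if installed[: len(prefix_parts)] == prefix_parts:
            return fixed, label
    return None


def check_install(host: str, product: str, version: str) -> Finding:
    """Classify one installed product version against its track's fixed version."""
    try:
        installed = parse_version(version)
    except ValueError as exc:
        return Finding(host, product, version, "bad_version", str(exc))
    track = find_track(product, installed)
    if track is None:
        # No fixed version quoted on this page for that track: do not guess.
        return Finding(host, product, version, "unknown_track",
                       "no threshold on this page for this track; review manually")
    fixed, label = track
    if installed >= parse_version(fixed):
        return Finding(host, product, version, "patched", f"{label}: at or above {fixed}")
    return Finding(host, product, version, "needs_update", f"{label}: below {fixed}")


def audit(inventory: list[dict[str, str]]) -> list[Finding]:
    """Run check_install over inventory records shaped like SAMPLE_INVENTORY."""
    return [check_install(**record) for record in inventory]


# Constructed sample inventory (hostnames and versions are made up for the demo).
SAMPLE_INVENTORY = [
    {"host": "ws01", "product": "Acrobat/Reader", "version": "2017.012.20093"},
    {"host": "ws02", "product": "Acrobat/Reader", "version": "2017.011.30059"},
    {"host": "ws03", "product": "Acrobat/Reader", "version": "2015.006.30306"},
    {"host": "ws04", "product": "Acrobat/Reader", "version": "11.0.9"},
    {"host": "ws05", "product": "Flash Player", "version": "26.0.0.151"},
    {"host": "ws06", "product": "Flash Player", "version": "26.0.0.137"},
    {"host": "ws07", "product": "Acrobat/Reader", "version": "2017.009.20044"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(f"{finding.host:6} {finding.product:15} {finding.version:16} "
              f"{finding.status:13} {finding.detail}")
```

One caveat that the August 30 post above makes clear: a version comparison cannot tell whether one of the optional hotfixes that reverted the CVE-2017-11223 fix has been applied on top of an August 8 build, and the August 29 build numbers are not quoted on this page. Once those numbers are known, they belong in FIXED_VERSIONS in place of the August 8 values; an install that only reaches the August 8 threshold should be treated as needing review rather than as fully patched.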

Enable "Protected View"

Due to frequent vulnerabilities, it is recommended that Windows users of Adobe Reader and Acrobat ensure that Protected View is enabled. Neither the Protected Mode nor the Protected View option is available for Macintosh users.

To enable this setting, do the following:

• Open the Edit > Preferences > Security (Enhanced) menu.
• Change the "Off" setting to "All Files".
• Ensure the "Enable Enhanced Security" box is checked.

Adobe Protected View (image via Sophos Naked Security Blog)

Mozilla Firefox Version 55 Released With Significant Changes and Security Updates

Mozilla sent Firefox Version 55.0 to the release channel today. Firefox ESR was updated to version 52.3. There is no mention in the Release Notes of security updates.* However, there are major changes that will affect users:

1. Warning via ghacks.net: "Firefox 55.0 breaks compatibility with older versions of the browser and Firefox ESR. Users who want to downgrade are advised to back up their profiles prior to installing the update." See "Changed" below.
2. Important Note: Although 32-bit installations will upgrade with this version, the 64-bit version is now the default on 64-bit systems with 2GB RAM. Starting with version 56, Firefox will "silently and forcibly auto-upgrade" users running the 32-bit version of Firefox on 64-bit computers with more than 2GB of RAM to the 64-bit version. The next scheduled release is September 26, 2017 (5-week cycle, with releases for critical fixes as needed).
3. Adobe Flash Player is now click-to-activate.
4. Also, see the following regarding add-ons starting in Firefox 57: Firefox add-on technology is modernizing

*UPDATE: At the time of publishing the Release Notes, there was no indication of security fixes included. In the interim, however, the Release Notes have been updated and Version 55 includes five (5) critical, ten (10) high, seven (7) moderate and six (6) low security updates.

New

• Launched Windows support for WebVR, bringing immersive experiences to the web. See examples and try working demos at Mozilla VR.
• Added options that let users optimize recent performance improvements
  • Setting to enable Hardware VP9 acceleration on Windows 10 Anniversary Edition for better battery life and lower CPU usage while watching videos
  • Setting to modify the number of concurrent content processes for faster page loading and more responsive tab switching
• Simplified installation process with a streamlined Windows stub installer
  • Firefox for Windows 64-bit is now installed by default on 64-bit systems with at least 2GB of RAM
  • Full installers with advanced installation options are still available
• Improved address bar functionality
  • Search with any installed one-click search engine directly from the address bar
  • Search suggestions appear by default
  • When entering a hostname (like pinterest.com) in the URL bar, Firefox resolves to the secure version of the site (https://www.pinterest.com) instead of the insecure version (http://www.pinterest.com) when possible
• Updated Sidebar for bookmarks, history, and synced tabs so it can appear at the right edge of the window as well as the left
• Added support for stereo microphones with WebRTC
• Simplified printing from Reader Mode
• Updated Firefox for OSX and macOS to allow users to assign custom keyboard shortcuts to Firefox menu items via System Preferences
• Browsing sessions with a high number of tabs are now restored in an instant
• Make screenshots of webpages, and save them locally or upload them to the cloud. This feature will undergo A/B testing and will not be visible for some users.
• Added Belarusian (be) locale

Changed

• Modernized application update UI to be less intrusive and more aligned with the rest of the browser. Only users who have not restarted their browser 8 days after downloading an update, or users who opted out of automatic updates, will see this change.
• Firefox does not support downgrades, even though this may have worked in past versions. Users who install Firefox 55+ and later downgrade to an earlier version may experience issues with Firefox.
• Made the Adobe Flash plugin click-to-activate by default and allowed only on http:// and https:// URL schemes. (This change will not be visible to all users immediately. For more information see the Firefox plugin roadmap.)

Update:

To get the update now, select "Help" from the Firefox menu, then pick "About Firefox." Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.
