Thursday, September 28, 2017

Mozilla Firefox Version 56.0 Released with Security Updates


Mozilla sent Firefox Version 56.0 to the release channel today. The update includes two (2) Critical, six (6) High, seven (7) Moderate and two (2) Low security updates. Firefox ESR was updated to version 52.4.0.

Important Notes:  
  1. Although version 56 is scheduled to "silently and forcibly auto-upgrade" users running the 32-bit version of Firefox on 64-bit computers with more than 2GB of RAM to the 64-bit version, it was not updated to the 64-bit version on my machine. 
  2.  Users of Lenovo's "OneKey Theater" software for IdeaPad laptops and users running Firefox for Windows over a Remote Desktop Connection (RDP) are advised to check the unresolved issues below.
  3. Version 56 makes Firefox Screenshots and Send Tabs available to all users.
  4. See the following regarding add-ons starting in Firefox 57:  Firefox add-on technology is modernizing 

Security Fixes:

Critical:
High:
Moderate:
Low:
New
  • Launched Firefox Screenshots, a feature that lets users take, save, and share screenshots without leaving the browser
  • Added support for address form autofill (en-US only)
  • Updated Preferences
    • Added search tool so users can find a specific setting quickly
    • Reorganized preferences so users can more easily scan settings
    • Rewrote descriptions so users can better understand choices and how they affect browsing
    • Revised data collection choices so they align with updated Privacy Notice and data collection strategy
  • Media opened in a background tab will not play until the tab is selected
  • Improved Send Tabs feature of Sync for iOS and Android, and Send Tabs can be discovered even by users without a Firefox Account

Changed

  • Replaced character encoding converters with a new Encoding Standard-compliant implementation written in Rust
  • Added hardware acceleration for AES-GCM
  • Updated the Safe Browsing protocol to version 4
  • Reduced update download file size by approximately 20 percent
  • Improved security for verifying update downloads

Unresolved

  • Startup crash with RelevantKnowledge adware installed. Firefox Support has helpful instructions to remove it.
  • Startup crashes with 64-bit Firefox on Windows 7, for users of Lenovo's "OneKey Theater" software for IdeaPad laptops. To fix this crash, please re-install 32-bit Firefox.
  • Users running Firefox for Windows over a Remote Desktop Connection (RDP) may find that audio playback is disabled due to increased security restrictions. Learn how to mitigate this issue until it is corrected in an upcoming release

Update:

To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Tuesday, September 26, 2017

Pale Moon Version 27.5.0 Released


Pale Moon has been updated to Version 27.5.0. This is a major release furthering the development of the browser.


The changes and fixes in this release are extensive and include user interface changes including a menu option to restart the browser, media improvements and much more.

Details from the Release Notes:

Changes/fixes:
  • User interface:
    • Added a menu option to restart the browser.
    • Added Windows-specific CSS parameters and queries for the use of the system accent color. Added are parameters -moz-win-accentcolor and -moz-win-accentcolortext, and the media query -moz-win-accentcolor-applies to know if Windows is actively using an accent color.
    • Changed Windows' browser CSS sheet to use variables instead of hard-coding colors, simplifying its style and making it more flexible. Further cleaned up the Windows 10 specific browser style.
    • Changed the theme on Windows 10 to use the new accent colors and improve O.S. consistency.
    • Fixed some general inconsistencies in the Windows theme on all Windows operating systems.
    • Updated Windows widgets to be able to pick up Windows 10 accent colors dynamically and have the browser's look and feel respond accordingly, even with automatic color changes based on desktop wallpaper.
    • Removed the experimental FF4 prerelease status-in-addressbar feature because the already-crowded address bar needs a break. This should solve some extension interop issues, theme issues and domain highlighting issues people have reported.
    • Cleaned up some dead code for the plugin updater that no longer exists.
    • Fixed a text direction issue in preferences.
    • Fixed an issue with disabled context menu entries after using Customize...
    • Reorganized and cleaned up the status preferences.
  • Media:
    • MSE Media updates (ongoing). We are focusing on improving MP4 handling.
    • Improved MP3 metadata parsing (e.g. incorrect duration with embedded album cover)
    • Fixed a number of searching issues in MP3 files
    • Fixed a few crashes.
  • Fixed an issue with automatically exporting bookmarks to HTML on shutdown.
  • Fixed a regression re: domains allowed to/blocked from installing add-ons.
  • Fixed several internal errors thrown in the front-end.
  • Fixed several minor issues in the devtools.
  • Added a fix to prevent the home page from being loaded (and subsequently overridden) when restoring a session.
  • Added an option to control add-on blocklist behavior (Options -> Security)
  • Added DOM function isSameNode().
  • Added DOM onvisibilitychange event.
  • Added document.scrollingelement (CSSOM).
  • Added a basic implementation of Object.values and Object.entries enumerator functions (ECMA2017 draft).
  • Added "Open in new private window" to bookmarks, feeds and history entries.
  • Added HTTP request method OPTIONS.
  • Added an option to exit to a no-content page after encountering a network or security error.
    This is controlled with the preference browser.escape_to_blank -- when set to true, "Get me out of here" buttons will load a blank page instead of the browser's home page.
  • Added experimental Brotli accept-encoding (alternative to gzip/deflate compressed http data transfer). Disabled by default for now because it causes issues.
  • Improved the handling of several CSS selectors.
  • Changed session storage to remember form data for https sites by default.
  • Added (yet another) trap prevention method to onbeforeunload events.
  • Fixed privacy preferences not correctly resetting all options when choosing "Remember History"
  • Fixed not being able to deselect loading bookmarks in the sidebar.
  • Limited the display of user names and hosts in the http auth dialog to sane lengths, preventing over-sizing issues.
  • Fixed a number of potential crash points.
  • Improved the security of the Windows dll loader module.
  • Reinstated "Open all in tabs" option on folders of live bookmarks (feeds).
  • Made URL matching more liberal in selected text to make it easier to open stated addresses.
  • Fixed an issue with Graphite font rendering where automatic font collision fixing didn't always work.
  • Color Management for images is now disabled by default on Linux, due to many distributions not having a streamlined setup with sane default ICC profiles, which makes images look worse when color management is enabled.
  • Tightened the update security check to prevent acceptance of update manifests that have been intercepted/replaced through https MitM attacks.
    Please be aware that https-filtering antivirus may interfere with future application updates as a result.
  • Updated the ANGLE library to broaden WebGL support and reduce the potential of crashes (due to junk being sent to the video driver).
  • Added content-sniffing for WebP images (working around CloudFront's incorrect content-type headers).
  • Fixed a problem with some H.264 media not playing (SPS NAL).
  • Improved timer efficiency (switch back to lower precision when high precision is no longer needed, reducing CPU/power consumption).
  • Improved context search on selected text/links.
  • Updated address bar handling with Alt or Shift modifiers, so that "switch to tab" with a modifier can open copies of already-opened sites.
  • Added a fix on Linux for starting the browser from Enlightenment.
  • Privacy fix: Pale Moon will now clear QuotaManager storage (asm.js cache/IndexedDB data) as part of clearing Offline Website Data.
Minimum system Requirements (Windows):
  • Windows Vista/Windows 7/8/10/Server 2008 or later
  • Windows Platform Update (Vista/7) strongly recommended
  • A processor with SSE2 instruction support
  • 256 MB of free RAM (512 MB or more recommended)
  • At least 150 MB of free (uncompressed) disk space
Pale Moon includes both 32- and 64-bit versions for Windows:

Update

To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.






Saturday, September 23, 2017

Oracle Java™ Platform, Standard Edition 9 Released



Oracle released Java™ Platform, Standard Edition 9, 64-bit only, for Windows 7, Windows 8x, Windows 10 as well as Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016 R and Windows Server 2016 R2.  The update includes security enhancements.

For browser support as well as Linux, Solaris and Mac OS X, see Oracle JDK 9 and JRE 9 Certified System Configurations Contents. Java Version 9 is not compatible with Windows XP or Windows Vista. 

Oracle does not plan to migrate desktops from Java 8 to Java 9 through the auto update feature.  Therefore, it is strongly recommended that you uninstall JRE 8 prior to updating.


    Download Information



    Notes:
    • UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.  Preferably, see the instructions below on how to handle "Unwanted Extras". 
    • Verify your version: http://www.java.com/en/download/testjava.jsp.

      Note: The Java version verification page will only work if your browser has NPAPI support. If it does not, open a cmd window and enter the following to check the version (note the space following java):  java -version

    Critical Patch Updates

    For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
    • 17 October 2017
    • 16 January 2018
    • 17 April 2018
    • 17 July 2018

    "Unwanted Extras"

    Although most people do not need Java on their computer, there are some programs and games that require Java. In the event you need to continue using Java, How-to Geek discovered a little-known and unpublicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates. Although the Ask Toolbar has been removed, that does not preclude the pre-checked option for some other unnecessary add-on.

    Do the following to suppress the sponsor offers:
    1. Launch the Windows Start menu
    2. Click on Programs
    3. Find the Java program listing
    4. Click Configure Java to launch the Java Control Panel
    5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
    6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.

    Java Security Recommendations

    1)  In the Java Control Panel, at minimum, set the security to high.
    2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

    3)  Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml
     




    Tuesday, September 12, 2017

    Microsoft Security Updates for September, 2017



    The September security release consists of 81 security updates for the following software, of which 26 are listed as Critical, 53 are rated Important, and two are Moderate in severity.
    • Internet Explorer
    • Microsoft Edge
    • Microsoft Windows
    • Microsoft Office and Microsoft Office Services and Web Apps
    • Adobe Flash Player
    • Skype for Business and Lync
    • .NET Framework
    • Microsoft Exchange Server
      The updates address Remote Code Execution, Spoofing, "Defense in Depth", Information Disclosure and Elevation of Privilege. "Defense-in-Depth" is a fix that does not apply to an actively exploitable vulnerability but prevents future vulnerabilities caused by the same code when surrounding code changes expose the problem.

      For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

      A few of the CVEs addressed by Microsoft this month that deserve some extra attention are discussed in Zero Day Initiative — The September 2017 Security Update Review by Dustin Childs.

        Additional Update Notes

        • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
        • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 
        • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.






          Adobe Flash Player Critical Security Updates


          Adobe has released Version 27.0.0.130 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

          These updates address vulnerabilities that could lead to remote code execution.

          Release date:  September 12, 2017
          Vulnerability identifier: APSB17-28
          CVE Numbers:   CVE-2017-11281, CVE-2017-3106
          Platform: Windows, Macintosh, Linux and Chrome OS

          Update:

          *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

            Verify Installation

            To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

            Do this for each browser installed on your computer.

            To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.
