Wednesday, April 18, 2018

Oracle Java SE Critical Security Update


Oracle released the scheduled critical security updates for its Java SE Runtime Environment software.  The Critical Patch Update contains 14 new security fixes for Oracle Java SE.  Twelve (12) of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

Update

If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

Download Information

Java SE 8u171 / 8u172
http://www.oracle.com/technetwork/java/javase/8u171-relnotes-4308888.html
http://www.oracle.com/technetwork/java/javase/8u172-relnotes-4308893.html
http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html

Java SE 10.0.1  (x64-bit only)
http://www.oracle.com/technetwork/java/javase/10-0-1-relnotes-4308875.html
http://www.oracle.com/technetwork/java/javase/downloads/jre10-downloads-4417026.html
Notes:
  • UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.  Preferably, see the instructions below on how to handle "Unwanted Extras".  
  • Oracle does not plan to migrate desktops from Java 8 to Java 9 through the auto update feature.  Therefore, it is strongly recommended that you uninstall JRE 8 prior to updating.
  • Verify your version at http://www.java.com/en/download/testjava.jsp   Note:  The Java version verification page will only work if your browser has NPAPI support.  If it does not, to check the version, open a cmd window and enter the following (note the space following Java):  java -version
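
The command-line check from the last note, as an added example (not code from Oracle or from the original post): it parses `java -version` output in both the legacy `1.8.0_171` form and the newer `10.0.1` form and compares it with the patched releases listed above. The function names and the sample outputs are constructed for illustration.

```python
import re
import subprocess

# Patched baselines taken from this post: Java SE 8u171 and Java SE 10.0.1.
# Key = major release line, value = (major, minor, update/security).
PATCHED_BASELINES = {
    8: (8, 0, 171),
    10: (10, 0, 1),
}

_VERSION_LINE = re.compile(r'^(?:java|openjdk) version "([^"]+)"', re.MULTILINE)

# Constructed sample outputs (not captured from a real machine).
SAMPLE_8_OLD = '''java version "1.8.0_161"
Java(TM) SE Runtime Environment (build 1.8.0_161-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.161-b12, mixed mode)
'''
SAMPLE_8_PATCHED = 'java version "1.8.0_172"\n'
SAMPLE_10 = '''java version "10.0.1" 2018-04-17
Java(TM) SE Runtime Environment 18.3 (build 10.0.1+10)
'''


def parse_java_version(output):
    """Return (major, minor, update) from `java -version` output, or None."""
    match = _VERSION_LINE.search(output)
    if not match:
        return None
    # Drop pre-release/build suffixes such as "-ea" or "+10".
    raw = re.split(r"[-+]", match.group(1), maxsplit=1)[0]
    if raw.startswith("1."):
        # Legacy scheme used through Java 8: 1.<major>.<minor>_<update>
        legacy = re.fullmatch(r"1\.(\d+)\.(\d+)(?:_(\d+))?", raw)
        if not legacy:
            return None
        major, minor, update = legacy.groups()
        return (int(major), int(minor), int(update or 0))
    # Scheme used from Java 9 on: <major>[.<minor>[.<security>]]
    parts = raw.split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts[:3]]
    nums += [0] * (3 - len(nums))
    return tuple(nums)


def assess(output):
    """Classify `java -version` output against the baselines in this post."""
    version = parse_java_version(output)
    if version is None:
        return "unknown"
    baseline = PATCHED_BASELINES.get(version[0])
    if baseline is None:
        # Release line for which this post lists no update.
        return "not-listed"
    return "patched" if version >= baseline else "outdated"


def check_local_java():
    """Run `java -version` on this machine; the banner is written to stderr."""
    try:
        result = subprocess.run(["java", "-version"],
                                capture_output=True, text=True)
    except FileNotFoundError:
        return "not-installed"
    return assess(result.stderr or result.stdout)


if __name__ == "__main__":
    for name, sample in [("8u161", SAMPLE_8_OLD),
                         ("8u172", SAMPLE_8_PATCHED),
                         ("10.0.1", SAMPLE_10)]:
        print(name, "->", assess(sample))
    print("this machine ->", check_local_java())
```
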

Critical Patch Updates

For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
  • 17 July 2018
  • 16 October 2018
  • 15 January 2019
  • 16 April 2019

Unwanted "Extras"

Although most people do not need Java on their computer, there are some programs and games that require Java.  In the event you need to continue using Java, How-to Geek discovered a little-known and unpublicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates.  Although the Ask Toolbar has been removed, that does not preclude the pre-checked option for some other unnecessary add-on.

Do the following to suppress the sponsor offers:
  1. Launch the Windows Start menu
  2. Click on Programs
  3. Find the Java program listing
  4. Click Configure Java to launch the Java Control Panel
  5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
  6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.

Java Security Recommendations

1)  In the Java Control Panel, at minimum, set the security to high.
2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

3)  Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml





Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...




Tuesday, April 17, 2018

Pale Moon Version 27.9.0 Released


Pale Moon has been updated to version 27.9.0. 

Note:  This is the last major development update for the v27 milestone (codenamed "Tycho").  After this, the focus will be for new features entirely on UXP and the new v28 milestone building on it. Version 27.9 will continue to be supported with security and stability updates for a while, but no major new features will be added from this point forward.

From the Release Notes:

Changes/fixes:

  • Fixed a number of spec compliance issues in our media subsystem.
  • Added a trailing slash to referrers when policy is set to fix some web compatibility issues.
  • Fixed the property order in Object.getOwnPropertyNames(string) and others for web compatibility.
  • Updated RegExp(RegExp object, flags) to the ES6 standard specification.
  • Changed the embedded font from the no longer free EmojiOne to the open-licensed Twemoji (with additional fixes). This also further extends unicode support to Unicode 10 emoji(s). Please note that as a result, color emoji(s) will look different than before.
  • Adjusted some things in our memory allocator code to provide, among other things, better allocation alignment on Windows.
  • Made the attempt to migrate people from the old sync server domain name to the current one more aggressive. We will be retiring the old pmsync.palemoon.net Sync server address shortly to remove the need for us to maintain a security certificate for it; this preference migration should automatically put everyone on the correct server address (pmsync.palemoon.org) when upgrading.
  • Made reading of the sessionstore synchronous, to speed up startup and prevent the homepage from being loaded when restoring a session.
  • Added a fix to switch to the correct window/tab when a web notification is clicked.
  • Changed the placeholder text to not include "Search" when all search functions from the address bar are disabled.
  • Enabled the use of Skia for canvas on Linux and OSX.
  • Worked around a potential cause for some non-standard bitmapped fonts ending up with incorrect line heights (I'm looking at you, Noto fonts!).
  • Added a workaround for incorrectly-encoded JPEG-XR images with planar alpha. Ultimately, the jxrlib reference implementation should be fixed to encode according to spec.
  • Aligned XCTO:nosniff allowed script MIME types with the updated spec.
  • Improved the logic for storing vector images in the surface cache.
  • Fixed character set handling for XMLHttpRequests.
       Minimum system Requirements (Windows):
      • Windows Vista/Windows 7/8/10/Server 2008 or later
      • Windows Platform Update (Vista/7) strongly recommended
      • A processor with SSE2 instruction support
      • 256 MB of free RAM (512 MB or more recommended)
      • At least 150 MB of free (uncompressed) disk space
      Pale Moon includes both 32- and 64-bit versions for Windows:

      Update

      To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.






      Tuesday, April 10, 2018

      Microsoft Security Updates, April 2018



      The April security release consists of 67 CVEs, of which 24 are listed as Critical, 42 are rated Important and 1 is rated Moderate in severity. One is listed as being publicly known and none are listed as being under active attack.  

      The updates address Remote Code Execution, Information Disclosure, Denial of Service and Security Feature Bypass.  The release consists of security updates for the following software:
      • Internet Explorer
      • Microsoft Edge
      • Microsoft Windows
      • Microsoft Office and Microsoft Office Services and Web Apps
      • ChakraCore
      • Adobe Flash Player
      • Microsoft Malware Protection Engine
      • Microsoft Visual Studio
      • Microsoft Azure IoT SDK

      Known Issues: 4093112, 4093118, 4093108

      Note:  KB4100375 (OS Build 17133.73) has been released to Windows Insiders running Build 17133 in the Fast, Slow, and Release Preview rings. This update includes the following quality improvements (no new OS features):
      • Addresses a PDF security issue in Microsoft Edge.
      • Addresses an issue that, in some instances, prevents Internet Explorer from identifying custom controls.
      • Security updates to Internet Explorer, Microsoft Edge, Microsoft scripting engine, Windows kernel, Microsoft graphics component, Windows Server, Windows cryptography, and Windows datacenter networking.

      As usual, Dustin Childs has provided a closer look at some of the patches for this month in the Zero Day Initiative — The April 2018 Security Update Review.

      More:  For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

      Additional Update Notes

      • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
      • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.  Note:  Users who are paranoid about the remote possibility of a FP can opt to run this tool from a Command Prompt, appending a   /N   parameter [for "detect only" mode].
      • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.






      Adobe Flash Player Security Update Released


      Adobe has released Version 29.0.0.140 of Adobe Flash Player.  These updates address critical vulnerabilities that could lead to remote code execution affecting version 29.0.0.113 and earlier.  Successful exploitation could lead to arbitrary code execution in the context of the current user.

      Release date:  April 10, 2018
      Vulnerability identifier: APSB18-08
      Platform:  Windows, Macintosh, Linux and Chrome OS

      Fixed Issues

      • [Mac]RTMPS Error NetConnection.Connect.CertificatePrincipalMismatch (FP-4198784)
      • [Edge] FP settings panel 'close' button stops responding on zoom.
      • Multiple security and functional fixes

      Update:

      *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

        Verify Installation

        To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

        Do this for each browser installed on your computer.

        To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.










        Sunday, April 01, 2018

        Happy Easter! "Khrystos Voskres!"



        "Khrystos Voskres!"

        (Christ is Risen!)






        "Voistyno Voskres!"

        (He is Truly Risen!)








        Monday, March 26, 2018

        Mozilla Firefox Version 59.0.2 Released with Security Update


        Mozilla sent Firefox Version 59.0.2 to the release channel today.  The update has one security update identified as high and numerous fixes.

        ESR has been updated to version 52.7.3.

        Security Fixes

        Fixed

        • Invalid page rendering with hardware acceleration enabled (Bug 1435472)
        • Windows 7 users with touch screens or certain 3rd party desktop applications which interact with Firefox through accessibility services may experience random browser crashes. Known 3rd party applications with issues: StickyPassword, Windows 7 touch screen. (Bug 1424505)
        • Browser keyboard shortcuts (eg copy Ctrl+C) don't work on sites that use those keys with resistFingerprinting enabled (Bug 1433592)
        • High CPU / memory churn caused by third-party software on some computers (Bug 1446280)
        • Users who have configured an "automatic proxy configuration URL" and want to reload their proxy settings from the URL will find the Reload button disabled in the Connection Settings dialog when they select Preferences/Options > Network Proxy > Settings... (Bug 1445991)
        • URL Fragment Identifiers Break Service Worker Responses (Bug 1443850)
        • Users trying to cancel a print around the time it completes will continue to get intermittent crashes (Bug 1441598)
        • Broken getUserMedia (audio) on DragonFly, FreeBSD, NetBSD, OpenBSD. Video chat apps either wouldn't work or be always muted (Bug 1444074)

        Update:
        To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


        Thursday, March 22, 2018

        Pale Moon Version 27.8.2 Released with Security Updates


        Pale Moon has been updated to version 27.8.2.  This is a security update which includes DiD* fixes.  Details from the Release Notes:

        Changes/fixes:
        • Privacy fix: prevented update checks for the default theme.
        • Added a user-agent override for Dropbox to improve compatibility with their service.
        • Fixed an issue with mouseover handling related to (CVE-2018-5103). DiD
        • Disabled the Mac OSX Nano allocator. DiD
        • Fixed (CVE-2018-5129) OOB Write.
        • Updated the lz4 library to 1.8.0 to solve potential issues. DiD
        • Fixed (CVE-2018-5137) Path traversal on chrome:// URLs
        • Fixed several memory safety and synchronicity hazards.

        * DiD means that the fix is "Defense-in-Depth": it is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

             Minimum system Requirements (Windows):
            • Windows Vista/Windows 7/8/10/Server 2008 or later
            • Windows Platform Update (Vista/7) strongly recommended
            • A processor with SSE2 instruction support
            • 256 MB of free RAM (512 MB or more recommended)
            • At least 150 MB of free (uncompressed) disk space
            Pale Moon includes both 32- and 64-bit versions for Windows:

            Update

            To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.






            Friday, March 16, 2018

            Mozilla Firefox Version 59.0.1 Released with Critical Security Update


            Mozilla sent Firefox Version 59.0.1 to the release channel today.  The update addresses a critical security vulnerability uncovered by Richard Zhu via Trend Micro's Zero Day Initiative, Pwn2Own 2018.

            ESR has been updated to version 52.7.2.

            Security Fixes

            Unresolved


            Update:
            To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


            Tuesday, March 13, 2018

            Microsoft March, 2018, Security Updates



            The March security release consists of 75 CVEs, of which 14 are listed as Critical, and 61 are rated Important in severity. Two are listed as being publicly known but none are listed as being under active attack.  In particular, note CVE-2018-0886, CVE-2018-0940 and CVE-2018-0868 discussed in this month's Zero Day Initiative — The March 2018 Security Update Review by Dustin Childs.

            The updates address Remote Code Execution, Elevation of Privilege, Denial of Service, Information Disclosure and Security Feature Bypass.

            The release consists of security updates for the following software:

            • Internet Explorer
            • Microsoft Edge
            • Microsoft Windows
            • Microsoft Office and Microsoft Office Services and Web Apps
            • Microsoft Exchange Server
            • ASP.NET Core
            • .NET Core
            • PowerShell Core
            • ChakraCore
            • Adobe Flash
            Known Issues: 4088787, 4088782, 4088776, 4088786, 4088779, 4088876, 4088879, 4088875 and 4088878.

            More:  For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

            Additional Update Notes

            • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
            • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.  Note:  Users who are paranoid about the remote possibility of a FP can opt to run this tool from a Command Prompt, appending a   /N   parameter [for "detect only" mode].
            • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.






            Mozilla Firefox Version 59 Released


            Mozilla sent Firefox Version 59.0 to the release channel today.  The update addresses a number of bugs as well as security fixes for both Firefox and Firefox ESR.

            ESR has been updated to version 52.7.0.

            Security Fixes


             New
            • Performance enhancements:
              - Faster load times for content on the Firefox Home page
              - Faster page load times by loading either from the networked cache or the cache on the user’s hard drive (Race Cache With Network)
              - Improved graphics rendering using Off-Main-Thread Painting (OMTP) for Mac users (OMTP for Windows and Linux was released in Firefox 58)
            • Drag-and-drop to rearrange Top Sites on the Firefox Home page, and customize new windows and tabs in other ways
            • Added features for Firefox Screenshots:
              - Basic annotation lets the user draw on and highlight saved screenshots
              - Recropping to change the viewable area of saved screenshots
            • Enhanced WebExtensions API including better support for decentralized protocols and the ability to dynamically register content scripts
            • Improved Real-Time Communications (RTC) capabilities.
              - Implemented RTP Transceiver to give pages more fine grained control over calls
              - Implemented features to support large scale conferences
            • Added support for W3C specs for pointer events and improved platform integration with added device support for mouse, pen, and touch screen pointer input
            • Added the Ecosia search engine as an option for German Firefox
            • Added the Qwant search engine as an option for French Firefox
            • Added settings in about:preferences to stop websites from asking to send notifications or access your device’s camera, microphone, and location, while still allowing trusted websites to use these features

            Fixed

            Changed

            • Firefox Private Browsing Mode will remove path information from referrers to prevent cross-site tracking

            Unresolved

            Update:
            To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


            Adobe Flash Player Critical Security Update


            Adobe has released Version 29.0.0.113 of Adobe Flash Player.  These updates address critical vulnerabilities that could lead to remote code execution affecting version 28.0.0.161 and earlier.  Successful exploitation could potentially allow an attacker to take control of the affected system.  The update addresses CVE-2018-4919 and CVE-2018-4920, both critical vulnerabilities.

            Release date:  March 13, 2018
            Vulnerability identifier: APSB18-05
            Platform:  Windows, Macintosh, Linux and Chrome OS

            Update:

            *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

              Verify Installation

              To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

              Do this for each browser installed on your computer.

              To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.










              Tuesday, March 06, 2018

              Update: Pale Moon Version 27.8.1 Released


              Update:  Pale Moon has been updated to version 27.8.1 to address some breaking issues.
               
              Changes/fixes:

              • Backed out the NSPR/NSS update from 27.8.0 for causing crashes, general operational instability and handshake issues.
              • Disabled TLS 1.3 draft support by default, because with the NSS backout we only support an older draft right now that is no longer current and may cause connectivity issues. You can manually re-enable it at your own risk in about:config by setting security.tls.version.max to 4.


              Pale Moon has been updated to Version 27.8.0. This is a development update with new and improved features and bugfixes.

              Linux versions will follow shortly.  Details from the Release Notes:

              Changes/fixes:
              • Added support for emojis on Windows systems that have relatively poor support for them with standard font sets by including our own font (EmojiOne based for now).
              • Added a setting in preferences to select the use of tab previews with Ctrl+Tab.
              • Added Eyedropper menu entry to the AppMenu.
              • Added a preference to control whether the text cursor (caret) should be thicker when dealing with CJK characters or not (default = yes).
              • Added URL fix-ups for schemes (mis-typed "ttp://" etc.).
              • Added support for ES6 "Symbol species".
              • Updated our TLS 1.3 support to the latest (probably final) draft.
              • Fixed gap inconsistency in the tabstrip.
              • Fixed a number of browser crashes.
              • Fixed a crash with the exponentiation operator "**"
              • Set the performance timer granularity to 1 ms.
              • Updated the kiss-fft library to our forked 1.4.0 version.
              • Disabled a potentially problematic optimization on Win 8+ with high contrast themes in use.
              • Removed the notification bar when in full screen to prevent unwanted visible screen elements.
              • Removed unmaintained and insecure WebRTC code - building with WebRTC enabled is no longer an option.
              • Removed redundant checks for "Vista or later" since that is all we support.
              • Added display of the http status to raw request displays.
              • Added a workaround for cloned videos not retaining their muted state.
              • Added a temporary workaround to avoid crashes on trackless media.
              • Removed some superfluous ellipses from menu labels.
              • Fixed undesired shrinking of line heights as a result of setting minimum font size in preferences.
              • Fixed some issues with setting the new tab preference (regression).

                   Minimum system Requirements (Windows):
                  • Windows Vista/Windows 7/8/10/Server 2008 or later
                  • Windows Platform Update (Vista/7) strongly recommended
                  • A processor with SSE2 instruction support
                  • 256 MB of free RAM (512 MB or more recommended)
                  • At least 150 MB of free (uncompressed) disk space
                  Pale Moon includes both 32- and 64-bit versions for Windows:

                  Update

                  To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.






                  Tuesday, February 13, 2018

                  Microsoft February Security Updates



                  The February security release consists of 50 CVEs, of which 14 are listed as Critical, 34 are rated Important, and 2 are rated Moderate in severity. The updates address Remote Code Execution, Elevation of Privilege, Information Disclosure and Security Feature Bypass.

                  The release consists of security updates for the following software:

                  • Internet Explorer
                  • Microsoft Edge
                  • Microsoft Windows
                  • Microsoft Office and Microsoft Office Services and Web Apps
                  • ChakraCore
                  • Adobe Flash


                  More:  For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

                  Also see this month's Zero Day Initiative — The February 2018 Security Update Review by Dustin Childs, in which he discusses several of the patches and includes a breakdown of the CVEs addressed in the update.

                  Additional Update Notes

                  • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
                  • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.  Note:  Users who are paranoid about the remote possibility of a FP can opt to run this tool from a Command Prompt, appending a   /N   parameter [for "detect only" mode].
                  • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.






                  Adobe Reader and Acrobat Critical Security Updates


                  Adobe has released security updates for Adobe Reader DC and Adobe Acrobat DC for Windows and Macintosh.  These updates are rated as four (4) critical and one (1) important, addressing the CVEs from the vulnerability details listed below.

                  Release date:  February 13, 2018
                  Vulnerability identifier: APSB18-02
                  Platform: Windows and Macintosh

                  Vulnerability Category | Vulnerability Impact | Severity | CVE Number
                  Security Mitigation Bypass | Privilege Escalation | Critical | CVE-2018-4872
                  Heap Overflow | Arbitrary Code Execution | Critical | CVE-2018-4890, CVE-2018-4904, CVE-2018-4910, CVE-2018-4917
                  Use-after-free | Arbitrary Code Execution | Critical | CVE-2018-4888, CVE-2018-4892, CVE-2018-4902, CVE-2018-4911, CVE-2018-4913
                  Out-of-bounds write | Arbitrary Code Execution | Critical | CVE-2018-4879, CVE-2018-4895, CVE-2018-4898, CVE-2018-4901, CVE-2018-4915, CVE-2018-4916, CVE-2018-4918
                  Out-of-bounds read | Remote Code Execution | Important | CVE-2018-4880, CVE-2018-4881, CVE-2018-4882, CVE-2018-4883, CVE-2018-4884, CVE-2018-4885, CVE-2018-4886, CVE-2018-4887, CVE-2018-4889, CVE-2018-4891, CVE-2018-4893, CVE-2018-4894, CVE-2018-4896, CVE-2018-4897, CVE-2018-4899, CVE-2018-4900, CVE-2018-4903, CVE-2018-4905, CVE-2018-4906, CVE-2018-4907, CVE-2018-4908, CVE-2018-4909, CVE-2018-4912, CVE-2018-4914

                  Update or Complete Download

                  Update checks can be manually activated by choosing Help > Check for Updates.  Reader DC was updated to 18.011.20036 and Acrobat DC to 18.011.20035.
                  Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.









                  Wednesday, February 07, 2018

                  Mozilla Firefox Version 58.0.2 Released


                  Mozilla sent Firefox Version 58.0.2 to the release channel today.  The update addresses a number of bugs.

                  ESR remains at version 52.6.0.

                  Fixed


                  • Avoid a signature validation issue during update on macOS
                  • Blocklisted graphics drivers related to off main thread painting crashes
                  • Tab crash during printing
                  • Fix clicking links and scrolling emails on Microsoft Hotmail and Outlook (OWA) webmail

                  Unresolved

                  • Users running Firefox for Windows over a Remote Desktop Connection (RDP) may find that audio playback is disabled due to increased security restrictions.
                  • Users running certain screen readers may experience performance issues and are advised to use Firefox ESR until performance issues are resolved in an upcoming future release.
                  Update:
                  To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


                  Tuesday, February 06, 2018

                  Adobe Flash Player Critical Security Update Released


                  Adobe has released Version 28.0.0.161 of Adobe Flash Player.  These updates address critical vulnerabilities that could lead to remote code execution in Adobe Flash Player 28.0.0.137 and earlier versions.  Successful exploitation could potentially allow an attacker to take control of the affected system. 

                  In particular, the update addresses CVE-2018-4878, for which an exploit exists in the wild and is being used in limited, targeted attacks against Windows users.  These attacks leverage Office documents with embedded malicious Flash content distributed via email. Also included in the update are functional fixes.

                  Release date:  February 6, 2018
                  Vulnerability identifier: APSB18-03
                  Platform:  Windows, Macintosh, Linux and Chrome OS

                  Update:

                  *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

                    Verify Installation

                    To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

                    Do this for each browser installed on your computer.

                    To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.










                    Thursday, February 01, 2018

                    Pale Moon Version 27.7.2 Released


                    Pale Moon has been updated to Version 27.7.2. This is a security and stability update.

                    Linux versions will follow shortly.  Details from the Release Notes:

                    Changes/fixes:
                    • Changed the X-Content-Type-Options: nosniff behavior to only check "success" class server responses, for web compatibility reasons.
                    • Changed the performance timer resolution once more to a granularity of 1 ms, after evaluating more potential ways of abusing Spectre.
                      This takes the most cautious approach possible lacking more information (because apparently NDAs have been signed over this between mainstream players), follows Safari's lead, and should make it not just infeasible but downright impossible to use these timers for nefarious purposes in this context.
                    • Improved the debug-only startup cache wrapper to prevent a rare crash.
                    • Fixed a crash in the XML parser.
                    • Added a check for integer overflow in AesTask::DoCrypto() (CVE-2018-5122) DiD
                    • Fixed a potential race condition in the browser cache.
                    • Fixed a crash in HTML media elements (CVE-2018-5102)
                    • Fixed a crash in XHR using workers.
                    • Fixed a crash with some uncommon FTP operations.
                    • Fixed a potential race condition in the JAR library.
                    *DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered. 
                        Minimum System Requirements (Windows):
                        • Windows Vista/Windows 7/8/10/Server 2008 or later
                        • Windows Platform Update (Vista/7) strongly recommended
                        • A processor with SSE2 instruction support
                        • 256 MB of free RAM (512 MB or more recommended)
                        • At least 150 MB of free (uncompressed) disk space
                        Pale Moon includes both 32- and 64-bit versions for Windows:

                        Update

                        To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.






                        Monday, January 29, 2018

                        Mozilla Firefox Version 58.0.1 Released with Critical Security Update


                        Mozilla sent Firefox Version 58.0.1 to the release channel today.  The critical security update was issued to fix Bug 1433065 which resulted in Firefox 58 not loading any pages (including about: pages) when using certain non-default security policies on Windows (for example with Windows Defender Exploit Protection or Webroot security products).

                        ESR was not affected by this bug.

                        Security Update

                        Critical

                        Unresolved

                        • Users running Firefox for Windows over a Remote Desktop Connection (RDP) may find that audio playback is disabled due to increased security restrictions.
                        • Users running certain screen readers may experience performance issues and are advised to use Firefox ESR until performance issues are resolved in an upcoming future release.
                        Update:
                        To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


                        Microsoft Security Update Release




                        Microsoft has issued an out-of-band Windows update that disables patches for the Spectre Variant 2 bug (CVE-2017-5715). The update is only needed if you installed the Intel BIOS/firmware update from the OEM and you are experiencing reboot issues.

                        The update applies to Windows 7 Service Pack 1, Windows 8.1, Windows 10, Windows 10 Version 1511, Windows 10 Version 1607, Windows 10 Version 1703, Windows 10 Version 1709, Windows Server 2008 R2 Standard, and Windows Server 2012 R2 Standard.

                        For those who need it, KB4078130 is only available from the Microsoft Update Catalog.






                        Tuesday, January 23, 2018

                        Firefox Version 58.0 Released with Security Updates


                        Mozilla sent Firefox Version 58.0 to the release channel today.  The update comprises three (3) critical, thirteen (13) high, thirteen (13) moderate and three (3) low security updates.

                        ESR was updated to version 52.6.0 and included the critical update for CVE-2018-5089.

                        Security Updates

                        Critical

                        High:

                        Moderate:
                        Low:

                        New

                        Fixed

                        • Fonts installed in non-standard directories will no longer appear blank for Linux users
                        • Various security fixes

                        Changed

                        • User profiles created in Firefox 58 (and in future releases) are not supported in previous versions of Firefox. Users who downgrade to a previous version should create a new profile for that version. Learn about alternatives to downgrading on our support site.
                        • Added a warning to alert users and site owners of planned security changes to sites affected by the gradual distrust plan for the Symantec certificate authority
                        Update:
                        To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.
