Monday, January 29, 2018

Mozilla Firefox Version 58.0.1 Released with Critical Security Update


Mozilla sent Firefox Version 58.0.1 to the release channel today. The critical security update was issued to fix Bug 1433065, which caused Firefox 58 to not load any pages (including about: pages) when certain non-default security policies were in use on Windows (for example with Windows Defender Exploit Protection or Webroot security products).

ESR was not affected by this bug.

Unresolved

  • Users running Firefox for Windows over a Remote Desktop Connection (RDP) may find that audio playback is disabled due to increased security restrictions.
  • Users running certain screen readers may experience performance issues and are advised to use Firefox ESR until performance issues are resolved in an upcoming future release.
Update:
To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Microsoft Security Update Release




Microsoft has issued an out-of-band Windows update that disables patches for the Spectre Variant 2 bug (CVE-2017-5715). The update is only needed if you installed the Intel BIOS/firmware update from the OEM and you are experiencing reboot issues.

The update applies to Windows 7 Service Pack 1, Windows 8.1, Windows 10, Windows 10 Version 1511, Windows 10 Version 1607, Windows 10 Version 1703, Windows 10 Version 1709, Windows Server 2008 R2 Standard, and Windows Server 2012 R2 Standard.

For those who need it, KB4078130 is only available from the Microsoft Update Catalog.






Tuesday, January 23, 2018

Firefox Version 58.0 Released with Security Updates


Mozilla sent Firefox Version 58.0 to the release channel today. The update comprises three (3) critical, thirteen (13) high, thirteen (13) moderate and three (3) low security updates.

ESR was updated to version 52.6.0 and included the critical update for CVE-2018-5089.


Fixed

  • Fonts installed in non-standard directories will no longer appear blank for Linux users
  • Various security fixes

Changed

  • User profiles created in Firefox 58 (and in future releases) are not supported in previous versions of Firefox. Users who downgrade to a previous version should create a new profile for that version. Learn about alternatives to downgrading on our support site.
  • Added a warning to alert users and site owners of planned security changes to sites affected by the gradual distrust plan for the Symantec certificate authority
Update:
To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


Thursday, January 18, 2018

Pale Moon Version 27.7.1 Emergency Release


Pale Moon has been updated to Version 27.7.1. This is a small emergency update to Pale Moon 27.7.0 to address website breakage caused by an incomplete addition of a new JavaScript feature. It also addresses tab borders being drawn too thick in some situations on Windows.

Linux versions will follow shortly. Details from the Release Notes:

Changes/fixes:
  • Added support for Array.prototype[@@unscopables].
    Unfortunately, the addition of Javascript's ES6 Unscopables in 27.7.0 was incomplete, which caused a number of websites (e.g. Chase on-line banking, some Russian government sites) to display blank or not complete loading after updating to that version of the browser. This update should fix the problem by adding the missing part of the feature.
  • Fixed an issue with the default theme causing tab borders to be drawn too thick at higher settings for visual element scaling (125%/150%) in Windows.
    Minimum system requirements (Windows):
    • Windows Vista/Windows 7/8/10/Server 2008 or later
    • Windows Platform Update (Vista/7) strongly recommended
    • A processor with SSE2 instruction support
    • 256 MB of free RAM (512 MB or more recommended)
    • At least 150 MB of free (uncompressed) disk space
    Pale Moon includes both 32- and 64-bit versions for Windows.

    Update

    To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.






    Wednesday, January 17, 2018

    Oracle Java SE Critical Security Update


    Oracle released the scheduled critical security updates for its Java SE Runtime Environment software.  The update contains 21 new security fixes for multiple versions of Java SE, 18 of which are remotely exploitable without authentication.  The update also includes numerous bug fixes.

    Update

    If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

    Download Information

    Java SE 8u161/8u162
    Java™ SE Development Kit 8, Update 161 Release Notes
    Java™ SE Development Kit 8, Update 162 Release Notes
    Java SE Runtime Environment 8 - Downloads

    Java SE 9.0.4 (64-bit only)
    Java™ SE Development Kit 9.0.4 Release Notes
    Java SE Runtime Environment 9 - Downloads
    Notes:
    • Uncheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional. Preferably, see the instructions below on how to handle "Unwanted Extras".
    • Oracle does not plan to migrate desktops from Java 8 to Java 9 through the auto update feature. Therefore, it is strongly recommended that you uninstall JRE 8 prior to updating.
    • Verify your version at http://www.java.com/en/download/testjava.jsp. Note: the Java version verification page will only work if your browser has NPAPI support. If it does not, open a command prompt and enter the following (note the space after "java"): java -version

    Critical Patch Updates

    For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
    • 17 April 2018
    • 17 July 2018
    • 16 October 2018
    • 15 January 2019

    Unwanted "Extras"

    Although most people do not need Java on their computer, some programs and games require it. If you need to continue using Java, How-To Geek discovered a little-known and unpublicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long bundled with its updates. Although the Ask Toolbar has been removed, that does not preclude a pre-checked option for some other unnecessary add-on.

    Do the following to suppress the sponsor offers:
    1. Launch the Windows Start menu
    2. Click on Programs
    3. Find the Java program listing
    4. Click Configure Java to launch the Java Control Panel
    5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
    6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.

    Java Security Recommendations

    1)  In the Java Control Panel, at minimum, set the security to high.
    2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

    3)  Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml





    Monday, January 15, 2018

    Pale Moon Version 27.7.0 Released with Security Updates


    Pale Moon has been updated to Version 27.7.0. This is a stability and bugfix release, as well as adding a number of new features to further improve web compatibility.  Details from the Release Notes:

    Security/privacy fixes:

    • Disabled automatic filling in of log-in details by default to prevent potential risks of credentials being abused (e.g. for tracking) or stolen.
    • Added a preference (in the category security) to easily enable or disable automatic filling in of log-in data.
    • Removed the sending of referrers when opening a link in a new private window.
    • Added an option to disable the page visibility Web API (dom.visibilityAPI.enabled), allowing users to prevent pages from knowing whether they are being actively displayed to the user or not.
    • Removed the "ask every time" policy for cookies. For granular control, please use any of the excellent available extensions to regulate cookie use on a per-site or per-url basis.
    • Added support for X-Content-Type-Options: nosniff (for scripts).
    • Changed the resolution of performance timers to a level where any future potential abuse for hardware-timing attacks becomes impractical. (DiD)
    DiD: This means that the fix is "Defense-in-Depth": it is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.
    Changes/fixes:
    • Reorganized access to preferences (moved to the Tools menu on Linux, and renamed from "Options" to "Preferences" on Windows).
    • Renamed "Restart with add-ons disabled" to "Restart in Safe Mode" to better reflect what it does.
    • Worked around an issue with some improperly-encoded PNG files not decoding after our libpng update.
    • Fixed an issue on Mac builds not properly populating the application menu.
    • Added "My home page" as an option for new tabs.
    • Added an option to disable the 4th and 5th mouse buttons (Windows).
      (mouse.button4.enabled and mouse.button5.enabled, respectively)
    • Improved the resetting of non-default profiles.
    • Fixed an issue with details/summary having the incorrect height if floated, breaking layouts.
    • Made several more improvements to the details/summary tags to align them with the current spec and fix some additional bugs.
    • Implemented support for flex/columnset contents inside buttons to align its behavior with other browsers.
      (this should fix layout issues with Twitch's new web interface)
    • Fixed an issue where CSS clone operations would draw a border.
    • Changed the way fractional border widths are rounded to provide more natural behavior.
    • Fixed an issue where number inputs would incorrectly be flagged as read-only.
    • Added assets for tile display in the Windows start panel.
    • Finished sync infra swapover by adding a one-time pref migration for server used.
    • Improved WebAudio API: Return the connected audio node from AudioNode.connect()
    • Added support for a default playback start position in media elements.
    • Fixed an assert in cubeb-alsa code (Linux).
    • Added support for media cue-change events (e.g. subtitles).
    • Updated SQLite to 3.21.0.
    • Fixed a crash when trying to use the platform embedded.
    • Fixed devtools (gcli) screenshots on vertical-text pages.
    • Fixed devtools copy as cURL for POST requests.
    • Improved the HTML editor component (several bugfixes).
    • Added support for ES7's exponentiation a ** b operator.
    • Fixed an issue with arrow functions incorrectly creating an 'arguments' binding.
    • Added Javascript's ES6 "unscopables".
    Minimum system requirements (Windows):
    • Windows Vista/Windows 7/8/10/Server 2008 or later
    • Windows Platform Update (Vista/7) strongly recommended
    • A processor with SSE2 instruction support
    • 256 MB of free RAM (512 MB or more recommended)
    • At least 150 MB of free (uncompressed) disk space
    Pale Moon includes both 32- and 64-bit versions for Windows.

    Update

    To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.






    Sunday, January 14, 2018

    HomeGroup Service Retiring

    It appears that many people have missed that HomeGroup is on the way out.  Windows 10 provides other ways of connecting devices and sharing files. 

    From Feature Deprecation:
    "Homegroup: This feature may continue to function on machines with the Creators Update installed; however, Homegroup will sunset in the release that follows. This page can help you troubleshoot problems with Homegroup following installation of Windows 10.
    Here are additional resources if you would like to share files and printers without using Homegroup:"

    The changes began in Windows Insider Preview Build 17063:
    "A note about HomeGroup: Easily connecting to and sharing the important pieces of your digital life with those who matter most has never been easier with today’s Modern PCs and the cloud. Whether it’s connecting PCs and printers on your home network via the Share functionality in Windows or using OneDrive to share a photo album of your last vacation, Windows 10 makes connecting multiple devices and sharing content streamlined and simple. And it’s because of that evolution that with today’s build you’ll start to see us retire the HomeGroup service. HomeGroup was terrific for the pre-cloud and pre-mobile era, but today this functionality is built right into Windows 10 and apps. Starting with this build, the HomeGroup service is no longer operational in Windows 10. The user profile used for sharing and the file/folder/printer shares will continue to work.

    Here are recommended alternatives to HomeGroup for you to get the best file-sharing experience in Windows 10 going forward:
    • File Storage:
      • OneDrive is a cloud-first, cross-device storage and collaboration platform for all of the pieces of data that matter most in your life – like your files, your photos, your videos, and more.
      • OneDrive Files On-Demand takes cloud file storage a step further, allowing you to access all your files in the cloud without having to download them and use storage space on your device.
    • Share Functionality: For those who prefer not to use the Cloud to connect their devices, the Share functionality for folders and printers allows you to see the available devices and connect them to and from other PCs on your home network.
    • Easier Connection: No more remembering cryptic HomeGroup passwords in order to connect to another PC. You can now simply connect through your Microsoft Account email address across devices."

    Tuesday, January 09, 2018

    Microsoft January, 2018 Security Updates



    The January security release consists of 56 CVEs: 16 are rated Critical, 38 Important, 1 Moderate and 1 Low in severity. The updates address Remote Code Execution, Tampering, Security Feature Bypass, Information Disclosure and Denial of Service. The release consists of security updates for the following software:

    • Internet Explorer
    • Microsoft Edge
    • Microsoft Windows
    • Microsoft Office and Microsoft Office Services and Web Apps
    • SQL Server
    • ChakraCore
    • .NET Framework
    • .NET Core
    • ASP.NET Core
    • Adobe Flash


      Known Issues: 4056890, 4056891, 4056892, 4056893, 4056888, 4056895, 4056898, 4056894, 4056897, 4056896, 4056899


      Important: Because the out-of-band security update for "Meltdown"/"Spectre" requires a registry key to be set, and not all antivirus software has been updated to set that key, Microsoft updated its article "Important: January 3, 2018, Windows security updates and antivirus software" to include the following note:
      Note: Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key:
      Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD"
      Data="0x00000000"

      If your computer has not received the security update, check its status at CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 (Meltdown and Spectre) Windows antivirus patch compatibility. If both "Sets registry key" and "Supported" are not indicated with the letter "Y", Bleeping Computer has created a .reg file that can be used to create the registry key. However, it should only be used if your antivirus vendor has indicated that a manual install is needed. For in-depth information, see the Bleeping Computer articles Microsoft Says No More Windows Security Updates Unless AVs Set a Registry Key and How to Check and Update Windows Systems for the Meltdown and Spectre CPU Flaws.
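As an added check (example code, not from this post, Microsoft or Bleeping Computer): a PowerShell function that reads the QualityCompat value quoted above and reports whether it is present with the documented type (REG_DWORD) and data (0x00000000). It only reads the registry; it never creates or changes the key, which the post says should be left to the antivirus vendor unless the vendor states that a manual install is needed.

```powershell
# Added example: report whether the QualityCompat compatibility flag that gates the
# January 2018 Windows security updates is set on this machine. Read-only.

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # value name from the Microsoft note

function Test-QualityCompatFlag {
    [CmdletBinding()]
    param(
        [string]$Path = $KeyPath,
        [string]$Name = $ValueName
    )

    $result = [ordered]@{
        KeyExists   = $false
        ValueExists = $false
        Kind        = $null
        Data        = $null
        Compatible  = $false
        Reason      = ''
    }

    # Get-Item on an HKLM: path returns a Microsoft.Win32.RegistryKey (or nothing).
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if (-not $key) {
        $result.Reason = "Key $Path does not exist; the flag has not been set."
        return [pscustomobject]$result
    }
    $result.KeyExists = $true

    # GetValueKind() throws for a missing value, so check the value names first.
    if ($key.GetValueNames() -notcontains $Name) {
        $result.Reason = "Value $Name is missing under $Path."
        return [pscustomobject]$result
    }
    $result.ValueExists = $true
    $result.Kind = $key.GetValueKind($Name)   # documented: DWord (REG_DWORD)
    $result.Data = $key.GetValue($Name)       # documented: 0x00000000

    if ($result.Kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        $result.Reason = "Value exists but its type is $($result.Kind), not REG_DWORD as documented."
    }
    elseif ($result.Data -ne 0) {
        $result.Reason = "Value exists but its data is 0x$('{0:X8}' -f $result.Data), not 0x00000000."
    }
    else {
        $result.Compatible = $true
        $result.Reason = 'Flag is set as documented; the January 2018 updates should be offered.'
    }
    return [pscustomobject]$result
}

Test-QualityCompatFlag | Format-List
```

Run it in an ordinary (non-elevated) PowerShell session; reading HKLM does not require administrator rights.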

      Further note that some AMD devices are getting into an unbootable state after installing the "Meltdown"/"Spectre" security update. As a result, Microsoft is temporarily pausing sending updates to devices with impacted AMD processors at this time. Further information is available at Windows Meltdown and Spectre patches: Now Microsoft blocks security updates for some AMD based PCs.

      More:  For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

      Also see this month's Zero Day Initiative — The January 2018 Security Update Review by Dustin Childs, in which he discusses several of the patches and includes a breakdown of the CVEs addressed in the update.

      Additional Update Notes

      • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
      • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. Note: users concerned about the remote possibility of a false positive can run this tool from a Command Prompt with the /N parameter, which selects "detect only" mode.
      • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.






      Adobe Flash Player Security Update


      Adobe has released Version 28.0.0.137 of Adobe Flash Player. The update addresses CVE-2018-4871, an Information Disclosure vulnerability, and is rated Important. The update also includes functional fixes.

      Release date:  January 9, 2018
      Vulnerability identifier: APSB18-01
      Platform:  Windows, Macintosh, Linux and Chrome OS

      Update:

      *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

        Verify Installation

        To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

        Do this for each browser installed on your computer.

        To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.










        Thursday, January 04, 2018

        Mozilla Firefox Version 57.0.4 Released to Address "Meltdown" and "Spectre"


        Mozilla sent Firefox Version 57.0.4 to the release channel to address the "Meltdown" and "Spectre" timing attacks. As of this posting, there has not been an update released for Firefox ESR.* The update includes one High security update and is discussed in the Mozilla Security Blog at Mitigations landing for new class of timing attack | Mozilla Security Blog.

        *Edit Note: From Speculative execution side-channel attack ("Spectre") — Mozilla, "SharedArrayBuffer is already disabled in Firefox 52 ESR."

        Security Update

        • 2018-01 -- Speculative execution side-channel attack ("Spectre")

            Update:

            To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


            Microsoft Out-of-Band Security Update for "Meltdown" and "Spectre" CPU Flaws



            Microsoft released out-of-band security updates to address what are being referred to as "Meltdown" and "Spectre" CPU flaws, reported to be affecting almost all CPUs released since 1995.

            As explained by John Hazen, Principal PM Lead, Microsoft Edge, in Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer, Microsoft released KB4056890 with mitigations for the class of vulnerabilities which can be exploited as described in Security Advisory ADV180002. These techniques can be used via JavaScript code running in the browser, which may allow attackers to gain access to memory in the attacker's process.

            The January security release consists of security updates for the following software:

            • Internet Explorer
            • Microsoft Edge
            • Microsoft Windows

              The updates address Elevation of Privilege and Information Disclosure. The related CVEs are CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754. See Lawrence Abrams' article at Bleeping Computer, which includes a list of vendors' official notices, patches and updates, including Amazon, AMD, Apple, Chrome, Intel, Mozilla, nVidia and more.

              Important Note: The update released is incompatible with a small number of anti-virus products and may result in BSODs. As a result, the update is only being released to devices running antivirus software from partners who have confirmed their software is compatible with the January 2018 Windows operating system security update. See Important information regarding the Windows security updates released on January 3, 2018 and anti-virus software for additional information.


              For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.






              Monday, January 01, 2018

              A Windows Insider MVP Brief Look at 2017



              The Windows Insider MVP Program had a busy 2017 with many PGIs (Product Group Interactions) arranged by the MVP Leads, Tyler Ahn and Joe Camp. The primary focus has been the launch of the long-awaited Windows Insider MVP website, https://insider.windows.com/en-us/community-mvp/.

              The Windows Insider MVP Program originated following the October 2015 reorganization of the Microsoft MVP Program. The first award cycle was in July, 2016 and comprised MVPs who were in the Consumer Security, Surface, Windows Experience and Windows Phone award categories as of the April Microsoft MVP award cycle. (Thank you for "adopting us", Windows Insider Team!) From there it has expanded, so if you know a Windows Insider who, over the past 12 months, has "demonstrated superior knowledge, leadership and passion, combined with a desire to help and accelerate others' learning, careers, and abilities", the nomination form can be found here.

              On a personal note, not only was I the subject of an interview (Windows Insider — Corrine Chorney: Windows Insider MVP and Security...), but I am still overwhelmed that I was also included with others as an example of "technical leadership excellence" by Dona Sarkar when she spoke at the Senior Technical Leadership Program Summit in November (https://twitter.com/donasarkar/status/930793914595909634). (Yes, the photo in the interview and in Dona's Tweet is me. It was from an old "throwback Thursday".)

              With ~45 builds released during the year, the Windows Insider Program has been an overwhelming success. Busy, but successful! The year began with Windows Insider Build 15002 on January 9, 2017, and ended with Windows 10 Insider Preview Build 17063 on December 19, 2017. The Windows 10 Creators Update was released worldwide on April 11, 2017, followed by the Windows 10 Fall Creators Update on October 17, 2017. The latest Insider Preview releases for PC, Server, IoT, and SDKs as well as ISO images can now be found on the Flight Hub.

              The Feedback Hub has had a lot of improvements made during 2017.  Should you run into an issue or have an improvement suggestion, it is important to take the time to document or "upvote" it in the Feedback Hub.  All submissions are reviewed and submitted to the appropriate Product Group Team for review.

              There have been so many changes to Windows 10 that it is hard to keep track.  If you are still new to the Fall Creator's Update, you may find this Windows Experience blog post helpful:  What’s new in the Windows 10 Fall Creators Update.

              Like other Windows Insider MVPs (WIMVP) and Windows Insiders, I am looking forward to the changes and additions to Windows 10 in the upcoming Insider Preview Builds in 2018!




              Happy New Year!


              Happy New Year family, friends and Security Garden subscribers. 

              To each of you in 2018, may your days be filled with wine and roses and all things bright and beautiful!


              May love and laughter light your days,
              and warm your heart and home.

              May good and faithful friends be yours,
              wherever you may roam.

              May peace and plenty bless your world
              with joy that long endures.

              May all life's passing seasons
              bring the best to you and yours!


              Happy New Year!



