Tuesday, June 26, 2018

Mozilla Firefox Version 61.0 Released with Security Improvements


Mozilla sent Firefox Version 61.0 to the release channel today.  The update includes fifteen (15) security fixes, of which four (4) are critical, four (4) are rated High, six (6) are rated Moderate and one (1) is rated Low.

In addition, Firefox ESR 52.9.0 has also been released.  This is the last "main" version that will support Windows XP, although some minor builds (52.9.x) may be added through August.

Security Fixes

New

  • Enhanced performance:
    • Faster page rendering with Quantum CSS improvements and the new retained display list feature
    • Faster switching between tabs on Windows and Linux
    • WebExtensions now run in their own process on MacOS

  • Convenient access to more search engines: You can now add search engines to the address bar “Search with” tool from the page action menu when on a webpage that provides an OpenSearch plugin
  • Share links from Firefox for MacOS more easily: You can now share the URL of an active tab from the page actions menu in the address bar

  • Improved security:
    • On-by-default support for the latest draft of the TLS 1.3 specification
    • Access to FTP subresources inside http(s) pages has been blocked

  • A more consistent user experience: Improvements for dark theme support across the entire Firefox user interface
  • More customization for tab management: added support to allow WebExtensions to hide tabs
  • Improved bookmark syncing

Changed

  • The settings for customizing your homepage and new tab page in Firefox have been added to a new Preferences section that can be accessed from Firefox at about:preferences#home. The settings can also be accessed via the gear icon on the New Tab page.


Update:  To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Tuesday, June 12, 2018

Microsoft Security Updates for June, 2018



The June security release consists of 50 CVEs, of which 11 are listed as Critical and 39 are rated Important.  One is listed as being publicly known at the time of release, and none are listed as under active attack.

The updates address Security Feature Bypass, Information Disclosure, Remote Code Execution, Elevation of Privilege and Denial of Service.  The release consists of security updates for the following software:
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • ChakraCore
  • Adobe Flash Player (although Adobe released Flash Player updates last week)
In addition, Microsoft is releasing the following advisory:  Microsoft Security Advisory 4338110, "Guidance to mitigate speculative execution side-channel vulnerabilities".

Known Issues: 4284880, 4284819, 4284835, 4284826, 4284867

As usual, Dustin Childs has provided a closer look at some of this month's patches in the Zero Day Initiative post, The June 2018 Security Update Review.

More:  For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

Additional Update Notes

  • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
  • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.  Note:  Users who are paranoid about the remote possibility of a false positive (FP) can opt to run this tool from a Command Prompt, appending a /N parameter [for "detect only" mode].
  • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.






Pale Moon Version 27.9.3 Released with Security Updates


Pale Moon has been updated to version 27.9.3.  This is a security update.  From the Release Notes:

Changes/fixes:
  • (CVE-2017-0381) Ported a patch from libopus upstream. Note, contrary to that report, the libopus maintainers state they don't believe remote code execution was possible, so this was not a critical patch.
  • Fixed an issue with task counting in JS GC.
  • Fixed a use-after-free in DOMProxyHandler::EnsureExpandoObject (thanks to Berk Cem Göksel for reporting).
  • Portable only: Included the previously omitted registry helper. This may in some cases help with file/type associations.

Minimum System Requirements (Windows):
  • Windows 7/8/10/Server 2008 or later
  • A processor with SSE2 instruction support
  • 256 MB of free RAM (512 MB or more recommended)
  • At least 150 MB of free (uncompressed) disk space

Pale Moon includes both 32- and 64-bit versions for Windows:

Update

To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.






Thursday, June 07, 2018

Adobe Flash Player Critical Security Update

Adobe has released Version 30.0.0.113 of Adobe Flash Player.  The update addresses critical vulnerabilities that could lead to remote code execution affecting version 29.0.0.171 and earlier.

Release date:  June 7, 2018
Vulnerability identifier: APSB18-19
Platform:  Windows, Macintosh, Linux and Chrome OS
       

Vulnerability details

| Vulnerability Category      | Vulnerability Impact     | Severity  | CVE Number    |
|-----------------------------|--------------------------|-----------|---------------|
| Type Confusion              | Arbitrary Code Execution | Critical  | CVE-2018-4945 |
| Integer Overflow            | Information Disclosure   | Important | CVE-2018-5000 |
| Out-of-bounds read          | Information Disclosure   | Important | CVE-2018-5001 |
| Stack-based buffer overflow | Arbitrary Code Execution | Critical  | CVE-2018-5002 |

Note that an exploit for CVE-2018-5002 exists in the wild and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash Player content distributed via email.

Note:  Microsoft has issued an out-of-band update for the critical Adobe Flash Player vulnerabilities:  Security update for Adobe Flash Player: June 7, 2018

Update:

*Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu.

Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.










Wednesday, June 06, 2018

Mozilla Firefox Version 60.0.2 Released

Mozilla sent Firefox Version 60.0.2 to the release channel today.  The update includes developer and MacOS fixes.

It wasn't listed in the Release Notes when I originally posted but, come to find out, not only was Firefox ESR updated, but both ESR and Version 60.0.2 included two security fixes, one rated critical and one rated high.  Firefox ESR is now Version 52.8.1.

Fixed
  • Fix missing nodes in the developer tools Inspector panel (bug 1460223)
  • Fix font rendering when using third-party font managers on OS X 10.11 and earlier (bug 1460917)

Changed
  • Updated to NSS 3.36.4 from 3.36.1:
    • Connecting to a server that was recently upgraded to TLS 1.3 would result in a SSL_RX_MALFORMED_SERVER_HELLO error (bug 1462303)
    • Fix crash on macOS related to authentication tokens, e.g. PK11 or WebAuthn (bug 1461731)
    See release notes for NSS 3.36.2 and 3.36.4

Update:  To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.
