Friday, September 21, 2018

Mozilla Firefox Version 62.0.2 Released


Mozilla sent Firefox Version 62.0.2 to the release channel today.  According to the release notes, the update appears to be limited to fixes without changes or security updates.

Fixed
  • Unvisited bookmarks can once again be autofilled in the address bar (bug 1488879)
  • WebGL rendering issues (bug 1489099)
  • Updates from unpacked language packs no longer break the browser (bug 1488934)
  • Fix fallback on startup when a language pack is missing (bug 1492459)
  • Profile refresh from the Windows stub installer restarts the browser (bug 1491999)
  • Properly restore window size and position when restarting on Windows (bugs 1489214 and 1489852)
  • Avoid crash when sharing a profile with newer (as yet unreleased) versions of Firefox (bug 1490585)
  • Do not undo removal of search engines when using a language pack (bug 1489820)
  • Fixed rendering of some web sites (bug 1421885)
  • Restored compatibility with some sites using deprecated TLS settings (bug 1487517)
  • Fix screen share on MacOS when using multiple monitors (bug 1487419)

Update:  To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Thursday, September 20, 2018

Microsoft Cumulative Updates Released for Windows 10


Microsoft has released cumulative updates with non-security improvements and fixes for Windows 10 April 2018 Update (version 1803) and Windows 10 Fall Creators Update (version 1709).  The updates for both versions 1803 and 1709 include quality improvements with no new operating system features introduced.
The updates are available from Windows Update or the Microsoft Update Catalog.

Update 27Sep2018: Cumulative update KB4458469 for Windows 10 version 1803 has been re-released because of a missing solution. See https://support.microsoft.com/en-us/help/4458469/windows-10-update-kb4458469





Pale Moon Version 28.1.0 Released


Pale Moon version 28.1.0 has been released.  This update is considered a major update, focused on performance and security as well as some regression and bug fixes.

From the Release Notes:

Changes/fixes:
  • Updated NSS to 3.38, removed TLS 1.3 draft version check since it's considered final.
  • Reinstated RC4 as an optional encryption cypher for non-standard environments (e.g. old routing/peripheral networked hardware on LAN). RC4 and 3DES are marked weak and disabled, and will never be used in the first handshake with a site, only as last-ditch fallback when specifically enabled (meaning they won't show up on ssllabs' test, for example).
  • Removed Telemetry accumulation calls, automatic timers and stopwatches. This removes a very noticeable performance sink for all operations on all platforms.
  • Fixed many occurrences of discouraged types of memory access for primarily GCC 8 compatibility. This improves overall code security as a defense-in-depth measure.
  • Re-implemented the pref-controlled custom background color for standalone images.
  • Updated session history handling for internal pages. about:logopage is no longer stored in history, and you can choose to store the QuickDial page in history by setting the pref browser.newtabpage.add_to_session_history to true. This is disabled by default (meaning you can't use the "Back" button to go back to the QuickDial page) as a defense-in-depth security measure.
  • Added ui.menu.allow_content_scroll to control whether content can be scrolled if a context menu is open.
  • Fixed incorrect code removal in ipc.
  • Removed support for TLS session caches in TLSServerSocket.
  • Added support for local-ref as SVG xlink:href values.
  • Changed the find bar to be a browser-global toolbar again (like in Pale Moon 27) instead of per-tab. For people who prefer search terms to be saved on a per-tab basis (like with the per-tab findbar previously), this is possible by setting findbar.termPerTab to true. This resolves a number of issues, including styling with lightweight themes not applying to the find bar, and status pop-ups overlapping the find bar.
  • Ported all relevant security fixes from Mozilla's Gecko/62 release, including CVE-2018-12377 and CVE-2018-12379.
  • Restored part of the searchplugin API that was removed by Mozilla, so extensions can provide and save edits to installed search engines.
  • Improved the speed of restoring browsing sessions upon startup.
  • Fixed the "Restore previous session" button sometimes being missing from about:home, while a restorable session would be present.
  • Fixed tab previews in the Windows taskbar (if enabled).
  • Fixed the setting of the new tab page being "My Home Page" so it'll pick up subsequent changes to the home page URL automatically.
  • Removed the Firefox Accounts migrator from Sync.
  • Fixed an issue with the enabled state of number controls if appearances changed.
  • Stopped building ffvpx on 32-bit platforms (except windows) to use the (faster) system-installed lib instead.
  • Re-added a horizontal scroll action option for mouse wheel. (regression)
  • Fixed handling of content language if the locale is changed.
  • Fixed document navigation with the F6 key.
  • Fixed toolbar styling in toolkit themes.
  • Fixed viewing the source of a selection.
    Update

    To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.







    Wednesday, September 19, 2018

    Adobe Reader DC and Adobe Acrobat DC Security Updates Released

    Adobe has released security updates for Adobe Reader DC and Adobe Acrobat DC for Windows and Macintosh.  These updates are rated as critical and important.  Successful exploitation could lead to arbitrary code execution in the context of the current user.

    Release date:  September 19, 2018
    Vulnerability identifier: APSB18-34
    Platform: Windows and Macintosh

    Update or Complete Download

    Reader DC and Acrobat DC were updated to version 2018.011.20063. Update checks can be manually activated by choosing Help > Check for Updates. 
    Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.









    Tuesday, September 11, 2018

    Microsoft Security Updates for September, 2018



    The September security updates consist of 61 CVEs, of which 17 are listed as Critical, 43 are rated Important, and 1 is rated as Moderate in severity.  Four are listed as publicly known at the time of release and one is reported as being actively exploited.

    The release consists of security updates for the following:  Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office and Microsoft Office Services and Web Apps, ChakraCore, Adobe Flash Player, .NET Framework, Microsoft.Data.OData, and ASP.NET


    The updates address Remote Code Execution, Elevation of Privilege, Security Feature Bypass, and Spoofing.


      Recommended Reading: 

      See Dustin Childs' excellent review and recommendations in Zero Day Initiative — The September 2018 Security Update Review, where he provides additional information on the CVE reported as actively exploited and more.


      More:  For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

      Additional Update Notes

      • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
      • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.  Note:  Users who are paranoid about the remote possibility of a FP can opt to run this tool from a Command Prompt, appending a   /N   parameter [for "detect only" mode].






      Adobe Flash Player and AIR Updates

      Adobe has released Version 31.0.0.108 of Adobe Flash Player and AIR.  The update addresses both security and functional issues in Flash Player.  The update to AIR fixes issues and introduces new features, as indicated in the Release Notes.

      Release date:  September 11, 2018
      Vulnerability identifier: APSB18-31
      Platform:  Windows, Macintosh, Linux and Chrome OS

      Fixed Issues

      Flash Player
      • Assorted security and functional fixes
      AIR
      • Incorrect path on macOS using File.browseForSave() if target file already exists (AIR-4198652)
      • ETC2 Non Alpha ATF are not rendered in ADL
      • Swiping iPhone bottom\up opens system tray instead small arrow (AIR-4198602)

      Vulnerability details

      Vulnerability Category: Privilege Escalation
      Vulnerability Impact: Information Disclosure
      Severity: Important
      CVE Number: CVE-2018-15967

      Update:

      *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

        Verify Installation

        To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

        Do this for each browser installed on your computer.

        To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.










        Wednesday, September 05, 2018

        Mozilla Firefox Version 62.0 Released


        Mozilla sent Firefox Version 62.0 to the release channel today.

        Update:  As usual, Mozilla published the information about the security updates long after releasing the update.  The update included nine (9) security updates, of which one (1) is critical, three (3) are high, two (2) are moderate and three (3) are rated low.  The updates apply to both the newly released Firefox Version 62.0 and the earlier released Firefox ESR 60.2.

        New

        • Firefox Home (the default New Tab) now allows users to display up to 4 rows of top sites, Pocket stories, and highlights
        • “Reopen in Container” tab menu option appears for users with Containers that lets them choose to reopen a tab in a different container
        • In advance of removing all trust for Symantec-issued certificates in Firefox 63, a preference was added that allows users to distrust certificates issued by Symantec. To use this preference, go to about:config in the address bar and set the preference "security.pki.distrust_ca_policy" to 2.
        • Added FreeBSD support for WebAuthn
        • Improved graphics rendering for Windows users without accelerated hardware using Parallel-Off-Main-Thread Painting
        • Support for CSS Shapes, allowing for richer web page layouts. This goes hand in hand with a brand new Shape Path Editor in the CSS inspector.
        • CSS Variable Fonts (OpenType Font Variations) support, which makes it possible to create beautiful typography with a single font file
        • Updates for enterprise environments:
          • AutoConfig is sandboxed to the documented API by default. You can disable the sandbox by setting the preference general.config.sandbox_enabled to false. Our long term plan is to remove the ability to turn off the sandboxing. If you need to continue to use more complex AutoConfig scripts, you will need to use Firefox Extended Support Release (ESR).
        • Added Canadian English (en-CA) locale

        Changed

        • Removed the description field for bookmarks. Users who have stored descriptions using the field may wish to export these descriptions as html or json files, as they will be removed in a future release.
        • Dark theme is automatically enabled in macOS 10.14 dark mode
        • Changed the default setting to Enforce (3) for the security.pki.name_matching_mode preference
        • Adobe Flash applets now run in a more secure mode using process sandboxing on macOS. Learn how this may affect features here.
        • Users disconnecting from Sync are now offered the option to wipe their Firefox profile data (including bookmarks, passwords, history, cookies, and site data) from their desktop computer
        • Changed how WebRTC handles screen sharing: When screen-sharing a window, the window will be brought to front

        Update:  To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.
