Mozilla Firefox Version 62.0.2 Released

Mozilla sent Firefox Version 62.0.2 to the release channel today.  According to the release notes, the update appears to be limited to fixes without changes or security updates.

Fixed

• Unvisited bookmarks can once again be autofilled in the address bar (bug 1488879)
  
• WebGL rendering issues (bug 1489099)
  
• Updates from unpacked language packs no longer break the browser (bug 1488934)
  
• Fix fallback on startup when a language pack is missing (bug 1492459)
  
• Profile refresh from the Windows stub installer restarts the browser (bug 1491999)
  
• Properly restore window size and position when restarting on Windows (bugs 1489214 and 1489852)
  
• Avoid crash when sharing a profile with newer (as yet unreleased) versions of Firefox (bug 1490585)
  
• Do not undo removal of search engines when using a language pack (bug 1489820)
  
• Fixed rendering of some web sites (bug 1421885)
  
• Restored compatibility with some sites using deprecated TLS settings (bug 1487517)
  
• Fix screen share on MacOS when using multiple monitors (bug 1487419)
  

Update:  To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

References

• Common questions after updating Firefox
• Security Updates
• Mozilla Firefox Release Notes
• Rapid Release Calendar

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Microsoft Cumulative Updates Released for Windows 10

Microsoft has released cumulative updates with non-security improvements and fixes for Windows 10 April 2018 Update (version 1803) and Windows 10 Fall Creators Update (version 1709).  The update for both versions 1803 and 179 includes quality improvements with no new operating system features introduced.

• Version 1803:  KB4458469
• Version 1709:  KB4457136

The updates are available from Windows Update or the Microsoft Update Catalog.

Update 27Sep2018:  Cumulative update KB4458469 for Windows 10 version 1803 has been re-released because of a missing solution. See https://support.microsoft.com/en-us/help/4458469/windows-10-update-kb4458469. 

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Pale Moon Version 28.1.0 Released

Pale Moon version 28.1.0 has been released.  This update is considered a major update, focused on performance and security as well as some regression and bug fixes.

From the Release Notes:

Changes/fixes:

• Updated NSS to 3.38, removed TLS 1.3 draft version check since it's considered final.
• Reinstated RC4 as an optional encryption cypher for non-standard environments (e.g. old routing/peripheral networked hardware on LAN). RC4 and 3DES are marked weak and disabled, and will never be used in the first handshake with a site, only as last-ditch fallback when specifically enabled (meaning they won't show up on ssllabs' test, for example).
• Removed Telemetry accumulation calls, automatic timers and stopwatches. This removes a very noticeable performance sink for all operations on all platforms.
• Fixed many occurrences of discouraged types of memory access for primarily GCC 8 compatibility. This improves overall code security as a defense-in-depth measure.
• Re-implemented the pref-controlled custom background color for standalone images.
• Updated session history handling for internal pages. about:logopage is no longer stored in history, and you can choose to store the QuickDial page in history by setting the pref browser.newtabpage.add_to_session_history to true. This is disabled by default (meaning you can't use the "Back" button to go back to the QuickDial page) as a defense-in-depth security measure.
• Added ui.menu.allow_content_scroll to control whether content can be scrolled if a context menu is open.
• Fixed incorrect code removal in ipc.
• Removed support for TLS session caches in TLSServerSocket.
• Added support for local-ref as SVG xlink:href values.
• Changed the find bar to be a browser-global toolbar again (like in Pale Moon 27) instead of per-tab. For people who prefer search terms to be saved on a per-tab basis (like with the per-tab findbar previously), this is possible by setting findbar.termPerTab to true. This resolves a number of issues, including styling with lightweight themes not applying to the find bar, and status pop-ups overlapping the find bar.
• Ported all relevant security fixes from Mozilla's Gecko/62 release, including CVE-2018-12377 and CVE-2018-12379.
• Restored part of the searchplugin API that was removed by Mozilla, so extensions can provide and save edits to installed search engines.
• Improved the speed of restoring browsing sessions upon startup.
• Fixed the "Restore previous session" button sometimes being missing from about:home, while a restorable session would be present.
  
• Fixed tab previews in the Windows taskbar (if enabled).
• Fixed the setting of the new tab page being "My Home Page" so it'll pick up subsequent changes to the home page URL automatically.
• Removed the Firefox Accounts migrator from Sync.
• Fixed an issue with the enabled state of number controls if appearances changed.
• Stopped building ffvpx on 32-bit platforms (except windows) to use the (faster) system-installed lib instead.
• Re-added a horizontal scroll action option for mouse wheel. (regression)
• Fixed handling of content language if the locale is changed.
• Fixed document navigation with the F6 key.
• Fixed toolbar styling in toolkit themes.
• Fixed viewing the source of a selection.

Download:

• Pale Moon for Windows
• Pale Moon for Linux

Update

To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Adobe Reader DC and Adobe Acrobat DC Security Updates Released

Adobe has released security updates for Adobe Reader DC and Adobe Acrobat DC for Windows and Macintosh.  These updates are rated as critical and important.  Successful exploitation could lead to arbitrary code execution in the context of the current user.

Release date:  September 19, 2018
Vulnerability identifier: APSB18-34
Platform: Windows and Macintosh

Update or Complete Download

Reader DC and Acrobat DC were updated to version 2018.011.20063. Update checks can be manually activated by choosing Help > Check for Updates. 

• Reader DC and other versions are available here:  https://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows 
• Acrobat DC for Windows is available here:  http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows  

Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

References

• PSIRT
• Security Bulletin
• System Requirements

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Microsoft Security Updates for September, 2018

The September security updates consist of 61 CVEs, of which 17 are listed as Critical 43 are rated Important, and 1 is rated as Moderate in severity.  Four are listed as publicly known at the time of release and one of is reported as being actively exploited. 

The release consists of security updates for the following:  Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office and Microsoft Office Services and Web Apps, ChakraCore, Adobe Flash Player, .NET Framework, Microsoft.Data.OData, and ASP.NET

The updates address Remote Code Execution, Elevation of Privilege, Security Feature Bypass, and Spoofing.

Known Issues

• 4457128
• 4457144
• 4458321

Recommended Reading: 

See Dustin Childs excellent review and recommendations in Zero Day Initiative — The September 2018 Security Update Review where he provides additional information on the CVC reported as actively exploited and more.

More:  For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

Additional Update Notes

• Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
• MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.  Note:  Users who are paranoid about the remote possibility of a FP can opt to run this tool from a Command Prompt, appending a   /N   parameter [for "detect only" mode].

References

• Release Notes
• Security Update FAQ
• Security Updates Guide

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Adobe Flash Player and AIR Updates

Adobe has released Version 31.0.0.108 of Adobe Flash Player and AIR.  The update addresses both security and functional issues in Flash Player.  The update to AIR fixes issues and introduces new features, as indicated in the Release Notes.

Release date:  September 11, 2018
Vulnerability identifier: APSB18-31
Platform:  Windows, Macintosh, Linux and Chrome OS

Fixed Issues

Flash Player

• Assorted security and functional fixes

AIR

• Incorrect path on macOS using File.browseForSave() if target file already exists (AIR-4198652)
• ETC2 Non Alpha ATF are not rendered in ADL
• Swiping iPhone bottom\up opens system tray instead small arrow (AIR-4198602)

Vulnerability details

Vulnerability Category	Vulnerability Impact	Severity	CVE Number
Privilege Escalation	Information Disclosure	Important	CVE-2018-15967

Update:

• With the option to 'Allow Adobe to install updates', the update will be automatic. Without that setting enabled, either install the update via the update mechanism when prompted or via the Download Center*.
• Windows 7 and earlier:  Installation links for Windows 7 and earlier are provided by Adobe at Installation problems | Flash Player | Windows 7 and earlier: 
• Flash Player for Internet Explorer - ActiveX 
• Flash Player for Firefox/Pale Moon - NPAPI
• Flash Player for Opera and Chromium-based browsers - PPAPI
• Microsoft Edge and Internet Explorer 11:  Adobe Flash Player will be automatically updated to the latest version for Windows 8.1 and 10.
• Google Chrome:  Adobe Flash Player will be automatically updated to the latest Google Chrome version.
• Flash Player Uninstaller:  http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe
• Adobe AIR:  Adobe - Adobe AIR

*Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

References

• Adobe Priority Ratings
• AIR Download Center 
• Installing and Updating Flash Player - FAQ
• Release Notes:  Flash Player® 31 AIR® 31
• Security Bulletin
• PSIRT

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Mozilla Firefox Version 62.0 Released

Mozilla sent Firefox Version 62.0 to the release channel today.

Update:  As usual, Mozilla published the information about the security updates long after releasing the update.  The update included nine (9) security updates of which one (1) is critical, three (3) are high, two (2) moderate and three (3) are rated low.  The updates apply to both  newly released Firefox Version 62.0 as well as earlier released Firefox ESR 60.2.

Critical

• #CVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2

High

•  #CVE-2018-12377: Use-after-free in refresh driver timers
• #CVE-2018-12378: Use-after-free in IndexedDB
• #CVE-2018-12375: Memory safety bugs fixed in Firefox 62

Moderate

• #CVE-2018-12379: Out-of-bounds write with malicious MAR file 
• #CVE-2017-16541: Proxy bypass using automount and autofs 

Low

• #CVE-2018-12381: Dragging and dropping Outlook email message results in page navigation
• #CVE-2018-12382: Addressbar spoofing with javascript URI on Firefox for Android
• #CVE-2018-12383: Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords

New

• Firefox Home (the default New Tab) now allows users to display up to 4 rows of top sites, Pocket stories, and highlights
• “Reopen in Container” tab menu option appears for users with Containers that lets them choose to reopen a tab in a different container
• In advance of removing all trust for Symantec-issued certificates in Firefox 63, a preference was added that allows users to distrust certificates issued by Symantec. To use this preference, go to about:config in the address bar and set the preference "security.pki.distrust_ca_policy" to 2.
• Added FreeBSD support for WebAuthn
• Improved graphics rendering for Windows users without accelerated hardware using Parallel-Off-Main-Thread Painting
• Support for CSS Shapes, allowing for richer web page layouts. This goes hand in hand with a brand new Shape Path Editor in the CSS inspector.
• CSS Variable Fonts (OpenType Font Variations) support, which makes it possible to create beautiful typography with a single font file
• Updates for enterprise environments:
  
  • AutoConfig is sandboxed to the documented API by default. You
    can disable the sandbox by setting the preference
    general.config.sandbox_enabled to false. Our long term plan is to
    remove the ability to turn off the sandboxing. If you need to
    continue to use more complex AutoConfig scripts, you will need to use
    Firefox Extended Support Release (ESR).
• Added Canadian English (en-CA) locale

Changed

• Removed the description field for bookmarks. Users who have stored descriptions using the field may wish to export these descriptions as html or json files, as they will be removed in a future release.
• Dark theme is automatically enabled in macOS 10.14 dark mode
• Changed the default setting to Enforce (3) for the security.pki.name_matching_mode preference
• Adobe Flash applets now run in a more secure mode using process sandboxing on macOS. Learn how this may affect features here.
• Users disconnecting from Sync are now offered the option to wipe their Firefox profile data (including bookmarks, passwords, history, cookies, and site data) from their desktop computer
• Changed how WebRTC handles screen sharing: When screen-sharing a window, the window will be brought to front

Update:  To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

References

• Common questions after updating Firefox
• Security Updates
• Mozilla Firefox Release Notes
• Rapid Release Calendar

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...