Tuesday, January 29, 2019

Mozilla Firefox Version 65.0 Released with Security Updates


Firefox Mozilla sent Firefox Version 65.0 to the release channel today.  Firefox ESR has been updated to Version 60.5.
The update included seven (7) security updates of which three (3) are critical, three (3) are high, and one (1) is rated low.

Critical

High

Moderate

New

  • Enhanced tracking protection: Simplified content blocking settings give users standard, strict, and custom options to control online trackers. A redesigned content blocking section in the site information panel (viewed by expanding the small “i” icon in the address bar) shows what Firefox detects and blocks on each website you visit. To learn more about content blocking, visit the Mozilla Blog.
  • A better experience for multilingual users: An updated Language section in Preferences allows users to install multiple language packs and order language preferences for Firefox and websites, without having to download locale-specific versions.
  • Support for Handoff on macOS: Continue browsing across devices. Pick up where you left off with iOS (via Firefox or Safari) on Firefox on Mac.
  • A better video streaming experience for Windows users: Firefox now supports the next-generation, royalty-free video compression technology called AV1. Read about Mozilla’s contribution to this new open standard.
  • Improved performance and web compatibility, with support for the WebP image format: WebP brings the same image quality as existing formats at smaller file sizes, which saves bandwidth and speeds up page load.

Changed

  • Enhanced security for macOS, Linux, and Android users via stronger stack smashing protection which is now enabled by default for all platforms. "Stack smashing" is a common security attack in which malicious actors corrupt or take control of a vulnerable program.
  • Firefox will now warn you when closing a window (regardless of whether you have automatic session restore enabled for restart).
  • Easier performance management: The revamped Task Manager page found at about:performance now reports memory usage for tabs and add-ons.
  • Improved the pop-up blocker to prevent multiple pop-up windows from being opened by websites at the same time.

Enterprise

Developer

  • Additional support for Flexbox: Launched a new Flexbox inspector tool that details Flexbox containers and helps debug Flex item sizes.
  • All CSS changes made in the Rules panel are now tracked in the new Changes tab.
  • Added support for the Storage Access API on desktop platforms.
Update:  To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

References

Remember - "A day without laughter is a day wasted." May the wind sing to you and the sun rise in your heart...

Wednesday, January 23, 2019

Pale Moon Version 28.3.1 Released



Pale Moon
Pale Moon has been updated to version 28.3.1.  This is a minor bugfix and stability release. The Linux versions will follow.

From the Release Notes:

If you are using a language pack, please make sure you have the matching version for this browser version installed. Some strings were added for Captive Portal detection (see below) and outdated language packs will cause blank preference pages.

Changes/fixes:
  • Improved toolbar icon display for all DPIs on Windows.
  • Disabled the IntersectionObserver API by default while we work on resolving crashes caused by it.
  • Added isIntersecting to the IntersectionObserver API per specification.
  • Added an option to the preferences window to enable Captive Portal detection (Advanced -> General). If your network connection regularly encounters Captive Portals (e.g. using a laptop on the road or other WiFi connections that require login or agreement to terms) then enabling this detection may make your use of such networks more convenient.
    For those worried about privacy: the detection service makes use of our own infrastructure and does not contact third parties like Apple or Google.
Download:

Update

To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.




Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...



Tuesday, January 22, 2019

Microsoft Cumulative Update Released for Windows 10 Version 1809


Microsoft has released a cumulative update with non-security improvements and fixes for Windows 10 version 1809.  This update includes quality improvements with no new operating system features introduced. 

The update is available from Windows Update or the Microsoft Update Catalog.  See KB4476976 improvements and fixes.

Note:

Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU.  If you are using Windows Update, the latest SSU (KB4470788) will be offered to you automatically. To get the stand-alone package for the latest SSU, go to the Microsoft Update Catalog.

Home
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Wednesday, January 16, 2019

Java Critical Security Updates Released

java

Oracle released the scheduled critical security updates for its Java SE Runtime Environment software.  This Critical Patch Update contains 5 new security fixes for Oracle Java SE, all of which may be remotely exploitable without authentication.

Update

If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

Download Information

Java SE 8u201 or 8u202
Java SE 11.0.2  (x64-bit only) 

Note:  JDK only.

Notes:
  • UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.  Preferably, see the instructions below on how to handle "Unwanted Extras".  
  • Oracle does not plan to migrate desktops from Java 8 to Java 9 through the auto update feature.  Therefore, it is strongly recommended that you uninstall JRE 8 prior to updating.
  • Verify your versionhttp://www.java.com/en/download/testjava.jsp.   Note:  The Java version verification page will only work if your browser has NPAPI support.  In that case, to check the version, open a cmd window and enter the following (note the space following Java):  java -version

Critical Patch Updates

For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
  • 16 April 2019
  • 16 July 2019
  • 15 October 2019
  • 14 January 2020

Unwanted "Extras"

Although most people do not need Java on their computer, there are some programs and games that require Java.  In the event you need to continue using Java, How-to Geek discovered a little-known and  unpublicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates.  Although the Ask Toolbar has been removed, tha does not preclude the pre-checked option for some other unnecessary add-on.

Do the following to suppress the sponsor offers:
  1. Launch the Windows Start menu
  2. Click on Programs
  3. Find the Java program listing
  4. Click Configure Java to launch the Java Control Panel
  5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
  6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.
Java suppress sponsor offers

Java Security Recommendations

1)  In the Java Control Panel, at minimum, set the security to high.
2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.
3)  Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml

References




Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...




Tuesday, January 15, 2019

Pale Moon Version 28.3.0 Released


Pale Moon
Pale Moon has been updated to version 28.3.0.  This is a major development and bugfix release.

The release includes DiD ("Defense-in-Depth") changes.  This means that a fix does not apply to a (potentially)actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

The Linux versions will follow.

From the Release Notes:

Changes/fixes:

  • Added AV1 support for MP4/MSE videos. Please note that this is a reference library implementation and the upstream decoding lib currently has poor performance for higher resolutions (720p+). This is disabled by default; use the about:config preference media.av1.enabled to enable this codec.
  • Changed the API used for video playback with FFmpeg 58+. This should solve performance issues with VPx.
  • Redesigned the main toolbar icons as SVG images to make them HiDPI compliant.
  • Fixed the sync notification (infobar) icon.
  • Fixed a potential cycle collector resource leak.
  • Added icons and controls to tabs to indicate if sound is playing the tab and if so, allowing the user to mute it with a click.
    This is a native implementation of the API in use in Basilisk and performs the same function as the "expose noisy tabs" extension, although the extension may still be preferred by some for e.g. skinning capabilities. The feature may be disabled with browser.tabs.showAudioPlayingIcon.
  • Removed support for VR hardware.
  • Fixed out-of-bounds sizes for CSS calculation strings.
  • Removed the DirectShow component since it is no longer necessary.
  • Removed Firefox Accounts integration, phase 1:
    • Changed the Sync client to the one from Tycho.
    • Made Sync optional at build time.
  • Stopped trying to cater to addons.mozilla.org since they no longer offer anything useful to Pale Moon after the Great XUL Extension Purge™.
  • Added an option to process favicons for optimal sized display and removing animations. Enable this with browser.chrome.favicons.process
  • Fixed an incorrect preference reference in feed reader.
  • Fixed an issue with lazy frame construction on display:contents elements. This should solve e.g. the use of mathjax in comments on stackoverflow.
  • Media code improvements and cleanup (ongoing).
  • Updated the DropBox useragent override to solve login issues.
  • Fixed potential crashes due to shutdown observers in VTT and font lists. DiD
  • Enabled some mistakingly-disabled optimizations in the JS JIT compiler.
  • Fixed several potential crashes in JS. DiD
  • Fixed several potential crashes in WebCrypto. DiD
  • Fixed a potential crash in JS Range Analysis. DiD
  • Fixed a potential crash in the layout engine due to combo boxes. DiD
  • Fixed a potential shutdown crash in non-standard environments related to 2D Canvas. DiD
  • Fixed a potential overflow in the PNG writer. DiD
  • Fixed a potential double-free in the MAR signing utility. DiD
  • Fixed an issue where URLs could be extracted cross-origin (CVE-2018-18494).
  • Updated NSPR to v4.20.
  • Updated NSS to 3.41, providing (among other things) full compatibility with the final version of TLS 1.3 on websites.
  • Updated location.protocol to the latest spec.
  • Updated Intersection Observers to the latest spec and enabled them by default.
  • Updated the SQLite lib to 3.26.0.
  • Fixed errors about the login manager's recipeManager not being available (yet).
  • Switched status bar download arrow to SVG.
  • Fixed a crash in IntersectionObservers.
  • Fixed initialization of the Search service from browser code to avoid synchronous init.
  • Added logging of performance warnings to devtools consoles.
  • Fixed favicons in taskbar tab preview listings.
  • Blocked Comodo IS dll < version 6.3 to prevent startup crashes.
  • Fixed issues in the HTML form submit observer module.
  • Limited resolving depth of CSS variables to a sane maximum (fixes cras.sh issue).
  • Removed Mozilla's proprietary constructor on WebAudio's AudioContext, aligning it with the standard specification.
  • Exposed the previously hidden preference in about:config for page thumbnail generation (some people prefer this for local privacy).
  • Aligned Element.ScrollIntoView with the DOM specification. This improves, among other things, compatibility with the React framework.

Download:

Update

To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.




Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...



Wednesday, January 09, 2019

Mozilla Firefox Version 64.0.2 Released


Firefox Mozilla sent Firefox Version 64.0.2 to the release channel today.  Firefox ESR remains at Version 60.4.

Fixed

  • Fixed a browser crash on MacOS (bug 1510058)
  • Updated the Japanese translation for missing strings (bug 1513259)
  • Properly restore column sizes in developer tools inspector (bug 1503175)
  • Fixed video stuttering on Youtube (bug 1513511)
  • Fix updates for some lightweight themes (bug 1508777)
Update:  To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

References




Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...




Tuesday, January 08, 2019

Microsoft January Security Updates Released



The January security updates have been released and consist of 49 security patches and two advisories in which 7 are listed as Critical , 40 are rated Important and 2 are listed as Moderate in severity. One is listed as publicly known at the time of release but none are reported as being actively exploited.

The updates address Remote Code Execution, Information Disclosure, Elevation of Privilege, Denial of Service and Spoofing and apply to the following: Internet Explorer (IE), Edge, ChakraCore, Microsoft Windows, Office and Microsoft Office Services and Web Apps, Visual Studio, and the .NET Framework.

Recommended Reading: 

Note:  See Dustin Childs review and analysis in
Zero Day Initiative — The January 2019 Security Update Review.
 
More:  For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

Additional Update Notes

  • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
  • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.  Note:  Users who are paranoid about the remote possibility of a FP can opt to run this tool from a Command Prompt, appending a   /N   parameter [for "detect only" mode].
  • Servicing Stack Updates -- A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.  

References


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...





Adobe Flash Player Updates Released


Adobe Flashplayer

Adobe has released Version 32.0.0.114 of Adobe Flash Player and AIR for Windows, macOS, Linux and Chrome OS. These updates address feature and performance bugs, and do not include security fixes. 

Release date:  January 8, 2019
Vulnerability identifier: APSB19-01
Platform:  Windows, Macintosh, Linux and Chrome OS

Fixed Issues

  • Flash Player:  Flash Memory usage increased with latest version leading to application performance issues (FP-4198948)

Update:

*Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

    Verify Installation

    To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

    Do this for each browser installed on your computer.

    To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

    References



    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...









    Thursday, January 03, 2019

    Adobe Acrobat DC and Reader DC Security Updates Released

    Adobe

    Adobe has released security updates for Adobe Acrobat and Reader for Windows and MacOS to address critical  vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.  

    Release date:  January 3, 2019
    Vulnerability identifier: APSB19-02
    Platform: Windows and MacOS

    Update or Complete Download

    Reader DC and Acrobat DC were updated to version 2019.010.20069. Update checks can be manually activated by choosing Help & Check for Updates. 
    Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.


    References





    Home
    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...