Friday, July 26, 2019

Windows 10 Cumulative Updates



Microsoft released cumulative updates with non-security improvements and fixes for Windows 10 Version 1903 today. In addition, updates were recently released for Versions 1809, 1803, 1709, 1703 and 1607.

In addition, a servicing stack update (SSU), KB4512937, has been released for Windows 10 Version 1809 and will be offered to you automatically with Windows Update. To get the standalone package for the latest SSU, search for it in the Microsoft Update Catalog.

To view the improvements and features as well as known issues with accompanying workarounds, see the following KB articles for your version of Windows 10:

To download and install the update, go to Settings > Update & Security > Windows Update and select Check for updates.


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Thursday, July 25, 2019

Pale Moon Version 28.6.1 Released with Security Updates


Pale Moon has been updated to version 28.6.1.  This is a security and bugfix update.

From the Release Notes:

Changes/fixes:

  • Improved handling of FTP resource loading (allow save-as and cater to some FTP-based browsing).
  • Added a preference (security.block_ftp_subresources) to allow users to completely bypass the blocking of FTP subresources if required for their environment, if the improvements made in this release do not suffice.
  • Added blocking of authentication-locked cross-origin image subresources by default to prevent spurious auth prompts.
    A preference (network.auth.subresource-http-img-XO-auth) was added to allow users to bypass this blocking if required for their environment.
  • Changed the behavior of file: URIs to treat each URI as a unique origin. This prevents cross-file access from scripting.
    A preference (security.fileuri.unique_origin) was added to allow users to relax this restriction if required for their environment.
  • Implemented a revised version of http2PushedStream to address some thread safety issues.
  • Aligned browser behavior with mainstream regarding inner window behavior when domain is manipulated.
  • Backed out a 28.5.* patch for causing multiple issues in the UI and web content.
  • Updated NSS to 3.41.2 (custom) to pick up several upstream fixes.
  • Fixed a type confusion issue in JavaScript Arrays. (DiD)
  • Added a fix for cross-thread access of Necko. (DiD)
  • Added a port safety check for Alternative Services.
  • Implemented fixes for applicable security issues: CVE-2019-11719, CVE-2019-11711, CVE-2019-11715, CVE-2019-11717, CVE-2019-11714 (DiD), CVE-2019-11729 (DiD), CVE-2019-11727 (DiD), CVE-2019-11730 (DiD), CVE-2019-11713 (DiD) and several networking and memory-safety hazards that do not have CVE numbers.
DiD: This means that the fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

Update

To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window. Click About Pale Moon and Check for Updates.







Thursday, July 18, 2019

Firefox Version 68.0.1 Released


Mozilla sent Firefox Version 68.0.1 to the release channel today. As of the last check, no update is available for ESR.

New

  • macOS releases are now signed by the Apple notary service, allowing Firefox to properly run on macOS 10.15 Beta releases

Fixed

  • Fixed missing Full Screen button when watching videos in full screen mode on HBO GO (bug 1562837)
  • Fixed a bug causing incorrect messages to appear for some locales when sites try to request the use of the Storage Access API (bug 1558503)
  • Users in Russian regions may have their default search engine changed (bug 1565315)
  • Built-in search engines in some locales do not function correctly (bug 1565779)
Update:  To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


Wednesday, July 17, 2019

Oracle Java SE Critical Security Update Released


Oracle released the scheduled critical security updates for its Java SE Runtime Environment software.  This Critical Patch Update contains 10 new security fixes for Oracle Java SE.  Nine (9) of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here. The update also includes numerous Bug Fixes.

Update

If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

Download Information

Java SE 8u221
Java SE 12.0.2 Development Kit (64-bit only)
Notes:
  • UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.  Preferably, see the instructions below on how to handle "Unwanted Extras".  
  • Oracle does not plan to migrate desktops from Java 8 to Java 9 through the auto update feature.  Therefore, it is strongly recommended that you uninstall JRE 8 prior to updating.
  • Verify your version: http://www.java.com/en/download/testjava.jsp. Note: The Java version verification page will only work if your browser has NPAPI support. If your browser lacks NPAPI support, check the version by opening a cmd window and entering the following (note the space following java): java -version

Critical Patch Updates

For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
  • 15 October 2019
  • 14 January 2020
  • 14 April 2020
  • 14 July 2020

Unwanted "Extras"

Although most people do not need Java on their computer, there are some programs and games that require Java. In the event you need to continue using Java, How-to Geek discovered a little-known and unpublicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates. Although the Ask Toolbar has been removed, that does not preclude the pre-checked option for some other unnecessary add-on.

Do the following to suppress the sponsor offers:
  1. Launch the Windows Start menu
  2. Click on Programs
  3. Find the Java program listing
  4. Click Configure Java to launch the Java Control Panel
  5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
  6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.

Java Security Recommendations

1)  In the Java Control Panel, at minimum, set the security to high.
2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.
3)  Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml





Tuesday, July 09, 2019

Microsoft July 2019 Security Updates



The July security updates have been released and consist of 78 CVEs and 2 advisories. Of these 78 CVEs, 15 are rated Critical, 62 are rated Important, and one is rated Moderate in severity. Six are listed as publicly known, and two are listed as under active attack at the time of release.

The updates address Spoofing, Elevation of Privilege, Remote Code Execution, Denial of Service,  Information Disclosure and Security Feature Bypass. They apply to the following:  Adobe Flash Player, Microsoft Windows, Internet Explorer, Microsoft Edge, Microsoft Office and Microsoft Office Services and Web Apps, Azure DevOps, Open Source Software, .NET Framework, Azure, SQL Server, ASP.NET, Visual Studio and Microsoft Exchange Server.

Known Issues:  See the Known Issues and accompanying work-around in the KB Articles:

KB Article Applies To
4493730 Servicing stack update for Windows Server 2008 SP2
4507434 Internet Explorer 11
4507435 Windows 10, version 1803
4507448 Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)
4507449 Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup)
4507450 Windows 10, version 1703
4507453 Windows 10, version 1903, Windows Server version 1903
4507455 Windows 10, version 1709
4507457 Windows 8.1, Windows Server 2012 R2 (Security-only update)
4507458 Windows 10
4507460 Windows 10 1607 and Windows Server 2016
4507462 Windows Server 2012 (Monthly Rollup)
4507464 Windows Server 2012 (Security-only update)
4507469 Windows 10, version 1809, Windows Server 2019

Recommended Reading:  

See Dustin Childs' review and analysis in Zero Day Initiative — The July 2019 Security Update Review.

For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

Additional Update Notes:

  • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
  • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. Note: Users who are concerned about the remote possibility of a false positive (FP) can opt to run this tool from a Command Prompt, appending the /N parameter (for "detect only" mode).
  • Servicing Stack Updates -- A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update. 
  • Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are also available via the Microsoft Update Catalog.
  • For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
  • Windows Update History:






Mozilla Firefox Version 68.0 Released With Security Updates


Mozilla sent Firefox Version 68.0 to the release channel today. The update included twenty-one (21) security updates of which two (2) are critical, four (4) are high, ten (10) moderate and five (5) are rated low.

Correction:   Firefox ESR 60.8.0 has been released and the Extended Support Release version upgrade to 68.0 ESR is now available.

Critical

High

Moderate

Low

New

  • Dark mode in reader view expands so that windows are also dark on the controls, sidebars and toolbars.
  • Improved extension security and discovery:
    • New reporting feature in about:addons allows you to report security and performance issues with extensions and themes.
    • Redesigned extensions dashboard in about:addons provides easy access to information about your extensions, including data and settings access required by each extension.
    • Find high quality, secure extensions via the Recommended Extensions program in about:addons, which now displays user count and ratings for each extension. "Recommended" badges for these extensions also appear on AMO. More extensions will be added over time.
  • Cryptomining and fingerprinting protections are added to strict content blocking settings in Privacy & Security preferences.
  • WebRender will roll out to Windows 10 users with AMD graphics cards.
  • Windows Background Intelligent Transfer Service (BITS) update download support, which allows Firefox update downloads to continue when Firefox is closed.

Fixed

  • Local files can no longer access other files in the same directory.

Changed

  • Unified existing locales (bn-BD, bn-IN) under a single Bengali (bn) localization.
  • The following unmaintained translations have been removed: Assamese (as), English - South Africa (en-ZA), Maithili (mai), Malayalam (ml), Odia (or). Existing users will be migrated to the British English (en-GB) version.
  • When an HTTPS error caused by antivirus software is detected, Firefox will attempt to automatically fix it
  • Camera and microphone access now require an HTTPS connection.
  • The way non-default preferences are synced has changed. Please see this support article for more details

Update:  To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


Adobe Flash Player Update Released



Adobe has released Version 32.0.0.223 of Adobe Flash Player for Windows, macOS, Linux and Chrome OS. The update addresses bug fixes described in the Release Notes as "Assorted functional fixes". 

Release date:  July 9, 2019
Vulnerability identifier: None
Platform:  Windows, Macintosh, Linux and Chrome OS

Update:

*Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

    Verify Installation

    To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

    Do this for each browser installed on your computer.

    To verify the version of Adobe Flash Player for Android, go to Settings/Applications/Manage Applications/Adobe Flash Player x.x.










    Thursday, July 04, 2019

    Out-of-Band Pale Moon Update to Version 28.6.0.1


    Pale Moon has been updated to version 28.6.0.1. This is an out-of-band update to fix some pressing issues with the latest release.  Linux versions will follow when the Linux builders have had time to make fresh builds.

    From the Release Notes:

    Changes/fixes:

    • Updated the application icon to provide better visuals on Windows classic and other grey backgrounds.
    • Reduced the Master Password hashing rounds to prevent issues with stored password retrieval while still sufficiently strengthening the encryption.
      If you have previously re-keyed the database after the update to 28.6.0, you should do so again by going through the change master password process to reduce access times.
    • Updated the WhatsApp Web site-specific user-agent override to respond to Google refusing access based on the old string.
    • Updated the branding for the portable launcher.

    Update

    To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Click About Pale Moon and  Check for Updates.







    Tuesday, July 02, 2019

    Pale Moon Version 28.6.0 Released


    Pale Moon has been updated to version 28.6.0.  This is a major development update, focusing on under-the-hood improvements and bugfixes, code cleanup, and performance.

    From the Release Notes:

    Changes/fixes:
    • Implemented String.prototype.trimStart and String.prototype.trimEnd (ES2019)
    • Implemented Array.prototype.flat and Array.prototype.flatMap (ES2019)
    • Implemented Symbol.prototype.description (ES2019)
    • Added support for gzip-compressed SVG-in-Opentype fonts.
    • Updated official branding.
    • Updated reader view components.
    • Added a preference to control the setting of cookies through meta header information (non-standard feature) and disabled by default.
    • Updated ES6 Atomics and re-enabled them.
    • Updated internationalization code to support updated time zones and the Japanese Reiwa era.
    • Updated NSS to a custom version to have better encryption strength for master passwords.
      IMPORTANT: To use this strong encryption and re-key the password database with it, change your master password (can be changed to the same one you already had if desired, but you have to go through the change password process). Depending on your computer and the number of stored passwords, this encryption update may take some time, so please be patient. Please be aware that once re-keyed, the password store will be locked to the new encryption and will no longer be accessible with the master password in older versions of Pale Moon.
    • Restored "Release notes" in the help menu.
    • Rearchitectured the application/extension update code.
    • Added several performance improvements to DOM and the parser.
    • Improved JavaScript garbage collection of dead compartments.
    • Fixed a performance issue with painting on some pages.
    • Improved performance of some websites with complex event regions.
    • Fixed a potential performance issue in display lists on some pages.
    • Fixed a rendering bottleneck for the use of XRender when using a remote session.
    • Fixed graphical artifacts/flickering when using XRender on Intel or Intel-hybrid GPU setups.
    • Added a DiD fix for potential future issues with inlining array natives.
    • Fixed a potential UAF situation in the HTML5 parser (DiD)
    • Fixed an origin-clean bypass issue.
    • Changed the way permissions for predefined sites are loaded.
    • Reverted the 28.5.1 change to treat *.jnlp files as executables (CVE-2019-11696) after input from an Oracle representative. Java Web Start files are not executable and should not be treated any different than regular documents handled by external applications.
    • Removed SecurityUI telemetry.
    • Removed some other dead telemetry code.
    • Removed geo-specific selection of default search engines.
    • Deprecated the use of FUEL.
    • Removed the unused code for "enhanced tiles" in the new tab page.
    • Removed preference to brute-force e10s to on.
    • Removed Unboxed Array code.
    • Removed Unboxed Object code.
    • Fixed failure to print if a page contains a 0-sized canvas element.
    • Fixed an issue with tab-modal dialogs being presented in the wrong order.
    • Fixed an issue with the tab bar remaining collapsed in customize mode if normally hidden.
    • Fixed an issue with Sync when choosing to overwrite data with synced data.
    • Fixed an issue with tab previews on the taskbar.
    • Fixed an issue with IntersectionObserver viewport accuracy.
    • Fixed Scroll bar orientation on Mac OS X.
    • Fixed an issue with anchor/link targets not re-using a named target.
    • Fixed a build issue with Gnu-CC on PPC64.
    • Fixed browser.link.open_newwindow functionality.

    Update

    To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Click About Pale Moon and  Check for Updates.







    Monday, July 01, 2019

    Windows Insider MVP! #WIMVP

    So excited and proud to receive the email announcing that I have been re-awarded Windows Insider MVP again. 



    Dear Corrine:

    Congratulations! Thank you for your continued contributions to the Windows community, we are excited to re-award you as a Windows Insider MVP. This award is a token of our appreciation, your leadership and passion help make Windows the best yet. We look forward to our on-going collaboration with you and all of our Windows Insider MVPs as we continue to strengthen the Windows Insider MVP (WI MVP) Program.
