Mozilla Firefox Version 70.0.1 Released

Mozilla sent Firefox Version 70.0.1 to the release channel today.  The update included several bug fixes, including one that resulted in some sites failing to load.

As of the time of this posting there was no indication of an update for Firefox ESR.

Fixed

• Fix for an issue that caused some websites or page elements using dynamic JavaScript to fail to load. (Bug 1592136)
  
• Update OpenH264 video plugin for macOS 10.15 users (Bug 1587543)
  
• Title bar no longer shows in full screen view (Bug 1588747)
  

Changed

• OpenH264 video codec version bump for macOS 10.15 users (Bug 1587543)

Update:  To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

References

• Common questions after updating Firefox
• Security Updates
• Release Notes
• Rapid Release Calendar

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Pale Moon Version 28.7.2 Released with Security Updates

Pale Moon has been updated to version 28.7.2.  This is a security and bugfix update.

From the Release Notes:

Changes/fixes:

• Disabled the use of ICC color profiles for images on Linux by default.
• Updated timezone data for internationalization functions.
• Fixed the option to use hardware acceleration over RDP for Windows 8.1 and 10.
• Fixed an issue with inner window navigation potentially leaking.
• Fixed a startup crash caused by Qihoo 360 Safeguard/360 Total Security.
• Ported some expat parser fixes from upstream.
• Ported several NSS upstream fixes to our build.
  
• Aligned handling of U+0000 in the html5 parser with expectations.
• Added size checks to WebGL data buffering.
• Fixed build issues with newer glibc versions.
• Fixed build issues for ARM targets.
• Worked around a gcc9 compiler issue that would prevent building with it.
• Sec bug fixes: CVE-2019-15903, CVE-2019-11757, CVE-2019-11763 and several potentially exploitable crashes and memory safety hazards that don't have a CVE number.
• Unified XUL Platform Mozilla Security Patch Summary: 6 fixed, 6 DiD, 1 rejected, 24 not applicable.

Update:  To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Click About Pale Moon and  Check for Updates.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Windows 10 Version 1903 Cumulative Update Released

Microsoft released cumulative update KB 4522355 with non-security improvements and fixes for Windows 10 Version 1903 today.  The update includes a long list of non-security quality improvements.  There are currently no known issues with the update. 

The highlights listed are as follows:

• Updates an issue that prevents Microsoft Narrator from working in certain touch mode scenarios.
• Updates an issue that starts assistive technology (AT) (such as Microsoft Narrator, Magnifier, or NVDA) after signing in when you've configured it to start before signing in. 
• Updates an issue that causes Magnifier to stop working in certain scenarios, and you have to restart it manually. 
• Updates an issue that causes Microsoft Narrator to stop working in the middle of a session in certain scenarios. 
• Updates an issue that might prevent a scroll bar from being selected. 
• Updates an issue that allows a device to go to Sleep (S3) even if you configure the device to never sleep. 
• Updates an issue that prevents you from shrinking a window in some cases.
• Updates an issue that prevents you from connecting to a virtual private network (VPN).
• Updates an issue that causes screen flickering or is slow to display the screen when you show application thumbnails on a monitor that has high dots per inch (DPI).
• Updates an issue that causes the tile for the Photos app to appear larger than expected in the Start menu under certain conditions. 
• Updates an issue that causes the system to stop responding at the sign-in screen.
• Updates an issue that might cause a black screen to appear the first time you sign in after installing a feature or quality update.
• Updates an issue that causes the Start menu, the Cortana Search bar, Tray icons, or Microsoft Edge to stop responding in certain scenarios after installing a monthly update.

To download and install the update, go to Settings -> Update and Security ->  Windows Update and select Check for updates.  The standalone package for this update is available in the Microsoft Update Catalog.  In addition, with Windows Update, the latest SSU (KB4525419) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the Microsoft Update Catalog.

Windows 10 update history

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Mozilla Firefox Version 70.0 Released with Security Updates

Mozilla sent Firefox Version 70.0 to the release channel today.  The update included thirteen (13) security updates of which one (1) is critical, three (3) are high, eight (8) moderate and one (1) are rated low.

With the release of Version 70.0, the Enhanced Tracking Protection added in Version 69.0 is on by default on all platforms.  Information about the feature is available in the Mozilla blog post, Latest Firefox Brings Privacy Protections Front and Center Letting You Track the Trackers. 

Also released was Firefox ESR Version 68.2.

Critical

• # CVE-2019-11764: Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2

High

• # CVE-2018-6156: Heap buffer overflow in FEC processing in WebRTC
• # CVE-2019-15903: Heap overflow in expat library in XML_GetCurrentLineNumber
• # CVE-2019-11757: Use-after-free when creating index updates in IndexedDB

Moderate

• # CVE-2019-11759: Stack buffer overflow in HKDF output
• # CVE-2019-11760: Stack buffer overflow in WebRTC networking
• # CVE-2019-11761: Unintended access to a privileged JSONView object
• # CVE-2019-11762: document.domain-based origin isolation has same-origin-property violation
• # CVE-2019-11763: Incorrect HTML parsing results in XSS bypass technique
• # CVE-2019-11765: Incorrect permissions could be granted to a website
• # CVE-2019-17000: CSP bypass using object tag with data: URI
• # CVE-2019-17001: CSP bypass using object tag when script-src 'none' is specified

Low

• # CVE-2019-17002: upgrade-insecure-requests was not being honored for links dragged and dropped

New

• More privacy protections from Enhanced Tracking Protection:
  
  • Social tracking protection, which blocks cross-site tracking cookies from sites like Facebook, Twitter, and LinkedIn, is now a standard feature of Enhanced Tracking Protection.
  • The Privacy Protections report shows an overview, with details, of the trackers Firefox has blocked. It provides consolidated reports from Monitor and Lockwise.
• More security protections from Firefox Lockwise, our digital identity and password management tool:
  
  • Lockwise for desktop lets you create, update, and delete your logins and passwords to sync across all your devices, including the Lockwise mobile apps and Firefox mobile browsers
.
  • Integrated breach alerts from Firefox Monitor, to alert you when saved logins and passwords are compromised in online data breaches.
  • Complex password generation, to help you create and save strong passwords for new online accounts.
• Improvements to core engine components, for better browsing on more sites
  
  • A faster Javascript Baseline Interpreter to handle the modern web’s
    large codebases and improve page load performance by as much as 8
    percent.
  • WebRender rolled out to more Firefox for Windows users, now available by default on Windows desktops with integrated Intel graphics cards and resolution of 1920x1200 or less) for improved graphics rendering.
  • Compositor improvements in Firefox for macOS that reduce power
    consumption, speed up page load by as much as 22 percent, and reduce
    resource use for video by up to 37 percent.
• More browser features to help you get the most out of Firefox products and services
  
  • A stand-alone Firefox account menu for easy access to Firefox services like Monitor and Send.
  • A message panel accessed from the gift icon in the toolbar that offers a quick overview of new releases and key features.
  • When a website uses your geolocation, an indicator is shown in the
    address bar.

Changed

• Built-in Firefox pages now follow the system dark mode preference
  
• Aliased theme properties have been removed, which may affect some themes
  
• Passwords can now be imported from Chrome on macOS in addition to existing support for Windows
  
• Readability is now greatly improved on under- or overlined texts, including links. The lines will now be interrupted instead of crossing over a glyph.
  

Update:  To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

References

• Common questions after updating Firefox
• Security Updates
• Release Notes
• Rapid Release Calendar

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Adobe Acrobat DC and Reader DC Out-of-Band Update Released

Adobe has released an out-of-band update for Adobe Acrobat and Reader Adobe which contains stability and services load optimization fixes, updating the latest release to updated to version 2019.021.20048.

Release date:  October 17, 2019
Vulnerability identifier: None
Platform: Windows and MacOS

The Release Notes for Adobe Acrobat and Reader have been updated with the following notice:

"Note : A follow up update (19.021.20048) is available which fixes critical issues in this update. Adobe recommends that you directly pick the next update - 19.021.20048."

Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

References

• PSIRT
• Release Notes
• Security Bulletin
• System Requirements

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Oracle Java Critical Security Updates Released

Oracle released the scheduled critical security updates for its Java SE Runtime Environment software.  This Critical Patch Update contains 20 new security patches for Oracle Java SE.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

Update

If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

Download Information

Java SE 13

• Release Notes: https://www.oracle.com/technetwork/java/javase/documentation/13u-relnotes-5461742.html
• Download: https://www.oracle.com/technetwork/java/javase/downloads/index.html#JDK13

Java SE 11

• Release Notes: https://www.oracle.com/technetwork/java/javase/documentation/11u-relnotes-5093844.html
• Download: https://www.oracle.com/technetwork/java/javase/downloads/index.html#JDK11

Java SE 8

• Release Notes: https://www.oracle.com/technetwork/java/javase/8u-relnotes-2225394.html
• Download: https://www.oracle.com/technetwork/java/javase/downloads/index.html#JDK8

Notes:

• UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.  Preferably, see the instructions below on how to handle "Unwanted Extras".  
• Oracle does not plan to migrate desktops from Java 8 to Java 9 through the auto update feature.  Therefore, it is strongly recommended that you uninstall JRE 8 prior to updating.
• Verify your version:  http://www.java.com/en/download/testjava.jsp.   Note:  The Java version verification page will only work if your browser has NPAPI support.  In that case, to check the version, open a cmd window and enter the following (note the space following Java):  java -version

Critical Patch Updates

For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:

• 14 January 2020
• 14 April 2020
• 14 July 2020
• 20 October 2020

Unwanted "Extras"

Although most people do not need Java on their computer, there are some programs and games that require Java.  In the event you need to continue using Java, How-to Geek discovered a little-known and  unpublicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates.  Although the Ask Toolbar has been removed, tha does not preclude the pre-checked option for some other unnecessary add-on.

Do the following to suppress the sponsor offers:

1. Launch the Windows Start menu
2. Click on Programs
3. Find the Java program listing
4. Click Configure Java to launch the Java Control Panel
5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.

Java Security Recommendations

1)  In the Java Control Panel, at minimum, set the security to high.
2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

3)  Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml

References

• Java, The Never-Ending Saga  
• Critical Patch Updates and Security Alerts
• Oracle Java SE Risk Matrix 
• Oracle Quality Assurance Blog 

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Microsoft Cumulative Updates for Windows 10, Windows 8.1 and Windows 7 Released

Microsoft released cumulative updates with non-security improvements and fixes for Windows 10 Versions 1809, 1803 and 1709 today.  In addition, cumulative updates were also released for Windows 8.1 and Windows 7:

Windows 10 Version 1809, KB4520062:

• Prevents blank tiles from appearing in the Start menu when you upgrade to Windows 10, version 1809 from any previous version of Windows 10.  However, if you have already upgraded to Windows 10, version 1809, installing this update will not remove existing blank tiles. 
• Updates an issue that causes the power consumption for a device in Connected Standby mode to be high.
• Updates an issue that might display a black screen at startup during the first sign in after installing an update. 
• Updates an issue with Bluetooth that occurs when using certain audio profiles for extended periods.
• Updates an issue that prevents users from opening the print dialog in Internet Explorer to print a webpage. 
• Updates an issue that causes the Settings app to stop working when you change a Theme. 
• Updates an issue that might prevent a scroll bar from being selected in Internet Explorer. 

Windows 10 Version 1803, KB4519978:

• Updates an issue that might display a black screen at startup during the first sign in after installing an update. 
• Updates an issue with Bluetooth when using certain audio profiles for extended periods.
• Updates an issue that causes a system to stop working during the Windows upgrade process.
• Updates an issue that may prevent a scroll bar from being selected in Internet Explorer. 

 Windows 10 Version 1709, KB4520006:

• Updates an issue that causes a system to stop working during the Windows upgrade process.

Windows 8.1:  KB4520012
Windows 7:  KB4519972 


To download and install the update, go to Settings -> Update and Security ->  Windows Update and select Check for updates. 

Windows Update History:

• Windows 10
• Windows 8.1
• Windows 7

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Adobe Acrobat DC and Reader DC Security Updates Released

Adobe has released security updates for Adobe Acrobat and Reader addressing a long list of CVE's for Windows and macOS. Particularly due to 45 of the vulnerabilities being rated critical for Reader, it is advised that the update be applied as soon a possible.  The update additionally includes bug fixes. 

Release date:  October 15, 2019
Vulnerability identifier: APSB19-49
Platform: Windows and MacOS

Update or Complete Download

Reader DC and Acrobat DC were updated to version 2019.02.2.20047. 

 Update checks can be manually activated by choosing Help/Check for Updates. 

• Reader DC and other versions are available here:  https://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
  
• Acrobat DC for Windows is available here:  http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows

Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

References

• PSIRT
• Release Notes
• Security Bulletin
• System Requirements

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Mozilla Firefox Version 69.0.3 Released

Mozilla sent Firefox Version 69.0.3 to the release channel today.  The update fixed two bugs.  No update has been posted for Firefox ESR.

Fixed

• Fixed download errors for Windows 10 users with Parental Controls enabled (bug 1586228)
• Fixed Yahoo mail users being prompted to download files when clicking on emails (bug 1582848)

Update:  To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

References

• Common questions after updating Firefox
• Security Updates
• Release Notes
• Rapid Release Calendar

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Adobe Flash Player Update

Although not released prior to the Microsoft Security updates, Adobe later released Version 32.0.0.270 of Adobe Flash Player for Windows, macOS, Linux and Chrome OS. The update contains assorted functional fixes.

Release date:  October 9, 2019
Vulnerability identifier: None
Platform:  Windows, Macintosh, Linux and Chrome OS

Update:

• With the option to 'Allow Adobe to install updates', the update will be automatic. Without that setting enabled, either install the update via the update mechanism when prompted or via the Download Center*.
• Windows 7 and earlier:  Installation links for Windows 7 and earlier are provided by Adobe at Installation problems | Flash Player | Windows 7 and earlier: 
• Flash Player for Internet Explorer - ActiveX 
• Flash Player for Firefox/Pale Moon - NPAPI
• Flash Player for Opera and Chromium-based browsers - PPAPI
• Uninstaller (if needed) : http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe 
• Microsoft Edge and Internet Explorer 11:  Security updates for Adobe Flash Player are automatically updated to the latest version for Windows 8.1 and 10 via Windows Update.
• Google Chrome:  Adobe Flash Player will be automatically updated to the latest Google Chrome version.
• Flash Player Uninstaller:  http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe
• Adobe AIR:  Adobe - Adobe AIR

*Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings/Applications/Manage Applications/Adobe Flash Player x.x.

References

• Adobe Priority Ratings
• AIR Download Center 
• Installing and Updating Flash Player - FAQ
• Release Notes
• Security Bulletin
• PSIRT

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Microsoft October 2019 Security Updates

The Microsoft October security updates have been released and consist of  59 CVEs. Of these 59 CVEs, 9 are rated Critical, 49 are rated Important and 1 is rated Moderate in severity. Two are listed as publicly known and two others are listed as under active attack at the time of release.

The updates address Spoofing, Remote Code Execution, Information Disclosure, Tampering and Denial of Service. They apply to the following:  Microsoft Windows, Internet Explorer, Edge (EdgeHTML-based), ChakraCore, Microsoft Office and Microsoft Office Services and Web Apps, SQL Server Management Studio, Microsoft Dynamics 365, Windows Update Assistant and Open Source Software.

Note:  Adobe has not issued a Flash Player update.

Known Issues:  See the Known Issues and accompanying work-around in the KB Articles:

KB Article	Applies To
4519338	Windows 10, version 1809, Windows Server 2019
4519974	Internet Explorer
4519976	Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup)
4519985	Windows Server 2012 (Security-only update)
4519990	Windows 8.1, Windows Server 2012 R2 (Security-only update)
4519998	Windows 10, version 1607, Windows Server 2016
4520004	Windows 10, version 1709
4520005	Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)
4520007	Windows Server 2012 (Monthly Rollup)
4520008	Windows 10, version 1803, Windows Server version 1803
4520010	Windows 10, version 1703
4520011	Windows 10

Recommended Reading:  

See Dustin Childs review and analysis in Zero Day Initiative — The October 2019 Security Update Review.

For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

Additional Update Notes:

• Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
• MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.  Note:  Users who are paranoid about the remote possibility of a FP can opt to run this tool from a Command Prompt, appending a   /N   parameter [for "detect only" mode].
• Servicing Stack Updates -- A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update. Learn more about SSU's in Servicing Stack Updates (SSU)
• Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are also available via the Microsoft Update Catalog.
• For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
• Windows Update History:
  • Windows 10
  • Windows 8.1
  • Windows 7

References

• Security Update FAQ
• Security Updates Guide

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Microsoft Out-of-Band Security Update Released

Microsoft has released an Out-of-Band security update addressing CVE-2019-1367.  This CVE addresses a scripting engine memory corruption vulnerability.  An update is available for each of Windows 10 versions 1903 through version 1607, Windows 8.1 and Windows 7. 

The following important notice is provided for each version of Windows 10 and a similar notice for Windows 8.1 and Windows 7:

"IMPORTANT This is a required security update that expands the out-of-band update dated September 23, 2019. This security update includes the Internet Explorer scripting engine security vulnerability (CVE-2019-1367) mitigation and corrects a recent printing issue some users have experienced. Customers using Windows Update or Windows Server Update Services (WSUS) will be offered this update automatically. To help secure your devices, we recommend that you install this update as soon as a possible and restart your PC to fully apply the mitigations. Like all cumulative updates, this update supersedes any preceding update.

Note This update does not replace the upcoming October 2019 monthly update, which is scheduled to release on October 8, 2019."

Updates provided for the latest Windows 10 version 1903 through version 1607:

• Windows 10, Version 1903:  https://support.microsoft.com/en-us/help/4524147
• Windows 10, Version 1809:  https://support.microsoft.com/en-us/help/4524148
• Windows 10, Version 1803:  https://support.microsoft.com/en-us/help/4524149
• Windows 10, Version 1709:  https://support.microsoft.com/en-us/help/4524150
• Windows 10, Version 1703:  https://support.microsoft.com/en-us/help/4524151
• Windows 10, Version 1607:  https://support.microsoft.com/en-us/help/4524152
• Windows 8.1:  https://support.microsoft.com/en-us/help/4524156
• Windows 7:  https://support.microsoft.com/en-gb/help/4524157

Information about the updates is available from the Windows Update History:

• Windows 10
• Windows 8.1
• Windows 7

References

• Security Update FAQ
• Security Updates Guide

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Mozilla Firefox Version 69.0.2 Released With Bug Fixes

Mozilla sent Firefox Version 69.0.2 to the release channel today.  The update fixed several bugs.  No update has been posted for Firefox ESR.

Fixed

• Fixed a crash when editing files on Office 365 websites (bug 1579858)
  
• Fixed detection of the Windows 10 Parental Controls feature being enabled (bug 1584613)
  
• Fixed a Linux-only crash when changing the playback speed while watching YouTube videos (bug 1582222)
  

Update:  To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

References

• Common questions after updating Firefox
• Security Updates
• Release Notes
• Rapid Release Calendar

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...