Tuesday, December 31, 2019
Tuesday, December 10, 2019
Microsoft December 2019 Security Updates Released
The Microsoft December security updates have been released and consist of 36 CVEs. Of these 36 CVEs, 7 are rated Critical, 28 are rated Important, and 1 is rated Moderate in severity. None of the patches released this month are listed as publicly known, but one is listed as being actively exploited at the time of release.
The updates apply to the following: Microsoft Windows, Internet Explorer, Microsoft Office and Microsoft Office Services and Web Apps, SQL Server, Visual Studio and Skype for Business.
Reminder: After 1/14/2020 Windows 7 and Windows Server 2008 R2 will be out of extended support and no longer getting security updates.
Known Issues: The following KBs contain information about known issues with the security updates. For a complete list of security update KBs, please see 20191210.
| KB Article | Applies To |
|---|---|
| 4484190 | Excel 2013 |
| 4484179 | Excel 2016 |
| 4461590 | PowerPoint 2013 |
| 4484190 | PowerPoint 2016 |
| 4484190 | Word 2013 |
| 4484190 | Word 2016 |
| 4530681 | Windows 10 |
| 4530684 | Windows 10, version 1803, Windows Server version 1803, Windows 10, version 1809, Windows Server version 1809 |
| 4530689 | Windows 10, version 1607, Windows Server 2016 |
| 4530691 | Windows Server 2012 (Monthly Rollup) |
| 4530698 | Windows Server 2012 (Security-only update) |
| 4530702 | Windows 8.1, Windows Server 2012 R2 (Monthly Rollup) |
| 4530714 | Windows 10, version 1709 |
| 4530715 | Windows 10, version 1809, Windows Server 2019 |
| 4530717 | Windows 10, version 1803, Windows Server version 1803 |
| 4530730 | Windows 8.1, Windows Server 2012 R2 (Security-only update) |
| 4530734 | Windows 7 SP1, Windows Server 2008 R2 SP1 (Monthly Rollup) |
Recommended Reading:
See Dustin Childs' review and analysis in Zero Day Initiative — The December 2019 Security Update Review.
For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary. Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.
Additional Update Notes:
- Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
- MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. Note: Users who are paranoid about the remote possibility of a FP (false positive) can opt to run this tool from a Command Prompt, appending a /N parameter [for "detect only" mode].
- Servicing Stack Updates -- A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update. Learn more about SSUs in Servicing Stack Updates (SSU).
- Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are also available via the Microsoft Update Catalog.
- For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...
Adobe Flash Player Update Released
Adobe released Version 32.0.0.303 of Adobe Flash Player for Windows, macOS, Linux and Chrome OS. The update contains assorted functional fixes.
Release date: December 10, 2019
Vulnerability identifier: None
Platform: Windows, Macintosh, Linux and Chrome OS
Update:
- With the option to 'Allow Adobe to install updates', the update will be automatic. Without that setting enabled, either install the update via the update mechanism when prompted or via the Download Center*.
- Windows 7 and earlier: Installation links for Windows 7 and earlier are provided by Adobe at Installation problems | Flash Player | Windows 7 and earlier:
- Flash Player for Internet Explorer - ActiveX
- Flash Player for Firefox/Pale Moon - NPAPI
- Flash Player for Opera and Chromium-based browsers - PPAPI
- Uninstaller (if needed) : http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe
- Microsoft Edge and Internet Explorer 11: Adobe Flash Player is updated automatically to the latest version on Windows 8.1 and 10 via Windows Update.
- Google Chrome: Adobe Flash Player is updated automatically with the latest Google Chrome version.
- Adobe AIR: Adobe - Adobe AIR
*Important Note: Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive. If you use the download center, uncheck any unnecessary extras that you do not want. They are not needed for the Flash Player update.
Verify Installation
To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. Do this for each browser installed on your computer.
To verify the version of Adobe Flash Player for Android, go to Settings/Applications/Manage Applications/Adobe Flash Player x.x.
Adobe Acrobat DC and Acrobat Reader DC Security Updates Released
Adobe has released security updates for Adobe Acrobat and Reader addressing critical vulnerabilities. The update additionally includes bug fixes.
Release date: December 10, 2019
Vulnerability identifier: APSB19-55
Platform: Windows and MacOS
Update or Complete Download
Reader DC and Acrobat DC were updated to version 2019.02.2.20058. Update checks can be manually activated by choosing Help/Check for Updates.
- Reader DC and other versions are available here: https://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
- Acrobat DC for Windows is available here: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
Pale Moon Version 28.8.0 Released with Security Updates
Pale Moon has been updated to version 28.8.0 with security updates*. This is a major development release that includes many improvements as well as some landmark features added/enabled. In addition, many libraries have been updated for added stability and performance.
*A fix identified as "DiD" ("Defense-in-Depth") means that it is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.
From the Release Notes:
New features:
- Added support for modern Solaris operating systems like Illumos (thanks Athenian200!).
- Implemented position:sticky for table parts - You can now use CSS to e.g. stick table headers so they don't scroll off the screen!
- Enabled basic implementation of module type scripting. While not fully spec compliant (yet), this will fix the few web compatibility issues with sites that rely on this feature without fallback (e.g. the Chromium bugtracker).
- Implemented Promise.prototype.finally() (ES2018).
- Implemented Regular Expression lookbehind (ES2018).
- Implemented Regular Expression /s flag (dotAll support) (ES2018).
- Implemented String.prototype.matchAll(regex) (ES2020).
- Added Ekoru to the list of default search engines. This is a Bing-backed search engine that donates the majority of its revenue to various charities that support the planet and animals. An environment-supporting alternative to Ecosia if you don't want to support Google in the process.
- Changed the way tables are rendered to fix a number of spec compliance issues and allow relative positioning of table parts.
- Now building against the Windows 10 SDK 10.0.17763.132 for increased compatibility with Windows 10 and improved Spectre mitigation.
- Removed the unused DiskSpaceWatcher component.
- Updated cairo code.
- Updated SQLite to 3.30.1.
- Updated the Brotli library to 1.0.7.
- Updated the woff2 library to 1.0.2.
- Updated the OpenType Sanitizer to 8.0.0.
- Updated the JavaScript math library for precision and performance fixes.
- Updated the embedded Emoji font to Mozilla's COLR-mapped twemoji 0.5.0 (Twemoji 12.1.3), to support Emoji 12.
- Improved CSS grid rendering.
- Changed packaging for archives to use 7z/xz instead of zip/bz2.
- Made the second argument of (DOM/CSS) insertRule() optional for (Chrome) web compatibility.
- Removed the non-standard object.prototype.watch()/unwatch() functions. Please note that this may affect some extensions; those will need to be updated to no longer use these non-standard functions.
- Fixed the status bar module to work around an issue with relying on watch()/unwatch().
- Fixed a build failure in the libcubeb sndio module.
- Fixed a small oversight in the release branch that would potentially still mark jnlp files as executable.
- Fixed the certificate retrieval logic in the certificate exception dialog.
- Fixed an issue with add-ons potentially getting confused during add-on updates due to cached scripts.
- Fixed a crash due to unnecessary reparenting calls in layout.
- Reinstated the mentioning of the number of accelerated/total windows in Troubleshooting Information, for completeness.
- Moved the embedded font for Emoji from application to platform so all UXP applications can easily benefit from it (thanks Tobin!).
- Cleaned up the jemalloc code: Removed dead/unused code, removed conditionals around "always on" code, and made the allocator VLA-free.
- Fixed an oversight in the release branch still marking "jnlp" (Java Web Start) as executable.
- Removed the silent fallback to insecure install locations on Windows.
Pale Moon will no longer by default install into unprotected program locations (this was a regression in v28).
If your operating system account does not have the necessary privileges, you need to manually select an accessible folder to install into. This is important to prevent malware from modifying installed programs in well-known but otherwise unprotected installation locations.
- Added a preference for, and disabled, the confirmation prompt for URL authentication (prevents evil traps).
- Disabled the use of HPKP by default due to the inherent risks involved with this feature. A preference was added to completely disable header processing, and using preloaded pins is effectively disabled. Please note that this is automatically disabled by default for everyone, regardless of your previous setting for this feature, and it is strongly recommended you keep this feature disabled. HPKP will eventually be removed (overall Internet consensus).
- Fixed a potential issue when interacting with plugins. (DiD)
- Fixed a potential crash scenario when reading PAC configuration. (DiD)
- Fixed a potential issue with text selection painting. (DiD)
- Fixed an issue with element references not being properly updated. (DiD)
- Fixed an issue with incorrect saving of web pages as text. (DiD)
- Fixed a potential issue with clipboard handling. (DiD)
- Fixed a potential issue with attaching the debugger to web workers. (DiD)
- Updated NSS to 3.41.4 to address CVE-2019-11756 and CVE-2019-11745.
- Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 8 DiD, 16 not applicable.
Update: To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window. Click About Pale Moon and Check for Updates.
Tuesday, December 03, 2019
Mozilla Firefox Version 71.0 Released with Security Updates
Mozilla sent Firefox Version 71.0 to the release channel today. The update included thirteen (13) security updates, of which six (6) are rated high and five (5) are rated moderate.
Also released was Firefox ESR Version 68.3.
Note: The following extensions have been removed from the Mozilla addon repository due to concerns that they were tracking a user's activity as they browsed the web: Avast Online Security, Avast SafePrice, AVG Online Security, and AVG SafePrice. Additional information is available at Bleeping Computer.
High
- CVE-2019-11756: Use-after-free of SFTKSession object
- CVE-2019-17008: Use-after-free in worker destruction
- CVE-2019-13722: Stack corruption due to incorrect number of arguments in WebRTC code
- CVE-2019-11745: Out of bounds write in NSS when encrypting with a block cipher
- CVE-2019-17012: Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3
- CVE-2019-17013: Memory safety bugs fixed in Firefox 71
Moderate
- CVE-2019-17014: Dragging and dropping a cross-origin resource, incorrectly loaded as an image, could result in information disclosure
- CVE-2019-17009: Updater temporary files accessible to unprivileged processes
- CVE-2019-17010: Use-after-free when performing device orientation checks
- CVE-2019-17005: Buffer overflow in plain text serializer
- CVE-2019-17011: Use-after-free when retrieving a document in antitracking
New
- Improvements to Lockwise, our integrated password manager:
  - Firefox now recognizes subdomains and will autofill domain logins from Lockwise
  - Integrated breach alerts from Firefox Monitor are now available to users with screen readers
- More information about Enhanced Tracking Protection in action:
  - Notifications when Firefox blocks cryptominers
  - A running tally of blocked trackers in the protection panel accessed by clicking the address bar shield
- Picture-in-picture video comes to Firefox for Windows: Select the blue icon from the right edge of a video to pop open a floating window so you can keep watching while working in other tabs. Learn how the feature works.
- Native MP3 decoding on Windows, Linux, and macOS
Changed
- Configuration page (about:config) reimplemented in HTML
- Firefox will now ship with Catalan (Valencian) (ca-valencia), Tagalog (tl), and Triqui (trs)