Pale Moon Version 28.8.2 Released

Pale Moon has been updated to version 28.8.2 as a small bugfix and compatibility update.

From the Release Notes:


Changes/fixes:

• Reverted the addition of JavaScript regular expression lookarounds since the implementation caused crashes. We'll have to revisit this later.
• Fixed an issue where FTP servers would hang the browser if they were not sending answers according to the protocol specification.
• Added a workaround for GitHub trying to enforce more Google-isms (which we don't support at this time) to browsers that identify as "Firefox-alike".

Update:  To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Click About Pale Moon and  Check for Updates.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Adobe Flash Player Update

Adobe released Version 32.0.0.321 of Adobe Flash Player for Windows, macOS, Linux and Chrome OS to provide a minor update to refresh a content security certificate used in Adobe's DRM system.

Release date:  January 21, 2020
Vulnerability identifier: None
Platform:  Windows, Macintosh, Linux and Chrome OS

Update:

• With the option to 'Allow Adobe to install updates', the update will be automatic. Without that setting enabled, either install the update via the update mechanism when prompted or via the Download Center*.
• Windows 7 and earlier:  Installation links for Windows 7 and earlier are provided by Adobe at Installation problems | Flash Player | Windows 7 and earlier: 
• Flash Player for Internet Explorer - ActiveX 
• Flash Player for Firefox/Pale Moon - NPAPI
• Flash Player for Opera and Chromium-based browsers - PPAPI
• Uninstaller (if needed) : http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe 
• Microsoft Edge and Internet Explorer 11:  Security updates for Adobe Flash Player are automatically updated to the latest version for Windows 8.1 and 10 via Windows Update.  NOTE:  The embedded ActiveX Flash for Windows 8.1 and Windows 10 remains at version 32.0.0.255. 
• Google Chrome:  Adobe Flash Player will be automatically updated to the latest Google Chrome version.
• Flash Player Uninstaller:  http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe
• Adobe AIR:  Adobe - Adobe AIR

*Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings/Applications/Manage Applications/Adobe Flash Player x.x.

References

• Adobe Priority Ratings
• AIR Download Center 
• Installing and Updating Flash Player - FAQ
• Release Notes
• Security Bulletin
• PSIRT

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Mozilla Firefox Version 72.0.2 Released

Mozilla sent Firefox Version 72.0.2 to the release channel today.  The update fixes various issues as well as including stability fixes.

Also released was Firefox ESR Version 68.4.2

Fixes

• Various stability fixes
  
• Fixed issues opening files with spaces in their path (bug 1601905)
  
• Fixed a hang opening about:logins when a master password is set (bug 1606992)
  
• Fixed a web compatibility issue with CSS Shadow Parts which shipped in Firefox 72 (bug 1604989)
  
• Fixed inconsistent playback performance for fullscreen 1080p videos on some systems (bug 1608485)
  

Update:  To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

References

• Common questions after updating Firefox
• Security Updates
• Release Notes
• Rapid Release Calendar

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Microsoft Security Advisory for Remote Code Execution Vulnerability in IE

Microsoft released Security Advisory ADV200001 for a remote code execution vulnerability with limited active attacks in Internet Explorer.  The issue is described as the way that the scripting engine handles objects in memory in Internet Explorer. As described in the advisory:

"The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

In the event you use Internet Explorer, it is strongly advised that you follow the instructions at the bottom of the Advisory to restrict access to JScript.dll as a workaround.

References

• Security Advisory ADV200001

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Chromium-Based Microsof Edge Released

As announced previously, the long-awaited new Microsoft Edge Chromium-based browser has been released.  For consumers, it will be installed in a future update to Windows 10, following a measured roll-out via Windows Update over the next several months. The Windows Update schedule for Windows 10 versions is available at Windows updates for Microsoft Edge | Microsoft Docs.

Having daily used the development version of Microsoft Edge since it was initially made available, the Chromium-based version has proved to be a definite improvement.  Learn about the new features by following the "Learn More" links at Microsoft Edge Browser Features.   

If you don't want to wait for Windows Update, you can download the new Edge browser today.  It is available for Windows 10, Windows 8.1, Windows 8, Windows 7, macOS, iOS and Android from the download page at Download New Microsoft Edge Browser | Microsoft. Click the arrow to select the version for your device.


References:

• Upgrading to the new Microsoft Edge - Microsoft Edge Blog
• Microsoft Edge Browser Features
• Download New Microsoft Edge Browser | Microsoft
• Windows updates for Microsoft Edge | Microsoft Docs

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Oracle Java SE JRE Security Updates

Oracle released the scheduled critical security updates for its Java SE Runtime Environment software.  This Critical Patch Update contains 12 new security patches for Oracle Java SE.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

Update

If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

Download Information

Java SE Runtime Environment Version 8u241:  https://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html

Notes:

• UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.  Preferably, see the instructions below on how to handle "Unwanted Extras".  
• Oracle does not plan to migrate desktops from Java 8 to Java 9 through the auto update feature.  Therefore, it is strongly recommended that you uninstall JRE 8 prior to updating.
• Verify your version:  http://www.java.com/en/download/testjava.jsp.   Note:  The Java version verification page will only work if your browser has NPAPI support.  In that case, to check the version, open a cmd window and enter the following (note the space following Java):  java -version

Critical Patch Updates

For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:

• 14 April 2020
• 14 July 2020
• 20 October 2020 
• 19 January 2021

Unwanted "Extras"

Although most people do not need Java on their computer, there are some programs and games that require Java.  In the event you need to continue using Java, How-to Geek discovered a little-known and  unpublicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates.  Although the Ask Toolbar has been removed, tha does not preclude the pre-checked option for some other unnecessary add-on.

Do the following to suppress the sponsor offers:

1. Launch the Windows Start menu
2. Click on Programs
3. Find the Java program listing
4. Click Configure Java to launch the Java Control Panel
5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.

Java Security Recommendations

1)  In the Java Control Panel, at minimum, set the security to high.
2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

3)  Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml

References

• Java, The Never-Ending Saga  
• Critical Patch Updates and Security Alerts
• Oracle Java SE Risk Matrix 
• Oracle Quality Assurance Blog 

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Microsoft January 2020 Security Updates

The Microsoft January security updates have been released and consist of 49 CVEs. Of these 8 CVEs, 7 are rated Critical and 41 are rated Important in severity. None of the patches released this month are listed as publicly known, but one is listed as being actively exploited at the time of release.

The updates apply to the following:  Microsoft Windows, Internet Explorer, Microsoft Office and Microsoft Office Services and Web Apps, ASP.NET Core, .NET Core, .NET Framework, OneDrive for Android, and Microsoft Dynamics.

Reminder:  After today (14 January 2020) Windows 7 and Windows Server 2008 R2 will be out of extended support and no longer getting security updates.

Known Issues:  The following KBs contain information about known issues with the security updates. For a complete list of security update KBs, please see 20200114. For more information about Windows Known Issues, please see Windows message center (links to currently-supported versions of Windows are in the left pane).

KB Article	Applies To
4534271	Windows 10, version 1607, Windows Server 2016
4534273	Windows 10, version 1809, Windows Server version 1809, Windows 10, version 1809, Windows Server version 1809
4534276	Windows 10, version 1709
4534283	Windows Server 2012 (Monthly Rollup)
4534288	Windows Server 2012 (Security-only update)
4534293	Windows 10, version 1803, Windows Server version 1803
4534297	Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)
4534306	Windows 10
4534309	Windows 8.1, Windows Server 2012 R2 (Security-only update)

Recommended Reading:  

See Dustin Childs review and analysis in Zero Day Initiative — The January 2020 Security Update Review.

For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

Additional Update Notes:

• Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
• MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.  Note:  Users who are paranoid about the remote possibility of a FP can opt to run this tool from a Command Prompt, appending a   /N   parameter [for "detect only" mode].
• Servicing Stack Updates -- A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update. Learn more about SSU's in Servicing Stack Updates (SSU)
• Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are also available via the Microsoft Update Catalog.
• For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
• Windows Update History:
  • Windows 10
  • Windows 8.1
  • Windows 7

References

• Security Update FAQ
• January Security Updates Guide

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Adobe Flash Update Released

Adobe released Version 32.0.0.314 of Adobe Flash Player for Windows, macOS, Linux and Chrome OS. Once again, the update contains assorted functional fixes.

Release date:  January 14, 2020
Vulnerability identifier: None
Platform:  Windows, Macintosh, Linux and Chrome OS

Update:

• With the option to 'Allow Adobe to install updates', the update will be automatic. Without that setting enabled, either install the update via the update mechanism when prompted or via the Download Center*.
• Windows 7 and earlier:  Installation links for Windows 7 and earlier are provided by Adobe at Installation problems | Flash Player | Windows 7 and earlier: 
• Flash Player for Internet Explorer - ActiveX 
• Flash Player for Firefox/Pale Moon - NPAPI
• Flash Player for Opera and Chromium-based browsers - PPAPI
• Uninstaller (if needed) : http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe 
• Microsoft Edge and Internet Explorer 11:  Security updates for Adobe Flash Player are automatically updated to the latest version for Windows 8.1 and 10 via Windows Update.  NOTE:  The embedded ActiveX Flash for Windows 8.1 and Windows 10 remains at version 32.0.0.255. 
• Google Chrome:  Adobe Flash Player will be automatically updated to the latest Google Chrome version.
• Flash Player Uninstaller:  http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe
• Adobe AIR:  Adobe - Adobe AIR

*Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings/Applications/Manage Applications/Adobe Flash Player x.x.

References

• Adobe Priority Ratings
• AIR Download Center 
• Installing and Updating Flash Player - FAQ
• Release Notes
• Security Bulletin
• PSIRT

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Pale Moon Version 28.8.1 Updated with Security Updates

Pale Moon has been updated to version 28.8.1.  This is an important security and stability release. In addition to fixes identified as "DiD*, the update addresses CVE-2019-17026, which is being actively exploited.  Please update your browser to this version as soon as possible.

*A fix identified as "DiD" ("Defense-in-Depth") means that it is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered. 

From the Release Notes:


Changes/fixes:

• Fixed a sampling issue in libsoundtouch (DiD)
• Fixed an issue with a new upcoming Windows 10 feature not honoring Private Browsing mode by default (DiD)
• Fixed several stability and memory safety hazards. (DiD)
  
• Fixed an issue where files could inadvertently be executed with the designated file type handler instead of opened. (CVE-2019-17019)
• Fixed an issue with the JavaScript JIT compiler that could lead to exploitable crashes. (CVE-2019-17026) actively exploited
• Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 7 DiD, 12 not applicable.

Update:  To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Click About Pale Moon and  Check for Updates.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Mozilla Firefox Version 72.0.1 Released with Critical Security Update

Just one day after releasing Firefox Version 72.0, Mozilla sent Firefox Version 72.0.1 to the release channel today.  The update includes one (1) critical security update.

Also released was Firefox ESR Version 68.4.1

Critical

• CVE-2019-17026: IonMonkey type confusion with StoreElementHole and

Update:  To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

References

• Common questions after updating Firefox
• Security Updates
• Release Notes
• Rapid Release Calendar

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Mozilla Firefox Version 72.0 Released with Security Updates

Mozilla sent Firefox Version 72.0 to the release channel today.  The update included twelve (12) security updates of which five (5) are high, six (6) are moderate and one (1) rated low.

Also released was Firefox ESR Version 68.4.

High

• CVE-2019-17015: Memory corruption in parent process during new content process initialization on Windows
• CVE-2019-17016: Bypass of @namespace CSS sanitization during pasting
• CVE-2019-17017: Type Confusion in XPCVariant.cpp
• CVE-2019-17024: Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4
• CVE-2019-17025: Memory safety bugs fixed in Firefox 72

Moderate

• CVE-2019-17017: Type Confusion in XPCVariant.cpp
• CVE-2019-17018: Windows Keyboard in Private Browsing Mode may retain word suggestions
• CVE-2019-17019: Python files could be inadvertently executed upon opening a download
• CVE-2019-17020: Content Security Policy not applied to XSL stylesheets applied to XML documents
• CVE-2019-17021: Heap address disclosure in parent process during content process initialization on Windows
• CVE-2019-17022: CSS sanitization does not escape HTML tags

Low

• CVE-2019-17023: NSS may negotiate TLS 1.2 or below after a TLS 1.3 HelloRetryRequest had been sen

New

• Firefox’s Enhanced Tracking Protection marks a major new milestone in our battle against cross-site tracking: we now block fingerprinting scripts by default for all users, taking a new bold step in the fight for our users’ privacy.
  
• Firefox replaces annoying notification request pop-ups with a more delightful experience, by default for all users. The pop-ups no longer interrupt your browsing, in its place, a speech bubble will appear in the address bar when you interact with the site.
  
• Picture-in-picture video is now also available in Firefox for Mac and Linux: Select the blue icon from the right edge of a video to pop open a floating window so you can keep watching while working in other tabs or apps. Learn how the feature works.
  

Changed

• Support for blocking images from individual domains has been removed from Firefox, because of low usage and poor user experience.

Update:  To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

References

• Common questions after updating Firefox
• Security Updates
• Release Notes
• Rapid Release Calendar

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...