Wednesday, March 25, 2020

Pale Moon Version 28.9.0.2


Pale Moon
Pale Moon version 28.9.0.2 has been released.   From the announcement at Pale Moon updated to 28.9.0.2 - Pale Moon forum:

"This is a small but critical update to the browser to address various run-time operation issues due to a bug in the browser's start-up code.

If you are currently having issues with the browser handling form history, session restore, or compatibility with various websites, please update."
From the Release Notes

This is a small bugfix update addressing 2 more important issues in 28.9.0:
  • Fixed an issue with browser migration and initialization code causing various browser run-time problems.
  • Fixed an issue with cache behavior where some users would have trouble having their windows and tabs restored in "soft refresh" mode (see v28.9.0 release notes). To solve this, we reverted to the previous (pull from cache) mode for now while we investigate the cause.

Linux versions for this update will follow very shortly!


UpdateTo get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Click About Pale Moon and  Check for Updates.


Release Notes


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Tuesday, March 24, 2020

Pale Moon Version 28.9.0.1 Released


Pale Moon
Pale Moon version 28.9.0.1 has been released.  This is a small but critical update to address user-agent overrides (used for a number of major websites) not working as they should.

Linux versions for this update will follow very shortly!



UpdateTo get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Click About Pale Moon and  Check for Updates.


Release Notes:


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...



Microsoft Cumulative Update for Windows 10 Versions 1909 and 1903



Microsoft released cumulative update KB 4541335 with non-security improvements and fixes for Windows 10 Versions 1909 and 1903 today.  From the KB Article:
 "Windows 10, versions 1903 and 1909 share a common core operating system and an identical set of system files. As a result, the new features in Windows 10, version 1909 were included in the recent monthly quality update for Windows 10, version 1903 (released October 8, 2019), but are currently in a dormant state. These new features will remain dormant until they are turned on using an enablement package, which is a small, quick-to-install “master switch” that simply activates the Windows 10, version 1909 features.
To reflect this change, the release notes for Windows 10, version 1903 and Windows 10, version 1909 will share an update history page. Each release page will contain a list of addressed issues for both 1903 and 1909 versions. Note that the 1909 version will always contain the fixes for 1903; however, 1903 will not contain the fixes for 1909. This page will provide you with the build numbers for both 1909 and 1903 versions so that it will be easier for support to assist you if you encounter issues.
For more details about the enablement package and how to get the feature update, see the Windows 10, version 1909 delivery options blog."
In addition, Microsoft made the change below and documented in the Windows message center:
"Timing for upcoming Windows optional C and D releases
We have been evaluating the public health situation, and we understand this is impacting our customers. In response to these challenges we are prioritizing our focus on security updates. Starting in May 2020, we are pausing all optional non-security releases (C and D updates) for all supported versions of Windows client and server products (Windows 10, version 1909 down through Windows Server 2008 SP2).

There is no change to the monthly security updates (B release – Update Tuesday); these will continue as planned to ensure business continuity and to keep our customers protected and productive."
 The update includes non-security quality improvements and there are currently no known issues with the update. The highlights listed are as follows:
  • Updates an issue that causes an error when printing to a document share. 
  • Updates a performance issue in applications that occurs when content that is protected by digital rights management (DRM) plays or is paused in the background. 
  • Updates an issue that prevents the mute button from working on certain devices with the Microsoft Your Phone app. 
  • Updates an issue that prevents applications from closing. 
  • Updates an issue that causes calendar dates to appear on the wrong day of the week in the clock and date region of the notification area when you select the Samoa time zone. 
  • Updates an issue that causes applications to close unexpectedly when a user enters East Asian characters after changing the keyboard layout. 
To download and install the update, go to Settings -> Update and Security ->  Windows Update and select Check for updates.  The standalone package for this update is available in the Microsoft Update Catalog.  In addition, with Windows Update, the latest SSU (KB4541338) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the Microsoft Update Catalog.

Windows 10 update history

Home
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Pale Moon Version 28.9.0 Released With Security-Related Fixes


Pale Moon
Pale Moon version 28.9.0 has been released.  The update is a major development update with new features, changes/fixes as well as security-related fixes.

The update includes DiD ("Defense-in-Depth") updates.  A DiD update is s a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

From the Release Notes:

New features:
  • Implemented asynchronous iterators (await iterator.next() and for await loops) (ES2018)
  • Implemented promise-based media playback.
  • Implemented non-standard legacy CSSStyleSheet rules functions.
  • Implemented the html5 element. To switch this on, flip dom.dialog_element.enabled to true.
  • Implemented the optional hiding of pinned tabs in CtrlTab/AllTab panes. (controlled through the preferences browser.ctrlTab.hidePinnedTabs and browser.allTabs.hidePinnedTabs)
  • Added 1.25x playback speed to html media elements.
  • Added a hidden pref (browser.places.smartBookmarks.max) to control the sizes of default smart bookmarks categories.
Changes/fixes:
  • Aligned document.open() with the overhauled specification.
  • Aligned the way DOM styles are computed with mainstream browser behavior.
  • Removed the (unused) DOM promise implementation.
  • Enabled seeking to next frame in media files.
  • Enabled dynamic UA updates for emergency use.
  • Implemented rule processing stub for font-variation-settings.
  • Increased the maximum XML nesting depth to 2048 levels for extreme corner cases and to conservatively align with other browsers.
  • Improved the privacy of geolocation lookup calls, with thanks to a generous service donation from ip-api.com
  • Improved reporting of the operating system in site-specific user-agent overrides.
  • Improved table drawing performance again after the rewrite for sticky positioning making it slower.
  • Updated CSP processing to allow custom scheme wildcards to be specified without a port.
  • Aligned the behavior of outlines with other browsers when dealing with CSS-repositioned elements.
  • Changed the way hardware acceleration is controlled from the application.
  • Changed the default monospace font for main languages from Courier New to Consolas.
    This provides a more balanced font for fixed-width text that is slightly more condensed and more in line with the naturally compacter variable-width fonts used everywhere else.
  • Changed the browser's behavior when restoring tabs from previous sessions. To prevent stale pages, it will now by default perform a "soft refresh" of the page instead of drawing it purely from cache without checking if the page needs updating. If you prefer the old behavior, set browser.sessionstore.cache_behavior to 0 in about:config.
  • Updated NSPR to 4.24 and NSS to ~3.48.1-RTM, removing the previous custom patch level with NSS being able to support custom rounds for DBM now.
    For extensive release notes with all NSS changes, see NSS_Releases
  • Implemented an NSS performance optimization for Master Password use with limited effect.
  • Fixed some potential crashing scenarios with WebGL on Linux.
  • Completely removed showModalDialog.
  • Disabled some logging in production builds.
  • Removed various gadgeteering/redundant/dead DOM APIs (casting/presentation, FlyWeb)
  • Removed support for a number of critical libraries being system-supplied.
  • Removed "Copy raw data" button from the troubleshooting information page, since it's never used by us in that format, and users mistakenly keep using it instead of copying text.
  • Removed a bunch of Android and iOS support code.
  • Fixed an issue with form elements sometimes being incorrectly disabled.
  • Fixed several crashes.
  • Fixed an issue with Captive Portal detection sometimes firing even when disabled by the user.
  • Performed various tree-wide code cleanups.
  • Backed out a large code cleanup patch for causing subtle issues in website operation (e.g. WordPress). This will have to be revisited later; the reintroduced code is not in use in practice.
  • Cleaned up the application updater code.
Security-related fixes:
  • Fixed a potential pointer issue issue in cubeb. DiD
  • Disabled allowing remote jar: URIs by default for security reasons. If you need this functionality for your non-standard environment, you can enable it with the preference network.jar.block-remote-files, but please consider moving away from this method of providing web-based applications.
  • Removed a potentially dangerous and otherwise ineffective optimization from the JavaScript engine.
  • Fixed unwanted behavior where created/focused pop-up windows could potentially cover the DOM fullscreen notification, hiding it from users. (CVE-2020-6810)
  • Fixed an issue where copying data as a curl request from developer tools would not properly escape parameters. (CVE-2020-6811)
  • Updated our sctp library code with several upstream fixes.
  • Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 3 already mitigated, 1 rejected, 11 not applicable.

UpdateTo get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Click About Pale Moon and  Check for Updates.




Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...



Tuesday, March 17, 2020

Adobe Acrobat DC and Reader DC Security Updates Released

Adobe
Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.

Release date:  March 17, 2020
Vulnerability identifier: APSB20-13
Platform: Windows and MacOS

Update or Complete Download

Reader DC and Acrobat DC were updated to version 20.006.20042.

 Update checks can be manually activated by choosing Help/Check for Updates. 
Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

References





Home
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...



Thursday, March 12, 2020

KB4551762 Released for WIndows 10 Versions 1903 and 1909 to Address CVE-2020-0796



Microsoft released KB4551762 to Address CVE-2020-0796.  From CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability:
"A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.

To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.

The security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests."

KB 4551762:  This update is for Windows 10 Versions 1903 and 1909.

Home
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Wednesday, March 11, 2020

Adobe Flash Player Update Released


Adobe Flashplayer

Adobe released Version 32.0.0.344 of Adobe Flash Player for Windows, macOS, Linux and Chrome OS. The update has important bug fixes.

Release date:  March 11, 2020
Vulnerability identifier:  None
Platform:  Windows, Macintosh, Linux and Chrome OS

Update:

*Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

    Verify Installation

    To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

    Do this for each browser installed on your computer.

    To verify the version of Adobe Flash Player for Android, go to Settings/Applications/Manage Applications/Adobe Flash Player x.x.

    References



    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...









    Tuesday, March 10, 2020

    Microsoft March 2020 Security Updates



    The Microsoft March security updates have been released and consist of 115 CVEs. Of these 26 CVEs, rated Critical, 88 Important, and 1 rated Important in severity. None of the bugs being patched are listed as being publicly known or under active attack at the time of release.

    The updates apply to the following:  Microsoft Windows, Microsoft Edge(EdgeHTML-based), Microsoft Edge (Chromium-based), ChakraCore, Internet Explorer, Microsoft Exchange Server, Microsoft Office and Microsoft Office Services and Web Apps, Azure DevOps, Windows Defender, Visual Studio, Open Source Software, Azure, and Microsoft Dynamics.

    As of the time of this posting, Adobe has not released updates for Flash Player.

    The KBs listed below contain information about known issues with the security updates.

    Known Issues

    4538032 Visual Studio
    4538461 Windows 10 Version 1809, Windows Server 2019
    4540123 Microsoft Exchange Server
    4540670 Windows 10, version 1607, Windows Server 2016
    4540671 Internet Explorer
    4540673 Windows 10, version 1809, Windows Server version 1809, Windows 10, version 1809, Windows Server version 1809
    4540688 Windows 7, Windows Server 2008 R2 (Monthly Rollup)
    4540694 Windows Server 2012 (Security-only update)
    4541500 Windows 7, Windows Server 2008 R2 (Security-only update)
    4541504 Windows Server 2008 (Security-only update)
    4541505 Windows 8.1, Windows Server 2012 R2 (Security-only update)
    4541506 Windows Server 2008 Service Pack 2 (Monthly Rollup)
    4541509 Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)
    4541510 Windows Server 2012 (Monthly Rollup)

    Recommended Reading:  

    See Dustin Childs review and analysis in Zero Day Initiative — The March 2020 Security Update Review.

    For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

    Additional Update Notes:

    • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
    • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.  Note:  Users who are paranoid about the remote possibility of a FP can opt to run this tool from a Command Prompt, appending a   /N   parameter [for "detect only" mode].
    • Servicing Stack Updates -- A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update. Learn more about SSU's in Servicing Stack Updates (SSU)
    • Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are also available via the Microsoft Update Catalog.
    • For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
    • Windows Update History:

    References


    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...





    Mozilla Firefox Version 74.0 Released With Security Updates

    Firefox

    Mozilla sent Firefox Version 74.0 to the release channel today.  The update included twelve (12) security updates of which five (5) are high, six (6) are moderate and one (1) are rated low.

    Also released was Firefox ESR Version 68.6.

    High


    Moderate


    Low

    New

    • Your login management has improved with the ability to reverse alpha sort (Name Z-A) in Lockwise, which you can access under Logins and Passwords.
    • Firefox now makes importing your bookmarks and history from the new Microsoft Edge browser on Windows and Mac simple.
    • Add-ons installed by external applications can now be removed using the Add-ons Manager (about:addons). Going forward, only users can install add-ons; they cannot be installed by an application.
    • Facebook Container prevents Facebook from tracking you around the web - Facebook logins, likes, and comments are automatically blocked on non-Facebook sites. But when we need an exception, you can now create one by adding custom sites to the Facebook Container.
    • Firefox now provides better privacy for your web voice and video calls through support for mDNS ICE by cloaking your computer’s IP address with a random ID in certain WebRTC scenarios.

    Fixed

    • We have fixed issues involving pinned tabs such as being lost. You should also no longer see them reorder themselves.

    Changed

    • When a video is uploaded with a batch of photos on Instagram, the Picture-in-Picture toggle would sit atop of the “next” button. The toggle is now moved allowing you to flip through to the next image of the batch.
    • On Windows, Ctrl+I can now be used to open the Page Info window instead of opening the Bookmarks sidebar. Ctrl+B still opens the Bookmarks sidebar making keyboard shortcuts more useful for our users.
    • We have disabled TLS 1.0 and TLS 1.1 to improve your website connections. Sites that don't support TLS version 1.2 will now show an error page.
    Update:  To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

    References


    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...

    Sunday, March 01, 2020

    Pale Moon Version 28.8.4 Released with Security Update


    Pale Moon
    Pale Moon has been updated to version 28.8.4The update is a small web compatibility and security update.  Linux versions will follow shortly.

    The update includes a DiD ("Defense-in-Depth") update.  A DiD update is s a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

    From the Release Notes:

    Changes/fixes:
    • Implemented optional catch binding (ES2019).
    • Fixed a hazardous crash related to module scripting.

    UpdateTo get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Click About Pale Moon and  Check for Updates.




    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...