Thursday, April 30, 2020

Pale Moon Version 28.9.2 Released


Pale Moon version 28.9.2 has been released.  The update is a minor update for potential code issues, web compatibility and stability.

The update includes DiD ("Defense-in-Depth") updates.  A DiD update is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.
From the Release Notes
  • Re-based the 28.9 version of browsers on a separate development branch that excludes the extensive work being done for Google WebComponents, to avoid potential performance and stability issues caused by as-of-yet incomplete and in-progress code for the new milestone.
  • Enabled DOM High Resolution timestamps for compatibility with websites that strictly rely on them for operation.
  • Added a preference to allow copying the unescaped URL from the address bar (especially useful for internationalized domain names and paths).
    To enable this, set browser.urlbar.decodeURLsOnCopy to true in about:config
  • Fixed several application crashes (thanks, Fysac!)

Linux versions for this update will follow shortly.


Update:  To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Click About Pale Moon and Check for Updates.


Release Notes


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Tuesday, April 21, 2020

Microsoft Cumulative Update for Windows 10 Versions 1909, 1903, 1809 and 1803



Microsoft released a cumulative update with non-security improvements and fixes for Windows 10 Versions 1909, 1903, 1809 and 1803 today.  The following information was included regarding the optional non-security updates:
 "IMPORTANT We have been evaluating the public health situation, and we understand this is impacting our customers. In response to these challenges, we are prioritizing our focus on security updates. Starting in May 2020, we are pausing all optional non-security releases (C and D updates) for all the supported versions of Windows client and server products (Windows 10, version 1909 down to Windows Server 2008 SP2)."
The updates include various improvements and fixes for the respective Windows 10 version.  In particular, the issue that causes Windows Update to stop responding when checking for updates has been addressed for Versions 1909 and 1903.

Windows 10 Version 1909 and Windows 10 Version 1903: KB4550945
Windows 10 Version 1809: KB4550969
Windows 10 Version 1803: KB4550944

To download and install the update, go to Settings -> Update and Security -> Windows Update and select Check for updates.  The standalone package for this update is available in the Microsoft Update Catalog.  In addition, with Windows Update, the latest SSU will be offered to you automatically.  To get the standalone package for the latest SSU, search for it in the Microsoft Update Catalog.

Windows 10 update history


Tuesday, April 14, 2020

Oracle Java SE JRE Security Updates


Oracle released the scheduled critical security updates for its Java SE Runtime Environment software. This Critical Patch Update contains 15 new security patches for Oracle Java SE.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

Update

If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

Download Information

Java SE Runtime Environment Version 8u251:  https://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html

Notes:

  • UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.  Preferably, see the instructions below on how to handle "Unwanted Extras".  
  • Oracle does not plan to migrate desktops from Java 8 to Java 9 through the auto update feature.  Therefore, it is strongly recommended that you uninstall JRE 8 prior to updating.
  • Verify your version: http://www.java.com/en/download/testjava.jsp   Note:  The Java version verification page will only work if your browser has NPAPI support.  To check the version without the browser, open a cmd window and enter the following (note the space following java):  java -version

Critical Patch Updates

For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
  • 14 July 2020
  • 20 October 2020 
  • 19 January 2021 
  • 13 April 2021

Unwanted "Extras"

Although most people do not need Java on their computer, there are some programs and games that require Java.  In the event you need to continue using Java, How-to Geek discovered a little-known and unpublicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates.  Although the Ask Toolbar has been removed, that does not preclude the pre-checked option for some other unnecessary add-on.

Do the following to suppress the sponsor offers:
  1. Launch the Windows Start menu
  2. Click on Programs
  3. Find the Java program listing
  4. Click Configure Java to launch the Java Control Panel
  5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
  6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.

Java Security Recommendations

1)  In the Java Control Panel, at minimum, set the security to high.
2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.
3)  Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml





Microsoft April 2020 Security Updates



The Microsoft April security updates have been released and consist of 113 CVEs. Of these CVEs, 17 are rated Critical and 96 are rated Important in severity. One of the bugs* addressed this month is listed as being under active attack, and two are listed as being public at the time of release.

*Edit Note: Microsoft initially listed CVE-2020-0968 as being under active attack. They have since revised this bulletin to note it is not under attack.

The updates apply to the following:  Microsoft Windows, Microsoft Edge (EdgeHTML-based), Microsoft Edge (Chromium-based), ChakraCore, Internet Explorer, Microsoft Office and Microsoft Office Services and Web Apps, Windows Defender, Visual Studio, Microsoft Dynamics, Microsoft Apps for Android, and Microsoft Apps for Mac.

The KBs listed below contain information about known issues with the security updates.

KB Article Applies To
3128012 Microsoft Office 2016
3162033 Microsoft Publisher 2013
3203462 Microsoft Office 2010
4011097 Microsoft Publisher 2016
4011104 Microsoft Office 2013
4032216 Microsoft Publisher 2010
4462210 Microsoft Access 2013
4462225 Microsoft Visio 2010
4464527 Microsoft Access 2010
4464544 Microsoft Visio 2013
4484117 Microsoft Office 2013
4484125 Microsoft Project 2013
4484126 Microsoft Office 2010
4484132 Microsoft Project 2010
4484167 Microsoft Access 2016
4484214 Microsoft Office 2016
4484226 Microsoft PowerPoint 2013
4484235 Microsoft PowerPoint 2010
4484244 Microsoft Visio 2016
4484246 Microsoft PowerPoint 2016
4484269 Microsoft Project 2016
4484273 Microsoft Excel 2016
4484274 Microsoft Outlook 2016
4484281 Microsoft Outlook 2013
4484283 Microsoft Excel 2013
4484284 Microsoft Outlook 2010
4484285 Microsoft Excel 2010
4484295 Microsoft Word 2010
4484300 Microsoft Word 2016
4484319 Microsoft Word 2013
4549949 Windows 10 Version 1809, Windows Server 2019
4550905 Internet Explorer
4550917 Windows Server 2012 (Monthly Rollup)
4550922 Windows 10, version 1803
4550927 Windows 10, version 1709
4550929 Windows 10, version 1607, Windows Server 2016
4550930 Windows 10
4550951 Windows Server 2008 Service Pack 2 (Monthly Rollup)
4550957 Windows Server 2008 Service Pack 2 (Security-only update)
4550961 Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)
4550964 Windows 7, Windows Server 2008 R2 (Monthly Rollup)
4550965 Windows 7, Windows Server 2008 R2 (Security-only update)
4550970 Windows 8.1, Windows Server 2012 R2 (Security-only update)
4550971 Windows Server 2012 (Security-only update)

Recommended Reading:  

See Dustin Childs' review and analysis in Zero Day Initiative — The April 2020 Security Update Review.

For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

Additional Update Notes:

  • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above. Note, however, that there are no Adobe Flash Player security updates for Active X.
  • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.  Note:  Users who are paranoid about the remote possibility of a false positive (FP) can opt to run this tool from a Command Prompt, appending a /N parameter [for "detect only" mode].
  • Servicing Stack Updates -- A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update. Learn more about SSUs in Servicing Stack Updates (SSU).
  • Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are also available via the Microsoft Update Catalog.
  • For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
  • Windows Update History:






Adobe Flash Player Update Released



Adobe released Version 32.0.0.363 of Adobe Flash Player for Windows, macOS, Linux and Chrome OS. The update has important bug fixes.

Release date:  April 14, 2020
Vulnerability identifier:  None
Platform:  Windows, Macintosh, Linux and Chrome OS

Update:

*Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

    Verify Installation

    To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

    Do this for each browser installed on your computer.

    To verify the version of Adobe Flash Player for Android, go to Settings/Applications/Manage Applications/Adobe Flash Player x.x.










    Sunday, April 12, 2020

    Happy Easter! "Khrystos Voskres!"



    "Khrystos Voskres!"

    (Christ is Risen!)






    "Voistyno Voskres!"

    (He is Truly Risen!)










    Friday, April 10, 2020

    Pale Moon Version 28.9.1 Released With Security Updates


    Pale Moon version 28.9.1 has been released.  The update is a minor bugfix and security update. 

    The update includes DiD ("Defense-in-Depth") updates.  A DiD update is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.
    From the Release Notes

    • Re-imported the ExtensionStorage js module for use by browser extensions.
    • Fixed an issue with the WebRequest module having erroneously un-processed build directives in it. This might have caused some subtle breakage.
    • Removed the use of high-resolution Windows system timers from the layout refresh driver; this should help with some performance and battery life issues.
    • Fixed an issue where various parts of hardware acceleration weren't properly linked when changing the option from preferences.
      If you have changed the preferences option to "use hardware acceleration when available" between 28.9.0 and this release, it is recommended that you go into preferences and toggle the option off/on to the preferred setting to correct any discrepancies.
    • Fixed an issue with building the user-agent string using the build date as ID.
    • Fixed an issue with the release of document content viewers (CVE-2020-6819). DiD
    • Fixed an issue with handling functions with rest parameters. DiD
    • Unified XUL Platform Mozilla Security Patch Summary: 2 Defense-in-depth, 14 not applicable.

    Linux versions for this update will follow very shortly.


    Update:  To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Click About Pale Moon and Check for Updates.


    Release Notes




    Tuesday, April 07, 2020

    Mozilla Firefox Version 75.0 Released With Security Updates


    Mozilla sent Firefox Version 75.0 to the release channel today.  The update included five (5) security updates of which three (3) are high and two (2) are moderate in severity.

    Also released was Firefox ESR Version 68.7.

    High

    Moderate

    New

    • With today's release, a number of improvements will help you search smarter, faster. Type less and find more with Firefox's revamped address bar:
      • Focused, clean search experience that's optimized for smaller laptop screens
      • Top sites now appear when you select the address
      • Improved readability of search suggestions with a focus on new search terms
      • Suggestions include solutions to common Firefox issues
      • On Linux, the behavior when clicking on the Address Bar and the Search Bar now matches other desktop platforms: a single click selects all without primary selection, a double click selects a word, and a triple click selects all with primary selection
    • Firefox will locally cache all trusted Web PKI Certificate Authority certificates known to Mozilla. This will improve HTTPS compatibility with misconfigured web servers and improve security.
    • Firefox is now available in Flatpak, an easier way to install and use Firefox on Linux.
    • Direct Composition is being integrated for our users on Windows to help improve performance and enable our ongoing work to ship WebRender on Windows 10 laptops with Intel graphics cards.
    Update:  To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


    Friday, April 03, 2020

    Critical. Update Released for Mozilla Firefox Version 74.0.1 and Firefox ESR Version 68.6.1


    Mozilla sent Firefox Version 74.0.1 and Firefox ESR Version 68.6.1 to the release channel today.  The update included two (2) security updates both rated critical.

    Critical



    Update:  To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.
