Tuesday, August 25, 2020

Mozilla Firefox Version 80.0 Released With Security Updates



Mozilla sent Firefox Version 80.0 to the release channel today.  The update includes ten security updates of which three (3) are rated high, four (4) moderate and three (3) low.  Curiously, the items listed in the Release Notes as "Fixed" are the same as those for Version 79.0.

Also released was Firefox ESR Version 68.12.

New

  • Firefox can now be set as the default system PDF viewer.

Fixed
  • Several crashes while using a screen reader were fixed, including a frequently encountered crash when using the JAWS screen reader.
  • Firefox Developer Tools received significant fixes allowing screen reader users to benefit from some of the tools that were previously inaccessible.
  • SVG title and desc elements (labels and descriptions) are now correctly exposed to assistive technology products such as screen readers.

Changed

  • For users with reduced motion settings, we’ve reduced a number of animations such as tab loading to reduce motion for users with migraines and epilepsy.
  • The new add-ons blocklist has been enabled to improve performance and scalability.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Monday, August 24, 2020

Optional Hotfix Released for Adobe Acrobat and Reader


Adobe has released an optional hotfix for Adobe Acrobat and Reader for Windows and macOS that provides important bug fixes.

Release date:  August 19, 2020
Vulnerability identifier: None
Platform: Windows and macOS

Update or Complete Download

Reader DC and Acrobat DC were updated to version 20.012.20043.

Update checks can be manually activated by choosing Help/Check for Updates.
Note: Uncheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.


Thursday, August 20, 2020

Microsoft Cumulative Update For Windows 1909 and 1903


Microsoft released cumulative update KB456616 with non-security improvements and fixes for Windows 10 Versions 1909 and 1903 today.  There are no known issues with this update.

The following are highlights of the issues resolved with this update:

  • Updates an issue that causes the hard drive to fill up in certain error situations. 
  • Updates an issue that prevents Microsoft Gaming Services from starting because of error 15612. 
  • Updates time zone information for the Yukon, Canada.
  • Updates a visual offset issue on a touchscreen. Edits you make with a pen or finger appear in a different region than expected if the device is connected to an external monitor.
  • Updates an issue that causes the Settings page to close unexpectedly, which prevents default applications from being set up properly. 
  • Updates an issue that prevents you from unlocking a device if you typed a space before the username when you first signed in to the device. 
  • Updates an issue that causes applications to take a long time to open. 

To download and install the update, go to Settings -> Update and Security -> Windows Update and select Check for updates.  The standalone package for this update is available in the Microsoft Update Catalog.  In addition, with Windows Update, the latest SSU (KB4569073) will be offered to you automatically.  To get the standalone package for the latest SSU, search for it in the Microsoft Update Catalog.


Wednesday, August 19, 2020

Out-of-Band Security Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2



Microsoft has released Out-of-Band security update KB4578013 addressing CVE-2020-1530 and CVE-2020-1537, elevation of privilege vulnerabilities that could allow an attacker who successfully exploits them to gain elevated privileges.

There are no prerequisites for the update and a restart is not required.  To get the standalone package for this update, go to the Microsoft Update Catalog website.

Note: The August 11, 2020 security update addressed the vulnerabilities for all other supported operating systems.

Windows Update History: Windows 8.1




Tuesday, August 11, 2020

Microsoft August 2020 Security Updates



The Microsoft August security updates have been released and consist of 120 CVEs.  Of these 120 CVEs, 17 are rated Critical and 103 are rated Important in severity.  CVE-2020-1464 - Windows Spoofing Vulnerability is both publicly known and listed as being under active attack.  CVE-2020-1380 - Scripting Engine Memory Corruption Vulnerability is also listed as being under active attack at the time of release. 

The updates apply to the following: Microsoft Windows, Microsoft Edge (EdgeHTML-based), Microsoft Edge (Chromium-based), Microsoft ChakraCore, Internet Explorer, Microsoft Scripting Engine, SQL Server, Microsoft JET Database Engine, .NET Framework, ASP.NET Core, Microsoft Office and Microsoft Office Services and Web Apps, Microsoft Windows Codecs Library, and Microsoft Dynamics.

Update Note: A Microsoft Security Advisory Notification was issued announcing an update to ADV990001 with information on new versions of Servicing Stack.  For information about Servicing Stack updates see Servicing Stack Updates (SSU).

The KBs listed below contain information about known issues with the security updates.

KB Article   Applies To
4565349      Windows 10, version 1809; Windows Server 2019
4566782      Windows 10, version 2004
4571694      Windows 10, version 1607; Windows Server 2016
4571702      Windows Server 2012 (Security-only update)
4571703      Windows 8.1; Windows Server 2012 R2 (Monthly Rollup)
4571719      Windows 7; Windows Server 2008 R2 (Security-only update)
4571723      Windows 8.1; Windows Server 2012 R2 (Security-only update)
4571729      Windows 7; Windows Server 2008 R2 (Monthly Rollup)
4571730      Windows Server 2008 Service Pack 2 (Monthly Rollup)
4571736      Windows Server 2012 (Monthly Rollup)
4571746      Windows Server 2008 Service Pack 2 (Security-only update)

Recommended Reading:

See Dustin Childs' review and analysis in Zero Day Initiative — The August Security Update Review.

For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box.

Additional Update Notes:

  • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.  Note, however, that there are no Adobe Flash Player security updates for ActiveX.
  • MSRT -- The Malicious Software Removal Tool is now run on a quarterly basis rather than monthly.  See Remove specific prevalent malware with Windows Malicious Software Removal Tool.
  • Servicing Stack Updates -- A list of the latest servicing stack updates for each operating system can be found in ADV990001.  This list will be updated whenever a new servicing stack update is released.  It is important to install the latest servicing stack update.  Learn more about SSUs in Servicing Stack Updates (SSU).
  • Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are also available via the Microsoft Update Catalog.
  • For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
  • Windows Update History:



Adobe Flash Player Bugfix Update Released



Adobe released Version 32.0.0.414 of Adobe Flash Player for Windows, macOS, Linux and Chrome OS with assorted functional fixes.

Release date:  August 11, 2020
Vulnerability identifier: None
Platform:  Windows, Macintosh, Linux and Chrome OS

Update:

Important Note: Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings/Applications/Manage Applications/Adobe Flash Player x.x.



Adobe Acrobat DC and Reader DC Security Updates Released

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.

Release date:  August 11, 2020
Vulnerability identifier: APSB20-48
Platform: Windows and macOS

Update or Complete Download

Reader DC and Acrobat DC were updated to version 20.012.20041.

Update checks can be manually activated by choosing Help/Check for Updates.
Note: Uncheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.



Tuesday, August 04, 2020

Pale Moon Version 28.12.0 Released With Security Updates


Pale Moon version 28.12.0 has been released.  The update is a development, bugfix and security update.  Linux versions will follow shortly.

The update includes DiD ("Defense-in-Depth") updates.  A DiD update is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes expose the problem, or when new attack vectors are discovered.

From the Release Notes

Changes/fixes:
  • Added controls for WASM to the browser's preferences, and enabled by default.
  • Enabled various arbitrarily-disabled CSS functions.
  • Added the use of basic path descriptors (i.e. polygon) to CSS clip paths.
  • Implemented multithreaded request signal handling for the Abort API. Please see implementation notes below.
  • Updated the included US-English dictionary, adding approximately 2500 additional words.
  • Removed the DOM battery API. This was already disabled for privacy reasons for a long while.
  • Fixed an erroneous warning displayed on toolkit-only add-ons like supplied dictionaries.
  • Fixed an issue with the sessionstore tab load preference.
  • Improved the generation of the names of downloaded files to prevent confusion. (CVE-2020-15658)
  • Fixed a code issue with base64 encoding of data.
  • Fixed 2 safety hazards in JavaScript. (One being CVE-2020-15656) DiD
  • Fixed a spec compliance issue with regards to the cross-origin loading of scripts. (CVE-2020-15652)
  • Improved the loading of a system DLL on Windows, preventing low-risk hijacking potential. (CVE-2020-15657) See implementation notes.
  • Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 2 defense-in-depth, 15 not applicable.
Implementation notes:

  1. In 28.11.0, we introduced the Abort API as new code. The implementation of it still had an issue where especially web workers would not always see the availability of abort signals on fetch requests while AbortSignal was implemented in the browser. This effectively made some websites (especially those using a particular polyfill for the Abort API that would detect the need to polyfill by way of Request.signal) throw errors that were fine before. We offered users a workaround by temporarily disabling the AbortController in the browser by way of a preference (dom.abortController.enabled).
    v28.12.0 fixes the multi-threaded handling of signals, which should solve these problems. As such, the workaround is no longer needed and upon upgrade the preference will be reset to enable AbortControllers again.
  2. DLL-hijacking on Windows would only be possible if a malicious actor has already either gained administrative access to the program's installation folder or otherwise has unrestricted access to the program folder (by having it installed in local application folders inside the user's profile space or other insecure program locations). In that case the system is already compromised and any executable can be replaced, so having DLL loading hijacked would be the least of your concerns (i.e. the main program .exe could also be replaced/infected in that case).
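As an added example (not code from the Pale Moon project or its release notes), the PowerShell script below checks for the precondition that implementation note 2 describes: a program folder that sits inside the user's profile or carries write rights for principals other than SYSTEM, Administrators and TrustedInstaller. The install path is an assumed default and the trusted-principal list is an assumption you may need to extend.

```powershell
# Added example, not Pale Moon project code: report whether a program folder
# meets the precondition described above for DLL hijacking, i.e. it is writable
# by non-administrative principals or lives inside the user's profile.
param(
    # Assumed default install location; pass your own with -ProgramFolder.
    [string]$ProgramFolder = "$env:ProgramFiles\Pale Moon"
)

# Principals expected to hold write rights in a program folder (assumption).
# CREATOR OWNER is a placeholder ACE Windows applies to an object's creator.
$trustedPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'
)
# Any of these rights lets a principal drop or replace files in the folder.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor `
             [System.Security.AccessControl.FileSystemRights]::Modify -bor `
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-ProgramFolderWritable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Folder not found: $Path"
        return $null
    }
    $findings = @()
    # Per-user installs are owned by the user, so user-level code can replace binaries.
    if ($Path -like "$env:LOCALAPPDATA\*" -or $Path -like "$env:APPDATA\*") {
        $findings += "Installed inside the user profile: $Path"
    }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trustedPrincipals -contains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) {
            $findings += "$($ace.IdentityReference.Value) has $($ace.FileSystemRights) on $Path"
        }
    }
    # Unary comma keeps an empty array from collapsing to $null on return.
    return ,$findings
}

$result = Test-ProgramFolderWritable -Path $ProgramFolder
if ($null -ne $result) {
    if ($result.Count -eq 0) { "OK: only trusted principals can write to $ProgramFolder" }
    else { $result | ForEach-Object { "RISK: $_" } }
}
```

Only the top-level folder's ACL is inspected; run it against any subfolder the program loads DLLs from as well, since inherited ACEs can differ there.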

Update

To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Click About Pale Moon and Check for Updates.


Release Notes

