Pale Moon Version 28.16.0 Released With Security Updates

Pale Moon has been updated to version 28.16.0.  This is a development and security update.

Note: Included in the updates are DiD* patches.

*DiD stands for "Defense-in-Depth" and is a fix that does not apply to an actively exploitable vulnerability in Pale Moon but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.

Note for Linux users: With CentOS 6 going end-of-life, this version will be the last for which we will be building 32-bit Linux official binaries to download. While your distribution may choose to continue offering 32-bit versions of the browser, built from source by the maintainers, we won't be offering any further official 32-bit Linux binaries on our website. Please check with your distribution's package maintainers to know if further 32-bit support will be available on your particular flavor of Linux.

Changes/fixes:

• Aligned CSS tab-size with the specification and un-prefixed it.
• Updated Brotli library to 1.0.9.
• Updated JAR lib code.
• Optimized UI code, resulting in smaller downloads and less space consumed on disk.
• Changed the default Firefox Compatibility version number to 68.0 (since versions ending in .9 makes some frameworks unhappy, refusing access to users)
• Cleaned up HPKP leftovers.
• Disabled the DOM filesystem API by default.
• Removed Phone Vibrator API.
• Fixed an issue where the software uninstaller would not remove the program files it should.
• Fixed a devtools crash related to timeline snapshots.
• Fixed an issue in Skia that could cause unsafe memory access. DiD
• Fixed several data race conditions. DiD
• Fixed an XSS vulnerability where scripts could be executed when pasting data into on-line editors.
• Linux: Fixed an overflow issue in freetype.
• Security issues addressed: CVE-2020-26960, CVE-2020-26951, CVE-2020-26956, CVE-2020-15999 and several others that do not have a CVE designation.
• Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 4 defense-in-depth, 3 rejected, 20 not applicable.

Implementation notes:

• Windows binaries should all be properly code-signed again.
• The uninstaller issue might only appear if you have not used the internal updater to update the browser after installation.
• The DOM Filesystem and dir picker APIs are, in practice, not used on websites. We've disabled these web-exposed APIs because they are not entirely without potential risk, and intend to remove them in a future version unless there is a demonstrable need to keep them as optional (unsupported) APIs in the platform.
• One of the rejected security patches deals with entering a single word in the address bar. Standard browser behavior in that situation is for browsers to do a normal network lookup of that word in case it is a LAN machine name (other browsers also do this) which may "leak" your entered search term to the LAN. If you want to avoid this, please always use the search box for entering web searches, as it's unambiguous what to do with single words in that case.

 Pale Moon includes both 32- and 64-bit versions for Windows:

• 32x:  Pale Moon - x32 builds
• 64x:  Pale Moon - x64 builds

Update

To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

Release Notes

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Adobe Acrobat and Reader Optional Hotfix Released

Adobe has released an optional hotfix for Adobe Acrobat and Reader for Windows and macOS that addresses some important bug fixes.

Release date:  November 23, 2020
Vulnerability identifier: None
Platform: Windows and MacOS

Bug fixes

Browser:

• 4317476: Performance issues while loading PDFs in IE Browser and SAP tools
• 4317186: IE Browser & SAP tools crashing when opening second PDF

Update or Complete Download

Reader DC and Acrobat DC were updated to version 20.013.20066.

 Update checks can be manually activated by choosing Help/Check for Updates. 

• Reader DC and other versions are available here:  https://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
  
• Acrobat DC for Windows is available here:  http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows

Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

References

• PSIRT
• Release Notes
• Security Bulletin
• System Requirements

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Mozilla Firefox Version 83.0 Released with Security Updates

Mozilla sent Firefox Version 83.0 to the release channel today.  The update includes seven security updates of which four (4) are rated high, eleven (11) moderate and six (6) rated low.

Firefox ESR was updated to Version 78.5.

High

• #CVE-2020-26951: Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code
• #CVE-2020-26952: Out of memory handling of JITed, inlined functions could lead to a memory corruption
• #CVE-2020-26968: Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5
• #CVE-2020-26969: Memory safety bugs fixed in Firefox 83

 Moderate

• #CVE-2020-16012: Variable time processing of cross-origin images during drawImage calls
• #CVE-2020-26953: Fullscreen could be enabled without displaying the security UI
• #CVE-2020-26954: Local spoofing of web manifests for arbitrary pages in Firefox for Android
• #CVE-2020-26955: Cookies set during file downloads are shared between normal and Private Browsing Mode in Firefox for Android
• #CVE-2020-26956: XSS through paste (manual and clipboard API)
• #CVE-2020-26957: OneCRL was not working in Firefox for Android
• #CVE-2020-26958: Requests intercepted through ServiceWorkers lacked MIME type restrictions
• #CVE-2020-26959: Use-after-free in WebRequestService
• #CVE-2020-26960: Potential use-after-free in uses of nsTArray
• #CVE-2020-15999: Heap buffer overflow in freetype
• #CVE-2020-26961: DoH did not filter IPv4 mapped IP Addresses

  Low

• #CVE-2020-26962: Cross-origin iframes supported login autofill
• #CVE-2020-26963: History and Location interfaces could have been used to hang the browser
• #CVE-2020-26964: Firefox for Android's Remote Debugging via USB could have been abused by untrusted apps on older versions of Android
• #CVE-2020-26965: Software keyboards may have remembered typed passwords
• #CVE-2020-26966: Single-word search queries were also broadcast to local network
• #CVE-2020-26967: Mutation Observers could break or confuse Firefox Screenshots feature

New

• Firefox keeps getting faster as a result of significant updates to SpiderMonkey, our JavaScript engine, you will now experience improved page load performance by up to 15%, page responsiveness by up to 12%, and reduced memory usage by up to 8%. We have replaced part of the JavaScript engine that helps to compile and display websites for you, improving security and maintainability of the engine at the same time.

• Firefox introduces HTTPS-Only Mode. When enabled, this new mode ensures that every connection Firefox makes to the web is secure and alerts you when a secure connection is not available. You can enable it in Firefox Preferences.

• Pinch zooming will now be supported for our users with Windows touchscreen devices and touchpads on Mac devices. Firefox users may now use pinch to zoom on touch-capable devices to zoom in and out of webpages.

• Picture-in-Picture now supports keyboard shortcuts for fast forwarding and rewinding videos: use the arrow keys to move forward and back 15 seconds, along with volume controls. For a list of supported commands see Support Mozilla

• When you are presenting your screen on a video conference in Firefox, you will see our improved user interface that makes it clearer which devices or displays are being shared.

• We’ve improved functionality and design for a number of Firefox search features:

  • Selecting a search engine at the bottom of the search panel now enters search mode for that engine, allowing you to see suggestions (if available) for your search terms. The old behavior (immediately performing a search) is available with a shift-click.
  • When Firefox autocompletes the URL of one of your search engines, you can now search with that engine directly in the address bar by selecting the shortcut in the address bar results.
  • We’ve added buttons at the bottom of the search panel to allow you to search your bookmarks, open tabs, and history.

• Firefox supports AcroForm, which will allow you to fill in, print, and save supported PDF forms and the PDF viewer also has a new fresh look.

• Our users in India on the English build of Firefox will now see Pocket recommendations in their new tab featuring some of the best stories on the web. If you don’t see them, you can turn on Pocket articles in your new tab by following these steps.

• For the recently released Apple devices built with Apple Silicon CPUs, you can use Firefox 83 and future releases without any change. This release (83) will support emulation under Apple’s Rosetta 2 that ships with macOS Big Sur. We are working toward Firefox being natively-compiled for these CPUs in a future release.

• This is a major release for WebRender as we roll out to more Firefox users on Windows 7 and 8 as well as on macOS 10.12 to 10.15.

Fixed

• This release also includes a number of accessibility fixes:

  • Screen reader features which report paragraphs now correctly report paragraphs instead of lines in Google Docs
  • When reading by word using a screen reader, words are now correctly reported when there is punctuation nearby
  • The arrow keys now work correctly after tabbing in the picture-in-picture window

• For users on macOS restoring a session with minimized windows, Firefox now uses much less power and you should see much longer battery life.

References

• Common questions after updating Firefox
• Security Updates
  
• Release Notes
• Rapid Release Calendar

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Lest We Forget

The "eleventh hour of the eleventh day of the eleventh month" of 1918.  Whether you call it Veteran's Day, Armistice Day or Remembrance Day, November 11th is a time to put aside politics and pay tribute to all who died for their country.  It is also a perfect time to thank the Veterans in whatever country you live in.

As in previous years, I am republishing a portion of my friend Canuk's last tribute and, once again, adding a special thank you to my friends Mitch the "Phantom Phixer" and Larry, "Ghost".

The comment Canuk posted provides one example of why he was a special person:

"I too "will remember your friends who never had a full life", while thanking you and your comrades who have served with pride, honesty and honour."

LEST WE FORGET

We Shall Keep the Faith by Moira Michael, November 1918 Oh! you who sleep in Flanders Fields, Sleep sweet - to rise anew! We caught the torch you threw And holding high, we keep the Faith With All who died. We cherish, too, the poppy red That grows on fields where valor led; It seems to signal to the skies That blood of heroes never dies, But lends a lustre to the red Of the flower that blooms above the dead In Flanders Fields. And now the Torch and Poppy Red We wear in honor of our dead. Fear not that ye have died for naught; We'll teach the lesson that ye wrought In Flanders Fields. Flags courtesy of3DFlags.com

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Microsoft November 2020 Security Updates

The Microsoft November security updates have been released and consist of 112 CVEs.  Of these 112 CVEs, 17 are rated Critical, 93 are rated Important and 2 are rated low in severity.  

The updates apply to the following:  Microsoft Windows, Microsoft Office and Microsoft Office Services and Web Apps, Internet Explorer, Microsoft Edge (EdgeHTML-based)m Microsoft Edge (Chromium-based), ChakraCore, Microsoft Exchange Server, Microsoft Dynamics, Microsoft Windows Codecs Library, Azure Sphere, Windows Defender, Microsoft Teams, Azure SDK, Azure DevOps, and Visual Studio.

An update to ADV990001 includes information on the new versions of Servicing Stack.  For information about Servicing Stack updates see Servicing Stack Updates (SSU).

The KBs listed below contain information about known issues with the security updates. 

KB Article	Applies To
4486714	SharePoint Server 2019
4486717	SharePoint Server 2016
4586781	Windows 10, version 2004, Windows Server version 2004, Windows 10, version 20H2, Windows Server version 20H2
4586786	Windows 10, version 1903, Windows Server version 1903, Windows 10, version 1909, Windows Server version 1909
4586793	Windows 10 Version 1809, Windows Server 2019
4586805	Windows 7, Windows Server 2008 R2 (Security-only update)
4586807	Windows Server 2008 (Monthly Rollup)
4586808	Windows Server 2012 (Security-only update)
4586817	Windows Server 2008 (Security-only update)
4586823	Windows 8.1, Windows Server 2012 R2 (Security-only update)
4586827	Windows 7, Windows Server 2008 R2 (Monthly Rollup)
4586830	Windows 10, version 1607, Windows Server 2016
4586834	Windows Server 2012 (Monthly Rollup)
4586845	Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)
4486714	SharePoint Server 2019
4486717	SharePoint Server 2016
4588741	Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, Microsoft Exchange Server 2019

Recommended Reading:   

See Dustin Childs review and analysis in Zero Day Initiative — The November Security Update Review.

For more information about the updates released today, see the new version of the Security Update Guide, described here.

Additional Update Notes:

• Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
  
• MSRT -- The Malicious Software Removal Tool is now run on a quarterly basis rather than monthly.  See Remove specific prevalent malware with Windows Malicious Software Removal Tool.
• Servicing Stack Updates -- A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update. Learn more about SSU's in Servicing Stack Updates (SSU)
• Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are also available via the Microsoft Update Catalog.
• For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
• Windows Update History:
  • Windows 10
  • Windows 8.1

References

• Security Update FAQ
• November Security Updates Guide

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Adobe Flash Player Update Released

Adobe released Version 32.0.0.453 of Adobe Flash Player for Windows, macOS, Linux and Chrome OS with important bug fixes.

Release date:  November 10, 2020
Vulnerability identifier:  None
Platform:  Windows, Macintosh, Linux and Chrome OS
 

From the Release Notes:

Flash Player End of Life Information
As previously announced in July 2017, Adobe will stop updating and distributing Flash Player after December 31, 2020.  We made this announcement in collaboration with several of our technology partners – including Apple, Facebook, Google, Microsoft and Mozilla.  Adobe will continue issuing regular Flash Player security patches while maintaining operating system and browser compatibility through the end of 2020.  For general information on the Adobe Flash Player EOL, please see our FAQ.  More information on Flash support options for enterprise customers is available here.

Update:

• With the option to 'Allow Adobe to install updates', the update will be automatic. Without that setting enabled, either install the update via the update mechanism when prompted or via the Download Center*.
• Windows 7 and earlier:  Installation links for Windows 7 and earlier are provided by Adobe at Installation problems | Flash Player | Windows 7 and earlier: 
• Flash Player for Internet Explorer - ActiveX
• Flash Player for Firefox/Pale Moon - NPAPI
• Flash Player for Opera and Chromium-based browsers - PPAPI
• Uninstaller (if needed) : http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe 
• Microsoft Edge and Internet Explorer 11:  The embedded ActiveX Flash for IE/EdgeClassic on Windows 8.1/10 remains at x.445. When security updates for Adobe Flash Player are released, the latest version for Windows 8.1 and 10 are automatically updated via Windows Update.
• Google Chrome:  Adobe Flash Player will be automatically updated to the latest Google Chrome version.
• Flash Player Uninstaller:  http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe
• Adobe AIR:  Adobe - Adobe AIR

*Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings/Applications/Manage Applications/Adobe Flash Player x.x.

References

• Adobe Priority Ratings
• AIR Download Center 
• Installing and Updating Flash Player - FAQ
• Release Notes
• Security Bulletin
• PSIRT

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Mozilla Firefox Version 82.0.3 Released With Critical Security Update

Mozilla sent Firefox Version Version 82.0.3 to the release channel today to fix a critical security vulnerability.  Firefox ESR was updated to Version 78.4.1.

Critical

• • CVE-2020-26950: Write side effects in MCallGetProperty opcode not accounted for

 References

• Common questions after updating Firefox
• Security Updates
• Release Notes
• Rapid Release Calendar

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Adobe Acrobat DC and Reader DC Security Updates Released

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical, important, and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.

Release date:  November 3, 2020
Vulnerability identifier: APSB20-67
Platform: Windows and MacOS

Update or Complete Download

Reader DC and Acrobat DC were updated to version 20.013.20064.  Updates should become available via the internal updater or checks can be manually activated by choosing Help/Check for Updates. 

• Reader DC and other versions are available here:  https://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
  
• Acrobat DC for Windows is available here:  http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows

Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

References

• PSIRT
• Release Notes
• Security Bulletin
• System Requirements

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...