Tuesday, July 18, 2017

Java SE Critical Security Update


Oracle released the scheduled critical security updates for its Java SE Runtime Environment software.  The update contains 32 new security fixes for Oracle Java SE.  28 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

Update

If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

Download Information

Download link:  Java SE 8u141

Verify your version:  http://www.java.com/en/download/testjava.jsp

Notes:
  • Minimally, uncheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional. Preferably, see the instructions below on how to handle "Unwanted Extras".
  • Starting with Java SE 7 Update 21 in April 2013, all Java Applets and Web Start Applications should be signed with a trusted certificate. It is not recommended to run untrusted or unsigned applets. See How to protect your computer against dangerous Java Applets

Critical Patch Updates

For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
  • 17 October 2017
  • 16 January 2018
  • 17 April 2018
  • 17 July 2018

Unwanted "Extras"

Although most people do not need Java on their computer, there are some programs and games that require Java. In the event you need to continue using Java, How-To Geek discovered a little-known and unpublicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates. Although the Ask Toolbar has been removed, that does not preclude the pre-checked option for some other unnecessary add-on.

Do the following to suppress the sponsor offers:
  1. Launch the Windows Start menu
  2. Click on Programs
  3. Find the Java program listing
  4. Click Configure Java to launch the Java Control Panel
  5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
  6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.

Java Security Recommendations


1) In the Java Control Panel, at minimum, set the security level to High.
2) Keep Java disabled until needed: uncheck the box "Enable Java content in the browser" in the Java Control Panel.
3) Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...




Wednesday, July 12, 2017

Pale Moon Version 27.4.0 Released with Security Updates


Pale Moon version 27.4.0 has been released with security fixes, including DiD* patches.
*DiD stands for "Defense-in-Depth" and is a fix that does not apply to an actively exploitable vulnerability in Pale Moon but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.
This is a major update to address most of the media streaming issues users have had.  In addition, the update includes enhancements, bug fixes and security fixes to the browser.


Details from the Release Notes:

Security fixes:
  • Removed preloading of HPKP hosts and enabled HPKP header enforcement.
  • Added support for TLS 1.3, the up-next secure connection protocol.
  • Fixed an issue with TLS 1.3 not supporting renegotiation by design.
  • Relaxed some restrictions for CSP to temporarily work around web compatibility issues with the CSP-3 deprecated child-src directive.
  • Updated NSS to 3.28.5.1-PM to address some security issues.
  • Updated the installer selfextractor module to address unsafe loading of libraries.
  • Changed the way certain resources are included to reduce effectiveness of some common fingerprinting techniques. (e.g. browserleaks.org)
  • Fixed a regression in the display of security information in the page info dialog for insecure content.
  • Fixed two potential issues with allocating memory for video. DiD
  • Fixed a potential issue with the network prediction algorithm. DiD
  • Restricted the use of Aspirational scripts in IDNs to prevent domain spoofing, in anticipation of the UAX#31 update making this official.
  • Prevented a Mac font specific issue that could be abused for domain spoofing (CVE-2017-7763)
  • Fixed several potentially exploitable crashes. (CVE-2017-7751) (CVE-2017-7757) and some that do not have a CVE designation.
Changes/fixes:
  • Completely re-worked the Media Source Extensions code to make it spec compliant, and asynchronous as per specification for MSE with MP4. This should fix playback problems on YouTube, Twitch, Vimeo and other sites that previously had some issues. A massive thank you to Travis for his tireless work on making this happen!
    Please note that MSE+WebM (disabled by default) is not using this new code yet (planned for the next release), and as such there is a temporary set of things to keep in mind if you don't use default settings:
    • If you have previously enabled MSE+WebM, this setting will be reset when you update to avoid conflicting settings with the updated MSE code.
    • We've added an extra setting in Options to disable the updated MSE code (asynchronous use) in case you need to use WebM or are otherwise having issues with the updated code (please let us know in that case).
    • Once again, the MSE+WebM and Asynchronous MSE use are currently mutually exclusive. You can have one or the other, not both, until we sort out the code for WebM. To enable MSE+WebM you will first have to disable Asynchronous MSE in settings (otherwise the WebM setting will be greyed out and disabled).
  • Added a control in options/preferences for HSTS and HPKP usage.
  • Changed HTML bookmark exports to write CRLF line endings to the file on Windows.
  • Leveraged multi-core rendering for libVPX (VP8/VP9 WebM decoding).
  • Fixed some issues accessing DeviantArt (useragent-sniffing).
  • Aligned CSS text-align with the spec.
  • Added a recovery module for browser initialization issues (e.g. when using a wrong language pack).
  • Fixed spurious console errors for XHR requests with certain http response codes.
  • Enabled v-sync aligned refresh for a smoother scrolling experience.
  • Removed support for CSS XP-theme media queries.
  • Improved console error reporting.
  • Fixed resetting toolbars and controls from the safe mode dialog.
  • Fixed bookmark recovery option from the safe mode dialog.
  • Fixed innerText getters for display:none elements.
  • Fixed a GL buffer crash that might occur with certain combinations of drivers and hardware.
  • Added some more details to about:support.
  • Fixed a potential crash when the last audio device is removed during playback.
  • Fixed a crash on about:support when windowless browsers are created.
  • Updated
  • Updated the interpretation of 2-digit years in date formats to match other browsers: 0-49 = 2000-2049, 50-99 = 1950-1999.
  • Added q units to CSS (quarter of a millimeter).
  • Added .origin property to blobs.
  • Fixed several minor layout issues.
  • Fixed disabled HTML elements not producing the proper JS events.
  • Implemented web content handler blacklist according to the spec, allowing more than feeds to be registered.
  • Fixed a spec compliance issue with execCommand() on HTML elements.
  • Fixed a problem with table borders being drawn uneven or being omitted when zooming the page.
  • Added devtools "filter URLs" option in the network panel.
  • Added visual sorting options to the Network inspector.
  • Added importing of login data from Chrome profiles on Windows (Chrome has to be closed first).
  • Added importing of tags from bookmark export files (HTML format).
  • Updated usage of SourceMap headers with the updated spec (SourceMap header, keeping X-SourceMap as a fallback).
  • Fixed several cases of wrongly-used negations in JS modules.
  • Added the auxclick mouse event.
  • Added a control to not autoplay video unless it is in view (media.block-play-until-visible).
  • Updated the Graphite font library to 1.3.10.
  • Updated how image and media elements respond to window size changes (responsive design).
  • Added parsing and use of rotation meta data in video.
  • Fixed several crashes in a number of modules.
  • Fixed performance regression for scaling large vector images (e.g. MSIE Chalkboard test)
  • Fixed some issues with notification icons.
  • Fixed some internal errors with live bookmarks.
  • Updated SQLite to 3.19.3.
  • Fixed several reported issues with devtools (cli-cookies, cli help, copying cURL, inspecting SVGs, element size calculations, etc.)
  • Fixed an issue where a server response was allowed to override add-ons' specified version ranges even for add-ons that have strict compatibility (e.g. themes, language packs).

Minimum system Requirements (Windows):
  • Windows Vista/Windows 7/8/10/Server 2008 or later
  • Windows Platform Update (Vista/7) strongly recommended
  • A processor with SSE2 instruction support
  • 256 MB of free RAM (512 MB or more recommended)
  • At least 150 MB of free (uncompressed) disk space
Pale Moon includes both 32- and 64-bit versions for Windows, Pale Moon Portable, Pale Moon for Linux and Pale Moon for Android.

    Update

    To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.




    Tuesday, July 11, 2017

    Microsoft Security Updates for July, 2017




    The July security release consists of security updates for the following software:
    • Internet Explorer
    • Microsoft Edge
    • Microsoft Windows
    • Microsoft Office and Microsoft Office Services and Web Apps
    • .NET Framework
    • Adobe Flash Player
    • Microsoft Exchange Server


The updates address Remote Code Execution, Denial of Service, Information Disclosure and Elevation of Privilege vulnerabilities in 57 CVEs, of which 19 are Critical, 35 Important and 3 Moderate in severity.

    For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

For a complete list of the CVEs addressed in the July update, see The July 2017 Security Update Review by Dustin Childs.


      Additional Update Notes

      • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
      • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 
      • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.






        Adobe Flash Player Security Update Released


        Adobe has released Version 26.0.0.137 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

These updates address vulnerabilities that could lead to remote code execution, information disclosure and memory address disclosure.

        Release date:  July 11, 2017
        Vulnerability identifier: APSB17-21
        CVE Numbers:   CVE-2017-3080, CVE-2017-3099, CVE-2017-3100
        Platform: Windows, Macintosh, Linux and Chrome OS

        Update:

        *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

          Verify Installation

          To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

          Do this for each browser installed on your computer.

          To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.










          Saturday, July 01, 2017

          Windows Insider MVP!

          What a great way to start the day!  🐱‍👤
          "Congratulations! Thank you for your continued contributions to the Windows community, we are excited to re-award you as a Windows Insider MVP. This award is a token of our appreciation, your leadership and passion help make Windows the best yet. We look forward to our on-going collaboration with you and all of our Windows Insider MVPs as we continue to strengthen the Windows Insider MVP (WI MVP) Program."



          Thursday, June 29, 2017

          Mozilla Firefox Version 54.0.1 Released


Mozilla sent Firefox Version 54.0.1 to the release channel today. Firefox ESR was updated to version 52.2.1.

          The update includes a number of bug fixes.

          The next scheduled release is August 8, 2017 (5 week cycle with release for critical fixes as needed).

          Fixes:

          To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


          Tuesday, June 13, 2017

          Mozilla Firefox Version 54.0


Mozilla sent Firefox Version 54.0 to the release channel today. Firefox ESR was updated to version 52. The update includes one critical, eight high and one moderate security fix.

          The next scheduled release is August 8, 2017 (5 week cycle with release for critical fixes as needed).

          New
          • Added Burmese (my) locale
          • Added support for multiple content processes (e10s-multi)
          • Simplified the download button and download status panel

          Changed
          • Moved the mobile bookmarks folder to the main bookmarks menu for easier access
          Update:

          To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


          Microsoft Security Updates for June, 2017



          The June Microsoft updates address vulnerabilities in Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office and Microsoft Office Services and Web Apps, Silverlight, Skype for Business and Lync and Adobe Flash Player for Windows 8.1 and above.  Addressed in the updates are Remote Code Execution and Elevation of Privilege.  

          Known Issues
          4022717
          4022726
          4022715


          For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Information about the update for Windows 10 is available at Windows 10 Update history.

          To have a better understanding about the updates released today, see the Zero Day Initiative — The June 2017 Security Update Review by Dustin Childs.

            Additional Update Notes

            • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
            • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 
            • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.






Adobe Critical Shockwave Player Update

Adobe has released a critical security update for Adobe Shockwave Player. The update addresses a memory corruption vulnerability that could potentially lead to remote code execution.

              Although I have yet to need Shockwave Player on this computer, there are still many people who use it.  If you have Shockwave Player installed, please update to the latest version.

              Release date: June 13, 2017
              Vulnerability identifier: APSB17-18

              CVE number: CVE-2017-3086
              Platform: Windows

              The newest version 12.2.9.199 is available here: http://get.adobe.com/shockwave/.  As usual, watch for any pre-checked add-ons not needed for the update.


              Adobe Flash Player Critical Security Update


              Adobe has released Version 26.0.0.126 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

              These updates address critical vulnerabilities including a use-after-free vulnerability that could lead to code execution and memory corruption vulnerabilities that could lead to remote code execution.

              Release date:  June 13, 2017
              Vulnerability identifier: APSB17-17
              CVE Numbers:   CVE-2017-3075, CVE-2017-3081, CVE-2017-3083, CVE-2017-3084, CVE-2017-3076, CVE-2017-3077, CVE-2017-3078, CVE-2017-3079, CVE-2017-3082
              Platform: Windows, Macintosh, Linux and Chrome OS

              Update:

              *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

                Verify Installation

                To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

                Do this for each browser installed on your computer.

                To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.










                Sunday, May 28, 2017

                Memorial Day: Remembering Those Who Gave Their All for Their Country

                Vietnam Memorial Wall
                April 30, 2005
                Photograph by Luigi Masu

                Memorial Day is a day set aside to remember those who have died in the service of their country.  It is also a time when I remember a very special Canadian who likely knew more about U.S. politics and history than most U.S. citizens. Memorial Day 2007 was his last blog post, reading in part:
                "Memorial Day was officially proclaimed on 5 May 1868 by General John Logan, national commander of the Grand Army of the Republic, in his General Order No. 11, and was first observed on 30 May 1868, when flowers were placed on the graves of Union and Confederate soldiers at Arlington National Cemetery. The first state to officially recognize the holiday was New York in 1873. By 1890 it was recognized by all of the northern states. The South refused to acknowledge the day, honoring their dead on separate days until after World War I (when the holiday changed from honoring just those who died fighting in the Civil War to honoring Americans who died fighting in any war). For more history of Memorial Day visit Memorial Day History."


                Tuesday, May 09, 2017

                Microsoft Security Updates for May, 2017


                After today, Windows 10 devices running version 1507 will no longer receive security and quality updates.  Instructions on how to update to the latest Windows 10 version are available in this Microsoft support article.

                May Security Update Details:

                The May Microsoft updates address vulnerabilities in  Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office and Microsoft Office Services and Web Apps, .NET Framework and Adobe Flash Player for Windows 8.1 and above.  Addressed in the updates are Remote Code Execution and Elevation of Privilege.  

                For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Information about the update for Windows 10 is available at Windows 10 update history.

For a more detailed analysis of the updates released today, see Zero Day Initiative — The May 2017 Security Update Review by Dustin Childs.
                 

                  Additional Update Notes

                  • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
                  • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 
                  • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.






                    Adobe Flash Player Critical Update


                    Adobe has released Version 25.0.0.171 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

                    These updates address critical vulnerabilities including a use-after-free vulnerability that could lead to code execution and memory corruption vulnerabilities that could lead to code execution.

                    Release date:  May 9 11, 2017
                    Vulnerability identifier: APSB17-15
                    CVE number: CVE-2017-3068, CVE-2017-3069, CVE-2017-3070, CVE-2017-3071, CVE-2017-3072, CVE-2017-3073, CVE-2017-30744
                    Platform: Windows, Macintosh, Linux and Chrome OS

                    Update:

                    *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

                      Verify Installation

                      To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

                      Do this for each browser installed on your computer.

                      To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.










                      Monday, May 08, 2017

                      Security Update for Microsoft Malware Protection Engine



                      Microsoft released Security Advisory 4022344 about an update to the Microsoft Malware Protection Engine.  The update addresses a security vulnerability that was reported to Microsoft.

                      The vulnerability addressed in the update could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. According to the Advisory,
                      "An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system."

                      An updated MSRT will be included with the Security Updates on May 9.  Windows Defender will automatically update or can be manually launched and checked for updates.


                      False/Positives of WinPatrol wpsetup.exe and Access to Website


Since the new release of WinPatrol Version 35.5.2017.8 was announced, there have been reports of wpsetup.exe being detected as a trojan. I reached out to Bret Lowry, who gave me permission to share information about both the false positives and the problems reaching WinPatrol.com.

False Positives

                      Those are false positives; we have reported them to most of the manufacturers.
Many are due to BitDefender having a false positive:
• Emsisoft
• GData
• eScan
• Ad-Aware

                      All use BitDefender under the covers. You can tell by looking at the detection name in VirusTotal.
                      Symantec reports ALL new binaries as a potential threat until the manufacturer contacts them, that is how they are handling the flood of new malware. They’ve been doing that for years now but no one calls them out for it out of fear of the giant.

                      It is due to our using the InstallMate installer.
                      The installer is not infected. {emphasis added}

                      What would be super helpful would be a grass roots campaign demanding VirusTotal act responsibly by providing a link on their site for reporting false positives directly to the manufacturer in question.

                      Access to WinPatrol.com

There have also been reports of problems reaching the WinPatrol website. Bret indicated that the slowness is not due to problems at WinPatrol.com. Rather, the issue is due to the Internet backbone company Level3. As can be seen from the following link to the Level3 Outage map, the problem with Level3 connectivity is widespread: http://downdetector.com/status/level3/map/

Although I found access slow earlier today, I was able to get the update by launching WinPatrol and selecting "Check for Save Updates" from the PLUS tab.

                      You can find the unofficial WinPatrol forum at LandzDown here


                      WinPatrol Update Released


                      WinPatrol Version 35.5.2017.8 was released with several fixes to better align with Windows 10.

                      Fixes:
                      • Fixed addition of Startup programs to be compatible with recent changes to Windows 10.
                      • Fixed removal of Startup programs to be compatible with recent changes to Windows 10.
• Disabled and removed the checkbox for "Allow PLUS info data collection" because recent changes in allowed URL length resulted in no data being returned for customers.

                      Direct Download Link: WinPatrol Version 35.5.2017.8


                      You can find the unofficial WinPatrol forum at LandzDown here.



                      Friday, May 05, 2017

Mozilla Firefox Version 53.0.2 Released


Mozilla sent Firefox Version 53.0.2 to the release channel today. (No references made to version 53.0.1.) When checking, I wasn't offered an update to Firefox ESR.

                      The next scheduled release is June 13, 2017 (5 week cycle with release for critical fixes as needed).

                      Security Fix:

                      Fixed

                      • Make form validation errors and date picker panel visible to the user (Bug 1341190)

                      Changed

                      • The non-standard showDialog argument to window.find is now ignored (Bug 1348409)
                        Update:

                        To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.





                          Friday, April 28, 2017

Pale Moon Version 27.3 Released with Security Updates


                          Pale Moon has been updated to Version 27.3.  Included in the updates are DiD* patches.
                          *DiD stands for "Defense-in-Depth" and is a fix that does not apply to an actively exploitable vulnerability in Pale Moon but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.

                          Note that Version 27.3 is a major development update with many changes in the media back-end.  As a result, it is important to realize that some aspects are still a work in progress and some html5 video playback issues with MSE (Media Source Encryption) may be encountered.

                          Details from the Release Notes:

                          Security/privacy changes:
                          • Updated NSS to 3.28.4-RTM to address a number of issues.
                          • Added support for RSA-AES(-GCM)-SHA256/384 suites to broaden compatibility.
                          • Reconfigured networking security: disabled static DHE suites by default, enabled all RSA-AES(-GCM)-SHA256/384 suites in their stead.
                          • Fixed referrer policy keyword to align with the current spec ("cross-origin" vs "crossorigin").
                          • Added an option to display punycode domain for IDN websites to combat phishing.
                            This is enabled by default for domain-validated https sites.
                            Preference: browser.identity.display_punycode
                            0 = Display IDN name in identity panel (previous behavior)
                            1 = Display punycode name for DV SSL domains (default)
                            2 = Also display punycode for HTTP sites if IDN name used
                          • Fixed an issue to prevent contacting remote servers when a connection might get blocked.
                          • Fixed 3 public security flaws in libevent, which may affect Mozilla-based products. DiD
                          • Fixed several memory- and thread-safety hazards.
                          • Fixed an address bar spoofing issue. (CVE-2017-5451)
                          • Fixed a potentially exploitable crash with HTTP/2. (CVE-2017-5446)
                          • Fixed several security hazards in XSLT processing. (CVE-2017-5438) (CVE-2017-5439) (CVE-2017-5440)
                          • Fixed several security hazards in old protocols. (CVE-2017-5444) (CVE-2017-5445)
                          • Fixed out-of-bounds access in text formatting. (CVE-2017-5447)
                          • Fixed a potentially exploitable issue with innerText. (CVE-2017-5442)
                          • Fixed a potentially exploitable issue in graphite font shaping.
                          • Fixed a potentially exploitable crash with credential-authentication.
                          • Fixed out-of-bounds access with text selection in rare cases.
                          • Fixed a security hazard in the ANGLE library.
                              Changes/fixes:
                              • Fixed up, checked and enabled vertical text writing modes!
                                Pale Moon will now be able to display vertical, right-to-left script.
                              • Added the option to reset non-default profiles.
                              • Fixed various issues in the WebP image decoder.
                              • Added internally-supported document types to allowed types.
                              • Fixed locale selection in ICU after update to ICU58.
                                (Note: Pale Moon uses the system locale for date formatting, not the browser locale)
                              • Re-implemented the previous spellchecker dictionary logic (allow user override of document/element language, improve logic and make it unambiguous).
                              • Ongoing fixes for the MP4 parser and MSE.
                              • Made HTML Media Elements' preload attribute MSE-spec compliant.
                                The preload attribute on HTML media elements is now ignored in the case of an MSE source. This prevents an issue with sourceopen not firing when preload="none".
                              • Fixed some issues with Windows WMF media playback.
                              • Fixed an issue with Synced preferences sometimes overwriting stored individual preferences.
                              • Fixed display of RSS folder icons.
                              • Fixed issues with custom context menus.
                              • Fixed an issue importing bookmarks with separators losing their extra data.
                              • Changed the way numeric addresses are handled in the address bar so it doesn't perform a search when it shouldn't.
                              • Added an option (browser.sessionstore.cache_behavior) to control from which source restored tabs pull their page content:
                                0 = load restored tab data from cache (current behavior, default)
                                1 = refresh restored tab data from the network
                                2 = refresh stored tab data from the network and bypass any cached data.
                              • Improved upon a v27 performance regression with SVG scaling.
                              • Improved performance by being more selective which CSS animations to process.
                                As a side-effect, elements changing their display from "none" to something visible now also animate.
                              • Increased memory allocation for the use of very large PAC files.
                              • Added menu entries for the permissions manager and improvements to its function and display.
                              • Added preferences to control "highlight all" behavior of the find bar:
                                accessibility.typeaheadfind.highlightallbydefault = true/false highlight all found words by default.
                                accessibility.typeaheadfind.highlightallremember = true/false remember the last-used state of Highlight All.
                              • Added devtools command-line options.
                              • Added remote IP and protocol to Devtools->Network entry details.
                              • Added support for
                                and HTML tags.
                              • Fixed a regression in the MSIE profile migrator.
                              • Removed migration of browser-specific settings when migrating data from IE/Safari.
                              • Implemented optional parameters for permessage-deflate in preparation for RFC7692 errata making acceptance of them mandatory (and to prevent web compat issues due to the current conflicting text of it).
                              • Made the image document favicon skinnable.
                              • Aligned DOM selection addRange with the spec.
                              • Exposed mozAnon constructor js binding to system scopes for XHR.
                              • Enhanced form data handling from JavaScript.
                              Minimum System Requirements (Windows):
                              • Windows Vista/Windows 7/8/10/Server 2008 or later
                              • Windows Platform Update (Vista/7) strongly recommended
                              • A processor with SSE2 instruction support
                              • 256 MB of free RAM (512 MB or more recommended)
                              • At least 150 MB of free (uncompressed) disk space
                              Pale Moon includes both 32- and 64-bit versions for Windows, Pale Moon Portable, Pale Moon for Linux and Pale Moon for Android.

                                Update

                                To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.


                                References:




                                Wednesday, April 19, 2017

                                Mozilla Firefox Version 53.0 Released with Massive Security Updates


                                Mozilla sent Firefox Version 53.0 to the release channel today.  The update includes a massive 35 security updates identified as eight (8) Critical, sixteen (16) High, seven (7) Moderate updates and four (4) low security updates.  Firefox ESR was updated to version 45.9.0.

                                The next scheduled release is June 13, 2017 (5 week cycle with release for critical fixes as needed).

                                Security Fixes:

                                Critical

                                High

                                Moderate

                                Low

                                New

                                • Improved graphics stability for Windows users with the addition of compositor process separation (Quantum Compositor)
                                • Two new 'compact' themes available in Firefox, dark and light, based on the Firefox Developer Edition theme
                                • Lightweight themes are now applied in private browsing windows
                                • Reader Mode now displays estimated reading time for the page
                                • Windows 7+ users on 64-bit OS can select 32-bit or 64-bit versions in the stub installer

                                Changed

                                • Updated the design of site permission requests to make them harder to miss and easier to understand
                                • Windows XP and Vista are no longer supported. XP and Vista users running Firefox 52 will continue to receive security updates on Firefox ESR 52.
                                • 32-bit Mac OS X is no longer supported. 32-bit Mac OS X users can switch to Firefox ESR 52 to continue receiving security updates.
                                • Updates for Mac OS X are smaller in size compared to updates for Firefox 52
                                • Media playback on new tabs is blocked until the tab is visible
                                • The last few characters of shortened tab titles fade out instead of being replaced by ellipses to keep more of the title visible
                                • New visual design for audio and video controls
                                • Ended Firefox Linux support for processors older than Pentium 4 and AMD Opteron
                                Update:

                                To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

                                  References








                                  Tuesday, April 18, 2017

                                  Oracle Java Critical Security Updates Released

                                  java

                                  Oracle released the scheduled critical security updates for its Java SE Runtime Environment software.  The update contains eight (8) new security fixes for Oracle Java SE. 
                                  Details for the CVEs addressed in the update are available here.

                                  Update

                                  If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

                                  Download Information

                                  Download link:  Java SE 8u131

                                  Verify your version:  http://www.java.com/en/download/testjava.jsp

                                  Notes:
                                  • Minimally, UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.  Preferably, see the instructions below on how to handle "Unwanted Extras". 
                                  • Starting with Java SE 7 Update 21 in April 2013, all Java Applets and Web Start Applications should be signed with a trusted certificate.  It is not recommended to run untrusted/unsigned Certificates.  See How to protect your computer against dangerous Java Applets

                                  Critical Patch Updates

                                  For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
                                  • 18 July 2017
                                  • 17 October 2017
                                  • 16 January 2018
                                  • 17 April 2018

                                  Unwanted "Extras"

                                  Although most people do not need Java on their computer, there are some programs and games that require Java.  In the event you need to continue using Java, How-to Geek discovered a little-known and unpublicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates.  Although the Ask Toolbar has been removed, that does not preclude the pre-checked option for some other unnecessary add-on.

                                  Do the following to suppress the sponsor offers:
                                  1. Launch the Windows Start menu
                                  2. Click on Programs
                                  3. Find the Java program listing
                                  4. Click Configure Java to launch the Java Control Panel
                                  5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
                                  6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.
                                  Java suppress sponsor offers

                                  Java Security Recommendations


                                  1)  In the Java Control Panel, at minimum, set the security to high.
                                  2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

                                  3)  Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml

                                  References



