Tuesday, November 14, 2017

Microsoft Security Updates for November, 2017



The November security release consists of 53 security updates, of which 20 are listed as Critical, 30 are rated Important and 3 are rated Moderate. The release covers the following software:
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • ASP.NET Core and .NET Core
  • Chakra Core
The updates address Remote Code Execution, Information Disclosure, "Defense in Depth", Denial of Service, Security Feature Bypass, Spoofing and Elevation of Privilege. Note: "Defense-in-Depth" is a fix that does not apply to an actively exploitable vulnerability but prevents future vulnerabilities caused by the same code when surrounding code changes expose the problem.

For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

Also see this month's Zero Day Initiative — The November 2017 Security Update Review by Dustin Childs in which he discusses ADV170020 - Microsoft Office Defense in Depth Update, CVE-2017-11830 - Device Guard Security Feature Bypass Vulnerability and CVE-2017-11877 - Microsoft Excel Security Feature Bypass Vulnerability.

Known Issues

    Additional Update Notes

    • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
    • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 
      Note: Users who are paranoid about the remote possibility of a false positive (FP) can opt to run this tool from a Command Prompt, appending a /N parameter [for "detect only" mode].
    • Windows 10 -- A summary of important product developments included in each update, with links to more details, is available at Windows 10 Update History. The page will be regularly refreshed as new updates are released.



      Remember - "A day without laughter is a day wasted."
      May the wind sing to you and the sun rise in your heart...





      Adobe Shockwave Player Critical Update

      Adobe has released a security update for Adobe Shockwave Player for Windows. This update resolves a critical memory corruption vulnerability that could lead to code execution.

      Although I have yet to need Shockwave Player on this computer, there are still many people who use it.  If you have Shockwave Player installed, please update to the latest version.

      Release date: November 14, 2017
      Vulnerability identifier: APSB17-40
      CVE number: CVE-2017-11294
      Platform: Windows

      The newest version 12.3.1.201 is available here: http://get.adobe.com/shockwave/.  As usual, watch for any pre-checked add-ons not needed for the update.


      Adobe Reader DC and Adobe Acrobat DC Security Updates Released


      Adobe has released security updates for Adobe Reader DC and Adobe Acrobat DC for Windows and Macintosh.  In addition, although Adobe Reader XI reached end-of-life last month, an update has also been released.  These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.  

      Release date:  November 9, 2017
      Vulnerability identifier: APSB17-36
      Platform: Windows and Macintosh

      Update or Complete Download

      Update checks can be manually activated by choosing Help > Check for Updates.  Although Reader DC and Acrobat DC are both updated to the 2018.009.20044 version, the unexpected update for Adobe Reader remains in the incremental version 11.
      Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.









      Adobe Flash Player Critical Security Update


      Adobe has released Version 27.0.0.187 of Adobe Flash Player.  The update addresses critical vulnerabilities that could lead to code execution for Microsoft Windows, Macintosh, Chrome and Linux.  The update also includes bug fixes.

      Release date:  November 14, 2017
      Vulnerability identifier: APSB17-33
      Platform: Windows and Macintosh

      Update:

      *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

        Verify Installation

        To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

        Do this for each browser installed on your computer.

        To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.










        Mozilla Firefox Version 57.0 Released with Security Updates


        Mozilla sent Firefox Version 57.0 to the release channel today.  The update includes four (4) security updates: 1 Critical, 1 High, 1 Moderate and 1 Low.

        Update:  Firefox ESR version 52.5 has been released.

        With this release, "legacy" (XUL-based) add-ons will no longer function.  This update changes the add-ons system to the WebExtensions API. The Mozilla Add-ons portal will list only WebExtensions-compatible add-ons by default.  Legacy extensions are listed separately under Tools > Add-ons.  From there, click "Find a Replacement" and check the three pages of available extensions.

        In addition, this update introduces the new Quantum engine (Firefox Quantum), which is replacing parts of the familiar old Gecko engine.

        Security Updates
        • Critical Vulnerability: Can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.
        • High Vulnerability:  Can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.
        • Moderate:  Vulnerabilities that would otherwise be High or Critical except they only work in uncommon non-default configurations or require the user to perform complicated and/or unlikely steps.
        • Low:  Minor security vulnerabilities such as Denial of Service attacks, minor data leaks, or spoofs. (Undetectable spoofs of SSL indicia would have "High" impact because those are generally used to steal sensitive data intended for other sites.)

        New

        • A completely new browsing engine, designed to take full advantage of the processing power in modern devices
        • A redesigned interface with a clean, modern appearance, consistent visual elements, and optimizations for touch screens
        • A unified address and search bar. New installs will see this unified bar. Learn how to add the stand-alone search bar to the toolbar
        • A revamped new tab page that includes top visited sites, recently visited pages, and recommendations from Pocket (in the US, Canada, and Germany)
        • An updated product tour to orient new and returning Firefox users
        • AMD VP9 hardware video decoder support for improved video playback with lower power consumption
        • An expanded section in preferences to manage all website permissions

        Changed

        • Firefox now exclusively supports extensions built using the WebExtension API, and unsupported legacy extensions will no longer work. Learn more about our efforts to improve the performance and security of extensions
        • The browser's autoscroll feature, as well as scrolling by keyboard input and touch-dragging of scrollbars, now use asynchronous scrolling. These scrolling methods are now similar to other input methods like mousewheel, and provide a smoother scrolling experience
        • The content process now has a stricter security sandbox that blocks filesystem reading and writing on Linux, similar to the protections for Windows and macOS that shipped in Firefox 56
        • Middle mouse paste in the content area no longer navigates to URLs by default on Unix systems
        • Removed the toolbar Share button. If you relied on this feature, you can install the Share Backported extension instead.
        • Some older versions of the ATOK IME, including ATOK 2006, 2008, 2009 and 2010, can cause crashes and are therefore disabled on the Windows 64-bit version of Firefox Quantum. To fix those incompatibility issues, please use a newer version of ATOK or one of other IMEs.
        • The default font for Japanese text is now Meiryo

          Update:

          To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


          Friday, November 10, 2017

          Lest We Forget

          Whether you call it Veteran's Day, Armistice Day or Remembrance Day, November 11th is a time to put aside politics and pay tribute to all who died for their country.  It is also a perfect time to thank the Veterans in whatever country you live in. 

          As in previous years, I am republishing my friend Canuk's last tribute and, once again, adding a special thank you to my friends "Phantom Phixer" and "Ghost".

          The comment Canuk posted provides one example of why he was a special person:
          "I too "will remember your friends who never had a full life", while thanking you and your comrades who have served with pride, honesty and honour.

          Despite anyone's thoughts of the current conflict in Iraq - opposition or agreement, we must always remember that these brave young men and women are fighting for a cause they also may or may not agree with. The huge difference between them and us is that they are putting their lives on the line 24/7 while we sit in our homes in comfort, using the freedom of speech previous warriors won for us, and for that they deserve our love, respect, and support."
          LEST WE FORGET




          We Shall Keep the Faith by Moina Michael, November 1918

          Oh! you who sleep in Flanders Fields,
          Sleep sweet - to rise anew!
          We caught the torch you threw
          And holding high, we keep the Faith
          With All who died.

          We cherish, too, the poppy red
          That grows on fields where valor led;
          It seems to signal to the skies
          That blood of heroes never dies,
          But lends a lustre to the red
          Of the flower that blooms above the dead
          In Flanders Fields.

          And now the Torch and Poppy Red
          We wear in honor of our dead.
          Fear not that ye have died for naught;
          We'll teach the lesson that ye wrought
          In Flanders Fields.

          Flags courtesy of 3DFlags.com












          Tuesday, November 07, 2017

          Pale Moon Version 27.6.0 Released With Security Updates


          Pale Moon has been updated to Version 27.6.0. This is a major development update. Details from the Release Notes:

          Security/privacy fixes:
          • Added an option to clear Site Connectivity Data (delete history).
          • Removed stale entries from the HSTS preload list, and improved generation/processing of it.
          • Removed undesired certificate issuer organization to common name fallback (if issuer org is empty).
          • Added pretty-printing for ECDSA-SHA224, 256, 384 and 512 hashed certificate signatures.
          • Worked around some more issues with broken Apple fonts.
          Changes/fixes:

          • Dropped support for Direct2D 1.0 to avoid font rendering issues. Windows installations not capable of using Direct2D 1.1 will now fall back to software rendering. As a result, fonts may look different from this version onwards if you are on Windows Vista or Windows 7. Users on Windows 7 affected by this should install the Platform Update to re-enable Direct2D.
          • Updated the Brotli decoder library, and enabled support for Brotli HTTP content-encoding by default.
          • Added notifications to inform users about WebExtensions not being supported if they try to install them (as opposed to "extension is corrupt")
          • Added a number of DOM childNode convenience functions. This should fix some lazy-loading frameworks.
            (enjoy your LOLcats again!)
          • Changed automatic updates over to the new infrastructure.
          • Added extra proxy settings in Options, covering DNS lookups through SOCKS v5 and automatic proxy authentication with known credentials.
          • Added a selectable fallback character encoding of UTF-8 and fallback to UTF-8 as a last effort. (Issue #1423)
          • Improved timing of canplay and canplaythrough firing to work around a potential race condition locking up queued video playback.
          • Improved upmixing of mono sound for multi-channel setups.
          • Fixed a parallelization issue with the KISS-FFT library causing CPU-deadlocked threads (Issue #1425)
          • Fixed "Remove from history" function from the downloads panel.
          • Forced focus on the address bar in new windows if the content is a blank/empty document.
          • Fixed the dropmarker in the address bar to allow the suggestions to be closed with a click.
          • Further cleaned up the status bar code.
          • Disabled window.showModalDialog; it's been removed from the spec 2 years ago and has potential abuse issues (modal dialogs block the UI)
          • Fixed image decoder calls to make sure the image load event doesn't fire prematurely.
          • Updated LibPNG to 1.6.28, and enabled faster SSE2 decoding.
          • Updated WOFF2 code from upstream.
          • Updated the zlib compression library.
          • Made general improvements to internal code structure and spec adherence.
          • Fixed an issue with certain command-line parameters being used.
          • Updated the default theme to improve consistency and contrast of toolbar and download buttons.
          • Increased the default duration of notification pop-ups and made them configurable.
          • Improved handling of audio-visual media (ongoing).
          • Fixed an issue in CSS where elements would sometimes reflow to the next line even with sufficient visual space.
          • Aligned the implementation of for(let x=y;;) loops with the final ES6 specification.
          • Fixed the selection system inside of a nested contenteditable element being broken.
          • Fixed Windows 10 detection for blocklisting graphics drivers.
          • Enabled pasting of clipboard data in documents without an editor element to improve web compatibility.
          • Fixed the uninstallation routine of restartless add-ons.
          • Fixed the handling of unimplemented functions in the console API.
          • Updated the Facebook user-agent to enable otherwise vendor-restricted functionality.
          • Updated the SVG scaling cache limit to be more lenient for larger SVG images at a small performance trade-off, working around some sites' design issues.
           Minimum system Requirements (Windows):
          • Windows Vista/Windows 7/8/10/Server 2008 or later
          • Windows Platform Update (Vista/7) strongly recommended
          • A processor with SSE2 instruction support
          • 256 MB of free RAM (512 MB or more recommended)
          • At least 150 MB of free (uncompressed) disk space
          Pale Moon includes both 32- and 64-bit versions for Windows:

          Update

          To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.






          Thursday, October 26, 2017

          Mozilla Firefox Version 56.0.2 Released


          Mozilla sent Firefox Version 56.0.2 to the release channel today.  The update includes several bug fixes.  There is no mention of the previously listed unresolved issues.

          Firefox ESR remains at version 52.4.0.

          Fixed

              Previously Listed Unresolved Issues

              • Due to a bug in Mac OS X High Sierra, fullscreen mode has some issues
              • Startup crash with RelevantKnowledge adware installed. Firefox Support has helpful instructions to remove it.
              • Startup crashes with 64-bit Firefox on Windows 7, for users of Lenovo's "OneKey Theater" software for IdeaPad laptops. To fix this crash, please re-install 32-bit Firefox.
              • Users running Firefox for Windows over a Remote Desktop Connection (RDP) may find that audio playback is disabled due to increased security restrictions. Learn how to mitigate this issue until it is corrected in an upcoming release

              Update:

              To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


              Wednesday, October 25, 2017

              Another Adobe Flash Player Update


              Adobe has released Version 27.0.0.183 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

              The update does not include any security fixes.  Rather, it provides an important functional fix impacting Flex content.  If impacted, it is recommended that the update be installed.  For those who have the option to 'Allow Adobe to install updates', the update will be automatic.

              Update:

              *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

                Verify Installation

                To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

                Do this for each browser installed on your computer.

                To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.










                Saturday, October 21, 2017

                Adobe Reader XI and Acrobat XI -- End-of-Life


                Adobe provides product support from the general availability date of Adobe Acrobat and Adobe Reader for five years.  The five-year date was October 15, 2017, meaning Adobe Reader XI and Acrobat XI have reached end-of-life.  As a result, Adobe will no longer be providing technical support for those products.  This also includes both product and, more importantly, security updates.

                If either or both of these programs are installed on your computer it is strongly advised that you uninstall them as soon as possible.  If you wish to stay with Adobe products, the Adobe Acrobat Reader DC can be downloaded from here.
                Note: UNcheck any pre-checked additional options presented with the download. They are not part of the software and are completely optional.
                If you use Windows 10, Microsoft Edge works great to read PDF documents.  In addition, new features are included in the Windows 10 Fall Creators Update.   See How Microsoft Edge will beat Chrome as the best PDF reader with the Fall Creators Update for additional information.

                Another alternative is Sumatra PDF:
                "Sumatra PDF is a free PDF, eBook (ePub, Mobi), XPS, DjVu, CHM, Comic Book (CBZ and CBR) reader for Windows.
                Sumatra PDF is powerful, small, portable and starts up very fast.
                Simplicity of the user interface has a high priority."

                h/t ky331

                References

                Adobe Acrobat XI and Adobe Reader XI End of Support
                Adobe Support Lifecycle Policy









                Wednesday, October 18, 2017

                Oracle Java Critical Security Updates Released


                Oracle released the scheduled critical security updates for its Java SE Runtime Environment software.  The update contains 22 new security fixes for Oracle Java SE.  Twenty-two (22) of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  

                Update

                If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

                Download Information

                Java SE 8u151/ 8u152
                Java™ SE Development Kit 8, Update 151 Release Notes
                Java™ SE Development Kit 8, Update 152 Release Notes
                Java SE Runtime Environment 8 - Downloads

                Java SE 9.0.1  (x64-bit only)
                Java™ SE Development Kit 9.0.1 Release Notes
                Java SE Runtime Environment 9 - Downloads
                Notes:
                • UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.  Preferably, see the instructions below on how to handle "Unwanted Extras".  
                • Oracle does not plan to migrate desktops from Java 8 to Java 9 through the auto update feature.  Therefore, it is strongly recommended that you uninstall JRE 8 prior to updating.
                • Verify your version at http://www.java.com/en/download/testjava.jsp.  Note:  The Java version verification page will only work if your browser has NPAPI support.  If it does not, check the version by opening a cmd window and entering the following (note the space following java):  java -version
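
The command-line check above, carried one step further as an added example (not code from the original post): it parses `java -version` output in both the legacy `1.8.0_151` numbering and the Java 9 `9.0.1` numbering, then compares the result with the releases named in this post. The function names and the sample banners are constructed for illustration.

```python
import re
import subprocess

# Patched releases named in this post, keyed by Java family.
# 8u152 is a later build of the same family, so 8u151 is the floor for Java 8.
BASELINES = {8: (8, 0, 151), 9: (9, 0, 1)}

_QUOTED_VERSION = re.compile(r'version "([^"]+)"')
_LEGACY = re.compile(r"1\.(\d+)\.(\d+)(?:_(\d+))?")

# Constructed sample banners in the shape `java -version` prints.
SAMPLES = {
    "java8_old": 'java version "1.8.0_144"\n'
                 "Java(TM) SE Runtime Environment (build 1.8.0_144-b01)\n",
    "java8_151": 'java version "1.8.0_151"\n'
                 "Java(TM) SE Runtime Environment (build 1.8.0_151-b12)\n",
    "java8_152": 'java version "1.8.0_152"\n',
    "java9_ga": 'java version "9"\n'
                "Java(TM) SE Runtime Environment (build 9+181)\n",
    "java9_patched": 'java version "9.0.1"\n'
                     "Java(TM) SE Runtime Environment (build 9.0.1+11)\n",
    "java7": 'java version "1.7.0_80"\n',
    "garbage": "'java' is not recognized as an internal or external command\n",
}


def parse_java_version(output):
    """Return (family, minor, update) from a `java -version` banner, or None."""
    match = _QUOTED_VERSION.search(output or "")
    if not match:
        return None
    # Drop build or pre-release suffixes such as "-ea" or "+11".
    core = re.split(r"[-+]", match.group(1), maxsplit=1)[0]
    legacy = _LEGACY.fullmatch(core)
    if legacy:
        # Legacy scheme: 1.<family>.<minor>_<update>, e.g. 1.8.0_151 is 8u151.
        family, minor, update = legacy.groups()
        return (int(family), int(minor), int(update or 0))
    # Java 9 scheme: <family>[.<minor>[.<security>]]; the 9 GA banner is just "9".
    parts = core.split(".")
    if not all(part.isdigit() for part in parts):
        return None
    numbers = [int(part) for part in parts[:3]]
    numbers += [0] * (3 - len(numbers))
    return tuple(numbers)


def assess(output):
    """Classify a banner as current, outdated, no-baseline or unknown."""
    version = parse_java_version(output)
    if version is None:
        return "unknown"
    baseline = BASELINES.get(version[0])
    if baseline is None:
        # This post names no patched release for that family.
        return "no-baseline"
    return "current" if version >= baseline else "outdated"


def installed_java_output():
    """Run `java -version`; the banner is written to stderr, not stdout."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=15)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        print(f"{name:14} {parse_java_version(banner)} -> {assess(banner)}")
    local = installed_java_output()
    print("this machine:", "java not found" if local is None else assess(local))
```
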

                Critical Patch Updates

                For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
                • 16 January 2018
                • 17 April 2018
                • 17 July 2018
                • 16 October 2018

                Unwanted "Extras"

                Although most people do not need Java on their computer, there are some programs and games that require Java.  In the event you need to continue using Java, How-to Geek discovered a little-known and unpublicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates.  Although the Ask Toolbar has been removed, that does not preclude the pre-checked option for some other unnecessary add-on.

                Do the following to suppress the sponsor offers:
                1. Launch the Windows Start menu
                2. Click on Programs
                3. Find the Java program listing
                4. Click Configure Java to launch the Java Control Panel
                5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
                6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.

                Java Security Recommendations

                1)  In the Java Control Panel, at minimum, set the security to high.
                2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

                3)  Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml





                Monday, October 16, 2017

                Adobe Flash Player Out-of-Band Critical Security Update


                Adobe has released Version 27.0.0.170 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

                The critical update addresses a report that an exploit for CVE-2017-11292 exists in the wild, and is being used in limited, targeted attacks against users running Windows.

                Release date:  October 16, 2017
                Vulnerability identifier: APSB17-32
                CVE Numbers:   CVE-2017-11292
                Platform: Windows, Macintosh, Linux and Chrome OS

                Update:

                *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

                  Verify Installation

                  To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

                  Do this for each browser installed on your computer.

                  To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.










                  Tuesday, October 10, 2017

                  Microsoft Security Updates for October, 2017



                  The October security release consists of 62 security updates, of which 27 are listed as Critical and 35 are rated Important. In particular, note that one CVE in Microsoft Office is listed as under active attack, and two other CVEs are listed as publicly known prior to release. The release covers the following software:
                  • Internet Explorer
                  • Microsoft Edge
                  • Microsoft Windows
                  • Microsoft Office and Microsoft Office Services and Web Apps
                  • Skype for Business and Lync
                  • Chakra Core

                    Known Issues
                    The updates address Remote Code Execution, Information Disclosure, "Defense in Depth", Security Feature Bypass and Elevation of Privilege. Note:  "Defense-in-Depth" is a fix that does not apply to an actively exploitable vulnerability but prevents future vulnerabilities caused by the same code when surrounding code changes expose the problem.  In addition, Windows 10 1511 support ends today.

                    For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

                    CVEs addressed by Microsoft this month that deserve extra attention are discussed in Zero Day Initiative — The October 2017 Security Update Review by Dustin Childs.

                      Additional Update Notes

                      • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
                      • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 
                        Note: Users who are paranoid about the remote possibility of a false positive (FP) can opt to run this tool from a Command Prompt, appending a /N parameter [for "detect only" mode].
                      • Windows 10 -- A summary of important product developments included in each update, with links to more details, is available at Windows 10 Update History. The page will be regularly refreshed as new updates are released.






                        Adobe Flash Player Updates


                        Adobe has released Version 27.0.0.159 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

                        These updates address functionality bugs.

                        Release date:  October 10, 2017
                        Vulnerability identifier: APSB17-31
                        CVE Numbers:   None
                        Platform: Windows, Macintosh, Linux and Chrome OS

                        Update:

                        *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

                          Verify Installation

                          To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

                          Do this for each browser installed on your computer.

                          To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.










                          Pale Moon 27.5.1 Released


                          Pale Moon has been updated to Version 27.5.1. This is a security and stability update.

                          The security updates include DiD ("Defense-in-Depth") fixes.  This means that it is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.

                          Details from the Release Notes:

                          Changes/fixes:
                          • Changed the default Windows 10 styling when no accent color is applied to black-on-white.
                          • Changed the theme styling on Windows 10 when the system window frame is used (menu bar enabled) to use the window manager background directly, preventing visual lag updating the window color when it changes.
                          • Updated user agent overrides for DropBox, YouTube and Yahoo to work around user agent sniffing issues.
                          • Fixed a crash in the media subsystem.
                          • Fixed a regression where video playback hardware acceleration was disabled incorrectly on some systems.
                          Security fixes:
                          • Updated libhyphen to the latest upstream code to fix a security issue.
                          • Updated NSPR to 4.16-RTM with a patch to un-bust building on win64.
                          • Updated NSS to 3.32.1-RTM.
                          • Worked around some more issues with Mac fonts (CVE-2017-7825).
                          • Fixed a potential rooting hazard in NPAPI plugin code. DiD
                          • Fixed a potential reference issue in JavaScript arrays. DiD
                          Minimum system Requirements (Windows):
                          • Windows Vista/Windows 7/8/10/Server 2008 or later
                          • Windows Platform Update (Vista/7) strongly recommended
                          • A processor with SSE2 instruction support
                          • 256 MB of free RAM (512 MB or more recommended)
                          • At least 150 MB of free (uncompressed) disk space
                          Pale Moon includes both 32- and 64-bit versions for Windows:

                          Update

                          To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.






                          Monday, October 09, 2017

                          Mozilla Firefox Version 56.0.1 Released


                          Mozilla sent Firefox Version 56.0.1 to the release channel today.  The update includes one fix and the migration to 64-bit Firefox for users of the 32-bit version.  Note the unresolved issues!

                          Firefox ESR remains at version 52.4.0.

                          Fixed

                          • Block D3D11 when using Intel drivers on Windows 7 systems with partial AVX support (bug 1403353)

                          Changed

                          • Users of 32-bit Firefox on 64-bit Windows are migrated to 64-bit Firefox for increased stability and security.

                          Unresolved

                          • Due to a bug in Mac OS X High Sierra, fullscreen mode has some issues
                          • Startup crash with RelevantKnowledge adware installed. Firefox Support has helpful instructions to remove it.
                          • Startup crashes with 64-bit Firefox on Windows 7, for users of Lenovo's "OneKey Theater" software for IdeaPad laptops. To fix this crash, please re-install 32-bit Firefox.
                          • Users running Firefox for Windows over a Remote Desktop Connection (RDP) may find that audio playback is disabled due to increased security restrictions. Learn how to mitigate this issue until it is corrected in an upcoming release.

                          Update:

                          To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


                          Tuesday, October 03, 2017

                          Cyber Security Awareness Month


                          October is National Cyber Security Awareness Month (NCSAM).  The 2017 Cyber Security Awareness Month marks the seventh anniversary of the campaign.  It is also European Cyber Security Awareness Month (ECSM) https://cybersecuritymonth.eu/  and in Canada, https://www.getcybersafe.gc.ca/index-eng.aspx 

                            Stop | Think | Connect

                          With that in mind, consider the following suggestions not only during Cyber Security Awareness month but every day:

                              Stop:  Before you click that formatted link in your email, search results or social media account, mouse over the link to ensure the URL matches the description.

                              Think:  Whether it is email, Facebook, Twitter, an online forum or other online media, instead of spouting off the first reply that comes to mind when you disagree, think before you click the send button.  Remember that your online reputation can follow you in "real life".

                              Connect:  When you connect to the Internet, ensure your device software as well as any apps or third-party software are up to date.

                          Each week, Malwarebytes Labs will focus on a theme and provide helpful articles, useful tips, and valuable analysis so that you can increase awareness and spread the word. This week’s theme: simple steps to online safety. The first:  National cybersecurity awareness month: simple steps to online safety | Malwarebytes Labs



                          Thursday, September 28, 2017

                          Mozilla Firefox Version 56.0 Released with Security Updates


                          Mozilla sent Firefox Version 56.0 to the release channel today.  The update includes two (2) Critical, six (6) High, seven (7) Moderate and two (2) Low security updates.  Firefox ESR was updated to version 52.4.0.

                          Important Notes:
                          1. Although version 56 is scheduled to "silently and forcibly auto-upgrade" users running the 32-bit version of Firefox on 64-bit computers with more than 2GB of RAM to the 64-bit version, it was not updated to the 64-bit version on my machine.
                          2. Users of Lenovo's "OneKey Theater" software for IdeaPad laptops and users running Firefox for Windows over a Remote Desktop Connection (RDP) are advised to check the unresolved issues below.
                          3. Version 56 makes Firefox Screenshots and Send Tabs available to all users.
                          4. See the following regarding add-ons starting in Firefox 57:  Firefox add-on technology is modernizing

                          Security Fixes:

                          Critical:
                          High:
                          Moderate:
                          Low:
                          New
                          • Launched Firefox Screenshots, a feature that lets users take, save, and share screenshots without leaving the browser
                          • Added support for address form autofill (en-US only)
                          • Updated Preferences
                            • Added search tool so users can find a specific setting quickly
                            • Reorganized preferences so users can more easily scan settings
                            • Rewrote descriptions so users can better understand choices and how they affect browsing
                            • Revised data collection choices so they align with updated Privacy Notice and data collection strategy
                          • Media opened in a background tab will not play until the tab is selected
                          • Improved Send Tabs feature of Sync for iOS and Android, and Send Tabs can be discovered even by users without a Firefox Account

                          Changed

                          • Replaced character encoding converters with a new Encoding Standard-compliant implementation written in Rust
                          • Added hardware acceleration for AES-GCM
                          • Updated the Safe Browsing protocol to version 4
                          • Reduced update download file size by approximately 20 percent
                          • Improved security for verifying update downloads

                          Unresolved

                          • Startup crash with RelevantKnowledge adware installed. Firefox Support has helpful instructions to remove it.
                          • Startup crashes with 64-bit Firefox on Windows 7, for users of Lenovo's "OneKey Theater" software for IdeaPad laptops. To fix this crash, please re-install 32-bit Firefox.
                          • Users running Firefox for Windows over a Remote Desktop Connection (RDP) may find that audio playback is disabled due to increased security restrictions. Learn how to mitigate this issue until it is corrected in an upcoming release.

                          Update:

                          To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


                          Tuesday, September 26, 2017

                          Pale Moon Version 27.5.0 Released


                          Pale Moon has been updated to Version 27.5.0. This is a major release furthering the development of the browser.


                          The changes and fixes in this release are extensive and include user interface changes including a menu option to restart the browser, media improvements and much more.

                          Details from the Release Notes:

                          Changes/fixes:
                          • User interface:
                            • Added a menu option to restart the browser.
                            • Added Windows-specific CSS parameters and queries for the use of the system accent color. Added are parameters -moz-win-accentcolor and -moz-win-accentcolortext, and the media query -moz-win-accentcolor-applies to know if Windows is actively using an accent color.
                            • Changed Windows' browser CSS sheet to use variables instead of hard-coding colors, simplifying its style and making it more flexible. Further cleaned up the Windows 10 specific browser style.
                            • Changed the theme on Windows 10 to use the new accent colors and improve O.S. consistency.
                            • Fixed some general inconsistencies in the Windows theme on all Windows operating systems.
                            • Updated Windows widgets to be able to pick up Windows 10 accent colors dynamically and have the browser's look and feel respond accordingly, even with automatic color changes based on desktop wallpaper.
                            • Removed the experimental FF4 prerelease status-in-addressbar feature because the already-crowded address bar needs a break. This should solve some extension interop issues, theme issues and domain highlighting issues people have reported.
                            • Cleaned up some dead code for the plugin updater that no longer exists.
                            • Fixed a text direction issue in preferences.
                            • Fixed an issue with disabled context menu entries after using Customize...
                            • Reorganized and cleaned up the status preferences.
                          • Media:
                            • MSE Media updates (ongoing). We are focusing on improving MP4 handling.
                            • Improved MP3 metadata parsing (e.g. incorrect duration with embedded album cover)
                            • Fixed a number of searching issues in MP3 files
                            • Fixed a few crashes.
                          • Fixed an issue with automatically exporting bookmarks to HTML on shutdown.
                          • Fixed a regression re: domains allowed to/blocked from installing add-ons.
                          • Fixed several internal errors thrown in the front-end.
                          • Fixed several minor issues in the devtools.
                          • Added a fix to prevent the home page from being loaded (and subsequently overridden) when restoring a session.
                          • Added an option to control add-on blocklist behavior (Options -> Security)
                          • Added DOM function isSameNode().
                          • Added DOM onvisibilitychange event.
                          • Added document.scrollingelement (CSSOM).
                          • Added a basic implementation of Object.values and Object.entries enumerator functions (ECMA2017 draft).
                          • Added "Open in new private window" to bookmarks, feeds and history entries.
                          • Added HTTP request method OPTIONS.
                          • Added an option to exit to a no-content page after encountering a network or security error.
                            This is controlled with the preference browser.escape_to_blank -- when set to true, "Get me out of here" buttons will load a blank page instead of the browser's home page.
                          • Added experimental Brotli accept-encoding (alternative to gzip/deflate compressed http data transfer). Disabled by default for now because it causes issues.
                          • Improved the handling of several CSS selectors.
                          • Changed session storage to remember form data for https sites by default.
                          • Added (yet another) trap prevention method to onbeforeunload events.
                          • Fixed privacy preferences not correctly resetting all options when choosing "Remember History"
                          • Fixed not being able to deselect loading bookmarks in the sidebar.
                          • Limited the display of user names and hosts in the http auth dialog to sane lengths, preventing over-sizing issues.
                          • Fixed a number of potential crash points.
                          • Improved the security of the Windows dll loader module.
                          • Reinstated "Open all in tabs" option on folders of live bookmarks (feeds).
                          • Made URL matching more liberal in selected text to make it easier to open stated addresses.
                          • Fixed an issue with Graphite font rendering where automatic font collision fixing didn't always work.
                          • Color Management for images is now disabled by default on Linux, due to many distributions not having a streamlined setup with sane default ICC profiles, which makes images look worse when color management is enabled.
                          • Tightened the update security check to prevent acceptance of update manifests that have been intercepted/replaced through https MitM attacks.
                            Please be aware that https-filtering antivirus may interfere with future application updates as a result.
                          • Updated the ANGLE library to broaden WebGL support and reduce the potential of crashes (due to junk being sent to the video driver).
                          • Added content-sniffing for WebP images (working around CloudFront's incorrect content-type headers).
                          • Fixed a problem with some H.264 media not playing (SPS NAL).
                          • Improved timer efficiency (switch back to lower precision when high precision is no longer needed, reducing CPU/power consumption).
                          • Improved context search on selected text/links.
                          • Updated address bar handling with Alt or Shift modifiers, so that "switch to tab" with a modifier can open copies of already-opened sites.
                          • Added a fix on Linux for starting the browser from Enlightenment.
                          • Privacy fix: Pale Moon will now clear QuotaManager storage (asm.js cache/IndexedDB data) as part of clearing Offline Website Data.
                          Minimum system Requirements (Windows):
                          • Windows Vista/Windows 7/8/10/Server 2008 or later
                          • Windows Platform Update (Vista/7) strongly recommended
                          • A processor with SSE2 instruction support
                          • 256 MB of free RAM (512 MB or more recommended)
                          • At least 150 MB of free (uncompressed) disk space
                          Pale Moon includes both 32- and 64-bit versions for Windows:

                          Update

                          To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.



